Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!zaphod.mps.ohio-state.edu!tut.cis.ohio-state.edu!VAX1.CC.UAKRON.EDU!mcs.kent.edu!usenet.ins.cwru.edu!thor!david
From: david@thor.INS.CWRU.Edu (David Nerenberg)
Newsgroups: comp.sys.novell
Subject: Re: A virus on a novell LAN.
Message-ID: <1991Jan29.192211.1413@usenet.ins.cwru.edu>
Date: 29 Jan 91 19:22:11 GMT
References: <1991Jan21.210144.21385@cerberus.bhpese.oz.au> <1991Jan23.001244.8432@techbook.com>
Sender: news@usenet.ins.cwru.edu
Reply-To: david@po.CWRU.Edu
Organization: Case Western Reserve Univ. Cleveland, Ohio, (USA)
Lines: 21
Nntp-Posting-Host: thor.ins.cwru.edu


I have made an interesting observation, and would like to know if
anyone can explain this:

	Most of us have used netscan from McAfee to check our Novell Servers
for viruses.  I assume this is accomplished by opening the file to be
scanned, and comparing data strings with known virus strings.  
	Now, the interesting part:  Execute-Only files are scanned without a 
problem.
	Problem:  Execute-Only files can not be opened for reading except by 
an execute call.  Therefore, how is this being done, or is it not, and it
just looks like it is scanning these files?  If it is actually scanning the
files in their entirety, McAfee has broken the Execute-Only copy protection.

						Dave
-- 
david@ins.cwru.edu           *  Eagle  *      David Nerenberg
73107,177 Compuserve        * Computers *     Information Network Services
NY:  H-516-751-6344        * Electronics *    Case Western Reserve University
     W-516-751-8111       * Sound & Stage *   W-216-368-2982   H-216-754-2063