Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!cs.widener.edu!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Re: Integrity Checking, programs & system
Message-ID: <0005.9103281641.AA28811@ubu.cert.sei.cmu.edu>
Date: 27 Mar 91 10:21:27 GMT
Sender: Virus Discussion List
Lines: 27
Approved: krvw@sei.cmu.edu

padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes:

>> SCAN does have an "internal" self check, but if a "stealth" virus is
>>active in memory, it will defeat any kind of integrity check.
>
>NO ! It will not defeat "any kind of integrity check" though "stealth"
>will defeat SCAN's if the /nomem switch is in use (wish we had italics) While
>the "stealth" seen so far will defeat a program integrity check, it will NOT
>defeat a system integrity check (the six bytes).

I don't mean to be insulting, but I have said it before, and I will say
it again:

The six-byte check is no substitute for a full system integrity check!

Although it will detect most viruses, it will NOT detect them all, in
particular it will miss some "stealth" viruses, like the "Number of the
Beast". The method will also miss viruses like Saddam, Do-Nothing,
Micro-128 and all non-resident viruses. Worse, it will "detect" all TSR
programs, even programs like PRINT.COM.

However, my main point is this - it is possible to make a program
integrity check which will detect infection by all "stealth" viruses
known today, and (I hope) tomorrow's viruses as well. I cannot go into
details, but I do have a working program which is able to do this - more
details next month.

-frisk