Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!uwm.edu!linac!att!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett.tccslr.dnet@mmc.com (Padgett Peterson)
Newsgroups: comp.virus
Subject: Into the 1990's
Message-ID: <0002.9105141317.AA10748@ubu.cert.sei.cmu.edu>
Date: 13 May 91 15:21:18 GMT
Sender: Virus Discussion List
Lines: 71
Approved: krvw@sei.cmu.edu

First I would like to offer an apology to Ross Greenberg (Flu-Shot) and Fridrik Skulason (F-Prot). You can count on your fingers the number of people who have made real contributions to the anti-viral scene and these are two of them. My choice of words ("You get what you pay for") in the circumstances was unfortunate.

At the same time, I constantly deal with more and more users of PCs who could care less what kind of platform they are dealing with; all they are interested in is their spreadsheet/publications/communications capability. These people are not interested in which strain of the 4096 they have been infected with; their concern is that the machine is operating properly and without any hidden "extras".

Consequently, those techniques that were developed when mere ownership of a PC qualified one as a "hacker" (in the original sense) are more suited to the technicians who are paid to understand the architecture. What the user needs to know is that SOMETHING has happened and that a technician is needed to interpret WHAT - whether it be a problem caused by power supply (I see a lot of these), drive, ICs, or malicious software.

Today, viruses seem to account for on the order of 10-20% of the trouble calls I get. They are significant enough to warrant avoidance measures, but not anything to panic about. The fact of the matter is that today EVERY "common" virus allocates resources to itself, most in obvious manners, and all are detectable to the user/program that bothers to look.
Trojans & logic bombs as well as simple failures are another matter entirely, but protection is possible (just not as "glamorous"). Since the PC (and MAC) have only rudimentary integrity checking built in, the first order of business should be to add on some additional measures to ensure the validity of the machine. Because problems (including malicious software) can begin at the BIOS level, so must integrity checking. The real point I have been trying to make for some time is that such checking IS NOT DIFFICULT, orders of magnitude less than what it takes to write a good word processor; it just has not been done yet.

There are some guidelines and dead ends to be avoided: for example, McAfee's SCAN /AV adds ten bytes of authentication to each program that can be retrieved by the resident VSHIELD program. Enigma-Logic's Virus-Safe stores the checksums in a single separate data file. Either is to be preferred to Norton's Anti-Virus method, which reportedly creates a 77 byte file for each executable, since given a disk like mine with 1100 executables and 2k clusters, this would take up over 2 Mb for those 77 byte files. With an 8k cluster size such as I have seen on many machines, we would be talking almost 9 Mb (each file takes up at least one cluster). Few users could afford this.

Consequently, IMHO the first priority should be given to a resident integrity checking package designed for the single user system that uses authenticated data paths to each peripheral, and adds the program validation and permission process that exists on mainframes. The major difference would be that instead of user privileges we would have a set of program privileges on record. In this way, if a program were permitted to go resident, this attribute would be recorded and the location, hooked vectors, size, and memory checksum would be kept on file. Similarly, a self modifying program such as WordPerfect would be permitted to do so, but only to its own executables.
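The integrity-checking design sketched above, as an added illustration that is not code from the post or from any of the products it names: one manifest file holds the checksum and the recorded program privileges (owner, self-modify, resident) for every executable, and a change is only accepted when the recorded owner wrote the file and holds the self-modify privilege. The file names, the `writes` event list standing in for what a resident monitor would observe, and the storage-overhead helper are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample system: executable -> recorded program privileges.
# "resident" is kept on record as the post proposes; vector/memory checks are not modelled here.
PRIVILEGES = {
    "WP.EXE":      {"owner": "wordperfect", "self_modify": True,  "resident": False},
    "WP.FIL":      {"owner": "wordperfect", "self_modify": True,  "resident": False},
    "COMMAND.COM": {"owner": "dos",         "self_modify": False, "resident": True},
}

def checksum(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(root: Path) -> dict:
    """One manifest for the whole disk (single data file, not one record file per executable)."""
    return {name: {"sha256": checksum(root / name), **priv} for name, priv in PRIVILEGES.items()}

def per_file_store_bytes(n_files: int, cluster_bytes: int) -> int:
    """Disk consumed by a one-small-file-per-executable scheme: each record costs a whole cluster."""
    return n_files * cluster_bytes

def audit(root: Path, manifest: dict, writes: list) -> dict:
    """Compare current checksums with the manifest. `writes` holds (program, file) write
    events the resident monitor observed; a changed file passes only if its recorded
    owner wrote it and that owner holds the self-modify privilege."""
    report = {}
    for name, rec in manifest.items():
        if checksum(root / name) == rec["sha256"]:
            report[name] = "unchanged"
            continue
        writers = {prog for prog, f in writes if f == name}
        if rec["self_modify"] and writers == {rec["owner"]}:
            report[name] = "modified by owner (permitted)"
        else:
            report[name] = "UNEXPECTED CHANGE - technician needed"
    return report

def demo() -> dict:
    root = Path(tempfile.mkdtemp())
    for name in PRIVILEGES:
        (root / name).write_bytes(b"original contents of " + name.encode())
    (root / "manifest.json").write_text(json.dumps(build_manifest(root)))
    # WordPerfect rewrites its own data file (permitted); an unrecorded program alters COMMAND.COM.
    (root / "WP.FIL").write_bytes(b"user preferences saved by WordPerfect")
    (root / "COMMAND.COM").write_bytes(b"original contents of COMMAND.COM" + b"\x90" * 16)
    writes = [("wordperfect", "WP.FIL"), ("unrecorded", "COMMAND.COM")]
    return audit(root, json.loads((root / "manifest.json").read_text()), writes)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

With the post's own figures, `per_file_store_bytes(1100, 2048)` and `per_file_store_bytes(1100, 8192)` give the "over 2 Mb" and "almost 9 Mb" quoted above.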
I also believe that in the near future, signature scanning programs will be limited to the technicians, researchers, and hobbyists who need such sophisticated tools, and will not be in general use by the average user.

Comments welcome,

Padgett