Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: RADAI@HUJIVMS.BITNET (Y. Radai)
Newsgroups: comp.virus
Subject: Re: TSR Virus Detector (PC)
Message-ID: <0005.9105141950.AA12065@ubu.cert.sei.cmu.edu>
Date: 13 May 91 10:15:00 GMT
Sender: Virus Discussion List
Lines: 42
Approved: krvw@sei.cmu.edu

In connection with my comparison of F-LOCK, FSP, SECURE, TSAFE, and VTAC, Esa Holmberg writes:

> I'm afraid you have tested a wrong program; F-DRIVER
> would be the actual resident virus tester of the F-PROT
> package, and not F-LOCK.

No, that's incorrect. I don't know if your mistake is in not knowing how F-DRIVER works or in confusing two different types of resident anti-viral programs:

(I) Those which search for *specific strings* (or patterns), each characteristic of a particular *known* virus, within program files which are about to be executed, and (usually) also in boot records when the anti-viral program is loaded. Such programs must be updated continually to catch new viruses.

(II) Those which warn of suspicious activity by intercepting attempts to modify executable files, to stay resident, to format disks, etc., regardless of the source of this activity. (It might be a virus, a Trojan, or some perfectly innocuous program; and if a virus, it may be a known one or an unknown one.) Such programs do not ordinarily require updating.

Now John Councill's question certainly resembled Type II more than Type I, so I referred to the five programs of this type which I had compared, and that includes F-LOCK. F-DRIVER, on the other hand, is of Type I, and therefore was not an appropriate program for my comparison. (When I say that a program is of Type I, it may include a few Type-II features as well, but certainly F-DRIVER and V-Shield are basically of Type I.)

Perhaps my posting would have been clearer if, instead of calling Type-II programs simply "monitoring" programs, I had called them *generic* monitoring programs. F-LOCK is generic; F-DRIVER is not. (Btw, there are also generic *disinfection* programs, i.e. programs which in the great majority of cases can restore a file to its original state regardless of the virus which infected it.)

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL
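The Type I / Type II distinction Radai draws above, modelled as an added example. This is not code from the original post and has nothing to do with how F-DRIVER, F-LOCK or any other product named in the thread is implemented; the byte pattern, the program names and the `Monitor` interposition layer are all constructed for illustration. The point it makes is the one in the post: a signature scanner catches only the variant whose string it knows, while a generic monitor flags the *action* (writing to an executable, going resident, formatting a disk) whoever performs it, so it also catches an unknown variant and also stops a perfectly innocuous installer.

```python
"""Toy model of the two classes of resident anti-viral program described
in the post.

Type I  : scan a program image for strings characteristic of *known*
          viruses before the program is allowed to run.
Type II : interpose on the actions a running program requests and warn on
          suspicious ones, regardless of who requested them.

Everything below (signatures, program names, the "system call" layer) is
constructed for this example and is not derived from any real product.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical signature table (Type I needs one of these, kept up to date).
KNOWN_SIGNATURES: dict[str, bytes] = {
    "demo-virus-A": b"\xb8\x00\x4c\xcd\x21",  # constructed pattern, not a real virus
}

# Constructed program images: the "known" one carries the listed pattern, the
# "novel" one differs by a single byte (an unknown variant to a Type I scanner).
KNOWN_IMAGE = b"\x90" * 8 + KNOWN_SIGNATURES["demo-virus-A"] + b"\x90" * 8
NOVEL_IMAGE = b"\x90" * 8 + b"\xb8\x00\x4c\xcd\x20" + b"\x90" * 8


def scan_image(image: bytes, signatures: dict[str, bytes] = KNOWN_SIGNATURES) -> list[str]:
    """Type I check: names of every known signature present in `image`."""
    return [name for name, pattern in signatures.items() if pattern in image]


# Actions a Type II monitor treats as suspicious, following the post's list.
SUSPICIOUS_ACTIONS = frozenset({"write_executable", "stay_resident", "format_disk"})
EXECUTABLE_SUFFIXES = (".exe", ".com", ".sys")


@dataclass
class Monitor:
    """Type II check: sits between programs and the 'system' and sees each request."""

    alerts: list[tuple[str, str, str]] = field(default_factory=list)

    def request(self, program: str, action: str, target: str = "") -> bool:
        """Return True if the action is allowed; False if it was blocked and logged.

        A generic write is reclassified as 'write_executable' when the target is an
        executable file, which is what an infector has to do to spread.
        """
        if action == "write_file" and target.lower().endswith(EXECUTABLE_SUFFIXES):
            action = "write_executable"
        if action in SUSPICIOUS_ACTIONS:
            self.alerts.append((program, action, target))
            return False  # warn/block regardless of the source of the activity
        return True


def run_scenario() -> dict[str, object]:
    """Run both checks over the constructed programs and collect the outcomes."""
    monitor = Monitor()
    results: dict[str, object] = {
        # Type I: only the variant in the table is recognised.
        "type1_known": scan_image(KNOWN_IMAGE),
        "type1_novel": scan_image(NOVEL_IMAGE),
        # Type II: the action is what matters, not the identity of the program.
        "type2_known_infect": monitor.request("KNOWNVIR", "write_file", "HOST.COM"),
        "type2_novel_infect": monitor.request("NOVELVIR", "write_file", "HOST.COM"),
        "type2_novel_resident": monitor.request("NOVELVIR", "stay_resident"),
        # The innocuous cases the post warns about: an installer writing an .EXE
        # is flagged too, while an editor writing a text file is left alone.
        "type2_installer": monitor.request("INSTALL", "write_file", "PROGRAM.EXE"),
        "type2_editor": monitor.request("EDITOR", "write_file", "README.TXT"),
    }
    results["alerts"] = list(monitor.alerts)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:22} {value}")
```

Reading the output against the post: the scanner reports `demo-virus-A` for the known image and nothing for the one-byte variant (it would need a table update), whereas the monitor blocks both infectors and the installer alike, which is why Radai calls Type II "generic" and why such programs rarely need updating but can warn about perfectly legitimate software.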