Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: microsoft!c-rossgr@uunet.uu.net
Newsgroups: comp.virus
Subject: re: Into the 1990's
Message-ID: <0008.9105141950.AA12065@ubu.cert.sei.cmu.edu>
Date: 14 May 91 18:15:53 GMT
Sender: Virus Discussion List
Lines: 99
Approved: krvw@sei.cmu.edu

>From: Padgett Peterson
>
>First I would like to offer an apology to Ross Greenberg (Flu-Shot)
>and Fridrik Skulasson (F-Prot).

Most happily accepted, Padgett. Sometimes we sorta forget there are
real people on either end of these silly tubes before us. Sorry I was
a bit hasty in my response to you originally.

>communications capability. These people [end users] are not interested in which
>strain of the 4096 they have been infected with, their concern is that
>the machine is operating properly and without any hidden "extras".

Stop for a moment and consider what we're dealing with here: a modified
4096 that was not released into the wild. It was a "lab" virus, and
scanners and monitors that are tuned to Version A might not
find/detect/stop some Version B until they, themselves, have been
modified. One of the big problems we, as anti-virus vendors and
researchers, have is in getting these "lab" viruses to add to our
product/knowledge-base. (See below in my response to Dave Chess why
this is still important.) This does not mean, however, that you're
wrong.

>What the user needs to know is that SOMETHING has happened and that a
>technician is needed to interpret WHAT - whether it be a problem caused
>by power supply (I see a lot of these), drive, ICs, or malicious
>software.

Yes, just as most people do not work on their own cars when the problem
is serious enough, but you're not really expected to call in AAA when
you have a flat tire -- you should fix it yourself.

I think the virus problem is growing. I think the anti-virus solutions
are still in their infancy.

Code such as my FLU_SHOT+ was initially designed to help out the more
techie among us: the interface is, certainly, not user friendly. Newer
code, such as my Virex-PC (and, giving credit where credit is due, my
worthy competitors from Symantec and Central Point) is being constantly
tweaked to make it not only better anti-virus software, but easier to
use anti-virus software: the simple "Abort, Retry, Ignore" message is
no longer acceptable in a product. Instead, lots of time is spent in
making the product user friendly enough that the number of tech support
calls goes down to virtually zero. There is considerable incentive in
making the product easy for *everyone* to use: the techie and
non-techie alike.

I don't see that a technician is going to be required for the more
"popular" problems: they must be dealt with eventually, if for no other
reason than that tech support calls are very expensive. A new and
hidden strain of a virus hasn't reached that category yet, obviously.

>Today, viruses seem to account for on the order of 10-20% of the
>trouble calls I get. They are significant enough to warrant avoidance
>measures, but not anything to panic about.

*This* is what the news media should be reporting. It's not something
to panic over, true, but that's an *amazing* percentage of trouble
calls due to viruses. Think of the cost to business today when their
copy of a program doesn't work and they call up tech support because of
the problem!

>The real point I have been trying to make for some time is that such
>[integrity] checking IS NOT DIFFICULT, orders of magnitude less
>than what it takes to write a good word processor, it just has not
>been done yet.

You mentioned a few products and their methods, so it's obvious that
this integrity checking *IS* being done (FLU_SHOT+ has had integrity
checking on program run for about three years, I guess). Now, is this
integrity checking being done *properly*?

Interesting question, and one that only the marketplace can answer by
what they select for their purchase (or freeware usage). Something like
the example you gave of Norton's potential 9Mb overhead is ridiculous
(not the example, but the instance!). That shows a considerable lack of
understanding about the market. Wanna bet that the next release of the
code does things differently? If not, it'll probably be a dead product.

Your subsequent points (not quoted herein) are good ones. Resident
integrity checking, and access control, is a worthy goal of any of the
anti-virus products. However, remember that it can and *will* be
circumvented the first time somebody boots off a floppy. Signature
checking, integrity checking, whatever: none of them can slap the wrist
of somebody who boots off an infected disk with stealthing viruses on
it, combined with people who really think that extra five seconds (or
whatever) on a memory scan is too much "wasted" time. That's why the
anti-virus code out there has to do more than simple integrity
checking.

> Comments welcome,
> Padgett

Okey doke: who do I send them to? :-)

Ross M. Greenberg
Author, Virex-PC & FLU_SHOT+