Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Newsgroups: comp.virus
Subject: re: FSP and sales figures (was: Into the 1990s)
Message-ID: <0004.9105301427.AA10625@ubu.cert.sei.cmu.edu>
Date: 29 May 91 16:32:46 GMT
Sender: Virus Discussion List
Lines: 82
Approved: krvw@sei.cmu.edu

>From: microsoft!c-rossgr@uunet.uu.net
>... it should give different
>"seeds" for each system. I recall that discussion and that I felt
>(and still feel!) it's a good idea, but a tech support nightmare.

Doesn't have to be, Enigma-Logic's product uses a different "seed" for
each machine that is entered once by the user at installation time & is
never encountered by either user or tech again. Also, about a year ago,
we discussed a matrix method for a simple checksum algorithm to be
produced on the fly.

>Not quite. However, a real dog of a product that simply doesn't work
>is, eventually, gonna be found out and will have zero sales volume.

The hooker here is "eventually". Besides, few products don't work at all
and the first indication to the poor sap who bought it may not come until
he gets hit by something that is not caught or a manager finds out what
it costs to update the software periodically on 5000 PCs.

Anti-Viral software should now be in its third generation:

1) Initial design
2) Take care of exceptions & annoyances
3) Make it "user-friendly"

but, except for those who are very deep into the subject, it is difficult
to determine the "exception" cases and which products have the third
generation look but skipped the second. I know of at least five software
packages and several BIOSes & disk controllers that will give a good
integrity checker fits (second generation problems) but have not seen any
advertising by anti-viral products that give me a "warm" feeling.
In the last month, I have returned two different Windows word processors
to their respective manufacturers, one because it thought WordStar 4.0
was the last version (5.0 came out in 1988), another because the driver I
had to use for my Panasonic printers (Windows doesn't list any Panasonics)
caused the second to produce pure gibberish on the screen. These are
second generation problems.

>It's tough to decide on what determines the relative quality of a
>product, though: if a scanner does 500 viruses and scans your disk in
>two minutes and another scanner does 600 viruses and scans your disk
>in three minutes, which one is a "better" product? Does making it
>pretty, with a cool/spiffy GUI make it a "better" product?

Consider quantum economics: first the process must be "good enough". Then
linear comparisons become important. A minute is lost in the noise to a
tech checking out a problem. If it occurs every time a user loads a file,
it is liable to be noticed.

To me "good enough" is a product that will detect any change to a system
or authenticated file that is unauthorized without flagging. At the same
time actions that are authorized for a product will be passed without
challenge. I haven't seen any yet though some come close.

I will make a stab at some targets:

1) Simple to install - should only give user options that are based on
   the machine in question.
2) Should recognize incompatible products
3) Should be robust enough not to require program updates unless new
   features are added. Simple data file updates of new signature strings
   should be all that is necessary
4) Each machine should have a different algorithm if only a unique seed.
5) Must make provision for routine maintenance (defrag, etc.) while
   maintaining functionality
6) Must be easy to remove for troubleshooting
7) Must recognize ANY change and be smart enough not to bombard the user
   with notices when authorized.

Wish list: program privilege (e.g. rwe) interpreted and enforced by the
program manager.
Unknown programs have no privilege. Disk access enforcement is easy. Memory access enforcement is more difficult (but possible with 386 or good memory manager hardware). We will probably not be there until every new program is distributed on non-volatile media (e.g. notchless floppies) with authentication documentation, certification that what was received was what the manufacturer meant to send out, and a list of specific permissions the package requires. Unfortunately, I know of many mainframe packages that do not meet these criteria.
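The per-machine seed (target 4) and the "recognize ANY change but pass authorized ones" requirement (target 7) discussed above, as an added example that is not from the original post and is not Enigma-Logic's code: a keyed integrity baseline in Python 3 where each machine's seed keys the digests, so a baseline or digest computed elsewhere does not match here. File contents are constructed in memory in place of a real disk.

```python
import hashlib
import hmac
import secrets


def new_seed() -> bytes:
    """Per-machine seed, generated once at install time and stored outside
    the program image; a different seed gives every machine different digests."""
    return secrets.token_bytes(32)


def keyed_digest(seed: bytes, data: bytes) -> str:
    """HMAC-SHA256 keyed by the machine seed (a keyed stand-in for the
    seeded checksum the post describes)."""
    return hmac.new(seed, data, hashlib.sha256).hexdigest()


def build_baseline(seed: bytes, files: dict) -> dict:
    """Map every authenticated path to its keyed digest."""
    return {path: keyed_digest(seed, data) for path, data in files.items()}


def check(seed: bytes, baseline: dict, files: dict, authorized=()) -> tuple:
    """Compare current files against the baseline.

    Returns (alerts, new_baseline). Any added, deleted or modified path is
    reported unless it is in `authorized` (e.g. a sanctioned update), in
    which case the baseline is silently re-learned for that path.
    """
    alerts = []
    updated = dict(baseline)
    for path in sorted(set(baseline) | set(files)):
        old = baseline.get(path)
        new = keyed_digest(seed, files[path]) if path in files else None
        if old == new:
            continue  # unchanged
        if path in authorized:
            if new is None:
                updated.pop(path, None)
            else:
                updated[path] = new
            continue  # authorized change: no notice to the user
        kind = "added" if old is None else "deleted" if new is None else "modified"
        alerts.append((path, kind))
    return alerts, updated


if __name__ == "__main__":
    seed = new_seed()
    disk = {"COMMAND.COM": b"constructed sample", "AUTOEXEC.BAT": b"@echo off"}
    base = build_baseline(seed, disk)
    disk["COMMAND.COM"] += b"\x90"  # constructed unauthorized append
    print(check(seed, base, disk)[0])
```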