Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!lll-winken!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: RADAI@HUJIVMS.BITNET (Y. Radai)
Newsgroups: comp.virus
Subject: Re: Interesting advert (PC)
Message-ID: <0003.9105311330.AA00359@ubu.cert.sei.cmu.edu>
Date: 30 May 91 12:52:00 GMT
Sender: Virus Discussion List
Lines: 52
Approved: krvw@sei.cmu.edu

Kenny Stevenson writes:
>Just read an interesting ad in Personal Computer Magazine, April 1991
>VNU 404, page 135. It seems that most of us can now sleep easy if the
>claim made in this advert is true - what will all you EXPERTS do ?!
.....
>Vaccine anti-virus system - "Vaccine is virus-non specific detection
>software. It uses cryptographic checksums to monitor the state of
>executables on a PC or file-server. Any change, however caused will
>be detected. Since Vaccine does not need to know about particular
>viruses in order to detect them, it is future proof. Once installed,
>Vaccine will detect all viruses, past, present and future."
.....
>Comments welcome ! (and I can't imagine that there won't be some)

There is absolutely nothing new in this ad. There are zillions of
checksum programs for the PC which claim to do the very same thing.
However, there are three things to note:

(1) They cannot distinguish between an actual viral infection and (say)
    replacement of an old version of a program by a new one; this is
    left to the user to decide.
(2) The vast majority of such programs cannot really catch *all*
    infections because DOS has loopholes which the authors of these
    programs are unaware of.
(3) This method only *detects* infections after they have occurred; it
    does not prevent or remove them, so there's still a wee bit left
    for the "experts" to do.

Actually, there is one such program, V-Analyst, which goes a long way
toward solving all three problems:

(1) It can distinguish between the above two situations in *most*
    cases.
(2) It checks for three loopholes and takes the necessary measures.
(3) It contains a *generic disinfector* which, when a modification is
    detected, will attempt to restore the file to its original
    condition. If the modification is due to a virus, it can do this
    in the great majority of cases (regardless of whether the virus is
    known or unknown). Moreover, there is never any danger of its
    performing an incorrect restoration.

(Features (1) and (3) are available only in the new version 3.0, not
yet officially released.) I'm willing to bet that Vaccine doesn't come
anywhere near this.

Padgett Peterson to Kenny:
>Question: when does it go resident ? If from CONFIG or later, you know
>          my opinion.

Answer: Who says a checksum program has to go resident at all?? Most
checksum programs I know of (incl. Vaccine and V-Analyst) can (or must)
be run without going resident.

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL
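
The checksum approach discussed in the post above, as an added example that is not part of the original post and is not code from Vaccine or V-Analyst: a baseline-and-compare checker whose report flags a routine upgrade and an unexpected modification identically, which is the first limitation the post lists. The HMAC-SHA256 construction, the file names, the file contents and the key are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

def file_mac(path, key):
    """HMAC-SHA256 over a file's bytes (keyed: an assumption of this example)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def build_baseline(root, key):
    """Map each file's path (relative to root) to its checksum."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_mac(full, key)
    return baseline

def compare(root, key, baseline):
    """Report files changed, added or missing relative to the baseline."""
    current = build_baseline(root, key)
    changed = [p for p in current if p in baseline
               and not hmac.compare_digest(current[p], baseline[p])]
    return {"changed": sorted(changed),
            "added": sorted(set(current) - set(baseline)),
            "missing": sorted(set(baseline) - set(current))}

def put(root, name, data, mode="wb"):
    """Write (or, with mode="ab", append) constructed sample bytes."""
    with open(os.path.join(root, name), mode) as f:
        f.write(data)

def demo():
    """Constructed sample: an upgrade and an unexpected append look the same."""
    key = b"constructed-demo-key"  # sample key, constructed for the demo
    with tempfile.TemporaryDirectory() as root:
        put(root, "EDIT.COM", b"editor v1")
        put(root, "CALC.EXE", b"calculator v1")
        put(root, "OLD.EXE", b"retired tool")
        baseline = build_baseline(root, key)
        put(root, "EDIT.COM", b"editor v2")               # legitimate upgrade
        put(root, "CALC.EXE", b"<appended bytes>", "ab")  # unexpected change
        os.remove(os.path.join(root, "OLD.EXE"))
        put(root, "NEW.EXE", b"new install")
        return compare(root, key, baseline)

if __name__ == "__main__":
    print(demo())
```

Both EDIT.COM and CALC.EXE land in the same "changed" list; the report carries nothing that tells the upgrade from the unexpected modification, and it is produced only after the change has already happened.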