Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!cs.utexas.edu!sun-barr!lll-winken!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Newsgroups: comp.virus
Subject: RE:CERTUS STUDY mentioned in - VIRUS-L Digest V4 #94
Message-ID: <0001.9106101933.AA10096@ubu.cert.sei.cmu.edu>
Date: 6 Jun 91 14:37:45 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Lines: 31
Approved: krvw@sei.cmu.edu

>From:    J|rgen Olsen <masjol@dou.dk>
>RE: LAN's as vehicle for spreading virii!
>This is mainly a question of network management.

Agreed, but one easy possibility does not seem to have been covered that
is widely used on BBSes: separate upload and download directories.

By making the upload directory write only for users and the download
directory execute only, the administrator can provide an effective
filter of what is made available to the community.

Of course this places added responsibility on the administrator since
a problem is traceable to him (I wonder if this is why many manufacturers
ship products on non-write-protected disks, there is not much question of
where an infection occurred with a notchless disk), and does introduce
a delay between posting and availability.

Such a scenario would have user A posting a file to the upload directory.
The administrator would then SCAN the program, check  for malicious
behavior using an account that is unpriv'd, and check for any license
restrictions.

Only when satisfied that the program is low-risk would it be placed in a
user-accessable area.

Such a filter should also be used between software developers and user
areas (but rarely is). In practise, the technique is much simpler than
it sounds and need not be a burden.

						Padgett
			It works for me