Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!mips!pacbell.com!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics)
Newsgroups: comp.virus
Subject: Re: Scanning infected files (PC)
Message-ID: <0009.9106111458.AA11286@ubu.cert.sei.cmu.edu>
Date: 11 Jun 91 05:11:00 GMT
Sender: Virus Discussion List
Lines: 27
Approved: krvw@sei.cmu.edu

ACDFINN@vm.uoguelph.ca (Finnegan Southey) writes:
> In regards to the problem of anti-viral programs infecting files
> they scan when a memory-resident virus is present: Wouldn't it be
> possible to read disks sector by sector instead of opening files
> through DOS calls?

Yes, you can do that, and there could be other advantages too: (a) potentially faster execution (if you are doing a whole diskette, you can organise things to reduce head movement), and (b) bypass some viruses, which intercept int 21 or int 13. There are some limitations, basically involving incompatibility with some network software, RAM drives, etc, but quite a good idea for most purposes.

The latest version of my CHECKOUT program uses this; earlier versions didn't check files - just the boot sector - but used int 40 instead of int 13 for similar reasons.

Ultimately, anti-virus software is going to directly access the disk controller (or possibly do far calls to the BIOS), to be certain of avoiding smart viruses, and relying on DOS will be unthinkable (as it *should* be now).

This leads me to a thought... suppose a virus-removal program gets rid of the virus from disk, but the infected sectors still exist in (say) an Extended memory cache system. Has anyone guarded against this?

Mark Aitchison, Physics, University of Canterbury, New Zealand.
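
The sector-by-sector scanning idea discussed in this post, as an added example that is not part of the original post and is not CHECKOUT's code: Python that walks a FAT12 root directory and follows each file's cluster chain using only raw sector reads, then searches the reassembled contents for a marker. The disk image, file names, `SIG` marker and the `read_sectors` helper are constructed for illustration; on a real machine that helper would be the BIOS-level or controller-level read the post describes.

```python
import struct

SIG = b"EXAMPLE-SIG"  # constructed marker, not a real virus signature

def read_sectors(img, lba, count=1, bps=512):
    # Stand-in for a raw read (BIOS or controller level); here, a slice of an image.
    return img[lba * bps:(lba + count) * bps]

def fat12_next(fat, n):
    # FAT12 packs two 12-bit entries into three bytes.
    v = struct.unpack_from("<H", fat, n * 3 // 2)[0]
    return v >> 4 if n & 1 else v & 0xFFF

def walk_files(img):
    """Yield (name, data) for root-directory files without any file-open call."""
    bps, spc, rsvd, nfats, nroot, _, _, spf = struct.unpack_from(
        "<HBHBHHBH", read_sectors(img, 0), 11)
    fat = read_sectors(img, rsvd, spf, bps)
    root_lba = rsvd + nfats * spf
    root_secs = (nroot * 32 + bps - 1) // bps
    root = read_sectors(img, root_lba, root_secs, bps)
    for off in range(0, nroot * 32, 32):
        e = root[off:off + 32]
        if e[0] == 0x00:                       # end of directory
            break
        if e[0] == 0xE5 or e[11] & 0x18:       # deleted, volume label or subdirectory
            continue
        clus, size = struct.unpack_from("<HI", e, 26)
        data, seen = b"", set()
        while 2 <= clus < 0xFF8 and clus not in seen:   # stop on looped chains
            seen.add(clus)
            data += read_sectors(img, root_lba + root_secs + (clus - 2) * spc, spc, bps)
            clus = fat12_next(fat, clus)
        yield e[:11].decode("ascii"), data[:size]

def scan(img, sig=SIG):
    return [name for name, data in walk_files(img) if sig in data]

def build_image():
    """Constructed 6-sector FAT12 volume: boot, FAT, root directory, 3 data clusters."""
    boot, fat, root = bytearray(512), bytearray(512), bytearray(512)
    struct.pack_into("<HBHBHHBH", boot, 11, 512, 1, 1, 1, 16, 6, 0xF8, 1)
    fat[0:9] = bytes([0xF8, 0xFF, 0xFF, 0x03, 0xF0, 0xFF, 0xFF, 0x0F, 0x00])
    body = b"A" * 508 + SIG + b"B" * 81          # marker straddles clusters 2 and 3
    struct.pack_into("<11sB14xHI", root, 0, b"TEST    COM", 0x20, 2, len(body))
    struct.pack_into("<11sB14xHI", root, 32, b"CLEAN   TXT", 0x20, 4, 5)
    return bytes(boot + fat + root) + body.ljust(1024, b"\0") + b"hello".ljust(512, b"\0")
```

Calling `scan(build_image())` reports only the file whose marker spans the cluster boundary, which is why the chain has to be reassembled before matching rather than scanning sector by sector in isolation.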