Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: RADAI@HUJIVMS.BITNET (Y. Radai)
Newsgroups: comp.virus
Subject: Re: Checksumming
Message-ID: <0001.9106181359.AA17901@ubu.cert.sei.cmu.edu>
Date: 17 Jun 91 10:07:00 GMT
Sender: Virus Discussion List
Lines: 50
Approved: krvw@sei.cmu.edu

  Mike Lawrie writes:
>             ... sooner or later this scenario [infecting
>files by performing SCAN while a virus like Plastique is in RAM] will
>re-occur, as you will get hit with a similar type of virus that McAfee
>has not yet catered for, even if you have their very latest version.

  Right; I specifically stated that that could happen, and I mentioned
that in order to prevent such occurrences, you could add a good generic
monitoring program.  You didn't reply to that suggestion.

  But actually, there is a surer solution which I mentioned only later
on in my posting, but which I should have mentioned here also:  If you
want to be certain that such occurrences cannot occur, never run a
program like SCAN or a checksummer except when you are certain that
RAM is clean, i.e. only immediately after booting from a clean
diskette.  (Authors of such programs should mention this; if they don't,
and that apparently includes McAfee, you have a legitimate gripe
against them.)

>                                     A checksummer gives you no
>security whatsoever, because it does not prevent a viral infection.

  True, a checksummer does not prevent infection, but at least it can
*detect* infections, and that's a lot better than no security at all!!
Knowing that certain files are infected, you can restore your files
from backups or use a disinfector, something which you wouldn't do if
the infections were not detected.  Moreover, if the checksummer is
properly designed and implemented, (1) it can detect *all* infections,
and (2) it cannot be neutralized or circumvented by hostile software.
These are advantages that are almost impossible to find in any other
anti-viral software.

  In my opinion, the best software solution is a *combination of
several* programs: a good checksummer (like V-Analyst), a good generic
monitor (like Secure), a known-virus scanner (too many to mention
names), a program which prevents infections through floppy boots (to
be mentioned soon), and more.  I use all of them; the resident programs
don't take up much RAM, and they coexist peacefully (well, most of
them ...).

>Just that our experience that I wished to share was that with a
>checksummer in place and use of SCAN, you can end up with every last
>EXE/COM file on your hard disk looking very sick indeed.

  Quite true ... *if* you don't take the proper precautions.

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL
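
One way to build the detection step discussed in the post above, as an added example (not code from the post or from any product it names): a keyed checksum (HMAC-SHA256) over every EXE/COM file, compared against a stored baseline. The keyed MAC, keeping the key on the clean boot diskette, and all function and file names are assumptions of this example; the check is meant to be run only right after booting from a clean diskette, as the post advises.

```python
import hashlib
import hmac
import os
import tempfile

EXTS = (".exe", ".com")  # executable types named in the post

def file_mac(path, key):
    """HMAC-SHA256 of the file contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def baseline(root, key):
    """Map relative path -> MAC for every executable under root."""
    table = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXTS):
                full = os.path.join(dirpath, name)
                table[os.path.relpath(full, root)] = file_mac(full, key)
    return table

def verify(root, key, known):
    """Compare the current state with a stored baseline."""
    now = baseline(root, key)
    return {
        "modified": sorted(p for p in known if p in now
                           and not hmac.compare_digest(known[p], now[p])),
        "removed": sorted(p for p in known if p not in now),
        "added": sorted(p for p in now if p not in known),
    }

def demo():
    """Constructed sample: three files, one later grows by 16 bytes."""
    key = b"constructed-demo-key"  # assumption: kept on the clean boot diskette
    with tempfile.TemporaryDirectory() as root:
        for name in ("EDIT.COM", "CALC.EXE", "README.TXT"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"constructed contents of " + name.encode())
        known = baseline(root, key)
        with open(os.path.join(root, "CALC.EXE"), "ab") as fh:
            fh.write(b"\x90" * 16)  # stands in for appended foreign code
        return known, verify(root, key, known)

if __name__ == "__main__":
    print(demo()[1])
```

Because the MAC depends on a key that is not stored with the baseline, software that alters a file cannot also write a matching entry into the table without that key.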