Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!ub!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: vail@tegra.com (Johnathan Vail)
Newsgroups: comp.virus
Subject: Re: Scanning infected files (PC)
Message-ID: <0008.9106181359.AA17901@ubu.cert.sei.cmu.edu>
Date: 17 Jun 91 21:17:51 GMT
Sender: Virus Discussion List
Lines: 26
Approved: krvw@sei.cmu.edu

ACDFINN@vm.uoguelph.ca (Finnegan Southey) writes:

   In regards to the problem of anti-viral programs infecting files
   they scan when a memory-resident virus is present:

   Wouldn't it be possible to read disks sector by sector instead of
   opening files through DOS calls? This reading would be much the
   same as a disk editor program. The scanner could consult directory
   listings to find program boundaries and then check appropriate
   areas without opening the files as a file? As I'm not an MS-DOS
   expert I'm not sure if this makes sense, but I thought I'd ask.

Good question, but: wouldn't it be possible for the stealthy virus to
trap the sector I/O and "fix" it to also hide its tracks? Hardware
level I/O is about the only way to go for this and then you still have
to be careful on a 386 where the MMU can trap hardware accesses.

jv

"Always Mount a Scratch Monkey"
 _____
|     | Johnathan Vail | n1dxg@tegra.com
|Tegra| (508) 663-7435 | N1DXG@448.625-(WorldNet)
 -----  jv@n1dxg.ampr.org {...sun!sunne ..uunet}!tegra!vail