Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!lll-winken!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CHESS@YKTVMV.BITNET (David.M.Chess)
Newsgroups: comp.virus
Subject: Re: Virus scanners (PC)
Message-ID: <0001.9106201437.AA20289@ubu.cert.sei.cmu.edu>
Date: 18 Jun 91 15:53:35 GMT
Sender: Virus Discussion List
Lines: 18
Approved: krvw@sei.cmu.edu

>Date: Mon, 17 Jun 91 13:05:00 -0400
>From: Al Woodhull

>The new files contain all of the infected code and so are
>good test targets, but since there is no way to execute the infected
>code it is essentially just a block of data.

They aren't necessarily good test targets.  "Bulk" scanners (like
IBM's), that look through every byte of every file for patterns, will
identify them as infected, but scanners that look at, for instance,
specific areas based on the file's entrypoint will not see them as
infected, even if they work fine on actually-infected files.  I
believe Alan Solomon's Anti-Virus Toolkit (I may have the name wrong)
is of the latter kind, for instance.  So if a scanner doesn't see
those files as infected, it doesn't necessarily mean that it wouldn't
see a normally-infected file as such...

DC
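
The distinction drawn in the reply above, as an added example that is not part of the original post and is not the code of any scanner it names: a bulk scan and an entry-point scan run over two constructed .COM-style images, one with a jump into appended code and one that only carries the same bytes as data. The signature bytes, the window size, the jump-following rule and all function names are assumptions made for illustration.

```python
# Added illustration; not code from the original post or from any product it names.
import struct

SIGNATURE = bytes.fromhex("deadbeef1337c0de")  # constructed pattern, not a real virus signature
WINDOW = 64  # hypothetical: number of bytes examined from the entry point onward

def bulk_scan(image: bytes) -> bool:
    """Look through every byte of the file for the pattern."""
    return SIGNATURE in image

def entry_offset(image: bytes) -> int:
    """File offset where execution effectively starts in a .COM-style image.

    Execution begins at file offset 0; if the first instruction is a near
    JMP (E9 rel16) or a short JMP (EB rel8), follow it once.
    """
    if len(image) >= 3 and image[0] == 0xE9:
        (rel,) = struct.unpack_from("<h", image, 1)
        target = 3 + rel
    elif len(image) >= 2 and image[0] == 0xEB:
        (rel,) = struct.unpack_from("<b", image, 1)
        target = 2 + rel
    else:
        return 0
    # A jump that lands outside the file is malformed; fall back to offset 0.
    return target if 0 <= target < len(image) else 0

def entry_scan(image: bytes) -> bool:
    """Look only at a window that starts at the entry point."""
    start = entry_offset(image)
    return SIGNATURE in image[start:start + WINDOW]

def make_samples():
    host = b"\x90" * 200 + b"\xC3"            # constructed host: NOPs, then RET
    body = b"\x90" * 8 + SIGNATURE + b"\xC3"  # constructed stand-in for appended code
    # "Actually infected" layout: first 3 host bytes replaced by a JMP to the body.
    jmp = b"\xE9" + struct.pack("<h", len(host) - 3)
    infected = jmp + host[3:] + body
    # Test-file layout from the quoted text: same bytes present, never reached.
    inert = host + body
    return infected, inert

if __name__ == "__main__":
    for name, img in zip(("infected", "inert"), make_samples()):
        print(f"{name:9} bulk={bulk_scan(img)} entry={entry_scan(img)}")
```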