Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!lll-winken!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Newsgroups: comp.virus
Subject: Re: Checksumming
Message-ID: <0006.9106201437.AA20289@ubu.cert.sei.cmu.edu>
Date: 18 Jun 91 19:17:36 GMT
Sender: Virus Discussion List
Lines: 72
Approved: krvw@sei.cmu.edu

>From: Y. Radai
> Mike Lawrie writes:
>> ... sooner or later this scenario [infecting
>> files by performing SCAN while a virus like Plastique is in RAM] will
>> re-occur, as you will get hit with a similar type of virus that McAfee
>> has not yet catered for, even if you have their very latest version.
> Right;

First, organizations have been woefully lacking in training of personnel expected to deal with malicious software (a management problem). Our technicians get two days of targeted training before being certified to respond to suspected viruses.

That said, since employees are instructed to power down and quarantine any PC suspected of having a virus, the first action after questioning the employee for symptoms is to cold boot from a write-protected floppy and check the system out in that manner, including a "scan" of the disk and examination of the MBR and DOS Boot Record. Only if that comes up negative is the PC allowed to boot itself.

At this point the system integrity is repeatedly validated using MEM/DEBUG and CHKDSK to determine if something is trying to go resident. At this point, McAfee's SCAN is often used in a different way: the command "SCAN NUL /M" results in only memory (no files) being checked for all viruses it knows about. If this fails then file comparisons are done and the audit trails are checked (all PCs including employees' home machines are authorized to use a site-licensed checksumming program).
Again a layered approach by trained personnel is necessary to protect against the sort of global disaster mentioned (incidentally, during my training session at the CSI Conference in Denver, I thoroughly infected the demo PC with the 4096 only to discover that there was no 5 1/4 boot floppy to use for recovery - had several 3 1/2s for the laptop, but no 5 1/4s. Entertaining.)

BTW the McAfee product .DOCs do mention in several places the advisability of booting from a known clean, write-protected floppy first.

>> A checksummer gives you no
>> security whatsoever, because it does not prevent a viral infection.
> True, a checksummer does not prevent infection, but at least it can
> *detect* infections, and that's a lot better than no security at all!!

Depends on the checksummer - the one we use performs the checksum routine on any program presented for execution. If the program is not known to the audit trail, a screen warns the user that the program is unknown. Depending on the setting, the user may or may not be permitted to execute the program. I suppose that this really comes under the heading of access control but should be part of any integrity management solution.

> ... a program which prevents infections through floppy boots (to
> be mentioned soon)...

I believe that VSHIELD protects from hot-boots now - do not believe that prevention from cold boots can be done without hardware or special BIOS. My next project now that DISKSECURE is essentially complete will be a small addition to warn the user on boot if a floppy is in the drive - should not be difficult or require much code (trap ctrl-alt-del, check for floppy, write warning message, loop for response); several viruses make use of this technique already so it cannot be too difficult (famous last words).

Cooly (a/c working again)
Padgett
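Editor's note: the post describes a checksummer that hashes every program "presented for execution", warns when the program is not in the audit trail, and allows or refuses it depending on a setting. The following Python sketch is an added illustration of that audit-trail logic; it is not the site-licensed product the poster used, nor any McAfee code. The program names, file contents, SHA-256 as the checksum routine, and the `allow_unknown` policy flag are all assumptions made for this example.

```python
"""
Integrity audit trail in the spirit of the post: a baseline of program
checksums is recorded on a verified-clean system; afterwards every program
presented for execution is hashed and classified as unchanged, modified
(possible infection) or unknown (allowed or refused by policy).
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict

# Constructed stand-ins for .COM/.EXE images on a DOS PC; names and bytes
# are invented for this example and carry no meaning beyond it.
SAMPLE_PROGRAMS: Dict[str, bytes] = {
    "COMMAND.COM": b"\xE9\x10\x00" + b"A" * 64,
    "SCAN.EXE": b"MZ" + b"B" * 128,
    "EDIT.COM": b"\xB8\x00\x4C\xCD\x21",
}


def checksum(image: bytes) -> str:
    """SHA-256 is an assumption here; the post does not say which routine the
    site-licensed checksummer used. Any collision-resistant hash works the same way."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class AuditTrail:
    """Known program checksums plus the policy applied to unknown programs."""
    allow_unknown: bool = False          # hypothetical 'setting' from the post
    known: Dict[str, str] = field(default_factory=dict)

    def record(self, name: str, image: bytes) -> None:
        """Add or refresh a program's checksum. Only do this after the cold-boot
        check described in the post has come up clean, or the baseline itself
        may record an infected file as 'known good'."""
        self.known[name] = checksum(image)

    def check(self, name: str, image: bytes) -> str:
        """Classify a program presented for execution.

        Returns 'ok', 'modified', 'unknown-allowed' or 'unknown-refused'.
        """
        expected = self.known.get(name)
        if expected is None:
            # Not in the audit trail: the user is warned; execution depends on policy.
            return "unknown-allowed" if self.allow_unknown else "unknown-refused"
        if checksum(image) != expected:
            # Known name, different contents: flag for investigation.
            return "modified"
        return "ok"


def build_baseline(programs: Dict[str, bytes], allow_unknown: bool = False) -> AuditTrail:
    """Record every program in `programs` into a fresh audit trail."""
    trail = AuditTrail(allow_unknown=allow_unknown)
    for name, image in programs.items():
        trail.record(name, image)
    return trail


def tamper(image: bytes) -> bytes:
    """Constructed modification standing in for any change to a file's bytes
    (an appended infector, a patched byte). The checksum comparison does not
    care what changed, only that something did."""
    return image + b"\x90"


def demo() -> Dict[str, str]:
    """Run three representative checks against a baseline built from the samples."""
    trail = build_baseline(SAMPLE_PROGRAMS)
    return {
        "COMMAND.COM": trail.check("COMMAND.COM", SAMPLE_PROGRAMS["COMMAND.COM"]),
        "SCAN.EXE": trail.check("SCAN.EXE", tamper(SAMPLE_PROGRAMS["SCAN.EXE"])),
        "NEWGAME.COM": trail.check("NEWGAME.COM", b"MZ" + b"C" * 32),
    }


if __name__ == "__main__":
    for program, verdict in demo().items():
        print(f"{program:12s} {verdict}")
```

The `modified` verdict is the detection the quoted exchange argues about: the checksummer cannot stop the write, but it does notice the changed file before it runs again. The `unknown-*` verdicts are the access-control behaviour the poster describes, and the comment on `record` captures the ordering the post insists on, namely that the baseline is only trustworthy if it was taken after a clean cold boot.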