Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!zaphod.mps.ohio-state.edu!wuarchive!ukma!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Re: virus detection by scanners ? (PC)
Message-ID: <0012.9106201437.AA20289@ubu.cert.sei.cmu.edu>
Date: 19 Jun 91 08:22:54 GMT
Sender: Virus Discussion List
Lines: 42
Approved: krvw@sei.cmu.edu

hermann@uran.informatik.uni-bonn.de (Hermann Stamm) writes:

> - what other scanner should I try for these versions ?

It does not matter - you will get practically the same results. My
scanner may detect some of those SCAN missed or vice versa, but that is
not important. What is important is that you cannot expect a scanner to
detect a modified virus. It may work, or it may not, but there is
absolutely no guarantee. A scanner is designed to detect existing
viruses, not new ones or new variants of older viruses, although some
scanners may detect some new variants of some viruses.

> - is it true, that any scanner must try to look at the
> semantics of such decoders, and not at the shape ?

Well, if it looked at something else, it would not be a scanner.... :-)

Don't misunderstand me - there are programs which may look at the 1701
virus, or some of your modified variants, and report something like:

    This program seems to contain additional code at the end, which
    starts by performing decryption of itself. This is typical of a
    virus.

But, a program like this is not a scanner - it is a generic analysis
tool, unable to identify viruses - it just reports anything
"suspicious".

> - which systems are good by looking at the length of
> files and reporting differences ?

Differences between what ?

> - Is the following behaviour possible for a virus:
>
> After getting resident, it forces to do a warm-start
> with ctrl-alt-del, and then it copies itself to all
> .com-files encountered during rebooting
> (like command.com, ...).

No - it is not possible.
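The two points the post makes, that a scanner matches the shape of a known virus and so misses a modified variant, and that "reporting differences" only means something against a recorded baseline, as an added example that is not part of the original thread; every byte pattern, file name and file body in it is a constructed placeholder, not real virus code or a real signature.

```python
"""Signature scanning vs. baseline integrity checking (constructed demo).

All byte patterns, file names and contents below are constructed
placeholders, not real virus code or real signatures.
"""
import hashlib

# Constructed "signature": the byte pattern a scanner looks for in
# files infected by one specific, already known virus version.
KNOWN_SIGNATURE = b"\xDE\xAD\xBE\xEF\x13\x37"

def scan_for_signature(data, signature=KNOWN_SIGNATURE):
    """A scanner matches the shape of a known virus: an exact byte string."""
    return signature in data

def make_baseline(files):
    """Record length and SHA-256 of each file while the system is known clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}

def report_differences(baseline, files):
    """Integrity check: 'differences between what?' means the file now
    versus the same file when the baseline was recorded."""
    changed = []
    for name, data in files.items():
        old = baseline.get(name)
        if old is None:
            changed.append(f"{name}: new file, not in baseline")
            continue
        old_len, old_hash = old
        if len(data) != old_len:
            changed.append(f"{name}: length {old_len} -> {len(data)}")
        elif hashlib.sha256(data).hexdigest() != old_hash:
            changed.append(f"{name}: same length, contents changed")
    return changed

# Constructed sample files: the clean originals, then copies with the known
# pattern appended and with a one-byte modified variant appended.
CLEAN = {"PROG1.COM": b"\xB4\x4C\xCD\x21" * 4, "PROG2.COM": b"\x90" * 20}
INFECTED = {
    "PROG1.COM": CLEAN["PROG1.COM"] + KNOWN_SIGNATURE,
    "PROG2.COM": CLEAN["PROG2.COM"] + b"\xDE\xAD\xBE\xEF\x13\x38",
}

def demo():
    """Return (scanner verdicts, integrity report) for the constructed files."""
    baseline = make_baseline(CLEAN)
    hits = {n: scan_for_signature(d) for n, d in INFECTED.items()}
    return hits, report_differences(baseline, INFECTED)
```

Calling demo() shows the scanner flagging only PROG1.COM, while the baseline comparison reports the length change in both files, including the variant the signature no longer matches.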