Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!lll-winken!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw From: p1@arkham.wimsey.bc.ca (Rob Slade) Newsgroups: comp.virus Subject: doom2:reply (PC) Message-ID: <0007.9106281824.AA04058@ubu.cert.sei.cmu.edu> Date: 27 Jun 91 18:52:28 GMT Sender: Virus Discussion List Lines: 33 Approved: krvw@sei.cmu.edu Eric_Florack.Wbst311@xerox.com writes: > Ross says: > - -=-=- > The signature a scanner uses is of no use to a bad guy unless he or > she already has the subject virus on hand, in any case. > =-=-=- > Of course not. My point in this case was the person doing the altering > to routre around your code being the original author. Moreover, we > have seen several varieties of a particular virus around, indicating While this arguement has some validity, I would suggest that it only serves to reinforce a point made before in this forum, and which I very strongly emphasize in my seminars and consulting. The "my scanner is better than your scanner, nyaah" school of evaluation misses a vital point: any two scanners are better than either alone. Even though I feel that Ross's product is one of the best on the market, and I use it myself for my own testing and protection, I would hate to see the day when it became the only one available. As Ross has pointed out, no matter how well strings are encrypted, eventually someone will break the code, and then it is a trivial matter to write a virus that circumvents that package. However, with a number of scanner packages on the market (and even I don't have them all), the author of a virus can never know which package his code will have to go up against. ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security