Newsgroups: comp.sys.mac
Path: utzoo!utgpu!jarvis.csri.toronto.edu!csri.toronto.edu!dudek
From: dudek@csri.toronto.edu (Gregory Dudek)
Subject: Re: Shareware and viruses
Message-ID: <8803232317.AA01469@baldwin.csri.toronto.edu>
Keywords: shareware viruses protection
Organization: University of Toronto, CSRI
References: <2157@ll1a.UUCP>
Date: Wed, 23 Mar 88 18:17:34 EST

In article <2157@ll1a.UUCP> markn@ll1a.UUCP (Mark Nettleingham) writes:
>
>    While pondering the many postings to this group about
>viruses, and the shareware problem (not enough people register and
>pay for shareware programs). It occurred to me that there may be a
>way to solve both problems at once. Or at least improve the current
>situation.
>
>    What we need is:
>
>    1. A data base of check sums (CRC, whatever) for each of the
>       programs on a system.
>
>    2. A program that will maintain and update this data base.
.....

There may be a simpler solution to the virus problem. There are only a
few "easy" ways for a virus to infect a system. By checking these, the
virus creation problem becomes much trickier for those nasty people &
hence cuts a lot of them out.

In order for a virus to escape the original code it comes in, and hence
become a problem, it has to install itself in another piece of code that
will get executed. Problem code that just acts messy without installing
itself elsewhere is annoying but the real furor over these viruses is
that they replicate themselves all over the place. There are only a
limited number of ways to do this, for example:

 - add/change an INIT/CDEV etc in the system file
 - modify an application other than itself
 - etc (no use giving nasty people ideas)

Now, it strikes me that catching resource modifications in these places
isn't that tough a job. A real quick & dirty virus trap could just
sublaunch the suspect code while the appropriate traps are being
monitored. For smarter viruses that might only install themselves
randomly, an INIT would have to be constructed. Such an INIT could look
for resource modification of the above sort and bring up an alert that
might allow the user to validate/invalidate such accesses from a given
application. One hassle is if this happens before QuickDraw is
initialized -- how do you bring up the alert? Well, there's a fix to
this, I promise...

Anyhow, does this sound workable? It ain't too hard to do, but I sure
don't have time. Anybody wanna volunteer?

Greg Dudek
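
Added example (not part of the original post, and not Macintosh Toolbox code): a model of the decision logic the post describes, in which resource-write events are checked against the two listed routes and the user's validate/invalidate answer is remembered per application. The event fields, the `ResourceWriteMonitor` class, and all file and application names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Resource types the post names as startup code in the system file.
STARTUP_TYPES = {"INIT", "CDEV"}

@dataclass(frozen=True)
class ResourceWrite:          # hypothetical event record
    writer: str               # application making the change
    target: str               # file whose resources are modified
    rtype: str                # four-character resource type
    is_app: bool              # True when the target is an application

@dataclass
class ResourceWriteMonitor:   # hypothetical monitor
    system_file: str = "System"
    decisions: dict = field(default_factory=dict)  # writer -> validated?

    def classify(self, ev):
        """Return why an event is suspicious, or None if it is not."""
        if ev.target == self.system_file and ev.rtype.upper() in STARTUP_TYPES:
            return "adds/changes startup code in the system file"
        if ev.is_app and ev.target != ev.writer:
            return "modifies an application other than itself"
        return None

    def handle(self, ev, ask_user):
        """Return 'allow' or 'block'; ask_user runs at most once per writer."""
        reason = self.classify(ev)
        if reason is None:
            return "allow"
        if ev.writer not in self.decisions:
            self.decisions[ev.writer] = ask_user(ev, reason)
        return "allow" if self.decisions[ev.writer] else "block"

def run_constructed_sample():
    # Constructed events: a trusted installer, a program that tampers with
    # the system file and another application, and two ordinary writes.
    events = [
        ResourceWrite("Installer", "System", "INIT", False),
        ResourceWrite("FreeGame", "System", "cdev", False),
        ResourceWrite("FreeGame", "MacWrite", "CODE", True),
        ResourceWrite("MacWrite", "MacWrite", "STR#", True),
        ResourceWrite("FreeGame", "Scores", "DATA", False),
    ]
    prompts = []
    def ask_user(ev, reason):            # stand-in for the alert's answer
        prompts.append((ev.writer, reason))
        return ev.writer == "Installer"
    monitor = ResourceWriteMonitor()
    return [monitor.handle(ev, ask_user) for ev in events], prompts
```

Only the first suspicious write from each application raises a prompt; later suspicious writes from the same application reuse the recorded answer.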