Path: utzoo!utgpu!watmath!clyde!att!pacbell!ames!mailrus!cornell!uw-beaver!fluke!kurt
From: kurt@tc.fluke.COM (Kurt Guntheroth)
Newsgroups: comp.sys.amiga
Subject: Re: IRQ virus
Message-ID: <6546@fluke.COM>
Date: 11 Jan 89 17:20:24 GMT
Sender: news@tc.fluke.COM
Organization: John Fluke Mfg. Co., Inc., Everett, WA
Lines: 32

The major problem with anti-virus tools is that once their action is known, they can be got around. The virus either hides in a new and previously untested way, or it actively attacks the immune system (what a wonderful analogy) by killing, maiming or subverting the anti-virus program.

Of all the suggestions I have heard so far, the only one that seems to me to be practical is doing a size and checksum on system programs. This is a good plan because it is difficult to defeat by virii that simply hide. If anyone does a program like this, there are some things to remember:

1. For safety's sake, the checker program must not have its own name or the names of any data files it uses compiled in. That is, the names must be set when it is invoked (as in command line args or tooltypes). Otherwise, virii can identify the program by knowing its name and delete or subvert it. Same thing for the data file.

2. Ideally, even the length of the program should be variable, perhaps using an initialization program, to make identification more difficult for the virus author.

3. The inner workings of the program should not be publicized. This will give a brief respite before it is decoded by the virus authors.

4. It is important that people know and trust the disseminator of the program and the distribution system as well. What a wonderful way to insert a new virus -- by claiming it offers immunity.

It will not be possible to eliminate virii from computers completely, either now or in the future. The features of an OS that make it usable also make it susceptible to attack by a malicious program.
Hopefully we can make such programs more difficult, so that would-be computer vandals and crackers decide to stick to more traditional forms of vandalism, like writing "IBM Sucks Silicon" on walls of computer centers.
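As an added illustration of the size-and-checksum checker proposed above (this is example code written for this page, not anything Kurt posted), the script below takes every file name from the command line, as point 1 requires, records each program's length and digest in a baseline, and later reports which programs are missing, have grown, or have been patched in place. SHA-256 stands in for the post's generic "checksum"; the baseline format and the chunk size are my own choices.

```python
import hashlib
import os
import sys

def fingerprint(path):
    """Return (size in bytes, SHA-256 hex digest) of a file, read in chunks."""
    h, size = hashlib.sha256(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            size += len(chunk)
            h.update(chunk)
    return size, h.hexdigest()

def write_baseline(baseline_path, paths):
    """Record "<size> <digest> <path>" per program; run once on a known-clean system."""
    with open(baseline_path, "w") as out:
        for p in paths:
            size, digest = fingerprint(p)
            out.write(f"{size} {digest} {p}\n")

def load_baseline(baseline_path):
    """Parse the baseline back into {path: (size, digest)}."""
    with open(baseline_path) as f:
        rows = (line.rstrip("\n").split(" ", 2) for line in f if line.strip())
        return {p: (int(size), digest) for size, digest, p in rows}

def check(baseline_path):
    """Compare each recorded program with the baseline and return
    {path: "ok" | "missing" | "size changed" | "content changed"}.
    A virus that appends itself trips the size test; one that patches
    bytes in place keeps the size and trips only the checksum."""
    results = {}
    for p, (size, digest) in load_baseline(baseline_path).items():
        if not os.path.exists(p):
            results[p] = "missing"
            continue
        cur_size, cur_digest = fingerprint(p)
        if cur_size != size:
            results[p] = "size changed"
        elif cur_digest != digest:
            results[p] = "content changed"
        else:
            results[p] = "ok"
    return results

if __name__ == "__main__":  # names only from argv (point 1): init BASELINE PROG... | check BASELINE
    if sys.argv[1] == "init":
        write_baseline(sys.argv[2], sys.argv[3:])
    else:
        print("\n".join(f"{s:16s} {p}" for p, s in check(sys.argv[2]).items()))
```

Keep the baseline on a write-protected disk: a checker whose data file can be rewritten by the same process that rewrites the programs proves nothing.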