Xref: utzoo comp.sys.ibm.pc:27051 comp.binaries.ibm.pc.d:2552
Path: utzoo!mnetor!perle!kevin
From: kevin@perle.UUCP (Kevin Pickard)
Newsgroups: comp.sys.ibm.pc,comp.binaries.ibm.pc.d
Subject: PC Vaccination programs
Message-ID: <552@perle.UUCP>
Date: 5 Apr 89 13:27:39 GMT
Reply-To: kevin@perle.UUCP (Kevin Pickard)
Organization: Perle Systems Limited Scarborough, Ontario, Canada
Lines: 52

Anyone out there have any experience with vaccination programs for IBM Compatible PCs? In particular, I am looking for something that can detect modified or corrupted files on a system that may have been infected with a virus. It would also be nice if the program could detect corruption as it happens (maybe as a TSR).

So far, I have seen the following programs:

Antidote    This program is from Quaid Software here in Toronto and it does a pretty good job. It computes a CRC for the specified files and writes this information out to disk. When run again in "examine" mode, it recomputes the checksums and compares them with the recorded values. Any differences are flagged.

FILECRC     This program is from USENET. It also computes checksums and records them to disk. A separate program called COMPARE must then be run to verify the checksums. Again differences are flagged.

Both of these programs use a CRC method for catching modified files. The program "Antidote" appears faster and has a cleaner user interface. It only uses one program and maintains a single file. It also allows you to specify which files you want to monitor.

The program "FILECRC" appears slower and needs a second program called "COMPARE" to verify the files. The user interface is cruder. It has the advantage of detecting more types of differences though. For example, it also detects file access date/time changes. With this though it also creates more output files (about 5 if I remember).

Unfortunately, both of these programs can be fooled by a virus that knows what CRC is being used. Programs that can vary their method of CRC computation would be more robust.

If anyone has used any of these programs or knows of something similar I would appreciate hearing from you. I will summarize any information I receive.

--
------------------------------ ~~~~~~~ ---------------------------------------
Step 5: After filling needle   | o o | Kevin Pickard
inject vaccine into disk.      |  .  | UUCP: ...!uunet!mnetor!perle!kevin
--------------------------^^^-----------^^^-----------------------------------
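
The record/examine cycle described in the post, as an added example that is not part of the original post and is not the code of Antidote or FILECRC. It stores a plain CRC-32 next to a keyed tag; using HMAC-SHA256 with a per-installation secret key is an assumption standing in for "vary their method of CRC computation", and all function and file names are hypothetical.

```python
import hashlib, hmac, os, tempfile, zlib

def crc_of(path):
    """Plain CRC-32 of a file: the fixed, publicly known checksum."""
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return format(crc & 0xFFFFFFFF, "08x")

def keyed_of(path, key):
    """HMAC-SHA256 of a file under a secret key unique to this installation."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def record(paths, key):
    """Record pass: store the CRC and the keyed tag for each monitored file."""
    return {p: (crc_of(p), keyed_of(p, key)) for p in paths}

def examine(baseline, key):
    """Examine pass: recompute the keyed tag and flag missing or changed files."""
    flagged = {}
    for path, (_crc, tag) in baseline.items():
        if not os.path.exists(path):
            flagged[path] = "missing"
        elif not hmac.compare_digest(keyed_of(path, key), tag):
            flagged[path] = "modified"
    return flagged

def demo():
    """Constructed sample: two files, one altered after the baseline is taken."""
    with tempfile.TemporaryDirectory() as d:
        a, b = os.path.join(d, "COMMAND.COM"), os.path.join(d, "EDIT.EXE")
        for p, data in ((a, b"constructed sample A"), (b, b"constructed sample B")):
            with open(p, "wb") as f:
                f.write(data)
        key = os.urandom(32)                      # secret chosen at install time
        baseline = record([a, b], key)
        with open(b, "ab") as f:
            f.write(b" constructed change")       # simulate a modified program
        flagged = sorted(os.path.basename(p) for p in examine(baseline, key))
        # Same file, different key: the keyed tag differs, the CRC never does.
        tag_differs = keyed_of(a, os.urandom(32)) != baseline[a][1]
        return flagged, tag_differs, crc_of(a) == baseline[a][0]

if __name__ == "__main__":
    print(demo())
```

The key and the recorded table have to be kept where software running on the monitored system cannot read or rewrite them, for instance on a write-protected floppy; that storage choice is an assumption, the post does not discuss it.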