Xref: utzoo comp.sys.ibm.pc:27187 comp.binaries.ibm.pc.d:2591
Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!rutgers!rochester!rit!ultb!ritcsh!dani
From: dani@ritcsh.UUCP (Dani Kadoch)
Newsgroups: comp.sys.ibm.pc,comp.binaries.ibm.pc.d
Subject: Re: PC Vaccination programs
Message-ID: <2719@ritcsh.UUCP>
Date: 7 Apr 89 12:45:44 GMT
References: <552@perle.UUCP>
Reply-To: dani@ritcsh.UUCP (Dani Kadoch)
Followup-To: comp.sys.ibm.pc
Organization: Computer Science House @ RIT - Rochester, NY
Lines: 46

In article <552@perle.UUCP> kevin@perle.UUCP (Kevin Pickard) writes:
> Anyone out there have any experience with vaccination
>programs for IBM Compatible PCs?

The best one I've seen is Flushot+. Even though it is shareware, it is
pretty infallible (sp?). I have tried a few things myself, but the
program catches them. (see below)

> In particular, I am looking
>for something that can detect modified or corrupted
>files on a system that may have been infected with a virus.

It will check any files you specify (typically executables) any time you
run them, using CRC.

>It would also be nice if the program could detect corruption
>as it happens (maybe as a TSR).

It will keep a log of what interrupts are taken by what program, and
pop-up a window saying so if it is not a program you have OKed. Once the
window is up, you can stop or continue the execution of the suspect
program. A similar window will pop-up any time the suspect program tries
to write directly to disk using INT 25 (for HDs) or 13 (floppies.)

> Unfortunately, both of these programs [Quaid Software's Antidote and FILERC from usenet]
> can be fooled by
>a virus that knows what CRC is being used. Programs that
>can vary their method of CRC computation would be more
>robust.

I am not sure if Flushot does this or not, but it also checks the size
of the file, which is bound to be changed with the introduction of a
virus.

I tried writing a couple of programs to see how I could trick flushot,
and get control of the machine, and I succeeded, but I ended up not
being able to do any disk writing without Flushot knowing about it. It
traps all the critical (potentially dangerous) interrupts very well.

I highly recommend this program. Its documentation is _very_ complete
and gives you a good insight about viruses and worms too.

Dani.

--
/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\
> Dani Kadoch @ Computer Science House @ Rochester Institute of Technology <
> USMail: Box 1186 25 Andrews Memorial Dr, Rochester, NY 14623 (716)475-3307 <
> UUCP:..!rochester!rit!ritcsh!dani MCIMail:dani BITNET:dnk8842@ritvax <
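
The file check discussed in the post (file size plus CRC, with the quoted suggestion of varying the CRC method), as an added example that is not part of the original post and is not Flushot+'s code. The function names, the in-memory sample "files", and the choice of the CRC-32C polynomial as the per-installation variation are assumptions made for illustration.

```python
import zlib

STANDARD_POLY = 0xEDB88320    # reflected CRC-32 polynomial (the one zlib uses)
CASTAGNOLI_POLY = 0x82F63B78  # reflected CRC-32C polynomial (assumed site choice)

def crc32(data, poly=STANDARD_POLY):
    """Bitwise reflected CRC-32 with a selectable polynomial."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (poly if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def snapshot(files, poly):
    """Record (size, crc) per file; `files` maps name -> contents."""
    return {name: (len(data), crc32(data, poly)) for name, data in files.items()}

def verify(baseline, files, poly):
    """Return {name: reason} for each file that no longer matches the baseline."""
    findings = {}
    for name, (size, crc) in baseline.items():
        data = files.get(name)
        if data is None:
            findings[name] = "missing"
        elif len(data) != size:          # cheap check first, as in the post
            findings[name] = "size changed"
        elif crc32(data, poly) != crc:   # catches same-size modification
            findings[name] = "crc changed"
    return findings

# Constructed sample "executables": in-memory bytes, not real programs.
ORIGINAL = {
    "COMMAND.COM": b"\xe9\x10\x00" + b"A" * 64,
    "EDIT.EXE": b"MZ" + b"B" * 64,
    "SORT.EXE": b"MZ" + b"C" * 64,
}

def demo(poly=CASTAGNOLI_POLY):
    baseline = snapshot(ORIGINAL, poly)
    current = dict(ORIGINAL)
    current["EDIT.EXE"] = ORIGINAL["EDIT.EXE"] + b"\x90" * 16  # file grew
    current["SORT.EXE"] = b"MZ" + b"C" * 63 + b"D"             # same size, one byte differs
    return verify(baseline, current, poly)

if __name__ == "__main__":
    assert crc32(b"123456789") == zlib.crc32(b"123456789")
    print(demo())
```
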