Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!usc!ucsd!ucselx.sdsu.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: vronay%castor.usc.edu@usc.edu (David Vronay)
Newsgroups: comp.virus
Subject: Re: The Ultimate Anti-Viral Solution?
Message-ID: <0005.9002051554.AA01695@ge.sei.cmu.edu>
Date: 2 Feb 90 19:13:16 GMT
Sender: Virus Discussion List
Lines: 49
Approved: krvw@sei.cmu.edu

Well, the idea of programs containing descriptions of their own activity is nice, but doesn't really solve the problem. After all, all an infecting virus has to do is change these permission files. Or better yet, the virus could patch the code that did these checks so that the code would let this particular virus go through.

If we think about how current virus detection programs "work", they basically do exactly what you described (only, instead of each manufacturer describing the program's behaviour, the burden is on the user). Take SAM, for instance, which can keep track of legal and illegal activities on an application-by-application basis. When it detects illegal activity, it brings up a dialog box that says "Allow", "Deny" and "Learn" (or three similar options). Clicking on "Learn" will change SAM's description of that program to allow that potentially-illegal action in the future. Now, that information is stored in SAM somewhere, where any moderately clever virus could find it and modify it.

Now, let's go one step further and pretend that Symantec made it impossible (via some yet-undiscovered hardware scheme) for SAM to be modified. Now our virus would be forced to use the following piece of pseudo-code:

Step 1: Set the window-manager's port 16,000 pixels to the left
Step 2: Set up dialog-box sniffer code that works at _vblank time.
Step 3: Do illegal virus activity
Step 4: SAM brings up its dialog box, which now appears about 16 feet off the screen due to step 1.
Step 5: The dialog sniffer from step 2 "sees" the dialog and generates a mouse-down event over the "Learn" button.
Step 6: SAM writes the new exception to its special hardware
Step 7: Restore the window-manager's port to its old position.

We have now successfully infected, despite all of super-SAM's hardware whatever.

Let's face it. There is NO WAY WHATSOEVER to make a computer virus-proof, because there is no way that a computer can determine the true intentions of a piece of code. (Which, in turn, is due to the fact that code doesn't HAVE intentions; only the programmer who wrote it has intentions, and guess what? They don't make it through the compile! :-)

We should concentrate our efforts on education, not complex software solutions. After all, computer virii seem more a social problem than a technological one.

- - ice
==================
email replies to: iceman@applelink.apple.com
DISCLAIMER: Not even I subscribe to everything I say
==================
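The post's first objection, that a stored per-application exception list can simply be rewritten by whatever infects the machine, is easy to make concrete. The following is an added example, not code from the post and not SAM's own mechanism: a small rule store of the "Allow / Deny / Learn" kind whose serialized body carries an HMAC-SHA256 tag, so that a direct edit of the rule file (an exception added without going through the verifier) is detected when the rules are next loaded. The application names, action names and key value are constructed for the example; the key is assumed to be held somewhere the monitored programs cannot reach.

```python
import hmac
import hashlib
import json

# Assumption for this example: the key lives somewhere the monitored programs
# cannot read or write (a separate account, or the "special hardware" of the
# post). If it sits beside the rule file on the same writable disk, the tag
# adds nothing, which is exactly the post's point. Value is constructed.
VERIFIER_KEY = b"example-key-held-outside-the-rule-store"


class TamperError(Exception):
    """Raised when the rule store's integrity tag does not match its body."""


def canonical(rules):
    # Sorted keys and sorted action lists give one byte string per rule set,
    # so the tag does not depend on dict or set ordering.
    normalized = {app: sorted(actions) for app, actions in rules.items()}
    return json.dumps(normalized, sort_keys=True, separators=(",", ":")).encode()


def seal_rules(rules, key=VERIFIER_KEY):
    """Serialize a per-application exception list together with its HMAC tag."""
    body = canonical(rules)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"rules": json.loads(body), "tag": tag}).encode()


def open_rules(blob, key=VERIFIER_KEY):
    """Return the rule set, or raise TamperError if body and tag disagree."""
    doc = json.loads(blob)
    body = canonical(doc["rules"])
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison; a missing tag counts as a mismatch.
    if not hmac.compare_digest(expected, doc.get("tag", "")):
        raise TamperError("rule store was modified outside the verifier")
    return {app: set(actions) for app, actions in doc["rules"].items()}


def is_allowed(rules, app, action):
    """The 'Allow'/'Deny' decision: only actions the user taught are permitted."""
    return action in rules.get(app, set())


def learn(rules, app, action):
    """The 'Learn' button: record a new exception for this application."""
    updated = {a: set(v) for a, v in rules.items()}
    updated.setdefault(app, set()).add(action)
    return updated


def demo():
    """Seal a rule set, apply one legitimate 'Learn', then detect a direct edit."""
    # Constructed rule set: one application that has been taught one exception.
    rules = {"WordProcessor": {"write_own_prefs"}}
    blob = seal_rules(rules)

    # A legitimate "Learn" goes through the verifier and is resealed.
    blob = seal_rules(learn(open_rules(blob), "WordProcessor", "open_serial_port"))

    # Simulated unauthorized edit: the rule file is rewritten directly, granting
    # a new exception without the key. The old tag no longer matches the body.
    doc = json.loads(blob)
    doc["rules"].setdefault("SomeOtherApp", []).append("patch_system_file")
    forged = json.dumps(doc).encode()

    try:
        open_rules(forged)
        return False
    except TamperError:
        return True


if __name__ == "__main__":
    print("tampering detected:", demo())
```

The tag only covers the first of the post's two objections. It does nothing against the second (the code doing the check is patched, or the key is read from the same disk and the tag recomputed), and it does nothing against the thought experiment's steps 1 to 7 either, since an exception accepted through a synthesized click on "Learn" is sealed by the verifier itself and is indistinguishable from one the user approved. Integrity of the store and authenticity of the approval are separate properties.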