Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!uwm.edu!lll-winken!decwrl!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: XPUM01@prime-a.central-services.umist.ac.uk (Dr. A. Wood)
Newsgroups: comp.virus
Subject: Universal virus detector / Biological analogy
Message-ID: <0004.9002121648.AA15294@ge.sei.cmu.edu>
Date: 9 Feb 90 16:08:24 GMT
Sender: Virus Discussion List
Lines: 45
Approved: krvw@sei.cmu.edu

There has been much rhubarbiage about the possibility of writing a program which will detect viruses in incoming programs, not only a set list of viruses that it has been told about. I suspect that this is partly motivated by trying to achieve the efficiency of biological immune systems - there have been a few 'biological analogy' articles in Virus-L before.

This analogy will not work - biological immune systems are set up in a different way. Long before birth, all possible antibody-producing cell types appear in the body. As in the womb before birth in the normal case, no foreign matter can get in, everything in the fetus is native and belongs. And, at that stage, every antibody-producing cell that loses its antibody, dies, for it must have lost its antibody by an auto-immune reaction. Thus all auto-immune antibody-producing cell lines are eliminated.

Time passes and the baby is born. Then, any antibody-producing cell that loses its antibody must have lost it to some foreign matter. So it multiplies, and its descendants produce much antibody to combat the invader. After birth, nothing else gets unopposed into the body.

The only way to imitate this in computers is to have an immune program which knows every program which will be run on that computer, and rejects all strange programs. No good! So, is there any point in this email-space-wasting discussion continuing? Bodies have a permitted list and exclude all others; computers have a forbidden list and admit all others. To a computer, a new virus is merely a new program, and some human has to find that it is harmful and then add it to the forbidden list.

Also, any two bodies' cells (except identical twins) have different immunotypes, and attempted grafting fails, thus any bacterium that learns to masquerade as a legal cell of body A, is rejected on trying to invade body B. The computer analogy of this would be for each individual microcomputer's copy of each authorized program to be different.

The only thing that I can suggest is for microcomputer designers to start using the mainframe technique of preventing programs running under ordinary mode from writing to system areas, and for only the suppliers of the computer to be allowed to write system programs which run under everything-permitted mode. That will exclude damaging viruses, but will still allow the sort of virus that merely multiplies and wastes time and storage space.

{A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Fri, 09 Feb 90 15:38:12 GMT
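
The permitted-list versus forbidden-list contrast and the per-machine "immunotype" idea from the post above, as an added Python example that is not part of the original post. The `Machine` class, its keyed tag (HMAC-SHA-256 standing in for "each copy is different") and all sample byte strings are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed byte strings standing in for executable images.
EDITOR = b"constructed: text editor image"
KNOWN_VIRUS = b"constructed: virus a human has already analysed"
NEW_VIRUS = b"constructed: virus nobody has analysed yet"


def digest(program):
    return hashlib.sha256(program).hexdigest()


def forbidden_list_admits(program, forbidden):
    """Forbidden list: admit everything not already recorded as harmful."""
    return digest(program) not in forbidden


def permitted_list_admits(program, permitted):
    """Permitted list: admit only programs enrolled in advance."""
    return digest(program) in permitted


class Machine:
    """Hypothetical machine whose enrolled copies carry a machine-specific tag."""

    def __init__(self, machine_key):
        self._key = machine_key      # secret unique to this machine (assumption)
        self._enrolled = set()

    def _tag(self, program):
        return hmac.new(self._key, program, hashlib.sha256).hexdigest()

    def enroll(self, program):
        tag = self._tag(program)
        self._enrolled.add(tag)
        return tag

    def admits(self, program, presented_tag):
        # The tag must match this machine's own keyed tag for an enrolled program.
        expected = self._tag(program)
        return expected in self._enrolled and hmac.compare_digest(expected, presented_tag)


if __name__ == "__main__":
    forbidden, permitted = {digest(KNOWN_VIRUS)}, {digest(EDITOR)}
    print("forbidden list admits new virus:", forbidden_list_admits(NEW_VIRUS, forbidden))
    print("permitted list admits new virus:", permitted_list_admits(NEW_VIRUS, permitted))
    a, b = Machine(b"constructed key A"), Machine(b"constructed key B")
    tag_a = a.enroll(EDITOR)
    b.enroll(EDITOR)
    print("machine B accepts machine A's tag:", b.admits(EDITOR, tag_a))
```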