Path: utzoo!censor!geac!torsqnt!jarvis.csri.toronto.edu!cs.utexas.edu!uwm.edu!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: Kevin_Haney@NIHDCRT.BITNET
Newsgroups: comp.virus
Subject: Virus signatures & IBM virus scanner (PC)
Message-ID: <0003.9002261315.AA04379@ge.sei.cmu.edu>
Date: 23 Feb 90 15:51:11 GMT
Sender: Virus Discussion List <VIRUS-L@IBM1.CC.Lehigh.EDU>
Lines: 36
Approved: krvw@sei.cmu.edu

With regard to Gerry Santoro's question about the IBM virus scanning
program, the author, Bill Arnold, is constantly updating the program,
improving its performance and including new viral signatures.  The
current version is 1.37 which scans for 58 different signatures and I
assume that if you have an older one you can get an update from IBM.

There is a facility in the program that gives you the ability to add
new viruses to be scanned for by constructing a text file
(ADDENDA.LST) containing the signatures of new viruses.  However, I do
not know of any central place where these signatures can be obtained.
While it is a valid concern that posting signatures may cause virus
authors to change them to create undetectable mutant viruses, I think
this is offset by the need to be able to update a scanning program
rapidly when a new virus is found.  (It is also possible to choose
signatures that cannot be changed without rewriting the whole virus
program.)

Is there in fact a publicly accessible system where new virus
signatures can be found?  If not, it seems that this digest would be a
good place to post such signatures as long as they come form a
reputable and verifiable source.  What do others think?

[Ed. There are a few problems with posting virus signatures.  First,
many developers choose, and indeed prefer, to use in-house developed
signatures.  Second, some viruses cannot be detected by "traditional"
signature scans.  There are more problems, I'm sure.  Still, I'm not
at all opposed to people posting virus signatures, just as long as
everyone realizes the limitations of these signatures.]

    _________________________________________________________
   |                                                         |
   |       Kevin Haney, Computer Specialist                  |
   |       Division of Computer Research and Technology      |
   |       National Institutes of Health                     |
   |       BITNET - Kevin_Haney@NIHDCRT.BITNET               |
   |_________________________________________________________|