What is the best protection policy for my computer?

There is no "best" anti-virus policy. In particular, there is no program that can magically protect you against all viruses. But you can design an anti-virus protection strategy based on multiple layers of defense. There are three main kinds of anti-viral software, plus several other means of protection (such as hardware write-protect methods).

  1. GENERIC MONITORING programs. These try to prevent viral activity before it happens, such as attempts to write to another executable, reformat the disk, etc. Examples: SECURE and FluShot+ (PC), and GateKeeper (Macintosh).

  2. SCANNERS. Most look for known virus strings (byte sequences which occur in known viruses, but hopefully not in legitimate software) or patterns, but a few use heuristic techniques to recognize viral code. A scanner may be designed to examine specified disks or files on demand, or it may be resident, examining each program which is about to be executed. Most scanners also include virus removers. Examples: FindViru in Dr Solomon's Anti-Virus Toolkit, FRISK's F-Prot, McAfee's VIRUSCAN (all PC), Disinfectant (Macintosh). Resident scanners: McAfee's V-Shield, and VIRSTOP. Heuristic scanners: the Analyse module in FRISK's F-PROT package, and SCANBOOT.

  3. INTEGRITY CHECKERS or MODIFICATION DETECTORS. These compute a small "checksum" or "hash value" (usually CRC or cryptographic) for files when they are presumably uninfected, and later compare newly calculated values with the original ones to see if the files have been modified. This catches unknown viruses as well as known ones and thus provides *generic* detection. On the other hand, modifications can also be due to reasons other than viruses. Usually, it is up to the user to decide which modifications are intentional and which might be due to viruses, although a few products give the user help in making this decision. Two caveats: a plain CRC is easy to forge (a virus can pad its code so that the CRC comes out unchanged), so a cryptographic hash, ideally keyed with a secret, is preferable; and the stored checksums are themselves a target, so the baseline should be taken on a machine known to be clean and kept off-line or on write-protected media. As in the case of scanners, integrity checkers may be called to checksum entire disks or specified files on demand, or they may be resident, checking each program which is about to be executed (the latter is sometimes called an INTEGRITY SHELL). A third implementation is as a SELF-TEST, i.e. the checksumming code is attached to each executable file so that it checks itself just before execution. Examples: Fred Cohen's ASP Integrity Toolkit (commercial), and Integrity Master and VDS (shareware), all for the PC.

    1. A few modification detectors come with GENERIC DISINFECTION. I.e., sufficient information is saved for each file that it can be restored to its original state in the case of the great majority of viral infections, even if the virus is unknown. Examples: V-Analyst 3 (BRM Technologies, Israel), marketed in the US as Untouchable (by Fifth Generation), and the VGUARD module of V-care.
Of course, only a few examples of each type have been given. All of them can find their place in the protection against computer viruses, but you should appreciate the limitations of each method, along with system-supplied security measures that may or may not be helpful in defeating viruses. Ideally, you would arrange a combination of methods that cover the loopholes between them.
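As an added illustration of item 3 and of the generic-disinfection variant (this is not code from any of the products named above), the Python sketch below keeps a keyed SHA-256 baseline together with each file's original length and first 16 bytes, reports new, missing and modified files, and attempts the appending-infection repair: truncate to the original length, put the saved header back, accept the result only if it verifies. The files, the key and the "infection" are all constructed in memory; the infection model merely rewrites the first three bytes and appends a blob and contains no virus code. Note that on a system without memory protection a resident virus could read the key, which is why the caveat above says to keep the baseline off the machine.

```python
import hashlib
import hmac
from typing import Dict, Optional

HEADER_BYTES = 16           # how much of each file's start the baseline saves for repair
KEY = b"baseline-secret"    # assumed secret; keep it off the machine being checked


def fingerprint(data: bytes) -> str:
    # Keyed hash. A virus that changes a file cannot recompute this without the key,
    # whereas a plain CRC can be fixed up by padding the file.
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def take_baseline(files: Dict[str, bytes]) -> Dict[str, dict]:
    """Record, for each presumably clean file, its keyed hash plus the data needed
    to undo an appending infection: the original length and the original header."""
    return {name: {"mac": fingerprint(data),
                   "length": len(data),
                   "header": data[:HEADER_BYTES]}
            for name, data in files.items()}


def check(files: Dict[str, bytes], baseline: Dict[str, dict]) -> Dict[str, str]:
    """Classify every name as 'ok', 'modified', 'new' or 'missing'."""
    report = {}
    for name in set(files) | set(baseline):
        if name not in baseline:
            report[name] = "new"
        elif name not in files:
            report[name] = "missing"
        elif hmac.compare_digest(fingerprint(files[name]), baseline[name]["mac"]):
            report[name] = "ok"
        else:
            report[name] = "modified"
    return report


def generic_disinfect(data: bytes, entry: dict) -> Optional[bytes]:
    """Undo an appending infection without knowing the virus: truncate to the
    original length, restore the saved header, and accept the result only if it
    verifies against the keyed hash. Returns None when that fails (an overwriting
    or prepending virus, or simply a legitimate change to the file)."""
    if len(data) < entry["length"]:
        return None
    candidate = entry["header"] + data[len(entry["header"]):entry["length"]]
    if hmac.compare_digest(fingerprint(candidate), entry["mac"]):
        return candidate
    return None


def model_appending_infection(program: bytes, body: bytes) -> bytes:
    # Constructed stand-in for the layout an appending COM infector leaves behind:
    # a 3-byte jump (E9 rel16) over the original code to the appended body.
    # The body is an arbitrary blob here, not executable code.
    jump = b"\xe9" + ((len(program) - 3) % 65536).to_bytes(2, "little")
    return jump + program[3:] + body


def demo() -> dict:
    # Constructed "files"; the bytes are arbitrary.
    clean_edit = b"\xb4\x09\xba\x00\x01\xcd\x21\xc3" + b"A" * 100
    files = {
        "EDIT.COM": clean_edit,
        "WP.EXE": b"MZ" + b"B" * 300,
        "REPORT.TXT": b"quarterly figures for the first half of the year",
    }
    baseline = take_baseline(files)            # taken while the files are clean

    files["EDIT.COM"] = model_appending_infection(files["EDIT.COM"], b"\x90" * 40)
    files["REPORT.TXT"] = b"quarterly figures for the second half of the year"  # legitimate edit
    files["NEW.COM"] = b"\xc3"
    del files["WP.EXE"]

    report = check(files, baseline)
    repaired = generic_disinfect(files["EDIT.COM"], baseline["EDIT.COM"])
    not_repairable = generic_disinfect(files["REPORT.TXT"], baseline["REPORT.TXT"])
    return {
        "report": report,
        "edit_restored": repaired == clean_edit,   # the appending infection is undone
        "report_untouched": not_repairable is None,  # the edited text file is left alone
    }


if __name__ == "__main__":
    for name, status in sorted(demo()["report"].items()):
        print(f"{name:12} {status}")
```

The repair only succeeds when the infected file still contains the original bytes beyond the saved header, which is the case for the common appending infectors; anything else fails verification and is reported as modified rather than "repaired" into something wrong.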

A typical PC installation might include a protection system on the hard disk's MBR to protect against viruses at load time (ideally this would be hardware or in BIOS, but software methods such as DiskSecure and PanSoft's Immunise are pretty good). This would be followed by resident virus detectors loaded as part of the machine's startup (CONFIG.SYS or AUTOEXEC.BAT), such as FluShot+ and/or VirStop together with ScanBoot. A scanner such as F-Prot or McAfee's SCAN could be put into AUTOEXEC.BAT to look for viruses as you start up, but this may be a problem if you have a large disk to check (or don't reboot often enough). Most importantly, new files should be scanned as they arrive on the system. If your system has DR DOS installed, you should use the PASSWORD command to write-protect all system executables and utilities. If you have Stacker or SuperStore, you can get some improved security from these compressed drives, but also a risk that those viruses stupid enough to directly write to the disk could do much more damage than normal; using a software write-protect system (such as provided with Disk Manager or Norton Utilities) may help, but the best solution (if possible) is to put all executables on a disk of their own, protected by a hardware read-only system that sounds an alarm if a write is attempted.

If you do use a resident boot-sector-infector (BSI) detector or a scan-while-you-copy detector, it is important to trace any infected diskette back to its source. Viruses survive so well precisely because this usually cannot be done: with most people's lax scanning policies, the infection is found long after the infecting diskette has been forgotten.

Organizations should devise and implement a careful policy, that may include a system of vetting new software brought into the building and free virus detectors for home machines of employees/students/etc who take work home with them.

Other anti-viral techniques include:

  1. Creation of a special MBR to make the hard disk inaccessible when booting from a diskette (the latter is useful since booting from a diskette will normally bypass the protection in the CONFIG.SYS and AUTOEXEC.BAT files of the hard disk). Example: GUARD.
  2. Use of Artificial Intelligence to learn about new viruses and extract scan patterns for them. Examples: V-Care (CSA Interprint, Israel; distributed in the U.S. by Sela Consultants Corp.), Victor Charlie (Bangkok Security Associates, Thailand; distributed in the US by Computer Security Associates).
  3. Encryption of files (with decryption before execution).

Is it possible to protect a computer system with only software?

Not perfectly; however, software defenses can significantly reduce your risk of being affected by viruses WHEN APPLIED APPROPRIATELY. All virus defense systems are tools - each with their own capabilities and limitations. Learn how your system works and be sure to work within its limitations.

A very high level of protection and detection can be achieved with software alone, using a layered approach:

  1. ROM BIOS - password (access control) and selection of boot disk. (Some may consider this hardware.)
  2. Boot sectors - integrity management and change detection.
  3. OS programs - integrity management of existing programs, scanning of unknown programs. Requirement of authentication values for any new or transmitted software.
  4. Locks that prevent writing to a fixed or floppy disk.
As each layer is added, invasion without detection becomes more difficult. However, complete protection against every possible attack cannot be provided without dedicating the computer to a fixed, predetermined set of tasks. The world's standardization on the IBM PC architecture is both its greatest asset and its greatest vulnerability: the uniformity that lets any program run on any machine lets any virus do the same.

Is it possible to write-protect the hard disk with only software?

The answer is no. There are several programs which claim to do that, but *all* of them can be bypassed using only techniques already in use by some viruses: DOS provides no memory protection, so a resident virus can unhook or patch the protection program, and a virus need not go through DOS or the BIOS at all but can program the disk controller directly. Therefore you should never rely on such programs *alone*, although they can be useful in combination with other anti-viral measures.

What can be done with hardware protection?

Hardware protection can accomplish various things, including: write protection for hard disk drives, memory protection, monitoring and trapping unauthorized system calls, etc. Again, no tool is foolproof.

The popular idea of write-protection (see D3) may stop viruses spreading to the disk that is protected, but doesn't, in itself, prevent a virus from running.

Also, some of the existing hardware protections can be easily bypassed, fooled, or disconnected, if the virus writer knows them well and designs a virus which is aware of the particular defense.

Will setting DOS file attributes to READ ONLY protect them from viruses?

No. While the Read Only attribute will protect your files from a few viruses, most simply clear it, infect the file, and set it back. The attribute is advisory: any program can change it with an ordinary DOS call, so it offers no protection against code that is prepared for it. Setting executable files to Read Only is still not a bad idea (it stops the careless viruses and accidental overwrites), but it is certainly not a thorough protection against viruses!

Will password/access control systems protect my files from viruses?

All password and other access control systems are designed to protect the user's data from other users and/or their programs. Remember, however, that when you execute an infected program the virus in it will gain your current rights/privileges. Therefore, if the access control system provides *you* the right to modify some files, it will provide it to the virus too. Note that this does not depend on the operating system used - DOS, Unix, or whatever. Therefore, an access control system will protect your files from viruses no better than it protects them from you.

Under DOS, there is no memory protection, so a virus could disable the access control system in memory, or even patch the operating system itself. On operating systems with memory protection and privilege separation (Unix, for example) an unprivileged virus cannot do this, so at least the protection cannot be disabled by it; note, though, that a virus run by the superuser inherits the superuser's rights along with everything else. Even where it cannot disable the protection, the virus will still spread, for the reasons noted above. In general, access control systems (if implemented correctly) can only slow down the spread of a virus, not eliminate viruses entirely.

Of course, it's better to have access control than not to have it at all. Just be sure not to develop a false sense of security and to rely *entirely* on the access control system to protect you.

Will the protection systems in DR DOS work against viruses?

Partially. Neither the password file/directory protection available from DR DOS version 5 onwards, nor the secure disk partitions introduced in DR DOS 6 are intended to combat viruses, but they do to some extent. If you have DR DOS, it is very wise to password-protect your files (to stop accidental damage too), but don't depend on it as the only means of defense.

The use of the password command (e.g. PASSWORD/W:MINE *.EXE *.COM) will stop more viruses than the plain DOS attribute facility, but that isn't saying much! The combination of the password system plus a disk compression system may be more secure, because to bypass the password system a virus must access the disk directly, and under SuperStore or Stacker the physical disk layout is meaningless to it. Be aware, though, that some viruses which write to the disk directly will, on a compressed drive, visibly corrupt the volume rather than invisibly infecting files.

The "secure disk partitions" system introduced with DR DOS 6 may be of some help against a few viruses that look for DOS partitions on a disk. The main use is in stopping people fiddling with (and infecting) your hard disk while you are away.

Furthermore, DR DOS is not very compatible with MS/PC-DOS, especially down to the low-level tricks that some viruses are using. For instance, some internal memory structures are "read-only" in the sense that they are constantly updated (for DOS compatibility) but not really used by DR DOS, so that even if a sophisticated virus modifies them, this does not have any effect.

In general, using a less compatible system diminishes the number of viruses that can infect it. For instance, the introduction of hard disks made the Brain virus almost disappear; the introduction of 80286 and DOS 4.x+ made the Yale and Ping Pong viruses extinct, and so on.

Will a write-protect tab on a floppy disk stop viruses?

In general, yes. The write-protection on IBM PC (and compatible) and Macintosh floppy disk drives is implemented in hardware, not software, so viruses cannot infect a diskette when the write-protection mechanism is functioning properly.

But remember:

  1. A computer may have a faulty write-protect system (this happens!) - you can test it by trying to copy a file to the diskette when it is presumably write-protected.
  2. Someone may have removed the tab for a while, allowing a virus on.
  3. The files may have been infected before the disk was protected. Even some diskettes "straight from the factory" have been known to be infected in the production processes.
So it is worthwhile scanning even write-protected disks for viruses.

Do local area networks (LANs) help to stop viruses or do they facilitate their spread?

Both. A set of computers connected in a well managed LAN, with carefully established security settings, with minimal privileges for each user, and without a transitive path of information flow between the users (i.e., the objects writable by any of the users are not readable by any of the others) is more virus-resistant than the same set of computers if they are not interconnected. The reason is that when all computers have (read-only) access to a common pool of executable programs, there is usually less need for diskette swapping and software exchange between them, and therefore fewer ways through which a virus could spread.

However, if the LAN is not well managed, with lax security, it could help a virus to spread like wildfire. It might even be impossible to remove the infection without shutting down the entire LAN.

A network that supports login scripting is inherently more resistant to viruses than one that does not, if this is used to validate the client before allowing access to the network.
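The two points made above, that a virus runs with the rights of whoever executes it (the access-control question) and that infection follows every transitive path of information flow between users (the LAN question), can be worked through on a small access matrix. The Python model below is an added illustration, not code from any product or network operating system; the users, files and rights are constructed. Each time a user runs an infected program, every file that user can write becomes infected, and the loop runs to a fixed point.

```python
from typing import Dict, Set


def spread(writes: Dict[str, Set[str]], runs: Dict[str, Set[str]],
           initially_infected: Set[str]) -> Set[str]:
    """Fixed point of 'a user who runs an infected program lends the virus
    their write rights'. writes: user -> files the user may write;
    runs: user -> programs the user executes. Returns the infected files."""
    infected = set(initially_infected)
    changed = True
    while changed:
        changed = False
        for user, executed in runs.items():
            if executed & infected:                          # user runs something infected...
                gained = writes.get(user, set()) - infected  # ...so the virus gets the user's write rights
                if gained:
                    infected |= gained
                    changed = True
    return infected


def scenarios() -> Dict[str, Set[str]]:
    users = ("alice", "bob", "carol")
    start = {"ALICE/WP.EXE"}          # Alice brings an infected program in from home

    # 1. Lax LAN: a shared tools directory that everyone can write to and runs from.
    lax_writes = {u: {f"{u.upper()}/WP.EXE", "SHARED/TOOLS.EXE"} for u in users}
    lax_runs = {u: {f"{u.upper()}/WP.EXE", "SHARED/TOOLS.EXE"} for u in users}

    # 2. Well-managed LAN: the shared pool is read-only to users; only the
    #    administrator writes it, and the administrator runs nothing the users wrote.
    managed_writes = {u: {f"{u.upper()}/WP.EXE"} for u in users}
    managed_writes["admin"] = {"SHARED/TOOLS.EXE", "ALICE/WP.EXE", "BOB/WP.EXE", "CAROL/WP.EXE"}
    managed_runs = dict(lax_runs)
    managed_runs["admin"] = {"ADMIN/TOOLS.EXE"}

    # 3. Transitive path: Carol never touches Alice's files, but Alice can write a
    #    build tool that Bob runs, and Bob can write a macro that Carol runs.
    chain_writes = {"alice": {"ALICE/WP.EXE", "PROJ/BUILD.EXE"},
                    "bob": {"BOB/WP.EXE", "DOCS/MACRO.EXE"},
                    "carol": {"CAROL/WP.EXE"}}
    chain_runs = {"alice": {"ALICE/WP.EXE"},
                  "bob": {"PROJ/BUILD.EXE", "BOB/WP.EXE"},
                  "carol": {"DOCS/MACRO.EXE", "CAROL/WP.EXE"}}

    # 4. As 2, except that the administrator runs a user's program once (say, to
    #    help troubleshoot it): the virus then inherits the administrator's rights.
    careless_runs = dict(managed_runs)
    careless_runs["admin"] = {"ADMIN/TOOLS.EXE", "ALICE/WP.EXE"}

    return {"lax": spread(lax_writes, lax_runs, start),
            "managed": spread(managed_writes, managed_runs, start),
            "chain": spread(chain_writes, chain_runs, start),
            "careless_admin": spread(managed_writes, careless_runs, start)}


if __name__ == "__main__":
    for name, infected in scenarios().items():
        print(f"{name:15} {len(infected)} infected: {sorted(infected)}")
```

In the managed configuration the infection never leaves Alice's own directory; in the lax one it reaches every machine through the shared pool; in the chain it reaches Carol although she has no access to anything of Alice's; and one privileged execution of a user's program undoes the managed configuration entirely.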

What is the proper way to make backups?

Data and text files, and programs in source form, should be backed up each time they are modified. However, the only backups you should keep of COM, EXE and other *executable* files are the *original* versions, since if you back up an executable file on your hard disk over and over, it may have become infected meanwhile, so that you may no longer have an uninfected backup of that file. Therefore:

  1. If you've downloaded shareware, copy it (preferably as a ZIP or other original archive file) onto your backup medium and do not re-back it up later.
  2. If you have purchased commercial software, it's best to create a ZIP (or other) archive from the original diskettes (assuming they're not copy protected) and transfer the archive onto that medium. Again, do not re-back up.
  3. If you write your own programs, back up only the latest version of the *source* programs. Depend on recompilation to reproduce the executables.
  4. If an executable has been replaced by a new version, then of course you will want to keep a backup of the new version. However, if it has been modified as a result of your having changed configuration information, it seems safer *not* to back up the modified file; you can always re-configure the backup copy later if you have to.
  5. Theoretically, source programs could be infected, but until such a virus is discovered, it seems preferable to treat such files as non-executables and back them up whenever you modify them. The same advice is probably appropriate for batch files as well, despite the fact that a few batch file infectors have been discovered.
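The selection rule in the five points above, as an added Python illustration (not an actual backup utility): data, source and batch files are backed up whenever they change; executables are backed up once, from their original copy, and a later change to an executable is reported instead of being copied over the original. The files and the manifest are constructed in memory; a real tool would copy the selected files and write the manifest to the backup medium. The list of executable suffixes is an assumption.

```python
import hashlib
from typing import Dict, List, Tuple

EXECUTABLE_SUFFIXES = (".com", ".exe", ".sys", ".ovl", ".drv")   # assumed list


def is_executable(name: str) -> bool:
    return name.lower().endswith(EXECUTABLE_SUFFIXES)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plan_backup(files: Dict[str, bytes],
                manifest: Dict[str, str]) -> Tuple[List[str], List[str], Dict[str, str]]:
    """Decide what to copy on this run.

    files    -- name -> current contents
    manifest -- name -> hash recorded when the file was last backed up
    Returns (names to copy, warnings, updated manifest)."""
    to_copy: List[str] = []
    warnings: List[str] = []
    updated = dict(manifest)
    for name, data in sorted(files.items()):
        h = digest(data)
        if name not in manifest:
            to_copy.append(name)        # first sight: a data file, or an executable's original
            updated[name] = h
        elif h == manifest[name]:
            continue                    # unchanged since last backup
        elif is_executable(name):
            # Rule 4: never overwrite the original backup of an executable with a
            # version that has changed on disk; the change may be an infection.
            warnings.append(f"{name} differs from its original backup; not re-copied. "
                            "Scan it; if it is a genuine new release, back it up from the distribution media.")
        else:
            to_copy.append(name)        # data, source, batch (rule 5): keep the latest version
            updated[name] = h
    return to_copy, warnings, updated


def demo() -> dict:
    # Constructed disk contents; the bytes are arbitrary.
    clean_edit = b"\xb4\x09\xcd\x21\xc3"
    disk = {
        "WP.EXE": b"MZ" + b"\x00" * 50,
        "EDIT.COM": clean_edit,
        "LETTER.TXT": b"Dear Sir,",
        "HELLO.C": b'main(){puts("hi");}',
        "AUTOEXEC.BAT": b"@echo off\r\n",
    }
    first_copy, _, manifest = plan_backup(disk, {})

    # Later: the letter and the source are edited, and EDIT.COM has grown (here
    # simply by appending bytes; on a real disk that could be a patch or a virus).
    disk["LETTER.TXT"] = b"Dear Sir, thank you for your letter."
    disk["HELLO.C"] = b'main(){puts("hello");}'
    disk["EDIT.COM"] += b"\x90" * 10
    second_copy, second_warn, manifest = plan_backup(disk, manifest)
    return {"first": first_copy,
            "second": second_copy,
            "warnings": second_warn,
            "edit_original_kept": manifest["EDIT.COM"] == digest(clean_edit)}


if __name__ == "__main__":
    r = demo()
    print("first run copies:", r["first"])
    print("second run copies:", r["second"])
    for w in r["warnings"]:
        print("WARNING:", w)
```

On the second run only the two changed non-executables are copied; the grown EDIT.COM is flagged, and the manifest still points at its original hash, so the original backup is never replaced by a possibly infected copy.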

