VIRUS-L Digest Monday, 23 Jan 1989 Volume 2 : Issue 22 Today's Topics: re: PC Viruses --------------------------------------------------------------------------- Date: 23 January 1989, 09:20:53 EST From: David M. Chess Subject: re: PC Viruses In VIRUS-L v2n20, Otto Stolz writes a number of things, including: > First Main Proposition of Virus Hunting: Every program designed to > catch viruses can be circumvented by virus-writers who know its > principles of operation. > ... > The best option you have: To detect > COM- and EXE-viruses, write your own program to compute some signature > value from all bytes in a file and compare it with a value obtained > earlier in the same way. Lock away the source of your program and > every hints on its algorithm in a safe place, and apply it regularly > to every program file you use (including itself). While I agree with pretty much everything -else- Otto writes, I think these statements are perhaps a bit too strong. Consider, for instance, a modification-detection program that works using a nice long CRC (at least 30 bits), and that uses a "user-selectable" polynomial (for instance, the program might prompt the user for a long string when it's first run, and use that to find an irreducible polynomial). If the program and the database are kept on external media (in a floppy in a locked desk drawer, for instance), and the polynomial key is also external (in the user's head, or on that locked floppy), AND the program is run only after cold-booting the maching from a trusted IPL floppy (perhaps the same one again), so that the checking program, key, and database are never in the machine at the same time as a virus, I think I would claim that knowing all about the checking program, including having the commented source code, would do the virus-writer NO GOOD AT ALL in trying to defeat it (as long as the user's secret key isn't known, of course). That's just because it's not possible to make a probably-undetected change to a dataset if you don't know the polynomial used for detection (and if the CRC uses enough bits). Objections? DC Watson Research ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253