VIRUS-L Digest   Thursday,  7 Nov 1991    Volume 4 : Issue 213

Today's Topics:

Re: Hardware forever!
Re: Zipped files (PC)
Re: Clipper demo disk (PC)
Re: VShield problem with DOS 5.0 & QEMM? (PC
VSHIELD w/ MODEMS (PC)
Re: Disk Compression (PC)
Re: UNIX anti-virus program (UNIX)
Re: Hardware forever!
Virusproof systems; hardware
Re: where can I get a copy of "When Harlie Was One"?
help with INDIA Virus (PC)
Efforts
re: computer virus ^2 (PC)
Stinkfoot...malignee speaks out! (PC)
Re: Zipped files (PC)
Re: Scanning inside ZIPPED files (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 05 Nov 91 16:20:56 -0500
From:    "Mike Gore"
Subject: Re: Hardware forever!

Hi,

turtle@darkside.com (Fred Waller) writes:
>Writes AGUTOWS@WAYNEST1.BITNET (Arthur Gutowski):
> > Hardware isn't absolutely necessary to solve the problem,
> Hardware is not _absolutely_ necessary, but I hold that it is the
> most practical, least expensive and most effective solution.  It
> is also one that will not require updating.

Adding to this point it should be stated that there is a good reason
that a partial hardware solution is required (see below), however
regarding your very last point it should be noted that hardware will
likely have to change as system requirements change also.

[ What follows are not comments aimed at your article but are my 2
cents on this issue ]

Software MUST have at least some minimal trusted basis from which to
work from in order to offer any long term ( read reasonable ) degree
of protection.  Also a system is only as good as its weakest link so
the FULL system design must be considered.  BOTH hardware and software
working together has a better chance than a collection of after the
fact patches - that indeed simply obscure the original problem...  At
some point more effort will be spent trying to patch a badly designed
system than starting from scratch would...

Regarding this debate in general - One often sees the argument that
ANY system can be broken in regards to the question of fixing this
problem - but why is it that, in the REAL world, we don't leave our
money in paper bags on park benches but still use vaults
_because_of_this_fact?  The lesson here is there will be a point where
some degree of protection will reduce crime to a reasonable degree
given it will cost the offender too much to be of interest.  The PC
with its hardware and software, as it stands now, is this "paper bag"
of the analogy in question...

# Mike Gore, Technical Support, Institute for Computer Research
# Internet: magore@watserv1.waterloo.edu or magore@watserv1.uwaterloo.ca
# UUCP: uunet!watmath!watserv1!magore
# These ideas/concepts do *not* imply views held by the University of Waterloo.

------------------------------

Date:    Tue, 05 Nov 91 16:57:18 -0600
From:    jalicqui@wheaton.UUCP (Jeffrey Alan Licquia)
Subject: Re: Zipped files (PC)

>Are there any programs which will scan inside of Zipped files?
>Thanks in advance.

There is an archiver "front end" program called SHEZ which will do
that.  Basically, it runs your favorite scan program on files you
unarchive (using ZIP, ZOO, LZH, ARC, PAK, and maybe a few others I'm
forgetting) automatically as you unarchive them.
It also provides a GUI for unarchiving, selective viewing of text
files with your favorite lister, etc.

The latest version can be found at various MS-DOS archive sites
(garbo.uwasa.fi was one, I remember) as SHEZ64.ZIP.

--
Jeff Licquia                            | By His stripes YOU are healed!!!
uunet!tellab5!wheaton!jalicqui          |        - see Isaiah 53 -
jalicqui%wheaton.uucp@tellab5.chi.il.us |
jlicquia@uipsuxb.ps.uiuc.edu            | cat *.disclaimers > /dev/null

------------------------------

Date:    Tue, 05 Nov 91 20:19:05 -0600
From:    Brian McGraw
Subject: Re: Clipper demo disk (PC)

You said the Form virus was found on a demo diskette of Clipper.  Out
of curiosity, would that be the one that was offered on TV?  I had
thought about calling.

Brian
DMcGraw1@Ua1vm.bitnet

------------------------------

Date:    Tue, 05 Nov 91 21:40:37 -0500
From:    RY01@ns.cc.lehigh.edu (Robert Yung)
Subject: Re: VShield problem with DOS 5.0 & QEMM? (PC

Huh?????  I have MS-DOS 5 and QEMM 6.0 and VSHIELD/LH works fine for
me.  Are you sure QEMM does not work with VSHIELD?  I don't want to
have set off a time bomb...

BTW, when I use the /LH parameter, VSHIELD left a 0.4K stub in
conventional memory.  Is that normal?  Can I not have it???

How about making VSHIELD device loadable so it gets to memory first.

How about packaging a dummy virus w/ the VIRUSCAN products to test if
everything is working.  I'm not all that confident about VSHIELD since
I can never tell if it's working or not.  The PC-MAG virus seems
nice... it fooled SCAN v70 (I think).

THANKS!

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| Robert 'Bobby' Yung    | | That is about as effective as trying  |
(| RY01@NS.CC.Lehigh.Edu | | to melt an iceberg with a warm stream |
| "THE MACHINE!"         | | of piss.                  -Armmstrong |
\~~~~~~~~~~~~~~~~~~~~~~~~ |_______________________________________/

------------------------------

Date:    Tue, 05 Nov 91 21:51:39 -0500
From:    RY01@ns.cc.lehigh.edu (Robert Yung)
Subject: VSHIELD w/ MODEMS (PC)

Is it possible to get a virus by just connecting to a BBS?  How about
when I download?  Can Vshield check stuff as it downloads as with the
/V parameter (check copying for virus)?

THANKS.

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| Robert 'Bobby' Yung    | | That is about as effective as trying  |
(| RY01@NS.CC.Lehigh.Edu | | to melt an iceberg with a warm stream |
| "THE MACHINE!"         | | of piss.                  -Armmstrong |
\~~~~~~~~~~~~~~~~~~~~~~~~ |_______________________________________/

------------------------------

Date:    Wed, 06 Nov 91 17:15:00 +1300
From:    "Mark Aitchison, U of Canty; Physics"
Subject: Re: Disk Compression (PC)

padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:
>>... Stacker/SuperStore/DoubleDisk, etc. formats!
>
> They may not have a choice - I see this as the next real "must have"
> utility as no-one ever has enough disk space.

I agree that compressed partitions are likely to be VERY popular;
already I've saved the cost of the software simply by disk savings.
Also, it makes scanning for conventional viruses easier since the
disks look normal (certainly under SuperStore).

Now (dare I say it?) for the question of the next generation of
viruses that "know" about Stacker and SuperStore, etc.  I presume that
such viruses would have to be big, and they're hardly likely to handle
all the brands and versions of compression software out there.  The
down side is that virus scanners are going to have to understand a lot
about compressed disks (in conjunction with all sorts of other drivers
and hardware) to ensure there isn't a "super virus" there.  Not too
much of a disadvantage, IMHO.

Now, has anyone tried a combination of software read-only partition
(e.g.
by DMDRVR.BIN or DISKGARD) plus Stacker/SSTOR/etc (and maybe plus
DRDOS's password protection)?  Thanks Frisk for the comment about
DRDOS passwords by themselves, and thanks to others for the discussion
about viruses still being in RAM, even if they can't spread to the
hard disk.  The gap in the security left, apart from BSI's, is where
people bring an infected program to the system - and hopefully
compressed disks will reduce the need for programs like LZEXE, which
then mean scanners will be able to spot a higher percentage of
infected files.

I, then, see compressed partitions as a glimmer of hope (not that they
stop lots of viruses by themselves, but their contribution is
positive, overall).

Comments welcomed, as usual,
Mark Aitchison, Physics, University of Canterbury, New Zealand.

------------------------------

Date:    06 Nov 91 06:03:21 +0000
From:    tommyp@ida.liu.se (Tommy Pedersen)
Subject: Re: UNIX anti-virus program (UNIX)

I wrote:
>schieb@dingo.gsfc.nasa.gov (Brian Schieber) writes:
>>I'm looking for sources for virus checking for UNIX boxes. What's available ?
>TCell is a commercial UNIX virus checking program that the company I
>work for has developed. It uses cryptographic checksums to check for
>unexpected changes in the file system. Contact me and I'll tell you
>more about it.

peter@ficc.ferranti.com (Peter da Silva) writes:
>Are there any viruses on UNIX to actually *check* for?

bdh@gsbsun.uchicago.edu (Brian D. Howard (CS)) writes:
>No.  But that never stopped nobody from selling.

No, there are no viruses to check for on UNIX systems around today, so
I admit that the antiviral software TCell we are selling for UNIX
systems is a little ahead of time.  There is however no doubt that
UNIX viruses can be written and also have been written.  I can give
you references on at least two articles where researchers have
developed UNIX viruses.  One of these articles discusses unix viruses
in a B level (according to the Orange Book) security system.

As you see above, the program we sell makes an integrity check on
files by calculating cryptographic checksums on files.  This makes it
not only usable for detecting viruses but also for detecting other
kinds of unexpected changes to files.  Thus also mistakes by the
system administrator are discovered and can be corrected.  Another
usage is to check against changes to data files and text files.  When
the UNIX system is a server to a PC network, also the files the PCs
use can be checked and therefore also PC viruses can be detected.

I therefore feel good about selling TCell, and besides that: The
customer always has the choice not to buy it, we live in a free
world...

Regards,
/Tommy Pedersen

 ______________________________________________________________________
|E-mail: tommyp@isy.liu.se              /\                             |
|S-mail: Tommy Pedersen                / /  Telephone: +46 13 235200   |
|        SECTRA-Secure Transmission AB | |  FAX:       +46 13 212185   |
|        Teknikringen 2                |.>                             |
|        S-583 30 Linkoping            |/                              |
|_______ SWEDEN _______________________________________________________|

------------------------------

Date:    06 Nov 91 09:55:38 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Hardware forever!

groot@idca.tds.philips.nl (Henk de Groot) writes:

> Incorrect, exchange your BIOS to include the following
> processor-start-up *software* (though it's as drastic as the "off
> switch" but it is software :-) ):
> 1) Disable all interrupts.
> 2) Redirect NMI vector to a "reti" instruction.
> 2) Execute a "Halt" instruction which stops the processor.

Oh, there are other, less drastic software-only methods, which are
just as secure, and just as useless... :-)

> I don't know any Hardware protection boards but I assume that a board
> like the "Thunderbyte" board will contain *software* (are there
> (E)PROM's on it?), and I guess its the *software* on that board that
> prevents from viruses, not the hardware! (but like I said, I don't
> know the board).

There is a card, called Disk Defender, with which you can select a
range of cylinders on the hard disk, that are physically write
protected by switching another switch.

> I think the power in these applications is that it's a *combination* of
> hardware and software. Think of what software can do if I had a very
> fast RISC processor with 80486 emulating software. This emulation

Oh, you don't need all this... Just a CPU which has protected mode
implemented (80286 will do the job, but 80386 is better) and an OS,
which effectively -uses- this mode.  You can get the same state of
protection.  Of virus resistance, if we use Fred Waller's term.  But it
doesn't help at all to achieve virus proofness... :-(  Whether you want
the latter or not, is another story.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De  Fachbereich Informatik - AGN
Tel.:+49-40-54715-224, Fax: -246    Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Wed, 06 Nov 91 16:45:00 +0200
From:    Y. Radai
Subject: Virusproof systems; hardware

In an earlier posting, I wrote:
>>                       ... if we could design a system
>>which could never be infected, this would be preferable to detection
>>after infection.

Fred Waller replies:
> I feel that it's really unnecessary to invent systems that could
> *never* be infected.  A virus-resistant system is quite enough.
> We don't really need a totally virusproof approach.  Some head-
> banging-against-the-wall seen here is (as always) self-inflicted
> and caused by the search for such absolutely foolproof protection ...
> So what if we allow a small leak?  If the leak is small enough, it
> will be easy to monitor.  Much easier than monitoring an entire
> system!

So far I haven't had the dubious pleasure of locking horns with you,
mainly because until now I hadn't had the time to read all of last
month's postings, but I guess the time has finally come.
I must admit, though, that I have considerable difficulty in deciding
how to reply to you, partly because in some of your claims you don't
state whether you are talking of prevention or of detection, and
partly because you often use terms without defining them.

Examples of such terms are "totally virusproof", "absolutely
foolproof", "leak" and many others.  In my posting, I distinguished
between two criteria:
  (A) No false negatives and no false positives;
  (B) No false negatives and few false positives.
The distinction between the two is especially important in the case of
detection programs, since for them *(B) is attainable*.

Now what do you mean by "totally virusproof" and "absolutely
foolproof"?  (A)?  (B)?  something else?  Offhand, I would suppose you
mean (A).  But then why criticize me when I *agree* that (A) is
unattainable?  So maybe you mean (B).  But I claim that goal is
achievable by using detection methods.  You haven't said that you
disagree with that statement.

Now for your first sentence.  I was certainly not trying to "invent
systems that could never be infected".  I was merely prefacing my
following remarks by saying that it would be ideal if there were such
a thing.  I guess you agree that it can't be done.  The difference
between our approaches is that you seem to be content with preventing
what you can (I guess that's what you mean by "virus-resistant"),
whereas my emphasis is on *detection* of infection *after* files have
been infected.  This is not because I am opposed to partial
prevention, but simply because even with this, one should (imho) have
a "second line of defense" in case a virus has managed to circumvent
the prevention mechanism.  You seem to disagree with this when you say
that a virus-*resistant* system with "leaks" is enough.  Well, that
depends on the price you have to pay in order to block the leaks.  If
one can do this for a small price, why not do so?
(At present, I'm merely speaking in principle; I'll discuss the actual
price below.)

I also don't understand this talk about "banging heads against walls".
*Precisely who* do you claim is doing this?  If we assume
interpretation (A), then as Cohen showed, there's no point in trying
to achieve that goal.  So if there really are people trying to do so,
maybe they would be "head bangers", but I've never heard of any.  The
same would be true for goal (B) if you depend solely on prevention
programs.  On the other hand, goal (B) is achievable without the
slightest need for head banging, provided you use generic detection
(which means, roughly, modification detection).

Which reminds me of a previous statement of yours:
> I've seen this claim of a "perfect antiviral detector" over and
> over here. Many people make this claim, and many have announced it
> - but NOBODY is able to produce such marvel.

Well, again I have to ask you: What do you mean by "perfect"?  If you
mean in sense (A), I have never seen or heard of such claims, and I
invite you to quote a few.  If, on the other hand, you mean sense (B),
then I can produce "such marvel".  I mentioned it in my last posting:
V-Analyst.

Another example:
>                       Even though `detection' has failed, they
> still cling to it and continue searching for the Holy Grail.

Once again you don't define your terms.  *What kind* of detection has
failed: virus-specific? generic? both?  And again you give no
arguments whatsoever for your claim that detection has "failed".

We now come to the question of "leaks" (whatever *that* may mean).
You claim that we should be satisfied with a boat with a small leak
instead of one with no leak at all.  Here, at long last, you give a
reason! -- namely, that a small leak is easy to monitor whereas an
entire system is not.  As for the first part, all I can say is that
it's not necessarily true.  As for "monitoring an entire system", it
depends on what you mean by that phrase.
One can monitor each program as it is about to be executed, either by
checking for suspicious behavior, for known viruses, or for
modifications.  But I guess that's not what you mean by "an entire
system".  Alternatively, one can scan all (executable) files at once,
looking either for specific viruses or for files which have been
modified.  Let's assume you mean the latter.  Is your complaint that
scanning is time-consuming?  I can only say that I don't find this to
be the case at all.  I checksum my files all at once after
cold-booting from a clean system diskette.  To checksum about 650
files takes the checksum program which I use 4 minutes on my 12-MHz
AT.  On a 386, it would go faster.  And if one uses the quickcheck
option to be made available in the next version of the program, it'll
probably take considerably less than a minute.

You might also consider booting from a diskette to be difficult.  But
it's essential if you don't want to be fooled by a stealth virus.
Besides, if one combines detection with (partial) prevention, as I
suggested above, then in most cases one can limit this booting from a
diskette to once a week or two.

In conclusion, I don't see any good reason for settling for a leaky
boat when the price of fixing it is small.

> Finally, the best way to achieve very high security (and still have a
> functioning machine) is with the help of hardware.  While even this
> may not yield a totally virus-proof system, it doesn't really have
> to, since we don't really need virus-proof systems.

Well, I'm not against hardware.  Certainly it's the most secure of the
*prevention* techniques.  I would even agree that hardware seems like
an effective technique in general.  However, I have two reservations.
One is that I have never heard of an inexpensive hardware solution.
You keep *saying* that there is (you even claimed that some hardware
protection may cost much less than $70), but you have never given us
the name of a single "true" hardware product with such a price (or,
for that matter, even without such a price).  Does this hardware
solution of yours exist outside of your imagination?  I think if you
had ever used an actual hardware device, you would never have written,
as you did in another posting of yours:

> ... assuming it has first become TSR, which in turn means that
> hardware protection was removed, ....

Becoming TSR means that hardware protection has been removed???  TSRs
reside in RAM.  Have you ever heard of hardware protection of RAM?  I
haven't, and from your comparison of hardware protection to a
write-protect tab, you shouldn't even be expecting such a thing.

My other reservation is based on the fact that I have personal
experience with one hardware product, Disk Defender, and even aside
from its price of $240, my experience was rather negative.  When
activating the accompanying installation software, one could specify
what cylinders one wanted to be write protected, but it had to be the
trailing cylinders (i.e. from a given cylinder to the end of the
disk).  And since the Master Boot Record has to be on Cylinder 0, it
couldn't be protected.  Neither would the DD software (which called
FDISK) allow me to make drive C: protected.  Only by using Disk
Manager instead, were we able to put C: at the end of the disk, and
thus to protect it.  But I still wasn't able to protect the MBR.  This
was apparently deliberate because there was an accompanying device
driver which modified the MBR at boot time.  But this left the MBR
wide open to infections by Stoned, etc.  I'm not claiming that DD is
your idea of true hardware protection (btw, does anyone know if DD is
still being sold?), but if you ever get around to naming any
flesh-and-blood product for us, just make sure that it doesn't suffer
from the same weakness ...
and that it's inexpensive.  Maybe *then* we'll have something to talk
about.

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL

------------------------------

Date:    06 Nov 91 15:37:00 +0000
From:    bdrake@oxy.edu (Barry T. Drake)
Subject: Re: where can I get a copy of "When Harlie Was One"?

This is for Eqix (al161926@mtecv2.mty.itesm.mx).  My mailer can't
figure out how to get to you.  Anyway... on with the message:

I have a copy of _When_Harlie_Was_One_ which I am willing to give to
you.  Send me your postal address, and I will mail it within the next
couple of days (as soon as I finish it; probably tonight).

--Barry (bdrake@oxy.edu)
4053 W. Ave. 42, Los Angeles, CA 90065-4604, USA

------------------------------

Date:    Wed, 06 Nov 91 11:39:20 -0600
From:    "Mitch Cottrell, Sr. Research Technician"
Subject: help with INDIA Virus (PC)

I am seeking information in the India virus.  The PCtools virus
utility has identified the india virus as being the virus currently
infecting about 20 machines in a student lab.

The problem is easily cleared up on those machines, but will likely
reoccur due to the widespread contamination expected on student
disks.

I am looking for information on what it does, and how it propagates,
and how it may be easily cleaned up on student disks.

Immediate response can be sent to c2852@UMRVMB.UMR.EDU

------------------------------

Date:    Wed, 06 Nov 91 13:25:41 -0500
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Efforts

>From: turtle@darkside.com (Fred Waller)

Wrote I:
>> the effort required to breach a software defense is greater
>> than that required to erect it. This comes about because the
>> defender has the advantage of being on home ground & has a
>> "world view" of the system.

Wrote Fred:
>I believe this is not true.  As said earlier, virus-writing is not a
>cost-conscious activity, while antivirus protection most definitely
>is.  Virus authors have the luxury of spending hours, days, weeks or
>months probing and testing until they find a weakness.  Antivirus
>authors work to earn a living, sell their products and must perforce
>be cost-effective.  It's really just the reverse of what Padgett
>claims.

We seem to be discussing two different things here: my comment
referred to what is *possible* for a knowledgeable user to do to
his/her personal machine or those within his/her control.  Fred seems
to be talking about commercial products that are as available to the
malicious software authors as to the users.  I agree that in Fred's
worldview he may be right however this is not my worldview.

As I have mentioned before, my *personal* pcs are protected by a
layered mix of products, some of which I wrote and are not commercial.
As I stated, it would be very difficult for a virus to penetrate *my*
PC since the writer would have no way (short of physical B & E) to
determine exactly what is in use. (besides it changes)

For the same reason, the plethora of anti-virus products available
today are a major protection since it would be difficult for a virus
to cope with ALL of them.

Now if some malefactor was targeting a particular installation and
knew exactly what they were using, and was able to gain physical
access, then I agree that any software can be broken (some just not in
a *reasonable* timeframe).

Companion viruses ? - one of my layers handles that.  Stealth viruses -
another layer, and so on, and so on.  Manually, I can disable all of
them in a moment but to do it in software would be *very* difficult
(and then you would also have to target the separate programs that
just verify that the other layers are still working (and can be
stored/protected on the server).

Just as an example: how does software get around a PC that does not
recognize (or have) any .EXE .COM or .BAT files ?
(no, I am not going to say what the real executable extensions are -
if it is possible, you tell me 8*)  It runs all my DOS applications
just fine (after automated "fixing").

The point is that if you are at PHYSICAL risk, I will agree that
hardware (preferably encrypting the whole disk with an off-system key)
is necessary.  However IMHO if the only risk is from software & the
protection scheme is unknown (or just different on every PC), then
software is GOOD ENOUGH (quantum economics (C))

                                        Padgett

Untested product: for all the people trying to write to
write-protected floppies to see if they have the DIR-2, I have this to
say: CD 24 CD 20.

------------------------------

Date:    Wed, 06 Nov 91 12:45:18 -0800
From:    karyn@cheetah.llnl.gov (Karyn Pichnarczyk)
Subject: re: computer virus ^2 (PC)

About the Weekly World News article about a demon-pc which killed
workers...a "hideous horned demon" appeared on the screen?

Isn't there a virus named something like "Posessed" which displays a
low-res picture of a demon on the screen?  If I remember correctly it
was a .EXE and .COM infector, and it may add a line saying something
like "Your computer is Possessed".

Karyn Pichnarczyk
CIAC Group - LLNL

------------------------------

Date:    Wed, 06 Nov 91 19:51:23 +0000
From:    duck@frcs.Alt.ZA (Paul Ducklin)
Subject: Stinkfoot...malignee speaks out! (PC)

StinkFoot...analysis.

I, as the person maligned in the virus, and as the author of a South
African antivirus package, had double reason to look at this stuff.

Whoever wrote it has fairly poor assembler coding skills, but it does
(sort of) work.  Unfortunately, the versions I've got print their
messages in Black on Black; apart from that, nice one Cyril.

There were two versions out of the Rhodes University ftp repository;
the author of the "Paul Ducklin" one seems to have been the author (or
to have had the original source) of the other.  Code reordering;
arbitrary shifts in data item offsets etc. point to this.

Version 1: Infection adds 1254 bytes.
           Message is "StinkFoot has arrived on your PC !".
           Message displayed (black on black) if infected file is
           executed when DOS time minutes==seconds.

Version 2: Infection adds 1273 bytes.
           Message is "StinkFoot: '(Eat this Paul Ducklin)'"
           Displayed if hours==minutes.

The virus tries to adjust INT 24h (Critical Error Handler) to its own
code.  Not only did the author fail to understand pointers in CS100,
he (no, I'm not a chauvinist -- surely no woman would bother to write
such cruddy code) wrote non-working INT 24h code anyway.  Any critical
errors *after* the virus has had a go bring down the system.

The infection mechanism is broken, too.  When the virus runs, the
current directory is examined for .COM files; the first uninfected one
over 512 bytes is hit.  Alas, if the target .COM is the first one in
its directory, StinkFoot hits it regardless of its size.  If it was
too small, it will no longer run.  Trying to run it will hang the PC.

Anyway, it's just another virus.  Unfortunately, the South African
media rather love it.  What I've seen written so far in the local
press is inane..and suggests that the whole affair is so daunting that
we shall have to wait for overseas "experts" to fill us in on the
heavy news.

Jawellnofine.

Paul Ducklin
Non-Surfer Extraordinaire

PS: my feet are clean and wholesome (esp. considering it's 33 degrees).

[Ed. What a coincidence - it is also about 33 degrees here in
Pittsburgh, Pennsylvania; we're even expecting some snow today.  :-)]

------------------------------

Date:    Tue, 05 Nov 91 10:19:50 +0000
From:    csh060@cck.coventry.ac.uk (-= WAD =-)
Subject: Re: Zipped files (PC)

usgjej@gsusgi2.gsu.edu (Jeffry Johnson) writes:

>Are there any programs which will scan inside of Zipped files?
>Thanks in advance.

Yep there's one called VIRZIP in the pdsoft.lancs in England..  But I'm
not too sure of the full address..

=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
| Fleshy : -= WAD =-      E-mail : csh060%uk.ac.cov.cck@uk.ac.earn-relay  |
| Voice  : (0203) 449274  Quote  : 386 owners do it in windows            |
=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=

------------------------------

Date:    Wed, 06 Nov 91 14:52:14 +0000
From:    csh060@cch.coventry.ac.uk (-= WAD =-)
Subject: Re: Scanning inside ZIPPED files (PC)

Eric_Florack.Wbst311@xerox.com writes:

>In #208, Jeff Johnson asks:
>
>>>Are there any programs which will scan inside of Zipped files?<<
>
>Sure are, Jeff. McAfee's SCAN is useable (and callable) from inside a
>program I've been trying called SHEZ. SHEZ will allow you to look
>inside any format you like; ARC, ZIP ARJ, PAK, or what have you.
>
>It won't look inside self extractors, but then you knew that I'd guess.

By the way.... where can I get the latest copy of SHEZ...  If it's in
Simtel-20 ... what's the ftp address !?

Cheers

=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
| Fleshy : -= WAD =-      E-mail : csh060%uk.ac.cov.cch@uk.ac.earn-relay  |
| Voice  : (0203) 449274  Quote  : Nano Cray, one lump or two >?          |
=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 213]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
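
The modification detection that Y. Radai and Tommy Pedersen describe in this digest (checksum every file, then look for unexpected changes), as an added example that is not part of the digest and is not V-Analyst's or TCell's method. The HMAC-SHA256 keyed checksum, the file names and the demo key are assumptions made here; the 1254-byte growth mirrors the StinkFoot Version 1 size quoted in Paul Ducklin's post.

```python
import hashlib
import hmac
import os
import tempfile


def keyed_checksum(path, key):
    """HMAC-SHA256 over the file contents (assumed algorithm, see lead-in)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root, key):
    """Map each file's path (relative to root) to its keyed checksum."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = keyed_checksum(full, key)
    return baseline


def verify(root, baseline, key):
    """Compare the current tree against the baseline.

    Every changed, new or missing file is reported, so nothing that alters a
    baselined file goes unnoticed; a legitimate upgrade is reported too, which
    is the "few false positives" half of criterion (B).
    """
    current = build_baseline(root, key)
    return {
        "modified": sorted(p for p in current if p in baseline
                           and not hmac.compare_digest(current[p], baseline[p])),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Run the check on a constructed directory; return (clean, changed)."""
    # The key plays the role of the clean boot diskette: it is kept away from
    # the system being checked, so code on that system cannot recompute entries.
    key = b"constructed demo key, stored off the checked system"
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files, not real programs.
        samples = {"EDIT.COM": b"\xe9" + b"\x00" * 600,
                   "FORMAT.COM": b"\xe9" + b"\x11" * 900,
                   "README.TXT": b"constructed sample text\r\n"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        baseline = build_baseline(root, key)
        clean = verify(root, baseline, key)

        # Change 1: a program grows by 1254 bytes (zero filler only).
        with open(os.path.join(root, "EDIT.COM"), "ab") as handle:
            handle.write(b"\x00" * 1254)
        # Change 2: same length, one byte differs; a size check would miss it.
        with open(os.path.join(root, "FORMAT.COM"), "r+b") as handle:
            handle.seek(10)
            handle.write(b"\x22")
        # Changes 3 and 4: a new program appears and a file disappears.
        with open(os.path.join(root, "NEW.COM"), "wb") as handle:
            handle.write(b"\xc3")
        os.remove(os.path.join(root, "README.TXT"))
        return clean, verify(root, baseline, key)


if __name__ == "__main__":
    clean, changed = demo()
    print("clean tree:  ", clean)
    print("changed tree:", changed)
```

As Radai's post notes for stealth viruses, the check is only trustworthy when run after booting from a clean system diskette, because a checker that reads files through an infected system can be handed unmodified contents.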