FUNGEN7.CVP   911113

                        File checking

Most file-infecting viral programs can be checked for quite
simply, and without any special programs or equipment, provided
that the computer user will pay the most minimal attention to
the system and take the most basic precautions.

The simplest form of antivirus detection "equipment" is a list
of all the programs to be run on the computer, with the size and
"last changed date" for each.  (The list for "resource" based
systems such as the Macintosh will, of necessity, be somewhat
larger, and must include all "code" resources on the disk.)
With some few (albeit important) exceptions, programs should
never change their size or file date.  Any changes that are made
should be at the request of the user, and thus easy enough to
spot as exceptions.

While "stealth" technology of various types has been applied to
viral programs, the most common (and successful) viruses, to the
date of this writing, have not used it.  Most change the size of
the file, and generally do it in such a standardized fashion
that the "infective length" of the virus is often used as an
identification of the specific viral program.  The file date is
changed less often, but is sometimes deliberately "used" by the
virus as an indicator to prevent reinfection.  (One used the
value of "31" in the seconds field, which is presumably why the
later 1.xx versions of F-PROT all had dates ending in 31.
Another used the "impossible" value of 62.)

Even when stealth techniques are used, they generally require
that the virus itself be running for the measures to be
effective.  We thus come to the second piece of antiviral
equipment: the often-cited "known clean boot disk".  This is a
bootable system (floppy) disk, created under "sterile"
conditions and known to be free of any viral program infection,
and write protected so as to be free from possible future
contamination.  When the computer is "booted" from this disk,
the hard disk boot sector and system areas can be bypassed so as
to prevent "stealth" programs from passing "false data" about
the state of the system.

Viral protection can thus start with these simple and
non-technical provisions.  Starting with a known-clean system,
the list can be checked regularly for any discrepancies.  The
"clean disk" can be used to "cold boot" the system before these
checks for added security.  Checks should be performed before
and after any changes made to software, such as upgrades or new
programs.
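
The size-and-date list described above can be kept and checked by
a short script.  The following is an added example, not part of
the original column; the extension set, function names and sample
files are assumptions constructed for the illustration.

```python
import os
import tempfile

PROGRAM_EXTS = {".com", ".exe", ".sys", ".ovl"}  # assumption: DOS-style program files
T0 = 1_000_000_000  # constructed fixed timestamp for the sample files

def snapshot(root):
    """Build the list: {relative path: (size, last-changed time)} per program."""
    listing = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in PROGRAM_EXTS:
                full = os.path.join(dirpath, name)
                st = os.stat(full)
                listing[os.path.relpath(full, root)] = (st.st_size, int(st.st_mtime))
    return listing

def compare(baseline, current):
    """Return sorted (path, finding) pairs for every discrepancy."""
    findings = []
    for path, (size, mtime) in current.items():
        if path not in baseline:
            findings.append((path, "new program"))
            continue
        old_size, old_mtime = baseline[path]
        if size != old_size:  # the growth is the candidate "infective length"
            findings.append((path, f"size changed by {size - old_size:+d} bytes"))
        if mtime != old_mtime:
            findings.append((path, "date changed"))
    findings += [(p, "missing") for p in baseline.keys() - current.keys()]
    return sorted(findings)

def write(root, name, data, mode="wb", when=T0):
    path = os.path.join(root, name)
    with open(path, mode) as f:
        f.write(data)
    os.utime(path, (when, when))  # set the file date explicitly

def demo():
    """Constructed sample: baseline three files, then alter the directory."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "EDIT.COM", b"\0" * 400)
        write(root, "CALC.EXE", b"\0" * 900)
        write(root, "NOTES.TXT", b"\0" * 50)  # data file, not on the list
        baseline = snapshot(root)
        write(root, "EDIT.COM", b"\0" * 512, mode="ab")  # grows, date restored
        write(root, "CALC.EXE", b"", mode="ab", when=T0 + 60)  # date only
        write(root, "NEW.EXE", b"\0" * 100)
        return compare(baseline, snapshot(root))
```

Calling demo() reports the size growth even though the file date
was put back, which is why the list records both values.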

Security does not, of course, end here.  This is only a very
simple first line of defence.

copyright Robert M. Slade, 1991   FUNGEN7.CVP   911113