FUNGEN8.CVP   911115

                   File checking - part 2

Historically, it is interesting to note that, initially,
operation monitoring and restricting software was the preferred
means of antiviral protection.  Subsequently signature scanning
software became more prevalent, and currently holds dominance in
terms of number of programs in use.  Change detection software,
however, has recently become very popular and, from my reviews
of software, at least, now leads in terms of number of different
programs implementing the technique.

The most basic type of change detection program could simply
automate the process of manual file checking outlined in the
previous column.  However, this would not catch "overwriting"
viruses: the file size, by definition, does not change, and the
virus need only take care to leave the date stamp unaltered.
Therefore, most change detection software performs some type of
"image checking" as well.

"Image", "numerical" or "statistical" file checking is based on
calculations performed on the data making up the file.  At its
most rudimentary, this is the "checksum".  As the name suggests,
this is nothing more than the sum of all the bytes in the file,
usually reduced modulo some convenient size (8, 16 or 32 bits).
More complex is the CRC or "cyclic redundancy check", which
treats the data as one long polynomial over GF(2), divides it by
a fixed generator polynomial, and keeps the remainder.  (The CRC
belongs to the same family of linear error-detecting codes as the
Hamming codes used for memory error detection and correction;
like them, it is designed to catch accidental damage, not
deliberate tampering.)

It would be fairly simple for an overwriting virus to calculate
the checksum for a given file and then adjust its own code so
that the infected file still sums to the same value: with an
8-bit checksum, one spare byte is all the adjustment it needs.
This is the reason for the more complex calculations which are
implemented.  The caveat is that a CRC is also linear, and its
generator polynomial is no secret, so a virus which knows the
algorithm can compute a four-byte patch that restores any chosen
CRC just as surely.  Only a cryptographic hash, or a calculation
the virus author cannot reproduce (for example one keyed with a
value unique to each installation), denies the virus that
fix-up.
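The checks above, and the fix-ups an overwriting virus can play
against the sum and against the CRC, as an added example (this is
not code from the column, nor from any of the products it names):
a modulo-256 checksum, a CRC-32 and a SHA-256 image of a
constructed 128-byte "program", the baseline-and-recheck a change
detector performs, then the one-byte sum fix-up and the four-byte
CRC fix-up, with the cryptographic hash left as the only check
that still fires.  HOST, VIRUS_BODY, infect(), fix_sum() and
fix_crc32() are constructions of this example; SHA-256 stands in
for "a cryptographic hash" and is not something the column
discusses.

```python
"""Image checking of a 'file' (plain bytes held in memory) with three
fingerprints, plus the fix-up tricks an overwriting virus can play against
the first two.  Constructed example: HOST and VIRUS_BODY are made-up byte
strings, not real programs, and infect() is a model of the attack, not a
virus."""
import hashlib
import zlib


# --- the image checks -------------------------------------------------------

def sum_checksum(data: bytes) -> int:
    """The rudimentary check: the sum of every byte, reduced modulo 256."""
    return sum(data) & 0xFF


def crc32(data: bytes) -> int:
    """CRC-32 as used by ZIP: the remainder of the data, read as a polynomial
    over GF(2), after division by a fixed 33-bit generator."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256(data: bytes) -> str:
    """Cryptographic hash: no known way to choose bytes that hit a given value."""
    return hashlib.sha256(data).hexdigest()


def fingerprint(data: bytes) -> dict:
    """What a change detector would store at baseline time."""
    return {"size": len(data), "sum": sum_checksum(data),
            "crc32": crc32(data), "sha256": sha256(data)}


def changed_checks(data: bytes, baseline: dict) -> list:
    """Names of the stored checks that no longer match."""
    now = fingerprint(data)
    return sorted(k for k in baseline if now[k] != baseline[k])


# --- what an overwriting virus can do to each ------------------------------

def infect(host: bytes, body: bytes) -> bytearray:
    """Overwriting infection: the body replaces the start of the host; the
    file size, and everything after the body, is untouched."""
    assert len(body) + 4 <= len(host), "host too small for the demo"
    out = bytearray(host)
    out[:len(body)] = body
    return out


def fix_sum(data: bytearray, target: int, slot: int) -> None:
    """Make sum_checksum(data) == target by rewriting one spare byte.
    (A 16-bit sum only needs a few more spare bytes; the idea is the same.)"""
    data[slot] = 0
    data[slot] = (target - sum(data)) & 0xFF


CRC_POLY = 0xEDB88320                       # reflected CRC-32 generator
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ CRC_POLY if c & 1 else c >> 1
    CRC_TABLE.append(c)
# The top bytes of the 256 table entries are all distinct, so this is total.
CRC_TOP_INV = {entry >> 24: n for n, entry in enumerate(CRC_TABLE)}


def fix_crc32(data: bytearray, target: int) -> None:
    """Make crc32(data) == target by rewriting only the last four bytes.
    CRC is linear, so the register after four more bytes depends only on the
    four table indices those bytes select, not on anything before them."""
    reg = zlib.crc32(bytes(data[:-4])) ^ 0xFFFFFFFF   # register after prefix
    x = target ^ 0xFFFFFFFF                           # register we must end on
    idx = [0] * 4
    for i in (3, 2, 1, 0):                            # walk back: pick indices
        idx[i] = CRC_TOP_INV[x >> 24]
        x = ((x ^ CRC_TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    for i in range(4):                                # walk forward: pick bytes
        data[len(data) - 4 + i] = (reg ^ idx[i]) & 0xFF
        reg = (reg >> 8) ^ CRC_TABLE[idx[i]]


# --- demonstration ----------------------------------------------------------

HOST = bytes(range(32, 96)) * 2                 # constructed 128-byte "program"
VIRUS_BODY = b"<constructed, inert virus body>".ljust(40, b"\x90")


def demo() -> dict:
    """Which checks still catch the infection after each fix-up trick."""
    base = fingerprint(HOST)
    naive = infect(HOST, VIRUS_BODY)
    sum_fixed = infect(HOST, VIRUS_BODY)
    fix_sum(sum_fixed, base["sum"], slot=len(sum_fixed) - 1)
    crc_fixed = infect(HOST, VIRUS_BODY)
    fix_crc32(crc_fixed, base["crc32"])
    return {"naive": changed_checks(naive, base),
            "sum_fixed": changed_checks(sum_fixed, base),
            "crc_fixed": changed_checks(crc_fixed, base)}


if __name__ == "__main__":
    for name, caught_by in demo().items():
        print(f"{name:10s} still flagged by: {caught_by}")
```

The CRC fix-up is placed in the last four bytes only to keep the
arithmetic short; the same linearity lets the patch sit anywhere in
the file, at the cost of a little more polynomial algebra.  Note
that neither fix-up changes the file size, so the size and date
checks of the previous column are no help here.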

While the initial checking of files is fairly standard, there
is a wide variety of implementations for the subsequent checking
of files.  The original information must, of course, be stored
somewhere.  Some programs create a single file for this; others
attach the information to the program to be protected.  Each
means has advantages and disadvantages.  A single file means a
single entity which virus authors may find out about and
"target".  Attaching the data to the programs it protects means
that a virus which alters the program can alter or erase the
stored codes as well.  Sometimes small modules of code are
attached to the programs in order to allow the programs to check
themselves.  Unfortunately, adding such modules to programs which
already check themselves for changes may prevent the programs
from running.  (Norton AntiVirus stores the information in a
number of hidden, 77 byte files, with names similar to that of
the protected file.  This caused a number of users to suspect
that the results of Norton's protection were actually the results
of a virus.  One unusual ploy is used by "Victor Charlie", which,
in its earliest incarnation, simply offered itself as "bait" to
viral programs -- and then checked itself.)

copyright Robert M. Slade, 1991   FUNGEN8.CVP   911115