
    Thunderbyte [41] is well known for its variety of filter
    programs.
    Most anti-virus companies release a filter program of
    one kind or another. The most accurate of all seems to be a
    combination of TBDisk and TBFile from the Thunderbyte
    package.
    Filters warn you of such activity as boot-sector
    writes, alterations to a file's startup code, the appending
    of code to the end of an executable file, and other
    virus-like activities. Some filters will warn you if a program
    attempts to "tunnel" through the interrupt code searching
    for the original DOS entry point. With this information, a
    virus could take total control of a computer system,
    completely unaffected by anti-virus programs supposed to be
    combatting it. In many filtering anti-virus programs, the
    file being altered is named to help you determine whether
    the action is warranted or not.
    Note that this technique is not the same as for TSR
    scanners, which store scan strings in memory and scan files
    as they are executed. Not only is this method slow and
    cumbersome, it takes exceptional amounts of memory to store
    the scan-strings.

    [41] Thunderbyte,....

    Since no scan-strings are used in filter products, and
    some, like Thunderbyte, hold all text in external files only
    to be loaded when necessary, filters take an average of 2
    to 5 kilobytes of memory, and can be loaded into Upper
    Memory Blocks. As a result, they are very fast and memory
    efficient. If written well, false alarms very seldom occur,
    and only in situations where they would be expected.
    Example: If a file called X.COM is being installed
    and the configuration needs to change built-in parameters in
    the executable file, you may be given a warning similar to:
        A Program is attempting to alter X.COM
        Should this action be halted? Y/N
    In the given situation, the modification is expected,
    and the user can type "N" to allow the alteration.
    Drawbacks to this method are few. However, it must be
    noted that some filter programs are so poorly written that
    false alarms or even irrelevant warnings will cause the user
    so much interference that the filter is simply disabled and
    not used. Well-written filters will not pose this problem.
    Another disadvantage is that if files have been infected,
    filters do not provide resources to locate and eradicate
    them.
    Change Checkers
    Change checking, or integrity checking, is a
    diagnostic form of virus detection. This technology does
    not require memory resident code, and is virtually
    impossible to deceive if no virus is in memory. (Such is
    the case when you boot from your emergency boot disk.)
    Change Checkers install themselves by writing small,
    usually hidden, files in each directory on the disk being
    set up. These files contain information such as file-length
    and checksum for each of the executable files in that
    directory.
    When scanning the disk, change checkers compare the
    files in each directory with the data stored in the
    information files. Any changes, including the presence of
    files not listed in the data file, are noted and presented
    to the program user.
    False alarms only occur in executable files which
    alter their own code. This may be due to a new
    installation, or any number of other reasons. If a file is
    upgraded, you will be notified of this change as well.
    Fortunately, such changes rarely occur without a prior
    warning.
    In all cases, you have the option of listing these
    changes in the data file kept for scanning purposes.
    Another advantage to the above technique is that the anti-
    virus program never needs to be upgraded.
    The only disadvantage is the disk space used by
    placing a hidden data file in each directory. Because of
    the DOS method of handling the disk, all files take a
    minimum of 2 kilobytes from the available space on the disk
    (the size of 1 block on a small partition; this number may
    be as high as 8 kilobytes for a large partition). A disk
    containing many directories would have many of these files,
    and therefore a large amount of space would be made
    unavailable.
    A possible solution to this, which is apparently yet
    to be implemented, is to store this data in one larger file
    with a directory tree list on a separate diskette. This
    would eliminate the hard disk usage completely. The data
    file could easily be stored on the emergency boot diskette,
    or even a diskette formatted solely for this usage. For
    larger hard drives, multiple diskettes may be used.
    A minor drawback is that change checkers do not always
    provide a way to directly clean a virus from a file. If
    this is the case, reverting to the system backup diskettes,
    or the original setup disks will remedy the situation with
    no great effort.
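    A minimal change checker along the lines described above, using the
    proposed single data file for the whole directory tree (added example,
    not code from the original text). SHA-256 stands in for the checksum,
    and the JSON layout, function names and sample file names are assumptions.

```python
import hashlib
import json
import os
import tempfile
EXECUTABLE_EXTS = {".com", ".exe"}  # executable types named in the text

def fingerprint(path):
    """Per-file record: length and checksum (SHA-256 here, an assumption)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"length": len(data), "checksum": hashlib.sha256(data).hexdigest()}

def snapshot(root):
    """Map each executable's path, relative to root, to its fingerprint."""
    records = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                full = os.path.join(folder, name)
                records[os.path.relpath(full, root).replace(os.sep, "/")] = fingerprint(full)
    return records

def save_baseline(root, baseline_file):
    """Write one data file for the whole tree, kept off the scanned disk."""
    with open(baseline_file, "w") as fh:
        json.dump(snapshot(root), fh, indent=1, sort_keys=True)

def check(root, baseline_file):
    """Return files that changed, appeared or vanished since the baseline."""
    with open(baseline_file) as fh:
        old = json.load(fh)
    new = snapshot(root)
    return {"changed": sorted(p for p in new if p in old and new[p] != old[p]),
            "new": sorted(p for p in new if p not in old),
            "missing": sorted(p for p in old if p not in new)}

def demo():
    """Constructed sample tree: baseline it, alter it, then re-check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as media:
        os.mkdir(os.path.join(root, "UTIL"))
        for rel, data in (("X.COM", b"\x90" * 64), ("UTIL/EDIT.EXE", b"MZ" + bytes(62))):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline_file = os.path.join(media, "baseline.json")
        save_baseline(root, baseline_file)
        with open(os.path.join(root, "X.COM"), "ab") as fh:
            fh.write(b"\xcc" * 16)  # constructed bytes standing in for appended code
        open(os.path.join(root, "UTIL", "NEW.COM"), "wb").close()  # unlisted file
        return check(root, baseline_file)
```

    Calling demo() reports X.COM as changed and UTIL/NEW.COM as a file not
    listed in the data file; the second temporary directory plays the part
    of the separate diskette.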
    Heuristic Scanning
    Heuristic scanning is very similar to filter scanning,
    except that a TSR program is not involved. Instead of
    waiting in memory for suspicious activity, it scans
    executable files for questionable code.
    Scanners like F-Prot [42] can be configured to use
    scan-strings and/or heuristics for scanning. If a virus is
    encrypted, heuristics will usually detect the decryption
    routine, but must stop there.
    Thunderbyte implements a very radical form of
    heuristic scanning not used in any other product. If a
    decryption routine is found, it will actually simulate the
    execution of the code until it is unencrypted, then proceed
    by scanning the remaining code with both heuristic and scan-
    string technologies.
    Some properties that heuristic scanners search for are
    .COM/.EXE determination, potentially damaging code, and
    unusual methods of becoming resident in memory, among others.
    A common source of confusion with heuristics is that
    the scanner will inform you of any virus-like code, such as
    those listed above. Often these are classified as "false
    alarms" when in fact, they are not. Heuristics looks for
    certain traits, and informs the user if suspicious code is
    present. Programs like FORMAT.EXE contain potentially

    [42] F-Prot, Fridrik Skulason