FUNGEN7.CVP 911113

File checking

Most file-infecting viral programs can be checked for quite simply, and without any special programs or equipment. Provided, that is, that the computer user will pay the most minimal attention to the system and take the most basic precautions.

The simplest form of antivirus detection "equipment" is a list of all the programs to be run on the computer, with the size and "last changed date" for each. (The list for "resource" based systems such as the Macintosh will, of necessity, be somewhat larger, and must include all "code" resources on the disk.) With some few (albeit important) exceptions, programs should never change their size or file date. Any changes that are made should be at the request of the user, and thus easy enough to spot as exceptions.

While "stealth" technology of various types has been applied to viral programs, the most common (and successful) viri, to the date of this writing, have not used it. Most change the size of the file, and generally do it in such a standardized fashion that the "infective length" of the virus is often used as an identification of the specific viral program. The file date is changed less often, but is sometimes deliberately "used" by the virus as an indicator to prevent reinfection. (One used the value of "31" in the seconds field, which is presumably why the later 1.xx versions of F-PROT all had dates ending in 31. Another used the "impossible" value of 62.)

Even when stealth techniques are used, they generally require that the virus itself be running for the measures to be effective. We thus come to the second piece of antiviral equipment: the often-cited "known clean boot disk". This is a bootable system (floppy) disk, created under "sterile" conditions and known to be free of any viral program infection, and write-protected so as to be free from possible future contamination. When the computer is "booted" from this disk, the hard disk boot sector and system areas can be bypassed so as to prevent "stealth" programs from passing "false data" about the state of the system.

Viral protection can thus start with these simple, non-technical provisions. Starting with a known-clean system, the list can be checked regularly for any discrepancies. The "clean disk" can be used to "cold boot" the system before these checks for added security. Checks should be performed before and after any changes made to software, such as upgrades or new programs.

Security does not, of course, end here. This is only a very simple first line of defence.

copyright Robert M. Slade, 1991
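The "list of programs with size and last-changed date" described above can be kept and checked mechanically. The following is an added example, not part of the original article: it records size and modification time for each executable file under a directory, saves that list as a baseline (which, in the spirit of the clean boot disk, belongs on write-protected or offline media), and reports every file that changed size, changed date, appeared or disappeared. The set of "executable" extensions, the directory layout, the file names and the byte counts in the demonstration are all constructed for illustration.

```python
"""Baseline-and-compare check for program files: size and last-changed date.

Added example; not code from the original article. The EXECUTABLE_EXT set,
directory names, file names and sizes in demo_run() are constructed.
"""
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Assumed set of "program" extensions to track; anything else is ignored,
# since the article's rule is that executables should not change.
EXECUTABLE_EXT = {".exe", ".com", ".sys", ".ovl", ".dll", ".bin"}

Baseline = Dict[str, Tuple[int, int]]  # relative path -> (size, mtime seconds)


def build_baseline(root: str) -> Baseline:
    """Walk root and record (size, integer mtime) for every executable file."""
    baseline: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXT:
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (st.st_size, int(st.st_mtime))
    return baseline


def save_baseline(baseline: Baseline, path: str) -> None:
    """Write the list as JSON; keep this file off the system being checked."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> Baseline:
    """Read a saved list back, restoring the (size, mtime) tuples."""
    with open(path, "r", encoding="utf-8") as fh:
        return {rel: (int(v[0]), int(v[1])) for rel, v in json.load(fh).items()}


def _stamp(mtime: int) -> str:
    return datetime.fromtimestamp(mtime, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def compare(old: Baseline, new: Baseline) -> List[str]:
    """Return one line per discrepancy; an empty list means nothing changed."""
    findings: List[str] = []
    for rel in sorted(set(old) | set(new)):
        if rel not in new:
            findings.append(f"MISSING  {rel}")
        elif rel not in old:
            findings.append(f"NEW      {rel} size={new[rel][0]}")
        else:
            old_size, old_mtime = old[rel]
            new_size, new_mtime = new[rel]
            if old_size != new_size:
                # A constant growth across many files is the "infective length" pattern.
                findings.append(f"SIZE     {rel} {old_size} -> {new_size} ({new_size - old_size:+d})")
            if old_mtime != new_mtime:
                findings.append(f"DATE     {rel} {_stamp(old_mtime)} -> {_stamp(new_mtime)}")
    return findings


def demo_run() -> List[str]:
    """Constructed demonstration: build a baseline, then simulate one file
    growing and another having its date changed, and report the differences."""
    epoch = 1_000_000_000  # fixed timestamp so the output is deterministic
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "UTIL"))
        for rel, size in [("COMMAND.COM", 47845), ("UTIL/EDIT.EXE", 12000), ("README.TXT", 300)]:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(b"\x90" * size)
            os.utime(os.path.join(root, rel), (epoch, epoch))
        list_file = os.path.join(root, "PROGLIST.JSN")
        save_baseline(build_baseline(root), list_file)

        # Simulated change: COMMAND.COM grows by 1234 bytes (constructed value)
        # with its date put back, EDIT.EXE keeps its size but its date moves.
        with open(os.path.join(root, "COMMAND.COM"), "ab") as fh:
            fh.write(b"\x00" * 1234)
        os.utime(os.path.join(root, "COMMAND.COM"), (epoch, epoch))
        os.utime(os.path.join(root, "UTIL/EDIT.EXE"), (epoch + 62, epoch + 62))

        return compare(load_baseline(list_file), build_baseline(root))


if __name__ == "__main__":
    for line in demo_run():
        print(line)
```

Size and date are cheap to record, which is why the article relies on them, but both are under the control of whatever wrote the file; a program that restores the original date after growing a file still shows up on the size column, which is the point of keeping both. Running the check after booting from the clean disk matters for the same reason the article gives: the comparison is only as honest as the system that reports the stat values.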