- Path: sparky!uunet!ukma!darwin.sura.net!newsserver.jvnc.net!netnews.upenn.edu!netnews.cc.lehigh.edu!news
- From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
- Newsgroups: comp.virus
- Subject: Re: Vshield vs Virstop (PC)
- Message-ID: <0009.9301271940.AA16908@barnabas.cert.org>
- Date: 15 Jan 93 06:23:44 GMT
- Sender: virus-l@lehigh.edu
- Lines: 30
- Approved: news@netnews.cc.lehigh.edu
-
- ST29701@vm.cc.latech.edu writes:
-
- > VSHIELD with the /CF option to check for a file validation information
- > will not catch a file infecting virus like INTRUDER (very generic)
- > until after it has infected. I would have hoped it could catch it
- > while the infection was trying to occur.
-
- Well, the /CF switch instructs VShield to use checksums of the
- protected programs, stored in a separate file. This means that in this
- particular case, VShield acts as a resident integrity checker. All
- integrity checkers detect modifications, not viruses. Next, they can
- detect the modifications only AFTER the modifications occur. Thus,
- VShield with the /CF option will catch an unknown virus only after
- this virus infects a protected file (i.e., causes a modification) and
- you try to execute it (because VShield performs its checks on program
- execution). There is no way an integrity checker can detect a virus
- before any modification occurs...
-
- Of course, it remains unanswered why the -scanner- component of
- VShield does not detect the virus - at least SCAN 99 -is- able to
- detect Intruder (although it reports it as two viruses - Sick [Sck]
- and Intrud-B [Intr])...
-
- Regards,
- Vesselin
- - --
- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
- Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
- < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
- e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
-
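Added example, not part of the original post and not VShield's code: a minimal model of a checker that keeps checksums in a separate file and compares them only when a program is run, showing when a change becomes visible. SHA-256, the JSON store, the file names and the `ExecTimeChecker` class are assumptions made for illustration; the file contents are constructed sample bytes.

```python
import hashlib
import json
import os
import tempfile

def checksum(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

class ExecTimeChecker:
    """Hypothetical model: checksums in a separate file, compared only at execution."""
    def __init__(self, db_path):
        self.db_path, self.db = db_path, {}

    def protect(self, path):
        # The baseline records the file as it is now, whatever its state.
        self.db[os.path.abspath(path)] = checksum(path)
        with open(self.db_path, "w") as f:
            json.dump(self.db, f)

    def on_execute(self, path):
        with open(self.db_path) as f:
            expected = json.load(f).get(os.path.abspath(path))
        if expected is None:
            return "unprotected"  # never baselined, so nothing to compare
        return "ok" if checksum(path) == expected else "modified"

def timeline():
    events = []
    with tempfile.TemporaryDirectory() as d:
        prog, other = os.path.join(d, "PROG.COM"), os.path.join(d, "OTHER.COM")
        for p in (prog, other):
            with open(p, "wb") as f:
                f.write(b"constructed program bytes")
        chk = ExecTimeChecker(os.path.join(d, "checksums.json"))
        chk.protect(prog)
        events.append(("run before change", chk.on_execute(prog)))
        with open(prog, "ab") as f:  # the write itself is not observed
            f.write(b"constructed appended bytes")
        events.append(("run after change", chk.on_execute(prog)))
        chk.protect(prog)  # re-baselining accepts the changed file as good
        events.append(("run after re-baseline", chk.on_execute(prog)))
        events.append(("run of unlisted file", chk.on_execute(other)))
    return events

if __name__ == "__main__":
    for step, verdict in timeline():
        print(f"{step}: {verdict}")
```

The third step shows why the baseline has to be taken from a known-good copy: the checker reports a difference from the stored checksum, not the presence of a virus.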