58 lines
3.0 KiB
Plaintext
58 lines
3.0 KiB
Plaintext
|
FUNGEN8.CVP 911115
|
||
|
|
||
|
File checking - part 2
|
||
|
|
||
|
Historically, it is interesting to note that, initially,
|
||
|
operation monitoring and restricting software was the preferred
|
||
|
means of antiviral protection. Subsequently signature scanning
|
||
|
software became more prevalent, and currently holds dominance in
|
||
|
terms of number of programs in use. Change detection software,
|
||
|
however, has recently become very popular and, from my reviews
|
||
|
of software, at least, now leads in terms of number of different
|
||
|
programs implementing the technique.
|
||
|
|
||
|
The most basic type of change detection program could simply
|
||
|
automate the process of manual file checking outlined in the
|
||
|
previous column. However, this would not catch "overwriting"
|
||
|
viri, as long as they did not change the file date. Therefore,
|
||
|
most change detection software performs some type of "image
|
||
|
checking" as well.
|
||
|
|
||
|
"Image", "numerical" or "statistical" file checking is based on
|
||
|
calculations performed on the data making up the file. At its
|
||
|
most rudimentary, this is based on the "checksum". As the name
|
||
|
suggests, this is nothing more than a check of the "summing" of
|
||
|
all data in the file, or sometimes the modulus of that sum.
|
||
|
More complex is the CRC or "cyclic redundancy check", which
|
||
|
performs more complex calculations on matrices of the data.
|
||
|
(This is done in a fashion similar to the Hamming encoding used
|
||
|
for error detection and correction.)
|
||
|
|
||
|
It would be fairly simple for an overwriting virus to calculate
|
||
|
the checksum for a given file, and then to modify the code of
|
||
|
the infected file in such a way that the checksum would still
|
||
|
match. This is the reason for some of the more complex
|
||
|
calculations which are implemented.
|
||
|
|
||
|
While the initial checking of files is fairly standard, there
|
||
|
are a wide variety of implementations for the subsequent
|
||
|
checking of files. The original information must, of course, be
|
||
|
stored somewhere. Some programs create a single file for this,
|
||
|
others attach the information to the program to be protected.
|
||
|
Each means has advantages and disadvantages. A single file
|
||
|
means a single entity which virus authors may find out about and
|
||
|
"target". Attaching of data to programs which may be altered
|
||
|
means that the calculated codes may be altered or erased as
|
||
|
well. Sometimes small modules of code are attached to the
|
||
|
programs in order to allow the programs to check themselves.
|
||
|
Unfortunately, adding such modules to programs which already
|
||
|
check themselves for changes may prevent the programs from
|
||
|
running. (Norton AntiVirus stores the information in a number
|
||
|
of hidden, 77 byte files, with names similar to that of the
|
||
|
protected file. This caused a number of users to suspect that
|
||
|
the results of Norton's protection were actually the results of
|
||
|
a virus. One fairly unique ploy is used by "Victor Charlie",
|
||
|
which, in its earliest incarnation, simply offered itself as
|
||
|
"bait" to viral programs -- and then checked itself.)
|
||
|
|
||
|
copyright Robert M. Slade, 1991 FUNGEN8.CVP 911115
|