User's guide
VIRUS BULLETIN ©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139.
This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers.
Page 17
VIRUS BULLETIN August 1991
ANTI-VIRUS SOFTWARE
Two types of detection software can be used: virus-specific and virus-non-specific. The authors recommend standalone (application) software; memory-resident anti-virus software is not recommended.
Regardless of which type of software is used, proper procedures must be followed to ensure that the machine running anti-virus software is clean, i.e. free of any virus active in memory. If this is not the case, stealth viruses can use hiding techniques to prevent the software from discovering them (see ‘Secure Accessing of NetWare 3.11’ below).
Virus-Specific Software
A virus-scanning program relies on the knowledge of known virus ‘patterns’. When a new virus appears in the wild, it is analysed and a characteristic pattern of some 16-32 bytes is recorded. The virus-scanning program scans all executables on a disk, including the operating system and the boot sector(s), and compares their contents with the known virus patterns. This type of software can only discover viruses that it ‘knows’ about and as such has to be updated continually with new patterns as new viruses appear. This is the main problem with scanning software.
The use of virus-specific software on networks is recommended since the problems associated with updating the master copy are minimal: one copy can be held on the file-server and updated easily. The checking process can be performed overnight, minimising the network workload.
It is vitally important that the workstation used to initiate the scanning is booted from a clean write-protected system disk. Viruses such as Dark Avenger infect files as they are opened; if such a virus were resident in memory as scanning proceeded, it could infect every file stored locally on the workstation and, more significantly, on the file-server itself.
Checksumming Software
Checksumming software relies on the calculation of a checksum of any executable on the system followed by periodic recalculation in order to verify that the checksum has not changed. If a virus attacks an executable, it will usually change at least one bit of the executable, which will result in a completely different checksum (providing a strong checksumming algorithm is used). The exception is a special class of viruses known as companion viruses which do not change files (see page 12). However, well implemented checksumming software will report modifications such as the bogus hidden COM files which these viruses create.
This type of software is reactive rather than proactive, in that a virus attack will be detected after it happens. Checksumming software also relies on the fact that the executables are clean (i.e. virus-free) before initial checksumming is applied. This can be ensured by using virus-specific scanning software to check the system for the presence of known viruses.
The checksumming approach is the only known method which will detect all viruses, present and future, with absolute certainty. The method of performing the checksumming process (the checksumming algorithm) is very important. Three general approaches are possible: simple checksums, Cyclic Redundancy Checks (CRCs) and cryptographic checksums. The results of the checksumming algorithm must not be easily reproducible (lest a virus should do this on infection, preventing its detection).
It is recommended that checksumming software is used on NetWare 3.11 in a fashion similar to the virus-specific software. The main problem is deciding which areas of the file-server should be fingerprinted and checked regularly. On NetWare 3.11 it is recommended that all executables in the \PUBLIC, \SYSTEM and \LOGIN subdirectories are fingerprinted. In addition, each system will have subdirectories containing applications software; these should be fingerprinted as well. Checking of the fingerprints is best done from a separate, securely booted workstation. This should be done before performing backups as well as at a specific time during the night on a daily basis.
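As an added illustration of the checksumming approach described above (example code written for this edition, not taken from the article or from any 1991 product): it fingerprints every executable under a directory with a keyed cryptographic checksum (HMAC-SHA256, an assumption standing in for the ‘cryptographic checksum’ of the text, with the key kept away from the file-server so a virus cannot reproduce the values), then re-checks and reports modified, missing and new executables, so that the bogus companion .COM file a companion virus creates is reported alongside outright modifications. The directory layout, file contents and key are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Executable types a DOS/NetWare fingerprinting tool would cover (assumed list).
EXEC_SUFFIXES = (".EXE", ".COM", ".SYS", ".OVL")

def fingerprint(path, key):
    """Cryptographic checksum of one file: HMAC-SHA256 under a secret key."""
    with open(path, "rb") as fh:
        return hmac.new(key, fh.read(), hashlib.sha256).hexdigest()

def baseline(root, key):
    """Fingerprint every executable below root (e.g. PUBLIC, SYSTEM, LOGIN)."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper().endswith(EXEC_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                table[rel] = fingerprint(full, key)
    return table

def verify(root, key, table):
    """Recalculate and compare with the stored table; returns (modified, missing, new)."""
    current = baseline(root, key)
    modified = sorted(p for p in table if p in current and current[p] != table[p])
    missing = sorted(p for p in table if p not in current)
    new = sorted(p for p in current if p not in table)
    return modified, missing, new

def demo():
    """Constructed scenario: baseline a tree, then alter MAP.EXE and add a companion MAP.COM."""
    key = b"constructed-secret-key"  # in practice kept off the file-server
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "PUBLIC"))
    files = {"PUBLIC/MAP.EXE": b"MZ" + b"\x00" * 64, "PUBLIC/LOGIN.EXE": b"MZ" + b"\x01" * 64}
    for rel, data in files.items():  # constructed stand-ins, not real NetWare binaries
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    table = baseline(root, key)
    with open(os.path.join(root, "PUBLIC/MAP.EXE"), "r+b") as fh:
        fh.seek(10)
        fh.write(b"\xff")  # one changed byte is enough to alter the checksum
    with open(os.path.join(root, "PUBLIC/MAP.COM"), "wb") as fh:
        fh.write(b"\xcd\x20")  # the bogus companion file a companion virus creates
    return verify(root, key, table)
```

Run from a separately booted, clean workstation as the text advises; the untouched LOGIN.EXE is not reported, while the altered MAP.EXE and the new MAP.COM are.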
TWO IDS FOR SYSTEM ADMINISTRATORS
One of the weak points in any multi-user computer system is that one or more users must be given high privileges necessary for system administration. Unfortunately, these privileges are also assigned to a virus whenever it is in control of a workstation logged in as a network supervisor.
One way of reducing the danger from virus penetration via this route is to reduce the time that network supervisors are logged in as network supervisors. They should ideally have two user IDs, one with all privileges and the other with limited privileges. The use of the former should be limited to system administration functions and supervisors should be extremely cautious of using it if a virus infection is suspected.
SECURE ACCESSING OF NETWARE 3.11
With the advent of stealth viruses, it is most important to guarantee a clean, virus-free environment before running anti-virus software on a network. (Note that the following procedure presumes that the remote bootstrap ROM is not in use.)
To access NetWare 3.11 securely, prepare a system disk containing the DOS system files, COMMAND.COM and the following NetWare 3.11 files:
➤ IPX.COM
➤ NET3.EXE
➤ LOGIN.EXE
➤ MAP.EXE