Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!gem.mps.ohio-state.edu!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Newsgroups: comp.virus
Subject: Re: Future AV software (PC)
Message-ID: <0005.8910031107.AA02205@ge.sei.cmu.edu>
Date: 2 Oct 89 21:32:49 GMT
Sender: Virus Discussion List 
Lines: 17
Approved: krvw@sei.cmu.edu

In article <0014.8910021145.AA27888@ge.sei.cmu.edu> carroll1!tkopp@uunet.UU.NET
 (Tom Kopp) writes:
| A version/variant of ViruScan would run, searching not for
| viral-identifying code, but rather for the interrupt calls that write
| to a disk (a la Flu_Shot techniques).  When it finds one, it looks in
| a table to see if that code is allowed.

There is a program to do this already.  CHK4BOMB will scan a program and
report on anything "suspicious" it finds.  This was originally meant to
find Trojan Horses, but could work against some viruses as well if used
in conjunction with other programs.  One thing it cannot find is code
which is self-modifying, thus hiding the actual low-level access to the
disk controller.

--
Jim Wright
jwright@atanasoff.cs.iastate.edu
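
Added example, not part of the original post and not code from CHK4BOMB, ViruScan or Flu_Shot: a minimal static scan of the kind discussed above, matching x86 `INT` opcodes that reach the disk and checking them against an allow table, with a constructed sample showing the self-modifying case such a scan misses. The function names, the `allowed` table and all sample bytes are assumptions made for illustration.

```python
"""Added example: static scan of a DOS program image for disk-access interrupts."""

INT_OPCODE = 0xCD     # x86 "INT imm8"
MOV_AH_IMM8 = 0xB4    # x86 "MOV AH, imm8"

# Interrupts that can reach the disk below the file system.
WATCHED = {0x13: "BIOS disk services", 0x26: "DOS absolute disk write"}
# INT 13h function numbers (passed in AH) that modify the disk.
INT13_WRITES = {0x03: "write sectors", 0x05: "format track"}


def scan(image: bytes):
    """Return (offset, interrupt, ah) for every watched INT found in image.

    ah is None when no "MOV AH, imm8" immediately precedes the INT. This is a
    linear byte match, not a disassembly, so data bytes can produce false hits.
    """
    hits = []
    for off in range(len(image) - 1):
        if image[off] == INT_OPCODE and image[off + 1] in WATCHED:
            ah = None
            if off >= 2 and image[off - 2] == MOV_AH_IMM8:
                ah = image[off - 1]
            hits.append((off, image[off + 1], ah))
    return hits


def report(image: bytes, allowed=frozenset()):
    """Return hits that may write to disk and are not in the allow table."""
    flagged = []
    for off, intr, ah in scan(image):
        if (intr, ah) in allowed:
            continue
        # A known INT 13h read (e.g. AH=02h) is not a write; unknown AH stays flagged.
        if intr == 0x13 and ah is not None and ah not in INT13_WRITES:
            continue
        flagged.append((off, intr, ah))
    return flagged


# Constructed samples (not taken from any real program).
READ_ONLY = bytes([0xB4, 0x02, 0xCD, 0x13, 0xC3])     # MOV AH,02h / INT 13h / RET
DIRECT_WRITE = bytes([0xB4, 0x03, 0xCD, 0x13, 0xC3])  # MOV AH,03h / INT 13h / RET
# Self-modifying case: the interrupt number is a 00h placeholder on disk and is
# only filled in at run time, so the stored bytes contain no watched INT.
PATCHED_AT_RUNTIME = bytes([0xB4, 0x03, 0xCD, 0x00, 0xC3])
```

`report(DIRECT_WRITE)` flags the call at offset 2, while `report(PATCHED_AT_RUNTIME)` returns an empty list, which is why a static scan has to be paired with run-time monitoring of the interrupt vectors.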