Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!gem.mps.ohio-state.edu!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Newsgroups: comp.virus
Subject: Re: Future AV software (PC)
Message-ID: <0005.8910031107.AA02205@ge.sei.cmu.edu>
Date: 2 Oct 89 21:32:49 GMT
Sender: Virus Discussion List
Lines: 17
Approved: krvw@sei.cmu.edu

In article <0014.8910021145.AA27888@ge.sei.cmu.edu> carroll1!tkopp@uunet.UU.NET (Tom Kopp) writes:
| A version/variant of ViruScan would run, searching not for
| viral-identifying code, but rather for the interrupt calls that write
| to a disk (a la Flu_Shot techniques). When it finds one, it looks in
| a table to see if that code is allowed.

There is a program to do this already. CHK4BOMB will scan a program
and report on anything "suspicious" it finds. This was originally
meant to find Trojan Horses, but could work against some viruses as
well if used in conjunction with other programs. One thing it cannot
find is code which is self-modifying, thus hiding the actual low-level
access to the disk controller.

--
Jim Wright
jwright@atanasoff.cs.iastate.edu
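
The static scan discussed in this post, sketched as an added example (not CHK4BOMB's or ViruScan's code, and not part of the original message): it looks for INT opcodes that reach the disk-write services and checks them against an allow table. The signature table, the `allowed` table format, the AH look-back heuristic and both byte samples are assumptions made for illustration; the second sample shows why a scan of the file's bytes reports nothing when the call is only completed at run time.

```python
# Disk-write entry points a static scan can look for on the IBM PC:
# (interrupt number, AH function; None means any AH) -> description.
DISK_WRITES = {
    (0x13, 0x03): "BIOS INT 13h, AH=03h write sectors",
    (0x26, None): "DOS INT 26h absolute disk write",
}

def find_ah(code, pos, window=16):
    """Heuristic: immediate most recently loaded into AH before offset pos."""
    for i in range(pos - 2, max(pos - window, 0) - 1, -1):
        if code[i] == 0xB4:                    # B4 ib = mov ah, imm8
            return code[i + 1]
        if code[i] == 0xB8 and i + 2 < pos:    # B8 iw = mov ax, imm16
            return code[i + 2]                 # AH is the high byte
    return None

def scan(code, allowed=frozenset()):
    """Return (offset, int_no, ah, description) for each disk-write call
    whose (int_no, function) key is not in the `allowed` table."""
    findings = []
    for pos in range(len(code) - 1):
        if code[pos] != 0xCD:                  # CD ib = int imm8
            continue
        int_no, ah = code[pos + 1], find_ah(code, pos)
        for (n, fn), desc in DISK_WRITES.items():
            if n == int_no and fn in (None, ah) and (n, fn) not in allowed:
                findings.append((pos, int_no, ah, desc))
    return findings

# Constructed sample: mov ah,2 / int 13h (read), mov ah,3 / int 13h (write),
# int 26h, ret. Never executed; only scanned as bytes.
PLAIN = bytes.fromhex("b402cd13" "b403cd13" "cd26" "c3")
# Constructed sample of the blind spot: the INT operand is a 00 placeholder
# in the file, standing for a byte the program would fill in at run time.
HIDDEN = bytes.fromhex("b403cd00c3")

if __name__ == "__main__":
    for name, blob in (("PLAIN", PLAIN), ("HIDDEN", HIDDEN)):
        hits = scan(blob)
        print(name, [(hex(o), d) for o, _, _, d in hits] or "nothing found")
    print("INT 26h allowed:", scan(PLAIN, allowed={(0x26, None)}))
```

Because the scan matches raw bytes rather than decoded instructions, it can also flag data that happens to contain `CD 13`, so its hits are leads for review rather than verdicts.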