Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: carroll1!tkopp@uunet.UU.NET (Tom Kopp)
Newsgroups: comp.virus
Subject: Future AV software (PC)
Message-ID: <0014.8910021145.AA27888@ge.sei.cmu.edu>
Date: 1 Oct 89 17:58:41 GMT
Sender: Virus Discussion List 
Lines: 29
Approved: krvw@sei.cmu.edu

I had a thought earlier about a possible future Anti-viral system.  It
would be software based, therefore subject to its own corruption,
however it seems to me to be a mix of the work of Anti-Viral gurus
McAfee and Greenberg.  It works something like this:

A version/variant of ViruScan would run, searching not for
viral-identifying code, but rather for the interrupt calls that write
to a disk (a la Flu_Shot techniques).  When it finds one, it looks in
a table to see if that code is allowed.  This table could consist of
the following format:

filename;offset of interrupt;filesize CRC;

with the possible inclusion of just WHICH interrupt was being
invoked.  The user of the software could either add to the table
for software that he/she has written, or wait for updated database
listings from whoever wrote/maintained such a program.  Also in the
vein of Flu_Shot, a list could be maintained of files to 'ignore'.  I
do see a problem in that setting up the original database to cover the
countless programs existing is a truly arduous task.  However, for a
purpose such as this, I would think reputable software companies would
provide as much assistance as possible, which could be a lot if the
code were written in assembler.

Is there some other fundamental element I'm missing, or is this a
plausible idea?

tkopp@carroll1.cc.edu  or  uunet!marque!carroll1!tkopp
Thomas J. Kopp @ Carroll College 3B2 - Waukesha, WI
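The table-driven check proposed in the post, written out as an added example (it is not code from the post or from ViruScan/Flu_Shot). It assumes the "search for interrupt calls that write to a disk" is a static scan for the literal x86 `INT imm8` opcode (0xCD) followed by vector 13h or 21h, that the "CRC" column is a CRC-32 of the whole file, and that the table carries the WHICH-interrupt column the post mentions as optional. The sample program bytes, the filename HELLO.COM and the ignore list are constructed for the demonstration.

```python
import zlib
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# x86 `INT imm8` encodes as 0xCD followed by the vector number.
INT_OPCODE = 0xCD
# Interrupts through which DOS-era software writes to disk:
# INT 13h (BIOS disk services) and INT 21h (DOS services, incl. file writes).
DISK_INTERRUPTS = {0x13: "INT 13h (BIOS disk)", 0x21: "INT 21h (DOS services)"}


@dataclass(frozen=True)
class AllowEntry:
    """One row of the table: filename;offset of interrupt;CRC;interrupt."""
    filename: str
    offset: int    # byte offset of the INT instruction inside the file
    crc: int       # CRC-32 of the whole file (assumption: the post just says CRC)
    vector: int    # which interrupt is expected at that offset


def file_crc(data: bytes) -> int:
    """CRC-32 of the file image; a changed file invalidates all its rows."""
    return zlib.crc32(data) & 0xFFFFFFFF


def find_interrupts(data: bytes) -> List[Tuple[int, int]]:
    """Return (offset, vector) for every literal INT 13h / INT 21h in data."""
    hits = []
    for i in range(len(data) - 1):
        if data[i] == INT_OPCODE and data[i + 1] in DISK_INTERRUPTS:
            hits.append((i, data[i + 1]))
    return hits


def build_table(filename: str, data: bytes) -> List[AllowEntry]:
    """What a user adds for software they wrote: rows from a known-good copy."""
    crc = file_crc(data)
    return [AllowEntry(filename, off, crc, vec) for off, vec in find_interrupts(data)]


def check_file(filename: str, data: bytes, table: Iterable[AllowEntry],
               ignore: Set[str]) -> List[Tuple[int, int]]:
    """Return the disk-writing INT calls in data that the table does not allow.

    A row only counts if filename AND CRC match, so any modification of the
    file (e.g. an appended virus body) makes even its original INTs suspect.
    """
    if filename in ignore:            # Flu_Shot-style ignore list
        return []
    crc = file_crc(data)
    allowed = {(e.offset, e.vector) for e in table
               if e.filename == filename and e.crc == crc}
    return [(off, vec) for off, vec in find_interrupts(data)
            if (off, vec) not in allowed]


# Constructed sample: a tiny .COM-style program that prints a string and exits.
CLEAN_PROGRAM = bytes([
    0xB4, 0x09,        # mov ah, 09h      (DOS: print string)
    0xBA, 0x00, 0x01,  # mov dx, 0100h
    0xCD, 0x21,        # int 21h          <- offset 5
    0xB4, 0x4C,        # mov ah, 4Ch      (DOS: terminate)
    0xCD, 0x21,        # int 21h          <- offset 9
])

# Constructed "infected" copy: the same bytes with a sector-write stub appended.
INFECTED_PROGRAM = CLEAN_PROGRAM + bytes([
    0xB8, 0x01, 0x03,  # mov ax, 0301h    (BIOS: write sectors)
    0xCD, 0x13,        # int 13h          <- offset 14
])

TABLE = build_table("HELLO.COM", CLEAN_PROGRAM)
IGNORE: Set[str] = {"DEBUG.COM"}   # e.g. a tool the user trusts to hit the disk


if __name__ == "__main__":
    for name, image in (("HELLO.COM", CLEAN_PROGRAM), ("HELLO.COM", INFECTED_PROGRAM)):
        flagged = check_file(name, image, TABLE, IGNORE)
        if not flagged:
            print(f"{name}: crc {file_crc(image):08X} ok, all disk INTs allowed")
        for off, vec in flagged:
            print(f"{name}: crc {file_crc(image):08X} NOT in table: "
                  f"{DISK_INTERRUPTS[vec]} at offset {off}")
```

Running it, the clean image passes and the modified image reports all three INTs, not just the appended INT 13h, because its CRC no longer matches any row. Note what the static scan does and does not see: any `CD 13` or `CD 21` byte pair is reported, including one that happens to sit in a data area, while an interrupt reached through a computed vector number or a far call through the interrupt vector table is not found by this pass at all.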