Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: David.M..Chess.CHESS@YKTVMV
Newsgroups: comp.virus
Subject: re: Future AV software (PC)
Message-ID: <0002.8910031107.AA02205@ge.sei.cmu.edu>
Date: 2 Oct 89 00:00:00 GMT
Sender: Virus Discussion List
Lines: 12
Approved: krvw@sei.cmu.edu

Unfortunately, it's just about impossible to scan for new viruses by examining the on-disk image of programs, and looking for things like INTs. Three (at least) of the families of PC viruses out in the world today store themselves on disk in "garbled" form, with only a little "degarbler" stored in clear. That degarbler doesn't contain any INTs or other suspicious instructions, and the garbled part of the virus appears to be random data. The nasty instructions don't appear until the virus executes, and the degarbler converts the garbled stuff to code. So it's really only possible to catch these things at runtime (as Flushot+ and similar programs try to do), not on disk...

DC
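An added example, not part of the original post: a naive on-disk scanner that looks for `INT` instructions, run over a constructed, harmless DOS program in clear and in garbled form. The single-byte XOR garbling, the watched interrupt vectors, and all names here are assumptions for illustration; the post does not say how the real families garble themselves.

```python
# Added illustration. All bytes below are constructed; none come from a virus.
INT_OPCODE = 0xCD                      # x86 "INT imm8" opcode byte
WATCHED_VECTORS = {0x13, 0x21, 0x26}   # assumed watch list: BIOS disk, DOS, DOS abs. write

# Constructed, harmless DOS .COM image: print "Hi" and exit, both via INT 21h.
CLEAR_IMAGE = bytes([
    0xB4, 0x09,        # mov ah, 09h   (print string)
    0xBA, 0x0B, 0x01,  # mov dx, 010Bh (address of the string below)
    0xCD, 0x21,        # int 21h
    0xB4, 0x4C,        # mov ah, 4Ch   (terminate)
    0xCD, 0x21,        # int 21h
]) + b"Hi$"

KEY = 0x5A  # assumed single-byte XOR key standing in for the "garbling"


def garble(image: bytes, key: int) -> bytes:
    """XOR every byte with key. Applying it twice restores the input."""
    return bytes(b ^ key for b in image)


def find_int_calls(image: bytes, vectors=WATCHED_VECTORS):
    """Return (offset, vector) for each CD xx byte pair with xx in vectors.

    This is a byte-pattern match, not a disassembler, so it can also fire
    on data that happens to contain the same two bytes.
    """
    return [
        (off, image[off + 1])
        for off in range(len(image) - 1)
        if image[off] == INT_OPCODE and image[off + 1] in vectors
    ]


def scan_views():
    """Scan the garbled on-disk view and the restored in-memory view."""
    on_disk = garble(CLEAR_IMAGE, KEY)    # what a file scanner reads
    in_memory = garble(on_disk, KEY)      # what exists once the code runs
    return find_int_calls(on_disk), find_int_calls(in_memory)


if __name__ == "__main__":
    disk_hits, memory_hits = scan_views()
    print("on-disk hits:  ", disk_hits)
    print("in-memory hits:", memory_hits)
```

The on-disk scan reports nothing while the in-memory view shows both `INT 21h` calls, which is the gap the post attributes to on-disk scanning.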