Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: carroll1!tkopp@uunet.UU.NET (Tom Kopp)
Newsgroups: comp.virus
Subject: Future AV software (PC)
Message-ID: <0014.8910021145.AA27888@ge.sei.cmu.edu>
Date: 1 Oct 89 17:58:41 GMT
Sender: Virus Discussion List
Lines: 29
Approved: krvw@sei.cmu.edu

I had a thought earlier about a possible future Anti-viral system. It would be software based, and therefore subject to its own corruption; however, it seems to me to be a mix of the work of Anti-Viral gurus McAfee and Greenberg. It works something like this:

A version/variant of ViruScan would run, searching not for viral-identifying code, but rather for the interrupt calls that write to a disk (a la Flu_Shot techniques). When it finds one, it looks in a table to see if that code is allowed. This table could consist of the following format:

    filename;offset of interrupt;filesize CRC;

with the possible inclusion of just WHICH interrupt was attempting to be invoked.

The user of the software could either add to the table for software that he/she has written, or wait for updated database listings from whoever wrote/maintained such a program. Also in the vein of Flu_Shot, a list could be maintained of files to 'ignore'.

I do see a problem in that setting up the original database to cover the countless programs existing is a truly arduous task; however, for a purpose such as this, I would think reputable software companies would provide as much assistance as possible, which could be a lot if the code was written in assembler.

Is there some other fundamental element I'm missing, or is this a plausible idea?

tkopp@carroll1.cc.edu or uunet!marque!carroll1!tkopp
Thomas J. Kopp @ Carroll College 3B2 - Waukesha, WI
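The table lookup the post sketches, written out as an added example (editor's code, not from the post or from ViruScan/Flu_Shot). Everything concrete in it is an assumption: the file names, the call-site offsets, the tiny byte images standing in for programs, the interrupt numbers (INT 13h for BIOS disk services, INT 26h for DOS absolute disk write), and the choice of CRC-32 for the post's unspecified "filesize CRC" field. It also assumes the interceptor has already worked out which file issued the INT and at what offset, which is the hard part a real TSR would have to solve.

```c
/* Added example (not from the post): a simulation of the allow-table check
 * the post sketches. File names, offsets, byte images, interrupt numbers and
 * the use of CRC-32 are all constructed assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One row of the table: filename; offset of the INT instruction; CRC of the
 * file image; which interrupt that call site is allowed to invoke. */
typedef struct {
    const char *filename;
    uint16_t    call_offset;
    uint32_t    file_crc;
    uint8_t     intno;
} policy_entry;

enum verdict {
    VERDICT_ALLOW,
    VERDICT_DENY_NO_ENTRY,      /* no row for this file+offset: unknown writer */
    VERDICT_DENY_WRONG_INT,     /* row exists, but for a different interrupt */
    VERDICT_DENY_CRC_MISMATCH   /* file image changed since the row was made */
};

/* Standard CRC-32 (reflected, polynomial 0xEDB88320), bitwise, no table. */
uint32_t crc32_bytes(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Decide whether an intercepted disk-write interrupt may proceed. The caller
 * is assumed to have resolved which file issued the INT and at what offset;
 * the file image is re-read so its CRC can be compared with the table. */
enum verdict check_disk_write(const policy_entry *table, size_t ntab,
                              const char *const *ignore, size_t nignore,
                              const char *filename, uint16_t offset, uint8_t intno,
                              const uint8_t *image, size_t image_len)
{
    /* Flu_Shot-style ignore list: these programs are trusted unconditionally. */
    for (size_t i = 0; i < nignore; i++)
        if (strcmp(ignore[i], filename) == 0)
            return VERDICT_ALLOW;

    for (size_t i = 0; i < ntab; i++) {
        const policy_entry *e = &table[i];
        if (strcmp(e->filename, filename) != 0 || e->call_offset != offset)
            continue;
        if (e->intno != intno)
            return VERDICT_DENY_WRONG_INT;
        if (crc32_bytes(image, image_len) != e->file_crc)
            return VERDICT_DENY_CRC_MISMATCH;
        return VERDICT_ALLOW;
    }
    return VERDICT_DENY_NO_ENTRY;
}

/* Constructed stand-in for a clean BACKUP.COM: mov ah,03h ; int 13h ; ret.
 * The INT 13h instruction (CD 13) sits at offset 2. */
static const uint8_t CLEAN_BACKUP[]    = { 0xB4, 0x03, 0xCD, 0x13, 0xC3 };
/* The same program with bytes appended, as an infected copy would have;
 * the appended code carries its own INT 13h, at offset 7. */
static const uint8_t INFECTED_BACKUP[] = { 0xB4, 0x03, 0xCD, 0x13, 0xC3,
                                           0xB4, 0x03, 0xCD, 0x13, 0xC3 };

/* Each scenario is one intercepted write; returns the verdict for it. */
enum verdict run_scenario(int scenario)
{
    policy_entry table[1];
    table[0].filename    = "BACKUP.COM";
    table[0].call_offset = 2;
    table[0].file_crc    = crc32_bytes(CLEAN_BACKUP, sizeof CLEAN_BACKUP);
    table[0].intno       = 0x13;
    const char *const ignore[] = { "MYTOOL.COM" };

    switch (scenario) {
    case 0: /* clean program, known call site, expected interrupt */
        return check_disk_write(table, 1, ignore, 1, "BACKUP.COM", 2, 0x13,
                                CLEAN_BACKUP, sizeof CLEAN_BACKUP);
    case 1: /* same call site, but the file on disk has changed */
        return check_disk_write(table, 1, ignore, 1, "BACKUP.COM", 2, 0x13,
                                INFECTED_BACKUP, sizeof INFECTED_BACKUP);
    case 2: /* write issued from the appended code: offset not in the table */
        return check_disk_write(table, 1, ignore, 1, "BACKUP.COM", 7, 0x13,
                                INFECTED_BACKUP, sizeof INFECTED_BACKUP);
    case 3: /* known site, but invoking INT 26h instead of the listed INT 13h */
        return check_disk_write(table, 1, ignore, 1, "BACKUP.COM", 2, 0x26,
                                CLEAN_BACKUP, sizeof CLEAN_BACKUP);
    case 4: /* program on the ignore list: allowed without any lookup */
        return check_disk_write(table, 1, ignore, 1, "MYTOOL.COM", 0, 0x13,
                                CLEAN_BACKUP, sizeof CLEAN_BACKUP);
    default:
        return VERDICT_DENY_NO_ENTRY;
    }
}

int main(void)
{
    static const char *names[] = { "ALLOW", "DENY_NO_ENTRY",
                                   "DENY_WRONG_INT", "DENY_CRC_MISMATCH" };
    for (int s = 0; s < 5; s++)
        printf("scenario %d: %s\n", s, names[run_scenario(s)]);
    return 0;
}
```

Two things the simulation makes visible that the table format alone does not: an appended infection is caught twice over (the CRC of the host no longer matches, and the virus's own INT comes from an offset with no row), and the ignore list is a complete bypass, so anything on it is exactly as trusted as the table is. A CRC is also not a cryptographic hash; it detects accidental or naive modification, not a deliberate forgery that adjusts the file to keep the checksum.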