Great Circle Associates Firewalls
(May 1994) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: Re: FTP Security
From: cyerkes @ jpmorgan . com
Date: Mon, 16 May 94 11:59:41 EDT
To: Firewalls @ GreatCircle . COM 
>> >Sez Marcus J Ranum (for which I'm grateful):
>> >
>> >	Scanning for DOS virii on a UNIX box is also a bit of a
>> >wild goose chase. Why? Because any DOS executable that's being
>> >transmitted through the UNIX box is probably encoded for transmission
>> >and then you have the whole issue of figuring out what the encoding
>> >is and means...

>> IBM's AIX does have a 'virscan' command which can examine DOS executables
>> for a pre-set list of well-known virus "signatures."  As Marcus 
>> notes, encoded stuff can't be scanned, but if it's unpacked under
>> AIX, 'virscan' might be useful.
> 
> Got a question for you folks:  How do other virii
> checkers work?  Ie., there are a cuple of virii
> checking programs for Macintosh that I know of.
> Windows 3.1 (or is is DOS?) comes with some check-
> ing program.  How do they scan virus?  Do they
> just look at known characteristics of known virii?
> If that's the case, they are pretty weak against
> newly written worms, aren't they?

Well, Yes.  They are.  But first, (worm != virus).  A virus often modifies
binaries of idle programs - virtually impossible with Unix.  Worms
are usually separate programs that find a way to run on a target computer
to do something.
   New viri come out fairly regularly.  That's why Symantic (for
example; one of many like companies) has updates for their virus
scanner data every couple months.  Pretty much they scan the binaries
for a known series of bytes.  Or a background task watches for
modifications to sensitive files.. Or they generate checksums for all
the files on your disk and will let you know when they change.  Or all
of the above.  It seems that it SHOULD be possible to look for certain
series of bytes in a program, assuming it's uncompressed in anyway but,
as Mr. Ranum pointed out (less colorfully), relying on the fact that a
program is coming through in a known format is like assuming you can
spot a murderer because he's carrying a bloody knife - there are just
too many options for formats to transfer programs in.
   I DID hear of a program to scan a Unix file system for DOS
viruses in programs stored for NFS mounting - unzipped, etc, but that
was YEARS ago and it would seem to be have disappeared.

chuck
--
chuck yerkes
consultant
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
I have no opinions that my employers would care to share.
Indexed By Date Previous: Re: trojans on ftp sites
From: Christopher Klaus <cklaus @ shadow . net>
Next: Re: virus scanning (was: FTP Security)
From: Ken Hardy <ken @ bridge . com>
Indexed By Thread Previous: Re: FTP Security
From: tkevans @ fallst . es . dupont . com (Tim Evans)
Next: Re: Firewalls Digest V3 #140
From: owen @ DeLong . SJ . CA . US (Owen DeLong)
Google
 
Search Internet Search www.greatcircle.com