
The Sun Observer, Volume 10 No.7

Peter V. Radatti

radatti@cyber.com

CyberSoft

June 01 1996

Notice: Copyright May 20, 1996 by Peter V. Radatti, All rights reserved.

This month's article is based upon a white paper I wrote last year called "Anti-Virus for Multimedia Publishers". The reason that I believe you may be interested is because it is the most popular white paper on my web page (URL http:\\www.cyber.com) and because it removes some of the mystery about anti-virus and does so in only a few words. Finally, many of the tasks that take place in the normal system administration of a large network have parallels in multimedia publishing. Not everyone goes through the bother of reinstalling an operating system and all of the third party software that belongs on the system every time they install a new machine. Many people just copy everything from a running baseline system into the new system and have a fully functional system in a few hours.

In many cases end users of CD-ROMs believe that they are immune to attack because of the write protected nature of CD-ROM technology. This is not true. Write protection will keep the data on the CD-ROM from becoming infected, but if the programs put onto the CD-ROM at the factory were infected prior to burn-in then they will continue to be infected on the CD-ROM. The infected files will then infect other files, which are not write protected, on the end user's computer. There have been many instances of CD-ROMs, shrink wrapped floppy diskettes and ready to run computer systems delivered to customers, factory fresh, already infected with viruses. An example of an unintentional distribution of computer viruses by a large international corporation occurred in 1995 when a European automobile manufacturer distributed media containing virus infected programs detailing their new product line. It was a major embarrassment and a public relations problem.

Computer virus infections can cost millions of dollars and possibly kill people. As a case in point, I was told a story by the Director of Biomedical Engineering at a local hospital. I don't know if the story is true, but there is no technical reason why it can't be. He said that a field technician from the manufacturer of a blood analyzer called and stated that there was a recall on their system and he needed to perform the repair. When the technician arrived he was supervised by the Director, who noticed that the technician was replacing the ROMs. After talking with the technician the Director was told that the ROMs were infected with a computer virus. The virus had no effect on the operation of the system but it didn't belong there, so the manufacturer was replacing all of the contaminated ROMs, worldwide, at no charge. This raises the question of how the virus got into the ROMs in the first place. The answer is usually simple. One of the systems used to develop or manufacture the software contained in the ROMs was also used to process other programs and one of them was infected.

How can you as a responsible publisher protect yourself? There are many companies willing to sell you solutions, including my company. Virus scanners, integrity subsystems, risk analyzers, disk fencing systems and heuristic modeling programs are all valid tools. However, there are trade-offs with every method. To reduce the exposure created by these trade-offs I suggest that you use multiple methods from multiple vendors. Use a virus scanner to check for known viruses. Use an integrity subsystem like CyberSoft's Cryptographic Integrity Tool to keep track of every file that was modified, added or deleted from your system. An integrity tool can tell you all of the files on your system that have been modified, added and deleted since the last time it was run. When files that you did not change are modified, then there is a problem even if the virus scanner didn't find anything. A virus scanner can only tell you if it locates a virus that it already knows about. No one can write a scanner that looks for the viruses that will be written next month. (There is a technology called Emulation that can locate unknown viruses but cannot identify them or detect other forms of hostile software attacks such as logic bombs or Trojan Horses.) Integrity systems can only tell you if a file was modified. The combination of a virus scanner with an integrity system can be used to catch all known and unknown viruses. Of course this takes a little awareness on the part of the end user. You can resolve the awareness problem by adopting some basic rules. CyberSoft's half dozen rules of antivirus common sense can be a start for your own policy on computer viruses.

THE CYBERSOFT HALF DOZEN RULES OF ANTIVIRUS COMMON SENSE

  1. Always virus scan new software prior to installation.
  2. Save a floppy diskette with a cryptographic integrity snap shot of how your system looks. Do it before your system is infected so you can detect the changes later.
  3. Scan the system and use the integrity system often. I suggest daily, but many people live with the risk of running them weekly.
  4. Use the keyboard lock to keep people out of your system when you are not there.
  5. Scan software copied from other people's systems prior to use.
  6. Backup your disk, often. You can always retrieve destroyed data if you have it backed up.

Additional Rules For Publishers

In addition to these rules, publishers must add some additional rules. Remember that once you manufacture a CD-ROM and it is later discovered to be virus infected, your reputation is damaged and your warehouse full of products becomes waste. Very few people will buy an infected product. Since your exposure is greater, I suggest that you use antivirus products from three different companies. Each company has its own proprietary ways of detecting viruses. Very few companies share this data, and if you scan your product in this way then you are as safe as is humanly possible. Don't forget to scan going into the mastering process so you can catch anything that might be there before spending money on pressing, and do it again on the final product just to make sure that someone at the mastering service didn't infect it.

Pete Radatti is the founder and CEO of CyberSoft, Inc. CyberSoft manufactures VFind, the antivirus software product that executes under UNIX and simultaneously scans for UNIX, MS-DOS, Macintosh, Amiga, NT and Macro destructive software while providing cryptographic integrity to your file system. You can reach Pete at radatti@cyber.com, URL http:\\www.cyber.com or call 610/825-4748 (9:00 AM to 5:00 PM Eastern Time). These articles are dedicated to Chrissy.


Peter V. Radatti CEO CyberSoft, Inc 1958 Butler Pike, Suite 100 Conshohocken, PA
Voice: 610-825-4748 Fax: 610-825-6785 E-mail: radatti@cyber.com
Copyright 2004, 2005, 2006 Peter V. Radatti. All rights reserved.