[* Author's note - This document contains information geared mainly towards prevention. It is best to read and follow it now as opposed to simply holding on to it until you get infected and need advice. *]

The Anti-Virus Cook Book v1.8
(last modified July 19 1999, by Kurt Wismer)

0) Introduction
============

The purpose of this document is to serve as an educational tool. I have felt for a long time now that the computer virus is much like a headache. The average user should be able to administer proper anti-virus techniques on their computer as easily as they administer Tylenol, instead of having to run frantically to a specialist all the time (especially since most of those same specialists make available several tools that would take care of almost all the problems a user is likely to encounter). As such this document contains a lot of preventative measures and advice for various decision making circumstances in DOS or Windows95. This is the reasoning behind the name of this document and behind its format.

It is not intended to go into detailed technical minutiae (unless warranted by obscure and unbelievable circumstances) but instead to be an average-joe-friendly document regarding secure measures for virus prevention, detection, and recovery. Unfortunately it's not possible to get away with a complete lack of technical terms - anything I feel isn't obvious I will explain in the glossary at the end.

This is sort of an anti-FAQ. I don't present questions and then answers as I don't feel that type of presentation is appropriate to reach people who might not be sure they even need to know about this stuff, let alone have specific questions. I'm also not going to go into great detail about what a virus is; many documents already do that and the average person probably doesn't need to know that. A virus is just a kind of program (it can be any kind of program, not just an *.exe / *.com file) and it has to be executed before it can do anything.
The two defining characteristics are that it has to self-replicate (make copies of itself) and it requires a host program to attach itself to, such that when the host gets executed the virus also gets executed.

Now for a list of ingredients for an AV strategy.

1) Backups
=======

These are deceptively important ingredients to a good AV strategy and should be made religiously. They are, in fact, *the* most important security procedure a user can perform.

Why should you back up your hard drive? Besides the obvious threat of virus infection, there's also trojan horses, accidental deletion, corruption due to buggy software, corruption due to power spikes, corruption due to media failure, etc... Somewhere, at some point you WILL need to restore from backups, regardless of what precautions you take.

What should you back up? Everything that you don't fully intend to delete (which includes that which you're ambivalent about - you may find a use for that pop-up four digit display calculator yet!). Default program files are a must for backing up. Personal data files can be remade to a large extent but remaking the programs themselves is beyond the abilities of most of us. You'd have to find them (or buy them) all over again. To save yourself hassle, though, personal data files should be backed up too.

But as you probably realize, data files change a lot so obviously they need to be backed up regularly while programs themselves (which for the most part shouldn't change at all) need only be backed up once. For this reason it may (especially if you're doing the backup manually) be easier to keep the two types of backups separate and save yourself a lot of redundant effort. Program backups (backups of the software itself) should likely be made as soon as you acquire the software (scan it first though). Data backups should be made on a regular basis, the interval between backups being dependent on the average rate at which new data is generated and the value of that data (i.e. in a system where incredible amounts of very valuable data are being produced, backups would probably take place every day at least; a single home user who might generate a new textfile every week containing his/her shopping list probably wouldn't need to backup that data more than once a month if at all, but that's an unlikely and rather artificial example).

Data backups can also be amalgamated (grouped together) into sets and stored for extended periods of time before being replaced by the next set of data backups. In this way small errors that grow with time but go unnoticed in early stages (like what might occur on a system with a data diddler on it or simply with progressive file corruption) don't contaminate the only backups you have and render the data completely lost. In essence, you'd have a fixed number of backups and the oldest one would be replaced by the one you just made.

Backups can (obviously) be made on any writable media other than the hard disk (there'd be no point in storing the copy in the same place as the original as the copy would be just as insecure as the original); that includes floppy disks, tape cartridges, magneto-optical-erasable or floptical disks, SyQuest disks, Iomega ZIP or JAZ disks, or even paper (though that would be tedious to restore to the hard drive should it get lost - and you'd use up paper each time you made a new backup). There are more extensive systems that make use of methods beyond the scope of what we would conventionally think of as a backup (such as file mirroring on separate media) but such systems are costly and few average users would require such extensive measures.

Unfortunately every system is different and has different requirements, and data has different value in different contexts, so no hard and fast rules about backups are possible. In this document it is only feasible to stress their importance and give some general tips.
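The rotation scheme described above (a fixed number of data backup sets, the oldest replaced by the newest) is simple enough to show in working code. The following is an added example, not the document's own code: it makes a backup set, writes a SHA-256 manifest for it, rotates out the oldest sets, and later checks a set against its manifest so that a set which has since decayed (or was already damaged by a data diddler when it was made) can be told apart from an older intact one. The KEEP constant, the directory layout and the manifest file name are assumptions made for this example.

```python
"""Rotating data backup sets with a per-set manifest.

Added example for the Backups section; it is not the document's own code. It
keeps a fixed number of data backup sets, replaces the oldest when a new one is
made, and records a SHA-256 manifest for each set so that a later restore can
tell whether a set still matches what was written. KEEP, the directory layout
and the manifest file name are assumptions made for this example.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List

KEEP = 3                    # fixed number of data backup sets to retain (assumption)
MANIFEST = "MANIFEST.json"  # per-set record of file hashes (assumption)


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def rotate_backups(backup_root: Path, keep: int = KEEP) -> List[str]:
    """Remove the oldest sets until at most `keep` remain; return removed labels.

    Sets are recognised by their manifest and ordered by name, so labels must
    sort chronologically (the timestamp format used in make_backup does).
    """
    sets = sorted(p.name for p in backup_root.iterdir() if (p / MANIFEST).is_file())
    removed = sets[:max(0, len(sets) - keep)]
    for name in removed:
        shutil.rmtree(backup_root / name)
    return removed


def make_backup(source: Path, backup_root: Path, label: str = "") -> Path:
    """Copy `source` into a new backup set, write its manifest, then rotate."""
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_root / label
    data = dest / "data"
    shutil.copytree(source, data)
    manifest: Dict[str, str] = {
        p.relative_to(data).as_posix(): file_sha256(p)
        for p in sorted(data.rglob("*")) if p.is_file()
    }
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    rotate_backups(backup_root)
    return dest


def verify_backup(backup_set: Path) -> List[str]:
    """Return the files in a set whose contents no longer match its manifest.

    An empty list means the set is intact. Anything else means the medium has
    decayed or something wrote to it after it was made; an older set should be
    considered for the restore instead.
    """
    manifest = json.loads((backup_set / MANIFEST).read_text())
    data = backup_set / "data"
    return [name for name, digest in sorted(manifest.items())
            if not (data / name).is_file() or file_sha256(data / name) != digest]


def demo() -> dict:
    """Run the whole cycle on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, backups = root / "docs", root / "backups"
        src.mkdir()
        backups.mkdir()
        # constructed sample data standing in for a user's documents
        (src / "shopping.txt").write_text("eggs\nmilk\n")
        (src / "notes.txt").write_text("remember to back up\n")
        # four backups with KEEP == 3: the first set is rotated out
        sets = [make_backup(src, backups, label=f"set{i}") for i in range(1, 5)]
        remaining = sorted(p.name for p in backups.iterdir())
        # simulate the backup medium decaying under the newest set
        (sets[-1] / "data" / "notes.txt").write_bytes(b"\x00" * 8)
        return {
            "remaining": remaining,
            "newest_bad": verify_backup(sets[-1]),
            "older_ok": verify_backup(sets[-2]) == [],
        }


if __name__ == "__main__":
    print(demo())
```

The manifest is what makes the fixed-size rotation safe: without it, a set that was silently damaged looks identical to a good one, and once it has pushed the last good set out of the rotation the data is gone, which is exactly the failure the text warns about.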
2) Recovery Disks
==============

Something that far too many people need but don't have are recovery disks. These are disks that one uses with anti-virus software (possibly even containing that anti-virus software) so that one can effectively deal with computer viruses. The reason is that there are many viruses now for which it is a requirement to boot from a clean bootable diskette before removal of the virus is a viable option. Booting from a clean disk removes memory resident viruses (and especially stealth viruses) from memory. To that end, it's often best to make use of them whether you have such a virus or not (it will be nearly impossible for the average user to know for certain if it's required so just use this in all cases).

To make a recovery disk set:

[BOOT disk]

1) On a clean MS-DOS 6.X system insert a blank floppy disk in drive A: and execute the command "FORMAT /S A:". The disk is now bootable.

2) You should now patch A:\IO.SYS by executing the commands "ATTRIB -R -S -H A:\IO.SYS" and "DEBUG A:\IO.SYS". You should now see a '-' prompt; type "d 2a18 2a1a" and press return. You should see "07 72 03" somewhere around the middle of the output line. If this is the case type the following lines:

   e 2a18 07 72 06
   w
   q

   and back at the DOS prompt:

   ATTRIB +R +S +H A:\IO.SYS

   At any point where I say "you should see", if you didn't see what I said you should, then press enter until you get a '-' prompt, type "q" and then "ATTRIB +R +S +H A:\IO.SYS". What it probably means is that you're using a version of DOS which is incompatible (you *must* use an MS-DOS 6.X version for this patch to be valid). If you were unable to perform this patch it doesn't matter all that much as it is needed only in relatively rare circumstances. *1* See the end of this section.

3) Copy FORMAT.EXE on to the floppy (not for removing viruses but for creating more recovery disks in case you need to do so when your system is "dirty").
   Copy DEBUG.EXE, SYS.COM, and FDISK.EXE to the floppy for disaster recovery (not necessarily viral) for which you will require instructions from an expert should such recovery become necessary.

4) Copy HIMEM.SYS and EMM386.EXE onto the floppy and create a CONFIG.SYS file on the floppy containing these three lines:

   device=a:\himem.sys
   device=a:\emm386 /noems
   dos=high

5) Write protect the disk (on 3-1/2" disks that means you can see through the hole, on 5-1/4" disks this means the notch is covered) so that if the disk is inserted into an infected system while a virus is active the virus cannot infect the disk and render it useless.

6) Write down all the configuration information in your CMOS memory on a piece of paper to be stored with your recovery disk(s). (CMOS memory holds configuration information and can usually be accessed on 286+ computers during bootup by pressing 'Del' or 'Esc' during the memory test.)

7) Clearly label the disk with a meaningful name (i.e. Recovery Disk : Bootable DOS 6.x).

8) Repeat this process (without the patch in step 2) on a clean Win95 or Win98 system if you need a Win95 or Win98 boot disk (i.e. if you're going to be working on a Win95 or Win98 system).

[AV disk]

1) Copy the necessary files from your anti-virus product on to a second floppy. This may require more than one floppy disk depending on the AV product.

2) Copy a backup of your clean Master Boot Record (MBR) and DOS Boot Sector (DBS) on to the second floppy along with a program to restore them to their proper locations. You will require special software to make these backups as the MBR and DBS are not files and can not be located inside of a file system.

3) Write protect this disk as you did the first one and give it a meaningful label.

[DECOMPRESSION disk]

1) Copy the decompression tools you need to decompress new versions of your anti-virus product on to a third floppy.

2) Write protect this disk as you did the first and give it a meaningful label.
To update an AV program on a recovery disk:

1) Do a verified clean boot (discussed in a following section) with a bootable recovery disk that matches your operating system (i.e. use the Win95/DOS 7.x boot disk if you run Win95).

2) Using the file decompression program on a recovery disk (specify the full path to be sure - i.e. A:\PKUNZIP.EXE) decompress the new version of the anti-virus product on the hard drive.

3) Remove the write protection from the recovery disk containing the old version of the anti-virus product, insert it into the drive and copy the necessary files from the new version to the disk (overwriting the old files in the process).

4) Replace the write protect tab on the disk in the write protected position (on 3-1/2" disks this means you can see through the hole, on 5-1/4" disks this means that the notch in the side is covered).

To update a compression program on a recovery disk:

1) Do a verified clean boot with a bootable recovery disk that matches your operating system.

2) Decompress the new compression program (usually they come in self-extracting executable archives so all you have to do is execute that - assuming it's already been scanned).

3) Remove the write protection from the recovery disk containing the old version of the compression program, insert it into the drive and copy the necessary files from the new version to the disk (overwriting the old files in the process).

4) Replace the write protect tab on the disk in the write protected position (on 3-1/2" disks this means you can see through the hole, on 5-1/4" disks this means that the notch in the side is covered).

(Important Note: You cannot start making recovery disks on your computer if your computer is already infected by a computer virus - make those recovery disks NOW while you're still capable of doing so, otherwise you're going to have to find someone else who isn't infected who can make recovery disks for you.)
*1* This process (in particular the patching of A:\IO.SYS) is necessary to deal with a security loophole that has existed in MS-DOS since version 3.3 which would hang the computer when booted from the hard disk or from a floppy disk. The bug does not exist in current versions of PC-DOS or most other non-MS operating systems so those can be used instead without the patch (effectively step one should be reduced to include only the format command in that case). In the case of Win95 users, I still suggest using a DOS 6.X recovery disk to start because the above patch will not work on Win95 and also because Win95 leaves a copy of the MBR in a memory buffer even after a clean boot from a floppy. This can interfere with the user's ability to use anti-virus products on the drive (it causes false alarms in the case of MBR infections). A bootable Win95/DOS 7.x disk should be made as well if that is the operating system your computer is running on - so that you can deal with the newer file systems and long filenames if you have them.

3) Verified Clean Boot
===================

That's right, "Verified". The clean boot commonly discussed isn't good enough anymore (and hasn't been for some time - but people haven't updated what they say yet).

A regular clean boot is a requirement for a secure anti-virus scheme because, in essence, the code that gets control first wins. If a virus is already actively running in memory when a user attempts to apply a software based anti-viral technique it is possible for the virus to circumvent that technique, regardless of what it is or how complex it is. The virus can do this before the software is allowed to run or during the operation of the anti-viral software. A clean boot is a hardware based anti-viral technique for removing all possible viruses from the computer's memory so that subsequent software based av techniques can't be actively circumvented.
In theory it is absolutely secure if you know that the disk you're booting off of is clean, but there's a problem. There exists a mechanism by which a virus can make sure it gets loaded even when a simple clean boot is performed. It isn't magic, although it may seem impossible at first. What happens is that a virus (typically an MBR infector) making use of this technique changes the computer's CMOS to make sure that the computer attempts to boot off of the hard drive (thus executing the virus) before checking the floppy drive (the default behaviour, the behaviour necessary for a true clean boot, is the reverse of this) regardless of whether or not a disk is put into drive A:. Upon detecting the disk in drive A:, the MBR infector would continue the boot from the floppy disk (instead of continuing from the hard disk) and make it seem to the user as if s/he had just booted from the floppy. It is now necessary to check and make sure this hasn't happened on your system when you perform a clean boot.

(you may want to print this part out so it's handy when you need it)

As such the verified clean boot is as follows:

1) Turn off the computer; do not press Ctrl-Alt-Del, do not hit the reset button. You may even want to go so far as to unplug the computer (it's been suggested that not all computers will actually turn off completely - most will though).

2) Insert your MS-DOS 6.X bootable recovery disk into drive A:. *See the section on Recovery Disks*

3) Then turn the computer back on (and plug it in if necessary).

4) While the memory check is being performed press the key to bring up the CMOS configuration menu (it should say which key to press - usually it's either Del or Esc).

5) Verify that drive A: is installed and that it is the first drive that the computer attempts to boot from (i.e. make sure it's at the beginning of the boot sequence). Also turn off the BIOS virus protection if it's activated.
   If the BIOS virus protection was set on and/or the boot sequence was reversed deliberately for protection (which is wise) they can be reset to those states *after* you're done looking for viruses.

6) Exit from the configuration (saving any changes you needed to make) and continue with the clean floppy boot process. At the end you should be given the prompt A:\>.

7) If the system is using Win95 or Win98 then steps 1-6 will have given you at least enough access to perform anti-viral procedures on the Master Boot Record (MBR) and DOS Boot Sector (DBS), but steps 1-6 should be repeated with the Win95 or Win98 bootable recovery disk in order to be able to perform anti-viral procedures on your files. If the system in question is not Win95 or Win98 then the files can be checked for viruses without this second clean boot.

4) Anti-Virus Software (AV Software)
=================================

This is not an easy subject to communicate as there are several different types of anti-virus software, some of which have broad general purpose uses while others are better suited to specialized environments. In later discussion only the first type will be mentioned but in this section I'll discuss both.

a. Scanners - There are a large number of them out there; they look for specific viruses that they've been told how to look for (the identifying characteristics are stored in a database that comes with the product). Scanners are the most widely used type of av product and the most convenient because, if used properly, they can catch a virus before it has a chance to affect your system and save you the trouble of restoring your system to its original condition. Some more advanced scanners also know how to look for code that is commonly used in viruses and thus alert you to the presence of a possible new virus.
   This is called heuristic scanning and it doesn't always work as advertised (it doesn't detect all new viruses and sometimes it detects what it thinks "might" be a virus where there isn't one). Nevertheless it's very useful technology and most of the better av products out there now have heuristic capabilities.

b. Integrity Checkers - These are considered the most secure type of anti-virus product even though in the most general sense it is not an anti-virus product. Integrity checkers detect changes to files and/or other system areas (like the MBR or DBS). Viruses (all viruses) have to change something to infect - if they just sit there, they aren't viruses. This is why integrity checking is useful as an anti-virus measure: it can detect ALL viruses, not just the ones in its database. Unfortunately integrity checkers can't tell you the name of the virus (or even if it really is a virus - unless you use it to watch the virus produce offspring) and they can only detect the virus AFTER it's done something, so that you won't know there is a virus there until after you've become infected. Also, an exhaustive check of the integrity of everything on a system can be time consuming so these generally shouldn't be used too often or productivity could suffer. A lesser known implementation is directed integrity checking which checks only certain key system areas and/or likely viral targets.

c. Memory Resident Scanners - These are intended to catch viruses during the normal operation of the computer. They slow down the computer since they scan everything that gets executed or opened. They are sometimes less accurate than the regular scanner, detecting fewer viruses, and they can be circumvented by clever viruses.
   For these reasons the memory resident scanner is primarily useful only in situations where regular scanning of new materials isn't practical, such as a school computer lab, or in environments where its disadvantages aren't noticeable (like WIN95, which affects the speed a lot more than a memory resident or, more appropriately under WIN95, a VxD scanner would).

The more specialized products are:

d. Memory Resident Integrity Checkers - These are like memory resident scanners except that they perform the function of an integrity checker instead. They also have the same drawback as the memory resident scanner with regards to using up system memory and slowing down the computer, but if properly used some can prevent all changed or as yet non-validated software from being executed (i.e. execution of new software won't be allowed until you first check the software and generate integrity information for it). They are open to attack from multipartite infections, however, as the boot infector instance of the multipartite virus will execute before the memory resident integrity checker.

e. Behaviour Blockers - These are memory resident programs that monitor system activities looking for anything that might be considered virus activity. These can also be circumvented and, since viruses don't use any techniques unique to viruses, behaviour blockers can warn you of a process even if it isn't viral.

f. Bait Files - These are used to catch viruses in the act of infecting (the bait files themselves). They aren't particularly useful as they can only catch certain types of viruses and even then not always. They are much more useful to researchers who are studying a particular virus and can thus make a bait file with specific, intelligently chosen characteristics.

g. Immunizers - Despite the name, these aren't very useful at all. These are programs that add self-integrity checking code to all your programs.
   This causes problems when such code is added to a program that already checks its own integrity (the program will no longer run since it's been altered by new self-integrity checking code) and this method can easily be circumvented by simply overwriting the file when the virus infects it.

The most important thing to remember with all software, though, is to Read The F'ing Manual (RTFM). If you don't read it, you are bound to have problems. The second most important thing to remember is to update your software regularly. Scanners typically come out with new versions or new definition files every month or so (there is one that does so every week). Integrity checkers and other generic av software are often updated less frequently, but keeping up to date is no less important in those cases. As a general rule of thumb, unless you are keeping constant tabs on the industry (thus making sure you hear about new releases when they happen) don't go more than 2 months without looking for a more recent version of your main av software. The detection rate of the current version of your scanner can go down by as much as 10% or more over that period just from the number of new viruses that come out each month.

5) Strategy
========

The strategy you use can greatly affect the security of your system against viruses and many people have only rudimentary or ad hoc strategies in place (if any). It's generally accepted in the Anti-Virus community that the best strategy is the multi-layered approach which uses the strengths of one type of software (i.e. integrity checking) to supplement and make up for the weaknesses in another type of software (i.e. scanning). At the moment I am aware of six basic layers that may or may not need to be addressed depending on the needs and capabilities of the system:

a. Problem Scanning - Scanning the entire system to determine if indeed there is a virus already on the system and giving you options for removal (i.e. solving the virus problem you were having). Should be done from a recovery disk.

b. Preventative Filtering - Scanning of all incoming materials (software downloads, disks and CD's, even new computers) to weed out those few that are infected.

c. Virus-Specific System Monitoring - Checking everything you access or execute for viruses (as filtering may miss droppers or you may have filtered improperly or forgotten).

d. Full Integrity Checking - The use of integrity checking to detect new unknown viruses that would remain undetected by virus-specific methods like scanning, and for locating viral changes such as files corrupted by a virus' payload. Should be done from a recovery disk.

e. Generic System Monitoring - Using generic techniques (such as directed integrity checking and/or baiting) to monitor key system areas and/or likely viral targets. This should ideally be less computationally intensive than a Full Integrity Check as it is meant to replace it partially and hopefully lessen the performance hit that regular Full Integrity Checks would have.

f. Recovery - Restoring programs, data, and the system in general to its original uninfected state.

Problem Scanning and Preventative Filtering are best accomplished by known virus scanners. Virus-Specific System Monitoring is best accomplished using the VxD (Windows only) component (not a TSR) of the known virus scanner used for Problem Scanning and Preventative Filtering. Full Integrity Checking should be done using a good, secure integrity checker. Generic System Monitoring can be done using directed integrity checkers or full integrity checkers if they can be configured to check only a few important things. Recovery is best done using backups; restoring by replacing affected objects with known clean back-ups is the safest and most secure method of recovery - though most people seem to prefer the convenience of disinfection by a known virus scanner (not realizing that it's not always perfect or even possible).
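Section 4b describes what an integrity checker can and cannot tell you, and layers d and e above describe using one in full or directed form. The following is an added example, not the document's own code and not any product's: a directed integrity checker that records a baseline over a chosen list of likely viral targets plus named "system areas", then classifies every later difference as changed, new (not yet validated) or missing. The system areas are passed in as bytes because reading the real MBR or DOS boot sector needs raw sector access that this example leaves out; the file names, the database name and the watched list are assumptions.

```python
"""Directed integrity checker: record a baseline, then report what changed.

Added example for sections 4b (Integrity Checkers) and 5d/e (Full Integrity
Checking and Generic System Monitoring); it is not the document's own code nor
any product's. It hashes a chosen list of likely viral targets plus named
"system areas" and classifies every later difference as changed, new or
missing, which is all an integrity checker can say: it sees that something
changed, not what changed it. The system areas are supplied as bytes; reading
the real MBR or DOS boot sector needs raw sector access that this example
deliberately leaves out. File names, the database name and the watched list
are assumptions.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

Baseline = Dict[str, Dict[str, str]]   # {"files": {name: digest}, "areas": {name: digest}}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(root: Path, names: Iterable[str], areas: Dict[str, bytes]) -> Baseline:
    """Hash each watched file under `root` that exists, and each system area."""
    files: Dict[str, str] = {}
    for name in names:
        p = root / name
        if p.is_file():               # a watched file that is gone shows up as "missing"
            files[name] = digest(p.read_bytes())
    return {"files": files, "areas": {n: digest(b) for n, b in areas.items()}}


def save_baseline(baseline: Baseline, db: Path) -> None:
    # In the document's setting this file lives on a write-protected recovery
    # disk, so an active virus cannot rewrite the record of what "clean" looks like.
    db.write_text(json.dumps(baseline, sort_keys=True))


def load_baseline(db: Path) -> Baseline:
    return json.loads(db.read_text())


def compare(baseline: Baseline, current: Baseline) -> Dict[str, List[str]]:
    """Classify differences between two snapshots."""
    report: Dict[str, List[str]] = {"changed": [], "new": [], "missing": []}
    for kind in ("files", "areas"):
        old, now = baseline.get(kind, {}), current.get(kind, {})
        for name in sorted(set(old) | set(now)):
            if name not in now:
                report["missing"].append(name)
            elif name not in old:
                report["new"].append(name)      # not yet validated: check it before running it
            elif old[name] != now[name]:
                report["changed"].append(name)
    return report


def demo() -> Dict[str, List[str]]:
    """Baseline, then three kinds of change, on constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        watched = ["COMMAND.COM", "UTIL.EXE", "NEW.COM"]
        # constructed stand-ins for likely viral targets (not real DOS binaries)
        (root / "COMMAND.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 64)
        (root / "UTIL.EXE").write_bytes(b"MZ" + b"\x00" * 128)
        mbr = b"\x33\xc0\x8e\xd0" + b"\x00" * 506 + b"\x55\xaa"   # constructed 512-byte sector
        db = root / "INTEG.DAT"
        save_baseline(snapshot(root, watched, {"MBR": mbr}), db)

        # later: one file grew (as it would after a parasitic infection), one
        # file disappeared, one unvalidated file appeared and the MBR was rewritten
        (root / "COMMAND.COM").write_bytes((root / "COMMAND.COM").read_bytes() + b"\x90" * 40)
        (root / "UTIL.EXE").unlink()
        (root / "NEW.COM").write_bytes(b"\xc3")
        altered_mbr = b"\xeb\x10" + mbr[2:]
        return compare(load_baseline(db), snapshot(root, watched, {"MBR": altered_mbr}))


if __name__ == "__main__":
    print(demo())
```

Note what the report does not contain: a virus name, or even a verdict that the change was viral. That is the limitation section 4b describes, and it is why the document pairs this layer with a known-virus scanner rather than relying on either alone. Running the comparison after a verified clean boot, with the baseline on a write-protected disk, is what keeps a stealth virus from feeding the checker false readings.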
6) Recipes
=======

What follows are the situations you should run into and what you should do as far as anti-virus security when you do. (you may want to print this part out so it's handy when you need it)

1) Normal day to day computer use - Make backups regularly (the exact schedule is dependent on the situation), verify the integrity of your data with an integrity checker on a regular basis (a good idea to do this BEFORE you make a new backup). The integrity checker should be used from a bootable recovery disk if possible (so that viruses can't attack the files that it stores which tell it what your files are supposed to look like - and so that stealth viruses can't hide their effects from it) after a verified clean boot. You can run one of the memory resident anti-virus products and/or generic system monitors as well.

2) Reception of new software or disks or computer - Scan all new materials coming into your system. Unpack compressed archives and scan inside those (some scanners can do this by default with a number of types of compression). Use a program like UNP to decompress and/or decrypt runtime compressed/encrypted executables and scan inside those (some scanners can do this automatically). If these seem like measures you aren't sure you can remember to follow every time, you might want to get hold of a program called THDPro (along with all those unpacking utilities and scanners), as it will automate much of this (and more) when correctly installed. It won't automate everything though. You still have to tell it what to scan, when you want it to check something. You can't rest on your backside. There is no fully automatic security. Then backup the new software (if warranted).

3) Reception of email - Scan all email attachments before opening them as though they were new software (they can be just that). Configure your reader NOT to use HTML by default or at the very least turn off the ability to run embedded scripts in emails that HTML email allows.
   Do not accept attachments from strangers. Do not open attachments from people you know until you've verified that the sender meant to send it. The best way to verify that the sender meant to send it is if the sender also sent a PGP signature along with it - and shared his/her PGP public key with you ahead of time (i.e. in a different message at a much different time). Each attachment would have to have its own separate signature. The signature(s) should be checked for validity when received. This would be ideal when your normal order of business requires you to accept email attachments fairly frequently. In cases where using PGP isn't viable a good alternative method would be to send a message back requesting confirmation for each individual attachment. Do not accept confirmation messages sent before your request for confirmation and most certainly not confirmation in the original message itself. Ideally the confirmation should quote your request for confirmation in part or in whole and give individual confirmation for each attachment.

4) Scanning the entire computer - Perform a verified clean boot from the recovery disk, insert the disk with the scanner on it and execute the scanner. This allows you to scan your files in a clean environment so that viruses can neither hide from the scanner nor use it to aid in infecting every executable on your hard drive. It isn't often necessary to scan the entire computer, usually only when you update your scanner or if integrity checking starts turning up changed executables. Otherwise steps #2 and #3 should stop all known viruses before they get into your system.
   In the case of major device driven media (such as a Stacker, Doublespace, or Speedstor drive) where the device drivers necessary to access them aren't loaded during the verified clean boot - scan the computer using the method above, and when everything turns up clean reboot from the hard drive so that those drivers are loaded up but nothing inside the device driven media is executed, and then use the scanner on the floppy to scan the device driven media (or if you're clever, put the device drivers on the recovery disk so that you can access them after the clean boot). In the case of Win95 or Win98, perform the above mentioned clean boot with the DOS 6.x boot disk and scan or otherwise check the MBR and DBS for viruses. Then boot from the Win95 or Win98 boot disk and check the rest of the computer.

5) Integrity checking the entire computer - Again, perform a verified clean boot from a recovery disk (so that stealth viruses cannot circumvent the integrity checker), insert the disk with the integrity checker and integrity data into the floppy drive and check the system. This should be done regularly regardless of whether or not the target system gets a lot of new files (integrity checking is a good all around security measure, and besides which a time bomb in a very old file could activate). There may be some question as to whether the disk with the integrity checker and data on it should be write protected or not - it should, except when you intend to actually use it (i.e. remove the write protection just before executing the integrity checker and then restore it when the integrity checker has finished). This is so that it doesn't get infected if it's accidentally put in the drive when you haven't yet performed a clean boot (i.e. you might put it in by accident).

6) Disinfecting your system - Perform a verified clean boot and insert the disk with the scanner on it and execute the scanner. Use it to identify all infected objects on your hard disk.
   Use the identification the scanner gives you to find out information on the virus (such as data damaging effects other than infection - so that you'll know whether it's likely that it's started to affect the integrity of your backups - most viruses don't have such effects however). Delete those affected objects and replace them from backups. The disinfection capabilities in anti-virus software are not perfect and can wind up damaging a file even more; that's why even the people who create the software suggest that you remove viruses by deleting and replacing from known clean backups. The disinfectors are to be used only if there's no other way. If it's the MBR or DOS Boot Sector that's infected, restore it from the backups of them that you have on a recovery disk. If you don't have a backup of your boot sector or MBR it will be necessary to use the disinfection capability of your anti-virus program. These viruses will infect floppies so it will be necessary to scan your floppy disks and recover from those additional infections.

   After everything is clean and working properly again, send the company who makes your anti-virus program a note saying what virus you had, how you cleaned it up, and how much you appreciate their efforts in creating such great anti-virus tools. This will improve their figures regarding which viruses are in the wild and how prevalent they are, as well as giving them an opportunity to have someone reply if there are any additional procedures you should have used or anything they feel you need to be made aware of. It also makes some of them feel good to get the appreciation they so much deserve.

7) Dealing with a recurring infection - Consider the possibility that you haven't managed to clean up the infection entirely the first time or that you have a dropper that was able to slip through step #2 and/or #3. Boot sector and MBR infectors will infect floppy disks as well so after recovering the hard drive, check all your floppies.
If it's a recurring file infection, it could be that you weren't strict enough with your security and the backups got infected, or you could have a dropper. Scan all your backups (program and data backups alike, since macro viruses infect document files and those would be in your data) to eliminate the possibility of infected backups, and then use one or more of the memory-resident anti-virus products to hunt down droppers by executing all your files one by one (droppers are files that contain viruses but are constructed so that scanners can't see the virus even if it's one the scanner knows about). When you finally execute the dropper, the memory-resident AV programs should warn you that the program is trying to do something you may not want it to do. This should only be performed in situations where the dropper can't be detected but the virus it drops can be. If all this fails, question whether steps #2 and #3 are being followed strictly enough in all circumstances (you could be getting infected files over and over again from someone you would otherwise 'trust' - if so, they should be alerted about the infection so that they can clean up their system). Well, that's it for security; now to tie up some loose ends. 7) How to choose an AV Product =========================== The scanner is a particularly difficult piece of software to choose. It requires you to trust the evaluations of others, because exceptionally few people have the time, resources or know-how to do detection tests on scanners, but it also requires you to know WHO to trust. Magazine tests are a great source of misinformation; they have so many faults it's not funny, and I'll describe some of the worse ones here so that you'll know a bad test when you see one. However, since there is no single "best" virus scanner, you might want to look at the top few as opposed to the top one. The test bed size - This is the total number of *different* viruses used in the test.
Magazine tests tend to use a dozen or so viruses that have popped up in the media. This really says nothing about how many viruses a scanner detects, since there are, at the time of writing, about 42,000 different viruses for the PC. If a particular scanner tested in such a manner detects all 12 viruses, it could be that those are the only 12 viruses it can detect (some scanners are almost this bad). Certainly when there are 42,000 viruses to avoid, a scanner that only detects 12 is also something to avoid. Other tests (marginally better than those done by computer magazines) may use a few hundred or even a few thousand different viruses - but again, the majority of viruses won't be checked for detection. A 'good' test requires that the tester use something close to all the known viruses. Very few people have access to such large collections. Test bed integrity - Magazines tend not to check that what they think are viruses actually are viruses. This check involves making sure each sample will infect something and that the newly infected file in turn will infect something else. For all the samples that don't, their code must be checked by hand to see whether it really is a virus that just isn't compatible with the particular hardware or software being used. Doing this for nearly 42,000 viruses is beyond the scope of almost every magazine (there are one or two specialty publications dedicated to the anti-virus industry that *should* be capable of it) and of most private individuals as well. Rating criteria - Magazine tests tend to rate detection of viruses as having almost equal importance to user-friendly interfaces and scanning speed.
A scanner is a security product; the security it provides lies in its ability to detect viruses, so its detection rate is of prime importance, while the interface and the speed matter only if they happen to be incredibly poor (making an otherwise excellent product practically unusable). Products tested - Magazines tend to test a very limited number of products, maybe as much as 25% of them in most cases, leaving you to guess whether one of the ones they didn't mention is far superior to all the ones they did. Some of the better-respected independent tests in the industry have come from places like the Virus Test Center at the University of Hamburg and the Virus Research Unit at the University of Tampere. Two other organizations that perform well-respected tests are Virus Bulletin and Secure Computing. Look for tests from any of these organizations to evaluate the detection rates of different scanners (tests performed by end users themselves have notoriously poor testing protocols and usually use unreasonably small and unrepresentative collections of viruses). Web sites for the above-mentioned organizations are listed below. Virus Test Center [Uni-Hamburg] http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm Virus Research Unit [Uni-Tampere] http://www.uta.fi/laitokset/virus Virus Bulletin [Industry Periodical] http://www.virusbtn.com Secure Computing [Industry Periodical] http://www.westcoast.com An integrity checker is even more difficult to choose, since there aren't any widely accepted methods for testing them. A good idea would be to look for an integrity checker that can check all files as well as the MBR and boot sector, and can store its data on a floppy disk. Other good qualities would be the ability to alert you when there is no integrity data stored for a particular file/directory, and the ability to detect companion viruses generically.
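To make the integrity-checker qualities concrete, here is an added example of mine, not code from the Cook Book or from any product it names. It is a minimal checker that tags every file with an HMAC under a key chosen at install time (the "key-dependent algorithm" idea), reports files that have no stored integrity data, and flags a new file that DOS would execute in preference to a baselined program of the same name (generic companion detection). It also shows why a plain CRC is not a substitute: given a file's CRC-32, four appended bytes are enough to make a modified file keep the same CRC. The directory names, the stand-in "program", the "virus body" and the companion file are all constructed inside the example.

```python
"""Added example (not the Cook Book's code): a keyed integrity checker with
companion detection, plus a CRC-32 forgery showing why the key matters."""
import hashlib
import hmac
import secrets
import tempfile
import zlib
from pathlib import Path

# --- why an unkeyed CRC is not enough -----------------------------------
POLY = 0xEDB88320                    # reflected CRC-32 polynomial, as in zlib
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
REV = {t >> 24: i for i, t in enumerate(TABLE)}   # top byte -> index (unique)


def crc32_forge_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes which, appended to data, make zlib.crc32() equal target.
    A virus that has grown a file can use this to keep the file's old CRC."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF      # CRC register after data
    want = target ^ 0xFFFFFFFF               # register required four bytes later
    for _ in range(4):                       # undo the table update four times
        i = REV[want >> 24]
        want = (((want ^ TABLE[i]) << 8) & 0xFFFFFFFF) | i
    return (want ^ reg).to_bytes(4, "little")


def forged_crc(data: bytes, target: int) -> int:
    """CRC-32 of data with the forged suffix appended (equals target)."""
    return zlib.crc32(data + crc32_forge_suffix(data, target))


# --- the keyed integrity checker ----------------------------------------
DOS_ORDER = {".com": 0, ".exe": 1, ".bat": 2}   # what DOS tries first for NAME


def file_tag(key: bytes, path: Path) -> str:
    # HMAC-SHA256 under a per-installation key: without the key a virus cannot
    # produce a matching tag for a modified file, unlike a CRC or plain hash.
    return hmac.new(key, path.read_bytes(), hashlib.sha256).hexdigest()


def snapshot(key: bytes, root: Path) -> dict:
    return {p.relative_to(root).as_posix(): file_tag(key, p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check(key: bytes, root: Path, base: dict) -> dict:
    """Compare the live tree with the baseline. 'new' is the "no integrity
    data for this file" alert; 'companion' flags a new file DOS would run
    instead of a baselined program with the same name in the same directory."""
    now = snapshot(key, root)
    report = {"changed": [], "missing": [], "new": [], "companion": []}
    for name, tag in base.items():
        if name not in now:
            report["missing"].append(name)
        elif not hmac.compare_digest(now[name], tag):
            report["changed"].append(name)
    for name in now:
        if name in base:
            continue
        report["new"].append(name)
        p, ext = Path(name), Path(name).suffix.lower()
        if ext not in DOS_ORDER:
            continue
        for other in base:
            o = Path(other)
            if (o.parent == p.parent and o.stem.lower() == p.stem.lower()
                    and DOS_ORDER.get(o.suffix.lower(), 99) > DOS_ORDER[ext]):
                report["companion"].append(name)
                break
    return report


def run_demo() -> dict:
    """Constructed scenario: baseline a program, then 'infect' it while
    preserving its CRC-32 and plant a companion .COM beside it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app").mkdir()
        prog = root / "app" / "EDIT.EXE"
        prog.write_bytes(b"MZ" + b"\x90" * 64)           # stand-in for a clean EXE
        key = secrets.token_bytes(32)                    # chosen at "install" time
        base = snapshot(key, root)
        old_crc = zlib.crc32(prog.read_bytes())
        infected = prog.read_bytes() + b"<constructed virus body>"
        infected += crc32_forge_suffix(infected, old_crc)
        prog.write_bytes(infected)
        (root / "app" / "EDIT.COM").write_bytes(b"\xeb\xfe")   # runs before EDIT.EXE
        return {"crc_unchanged": zlib.crc32(infected) == old_crc,
                "report": check(key, root, base)}


if __name__ == "__main__":
    print(run_demo())
```

The demo reports `crc_unchanged` as True (a CRC-based checker that only compared values would have missed the infection), while the keyed check lists EDIT.EXE as changed and EDIT.COM as both new and a companion. Keep the key with the integrity data on the write-protected floppy, not on the hard disk, for the same reason the Cook Book gives for the data itself.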
Another good quality to look for in an integrity checker is what is called a key-dependent algorithm (sometimes simply described as a checksum or CRC algorithm that is uniquely chosen each time the software is installed). Without it, a virus that knows which algorithm is in use can adjust an infected file so that the stored value still matches. These are things you may have to read the manual carefully to find out about, but they are the main things to look for. 8) Virus Facts =========== A virus is just a special sort of program, not a magical glitch that can do supernatural damage to your computer. You can't get infected by a virus from 'reading' email; however, some email clients can do more than just 'read' email. No known virus has ever intentionally damaged hardware, nor is it likely that they will do so in the future. It is never necessary to format a hard drive to get rid of a virus, and in some instances (an infected MBR, for example, which a format doesn't touch) this method won't even work. Do not use the command "FDISK /MBR" unless specifically told to do so by the author of an anti-virus product (and sometimes not even then). There is no "best" anti-virus product and there likely never will be one; there are only very good products and products you should probably just ignore. CMOS memory cannot be infected, only corrupted. 9) Glossary of Terms: ================= Batch File - A script program made up of DOS commands and stored in readable form in a file with a '.BAT' after the filename. Clean/Dirty - Words used to describe the state of infection that an environment exhibits. A computer with no infection present is clean and a computer with one or more infections present is dirty. This can also be applied to floppy disks, boot processes, etc. CMOS - Complementary Metal Oxide Semiconductor: Used in IBM PC/AT compatibles as a battery-backed type of memory to store the setup/configuration information about that computer. Companion Virus - A specialized type of virus that doesn't modify its host. Instead it creates its own file with the same file name as the host but a different file extension that DOS will execute first (a .COM beside a .EXE, for example, since DOS tries .COM before .EXE and .BAT).
CRC - Cyclic Redundancy Check: A technique for producing a short string of bytes that represents an input file (the string is usually much smaller than the file). The value is unique enough to tell one file from another, and so is useful for noticing that a file has changed, since the change would alter its CRC. A checksum is a cruder version of the same idea. A cryptographic hash serves the same purpose but is far stronger: a virus that knows a file's CRC can append a few bytes so that the modified file keeps the same CRC, which is not feasible against a cryptographic hash, nor, without the key, against a key-dependent algorithm. DBS - DOS Boot Sector: This piece of code is part of the operating system (in this case part of DOS). It loads the operating system's kernel. DEBUG.EXE - A program that comes with MS-DOS and is usually located in the DOS directory or the WINDOWS\COMMAND directory. Decompression - The reverse of the act of compression. In a computer environment data and programs can be digitally compressed so as to take up less storage space, but they must be decompressed to be used. Dropper - A program with a virus-infected file hidden inside in such a way as to escape detection by scanners until the dropper is executed and injects the virus into the system. Generic - In anti-virus terms, used to categorize techniques that don't require specific knowledge about the particular viruses they can detect. Infector - A word to indicate that a certain thing is a virus, usually when declaring what type of virus it is (i.e. a file infector is a virus that infects files). Kernel - The main controller part of the operating system. MBR - Master Boot Record: The first sector of a hard disk. It holds a piece of code and the partition table; the code uses the table to make sense of the various logical drives you might have on a single physical hard disk and passes control to the boot sector of the active partition. Media - Something in or on which information is represented/stored. Memory Resident - A term used to refer to the ability to remain active in memory while the computer goes on to perform other tasks (equivalent to TSR - Terminate and Stay Resident). PATH - An environment variable defined in the AUTOEXEC.BAT file.
It lists the other directories that DOS will look in for a given program besides the current directory when you attempt to execute said program. Patch - An ad hoc solution to a problem with a piece of software. PGP - Pretty Good Privacy is a tool used for encryption, sender authentication, inter-computer integrity verification, and more. It is freely available on the Internet. Contributors ============ Jason Betts Micheal Lambert