
Frequently Asked Questions
alt.comp.virus PART 4

alt.comp.virus (Frequently Asked Questions) Version 1.03: Part 4 of 4 Last modified 12th May 1997

Note: This HTML version was knocked up by Tim O'Leary, and kept on his site, in order to have a Melbourne, Australian site available for speedier access. It is faithful to the original, is only a copy of that original and, while occasional efforts are made, this site does not claim to have the latest FAQ. Tim O'Leary does not claim any authorship and a virus is responsible for any mistakes. Tim O'Leary's email is: tmoleary@melbpc.org.au
For the latest FAQ you should always go to David Harley's home page.

ADMINISTRIVIA

Disclaimer

This document is an honest attempt to help individuals with computer virus-related problems and queries. It can *not* be regarded as being in any sense authoritative, and has no legal standing. The authors accept no responsibility for errors or omissions, or for any ill effects resulting from the use of any information contained in this document. Not all the views expressed in this document are mine, and those views which *are* mine are not necessarily shared by my employer.

Copyright Notice

Copyright on all contributions to this FAQ remains with the authors and all rights are reserved. It may, however, be freely distributed and quoted - accurately, and with due credit. B-) . It may not be reproduced for profit or distributed in part or as a whole with any product for which a charge is made, except with the prior permission of the copyright holders. To obtain such permission, please contact one of the co-maintainers of the FAQ.


TABLE OF CONTENTS

Part 1

(1) I have a virus - what do I do?
(2) Minimal glossary
(3) What is a virus (Trojan, Worm)?
(4) How do viruses work?
(5) How do viruses spread?
(6) How can I avoid infection?
(7) How does antivirus software work?

Part 2

(8) What's the best anti-virus software (and where do I get it)?
(9) Where can I get further information?
(10) Does anyone know about

Mac viruses?
UNIX viruses?
macro viruses?
the AOLGold virus?
the PKZip300 trojan virus?
the xyz PC virus?
the Psychic Neon Buddha Jesus virus?
the blem wit virus
the Irina virus
* Ghost

++ * General Info on Hoaxes/Erroneous Alerts

(11) Is it true that...?
(12) Favourite myths

DOS file attributes protect executable files from infection
I'm safe from viruses because I don't use bulletin boards/shareware/Public Domain software
FDISK /MBR fixes boot sector viruses
Write-protecting suspect floppies stops infection
The write-protect tab always stops a disk write
I can infect my system by running DIR on an infected disk

Part 3

(13) What are the legal implications of computer viruses?

Part 4

(14) Miscellaneous

Are there anti-virus packages which check zipped files?
What's the genb/genp virus?
Where do I get VCL and an assembler, & what's the password?
Send me a virus.
It said in a review.....
Is it viruses, virii or what?
Where is alt.comp.virus archived?
++ What about firewalls?
Viruses on CD-ROM.
Removing viruses.
Can't viruses sometimes be useful?
Do I have a virus, and how do I know?
What should be on a (clean) boot disk?
How do I know I have a clean boot disk?
What other tools might I need?
What are rescue disks?
Are there CMOS viruses?
How do I know I'm FTP-ing 'good' software?
What is 386SPART.PAR?
++ Can I get a virus to test my antivirus package with?
When I do DIR | MORE I see a couple of files with funny names...
Reasons NOT to use FDISK /MBR
Why do people write/distribute viruses?
Where can I get an anti-virus policy?
Are there virus damage statistics?
What is NCSA approval?
++ What language should I write a virus in?
++ No, seriously, what language are they written in?
++ [DRD], Doren Rosenthal, the Universe and Everything
++ What are CARO and EICAR?
Placeholders

Supplement: Virus-related FAQs vs. 1.02b

* The alt.comp.virus FAQ
* The comp.virus/Virus-L FAQ
* The macro-virus FAQ
* The alt.comp.virus mini-FAQ
* The Antiviral Software Evaluation FAQ


(14) Miscellaneous

Are there anti-virus packages which check zipped files?

An increasing number of packages seem to support checking .ZIP and other compression formats on the fly. DSAVTK, AVP and NAV 3.0/NAV95 support some formats. The number of formats supported may become as big a selling point as the total number of viruses detected, but for most of us it's only really an issue if we do a lot of scanning of CDs, for instance. Even then, it becomes urgent only if you *unpack* the archive and want to run programs. Compilers of CDs, however, are *not* entitled to use this as an excuse for not scanning their collections.

What's the genb/genp virus?

It is McAfee-ese for "You may have an unrecognised ('generic') boot-sector (genb) or partition-sector (genp) virus". Re-check with a more recent version, or with the latest version of another reputable package.

Where do I get VCL and an assembler, & what's the password?

Wrong FAQ. You don't learn anything about viruses, programming or anything else from virus toolkits. You want rec.knitting. B-)
I can't believe there's anyone left on the Internet who doesn't know the VCL password, but I'm not going to tell you anyway. OK, maybe you want an assembler to learn assembly-language, not just to rehash prefabricated code.

Where do you get TASM?

You buy it from Borland or one of their agents, either stand-alone or with one of their high-level languages. If you want freeware or shareware, I guess you can still get the likes of CHASM and A86 (SimTel mirror sites in SimTel/asm).

Send me a virus

Anti-virus researchers don't usually share viruses with people they can't trust. Pro-virus types are often unresponsive to freeloaders. And why would you *trust* someone who's prepared to mail you a virus, bona-fide or otherwise? [A high percentage of the 'viruses' available over the internet are non-replicating junk.]
Requests for viruses by people 'writing a new anti-virus utility' are usually not taken too seriously. * We get rather a lot of such requests, which leads to a certain amount of cynicism. * Writing a utility to detect a single virus is one thing: writing a usable, stable, reasonably fast scanner which detects all known viruses is a considerable undertaking. There are highly experienced and qualified people working more or less full time on adding routines to do this to antivirus packages which are already mature, and unless you have a distinctly novel approach, you don't have much chance of keeping up with them.

* It may be that the research you're interested in has already been done. Say what sort of information you're looking for, and someone may be able to help.
* You can't afford to use junk 'viruses' for research, and the best collections are largely in the hands of people who won't allow access to them to anyone without cast-iron credentials.

If you want to test anti-virus software with live viruses, this is *not* the way to get good virus samples.

Valid testing of antivirus software requires a lot of time, care and thought and a valid virus test-set. Virus simulators are unhelpful in this context: a scanner which reports a virus when it finds one of these is actually false-alarming, which isn't necessarily what you want from a scanner.

Read Vesselin Bontchev's paper on maintaining a virus library:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/virlib.zip

There have been one or two requests for source code. Assuming you have the necessary knowledge of programming (especially x86 assembler) and the PC, this is probably the wrong approach, unless you're a serious antivirus researcher (in which case you need to sell yourself to the antivirus research community, and asking for viruses here isn't the way to earn their trust).

* How can you trust any source code you're sent? Antivirus researchers won't send it to you, so you have to rely on the goodwill of a virus writer or distributor: not always a good idea. Many so-called viruses picked up from CDs, VX websites etc. aren't viruses at all.

* Are you going to examine all 8-9000(-ish) known viruses? Or all the 180-ish listed in the WildList? If not, what are your selection criteria going to be? How will you tell an insignificant variant from a completely different virus type?


Your first task is to understand the general principles, and you won't get those from snippets of code. If you still need low-level analysis afterwards, you might like to try
http://www.virusbtn.com/VirusInformation/
where you can find analyses (without source code) of a number of common viruses, analysed by experts.

It said in a review....

Reviews in the general computing press are rarely useful. Most journalists don't have the resources or the knowledge to match the quality of the reviews available in specialist periodicals like Virus Bulletin or Secure Computing. Of course, it's possible to produce a useful, if limited assessment of a package without using live viruses based on good knowledge of the issues involved (whether the package is NCSA-certified, for instance): unfortunately, most journalists are unaware of how little they know and have a vested interest in giving the impression that they know much more than they do. Even more knowledgeable writers may not make clear the criteria applied in their review.

Is it viruses, virii or what?
The Latin root of virus has no plural form. Since the use of the word virus is borrowed from biology, you might like to conform to the usage normally favoured by biologists, doctors etc., which is viruses. However, a number of people favour the terms virii/viri, either to avoid confusion with the biological phenomenon (but what's the point of distinguishing in the plural but not in the singular?), or to avoid being mistaken for anti-virus researchers.....

Where is alt.comp.virus archived?
It isn't, as far as anyone seems to know. No-one currently working on the FAQ is likely to offer archiving, since a full archive would include uploaded viruses. When the FAQ is established, I may do some work on making an occasional digest available.

Tom Simondi points out that there is an archive of sorts at dejanews. You can search for several months of messages by subject at:
http://www.dejanews.com/
+++ Kevin Marcus has announced that he is archiving alt.comp.virus at:
ftp://ftp.infospace.com/pub/alt.comp.virus-archives
[Since postings are being archived manually, binaries, source code etc. will not be available from this site.]


++What about firewalls?

Firewalls don't generally screen computer viruses, though version 3 of Checkpoint's Firewall-1 can use a plug-in scanning module based on Computer Associates/Cheyenne's InocuLAN engine. However, there are a number of products that scan for viruses at a point either before or after a "normal" firewall to the Internet (or internally between post offices). These products can scan incoming and outgoing E-mail attachments for viruses. MIMESweeper, by Integralis, uses your favourite scanner (e.g. F-PROT, Thunderbyte, Dr. Solomon's, Sophos, etc) to scan for viruses after it has opened up the E-Mail attachments in a secure area on the hard drive of the NT machine.

Obviously, the on-demand scanner is an additional cost. Because MIMESweeper invokes the scanner through a "batch" file, the scan can use any switches or commands that the scanner program(s) support, and several scanners can be run in turn with different switches, etc. If the attachment is clean, it sends the E-Mail on. Files which it cannot scan can be 'quarantined' in the secure area to be scanned 'by hand' or otherwise disposed of.

MIMESweeper vs. 1.0 reads MIME attachments and recognises ZIP archives, but does not read other compression formats or binary encoding formats such as uuencode.

MIMESweeper ver. 2.1 reads MIME attachments and UUENCODE, and recognises ZIP and recursive .ZIP archives and OLE, but does not yet read many other compression or binary encoding formats (CDA, BinHex, LHA and Stuffit are expected in due course). It runs under NT Workstation and requires, at minimum, a 486 with 24Mb RAM, 500Mb hard disk, and a CD-ROM drive (for installation only). It works with cc:Mail, SMTP with MIME attachments, Microsoft Mail, or MHS. MIMESweeper 3.0 adds FTP/HTTP but not NNTP. Minimum requirement is still a 486 with 24Mb, but medium to high volumes will require a Pentium with 32Mb RAM. WEBSweeper requires NT version 4.0 (apply Service Pack 4 if accessed via NetWare). MIMESweeper requires TCP/IP for remote management. MIMESweeper has advanced content filtering abilities which go beyond its capabilities (with assistance from other software) for detection of file viruses and trojans.

Trend's InterScan VirusWall is similar to MIMESweeper but uses Trend's own scanning engine only as the scanner. Trend also scans FTP traffic. Trend currently runs on SUN Solaris 2.4-5 and will be adding NT later.

These products do real scanning before the mail hits the hard drive but, at least until the holes are filled in the above products, make sure your mail attachments, WWW downloads etc. can't be automatically executed, and use a good TSR/VXD in combination with a good scanner. Note that scanning FTP traffic is likely to add a heavy network overhead and probably won't catch as many viruses as checking *all* files from *all* sources with a desktop scanner.

Current informed thinking tends to be that detection of viruses at the firewall is acceptable (1) if you can afford the additional hardware, software and latency (processing overhead), not to mention the hidden administrative overheads of configuration and policy for dealing with boundary conditions such as unusual 7-bit encoding formats, encrypted files etc., and (2) as long as you appreciate that it can only be supplementary to checking at the desktop, not a replacement. Mail attachments, FTP and HTTP are more significant vectors for virus transmission than formerly, especially with the near-exponential boom in macro viruses, but other vectors (especially floppy disks) are still of vital concern. System administrators are attracted by the fact that it's easier to update server software than to control the use of scanning on individual workstations, but the fact remains that in most environments, until the desktop is adequately protected with good, up-to-date realtime (on-access) scanning and/or scheduled on-demand scanning, virus scanning at the perimeter is a semi-irrelevance.
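
As an added illustration (not MIMESweeper's, Trend's or any vendor's code), here is a toy gateway in Python that does what the products above are described as doing: it walks a message's MIME attachments, unpacks ZIP archives recursively up to a fixed depth, hands each resulting file to a signature check (here the EICAR test string is the only signature), and quarantines anything it cannot decode or unpack. The message it scans is constructed inline.

```python
"""Toy mail-gateway scan in the MIMESweeper style: walk a MIME message, decode
each attachment, unpack ZIP archives recursively (to a fixed depth) and scan
every resulting file.  Standard library only; the EICAR string is the only
"signature" this scanner knows."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

MAX_ZIP_DEPTH = 3   # archives nested deeper than this are quarantined, not opened
# Content types this toy gateway knows how to hand to the scanner; anything else
# (e.g. an encoding it cannot unpack) is held in the quarantine area instead.
SCANNABLE = {"text/plain", "application/octet-stream", "application/zip"}


def scan_bytes(name, data):
    """Signature check on one plain file: ('infected' | 'clean', name)."""
    return ("infected" if EICAR in data else "clean"), name


def scan_blob(name, data, depth=0):
    """Scan a blob; ZIP archives are opened and each member scanned in turn."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [scan_bytes(name, data)]
    if depth >= MAX_ZIP_DEPTH:
        # Too deeply nested to inspect automatically: hold it for a manual look.
        return [("quarantine", name)]
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{name}/{info.filename}"
            results.extend(scan_blob(member, zf.read(info), depth + 1))
    return results


def scan_message(raw):
    """Scan every attachment of a raw RFC 822 message.

    Returns (overall, findings): overall is 'clean', 'infected' or
    'quarantine'; findings lists (verdict, filename) for each file seen."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True)
        if payload is None or part.get_content_type() not in SCANNABLE:
            findings.append(("quarantine", name))
            continue
        findings.extend(scan_blob(name, payload))
    verdicts = {v for v, _ in findings}
    if "infected" in verdicts:
        overall = "infected"
    elif "quarantine" in verdicts:
        overall = "quarantine"
    else:
        overall = "clean"
    return overall, findings


def nest_zip(filename, data, levels):
    """Wrap data in `levels` nested ZIP archives (constructed test input)."""
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(filename, data)
        data, filename = buf.getvalue(), f"level{i + 1}.zip"
    return data


def build_sample_message():
    """Constructed test message (not a real capture): a clean text attachment
    plus a ZIP inside a ZIP holding an EICAR file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed gateway test"
    msg.set_content("Body text; not an attachment.")
    msg.add_attachment(b"just a note", maintype="text", subtype="plain",
                       filename="README.txt")
    msg.add_attachment(nest_zip("eicar.com", EICAR, 2), maintype="application",
                       subtype="zip", filename="samples.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    overall, findings = scan_message(build_sample_message())
    print(overall)
    for verdict, name in findings:
        print(f"  {verdict:10s} {name}")
```

The depth limit is the gateway's answer to the "recursive .ZIP" case: an archive nested past MAX_ZIP_DEPTH is quarantined for a manual look rather than passed on unscanned.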



McAfee's WebScan also addresses this market, but has detection only, not disinfection: you need their on-demand scanner too. Dr. Solomon's MailGuard is based on MIMESweeper. Norton AntiVirus for Firewalls is due for release in June 1997.
For firewall-related information, try the newsgroups:
comp.security
comp.security.firewalls

or, if you don't mind your mail by the ton, the firewalls mailing-lists.

mailto: majordomo@greatcircle.com
subject:
message: subscribe firewalls

mailto: majordomo@greatcircle.com
subject:
message: subscribe firewalls-digest

++GreatCircle Associates website with links to the GreatCircle mailing list and archives and other security/firewall resources.

http://www.greatcircle.com/firewalls/

++Marcus Ranum's FAQ:

http://www.v-one.com/pubs/fw-faq/

Books:

Firewalls and Internet Security - Repelling the Wily Hacker
(Cheswick, Bellovin) - Addison-Wesley
Building Internet Firewalls (Chapman, Zwicky) - O'Reilly
Vendors:
http://www.integralis.com/
http://www.checkpoint.com/
http://www.trendmicro.com/
http://www.mcafee.com/
http://www.drsolomon.com/

Viruses on CD-ROM

Viruses have been distributed on CD ROM (for instance, Microsoft shipped Concept, the first (in the wild) macro virus, on a CD ROM called "Windows 95 Software Compatibility Test" in 1995). It is wise to scan CD ROMs on arrival for viruses, just like floppies. If the CD ROM has compressed or archived files, it is wise to scan it with an anti-virus package which can cope with large amounts of compressed and archived files.
[If you scan all drives at every boot, though, you may find that this gives you a good incentive to remove CDs from your CD drive before you power down, especially if your scanner isn't set to allow you to break out of a scan. B-)]

Removing viruses

It is always better from a security point of view to replace infected files with clean, uninfected copies. However, in some circumstances this is not convenient. For example, if an entire network were infected with a fast-infecting file virus then it may be a lot quicker to run a quick repair with a reliable anti-virus product than to find clean, backup copies of the files.

It should also be realised that clean backups are not always available. If a site has been hit by Nomenklatura, for example, it may take a long time before it is realised that you have been infected. By that time the data in backups has been seriously compromised.

There are virtually no circumstances under which you should need to reformat a hard disk, however: in general, this is an attempt to treat the symptom instead of the cause. Likewise re-partitioning with FDISK.

If you use a generic low-level format program, i.e. one which isn't specifically for the make and model of drive you actually own, you stand a good chance of trashing the drive more thoroughly than any virus yet discovered.

Can't viruses sometimes be useful?

Vesselin Bontchev wrote a respected paper on this subject:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip
Fred Cohen has done some heavy-duty writing in the other direction.
Start with "A Short Course on Computer Viruses", "It's Alive!"(Wiley).

In general, it's hard to imagine a situation where (e.g.) a maintenance virus is the *only* option. I have yet to see a convincing example of a potentially useful virus which *needs* to be a virus.
Such a program would have to be *much* better written and error-trapped than viruses usually are.

Do I have a virus, and how do I know?

Almost anything odd a computer may do can (and has been) blamed on a computer "virus," especially if no other explanation can readily be found. In most cases, when an anti-virus program is then run, no virus is found.

A computer virus can cause unusual screen displays, or messages - but most don't do that. A virus may slow the operation of the computer - but many times that doesn't happen. Even longer disk activity, or strange hardware behaviour can be caused by legitimate software, harmless "prank" programs, or by hardware faults. A virus may cause a drive to be accessed unexpectedly (and the drive light to go on) - but legitimate programs can do that also.

One usually reliable indicator of a virus infection is a change in the length of executable (*.com/*.exe) files, a change in their content, or a change in their file date/time in the Directory listing. But some viruses don't infect files, and some of those which do can avoid showing changes they've made to files, especially if they're active in RAM.

Another common indication of a virus infection is a change to interrupt vectors or the reassignment of system resources. Unaccounted use of memory or a reduction in the amount normally shown for the system may be significant.

In short, observing "something funny" and blaming it on a computer virus is less productive than scanning regularly for potential viruses, and not scanning because "everything is running OK" is equally inadvisable.

What should be on a (clean) boot disk?

A boot floppy is one which contains the basic operating system, so that if the hard disk becomes inaccessible, you can still boot the machine to attempt some repairs. NB All formatted floppies contain a boot sector, but only floppies which contain the necessary system files can be used as boot floppies. A clean boot disk is one which is known not to be virus-infected. It's best to use a clean boot disk before routine scans of your hard disk(s). Some antivirus packages will refuse to run if there is a virus in memory. It is usually better and sometimes mandatory to disinfect a system without the virus in memory, and an undetected file virus may actually spread faster during a scan, since scanners normally open all executable files in all directories.

To make an emergency bootable floppy disk, put a disk in drive A and type
FORMAT A: /S
Be careful to avoid 'cross-formatting', i.e. formatting a double-density disk as high-density or vice versa, if your system allows this. (You should avoid this all the time, not just when creating a boot disk. I'd also recommend avoiding single-density and quad-density disks, and there may be problems writing to double-density 5.25" disks on a different machine to the one on which they were formatted, if one machine is an XT and the other an AT or better.)

You can also make a pre-formatted floppy into a boot disk by typing SYS A:

I'd suggest you also COPY these commands from C:\DOS to it: ATTRIB, CHKDSK (or SCANDISK if you have DOS6), FDISK, FORMAT, SYS, and BACKUP and RESTORE (or whatever backup program you use, if it will fit). They may come in handy if you can't access the hard disk, or it won't boot up.

You may be aware that if there is a problem with your boot sequence, you can boot from the hard disk on a DOS 6/7/Win95 system while bypassing AUTOEXEC.BAT and CONFIG.SYS. This is not as good as a clean floppy boot: it won't help at all if you have a boot sector/partition sector infector, or if any or all of the basic operating system files have been infected by a file virus.

The boot disk should have been created with the same version of DOS as you have on your hard disk. It should also include any drivers necessary to access your hard disk and other devices. If, for some reason, you can't obtain a clean boot disk with the same version of DOS, you can often get away with booting from a (clean) disk using a different version: indeed, there are viruses which exploit a bug in recent versions of MS-DOS which will prevent a clean boot from DOS vs. 4-6. If you *do* use a different version, remember that you won't be able to use many of the standard DOS system utilities on the hard disk, which will simply return a message like 'Wrong DOS version' when you try to run them, and avoid the use of FORMAT or FDISK.

If you become virus-infected it can be very helpful to have a backup of your hard disk's boot sector and partition sector (also known as the MBR). Some anti-virus and disk utilities can do this. Other useful tools to include are a small DOS-based text editor (for editing AUTOEXEC.BAT, CONFIG.SYS and so forth), a copy of the DOS commands COMP or FC (for comparing files), FDISK and SYS (make sure they are from the same version of DOS as you are booting). There is a school of thought that your boot disk should also include your anti-virus software.

The problem with this is that anti-virus software should be updated frequently, and you may forget to update (and re-write-protect) your boot disk each time. Ideally you will have been sent a clean, write-protected copy of the latest version of your anti-virus software by your vendor/supplier.

If you want to use the DOS program EDIT, remember that you need both EDIT.* and QBASIC.* on the same disk.

When you have everything you need on your boot floppy and any supplementary floppies (see below), make sure they're all *write-protected*!

How do I know I have a clean boot disk?

You can't usually make up a clean boot disk on a system which has been booted from an infected floppy or hard disk. So how do you know you're booting clean? Actually, you can never be 100% sure. If you buy a PC with the system already installed, you can't be sure the supplier didn't format it with an infected disk. If you get a set of system disks, can you assume that Microsoft or the disk duplicator didn't somehow release a contaminated disk image? (Yes, something rather like this has indeed happened...) However, you can be better than 99% sure.

* If you have (and use) a reputable, up-to-date virus scanner, it will almost invariably detect a known virus in memory (scanners can't be relied on to detect an unknown virus, in memory or not). If a good scanner doesn't ring an alarm bell, you've *almost* certainly booted clean. What constitutes a good scanner is another question....
* If you have a set of original system disks which you received shrinkwrapped *and* which you've never used *or* which have only been used write-protected, you can probably use Disk 1 as a boot disk and it *probably* isn't infected - after all, Microsoft doesn't use MSAV for jobs like this..... It has been reported, though, that DOS systems disks have been distributed infected, and the fact that they're often distributed write-enabled doesn't inspire confidence.
* You could always contact the supplier of your most-trusted anti-virus utility and ask whether you can send them a boot floppy to check. Of course, even anti-virus gurus sometimes make mistakes, but a boot disk verified in this way would still be worth paying for, especially for organizations with mission-critical systems.

* S&S are now distributing a 'Magic Bullet' disk with future versions of their Dr. Solomon product, which will boot a PC with just enough functionality to enable users to run their scanning software without infringing Microsoft's copyright (as they would be doing if they distributed a boot-able DOS floppy). This strikes me as an excellent idea, though it won't work on every system.

* When the unit I work for approached Microsoft to check on the legal position as regards distributing a clean boot disk with anti-virus software updates within the organization, we were told that this was OK as long as the boot floppy was made with the same version of DOS as the version on the target machine. Any organization wishing to do this might like to check with Microsoft that this is still their formal position.


What other tools might I need?

Other suggestions have included a sector editor, and Norton Utilities components such as Disk Doctor (NDD). These are not suitable for use by the technically-challenged - any tool which can manipulate disks at a low-level is potentially dangerous. If you do use tools like this, make sure they're good quality and up-to-date. If you attack a 1Gb disk with a package that thinks 32Mb is the maximum for a partition and MFM disk controllers are leading edge, you're in for trouble....

A copy of PKZIP/PKUNZIP or similar compression/decompression utility may be useful both for retrieving data and for cleaning (some) stealth viruses.

The MSD diagnostic tool supplied with recent versions of DOS and Windows is a useful addition. QEMM includes a useful diagnostic tool called Manifest. Heavy duty diagnostic packages like CheckIt! may be of use. There are some useful shareware/freeware diagnostic packages, too.

Obviously, these are not all going to go on one bootdisk. When you prepare a toolkit like this, make sure *all* the disks are write-protected!
Tech support types are likely to find that an assortment of bootable disks including various versions of DOS comes in useful on occasion.
If you have one or two non-Microsoft DOS versions (DR-DOS/Novell DOS or PC-DOS), they can be a useful addition. DoubleSpaced or similar drives will need DOS 6.x; Stacked drives will need appropriate drivers loaded.


My understanding of the copyright position is that Microsoft does not encourage you to *distribute* bootable disks (even if they contain only enough files to minimally boot the system) *unless* the target system is loaded with the same version of MS-DOS as the boot floppy.

Support engineers will need to ensure that they are legally entitled to all DOS versions for which they have bootable disks.


What are rescue disks?

Many antivirus and disk repair utilities can make up a (usually bootable) rescue disk for a specific system. This needs a certain amount of care and maintenance, especially if you make up more than one of these for a single PC with more than one utility. Make sure you update *all* your rescue disks when you make a significant change, and that you understand what a rescue disk does and how it does it before you try to use it. Don't try to use a rescue disk made up on one PC on another PC, unless you're very sure of what you're doing: you may lose data.

Are there CMOS viruses?

Although a virus (e.g. antiCMOS) CAN write to (and corrupt) a PC's CMOS memory, it can NOT "hide" there. The CMOS memory used for system information (and backed up by battery power) is not "addressable," and requires Input/Output ("I/O") instructions to be usable.

Data stored there are not loaded from there and executed, so virus code written to CMOS memory would still need to infect an executable program in order to load and execute whatever it wrote.

A virus could use CMOS memory to store part of its code, and some tamper with the CMOS Setup's values. However, executable code stored there must first be moved to DOS memory in order to be executed. Therefore, a virus can NOT spread from, or be hidden in, CMOS memory.

++ There are also reports of a trojanized AMI BIOS - this is not a virus, but a 'joke' program which does not replicate. The malicious program is not on the disk, nor in CMOS, but was directly coded into the BIOS ROM chip on the system board by a rogue programmer at American Megatrends Inc., the manufacturers.

++ If the date is 13th of November, it stops the bootup process and plays 'Happy Birthday' through the PC speaker. In this case, the only cure is a new BIOS (or motherboard) - contact your dealer. The trojanized chip run was BIOS version M82C498 Evaluation BIOS vs. 1.55 of 04-04-93, according to Jimmy Kuo's "What is NOT a virus" paper.

++ From time to time there are reports from Mac users that the message 'welcome datacomp' appears in their documents without having been typed. This appears to be the result of using a trojanised 3rd-party Mac-compatible keyboard with this 'joke' hard-coded into the keyboard ROM. It's not a virus - it can't infect anything - and the only cure is to replace the keyboard.

How do I know I'm FTP-ing 'good' software?
Reputable sites like SimTel and Garbo check uploaded utilities for viruses before making them publicly available. However, it makes sense not to take anything for granted. I'm aware of at least one instance of a virus-infected file being found on a SimTel mirror: you can't scan a newly-uploaded file for a virus your scanner doesn't know about. Good A/V packages include self-checking code, though it's unsafe to depend even on this 100%. Be paranoid: you know it makes sense....
In general, don't run *anything* downloaded from the Internet, BBSs etc. until it's been checked with at least one reputable and up-to-date antivirus scanner.

What is 386SPART.PAR?

People are sometimes alarmed at finding they have a hidden file with this name. It is, in fact, created by Windows 3.x when you configure it to use a permanent swap file (a way of allowing Windows to work as if you had more memory than you really do). On no account should you delete it, as it will upset your configuration. If you wish to remove it or adjust the size, do so via the 386 Enhanced setting in Control Panel. However, a permanent swap file usually improves performance on a machine with relatively little memory.
The file is not executable as such, and reports of virus infection are usually false positives.

+++Can I get a virus to test my antivirus package with?
Well, I won't send you one... Most packages have some means of allowing you to trigger a test alert. There is a standard EICAR test file which is recognized by some packages.
George Wenzel recently reported that recent versions of the following should recognise it. Well done George for promoting the EICAR file among vendors who hadn't been taking notice!

"AVAST!
AVP
AVScan
Dr. Solomon's
Dr. Web
F-Prot
McAfee
Norton
Norman
Sophos Sweep
ThunderByte

Virus ALERT!
VET will be adding detection in November.
ViruSafe will be adding detection in their next version. Don't know about Virus Buster yet, though.. "

To make use of the EICAR test string, type or copy/paste the following text, on its own as a single line, into a file called EICAR.COM, or TEST.COM or whatever. Use a plain text editor: the string must be the very first thing in the file, with nothing but trailing whitespace after it, or a scanner is under no obligation to recognise it.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Running the file displays the text "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!". Scanning the file with one of the components of these packages should trigger an alert.
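The most common reason an EICAR file is "not detected" is that the file on disk isn't quite the 68 bytes above: an editor added a byte-order mark, converted the quotes, wrapped the line, or saved it in a non-ASCII encoding. As an added example (not part of the original FAQ), here is a small Python script that builds the file from the string, checks a file's bytes against EICAR's published rules (the string is the first 68 bytes, anything after it is whitespace only, 128 bytes at most), and reports the hashes you can match against a scanner's quarantine log. The reference hashes are those of the exact 68-byte file; the output file name is our choice.

```python
"""Build and validate an EICAR test file (added example, not from the FAQ)."""
import hashlib
import os
import sys

# The 68-character test string as printed in the FAQ. Raw string: it contains a backslash.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_BYTES = EICAR.encode("ascii")

# Reference hashes of the exact 68-byte file (handy for matching a scanner's log entry).
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# What EICAR allows after the string: whitespace only, to a total file size of 128 bytes.
TRAILING_OK = b" \t\r\n\x1a"
MAX_LEN = 128


def validate_eicar(data: bytes) -> list:
    """Return the reasons why a scanner would NOT be obliged to flag `data` as EICAR.

    An empty list means the bytes meet the EICAR rules: the string is the first
    68 bytes, only whitespace follows it, and the file is at most 128 bytes.
    """
    problems = []
    if not data.startswith(EICAR_BYTES):
        problems.append("the string is not the first 68 bytes (editor added a BOM, "
                        "changed quotes, or wrapped the line?)")
    elif data[len(EICAR_BYTES):].strip(TRAILING_OK):
        problems.append("non-whitespace bytes follow the string")
    if len(data) > MAX_LEN:
        problems.append(f"file is {len(data)} bytes; EICAR allows at most {MAX_LEN}")
    return problems


def hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of the bytes, as most scanners report them."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def write_eicar(path: str) -> int:
    """Write the exact 68 bytes (binary mode, so no newline translation); return the size."""
    with open(path, "wb") as f:
        f.write(EICAR_BYTES)
    return os.path.getsize(path)


if __name__ == "__main__":
    # File name is an assumption; pass another as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "EICAR.COM"
    size = write_eicar(path)
    with open(path, "rb") as f:
        data = f.read()
    print(f"{path}: {size} bytes, problems: {validate_eicar(data) or 'none'}")
    print(hashes(data))
```

Run it once with a resident scanner active and once with it disabled: if the scanner is doing its job the file is quarantined before the script can read it back, and the logged hash should match the MD5 or SHA-256 above. A file that validates cleanly but is not flagged is a real finding about the scanner (or its configuration for that file type), not about your typing.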



The EICAR file isn't an indication of a scanner's -efficiency- at detecting viruses, since (1) it isn't a virus and (2) detecting a single virus or non-virus isn't a useful test of the number of viruses detected. It's a (limited) check on whether the program is installed, but I'm not sure it's a measure of whether it's installed correctly. For instance, the fact that a scanner reports correctly that a file called EICAR.COM contains the EICAR string, doesn't tell you whether it will detect macro viruses, for example. In fact, if I wanted to be really picky, I'd have to say that it doesn't actually tell you anything except that the scanner detects the EICAR string in files with a particular extension. B-)

[I have Chengi Jimmy Kuo's permission to reproduce the following, a propos of the preceding paragraph]:


"The purpose of the EICAR test file is for the user to test all the bells and whistles associated with detecting a virus. And, if given that one platform detects it, is everything else working? It is to enable such things as:

Surprise MIS testing of AV security placements.

The file serves no purpose in testing whether one product is better than another. Previously, every product had to supply its own test methods. This allows for an independent standard."

There have been long threads recently on whether the Rosenthal Simulator is useful for this sort of job. This will be considered at length here when I have the time to look at it in more detail, but it should be noted that many anti-virus researchers have expressed considerable scepticism. Certainly, having looked at an earlier incarnation, I see no urgent need to research this further.


When I do DIR | MORE I see a couple of files with funny names...

Actually, this is in the Virus-L FAQ. Read that and post the question to comp.virus or alt.comp.virus if you're still worried. Basically, the answer is that MORE creates a couple of temporary files, being considerably less efficient than the Unix utility it attempts to emulate. Most versions of DOS since the Middle Ages support the syntax DIR /P, which does the same job less messily. In fact, if you have a version of DOS later than 5, you might consider incorporating it into the environment variable DIRCMD, so that it becomes your default on directory listings which exceed 1 screenful. Of course, other utilities such as ATTRIB can also be filtered through MORE like this, which may result in similar symptoms.

Reasons NOT to use FDISK /MBR

See Section 12 in part 2 of this FAQ for further information about FDISK with the undocumented /MBR switch. However, people with virus problems are frequently advised, out of ignorance or maliciousness, to use this switch in circumstances where it can lead to an inability to access your disk drive and possible loss of data (not to mention hair and sanity).

Essentially, you should avoid using FDISK /MBR unless you have it on good authority that it's safe and necessary to do so. What the switch does is rewrite the boot code in the first 446 bytes of the MBR sector and leave the partition table that follows it alone: that is fine when the table really is there and intact, and disastrous when it isn't. In most circumstances, it's safer to clean a partition sector with a good anti-virus program.

You should avoid FDISK /MBR at all costs under the following circumstances:
1. Under an infection by a virus that doesn't preserve the Partition Table in the MBR sector, e.g. Monkey (reported at 7.2% of the infections reported to _Virus Bulletin_ for December '95, the last report for which I have data). The virus code you overwrite was the only thing that knew where the real table was.
2. Under an infection by a virus that encrypts data on the hard drive and keeps the key in the MBR, e.g. One_half (reported at 0.8% worldwide). Overwriting the MBR code throws away the key along with the virus.
3. When security software, e.g. PC-DACS, is in use (such products may depend on their own MBR code).
4. When a driver like Disk Manager or EZ-Drive is installed (these overlay drivers load from the MBR code area).
5. When a controller that stores its own data in (0,0,1), i.e. cylinder 0, head 0, sector 1, the MBR sector, is in use.
6. When more than one boot sector infector (BSI) is active, in some conditions.
7. When a data diddler is active, e.g. Ripper (accountable for 3.8% of the infections reported in the study cited above). N.B.: this case won't be fixed by AV utilities either, but at least you will know why there are problems with the drive.
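To make the first case concrete, here is an added Python model (not from the FAQ, and not a disk tool: it only manipulates a 512-byte sector in memory) of what FDISK /MBR does to the master boot record, applied first to a clean sector and then to one infected by a Monkey-style virus that keeps the partition table out of sector (0,0,1). It also shows the one pre-flight check you can make from the sector itself: whether a sane partition table is actually present. The check cannot see cases 2 to 5 above, which leave a normal-looking table, so it is a necessary condition, not a sufficient one. The layout constants (446 bytes of code, four 16-byte entries, the 55AA signature) are the standard MBR layout; the boot code bytes and partition values are made up for the demonstration.

```python
"""Model of what FDISK /MBR does to the MBR sector (added example, not from the FAQ)."""
import struct

SECTOR = 512
CODE_LEN = 446            # boot code area: the part FDISK /MBR rewrites
TABLE_OFF = 446           # four 16-byte partition entries follow the code
ENTRY_LEN = 16
SIG_OFF = 510
SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def make_entry(active: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields are left zero: this model follows the LBA fields only.
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)


def make_mbr(code: bytes, entries: list) -> bytes:
    """Assemble a sector: code, padded to 446 bytes, then the table, then 55AA."""
    if len(code) > CODE_LEN or len(entries) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(entries).ljust(4 * ENTRY_LEN, b"\0")
    return code.ljust(CODE_LEN, b"\0") + table + SIGNATURE


def partitions(mbr: bytes) -> list:
    """Decode the four entries; entries with type 0 are unused and skipped."""
    found = []
    for i in range(4):
        off = TABLE_OFF + i * ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_LEN])
        if ptype:
            found.append({"index": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return found


def fdisk_mbr(mbr: bytes, standard_code: bytes) -> bytes:
    """What FDISK /MBR does: fresh boot code in the first 446 bytes, bytes 446-511 untouched."""
    return standard_code.ljust(CODE_LEN, b"\0") + mbr[TABLE_OFF:SECTOR]


def monkey_style_infect(mbr: bytes, virus_code: bytes) -> tuple:
    """A boot-sector infector that does NOT keep the table in (0,0,1): the original
    sector is stashed somewhere of the virus's choosing and put back by the virus
    code at boot time. Modelled here as (infected sector, stashed original)."""
    infected = virus_code.ljust(CODE_LEN, b"\0") + bytes(4 * ENTRY_LEN) + SIGNATURE
    return infected, mbr


def safe_to_rewrite_boot_code(mbr: bytes) -> tuple:
    """Minimal pre-flight check: is there a sane table for FDISK /MBR to preserve?
    Catches the Monkey case; cannot see encryption keys, DACS code or overlay drivers."""
    if len(mbr) != SECTOR or mbr[SIG_OFF:] != SIGNATURE:
        return False, "no 55AA signature: not a standard MBR, do not touch"
    parts = partitions(mbr)
    if not parts:
        return False, "partition table empty: the real table lives elsewhere (or is gone)"
    if any(p["sectors"] == 0 for p in parts):
        return False, "zero-length partition: table looks damaged"
    return True, "table intact; rewriting the code area alone preserves it"


if __name__ == "__main__":
    # Made-up values: one active FAT16 partition starting at LBA 63.
    clean = make_mbr(b"\xeb\xfe", [make_entry(True, 0x06, 63, 1_000_000)])
    infected, stash = monkey_style_infect(clean, b"\xb8\x00\x00")
    print("clean after FDISK /MBR:   ", partitions(fdisk_mbr(clean, b"\x33\xc0")))
    print("infected, pre-flight:     ", safe_to_rewrite_boot_code(infected))
    print("infected after FDISK /MBR:", partitions(fdisk_mbr(infected, b"\x33\xc0")))
    print("what the virus had stashed:", partitions(stash))
```

The last two lines of output are the whole story: after FDISK /MBR the sector holds standard boot code and an empty table, while the real table sits in the virus's stash with nothing left that knows how to find it. A proper anti-virus disinfector puts the stashed sector back; FDISK /MBR just discards the map.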


Why do people write/spread viruses?

From postings which have appeared in alt.comp.virus in the past:

How seriously you take some of these assertions is up to you.

Where can I get an anti-virus policy?

There is some relevant material in the Virus-L FAQ document, but you'll need to do most of the work specific to your own environment. It's worth doing some general reading on security policy and getting the distinctions straight between policies, strategies, standards, procedures and protocols. I'm working on this in other contexts: some of that material may eventually seep back into here.

The NCSA have a Corporate Virus Prevention Policy disk/document which can be ordered via their web page (www.ncsa.com) for around $20, or downloaded from Compuserve.

In the UK, the British Standards Institution have a Code of Practice for Information Security Management which includes virus-management (BS7799). [It's not necessarily well-regarded by practitioners, though.]

BSI, 389 Chiswick High Road, London W4 4AL
DTI (Dept. of Trade & Industry), IT Security Policy Unit, 151 Buckingham Palace Road, London SW1W 9SS

The last time I looked at the S&S International web page (www.drsolomon.com) they had a paper on Guidelines for an Anti-Virus Policy by David Emm which is a reasonable starting point, though a comprehensive virus management policy is no small undertaking.

Are there virus damage statistics?

Some, possibly even less reliable than the average survey on general security breaches. Why?

Many reported virus incidents aren't, in fact, virus incidents, as many a PC support specialist will confirm. There is a tendency to attribute any PC anomaly to a virus, among those who are not well acquainted with the virus arena. Unfortunately, this includes virtually the entire press corps and many security consultants. Also, some widely-used packages are noticeably prone to false alarms.

Many actual virus incidents and other security breaches are not reported, due to the intervention of top management or Public Relations, out of fear of losing competitive advantage because of being perceived as badly-managed and insecure.

Many other virus incidents and security breaches aren't reported because they're simply not recognised as such, or at all.

There are no standards for reporting and assessing damage from viruses and other security breaches. Take the case of Christopher Pile (the Black Baron), who was convicted in the UK under the Computer Misuse Act: I have seen estimates in the UK press of the damage sustained by the company most affected by the viruses Pile spread ranging from £40,000 to £500,000, and this is an unusually well-documented incident. How can the average survey respondent be expected to make an accurate assessment?

The trouble is, there's a lot more to 'damage' than the figures estimated for a particular outbreak.

Cost of maintaining virus protection:
* Training and maintaining a response team
* Management costs
* Cost of software licences
* Cost in time/productivity/money of maintaining upgrades etc.
* Formulating and enforcing policy
* Educating users in the issues and good hygienic practice
* Cost in time of routine anti-virus measures
* Cost in money and time of servicing false alarms
* Cost of sheepdip systems
* Cost of having part-time A/V people taking time off from their 'real' jobs, or alternatively the cost of having full-time A/V personnel
* Cost of tracking the product market and technological changes
* Formulating and enforcing a backup policy
* Development of protective systems
* Resource utilisation by undetected viruses

Cost of specific outbreaks:
* Loss of productivity
* Workstation/server downtime
* Damage to reputation of the organisation
* Damage to involved personnel
* Psychological damage: witch hunts
* Damage limitation
* Time spent cleaning up, examining floppies etc.
* Restoration of backups/reinstallation
* Replacing unrecoverable data
* Time and money spent increasing virus protection...
However, the Poor Bloody Infantry often have to spend time and effort persuading the Generals of the need to expend money on ammunition.

You might care to check out:
* The Information Security Breaches Survey 1996 [UK] (National Computing Centre, ICL, ITSEC, Dept. of Trade & Industry). NCC, Oxford House, Oxford Road, Manchester M1 7ED; (voice) +44(0) 161 228 6333, (fax) +44(0) 161 242 2171; enquiries@ncc.co.uk; http://www.ncc.co.uk/ . This came up with the highly suspect but much quoted average of about £4000 per virus incident.

* Computer Virus & Security Survey 1995 [Ireland] (Price Waterhouse, Priority Data Systems). Price Waterhouse, Wilton Place, Dublin 2; (353 1) 6606700.

* The NCSA virus survey (ftp://isrecon.ncsa.com/ncsavsrv.zip), which is free, and the different but related virus study, which costs $95: http://www.ncsa.com/

++ What is NCSA Approval?
[NCSA has a certification program for PC virus scanners which offers a measure of the detection capabilities of specific version numbers. In the past, NCSA's modus operandi was the subject of much scepticism within the antivirus community, but the current procedures are much improved. The text that follows is a very lightly edited version of mail I received from an analyst at NCSA, so it's not altogether impartial, but is nevertheless a fair summary of their activities [but not quite accurate]. By the way, NCSA has a somewhat similar program for firewalls, too (which is also somewhat controversial). I'm leaving this in pending an opportunity to edit it more thoroughly, but I must advise against giving NCSA certification quite as much weight as some vendors would like. - DH]

For a list of scanners that have received the "NCSA Approved" rating of the National Computer Security Association in the U.S.A. see http://www.ncsa.com/avpdcert.html
The page also explains the certification procedure.

The National Computer Security Association in Carlisle, Pennsylvania, U.S.A., sponsors an Anti-Virus Product Developers consortium. The NCSA and consortium members have created standards for anti-virus products and the NCSA Anti-virus lab in Carlisle tests new versions of scanners that are submitted to it and issues an "NCSA Approved" seal for those products which pass the test.

++ To pass, a scanner must detect all viruses (more than 400) on the "Wild List" kept by Joe Wells of IBM
[Actually, this isn't the case: detection of all viruses on -both- parts of the Wild List isn't required for certification, as the information on NCSA's website makes clear. In fact, it looks as if the implementation of NCSA certification has somewhat slipped from its promising inception. I'll be returning to this issue and other schemes (VSUM, Secure Computing) when time allows. There are one or two other points in this item which I didn't check because of their source: checking is now a priority. - DH] and 90 percent of the viruses in a suite of about 11,000 kept by NCSA (these represent not only viruses, but variations created by polymorphic viruses as well.)

++[The exact make-up of that test suite is one of the things I'd like to check - DH]
For more information about the NCSA or for links to the members of the AVPD consortium:
http://www.ncsa.com/

NCSA also maintains an Anti-Virus Vendor's Forum on CompuServe (GO NCSA) with message sections and libraries devoted to anti-virus products and issues.
NCSA is a provider of security, reliability, and ethics information and services. NCSA provides information security: training, testing, research, product certification, underground reconnaissance, help-desk and consulting services. NCSA delivers information through publications, conferences, forums, and seminars -- in both traditional and electronic formats. NCSA also hosts private on-line training and seminars on CompuServe in addition to public forums and libraries and which address hundreds of information and communications security issues. NCSA's InfoSecurity Resource Catalog provides one-stop-shopping for books, guides, training and tools.

++ [I should observe here that I've received material from NCSA in the past which advertises a book I would personally avoid recommending on grounds of ethics -and- accuracy. As there was some fuss about this, I don't suppose it's in their catalogue any longer, but this is another point I'd quite like to check. - DH]

NCSA AVPD Members (July, 1996)
Members of the NCSA Anti-Virus Product Developers consortium.

-- Best, S.A., Miami, FL (call 305-470-9051)
-- Cheyenne Software, Roslyn Heights, NY, U.S.A.
-- Command Software Systems Inc, Jupiter, FL, U.S.A.
-- Cybec, New South Wales, Australia
-- EliaShim, Pembroke Pines, FL, U.S.A.
-- IBM, Sterling Forest, NY, U.S.A.
-- INTEL, American Fork, UT, U.S.A.
-- IRIS Software & Computers, River Edge, NJ, U.S.A.
-- Jade Corp Ltd, Shizuoka City, Japan
-- McAfee Associates, Santa Clara, CA, U.S.A.
-- Norman Data Defense Systems Inc, Fairfax, VA, U.S.A.
-- ON Technology, Morrisville, NC, U.S.A.
-- Pioneer Micro Systems, India
-- Quantum Leap Innovations, Briarcliff Manor, NY, U.S.A.
-- Stiller Research Inc., Colorado Springs, CO, U.S.A.
-- S&S International, Burlington, MA, U.S.A.
-- Symantec, Santa Monica, CA, U.S.A.
-- ThunderByte, Massena, NY, U.S.A.
-- Trend Micro Inc, Los Alamitos, CA, U.S.A.

+++ What language should I write a virus in?

Choose your own squelch:
* ANSI COBOL
* LOGO
* Karel the Robot
* PL/I
* dBase II
* Get a life

* Or my personal favourite (thanks, Bruce!)
"Hey, man; where can I get a copy of Visual English to write some hot new virii?!?"

If you need to ask this question, you'd be better off collecting tazos than trying to write viruses.

No, seriously, what language are they written in?

The simple answer is "Assembler, mostly (on the PC)". High-level languages such as C and Pascal are sometimes used, as are various flavours of command shells on various systems (Unix shell scripts, DCL scripts etc.). Macro viruses are written in macro languages, surprisingly....... B-)

+++[DRD], Doren Rosenthal, the Universe and Everything

Doren Rosenthal offers a shareware utilities suite including a virus simulator. Many of the AV pros in this group have a low opinion of the Rosenthal utilities, and regard their author as more of a virus writer than an anti-virus researcher, and are annoyed by his habit of offering his utilities as a solution for problems to which their relevance is not always obvious. As discussions on Rosenthal-related topics sometimes generate much heat and bandwidth, some people have taken to adding [DRD] to the subject header when posting to these threads, to make it easier to avoid them.

++What are CARO and EICAR?

CARO - Computer Anti-Virus Researchers Organisation. Invitation-only group of techie researchers, mostly representing AV vendors. CARO approves 'standard' names for viruses. Some people tend to mistrust the fact that CARO members often share virus samples: however, CARO membership is a convenient yardstick by which other members can judge whether an individual can be trusted with samples. In general, users at large benefit: this way, AV vendors with CARO members can include most known viruses in their definitions databases.

EICAR - European Institute for Computer AntiVirus Research. Membership comprises academic, commercial, media, governmental organisations etc, with experts in security, law etc., combining in the pursuit of the control of the spread of malicious software and computer misuse.
Membership is more open, but members are expected to subscribe to a code of conduct. And yes, this is the origin of the EICAR test file.


Placeholders
Errrr... gone. I don't have much time to polish the FAQ at present, and leaving placeholders implied there was a likelihood of my addressing those issues in the near future. If you have suggestions for further items, I'd be glad to see them, especially if you care to do the writing. I can't guarantee a quick response, though.


End of a.c.v. FAQ Part 4 of 4

