|
|
| Previous | Table of Contents | Next |
Most integrity checkers retain the following information from program files:
This information then can be used to verify the integrity of an executable file. Because most viruses must modify the code at a program’s entry point, or update the entry point, to infect, an integrity checker can quickly detect over 98 percent of the file viruses by retrieving the first few instructions from the program’s entry point and comparing these instructions to those that are saved in the database.
If the instructions in the file differ from those in the database, the user has upgraded their program file without informing the integrity checker or a virus has infected the file. The integrity checker also can determine whether the size of the potentially infected file has increased. An increase in size coupled with a change in the entry point machine code strongly indicates a file virus. These same changes could be attributed to installing a new version of the software, however; frequently, the user must make this determination, because the integrity checker can’t know whether the user intentionally caused this change.
This is considered a flaw with integrity checking because many users might not be able to make this determination on their own.The user’s MIS department could have changed the programs without their knowledge or they may have inadvertently copied one file over another.
In any case, if a change is detected and the user suspects it is due to viral activity, the integrity checker can attempt to repair the infected file using the information stored in its database. This is quite a simple task for the integrity checker given the nature of most virus infections.
First, the checker backs up the potentially infected program, so if it fails to repair the program properly, the user can try an alternative method of repair.
In the case of EXE and SYS files, the integrity checker replaces the header of the infected EXE or SYS program with an original copy of the program’s header that was stored in the database. Viruses that infect these files ordinarily change the header’s entry point value to point to an appended copy of the virus. By replacing the modified header with the original, the virus can never be executed. Finally, the integrity checker truncates the file to its original length, cutting off the virus code that was appended to the end of the file.
COM files that are infected with an appended virus typically have a jump machine language instruction at the top of the infected program that transfers control to the virus body at the end of the file. To repair this type of infection, the integrity checker overwrites the machine language instructions at the entry point of the infected program with the original instructions that are stored in the database. This overwrites the jump instruction that the virus placed at the top of the program. The integrity checker then truncates the file to its original length, cutting off the virus code from the end of the file.
Similar repairs can be successfully performed for the other major types of viral infection. Once a repair has been completed, the integrity checker can compute the CRC of the repaired program and compare this to the CRC of the original program. If the results match, the program probably has been properly repaired. If the two values don’t match, then the user knows that the repair was unsuccessful and can attempt to deal with this potential infection in another way.
Integrity checking is a powerful form of virus protection. It can detect well over 98 percent of all file and boot record viruses. Even the most complex polymorphic viruses don’t pose a problem because integrity checking detects the virus based on changes to executable programs and boot records; even polymorphic viruses must infect target files by changing the executable file in some way, allowing them to be detected. Integrity checkers also can detect new and unknown viruses that normally would go undetected by virus scanner programs. Finally, current integrity checkers also can repair close to 98 percent of infected programs with the saved information in the database. This figure is significantly higher than that which the repair component of a standard virus scanner achieves.
The integrity checker also has a number of disadvantages. It may not be able to detect read-stealth viruses while these viruses are resident in memory. Just like the virus scanner, if the read-stealth virus hides its changes to executable files or boot records when they are accessed, the integrity checker retrieves disinfected versions of every infected file and boot record, and won’t be able to detect any infection.
Just like the virus scanner, the integrity checker can inadvertently spread fast viruses while scanning for changed programs. Once again, memory scanning must be performed to reduce the risk of this type of infection.
Some integrity checkers attempt to “tunnel under” any stealth or fast virus’ service provider to bypass the virus service provider and directly read files and boot records; this works sometimes, but can pose compatibility problems with certain hardware and software. Alternatively, the user can always run the integrity checker after booting from a write-protected, uninfected DOS disk. This bypasses any memory-resident viruses present on the computer.
Integrity checkers also cannot detect slow viruses. A typical slow virus might infect an executable file as it is copied to a new directory. The slow virus would leave the source file intact; however, it would infect the target file as it is written to disk. Because the target file was just created, it doesn’t reside in the integrity checker’s database.
Therefore, the user can’t use the integrity checker to detect the infection in the newly copied program file. Furthermore, if the user decides to “inoculate” this new program file, the integrity checker assumes the program is clean and will not remove the virus later. The virus effectively has a safe haven from where to infect other programs without being detected by the integrity checker.
Finally, companion viruses may also pose problems for integrity checkers. By definition, the companion virus doesn’t actually modify executable files to infect; therefore, the typical integrity checker misses this type of infection.
| Previous | Table of Contents | Next |