FUNGEN8.CVP 911115 File checking - part 2 Historically, it is interesting to note that, initially, operation monitoring and restricting software was the preferred means of antiviral protection. Subsequently signature scanning software became more prevalent, and currently holds dominance in terms of number of programs in use. Change detection software, however, has recently become very popular and, from my reviews of software, at least, now leads in terms of number of different programs implementing the technique. The most basic type of change detection program could simply automate the process of manual file checking outlined in the previous column. However, this would not catch "overwriting" viri, as long as they did not change the file date. Therefore, most change detection software performs some type of "image checking" as well. "Image", "numerical" or "statistical" file checking is based on calculations performed on the data making up the file. At its most rudimentary, this is based on the "checksum". As the name suggests, this is nothing more than a check of the "summing" of all data in the file, or sometimes the modulus of that sum. More complex is the CRC or "cyclic redundancy check", which performs more complex calculations on matrices of the data. (This is done in a fashion similar to the Hamming encoding used for error detection and correction.) It would be fairly simple for an overwriting virus to calculate the checksum for a given file, and then to modify the code of the infected file in such a way that the checksum would still match. This is the reason for some of the more complex calculations which are implemented. While the initial checking of files is fairly standard, there are a wide variety of implementations for the subsequent checking of files. The original information must, of course, be stored somewhere. Some programs create a single file for this, others attach the information to the program to be protected. Each means has advantages and disadvantages. A single file means a single entity which virus authors may find out about and "target". Attaching of data to programs which may be altered means that the calculated codes may be altered or erased as well. Sometimes small modules of code are attached to the programs in order to allow the programs to check themselves. Unfortunately, adding such modules to programs which already check themselves for changes may prevent the programs from running. (Norton AntiVirus stores the information in a number of hidden, 77 byte files, with names similar to that of the protected file. This caused a number of users to suspect that the results of Norton's protection were actually the results of a virus. One fairly unique ploy is used by "Victor Charlie", which, in its earliest incarnation, simply offered itself as "bait" to viral programs -- and then checked itself.) copyright Robert M. Slade, 1991 FUNGEN8.CVP 911115