Hi Kurt!
14 Dec 96, letter from Kurt Wismer to Dmitry Mostovoy:
DM>> For example ADinf scans disks by direct call to BIOS entry
DM>> point
KW> i find this somewhat unlikely... int13 entry points in the bios are not
KW> constant for all bios (if they were, viruses would be having a field
KW> day)... now i suppose adinf could use tunneling to find the true int13
KW> entry points... but what's to stop a virus from blocking your tunnelling
KW> or from subverting your tunnelling? couldn't a kernel infector set up
KW> pmode type trapping to stop even port writes?... could a conventional
KW> virus patch the kernel in memory to achieve the same end?...
All your words are true, BUT!... Of course I know these problems and tried
to overcome them in ADinf. First of all, ADinf looks for the BIOS Int 13h entry
point only once - at the first start. Then it stores the address and uses the
stored one. As with all integrity checkers, it is assumed that the first start
is on a non-infected computer, to record the integrity information. So viruses
can't prevent ADinf from accessing the real BIOS entry point even if they are in
memory on subsequent starts. Moreover, while looking for the Int 13h BIOS
entry point at the first start, ADinf checks whether it is a real BIOS or not.
Now about prot. mode viruses and possible viruses in flash BIOS. Before
calling the saved Int 13h address, ADinf checks the CRC of the Int 13h handler at
that address. The CRC was saved together with the address at the first start. So,
if a virus changed the code in the hardware BIOS, ADinf will warn you about it.
KW> also, and i know this from experience, adinf (the version i tested,
KW> 10.02 i believe) can't use the secure mode you're talking about if your
KW> memory manager is using a stealth option (which my installation of qemm
KW> does)...
Yes, ADinf can't use direct BIOS access when QEMM works in stealth
mode. In that case ADinf works via the Int 13h chain. It is less reliable but can
find stealth viruses which use stealth methods at the level of Int 21h and
disk drivers. Of course BIOS access in ADinf is preferable because in that
mode ADinf can find all stealth viruses.
KW> perhaps, but your integrity files are open to attack if not stored on a
KW> floppy disk, and a new virus could certainly be made to block the
KW> loading of your program simply on the basis of its exe header...
The third time, YES! When any anti-virus program becomes popular, virus
writers begin to write viruses against it. ADinf is very popular in the
ex-USSR countries and many Russian viruses have tried to attack it. I did some
things to prevent it and now I do not know of any virus which successfully
attacks ADinf. But if one appears I'll do everything to prevent it. So, the
conclusions:
1. There is no panacea against viruses. No anti-virus program alone
can provide a successful defence.
2. If one uses any anti-virus program, the latest version should be
installed, because the developer of the program looks at the virus situation and
keeps the program up to date.
KW> by the way, does adinf detect companion infectors? i have a couple
KW> companion bodies on my computer but i've never seen adinf complain
KW> about them...
ADinf detects if new files were created, or some files were renamed or
moved to another directory. It can help to detect companion viruses. By the
way, does any other integrity checker look for deleted, moved and renamed
files?
DM>> Moreover! ADinf implements special algorithms which
DM>> compare information obtained by direct disk access sector-
DM>> by-sector through the BIOS and information obtained by DOS
DM>> functions. This comparison implemented in ADinf can find
DM>> any new active stealth virus. So the stealth mechanism helps to
DM>> find infectors! :-)
KW> that will catch ordinary stealth viruses, will that catch sector level
KW> stealth viruses?
ADinf can find even viruses with stealth methods at the HDD controller
level. One such virus is the known "Hmm..." which hides itself by changing
sectors in the IDE HD controller buffer. Special algorithms are
implemented in ADinf to find such infectors too.
KW> my, oh my... it's good to see an actual av developer in this area
KW> again...
:-)
KW> i hear bill lambdin was looking for anyone related to adinf to
KW> discuss a security concern a couple months ago... did he manage to
KW> get in touch with anyone and voice those concerns?
No. It seems to me that he could not find me or our company. The easiest
way to contact us is e-mail: antivir@dials.ru and our WWW site:
http://www.dials.ccas.ru.
KW> good product by the way... i'm amazed by the speed of the crc
KW> generation...
:-) Thank you for the kind words... Speed is achieved thanks to the HD head
movement optimisation. ADinf scans drives at the sector level, optimising the
head movement.
With best regards,
Dmitry Mostovoy
--- GoldED 2.50+
---------------
* Origin: DialogueScience, Inc.; E-mail: dmost@dials.ru (2:5020/69.4)
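The baseline-and-compare idea the message describes (record integrity data on a clean system at first start, then report what differs on later starts, including created, deleted, renamed and moved files, which is how a companion-virus body shows up) as an added example. This is illustrative code written for this page, not ADinf's own code: the CRC-32 from zlib, the (size, crc) signature and the `snapshot`/`compare` function names are assumptions, and the directory tree in `demo()` is constructed inline.

```python
"""Snapshot-and-compare integrity checker (added example, not ADinf's code).

Records a baseline of every file's size and CRC-32, then on a later run
reports files that were modified, created, deleted, or renamed/moved.
A rename or move is recognised when a path from the baseline disappears
and a new path appears with the same (size, crc) signature, so a
companion body dropped beside a host, or an original pushed aside, is
flagged even though no existing file content changed.
"""
import os
import tempfile
import zlib


def crc32_of(path):
    """CRC-32 of a file, read in chunks.  zlib's polynomial is an assumption;
    the page does not say which checksum ADinf stores."""
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def snapshot(root):
    """Map each file path (relative to root, '/'-separated) to (size, crc32)."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            table[rel] = (os.path.getsize(full), crc32_of(full))
    return table


def compare(baseline, current):
    """Diff two snapshots.  Returns sorted lists: modified, created, deleted,
    and moved as (old_path, new_path) pairs."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    gone = {p: baseline[p] for p in baseline if p not in current}
    new = {p: current[p] for p in current if p not in baseline}

    # Pair each vanished path with a new path carrying the identical signature;
    # that is a rename or move, not a delete plus a create.
    by_sig = {}
    for p, sig in new.items():
        by_sig.setdefault(sig, []).append(p)
    moved = []
    for old_path in sorted(gone):
        candidates = by_sig.get(gone[old_path])
        if candidates:                      # empty list is falsy: no match left
            new_path = candidates.pop(0)
            moved.append((old_path, new_path))
            del new[new_path]
    moved_from = {old for old, _new in moved}
    deleted = sorted(p for p in gone if p not in moved_from)
    return {"modified": modified, "created": sorted(new),
            "deleted": deleted, "moved": moved}


def demo():
    """Constructed scenario: baseline a small tree on a 'clean' system, then
    simulate a companion infector, an in-place infector and some housekeeping."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("DOS/COMMAND.COM", b"MZ original command interpreter")
        write("UTIL/EDIT.EXE", b"MZ editor")
        write("UTIL/README.TXT", b"docs")
        write("OLD/NOTES.TXT", b"notes")
        baseline = snapshot(root)            # taken on the non-infected system

        # Companion infector: drops EDIT.COM next to EDIT.EXE (DOS runs .COM first).
        write("UTIL/EDIT.COM", b"virus body")
        # Ordinary infector: rewrites COMMAND.COM in place.
        write("DOS/COMMAND.COM", b"MZ infected command interpreter")
        # Housekeeping: one file moved to another directory, one deleted.
        os.rename(os.path.join(root, "OLD", "NOTES.TXT"),
                  os.path.join(root, "UTIL", "NOTES.TXT"))
        os.remove(os.path.join(root, "UTIL", "README.TXT"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

This checker reads files through the operating system, so a resident stealth virus that intercepts Int 21h or disk-driver reads could feed it the clean image of an infected file; that is exactly the gap the message's direct BIOS Int 13h access (and the DOS-versus-BIOS sector comparison) is meant to close, and the reason the baseline must be taken on a known-clean system.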