echo: virus_info
to: KEITH PEER
from: DMITRY MOSTOVOY
date: 1997-01-03 21:47:00
subject: Re: here again!

           Hi Keith!
03 Jan 97, letter Keith Peer to Dmitry Mostovoy:
 KP> Response time is relative. I know for a fact Eugene (AVP) and I am
 KP> sure Igor (DrWeb) as well can provide same day or within 24 hours
 KP> service there in Russia.
    There is no problem analyzing a virus and building a new anti-virus
database. The problem is to organize good support to obtain new viruses in
a short time. Here in Russia and in the ex-USSR DrWeb has the best support.
So, it is more reliable here in Russia.
 KP> significant but not important.  Many products today are
 KP> multi-national in that the developers have international offices or
 KP> international distributors that feed the virus database world wide.
    International distributors can't solve the problem of local viruses. If a
virus is written in your region, in some school or college, the main problem
is to obtain an infected example in a short time. Of course, after a month or
later this virus will be distributed between all scanner developers, but the
most important thing is to be first in the region where it was written.
 KP> Using products that are regional today can needlessly expose the user
 KP> to the possibility of obtaining virus infection. Sadly, the internet
 KP> has increased the availability of a vast more number of viruses than
 KP> ever before.  Regional outbreaks still do happen but the frequency of
 KP> these regional attacks has increased. We see many viruses that are
 KP> not on any "In the wild" lists in these "regional" outbreaks.
    You repeated my words :-).
 KP> This is why products like AVP, F-Prot, Dr Solomon's have vast
 KP> databases. You cannot predict the exact virus that will infect a
 KP> users computer. It may be harmless, or it may not be.
    The big database is one of the popular self-deceptions. The choice of the
scanner depends on its support! Not on the extensive number of dead bodies
:-) of viruses! The scanner developer should spend money to organize a
system for receiving new viruses. Here in Russia such a system was developed
by DialogueScience, Inc. and it really works. So, here in Russia and the ex-USSR
DrWeb, supported by DialogueScience, is more reliable. In other regions, where
the same structures were built by other companies, other scanners are more
reliable.
 DM>> The second defence line is integrity checkers. They should be used
 DM>> at the every computer to be sure that there is no viruses in the
 DM>> system.
 KP> Integrity checkers are a third level of defense but should be used
 KP> with a quality antivirus scanner and resident protection on every
 KP> computer.  The problem with Integrity checkers is that they cannot
 KP> tell a user that a program is infected with one of the 10,000 or so
 KP> known different viruses or not. They only detect a change whether that
 KP> change is a virus or not the integrity checker cannot determine.
    Of course, it is very interesting to know the name given by the scanner
developer to the particular virus :-). But if the program can detect
anonymous changes and restore information (i.e. remove the virus) without naming
it, it solves the problem, does it not? Integrity checkers can do it! Even for
unknown viruses!
 KP> We have seen a few large installations of integrity checks here in
 KP> the US and all were removed and replaced with antivirus scanners and
 KP> TSR's.  Why?  In all cases over 70% of the time the end user ignored
 KP> the warning because without expert knowledge the end user could not
 KP> determine if the warning was a virus infection or not. The integrity
 KP> checker only gave a warning not a specific message.
    I do not know any good integrity checker developed in the US. Here in
Russia our ADinf is a VERY popular anti-virus tool. And it is very popular in
big corporations. It can prevent the spreading of new viruses between computers of
big companies, localize an infection at the first infected computer and give an
example of the new virus to scanner developers or immediately remove the virus by
the curing companion of the integrity checker. It has special modes for end users
who do not know anything about computers. It can, for example, if it finds
some suspicious virus-like changes, stop the loading of the computer and ask the end
user to call the system administrator for help.
 KP> Integrity antivirus products *can be* a powerful tool but require
 KP> expert knowledge to be used effectively.
    It is a second popular self-deception. Our experience of sales and
support shows that a good integrity checker can be used by tens of thousands of
end users.
 KP>  They also, require the end
 KP> user to keep his programs fairly static in that he cannot constantly
 KP> add or change software. If the end user did his integrity databases
 KP> would be constantly changing thus weakening the generic detection of
 KP> the Integrity checker. Keeping an integrity database current can be an
 KP> excessive task for an end user.
    Why do you say it?! You have seen ADinf. It keeps integrity databases
up-to-date automatically!
 DM>> The 3-rd class is resident monitors. They were not very popular
 DM>> under DOS and Windows 3.xx environment. But under Win 95, written as
 KP> Active protection is the most powerful line of defense and is the
 KP> secondary line of defense for PC's. The reasoning is simple. Given
 KP> the fact the resident protection can prevent infections and acts in
 KP> almost real time with the end user, viruses are caught prior
 KP> infecting a computer.
    They would be the best anti-virus programs, BUT!!! Unfortunately, they can't
provide the needed reliability. Resident monitors with virus databases have the
same restrictions as scanners, and behavior monitors are too importunate and
can be deceived by viruses with no problems.
    And from the other point of view. There is no need to check the system
permanently. One needs to check incoming files with scanners and to verify the
system with integrity checkers once per day or after working with new
software. For example, if one uses only one program on the computer and does not
exchange files, one does not need to check the program at every execution!
Viruses cannot be born by themselves in a clean system :-). And resident monitors
use the resources of the computer and decrease its performance for other tasks
permanently. Resident monitors are to be used from time to time, for example
when one has downloaded new software from a BBS or the Internet, checked it with
scanners and wants to execute it for the first time. And after the first start
the system should be checked by an integrity checker.
    I have said it and repeat once more. There is no one program or class of
programs which can be an anti-virus panacea. Only a combined use of two or more
scanners, an integrity checker and maybe a resident monitor may provide some
level of reliability.
                                With best regards,
                                    Dmitry Mostovoy
--- GoldED 2.50+
---------------
* Origin: DialogueScience, Moscow; E-mail: dmost@dials.ru (2:5020/69.4)

SOURCE: echomail via exec-pc
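
An added example, not part of the original message and not ADinf's code: a minimal integrity checker illustrating the two points argued in the thread, that a change can be caught without naming the virus and that the database can refresh itself for routine changes. The extension list, the "suspicious" rule and the file names are assumptions made for this illustration.

```python
import hashlib, os, tempfile

EXEC_EXT = {".com", ".exe", ".sys"}  # assumed list of executable file types

def snapshot(root):
    """Map relative path -> (size, mtime, sha256) for every file under root."""
    db = {}
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            st = os.stat(p)
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            db[os.path.relpath(p, root)] = (st.st_size, int(st.st_mtime), digest)
    return db

def check(baseline, current):
    """Return (suspicious, routine); the baseline is refreshed for routine changes only."""
    suspicious, routine = [], []
    for path, now in current.items():
        old = baseline.get(path)
        if old == now:
            continue
        changed = old is not None and old[2] != now[2]
        is_exec = os.path.splitext(path)[1].lower() in EXEC_EXT
        stealthy = changed and old[:2] == now[:2]   # content differs, size/mtime do not
        if changed and (is_exec or stealthy):
            suspicious.append(path)                 # old record kept as evidence
        else:
            routine.append(path)
            baseline[path] = now                    # automatic database update
    for path in set(baseline) - set(current):       # deleted files
        routine.append(path)
        del baseline[path]
    return sorted(suspicious), sorted(routine)

def demo():
    """Constructed sample: a data file is edited and an executable grows."""
    with tempfile.TemporaryDirectory() as root:
        exe, doc = os.path.join(root, "EDIT.COM"), os.path.join(root, "NOTES.TXT")
        for p, data in ((exe, b"A" * 64), (doc, b"hello")):
            with open(p, "wb") as f:
                f.write(data)
        baseline = snapshot(root)
        with open(doc, "ab") as f:
            f.write(b" world")
        with open(exe, "ab") as f:
            f.write(b"B" * 32)                      # stand-in for appended foreign bytes
        first = check(baseline, snapshot(root))
        second = check(baseline, snapshot(root))    # doc accepted, exe still flagged
        return first, second
```

The executable stays flagged on every run until someone restores or approves it, while the edited text file is absorbed into the database after the first check.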
