Hello Dmitry:
KP>> This is why products like AVP, F-Prot, Dr Solomon's have vast
KP>> databases. You cannot predict the exact virus that will infect a
KP>> users computer. It may be harmless, or it may not be.
DM> The big database is one of the popular self-deceptions. The choice
DM> of the scanner depends on its support! Not on the extensive number
DM> of dead bodies :-) of viruses! The scanner developer should spend
DM> money to organize a system of receiving new viruses. Here in
DM> Russia such a system was developed by DialogueScience, Inc. and it
DM> really works. So, here in Russia and the ex-USSR DrWeb, supported by
DM> DialogueScience, is more reliable. In other regions, where the same
DM> structures were built by other companies, other scanners are more
DM> reliable.
Creating a structure to obtain virus samples is relatively simple.
All existing customers and non-customers can be directed to send
virus suspects to a particular e-mail address, postal address, BBS,
etc... The structure is the easiest part. Users can be trained to
send virus suspects that are flagged using the heuristic messages and
other indicators. Most antivirus companies have installed these
systems.
Maybe you are referring to your "Internet Service?" I have logged
on to the service but it makes no sense. Why would an end user upload a
file that he suspects is infected to the web server to have it virus
scanned? Why not just download a quality virus scanner and do it
locally and check for the additional 10,000 or so viruses as well?
Norman antivirus had a similar system to your idea some time ago.
Users could upload a suspected virus to their BBS and it would be
virus checked using scanner/heuristics. Needless to say it was not
very popular. The idea is logical but makes no practical sense.
DM> Of course, it is very interesting to know the name given by the scanner
DM> developer to the particular virus :-). But if the program can detect
DM> anonymous changes and restore information (i.e. remove the virus) without
DM> naming it, it solves the problem, doesn't it? Integrity checkers can do
DM> it! Even for unknown viruses!
Knowing the name of a virus can also lead to a virus description.
These descriptions can be very valuable to MIS departments and end
users.
It can be very valuable to know, for example, that some variants of the
"Stoned" virus move the Partition Sector to sector 0/0/7.
Especially, if someone did Fdisk/MBR. This can be invaluable data
when recovering from an infection. There are thousands of other
examples as well.
KP>> Integrity antivirus products *can be* a powerful tool but require
KP>> expert knowledge to be used effectively.
DM> It is the second popular self-deception. Our experience of sales and
DM> support shows that a good integrity checker can be used by tens of
DM> thousands of end users.
Not a deception... Logical. It is not practical to think that end
users will not use diskettes that have not been virus scanned. They will. By
introducing these foreign diskettes (possibly infected) to a system
that is protected using integrity checking as the primary virus
defense, the end user, if the machine becomes infected, has no way to
determine if the infection is a virus, program upgrade, or false
alarm. Integrity checkers only have 2 possible responses: Something
has changed, or nothing has changed. Integrity checkers cannot
determine if this change was done by a virus, program upgrade, or
modified by the end user. They only detect the change.
KP>> They also require the end
KP>> user to keep his programs fairly static in that he cannot constantly
KP>> add or change software. If the end user did, his integrity databases
KP>> would be constantly changing, thus weakening the generic detection of
KP>> the integrity checker. Keeping an integrity database current can be an
KP>> excessive task for an end user.
DM> Why do you say that?! You have seen ADinf. It keeps integrity
DM> databases up-to-date automatically!
ADinf is a reliable product. I agree, but it suffers the same
problems that all integrity checkers do. It cannot determine if the
modification was a virus, program upgrade, or user modified. It will
warn the end user of a possible virus even though it cannot determine
if in fact it is a virus or not. This is why integrity checkers are
not popular.
The biggest advantage to using a quality virus scanner is that virus
scanners can indicate that of the 10,000 or so known viruses that
exist in the database none are currently infecting a particular
machine. They do this by processing the stored information on the
machine. Integrity checkers cannot do this function initially, and
may fail if the databases are not very current or the virus has
infected the machine prior to installing the integrity checker.
Integrity checkers cannot remove existing infections. Also, they are
vulnerable to direct attack. If all the prior databases are
destroyed, or corrupted they do not function. Even if they store the
databases off-line these databases may not be 100% current so total
restoration (virus removal) is impossible.
DM> And from the other point of view: there is no need to check the
DM> system permanently.
This I agree with. Once a machine has been virus scanned using a quality
virus scanner, a database of integrity data can be established. Using
the integrity checker along with quality resident monitors will keep
the machine very well protected. If an infection is encountered,
depending on the infection (get a reliable virus name and research
the infection) then determine if the virus is best removed by a virus
scanner or generically using the integrity checker.
Sincerely,
Keith A. Peer
... Central Command Inc. U.S. Distributor for AVP and HS
* Silver Xpress V4.01 SW12662
--- InterEcho 1.19
---------------
* Origin: PC-Ohio PCBoard * Cleveland, OH * 216-381-3320 (1:157/200)
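A minimal illustration of the integrity-checker limitation argued over in this thread, added here as an example; it is not code from either correspondent or from any product named above. The "disk" contents, file names and the appended "infection" bytes are constructed, and the checker is a plain hash-per-file design assumed for the demonstration.

```python
import hashlib
from typing import Dict

# Constructed sample "disk" of program files: name -> bytes (not real programs).
CLEAN_DISK: Dict[str, bytes] = {
    "COMMAND.COM": b"MZ constructed command interpreter v1",
    "EDIT.EXE": b"MZ constructed text editor v1",
}


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record one hash per file. As the thread notes, this must be done on a
    machine already verified clean by a scanner, otherwise an existing
    infection is baked into the database as 'normal'."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def check_integrity(baseline: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, str]:
    """Compare current files against the baseline. The only verdicts an
    integrity checker can give are changed / unchanged / new / missing;
    it has no way to say *why* a file changed."""
    if not baseline:
        # Destroyed or corrupted database: nothing to compare against,
        # so the checker cannot function at all.
        raise ValueError("integrity database missing or corrupt")
    report: Dict[str, str] = {}
    for name in sorted(set(baseline) | set(files)):
        if name not in baseline:
            report[name] = "new"
        elif name not in files:
            report[name] = "missing"
        elif hashlib.sha256(files[name]).hexdigest() != baseline[name]:
            report[name] = "changed"
        else:
            report[name] = "unchanged"
    return report


def demo():
    """A vendor upgrade and a (constructed) infection of the same file
    produce the identical report: the checker cannot tell them apart."""
    baseline = build_baseline(CLEAN_DISK)
    upgraded = dict(CLEAN_DISK)
    upgraded["EDIT.EXE"] = b"MZ constructed text editor v2"  # legitimate upgrade
    infected = dict(CLEAN_DISK)
    infected["EDIT.EXE"] = CLEAN_DISK["EDIT.EXE"] + b"[constructed appended bytes]"
    return check_integrity(baseline, upgraded), check_integrity(baseline, infected)
```

Running `demo()` returns two equal reports marking EDIT.EXE as "changed", which is exactly the "something has changed" answer the thread says is all an integrity checker can offer; naming and researching the change is left to a scanner or to the user.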