BEGPANA.CVP   931111

3.2  Other Antivirals - Activity Monitors

Scanners are still the most widely used antiviral software, and account for by far the highest number of infections detected. When a scanner finds an infection, you usually get a name along with the report. You may, however, have one of the other two types of antiviral, sometimes lumped together under the term "generic" antivirals, since they do not rely on a specific identification (and, indeed, cannot perform one). These are activity monitoring software and change detection software.

If you have activity monitoring software, you will likely have been told that a suspicious activity has been detected, or that a certain program has virus-like characteristics, or even simply that a certain program is infected with a virus. If a specific program is named, the easiest thing to do might be to get rid of it. Copy the program onto a disk first, so that someone qualified can study it. Then re-install the program from the original (or original backup) disks. There is a chance, and a fairly good one, that you still have other infected programs somewhere on your disk, but at least you have dealt with the immediate problem.

I said there is a good chance that other programs were infected: this assumes that the alarm was valid and that the program named *was* infected. This is by no means always the case. Both activity monitors and change detectors are subject to "false positive" alarms: the antiviral detects something that looks like a virus, but which is actually not an infection. In the case of activity monitors, programs are being checked for suspicious actions. Viral programs will try to change other programs, change the boot sector on floppy disks, or do "direct" writes to the hard disk (bypassing the operating system). The trouble is that other programs sometimes have valid reasons for doing the same things.
If, therefore, it is inconvenient to replace the program, you will have to do some more investigating. What were you doing just before the alert? Were you using one program to delete another? Were you trying to format a floppy disk? Both of these will trigger some activity monitors. Were you changing some settings in WordPerfect? A number of settings cause the program to rewrite its own code, which will trigger alarms. So will setting up a new program with SETVER, a part of DOS 5 and 6. Utility programs will often set off all kinds of alarms.

Make a copy of the suspect program and get it to a recognized researcher. Someone who knows the field can perform more sophisticated tests. One quick test, even if you don't replace the file, is to compare its size with that of the original. Or, just get a really good scanner, and check things out.

copyright Robert M. Slade, 1993

==============
Vancouver Institute for Research into User Security, Canada V7K 2G6
ROBERTS@decus.ca | Robert_Slade@sfu.ca | rslade@cue.bc.ca | p1@CyberStore.ca
"Omne ignotum pro magnifico." - Anything little known is assumed to be wonderful. - Tacitus
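The two mechanisms discussed above, an activity monitor that flags virus-like actions (and therefore also flags FORMAT, SETVER and WordPerfect doing their legitimate work) and the quick "compare it with the original" check, as an added worked example. This is illustrative code written for this edition of the page, not part of Slade's column or any real antiviral product. The event records, program names and file contents are constructed; the allow-list of vouched-for (program, action) pairs is a hypothetical way of suppressing the false positives the text describes; and the content digest in the file comparison goes beyond the column, which mentions size only.

```python
"""Toy activity monitor plus the column's quick file comparison.

Added example; not Slade's code.  Events, program names and the
allow-list are constructed to mirror the cases named in the text.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Actions the column says activity monitors treat as virus-like.
SUSPICIOUS_ACTIONS = {
    "write_program": "modifies an executable file",
    "write_bootsector": "changes a floppy boot sector",
    "direct_disk_write": "writes to disk bypassing the operating system",
}

# Hypothetical allow-list of (program, action) pairs the user has vouched
# for, matching the text's legitimate examples: FORMAT writes boot
# sectors, SETVER and WordPerfect rewrite their own program files.
ALLOW_LIST = {
    ("FORMAT.COM", "write_bootsector"),
    ("SETVER.EXE", "write_program"),
    ("WP.EXE", "write_program"),
}


@dataclass(frozen=True)
class Event:
    program: str   # program performing the action
    action: str    # key of SUSPICIOUS_ACTIONS, or some benign action
    target: str    # file or device affected


def classify(event, allow_list=ALLOW_LIST):
    """Return 'clean', 'allowed' or 'alarm' for a single event."""
    if event.action not in SUSPICIOUS_ACTIONS:
        return "clean"
    if (event.program, event.action) in allow_list:
        return "allowed"   # suspicious action, but vouched for
    return "alarm"


def monitor(events, allow_list=ALLOW_LIST):
    """Run events through classify() and return those that raise an alarm."""
    return [e for e in events if classify(e, allow_list) == "alarm"]


# Constructed event trace: three legitimate programs doing the things the
# column says trigger monitors, one unexplained write to another program,
# and one harmless read.
SAMPLE_EVENTS = [
    Event("WP.EXE", "write_program", r"C:\WP51\WP.EXE"),          # settings change
    Event("FORMAT.COM", "write_bootsector", "A:"),                # floppy format
    Event("SETVER.EXE", "write_program", r"C:\DOS\SETVER.EXE"),   # version table update
    Event("GAME.EXE", "write_program", r"C:\DOS\COMMAND.COM"),    # no good reason
    Event("EDIT.COM", "read_file", r"C:\AUTOEXEC.BAT"),           # benign
]


def compare_with_original(suspect_path, original_path):
    """The column's quick check (size), plus a content digest, since two
    files of equal size can still differ."""
    def digest(path):
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    return {
        "size_same": os.path.getsize(suspect_path) == os.path.getsize(original_path),
        "content_same": digest(suspect_path) == digest(original_path),
    }


def demo_compare():
    """Constructed 'original' and 'suspect' program files of equal size
    whose last two bytes differ: size matches, content does not."""
    with tempfile.TemporaryDirectory() as d:
        orig = os.path.join(d, "ORIG.EXE")
        susp = os.path.join(d, "SUSPECT.EXE")
        with open(orig, "wb") as f:
            f.write(b"MZ" + b"\x90" * 62)
        with open(susp, "wb") as f:
            f.write(b"MZ" + b"\x90" * 60 + b"VX")
        return compare_with_original(susp, orig)


if __name__ == "__main__":
    print("alarms without allow-list:",
          [e.program for e in monitor(SAMPLE_EVENTS, set())])
    print("alarms with allow-list:   ",
          [e.program for e in monitor(SAMPLE_EVENTS)])
    print("quick comparison:", demo_compare())
```

Without the allow-list, every suspicious action alarms, including WordPerfect, FORMAT and SETVER, which is exactly the false-positive behaviour the column warns about; with it, only the unexplained write by GAME.EXE to COMMAND.COM remains. The comparison function shows why the size check is only a first, quick test: the constructed suspect file has the same size as the original but different contents.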