BEGPANB.CVP 931111

Other Antivirals - Change Detectors

If your "generic" antiviral is a change detection program, then you will probably have a much better idea of what is infected, although less idea of how. Change detectors will usually tell you that the boot sector, or master boot record, or a specific file has been changed. Sometimes, in the case of a stealth virus, the detector will not be able to "see" any change on the disk (the virus intercepts the reads and hands back the original contents), but it will report a change in memory, in the interrupt vectors.

Activity monitors usually run all the time, and so, in addition to sometimes telling you specifically what type of action is being attempted, they generally give you some clues by catching something as it happens. Change detectors are usually run at set intervals, often at boot time, and so only report after the fact. However, because change detection software identifies specific objects, you will generally get more information from it about boot sector infectors than you will get from activity monitors, and boot sector infectors are much more common.

As with activity monitors, if the antiviral identifies a file that you can easily replace, copy it off and replace it. If a change detector shows only one file changed, then it is highly unlikely that any other files are infected. If a cluster of files is changed, particularly in one directory, then the chances are very good that you do have a real infection.

However, like activity monitors, change detectors are subject to false positive alarms. If you have made changes to WordPerfect, SETVER or another program that stores its configuration inside its own executable, these will generate alerts from change detectors. If you upgrade your DOS version, the boot sector will change. If you repartition the disk, the master boot record will change. If, therefore, it is inconvenient to replace the modified program, or if the boot sector appears to be infected, then you may have to do the same types of investigations as were outlined for activity monitors.
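To make the rule of thumb above concrete, here is a toy change detector written as an added example for this edition; it is not code from the column or from any of the products it alludes to. It digests a tree of files plus two constructed 512-byte sector images standing in for the boot sector and master boot record, re-scans, and classifies the result the way the column suggests: any sector change is a boot-level problem, a single changed file is probably a program rewriting its own setup, and several changed files in one directory is a probable infection. The file contents, sector images and the three "mutations" (a WordPerfect reconfiguration, an appending .COM infector, a boot code overwrite) are all constructed stand-ins.

```python
"""Toy change detector illustrating the column's rule of thumb (added example).

Everything here is constructed: file bodies, sector images and mutations.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

SECTOR_PREFIX = "sector:"   # keeps sector objects apart from file paths

# Constructed 512-byte images: jump + OEM name ... 0x55AA signature.
BOOT = b"\xEB\x3C\x90" + b"MSDOS5.0" + b"\x00" * 499 + b"\x55\xAA"
MBR = b"\xFA\x33\xC0" + b"\x00" * 507 + b"\x55\xAA"

# Constructed sample "volume"; the .COM/.EXE bodies are placeholders.
SAMPLE_FILES = {
    "DOS/COMMAND.COM": b"MZ command interpreter (constructed)",
    "DOS/SETVER.EXE": b"MZ setver and its version table (constructed)",
    "WP/WP.EXE": b"MZ wordperfect with saved setup (constructed)",
    "GAMES/A.COM": b"\xE9 game a (constructed)",
    "GAMES/B.COM": b"\xE9 game b (constructed)",
}


def digest(data):
    return hashlib.sha256(data).hexdigest()


def snapshot(root, sectors):
    """Digest every file under root plus each named sector image."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                snap[os.path.relpath(path, root)] = digest(fh.read())
    for name, image in sectors.items():
        snap[SECTOR_PREFIX + name] = digest(image)
    return snap


def compare(old, new):
    """Objects whose digest differs, plus objects that appeared or vanished."""
    changed = sorted(k for k in old if k in new and old[k] != new[k])
    added = sorted(k for k in new if k not in old)
    missing = sorted(k for k in old if k not in new)
    return changed, added, missing


def assess(changed):
    """Classify a list of changed object names per the column's heuristics."""
    sectors = [c for c in changed if c.startswith(SECTOR_PREFIX)]
    files = [c for c in changed if not c.startswith(SECTOR_PREFIX)]
    if sectors:
        return "boot"        # boot sector or MBR altered: sector-level recovery
    if not files:
        return "clean"
    if len(files) == 1:
        return "single"      # probably a program that rewrote its own config
    by_dir = defaultdict(list)
    for f in files:
        by_dir[os.path.dirname(f)].append(f)
    if max(len(v) for v in by_dir.values()) >= 2:
        return "cluster"     # several files in one directory: probable infection
    return "scattered"       # several files, no clustering: investigate


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def run_scenario(mutate):
    """Baseline a fresh constructed volume, apply mutate(root, sectors), re-scan."""
    sectors = {"boot": bytearray(BOOT), "mbr": bytearray(MBR)}
    with tempfile.TemporaryDirectory() as root:
        for rel, payload in SAMPLE_FILES.items():
            _write(root, rel, payload)
        base = snapshot(root, sectors)
        mutate(root, sectors)
        changed, _added, _missing = compare(base, snapshot(root, sectors))
    return changed, assess(changed)


# Three constructed mutations matching the cases the column discusses.
def wp_reconfigure(root, sectors):      # user changes WordPerfect setup
    _write(root, "WP/WP.EXE", b"MZ wordperfect with changed setup")


def com_infector(root, sectors):        # appending infector hits every .COM in GAMES
    for rel in ("GAMES/A.COM", "GAMES/B.COM"):
        with open(os.path.join(root, rel), "ab") as fh:
            fh.write(b"<appended viral code, constructed>")


def boot_infector(root, sectors):       # boot code overwritten, files untouched
    sectors["boot"][0x3E:0x3E + 16] = b"VIRALBOOTCODE!!!"


if __name__ == "__main__":
    for name, mutate in (("wp", wp_reconfigure), ("com", com_infector),
                         ("boot", boot_infector)):
        print(name, *run_scenario(mutate))
```

Two points the toy makes visible. First, a sector object and a file object are reported separately, which is why the column says the recovery differs: a "boot" verdict sends you to the SYS / FDISK steps, a "single" verdict to checking whether the program simply saved its setup. Second, the detector trusts whatever bytes it is handed; a real one reading the disk through an operating system that has a stealth virus resident will be shown the original sectors and report nothing on disk, which is the reason a scan is only worth believing after a boot from a clean, write-protected system disk.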
Since boot sector infectors are more likely to be identified here, trying to trap an infection on a floppy disk is more important. If you have floppy drives of two different sizes, then format two new disks, one for each. Label each as to whether it is drive A: or B: on the computer. Copy some files onto them, and take several directory listings. If you have utility software, try to look at the boot sectors of the floppy disks, and keep a record of what they contain so that you can compare later. The reason for all this activity is that one must try to force the virus to infect the disk, and this is not always as easy as it sounds.

Also, if a boot sector infector is identified, recovery is not quite as simple as replacing a file. Boot from a write-protected system disk that is known to be free from infection (ideally the same DOS version as the hard disk, since SYS will transfer the system files from that disk). If you cannot access the hard disk at this point, do not try anything further. If the hard drive is readable, then do a SYS C: command (if the boot sector is changed) or an FDISK /MBR (if the master boot record has been altered). Note that FDISK /MBR rewrites only the boot code in the master boot record and leaves the partition table as it finds it. This should fix the problem, but you will also need to check *all* diskettes for infection.

copyright Robert M. Slade, 1993

==============
Vancouver Institute for Research into User Security, Canada V7K 2G6
ROBERTS@decus.ca | Robert_Slade@sfu.ca | rslade@cue.bc.ca | p1@CyberStore.ca
Slade's Law of Computer Literacy: There is no such thing as "computer illiteracy"; only illiteracy itself.