DEFMTH3.CVP   920105

                 Write protection - software

An aspect related to hardware damage is that of "write protection". Although this aspect of security is a part of normal computer operation, the details are not necessarily well understood by the general public. In addition, certain procedures related to write protection that are often recommended as anti-viral measures are of little or no use. They may, indeed, be "dangerous", in that they encourage users to think themselves safe and not to take further measures.

First of all, there is software write protection. Many user manuals for antiviral programs have suggested changing the file attributes of all program files to "read-only" and "hidden". A minor problem with this is that a number of programs write to themselves when making a change in configuration. However, the more serious problem is that this action provides almost no real protection. What software (the operating system or protection program) can do, software (a virus) can undo. Overcoming this protection in MS-DOS is so trivially simple that utility programs, asked to make a change to a protected program, simply remind the user that the file is protected and ask for permission to proceed. (At least, the better written ones ask. Such is the contempt for "read-only" flags that some programs just "do it".)

There are, as well, programs which attempt to write protect the hard disk as a whole, or individual files. Since these programs use methods other than the standard OS calls, they are generally more successful in protecting against "outside intrusion". However, I must again repeat that what software can prevent, software can circumvent.

Software write protection must, of course, be running to do any good. Thus boot sector infectors, and any other viri which manage to start up before the software protection is invoked, have little to fear from these programs.
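
The point about "read-only" attributes made earlier in this column, as an added example that is not part of the original text: a program running as the file's owner clears the flag, writes, and restores the flag, so the attribute still looks intact while a content hash recorded beforehand shows the change. The file names, the appended bytes and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile


def digest(path):
    """SHA-256 of the file contents, used as the change-detection baseline."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def is_read_only(path):
    """True when the owner write bit (the read-only attribute) is off."""
    return not os.stat(path).st_mode & stat.S_IWUSR


def write_despite_flag(path, data):
    """Clear the flag, append, then restore it so the attribute looks untouched."""
    old_mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, old_mode | stat.S_IWUSR)
    try:
        with open(path, "ab") as f:
            f.write(data)
    finally:
        os.chmod(path, old_mode)


def demo():
    """Flag two constructed files read-only, alter one, compare both checks."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("EDIT.COM", "FORMAT.COM")]
        for p in paths:                          # constructed sample files
            with open(p, "wb") as f:
                f.write(b"constructed program image " + os.path.basename(p).encode())
            os.chmod(p, stat.S_IRUSR)            # "protect" as read-only
        baseline = {p: digest(p) for p in paths}  # recorded while clean
        write_despite_flag(paths[0], b"<appended bytes>")
        flagged = [os.path.basename(p) for p in paths if is_read_only(p)]
        changed = [os.path.basename(p) for p in paths if digest(p) != baseline[p]]
        for p in paths:                          # let cleanup succeed on Windows
            os.chmod(p, stat.S_IRUSR | stat.S_IWUSR)
        return flagged, changed


if __name__ == "__main__":
    flagged, changed = demo()
    print("read-only flag still set:", flagged)
    print("content changed:", changed)
```

Both files still report the read-only flag afterwards; only the hash comparison identifies the altered one. The baseline is only useful if it is stored where the same software cannot rewrite it.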

Some of the protection programs start themselves as replacements for the master or partition boot record, in order to get around such "early" infectors. However, in testing none have been able to prevent infection by the ubiquitous "Stoned" virus. (Regular readers of the reviews will note the recent trial of one such hard disk security program which not only did not prevent the infection, but would not, thereafter, allow disinfection! In my reviewing I have come to be much more afraid of antiviral programs than of viri themselves.)

(In talking of these PBR replacements, I must make an exception for Padgett Peterson's excellent DISKSECURE, SAFEMBR and FIXMBR programs. This simple but elegant concept in system change detection should be THE antiviral product of 1991. Micro OS vendors, are you listening?)

copyright Robert M. Slade, 1992

==============
Vancouver      ROBERTS@decus.ca    | "virtual information"
Institute for  Robert_Slade@sfu.ca |  - technical description of
Research into  rslade@cue.bc.ca    |    marketing info disguised
User           p1@CyberStore.ca    |    as technical description
Security       Canada V7K 2G6      |                 - Greg Rose