begpan9.cvp

BEGPAN9.CVP  931105
 
                           3.1 Scanners
 
OK.  You suspect you have a virus.  You have made what preparations
you can.  Let us look at what to do in light of the different ways
this problem has come to your attention.
 
If you truly do have a virus, you probably have been alerted by a
virus signature scanning program.  Scanners, for all their faults,
still account for the vast majority of virus infection alerts, as
much as 90%, according to one study.  Therefore, you probably even
know the name of the virus.  Thus, you may be in a position to call
for help with that specific virus.  But, be careful.
 
This type of request is made all the time on the nets, and the
answer is always the same.  Which scanner did you test it with? 
Which version of the scanner do you have (and is it up to date)? 
Have you confirmed this with another scanner?  The reason behind
these questions is that all scanners do not use the same name for
the same virus.  In particular, some of the very popular commercial
programs feel no need to correspond to anyone else.  Therefore, the
names they assign may be very arbitrary, and of no help to someone
trying to help you.
 
Furthermore, all scanners are subject to "false positive" results. 
This is when a virus signature used in the scanner matches a string
in a non-infected file.  Most viral scanning programs use signatures
that are worked out independently and, therefore, they work slightly
differently.  Therefore, it is a good idea to check the results of
one scanner against another, or even more.  Also, it is a good idea
to ensure that you have the latest version of any given scanner, so
that any problems previously noted may have been ironed out.
 
If you do a second test with an updated version of your scanner and
it reports a different virus name, this is not unusual.  Virus
researchers, and scanner authors, have to give a virus *some* name
when they receive it.  They may later change the name when others
are using a more suitable or standardized name.
 
In summary: if you are using scanning software, have more than one
scanner around.  In fact, it might be a very good idea *not* to
standardize on a single product.  If you have a very large company,
you might license three different antiviral programs, each for a
third of your computers.  If the various scanners are distributed
throughout the company, it is almost as good as having all three on
each machine, since infections tend to occur in geographic clumps. 
Keep your scanners up to date, and when an alarm is raised, check it
out with other programs.
 
copyright Robert M. Slade, 1993   BEGPAN9.CVP  931105

==============
Vancouver      ROBERTS@decus.ca         | "My son, beware ... of the
Institute for  Robert_Slade@sfu.ca      |  making of books there is
Research into  rslade@cue.bc.ca         |  no end, and much study is
User           p1@CyberStore.ca         |  a weariness of the flesh."
Security       Canada V7K 2G6           |          Ecclesiastes 12:12