BEGPANA.CVP  931111
 
             3.2  Other Antivirals - Activity Monitors
 
Scanners are still the most widely used type of antiviral software, and
account for by far the highest number of infections detected.  When
a scanner finds something, you usually get a virus name along with the
report of an infection.  You may, however, have one of the other two
types of antivirals, sometimes lumped together under the term "generic"
antivirals, since they do not rely on a specific identification
(and, indeed, cannot perform one).  These are activity monitoring
software and change detection software.
 
If you have activity monitoring software, you will likely have been
told that a suspicious activity has been detected, or that a certain
program has virus-like characteristics, or even simply that a
certain program is infected with a virus.  If a specific program is
named, the easiest thing to do might be to get rid of it.  Copy the
program onto a disk first, so that someone qualified can study it.
Then re-install the program from the original (or original backup)
disks.  There is a chance, and a fairly good one, that you still
have other infected programs somewhere on your disk, but at least
you have dealt with the immediate problem.
 
I said there is a good chance that other programs were infected:
this assumes that the alarm was valid and that the program named
*was* infected.  This is by no means always the case.  Both activity
monitors and change detectors are subject to "false positive"
alarms.  This occurs when the antiviral detects behaviour, or a
change, that resembles a virus, but the program is not actually
infected.
 
In the case of activity monitors, programs are being checked for
suspicious actions.  Viral programs will try to change other
programs, or change the boot sector on floppy disks, or do "direct"
writes to the hard disk (bypassing the operating system).  The
trouble is, other programs have valid reasons, sometimes, for doing
the same thing.
 
If, therefore, it is inconvenient to replace the program, you will
have to do some more investigating.  What were you doing just before
the alert?  Were you using one program to delete another?  Were you
trying to format a floppy disk?  Both of these will trigger some
activity monitors.  Were you changing some settings in WordPerfect?
A number of settings cause the program to rewrite its own code,
which will trigger alarms.  So will setting up a new program with
SETVER, a part of DOS 5 and 6.  Utility programs will often set off
all kinds of alarms.
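To make the two preceding points concrete, here is a small added example
(not part of the original column, and not any real product's code) of the
logic an activity monitor applies.  It first flags the three virus-like
actions the column lists, and then checks each alarm against the
legitimate contexts the column gives (a program rewriting its own code
after a settings change, a file utility deleting a program at the user's
request, a format tool writing a floppy's boot sector).  The event model,
the program names in the lists, and the sample event stream are all
constructed for the example.

```python
from dataclasses import dataclass

# Constructed event model: one record per operation that a resident
# activity monitor would intercept before letting it through.
@dataclass(frozen=True)
class Event:
    program: str   # program issuing the request, e.g. "C:\\WP51\\WP.EXE"
    action: str    # "write_file", "delete_file", "write_boot_sector", "direct_disk_write"
    target: str    # file or drive touched, e.g. "C:\\DOS\\COMMAND.COM" or "A:"

@dataclass(frozen=True)
class Alert:
    event: Event
    rule: str                   # which virus-like behaviour fired
    likely_false_positive: bool
    explanation: str            # legitimate reason, when the context supplies one

PROGRAM_EXTENSIONS = (".EXE", ".COM", ".SYS")
FLOPPY_DRIVES = ("A:", "B:")

# Hypothetical lists of programs with a known benign reason for an alarm.
SELF_MODIFYING = {"WP.EXE", "SETVER.EXE"}        # rewrite their own code or table
FILE_UTILITIES = {"COMMAND.COM", "PCTOOLS.EXE"}  # delete programs on user request
FORMAT_TOOLS = {"FORMAT.COM"}                    # write fresh boot sectors

def is_program(path):
    return path.upper().endswith(PROGRAM_EXTENSIONS)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()

def virus_like_rule(e):
    """The generic checks: return a rule name if the operation looks viral."""
    if e.action in ("write_file", "delete_file") and is_program(e.target):
        return "modifies program code"
    if e.action == "write_boot_sector":
        return "writes a boot sector"
    if e.action == "direct_disk_write":
        return "direct disk write bypassing DOS"
    return None

def benign_context(e):
    """Return a legitimate explanation for the operation, if the context supports one."""
    prog = basename(e.program)
    if e.action == "write_file" and prog in SELF_MODIFYING and basename(e.target) == prog:
        return "program rewriting its own code after a settings change"
    if e.action == "delete_file" and prog in FILE_UTILITIES:
        return "user deleting a program with a file utility"
    if (e.action in ("write_boot_sector", "direct_disk_write")
            and prog in FORMAT_TOOLS and e.target.upper() in FLOPPY_DRIVES):
        return "formatting a floppy disk"
    return None

def triage(events):
    """Run the monitor over an event stream and classify every alarm it raises."""
    alerts = []
    for e in events:
        rule = virus_like_rule(e)
        if rule is None:
            continue
        why = benign_context(e)
        alerts.append(Alert(e, rule, why is not None,
                            why or "no legitimate reason found; copy the file and have it examined"))
    return alerts

# Constructed sample stream: four alarms with a benign explanation, two without,
# and one ordinary document write that raises no alarm at all.
SAMPLE_EVENTS = [
    Event("C:\\WP51\\WP.EXE", "write_file", "C:\\WP51\\WP.EXE"),
    Event("C:\\DOS\\SETVER.EXE", "write_file", "C:\\DOS\\SETVER.EXE"),
    Event("C:\\DOS\\FORMAT.COM", "write_boot_sector", "A:"),
    Event("C:\\DOS\\COMMAND.COM", "delete_file", "C:\\OLD\\GAME.EXE"),
    Event("C:\\GAMES\\GAME.EXE", "write_file", "C:\\DOS\\COMMAND.COM"),
    Event("C:\\TEMP\\STRANGE.COM", "direct_disk_write", "C:"),
    Event("C:\\WP51\\WP.EXE", "write_file", "C:\\WP51\\LETTER.DOC"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        tag = "likely false positive" if a.likely_false_positive else "INVESTIGATE"
        print(f"{tag:22} {basename(a.event.program):12} {a.rule:32} {a.explanation}")
```

The point of the two-stage design is that the generic rules cannot be
relaxed without missing real infections, so the context check only
changes how an alarm is labelled, never whether it is raised; the two
"INVESTIGATE" entries (a game writing into COMMAND.COM, and an unknown
program writing straight to the hard disk) are exactly the cases where
the column's advice to copy the file and have it examined applies.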
 
Make a copy of the suspect program, and get it to a recognized
researcher.  Someone who knows the field can perform more
sophisticated tests.  One quick test you can do yourself, even if
you don't replace the file, is to compare its size with that of the
original.
 
Or, just get a really good scanner, and check things out.
 
copyright Robert M. Slade, 1993   BEGPANA.CVP  931111

==============
Vancouver      ROBERTS@decus.ca         | Omne ignotum pro magnifico.
Institute for  Robert_Slade@sfu.ca      |  - Anything little known
Research into  rslade@cue.bc.ca         |    is assumed to be
User           p1@CyberStore.ca         |    wonderful.
Security       Canada V7K 2G6           |               - Tacitus