DEFMTH3.CVP   920105
 
                  Write protection - software
 
An aspect related to hardware damage is that of "write
protection".  Although this aspect of security is a part of
normal computer operation, the details are not necessarily well
understood by the general public.  In addition, certain
procedures related to write protection often recommended as
anti-viral measures are of little or no use.  They may, indeed,
be "dangerous", in that they encourage users to think themselves
safe and not to take further measures.
 
First of all, there is software write protection.  Many user
manuals for antiviral programs have suggested changing the file
attributes of all program files to "read-only" and "hidden".  A
minor problem with this is that a number of programs write to
themselves when making a change in configuration.  However, the
more serious problem is that this action provides almost no real
protection.  What software (the operating system or protection
program) can do, software (a virus) can undo.  The overcoming of
this protection in MS-DOS is so trivially simple that utility
programs, asked to make a change to a protected program, simply
remind the user that the file is protected and ask for
permission to proceed.  (At least, the better written ones ask. 
Such is the contempt for "read-only" flags, that some programs
just "do it".)
 
There are, as well, programs which attempt to write protect the
hard disk as a whole, or individual files.  Since these programs
use methods other than the standard OS calls, they are generally
more successful in protecting against "outside intrusion". 
However, I must again repeat that what software can prevent,
software can circumvent.
 
Software write protection must, of course, be running to do any
good.  Thus boot sector infectors, and any other viri which
manage to start up before the software protection is invoked,
have little to fear from these programs.  Some of the protection
programs start themselves as replacements for the master or
partition boot record, in order to get around such "early"
infectors.  However, in testing none have been able to prevent
infection by the ubiquitous "Stoned" virus.  (Regular readers of
the reviews will note the recent trial of one such hard disk
security program which not only did not prevent the infection,
but would not, thereafter, allow disinfection!  In my reviewing
I have come to be much more afraid of antiviral programs than of
viri themselves.)
 
(In talking of these PBR replacements, I must make an exception
for Padgett Peterson's excellent DISKSECURE, SAFEMBR and FIXMBR
programs.  This simple but elegant concept in system change
detection should be THE antiviral product of 1991.  Micro OS
vendors, are you listening?)
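
The contrast between a software "read-only" flag and change detection,
as an added example that is not part of the original column.  The file
name and contents are constructed, Python's os.chmod stands in for the
MS-DOS attribute call, and a plain hash comparison stands in for change
detection generally; it is not how the programs named above work.

```python
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def demo_readonly_vs_change_detection():
    """Set a read-only flag, clear it again, and compare against a baseline hash."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "PROGRAM.COM")  # constructed stand-in file
    with open(target, "wb") as fh:
        fh.write(b"original program bytes")

    baseline = sha256_of(target)        # recorded while the file is known good
    os.chmod(target, stat.S_IREAD)      # the "protection": read-only attribute

    # A direct write is normally refused (not when run as root/administrator).
    try:
        with open(target, "ab") as fh:
            fh.write(b"!")
        flag_blocked_write = False
    except PermissionError:
        flag_blocked_write = True

    # The flag is set by software, so the same user's software can clear it.
    os.chmod(target, stat.S_IREAD | stat.S_IWRITE)
    with open(target, "ab") as fh:
        fh.write(b" plus appended bytes")

    with open(target, "rb") as fh:
        modified = fh.read().endswith(b" plus appended bytes")
    change_detected = sha256_of(target) != baseline  # the baseline still notices
    os.remove(target)
    os.rmdir(workdir)
    return {"flag_blocked_write": flag_blocked_write,
            "modified_after_clearing_flag": modified,
            "change_detected": change_detected}


if __name__ == "__main__":
    print(demo_readonly_vs_change_detection())
```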
 
copyright Robert M. Slade, 1992   DEFMTH3.CVP   920105

==============
Vancouver      ROBERTS@decus.ca         | "virtual information"
Institute for  Robert_Slade@sfu.ca      |   - technical description of
Research into  rslade@cue.bc.ca         |     marketing info disguised
User           p1@CyberStore.ca         |     as technical description
Security       Canada V7K 2G6           |            - Greg Rose