72 Wouldn't adding self-checking code to your programs be a good idea?





This article is from the Computer Viruses FAQ, by Nick FitzGerald n.fitzgerald@csc.canterbury.ac.nz with numerous contributions by others.


Every few months somebody suggests the idea of adding a small piece of
code to existing programs. This code would check for virus infections
when the program is executed by comparing a previously computed CRC or
cryptographic checksum (hash value) of the file in its known clean state
with its current value. The idea is that this will detect any virus
infection immediately, and is thus effective against unknown viruses.

A simple and intuitively attractive idea--in fact, some antivirus
programs have included options to do just this. There are, however,
some serious flaws with this approach.

This method cannot prevent the program from getting infected in the
first place. Further, if a program that has been protected this way
becomes infected later, whenever it is run the virus code will be
activated first. The virus may then be able to detect or even remove
the self-checking code, or it might make it totally ineffective by using
stealth techniques, so the self-checking code only "sees" the original,
non-infected program.

Some programs contain an internal self-check--much antivirus software,
for example. Such internal code might also be unable to detect stealth
viruses, but unless the external self-check code uses stealth techniques
too, the result will be a conflict, where the internal check will notice
the newly added code and decide that it has been "infected".

Moreover, this method is ineffective against "companion" viruses that
don't modify the applications they infect.

It may not be possible to protect all programs this way. For example,
under DOS it is relatively easy to add code of this type to most COM
files (unless the original program was slightly less than 64K, and the
resulting file would break that limit). However, EXE files are more of
a problem--especially those containing internal overlays, where one
cannot append the code to the file, as the resulting file might become
too big to load. Windows applications are also a problem, as they have
two different entry points, and special care has to be taken to handle
that correctly.

On the other hand, adding internal self-checking to programs as part of
their development is a good idea. Although it has the same limitations
regarding stealth viruses, it does not cause the conflicts described
above, and can be put in any program at compile-time. It is also much
more difficult for viruses to bypass.
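A sketch of the internal, compile-time self-check described above, given here as an added example that is not part of the original FAQ. The marker string `SELFCHK1`, the marker-plus-slot layout, the choice of CRC-32, and the function names `seal` and `verify` are all assumptions made for illustration; the check works on a buffer holding the program image so that it runs on a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: 8-byte marker followed by a 4-byte slot holding the CRC. */
static const char MARKER[] = "SELFCHK1";

/* Bitwise CRC-32 (reflected, poly 0xEDB88320); the slot bytes count as zero. */
static uint32_t crc32_skip(const unsigned char *p, size_t n, size_t slot) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= (i >= slot && i < slot + 4) ? 0u : p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}
/* Offset of the CRC slot, or -1 if the marker is absent. */
static long find_slot(const unsigned char *p, size_t n) {
    for (size_t i = 0; i + 12 <= n; i++)
        if (memcmp(p + i, MARKER, 8) == 0) return (long)(i + 8);
    return -1;
}
/* Build step: compute the clean-state CRC and store it little-endian. */
int seal(unsigned char *p, size_t n) {
    long s = find_slot(p, n);
    if (s < 0) return -1;
    uint32_t c = crc32_skip(p, n, (size_t)s);
    for (int i = 0; i < 4; i++) p[s + i] = (unsigned char)(c >> (8 * i));
    return 0;
}
/* Run-time check: 1 = matches sealed state, 0 = modified, -1 = no marker. */
int verify(const unsigned char *p, size_t n) {
    long s = find_slot(p, n);
    if (s < 0) return -1;
    uint32_t stored = 0;
    for (int i = 0; i < 4; i++) stored |= (uint32_t)p[s + i] << (8 * i);
    return stored == crc32_skip(p, n, (size_t)s);
}

int main(void) {
    /* Constructed sample image, not a real binary; 48 bytes are "the file". */
    unsigned char img[64] = "constructed program image SELFCHK1";
    if (seal(img, 48) != 0) return 1;
    printf("clean:    %d\n", verify(img, 48));
    printf("appended: %d\n", verify(img, 64));  /* 16 extra bytes on the end */
    img[3] ^= 0x01;                             /* one patched bit */
    printf("patched:  %d\n", verify(img, 48));
    return 0;
}
```

In a real program the buffer would be the program's own file read back from disk, which is exactly where the limitations above apply: a stealth virus that intercepts the read returns the clean image, and a companion virus leaves the file untouched, so `verify` reports 1 in both cases.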

 
