4. VERV - A Prototype Virus Verifier and Remover

At HICL, we are currently using and developing a virus verifier and remover called "VERV" for PC-DOS viruses. The current version can verify over 40 different viruses and variants, which accounts for nearly all of the actual infections that we see in day-to-day operation. It has recently been enhanced to attempt to remove about a dozen of the most common file-infecting viruses (we have other tools, which will eventually be integrated, for removing boot-sector-infecting viruses). As well as being used in the lab, and as a research prototype, VERV is used by IBM's internal Computer Emergency Response Teams (CERTs), as part of routine incident handling. It is an independent tool at the moment; in the long run, we expect to integrate it with our other anti-virus programs. It can use either a CRC algorithm or a byte-for-byte comparison to verify the identity of a virus. In the laboratory, we use the byte-for-byte compare to test new samples against old ones. In the field, our users use the CRC algorithm to verify the virus in infected objects before applying cleanup measures.
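As an added illustration of the two verification modes just described (example code, not VERV's own), the following Python sketch checks a suspected infection against a stored record before any cleanup is attempted. The record format, the choice of regions, the sample bytes and the removal step are all constructed for this example, and CRC-32 is an assumed choice of CRC algorithm.

```python
# Added example, not VERV's own code. Record layout, regions, sample bytes and
# the removal step are constructed; CRC-32 is an assumed choice of CRC.
import zlib
from dataclasses import dataclass

@dataclass(frozen=True)
class VirusRecord:
    name: str
    regions: tuple    # (offset, length) pairs of the body that stay invariant
    crc: int          # CRC-32 over those regions, taken from a lab reference
    body_offset: int  # where the appended body starts (constructed layout)

def region_bytes(image: bytes, regions) -> bytes:
    """Concatenate the given regions; refuse objects too short to contain them."""
    out = bytearray()
    for off, length in regions:
        if off + length > len(image):
            raise ValueError("region lies outside the object")
        out += image[off:off + length]
    return bytes(out)

def make_record(name, reference: bytes, regions, body_offset) -> VirusRecord:
    """Lab step: derive the CRC from an already-verified reference sample."""
    crc = zlib.crc32(region_bytes(reference, regions)) & 0xFFFFFFFF
    return VirusRecord(name, tuple(regions), crc, body_offset)

def verify_crc(image: bytes, rec: VirusRecord) -> bool:
    """Field mode: the CRC over the invariant regions must match the record."""
    return (zlib.crc32(region_bytes(image, rec.regions)) & 0xFFFFFFFF) == rec.crc

def verify_bytewise(image: bytes, reference: bytes, regions) -> bool:
    """Lab mode: byte-for-byte comparison of a new sample against a known one."""
    return region_bytes(image, regions) == region_bytes(reference, regions)

def clean_if_verified(image: bytes, rec: VirusRecord) -> bytes:
    """Only act on an object whose infection identity has been verified.
    Removal here just truncates the appended body, which is correct only for
    this constructed layout (the host bytes were left untouched)."""
    if not verify_crc(image, rec):
        raise ValueError(f"{rec.name}: identity not verified, no cleanup attempted")
    return image[:rec.body_offset]

# Constructed samples: a 32-byte host stub with a 32-byte placeholder body appended.
HOST_A = b"HOST-A".ljust(32, b"\x00")
HOST_B = b"HOST-B".ljust(32, b"\x07")
BODY = b"DEMO-BODY-v1" + bytes(range(20))      # placeholder, not a real viral body
INFECTED_A = HOST_A + BODY
INFECTED_B = HOST_B + BODY                      # same body, different host
VARIANT = HOST_A + BODY[:-1] + b"\xff"          # one byte of the body changed
REGIONS = ((32, 12), (44, 20))                  # both regions lie inside the body
RECORD = make_record("Demo", INFECTED_A, REGIONS, body_offset=32)
```

The regions deliberately skip the host, so a second infected host with the same body verifies, while a one-byte variant of the body fails both checks and is never cleaned.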
VERV includes an interpreter for a small virus-description
language.
Virus-description languages, for this and other purposes, have
been around for some time; Christoph Fischer at the University
of Karlsruhe, Morton Swimmer in Hamburg, Alan Solomon in the UK,
and no doubt many
others in the field have worked on similar things
(personal correspondence; one motivation for this paper is
to encourage others, who have perhaps done it better, to
publish their work).
VERV's language is very simple, and provides for lower-level
hooks (instructions to call special-purpose C routines) when
a virus requires actions that cannot be described in the
high-level language.
We will describe the language in some detail, not because it
is particularly interesting as a language, or because we think
we have it all correct and optimal, but rather so that other
people working on the same sorts of things can benefit from
both our ideas and our mistakes.
We hope this will help inspire continued discussion and exchange.