CyberSoft White Papers

Anti-Virus for Multimedia Publishers

Peter V. Radatti

Copyright © May 1995, May 1996 by Peter V. Radatti. All Rights Reserved.

People Believe CD-ROMs Provide Immunity

Just as restaurants can be sued for serving contaminated food that makes people sick, you as a multimedia publisher may be sued if your products physically or financially harm someone. In this case, the harm that I am referring to may arise from software contaminated with computer viruses, Trojan Horses, logic bombs or other forms of attack software. It is becoming important for publishers to perform integrity tests of their products as part of due diligence.

People reasonably expect shrink wrapped software to be free of viruses. This expectation is not always fulfilled. In many cases end users of CD-ROMs believe that they are immune to attack because of the write protected nature of CD-ROM technology. This is not true. The write protection will keep the data on the CD-ROM from becoming infected, but if the programs put onto the CD-ROM at the factory were infected prior to burn-in then they will continue to be infected on the CD-ROM. The infected files will then infect other files, which are not write protected, on the end user's computer. There have been many instances of CD-ROMs, shrink wrapped floppy diskettes and ready to run computer systems delivered to customers, factory fresh, already infected with viruses.

As proof that CD-ROMs are not immune I present the case of American Eagle Publications (telephone: 1-800-719-4957) who market a set of CD-ROMs which only contain computer viruses. These virus libraries are used for instructional and testing purposes.

An example of an unintentional distribution of computer viruses by a large international corporation occurred in 1995 when a European automobile manufacturer distributed media containing virus infected programs detailing their new product line. It was a major embarrassment and a public relations problem.
I hope that manufacturer paid more attention to the development and manufacturing of their automobiles than they did to the media they distributed.

One of the problems with computer viruses is that they have no relationship to the program that acted as the unwitting carrier. No one can tell if a program is infected by its intended function. Once a virus infects a system it affects all of the operations of the computer, creating a snowball effect. Only anti-virus software can detect computer viruses.

Computer virus infections can cost millions of dollars and possibly kill people. As a case in point, I was told a story by the Director of Biomedical Engineering at a local hospital. I don't know if the story is true, but there is no technical reason why it can't be. He said that a field technician from the manufacturer of a blood analyzer called and stated that there was a recall on their system and he needed to perform the repair. When the technician arrived he was supervised by the Director, who noticed that the technician was replacing the ROMs. After talking with the technician the Director was told that the ROMs were infected with a computer virus. The virus had no effect on the operation of the system but it didn't belong there, so the manufacturer was replacing all of the contaminated ROMs, worldwide, at no charge.

This raises the question: how did the virus get into the ROMs in the first place? The answer is usually simple. One of the systems used to develop or manufacture the software contained in the ROMs was also used to process other programs and one of them was infected. When I think about this type of problem I think about the systems used to design airplanes, run power plants, execute monetary transactions, automate factories and perform the many thousands of other necessary, dangerous or expensive tasks that can go wrong if a virus gets into the wrong system at the wrong time.
Many of these systems are PC based and may be far down in the chain of usage, just as the blood analyzer must have been in the example given. I wouldn't be surprised to learn that the source of the infection was a computer game run by someone during their lunch break. Their system became infected. When they delivered their work to the next person in the chain of command, it infected their system, and so on.

Protection for the Publisher

How can you as a responsible publisher protect yourself? There are many companies willing to sell you solutions, including my company. Virus scanners, integrity subsystems, risk analyzers, disk fencing systems and heuristic modeling programs are all valid tools. However, there are trade-offs with every method. To reduce the exposure created by these trade-offs I suggest that you use multiple methods from multiple vendors.

Use a virus scanner to check for known viruses. Use an integrity subsystem like CyberSoft's Cryptographic Integrity Tool to keep track of every file that was modified, added or deleted from your system. An integrity tool can tell you all of the files on your system that have been modified, added and deleted since the last time it was run. When files that you did not change are modified, then there is a problem even if the virus scanner didn't find anything.

A virus scanner can only tell you if it locates a virus that it already knows about. No one can write a scanner that looks for the viruses that will be written next month. (There is a technology called Emulation that can locate unknown viruses but cannot identify them or detect other forms of hostile software attacks such as logic bombs or Trojan Horses.) Integrity systems can only tell you if a file was modified. The combination of a virus scanner with an integrity system can be used to catch all known and unknown viruses.

Of course this takes a little awareness on the part of the end user. You can resolve the awareness problem by adopting some basic rules.
CyberSoft's half dozen rules of antivirus common sense can be a start for your own policy on computer viruses.

The CyberSoft Half Dozen Rules of Anti-Virus Common Sense

Additional Rules For Publishers

In addition to these rules, publishers must add some of their own. Remember that once you manufacture a CD-ROM and it is later discovered to be virus infected, your reputation is damaged and your warehouse full of products becomes waste. Very few people will buy an infected product.

Since your exposure is greater, I suggest that you use anti-virus products from three different companies. Each company has its own proprietary ways of detecting viruses. Very few companies share this data, and if you scan your product in this way then you are as safe as is humanly possible. Don't forget to scan going into the mastering process so you can catch anything that might be there before spending money on pressing, and do it again on the final product just to make sure that someone at the mastering service didn't infect it.

If you are using the UNIX or Microsoft NT environments then please consider the products manufactured by my company, CyberSoft, Inc. We manufacture VFind, the first anti-virus product in the UNIX marketplace. VFind has been continuously available since 1991 and includes both a virus scanner and a cryptographic integrity subsystem.

Special Notice

The predecessor of this paper was published by the National Multimedia Association of America (NMAA) in their June 1995 newsletter, "Point & Click", starting on page 8.

