From owner-freebsd-questions Thu Jun 20 18:18:49 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id SAA02510 for questions-outgoing; Thu, 20 Jun 1996 18:18:49 -0700 (PDT)
Received: from mistery.mcafee.com (jimd@mistery.mcafee.com [192.187.128.69]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id SAA02504 for ; Thu, 20 Jun 1996 18:18:47 -0700 (PDT)
Received: (from jimd@localhost) by mistery.mcafee.com (8.6.11/8.6.9) id SAA06494; Sun, 20 Jun 2010 18:27:24 -0700
From: Jim Dennis
Message-Id: <201006210127.SAA06494@mistery.mcafee.com>
Subject: Re: Missing Memory & shrinking drives
To: nate@sri.MT.net (Nate Williams)
Date: Sun, 20 Jun 110 18:27:24 -0700 (PDT)
Cc: jimd@mcafee.com, nate@sri.MT.net, questions@freebsd.org
In-Reply-To: <199606202029.OAA11078@rocky.sri.MT.net> from "Nate Williams" at Jun 20, 96 02:29:00 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > Jim Dennis writes:
> > >
> > > > Greetings,
> > > > How does FreeBSD handle the presence of the various types of viruses.
> > > > Is it similar to the way NT handles them?? Are there any anti-virus
> > > > utilities available for FBSD?
> > [ My claim that FreeBSD isn't susceptible to viruses for multiple reasons ]
>
> > Mostly correct. Note that most PC virii are not OS specific --
> > they rely on the initial behaviour of the BIOS (these are
> > boot sector virii; there are a few hundred of them like
> > 'Stoned' and 'Michelangelo').
>
> True. But I claim that 'most' is probably too strong. Many are
> boot-sector viruses.

I was a bit unclear on this point. Most virii are file infectors (about
7,000 known, depending on who you ask and how they count them). Most
infections (by a huge margin) are via the boot sector.

Way over 90% of all confirmed infections in the AV tech support teams at
McAfee and at Symantec (a year and a half ago when I was there) were BSVs.
Most of those were simple BSVs and not even multipartite.

So, to elaborate my original statement: PCs running various 32-bit OSes,
including Free/Net/Open/386-BSD and Linux, are technically as susceptible
to the most prolific virii as PCs running DOS. Your PC can catch the bug --
even though the bug won't often propagate beyond it.

I like to explain this to people using the phrase PC virus (i.e. those
that rely on the BIOS) rather than DOS virus (file infectors that are
specific to DOS and DOS emulators). This is not a standard terminology --
just a point of clarification.

> Exactly my point. In order to get/pass the virus your OS must allow it
> to be passed on, and Unix doesn't allow this.
>
> So, to get a boot-sector virus chances are *very* high that it came from
> a DOS/Windows floppy, so you should be able to use any of the
> DOS/Windows software to remove it. If you have a DOS floppy you are
> running DOS, and can run the DOS software to remove it. :)

Agreed. You can use your DOS tools to remove it -- usually you can use
FDISK /MBR (or the appropriate 'dd' command or sysinstall) to remove most
MBR BSVs, and use DOS' SYS command (or the equivalent) to fix the logical
boot record (there's one MBR per drive, and one LBR per partition).

Note that many DOS emulators (like Merge, and dosemu, and SoftPC/SoftWindows)
can "catch" PC/DOS viruses and infect the emulated MBR/LBR and executable
files on their (partition | virtual volumes | whatever your brand X calls it).
Basically a virus is just a program. Any emulator that's sufficiently
powerful to run a reasonable range of DOS programs is powerful enough to
"catch" a virus.

>
> Good point.
>
> The Moral of the story is:
> "Never post a small description of a problem when you know a complete
> expert in the field is lurking in the wings."

:) I'd hardly consider myself an expert -- but I do play one on the 'net.

Actually the sad news (for some) is that I'm going to be leaving (this
list for now and this company for ....). I'll probably sign back into
this list from another account (once I get my uucp feed working from
rahul).

> Nate
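As an added example (not part of the original post, and not code from FreeBSD or any DOS tool the message names): a small Python script that parses a 512-byte master boot record into the parts the thread talks about (the BIOS-executed boot code, the four partition entries, and the 0x55AA signature) and compares the boot code against a digest recorded on a known-clean system. That is the check an administrator can run on any PC, whatever OS it boots, before deciding whether FDISK /MBR, dd or sysinstall is needed. Both MBR images below are constructed inline for the demonstration; the baseline digest and the "altered" copy are assumptions, and the altered bytes are arbitrary, not real malware.

```python
import hashlib
import struct

# Layout of a classic PC master boot record (the first 512-byte sector of a drive).
MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: the code the BIOS jumps to at power-on
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the boot code
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped),
                              # LBA start, sector count; little-endian
SIGNATURE_OFF = 510           # bytes 510..511 must be 0x55 0xAA for the BIOS to boot it
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % MBR_SIZE)
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": partitions,
        "signature": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2],
    }


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 over the boot code only, so legitimate partition-table edits
    (fdisk, sysinstall) do not change the recorded baseline."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    info = parse_mbr(sector)
    if info["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code differs from the recorded baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) > 1:
        findings.append("more than one partition flagged active")
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has an invalid status byte 0x%02x" % (i, p["status"]))
    return findings


def build_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: the given boot code, one active FreeBSD partition
    (type 0xA5, hypothetical geometry), three empty entries and a valid signature."""
    table = struct.pack(PART_ENTRY_FMT, 0x80, 0xA5, 63, 1_000_000) + b"\x00" * 48
    return boot_code + table + BOOT_SIGNATURE


# Constructed "clean" sector: a short jump followed by NOP padding stands in for real boot code.
BASELINE_MBR = build_mbr(b"\xeb\x3c" + b"\x90" * 444)
BASELINE_DIGEST = boot_code_digest(BASELINE_MBR)   # what an admin records on a clean system

# Constructed copy whose first boot-code bytes were overwritten, as a boot-sector
# infection would do (the replacement bytes are arbitrary zeros, not real malware).
ALTERED_MBR = build_mbr(b"\x00\x00\x00\x00" + b"\x90" * 442)

if __name__ == "__main__":
    print("baseline:", check_mbr(BASELINE_MBR, BASELINE_DIGEST) or "clean")
    print("altered: ", check_mbr(ALTERED_MBR, BASELINE_DIGEST) or "clean")
```

In practice the sector is read into a file once on a system known to be clean (dd with bs=512 count=1 from the raw disk device does this on any Unix), its boot-code digest is recorded off the machine, and the check is re-run against fresh reads; a mismatch in the boot code, with the partition table still intact, is exactly the pattern of a simple BSV and is the cue to rewrite the MBR with the tools the message names.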