This is where the ingenuity of the BRM patent lies (the one that was at the core
of Untouchable).
Saving 8 kb per file is dumb and shows total misunderstanding of executable
files structure and how they work. The point Raid tried to make was that he
could restore from his own overwriting "virus", which was one of a kind and a
dead end. Overwriters had no real presence in the wild, and shouldn't be
considered as virus at all since they do not preserve the host's functionality.
The purpose of the integrity signature is not necessarily to restore infected
files, but mostly to provide a means to discriminate between viral changes and
benign ones (like the replacement of a program with a newer version, for
example). The selection of 66 bytes per file in IV's design was driven by the
above consideration, and not from recovery ones.
It's worth to mention here that the original method is still used in IV for the
detection of viral changes in PE objects, which is at the base of IV's
Interceptor real-time integrity monitoring - see
www.invircible.com/news/item/81.
The method was plagiarized by Eyal Dotan from my early V-Guard product,
pretending that he invented it (he was an eleven years old kid when his father's
company, Tegam, started selling our product in France). Even the product's name
was stolen from ours. See
www.invircible.com/download/tegam/
There are more infection schemes that the above method cannot recover.
Personally, I think that generic recovery of infected PE isn't worth the effort,
only detection.
Oversimplified and plain incorrect. FWIW, even 16 bit infectors aren't pure
prependers nor appenders. A simple example are COM infectors derived from
'Jerusalem' (there are well over a hundred strains, of which almost all became
common and were in the wild at one time or another) do both prepend and append.
The program does not store the entire contents of the file; unless
said file is under 8k; then I think? it's all stored in the .tav file.
Raid mentioned in the documentation that cavity infectors? Would not
be removable with ToadAV due to the infection method they use. Is this
what you mean with headers?
Raid demonstrated remarkable ignorance when making his claims. Cavity infectors
are all about the EXE header and are disinfected by header oriented recovery
methods (like in IV, and also implemented in NAV, Thunderbyte, and eSafe). Raid
proved to have no clue on the subject which is why he needed eight kbytes of
"database" per file.
ToadAV (paraphrasing from poor
documentation) was designed to remove some overwriters, prependers and
appender based viruses only. The documentation stated this restoration
would work with those class of viruses on almost any executable
format; As long as you weren't dealing with something larger then 8k.
ToadAV had no potential to evolve into a useful utility for the simple reason
that it used brute force where brain is required. The huge eight kbyte database
per secured file is useless and was less potent than the 36 significant bytes
per file used in IV (that's correct, of the 66 bytes per file, only 36 are
significant to restore an EXE object from infection, the rest are overhead like
the filename and spare.
A simple example will clarify how senseless Raid's choices were: MPLAYER.EXE is
a simple PE file of 156 kbytes in size. Its code entry point is at offset
92,000, roughly, with PE sections scattered from the end of the 16 bit stub to
the code section entry point. How do you cater for changes in several sections
with just 8 kbytes, and senselessly selected?
I merely pointed ToadAV as an option for some limited usage, when Zvi
Netiv? suggested nothing existed for PE based executables; Which
caused him to mislead? or attempt to do so, imho readers of this
forum.
ToadAV had no potential to handle genuinely infected PE files. PE infectors
apply complex transformations by modifying sections and sometimes rearranging
them. Which is why the detection of viral changes in a PE object requires a
different algorithm from the one required to process 16 bit objects, not to
mention to restore them. ToadAV had nothing of the sort nor the potential to
evolve into.
While I admit I'm not a programmer, I'm not blind either.
I've seen ToadAV in action when I mangled some of my windows executables;
What I saw happen and what Zvi claims are not one in the same.
If testing generic recovery was as simple as "mangling", then the NCSA wouldn't
ask for a sum with four zeros to develop a test protocol required to certify
generic AV products like ours, when I asked them to in the mid nineties.
What you saw happen is trivial and one must be quite some ignorant to accept
primitive mangling as a valid test of generic recovery.
My apologies for making this thread longer over abandoned software then
it needed to be. I'm sure I'm not the first to respond to mr Netiv's
bogus claims.
Before yelling foul, please learn the correct use of "then" and "than".
Regards, Zvi
Maybe because unlike yourself, I do not insist