VIRUS-L Digest            Wednesday, 22 Feb 1989        Volume 2 : Issue 54

Today's Topics:
Macintosh Viruses
Dealing with nVIR on a large scale (Mac)
Disk Washing -- or -- Sanitation in our Public Microlab (Mac)
Public Mac facilities at Cornell
Re: Interferon vs. AppleShare (Mac)

---------------------------------------------------------------------------

Date: Wed, 22 Feb 89 13:18 EST
From: EROSKOS@pisces.rutgers.edu
Subject: Macintosh Viruses

Hello,

My name is Ed and I work for Rutgers University (NJ). We have been hit
with a few different Mac viruses in the past and have become
unfortunately well acquainted with them. In fact, a very significant
number of students who own disks still have viruses on them.

One virus we have come across is nVIR. A few different "strains" have
actually appeared. The best known remedy for this virus that I have
found is ANTI-PAN. There are also remedies for the Scores virus (which
we were also hit with). But is there a remedy for the ANTI virus? We
haven't been hit with it, but it might be safer to be prepared.

Thanks.

Ed, IN%"EROSKOS@ZODIAC.BITNET"

------------------------------

Date: Wed, 22 Feb 89 13:48 EST
From: "Christopher Tate"
Subject: Dealing with nVIR on a large scale (Mac)

Here at Penn State there are some general guidelines we use to avoid
massive infestations of viruses. These rules were adopted after a
major epidemic of both nVIR and Scores last semester.

First, all of the software available for student use is kept on remote
servers (AppleShare), which the individual machines (Mac SE's) link to
via AppleTalk. The servers are READ-ONLY, to prevent the applications
from becoming infected through the network.

Second, the lab operators check each network startup disk for viruses
when it is returned (this is done with Virus Detective). If a disk is
infected, it is recopied from a permanently locked master disk. This
recopying is done with Copy II Mac, and is a complete rewrite of the
disk.
This may not be totally necessary, but is a fairly fast and absolutely
secure method of restoring a damaged startup disk.

Note that no attempt is made to "repair" damaged startup disks. It is
much easier and faster to simply recopy them.

If, however, a user turns in an infected startup disk, then the
operator can offer to check the user's own disks for viruses. Often
the user's disks are also infected. In this case, the operator (or one
of the operator's friends who is familiar with the correct procedures)
can use programs such as KillScores, Ferret, Vaccination, etc. to
"disinfect" the user's disks.

This procedure works fairly well, but once a virus appears on campus
it will probably remain a lingering problem. The only way to keep the
incidence of infection down is to be diligent in checking the
public-use disks EVERY TIME THEY ARE USED. If two operators working
two consecutive shifts here neglect to check for viruses, the
percentage of network startup disks that are infected more than
doubles.

- -------
Christopher Tate                      | Mercy (noun):
Internet: cxt105@psuvm.psu.edu        |   The infrequent art of turning
Bitnet: cxt105@psuvm                  |   thumbs-up on your opponent at
Uucp: ...!psuvax1!psuvm.bitnet!cxt105 |   the end of your rapier.

------------------------------

Date: Wed, 22 Feb 89 12:06:46 PLT
From: Joshua Yeidel
Subject: Disk Washing -- or -- Sanitation in our Public Microlab (Mac)

We have a Microcomputer Lab which is used for "open-access" when it is
not reserved for classes. Last November we discovered that it was a
sink of infection for the Scores virus. The situation was particularly
serious because we were recommending that everyone use our "MicroLab
Laser Startup" disks so that everyone on the AppleTalk network had the
same LaserWriter driver (avoiding many restarts of the LW). People
routinely used their applications with our systems, so infection could
readily spread from their app disk to our system disk, then from our
system to the next user's app disk, and so on.
As a result, we have now adopted what I call "disk washing" as a
policy and procedure. We have clean backups for each disk which we
hand out to users. When we get the disk back from the user, we "wash"
it by doing a sector copy from the backup. No disk is recirculated
until it has been washed. (Same rule as in a restaurant, *mutatis
mutandis*). (In practice, we have a "dirty disks" box in which disks
pile up until a slack time, when the monitor goes through and recopies
from backups).

So far, we have not seen any re-infection (we check regularly). I am
not qualified to say that there could NEVER be a virus which could
defeat this disk-washing approach, but no Mac virus yet described in
the literature (VIRUS-L) can do it.

I don't know how this would apply to AppleShare volumes. I also don't
know how one would manage hard-disk equipped public micros. I am
recommending that, when we outgrow diskettes, we use removable hard
disks (Syquest), "big" floppies (Jasmine), or some other technology
which will permit "washing" between uses.

------------------------------

Date: Wed, 22 Feb 89 15:18 EST
From: "Mark H. Anbinder"
Subject: Public Mac facilities at Cornell

The public Macintosh facilities at Cornell have antivirus procedures
that seem to be working fine here.

Each of the several facilities has one Mac set aside for users to
check their disks for viruses. These Macs are equipped with a
software-locked hard disk on which resides Vaccine, Interferon, and
various other programs for finding and removing viruses. Many of the
users are using these machines to check their disks... some don't take
the time, but that's to be expected.

Also, since our public facilities have copies of various software
products on disk to lend out, these disks must be handled very
carefully. The policy that was implemented a couple of months ago is
that ALL of these disks, when they are returned to the facility's
operator, are initialized, and restored from locked originals.
This entirely eliminates the possibility that users are infecting the
public disks (but it assumes, of course, that the originals are not
infected... this is, obviously, very important!).

All of the facilities have signs up that tell users to turn off the
machines when they're done. The signs also say that, if a machine is
found still on, it should be turned off and back on before it's used.

These measures seem to have done a good job of slowing the spread of
viruses at Cornell, which HAS been hit by several viruses. I'd be
interested to hear some descriptions of the measures being taken at
public facilities at the institutions of our other subscribers.

Mark H. Anbinder
Dept. of Media Services
Cornell University

------------------------------

Date: Wed, 22 Feb 1989 11:00 -
From: Peter W. Day
Subject: Re: Interferon vs. AppleShare (Mac)

Re Eric Davies' statement that Interferon 3.0 chokes on AppleShare
volumes, I wonder if it only has problems when running against the
volume from an AppleShare client. If the AppleShare server is a Mac,
he should be able to take down the server and run it on the server
directly as a standalone micro.

------------------------------

End of VIRUS-L Digest
*********************
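
The posts in this digest describe one common procedure: never repair a returned disk, rewrite it completely from a locked master, and depend on the master itself being clean. The sketch below applies that procedure to disk image files. It is an added illustration, not part of any post, and the 512-byte sector size, the file names and the recorded SHA-256 digest of the master are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

SECTOR = 512  # assumed sector size for the constructed images


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def changed_sectors(master: bytes, returned: bytes) -> list:
    """Sector numbers at which the returned disk differs from the master."""
    length = max(len(master), len(returned))
    return [off // SECTOR for off in range(0, length, SECTOR)
            if master[off:off + SECTOR] != returned[off:off + SECTOR]]


def wash(master_path, returned_path, recorded_digest):
    """Rewrite the returned image from the master; return modified sectors."""
    master = Path(master_path).read_bytes()
    # The whole scheme assumes a clean original, so check it before copying.
    if digest(master) != recorded_digest:
        raise ValueError("master differs from its recorded digest")
    # Note what had changed (useful for tracking how often disks come back
    # altered), then rewrite everything regardless: no repair is attempted.
    modified = changed_sectors(master, Path(returned_path).read_bytes())
    Path(returned_path).write_bytes(master)
    # Read back and verify before the disk goes out again.
    if digest(Path(returned_path).read_bytes()) != recorded_digest:
        raise RuntimeError("washed disk does not verify; do not recirculate")
    return modified


def demo():
    """Constructed 4-sector images; the returned disk has sector 2 altered."""
    with tempfile.TemporaryDirectory() as d:
        master = bytes(range(256)) * 8            # 2048 bytes = 4 sectors
        returned = bytearray(master)
        returned[2 * SECTOR + 10] ^= 0xFF         # stand-in for any change
        m, r = Path(d, "master.img"), Path(d, "returned.img")
        m.write_bytes(master)
        r.write_bytes(bytes(returned))
        modified = wash(m, r, digest(master))
        return modified, r.read_bytes() == master


if __name__ == "__main__":
    print(demo())
```
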