D1) What is the best protection policy for my computer?

There is no "best" anti-virus policy. In particular, there is no program that can magically protect you against all viruses. But you can design an anti-virus protection strategy based on multiple layers of defense. There are three main kinds of anti-viral software, plus several other means of protection (such as hardware write-protect methods).

1) GENERIC MONITORING programs. These try to prevent viral activity before it happens, such as attempts to write to another executable, reformat the disk, etc. Examples: SECURE and FluShot+ (PC), and GateKeeper (Macintosh).

2) SCANNERS. Most look for known virus strings (byte sequences which occur in known viruses, but hopefully not in legitimate software) or patterns, but a few use heuristic techniques to recognize viral code. A scanner may be designed to examine specified disks or files on demand, or it may be resident, examining each program which is about to be executed. Most scanners also include virus removers. Examples: FindViru in Dr Solomon's Anti-Virus Toolkit, FRISK's F-Prot, McAfee's VIRUSCAN (all PC), Disinfectant (Macintosh). Resident scanners: McAfee's V-Shield, and VIRSTOP. Heuristic scanners: the Analyse module in FRISK's F-Prot package, and SCANBOOT.

3) INTEGRITY CHECKERS or MODIFICATION DETECTORS. These compute a small "checksum" or "hash value" (usually a CRC or a cryptographic hash) for files when they are presumably uninfected, and later compare newly calculated values with the original ones to see if the files have been modified. This catches unknown viruses as well as known ones and thus provides *generic* detection. Note that a plain CRC can be forged by a virus that knows which algorithm is in use (it can pad the infected file so the checksum comes out unchanged), so a cryptographic hash is preferable, and the stored checksums themselves must be kept where a virus cannot rewrite them. On the other hand, modifications can also be due to reasons other than viruses (a legitimate upgrade, for example). Usually it is up to the user to decide which modifications are intentional and which might be due to viruses, although a few products give the user help in making this decision.
As in the case of scanners, integrity checkers may be called to checksum entire disks or specified files on demand, or they may be resident, checking each program which is about to be executed (the latter is sometimes called an INTEGRITY SHELL). A third implementation is as a SELF-TEST, i.e. the checksumming code is attached to each executable file so that it checks itself just before execution. Examples: Fred Cohen's ASP Integrity Toolkit (commercial), and Integrity Master and VDS (shareware), all for the PC.

3a) A few modification detectors come with GENERIC DISINFECTION, i.e. sufficient information is saved for each file that it can be restored to its original state in the case of the great majority of viral infections, even if the virus is unknown. Examples: V-Analyst 3 (BRM Technologies, Israel), marketed in the US as Untouchable (by Fifth Generation), and the VGUARD module of V-care.

Of course, only a few examples of each type have been given. All of them can find their place in the protection against computer viruses, but you should appreciate the limitations of each method, along with system-supplied security measures that may or may not be helpful in defeating viruses. Ideally, you would arrange a combination of methods that cover the loopholes between them.

A typical PC installation might include a protection system on the hard disk's MBR to protect against viruses at load time (ideally this would be hardware or in BIOS, but software methods such as DiskSecure and PanSoft's Immunise are pretty good). This would be followed by resident virus detectors loaded as part of the machine's startup (CONFIG.SYS or AUTOEXEC.BAT), such as FluShot+ and/or VirStop together with ScanBoot. A scanner such as F-Prot or McAfee's SCAN could be put into AUTOEXEC.BAT to look for viruses as you start up, but this may be a problem if you have a large disk to check (or don't reboot often enough). Most importantly, new files should be scanned as they arrive on the system.
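The integrity checker of item 3 and the generic disinfection of item 3a are simple enough to show in a few dozen lines. The following is an added example written for this FAQ section, not code from any of the products named above, and it uses present-day Python rather than the DOS-era tools. It records, for every file under a directory, a SHA-256 hash, the original size and the first 64 bytes; on verification it reports modified, added and removed files and leaves the decision to the user, as the text says. The restore step is a deliberately simplified illustration of what a generic disinfector saves (the 64-byte header and original length are this example's assumptions, not a description of how Untouchable or VGUARD actually work): it undoes an infector that appends its body and patches the program's entry point, and refuses to touch a file whose hash does not match after the attempted repair. The file names and the "virus" bytes in demo() are constructed for the demonstration.

```python
"""Minimal integrity checker with a simplified generic restore (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

HEADER_BYTES = 64  # assumption: how much of each file's start is kept for restore


def _fingerprint(path):
    """Hash, length and leading bytes of one file."""
    data = Path(path).read_bytes()
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # cryptographic, not a forgeable CRC
        "size": len(data),
        "header": data[:HEADER_BYTES].hex(),
    }


def build_baseline(root, baseline_file):
    """Record a fingerprint for every regular file under root, while presumably clean."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[str(p.relative_to(root))] = _fingerprint(p)
    Path(baseline_file).write_text(json.dumps(baseline, indent=1))
    return baseline


def verify(root, baseline_file):
    """Compare the tree with the baseline; the user decides what each change means."""
    root = Path(root)
    baseline = json.loads(Path(baseline_file).read_text())
    current = {str(p.relative_to(root)): p for p in root.rglob("*") if p.is_file()}
    report = {"modified": [], "added": [], "removed": []}
    for rel, saved in baseline.items():
        p = current.pop(rel, None)  # whatever is left afterwards is new
        if p is None:
            report["removed"].append(rel)
        elif _fingerprint(p)["sha256"] != saved["sha256"]:
            report["modified"].append(rel)
    report["added"] = list(current)
    for key in report:
        report[key].sort()
    return report


def restore(root, baseline_file, rel):
    """Simplified generic disinfection: cut the file back to its recorded size and
    put the recorded header back, then prove it worked by re-hashing.  Returns False
    and leaves the file alone if the infection changed more than was recorded."""
    saved = json.loads(Path(baseline_file).read_text())[rel]
    p = Path(root) / rel
    data = bytearray(p.read_bytes()[: saved["size"]])
    header = bytes.fromhex(saved["header"])
    data[: len(header)] = header
    if hashlib.sha256(data).hexdigest() != saved["sha256"]:
        return False
    p.write_bytes(bytes(data))
    return True


def demo():
    """Constructed scenario: two programs, an appending infector that patches the
    entry jump of one of them, and one new file; returns the verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        root.mkdir()
        (root / "EDIT.COM").write_bytes(b"\xe9\x10\x00" + b"A" * 200)  # constructed
        (root / "TOOL.COM").write_bytes(b"\xb8\x00\x4c" + b"B" * 120)  # constructed
        base = Path(tmp) / "baseline.json"
        build_baseline(root, base)
        clean = verify(root, base)
        victim = root / "EDIT.COM"
        original = victim.read_bytes()
        # simulated appender: new jump to its own body, body tacked on at the end
        victim.write_bytes(b"\xe9\xc8\x00" + original[3:] + b"VIRUS" * 20)
        (root / "NEW.EXE").write_bytes(b"MZ" + b"\x00" * 50)  # file that just arrived
        after = verify(root, base)
        restored = restore(root, base, "EDIT.COM")
        final = verify(root, base)
        return {"clean": clean, "after": after, "restored": restored,
                "final": final, "bytes_match": victim.read_bytes() == original}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report still shows NEW.EXE as "added" after the restore; that is the correct outcome, since the checker cannot know whether a new file is wanted, which is why the text stresses scanning new files as they arrive. The baseline file is the weak point of this scheme: like the MBR guard and write-protected utilities discussed below, it belongs on media the machine cannot write to during normal operation, otherwise a virus that understands the checker can simply update the stored values.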
If your system has DR DOS installed, you should use the PASSWORD command to write-protect all system executables and utilities. If you have Stacker or SuperStore, you can get some improved security from these compressed drives, but also a risk that those viruses which write directly to the disk, bypassing DOS, could do much more damage than normal; using a software write-protect system (such as provided with Disk Manager or Norton Utilities) may help, but the best solution (if possible) is to put all executables on a disk of their own, protected by a hardware read-only system that sounds an alarm if a write is attempted.

If you do use a resident BSI (boot-sector infector) detector or a scan-while-you-copy detector, it is important to trace back any infected diskette to its source; the reason viruses survive so well is that usually you cannot do this, because with most people's lax scanning policies the infection is found long after the infecting diskette has been forgotten. Organizations should devise and implement a careful policy, which may include a system of vetting new software brought into the building and free virus detectors for the home machines of employees/students/etc. who take work home with them.

Other anti-viral techniques include:

(a) Creation of a special MBR to make the hard disk inaccessible when booting from a diskette (useful since booting from a diskette will normally bypass the protection in the CONFIG.SYS and AUTOEXEC.BAT files of the hard disk). Example: GUARD.

(b) Use of Artificial Intelligence to learn about new viruses and extract scan patterns for them. Examples: V-Care (CSA Interprint, Israel; distributed in the U.S. by Sela Consultants Corp.), Victor Charlie (Bangkok Security Associates, Thailand; distributed in the US by Computer Security Associates).

(c) Encryption of files (with decryption before execution).