Frisk Software International - Technical note #11


                 Why external self-checking is a bad idea

Every now and then somebody gets the bright idea of adding a small piece of
code to existing programs, which will check for virus infection when the
program is executed.  The idea is that this will detect any virus infection
immediately, and is also effective against unknown viruses.

There are some serious flaws with this approach, however.

    1) This method cannot prevent the program from getting infected in the
       first place, and whenever an infected program that has been protected
       this way is run, the virus code will be activated first.  The virus
       might be able to detect or even remove the self-checking code, but
       it might also make it totally ineffective by using stealth techniques,
       so the self-checking code only "sees" the original, non-infected
       program.

    2) Some programs contain an internal self-check - F-PROT.EXE is an example.
       That internal code might also be unable to detect stealth viruses, but
       unless the external self-check code uses stealth techniques too, the
       result will be a conflict, where the internal check will notice the
       newly added code and determine that the application has been infected.

    3) This method is ineffective against "companion" viruses that don't
       modify the applications they infect.

    4) It may not be possible to protect all programs this way.  It is
       relatively easy to add code of this type to most .COM files, unless
       the original program was slightly less than 64K, and the resulting
       file would break that limit.  EXE files are more of a problem, in
       particular those containing internal overlays, where one cannot append
       the code to the file, as the resulting file might become too big to
       load.  Windows applications are also a problem, as they have two
       different entry points, and special care has to be taken to handle that
       correctly.

On the other hand, adding internal self-checking to programs is a good idea.
Although it has the same limitations regarding stealth viruses, it does not
cause the conflicts described above, and it can be put in any program at
compile-time.  It is also much more difficult for viruses to bypass.
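The following is an added model of the two designs contrasted above (not F-PROT's or Frisk's code): a compile-time internal digest beside an externally appended checker stub, showing the conflict of point 2, the companion-file blind spot of point 3 and the .COM size problem of point 4. File layouts, the stub format and the 64K figure are simplified assumptions for illustration.

```python
import hashlib
import struct
import zlib

# Constructed, simplified model (assumption): a .COM image must fit in one 64K
# segment minus the 256-byte PSP.
COM_MAX_IMAGE = 65536 - 256

def build_internal(body: bytes) -> bytes:
    """Compile-time self-check: the program carries a digest of its own code."""
    return body + hashlib.sha256(body).digest()

def internal_check(image: bytes) -> bool:
    """What the program verifies about itself at start-up."""
    body, stored = image[:-32], image[-32:]
    return hashlib.sha256(body).digest() == stored

def add_external(image: bytes) -> bytes:
    """External approach: a checker stub appended after the program was built."""
    return image + b"EXTCHK" + struct.pack("<I", zlib.crc32(image))

def external_check(image: bytes) -> bool:
    """The appended stub's verification of the bytes in front of it."""
    body, tag, stored = image[:-10], image[-10:-4], image[-4:]
    return tag == b"EXTCHK" and zlib.crc32(body) == struct.unpack("<I", stored)[0]

def fits_com_limit(image: bytes) -> bool:
    return len(image) <= COM_MAX_IMAGE

def demo():
    prog = build_internal(b"\x90" * 1000)            # constructed program body
    wrapped = add_external(prog)
    # Point 2: the appended stub is exactly what the internal check flags.
    conflict = internal_check(prog) and not internal_check(wrapped)
    # Point 3: a companion file leaves PROG.EXE untouched, so the external
    # check passes, yet DOS runs PROG.COM first (constructed directory).
    directory = {"PROG.EXE": wrapped, "PROG.COM": b"companion"}
    runs_first = "PROG.COM" if "PROG.COM" in directory else "PROG.EXE"
    companion_missed = external_check(directory["PROG.EXE"]) and runs_first != "PROG.EXE"
    # Point 4: a .COM just under the limit no longer fits once the stub is added.
    big = b"\x90" * (COM_MAX_IMAGE - 5)
    too_big = fits_com_limit(big) and not fits_com_limit(add_external(big))
    return conflict, companion_missed, too_big
```

Each element of the returned triple is True, one per flaw the note lists; the internal digest alone would have rejected the stub without any virus being present.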
