Testing Files for Viruses (virscan Command)

AIX Version 4.3 System User's Guide: Operating System and Devices

Testing Files for Viruses (virscan Command)

The virscan command is designed to detect many common computer viruses. It scans executable files, looking for signatures of viruses known when this version of the program was made available. A signature is a bit-pattern that is found in a particular virus. Virus signatures are obtained by performing "reverse engineering" on virus samples. To find virus signatures, the files that are scanned by the virscan program must be in their native executable form (not encrypted and not packed).

Note: The virscan command does not remove viruses, inhibit virus propagation, or recover any damage caused by viruses to programs or data. If you suspect that your computer system may be infected by a computer virus, contact the appropriate help desk, system administrator, or area information coordinator.

The virscan command scans files looking for bit-patterns matching the virus signatures. There may be viruses that currently exist, or that will exist in the future, that this program will not detect. There is no available, guaranteed solution to the computer virus problem. Therefore, it is recommended that data be backed up regularly and that caution is exercised in acquiring and using software.

For example, to scan for viruses in the /usr file system, enter:

virscan /usr

For further information on virscan and to view the online help, enter virscan without any arguments. To display a complete list of the available command-line options, enter:

virscan -h

See the virscan command in the AIX Version 4.3 Commands Reference for the exact syntax.

Signature Files Format

The virscan command uses the virus signatures found in the virsig.lst and the addenda.lst files, if present, to scan for viruses.

In both files, comment lines begin with an asterisk (*). The virscan command does not use these lines in its virus scan. Comment lines are used to give additional, human-readable comments about the information in the signature files.

The body of the file consists of entries that tell the virscan command what to do for each virus. Each entry is made up of three lines:

The first entry should consist of a hexadecimal string that the virscan command looks for to determine if a particular virus is contained in the file. The following recommendations are made for signatures:
- Use at least 24 hexadecimal digits (that is, at least 12 bytes) in any signature that is added to the addenda.lst file, and more whenever possible. Shorter signatures have a larger chance of leading to false reports of viruses.
- Take the signature from a code area of the virus, rather than a data area, to minimize the possibility of false alarms.
- Test new signatures against a number of programs before using them widely to ensure that no common programs give false alarms for the signature.
  To indicate that a specified byte position in the signature string can have any value, use two question mark characters (??) in place of a pair of hexadecimal characters representing a signature byte. This indicates that the specified byte position in the signature string may have any value. Do not count the ?? bytes when following the signature length guidelines. If a signature string has any ?? substrings in it, no scan for variations on the signature is performed, even if the -m flag is used. If a signature string has any ?? strings in it, any FF values in the signature string will be treated as ?? bytes.
The second entry should contain a message that is displayed if the string is found in the specified files. This message indicates that the virus was found. The text of this message can be in either uppercase or lowercase characters.

The third entry should contain one or more strings that indicate what the virscan command should do if the signature is found. These strings are as follows:

EXE	Tells the virscan command that it should display the indicated message if the signature is found in an executable file.
Offset	The next string after Offset (delimited by blanks) must be a numeric string and is used as an integer offset into the object file at which the virus signature is expected to be found. If the signature is found elsewhere, the indicated message will not be displayed.
No mutants	Tells the virscan command to not search for variations on this virus even when the -m flag is used. If a signature is found to be prone to false alarms when the -m flag is used, this string will eliminate the false alarms.

For example, suppose that a new virus, called Purple Virus, is discovered. This virus is found to infect executables, and you determined that the following string appears in every copy of the virus:

EA6061626364786566676869716A6B6C6D6E516FC0C1C8C958D6F1

The following lines could be added to the addenda.lst file to scan for this virus:

*
* Entry for the nonexistent Purple Virus (just an example)
*
EA6061626364786566676869716A6B6C6D6E516FC0C1C8C958D6F1
A file on this disk may have the Purple Virus.
(EXE)

Adding Additional Virus Signatures

To scan for signatures other than those in the virsig.lst file, perform the following:

Create a file named addenda.lst containing the new signatures.
Place the addenda.lst file in the /usr/lib/security/scan directory so the virscan command can find it. If the virscan command can find the addenda.lst file, it loads it with the virsig.lst file.
Use the -v flag option to verify that virscan is loading the addenda.lst file correctly.

The addenda.lst file follows the same format as the virsig.lst file.

Related Information

Commands Overview

Processes Overview

File Systems Overview

Directory Overview

Files Overview

Backup Files and Storage Media