funsec mailing list archives

RE: Vulnerability-based IPS Patent


From: Drsolly <drsollyp () drsolly com>
Date: Thu, 30 Mar 2006 13:17:56 +0100 (BST)

There's an interesting question on what is meant by "written to disk". 
There are three stages: file opened for writing, bytes written, file closed. 
You could argue that until the file is closed, the file isn't written to 
disk (if you look at the directory entry of a file that's interrupted at 
that point, you have a zero-byte file).

Virus Guard scanned the file before it was written to disk, as I 
recollect. But before going on oath on that, I'd want to do some research 
to check my memory.

On Wed, 29 Mar 2006, Richard M. Smith wrote:

So did these TSR scanners look at files after they were stored on disk or
while the files were coming through DOS before being stored on disk?  The
latter approach is required to be prior art for the patent.

Richard 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Nick FitzGerald
Sent: Wednesday, March 29, 2006 8:06 PM
To: funsec () linuxbox org
Subject: RE: [funsec] Vulnerability-based IPS Patent

Richard M. Smith wrote:

Be interested to hear what you can dig up.  Virus Guard would have had 
to ship before Sept. 29, 1991 to be considered prior art.  Had it 
shipped between 9/29/1991 and 9/29/1992 things are more murky.  In 
addition, its functionality would have to match up with all the patent
claims.

Further to Alan's and Roger's recollections that they shipped TSR scanners
prior to the prior-art cut-off for this patent, I submit the following text
verbatim from the Virus-L (don't ask) archives:

------------------------------

Date:    Tue, 30 Jan 90 08:36:04 -0600
From:    James Ford <JFORD1@UA1VM.BITNET>
Subject: New files to MIBSRV. (PC)

These files have been placed on MIBSRV.MIB.ENG.UA.EDU (130.160.20.80) for
anonymous FTP.  They are:

SCANV57.ZIP   -   ViruScan 2.7V57 (update)
SCANRS57.ZIP  -   TSR version of ViruScan (update)
NETSCN57.ZIP  -   Network Version of ViruScan (update)
CLEANP57.ZIP  -   Clean-Up Virus Remover (update)

NETFIX10.ZIP  -   Equivalent to NETSCAN & CLEAN-UP (*new*)

All files were downloaded directly from Homebase BBS on 1/29/90
- ----------
    James Ford - JFORD1@UA1VM.BITNET, JFORD () MIBSRV MIB ENG UA EDU

------------------------------

I don't know _when_ McAfee shipped the first TSR version of their scanner
(though someone there should be able to tell you and a "near enough"
reference might be found in very old back issues of Virus Bulletin), but by
30 Jan 1990 they were shipping _updates_ for it, so the first ever version
presumably shipped somewhat before that date.

You can check the above reference (and search for more, back or forward in
the archive) at:

http://www.phreak.org/archives/The_Collection/newsletr/virus/virus_l/1990/vlnl03.026


I'd be surprised if there were not earlier references to TSR scanners, BUT
note that a lot of talk about TSR AV at that time was about _behaviour
blockers_ (Ross Greenburg's (sp?) FluShot[+], disk boot record integrity
checkers, etc) and NOT scanners.


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
