A new release of InVircible Anti-Virus Build 569 is available
for download. The new build has real-time integrity checking
(RTIC) for advanced Win 32 platforms (W2K / XP).
Additional features and fixes in the new build are:
- A problem experienced with 565 on XP boxes running
under Active Directory has been resolved.
- A new Interceptor alert dialog panel, with both 'rename'
and 'delete' options.
- Bug fixed in the Ivproof.exe mail-scanning module.
- Real-time integrity monitoring is now active for
W2K / XP and NT platforms. The RTIC feature won't run under
Win 9x/ME. To support the real-time integrity feature, a
new "check integrity" option is added to the Interceptor
options dialog box, as well as to IVCONFIG (under the Interceptor
tab), to allow configuring RTIC in a corporate environment.
- IVADMIN (build 99) was amended to display the
"integrity check failed" message among the "important
messages" default list. The message importance status
can be changed through IVAdmin's 'options' panel (last message
on the options list).
Real Time Integrity Monitoring
General information: Real time integrity monitoring
(RTIM) is a generic technique used to stop a PE virus attack
in its tracks, based on detecting integrity changes
and preventing the compromised programs from running.
RTIM is based on InVircible's offline (on-demand) integrity
monitoring technology, first introduced to antivirus by
NetZ Computing in 1990. Real-time integrity monitoring
is implemented in IV Interceptor, and runs concurrently
with the other techniques implemented in the IV real time
protection module. RTIM is supported only under NT based
operating systems (NT4, W2K, 2003 Server, and XP).
RTIM is especially effective in the containment of new
viruses, where other AV methods fail. As demonstrated many
times, a great deal of the damage caused by a new virus
occurs in the first hours and days after its release in the
wild, until AV producers succeed in producing new virus
definitions for their products. This is especially true for
viruses that propagate through sharing, as these attain
worldwide distribution within hours of release, while
AV updates become available within days, at best. InVircible's
RTIM is the only solution that stops such an outbreak in its
tracks, without requiring any software updates whatsoever.
Operation and use: RTIM uses the integrity database that
exists on every IV protected PC. The integrity database
is automatically created and managed by the daily run of
the Audit & Integrity Expert System (installation default).
When a file is accessed by Windows, IV Interceptor first
checks it to determine whether it is safe to let Windows
continue and open it. If the file type is contained in the
IV secured files list (executables, by default), and the file has
an integrity signature in the IV database, then
the file's current integrity signature is checked against
the last recorded one in the database, to ensure that no
viral changes were made to it.
The InVircible integrity monitoring technique is unique
in its ability to distinguish between legitimate changes,
like the replacement of a file by an upgraded version, etc.,
and changes that were made by a viral process or by a Trojan.
No user action is required to set up and configure
RTIM. The Audit & Integrity expert system takes care
of creating the database for RTIM and manages the integrity
signature files daily through the scheduled run
of the A&I expert system.
Proceed as follows to check that A&I is scheduled properly:
- Click IV on the taskbar, select IV Scheduler,
and press the A&I 'schedule' button.
- Verify that A&I is scheduled to run daily (every day),
at 1:00 PM, with the following settings:
  - The start directory should be 'All local drives'.
  - Tick the 'run unattended' box, if clear.
  - Select 'check only' mode.
- You may change the time of the daily A&I run, if required
(e.g. the computer is off at 13:00, as would be the case
for home computers), or change the scheduling to 'every
12 hours'.
When set properly, the scheduled A&I will keep the
integrity database up-to-date by adding integrity signatures
for newly added programs, and by automatically renewing the signatures
of files that were upgraded or changed by a non-viral process.
The following is an example of the message displayed when
Interceptor detects a file which had its integrity compromised:

If not sure whether the file is infected or not, then 'rename'.
Renaming will render the file inert (it won't execute
even if double clicked) by replacing the last character
of its extension with a tilde (~). Use 'delete' only
if absolutely sure that the file is infected and you prefer
replacing it rather than disinfecting it.
A suspicious, renamed file may be submitted to
filetest@virusdefence.com.au for online inspection and
identification of the virus, if it is already known.
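The access-time check described under "Operation and use" and the 'rename' action that renders a flagged file inert, as an added example written for this page (it is not InVircible's code). It assumes SHA-256 as the integrity signature, a dict keyed by path as the integrity database, a fixed set of executable extensions as the secured-file list, and explicit operator approval as a stand-in for the product's legitimate-change logic, which the page does not describe. Sample files are constructed in a temporary directory.

```python
"""Toy model of the real-time integrity check described above.
Added example, not InVircible code. Assumed (not from the page): SHA-256 as
the signature, a dict keyed by path as the integrity database, a fixed set of
executable extensions as the secured-file list, and explicit operator approval
as the test for a legitimate change. Sample files are constructed on the fly."""
import hashlib
import os
import tempfile

# Assumed secured-file list; the page only says "executables, by default".
SECURED_EXTENSIONS = {".exe", ".dll", ".com", ".scr"}

def signature(path):
    """Integrity signature of a file: SHA-256 of its contents (assumption)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_secured(path):
    return os.path.splitext(path)[1].lower() in SECURED_EXTENSIONS

def audit(root, database, approved=()):
    """Scheduled A&I-style run: add signatures for new secured files, renew
    signatures of changed files the operator approved, flag every other
    change. Returns (added, renewed, flagged) lists of paths."""
    added, renewed, flagged = [], [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not is_secured(path):
                continue
            current = signature(path)
            if path not in database:
                database[path] = current
                added.append(path)
            elif database[path] != current:
                if path in approved:
                    database[path] = current
                    renewed.append(path)
                else:
                    flagged.append(path)
    return added, renewed, flagged

def intercept(path, database):
    """Access-time check: "allow" for non-secured types or a matching signature,
    "unknown" when nothing is recorded yet, "block" when the signature differs."""
    if not is_secured(path):
        return "allow"
    recorded = database.get(path)
    if recorded is None:
        return "unknown"
    return "allow" if signature(path) == recorded else "block"

def inert_name(path):
    """'rename' action: last character of the extension becomes '~'
    (tool.exe -> tool.ex~). No extension: append '~' (assumption)."""
    base, ext = os.path.splitext(path)
    return path + "~" if len(ext) < 2 else base + ext[:-1] + "~"

def render_inert(path):
    new_path = inert_name(path)
    os.rename(path, new_path)
    return new_path

def demo():
    """Baseline, tamper detection, rename, then a legitimate upgrade."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        database = {}
        prog, helper, note = (os.path.join(root, n)
                              for n in ("tool.exe", "helper.dll", "readme.txt"))
        for path, body in ((prog, b"MZ constructed program v1"),
                           (helper, b"MZ constructed library v1"),
                           (note, b"constructed text, not a secured type")):
            with open(path, "wb") as f:
                f.write(body)
        added, _, _ = audit(root, database)           # first scheduled run
        results["baselined"] = len(added)             # tool.exe and helper.dll
        results["clean_access"] = intercept(prog, database)
        results["text_access"] = intercept(note, database)
        with open(prog, "ab") as f:                   # unauthorised modification
            f.write(b"\x90\x90 constructed appended code")
        results["tampered_access"] = intercept(prog, database)
        _, _, flagged = audit(root, database)         # audit flags, does not renew
        results["audit_flagged"] = len(flagged)
        renamed = render_inert(prog)                  # operator chooses 'rename'
        results["renamed_suffix"] = os.path.splitext(renamed)[1]
        results["renamed_access"] = intercept(renamed, database)
        with open(helper, "wb") as f:                 # legitimate upgrade
            f.write(b"MZ constructed library v2")
        results["upgrade_before_audit"] = intercept(helper, database)
        _, renewed, _ = audit(root, database, approved={helper})
        results["renewed"] = len(renewed)
        results["upgrade_after_audit"] = intercept(helper, database)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` walks through the cycle the page describes: the first scheduled audit baselines the secured files, a modified executable is blocked at access time and flagged by the next audit rather than silently re-signed, the renamed copy (tool.ex~) is no longer an executable type, and an upgrade is only re-signed once the operator approves it. The renamed file's stale database entry is left in place, as the audit only walks files that exist.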