Low Cost PCB's Low Cost Components

Author Topic: When did modern anti-virus software stop detecting DOS and Windows 9x viruses?  (Read 1246 times)

0 Members and 1 Guest are viewing this topic.

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 2061
  • Country: au
I just tested out ESET NOD32 antivirus on a folder full of old DOS viruses, basically to see if it would still detect very old signatures. Turns out, it doesn't and ESET is not alone. Most of the big-name programs don't include the old stuff in their definitions databases.

I not only rely on my modern virus scanner to protect from new threats, but old ones as well since I run a file server with a bunch of old DOS and 16-bit Windows applications stored on them. Most are from reputable sources (i.e.: I've created the images of disks or CDs myself from original media), others purport to be original images but are downloaded from the internet, so you never really know.

What's the solution here to be absolutely safe? Run a separate NAS with an old enough operating system to run the old virus scanners? For those of you who might remember back to the 1980's and 1990's, there were some viruses could do actual physical damage to old machines or at the very least, render BIOS chips unusable. There were even those which would cause CRT monitors to over-scan or stress components to the point of failure (I don't recall the exact machine(s)/virus code right at the moment).
 

Offline IanMacdonald

  • Regular Contributor
  • *
  • Posts: 211
  • Country: gb
Dunno, but it might be worth sending a few to http://virustotal.com and see what is reported.
 
The following users thanked this post: wraper, rs20

Offline WastelandTek

  • Frequent Contributor
  • **
  • Posts: 283
  • Country: 00
this is the kind of thing that really keeps one up at night

at least I don't have any bitcoin to worry about
I'm new here, but I tend to be pretty gregarious, so if I'm out of my lane please call me out.
 

Offline Ian.M

  • Super Contributor
  • ***
  • Posts: 5179
I *guess* that most AV companies probably started dropping support for DOS virus detection after the Win95 EOL (end 2001) as the number of systems that could dual-boot into DOS and Windows on the same disk volume became vanishingly small.   Dropping DOS and early Win9x signatures probably sped up after WinME EOL (mid 2006).

Maybe take a look at https://en.wikipedia.org/wiki/Clam_AntiVirus
The engine is FOSS and it already supports detection against custom signatures and server side scanning using them.  If they don't have DOS signatures, you should be able to build  a set from your virus archive.
 

Offline Rbastler

  • Regular Contributor
  • *
  • Posts: 200
  • Country: at
    • Rbastlers Blog
You say most anti virus Programms from big name companies dont detect them.
Which anti virus does then detect them ?

Sent from my A0001 using Tapatalk


http://rbastlerblog.jimdo.com/
-1kV PMT supply: Check
 

Offline Kryoclasm

  • Regular Contributor
  • *
  • Posts: 174
  • Country: us
  • KL3DL
When 16bit applications were no longer supported.
“I predict that very shortly the old-fashioned incandescent lamp, having a filament heated to brightness by the passage of electric current through it, will entirely disappear.” -Nikola Tesla
 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 2061
  • Country: au
You say most anti virus Programms from big name companies dont detect them.
Which anti virus does then detect them ?

*shrug* I'm guessing older (unsupported) programs? VSafe, Old Mcafee versions?

I do note though that Trend detects the old Junkie virus but only since 2000. I remember once we got that particular virus off a floppy disk back in the mid-1990's.
 

Offline Jeroen3

  • Super Contributor
  • ***
  • Posts: 2368
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
Why do you need to detect virusses you cannot execute?
 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 2061
  • Country: au
Why do you need to detect virusses you cannot execute?

I can, on old machines I own which connect to the same file server through a firewall.
 

Offline Jeroen3

  • Super Contributor
  • ***
  • Posts: 2368
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
Yes, but on that machine you have a different version of antivirus, right?
 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 2061
  • Country: au
Yes, but on that machine you have a different version of antivirus, right?

Yes I can, but that should only be considered a "last resort" detection mechanism considering how outdated it is. All files should be deemed safe and infection free the moment they hit my network.

I have run a few tests since which ESET has passed.
 

Offline Jeroen3

  • Super Contributor
  • ***
  • Posts: 2368
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
You still have the Windows 9x machine networked?
 

Offline Mr. Scram

  • Frequent Contributor
  • **
  • Posts: 411
  • Country: 00
I can, on old machines I own which connect to the same file server through a firewall.
The problem does not seem to be the lack of support, but the choice of having very old and unsupported OSs in your network. If you insist on having those, you will need to be very concious about the risk they pose and mitigate those appropriately. Regardless, the old systems will always be a weak spot and a possible point of entry.
 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 2061
  • Country: au
You still have the Windows 9x machine networked?

Not just Windows 9x but Windows 3.11 and MS-DOS machines. They are networked but in their own DMZ and only have very limited access to the internet (pretty much HTTP, HTTPS and FTP only). Internally, they only have limited access to the file server, but no other devices on the "trusted" LAN.
 

Offline Ian.M

  • Super Contributor
  • ***
  • Posts: 5179
Ah, the joys of MS-NET 3.0 Server running on a 386 under DOS 3.31.  40MB ST506 HDD, approx 7MB for the OS and utilities and a wopping great 32MB FAT16, 8.3 naming, data partition!  Then you need NETBEUI protocol on all PCs that access it, and that was discontinued after Windows XP.   OTOH it cant even see the internet because it doesn't have TCP/IP so the risks of having it on the same LAN as more modern systems is minimal.
 

Offline stj

  • Super Contributor
  • ***
  • Posts: 1162
  • Country: gb
windows XP runs DOS programs.

safe solution is to not run windows.
 

Offline Mr. Scram

  • Frequent Contributor
  • **
  • Posts: 411
  • Country: 00
windows XP runs DOS programs.

safe solution is to not run windows.
The only safe solution is not to run anything. The rare exceptions possibly being fully formally verified software, even though there are a few caveats there too.
« Last Edit: September 12, 2017, 06:08:58 AM by Mr. Scram »
 

Offline Cyberdragon

  • Frequent Contributor
  • **
  • Posts: 622
  • Country: us
Ask Dancoot1 on YouTube for a list of old viruses. Note, people still make viruses for old machines just for fun, and probably don't care if they accidentally release one into the wild of the internet because they think there are no host machines left to infect. That is, untill they seep through the internet and find your system as lunch!
*BZZZZZZAAAAAP*
Voltamort strikes again!
Explodingus - someone who frequently causes accidental explosions
 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 2061
  • Country: au
Ask Dancoot1 on YouTube for a list of old viruses. Note, people still make viruses for old machines just for fun, and probably don't care if they accidentally release one into the wild of the internet because they think there are no host machines left to infect. That is, untill they seep through the internet and find your system as lunch!

That's the great thing about old systems, even if "connected to the internet" there is enough air gap in between the legacy gear and the modern stuff that it had no effect unless you deliberately introduce it to the system.
 

Offline Mr. Scram

  • Frequent Contributor
  • **
  • Posts: 411
  • Country: 00
That's the great thing about old systems, even if "connected to the internet" there is enough air gap in between the legacy gear and the modern stuff that it had no effect unless you deliberately introduce it to the system.
An air gap and internet connection are mutually exclusive. Are you sure that's what you meant?
 

Online hendorog

  • Frequent Contributor
  • **
  • Posts: 791
  • Country: nz
Ask Dancoot1 on YouTube for a list of old viruses. Note, people still make viruses for old machines just for fun, and probably don't care if they accidentally release one into the wild of the internet because they think there are no host machines left to infect. That is, untill they seep through the internet and find your system as lunch!

That's the great thing about old systems, even if "connected to the internet" there is enough air gap in between the legacy gear and the modern stuff that it had no effect unless you deliberately introduce it to the system.


Haha interesting point. So as OS's age they actually become safer (defined as less likely to be infected) - as they lose compatibility with modern malware.

 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 2061
  • Country: au
That's the great thing about old systems, even if "connected to the internet" there is enough air gap in between the legacy gear and the modern stuff that it had no effect unless you deliberately introduce it to the system.
An air gap and internet connection are mutually exclusive. Are you sure that's what you meant?

"Air gap" can mean a number of different things. In what I was describing, while there is a physical connection, there are no protocols to support connectivity. As opposed to a physical break at the physical layer, you have one at the network layer.

Another example of "air gap", is the conversion from a traditional copper conductor to optic fibre. You don't break connectivity but you break the electrical connection to eliminate things like surges or where network connectivity is required in locations such as Faraday rooms where traditional cables can act as pathway for unwanted RF.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf