- Quarantine technology
In December 1988, shortly after the Morris Worm, Jay Nickson started work on "Quarantine", an anti-malware and file reliability product. Released in April 1989, "Quarantine" was the first such product to use file signature (integrity checking of known files) rather than viral signature (pattern matching) methods.

The original "Quarantine" used Hunt's B-tree database of files with both their CRC16 and CRC-CCITT signatures. Doubling the signatures rendered useless, or at least immoderately difficult, attacks based on CRC-invariant modifications (changes crafted so that the file's CRC comes out unchanged: a single 16-bit CRC can be restored by adjusting two bytes, but restoring two different CRCs at once is much harder). Release 2, April 1990, used a CRC-32 signature and one based on CRC-32 but with a few bits in each word shuffled. The subsequent MS-AV from Microsoft, 'designed' by Central Point Software, apparently relied on only an eight-bit checksum; at least, out of a few thousand files there were hundreds with identical signatures.

"Quarantine"
* allowed suspect files to be
** Deleted
** Moved to a quarantine area
** Flagged in a report
* Standard executables were scanned, or one could use up to twenty file-matching patterns
* Twenty exclusion patterns were also available
* Twenty directory paths could be included, or twenty excluded

In 1990 "Quarantine" received LAN Magazine's Best of Year award for security. In that year "Quarantine" was reportedly responsible for finding the first stealth virus at the University of Toronto, when all pattern-matching virus detectors had failed.

The 1990 version also allowed
* Background processing
* Checking of executables and libraries as a file is opened
** Timing of checks, e.g. if one opened a Word file, WORD and all its libraries could be checked:
*** immediately
*** every half an hour
*** once a day, every ten days, etc.

"Quarantine" allowed system managers to track all modifications of selected files or file structures; hence "Quarantine" users also got early warnings of failing disks or disk interface cards, since media corruption changes a file's signature just as a virus does.
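The dual-signature scheme described above, worked through in code. This is an added example, not code from "Quarantine" or OnDisk: it assumes the two signatures are CRC-16/ARC (polynomial 0x8005) and CRC-16/CCITT-FALSE (polynomial 0x1021), since the page only says "CRC16 and CRC-CCITT"; it keeps the baseline in a plain dict rather than a B-tree; and the "files" are constructed byte strings, not real executables. It shows the baseline-and-check loop, a CRC-invariant modification that restores one CRC by rewriting two bytes (and is then caught by the other CRC), a flipped bit standing in for a failing disk, and why an eight-bit checksum collides across a few thousand files while the CRC pair does not.

```python
"""Dual-CRC file signatures in the style of the 1989 "Quarantine" design.
Added example; CRC variants, dict baseline and sample files are assumptions."""
import random


def crc16_arc(data: bytes, crc: int = 0) -> int:
    """CRC-16/ARC: poly 0x8005 (0xA001 reflected), init 0, no final XOR.
    `crc` lets a caller continue from an earlier register state."""
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def crc16_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no final XOR."""
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def checksum8(data: bytes) -> int:
    """The kind of 8-bit additive checksum the page attributes to MS-AV."""
    return sum(data) & 0xFF


def build_baseline(files: dict[str, bytes]) -> dict[str, tuple[int, int, int]]:
    """Record (size, CRC-16/ARC, CRC-16/CCITT) for every file."""
    return {p: (len(d), crc16_arc(d), crc16_ccitt(d)) for p, d in files.items()}


def check(baseline: dict[str, tuple[int, int, int]], files: dict[str, bytes]) -> dict[str, list[str]]:
    """Return {path: [what differs]} for files no longer matching the baseline.
    A virus, a failing disk and an admin's edit all surface the same way."""
    report: dict[str, list[str]] = {}
    for path, old in baseline.items():
        if path not in files:
            report[path] = ["missing"]
            continue
        d = files[path]
        new = (len(d), crc16_arc(d), crc16_ccitt(d))
        diff = [name for name, o, n in zip(("size", "crc16", "ccitt"), old, new) if o != n]
        if diff:
            report[path] = diff
    for path in files.keys() - baseline.keys():
        report[path] = ["new"]
    return report


def fix_crc16_arc(data: bytes, target: int) -> bytes:
    """CRC-invariant modification: rewrite the last two bytes of `data` so its
    CRC-16/ARC equals `target`, length unchanged.  A CRC is affine in the data,
    so exactly one 2-byte tail works; 65536 tries from the saved state finds it."""
    head = data[:-2]
    state = crc16_arc(head)
    for tail in range(0x10000):
        suffix = tail.to_bytes(2, "little")
        if crc16_arc(suffix, state) == target:
            return head + suffix
    raise AssertionError("unreachable: a 16-bit CRC is always fixable with 2 free bytes")


def collision_counts(n_files: int = 2000, seed: int = 1) -> tuple[int, int]:
    """Over n constructed random files, count how many repeat a signature seen
    earlier: (8-bit checksum collisions, dual-CRC collisions)."""
    rng = random.Random(seed)
    seen8, seen_dual, coll8, coll_dual = set(), set(), 0, 0
    for _ in range(n_files):
        d = rng.randbytes(rng.randint(32, 128))  # constructed file contents
        c8, dual = checksum8(d), (crc16_arc(d), crc16_ccitt(d))
        coll8 += c8 in seen8
        coll_dual += dual in seen_dual
        seen8.add(c8)
        seen_dual.add(dual)
    return coll8, coll_dual


def tamper_demo() -> dict[str, list[str]]:
    """Patch a constructed 'executable' and restore its CRC-16/ARC; flip one bit
    in a second file as a stand-in for media corruption.  Returns the report."""
    exe = b"MZ\x90\x00" + bytes(range(256)) * 2  # constructed stand-in for an .EXE
    lib = bytes(range(64, 192)) * 4               # constructed stand-in for an overlay
    baseline = build_baseline({"C:\\DOS\\EDIT.EXE": exe, "C:\\DOS\\EDIT.OVL": lib})
    tampered = exe.replace(b"\x10\x11\x12", b"\xcd\x21\x90")  # same length, new code
    forged = fix_crc16_arc(tampered, crc16_arc(exe))           # CRC-16/ARC now matches
    rotted = bytearray(lib)
    rotted[100] ^= 0x04                                        # one flipped bit
    return check(baseline, {"C:\\DOS\\EDIT.EXE": forged, "C:\\DOS\\EDIT.OVL": bytes(rotted)})


if __name__ == "__main__":
    print("tamper report:", tamper_demo())
    print("(8-bit, dual-CRC) collisions over 2000 files:", collision_counts())
```

The forged EDIT.EXE passes the size and CRC-16/ARC comparison and is reported only by the CCITT signature, which is the whole argument for the second polynomial; forcing both at once would need four free bytes and a 2^32 search, or linear algebra over both polynomials, which is the "immoderately difficult" of the text rather than impossible. The flipped bit in EDIT.OVL changes both CRCs, as any single-bit error must, so a disk going bad shows up in the same report as a virus.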
The efforts and expenses to convert "Quarantine" to other platforms went unrewarded, as Tripwire's 1991 copy of "Quarantine" for *nix was better funded and publicized than OnDisk could afford to match.

Jay's later efforts include modularized reliability and intrusion-detection approaches that use either SHA-1 or MD5 signatures, or both. "Quarantine" stopped shipping in 1994.
Wikimedia Foundation. 2010.