Quarantine technology
Quarantine technology is a function of anti-virus software that automatically isolates infected files on a computer's hard disk, so that they can neither execute nor infect or corrupt other files on the computer.

In December 1988, shortly after the Morris worm, Jay Nickson started work on Quarantine, an anti-malware and file-reliability product. Released in April 1989, Quarantine was the first such product to detect malware by file signatures (a stored checksum of each file, recomputed and compared on every later scan) rather than by virus signatures (byte patterns taken from known viruses).

The original Quarantine used Hunt's B-tree database of files, recording both the CRC16 and the CRC-CCITT signature of each file. Keeping two signatures computed with different polynomials rendered attacks based on CRC-invariant modifications (patching a file so that its checksum comes out unchanged) useless, or at least impractically difficult: a patch that preserves one CRC will in general change the other. Release 2, in April 1990, used a CRC-32 signature together with a second signature based on CRC-32 but with a few bits in each word shuffled. The later MS-AV from Microsoft, 'designed' by Central Point Software, apparently relied on only an eight-bit checksum: among a few thousand files there were hundreds with identical signatures.
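As an added worked example (not Quarantine's own code, which this page does not reproduce), here is a small Python integrity checker built on the same idea: a baseline database of two independent signatures per file, a verify pass that reports modified, missing and new files, a demonstration of the CRC-invariant modification attack the text refers to, and a count of how often a trivial 8-bit checksum collides over a few thousand files. It uses Python's zlib.crc32 and binascii.crc_hqx (a CRC-16 with the CCITT polynomial) as the two signatures; the function names, the sample "executable" and the sample files are constructed for this example, and forge_crc32 is a generic CRC-32 fix-up derived from the linearity of CRC, not a reconstruction of any historical attack.

```python
# Added example, not OnDisk's Quarantine code.  All sample files are constructed.
import binascii
import zlib


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def crc_ccitt(data: bytes) -> int:
    # CRC-16 with the CCITT polynomial 0x1021 (XMODEM flavour, initial value 0)
    return binascii.crc_hqx(data, 0)


def checksum8(data: bytes) -> int:
    # the kind of trivial 8-bit sum the text says MS-AV appears to have relied on
    return sum(data) & 0xFF


def signature(data: bytes) -> tuple:
    # Quarantine-style pair: two unrelated polynomials must both collide to fool it
    return (crc32(data), crc_ccitt(data))


def snapshot(files: dict) -> dict:
    """Baseline database, filename -> signature pair (stands in for the B-tree)."""
    return {name: signature(data) for name, data in files.items()}


def verify(files: dict, db: dict) -> dict:
    """Compare current files with the baseline; report modified, missing, new."""
    report = {}
    for name, sig in db.items():
        if name not in files:
            report[name] = "missing"
        elif signature(files[name]) != sig:
            report[name] = "modified"
    for name in files:
        if name not in db:
            report[name] = "new"
    return report


def forge_crc32(data: bytes, offset: int, target: int) -> bytes:
    """Rewrite the 4 bytes at `offset` so that crc32(result) == target.
    CRC is linear over GF(2): at fixed length, flipping message bit i XORs a
    fixed delta into the CRC regardless of other flips.  Measure the 32 deltas
    of the window, then solve (Gaussian elimination over GF(2)) for the subset
    of flips whose deltas XOR to crc32(data) ^ target.  The 32 deltas of a
    4-byte window are always linearly independent, so every target is reachable."""
    base = crc32(data)
    deltas = []
    for i in range(32):
        buf = bytearray(data)
        buf[offset + i // 8] ^= 1 << (i % 8)
        deltas.append(crc32(bytes(buf)) ^ base)
    basis = {}  # pivot bit -> (reduced vector, bitmask of the flips producing it)
    for i, vec in enumerate(deltas):
        mask = 1 << i
        while vec:
            pivot = vec.bit_length() - 1
            if pivot not in basis:
                basis[pivot] = (vec, mask)
                break
            bvec, bmask = basis[pivot]
            vec, mask = vec ^ bvec, mask ^ bmask
    need, flips = base ^ target, 0
    while need:
        bvec, bmask = basis[need.bit_length() - 1]  # always present, see above
        need, flips = need ^ bvec, flips ^ bmask
    buf = bytearray(data)
    for i in range(32):
        if flips >> i & 1:
            buf[offset + i // 8] ^= 1 << (i % 8)
    return bytes(buf)


def crc_invariant_attack() -> dict:
    """Patch a constructed 'executable', then fix up its last 4 padding bytes so
    the CRC-32 is unchanged: a single-CRC checker is blind to it, the pair is not."""
    original = b"MZ" + bytes(range(256)) * 4 + b"\x00" * 8   # constructed sample
    tampered = bytearray(original)
    tampered[16:20] = b"\xEB\xFE\x90\x90"                    # hypothetical patch
    forged = forge_crc32(bytes(tampered), len(original) - 4, crc32(original))
    db = snapshot({"PROG.EXE": original})
    return {
        "crc32_alone_detects": crc32(forged) != crc32(original),
        "pair_detects": verify({"PROG.EXE": forged}, db) == {"PROG.EXE": "modified"},
    }


def colliding_files(sigfn, files: dict) -> int:
    """Number of files whose signature is shared with at least one other file."""
    counts = {}
    for data in files.values():
        s = sigfn(data)
        counts[s] = counts.get(s, 0) + 1
    return sum(n for n in counts.values() if n > 1)


# A few thousand constructed files, mirroring the MS-AV observation in the text.
SAMPLE_FILES = {"F%04d.EXE" % i: (b"PROG%05d" % i) * 3 + i.to_bytes(2, "little")
                for i in range(3000)}
```

Calling crc_invariant_attack() shows the single CRC-32 passing the patched file while the signature pair reports it as modified; colliding_files(checksum8, SAMPLE_FILES) is forced above 2,700 by the pigeonhole principle (3,000 files, 256 possible values), while the CRC pair collides for none of them. A second CRC only raises the bar, though: both CRCs are linear, so an attacker who knows both polynomials can satisfy both with an 8-byte patch by the same elimination method, which is why later integrity checkers moved to cryptographic hashes.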

Quarantine
  • allowed suspect files to be
    • deleted
    • moved to a quarantine area
    • flagged in a report
  • scanned standard executables by default, or up to twenty user-supplied file-matching patterns
  • supported up to twenty exclusion patterns
  • allowed up to twenty directory paths to be included, or twenty to be excluded


In 1990 Quarantine received the LAN Magazine Best of Year award for security. In that year Quarantine was reportedly responsible for finding the first stealth virus at the University of Toronto, after all pattern-matching virus detectors had failed.

The 1990 version also allowed
  • background processing
  • checking of executables and libraries as a file is opened
  • scheduling of checks, e.g. when a Word file was opened, WORD and all its libraries could be checked:
    • immediately
    • every half hour
    • once a day, once every ten days, etc.


Quarantine allowed system managers to track all modifications of selected files or directory trees. Because an integrity checker flags every unexpected change to a file, not only viral ones, Quarantine users also got early warning of failing disks or disk interface cards.

The effort and expense of porting Quarantine to other platforms went unrewarded, as Tripwire's 1991 copy of the same file-signature approach for Unix was better funded and publicized than OnDisk could afford to match.

Jay Nickson's later work includes modular file-reliability and intrusion-detection tools that use SHA-1 or MD5 signatures, or both. (Both MD5 and SHA-1 have since been shown to be vulnerable to collision attacks; a present-day integrity checker would use SHA-256 or stronger.) Quarantine stopped shipping in 1994.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 