DelProtect INIT For MacOS 9, version 1.1.1

DelProtect.gif

The DelProtect INIT is a generic antivirus suspicious delete blocker that will guard against unauthorized file deletes.

System Needs:

DelProtect needs a 68000 processor or greater. It also needs at least System version 7.0.0.

Operations:

DelProtect continuously monitors the System for suspicious calls that Delete files.

NOTE: It is normal for DelProtect to report an "HDelete('file',0)" on the file you are working on if the program is not in the Exceptions file. Just ignore this message or if you prefer to stop it from showing, edit the "DelProtect Exceptions" file and add the name of the program that reports the action. (See section below on Creating exceptions).

Operational Details:

Some viruses, besides spreading can also deliver a malignant payload. They can, for example, attempt to erase your default drive. DelProtect guards against such a behavior and tries to intercept unauthorized calls that attempt to delete files.

I have tested DelProtect with the following viruses which try to Delete files in the default drive:

The DelProtect INIT will protect you from these viruses trying to delete your drive.

DelProtect will NOT prevent infections from the AutoStart worm. To be protected from the worm, if you are a programmer, you can modify the source to block the AutoStart, but you better know what you are doing. For example, you could add patches to some file manager routines, like PBSetFInfo, etc).

You may prefer to use a commercial Intercept Extension such as SAM Intercept which is part of SAM or now NAM. In fact I encourage you to do so. But if you can't afford it or don't want to buy NAM or SAM, DelProtect will do quite a good job. However I am not aware of any commercial or freeware/shareware program that will protect from unauthorized file Deletes.

Creating Exceptions:

WARNING!! DelProtect can cause application crashes and other ill behavior!! The reason for this is quite simple. Lots of programs out there, use temporary (called "scratch") files which they occasionally need to delete in order to update their program contents. Some such programs are Microsoft Word 5.0, GraphicConverter, ResEdit, Netscape Navigator, and Adobe Photoshop. See the section Notes on Exceptions for a more thorough analysis of the situation. If you see a program that attempts to issue lots of calls to delete a certain file and you are sure its not a virus (like MS Word), you can configure DelProtect to ignore it, using a very simple way. Edit the SimpleText "DelProtect Exceptions" TEXT file and copy in it the names of the programs that you want to ignore. Just write the program's name as it appears on the Finder (or copy the name if possible from the Finder and paste them in the SimpleText file). Separate all the program names by a simple return. Then save the file (leave its name EXACTLY "DelProtect Exceptions"). I have included a sample file for you on the download. Close the file and drag a copy of this file into your extensions Folder. Then Restart. At the time of loading, DelProtect will read this file, and will ignore applications or programs that issue such calls if their names are included in the SimpleText file. If there is no such file in the Extensions Folder, DelProtect will inform you using a notification that no exceptions will be made, and all programs that issue suspicious calls will be intercepted (See Warning above!!). You can add as many program names as you like in the SimpleText file, as long as the size of the file does not exceed 1024 bytes. NOTE: It is normal for DelProtect to report a "HDelete('file,0)" action on the file you are working on sometimes when you first open it from a program that is not in the exception file. If you want to stop this from occuring, just add the program in the "DelProtect Exceptions" file. Also, be SURE to include the name "Finder" in the "DelProtect Exceptions" file if you install "DelProtect" (the included file contains it), otherwise you won't be able to empty your trash and there may be problems with Virtual Memory files and other programs. DelProtect is as you can see, easily configurable, and it is hard to tamper with, unless someone restarts the machine, after it has modified DelProtect's exception file. You can, in addition, make the exception file invisible with ResEdit, so that people cannot tamper with the programs that DelProtect allows to legally call the above routine, if you run DelProtect in a networking environment. By also removing the file Extensions Manager, this makes the setup virtually bullet-proof.

Programmer Notes:

The reason DelProtect needs a 68000 at least is quite simple. Contrary to the patches to _AddResource and _ChangedResource, the patch to _HDelete has no arguments, so the THINK C compiler generates a simple RTS to return to the caller. This leaves all the registers untouched, the way we restore them.

DelProtect could be easily augmented to deal with the autostart worm. You'd have to add a patch to some file manager routines like FSpCreate to prevent unauthorized creation of suspicious files. This way the Autostart would never be able to install itself. There are also a couple of other neat programming tricks, such as unlimited notification storage. DelProtect should be sufficient protection against malignant payloads. Be careful however, if another extension loads first, it CAN bypass DelProtect. Feel free to experiment with it. I basically created DelProtect to protect myself from the Graphics Accelerator virus.

DelProtect patches "_HDelete" so it can intercept calls that deal with deleting of files. Several exceptions are made for this patch, which you can see by examining the code, because certain aliases need to be updated. Please be careful if you change the code. Make sure you know you are absolutely sure what you are doing.

Download DelProtect (with source) here.

Back to Programming

web stats

Valid HTML 4.01 Transitional