DelProtect INIT, version 1.1.1


General

DelProtect INIT is a small antivirus extension that intercepts suspicious file deletions and guards against unauthorized deletes.

System Needs

DelProtect needs a 68000 processor or later and System 7.0 or later.

Installing

To install DelProtect, drag both files, "DelProtect" and "DelProtect Exceptions", into your Extensions Folder and then restart.

Operation

DelProtect continuously monitors the System for suspicious calls that delete files. It is normal for DelProtect to report an "HDelete('file',0)" on the file you are working on if the program is not in the Exceptions file. Just ignore this message, or, if you prefer to stop it from showing, edit the "DelProtect Exceptions" file and add the name of the program that reports the action (see the section below on Creating Exceptions).

Details

Besides spreading, some viruses also deliver a malicious payload. They can, for example, attempt to erase your default drive. DelProtect guards against such behavior by intercepting unauthorized calls that attempt to delete files.

The author has tested DelProtect with the following viruses which try to Delete files in the default drive:

The DelProtect INIT will protect you from these viruses' attempts to delete files on your drive. DelProtect will NOT prevent infection by the AutoStart worm. If you are a programmer, you can modify the source to block AutoStart, for example by adding patches to some File Manager routines such as PBSetFInfo.

You may prefer to use a commercial intercept extension such as SAM Intercept, part of SAM (Symantec AntiVirus for Macintosh), now NAM (Norton AntiVirus for Macintosh); in fact the author encourages you to do so. If you cannot afford NAM or SAM, or do not want to buy them, DelProtect will do quite a good job. However, the author is not aware of any commercial or freeware/shareware program that protects specifically against unauthorized file deletes.

Creating Exceptions

Many 68k programs use temporary ("scratch") files, which they delete as part of saving or updating their documents. Microsoft Word 5.0, GraphicConverter, ResEdit, Netscape Navigator, and Adobe Photoshop all do this. If you see a program issuing many calls to delete a particular file and you are sure it is not a virus (MS Word, for instance), you can configure DelProtect to ignore it.

Open the "DelProtect Exceptions" TEXT file in SimpleText and enter the names of the programs you want ignored. Write each program's name exactly as it appears in the Finder (or copy it from the Finder and paste it), one name per line, separated by a plain return. Save the file; a sample file is included in the download. Close the file and drag a copy of it into your Extensions Folder, then restart. At load time DelProtect reads this file and will ignore delete calls from any application or program whose name is listed. If there is no such file in the Extensions Folder, DelProtect posts a notification that no exceptions will be made, and all programs that issue suspicious calls will be intercepted.

You can list as many program names as you like, as long as the file does not exceed 1024 bytes. It is normal for DelProtect to report an "HDelete('file',0)" action on the file you are working on when you first open it from a program that is not in the exceptions file; to stop this, add the program to the "DelProtect Exceptions" file. Be sure to include the name "Finder" in the file when you install DelProtect, otherwise you will not be able to empty your Trash, and there may be problems with Virtual Memory files and other programs.

DelProtect is easy to configure and hard to tamper with: an edit to the exception file has no effect until the machine is restarted, so someone would have to modify the file and then restart. If you run DelProtect in a networked environment, you can also make the exception file invisible with ResEdit so that people cannot alter the list of programs DelProtect allows to call _HDelete. Removing the Extensions Manager as well makes the setup harder still to defeat, though bear in mind that holding down the Shift key at startup disables all extensions, DelProtect included, so this guards against casual rather than determined tampering.
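As an added illustration, not part of the DelProtect distribution, the following portable C checker applies the rules above to the bytes of an exceptions file: one name per carriage-return-separated line, at most 1024 bytes in total, and "Finder" present. The 31-character per-name cap (the HFS file name limit), the 64-entry table, the constructed sample file contents and the acceptance of LF line endings are this example's own assumptions; the real INIT parses the file in its own way.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* The 1024-byte file limit is the one stated by the README. The per-name cap is
   the HFS file name limit and MAX_NAMES is an assumed table size for this checker. */
#define MAX_FILE_BYTES 1024
#define MAX_NAME_LEN   31
#define MAX_NAMES      64

typedef struct {
    char        names[MAX_NAMES][MAX_NAME_LEN + 1];
    int         count;
    int         has_finder;
    const char *error;   /* NULL when the file is acceptable */
} exception_list;

/*
 * Parse the bytes of a "DelProtect Exceptions" file: one application name per
 * line, lines ending in a carriage return (0x0D) as SimpleText writes them.
 * LF endings are also accepted (assumption) so the checker can run on a copy
 * that passed through a Unix host. Returns 1 and fills *out on success, or 0
 * with out->error set when DelProtect could not use the file as intended.
 */
int parse_exceptions(const char *buf, size_t len, exception_list *out)
{
    size_t start = 0;

    memset(out, 0, sizeof *out);
    if (len > MAX_FILE_BYTES) {
        out->error = "file exceeds 1024 bytes";
        return 0;
    }
    for (size_t i = 0; i <= len; i++) {
        if (i < len && buf[i] != '\r' && buf[i] != '\n')
            continue;                          /* still inside a name */
        size_t n = i - start;
        const char *name = buf + start;
        start = i + 1;
        if (n == 0)
            continue;                          /* blank line, or the LF of a CRLF pair */
        if (n > MAX_NAME_LEN) {
            out->error = "name longer than 31 characters cannot match a Finder name";
            return 0;
        }
        if (out->count >= MAX_NAMES) {
            out->error = "too many names for this checker's table";
            return 0;
        }
        memcpy(out->names[out->count], name, n);
        out->names[out->count][n] = '\0';
        if (strcmp(out->names[out->count], "Finder") == 0)
            out->has_finder = 1;
        out->count++;
    }
    if (!out->has_finder) {
        out->error = "\"Finder\" is missing: emptying the Trash would be blocked";
        return 0;
    }
    return 1;
}

/* The lookup made when a delete is intercepted: exact match on the Finder name. */
int is_excepted(const exception_list *l, const char *app_name)
{
    for (int i = 0; i < l->count; i++)
        if (strcmp(l->names[i], app_name) == 0)
            return 1;
    return 0;
}

/* Constructed sample file contents, in the CR-separated form SimpleText saves. */
static const char sample_exceptions[] =
    "Finder\rMicrosoft Word\rResEdit\rGraphicConverter\r";

/* Convenience wrappers so each check is a single call. */
int exceptions_file_ok(const char *buf, size_t len)
{
    exception_list l;
    return parse_exceptions(buf, len, &l);
}

int exceptions_allow(const char *buf, size_t len, const char *app_name)
{
    exception_list l;
    return parse_exceptions(buf, len, &l) && is_excepted(&l, app_name);
}

/* A 1100-byte file is over the limit and must be refused even though every
   line in it is well formed. */
int oversize_file_refused(void)
{
    char big[1100];
    memset(big, 'a', sizeof big);
    for (size_t i = 10; i < sizeof big; i += 11)   /* a return every 11 bytes */
        big[i] = '\r';
    return !exceptions_file_ok(big, sizeof big);
}

int main(void)
{
    exception_list l;
    int ok = parse_exceptions(sample_exceptions, sizeof sample_exceptions - 1, &l);
    printf("sample file: %s (%d names)\n", ok ? "ok" : l.error, l.count);
    printf("ResEdit excepted: %d, Netscape Navigator excepted: %d\n",
           is_excepted(&l, "ResEdit"), is_excepted(&l, "Netscape Navigator"));
    return 0;
}
```

Run the checker over your own exceptions file before copying it into the Extensions Folder; the most common mistakes it catches are a forgotten "Finder" line and a name that does not match the Finder's spelling and case exactly.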

Programmer Notes

The reason DelProtect needs at least a 68000 is simple. Unlike the patches to _AddResource and _ChangedResource, the _HDelete patch takes no arguments, so the THINK C compiler generates a plain RTS to return to the caller. This leaves all the registers untouched, exactly as we restored them.

DelProtect could easily be extended to deal with the AutoStart worm: add a patch to File Manager routines such as FSpCreate to prevent unauthorized creation of suspicious files, and AutoStart would never be able to install itself. The source also contains a couple of other useful programming tricks, such as unlimited notification storage. DelProtect should be sufficient protection against malicious payloads; note, however, that an extension that loads before DelProtect can bypass it. The author wrote DelProtect to protect himself from the Graphics Accelerator virus.

DelProtect patches _HDelete so it can intercept calls that delete files. The patch makes several exceptions, which you can see by examining the code, because certain aliases need to be updated. Be careful if you change the code.
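The following is an added model in portable C, not DelProtect's own THINK C source, of the head-patch mechanism the notes describe: a function pointer stands in for the _HDelete slot of the trap dispatch table, installing the patch saves the old address and chains to it, and the third scenario shows one way an extension that loaded earlier can bypass the patch, by calling the address it saved before DelProtect was installed. Passing the caller's name as an argument, the fixed exception list and the -1 error code are modeling assumptions.

```c
#include <stdio.h>
#include <string.h>

/*
 * On a 68k Mac the trap dispatch table maps trap numbers to routine addresses
 * and an INIT installs a head patch with GetTrapAddress/SetTrapAddress. Here
 * one function pointer models the _HDelete slot. The INIT has to discover the
 * calling application's name from the system; this model passes it explicitly.
 */
typedef int (*hdelete_fn)(const char *caller, const char *path);

#define NO_ERR        0
#define BLOCKED_ERR (-1)   /* illustrative; a real patch would return a File Manager OSErr */

static hdelete_fn trap_table_HDelete;   /* the slot every HDelete call goes through */
static hdelete_fn delprotect_saved;     /* what DelProtect found in the slot when it loaded */
static int  deletes_performed;          /* deletes that actually reached the File Manager */
static char last_blocked_caller[32];

/* The File Manager's own routine: a delete when nothing intercepts it. */
static int filemgr_HDelete(const char *caller, const char *path)
{
    (void)caller; (void)path;
    deletes_performed++;
    return NO_ERR;
}

/* Names from a "DelProtect Exceptions" file, already split (constructed list). */
static const char *exceptions[] = { "Finder", "Microsoft Word", "ResEdit" };

static int is_excepted(const char *caller)
{
    for (size_t i = 0; i < sizeof exceptions / sizeof exceptions[0]; i++)
        if (strcmp(exceptions[i], caller) == 0)
            return 1;
    return 0;
}

/* DelProtect's head patch: check the caller, then chain to the previous address. */
static int delprotect_HDelete(const char *caller, const char *path)
{
    if (!is_excepted(caller)) {
        snprintf(last_blocked_caller, sizeof last_blocked_caller, "%s", caller);
        return BLOCKED_ERR;             /* refused before the File Manager is reached */
    }
    return delprotect_saved(caller, path);
}

/* Load time: GetTrapAddress, remember it, SetTrapAddress to the patch. */
static void install_delprotect(void)
{
    delprotect_saved = trap_table_HDelete;
    trap_table_HDelete = delprotect_HDelete;
}

/* A freshly booted system with nothing patched. */
static void reset_model(void)
{
    trap_table_HDelete = filemgr_HDelete;
    delprotect_saved = NULL;
    deletes_performed = 0;
    last_blocked_caller[0] = '\0';
}

/* An application deleting through the trap, as every normal HDelete call does. */
static int app_deletes(const char *app, const char *path)
{
    return trap_table_HDelete(app, path);
}

/* Scenario 1: a listed application's scratch-file delete passes straight through. */
int scenario_listed_app_allowed(void)
{
    reset_model();
    install_delprotect();
    return app_deletes("ResEdit", ":Temp:scratch") == NO_ERR && deletes_performed == 1;
}

/* Scenario 2: an unlisted caller is refused and nothing is deleted. */
int scenario_unlisted_caller_blocked(void)
{
    reset_model();
    install_delprotect();
    int err = app_deletes("Unlisted Payload", ":System Folder:System");
    return err == BLOCKED_ERR && deletes_performed == 0
        && strcmp(last_blocked_caller, "Unlisted Payload") == 0;
}

/* Scenario 3: an extension that loaded before DelProtect already holds the
   File Manager address, so calling it directly goes around the patch: the
   delete happens and DelProtect never sees it. */
int scenario_earlier_extension_bypasses(void)
{
    reset_model();
    hdelete_fn grabbed_first = trap_table_HDelete;   /* the earlier INIT's GetTrapAddress */
    install_delprotect();                            /* DelProtect loads afterwards */
    int err = grabbed_first("Unlisted Payload", ":System Folder:System");
    return err == NO_ERR && deletes_performed == 1 && last_blocked_caller[0] == '\0';
}

int main(void)
{
    printf("listed app allowed:       %d\n", scenario_listed_app_allowed());
    printf("unlisted caller blocked:  %d\n", scenario_unlisted_caller_blocked());
    printf("earlier extension bypass: %d\n", scenario_earlier_extension_bypasses());
    return 0;
}
```

The third scenario is the practical reason load order matters for an INIT like this: a head patch only sees calls that go through the trap slot, so anything holding an address captured earlier is outside its reach.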

Download

Download DelProtect (with source) here.
