VIRUS-L Digest   Wednesday, 10 Jul 1991    Volume 4 : Issue 122

Today's Topics:

New reviews
Review of TBSCAN (PC)
Product Test - - ViruSafe (PC)
Product Test - - VIRx (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 10 Jul 91 15:17:15 -0400
From:    Kenneth R. van Wyk
Subject: New reviews

The following three anti-virus product reviews have been received over the past several days. I decided to bundle them together in one digest as time/space permitted. All three, and a BUNCH of previous reviews by both Rob Slade and Chris McDonald, are available by anonymous FTP on cert.sei.cmu.edu (NEW IP number = 192.88.209.5) in the pub/virus-l/docs/reviews directory.

As always, a wholehearted thanks to Rob and to Chris for their excellent contributions.

Ken

Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
krvw@CERT.SEI.CMU.EDU (work)
ken@OLDALE.PGH.PA.US (home)
(412) 268-7090 (CERT 24 hour hotline)

------------------------------

Date:    Fri, 28 Jun 91 15:26:28 -0700
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Review of TBSCAN (PC)

Comparison Review

Company and product:

Frans Veldman
ESaSS B.V.
P.O. Box 1380
6501 BJ Nijmegen
The Netherlands
Tel:  31 - 80 - 787 771
Fax:  31 - 80 - 777 327
Data: 31 - 85 - 212 395 (2:280/200 @fidonet)

c/o Jeroen W. Pluimers/Smulders
P.O. Box 266
2170 AG Sassenheim
The Netherlands
work:  +31-71-274245   9.00-17.00 CET
home:  +31-2522-11809  19:00-23:00 CET
email: 2:281/521 or 2:281/515.3
email: PLUIMERS@HLERUL5.BITNET
       FTHSMULD@rulgl.LeidenUniv.nl
       ugw.utcs.utoronto.ca!rulgl.LeidenUniv.nl!FTHSMULD

Thunderbyte Scan promotional programs

Summary: Resident and non-resident scanner and boot sector repair programs

Cost: free of charge

Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
      Installation            2
      Ease of use             3
      Help systems            3
Compatibility                 2
Company
      Stability               3
      Support                 2
Documentation                 2
Hardware required             3
Performance                   2
Availability                  2
Local Support                 1

General Description:

The programs tested are TBSCAN 2.2 dated 910314, TBRESCUE 1.2 dated 910211, and TBSCANX 2.6 dated 910419. These are "freeware" (no charge but copyright) programs distributed to promote the Thunderbyte security card (product not available for testing). The scanners use IBM's VIRSCAN signature file format, and are very fast, but provide no disinfection.

                  Comparison of features and specifications

User Friendliness

Installation

Installation is a matter of copying the programs to disk and deciding how to run them. The documentation, while clear enough as to use, does not supply much in the way of direction as to the invocation of, say, the resident scanner, TBSCANX. In another sense, the "use" of TBRESCUE is also its "installation", in the production of a repair file, while it could be used, in its "compare" mode, to check the system areas at boot time. While an experienced user will be able to determine how best to use these programs fairly easily, novice or intermediate users may not have sufficient information to use them effectively.

Ease of use

The programs are fairly easy to use. The command line switches should not be strictly necessary for effective use, but can provide significant extra information or use for the expert.

Help systems

If invoked incorrectly, the program displays a brief summary of the command line switches.

Compatibility

During testing significant problems were encountered. The documentation does warn against the use of resident or pop-up programs, and this may have contributed to the problem. At this time, the problems remain unresolved. On one machine, TBSCAN would fail to check any files after a memory checking program had been run. No error message was displayed.

Company Stability

Unknown, but one report indicates that the company has recently made a significant sale to Phillips.

Company Support

Contacts with the company have been sketchy so far.

Documentation

The English documentation is definitely written for the intermediate or experienced user, and contains numerous grammatical errors. It does, however, provide some helpful and realistic discussion of the limitations of these types of programs. (This is to be expected, since the programs are used for the promotion of the hardware card.)

Hardware Requirements

None stated. Difficulty was encountered in running the program on an old IBM compact/portable, but may have been related to programs run before TBSCAN.

Performance

TBRESCUE will not work on a "floppy only" system. TBSCAN and TBSCANX fail to identify the "Stoned" virus in memory, although TBSCAN will identify it on disk. TBSCANX will not alert you to a boot sector infection when accessing (DIR or other) an infected disk. TBSCANX 2.2 failed to identify the Jerusalem virus in infected files, although TBSCAN would identify them on disk. TBSCANX 2.6 has fixed this, but no longer permits you to run the files. It still does not, however, prevent Jerusalem from "going resident" and infecting other files. (Subsequently infected files, for some reason, will run, although TBSCAN will terminate with no error message. It will do this when infected with a virus as well.)

Local Support

None provided.

Support Requirements

On a "scan only" basis, the program is simple to use. Installation and disinfection will require expert assistance.

General Notes

The speed of the scanner, and its ability to use IBM's VIRSCAN signatures (and have the user extend the signature file) make this a handy tool for "first line" defense. It does not, in its present state, seem advisable to depend upon this product alone.

Also note - although the documentation states that the program is free of charge, occasionally when invoking the TBSCANX program a message appeared urging the user to register this "evaluation copy".

copyright Robert M. Slade, 1991   PCTBSCAN.RVW   910612

=============
Vancouver         p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for     Robert_Slade@mtsg.sfu.ca | computer, don't
Research into     (SUZY) INtegrity         | turn it on."
User              Canada V7K 2G6           | Richards' 2nd Law
Security                                   | of Data Security

------------------------------

Date:    Mon, 08 Jul 91 10:46:14 -0600
From:    Chris McDonald ASQNC-TWS-R-SO
Subject: Product Test - - ViruSafe (PC)

*******************************************************************************
                                   PT-24
                                 July 1991
*******************************************************************************

1. Product Description: ViruSafe is a commercial software package to detect, disinfect and prevent computer viruses and malicious programs for the MS-DOS environment.

2. Product Acquisition: ViruSafe is available from EliaShim Microcomputers, 520 W. Highway 436, Suite 1180-30, Altamonte Springs, FL 32714. The commercial telephone number is Area Code 407-682-1587. The FAX number is Area Code 407-869-1409. The suggested retail price for a single copy is $80.00. Site licenses are available.

3. Product Testers: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I obtained an evaluation copy of ViruSafe (Version 4.02) in May 1991 from Mr. Bob Greenwald, the government account specialist for EliaShim Microcomputers. Mr. Greenwald had obtained my name and address from other Army representatives. The software arrived on a 5 1/4" write-protected disk with a 56 page User's Manual.

b. Product tests occurred on the following systems: (1) Unisys PC, Model 3137, MS-DOS 3.10, 512K; and (2) Unisys PC, Model 3137, MS-DOS 3.30, 640K. The minimum hardware and software configuration is as follows: an IBM PC/XT/AT or compatible computer using the MS/PC-DOS (Version 3.00 and up) with 512K. Actual tests occurred from 24 May through 5 July 1991.

c. ViruSafe has several major components which a user can generally invoke from a menu or from the DOS command line. The first program, UNVIRUS.EXE, performs detection and removal of known computer viruses and malicious programs. The second program, PIC.EXE, records information about files and checks their integrity for signs of change. This information includes the size of the file, its contents, the date and the time. The third program, VC.EXE, detects and removes viruses active in memory and in the boot sector. The fourth program, VS.EXE, installs as a terminate-and-stay-resident (TSR) program that detects and identifies viruses when they attempt to enter memory and prevents infection of programs and boot sectors. The fifth program, VSCOPY.EXE, performs the DOS COPY function only after it checks that what a user is attempting to copy is not infected by a known virus. The sixth program, VSMENU.EXE, is the menu-driven utility through which a user may operate ViruSafe after installation.

d. ViruSafe has a utility for installing and uninstalling itself.
The User's Manual contains instructions for using the program to test one's system before actually installing it on a hard drive. The instructions were adequate. One invokes the menu by the command "vsmenu" at the DOS prompt.

e. Version 4.02 contains viral definitions for 412 known viruses and mutations. ViruSafe does identify the ten viruses which John McAfee once proposed account for 95% of all reported infections. ViruSafe can identify 92% (i.e., 25 out of 27) of those viruses characterized as "common" by Patricia Hoffman in her Virus Summary List, 15 May 1991.

f. Although I do not have code for all the malicious programs which ViruSafe claims to detect, it did identify those 60+ viruses in my possession. When ViruSafe identifies a known malicious program, it gives the user an audible and visual alarm if one has directed the program to report such information to the screen. If one chooses to have the program direct all results to a log file or to a printer, there is no audible or visual alarm. The log file option will cause results to appear on the screen; however, the screen clears automatically at the completion of the detection operation.

g. The "Check and Remove" menu has various options to check only for virus signatures, to check and remove program viruses, to check and remove boot sector viruses, to check and remove all file viruses, and to check only for a virus in memory. I tested all these options which functioned as documented. I did verify that all "check and remove" options were automatic. So, for example, if ViruSafe detects a virus in an .exe file, it will attempt to remove the virus without any further user authorization or intervention. The user will have no permanent record of the detection and removal unless he or she has asked for a printer or log file result.

h. The vendor representatives emphasized the disinfection capabilities of ViruSafe in their discussions with me prior to the actual test. I can say that the product performed as advertised against those viruses in my possession. One of the main menu options is a "List of Viruses Handled". This list identifies those viruses and malicious programs which ViruSafe can actually remove. I found this an extremely nice feature because I could determine in advance, if I chose to do so, whether ViruSafe would perform disinfection.

i. The Program Integrity Check (PIC.EXE) option in the VSMENU offers a user these features:

   (1) Check Integrity of Marked Files
   (2) Recalculate Marked Files
   (3) Display List of Marked Files
   (4) Mark and Save Boot Sectors
   (5) Mark Programs

I tested all the options which performed as indicated. I intentionally changed the contents and size of various files. In each case there was a notification. I must emphasize that I made no deliberate attempt to defeat the mechanism since that is beyond my capabilities. The User's Manual states that Program Integrity Check (PIC) is a "special digital signature, calculated for marked files". There is no other information on what exactly this calculation entails. I am not an expert on this subject but discussions on the Internet and on Virus-L in particular can provide any user with additional information in this area.

j. The VS.EXE TSR program performed as documented. I successfully caused the program to alarm under all of the stated events. I must qualify that malicious code in my possession is limited. Any certification of 100% effectiveness is beyond my capabilities. The list of options allows one to customize protection against "unknown" malicious programs and to closely monitor system activity in general. The VSMENU presents a user with these options:

   (1) Check Resident Programs (TSR)    [The default is OFF.]
   (2) Check Access to Program Files    [The default is OFF.]
   (3) Check Write to Boot Sectors      [The default is ON.]
   (4) Check Diskettes Infection        [The default is ON.]
   (5) Check Memory Infection           [The default is ON.]
   (6) Write Protect Hard Disk          [The default is OFF.]
   (7) Sound Warning Alarm              [The default is ON.]
   (8) Check Memory Size Changes        [The default is ON.]
   (9) Check Virus on Program Exit      [The default is OFF.]

k. The VSCOPY.EXE program functioned as described in the document. I tested with boot sector, .com and .exe viruses.

l. There is an Advanced Features option in the main VSMENU. I tested three of the selections which functioned as advertised. I did not test the selections to restore or to repair the master hard drive boot sector and partition table. The User's Manual in my opinion oversells the significance of the features to display a boot sector and to provide a memory allocation map. These are not very helpful tools for viral and malicious code detection.

5. Product Advantages:

a. ViruSafe provides a comprehensive approach to malicious code protection in one program. It offers detection, disinfection and prevention--a trend which most commercial vendors now follow.

b. The product provides a good menu system to assist the novice user.

c. The product by version 4.0 allows a user to add new virus signatures without a formal upgrade. [Note: I did not have the opportunity to test this feature.]

d. EliaShim Microcomputers has established a credible reputation for technical support of its products. The technical representative was extremely helpful during the evaluation period.

6. Product Disadvantages:

a. The cost of the product may discourage many users who are already on tight budgets. Even if one pursued a site license agreement, it may be that the risk management assessment will not support such protection for every PC within the organization.

b. The User's Manual is accurate, but clearly has been overtaken by upgrades to the product. For example, although I received the LAN version of the product, the manual has very little to say about network operations. The read.me file on the program disk contains information that at least by version 4.0 a user may add new virus signatures without a formal upgrade. The manual is silent on this subject. There are other minor features which I noticed in running the program which would be nice to document formally.

c. The TSR program offers a variety of protection capabilities which the experienced MS-DOS user will appreciate. It remains an open question as to whether the majority of users within an organization will be able to configure the TSR themselves, or whether they will be able to interpret and respond to respective alarms.

7. Comments: Fred Cohen's original paper on his first computer virus experiments concluded that detection of viruses by their appearance or behavior was "undecidable". Yet seven years after the publication of his work, detection of viruses by their appearance and behavior remains the most common form of viral defense for the MS-DOS environment. ViruSafe provides the mechanisms to monitor attributes of change and to recognize a virus by its appearance. It also has an intrusion detection capability through its TSR program. The challenge for the user remains the interpretation of what the TSR identifies as "suspicious" activity. This challenge is not unique to ViruSafe. It does reinforce the proposition that, if one chooses to acquire a product which integrates detection, disinfection and prevention, one must have a strategy for supporting users in the interpretation of alarms and probably in the actual configuration.

The National Computer Security Association has issued a report "Virus Scanners: An Evaluation", dated March 4, 1991. The report evaluates an earlier version of ViruSafe so readers should recognize that my comments pertain to version 4.02. I obtained a copy of the report after the majority of my tests were completed. I am happy to report that it provided a quality control measure on my own modest efforts.
FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   DATE            PRODUCT
PT-3                  November 1989   VIRUSCAN (Revised February 1991)
PT-5                  December 1989   VIRUS BUSTER
PT-11                 June 1990       ANTI-VIRAL SEARCH, 2.24 (Revised February 1991)
PT-12                 June 1990       VIRUCIDE (Revised February 1991)
PT-17                 August 1990     F-PROT (Revised May 1991)
PT-23                 March 1991      VIREX-PC (Revised May 1991)
PT-28                 February 1991   NORTON ANTIVIRUS (Revised 12 February 1991)
PT-34                 April 1991      IBM ANTI-VIRUS
PT-36                 June 1991       CENTRAL POINT ANTI-VIRUS 5

------------------------------

Date:    Wed, 10 Jul 91 08:38:08 -0600
From:    Chris McDonald ASQNC-TWS-R-SO
Subject: Product Test - - VIRx (PC)

*******************************************************************************
                                   PT-41
                                 July 1991
*******************************************************************************

1. Product Description: VIRx is a copyrighted program written by Ross M. Greenberg to detect computer viruses and malicious programs. VIRx is the detection portion (VPCScan) of the commercial protection program VIREX-PC (reference PT-23, revised May 1991).

2. Product Acquisition: The program is free. Mr. Greenberg has made it available on many bulletin boards and software repositories, to include the MS-DOS repository on simtel20 [192.88.110.20]. The current path on simtel20 is pd1:virx16.zip.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I acquired version 1.5 and version 1.6 of VIRx from the simtel20 MS-DOS repository. Mr. Greenberg provided the programs directly to our repository manager.

b. Product tests occurred on the following systems: (1) Unisys 286 PC, Model 3137, MS-DOS 3.10, 512K; and (2) Unisys 386 PC, Model PW 820-F, MS-DOS 4.01, 8MB.

c. Version 1.6 contains viral definitions for 501 known viruses, variations and malicious programs. VIRx can identify 96% (i.e., 26 out of 27) of those viruses characterized as "common" by Patricia Hoffman in her Virus Summary List, 15 May 1991.

e. Although I do not have code for all the malicious programs which VIRx claims to detect, it did identify 60+ viruses and variations in my possession. The program did not detect a copy of the Virus-101 research virus, although documentation in VIRx version 1.6 identifies it as detectable. I used both the normal and -L "long" scan options with negative results. The Virus-101, according to several virus catalogs and summary lists, does nothing but replicate, and is for all practical purposes extinct in the real world. McAfee Associates' VIRUSCAN, Skulason's F-PROT and the Norton Anti-Virus product were three programs which did alarm on my copy of the Virus-101.

f. One invokes the VIRx program by the syntax "virx [drive specification]" or for example "virx c:\". By default the program will only scan files with known executable extensions, such as .com and .exe. The more significant options include switches to scan only a specified or a default directory; to scan the entire contents of a file or a "long" scan; to scan all types of files not just those with executable extensions; to record the results of a scan operation in a log file; and to scan memory above 640K to just under 1 Megabyte.

g. I tested all these options which functioned as described in the documentation file. The only false positive or conflict which I found in running VIRx against other detection programs was that it identified two executable programs within the commercial program ViruSafe as infected with the "Stoned-A (New Zealand 1)". I did test for conflicts against Viruscan, Avsearch, Virucide, F-PROT, Virex-PC, ViruSafe, Norton Anti-Virus, IBM Anti-Virus Product, TbScan, and Central Point Anti-Virus.

5. Product Advantages:

a. VIRx appears to provide excellent detection capabilities at no cost.

b. The operation of the program is simple. VIRx is one of the fastest, if not the fastest, detection program available at this time.

c. The author of the program has established a credible reputation for his work.

6. Product Disadvantages:

a. Free programs may not always be free. Microcom has a marketing interest in encouraging users to migrate from the free detection program to its more comprehensive commercial program Virex-PC. One cannot predict how long Mr. Greenberg or the vendor will allow users the free use of one-third of its commercial program.

b. VIRx is a detection program only. Users will need some other program for disinfection and prevention capabilities.

c. There is naturally no formal technical support for the product. While it is possible to contact Mr. Greenberg over the Internet, Microcom will only support the "complete version of the VIREX-PC program".

7. Comments: The National Computer Security Association has issued a report "Virus Scanners: An Evaluation", dated March 4, 1991. The report evaluates an earlier version of the VPCScan element of VIREX-PC. While it would be unfair to make a direct comparison between the VPCScan evaluation and this product test of version 1.6 of VIRx, a reader can obtain additional information and confirmation of its detection capabilities.

VIRx documentation for the last several versions states that the program will warn a user when it becomes "outdated". This is a welcome change from the first version in which the program would cease to function on a specified cut-off date. The notification will alert a user to the need to obtain an update.

A final observation is that, while Mr. Greenberg has issued versions 1.4, 1.5, and 1.6 of VIRx, I as a registered user of VIREX-PC have yet to receive any notification from Microcom of an actual upgrade to the commercial product. Registration, according to the literature, should result in automatic notifications of all revisions when they become available. This reinforces for me the position that one cannot rely exclusively on a single product for viral protection. In this case the availability of other programs for disinfection and prevention becomes essential until such time as the vendor revises VIREX-PC. It also supports Mr. Greenberg's documentation which suggests that one use VIRx in conjunction with the current version of the commercial program.

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   DATE            PRODUCT
PT-3                  November 1989   VIRUSCAN (Revised February 1991)
PT-5                  December 1989   VIRUS BUSTER
PT-11                 June 1990       ANTI-VIRAL SEARCH, 2.23e (Revised February 1991)
PT-12                 June 1990       VIRUCIDE (Revised February 1991)
PT-17                 August 1990     F-PROT (Revised May 1991)
PT-23                 March 1991      VIREX-PC
PT-28                 February 1991   NORTON ANTIVIRUS (Revised 12 February 1991)
PT-34                 April 1991      IBM ANTI-VIRUS
PT-36                 June 1991       CENTRAL POINT ANTI-VIRUS

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 122]
******************************************
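Editor's added example (not part of the digest, and not code from ViruSafe, VIRx, TBSCAN or their vendors): the two detection approaches the product tests above describe, recognising a virus "by its appearance" (the signature scan of PT-41 paragraph 4.f, with its default executable-extension filter and "long" whole-file option) and detecting it by "attributes of change" (the PIC "Mark Programs" / "Check Integrity of Marked Files" cycle of PT-24 paragraph 4.i), written in modern Python. Everything specific is an assumption made for the demo: the signature byte patterns and the files written to a temporary directory are constructed; the 4096-byte limit of a "normal" scan and the extension set are guesses; and because PT-24 notes that the manual never says how PIC's "special digital signature" is computed, the integrity check uses a keyed HMAC, which an infector cannot recompute after patching a file the way it could an unkeyed checksum.

```python
"""Signature scanning ("by appearance") and keyed integrity checking
("by change"), as an added illustration for the reviews above. Not
vendor code; every constant and sample file here is invented for the demo."""
import hashlib
import hmac
import os
import re
import tempfile

# Constructed demo signatures, NOT real virus signatures. Space-separated
# hex bytes; "??" is a single-byte wildcard (a common signature-file idiom).
SIGNATURES = [
    ("Demo-COM", "e9 ?? ?? 44 45 4d 4f 31"),        # jmp xxxx ; "DEMO1"
    ("Demo-EXE", "b8 00 4c cd 21 44 45 4d 4f 32"),  # mov ax,4c00h; int 21h; "DEMO2"
]
EXEC_EXT = {".com", ".exe", ".sys", ".ovl"}  # default scan set (assumed)
HEAD_BYTES = 4096  # a "normal" scan reads this much; a "long" scan reads all (assumed)


def compile_sig(pattern):
    """Turn a hex signature with ?? wildcards into a bytes regex."""
    parts = [b"." if p == "??" else re.escape(bytes.fromhex(p))
             for p in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = [(name, compile_sig(p)) for name, p in SIGNATURES]


def scan_file(path, long_scan=False):
    """Return the names of all signatures found in one file."""
    with open(path, "rb") as f:
        data = f.read() if long_scan else f.read(HEAD_BYTES)
    return [name for name, rx in COMPILED if rx.search(data)]


def scan_tree(root, all_files=False, long_scan=False):
    """Walk root; by default only files with executable extensions are read."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if not all_files and os.path.splitext(n)[1].lower() not in EXEC_EXT:
                continue
            p = os.path.join(dirpath, n)
            found = scan_file(p, long_scan)
            if found:
                hits[os.path.relpath(p, root)] = found
    return hits


def mark_programs(root, key):
    """Baseline every executable: size, mtime and an HMAC over its contents.
    The key must be kept off the disk being checked (e.g. a write-protected
    floppy); with it, a patched file cannot be made to re-verify."""
    base = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if os.path.splitext(n)[1].lower() not in EXEC_EXT:
                continue
            p = os.path.join(dirpath, n)
            st = os.stat(p)
            with open(p, "rb") as f:
                mac = hmac.new(key, f.read(), hashlib.sha256).hexdigest()
            base[os.path.relpath(p, root)] = (st.st_size, int(st.st_mtime), mac)
    return base


def check_integrity(root, key, base):
    """Compare the disk against the baseline; return (file, what_changed)."""
    changed = []
    for rel, (size, mtime, mac) in base.items():
        p = os.path.join(root, rel)
        if not os.path.exists(p):
            changed.append((rel, "missing"))
            continue
        st = os.stat(p)
        with open(p, "rb") as f:
            now = hmac.new(key, f.read(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(now, mac):
            changed.append((rel, "contents"))
        elif (st.st_size, int(st.st_mtime)) != (size, mtime):
            changed.append((rel, "size/time"))
    return changed


def demo():
    """Write a constructed 'disk' to a temp dir and run both checks on it."""
    key = b"demo key - keep it off the disk being checked"
    with tempfile.TemporaryDirectory() as root:
        files = {  # all contents constructed for the demo
            "CLEAN.COM":  b"\xb4\x09\xcd\x21\xc3" + b"\x90" * 64,
            "INFECT.COM": b"\xe9\x10\x00DEMO1" + b"\x90" * 64,
            "README.TXT": b"notes: \xe9\x10\x00DEMO1 was seen in a file\n",
            "TAIL.EXE":   b"MZ" + b"\x00" * 5000 + b"\xb8\x00\x4c\xcd\x21DEMO2",
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        result = {
            "default":   scan_tree(root),                  # INFECT.COM only
            "all_files": scan_tree(root, all_files=True),  # + README.TXT
            "long":      scan_tree(root, long_scan=True),  # + TAIL.EXE (sig past 4096)
        }
        base = mark_programs(root, key)
        # Simulate an infector that patches CLEAN.COM in place, keeps the size
        # identical and restores the original date/time: only the digest catches it.
        clean = os.path.join(root, "CLEAN.COM")
        before = os.stat(clean)
        with open(clean, "r+b") as f:
            f.seek(5)
            f.write(b"DEMO1")
        os.utime(clean, (before.st_atime, before.st_mtime))
        result["changes"] = check_integrity(root, key, base)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run it as a script to see the four result sets. The default scan misses both the signature in the .TXT file and the one sitting beyond the head of TAIL.EXE, which is exactly why PT-41 lists the "all files" and "long" switches; and the integrity pass flags CLEAN.COM as changed even though its size and timestamp still match the baseline, which is the case a size/date-only check (and an unkeyed checksum, if the infector recomputes it) would miss.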