VIRUS-L Digest   Wednesday, 10 Jul 1991    Volume 4 : Issue 122

Today's Topics:

New reviews
Review of TBSCAN (PC)
Product Test - - ViruSafe (PC)
Product Test - - VIRx (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 10 Jul 91 15:17:15 -0400
From:    Kenneth R. van Wyk <[email protected]>
Subject: New reviews

The following three anti-virus product reviews have been received over
the past several days.  I decided to bundle them together in one
digest as time/space permitted.  All three, and a BUNCH of previous
reviews by both Rob Slade and Chris McDonald, are available by
anonymous FTP on cert.sei.cmu.edu (NEW IP number = 192.88.209.5) in
the pub/virus-l/docs/reviews directory.

As always, a wholehearted thanks to Rob and to Chris for their
excellent contributions.

Ken

Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
[email protected]  (work)
[email protected]   (home)
(412) 268-7090  (CERT 24 hour hotline)

------------------------------

Date:    Fri, 28 Jun 91 15:26:28 -0700
From:    [email protected] (Rob Slade)
Subject: Review of TBSCAN (PC)

                              Comparison Review

Company and product:

Frans Veldman
ESaSS B.V.
P.O. Box 1380
6501 BJ  Nijmegen
The Netherlands
Tel:  31 - 80 - 787 771
Fax:  31 - 80 - 777 327
Data: 31 - 85 - 212 395
   (2:280/200 @fidonet)
c/o Jeroen W. Pluimers/Smulders
P.O. Box 266
2170 AG Sassenheim
The Netherlands
work:  +31-71-274245   9.00-17.00 CET
home:  +31-2522-11809 19:00-23:00 CET
email: 2:281/521 or 2:281/515.3
email: [email protected]
      [email protected]
      ugw.utcs.utoronto.ca!rulgl.LeidenUniv.nl!FTHSMULD
Thunderbyte Scan promotional programs

Summary:

Resident and non-resident scanner and boot sector repair programs

Cost   free of charge

Rating (1-4, 1 = poor, 4 = very good)
     "Friendliness"
           Installation      2
           Ease of use       3
           Help systems      3
     Compatibility           2
     Company
           Stability         3
           Support           2
     Documentation           2
     Hardware required       3
     Performance             2
     Availability            2
     Local Support           1

General Description:

The programs tested are TBSCAN 2.2 dated 910314, TBRESCUE 1.2 dated
910211, and TBSCANX 2.6 dated 910419.  These are "freeware" (no charge
but copyright) programs distributed to promote the Thunderbyte
security card (product not available for testing.)  The scanners use
IBM's VIRSCAN signature file format, and are very fast, but provide no
disinfection.

                 Comparison of features and specifications


User Friendliness

Installation

Installation is a matter of copying the programs to disk and deciding
how to run them.  The documentation, while clear enough as to use,
does not supply much in the way of direction as to the invocation of,
say, the resident scanner, TBSCANX.

In another sense, the "use" of TBRESCUE is also its "installation", in
the production of a repair file, while it could be used, in its
"compare" mode, to check the system areas at boot time.

While an experienced user will be able to determine how best to use
these programs fairly easily, novice or intermediate users may not
have sufficient information to use them effectively.

Ease of use

The programs are fairly easy to use.  The command line switches should
not be strictly necessary for effective use, but can provide
significant extra information or use for the expert.

Help systems

If invoked incorrectly, the program displays a brief summary of the
command line switches.

Compatibility

During testing significant problems were encountered.  The
documentation does warn against the use of resident or pop-up
programs, and this may have contributed to the problem.  At this time,
the problems remain unresolved.

On one machine, TBSCAN would fail to check any files after a memory
checking program had been run.  No error message was displayed.

Company Stability

Unknown, but one report indicates that the company has recently made a
significant sale to Phillips.

Company Support

Contacts with the company have been sketchy so far.

Documentation

The English documentation is definitely written for the intermediate
or experienced user, and contains numerous grammatical errors.  It
does, however, provide some helpful and realistic discussion of the
limitations of these types of programs.  (This is to be expected,
since the programs are used for the promotion of the hardware card.)

Hardware Requirements

None stated.  Difficulty was encountered in running the program on an
old IBM compact/portable, but may have been related to programs run
before TBSCAN.

Performance

TBRESCUE will not work on a "floppy only" system.

TBSCAN and TBSCANX fail to identify the "Stoned" virus in memory,
although TBSCAN will identify it on disk.  TBSCANX will not alert you
to a boot sector infection when accessing (DIR or other) an infected
disk.

TBSCANX 2.2 failed to identify the Jerusalem virus in infected files,
although TBSCAN would identify them on disk.  TBSCANX 2.6 has fixed
this, but no longer permits you to run the files.  It still does not,
however, prevent Jerusalem from "going resident" and infecting other
files.  (Subsequently infected files, for some reason, will run,
although TBSCAN will terminate with no error message.  It will do this
when infected with a virus as well.)

Local Support

None provided.

Support Requirements

On a "scan only" basis, the program is simple to use.  Installation,
and disinfection will require expert assistance.

                                General Notes

The speed of the scanner, and its ability to use IBM's VIRSCAN
signatures (and have the user extend the signature file) make this a
handy tool for "first line" defense.  It does not, in its present
state, seem advisable to depend upon this product alone.

Also note - although the documentation states that the program is free
of charge, occasionally when invoking the TBSCANX program a message
appeared urging the user to register this "evaluation copy".

copyright Robert M. Slade, 1991   PCTBSCAN.RVW   910612

=============
Vancouver          [email protected]   | "If you do buy a
Institute for      [email protected] |  computer, don't
Research into      (SUZY) INtegrity         |  turn it on."
User               Canada V7K 2G6           | Richards' 2nd Law
Security                                    | of Data Security

------------------------------

Date:    Mon, 08 Jul 91 10:46:14 -0600
From:    Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Product Test - - ViruSafe (PC)

*******************************************************************************
                                                                         PT-24
                                                                     July 1991
*******************************************************************************


1.  Product Description:  ViruSafe is a commercial software package to detect,
disinfect and prevent computer viruses and malicious programs for the MS-DOS
environment.

2.  Product Acquisition:  ViruSafe is available from EliaShim Microcomputers,
520 W. Highway 436, Suite 1180-30, Altamonte Springs, FL 32714.  The commercial
telephone number is Area Code 407-682-1587.  The FAX number is Area Code
407-869-1409.  The suggested retail price for a single copy is $80.00.  Site
licenses are available.

3.  Product Testers:  Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN:  258-4176, DDN:
[email protected] or [email protected].

4.  Product Test:

   a.  I obtained an evaluation copy of ViruSafe (Version 4.02) in May 1991
from Mr. Bob Greenwald, the government account specialist for EliaShim
Microcomputers.  Mr. Greenwald had obtained my name and address from other Army
representatives.  The software arrived on a 5 1/4" write-protected disk with
a 56 page User's Manual.

   b.  Product tests occurred on the following systems:  (1)  Unisys PC, Model
3137, MS-DOS 3.10, 512K; and (2)  Unisys PC, Model 3137, MS-DOS 3.30, 640K.  The
minimum hardware and software configuration is as follows:  an IBM PC/XT/AT or
compatible computer using the MS/PC-DOS (Version 3.00 and up) with 512K.
Actual tests occurred from 24 May through 5 July 1991.

   c.  ViruSafe has several major components which a user can generally invoke
from a menu or from the DOS command line.  The first program, UNVIRUS.EXE,
performs detection and removal of known computer viruses and malicious
programs.  The second program, PIC.EXE, records information about files and
checks their integrity for signs of change.  This information includes the size
of the file, its contents, the date and the time.  The third program, VC.EXE,
detects and removes viruses active in memory and in the boot sector.  The
fourth program, VS.EXE, installs as a terminate-and-stay-resident (TSR) program
that detects and identifies viruses when they attempt to enter memory and
prevents infection of programs and boot sectors.  The fifth program,
VSCOPY.EXE, performs the DOS COPY function only after it checks that what a
user is attempting to copy is not infected by a known virus.  The sixth
program, VSMENU.EXE, is the menu-driven utility through which a user may
operate ViruSafe after installation.

   d.  ViruSafe has a utility for installing and uninstalling itself.  The
User's Manual contains instructions for using the program to test one's system
before actually installing it on a hard drive.  The instructions were adequate.
One invokes the menu by the command "vsmenu" at the DOS prompt.

   e.  Version 4.02 contains viral definitions for 412 known viruses and
mutations.  ViruSafe does identify the ten viruses which John McAfee once
proposed account for 95% of all reported infections.  ViruSafe can identify 92%
(i.e., 25 out of 27) of those viruses characterized as "common" by Patricia
Hoffman in her Virus Summary List, 15 May 1991.

   f.  Although I do not have code for all the malicious programs which
ViruSafe claims to detect, it did identify those 60+ viruses in my possession.
When ViruSafe identifies a known malicious program, it gives the user an
audible and visual alarm if one has directed the program to report such
information to the screen.  If one chooses to have the program direct all
results to a log file or to a printer, there is no audible or visual alarm.
The log file option will cause results to appear on the screen; however, the
screen clears automatically at the completion of the detection operation.

   g.  The "Check and Remove" menu has various options to check only for
virus signatures, to check and remove program viruses, to check and remove boot
sector viruses, to check and remove all file viruses, and to check only for a
virus in memory.  I tested all these options which functioned as documented.  I
did verify that all "check and remove" options were automatic.  So, for
example, if ViruSafe detects a virus in an .exe file, it will attempt to remove
the virus without any further user authorization or intervention.  The user
will have no permanent record of the detection and removal unless he or she has
asked for a printer or log file result.

   h.  The vendor representatives emphasized the disinfection capabilities of
ViruSafe in their discussions with me prior to the actual test.  I can say that
the product performed as advertised against those viruses in my possession.
One of the main menu options is a "List of Viruses Handled".  This list
identifies those viruses and malicious programs which ViruSafe can actually
remove.  I found this an extremely nice feature because I could determine in
advance, if I chose to do so, whether ViruSafe would perform disinfection.

   i.  The Program Integrity Check (PIC.EXE) option in the VSMENU offers a
user these features:

   (1)  Check Integrity of Marked Files

   (2)  Recalculate Marked Files

   (3)  Display List of Marked Files

   (4)  Mark and Save Boot Sectors

   (5)  Mark Programs

I tested all the options which performed as indicated.  I intentionally changed
the contents and size of various files.  In each case there was a notification.
I must emphasize that I made no deliberate attempt to defeat the mechanism
since that is beyond my capabilities.  The User's Manual states that Program
Integrity Check (PIC) is a "special digital signature, calculated for marked
files".  There is no other information on what exactly this calculation
entails.  I am not an expert on this subject but discussions on the Internet
and on Virus-L in particular can provide any user with additional information
in this area.

   j.  The VS.EXE TSR program performed as documented.  I successfully
caused the program to alarm under all of the stated events.  I must qualify
that malicious code in my possession is limited.  Any certification of 100%
effectiveness is beyond my capabilities.  The list of options allows one to
customize protection against "unknown" malicious programs and to closely
monitor system activity in general.  The VSMENU presents a user with these
options:

   (1)  Check Resident Programs (TSR)      [The default is OFF.]

   (2)  Check Access to Program Files      [The default is OFF.]

   (3)  Check Write to Boot Sectors        [The default is ON.]

   (4)  Check Diskettes Infection          [The default is ON.]

   (5)  Check Memory Infection             [The default is ON.]

   (6)  Write Protect Hard Disk            [The default is OFF.]

   (7)  Sound Warning Alarm                [The default is ON.]

   (8)  Check Memory Size Changes          [The default is ON.]

   (9)  Check Virus on Program Exit        [The default is OFF.]

   k.  The VSCOPY.EXE program functioned as described in the document.  I
tested with boot sector, .com and .exe viruses.

   l.  There is an Advanced Features option in the main VSMENU.  I tested
three of the selections which functioned as advertised.  I did not test the
selections to restore or to repair the master hard drive boot sector and
partition table.  The User's Manual in my opinion oversells the significance
of the features to display a boot sector and to provide a memory allocation
map.  These are not very helpful tools for viral and malicious code detection.

5.  Product Advantages:

   a.  ViruSafe provides a comprehensive approach to malicious code protection
in one program.  It offers detection, disinfection and prevention--a trend
which most commercial vendors now follow.

   b.  The product provides a good menu system to assist the novice user.

   c.  The product by version 4.0 allows a user to add new virus signatures
without a formal upgrade.  [Note:  I did not have the opportunity to test this
feature.]

   d.  EliaShim Microcomputers has established a credible reputation for
technical support of its products.  The technical representative was extremely
helpful during the evaluation period.

6.  Product Disadvantages:

   a.  The cost of the product may discourage many users who are already on
tight budgets.  Even if one pursued a site license agreement, it may be that
the risk management assessment will not support such protection for every PC
within the organization.

   b.  The User's Manual is accurate, but clearly has been overtaken by
upgrades to the product.  For example, although I received the Lan version of
the product, the manual has very little to say about network operations.  The
read.me file on the program disk contains information that at least by version
4.0 a user may add new virus signatures without a formal upgrade.  The manual
is silent on this subject.  There are other minor features which I noticed in
running the program which would be nice to document formally.

   c.  The TSR program offers a variety of protection capabilities which the
experienced MS-DOS user will appreciate.  It remains an open question as to
whether the majority of users within an organization will be able to configure
the TSR themselves, or whether they will be able to interpret and respond to
respective alarms.

7.  Comments:

   Fred Cohen's original paper on his first computer virus experiments
concluded that detection of viruses by their appearance or behavior was
"undecidable".  Yet seven years after the publication of his work, detection of
viruses by their appearance and behavior remains the most common form of viral
defense for the MS-DOS environment.

   ViruSafe provides the mechanisms to monitor attributes of change and to
recognize a virus by its appearance.  It also has an intrusion detection
capability through its TSR program.  The challenge for the user remains the
interpretation of what the TSR identifies as "suspicious" activity.  This
challenge is not unique to ViruSafe.  It does reinforce the proposition that,
if one chooses to acquire a product which integrates detection, disinfection
and prevention, one must have a strategy for supporting users in the
interpretation of alarms and probably in the actual configuration.

   The National Computer Security Association has issued a report "Virus
Scanners:  An Evaluation", dated March 4, 1991.  The report evaluates an
earlier version of ViruSafe so readers should recognize that my comments
pertain to version 4.02.  I obtained a copy of the report after the majority of
my tests were completed.  I am happy to report that it provided a quality
control measure on my own modest efforts.

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER              DATE            PRODUCT

PT-3                             November 1989   VIRUSCAN
                                (Revised February 1991)
PT-5                             December 1989   VIRUS BUSTER
PT-11                            June 1990       ANTI-VIRAL SEARCH, 2.24
                                (Revised February 1991)
PT-12                            June 1990       VIRUCIDE
                                (Revised February 1991)
PT-17                            August 1990     F-PROT
                                (Revised May 1991)
PT-23                            March 1991      VIREX-PC
                                (Revised May 1991)
PT-28                            February 1991   NORTON ANTIVIRUS
                                (Revised 12 February 1991)
PT-34                            April 1991      IBM ANTI-VIRUS
PT-36                            June 1991       CENTRAL POINT ANTI-VIRUS


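The Program Integrity Check described in paragraphs 4.c and 4.i records a file's size, contents, date and time and later reports changes.  The following is an added example written for this digest, not EliaShim's PIC.EXE, showing a "mark and check" integrity tool of that kind.  The manual quoted above does not say what PIC's "special digital signature" is; this example uses SHA-256 over the contents, which is an assumption, and it constructs its own sample files.  The scenario shows why the content digest matters: a file patched in place with the same size and its old timestamp restored is caught only by the digest.

```python
"""Added example (not part of the ViruSafe review or EliaShim's PIC.EXE):
a minimal 'mark and check' file-integrity tool that records size,
date/time and a content digest for each marked file and reports which
attributes changed.  SHA-256 is an assumption; PIC's own calculation is
not documented on the page."""
import hashlib
import os
import tempfile


def _digest(path):
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def mark_files(paths):
    """'Mark Programs': build a baseline of size, mtime (ns) and digest."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"size": st.st_size,
                       "mtime_ns": st.st_mtime_ns,
                       "sha256": _digest(p)}
    return baseline


def check_integrity(baseline):
    """'Check Integrity of Marked Files': return {path: [changed attributes]}.
    Files with no change are omitted; a missing file is reported as such."""
    findings = {}
    for p, rec in baseline.items():
        if not os.path.exists(p):
            findings[p] = ["missing"]
            continue
        st = os.stat(p)
        changed = []
        if st.st_size != rec["size"]:
            changed.append("size")
        if st.st_mtime_ns != rec["mtime_ns"]:
            changed.append("mtime")
        if _digest(p) != rec["sha256"]:
            changed.append("contents")
        if changed:
            findings[p] = changed
    return findings


def demo():
    """Constructed scenario: three stand-in program files.  a.com grows,
    b.exe is overwritten in place at the same size with its timestamp put
    back, c.com is left alone.  Returns findings keyed by file name."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("a.com", "b.exe", "c.com")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"\x90" * 64)  # constructed stand-in for a program image
    baseline = mark_files(paths)

    # a.com: bytes appended -> size and contents (and normally mtime) change
    with open(paths[0], "ab") as f:
        f.write(b"\xcc" * 8)

    # b.exe: same size, contents changed, old timestamp restored ->
    # only the digest can reveal the change
    st = os.stat(paths[1])
    with open(paths[1], "r+b") as f:
        f.seek(10)
        f.write(b"\xeb\xfe")
    os.utime(paths[1], ns=(st.st_atime_ns, st.st_mtime_ns))

    findings = check_integrity(baseline)
    return {os.path.basename(p): v for p, v in findings.items()}


if __name__ == "__main__":
    for name, attrs in demo().items():
        print(f"{name}: changed {', '.join(attrs)}")
```

A baseline of this kind is only as trustworthy as the storage it sits on; the review's point that PIC must be run before installing on the hard drive applies here too, since marking an already-modified file simply records the modified state as normal.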
------------------------------

Date:    Wed, 10 Jul 91 08:38:08 -0600
From:    Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Product Test - - VIRx (PC)

*******************************************************************************
                                                                         PT-41
                                                                     July 1991
*******************************************************************************


1.  Product Description:  VIRx is a copyrighted program written by Ross M.
Greenberg to detect computer viruses and malicious programs.  VIRx is the
detection portion (VPCScan) of the commercial protection program VIREX-PC
(reference PT-23, revised May 1991).

2.  Product Acquisition:  The program is free.  Mr. Greenberg has made it
available on many bulletin boards and software repositories, to include the
MS-DOS repository on simtel20 [192.88.110.20].  The current path on simtel20 is
pd1:<msdos.trojan-pro>virx16.zip.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN:  258-4176, DDN:
[email protected] or [email protected].

4.  Product Test:

   a.  I acquired version 1.5 and version 1.6 of VIRx from the simtel20 MS-DOS
repository.  Mr. Greenberg provided the programs directly to our repository
manager.

   b.  Product tests occurred on the following systems:  (1)  Unisys 286 PC,
Model 3137, MS-DOS 3.10, 512K; and (2)  Unisys 386 PC, Model PW 820-F, MS-DOS
4.01, 8MB.

   c.  Version 1.6 contains viral definitions for 501 known viruses,
variations and malicious programs.  VIRx can identify 96% (i.e., 26 out of
27) of those viruses characterized as "common" by Patricia Hoffman in her
Virus Summary List, 15 May 1991.

   e.  Although I do not have code for all the malicious programs which
VIRx claims to detect, it did identify 60+ viruses and variations in my
possession.  The program did not detect a copy of the Virus-101 research virus,
although documentation in VIRx version 1.6 identifies it as detectable.  I used
both the normal and -L "long" scan options with negative results.  The
Virus-101, according to several virus catalogs and summary lists, does nothing
but replicate, and is for all practical purposes extinct in the real world.
McAfee Associate's VIRUSCAN, Skulason's F-PROT and the Norton Anti-Virus
product were three programs which did alarm on my copy of the Virus-101.

   f.  One invokes the VIRx program by the syntax "virx [drive specification]"
or for example "virx c:\".  By default the program will only scan files with
known executable extensions, such as .com and .exe.  The more significant
options include switches to scan only a specified or a default directory; to
scan the entire contents of a file or a "long" scan; to scan all types of files
not just those with executable extensions; to record the results of a scan
operation in a log file; and to scan memory above 640K to just under 1
Megabyte.

   g.  I tested all these options which functioned as described in the
documentation file.  The only false positive or conflict which I found in
running VIRx against other detection programs was that it identified two
executable programs within the commercial program ViruSafe as infected with the
"Stoned-A (New Zealand 1)".  I did test for conflicts against Viruscan,
Avsearch, Virucide, F-PROT, Virex-PC, ViruSafe, Norton Anti-Virus, IBM
Anti-Virus Product, TbScan, and Central Point Anti-Virus.

5.  Product Advantages:

   a.  VIRx appears to provide excellent detection capabilities at no cost.

   b.  The operation of the program is simple.  VIRx is one of the fastest,
if not the fastest, detection program available at this time.

   c.  The author of the program has established a credible reputation for his
work.

6.  Product Disadvantages:

   a.  Free programs may not always be free.  Microcom has a marketing
interest in encouraging users to migrate from the free detection program to its
more comprehensive commercial program Virex-PC.  One cannot predict how long
Mr. Greenberg or the vendor will allow users the free use of one-third of its
commercial program.

   b.  VIRx is a detection program only.  Users will need some other program
for disinfection and prevention capabilities.

   c.  There is naturally no formal technical support for the product.  While
it is possible to contact Mr. Greenberg over the Internet, Microcom will only
support the "complete version of the VIREX-PC program".

7.  Comments:

   The National Computer Security Association has issued a report "Virus
Scanners:  An Evaluation", dated March 4, 1991.  The report evaluates an earlier
version of the VPCScan element of VIREX-PC.  While it would be unfair to
make a direct comparison between the VPCScan evaluation and this product test
of version 1.6 of VIRx, a reader can obtain additional information and
confirmation of its detection capabilities.

   VIRx documentation for the last several versions states that the program
will warn a user when it becomes "outdated".  This is a welcome change from the
first version in which the program would cease to function on a specified
cut-off date.  The notification will alert a user to the need to obtain an
update.

   A final observation is that, while Mr. Greenberg has issued versions 1.4,
1.5, and 1.6 of VIRx, I as a registered user of VIREX-PC have yet to receive
any notification from Microcom of an actual upgrade to the commercial
product.  Registration, according to the literature, should result in automatic
notifications of all revisions when they become available.  This reinforces for
me the position that one cannot rely exclusively on a single product for viral
protection.  In this case the availability of other programs for disinfection
and prevention becomes essential until such time as the vendor revises
VIREX-PC.  It also supports Mr. Greenberg's documentation which suggests that
one use VIRx in conjunction with the current version of the commercial program.



FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER              DATE            PRODUCT

PT-3                             November 1989   VIRUSCAN
                                (Revised February 1991)
PT-5                             December 1989   VIRUS BUSTER
PT-11                            June 1990       ANTI-VIRAL SEARCH, 2.23e
                                (Revised February 1991)
PT-12                            June 1990       VIRUCIDE
                                (Revised February 1991)
PT-17                            August 1990     F-PROT
                                (Revised May 1991)
PT-23                            March 1991      VIREX-PC
PT-28                            February 1991   NORTON ANTIVIRUS
                                (Revised 12 February 1991)
PT-34                            April 1991      IBM ANTI-VIRUS
PT-36                            June 1991       CENTRAL POINT ANTI-VIRUS

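Both the TBSCAN review (a user-extendable signature file in IBM's VIRSCAN format) and paragraphs 4.f and 4.g above (default scanning of executable extensions, a "long" scan of the whole file, and a false positive on another scanner's program files) describe how a signature scanner behaves.  The following is an added example written for this digest, not code from TBSCAN, VIRx or any product reviewed here.  Its signature file format (`NAME  hex bytes`, with `??` as a one-byte wildcard) is a constructed one, not the VIRSCAN format; the quick-scan window size and the sample files are likewise constructed.

```python
"""Added example (not code from TBSCAN, VIRx or any product on the page):
a minimal signature scanner showing a text signature file the user can
extend, a default scan of executable extensions only, a quick head/tail
scan versus a 'long' scan of the entire file, and the false positive that
arises when another scanner's own files carry the same byte patterns.
Format, window size and sample files are constructed for the demo."""
import os
import re
import tempfile

DEFAULT_EXTENSIONS = {".com", ".exe"}
QUICK_SCAN_WINDOW = 64  # bytes examined at each end of a file (constructed value)

# Constructed signatures for this demo; not patterns of any real virus.
SIGNATURE_FILE = """# NAME        HEX BYTES ('??' matches any single byte)
DEMO-ALPHA  41 4c 50 48 41 2d 53 49 47      # 'ALPHA-SIG'
DEMO-BETA   42 45 54 41 ?? 53 49 47         # 'BETA' + any byte + 'SIG'
"""


def parse_signatures(text):
    """Parse 'NAME HEX' lines into (name, compiled byte regex) pairs."""
    sigs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, hexstr = line.split(None, 1)
        hexstr = hexstr.replace(" ", "")
        pattern = b""
        for i in range(0, len(hexstr), 2):
            pair = hexstr[i:i + 2]
            pattern += b"." if pair == "??" else re.escape(bytes([int(pair, 16)]))
        sigs.append((name, re.compile(pattern, re.DOTALL)))
    return sigs


def scan_bytes(data, sigs):
    """Names of all signatures found in data, in signature-file order."""
    return [name for name, rx in sigs if rx.search(data)]


def scan_file(path, sigs, long_scan=False):
    """Quick scan looks only at the first and last QUICK_SCAN_WINDOW bytes,
    where file-infecting viruses usually attach; long scan reads it all."""
    with open(path, "rb") as f:
        data = f.read()
    if long_scan or len(data) <= 2 * QUICK_SCAN_WINDOW:
        return sorted(scan_bytes(data, sigs))
    head = scan_bytes(data[:QUICK_SCAN_WINDOW], sigs)
    tail = scan_bytes(data[-QUICK_SCAN_WINDOW:], sigs)
    return sorted(set(head) | set(tail))


def scan_directory(root, sigs, long_scan=False, all_files=False):
    """Return {file name: [signature names]} for every file with a hit."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for n in sorted(names):
            ext = os.path.splitext(n)[1].lower()
            if not all_files and ext not in DEFAULT_EXTENSIONS:
                continue
            found = scan_file(os.path.join(dirpath, n), sigs, long_scan)
            if found:
                hits[n] = found
    return hits


def demo():
    """Constructed directory: a clean file, a marker near the entry point,
    a marker in the middle, a text note quoting a pattern, and a file
    standing in for another scanner's signature table."""
    sigs = parse_signatures(SIGNATURE_FILE)
    d = tempfile.mkdtemp()
    files = {
        "clean.com": b"\x90" * 300,
        "head.exe": b"MZ" + b"ALPHA-SIG" + b"\x00" * 300,
        "middle.com": b"\x90" * 200 + b"BETA-SIG" + b"\x90" * 200,
        "notes.txt": b"pattern list: ALPHA-SIG\n",
        "sigdb.dat": b"ALPHA-SIG BETA_SIG",
    }
    for n, body in files.items():
        with open(os.path.join(d, n), "wb") as f:
            f.write(body)
    return {
        "quick": scan_directory(d, sigs),
        "long": scan_directory(d, sigs, long_scan=True),
        "long_all": scan_directory(d, sigs, long_scan=True, all_files=True),
    }


if __name__ == "__main__":
    for mode, hits in demo().items():
        print(mode, hits)
```

The "long_all" result is the VIRx false-positive case in miniature: sigdb.dat holds the same bytes the scanner is looking for, so a scan that covers all files flags it even though it is a signature table rather than an infected program.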
------------------------------

End of VIRUS-L Digest [Volume 4 Issue 122]
******************************************