From lehigh.edu!virus-l Tue Sep 29 15:39:09 1992
Date: Tue, 29 Sep 1992 08:31:19 -0400
Message-Id: <9209291207.AA13078@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #157
Status: R

VIRUS-L Digest   Tuesday, 29 Sep 1992    Volume 5 : Issue 157

Today's Topics:

    Product Test 45, Virus Prevention Plus, version 5.10 (PC)
    Revision to Product Test 3, VIRUSCAN, Version 93 (PC)
    Exactly 1000 words on Sophos "VACCINE" (PC)
    Review of Intel LANProtect (PC)
    Review of VDS (PC)
    Review of Data Physician Plus (PC)
    Product Test 46, Citadel (Mac)
    Antivirus BBS list

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 27 Jul 92 07:40:34 -0600
From:    Chris McDonald ASQNC-TWS-R-SO
Subject: Product Test 45, Virus Prevention Plus, version 5.10 (PC)

*******************************************************************************
                                                                   PT-45
                                                               July 1992
*******************************************************************************

1. Product Description: Virus Prevention Plus is a commercial software program to provide access control and virus protection for IBM PC or MS-DOS compatible systems. This product test addresses version 5.10.

2. Product Acquisition: The product is available from PC Guardian Security Products, 118 Alto Street, San Rafael, CA 94901. The account representative who provided me an evaluation copy was Mr. Dan Marley, 1-800-288-8126. Site licenses are available.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-5712, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I received an evaluation copy of Virus Prevention Plus, version 5.10, in June 1992. The program arrived on one 5 1/4" high density disk with a 129 page Operators Manual. The virus protection component of the product is Fridrik Skulason's F-PROT (reference product evaluation, PT-17, revised February 1992).

b. I tested the product on a Zenith 248, MS-DOS 3.30 and on a Gateway 2000 386/25, MS-DOS 5.0. The minimum system requirement, according to the documentation, is IBM or MS-DOS, version 3.3, 4.0, or 5.0 with 512K of free memory. The documentation does identify that certain hardware vendors, such as Wyse, Zenith, Tandon and NEC, may modify DOS resulting in incompatibilities with Virus Prevention Plus. My testing on the Zenith system was only to confirm this fact. The test period extended from June 22 to July 15, 1992.

[Moderator's note: The remainder of this product review (and MANY other product reviews) is available by anonymous FTP on cert.org (192.88.209.5) in the pub/virus-l/docs/reviews/pc directory, under the filename mcdonald.virus.prev.plus.]
------------------------------

Date:    Thu, 30 Jul 92 08:17:01 -0600
From:    Chris McDonald ASQNC-TWS-R-SO
Subject: Revision to Product Test 3, VIRUSCAN, Version 93 (PC)

******************************************************************************
                                                                    PT-3
                                                           November 1989
                                                       Revised July 1992
******************************************************************************

1. Product Description: VIRUSCAN is a shareware program to detect known viral signatures for IBM PC and compatible computers. If one utilizes available options, it may be possible to identify the presence of unknown malicious code. This product test revision addresses Version 8.6V93.

2. Product Acquisition: Viruscan is available from the McAfee Associates bulletin board, from other bulletin boards, and from hosts on the INTERNET to include simtel20 [192.88.110.20]. The registration fee is $25.00 for individual users in a home environment for one year. Site licenses are also available for commercial, government, and university environments. The McAfee Associates board number is 408-988-4004. The mailing address is McAfee Associates, 3350 Scott Boulevard, Building 14, Santa Clara, CA 95054-3107. Registration includes free assistance from McAfee Associates for manually removing any virus found or for information on disinfection utilities. The telephone number for assistance is 408-988-3832.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-5172, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I obtained a copy of Version 30 of the product in August 1989 through a download from the MS-DOS repository on the Army host simtel20. The repository manager obtains all McAfee Associates shareware software directly from the vendor. I have continued to download and test each successive version over the last three years. This revision supersedes the September 1991 evaluation test report.

[Moderator's note: The remainder of this product review (and MANY other product reviews) is available by anonymous FTP on cert.org (192.88.209.5) in the pub/virus-l/docs/reviews/pc directory, under the filename mcdonald.viruscan.]

------------------------------

Date:    Wed, 22 Jul 92 08:54:48 -0700
From:    rslade@sfu.ca (Robert Slade)
Subject: Exactly 1000 words on Sophos "VACCINE" (PC)

PCSOPHOS.RVW  920721

                              Comparison Review

Company and product:

Sophos Limited
21 The Quadrant
Abingdon Science Park
Abingdon, Oxfordshire OX14 3YS
UK
(0235) 559933
fax: (0235) 559935
Vaccine-Anti-Viral Software

Summary: Change detection and scanning

Cost

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation        2
            Ease of use         2
            Help systems        1
      Compatibility             2
      Company
            Stability           3
            Support             1
      Documentation             2
      Hardware required         2
      Performance               3
      Availability              2
      Local Support

General Description:

The SWEEP program appears to be a very minor component of the package, suggested only for use to check for existing viral programs before installing the VACCINE change detection. VACCINE provides the calculation of the check value, but the detection of any changes is done by the DIAGNOSE program. SU is a utility program which allows examination and some manipulation of disk and memory areas.

                  Comparison of features and specifications

User Friendliness

Installation

The Sophos VACCINE package is shipped on non-writable disks, both 5 1/4" and 3 1/2" low density media. After having reviewed so many antiviral programs that demand you trust them with your hard disk (Trust us!), it was refreshing to see that Sophos actually suggests that you install the program onto a floppy disk! Unfortunately, this means nothing, as the installation program refuses to install the package unless a hard disk is present. In fact, none of the programs except SWEEP will work on a floppy-only system. The documentation does give detailed instructions for manual installation.
As the SWEEP program is intended only as an initial check, nothing is said about updating the program. However, the documentation does warn that it "has a limited useful life", and the program itself warns if it is more than four months old.

Ease of use

Basic functions of the programs can be accessed reasonably easily. However, specification of some of the command line options and "lists" of items to check would definitely be beyond the grasp of novice users, and likely beyond intermediate users as well.

Help systems

Some "online" help systems are provided, but they do not provide much assistance.

Compatibility

Company Stability

Sophos is a fairly major player in the system security field, in minicomputer and communications systems as well as micro software. It is also the publisher of the "Virus Bulletin" periodical (and convener of that publication's conference).

Company Support

Only the address, phone and fax numbers are given: no mention is made of support. (If SWEEP detects a virus a message instructs the user to call Sophos "for advice".) It is noteworthy that my review copy arrived with a note saying that the related D-Fence program would be dispatched "next week". In spite of waiting eight months before committing the review to paper, the program has never arrived.

Documentation

There are five "manuals" shipped with the VACCINE package. Four are packaged together in a binder: the "Quick Start Manual", "VACCINE User Manual", "Using VACCINE in a large organisation" and "Sophos Utilities User Manual". The fifth, "Data Security Reference Guide", is paperbound separately. The user manuals are definitely technical reference level. There is a great deal of information regarding the use of the program for the experienced user. There is also information regarding the limitations of the program, or best means of use, but this is often very brief, and one has to be almost looking for it to find it. The general description of viral programs is extremely limited.

Some of the points are plainly incorrect. For example, the description of viral programs states that "[a]fter some time, all programs on the hard disk will be infected" thus implying that all viral programs are file infectors, and then goes on to list a number of viri, the first three of which are boot sector infectors. Among the "rules" for avoiding viral programs are the same tired "avoid BBSes, avoid shareware, buy commercial" themes. The manual also appears to claim that a change detection system can prevent damage by trojan horse programs and logic bombs.

The "Data Security Reference Guide" appears to be a separate item. The name and separate binding would imply that this is a textbook for security issues. Slightly more than half of the book (the last half) is a catalogue of the security products Sophos sells. The first part covers general security related issues, such as choice of password. Fully half of the pages in this first section are devoted to a chapter on "Computer Viruses". This chapter is an odd mix of the magnificent (helpful diagrams of items ranging from boot sector viri to write protect tabs) and the useless (BBSes are evil, commercial software is good). Overall the reference guide would be a helpful learning tool for educating users about data security, but only with direction and additional material.

Hardware Requirements

None of the programs, except SWEEP, will work on a floppy only system.

Performance

The documentation admits, albeit briefly and unwillingly, to the weaknesses of change detection, and even specifically mentions that "stealth" type viral programs will not be detected if the virus is active. The ability to "snapshot" areas of memory, the interrupt table and specific (system) areas of the hard disk is a valuable plus. The SWEEP program functions quite well against common viral programs with the exception that it tends to "find" more than one virus in an infected file (up to eight in the case of a single "Jerusalem" infection).

Local Support

None provided.

Support Requirements

A novice user, installing this on a system after all other software had been installed, would likely be provided with good protection against viral programs. However, it is likely that use of this product in any normal business operation would require the support of personnel expert in computer use as well as viral operation.

General Notes

One would have to say that VACCINE is a product for the use of experts. The package seems to tacitly admit this with the additional section of the manual for use in a large concern. As a tool for serious support personnel, the product does provide very significant utilities for protection of computer systems.

copyright Robert M. Slade, 1992   PCSOPHOS.RVW  920721

=============
Vancouver      ROBERTS@decus.ca        | Life is
Institute for  Robert_Slade@sfu.ca     | unpredictable:
Research into  rslade@cue.bc.ca        | eat dessert
User           p1@CyberStore.ca        | first.
Security       Canada V7K 2G6          |

------------------------------

Date:    Mon, 31 Aug 92 22:31:56 -0700
From:    rslade@sfu.ca
Subject: Review of Intel LANProtect (PC)

PCINTEL.RVW  920831

                              Comparison Review

Company and product:

Intel Corp.
3065 Bowers Ave.
Santa Clara, CA 95051
USA
503-629-7000
Sales:    800-538-3373    44-793-431-155
BBS:      503-645-6275    44-793-432-955
Fax:      800-458-6231    503-629-7580    44-793-431-166
FaxBACK   800-525-3019    44-793-432-509    503-629-7576
Pay:      900-288-7700 ($30 per call)    44-793-431-144
          44-793-421-777 (French)
          44-793-421-333 (German)

LANProtect 1.0

Summary: Netware scanner with scheduling utility.

Cost

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation        2
            Ease of use         2
            Help systems        1
      Compatibility             2
      Company
            Stability           3
            Support             3
      Documentation             1
      Hardware required         2
      Performance               2
      Availability              2
      Local Support             1

General Description:

Detect-only scanner with scheduling provisions. Server-based within a network.
                  Comparison of features and specifications

User Friendliness

Installation

Shipped unprotected on writable media, both 720K and 360K disks. The product received is identified as a "30 day test drive version". This may account for the fact that it doesn't work. An installation program is provided. There is no provision for manual installation. You must install with "SUPERVISOR" rights. Therefore, you must have an expendable Netware system to test this product.

Ease of use

The product uses the standard Novell menuing system interface, and should not be difficult to use. However, the product appears to have much the same options as Novell security in general, and therefore a thorough grounding in Novell security would seem to be a pre-requisite.

Help systems

None provided.

Compatibility

A special "Michelangelo" disinfector is provided. The documentation for it states that it will overlay an infected boot sector with a "standard" boot sector. This it does. Bootable disks will thus become unbootable. As it only overlays the boot sector, it is ineffective against Michelangelo infections on hard disks: likely a good thing. You wouldn't want to lose your partition table.

Company Stability

Intel? Surely you jest.

Company Support

A number of options for communicating with Intel's NetDirect system are listed. Registered users receive signature updates for a year. Note that the "800" numbers for the US and Canada do, indeed, work from Canada.

As with everyone else, Intel received a copy of the initial evaluation for their own review. I received a telephone call from one of their service people who asked about some of the points raised. He seemed to be quite genuinely interested in the points raised, and asked about other antiviral software that addresses the shortcomings of the LANProtect product. He also stated that the "current" product is now 1.5, and that it does contain some disinfection capability.

Documentation

The documentation is extremely short. It gives directions on the invocation of the program, and some of the options in terms of when to scan, who to report the results to, and so forth. There is a READ.ME file on disk which contains errata. It also suggests that "Detailed information on viruses can be obtained through a product such as:" and then presents a promotional blurb for the Hoffman Virus Summary list. Probably a good thing.

The "What is a Computer Virus" section is terse to the point of being useless. I'll bet you didn't know that a BSI could "spread via the network cabling". Or that a "TSR" virus "infect[s] all files as they are run" (like DIR-II, perhaps?). And, of course, we have the obligatory mention of the modem as a source of infection.

Hardware Requirements

Novell Network.

Performance

The manual lists endorsements from both Novell and the NCSA: the NCSA has slightly more cautious wording. Note that no disinfection capability is mentioned for this product.

Local Support

None provided.

Support Requirements

Likely requires thorough knowledge of Novell security provisions.

copyright Robert M. Slade, 1992   PCINTEL.RVW  920831

=============
Vancouver      ROBERTS@decus.ca        | "Kill all: God will know his own."
Institute for  Robert_Slade@sfu.ca     |   - originally spoken by Papal
Research into  rslade@cue.bc.ca        |     Legate Bishop Arnald-Amalric
User           p1@CyberStore.ca        |     of Citeaux, at the siege of
Security       Canada V7K 2G6          |     Beziers, 1209 AD
=============
for back issues:
Contacts list: cert.org, /pub/virus-l/docs/reviews
Reviews:       cert.org, /pub/virus-l/docs/reviews/pc
Column:        cert.org, /pub/virus-l/docs/slade.cvp.articles
For those without ftp, see Jim Wright's posting, or use Cyberstore.
Also FREQ from 1:153/733 The Cage 604-261-2347.

------------------------------

Date:    Fri, 11 Sep 92 16:06:51 -0700
From:    rslade@sfu.ca
Subject: Review of VDS (PC)

As usual, I have given the developers a chance to respond to the draft review. I have made some minor changes on the basis of this response, but I suspect that Tarken will be responding to this review at great length.

PCVDS.RVW  920911

                              Comparison Review

Company and product:

VDS Advanced Research Group
P.O. Box 9393
Baltimore, MD 21228
(410) 247-7117
e-mail: tyetiser@ssw02.ab.umd.edu
VDS 2.1 change detector and scanner

Summary: Change detection with emphasis on hard disk system area protection

Cost: $25 for single user, many other options

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation        2
            Ease of use         3
            Help systems        1
      Compatibility             1
      Company
            Stability           1
            Support             1
      Documentation             2
      Hardware required         2
      Performance               2
      Availability              2
      Local Support             1

General Description:

VDS is change detection software with hard disk boot sequence protection features. VDSFSCAN is a scanner which appears to be merely an adjunct to the change detection program. The installation procedure is obviously concerned with detecting and avoiding pre-existing viral infections, particularly of boot sector viral programs. VITALFIX is an MBR saving/repair program.

                  Comparison of features and specifications

User Friendliness

Installation

VDS was originally announced as shareware. Disks were shipped to me from VDS Advanced Research Group, along with a printed version of the documentation which is shipped with the shareware archive. I initially received a copy of version 2.0, and later a copy of 2.1. Along with the manual, but not bound in, was a single sheet "VDS 2.10 Installation Guide". Some references in this document, and in the manual itself, seem to indicate that the normally distributed shareware version does not have the full set of features of the package, but these passages are unclear and open to other interpretations. In any case, I am not sure of which of the seemingly many possible "versions" (trial, registered, complimentary, personal, academic, charity or business) I have reviewed.
(In response to the initial draft of the review, I was told I had received a registered version.)

Installation is a manual process. That it cannot easily be fully automated is obvious from the fact that the system must be "cold booted" at least twice during the process. The procedure is lengthy, but carefully explained. There are some points at which a familiarity with DOS would be of assistance in understanding some options, but this should not present a problem to a reasonably intelligent person. The instructions in the manual are quite clear, but the files presented on-screen at parts of the installation process are less so. At one point the user is directed to re-boot the computer: this, of course, is not what is desired. The instruction refers to the re-booting that should have taken place earlier, but this may not be clear to a novice user. Once the last part of the installation starts a windowed screen is presented. There is little for the user to do at this point, so the reason for the interface or display is unclear.

Certain parts of the installation instructions seem to indicate, to the knowledgeable user, that the MBR is replaced: this is never confirmed. There is also no "uninstall" procedure listed. At a later point in the documentation, the possibility of saving, backing up or replacing the MBR with the VITALFIX program *is* discussed, but there is still no confirmation or denial of any modification during the installation process. The VDS documentation does state that the drivers installed remove themselves from memory after checking, and this appears to be true. Testing of installation seems to indicate that no modification is made to the MBR. (This was confirmed in the response to the draft review.)

Installation should take about half an hour, or perhaps slightly less with practice. The last stage, that of "checksumming" each file, took eight minutes on an XT with a 20 meg hard disk.

Installation must be done individually: a driver is customized for each machine, and, presumably, drivers could only be compatible if the BIOS, memory and disk partitioning are identical between machines.

Ease of use

The VDS program presents a "windowed" interface, but there are, in fact, no user options on it. The only options are in the command line switches used on invocation. About the only useful options in the command line switches are those for either more speed, or more thoroughness in verification. Note that if one wishes to use the "turbo" mode for initial checking at boot time the command line switch must be manually added to the entry in the AUTOEXEC.BAT file.

VDSFSCAN, on the other hand, does have menu options, but does not have any command line switches listed in the documentation. (In response to the draft review, I was told that it does have command line switches; these can be listed with the /? switch.) Therefore, there is no possibility of, for example, disabling memory checking, or speeding up the scanning process.

Help systems

None provided. In fact, VDSFSCAN does tell you that help is available through the F1 key: the F1 key does nothing perceptible. (This is disputed by the developers. F1 is supposed to provide "context sensitive" help. However, in testing it did not.)

Compatibility

VDS is incompatible with "disk expansion" software, and certain other similar programs. This is seen by the developers as unavoidable.

Company Stability

Unknown.

Company Support

For product support, only the postal address is given. Although a phone number is given in the documentation, it is specifically restricted to software orders only.

Documentation

The original documentation for VDS 2.0 was very flippant, and resulted in a very negative reaction to the product from some quarters. In particular, the version 2.0 documentation made very negative comments about other (unnamed) antiviral products. The version 2.1 documentation is more serious in tone, but some passages are best understood in light of possible reaction to earlier negative comment. There are sections identified as "meant to be funny" and some remarks that "sensitive individuals should skip this section". The "VDS Risk Factor Analysis Test" is one of the sections that has been criticized. I feel this criticism is unwarranted. The test, while not perfect, does give a reasonable measure of risk, and has not been attempted before at this level.

The documentation, overall, is best described as "patchy". Although the grammar is improving, and the tone is generally very readable, there is little substantive material. An initial reading left me wondering whether I had missed some section explaining the use of the program. While the manual protests that the information cannot be revealed without jeopardizing the security of the system, this seems to have been taken to extremes. However, there are nuggets of knowledge interspersed throughout the manual.

Hardware Requirements

MS-DOS 3.x or higher, must be installed on hard disk, and in specified directory, cannot be used with "drive expansion" software. None of the programs, in fact, will run "uninstalled", and so they afford absolutely no protection to "floppy only" systems, or LAN stations with no local hard drive. One of the disk files seems to indicate that VDSFSCAN can be run on any system: this is not true. A possible alternate explanation is that it may work on some of the drives that VDS is not normally compatible with. However, since the programs do not appear to work if not installed as directed, this would seem to be moot. (The developers protest this section, and say that VDSFSCAN will run not only uninstalled, but will run on a "single floppy" system because the entire program can be loaded into memory and other floppy disks can be scanned when the program disk has been removed. This is an advantage, and one which some scanners lack. However, my own observation is that VDSFSCAN will not run unless it has been installed, but that it can then be copied to a floppy and used on a floppy only system. This still means that one must have a hard disk to install the program onto, before it can be run on other systems.)

A "known clean" MS-DOS system disk with MS-DOS files is also required for the installation process.

Performance

The initial verification at boot time adds two minutes to the boot process on an XT with a 20 meg drive. If the "turbo" switch is added manually, the results are significantly faster.

VDSFSCAN is able to detect most common viral programs. A fairly large number in the test suite were missed, including all examples of Washburn programs used. A large number of those infections detected were misidentified. However, as disinfection appears limited to erasure, this need not be a problem. (The "cure" option of VDS appears limited to system areas of the disk.) Scanning is definitely only a sidelight for this package.

Local Support

None provided.

Support Requirements

The package, while seemingly aimed at the novice user, still would require at least an intermediate level knowledge of MS-DOS. Even at that, a thorough reading of the manual would seem to be in order.

General Notes

The installation procedure for VDS appears to be directed at the novice user who may already be infected with a virus. The attempt is laudable, and may provide additional security to the process. However, certain aspects of the implementation still require significant work. The program is recommended for intermediate users as having a strong detection component to add to other antiviral measures.

Reaction to the draft review elicited the information that some of the problems mentioned in the review are now being addressed, particularly that of being able to schedule checking of the disk. Mention was also made of plans to release a commercial version of VDS.

copyright Robert M. Slade, 1992   PCVDS.RVW  920911

==============
Vancouver      ROBERTS@decus.ca        | "If you do buy a
Institute for  Robert_Slade@sfu.ca     |  computer, don't
Research into  rslade@cue.bc.ca        |  turn it on."
User           p1@CyberStore.ca        |  Richards' 2nd Law
Security       Canada V7K 2G6          |  of Data Security

------------------------------

Date:    Wed, 16 Sep 92 18:32:43 -0700
From:    rslade@sfu.ca
Subject: Review of Data Physician Plus (PC)

PCDATPHS.RVW  920914

                              Comparison Review

Company and product:

Digital Dispatch, Inc.
55 Lakeland Shores Road
Lakeland, Minn 55043-9601
612-436-1000
800-221-8091
Data Physician Plus! 3.1A

Summary: Resident and non-resident scanning, disinfection, activity monitoring, change detection

Cost

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation        2
            Ease of use         2
            Help systems        1
      Compatibility             3
      Company
            Stability           2
            Support             2
      Documentation             2
      Hardware required         4
      Performance               2
      Availability              2
      Local Support             1

General Description:

VIRHUNT is a non-resident scanner, change detector and disinfector (with "generic" disinfection). RESSCAN is a resident scanning program (with a Windows compatible component WIN-RS and a network component, RS-NET). VIRALERT is an activity monitor (with a Windows component, WIN-VA). ANTIGEN adds a change detection module onto executable files, which can also disinfect unknown viral programs which do not change original code, and can add password protection to programs to prevent unauthorized use. Two other (file viewing and "Disk Killer" recovery) utilities are included. Also notable is the fact that the installation program will save copies of the CMOS and "boot records" of the hard drive.

                  Comparison of features and specifications

User Friendliness

Installation

Data Physician Plus! is shipped on two writable and unprotected 360K diskettes. (Each is clearly stamped with the serial number in very large, clear digits: not always an easy item to find on any software.)
A "Quick Start" sheet, separate from the manual, suggests that you simply run RESSCAN, and then use VIRHUNT if a virus is discovered. (RESSCAN, by default, does a full scan of the disk when invoked, and then remains resident.) The manual is fairly imposing and technically oriented at first glance. (It is unbound, printed one side, and three-hole punched.) Page 11 is the first mention of installation, and suggests that you might wish to run the INSTALL program in order to copy the files into whichever directory you choose. It also states that INSTALL gives a description of each program, but that you should read the rest of the manual at some point anyway. INSTALL is a "menued" program, but it is hard to say that it is very useful. It does describe the programs, but does so in language that a novice would likely not be comfortable with. The description is not very long, but is followed by the full list of command line options for the program. Programs are installed one at a time or "all" (you do not choose which ones you want and then have them all installed at once) and is limited to not much more than a copying function. (ANTIGEN is not included in the installation options.) It is difficult, therefore, to understand the need for the installation program at all. INSTALL does have two interesting features. One is the "Recovery" function, which allows the CMOS and boot sector (and presumably the MBR, although this is not explicitly stated) to be stored offline, and restored if necessary to recover a "damaged" disk. (This function is shared by VIRHUNT.) The other is the ability to create "batch" files for running the various programs. A "fill in the blanks" form is presented, and a batch file is created which will run the specified program with the specified options. (The F1 key is stated to give "information": this turns out to be simply the program descriptions as above.) 
A major deficiency in this function is that the default filename for the batch files is always the same. At first I thought that this meant one batch file could be created in order to run all the programs, but this is not so. Each batch file overwrites the previous one: if a filename exists the user is not warned that the previous file will be lost. (With this in mind, the option to "pause" the batch file if a virus is found becomes somewhat ridiculous.) Do *NOT* use this on AUTOEXEC.BAT. (After installation of a program, there is a similar function to update AUTOEXEC.BAT. It will install RESSCAN and RS-NET in AUTOEXEC. It allows the user the option to backup AUTOEXEC.BAT before changing it.) Ease of use The interface, while not overly difficult, is not particularly easy or consistent. A user familiar with a variety of interfaces will likely be able to find out how it works by trial and error, but a novice may get stuck in certain places. A number of the options are difficult to figure out. Partially this is simply a matter of the complexity of a "useful" system. (Data Physician has a large number of options which could be helpful in a wide variety of situations.) However, in a number of cases it is based upon poorly chosen wording or a lack of information. For example, ANTIGEN can not be used from a write protected disk, even when it is protecting files on another, since it creates temporary work files in its own area. However, the error message is extremely terse and gives no indication of the real problem. As another example, once a list of files for ANTIGEN to protect has been selected, the command to proceed is "Quit". Even having read the manual thoroughly, and after having gotten VIRHUNT to create a signature file for change detection, it took me three runs, by trial and error, to find the correct setting to have VIRHUNT use the signature file to "generically remove" a new virus. A number of option combinations give odd results. 
For example, in order to use the "generic disinfection", one must "turn off" virus checking. However, if virus checking is turned off while scanning to *create* the change detection signature files, a file with no signatures is created. (To make matters worse, if you specify creation of the signature file, any previous file is overwritten without warning.)

Help systems

Little provided. A list of viral programs and their "characteristics" is provided in VIRHUNT: it is extremely terse and of very little use.

Compatibility

Data Physician appears to be very compatible with a variety of hardware, networks and Windows.

Company Stability

Digital Dispatch's antiviral programs have been on the market for many years, although not widely publicized or marketed. Other products by the company are unknown.

Company Support

Nothing is mentioned about support, specifically, except that if you get a copy of a new virus to DDI, they will get a fix out by the next day. However, you have to hunt around a bit in order to find the address and phone number. (In fact, the printed address only ever mentions the five digit Zip code. The "5+4" code is found in the "About DDI" section of the VIRHUNT program.) In suggesting that you send a copy of a virus to them, mention is made of sending it by modem: no BBS number is listed anywhere.

Documentation

The documentation is not necessarily poorly written, but is extremely technical in nature. Some of the early sections are a bit jarring in the sudden changes of subject that go on. As the technical reference sections appear, the writing becomes more confident. The type of document DDI is used to producing is very obvious. There is little general discussion of viral programs, nor of the strengths and weaknesses of various portions of the program. There is a substantial READ.ME file on the disk.
Also, the documentation for the virus description language (for specifying newly found, or your "own", viral programs) is almost entirely on the disk file CIL.DOC.

Hardware Requirements

At least one disk drive, 384K and MS-DOS 2.x or higher. All of the programs will run on a single floppy system.

Performance

Virus scanning is relatively slow, in comparison to other current products. Most common viral programs are detected, but not all. Identification of some new viral programs which are similar to older ones is not particularly good.

Change detection is effective with VIRHUNT, as is the generic disinfection. ANTIGEN, however, is much less so. On one test, it did not detect the presence of an infection, although the "protective" code seemed to go through the checking cycle twice. (That test also allowed the infection of other files.) In another test, the infection was caught and successfully removed, but only after infection of another file had occurred. ANTIGEN was never able to stop the infection operation, be it direct action or memory infection. ANTIGEN will conflict with programs with internal loaders or non-standard headers.

Local Support

None provided.

Support Requirements

It is unlikely that the novice user would be comfortable using the program at all. The intermediate user may be able to obtain some protection through the use of the program, but is unlikely to be able to utilize it to the fullest extent. Advanced support personnel should be responsible for the installation and configuration of the program.

General Notes

This is definitely a program for the advanced technical user with a good background in antiviral protection. The package contains a number of protective layers and options, and can perform in a great many situations. The configuration and command line options allow for many different kinds of protection in different environments. It is, however, not a product for the average user.
It can certainly be installed on a novice's system by advanced technical support, and contains a number of options for doing exactly that in a large corporate environment. The ability to specify notices to users in the event of infection and the configuration files are two examples here. The product would also be of use to the serious virus researcher supporting a user population. The CIL virus specification language is extremely detailed, and much more effective, in this case, than simple string searching capabilities of other scanners.

Recommended for the advanced technical user with advanced knowledge of computer viral programs, in a large user population with centralized responsibility for security.

copyright Robert M. Slade, 1992   PCDATPHS.RVW   920914

==============
Vancouver      ROBERTS@decus.ca     | "It says 'Hit any
Institute for  Robert_Slade@sfu.ca  |  key to continue.'
Research into  rslade@cue.bc.ca     |  I can't find the
User           p1@CyberStore.ca     |  'Any' key on my
Security       Canada V7K 2G6       |  keyboard."

------------------------------

Date: Mon, 31 Aug 92 08:15:04 -0600
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Product Test 46, Citadel (Mac)

******************************************************************************
PT-46                                                             August 1992
******************************************************************************

1. Product Description: Citadel is a commercial access control and malicious program detector/disinfector product for the Macintosh. It also provides additional utilities for encryption and for media sanitization.

2. Product Acquisition: Citadel is available from Microcom, Inc., P.O. Box 51489, Durham, NC 27717. The telephone number is 919-490-1277. The price from the vendor has varied between $50.00 and $99.00 depending upon special promotions and upon whether a customer has already purchased other Microcom products. Site licenses are available. There are also a variety of mail order firms which offer significant savings on a single copy purchase.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-5712, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I obtained my copy directly from Microcom under a promotional offer for those customers who had purchased other Microcom products. I discovered that Citadel includes a complete copy of Microcom's Virex program. Virex provides virus and trojan horse signature detection and disinfection as well as tools to potentially detect "new" malicious code. Since I have previously evaluated Virex under Product Test 10, revised February 1992, this review will forego any additional analysis. Product testing of Citadel occurred on a Mac IIcx, OS 6.0.5, and extended from June 1 through August 10, 1992. The version tested was 1.0 which is System 7 compatible.

[Moderator's note: The remainder of this product review (and MANY other product reviews) is available by anonymous FTP on cert.org (192.88.209.5) in the pub/virus-l/docs/reviews/mac directory, under the filename mcdonald.citadel.]

------------------------------

Date: Mon, 31 Aug 92 22:48:00 -0700
From: rslade@sfu.ca
Subject: Antivirus BBS list

Having culled all my resources, here is the first (semi) formal cut at a BBS listing. Waiting to receive corrections and additions. Thanks to Bill Dirks, Sara Gordon and Jon Freivald for some responses to my first "rough" cut.

The V.I.R.U.S./Virus Doctor BBS List

For sorting purposes the wide variety of bracket, slash, space and hyphen placement have been removed from the phone numbers. Apologies for the difficulties this may cause with European numbers, but those familiar with the areas should be able to sort them out. In order to avoid line wrap on Fidonet mail readers, the "node number" has been "right justified" at 75 columns. For those on the Internet, it is possible to send mail to these systems.
The node number is in the format <zone>:<net>/<node> and can be converted to an Internet address as user.name@f<node>.n<net>.z<zone>.fidonet.org so that Rob Slade may be reached at The Cage (1:153/733, see "604") as Rob.Slade@f733.n153.z1.fidonet.org or at Cardz as Rob.Slade@f7050.n153.z1.fidonet.org or at Deep Cove as Robert.Slade@f915.n153.z1.fidonet.org

Key:
AM = Amiga
AT = Atari
MC = Macintosh
PC = MS-DOS

Fidonet echoes carried:
VIRINF = VIRUS_INFO
VIR = VIRUS
WRN = WARNINGS

Files archived:
CVP = Computer Viral Programs column
RVW = Antiviral reviews

In this initial draft of the listing the numbers have been collected from sigblocks and taglines from messages on the three virus related Fidonet echoes (discussion areas). All BBSes listed in the CONTACTS.LST have also been included. Where verification is possible, the "node number" is followed by a "V" and the initials of the reviewer.

0209313663 >The board is Fred's BBs and the number is We have a lot
0418807845 Alba Maximus, Glasgow [Line2 HST] (2:259/2)
053303902 KIM Gebruikersclub Nederland (KGN) - /328506 (2:512/32)
053328506 KIM Gebruikersclub Nederland (KGN) - (2:512/32)
093348175 Ed's BBS, Sulzdorf, FRG (2:246/86)
2013401340 The Quill & Inkpot BBS * Garfield, NJ * (1:2604/407)
2054792327 The Intrepid BBS -- Mobile, AL -- VIR (1:3625/467.0)
2128896438 Ross Greenburg Software Concepts Design Flushot, VIRx
2132765263 Gilmore Systems FICHECK/MFICHECK change detection software
2133202523 Trend Micro Devices Inc. PC-cillin
2133242188 Ashton-Tate/Borland Control Room with antiviral utility
2142381805 Master Control node 2 * Dallas * (1:124/5107)
2156234897 Stiller Research Runway BBS Integrity Master
2156236203 Stiller Research Runway BBS Integrity Master
2156236845 Stiller Research Runway BBS Integrity Master
2163561431 Nerd's Nook - HST (1:157/3)
2167528134 Certus International
2192348004 Treasure Chest ML-TBBS - South Bend, IN VIR (1:227/3)
2192732431 VFR Systems Sara Gordon VIRINF/VIR/WRN/NET/INT (1:227/190)
27012283124 Virus section available on RGN BBS (5:7101/32)
27317655045 SOFTEL Monster BBS - Natal - Node 2 (5:7103/1.0)
3018635312 The Combat Zone(TM) (1:2612/10)
3019485717 National Institute of Standards and Technology (NIST)
3036517745 The Eighth Dimension (1:104/118.0)
3093876690 Zeller East - - GROVELAND, IL! (1:232/43)
3153770281 Big Hole [HST/DS] (2:283/303)
3153773628 Big Hole /770281 [HST/DS] (2:283/303)
31703898822 INFOdesk BBS The Hague, Frans Hagelaars VIRINF/VIR (2:512/2)
3177870559 De Werkplaats bbs Venlo Ned (2:500/255)
3224606546 RTV-SAT BBS * Belgium * * 5 lines at V32b (2:291/709.108)
3531711047 TOPPSI [1] - Dublin - Ireland -773547 / (2:263/151.0)
3531773547 TOPPSI [1] - Dublin - Ireland - /711047 (2:263/151.0)
3592737484 Lab of Computer Virology Bulgaria Assen Sharlandjiev (2:359/110)
4013646343 The Razors Edge - Richmond, RI VIRINF (1:323/401.0)
4032867545 THE MESSHALL [Calgary, AB] HST DS (1:134/73)
4044438693 SpacePort Atlanta - [Supra 14.4] (1:133/524.0)
4048795985 ATLANTA-ATLANTA PCUG (They have 5 high speed lines)
4052480528 The Bargain BBS Lawton, OK (1:385/17.0)
4082440813 Patricia M. Hoffman Virus Summary Document
4089739598 Symantec/Peter Norton Norton AntiVirus and Norton Utilities
4089884004 --- BBS McAfee
4109749305 The North Star - RA/FD - VIR (1:261/1108)
4126783202 McKeesport Pa. (1:129/165)
4129813151 Mabel's Mansion Sharon, PA (1:2601/100)
4154542893 International Microcomputer Software (IMSI) VirusCure Plus
4158261707 Foley Hi-Tech Systems Safety Disk
4158618290 Coconino County San Francisco, CA (1:125/28)
4167690022 Peter Avgerinos. SysOp of CompuNet. (Node 1) Node 2:(1:250/407)
4167693401 Peter Avgerinos. SysOp of CompuNet. (Node 1) Node 1:(1:250/407)
44494724946 S&S International Ltd. Dr. Solomon's Anti-Virus Toolkit
44617072008 DOA The UK's Number 1 AntiVirus BBS (2:250/110)
44793432955 Intel Corp. LANProtect 1.0
4626275710 Mikael Larsson (2:205/204)
5023662349 the Southwest Cemetery of Psychos * (1:2320/140)
5024259941 TopSoft Support - 9942 (1:2320/4)
5024259942 TopSoft Support - (1:2320/4)
5033905057 RUDE BBS SALEM, OR (1:105/609)
5033935540 Resource (franchised DPS)
5034882251 International Computer Virus Institute Eliminator
5035917882 ATC Aloha,Or. VIRINF (1:105/343)
5036235530 White Dragon BBS Dallas Or. USA - VIRINF (1:105/630)
5036456275 Intel Corp. LANProtect 1.0
5048862157 WSTPC BBS Nolan Lee (1:390/5)
5068497511 Programmer's Corner [9600 CSP/V32b] (1:255/6.0)
5085282295 COMPUTER CONFIDENT! HST,5 GIG,100s echos (1:322/594)
5088758009 MSI S/W BBS-Framingham MA (1:322/327)
5123211324 The Rendezvous BBS,Hayes V32_Bastrop,Tx VIRINF (1:382/92)
5147281247 Radio-Amateur BBS Mtl. Que. USR DS (1:167/134)
5164835841 Wizzard's Cave Jon Freivald INT
6025692420 * Origin: The Virus Exchange - Phoenix, AZ - (1:114/189)
6029706901 RG Software Systems Diskwatcher 2.0, ViSpy, Virus Bulletin
6035369618 The Hobby Center bbs, Plymouth,NH, (1:132/180)
6042612347 TheCage;MC/PC;VIRINF/VIR/WRN/NET/INT;CVP/RVW archive(1:153/733) Vrms
6045257715 RAVE; PC; no net, CVP-VC archive Vrms
6045263676 CyberStore, $; AM/AT/MC/PC; Virus Doctor feed Vrms
6045365885 Deep Cove, $; AM/AT/MC/PC; no net; RVW archive (1:153/915) Vrms
6047345901 Cardz, part $; MC/PC; VIRINF/VIR/WRN (1:153/7050) Vrms
6124821716 Calmer Software Services TBSCAN, TBRESCUE, TBSCANX, Thunderbyte card
6135472479 Challenged-I For the abled. Kingston,ON, (1:249/138)
6137313419 Steve Tibbett VirusX for Amiga
6154422833 Thunderbyte Support USA * * Tenn. * (1:3643/1)
6155263347 Cumberland BBS TN HST-V32bis (1:3637/1)
6192840799 The Programmers WorkShop SD CA CSP,v.32B (1:202/204)
6194571836 NetLink Online Communications TSCAN125 TVSCAN110
6622555981 Bangkok Security Associates
7033690672 OS/2@Manassas (703)FOX-0-OS2 (1:265/101)
7037201624 End of the Line BBS, Duane Brown VIRINF/NET (1:274/16)
7038153244 SENTRY NET BBS @ Doug Stevens VIRINF/VIR (1:109/229)
7045681663 Carolina Forum *IBM/AMIGA/MAC* 1031 Meg (8:926/2)
7065683151 Hill Side BBS (1:3613/1)
7084597267 * Origin: >>>>>> THE HELL PIT BBS <<*>> <<<<<< (1:115/459.0)
7149231031 The Diamond Bar BBS - - Ontario, CA (1:207/101)
7176893123 Brinkman's Hollow USR HST 214 Megs (1:268/324)
8092694970 Ranger BBS "No One Leaves Here Alive" (1:367/23)
8139800228 Does Your Mother Know? Tampa, FL. HST/DS (1:377/37)
9142250501 WINCOMP OPUS (1.99.11) (1:272/29.0)
9146776948 Bear Heaven BBS Walter & Debbie Bodin VIR (1:272/53)
9147626954 Implosion BBS : : Millwood, NY : (1:272/54)
9163448146 SILVERADO EXPRESS,No. Highlands,CA. VIRINF (1:203/1102)
9169659361 The Genesis Satellite System (1:203/965)
9194191602 Microcom Software Division Virex-PC, also Virex for Mac - scanner

=============
Vancouver      ROBERTS@decus.ca     | "The only thing necessary
Institute for  Robert_Slade@sfu.ca  |  for the triumph of evil
Research into  rslade@cue.bc.ca     |  is for good men to do
User           p1@CyberStore.ca     |  nothing."
Security       Canada V7K 2G6       |      - Edmund Burke

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 157]
******************************************
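The BBS list post above describes two small transformations: phone numbers stripped of brackets, slashes, spaces and hyphens so the list sorts, and Fidonet node numbers of the form zone:net/node mapped to user.name@f<node>.n<net>.z<zone>.fidonet.org gateway addresses. The following is an added Python example, not code from the original post or from Robert Slade, that implements both and parses a list line into its phone number, node number and "V" + initials verification mark. The regular expressions and function names are this example's own; the p<point> prefix used for a non-zero point address (z:n/f.p) is the usual Fidonet gateway convention and is an assumption here, since the post only shows node addresses. The three sample entries are copied from the list above.

```python
import re

# Fidonet node number "zone:net/node" with an optional ".point" suffix,
# e.g. "1:153/733" or "2:291/709.108".  Regex written for this example.
_NODE_RE = re.compile(r"^(\d+):(\d+)/(\d+)(?:\.(\d+))?$")
# A node number given in parentheses inside a list entry, e.g. "(1:153/733)".
_LIST_NODE_RE = re.compile(r"\((\d+:\d+/\d+(?:\.\d+)?)\)")
# Trailing verification mark: "V" plus the reviewer's initials, e.g. "Vrms".
_VERIFIED_RE = re.compile(r"\sV([a-z]+)\s*$")


def fidonet_to_internet(user_name, node_number):
    """Map a Fidonet user name and node number to the gateway form
    user.name@f<node>.n<net>.z<zone>.fidonet.org given in the list post.
    Spaces in the name become dots ("Rob Slade" -> "Rob.Slade").
    A non-zero point (z:n/f.p) is prefixed as p<point>.f<node>...; that
    prefix is the usual Fidonet gateway convention and is an assumption
    here, since the post only shows node (non-point) addresses."""
    m = _NODE_RE.match(node_number.strip())
    if not m:
        raise ValueError(f"not a Fidonet node number: {node_number!r}")
    zone, net, node, point = m.groups()
    local = ".".join(user_name.split())
    host = f"f{node}.n{net}.z{zone}.fidonet.org"
    if point and point != "0":
        host = f"p{point}.{host}"
    return f"{local}@{host}"


def normalize_phone(raw):
    """Strip brackets, slashes, spaces and hyphens (any non-digit), which is
    what the post says was done to the numbers so that the list sorts."""
    return re.sub(r"\D", "", raw)


def parse_entry(line):
    """Split one list line into its phone number, description, Fidonet node
    number (if one is given in parentheses) and the initials of the reviewer
    who verified the entry (trailing "V" + initials), if any."""
    phone, _, rest = line.strip().partition(" ")
    if not phone.isdigit():
        raise ValueError(f"entry does not start with a phone number: {line!r}")
    verified_by = None
    m = _VERIFIED_RE.search(rest)
    if m:
        verified_by = m.group(1)
        rest = rest[: m.start()]
    m = _LIST_NODE_RE.search(rest)
    node = m.group(1) if m else None
    return {"phone": phone, "description": rest.strip(),
            "node": node, "verified_by": verified_by}


def gateway_address(user_name, line):
    """Internet address for a user on the BBS in a list line, or None when
    the entry carries no Fidonet node number (e.g. a vendor support BBS)."""
    entry = parse_entry(line)
    if entry["node"] is None:
        return None
    return fidonet_to_internet(user_name, entry["node"])


# Three entries copied from the list in the post, used as sample input.
SAMPLE_ENTRIES = [
    "6042612347 TheCage;MC/PC;VIRINF/VIR/WRN/NET/INT;CVP/RVW archive(1:153/733) Vrms",
    "6045365885 Deep Cove, $; AM/AT/MC/PC; no net; RVW archive (1:153/915) Vrms",
    "4089884004 --- BBS McAfee",
]

if __name__ == "__main__":
    print(normalize_phone("(604) 261-2347"))
    for line in SAMPLE_ENTRIES:
        entry = parse_entry(line)
        print(entry["phone"], entry["node"], entry["verified_by"],
              gateway_address("Rob Slade", line))
```

Entries without a parenthesised node number (vendor support boards such as the McAfee BBS) yield no gateway address, which matches the post: only Fidonet nodes are reachable through the fidonet.org gateway.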