Date: Mon, 8 Feb 1993 11:19:35 -0500
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #20

VIRUS-L Digest             Monday,  8 Feb 1993        Volume 6 : Issue 20

Today's Topics:

    Revised Product Test 34, IBM Anti-Virus Scanning Program, v2.2.3 (PC)
    Revised Product Test, CPAV, version 1.4 (PC)
    Product Test 58, Virus Buster, version 3.93 (PC)
    Product Test 60, Virus Terminator (PC)
    Revised Product Test 32, Mactools, version 2.0 (with CP Anti-Virus) (Mac)
    Product Test 53, Gatekeeper (Mac)
    How to review antiviral software (general)
    Review and column checklist
    Review of ViruSafe (PC)
    Review of "Computer Viruses and Data Protection", Burger (general)
    Review of Thunderbyte Utilities (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .
Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 19 Nov 92 14:08:10 -0700
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revised Product Test 34, IBM Anti-Virus Scanning Program, v2.2.3 (PC)

*******************************************************************************
                         PT-34 Revised November 1992
*******************************************************************************

1. Product Description: The IBM Virus Scanning Program is a program to detect computer virus signatures in the PC-DOS (MS-DOS) and OS/2 environments. This product test addresses version 2.2.3, which is a part of the IBM Anti-Virus Product version 2.2.3.

2. Product Acquisition: The program has been available from the IBM Corporation in a variety of options. Through October 1992 it had been available for an initial licensing fee of $35.00. IBM has now announced two new products: (a) the IBM AntiVirus/DOS and (b) the IBM AntiVirus/2. Users should contact an IBM representative at 800-551-3579 for specific cost and technical information on these programs, which are in my perception replacements for the IBM Anti-Virus Product.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5506, DSN: 258-7548, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY other product reviews) is available by anonymous FTP on cert.org (192.88.209.5) in: pub/virus-l/docs/reviews/mcdonald.ibm.antivirus]

------------------------------

Date: Mon, 30 Nov 92 14:42:55 -0700
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revised Product Test, CPAV, version 1.4 (PC)

*******************************************************************************
                         PT-36 Revised November 1992
*******************************************************************************

1. Product Description: Central Point Anti-Virus (CPAV) is a product to detect, disinfect, or remove viral signatures. It also provides protection against the introduction of "unknown" and/or malicious code through integrity checking (checksumming) and through the detection of "suspicious" activity. This test report addresses version 1.4.

2. Product Acquisition: CPAV is available from Central Point Software, Inc., 15220 N.W. Greenbrier Parkway, Suite 200, Beaverton, OR 97006-5764. The published customer service number is 503-690-8090. The list price for a single copy is $129.00. Site licenses are available. Central Point has announced that CPAV will be bundled within PC-Tools, version 8.0.

3. Product Testers: Don Rhodes, Information Systems Management Specialist, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN: 258-8174, DDN: drhodes@wsmr-emh04.army.mil; Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN: 258-7548, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY other product reviews) is available by anonymous FTP on cert.org (192.88.209.5) in: pub/virus-l/docs/reviews/pc/mcdonald.cpav]

------------------------------

Date: Sun, 07 Feb 93 16:35:18 -0700
From: Chris McDonald STEWS-IM-CM-S
Subject: Product Test 58, Virus Buster, version 3.93 (PC)

*******************************************************************************
                              PT-58 February 1993
*******************************************************************************

1. Product Description: Virus Buster consists of a collection of programs which provide for access control, boot protection, checksumming, signature scanning, system monitoring, and restoration. This product test addresses version 3.93.

2. Product Acquisition: Virus Buster is available from Leprechaun Software International, Ltd., P.O. Box 669306, Marietta, GA 30066-0106. The Sales telephone number is 404-971-8900 or 800-521-8849. The FAX number is 404-971-8828. The cost of the product appears to be dependent upon volume. Corporate and Government site licenses are available for either perpetual or 5 year licenses. An annual maintenance fee applies to corporate/site license holders at 15% of the existing license value.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN: 258-7548, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY other product reviews) is available by anonymous FTP on cert.org (192.88.209.5) in: pub/virus-l/docs/reviews/pc/mcdonald.virus.buster]

------------------------------

Date: Sun, 07 Feb 93 16:47:29 -0700
From: Chris McDonald STEWS-IM-CM-S
Subject: Product Test 60, Virus Terminator (PC)

*******************************************************************************
                               PT-60 January 1993
*******************************************************************************

1. Product Description: Virus Terminator is a program to detect known virus signatures and to monitor changes to specified files in the MS-DOS and DR-DOS environments. This product test addresses version 2.1.

2. Product Acquisition: The program is copyrighted by COSMI, Inc., 431 N. Figueroa Street, Wilmington, CA 90744. The telephone number is 310-835-9687. The program is also found in discount software establishments for under $20.00.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5506, DSN: 258-7548, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.
[Moderator's note: The remainder of this product review (and MANY other product reviews) is available by anonymous FTP on cert.org (192.88.209.5) in: pub/virus-l/docs/reviews/pc/mcdonald.virus.terminator]

------------------------------

Date: Fri, 27 Nov 92 09:16:22 -0700
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revised Product Test 32, Mactools, version 2.0 (with CP Anti-Virus) (Mac)

******************************************************************************
                         PT-32 Revised November 1992
******************************************************************************

1. Product Description: MacTools is a collection of utilities that provide data protection and recovery as well as virus identification, prevention and removal for the Macintosh. This product test addresses version 2.0, which includes CP Anti-Virus.

2. Product Acquisition: The commercial program is available from Central Point Software, Inc., 15220 N.W. Greenbrier Parkway, Suite 200, Beaverton, OR 97006-5764. One sales number identified in the documentation is 800-445-2110. The published customer service number is 503-690-8090. The list price for a single copy is $149.00. A variety of mail order services offer single copies at significantly reduced costs.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5506, DSN: 258-7548, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY other product reviews) is available by anonymous FTP on cert.org (192.88.209.5) in: pub/virus-l/docs/reviews/mac/mcdonald.mactools]

------------------------------

Date: Sun, 07 Feb 93 16:40:38 -0700
From: Chris McDonald STEWS-IM-CM-S
Subject: Product Test 53, Gatekeeper (Mac)

******************************************************************************
                               PT-53 January 1993
******************************************************************************

1. Product Description: Gatekeeper and Gatekeeper Aid are freeware programs which work in conjunction to address malicious software activity. Gatekeeper is a program designed to continuously monitor the operation of a Macintosh, watching for operations that are commonly carried out by viruses as they attempt to spread. Gatekeeper Aid is a program that searches for and removes families of known viruses which Gatekeeper either can't stop at all, or can't stop completely enough to render harmless. This product test addresses version 1.2.6. {Version 1.2.7 was released one day after distribution of this report, with no major changes which affect its contents.}

2. Product Acquisition: Gatekeeper is available from numerous Internet archive sites. The author, Chris Johnson, places the latest version on the host microlib.cc.utexas.edu in the directory microlib/mac/virus. The author will even accept U.S. mail requests under specific conditions, but only as a last resort. Mr. Johnson's mail address is 3311 Red River #305, Austin, TX 78705. His electronic addresses are as follows: (a) Internet at chrisj@emx.cc.utexas.edu; (b) UUCP at {husc6|uunet}!cs.utexas.edu!ut-emx!chrisj; (c) BITNET at chrisj@utxvm.bitnet; (d) Apple Link at chrisj@emx.cc.utexas.edu@internet#; (e) CompuServe at >INTERNET:chrisj@emx.cc.utexas.edu; and (f) MCI Mail at TO Chris Johnson (EMS), EMS Internet, MBX chrisj@emx.cc.utexas.edu.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5506, DSN: 258-7548, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY other product reviews) is available by anonymous FTP on cert.org (192.88.209.5) in: pub/virus-l/docs/reviews/mac/mcdonald.gatekeeper]

------------------------------

Date: Fri, 20 Nov 92 18:45:51 -0800
From: rslade@sfu.ca
Subject: How to review antiviral software (general)

VIREVIEW.GEN   921120

Reviewing Anti-virus Products

I am quite certain that the first question to do with "anti-viral" or other data security packages will be "which one is best?" This ignores two vitally important points. The first is that "the best" may not be good enough by itself. No security force would ever pick "the best" guard, and then leave him to guard an entire refinery by himself. The second point is that, even within the limited realm of anti-viral programs, data security software operates in many different ways. Thus, one type of security may be better in one situation, while another variety may be better in a different environment. (Which make better guards, dogs or men? Wise security firms use both.)

There are basically five "classes" of anti-viral packages: activity monitors, change detection software, operation restricting software, encrypting software and scanners. Each type has its own strengths and weaknesses.

Before going into detail on the specific types of programs, I would like to address some issues which can be applied to reviewing any antiviral software. Aside from the specific efficacy against large numbers, and certain types, of viral programs, there are considerations of "user" aspects of the system in question. This does not relate solely to the chimera of "user-friendliness", but to the fact that a given system is intended not only to be somehow effective against viral programs, but must be used by a "user population" in a given work, social and technical environment.

It is very easy to "rank" antiviral software on the basis of how many viral programs or strains it will identify.
It is not quite as easy to assess many other, more important, features. Although there may be more than 2000 different strains of viral programs in the MS-DOS "world" (fewer in the other environments), one percent of that number are likely responsible for ninety nine percent of infections. Thus it is of far greater importance that, for example, one particular antiviral program does not prevent infection by the "Stoned" virus (as of this writing the most common virus), than that it "protects" against literally thousands of others.

Also of very high importance is the fact that the proportion of computer users who have a thorough understanding of viral operations in comparison to the total user population is so small that it is statistically insignificant. Therefore, it is vital that any antiviral program be judged on the basis of installation and use by "naive" users. A "naive" user in this case may be one with significant technical skills, but little background in regard to viral programs.

(I realize that my statement regarding the naivete of computer users may be extremely controversial. Recall, however, that there are about one hundred million users of MS-DOS, and then compare that with the number of people who take an active interest in prevention of computer viral programs. Note that less than a quarter of computers have any defense against viral attack. Note a "clipping file" covering 30 general computer industry periodicals over a period of two years with only eleven articles on computer viral programs. Note also the very high sales of some highly publicized programs known by the virus research community to have very definite shortcomings.)

It is critical, therefore, to judge the interaction of the program with the user. Again, this interaction is not simply the presence or absence of a menu, but the total intercourse between the program and the user, by way of the documentation, installation, and user interface and messages.

It is important to note how the total package "comes to" the user. Given that the user's system may already be infected, what can the package do to remedy the situation? Also, while the package may have significant strengths if installed correctly, is the "normal" user likely to be able to do the setup and installation properly?

Part of the assessment of the user is the user environment. This aspect covers not only the "corporate culture" (e.g. home user, user in a large corporation with internal support staff, etc.) but also the operating system environment. For example, the MS-DOS environment has a very large number of viral strains, with more being produced every day. The Macintosh environment has relatively few viral programs. Therefore, "generic" identification of "new and unknown" viral programs is more important to MS-DOS users than to Macintosh. (Interestingly, while Macintosh antivirals are quite mature, and protected Macintosh systems have a negligible infection rate, the infection rate on unprotected Macs is astronomical. This, too, should be taken into account.)

Related to the interaction of the user and the program is the potential negative impact of the security program. Antiviral programs consume time and disk space, and may also interfere with the normal operation of the computer system. As Jeff Richards' first law of data security has it, you can guarantee security if you don't buy a computer. It's just not a very useful alternative. Computer systems can be secured more and more by restricting the operations more and more, but restriction of "dangerous" operations also restricts useful ones. There comes a point at which the trade-off for greater security becomes more than users want to pay.

There are other factors that contribute to the value of antiviral software that can be judged on the same basis as any other software. To turn, however, to the specifics of antiviral software, there are:

Activity Monitors

Activity monitoring software, which was often referred to as a "vaccine" by commercial software houses, is memory resident and watches for "suspicious" activity. It may, for example, check for any calls to "format" a disk while a program other than the operating system is "in control". It may be more sophisticated, and check for any program that attempts to alter or delete a program file. It is, however, very hard to tell the difference between a word processor updating a file and a virus infecting a file. Activity monitoring programs may be more trouble than they are worth by continually asking for confirmation of valid activities. They also may be bypassed by viri that do "low level" programming rather than using the standard operating system "calls".

It is very difficult to specify, in advance, what you should check for in activity monitoring software, since the developers are loath to state, in specific detail, exactly what the program will be checking for. (This reluctance is understandable: if a developer "advertises" exactly what the product checks for, virus or "trojan" writers will simply use another route.) Activity monitoring software should be thoroughly tested in a "real" working environment (one that uses all the programs you normally do, in the ways you normally use them) for some time in order to ensure that the vaccine does not conflict with "normal" operation.

While activity monitors have a good chance to detect viral activity of "new" and unknown viral strains, it would be very difficult to agree with those that claim to be able to detect "all current and future" viral programs. While it might generally be held to be a "good thing" to prevent changes to the file allocation table, it is unlikely that FAT or "system" viri could have been foreseen prior to the existence of the "DIR" family. Activity monitors are also unlikely to work well against "companion" type viral programs without specific safeguards in place.

Change detection software

Change detection software examines system and/or program files and configuration, stores the information, and compares it against the actual configuration at a later time. Most of these programs perform a "checksum" or "cyclic redundancy check" (CRC) that will detect changes to a file even if the length is unchanged. The disadvantages of this system are 1) it provides no protection, but only notification after the fact, 2) some change detection software is limited to operating system software only, 3) you must "inform" the software of any changes you make in the system and 4) change detection software may not "see" changes made by "stealth" viri. Some versions of this software run only at "boot time", others check each program as it is run. Some of these programs attach a small piece of code to the programs they are "protecting", and this may cause programs which have their own change detection features, or non-standard internal structures, to fail.

A major factor in judging change detection systems is that of installation and operation time. Since the system will be calculating "signatures" of all (or all selected) programs on your system (sometimes with very sophisticated algorithms), it may take some time to install, and to "re-install" each time you make a change to your system. It may also take an unacceptable amount of time to check out a program before it will allow it to run. You should also find out how and where the security system will "store" the necessary program signatures, particularly if you run programs from diskette. Also, since these types of systems are heavily influenced by the mini- and mainframe data security community, it is important to query whether they have made provisions for checking for boot sector viri, or other viri that may not show up as changes to program files.

A sufficiently advanced change detection system, which takes all factors including "system" areas of the disk and the computer memory into account, has the best chance of detecting "all current and future" viral strains. However, change detection also has the highest probability of "false alarms" since it will not know whether a change is viral or valid. Addition of "intelligent" analysis of the changes detected may assist with this failing.

Operation restricting software

Operation restricting software is similar to activity monitoring software, except that instead of watching for suspicious activities it "automatically" prevents them. As with mainframe security "permission" systems, some of these packages allow you to restrict the activities that programs can perform, sometimes on a "file by file" basis. However, the more options these programs allow, the more time they will take to set up. Again, the program must be modified each time you make a valid change to the system, and, as with activity monitors, some viri may be able to evade the protection by using low level programming.

It is important, with this software, that the operator is given the option of "allowing" an operation. It is also important that the operator be informed, not only that a particular program or operation should be halted, but also why. There should not be too many "false alarms" generated by the software, and it would be helpful to have the option of "tuning" the software to be less, or more, sensitive to a given type of activity.

Encrypting software

Encrypting software writes programs and/or data onto your disks in a non-standard way and then "decrypts" the program or file when you need to use it. This means that if a virus does try to infect the system, it usually only scrambles the data and is easily detectable. Used in conjunction with operation restricting software features, encrypting software essentially changes the whole operating environment, hopefully to one that a virus cannot survive in. Again, there is the need to do a lot of work in setting up the protection system, and keeping it up to date when you make changes. (It is also possible, if the system is not configured properly to begin with, to end up with a system that you cannot use and cannot repair.) There are two major "holes" in the security of the system: 1) some part of the system must remain "unencrypted" and is therefore vulnerable to "attack", and 2) if you start with already infected files, the system will quite happily encrypt the virus and allow it to operate.

One vitally important feature to consider in encrypting software, particularly if it is coupled with operation restricting software, is the ability to recover if anything goes wrong. Do you have a recoverable backup, or are all your backup files encrypted, and useless without the proper code? Can you boot off a floppy to recover if your "security" program dies? If you can boot off a floppy, what provisions guard against boot sector viri?

Scanners

Scanning software is, paradoxically, the least protective and most useful of anti-viral software. These programs examine files, boot sectors and/or memory for evidence of viral infection. They generally look for viral "signatures", sections of program code that are known to be in specific viri but not in most other programs. Because of this, scanning software will only detect "known" viri, and must be updated regularly. Some scanning software has "resident" versions that check each file as it is run, but most require that you run the software "manually". It is also the classic case of "bolting the door after the horse is gone" since "scanners" only find infections after they occur. Why then, with all the disadvantages of scanning software, are they the most successful of anti-viral packages? Generally speaking, it is because they force the user to pay attention to the system. Again, when a user relies on one particular method of protection they are most vulnerable.

Scanning software should be able to identify the largest possible number of viri, and should be able to identify variations on the more important sections of code (that is, it should be able to "accept" the removal of text strings and other simple modifications that "bush league hackers" might make.) (Note, however, the proviso that it is more important to identify some viral programs than others.) For ease and speed of updating, the "signatures" should be stored in a separate file and there should be a means for the addition of new viral signatures to the file. For security, both the scanning software program and the signature files should be renameable. Areas scanned should include not only the identifiable program files, but all files, if necessary. Scanners should have the ability to search the more common archiving formats as well, particularly those that support "self extraction" functions. Disk boot sector and hard disk partition boot records should be scanned, as well (in this day of stealth viri) as memory.

A recent addition to scanners is intelligent analysis of unknown code, currently referred to as "heuristic" scanning. More closely akin to activity monitoring functions than traditional signature scanning, this looks for "suspicious" sections of code that are generally found in viral programs. While it is possible for normal programs to want to "go resident", look for other program files, or modify their own code, these are tell-tale signs that would help an informed user to come to some decision about the advisability of running or installing a given "new and unknown" program. "Heuristics", however, generate a lot of false alarms, and may either scare novice users, or give them a false sense of security after "wolf" has been cried too often.

Scanners, as noted above, are the easiest of antiviral programs to "rank". It is much more difficult to determine the utility of those types of programs which purport to protect against unknown and "future" viral programs. It is, indeed, impossible to judge these programs against any "absolute" standard: they will be judged by future events, and the future isn't here yet. Many future viral programs will follow the patterns of those from the past. Most "new" viral programs are very simple modifications of existing ones. However, while it may be possible to foresee some of the potential "loopholes" that viral programs might use, it is impossible to know which ones actually will be used. It would also be excessively difficult to protect against all of the myriad potential means of attack. (When all the viral programs we had seen were either boot sector infectors, or prepending, appending or overwriting file infectors, "companion" and "system" viri came as quite a shock to most. While I have some nifty ideas for new "hiding places", I will undoubtedly be surprised by the new ones that, in reality, get released "into the wild". Fortunately, many of the virus authors must also be surprised at how poorly their "new creations" do, but this doesn't make the assessment of "generic" antiviral software any easier.)

Antiviral software should be tested against a suite of current viral programs. It is useful to know how well programs may rank in "numbers" tests, but it is likely more important to choose "representative" viral programs. Choose the most common viral infectors (which tend to vary somewhat, geographically), as well as representatives of viral "types": boot sector infectors, MBR infectors, "stealth", multipartite, polymorphic, resident and non-resident and so forth. However, since this does not include any representation from "future" viral programs, it is also very useful to try to do "odd" things with utility programs, to try to "simulate" attacks that have not yet been incorporated into existing viral programs.

Evaluation of antiviral software requires at once the most complex of technical assessments, and at the same time the greatest attention to human factors engineering. While the interactions of viral and antiviral at the lowest levels of the operating system is fascinating, always remember that what is really being protected here is the user. Any antiviral program, in order to be considered at all successful, must primarily inform the user accurately and realistically about any threat to the system. It must also be sufficiently easy for the user to install and maintain. The most technically advanced security system is of absolutely no use if the user cannot run or understand it.

copyright 1990, 1992 Robert M. Slade   VIREVIEW.GEN   921120

==============
Vancouver      ROBERTS@decus.ca     | "Is it plugged in?"
Institute for  Robert_Slade@sfu.ca  | "I can't see."
Research into  rslade@cue.bc.ca     | "Why not?"
User           p1@CyberStore.ca     | "The power's off
Security       Canada V7K 2G6       |  here."

------------------------------

Date: 20 Jan 93 23:51:00 -0600
From: "Rob Slade, DECrypt Editor, VARUG NLC rep, 604-984-4067"
Subject: Review and column checklist

For those who are archiving my antiviral product reviews, and weekly column, the following is a listing of the files to date. Please note that the ZIP files are maintained by Brian Hampson of The Cage, and are available only from him. (Call +1-604-261-2347 for The Cage. 14.4 v.32 is supported.) Please note that some recent files have not yet been released for distribution.
<**Reviews and columns by Robert Slade**>

------COLUMNS------
INTRO1.CVP    2560 01-26-92 [ 4]  Introduction and explanation to the weekly column (.CVP files)
DEFGEN1.CVP   2560 01-26-92 [10]  Definition of virus
DEFGEN2.CVP   3328 01-26-92 [11]  What viral programs are not
DEFGEN3.CVP   2432 01-26-92 [ 9]  Special definitions
DEFGEN4.CVP   2816 01-26-92 [ 7]  Related terms
DEFMTH1.CVP   2816 01-26-92 [ 7]  Myth of malice
DEFMTH2.CVP   2688 01-26-92 [ 7]  Myth of hardware damage
DEFMTH3.CVP   2944 01-26-92 [ 6]  Myth of write protection - software
DEFMTH4.CVP   2688 01-26-92 [ 6]  Write protect hardware
DEFMTH5.CVP   2304 01-26-92 [ 6]  More hardware myths
DEFMTH6.CVP   2944 01-26-92 [ 6]  "Modem" virus myth
DEFMTH7.CVP   5632 01-26-92 [ 6]  "Desert Storm" virus myth
DEFMTH8.CVP   2944 04-25-92 [ 6]  Commercial safety myth
DEFMTH9.CVP   2432 03-02-92 [ 7]  The myth of the virus danger from BBSes
DEFMTHA.CVP   2048 08-05-92 [ 4]  More media myths
FUNBOT1.CVP   2816 01-29-92 [12]  Boot sector infectors
FUNBOT2.CVP   3200 01-29-92 [12]  Boot sequence
FUNBOT3.CVP   3584 01-29-92 [11]  Boot sequence - part 2
FUNGEN1.CVP   2816 01-27-92 [10]  Computer operations
FUNGEN2.CVP   2816 01-27-92 [ 9]  Viral operations
FUNGEN3.CVP   2688 01-27-92 [ 9]  Viral use of operating systems
FUNGEN4.CVP   2688 01-27-92 [ 9]  System layers
FUNGEN5.CVP   2944 01-27-92 [ 9]  Viral activation
FUNGEN6.CVP   2688 01-27-92 [ 8]  Change detection
FUNGEN7.CVP   2816 01-27-92 [10]  File checking
FUNGEN8.CVP   3072 01-27-92 [ 9]  File checking - part 2
FUNGEN9.CVP   2688 01-27-92 [ 8]  System checking
FUNGENA.CVP   2816 01-27-92 [ 8]  Detection avoidance
FUNPIV1.CVP   2560 01-29-92 [ 8]  File infecting viri
FUNPIV2.CVP   2432 01-29-92 [ 8]  Viral code insertion
FUNPIV3.CVP   2560 01-29-92 [ 8]  Viral code addition
FUNPIV4.CVP   2944 01-29-92 [ 8]  Viral code "association"
FUNPIV5.CVP   2944 01-29-92 [ 8]  Infection Variations
HISINT1.CVP   2944 06-02-92 [ 3]  Earliest viral history
HISINT2.CVP   2944 06-02-92 [ 3]  Early viral related programs
HISINT3.CVP   2304 06-09-92 [ 3]  Fred Cohen
HISINT4.CVP   2816 06-09-92 [ 3]  Pranks and Trojans
HISINT5.CVP   2944 06-25-92 [ 3]  AIDS Information Trojan
HISVIR1.CVP   2688 06-25-92 [ 6]  Apple virus 1, 2 and 3
HISVIR2.CVP   2560 07-03-92 [ 6]  The "Lehigh" virus
HISVIR3.CVP   2816 07-16-92 [ 7]  Jerusalem virus part 1
HISVIR4.CVP   2944 07-22-92 [ 5]  Jerusalem virus part 2
HISVIR5.CVP   2560 07-31-92 [ 5]  Jerusalem part 3
HISVIR6.CVP   2816 08-15-92 [ 5]  (c) Brain part 1
HISVIR7.CVP   2560 08-21-92 [ 5]  Brain part 2
HISVIR8.CVP   2176 08-27-92 [ 5]  Brain part 3
HISVIR9.CVP   2176 09-04-92 [ 7]  Brain part 4
HISVIRA.CVP   2688 09-11-92 [ 5]  MacMag/Brandow/Peace Virus part 1
HISVIRB.CVP   2944 09-18-92 [ 6]  MacMag authorship
HISVIRC.CVP   2688 09-24-92 [ 7]  MacMag spread
HISVIRD.CVP   2944 10-02-92 [ 6]  MacMag as "data virus"
HISVIRE.CVP   2176 10-08-92 [ 6]  MacMag and commercial software
HISVIRF.CVP   3200 10-24-92 [ 8]  Scores virus
HISVIRG.CVP   2432 10-31-92 [ 7]  Scores functions
HISVIRH.CVP   2944 11-04-92 [ 8]  CHRISTMA EXEC worm - the "card"
HISVIRI.CVP   2688 11-14-92 [ 7]  CHRISTMA EXEC effects
HISVIRJ.CVP                       CHRISTMA Data
HISVIRK.CVP   2816 11-27-92 [ 7]  CHRISTMA - Trusted source
HISVIRL.CVP   2560 12-05-92 [ 6]  CHRISTMA EXEC Wannabes
HISVIRM  CVP  2541 10-25-92  1:16a   "    "    " 2
HISVIRN  CVP  2719 10-25-92  1:19a   CHRISTMA wrapup
HISVIRO  CVP  3066 12-24-92  1:22a   Internet Worm Intro
HISVIRP.CVP   2944 01-07-93 [ 5]  Internet Worm Functions
HISVIRQ.CVP   2688 01-07-93 [ 4]  Internet Worm Functions 2
HISVIRR  CVP  2809 12-24-92  1:27a   Internet Worm - Media
HISVIRS  CVP  2682 12-24-92  1:28a
HISVIRT  CVP  2661 12-24-92  1:31a
HISVIRU  CVP  2204 12-24-92  1:33a
MEMOIR1.CVP   5376 07-10-92 [ 4]  Memoirs of an (English speaking) virus
MEMOIR2.CVP   3584 10-16-92 [ 5]  Memoirs of a (cross border) virus
MEMOIR3  CVP  2922 12-14-92  9:51p
MEMOIR4  CVP  2447 12-14-92 10:17p
MEMOIR5  CVP  2936 12-14-92 11:00p
PRTCKL1.CVP   2432 03-04-92 [ 8]  Antiviral checklist - part 1
PRTCKL2.CVP   2816 03-16-92 [ 5]  Checklist part 2
PRTCKL3.CVP   2304 03-16-92 [ 5]  Checklist part 3
PRTCKL4.CVP   2048 03-16-92 [ 5]  Checklist part 4
PRTCKL5.CVP   2176 03-16-92 [ 5]  Checklist part 5
PRTCKL6.CVP   2944 03-20-92 [ 5]  Checklist part 6
PRTCKL7.CVP   2688 03-29-92 [ 6]  Checklist part 7
PRTCKL8.CVP   2816 04-03-92 [ 5]  Checklist part 8
PRTCKL9.CVP   2688 04-27-92 [ 4]  Checklist part 9
PRTCKLA.CVP   2176 04-27-92 [ 4]  Checklist part 10
PRTCKLB.CVP   2816 04-25-92 [ 4]  Checklist part 11
PRTCKLC.CVP   2688 05-02-92 [ 7]  Checklist part 12
PRTCKLD.CVP   2560 05-08-92 [ 3]  Checklist part 13
PRTCKLE.CVP   1664 05-15-92 [ 6]  Wrap up of antiviral checklist
PRTGEN1.CVP   2560 03-02-92 [ 5]  Antiviral protection guidelines
COLUMNS.ZIP 124592 01-07-93 [20]  All Columns written by Rob Slade up to the date of this file

------REVIEWS------
920306MI.ZIP 52572 03-10-92 [ 6]  Michaelangelo Reports from the Dreaded Day.
VIREVIEW.GEN 19072 11-23-92 [ 5]  How to review antiviral software
BKBURGER.RVW 11520 12-07-92 [ 3]  Review of "Computer Viruses" by R. Burger
BKLUDWIG RVW  6838  1-12-93  9:22p
PCADVGRV.RVW  6784 01-27-92 [ 1]  Review of Advanced Security
PCANTIVP.RVW  8448 01-26-92 [  ]  Review of Anti-Virus Plus by IRIS/Techmar
PCANTIVR.RVW  6656 01-26-92 [  ]  Review of Anti-Virus by IRIS/Fink
PCCERTUS.RVW 14208 01-26-92 [  ]  Review of Certus LAN
PCCILLIN.RVW  9856 01-26-92 [  ]  Review of PC-Cillin by Trend Microdevices
PCCPAV.RVW    6272 01-29-92 [  ]  Review of Central Point Anti-Virus
PCCTRLRM.RVW  5888 01-29-92 [  ]  Review of Control Room by Borland
PCDATPHS.RVW 10624 09-18-92 [ 3]  Data Physician Plus by Digital Dispatch
PCDSAVT.RVW   7424 05-11-92 [ 1]  Review of Dr. Solomon's Anti-Virus Toolkit
PCDSKSEC.RVW  4224 04-25-92 [  ]  Review of DISKSECURE (related to FixMBR)
PCELMNTR.RVW  5888 04-25-92 [  ]  Review of Eliminator
PCFPROT2.RVW  8832 11-09-92 [ 1]  Review of 2.xx version of F-PROT
PCIBMAV  RVW  7701 12-11-92  9:08p   IBM Antivirus/DOS
PCIBMSCN.RVW  7936 04-25-92 [ 1]  Review of IBM's VIRSCAN
PCIM.RVW     14208 10-07-92 [ 3]  Review of Integrity Master
PCINTEL.RVW   4480 09-04-92 [ 1]  Review of Intel's LANProtect
PCMACE.RVW    7424 04-25-92 [  ]  Review of Mace VACCINE
PCNRTNAV.RVW 11904 01-26-92 [ 6]  Review of Norton Antivirus
PCSAFE   RVW  7427 11-16-92  8:49p   Micronyx SAFE
PCSAFWRD.RVW 10880 04-25-92 [  ]  Review of SafeWord
PCSCAN2.RVW  11904 10-31-92 [ 3]  Updated review of SCAN
PCSOPHOS.RVW  6912 07-22-92 [ 1]  Review of Sophos VACCINE
PCTBAV   RVW 11403 12-16-92 12:02p   Thunderbyte Utilities
PCTBSCAN.RVW  5376 04-25-92 [  ]  Review of Thunderbyte Scan
PCUNTUCH.RVW 14080 10-02-92 [ 2]  Review of Untouchable
PCVC.RVW     10752 04-25-92 [  ]  Review of "Victor Charlie"
PCVCNWWS.RVW  6912 04-15-92 [ 1]  Review of VACCINE by Worldwide Software
PCVDS.RVW    10368 09-11-92 [ 2]  Review of VDS change detector
PCVIRAWY RVW  5222  6-12-91  5:32p   Techmar VirAway
PCVIRCID.RVW  6784 01-26-92 [ 1]  Review of Virucide by Parsons/McAfee
PCVIREX.RVW   9728 01-26-92 [  ]  Review of Virex-PC by Datawatch
PCVIRSAF RVW  6480 11-25-92 10:50p   Eliashim/Xtree ViruSafe
PCVISPY.RVW   7424 07-11-92 [ 1]  Review of Vi-Spy
PCVRBSTR.RVW  7680 04-25-92 [  ]  Review of Virus0Buster
PCWDIMMN RVW 20876 11-09-92  3:37p   Western Digital "Immunizer"
QUICKREF.RVW  4352 07-16-92 [ 6]  "Quick reference" comparison chart for Antiviral software
CONTACT.LST  28928 09-21-92 [ 1]  Antiviral contacts address list

=============
Vancouver      ROBERTS@decus.ca     | "Kill all: God will know his own."
Institute for  Robert_Slade@sfu.ca  |  - originally spoken by Papal
Research into  rslade@cue.bc.ca     |    Legate Bishop Arnald-Amalric
User           p1@CyberStore.ca     |    of Citeaux, at the siege of
Security       Canada V7K 2G6       |    Beziers, 1209 AD
=============

------------------------------

Date: 02 Dec 92 18:08:00 -0600
From: "Rob Slade, author and virus researcher, 604-988-4097"
Subject: Review of ViruSafe (PC)

PCVIRSAF.RVW   921125

Comparison Review

Company and product:

EliaShim Microcomputers
520 W. Hwy. 436, #1180-30
Altamonte Springs, Florida  USA
407-682-1587
fax: 407-869-1409

XTree Co.
4330 Santa Fe Road
(4115 Broad Street, Building 1?)
San Luis Obispo, CA  93401-7993  USA
800-477-1587
805-541-0604
fax: 805-541-4762
BBS: 805-546-9150
75300.2266@Compuserve.com

ViruSafe 4.6

Summary: activity monitor, scanner, change detection, operation restriction, utilities, and "bait" program

Cost

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      2
            Ease of use       3
            Help systems      1
      Compatibility           1
      Company
            Stability         2
            Support           ?
      Documentation           2
      Hardware required       2
      Performance             2
      Availability            2
      Local Support           ?

General Description:

Menu or command line driven multi-layered defense. Significant tools for those studying viral operation and experienced in their functions.

Comparison of features and specifications

                  User Friendliness

Installation

The program is shipped on two non-writable 5 1/4" disks or one write protected 3 1/2" disk. The program can be run off the disk, or installed on the hard disk through an installation program. Manual installation and command line switch descriptions are also available.

Ease of use

The menu interface is generally straightforward and simple. There are some exceptions, and the interface could not be said to be completely intuitive. Configuration screens give no indication of how to "complete" the setup once choices have been made. As well, the behaviour of the "List of Viruses" function is difficult.
The screen format, and cursor movement keys, of the list and the resulting information do not match. However, it is helpful to have this feature onscreen.

Help systems

Limited. Help is context sensitive, but seldom tells you what you want to know about.

Compatibility

Additional virus signatures can be added in an external text file. The format for the signatures is given in the READ.ME text on disk, and is not difficult to figure out. In addition, the system is able to add signatures of new viral programs which it finds in memory. However, the format is not compatible with the fairly widely used IBM VIRSCAN format. Also, a maximum of 64 signatures can be added in this way.

Program testing on machines fitting the hardware requirements occasionally failed for unknown reasons.

Company Stability

Xtree is a fairly well established company, known for utility and disk management software. The version of ViruSafe obtained from Xtree does not differ significantly from the earlier version obtained from EliaShim, but does appear to contain programs that were developed by Xtree.

Company Support

Unknown.

Documentation

The documentation is quite brief. While clear, the manual is quite terse and seems to be designed for the more advanced user. Much of the documentation is a description of how the menuing system and command line switches work. No specifics are given as to how functions (such as "revealing the presence of" unknown viral programs in memory) are accomplished. More important is the fact that no "defaults" for any of the programs are listed. For example, the activity monitoring program, VS, has a long list of command line switches for various functions, but no indication as to which of them are "on" when started without switches.

It is fairly obvious that the new documentation has been copied wholesale from an earlier edition without adequate proof-reading.
For example, installation of new virus signatures refers repeatedly to "Chapter 2", but this manual has no numbered chapters.

A very helpful feature is a "latest information" button on the menu interface which presents the disk READ.ME file. Thus the latest program info, helpful hints and the hardcopy errata can be browsed onscreen.

Hardware Requirements

At least two disk drives, one of which must be a floppy, 512K memory and DOS 3.0 or higher.

Performance

It is gratifying to note the importance that ViruSafe gives to boot sector viri. The package contains provisions to save and restore the boot sector and partition records for the hard disk.

Testing of this program was very problematic. This version of the program still would not run properly on the primary testing machine (a NEC Multispeed). The system locked up repeatedly on most attempts to invoke any of the programs in the package, including the installation and menuing program. Testing of the programs is not as complete as I would prefer. However, it can be said that the claims made for this package exceed performance. The package is able to detect known viral programs, and can deal with most of them effectively. Performance with viral programs not known to the authors/program indicates that these viri are able to bypass protections.

The change detection module, PIC, has a "generic disinfection" feature. In tests this worked very well, and was much simpler to operate than other reviewed programs with the same feature.

Local Support

Not provided.

Support Requirements

Users at any level should be able to run the program without assistance. The instructions for installing the programs on a system which may be infected are clear and should be helpful in clearing up existing infections before installation proceeds. However, the plethora of options with regard to activity monitoring and change detection would best be set up by an advanced user experienced in virus protection.
General Notes

The package has a multilayered approach to virus detection and prevention. It should be suitable for most users in situations of normal risk. While the package would effectively deal with the bulk of infections one would normally encounter, some of its claims would appear to be overrated. The package tacitly admits this: while it claims to be able to find both known and unknown viral programs, it does recommend buying the upgrades. Nevertheless, its use would significantly reduce risk of infection.

copyright Robert M. Slade, 1992   PCVIRSAF.RVW   921125

=============
Vancouver      ROBERTS@decus.ca     | "Kill all: God will know his own."
Institute for  Robert_Slade@sfu.ca  |  - originally spoken by Papal
Research into  rslade@cue.bc.ca     |    Legate Bishop Arnald-Amalric
User           p1@CyberStore.ca     |    of Citeaux, at the siege of
Security       Canada V7K 2G6       |    Beziers, 1209 AD
=============

for back issues:
Contacts list: cert.org, /pub/virus-l/docs/reviews
Reviews: cert.org, /pub/virus-l/docs/reviews/pc
Column: cert.org, /pub/virus-l/docs/slade.cvp.articles
For those without ftp, see Jim Wright's posting, or use Cyberstore.
Also FREQ from 1:153/733 The Cage 604-261-2347.

------------------------------

Date: 07 Dec 92 13:41:00 -0600
From: "Rob Slade, DECrypt Editor, VARUG NLC rep, 604-984-4067"
Subject: Review of "Computer Viruses and Data Protection", Burger (general)

BKBURGER.RVW   921206

Computer Viruses and Data Protection
Ralph Burger
1991, 353 pp., general audience
Abacus, 5370 52nd Street SE, Grand Rapids, MI 49512
1-55755-123-5

A most telling quote is to be found on page 31 of this book. In answer to the question, "What do you think about the publication of information about computer viruses", Burger quotes a "highly knowledgeable" although "secret" source as saying: "I feel that it's the people who know the least about it that talk the most. You tend to hear little from people who actually understand something about computer viruses. ... You don't have to include instructions on how to use computer viruses."

The quote is telling on three counts: 1) Burger tends to go on at great length (350 pages) without giving out much information, 2) there is little hard information in the book which would be of use to the average home or corporate user concerned about protection against viral programs, and 3) Burger's fancy for publishing viral source code seems to have no purpose except to build notoriety. (Before all the virus-writer-wannabes rush out to order copies, let me state that he doesn't publish much, and what he publishes is not very good.)

Burger's propensity for publishing source code might be easier to take if the book itself was a valuable resource. It isn't. The writing style is disorganized and hard to follow, the information is untrustworthy and recommendations for security are weak, outlandish or aimed at problems unrelated to the current computer virus situation.

Even Burger's vocabulary bears little relation to the jargon of virus research. He invents the phrase "logical virus" in a section on viral-like programs. The definition makes little sense, and one suspects that Burger is simply confusing it with a "logic bomb". In another section the author confuses the aspect of the "von Neumann" computer architecture which means that the program and data share the same "storage" space with the "von Neumann bottleneck" having to do with limitations on processing speed. One is left with the feeling that Burger has gathered a great volume of information, and is publishing it without truly understanding it.

A section is devoted to the work of Fred Cohen. A subsection refers to "Cohen's Contradictory Virus". It seems to be related to Cohen's proof, by contradiction, that the problem of identification of any given program as "viral" or "non-viral" is undecidable. In Burger's book, however, there is no proof, little logic, and only patches of pseudo-code which really don't demonstrate anything.
In fact, a great deal of the book consists of statements which are made and never supported. I read my wife the section on "virus experts", and her immediate reaction was "doesn't he have to *prove* any of that?" (Among other things, the section seems to indicate that most virus research is being conducted in grave secrecy by governments and large corporations.) At the same time, Burger's closing statements and opinions are so weakly worded that one is reminded of the hapless TV reporter in "Doonesbury" who is never able to make a definitive proclamation on any subject, no matter how simple. (An amusing example of this: Chapter 3 is entitled "Computer Virus Dangers", Chapter 4 is "Is There a Danger?")

Burger's writing style is very difficult. Even with section headings and marginal annotations it is extremely difficult to follow the discussion. There is very little structure to the flow of arguments, and occasional bizarre changes of subject. At one point Burger reproduces a letter that he sent to various corporations, and then complains that the poor response he got indicates that the companies did not understand the gravity of the virus situation. While the one point that I can agree with Burger on is his repeated assertion that too few people are "virus literate", I can certainly sympathize with the companies. They probably couldn't understand his letter.

It is hard to understand why certain information was included, and other material was not. The chapter on specific viral programs spends five pages listing eight viral programs: it also spends five pages giving the names of thirty "trojan" programs, which presumably could be renamed at will. The "Lehigh" virus, generally thought to be almost extinct "in the wild", is described: "Stoned" and "Michelangelo" are quite notable by their absence. (While "Brain" is one of the viri described, the book nowhere deals with the functions of boot sector viral programs.)
No Mac viri are described or listed although there is one example each from the Atari and Amiga environments.

The chapter on protection strategies, while it does have some useful points, also places heavy emphasis on such bizarre suggestions as writing custom software for all applications, or running everything from EPROMs. (It also suggests the use of CD-ROM for software media, apparently unaware of the fact that CD-ROMs have already been shipped with infected software.) A section on an "EDP High Security Complex" may prevent people from contaminating a keyboard with spilled coffee, but won't do much to prevent viral infections.

A specific recommendation is instructive. Burger twice suggests the use of the RENAME system proposed by A. G. Buchmeier. On an MS-DOS system, all .EXE files are to be renamed to .XXX extensions. They are then to be started with a simple START.BAT file which contains the instructions:

     ren %1.XXX %1.EXE
     %1
     ren %1.EXE %1.XXX

(To be fair, Burger does give a listing of a fuller START.BAT which deals with COM files as well.) While this system would be somewhat effective against most "direct action" viral programs, it would create great problems for the many systems today which rely on cooperation between programs which "call" each other at need. It would also be of no use against "resident" viral programs which infect on "file open": the programs would be infected as soon as they were renamed or run. (Interestingly, it would be rather effective against "system" or "FAT" viral programs.)

Errors are legion. Some mistakes are understandable and unimportant, such as referring to the "Jerusalem" virus as the "Israeli PC" and "TSR" virus (p. 68). Others might have more significance, such as the statement that the "Israeli PC" virus makes all infected files into TSRs (p. 68).
In some places the book contradicts itself, warning against BBSes and shareware on page 129 and yet saying that the danger of receiving viri from data transfer is no higher than through other means on page 292. Still other statements are flatly impossible, such as the assertion that the DEFENDER trojan "[writes] to ROM BIOS" (p. 110). It would be pointless to try to list them all, but I would be willing to bet that there are not three consecutive pages in the book which do not contain errors of fact.

Chapter 5 is supposed to give examples of viral programs. (In fact, most of the chapter is occupied by reprints of the McAfee VIRLIST.TXT and an early version of Jan Terpstra's virus signature list.) Of the virus description material that Burger wrote, the only entries which do not contain errors are those which don't contain any information.

(One of the errors that Burger makes is highly amusing. He examines Fred Cohen's calculations in support of the assertion that a virus could not appear spontaneously by a generation from random errors. "Correcting" Dr. Cohen's figures, and factoring in the increasing speed of computers, he comes up with a figure of ten to the 283rd power for the number of years before a virus is generated. He sees this as "slightly different" and indicative of the possibility of such a virus. He is obviously boggled by the large numbers: even given the most enthusiastic boosts for the increase in the number of computers and computing power, he still would come up with a figure that is not only longer than recorded history, but more than twenty five times greater than the entire age of the known universe.)

Burger's stated purpose in publishing the viral source (Preface, page viii) is to show how easy it is to write a virus. In this aim, he must be said to fail miserably.
Although the assembly listings in the book will hold no terrors for those with a significant background in low-level programming in the MS-DOS environment, those people wouldn't need any direction on how to build a virus. A "batch" virus, which would be easily within the range of the intermediate user, turns out to use DEBUG in order to build some small but vital components, with completely unexplained parameters. Those who are familiar with the architecture know that building a virus is trivial: those who aren't will not find here a convincing demonstration of ease.

Another excuse for including the code (p. 315) is to "illustrate the weak points in your computer system". Again, this rationale is unconvincing. Few readers, outside of those familiar with assembly programming, would be either able or willing to compile and test the code provided. (Indeed, Burger, only five paragraphs beyond the previous statement, warns readers *not* to "proceed with risky tests of virus programs".) Certainly, the code itself proves nothing in terms of the strengths and weaknesses of any computer system. More extensive "case histories" of either viral infestations or specific viral programs would have been far more convincing.

Burger's attitude to this business of virus source code is strangely inconsistent. Although there is source code listed in the book, Burger specifically states that he will not publish the source for his VIRDEM.COM program. Although he doesn't publish the source, a copy of the VIRDEM program is supposed to be on the companion disk for the book. I didn't get one: the companion disk was not shipped with the book. I'm not hurt: VIRDEM is out in the wild anyway and I have a copy from another source.

The situation of the missing companion disk raises another point. The book advertises Burger's own "Virus Secure for Windows", as does a catalogue for other Abacus products bound into the back of the book.
However, I have been informed by Abacus that "Virus Secure for Windows" is no longer available.

For all of its flaws, the book is a very complete overview of the topic in that it ranges over all possible related subjects. Although he often fails to distinguish between the "blue sky" possible and the "here and now" real, Burger's speculations do touch on a number of topics which are too often lost in the immediate concerns about current data security problems.

For those who are completely new to the field, this book is too untrustworthy to recommend as a primer. Neither will it be very useful to those looking for direction on protecting either home or corporate systems. For those with some serious study of viral programs or data security, the book raises interesting points for discussion, although the specifics asserted may have to be tested and challenged. For those who are interested in writing their own viral programs - fortunately, this book is *not* going to be a big help.

copyright Robert M. Slade, 1992   BKBURGER.RVW   921206

==============
                                       ______________________
Vancouver      ROBERTS@decus.ca     |  |        /\        |  |  swiped
Institute for  Robert_Slade@sfu.ca  |  |  __   |  |   __  |  |  from
Research into  rslade@cue.bc.ca     |  |     \ \  / /     |  |  Mike
User           p1@CyberStore.ca     |  |    /________\    |  |  Church
Security       Canada V7K 2G6       |____|_____][_____|____|  @sfu.ca

------------------------------

Date: 23 Dec 92 11:25:00 -0600
From: "Rob Slade, DECrypt Editor, VARUG NLC rep, 604-984-4067"
Subject: Review of Thunderbyte Utilities (PC)

PCTBAV.RVW   921214

Comparison Review

Company and product:

Frans Veldman
ESaSS B.V.
P.o. box 1380
6501 BJ Nijmegen
The Netherlands
Tel: 31 - 80 - 787 881
Fax: 31 - 80 - 789 186
Data: 31 - 85 - 212 395
(2:280/200 @fidonet)
bartjan@blade.stack.urc.tue.nl (Bartjan Wattel)

c/o Jeroen W. Pluimers
P.O. Box 266
2170 AG Sassenheim
The Netherlands
home: +31-2522-20908 19:00-23:00 UTC
email: jeroenp@rulfc1.LeidenUniv.nl
       Jeroen_Pluimers@f256.n281.z2.fidonet.org
       100013.1443@compuserve.com

Thunderbyte AntiVirus Utilities

Summary: Scan, disinfection, change detection, operation restriction, encryption

Cost

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      2
            Ease of use       3
            Help systems      3
      Compatibility           2
      Company
            Stability         3
            Support           2
      Documentation           2
      Hardware required       3
      Performance             2
      Availability            2
      Local Support           1

General Description:

An extension of the earlier Thunderbyte Rescue and Thunderbyte Scan programs. These programs are still contained in the set, but are supported by a disinfector with two "generic" disinfection modes (TBCLEAN), a change detector (TBCHECK), an "overwriting" delete (TBDEL), operation restricting programs (TBDISK, TBFILE and TBMEM), encryption (TBGARBLE), a menuing interface (TBAV) and standardized TSR handling for compatibility with Windows and Novell Netware.

Comparison of features and specifications

                  User Friendliness

Installation

Installation is a matter of copying the programs to disk and deciding how to run them. The documentation, while clear enough as to use, does not supply much in the way of direction for installation. With the new, larger set of utilities, there is a section on installation in the INTRO.DOC file, but not until page 10. There is a "quick start" section at the beginning of each file associated with a specific program, but there is still much room for improvement. Unfortunately, with the additions to the program, this matter has become more important than it was heretofore, with only the scanners and the TBRESCUE program. While an intermediate or experienced user will be able to determine how best to use these programs fairly easily, novice users may not have sufficient information for installation.
Intermediate users may also have difficulty in deciding how best to use the programs, as weaknesses and shortcomings of the various modules are not noted.

Ease of use

The programs are very easy to use. The command line switches should not be strictly necessary for effective use, but can provide significant extra information or use for the expert. Note that there are still occasional grammatical errors in the screen displays of the various programs.

Help systems

Because of the newer programs which do not require command line switches, an "empty" invocation does not bring up a list of command line options. However, an invocation of any program with a "?" or "help" argument will.

Compatibility

Unfortunately, the program still shows signs of incompatibility and locking up systems on some machines. The more mature products (TBSCAN et al) are generally well behaved, but the newer programs are not as robust in all situations. The programs also seem to be incompatible with each other: when there were TB programs resident in memory and TBAV or other programs were being used, the system would occasionally lock up.

Company Stability

The company has been supporting this product, with regular updates, for quite some time now. Recently there has been significant expansion in the establishment of an "agent network".

Company Support

Contacts with the company have been sketchy so far. Extensive efforts to contact the principals via the electronic mail links provided did not produce any return messages for the first review. This time I was more successful. Some of the agents, particularly Jeff Cook of the United States, have been very active in promoting the product on Fidonet. In reaction to the first draft of this review, Frans Veldman stated that the primary means of support were voice and fax.

One factor to consider here is the confusion over the virus signature files used by the program.
The Thunderbyte scanner can use the signature format used by the former IBM VIRSCAN program. This format has recently been extended in the case of Thunderbyte and the VSIG archive files generally used with Thunderbyte. However, it should be noted that the VSIG files are not produced by the company that produces the Thunderbyte Utilities. Frans Veldman has stated that in the near future there will be a major change in the VSIG files.

It has been difficult, in the past, to get new releases of either the Thunderbyte programs or the signature files on a timely basis. As the files are now distributed through the Fidonet related VirNet, this situation should improve significantly.

Documentation

The documentation has been substantially improved in the matter of grammar and errors. However, there is still little coverage of viral concepts in general, and the shortcomings and weaknesses of the program modules in particular. Installation of the program overall still needs work.

The documentation has also been standardized, and is very well laid out with a table of contents prepended to the lengthier documents. The documentation is of considerable size, with the Thunderbyte Scan portion alone over 100K in length and the total size of the documentation approaching 300K. Although the INTRO.DOC is reasonable coverage of the program, it is *highly* recommended that you read everything thoroughly.

Hardware Requirements

Documentation for the various files deals with the specific needs of each module.

Performance

The Thunderbyte Scan program has always been one of the fastest scanners available. Even with heuristic scanning implemented, it still shows startling speed. A test run on a 386 machine with a "normally" loaded 75 meg hard drive completed in under half a minute.

The "price" of this speed is debatable. Most scanners no longer scan the entire length of a program, but only the "top and tail", where most viral programs must attach in order to function.
Although such programs will detect most viral programs, they will not find those which can insert themselves anywhere, such as the "Commander Bomber". Some of those connected with Thunderbyte, most recently one of the agents, have stated that this is one of the means to speed up the program. Frans Veldman, who should know, strongly objects to this statement. However, it is extremely unlikely that TBScan does scan the whole file.

The documentation seems to indicate, and Frans Veldman states, that TBSCAN now includes change detection in the scanning, but I found no evidence of this in testing. Specifically, manual changes to files that have been entered into the data base are not reported to the user.

One possible concern: during testing I found that the DEBUG program gave rise to a false alarm during scanning. This is possibly to be expected with a heuristic scanner. What is of concern is that the same file, copied to a different (but still COM) filename was not treated the same way.

The operation restricting programs operate as advertised, although such programs always operate under the proviso that whatever software can protect, software can circumvent. Interestingly, the Thunderbyte programs are not automatically exempt from interference: an attempt to disinfect a program with the TBFILE program resident resulted in a warning. (Another interesting point is that an attempt to infect one file, while stopped, was allowed to change the file creation date. This is used by this particular virus as an infection marker.)

The most attractive part of this new package is the second "generic" disinfection mode. Most generic disinfectors use a "return to state" algorithm, much like the Hamming code used for error correction in memory or communications systems. This relies on the calculation of an "image" identity of the original, uninfected file, and is of no use "after the fact".
TBCLEAN uses this, but also has a "heuristic" cleaning mode, which does not rely on any "prior knowledge" of either the infecting virus or the original file. A success rate of 80% is claimed for the heuristic cleaning mode.

However, there are two factors to be considered. The second is the ability to clean files infected with an unknown virus. The first comes to us from Hippocrates' injunction to physicians, "First, do no harm". Therefore, TBCLEAN was tested against some uninfected files. Of the six files tested, the four COM files were not harmed, but both EXE files were damaged, and thereafter useless. Subsequent tests of disinfection of infected COM files were successful and restored files to their original state.

In attempting to use the "checksum" method of disinfection, I found that the TBSETUP program *cannot* be used to find an infected file. Running TBSETUP after an infection will void the ability to recover. (This is mentioned in the documentation, but given the difference between this and other programs, it bears repeating.) However, this disinfection mode otherwise works well.

Local Support

As noted above, it is difficult to get in touch with the principals via the posted email addresses, but the agents, particularly Jeff Cook, are active on the Fidonet virus related echoes. Unfortunately, this activity does not seem to extend to VIRUS-L/comp.virus where there have been few postings from anyone related to the company.

Support Requirements

On a "scan only" basis, the program is simple to use. Invocation of any of the various modules is also quite simple. Installation will require more expert assistance.

General Notes

The speed of the scanner, and its ability to use IBM's VIRSCAN signatures (and have the user extend the signature file) make this a handy tool for "first line" defense. The product has been substantially improved even in respect of the scanner alone, since last reviewed.
The addition of "heuristic" scanning and reporting has made the scanner an excellent tool for the serious researcher as well. The package overall is recommended as a strong viral detection component. It is highly recommended as an adjunct to other protection, given some of the unique features. Novice users are strongly recommended to read all of the documentation.

The addition of the new modules moves this product out of the "scanner" genre and puts it in a class with the major "multilayered" programs. Unfortunately, there are still some questions to be answered with regard to the quality and consistency of the protection provided. Given the rapid development of the Thunderbyte programs during this year (I had not yet finished this review when the developers announced that version 5.02 was ready), it is to be hoped that these questions will be addressed very soon.

copyright Robert M. Slade, 1991, 1992   PCTBAV.RVW   921214

==============
Vancouver      ROBERTS@decus.ca     | Omne ignotum pro magnifico.
Institute for  Robert_Slade@sfu.ca  |  - Anything little known
Research into  rslade@cue.bc.ca     |    is assumed to be
User           p1@CyberStore.ca     |    wonderful.
Security       Canada V7K 2G6       |     - Tacitus

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 20]
*****************************************
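The Thunderbyte review above raises three detection questions that are easy to see in working code: what a "top and tail" signature scan misses compared with a whole-file scan (the Commander Bomber case), what a change detector with a stored baseline catches instead, and why running the baseline step (TBSETUP in the review) after an infection voids recovery. The following is an added, constructed illustration, not code from the digest, from ViruSafe or from Thunderbyte; the signature bytes, file names, head/tail sizes and the SHA-256 fingerprint are all assumptions chosen for the demonstration.

```python
"""Top-and-tail scanning vs. whole-file scanning vs. change detection.

Constructed illustration (not ViruSafe or Thunderbyte code).
"""
from __future__ import annotations

import hashlib

# Constructed marker standing in for a scanner signature string.
# It is inert filler, not a real virus signature.
SIGNATURE = b"\xeb\x0e\x90[DEMO-SIG]\x90"

HEAD = 2048  # bytes examined at the start of a file by the partial scanner
TAIL = 2048  # bytes examined at the end of a file by the partial scanner


def scan_top_and_tail(data: bytes, sig: bytes = SIGNATURE,
                      head: int = HEAD, tail: int = TAIL) -> bool:
    """Look for sig only where appending/prepending infectors attach."""
    if len(data) <= head + tail:
        return sig in data
    return sig in data[:head] or sig in data[-tail:]


def scan_whole_file(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Slower, but finds a signature inserted anywhere in the file."""
    return sig in data


def fingerprint(data: bytes) -> tuple[int, str]:
    """Length plus SHA-256 digest; any content change alters it."""
    return len(data), hashlib.sha256(data).hexdigest()


def make_baseline(files: dict[str, bytes]) -> dict[str, tuple[int, str]]:
    """Record fingerprints of files believed clean (the TBSETUP-style step)."""
    return {name: fingerprint(data) for name, data in files.items()}


def changed_files(files: dict[str, bytes],
                  baseline: dict[str, tuple[int, str]]) -> list[str]:
    """Names whose current fingerprint differs from the baseline."""
    return sorted(name for name, data in files.items()
                  if baseline.get(name) != fingerprint(data))


# Constructed sample "executables": 10240 bytes of filler each.
CLEAN = bytes(range(256)) * 40


def appended(data: bytes) -> bytes:
    """Appending infector: the marker lands in the tail."""
    return data + SIGNATURE


def mid_inserted(data: bytes, offset: int = 5000) -> bytes:
    """Infector that inserts itself mid-file (the Commander Bomber case)."""
    return data[:offset] + SIGNATURE + data[offset:]


def demo() -> dict[str, dict[str, bool]]:
    """Run all three detectors over a constructed before/after file set."""
    clean = {"APP.COM": CLEAN, "TOOL.EXE": CLEAN, "UTIL.COM": CLEAN}
    baseline = make_baseline(clean)          # taken while files are clean
    now = {"APP.COM": appended(CLEAN),       # tail-appending infection
           "TOOL.EXE": mid_inserted(CLEAN),  # mid-file insertion
           "UTIL.COM": CLEAN}                # untouched
    changed = set(changed_files(now, baseline))
    return {name: {"top_tail": scan_top_and_tail(data),
                   "whole_file": scan_whole_file(data),
                   "changed": name in changed}
            for name, data in now.items()}


def rebaselined_after_infection() -> list[str]:
    """The reviewer's warning: a baseline taken after infection hides it."""
    now = {"TOOL.EXE": mid_inserted(CLEAN)}
    late_baseline = make_baseline(now)        # wrong order: infected file enrolled as clean
    return changed_files(now, late_baseline)  # nothing is reported


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10} {verdict}")
    print("after late baseline:", rebaselined_after_infection())
```

The mid-file case is the one the partial scanner misses while the whole-file scan and the change detector both report it; the untouched file shows the change detector producing no false alarm.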