From lehigh.edu!virus-l Fri May 28 08:05:15 1993 remote from vhc
Received: by vhc.se (1.65/waf) via UUCP; Fri, 28 May 93 20:01:12 1 for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2) id AA12869; Fri, 28 May 1993 19:55:40 +0200
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA19150 (5.67a/IDA-1.5 for ); Fri, 28 May 1993 12:05:15 -0400
Date: Fri, 28 May 1993 12:05:15 -0400
Message-Id: <9305281459.AA01070@agarne.ims.disa.mil>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: virus-l@agarne.ims.disa.mil
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: VIRUS-L Moderator
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #87

VIRUS-L Digest   Friday, 28 May 1993   Volume 6 : Issue 87

Today's Topics:

Document/review spring cleanup
Review (maybe) of "Computers Under Attack"
Review of "Syslaw" by Rose/Wallace
Review of "Rogue Programs", L. Hoffman, ed.
Review of "Computer Viruses ... Your System" by Haynes/McAfee
Polymorphic Viruses
Review of BootX (Amiga)
Review of Chasseur II (Atari)
Review of FCHECK (Atari)
Revised Product Test, PT-20, SAM, version 3.5.1 (Mac)
Revision to Product Test PT-9, DISINFECTANT, 3.0 (Mac)
Revised Product Test, PT-30, VirusDetective, v5.0.9 (Mac)
Review of Western Digital's "Immunizer" (PC)
Review of "Victor Charlie" 5.0 (PC)
Product Test 55, Gobbler II, version 3.0 (PC)
Revision to Product Test PT-41, VIRx, version 2.6D (PC)
Product Test #61, VDS PRO, version 1.0 (PC)
Product Test Report # 59, IBM ANTI-VIRUS/DOS, version 1.01 (PC)
Revised Product Test 36, CPAV, version 1.4 (PC)
Revised Product Test PT-17, F-PROT, version 2.08a (PC)
Revised Product Test PT-3, VIRUSCAN, version 104 (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed.
Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@AGARNE.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 28 May 93 10:44:12 -0400
From: "Kenneth R. van Wyk"
Subject: Document/review spring cleanup

VIRUS-L/comp.virus readers:

I'm currently (finally!) cleaning up the queue of product reviews and documentation that I have here. My apologies for taking so long to get these out the door. My move here to DC caused the logistics for updating files on CERT.ORG to change quite a bit. Now that the procedure seems to be working well, I'll try to resume a steady flow of product reviews and submitted papers. Thanks for everyone's patience.

Cheers,

Ken

Kenneth R. van Wyk
Moderator, VIRUS-L/comp.virus
krvw@Agarne.IMS.DISA.MIL

------------------------------

Date: 19 Feb 93 14:33:00 -0600
From: "Rob Slade"
Subject: Review (maybe) of "Computers Under Attack"

BKDENING.RVW 930209

ACM Press
11 W. 42nd St., 3rd Floor
New York, NY 10036
212-869-7440
Computers Under Attack: intruders, worms and viruses, Peter J. Denning, ed., 0-201-53067-8

This book is a very readable, enjoyable and valuable resource for anyone interested in "the computer world". That said, I must admit that I am still not sure what the central theme of this book is.
Denning has brought together a collection of very high quality essays from experts in various fields, and at one point refers to it as a "forum". That it is, and with a very distinguished panel of speakers, but it is difficult to pin down the topic of the forum. Not all of the fields are in data security, nor even closely related to it. (Some of the works, early in the book, relating to what we now generally term "the Internet", do contain background useful in understanding later works regarding "cracking" intrusions and worm programs.)

[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/books/slade.computers.under.attack ]

copyright Robert M. Slade, 1993 BKDENING.RVW 930209

==============                      ______________________
Vancouver      ROBERTS@decus.ca    |    |     /\     |    | swiped
Institute for  Robert_Slade@sfu.ca |    |  __ |  | __ |    | from
Research into  rslade@cue.bc.ca    |    |  \ \  / /  |    | Mike
User           p1@CyberStore.ca    |    | /________\ |    | Church
Security       Canada V7K 2G6      |____|_____][_____|____| @sfu.ca

------------------------------

Date: 07 Apr 93 17:34:00 -0600
From: "Rob Slade"
Subject: Review of "Syslaw" by Rose/Wallace

BKSYSLAW.RVW 930402

PC Information Group, Inc.
1126 East Broadway
Winona, MN 55987
Syslaw, 2nd ed., Lance Rose and Jonathan Wallace, 1992

The introduction to "Syslaw" states that although the title implies the existence of a new kind of law relating to electronic bulletin board systems, in reality it is simply an extension of existing laws, mores and practices. In the same way, although the book states itself to be aimed at the BBS community, and particularly sysops, there is much here of interest and moment to anyone involved with sharing information through computer systems.
[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/books/slade.syslaw ]

copyright Robert M. Slade, 1993 BKSYSLAW.RVW 930402

------------------------------

Date: 11 Apr 93 14:08:00 -0600
From: "Rob Slade"
Subject: Review of "Rogue Programs", L. Hoffman, ed.

BKHOFMAN.RVW 930401

Van Nostrand Reinhold
c/o Nelson Canada
1120 Birchmont Road
Scarborough, Ontario M1K 5G4
416-752-9100
fax: 416-752-9646
Rogue Programs: Viruses, Worms and Trojan Horses, Ed. Lance J. Hoffman, 1990, 0-442-00454-0

Reading the list of contributors to this work was rather like "old home week" at VIRUS-L. The introduction states that the book arose from Hoffman's frustration over the lack of a suitable text for a virus seminar and that the seminar participants compiled the material from available sources. Even one of the seminar participants, Chris Feudo, has recently released a computer virus handbook (see BKFEUDO.RVW).

[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/books/slade.rogue.programs ]

copyright Robert M. Slade, 1993 BKHOFMAN.RVW 930401

==============
Vancouver      ROBERTS@decus.ca    | "A ship in a harbour
Institute for  Robert_Slade@sfu.ca |  is safe, but that is
Research into  rslade@cue.bc.ca    |  not what ships are
User           p1@CyberStore.ca    |  built for."
Security       Canada V7K 2G6      |  John Parks

------------------------------

Date: 03 May 93 00:31:00 -0600
From: "Rob Slade"
Subject: Review of "Computer Viruses ... Your System" by Haynes/McAfee

BKMCAFEE.RVW 930404

St. Martin's Press
175 Fifth Ave.
New York, NY 10010
USA
Computer Viruses, Worms, Data Diddlers, Killer Programs and Other Threats to Your System: what they are, how they work and how to defend your PC, Mac or mainframe, John McAfee and Colin Hayes, 1989, 0-312-02889-X

If you buy only one book to learn about computer viral programs -- this is *not* the one to get. As a part of a library of other materials it may raise some interesting questions, but it is too full of errors to serve as a "single source" reference.

[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/books/slade.mcaffee.virus.book ]

copyright Robert M. Slade, 1993 BKMCAFEE.RVW 930404

==============
Vancouver      ROBERTS@decus.ca    | "Don't buy a
Institute for  Robert_Slade@sfu.ca |  computer."
Research into  rslade@cue.bc.ca    |  Jeff Richards'
User           p1@CyberStore.ca    |  First Law of
Security       Canada V7K 2G6      |  Data Security

------------------------------

Date: Fri, 30 Apr 93 19:43:34 -0400
From: tyetiser@umbc.edu (Mr. Tarkan Yetiser)
Subject: Polymorphic Viruses

Polymorphic Viruses: Implementation, Detection, and Protection

Copyright (c) 1993 by VDS Advanced Research Group
P.O. Box 9393
Baltimore, MD 21228, U.S.A.

prepared by Tarkan Yetiser
e-mail: tyetiser@umbc5.umbc.edu
Jan 24, 1993 PA, U.S.A.

Summary

This paper discusses the subject of polymorphic engines and viruses. It looks at general characteristics of polymorphism as currently implemented. It tries to maintain a practical presentation of the subject matter rather than an academic and abstract approach that would confuse many people. Basic knowledge of the Intel 80x86 instruction set will be highly useful in understanding the material presented. A very detailed discussion is avoided not to have the side effect of "teaching" how to create polymorphic engines or viruses.
The purpose is to help computer professionals understand this trend of virus development and the threats it poses. It should serve as a starting point for individuals who would like to get an idea about the polymorphic viruses and how they are implemented. Long gone are the days of innocence, when any schoolboy could write a virus scanner using a few signatures extracted from captured virus samples. The subject of polymorphism can be extended to other areas such as anti-reverse-engineering or anti-direct-attacks, and it can be argued to be useful in that context. This paper only looks at the use of polymorphism in PC viruses to avoid simple detection techniques.

[Moderator's note: The remainder of this document is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/yetiser.polymorphic ]

------------------------------

Date: Sun, 23 May 93 02:06:29 -0400
From: "Rob Slade"
Subject: Review of BootX (Amiga)

930430 AMBOOTX.RVW

Comparison Review

Company and product:

Peter Stuer
Kauwlei 21
B-2550 Kontich
Belgium
Peter.Stuer@p7.f603.n292.z2.FidoNet.Org
BootX 5.23

Summary: Scanner and disinfector with some operation restriction

Cost

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation
            Ease of use
            Help systems
      Compatibility
      Company
            Stability
            Support
      Documentation
      Hardware required
      Performance
      Availability
      Local Support

General Description:

Comparison of features and specifications

User Friendliness

Installation

Both automated and manual installation is provided.

Ease of use

BootX can be run from either the CLI or the Workbench. Once invoked it can be made the "foreground task" by a "hot key" call. The program is menu driven, with a comprehensive range of actions.

Help systems

Can use the AmigaGuide.library function if available.

Compatibility

Unknown but unlikely to cause problems. Some problems are noted with Enforcer. Will work with certain compression programs to check compressed executables.
Company Stability

Unknown, but this is currently one of the major recommended Amiga antivirals. The program is distributed as freeware.

Company Support

The author's mail and email addresses are given, as well as contact info for "Safe Hex International".

Documentation

Simple but straightforward directions on the installation and running of the program. There is little general discussion of viral programs and operation, but some is mentioned in conjunction with certain features of the program. Unusually for a shareware/freeware package there is an extensive glossary which may provide some background. (I learned, for instance, that a "linkvirus" is the term for what is more generally known as a program or file infecting virus.)

System Requirements

512K RAM or higher and at least one disk drive. KickStart v2.04 and ReqTools.library v38 or higher. Workbench v2.1 or higher to use the language independence utility and v3.0 or higher to use the AmigaGuide.library help feature. Various decompression programs may be needed to check compressed executables.

Performance

Unknown at this time due to lack of a test suite. Currently one of the most highly recommended Amiga antivirals.

Local Support

The author is reachable via Fidonet and Internet mail.

Support Requirements

Users experienced with using shareware should have no problems.

copyright Robert M. Slade, 1993 930430 AMBOOTX.RVW

==============
Vancouver      ROBERTS@decus.ca    | Slade's Law of Computer
Institute for  Robert_Slade@sfu.ca | Literacy:
Research into  rslade@cue.bc.ca    | - There is no such thing
User           p1@CyberStore.ca    |   as "computer illiteracy";
Security       Canada V7K 2G6      |   only illiteracy itself.

------------------------------

Date: 04 May 93 15:04:00 -0600
From: "Rob Slade"
Subject: Review of Chasseur II (Atari)

Of course no one will believe it, but this is *not* prompted by the recent spate of calls for Atari and Amiga stuff.
I recently had an opportunity to do some partial testing of some antivirals on other systems and took it. Unfortunately, the tests are not complete, and cannot be finished at this time due to the absence of a viable "test suite". I have, however, attempted to give some indication of the shareware utilities I was able to round up, and have added the contact info to the CONTACTS.LST.

Herewith, then, is the first.

ATCHSSR2.RVW 930430

Comparison Review

Company and product:

A. & Z. Vidovic
Tour Panoramique
Duchere
69009 Lyon
France
Chasseur II

Summary: Boot sector overwriter

Cost 50 Fr (U$15)

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation
            Ease of use
            Help systems
      Compatibility
      Company
            Stability
            Support
      Documentation
      Hardware required
      Performance
      Availability
      Local Support

General Description:

Comparison of features and specifications

User Friendliness

Installation

The files (at least BOOTBASE.DAT) *must* be installed in a directory called \CHASSEUR.II or else the program will not function.

Ease of use

There are only three options on the main menu: check disk, vaccinate and check memory. These are represented by icons, with no words.

Help systems

None provided.

Compatibility

Unknown. The vaccinate function, although stated to be irreversible (which, oddly, appears to contradict the documentation), seems not to harm MS-DOS disks, since it adds a jump at the beginning, and adds a short message at the end. (MS-DOS "system" disks, of course, will no longer be bootable.)

Company Stability

Unknown.

Company Support

None provided.

Documentation

A README.VIR file states that they believe the program is simple enough that there is no need for documentation. This is generally true, but it is a pity that there is not more detail on some of the claims made for the program.

System Requirements

None stated.

Performance

Unknown. This seems to be a tool for very technically literate users, aimed at boot sector infectors only.

Local Support

None provided.
Support Requirements

It is unlikely that even intermediate users would understand, say, the memory listings generated. However, it should be effective against boot sector infectors even in novice cases. (One should note that *all* of the Atari boot sector overwriting programs may damage certain self-booting disks.)

copyright Robert M. Slade, 1993 ATCHSSR2.RVW 930430

=============
Vancouver      ROBERTS@decus.ca    | Life is
Institute for  Robert_Slade@sfu.ca | unpredictable:
Research into  rslade@cue.bc.ca    | eat dessert
User           p1@CyberStore.ca    | first.
Security       Canada V7K 2G6      |

------------------------------

Date: Mon, 17 May 93 15:49:34 -0400
From: "Rob Slade"
Subject: Review of FCHECK (Atari)

ATFCHECK.RVW 930430

Comparison Review

Company and product:

Roger Lindberg
Cyklonvagen 3
451 60 Uddevalla
SWEDEN
FLIST and FCHECK

Summary: change detection software

Cost Pounds 5

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation
            Ease of use
            Help systems
      Compatibility
      Company
            Stability
            Support
      Documentation
      Hardware required
      Performance
      Availability
      Local Support

General Description:

Comparison of features and specifications

User Friendliness

Installation

FLIST must be run first in order to make a FILELIST.LIS comparison database. Thereafter, FCHECK can be run in the same directory as the database in order to note changes. (FCHECK can be run from the AUTO folder as long as FILELIST.LIS is present as well.)

(A sense of humour! When invoked, the program presents a message box stating "I am not a wealthy man Please consider a donation", signed Roger Lindberg 1991. The acknowledgement "button" does not state the normal "OK" but rather "I WILL". :-)

Ease of use

If FILELIST.LIS exists (which it does, in the distribution file), it must be deleted first, or a new name must be chosen. (The documentation states that the name *must* be FILELIST.LIS.)
Creating the file is not exactly straightforward: the file must be created, then loaded and then a new menu selected to add those files to be checked. Files must be selected individually. Then the file must be saved before exiting the FLIST program.

The FCHECK program has no options: it simply checks the file length and checksum against the stored values. It must be watched: if there is some problem the fact is noted, but the program does not leave the information onscreen before it terminates.

Help systems

None provided.

Compatibility

Unknown. Generally should not be a problem, but will report changes in programs which alter their own code.

Company Stability

Unknown.

Company Support

Unknown.

Documentation

Not extensive, but adequate if read carefully.

System Requirements

None stated.

Performance

Reasonably quick operation, once set up. A bit difficult in doing the initial installation. No attempt to "diagnose" changes on the disk.

Local Support

None provided.

Support Requirements

Likely will require assistance of at least intermediate user and someone versed in the potential of viral programs to alter other program files.

copyright Robert M. Slade, 1993 ATFCHECK.RVW 930430

==============
Vancouver      ROBERTS@decus.ca    | "virtual information"
Institute for  Robert_Slade@sfu.ca | - technical description of
Research into  rslade@cue.bc.ca    |   marketing info disguised
User           p1@CyberStore.ca    |   as technical description
Security       Canada V7K 2G6      | - Greg Rose

------------------------------

Date: Thu, 11 Mar 93 19:56:58 -0700
From: Chris McDonald STEWS-IM-CM-S
Subject: Revised Product Test, PT-20, SAM, version 3.5.1 (Mac)

******************************************************************************
PT-20 Revised March 1993
******************************************************************************

1.
Product Description: Symantec AntiVirus for Macintosh (SAM) is a commercial software program for the prevention, detection, and elimination of viruses and certain trojan horse programs for the Macintosh. This product test addresses version 3.5.1 with virus definitions through February 22, 1993.

2. Product Acquisition: SAM is available from Symantec Corporation, 10201 Torre Avenue, Cupertino, CA 95014-9854. Site licensing arrangements are available. Symantec's telephone number is 800-441-7234. Mail order firms typically sell a single copy for around $63.00 to $75.00.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548, DDN cmcdonald@wsmr-simtel20.army.mil; and Robert Thum, Systems Administrator, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7739, DDN rthum@wsmr-emh34.army.mil.

[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/mac/mcdonald.sam ]

------------------------------

Date: Mon, 05 Apr 93 08:41:17 -0700
From: Chris McDonald
Subject: Revision to Product Test PT-9, DISINFECTANT, 3.0 (Mac)

******************************************************************************
PT-9 Revised April 1993
******************************************************************************

1. Product Description: Disinfectant is a freeware program to detect and to repair virus activity for Macintosh systems. The author is Mr. John Norstad, Academic Computing and Network Services, Northwestern University, 2129 North Campus Drive, Evanston, IL 60208. Mr. Norstad's Internet address is j-norstad@nwu.edu. This product test evaluates version 3.0. The only changes from the last test report involve the updating of Mr. Norstad's addresses.

2.
Product Acquisition: Disinfectant is available on the Internet, from bulletin board systems, and from Apple User Groups. Whenever there is a new release, Mr. Norstad posts a notification to the Virus-L Internet mailing.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548, DDN cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/mac/mcdonald.disinfectant ]

------------------------------

Date: Fri, 14 May 93 12:18:50 -0700
From: Chris McDonald
Subject: Revised Product Test, PT-30, VirusDetective, v5.0.9 (Mac)

******************************************************************************
PT-30 Revised May 1993
******************************************************************************

1. Product Description: VirusDetective and VirusBlockade II are shareware programs to detect and to delete known viruses and trojan horses for the Macintosh. This product test addresses VirusDetective V5.0.9. The current version of VirusBlockade if one upgrades to System 7.1 is V2.0.7.

2. Product Acquisition: Both programs are available from their author Jeffrey S. Shulman through Shulman Software CO., 1111 W. El Camino Real, Suite 109MAC, Sunnyvale, CA 94087-1057. A registered user receives a program diskette, an overview guide, a user license, and automatic notification of future malicious code search strings. Mr. Shulman has an Internet address for customer support and pricing information, kilroy@netcom.com. As of the date of this product test, registered VD+VB owners may order the latest version of BOTH programs for $20.00 ($25.00 for non-US users). Site licenses are available.

3.
Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5506, DSN 258-7548, DDN cmcdonal@wsmr-emh34.army.mil.

[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/mac/mcdonald.virus.detective ]

------------------------------

Date: 07 May 93 14:56:00 -0600
From: "Rob Slade"
Subject: Review of Western Digital's "Immunizer" (PC)

PCWDIMMN.RVW 921109

Comparison Review

Company and product:

Western Digital Corporation
8105 Irvine Center Drive
Irvine, CA 92716
714-932-5000
714-932-6250 Letty Ledbetter
Robert McCarroll, Product Manager, Systems Logic Group
714-932-7013 Terry Walker (and Robert Lee, developer)
fax: 714-932-7097 Mark Levitt
fax: 714-932-7098
Benjamin Group (marketing)
Suite 480, 100 Pacifica Ave.
Irvine, CA 92718
714-753-0755 (Erin Jones, Sari Barnhard and Carolyn Fromm)
fax: 714-753-0844
Immunizer (new technology to be announced 921109)

Summary: concept proposal for hardware component for data security

Cost: N/A

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      1
            Ease of use       1
            Help systems      1
      Compatibility           2
      Company
            Stability         2
            Support           1
      Documentation           1
      Hardware required       2
      Performance             2
      Availability            1
      Local Support           1

General Description:

The "Immunizer" concept involves a cooperative effort between BIOS makers, board manufacturers and antiviral software producers. The central component, as far as Western Digital is concerned, is the 7855 system controller chip. With proper implementation, the concept should allow protection of hard disk and memory areas, while at the same time allowing the user the option to "lift" the protection via software in order to allow for normal system maintenance functions.
[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/pc/slade.immunizer ]

copyright Robert M. Slade, 1992 PCWDIMMN.RVW 921109

------------------------------

Date: 12 Feb 93 15:14:00 -0600
From: "Rob Slade"
Subject: Review of "Victor Charlie" 5.0 (PC)

PCVC.RVW 921212

Comparison Review

Company and product:

Bangkok Security Associates
888/32-33 Ploenchit Road
Bangkok 10330
Thailand
TEL: 662-251-2574
BBS: 662-255-5981
FAX: 662-253-6868
or
Delta Base Enterprises
221 - 32853 Landeau Place
Abbotsford, BC, V2S 6S6
TEL: 853-2998
FAX: 853-9164 effective NOV18/92
72137.603@compuserve.com or a682@mindlink.bc.ca
or
Computer Security Associates (803)-796-1935
Lannatec Associates Inc, 166 Anna Avenue, Ottawa, Ont. K1Z 7V2 (613)-724-5978.
Victor Charlie 5.0

Summary: Change detection with "baiting" files and viral signature capture

Cost $99 Cdn

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      2
            Ease of use       2
            Help systems      2
      Compatibility           2
      Company
            Stability         3
            Support           1
      Documentation           3
      Hardware required       3
      Performance             2
      Availability            2
      Local Support           2

General Description:

Victor Charlie is a series of batch and data files that generate a number of programs for trapping of viral infections. There is also provision for the capture of viral signatures. Utilities are included for viewing of boot sectors and recovery of hard disk system areas. Version 5.0 no longer requires DEBUG.COM.

[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/pc/slade.victor.charlie ]

copyright Robert M. Slade, 1991, 1992 PCVC.RVW 921212

=============
Vancouver      ROBERTS@decus.ca    | "Kill all: God will know his own."
Institute for  Robert_Slade@sfu.ca | - originally spoken by Papal
Research into  rslade@cue.bc.ca    |   Legate Bishop Arnald-Amalric
User           p1@CyberStore.ca    |   of Citeaux, at the siege of
Security       Canada V7K 2G6      |   Beziers, 1209 AD
============= for back issues:
Contacts list: cert.org, /pub/virus-l/docs/reviews
Reviews: cert.org, /pub/virus-l/docs/reviews/pc
Column: cert.org, /pub/virus-l/docs/slade.cvp.articles
For those without ftp, see Jim Wright's posting, or use Cyberstore.
Also FREQ from 1:153/733 The Cage 604-261-2347.

------------------------------

Date: Sun, 21 Feb 93 18:23:12 -0700
From: Chris McDonald STEWS-IM-CM-S
Subject: Product Test 55, Gobbler II, version 3.0 (PC)

*******************************************************************************
PT-55 February 1993
*******************************************************************************

1. Product Description: Gobbler II, Advanced Anti-Virus Toolkit, is a viral signature identification and removal program copyrighted by COMRAC, the Netherlands. This product test addresses version 3.0.

2. Product Acquisition: In June 1992 a Victor Smith contacted me over the Internet and asked if I would test Gobbler II. He identified himself as "one" of the programmers involved with the program which had started in February 1989. The Dutch company COMRAC apparently acquired the program in early 1990. Victor sent me the program UUENCODED in mid July 1992; however, checksum errors accompanied the transmission. He successfully retransmitted the program on July 21, 1992. He indicated that additional materials would follow via land mail. This never occurred. Electronic mail communications with Victor Smith ceased to be responsive in October 1992 so details on the program are incomplete. Vesselin Bontchev from the Virus Test Centre-Hamburg has issued a report on Gobbler II's effectiveness against the MtE object module in which he gives the status of the program as "Shareware?".

3.
Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN: 258-7548, DDN: cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/pc/mcdonald.gobbler ]

------------------------------

Date: Tue, 09 Mar 93 20:48:11 -0700
From: Chris McDonald STEWS-IM-CM-S
Subject: Revision to Product Test PT-41, VIRx, version 2.6D (PC)

*******************************************************************************
PT-41 Revised March 1993
*******************************************************************************

1. Product Description: VIRx is a copyrighted program written by Ross M. Greenberg to detect computer viruses and malicious programs. Glenn Jordan at trent@rock.concert.net has assumed the responsibility of maintaining and updating the program code. VIRx is the detection portion (VPCScan) of the commercial protection program Virex-PC (reference PT-23). This product test addresses version 2.6D, February 1993.

2. Product Acquisition: The program is freely distributed by Datawatch Corporation, Post Office Box 51489, Durham, North Carolina 27717, with special instructions for business and corporate users. These users have only a 30 day license for product evaluation, after which they must contact Datawatch for site license authorization. THIS MAJOR LICENSING CHANGE OCCURRED AT VERSION 1.9. Datawatch has made VIRx available on its own bulletin board system (919-419-1602), on other bulletin boards and on software repositories, to include the MS-DOS repository on simtel20 [192.88.110.20]. The current path on simtel20 is pd1:virx26D.zip.

3.
Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548, DDN cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/pc/mcdonald.virx ]

------------------------------

Date: Mon, 12 Apr 93 07:47:40 -0700
From: Chris McDonald
Subject: Product Test #61, VDS PRO, version 1.0 (PC)

*******************************************************************************
PT-61 April 1993
*******************************************************************************

1. Product Description. Virus Detection System (VDS) Professional (PRO) is an integrity checker which creates a "fingerprint" of all system areas and executable files. This product test addresses version 1.0.

2. Product Acquisition: VDS PRO is available from Z-RAM, Inc., Post Office Box 2087, Church Circle Station, Annapolis, MD 21404. The telephone number is (800) 638-2000. A single copy costs $49.00 plus shipping charges. Site licenses for federal, local and state governments are available. A "special discount" exists for academic institutions. The primary individual identified with the program development is Mr. Tarkan Yetiser.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548, DDN cmcdonald@wsmr-simtel20.army.mil.
[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/pc/mcdonald.vds.pro ]

------------------------------

Date: Thu, 08 Apr 93 16:22:28 -0700
From: Chris McDonald
Subject: Product Test Report # 59, IBM ANTI-VIRUS/DOS, version 1.01 (PC)

*******************************************************************************
PT-59 April 1993
*******************************************************************************

1. Product Description: The IBM AntiVirus/DOS is a commercial program to detect and to remove viruses. This product test addresses version 1.00 and version 1.01.

2. Product Acquisition: The IBM AntiVirus/DOS is available from the IBM Corporation Distribution Center, 1420 Presidential Drive, Richardson, TX 75081. The telephone number is (800) 551-3579. A single copy is $29.95 plus shipping and handling. One may enroll in an annual protection plan for $59.95 plus sales tax which entitles one to four updates. If a business has 50 or more personal computers, site licenses are available by calling (800) 742-2493.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548, DDN cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/pc/mcdonald.ibm.antivirus ]

------------------------------

Date: Mon, 26 Apr 93 09:26:48 -0700
From: Chris McDonald
Subject: Revised Product Test 36, CPAV, version 1.4 (PC)

*******************************************************************************
PT-36 Revised April 1993
*******************************************************************************

1.
Product Description: Central Point Anti-Virus (CPAV) is a commercial product to detect and to disinfect known MS-DOS viral infections. The program provides additional protection against the introduction of "unknown" and/or malicious code through integrity checking (checksumming) and through the detection of "suspicious" activity. This test report addresses version 1.4 with updates through April 1993. It also eliminates errors in the previous test report and clarifies certain results pertaining to Type I alarms.

2. Product Acquisition: CPAV is available from Central Point Software, Inc., 15220 N.W. Greenbrier Parkway, Suite 200, Beaverton, OR 97006-5764. The published customer service number is 503-690-8090. The list price for a single copy is $129.00. Site licenses are available. Microsoft has bundled a flavor of CPAV in its shipment of MS-DOS 6, known as Microsoft Anti-Virus (MSAV). Published information states that Central Point will handle all upgrades to MSAV. As of April 15, 1993, no upgrades to MSAV had occurred.

3. Product Testers: Don Rhodes, Information Systems Management Specialist, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN: 258-8174, DDN: drhodes@wsmr-emh35.army.mil; Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN: 258-7548, DDN: cmcdonal@wsmr-emh34.army.mil or cmcdonald@wsmr-simtel20.army.mil.
[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/pc/mcdonald.cpav ]

------------------------------

Date: Fri, 21 May 93 16:20:50 -0700
From: Chris McDonald
Subject: Revised Product Test PT-17, F-PROT, version 2.08a (PC)

*******************************************************************************
PT-17 Revised May 1993
*******************************************************************************

1. Product Description: F-PROT is a program designed to provide malicious program detection, disinfection, and protection. This product test addresses version 2.08a, May 1993.

2. Product Acquisition: F-PROT is a shareware program distributed by Fridrik Skulason, Box 7180, IS-127 Reykjavik, Iceland. Mr. Skulason has posted F-PROT on a number of Internet sites. The program is on the U.S. Army White Sands host simtel20. The path on simtel20 [192.88.110] for anonymous ftp downloading is pd1:. The program is free for home use on a single personally-owned computer. There is a registration fee for commercial and government users. Site licenses are available as well as discounts for multiple copy registrations. Finally Mr. Skulason has negotiated several agreements where other vendors have bundled or incorporated F-PROT into access control/viral protection programs.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM, DSN 258-7548, DDN cmcdonal@wsmr-emh34.army.mil.
[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/pc/mcdonald.f-prot ]

------------------------------

Date: Tue, 25 May 93 17:45:48 -0700
From: Chris McDonald
Subject: Revised Product Test PT-3, VIRUSCAN, version 104 (PC)

******************************************************************************
PT-3 Revised May 1993
******************************************************************************

1. Product Description: VIRUSCAN is a shareware program to detect known viral signatures for IBM PC and compatible computers. If one utilizes available options, it may be possible to identify the presence of "new" malicious code. This product test revision addresses Version 9.15V104, May 1993.

2. Product Acquisition: VIRUSCAN is available from the McAfee Associates bulletin board and from its Internet host, from other bulletin board systems, and from other Internet hosts to include simtel20 [192.88.110.20]. The registration fee is $25.00 for individual home users. Site licenses are available for commercial, government and university environments. Registration entitles the user to unlimited upgrades as well as technical support for one year. "Registration" is for home users only. The McAfee BBS number is (408) 988-3832; the Internet address is mcafee.com or 192.187.128.1 for anonymous ftp downloading.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5506, DSN 258-7548, DDN cmcdonal@wsmr-emh34.army.mil.
[Moderator's note: The remainder of this product review (and MANY other product reviews - including book reviews) is available by anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file: pub/virus-l/docs/reviews/pc/mcdonald.virusscan ]

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 87]
*****************************************