Date: Tue, 25 Jun 91 08:02:40 MDT
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Product Test - - Central Point Anti-Virus

*******************************************************************************
PT-36                                                                June 1991
*******************************************************************************

1. Product Description: Central Point Anti-Virus (CPAV) is a product to detect, disinfect and prevent virus infections, as well as to protect against the introduction of "unknown" and/or malicious code.

2. Product Acquisition: CPAV is available from Central Point Software, Inc., 15220 NEW Greenbrier Pkwy., Suite 200, Beaverton, OR 97006. A marketing number, current as of 6 Jun 91, is 1-800-445-4064. The retail price of the product is $129.00. Site licenses are available.

3. Product Testers: Don Rhodes, Information Systems Management Specialist, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-8174, DDN: drhodes@wsmr-emh04.army.mil; Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. Don Rhodes obtained an evaluation copy of CPAV V1 in April 1991. The evaluation copy arrived just before Central Point launched an aggressive marketing campaign in several trade publications. The evaluation package contained a user's manual, a certificate to obtain one free virus protection update contingent upon product registration, two 5 1/4" disks, and one 3 1/2" disk. All disks were write-protected.

b. Product tests occurred on the following systems:
(1) Unisys 286 PC, Model 3137, MS-DOS 3.10, 512K;
(2) Unisys 286 PC, MS-DOS 3.30, 640K; and
(3) Unisys 386 PC, Model PW 820-F, MS-DOS 4.01, 8MB.
The minimum hardware and software configuration is as follows: IBM PS/2 (all models), PC, XT, AT, and most IBM-compatibles, DOS 3.0 or higher with 512K (DOS 3.2 or higher is "recommended").

c. CPAV is by far the most complex protection program evaluated to date in terms of its number of advertised capabilities, functions and protection options. Its marketing literature has emphasized its Windows and Novell network compatibilities. Don Rhodes verified the Windows functionality, but neither of us addressed the networking features since this is not presently a high priority in our specific computing environment. The actual testing of the product began on 25 April 1991 and extended through 24 June 1991.

d. CPAV has an automatic installation program to assist users. The user's manual and the screen presentations during installation were helpful. One invokes the program either with a mouse or with the syntax: cpav (case insensitive). When the program runs, the default is for Full Menus. The user does have the option to move to a so-called Express Menu. Full Menus offer a variety of options and configurations. We tested all of these features with only one anomaly. The user's manual indicates that the "Check All Files" option defaults to ON in the automatic installation. This is incorrect. The actual default is for a "Fast Detection" option. If a user sets both the "Fast Detection" and the "Check All Files" options ON at the same time, all tests resulted in the "Fast Detection" overriding the more recursive option.

e. CPAV V1 claims to contain viral signatures for 534 known viruses and variations. This places it in a range with McAfee's VIRUSCAN and Skulason's F-PROT. CPAV does identify those central viruses which John McAfee once proposed account for 95% of all reported infections. CPAV can identify 96% (i.e., 26 out of 27) of those viruses characterized as "common" by Patricia Hoffman in her Virus Summary List, 15 May 1991.

f. Although we do not have code for all the malicious programs which CPAV claims to detect, we were able to test against 60 viruses in our possession.
CPAV in its "Fast Detect" option, which is the default, failed to detect three of these test samples. The viruses were the Do Nothing, the S-Vir, and the Virus-101. All three viruses are extremely rare according to various catalogs and summary lists in my possession. All three viruses appear to do nothing but replicate. I telephonically notified Central Point of this development in the first week of May. Since I was told that someone would contact me, I decided to conduct additional detection tests until I could talk with someone.

g. The user's manual states that "Fast Detect . . . checks the parts of files where viruses usually attack instead of checking the entire file. This greatly accelerates the detection process". On the chance that perhaps my copies of the virus were "unusual", I activated the "Check All Files" option. This option resulted in the detection of the Do Nothing and the S-Vir viruses. The option did not alarm for Virus-101 despite several scanning operations.

h. While the "Check All Files" option provided enhanced detection capabilities in this instance, I must note some rather interesting results. In all fairness the user's manual states that turning this option "off will increase the speed of the scan". I was prepared when I activated the option that the detection operation would be longer than the "Fast Detect". Neither Don nor I were prepared for what occurred. The "Fast Detect" scan of my hard drive without any alarm for the three viruses in question took 2 minutes and 16 seconds to examine 203 files. The "Check All Files" scan of the same hard drive with two alarms for the detection of the Do Nothing and S-Vir viruses took 48 minutes and 15 seconds to examine 508 files. The CPAV program itself provided the times and the number of files scanned at the conclusion of the detection operations. Since this seemed a very long time, I repeated the experiment several days later. In the second test the "Check All Files" scan of the same hard drive took 1 hour and 40 minutes to examine 580 files. Again the CPAV program provided the time and the number of files. The increase in files resulted from additional material which I had added to the hard drive since the first test.

i. I estimate that one can subtract approximately 20 seconds from the "Check All Files" scanning tests to account for the alarms on the Do Nothing and S-Vir viruses. When CPAV detects a known signature, it alarms and freezes on the potentially infected file. The user then has the option to disinfect or to continue the scan. My choice was to continue the scan in all tests.

j. Don's results were as follows. In each case his detection operations were against a 40MB hard disk with 32 directories and 1470 files.
(1) Under DOS: Graphics Mode = 1 Hour and 11 Minutes; Text Mode = 1 Hour and 17 Minutes
(2) Under Windows 3.0 = 1 Hour and 12 Minutes

k. It may be that my copy of Virus-101 is "unusual". I note only that every other freeware, shareware, or commercial program which has claimed to detect this virus has alarmed on my copy. I made a second telephone call to the Central Point technical staff on 22 May 1991. I was told once again that someone would contact me. Since my supply of malicious code is approximately 10% of the total number of malicious programs CPAV lists as detectable, it is difficult to extrapolate from the "Fast Detect" and "Check All Files" results. My experience leads me to feel more comfortable in using the "Check All Files" detection option on a previously unscanned system, disk or file.

l. CPAV has a memory resident component program called VSafe. VSafe has eight options which I tested.
(1) HD Low-Level Format: Warns of formatting which could completely erase the hard disk. The default installation is ON.
(2) Resident: Warns of any attempt by a program to use standard DOS methods to stay in memory. The default installation is OFF.
(3) General Write Protect: Prevents all writing to the disk. The default installation is OFF.
(4) Check Executable Files: Checks any executable file opened by DOS for known viruses. The default installation is ON.
(5) Boot Sector Viruses: Checks any disk used in the system for the presence of boot sector viruses. The default installation is ON.
(6) Protect HD Boot Sector: Warns of any attempt to write to the boot sector and partition table of the hard disk. The default installation is ON.
(7) Protect Floppy Boot Sector: Warns of a program attempting to write to the disk boot sector of a floppy disk. The default installation is OFF.
(8) Protect Executable Files: Warns of any attempt to modify executable files. The default installation is ON.

m. VSafe tests resulted in these observations. First, although the documentation in more than one place indicates that "Protect Executable Files" has a default of ON, two different automatic installations resulted in the option being inserted into my autoexec.bat file as OFF. Second, both the IBM Anti-Virus product and Skulason's F-PROT alarmed on VSafe for the Flip virus when it was memory resident. The IBM program also alarmed on the vsafe.com file when VSafe was not memory resident. F-PROT had no alarm under its file checking program when VSafe was not memory resident. McAfee's Viruscan and Norton Anti-Virus had no such alarms under any conditions. I ran the most current version of these four programs. Third, the "Protect Executable Files" option alarmed on attempts to modify only files with the extensions .com or .exe. The definition of "executable files" for VSafe operations differs significantly from the definition of an "executable file" under the detection configuration option. The detection definition includes .exe, .com, .ovl, .ovr, .sys, .bin, .app, .pmg, .pif, .prg, .xtp and .cmd.

n. The disinfection capabilities of CPAV performed as indicated. However, the limited amount of malicious code in our possession, and our lack of technical expertise to address the issue of successfully cleaning secondary and perhaps even tertiary infections of the same file, must be highlighted in discussing disinfection. Whenever CPAV could not repair or disinfect, it gave a dialog box indicating that fact and suggesting deletion of the infected file.

o. CPAV has an option to create checksums on files and to verify the integrity of that checksum. When a user selects the option, CPAV creates a checklist file called chklist.cps during a scanning detection operation. Each directory has its own chklist.cps file, which contains information on a file's size, attributes, date and time. If upon a future detection operation there is a change in the checksum, CPAV issues an integrity alarm notifying the user that a change has occurred. We tested this feature by modifying various file information. In all cases CPAV issued an alarm. I should caution that our tests did not include any attempt to specifically defeat the mechanism.

p. The "immunization" component of CPAV was only partially tested. The user's manual describes "immunization" in this manner: "Central Point Anti-Virus can immunize executable files against virus infection. Once immunized, a file has its own anti-virus capabilities allowing it to notify you of any change that may occur. If a change is detected, the immunized file can 'heal' itself, returning to its original state. Immunization adds less than 1K to a file, but does not occupy any space in system memory." The warning message displayed in the manual, however, is an "integrity" warning. It seemed to me that if a user utilized the detection scanning operation with the checksum operation and chose the VSafe memory resident program, then any other change would have to be a "new" malicious piece of code or a legitimate change.
The one advantage of immunization is that any immunized file checks itself every time prior to execution. Clearly "immunization" addresses those situations in which the user has not configured VSafe to detect attempted changes to .com and .exe files, or environments where the user perhaps does not activate detection scanning on a regular basis.

q. We did test the menu features of immunizing and disimmunizing files. There are at least six categories of files which the documentation states cannot be immunized. If a user attempts to immunize a file from one of those categories, then the user receives a dialog box advising of this fact. Those menu features functioned as advertised with one exception: namely, there was one instance in which a file with its own self-checking system did not trigger the dialog box. Such a file, according to the documentation, cannot be immunized. The file in question was another anti-viral executable from a different vendor.

r. There was one item in immunization which unfortunately functioned as described. The documentation indicates that "occasionally" a file which has been immunized will not function properly. I had that experience. Several files in my DOS directory, once immunized, resulted in my autoexec.bat file executing down to my "mode" statement and then rebooting my system in a continuous loop. Removing the immunization corrected the problem. I encountered a minor problem in removal, so I actually had to delete certain files and then restore them from an original disk. All of Don's tests on immunization were successful. Since testing the "file heal thyself" option would require expertise beyond our immediate capabilities, and in the interest of time, we chose not to evaluate this capability.

s. CPAV has options to maintain activity logs on detection, disinfection and immunization operations. The user has the choice to write such activity to the screen, to a printer, or to a file. The feature performed as documented.

t. Finally, we did not test the VWatch or Bootsafe components of CPAV. VWatch is a smaller memory-resident program for those users who cannot employ VSafe because of memory limitations. Bootsafe is a boot sector and partition table security utility. When Bootsafe is run from your autoexec.bat file, it looks for any existing boot sector viruses by comparing the current boot sector and partition table against their images created during the installation process.

5. Product Advantages:

a. CPAV offers a comprehensive set of components for establishing a control program for virus and malicious software detection, disinfection, and prevention. The components appear to perform as documented, with some exceptions.

b. The installation program allows the user to configure the product to his or her own preferences. There is also the opportunity to change a configuration very easily after installation.

c. All CPAV menu displays were clear and informative. The Full Menu display has a split screen presentation in which a directory information box appears on the left and the files within the directory appear in the box on the right. As CPAV executes a particular operation, the directory and the specific file under detection, disinfection, immunization, etc., are highlighted. Movement within the displays is easy, with usually multiple ways to issue a command or perform an operation. CPAV worked well under Windows and with a Logitech three button mouse (mouse driver 5.01).

d. CPAV has an automatic update capability for adding "new" malicious search strings. One can obtain such information from Central Point's virus hotline, its BBS, Compuserve, U.S. mail, and fax. I checked the hotline number on 29 April, 28 May, 10 June and 24 June 1991 to determine if any updates had occurred. There had been no change to the recorded message of 29 March 1991.

e. Central Point Software has an excellent reputation for its products and for its technical assistance.
The look-and-feel of CPAV will be deja vu for those users of PC-Tools.

6. Product Disadvantages:

a. The "Check All Files" option is a real killer as to its speed of operation. There may be a simple reason as to why our test systems performed so slowly. Perhaps our experiences are simply abnormal.

b. The range of options almost suggests that CPAV is a product for the advanced user or for that special high risk environment. It may not be reasonable to give everyone a copy, particularly if individual users only want detection and disinfection capabilities.

c. The "Fast Detection" operation against the Do Nothing, S-Vir and Virus-101 viruses raises a concern as to the manner in which CPAV sets defaults in its search detection methodology. It may be advisable to mandate the "Check All Files" option and pay the speed penalty for assurance.

d. The user's manual has a lengthy section listing viruses and their characteristics. This discussion is actually thin on substance and does not consistently advise a user if a virus can or cannot be removed. The manual also suffers from unnecessary repetition. For example, there are three identical descriptions of the VSafe options spread throughout the document.

7. Comments: Fred Cohen's original paper on his first computer virus experiments concluded that detection of viruses by their appearance or behavior was "undecidable". Yet seven years after the publication of his work, detection of viruses by their appearance and behavior remains the most common form of viral defense for the MS-DOS environment. CPAV provides the mechanisms to monitor attributes of change and to recognize a virus by its appearance. It has an intrusion detection capability through its TSR program, checksum capability, and file immunization. The challenge for the user remains the interpretation of what the program identifies as "suspicious" activity. It does reinforce the proposition that, if one chooses to acquire a product which integrates detection, disinfection and prevention, one must have a strategy for supporting users in the interpretation of alarms and probably in the actual configuration. With all of its options this may not be a package for the novice or inexperienced user. The myriad components and configurations, particularly for VSafe/VWatch, will undoubtedly result in Type I alarms (i.e., alarms in the absence of anything malicious). These alarms can be annoying to many users. It is logical to have sufficient personnel trained on the product to address such eventualities and to investigate those alarms which appear to be outside the norm. In all fairness any comment on the perceived complexity of CPAV applies as well to other commercial anti-viral programs which offer comparable features. The management decision in regards to these high-end programs will be to determine if resources are available to support the proposed user community, which will undoubtedly have a wide range in computer expertise and literacy. If management is unwilling or unable to commit these resources, then perhaps another acquisition choice would be more appropriate. It seems pointless to spend money on a high-end program and then not utilize its capabilities.

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   DATE            PRODUCT
PT-3                  November 1989   VIRUSCAN (MS-DOS) (Revised February 1991)
PT-11                 June 1990       ANTI-VIRAL SEARCH, 2.23e (Revised February 1991)
PT-12                 June 1990       VIRUCIDE (MS-DOS) (Revised February 1991)
PT-17                 August 1990     F-PROT (MS-DOS) (Revised May 1991)
PT-23                 March 1991      VIREX-PC (Revised May 1991)
PT-28                 February 1991   NORTON ANTIVIRUS (Revised 12 February 1991)
PT-34                 April 1991      IBM ANTI-VIRUS
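The "Fast Detect" versus "Check All Files" difference discussed in paragraphs 4.f through 4.h and 4.k, as an added illustration that is not part of this product test and not Central Point's code: a toy scanner whose fast mode inspects only the head and tail of a file, beside a full mode that inspects everything, run over constructed host files carrying a marker at the head, the tail and the middle. The signatures, host files and the 64-byte window are this example's own assumptions.

```python
# Added example (not Central Point's code): why a scan that reads only the
# "parts of files where viruses usually attack" can miss a sample that a
# whole-file scan catches. Signatures and host files are constructed markers,
# not real virus code; the 64-byte window is this example's own assumption.

# Constructed signature table: name -> byte pattern.
SIGNATURES = {
    "SAMPLE-A": b"<<SAMPLE-A-MARKER>>",
    "SAMPLE-B": b"<<SAMPLE-B-MARKER>>",
    "SAMPLE-C": b"<<SAMPLE-C-MARKER>>",
}
FAST_WINDOW = 64  # bytes inspected at each end of a file in fast mode

def regions(data: bytes, check_all: bool) -> list:
    """Byte regions a scan inspects. Fast mode mimics "Fast Detect": only the
    head (entry point) and tail (appended body) are read. check_all=True
    reads the whole file, like "Check All Files"."""
    if check_all or len(data) <= 2 * FAST_WINDOW:
        return [data]
    return [data[:FAST_WINDOW], data[-FAST_WINDOW:]]

def scan(data: bytes, check_all: bool = False) -> list:
    """Sorted names of signatures found in the inspected regions."""
    hits = set()
    for region in regions(data, check_all):
        for name, sig in SIGNATURES.items():
            if sig in region:
                hits.add(name)
    return sorted(hits)

def build_sample(name: str, where: str, size: int = 4096) -> bytes:
    """Constructed host file: filler bytes with one signature at the head,
    tail or middle. Adjacent filler bytes always differ by 7, so the "<<"
    that opens every marker cannot occur in the filler by accident."""
    sig = SIGNATURES[name]
    filler = bytes((i * 7) & 0xFF for i in range(size))
    if where == "head":
        return sig + filler[len(sig):]
    if where == "tail":
        return filler[:-len(sig)] + sig
    mid = size // 2
    return filler[:mid] + sig + filler[mid + len(sig):]

def compare_modes(samples: dict) -> dict:
    """label -> (fast-mode hits, check-all-files hits) for each sample."""
    return {label: (scan(d), scan(d, check_all=True)) for label, d in samples.items()}

if __name__ == "__main__":
    samples = {"head": build_sample("SAMPLE-A", "head"),
               "tail": build_sample("SAMPLE-B", "tail"),
               "middle": build_sample("SAMPLE-C", "middle")}
    for label, (fast, full) in compare_modes(samples).items():
        print(f"{label:6s} fast={fast} check_all={full}")
```

The middle-placed marker is the case the fast mode misses and the full mode finds, which is the shape of the Do Nothing and S-Vir results above; the cost of the full mode is that every byte of every file is read.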
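The per-directory checklist of paragraph 4.o, as an added illustration that is not Central Point's code: a baseline that records size, date/time and a content hash for every file in one directory, verified later to report changed, missing and new files. The checklist file name, its field set and the SHA-256 hash are this example's assumptions; the page does not document the chklist.cps format.

```python
# Added example (not Central Point's code): a per-directory integrity checklist
# in the spirit of CPAV's chklist.cps. The baseline records each file's size,
# modification time and a content hash; verification reports what differs.
# Checklist name, field set and the SHA-256 hash are this example's assumptions.
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHECKLIST_NAME = "chklist.json"  # assumed name; CPAV used chklist.cps

def file_record(path: Path) -> dict:
    """Size, integer mtime and SHA-256 of one file."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}

def directory_records(directory: Path) -> dict:
    return {p.name: file_record(p) for p in directory.iterdir()
            if p.is_file() and p.name != CHECKLIST_NAME}

def build_checklist(directory: Path) -> dict:
    """Write (or refresh) the directory's checklist and return its records."""
    records = directory_records(directory)
    (directory / CHECKLIST_NAME).write_text(json.dumps(records))
    return records

def verify_checklist(directory: Path) -> dict:
    """Compare the directory against its checklist: changed / missing / new.
    Hash comparison catches an edit that keeps the size and restores the time."""
    baseline = json.loads((directory / CHECKLIST_NAME).read_text())
    current = directory_records(directory)
    return {
        "changed": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "new": sorted(n for n in current if n not in baseline),
    }

def demo(directory=None) -> dict:
    """Constructed scenario: baseline three files, alter one with size and
    timestamp preserved, delete one, add one; return the verification report."""
    if directory is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(Path(tmp))
    for name, body in [("a.com", b"AAAA"), ("b.exe", b"BBBB"), ("c.sys", b"CCCC")]:
        (directory / name).write_bytes(body)
    build_checklist(directory)
    target = directory / "a.com"
    st = target.stat()
    target.write_bytes(b"AAAB")                   # same size, different content
    os.utime(target, (st.st_atime, st.st_mtime))  # put the old timestamp back
    (directory / "c.sys").unlink()
    (directory / "d.ovl").write_bytes(b"DDDD")
    return verify_checklist(directory)

if __name__ == "__main__":
    print(demo())
```

The report flags a.com even though its size and timestamp match the baseline, which is the property a size/date-only checklist would lack; the checklist file itself is still an ordinary file on the same disk, so it needs the same protection the report gives VSafe's write-protect options.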