Date: Tue, 16 Jul 91 11:58:05 MDT
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revision to PT-9, Disinfectant 2.5.1

******************************************************************************
PT-9                                                            January 1990
                                                            Revised July 1991
******************************************************************************

1. Product Description:

DISINFECTANT is a public domain program to detect and to repair virus activity for Macintosh systems. The author is Dr. John Norstad, Academic Computing and Network Services, Northwestern University, 2129 Sheridan Road, Evanston, IL 60208. Dr. Norstad's BITNET address is jln@nuacc; the INTERNET address is jln@acns.nwu.edu.

2. Product Acquisition:

DISINFECTANT is available on several university and public bulletin boards. It resides in the MS-DOS repository on the Information Systems Command host simtel20 [192.88.110.20] at White Sands Missile Range: pd3:.

3. Product Tester:

Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I obtained a copy of DISINFECTANT, Version 1.5, in January 1990 from the Macintosh repository on the USAISC-White Sands host simtel20. The repository has been registered with HQ ISC, and has been approved for operation by the Commander, USAISC-White Sands, under the policy of AR 380-19. I have continued to receive updates with the most recent version 2.5.1, 7 July 1991.

b. I have tested the product over the last two years on a variety of Macintosh platforms, to include the Macintosh SE, the Macintosh II and IIcx, and the portable Macintosh. The minimum configuration required is 512K memory, System 3.2 or later, and the HFS and MFS file systems. The program has an internal self-checking mechanism to hopefully notify the user of any tampering.

c. The program has detailed on-line documentation on various topics. These include:
   (1) a detailed description and history of the known Macintosh viruses;
   (2) a sample of all error and alert messages which DISINFECTANT generates;
   (3) a description of and recommendation on other public domain and shareware virus tools;
   (4) a history of the development and testing of DISINFECTANT; and
   (5) a listing of all those individuals who have contributed in some way to the development, peer review, and testing of DISINFECTANT.

d. The author recommends that a user initially run DISINFECTANT on a 3 1/2" diskette formatted as a system disk with the write protect tab engaged. In this way one minimizes the potential for a "clean" copy of DISINFECTANT to become infected. After the program completes its self-checking mechanism, a user receives a screen with eight options or selections:
   (1) Drive Selection;
   (2) Eject Selection;
   (3) Scan Selection;
   (4) Disinfect Selection;
   (5) Save Selection;
   (6) About Selection;
   (7) Cancel Selection;
   (8) Quit Selection.

e. The program directs a user to first select the "About" option if he or she has never run DISINFECTANT. This provides a user with all of the on-line documentation. I followed this instruction and found the information to be informative, easy to follow, and a good tutorial on virus detection and prevention.

f. I selected the "Drive" and "Scan" options and tested various system hard drives and disks. The program gives one a screen display of the running count of files/disks scanned along with a display by percentage of how far the program has progressed through the specific media (i.e., hard disk, disk). If one selects the "Cancel" option at any time, the program will terminate and provide a numerical count of files scanned to that point. When the program runs to completion, the user receives a summary report on the screen of the total number of files/disks scanned and a notification of any viral infection by individual file. If no infections are found, then the program states that fact. The "Save" option will print the summary report to a file identified by the user which can be saved or edited for whatever purpose.

g. I tested all the options. All tests were successful and provided the results described in the documentation. By chance I was able to confirm the effectiveness of the program to detect and to repair an actual viral infection. During the week of 14-18 January 1990 representatives from Falcon Microsystems, from the Apple Federal Systems Group, and from approximately 10 other vendors visited White Sands to conduct product demonstrations, displays, and training classes on Macintosh hardware and software. The vendors brought their own hardware and software consisting of several different configurations. As soon as the vendors had connected the systems through their own fiber optics network, individual systems began to "lock-up" and to beep. A government employee, who maintains the Macintosh repository on simtel20, happened to be present when this occurred. He had his copy of DISINFECTANT and immediately ran it on one of the affected systems. DISINFECTANT identified the problem as the "n-Vir, Type B" and the "WDEF" viruses. Apparently the viruses were introduced from a single vendor disk which infected the file server to which all the systems had been connected. The employee then used DISINFECTANT to successfully "disinfect" the systems. The employee notified me of what had occurred. Subsequently I interviewed other individuals present to confirm the accuracy of the information. It was interesting to learn that the vendors themselves had copies of DISINFECTANT. At no time was any government owned or leased system infected; nor was any government owned, leased, or developed software involved in the incident.

5. Product Advantages:

a. The program works as advertised.

b. The program is "free", and contains the most detailed description of all known Macintosh viruses within its documentation.

c. The author has submitted his program to extensive "peer review".

6. Product Disadvantages:

a. Technical support of the program is admittedly informal. However, the author has a good reputation for responsiveness and technical expertise. Since there is a large group of individuals who participate in the "peer review" of the program, these individuals are conceivably additional sources for advice and assistance.

b. The mechanism of distributing updates to the program may be a problem for many users. While INTERNET access is taken for granted by many of us, there are many users who do not have such facilities. Therefore, organizations and users who decide to utilize the program must make provisions for the acquisition of the program and for the distribution of updates.

c. The program searches only for "viruses", not trojan horses. Although the occurrence of trojan horses has been limited in the Macintosh environment, one would have to use available commercial programs for trojan horse detection.

d. The program only identifies "known" viruses. Protection against "new" viruses is not available in version 2.5.1. There has been some INTERNET discussion on whether the next release of DISINFECTANT would include some sort of checksumming capability, comparable to those features found in two of the most popular commercial programs, SAM and VIREX. However, it is unclear as to whether this additional capability will ever be available. The author has already contributed immeasurably to anti-viral protection. So it perhaps begs the question to ask for more at no charge.

7. Comments:

While one could engage in a debate on the advantages of a commercial product over this public domain program, such a debate is in my opinion counterproductive. DISINFECTANT demonstrates a significant difference between the MS-DOS and Macintosh worlds. The best of the MS-DOS viral detection and eradication programs are either commercial or shareware programs which require payment for their use. Here one of the best programs is free. An intelligent strategy would be to have at least two separate programs available for use within an enterprise for defense against malicious programs. The flexibility of dual products can provide both financial and technical advantages. It also provides protection in the event one program for whatever reason ceases to be available.

Version 2.5.1 will detect these viruses: Scores, nVir and nVir B clones, INIT 29, Anti-A and Anti-B, MacMag, WDEF-A, WDEF-B, MDEF-A (Garfield), MDEF-B (Top Cat), MDEF-C, MDEF-D, Frankie, CDEF, Zuc-A, Zuc-B and Zuc-C.

FURTHER REFERENCES:

PT-10  March 1990     Virex (Revised February 1991)
PT-20  November 1990  Symantec Antivirus for Macintosh (SAM) (Revised April 1991)
PT-30  May 1991       VirusDetective

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
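Section 6.d contrasts the "known virus" matching DISINFECTANT performs with the checksumming found in SAM and VIREX. The Python below is an illustration added to this evaluation, not code from DISINFECTANT or from Dr. Norstad: it runs a toy signature matcher and a checksum baseline over constructed in-memory "files" (the signature database, file names and contents are all made up) to show why only the checksum comparison flags a modification whose pattern is not in the database.

```python
import hashlib

# Constructed, hypothetical signature database: name -> byte pattern.
# Real scanners use far more elaborate patterns; this is a placeholder.
KNOWN_SIGNATURES = {"DEMO-A": b"DEMO-A-MARKER"}


def signature_scan(data):
    """Return the names of known signatures present in data.

    This is the 'known viruses only' model: a file carrying no pattern
    from the database is reported clean, whatever else changed in it.
    """
    return [name for name, pattern in KNOWN_SIGNATURES.items() if pattern in data]


def build_baseline(files):
    """Record a SHA-256 checksum per file while the system is known clean."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def integrity_check(files, baseline):
    """Compare current checksums with the baseline.

    The checksum model names no virus, but it flags every file whose
    contents differ from the trusted snapshot, known cause or not.
    """
    current = build_baseline(files)
    return {
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Run both strategies over constructed sample files and return their findings."""
    clean = {"System": b"system-file-bytes", "TeachText": b"application-bytes"}
    baseline = build_baseline(clean)                               # taken while clean
    later = dict(clean)
    later["TeachText"] = clean["TeachText"] + b"DEMO-A-MARKER"   # carries a known pattern
    later["System"] = clean["System"] + b"unknown-change"         # no known pattern
    sig_hits = {p: signature_scan(d) for p, d in later.items() if signature_scan(d)}
    return sig_hits, integrity_check(later, baseline)


if __name__ == "__main__":
    hits, report = demo()
    print("signature scan:", hits)      # only TeachText is named
    print("integrity check:", report)   # both System and TeachText are changed
```

The baseline must be taken and stored on trusted, write-protected media, in the same spirit as the author's advice in 4.d to run from a locked diskette; a baseline recorded on an already modified system only certifies the modification.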