Date: Wed, 23 Oct 91 15:22:28 MDT
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revision to Product Test--FPROT, version 2.0

*******************************************************************************
PT-17                                                             August 1990
                                                        Revised October 1991
*******************************************************************************

1. Product Description: F-PROT is a program designed to provide malicious program detection, disinfection, and protection. This product test addresses version 2.0.

2. Product Acquisition: F-PROT is a shareware program distributed by Fridrik Skulason, Box 7180, IS-127 Reykjavik, Iceland. Mr. Skulason has posted F-PROT on a number of Internet sites. The program is on the USAISC-White Sands host simtel20. With version 1.14 the program became free if a user utilizes it on a single personally-owned computer. There is a registration fee for commercial and government users. Site licenses are available, as well as discounts for multiple-copy registrations. The path on simtel20 [192.88.110.20] for anonymous ftp downloading is: pd1:.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

   a. I obtained a copy of F-PROT from our simtel20 MS-DOS repository in mid 1990. The first version tested was 1.07. I have continued to download updates, with the most current version 2.0, dated 27 August 1991.

   b. I tested the product initially on a Unisys PC, Model 3137, MS-DOS 3.10, 512K. I have subsequently conducted additional tests on IBM, Gateway, Wyse and Zenith platforms running MS-DOS 3.3 and 4.0 without any difficulties.

   c. Version 2.0 represents a complete redesign of the program. F-PROT now has a menu interface and has consolidated seven separate programs into two:

      (1) F2.EXE is the main program which provides malicious program detection, disinfection and information.
      (2) VIRSTOP.EXE is the terminate-and-stay-resident (TSR) program which prevents the execution of programs infected with known malicious code.

   d. I tested both of these programs, which appeared to function as described in the documentation. I used the "semiautomatic" installation feature without any difficulties. I did not test any network configurations, although F-PROT documentation identifies its network capabilities. Version 2.0 will run under Windows 3.0, but is not a Windows application.

   e. Version 2.0 claims to identify 96% (i.e., 53 out of 55) of those viruses characterized as "common" by Patricia Hoffman in her HyperText Virus Summary List, 22 September 1991. The documentation identifies 250 families of viruses, with each family having between 1 and 50 variations. The F2.EXE program successfully identified all of the 80+ viral code samples in my possession. There are additional evaluations of the detection effectiveness of the program which have been posted to the Internet, particularly to Virus-L. Finally, the National Computer Security Association evaluated an earlier version of the program in a report "Virus Scanners: An Evaluation", dated 4 March 1991.

   f. Version 2.0 also claims to identify 8 specific trojan horse programs. The F2.EXE program did identify my test sample of the Twelve Tricks Trojan. The Twelve Tricks Trojan has been thoroughly examined by a number of reputable sources who have documented their analysis in the public domain. I have seen few sighting reports on the trojan during the last year, but must defer to the experts who collect such statistical information and consider it to be a threat.

   g. A user executes the F2.EXE program by typing the command followed by a carriage return. The program does an integrity check of itself and then scans memory for known viral signatures. A user may abort the memory scanning by pressing the ESC key. A menu with six selections appears upon the completion or interruption of the memory scan.
      The selections include:

      (1) Scan
      (2) Install
      (3) Viruses
      (4) Analyse
      (5) Program
      (6) Quit

      One chooses a selection by entering the first letter of the selection, or by the use of arrow keys and a carriage return. The program author has identified mouse support as a possible future enhancement. Selection of settings and options follows the same convention.

   h. The Scan selection presents five settings which offer a variety of options:

      (1) Method: Full Scan, Quick Scan, Secure Scan
      (2) Search: Hard Disk, Diskette Drive, Network, User-Specified
      (3) Action: Report Only, Disinfect/Query, Automatic Disinfection, Delete/Query, Automatic Deletion, Rename
      (4) Target: All Viruses, Only File Viruses, Only Boot Sector Viruses, All Viruses+Trojans, User-Defined Strings
      (5) Files: Standard Executables, User-Specified

      I successfully tested all the options with the exception of Search (Network), Target (User-Defined Strings), and Files (User-Specified).

   i. The Install selection presents four options:

      (1) Language: The current shareware version supports English. Program documentation states that a German version is under development, with additional languages planned for the end of 1991.
      (2) Setup: Sorts the list of viruses known by column or line
      (3) Install: Copy the program to hard disk
      (4) VIRSTOP.EXE: Install or remove VIRSTOP.EXE

   j. The Viruses selection presents two options:

      (1) Information: Provides information on known viruses
      (2) New Signatures: Allows a user to add, delete and list user-defined hexadecimal search patterns

      The main issue under this selection is that the Information option does not show all the viruses which F-PROT can detect. I verified this fact with the author, who indicated he was addressing it.

   k. The Analyse selection is a new feature available in version 2.0. It is an attempt using "heuristic analysis" to identify unknown viruses. A user can analyze memory, a program, or a boot sector. Program documentation states that this feature is "experimental".
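      Items g, h and j above describe three mechanisms that are simple enough to illustrate in code: the self integrity check F2.EXE performs at startup, user-defined hexadecimal search patterns, and the Report Only and Rename actions. The following Python program is an added example written for this product test, not F-PROT's code. The pattern syntax (NAME=HH HH ?? HH, with "??" a one-byte wildcard), the list of "standard executable" extensions and the .vir rename suffix are assumptions made for the example, and the signatures and files it scans are constructed for the demonstration and are not real virus signatures.

```python
"""Added example: a small signature scanner modelled on the features described in
items g, h and j of the product test (self integrity check, user-defined hex
search patterns, Report Only / Rename actions). Not F-PROT's code; the pattern
syntax, extension list and rename suffix are assumptions for this example."""
import hashlib
import hmac
import os
import re
import tempfile
from typing import Dict, List, Pattern, Tuple

# Constructed demonstration signatures, NOT real virus signatures.
# Assumed syntax: NAME=HH HH ?? HH, where "??" matches any single byte.
SIGNATURE_LINES = [
    "# lines starting with '#' are comments",
    "SAMPLE-A=E9 ?? ?? 4D 5A 90",
    "SAMPLE-B=B8 00 4C CD 21",
]

STANDARD_EXECUTABLES = (".com", ".exe", ".sys", ".ovl")  # assumed list for the example
RENAME_SUFFIX = ".vir"                                    # assumed suffix for the Rename action


def parse_signature(line: str) -> Tuple[str, Pattern[bytes]]:
    """Compile 'NAME=hex pattern' into a bytes regex; '??' becomes a one-byte wildcard."""
    name, sep, pattern = line.partition("=")
    if not sep or not name.strip() or not pattern.strip():
        raise ValueError(f"malformed signature line: {line!r}")
    parts: List[bytes] = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                      # any single byte
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad token {tok!r} in signature {name!r}")
    return name.strip(), re.compile(b"".join(parts), re.DOTALL)


def load_signatures(lines: List[str]) -> Dict[str, Pattern[bytes]]:
    """Parse every non-blank, non-comment line into a name -> regex map."""
    return dict(parse_signature(l) for l in lines
                if l.strip() and not l.lstrip().startswith("#"))


def scan_bytes(data: bytes, sigs: Dict[str, Pattern[bytes]]) -> List[str]:
    """Return the names of all signatures found anywhere in data."""
    return [name for name, rx in sigs.items() if rx.search(data)]


def scan_directory(root: str, sigs: Dict[str, Pattern[bytes]],
                   action: str = "report") -> Dict[str, List[str]]:
    """Scan standard executables under root (Files: Standard Executables).
    action='report' only lists hits; action='rename' also renames each hit so it
    can no longer be run by its original name. Returns {relative path: [names]}."""
    if action not in ("report", "rename"):
        raise ValueError("action must be 'report' or 'rename'")
    findings: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(STANDARD_EXECUTABLES):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read(), sigs)
            if hits:
                if action == "rename":
                    os.replace(path, path + RENAME_SUFFIX)
                findings[os.path.relpath(path, root)] = hits
    return findings


def self_hash() -> str:
    """SHA-256 of this scanner's own source, used for the startup integrity check."""
    with open(__file__, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def self_integrity_ok(expected_hex: str) -> bool:
    """Compare the current self hash with a value recorded when the scanner was installed."""
    return hmac.compare_digest(self_hash(), expected_hex)


def demo(action: str = "report") -> Tuple[Dict[str, List[str]], List[str]]:
    """Build a constructed directory tree, scan it, and return (findings, directory listing)."""
    sigs = load_signatures(SIGNATURE_LINES)
    samples = {                                                   # constructed sample files
        "CLEAN.COM": b"\xb4\x09\xcd\x21\xc3",                     # matches nothing
        "SUSPECT.EXE": b"MZ" + bytes(8) + b"\xe9\x01\x02\x4d\x5a\x90",  # contains SAMPLE-A
        "NOTES.TXT": b"\xb8\x00\x4c\xcd\x21",                     # SAMPLE-B bytes, but not an executable
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        findings = scan_directory(root, sigs, action)
        listing = sorted(os.listdir(root))
    return findings, listing


if __name__ == "__main__":
    print(demo("report"))   # ({'SUSPECT.EXE': ['SAMPLE-A']}, ['CLEAN.COM', 'NOTES.TXT', 'SUSPECT.EXE'])
```

      The wildcard is deliberately exactly one byte wide, so a pattern cannot silently match across a shorter sequence; a bad token in a user-supplied pattern is rejected at load time rather than compiled into something that matches nothing. The self hash is compared with a constant-time comparison and is only meaningful if the expected value is recorded somewhere the scanner itself cannot modify.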
      The Analyse selection attempts to report on suspicious code by monitoring for generic activities common to actual viruses. A user may receive various messages when suspicious code is found. Tests of the Analyse feature had these results:

      (1) Against 45 files infected with known viruses, Analyse generated a warning message for 44. The one exception was a file infected with Virus-101. Analyse did not generate a message for suspicious code, although the Scan selection correctly identified the infection.

      (2) 80% of the messages were: "This program contains several features which are normally only found in virus programs. It is almost certainly virus-infected." Three other messages accounted for the remaining 20%. These additional messages were less strident, but sufficient in my opinion to cause a user to think twice before executing the program.

      (3) Analyse generated an appropriate boot sector warning message against all boot sector virus samples.

      (4) Analyse has a problem with certain security-related programs which provide boot protection. On several programs Analyse generated this message: "The Partition Boot Sector contains invalid information. This may indicate a virus infection or just a corruption. This boot sector is not an usual DOS boot sector. It may be infected with an unknown virus or just formatted by some other program other than FORMAT.COM".

   l. The Program selection provides information on the author, cost, performance and updating of F-PROT.

   m. The Quit selection exits the program. One can also use the ESC key to exit the program.

5. Product Advantages:

   a. F-PROT presents a comprehensive approach to malicious program detection, prevention and treatment.

   b. The product is cheap under the current licensing plan. I have been advised over the last two years that at least two government agencies were not allowed to acquire F-PROT because it was "foreign" produced and conflicted with "Buy American".
      I am not a lawyer, but I did purchase my own personal copy. It was my understanding, based upon a telephone conversation with Mr. David Stang from the National Computer Security Association on 13 May 1991, that Mr. Stang might become a U.S. distributor for F-PROT to address this matter. However, as a member of NCSA, I have received no further information. NCSA does distribute F-PROT to its members.

   c. Distribution over the Internet is reliable.

   d. The menu-driven interface makes it easy for users to choose a variety of options, including printing reports on detection operations.

   e. Readers of VIRUS-L and RISKS FORUM will recognize that the author, Mr. Skulason, appears to be extremely knowledgeable and articulate as a viral researcher.

6. Product Disadvantages:

   a. The Internet has carried messages indicating compatibility problems between version 2.0 and certain DOS flavors. Mr. Skulason has acknowledged these issues and promised an update. The historical pattern is that Mr. Skulason has been responsive in addressing bugs and problems.

   b. The Analyse feature can generate 20 different warning messages. The typical user, such as myself, will have to rely on someone with more expertise to actually investigate the code causing the alarm. The author has not provided, perhaps with good reason, the rules which govern the heuristic analysis. For this reason one might have questions on how well-constructed these rules are.

   c. Although it is possible to contact Mr. Skulason over the Internet, program support is informal and perhaps untimely for certain users. There are also a large number of commercial and government users for whom the Internet is still a mystery.

   d. There is always the potential that Mr. Skulason will simply be unable to support the program in the future.

7.
Comments: It seems reasonable that one would stockpile at least two virus protection programs to ensure continuity of operations in the event one program source either terminated support or was no longer available. Two programs also give one a better opportunity to confirm an infection and to eliminate the possibility of a false alarm. Since F-PROT is the creation of a single individual, commercial and government organizations should recognize the real potential for the interruption of support. This consideration in no way diminishes the apparent effectiveness of the program.

The Analyse feature represents an innovative approach to malicious code detection. While there are obviously "bugs" in any experimental work, this feature represents the next level of malicious program detection suggested in Catherine Young's paper "A Taxonomy of Computer Virus Defense Mechanisms".

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   DATE             PRODUCT
PT-3                  November 1989    VIRUSCAN (MS-DOS) (Revised September 1991)
PT-4                  December 1989    DATA PHYSICIAN (MS-DOS)
PT-11                 June 1990        AVSEARCH, 2.24 (MS-DOS) (Revised February 1991)
PT-12                 June 1990        VIRUCIDE (MS-DOS) (Revised August 1991)
PT-23                 March 1991       VIREX-PC (MS-DOS) (Revised May 1991)
PT-24                 July 1991        VIRUSAFE (MS-DOS)
PT-27                 May 1991         FLU-SHOT+, 1.81 (MS-DOS)
PT-28                 February 1991    NORTON ANTIVIRUS (MS-DOS) (Revised October 1991)
PT-34                 April 1991       IBM ANTI-VIRUS, version 2.1.2 (MS-DOS & OS/2) (Revised September 1991)
PT-36                 June 1991        CENTRAL POINT ANTI-VIRUS (MS-DOS)
PT-39                 August 1991      THUNDERBYTE SCANNER (MS-DOS)
PT-41                 July 1991        VIRx (MS-DOS) (Revised August 1991)
PT-43                 September 1991   SEER (MS-DOS)

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]