Date: Mon, 29 Apr 91 15:09:01 MST
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Product Test - - - IBM Anti-Virus Product

*******************************************************************************
PT-34                                                               April 1991
*******************************************************************************

1. Product Description: The IBM Anti-Virus Product is a program to detect computer viruses in the PC-DOS (MS-DOS) and OS/2 environments.

2. Product Acquisition: The program is available from the IBM Corporation through a variety of means. The cost of the program is $35.00. IBM retains title to the scanning program but licenses its use in the United States and Puerto Rico.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I acquired a copy of the program through Computerland in March 1991. I sent $35.00 to the IBM Corporation, Grand Central Station, P.O. Box 2646, New York, NY 10163. The IBM representative, who provided the software to Computerland, advised that upon payment of the licensing fee I would receive future updates automatically. Computerland (located in Las Cruces, NM, USA) charged me nothing for their time or intercession.

b. Product tests occurred on the following systems:

   (1) Unisys PC, Model 3137, MS-DOS 3.10, 512K; and
   (2) Zenith PC, Model 248, MS-DOS 3.30, 640K.

The program's documentation states that it will run on these operating systems:

   (1) PC-DOS versions 2.0, 2.1, 3.0, 3.1, 3.2, 3.3, and 4.0.
   (2) OS/2, both Standard Edition and Extended Edition, version 1.0, 1.1, 1.2, and 1.3.

c. I received version 2.00.01 of the anti-virus product. The executable and documentation files had the dates of February and March 1991. The whatis.new file identified 13 changes and enhancements since the previous release.
The copyright notice referenced "1989, 1990, 1991" which perhaps reinforces the IBM representative's statement that he had shipped Computerland the most current version available for public release.

d. Version 2.00.01 contains viral definitions for 226 known viruses and variations. Clearly, if one only uses "total numbers" as the criteria for a scanning product, McAfee's VIRUSCAN, Skulason's F-PROT, and Central Point's ANTI-VIRUS have the edge (see the other respective product tests on these programs). The IBM Product does identify the ten viruses which John McAfee proposes account for 95% of all reported infections. It does identify 96% (i.e., 26 out of 27) of those viruses characterized as "common" by Patricia Hoffman in her excellent Virus Summary List, 17 March 1991.

e. Although I do not have code for all the malicious programs which the IBM product claims to detect, it did identify those 60+ viruses in my possession. Operation of the program was fast with numerous options available for the novice and experienced user. The default is to scan files with the following extensions: .exe, .com, .ovl, .ini, .sys, .bin. The usage syntax of the program is:

   virscan options

Those options actually tested included:

   (1)  -d       Scan a PC-DOS or OS/2 logical drive.
   (2)  -bdrive  Scan system boot sector of specified logical drive.
   (3)  -v       Maximize messages. Display a list of files and boot sectors as they are scanned. Also forces hexadecimal display of any virus signatures found.
   (4)  -a       Scan all files on the indicated drives.
   (5)  -m       Maybe detect mutants. Tries to detect small variations on the viruses specified in the signature file. More sensitive (and slower) than the default mutant detection.
   (6)  -vv      Very verbose. Like -v except that a hex dump of boot sectors is also displayed.
   (7)  -rdrive  Removable media. If this switch is specified for a drive, the user will be prompted to insert a diskette in the drive before the scan. This allows one to scan multiple diskettes.
   (8)  -nla     Do not display the banner containing the copyright notice, or issue the associated prompt.
   (9)  -nms     No memory scan. Completely disable scanning for memory resident viruses.
   (10) -qq      Completely quiet operation. No messages at all will be displayed, unless a terminal error occurs.
   (11) -z       When the scan finishes, if any virus signatures were found, wait for the user to press a key and beep once per second.
   (12) -vl      Produce a detailed log file. Default filename is virscan.lgf in current directory.

f. All these options performed as indicated in the documentation. The program has a self-checking mechanism to examine itself and its list of virus signatures before executing scanning operations. Should any modifications be detected in this mechanism, the program will terminate. A user normally receives the following message at the completion of the scan, unless he or she has chosen the -qq option. The following is one of the messages actually recorded during this product test:

   Scan completed.
   55 files were scanned.
   1 system boot sector was scanned.
   System memory was scanned for dangerous and/or well hidden resident viruses.
   Total bytes scanned = 1192745, in 62 seconds.
   59 Viral signatures found in 50 objects.

The -vl option, although it does record the program version number, the date/time of execution, the names of files infected, and the identification of the infecting agent, does not capture the above summary.

g. The documentation states that the product cannot find virus signatures in files that are compressed or encrypted. With the -a option, however, I discovered that the program would scan and identify strains of the Cascade, Datacrime, Vienna and Washburn viruses which had been compressed under PKZIP. I encrypted the same compressed files with a software implementation of the Data Encryption Standard. The product did not identify the same four viruses in encrypted format. I attribute no significance to the detection of a few viruses in compressed form.
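As an added illustration of the self-check described in 4.f and the compressed-file behaviour in 4.g (example code written for this page, not IBM's virscan or any code from the product test): a constructed Python signature scanner that refuses to run if its signature list has been modified, honours the default extension list unless -a style scanning of all files is requested, and shows the usual outcome for a deflate-compressed archive, where the signature bytes are not visible in the archive itself and only reappear once the member is unpacked. The signature patterns, file names and archive contents are all constructed for the demonstration.

```python
import hashlib
import io
import zipfile

# Constructed, harmless stand-in for a signature list (the page describes virscan
# keeping its signatures in a file that it self-checks before scanning).
SIGNATURES = {"Demo-A": bytes.fromhex("deadbeef010203"),
              "Demo-B": b"CONSTRUCTED-SAMPLE-PATTERN"}
DEFAULT_EXTS = (".exe", ".com", ".ovl", ".ini", ".sys", ".bin")  # page's default set

def signature_list_digest(sigs):
    """Digest of the signature list; compared against a stored value before any scan."""
    h = hashlib.sha256()
    for name in sorted(sigs):
        h.update(name.encode() + b"\0" + sigs[name] + b"\0")
    return h.hexdigest()

def scan_bytes(data, sigs=SIGNATURES):
    """Names of every signature whose bytes occur anywhere in data."""
    return sorted(name for name, pat in sigs.items() if pat in data)

def scan_files(files, expected_digest, sigs=SIGNATURES, exts=DEFAULT_EXTS, all_files=False):
    """files maps filename -> bytes; terminate if the list changed, filter by extension unless all_files (-a)."""
    if signature_list_digest(sigs) != expected_digest:
        raise RuntimeError("signature list modified; terminating before scan")
    hits = {}
    for name, data in files.items():
        if all_files or name.lower().endswith(exts):
            found = scan_bytes(data, sigs)
            if found:
                hits[name] = found
    return hits

def zip_bytes(member, data):
    """Constructed PKZIP-style (deflate) archive holding one member, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(member, data)
    return buf.getvalue()

def scan_archive_both_ways(archive, sigs=SIGNATURES):
    """Return (hits on the raw archive bytes, hits after unpacking each member)."""
    raw_hits = scan_bytes(archive, sigs)
    unpacked = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        for member in z.namelist():
            found = scan_bytes(z.read(member), sigs)
            if found:
                unpacked[member] = found
    return raw_hits, unpacked
```

The raw-archive scan comes back empty while the unpacked scan reports the member, which is the reason to unpack before scanning; a stored (uncompressed) archive member would be the one case where a raw scan still sees the bytes.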
The strategy to uncompress and then scan is obviously the correct choice when using the IBM product.

5. Product Advantages:

a. The IBM product performs as advertised.

b. The cost of the license agreement is extremely reasonable, particularly when one reads the agreement. A user may, for example, use a copy of the scanning program on one or more machines at a time; and may make additional license copies of the scanning program for distribution and use within one's enterprise. There are other conditions in the read.me file which are in my opinion reasonable.

c. The documentation is readable and presents a realistic assessment of the strengths and limitations of the product.

d. The user has the option to add additional viral definitions through the creation of an addenda.lst signature file.

6. Product Disadvantages:

a. The IBM program provides viral detection only. A user must have other alternatives for disinfection and recovery.

b. The frequency of revisions is apparently indeterminate. The Internet is usually a good source for obtaining information on revisions available to the public. If a licensed user automatically receives updates, as the IBM representative verbally indicated to me, then this addresses a major part of the anxiety for those without Internet access. The timeliness of incorporating additional viral signatures may still present some concern for certain users. While I do not subscribe to the theory that the product which scans for the most signatures is necessarily the best, there may be environments where users must have the assurance that they are actually able to scan for every known virus identified. I use the word "scan" rather than "detect" since the vast majority of users simply cannot independently confirm the effectiveness of scanning programs.

c. The product is available on an "AS IS" basis. Therefore, a user should not expect direct technical assistance. This really should not present a problem if one has access to the Internet.
Through the Internet a user can contact a variety of reliable and technically qualified persons within IBM and without on any problems or questions generated by the product.

7. Comments: Fred Cohen's original paper on his first computer virus experiments concluded that detection of viruses by their appearance or behavior was "undecidable". Yet seven years after the publication of his work, detection of viruses by their appearance and behavior remains the most common form of viral defense for the MS-DOS environment. I continue to advocate the stockpiling of more than one virus defense product and to hope that the next generation of defenses would look beyond just the attributes of appearance and behavior. In this regard I direct your attention to a paper by Ms. Catherine L. Young published in the proceedings of the NCSC/NIST annual security conference several years ago, and which I have referenced in the past: "Taxonomy of Computer Virus Defense Mechanisms".

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   DATE            PRODUCT
PT-3                  November 1989   VIRUSCAN (Revised February 1991)
PT-4                  December 1989   DATA PHYSICIAN
PT-11                 June 1990       ANTI-VIRAL SEARCH, 2.23 (Revised February 1991)
PT-12                 June 1990       VIRUCIDE (Revised February 1991)
PT-17                 August 1990     F-PROT (Revised February 1991)
PT-23                 March 1991      VIREX-PC
PT-28                 February 1991   NORTON ANTIVIRUS (Revised 12 February 1991)
PT-36                 in process      CENTRAL POINT ANTI-VIRUS