Date: Fri, 4 Oct 91 15:08:41 MDT
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Update to Product Test on Norton AntiVirus, version 1.5

*******************************************************************************
PT-28                                        February 1991
                                             Revised October 1991
*******************************************************************************

1. Product Description: Norton AntiVirus is a virus protection utility for the IBM PC and its compatibles. The product includes virus detection, disinfection, and protection. This revision addresses version 1.5.

2. Product Acquisition: Norton AntiVirus is available from Symantec Corporation, Peter Norton Group, 10201 Torre Avenue, Cupertino, CA 95014-2132. The retail price is $129.95, but there are numerous secondary sources whose single-copy prices have ranged from $78.00 to $83.00 in trade publication advertisements. Site licenses are also available.

3. Product Testers: Chris McDonald, Computer Systems Analyst, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I acquired version 1.0 in December 1990 for $83.00 from Telemart in Phoenix, Arizona. As a registered user, I received a free upgrade to version 1.5 from Symantec Corporation in September 1991.

b. Product tests occurred on the following systems: (1) Unisys PC, Model 3137, MS-DOS 3.10, 512K; (2) Zenith PC, Model 248, MS-DOS 3.30, 640K; and (3) Gateway PC, Model 2000, MS-DOS 3.30, 1MB. The minimum hardware and software configuration is an IBM PC, XT, AT, PS/2 or 100% compatible with 384K of RAM and DOS 2.0 or higher. Version 1.5 is Windows 3.0 compatible and network compatible, including Novell NetWare 286 and 386, 3COM, and OS/2 LAN Server.

c. Norton AntiVirus attempts to offer a comprehensive solution to the problem of malicious software, in particular the computer virus. The product has two primary components: Virus Intercept and Virus Clinic.
Virus Intercept is a Terminate-and-Stay-Resident (TSR) utility that loads into memory when the user starts the PC. The TSR attempts to prevent viruses from infecting the system and to alert the user to a potentially infected program before it executes. Virus Clinic is the detection and elimination component, which scans for known and unknown viruses. Although other products offer detection and disinfection of "known" malicious software, Norton AntiVirus proposes to provide protection against "unknown" malicious code through the Advanced Scan option. If the user chooses this option, the Virus Clinic portion of Norton AntiVirus creates a checksum file for each program file that gets executed, such as .EXE files, in two instances: when files are scanned, and when the user starts a software program for the first time. Once a checksum file exists, Virus Clinic notifies the user of any change during subsequent scans. If the user also installs the Virus Intercept portion, the user receives notification of any checksum change before the program starts. Version 1.5 offers three versions of Virus Intercept with varying capabilities: the original (approximately 36K), a 4K version, and a 1K version.

d. Version 1.5, as of 2 October 1991, contains viral definitions for 326 known viruses with a total count of 902 malicious strains. Norton AntiVirus claims to identify 100% (i.e., 32 out of 32) of the viruses characterized as "common" by Patricia Hoffman in her Hypertext Virus Summary List of 22 August 1991.

e. Virus Clinic scanning and disinfection is menu-driven, with help screens at every option. The main menus are Scan, Definitions, Options, Exit and Help.

(1) Scan allows the user to select the drive, directory, and/or file to scan.
(2) Definitions allows the user to view the list of malicious programs identified by the shipped version of Norton AntiVirus and to add virus definitions supplied through the 24-Hour Virus Newsline, the Symantec BBS, an on-line FAX system, or CompuServe. Version 1.5 now lists how many unique virus strains can be detected; this statistic is updated automatically whenever the user installs a new definition.

(3) Options allows the user to configure Virus Clinic and Virus Intercept to individual preference. The user has the option to password protect all configuration options; the password can be from 4 to 15 characters. Version 1.5 permits the user to scan only executable files (.com, .exe, .ov-, .sys, .drv).

(4) Exit returns the user to DOS.

(5) Help allows the user to receive assistance by selecting from index topics.

f. I used the install program to load Norton AntiVirus. Installation of Virus Clinic and Virus Intercept takes about a minute. Since the Virus Intercept component requires a modification to the system's config.sys file, and since the access control package on the test systems (PC-Vault) also modifies config.sys, I aborted the part of the automatic installation that would have modified config.sys and manually inserted the Virus Intercept device statement to activate the TSR program.

g. Although I do not have code for all the malicious programs which Norton AntiVirus claims to detect and prevent, it did identify and block the 80+ viruses in my possession, which include approximately 40% of the so-called "common" viruses. I have read three additional product reviews which independently comment on the strengths and weaknesses of the product:

(1) PC/COMPUTING, "Be Smart: Use Norton AntiVirus To Protect PCs Against Viruses", pp 37-38, January 1991.

(2) PC WEEK, "Norton AntiVirus Battles 142 Threats With Three Methods", pp 30 and 35, January 7, 1991.
(3) "Virus Scanners: An Evaluation", National Computer Security Association, March 4, 1991.

The third reference is by far the most credible and informative. Readers should be advised that the NCSA evaluation addresses version 1.0.0; many issues raised in that evaluation appear to have been addressed in version 1.5.

h. The Virus Clinic component has an attractive presentation while scanning. The user sees the directory/file under examination and a running bar graph of the percentage of the selected material scanned so far, and has the option to cancel scanning at any time. I configured the component to maintain an audit trail of scanning activity and successfully printed the output.

i. The repair capability within Virus Clinic is menu-driven and extremely fast. While Virus Clinic could identify infections in 61 test files, it could not repair every test file. Certain viruses cause irreparable harm to their infected host files; in those instances, deletion of the infected host is the only option. The documentation addresses this issue.

j. The Virus Intercept component, or TSR utility, loads automatically when the system boots, assuming of course that the user has properly configured config.sys. Virus Intercept checks for the presence of known viruses whenever a file is copied or executed. If a virus is detected, the utility presents an audible and visual warning alarm. The audible alarm, which can be disabled under the Options menu, is particularly loud and siren-like. The warning message identifies the suspected infected file and the strain of virus. The user has the option either to stop the execution of the potentially infected file or to proceed with the execution. The TSR alarmed as advertised during my tests, but I must qualify that the malicious code in my possession is limited. Any certification of 100% effectiveness is beyond my capabilities.

k.
The Virus Intercept component, if the user enables the Advanced Scan option in Virus Clinic, appears to offer protection against "unknown" malicious code and file modifications. The Advanced Scan option creates a hidden checksum file for each program file that is scanned. The checksum file stores information about each software program file. If the checksum changes, or if the user attempts to execute a program for which no checksum exists, Virus Intercept uses the checksum file to issue an alert message. For a file which has not been checksummed or "inoculated", the user has the options to PROCEED, INOCULATE, or STOP the execution. For a file whose checksum has changed, for whatever reason, the user has the options to PROCEED, REINOCULATE, or STOP. I tested both options successfully.

l. The issue is that a "change" does not in itself confirm the presence of a computer virus or of malicious code. It is important to remember that a change in checksum is detected under two separate conditions:

(1) The user does a Scan of a file for which a checksum exists.

(2) The user has installed Virus Intercept and then starts a program.

It is therefore possible to detect a change in checksum without installing Virus Intercept: a user may choose simply to scan more frequently, or to include the scan command in autoexec.bat. But if one does not install Virus Intercept, one sacrifices the ability to prevent infections by known viruses. In either case the checksum capability depends upon the user configuring Norton AntiVirus for the Advanced Scan option.

m. I was unable to test the network support features of Norton AntiVirus because we currently have no such networks at my activity.

5. Product Advantages:

a. Norton AntiVirus provides a comprehensive approach to malicious code protection in one program.

b. The automatic installation program and menu-driven screens are easy to use.
Norton AntiVirus can be configured to run under Norton Utilities, a feature which I tested during the evaluation of version 1.5.

c. The ability to add viral definitions by downloading them from a variety of sources provides an alternative to costly upgrades. I successfully tested both the telephone Virus Newsline and the FAX service.

d. Peter Norton and Symantec Corporation have good reputations for quality products and customer support. Symantec already produces one of the best integrated virus defense products for the Macintosh environment (see PT-20, Symantec AntiVirus for Macintosh). The free upgrade from version 1.0 to 1.5 was an example of such support.

6. Product Disadvantages:

a. The cost of the product may discourage many users who are already on tight budgets. Even if one pursued a site license agreement, the risk management assessment may not support such protection for every PC within the organization.

b. There have been instances where the program has issued a "false" positive alarm. This phenomenon is not unique to Norton AntiVirus, but rather illustrates a generic disadvantage of detection programs.

7. Comments: Fred Cohen's original paper on his first computer virus experiments concluded that detection of viruses by their appearance or behavior was "undecidable". Yet seven years after the publication of his work, detection of viruses by their appearance and behavior remains the most common form of viral defense for the MS-DOS environment. Norton AntiVirus provides the mechanisms to monitor attributes of change and to recognize a virus by its appearance. It also has an intrusion detection capability through the Advanced Scan option and the Virus Intercept component.

Symantec's initial registration documentation indicated that users would receive notification of additional viral definitions through postal mail channels. That procedure was, to the best of my knowledge, never implemented.
Therefore, a user must periodically consult one of the distribution sources to determine whether new definitions exist.

I continue to recommend stockpiling more than one virus detection program for contingency purposes and to resolve potential false alarms.

One would hope that the next generation of defenses would look beyond just the attributes of appearance and behavior. In this regard I direct your attention to a paper by Ms. Catherine L. Young published in the proceedings of the NCSC/NIST annual security conference several years ago, "Taxonomy of Computer Virus Defense Mechanisms".

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   DATE             PRODUCT
PT-3                  November 1989    VIRUSCAN (Revised September 1991)
PT-4                  December 1989    DATA PHYSICIAN
PT-5                  December 1989    VIRUS BUSTER
PT-11                 June 1990        ANTI-VIRAL SEARCH, 2.24 (Revised February 1991)
PT-12                 June 1990        VIRUCIDE (Revised August 1991)
PT-17                 August 1990      F-PROT (Revised May 1991)
PT-23                 March 1991       VIREX-PC (Revised May 1991)
PT-24                 July 1991        VIRUSAFE
PT-34                 April 1991       IBM ANTI-VIRUS PRODUCT (Revised September 1991)
PT-36                 June 1991        CENTRAL POINT ANTI-VIRUS
PT-41                 July 1991        VIRX (Revised August 1991)
PT-43                 September 1991   SEER

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
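The two mechanisms described in sections 4.c, 4.j, 4.k and 4.l above, signature matching against a definition list ("appearance") and checksum inoculation of program files ("change"), reduced to a small Python model. This is an example added for this page; it is not Symantec's code and not a reconstruction of the product's internals. The virus signatures and file bodies are constructed, the executable-extension filter follows section 4.e(3) with ".ov-" read as an overlay wildcard (an assumption), and SHA-256 stands in for whatever checksum the product actually used, which the page does not specify.

```python
"""Toy model of the Norton AntiVirus 1.5 checks described in 4.c, 4.j, 4.k
and 4.l.  Written for this page; not Symantec's code.  Every signature and
file body is constructed, and SHA-256 is a stand-in for the product's
unspecified checksum (a hypothetical choice)."""
import hashlib
import os

# Section 4.e(3) "executables only" filter.  ".ov-" on the page is read here as
# an overlay wildcard (.ovl, .ovr, ...); that reading is an assumption.
EXECUTABLE_EXT = {".com", ".exe", ".sys", ".drv"}

def is_executable(name):
    ext = os.path.splitext(name)[1].lower()
    return ext in EXECUTABLE_EXT or ext.startswith(".ov")

class Definitions:
    """Known-virus definitions (4.e(2)): strain name -> byte signature."""
    def __init__(self):
        self._sigs = {}
    def add(self, strain, signature):
        self._sigs[strain] = signature          # e.g. a definition from the Newsline
    def strain_count(self):
        return len(self._sigs)                  # the "unique strains" statistic
    def match(self, data):
        # Recognition "by appearance": every strain whose signature occurs in the file.
        return sorted(s for s, sig in self._sigs.items() if sig in data)

class Inoculations:
    """Advanced Scan checksum store (4.c, 4.k): file name -> trusted checksum."""
    def __init__(self):
        self._db = {}
    @staticmethod
    def checksum(data):
        return hashlib.sha256(data).hexdigest()
    def status(self, name, data):
        stored = self._db.get(name)
        if stored is None:
            return "NOT_INOCULATED"
        return "UNCHANGED" if stored == self.checksum(data) else "CHANGED"
    def inoculate(self, name, data):
        self._db[name] = self.checksum(data)

def intercept(name, data, defs, inoc, advanced_scan=True):
    """What Virus Intercept would report before letting `name` start: strains
    found, checksum status, and the options offered to the user."""
    if not is_executable(name):
        return {"scanned": False, "strains": [], "checksum": None, "options": ["PROCEED"]}
    strains = defs.match(data)
    if strains:                                  # known virus: STOP or PROCEED (4.j)
        return {"scanned": True, "strains": strains, "checksum": None,
                "options": ["STOP", "PROCEED"]}
    if not advanced_scan:                        # no inoculation without Advanced Scan (4.l)
        return {"scanned": True, "strains": [], "checksum": None, "options": ["PROCEED"]}
    status = inoc.status(name, data)
    options = {"NOT_INOCULATED": ["PROCEED", "INOCULATE", "STOP"],
               "CHANGED": ["PROCEED", "REINOCULATE", "STOP"],
               "UNCHANGED": ["PROCEED"]}[status]
    return {"scanned": True, "strains": [], "checksum": status, "options": options}

def respond(name, data, report, choice, inoc):
    """Apply the user's choice from the alarm; True means the program may run."""
    if choice not in report["options"]:
        raise ValueError(f"{choice} is not offered for {name}")
    if choice in ("INOCULATE", "REINOCULATE"):
        inoc.inoculate(name, data)               # current contents become the trusted baseline
    return choice != "STOP"

def demo():
    """Walk a constructed program through the cases the page describes."""
    defs, inoc, out = Definitions(), Inoculations(), {}
    defs.add("Constructed-A", b"SIG-A:not a real virus")   # constructed signatures
    defs.add("Constructed-B", b"SIG-B:not a real virus")
    prog = b"MZ" + bytes(64) + b"clean program body v1"   # constructed .EXE image

    r = intercept("GOOD.EXE", prog, defs, inoc)            # first run: no checksum yet
    out["first_run"] = r["checksum"]
    respond("GOOD.EXE", prog, r, "INOCULATE", inoc)
    out["second_run"] = intercept("GOOD.EXE", prog, defs, inoc)["checksum"]

    prog2 = prog.replace(b"v1", b"v2")                     # a legitimate upgrade (4.l):
    r = intercept("GOOD.EXE", prog2, defs, inoc)           # alarm, but no virus
    out["after_update"] = (r["checksum"], r["options"])
    respond("GOOD.EXE", prog2, r, "REINOCULATE", inoc)
    out["after_reinoculate"] = intercept("GOOD.EXE", prog2, defs, inoc)["checksum"]

    infected = prog + b"SIG-A:not a real virus"            # known strain appended
    r = intercept("EVIL.COM", infected, defs, inoc)
    out["known_virus"] = (r["strains"], respond("EVIL.COM", infected, r, "STOP", inoc))

    out["data_file"] = intercept("NOTES.TXT", infected, defs, inoc)["scanned"]
    out["strains"] = defs.strain_count()
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The upgrade step is the point of section 4.l: the checksum alarm fires on any change, and REINOCULATE is how the user accepts an expected one. Two practitioner caveats follow from the model. A checksum store only protects files that were inoculated while clean; inoculating an already infected file records the infected state as the trusted baseline. And the "executables only" filter means a data file carrying the same bytes is never examined, which is a performance trade, not a safety one.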