Date: Fri, 18 Oct 91 08:44:28 MDT
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Product Test Report--Rival (Macintosh)

******************************************************************************
PT-44                                                            October 1991
******************************************************************************

1. Product Description: RIVAL is a commercial software program for the prevention, detection, and elimination of known computer viruses and trojan horses for the Macintosh.

2. Product Acquisition: Rival is available at a list price of $99.00 from Microseeds Publishing, Inc., 5801 Benjamin Center Drive, Suite 103, Tampa, Florida 33634. Their telephone number is 813-882-8635. The authors of the program are actually Frederic Miserey and Jean-Michel Decombe from France. Site licenses are available. There are also a variety of mail order companies which have recently advertised significantly reduced prices for a single copy.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I obtained a copy of Rival from MacConnection for $49.00 plus shipping in August 1991. The version received was 1.1.6. During the test phase I had the occasion to telephone Microseeds regarding certain characteristics of the program. Their technical representative answered my questions and volunteered to send me free of charge version 1.1.8. This product test addresses both.

b. I tested the product on a MACINTOSH IIcx running System 6.0.5 with an 80MB hard drive. Product documentation stated that Rival works on all Macintoshes running System 6.0 or later. Version 1.1.8 documentation claimed System 7.0 compatibility. The test period extended from 9 September to 16 October 1991.

c. The Rival User's Guide has a concise description of initial "disinfection" of one's system. Essentially one inserts the Rival disk, turns on the Mac, and then the Control Panel automatically opens to Rival. The user clicks on the "Analyze" button to initiate the detection sequence. When Rival completes the analysis, it reports the number of files checked, the total number of errors encountered, and plays a "melody". An "optimistic" melody denotes that it did not detect any malicious code. A "pessimistic" melody denotes an infected or damaged file. The User's Guide directs the reader to additional sections of the manual in the event of the latter result. Upon the successful completion of this operation a user installs Rival on the system's hard disk by simply dragging the Rival icon into the System Folder. Under System 7.0 Rival is kept in the Control Panels folder in the System Folder.

d. The program documentation identifies in a general sense those viral programs which Rival can detect and remove. Testing against actual Macintosh viruses and variations confirmed the effectiveness of the program and validated the documentation. The test samples included all known Macintosh viruses for which Rival claimed to have a "vaccine".

e. The program documentation identifies four specific trojan horses for which Rival has a vaccine: Font Finder, Mosaic, Steroid, VirusInfo. While test samples were not available, the performance against viral code leads me to have confidence that Rival's performance against these malicious programs is equally effective.

f. When one installs Rival on a hard disk, the program provides these protection features:

   (1) It checks files and applications as they are opened.

   (2) It checks for viruses run at startup.

   (3) It allows a user to initiate detection/disinfection operations against disks, files and folders.

   (4) It helps to prevent the unexpected initialization of any volume, excluding floppy disks.

g. I tested all these features which functioned as described in the documentation.
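The following is an added example, not code from this report or from Microseeds. It sketches, in Python, the shape of a user-initiated scan of a folder (feature (3) above): at startup it verifies its own "vaccine" table against a recorded digest, the kind of self-integrity check the report later credits Rival with in section 5.d, and for each detection it records the report fields section 4.j(3) says such a scanner should capture (path, creation and modification dates, type, size, and the name of the detection). Everything in it is an assumption made for illustration: the byte patterns are placeholders rather than real signatures, the sample files are constructed in a temporary directory, and the file extension stands in for the classic Macintosh type/creator codes.

```python
"""Added example (not Rival's code): minimal on-demand scanner with a
startup integrity check on its signature table and a per-detection report.
All patterns and sample files are constructed; none is a real signature."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed "vaccine" table: detection name -> byte pattern searched for
# in file contents.  Placeholders only.
VACCINES = {
    "EXAMPLE-A": b"EXAMPLE-INFECTION-MARKER-A",
    "EXAMPLE-B": b"EXAMPLE-INFECTION-MARKER-B",
}


def database_digest(vaccines):
    """SHA-256 over the sorted (name, pattern) pairs of a vaccine table."""
    h = hashlib.sha256()
    for name in sorted(vaccines):
        h.update(name.encode() + b"\0" + vaccines[name] + b"\0")
    return h.hexdigest()


# Digest recorded when the table was built.  A real product would keep this
# value apart from the table it protects (e.g. inside the program itself).
EXPECTED_DIGEST = database_digest(VACCINES)


def self_check(vaccines, expected=EXPECTED_DIGEST):
    """Startup integrity check: True only if the table is unmodified."""
    return database_digest(vaccines) == expected


@dataclass
class Finding:
    path: str
    created: str      # ISO 8601, UTC
    modified: str     # ISO 8601, UTC
    file_type: str    # extension as a stand-in for Mac type/creator codes
    size: int
    detection: str


def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def scan_file(path, vaccines=VACCINES):
    """Return a Finding if any pattern occurs in the file, else None."""
    with open(path, "rb") as f:
        data = f.read()
    for name, pattern in vaccines.items():
        if pattern in data:
            st = os.stat(path)
            # Birth time is only exposed on some platforms; otherwise fall
            # back to the inode change time and label it as such.
            birth = getattr(st, "st_birthtime", None)
            created = _iso(birth) if birth else "ctime:" + _iso(st.st_ctime)
            return Finding(path=path, created=created,
                           modified=_iso(st.st_mtime),
                           file_type=os.path.splitext(path)[1] or "(none)",
                           size=st.st_size, detection=name)
    return None


def scan_tree(root, vaccines=VACCINES, expected=EXPECTED_DIGEST):
    """Scan every regular file under root; returns (files_checked, findings).

    Refuses to run if the vaccine table fails its integrity check, because
    a tampered table cannot be trusted to detect anything.
    """
    if not self_check(vaccines, expected):
        raise RuntimeError("vaccine table failed integrity check; not scanning")
    checked, findings = 0, []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            checked += 1
            finding = scan_file(path, vaccines)
            if finding:
                findings.append(finding)
    return checked, findings


# Constructed sample tree: two clean files and one carrying marker A.
CLEAN_SAMPLE = b"just an ordinary document\n"
INFECTED_SAMPLE = b"header " + VACCINES["EXAMPLE-A"] + b" trailer"


def demo():
    """Build the sample tree in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "apps"))
        for rel, body in (("notes.txt", CLEAN_SAMPLE),
                          (os.path.join("apps", "Readme.txt"), CLEAN_SAMPLE),
                          (os.path.join("apps", "Game.app"), INFECTED_SAMPLE)):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    checked, findings = demo()
    print(f"{checked} files checked, {len(findings)} error(s)")
    for item in findings:
        print(item)
```

The scan deliberately completes the whole tree before reporting, which is the behaviour the report describes for Rival; a scanner that should pause or alarm on the first detection would return from inside the loop instead. Keeping the recorded digest outside the table it protects is what makes the startup check meaningful: if both live in the same file, whoever alters the table can simply recompute the digest.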
Testing of the protection against unexpected initialization was by design limited. Should such an attempt occur, Rival displays a dialog box informing the user of this fact. The user has the option to deny or to allow the operation. This feature does not alert a user in those cases where there is a deliberate choice of initialization, such as when one chooses "Erase Disk" under the Finder's Special Menu.

h. When installed on a hard disk, Rival places a square frame around the Apple menu in the menu bar to advise a user that it is active. If the frame does not appear, the documentation suggests that either Rival has been installed incorrectly, or its installed vaccines have been removed or corrupted. One also sees a startup icon which appeared to me as a blue piranha with upper and lower rows of teeth facing to the left. The comments on teeth and facing position have significance because this same icon appears in the Rival Control Panel window. If the user opens the Control Panel and sees that the icon is facing to the right, this indicates that the user deactivated Rival at startup. If the user opens the Control Panel and sees that the icon is facing to the left but has no teeth, this indicates that no vaccines are installed or that they are corrupted. One would expect the frame around the Apple menu to be absent as well in both instances.

i. One accesses the Rival Control Panel window by pulling down the Apple menu, choosing the Control Panel item, scrolling down to Rival's icon, and clicking once on it. The Control Panel window contains a central display area, several selector options, and a control button. The documentation describes each of these. There is also on-line documentation which a user can access by clicking once on the Help mode selector indicated by an icon in the shape of a life preserver.

j. I tested all of the selectors and control buttons which performed as documented. I did note the following:

   (1) Rival, when active at startup, interferes with the detection capabilities of Disinfectant, SAM, and Virex. Since I am an advocate for having at least two different programs for detection and disinfection of known malicious programs, I consciously installed all four of the programs on my system. After I had successfully confirmed that Rival detected my viral samples, I next ran each of the three other programs against the same samples. When I invoked each of these programs, however, Rival presented a dialog box informing me that the sample about to be scanned by the other program was infected. This box appeared before Disinfectant, SAM, or Virex had apparently completed their respective detection operations. The Rival dialog box offered two buttons: Stun and Repair. If a file is locked or on a write-protected disk, one only has the option to click the Stun button to continue. Rival's documentation states that "clicking the Stun button causes the virus to be disabled, but does not repair the infected file". When I clicked on the Stun button, this interfered with the ability of the other three programs to function properly. Where before all programs had shown a 100% detection effectiveness against 24 viral samples, these numbers changed dramatically. If I deinstalled Rival, or deactivated it during startup, all programs returned to their normal effectiveness. There was no interference with VirusDetective's detection capabilities, although VD ran very slowly with the constant Rival interrupts.

   (2) Version 1.1.6 correctly identified three different strains of the Zuc virus. The report mode created by Rival on the identifications had the notation: "This is a vacci . . . is still present." When I spoke with the Microseeds technical representative, he had no explanation for the notation. I had the impression that no one else had ever asked about that specific matter.
Version 1.1.8 identified the same three strains of the Zuc virus but omitted this notation in its report mode.

   (3) The documentation stated that Rival can capture additional information on a specific file infection, such as the file's path, its creation and modification dates, its type and creator signatures, the file's size in bytes, and the nature of the detected viruses or error. I was never able to actually capture all of this information under the report mode. The creation and modification dates, which might be used to track the source of an infection, never appeared. I could obtain such information from the test samples with Disinfectant, SAM and Virex. I have no explanation for the results on this point.

   (4) There is no way at the present time to print out the information captured under the report mode. This information is lost when one closes the Rival Control Panel window. The Microseeds technical representative suggested that the program's authors would address this in version 2.0.

5. Product Advantages:

a. Rival appears to detect known malicious programs.

b. Technical support is available for registered users.

c. A user may obtain new Rival vaccines in a variety of ways. One can download vaccines from the Microseeds BBS and from CompuServe; or one can subscribe for $50.00 to have new vaccines mailed directly. This subscription fee entitles a registered user to receive disks and documentation for each of the next six vaccines Microseeds releases. There is also an option by which Microseeds will distribute updates to authorized User Groups for distribution to registered users.

d. At startup Rival checks its own integrity and notifies the user if there is a problem.

6. Product Disadvantages:

a. Rival through version 1.1.8 only identifies and repairs what it knows as malicious. There are no features or options for addressing unknown or new malicious programs.

b. While the interference with other Macintosh detection programs can be avoided by deactivating Rival, program documentation does not speak to the problem. There is also the unresolved issue of how consistently Rival can capture certain information in the report mode. It may be that my experience during the test period was atypical.

c. The Rival Control Panel window icons are not as intuitive as they might be. While I recognize this is really a subjective opinion, the mode selector icons were particularly obtuse to me.

d. During a detection operation Rival does not alarm or pause when it encounters known malicious code. It rather completes the entire operation and sends the user to the report mode for actual results. An option to configure a more dramatic alarm or pause as the program detects malicious code would be a desirable feature.

7. Comments: Readers may consult two other published reviews on Rival for additional information: (1) "MacWEEK", 10 July 1990, pages 62-67; and (2) "MACWORLD", February 1991, pages 211-213. While both reviews discuss earlier versions of the program, they are still beneficial.

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   DATE            PRODUCT
PT-9                  January 1990    DISINFECTANT (Revised July 1991)
PT-10                 March 1990      VIREX (Revised July 1991)
PT-20                 November 1990   SAM (Revised July 1991)
PT-30                 May 1991        VIRUSDETECTIVE

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]