Date: Fri, 19 Jul 91 15:50:34 MDT
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revision to the Revised Product Test on SAM

******************************************************************************
                                    PT-20
                               November 1990
                             Revised July 1991
******************************************************************************

1. Product Description: Symantec AntiVirus for Macintosh (MAC) is a commercial software program for the prevention, detection, and elimination of viruses for the Macintosh.

2. Product Acquisition: SAM is available from Symantec Corporation, 10201 Torre Avenue, Cupertino, CA 95014-2132 for $99.95. However, there are several mail order services which offer a single copy of the product at a reduced cost. Symantec's telephone number is 408-253-9600.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil; and Robert Thum, Systems Administrator, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-7739, DDN: rthum@simtel20.army.mil.

4. Product Test:

   a. I obtained a copy of SAM, Version 2.0, in October 1990 from MacWarehouse in Lakewood, NJ for $67.00. I have previously purchased software from this source with satisfactory results. I upgraded to version 3.0 for $25.00 in March 1991 directly from Symantec.

   b. I tested the product on a Macintosh SE, Macintosh II, and Macintosh Portable. SAM works on the following Macintosh computers with Macintosh System File version 6.0 and Finder version 6.1 or later: Macintosh 512Ke, Macintosh Plus, Macintosh SE, Macintosh SE/30, Macintosh II, Macintosh IIx, Macintosh IIcx, Macintosh IIci, and Macintosh Portable, as well as on the three recently announced low cost MACs.
SAM works with all floppy disks (single-sided, double-sided, or high density), hard disks (SCSI and non-SCSI), removable hard disks, volume partitions, and any volume on a network. SAM supports both the MFS and HFS file systems. Version 3.0 is System 7.0 compatible.

   c. The program has two primary components: (1) SAM Intercept; and (2) SAM Virus Clinic. SAM Intercept is the prevention program. SAM Virus Clinic is the viral detection and disinfection program.

   d. I ran the SAM Virus Clinic first on the test systems. The detection program launches by double-clicking on its icon. The Virus Clinic window has three main areas:

      (1) The Mounted Volumes Area displays the volumes currently mounted by your system. The area can display ten different volumes at one time.

      (2) The Results Area displays the results of scanning the files, folders, and volumes. It also alerts the user to any infected or irregular file.

      (3) The Progress Indicator Area displays the progress during a scan, from 0% to 100%.

   e. There are three types of warning which SAM Virus Clinic may issue. The first type of warning is the infection warning. If SAM detects any virus-infected file on the volumes scanned, it displays a virus alert dialog box and issues an infection warning in the Results Area for each infected file. The warning contains the name of the file, the folder in which it resides, the virus it is infected with, and the date/time it was last modified. The second type of warning is the virus-like resource warning. A virus-like resource is a "resource of the same type as a predefined viral resource, such as nVIR." Files containing virus-like resources may be infected by a new clone of the virus, or they may be immunized with a virus inhibitor. The third type of warning is the anomaly warning. When SAM detects something irregular in a file, such as an INIT in a non-startup file, it issues the anomaly warning. While an anomaly is not necessarily a virus, the user has the option to investigate.

   f.
SAM Virus Clinic supports a number of options for scanning operations. There are Basic, Intermediate, and Advanced scanning configurations available to the user. I confined my tests to the Basic and Intermediate configurations. At the Advanced configuration a user may activate a "checksum" feature to derive a checksum for each file scanned. Upon subsequent scanning operations SAM compares the result of a new checksum operation against the previously stored result. If the values do not match, this fact is noted in the Results Area.

   g. All Virus Clinic scanning operations performed as described in the user's manual. While I did not have actual Macintosh viruses to test against, Mr. Thum has confirmed its detection features for all known MAC viruses and trojan horses.

   h. SAM Intercept is a combination INIT (Initialization Program) and cdev (Control Panel Device). The INIT portion intercepts all suspicious activity, displays the SAM Intercept alerts, and records instructions for dealing with such activity. The cdev portion allows an individual user to configure specific aspects of SAM Intercept's protection, such as when to scan files, folders, and volumes. Version 3.0 allows a user to launch Virus Clinic directly from SAM Intercept.

   i. Mr. Thum has extensive experience with SAM Intercept's ability to detect "suspicious" activity, particularly in reference to known malicious software such as viruses and trojan horses. He evaluates this component highly.

   j. When the Intercept program alerts a user that suspicious activity is about to occur, the screen flashes at ten second intervals. The alert normally contains these lines of information: line one tells the user what type of activity is being attempted; line two shows the name of the file or disk being affected; and line three identifies the application that is currently active. The user must respond to the alert by clicking on the Allow, Deny, or Learn button.
Allow permits the particular activity to occur this time only. Deny prevents the current attempt from taking place. Learn permits the current attempt to take place, and enters this particular attempt into an Exceptions List. The Exceptions List will allow a user to avoid future Intercept alerts when the same activity is about to occur.

   k. The user has the option to configure SAM Intercept through the cdev portion. There are four levels of protection: Basic, Standard, Advanced, or Custom. SAM Intercept monitors twelve different types or categories of "suspicious" activity through which all currently known viruses infect files. The user's manual describes each of these categories. The default is Standard. At the Advanced and Custom levels one should have a technical understanding of one's Macintosh and really know what he or she is doing.

   l. SAM Intercept has three audit trail options: none, viruses only, and all SAM Alerts. If a user selects audit trails, then the log contains the type of alerts, the times, and the user's responses. The log is saved as a text file in the System Folder.

   m. I did not evaluate the "protection options" under the SAM Virus Clinic component. This protection is different from that provided by SAM Intercept. Essentially a user has the option to inoculate specific files with varying degrees of protection. When a user opens an inoculated file, SAM Intercept recomputes the data and compares it to the original data written by SAM Virus Clinic. If the data matches, the file is assumed to be fine. If the data does not match, SAM Intercept issues an alert. There are three protection options:

      (1) Basic protection inoculates applications and startup documents. Inoculation adds specific, code-dependent data to the protected files.

      (2) Intermediate protection inoculates applications and startup documents, but also protects the CODE resource in the file with a write-protect attribute.
      (3) Advanced protection inoculates applications and startup documents, protects the CODE resource with a write-protect attribute, and locks the file to prevent any modification to any part.

   I lack the technical qualifications to test these options. It is evident that generally files do not modify their own code. Therefore, modification may be a good indication of a viral infection. The user's manual suggests that inoculating files is a strategy to address "new" viruses. But inoculation requires a user to choose a protection option and to decide which files will be protected. This may be too demanding for many users. At the Advanced protection option the user has to know exactly what each application does.

   n. Version 3.0 adds these features:

      (1) Automatic disinfection of desktop files (reference viruses or strains of WDEF, INIT 29, and CDEF)
      (2) Separate virus definition file to simplify updates
      (3) Faster scanning speed
      (4) Ability to scan drives directly from SAM Intercept
      (5) SAM Intercept Junior for users with limited disk and memory space
      (6) Compatibility with System 7.0

5. Product Advantages:

   a. The effectiveness of SAM to detect known computer viruses and other malicious software and to alert on suspicious activity has verification from many sources.

   b. The user's manual is an excellent document, particularly in its description of the various user-defined configuration options.

   c. Technical support is available for registered users.

   d. The user has the option to "Add" virus definitions for both the Virus Clinic and the SAM Intercept components. This means that as new viruses or malicious programs appear it is not necessary to pay an additional fee to upgrade SAM. The vendor has several options for users to receive the necessary information to upgrade themselves at no cost. Adding a definition is simple. Version 3.0 with its separate virus definition file simplifies this procedure.

   e. At startup SAM checks itself for modifications.
At shutdown a routine part of SAM Intercept's virus protection is a series of integrity checks. Both operations result in an Infection Alert if there has been some change.

6. Product Disadvantages:

   a. The sheer number of protection features demands that management decide what options will or will not be utilized. Unfortunately "management" may be ill-equipped to make such decisions unless someone in the organization is familiar with SAM's components and can provide technical assistance to allow an informed decision.

   b. The variety of protection options for both of SAM's components will require user training. There are few Macintosh users, and I include myself, who know enough about system software and applications to understand the actual theory behind what constitutes "suspicious" activity. While SAM's default protection settings may be appropriate for most, there probably are environments where Advanced and Custom levels of protection will be advantageous. In those instances a formal user training program would be essential.

   c. "SAM Virus Clinic cannot scan files that have been compressed or packed. This includes files that have been compressed by backup programs such as FastBack, and files that have been compressed by programs such as Stuffit or Packit." (reference SAM User's Manual)

7. Comments: Those familiar with Fred Cohen's original paper on computer viruses, "Computer Viruses: Theory and Experiments", should be struck by how SAM builds its protection options on several of the "undecidable problems" which appear at the end of the paper. It is interesting that all three major Macintosh commercial virus protection programs (i.e., SAM, VIREX, RIVAL) have adopted similar philosophies on design. There is at least INTERNET discussion which suggests that the vendors of SAM and VIREX, along with the author of DISINFECTANT, share information for their mutual benefit, and ultimately I would think for the benefit of the user.
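The "checksum" option in 4.f, the inoculation scheme in 4.m, and the self-check in 5.e are all instances of one design: record a value derived from a file's contents, recompute it later, and alert on any difference. The program below is an added example written for this product test, not SAM's code or anything published by Symantec. The digest algorithm (SHA-256), the JSON record, the HMAC seal on the stored record, the directory names and the file contents are all constructed here for illustration; the user's manual does not say how SAM derives or stores its checksums or inoculation data.

```python
# Added example (not SAM's code): a file-integrity baseline of the kind that
# SAM Virus Clinic's Advanced "checksum" option and its inoculation of
# application files implement. Digest algorithm, storage format and the HMAC
# seal on the stored baseline are this example's own choices; the manual does
# not say how SAM computes or stores its checksums.
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 65536


def file_digest(path: Path) -> str:
    """SHA-256 of a file's bytes, read in chunks so large volumes are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def seal_baseline(baseline: dict, key: bytes) -> bytes:
    """Serialize the baseline and append an HMAC so the stored record cannot be
    rewritten along with the files it describes (the same concern SAM addresses
    by checking itself for modifications at startup)."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_baseline(blob: bytes, key: bytes) -> dict:
    """Verify the HMAC before trusting the stored baseline; raise on mismatch."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline record has been modified")
    return json.loads(body)


def verify(root: Path, baseline: dict) -> dict:
    """Rescan and classify files against the baseline: a changed digest is the
    infection signal, an unknown file the anomaly, a missing file a deletion
    the baseline did not expect."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "new": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
        "unchanged": sorted(k for k in baseline if current.get(k) == baseline[k]),
    }


def demo() -> dict:
    """Constructed volume: baseline it, then alter one application the way a
    file infector changes its CODE resource, and drop one unknown file."""
    key = b"constructed-demo-key"  # in practice kept off the scanned volume
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Applications").mkdir()
        (root / "Applications" / "Editor").write_bytes(b"CODE 0: editor bytes")
        (root / "Applications" / "Paint").write_bytes(b"CODE 0: paint bytes")
        (root / "System Folder").mkdir()
        (root / "System Folder" / "Finder").write_bytes(b"CODE 0: finder bytes")

        stored = seal_baseline(build_baseline(root), key)

        # Simulated infection and dropped file (constructed, not a real sample).
        (root / "Applications" / "Editor").write_bytes(b"CODE 0: editor bytes + appended code")
        (root / "Applications" / "Dropper").write_bytes(b"unknown new file")

        report = verify(root, open_baseline(stored, key))

        # A one-bit change to the stored record must be refused by the seal.
        tampered = stored[:-1] + bytes([stored[-1] ^ 1])
        try:
            open_baseline(tampered, key)
            report["seal_ok"] = False
        except ValueError:
            report["seal_ok"] = True
        return report


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints the modified, new, missing and unchanged files from the constructed volume plus whether the tampered record was refused. The seal is the part worth noting: a checksum store that the same code which altered the files can also rewrite detects nothing, which is why the key here is described as living off the scanned volume and why SAM's own startup self-check (5.e) matters as much as the per-file comparison.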
The "public persona" of the Macintosh vendors stands in marked contrast to some of their counterparts in the MS-DOS vendor community. While continuity of operations is an important consideration, redundancy of software options in the Macintosh world is facilitated by the design of available commercial products, which has been greatly determined by the system platform. There are also robust shareware programs, such as GateKeeper and VirusDetective, which can complement any information system security effort.

Version 3.0 with user-added definitions identifies these malicious programs as of July 1991: Anti (A & B), Init 29, Scores (A & B), nVirA, nVirB, MacMag, WDEF, Zuc (A, B, C), MDEF (A, B, C, D), CDEF, Frankie, Dukakis, HC Virus, Mosaic*, Font Finder*, Steroid*, Virus Info*.

   * = Trojan Horse

FOR FURTHER REFERENCE:

   PRODUCT TEST NUMBER   DATE           PRODUCT
   PT-9                  January 1990   DISINFECTANT (Revised July 1991)
   PT-10                 March 1990     VIREX (Revised July 1991)
   PT-30                 May 1991       VIRUSDETECTIVE

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]