Date: Wed, 14 Aug 91 12:28:26 MDT
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Product Test - - TbScan

*******************************************************************************
                              PT-39  August 1991
*******************************************************************************

1. Product Description: TbScan is a copyrighted program written to detect computer viruses and malicious programs for MS-DOS environments.

2. Product Acquisition: The program documentation states that TbScan "can be used for free in non-commercial organisations and by private users. Government and commercial organisations have to register the usage of TbScan". There is a registration form included which describes costs, to include multiple copy acquisitions. Frans Veldman is the program author. The documentation gives the following address for more information: ESaSS B.V, P.O. Box 1380, 6501 BJ Nijmegen, The Netherlands. The author has registered the copyright and made the program available on many bulletin boards and software repositories, to include the MS-DOS repository on simtel20 [192.88.110.20]. The current path on simtel20 is pd1:tbscan28.zip. On simtel20 the number "28" in the zipped file denotes version 2.8. One will also require a virus signature data file supplied by Jan Terpstra. The path on simtel20 is pd1:vs910731.zip. This denotes a signature file of 31 July 1991. Since the signature file is updated frequently, users should recognize that the path can change.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

   a. I acquired version 2.2 through version 2.8 from the simtel20 repository.

   b. Product tests occurred on the following system: Unisys 286 PC, Model 3137, MS-DOS 3.10, 512K. The test period extended from April through August 1991.

   c. Version 2.8 with the most current signature file available contains viral definitions for 317 known viruses, variations and malicious programs. The program claims to identify 82% (i.e., 24 out of 29) of those viruses characterized as "common" by Patricia Hoffman in her Hypertext Virus Summary List, 25 Jul 91. If I have erred in this analysis, it results from the specific naming conventions that the program uses for its list of malicious code.

   e. Although I do not have code for all the malicious programs which TbScan claims to detect, it did identify the 60+ viruses, variations, and trojan horses in my possession. I did note one anomaly for which I have no explanation. When I scanned a disk with two .com files infected with the Liberty virus, the program only identified one of the files as infected. I used every logical option available and never received an alarm on the second file. What makes this puzzling is that both infected files were obtained from the same system. McAfee Associates' Viruscan, Skulason's F-PROT, the Norton Anti-Virus, and Microcom's Virex-PC all alarmed on both .com files.

   f. One invokes the program by the syntax "TBSCAN [path] [options]" or for example "TBSCAN c:\". By default the program will scan memory, the boot sector/partition table, and files with known executable extensions, such as .com, .exe, and .sys. The more significant options include switches to scan a specified directory or file; to scan all files without regard for extensions; to log the results of a detection operation in a log file; to scan all sectors of a specified disk; and to scan multiple diskettes.

   g. I tested all these options which functioned as described in the documentation file. There were no conflicts against the detection portion of these programs: Viruscan, Avsearch, Virucide, F-PROT, Virex-PC, ViruSafe, Norton Anti-Virus, IBM Anti-Virus Product, VIRx, and Central Point Anti-Virus. There were false positives for the Cascade and DataCrime II viruses under the sector scan option of my hard drive. I also received numerous false positives when scanning those files which TbScan interpreted as compressed either with EXEPACK or with LZX. This latter development only occurred with the most current signature data file. Previous signature files had never resulted in alarms. The documentation for the July 1991 signature file contains this entry: "Added signatures for exe/com file compressors (Tnx Edwin Cleton)". It seems logical that these additions were responsible.

      Two nice features were: (1) The program scanned hidden files and marked them as such. (2) The program did not automatically overwrite or delete log files. So, if a user continues to utilize the log option, he or she will have the results of each detection operation appended to the default log file. The user may also specify a name for the log file.

5. Product Advantages:

   a. TbScan appears to provide good detection capabilities for those malicious programs it recognizes.

   b. The program syntax is simple with a variety of options for more experienced users.

   c. The program contains lengthy documentation files which describe many of the mechanics behind its design and operation.

   d. Updating of the signature data file occurs on a frequent basis.

   e. The authors of the program have established credible reputations for their work.

6. Product Disadvantages:

   a. TbScan is a detection program only. Users will need some other program for disinfection and prevention capabilities.

   b. There is naturally no formal technical support for the product. While it is possible to contact the authors, formal technical support would require a user to acquire the commercial version of the product.

   c. The licensing agreement makes a clear distinction between private users and those in the commercial and government sectors. Users must be careful to observe those requirements to legally distribute and utilize the program.

   d. The documentation on program design can be overkill for the normal user. I have to admit that I did not fully understand the discussion on checking, tracing and analyzing.

   e. Though the authors update the program, version 2.8 through July 1991 identified only 317 malicious programs. The number of malicious programs detected may be an important criterion for certain users or organizations.

   f. Acquisition of the program over Internet or bulletin board systems may be inconvenient.

7. Comments: The National Computer Security Association has issued a report "Virus Scanners: An Evaluation", dated March 4, 1991. The report evaluates an earlier version of TbScan. While it would be unfair to make a direct comparison, a reader can obtain additional confirmation of its detection capabilities and other features. Robert Slade has also posted his review of the product to the Virus-L repository on cert.sei.cmu.edu [192.88.209.5]. The authors of TbScan have a shareware memory resident version of TbScan called TbScanX which uses the same virus signature data file. There is finally a hardware implementation known as Thunderbyte.

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   DATE            PRODUCT
PT-3                  November 1989   VIRUSCAN (Revised February 1991)
PT-5                  December 1989   VIRUS BUSTER
PT-11                 June 1990       AVSEARCH, 2.24 (Revised February 1991)
PT-12                 June 1990       VIRUCIDE (Revised August 1991)
PT-17                 August 1990     F-PROT (Revised May 1991)
PT-23                 March 1991      VIREX-PC (Revised May 1991)
PT-24                 July 1991       VIRUSAFE
PT-28                 February 1991   NORTON ANTIVIRUS (Revised February 1991)
PT-34                 April 1991      IBM ANTI-VIRUS
PT-36                 June 1991       CENTRAL POINT ANTI-VIRUS
PT-41                 July 1991       VIRX (Revised August 1991)