Date: Thu, 18 Jul 91 15:06:43 MDT
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revised Product Test - Virex

******************************************************************************
PT-10 March 1990
Revised July 1991
******************************************************************************

1. Product Description:

VIREX is a commercial program which includes virus detection, virus treatment, and virus prevention. The program also identifies "major" Macintosh trojan horses. The current version is 3.5 as of July 1991.

2. Product Acquisition:

The product is available from Microcom, P.O. Box 51489, Durham, NC 27717. There are also several mail order software firms which market VIREX, generally at substantial savings for a single copy. Site licensing arrangements are available from the vendor.

3. Product Tester:

Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I obtained a copy of VIREX from MacWarehouse in July 1989. The purchase price at that time was about 30% below the manufacturer's suggested retail quote. The registration form received with the software gave one two options to obtain any future upgrades to the product. The first option was a $75.00 Annual Update Service. For this fee Microcom (then known as HJC Software) would provide automatic updates for a year. The second option was to purchase single updates for $15.00 upon notification of any VIREX new release. I chose the second option given that VIREX at version 2.0 identified and repaired all known Macintosh viruses as of that time. I wanted to build some historical knowledge as to the frequency with which updates might occur before committing myself to the automatic annual fee. I have subsequently purchased upgrades at the 2.1, 2.5, 3.0, 3.2 and now 3.5 versions.

b. VIREX is compatible with the Macintosh Plus, SE and II personal computers. Virex is compatible with the Macintosh System Software versions 4.1, 5.0, 6.0 and AUX. I have tested the product (Versions 2.0, 2.1 and 2.5) on both a Macintosh SE and on a Macintosh II. I have tested Version 3.0 and Version 3.2 only on a Macintosh IIcx. Version 3.5 guarantees full compatibility with System 7 and allegedly is in the mail to me. Since I have to complete evaluations on other programs which are not yet System 7 compatible, it will be some time before I upgrade my MAC. Therefore, I have chosen to revise this product test report rather than wait.

c. The documentation instructs a user to initially run VIREX from a 3 1/2" diskette formatted as a system disk with the write protect tab engaged. In this way one can minimize the potential for infecting a "clean" copy of VIREX prior to installation on a hard drive.

d. Double-clicking on the VIREX Icon launches the application. One then clicks on the Diagnose Icon to examine the hard disk for any infection. The Diagnose function checks for any known virus and for several trojan horses. It does not repair any infection and will not modify the files. One has the option to scan an entire hard disk, a server, a series of floppy disks, a single floppy disk, or an individual file. When one begins to diagnose a disk, a bar-graph will appear to show the progress of the run. One may cancel a run at any time by simultaneously pressing the Command key and the Period. When the diagnosis finishes, one can review the listing to see what VIREX found. One may print the report by selecting Print from the File menu.

e. I tested all the options. All tests were successful and provided the results described in the documentation. I was not able to test against all known viral or trojan horse code. However, numerous discussions on the INTERNET forum VIRUS-L attest to the effectiveness of the product.

f. If one detected an actual virus, then one would click on the Repair Icon. The VIREX documentation highlights the difficulty in repairing viral infection with this caution: "WARNING: A FILE BECOMES IRREVERSIBLY ALTERED DURING REPAIR, AND ON OCCASION CAN BE DAMAGED!" The documentation then goes on to recommend that, before attempting to repair a file that VIREX has diagnosed as infected, one return to the desktop and make a backup of that file onto a floppy disk. VIREX will ask for one's permission before repairing each infected file.

g. VIREX has two other application programs which address viral prevention. The first, VIREX INIT, works to prevent virus activity in two ways: (1) it examines diskettes for known viruses whenever you insert a disk into one of the disk drives; and (2) it examines files for known viruses every time you open a file. If a virus is present, the VIREX INIT will deny access to the disk or file before it has a chance to spread a virus. The VIREX INIT monitors the system in the background as an INIT type of program in the System Folder.

h. The second program, RECORD/SCAN, scans the selected disk or hard drive, and places a record of each file in a record file that resides either on your Desktop or in the System Folder. The record contains the following information about each file on the disk: file size, date of last modification, code resources that are present, and checksum analysis. Essentially, each RECORD/SCAN provides a picture of one's system at a particular point in time. Comparison analysis may then detect a change in the system which in turn may imply viral or malicious activity.

5. Product Advantages:

a. The program works as advertised. While viral detection by scanning techniques remains controversial, the methodology is effective for "known" viruses and trojan horses.

b. The free program support obtained with the license is a nice feature. I tried out the VIREX Help Hotline. My questions were not life-threatening, so I specifically stated that someone could call me back when the woman who answered the line informed me that all the support personnel were on other telephone lines. The woman thanked me because ten other callers had to have "immediate" answers.

c. The procedures to notify registered users of updates to the product are effective. My initial registration of version 2.0 resulted in a continuous stream of announcements on new releases and on information related to site licensing plans. Site licensing can result in a price of $25.00 to $30.00 per machine licensed, depending upon the option one chooses.

d. Version 3.0 finally allowed a user to add additional malicious code definitions without a mandatory subscription or upgrade charge. Unfortunately, Version 3.2, to specifically address the 3 Tunes (HC) HyperCard Virus, required a formal product update. Version 3.0 announced that registered users of Virex would receive an update card in the mail from Microcom whenever a new virus/trojan horse is discovered. The card will give the specific information necessary either to update the product or to add a viral signature. I have been unable to test this feature since the vendor forced an upgrade at Version 3.2, and did not identify any new code in its Version 3.5 upgrade notification.

e. VIREX incorporates viral detection and repair with viral prevention. The RECORD/SCAN application will provide some protection against "unknown" viruses by alerting one to changes in a system. Notwithstanding the debate over how robust the "checksum" procedure must be to actually deter a malicious viral or trojan horse author, the option theoretically provides an additional measure of software security.

6. Product Disadvantages:

a. Documentation is adequate, but for the price somewhat thin in the description of viruses, trojan horses, and specific "checksumming" techniques for RECORD/SCAN. For example, when I received version 2.5, which specifically added trojan horse detection, I did not receive any information on the trojan horses. While the INTERNET Virus-L forum has discussed the trojans, I think it possible that many registered VIREX users will not have access to Virus-L. The one page news release received with the update provided no technical information or any update to the VIREX User's Guide. I did receive a revised User's Guide with my upgrade to Version 3.0. That Guide has additional information on those malicious programs now detected.

b. Although Microcom has responded to the issue of costly upgrades by allowing users to add definitions with Version 3.0, a registered user would have had to invest $25.00 to obtain Version 3.0 in addition to the initial acquisition cost and any upgrades. I conclude that competition from other anti-viral vendors, who have offered the capability to add malicious code definitions, may have prompted Microcom to adopt a similar philosophy. For a large enterprise, site licensing and subscription services may be necessary.

c. There has been a noticeable increase in the delivery time of product upgrades. Usually two weeks was standard. Receipt of the last two revisions, however, has taken between 3 and 4 weeks.

7. Comments:

I would propose for continuity of operations planning that one should have more than one anti-viral package for Macintosh environments. There has been, for example, at least one Macintosh anti-viral vendor who has already bitten the dust. One currently can choose from three commercial vendors, supplemented by the public domain program DISINFECTANT and/or by several shareware programs such as VirusDetective and Gatekeeper, for comprehensive viral detection and repair. While there are many other public domain programs to detect and to repair known viruses, these with a few exceptions search for one or two viruses and related variants during a single pass. It is logical to use a single, comprehensive scanning program rather than run 3 or 4 to accomplish the same objective. The commercial programs and certain shareware programs also provide varying degrees of protection against "unknown" programs and potentially new malicious code. Interested users should refer to anti-viral software product reviews in the January 1990 edition of "MACWORLD" or in the August 1991 edition of "MacUser".

Version 3.2 will detect Scores, nVir and variants (Hpat, MEV#, AIDS, nFlu, J-nVIR, prod, nCAM), Init 29, ANTI, MacMag (Peace), WDEF and variants, ZUC-A, ZUC-B, MDEF and variants, Frankie, CDEF, Dukakis, ANTI-ANGE, ANTI-O, 3 Tunes (HC) HyperCard, Mosaic*, Steroid*, Fontfinder* and Virus Info*.

* = Trojan Horse

FURTHER REFERENCES:

PT-9 January 1990 DISINFECTANT (Revised July 1991)
PT-20 November 1990 SYMANTEC ANTIVIRUS FOR MACINTOSH (SAM) (Revised July 1991)
PT-30 May 1991 VIRUSDETECTIVE

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
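The RECORD/SCAN approach described in 4.h and 5.e, as an added example that is not part of the original report or of Virex itself: it builds a per-file record of size, modification date and digest, then compares a later snapshot against that baseline and separately flags the change a size-and-date-only comparison would miss. SHA-256 is a stand-in for the unspecified Virex checksum, and the two volumes are constructed sample data, not real files.

```python
"""RECORD/SCAN-style snapshot integrity check (added example, not Virex code).

Each entry records a file's size, modification date and a SHA-256 digest, which
stands in for the unspecified Virex checksum; a later snapshot is compared with
the baseline, so a change cannot be hidden by preserving size and date alone."""
import hashlib

def record(entries):
    """RECORD step: map path -> (size, mtime, sha256) from (path, data, mtime) tuples."""
    return {p: (len(d), m, hashlib.sha256(d).hexdigest()) for p, d, m in entries}

def compare(baseline, current):
    """SCAN step: classify each path relative to the baseline record.
    'silent-change' means contents changed while size and date did not,
    exactly the case a size/date-only record would miss."""
    report = {"added": sorted(current.keys() - baseline.keys()),
              "removed": sorted(baseline.keys() - current.keys()),
              "changed": [], "silent-change": []}
    for path in sorted(baseline.keys() & current.keys()):
        b_size, b_mtime, b_hash = baseline[path]
        c_size, c_mtime, c_hash = current[path]
        if b_hash == c_hash:
            continue  # contents identical; nothing to report
        key = "silent-change" if (b_size, b_mtime) == (c_size, c_mtime) else "changed"
        report[key].append(path)
    return report

# Constructed sample volume (not real files): path, contents, modification date.
BASELINE_VOLUME = [
    ("System Folder/System", b"system-code-v6.0.7", "1991-03-01"),
    ("Applications/TeachText", b"CODE 0 CODE 1 ...", "1990-11-15"),
    ("Applications/ResEdit", b"resource editor", "1990-09-02"),
    ("Documents/report.txt", b"Quarterly notes", "1991-06-30"),
]
# Later snapshot: one normal edit, one deletion, one new file, and one program
# whose code changed while its size and date were left exactly as before.
LATER_VOLUME = [
    ("System Folder/System", b"system-code-v6.0.7", "1991-03-01"),
    ("Applications/TeachText", b"CODE 0 CODE 9 ...", "1990-11-15"),
    ("Documents/report.txt", b"Quarterly notes, revised", "1991-07-10"),
    ("Documents/notes.txt", b"New document", "1991-07-18"),
]

def scan_report():
    """Run the comparison on the constructed volumes and return the findings."""
    return compare(record(BASELINE_VOLUME), record(LATER_VOLUME))

if __name__ == "__main__":
    for kind, paths in scan_report().items():
        print(f"{kind:14s} {', '.join(paths) or '-'}")
```

On a real volume the entries would come from walking the disk (and, on a Macintosh of the period, from the resource fork as well); the comparison logic is unchanged.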