Date: Mon, 13 May 91 12:03:44 MDT
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revised Product Test - - VIREX-PC, version 1.20

*******************************************************************************
PT-23                                                    March 1991
                                                         Revised May 1991
*******************************************************************************

1. Product Description: Virex-PC is a software package to detect, disinfect and prevent computer viruses and malicious programs for the MS-DOS environment.

2. Product Acquisition: Virex-PC is available from Microcom Software Division, P.O. Box 51816, Durham, NC 27717. The telephone number is 919-490-1277. The price is $99.00. There are several third party vendors who sell single copies at a significantly reduced cost.

3. Product Testers: Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I acquired Version 1.0 in December 1990 for $70.00 from Telemart in Phoenix, Arizona. After I completed and mailed the registration card, Microcom shipped me Version 1.1a. I thought this was a good marketing strategy on their part, even though they were under no obligation to do so. In May 1991 I received Version 1.20 directly from Microcom. This was a surprise since I expected to have to pay for any upgrade and because I had not subscribed to their annual update service. A telephone conversation with a Microcom representative confirmed that the vendor had chosen to send out the upgrade to all registered users free of charge. I have no idea how long this will continue.

b. Product tests occurred on the following systems:

   (1) Unisys PC, Model 3137, MS-DOS 3.10, 512K; and
   (2) Zenith PC, Model 248, MS-DOS 3.30, 640K.

The minimum hardware and software configuration is as follows: an IBM PC/XT, IBM PC/AT, IBM PS-2 or 100% compatible computer using the PC-DOS (MS-DOS) 2.1 or later operating system with 30K of memory and a minimum of 512K recommended.

c. Virex-PC contains two separate programs: VPCScan and Virex-PC. The first program, VPCScan, identifies known viruses and can repair many common viruses. The second program, Virex-PC, is a terminate-and-stay-resident (TSR) program that provides detection and prevention features by continuous monitoring of PC activities. The TSR specifically alerts a user whenever the following occurs:

   (1) Attempts to format a disk
   (2) Attempts to write directly to a disk
   (3) Attempts by a program to terminate-and-stay-resident
   (4) Attempts to run a program that has not been "registered" with Virex-PC
   (5) Modification of a registered program's "checksum"
   (6) Attempts to perform an operation specifically prohibited by a user under customized protection

d. Version 1.20 contains viral definitions for 351 known viruses and variations. Clearly, if one only uses "total numbers" as the criterion for a scanning product, McAfee's VIRUSCAN, Skulason's F-PROT and Central Point's ANTI-VIRUS have the edge (see the other respective product tests on these programs). VPCScan does identify the ten viruses which John McAfee proposes account for 95% of all reported infections. VPCScan can identify 92% (i.e., 25 out of 27) of those viruses characterized as "common" by Patricia Hoffman in her excellent Virus Summary List, 17 March 1991. While I have not had the occasion yet to review Ms. Hoffman's April edition, I would expect that the number of "common" viruses will remain constant based on an analysis of her last four lists.

e. Although I do not have code for all the malicious programs which VPCScan claims to detect, it did identify those 60+ viruses in my possession. There are various scanning options available, which unfortunately are not within the printed documentation. The read_me.1st file provides this additional information. When VPCScan identifies a known malicious program, it gives the user an audible and visual alarm. Upon the completion of scanning the user has the option to review a report of the scan on the screen or to have the report printed.

f. Repair capabilities are modest when compared to other programs. If VPCScan cannot repair an infected file, the user will have the option to delete it. The program performed as stated in the documentation.

g. The Virex-PC TSR program performed as documented. I successfully caused the program to alarm under all of the stated events. I must qualify that malicious code in my possession is limited. Any certification of 100% effectiveness is beyond my capabilities. The list of options allows one to customize protection against "unknown" malicious programs and to closely monitor system activity in general. The features of potentially most value include:

   (1) Alerts of a program's attempt to terminate-and-stay-resident
   (2) Alerts on the attempt of an unregistered program to execute
   (3) Alerts whenever the checksum of a registered file changes
   (4) Alerts upon user-specified prohibited operations

h. The user-specified prohibited operations produced the most alarms when I maximized the protection. For example, a user can prohibit writing to, or reading from, files without triggering an alert. A user can prohibit deletion or renaming of files without direct authorization. The theory behind the protection is that viruses commonly attempt read, write, delete, or rename operations on user files. Virex-PC alerts a user to such attempts with the option to disallow suspicious activity.
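The registered-program checksum mechanism described in items 4c(5), 4g(3) and 4i, as an added Python example; this is not Virex-PC's code, and because the test does not say how Virex-PC computes its checksum, SHA-256 and the registry structure are assumptions:

```python
import hashlib
import os
import tempfile
# Assumption: the test does not say how Virex-PC computes its checksum, so
# SHA-256 stands in for it here.
def checksum_bytes(data):
    return hashlib.sha256(data).hexdigest()

def checksum_file(path):
    with open(path, "rb") as f:
        return checksum_bytes(f.read())

class ProgramRegistry:
    # Hypothetical registry: absolute program path -> checksum at registration.
    def __init__(self):
        self.registered = {}
    def register(self, path):
        self.registered[os.path.abspath(path)] = checksum_file(path)
    def check(self, path):
        # Verdicts mirror the TSR's alerts: an unregistered program, a registered
        # program whose checksum changed (reporting original and current values,
        # as the pop-up does), or a registered program that is unchanged.
        key = os.path.abspath(path)
        if key not in self.registered:
            return {"verdict": "unregistered", "path": key}
        original, current = self.registered[key], checksum_file(path)
        if current != original:
            return {"verdict": "modified", "path": key,
                    "original": original, "current": current}
        return {"verdict": "ok", "path": key}

def demo():
    # Constructed scenario: register one program, check it and an unregistered
    # one, then append bytes to the registered program and check it again.
    with tempfile.TemporaryDirectory() as workdir:
        editor = os.path.join(workdir, "EDIT.COM")
        newcomer = os.path.join(workdir, "NEW.EXE")
        with open(editor, "wb") as f:
            f.write(b"\xb8\x00\x4c\xcd\x21")  # constructed stub: MOV AX,4C00h / INT 21h
        with open(newcomer, "wb") as f:
            f.write(b"MZ constructed stub")
        registry = ProgramRegistry()
        registry.register(editor)
        verdicts = [registry.check(editor)["verdict"],
                    registry.check(newcomer)["verdict"]]
        with open(editor, "ab") as f:
            f.write(b"\x90" * 16)  # constructed change: the file grows by 16 bytes
        verdicts.append(registry.check(editor)["verdict"])
    return verdicts
```

The three verdicts correspond to alerts 4g(2) and 4g(3): the unregistered program and the altered registered program both trigger, the unchanged registered program does not.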
Alarms result in an audible and visual pop-up display in which the user has the option to allow the operation to go unchecked for one time, to allow the operation to go unchecked until the program undertaking the operation exits, or to disallow the operation.

i. Modification to a file's checksum includes these identical options with additional information on the current and original checksum calculated. Whenever a program attempts to terminate-and-stay-resident, the user receives a pop-up warning message with the options to allow the TSR or to remove it.

j. Virex-PC has an install program which is straightforward. There are 28 different steps in the process. Where appropriate, the user can choose the default settings supplied for a particular feature. The user in the installation program has the option to run Virex-PC at startup by modifying the autoexec.bat file. Although VPCScan can be run at any time, Virex-PC is a TSR which must be loaded for continuous monitoring to occur.

5. Product Advantages:

a. Virex-PC provides a comprehensive approach to malicious code protection in one program.

b. The installation program simplifies the configuration of the TSR element. There is also the capability to customize the configuration for situations in which multiple users access the same personal computer. In this situation each user can have different protection, if necessary.

c. Version 1.20 announces in its read_me.1st file that the program "can be updated in the field to detect currently unknown viruses". This represents a major design and marketing change. It remains to be seen how this feature will work. The vendor has adopted the same philosophy for its Macintosh anti-viral program.

d. Microcom Software Division has a credible reputation for its Macintosh scanning, disinfecting and protection program Virex. It decided in 1990 to enter the MS-DOS market. There is free technical assistance to registered Virex-PC users, but the quality of that support is unknown.

6. Product Disadvantages:

a. The cost of the product may discourage many government users who are already on tight budgets. Even if one pursued a site license agreement, it may be that the risk management assessment will not support such protection for every PC within the organization.

b. The User's Guide is deficient in omitting any reference to the VPCScan options.

c. The operation of VPCScan requires a user to provide a syntax statement, which for many users is inconvenient. For the cost of the product a menu-driven capability is not an unreasonable request. Several other commercial programs have this capability now.

d. The TSR program offers a variety of protection capabilities which the experienced MS-DOS user will appreciate. It remains an open question as to whether the majority of users within an organization will be able to configure the TSR themselves, or whether they will be able to interpret and respond to the respective alarms.

7. Comments: Fred Cohen's original paper on his first computer virus experiments concluded that detection of viruses by their appearance or behavior was "undecidable". Yet seven years after the publication of his work, detection of viruses by their appearance and behavior remains the most common form of viral defense for the MS-DOS environment. Virex-PC provides the mechanisms to monitor attributes of change and to recognize a virus by its appearance. It also has an intrusion detection capability through its TSR program. The challenge for the user remains the interpretation of what the TSR identifies as "suspicious" activity. This challenge is not unique to Virex-PC. It does reinforce the proposition that, if one chooses to acquire a product which integrates detection, disinfection and prevention, one must have a strategy for supporting users in the interpretation of alarms and probably in the actual configuration.

Version 1.20 offers the capability to scan a network and to scan compressed files under PKLite and LZEXE. I did not test the latter feature because .ARC and .ZIP are the two compression programs used in my environment.

There has been significant Internet discussion on the ability of various anti-viral programs to detect and to prevent infection, to include Virex-PC. I emphasize that, in the absence of having code for all malicious programs, it is simply impossible to certify that any protection program will perform as advertised or expected with 100% effectiveness. I personally advocate the use of two or more protection programs in cooperation to address this issue as well as the matter of continuity of operations should one vendor or supplier vanish from the marketplace.

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   DATE             PRODUCT
PT-3                  November 1989    VIRUSCAN (MS-DOS) (Revised February 1991)
PT-11                 June 1990        ANTI-VIRAL SEARCH, 2.23e (Revised February 1991)
PT-12                 June 1990        VIRUCIDE (MS-DOS) (Revised February 1991)
PT-17                 August 1990      F-PROT (MS-DOS) (Revised May 1991)
PT-28                 February 1991    NORTON ANTIVIRUS (Revised 12 February 1991)
PT-34                 April 1991       IBM ANTI-VIRUS