Date: Tue, 29 Oct 91 09:27:02 MST
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revision to Product Test -- Virucide, Version 2.33

******************************************************************************
                                                        PT-12
                                                        June 1990
                                                        Revised October 1991
*******************************************************************************

1. Product Description: VIRUCIDE is a commercial anti-virus program to detect and to repair known computer viruses for the MS-DOS computer environment. The report addresses version 2.33, released 15 October 1991.

2. Product Acquisition: The product is available from Parsons Technology, Inc. The address is Parsons Technology, Inc., One Parsons Drive, Hiawatha, IA 52233. The company has a toll free number for orders, 1-800-223-6925. The cost of a single copy, as of 28 October 1991, was $49.00. Each of four program upgrades has been $15.00, which includes shipping and handling.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

   a. I ordered my original copy of the product and all upgrades directly from Parsons Technology. One can specify the disk format. All disks come write-protected. There is a concise User Guide supplemented by a readme.txt or a readme.com file included in each of the upgrades.

   b. I had known when I placed the order that McAfee Associates had copyrighted the VIRUCIDE software and that Parsons Technology had both trademarked and licensed VIRUCIDE. Upon receipt of the product I learned that Yuval Tal and Uzi Apple had actually written the software. These individuals had authored an early anti-viral scanning program, VIRUS BUSTER [see PT-5, December 1989]. The look and feel of VIRUCIDE clearly builds on that program. Two other individuals are also given as authors: Igor Grebert and Morgan Schweers.

   c. I found no conflicts or false alarms between version 2.33 and the detection portion of several other protection programs, to include Avsearch, Viruscan, F-PROT, Norton Antivirus, Virex-PC, Thunderbyte Scanner, the IBM Anti-Virus Product, Central Point Anti-Virus, ViruSafe, and VIRx. Virucide could not open the Norton Antivirus file \nav\nav_.sys with Norton's TSR component installed. I did test for conflicts against several anti-viral TSR components, to include Vshield, NAV and F-PROT. There were none against the current program versions of these three.

   d. The system requirements for VIRUCIDE are minimal: (1) IBM PC, PC/XT, PC/AT or compatible computer; (2) 256 kilobytes or more of RAM; (3) MS-DOS (or IBM-PC DOS) release 2.0 or higher.

   e. The VIRUCIDE program disk, as distributed, has no write tab on it so that it cannot be altered or damaged by a virus or by another type of malicious software. However, Section 1 of the User Guide discusses the automatic program installation of the software on one's hard drive without first advising users to run the product against the hard drive from drive A before installation. Section 2 of the User Guide notes that "the program cannot cure any damage caused by a virus that was active prior to the operation of VIRUCIDE." The opinion among most anti-viral authors is that one should first determine the relative health of the hard drive.

   f. The syntax for running VIRUCIDE is: VIRUCIDE [drive][path]. The first screen to appear provides VIRUCIDE copyright information. Pressing any key will then give a program screen with the "Enter Search Directory" window displayed. The User Guide suggested that one press the F10 key to review the menu options before conducting a search. The menu gives five main options: Options, Report, Save Options, Virus Info and Exit. One can either use the right and left arrow keys, or type the letter of choice to make a selection. The Virus Info option was new at version 2.01.

   g. Under Options one has seven selections: (1) automatic virus removal; (2) backup infected files; (3) search in subdirectories; (4) clean read-only files; (5) check overlay files; (6) network operations; and (7) compressed files. The up and down arrow keys highlight the selection. One then presses the ENTER key or picks the letter of choice to toggle between Yes and No for each item. Some of the selections have additional pull-down menus. One then returns to the main menu by pressing the ESC key. [NOTE: The default selections are (1) No; (2) No; (3) Yes; (4) Yes; (5) Yes or OV*; (6) No; and (7) No. The ability to examine files compressed by the programs LHARC and PKLITE became available at version 2.33.]

   h. A major change at version 2.24 was the ability to edit the overlay extension file such that one now has the capability to scan all files or to add extensions at the user's choice. The default under the option is to only treat files with the following extensions as overlays: .ovr, .ovl, .prg, .dat, .bin, and .sys. I tested this new option, which functioned as documented. I did note one minor curiosity in the readme.txt instruction file. When a user enters a new extension, the instructions read to press the [Ins] key and enter the extension to be added. At this point one has to press the [Enter] key to highlight the extension and press the [Enter] key again to activate it. I am somewhat slow and only hit the [Enter] key once. The wild card extension to scan all files (.*) appeared in the overlay column, but obviously was not working when I ran the program. I ended up calling Parsons Technology for assistance. Interestingly, the technical person was running a previous version of the program and had to call me back. Within 5 minutes the representative had the answer, which was to check the overlay column and see if the wild card extension had a "small box" next to it. This small box verifies activation and appears upon striking that second [Enter] key. I could have found this in the readme.txt file if I had been a careful reader.

   i. Under Report one has two selections: (1) the report type; and (2) the destination of the report. There are three report type options: none, detailed, and short. There are two destination options: printer or file. The detailed report lists every file scanned with the full path name, and a cumulative total at the end which identifies (1) the number of directories scanned; (2) the number of EXE files scanned; (3) the number of COM files scanned; (4) the number of overlay files scanned; (5) the number of infected files; (6) the number of boot sector viruses; and (7) the percentage of infected files. The short report provides only the cumulative total. Both reports have a subject line "Virus Analyst Report", copyright notifications, and the date/time of the report's generation. [NOTE: The default selection is for report type "none". The default file name if one selects either a detailed or short report is "VIRUCIDE.RPT".]

   j. Virus Info has two pop-up screens. On the right side is a listing of all malicious programs identified. On the left side is a summary of the number of programs identified by total number and by characteristics (i.e., boot, file, stealth, discrete strains). Version 2.33 claims to identify 893 known viruses. This includes 95%, or 52 of the 55 viruses, characterized as "common" by Patricia Hoffman in her 22 September 1991 HyperText Virus Summary List. Version 2.33 identified all of the 80+ viruses in my possession, to include a sample of the Twelve Tricks Trojan.

   k. Under Exit one has two selections: (1) No; and (2) Yes. The option allows one to return to the DOS prompt.

   l. Under Save one has one selection under version 2.33. Selection of the option allows one to retain automatically selections made under Options and Report on subsequent executions of the program. If one chooses Save, the program creates a file in the program directory, "virucide.cfg". The User Guide does not alert the user to this fact.

5. Product Advantages:

   a. The program appears to work as advertised. While viral detection by scanning techniques remains controversial, the methodology is effective for "known" viruses and trojan horses.

   b. The free, unlimited technical support obtained with the license is a nice feature. The support on two separate occasions has been satisfactory.

   c. The Menu Options are easy to use and eliminate the guesswork found in other comparable products. The ability to generate reports provides an audit trail record which many users and their organizations require.

   d. The window displays are informative, particularly the running count of where the program is at any given moment in its scanning.

6. Product Disadvantages:

   a. Updates to the product may be too slow for certain users, particularly when one cannot add search strings for "new" malicious programs as they appear. When I first purchased the program, I was told that updates would be twice a year. The time between the release of 2.24 and the current release 2.33 was approximately 150 days.

   b. The unique arrangement by which McAfee Associates has copyrighted the software and Parsons Technology has licensed the property raises questions as to future support. McAfee Associates sells comparable anti-viral scanning programs. The marketplace has literally dozens of products competing for the same customers. Whether that customer base is large enough to support the number of available products, let alone competing products originating from the same source, is unknown at this time. McAfee has also marketed Virucide to another firm which sells it under the VirusCure+ name (see Product Test 48, October 1991).

7. Comments: I continue to propose for continuity of operations planning that one should have more than one detection program for the MS-DOS environment. I continue to be impressed by VIRUCIDE's effectiveness, price and update notification procedures. I am also pleased at Parsons Technology's realistic licensing statement. In light of certain vendors' attitude to those in commercial and government entities, Parsons has adopted exactly the opposite tack. I quote a portion of the licensing statement:

   "You are free to move this software from one computer location to another, as long as there is no possibility of its being used at two locations at one time. This software should be treated like a book, which cannot be read by two people at two different locations at the same time (unless, of course, Parsons' License Statement has been violated)."

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   DATE             PRODUCT
PT-3                  November 1989    VIRUSCAN (MS-DOS) (Revised September 1991)
PT-11                 June 1990        AVSEARCH, 2.24 (MS-DOS) (Revised February 1991)
PT-17                 August 1990      F-PROT (MS-DOS) (Revised October 1991)
PT-23                 March 1991       VIREX-PC (MS-DOS) (Revised May 1991)
PT-24                 July 1991        VIRUSAFE (MS-DOS)
PT-28                 February 1991    NORTON ANTIVIRUS (MS-DOS) (Revised October 1991)
PT-34                 April 1991       IBM ANTI-VIRUS, version 2.1.2 (MS-DOS & OS/2) (Revised September 1991)
PT-36                 June 1991        CENTRAL POINT ANTI-VIRUS (MS-DOS)
PT-39                 August 1991      THUNDERBYTE SCANNER (MS-DOS)
PT-41                 July 1991        VIRx (MS-DOS) (Revised August 1991)
PT-48                 October 1991     VIRUSCURE+ (MS-DOS)

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
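As an added illustration, not Virucide's code and not part of the original report, the following Python sketch models the scan-scope and reporting behaviour described in items g through i: a known-virus string scan whose file selection depends on the overlay extension list and its ".*" wildcard, producing the cumulative totals of the short report. The signature pattern, the sample directory tree, and the rule that .EXE and .COM files are always scanned are constructed assumptions; boot-sector counts are left out.

```python
import os
import tempfile

# Default overlay extension list as the report gives it; ".*" is the wildcard entry.
DEFAULT_OVERLAY_EXTS = {".ovr", ".ovl", ".prg", ".dat", ".bin", ".sys"}
# Constructed signature database: a placeholder pattern, not a real virus signature.
SIGNATURES = {"DEMO-SAMPLE": b"CONSTRUCTED-DEMO-PATTERN-0001"}

def classify(name, overlay_exts):
    """Report category for a file name, or None if it falls outside the scan scope.
    Assumption: .exe/.com are always scanned; others only via the overlay list or ".*"."""
    ext = os.path.splitext(name)[1].lower()
    if ext in (".exe", ".com"):
        return ext[1:]
    if ".*" in overlay_exts or ext in overlay_exts:
        return "overlay"
    return None

def scan_tree(root, overlay_exts=DEFAULT_OVERLAY_EXTS, subdirs=True):
    """Known-virus string scan; returns the short report's cumulative totals."""
    t = {"directories": 0, "exe": 0, "com": 0, "overlay": 0, "infected": 0, "hits": []}
    for dirpath, dirnames, filenames in os.walk(root):
        t["directories"] += 1
        if not subdirs:
            dirnames[:] = []  # "search in subdirectories" set to No
        for name in filenames:
            kind = classify(name, overlay_exts)
            if kind is None:
                continue  # outside the scan scope: the file is never even read
            t[kind] += 1
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read()
            hit = next((s for s, p in SIGNATURES.items() if p in data), None)
            if hit:
                t["infected"] += 1
                t["hits"].append((name, hit))
    scanned = t["exe"] + t["com"] + t["overlay"]
    t["percent_infected"] = round(100.0 * t["infected"] / scanned, 1) if scanned else 0.0
    return t

def demo():
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sub"))
    files = {"CLEAN.EXE": b"MZ clean program image",  # constructed sample tree
             "sub/BAD.COM": b"\xe9" + SIGNATURES["DEMO-SAMPLE"],
             "sub/NOTE.TXT": b"memo " + SIGNATURES["DEMO-SAMPLE"]}
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return scan_tree(root), scan_tree(root, DEFAULT_OVERLAY_EXTS | {".*"})
```

With the default overlay list the carrier saved as NOTE.TXT is never opened, so only BAD.COM is reported; activating the ".*" wildcard (the step the "small box" confirms in item h) brings it into scope.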