Date: Mon, 8 Jul 91 10:46:14 MDT
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Product Test - - ViruSafe

*******************************************************************************
PT-24                                                                July 1991
*******************************************************************************

1. Product Description: ViruSafe is a commercial software package to detect, disinfect and prevent computer viruses and malicious programs for the MS-DOS environment.

2. Product Acquisition: ViruSafe is available from EliaShim Microcomputers, 520 W. Highway 436, Suite 1180-30, Altamonte Springs, FL 32714. The commercial telephone number is Area Code 407-682-1587. The FAX number is Area Code 407-869-1409. The suggested retail price for a single copy is $80.00. Site licenses are available.

3. Product Testers: Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

   a. I obtained an evaluation copy of ViruSafe (Version 4.02) in May 1991 from Mr. Bob Greenwald, the government account specialist for EliaShim Microcomputers. Mr. Greenwald had obtained my name and address from other Army representatives. The software arrived on a 5 1/4" write-protected disk with a 56-page User's Manual.

   b. Product tests occurred on the following systems: (1) Unisys PC, Model 3137, MS-DOS 3.10, 512K; and (2) Unisys PC, Model 3137, MS-DOS 3.30, 640K. The minimum hardware and software configuration is as follows: an IBM PC/XT/AT or compatible computer using MS/PC-DOS (Version 3.00 and up) with 512K. Actual tests occurred from 24 May through 5 July 1991.

   c. ViruSafe has several major components which a user can generally invoke from a menu or from the DOS command line. The first program, UNVIRUS.EXE, performs detection and removal of known computer viruses and malicious programs. The second program, PIC.EXE, records information about files and checks their integrity for signs of change. This information includes the size of the file, its contents, the date and the time. The third program, VC.EXE, detects and removes viruses active in memory and in the boot sector. The fourth program, VS.EXE, installs as a terminate-and-stay-resident (TSR) program that detects and identifies viruses when they attempt to enter memory and prevents infection of programs and boot sectors. The fifth program, VSCOPY.EXE, performs the DOS COPY function only after it checks that what a user is attempting to copy is not infected by a known virus. The sixth program, VSMENU.EXE, is the menu-driven utility through which a user may operate ViruSafe after installation.

   d. ViruSafe has a utility for installing and uninstalling itself. The User's Manual contains instructions for using the program to test one's system before actually installing it on a hard drive. The instructions were adequate. One invokes the menu by the command "vsmenu" at the DOS prompt.

   e. Version 4.02 contains viral definitions for 412 known viruses and mutations. ViruSafe does identify the ten viruses which John McAfee once proposed account for 95% of all reported infections. ViruSafe can identify 92% (i.e., 25 out of 27) of those viruses characterized as "common" by Patricia Hoffman in her Virus Summary List, 15 May 1991.

   f. Although I do not have code for all the malicious programs which ViruSafe claims to detect, it did identify those 60+ viruses in my possession. When ViruSafe identifies a known malicious program, it gives the user an audible and visual alarm if one has directed the program to report such information to the screen. If one chooses to have the program direct all results to a log file or to a printer, there is no audible or visual alarm. The log file option will cause results to appear on the screen; however, the screen clears automatically at the completion of the detection operation.

   g. The "Check and Remove" menu has various options to check only for virus signatures, to check and remove program viruses, to check and remove boot sector viruses, to check and remove all file viruses, and to check only for a virus in memory. I tested all these options, which functioned as documented. I did verify that all "check and remove" options were automatic. So, for example, if ViruSafe detects a virus in an .exe file, it will attempt to remove the virus without any further user authorization or intervention. The user will have no permanent record of the detection and removal unless he or she has asked for a printer or log file result.

   h. The vendor representatives emphasized the disinfection capabilities of ViruSafe in their discussions with me prior to the actual test. I can say that the product performed as advertised against those viruses in my possession. One of the main menu options is a "List of Viruses Handled". This list identifies those viruses and malicious programs which ViruSafe can actually remove. I found this an extremely nice feature because I could determine in advance, if I chose to do so, whether ViruSafe would perform disinfection.

   i. The Program Integrity Check (PIC.EXE) option in the VSMENU offers a user these features:

      (1) Check Integrity of Marked Files
      (2) Recalculate Marked Files
      (3) Display List of Marked Files
      (4) Mark and Save Boot Sectors
      (5) Mark Programs

   I tested all the options, which performed as indicated. I intentionally changed the contents and size of various files. In each case there was a notification. I must emphasize that I made no deliberate attempt to defeat the mechanism since that is beyond my capabilities. The User's Manual states that Program Integrity Check (PIC) is a "special digital signature, calculated for marked files".
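As an added illustration, not ViruSafe's code (the manual does not say how PIC computes its signature), here is a marked-file integrity check of the kind paragraph i describes: it records size, date/time and a SHA-256 hash of the contents for each program file, then reports any marked file that changed or went missing. The files it marks are constructed in a temporary directory; the same-size overwrite case shows why a content hash matters beyond size and date.

```python
import hashlib
import tempfile
from pathlib import Path

def mark_file(path):
    """Record what PIC is described as tracking: size, contents, date and time."""
    p = Path(path)
    st = p.stat()
    return {"size": st.st_size,
            "mtime": int(st.st_mtime),
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest()}

def mark_programs(root, suffixes=(".exe", ".com", ".sys")):
    """Baseline every program file under root (the 'Mark Programs' step)."""
    root = Path(root)
    return {str(p.relative_to(root)): mark_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in suffixes}

def check_integrity(root, baseline):
    """Re-mark each baselined file and report mismatches
    (the 'Check Integrity of Marked Files' step). Returns {path: reason}."""
    findings = {}
    for rel, old in baseline.items():
        p = Path(root) / rel
        if not p.is_file():
            findings[rel] = "missing"
            continue
        now = mark_file(p)
        diff = [k for k in ("size", "sha256", "mtime") if now[k] != old[k]]
        if diff:
            findings[rel] = "changed: " + ", ".join(diff)
    return findings

def demo():
    """Constructed sample: mark four program files, then alter them in different
    ways. A same-size overwrite is the case a size/date-only check would miss."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "GOOD.EXE").write_bytes(b"MZ" + b"\x00" * 62)
        (root / "SAME.EXE").write_bytes(b"MZ" + b"\x90" * 62)
        (root / "KEEP.EXE").write_bytes(b"MZ" + b"\x00" * 30)
        (root / "TOOL.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21")
        (root / "README.TXT").write_bytes(b"not a program; never marked")
        baseline = mark_programs(root)
        (root / "GOOD.EXE").write_bytes(b"MZ" + b"\x00" * 62 + b"APPENDED")
        (root / "SAME.EXE").write_bytes(b"MZ" + b"\x91" * 62)  # same size, new contents
        (root / "TOOL.COM").unlink()
        return check_integrity(root, baseline)
```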
   There is no other information in the manual on what exactly this calculation entails. I am not an expert on this subject, but discussions on the Internet, and on Virus-L in particular, can provide any user with additional information in this area.

   j. The VS.EXE TSR program performed as documented. I successfully caused the program to alarm under all of the stated events. I must qualify that malicious code in my possession is limited. Any certification of 100% effectiveness is beyond my capabilities. The list of options allows one to customize protection against "unknown" malicious programs and to closely monitor system activity in general. The VSMENU presents a user with these options:

      (1) Check Resident Programs (TSR)   [The default is OFF.]
      (2) Check Access to Program Files   [The default is OFF.]
      (3) Check Write to Boot Sectors     [The default is ON.]
      (4) Check Diskettes Infection       [The default is ON.]
      (5) Check Memory Infection          [The default is ON.]
      (6) Write Protect Hard Disk         [The default is OFF.]
      (7) Sound Warning Alarm             [The default is ON.]
      (8) Check Memory Size Changes       [The default is ON.]
      (9) Check Virus on Program Exit     [The default is OFF.]

   k. The VSCOPY.EXE program functioned as described in the document. I tested with boot sector, .com and .exe viruses.

   l. There is an Advanced Features option in the main VSMENU. I tested three of the selections, which functioned as advertised. I did not test the selections to restore or to repair the master hard drive boot sector and partition table. The User's Manual in my opinion oversells the significance of the features to display a boot sector and to provide a memory allocation map. These are not very helpful tools for viral and malicious code detection.

5. Product Advantages:

   a. ViruSafe provides a comprehensive approach to malicious code protection in one program. It offers detection, disinfection and prevention--a trend which most commercial vendors now follow.

   b. The product provides a good menu system to assist the novice user.

   c. The product, by version 4.0, allows a user to add new virus signatures without a formal upgrade. [Note: I did not have the opportunity to test this feature.]

   d. EliaShim Microcomputers has established a credible reputation for technical support of its products. The technical representative was extremely helpful during the evaluation period.

6. Product Disadvantages:

   a. The cost of the product may discourage many users who are already on tight budgets. Even if one pursued a site license agreement, it may be that the risk management assessment will not support such protection for every PC within the organization.

   b. The User's Manual is accurate, but clearly has been overtaken by upgrades to the product. For example, although I received the LAN version of the product, the manual has very little to say about network operations. The read.me file on the program disk contains information that at least by version 4.0 a user may add new virus signatures without a formal upgrade. The manual is silent on this subject. There are other minor features which I noticed in running the program which would be nice to document formally.

   c. The TSR program offers a variety of protection capabilities which the experienced MS-DOS user will appreciate. It remains an open question as to whether the majority of users within an organization will be able to configure the TSR themselves, or whether they will be able to interpret and respond to the respective alarms.

7. Comments: Fred Cohen's original paper on his first computer virus experiments concluded that detection of viruses by their appearance or behavior was "undecidable". Yet seven years after the publication of his work, detection of viruses by their appearance and behavior remains the most common form of viral defense for the MS-DOS environment. ViruSafe provides the mechanisms to monitor attributes of change and to recognize a virus by its appearance. It also has an intrusion detection capability through its TSR program. The challenge for the user remains the interpretation of what the TSR identifies as "suspicious" activity. This challenge is not unique to ViruSafe. It does reinforce the proposition that, if one chooses to acquire a product which integrates detection, disinfection and prevention, one must have a strategy for supporting users in the interpretation of alarms and probably in the actual configuration.

The National Computer Security Association has issued a report, "Virus Scanners: An Evaluation", dated March 4, 1991. The report evaluates an earlier version of ViruSafe, so readers should recognize that my comments pertain to version 4.02. I obtained a copy of the report after the majority of my tests were completed. I am happy to report that it provided a quality control measure on my own modest efforts.

FOR FURTHER REFERENCE:

   PRODUCT TEST NUMBER   DATE            PRODUCT
   PT-3                  November 1989   VIRUSCAN (Revised February 1991)
   PT-5                  December 1989   VIRUS BUSTER
   PT-11                 June 1990       ANTI-VIRAL SEARCH, 2.24 (Revised February 1991)
   PT-12                 June 1990       VIRUCIDE (Revised February 1991)
   PT-17                 August 1990     F-PROT (Revised May 1991)
   PT-23                 March 1991      VIREX-PC (Revised May 1991)
   PT-28                 February 1991   NORTON ANTIVIRUS (Revised 12 February 1991)
   PT-34                 April 1991      IBM ANTI-VIRUS
   PT-36                 June 1991       CENTRAL POINT ANTI-VIRUS