Return-Path: @WSMR-SIMTEL20.ARMY.MIL:cmcdonal@wsmr-emh03.army.mil
Received: from cert.sei.cmu.edu by ubu.cert.sei.cmu.edu (5.65/2.4)
        id AA03891; Mon, 16 Sep 91 17:04:29 -0400
Received: from WSMR-SIMTEL20.ARMY.MIL by cert.sei.cmu.edu (5.65/2.2)
        id AA24899; Mon, 16 Sep 91 17:06:12 -0400
Message-Id: <9109162106.AA24899@cert.sei.cmu.edu>
Received: from wsmr-emh03.army.mil by WSMR-SIMTEL20.ARMY.MIL with TCP; Mon, 16 Sep 91 15:05:21 MDT
Date: Mon, 16 Sep 91 14:59:10 MDT
From: Chris McDonald  ASQNC-TWS-R-SO <cmcdonal@wsmr-emh03.army.mil>
Subject: Revision to Product Test on VIRUSCAN
To: /usr/cmcdonal/maillist:@wsmr-emh03.army.mil
Cc: /usr/cmcdonal/virrevlist:@wsmr-emh03.army.mil



******************************************************************************
                                                                          PT-3
                                                                 November 1989
                                                        Revised September 1991
******************************************************************************


1.  Product Description:  VIRUSCAN is a shareware program to scan individual
files, diskettes or entire MS-DOS systems for any pre-existing PC virus
infection.  VIRUSCAN will indicate the specific files or system areas that are
infected and will identify the virus strain which has caused the infection.  As
of August 1991 Version 7.6V80 was available.

2.  Product Acquisition:  VIRUSCAN is available from the McAfee Associates
bulletin board, from other bulletin boards, from hosts on the INTERNET, and
from simtel20.  The registration fee is $25.00 for individual users in a home
environment for one year.  Site licenses are also available for commercial,
government, and university environments.  The McAfee Associates board number is:
408-988-4004, 1200/22400, N,8,1; 5 lines.  The mailing address is:  McAfee
Associates, 4423 Cheeney Street, Santa Clara, CA 95054.  Registration includes
free assistance from McAfee Associates for manually removing any virus found or
for information on disinfection utilities.  The telephone number for assistance
is 408-988-3832.

3.  Product Tester:  Chris McDonald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM  88002-5506, DSN 258-4176, DDN:
cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4.  Product Test:

    a.  I obtained a copy of Version 30 of the product in Aug 89 through a
download from the MS-DOS repository on the USAISC-WS host simtel20
[192.88.110.20].  The repository manager obtained the copy directly from McAfee
Associates.  I have continued to download and test each successive version over
the last two years.

    b.  I immediately registered my copy as an individual and contacted McAfee
to see if indeed "free" assistance was available upon registration.  I confirmed
that this was the case.  Registration procedures have changed dramatically
since 89.  The registration fee at that time was $15.00 forever.  The price
rose to $25.00 forever.  The current price structure for a single copy is
$25.00 per year.  Site licensing procedures have also evolved as commercial,
government, and university users have recognized the significance of the
computer virus phenomenon.

    c.  Over the last two years I have tested the product on several different
MS-DOS platforms, to include IBM, Gateway, Unisys, Zenith and Wyse.  I have 
never encountered any difficulties.

    d.  Although I do not have actual code for every malicious program which
VIRUSCAN claims to be able to detect, it has successfully identified those 80+
viruses in my possession.  Version 80 identifies 100% of those viruses
identified as "common" in Patricia Hoffman's latest Hypertext Virus Summary
List.  VIRUS-L in particular has numerous confirmations of the program's
ability to detect known viruses.

    e.  With Version 80, options include:

	 (1)  /A         Scan all files
	 (2)  /AV        Add validation codes to specified files
	 (3)  /CV        Check validation codes
	 (4)  /D         Overwrite and delete infected files
	 (5)  /E         Scan overlay extensions
	 (6)  /EXT       Scan using external virus data file
	 (7)  /FR        Display messages in French
	 (8)  /M         Scan memory for all viruses
	 (9)  /MANY      Put Scan into loop checking drive(s)
	 (10) /NLZ       Skip scanning of LZEXE compressed files
	 (11) /NOBREAK   Disable Ctrl-C/Ctrl Brk during scanning
	 (12) /NOMEM     Skip memory checking
	 (13) /NOPAUSE   Disable screen pause when scanning
	 (14) /REPORT    Create report of infected files
	 (15) /RV        Remove validation codes from specified files
	 (16) /SUB       Scan subdirectories

5.  Product Advantages:

    a.  The product does what it is supposed to do.

    b.  Customer assistance is by all accounts responsive, although the
INTERNET has had a few users who experienced "busy" telephone lines.

    c.  Upgrades to the product appear quickly in response to the 
identification and analysis of "new" viruses as well as to suggestions from
users.  
 
    d.  The search strings for the identification of specific viruses are
encrypted to make it more difficult for individuals to modify viruses for the
purpose of avoiding detection.

    e.  McAfee Associates has candidly admitted whenever versions of the product
have been "buggy" or have failed to function properly.  

6.  Product Disadvantages:

    a.  The product will not prevent an infection unless a user specifically
invokes it against any new piece of software about to be run on a "clean"
system.  [NOTE:  There is a memory resident version of VIRUSCAN which is
VSHIELD and which requires a separate registration fee.  The resident version,
if entered in your AUTOEXEC.BAT file, will become active each time the system
is powered-on or re-booted.  It will check the critical areas of the system for
viruses, including itself, and then monitor all program loads.]

    b.  The registration fee has increased rather dramatically.  There is at
least one government agency to my knowledge which no longer recommends VIRUSCAN
to its user community because of site licensing concerns and the costs
associated with obtaining such a license.


    c.  Since McAfee Associates does not really want to be in the distribution
business, those users who want to receive a diskette directly from McAfee will
have to pay an additional $9.00 in distribution costs.  With a newer version of
the product appearing at least once a month, downloading from McAfee Associates
bulletin board or from some other "trusted" source (such as simtel20) is
clearly the more desirable alternative.

7.  Comments:

    Although "detection" of viruses is typically rated at the low end of
the protection scheme, VIRUSCAN is an excellent tool for any credible
anti-virus program.  It allows one to easily and quickly obtain a "picture" of
one's system for the presence of known MS-DOS computer viruses.  While it is
difficult to gather accurate information on the actual cases of infections,
there is substantial evidence to support McAfee's assertion that VIRUSCAN will
identify those viruses which have caused 95% of all reported infections.  Since
few of us have the expertise or the resources to "test" all software or to
examine source code for those programs which we run, VIRUSCAN provides a
reasonable degree of assurance that a system is not infected.  So long as one
understands the limitations of the product, it provides a protection control
measure which can be integrated into an organization's written policies and
procedures on automation security.

    VIRUSCAN was to my knowledge the "first" scanning program which was
available from many locations at an extremely reasonable price.  The quality of
the program to detect malicious code remains unsurpassed.

    It is a reality, however, that the marketplace now sees a variety of
vendors who offer comparable programs.  I have tested many of those, such as
AVSEARCH, F-PROT, VIRUCIDE, NORTON ANTIVIRUS, and VIREX-PC.  These and other
programs provide for increased competition.  It is also significant that many
commercial products, such as NORTON ANTIVIRUS and VIREX-PC, have begun to
package virus scanning, virus prevention, and virus treatment functions into
one program.

    My personal opinion is that no user or organization should restrict
themselves to a single product or to a single vendor.  It makes good business
sense to have at least two scanning programs available as part of any
contingency planning process.  There is also a strategic planning function
which must be initiated to move beyond "scanning" as the primary viral defense.




[The opinions expressed in this evaluation are those of the author, and should
not be taken as representing official Department of Army positions or a
commercial endorsement.]





