Date: Fri, 31 May 91 10:16:21 MDT
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Product Test - - VirusDetective (Mac)

******************************************************************************
PT-30                                                                May 1991
******************************************************************************

1. Product Description: VirusDetective is a shareware program to detect and to delete known viruses and trojan horses for the Macintosh.

2. Product Acquisition: VirusDetective is available from its author Jeffrey S. Shulman, P.O. Box 1218, Morgantown, WV 26507-1218. The cost is $40.00 for U.S. customers and $45.00 for others. A registered user receives a program diskette, a license, and automatic notification of future malicious code search strings. One can also download the program from many Internet sites and bulletin board systems. Mr. Shulman states in his documentation that multiple copy discounts are available.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I obtained the product from the Macintosh repository on the Internet host simtel20 [192.88.110.20] in late 1990. I obtained updates over the last six months from the Internet and from the local Apple Users Group. Version 4.0.3a with updates identifies Macintosh viruses with the exception of the latest 3 Tunes HyperCard virus. It also identifies three major trojan horses (i.e., Mosaic/Fontfinder, Virus Info, and Steroid). All tests occurred on a Macintosh IIcx running system 6.0.5 with an 80MB hard drive.

b. VirusDetective installs as a Desk Accessory (DA) and provides the capability to "search through files looking for specific resources". In this case those "resources" are known malicious code strings.
DAs must be installed in the system with Font/DA Mover or organized with Suitcase II or MasterJuggler, and then they become available on the Apple menu. The installation of the DA presented no problems. Since this was not the first DA that I had ever installed, my experience may not be typical--particularly for a new Macintosh user. There are some classic comments regarding the intuitiveness, or the lack thereof, of the Font/DA Mover. This concern will become a moot point with System 7.0 because DAs are double-clickable applications that can be located anywhere. If a user wants VirusDetective in the Apple menu, then he or she will simply copy the program to the Apple Menu Items folder.

c. When one opens the program from the Apple Menu, there are six highlighted commands within a bordered display:

     Disk/Folder Scan       #D
     Option Configuration   #O
     Credits                #C
     Scan one File          #F
     Modify Search String   #M
     Help                   #?

I tested all of these commands which functioned as described. Other commands/options appear dependent upon the results of the scan and of the user's configuration decisions.

d. As VirusDetective executes its search looking for specific resources, the user has a visual display of the program's progress, and may cancel a scan at any time. If the program detects a known malicious code string, the user receives notification with the option to "delete" the resource or to "delete" the file containing the resource. When the program completes its search, the user receives two summary lines which appear at the top of the display. These lines confirm that the "Check" has been completed; that there either were or were not any "matching files"; and that "x" number of files have been checked. If VirusDetective is for whatever reason unable to check a file/folder, the user will also receive an error message to that effect.

e. The Option Configuration and the Modify Search String commands merit some additional comments.
Under the Option Configuration a user may ask that a log file be created to record search results. The log can capture all files scanned with the results, or can simply record only those files with a matched string. The program is "intelligent" enough to require that the user specifically authorize the overwriting of any log file, thereby minimizing the potential for inadvertently losing a valuable record. The user may also specify the format of the log record (e.g., TeachText, MacWrite).

f. With the Modify Search String command a user may add additional strings or may substitute a file containing strings other than those included within VirusDetective. The author has included a file containing the search strings of all those contained within the installed DA in the event the DA's strings become corrupted. He has also provided an "alternate search string" file which might detect mutations or unusual variations of the known malicious programs. This latter file increases the search time, but nothing unacceptable.

5. Product Advantages:

a. VirusDetective performs as advertised to detect known malicious code.

b. The shareware cost appears reasonable, particularly when one factors in the upgrade notifications.

c. The author has a good reputation on the Internet.

6. Product Disadvantages:

a. The program detects and deletes malicious resources. Deletion of that resource does not necessarily equal "disinfection" in the sense of returning a file or application to its original condition prior to infection. Therefore, users must exercise safe computing practices to invoke VirusDetective and to have clean backup copies of programs.

b. The user must specifically invoke the program. There is no automatic scanning such as might be available through the respective INITs of DISINFECTANT, SAM, or VIREX. If users can be trained to utilize the DA properly, then this should not be a major drawback.

c. The Help #? command provides very concise descriptions of the commands.
Consequently, it might be inadvisable to have every user modifying search strings or setting optional configurations without first providing additional documentation or actual training.

d. As is the case with most one person operations, should something happen to Mr. Shulman the future of VirusDetective may be in doubt. Since the program allows a user to enter his or her own search strings, it does offer some inherent survivability. The challenge would be in actually obtaining "new" search strings in a timely manner and in a syntax consistent with VirusDetective requirements.

7. Comments: Malicious program defenses are still in their infancy. It seems prudent to utilize a variety of programs to complement one another. VirusDetective identifies those trojan horse programs, for example, which the freeware program DISINFECTANT does not. DISINFECTANT provides the "disinfection" services which VirusDetective does not. While my personal recommendation would be to have at least one commercial program in-house as a prudent management decision, those individuals and organizations on a restricted budget or perhaps no budget at all could hardly go wrong with this combination. I would only caution that the future of these programs depends heavily upon their creators.

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   DATE            PRODUCT
PT-9                  January 1990    DISINFECTANT (Revised February 1991)
PT-10                 March 1990      VIREX (Revised February 1991)
PT-20                 November 1990   SYMANTEC ANTIVIRUS FOR MACINTOSH (Revised April 1991)
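The scanning model described in sections 4.b, 4.d, 4.e and 4.f (search every file for known search strings, report matches and the number of files checked, flag files that could not be checked, optionally write a log that refuses to overwrite an existing one, load strings from a user-supplied file, and accept a looser "alternate" string form that tolerates mutations), written out as an added example. This is not VirusDetective's code and not from the original report; the "name: pattern" string-file syntax, the "?" single-byte wildcard, the signature names and the sample files are all my own constructions, since the page does not show VirusDetective's real string syntax.

```python
import os
import re
import tempfile

# Constructed, hypothetical search-string file in a simple "name: pattern"
# format of my own (VirusDetective's real syntax is not shown on the page).
# "?" in a pattern matches any single byte, the "alternate" style that still
# catches a single-byte mutation of the exact string; everything else is literal.
SEARCH_STRINGS_FILE = """
# exact strings
SampleVirus-A: SAMPLE_VIRUS_A
SampleTrojan-B: SAMPLE_TROJAN_B
# alternate (wildcard) string: slower, but also catches single-byte variants
SampleVirus-A-alt: SAMPLE_V?RUS_A
"""


def parse_search_strings(text):
    """Parse 'name: pattern' lines into {name: compiled bytes regex}.
    Blank lines and '#' comments are ignored, as in the constructed file above."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, pattern = line.partition(":")
        raw = pattern.strip().encode()
        # escape every byte literally, then turn the '?' wildcard into "any one byte"
        parts = [b"." if raw[i:i + 1] == b"?" else re.escape(raw[i:i + 1])
                 for i in range(len(raw))]
        sigs[name.strip()] = re.compile(b"".join(parts), re.DOTALL)
    return sigs


def scan_file(path, sigs):
    """Return the names of every search string found in the file's raw bytes."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, rx in sigs.items() if rx.search(data)]


def scan_folder(root, sigs, log_path=None, log_all=False, overwrite=False):
    """Walk root and scan every regular file. Returns a summary dict with
    'checked' (files scanned), 'matches' ({path: [names]}) and 'errors'
    (files that could not be read). The log, if requested, records either
    every file or only matching files, and is never silently overwritten."""
    if log_path and os.path.exists(log_path) and not overwrite:
        raise FileExistsError(f"log exists, refusing to overwrite: {log_path}")
    summary = {"checked": 0, "matches": {}, "errors": []}
    lines = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            try:
                hits = scan_file(path, sigs)
            except OSError as exc:
                summary["errors"].append(path)
                lines.append(f"ERROR {path}: {exc}")
                continue
            summary["checked"] += 1
            if hits:
                summary["matches"][path] = hits
                lines.append(f"MATCH {path}: {', '.join(hits)}")
            elif log_all:
                lines.append(f"CLEAN {path}")
    # the two summary lines of section 4.d, here as one line plus the error count
    lines.append(f"Check complete: {len(summary['matches'])} matching file(s), "
                 f"{summary['checked']} file(s) checked, "
                 f"{len(summary['errors'])} could not be checked")
    if log_path:
        with open(log_path, "w") as log:
            log.write("\n".join(lines) + "\n")
    return summary


def demo():
    """Build a constructed folder (one clean file, one exact hit, one mutated
    variant, one trojan) and scan it with a full log. Returns (summary, root, log)."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample files, not real malware
        "clean.txt": b"nothing to see here",
        "infected.bin": b"\x00\x01SAMPLE_VIRUS_A\xff",
        "variant.bin": b"prefix SAMPLE_VXRUS_A suffix",
        "trojan.bin": b"SAMPLE_TROJAN_B",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    sigs = parse_search_strings(SEARCH_STRINGS_FILE)
    log = os.path.join(root, "scan.log")
    return scan_folder(root, sigs, log_path=log, log_all=True), root, log


if __name__ == "__main__":
    result, root, log = demo()
    print(result)
    print(open(log).read())
```

The wildcard string is the point of section 4.f: the exact string "SAMPLE_VIRUS_A" misses the variant file, the "?" form catches both, and the cost is one regular-expression search per string instead of a plain substring search. Note, as in section 6.a, that the scanner only reports; cutting the matched bytes out of a file would not restore it to its pre-infection state, so the clean backup remains the real remedy.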