Date:    Fri, 16 Aug 91 15:24:37 MDT
From:    Chris McDonald ASQNC-TWS-R-SO
Subject: Revised Product Test for VIRx -- Version 1.7

*******************************************************************************
PT-41
July 1991
Revised August 1991
*******************************************************************************

1. Product Description: VIRx is a copyrighted program written by Ross M. Greenberg to detect computer viruses and malicious programs. VIRx is the detection portion (VPCScan) of the commercial protection program VIREX-PC (reference PT-23, revised May 1991).

2. Product Acquisition: The program is free. Mr. Greenberg has made it available on many bulletin boards and software repositories, to include the MS-DOS repository on simtel20 [192.88.110.20]. The current path on simtel20 is pd1:virx17.zip.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

   a. I acquired versions 1.5 through 1.7 of VIRx from the simtel20 MS-DOS repository. Mr. Greenberg provided the programs directly to our repository manager.

   b. Product tests occurred on the following systems: (1) Unisys 286 PC, Model 3137, MS-DOS 3.10, 512K; and (2) Unisys 386 PC, Model PW 820-F, MS-DOS 4.01, 8MB.

   c. Version 1.7 contains viral definitions for 543 known viruses, variations and malicious programs. VIRx claims to identify 96% (i.e., 28 out of 29) of those viruses characterized as "common" by Patricia Hoffman in her HyperText Virus Summary List, 25 July 1991.

   e. Although I do not have code for all the malicious programs which VIRx claims to detect, it did identify 60+ viruses, variations, and trojan horses in my possession. Version 1.7 did identify copies of the Virus-101 research virus in my possession. This addresses an anomaly discussed in the product test of version 1.6. Mr.
Greenberg in the whatsnew file has included this statement: "All the viruses that could sometimes escape detection, such as the 'research' Virus-101, are now caught".

   f. One invokes the VIRx program by the syntax "virx [drive specification]" or for example "virx c:\". By default the program will only scan files with known executable extensions, such as .com and .exe. The more significant options include switches to scan only a specified or a default directory; to scan the entire contents of a file or a "long" scan; to scan all types of files not just those with executable extensions; to record the results of a scan operation in a log file; and to scan memory above 640K to just under 1 Megabyte.

   g. I tested all these options which functioned as described in the documentation file. The only false positive or conflict which I found in running VIRx against other detection programs was that it identified two executable programs within the commercial program ViruSafe as infected with the "Stoned-A (New Zealand 1)". I did test for conflicts against Viruscan, Avsearch, Virucide, F-PROT, Virex-PC, ViruSafe, Norton Anti-Virus, IBM Anti-Virus Product, TbScan, and Central Point Anti-Virus.

5. Product Advantages:

   a. VIRx appears to provide excellent detection capabilities at no cost.

   b. The operation of the program is simple. VIRx is one of the fastest, if not the fastest, detection program available at this time.

   c. The author of the program has established a credible reputation for his work.

6. Product Disadvantages:

   a. Free programs may not always be free. Microcom has a marketing interest in encouraging users to migrate from the free detection program to its more comprehensive commercial program Virex-PC. One cannot predict how long Mr. Greenberg or the vendor will allow users the free use of one-third of its commercial program.

   b. VIRx is a detection program only. Users will need some other program for disinfection and prevention capabilities.

   c.
There is naturally no formal technical support for the product. While it is possible to contact Mr. Greenberg over the Internet, Microcom will only support the "complete version of the VIREX-PC program".

7. Comments:

The National Computer Security Association has issued a report "Virus Scanners: An Evaluation", dated March 4 1991. The report evaluates an earlier version of the VPCScan element of VIREX-PC. While it would be unfair to make a direct comparison between the VPCScan evaluation and this product test of version 1.7 of VIRx, a reader can obtain additional information and confirmation of its detection capabilities.

VIRx documentation for the last several versions states that the program will warn a user when it becomes "outdated". This is a welcome change from the first version in which the program would cease to function on a specified cut-off date. The notification will alert a user to the need to obtain an update.

A final observation is that, while Mr. Greenberg has issued versions 1.4, 1.5, 1.6, and 1.7 of VIRx, I as a registered user of VIREX-PC have yet to receive any notification from Microcom of an actual upgrade to the commercial product. Registration, according to the literature, should result in automatic notifications of all revisions when they become available.

Mr. Greenberg sent me an electronic message after this original product test was posted to Virus-L suggesting that I contact Microcom directly. I did this during the week of 5 August. A Microcom representative advised me that the commercial product was under major design changes, and that my last update to version 1.2 was the most current. This reinforces Mr. Greenberg's documentation which suggests that one use VIRx in conjunction with the current version of the commercial program. It also means that one must have other programs for disinfection until such time as the upgrade to the commercial program reaches the same level of VIRx.

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   DATE            PRODUCT

PT-3                  November 1989   VIRUSCAN (Revised February 1991)
PT-5                  December 1989   VIRUS BUSTER
PT-11                 June 1990       ANTI-VIRAL SEARCH, 2.24 (Revised February 1991)
PT-12                 June 1990       VIRUCIDE (Revised August 1991)
PT-17                 August 1990     F-PROT (Revised May 1991)
PT-23                 March 1991      VIREX-PC (Revised May 1991)
PT-24                 July 1991       VIRUSAFE
PT-28                 February 1991   NORTON ANTIVIRUS (Revised 12 February 1991)
PT-34                 April 1991      IBM ANTI-VIRUS
PT-36                 June 1991       CENTRAL POINT ANTI-VIRUS

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]