Subject: Review of Certus LAN (PC)
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Date: Thu, 02 May 91 21:20:48 PDT

Coincidentally, there was a recent request for information on Certus just as I was finishing this ...

Comparison Review

Company and product:

Certus International
13110 Shaker Square
Cleveland, Ohio 44120
USA
216-752-8181
fax 216-752-8188
800-722-8737
Certus LAN version 2.0

Summary: Scanning, change detection and operation restricting software, particularly for LANs.

Cost

Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
      Installation           1
      Ease of use            3
      Help systems           3
Compatibility                2
Company
      Stability              2
      Support                3
Documentation                2
Hardware required            3
Performance                  2
Availability                 3
Local Support                ?

General Description:

A suite of programs and utilities to provide for security and hard disk integrity, with special attention paid to compatibility with LAN systems. Most important are CERTUS, resident change detection and operation restricting; CERTUSVS, signature scanning; QUICK, program approval/verification and attribute setting utility; and BOOTLOCK, protection of the hard disk against password access bypass or boot sector infection from booting off a floppy. VSRES, stated to be a resident signature scanning program, was not available in the package received for review. A number of other utilities verify or safeguard system areas or CMOS, and the system will provide a "Critical disk" to help recover from hard disk failures.

Comparison of features and specifications

User Friendliness

Installation

Disks are shipped write protected, but on writable disks. Files on the disk are marked with the read-only attribute. Directions in the documentation are to give the command INSTALL CERTUS. When installing to a disk for which the defaults are not appropriate this gives an error message regarding disk space, along with the injunction to "Press any key: Install will terminate". The program does not terminate unless the ESC key is pressed.
Although the system requirements are stated to be only one floppy drive for installation, the program will not install onto a floppy drive.

The documentation states that "default" installation and operation of CERTUS is for security level 3, which means that "new or modified" programs will generate an alert, but the user has the option of allowing them to run. This is not the case: by default CERTUS apparently runs at security level 1 and will not allow any "new" program to run, including programs from the Certus package. This allows the possibility of "locking up" the system on installation.

Although non-standard installation of Certus should not be attempted by other than experienced personnel, the problem of installation in a large and disparate user environment has been addressed in the form of a "clone" installation option, whereby a specialised installation can be made once and then "copied" to subsequent machines. The documentation states that installation is possible with as little as 50K of free disk space, but the specifics of how each program operates, and whether each program is necessary, are not explained clearly enough in the documentation to make this a simple operation, even for skilled personnel.

Ease of use

All programs in the package can be run with command line switches, even those that are interactive and present windows and menus. This dual access is much appreciated by experienced users. Options and defaults in the interactive programs, however, are not always well chosen, and the features and implications of some choices will not always be clear to naive users (cf. the choice of "Quick" scanning as the default in CERTUSVS).

Help systems

Onscreen help is available for any interactive program in the package through the F1 key. Help is context sensitive, but cannot be obtained for the package as a whole.

Compatibility

The package is said to be compatible with Windows 3, but this "compatibility" is strictly limited.
The resident portion of the program will pass an alert to Windows, and Windows will generate an error message before an infected file is run, but the message to the user will only state that an unknown error has occurred before the attempt to run the program is aborted.

Any utility software which attempts direct disk writes will come into conflict with CERTUS, and Certus therefore suggests that any such programs be run from batch files which disable CERTUS operations for the duration of the utility program. As protection levels are set "globally" and cannot be determined for individual programs, this is the only means of running programs which use direct disk writes, or "self-modifying" programs such as Word Perfect (which would otherwise be prevented from running because of being "altered"). This leaves a security hole for the infection of such programs.

One function of the program is "validity checking" of known "good" program signatures (whether these are checksums or CRCs is not made clear). The "Certus Blue Disk" contains a file of shareware signatures which is said to be updated quarterly. Of the ten programs I checked for, six were unknown to the program, and of the remaining four (CED, MS/PC/KERMIT, SCAN and LIST), none of the entries matched any of the versions I have.

Company Stability

Certus is apparently the successor to FoundationWare. Certus currently has a significant presence in security/integrity software, particularly in LAN installations. The company is presently sponsoring research into the size of the virus problem.

Company Support

Technical support phone numbers are listed for voice, fax and BBS.

Documentation

Certus' hardcopy documentation is well written and uses an appealing and effective layout. While the content and progression should be easily understandable by a naive computer user, the size of the manual would be daunting.
For experienced users the lack of explanation of certain injunctions and the "delay" in explaining operations (the individual programs are explained towards the back of the manual) is frustrating. The necessary "positioning" of the commands which call the various programs from CONFIG.SYS and AUTOEXEC.BAT is never discussed for some of the programs, and what discussion there is must be searched for in various locations in the manual. This is a pity, since the strengths of the package require well informed installation and choice to be most effective.

The disk documentation file (README.CTS) is stated in the hardcopy documentation to be, variously: special instructions for installation on infected systems, a "bare bones" installation procedure, and the latest information on the program. The file contained with my version did contain some changes, but was primarily concerned with omissions from the printed manual and problems with Windows compatibility.

Hardware Requirements

While the box and documentation state that a minimum of one floppy drive is required for installation, default installation requires a hard disk with at least one megabyte of free space.

Performance

CERTUS will not, of course, prevent infection of the computer memory or hard disk by booting from a boot sector infected floppy disk. CERTUS does provide checking for direct disk writes, and so in theory is able to prevent the spread of boot sector infectors even when the computer is infected, but in practice this is, by default, limited to the hard disk. Therefore, CERTUS does not, by default, protect against the spread of infection by such viral programs as "Stoned" and, in testing, did not do so.

The security "hole" provided by booting from an infected floppy disk is said to be covered by the use of the CHKBOOT and BOOTLOCK programs. CHKBOOT checks the boot sector at startup and compares it with a stored copy of the boot sector as it was at installation.
This, of course, does not address the problem of an existing boot sector infection at the time of installation, nor would it suffice to catch a "stealth" boot sector infection.

The BOOTLOCK program promises considerably more. It is stated to, once installed, run "before any other part of DOS or the operating system is loaded, and before any part of the hard disk boot-up has been performed." This, together with the statement that BOOTLOCK prevents booting from the A: drive, indicates a replacement of the partition boot record, and possibly a non-standard formatting of the hard disk system areas. I must admit that at this point my nerve gave out: BOOTLOCK will not be fully tested until I have access to a redundant hard drive.

(Certus is not very forthcoming about the dangers inherent here. The closest they come to admitting that you can be locked out of your own computer is in the statements "... [if] you lose ... your passwords ... [Certus] will not be useful in gaining access to your computer ... " (p. 142) and "Losing your password can be very unforgiving if your system is fully secured with Certus and BOOTLOCK." (p. 148) Caveat emptor.)

The CERTUSVS scanning program is exceptionally slow, particularly when checking memory. (So much so that during testing several runs were aborted by rebooting under the mistaken impression that the program had "hung". Scanning 640K of memory on an original IBM PC will take over 20 minutes.) When an infected program is detected, the screen is "shifted" up one line, then a second (never more than two), and never corrected, so that it becomes difficult to read. Also, of the scanning programs reviewed so far, CERTUSVS has the poorest record for identifying viral infections, identifying just over half of the relatively common infections presented to it.
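The CHKBOOT comparison described above (a copy of the boot sector stored at installation and compared against the sector read at each startup) and the two gaps noted with it, an infection already present when the baseline is taken and a "stealth" infector, can be modelled in a few lines. What follows is an added example written for this page, not Certus code: the sector images, the Disk class and its stealth hook are constructed stand-ins for a real disk and for a resident virus that intercepts the BIOS disk-read service, and SHA-256 stands in for whatever checksum the product actually stores.

```python
import hashlib

SECTOR_SIZE = 512


def make_sector(body: bytes = b"") -> bytes:
    """Build a constructed 512-byte 'boot sector': jump + OEM header, zero
    padding, an optional body and the 0x55AA signature.  A stand-in for a
    real sector, not an image of any actual disk."""
    header = b"\xeb\x3c\x90MSDOS5.0"
    padding = SECTOR_SIZE - len(header) - len(body) - 2
    if padding < 0:
        raise ValueError("body too large for a sector")
    return header + b"\x00" * padding + body + b"\x55\xaa"


CLEAN_SECTOR = make_sector()
INFECTED_SECTOR = make_sector(b"<constructed infector stub, not real virus code>")


class Disk:
    """Minimal model of a hard disk seen through the BIOS read service.

    A stealth boot-sector infector hooks that service and answers reads of
    the boot sector with the clean copy it saved when it infected the disk,
    so an integrity checker running under the infected system sees nothing
    wrong.  That behaviour is modelled by the stealth_hook flag."""

    def __init__(self, sector: bytes) -> None:
        self.sector = sector          # what is really on the disk
        self.saved_original = sector  # what a stealth virus would hand back
        self.stealth_hook = False     # True while a stealth virus is resident

    def infect(self, new_sector: bytes, stealth: bool = False) -> None:
        self.saved_original = self.sector
        self.sector = new_sector
        self.stealth_hook = stealth

    def read_boot_sector(self) -> bytes:
        return self.saved_original if self.stealth_hook else self.sector


def take_baseline(disk: Disk) -> str:
    """CHKBOOT-style install step: record the boot sector as it is now."""
    return hashlib.sha256(disk.read_boot_sector()).hexdigest()


def boot_sector_unchanged(disk: Disk, baseline: str) -> bool:
    """CHKBOOT-style startup check: does the sector still match the baseline?"""
    return hashlib.sha256(disk.read_boot_sector()).hexdigest() == baseline


def run_scenarios() -> dict:
    """Exercise the checker against the cases discussed in the review."""
    results = {}

    # 1. Clean at install, ordinary (non-stealth) infection later: caught.
    disk = Disk(CLEAN_SECTOR)
    baseline = take_baseline(disk)
    disk.infect(INFECTED_SECTOR)
    results["later_infection_detected"] = not boot_sector_unchanged(disk, baseline)

    # 2. Already infected when the baseline is taken: the infection is
    #    enshrined as 'known good' and is never reported.
    disk = Disk(INFECTED_SECTOR)
    baseline = take_baseline(disk)
    results["preexisting_infection_detected"] = not boot_sector_unchanged(disk, baseline)

    # 3. Stealth infection after a clean baseline: every read of the sector
    #    is answered with the saved original, so the hash still matches.
    disk = Disk(CLEAN_SECTOR)
    baseline = take_baseline(disk)
    disk.infect(INFECTED_SECTOR, stealth=True)
    results["stealth_infection_detected"] = not boot_sector_unchanged(disk, baseline)

    # 4. Same disk checked after booting from a known-clean, write-protected
    #    floppy, so the virus and its hook are not resident: now caught.
    disk.stealth_hook = False
    results["stealth_detected_after_clean_boot"] = not boot_sector_unchanged(disk, baseline)

    return results


if __name__ == "__main__":
    for name, detected in run_scenarios().items():
        print(f"{name:40s} {detected}")
```

Scenario 4 is the point a practitioner wants: a baseline comparison is only as good as the environment it runs in, so the sector should be read after booting from known-clean, write-protected media, and the baseline itself should be taken on a machine that has already been verified clean by other means.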
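CERTUSVS's default "Quick" mode examines only the first and last 2K of each file. The following added example (mine, not CERTUSVS code) puts a windowed scan beside a full scan on constructed files to show which infection layouts the window misses. The 2K figure is the one the review gives; the signature bytes, the host "program" and the infection layouts are constructed for illustration, and no real virus signature is used.

```python
WINDOW = 2048  # the first-and-last-2K window the review describes

# Constructed signature: a DOS 'mov ah,4Ch / int 21h' exit sequence followed
# by an ASCII marker.  A stand-in, not the signature of any real virus.
SIGNATURES = {
    "constructed-appender": b"\xb4\x4c\xcd\x21CONSTRUCTED-APPENDER-SIG",
}


def scan_region(region: bytes, offset: int = 0) -> list:
    """Return (name, file_offset) for every signature occurrence in region."""
    hits = []
    for name, sig in SIGNATURES.items():
        pos = region.find(sig)
        while pos != -1:
            hits.append((name, offset + pos))
            pos = region.find(sig, pos + 1)
    return hits


def full_scan(data: bytes) -> list:
    """Scan the whole file."""
    return scan_region(data)


def quick_scan(data: bytes, window: int = WINDOW) -> list:
    """Scan only the first and last `window` bytes, as the default mode does.
    Head and tail are scanned separately so a match cannot straddle the
    seam; a signature straddling a window edge is missed, exactly as a real
    windowed scan would miss it."""
    if len(data) <= 2 * window:
        return scan_region(data)
    head = scan_region(data[:window])
    tail = scan_region(data[-window:], len(data) - window)
    return head + tail


# Constructed 8 KiB 'program': an MZ header followed by NOPs.
HOST = b"MZ" + b"\x90" * 8190
SIG = SIGNATURES["constructed-appender"]

SAMPLES = {
    "clean": HOST,
    # Signature within 2K of the start: found either way.
    "prepender": SIG + HOST,
    # Signature within 2K of the end: found either way.
    "short_appender": HOST + SIG,
    # Appended body of 3000 bytes with its signature at the start of the
    # body, i.e. more than 2K before end-of-file: quick scan misses it.
    "long_appender": HOST + SIG + b"\xcc" * 3000,
    # Overwriting infector whose signature lands in the middle of the host.
    "mid_file_overwrite": HOST[:4000] + SIG + HOST[4000 + len(SIG):],
}


def compare_modes() -> dict:
    """For each sample: (quick scan found it?, full scan found it?)."""
    return {name: (bool(quick_scan(data)), bool(full_scan(data)))
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (quick, full) in compare_modes().items():
        print(f"{name:20s} quick={quick!s:5s} full={full}")
```

The two misses are the cases the review warns about: an appender whose body runs more than 2K past the point where its signature sits, and an overwriter that lands in the middle of the host. Anything not within the window is invisible to the quick mode regardless of how good the signature database is.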
An unusual feature, in a scanning program, is that by default it checks only the first and last 2K of any file, and therefore will only find an infection whose signature happens to fall within 2K of the beginning or end of the file; appenders, prependers or overwriters whose signature lies further from either end are missed. CERTUSVS does not provide any disinfection functions other than an overwriting deletion.

Local Support

None available.

Support Requirements

Basic installation of the program is possible for a naive user, but problems are likely if the defaults, as initially obtained with the package, are used. Installation by experienced support personnel will give best results, but even sophisticated users will require a period of thorough testing of the product before the system can be used on a trouble free basis. The more advanced (and secure) features definitely require supported installation to ensure that the user isn't "painted into a corner" and locked out.

General Notes

The documentation makes many claims which give the impression that the Certus package is a complete disk and computer management system, and that other utilities are unnecessary. The problem with running other utility software is constantly downplayed. The protection provided by the program, while potentially very powerful, is overplayed to the point of being inaccurate. (For example, the documentation states that file attributes cannot be set or altered except through the use of the QUICK program.) Also, the documentation emphasizes the utility of the "Critical Disk", which will be helpful in recovering a lost boot sector or MBR/PBR, but will not help in the case of a "hard failure."

The package potentially provides significant protection against viral program attacks, but possibly at the cost of functionality of the computer system. Careful installation should alleviate most problems. A period of testing and tuning of the installation should be provided for before the installation is considered complete.

copyright Robert M. Slade 1991   PCCERTUS.RVW   910502

=============
Vancouver      p1@arkham.wimsey.bc.ca    | "Don't buy a
Institute for  Robert_Slade@mtsg.sfu.ca  | computer."
Research into  (SUZY) INtegrity          | Richards' First
User           Canada V7K 2G6            | Law of Data
Security                                 | Security