Subject: Review of SafeWord Virus-Safe (PC)
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Date: Thu, 23 May 91 11:54:27 PDT

I believe there was a recent announcement by Bob Bosen of version 2.0, but he has had this review for over a week now and I haven't heard anything back.

Comparison Review

Company and product:

Enigma Logic Inc.
2151 Salvio Street, #301
Concord, CA 94565
USA
Tel: (415) 827-5707
FAX: (415) 827-2593
Internet: 71435.1777@COMPUSERVE.COM
SafeWord Virus-Safe release 1.12 (900831)

Summary: Change detection software.

Cost: not stated

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      3
            Ease of use       4
            Help systems      3
      Compatibility           3
      Company
            Stability         3
            Support           2
      Documentation           2
      Hardware required       4
      Performance             3
      Availability            2
      Local Support           ?

General Description:

SafeWord (R) Virus-Safe 1.12 is a manual or TSR program file checking package based upon signatures which the program calculates when installed. Signature algorithms can include a DES or MAC based calculation. Enigma Logic makes similar programs for various mini and mainframe operating systems. As suggested by this association and the documentation, SafeWord is best used in a managed environment. The package is, however, simple enough to give significant protection to a naive user.

Comparison of features and specifications

User Friendliness

Installation

The disk received was not write protected.

The installation procedure first specifies the creation of a "sterile kernel diskette", and warns you not to execute any programs that might be infected while this diskette is in the drive. However, the procedure, as specified in the SafeWord Virus-Safe User Guide (Release 1.0, July 1989), does not give any indication as to how one might be able to deal with any existing viral infection. The procedure does warn against using the "sterile kernel diskette" for any other purpose, but does not mention write protecting it.
The procedure also indicates that the sterile diskette should be prepared before installation onto the system. This would seem to indicate that the sterile diskette will be using the "check signatures" stored on the system, and not "offline". Preparation of the sterile diskette is not part of the automated installation, although the directions given do not indicate why it could not be.

Automated installation is suggested to be invoked from the A: drive, but can be performed from, and to, any drive, including floppy diskettes. The installation process is fairly standard, creating a subdirectory and copying files. At one point it asks for a "seed phrase" in order to ensure that check signatures differ for each machine that the program is installed on. Given the sophistication of the signature generation contained in the package, this may seem to be overkill, but it does provide an additional measure of security. Default automated installation should not take more than 10 minutes on any machine.

Although the installation program is stated to deal with the CONFIG.SYS and AUTOEXEC.BAT files, when installing onto a floppy boot disk system it will not. Nor does it check or create signatures for the system areas. A brief manual installation procedure is listed, which will allow non-standard installations, but it still does not provide security to the system areas of floppy diskettes.

SafeWord starts, by default, in "Learn" mode, which means that minimal installation can be performed. Once the SafeWord package is installed and operating, it will query each "new" program the first time it is invoked.

(The package also contains a batch file for removal or de-installation of the program, and this is simply, elegantly and thoughtfully designed.)

Ease of use

Default installation and operation is extremely easy, and should be able to be performed by almost any user without introduction or even reference to the manual.
The "Learn" mode is very self-explanatory to the user, and even gives some direction on the choice of the security level (in terms of the trade-off between sophistication of checking and time required for analysis). Of all programs evaluated so far, SafeWord offers the best on-screen information regarding the problems detected, and the options available to the user.

The command line switches, which allow for a greater variety of security checking, are not prompted for, or accessible aside from the command line, but would generally be used by more experienced personnel in any case.

Help systems

There are no help systems per se, but the menus and prompts should be very clear to the user.

Compatibility

The program requires minimal hardware. In testing, it did not conflict with any other resident programs, although the documentation does suggest running SWVSAFE.COM after all other device drivers in the CONFIG.SYS file if invoked from CONFIG.SYS. Interestingly, invoking the SWVEDIT program while the Jerusalem-B virus is resident in memory caused a "divide overflow" error (invoking SWVSAFE with Jerusalem resident did not).

If a change in a program is detected on invocation, SafeWord will not arbitrarily shut operation down, as do many other programs, but explains the change detected, and presents the various options that could have caused the change. It also allows the option to update the checklist file. This feature makes SafeWord much more compatible with programs like Word Perfect which make changes to their own program code when making configuration changes, and with "active" computer environments where configuration changes are frequent.

As the program relies on change detection only, protection against "stealth" viri would be problematic.
The ability of the program to check files either at boot time or on invocation would allow for an assortment of files to be checked at boot time, and give some probability of detection of the infection before the stealth virus had a chance to become resident and circumvent the checking. In the case of infection of the boot sector, or infected programs run before SWVSAFE was invoked, the package would not provide any protection.

Tests against "spawning" viral activity (the renaming of a small .COM file to the same filename as a larger .EXE file and marking it as hidden) show that an aware user would have indications of a problem. The first time the .EXE file is "infected", SWVSAFE.COM will bring up the alert screen stating that the .COM program is not registered. On subsequent runs, the small "checking" window will show up twice as both the .COM and .EXE file are run. (This is only if the self-check alert window has not been "turned off". It also depends upon the alertness of the user: I am certain that most people can bring to mind users to whom this phenomenon would not seem the least bit bothersome.)

Company Stability

Unknown, but the production of products for multiple platforms indicates a good presence in the market.

Company Support

Aside from the address and phone number for the company listed in the documentation, Bob Bosen is a contributor to the VIRUS-L/comp.virus list. The package I received did not contain any means of "registering" the program, nor did I receive any direct notice of an update which was announced by Bob Bosen on VIRUS-L during the time that I was evaluating the program.

Documentation

The only piece of documentation that was received with the package was the SafeWord Virus-Safe User Guide (Release 1.0, July, 1989). A README.TXT file was included on the disk dated January 30, 1990, although the program files were dated August 31, 1990.
The README.TXT file did not refer to any version number or date, but a file called SWVSVERS, created when the program was installed, identifies it as version 1.12. The documentation also refers to SafeWord PC-Safe and PC-Safe II User and Supervisor Guides, although this appears to be data encryption software (the documentation is not completely clear).

The indications in the manual are that the program is intended to be used in a managed environment, and the structure of the manual is written with this in mind. Sections one and two deal with an overview of the program and background information on viral programs and file image signatures. As the manual is quite small, these sections do not contain much significant information, but they would be of interest to a computer user at the supervisory or support level. They would not, however, be of much interest to a naive user. Given the ease of use and standard installation, a reordering of the contents to place section 3.2 (Automated Installation) at the beginning would make this package suitable to a much wider market.

The manual is, otherwise, fairly clear and would not be threatening to a novice. The one area of concern, as mentioned earlier, is the procedure for the making of a "sterile" diskette, and this could be noted as an area best left for support staff or knowledgeable users.

Hardware Requirements

Does not require special hardware, but does not make provisions for the protection of system areas for floppy diskettes.

Performance

There does not seem to be a "linear" measure of how fast a file is checked. Checking of a 28K .COM file takes about 10 seconds while a 30K .EXE takes 20 seconds (on a 10 MHz PC). An "analysis" of Word Perfect 4.2 (WP.EXE, 267K), at the highest "security" level (ANSI X9.9/DES) took more than a minute, while the delay in invoking the program subsequently was about twice that (this on a program which takes 30 seconds to load).
Because the program does not check the system areas of floppy diskettes, there is no protection against boot sector viri on floppy drive only systems.

Local Support

None specified.

Support Requirements

The package could, unsupported, provide significant protection to any user. With more experience, or a greater level of support, further protection can be realised.

General Notes

In its current state, the program provides strong protection against viral infections of program files and non-stealth boot sector infections of hard disk systems. Used in conjunction with other types of antiviral programs, it would provide significant protection in all types of computing environments, and for all levels of computer users.

Provision of checking of system areas for floppy disks, and possibly checking of system memory configuration, use and interrupts would likely strengthen the product.

copyright Robert M. Slade, 1991   PCSAFWRD.RVW   910513

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca |  computer, don't
Research into  (SUZY) INtegrity         |  turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security
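
Added example, not part of the original review and not Enigma Logic's code: a small keyed change detector illustrating three behaviours the review describes, namely the install-time seed phrase that makes signatures machine-specific, the "Learn" pass that registers programs, and the way an unregistered .COM beside a registered .EXE shows up. HMAC-SHA-256 and PBKDF2 are stand-ins for the product's DES/MAC signatures, and every function name, file name and file content here is constructed for illustration.

```python
import hashlib, hmac, os, tempfile
from pathlib import Path

def derive_key(seed_phrase):
    # Assumption: PBKDF2 stands in for however the product uses its seed phrase.
    return hashlib.pbkdf2_hmac("sha256", seed_phrase.encode(), b"demo-salt", 50_000)

def signature(path, key):
    # Keyed MAC over the whole file image (stand-in for the DES-based MAC).
    return hmac.new(key, Path(path).read_bytes(), hashlib.sha256).hexdigest()

def programs(directory):
    return sorted(n for n in os.listdir(directory) if n.upper().endswith((".COM", ".EXE")))

def learn(directory, key):
    # "Learn" pass: register every program file currently present.
    return {n: signature(os.path.join(directory, n), key) for n in programs(directory)}

def check(directory, key, baseline):
    present, findings = programs(directory), []
    for name in present:
        stem, ext = os.path.splitext(name)
        if name not in baseline:
            # A new .COM with the same stem as an existing .EXE would run first under DOS.
            shadows = ext.upper() == ".COM" and stem + ".EXE" in present
            note = "unregistered; shadows " + stem + ".EXE" if shadows else "unregistered"
            findings.append((name, note))
        elif not hmac.compare_digest(baseline[name], signature(os.path.join(directory, name), key)):
            findings.append((name, "changed"))
    return findings + [(n, "missing") for n in sorted(set(baseline) - set(present))]

def demo():
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in files, not real programs.
        Path(d, "WP.EXE").write_bytes(b"MZ" + bytes(64))
        Path(d, "EDIT.COM").write_bytes(b"\xc3")
        key = derive_key("constructed seed phrase, machine A")
        baseline = learn(d, key)
        clean = check(d, key, baseline)
        Path(d, "WP.COM").write_bytes(b"\xc3")        # new .COM beside a registered .EXE
        Path(d, "EDIT.COM").write_bytes(b"\x90\xc3")  # registered file modified
        flagged = check(d, key, baseline)
        other = signature(os.path.join(d, "WP.EXE"), derive_key("machine B"))
        return clean, flagged, other != baseline["WP.EXE"]

if __name__ == "__main__":
    print(demo())
```

Because the baseline in this sketch lives wherever the caller keeps it, the review's point about the sterile diskette applies directly: a baseline stored on the checked system is only as trustworthy as that system.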