Date: 02 Jun 1994 14:21:59 -0600 (MDT)
From: Chris McDonald
Subject: Information Systems Security Update, # 94-10
To: orvis@icdc.llnl.gov
Cc: krvw@agarne.ims.disa.mil

# 94-10

Contents

   SPA Training
   Network Intrusion Detector (NID)
   Virus Product Review - Another Opinion
   CD-ROM from American Eagle - Viruses Galore

1. The Software Publishers Association (SPA) has begun a 50 city tour to present a one day class entitled "Certified Software Manager". The class aims to assist in "getting legal" for software compliance by teaching the principles of software asset management. Completion of the class is the first step in SPA's goal to create a new computer speciality, the Certified Software Manager. Attendees must then pass a one-hour examination administered by Drake Training and Technologies for certification. The cost of the class is $395.00. One may contact SPA at 202-452-1600 for additional information and reservations.

2. At the recent DOE Annual Computer Security Training Conference there was an update on the Network Intrusion Detector (NID). The Computer Security Technology Center at LLNL is now supporting the package, which detects malicious activity over a network. The target environment is Unix at this time. The information release flyer states that NID requires a Sun SPARCstation with Sun OS 4.x, 8MB RAM and 100MB to 1GB available disk space. NID is available to the DOE and DoD communities by contacting Robert Palasek, LLNL, palasek@llnl.gov or telephone 510-422-8527. Other government agencies should contact Doug Mansur, CSTC, at cstc@llnl.gov. If you would like a copy of the flyer, send me your fax number.

3. The July 1994 edition of "MacWorld" has an article by Bruce Schneier on "Virus Killers" for Macintosh platforms. Mr. Schneier has written extensively on DES-based and Public Key encryption schemes, particularly those implemented in software.

In the article he discusses results on testing of four products against MacWorld's virus collection. The products include Disinfectant, MacTools, SAM and Virex. Since I have produced test reports on these programs, I feel qualified to comment and to disagree with some of his conclusions and recommendations.

First, he misses the point that he is in several instances comparing apples and oranges (no pun intended). There is a significant difference between checksums and monitoring for suspicious or potential malicious code activation. I do not believe this point receives the necessary emphasis.

Second, I have been recommending for years that an enterprise requires more than one product for an effective program. No direct mention of this appears in the article.

Third, the selection of Virex because of speed and of price may be debatable. For example, as a registered user of Virex, I can receive detection string updates, but must pay for the removal/disinfection capability. SAM, on the other hand, provides both detection strings and removal/disinfection capabilities to registered users without an additional cost. There is little information available from Datawatch, the producer of Virex, on any potential tradeoffs between speed and the detection of modified variants of known Macintosh viruses. I have seen the speed against my test suite, which closely parallels the MacWorld collection, but am not qualified to comment on whether subtle variations in known viruses might escape detection. While all anti-virus tools have to make compromises on the detection of known virus signatures and scanning efficiency, Mr. Schneier's recommendation would have greater credibility if he had conducted additional tests. The reality is that I use all the products discussed and recognize the strengths and limitations of each, but I would hesitate to say that any product is necessarily better than another.

4. I obtained the CD-ROM advertised by American Eagle Publications to contain actual live viruses. The CD-ROM contains 14 major directories, one of which is named "Live-Vir". This directory contains 4318 files, 3788 of which are executable. I ran the latest version of F-PROT and TBAV against the executable files only and obtained viral detection alarms for over 3700 known signatures from each of the anti-viral programs. There is another directory named "Testbed" which contains 1000 reiterations of MTE and TPE samples. I ran F-PROT and TBAV against the MTE reiterations and had viral detection alarms for all files from each of the anti-viral programs. There is another directory named "New-Vir" which the documentation identifies as "new and/or undetectable viruses, trojans, and virus-related utilities . . ." When time permits, I will do a cursory review of several anti-viral scanners against this directory's files. I can state that, when Mr. Ludwig has made similar claims in his quarterly CVDQ, existing scanners have detected so-called "new" viruses. While it would take up too much space to discuss all of the remaining directories, one other warrants mention at this time, "Other-OS". It appears this directory contains the code for the Internet Worm, one version of the IBM XMAS Exec, and a DEC VMS critter. The CD-ROM contains more than one advisory on the purpose of the collection as well as injunctions against using the contents of the CD-ROM to spread viruses.

[Disclaimer: Information Systems Security Updates represent the opinions and views of the author, not his employer. Recipients are free to quote all/parts of the ISSU with credit/blame to the author.]