******************************************************************************
                    PT-3    November 1989    Revised July 1992
******************************************************************************

1. Product Description:

VIRUSCAN is a shareware program to detect known viral signatures for IBM PC and compatible computers. If one utilizes the available options, it may be possible to identify the presence of unknown malicious code. This product test revision addresses Version 8.6V93.

2. Product Acquisition:

Viruscan is available from the McAfee Associates bulletin board, from other bulletin boards, and from hosts on the INTERNET, including simtel20 [192.88.110.20]. The registration fee is $25.00 for individual users in a home environment for one year. Site licenses are also available for commercial, government, and university environments. The McAfee Associates board number is 408-988-4004. The mailing address is McAfee Associates, 3350 Scott Boulevard, Building 14, Santa Clara, CA 95054-3107. Registration includes free assistance from McAfee Associates for manually removing any virus found or for information on disinfection utilities. The telephone number for assistance is 408-988-3832.

3. Product Tester:

Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-5172, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I obtained a copy of Version 30 of the product in August 1989 through a download from the MS-DOS repository on the Army host simtel20. The repository manager obtains all McAfee Associates shareware software directly from the vendor. I have continued to download and test each successive version over the last three years. This revision supersedes the September 1991 evaluation test report.

b. Over the last three years I have tested the product on several different MS-DOS platforms, including IBM, Gateway, Unisys, Zenith, NEC, Everex and Wyse systems at versions of MS-DOS 2.11 through 5.0. Documentation states that the program requires a PC with 320Kb and DOS 2.00 or greater. Certain users have reported minor anomalies to the Virus-L Internet discussion group regarding these minimum requirements and with incompatibilities under certain configurations. I have personally experienced no problems in this regard.

c. Although I do not have actual code for every malicious program which Viruscan claims to be able to detect, it continues to have good detection capabilities against a test suite of 605 malicious signatures. The suite includes 73% of the "common" viruses (i.e., 53 of the 71) identified in Patricia Hoffman's latest Hypertext Virus Summary List. The National Computer Security Association and the CARO Center in Europe have published additional reports on the effectiveness of the program against a larger number of test samples. While these reports present slightly different effectiveness evaluations, the reality is that probably 20 viruses and their variants account for 90% to 95% of all reported infections. So measurement against numbers of viruses may be a "red herring" as an exclusive criterion. The VDS Advanced Research Group has posted results to Virus-L (Volume 5, Issue 122) of the program's effectiveness against the Mutation Engine (MtE) contained in the Dedicated and Pogue viruses.

d. With Version 93, options include:

   (1)  /A                  Scan all files
   (2)  /AF filename        Store recovery data/validation codes to file
   (3)  /AG filename        Add recovery data/validation codes to files except those listed in filename
   (4)  /AV filename        Add validation codes to files except those listed in filename
   (5)  /BELL               Beep whenever a virus is found
   (6)  /CERTIFY            List files that do not have a validation code
   (7)  /CF filename        Check for viruses using recovery data/validation codes stored in filename
   (8)  /CHKHI              Check memory from 0Kb to 1088Kb
   (9)  /CG                 Check recovery data/validation codes on file
   (10) /CV                 Check validation codes on files
   (11) /D                  Overwrite and delete infected file
   (12) /DATE               Save the date and time Viruscan was last run
   (13) /E                  Scan overlay extensions
   (14) /EXT filename       Scan using external virus data file
   (15) /FAST               Speed up Viruscan's output
   (16) /FR                 Display messages in French
   (17) /HISTORY filename   Create infection log, appending to old log
   (18) /M                  Scan memory for all viruses
   (19) /MAINT              Scan "invalid media" error (damaged) disk
   (20) /MANY               Scan multiple floppies
   (21) /NLZ                Skip internal scan of LZEXE compressed files
   (22) /NOBREAK            Disable Ctrl-C/Ctrl-Brk during scanning
   (23) /NOEXPIRE           Do not display expiration notice
   (24) /NOMEM              Skip memory checking
   (25) /NOPAUSE            Disable screen pause when scanning
   (26) /NPKL               Skip internal scan of PKLITE compressed files
   (27) /REPORT             Create infection log, deleting old log
   (28) /RF filename        Remove recovery data/validation codes stored in filename
   (29) /RG                 Remove recovery data/validation codes from files
   (30) /RV                 Remove validation codes from specified files
   (31) /SAVE               Save specified command line options as new defaults
   (32) /SHOWDATE           Show date and time Viruscan was last run
   (33) /SP                 Display messages in Spanish
   (34) /SUB                Scan subdirectories under a subdirectory
   (35) @filename           Scan using options under configuration file

e. I verified the functionality of all the options. I did not test the actual strength of the validation codes against all viral samples; nor did I attempt to directly attack the validation algorithms; nor did I attempt any recovery operations. If one uses the validation options, it is important to read the documentation, since there are certain types of files which should not have validation codes added. Validation code options did present two results which perhaps are undesirable in some environments:

   (1) When I changed with a disk editor certain executable files on which I had placed validation codes, Viruscan alarmed: "File has been modified. A virus infection may have occurred". The final report summary at the end of the audit trail log stated: "X file contains a virus". It is actually indeterminate at this point that a viral infection has occurred. An inexperienced user may be misled.

   (2) If one deletes a file with a validation code, Viruscan does not alarm, even when one uses the /AF filename option.

   (3) As more qualified individuals have posted to Virus-L, the program does alarm for "generic" infections. For example, during my tests Version 93 identified the Fish Boot virus as a generic boot infection. It may be important in certain instances to be specific in the classification of a particular viral signature. This generic identification issue appears to have generated Internet readership concern with the release of Version 89.

f. The default scanning extensions are .app, .bin, .com, .exe, .ov?, .pgm, .pif, .prg, .swp, .sys and .xtp.

5. Product Advantages:

a. The product appears to perform as documented.

b. Customer assistance is by all accounts responsive, although the INTERNET has carried comments from a few users who have experienced "busy" telephone lines.

c. Upgrades to the product appear quickly in response to the identification and analysis of "new" viruses as well as to suggestions from users. Electronic distribution is an extremely desirable feature.

d. The search strings for the identification of specific viruses are encrypted to make it more difficult for individuals to modify viruses for the purpose of avoiding detection.

e. McAfee Associates has candidly admitted whenever versions of the product have been "buggy" or have failed to function properly.

6. Product Disadvantages:

a. The product will not prevent an infection from a known viral signature unless a user specifically invokes it against any new piece of software about to be run on a "clean" system. [NOTE: There is a memory resident version of Viruscan, Vshield, which requires a separate registration fee. The resident version, if entered in your autoexec.bat file, will become active each time the system is powered on or re-booted. It will check the critical areas of the system for viral signatures, including itself, and then monitor all program loads.]

b. The product does not have disinfection capabilities. One would need to acquire another McAfee product, Clean, or some other disinfector.

c. The registration fee has increased rather dramatically since 1989. There is at least one government agency and one commercial firm to my knowledge which no longer recommend Viruscan to their respective user communities because of site licensing concerns and the costs associated with obtaining such a license. It is my perception that commercial and government users have to make up the loss of revenue to the vendor from individuals who fail to pay the mandatory registration fee.

d. Since McAfee Associates does not really want to be in the distribution business, those users who want to receive a diskette directly from McAfee will have to pay an additional $9.00 in distribution costs. With a newer version of the product appearing at least once a month, downloading from the McAfee Associates bulletin board or from some other "trusted" source (such as simtel20) is clearly the more desirable alternative. Electronic distribution of the program has facilitated the appearance of several "hacked" versions of the program in the public domain. For example, McAfee Associates never issued a Version 92 because a trojan horse of Viruscan appeared in New York under that designation.

e. A menu interface for Viruscan does exist, but it requires an additional registration fee. Most users, to fully utilize all the options, would probably be more comfortable with a menu.

7. Comments:

Although "detection" of viruses is typically rated at the low end of the protection scheme, Viruscan remains an important tool for any credible anti-virus program. It allows one to easily and quickly obtain a "picture" of one's system for the presence of known MS-DOS computer viruses. While it is difficult to gather accurate information on the actual cases of infections, there is substantial evidence to support McAfee's assertion that Viruscan will identify those viruses which have caused 95% of all reported infections. Since few of us have the expertise or the resources to "test" all software or to examine source code for those programs which we run, Viruscan provides a reasonable degree of assurance that a system is not infected. So long as one understands the limitations of the product, it provides a protection control measure which can be integrated into an organization's written policies and procedures on automation security.

The use of validation codes results in situations where expert support is necessary to investigate and to resolve unexpected changes in executables. Many sites may fail to incorporate support costs in their economic analysis prior to acquisition.

Viruscan has probably been examined more closely than any other comparable program. The personality of John McAfee and the ubiquitous distribution of the program account in my mind for this examination. There is no doubt that Viruscan has certain technical limitations which have been discussed in Virus-L.

My recommendation is that no user or organization should restrict themselves to a single product or to a single vendor. It makes good business sense to have at least two detection programs available as part of any contingency planning process. There is also a strategic planning function which must be initiated to move beyond "scanning" as the primary viral defense.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
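As an added illustration (not part of the original report and not McAfee's code), the Python script below implements the kind of executable-integrity baseline that the validation-code options in 4.d/4.e provide, but reports the two behaviours noted in 4.e differently: a changed file is reported as MODIFIED, an integrity event rather than a confirmed infection, and a deleted file is reported as MISSING instead of being silently ignored. The file names and byte contents in demo() are constructed; the extension list is the default one from 4.f.

```python
"""Baseline/verify integrity check modelled on Viruscan's /AV, /CV and /AF options."""
import hashlib
import os
import tempfile

# Default Viruscan extensions (4.f); ".ov?" is handled as a wildcard in is_scannable().
EXEC_EXTS = {".app", ".bin", ".com", ".exe", ".pgm", ".pif", ".prg", ".swp", ".sys", ".xtp"}

def is_scannable(name):
    ext = os.path.splitext(name)[1].lower()
    return ext in EXEC_EXTS or (len(ext) == 4 and ext.startswith(".ov"))  # .ov? overlays

def fingerprint(path):
    """Content hash plus size; stored out of band like /AF, never inside the file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": os.path.getsize(path)}

def build_baseline(root, exclude=()):
    """Record fingerprints of scannable files under root; 'exclude' mirrors the
    exception list of /AV filename for files that must not carry validation data."""
    base = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            rel = os.path.relpath(os.path.join(dirpath, fn), root)
            if is_scannable(fn) and rel not in exclude:
                base[rel] = fingerprint(os.path.join(dirpath, fn))
    return base

def verify(root, baseline, exclude=()):
    """Classify every baselined file as UNCHANGED, MODIFIED or MISSING, and flag
    scannable files that were not in the baseline as NEW. No verdict says 'virus'."""
    current = build_baseline(root, exclude)
    report = {rel: "MISSING" if rel not in current
              else "MODIFIED" if current[rel] != fp else "UNCHANGED"
              for rel, fp in baseline.items()}
    report.update({rel: "NEW" for rel in current if rel not in baseline})
    return report

def demo():
    """Constructed scenario: baseline three executables, then patch one byte in one,
    delete another, add a new one, and leave a .TXT file that is never baselined."""
    with tempfile.TemporaryDirectory() as root:
        files = {"GAME.COM": b"\xb4\x4c\xcd\x21", "UTIL.EXE": b"MZ" + b"\x00" * 64,
                 "MENU.OVL": b"overlay", "README.TXT": b"notes"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)
        with open(os.path.join(root, "GAME.COM"), "r+b") as f:
            f.write(b"\xeb")                      # same size, different content
        os.remove(os.path.join(root, "UTIL.EXE"))
        with open(os.path.join(root, "NEW.EXE"), "wb") as f:
            f.write(b"MZ")
        return verify(root, baseline)
```

Run demo() to see the four verdicts; an operator still has to investigate a MODIFIED entry, which is exactly the support cost section 7 warns about.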