******************************************************************************
PT-8
January 1990
******************************************************************************

1. Product Description:

FILETEST is a public domain program to compute the cyclic redundancy check (CRC) for any file and to periodically test the CRC to detect any changes. FILETEST uses a list of all the files on the default drive which a user wishes to trace (FILETEST.FIL) and, when run for the first time, creates an original list (FILETEST.OLD) of those files along with the creation date, file size, and a CRC for each file. When FILETEST is run again, it creates a new list (FILETEST.NEW) and compares this against the old list.

The author of FILETEST is Dr. Len Levine, Department of Electrical Engineering and Computer Science, University of Wisconsin-Milwaukee, P.O. Box 785, Milwaukee, WI 53201. Dr. Levine added to and modified the public domain program FILECRC written by Dr. Ted Emigh, Department of Genetics, North Carolina State University, P.O. Box 7614, Raleigh, NC 27695-7614.

2. Product Acquisition:

FILETEST is available on several public bulletin boards. It resides in the following path on the Directorate of Information Management host simtel20 at White Sands Missile Range: pd1: filetest.arc.1.

3. Product Tester:

Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548 or DDN: cmcdonal@wsmr-emh03.army.mil.

4. Product Test:

a. I obtained a copy of FILETEST in December 1989 from the MS-DOS repository on the Internet host simtel20. The repository manager obtained the copy from the author.

b. I ran the current version of VIRUSCAN against the FILETEST programs with negative results for the detection of any known viral signature.

c. I examined the FILETEST programs with "nu" from NORTON Utilities and saw nothing unusual or suspicious.

d. During the testing of FILETEST I saw no infection or modification of those files protected with DATA PHYSICIAN (see product test PT-4).

e. The execution of the program is very simple. The syntax initiates the program. The most difficult task is to construct FILETEST.FIL, which contains those files to be CRC traced. The user has the discretion to use the "default" FILETEST.FIL, provided with the FILETEST package, as a starting point. The default file is very short and intends only to show a user the proper way to construct the file. FILETEST.FIL is an ASCII list of every file the user wishes traced. Full pathnames and upper case are necessary (e.g., C:\DOS\COMMAND.COM and C:\MIO.SYS).

f. After a user has run FILETEST for the first time and created a FILETEST.OLD file containing the creation date, file size, and CRC of specific files, subsequent execution of the program can result in five possible results.

   (1) If no modifications have occurred, there is no report.

   (2) If a file has been modified through normal DOS handling, a notice will appear on the screen which identifies the file, its OLD and NEW attributes, its OLD and NEW byte sizes, and its OLD and NEW CRCs.

   (3) If a file has been deleted since the last time FILETEST was run, a notice will appear on the screen which identifies the file, its attribute, size, CRC, and date/time the file was last traced by the FILETEST program.

   (4) If a file has appeared that was not on the disk at the time of the previous run of FILETEST, and has been added to the FILETEST.FIL file, a notice will appear on the screen which identifies the file, its attribute, size, and CRC.

   (5) If a file has been modified in a way which bypasses normal DOS handling, such as might occur with NORTON UTILITIES, a notice will appear on the screen which identifies the file, its OLD and NEW attributes, its OLD and NEW byte sizes, and its OLD and NEW CRCs.

g. I tested all these possibilities. All tests were successful and gave the results described in the program documentation. For those results in which there is a modification or a changed condition, FILETEST displays a summary of the actions after the screen notice. The format of that summary is as follows.

   Number of Files in the last CRC check:
   Number of Files that are the same as last time:
   Number of New Files:
   Number of Removed Files:
   Number of Updated Files:
   Number of Invalidly Modified Files:

   Should I update FILETEST.OLD to agree with FILETEST.NEW (YN)?

5. Product Advantages:

a. The program works as advertised.

b. The program is "free".

c. FILETEST will work with a large number of files and directories. The author indicates the maximum is 200 directories and 1800 files with any number of files within any particular directory.

6. Product Disadvantages:

a. Each user must create the FILETEST.FIL file for his or her system. It is possible, probably essential, that a core list of files be traced on all systems; individual users have to make this determination and then maintain the list. While the "default" FILETEST.FIL file gives users a good starting point, many users will require training and suggestions on using the program to obtain maximum protection.

b. The program gives you no feedback as it runs. Therefore, if you have a large number of files to trace, this may be inconvenient because all modifications and results appear only upon the completion of the program. As I mentioned earlier, if there are no modifications or changes, the program gives the user no message. It simply returns you to the system prompt.

c. Technical support of the program is obviously left to the user. While Dr. Levine contributes freely to the INTERNET on the subject of computer security and computer viruses in particular, he has no financial interest in user support.

7. Comments:

I have now looked at four programs which compute "signatures" for files: (1) Data Physician (commercial product, reference PT-4); (2) Virus Checker (shareware product, reference PT-6); and (3) CHKSUM (public domain product, reference PT-7). Each program operates on the assumption that it can detect changes to that signature and that such changes may be virus related.

FILETEST is in my opinion the second best of the tested products, ranking below Data Physician. But, if one does not have the financial resources to buy Data Physician, I would highly recommend FILETEST.

As I have stated in each of the test evaluations, "signature" protection of files can provide a significant security advantage. If one uses "CRC computations", one has increased the problem for the virus writer or for the malicious programmer in general. How substantial the "increase" is may be a secondary concern, depending upon the user's particular operating environment. It is also apparent that a support staff to assist users in the installation and maintenance of FILETEST and of any other security product is absolutely essential.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

======================================================================
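
The OLD/NEW list comparison and the five outcomes of section 4.f, as an added Python example; it is not FILETEST's code or its author's. Assumptions: CRC-32 from zlib stands in for FILETEST's CRC, the sample entries are constructed, and "invalidly modified" is taken to mean a changed CRC with unchanged date and size.

```python
import os
import zlib
from collections import Counter

def snapshot(paths):
    """Return {path: (mtime, size, crc32)}; missing files are left out."""
    snap = {}
    for path in filter(os.path.isfile, paths):
        crc = 0
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                crc = zlib.crc32(chunk, crc)
        snap[path] = (int(os.path.getmtime(path)), os.path.getsize(path), crc)
    return snap

def compare(old, new):
    """Classify each path into one of the five outcomes of section 4.f."""
    result = {}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            result[path] = "new"
        elif path not in new:
            result[path] = "removed"
        elif old[path] == new[path]:
            result[path] = "same"
        elif old[path][:2] == new[path][:2]:
            # Assumption: same date and size, different CRC = bypassed normal handling
            result[path] = "invalidly modified"
        else:
            result[path] = "updated"
    return result

def report(old, new):
    return Counter(compare(old, new).values())

# Constructed sample lists (not FILETEST output): path -> (mtime, size, crc)
OLD = {
    r"C:\DOS\COMMAND.COM": (631152000, 25307, 0x1A2B3C4D),
    r"C:\DOS\FORMAT.COM": (631152000, 11616, 0x0BADF00D),
    r"C:\AUTOEXEC.BAT": (631152000, 128, 0x11111111),
    r"C:\CONFIG.SYS": (631152000, 96, 0x22222222),
}
NEW = {
    r"C:\DOS\COMMAND.COM": (631152000, 25307, 0x1A2B3C4D),  # unchanged
    r"C:\DOS\FORMAT.COM": (631152000, 11616, 0xDEADBEEF),   # same date/size, new CRC
    r"C:\AUTOEXEC.BAT": (631238400, 140, 0x33333333),       # edited normally
    r"C:\TOOLS\NEW.EXE": (631238400, 4096, 0x44444444),     # newly listed file
}
```

`report(OLD, NEW)` gives the per-category counts that correspond to the summary in 4.g; `snapshot()` builds the same kind of list from real files named in a FILETEST.FIL-style path list.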