From: Chris McDonald STEWS-IM-CM-S (11/23/93)
Subject: Revised Product Test 9, Disinfectant, version 3.3
CC: dorian@cobalt.house.GOV, krvw@bull-run.ims.disa.MIL

******************************************************************************
PT-9                                                    Revised November 1993
******************************************************************************

1. Product Description:

Disinfectant is a freeware program to detect and to repair virus activity for Macintosh systems. The author is Mr. John Norstad, Academic Computing and Network Services, Northwestern University, 2129 North Campus Drive, Evanston, IL 60208. Mr. Norstad's Internet address is j-norstad@nwu.edu. This product test evaluates version 3.3.

2. Product Acquisition:

Disinfectant is available on the Internet, from bulletin board systems, and from Apple User Groups. Whenever there is a new release, Mr. Norstad posts a notification to the Virus-L Internet mailing list.

3. Product Tester:

Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548, DDN cmcdonald@wsmr-emh34.army.mil.

4. Product Test:

a. I have obtained copies of the program either directly from the author or from other Internet repositories. I obtained version 3.3 from the author's ftp server, ftp.acns.nwu.edu (129.105.113.52).

b. I have tested the program on a variety of Macintosh platforms running either system 6.0.5, system 6.0.7 or system 7.0. The latest test occurred from November 10-19, 1993. The program requires System 6.0 or later.

c. The program has detailed on-line documentation on various topics. These include:
   (1) a detailed description and history of the known Macintosh viruses;
   (2) a sample of all error and alert messages which Disinfectant generates;
   (3) a description of and recommendation on other public domain and shareware virus tools;
   (4) a history of the development and testing of Disinfectant; and
   (5) a listing of all those individuals who have contributed in some way to the development, peer review, and testing of Disinfectant.

d. The program has an internal self-checking mechanism to hopefully notify the user of any tampering. After the program completes its self-checking mechanism, a user receives a menu screen with specific options or selection choices. A user may choose the pull-down menus (i.e., File, Edit, Scan, Disinfect, Protect) to configure Disinfectant for detection or disinfection operations. The program supports numerous choices for scanning as well as the ability to generate a written report of such operations. When one has set the configuration, clicking on an individual option initiates the program.

e. I selected the "Scan" option under various configuration settings and tested various system hard drives and disks. The program gives one a screen display of the running count of files/disks scanned along with a display of how far the program has progressed through the specific media (i.e., hard disk, floppy disk). If one selects the "Cancel" option at any time, the program will terminate and provide a numerical count of files scanned to that point. When the program runs to completion, the user receives a summary report on the screen of the total number of files/disks scanned and a notification of any viral infection by individual file. If no infections are found, then the program states that fact.

f. I tested Disinfectant against a test suite of all those malicious programs which it claims to detect. The test suite included these samples: Scores, nVir (A & B), Init 29, Anti (A & B), MacMag, WDEF (A & B), Zuc (A, B & C), MDEF (A, B, C & D), Frankie, MBDF (A & B), Init 1984, Code 252, T4 (A, B & C), CDEF, Init 17, Init-M and Code-1. Disinfectant had a 100% detection rate, and performed disinfection operations as described in the documentation. It is important to remember that Disinfectant, as well as other shareware and commercial anti-viral programs, cannot repair every viral infection.

g. I tested all the other menu options, which provided the results described in the documentation. The installation of the Disinfectant INIT caused no conflict with other anti-viral software, such as Gatekeeper, SAM, VirusDetective and Virex. The INIT functioned to identify and to block those malicious programs identified in the documentation.

h. Version 3.3 adds detection and repair facilities for the Code-1 and MBDF-B viruses. It also provides a color icon suite for the first time.

5. Product Advantages:

a. The program works as advertised.

b. The program is "free", and contains the most detailed description of all known Macintosh viruses within its documentation.

c.
The author has submitted his program to extensive "peer review". The efficiency and the quality of updates are exceptional.

6. Product Disadvantages:

a. Technical support of the program is admittedly informal. However, the author has a good reputation for responsiveness and technical expertise. Since there is a large group of individuals who participate in the "peer review" of the program, these individuals are conceivably additional sources for advice and assistance.

b. The mechanism of distributing updates to the program may be a problem for many users. While INTERNET access is taken for granted by many, there are many users who do not have such facilities. Therefore, organizations and users who decide to utilize the program must make provisions for the acquisition of the program and for the distribution of updates.

c. The program does not identify several HyperCard viruses, such as Dukakis and Three Tunes; nor does it address several trojan horses. While the distribution rate of HyperCard viruses and Macintosh trojan horses has been extremely limited, certain organizations and individuals may consider this omission of some concern.

d. The program identifies "known" viruses, but does not offer any mechanism for potentially detecting "new" viruses.

7. Comments:

While one could engage in a debate on the advantages of a commercial product over this public domain program, such a debate is in my opinion counterproductive. Disinfectant demonstrates a significant difference between the MS-DOS and Macintosh worlds. The best of the MS-DOS viral detection and eradication programs are either commercial or shareware programs which require payment for their use. Here one of the best programs is free.

An intelligent strategy would be to have at least two separate programs available for use within an enterprise for defense against malicious programs. The flexibility of dual products can provide both financial and technical advantages. It also provides protection in the event one program for whatever reason ceases to be available.

There are many issues in the acquisition and use of viral detection tools. Interested readers may consult the Proceedings of the National Computer Security Association's 2nd International Virus Prevention Conference & Exhibition, February 1993, for several papers on the subject, including one entitled "Selecting an Anti-Virus Product". The National Institute of Standards and Technology, Computer Security Division, has issued Special Publication 800-5, "A Guide to the Selection of Anti-Virus Tools and Techniques", December 2, 1992. The publication is available for anonymous ftp from the NIST host 129.5.54.11 in the path /pub/nistpubs. One may also call Ms. Dianne Ware, NIST, at 301-975-2821 for one free copy.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

FOR FURTHER REFERENCES:

PRODUCT TEST NUMBER    PRODUCT
PT-10                  VIREX
PT-20                  SYMANTEC ANTIVIRUS FOR MACINTOSH (SAM)
PT-30                  VIRUSDETECTIVE/VIRUSBLOCKADE II
PT-32                  MACTOOLS
PT-44                  RIVAL
PT-46                  CITADEL
PT-53                  GATEKEEPER/GATEKEEPER AID
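The scanner behaviour described in 4.d through 4.f and the known-viruses-only limitation noted in 6.d, as an added illustration written for this edition (not Disinfectant's own code or Mr. Norstad's): a minimal signature scanner with a tamper self-check, a running file count that survives Cancel, a per-file infection report, and the test-suite detection rate. The signature patterns, file names and file contents are constructed for the demo and stand in for the named viruses only by label.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in patterns keyed by virus names from the review's test
# suite; invented for this demo, not real signatures.
SIGNATURES = {"nVIR": b"nVIR-SIG", "WDEF": b"WDEF-SIG", "Code-1": b"CODE1-SIG"}

@dataclass
class ScanReport:
    files_scanned: int = 0
    infections: dict = field(default_factory=dict)  # file name -> virus name
    cancelled: bool = False

def self_check(program_bytes: bytes, expected_sha256: str) -> bool:
    """Tamper check in the spirit of 4.d: refuse to run unless the scanner's
    own bytes still hash to the digest recorded when it was released."""
    return hashlib.sha256(program_bytes).hexdigest() == expected_sha256

def scan(files: dict, cancel_after=None) -> ScanReport:
    """Signature scan with a running count (4.e). Cancel stops early but the
    count of files examined so far is kept, as the review describes."""
    report = ScanReport()
    for name, data in files.items():
        if cancel_after is not None and report.files_scanned >= cancel_after:
            report.cancelled = True
            break
        for virus, sig in SIGNATURES.items():
            if sig in data:  # first matching known pattern names the file
                report.infections[name] = virus
                break
        report.files_scanned += 1
    return report

def detection_rate(report: ScanReport, truth: dict) -> float:
    """Test-suite method of 4.f: share of labelled samples named correctly."""
    hits = sum(1 for f, v in truth.items() if report.infections.get(f) == v)
    return hits / len(truth)

# Constructed suite: three known samples, one clean file, and a "new" variant
# whose pattern is absent from the table, so it is missed (the 6.d limitation).
SUITE = {
    "sample_nvir": b"header" + SIGNATURES["nVIR"] + b"tail",
    "sample_wdef": b"resource fork " + SIGNATURES["WDEF"],
    "sample_code1": SIGNATURES["Code-1"] + b" filler",
    "clean_app": b"ordinary application bytes",
    "new_variant": b"NEWV-SIG not yet in the signature table",
}
TRUTH = {"sample_nvir": "nVIR", "sample_wdef": "WDEF", "sample_code1": "Code-1"}
```

Running `scan(SUITE)` names the three labelled samples and nothing else, so the rate against TRUTH is 1.0 while `new_variant` goes unreported, which is exactly why the review recommends a second, independent product.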