*******************************************************************************
                        PT-10 Revised February 1995
*******************************************************************************

1. Product Description:

   VIREX is a commercial program which includes virus detection, virus treatment, and virus prevention. The program also identifies "major" Macintosh trojan horses. This product test addresses version 5.5.1 with definitions through February 1995.

2. Product Acquisition:

   The product is available from Datawatch Corporation, 234 Ballardvale Street, Wilmington, MA 01887. The telephone number is (508) 988-9700. Datawatch offers a variety of licensing and update options. If one is interested in a single-copy purchase, there are numerous mail order firms which have attractive pricing arrangements.

3. Product Tester:

   Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5506, DSN 258-7548, DDN cmcdonal@wsmr-emh34.army.mil.

4. Product Test:

   a. I obtained a copy of Virex from MacWarehouse in July 1989. The purchase price at that time was about 30% below the manufacturer's suggested retail quote. Whenever the vendor has announced a redesign or significant product enhancement, I have acquired the update directly from the vendor. All transactions have been efficient and timely. The most recent transaction occurred in February 1995 with the upgrade to version 5.5.1.

   b. Tests have occurred on a variety of Macintosh platforms running System 7.0. Over the years I have utilized the following malicious test suite for evaluation: Scores, nVir (A & B), Init 29, Anti (A & B), MacMag, WDEF (A & B), Zuc (A, B & C), MDEF (A, B, C & D), NVP, MBDF (A & B), Frankie, Init 1984, Code 252, T4 (A, B & C), Init 17, Init-M, CPro.141, ChinaTalk, CODE-1, CDEF, and Init 9403. Virex has always had a 100% detection rate against these samples.
   c. The Virex Installer remains efficient and fully in line with the documentation supplied with the version 5.5.1 update. The user has the option to scan the startup disk, or all local volumes except CD-ROMs (the default), or all mounted volumes prior to installation. When the initial scan has been completed, the user has various options to initially configure the program.

      (1) Remove old versions of Virex
      (2) Install Virex Control Panel on (user selection)
          (a) Accelerated for Power Macintosh
          (b) Save current preferences
      (3) Install Virex application on (user selection)
          (a) Accelerated for Power Macintosh
          (b) Save current preferences

      With the exception of the Power Macintosh option, I tested all others, which functioned as described.

   d. The Virex Control Panel protective features have matured over the years to offer an increased range of options. The Panel now presents the following preferences.

      (1) General
          (a) Allow scans to be stopped
          (b) Count files before scanning folders
          (c) Scan files when opened
          (d) Show Virex Control Panel cursor
          (e) Allow repairs
          (f) Use SpeedScan
          (g) Use Snapshot
          (h) Scan compressed files
          (i) Load Control Panel
          (j) Show icon at startup
          (k) Show splash screen at startup
      (2) Automatic
          (a) Scan when mounted
          (b) Scan startup disk at mount
          (c) Scan hard disks as mounted
          (d) Scan read-only volumes
          (e) Scan floppy disks upon insertion
          (f) Scan ejectables as mounted
          (g) Scan remote volumes as mounted
          (h) Scan at shutdown
          (i) Skip scanning until (user chooses time or "next restart")

   e. I retested all of these options at version 5.5.1 with no difficulties encountered. "SpeedScan" is a proprietary, trademarked technology to provide increased speed without sacrificing accuracy. "Snapshot", formerly referred to as "Record/Scan" in earlier versions of Virex, creates a baseline status of files and then on subsequent invocations looks for changes to files. The presence of "change" may alert a user to the presence of a "new" piece of malicious code.
   f. The Virex Control Panel also provides security preferences which would be useful in a network or enterprise environment.

      (1) Password protection for access to the Control Panel
      (2) Lock Virex Control Panel in the system folder so that the Panel cannot be moved, renamed or deleted
      (3) Write Control Panel events to log file

   g. The final aspect of the Virex Control Panel involves preferences for default buttons, actions and messages for alert boxes. The documentation describes these options and offers reasonable suggestions for default configurations to assist individual users as well as network administrators.

   h. One may also customize the basic Virex application. There exists a logical overlap between preferences for the Virex Control Panel and for the Virex application. The preferences for the Virex application address four areas: diagnosis, repair, startup and reporting. I did at least a functionality test of all options without any anomaly.

5. Product Advantages:

   a. Virex performs as documented. Its SpeedScan feature appears to result in the fastest Macintosh anti-viral scanner that I have tested.

   b. Datawatch Corporation has an effective marketing and technical staff to support the program.

   c. Virex incorporates detection, removal and prevention of computer viruses and major trojan horses for stand-alone and networked systems.

6. Product Disadvantages:

   a. The "Snapshot" feature to detect changes in files does not necessarily confirm the presence of malicious code. More importantly, "Snapshot" does not prevent the introduction of malicious code. The User's Guide has little data on the operation of the feature or on the algorithm/methodology by which it creates a baseline description.
   b. While "SpeedScan" accurately detects known viruses and trojan horses, there is the potential that a malicious code author might have an easier time modifying an existing virus or trojan horse to avoid detection on the assumption that "SpeedScan" gains its speed by only scanning a specific area of a file. The documentation is mute on the specific proprietary factors which account for its performance. This is obviously necessary to protect Datawatch proprietary information. Although "SpeedScan" is the default in the Virex Control Panel, I would recommend the slower scanning option for initial scans of all new software and systems.

   c. While Virex has an option to scan compressed files, one may frustrate the option by encrypting or password-protecting the compressed file. If Virex encounters an encrypted or password-protected file, it issues the following message: "A file in archive 'xxxxx' could not be decompressed because an unknown error has occurred (-50)." This message is ambiguous and likely to mislead many users.

   d. Datawatch has adopted the strategy that it will provide users with update instructions whenever a new virus or trojan horse appears. However, the update will ONLY PROVIDE DETECTION, NOT REPAIR CAPABILITY. This forces authorized users to pay for full Virex updates, or to utilize other programs for disinfection. An individual user, who wishes to rely on Virex for both detection and repair, will have invested significantly more resources on it than had he or she chosen another comparable commercial program.

7. Comments:

   Virex has continued to improve with age. However, the inability of a user to obtain both detection and repair upgrades without an additional cost continues to be a personal sore point with me. I remain skeptical as well that "Snapshot" as an option is as effective as other products which offer capabilities to detect "unusual" or "suspicious" activity.
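   Subsection 4.e describes Snapshot as recording a baseline of file state and reporting changes on later runs; 6.a and the paragraph above note that a reported change is not proof of malicious code and that the baseline prevents nothing; and 6.c notes that an encrypted member of a compressed file defeats archive scanning and deserves a clear message rather than an "unknown error". The Python script below is an added illustration of those points, written for this review; it is not Datawatch code and makes no claim about how Virex actually implements Snapshot or SpeedScan. The directory layout, file names and the sample archive are constructed for the demonstration, and the archive's "encrypted" flag bit is set by hand because Python's zipfile module cannot write encrypted entries.

```python
"""Added example: a minimal file-baseline ("snapshot") checker that also reports
archive members it cannot inspect. Not Virex code; all inputs are constructed."""
import hashlib
import json
import zipfile
from pathlib import Path
from tempfile import TemporaryDirectory

HASH = "sha256"


def hash_file(path: Path) -> str:
    """Digest of the whole file, not just a region of it."""
    h = hashlib.new(HASH)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(root: Path) -> dict:
    """Baseline: relative path -> {size, digest} for every regular file."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            snap[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size, HASH: hash_file(p)}
    return snap


def compare_snapshots(baseline: dict, current: dict) -> dict:
    """What changed since the baseline. A change is a reason to investigate,
    not proof of malicious code, and nothing here prevents the change."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k][HASH] != current[k][HASH]),
    }


def encrypted_members(path: Path) -> list:
    """Names of zip members flagged as encrypted (general-purpose bit 0).
    They cannot be inspected without the password, so report them by name
    instead of failing with a generic error code."""
    if not zipfile.is_zipfile(path):
        return []
    with zipfile.ZipFile(path) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]


def unscannable_archives(root: Path) -> dict:
    """Archive path -> encrypted member names, for archives that have any."""
    out = {}
    for p in sorted(root.rglob("*.zip")):
        members = encrypted_members(p)
        if members:
            out[p.relative_to(root).as_posix()] = members
    return out


def demo() -> dict:
    """Constructed scenario: baseline a tree, alter it, compare, and list
    archives the scanner could not look inside."""
    with TemporaryDirectory() as d:
        root = Path(d)
        (root / "System").mkdir()
        (root / "System" / "Finder").write_bytes(b"finder 7.0")
        (root / "Readme").write_text("hello")
        # Round-trip through JSON: the form a real tool would persist
        # (outside the tree it covers, ideally on read-only media).
        baseline = json.loads(json.dumps(take_snapshot(root)))
        # Activity between scans: one file altered, one removed, two added.
        (root / "System" / "Finder").write_bytes(b"finder 7.0" + b"\x90" * 8)
        (root / "Readme").unlink()
        (root / "NewInit").write_bytes(b"INIT")
        zpath = root / "sample.zip"
        with zipfile.ZipFile(zpath, "w") as zf:
            zf.writestr("secret.txt", b"not really encrypted")
        # zipfile cannot write encrypted entries, so set the "encrypted" flag
        # bit in the local (offset 6) and central (offset 8) headers to model
        # a password-protected archive.
        raw = bytearray(zpath.read_bytes())
        raw[raw.index(b"PK\x03\x04") + 6] |= 0x1
        raw[raw.index(b"PK\x01\x02") + 8] |= 0x1
        zpath.write_bytes(raw)
        return {"changes": compare_snapshots(baseline, take_snapshot(root)),
                "unscannable": unscannable_archives(root)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

   The report from demo() lists "System/Finder" as modified, "Readme" as removed, "NewInit" and "sample.zip" as added, and names "secret.txt" inside "sample.zip" as a member that was not inspected. The last item is the point of 6.c: a scanner that cannot open part of an archive should say so explicitly, so the user knows that part of the volume remains unexamined.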
   The historical record appears to support the conclusion that activity monitors, such as those found in Gatekeeper and in SAM, have greater success in detecting "new" malicious code. These monitors also have demonstrated success in preventing damage by "new" viruses/trojan horses, if properly configured. An intelligent strategy would be to have at least two separate programs available for use within an enterprise for defense against malicious programs. The flexibility of dual products can provide both financial and technical advantages. It also provides protection in the event one program for whatever reason ceases to be available.

   There are many issues in the acquisition and use of viral detection tools. Interested readers may consult the Proceedings of the National Computer Security Association's 2nd International Virus Prevention Conference & Exhibition, February 1993, for several papers on the subject, including one entitled "Selecting an Anti-Virus Product". The National Institute of Standards and Technology, Computer Security Division, has issued Special Publication 800-5, "A Guide to the Selection of Anti-Virus Tools and Techniques", December 2, 1992. The publication is available for anonymous ftp from the NIST host 129.5.54.11 in the path /pub/nistpubs.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

FOR FURTHER REFERENCE:

   PRODUCT TEST NUMBER   PRODUCT
   PT-9                  DISINFECTANT
   PT-20                 SYMANTEC ANTIVIRUS FOR MACINTOSH
   PT-30                 VIRUSDETECTIVE/VIRUSBLOCKADE
   PT-32                 MACTOOLS
   PT-44                 RIVAL
   PT-46                 CITADEL
   PT-53                 GATEKEEPER/GATEKEEPER AID
   PT-71                 MACRX