Date: Fri, 29 Mar 91 10:54:49 MST
From: Chris McDonald  ASQNC-TWS-RA <cmcdonal@wsmr-emh03.army.mil>
Subject: Product Test - - Avsearch (MS-DOS)


******************************************************************************
                                                                          PT-11
                                                                      June 1990
                                                          Revised February 1991
******************************************************************************

1.  Product Description: AVSEARCH, version 2.23,  is  a  shareware  program  to
detect  computer  viruses  and  certain  trojan  horses for the MS-DOS computer
environment.

2.  Product Acquisition: The program is the work of at least two individuals in
West  Germany  who  also  license  a commercial product AntiVir.  The names and
address of the individuals are  in  the  file  avs_read.me  included  with  the
executables.   This  file  contains  the  following  statements: "AVSEARCH is a
'shareware program' and is provided at no charge to the  user  for  evaluation.
And  well,  the  evaluation  period  is  almost undefinite for this revision of
AVSEARCH, since we don't want to make any money from (yet, maybe  later)."  The
program is available in the MS-DOS repository of the US Army Information
Systems Command host simtel20 in the path pd1:<msdos.trojan-pro>avs*.zip.1.

3.  Product Tester: Chris McDonald, Computer Systems Analyst, Information
Systems  Command,  White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN:
cmcdonal@wsmr-emh03.army.mil.

4.  Product Test:

    a.  I downloaded the program from simtel20 in May 90 and conducted  initial
tests  from  15  May through 21 Jun 90.  I retested the product in January 1991
upon the release of version 2.23e.  I have tested the program on IBM,  Gateway,
Unisys, Wyse, and Zenith systems without any difficulties.

    b.  I ran McAfee's VIRUSCAN, the early VIRUS BUSTER (Version 1.10), F-PROT,
the  commercial  programs  VIRUCIDE (Version 1.2e) and NORTON ANTIVIRUS against
AVSEARCH.  There were no alarms and no evidence of "false positive" reactions.

    c.  The system requirements for AVSEARCH are minimal: (1)  IBM  PC,  PC/XT,
PC/AT  or  compatible computer; (2) 120 kilobytes of memory; (3) MS-DOS release
3.0 or higher.

    d.  The avs_read.me file advises new users to obtain initial information on
how  to  run  the  program  by  typing  the  name of the program with /H as the
parameter  on  the  command  line  (Syntax:  AVSEARCH  /H).

    e.   The  /H  parameter  provides  syntax  examples  and  a  description of
available options.  Those options include the following:

        (1)  /A         Test All Drives/All Subdirectories
        (2)  /B         Batch Mode
        (3)  /BW        Setting for Some Laptops with Monochrome Displays
        (4)  /D         Delete Infected Files
        (5)  /E         Extensive Search (i.e., search any file for any virus)
        (6)  /L         List of Supported Virus Types
        (7)  /P         Write Results to \AVSEARCH.LOG
        (8)  /S         Scan All Subdirectories
        (9)  /M         Test Memory for Virus Infection

   f.   The  syntax  for running AVSEARCH is: AVSEARCH [Path][Searchmask]
[Options].  The "Searchmask" defines the file extensions to  test.   The
default  standard extensions  include  *.EXE,  *.COM,  *.PIF,  *.BIN, *.SYS,
*.OVL, *.OVR, *.OVG, *.OV1, and *.OV2.  

   g.  I tested all the options with the exception of Batch Mode.  I was unable
to test against all the known viruses and trojan horses which the  program  can
allegedly  detect.   I  did  test  against  some  60  viruses in my possession.
AVSEARCH detected  these  viruses  in  every  case.   The  AVSEARCH  /L  option
identifies    viruses,  although  three  of the listings are actually trojan
horses (i.e., Aids Information, 12 Tricks and 12  Tricks-B).   All  tests  were
successful  on a Unisys PC (Intel 80286), MS-DOS 3.10, 512 kilobytes RAM, 33 MB
hard drive, CGA video display.

   h.   When  the program detects malicious code which it recognizes, it issues
an audible alarm and writes to the screen the name of the virus or trojan horse
detected  immediately  after  the  file with the infection.  The /P option will
write all results to a file (AVSEARCH.LOG).

5.  Product Advantages:

    a.  While viral detection by scanning techniques remains controversial, the
methodology is effective for "known" viruses and trojan horses.  

    b.  AVSEARCH in its present form  is  "free"  and  potentially  offers  the
ability to provide all users with a limited tool for viral defense.

6.  Product Disadvantages:

    a.  There is no assurance that the authors  will  update  the  program;  or
that, if there is an update, the program will remain "free".

    b.   Documentation  is  inadequate  in  that  it  fails  to  identify   the
methodology used in developing specific virus search strings.

    c.   The  program  gives occasional "false" alarms, particularly when using
the /E option.  Version 2.23  has  dramatically  reduced  the  number  of  such
alarms.
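The following Python script is an added illustration, not AVSEARCH's own code (the review notes in 6.b that the authors do not document their scanning method). It models the command-line behaviour described in 4.f and 4.h (a default search mask of executable-type extensions, a recursive walk like /S, an extensive mode like /E, and a log written in the "file, then virus name" layout like /P), and it shows why the extensive search of 6.c produces more false alarms: a short signature pattern that is perfectly usable against executables also occurs in ordinary text files. The signatures, file names and contents are all constructed for the example.

```python
import os
import shutil
import tempfile

# Default search-mask extensions listed in section 4.f of the review.
DEFAULT_EXTENSIONS = {".exe", ".com", ".pif", ".bin", ".sys",
                      ".ovl", ".ovr", ".ovg", ".ov1", ".ov2"}

# Constructed, hypothetical signatures (name -> byte pattern).  A real scanner
# derives its patterns from analysed samples; these are placeholders only.
SIGNATURES = {
    "Test-Virus-A (constructed)": b"\xeb\x1f\x90SIGNATURE-A",
    # Deliberately short pattern: short strings also occur in innocent files,
    # which is what turns an extensive (/E) search into a source of false alarms.
    "Test-Trojan-B (constructed)": b"HELLO",
}


def in_search_mask(filename, extensive=False):
    """Decide whether a file is scanned: everything under /E, otherwise only
    the default executable-type extensions."""
    if extensive:
        return True
    return os.path.splitext(filename)[1].lower() in DEFAULT_EXTENSIONS


def scan_file(path):
    """Return the names of every signature found in the file (may be empty)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_tree(root, extensive=False, log_path=None):
    """Walk root (like /S), scan the files inside the mask, and return
    {basename: [signature names]} for infected files only.  With log_path the
    hits are also written one per line, file name then signature name, like /P."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if not in_search_mask(fname, extensive):
                continue
            found = scan_file(os.path.join(dirpath, fname))
            if found:
                hits[fname] = found
    if log_path is not None:
        with open(log_path, "w") as log:
            for fname, names in hits.items():
                for name in names:
                    log.write(f"{fname}  {name}\n")
    return hits


def build_sample_tree():
    """Constructed sample directory: an 'infected' .COM, a clean .EXE in a
    subdirectory, and a plain-text readme that happens to contain 'HELLO'."""
    root = tempfile.mkdtemp(prefix="avs_demo_")
    os.makedirs(os.path.join(root, "SUB"))
    with open(os.path.join(root, "INFECT.COM"), "wb") as f:
        f.write(b"\xb8\x00\x4c" + SIGNATURES["Test-Virus-A (constructed)"])
    with open(os.path.join(root, "SUB", "CLEAN.EXE"), "wb") as f:
        f.write(b"MZ" + bytes(64))
    with open(os.path.join(root, "README.TXT"), "wb") as f:
        f.write(b"HELLO from the readme file\r\n")
    return root


def demo():
    """Run the default-mask scan and the extensive scan over the constructed
    tree; report both result sets and the number of log lines written."""
    root = build_sample_tree()
    try:
        normal = scan_tree(root)
        log_path = os.path.join(root, "AVSEARCH.LOG")
        extensive = scan_tree(root, extensive=True, log_path=log_path)
        with open(log_path) as log:
            log_lines = sum(1 for _ in log)
    finally:
        shutil.rmtree(root)
    return {"normal": normal, "extensive": extensive, "log_lines": log_lines}


if __name__ == "__main__":
    print(demo())
```

With the default mask only INFECT.COM is reported; in extensive mode README.TXT is reported as well, purely because the short "Test-Trojan-B" pattern occurs in its text. That is the trade-off behind the /E option: scanning every file for every pattern widens coverage of infected data or overlay files, but each short pattern becomes a false-alarm risk in the far larger population of non-executable files, which is why longer, more specific search strings (and the documentation of how they were chosen, as 6.b asks for) matter.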

    d.   It is uncertain at this time as to the effectiveness of the program to
detect viruses and trojan horses since actual code for all 158 of the malicious
programs  was  unavailable.   Although  the  authors  appear  to  be  reliable,
independent confirmation of their program's total abilities is not possible  by
this  reviewer.   Since  this  free  shareware program may offer some immediate
assistance to users who do  not  have  access  to  other  proven  shareware  or
commercial  viral  scanning  programs,  individuals  who read this product test
evaluation should understand that it is incomplete.

7.  Comments:

    I  would propose for continuity of operations planning that one should have
more than one anti-viral package for the MS-DOS environment.

    If one can believe the  statistics  of  reported  infections  published  by
McAfee  Associates,  the  IBM  Corporation, and the University of Hamburg Virus
Test Center, then VIRUSCAN, AVSEARCH, and VIRUCIDE appear to be important tools
in  any  information  systems  security  program.   What  remains to be seen is
whether infection patterns will change, or whether  the  spreading  rate  of  a
"new"  virus  might  be  rapid  enough  to  cause  significant  damage before a
detection product could  be  modified  or  developed.   The  historical  record
through  December  1990 suggests that only 7 viruses (to include variants) have
caused from 70-93 percent of all reported viral incidents  depending  upon  the
specific  geographical  location.  The record also supports the conclusion that
no virus has successfully avoided detection 100% of the time.

    On the assumption that someone is working to write that "super" virus which
can  avoid  detection  under  all  conditions,  it seems prudent to continue to
pursue  additional  and  potentially  more   effective   anti-viral   defensive
strategies.

    The  absence  of an available test center within the Army, which has copies
of real viruses and trojan horses for evaluation and test purposes, must  defer
a  final  determination on the effectiveness of AVSEARCH.  It is appropriate to
warn users of the product's limitations and to request  that  they  report  all
"alarms"  to  their  respective  information  systems  security representative.
Analysis of these reports may eventually answer the question of  the  program's
utility.

    If  information  systems security representatives forward me reports on the
ability of the program to  actually  detect  malicious  programs,  or  if  they
forward   reports  on  false  alarms,  I  will  compile  that  information  and
redistribute   to    all    addressees.     You    may    send    reports    to
cmcdonal@wsmr-emh03.army.mil, or DSN 258-4176.
