*******************************************************************************
PT-12
June 1990
Revised May 1992
*******************************************************************************

1. Product Description: VIRUCIDE PLUS is a commercial anti-virus program to detect and remove known computer virus signatures in the MS-DOS environment. This report addresses version 2.41, released April 1, 1992.

2. Product Acquisition: The product is available from Parsons Technology, Inc. The address is Parsons Technology, Inc., One Parsons Drive, P.O. Box 100, Hiawatha, IA 52233. The company has a toll-free number for orders, 1-800-223-6925, or 1-319-395-9626. The cost of a single copy, as of May 1992, was $69.00. Registered users of VIRUCIDE can upgrade to VIRUCIDE PLUS for $32.00, which includes shipping and handling. The vendor states that upgrades will continue on approximately a quarterly basis at $15.00 including shipping and handling.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-5712, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I ordered my original copy of VIRUCIDE and all upgrades directly from Parsons Technology. The upgrade to VIRUCIDE PLUS (VP) cost $29.00, which included a new User's Guide. VP retains the same detection and disinfection component licensed from McAfee Associates, but adds a terminate-and-stay-resident (TSR) component, VIRUCIDE SHIELD, licensed from Trend Micro Devices, Inc.

b. I had known when I placed my original order that McAfee Associates had copyrighted the VIRUCIDE software and that Parsons Technology had both trademarked and licensed VIRUCIDE. Upon receipt of the product I learned that Yuval Tal and Uzi Apple had actually written the software. These individuals had authored an early anti-viral scanning program, VIRUS BUSTER [see PT-5, December 1989].
The look and feel of VIRUCIDE clearly builds on that program. Two other individuals are also given as authors: Igor Grebert and Morgan Schweers.

c. VIRUCIDE PLUS introduces VIRUCIDE SHIELD, version 3.13, licensed from Trend Micro Devices, which also markets a commercial virus protection program for MS-DOS systems called PC-RX. PC-RX has two components: detection/disinfection and a TSR. The TSR component is known as PC-RX Virus Trap. I am currently conducting an evaluation of PC-RX under Product Test 51. A comparison of the VIRUCIDE PLUS User's Guide with the PC-RX User's Manual, as well as actual testing of VIRUCIDE SHIELD, suggests that there are differences between the two TSRs.

d. I found no conflicts or false alarms between version 2.41 and the detection portion of several other protection programs, including Viruscan, F-PROT, Norton Antivirus, Virex-PC, the IBM Anti-Virus Product, Central Point Anti-Virus, ViruSafe, and VIRx.

e. The system requirements for VIRUCIDE PLUS are minimal: (1) IBM PC, PC/XT, PC/AT or compatible computer; (2) 256 kilobytes or more of RAM; (3) MS-DOS (or IBM PC-DOS) release 2.11 or higher.

f. The syntax for running the program remains: VIRUCIDE [drive][path]. The first screen to appear provides VP copyright information. Pressing any key then gives a program screen with the "Enter Search Directory" window displayed. The User's Guide suggests that one press the F10 key to review the menu options before conducting a search. The menu gives five main options: Options, Report, Save Options, Virus Info and Exit. One can either use the right and left arrow keys, or type the letter of choice to make a selection.

g. Under Options one has seven selections: (1) automatic virus removal; (2) backup infected files; (3) search in subdirectories; (4) clean read-only files; (5) check overlay files; (6) network operations; and (7) compressed files. The up and down arrow keys highlight the selection.
One then presses the ENTER key or picks the letter of choice to toggle between Yes and No for each item. Some of the selections have additional pull-down menus. One returns to the main menu by pressing the ESC key. [NOTE: The default selections are (1) No; (2) No; (3) Yes; (4) Yes; (5) Yes or OV*; (6) No; and (7) No. The ability to examine files compressed by the programs LHARC and PKLITE became available at version 2.33.]

h. A major change at version 2.24 was the ability to edit the overlay extension file, so that one now has the capability to scan all files or to add extensions at the user's choice. The default under the option is to treat only files with the following extensions as overlays: .ovr, .ovl, .prg, .dat, .bin, and .sys. I tested this option, which functioned as documented.

i. Under Report one has two selections: (1) the report type; and (2) the destination of the report. There are three report type options: none, detailed, and short. There are two destination options: printer or file. The detailed report lists every file scanned with the full path name, and a cumulative total at the end which identifies (1) the number of directories scanned; (2) the number of EXE files scanned; (3) the number of COM files scanned; (4) the number of overlay files scanned; (5) the number of infected files; (6) the number of boot sector viruses; and (7) the percentage of infected files. The short report provides only the cumulative total. Both reports have a subject line "Virus Analyst Report", copyright notifications, and the date/time of the report's generation. [NOTE: The default selection is for report type "none". The default file name if one selects either a detailed or short report is "VIRUCIDE.RPT".]

j. Virus Info has two pop-up screens. On the right side is a listing of all malicious programs identified. On the left side is a summary of the number of programs identified, by total number and by characteristics (i.e., boot, file, stealth, discrete strains).
It is possible to scroll through the list of viruses, press the Enter key at a particular selection, and obtain a brief description of the entry. It was apparent during testing of version 2.41 that the list of viruses requires updating. VP identified several virus signatures by name which were not shown in scrolling through the list. I infer that the left side summary information is similarly questionable.

k. Version 2.41 claims to identify 920 known viruses. This represents an increase of only 2 new viruses from version 2.37. The number includes 96%, or 65 of the 68 viruses, characterized as "common" by Patricia Hoffman in her April 24, 1992 HyperText Virus Summary List. Against a suite of 606 malicious programs, including a sample of the Twelve Tricks Trojan, VP identified what it claimed it could. The suite included 53 of the 68 common viruses.

l. Under Exit one has two selections: (1) No; and (2) Yes. The option allows one to return to the DOS prompt.

m. Under Save one has one selection. Selection of the option allows one to retain automatically the selections made under Options and Report on subsequent executions of the program. If one chooses Save, the program creates a file in the program directory, "virucide.cfg".

n. A user activates VIRUCIDE SHIELD (VS) by copying the respective VP files to a hard drive and editing the autoexec.bat file to execute the command: vs. One can configure VS by the command: vscfg. When the configuration menu appears, one has four options: Sensitivity, Display, Message, and Exceptions. The version of VS shipped in the upgrade to VP was 3.13.

(1) Sensitivity offers five options. The default is for all options to be ON.
These include: (a) checking for viruses in the partition tables and boot sector of the hard drive upon booting; (b) checking for abnormal code residing in system dynamic memory or RAM; (c) checking to see if any files are opened or created under abnormal circumstances; (d) write-protecting the partition tables and boot sector of the system disk; (e) checking the boot sector of any floppy disk each time a user accesses it; and (f) allowing the continuation of operations after a virus has been detected.

(2) Display offers two options: (a) a VS sign-on screen upon booting; and (b) a "face" symbol in the upper right-hand corner of the screen when the program is running. Although the User's Guide states that the default is for both options to be ON, the readme.com file stated that the Guide was in error and that the "face" feature was OFF by default. I verified this was the case.

(3) Message offers the capability to customize the warning message displayed if VS alarms.

(4) Exceptions allows one to enter the names of files that may conflict with VS (i.e., programs that generate a Type I, or false positive, alarm for a viral signature).

o. I tested all of the VS options with these results:

(1) The feature under Sensitivity to "write-protect" the partition tables and boot sector of the system disk does not preclude infection by a boot sector virus under all conditions. For example, I ran a test in which I booted the test system from a non-system floppy disk infected with the Stoned virus. When I received the error message that this was not a system disk, I followed MS-DOS's instruction to remove the disk and strike any key. The system then booted from the hard drive. When VS executed from the autoexec.bat file, it alarmed to advise: "The disk that you booted the system with is infected with a virus. Press [enter] for VC Shield to clean the infected system." Rather than press enter, I turned the power off and then rebooted from a clean floppy system disk.
I scanned the hard drive from the floppy drive with two different virus signature detection programs, VIRUSCAN and VIRUCIDE PLUS. Both confirmed that the Stoned virus had infected the hard drive.

(2) When VS alarms for a boot sector virus, either when it checks the partition tables and boot sector during startup or when a user accesses a floppy disk, the alarm is non-specific as to the signature. Documentation for PC-RX suggests that PC-RX Virus Trap will also provide the actual name of the virus (i.e., Stoned, Azusa, etc.).

(3) I did not do any testing on triggering alarms because of "abnormal" code or circumstances. While the documentation is thin on what is actually meant by "abnormal", my capabilities are limited in this area.

(4) All other features appeared to function as documented.

5. Product Advantages:

a. The program appears to work as advertised. While viral signature detection by scanning techniques remains controversial, the methodology is effective for "known" viruses and trojan horses.

b. The free, unlimited technical support obtained with the license is a nice feature. The support on two separate occasions has been satisfactory.

c. The menu options are easy to use and eliminate the guesswork found in other comparable products. The ability to generate reports provides an audit trail record which many users and their organizations require. The audit trail is cumulative, which minimizes the potential for unintentional overwriting.

d. The window displays are informative, particularly the running count of where the program is at any given moment in its scanning.

6. Product Disadvantages:

a. Updates to the product may be too slow for certain users, particularly when one cannot add search strings for "new" malicious programs as they appear.

b. The unique arrangement by which McAfee Associates and Trend Micro Devices have copyrighted the software and Parsons Technology has licensed the property raises questions as to future support.
Both vendors have their own commercial programs for purchase. The marketplace has literally dozens of products competing for the same customers. Whether that customer base is large enough to support the number of available products, let alone competing products originating from the same source, is unknown at this time. McAfee has also marketed Virucide to another firm which sells it under the VirusCure+ name (see Product Test 48, October 1991).

7. Comments: The National Computer Security Association (NCSA) did not evaluate VIRUCIDE in its latest report on virus scanners, January 1, 1992. The report predates the shipment of VIRUCIDE PLUS.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
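Appended example, not part of PT-12 and not code from VIRUCIDE PLUS or its authors. It illustrates the scanning behaviour described in section 4, items g through i: only EXE, COM and "overlay" files (by extension, default list from 4.h, user-extensible) are scanned, and the report totals directories, EXE, COM and overlay files scanned, infected files, and the percentage infected. The signature byte strings and the sample files are constructed for the demonstration and are not real virus signatures; the hypothetical function names are my own.

```python
"""Added example: a minimal extension-filtered signature scanner with the
report totals of the detailed/short VIRUCIDE report (section 4.i). All
signatures and sample files below are constructed, not real."""
import os
import tempfile
from dataclasses import dataclass, field

# Default overlay extensions from section 4.h; the user may extend the set.
DEFAULT_OVERLAY_EXTS = frozenset({".ovr", ".ovl", ".prg", ".dat", ".bin", ".sys"})

# Constructed demo signatures (assumption): name -> byte pattern. A real
# scanner loads these from an updatable database, which is the point of 6.a.
SIGNATURES = {
    "Demo-A": b"DEMO-SIG-ALPHA",
    "Demo-B": b"DEMO-SIG-BRAVO",
}


@dataclass
class ScanTotals:
    directories: int = 0
    exe_files: int = 0
    com_files: int = 0
    overlay_files: int = 0
    infected_files: int = 0
    hits: list = field(default_factory=list)   # (relative path, signature name)

    def scanned(self) -> int:
        return self.exe_files + self.com_files + self.overlay_files

    def percent_infected(self) -> float:
        return 0.0 if self.scanned() == 0 else 100.0 * self.infected_files / self.scanned()


def classify(path, overlay_exts):
    """Return 'exe', 'com', 'overlay' or None (file not scanned at all)."""
    ext = os.path.splitext(path)[1].lower()
    if ext == ".exe":
        return "exe"
    if ext == ".com":
        return "com"
    return "overlay" if ext in overlay_exts else None


def match_signatures(data):
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_tree(root, overlay_exts=DEFAULT_OVERLAY_EXTS, subdirs=True):
    """Walk root, scan qualifying files, and accumulate report totals."""
    t = ScanTotals()
    for dirpath, dirnames, filenames in os.walk(root):
        t.directories += 1
        if not subdirs:
            dirnames[:] = []          # in-place pruning stops os.walk descending
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            kind = classify(path, overlay_exts)
            if kind is None:
                continue              # e.g. a .txt file: never opened, never scanned
            if kind == "exe":
                t.exe_files += 1
            elif kind == "com":
                t.com_files += 1
            else:
                t.overlay_files += 1
            with open(path, "rb") as f:
                names = match_signatures(f.read())
            if names:
                t.infected_files += 1
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                t.hits.extend((rel, n) for n in names)
    return t


def format_report(t, detailed=True):
    """Detailed report lists hits plus totals; short report gives totals only."""
    lines = ["Virus Analyst Report"]
    if detailed:
        lines += [f"  {p}: {n}" for p, n in t.hits]
    lines += [f"Directories scanned: {t.directories}",
              f"EXE files scanned: {t.exe_files}",
              f"COM files scanned: {t.com_files}",
              f"Overlay files scanned: {t.overlay_files}",
              f"Infected files: {t.infected_files}",
              f"Percent infected: {t.percent_infected():.1f}%"]
    return "\n".join(lines)


def build_sample_tree():
    """Constructed sample tree: two clean executables, a .txt carrying a
    signature (not scanned by default), and two infected files in a subdir."""
    root = tempfile.mkdtemp(prefix="vc_demo_")
    os.makedirs(os.path.join(root, "sub"))
    files = {
        "clean.exe": b"MZ" + b"\x00" * 64,
        "clean.com": b"\xc3" * 16,
        "notes.txt": b"DEMO-SIG-ALPHA",
        "sub/bad.com": b"\xe9\x00\x00DEMO-SIG-ALPHA",
        "sub/bad.ovl": b"DEMO-SIG-BRAVO",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    print(format_report(scan_tree(build_sample_tree())))
```

The notes.txt case is the caveat behind 4.h: an infected file with an extension outside the list is simply never opened. Adding ".txt" to the overlay set makes it a scanned (and, here, infected) overlay file, and turning off subdirectory search leaves the sub/ files unexamined.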
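Appended example, not part of PT-12 and not code from VIRUCIDE SHIELD, for the test in section 4.o(1). The floppy's boot sector code runs under the BIOS before DOS loads, so a TSR started from autoexec.bat is not yet resident when the hard drive's master boot record (MBR) is overwritten; the dependable check is the one the tester actually performed, booting from a known-clean floppy and comparing the MBR against a baseline recorded earlier. The example parses a 512-byte MBR, hashes the boot code separately from the partition table, and shows why a partition-table-only check is not enough: a typical MBR infector replaces the code region but copies the partition table intact so the machine still boots. All sector contents are constructed; a real check would read sector 0 of the drive, and the function names are my own.

```python
"""Added example: MBR integrity check of the kind run after a clean boot.
All sector bytes are constructed; nothing here reads a real disk."""
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446            # partition table: 4 entries x 16 bytes
SIG_OFFSET = 510           # 0x55 0xAA boot signature


def parse_mbr(sector):
    """Return (signature_ok, [partition dicts]) for a 512-byte sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    sig_ok = sector[SIG_OFFSET:] == b"\x55\xaa"
    parts = []
    for i in range(4):
        e = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        lba_start, sectors = struct.unpack_from("<II", e, 8)
        parts.append({"bootable": e[0] == 0x80, "type": e[4],
                      "lba_start": lba_start, "sectors": sectors})
    return sig_ok, parts


def code_digest(sector):
    """Hash only bytes 0..445, the boot code an MBR infector replaces."""
    return hashlib.sha256(sector[:PT_OFFSET]).hexdigest()


def check_mbr(sector, baseline_code_digest, baseline_parts):
    """Return a list of findings; an empty list means the MBR matches baseline."""
    findings = []
    sig_ok, parts = parse_mbr(sector)
    if not sig_ok:
        findings.append("boot signature 0x55AA missing")
    if code_digest(sector) != baseline_code_digest:
        findings.append("boot code changed")
    if parts != baseline_parts:
        findings.append("partition table changed")
    return findings


def make_clean_mbr():
    """Constructed clean MBR: placeholder boot code, one bootable partition."""
    code = (b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20).ljust(PT_OFFSET, b"\x00")
    # status 0x80 (bootable), CHS start, type 0x06 (FAT16), CHS end, LBA start, size
    entry = bytes([0x80, 1, 1, 0, 0x06, 0xFE, 0x3F, 0x7F]) + struct.pack("<II", 63, 2097152)
    table = entry + bytes(48)                  # three empty entries
    return code + table + b"\x55\xaa"


def infect_like_mbr_virus(sector):
    """Simulate an MBR infector: overwrite the code region with its own loader,
    keep the partition table and the 0x55AA signature so DOS still boots."""
    loader = b"DEMO-BOOT-INFECTOR".ljust(PT_OFFSET, b"\x00")   # constructed placeholder
    return loader + sector[PT_OFFSET:]


if __name__ == "__main__":
    clean = make_clean_mbr()
    base_digest, (_, base_parts) = code_digest(clean), parse_mbr(clean)
    print("clean  :", check_mbr(clean, base_digest, base_parts))
    print("infected:", check_mbr(infect_like_mbr_virus(clean), base_digest, base_parts))
```

Record the baseline digest and partition table while the drive is known clean, store them off the drive (for example on the write-protected boot floppy), and run the check each time the system is booted from that floppy; a "boot code changed" finding with an intact partition table is exactly the pattern the tester observed after the Stoned infection.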