Date: Thu, 20 Feb 92 10:26:56 MST
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revised Product Test 17, F-PROT, Version 2.02D

*******************************************************************************
PT-17                                                              August 1990
                                                         Revised February 1992
*******************************************************************************

1. Product Description: F-PROT is a program designed to provide malicious program detection, disinfection, and protection. This product test addresses version 2.02D, 7 February 1992.

2. Product Acquisition: F-PROT is a shareware program distributed by Fridrik Skulason, Box 7180, IS-127 Reykjavik, Iceland. Mr. Skulason has posted F-PROT on a number of Internet sites. The program is on the USAISC-White Sands host simtel20. With version 1.14 the program became free if a user utilizes it on a single personally-owned computer. There is a registration fee for commercial and government users. Site licenses are available, as are discounts for multiple-copy registrations. The path on simtel20 [192.88.110.20] for anonymous ftp downloading is: pd1:.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

   a. I obtained a copy of F-PROT from our simtel20 MS-DOS repository in mid-1990. The first version tested was 1.07. I have continued to download updates, the most current version being 2.02D.

   b. I tested the product initially on a Unisys PC, Model 3137, MS-DOS 3.10, 512K. I have subsequently conducted additional tests on IBM, Gateway, Wyse and Zenith platforms running MS-DOS 3.3 and 4.0 without any difficulties. Certain problems have arisen on systems with MS-DOS 5.0 configurations.

   c. Version 2.0 represented a complete redesign of the program. For the first time a menu interface became available. There was also a major consolidation of several programs into two:

      (1) F-PROT.EXE is the main program, which provides malicious program detection, disinfection and information. Version 2.02 changed the name of this program from F2.EXE back to its previous name.

      (2) VIRSTOP.EXE is the terminate-and-stay-resident (TSR) program which prevents the execution of programs infected with known malicious code.

   d. I tested both of these programs, which appeared to function as described in the documentation. I used the "semiautomatic" installation feature without any difficulties. I did limited testing of F-PROT.EXE on a 10Net network configuration. Version 2.02D will run under Windows 3.0, but it is not a Windows application. I did not test any Windows configuration.

   e. Version 2.02D claims to identify 100% (i.e., 58 out of 58) of those viruses characterized as "common" by Patricia Hoffman in her HyperText Virus Summary List, 22 December 1991. The documentation identifies 338 families of viruses, with each family having between 1 and 50 variations. Detection operations against a suite of 605 malicious programs had these results:

      (1) The F-PROT.EXE program successfully identified 100% of the "common" viruses in the test suite, or 45 samples.

      (2) Results against the remaining samples confirmed that the program can detect what it claims.

      (3) Version 2.02D also claims to identify 8 specific trojan horse programs. The program did identify my test sample of the Twelve Tricks Trojan. The Twelve Tricks Trojan has been thoroughly examined by a number of reputable sources who have documented their analysis in the public domain. I have seen few sighting reports on the trojan during the last year, but must defer to the experts who collect such statistical information and consider it to be a threat.

   f. A user executes the F-PROT program by the command F-PROT and a carriage return. The program does an integrity check of itself and then scans memory for known viral signatures.
At version 2.02D a user cannot abort the memory scanning by pressing the ESC key. This feature had been available at version 2.0. A menu with five selections appears:

      (1) Scan
      (2) Install
      (3) Viruses
      (4) Program
      (5) Quit

   One chooses a selection by entering the first letter of the selection, or by using the arrow keys and a carriage return. The program author has identified mouse support as a possible future enhancement. Selection of settings and options follows the same convention.

   g. The Scan selection presents five settings which offer a variety of options:

      (1) Method: Secure Scan, Quick Scan, Heuristics
      (2) Search: Hard Disk, Diskette Drive, Network, User-Specified
      (3) Action: Report Only, Disinfect/Query, Automatic Disinfection, Delete/Query, Automatic Deletion, Rename
      (4) Target: Boot Sectors, File Viruses, Trojan & Joke Programs, User-Defined Strings, Packed Files
      (5) Files: Standard Executables, User-Specified

   I tested all the options with the exception of Target (User-Defined Strings). There was only one problem encountered: namely, when I attempted to use the menu format to select "Trojan & Joke Programs" under the Target option, the program would not select the option. I was able to run F-PROT at the command line (i.e., f-prot /trojan), which did allow me to activate the "Trojan & Joke Programs" definitions. I then saved this configuration setting without any difficulty. The Target options have changed slightly since version 2.0.

   h. The Install selection presents four options:

      (1) Language: The current shareware version supports English. Program documentation states that a German version is under development, with additional languages planned for the end of 1991.
      (2) Setup: Sorts the list of known viruses by column or line
      (3) Install: Copies the program to hard disk
      (4) VIRSTOP.EXE: Installs or removes VIRSTOP.EXE

   i. The Virus selection presents two options:

      (1) Information: Provides information on known viruses
      (2) New Signatures: Allows a user to add, delete and list user-defined hexadecimal search patterns

   The main issue under this selection is that the Information option may not always show all the viruses which F-PROT can detect. I verified this fact with the author, who indicated he was addressing it. One can also read the "whatsnew" file distributed with each release for a complete overview.

   j. At version 2.02 the Analysis option, available as a separate selection at version 2.0, has become part of the Scan selection. It is now identified as the "heuristic" scanning option. Heuristic analysis attempts to report on suspicious code by monitoring for generic activities common to actual viruses. A user may receive various messages when suspicious code is found. Tests of the heuristic feature had these results:

      (1) Against 45 files infected with known viruses, heuristic scanning generated a warning message for 44. The one exception was a file infected with the Virus-101. There was no message for suspicious code, although the Secure Scan option correctly identified the infection.

      (2) 80% of the messages were: "This program contains several features which are normally only found in virus programs. It is almost certainly virus-infected." Three other messages accounted for the remaining 20%. These additional messages were less strident, but sufficient in my opinion to cause a user to think twice before executing the program.

      (3) Heuristic scanning generated an appropriate boot sector warning message against all boot sector virus samples.

      (4) Heuristic scanning has a problem with certain security-related programs which provide boot protection. On several programs such scanning generated this message: "The Partition Boot Sector contains invalid information. This may indicate a virus infection or just a corruption. This boot sector is not an usual DOS boot sector.
It may be infected with an unknown virus or just formatted by some other program other than FORMAT.COM".

   k. The Program selection provides information on the author, cost, performance and updating of F-PROT.

   l. The Quit selection exits the program. One can also use the ESC key to exit the program.

5. Product Advantages:

   a. F-PROT presents a comprehensive approach to malicious program detection, prevention and treatment.

   b. The product is cheap under the current licensing plan. Version 2.02D documentation states that a site license for 10,000 systems would cost $.25 per system for one year.

   c. Distribution over the Internet is reliable.

   d. The menu-driven interface makes it easy for users to choose a variety of options, including printing reports on detection operations.

   e. Readers of VIRUS-L and RISKS FORUM will recognize that the author, Mr. Skulason, appears to be extremely knowledgeable and articulate as a viral researcher.

6. Product Disadvantages:

   a. The Internet carried messages indicating compatibility problems between version 2.0 and certain DOS flavors. Mr. Skulason acknowledged those issues and delivered several updates. Internet discussion suggests that additional conflicts have been documented. The historical pattern is that Mr. Skulason will address these as time permits.

   b. The heuristic scanning feature can generate 20 different warning messages. The typical user, such as myself, will have to rely on someone with more expertise to actually investigate the code causing the alarm. The author has not provided, perhaps with good reason, the rules which govern the heuristic analysis. For this reason one might have questions on how well-constructed these rules are.

   c. Although it is possible to contact Mr. Skulason over the Internet, program support is informal and perhaps untimely for certain users. There are also a large number of commercial and government users for whom the Internet is still a mystery.

   d. There is always the potential that Mr. Skulason will simply be unable to support the program in the future.

7. Comments: It seems reasonable that one would stockpile at least two virus protection programs to ensure continuity of operations in the event one program source either terminated support or was no longer available. Two programs also give one a better opportunity to confirm an infection and to eliminate the possibility of a false alarm. Since F-PROT is the creation of a single individual, commercial and government organizations should recognize the real potential for the interruption of support. This consideration in no way diminishes the apparent effectiveness of the program.

   The heuristic scanning feature represents an innovative approach to malicious code detection. While there are obviously "bugs" in any experimental work, this feature represents the next level of malicious program detection suggested in Catherine Young's paper "A Taxonomy of Computer Virus Defense Mechanisms". The National Computer Security Association (NCSA) evaluated version 2.0 of F-PROT in its latest report on virus scanners, January 1, 1992.

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   DATE            PRODUCT
PT-3                  November 1989   VIRUSCAN (MS-DOS) (Revised September 1991)
PT-11                 June 1990       AVSEARCH, 2.24 (MS-DOS) (Revised February 1991)
PT-12                 June 1990       VIRUCIDE (MS-DOS) (Revised February 1992)
PT-23                 March 1991      VIREX-PC (MS-DOS) (Revised February 1992)
PT-24                 July 1991       VIRUSAFE (MS-DOS)
PT-27                 May 1991        FLU-SHOT+, 1.81 (MS-DOS)
PT-28                 February 1991   NORTON ANTIVIRUS (MS-DOS) (Revised October 1991)
PT-34                 April 1991      IBM ANTI-VIRUS, version 2.1.5 (MS-DOS & OS/2) (Revised December 1991)
PT-36                 June 1991       CENTRAL POINT ANTI-VIRUS (MS-DOS)
PT-39                 August 1991     THUNDERBYTE SCANNER (MS-DOS) (Revised December 1991)
PT-41                 July 1991       VIRx (MS-DOS) (Revised February 1992)

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
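The boot sector warning described under 4.j(4) arises because a heuristic scanner judges whether a sector has the layout of a usual DOS boot sector, and a boot-protection product that installs its own sector does not. The following Python example is added here and is not part of the original product test or of F-PROT: it applies structural plausibility checks of that kind (the rules are the example's own assumptions, since F-PROT's heuristics are not published) to three constructed sectors, including one standing in for a boot-protection product's custom sector, to show how a legitimate but non-standard sector is flagged while a damaged one is reported differently.

```python
import struct

SECTOR_SIZE = 512
# BPB fields at offset 11: bytes/sector, sectors/cluster, reserved sectors,
# FAT count, root entries, total sectors, media descriptor, sectors/FAT
BPB_FORMAT = "<HBHBHHBH"

def boot_sector_anomalies(sector: bytes) -> list:
    """Return the structural anomalies found; an empty list means the sector has
    the layout of a usual DOS boot sector.  These are this example's own
    plausibility rules (assumed; F-PROT's heuristics are not published)."""
    found = []
    if len(sector) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    if sector[510:512] != b"\x55\xAA":
        found.append("missing 55AA boot signature")
    # DOS boot code opens with JMP SHORT + NOP (EB xx 90) or JMP NEAR (E9) over the BPB
    if not ((sector[0] == 0xEB and sector[2] == 0x90) or sector[0] == 0xE9):
        found.append("no jump over BIOS Parameter Block at offset 0")
    if not all(0x20 <= b < 0x7F for b in sector[3:11]):
        found.append("OEM name is not printable ASCII")
    bps, spc, reserved, fats, _root, _total, media, spf = struct.unpack_from(BPB_FORMAT, sector, 11)
    if bps not in (512, 1024, 2048, 4096):
        found.append("implausible bytes per sector %d" % bps)
    if spc == 0 or spc & (spc - 1):
        found.append("sectors per cluster %d is not a power of two" % spc)
    if reserved == 0 or fats not in (1, 2) or spf == 0:
        found.append("reserved-sector, FAT-count or sectors-per-FAT field is unusual")
    if media != 0xF0 and media < 0xF8:
        found.append("media descriptor 0x%02X is not a DOS value" % media)
    return found

def build_sector(head: bytes, bpb: bytes, signature: bytes = b"\x55\xAA") -> bytes:
    """Assemble a 512-byte sector from its leading bytes; the rest is zero-filled."""
    return (head + bpb).ljust(510, b"\x00") + signature

# Constructed samples (no real boot code inside):
# 1. plausible 1.44 MB floppy boot sector with a standard BPB
DOS_BPB = struct.pack(BPB_FORMAT, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
DOS_FLOPPY = build_sector(b"\xEB\x3C\x90MSDOS5.0", DOS_BPB)
# 2. a boot-protection product's own sector: valid signature, but custom code
#    where DOS keeps the jump, OEM name and BPB (the false-positive case)
PROTECTED = build_sector(b"\xFA\x31\xC0\x8E\xD8PROTECT!", b"\x00" * 13)
# 3. the DOS sector with its 55AA signature overwritten ("invalid information")
DAMAGED = build_sector(b"\xEB\x3C\x90MSDOS5.0", DOS_BPB, signature=b"\x00\x00")

if __name__ == "__main__":
    for name, s in (("DOS floppy", DOS_FLOPPY), ("boot protection", PROTECTED), ("damaged", DAMAGED)):
        print(name, "->", boot_sector_anomalies(s) or "usual DOS boot sector")
```

A warning from a sector that merely fails the layout checks, as the boot-protection sample does, is worth confirming against the product known to be installed before treating it as an infection.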