From: Chris McDonald STEWS-IM-CM-S (3/11/93)
To: /usr/cmcdonal/maillist:@wsmr-em
CC: /usr/cmcdonal/virrevlist:@wsmr-
Subject: Revised Product Test, PT-20, SAM, version 3.5.1

******************************************************************************
PT-20 Revised March 1993
******************************************************************************

1. Product Description: Symantec AntiVirus for Macintosh (SAM) is a commercial software program for the prevention, detection, and elimination of viruses and certain trojan horse programs for the Macintosh. This product test addresses version 3.5.1 with virus definitions through February 22, 1993.

2. Product Acquisition: SAM is available from Symantec Corporation, 10201 Torre Avenue, Cupertino, CA 95014-9854. Site licensing arrangements are available. Symantec's telephone number is 800-441-7234. Mail order firms typically sell a single copy for around $63.00 to $75.00.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548, DDN cmcdonald@wsmr-simtel20.army.mil; and Robert Thum, Systems Administrator, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7739, DDN rthum@wsmr-emh34.army.mil.

4. Product Test:

a. I obtained a copy of SAM, version 2.0, in October 1990 from MacWarehouse in Lakewood, NJ for $67.00. I upgraded to version 3.0 and subsequently to version 3.5.1 directly from Symantec. With version 3.0 one obtained the capability to add viral and other malicious code definitions without the requirement for a formal update. I have successfully downloaded such definitions from the Symantec BBS (408-973-9598) and from Internet sites.

b. Tests have occurred on a variety of Macintosh platforms running System 6.0.5, System 6.0.7 and System 7.0. The most recent tests extended from February 22 through March 10, 1993.

c.
The program has two primary components: (1) SAM Intercept; and (2) SAM Virus Clinic. SAM Intercept is the prevention program. It loads into memory when one starts the system and monitors for any activity that might indicate "the presence of a virus" or other "suspicious" activity. SAM Virus Clinic is the viral detection and disinfection program. One can scan files, folders, hard disks or volumes for known malicious code; repair or delete infected files; protect files from viral infection; and add or delete virus or malicious program definitions.

d. One receives a revised User's Guide & Reference with version 3.5. The guide identifies these enhancements.

(1) Enhanced User Interface. Both SAM Intercept and SAM Virus Clinic have a "new" look. It is somewhat subjective as to whether or not it is "easier to see" certain items or to select certain options. Those who are already familiar with SAM will probably be the least impressed.

(2) Scan Compressed Files. SAM will now uncompress and scan files compressed by CompactPro, CompactPro (SEA), Stuffit Classic, Stuffit Deluxe, and Stuffit Deluxe (SEA). This represents a first for Macintosh anti-viral tools.

(3) SAM Scheduler. One can now schedule unattended virus scans of a folder, a volume, or volumes. SAM Virus Clinic will perform its scan in the background if one has opened another task.

(4) Automatic Installation Program. The SAM Installer has been dramatically updated. One can scan and repair the installation target volume before installation. The Installer handles first-time installation as well as upgrades. One has the option of either an Easy Install of all SAM modules or a so-called Custom Install of selected SAM modules.

(5) Increased Virus Protection Under System 7. The User's Guide states that "the technology has been strengthened so that SAM monitors suspicious activities more closely under System 7". There is a touch of perhaps "security through emphatic assertion" on this point. While the User's Guide does a good job of describing the 14 different categories of suspicious activities, it is not at all clear how monitoring under System 7 differs from monitoring under System 6.0.5 or System 6.0.7. Since documentation for earlier versions of SAM addressed basically these same categories, perhaps only a true "technocrat" is qualified to evaluate the accuracy of the claim.

(6) Increased Software Installation Compatibility. SAM Intercept is "now more aware of how other installation programs function". It is not unusual for a program to specifically direct that one disable all anti-viral programs prior to its installation. The intent is obviously to address the installation of other programs without having to deinstall one's protection.

(7) Password Protection for SAM Virus Clinic Features. One can now password-protect scan and protection options. This obviously has advantages in an enterprise which requires mandatory invocation of viral protection and a degree of uniformity in its installation process.

(8) Updated and Expanded On-Line Help. Balloon Help is fully supported under System 7.

(9) Ability to Install Over a Network. Customers who purchase multi-user packs and site licenses receive a Symantec Network Installer for Macintosh. With this Installer a system administrator may install and upgrade SAM on multiple platforms connected to an AppleTalk network.

e. The Automatic Installation Program functioned as documented. I chose the Custom Install and experienced no difficulties.

f. I tested SAM Virus Clinic and SAM Intercept against a test suite of malicious programs. The test suite included these samples: Scores, nVir (A & B), Init 29, Anti (A & B), MacMag, WDEF (A & B), Zuc (A, B & C), MDEF (A, B, C & D), Frankie, MBDF (A & B), Init 1984, ChinaTalk, Tetracycle, Code 252 and T4 (A, B & C). Both components had a 100% detection rate against the samples, and performed disinfection or removal operations as described in the documentation.

g.
The performance of the two components remained uniformly high. One reviewer in a recent MacUser article stated that the scanning "speed" of SAM had increased some 20% in his tests. I personally did not experience any significant increase from earlier versions.

h. The number of options for both components remains impressive. The novice as well as the experienced user will feel equally comfortable. There are four different prevention levels for SAM Intercept: Basic, Standard, Advanced and Custom. The documentation does a decent job in describing the distinctions in monitoring for suspicious activity. Clearly one needs to know what represents "normal" operation for the software installed so as to prepare for whatever SAM Intercept alerts may arise. In a large enterprise where one has the ability to provide technical support in the event of alerts, it is probably smart to set stringent monitoring options with mandatory invocation. In those cases where an individual user has to sort out an alert message without the ability to reference an in-house expert, one should seriously consider configuring SAM Intercept to minimize alerts.

i. SAM Virus Clinic provides a multitude of scanning options which have always appeared to function as documented. For example, one can choose either a comprehensive or a limited scan. A comprehensive scan examines all files that contain a resource fork or a data fork that might be infected by a virus. A limited scan examines only executable files (applications, system extensions, system files, desktop files, and HyperCard documents). There is also an option to compute checksums during a scanning operation which, in conjunction with SAM Intercept, might be a practical defense against "new" or unknown malicious code.

j. Audit trails are available for both components, and have always performed well.

k. I did not evaluate the "protection options" under the SAM Virus Clinic component. This protection is different from that provided by SAM Intercept. Essentially a user has three options. The first option is to inoculate specific files. When a user opens an inoculated file, SAM Intercept recomputes the data and compares it to the original data written by SAM Virus Clinic. If the data matches, the file is assumed to be fine. If the data does not match, SAM Intercept issues an alert. The second option is to protect CODE resources. One chooses to set the protect attribute of each CODE resource in a file so that the resource cannot be modified. The documentation states that this technique "can stop some viruses from infecting the application". The third option is to lock an application, similar to clicking the Locked checkbox in an application's Get Info window. The documentation states that "sometimes locking an application will stop a virus from infecting a file". I lack the technical qualifications to test these options. It is evident that generally files do not modify their own code. Therefore, modification may be a good indication of suspicious activity. My sense is that for most users options two and three will potentially present a host of problems for those who are unfamiliar with an application's operation. I include myself in that category.

5. Product Advantages:

a. The effectiveness of SAM to detect known computer viruses and other malicious software has been verified. While I have seen no other independent tests of Macintosh anti-viral tools outside of MacWeek, MacWorld, MacUser, and my own, the trade publications have consistently rated SAM as an excellent product.

b. The user's manual is an excellent document, particularly in its description of the various user-defined configuration options and in its use of actual screen displays.

c. Technical support is available for registered users. Several users from commercial firms have commented to me on their satisfaction with the technical support.

d.
The user has the option to "Add" virus definitions for both the Virus Clinic and the SAM Intercept components. This means that as new viruses or malicious programs appear it is not necessary to pay an additional fee to upgrade SAM. The vendor has several options for users to receive the necessary information to upgrade themselves at no direct cost. Adding a definition is simple.

6. Product Disadvantages:

a. The sheer number of protection features demands that management decide what options will or will not be utilized in an enterprise. Unfortunately "management" may be ill-equipped to make such decisions unless someone in the organization is familiar with SAM's components, and can provide technical assistance to facilitate an informed decision.

b. The variety of protection options for both of SAM's components will in my opinion require user training. There are few Macintosh users, and I include myself, who know enough about system software and applications to understand the actual theory behind what constitutes "suspicious" activity. While SAM's default protection settings may be appropriate for most, there probably are environments where Advanced and Custom levels of protection will be advantageous. In those instances a formal user training program would be essential.

7. Comments: Those familiar with Fred Cohen's original paper on computer viruses, "Computer Viruses: Theory and Experiments", should be struck by how SAM builds its protection options on several of the "undecidable problems" which appear at the end of the paper. While continuity of operations is an important consideration, redundancy of software options in the Macintosh world is facilitated by the design of available commercial products, which has been driven by the system architecture. There are also robust freeware (Disinfectant) and shareware programs (Gatekeeper/Gatekeeper Aid and VirusDetective) which can complement any information system security effort.
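The checksum defenses described in paragraphs 4.i and 4.k above (a baseline written by SAM Virus Clinic at inoculation, recomputed by SAM Intercept when the file is opened, with an alert on mismatch) are a file-integrity check of the kind Cohen's paper motivates: one cannot decide in general whether code is viral, but one can detect that code which "does not modify its own code" has changed. The walk-through below is an added example written for this review and is not SAM's or Symantec's code. SAM's actual checksum routine is not described on this page, so SHA-256 is assumed as the digest; the baseline file name `inoculation.json`, the sample application contents and the simulated infection are all constructed for the demonstration. Classic Macintosh files also carried a resource fork holding the CODE resources mentioned in 4.k; this example hashes only the single byte stream a modern filesystem exposes.

```python
"""Added example: file inoculation and open-time verification (not SAM code)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: SHA-256 stands in for SAM's undocumented checksum routine.
CHUNK = 65536


def file_digest(path: Path) -> str:
    """Hash the file's byte stream in chunks so large files need little memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def inoculate(paths, baseline_file: Path) -> dict:
    """The Virus Clinic step: record a digest for each file in a baseline."""
    baseline = {str(p): file_digest(Path(p)) for p in paths}
    baseline_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))
    return baseline


def check_on_open(path: Path, baseline_file: Path) -> str:
    """The Intercept step: recompute on open and compare with the baseline.

    Returns "ok", "ALERT: modified since inoculation", or "not inoculated"
    (a file with no baseline entry cannot be vouched for either way).
    """
    baseline = json.loads(baseline_file.read_text())
    recorded = baseline.get(str(path))
    if recorded is None:
        return "not inoculated"
    if file_digest(Path(path)) == recorded:
        return "ok"
    return "ALERT: modified since inoculation"


def run_demo() -> dict:
    """Constructed walk-through: inoculate, open clean, infect, open again."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        app = workdir / "SampleApp"  # constructed stand-in for an application
        app.write_bytes(b"\x00CODE\x00original application code")
        baseline_file = workdir / "inoculation.json"

        inoculate([app], baseline_file)
        clean = check_on_open(app, baseline_file)

        # Simulate a file infector appending code to the application.
        with app.open("ab") as f:
            f.write(b"\x00VIRUS\x00appended payload")
        infected = check_on_open(app, baseline_file)

        # Re-inoculation trusts whatever is on disk now, so it must only
        # follow a scan or a known-good update; here it would bless the payload.
        inoculate([app], baseline_file)
        reinoculated = check_on_open(app, baseline_file)

        other = check_on_open(workdir / "NeverInoculated", baseline_file)
        return {"clean": clean, "infected": infected,
                "reinoculated": reinoculated, "other": other}


if __name__ == "__main__":
    for step, result in run_demo().items():
        print(f"{step:13s} {result}")
```

Two caveats follow directly from the cycle. A mismatch says only that the file changed, not why, so every legitimate application upgrade forces a re-inoculation, which is the source of the user confusion the review anticipates in 4.k; and the baseline itself has to be protected from the same attacker, which is what the password protection of Virus Clinic options in 4.d(7) is for in an enterprise setting.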
An intelligent strategy would be to have at least two separate programs available for use within an enterprise for defense against malicious programs. The flexibility of dual products can provide both financial and technical advantages. It also provides protection in the event one program for whatever reason ceases to be available.

There are many issues in the acquisition and use of viral detection tools. Interested readers may consult the Proceedings of the National Computer Security Association's 2nd International Virus Prevention Conference & Exhibition, February 1993, for several papers on the subject, including one entitled "Selecting an Anti-Virus Product". The National Institute of Standards and Technology, Computer Security Division, has issued Special Publication 800-5, "A Guide to the Selection of Anti-Virus Tools and Techniques", December 2, 1992. The publication is available for anonymous ftp from the NIST host 129.5.54.11 in the path /pub/nistpubs. One may also call Ms. Dianne Ware, NIST, at 301-975-2821 for one free copy.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   PRODUCT
PT-9                  DISINFECTANT
PT-10                 VIREX
PT-30                 VIRUSDETECTIVE/VIRUSBLOCKADE II
PT-32                 MACTOOLS
PT-44                 RIVAL
PT-53                 GATEKEEPER/GATEKEEPER AID