*******************************************************************************
PT-23                                                              March 1991
                                                         Revised January 1992
*******************************************************************************

1. Product Description: Virex-PC is a software package to detect, disinfect and prevent computer viruses and malicious programs for the MS-DOS environment. This product test addresses version 2.0.

2. Product Acquisition: Virex-PC is available from Microcom Software Division, P.O. Box 51489, Durham, NC 27717. The telephone number is 919-490-1277. The price is $99.00. There are several third party vendors who sell single copies at a significantly reduced cost. Registered users receive discounts on product upgrades.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

   a. I acquired Version 1.0 in December 1990 for $70.00 from Telemart in Phoenix, Arizona. After I completed and mailed the registration card, Microcom shipped me Version 1.1a. I thought this was a good marketing strategy on their part, even though they were under no obligation to do so. In May 1991 I received Version 1.20 directly from Microcom. This was a surprise since I expected to have to pay for any upgrade and because I had not subscribed to their annual update service. A telephone conversation with a Microcom representative confirmed that the vendor had chosen to send out the upgrade to all registered users free of charge. I obtained version 2.0 in late October 1991 for a $25.00 upgrade charge.

   b. Product tests occurred on the following systems:
      (1) Unisys PC, Model 3137, MS-DOS 3.10, 512K; and
      (2) Zenith PC, Model 248, MS-DOS 3.30, 640K.
      The minimum hardware and software configuration is as follows: an IBM PC/XT, IBM PC/AT, IBM PS-2 or 100% compatible computer using the PC-DOS (MS-DOS) 3.X or later operating system with a minimum of 512Kb recommended.

   c. Version 2.0 represents a major revision to Virex-PC. The product now contains three separate programs: VPCScan, Virex, and VirexPro.
      (1) VPCScan. This program identifies known viruses and can repair many common viruses.
      (2) Virex. This program is a terminate and stay resident (TSR) program that alerts a user when he or she attempts to run a program infected with a known virus, or when a protected program has had its checksum signature changed.
      (3) VirexPro. This program is a terminate and stay resident (TSR) program that provides the protection of the Virex program as well as the continuous monitoring of the system for activity which may indicate malicious activity. Those monitoring activities include:
          (a) Attempts to format a disk
          (b) Attempts to write directly to a disk
          (c) Attempts by a program to terminate and stay resident
          (d) Attempts to run a program that has not been "registered" with VirexPro
          (e) Modification of a registered program's "checksum"
          (f) Attempts to perform an operation specifically prohibited for a user under customized protection
          (g) Attempts to run a program infected with a known virus

   d. Version 2.0 contains viral definitions for 542 known viruses and variations. Virex-PC claims to identify 91% (i.e., 53 out of 58) of those viruses characterized as "common" by Patricia Hoffman in her HyperText Virus Summary List, 22 December 1991.

   e. Although I do not have code for all the malicious programs which Virex-PC claims to detect, I tested the program against 605 malicious programs with these results.
      (1) The program identified 100% of the "common" viruses in the malicious program suite which it claimed that it could (i.e., 41 out of the 45 available).
      (2) The program did not identify the test sample of the Virus101.
          Since Virex-PC is the commercial version of the freely distributed detection program VIRx, this means that version 2.0 of Virex-PC is essentially at version 1.6 of VIRx. VIRx at that version had the same anomaly which the author addressed at the next release (reference PT-41, January 1992, for the current evaluation of VIRx).
      (3) The VPCScan program continues to give a Type I or false positive alarm on the executable file of another anti-viral program known as Virucide. The alarm is for the "Spanish-Telecom-2 Virus". Since another vendor also markets the identical detection and disinfection features of Virucide under the product name VirusCure+, I would anticipate a similar alarm will appear (reference PT-12 and PT-48 respectively for information on Virucide and VirusCure+). There were no alarms against McAfee's Viruscan, Skulason's F-PROT, Symantec's NAV, or the IBM Anti-Virus Product.

   f. The VirexPro TSR component performed as documented. The program alarmed under all of the stated events. The actual testing of each alert condition was not exhaustive, but rather attempted to demonstrate the operation of the alert. The documentation emphasizes that VirexPro requires a more knowledgeable user, so those in that category would in my opinion want to test for themselves the advanced features of the component.

   g. The specified prohibited operations under VirexPro produced the most alarms when I maximized the protection. For example, a user can prohibit writing to, or reading from, files. A user can prohibit deletion or renaming of files without direct authorization. The theory behind this protection is that viruses commonly attempt read, write, delete, or rename operations on user files. VirexPro alerts a user to such attempts with the option to disallow suspicious activity.
      Alarms result in an audible and visual pop-up display in which the user has the option to allow the operation to go unchecked for one time, to allow the operation to go unchecked until the program undertaking the operation exits, to disallow or "fail" the operation, or to abort the program initiating the operation. VirexPro maintains a log of all such alerts.

   h. Modification to a file's checksum includes similar options along with additional information on the current and original checksum calculated. A user can update the checksum for the file, execute the program without updating, or fail the execution of the program.

   i. Whenever a program attempts to terminate and stay resident, the user receives a pop-up warning message with the options to allow the TSR or to disallow it.

   j. These observations pertain to the VirexPro component tests.
      (1) The VirexPro log in its present format records events, but does not have facilities for on-line analysis.
      (2) If a user deletes a file, or even an entire directory of files which have a checksum established, VirexPro does not alarm. It would be advisable to utilize the file protection features in VirexPro in conjunction with checksum analysis. In this way one would receive an alert in the event an important program were about to be deleted for some reason.
      (3) There were several instances in which VirexPro alarmed as programs attempted to go TSR. Although I pressed "Y" to allow the operation, and although it appeared that the TSR had gone memory resident, the test system hung. I then had to reboot the system. It is possible to register TSRs with VirexPro to avoid this problem. Users should test all of their TSRs for possible conflicts.

5. Product Advantages:

   a. Virex-PC provides a comprehensive approach to malicious code protection in one program.

   b. The installation programs simplify the installation of the product as well as the configuration of the respective TSR elements.
      There is a capability to customize the configuration with password protection for situations in which multiple users access the same personal computer.

   c. Version 2.0 has a revised User's Guide which is a distinct improvement over the former.

6. Product Disadvantages:

   a. The cost of the product may discourage many government users who are already on tight budgets. Even if one pursued a site license agreement, it may be that the risk management assessment will not support such protection for every PC within the organization. It in fact may be appropriate to "unbundle" detection and disinfection features in many environments.

   b. Although I was led to believe by vendor representatives that version 2.0 would offer a menu-driven capability for VPCScan operations, that did not occur. For the cost of the product such a capability is not an unreasonable request.

   c. The VirexPro component offers a variety of protection capabilities which the experienced MS-DOS user will appreciate. It remains an open question as to whether the majority of users within an organization will be able to configure the TSR themselves, or whether they will be able to interpret and to respond to respective alarms.

   d. My initial enthusiasm over the vendor's efficiency in marketing has waned. It took over 6 weeks for the upgrade to arrive after my order. When it did arrive, the vendor had billed me for the upgrade and for a subscription service which I had not ordered. The saga of the credit card charge problem enters its fourth month this week.

   e. The frequency of updates has become indeterminate. Although I have been a registered user since version 1.0, I have yet to receive any information after the announcement of version 2.0. As mentioned previously, version 2.0 is now several releases behind the VIRx distribution.

7. Comments: Virex-PC provides the mechanisms to monitor attributes of change and to recognize a virus by its appearance.
   It also has an intrusion detection capability through its TSR programs. The challenge for the user remains the interpretation of what the TSR components identify as "suspicious" activity. This challenge is not unique to Virex-PC. It does reinforce the proposition that, if one chooses to acquire a product which integrates detection, disinfection and prevention, one must have a strategy for supporting users in the interpretation of alarms and probably in the actual configuration.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
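As an added illustration (not Microcom's code) of the checksum registration described in section 4.c and of the deletion gap noted in 4.j(2), the following Python builds a baseline of program checksums and then reports modified, unregistered and missing programs; SHA-256, the file names and the file contents are assumptions constructed for the example.

```python
# Checksum-based program registration, modelled on the Virex "checksum
# signature" feature described in section 4. Added example, not Microcom's
# code; SHA-256 is an assumption, since the page does not name the checksum.
import hashlib
from pathlib import Path


def register(programs):
    """Build the baseline {name: sha256 hex} for every registered program.
    `programs` maps a file name to its contents as bytes."""
    return {n: hashlib.sha256(d).hexdigest() for n, d in programs.items()}


def verify(baseline, programs):
    """Classify the current programs against the baseline:
      modified     - registered program whose checksum changed (4.c(3)(e))
      unregistered - program not in the baseline (4.c(3)(d))
      missing      - registered program gone (the gap noted in 4.j(2))"""
    current = register(programs)
    return {
        "modified": sorted(n for n in baseline
                           if n in current and current[n] != baseline[n]),
        "unregistered": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def load_dir(path):
    """Read the regular files directly under `path` into the {name: bytes}
    form above, for running the check against a real directory."""
    return {p.name: p.read_bytes() for p in Path(path).iterdir() if p.is_file()}


# Constructed sample: three registered programs, then a later state in which
# one was patched, one deleted, and one new program appeared.
BASELINE_PROGRAMS = {
    "EDIT.COM": b"MZ original editor",
    "WP.EXE": b"MZ word processor",
    "SCAN.EXE": b"MZ scanner",
}
LATER_PROGRAMS = {
    "EDIT.COM": b"MZ original editor",
    "WP.EXE": b"MZ word processor with appended code",
    "GAME.EXE": b"MZ new and unregistered",
}

if __name__ == "__main__":
    report = verify(register(BASELINE_PROGRAMS), LATER_PROGRAMS)
    for kind, names in report.items():
        print(f"{kind:12s}: {', '.join(names) or '-'}")
```

Pairing the "missing" category with the file-protection alarms in 4.g is the combination the review recommends, so that a deleted registered program is noticed as well as a modified one.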