*******************************************************************************
PT-24
July 1991
Revised May 1992
*******************************************************************************

1. Product Description:

ViruSafe is a commercial software package to detect, disinfect and prevent computer viruses and malicious programs for the MS-DOS environment. This product test addresses version 4.55.

2. Product Acquisition:

ViruSafe is available from XTREE Company, a division of Executive Systems, Inc., 4330 Santa Fe Road, San Luis Obispo, CA 93401. EliaShim MicroComputers originally developed the software. The suggested retail price for a single copy is $99.00. Site licenses are available. XTREE telephone numbers are 800-634-5545 or 805-541-0604.

3. Product Tester:

Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-5712, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I obtained an evaluation copy of ViruSafe (Version 4.02) in May 1991 from Mr. Bob Greenwald, the government account specialist for EliaShim Microcomputers. Mr. Greenwald had obtained my name and address from other Army representatives. The software arrived on a 5 1/4" write-protected disk with a 56 page User's Manual. XTREE acquired the program in late 1991. Through Mr. Greenwald I received evaluation copies of versions 4.50 and 4.55.

b. Product tests have occurred on the following systems:

(1) Unisys PC, Model 3137, MS-DOS 3.10, 512K;
(2) Unisys PC, Model 3137, MS-DOS 3.30, 640K;
(3) Zenith PC, Model 248, MS-DOS 3.30, 640K; and
(4) Zenith PC, Model 184, MS-DOS 5.0, 640K.

The minimum hardware and software configuration according to the revised 4.50 manual is as follows: an IBM PC/XT/AT or compatible computer using MS-DOS/PC-DOS (Version 3.00 and up) with 256K. A user should be advised that 256K is insufficient to run full menus. The original manual stated that 512K was necessary, which all tests have confirmed. The latest tests occurred during April-May 1992.

c. ViruSafe has several major components which a user can generally invoke from a menu or from the DOS command line:

(1) UNVIRUS.EXE performs detection and removal of known computer viruses and malicious programs.
(2) PIC.EXE records information about files and checks their integrity for signs of change. This information includes the size of the file, its contents, the date and the time.
(3) VC.EXE detects and removes viruses active in memory and in the boot sector.
(4) VS.EXE installs as a terminate-and-stay-resident (TSR) program that detects and identifies viruses when they attempt to enter memory and prevents infection of programs and boot sectors.
(5) VSCOPY.EXE performs the DOS COPY function only after it checks that what a user is attempting to copy is not infected by a known virus.
(6) VSMENU.EXE is the menu-driven utility through which a user may operate ViruSafe after installation.

d. ViruSafe has a utility for installing and uninstalling itself. The vendor has completely revised the User's Guide at version 4.50, and has significantly improved its quality and readability. Installation procedures were concise and performed as documented.

e. Version 4.55 contains viral definitions for 971 known viruses and mutations. ViruSafe claims to identify 94% (i.e., 66 out of 68) of those viruses characterized as "common" by Patricia Hoffman in her Virus Summary List, April 24, 1992.

f. Although I do not have code for all the malicious programs which ViruSafe claims to detect, it did perform satisfactorily against a suite of 606 malicious programs. The suite included 77% (i.e., 53 out of 68) of the common viruses. When ViruSafe identifies a known malicious program, it gives the user an audible and visual alarm if one has directed the program to report such information to the screen. If one chooses to have the program direct all results to a log file or to a printer, there is no audible or visual alarm. The log file option will cause results to appear on the screen; however, the screen clears automatically at the completion of the detection operation. The default scanning file extensions are .com, .exe, .ov?, and .xtp. One can easily configure the program for additional extensions.

g. The "Check and Remove" menu has various options to check only for virus signatures, to check and remove program viruses, to check and remove boot sector viruses, to check and remove all file viruses, and to check only for a virus in memory. I tested all these options, which functioned as documented. I did verify that all "check and remove" options were automatic. So, for example, if ViruSafe detects a virus in an .exe file, it will attempt to remove the virus without any further user authorization or intervention. The user will have no permanent record of the detection and removal unless he or she has asked for a printer or log file result.

h. One of the main menu options is a "List of Viruses Handled". This list identifies those viruses and malicious programs which ViruSafe can actually remove. I found this an extremely nice feature because I could determine in advance, if I chose to do so, whether ViruSafe would perform disinfection. This same option allows a user to obtain information on a known malicious program. The quality of the on-line information is nothing exceptional. In fact, there are numerous entries in which the information consists of one sentence: "No information is currently available about this virus."

i. The Program Integrity Check (PIC.EXE) option in the VSMENU offers a user these features:

(1) Mark Files
(2) List of Marked Files
(3) Check Integrity of Marked Files
(4) Recalculate Marked Files

The menu has changed from version 4.02, and appears to have a more logical design with increased speed. I tested all the options, which performed as indicated. I intentionally changed the contents and size of various files. In each case there was a notification. I must emphasize that I made no deliberate attempt to defeat the mechanism since that is beyond my capabilities. The User's Guide states that the Program Integrity Check (PIC) is a module which records "the size of the file, its 'signature' (a checksum--not to be confused with a virus signature), and the date and the time". There is no other information on what exactly this calculation entails. I am not an expert on the subject, but discussions on the Internet and on Virus-L in particular can provide any user with additional information on this rather controversial area. One might also consult the National Computer Security Association report "Product Evaluation: Programs to Detect Changes in Programs" for possible evaluation criteria.

j. The VS.EXE TSR program performed as documented. I successfully caused the program to alarm under all of the stated events. I must qualify that malicious code in my possession is limited. Any certification of 100% effectiveness is beyond my capabilities. The list of options allows one to customize protection against "unknown" malicious programs and to closely monitor system activity in general. The VS.EXE program presents a user with these options from the VS Monitor menu:

(1) Check Resident Programs (TSR) [The default is OFF.]
(2) Check Access to Program Files [The default is OFF.]
(3) Check Write to Boot Sectors [The default is ON.]
(4) Check Diskettes Infection [The default is ON.]
(5) Check Memory Infection [The default is ON.]
(6) Write Protect Hard Disk [The default is OFF.]
(7) Sound Warning Alarm [The default is ON.]
(8) Check Memory Size Changes [The default is ON.]
(9) Check Virus on Program Exit [The default is OFF.]

One can also configure the options through the VSMENU program. The VSMENU configuration, however, is slightly different. For example, it does not offer "write protect the hard disk", does not offer the "sound warning alarm", and adds an option "disable known virus access". Unfortunately neither the manual nor the on-line documentation could tell me what this last option does.

k. The VSCOPY.EXE program functioned as described in the document. I tested with boot sector, .com and .exe viruses.

l. There is an Advanced Features option in the VSMENU Virus Protection menu. I tested four of the six selections, which functioned as advertised. I did not test the selections to restore or to repair the master hard drive boot sector and partition table. The feature to add/learn virus signatures will accept either user or vendor supplied signatures.

5. Product Advantages:

a. ViruSafe provides a comprehensive approach to malicious code protection in one program. It offers detection, disinfection and prevention--a trend which most commercial vendors now follow.

b. The product had a good menu system to assist the novice user, which has only been improved with versions 4.50 and 4.55.

6. Product Disadvantages:

a. The cost of the product may discourage many users who are already on tight budgets. Even if one pursued a site license agreement, it may be that the risk management assessment will not support such protection for every PC within the organization.

b. The TSR program offers a variety of protection capabilities which the experienced MS-DOS user will appreciate. It remains an open question as to whether the majority of users within an organization will be able to configure the TSR themselves, or whether they will be able to interpret and to respond intelligently when alarms occur.

7. Comments:

Fred Cohen's original paper on his first computer virus experiments concluded that detection of viruses by their appearance or behavior was "undecidable". Yet eight years after the publication of his work, detection of viruses by their appearance and behavior remains the most common form of viral defense for the MS-DOS environment. ViruSafe provides the mechanisms to monitor attributes of change and to recognize a virus by its appearance. It also has an intrusion detection capability through its TSR program. The challenge for the user remains the interpretation of what the TSR identifies as "suspicious" activity. This challenge is not unique to ViruSafe. It does reinforce the proposition that, if one chooses to acquire a product which integrates detection, disinfection and prevention, one must have a strategy for supporting users in the interpretation of alarms and probably in the actual configuration. The National Computer Security Association has issued a report "Virus Scanners: An Evaluation", January 1, 1992. The report evaluates an earlier version of ViruSafe.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
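The Program Integrity Check described in 4.i, and the "attributes of change" point made in the Comments, as an added example that is neither ViruSafe's nor XTREE's code: a small Python baseline tool with PIC's four operations (mark, list, check, recalculate). The User's Guide says PIC records size, a checksum "signature", date and time, but not which checksum it computes; the 16-bit additive checksum below is an assumption chosen to show why that detail is the controversial part. The sample file, the tampering routine and every function name are constructed for this illustration.

```python
"""PIC-style integrity baseline: mark, list, check, recalculate.

Added example; this is not ViruSafe's code.  The page says PIC records each
file's size, a checksum "signature", date and time, but not which checksum.
The 16-bit additive checksum below is an assumed weak signature used to show
the failure mode; SHA-256 is the alternative a practitioner would use today.
"""
import hashlib
import os
import tempfile


def additive_checksum(data: bytes) -> str:
    """Assumed weak signature: sum of all bytes, modulo 65536, as 4 hex digits."""
    return f"{sum(data) & 0xFFFF:04x}"


def sha256_signature(data: bytes) -> str:
    """Cryptographic signature: any byte change alters the digest."""
    return hashlib.sha256(data).hexdigest()


def record(path, signature):
    """The attributes PIC records: size, signature, and modification time."""
    with open(path, "rb") as fh:
        data = fh.read()
    st = os.stat(path)
    return {"size": st.st_size, "sig": signature(data), "mtime": st.st_mtime_ns}


def mark_files(paths, signature):
    """'Mark Files': build the baseline for the given paths."""
    return {path: record(path, signature) for path in paths}


def list_marked(baseline):
    """'List of Marked Files'."""
    return sorted(baseline)


def check_integrity(baseline, signature):
    """'Check Integrity of Marked Files': paths whose attributes changed or that vanished."""
    return [path for path, saved in baseline.items()
            if not os.path.exists(path) or record(path, signature) != saved]


def recalculate(baseline, signature):
    """'Recalculate Marked Files': accept the current state as the new baseline.
    Only do this after confirming the change was legitimate (e.g. an upgrade)."""
    return mark_files(list_marked(baseline), signature)


def tamper_preserving_checksum(path):
    """Constructed tampering that keeps size, additive checksum and timestamp.

    Byte 0 goes up by one and byte 1 down by one, so the byte sum is unchanged;
    the original timestamps are put back afterwards.  Raises if either byte
    would wrap, because that would change the sum.
    """
    st = os.stat(path)
    with open(path, "r+b") as fh:
        head = bytearray(fh.read(2))
        if head[0] == 0xFF or head[1] == 0x00:
            raise ValueError("chosen bytes would wrap; pick another pair")
        head[0] += 1
        head[1] -= 1
        fh.seek(0)
        fh.write(head)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Baseline a constructed sample file both ways, tamper with it, re-check.

    Returns a dict: the additive baseline flags nothing after the tampering,
    the SHA-256 baseline flags the file, and once the SHA-256 baseline is
    recalculated the check is clean again.
    """
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "SAMPLE.EXE")
        with open(target, "wb") as fh:
            fh.write(b"MZ" + bytes(range(256)) * 4)  # constructed, not a real program
        weak = mark_files([target], additive_checksum)
        strong = mark_files([target], sha256_signature)
        clean = (check_integrity(weak, additive_checksum),
                 check_integrity(strong, sha256_signature))
        tamper_preserving_checksum(target)
        result = {
            "clean_before_tamper": clean == ([], []),
            "weak_flags": check_integrity(weak, additive_checksum),
            "strong_flags": check_integrity(strong, sha256_signature),
        }
        strong = recalculate(strong, sha256_signature)
        result["strong_flags_after_recalc"] = check_integrity(strong, sha256_signature)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the weak baseline reporting nothing while the SHA-256 baseline flags SAMPLE.EXE, even though size and timestamp agree in both cases. That is the substance of the controversy the text refers to: a checker is only as good as its "signature", and a change that preserves a weak checksum along with size and date passes unnoticed. A cryptographic hash closes that gap for the file contents; the baseline itself still needs to live somewhere the intruder cannot rewrite, such as write-protected media.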