*******************************************************************************
                                   PT-25
                                  May 1992
*******************************************************************************

1. Product Description:

Dr. Solomon's Anti-Virus Toolkit is a collection of programs for the detection, removal, and prevention of malicious program activity. This product test addresses version v5.55, February 1992.

2. Product Acquisition:

Dr. Solomon's Anti-Virus Toolkit is copyrighted by S&S International, Berkley Court, England. The commercial program is available in the United States from Ontrack Computer Systems, 6321 Bury Drive, Suite 16-19, Eden Prairie, MN 55346. Their telephone number is 612-937-1107; the FAX number is 612-937-5815. The Toolkit cost is $149.00 for a single copy, with an additional fee for two different types of update services. Site licenses are available. The program is also available through software mail order firms at a significantly reduced cost for a single copy.

3. Product Tester:

Chris Mc Donald, Computer Systems Analyst, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I obtained a 30 day evaluation copy from Ontrack Computer Systems in late March 1992. The invoice identified the version shipped as V5.55. I did observe, however, that individual programs in the Toolkit have varying version numbers displayed. I never saw a "V5.55" on any of the programs actually examined.

b. Product testing occurred on the following system: Zenith PC, Model 248, MS-DOS 3.30, 640K. The test period extended from 6-17 April 1992.

c. The Toolkit provides more programs than most users will ever use. Robert Slade, whose review of the product is available from CERT, has commented that the Toolkit offers an expert user a wealth of options. I agree completely with that opinion. Since most users--and I include myself--are not experts, this may be of some significance for many organizations.

d. Toolkit.exe is the menu-driven interface which integrates the majority of the programs. One enters the menu by the command: toolkit. One can also execute all programs from the command line. The following is a brief description of the major individual programs.

   (1) Author.com is a utility intended for use with VirusGuard to mark diskettes with an authorization code. If a user chooses, only diskettes with an authorization code can be accessed without causing an alarm.

   (2) Checkmem.exe provides a memory map of the system, mapping those items which use MS-DOS approved methods for memory residency (available from the menu).

   (3) Chkvirus.exe (CheckVirus) detects changes in executable files (i.e., .com, .exe, .sys, .ovl, or .bin files) which may reflect a virus infection. The program also detects changes in the boot sector and in the partition sector (available from the menu).

   (4) Cleanboo.exe (CleanBoot) replaces the boot sector on a disk with a valid, non-infected boot sector (available from the menu).

   (5) Cleanpar.exe (CleanPart) diagnoses and repairs partition sectors (available from the menu).

   (6) Findviru.exe (FindVirus) performs the basic virus signature search of the boot sector, the partition sector, and files. The default file extensions checked are .com, .exe, .bin, .sys, .ovl and .ovr. The program checks files which are hidden, system, and read only (available from the menu).

   (7) Guard.com and Guardem.com form the VirusGuard program. VirusGuard is a memory resident program which alarms in the presence of known malicious code (i.e., code which Findviru.exe recognizes).

   (8) Nofloppy.com offers write protection or read-and-write protection for all floppy drives.

   (9) Nohard.com offers write protection for the hard drive.

   (10) Peeka.exe permits the inspection of boot sectors of floppy diskettes as well as the boot sector and partition record of hard drives (available from the menu).

   (11) Qcv.exe (QuickCheckVirus) serves the same purpose as CheckVirus, but only detects changes in file size, date or time. It is "quicker" than CheckVirus (available from the menu).

   (12) Shred.exe performs a three-time overwriting of selected files (available from the menu).

   (13) Unvirus.exe provides disinfection of known malicious signatures, where possible (available from the menu).

e. FindVirus claims to identify 1230 known viruses. The number includes 98%, or 67 of the 68, viruses characterized as "common" by Patricia Hoffman in her April 24, 1992 HyperText Virus Summary List. Against a suite of 606 malicious programs, FindVirus identified what it claimed it could. The suite included 53 of the 68 common viruses. [NOTE: The virus naming convention of FindVirus has several differences from those adopted by U.S. vendors.]

f. Menu options for FindVirus were straightforward. One can specify the search path, generate audit records, and scan multiple floppy disks. All options performed as documented.

g. CheckVirus calculates a unique signature for each executable. The menu options provide several alternatives to speed up the signature calculations as well as to enhance the strength of the calculations to resist an attack on the program's algorithm. While I am not in a position to evaluate the effectiveness of such alternatives, it was noteworthy that the vendor's documentation did address the issue of a malicious program attack on the signature strategy. Many other commercial vendors avoid any discussion.

h. I created a signature.dat file for the hard disk of the test system. I then altered and deleted files to test the ability of CheckVirus to alarm upon a change. The program performed as documented. There was no attempt made to consciously defeat the checksum calculation. I did note that in order to legitimately update the signature of an individual file one must recompute the signatures for all files.

i. QuickCheckVirus (QCV) has the same function as CheckVirus, but only looks for changes in the size, date and time of an executable file. While the documentation emphasizes that this is less secure than CheckVirus, there is a dramatic increase in speed. The QCV options functioned as documented. QCV ran in 3 seconds versus 32 seconds for CheckVirus on the same test files.

j. VirusGuard is essentially a memory-resident version of FindVirus. One activates the TSR by the command: guard. One can also include the command in the autoexec.bat file. Documentation stated that the vendor either has or will soon have a guard.sys implementation to load in the boot sequence before command.com. The TSR is an extremely small program in comparison to other comparable commercial products. VirusGuard appeared to function as documented in that it alarmed whenever I attempted to run a program infected with a known malicious signature. It would also identify boot sector viruses on floppy disks if I simply did a "dir" of the floppy disk. There was no attempt to intentionally defeat the TSR.

k. I verified the functionality of the remaining programs with the exception of author.com. All performed as documented.

5. Product Advantages:

a. Dr. Solomon's Toolkit has excellent detection and disinfection capabilities for known malicious signatures. Other testing agencies, such as the National Computer Security Association (NCSA) and the Virus Test Center, give it high marks.

b. The menu interface, with the possible exception of the CheckVirus screens, is self-explanatory. The on-line information is concise and helpful.

c. The collection of programs gives one the opportunity to choose a protection strategy appropriate for a particular computing environment.

6. Product Disadvantages:

a. Though one can negotiate some attractive site license options, the Toolkit represents a significant financial investment. Since many users will only use a few programs, one may wonder if the vendor might consider bundling the programs in different packages. It seems somehow wasteful to purchase a suite of programs, but use only 50% of them. If a user could select a combination of programs, then the vendor could price the combination accordingly.

b. The Toolkit, as is the case with all other comparable products, will require the availability of a technical support staff. For example, programs such as CheckVirus will raise Type I (false positive) alarms that do not correspond to actual malicious code. There must be a technical representative available to analyze such alarms; otherwise users may lose confidence in the program. It would also seem appropriate to have an in-house training effort established to provide users with an overview of the product, given that few individuals normally take the time to read documentation. There is a potential benefit that users might actually use more of the programs if they had some understanding of a program's possible application within different computing situations. A minimum benefit would be that a user would use an individual program more efficiently.

c. The printed documentation is rather imposing. Over 50% of it is nothing more than a description of individual viruses. Since that information constantly changes at each formal upgrade, and since there is on-line information on the viruses detected as well as brief descriptions of most of them, the vendor might consider providing a separate and smaller user's manual minus the viral data.

d. A user cannot add his or her own viral signatures. One can add signatures without a formal upgrade, but one must obtain such signatures from the vendor.

7. Comments:

The National Computer Security Association (NCSA) evaluated an earlier version of Dr. Solomon's Toolkit in its report "Virus Scanners: An Evaluation", January 1, 1992. Robert Slade, as mentioned previously, has posted his analysis to CERT. The Virus Test Center comments appeared in Virus-L, Volume 5, Issue 107, May 20, 1992, and are available over the Internet via ftp.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
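As an added illustration of the difference between CheckVirus (sections 4.g and 4.h) and QuickCheckVirus (section 4.i) described in this report, the following Python is example code written for this page and is not part of the Toolkit; it assumes SHA-256 in place of the Toolkit's undocumented signature algorithm, builds its sample files in a temporary directory, and shows why a size/date/time check alone can miss a modified executable.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# CheckVirus's default extension set; SHA-256 is this example's assumption,
# not the Toolkit's (undocumented) signature algorithm.
EXEC_EXTS = {".com", ".exe", ".sys", ".ovl", ".bin"}

def file_signature(path):
    """One baseline record: strong digest plus the size/date/time QCV relies on."""
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size, "mtime_ns": st.st_mtime_ns}

def build_baseline(root):
    """Equivalent of creating signature.dat for every executable under root."""
    return {str(p.relative_to(root)): file_signature(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXEC_EXTS}

def check(root, baseline, quick=False):
    """quick=True compares size/date/time only (QCV); False compares digests."""
    current = build_baseline(root)
    fields = ("size", "mtime_ns") if quick else ("sha256",)
    return {"changed": [n for n in baseline if n in current and
                        any(baseline[n][f] != current[n][f] for f in fields)],
            "deleted": [n for n in baseline if n not in current],
            "added": [n for n in current if n not in baseline]}

def resign_one(baseline, root, name):
    """Re-sign a single file after a legitimate update (the Toolkit recomputed all)."""
    baseline[name] = file_signature(root / name)

def demo():
    """Constructed scenario: patch one byte of a .com without changing size or mtime."""
    root = Path(tempfile.mkdtemp())
    victim = root / "sample.com"
    victim.write_bytes(b"\xb8\x00\x4c\xcd\x21")           # constructed 5-byte stub
    (root / "notes.txt").write_bytes(b"ignored")          # not an executable: unsigned
    baseline = build_baseline(root)
    st = victim.stat()
    victim.write_bytes(b"\xb8\x01\x4c\xcd\x21")           # same length, one byte differs
    os.utime(victim, ns=(st.st_atime_ns, st.st_mtime_ns)) # restore date/time
    quick, full = check(root, baseline, quick=True), check(root, baseline)
    resign_one(baseline, root, "sample.com")
    return {"qcv": quick["changed"], "checkvirus": full["changed"],
            "after_resign": check(root, baseline)["changed"]}
```

The QCV-style comparison reports nothing for the patched file, while the digest comparison flags it; re-signing only the one updated file then clears the alarm without rebuilding the whole baseline.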