Date: Tue, 21 May 91 14:54:49 MDT
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Product Test, Flu_Shot+ (PC)

*******************************************************************************
PT-27                                                                 May 1991
*******************************************************************************

1. Product Description: Flu_Shot+ is a shareware program to assist a user in detecting "suspicious" activity which may be indicative of a malicious program.

2. Product Acquisition: Flu_Shot+ is available from Software Concepts Design, 594 Third Avenue, New York City, NY 10016. The cost for version 1.81 is $15.00 plus $4.00 handling charges. Site licenses are available. The program is available on the Internet, including the host simtel20 in the path pd1: fsp_181.zip. The author of the program is Ross Greenberg, who is also associated with the commercial program Virex-PC (see PT-23, Revised May 1991).

3. Product Tester: Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I acquired version 1.5 in January 1989 from the simtel20 repository. At that time the registration fee was $10.00 plus $4.00 handling. I registered my copy then and have continued to download revisions to the program through version 1.81 to look for any significant changes. At version 1.7 Mr. Greenberg indicated that future upgrades to Flu_Shot+ might end because he had entered into an agreement with a commercial firm to market the program's protection features with additional viral scanning and disinfection capabilities. The commercial firm is now Microcom Software Division, which markets Virex-PC. While Mr. Greenberg actually sold Microcom Flu_Shot++, not Flu_Shot+, I was somewhat surprised when version 1.81 reached the repository in December 1990. This version came bundled with a demonstration copy of the viral scanning capability of Virex-PC.
Subsequent electronic communications with Mr. Greenberg suggest that Microcom may view continued releases of Flu_Shot+ as a commonsense marketing strategy to migrate users to their commercial product.

b. Product tests occurred on the following system: Unisys PC, Model 3137, MS-DOS 3.10, 512K. The minimum hardware and software configuration is as follows: an IBM PC/XT, IBM PC/AT, IBM PS-2 or 100% compatible computer using the PC-DOS (MS-DOS) 2.1 or later operating system.

c. Flu_Shot+ is a terminate-and-stay-resident (TSR) program which alerts a user to these activities:

   (1) Attempts to format a disk
   (2) Attempts to write directly to a disk
   (3) Attempts by a program to terminate-and-stay-resident
   (4) Modification of a registered program's "checksum"
   (5) Attempts to perform an operation specifically prohibited by a user under customized protection

Registered users have an installation routine to assist them, particularly when they are updating a previous version. For this test I chose to manually install version 1.81. There were eleven steps in the so-called "down and dirty installation". The steps were easy to follow, with the most time-consuming process involving the establishment of "checksum" values.

d. After one has completed installation, the simple command "fsp" loads the program. A user may also choose to place the command in the autoexec.bat file for automatic execution. The program executes by reading the flushot.dat file, which contains the default protection values as modified by the user.
The user has several commands available to establish these values, which include:

   (1) P   Write protect the file named
   (2) R   Read protect the file named
   (3) E   Exclude the file named from matching P or R lines
   (4) T   The named file is a legitimate TSR
   (5) C   Perform checksum operations on the file named

When the program finishes executing the instructions in the flushot.dat file, it presents the user with almost a full-screen notification that Flu_Shot+ has been installed and advises that "Nasty operations will be intercepted". The notification also advises the user of copyright information and of two other operational features described in the user's manual.

e. The TSR program performed as documented. I successfully caused the program to alarm under all of the stated events. I must qualify that the malicious code in my possession is limited. Any certification of 100% effectiveness is beyond my capabilities. There have been several independent evaluations of Flu_Shot, including one by the "Computers & Security" journal. Similar discussions of the effectiveness or ineffectiveness of the product have appeared in Virus-L. Clearly a sensible approach to addressing malicious software would incorporate a layering of products for in-depth protection.

f. There is a list of options which allows one to customize protection against "unknown" malicious programs and to closely monitor system activity in general. The features of potentially most value include:

   (1) Alerts of a program's attempt to terminate-and-stay-resident
   (2) Alerts whenever the checksum of a registered file changes
   (3) Alerts upon user-specified prohibited operations

g. The user-specified prohibited operations produced the most alarms when I maximized the protection. For example, a user can prohibit writing to, or reading from, files without triggering an alert. A user can prohibit deletion or renaming of files without direct authorization.
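As an added illustration (not code from Flu_Shot+ or its author), the following Python models how the P/R/E/T/C protection values and the checksum alerts described in 4c, 4d and 4f fit together: a constructed rule file is parsed into a policy, attempted operations are checked against it, and registered files are re-checksummed to detect modification. The "<letter> <filename>" syntax, the SHA-256 checksum and the sample file contents are assumptions for this example; the real flushot.dat format and checksum algorithm are not given in the report.

```python
import hashlib
from fnmatch import fnmatch

# Constructed rule file modelled on the five commands the report lists. The real
# flushot.dat syntax is not on the page; "<letter> <filename>" is an assumption.
RULES = """
P *.COM
P *.EXE
R SECRET.DAT
E TEMP.EXE
T SIDEKICK.EXE
C COMMAND.COM
"""
FILES = {"COMMAND.COM": b"constructed original image"}  # constructed disk contents at install time

def checksum(data: bytes) -> str:
    # SHA-256 stands in for the program's own checksum; the page gives no algorithm.
    return hashlib.sha256(data).hexdigest()

def parse_rules(text: str, files: dict) -> dict:
    """Group P/R/E/T patterns by command; C lines record a baseline digest of the named file."""
    pol = {"P": [], "R": [], "E": [], "T": [], "C": {}}
    for line in text.splitlines():
        cmd, _, name = line.strip().partition(" ")
        if cmd == "C":
            pol["C"][name.upper()] = checksum(files[name.upper()])
        elif cmd in pol:
            pol[cmd].append(name.upper())
    return pol

def matches(name: str, patterns: list) -> bool:
    return any(fnmatch(name, pat) for pat in patterns)

def check_operation(pol: dict, op: str, target: str) -> bool:
    """True when the monitor would raise an alarm for `op` on `target`."""
    target = target.upper()
    if op in ("format", "direct_write"):   # always intercepted (activities (1) and (2))
        return True
    if op == "tsr":                        # alarm unless the program is a registered TSR (T line)
        return not matches(target, pol["T"])
    if matches(target, pol["E"]):          # E lines exempt a file from P and R only
        return False
    if op not in ("write", "read"):
        return False
    return matches(target, pol["P" if op == "write" else "R"])

def changed_checksums(pol: dict, files: dict) -> list:
    """Registered (C) files whose current contents no longer match the baseline."""
    return sorted(n for n, h in pol["C"].items() if checksum(files.get(n, b"")) != h)
```

Re-running `changed_checksums` against the current disk contents is the equivalent of the checksum alert in 4f(2); a non-empty result means a registered program changed since the baseline was taken.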
The theory behind the protection is that viruses commonly attempt read, write, delete, or rename operations on user files. Flu_Shot+ alerts a user to such attempts, with the option to disallow suspicious activity. Alarms result in an audible and visual pop-up display in which the user has the option to allow the operation to go unchecked for one time, to allow the operation to go unchecked until the program undertaking the operation exits, or to disallow the operation.

5. Product Advantages:

a. Flu_Shot+ appears to function as documented. Its general theory of operation has been adopted by many other commercial vendors.

b. The price is right for most organizations.

c. Mr. Greenberg has developed a reputation for credible work.

6. Product Disadvantages:

a. The program offers a variety of protection capabilities which the experienced MS-DOS user will appreciate. It remains an open question whether the majority of users within an organization will be able to configure their flushot.dat files themselves, or whether they will be able to interpret and respond to the respective alarms.

b. The program highlights the "undecidable" nature of malicious program detection. I was able to generate many alarms in which no malicious program was at work. If one generates a lot of these Type I errors (i.e., alarms in the absence of malicious code), the result can be annoying and time-consuming. On the other hand, if one reduces the protection values to reduce the rate of alarms, one may increase the number of Type II errors (i.e., no alarms in the presence of potentially malicious code).

c. Construction of protection values, particularly when performing checksum operations, is a manual operation. There are also, according to the documentation, limitations on the size of the flushot.dat file.

d. When I downloaded version 1.81 of the program, I read: "Registered users of earlier versions of Flu-Shot+ will receive an invitation in the mail to register this version". The Pony Express has never delivered such notice.

7. Comments: Flu_Shot+ has its detractors and its supporters. Its author has been very vocal in expressing his displeasure with those individuals who write and distribute malicious code. In fact, someone actually wrote a destructive trojan version of Flu_Shot in an attempt to embarrass him. For those organizations and individuals with limited resources, the program offers an opportunity to get some firsthand experience with a protection product at a minimal investment. It will also, assuming that Mr. Greenberg and Microcom continue the marketing strategy, give one the opportunity to experience free of charge the scanning capabilities of Virex-PC for a limited time. The Virex-PC demonstration has a finite event life.