*******************************************************************************
PT-28 Revised October 1992
*******************************************************************************

1. Product Description: Norton AntiVirus is a virus protection utility for the IBM PC and its compatibles. The product includes virus signature detection, disinfection, and protection. This revision addresses version 2.1.

2. Product Acquisition: Norton AntiVirus is available from Symantec Corporation, 10201 Torre Avenue, Cupertino, CA 95014-2132. The customer service number is (800) 441-7234 in the United States and Canada. The retail price is $129.95, but there are numerous secondary sources with single-copy prices that have ranged from $78.00 to $83.00 in trade publication advertisements. Authorized users may upgrade to version 2.1 for $27.00 plus shipping and handling charges. The upgrade number in the United States is (800) 343-4712; the number is (800) 465-2266 in Canada. Site licenses are available.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, White Sands Missile Range, NM 88002-5506, DSN: 258-7548, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I acquired version 1.0 in December 1990 for $83.00 from Telemart in Phoenix, Arizona. As I was a registered user, Symantec Corporation sent a free upgrade to version 1.5 in September 1991. I subsequently upgraded directly from the vendor to version 2.0 and then to 2.1 in September 1992.

b. Product tests have occurred on a variety of platforms running MS-DOS version 3.0 through version 5.0. The minimum hardware and software configuration is as follows: an IBM PC, XT, AT, PS/2 or 100% compatible, 448K of RAM, DOS 3.1 or higher, Windows version 3.0 or later, and 800K of disk space. Version 2.1 is network compatible, including Novell 286 and Novell 386, OS/2 LAN Manager, 3COM OPEN, DEC Pathworks, LANtastic, Banyan VINES, and AT&T Starlan.
The latest series of tests occurred from 10 September through 9 October 1992.

c. Norton AntiVirus attempts to offer a comprehensive solution to the problem of malicious software, in particular the computer virus. The product has two primary components: Virus Intercept and Virus Clinic. Virus Intercept is a Terminate-and-Stay-Resident (TSR) utility that loads into memory when a user starts the PC. The TSR attempts to prevent viruses from infecting a system and to alert a user to a potentially infected program before it executes. Version 2.1 continues to offer three versions of the Virus Intercept with varying capabilities: NAV_.SYS (approximately 40K), NAV&.SYS/B (approximately 6K), and NAV&.SYS (approximately 2K). Virus Clinic is the detection and elimination component that provides scanning for known and unknown viruses.

d. Version 2.1, as of September 1992, contains viral definitions for 772 known viruses with a total count of 1,470 malicious strains. Norton AntiVirus claims to identify 97% (i.e., 67 out of 69) of those viruses characterized as "common" by Patricia Hoffman in her Hypertext Virus Summary List, 25 September 1992.

e. Although I do not have code for all the malicious programs which Norton AntiVirus claims to detect and to prevent, it did identify and block those which it claims it can in my test suite of 606 malicious programs. The suite includes 76% (i.e., 53 out of 69) of the so-called "common" viruses. A reader may refer to these other references for additional product reviews which independently comment on the strengths and weaknesses of the product:

(1) PC/COMPUTING, "Be Smart: Use Norton AntiVirus To Protect PCs Against Viruses", pp 37-38, January 1991.

(2) PC WEEK, "Norton AntiVirus Battles 142 Threats With Three Methods", pp 30 and 35, January 7, 1991.

(3) "Virus Scanners: An Evaluation", National Computer Security Association, January 1, 1992.
(4) VSUM Virus Scanning Product Certification (included within each VSUM release).

The third reference is by far the most credible and informative.

f. Virus Clinic scanning and disinfection is menu-driven with help screens at every option. Version 2.1 presents these main menu selections: Scan, Definitions, Tools, Options, and Help.

(1) Scan allows the user to select the drive, directory, and/or file to scan.

(2) Definitions allows the user to view the lists of malicious programs identified by the shipped version of Norton AntiVirus and to add additional virus definitions supplied by a 24-Hour Virus Newsline, the Symantec BBS, an on-line FAX system, or CompuServe. At version 1.5 NAV began to list how many unique virus strains could be detected. This feature continues in version 2.1. The statistic is automatically updated whenever a user installs a new definition.

(3) Tools allows one to create a "rescue" disk, to "restore" from the rescue disk, and to remove or to delete the inoculation data file. Creating a rescue disk saves the partition table, boot record, and CMOS values. The theory is that, if one experiences a serious disk or system error, or an infection by a boot-sector or partition-table virus, one can restore the parameters from the rescue disk. The option to remove the inoculation data file addresses a problem in versions 1.0 and 1.5. If one has chosen to inoculate an executable, the file which contains the inoculation signatures becomes obsolete as one deletes or moves files. The solution in Tools, not very elegant in my opinion, is to delete the data file and to reinoculate the files requiring such protection.

(4) Options allows the user to configure Virus Clinic and Virus Intercept for each user's preferences. Options provides five selections: Clinic, Intercept, Global, Set Password, and Video/Mouse Options. Clinic enables and disables Virus Clinic command buttons.
Intercept sets the Virus Intercept alert box options, enables an audit log, write-protects hard disk system areas, write-protects floppy disk system areas, scans all floppies on reboot, and allows the reinoculation of a file if one has chosen inoculation and the file changes. Global enables one to customize Virus Intercept and Virus Clinic alert messages, to choose auto-inoculation of executables, and to limit scanning to executables only.

(5) Help allows the user to receive assistance by selecting from index topics.

g. I used the install program to load Norton AntiVirus. Installation of Virus Clinic and Virus Intercept requires about two minutes. Since the Virus Intercept component requires a modification to a system's config.sys file, I aborted that part of the automatic installation that would have modified the config.sys file. I chose to manually insert the Virus Intercept device statements to activate the TSR program.

h. The Virus Clinic component has an attractive presentation as scanning occurs. The user is aware of the directory/file under examination; has a graphic display of how far scanning has progressed, as a running bar graph of the percentage of material identified for scanning; and has the option to cancel scanning at any time. I configured the component to maintain an audit trail of scanning activity and successfully printed out the output. Version 2.0 changed the main menu options as well as the presentation of most buttons. Version 2.1 makes no perceived menu changes.

i. The Virus Intercept component or TSR utility automatically loads when the system boots, assuming of course the user has properly configured the config.sys file. Virus Intercept checks whenever a file is copied or executed for the presence of known viruses. If a virus is detected, the utility presents an audible and visual warning alarm. The audible alarm, which can be disabled under the Options menu, is particularly loud and siren-like.
The warning message identifies the suspected infected file and the strain of virus. The user has the option either to stop the execution of the potentially infected file or to proceed with the execution. The TSR alarmed as advertised during my tests. But I must qualify that the malicious code in my possession is limited. Any certification of 100% effectiveness is beyond my capabilities.

j. The option to inoculate an executable in theory provides a measure of protection against "unknown" malicious code. If the signature of a file changes, then perhaps an infection has occurred. The issue is that a "change" does not in itself confirm the presence of a computer virus or of malicious code. It is important to remember that a change in checksum is detected under two separate conditions:

(1) The user does a Scan of the file for which a checksum exists.

(2) The user has installed Virus Intercept and then starts a program.

Limited testing of the inoculation option confirmed that it functioned as documented. I did generate a large number of Type I alarms for modifications to inoculated files by non-viral activity. Version 2.1 stores all inoculation data in a single file. There was massive criticism of version 1.0's approach of creating individual inoculation data files for each inoculated file in the directory of the inoculated file.

k. I did only limited functionality testing of the network capabilities on two different Novell networks.

l. These comments pertain specifically to version 2.1 test experiences.

(1) Even if one enables the write-protect hard disk system areas option, Virus Intercept will not protect against a boot sector/partition table infection, such as Stoned, if one attempts a system boot from an infected disk.

(2) There are command line switches and parameters which, as far as I can ascertain, continue to be unavailable from the various menus. For example, the ability to enable or disable memory scanning remains a command line feature.
(3) The option to manually add viral signature definitions remains present. Realistically only a user with masochistic tendencies would ever use it, particularly since a single viral definition can require 200+ keystrokes. Loading a viral definitions file obtained from Symantec's BBS is the thinking person's option.

(4) The number of Type I or false positive alarms appears to have been reduced. While all viral signature detection programs may have varying degrees of susceptibility to this problem, Norton AntiVirus has consistently received negative Internet comments.

(5) The detection capabilities of Virus Clinic, when tested against the large sample sizes of NCSA and VSUM, have generally remained lower than other commercial products. However, performance against the so-called "common" viruses or against the most prevalent viral infections reported has remained in the 85% to 95% range.

(6) Users who upgrade to version 2.1 receive a complete set of revised documentation. The revisions reflect a number of subtle changes to highlight material requiring careful attention.

5. Product Advantages:

a. Norton AntiVirus provides a comprehensive approach to malicious code detection, disinfection and protection in one program.

b. The automatic installation program and menu-driven screens are easy to use. Norton AntiVirus can be configured to run under Norton Utilities.

c. The ability to add viral definitions by downloading new definitions from a variety of sources provides an alternative to costly upgrades. I have successfully tested the telephone Virus Newsline, the FAXLINE, and the Symantec BBS. I would not recommend the Virus Newsline because of the length of the definitions and the large number of definitions which generally appear in each update. The FAXLINE is preferable for those users who do not have electronic access to the Symantec BBS or CompuServe. One still has the laborious job of manually deleting the old definitions and adding the new.
The preferred method of updating is clearly downloading from the BBS. One then has only to choose the appropriate button options for automatic updating.

d. Peter Norton and Symantec Corporation have good reputations for quality products and customer support. Symantec already produces one of the best integrated virus defense products for the Macintosh environment (see PT-20, Symantec AntiVirus for Macintosh). I had one occasion at version 1.5 to utilize telephone support, with excellent results.

e. Symantec has shipped updated documentation with each major upgrade. The quality of the material is quite good in comparison to other commercial vendors. The vendor provides a separate manual for using Norton AntiVirus under Network Manager.

6. Product Disadvantages:

a. The cost of the product may discourage many users who are already on tight budgets. Even if one pursued a site license agreement, it may be that the risk management assessment will not support such protection for every PC within the organization. Specifically, it may be important to give every user a detection capability, but a disinfection and an inoculation capability may be overkill.

b. There have been instances where the program has issued a Type I or false positive alarm. This phenomenon is not unique to Norton AntiVirus, but rather illustrates a generic disadvantage of detection programs. In large organizations it may be necessary to provide in-house support personnel to resolve these alarms.

c. The percentage of "common" viruses which NAV currently detects has increased from 88% in the last review to 95% at version 2.1. The total number of viruses detected, however, remains behind the other major commercial players.

d. Version 2.0 introduced new menu displays. One change in particular was strange. If one wishes to view what viruses can be detected, one now chooses the "Modify" selection under the Definitions option in the main menu.
In previous versions one chose the "List Definitions" selection, which had a certain logic.

7. Comments: Fred Cohen's original paper on his first computer virus experiments concluded that detection of viruses by their appearance or behavior was "undecidable". Yet eight years after the publication of his work, detection of viruses by their appearance and behavior remains the most common form of viral defense for the MS-DOS environment. Norton AntiVirus provides the mechanisms to monitor attributes of change and to recognize a virus by its appearance. It also has an intrusion detection capability through the inoculation option and the Virus Intercept component. I continue to recommend the stockpiling of more than one virus detection program for contingency purposes and to resolve potential Type I alarms. One would hope that the next generation of defenses would look beyond just the attributes of appearance and behavior. In this regard I direct your attention to a paper by Ms. Catherine L. Young published in the proceedings of the NCSC/NIST annual security conference several years ago, "Taxonomy of Computer Virus Defense Mechanisms".

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
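Added illustration, not part of the original evaluation and not Symantec's code: a small Python model of the inoculation scheme discussed in 4.f(3) and 4.j, with one data file holding a fingerprint per executable, a check that reports changed and stale entries, and a prune step that replaces "delete the data file and reinoculate". SHA-256 stands in for NAV's undocumented checksum, and the file names and INOC.DAT are constructed; the "changed" result shows why a legitimate update produces a Type I alarm.

```python
import hashlib, json, os, tempfile
from pathlib import Path

def file_digest(path):
    """Fingerprint file contents; SHA-256 stands in for NAV's undocumented checksum."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def load_db(db_path):
    return json.loads(Path(db_path).read_text()) if os.path.exists(db_path) else {}

def save_db(db, db_path):
    Path(db_path).write_text(json.dumps(db))
    return db

def inoculate(paths, db_path):
    """Record a fingerprint for each executable in ONE data file (the version 2.x layout)."""
    db = load_db(db_path)
    for p in paths:
        db[os.path.abspath(p)] = file_digest(p)
    return save_db(db, db_path)

def check(db_path):
    """Re-fingerprint every inoculated file. 'changed' is an integrity alarm, not proof
    of infection: a patch or rebuild trips it exactly as a file infector would."""
    report = {"ok": [], "changed": [], "stale": []}
    for p, stored in load_db(db_path).items():
        if not os.path.exists(p):
            report["stale"].append(p)      # deleted or moved since inoculation
        elif file_digest(p) != stored:
            report["changed"].append(p)    # a Type I alarm unless confirmed another way
        else:
            report["ok"].append(p)
    return report

def prune(db_path):
    """Drop stale entries instead of deleting the whole data file and reinoculating."""
    return save_db({p: d for p, d in load_db(db_path).items() if os.path.exists(p)}, db_path)

def demo():
    """Constructed scenario: three 'executables'; one is legitimately updated, one deleted."""
    d = tempfile.mkdtemp()
    names = [os.path.join(d, n) for n in ("A.EXE", "B.EXE", "C.COM")]
    for n in names:
        Path(n).write_bytes(b"MZ" + n.encode())
    db = os.path.join(d, "INOC.DAT")
    inoculate(names, db)
    Path(names[1]).write_bytes(b"MZ-updated")   # an ordinary update, not a virus
    os.remove(names[2])
    return check(db), prune(db)   # evaluated left to right: report first, then clean up
```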