From: Chris McDonald STEWS-IM-CM-S (12/1/93)
To: orvis@icdc.llnl.gov
Mail*Link SMTP
Revised Product Test # 30

******************************************************************************
PT-30 Revised December 1993
******************************************************************************

1. Product Description: VirusDetective and VirusBlockade II are shareware programs to detect and to delete known viruses and trojan horses for the Macintosh. This product test addresses VirusDetective V5.0.10. The current version of VirusBlockade is V2.0.8.

2. Product Acquisition: Both programs are available from their author Jeffrey S. Shulman through Shulman Software Co., 1111 W. El Camino Real, Suite 109MAC, Sunnyvale, CA 94087-1057. A registered user receives a program diskette, an overview guide, a user license, and automatic notification of future malicious code search strings. Mr. Shulman has an Internet address for customer support and pricing information, kilroy@netcom.com. On November 12, 1993 Mr. Shulman issued a written announcement that he would no longer accept any new registrations for the programs. Registered users may update to the latest (and perhaps last) versions for $10.00 per program. The cost is $15.00 for non-US users.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5506, DSN 258-7548, DDN cmcdonal@wsmr-emh34.army.mil.

4. Product Test:

a. I initially obtained VirusDetective (version 4.0) from the Macintosh repository on the Internet host simtel20 [192.88.110.20] in late 1990. I have obtained updates over the years from the Internet, from the local Apple Users Group, and from Shulman Software Company as a registered user. Tests have occurred on a variety of Macintosh platforms running System 6.0.5 through System 7.0.

b. VirusDetective is a desk accessory which performs malicious code detection and removal.
VirusBlockade II is a Control Panel and startup document which allows one to configure VirusDetective operations as well as to provide other enhancements. VirusDetective can stand alone; VirusBlockade II requires VirusDetective.

c. VirusDetective installs as a Desk Accessory (DA) and provides the capability to "search through files looking for specific resources". In this case those "resources" are known malicious code strings.

d. When one opens the program from the Apple Menu, there are four sections in the Main Window: (1) the "Status Box"; (2) the "Scan Folder/Disk" to "Help" buttons; (3) the "Next File" to "Cancel" buttons; and (4) the "Automatically scan floppy disks when VirusDetective is open" checkbox.

e. As VirusDetective executes its search looking for specific resources, the user has a visual display of the program's progress in the first section, and may cancel a scan at any time. The sign that VirusDetective is scanning is a spinning "four diamond" cursor. The Progress Bar displays only during a full disk scan and visually indicates how much of the disk has already been scanned as well as how much remains to be scanned. If the program detects a known malicious code string, the user receives notification with the option to "remove" the resource or to "delete" the file containing the resource. When the program completes its search, the user receives two summary lines which appear at the top of the display. These lines confirm that the "Scan" has been completed; that there either were or were not any "matching files"; and that "x" number of files have been checked. If VirusDetective is for whatever reason unable to check a file/folder, the user will also receive a message to that effect.

f. The Option button and the Search Strings dialog box in section two merit special attention for any user. Under the Option button a user may ask that a log file be created to record search results.
The log can capture all files scanned with the results, or can simply record only those files with a matched string. The program is "intelligent" enough to require that the user specifically authorize the overwriting of any log file, thereby minimizing the potential for inadvertently losing a valuable record. The user may also specify the format of the log record (e.g., TeachText, MacWrite, Word, WriteNow, MacWrite II).

g. With the Search Strings dialog box a user may add, change, remove and save search strings. The author has included a file containing the search strings of all those contained within the installed DA in the event the DA's strings become corrupted. He has also provided an "alternate search string" file which might detect mutations or unusual variations of the known malicious programs. This latter file increased the search time, but nothing unacceptable.

h. The third section of the Main Window activates when VirusDetective finds an infected file. Each button either performs an action or leads to a dialog box. The most interesting dialog boxes are those that provide information on the infected file or infected resource.

i. The fourth section allows a user to scan floppy disks as you insert them, one after another, when VirusDetective is the active window, or to scan floppy disks on a sporadic basis when VirusDetective is not the active window.

j. I tested VirusDetective against a suite of malicious programs. The suite included: Scores, nVir (A & B), Init 29, Anti (A & B), MacMag, WDEF (A & B), Zuc (A, B & C), MDEF (A, B, C & D), Frankie, MBDF (A & B), CDEF, Code-1, Init 1984, Code 252, T4 (A, B & C), Init 17, Init-M, CPro.141, and ChinaTalk. VirusDetective had a 100% detection rate against the samples.

k. I tested all of the buttons and dialog box options, which appeared to function as documented. The on-line help facilities are extensive and provide material not found in the overview guide.

l. VirusBlockade II testing began in May 1991 and has extended to the present time. The program allows a user to direct how, when and where VirusDetective will conduct search operations.

m. When a user opens the Control Panel and clicks once on the VirusBlockade II icon, the Main Window has five sections: (1) the Title Box; (2) the automatic "Scan Disks" and "Scan Files" dialog boxes; (3) the automatic "Lock or Unlock Disks" dialog box; (4) the manual "Lock or Unlock Disks" button; and (5) the "Options, Help and About" buttons. The Help button in the fifth section provides adequate information on the various buttons and dialog boxes.

n. The second section gives a user the option to specify under what conditions VirusDetective will scan an entire disk or file. The user can use an activity, the time of day, the day of the week, or any combination to configure disk scanning operations. The "Scan Files" dialog box offers the option to scan upon the "creation" of a file or "upon the change" of any resource.

o. The third and fourth sections control write-protection of disks. When one write-protects a disk, the disk's contents cannot be changed or deleted. Files and folders on a locked disk cannot be created, deleted or changed, but the information can still be read.

p. The "Options" button in the fifth section opens to a dialog box which provides some interesting features. First, one can set a password to control access to the options. Second, one can set an option to automatically eject a floppy disk inserted and then display a customized message to the user. Third, one can set a so-called "Rookie Switch". With this engaged a user has all operations frozen in the event VirusDetective scans and detects any infection. The user receives a message that: "a possible virus or similar problem has been detected on your (disk/file/disk or file). You will NOT be able to proceed. Restarting will not allow you to gain control".
One may also insert an additional message directing a user to notify a specific individual before continuing any work. The critical point is that the system will be frozen prior to the infection.

q. I tested the majority of the Control Panel options over a six month period. The program appeared to perform as documented. I am not qualified to attempt any surreptitious attack on the disk ejection, disk locking, and "Rookie Switch" features. My observations were confined to the selections I made; I did not test the networked/file server options, nor have I tested enhancements which require System 7.1.

5. Product Advantages:

a. VirusDetective performs as advertised to detect known malicious code. VirusBlockade II provides additional configuration controls and enhancements.

b. The shareware cost appears reasonable, particularly when one factors in the upgrade notifications. If one chooses only to buy VirusDetective, the author sends a demonstration version of VirusBlockade II.

c. The author has a good reputation on the Internet and among those who specialize in security-related software for Macintosh systems. The efficiency of the distribution of updates is exceptional.

d. Testing against known malicious code has demonstrated that the author has constructed "search strings" which offer protection against minor changes or modifications to existing viruses and trojan horses. The potential that an author of malicious code or some other individual might modify a known virus or trojan horse to escape detection is already a reality in the MS-DOS world, and could become a reality in the Macintosh environment.

6. Product Disadvantages:

a. The program detects and deletes malicious resources. Deletion of that resource does not necessarily equal "disinfection" in the sense of returning a file or application to its original condition prior to infection. Therefore, users must exercise safe computing practices to invoke VirusDetective and to have clean backup copies of programs.

b. Mr. Shulman's business decision to defer new registrations illustrates the difficulty of a small concern competing with commercial vendors. The quality of a program does not in itself guarantee sufficient market share. While Mr. Shulman's announcement states that he will continue to create search strings as new "viruses, trojan horses and worms are discovered", it is conceivable that he will simply be unable to maintain support for existing registered users.

7. Comments: The appearance of malicious code in the Macintosh environment does not currently mirror the situation in the MS-DOS world. Therefore, requirements for updates and for technical support are generally less important selection criteria. Any acquisition and actual use of detection software must include user education on the capabilities and limitations of such programs. It is clear that intelligent users would employ several different tools to address the contingency that a supplier would no longer be available. Multiple tools also provide technical advantages which exist because of the unique characteristics of individual products.

There are many issues in the acquisition and use of viral detection tools. Interested readers may consult the Proceedings of the National Computer Security Association's 2nd International Virus Prevention Conference & Exhibition, February 1993, for several papers on the subject, including one entitled "Selecting an Anti-Virus Product". The National Institute of Standards and Technology has issued Special Publication 800-5, "A Guide to the Selection of Anti-Virus Tools and Techniques", December 2, 1992. The publication is available for anonymous ftp from NIST host 129.5.54.11 in the path /pub/nistpubs. One may also call Ms. Dianne Ware, NIST, at 301-975-2821 for one free copy.

Since my original review of VirusDetective, Mr. Shulman offered several users at White Sands the option of becoming beta testers for future revisions.
In the interest of full disclosure I acknowledge that beta test association. Neither I nor my organization have a financial interest or direct involvement with Shulman Software Co.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

PRODUCT TEST NUMBER    PRODUCT
PT-9                   DISINFECTANT
PT-10                  VIREX
PT-20                  SYMANTEC ANTIVIRUS FOR MACINTOSH
PT-32                  MACTOOLS
PT-44                  RIVAL
PT-46                  CITADEL
PT-53                  GATEKEEPER
PT-71                  MACRX
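Editor's added illustration of the search-string mechanism discussed in items 4.f, 4.g, 5.d and 6.a above. This is example code written for this page, not VirusDetective's code, and the "resources", byte strings and signature names in it are constructed for the example (they are not real virus bytes). It models a file's resource fork as a map of (type, id) to bytes, scans each resource for an exact search string and for an "alternate" string with wildcard bytes, shows that a one-byte edit to the sample escapes the exact string but not the alternate one, implements the "remove resource" action, and writes a matched-files-only log with the two-line summary the review describes.

```python
import re
from typing import Dict, List, Tuple

ResKey = Tuple[str, int]                 # (resource type, resource id)
Resources = Dict[ResKey, bytes]          # stand-in for a Macintosh resource fork

# Constructed sample files (assumptions for the example, not real malware).
CLEAN_APP: Resources = {
    ("CODE", 0): b"\x00\x01\x02\x03 clean jump table",
    ("CODE", 1): b"\x4e\x56\x00\x00 ordinary application code",
}
INFECTED_APP: Resources = dict(CLEAN_APP)
INFECTED_APP[("INIT", 6)] = b"\x4e\x56\xff\xf0\x48\xe7\x1f\x38 example payload"
# A "mutated" copy of the same payload: the last signature byte changed (38 -> 39).
VARIANT_APP: Resources = dict(CLEAN_APP)
VARIANT_APP[("INIT", 6)] = b"\x4e\x56\xff\xf0\x48\xe7\x1f\x39 example payload"

# Search strings in hex. "??" is a single-byte wildcard. The exact string plays
# the role of the primary search string; the masked one plays the role of an
# "alternate search string" that tolerates small edits to the known sample.
SEARCH_STRINGS = {
    "Example-INIT (exact)":     "4e 56 ff f0 48 e7 1f 38",
    "Example-INIT (alternate)": "4e 56 ff f0 48 e7 ?? ??",
}


def compile_search_string(hex_sig: str) -> re.Pattern:
    """Turn a hex search string with ?? wildcards into a byte regex."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok))
             for tok in hex_sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: "." matches 0x0a too


COMPILED = {name: compile_search_string(s) for name, s in SEARCH_STRINGS.items()}
EXACT_ONLY = {"Example-INIT (exact)": COMPILED["Example-INIT (exact)"]}


def scan_resources(resources: Resources, strings=COMPILED) -> List[Tuple[ResKey, str]]:
    """Return [(resource key, search-string name)] for every match in the file."""
    hits = []
    for key, data in resources.items():
        for name, pattern in strings.items():
            if pattern.search(data):
                hits.append((key, name))
    return hits


def remove_matching_resources(resources: Resources, strings=COMPILED) -> Resources:
    """The 'remove resource' action: drop only the matched resources.

    This is removal, not disinfection. If the malicious code also altered
    another resource (for instance a patched CODE 0), that change survives,
    which is why the review insists on clean backups.
    """
    flagged = {key for key, _ in scan_resources(resources, strings)}
    return {k: v for k, v in resources.items() if k not in flagged}


def scan_volume(files: Dict[str, Resources], strings=COMPILED) -> List[str]:
    """Scan several files; emit a matched-files-only log plus the summary lines."""
    log: List[str] = []
    matched = 0
    for fname, res in files.items():
        hits = scan_resources(res, strings)
        if hits:
            matched += 1
            for key, name in hits:
                log.append(f"{fname}: {key[0]} {key[1]} matches {name}")
    log.append("Scan completed.")
    log.append(f"{matched} matching file(s). {len(files)} file(s) checked.")
    return log


if __name__ == "__main__":
    for line in scan_volume({"Clean": CLEAN_APP, "Infected": INFECTED_APP,
                             "Variant": VARIANT_APP}):
        print(line)
    print("variant, exact string only:", scan_resources(VARIANT_APP, EXACT_ONLY))
```

The point of the two search strings is the one the review makes in 5.d: an exact byte string is defeated by a one-byte edit, while a string with masked positions still matches, at the cost of a slightly longer scan and some risk of matching unrelated resources, which is why a masked string should be anchored on the bytes of the sample least likely to change.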