Date: Mon, 30 Dec 91 14:27:21 MST
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Product Test--Data Physician Plus! (with VirHunt)

******************************************************************************
                             PT-31 December 1991
******************************************************************************

1. Product Description: DATA PHYSICIAN PLUS! is a set of programs designed to protect PC-DOS and MS-DOS computer systems from software viruses and potentially other malicious software. The program set includes: Antigen, Filepeek, Resscan, RS-Net, Safeboot, VirAlert, VirHunt, and Unkill. Readers may wish to consult PT-4, dated December 1989, which addresses DATA PHYSICIAN, for insight into the genesis of this program.

2. Product Acquisition: DATA PHYSICIAN PLUS! is available from Digital Dispatch Inc. (DDI), 55 Lakeland Shores Road, Lakeland, Minnesota 55043. The telephone number is 612-436-1000 or 800-221-8091. Pricing is variable, so one should contact DDI directly for single-copy or site-license information.

3. Product Tester: Chris McDonald, Computer System Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. As a registered user of DATA PHYSICIAN, I upgraded to DATA PHYSICIAN PLUS! version V3.0A for $25.00 in October 1991. I had tested the beta version of the virus detection component (VirHunt) in 1990, and version 1.3 in early 1991. Tests of V3.0A occurred during the October to December 1991 timeframe on a Unisys PC 286, Model 3137, MS-DOS 3.1, 512K. DATA PHYSICIAN PLUS! requires an IBM PC/XT, AT, or compatible system with one floppy disk drive, at least 320K of available RAM, and DOS 2.0 or higher.

b. A description of each program within DATA PHYSICIAN PLUS! follows:

(1) Antigen allows virus protection to be installed directly on any executable program. Antigen places a security prefix in place of the normal DOS file header. Each time the protected program is run, it checks itself for tampering and is capable of removing most viruses on its own.

(2) Filepeek allows you to inspect programs for suspicious-looking messages.

(3) Resscan is a RAM-resident virus scanner that provides continual virus scanning as one works. It checks programs for viruses as you run them, or when they are copied or opened in any way. Resscan requires approximately 20K of memory. There is a Windows version of Resscan called WIN-RS which requires an additional 8.4K of RAM.

(4) RS-Net assists in the use of the Resscan resident protection feature on a local area network.

(5) Safeboot protects your operating system files and installs a custom DOS boot record that decrypts them into memory as needed.

(6) VirAlert is a program to intercept changes to executable and operating system files (.EXE, .COM and .SYS). VirAlert watches for changes to the boot record, disk formatting attempts, terminate-and-stay-resident program installations, and "other" techniques used primarily by viruses. There is a Windows version of VirAlert called WIN-VA which requires an additional 8.4K of RAM.

(7) VirHunt is a program to scan for and remove viruses from executable files and boot records.

(8) Unkill restores a disk that has been damaged by the Disk Killer virus.

c. The heart of DATA PHYSICIAN PLUS! is the VirHunt program. This program combines the functions of the Datamd program of the earlier DATA PHYSICIAN, providing malicious program detection and removal together with "signature" generation. There is a lengthy discussion of the Datamd program in PT-4. V3.0A claims to identify 355 known computer viruses and over 700 including variations. I tested the program against 604 malicious programs with these results:

(1) The program identified 100% of the "common" viruses in the malicious program suite, which consists of 45 of the 58 common viruses listed in Patricia Hoffman's November 22, 1991 Virus Summary List.

(2) The program failed to identify 12 virus samples which the on-line documentation states it should detect. Both McAfee's Viruscan, version 85, and Skulason's F-PROT, version 2.01, identified these same samples as virus contaminated. I double-checked the on-line documentation and repeated the VirHunt scanning operation against the samples with identical results. It is possible that the malicious samples are unique mutations (notwithstanding the Viruscan and F-PROT results), or that the VirHunt detection strings are deficient, or perhaps a combination of both.

(3) There are dozens of options on configuration, scanning and signature generation. I tested approximately 60% of these options, which appeared to function properly. The menu presentations, invoked by the command "virhunt" (case insensitive), are occasionally distracting in that some menus overlay others. Although the on-line documentation refers to this as "shadow mode", I did not remember this feature in version 1.3.

(4) Signature generation under VirHunt presents significant differences from generation under the older DATA PHYSICIAN Datamd program. Since one normally generates and then compares signatures during scanning operations, one has to pay close attention to the Signature Mode options. For example, if one creates signatures for the first time and on a subsequent scan the signature of a particular program has changed, VirHunt will notify the user of the particular component which may have changed (e.g., time/date, checksum, contents). The notification will also advise one if a file with a signature is "missing" or for some reason is "inaccessible".
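The signature comparison just described, as an added example that is not part of this product test or of DDI's software: a small Python reconstruction that baselines files on the three components named above (time/date, checksum, contents), re-signs them on a later pass, and reports each file as unchanged, missing, inaccessible, or changed with the differing components named. The additive checksum, the SHA-256 content hash and the VirHunt.Sig-style dictionary layout are assumptions, not DDI's format.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def make_signature(path: Path) -> dict:
    """One signature: the components a change report names (time/date, checksum, contents)."""
    data = path.read_bytes()
    return {
        "time": int(path.stat().st_mtime),
        "checksum": sum(data) & 0xFFFF,                # simple additive checksum (assumed)
        "contents": hashlib.sha256(data).hexdigest(),  # full-content hash (assumed)
    }

def build_signature_file(paths) -> dict:
    """Baseline path -> signature; stands in for VirHunt.Sig (layout assumed)."""
    return {str(p): make_signature(Path(p)) for p in paths}

def compare_signatures(baseline: dict) -> dict:
    """Re-sign each baselined file: unchanged, missing, inaccessible, or changed + components."""
    report = {}
    for name, old in baseline.items():
        try:
            new = make_signature(Path(name))
        except FileNotFoundError:
            report[name] = "missing"
            continue
        except OSError:  # permission denied, path is now a directory, ...
            report[name] = "inaccessible"
            continue
        diff = [k for k in ("time", "checksum", "contents") if old[k] != new[k]]
        report[name] = "changed: " + ", ".join(diff) if diff else "unchanged"
    return report

def demo() -> dict:
    """Constructed scenario: baseline four files, then keep, edit, delete, block one each."""
    root = Path(tempfile.mkdtemp())
    files = {n: root / n for n in ("ok.com", "edited.exe", "gone.sys", "blocked.exe")}
    for p in files.values():
        p.write_bytes(b"MZ\x01\x02")
        os.utime(p, (1_000_000_000, 1_000_000_000))  # fixed date so "time" is deterministic
    baseline = build_signature_file(files.values())
    # Swap two bytes: same additive checksum, different contents; then bump the date.
    files["edited.exe"].write_bytes(b"MZ\x02\x01")
    os.utime(files["edited.exe"], (1_000_000_060, 1_000_000_060))
    files["gone.sys"].unlink()
    files["blocked.exe"].unlink()
    files["blocked.exe"].mkdir()  # same name, but no longer a readable file
    return {Path(k).name: v for k, v in compare_signatures(baseline).items()}
```

The swapped-byte case in demo() shows why the report names components separately: an additive checksum alone would have missed that edit, while the contents hash catches it.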
At this point it is indeterminate that a virus or some malicious activity has occurred, particularly if VirHunt has completed its viral detection check with negative results. If a user knows that he or she has changed a file, or deleted a program, then the change in signature should be expected. On the other hand, if one did not change a file, and did not delete a program, then the analysis of the change must begin. In those cases where one knew that a change had occurred under the DATA PHYSICIAN Datamd program, one had the option to "update" the signature automatically. VirHunt requires that one create a new signature file (VirHunt.Sig) to complete the update function. This is obviously more time consuming, since one creates an entirely new signature file rather than just updating the entry in question.

(5) I created numerous signature files, and experimented with changing and deleting individual files. In every case VirHunt identified the signature change. These tests occurred in a benign environment with no direct attempt to defeat the signature mechanism.

d. I ran the Antigen program by entering "antigen". This program places a security prefix in place of the normal DOS file header. When a program with a security prefix executes, the prefix takes control first and checks both itself and the application program for signs of tampering or virus contamination. If it detects any problem, the user has the option of removing the contamination, if possible, and of returning to DOS rather than continuing the altered application.

e. Antigen has a menu format. A user has the option to include a password on the security prefix. If the user chooses the password option, then a program will only run upon submission of the password. Additionally, the security prefix cannot be removed without it. One has several choices: to protect one program, a list of programs, or all executable programs in a specified directory. I added the prefix to all executables in the \DOS directory on my hard disk. I exited the Antigen program and tested to see if the password protection functioned as advertised. It did. The "nu" program from Norton Utilities showed that a prefix had been attached, but neither the password nor any other information to decipher the prefix. The Antigen program increased the size of each protected file from 2.9K to 4.6K bytes.

f. I verified that the Filepeek program worked. Those familiar with the public domain CHK4BOMB program will be aware of the advantages and disadvantages of "searching" for suspicious narrative messages within programs. Filepeek automates the "search" through a menu-driven presentation which gives a user several options to select files, directories and search strings. It also has facilities to more logically handle the review of those files/programs actually scanned.

g. I tested the Resscan RAM-resident program on a single system, not in the local area network configuration (RS-NET). The documentation identifies three major differences between Resscan and VirHunt:

(1) Resscan loads as a TSR and checks programs for viruses as one runs the program, or when one copies or opens a program in any way.

(2) Resscan cannot remove viruses.

(3) Resscan does not have a menu format. A user must specify all options on the DOS command line, or in a separate configuration file.

I verified the functionality of many of the Resscan options, which are less numerous than those of VirHunt. Detection operations were identical to those of VirHunt.

h. I verified only that the Safeboot program worked on floppy diskettes.

i. VirAlert is a device driver which intercepts changes to executable and operating system files (i.e., .exe, .com and .sys). VirAlert cannot remove malicious code. There are a host of optional parameters:

(1) W = warns about a write attempt to executable or system files using FCBs
(2) Q = warns about a questionable write attempt to disk (i.e., INT 13H, INT 21H IOCTL, INT 26H, INT 40H)
(3) V = reminds you that VirAlert has been temporarily turned off
(4) T = warns about a Terminate-Stay-Resident program installation
(5) F = warns you about Format calls to floppy disks (by default all Format calls to hard drives are intercepted)
(6) I = skips the initial check for disconnected memory blocks
(7) X = excludes a file(s) from VirAlert protection
(8) Y = lists a specific file(s) under VirAlert protection
(9) Z = excludes a specific file(s) from a TSR watch

When VirAlert alarms, it opens a window on your screen and displays one of 13 warning messages. The user then has several options: to continue, fail, abort, inactivate VirAlert, or reboot the system. I tested options (1), (3), (4), and (5), which appeared to function as advertised. My impression is that VirAlert is not for the novice user, particularly since there is no menu assistance.

j. I did not test the Unkill program, though I have a copy of the Disk Killer virus. The written documentation had interesting warnings: "DDI is NOT responsible for any damage that may occur to your system as a result of using UNKILL" and "Only attempt a partial unkill if you are an expert with . . . an editor [disk editor]".

5. Product Advantages:

a. The construction of the product allows a user to implement the level of protection appropriate for a particular work environment. The modular nature of DATA PHYSICIAN PLUS! allows one to address the computing skills of any user.

b. The product provides a complete range of malicious program strategies, to include detection and disinfection of known viruses, monitoring of system operations for potential malicious activity, and comparison of signatures for the possible detection of "new" malicious code.

6. Product Disadvantages:

a. The VirHunt detection results warrant further analysis, particularly since VirHunt did not detect viruses it claimed that it could.

b. The signature analysis portions of the Resscan and VirHunt programs detect changes to "protected" files. But "changes" do not necessarily mean that a computer virus is present. A user can thus expect to encounter Type I or "false positive" warning messages. It is also true that the VirAlert program may alarm on activity which has nothing to do with a virus or malicious activity. These features are not unique to DATA PHYSICIAN PLUS!, but can be found in programs with similar capabilities.

c. DDI admits in the read.me file contained on the V3.0A distribution disk that the hardcopy manual needs revision. The manual has no samples of the VirHunt menu, but only references to DOS command line options. This was similarly the case with the manual for V1.3. While DDI has probably updated the manual by now, registered users do not automatically receive a copy and are advised to contact technical support for an update.

d. Although I have been a registered owner of first DATA PHYSICIAN and now DATA PHYSICIAN PLUS! for several years, I have yet to receive any update information from DDI. On three separate occasions since November 1989 I have had to contact DDI to inquire about program revisions. While the DDI representatives have always been extremely courteous, it has been apparent that my numerous registration cards have never made it into the DDI customer database. This is particularly frustrating since, in the preparation of this product test evaluation, I received information that DDI may have issued version v3.0C as of December 1991. Customer support for this individual user has presented a problem.

e. If the construction of the product is an advantage, the set of programs may present a disadvantage. Most users will have no problem with VirHunt, but will need help with VirAlert and Resscan. Few users will ever need Unkill, and even fewer will be experienced enough to safely use it. Filepeek offers insignificant features. Unbundling the programs for certain user communities will probably make sense.

7. Comments: I have recently authored a paper entitled "Beyond the Hype--What Can One Expect from Anti-Viral/Virus Detection Programs?" which attempts to summarize my experiences in testing DATA PHYSICIAN PLUS! and twenty other MS-DOS and MACINTOSH programs. The first edition of the paper has appeared in the DOE Computer Security News, November 1991. An updated version will appear in the next edition of the Information System Security Association (ISSA) Access Magazine.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

FOR FURTHER REFERENCE

PRODUCT TEST NUMBER   DATE             PRODUCT
PT-3                  November 1989    VIRUSCAN (MS-DOS) (Revised September 1991)
PT-4                  December 1989    DATA PHYSICIAN (MS-DOS)
PT-7                  January 1990     CHKSUM (MS-DOS)
PT-8                  January 1990     FILETEST (MS-DOS)
PT-11                 June 1990        AVSEARCH, 2.24 (MS-DOS) (Revised February 1991)
PT-12                 June 1990        VIRUCIDE (MS-DOS) (Revised October 1991)
PT-17                 August 1990      F-PROT (MS-DOS) (Revised October 1991)
PT-23                 March 1991       VIREX-PC (MS-DOS) (Revised May 1991)
PT-24                 July 1991        VIRUSAFE (MS-DOS)
PT-28                 February 1991    NORTON ANTIVIRUS (MS-DOS) (Revised October 1991)
PT-34                 April 1991       IBM ANTI-VIRUS, version 2.1.2 (MS-DOS & OS/2) (Revised December 1991)
PT-36                 June 1991        CENTRAL POINT ANTI-VIRUS (MS-DOS)
PT-39                 August 1991      THUNDERBYTE SCANNER (MS-DOS) (Revised December 1991)
PT-41                 July 1991        VIRx (MS-DOS) (Revised August 1991)
PT-43                 September 1991   SEER (MS-DOS)
PT-48                 October 1991     VIRUSCURE+ (MS-DOS)