*******************************************************************************
PT-34 Revised November 1992
*******************************************************************************

1. Product Description:

The IBM Virus Scanning Program is a program to detect computer virus signatures in the PC-DOS (MS-DOS) and OS/2 environments. This product test addresses version 2.2.3, which is a part of the IBM Anti-Virus Product version 2.2.3.

2. Product Acquisition:

The program has been available from the IBM Corporation in a variety of options. Through October 1992 it had been available for an initial licensing fee of $35.00. IBM has now announced two new products: (a) the IBM AntiVirus/DOS and (b) the IBM AntiVirus/2. Users should contact an IBM representative at 800-551-3579 for specific cost and technical information on these programs, which are in my perception replacements for the IBM Anti-Virus Product.

3. Product Tester:

Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5506, DSN: 258-7548, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I acquired the original copy of the program and version 2.2.3 through Computerland. The initial licensing and upgrade fees were sent directly to the IBM Corporation, Grand Central Station, P.O. Box 2646, New York, NY 10163. Computerland (located in Las Cruces, NM, USA) has continued to charge me nothing for their time or intercession.

b. Product tests have occurred on a variety of platforms running MS-DOS 3.0 through 5.0. I have run limited tests of the network options on Novell and 10Net configurations. The documentation states that the program will run on these operating systems:

   (1) PC-DOS versions 2.0, 2.1, 3.0, 3.1, 3.2, 3.3, 4.0 and 5.0.
   (2) OS/2, both Standard Edition and Extended Edition, versions 1.0, 1.1, 1.2, 1.3 and 2.0.

c. Version 2.2.3 claims to contain viral definitions for approximately 884 known viruses and variations, including detection of the MtE object module. Clearly, if one uses only "total numbers" as the criterion for a detection program, the IBM product has always detected fewer in all independent tests by the National Computer Security Association and by the International Computer Security Association. On the other hand, if one restricts one's concern to the identification of viral signatures which are "common" causes of reported infections and which realistically might present a threat, then the IBM program claims to identify 100% (i.e., 69 out of 69) of those viruses characterized as "common" by Patricia Hoffman in her Hypertext Virus Summary List (VSUM), September 25, 1992.

d. Although I do not have code for all the malicious programs which the IBM product claims to detect, I did test it against 607 malicious samples, which included 76% of the so-called common viruses (i.e., 53 out of 69). The program detected what it claimed it could. Users may refer to more detailed test results from other reputable sources such as the Virus Test Center, the International Computer Security Center, and the National Computer Security Center.

e. Operation of the program conformed to its documentation. The program continues to provide options to satisfy both the novice and the experienced user. The default is for the program to check three of its own files for modification; then to check system memory and files of type EXE, COM, OV?, INI, SYS, BIN, PRG, DOS, and OS/2; and finally to check boot records. A user can obtain a list of options at the DOS prompt by typing: virscan ? . The virscan.doc file also contains a good description of the options with samples of acceptable commands.

f. Those options actually tested have included:

   (1)  *     Scan all fixed disks.
   (2)  -b    Scan system boot sector of specified logical drive.
   (3)  -v    Maximize messages. Display a list of files and boot sectors as they are scanned. Also forces hexadecimal display of any virus signatures found.
   (4)  -a    Scan all files on the indicated drives.
   (5)  -m    Maybe detect mutants. Tries to detect small variations on the viruses specified in the signature file. More sensitive (and slower) than the default mutant detection.
   (6)  -vv   Very verbose. Like -v except that a hex dump of boot sectors is also displayed.
   (7)  -r    Removable media. If this switch is specified for a drive, the user will be prompted to insert a diskette in the drive before the scan. This allows one to scan multiple diskettes.
   (8)  -nla  Do not display the banner containing the copyright notice, or issue the associated prompt.
   (9)  -nms  No memory scan. Completely disable scanning for memory resident viruses.
   (10) -qq   Completely quiet operation. No messages at all will be displayed, unless a terminal error occurs.
   (11) -z    When the scan finishes, if any virus signatures were found, wait for the user to press a key and beep once per second.
   (12) -vl   Produce a detailed log file. Default filename is virscan.lgf in the current directory.
   (13) *n    Scan all network drives.
   (14) -nb   Disable the beep when virus signatures are found.
   (15) -t    Scan a single file.
   (16) -x    Test mode.
   (17) -g    Guru mode. A feature for the "technically-inclined" user to scan for known viral signatures in locations which are not the default locations.

g. All these options performed as indicated in the documentation. The program has a self-checking mechanism to examine itself and its list of virus signatures before executing scanning operations. Should any modification be detected, the program will terminate. A user normally receives the following message at the completion of the scan, unless he or she has chosen the -qq option. The following is one of the messages actually recorded during this product test:

   Scan completed.
   55 files were scanned.
   1 system boot sector was scanned.
   System memory was scanned for dangerous and/or well hidden resident viruses.
   Total bytes scanned = 1192745, in 62 seconds.
   59 Viral signatures found in 50 objects.

The -vl option, although it does record the program version number, the date/time of execution, the names of files infected, and the identification of the infecting agent, does not capture the above summary. The program automatically overwrites the default log file (virscan.lgf) unless the user takes some specific action to save a file prior to subsequent executions of the option.

h. The documentation states that the product cannot find virus signatures in files that are compressed or encrypted. With the -a option, however, I discovered that the program would scan and identify strains of the Cascade, Datacrime, Vienna and Washburn viruses which had been compressed under PKZIP. I encrypted the same compressed files with a software implementation of the Data Encryption Standard. The product did not identify the four viruses under this encrypted format. I attribute no significance to the detection of a few viruses in compressed form. The strategy to uncompress and then scan is obviously the correct choice when using the IBM product.

5. Product Advantages:

a. The IBM product performs as advertised.

b. The cost of the license agreement is extremely reasonable, particularly when one reads the agreement. A user may, for example, use a copy of the scanning program on one or more machines at a time, and may make additional license copies of the scanning program for distribution and use within one's enterprise.

c. The documentation is readable and presents a realistic assessment of the strengths and limitations of the product. There is an honest discussion, rarely found in other vendor documentation, on how viral signatures have been obtained.

d. The user has the option to add additional viral definitions.

6. Product Disadvantages:

a. The IBM program provides viral detection only. A user must have other alternatives for disinfection and recovery.

b. The frequency of revisions has been indeterminate. It is my expectation that the new IBM products, IBM AntiVirus/DOS and IBM AntiVirus/2, will eliminate this issue because both permit one to automatically receive updates for an additional subscription fee.

c. The product is available on an "AS IS" basis. Therefore, a user should not expect direct technical assistance. This really should not present a problem if one has access to the Internet. Through the Internet a user can contact a variety of reliable and technically qualified persons within IBM and without on any problems or questions generated by the product.

7. Comments:

There are many issues in the acquisition and use of viral detection tools. Interested readers may consult the ISSA Access Magazine, 1st Quarter 92, for an article entitled "Beyond the Hype: What Can One Expect from Anti-Viral Detection Programs?" The article discusses criteria which may be important in the evaluation and selection process.

The IBM Virus Scanning Program has been an extremely cost-effective site licensing solution for viral signature detection. With the announcement of the IBM AntiVirus/DOS and IBM AntiVirus/2 products it would appear that the IBM Anti-Virus Product will cease to exist as a separate option. I have ordered the first of the new products, and will issue a separate product test report upon its receipt.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
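Paragraph 4.h above explains why a signature scanner finds nothing inside compressed or encrypted files, and option (5) -m in 4.f describes tolerance for small variants. The following Python program is an added illustration of both points; it is not part of this report or of IBM's product. The signature table, the sample "files", the zlib compression and the XOR cipher are constructed stand-ins (the report used PKZIP and DES).

```python
import re
import zlib

# Constructed signature table (not IBM's): name -> hex bytes, "??" = any one byte.
# The wildcard mimics the small-variant tolerance that the -m option describes.
SIGNATURES = {
    "Sample-A": "DE AD BE EF 00 01",
    "Sample-B": "CA FE ?? ?? BA BE",
}


def compile_signature(hexpat):
    """Turn a space-separated hex pattern with ?? wildcards into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hexpat.split()]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(pat) for name, pat in SIGNATURES.items()}


def scan_buffer(data):
    """Return the names of all signatures present in data, in table order."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def scan_with_decompress(data):
    """Scan raw bytes; if they are a zlib stream, scan the decompressed content too.
    This is the 'uncompress, then scan' strategy the report recommends."""
    hits = scan_buffer(data)
    try:
        inner = zlib.decompress(data)
    except zlib.error:
        return hits                      # not a zlib stream: raw scan only
    return hits + [h for h in scan_buffer(inner) if h not in hits]


def xor_cipher(data, key):
    """Toy symmetric cipher standing in for DES; the same call decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample "files": filler bytes with one signature embedded in each.
FILE_A = b"A" * 300 + bytes.fromhex("DEADBEEF0001") + b"A" * 300
FILE_B = b"B" * 300 + bytes.fromhex("CAFE1234BABE") + b"B" * 300   # variant bytes 12 34
KEY = b"\x5a\xa5\x3c"                    # no zero byte, so every plaintext byte changes
COMPRESSED_A = zlib.compress(FILE_A)     # signature bytes no longer appear verbatim
ENCRYPTED_A = xor_cipher(FILE_A, KEY)

if __name__ == "__main__":
    print("plain      :", scan_buffer(FILE_A), scan_buffer(FILE_B))
    print("compressed :", scan_buffer(COMPRESSED_A))
    print("encrypted  :", scan_buffer(ENCRYPTED_A))
    print("decompress :", scan_with_decompress(COMPRESSED_A))
```

Running it shows the signature found in the plain file, missed in both the compressed and the encrypted copies, and found again once the scanner decompresses first; the encrypted copy stays invisible until it is decrypted by whoever holds the key.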