From: Chris McDonald <CMCDONALD@WSMR-SIMTEL20.ARMY.MIL>
Date: 26 Apr 1993 09:26:48 -0700
To: securitylist:;@WSMR-SIMTEL20.ARMY.MIL
Cc: virreviews:;@WSMR-SIMTEL20.ARMY.MIL
Subject: Revised Product Test 36, CPAV, version 1.4

*******************************************************************************
                          PT-36 Revised April 1993
*******************************************************************************

1. Product Description: Central Point Anti-Virus (CPAV) is a commercial product to detect and to disinfect known MS-DOS viral infections. The program provides additional protection against the introduction of "unknown" and/or malicious code through integrity checking (checksumming) and through the detection of "suspicious" activity. This test report addresses version 1.4 with updates through April 1993. It also eliminates errors in the previous test report and clarifies certain results pertaining to Type I alarms (false positives).

2. Product Acquisition: CPAV is available from Central Point Software, Inc., 15220 N.W. Greenbrier Parkway, Suite 200, Beaverton, OR 97006-5764. The published customer service number is 503-690-8090. The list price for a single copy is $129.00. Site licenses are available. Microsoft has bundled a flavor of CPAV in its shipment of MS-DOS 6, known as Microsoft Anti-Virus (MSAV). Published information states that Central Point will handle all upgrades to MSAV. As of April 15, 1993, no upgrades to MSAV had occurred.

3. Product Testers: Don Rhodes, Information Systems Management Specialist, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN: 258-8174, DDN: drhodes@wsmr-emh35.army.mil; Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN: 258-7548, DDN: cmcdonal@wsmr-emh34.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. Don Rhodes obtained an evaluation copy of CPAV V1 in April 1991.
The evaluation copy arrived just before Central Point launched an aggressive marketing campaign in several trade publications. The evaluation package contained a user's manual, a certificate to obtain one free virus protection update contingent upon product registration, two 5 1/4" disks, and one 3 1/2" disk. All disks were write-protected. I enrolled in the automatic update program for an additional fee, and subsequently received version 1.3 and version 1.4. I downloaded the last update from the Central Point BBS in January 1993. From that time through April 23, 1993, no other updates have appeared on the BBS.

b. Product tests have occurred on a variety of 286 and 386 platforms running MS-DOS 3.0 through 5.0. The minimum hardware and software configuration identified in the documentation is: IBM PS/2 (all models), PC, XT, AT, and most IBM compatibles running DOS 3.0 or higher with 512K (DOS 3.2 or higher is "recommended"). Product testing for this revision occurred from 9 through 15 April 1993.

c. CPAV continues to be one of the more complex protection programs evaluated to date in terms of its number of advertised capabilities, functions, and protection options. Its marketing literature has emphasized its Windows and Novell network compatibilities. Don Rhodes verified the Windows functionality; but neither of us addressed the networking features since this is not presently a high priority in our specific computing environment.

d. CPAV has an automatic installation program to assist users. The user's manual and the screen presentations during installation were helpful. One invokes the program either with a mouse or with the syntax: cpav (case insensitive). When the program runs, the default is for Full Menus. The user does have the option to move to a so-called Express Menu. Full Menus offer a variety of options and configurations.

e. CPAV version 1.4 claims to contain viral signatures for close to 1400 known viruses and variations.
While we did not have code for all the malicious programs which the product claims to identify, we did test against a test suite of 621 malicious programs which included 76% of the so-called common viruses in the "wild" and nine different viruses created by the Virus Creation Laboratory. The results of our tests as well as the results from other competent reviewers follow:

(1) CPAV detected 100% of the common or "in the wild" samples. This fact remains significant because CPAV has had no formal updates since late January 1993. If one simply used the "in the wild" test suite proposed by the "Virus Bulletin", then our test suite actually included just over 80% of the most common viruses found outside of research and vendor hands.

(2) Although CPAV has a separate entry for the Liberty and for the Mystic-1/Mystic-2 viruses, version 1.4 identified all test samples of the Liberty virus as Mystic-1. Other reviewers have commented on the "virus naming convention of the program" with the observation that the program may detect the wrong virus on occasions. This issue of "correctness" has become a key criterion in the evaluation guidelines proposed by a recent National Institute of Standards and Technology special publication. The citation for the publication can be found in the "Comments" section of this product test.

(3) The "Virus Bulletin", January 1993, evaluated the performance of version 1.4 against a variety of test suites in the magazine's annual scanner update. The overall results against those viruses in the wild were nothing exceptional when compared against the other 17 programs evaluated. One major shortfall was the inability to reliably detect MtE-based samples. Dr. Keith Jackson discovered that the program locked up after 255 viruses had been entered in the report of viral infections. In Dr. Jackson's tests the CPAV lockup occurred while he was running it against 1024 samples of the Groove virus. Dr. Jackson utilized PC Tools to recover the unsaved report file, and found that CPAV had identified 92% of the first 256 samples. He further reported that CPAV failed to detect his test samples of the Kamikaze, Rat and Amstrad viruses. In our own tests we had samples of the Kamikaze and the Amstrad viruses which version 1.4 with the January 1993 updates correctly identified.

(4) The "Virus News International", January 1993, published Vesselin Bontchev's MtE detection test results of 17 different programs. CPAV, version 1.3, was in his tests not a "reliable" detector of MtE-based viruses. The test results are also available for anonymous ftp from several Internet sites, to include 192.88.209.5 (cert.sei.cmu.edu).

f. CPAV has a memory resident component program called VSafe to detect "suspicious" activity and to scan for viral signatures under specific operations. VSafe has eight options which I tested.

(1) HD Low-Level Format: Warns of formatting which could completely erase the hard disk. The default installation is ON.
(2) Resident: Warns of any attempt by a program to use standard DOS methods to stay in memory. The default installation is OFF.
(3) General Write Protect: Prevents all writing to the disk. The default installation is OFF.
(4) Check Executable Files: Checks any executable file opened by DOS for known viruses. The default installation is ON.
(5) Boot Sector Viruses: Checks any disk used in the system for the presence of boot sector viruses. The default installation is ON.
(6) Protect HD Boot Sector: Warns of any attempt to write to the boot sector and partition table of the hard disk. The default installation is ON.
(7) Protect Floppy Boot Sector: Warns of a program attempting to write to the boot sector of a floppy disk. The default installation is OFF.
(8) Protect Executable Files: Warns of any attempt to modify executable files. The default installation is OFF.

h. VSafe tests resulted in these observations.
(1) I experienced two Type I alarms in that VSafe warned of an attempt to modify executables when I used another scanning program to test for the presence of CPAV's unencrypted search strings in buffers. I duplicated the alarm when I used yet another scanning program.

(2) On test systems with limited memory (no more than 640Kb) I occasionally had the systems hang with the VSafe option set to alarm upon the attempt of a program to go memory resident. VSafe would present a dialog box to stop or to allow the operation. When I chose to allow the operation, I instead had to reboot the system. The incidents were few in number and probably resulted from the memory constraints rather than from some program flaw.

i. The disinfection capabilities of CPAV performed as documented. I do have reservations in that the program does not prompt a user before performing disinfection. While this does result in a "fast" cleanup, it may be premature if one wishes to run a second scanning program before disinfection. So one should be cautious before choosing the scan/remove option. In a real world environment I have used CPAV as a reliable disinfector for the Form, Yankee Doodle and Stoned viruses.

j. CPAV has an option to create checksums on files and to verify the integrity of that checksum. When a user selects the option, CPAV creates a checklist file called chklist.cps during a scanning detection operation. Each directory has its own chklist.cps file which contains information on a file's size, attributes, date and time. If upon a future detection operation there is a change in the checksum, CPAV issues an integrity alarm notifying a user that a change has occurred. We tested this feature by modifying various file information. In all cases CPAV issued an alarm. I should caution that our tests did not include any attempt to specifically defeat the mechanism.
The documentation available to me does not discuss the checksumming algorithm, and more experienced reviewers have commented that the "checksum" does not seem "to be calculated across the entire file".

k. The "immunization" component of CPAV was only partially tested. The user's manual describes "immunization" in this manner: "Central Point Anti-Virus can immunize executable files against virus infection. Once immunized, a file has its own anti-virus capabilities allowing it to notify you of any change that may occur. If a change is detected, the immunized file can 'heal' itself, returning to its original state. Immunization adds less than 1K to a file, but does not occupy any space in system memory." The warning message displayed in the manual, however, is an "integrity" warning. It seemed to me that if a user utilized the detection scanning operation with the checksum operation and chose the VSafe memory resident program, then any other change would have to be a "new" malicious piece of code or a legitimate change. The one advantage of immunization is that any file immunized checks itself every time prior to execution. Clearly "immunization" addresses those situations in which the user has not configured VSafe to detect attempted changes to .com and to .exe files, or environments where the user perhaps does not activate detection scanning on a regular basis.

l. We did test the menu features of immunizing and disimmunizing files. There are at least six categories of files which the documentation states cannot be immunized. If a user attempts to immunize a file from one of those categories, then the user receives a dialog box advising of this fact. Those menu features functioned as advertised with one exception: namely, there was one instance in which a file with its own self-checking system did not trigger the dialog box. Such a file according to the documentation cannot be immunized.
The file in question was another anti-viral executable from a different vendor.

m. CPAV has options to maintain activity logs on detection, disinfection and immunization operations. The user has the choice to write such activity to the screen, to a printer, or to a file. The option performed as documented.

n. Tests of the VWatch component, a smaller memory-resident program for those users who cannot employ VSafe because of memory limitations, confirmed its functionality.

o. We did not test the Bootsafe and the Scheduler components of CPAV. When Bootsafe is run from your autoexec.bat file, it looks for any existing boot sector viruses by comparing the current boot sector and partition table against their images created during the installation process. Scheduler allows one to configure times and frequencies for automatic detection operations.

5. Product Advantages:

a. CPAV offers a comprehensive set of components for establishing a control program for virus and malicious software detection, disinfection, and prevention. The program offers more than just viral signature detection scanning. The components appear to perform as documented under a non-hostile test environment.

b. The installation program allows the user to configure the product to her or his own preferences. There is also the opportunity to change a configuration very easily after installation.

c. All CPAV menu displays are clear and informative. The Full Menu display has a split screen presentation in which a directory information box appears on the left and files within the directory appear on the right box. As CPAV executes a particular operation, the directory and specific file under detection, disinfection, immunization, etc., are highlighted. Movement within the displays is easy with usually multiple ways to issue a command or perform an operation. CPAV worked well under Windows and with a Logitech three button mouse (mouse driver 5.01).

d.
CPAV has an automatic update capability for adding "new" malicious search strings. One can obtain such information from Central Point's virus hotline, its BBS, CompuServe, U.S. mail, and fax. The BBS service appears to be the most logical way to update the program.

6. Product Disadvantages:

a. Failure to encrypt virus scan patterns causes CPAV to generate Type I alarms if one utilizes other scanning programs. While the number of alarms appears to have decreased in my testing program, this is still a problem.

b. The range of options may suggest that CPAV is a product for the advanced user or for that special high risk environment. It may not be reasonable to give everyone a copy, particularly if individual users only want detection and disinfection capabilities. There may also be economic considerations if one decides to site license the product, but with the intent to vary the installation of components within the community served. For example, one might site license CPAV detection and disinfection for 2,000 machines, but only want to install VSafe on 200 machines.

c. Although the subscription update service has been satisfactory, I have never received a revised manual. Since there have been significant changes since version 1.1, I think it reasonable to have expected the receipt of a new manual with the version 1.4 disks.

d. The upgrade procedures appear to be in a state of transition. As a registered user of the program I have connected to the Central Point BBS for some time. The most frequently asked question from users of the BBS appears to be when the next update will be available. On March 17, 1993 a Central Point Technical Systems representative stated that Central Point had no formal policy on updates, but that generally it aimed for monthly updates. When users then inquired why the last update was in January 1993, the same representative repeated that there was no firm policy.
On April 7, 1993 the representative in response to the same question stated that an update should be available in a "week or so". The update was still not available on the BBS as of April 23, 1993. The existing update policy, or lack thereof, may present a problem for certain users.

7. Comments: Fred Cohen's original paper on his first computer virus experiments concluded that detection of viruses by their appearance or behavior was "undecidable". Yet nine years after the publication of his work, detection of viruses by their appearance and behavior remains the most common form of viral defense for the MS-DOS environment. CPAV provides the mechanisms to monitor attributes of change and to recognize a virus by its appearance. It has an intrusion detection capability through its TSR program, checksum capability, and file immunization. The challenge for the user remains the interpretation of what the program identifies as "suspicious" activity. It does reinforce the proposition that, if one chooses to acquire a product which integrates detection, disinfection and prevention, one must have a strategy for supporting users in the interpretation of alarms and probably in the actual configuration.

There are many issues in the acquisition and use of viral detection tools. Interested readers may consult the Proceedings of the National Computer Security Association's 2nd International Virus Prevention Conference & Exhibition, February 1993, for several papers on the subject to include one entitled "Selecting an Anti-Virus Product". The National Institute of Standards and Technology has issued a Special Publication 800-5, "A Guide to the Selection of Anti-Virus Tools and Techniques", December 2, 1992. The publication is available for anonymous ftp from the NIST host 129.5.54.11 in the path /pub/nistpubs. One may also call Ms. Dianne Ware, NIST, at 301-975-2821 for one free copy.
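Section 4.j above describes CPAV's per-directory chklist.cps records (size, attributes, date and time plus a checksum) and reports the suspicion of other reviewers that the checksum is not calculated across the entire file; the Comments section lists that checksum capability among the product's change-monitoring mechanisms. The Python script below is an added example written for this page, not Central Point's code: the checklist name CHKLIST.EX, the record layout and the use of SHA-256 are assumptions for illustration. It builds and verifies a checklist of the same shape, then shows the kind of change the size/date/time fields alone cannot catch (bytes overwritten in place, timestamp restored) and why a digest over only the first 512 bytes misses a patch deeper in the file while a digest over the whole file raises the alarm.

```python
import hashlib
import json
import os
import stat
import tempfile

# Assumed name for this example; CPAV's own per-directory file is chklist.cps.
CHECKLIST_NAME = "CHKLIST.EX"


def file_record(path, head_bytes=None):
    """Describe one file the way a checklist entry would: size, attribute
    bits, timestamp and a digest.  head_bytes=None digests the whole file;
    an integer digests only that many leading bytes (the weak behaviour
    reviewers suspected of CPAV)."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    covered = data if head_bytes is None else data[:head_bytes]
    return {
        "size": st.st_size,
        "attr": stat.S_IMODE(st.st_mode),
        "mtime_ns": st.st_mtime_ns,
        "sha256": hashlib.sha256(covered).hexdigest(),
    }


def build_checklist(directory, head_bytes=None):
    """Record every regular file in `directory` into one checklist file."""
    records = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name != CHECKLIST_NAME and os.path.isfile(path):
            records[name] = file_record(path, head_bytes)
    with open(os.path.join(directory, CHECKLIST_NAME), "w") as fh:
        json.dump(records, fh)
    return records


def verify_checklist(directory, head_bytes=None):
    """Return {name: [fields that changed]} for files that no longer match."""
    with open(os.path.join(directory, CHECKLIST_NAME)) as fh:
        stored = json.load(fh)
    alarms = {}
    for name, old in stored.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            alarms[name] = ["missing"]
            continue
        new = file_record(path, head_bytes)
        changed = [field for field in old if old[field] != new[field]]
        if changed:
            alarms[name] = changed
    return alarms


def stealthy_patch(path, offset, payload):
    """Overwrite bytes in place and put the timestamp back, the way an
    infector that preserves size, date and time would: every field of the
    record except the digest stays identical."""
    st = os.stat(path)
    with open(path, "r+b") as fh:
        fh.seek(offset)
        fh.write(payload)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo_checklist():
    """Constructed scenario: a 4 KB dummy program is recorded, then patched
    at offset 3000.  Returns the alarms raised by a 512-byte partial digest
    and by a whole-file digest."""
    results = {}
    for label, head in (("partial", 512), ("full", None)):
        with tempfile.TemporaryDirectory() as directory:
            target = os.path.join(directory, "PROG.COM")
            with open(target, "wb") as fh:
                fh.write(b"\x90" * 4096)            # constructed dummy program
            build_checklist(directory, head)
            stealthy_patch(target, 3000, b"\xeb\xfe")
            results[label] = verify_checklist(directory, head)
    return results


if __name__ == "__main__":
    print(demo_checklist())   # {'partial': {}, 'full': {'PROG.COM': ['sha256']}}
```

Two points follow from the run. Size, attributes and timestamp are all under the attacker's control, so only the digest carries the integrity guarantee; and a digest over a prefix of the file guarantees nothing about the rest of it, which is exactly the reservation the other reviewers raised. The checklist file itself sits in the same directory as the files it protects and is therefore only as trustworthy as that directory; a serious deployment keeps a copy on write-protected media, as CPAV's own shipping disks were.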
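Sections 4.h(1) and 6.a above report Type I alarms caused by CPAV's unencrypted search strings: a second scanner finds CPAV's own signature bytes in its files or in memory buffers and reports an infection. The Python script below is an added example written for this page, not the code of CPAV or of any other scanner mentioned in the report; its two search strings are constructed for the demonstration and are not real virus signatures. It contrasts a scanner whose database holds the patterns verbatim (so any other scanner carrying the same pattern flags the first scanner's files) with one that stores only SHA-256 digests of the patterns and matches by hashing windows of the scanned data, so the plaintext pattern never has to exist on disk or in a buffer.

```python
import hashlib
import json

# Constructed search strings for this example only; they are not real virus
# signatures and match nothing but the sample data built in demo_scanner().
SIGNATURES = {
    "Sample-A": b"\xeb\x1f\x90\xb4\x4a\xbb\xff\xff\xcd\x21",
    "Sample-B": b"\xba\x80\x00\xb4\x09\xcd\x21\xe8\x00\x00\x5d",
}


def scan_raw(data, signatures=SIGNATURES):
    """Plaintext-pattern scanner: the search strings live verbatim in its
    own database, so any file holding the same bytes is reported."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def build_hashed_db(signatures=SIGNATURES):
    """Store SHA-256(signature) keyed by signature length.  The database
    on disk then contains no byte sequence another scanner would match."""
    db = {}
    for name, sig in signatures.items():
        db.setdefault(len(sig), {})[hashlib.sha256(sig).hexdigest()] = name
    return db


def scan_hashed(data, db):
    """Hash every window of each signature length and look the digest up;
    the plaintext signature is never reconstituted in memory."""
    hits = set()
    for length, table in db.items():
        for off in range(len(data) - length + 1):
            digest = hashlib.sha256(data[off:off + length]).hexdigest()
            if digest in table:
                hits.add(table[digest])
    return sorted(hits)


def demo_scanner():
    """Constructed samples: a benign program image and one carrying
    Sample-A, plus the on-disk database each scanner leaves behind."""
    clean = bytes(range(256)) * 4
    infected = clean[:300] + SIGNATURES["Sample-A"] + clean[300:]
    raw_scanner_file = b"SIGDB\x00" + b"".join(SIGNATURES.values())
    hashed_db = build_hashed_db()
    hashed_scanner_file = json.dumps(hashed_db).encode()
    return {
        "raw_on_infected": scan_raw(infected),
        "raw_on_raw_scanner": scan_raw(raw_scanner_file),      # Type I alarm
        "raw_on_hashed_scanner": scan_raw(hashed_scanner_file),  # no alarm
        "hashed_on_infected": scan_hashed(infected, hashed_db),
        "hashed_on_clean": scan_hashed(clean, hashed_db),
        "hashed_on_raw_scanner": scan_hashed(raw_scanner_file, hashed_db),
    }


if __name__ == "__main__":
    for check, result in demo_scanner().items():
        print(f"{check:24s} {result}")
```

The raw scanner's database is flagged by both scanners, which is the situation described in 6.a, while the hashed database is flagged by neither. Hashing every window with SHA-256 is far too slow for a production scanner; real engines use rolling hashes, restrict matching to likely offsets such as the entry point, or keep the strings masked (for example XOR-encoded) and compare against masked copies of the input, which serves the same purpose of keeping the plaintext pattern out of files and buffers.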
[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER     PRODUCT
PT-3                    VIRUSCAN
PT-11                   AVSEARCH, 2.24
PT-12                   VIRUCIDE
PT-17                   F-PROT
PT-23                   VIREX-PC
PT-24                   VIRUSAFE
PT-25                   DR. SOLOMON'S TOOLKIT
PT-28                   NORTON ANTIVIRUS
PT-31                   DATA PHYSICIAN PLUS! (VirHunt)
PT-34                   IBM ANTI-VIRUS (MS-DOS & OS/2)
PT-39                   THUNDERBYTE SCANNER
PT-40                   ALLSAFE
PT-41                   VIRX
PT-45                   VIRUS PREVENTION PLUS
PT-48                   VIRUSCURE+
PT-51                   PC-RX
PT-52                   VIRUSCLEAN
PT-55                   GOBBLER-II
PT-58                   VIRUS BUSTER
PT-59                   IBM ANTIVIRUS/DOS
PT-60                   VIRUS TERMINATOR
PT-61                   VDS PRO
PT-64 (in process)      STOPLIGHT
PT-65 (in process)      F-PROT PROFESSIONAL