*******************************************************************************
PT-40
October 1992
*******************************************************************************

1. Product Description:

AllSafe is a commercial software program to provide access control and virus protection for IBM PC or MS-DOS compatible systems. This product test addresses version 1.0.

2. Product Acquisition:

The product is available from XTREE Company, 4330 Santa Fe Road, San Luis Obispo, CA 93401. One can obtain general information by calling 805-541-0604. The cost for a single copy is usually around $100.00. Site licenses are available.

3. Product Tester:

Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-5712, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I received an evaluation copy of the program from Mr. Robert Greenwald, a government marketing representative for XTREE. The program arrived in two media formats: two 5 1/4" low density disks and one 3 1/2" disk. There was also a 169 page User's Guide. The virus protection component of the product is ViruSafe (reference product evaluation, PT-24, revised May 1992).

b. I tested the product on a Zenith 248, MS-DOS 3.30. The minimum system requirements, according to the documentation, are an IBM PC, XT, AT, PS/2, or compatible computer with at least 512K bytes of memory with MS-DOS or PC-DOS, version 3.1 or above. The documentation states that AllSafe is compatible with MS-Windows 3.0, GEM, and DESQview. In a network environment the documentation recommends that one utilize the ViruSafe/LAN product rather than ViruSafe. AllSafe in such an environment provides single user protection at the individual workstation or PC. Access to files is a function of the LAN security system. The test period extended from 16 July to 11 September 1992.

c. AllSafe provides these capabilities:

   (1) User authentication
   (2) Boot or hard disk protection
   (3) User privileges or restrictions
   (4) Password screen blanker and lock
   (5) Software data encryption (proprietary and DES implementations)
   (6) Virus signature detection and disinfection
   (7) Audit trail logs

d. The installation of the program was very simple. One inserts the respective program disk in Drive A and types: install. The ViruSafe component first performs a viral signature analysis of the system. If there are no malicious signatures found, the program then prompts the user through the installation. One has the option to have the program modify one's autoexec.bat file to provide automatic virus signature scanning upon each subsequent reboot. The final option is for the user to create an Emergency Rescue Diskette to be used in the event of damage to the system's boot sector, partition table, or CMOS RAM.

e. The installation process essentially copies all of the necessary program files without actually activating any of the security access control features. When the program files have been copied onto the hard drive, one first configures the security system and then activates it. The command to configure the system is: ASMENU .

f. AllSafe allows for an administrator or "security password" and for user passwords. The default security password is XTREE and the default user password is PASSWORD. The documentation states that one "should change these right away". When one has changed the defaults, there are a number of Global Security options for the administrator to set.

   (1) Password Expiration
       One has the option to set a range of from 10 to 250 logins before expiration, or to turn the option OFF.

   (2) Request Password on Boot
       The default is ON.

   (3) Echo Password on Screen
       The default is ON. The echo consists of small blocks as one types the password.

   (4) Log Active
       There are three options. The default is for a BRIEF log which includes all logins, logoffs, execution of programs, and attempts to violate user privileges. The FULL option records all computer activity for the administrator and the user. The USER option records only user actions.

   (5) Auto Screen Saver (minutes)
       The default is 15 minutes since the last keystroke. One can adjust the range from 2-60 minutes, or turn the option OFF. One must enter the correct password to unlock the system.

   (6) Mouse Type
       The options are SERIAL, BUS, or NONE.

   (7) Encryption Key
       This alphanumeric character can be up to eight characters. If one wishes to exchange encrypted files between systems, one must choose the same encryption/decryption key.

   (8) Secure Directory
       The administrator has the option to limit user access to directories and subdirectories.

   (9) User Privileges
       The administrator can enable or disable the following features: hard disk write protection; floppy disk write protection; hard disk read protection; printer access; manual keyboard lock with screen saver; DOS shell access and Ctrl-C/Break protection; attribute change protection; date/time change protection; mkdir/rmdir protection; config.sys and autoexec.bat protection; format/fdisk protection; program integrity checking and execution restrictions on individually marked programs; and restrictions on copying .com and .exe files.

g. I created an administrator and a user to test all the options, features and privileges. These were the results.

   (1) All settings performed as indicated with one exception. I had difficulties in reviewing audit trail records through the available administrator's menu under the FULL option. Although I could view the raw audit trail log file either with a simple MS-DOS read command or with a text editor, I could not view the log via the menu option. There were no problems with the BRIEF and USER audit options, so I have no explanation for the difference.

   (2) During the installation process the ViruSafe component issued a Type I or false alarm for the DataCrime virus. Previous versions of ViruSafe had never issued such an alarm. I subsequently tested version 4.6 of ViruSafe against the test system with negative results.

   (3) After I completed configuration and activated the security system, McAfee Associates programs Viruscan and Vshield issued a Type I alarm for a "generic boot sector virus". Obviously the boot protection mechanism of AllSafe caused the alarm. I have had similar experiences with other access control programs. In this particular instance there were no Type I alarms from other major viral signature detection programs, to include F-PROT, Norton Anti-Virus, the IBM Anti-Virus Product, TbScan, and Virucide.

   (4) One might attempt to bypass the boot protection scheme by using a system disk to boot from the floppy drive and then attempt to change drives. I tested boot protection and found that it worked to deny me access to the hard drive. Attempts to view the hard drive from the floppy drive with Norton Utilities and with Professional Master Key were similarly unsuccessful. With both programs the hard drive was simply non-existent.

   (5) The software encryption feature was fully menu-driven with a host of options. Unfortunately the documentation does not identify what specific DES mode of operation AllSafe implements. The User's Guide states: "AllSafe uses the newest, modified DES method that is faster than the original DES implementation and provides nearly the same amount of security". This is very confusing, if not contradictory, since I am unaware of the distinction between an "original" and a "new" DES. Federal Information Processing Standards 46-1 and 81 make no reference to such a distinction.

   (6) Within the encryption menu is a Zap feature to overwrite a highlighted or marked file. The document states: "The procedure is so effective that it meets the U.S. Government's Specification for the destruction of classified data (DOD 5220.22-M)". The on-line and written documentation, however, do not identify the specific method of overwriting. Tests of the Zap utility confirmed that recovery of files with a standard disk recovery utility, such as Norton Utilities, PC-Tools, and Professional Master Key, was not possible.

5. Product Advantages:

a. AllSafe combines access control with malicious program signature identification and removal. The myriad options and features allow one flexibility to configure a software security system for different environments and for users of different skill levels.

b. The viral signature identification component, ViruSafe, has received good ratings from other independent agencies, such as the National Computer Security Association.

6. Product Disadvantages:

a. There may be user resistance to any type of control on personal computers. It may be difficult, in the absence of written policy which mandates the installation of an access control package, to find an audience for the product.

b. The product requires that one fully understand the options and preferences, and that one make conscious decisions on configuration prior to the activation of controls. A single user will require some time to become familiar with all the features. It may even be desirable for larger organizations to dedicate individuals as system administrators to ensure configuration management and correct installation. Many organizations may fail to account for these support costs.

c. The prevention features in the ViruSafe component will result in Type I alarms. Management may find it advisable to have knowledgeable persons available to assist users when such alarms occur.

d. The User's Guide requires some additional information on the encryption and on the erasure options.

7. Comments:

The use of any access control/virus protection product should be a function of a realistic assessment of one's particular operating environment. It would be a mistake to impose the mandatory implementation of an access control package without such an assessment and without the user community's commitment to the installation.

It should be noted as well that there are other approaches to access control on a personal computer which employ hardware and/or a combination of hardware and software techniques. Various authors have commented on the increased protection in those products which have a hardware foundation (i.e., DES hardware versus software implementation). For those on a restricted budget many vendors now provide password and boot protection as a discretionary feature of their set-up and/or configuration programs (i.e., Everex, Alpha 4 Systems Laboratory, etc.).

AllSafe, as presently configured, will probably never be submitted to the National Computer Security Center for evaluation under its subsystem criteria because it does not provide the four functional requirements associated with the subsystem interpretation. This does not in my opinion present a significant problem for most environments. While many users confuse evaluation of products under the subsystem interpretation with certification under the Orange Book, the subsystem evaluation process is distinct from the rating schema established under the Orange Book.

Government users will need to consult their specific organizational policies and procedures on the use of software implementations of DES encryption and on sanitization programs.

The combination of access control and viral protection is an innovative idea. Although many access control vendors advertise "viral defense" in their sales literature, they actually provide no specific viral signature identification and disinfection. Rather they rely on some type of checksum or signature analysis to detect changes in boot sectors, partition tables, and executable programs. AllSafe provides not only this type of protection, but also automatic and manual virus signature scanning with disinfection.

Finally, no software access control package is 100% secure. I have witnessed the defeat of software-controlled boot protection at a Department of Energy training workshop. While the product defeated was one other than AllSafe, the description of the attack methodology appears independent of a specific vendor. The good news is that the methodology appears to require a sophisticated skill level.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
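
The contrast drawn in the Comments between checksum-type change detection and virus signature scanning, as an added example that is not part of the original report and is not code from any product named in it. It also shows how a boot sector rewritten by an access control installation surfaces as a change alarm that an administrator can classify as Type I. Region names, byte patterns and the approved-digest list are constructed for illustration.

```python
import hashlib

def digest(data):
    return hashlib.sha256(data).hexdigest()

def take_baseline(regions):
    """One digest per protected region (boot sector, programs)."""
    return {name: digest(data) for name, data in regions.items()}

def integrity_alarms(baseline, regions):
    """Change detection: every region whose digest differs from the baseline."""
    return sorted(n for n, d in regions.items() if baseline.get(n) != digest(d))

def signature_alarms(regions, signatures):
    """Signature scan: (region, signature name) for each known pattern found."""
    return sorted((n, s) for n, d in regions.items()
                  for s, pattern in signatures.items() if pattern in d)

def triage(baseline, regions, signatures, approved):
    """Label each alarmed region so a Type I alarm can be told from a real one."""
    hits = {n for n, _ in signature_alarms(regions, signatures)}
    verdicts = {}
    for name in sorted(set(integrity_alarms(baseline, regions)) | hits):
        if name in hits:
            verdicts[name] = "known signature"
        elif digest(regions[name]) in approved.get(name, set()):
            verdicts[name] = "approved change (Type I alarm)"
        else:
            verdicts[name] = "unexplained change"
    return verdicts

# Constructed sample data; the byte patterns are placeholders, not real signatures.
SIGNATURES = {"CONSTRUCTED-PATTERN-1": b"\x00EXAMPLE-SIGNATURE\x00"}
CLEAN_BOOT = bytes(510) + b"\x55\xaa"
STUB = b"BOOT-LOCK-STUB"                      # stands in for a boot protection hook
LOCKED_BOOT = STUB + CLEAN_BOOT[len(STUB):]
BEFORE = {"boot_sector": CLEAN_BOOT, "EDIT.COM": b"editor code",
          "GAME.EXE": b"game code", "TOOL.EXE": b"tool code"}
AFTER = {"boot_sector": LOCKED_BOOT, "EDIT.COM": b"editor code",
         "GAME.EXE": b"game code" + SIGNATURES["CONSTRUCTED-PATTERN-1"],
         "TOOL.EXE": b"tool code, patched"}
# The administrator approves the boot sector written by the access control install.
APPROVED = {"boot_sector": {digest(LOCKED_BOOT)}}

def demo():
    return triage(take_baseline(BEFORE), AFTER, SIGNATURES, APPROVED)

if __name__ == "__main__":
    for region, verdict in demo().items():
        print(f"{region:12} {verdict}")
```

Without the approved-digest entry the boot sector is reported as an unexplained change, which is the situation a user faces when a scanner flags a boot sector that an access control package has legitimately modified.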