From: Chris McDonald STEWS-IM-CM-S (3/9/93)
To: /usr/cmcdonal/maillist:@wsmr-em
CC: trent%rock.concert.net@wsmr-sim
Subject: Revision to Product Test PT-41, VIRx, version 2.6D

*******************************************************************************
PT-41                                                    Revised March 1993
*******************************************************************************

1. Product Description:

VIRx is a copyrighted program written by Ross M. Greenberg to detect computer viruses and malicious programs. Glenn Jordan at trent@rock.concert.net has assumed the responsibility of maintaining and updating the program code. VIRx is the detection portion (VPCScan) of the commercial protection program Virex-PC (reference PT-23). This product test addresses version 2.6D, February 1993.

2. Product Acquisition:

The program is freely distributed by Datawatch Corporation, Post Office Box 51489, Durham, North Carolina 27717, with special instructions for business and corporate users. These users have only a 30 day license for product evaluation, after which they must contact Datawatch for site license authorization. THIS MAJOR LICENSING CHANGE OCCURRED AT VERSION 1.9. Datawatch has made VIRx available on its own bulletin board system (919-419-1602), on other bulletin boards and on software repositories, to include the MS-DOS repository on simtel20 [192.88.110.20]. The current path on simtel20 is pd1:virx26D.zip.

3. Product Tester:

Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548, DDN cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

   a. Mr. Ross Greenberg originally provided version 1.5 of VIRx to the simtel20 repository. I have conducted tests of all versions released since that point. Glenn Jordan personally provided version 2.6D for evaluation.

   b. Product tests have occurred on a variety of MS-DOS platforms running MS-DOS 3.3 through 5.0. Recent tests occurred from February 15 through March 8, 1993.

   c. Version 2.6D contains viral signatures for 1298 known viruses and variations as well as other types of malicious programs, to include detection of programs produced by the MtE object module, by the Virus Creation Laboratory (VCL), by the Virus Construction Set, and by the PS-MPC generator. The program claims to identify at least 96% of those viruses characterized as "common" by Patricia Hoffman in her HyperText Virus Summary List (VSUM). I say "at least" because differences in virus naming conventions present some confusion in the absence of having samples of all viruses identified. Readers should be aware that the accuracy of Ms. Hoffman's list has come under attack from several well-known viral researchers.

   d. Although I do not have code for all the malicious programs which VIRx claims to detect, I tested the program against 620 malicious programs which included 76% of the so-called common viruses in the "wild" and the eight VCL viruses distributed by NoWhere Man.

      (1) The program identified 100% of the "common" viruses in the test suite and effectively identified what it claimed it could.

      (2) The "Virus Bulletin", January 1993, evaluated the performance of the commercial version of VIRx, Virex-PC version 2.3, for readers interested in a more detailed analysis of detection capabilities.

      (3) The "Virus News International", January 1993, evaluated the performance of VIRx, version 2.6, against 8 MtE-based viruses. The author of the evaluation, Vesselin Bontchev, has also posted his results to Virus-L. In these tests VIRx missed only 1 replicant out of 15,940 samples.

      (4) The program specifically identified the eight VCL samples.

      (5) The program no longer gave a Type I or false positive alarm on the executable file of another anti-viral program known as Virucide. In the past there had been an alarm for the "Spanish-Telecom-2 Virus". It should be noted that, since the conduct of the last test, I had upgraded my copy of Virucide to version 3.0.

   e. One invokes the VIRx program by the syntax "virx [drive specification]", for example "virx c:\". By default the program will only scan files with known executable extensions, such as .com and .exe. The more significant options include switches to scan only a specified or a default directory; to scan the entire contents of a file (a "long" scan); to scan all types of files, not just those with executable extensions; to record the results of a scan operation in a log file; to scan memory above 640K to just under 1 Megabyte; and several options for batch operations. I tested these options, which performed as documented. While there are obviously performance delays in scanning all files or in choosing a long scan, VIRx continues to be one of the fastest scanners available irrespective of the option.

5. Product Advantages:

   a. VIRx appears to provide excellent detection capabilities at no cost for certain categories of users. Business and government users will have to make a decision with the change to licensing instructions.

   b. The operation of the program is simple. VIRx is one of the fastest and, at the same time, reliable detection programs available at this time.

   c. Both Ross Greenberg and Glenn Jordan have established extremely credible reputations for their work.

6. Product Disadvantages:

   a. My initial review of VIRx stated: "Free programs may not always be free." Business and government users must now face that reality. I contacted a marketing representative on January 6, 1992 to obtain additional details on site licensing. At my activity we had site licensed another anti-viral detection program, but had also distributed earlier versions of VIRx as an additional tool for MS-DOS systems. The preliminary information I received was not encouraging. The representative wanted business and government users to site license their full commercial program Virex-PC. This program includes detection, disinfection and a host of other capabilities (reference PT-23). While it was possible to site license just VIRx, or the detection module, the representative's price quote was at the time unacceptable. Since this discussion took place when Microcom, not Datawatch Corporation, was the vendor, it may be appropriate to put the same question to a Datawatch representative and see what happens.

   b. VIRx is a detection program only. Users will need some other program for disinfection and prevention capabilities unless they decide to site license the commercial version. The vendor did provide temporary removal capabilities for the Michelangelo virus only, in version 2.0.

   c. There is naturally no formal technical support for the product. While it is possible to contact Mr. Jordan and Datawatch over the Internet and through Datawatch's BBS, Datawatch will only support the complete version of the Virex-PC program.

7. Comments:

VIRx documentation for the last several versions states that the program will warn a user when it becomes "outdated". This is a welcome change from the first version, in which the program would cease to function on a specified cut-off date. The notification will alert a user to the need to obtain an update. Version 2.6D is "valid" until April 7, 1993.

It seems to me that there are environments in which users only need detection tools, and that one can stockpile disinfectors for use when needed. I take this position because of overall risk management assessments, because of the different computing skills of particular user communities, and because of the cost involved in purchasing software for a large inventory of systems. While the trend is for vendors to bundle anti-viral protection tools into one comprehensive product, there may be something to be said for "unbundling" these programs so that users can choose what they really need. An intelligent strategy would be to have at least two separate programs available for use within an enterprise for defense against malicious programs. The flexibility of dual products can provide both financial and technical advantages. It also provides protection in the event one program for whatever reason ceases to be available.

There are many issues in the acquisition and use of viral detection tools. Interested readers may consult the Proceedings of the National Computer Security Association's 2nd International Virus Prevention Conference & Exhibition, February 1993, for several papers on the subject, to include one entitled "Selecting an Anti-Virus Product". The National Institute of Standards and Technology, Computer Security Division, has issued Special Publication 800-5, "A Guide to the Selection of Anti-Virus Tools and Techniques", December 2, 1992. The publication is available for anonymous ftp from the NIST host 129.5.54.11 in the path /pub/nistpubs. One may also call Ms. Dianne Ware, NIST, at 301-975-2821 for one free copy.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER      PRODUCT
PT-3                     VIRUSCAN
PT-11                    AVSEARCH, 2.24
PT-12                    VIRUCIDE
PT-17                    F-PROT
PT-23                    VIREX-PC
PT-24                    VIRUSAFE
PT-25                    DR. SOLOMON'S TOOLKIT
PT-28                    NORTON ANTIVIRUS
PT-31                    DATA PHYSICIAN PLUS! (VirHunt)
PT-34                    IBM ANTI-VIRUS (MS-DOS & OS/2)
PT-36                    CENTRAL POINT ANTI-VIRUS
PT-39                    THUNDERBYTE SCANNER
PT-40                    ALLSAFE
PT-45                    VIRUS PREVENTION PLUS
PT-48                    VIRUSCURE+
PT-51                    PC-RX
PT-52                    VIRUSCLEAN
PT-55                    GOBBLER-II
PT-58                    VIRUS BUSTER
PT-59 (in process)       IBM ANTIVIRUS/DOS
PT-60                    VIRUS TERMINATOR
PT-61 (in process)       VDS PRO
PT-64 (in process)       STOPLIGHT

------------------ RFC822 Header Follows ------------------
Date: 09 Mar 1993 20:48:11 -0700 (MST)
From: Chris McDonald STEWS-IM-CM-S
Subject: Revision to Product Test PT-41, VIRx, version 2.6D
To: /usr/cmcdonal/maillist:@wsmr-emh03.army.mil
Cc: trent%rock.concert.net@wsmr-simtel20.army.MIL
Message-id: <9303100354.AA25770@pierce.llnl.gov>
======================================================================