From: Chris McDonald (6/29/93)
To: securitylist:;@WSMR-SIMTEL20.ARMY.MIL
CC: virreviews:;@WSMR-SIMTEL20.ARMY.MIL
Mail*Link SMTP Revised Product Test, PT-44

******************************************************************************
PT-44                                                          Revised June 1993
******************************************************************************

1. Product Description:

Rival is a commercial software program for the prevention, detection, and elimination of known computer viruses and trojan horses for the Macintosh. This product test addresses version 1.1.9 with the latest refresher update and Rival vaccines through May 1993.

2. Product Acquisition:

Rival was until 1992 available from Microseeds Publishing, Inc., 5801 Benjamin Center Drive, Suite 103, Tampa, Florida 33634. In July 1992 Inline Design took over all customer support for Rival with the exception of technical support. Microseeds retained this function. Registered users can contact Microseeds at (802) 879-3365 or on their BBS at (802) 879-3634.

Although I am a registered user, and although I had purchased an annual subscription service for vaccine updates, I have received no customer literature or formal notification of updates since Inline Design assumed customer support operations. I have for the last year obtained updates directly from one of the developers. Users interested in price information should contact Inline Design at (203) 435-4995.

3. Product Tester:

Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5506, DSN 258-7548, DDN cmcdonal@wsmr-emh34.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I initially tested the product on a Macintosh IIcx running System 6.0.5 with an 80MB hard drive. The latest tests occurred on the same Macintosh system with System 7.0 installed.

b. The Rival User's Guide has a concise description of initial "disinfection" of one's system. Essentially one inserts the Rival disk, turns on the Mac, and then the Control Panel automatically opens to Rival. The user clicks on the "Analyze" button to initiate the detection sequence. When Rival completes the analysis, it reports the number of files checked and the total number of errors encountered, and plays a "melody". An "optimistic" melody denotes that it did not detect any malicious code. A "pessimistic" melody denotes an infected or damaged file. The User's Guide directs the reader to additional sections of the manual in the event of the latter result. Upon the successful completion of this operation a user installs Rival on the system's hard disk by simply dragging the Rival icon into the System Folder.

c. I tested Rival against a suite of malicious programs. The test suite included: Scores, nVir (A & B), Init 29, Anti (A & B), MacMag, WDEF (A & B), Zuc (A, B & C), MDEF (A, B, C & D), Frankie, MBDF (A & B), Init 1984, Code 252, T4 (A, B & C), Init 17, Init-M, CPro.141, and ChinaTalk. Rival had a 100% detection rate against the samples.

d. When one installs Rival on a hard disk, the program provides these protection features:

   (1) It checks files and applications as they are opened.

   (2) It checks for viruses at startup.

   (3) It allows a user to initiate detection/disinfection operations against disks, files and folders.

   (4) It helps to prevent the unexpected initialization of any volume, excluding floppy disks.

e. I tested all these features, which functioned as described in the documentation. Testing of the protection against unexpected initialization was by design limited. Should such an attempt occur, Rival displays a dialog box informing the user of this fact. The user has the option to deny or to allow the operation. This feature does not alert a user in those cases where there is a deliberate choice of initialization, such as when one chooses "Erase Disk" under the Finder's Special menu.

f. When installed on a hard disk, Rival places a square frame around the Apple menu in the menu bar to advise a user that it is active. If the frame does not appear, the documentation suggests that either Rival has been installed incorrectly, or its installed vaccines have been removed or corrupted. One also sees a startup icon which appeared to me as a blue piranha with upper and lower rows of teeth facing to the left. The comments on teeth and facing position have significance because this same icon appears in the Rival Control Panel window. If the user opens the Control Panel and sees that the icon is facing to the right, this indicates that the user deactivated Rival at startup. If the user opens the Control Panel and sees that the icon is facing to the left but has no teeth, this indicates that no vaccines are installed or that they are corrupted. One would expect the frame around the Apple menu to be absent as well in both instances.

g. One accesses the Rival Control Panel window by pulling down the Apple menu, choosing the Control Panel item, scrolling down to Rival's icon, and clicking once on it. The Control Panel window contains a central display area, several selector options, and a control button. The documentation describes each of these. There is also on-line documentation which a user can access by clicking once on the Help mode selector, indicated by an icon in the shape of a life preserver.

h. I tested all of the selectors and control buttons, which performed as documented. I did note the following:

   (1) Rival, when active at startup, interferes with the detection capabilities of Disinfectant, SAM, and Virex. Since I am an advocate for having at least two different programs for detection and disinfection of known malicious programs, I consciously installed all four of the programs on my system. After I had successfully confirmed that Rival detected my viral samples, I next ran each of the three other programs against the same samples. When I invoked each of these programs, however, Rival presented a dialog box informing me that the sample about to be scanned by the other program was infected. This box appeared before Disinfectant, SAM, or Virex had apparently completed their respective detection operations. The Rival dialog box offered two buttons: Stun and Repair. If a file is locked or on a write-protected disk, one only has the option to click the Stun button to continue. Rival's documentation states that "clicking the Stun button causes the virus to be disabled, but does not repair the infected file". When I clicked on the Stun button, this interfered with the ability of the other three programs to function properly.

   (2) Rival did not interfere with the operation of VirusDetective. I did note an impact on VD's performance speed.

   (3) There is no way at the present time to print out the information captured under the report mode. This information is lost when one closes the Rival Control Panel window. A Microseeds technical representative suggested that the program's authors would address this in version 2.0.

i. A user can update Rival "vaccines" without a formal upgrade. A vaccine provides detection and disinfection capabilities. One can obtain a new vaccine file from the Microseeds BBS, from Internet hosts, from CompuServe, from user groups, or through the subscription service. I have obtained vaccines from the BBS, from Internet hosts, and through the subscription service. In all cases I found it very easy to install updates.

5. Product Advantages:

a. Rival appears to detect known malicious programs in a reliable manner. It is extremely easy to install for the novice user.

b. Technical support is available for registered users.

6. Product Disadvantages:

a. Rival only identifies and repairs what it knows as malicious. There are no features or options for addressing unknown or new viruses and/or trojan horses.

b. While the interference with other Macintosh detection programs can be avoided by deactivating Rival, program documentation does not speak to the problem.

c. The Rival Control Panel window icons are not as intuitive as they might be. While I recognize this is really a subjective opinion, the mode selector icons were particularly obtuse to me.

d. During a detection operation Rival does not alarm or pause when it encounters known malicious code. It rather completes the entire operation and sends the user to the report mode for actual results. An option to configure a more dramatic alarm or pause as the program detects malicious code would be a desirable feature.

7. Comments:

Rival offers simplicity of operations. A user does not have to worry about setting configurations or interpreting alarm interruptions. Several other reviewers have commented favorably on this feature.

An intelligent strategy would be to have at least two separate programs available for use within an enterprise for defense against malicious programs. The flexibility of dual products can provide both financial and technical advantages. It also provides protection in the event one program for whatever reason ceases to be available.

There are many issues in the acquisition and use of viral detection tools. Interested readers may consult the Proceedings of the National Computer Security Association's 2nd International Virus Prevention Conference & Exhibition, February 1993, for several papers on the subject, including one entitled "Selecting an Anti-Virus Product". The National Institute of Standards and Technology, Computer Security Division, has issued Special Publication 800-5, "A Guide to the Selection of Anti-Virus Tools and Techniques", December 2, 1992. The publication is available for anonymous ftp from the NIST host 129.5.54.11 in the path /pub/nistpubs. One may also call Ms. Dianne Ware, NIST, at 301-975-2821 for one free copy.
[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   DATE            PRODUCT
PT-9                  March 1993      DISINFECTANT (Revised)
PT-10                 June 1993       VIREX (Revised)
PT-20                 March 1993      SYMANTEC ANTIVIRUS FOR MACINTOSH (Revised)
PT-32                 November 1992   MACTOOLS (Revised)
PT-46                 August 1992     CITADEL
PT-53                 January 1993    GATEKEEPER
PT-66                 in process      SAFELOCK