*******************************************************************************
PT-45                                                                July 1992
*******************************************************************************

1. Product Description: Virus Prevention Plus is a commercial software program that provides access control and virus protection for IBM PC or MS-DOS compatible systems. This product test addresses version 5.10.

2. Product Acquisition: The product is available from PC Guardian Security Products, 118 Alto Street, San Rafael, CA 94901. The account representative who provided me an evaluation copy was Mr. Dan Marley, 1-800-288-8126. Site licenses are available.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-5712, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I received an evaluation copy of Virus Prevention Plus, version 5.10, in June 1992. The program arrived on one 5 1/4" high density disk with a 129 page Operators Manual. The virus protection component of the product is Fridrik Skulason's F-PROT (reference product evaluation PT-17, revised February 1992).

b. I tested the product on a Zenith 248, MS-DOS 3.30, and on a Gateway 2000 386/25, MS-DOS 5.0. The minimum system requirement, according to the documentation, is IBM or MS-DOS version 3.3, 4.0, or 5.0 with 512K of free memory. The documentation does identify that certain hardware vendors, such as Wyse, Zenith, Tandon and NEC, may modify DOS, resulting in incompatibilities with Virus Prevention Plus. My testing on the Zenith system was only to confirm this fact. The test period extended from June 22 to July 15, 1992.

c. Virus Prevention Plus provides these capabilities:

(1) User identification and authentication.
(2) Boot or hard disk protection
(3) Password screen blanker and lock
(4) Levels of user access rights
(5) Virus signature detection and disinfection
(6) Program approval through registration and signature analysis
(7) Write protection for specified drives
(8) Copy protection for .com and .exe files on fixed drives (i.e., not applicable to floppy drives or to network file server drives)

d. The installation of the program requires that a user insert the single high density disk into the system's floppy drive and type PCG. The first step is for the program to automatically scan the floppy drive and all local drives on the hard disk for known viral signatures. Upon the completion of the scanning operation the installation program copies files from the installation disk to the hard drive. The user has various set up screens which address the individual modules within the product. When the user has chosen specific options, the installation program prompts the user to enter a unique character description for the system. This description is attached to the backup files that are created and saved during the installation. The program then generates a "one time password master key" which a user must remember. This password provides several features, the most important being the mechanism to access the system when the normal password logon process has failed, or when the system's boot or partition table sector has experienced damage. The final operation is for the installation program to prompt the user to insert a formatted "Administrator's Disk" into the floppy drive so that the system's original partition sectors and character description can be saved for any emergency situation. The user then reboots the system to engage the program.

e. My experience was that installation required my complete attention.
Since I had previously reviewed the documentation, and have had experience with other access control and virus protection products, I clearly had an advantage over the normal user--assuming there is such a person. One must correctly save critical information, such as the password master key. It also seems important to determine in advance what programs will be registered for execution and what options one will choose in the various modules. If one does not make these decisions, the installation process can be time-consuming.

f. For the benefit of those who do not have high density floppy drives, I tested the instructions for transferring the installation files on the single high density disk to four low density disks. The documented procedures for the transfer worked as advertised. I did, however, notice one unexpected item when I installed the product using the low density disks. The program did not prompt me to insert another disk. Instead I received an error message that the installation program could not find a file. I discovered that this was the "cue" to insert the next disk. Although the documentation stated that I should have received a prompt, this was not my experience.

g. One might attempt to bypass the boot protection scheme by using a system disk to boot from the floppy drive and then attempting to change drives. I tested boot protection and found that it worked to deny me access to the hard drive. Attempts to view the hard drive from the floppy drive with Norton Utilities and with Professional Master Key were similarly unsuccessful. With both programs the hard drive was simply non-existent.

h. During the installation process the user first installs the Access Control Module. The module has five separate components:

(1) Set Up Accounts
(2) Access and Password Management
(3) Prevent Writing to Drives
(4) Prevent Copying of COMs and EXEs
(5) Customize Messages

i.
In setting up accounts there is a hierarchy of user privileges: Corporate Administrator, Local Administrator, and General User. The Corporate Administrator can change or delete any user or password. The Local Administrator can change or delete his or her entry, and that of any General User. A General User cannot access the set up accounts screen. I created a Corporate Administrator, Local Administrator, and a General User account. The account restrictions worked as documented.

j. The access and password management features are extensive:

(1) Require Password During Bootup (installed as YES)
(2) Allow Password Changing (installed as YES)
(3) Minimum Password Length (from 0 to 20)
(4) Password Expiration (from 0 to 365)
(5) Check for Password Reusage (installed as YES)
(6) Allowable Logon Attempts (from 1 to 99)
(7) Disable Control/C or Break (installed as NO)
(8) 1 Time Password for Administrator (installed as NO)

I created several General User accounts and ran tests against the above features with the exception of password reusage. All tests confirmed that the program was effective. I did not test the password reusage feature because the documentation stated that, when one chooses this option, a General User cannot use the last 100 passwords. I don't think I could remember my last 3 passwords, let alone 100. The Corporate Administrator has the option to lock most of these parameters so that the Local Administrator and/or a General User cannot change them.

k. The restrictions on writing to any drive functioned as documented. This restriction applies only to General Users.

l. Restrictions on the copying of .com and .exe files apply to General Users from selected fixed local drives, not to floppy drives and network servers. The documentation identifies a number of exclusions to this control, such as all Windows 3.0 programs. I verified only the functionality of this option.

m.
Under the option to customize messages one has two choices: namely, a virus alert contact message and a logon banner. Again I verified the functionality of the option.

n. The program provides either an automatic or a manual screen blanking and keyboard locking mechanism. The user must enter his or her legitimate password to restore the screen and unlock the keyboard. One has the option to establish hot keys and to specify the idle keyboard time for automatic invocation. The documentation states that the feature is compatible with Windows 3.0, but does offer special installation instructions. Tests confirmed that the feature performed as documented. I did not test in a Windows environment.

o. The Program Approval and Automatic Virus Control Module was not tested, for these reasons:

(1) The Program Approval portion allows an Administrator to approve the execution of programs on a system. During the approval process each program receives "a mathematical fingerprint". If the fingerprint changes, then the program should not execute. There are options to configure program approval and to restrict a General User from executing specific approved programs. I am not qualified to evaluate the effectiveness of the algorithm or procedure used to generate the "mathematical fingerprint", particularly since the documentation does not describe this process. It would also require a great deal of time to adequately address the functionality of this portion.

(2) The virus control portion currently utilizes F-PROT. Product test PT-17 addresses this program. The memory resident program distributed with F-PROT, VIRSTOP.EXE, is not a part of Virus Prevention Plus, version 5.10.

p. Removal of the program from the test systems was easy and conformed with the documentation.

q. I tested the emergency access procedures by loading Virus Prevention Plus on the Zenith test system.
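As an added illustration of the program approval mechanism described in 4.o(1) above (the same checksum-style change detection that the comments in section 7 contrast with signature scanning), the following Python script is example code written for this edition; it is not part of the product or of this evaluation. The documentation does not describe how the product computes its "mathematical fingerprint", so the script assumes SHA-256, optionally keyed as an HMAC with an administrator secret. The program names, the registry file name and the sample program bytes are constructed for the demonstration.

```python
"""Program-approval check modelled on the mechanism described in 4.o(1).

Added example, not PC Guardian's code. The review does not say how the
product computes its "mathematical fingerprint"; SHA-256 (optionally keyed
as an HMAC with an administrator secret) is assumed here. The program names
and contents below are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, Tuple

Registry = Dict[str, str]  # absolute path -> approved fingerprint (hex)


def fingerprint(path: str, key: bytes = b"") -> str:
    """Fingerprint a file's contents, read in 64 KiB chunks.

    With an empty key this is a plain SHA-256; with a key it is an HMAC, so
    an attacker who can rewrite the registry file but does not know the
    administrator's key cannot produce a valid entry for a modified program.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256) if key else hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def approve(registry: Registry, path: str, key: bytes = b"") -> None:
    """Administrator step: register a program and record its fingerprint."""
    registry[os.path.abspath(path)] = fingerprint(path, key)


def check_execution(registry: Registry, path: str, key: bytes = b"") -> Tuple[bool, str]:
    """Decide whether a program may run; returns (allowed, reason).

    A program is refused when it was never approved, or when its current
    fingerprint differs from the approved one, which is what happens when a
    file-infecting virus or a patch changes the executable.
    """
    name = os.path.abspath(path)
    if name not in registry:
        return False, "not approved"
    if not hmac.compare_digest(fingerprint(path, key), registry[name]):
        return False, "fingerprint mismatch"
    return True, "ok"


def save_registry(registry: Registry, path: str) -> None:
    with open(path, "w") as f:
        json.dump(registry, f, indent=2, sort_keys=True)


def load_registry(path: str) -> Registry:
    with open(path) as f:
        return json.load(f)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Approve a program, tamper with it, try an unregistered one, forge an entry."""
    key = b"administrator-secret"  # constructed for the demo
    results: Dict[str, Tuple[bool, str]] = {}
    with tempfile.TemporaryDirectory() as workdir:
        prog = os.path.join(workdir, "EDIT.COM")
        with open(prog, "wb") as f:
            f.write(b"\xb8\x00\x4c\xcd\x21")  # constructed stub: MOV AX,4C00h; INT 21h

        registry: Registry = {}
        approve(registry, prog, key)
        reg_file = os.path.join(workdir, "APPROVED.DAT")
        save_registry(registry, reg_file)
        registry = load_registry(reg_file)  # as a resident checker would reload it

        results["approved"] = check_execution(registry, prog, key)

        with open(prog, "ab") as f:  # simulate an appending file infector
            f.write(b"\x90" * 16)
        results["modified"] = check_execution(registry, prog, key)

        other = os.path.join(workdir, "NEW.EXE")
        with open(other, "wb") as f:
            f.write(b"MZ")
        results["unregistered"] = check_execution(registry, other, key)

        # Registry tampering without the key: the attacker can only store a
        # plain hash of the modified file, which the keyed check rejects.
        registry[os.path.abspath(prog)] = fingerprint(prog)
        results["forged"] = check_execution(registry, prog, key)
    return results


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:12s} allowed={allowed} ({reason})")
```

The point of the keyed variant is the last case: an unkeyed checksum registry can be regenerated by anyone who can write to it, so the protection is only as strong as the write protection on the registry itself (which, on a software-only DOS product such as this one, is the boot protection discussed in 4.g). Keying raises the bar to reading the administrator's secret, but does not remove the dependence on the registry being unwritable by an infected program.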
The documentation and discussions with the vendor representative had confirmed that the program would not be compatible with Zenith's MS-DOS 3.30. I went through the complete installation procedure and rebooted the system. I then received an error message that the disk partition was unreadable. The procedures to gain access and to restore the system worked perfectly. Although the documentation identifies three different levels of emergency access procedures, Level 1 procedures were sufficient.

r. Program documentation states that Virus Prevention Plus is compatible with Novell NetWare 286, V.2.10 or higher, Banyan Vines, PC LAN, Unix with DOS Windows, and 3COM. I did not test this compatibility because I lacked a LAN testbed.

5. Product Advantages:

a. Virus Prevention Plus offers numerous access and virus protection features which may be configured for different operating environments.

b. The product appears to function as documented for its intended purpose.

c. The vendor has another product, Data Security Plus, which includes Virus Prevention Plus and which adds modules for audit trails, DES encryption, access restrictions on individual directories, and other features. If one had an installed base of Virus Prevention Plus and wished to migrate to an increased level of security, the transition would be facilitated.

6. Product Disadvantages:

a. The installation of Virus Prevention Plus requires that one carefully read the documentation. There are numerous configuration options to select, and critical information which must be retained. While reading the documentation may seem to be mandatory for any program, the reality is that most users never do unless they are motivated to do so.

b. There may be user resistance to any type of control on personal computers. It may be difficult, in the absence of written policy which mandates the installation of an access control package, to find an audience for the product.
For many users who simply want access control, Virus Prevention Plus may be overkill.

c. If Fridrik Skulason were no longer available to support F-PROT, there might be a temporary problem with updating the virus protection module. Since the vendor's representative indicated that Virus Prevention Plus had once used another vendor's anti-viral program before F-PROT, my feeling is that the structure of the program should allow for the introduction of another protection module.

d. Since approximately 60% of my activity's installed systems are Zeniths, the incompatibility of Virus Prevention Plus creates a major problem. The vendor's representative stated in a telephone conversation on July 16, 1992, that the next release of the program would eliminate this incompatibility. I am to receive this release in approximately 60 days for testing.

7. Comments:

The use of any access control/virus protection product should be a function of a realistic assessment of one's particular operating environment. It would be a mistake to impose the mandatory implementation of an access control package without such an assessment and without the user community's commitment to the installation. It should be noted as well that there are other approaches to access control on a personal computer which employ hardware and/or a combination of hardware and software techniques. Various authors have commented on the increased protection in those products which have a hardware foundation (i.e., DES hardware versus software implementation). Virus Prevention Plus, as presently configured, will probably never be submitted to the National Computer Security Center for evaluation under its subsystem criteria because it does not provide the four functional requirements associated with the subsystem interpretation. This does not in my opinion present a significant problem for most environments.
It should also be noted that many users confuse evaluation of products under the subsystem interpretation with certification under the Orange Book. The subsystem evaluation process is distinct from the rating schema established under the Orange Book.

The combination of access control and viral protection is an innovative idea. Although many access control vendors advertise "viral defense" in their sales literature, they actually provide no specific viral signature identification and disinfection. Rather they rely on some type of checksum or signature analysis to detect changes in boot sectors, partition tables, and executable programs. Virus Prevention Plus provides not only this type of protection, but also automatic and manual virus signature scanning with disinfection.

Finally, no software access control package is 100% secure. I have witnessed the defeat of software-controlled boot protection at a Department of Energy training workshop. While the product defeated was one other than Virus Prevention Plus, the description of the attack methodology appears independent of a specific vendor. The good news is that the methodology appears to require a sophisticated skill level.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
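Added after the evaluation text, as an illustration of the password management parameters listed in section 4.j above, the following Python script is example code written for this edition, not the product's code. The review lists the parameters and their ranges (minimum length 0 to 20, expiration 0 to 365 days, reuse checked against the last 100 passwords, 1 to 99 logon attempts) but not how the product stores or checks passwords; salted PBKDF2 hashes, a per-account history of the last N hashes, and the demo values (length 8, 90 days, 100 entries, 3 attempts) are assumptions chosen for this illustration, as are the account name, passwords and dates.

```python
"""Password-management rules modelled on the parameters listed in 4.j.

Added example, not the product's code. The review lists the parameters and
their ranges, not how the product stores or checks passwords; salted PBKDF2
hashes, a per-account history of the last N hashes, and the demo values
(length 8, 90-day expiration, 100-entry history, 3 logon attempts) are
assumptions chosen for this illustration.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Dict, List, Tuple

Result = Tuple[bool, str]


class PasswordPolicy:
    def __init__(self, min_length: int = 8, expire_days: int = 90,
                 history: int = 100, max_attempts: int = 3) -> None:
        self.min_length = min_length      # product range 0..20
        self.expire_days = expire_days    # product range 0..365; 0 = never expires
        self.history = history            # review: last 100 passwords cannot be reused
        self.max_attempts = max_attempts  # product range 1..99


def _digest(password: str, salt: bytes) -> bytes:
    # Iteration count kept modest so checking a 100-entry history stays quick.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


class Account:
    def __init__(self, name: str, password: str, policy: PasswordPolicy, today: date) -> None:
        self.name = name
        self.policy = policy
        self.history: List[Tuple[bytes, bytes]] = []  # (salt, digest), newest last
        self.set_on = today
        self.failed_attempts = 0
        self.locked = False
        self._store(password, today)

    def _store(self, password: str, today: date) -> None:
        salt = secrets.token_bytes(16)
        self.history.append((salt, _digest(password, salt)))
        if self.policy.history:
            self.history = self.history[-self.policy.history:]
        self.set_on = today

    def _matches(self, password: str, entry: Tuple[bytes, bytes]) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def expired(self, today: date) -> bool:
        return bool(self.policy.expire_days) and \
            (today - self.set_on).days >= self.policy.expire_days

    def change_password(self, new_password: str, today: date) -> Result:
        """Minimum length, then reuse check against every retained hash."""
        if len(new_password) < self.policy.min_length:
            return False, "too short"
        if self.policy.history and any(self._matches(new_password, e) for e in self.history):
            return False, "reused"
        self._store(new_password, today)
        return True, "ok"

    def logon(self, password: str, today: date) -> Result:
        """Lockout after max_attempts failures; expiry checked only on a correct password."""
        if self.locked:
            return False, "locked"
        if not self._matches(password, self.history[-1]):
            self.failed_attempts += 1
            if self.failed_attempts >= self.policy.max_attempts:
                self.locked = True
                return False, "locked"
            return False, "bad password"
        self.failed_attempts = 0
        if self.expired(today):
            return False, "password expired"
        return True, "ok"


def demo() -> Dict[str, Result]:
    """Exercise each rule on one General User account (all values constructed)."""
    today = date(1992, 7, 15)
    acct = Account("general", "wsmr-1992", PasswordPolicy(), today)
    out: Dict[str, Result] = {}
    out["logon"] = acct.logon("wsmr-1992", today)
    out["too_short"] = acct.change_password("abc", today)
    out["reused"] = acct.change_password("wsmr-1992", today)
    out["changed"] = acct.change_password("range-road-9", today)
    out["old_password"] = acct.logon("wsmr-1992", today)
    out["expired"] = acct.logon("range-road-9", today + timedelta(days=91))
    for _ in range(3):
        out["lockout"] = acct.logon("guess", today)
    out["after_lockout"] = acct.logon("range-road-9", today)
    return out


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:14s} {'PASS' if ok else 'FAIL'} ({reason})")
```

Two design points follow from the parameters the review lists. A reuse check over the last 100 passwords can only be done if 100 old password hashes are retained per user and the candidate is hashed against each of them, which is why the history stores a salt alongside each digest; and a minimum length of 0, which the product permits, should never be selected, since it lets a General User set an empty password. The "1 Time Password for Administrator" and "Require Password During Bootup" options are not modelled here.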