Date: Thu, 31 Oct 91 11:17:26 MST
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Product Test - - VirusCure Plus

*******************************************************************************
PT-48 October 1991
*******************************************************************************

1. Product Description: VIRUSCURE PLUS is a commercial anti-virus program to detect and to repair known computer viruses for the MS-DOS computer environment. The report addresses version 2.30, released 5 August 1991.

2. Product Acquisition: The program is available from International Microcomputer Software Inc. (IMSI), 1938 Fourth Street, San Rafael, CA 94901. The telephone number is 415-454-7101 or 800-833-4674. The price of the program is approximately $100.00. IMSI does have an aggressive marketing campaign which has resulted in significantly reduced prices for a single copy. Documentation states that site licenses are also available. The User's Guide contains this statement: "The VirusCure Plus software is licensed property of IMSI, and is Copyright 1990 by IRIS Software & Computers LTD. and by McAfee Associates".

3. Product Testers: Chris McDonald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil; and Michael Oszman, Information Systems Security Manager, White Sands Missile Range, NM 88002-5041, DSN 258-2503, DDN moszman@wsmr-emh10.army.mil.

4. Product Test:

a. A colleague answered a reader service card in a commercial trade publication, and received an invitation from IMSI to purchase a copy of VirusCure Plus for $20.00. When he received the software, he asked me to evaluate it along with him.

b. Sales literature for the product had shown menu screens which appeared very similar to another commercial program, VIRUCIDE.
Examination of VirusCure Plus confirmed that the viral detection, disinfection and information features were identical to Virucide. John McAfee Associates has copyrighted both programs, which have the same authors identified on the initial menu screen: Yuval Tal, Uzi Apple, Igor Grebert and Morgan Schweers.

c. The major differences between VirusCure Plus and Virucide are:

(1) IMSI markets VirusCure Plus; Parsons Technology markets Virucide.

(2) VirusCure Plus contains two "virus protection modules" which load as terminate and stay resident (TSR) programs through an entry in a user's autoexec.bat file; Virucide does not currently offer these modules.

(3) IMSI offers free updates for two years to registered users through its BBS; Parsons Technology does not currently offer free updates.

(4) VirusCure Plus for a single copy is about twice as much as a copy of Virucide. The additional cost provides a user with "protection modules" and two years of free upgrades.

d. I found no conflicts or false alarms between version 2.30 and the detection portion of several other protection programs, to include Avsearch, Viruscan, F-PROT, Norton Antivirus, Virex-PC, Thunderbyte Scanner, the IBM Anti-Virus Product, Central Point Anti-Virus, ViruSafe, and VIRx. VirusCure Plus could not open the Norton Antivirus file \nav\nav_.sys with Norton's TSR component installed. I did test for conflicts against several anti-viral TSR components, to include Vshield, NAV and F-PROT. There were none against the current program versions of these three.

e. The system requirements for VirusCure Plus are minimal:

(1) IBM PC, PC/XT, PC/AT or compatible computer;

(2) 256 kilobytes or more of RAM;

(3) MS-DOS (or IBM-PC DOS) release 2.0 or higher.

f. The syntax for running the program is: CURE [drive][path]. The first screen to appear provides program copyright information. Pressing any key will then give a program screen with the "Enter Search Directory" window displayed.
The menu gives five main options: Options, Report, Save Options, Virus Info and Exit. One can either use the right and left arrow keys, or type the letter of choice to make a selection.

g. Under Options one has six selections: (1) automatic virus removal; (2) backup infected files; (3) search in subdirectories; (4) clean read-only files; (5) check overlay files; and (6) network operations. The up and down arrow keys highlight the selection. One then presses the ENTER key or picks the letter of choice to toggle between Yes and No for each item. Some of the selections have additional pull-down menus. One then returns to the main menu by pressing the ESC key.

[NOTE: The default selections are (1) No; (2) No; (3) Yes; (4) Yes; (5) Yes or OV*; (6) No. The ability to examine files compressed by the programs LHARC and PKLITE became available in Virucide at version 2.33. Since the version of VirusCure Plus under evaluation was only 2.30, one would expect that this option is present at the most current release.]

[NOTE: My colleague upon the receipt of version 2.30 received a telephone call from an IMSI representative who confirmed that an update to the version shipped was now available.]

h. Under Report one has two selections: (1) the report type; and (2) the destination of the report. There are three report type options: none, detailed, and short. There are two destination options: printer or file. The detailed report lists every file scanned with the full path name, and a cumulative total at the end which identifies (1) the number of directories scanned; (2) the number of EXE files scanned; (3) the number of COM files scanned; (4) the number of overlay files scanned; (5) the number of infected files; (6) the number of boot sector viruses; and (7) the percentage of infected files. The short report provides only the cumulative total.

i. Virus Info has two pop-up screens. On the right side is a listing of all malicious programs identified.
On the left side is a summary of the number of programs identified by total number and by characteristics (i.e., boot, file, stealth, discrete strains). Version 2.30 claims to identify 636 known viruses. Since the current version of Virucide identifies 95% or 52 of the 55 viruses characterized as "common" by Patricia Hoffman in her 22 September 1991 HyperText Virus Summary List, one would anticipate that the latest version of VirusCure Plus will have similar capabilities. Version 2.30 identified all of the 80+ viruses in my possession, to include a sample of the Twelve Tricks Trojan.

j. Under Exit one has two selections: (1) No; and (2) Yes. The option allows one to return to the DOS prompt.

k. Under Save a user has one selection under version 2.30. Selection of the option allows one to retain automatically selections made under Options and Report on subsequent executions of the program.

l. Test of the two virus protection modules was limited to actual installation, to the reaction of the modules against a few specific viral test samples, and to the monitoring of the TSRs for possible conflicts with other TSR protection programs, such as Vshield, NAV and F-PROT. The tests were not sufficient to provide any technical evaluation as to the actual effectiveness of the modules. Other researchers and organizations, such as the National Computer Security Association, are more qualified to address this issue. The documentation provides this description of the modules:

(1) PROTECT1 is a terminate and stay resident program which functions as a general immunization tool. It does not detect specific virus signatures; rather, it looks for viral symptoms. If PROTECT1 detects "hostile activities", it will halt the execution of the program displaying a particular viral symptom. PROTECT1 specifically looks for a change in interrupt vectors, a change in the original DOS code, and a change in the memory control block chain.
(2) PROTECT2 is a terminate and stay resident program that immunizes the computer against viruses by monitoring the DOS function calls. When it loads, PROTECT2 checks computer memory. It will also check every diskette inserted into the floppy drive for boot sector infections. The monitoring of DOS function calls involves three separate methods: namely, checking the values of registers against the values of known viruses; calculating a checksum on the code that calls the DOS interrupt service routine against the checksum of a known virus; and searching for 2 strings in the executed program for known viruses.

5. Product Advantages:

a. The program appears to work as advertised for detection, disinfection and information. A user has the option to install the protection modules as additional features.

b. The free upgrade support for two years through the IMSI BBS offers an alternative to Parsons Technology, which has no such provisions for Virucide.

c. The Menu Options are easy to use and eliminate the guesswork found in other comparable products. The ability to generate reports provides an audit trail record which many users and their organizations require.

d. The window displays are informative, particularly the running count of where the program is at any given moment in its scanning.

6. Product Disadvantages:

a. The protection modules may result in alarms which many users will not understand. This means that some expert or group of experts must be available to assist users such as myself who choose to install the TSRs. Many organizations may overlook this factor.

b. The unique arrangement by which McAfee Associates has copyrighted the software and made it available for distribution by IMSI raises the question of future support. McAfee Associates sells comparable anti-viral scanning programs, to include the agreement with Parsons Technology to market Virucide. The marketplace has literally dozens of products competing for the same customers.
Whether that customer base is large enough to support the number of available products, let alone competing products originating from the same source, is unknown at this time.

c. The documentation states that IMSI will provide customer support. It is not clear to me what this actually means since the central component of the product originates from another vendor, McAfee Associates.

7. Comments: I would propose for continuity of operations planning that one should have more than one detection/disinfection program for the MS-DOS environment. My own experience is that Type I alarms or false positives have increased over the last year in my use of anti-viral products. Occasionally using three different programs has been helpful to reasonably conclude that a Type I alarm has occurred. In many environments this may be more practical than engaging in code analysis or in quarantine procedures.

FOR FURTHER REFERENCE:

PT-3 November 1989 VIRUSCAN (MS-DOS) (Revised September 1991)
PT-11 June 1990 AVSEARCH, 2.24 (MS-DOS) (Revised February 1991)
PT-12 June 1990 VIRUCIDE (MS-DOS) (Revised October 1991)
PT-17 August 1990 F-PROT (MS-DOS) (Revised October 1991)
PT-23 March 1991 VIREX-PC (MS-DOS) (Revised May 1991)
PT-24 July 1991 VIRUSAFE (MS-DOS)
PT-28 February 1991 NORTON ANTIVIRUS (MS-DOS) (Revised October 1991)
PT-34 April 1991 IBM ANTI-VIRUS, version 2.1.2 (MS-DOS & OS/2) (Revised September 1991)
PT-36 June 1991 CENTRAL POINT ANTI-VIRUS (MS-DOS)
PT-41 July 1991 VIRx (MS-DOS) (Revised August 1991)

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]