*******************************************************************************
PT-51
June 1992
*******************************************************************************

1. Product Description: PC-RX is a viral detection and disinfection program for IBM personal computers or compatibles. This product test addresses version 1.1, March 1992.

2. Product Acquisition: PC-RX is available from Trend Micro Devices Incorporated, 2421 West 205th Street, Suite D-100, Torrance, CA 90501. Site licenses are available.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

   a. I obtained a free evaluation copy of PC-RX directly from Trend Micro Devices by responding to a reader's service ad in ISPNews. The product arrived in early May 1992 on both 5 1/4" and 3 1/2" media. The package included a Users Manual and a coupon for one free upgrade to version 2.0.

   b. Product tests occurred on a Zenith PC, Model 248, MS-DOS 3.30, 640K. The test period extended from May 21 to June 4.

   c. PC-RX consists of four components:

      (1) PC-RX Virus Trap is a memory resident program which attempts to "trap" viruses before they infect.

      (2) PC-RX Virus Scan is the signature detection program. The program automatically scans memory, the boot sector and partition table, and a file with a .com, .exe or .sys extension.

      (3) Rescue Disk is the program to restore or to recreate the hard disk boot sector and partition table from a "clean" version stored on a Rescue Disk. One creates this Rescue Disk during the installation procedures.

      (4) Virus Removal programs are in a separate subdirectory on the distribution disk. The Users Manual strongly recommends that, if one detects a file virus, one use Virus Scan's delete option to completely wipe the file. The documentation identifies the major removal program as Virus-Guard, version 4.20.

   d. The installation program is unique from other programs. When one invokes it, the user must install PC-RX Virus Trap. There is no option to abort the installation of the memory resident component. The installation modifies one's autoexec.bat file. My experience was that this caused no problem in that everything executed in my autoexec.bat file after modification. If one wishes to change the PC-RX settings, one does so after installation by invoking the command PCRXCFG.

   e. PC-RX performs a viral signature scanning of one's system during the installation, and makes a record of the results. This record is overwritten if a user chooses the option to create a report upon subsequent scannings. The Users Manual is silent on the issue of overwriting the initial audit record.

   f. Program documentation states that PC-RX Virus Scan can identify 923 viruses which include 32 boot sector viruses. Unfortunately neither the documentation nor any on-line command identifies the names of those signatures. Viewing the Virus Scan program with the Norton Utilities editor revealed the alert messages for numerous virus signatures, but this was not an effective procedure for a variety of reasons. I then ran tests against a test suite which included 53 of the 68 common viruses identified in Patricia Hoffman's Virus Summary List, May 22, 1992. Version 1.1 alarmed for 48 of the 53 test samples. Against the test suite the program identified what it claimed it could. When I combined the two methods, it appears that Version 1.1 can identify at a minimum 83% (57 out of 68) of the common viruses.

   g. The PC-RX Virus Scan menu options appeared to function as documented. There were two items of specific interest. First, there was no mention that the audit reports overwrite one another. Second, if one chooses to create a report from the menu option, one has to write the report to the root directory of the drive scanned. This feature is particularly inconvenient for removable media because one must, for example, write all results to a potentially infected disk. If one runs Virus Scan from the command line, however, the report is automatically written to the hard drive to a file named PCCSCAN.RPT. Although the Users Manual identifies the name of the file as PCRXSCAN.RPT, this was not my experience. Since Trend Micro Devices marketed an earlier program called Pccscan, and since the report name for that product was also PCCSCAN.RPT, it seems obvious that PC-RX utilizes components of the earlier program.

   h. Tests of the PC-RX Virus Trap component confirmed that it performed as documented in the reference manual. I successfully caused alarms under these conditions: attempts to run infected programs, attempts to access a floppy disk infected with a boot sector virus, and attempts to low-level format the hard disk. A user may configure the sensitivity of Virus Trap, although the initial installation turns all features ON. These sensitivity features include:

      (1) Boot Security                             Warns of a boot sector virus
      (2) Abnormal Memory Resident Program Detect   Warns of an attempt by an abnormal program to reside in RAM via virus-like methods
      (3) Abnormal File Open/Creation Detect        Warns of programs that open themselves
      (4) Partition/Boot Sector Write Protect       Warns of an attempt to overwrite the hard disk partition table and the boot sector
      (5) Floppy Disk Boot Virus Check              Scans a floppy disk whenever a disk is accessed
      (6) Continue                                  Allows the user to continue operations after a virus alarm

      I did not test items (2) and (3) since the documentation was very non-specific on what is meant by "abnormal" and since I lack the technical expertise.

5. Product Advantages:

   a. PC-RX appears to detect those malicious signatures which it claims it can.

   b. The installation routine worked very well.

6. Product Disadvantages:

   a. The number of viruses detected at version 1.1 may be too small for certain organizations and users. While the total number of virus signatures detected should never be the only criterion for product selection, many individuals play the "numbers" game. Since version 1.1 was a free evaluation copy, my suspicion is that version 2.0 will address this matter.

   b. Unless I missed it in the documentation, PC-RX does not allow a user to easily know what virus signatures it can identify. It also does not allow a user to add signatures.

   c. The Users Manual could benefit from some minor additions. It would be helpful to know more about "abnormal" programs in the operation of PC-RX Virus Trap.

   d. The menu option does not appear to give a user the ability to write an audit report wherever he or she wishes, but instead defaults to the root directory of the drive scanned. Since the command line operation of the program is more flexible in this respect, it would be desirable to have this same flexibility in the menu.

7. Comments: The National Computer Security Association (NCSA) issued a report "Virus Scanners: An Evaluation" on January 1, 1992 which addresses a Trend Micro Devices product called Pccscan, version 3.02. The command line operation of PC-RX Virus Scan suggests that there is a relationship between the two programs. However, a reader should be cautioned that NCSA has obviously evaluated a program which predates version 1.1 of PC-RX.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]