From: Chris McDonald STEWS-IM-CM-S (12/6/93)
To: orvis@icdc.llnl.gov
Mail*Link SMTP
Subject: Revised Product Test # 53, Gatekeeper/Gatekeeper Aid

******************************************************************************
                           PT-53                          December 1993
******************************************************************************

1. Product Description:

Gatekeeper and Gatekeeper Aid are freeware programs which work in conjunction to address malicious software activity. Gatekeeper is a program designed to continuously monitor the operation of a Macintosh, watching for operations that are commonly carried out by viruses as they attempt to spread. Gatekeeper Aid is a program that searches for and removes families of known viruses which Gatekeeper either cannot stop at all, or cannot stop completely enough to render harmless. Gatekeeper Aid also detects and removes some viruses that Gatekeeper can stop successfully, but which can be easily detected and removed. This product test addresses version 1.3, dated November 12, 1993.

2. Product Acquisition:

Gatekeeper is available from numerous Internet archive sites. The author, Chris Johnson, places the latest version on the host microlib.cc.utexas.edu in the directory microlib/mac/virus. The author will even accept U.S. mail requests under specific conditions, but only as a last resort. Mr. Johnson's mail address is 4505-B Avenue H, Austin, TX 78751. His electronic addresses are as follows:

   (a) Internet: chrisj@mbs.telesys.utexas.edu
   (b) UUCP: {husc6|uunet}!cs.utexas.edu!ut-emx!chrisj
   (c) AppleLink: chrisj@mbs.telesys.utexas.edu@internet#
   (d) CompuServe: >INTERNET:chrisj@mbs.telesys.utexas.edu

3. Product Tester:

Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5506, DSN: 258-7548, DDN: cmcdonal@wsmr-emh34.army.mil.

4. Product Test:

a. Product tests have occurred on several different Macintosh platforms running either System 6.0.5 or System 7.0.
Version 1.3 primarily addresses the Code-1 virus, but also contains other enhancements.

b. The author continues to supply an excellent document on program installation and configuration entitled "Introduction to Gatekeeper". Installation consists of selecting the Gatekeeper, Gatekeeper Aid and Gatekeeper Control files and dragging them onto the System Folder's icon. One then restarts the system and configures the specific controls and audit logs.

c. The documentation briefly describes the basic "classes" of operations Gatekeeper restricts. There are two such classes, each with three "variants", so in effect Gatekeeper watches for six separate operations which may signal viral activity. Since, as the author observes, "some perfectly normal programs carry out some of the same basic operations that viruses do", Gatekeeper has a mechanism (the Privileges Section, described below) to address Type I errors, i.e. false alarms.

d. Whereas Gatekeeper is a general-purpose anti-virus utility, in that it knows little or nothing about any specific virus, Gatekeeper Aid is a utility that searches for and removes families of known viruses. The author acknowledges that it is possible to employ Gatekeeper Aid independently of Gatekeeper; however, he recommends the use of both products.

e. When one opens Gatekeeper from the Control Panel, there are six sections. Scrolling to and clicking on a section name takes one to that section.

   (1) The General Section supplies the name and version/date of the program.

   (2) The Help Section provides a quick reference to Gatekeeper's features. There is no searching or indexing capability, but this hardly seems necessary if one has printed the "Introduction to Gatekeeper".

   (3) The On/Off Section allows a user to turn Gatekeeper off for a specified period. There is still a maximum period, but the author has dramatically increased it from earlier versions, which imposed a limit of thirty minutes. Gatekeeper automatically turns itself on again after the time limit has expired.
Most importantly, turning Gatekeeper off does not turn off Gatekeeper Aid.

   (4) The Settings Section defines the manner in which Gatekeeper operates. There are three separate options.

      (a) When a Privilege Violation Occurs: A user has two radio buttons from which to choose. The first, Stop the Operation (Notify & Veto), stops any suspicious operation observed and gives the user an immediate warning message. The second, Permit the Operation (Notify Only), does not interfere with a suspicious operation but informs the user that it has occurred. The installation default is the second; in that mode Gatekeeper is an alarm, not a barrier.

      (b) When an Important Event Occurs: A user has two check boxes, Display an Alert and Record it in the Log File. The installation default is for both to be checked.

      (c) During Startup: A user has two check boxes, Show the Gatekeeper Icon and Display a Mode Warning Alert. The installation default is for both to be checked. Whenever Gatekeeper is in Notify Only mode, the mode warning alert appears after startup to remind the user of that fact.

   (5) The Log Section records all "important" events if the user has selected that option in the Settings Section. "Important" events include startup and shutdown messages, Res and File privilege violation entries, and other entries as appropriate. Each entry in the log file occupies one line, with entries for different days separated by a line. Each entry records the day and time of the event, and all privilege violations are drawn in bold red text for easy identification. One can select a specific entry and click the "Get Info" button for an explanation of the event, including the name of the program responsible for the operation and the name of the disk that program was stored on at the time. Alternatively, one may double-click the entry to perform the same operation. The Log Section shows the size of the Gatekeeper log file and contains a button to clear the log.
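The behaviour these settings describe can be made concrete with a small model. The Python below is an added illustration written for this review; it is not Gatekeeper's code and nothing in it was distributed by its author. The operation names (Res(Other), File(Other), File(Self)), the sample programs (WordProcessor, InfectedApp), the privilege table and the log layout are all assumptions chosen to mirror the Settings and Log sections above and the per-program privilege list of the Privileges Section below. It replays the same three constructed operations under both Privilege Violation settings, showing why the Notify Only default records an infection without stopping it, and why a program on the privilege list still alarms when it performs an operation outside its grant.

```python
"""Toy model of a Gatekeeper-style activity monitor.

Added illustration written for this review; it is not Gatekeeper's own code
and does not reproduce its internals. The operation names, the sample
programs, the privilege table and the log layout are assumptions chosen to
mirror the Settings, Log and Privileges sections described in the report.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Assumed operation names. The report says Gatekeeper watches six operations
# in two classes and logs "Res" and "File" privilege violations; the real
# variant names are not given, so these three stand in for them.
RES_OTHER = "Res(Other)"    # add or change a resource in another file
FILE_OTHER = "File(Other)"  # write data into another program's file
FILE_SELF = "File(Self)"    # write data into the program's own file


@dataclass
class Operation:
    program: str        # program attempting the operation
    kind: str           # one of the operation names above
    target: str         # file being modified
    disk: str           # disk the program was stored on at the time
    when: datetime


@dataclass
class LogEntry:
    when: datetime
    text: str
    violation: bool
    program: str
    disk: str


@dataclass
class Monitor:
    veto: bool                    # True: Stop the Operation (Notify & Veto)
                                  # False: Permit the Operation (Notify Only)
    privileges: dict              # program name -> set of granted operations
    record_log: bool = True       # "Record it in the Log File" check box
    log: list = field(default_factory=list)

    def check(self, op: Operation) -> bool:
        """Return True if the operation is allowed to proceed."""
        if op.kind in self.privileges.get(op.program, set()):
            return True                 # granted privilege: no alert, no log line
        if self.record_log:
            self.log.append(LogEntry(
                op.when,
                f"{op.kind} privilege violation: {op.program} -> {op.target}",
                True, op.program, op.disk))
        # Notify Only is the installation default: the operation is reported
        # but still permitted, so an infection proceeds (section 4.h).
        return not self.veto

    def get_info(self, index: int) -> tuple:
        """What the "Get Info" button reveals for a log entry."""
        entry = self.log[index]
        return entry.program, entry.disk

    def render_log(self) -> str:
        """One line per entry; entries for different days separated by a blank line."""
        lines, last_day = [], None
        for entry in sorted(self.log, key=lambda e: e.when):
            day = entry.when.date()
            if last_day is not None and day != last_day:
                lines.append("")
            last_day = day
            flag = "!" if entry.violation else " "   # stands in for the bold red text
            lines.append(f"{flag} {entry.when:%Y-%m-%d %H:%M} {entry.text}")
        return "\n".join(lines)


# Constructed privilege list: one legitimate program that must write into
# other files (e.g. a document it did not create), but never into resources.
DEFAULT_PRIVILEGES = {"WordProcessor": {FILE_OTHER, FILE_SELF}}


def run_scenario(veto: bool) -> dict:
    """Replay the same three constructed operations under the given mode."""
    monitor = Monitor(veto=veto, privileges=DEFAULT_PRIVILEGES)
    t0 = datetime(1993, 11, 12, 9, 0)
    results = {
        # privileged program performing a granted operation: silent
        "wp_file": monitor.check(
            Operation("WordProcessor", FILE_OTHER, "Letter", "HD", t0)),
        # same program, operation outside its grant: still alarms (section 4.i)
        "wp_res": monitor.check(
            Operation("WordProcessor", RES_OTHER, "System", "HD", t0.replace(hour=10))),
        # constructed infected application patching a resource into the System file
        "infected": monitor.check(
            Operation("InfectedApp", RES_OTHER, "System", "Floppy", t0.replace(day=13))),
    }
    results["violations"] = sum(1 for e in monitor.log if e.violation)
    results["monitor"] = monitor
    return results


if __name__ == "__main__":
    for mode in (False, True):
        r = run_scenario(veto=mode)
        print("Notify & Veto" if mode else "Notify Only (default)",
              {k: r[k] for k in ("wp_file", "wp_res", "infected", "violations")})
        print(r["monitor"].render_log(), "\n")
```

In both modes the log ends up with the same two violation lines; only the return value of check() differs. That is the whole difference between the two radio buttons, and it is why an installation left at the default gives a log entry for an infection it has just allowed.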
   (6) The Privileges Section allows a user to identify which programs legitimately require permission to perform what would otherwise be considered suspicious, virus-like behavior. The author distributes Gatekeeper with a large list of common programs which require privileges. This has the effect of eliminating those Type I alarms which in earlier program versions may have frustrated many a user. There are buttons and boxes to add programs, to delete programs, and to specify which special operations each program requires.

f. Installation and testing of Gatekeeper and Gatekeeper Aid confirmed that the programs function as documented. Against a suite of known Macintosh viruses and trojan horses, Gatekeeper alarmed and prevented virus operations when configured in the Stop the Operation mode. The test suite included: Scores, nVir (A & B), INIT 29, Anti (A & B), MacMag, WDEF (A & B), Zuc (A, B & C), MDEF (A, B, C & D), Frankie, MBDF (A & B), INIT 1984, Code 252, T4 (A & B), INIT 17, INIT M, CDEF and Code-1.

g. The log records were informative and helpful in analyzing what operations Gatekeeper had flagged as suspicious. Though the documentation does not discuss how one may print a log entry, it is possible to read and to print the Gatekeeper Log file with an editor, in addition to the view obtained through the Gatekeeper Control Panel.

h. It is important to stress that upon installation Gatekeeper is in Notify Only mode. This means that running an infected application will result in an alarm, but will not prevent an infection. I intentionally infected one test system with a variant of the nVIR virus while in the installation default mode. I did receive a Gatekeeper warning message, which in turn generated a log section entry. This highlights the point which the author makes: that one might choose to run an anti-viral detection program prior to Gatekeeper installation, or might configure Gatekeeper for maximum protection before running an untrusted application.

i.
It was my observation that, even though Gatekeeper has a default set of privileged programs, there will be occasions where Gatekeeper will still alarm for activities performed by those programs. This occurs because a user may configure a program to best fit his or her requirements. These additional alarms will demand corresponding user action, depending upon the Gatekeeper mode implemented.

j. The author has provided a Gatekeeper Extras Folder for the experienced user. While I have reviewed the documentation, I have not tested the features available in the additional control panel provided.

5. Product Advantages:

a. Gatekeeper and Gatekeeper Aid are effective tools to address known and unknown malicious program activity. Peer review on the Internet has confirmed that the program has detected the "suspicious activity" of "new" viruses without requiring an update. A few examples include: T4-C (February 1993), INIT 17 (April 1993), INIT M (April 1993), and MBDF B (November 1993).

b. The programs are copyrighted, but totally free for users in any computing environment (government, home use, private industry, university, etc.).

c. The installation and configuration are easy even for the novice user.

6. Product Disadvantages:

a. The product is dependent upon one individual. Should something happen to Chris Johnson, maintenance of the programs might end.

b. What is free today may not be free tomorrow. No one can predict that such an excellent product will remain available forever without charge. There is at least one example in the MS-DOS world where a well-known freeware program suddenly changed itself into an expensive shareware program for government and private-industry users.

c. Gatekeeper may still produce Type I alarms or interfere with legitimate operations, because it is simply impossible to anticipate every conceivable program which may require privileges for its operations.
Therefore, one should always have access to a "knowledgeable" user or support staff, if necessary, to handle user requests for assistance in analyzing warning messages.

d. Distribution of the product over the Internet may present a problem for certain user communities whose policies and procedures preclude connection to "open" networks. There is also the reality that certain commercial businesses and government agencies prohibit the use of public domain or freeware programs.

7. Comments:

Any effective strategy for anti-viral defense must employ a variety of techniques and tools. Gatekeeper and Gatekeeper Aid present technical solutions with no direct cost to the user. There is an indirect cost in the acquisition, distribution, installation and configuration of Gatekeeper, yet such expense can hardly be more than might be experienced with a comparable commercial product. One should expect an indirect cost as well in analyzing log files and in determining privileges for programs which have legitimate operations but which are not in the default installation.

Detection of suspicious activity is a step above virus detection by signature identification, since it does not depend on prior knowledge of a particular virus. Several commercial products offer comparable activity monitoring for those interested in reviewing different implementations. It remains an open question whether one can exploit features of the System 7 operating system to bypass Gatekeeper's controls. Notwithstanding that Chris Johnson has made a significant contribution to the security of the Macintosh, continuity-of-operation concerns dictate that any user have at least one other protection program to supplement Gatekeeper.

There are many issues in the acquisition and use of viral detection tools. Interested readers may consult the Proceedings of the National Computer Security Association's 2nd International Virus Prevention Conference & Exhibition, February 1993, for several papers on the subject, including one entitled "Selecting an Anti-Virus Product".
The National Institute of Standards and Technology, Computer Security Division, has issued Special Publication 800-5, "A Guide to the Selection of Anti-Virus Tools and Techniques", December 2, 1992. The publication is available for anonymous ftp from the NIST host 129.5.54.11 in the path /pub/nistpubs. One may also call Ms. Dianne Ware, NIST, at 301-975-2821 for one free copy.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

FOR FURTHER REFERENCE:

   PRODUCT TEST NUMBER   PRODUCT
   PT-9                  DISINFECTANT
   PT-10                 VIREX
   PT-20                 SYMANTEC ANTIVIRUS FOR MACINTOSH
   PT-30                 VIRUSDETECTIVE
   PT-32                 MACTOOLS
   PT-44                 RIVAL
   PT-46                 CITADEL
   PT-71                 MACRX

------------------ RFC822 Header Follows ------------------
Date: 06 Dec 1993 08:43:34 -0700 (MST)
From: Chris McDonald STEWS-IM-CM-S
Subject: Revised Product Test # 53, Gatekeeper/Gatekeeper Aid
To: orvis@icdc.llnl.gov
Resent-to: BILL_ORVIS@QUICKMAIL.llnl.GOV
[To]: cmcdonal@wsmr-emh34.army.mil
[Cc]: krvw@agarne.ims.disa.mil, dorian@cobalt.house.gov, sysadmin%ers.bitnet@vtbit.cc.vt.edu