From: Chris McDonald STEWS-IM-CM-S (2/21/93)
To: marty%belvoir-prism.army.mil@be, marty@belvoir-prism.army.MIL
CC: /usr/cmcdonal/virrevlist:@wsmr-
Subject: Product Test 55, Gobbler II

*******************************************************************************
                            PT-55          February 1993
*******************************************************************************

1. Product Description: Gobbler II, Advanced Anti-Virus Toolkit, is a viral signature identification and removal program copyrighted by COMRAC, the Netherlands. This product test addresses version 3.0.

2. Product Acquisition: In June 1992 a Victor Smith contacted me over the Internet and asked if I would test Gobbler II. He identified himself as "one" of the programmers involved with the program, which had started in February 1989. The Dutch company COMRAC apparently acquired the program in early 1990. Victor sent me the program UUENCODED in mid-July 1992; however, checksum errors accompanied the transmission. He successfully retransmitted the program on July 21, 1992. He indicated that additional materials would follow via land mail. This never occurred. Electronic mail communications with Victor Smith ceased to be responsive in October 1992, so details on the program are incomplete. Vesselin Bontchev from the Virus Test Centre-Hamburg has issued a report on Gobbler II's effectiveness against the MtE object module in which he gives the status of the program as "Shareware?".

3. Product Tester: Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN: 258-7548, DDN: cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

   a. Product tests occurred on a variety of platforms running MS-DOS 3.3 through 5.0. The lack of documentation hinders any definite statements on the minimum hardware and software configuration required. Initial testing extended from July through September 1992. On the chance that electronic mail communications might be reestablished, it seemed prudent to defer publication of any test results. Further tests occurred from 3-18 February 1993 to refresh my test notes on the program.

   b. The operative word which describes the version of Gobbler II in my possession is "incomplete". It is clear that certain modules were missing, which affected the program's operation.

   c. The program has an attractive menu interface which reminds one of the F-PROT and TBScan displays. There are five significant menu options which a user can adjust.

      (1) Search: One has options to scan all hard disks, the current disk, the current directory, a specific directory, a specific file, or a network.

      (2) Action: One has options to report only, to disinfect with a prompt, to have automatic disinfection, to delete an infected file with a prompt, or to rename.

      (3) Files: One can choose to scan standard executables or all files.

      (4) Targets: This option includes "targets" to search for (i.e., file viruses, boot sector viruses, polymorphic viruses and trojans/jokes).

      (5) Output: One can have alarm messages written to the screen, to a log file, or to a printer. The output options also include additional "warning" messages which may be captured for analysis. The messages have heuristic characteristics similar to those in TBScan, but are very limited by comparison.

   d. Testing verified the functionality of all the options. Against a suite of 611 known malicious viral/trojan horse signatures, Gobbler II identified what it claimed it could. The test suite included 75% of the "common" viruses identified in the January 1993 edition of Patricia Hoffman's Virus Summary List. That percentage would be higher if one used the list of "common" viruses identified by the International Computer Security Association (ICSA) and by other researchers. Vesselin Bontchev has tested the program against MtE-based viruses. His results have been posted to Virus-L and are available in the January 1993 edition of "Virus News International". Vesselin writes: "The algorithm for MtE detection . . . seems to be excellent, except for the CryptLab virus, which the author of the program seems not to have. This was the only program that properly identified each one of the samples. The other scanners just said, 'MtE virus' or something similar".

   e. There were problems identified during the tests.

      (1) Although I could generate log files, I was unable to print a log file from the DOS command line. While I could view the log files with the Norton Utilities editor or with the DOS "type" command, it was clear the files were either in a special format or corrupted in some way. It was possible to display the results directly to a screen and to a printer during an individual scanning operation.

      (2) The Help option did not function. If one did not use a mouse, certain Help screens would lock up the program and the system. One then had no way to exit but through a cold reboot.

      (3) Viral Definitions under the Database menu option were almost all empty. Again it appeared that something was missing. Without a mouse there were several occasions in which I could not remove the Database information from the screen, even though I could launch scanning operations and change option settings. This really cluttered the screen.

      (4) After some scanning operations, Gobbler II would lock up the system. The problem did not seem related to any particular option selections, but rather to the program overflowing memory. In all cases a cold reboot was necessary.

      (5) The heuristic warning report options were obtuse for someone with my limited abilities. It was really not that meaningful to be told that Gobbler II had encountered a "packed file", or that a file had an "incorrect time stamp", or that a file had an "incorrect EXE header". Against actual viral samples I was able to trigger most, but not all, of the options.
Without on-line Help facilities or a manual to fill in what these warnings "might" mean, however, these options would probably be more confusing than helpful.

5. Product Advantages: Gobbler II obviously has some attractive detection capabilities. The copy under evaluation does not unfortunately provide a realistic basis for making a definitive assessment. Although the heuristic scanning report options appear primitive when compared against those in F-PROT and TBScan, clearly the program authors have made an attempt.

6. Product Disadvantages: The "unfinished" nature of the program, as noted by Vesselin Bontchev, presents a major concern. It is not clear if the program is commercial or shareware, or whether a technical support staff exists.

7. Comments: There are many issues in the acquisition and use of viral detection tools. Interested readers may consult the Proceedings of the National Computer Security Association's 2nd International Virus Prevention Conference & Exhibition, February 1993, for several papers on the subject, to include one entitled "Selecting an Anti-Virus Product". The paper discusses criteria which may be important in the evaluation and selection process. The National Institute of Standards and Technology, Computer Security Division, has issued Special Publication 800-5, "A Guide to the Selection of Anti-Virus Tools and Techniques", December 2, 1992. The publication is available for anonymous ftp from the NIST host 129.6.54.11 in the path /pub/nistpubs. One may also call Ms. Dianne Ward, NIST, at 301-975-2821 for one free copy.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER      PRODUCT
PT-3                     VIRUSCAN
PT-11                    AVSEARCH, 2.24
PT-12                    VIRUCIDE
PT-17                    F-PROT
PT-23                    VIREX-PC
PT-24                    VIRUSAFE
PT-25                    DR. SOLOMON'S TOOLKIT
PT-27                    FLU-SHOT+, 1.81
PT-28                    NORTON ANTIVIRUS
PT-31                    DATA PHYSICIAN PLUS! (VirHunt)
PT-34                    IBM ANTI-VIRUS (MS-DOS & OS/2)
PT-36                    CENTRAL POINT ANTI-VIRUS
PT-39                    THUNDERBYTE SCANNER
PT-40                    ALLSAFE
PT-41                    VIRx
PT-45                    VIRUS PREVENTION PLUS
PT-48                    VIRUSCURE+
PT-51                    PC-RX
PT-52                    VIRUSCLEAN
PT-58                    VIRUS BUSTER
PT-59 in process         IBM ANTIVIRUS/DOS
PT-60                    VIRUS TERMINATOR
PT-61 in process         VDS PRO