From: Chris McDonald STEWS-IM-CM-S (2/7/93)
To: /usr/cmcdonal/maillist:@wsmr-emh03.army.mil
Cc: /usr/cmcdonal/reviewlist:@wsmr-emh03.army.mil
Subject: Product Test Report 58, Virus Buster, version 3.93

*******************************************************************************
                          PT-58                    February 1993
*******************************************************************************

1. Product Description:

Virus Buster consists of a collection of programs which provide for access control, boot protection, checksumming, signature scanning, system monitoring, and restoration. This product test addresses version 3.93.

2. Product Acquisition:

Virus Buster is available from Leprechaun Software International, Ltd., P.O. Box 669306, Marietta, GA 30066-0106. The Sales telephone number is 404-971-8900 or 800-521-8849. The FAX number is 404-971-8828. The cost of the product appears to be dependent upon volume. Corporate and Government site licenses are available for either perpetual or 5 year licenses. An annual maintenance fee applies to corporate/site license holders at 15% of the existing license value.

3. Product Tester:

Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN: 258-7548, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I received an evaluation copy of the product in November 1992. All programs arrived on a 3 1/2" disk accompanied by a seven page Features Guide to Virus Buster. While the guide provided enough information to install the anti-virus components of the product, a regular copy of Virus Buster comes with a 300+ page users manual.

b. Product tests occurred on a variety of platforms running MS-DOS 3.3 through 5.0. The documentation states that the product is Windows 3.0 and network compatible (i.e., 3COM, 3COM3+, PC-NFS, Novell, IBM Token Ring and Banyan Vines). There are also versions for OS/2 and SCO Unix.
For a standalone system or workstation Virus Buster requires MS-DOS or PC-DOS 2.1 or greater, 256Kb memory with 512Kb recommended, and 700Kb hard disk space with 1 Mb recommended. Product testing extended from November 17, 1992 to January 28, 1993.

c. The operative words which Virus Buster developers use to describe it are "multiple layered strategy". The strategy depends upon distinct program modules functioning together.

(1) Buster is a "generic virus detection" program which takes a checksum of a file and/or system area and then reports any change. "Generic", as used in the documentation, means that the protection is not specific to any particular family or strain of virus.

(2) Doctor is the program which performs viral signature detection and removal of known viruses.

(3) Watchdog is a memory resident program which watches for "suspicious activity", such as attempts to format a disk or to write to a write-protected disk; which calculates a checksum on executable programs and then verifies that checksum before the program runs; and which detects a program attempting to become memory resident, to write to a read-only file, or to write to a .com file, .exe file or system area.

(4) VBShield is a memory resident program installed as a device driver which scans a program for known viruses before it executes. The documentation refers to this module as a "memory resident version of The Doctor".

(5) GetSign is a program to extract suitable "signatures" from virus infected files and disks.

(6) List is a program to display log files produced by Virus Buster programs such as Buster and Doctor.

(7) OnceADay is a batch utility to run selected modules either once a day, or once a week on a specific day.

(8) Protect is a program to establish Watchdog checksums.

(9) VBCopy is a utility which provides the functionality of the DOS COPY and XCOPY commands while it scans for known viral signatures in the copied files.
(10) DiskLok/KeyLok are programs to provide access control and boot protection.

(11) VBSaver is a device driver to specifically combat stealth viruses.

d. The basic functionality of all programs was verified with the exception of these modules: GetSign, DiskLok and VBSaver. By definition GetSign extracts "signatures" of new viruses so that one can update the VBShield data base. Assuming for the moment that one could prove that a "suspicious" program was actually a "new" virus, one would still have to have that suspicious program available. I had no such sample. Without the complete users manual I was hesitant to test the DiskLok program, given the possibility of locking oneself out of one's system. Finally, I lack the technical expertise to test VBSaver against a stealth virus attack.

e. Individual program modules generated these observations.

(1) Buster

The program has an attractive menu-interface which, as one pulls down a menu item, displays a brief synopsis of the selection at the bottom of the screen. Generation of initial checksums was fast in comparison to other comparable products. The default was for the creation of checksums for files with .bin, .com, .exe, .ov?, and .dll extensions. One may choose to add additional extensions.

The file of checksums was not created as either write-protected or as a hidden file. Consequently, it was possible to delete the file. While the next execution of Buster indicated that the checksum file could not be located, it probably would have been desirable to afford the file some type of protection against either accidental or deliberate deletion. There was no attempt made to surreptitiously alter the contents of the checksum file.

There were at least three visible attributes which Buster recorded for the checksum of a file: directory location, header, and contents. Benign tests which changed the contents of checksummed files always resulted in an appropriate alarm.
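As an added illustration, and not code from this report or from Virus Buster, the following Python sketch implements the kind of generic checksum baseline the Buster module is described as keeping: for each file with a candidate extension it records the directory location, a digest of the header and a digest of the full contents, then re-checks and reports changed, added and (going beyond what Buster was observed to do) deleted files. It also carries the point raised under 6.a below about checksum strength, contrasting a plain additive checksum, a CRC and a keyed hash. The file set, paths, contents and key are constructed sample data; the directory tree is modelled as a dictionary so the example runs offline.

```python
"""File-integrity baseline in the style of a generic checksummer (added example).
Files are represented as a dict path -> bytes, standing in for a directory tree.
"""
import hashlib
import hmac
import zlib

HEADER_LEN = 16  # bytes of each file recorded separately as the "header"


def is_candidate(path):
    """Match the default extension set .bin, .com, .exe, .dll and .ov? (any overlay)."""
    name = path.lower()
    if name.endswith((".bin", ".com", ".exe", ".dll")):
        return True
    dot = name.rfind(".")
    return dot != -1 and len(name) - dot == 4 and name[dot:dot + 3] == ".ov"


def additive_checksum(data):
    """Plain 16-bit additive checksum: insensitive to byte order, trivially collided."""
    return sum(data) & 0xFFFF


def keyed_digest(key, data):
    """HMAC-SHA256: without the key, a forger cannot compute a matching value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(files, key):
    """Record location, header digest and contents digest for every candidate file."""
    baseline = {}
    for path, data in files.items():
        if is_candidate(path):
            baseline[path] = {
                "header": keyed_digest(key, data[:HEADER_LEN]),
                "contents": keyed_digest(key, data),
            }
    return baseline


def verify(baseline, files, key):
    """Return sorted (path, finding) pairs; an empty list means nothing changed."""
    findings = []
    current = build_baseline(files, key)
    for path, rec in baseline.items():
        if path not in current:
            findings.append((path, "deleted"))
        elif rec["contents"] != current[path]["contents"]:
            header_hit = rec["header"] != current[path]["header"]
            findings.append((path, "header changed" if header_hit else "contents changed"))
    for path in current:
        if path not in baseline:
            findings.append((path, "added"))
    return sorted(findings)


def demo():
    """Constructed scenario: one benign edit, one added .com, one deleted overlay."""
    key = b"constructed-site-key"  # in practice kept where ordinary users cannot read it
    disk = {
        r"C:\DOS\COMMAND.COM": b"MZ" + bytes(range(64)),
        r"C:\UTIL\LIST.EXE": b"MZ" + b"\x10" * 40,
        r"C:\UTIL\README.TXT": b"not a candidate extension",
        r"C:\UTIL\VIEW.OVL": b"overlay data",
    }
    baseline = build_baseline(disk, key)
    disk[r"C:\UTIL\LIST.EXE"] = b"MZ" + b"\x10" * 39 + b"\x11"  # header intact, tail changed
    disk[r"C:\GAMES\NEW.COM"] = b"\xe9\x00\x00"                  # new candidate file
    del disk[r"C:\UTIL\VIEW.OVL"]                                 # removed checksummed file
    return verify(baseline, disk, key)


def checksum_comparison():
    """Two different contents that an additive checksum cannot tell apart."""
    a, b = b"ABCD", b"DCBA"
    return {
        "additive_equal": additive_checksum(a) == additive_checksum(b),
        "crc32_equal": zlib.crc32(a) == zlib.crc32(b),
        "hmac_equal": keyed_digest(b"k", a) == keyed_digest(b"k", b),
    }


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:16} {path}")
    print(checksum_comparison())
```

The comparison function shows why the wording "encrypted checksums" deserves the follow-up question suggested in 6.a: an additive checksum does not notice reordered bytes at all, a CRC notices accidental change but can be recomputed by anyone who can read the file, and only the keyed digest ties the value to a secret the checker holds. The same reasoning applies to the baseline file itself, which the report notes Buster left neither write-protected nor hidden.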
Upon any alarm one had six options which ranged from ignoring the warning to the actual deletion of the file. It was interesting that one could delete a checksummed file without receiving a Buster alarm. On the other hand, if one added a file, Buster would alarm whenever the additional file had an extension identified as a candidate for checksumming.

Each operation of Buster generated a buster.log file which recorded the results. The log file was cumulative, which avoided the problem of deleting or overwriting a previous operation. It would also have permitted an observant user to notice the deletion of a checksummed file by comparing the total number of files reported against a previous report. The buster.log file was not created as either write-protected or as a hidden file.

(2) Doctor

Version 3.93 claims to contain viral definitions for approximately 1,010 known viruses and variations, to include detection of the MtE object module. I use the word "approximately" cautiously since program architecture and virus-naming conventions make it difficult to arrive at a specific number. The program claimed to identify at least 94% of those viruses characterized as "common" by Patricia Hoffman in her HyperText Virus Summary List (VSUM), December 20, 1992. Readers should be aware that the accuracy of Ms. Hoffman's list has come under increasing attack from several well-known viral researchers.

Although I do not have code for all the malicious programs which the Doctor claims to detect, I did test it against 610 malicious samples which included 75% of the so-called common viruses. The program detected what it claimed it could. Users may refer to more detailed test results from other reputable sources such as the Virus Test Center and the International Computer Security Association. Two other publications, "Computers & Security" (March 1992) and "Virus Bulletin" (November 1991), have similarly reviewed earlier versions of Virus Buster.
Doctor generally uses the identical menu-interface found in the Buster module. Scanning speed is fast with a variety of options for scanning, file extension selections, and reports generation. Default scanning selections were intelligent and logical. All options performed satisfactorily.

(3) Watchdog

The module serves as a memory resident Buster, but provides additional features which monitor for indications of "suspicious" activity. For example, one can activate options to stop the loading of terminate-and-stay-resident programs, to stop the execution of programs from a floppy, to check for changes to memory, and to stop writing to files with a .com or a .exe extension. I tested all of these options, which resulted in the appropriate alarm in each case. When an alarm occurs, one has options similar to those in Buster warnings. The difference is that the number of options is less.

Since Watchdog creates its own checksums distinct from those generated by Buster, one has two options to create initial checksums. One can either activate Watchdog and then generate checksums individually as one invokes individual programs; or one can use the Protect module to generate checksums for all programs. I tested both methods, but clearly the latter is the preferable alternative.

(4) KeyLok, VBCopy and VBShield

Limited functionality testing confirmed these modules performed as described in the Features Guide.

5. Product Advantages:

a. Virus Buster has an impressive range of tools. The modular nature of the product allows one to select the appropriate protection.

b. The product provides more than just viral signature identification. It addresses the issue of malicious programs by creating checksums and by monitoring for "suspicious" activity.

c. The user has the option to add additional viral signatures in advance of a formal revision.

d. Site licensing costs appear attractive, particularly if one considers that Virus Buster provides both virus and access control protection through the DiskLok/KeyLok modules.

6. Product Disadvantages:

a. Although the Features Guide states that Buster creates "encrypted checksums", it would be appropriate to enquire further as to what this actually means. Since the evaluation copy did not contain the documentation normally distributed with the product, it is not possible to make any meaningful comment on this matter. Readers should be aware that the Risks Forum and the Virus-L discussion groups have carried copious discussion on the strength of checksumming techniques and on desirable algorithms. There is also the distinction between checksumming and cyclic redundancy checks (CRC). While many individuals use the terms interchangeably, there is a real difference.

b. Programs which provide checksumming and which monitor "suspicious" activity naturally cause Type I or false positive alarms. If a user receives an alarm, he or she must either have sufficient information to select the appropriate option, or have access to individuals who can provide such expertise.

7. Comments:

There are many issues in the acquisition and use of viral detection tools. Interested readers may consult the ISSA Access Magazine, 1st Quarter 92, for an article entitled "Beyond the Hype: What Can One Expect from Anti-Viral Detection Programs?" The article discusses criteria which may be important in the evaluation and selection process.

The National Institute of Standards and Technology, Computer Security Division, has recently issued Special Publication 800-5, "A Guide to the Selection of Anti-Virus Tools and Techniques", December 2, 1992. The publication is available for anonymous ftp from the NIST host 129.6.54.11 in the path /pub/nistpubs. I successfully downloaded and printed a postscript copy of the document. One may also call Ms. Dianne Ward, NIST, at 301-975-2821 for one free copy.
[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER       PRODUCT
PT-3                      VIRUSCAN
PT-4                      DATA PHYSICIAN
PT-6                      VIRUS CHECKER (VCHECK) V1.1E
PT-7                      CHKSUM
PT-8                      FILETEST
PT-11                     AVSEARCH, 2.24
PT-12                     VIRUCIDE
PT-17                     F-PROT
PT-23                     VIREX-PC
PT-24                     VIRUSAFE
PT-25                     DR. SOLOMON'S TOOLKIT
PT-27                     FLU-SHOT+, 1.81
PT-28                     NORTON ANTIVIRUS
PT-31                     DATA PHYSICIAN PLUS! (VirHunt)
PT-34                     IBM ANTI-VIRUS (MS-DOS & OS/2)
PT-36                     CENTRAL POINT ANTI-VIRUS
PT-39                     THUNDERBYTE SCANNER
PT-40                     ALLSAFE
PT-41                     VIRx
PT-45                     VIRUS PREVENTION PLUS
PT-48                     VIRUSCURE+
PT-51                     PC-RX
PT-52                     VIRUSCLEAN
PT-55 in process          GOBBLER-II
PT-59 in process          IBM ANTIVIRUS/DOS
PT-60                     VIRUS TERMINATOR
PT-61 in process          VDS PRO (MS-DOS)

------------------ RFC822 Header Follows ------------------
Received: by internetqm.llnl.gov with SMTP;7 Feb 1993 15:22:41 U
Received: from icdc.llnl.gov by icdc.llnl.gov (PMDF #12441) id <01GUG0ZESSJKERXV6O@icdc.llnl.gov>; Sun, 7 Feb 1993 15:21 PST
Received: from pierce.llnl.gov by icdc.llnl.gov (PMDF #12441) id <01GUG0YYJE2OERXV33@icdc.llnl.gov>; Sun, 7 Feb 1993 15:21 PST
Received: by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92) id AA16769; Sun, 7 Feb 93 15:21:34 PST
Received: from WSMR-SIMTEL20.ARMY.MIL by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92) id AA16762; Sun, 7 Feb 93 15:20:58 PST
Received: from wsmr-emh03.army.mil by WSMR-SIMTEL20.ARMY.MIL with TCP; Sun, 7 Feb 1993 16:19:30 -0700 (MST)
Resent-date: Sun, 7 Feb 1993 15:21 PST
Date: Sun, 7 Feb 93 16:13:58 MST
From: Chris McDonald STEWS-IM-CM-S
Subject: Product Test Report 58, Virus Buster, version 3.93
Resent-to: BILL_ORVIS@QUICKMAIL.llnl.GOV
To: /usr/cmcdonal/maillist:@wsmr-emh03.army.mil
Cc: /usr/cmcdonal/reviewlist:@wsmr-emh03.army.mil
Resent-message-id: <01GUG0ZESSJKERXV6O@icdc.llnl.gov>
Message-id: <9302072320.AA16762@pierce.llnl.gov>
X-Envelope-to: BILL_ORVIS@QUICKMAIL.llnl.gov
X-VMS-To: IN%"/usr/cmcdonal/maillist:@wsmr-emh03.army.mil"
X-VMS-Cc: IN%"/usr/cmcdonal/reviewlist:@wsmr-emh03.army.mil"
======================================================================