Date: 01 Feb 1994 07:47:13 -0700 (MST)
From: Chris McDonald IM-CM-S
Subject: Revised Product Test, PT-59, IBM AntiVirus DOS
To: orvis@icdc.llnl.gov
Cc: krvw@agarne.ims.disa.mil

*******************************************************************************
                        PT-59 Revised February 1994
*******************************************************************************

1. Product Description: The IBM AntiVirus/DOS is a commercial program to detect and to remove viruses. This product test addresses version 1.04.

2. Product Acquisition: The IBM AntiVirus/DOS is available from the IBM Corporation Distribution Center, 1420 Presidential Drive, Richardson, TX 75081. The telephone number is (800) 551-3579. Information on site licensing and on IBM AntiVirus Services may be obtained by calling (800) 742-2493.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5006, DSN 258-7548, DDN cmcdonal@wsmr-emh34.army.mil.

4. Product Test:

a. I acquired version 1.0 of the program in November 1992 by calling the toll-free number. Upon receipt of version 1.00 I conducted initial testing and enrolled in the annual protection plan to verify the efficiency of the service. I have continued to receive updates through the distribution program. I received version 1.04, dated November 15, 1993, in early December 1993.

b. Product tests have occurred on a variety of MS-DOS platforms running MS-DOS 3.3 through 5.0. Readers should be aware that IBM offers two distinct software programs: IBM AntiVirus/DOS for DOS version 3.3 and later, with a Windows version for Windows 3.0 and 3.1; and IBM AntiVirus/2 for OS/2 version 1.3 and 2.0. Version 1.04 documentation now identifies IBM AntiVirus for NetWare, a "new component for Novell NetWare servers . . . available to customers of IBM AntiVirus Services".
However, this component is a separate purchase item.

c. All versions have arrived on two write-protected disks. One has the option to specify media size. The User's Guide has continued to grow and at version 1.04 is now twice the size of the Guide distributed with version 1.00.

d. The automatic install program continues to function as documented. I have also chosen on occasion to use the customized installation option.

(1) There are several introductory screens followed by a viral check of memory.
(2) One selects the configuration from two choices: DOS or DOS/Windows.
(3) One selects the drive on which to install the program.
(4) One selects the installation directory or accepts the default \IBMAV.
(5) One receives options to modify the system's config.sys and autoexec.bat files. If one wishes to install automatic checking of the system or to install DOS shielding, one must answer "yes" at this point. If one answers "no", the installation program provides an example of what instructions need to be added manually to both files.
(6) One has the option to perform an initial viral scanning operation on the system.
(7) The final selection is a choice to view the readme.doc file included on the installation disk.

e. The documentation identifies two "kinds of automated protection": "automated checking" when one boots the system, and DOS session shielding. DOS session shielding "monitors programs as you run them in DOS sessions". The theory behind the latter protection is that one will receive notification if an infected program executes. The documentation on shielding seems to equivocate when it states that "in most cases the virus will be prevented from becoming active or spreading, and you can use the infected program without spreading the infection". I tested these two protection features as well as manual execution of viral scanning, with these results.
(1) While I do not have code for all the malicious programs which the product claims to identify, I did test against a suite of 2,073 malicious programs which included 88% to 94% of the so-called "in the wild" viruses. The percentage varies depending upon whose "in the wild" suite one chooses (i.e., "Virus Bulletin", VSUM by Patricia Hoffman, or FreqList by Joe Wells). The program identified 100% of the "in the wild" samples and overall flagged 1,820 samples as infected or probably infected.

(2) The "Virus Bulletin", January 1994, evaluated the performance of version 1.04 with equally impressive results against the Bulletin's "in the wild", standard, and Mutation Engine test sets. The program was one of six out of nineteen to have had an accuracy of 100%.

(3) The program still did not identify VCL samples in my possession. It is unclear why the program continues to omit such identification.

(4) The program did not identify any TPE samples. The documentation does not claim to identify TPE creations. The "Virus Bulletin" test sets did not include TPE samples. Since the TPE code has been in distribution for at least one year, however, one might have expected that the program would have detected it.

(5) DOS shielding functioned as documented. With shielding active I attempted to execute six of the common file infector viruses (i.e., 1575, 4096, 1701, 1704, Jerusalem and Yankee Doodle). The shielding alarmed upon the execution of the respective infectors and did prevent spreading of any infection. A reviewer in the January 1993 edition of "Virus Bulletin" made this comment: "It is worth pointing out that the integrity shield can only detect viruses that are at large - it does not detect the vast majority of viruses which, so far, have not been circulated outside the virus writing and anti-virus communities. This is a double-edged sword because the user has no control over which viruses the shield is capable of detecting - a virus which is believed not to be in circulation one day may well appear 'in the wild' the next." Personally I prefer the IBM approach, given that one still has the ability to utilize the main scanning program to complement shielding and given that infection rate statistics continue to reflect the reality of only 15-20 viruses accounting for 85%-90% of all reported viral attacks.

(6) DOS shielding has several options: (a) warn when viral activity occurs; (b) check diskette boot records when used; and (c) prevent common DOS viruses. I was able to validate the functionality of (b) and (c), but lack the expertise to comment on (a). Program documentation provides a brief description of seven possible messages which one might receive upon a warning of possible viral activity. The difficulty is that activity in itself may not be viral. Therefore, this option may generate Type I alarms (i.e., false positives), and will of necessity demand a knowledgeable user to interpret the results.

f. The IBM program has a distinctive operation. It first constructs a database containing integrity information about the files to be scanned. On subsequent invocations the program compares the integrity "record" of each file against the previously stored image. If there is a difference, the file is scanned. If they are identical, the next file is processed. The scanning operation also provides four possible results: Infected, Probably Infected, Suspicious, and Clean. Unfortunately the written documentation does not provide any definitions for "probably infected" and "suspicious". I think it would be appropriate to clarify these terms in print and in the on-line help.

g. The menu interface for running the program is attractive, with options in my opinion for every level of user. The default settings for operations appeared reasonable and on-line assistance was satisfactory.
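The integrity-database-then-scan scheme described in item f (and the "fuzzy scanning" verdict referred to under 6.c), as an added example that is not IBM's code and is not taken from the product documentation: a constructed Python sketch that keeps a SHA-256 record per file, scans only files whose record differs from the stored one, and reports Infected for an exact signature match, Probably Infected for a near match, or Clean. The signature patterns, the two-byte tolerance and the sample files are all constructed for the example; the product's "Suspicious" verdict is not modelled.

```python
import hashlib

SIGNATURES = {  # constructed byte patterns for this example, not real ones
    "SampleA": b"XYZ-CONSTRUCTED-SAMPLE-A",
    "SampleB": b"QRS-CONSTRUCTED-SAMPLE-B",
}
FUZZY_TOLERANCE = 2  # mismatching bytes still reported as "Probably Infected"

def fuzzy_find(data: bytes, sig: bytes) -> int:
    """Fewest mismatching bytes between sig and any same-length window of data."""
    best = len(sig)  # no window fits when data is shorter than sig
    for i in range(len(data) - len(sig) + 1):
        window = data[i:i + len(sig)]
        best = min(best, sum(1 for a, b in zip(window, sig) if a != b))
        if best == 0:
            break
    return best

def scan_bytes(data: bytes) -> str:
    """Exact match -> Infected; near match -> Probably Infected; else Clean."""
    verdict = "Clean"
    for name, sig in SIGNATURES.items():
        diff = fuzzy_find(data, sig)
        if diff == 0:
            return f"Infected ({name})"
        if diff <= FUZZY_TOLERANCE:
            verdict = f"Probably Infected ({name})"
    return verdict

def check_files(files: dict, db: dict) -> dict:
    """Scan only new or changed files; db maps name -> SHA-256 last recorded."""
    results = {}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if db.get(name) == digest:
            results[name] = "Unchanged"  # integrity record matches: skip scan
            continue
        results[name] = scan_bytes(data)
        db[name] = digest  # update the integrity record in place
    return results

def demo():
    """Two runs over constructed files; the second rescans only what changed."""
    files = {"clean.com": b"MZ" + b"\x90" * 40,
             "hit.com": b"MZXYZ-CONSTRUCTED-SAMPLE-A\x00\x00",
             "near.com": b"MZXYZ-CONSTRUCTED-SAMPLE-Z\x00\x00"}  # one byte off
    db = {}
    first = check_files(files, db)
    files["clean.com"] += b"\xcc"  # simulate one file being modified
    return first, check_files(files, db)
```

Because a file whose record matches is never rescanned, the first run must be made on a system known to be clean, and a signature update does not reach unchanged files until their records are rebuilt.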
It is possible as well to run the scanning program interactively. Those users familiar with the IBM Anti-Virus Product (reference Product Test 34) will find the options almost identical. One of the reasons that the program comes on two disks is to facilitate standalone program execution. I tested the program from the command line and verified that all options functioned as documented.

h. Audit trail information is available. The program generates a current, previous, and cumulative log which one may view as ordinary files. These logs contain data on when one checked the system, what files one checked, and whether one detected a viral signature.

5. Product Advantages:

a. The IBM AntiVirus/DOS program appears to perform as documented to detect known computer viruses. It provides removal facilities for a large number of viruses "in the wild". Finally, it offers a memory-resident component, DOS shielding, as an additional protection tool.

b. IBM provides competent and professional technical assistance for registered users.

c. Since the program creates a checksum database of all files on a disk, and only scans those files which have changed, subsequent invocations of the program will result in faster scanning times.

d. IBM has bundled the program as part of IBM PC-DOS 6.1. My tests and those of other independent researchers suggest that this is, in the words of a "Virus Bulletin" reviewer, "a class above MSAV".

6. Product Disadvantages:

a. For some high-risk environments quarterly updates may present a concern. Although business users with a corporate license may access an electronic bulletin board for immediate updates, the documentation makes no such provisions for single-copy users.

b. The documentation is somewhat terse in its description of "heuristic" scanning. Unlike another program, ThunderByte Scanner, which provides a detailed explanation of heuristic operations, the IBM program gives few specifics.

c. The program's use of "probably infected" to denote less than a perfect match of a sequence of bytes may initially concern users unfamiliar with the "fuzzy scanning" techniques which the program employs.

7. Comments: There are many issues in the acquisition and use of viral detection tools. Interested readers may consult the Proceedings of the National Computer Security Association's 2nd International Virus Prevention Conference & Exhibition, February 1993, for several papers on the subject, including one entitled "Selecting an Anti-Virus Product". The National Institute of Standards and Technology, Computer Security Division, has issued Special Publication 800-5, "A Guide to the Selection of Anti-Virus Tools and Techniques", December 2, 1992. The publication is available for anonymous ftp from the NIST host 129.5.54.11 in the path /pub/nistpubs.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER     PRODUCT
PT-3                    VIRUSCAN
PT-11                   AVSEARCH, 2.24
PT-12                   VIRUCIDE
PT-17                   F-PROT
PT-23                   VIREX-PC
PT-24                   VIRUSAFE
PT-25                   DR. SOLOMON'S TOOLKIT
PT-28                   NORTON ANTIVIRUS
PT-31                   DATA PHYSICIAN PLUS! (VirHunt)
PT-34                   IBM ANTI-VIRUS (MS-DOS & OS/2)
PT-36                   CENTRAL POINT ANTI-VIRUS
PT-39                   THUNDERBYTE SCANNER
PT-40                   ALLSAFE
PT-41                   VIRX
PT-45                   VIRUS PREVENTION PLUS
PT-48                   VIRUSCURE+
PT-51                   PC-RX
PT-52                   VIRUSCLEAN
PT-55                   GOBBLER-II
PT-58                   VIRUS BUSTER
PT-60                   VIRUS TERMINATOR
PT-61                   VDS PRO
PT-64                   STOPLIGHT
PT-65                   F-PROT PROFESSIONAL
PT-69                   VI-SPY