From: Chris McDonald (4/12/93)
To: securitylist:;@WSMR-SIMTEL20.ARMY.MIL
Cc: virreviews:;@WSMR-SIMTEL20.ARMY.MIL
Subject: Product Test #61, VDS PRO, version 1.0

*******************************************************************************
                                    PT-61
                                 April 1993
*******************************************************************************

1. Product Description. Virus Detection System (VDS) Professional (PRO) is an integrity checker which creates a "fingerprint" of all system areas and executable files. This product test addresses version 1.0.

2. Product Acquisition: VDS PRO is available from Z-RAM, Inc., Post Office Box 2087, Church Circle Station, Annapolis, MD 21404. The telephone number is (800) 638-2000. A single copy costs $49.00 plus shipping charges. Site licenses for federal, local and state governments are available. A "special discount" exists for academic institutions. The primary individual identified with the program development is Mr. Tarkan Yetiser.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548, DDN cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

   a. I obtained an evaluation copy in December 1992 from Mr. Bill Whittington, Z-RAM, Inc. Over the next two months I received updates to the initial program disk.

   b. I have tested the program on a variety of platforms running MS-DOS 3.10 through 5.0. The documentation identifies these minimum hardware and software requirements: MS/PC-DOS 3.0 or higher, a hard disk (not compressed or encrypted), 384Kb available memory, 500Kb free space on the hard disk, less than 1500 executable files per partition, and no file larger than 2Mb.

   c. The VDS PRO distribution disk contains:

      (1) VDS.EXE       The program file used for installation and verification.
      (2) WARNING.TXT   Information on incompatibilities with certain systems.
      (3) ORDERFRM.TXT  Instructions on ordering.
      (4) VITALFIX.EXE  An automated recovery utility to be used in the case of an MBR or a floppy BR infection.
      (5) VDSFSCAN.EXE  A viral identification program that can be used to scan floppy disks and network drives.
      (6) Boot Sector   A special boot sector placed on the VDS distribution disk to ensure a secure installation.
      (7) VDSDEV.DDR    A customized device driver created for each system during the installation routine.

   d. VDS PRO has a very specific installation procedure. One must first cold-boot the target system with the VDS distribution disk, remove the VDS disk, and then warm-boot from a "genuine" DOS disk. The documentation stresses that the DOS disk must be "clean" or uninfected. One then reinserts the VDS disk and types "install.bat". From this point one simply answers some questions and chooses some options to complete the installation.

   e. I found that the installation routine performed as documented. It does take some time for the program to complete an initial "fingerprint". The default is for VDS to generate a baseline for all executable files as well as system areas such as the master boot record (MBR), partition table and the boot record (BR). File name, size, date, time and signature combine to form a database scheme, to include a fingerprint of the VDS program itself.

   f. One invokes the program by placing a line in the autoexec.bat file. The automatic installation will add the line. When VDS runs, it verifies the integrity of its own code and then launches "decoys" (i.e., small executable programs created at run-time) into the system to see if an active virus will "take the bait". VDS next verifies the system areas and all executable code.

   g. During dozens of operations the sequence described above functioned as documented. I intentionally altered "fingerprints" through several disk editors, infected files with known viral samples, deleted files with fingerprints, and added files without creating a fingerprint. In every case VDS provided an alert message and generated a record in its vds-stat.log file. Upon an alert the program offers a user many options. One may, for example, overwrite a file whose fingerprint has changed; one may choose to update the fingerprint when it is apparent that the change is non-malicious; one may choose to establish a fingerprint for a non-malicious file which may have been recently loaded to the system. These are only examples and do not represent a complete listing of options.

   h. I must caution that my experience with integrity programs is limited, and that I lack the expertise to deliberately attack either the VDS device driver or its fingerprint schema. I can state that the program functioned as documented to detect changes to the baseline view of the system. Whenever the program detected changes, I received concise alert messages with logical suggestions on what course of action I should take.

   i. In September 1992 Robert Slade had posted a review of an earlier release of VDS in which he experienced problems in running VDSFSCAN as an independent program. Mr. Slade indicated that he had to install the module during the program installation. Although the developer, Mr. Yetiser, stated that the program would run independently, there was some controversy at the time Mr. Slade published his final results. I can state that the version I tested fully supports the ability to run VDSFSCAN as an independent program.

   j. Although I do not have code for all the malicious programs which VDSFSCAN claims to detect, I did test the program against 621 malicious programs which included at least 76% of the so-called "common" or "in the wild" viruses as well as the eight sample VCL viruses distributed by NoWhere Man.

      (1) The program identified 100% of the "common" viruses in the test suite and effectively identified what it claimed it could within the test samples. There are certain qualifications, however, to these results.

          First, VDSFSCAN did not alarm for a specific identification of a boot sector virus, the Air Cop virus. It rather alarmed for an unusual boot sector, gave me an option to capture the boot sector after viewing it, and then offered to remove the possibly new infection by restoring a clean boot sector.

          Second, although the program identified the eight VCL viruses included within the Virus Creation Laboratory distribution, it failed to identify an additional VCL creation distributed by Mark Ludwig in an edition of the Computer Virus Developments Quarterly.

          Third, while it could identify samples of the 1381 and the Vacsina viruses, it did not identify these infectors if the samples infected were compressed with LZEXE. In these instances the integrity component of VDS PRO detected the infections after infection had changed "fingerprints".

      (2) The "Virus News International", January 1993, evaluated the performance of CatchMte, which is the freeware version of the MtE detection module incorporated within VDS PRO. Vesselin Bontchev, Virus Test Center of VTC-Hamburg, documented that the module had a 100% detection rate against 15,994 samples of eight MtE virus samples.

5. Product Advantages:

   a. VDS PRO appears to perform as documented. It provides features beyond those of simple viral signature identification to address the potential threat of malicious program activity.

   b. The installation procedure at version 1.0 is painless, though it might seem complicated to a novice user.

   c. VDS provides a user with the capability to automate recovery in the event of an MBR/BR infection.

   d. The program provides an audit record feature to assist in the analysis and investigation of changes to the baseline.

   e. The VDSFSCAN component will allow a user to add additional viral signatures without the requirement for a formal update from the vendor.

6. Product Disadvantages:

   a. While VDS PRO should be devoid of false negatives for the identification of a change to a file, change in itself does not always imply that a viral infection has occurred. For example, a change to a baseline may only reflect non-malicious self-modification, recompilation, or intentional user update to a fingerprint. Consequently a knowledgeable user, perhaps a support staff for a large organization, may be necessary to resolve alarm messages.

   b. The documentation included with the evaluation copy might overwhelm a novice user. Conversely, many expert users may demand detailed information on the procedures and algorithm utilized to generate the VDS device driver and the baseline fingerprint.

7. Comments: The National Institute of Standards and Technology, Computer Security Division, has issued Special Publication 800-5, "A Guide to the Selection of Anti-Virus Tools and Techniques", December 2, 1992. The publication is available for anonymous ftp from the NIST host 129.5.54.11 in the path /pub/nistpubs. One may also call Ms. Dianne Ware, NIST, at 301-975-2821 for one free copy.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

FOR FURTHER REFERENCE:

   PRODUCT TEST NUMBER   PRODUCT
   PT-3                  VIRUSCAN
   PT-7                  CHKSUM
   PT-8                  FILETEST
   PT-11                 AVSEARCH, 2.24
   PT-12                 VIRUCIDE
   PT-17                 F-PROT
   PT-23                 VIREX-PC
   PT-24                 VIRUSAFE
   PT-25                 DR. SOLOMON'S TOOLKIT
   PT-28                 NORTON ANTIVIRUS
   PT-31                 DATA PHYSICIAN PLUS! (VirHunt)
   PT-34                 IBM ANTI-VIRUS (MS-DOS & OS/2)
   PT-36                 CENTRAL POINT ANTI-VIRUS
   PT-39                 THUNDERBYTE SCANNER
   PT-40                 ALLSAFE
   PT-41                 VIRX
   PT-45                 VIRUS PREVENTION PLUS
   PT-48                 VIRUSCURE+
   PT-51                 PC-RX
   PT-52                 VIRUSCLEAN
   PT-55                 GOBBLER-II
   PT-58                 VIRUS BUSTER
   PT-59                 IBM ANTIVIRUS/DOS
   PT-60                 VIRUS TERMINATOR
   PT-64 (in process)    STOPLIGHT
   PT-65 (in process)    F-PROT PROFESSIONAL
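The baseline-and-verify scheme described in sections 4.e through 4.g, as an added example in Python that is not code from VDS PRO or its developer: it fingerprints executables by size, date/time and a content hash (SHA-256 stands in for the VDS signature, whose algorithm the documentation does not disclose), reports changed, deleted and added files, and lets an operator accept a non-malicious change by refreshing a single fingerprint, the resolution step section 6.a calls for. The executable-extension list, file names and sample file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".com", ".sys", ".ovl"}  # DOS executables covered (constructed list)

def fingerprint(path: Path) -> dict:
    """Size, date/time and content hash; SHA-256 stands in for the undisclosed VDS signature."""
    st = path.stat()
    return {"size": st.st_size, "mtime": int(st.st_mtime),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}

def build_baseline(root: Path) -> dict:
    """Fingerprint every executable under root, keyed by path relative to root."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES}

def verify(root: Path, db: dict) -> dict:
    """Report executables changed, deleted or added since the baseline was taken."""
    now = build_baseline(root)  # a restored size/timestamp still differs in its hash
    return {"changed": sorted(n for n in db if n in now and now[n] != db[n]),
            "deleted": sorted(n for n in db if n not in now),
            "added": sorted(n for n in now if n not in db)}

def accept(root: Path, db: dict, name: str) -> dict:
    """Operator judges a reported change non-malicious: refresh (or drop) that one entry."""
    db = dict(db)
    if (root / name).is_file():
        db[name] = fingerprint(root / name)
    else:
        db.pop(name, None)  # accepting a deletion removes the stale entry
    return db

def demo() -> tuple:
    """Constructed scenario mirroring section 4.g: alter, delete and add executables."""
    root = Path(tempfile.mkdtemp())
    (root / "util").mkdir()
    (root / "command.com").write_bytes(b"MZ-COMMAND")
    (root / "util/edit.exe").write_bytes(b"MZ-EDIT")
    db = build_baseline(root)
    target = root / "command.com"  # alter in place: same size, same timestamp, new bytes
    mtime = target.stat().st_mtime
    target.write_bytes(b"MZ-COMMANE")
    os.utime(target, (mtime, mtime))
    (root / "util/edit.exe").unlink()
    (root / "newprog.exe").write_bytes(b"MZ-NEW")
    first = verify(root, db)  # all three events reported
    db = accept(root, accept(root, db, "command.com"), "util/edit.exe")
    return first, verify(root, db)  # only the new file is still flagged
```

The altered file keeps its original size and timestamp, so a checker that compared only name, size, date and time would miss it; the content hash is what makes the change visible.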