Date: 01 Feb 1994 08:01:53 -0700 (MST)
From: Chris McDonald IM-CM-S
Subject: Revised Product Test, PT-64, F-PROT Professional
To: orvis@icdc.llnl.gov
Content-transfer-encoding: 7BIT
[To]: cmcdonal@wsmr-emh34.army.mil
[Cc]: krvw@agarne.ims.disa.mil
Apparently-To: orvis@icdc.llnl.gov

*******************************************************************************
                       PT-65 Revised February 1994
*******************************************************************************

1. Product Description:

F-PROT Professional is a comprehensive virus protection program for the MS-DOS environment. It provides detection and disinfection services as well as file integrity checking. This product test addresses version 2.10c.

2. Product Acquisition:

F-PROT Professional is a commercial program distributed by Command Software Systems, Inc., 1061 East Indiantown Road, Jupiter, FL 33477. The program author is Fridrik Skulason. Command Software Systems' telephone number is (407) 575-3200. The firm has a BBS at (407) 575-1281 as well as MCI and Internet connections.

3. Product Tester:

Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM, DSN 258-7548, DDN cmcdonal@wsmr-emh34.army.mil.

4. Product Test:

a. F-PROT Professional differs from the shareware version, F-PROT, in that the commercial version adds file integrity checking with two additional programs: CHECK.EXE and CS-TSR.COM. Since I have completed a thorough review of F-PROT, version 2.08a, in Product Test #17, May 1993 (Revised), I will not repeat the entire discussion of F-PROT Professional's virus detection and disinfection characteristics. The following is a synopsis of the major attributes.

(1) Tests have occurred on a variety of 286, 386 and 486 platforms running MS-DOS 3.0 through 5.0. Tests have also occurred on Netware and 10Net configurations.

(2) The virus detection and protection components consist of two programs: F-PROT.EXE and VIRSTOP.EXE.
The former provides a full-menu virus detection and disinfection capability; the latter, a terminate-and-stay-resident (TSR) program, prevents the execution of programs infected with known malicious code and has several option switches.

(3) I tested F-PROT.EXE against a suite of 2,073 malicious programs which included 88% to 94% of the so-called "in the wild" viruses. The percentage varies depending upon whose "in the wild" suite one chooses (i.e., "Virus Bulletin", VSUM by Patricia Hoffman, or FreqList by Joe Wells). The program identified 100% of the "in the wild" samples and overall flagged 2,032 samples as infected and 10 samples as suspicious.

(4) The "Virus Bulletin", January 1994, evaluated the performance of version 2.09f, with equally impressive results against the Bulletin's "in the wild", standard, and Mutation Engine test sets. The program was one of six out of nineteen to have had an accuracy of 100%.

(5) VIRSTOP.EXE testing was confined to 15 "in the wild" file infectors and six "common" boot sector infectors. The program supports these switch options:

(a) /[NO]BOOT   [Do not] check boot sectors when a diskette is accessed.
(b) /[NO]COPY   [Do not] check files when they are accessed/copied.
(c) /DISK       Do not store virus signatures in memory, but read them in from disk when necessary.
(d) /FREEZE     Stop the system when a virus is found.
(e) /NOMEM      Do not perform a memory scan when starting.
(f) /OLD        Do not complain if the program has "expired".
(g) /[NO]WARM   [Do not] check a diskette in drive A: when a user presses Ctrl-Alt-Del.

(6) Tests confirmed that VIRSTOP.EXE performed as documented against the reduced suite of malicious programs. While one might question the use of certain switches, particularly those which disable a protective function, the program author has clearly tried to accommodate various user demands. The author has included a program, F-TEST.COM, to test whether one has installed VIRSTOP.EXE properly.
(7) The "Virus Bulletin", September 1993, contains a comparative review of VIRSTOP.EXE and five other memory-resident components (i.e., AVTK, CPAV, MSAV, VI-SPY and VSHIELD).

b. Integrity checking offers the potential to detect new or unknown malicious code. F-PROT Professional utilizes the program CHECK.EXE to initialize and to maintain a file integrity database. The CS-TSR.COM program is the memory-resident component which verifies a program's integrity before allowing it to execute.

c. Execution of CHECK.EXE results in the appearance of a Main Menu with six options.

(1) Initialize checklist: This creates the file integrity database.
(2) List all files on checklist: This displays a window of all files in the database.
(3) Check/Restore boot sectors and files: This compares the files on a system with those in the integrity database. If a comparison fails, CHECK.EXE will "in most cases" be able to restore the file or boot sector to its original state.
(4) Find new and modified files: This locates new and modified files based upon the drive/paths specified by the user.
(5) Add files to checklist: This adds new files to the database.
(6) Delete files from checklist: This removes files from the database.

d. Testing of the menu options confirmed that all selections performed as documented. When one initializes the file integrity database, there are several nice features. First, one is prompted to answer whether one has executed F-PROT.EXE to ensure that there are no known viruses on the system. If one answers "no", then CHECK.EXE aborts so that one may complete the detection operation. Second, one has the option to password-protect the file integrity database. In theory this would provide increased protection from modification of the database by an individual or by a program. Third, one can choose the number of groups into which the files in the database will be placed.
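The following Python model is an added illustration, not code from the product or from this product test, of the workflow an integrity checker of this kind implements: the six CHECK.EXE menu operations (initialize, list, check, find new/modified, add, delete), the "have you run the scanner first?" question, the password protection of the database, the grouping of files for checking on different days, and the three CS-TSR.COM execution modes (/NOTIFY, /SILENT, /STOP). Because the manual does not say how CHECK.EXE computes its database, SHA-256 file digests and an HMAC "seal" keyed by the password are assumptions of this example, as are the function names and the constructed sample files.

```python
"""Constructed model of the CHECK.EXE / CS-TSR.COM workflow (hypothetical code, not the
product's own). SHA-256 digests and the HMAC seal used for password protection are
assumptions: the manual reviewed here does not say how CHECK.EXE computes its database."""
import hashlib
import hmac

NOTIFY, SILENT, STOP = "notify", "silent", "stop"   # the three CS-TSR.COM modes


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def seal(entries: dict, password) -> str:
    # Keyed hash over the whole checklist: editing the database without the password
    # leaves the seal invalid (constructed equivalent of the product's password option).
    body = "\n".join(f"{p}:{e['hash']}:{e['group']}" for p, e in sorted(entries.items()))
    return hmac.new((password or "").encode(), body.encode(), hashlib.sha256).hexdigest()


def initialize(volume: dict, scanned_clean: bool, groups: int = 1, password=None) -> dict:
    """Menu option 1. `volume` maps path -> file bytes. Files are dealt round-robin
    into `groups` groups so that each group can be checked on a different day."""
    if not scanned_clean:        # the "have you run F-PROT.EXE first?" question
        raise RuntimeError("scan for known viruses before initializing the checklist")
    entries = {p: {"hash": digest(volume[p]), "group": i % groups}
               for i, p in enumerate(sorted(volume))}
    return {"groups": groups, "entries": entries, "seal": seal(entries, password)}


def database_intact(db: dict, password=None) -> bool:
    return hmac.compare_digest(db["seal"], seal(db["entries"], password))


def list_files(db: dict) -> list:                                   # menu option 2
    return sorted(db["entries"])


def check(db: dict, volume: dict, group=None) -> dict:              # menu option 3
    """Compare the files on the volume with the checklist, optionally one group only."""
    result = {"ok": [], "modified": [], "missing": []}
    for path, entry in sorted(db["entries"].items()):
        if group is not None and entry["group"] != group:
            continue
        if path not in volume:
            result["missing"].append(path)
        elif digest(volume[path]) != entry["hash"]:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    return result


def find_new_and_modified(db: dict, volume: dict) -> dict:          # menu option 4
    new = sorted(p for p in volume if p not in db["entries"])
    return {"new": new, "modified": check(db, volume)["modified"]}


def add_files(db: dict, volume: dict, paths, password=None) -> None:   # menu option 5
    for p in sorted(paths):
        db["entries"][p] = {"hash": digest(volume[p]),
                            "group": len(db["entries"]) % db["groups"]}
    db["seal"] = seal(db["entries"], password)


def delete_files(db: dict, paths, password=None) -> None:            # menu option 6
    for p in paths:
        db["entries"].pop(p, None)
    db["seal"] = seal(db["entries"], password)


def may_execute(db: dict, path: str, data: bytes, mode: str, prompt=lambda p: False) -> tuple:
    """CS-TSR.COM-style gate run before a program executes; returns (allowed, reason).
    `prompt` stands in for the /NOTIFY question and defaults to "abort"."""
    entry = db["entries"].get(path)
    if entry is None:
        reason = "not in checklist"
    elif digest(data) != entry["hash"]:
        reason = "modified since checklist"   # the review says this draws a comparable advisory
    else:
        return True, "ok"
    if mode == STOP:
        return False, reason + ": blocked"
    if mode == NOTIFY:
        return prompt(path), reason + ": user asked"
    # /SILENT: how it treats a modified (rather than unknown) program is not stated
    # in the review; this model lets both through without a message (assumption).
    return True, reason + ": allowed silently"


# Constructed sample volume (placeholder bytes, not real DOS binaries).
CLEAN = {"COMMAND.COM": b"MZ clean command", "EDIT.COM": b"MZ editor", "F-PROT.EXE": b"MZ scanner"}


def demo() -> dict:
    db = initialize(CLEAN, scanned_clean=True, groups=2, password="s3cret")
    later = {**CLEAN, "COMMAND.COM": b"MZ clean command + appended code", "GAME.EXE": b"MZ new"}
    del later["EDIT.COM"]                 # one modified, one deleted, one new file
    game = later["GAME.EXE"]
    return {
        "intact": database_intact(db, "s3cret"),
        "wrong_password": database_intact(db, "guess"),
        "check": check(db, later),
        "group0": check(db, later, group=0),
        "scan": find_new_and_modified(db, later),
        "stop": may_execute(db, "GAME.EXE", game, STOP),
        "notify": may_execute(db, "GAME.EXE", game, NOTIFY, prompt=lambda p: True),
        "silent": may_execute(db, "GAME.EXE", game, SILENT),
        "tampered": may_execute(db, "COMMAND.COM", later["COMMAND.COM"], STOP),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the result of `demo()`: the modified COMMAND.COM and the missing EDIT.COM show up under the check, GAME.EXE shows up as new, and the three modes differ only in what they do with a program that is not in the checklist. The `group` argument to `check()` is what a daily job would use to verify one group at a time. Note that none of this distinguishes a legitimate update from a malicious change, which is exactly the Type I alarm source the disadvantages section of this product test points out.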
If one selects a value greater than one, then CHECK.EXE will separate the files into as many groups as one specifies. Each group will then be checked on a different day.

e. The CS-TSR.COM program offers three mutually exclusive options.

(1) /NOTIFY: This option notifies the user when a program about to be executed does not appear in the database. The user has the option to run the program or to abort it.
(2) /SILENT: This option allows a program to run if it was not found in the database. Unlike the /NOTIFY option, the user receives no warning message.
(3) /STOP: This option disallows the execution of any program that does not appear in the database.

f. Testing of the three options in a benign environment confirmed that they performed satisfactorily. Any attempt to execute a program not in the database generated the appropriate warning message for the respective option selected (i.e., /NOTIFY or /STOP). Similarly, any attempt to execute a program in the database which had been modified generated comparable advisories.

5. Product Advantages:

a. F-PROT Professional offers a comprehensive approach to the detection and removal of malicious or suspicious programs.

b. The menu-driven interfaces make it easy for users to install and to use the suite of programs.

c. Readers of VIRUS-L and RISKS FORUM will recognize that the author, Mr. Skulason, is an extremely knowledgeable and articulate viral researcher.

d. "Virus Bulletin" concludes that "F-PROT is an excellent scanner for any anti-virus tool-chest". This reviewer has over three years experience with the program and concurs.

6. Product Disadvantages:

a. Viral scanning programs will at some point generate Type I, or false positive, alarms. F-PROT.EXE has had this happen. Similarly, the program author has acknowledged the existence of "bugs" in certain releases.

b. Experience suggests that the integrity checking components of the program will generate Type I alarms because "change" does not necessarily imply a malicious agent or activity.

c. The heuristic scanning feature can generate 20 different warning messages. The typical user, such as myself, will have to rely on someone with more expertise to actually investigate the code causing the alarm.

d. Although the manual provided with the evaluation copy is adequate for the overwhelming number of users and organizations interested in such a product, it does not give the user any idea as to how CHECK.EXE computes the file integrity database. Therefore, the strengths and weaknesses of the procedure may be indeterminate to some readers.

7. Comments:

It seems reasonable that one would stockpile at least two virus protection programs to ensure continuity of operations in the event one program source either terminated support or was no longer available. Two programs also give one a better opportunity to confirm an infection and to eliminate the possibility of a false alarm.

The heuristic scanning feature represents an innovative approach to malicious code detection. While there are obviously "bugs" in any experimental work, this feature represents the next level of malicious program detection suggested in Catherine Young's paper "A Taxonomy of Computer Virus Defense Mechanisms". In the same vein, integrity checking represents an additional tool to augment conventional viral signature detection techniques.

The acquisition and use of viral detection programs requires some thought. Interested readers may consult the Proceedings of the National Computer Security Association's 2nd International Virus Prevention Conference & Exhibition, February 1993, for several papers on the subject, including one entitled "Selecting an Anti-Virus Product".
The National Institute of Standards and Technology has issued Special Publication 800-5, "A Guide to the Selection of Anti-Virus Tools and Techniques", December 2, 1992. The publication is available for anonymous ftp from the NIST host 129.6.54.11 in the path /pub/nistpubs.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER    PRODUCT
PT-3                   VIRUSCAN
PT-4                   DATA PHYSICIAN
PT-6                   VCHECK
PT-7                   CHKSUM
PT-8                   FILETEST
PT-11                  AVSEARCH
PT-12                  VIRUCIDE
PT-17                  F-PROT
PT-23                  VIREX-PC
PT-24                  VIRUSAFE
PT-25                  DR. SOLOMON'S TOOLKIT
PT-27                  FLU-SHOT+
PT-28                  NORTON ANTIVIRUS
PT-31                  DATA PHYSICIAN PLUS! (VirHunt)
PT-34                  IBM ANTI-VIRUS
PT-36                  CENTRAL POINT ANTI-VIRUS
PT-39                  THUNDERBYTE SCANNER
PT-40                  ALLSAFE
PT-41                  VIRx
PT-45                  VIRUS PREVENTION PLUS
PT-48                  VIRUSCURE+
PT-51                  PC-RX
PT-52                  VIRUSCLEAN
PT-55                  GOBBLER-II
PT-58                  VIRUS BUSTER
PT-59                  IBM ANTIVIRUS/DOS
PT-60                  VIRUS TERMINATOR
PT-61                  VDS PRO
PT-64                  STOPLIGHT
PT-69                  VI-SPY