From: Chris McDonald STEWS-IM-CM-S (10/4/93)
To: orvis@icdc.llnl.gov
Subject: Product Test PT-69, VI-SPY

*******************************************************************************
PT-69                                                           September 1993
*******************************************************************************

1. Product Description:

VI-SPY is a comprehensive virus protection program for the MS-DOS environment. It provides detection and disinfection services, integrity checking, and memory-resident protection modules. This product test addresses version 11.06.93.

2. Product Acquisition:

VI-SPY is available from RG Software Systems, Inc., 6900 East Camelback Road, Suite 630, Scottsdale, AZ 85251. The telephone number is (602) 423-8000; the FAX number is (602) 423-8389. The cost for a single copy is $149.95, which includes updates and support for a year. Site licenses are available.

3. Product Tester:

Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM, DSN 258-7548, DDN cmcdonal@wsmr-emh34.army.mil.

4. Product Test:

a. I obtained an evaluation copy directly from RG Software in July 1993. Testing occurred from July 25 through September 19, 1993 on various 386 platforms running MS-DOS 5.0. Program documentation states that the program is MS-DOS 6.0 compliant, and will support Windows operations as well as LAN servers.

b. The evaluation copy contained two write-protected VI-SPY system disks, one 3 1/2" and one 5 1/4"; a forty-five page "Guide to Operations"; a one-page Super Fast Start card; and a copy of "Computer Virus Primer and Troubleshooting Guide". The "Guide to Operations" had a date of June 2, 1992 and addressed version 9.0. However, there was an insert, dated March 22, 1993, which specifically addressed what was new in version 11.0 and in version 10.0.

c. Installation was quick and conformed to the documentation description.
As is the case for most competent anti-virus tools, VI-SPY completes a scanning operation of the hard drive before the installation of any programs. There is an option to modify the AUTOEXEC.BAT file to schedule a full system scanning check on the first boot of each day and then to invoke VI-SPY's memory-resident protection program.

d. One can choose to initiate a scanning operation either from the command line or from a menu. The options under both are extensive, although one does have greater flexibility in the command line invocation. The major programs on the VI-SPY system disk include:

   (1) VI-SPY.EXE    The primary virus detection program.

   (2) VSREM.OVR     An overlay module used by VI-SPY.EXE to remove viruses from infected programs.

   (3) RVS.EXE       A memory-resident program which (a) automatically checks diskette boot sectors for viruses upon the first access to the diskette; (b) checks programs upon load and on execution; (c) checks program files which move anywhere on the system (i.e., copy, unzip, download, etc.); (d) reports when a program becomes resident after execution; (e) reports if a program changes size after execution; and (f) intercepts a "warm boot" to require user action to continue the boot process if a diskette is active in drive A.

   (4) RVSCDF.EXE    Another version of RVS.EXE which utilizes the change detection facility available at version 10.0.

   (5) VSRECOVR.EXE  A utility to recover a hard disk from a partition table or boot sector virus infection, with optional repair of the File Allocation Table (FAT).

   (6) INSTALL.EXE   The program used to install VI-SPY.

   (7) AUTOVS.EXE    A utility to schedule the running of VI-SPY during the boot process.

   (8) VISPYVIM.DAT  The signature file used by VI-SPY.EXE and by RVS.EXE.

   (9) VSMENU.EXE    The program provides a menu to run VI-SPY.

   (10) MAKEDISK.BAT The batch file used to make a "working copy" of the VI-SPY system on a diskette.

   (11) VSPRODOC.BAT The batch file used to print the documentation files.

e. While I do not have code for every malicious program which VI-SPY claims to detect, I did test its detection capabilities against a suite of 630 malicious samples. The test suite included 75% to 85% of the common or "in the wild" viruses, based upon survey information provided by the National Computer Security Association, "Virus Bulletin" and other comparable reporting mechanisms. The suite also included samples of the Virus Creation Laboratory (VCL), the Mutation Engine (MtE), and the TridenT Polymorphic Engine (TPE).

f. VI-SPY identified 100% of the common or "in the wild" samples and identified what it claimed it could against the remaining. It had no problem in identifying VCL and MtE samples. It did not claim to identify TPE creations, and in fact did not alarm for those in the suite. Discussion with vendor personnel confirmed that TPE detection is a future objective.

g. The January 1993 edition of "Virus Bulletin" tested version 10.0 with impressive results against the publication's "in the wild", "standard", and "enlarged" test sets. There was a problem noted in the detection of Mutation Engine-encrypted files. Discussion with vendor personnel confirmed that version 11.0 has corrected the difficulty.

h. I tested all of the VSMENU options as well as all command line formats. VI-SPY offers three levels of file scanning:

   (1) Maximum: Scans every byte of all files for all viruses.

   (2) Intense: Scans every byte of .bin, .com, .dll, .exe, .ov?, .sys files for all viruses.

   (3) Optimal: Scans for all appropriate viruses in .bin, .com, .exe, .sys files. (This is the default.)

The program similarly offers three levels of report creation: verbose, quiet and background. One may capture report information on a screen, printer, or file. Testing confirmed that the options functioned as documented.

i. RVS.EXE testing focused on 15 "in the wild" file infectors and six "common" boot sector infectors.
Tests against the modified test suite confirmed that RVS.EXE performed as documented. One should be aware that RVS.EXE performs two distinct operations as a memory-resident program: (1) it scans for known virus signatures; and (2) it looks for suspicious activity (i.e., a change in program size after execution and a program becoming memory-resident). While it does not block or prevent "suspicious" activity, it does provide another layer of protection.

The September 1993 edition of "Virus Bulletin" conducted more exhaustive tests of six memory-resident anti-viral protection programs, to include RVS.EXE. The following is a summary statement of those tests:

   "With the exception of VI-SPY, in every single case, the memory-resident scanners were incapable of detecting viruses which were clearly known to the product developers, most of whom did not point this out in their manuals. Vi-SPY is the only product to come through this test unscathed, and is thoroughly recommended."

j. I conducted limited testing of RVSCDF.EXE. If one utilizes the change detection facility of VI-SPY to create a so-called "CDF database", then RVSCDF can prevent a modified file registered within the database from executing whenever the file appears modified. The program appeared to function as documented. However, since the evaluation of an integrity checker is not an easy task, readers should be cautioned as to the conclusions which one may infer from these preliminary results.

5. Product Advantages:

a. VI-SPY appears to be an effective anti-viral tool with a host of features for every category of user.

b. With so many products in the MS-DOS marketplace, VI-SPY offers some attractive options: (1) its virus naming convention follows the "Virus Bulletin" conventions; (2) when it identifies a virus signature, it will oftentimes provide known aliases; (3) it has a MAKEDISK.BAT file to easily create a "working copy" of VI-SPY on a diskette; (4) it has an option to allow a user to display a "map of memory" as it is checked; and (5) its VSRECOVR.EXE program for repair of boot sector and partition table infections is extremely easy to use.

c. The program development over the last several years has been consistent in the addition of new capabilities and enhanced protection.

d. The "Computer Virus Primer and Troubleshooting Guide" offers great technical advice for any category of user. It is the best document that I have seen available from a commercial vendor in the MS-DOS anti-viral marketplace.

6. Product Disadvantages:

Documentation on the change detection facility is vague on the specific mechanisms by which the program creates the "CDF database". There is a direct suggestion on the part of the National Institute of Standards and Technology that one should have an understanding of the specific algorithm or procedure in effect for an integrity checking program. Discussion with vendor personnel determined their position is that "too much disclosure of detailed information aids the computer virus authors".

7. Comments:

It seems reasonable that one would stockpile at least two virus protection programs to ensure continuity of operations in the event one program source either terminated support or was no longer available. Two programs also give one a better opportunity to confirm an infection and to eliminate the possibility of a false alarm. The acquisition and use of viral detection programs requires some thought.
Interested readers may consult the Proceedings of the National Computer Security Association's 2nd International Virus Prevention Conference & Exhibition, February 1993, for several papers on the subject, to include one entitled "Selecting an Anti-Virus Product". The National Institute of Standards and Technology has issued Special Publication 800-5, "A Guide to the Selection of Anti-Virus Tools and Techniques", December 2, 1992. The publication is available for anonymous ftp from the NIST host 129.6.54.11 in the path /pub/nistpubs. One may also call Ms. Dianne Ware, NIST, at 301-975-2821 for one free copy.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER   PRODUCT
PT-3                  VIRUSCAN
PT-4                  DATA PHYSICIAN
PT-6                  VCHECK
PT-7                  CHKSUM
PT-8                  FILETEST
PT-11                 AVSEARCH
PT-12                 VIRUCIDE
PT-17                 F-PROT
PT-23                 VIREX-PC
PT-24                 VIRUSAFE
PT-25                 DR. SOLOMON'S TOOLKIT
PT-27                 FLU-SHOT+
PT-28                 NORTON ANTIVIRUS
PT-31                 DATA PHYSICIAN PLUS! (VirHunt)
PT-34                 IBM ANTI-VIRUS
PT-36                 CENTRAL POINT ANTI-VIRUS
PT-39                 THUNDERBYTE SCANNER
PT-40                 ALLSAFE
PT-41                 VIRx
PT-43                 SEER
PT-45                 VIRUS PREVENTION PLUS
PT-48                 VIRUSCURE+
PT-51                 PC-RX
PT-52                 VIRUSCLEAN
PT-55                 GOBBLER-II
PT-58                 VIRUS BUSTER
PT-59                 IBM ANTIVIRUS/DOS
PT-60                 VIRUS TERMINATOR
PT-61                 VDS PRO
PT-64                 STOPLIGHT
PT-65                 F-PROT PROFESSIONAL
PT-70                 ProTec

------------------ RFC822 Header Follows ------------------
Received: by internetqm.llnl.gov with SMTP; 4 Oct 1993 12:01:55 -0800
Return-path: cmcdonal@wsmr-emh34.army.MIL
Received: from icdc.llnl.gov by icdc.llnl.gov (PMDF #3384) id <01H3PPN72Z9CAW5VTT@icdc.llnl.gov>; Mon, 4 Oct 1993 12:01:36 PDT
Received: from pierce.llnl.gov by icdc.llnl.gov (PMDF #3384) id <01H3PPM3G1O0AW5VRW@icdc.llnl.gov>; Mon, 4 Oct 1993 12:00:48 PDT
Received: by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92) id AA01812; Mon, 4 Oct 93 12:01:35 PDT
Received: from wsmr-emh34.army.mil by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92) id AA01803; Mon, 4 Oct 93 12:01:20 PDT
Date: 04 Oct 1993 12:42:47 -0600 (MDT)
From: Chris McDonald STEWS-IM-CM-S
Subject: Product Test PT-69, VI-SPY, version 11.0
Resent-to: BILL_ORVIS@QUICKMAIL.llnl.GOV
To: orvis@icdc.llnl.gov
Resent-message-id: <01H3PPN76QAQAW5VTT@icdc.llnl.gov>
Message-id: <9310041901.AA01803@pierce.llnl.gov>
X-Envelope-to: BILL_ORVIS@QUICKMAIL.llnl.gov
X-VMS-To: IN%"orvis@icdc.llnl.gov"
Content-transfer-encoding: 7BIT
[To]: cmcdonal@wsmr-emh34.army.mil
[Cc]: krvw@agarne.ims.disa.mil
Apparently-To: orvis@icdc.llnl.gov
======================================================================
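Editor's added example (not part of the product test above, and not RG Software's code): sections 4.j and 6 describe a change detection facility whose "CDF database" lets RVSCDF block a registered file that appears modified, while noting the vendor does not disclose how the database is built. The block below shows one way such an execute-time integrity check can work so a reader can see what the undisclosed mechanism has to do. It is an illustration in Python rather than MS-DOS, and its design choices are assumptions: each registered file is recorded by size plus an HMAC-SHA256 tag under a key that the protected host cannot read, so an infector that alters a file cannot regenerate a matching entry; a file not in the database is reported rather than silently allowed; and the sample programs are constructed in a temporary directory.

```python
"""Execute-time change detection over a registry of program files.

Added illustration only. It is not the CDF database algorithm used by
VI-SPY/RVSCDF, which the reviewed documentation does not disclose.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def _file_tag(path, key):
    """Return (size, HMAC-SHA256 hex tag) for the file's current contents."""
    data = Path(path).read_bytes()
    return len(data), hmac.new(key, data, hashlib.sha256).hexdigest()


def build_database(paths, key):
    """Register each program file: the baseline the guard compares against.

    Assumption: the database is built on a known-clean system (the review
    notes VI-SPY scans the disk before installing anything, for this reason).
    """
    db = {}
    for p in paths:
        size, tag = _file_tag(p, key)
        db[str(p)] = {"size": size, "tag": tag}
    return db


def check_before_execute(path, db, key):
    """Decide whether a program may run: 'allowed', 'blocked' or 'unregistered'.

    The size check alone would miss an infector that overwrites bytes in
    place, so the keyed tag over the whole file is the real decision.
    compare_digest avoids leaking the tag through timing differences.
    """
    entry = db.get(str(path))
    if entry is None:
        return "unregistered"          # policy choice: report, do not guess
    size, tag = _file_tag(path, key)
    if size != entry["size"] or not hmac.compare_digest(tag, entry["tag"]):
        return "blocked"
    return "allowed"


def demo():
    """Constructed scenario: register two programs, then tamper with one twice."""
    # Assumption: key lives off the protected host (write-protected media),
    # otherwise an attacker could rebuild the database to match the infection.
    key = b"example-key-kept-off-the-protected-host"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        editor = root / "EDIT.COM"
        editor.write_bytes(b"\xb4\x4c\xcd\x21")            # mov ah,4Ch / int 21h
        game = root / "GAME.EXE"
        game.write_bytes(b"MZ" + b"\x00" * 62)             # constructed stub header

        db = build_database([editor, game], key)
        clean = check_before_execute(game, db, key)

        # Appending infector: file grows, both size and tag change.
        game.write_bytes(game.read_bytes() + b"\xe9\x00\x00")
        appended = check_before_execute(game, db, key)

        # Overwriting infector: same length, only the tag catches it.
        game.write_bytes(b"MZ" + b"\x90" * 62)
        overwritten = check_before_execute(game, db, key)

        unknown = check_before_execute(root / "NEW.COM", db, key)
        return clean, appended, overwritten, unknown


if __name__ == "__main__":
    print(demo())
```

The third case is the one the review's "change in program size" heuristic (section 4.i) cannot see on its own, which is why a database of content tags adds a layer the resident scanner lacks; the open question raised in section 6, how the real product derives its entries and protects them, is exactly what NIST SP 800-5 asks a buyer to understand before trusting such a check.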