From: Chris McDonald (8/26/93)
To: virreviews:;@WSMR-SIMTEL20.ARMY.MIL
Subject: Product Test PT-71, MacRx

*******************************************************************************
PT-71                                                              August 1993
*******************************************************************************

1. Product Description:

MacRx is a commercial program that detects known viruses on the Macintosh. This product test addresses version 1.0.

2. Product Acquisition:

The product is available from Trend Micro Devices, Inc., 2421 West 205th Street, Suite D-100, Torrance, CA 90501. The telephone number is (310) 782-8190; the fax number is (310) 328-5892. The vendor offers site license arrangements and bundles MacRx with another of its products called SafeLock (reference PT-66). The cost of this bundled package is $49.00 plus shipping.

3. Product Tester:

Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5506, DSN 258-7548, DDN cmcdonal@wsmr-emh34.army.mil.

4. Product Test:

a. I obtained a copy of MacRx bundled with SafeLock directly from Trend Micro Devices Incorporated in late March 1993. Although the program was shipped in March 1993, its creation date from the "Get Info" selection in the Apple menu was July 1992. A backlog of test reports prevented an actual test of MacRx until August 1993. While it was my original intention to update my copy so as to test its detection capabilities against the most recent Macintosh viruses, I decided to run the test against my virus test suite but to omit those virus samples identified after July 1992 (i.e., the INIT-17 of April 1993, the INIT-M of April 1993 and the T4-C of February 1993).

b. The revised test suite included: Scores, nVir (A & B), INIT 29, Anti (A & B), MacMag, WDEF (A & B), Zuc (A, B & C), MDEF (A, B, C & D), Frankie, MBDF (A & B), MDEF (A, B, C & D), INIT 1984, Code 252 and T4 (A & B). The program does not claim to identify any known Macintosh trojan horses.

c. I installed the program on a Mac IIcx running System 7.0. Program documentation states that MacRx will run on System 6 (minimum 1 MB memory) and on System 7 (minimum 2 MB memory). The program requires 256K of free memory for execution.

d. One installs the program by copying the MacRx application file and the MacRx virus pattern file onto the hard disk. One then double-clicks on the MacRx icon to open the main menu. This menu offers three buttons: Scan, Stop and Quit. Above the buttons are status lines which report on each viral scanning operation. The lines include:

   (1) Currently Scanning Folder
   (2) Currently Scanning File
   (3) No. of Files Scanned
   (4) No. of Infected Files
   (5) Current Action

e. When one selects the Scan button, a Standard File Dialog Box opens, from which one may select any object to scan. There is also the option to create a report of the scanning operation.

f. The test results against actual viral samples were surprising. MacRx did not identify these viruses: CDEF, WDEF-A, WDEF-B, INIT 1984 and Code 252. Program documentation indicated that these viruses should have been detected. The program failed to detect all of the T4 samples. But it is my belief that the copy of the program shipped, notwithstanding its date of creation, had not been updated to identify T4. Therefore, I simply deleted T4 samples from the overall evaluation.

g. I repeated the scanning operations against the test suite three times with identical results. As a quality control measure, I ran three other anti-viral programs against the same test suite. These programs were SAM, VIRUSDETECTIVE, and VIREX. All these programs alarmed against those samples which MacRx did not identify as infected.

h. The scanning reports captured the number of files scanned during an operation and identified those files infected. The reports indicated that MacRx is generic in its identification of a viral infection. For example, all variations of MDEF (A through D) appeared as "MDEF" infections, and all variations of Zuc (A through C) appeared as "ZUC" infections. The reports did not capture the date or time of infection.

5. Product Advantages:

My initial thought in acquiring the program was the attractiveness of bundling access control and anti-viral protection at a reasonable price. Testing of the anti-viral component has admittedly diminished my enthusiasm.

6. Product Disadvantages:

a. A detection program must reliably detect what it claims to detect. MacRx did not meet that standard during my tests.

b. The program cannot repair infections. A user must delete any infected file, which is a significant limitation.

c. The program offers no protection against unknown malicious code, such as detection of suspicious activity or file integrity checking.

d. The program documentation has an unnecessary number of misspelled words, questionable grammar, and debatable claims. In the latter category I offer this quote from page 2-3 in the Users Manual: "This brings us to MacRx's limitations: Trend does not guarantee that MacRx will be able to detect every virus that ever comes around. All we can say is this: at the time you bought it, it could detect all known viruses in the wild."

7. Comments:

An intelligent strategy would be to have at least two separate programs available for use within an enterprise for defense against malicious programs. The flexibility of dual products can provide both financial and technical advantages. It also provides protection in the event one program, for whatever reason, ceases to be available.

There are many issues in the acquisition and use of viral detection tools. Interested readers may consult the Proceedings of the National Computer Security Association's 2nd International Virus Prevention Conference & Exhibition, February 1993, for several papers on the subject, including one entitled "Selecting an Anti-Virus Product".
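The cross-check used as a quality control measure in section 4g, and the dual-product strategy recommended above, amount to comparing verdicts from several scanners over one test suite. The script below, an added example that is not part of the original report, builds a verdict table from the results stated in sections 4f and 4g (names are the report's; the table and function names are constructed) and flags samples one scanner missed while every other scanner caught them, also collapsing variant names into the generic family names MacRx's reports print:

```python
from collections import defaultdict

# Test suite after the author's cuts (T4 removed); variant names follow
# the report. Constructed list, not a file shipped with MacRx.
SUITE = ["Scores", "nVir-A", "nVir-B", "INIT 29", "Anti-A", "Anti-B",
         "MacMag", "WDEF-A", "WDEF-B", "Zuc-A", "Zuc-B", "Zuc-C",
         "MDEF-A", "MDEF-B", "MDEF-C", "MDEF-D", "Frankie", "MBDF-A",
         "MBDF-B", "CDEF", "INIT 1984", "Code 252"]

# Constructed verdicts: scanner -> set of samples it flagged as infected.
# MacRx's five misses are those named in section 4f; the three other
# scanners alarmed on every one of them (section 4g).
MACRX_MISSES = {"CDEF", "WDEF-A", "WDEF-B", "INIT 1984", "Code 252"}
VERDICTS = {
    "MacRx": set(SUITE) - MACRX_MISSES,
    "SAM": set(SUITE),
    "VirusDetective": set(SUITE),
    "Virex": set(SUITE),
}

def family(sample):
    """Collapse a variant name to the family a generic report prints:
    'MDEF-A' -> 'MDEF', 'Zuc-C' -> 'ZUC', 'INIT 1984' -> 'INIT 1984'."""
    return sample.split("-")[0].upper()

def detection_gaps(verdicts, suite):
    """Samples each scanner missed that every other scanner flagged.
    Returns {scanner: sorted samples}. A miss shared by all scanners is
    not reported: it may be a bad sample rather than a bad scanner."""
    gaps = {}
    for name, flagged in verdicts.items():
        others = [v for n, v in verdicts.items() if n != name]
        missed = [s for s in suite
                  if s not in flagged and all(s in o for o in others)]
        if missed:
            gaps[name] = sorted(missed)
    return gaps

def family_coverage(verdicts, suite):
    """Per family: (variants flagged, variants in suite) for each scanner.
    Needed because a generic 'MDEF' verdict hides which variants were seen."""
    total = defaultdict(int)
    for s in suite:
        total[family(s)] += 1
    return {name: {fam: (sum(1 for s in flagged if family(s) == fam), n)
                   for fam, n in total.items()}
            for name, flagged in verdicts.items()}

if __name__ == "__main__":
    for scanner, missed in detection_gaps(VERDICTS, SUITE).items():
        print(f"{scanner} missed (others caught): {', '.join(missed)}")
```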
The National Institute of Standards and Technology, Computer Security Division, has issued Special Publication 800-5, "A Guide to the Selection of Anti-Virus Tools and Techniques", December 2, 1992. The publication is available for anonymous ftp from the NIST host 129.5.54.11 in the path /pub/nistpubs. One may also call Ms. Dianne Ware, NIST, at 301-975-2821 for one free copy.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

FOR FURTHER REFERENCE:

PRODUCT TEST NUMBER    PRODUCT
PT-9                   DISINFECTANT
PT-10                  VIREX
PT-20                  SYMANTEC ANTIVIRUS FOR MACINTOSH
PT-30                  VIRUSDETECTIVE
PT-32                  MACTOOLS
PT-44                  RIVAL
PT-46                  CITADEL
PT-53                  GATEKEEPER