From: rslade@sfu.ca
Subject: Review of F-prot (PC)
Date: Mon, 9 Nov 92 23:43:55 PST

PCFPROT.RVW 921107

Antiviral Protection Comparison Review

Company and product:

Fridrik Skulason
Frisk Software International
Postholf 7180
IS-127 Reykjavik
Iceland
+354-1-694749
fax: +354-1-28801
frisk@complex.is
F-PROT 2.xx
Virus detection/protection/disinfection

Summary:

Highly recommended for any situation. Best "value for cost" of any package reviewed to date.

Cost: free for non-commercial personal use, Site license $1(US) per computer (minimum $20), 25% educational discount

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      3
            Ease of use       4
            Help systems      3
      Compatibility           3
      Company
            Stability         3
            Support           3
      Documentation           3
      Hardware required       4
      Performance             4
      Availability            3
      Local Support           ?

General Description:

Scanning, resident scanning and disinfection capabilities. The informational utilities present in the earlier (1.xx) versions have been replaced by heuristic analysis scanning. Change detection and operation restricting utilities have been removed and not replaced.

Comparison of features and specifications

User Friendliness

Installation

Installation is now added as a feature in the main program. Manual installation is still an option, and is likely the one most used by those familiar with the program. Since the program is shareware, and since installation is little more than copying of files, unless VIRSTOP is installed, it is unlikely to present any problems.

In the automated installation, VIRSTOP is installed to be invoked from AUTOEXEC.BAT. Those wishing to invoke it from CONFIG.SYS must do the installation manually.

Ease of use

Except for resident scanning, F-PROT is now invoked from a single program. The user, by default, is presented with a graphical interface, but command line switches are an option for those wanting more speed, or a standard invocation for a large group of users.
There is no "help" key, but the options are fairly simple, and explained in text boxes where necessary.

Help systems

There is no help per se, although a listing of command line switches is available.

Compatibility

F-PROT consistently maintains the highest ratings in all independent tests of scanning of known viral programs, including my own. In terms of disinfection capability, only Alan Solomon's Anti-Virus Toolkit has similar ratings.

Because of an external language file, F-PROT is available in at least six languages, and can be readily translated into others.

Sporadically, F-PROT will fail to scan large drives which are divided into multiple partitions. This problem is fairly rare. It has been addressed, but it is unknown as to the success in all situations.

There have been ongoing reports of problems installing the VIRSTOP resident program under MS-DOS 5.0. Moving VIRSTOP in the boot sequence, particularly with respect to memory managers, generally is successful in alleviating the problem.

The heuristic analysis portion of the program occasionally generates a "false positive" alert about a program that is not, in fact, infected. This is to be expected from this type of scanning, and the incidence is much reduced from when this function was first included with the program. The heuristic analysis feature has been generally effective in identifying new and "unknown" viral strains, but is not perfect. (Perfection is, of course, inherently unattainable in this type of program.) Indeed, the documentation for this feature states that it is still to be considered experimental, and is very conservative in its claims. Programs known to cause false positives are listed.

F-PROT may be run under Windows, but is not a Windows program. This is planned to be addressed in future, as are improvements for VIRSTOP to make it run with Windows, and to check files as they are copied, to check floppy disks as accessed, and to use EMS memory.

Company Stability

Fridrik Skulason has left the university, and is concentrating full time on the research and development of this product. His company now employs four staff in addition to himself. F-PROT is being included in commercial programs, and a commercial version of F-PROT will be announced shortly. frisk has, however, committed to continuing to support the shareware version.

Company Support

Fridrik Skulason is available through the Internet, and replies to queries can be expected within a week or less. Recently the program has become much more popular with the general public, and numerous people have requested his Fidonet address. Unfortunately, frisk is not active on either Fidonet or VirNet.

Documentation

Being shareware, the package has no printed documentation. The text files included with the programs are very clear and thorough, and provide an excellent primer on virus functions and protection, as it relates to scanning and disinfection. The large single USAGE.TXT file has been broken into smaller "chapter" files, which allows for quicker access to a particular function or feature.

As some of the other virus detection and prevention capabilities have been dropped from the package, so the very excellent discussions of the different types of antiviral software, and their strengths and weaknesses, have been dropped from the documentation. It is recommended that interested parties obtain old (1.xx) versions of F-PROT for this material.

The virus information files previously contained in separate text files have been included as a virus information feature within the main program.

Hardware Requirements

No special hardware is required.

Performance

During testing, FPROT has consistently identified more viri than the "current release" of any other product. FPROT is generally slower at scanning because of the multiple signatures being used to check for each virus, but is not the slowest scanner tested.

The user is in control of FPROT at all times, with the exception that VIRSTOP will not allow the boot sequence to continue in the case of a boot sector infection at startup. FPROT, in two years of my testing, has not given a false positive alarm on any normal program, nor has it interfered with any normal program operation.

The various functions and utilities that have been dropped from the 2.xx version programs still have significant value. Serious virus researchers and consultants would do well to obtain copies of older (1.xx) versions. These have been retained, and are available, at better antiviral source sites.

Local Support

Since FPROT is shareware, there are no local dealers to obtain support from. FPROT has fewer users in North America than SCAN, and so local help may be harder to obtain, but the documentation should make up any deficiencies. For users in Europe, FPROT is available in places as a commercially distributed product.

Support Requirements

Very little support should be needed for this program. On occasion assistance may be needed in disinfection, or in positively identifying a new viral strain, but no product tested deals with this situation better than F-PROT.

General Notes

Because of its "shareware" distribution, FPROT is best compared against John McAfee's SCAN program. F-PROT is kept up to date with regular additions to the signature file, and constant improvements to the program. SCAN versions are released at approximately the same frequency as FPROT, but in two and a half years FPROT releases consistently identified more viri, and with greater accuracy than did the "same level" releases of SCAN. SCAN also needs to release far more "bug fix" versions than does F-PROT. Fridrik Skulason publishes fewer signatures of new viri on the VIRUS-L (Usenet comp.virus) distribution lists than he used to, but some others are supplying appropriate signature strings in his format.

F-PROT is significantly cheaper than the SCAN suite as well, and is complete in one package, although the SCAN suite in total now offers some edge in utility.

I am personally sorry to see that the former utilities are not included in the current package. However, it is unarguably simpler for novice users to install and use the newer package, free from the confusion of the multiplicity of files contained in the previous version.

copyright Robert M. Slade, 1990, 1992   PCFPROT.RVW 921107

==============
Vancouver      ROBERTS@decus.ca         | "If you do buy a
Institute for  Robert_Slade@sfu.ca      |  computer, don't
Research into  rslade@cue.bc.ca         |  turn it on."
User           p1@CyberStore.ca         | Richards' 2nd Law
Security       Canada V7K 2G6           | of Data Security