From: rslade@sfu.ca
Subject: Review of McAfee suite (PC)
Date: Sat, 31 Oct 92 18:27:45 PST

PCSCAN.RVW   921021

Comparison Review

Company and product:

McAfee Associates
3350 Scott Blvd, Bldg 14
Santa Clara, California  95054-3107
USA
Voice (408) 988-3832
FAX (408) 970-9727
BBS (408) 988-4004
CompuServe ID: 76702,1714 or GO MCAFEE
Aryeh Goretsky, Tech Support
mcafee@netcom.com
aryeh@mcafee.com
support@mcafee.com
mcafee.com is IP 192.187.128.1

Viruscan suite of programs: SCAN, CLEAN, VSHIELD, NETSCAN, WSCAN, SENTRY -
virus detection, disinfection and protection, version 97 tested

Summary: A useful and regularly updated set of products with a large user
base. Separate distribution of the programs may be a problem.

Cost: $25 - $35 US per program

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation            2
            Ease of use             3
            Help systems            2
      Compatibility                 2
      Company
            Stability               3
            Support                 3
      Documentation                 2
      Hardware required             4
      Performance                   2
      Availability                  3
      Local Support                 2

General Description:

SCAN is a boot sector, memory and file scanning program, with some
disinfection and change detection capabilities. CLEAN is a disinfection
program. VSHIELD and SENTRY are resident file infection and activity
checking programs. WSCAN contains the SCAN.EXE program, but is primarily
a "front end" for MS Windows 3.x use of SCAN. FSHIELD and VCOPY have been
discontinued and are no longer supported.

Comparison of features and specifications

                         User Friendliness

Installation

SCAN and CLEAN do not require installation as such. All programs, however,
are distributed in .ZIP format and, beginning with version 72, require
PKUNZIP version 1.10 for unpacking with authenticity verification.
(Archives obtained from the Shareware Distribution Network or VirNet may
have the ZIP archive contained within an ARJ envelope as well.)

VSHIELD is distributed in two, mutually exclusive, versions. One version
requires the use of SCAN's /AV or /AG option, which adds an authentication
CRC check onto programs.
A second level of protection is added in one version with file infection
checking for known viri. The programs can also be used to prevent the
running of unauthorized programs. VSHIELD must be installed "manually" by
the user in the AUTOEXEC.BAT file with all desired options and switches.
(Installation utilities are separately available from certain dealers.)

SENTRY is a change detection program which examines boot sectors, system
software and even memory structure. It is distributed as an installation
program, but as any change to the system (including software updates) will
cause alarm warnings, it must be re-installed upon each change. This
program has not been updated since the last review, but is due for a new
release very shortly.

The distribution of SCAN as shareware has led to the "release" of many
"trojan" versions of SCAN recently. McAfee Associates has attempted to deal
with the security problem in two ways: the use of the "authentic
verification" envelope on ZIP archives, and the VALIDATE program produced
by McAfee Associates itself. Unfortunately, both methods have problems. The
"-AV" codes have been "spoofed" by copies of PKZIP which will add a code,
not necessarily that of McAfee Associates. More recently, the security of
the PKZIP "-AV" codes has been broken: it is now possible to duplicate any
code. The VALIDATE code is more secure, but requires knowledge of the
validation code from a "trusted source".

Ease of use

The SCAN program is fairly simple to execute, but provides for a very large
number of options in the form of software "switches". These can complicate
the use of the program, but probably will not be used by most users. The
base scanning function is simple to operate, and novice users will probably
not use any other functions. (The one major exception is the /AV option. If
used on a program that is already "self checking" it will likely cause the
program to terminate, and so must be identified and removed.
The program has therefore added an /AF option which will store the change
detection information to a file rather than appending to the program.)

Use of CLEAN or VSHIELD is complicated by the fact that SCAN must be a part
of the process, but again the basic operation is straightforward.

Help systems

If SCAN is invoked with no specifications, it gives three "screens" of a
listing of the "command line switches". This can also be obtained with the
/?, /H or /HELP switches.

Compatibility

SCAN and the other programs in the suite are updated frequently, and the
latest version should be able to handle almost all viri that a user would
encounter. The addition of the external file option in version 71 is also
a major increase in utility.

Unfortunately, recent versions have seen a major decrease in the accuracy
of virus identification. A number of scan strings have become "generic",
and will identify a number of viral strains. Some of these have been so
identified; a number still report the name of a specific virus regardless
of the actual strain found. Along with this, there has been a corresponding
decline in the ability of CLEAN to disinfect programs and disks.

                         Company

Stability

McAfee Associates has been producing versions of SCAN for a number of
years, updating on a frequent but somewhat irregular basis. SCAN is
probably the most widely used virus scanner in North America at present.
The company has recently "gone public" in order to expand into the
shareware utilities market, and is buying programs from other shareware
authors. Recent versions have been subject to a number of "bug fix"
releases.

Support

McAfee Associates lists their address and phone number in all
documentation, and supports the Homebase BBS. In recent years, Aryeh
Goretsky has become an active participant in the Virus-L/comp.virus group.
However, the company still has no "presence" in the Fidonet virus related
"echoes".
Some people were unaware that the Computer Virus Help Forum on CompuServe
was actually run by McAfee Associates; it has now been renamed the McAfee
Virus Help Forum.

Documentation

The directions for use of the programs are restricted to listings of the
"command line switches". They are clear in all cases, if somewhat concise.
Novice users will find little conceptual information about viri, or
specific information about the various viri that SCAN will deal with. A
list of viral programs, VIRLIST.TXT, is included in the archive, but
sometimes is not updated for a number of releases. The information in this
file is not generally regarded as highly accurate.

The documentation, while not quite alarmist, certainly strongly suggests
that the user, if any virus is ever found, should "retain" the services of
McAfee Associates or an "authorized Agent". Also, outside sources (such as
the Hoffman virus list) often state that viri can be dealt with by, for
example, using the "SCAN /D" option, without warning that this merely
deletes and overwrites the existing file.

Hardware Requirements

No special hardware is required. The SCAN program itself will not work with
local area networks, but a NETSCAN program is available (again as a
separate package which must be separately obtained). A new NETSHIELD
program, which works as a NetWare Loadable Module, is also available. Note
that NETSHIELD does not conform to the same numbering sequence as the other
programs.

Performance

SCAN now ranks as one of the slower scanners reviewed. Note also the loss
of some accuracy in identifying individual viral strains.

Note that CLEAN has come under increasing criticism for its performance in
removing infections, particularly in the area of BSI (boot sector
infector) and MBR viral strains. Versions of CLEAN tested (and the earlier
MDISK) have, in my own experience, occasionally left the computer or disk
in a worse state than the virus.
The SCAN/CLEAN combination is now stated to have "generic" disinfection
capabilities if the "/AG" setting is used first. Tests with a simple COM
appender, which Data Physician and Untouchable successfully removed, were
unsuccessful with SCAN. No error messages or explanations were given for
the failure.

Local Support

Because of the very wide use, local support of SCAN is more generally
available. The available version, however, is not always the latest, as
many users, in my experience, tend to use the one version they obtain for
at least a year before seeking another. There are also a number of
shareware products that "enhance" the use of SCAN, such as menuing "front
ends" or programs to assist in checking archived files.

Support Requirements

If at all possible, it would be best if knowledgeable users assisted with
the use of SCAN. The programs are simple enough to be operated by a novice
user, and no harm should result, but best results will be obtained with
the program if someone aware and informed of virus operation is involved.

General Notes

SCAN is a very useful virus scanning program, and John McAfee is to be
commended for keeping it updated over the years. It has undoubtedly saved,
without exaggeration, many millions of dollars in lost computer services.
That said, one is still left with the impression that the program, as a
program, could benefit from more attention to function, and less to the
promotion of the services of McAfee Associates. The breaking of the program
into different packages for distribution increases the difficulty in
installation and use, and seems only to serve to hide the true cost of the
program, which is very high for shareware.

The "version" numbering of the VIRUSCAN products is often misunderstood.
I received the following from Aryeh Goretsky, and feel it is important
information:

"You mentioned that NETSHIELD does not use the same numbering sequence as
the other programs--the current numbering sequence is a bit cryptic and I'd
like to explain it. When VIRUSCAN is run, it pops up a message like:

"SCAN 8.9V97 Copyright 1989-1992 {etcetera}

"The first number, "8", refers to the major version, or version of the
scanning engine. Or at least, it did until the minor version, which
indicates new features or new algorithms for polymorphic viruses, reached
"9." There have only been 3-4 scanning engines, actually (although numerous
modifications have been made).

"The second number (which appears after the period), "9", refers to the
minor version, which I've explained above.

"Next comes the letter. This refers to the status of the release. If it's a
beta sign (ASCII 225) or the word "BETA" then it is a beta-test version. If
it is the letter "V" then it marks the first release of that version. If a
bug fix is required, then the letter changes to a B, C, D, and so forth
(although by the time a "C" would be required, we would probably be ready
to do a new release).

"The last two digits refer to the version number of the list of virus
strings embedded in the program. This is the "real" version number that
users should refer to. A change in this means new viruses have been added
to the program.

"Because of the fact that the current numbering scheme is so confusing, we
will probably be changing this in the future to something more like the one
NETSHIELD uses, which we hope will be clearer."

copyright 1991, 1992 Robert M. Slade   PCSCAN.RVW   921021

==============
Vancouver      ROBERTS@decus.ca      | "My son, beware ... of the
Institute for  Robert_Slade@sfu.ca   | making of books there is
Research into  rslade@cue.bc.ca      | no end, and much study is
User           p1@CyberStore.ca      | a weariness of the flesh."
Security       Canada V7K 2G6        |        Ecclesiastes 12:12
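As an added illustration of the banner format Goretsky explains above (this is not code from the review or from McAfee Associates), a small Python parser that splits "SCAN 8.9V97" into engine, minor, release-status and string-list versions, so that an administrator can tell a bug-fix re-release from a build with new virus strings. It assumes that the "beta sign (ASCII 225)" is a code page 437 byte, which renders as "ß".

```python
import re
from dataclasses import dataclass

# Release-status conventions from Goretsky's explanation: "V" is the first
# release of a version, "B", "C", "D", ... are successive bug-fix releases,
# and either the word "BETA" or the beta sign (ASCII 225, assumed here to be
# code page 437, where it renders as "ß") marks a beta-test build.
_BANNER = re.compile(
    r"SCAN\s+(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?P<status>BETA|ß|[A-Z])"
    r"(?P<strings>\d{2})\b"
)


@dataclass(frozen=True)
class ScanVersion:
    major: int    # scanning engine generation
    minor: int    # new features or polymorphic-virus algorithms
    status: str   # "BETA", "V", "B", "C", ...
    strings: int  # version of the embedded virus string list

    @property
    def is_beta(self) -> bool:
        return self.status == "BETA"

    @property
    def bugfix_level(self) -> int:
        """0 for the first release ("V") or a beta, 1 for "B", 2 for "C", ..."""
        if self.status in ("V", "BETA"):
            return 0
        return ord(self.status) - ord("A")


def parse_scan_banner(banner: str) -> ScanVersion:
    """Split a banner such as 'SCAN 8.9V97 Copyright ...' into its parts."""
    m = _BANNER.search(banner)
    if m is None:
        raise ValueError(f"not a recognised SCAN banner: {banner!r}")
    status = "BETA" if m.group("status") == "ß" else m.group("status")
    return ScanVersion(int(m.group("major")), int(m.group("minor")),
                       status, int(m.group("strings")))


def has_newer_strings(installed: str, candidate: str) -> bool:
    """True when the candidate carries a newer virus string list; Goretsky
    calls that the 'real' version number users should track, so a change of
    bug-fix letter alone does not count as new detection coverage."""
    return (parse_scan_banner(candidate).strings
            > parse_scan_banner(installed).strings)
```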