Date: Sun, 23 Dec 90 00:06:04 PST
From: Robert Slade
Subject: Antiviral evaluation guidelines

Attached herewith is an article outlining the different classes of anti-viral software, and features to check for in each class. This is meant as an introduction to the anti-viral product reviews, which will be coming out every few weeks for the next little while. (The first review should be included in this same issue of the digest. It is for FPROT.)

[Ed. A wholehearted thanks for the effort, Robert! I normally just place articles of this length into the archives with a pointer to them in the digests, but I'm making an exception in this case. In addition, I'm placing this and any other reviews in the archives, on cert.sei.cmu.edu in pub/virus-l/docs/reviews.]

Reviewing Anti-virus Products

Robert Michael Slade
3118 Baird Road
North Vancouver, B. C.
V7K 2G6
(604) 988-4097

I am quite certain that the first question asked about "anti-viral" or other data security packages will be "which one is best?" This ignores two vitally important points. The first is that "the best" may not be good enough by itself. No security force would ever pick "the best" guard and then leave him to guard an entire refinery by himself. The second point is that, even within the limited realm of anti-viral programs, data security software operates in many different ways. Thus, one type of security may be better in one situation, while another variety may be better in a different environment. (Which make better guards, dogs or men? Wise security firms use both.)

There are basically five "classes" of anti-viral packages: vaccines, change detection software, operation restricting software, encrypting software and scanners. Each type has its own strengths and weaknesses.

Vaccine

Vaccine software is memory resident and watches for "suspicious" activity. It may, for example, check for any calls to "format" a disk while a program other than the operating system is "in control".
It may be more sophisticated, and check for any program that attempts to alter or delete a program file. It is, however, very hard to tell the difference between a word processor updating a file and a virus infecting a file. Vaccine programs may be more trouble than they are worth if they continually ask for confirmation of valid activities. They may also be bypassed by viruses that do "low level" programming (writing to the disk directly) rather than using the standard operating system "calls".

It is very difficult to specify, in advance, what you should check for in vaccine software, since the developers are loath to state, in specific detail, exactly what the vaccine will be checking for. (This reluctance is understandable: if a vaccine developer "advertises" exactly what the product checks for, virus or "trojan" writers will simply use another route.) Vaccine software should be thoroughly tested in a "real" working environment (one that uses all the programs you normally do, in the ways you normally use them) for some time, in order to ensure that the vaccine does not conflict with "normal" operation.

Change detection software

Change detection software examines system and/or program files and configuration, stores the information, and compares it against the actual configuration at a later time. Most of these programs compute a "checksum" or "cyclic redundancy check" (CRC) of each file, which will detect changes to a file even if its length is unchanged. (A CRC is designed to catch accidental corruption, not deliberate tampering: a virus that knows the algorithm can patch a file so that its CRC still matches the stored value, which is why a cryptographic hash or a keyed checksum is the stronger choice.) The disadvantages of this system are 1) it provides no protection, but only notification after the fact, 2) some change detection software is limited to operating system software only, 3) you must "inform" the software of any changes you make in the system and 4) change detection software may not "see" changes made by "stealth" viruses, which intercept disk reads and present the original, uninfected contents of a file to any program that examines it. Some versions of this software run only at "boot time", others check each program as it is run.
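As an added illustration (written for this review, not part of Mr. Slade's article and not any product's own code), the following Python shows change detection in its simplest form: record a fingerprint (length, CRC-32 and SHA-256) for every program file, then compare later and report anything missing, new or modified. It also goes one step beyond what the article says, to show the limit of a plain CRC: a same-length modification is caught, but a virus that knows the CRC algorithm can overwrite four bytes of the file to restore the original CRC value, so only the cryptographic hash still reports a change. The "disk" is a constructed in-memory dictionary of file names to bytes; the file contents and the "viral jump" patch are made up for the example.

```python
import hashlib
import zlib

FIELDS = ("size", "crc32", "sha256")

def fingerprint(data: bytes) -> dict:
    """One baseline record per file: length, CRC-32 and a cryptographic hash."""
    return {
        "size": len(data),
        "crc32": zlib.crc32(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def build_baseline(files: dict) -> dict:
    """files maps a name to the bytes of that file (a directory walk would feed this in practice)."""
    return {name: fingerprint(data) for name, data in files.items()}

def check_against_baseline(baseline: dict, files: dict, fields=FIELDS) -> dict:
    """Return {name: verdict} for every file that differs from the baseline; {} means nothing changed."""
    report = {}
    for name in sorted(set(baseline) | set(files)):
        if name not in files:
            report[name] = "missing"
        elif name not in baseline:
            report[name] = "new (not in baseline)"
        else:
            now = fingerprint(files[name])
            changed = [f for f in fields if now[f] != baseline[name][f]]
            if changed:
                report[name] = "modified (" + ", ".join(changed) + ")"
    return report

# --- Why a CRC alone is not enough against a deliberate attacker -------------
# Standard CRC-32 table (reflected polynomial 0xEDB88320, the one zlib uses).
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)
# The top byte of each table entry is distinct, so it identifies the table index that produced it.
CRC_REV = {entry >> 24: i for i, entry in enumerate(CRC_TABLE)}

def forge_crc32_suffix(prefix: bytes, target: int) -> bytes:
    """Return 4 bytes such that zlib.crc32(prefix + suffix) == target."""
    reg = zlib.crc32(prefix) ^ 0xFFFFFFFF     # raw shift-register state after the prefix
    want = target ^ 0xFFFFFFFF                # register state we need after 4 more bytes
    indexes = []
    for _ in range(4):                        # walk the register backwards one byte at a time
        i = CRC_REV[want >> 24]
        indexes.append(i)
        want = ((want ^ CRC_TABLE[i]) << 8) & 0xFFFFFFFF
    suffix = bytearray()
    for i in reversed(indexes):               # replay forwards, picking each byte to hit that index
        suffix.append((reg ^ i) & 0xFF)
        reg = CRC_TABLE[i] ^ (reg >> 8)
    return bytes(suffix)

# Constructed sample "disk" (made-up contents, not real programs).
ORIGINAL = b"MZ" + bytes(range(256)) * 2                    # 514-byte stand-in for EDITOR.EXE
INFECTED = ORIGINAL[:16] + b"<viral jump>" + ORIGINAL[28:]   # 12 bytes overwritten, same length
# The "virus" then rewrites the last 4 bytes so the CRC-32 matches the clean file again.
FORGED = INFECTED[:-4] + forge_crc32_suffix(INFECTED[:-4], zlib.crc32(ORIGINAL))

DISK_BEFORE = {"COMMAND.COM": b"MZ" + b"\x90" * 100, "EDITOR.EXE": ORIGINAL}
DISK_INFECTED = {**DISK_BEFORE, "EDITOR.EXE": INFECTED}
DISK_FORGED = {**DISK_BEFORE, "EDITOR.EXE": FORGED}

if __name__ == "__main__":
    base = build_baseline(DISK_BEFORE)
    print("crc only, naive infection:", check_against_baseline(base, DISK_INFECTED, ("size", "crc32")))
    print("crc only, crc fixed up:  ", check_against_baseline(base, DISK_FORGED, ("size", "crc32")))
    print("with sha256:             ", check_against_baseline(base, DISK_FORGED))
```

Two practical points follow from the article's own remarks. The baseline itself must be kept where a virus cannot rewrite it (a write-protected diskette is the 1990 answer), and a resident "stealth" virus that intercepts disk reads defeats any checker run on the infected machine no matter which hash it uses, so the check should be run after booting from a clean, write-protected floppy.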
Some of these programs attach a small piece of code to the programs they are "protecting", and this may cause programs which have their own change detection features to fail.

A major factor in judging change detection systems is that of installation and operation time. Since the system will be calculating "signatures" of all (or all selected) programs on your system (sometimes with very sophisticated algorithms), it may take some time to install, and to "re-install" each time you make a change to your system. It may also take an unacceptable amount of time to check out a program before it will allow it to run. You should also find out how and where the security system will "store" the necessary program signatures, particularly if you run programs from diskette. Also, since these types of systems are heavily influenced by the mini- and mainframe data security community, it is important to ask whether they have made provisions for checking for boot sector viruses, or other viruses that may not show up as changes to program files.

Operation restricting software

Operation restricting software is similar to vaccine software, except that instead of watching for suspicious activities it "automatically" prevents them. As with mainframe security "permission" systems, some of these packages allow you to restrict the activities that programs can perform, sometimes on a "file by file" basis. However, the more options these programs allow, the more time they will take to set up. Again, the program must be modified each time you make a valid change to the system, and, as with vaccine programs, some viruses may be able to evade the protection by using low level programming.

It is important, with this software, that the operator is given the option of "allowing" an operation. It is also important that the operator be informed, not only that a particular program or operation has been halted, but also why.
There should not be too many "false alarms" generated by the software, and it would be helpful to have the option of "tuning" the software to be less, or more, sensitive to a given type of activity.

Encrypting software

Encrypting software writes programs and/or data onto your disks in a non-standard way and then "decrypts" the program or file when you need to use it. This means that if a virus does try to infect a file, the code it writes is scrambled when the file is decrypted for use, so the infection usually only corrupts the program and is easily detectable. Used in conjunction with operation restricting software features, encrypting software essentially changes the whole operating environment, hopefully to one that a virus cannot survive in. Again, there is the need to do a lot of work in setting up the protection system, and in keeping it up to date when you make changes. (It is also possible, if the system is not configured properly to begin with, to end up with a system that you cannot use and cannot repair.) There are two major "holes" in the security of the system: 1) some part of the system must remain "unencrypted" (at the very least the code that does the decrypting) and is therefore vulnerable to "attack", and 2) if you start with already infected files, the system will quite happily encrypt the virus and allow it to operate.

One vitally important feature to consider in encrypting software, particularly if it is coupled with operation restricting software, is the ability to recover if anything goes wrong. Do you have a recoverable backup, or are all your backup files encrypted, and useless without the proper code? Can you boot off a floppy to recover if your "security" program dies? If you can boot off a floppy, what provisions guard against boot sector viruses?

Scanners

Scanning software is, paradoxically, the least protective and most useful of anti-viral software. These programs examine files, boot sectors and/or memory for evidence of viral infection.
They generally look for viral "signatures", sections of program code that are known to be in specific viruses but not in most other programs. Because of this, scanning software will only detect "known" viruses, and must be updated regularly. Some scanning software has "resident" versions that check each file as it is run, but most require that you run the software "manually". It is also the classic case of "bolting the door after the horse is gone", since "scanners" only find infections after they occur.

Why then, with all the disadvantages of scanning software, is it the most successful of anti-viral packages? Generally speaking, it is because it forces the user to pay attention to the system. Again, when a user relies on one particular method of protection they are most vulnerable.

Scanning software should be able to identify the largest possible number of viruses, and should be able to identify variations on the more important sections of code (that is, it should be able to "accept" the removal of text strings and other simple modifications that "bush league hackers" might make). For ease and speed of updating, the "signatures" should be stored in a separate file and there should be a source for the addition of new viral signatures to the file. For security, both the scanning program and the signature file should be renameable, so that a virus cannot single them out by name. Areas scanned should include not only the identifiable program files, but all files, if necessary. Scanners should have the ability to search the more common archiving formats as well, particularly those that support "self extraction" functions. Disk boot sectors and hard disk partition boot records should be scanned, as well (in this day of stealth viruses) as memory.

copyright 1990 Robert M. Slade
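As an added example, written for this review and not taken from the article or from any product, the following Python shows the skeleton of a signature scanner with the features the scanner section asks for: signatures held in a separate file (here embedded as a constructed string), "??" wildcards so that a changed value inside a code sequence still matches, a text-only signature that a trivial edit defeats, and recursion into archives, including the self-extracting kind where a program stub precedes the archive data. The signature names, byte patterns, sample files and boot sector are all made up for the example, and the line format of the signature list is an assumption of this example, not any product's format.

```python
import io
import re
import zipfile

# Constructed signature file: made-up names and byte patterns, not real virus signatures.
# Format (assumed for this example): name, whitespace, hex bytes; "??" matches any one byte.
SIGNATURE_DB = """\
# name        pattern
Sample.A      E8 00 00 5B 81 EB ?? ?? 2E 8B 87
Sample.B      53 61 6D 70 6C 65 2E 42 20 77 61 73 20 68 65 72 65
"""
MAX_MEMBER_BYTES = 4 * 1024 * 1024   # refuse to inflate absurdly large archive members

def load_signatures(text: str) -> list:
    """Parse the signature file into (name, compiled regex over bytes) pairs."""
    sigs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, pattern = line.split(None, 1)
        hexbytes = pattern.replace(" ", "")
        if len(hexbytes) % 2:
            raise ValueError("odd-length pattern for " + name)
        parts = [hexbytes[i:i + 2] for i in range(0, len(hexbytes), 2)]
        regex = b"".join(b"." if p == "??" else re.escape(bytes.fromhex(p)) for p in parts)
        sigs.append((name, re.compile(regex, re.DOTALL)))
    return sigs

def scan_object(label: str, data: bytes, sigs: list, max_depth: int = 2, depth: int = 0) -> list:
    """Return [(label, signature name)] for every hit in data, descending into ZIP archives
    (including ones with a stub prepended, which is how self-extracting archives are built)."""
    hits = [(label, name) for name, rx in sigs if rx.search(data)]
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                member = zf.read(info)
                hits.extend(scan_object(label + ":" + info.filename, member, sigs, max_depth, depth + 1))
    return hits

# Constructed samples (made up for the example; none of this is real virus code).
VIRAL_CODE = bytes.fromhex("E800005B81EB03012E8B87")      # matches Sample.A, delta bytes 03 01
VARIANT_CODE = bytes.fromhex("E800005B81EB07012E8B87")    # delta changed; the wildcards still match
TEXT_MARKER = b"Sample.B was here"
CLEAN_FILE = b"MZ" + b"\x90" * 40
INFECTED_FILE = b"MZ" + b"\x00" * 30 + VIRAL_CODE + b"\x00" * 10
VARIANT_FILE = b"MZ" + b"\x00" * 30 + VARIANT_CODE + b"\x00" * 10
TEXT_FILE = b"MZ" + TEXT_MARKER + b"\x00" * 10
TEXT_STRIPPED = TEXT_FILE.replace(TEXT_MARKER, b"\x00" * len(TEXT_MARKER))  # "bush league" edit beats a text signature
BOOT_SECTOR = (b"\xEB\x3C\x90" + b"\x00" * 59 + VIRAL_CODE).ljust(510, b"\x00") + b"\x55\xAA"

def build_sfx_archive(members: dict) -> bytes:
    """EXE-like stub with a deflated ZIP appended: a stand-in for a self-extracting archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return b"MZ" + b"\x90" * 64 + buf.getvalue()

SFX_ARCHIVE = build_sfx_archive({"README.TXT": b"nothing to see", "PROGRAM.EXE": INFECTED_FILE})

if __name__ == "__main__":
    sigs = load_signatures(SIGNATURE_DB)
    for label, data in [("clean", CLEAN_FILE), ("infected", INFECTED_FILE), ("variant", VARIANT_FILE),
                        ("text-stripped", TEXT_STRIPPED), ("sfx", SFX_ARCHIVE), ("boot", BOOT_SECTOR)]:
        print(label, scan_object(label, data, sigs) or "clean")
```

The wildcard positions are the reason to prefer code over text as a signature: the value a variant changes sits inside a sequence of instructions that it cannot easily change, while a text marker can be wiped by anyone with a file editor. The raw bytes of the archive do not contain the signature at all, because the member is compressed; only opening the archive (with a size limit, so a hostile archive cannot exhaust memory) finds the infected member. Scanning memory and the partition record is not shown; on a DOS machine that means reading specific sectors and the interrupt vectors directly, which is outside what this example does.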