Date: Mon, 8 Feb 1993 11:19:35 -0500
Message-Id: <9302081453.AA01918@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@cert.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #20

VIRUS-L Digest   Monday,  8 Feb 1993    Volume 6 : Issue 20

Today's Topics:

Revised Product Test 34, IBM Anti-Virus Scanning Program, v2.2.3 (PC)
Revised Product Test, CPAV, version 1.4 (PC)
Product Test 58, Virus Buster, version 3.93 (PC)
Product Test 60, Virus Terminator (PC)
Revised Product Test 32, Mactools, version 2.0 (with CP Anti-Virus) (Mac)
Product Test 53, Gatekeeper (Mac)
How to review antiviral software (general)
Review and column checklist
Review of ViruSafe (PC)
Review of "Computer Viruses and Data Protection", Burger (general)
Review of Thunderbyte Utilities (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name.  Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@CERT.ORG>.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 19 Nov 92 14:08:10 -0700
From:    Chris McDonald ASQNC-TWS-R-SO <cmcdonal@wsmr-emh03.army.mil>
Subject: Revised Product Test 34, IBM Anti-Virus Scanning Program, v2.2.3 (PC)

*******************************************************************************
                                                                          PT-34
                                                          Revised November 1992
*******************************************************************************


1.  Product Description:  The IBM Virus Scanning Program is a program to detect
computer virus signatures in the PC-DOS (MS-DOS) and OS/2 environments.  This
product test addresses version 2.2.3 which is a part of the IBM Anti-Virus
Product version 2.2.3.

2.  Product Acquisition:  The program has been available from the IBM
Corporation in a variety of options.  Through October 1992 it had been
available for an initial licensing fee of $35.00.  IBM has now announced two
new products:  (a)  the IBM AntiVirus/DOS and (b)  the IBM AntiVirus/2.  Users
should contact an IBM representative at 800-551-3579 for specific cost and
technical information on these programs which are in my perception replacements
for the IBM Anti-Virus Product.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Directorate of
Information Management, White Sands Missile Range, NM 88002-5506,
DSN:  258-7548, DDN:  cmcdonal@wsmr-emh03.army.mil or
cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY
other product reviews) is available by anonymous FTP on cert.org
(192.88.209.5) in: pub/virus-l/docs/reviews/mcdonald.ibm.antivirus]

------------------------------

Date:    Mon, 30 Nov 92 14:42:55 -0700
From:    Chris McDonald ASQNC-TWS-R-SO <cmcdonal@wsmr-emh03.army.mil>
Subject: Revised Product Test, CPAV, version 1.4 (PC)

*******************************************************************************
                                                                          PT-36
                                                          Revised November 1992
*******************************************************************************


1.  Product Description:  Central Point Anti-Virus (CPAV) is a product to
detect, disinfect, or remove viral signatures.  It also provides protection
against the introduction of "unknown" and/or malicious code through integrity
checking (checksumming) and through the detection of "suspicious" activity.
This test report addresses version 1.4.

2.  Product Acquisition:  CPAV is available from Central Point Software, Inc.,
15220 N.W. Greenbrier Parkway., Suite 200, Beaverton, OR 97006-5764.  The
published customer service number is 503-690-8090.  The list price for a single
copy is $129.00.  Site licenses are available.  Central Point has announced that
CPAV will be bundled within PC-Tools, version 8.0.

3.  Product Testers:  Don Rhodes, Information Systems Management Specialist,
Directorate of Information Management, White Sands Missile Range, NM
88002-5030, DSN:  258-8174, DDN:  drhodes@wsmr-emh04.army.mil; Chris Mc Donald,
Computer Systems Analyst, Directorate of Information Management, White Sands
Missile Range, NM 88002-5030, DSN:  258-7548,
DDN:  cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY
other product reviews) is available by anonymous FTP on cert.org
(192.88.209.5) in: pub/virus-l/docs/reviews/pc/mcdonald.cpav]

------------------------------

Date:    Sun, 07 Feb 93 16:35:18 -0700
From:    Chris McDonald STEWS-IM-CM-S <cmcdonal@wsmr-emh03.army.mil>
Subject: Product Test 58, Virus Buster, version 3.93 (PC)

*******************************************************************************
                                                                          PT-58
                                                                  February 1993
*******************************************************************************

1.  Product Description:  Virus Buster consists of a collection of programs
which provide for access control, boot protection, checksumming, signature
scanning, system monitoring, and restoration.  This product test addresses
version 3.93.

2.  Product Acquisition:  Virus Buster is available from Leprechaun Software
International, Ltd., P.O. Box 669306, Marietta, GA 30066-0106.  The Sales
telephone number is 404-971-8900 or 800-521-8849.  The FAX number is
404-971-8828.  The cost of the product appears to be dependent upon volume.
Corporate and Government site licenses are available for either perpetual or
5 year licenses.  An annual maintenance fee applies to corporate/site license
holders at 15% of the existing license value.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Directorate of
Information Management, White Sands Missile Range, NM 88002-5030,
DSN:  258-7548, DDN:  cmcdonal@wsmr-emh03.army.mil or
cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY
other product reviews) is available by anonymous FTP on cert.org
(192.88.209.5) in: pub/virus-l/docs/reviews/pc/mcdonald.virus.buster]

------------------------------

Date:    Sun, 07 Feb 93 16:47:29 -0700
From:    Chris McDonald STEWS-IM-CM-S <cmcdonal@wsmr-emh03.army.mil>
Subject: Product Test 60, Virus Terminator (PC)

*******************************************************************************
                                                                          PT-60
                                                                   January 1993
*******************************************************************************

1.  Product Description:  Virus Terminator is a program to detect known virus
signatures and to monitor changes to specified files in the MS-DOS and DR-DOS
environments.  This product test addresses version 2.1.

2.  Product Acquisition:  The program is copyrighted by COSMI, Inc., 431 N.
Figueroa Street, Wilmington, CA 90744.  The telephone number is 310-835-9687.
The program is also found in discount software establishments for under $20.00.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Directorate of
Information Management, White Sands Missile Range, NM 88002-5506,
DSN:  258-7548, DDN:  cmcdonal@wsmr-emh03.army.mil or
cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY
other product reviews) is available by anonymous FTP on cert.org
(192.88.209.5) in: pub/virus-l/docs/reviews/pc/mcdonald.virus.terminator]

------------------------------

Date:    Fri, 27 Nov 92 09:16:22 -0700
From:    Chris McDonald ASQNC-TWS-R-SO <cmcdonal@wsmr-emh03.army.mil>
Subject: Revised Product Test 32, Mactools, version 2.0 (with CP Anti-Virus) (Mac)

******************************************************************************
                                                                         PT-32
                                                         Revised November 1992
******************************************************************************


1.  Product Description:  MacTools is a collection of utilities that provide
data protection and recovery as well as virus identification, prevention and
removal for the Macintosh.  This product test addresses version 2.0 which
includes CP Anti-Virus.

2.  Product  Acquisition:  The commercial program is available from Central
Point Software, Inc., 15220 N.W. Greenbrier Parkway, Suite 200, Beaverton, OR
97006-5764.  One sales number identified in the documentation is 800-445-2110.
The published customer service number is 503-690-8090.  The list price for a
single copy is $149.00.  A variety of mail order services offer single copies
at significantly reduced costs.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Directorate of
Information Management, White Sands Missile Range, NM 88002-5506, DSN:
258-7548, DDN:  cmcdonal@wsmr-emh03.army.mil or
cmcdonald@wsmr-simtel20.army.mil.


[Moderator's note: The remainder of this product review (and MANY
other product reviews) is available by anonymous FTP on cert.org
(192.88.209.5) in: pub/virus-l/docs/reviews/mac/mcdonald.mactools]

------------------------------

Date:    Sun, 07 Feb 93 16:40:38 -0700
From:    Chris McDonald STEWS-IM-CM-S <cmcdonal@wsmr-emh03.army.mil>
Subject: Product Test 53, Gatekeeper (Mac)

******************************************************************************
                                                                         PT-53
                                                                  January 1993
******************************************************************************


1.  Product Description:  Gatekeeper and Gatekeeper Aid are freeware programs
which work in conjunction to address malicious software activity.  Gatekeeper
is a program designed to continuously monitor the operation of a Macintosh,
watching for operations that are commonly carried out by viruses as they
attempt to spread.  Gatekeeper Aid is a program that searches for and removes
families of known viruses which Gatekeeper either can't stop at all, or can't
stop completely enough to render harmless.  This product test addresses version
1.2.6.  {Version 1.2.7 released one day after distribution of this report with 
no major changes which affect its contents.}

2.  Product  Acquisition:  Gatekeeper is available from numerous Internet
archives sites.  The author, Chris Johnson, places the latest version on the
host microlib.cc.utexas.edu in the directory microlib/mac/virus.  The author
will even accept U.S. mail requests under specific conditions, but only as a
last resort.  Mr. Johnson's mail address is 3311 Red River #305, Austin, TX
78705.  His electronic addresses are as follows:  (a)  Internet at
chrisj@emx.cc.utexas.edu; (b)  UUCP at {husc6|uunet}!cs.utexas.edu!ut-emx!chrisj;
(c)  BITNET at chrisj@utxvm.bitnet; (d)  Apple Link at
chrisj@emx.cc.utexas.edu@internet#; (e)  CompuServe at >INTERNET:chrisj@emx.cc.utexas.edu;
and (f)  MCI Mail at TO Chris Johnson (EMS), EMS Internet, MBX chrisj@emx.cc.utexas.edu.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Directorate of
Information Management, White Sands Missile Range, NM 88002-5506, DSN:
258-7548, DDN:  cmcdonal@wsmr-emh03.army.mil or
cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY
other product reviews) is available by anonymous FTP on cert.org
(192.88.209.5) in: pub/virus-l/docs/reviews/mac/mcdonald.gatekeeper]

------------------------------

Date:    Fri, 20 Nov 92 18:45:51 -0800
From:    rslade@sfu.ca
Subject: How to review antiviral software (general)

VIREVIEW.GEN   921120
Reviewing Anti-virus Products
 
I am quite certain that the first question to do with "anti-viral" or
other data security packages will be "which one is best?"  This
ignores two vitally important points.  The first is that "the best"
may not be good enough by itself.  No security force would ever pick
"the best" guard, and then leave him to guard an entire refinery by
himself.
 
The second point is that, even within the limited realm of anti-viral
programs, data security software operates in many different ways.
Thus, one type of security may be better in one situation, while
another variety may be better in a different environment.  (Which make
better guards, dogs or men?  Wise security firms use both.)  There are
basically five "classes" of anti-viral packages; activity monitors,
change detection software, operation restricting software, encrypting
software and scanners.  Each type has its own strengths and
weaknesses.
 
Before going into detail on the specific types of programs, I would
like to address some issues which can be applied to reviewing any
antiviral software.  Aside from the specific efficacy against large
numbers, and certain types, of viral programs, there are
considerations of "user" aspects of the system in question.  This does
not relate solely to the chimera of "user-friendliness", but to the
fact that a given system is intended not only to be somehow effective
against viral programs, and must be used by a "user population" in a
given work, social and technical environment.
 
It is very easy to "rank" antiviral software on the basis of how many
viral programs or strains that it will identify.  It is not quite as
easy to assess many other, more important, features.  Although there
may be more than 2000 different strains of viral programs in the
MS-DOS "world" (fewer in the other environments), one percent of that
number are likely responsible for ninety-nine percent of infections.
Thus it is of far greater importance that, for example, one particular
antiviral program does not prevent infection by the "Stoned" virus (as
of this writing the most common virus), than that it "protects"
against literally thousands of others.
 
Also of very high importance is the fact that the proportion of
computer users who have a thorough understanding of viral operations
in comparison to the total user population is so small that it is
statistically insignificant.  Therefore, it is vital that any
antiviral program be judged on the basis of installation and use by
"naive" users.  A "naive" user in this case may be one with
significant technical skills, but little background in regard to viral
programs.
 
(I realize that my statement regarding the naivete of computer users
may be extremely controversial.  Recall, however, that there are about
one hundred million users of MS-DOS, and then compare that with the
number of people who take an active interest in prevention of computer
viral programs.  Note that less than a quarter of computers have any
defense against viral attack.  Note a "clipping file" covering 30
general computer industry periodicals over a period of two years with
only eleven articles on computer viral programs.  Note also the very
high sales of some highly publicized programs known by the virus
research community to have very definite shortcomings.)
 
It is critical, therefore, to judge the interaction of the program
with the user.  Again, this interaction is not simply the presence or
absence of a menu, but the total intercourse between the program and
the user, by way of the documentation, installation, and user
interface and messages.  It is important to note how the total package
"comes to" the user.  Given that the user's system may already be
infected, what can the package do to remedy the situation?  Also,
while the package may have significant strengths if installed
correctly, is the "normal" user likely to be able to do the setup and
installation properly?
 
Part of the assessment of the user is the user environment.  This
aspect covers not only the "corporate culture" (e.g. home user, user in
a large corporation with internal support staff, etc.) but also the
operating system environment.  For example, the MS-DOS environment has
a very large number of viral strains, with more being produced every
day.  The Macintosh environment has relatively few viral programs.
Therefore, "generic" identification of "new and unknown" viral
programs is more important to MS-DOS users than to Macintosh.
(Interestingly, while Macintosh antivirals are quite mature, and
protected Macintosh systems have a negligible infection rate, the
infection rate on unprotected Macs is astronomical.  This, too, should
be taken into account.)
 
Related to the interaction of the user and the program is the
potential negative impact of the security program.  Antiviral programs
consume time and disk space, and may also interfere with the normal
operation of the computer system.  As Jeff Richards' first law of data
security has it, you can guarantee security if you don't buy a
computer.  It's just not a very useful alternative.  Computer systems
can be secured more and more by restricting the operations more and
more, but restriction of "dangerous" operations also restricts useful
ones.  There comes a point at which the trade-off for greater security
becomes more than users want to pay.
 
There are other factors that contribute to the value of antiviral
software that can be judged on the same basis as any other software.
To turn, however, to the specifics of antiviral software, there are:
 
Activity Monitors
 
    Activity monitoring software, which was often referred to as a "vaccine" by
    commercial software houses, is memory resident and watches for "suspicious"
    activity.  It may, for example, check for any calls to "format" a disk
    while a program other than the operating system is "in control".  It may be
    more sophisticated, and check for any program that attempts to alter or
    delete a program file.
 
    It is, however, very hard to tell the difference between a word processor
    updating a file and a virus infecting a file.  Activity monitoring programs
    may be more trouble than they are worth by continually asking for
    confirmation of valid activities.  They also may be bypassed by viri that
    do "low level" programming rather than using the standard operating system
    "calls".
 
    It is very difficult to specify, in advance, what you should check for in
    activity monitoring software, since the developers are loath to state, in
    specific detail, exactly what the program will be checking for.  (This
    reluctance is understandable: if a developer "advertises" exactly what the
    product checks for, virus or "trojan" writers will simply use another
    route.)  Activity monitoring software should be thoroughly tested in a
    "real" working environment (one that uses all the programs you normally do,
    in the ways you normally use them) for some time in order to ensure that
    the vaccine does not conflict with "normal" operation.
 
    While activity monitors have a good chance to detect viral activity of
    "new" and unknown viral strains, it would be very difficult to agree with
    those that claim to be able to detect "all current and future" viral
    programs.  While it might generally be held to be a "good thing" to prevent
    changes to the file allocation table, it is unlikely that FAT or "system"
    viri could have been foreseen prior to the existence of the "DIR" family. 
    Activity monitors are also unlikely to work well against "companion" type
    viral programs without specific safeguards in place.
 
Change detection software
 
    Change detection software examines system and/or program files and
    configuration, stores the information, and compares it against the actual
    configuration at a later time.  Most of these programs perform a "checksum"
    or "cyclic redundancy check" (CRC) that will detect changes to a file even
    if the length is unchanged.  
 
    The disadvantages of this system are 1) it provides no protection, but only
    notification after the fact, 2) some change detection software is limited
    to operating system software only, 3) you must "inform" the software of any
    changes you make in the system and 4) change detection software may not
    "see" changes made by "stealth" viri.  Some versions of this software run
    only at "boot time", others check each program as it is run.  Some of these
    programs attach a small piece of code to the programs they are
    "protecting", and this may cause programs which have their own change
    detection features, or non-standard internal structures, to fail.
 
    A major factor in judging change detection systems is that of installation
    and operation time.  Since the system will be calculating "signatures" of
    all (or all selected) programs on your system (sometimes with very
    sophisticated algorithms), it may take some time to install, and to
    "re-install" each time you make a change to your system.  It may also take an
    unacceptable amount of time to check out a program before it will allow it
    to run.
 
    You should also find out how and where the security system will "store" the
    necessary program signatures, particularly if you run programs from
    diskette.  Also, since these types of systems are heavily influenced by the
    mini- and mainframe data security community, it is important to query
    whether they have made provisions for checking for boot sector viri, or
    other viri that may not show up as changes to program files.
 
    A sufficiently advanced change detection system, which takes all factors
    including "system" areas of the disk and the computer memory into account,
    has the best chance of detecting "all current and future" viral strains. 
    However, change detection also has the highest probability of "false
    alarms" since it will not know whether a change is viral or valid. 
    Addition of "intelligent" analysis of the changes detected may assist with
    this failing.
 
Operation restricting software
 
    Operation restricting software is similar to activity monitoring software,
    except that instead of watching for suspicious activities it
    "automatically" prevents them.  As with mainframe security "permission"
    systems, some of these packages allow you to restrict the activities that
    programs can perform, sometimes on a "file by file" basis.  
 
    However, the more options these programs allow, the more time they will
    take to set up.  Again, the program must be modified each time you make a
    valid change to the system, and, as with activity monitors, some viri may
    be able to evade the protection by using low level programming.
 
    It is important, with this software, that the operator is given the option
    of "allowing" an operation.  It is also important that the operator be
    informed, not only that a particular program or operation should be halted,
    but also why.  There should not be too many "false alarms" generated by the
    software, and it would be helpful to have the option of "tuning" the
    software to be less, or more, sensitive to a given type of activity.
 
Encrypting software
 
    Encrypting software writes programs and/or data onto your disks in a
    non-standard way  and then "decrypts" the program or file when you need to
    use it.  This means that if a virus does try to infect the system, it
    usually only scrambles the data and is easily detectable.  Used in
    conjunction with operation restricting software features, encrypting
    software essentially changes the whole operating environment, hopefully to
    one that a virus cannot survive in.  
 
    Again, there is the need to do a lot of work in setting up the protection
    system, and keeping it up to date when you make changes.  (It is also
    possible, if the system is not configured properly to begin with, to end up
    with a system that you cannot use and cannot repair.)  There are two major
    "holes" in the security of the system, 1) some part of the system must
    remain "unencrypted" and is therefore vulnerable to "attack" and 2) if you
    start with already infected files, the system will quite happily encrypt
    the virus and allow it to operate.
 
    One vitally important feature to consider in encrypting software,
    particularly if it is coupled with operation restricting software, is the
    ability to recover if anything goes wrong.  Do you have a recoverable
    backup, or are all your backup files encrypted, and useless without the
    proper code?  Can you boot off a floppy to recover if your "security"
    program dies?  If you can boot off a floppy, what provisions guard against
    boot sector viri?
 
Scanners
 
    Scanning software is, paradoxically, the least protective and most useful
    of anti-viral software.  These programs examine files, boot sectors and/or
    memory for evidence of viral infection.  They generally look for viral
    "signatures", sections of program code that are known to be in specific
    viri but not in most other programs.  Because of this, scanning software
    will only detect "known" viri, and must be updated regularly.  Some
    scanning software has "resident" versions that check each file as it is
    run, but most require that you run the software "manually".  It is also the
    classic case of "bolting the door after the horse is gone" since "scanners"
    only find infections after they occur.
 
    Why then, with all the disadvantages of scanning software, are they the
    most successful of anti-viral packages?  Generally speaking, it is because
    they force the user to pay attention to the system.  Again, when a user
    relies on one particular method of protection they are most vulnerable.
 
    Scanning software should be able to identify the largest possible number of
    viri, and should be able to identify variations on the more important
    sections of code (that is, it should be able to "accept" the removal of
    text strings and other simple modifications that "bush league hackers"
    might make.)  (Note, however, the proviso that it is more important to
    identify some viral programs than others.)  For ease and speed of updating,
    the "signatures" should be stored in a separate file and there should be a
    means for the addition of new viral signatures to the file.  For security,
    both scanning software program and signature files should be renameable.
 
    Areas scanned should include not only the identifiable program files, but
    all files, if necessary.  Scanners should have the ability to search the
    more common archiving formats as well, particularly those that support
    "self extraction" functions.  Disk boot sector and hard disk partition boot
    records should be scanned, as well (in this day of stealth viri) as memory.
 
    A recent addition to scanners is intelligent analysis of unknown code,
    currently referred to as "heuristic" scanning.  More closely akin to
    activity monitoring functions than traditional signature scanning, this
    looks for "suspicious" sections of code that are generally found in viral
    programs.  While it is possible for normal programs to want to "go
    resident", look for other program files, or modify their own code, these
    are tell-tale signs that would help an informed user to come to some
    decision about the advisability of running or installing a given "new and
    unknown" program.  "Heuristics", however, generate a lot of false alarms,
    and may either scare novice users, or give them a false sense of security
    after "wolf" has been cried too often.
 
Scanners, as noted above, are the easiest of antiviral programs to
"rank".  It is much more difficult to determine the utility of those
types of programs which purport to protect against unknown and
"future" viral programs.  It is, indeed, impossible to judge these
programs against any "absolute" standard: they will be judged by
future events, and the future isn't here yet.
 
Many future viral programs will follow the patterns of those from the
past.  Most "new" viral programs are very simple modifications of
existing ones.  However, while it may be possible to foresee some of
the potential "loopholes" that viral programs might use, it is
impossible to know which ones actually will be used.  It would also be
excessively difficult to protect against all of the myriad potential
means of attack.
 
(When all the viral programs we had seen were either boot sector
infectors, or prepending, appending or overwriting file infectors,
"companion" and "system" viri came as quite a shock to most.  While I
have some nifty ideas for new "hiding places", I will undoubtedly be
surprised by the new ones that, in reality, get released "into the
wild".  Fortunately, many of the virus authors must also be surprised
at how poorly their "new creations" do, but this doesn't make the
assessment of "generic" antiviral software any easier.)
 
Antiviral software should be tested against a suite of current viral
programs.  It is useful to know how well programs may rank in
"numbers" tests, but it is likely more important to choose
"representative" viral programs.  Choose the most common viral
infectors (which tend to vary somewhat, geographically), as well as
representatives of viral "types": boot sector infectors, MBR
infectors, "stealth", multipartite, polymorphic, resident and
non-resident and so forth.  However, since this does not include any
representation from "future" viral programs, it is also very useful to
try to do "odd" things with utility programs, to try to "simulate"
attacks that have not yet been incorporated into existing viral
programs.
 
Evaluation of antiviral software requires at once the most complex of
technical assessments, and at the same time the greatest attention to
human factors engineering.  While the interactions of viral and
antiviral at the lowest levels of the operating system is fascinating,
always remember that what is really being protected here is the user.
Any antiviral program, in order to be considered at all successful,
must primarily inform the user accurately and realistically about any
threat to the system.  It must also be sufficiently easy for the user
to install and maintain.  The most technically advanced security
system is of absolutely no use if the user cannot run or understand
it.
 
copyright 1990, 1992 Robert M. Slade   VIREVIEW.GEN   921120

==============
Vancouver      ROBERTS@decus.ca         | "Is it plugged in?"
Institute for  Robert_Slade@sfu.ca      | "I can't see."
Research into  rslade@cue.bc.ca         | "Why not?"
User           p1@CyberStore.ca         | "The power's off
Security       Canada V7K 2G6           |  here."
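
Slade's essay above contrasts change detection (a checksum or CRC that catches
an edit even when the file length is unchanged, but only after the fact and
without knowing whether the change was valid) with signature scanning (which can
name known viri from a separately stored signature file but cannot see unknown
ones).  The Python below is an added example written for this digest, not
Slade's code nor any product's: it runs a toy CRC-32 change detector and a
wildcard signature scanner over constructed in-memory "files" with invented byte
patterns, to show what each layer does and does not report.

```python
import re
import zlib

# Constructed sample "program files" (bytes stand in for files on disk).
ORIGINAL_FILES = {
    "EDIT.EXE": b"MZ\x90\x00editor-code-0123456789",
    "CALC.EXE": b"MZ\x90\x00calculator-code-abcdef",
    "GAME.EXE": b"MZ\x90\x00game-code-xyz",
}

# The same files at a later check (constructed): EDIT.EXE has one byte altered
# but the same length, GAME.EXE has code appended, CALC.EXE is untouched.
MODIFIED_FILES = {
    "EDIT.EXE": b"MZ\x90\x00editor-code-0123456709",
    "CALC.EXE": b"MZ\x90\x00calculator-code-abcdef",
    "GAME.EXE": b"MZ\x90\x00game-code-xyz" + b"\xeb\x03\x90\x90\x90MARKER-X",
}

# Constructed signature file, kept apart from the scanner code as the essay
# recommends.  '??' is a single wildcard byte, so a trivial patch of that byte
# does not break the match.  The pattern is invented for this example and does
# not belong to any real virus.
SIGNATURE_FILE = {
    "Example-Appender": "EB 03 90 ?? 90 4D 41 52 4B 45 52",
}


def take_baseline(files):
    """Change detector, step 1: record (length, CRC-32) of every file."""
    return {name: (len(data), zlib.crc32(data)) for name, data in files.items()}


def check_changes(files, baseline):
    """Change detector, step 2: compare the current files with the baseline.

    Returns {file name: reason}.  It reports *that* something changed, never
    *what* did it: a valid update and an infection look identical here, which
    is why the baseline must be retaken after every legitimate change.
    """
    findings = {}
    for name, (length, crc) in baseline.items():
        if name not in files:
            findings[name] = "missing"
        elif len(files[name]) != length:
            findings[name] = "length changed"
        elif zlib.crc32(files[name]) != crc:
            # The CRC catches in-place edits that a plain length check misses.
            findings[name] = "content changed, same length"
    for name in files:
        if name not in baseline:
            findings[name] = "new file, not in baseline"
    return findings


def compile_signature(hex_pattern):
    """Turn 'EB 03 ?? 90' into a bytes regex; '??' matches any one byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(files, signature_file):
    """Signature scanner: {file name: [signature names]} for files with a hit.

    Only patterns present in the signature file can be found, so a file the
    change detector flags may pass the scanner clean (an "unknown" change).
    """
    compiled = {sig: compile_signature(pat) for sig, pat in signature_file.items()}
    hits = {}
    for name, data in files.items():
        matched = [sig for sig, rx in compiled.items() if rx.search(data)]
        if matched:
            hits[name] = matched
    return hits


def main():
    baseline = take_baseline(ORIGINAL_FILES)
    changes = check_changes(MODIFIED_FILES, baseline)
    hits = scan(MODIFIED_FILES, SIGNATURE_FILE)
    for name in sorted(MODIFIED_FILES):
        print(f"{name:9} change detector: {changes.get(name, 'unchanged'):29}"
              f" scanner: {', '.join(hits.get(name, ['no known signature']))}")
    # After a reviewed, legitimate update the baseline is retaken; only then
    # does the change detector fall silent again.
    assert check_changes(MODIFIED_FILES, take_baseline(MODIFIED_FILES)) == {}


if __name__ == "__main__":
    main()
```

Run together, the two layers show the essay's point: EDIT.EXE is reported only by
the change detector (no known signature), GAME.EXE by both, and neither layer
alone tells the whole story.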

------------------------------

Date:    20 Jan 93 23:51:00 -0600
From:    "Rob Slade, DECrypt Editor, VARUG NLC rep, 604-984-4067" <roberts@decus.arc.ab.ca>
Subject: Review and column checklist

For those who are archiving my antiviral product reviews, and weekly column,
the following is a listing of the files to date.

Please note that the ZIP files are maintained by Brian Hampson of The Cage,
and are available only from him.  (Call +1-604-261-2347 for The Cage.  14.4
v.32 is supported.)

Please note that some recent files have not yet been released for distribution.

                 <**Reviews and columns by Robert Slade**>
 
                         ------COLUMNS------
 
INTRO1.CVP      2560 01-26-92  [  4] Introduction and explanation to the 
                                     weekly column (.CVP files)
 
DEFGEN1.CVP     2560 01-26-92  [ 10] Definition of virus
DEFGEN2.CVP     3328 01-26-92  [ 11] What viral programs are not
DEFGEN3.CVP     2432 01-26-92  [  9] Special definitions
DEFGEN4.CVP     2816 01-26-92  [  7] Related terms
DEFMTH1.CVP     2816 01-26-92  [  7] Myth of malice
DEFMTH2.CVP     2688 01-26-92  [  7] Myth of hardware damage
DEFMTH3.CVP     2944 01-26-92  [  6] Myth of write protection - software
DEFMTH4.CVP     2688 01-26-92  [  6] Write protect hardware
DEFMTH5.CVP     2304 01-26-92  [  6] More hardware myths
DEFMTH6.CVP     2944 01-26-92  [  6] "Modem" virus myth
DEFMTH7.CVP     5632 01-26-92  [  6] "Desert Storm" virus myth
DEFMTH8.CVP     2944 04-25-92  [  6] Commercial safety myth
DEFMTH9.CVP     2432 03-02-92  [  7] The myth of the virus danger from BBSes
DEFMTHA.CVP     2048 08-05-92  [  4] More media myths
FUNBOT1.CVP     2816 01-29-92  [ 12] Boot sector infectors
FUNBOT2.CVP     3200 01-29-92  [ 12] Boot sequence
FUNBOT3.CVP     3584 01-29-92  [ 11] Boot sequence - part 2
FUNGEN1.CVP     2816 01-27-92  [ 10] Computer operations
FUNGEN2.CVP     2816 01-27-92  [  9] Viral operations
FUNGEN3.CVP     2688 01-27-92  [  9] Viral use of operating systems
FUNGEN4.CVP     2688 01-27-92  [  9] System layers
FUNGEN5.CVP     2944 01-27-92  [  9] Viral activation
FUNGEN6.CVP     2688 01-27-92  [  8] Change detection
FUNGEN7.CVP     2816 01-27-92  [ 10] File checking
FUNGEN8.CVP     3072 01-27-92  [  9] File checking - part 2
FUNGEN9.CVP     2688 01-27-92  [  8] System checking
FUNGENA.CVP     2816 01-27-92  [  8] Detection avoidance
FUNPIV1.CVP     2560 01-29-92  [  8] File infecting viri
FUNPIV2.CVP     2432 01-29-92  [  8] Viral code insertion
FUNPIV3.CVP     2560 01-29-92  [  8] Viral code addition
FUNPIV4.CVP     2944 01-29-92  [  8] Viral code "association"
FUNPIV5.CVP     2944 01-29-92  [  8] Infection Variations
HISINT1.CVP     2944 06-02-92  [  3] Earliest viral history
HISINT2.CVP     2944 06-02-92  [  3] Early viral related programs
HISINT3.CVP     2304 06-09-92  [  3] Fred Cohen
HISINT4.CVP     2816 06-09-92  [  3] Pranks and Trojans
HISINT5.CVP     2944 06-25-92  [  3] AIDS Information Trojan
HISVIR1.CVP     2688 06-25-92  [  6] Apple virus 1, 2 and 3
HISVIR2.CVP     2560 07-03-92  [  6] The "Lehigh" virus
HISVIR3.CVP     2816 07-16-92  [  7] Jerusalem virus part 1
HISVIR4.CVP     2944 07-22-92  [  5] Jerusalem virus part 2
HISVIR5.CVP     2560 07-31-92  [  5] Jerusalem part 3
HISVIR6.CVP     2816 08-15-92  [  5] (c) Brain part 1
HISVIR7.CVP     2560 08-21-92  [  5] Brain part 2
HISVIR8.CVP     2176 08-27-92  [  5] Brain part 3
HISVIR9.CVP     2176 09-04-92  [  7] Brain part 4
HISVIRA.CVP     2688 09-11-92  [  5] MacMag/Brandow/Peace Virus part 1
HISVIRB.CVP     2944 09-18-92  [  6] MacMag authorship
HISVIRC.CVP     2688 09-24-92  [  7] MacMag spread
HISVIRD.CVP     2944 10-02-92  [  6] MacMag as "data virus"
HISVIRE.CVP     2176 10-08-92  [  6] MacMag and commercial software
HISVIRF.CVP     3200 10-24-92  [  8] Scores virus
HISVIRG.CVP     2432 10-31-92  [  7] Scores functions
HISVIRH.CVP     2944 11-04-92  [  8] CHRISTMA EXEC worm - the "card"
HISVIRI.CVP     2688 11-14-92  [  7] CHRISTMA EXEC effects
HISVIRJ.CVP                          CHRISTMA Data
HISVIRK.CVP     2816 11-27-92  [  7] CHRISTMA - Trusted source
HISVIRL.CVP     2560 12-05-92  [  6] CHRISTMA EXEC Wannabes
HISVIRM  CVP     2541  10-25-92   1:16a "     "      "     2
HISVIRN  CVP     2719  10-25-92   1:19a CHRISTMA wrapup
HISVIRO  CVP     3066  12-24-92   1:22a Internet Worm Intro
HISVIRP.CVP     2944 01-07-93  [  5] Internet Worm Functions
HISVIRQ.CVP     2688 01-07-93  [  4] Internet Worm Functions 2
HISVIRR  CVP     2809  12-24-92   1:27a Internet Worm - Media
HISVIRS  CVP     2682  12-24-92   1:28a
HISVIRT  CVP     2661  12-24-92   1:31a
HISVIRU  CVP     2204  12-24-92   1:33a
MEMOIR1.CVP     5376 07-10-92  [  4] Memoirs of an (English speaking) virus 
MEMOIR2.CVP     3584 10-16-92  [  5] Memoirs of a (cross border) virus 
MEMOIR3  CVP     2922  12-14-92   9:51p
MEMOIR4  CVP     2447  12-14-92  10:17p
MEMOIR5  CVP     2936  12-14-92  11:00p
PRTCKL1.CVP     2432 03-04-92  [  8] Antiviral checklist - part 1
PRTCKL2.CVP     2816 03-16-92  [  5] Checklist part 2
PRTCKL3.CVP     2304 03-16-92  [  5] Checklist part 3
PRTCKL4.CVP     2048 03-16-92  [  5] Checklist part 4
PRTCKL5.CVP     2176 03-16-92  [  5] Checklist part 5
PRTCKL6.CVP     2944 03-20-92  [  5] Checklist part 6
PRTCKL7.CVP     2688 03-29-92  [  6] Checklist part 7
PRTCKL8.CVP     2816 04-03-92  [  5] Checklist part 8
PRTCKL9.CVP     2688 04-27-92  [  4] Checklist part 9
PRTCKLA.CVP     2176 04-27-92  [  4] Checklist part 10
PRTCKLB.CVP     2816 04-25-92  [  4] Checklist part 11
PRTCKLC.CVP     2688 05-02-92  [  7] Checklist part 12
PRTCKLD.CVP     2560 05-08-92  [  3] Checklist part 13
PRTCKLE.CVP     1664 05-15-92  [  6] Wrap up of antiviral checklist
PRTGEN1.CVP     2560 03-02-92  [  5] Antiviral protection guidelines
 
COLUMNS.ZIP   124592 01-07-93  [ 20] All Columns written by Rob Slade up to 
                                     the date of this file
 
                         ------REVIEWS------
 
920306MI.ZIP   52572 03-10-92  [  6] Michaelangelo Reports from the Dreaded 
                                     Day.
 
VIREVIEW.GEN   19072 11-23-92  [  5] How to review antiviral software
BKBURGER.RVW   11520 12-07-92  [  3] Review of "Computer Viruses" by R. Burger
BKLUDWIG RVW     6838   1-12-93   9:22p
PCADVGRV.RVW    6784 01-27-92  [  1] Review of Advanced Security
PCANTIVP.RVW    8448 01-26-92  [   ] Review of Anti-Virus Plus by IRIS/Techmar
PCANTIVR.RVW    6656 01-26-92  [   ] Review of Anti-Virus by IRIS/Fink 
PCCERTUS.RVW   14208 01-26-92  [   ] Review of Certus LAN
PCCILLIN.RVW    9856 01-26-92  [   ] Review of PC-Cillin by Trend Microdevices
PCCPAV.RVW      6272 01-29-92  [   ] Review of Central Point Anti-Virus
PCCTRLRM.RVW    5888 01-29-92  [   ] Review of Control Room by Borland
PCDATPHS.RVW   10624 09-18-92  [  3] Data Physician Plus by Digital Dispatch
PCDSAVT.RVW     7424 05-11-92  [  1] Review of Dr. Solomon's Anti-Virus Toolkit
PCDSKSEC.RVW    4224 04-25-92  [   ] Review of DISKSECURE (related to FixMBR)
PCELMNTR.RVW    5888 04-25-92  [   ] Review of Eliminator
PCFPROT2.RVW    8832 11-09-92  [  1] Review of 2.xx version of F-PROT
PCIBMAV  RVW     7701  12-11-92   9:08p IBM Antivirus/DOS
PCIBMSCN.RVW    7936 04-25-92  [  1] Review of IBM's VIRSCAN
PCIM.RVW       14208 10-07-92  [  3] Review of Integrity Master
PCINTEL.RVW     4480 09-04-92  [  1] Review of Intel's LANProtect
PCMACE.RVW      7424 04-25-92  [   ] Review of Mace VACCINE
PCNRTNAV.RVW   11904 01-26-92  [  6] Review of Norton Antivirus
PCSAFE   RVW     7427  11-16-92   8:49p Micronyx SAFE
PCSAFWRD.RVW   10880 04-25-92  [   ] Review of SafeWord
PCSCAN2.RVW    11904 10-31-92  [  3] Updated review of SCAN
PCSOPHOS.RVW    6912 07-22-92  [  1] Review of Sophos VACCINE
PCTBAV   RVW    11403  12-16-92  12:02p Thunderbyte Utilities
PCTBSCAN.RVW    5376 04-25-92  [   ] Review of Thunderbyte Scan
PCUNTUCH.RVW   14080 10-02-92  [  2] Review of Untouchable
PCVC.RVW       10752 04-25-92  [   ] Review of "Victor Charlie"
PCVCNWWS.RVW    6912 04-15-92  [  1] Review of VACCINE by Worldwide Software
PCVDS.RVW      10368 09-11-92  [  2] Review of VDS change detector
PCVIRAWY RVW     5222   6-12-91   5:32p Techmar VirAway
PCVIRCID.RVW    6784 01-26-92  [  1] Review of Virucide by Parsons/McAfee
PCVIREX.RVW     9728 01-26-92  [   ] Review of Virex-PC by Datawatch
PCVIRSAF RVW     6480  11-25-92  10:50p Eliashim/Xtree ViruSafe
PCVISPY.RVW     7424 07-11-92  [  1] Review of Vi-Spy
PCVRBSTR.RVW    7680 04-25-92  [   ] Review of Virus Buster
PCWDIMMN RVW    20876  11-09-92   3:37p Western Digital "Immunizer"
 
QUICKREF.RVW    4352 07-16-92  [  6] "Quick reference" comparison chart for 
                                     Antiviral software
CONTACT.LST    28928 09-21-92  [  1] Antiviral contacts address list

============= 
Vancouver      ROBERTS@decus.ca         | "Kill all: God will know his own."
Institute for  Robert_Slade@sfu.ca      |       - originally spoken by Papal
Research into  rslade@cue.bc.ca         |         Legate Bishop Arnald-Amalric
User           p1@CyberStore.ca         |         of Citeaux, at the siege of
Security       Canada V7K 2G6           |         Beziers, 1209 AD
=============

------------------------------

Date:    02 Dec 92 18:08:00 -0600
From:    "Rob Slade, author and virus researcher, 604-988-4097" <roberts@decus.arc.ab.ca>
Subject: Review of ViruSafe (PC)



PCVIRSAF.RVW   921125
                               Comparison Review
 
Company and product:
 
EliaShim Microcomputers
520 W. Hwy. 436, #1180-30
Altamonte Springs, Florida
USA
407-682-1587
fax: 407-869-1409
XTree Co.
4330 Santa Fe Road
(4115 Broad Street, Building 1?)
San Luis Obispo, CA   93401-7993
USA
800-477-1587
805-541-0604
fax: 805-541-4762
BBS: 805-546-9150
75300.2266@Compuserve.com
ViruSafe 4.6
 
Summary: activity monitor, scanner, change detection, operation restriction,
utilities, and "bait" program
 
Cost                          
 
Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      2
            Ease of use       3
            Help systems      1
      Compatibility           1
      Company
            Stability         2
            Support           ?
      Documentation           2
      Hardware required       2
      Performance             2
      Availability            2
      Local Support           ?
 
General Description:
 
Menu or command line driven multi-layered defense.  Significant tools for those
studying viral operation and experienced in their functions.
 
                  Comparison of features and specifications
 
 
 
User Friendliness
 
Installation
 
The program is shipped on two non-writable 5 1/4" disks or one write protected
3 1/2" disk.  The program can be run off the disk, or installed on the hard
disk through an installation program.  Manual installation and command line
switch descriptions are also available.
 
Ease of use
 
The menu interface is generally straightforward and simple.  There are some
exceptions, and the interface could not be said to be completely intuitive. 
Configuration screens give no indication of how to "complete" the setup once
choices have been made.  As well, the behaviour of the "List of Viruses"
function is difficult.  The screen format, and cursor movement keys, of the
list and the resulting information do not match.  However, it is helpful to
have this feature onscreen.
 
Help systems
 
Limited.  Help is context sensitive, but seldom tells you what you want to know
about.
 
Compatibility
 
Additional virus signatures can be added in an external text file.  The format
for the signatures is given in the READ.ME text on disk, and is not difficult
to figure out.  In addition, the system is able to add signatures of new viral
programs which it finds in memory.  However, the format is not compatible with
the fairly widely used IBM VIRSCAN format.  Also, a maximum of 64 signatures
can be added in this way.
 
Program testing on machines fitting the hardware requirements occasionally
failed for unknown reasons.
 
Company Stability
 
Xtree is a fairly well established company, known for utility and disk
management software.  The version of ViruSafe obtained from Xtree does not
differ significantly from the earlier version obtained from EliaShim, but does
appear to contain programs that were developed by Xtree.
 
Company Support
 
Unknown.  
 
Documentation
 
The documentation is quite brief.  While clear, the manual is quite terse and
seems to be designed for the more advanced user.  Much of the documentation is
a description of how the menuing system and command line switches work.  No
specifics are given as to how functions (such as "revealing the presence of"
unknown viral programs in memory) are accomplished.  More important is the fact
that no "defaults" for any of the programs are listed.  For example, the
activity monitoring program, VS, has a long list of command line switches for
various functions, but no indication as to which of them are "on" when started
without switches.
 
It is fairly obvious that the new documentation has been copied wholesale from
an earlier edition without adequate proof-reading.  For example, installation
of new virus signatures refers repeatedly to "Chapter 2", but this manual has
no numbered chapters.
 
A very helpful feature is a "latest information" button on the menu interface
which presents the disk READ.ME file.  Thus the latest program info, helpful
hints and the hardcopy errata can be browsed onscreen.
 
Hardware Requirements
 
At least two disk drives, one of which must be a floppy, 512K memory and DOS
3.0 or higher.
 
Performance
 
It is gratifying to note the importance that ViruSafe gives to boot sector
viri.  The package contains provisions to save and restore the boot sector and
partition records for the hard disk.
 
Testing of this program was very problematic.  This version of the program
still would not run properly on the primary testing machine (a NEC Multispeed).
 
The system locked up repeatedly on most attempts to invoke any of the programs
in the package, including the installation and menuing program.
 
Testing of the programs is not as complete as I would prefer.  However, it can
be said that the claims made for this package exceed performance.  The package
is able to detect known viral programs, and can deal with most of them
effectively.  Performance with viral programs not known to the authors/program
indicates that these viri are able to bypass protections.
 
The change detection module, PIC, has a "generic disinfection" feature.  In
tests this worked very well, and was much simpler to operate than other
reviewed programs with the same feature.
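The review does not say how PIC's generic disinfection works.  The following is an added illustration (not code from ViruSafe, Thunderbyte or any product reviewed here) of the general technique such change-detection modules used: store each file's length, a hash, and its original leading bytes, and, when a file has grown and had its head patched, cut it back to the recorded length and put the saved head back, accepting the result only if the hash matches again.  The database layout, the 64-byte header size and the sample files are assumptions made for the example.

```python
"""Change detection with stored-information ("generic") disinfection.

Added example, not a product's own code.  Assumed model of what can be undone:
a file that was extended at the end and had its first bytes patched.  An
in-place overwrite of the file body cannot be repaired from this data, and
the code refuses to touch such a file rather than leave a half-repaired one.
"""
import hashlib
import json
import os
import tempfile

HEADER_BYTES = 64  # leading bytes kept per file (assumed size, not a product value)


def fingerprint(data: bytes) -> dict:
    """What the change detector stores: length, hash of the whole file, original head."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "header": data[:HEADER_BYTES].hex(),
    }


def build_database(directory: str) -> dict:
    """Fingerprint every regular file directly under directory (non-recursive)."""
    db = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                db[name] = fingerprint(f.read())
    return db


def check(path: str, entry: dict) -> str:
    """Classify a file against its stored entry: 'ok', 'grown', 'shrunk' or 'modified'."""
    with open(path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() == entry["sha256"]:
        return "ok"
    if len(data) > entry["size"]:
        return "grown"
    if len(data) < entry["size"]:
        return "shrunk"
    return "modified"


def generic_disinfect(path: str, entry: dict) -> bool:
    """Restore a changed file from stored data without knowing what changed it.

    Truncate to the recorded length, restore the saved header, and write the
    result back only if the hash of the candidate equals the stored hash.
    Returns False (file untouched) whenever that is not the case.
    """
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < entry["size"]:
        return False  # shrunk: nothing to cut back to
    header = bytes.fromhex(entry["header"])
    candidate = header + data[len(header):entry["size"]]
    if hashlib.sha256(candidate).hexdigest() != entry["sha256"]:
        return False  # body was altered; stored head and length cannot repair it
    with open(path, "wb") as f:
        f.write(candidate)
    return True


def demo() -> dict:
    """Constructed sample: one file is extended with its head patched, another is
    overwritten in the middle.  Returns the check/restore outcomes for both."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "PROG.COM")
        other = os.path.join(d, "OTHER.COM")
        original = bytes(range(256)) * 4  # 1024 constructed bytes standing in for a program
        for p in (prog, other):
            with open(p, "wb") as f:
                f.write(original)
        db = build_database(d)
        with open(prog, "r+b") as f:      # head patched, 300 bytes glued on the end
            f.write(b"!!!")
            f.seek(0, os.SEEK_END)
            f.write(b"X" * 300)
        with open(other, "r+b") as f:     # 50 bytes overwritten in place
            f.seek(500)
            f.write(b"Y" * 50)
        results["prog_before"] = check(prog, db["PROG.COM"])
        results["prog_restored"] = generic_disinfect(prog, db["PROG.COM"])
        results["prog_after"] = check(prog, db["PROG.COM"])
        results["other_before"] = check(other, db["OTHER.COM"])
        results["other_restored"] = generic_disinfect(other, db["OTHER.COM"])
        results["other_after"] = check(other, db["OTHER.COM"])
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```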
 
Local Support
 
Not provided.
 
Support Requirements
 
Users at any level should be able to run the program without assistance.  The
instructions for installing the programs on a system which may be infected are
clear and should be helpful in clearing up existing infections before
installation proceeds.  However, the plethora of options with regard to
activity monitoring and change detection would best be set up by an advanced
user experienced in virus protection.
 
                                 General Notes
 
The package has a multilayered approach to virus detection and prevention.  It
should be suitable for most users in situations of normal risk.  While the
package would effectively deal with the bulk of infections one would normally
encounter, some of its claims would appear to be overrated.  The package
tacitly admits this: while it claims to be able to find both known and unknown
viral programs, it does recommend buying the upgrades.  Nevertheless, its use
would significantly reduce risk of infection.
 
copyright Robert M. Slade, 1992   PCVIRSAF.RVW   921125
 
============= 
Vancouver      ROBERTS@decus.ca         | "Kill all: God will know his own."
Institute for  Robert_Slade@sfu.ca      |       - originally spoken by Papal
Research into  rslade@cue.bc.ca         |         Legate Bishop Arnald-Amalric
User           p1@CyberStore.ca         |         of Citeaux, at the siege of
Security       Canada V7K 2G6           |         Beziers, 1209 AD
============= for back issues:
Contacts list: cert.org, /pub/virus-l/docs/reviews
Reviews: cert.org, /pub/virus-l/docs/reviews/pc
Column: cert.org, /pub/virus-l/docs/slade.cvp.articles
           For those without ftp, see Jim Wright's posting, or use Cyberstore. 
           Also FREQ from 1:153/733 The Cage 604-261-2347.

------------------------------

Date:    07 Dec 92 13:41:00 -0600
From:    "Rob Slade, DECrypt Editor, VARUG NLC rep, 604-984-4067" <roberts@decus.arc.ab.ca>
Subject: Review of "Computer Viruses and Data Protection", Burger (general)

BKBURGER.RVW   921206
 
Computer Viruses and Data Protection
Ralph Burger
1991, 353 pp., general audience
Abacus, 5370 52nd Street SE, Grand Rapids, MI   49512
1-55755-123-5
 
 
A most telling quote is to be found on page 31 of this book.  In answer to the
question, "What do you think about the publication of information about
computer viruses", Burger quotes a "highly knowledgeable" although "secret"
source as saying:
    "I feel that it's the people who know the least about it that talk the
    most.  You tend to hear little from people who actually understand
    something about computer viruses. ... You don't have to include
    instructions on how to use computer viruses."
The quote is telling on three counts: 1) Burger tends to go on at great length
(350 pages) without giving out much information, 2) there is little hard
information in the book which would be of use to the average home or corporate
user concerned about protection against viral programs, and 3) Burger's
fancy for publishing viral source code seems to have no purpose except to build
notoriety.
 
(Before all the virus-writer-wannabes rush out to order copies, let me state
that he doesn't publish much, and what he publishes is not very good.)
 
Burger's propensity for publishing source code might be easier to take if the
book itself was a valuable resource.  It isn't.  The writing style is
disorganized and hard to follow, the information is untrustworthy and
recommendations for security are weak, outlandish or aimed at problems
unrelated to the current computer virus situation.
 
Even Burger's vocabulary bears little relation to the jargon of virus research.
 
He invents the phrase "logical virus" in a section on viral-like programs.  The
definition makes little sense, and one suspects that Burger is simply confusing
it with a "logic bomb".  In another section the author confuses the aspect of
the "von Neumann" computer architecture which means that the program and data
share the same "storage" space with the "von Neumann bottleneck" having to do
with limitations on processing speed.
 
One is left with the feeling that Burger has gathered a great volume of
information, and is publishing it without truly understanding it.  A section is
devoted to the work of Fred Cohen.  A subsection refers to "Cohen's
Contradictory Virus".  It seems to be related to Cohen's proof, by
contradiction, that the problem of identification of any given program as
"viral" or "non-viral" is undecidable.  In Burger's book, however, there is no
proof, little logic, and only patches of pseudo-code which really don't
demonstrate anything.
 
In fact, a great deal of the book consists of statements which are made and
never supported.  I read my wife the section on "virus experts", and her
immediate reaction was "doesn't he have to *prove* any of that?"  (Among other
things, the section seems to indicate that most virus research is being
conducted in grave secrecy by governments and large corporations.)  At the same
time, Burger's closing statements and opinions are so weakly worded that one is
reminded of the hapless TV reporter in "Doonesbury" who is never able to make a
definitive proclamation on any subject, no matter how simple.  (An amusing
example of this: Chapter 3 is entitled "Computer Virus Dangers", Chapter 4 is
"Is There a Danger?")
 
Burger's writing style is very difficult.  Even with section headings and
marginal annotations it is extremely difficult to follow the discussion.  There
is very little structure to the flow of arguments, and occasional bizarre
changes of subject.  At one point Burger reproduces a letter that he sent to
various corporations, and then complains that the poor response he got
indicates that the companies did not understand the gravity of the virus
situation.  While the one point that I can agree with Burger on is his repeated
assertion that too few people are "virus literate", I can certainly sympathize
with the companies.  They probably couldn't understand his letter.
 
It is hard to understand why certain information was included, and other
material was not.  The chapter on specific viral programs spends five pages
listing eight viral programs: it also spends five pages giving the names of
thirty "trojan" programs, which presumably could be renamed at will.  The
"Lehigh" virus, generally thought to be almost extinct "in the wild", is
described: "Stoned" and "Michelangelo" are quite notable by their absence. 
(While "Brain" is one of the viri described, the book nowhere deals with the
functions of boot sector viral programs.)  No Mac viri are described or listed
although there is one example each from the Atari and Amiga environments.
 
The chapter on protection strategies, while it does have some useful points,
also places heavy emphasis on such bizarre suggestions as writing custom
software for all applications, or running everything from EPROMs.  (It also
suggests the use of CD-ROM for software media, apparently unaware of the fact
that CD-ROMs have already been shipped with infected software.)  A section on
an "EDP High Security Complex" may prevent people from contaminating a keyboard
with spilled coffee, but won't do much to prevent viral infections.
 
A specific recommendation is instructive.  Burger twice suggests the use of the
RENAME system proposed by A. G. Buchmeier.  On an MS-DOS system, all .EXE files
are to be renamed to .XXX extensions.  These are then to be started with a
simple START.BAT file which contains the instructions:
         ren %1.XXX %1.EXE
         %1
         ren %1.EXE %1.XXX
(To be fair, Burger does give a listing of a fuller START.BAT which deals with
COM files as well.)  While this system would be somewhat effective against most
"direct action" viral programs, it would create great problems for the many
systems today which rely on cooperation between programs which "call" each
other at need.  It would also be of no use against "resident" viral programs
which infect on "file open": the programs would be infected as soon as they
were renamed or run.  (Interestingly, it would be rather effective against
"system" or "FAT" viral programs.)
 
Errors are legion.  Some mistakes are understandable and unimportant, such as
referring to the "Jerusalem" virus as the "Israeli PC" and "TSR" virus (p. 68).
 
Others might have more significance, such as the statement that the "Israeli
PC" virus makes all infected files into TSRs (p. 68).  In some places the book
contradicts itself, warning against BBSes and shareware on page 129 and yet
saying that the danger of receiving viri from data transfer is no higher than
through other means on page 292.  Still other statements are flatly impossible,
such as the assertion that the DEFENDER trojan "[writes] to ROM BIOS" (p. 110).
 
It would be pointless to try to list them all, but I would be willing to bet
that there are not three consecutive pages in the book which do not contain
errors of fact.  Chapter 5 is supposed to give examples of viral programs.  (In
fact, most of the chapter is occupied by reprints of the McAfee VIRLIST.TXT and
an early version of Jan Terpstra's virus signature list.)  Of the virus
description material that Burger wrote, the only entries which do not contain
errors are those which don't contain any information.
 
(One of the errors that Burger makes is highly amusing.  He examines Fred
Cohen's calculations in support of the assertion that a virus could not appear
spontaneously by a generation from random errors.  "Correcting" Dr. Cohen's
figures, and factoring in the increasing speed of computers, he comes up with a
figure of ten to the 283rd power for the number of years before a virus is
generated.  He sees this as "slightly different" and indicative of the
possibility of such a virus.  He is obviously boggled by the large numbers:
even given the most enthusiastic boosts for the increase in the number of
computers and computing power, he still would come up with a figure that is not
only longer than recorded history, but more than twenty five times greater than
the entire age of the known universe.)
 
Burger's stated purpose in publishing the viral source (Preface, page viii) is
to show how easy it is to write a virus.  In this aim, he must be said to fail
miserably.  Although the assembly listings in the book will hold no terrors for
those with a significant background in low-level programming in the MS-DOS
environment, those people wouldn't need any direction on how to build a virus. 
A "batch" virus, which would be easily within the range of the intermediate
user, turns out to use DEBUG in order to build some small but vital components,
with completely unexplained parameters.  Those who are familiar with the
architecture know that building a virus is trivial: those who aren't will not
find here a convincing demonstration of ease.
 
Another excuse for including the code (p. 315) is to "illustrate the weak
points in your computer system".  Again, this rationale is unconvincing.  Few
readers, outside of those familiar with assembly programming, would be either
able or willing to compile and test the code provided.  (Indeed, Burger, only
five paragraphs beyond the previous statement, warns readers *not* to "proceed
with risky tests of virus programs".)  Certainly, the code itself proves
nothing in terms of the strengths and weaknesses of any computer system.  More
extensive "case histories" of either viral infestations or specific viral
programs would have been far more convincing.
 
Burger's attitude to this business of virus source code is strangely
inconsistent.  Although there is source code listed in the book, Burger
specifically states that he will not publish the source for his VIRDEM.COM
program.  Although he doesn't publish the source, a copy of the VIRDEM program
is supposed to be on the companion disk for the book.  I didn't get one: the
companion disk was not shipped with the book.  I'm not hurt: VIRDEM is out in
the wild anyway and I have a copy from another source.
 
The situation of the missing companion disk raises another point.  The book
advertises Burger's own "Virus Secure for Windows", as does a catalogue for
other Abacus products bound into the back of the book.  However, I have been
informed by Abacus that "Virus Secure for Windows" is no longer available.
 
For all of its flaws, the book is a very complete overview of the topic in that
it ranges over all possible related subjects.  Although he often fails to
distinguish between the "blue sky" possible and the "here and now" real,
Burger's speculations do touch on a number of topics which are too often lost
in the immediate concerns about current data security problems.
 
For those who are completely new to the field, this book is too untrustworthy
to recommend as a primer.  Neither will it be very useful to those looking for
direction on protecting either home or corporate systems.  For those with some
serious study of viral programs or data security, the book raises interesting
points for discussion, although the specifics asserted may have to be tested
and challenged.  For those who are interested in writing their own viral
programs - fortunately, this book is *not* going to be a big help.
 
copyright Robert M. Slade, 1992   BKBURGER.RVW   921206

==============                      ______________________  
Vancouver      ROBERTS@decus.ca    |    |     /\     |    | swiped
Institute for  Robert_Slade@sfu.ca |    | __ |  | __ |    | from
Research into  rslade@cue.bc.ca    |    | \ \    / / |    | Mike
User           p1@CyberStore.ca    |    | /________\ |    | Church
Security       Canada V7K 2G6      |____|_____][_____|____| @sfu.ca
                                                            

------------------------------

Date:    23 Dec 92 11:25:00 -0600
From:    "Rob Slade, DECrypt Editor, VARUG NLC rep, 604-984-4067" <roberts@decus.arc.ab.ca>
Subject: Review of Thunderbyte Utilities (PC)



PCTBAV.RVW   921214
                               Comparison Review
Company and product:
 
Frans Veldman
ESaSS B.V.       
P.o. box 1380    
6501 BJ  Nijmegen
The Netherlands  
Tel:  31 - 80 - 787 881 
Fax:  31 - 80 - 789 186
Data: 31 - 85 - 212 395     (2:280/200 @fidonet)
bartjan@blade.stack.urc.tue.nl (Bartjan Wattel)
c/o Jeroen W. Pluimers
P.O. Box 266
2170 AG Sassenheim
The Netherlands
home:  +31-2522-20908 19:00-23:00 UTC
email: jeroenp@rulfc1.LeidenUniv.nl
       Jeroen_Pluimers@f256.n281.z2.fidonet.org
       100013.1443@compuserve.com
Thunderbyte AntiVirus Utilities
 
Summary:
 
Scan, disinfection, change detection, operation restriction, encryption
 
Cost   
 
Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      2
            Ease of use       3
            Help systems      3
      Compatibility           2
      Company
            Stability         3
            Support           2
      Documentation           2
      Hardware required       3
      Performance             2
      Availability            2
      Local Support           1
 
General Description:
 
An extension of the earlier Thunderbyte Rescue and Thunderbyte Scan programs.
These programs are still contained in the set, but are supported by a
disinfector with two "generic" disinfection modes (TBCLEAN), a change detector
(TBCHECK), an "overwriting" delete (TBDEL), operation restricting programs
(TBDISK, TBFILE and TBMEM), encryption (TBGARBLE), a menuing interface (TBAV)
and standardized TSR handling for compatibility with Windows and Novell
Netware.
 
                  Comparison of features and specifications
 
 
User Friendliness
 
Installation
 
Installation is a matter of copying the programs to disk and deciding how to
run them.  The documentation, while clear enough as to use, does not supply
much in the way of direction for installation.  With the new, larger set of
utilities, there is a section on installation in the INTRO.DOC file, but not
until page 10.  There is a "quick start" section at the beginning of each file
associated with a specific program, but there is still much room for
improvement.  Unfortunately, with the additions to the program, this matter has
become more important than it was heretofore, with only the scanners and the
TBRESCUE program.
 
While an intermediate or experienced user will be able to determine how best to
use these programs fairly easily, novice users may not have sufficient
information for installation.  Intermediate users may also have difficulty in
deciding how best to use the programs, as weaknesses and shortcomings of the
various modules are not noted.
 
Ease of use
 
The programs are very easy to use.  The command line switches should not be
strictly necessary for effective use, but can provide significant extra
information or use for the expert.
 
Note that there are still occasional grammatical errors in the screen displays
of the various programs.
 
Help systems
 
Because of the newer programs which do not require command line switches, an
"empty" invocation does not bring up a list of command line options.  However,
an invocation of any program with a "?" or "help" argument will.
 
Compatibility
 
Unfortunately, the program still shows signs of incompatibility and locking up
systems on some machines.  The more mature products (TBSCAN et al) are
generally well behaved, but the newer programs are not as robust in all
situations.  The programs also seem to be incompatible with each other: when
there were TB programs resident in memory and TBAV or other programs were being
used, the system would occasionally lock up.
 
Company Stability
 
The company has been supporting this product, with regular updates, for quite
some time now.  Recently there has been significant expansion in the
establishment of an "agent network".
 
Company Support
 
Contacts with the company have been sketchy so far.  Extensive efforts to
contact the principals via the electronic mail links provided did not produce
any return messages for the first review.  This time I was more successful. 
Some of the agents, particularly Jeff Cook of the United States, have been very
active in promoting the product on Fidonet.
 
In reaction to the first draft of this review, Frans Veldman stated that the
primary means of support were voice and fax.
 
One factor to consider here is the confusion over the virus signature files
used by the program.  The Thunderbyte scanner can use the signature format used
by the former IBM VIRSCAN program.  This format has recently been extended in
the case of Thunderbyte and the VSIG archive files generally used with
Thunderbyte.  However, it should be noted that the VSIG files are not produced
by the company that produces the Thunderbyte Utilities.  Frans Veldman has
stated that in the near future there will be a major change in the VSIG files.
 
It has been difficult, in the past, to get new releases of either the
Thunderbyte programs or the signature files on a timely basis.  As the files
are now distributed through the Fidonet related VirNet, this situation should
improve significantly.
 
Documentation
 
The documentation has been substantially improved in the matter of grammar and
errors.  However, there is still little coverage of viral concepts in general,
and the shortcomings and weaknesses of the program modules in particular. 
Installation of the program overall still needs work.
 
The documentation has also been standardized, and is very well laid out with a
table of contents prepended to the lengthier documents.
 
The documentation is of considerable size, with the Thunderbyte Scan portion
alone over 100K in length and the total size of the documentation approaching
300K.  Although the INTRO.DOC is reasonable coverage of the program, it is
*highly* recommended that you read everything thoroughly.
 
Hardware Requirements
 
Documentation for the various files deals with the specific needs of each
module.
 
Performance
 
The Thunderbyte Scan program has always been one of the fastest scanners
available.  Even with heuristic scanning implemented, it still shows startling
speed.  A test run on a 386 machine with a "normally" loaded 75 meg hard drive
completed in under half a minute.  
 
The "price" of this speed is debatable.  Most scanners no longer scan the
entire length of a program, but only the "top and tail", where most viral
programs must attach in order to function.  Although such programs will detect
most viral programs, it will not find those which can insert themselves
anywhere, such as the "Commander Bomber".  Some of those connected with
Thunderbyte, most recently one of the agents, have stated that this is one of
the means to speed up the program.  Frans Veldman, who should know, strongly
objects to this statement.  However, it is extremely unlikely that TBScan does
scan the whole file.
 
The documentation seems to indicate, and Frans Veldman states, that TBSCAN now
includes change detection in the scanning, but I found no evidence of this in
testing.  Specifically, manual changes to files that have been entered into the
data base are not reported to the user.
 
One possible concern: during testing I found that the DEBUG program gave rise
to a false alarm during scanning.  This is possibly to be expected with a
heuristic scanner.  What is of concern is that the same file, copied to a
different (but still COM) filename was not treated the same way.
 
The operation restricting programs operate as advertised, although such
programs always operate under the proviso that whatever software can protect,
software can circumvent.  Interestingly, the Thunderbyte programs are not
automatically exempt from interference: an attempt to disinfect a program with
the TBFILE program resident resulted in a warning.  (Another interesting point
is that an attempt to infect one file, while stopped, was allowed to change the
file creation date.  This is used by this particular virus as an infection
marker.)
 
The most attractive part of this new package is the second "generic"
disinfection mode.  Most generic disinfectors use a "return to state"
algorithm, much like the Hamming code used for error correction in memory or
communications systems.  This relies on the calculation of an "image" identity
of the original, uninfected file, and is of no use "after the fact".  TBCLEAN
uses this, but also has a "heuristic" cleaning mode, which does not rely on any
"prior knowledge" of either the infecting virus or the original file.
 
A success rate of 80% is claimed for the heuristic cleaning mode.  However,
there are two factors to be considered.  The second is the ability to clean
files infected with an unknown virus.  The first comes to us from Hippocrates'
injunction to physicians, "First, do no harm".  Therefore, TBCLEAN was tested
against some uninfected files.  Of the six files tested, the four COM files
were not harmed, but both EXE files were damaged, and thereafter useless.
 
Subsequent tests of disinfection of infected COM files were successful and
restored files to their original state.
 
In attempting to use the "checksum" method of disinfection, I found that the
TBSETUP program *cannot* be used to find an infected file.  Running TBSETUP
after an infection will void the ability to recover.  (This is mentioned in the
documentation, but given the difference between this and other programs, it
bears repeating.)  However, this disinfection mode otherwise works well.
 
Local Support
 
As noted above, it is difficult to get in touch with the principals via the
posted email addresses, but the agents, particularly Jeff Cook, are active on
the Fidonet virus related echoes.  Unfortunately, this activity does not seem
to extend to VIRUS-L/comp.virus where there have been few postings from anyone
related to the company.
 
Support Requirements
 
On a "scan only" basis, the program is simple to use.  Invocation of any of the
various modules is also quite simple.  Installation will require more expert
assistance.
 
                                 General Notes
 
The speed of the scanner, and its ability to use IBM's VIRSCAN signatures (and
have the user extend the signature file) make this a handy tool for "first
line" defense.  The product has been substantially improved even in respect of
the scanner alone, since last reviewed.  The addition of "heuristic" scanning
and reporting has made the scanner an excellent tool for the serious researcher
as well.
 
The package overall is recommended as a strong viral detection component.  It
is highly recommended as an adjunct to other protection, given some of the
unique features.  Novice users are strongly recommended to read all of the
documentation.
 
The addition of the new modules moves this product out of the "scanner" genre
and puts it in a class with the major "multilayered" programs.  Unfortunately,
there are still some questions to be answered with regard to the quality and
consistency of the protection provided.  Given the rapid development of the
Thunderbyte programs during this year (I had not yet finished this review when
the developers announced that version 5.02 was ready), it is to be hoped that
these questions will be addressed very soon.
 
copyright Robert M. Slade, 1991, 1992   PCTBAV.RVW   921214

==============
Vancouver      ROBERTS@decus.ca         | Omne ignotum pro magnifico.
Institute for  Robert_Slade@sfu.ca      |  - Anything little known
Research into  rslade@cue.bc.ca         |    is assumed to be
User           p1@CyberStore.ca         |    wonderful.
Security       Canada V7K 2G6           |               - Tacitus
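The "top and tail" scanning trade-off discussed under Performance above, as an added example in Python (not Thunderbyte's code, and not the reviewer's): a scan restricted to the two ends of a file against a full-file scan. The signature bytes, window size and sample files are constructed for the illustration.

```python
# Added example: toy "top and tail" signature scan versus a full-file scan.
# Not Thunderbyte code; SIGNATURE, WINDOW and the sample files are constructed.

SIGNATURE = b"\x9c\x50\xe8\x00\x00\x5d"  # constructed marker, not a real virus signature
WINDOW = 1024                             # bytes examined at each end of a file (assumed)


def scan_full(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Look for the pattern anywhere in the file: complete, but cost grows with size."""
    return sig in data


def scan_top_tail(data: bytes, sig: bytes = SIGNATURE, window: int = WINDOW) -> bool:
    """Look only in the first and last `window` bytes, where most appending and
    prepending infectors must place their code.  Fast, but a pattern that lies
    wholly inside the middle of the file is never examined."""
    if len(data) <= 2 * window:
        return sig in data
    return sig in data[:window] or sig in data[-window:]


def bytes_examined(length: int, window: int = WINDOW) -> int:
    """Work done by the top-and-tail scan: capped at 2*window however large the file."""
    return min(length, 2 * window)


def build_sample(where: str, size: int = 16384) -> bytes:
    """Constructed file of filler bytes with the marker at the head, middle or tail."""
    body = bytearray(b"\x90" * size)
    offset = {"head": 16, "middle": size // 2, "tail": size - len(SIGNATURE) - 16}[where]
    body[offset:offset + len(SIGNATURE)] = SIGNATURE
    return bytes(body)


def coverage_report() -> dict:
    """For each placement, what each scan method reports (the point the review makes)."""
    return {
        where: {"top_tail": scan_top_tail(build_sample(where)),
                "full": scan_full(build_sample(where))}
        for where in ("head", "middle", "tail")
    }
```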
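The "return to state" checksum disinfection and the TBSETUP caveat (a baseline taken after an infection cannot be used to detect or recover from it), as an added example in Python that is not Thunderbyte's code: the record layout, HEAD_LEN, the function names and the sample bytes are assumptions made for the illustration.

```python
# Added example (not Thunderbyte code): toy "return to state" integrity record
# in the spirit of the TBSETUP/TBCLEAN checksum mode; layout and samples assumed.
import hashlib
from dataclasses import dataclass
from typing import Optional

HEAD_LEN = 32  # bytes of the file head preserved in the record (assumed)

@dataclass(frozen=True)
class Record:
    length: int   # original file length
    head: bytes   # original first HEAD_LEN bytes
    digest: str   # SHA-256 of the whole original file

def make_record(data: bytes) -> Record:
    """Take the baseline.  Must be run on a known-clean file: a record made after
    a modification preserves the modified state, which is why TBSETUP cannot be
    used to find an infection after the fact."""
    return Record(len(data), data[:HEAD_LEN], hashlib.sha256(data).hexdigest())

def is_changed(data: bytes, rec: Record) -> bool:
    """Change detection: any difference from the recorded image is reported."""
    return hashlib.sha256(data).hexdigest() != rec.digest

def restore(data: bytes, rec: Record) -> Optional[bytes]:
    """Return the file to its recorded state, or None when that is impossible.
    Only head and length are stored, so only a change that patches the head and
    appends to the tail can be undone; the result is checked against the digest."""
    if len(data) < rec.length:
        return None
    candidate = rec.head + data[HEAD_LEN:rec.length]
    if hashlib.sha256(candidate).hexdigest() != rec.digest:
        return None
    return candidate

def demo() -> dict:
    """Constructed walk-through: clean file, head-patched-and-appended copy,
    mid-file-altered copy, and a baseline taken too late."""
    clean = bytes(range(256)) * 4
    appended = b"\xeb" * 8 + clean[8:] + b"\xee" * 300  # head patched, tail appended
    mid = clean[:500] + b"\xee" * 20 + clean[500:]       # bytes inserted mid-file
    good = make_record(clean)
    late = make_record(appended)                        # baseline taken after the change
    return {
        "appended_detected": is_changed(appended, good),
        "appended_restored": restore(appended, good) == clean,
        "mid_restored": restore(mid, good) is not None,
        "late_baseline_detects": is_changed(appended, late),
    }
```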

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 20]
*****************************************

