From lehigh.edu!virus-l  Fri May 28 08:05:15 1993 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Fri, 28 May 93 20:01:12 1
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2)
	id AA12869; Fri, 28 May 1993 19:55:40 +0200
Received: from  (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA19150
  (5.67a/IDA-1.5 for <mikael@vhc.se>); Fri, 28 May 1993 12:05:15 -0400
Date: Fri, 28 May 1993 12:05:15 -0400
Message-Id: <9305281459.AA01070@agarne.ims.disa.mil>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: virus-l@agarne.ims.disa.mil
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: VIRUS-L Moderator <virus-l@agarne.ims.disa.mil>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #87

VIRUS-L Digest   Friday, 28 May 1993    Volume 6 : Issue 87

Today's Topics:

Document/review spring cleanup
Review (maybe) of "Computers Under Attack"
Review of "Syslaw" by Rose/Wallace
Review of "Rogue Programs", L. Hoffman, ed.
Review of "Computer Viruses ... Your System" by Haynes/McAfee
Polymorphic Viruses
Review of BootX (Amiga)
Review of Chasseur II (Atari)
Review of FCHECK (Atari)
Revised Product Test, PT-20, SAM, version 3.5.1 (Mac)
Revision to Product Test PT-9, DISINFECTANT, 3.0 (Mac)
Revised Product Test, PT-30, VirusDetective, v5.0.9 (Mac)
Review of Western Digital's "Immunizer" (PC)
Review of "Victor Charlie" 5.0 (PC)
Product Test 55, Gobbler II, version 3.0 (PC)
Revision to Product Test PT-41, VIRx, version 2.6D (PC)
Product Test #61, VDS PRO, version 1.0 (PC)
Product Test Report # 59, IBM ANTI-VIRUS/DOS, version 1.01 (PC)
Revised Product Test 36, CPAV, version 1.4 (PC)
Revised Product Test PT-17, F-PROT, version 2.08a (PC)
Revised Product Test PT-3, VIRUSCAN, version 104 (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on cert.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk


----------------------------------------------------------------------

Date:    Fri, 28 May 93 10:44:12 -0400
From:    "Kenneth R. van Wyk" <krvw@agarne.ims.disa.mil>
Subject: Document/review spring cleanup

VIRUS-L/comp.virus readers:

I'm currently (finally!) cleaning up the queue of product reviews and
documentation that I have here.  My apologies for taking so long to
get these out the door.  My move here to DC caused the logistics for
updating files on CERT.ORG to change quite a bit.  Now that the
procedure seems to be working well, I'll try to resume a steady flow
of product reviews and submitted papers.  Thanks for everyone's
patience.

Cheers,

Ken

Kenneth R. van Wyk
Moderator, VIRUS-L/comp.virus
krvw@Agarne.IMS.DISA.MIL

------------------------------

Date:    19 Feb 93 14:33:00 -0600
From:    "Rob Slade" <roberts@decus.arc.ab.ca>
Subject: Review (maybe) of "Computers Under Attack"

BKDENING.RVW   930209
 
ACM Press
11 W. 42nd St., 3rd Floor
New York, NY   10036
212-869-7440
Computers Under Attack: intruders, worms and viruses, Peter J. Denning, ed.,
0-201-53067-8
 
This book is a very readable, enjoyable and valuable resource for anyone
interested in "the computer world".
 
That said, I must admit that I am still not sure what the central theme of this
book is.  Denning has brought together a collection of very high quality essays
from experts in various fields, and at one point refers to it as a "forum". 
That it is, and with a very distinguished panel of speakers, but it is
difficult to pin down the topic of the forum.  Not all of the fields are in
data security, nor even closely related to it.  (Some of the works, early in
the book, relating to what we now generally term "the Internet", do contain
background useful in understanding later works regarding "cracking" intrusions
and worm programs.)
 
[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/books/slade.computers.under.attack
]

 
copyright Robert M. Slade, 1993   BKDENING.RVW   930209

==============                      ______________________  
Vancouver      ROBERTS@decus.ca    |    |     /\     |    | swiped
Institute for  Robert_Slade@sfu.ca |    | __ |  | __ |    | from
Research into  rslade@cue.bc.ca    |    | \ \    / / |    | Mike
User           p1@CyberStore.ca    |    | /________\ |    | Church
Security       Canada V7K 2G6      |____|_____][_____|____| @sfu.ca
                                                            

------------------------------

Date:    07 Apr 93 17:34:00 -0600
From:    "Rob Slade" <roberts@decus.arc.ab.ca>
Subject: Review of "Syslaw" by Rose/Wallace

BKSYSLAW.RVW   930402

PC Information Group, Inc.
1126 East Broadway
Winona, MN   55987
Syslaw, 2nd ed., Lance Rose and Jonathan Wallace, 1992

The introduction to "Syslaw" states that although the title implies the
existence of a new kind of law relating to electronic bulletin board systems,
in reality it is simply an extension of existing laws, mores and practices. 
In the same way, although the book states itself to be aimed at the BBS
community, and particularly sysops, there is much here of interest and moment
to anyone involved with sharing information through computer systems.

[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/books/slade.syslaw
]


copyright Robert M. Slade, 1993   BKSYSLAW.RVW   930402

------------------------------

Date:    11 Apr 93 14:08:00 -0600
From:    "Rob Slade" <roberts@decus.arc.ab.ca>
Subject: Review of "Rogue Programs", L. Hoffman, ed.

BKHOFMAN.RVW   930401
 
Van Nostrand Reinhold
c/o Nelson Canada
1120 Birchmont Road
Scarborough, Ontario
M1K 5G4
416-752-9100
fax: 416-752-9646
Rogue Programs: Viruses, Worms and Trojan Horses, Ed. Lance J. Hoffman, 1990,
0-442-00454-0
 
Reading the list of contributors to this work was rather like "old home week"
at VIRUS-L.  The introduction states that the book arose from Hoffman's
frustration over the lack of a suitable text for a virus seminar and that the
seminar participants compiled the material from available sources.  Even one of
the seminar participants, Chris Feudo, has recently released a computer virus
handbook (see BKFEUDO.RVW).
 
[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/books/slade.rogue.programs
]

 
copyright Robert M. Slade, 1993   BKHOFMAN.RVW   930401
 
 
==============
Vancouver      ROBERTS@decus.ca         | "A ship in a harbour
Institute for  Robert_Slade@sfu.ca      |  is safe, but that is
Research into  rslade@cue.bc.ca         |  not what ships are
User           p1@CyberStore.ca         |  built for."
Security       Canada V7K 2G6           |           John Parks

------------------------------

Date:    03 May 93 00:31:00 -0600
From:    "Rob Slade" <roberts@decus.arc.ab.ca>
Subject: Review of "Computer Viruses ... Your System" by Haynes/McAfee

BKMCAFEE.RVW   930404
 
St. Martin's Press
175 Fifth Ave.
New York, NY   10010
USA
    Computer Viruses, Worms, Data Diddlers, Killer Programs and Other Threats
         to Your System: what they are, how they work and how to defend your
         PC, Mac or mainframe, John McAfee and Colin Haynes, 1989, 0-312-02889-X
 
If you buy only one book to learn about computer viral programs -- this is
*not* the one to get.  As a part of a library of other materials it may raise
some interesting questions, but it is too full of errors to serve as a "single
source" reference.

[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/books/slade.mcaffee.virus.book
]
 
copyright Robert M. Slade, 1993   BKMCAFEE.RVW   930404

==============
Vancouver      ROBERTS@decus.ca         | "Don't buy a
Institute for  Robert_Slade@sfu.ca      |     computer."
Research into  rslade@cue.bc.ca         | Jeff Richards'
User           p1@CyberStore.ca         | First Law of
Security       Canada V7K 2G6           | Data Security


------------------------------

Date:    Fri, 30 Apr 93 19:43:34 -0400
From:    tyetiser@umbc.edu (Mr. Tarkan Yetiser)
Subject: Polymorphic Viruses

      Polymorphic Viruses: Implementation, Detection, and Protection
                         
                              Copyright (c) 1993
                                 
                                      by
                  
                          VDS Advanced Research Group
                                P.O. Box 9393
                          Baltimore, MD 21228, U.S.A.

                                  prepared by
                          
                                Tarkan Yetiser
                    
                        e-mail: tyetiser@umbc5.umbc.edu
        
                                Jan 24, 1993
                                  PA, U.S.A.                           


                                   Summary
                              
This paper discusses the subject of polymorphic engines and viruses. It looks 
at general characteristics of polymorphism as currently implemented. It tries 
to maintain a practical presentation of the subject matter rather than an 
academic and abstract approach that would confuse many people. Basic 
knowledge of the Intel 80x86 instruction set will be highly useful in 
understanding the material presented. A very detailed discussion is avoided 
not to have the side effect of "teaching" how to create polymorphic engines 
or viruses. The purpose is to help computer professionals understand this 
trend of virus development and the threats it poses. It should serve as a 
starting point for individuals who would like to get an idea about the 
polymorphic viruses and how they are implemented. Long gone are the days of 
innocence, when any schoolboy could write a virus scanner using a few 
signatures extracted from captured virus samples.

The subject of polymorphism can be extended to other areas such as 
anti-reverse-engineering or anti-direct-attacks, and it can be argued to be 
useful in that context. This paper only looks at the use of polymorphism in 
PC viruses to avoid simple detection techniques.

[Moderator's note: The remainder of this document is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/yetiser.polymorphic
]

------------------------------

Date:    Sun, 23 May 93 02:06:29 -0400
From:    "Rob Slade" <roberts@decus.arc.ab.ca>
Subject: Review of BootX (Amiga)


930430  AMBOOTX.RVW
 
                               Comparison Review
 
Company and product:
 
Peter Stuer
Kauwlei 21
B-2550 Kontich
Belgium
Peter.Stuer@p7.f603.n292.z2.FidoNet.Org
BootX 5.23
 
Summary: Scanner and disinfector with some operation restriction
                              
 
Cost                          
 
Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      
            Ease of use       
            Help systems      
      Compatibility           
      Company
            Stability         
            Support           
      Documentation           
      Hardware required       
      Performance             
      Availability            
      Local Support           
 
General Description:
 
 
 
                  Comparison of features and specifications
 
 
 
User Friendliness
 
Installation
 
Both automated and manual installation are provided.
 
Ease of use
 
BootX can be run from either the CLI or the Workbench.  Once invoked it can be
made the "foreground task" by a "hot key" call.  The program is menu driven,
with a comprehensive range of actions.
 
Help systems
 
Can use the AmigaGuide.library function if available.
 
Compatibility
 
Unknown but unlikely to cause problems.  Some problems are noted with Enforcer.
 
Will work with certain compression programs to check compressed executables.
 
Company Stability
 
Unknown, but this is currently one of the major recommended Amiga antivirals. 
The program is distributed as freeware.
 
Company Support
 
The author's mail and email addresses are given, as well as contact info for
"Safe Hex International".
 
Documentation
 
Simple but straightforward directions on the installation and running of the
program.  There is little general discussion of viral programs and operation,
but some is mentioned in conjunction with certain features of the program. 
Unusually for a shareware/freeware package there is an extensive glossary which
may provide some background.  (I learned, for instance, that a "linkvirus" is
the term for what is more generally known as a program or file infecting
virus.)
 
System Requirements
 
512K RAM or higher and at least one disk drive.  KickStart v2.04 and
ReqTools.library v38 or higher.  Workbench v2.1 or higher to use the language
independence utility and v3.0 or higher to use the AmigaGuide.library help
feature.  Various decompression programs may be needed to check compressed
executables.
 
Performance
 
Unknown at this time due to lack of a test suite.  Currently one of the most
highly recommended Amiga antivirals.
 
Local Support
 
The author is reachable via Fidonet and Internet mail.
 
Support Requirements
 
Users experienced with using shareware should have no problems.
 
copyright Robert M. Slade, 1993   930430   AMBOOTX.RVW

==============
Vancouver      ROBERTS@decus.ca         | Slade's Law of Computer 
Institute for  Robert_Slade@sfu.ca      |        Literacy:
Research into  rslade@cue.bc.ca         |   - There is no such thing
User           p1@CyberStore.ca         |     as "computer illiteracy";
Security       Canada V7K 2G6           |     only illiteracy itself.


------------------------------

Date:    04 May 93 15:04:00 -0600
From:    "Rob Slade" <roberts@decus.arc.ab.ca>
Subject: Review of Chasseur II (Atari)

Of course no one will believe it, but this is *not* prompted by the recent
spate of calls for Atari and Amiga stuff.  I recently had an opportunity to
do some partial testing of some antivirals on other systems and took it.
Unfortunately, the tests are not complete, and cannot be finished at this
time due to the absence of a viable "test suite".  I have, however, 
attempted to give some indication of the shareware utilities I was able to
round up, and have added the contact info to the CONTACTS.LST.

Herewith, then, is the first.

ATCHSSR2.RVW   930430
 
                               Comparison Review
 
Company and product:
 
A. & Z. Vidovic
Tour Panoramique
Duchere
69009 Lyon
France
Chasseur II
 
Summary: Boot sector overwriter
                              
 
Cost  50 Fr (U$15)
 
Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      
            Ease of use       
            Help systems      
      Compatibility           
      Company
            Stability         
            Support           
      Documentation           
      Hardware required       
      Performance             
      Availability            
      Local Support           
 
General Description:
 
 
 
                  Comparison of features and specifications
 
 
 
User Friendliness
 
Installation
 
The files (at least BOOTBASE.DAT) *must* be installed in a directory called
\CHASSEUR.II or else the program will not function.
 
Ease of use
 
There are only three options on the main menu: check disk, vaccinate and check
memory.  These are represented by icons, with no words.
 
Help systems
 
None provided.
 
Compatibility
 
Unknown.  The vaccinate function, although stated to be irreversible (which,
oddly, appears to contradict the documentation), seems not to harm MS-DOS
disks, since it adds a jump at the beginning, and adds a short message at the
end.  (MS-DOS "system" disks, of course, will no longer be bootable.)
 
Company Stability
 
Unknown.
 
Company Support
 
None provided.
 
Documentation
 
A README.VIR file states that they believe the program is simple enough that
there is no need for documentation.  This is generally true, but it is a pity
that there is not more detail on some of the claims made for the program.
 
System Requirements
 
None stated.
 
Performance
 
Unknown.  This seems to be a tool for very technically literate users, aimed at
boot sector infectors only.
 
Local Support
 
None provided.
 
Support Requirements
 
It is unlikely that even intermediate users would understand, say, the memory
listings generated.  However, it should be effective against boot sector
infectors even in novice cases.  (One should note that *all* of the Atari boot
sector overwriting programs may damage certain self-booting disks.)
 
copyright Robert M. Slade, 1993   ATCHSSR2.RVW   930430
 
============= 
Vancouver      ROBERTS@decus.ca         | Life is
Institute for  Robert_Slade@sfu.ca      | unpredictable:
Research into  rslade@cue.bc.ca         | eat dessert
User           p1@CyberStore.ca         | first.
Security       Canada V7K 2G6           | 

------------------------------

Date:    Mon, 17 May 93 15:49:34 -0400
From:    "Rob Slade" <roberts@decus.arc.ab.ca>
Subject: Review of FCHECK (Atari)

ATFCHECK.RVW   930430
 
                               Comparison Review
 
Company and product:
 
Roger Lindberg
Cyklonvagen 3
451 60  Uddevalla
SWEDEN
FLIST and FCHECK
 
Summary: change detection software
                              
 
Cost  Pounds 5
 
Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      
            Ease of use       
            Help systems      
      Compatibility           
      Company
            Stability         
            Support           
      Documentation           
      Hardware required       
      Performance             
      Availability            
      Local Support           
 
General Description:
 
                  Comparison of features and specifications
 
 
 
User Friendliness
 
Installation
 
FLIST must be run first in order to make a FILELIST.LIS comparison database. 
Thereafter, FCHECK can be run in the same directory as the database in order to
note changes.  (FCHECK can be run from the AUTO folder as long as FILELIST.LIS
is present as well.)
 
(A sense of humour!  When invoked, the program presents a message box stating
"I am not a wealthy man  Please consider a donation", signed Roger Lindberg
1991.  The acknowledgement "button" does not state the normal "OK" but rather
"I WILL".  :-)
 
Ease of use
 
If FILELIST.LIS exists (which it does, in the distribution file), it must be
deleted first, or a new name must be chosen.  (The documentation states that
the name *must* be FILELIST.LIS.)  Creating the file is not exactly
straightforward: the file must be created, then loaded and then a new menu
selected to add those files to be checked.  Files must be selected
individually.  Then the file must be saved before exiting the FLIST program.
 
The FCHECK program has no options: it simply checks the file length and
checksum against the stored values.  It must be watched: if there is some
problem the fact is noted, but the program does not leave the information
onscreen before it terminates.
 
Help systems
 
None provided.
 
Compatibility
 
Unknown.  Generally should not be a problem, but will report changes in
programs which alter their own code.
 
Company Stability
 
Unknown.
 
Company Support
 
Unknown.
 
Documentation
 
Not extensive, but adequate if read carefully.
 
System Requirements
 
None stated.
 
Performance
 
Reasonably quick operation, once set up.  A bit difficult in doing the initial
installation.  No attempt to "diagnose" changes on the disk.
 
Local Support
 
None provided.
 
Support Requirements
 
Likely will require assistance of at least intermediate user and someone versed
in the potential of viral programs to alter other program files.
 
copyright Robert M. Slade, 1993   ATFCHECK.RVW   930430

==============
Vancouver      ROBERTS@decus.ca         | "virtual information"
Institute for  Robert_Slade@sfu.ca      |   - technical description of
Research into  rslade@cue.bc.ca         |     marketing info disguised
User           p1@CyberStore.ca         |     as technical description
Security       Canada V7K 2G6           |            - Greg Rose
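
[Added example, not part of the review above and not FCHECK's own code: a
sketch of the baseline-then-compare scheme the review describes, storing each
file's length and checksum and later reporting differences.  Assumptions: the
review does not say which checksum FCHECK uses, so SHA-256 stands in; the JSON
database layout, the FCHECK.LOG report file (written so findings outlive the
run) and all function names are hypothetical.]

```python
import hashlib
import json
import os
import tempfile


def fingerprint(path):
    """Return (length, SHA-256 hex digest) of one file, read in chunks."""
    digest = hashlib.sha256()
    length = 0
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
            length += len(chunk)
    return length, digest.hexdigest()


def build_baseline(paths, db_path):
    """FLIST-like step: store length and checksum for each selected file."""
    records = {}
    for path in paths:
        length, checksum = fingerprint(path)
        records[os.path.abspath(path)] = {"length": length, "sha256": checksum}
    with open(db_path, "w", encoding="utf-8") as db:
        json.dump(records, db, indent=2, sort_keys=True)
    return records


def check_baseline(db_path, report_path=None):
    """FCHECK-like step: compare current files against the stored values.

    Returns a list of (path, status) and, if report_path is given, also
    writes it to disk so the result is not lost when the program exits.
    """
    with open(db_path, encoding="utf-8") as db:
        records = json.load(db)
    findings = []
    for path, stored in sorted(records.items()):
        if not os.path.isfile(path):
            findings.append((path, "missing"))
            continue
        length, checksum = fingerprint(path)
        if length != stored["length"]:
            findings.append((path, "length changed"))
        elif checksum != stored["sha256"]:
            # Only the checksum catches an in-place, same-size modification.
            findings.append((path, "content changed, same length"))
    if report_path is not None:
        with open(report_path, "w", encoding="utf-8") as report:
            for path, status in findings:
                report.write(f"{status}\t{path}\n")
    return findings


def demo():
    """Run both steps over constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as workdir:
        names = ["PROG_A.PRG", "PROG_B.PRG", "PROG_C.PRG", "PROG_D.PRG"]
        paths = [os.path.join(workdir, name) for name in names]
        for path in paths:
            with open(path, "wb") as handle:  # constructed sample content
                handle.write(b"\x60\x1a" + b"constructed sample body " * 8)
        db_path = os.path.join(workdir, "FILELIST.LIS")
        build_baseline(paths, db_path)

        with open(paths[1], "ab") as handle:   # PROG_B grows
            handle.write(b"appended")
        with open(paths[2], "r+b") as handle:  # PROG_C changes, same size
            handle.seek(4)
            handle.write(b"XXXX")
        os.remove(paths[3])                    # PROG_D disappears

        report_path = os.path.join(workdir, "FCHECK.LOG")
        findings = check_baseline(db_path, report_path)
        with open(report_path, encoding="utf-8") as report:
            logged = len(report.read().splitlines())
        return [(os.path.basename(p), s) for p, s in findings], logged


if __name__ == "__main__":
    print(demo())
```

[A program that rewrites its own file will show up as "content changed" on
every run, which is the compatibility caveat noted in the review.]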


------------------------------

Date:    Thu, 11 Mar 93 19:56:58 -0700
From:    Chris McDonald STEWS-IM-CM-S <cmcdonal@wsmr-emh03.army.mil>
Subject: Revised Product Test, PT-20, SAM, version 3.5.1 (Mac)

******************************************************************************
                                                                         PT-20
                                                            Revised March 1993
******************************************************************************


1.  Product Description:  Symantec AntiVirus for Macintosh (SAM) is a commercial
software program for the prevention, detection, and elimination of viruses and
certain trojan horse programs for the Macintosh.  This product test addresses
version 3.5.1 with virus definitions through February 22, 1993.

2.  Product Acquisition:  SAM is available from Symantec Corporation, 10201
Torre Avenue, Cupertino, CA 95014-9854.  Site licensing arrangements are
available.  Symantec's telephone number is 800-441-7234.  Mail order firms
typically sell a single copy for around $63.00 to $75.00.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Directorate of
Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548,
DDN cmcdonald@wsmr-simtel20.army.mil; and Robert Thum, Systems Administrator,
Directorate of Information Management, White Sands Missile Range, NM 88002-
5030, DSN 258-7739, DDN rthum@wsmr-emh34.army.mil.

[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/mac/mcdonald.sam
]

------------------------------

Date:    Mon, 05 Apr 93 08:41:17 -0700
From:    Chris McDonald <CMCDONALD@WSMR-SIMTEL20.ARMY.MIL>
Subject: Revision to Product Test PT-9, DISINFECTANT, 3.0 (Mac)

******************************************************************************
                                                                          PT-9
                                                            Revised April 1993
******************************************************************************


1.   Product Description: Disinfectant is a freeware program to detect and
to repair virus activity for Macintosh systems.  The author is Mr. John
Norstad, Academic Computing and Network Services, Northwestern University, 2129
North Campus Drive, Evanston, IL 60208.  Mr. Norstad's Internet address is
j-norstad@nwu.edu.  This product test evaluates version 3.0.  The only changes
from the last test report involve the updating of Mr. Norstad's addresses. 

2.  Product Acquisition:  Disinfectant is available on the Internet, from
bulletin board systems, and from Apple User Groups.  Whenever there is a new
release, Mr. Norstad posts a notification to the Virus-L Internet mailing.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Directorate of
Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548,
DDN cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/mac/mcdonald.disinfectant
]

------------------------------

Date:    Fri, 14 May 93 12:18:50 -0700
From:    Chris McDonald <CMCDONALD@WSMR-SIMTEL20.ARMY.MIL>
Subject: Revised Product Test, PT-30, VirusDetective, v5.0.9 (Mac)

******************************************************************************
                                                                         PT-30
                                                              Revised May 1993
******************************************************************************


1.  Product Description:  VirusDetective and VirusBlockade II are shareware
programs to detect and to delete known viruses and trojan horses for the
Macintosh.  This product test addresses VirusDetective V5.0.9.  The current
version of VirusBlockade if one upgrades to System 7.1 is V2.0.7.

2.  Product Acquisition:  Both programs are available from their author Jeffrey
S. Shulman through Shulman Software CO., 1111 W. El Camino Real, Suite 109MAC,
Sunnyvale, CA 94087-1057.  A registered user receives a program diskette, an
overview guide, a user license, and automatic notification of future malicious
code search strings.  Mr. Shulman has an Internet address for customer support
and pricing information, kilroy@netcom.com.  As of the date of this product 
test, registered VD+VB owners may order the latest version of BOTH programs
for $20.00 ($25.00 for non-US users).  Site licenses are available.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Directorate of
Information Management, White Sands Missile Range, NM 88002-5506, DSN 258-7548,
DDN cmcdonal@wsmr-emh34.army.mil.                              

[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/mac/mcdonald.virus.detective
]

------------------------------

Date:    07 May 93 14:56:00 -0600
From:    "Rob Slade" <roberts@decus.arc.ab.ca>
Subject: Review of Western Digital's "Immunizer" (PC)

PCWDIMMN.RVW   921109
                               Comparison Review
 
Company and product:
 
Western Digital Corporation
8105 Irvine Center Drive
Irvine, CA   92716
714-932-5000
714-932-6250 Letty Ledbetter
Robert McCarroll, Product Manager, Systems Logic Group
714-932-7013 Terry Walker (and Robert Lee, developer) fax: 714-932-7097
Mark Levitt fax: 714-932-7098
Benjamin Group (marketing)
Suite 480, 100 Pacifica Ave.
Irvine, CA   92718
714-753-0755 (Erin Jones, Sari Barnhard and Carolyn Fromm) fax: 714-753-0844
Immunizer (new technology to be announced 921109)
 
Summary: concept proposal for hardware component for data security
                              
Cost: N/A
 
Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      1
            Ease of use       1
            Help systems      1
      Compatibility           2
      Company
            Stability         2
            Support           1
      Documentation           1
      Hardware required       2
      Performance             2
      Availability            1
      Local Support           1
 
General Description:
 
The "Immunizer" concept involves a cooperative effort between BIOS makers,
board manufacturers and antiviral software producers.  The central component,
as far as Western Digital is concerned, is the 7855 system controller chip. 
With proper implementation, the concept should allow protection of hard disk
and memory areas, while at the same time allowing the user the option to "lift"
the protection via software in order to allow for normal system maintenance
functions.

[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/pc/slade.immunizer
]
 
 
copyright Robert M. Slade, 1992   PCWDIMMN.RVW   921109

------------------------------

Date:    12 Feb 93 15:14:00 -0600
From:    "Rob Slade" <roberts@decus.arc.ab.ca>
Subject: Review of "Victor Charlie" 5.0 (PC)

PCVC.RVW   921212
                               Comparison Review
 
Company and product:
 
Bangkok Security Associates
888/32-33 Ploenchit Road
Bangkok 10330
Thailand
TEL: 662-251-2574
BBS: 662-255-5981
FAX: 662-253-6868
or Delta Base Enterprises
221 - 32853 Landeau Place
Abbotsford, BC, V2S 6S6
TEL: 853-2998
FAX: 853-9164 effective NOV18/92
72137.603@compuserve.com or a682@mindlink.bc.ca
or Computer Security Associates
(803)-796-1935 
Lannatec Associates Inc,
166 Anna Avenue,
Ottawa, Ont. 
K1Z 7V2
(613)-724-5978.
Victor Charlie 5.0
 
Summary: Change detection with "baiting" files and viral signature capture
 
Cost   $99 Cdn
 
Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      2
            Ease of use       2
            Help systems      2
      Compatibility           2
      Company
            Stability         3
            Support           1
      Documentation           3
      Hardware required       3
      Performance             2
      Availability            2
      Local Support           2
 
General Description:
 
Victor Charlie is a series of batch and data files that generate a number of
programs for trapping of viral infections.  There is also provision for the
capture of viral signatures.  Utilities are included for viewing of boot
sectors and recovery of hard disk system areas.  Version 5.0 no longer requires
DEBUG.COM.

[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/pc/slade.victor.charlie
]

copyright Robert M. Slade, 1991, 1992   PCVC.RVW   921212
 
============= 
Vancouver      ROBERTS@decus.ca         | "Kill all: God will know his own."
Institute for  Robert_Slade@sfu.ca      |       - originally spoken by Papal
Research into  rslade@cue.bc.ca         |         Legate Bishop Arnald-Amalric
User           p1@CyberStore.ca         |         of Citeaux, at the siege of
Security       Canada V7K 2G6           |         Beziers, 1209 AD
============= for back issues:
Contacts list: cert.org, /pub/virus-l/docs/reviews
Reviews: cert.org, /pub/virus-l/docs/reviews/pc
Column: cert.org, /pub/virus-l/docs/slade.cvp.articles
           For those without ftp, see Jim Wright's posting, or use Cyberstore. 
           Also FREQ from 1:153/733 The Cage 604-261-2347.

------------------------------

Date:    Sun, 21 Feb 93 18:23:12 -0700
From:    Chris McDonald STEWS-IM-CM-S <cmcdonal@wsmr-emh03.army.mil>
Subject: Product Test 55, Gobbler II, version 3.0 (PC)

*******************************************************************************
                                                                          PT-55
                                                                  February 1993
*******************************************************************************


1.  Product Description:  Gobbler II, Advanced Anti-Virus Toolkit, is a viral
signature identification and removal program copyrighted by COMRAC, the
Netherlands.  This product test addresses version 3.0.

2.  Product Acquisition:  In June 1992 a Victor Smith contacted me over the
Internet and asked if I would test Gobbler II.  He identified himself as
"one" of the programmers involved with the program which had started in February
1989.  The Dutch company COMRAC apparently acquired the program in early 1990.
Victor sent me the program UUENCODED in mid July 1992; however, checksum errors
accompanied the transmission.  He successfully retransmitted the program on
July 21, 1992.  He indicated that additional materials would follow via land
mail.  This never occurred.  Electronic mail communications with Victor Smith
ceased to be responsive in October 1992 so details on the program are
incomplete.  Vesselin Bontchev from the Virus Test Centre-Hamburg has issued a
report on Gobbler II's effectiveness against the MtE object module in which he
gives the status of the program as "Shareware?".

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Directorate of
Information Management, White Sands Missile Range, NM 88002-5030, DSN:
258-7548, DDN:  cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/pc/mcdonald.gobbler
]

------------------------------

Date:    Tue, 09 Mar 93 20:48:11 -0700
From:    Chris McDonald STEWS-IM-CM-S <cmcdonal@wsmr-emh03.army.mil>
Subject: Revision to Product Test PT-41, VIRx, version 2.6D (PC)

*******************************************************************************
                                                                          PT-41
   					                     Revised March 1993
*******************************************************************************


1.  Product Description:  VIRx is a copyrighted program written by Ross M.
Greenberg to detect computer viruses and malicious programs.  Glenn Jordan at
trent@rock.concert.net has assumed the responsibility of maintaining and
updating the program code.  VIRx is the detection portion (VPCScan) of the
commercial protection program Virex-PC (reference PT-23).  This product test
addresses version 2.6D, February 1993.

2.  Product Acquisition:  The program is freely distributed by Datawatch
Corporation, Post Office Box 51489, Durham, North Carolina 27717, with special
instructions for business and corporate users.  These users have only a 30 day
license for product evaluation, after which they must contact Datawatch for
site license authorization.  THIS MAJOR LICENSING CHANGE OCCURRED AT VERSION
1.9.  Datawatch has made VIRx available on its own bulletin board system
(919-419-1602), on other bulletin boards and on software repositories, to
include the MS-DOS repository on simtel20 [192.88.110.20].  The current path on
simtel20 is pd1:<msdos.virus>virx26D.zip.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Directorate of
Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548,
DDN cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/pc/mcdonald.virx
]

------------------------------

Date:    Mon, 12 Apr 93 07:47:40 -0700
From:    Chris McDonald <CMCDONALD@WSMR-SIMTEL20.ARMY.MIL>
Subject: Product Test #61, VDS PRO, version 1.0 (PC)

*******************************************************************************
                                                                          PT-61
 
   					                             April 1993
*******************************************************************************


1.  Product Description.  Virus Detection System (VDS) Professional (PRO) is
an integrity checker which creates a "fingerprint" of all system areas and
executable files.  This product test addresses version 1.0. 

2.  Product Acquisition:  VDS PRO is available from Z-RAM, Inc., Post Office
Box 2087, Church Circle Station, Annapolis, MD 21404.  The telephone number is
(800) 638-2000.  A single copy costs $49.00 plus shipping charges.  Site
licenses for federal, local and state governments are available.  A "special
discount" exists for academic institutions.  The primary individual identified
with the program development is Mr. Tarkan Yetiser.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Directorate of
Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548,
DDN cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/pc/mcdonald.vds.pro
]

------------------------------

Date:    Thu, 08 Apr 93 16:22:28 -0700
From:    Chris McDonald <CMCDONALD@WSMR-SIMTEL20.ARMY.MIL>
Subject: Product Test Report # 59, IBM ANTI-VIRUS/DOS, version 1.01 (PC)

*******************************************************************************
                                                                          PT-59
 
   					                             April 1993
*******************************************************************************


1.  Product Description:  The IBM AntiVirus/DOS is a commercial program to
detect and to remove viruses.  This product test addresses version 1.00 and
version 1.01. 

2.  Product Acquisition:  The IBM AntiVirus/DOS is available from the IBM
Corporation Distribution Center, 1420 Presidential Drive, Richardson, TX 75081.
The telephone number is (800) 551-3579.  A single copy is $29.95 plus shipping
and handling.  One may enroll in an annual protection plan for $59.95 plus
sales tax which entitles one to four updates.  If a business has 50 or more   
personal computers, site licenses are available by calling (800) 742-2493.
 
3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Directorate of
Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548,
DDN cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/pc/mcdonald.ibm.antivirus
]

------------------------------

Date:    Mon, 26 Apr 93 09:26:48 -0700
From:    Chris McDonald <CMCDONALD@WSMR-SIMTEL20.ARMY.MIL>
Subject: Revised Product Test 36, CPAV, version 1.4 (PC)

*******************************************************************************
                                                                         PT-36
  							    Revised April 1993 
 
*******************************************************************************


1.  Product Description:  Central Point Anti-Virus (CPAV) is a commercial
product to detect and to disinfect known MS-DOS viral infections.  The program
provides additional protection against the introduction of "unknown" and/or
malicious code through integrity checking (checksumming) and through the
detection of "suspicious" activity.  This test report addresses version 1.4
with updates through April 1993.  It also eliminates errors in the previous
test report and clarifies certain results pertaining to Type I alarms.

2.  Product Acquisition:  CPAV is available from Central Point Software, Inc.,
15220 N.W. Greenbrier Parkway, Suite 200, Beaverton, OR 97006-5764.  The
published customer service number is 503-690-8090.  The list price for a single
copy is $129.00.  Site licenses are available.  Microsoft has bundled a flavor
of CPAV in its shipment of MS-DOS 6, known as Microsoft Anti-Virus (MSAV).
Published information states that Central Point will handle all upgrades to
MSAV.  As of April 15, 1993, no upgrades to MSAV had occurred.

3.  Product Testers:  Don Rhodes, Information Systems Management Specialist,
Directorate of Information Management, White Sands Missile Range, NM
88002-5030, DSN:  258-8174, DDN:  drhodes@wsmr-emh35.army.mil; Chris Mc Donald,
Computer Systems Analyst, Directorate of Information Management, White Sands
Missile Range, NM 88002-5030, DSN:  258-8174 is listed above; DSN:  258-7548, DDN:
cmcdonal@wsmr-emh34.army.mil or cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/pc/mcdonald.cpav
]

------------------------------

Date:    Fri, 21 May 93 16:20:50 -0700
From:    Chris McDonald <CMCDONALD@WSMR-SIMTEL20.ARMY.MIL>
Subject: Revised Product Test PT-17, F-PROT, version 2.08a (PC)

*******************************************************************************
                                                                          PT-17
     						               Revised May 1993
*******************************************************************************


1.  Product Description:  F-PROT is a program designed to provide malicious
program detection, disinfection, and protection.  This product test addresses
version 2.08a, May 1993.        

2.  Product Acquisition:  F-PROT is a shareware program distributed by
Fridrik Skulason, Box 7180, IS-127 Reykjavik, Iceland.  Mr. Skulason has posted
F-PROT on a number of Internet sites.  The program is on the U.S. Army White   
Sands host simtel20.  The path on simtel20 [192.88.110] for anonymous ftp 
downloading is pd1:<msdos.virus>.  The program is free for home use on a single
personally-owned computer.  There is a registration fee for commercial and
government users.  Site licenses are available as well as discounts for
multiple copy registrations.  Finally Mr. Skulason has negotiated several
agreements
where other vendors have bundled or incorporated F-PROT into access control/
viral protection programs.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Directorate
of Information Management, White Sands Missile Range, NM, DSN 258-7548, DDN
cmcdonal@wsmr-emh34.army.mil.

[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/pc/mcdonald.f-prot
]

------------------------------

Date:    Tue, 25 May 93 17:45:48 -0700
From:    Chris McDonald <CMCDONALD@WSMR-SIMTEL20.ARMY.MIL>
Subject: Revised Product Test PT-3, VIRUSCAN, version 104 (PC)

******************************************************************************
                                                                          PT-3
     						              Revised May 1993 
******************************************************************************


1.  Product Description:  VIRUSCAN is a shareware program to detect known viral
signatures for IBM PC and compatible computers.  If one utilizes available
options, it may be possible to identify the presence of "new" malicious code.
This product test revision addresses Version 9.15V104, May 1993.

2.  Product Acquisition:  VIRUSCAN is available from the McAfee Associates
bulletin board and from its Internet host, from other bulletin board systems,
and from other Internet hosts to include simtel20 [192.88.110.20].  The      
registration fee is $25.00 for individual home users.  Site licenses are
available for commercial, government and university environments.  Registration
entitles the user to unlimited upgrades as well as technical support for one
year.  "Registration" is for home users only.  The McAfee BBS number is (408)
988-3832; the Internet address is mcafee.com or 192.187.128.1 for anonymous
ftp downloading.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Directorate
of Information Management, White Sands Missile Range, NM 88002-5506, DSN
258-7548, DDN cmcdonal@wsmr-emh34.army.mil.

[Moderator's note: The remainder of this product review (and MANY
other product reviews - including book reviews) is available by
anonymous FTP on cert.org (IP number 192.88.209.5) in the path/file:
  pub/virus-l/docs/reviews/pc/mcdonald.virusscan
]

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 87]
*****************************************


