[comp.virus] Review of IBM VIRSCAN version 2.00.01

p1@arkham.wimsey.bc.ca (Rob Slade) (06/18/91)

                               Comparison Review

Company and product:

IBM High Integrity Computing Lab
Thomas J. Watson Research Center
P. O. Box 218
Yorktown Heights, New York
USA      10598
Bill Arnold, author
David Chess CHESS@YKTVMV.IBM.COM, CHESS@YKTVMV.BITNET
VIRSCAN 2.00.01 dated 910307


Summary:

Non-resident scanner with user extensible signature file.

Cost    $35 US for original license, $10 for upgrades, enterprise wide
license

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      3
            Ease of use       3
            Help systems      3
      Compatibility           3
      Company
            Stability         3
            Support           2
      Documentation           3
      Hardware required       4
      Performance             3
      Availability            2
      Local Support           1

General Description:

IBM's VIRSCAN product appears to fall somewhat oddly between commercial
software and shareware.  Although IBM retains all rights to the program
(in a license agreement written as only IBM can), there is no printed
documentation, and the package is available on either single disks or
via the IBMLINK service.  The price is reasonable for an individual, but
almost absurdly low given the "enterprise wide" license.

VIRSCAN is a non-resident scanner with a non-encrypted and user
extensible signature file.  Command line switches can be used to obtain
a variety of information about the system.  The program makes no attempt
to disinfect or delete infections.

Recommended for any situation, but particularly for medium to large
companies and for intermediate to advanced users.

                  Comparison of features and specifications



User Friendliness

Installation

VIRSCAN, when supplied on disk, is shipped on "non-writable" diskettes.

IBM does not suggest installation on the hard drive at all.  The
suggested use of the program is to boot from a protected floppy, and run
the program from the floppy disk.  The documentation does give
directions on how to prepare a bootable floppy with the scanning program
on it.  These directions are very complete.  (Directions are even given
on how to write protect a 3 1/2" floppy disk, although they are not as
explicit for 5 1/4" disks.)

An explanation of "resident" viri is given, and directions for booting
from the original system floppy are given.  The directions do assume
that you have original IBM equipment and operating system disks, but
should be clear for most systems, even for novice users.

The documentation is written with the novice user in mind, and is, in
places, excellent.  Some "obvious" steps are missing in the directions,
but by and large they are very clear, and cover ground often missing in
the documentation of other products.

Ease of use

As the product has evolved, a number of command line switches have been
added.  The default settings, however, are very well chosen, and novice
users should not need to know the various options.  Advanced users will
be able to use them without problems.

One possible problem is that by default the scan proceeds to conclusion
even when the screen has filled with warning messages.  This should not
be a problem in normal operation, but may be of concern in scanning a
heavily infected system.  (The "-Z" switch will, however, cause the
program to pause at each signature found and this may be an acceptable
alternative.)

Help systems

Two levels of help are available from the command line, called by
switches.  (Somewhat counterintuitively, the "?" switch gives more
extensive and complicated assistance than does the "??" switch.)  As the
program is run from the command line only, "onscreen help" is not an
issue.

Compatibility

VIRSCAN will run under both DOS and OS/2, and will examine drives with
both DOS/FAT and HPFS file structures.

The structure of the signature file is outlined in the manual, and at
least one other scanning program obtained for evaluation (Thunderbyte
Scan from Frans Veldman) uses this same file format as a standard.  This
allows the use of additional signature information with the program, and
also allows users to add new signatures to update the package, or their
own signatures if a new virus is found.

Mention is made in the documentation of a switch to disable "high
memory" checking, which appears to indicate that the program will check
high memory by default.  The extent of this is not, however, clearly
specified in the documentation.  In a communication from David Chess, it
was explained that "high memory" is defined as the area between 640K and
1 meg.  No scanning is done above 1 meg.  (Note that when run from OS/2,
the program does *not* check system memory.  Memory is only checked when
the program is run from DOS or the DOS compatibility box.)

Company Stability

They'll probably be around for a while.

Company Support

Those on the Internet and Usenet who receive VIRUS-L/comp.virus will
have access to David Chess' postings and email address.  IBMLINK
subscribers will have access to upgrades and information.

Documentation

The documentation is available only in softcopy on the disk.  While
sections are excellent, the presentation and order of the manual
(VIRSCAN.DOC) would likely be daunting to the novice.

A major strength is the discussion of the weaknesses of the program, and
a warning against trusting it too far.

Hardware Requirements

The documentation does not state any minimum requirements for operation.

Performance

While VIRSCAN does not search for as many viri as FPROT or SCAN, it
catches all common viri.  Speed of operation is neither the slowest nor
the fastest tested, and is quite acceptable.

Note that VIRSCAN makes no attempt to disinfect or delete infected
files.

Local Support

Local support, even from IBM staff, is unfortunately undependable.
There are numerous instances of those staff who should, presumably, be
familiar with the product being unaware of its particulars and
availability, or even giving out false information.  (I was twice
contacted by IBM staff who *offered* to get me copies of the program for
evaluation, and then were unable to find it themselves.)  There have
been a number of cases of IBM local representatives giving versions
intended for internal use only to outside clients.

Support Requirements

The program should be suitable for any user.  Support staff will find
additional functions that novice users would not use.

If, however, an infection is detected, additional support will be
required.  It is likely that only advanced users would be able to take
effective action, and even then would likely require other antiviral
packages to correct the situation.

                                 General Notes

This product is an excellent value for any company.  It is easy to see
that IBM could lose control over the integrity of the product if it were
to be distributed as shareware or "freeware".  It is also reasonable
that IBM be allowed to make some return on the resources devoted to this
product.  That said, I still could wish for some attempt to make the
product more available to the general user community.

The lack of support available through IBM representatives is disturbing.
Again, while it is understandable that not all staff can be expert in
all products, the lack of support for a product of such universal
importance is to be regretted.

In comparison to other scanners, the lack of disinfection would tend to
make this product an adjunct rather than the only tool used.  It is
still, though, a high quality tool, and could easily be chosen as the
primary virus alert product.

copyright Robert M. Slade, 1991   PCIBMSCN.RVW   910617


=============
Vancouver          p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for      Robert_Slade@mtsg.sfu.ca |  computer, don't
Research into      (SUZY) INtegrity         |  turn it on."
User               Canada V7K 2G6           | Richards' 2nd Law
Security                                    | of Data Security