p1@arkham.wimsey.bc.ca (Rob Slade) (06/18/91)
[Ed. My apologies for the length of this digest. The reviews below, and the vendor list, are available on cert.sei.cmu.edu for anonymous FTP in the pub/virus-l/docs/reviews directory. Thanks once again to Rob Slade for all of this work which he is making available to all of us!]

Comparison Review

Company and product:

Delta Base Enterprises
9800A - 140th St.
Surrey, B. C.  V3T 4M5
604-582-15922
Fax: (604) 582-0101
CIS# 72137,603

Bangkok Security Associates
BBS: 662-255-5981

Victor Charlie 4.0

Summary: Change detection with self-generating "bait" files and viral signature capture

Cost: $99 Cdn

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation         2
            Ease of use          3
            Help systems         4
      Compatibility              2
      Company Stability          3
      Company Support            3
      Documentation              3
      Hardware required          4
      Performance                2
      Availability               2
      Local Support              2

General Description:

Victor Charlie is a series of batch and data files that generate a number of programs for trapping viral infections. There is also provision for the capture of viral signatures. Utilities are included for viewing boot sectors and recovering hard disk system areas. Requires DEBUG.COM for some operations.

Version 5.0 has, as of this writing, been released, but has not yet been received for review. Due to the novelty of the program, and its relative anonymity in North America and Europe, I am releasing this review now, with some notes about version 5.0, rather than wait for the next version.

Comparison of features and specifications

User Friendliness

Installation

The installation procedure outlined in the manual starts "earlier" in the process than any other reviewed so far. Not only does it recommend booting from a floppy, but it suggests that you SYS and replace the COMMAND.COM file on the hard disk before doing anything else. An initial "Quick Start" section of the manual relies on an intermediate knowledge of MS-DOS by the user, but this is stated at the beginning. (Unfortunately, it does not immediately point novice users to the later, and more detailed, VINSTALLATION chapter, nor does it point out the possible dangers of replacing the operating system on the hard disk. Also, although there is some discussion in the later chapter about the DOS disk, some discussion of the importance of write protecting the original disks might avoid possibilities for infection at this point.)

Installation of VC is not foolproof by any means. Almost all error messages are hidden from the user, and a lack of file space or an incorrect assumption regarding drive specifications will cause the installation to fail to complete. This, however, is not communicated to the user, and may not be obvious. To the novice this can be dangerous, in that the user may consider that the system is protected when, in fact, it is not. Experienced users will be able to custom tailor the installation to their own needs, since everything is done through batch files.

Although the documentation does indicate that the package can be run on floppy-only systems, installation onto floppies is problematic. If the command VINSTALL A: is given, the system will determine that A: is not a hard drive, and install only a portion of the full set of files. If, however, the command VINSTALL A:\VC is given, the program will not determine that A: is a floppy. When installing to a floppy drive, the boot sector and other system areas are "protected" (VC will detect an infection by a BSI), but not repairable (the backup file of the boot sector is not generated). A floppy installation program, FINSTALL.BAT, is provided, but it does not seem to work properly unless called from VINSTALL. Even then, on every attempt to install, the program terminated with an error message about an improper drive or path specification.

Although not mentioned in the manual until page 64, DEBUG.COM is required by a number of VC's programs. It should be on the computer, and in a directory in the active path.

Options in regard to installation are legion, but should be performed only by experienced users, as they are not necessarily well explained for the novice. Path and directory settings are vitally important, and it is quite possible to generate additional copies of the program which will no longer trap changes to programs.

Ease of use

The ability to use the programs effectively is very much dependent upon the installation chosen. With proper installation, occasional virus checks can be as simple as a single keystroke (Alt-V).

The program can, however, give conflicting messages. When the Stoned virus was active, it correctly detected that something had happened to the boot sequence. On a floppy system it was not able to recover the boot sector, but finished the sequence with a message that "Right now, you have NO active virus on this computer."

Help systems

Help of various sorts is provided, but in testing the program very often "lost" its help file, even when installed as directed. When a virus is detected, the messages that appear give a useful explanation of what has happened and why. The steps to take, and optional explanations of what has happened, are realistic, and should be clear even to a novice.

Compatibility

Although no part of the package is "resident", it warns against having TSRs active during installation.

Company Stability

The program is produced by Bangkok Security Associates (programmer John DeHaven, technical writer Alan Dawson, marketing director Simon Royle and financial director Ramesh Indhewat). BSA is a Thai company registered in the British Virgin Islands from Hong Kong.

Company Support

In Australia, where the product has had its major success to date, the product is supported by Combat Software. Otherwise company support is provided by the BBS listed above.

Documentation

The manual is entertainingly written, and contains a great deal of information on viral programs in general. Parts of the manual explain computer operations to the novice in great detail. There are, however, other parts that give out brief, or even misleading, information.

(A note on this business of directions to novice users. It may seem like a "fractal" type of problem, in that no matter how much you explain, there is still more to do. For example, TBSCAN's documentation suggests write protecting diskettes, and explains how to do it on a 3.5" diskette, but not on a 5.25". Victor Charlie does explain that you should put a "... sticker ... over the notch at the right-hand side of the disk when you look at it from the front." However, failing to mention that the notch is *square*, on the *side* of the disk cover, and that you cannot see the magnetic disk through it might allow some to permanently read *and* write protect the disk by placing the sticker over the drive head access slot. Still, in many cases Victor Charlie gives the best explanation to novice users yet reviewed.)

The tone of the documentation (both hardcopy and on disk) varies between jingoism ("... ultimate security ... defeat any current or future virus") and realism, while ultimately falling somewhat short in terms of actual details. In testing the system, I came to the conclusion that, while suitable for any users as a warning system, technical personnel will need more details as to the ultimate effectiveness, and how far to trust the package.

Hardware Requirements

MS-DOS 2.0 or higher and a minimum of 64K of RAM.

Performance

Unfortunately, even at this point, I am unable to state the performance of the system with confidence. It will find viral infections of programs, and of boot sectors. (In spite of the difficulties encountered in installing the system to a floppy, it had no difficulty in identifying "Stoned" infections on floppy. Further testing revealed that it was, somehow, detecting a change in the boot sector, rather than memory. Although the program checks memory and the system areas of the disk, the "signatures" of the original system are not stored with program file signatures.)

The actions of the package as a whole, regenerating itself from batch and data files, are quite fascinating. The program is a radical departure from any other reviewed system, and should be a valuable extra component for system security.

The change detection of the signature list may possibly be bypassed by a sophisticated virus, as it depends upon file length and checksum, rather than some of the more rigorous mathematical methods. However, the checksum is described by the company as "double-encrypted", and the method of calculation and protection, while not user definable, is not uniform throughout any release of the product.

The program, as it stands, is most useful against memory resident, program file infecting viri. Specific identification of sources of infection is not strong.

Local Support

In Australia, provided by Combat Software.

Support Requirements

Installation of the program is possible for novice users with standard computer configurations, but should likely be supported for any non-standard systems. Novice or intermediate users will require assistance to identify the source of infection if a virus is detected.

General Notes

This package is quite fascinating in its novel approach to virus detection. There are numerous shortcomings, but the approach could be a valuable adjunct to current methods. While the current implementation has significant shortcomings, particularly in non-standard configurations, the concept is a valuable one and, hopefully, future development will make the package more valuable as a stand-alone product.

Version 5.0 is said to be a major rewrite and upgrade. The virus signature library, which contains only two signatures in version 4.01, will identify all viral programs identified as "common" in the Hoffman Summary listing (the date of the listing is not specified). The library will also "accumulate" signatures as new viral programs are encountered. Changes effective in version 5.0 will include a new interface and installation process. New utilities will be added, and protection against "stealth" viri will be enhanced. System requirements will increase to 256K RAM and DOS 3.0 or higher, but the use of DEBUG.COM will be dropped. The documentation will include a 200 page book on computer viral operations, with separate version-specific technical references.

copyright Robert M. Slade, 1991   PCVC.RVW   910617

=============
Vancouver Institute for Research into User Security, Canada V7K 2G6
p1@arkham.wimsey.bc.ca | Robert_Slade@mtsg.sfu.ca | (SUZY) INtegrity
"If you do buy a computer, don't turn it on."  Richards' 2nd Law of Data Security
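The review's central technical caveat is that Victor Charlie's change detection rests on file length plus a checksum, and that a sophisticated virus could preserve both. The following is an added example illustrating that caveat; it is not code from Victor Charlie or Bangkok Security Associates, and because the product's checksum is described only as "double-encrypted", the 16-bit additive checksum used here is an assumed stand-in for a weak integrity measure. The "bait" files, the payload bytes, and the cavity-style overwrite are all constructed for the demonstration. It baselines two bait files with both the weak measure and SHA-256, modifies one so that its length and additive checksum are unchanged, and shows that only the cryptographic digest notices.

```python
"""Length-plus-checksum change detection versus a cryptographic digest.

Added example, not part of Victor Charlie. The additive checksum is an
assumed stand-in for an undocumented weak integrity check; bait contents
and payload are constructed.
"""
import hashlib
from dataclasses import dataclass

# Constructed bait: a 4-byte DOS "exit" stub (mov ah,4Ch ; int 21h)
# followed by zero padding, the kind of empty cavity an overwriting
# infector can hide in without changing file length.
BAIT_STUB = b"\xb4\x4c\xcd\x21"
PAD = 1024
COMPENSATION_BYTES = 260   # enough zero bytes to absorb any 16-bit delta


@dataclass(frozen=True)
class Record:
    length: int
    checksum: int   # weak: 16-bit additive checksum (assumed stand-in)
    digest: str     # strong: SHA-256 hex digest


def weak_checksum(data: bytes) -> int:
    """Sum of all bytes mod 2**16: order-insensitive and trivially compensable."""
    return sum(data) & 0xFFFF


def make_record(data: bytes) -> Record:
    return Record(len(data), weak_checksum(data), hashlib.sha256(data).hexdigest())


def make_bait() -> bytes:
    """Constructed bait program: exit stub plus zero padding."""
    return BAIT_STUB + bytes(PAD)


def cavity_infect(data: bytes, payload: bytes, offset: int) -> bytes:
    """Overwrite zero padding with payload, then rewrite the zero bytes that
    follow so the additive checksum is unchanged. Length is unchanged by
    construction, so a length+checksum baseline cannot see this."""
    end = offset + len(payload)
    cavity = data[offset:end + COMPENSATION_BYTES]
    if cavity != bytes(len(cavity)) or len(cavity) < len(payload) + COMPENSATION_BYTES:
        raise ValueError("need an all-zero cavity large enough for payload + filler")
    buf = bytearray(data)
    buf[offset:end] = payload
    # Filler must contribute exactly -sum(payload) mod 2**16; 0xFF bytes
    # plus one remainder byte reach any value in that range.
    need = (-sum(payload)) & 0xFFFF
    full, rest = divmod(need, 255)
    filler = bytes([0xFF]) * full + bytes([rest])
    buf[end:end + len(filler)] = filler
    return bytes(buf)


def check(baseline: dict, current: dict) -> dict:
    """Compare current file contents to the baseline; report which detector fired."""
    findings = {}
    for name, old in baseline.items():
        new = make_record(current[name])
        findings[name] = {
            "weak": (new.length, new.checksum) != (old.length, old.checksum),
            "strong": new.digest != old.digest,
        }
    return findings


def demo() -> dict:
    """Baseline two bait files, infect one with checksum compensation, re-check."""
    files = {"BAIT1.COM": make_bait(), "BAIT2.COM": make_bait()}
    baseline = {name: make_record(data) for name, data in files.items()}
    payload = bytes(range(0x20, 0x60))   # constructed stand-in for viral code
    files["BAIT2.COM"] = cavity_infect(files["BAIT2.COM"], payload, offset=16)
    return check(baseline, files)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: weak detector fired={result['weak']}, "
              f"SHA-256 detector fired={result['strong']}")
```

BAIT2.COM comes back with the weak detector silent and the SHA-256 detector firing, which is the gap the review describes: the infected file is the same length and has the same checksum as the baseline. The defence is not a secret or per-release checksum variant but a digest for which preserving the value is computationally infeasible, and a baseline stored where the infector cannot rewrite it.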