JXA5@MARISTB.BITNET (John Councill) (04/25/91)
Hi. I'm sure that this question has been asked here before, but I'll ask it again: Can anyone reading this recommend a reliable program that will sit in memory and warn against writes to .EXE and .COM files, as well as other suspicious virus-like activity without degrading performance of the machine too much? Are there products like this that you've had bad experiences with?

And while I'm posting this, I'll comment that it would be a GOOD THING if someone from IBM who reads this, and is affiliated with VIRSCAN, could announce new releases of this program on VIRUS-L. Such notification would help me out a lot, as our IBM rep is usually ignorant about it. AND it would help avoid the kind of rumor flurrying that surrounded the last release.

Thanks,
John A. Councill                Bitnet: JXA5@MARISTB
Technical Assistant             Voice: 914-758-7494
Henderson Computer Resources Center of Bard College in Idyllic Annandale-on-Hudson NY
<Opinions expressed are not necessarily those of my humble leaders.>
RADAI@HUJIVMS.BITNET (Y. Radai) (05/08/91)
John Councill asks:
>Can anyone reading this recommend a reliable program that will sit in
>memory and warn against writes to .EXE and .COM files, as well as
>other suspicious virus-like activity without degrading performance of
>the machine too much?

Several months ago, I made a quick comparison between several programs of this type which I have. (I call them "monitoring" programs. There are other reasonable names, and also one which I consider very inappropriate: Robert Slade's term "vaccine" software.) When I saw John's question, I thought this would be a good opportunity to make my comparison more complete, but I see I'm not going to find the time, so for now I'm reporting only my previous results.

The programs which I compared were F-LOCK, FSP, SECURE, TSAFE, and VTAC. I decided that the most important criterion was the ability to prevent infection by the largest number of viruses (without giving too many false alarms, of course), and that the type of virus which would be most likely to separate the good programs from the mediocre would be those viruses which avoid re-direction of interrupt vectors (by jumping directly to the interrupt handlers or by issuing commands directly to the controller). So I threw 4 viruses of this type against each of the above programs. The number which each program stopped was as follows:

    SECURE   4
    F-LOCK   1
    others   0

On this criterion, SECURE is clearly the best monitoring program. (Fridrik Skulason has an alternative version of F-LOCK which would do better, but he hasn't released it because of conflicts with certain software.) It's conceivable that other viruses would give opposite results, but I very much doubt it. On the other hand, there are many other criteria which I did not subject to a systematic comparison, such as false alarms, slowing down of ordinary computer activity, flexibility and convenience.

Btw, the author of SECURE, Mark Washburn, is also the author of the V2P* virus series, all of which are variable self-encrypting viruses designed to demonstrate the futility of relying on programs which attempt to detect viruses by scanning for characteristic strings. V2P1 (better known as the 1260) was distributed publicly, and while it is not itself destructive, someone evidently used its disassembly as the basis for the Casper virus, which is quite destructive. This, of course, does not prevent SECURE from being the best monitoring program, at least judging by my limited comparison. I can only hope that others will make more thorough tests.

(All of the above except TSAFE are available from Simtel20 in <MSDOS.TROJAN-PRO>.)

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL
esaholm@utu.fi (Esa Holmberg) (05/09/91)
RADAI@HUJIVMS.BITNET (Y. Radai) writes:
> The programs which I compared were F-LOCK, FSP, SECURE, TSAFE, and

I'm afraid you have tested a wrong program; F-DRIVER would be the actual resident virus tester of the F-PROT package, and not F-LOCK. I wonder what the results would look like with F-DRIVER instead of F-LOCK?

-- 
Esa Holmberg -- esaholm@utu.fi, ekho@ttl.fi, ekho@f152.n222.z2.fidonet.org
fax : +358 21 510 017, Elisa : Holmberg Esa TTL
frisk@rhi.hi.is (Fridrik Skulason) (05/12/91)
esaholm@utu.fi (Esa Holmberg) writes:
>RADAI@HUJIVMS.BITNET (Y. Radai) writes:
>
>> The programs which I compared were F-LOCK, FSP, SECURE, TSAFE, and
>
> I'm afraid you have tested a wrong program; F-DRIVER
> would be the actual resident virus tester of the F-PROT
> package, and not F-LOCK. I wonder, what the results
> would look like with F-DRIVER instead of F-LOCK ?

Well, no - Y. Radai tested the correct program - the important question was not how effective the programs were against KNOWN viruses, but rather how effective they were against the methods used, and how effective they would be against new viruses using those methods.

I had a version of F-LOCK which was able to stop all the viruses from accessing the system directly, but I removed that feature in version 1.08 (I think), as it conflicted with some programs, including my cache program. Besides - I don't currently put much emphasis on the F-LOCK part of my package, for two reasons - it does not work with Windows (F-DRIVER will), and it is being rewritten for version 2.0.

Regarding version 2.0, which was originally scheduled to be released two months ago - I have been seriously considering changing the name of the product. The most likely new name is taken from Greek mythology, 'Argus' - the name of the hundred-eyed all-seeing giant. Any suggestions?

-frisk
Fridrik Skulason   Technical Editor of the Virus Bulletin (UK)   (author of F-PROT)
E-Mail: frisk@rhi.hi.is   Fax: 354-1-28801
RADAI@HUJIVMS.BITNET (Y. Radai) (05/13/91)
In connection with my comparison of F-LOCK, FSP, SECURE, TSAFE, and VTAC, Esa Holmberg writes:
> I'm afraid you have tested a wrong program; F-DRIVER
> would be the actual resident virus tester of the F-PROT
> package, and not F-LOCK.

No, that's incorrect. I don't know if your mistake is in not knowing how F-DRIVER works or in confusing two different types of resident anti-viral programs:

(I) Those which search for *specific strings* (or patterns), each characteristic of a particular *known* virus, within program files which are about to be executed, and (usually) also in boot records when the anti-viral program is loaded. Such programs must be updated continually to catch new viruses.

(II) Those which warn of suspicious activity by intercepting attempts to modify executable files, to stay resident, to format disks, etc., regardless of the source of this activity. (It might be a virus, a Trojan, or some perfectly innocuous program; and if a virus, it may be a known one or an unknown one.) Such programs do not ordinarily require updating.

Now John Councill's question certainly resembled Type II more than Type I, so I referred to the five programs of this type which I had compared, and that includes F-LOCK. F-DRIVER, on the other hand, is of Type I, and therefore was not an appropriate program for my comparison. (When I say that a program is of Type I, it may include a few Type-II features as well, but certainly F-DRIVER and V-Shield are basically of Type I.)

Perhaps my posting would have been clearer if, instead of calling Type-II programs simply "monitoring" programs, I had called them *generic* monitoring programs. F-LOCK is generic; F-DRIVER is not. (Btw, there are also generic *disinfection* programs, i.e. programs which in the great majority of cases can restore a file to its original state regardless of the virus which infected it.)

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL
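A toy model of the Type I / Type II distinction Radai draws above, and of the vector-bypass test from his first post, added here as an illustration that is not code from any program named in the thread. The "vector table", the file names and the five-byte "scan string" are constructed stand-ins for INT 21h and real virus patterns.

```python
# Toy model of the two resident anti-viral program types Radai describes.
# Constructed illustration: the vector table, file names and the virus
# "signature" are made up stand-ins for INT 21h and real scan strings.
EXECUTABLE_SUFFIXES = (".EXE", ".COM")
KNOWN_SIGNATURES = {b"\x90\xeb\x2a\xcd\x21": "constructed-virus-A"}  # Type I data

def type1_scan(image):
    """Type I: report the first known scan string found in a file image."""
    for sig, name in KNOWN_SIGNATURES.items():
        if sig in image:
            return name
    return None  # an unknown or re-encoded variant is simply not seen

class DosModel:
    """Type II: a generic monitor hooked into the simulated interrupt vector."""
    def __init__(self):
        self.files, self.alerts = {}, []
        self.original_write = self._dos_write   # the DOS handler itself
        self.vectors = {0x21: self._dos_write}  # the vector table entry

    def _dos_write(self, path, data):
        self.files[path] = data
        return True

    def install_monitor(self):
        orig = self.vectors[0x21]
        def hooked(path, data):
            if path.upper().endswith(EXECUTABLE_SUFFIXES):
                self.alerts.append(path)        # suspicious: write to executable
                return False                    # refuse the write
            return orig(path, data)
        self.vectors[0x21] = hooked

    def write_via_vector(self, path, data):
        """Ordinary program: calls through the vector table, so the hook sees it."""
        return self.vectors[0x21](path, data)

    def write_direct(self, path, data):
        """Vector-avoiding program: jumps to the original handler, skipping the hook."""
        return self.original_write(path, data)

def run_scenarios():
    sysm = DosModel()
    sysm.install_monitor()
    body = b"\x90\xeb\x2a\xcd\x21" + b"...rest of constructed body..."
    variant = bytes(b ^ 0x5A for b in body)     # same body, re-encoded
    return {"type2_blocked_via_vector": not sysm.write_via_vector("HOST.COM", body),
            "type2_blocked_direct": not sysm.write_direct("HOST.EXE", body),
            "type1_known": type1_scan(body), "type1_unknown": type1_scan(variant)}
```

The two gaps the thread discusses show up as the two failing entries: the scanner misses the re-encoded copy it has no string for, and the monitor never sees the write that skips the vector table, which is exactly the case Radai's four test viruses were chosen to exercise.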