[comp.virus] Update review of PC-cillin

p1@arkham.wimsey.bc.ca (Rob Slade) (04/18/91)

Due to a request from one of the PC rags, the review of PC-cillin has
been updated.  PC-cillin has released a new version since last reviewed,
but the changes, as noted in the review, are fairly minor.

[Ed. The archive copy of this review has been updated on
cert.sei.cmu.edu.  Along with this review, the rest of Rob Slade's
product reviews and Chris McDonald's product reviews are available for
anonymous FTP on cert.sei.cmu.edu in pub/virus-l/docs/reviews]

                        Comparison Review

Company and product:

Trend Micro Devices Inc.
2421 W. 205th St., #D-100
Torrance, CA   90501
USA
213-782-8190
PC-cillin - program change detection hardware/software - version 2.95L


Summary:

A change detection and vaccine program with some scanning functions.
Change detection is applied to boot sectors and partition boot records
as well.  System status information is stored in a hardware device
connected to a parallel port.

Cost   US $139.00

Rating (1-4, 1 = poor, 4 = very good)
     "Friendliness"
          Installation   3
          Ease of use    3
          Help systems   2
     Compatibility       2
     Company
          Stability      ?
          Support        2
     Documentation       3
     Hardware required   3
     Performance         2
     Availability        2
     Local Support       ?

General Description:

The best functioning parts of the package appear to be the scanning, and
"resident scanning" operations.  Not highly recommended; most suitable
for novice users with operations primarily limited to a single hard disk
and strictly limited disk swapping.

           Comparison of features and specifications



User Friendliness

Installation

Note that there is no indication on the packaging as to version number.
The first version tested had files dated November 2, 1990 and was stated
to be version 2.95 in the README.DOC file on disk.  The second package
received (from a different source) was identical except for two added
stickers identifying the item as "Made in Taiwan R O C", but had file
dates of November 8, 1990 to January 23, 1991 and was stated to be
version 2.95L in the README.DOC file.  Further reading of the README.DOC
indicates that this version is now "LAN aware", more viral programs are
recognized, scanning is faster and that minor cosmetic changes are made
to the display.  (Previous problems with documentation have also been
rectified, and the package now contains both disk sizes.)

The disk is shipped write protected, although only by a write protect
tab.  (The disk is not a "notchless" read-only disk.)  The installation
procedure is written with a "pre-infected" system in mind, and, if
followed carefully, should provide against infection by any virus known
to the program.  (The procedure to be followed in case of partition
table infection, although quite clear in its explanation of the problem,
is deficient in not recommending making a backup before beginning the
procedure.)

PC-cillin can install from, or to, any drive, but will not install to
the drive from which the installation files are being run.  Installation
is simple and reasonably quick.  Modification to AUTOEXEC.BAT or
CONFIG.SYS is simple, but non-destructive and maintains a backup file.

When "verifying for known viruses" during installation, PC-cillin states
that it is checking high memory.  This is an intriguing report, as the
machine used for testing has only the standard 640K and a CGA card.
Based on relative times, the program appeared to be checking
approximately 2 megabytes of memory that did not exist.

Upon installation to a boot virus infected system, PC-cillin identified
the virus, but allowed the installation to proceed.  Upon "rebooting",
PC-cillin alerted for the presence of a boot sector virus.
Interestingly, once the disk was disinfected, PC-cillin allowed the disk
to boot normally.  Without having access to the encoding system used, it
is difficult to say what check is used to detect a change in the boot
sector.  A deliberate change made in the boot sector text had no effect.
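The experiment above (a deliberate edit of the boot sector text going unnoticed) can be modelled with two checksum strategies over a sector image. This is an added example, not code from the review or from PC-cillin; the 512-byte layout, the message text and both digest functions are constructed assumptions.

```python
import hashlib

SECTOR_SIZE = 512

def make_boot_sector(message: bytes) -> bytes:
    """Constructed, simplified boot sector: 3-byte jump, a text message,
    zero padding, and the 0x55AA signature in the last two bytes."""
    jump = b"\xEB\x3C\x90"
    body = jump + message
    body += b"\x00" * (SECTOR_SIZE - 2 - len(body))
    return body + b"\x55\xAA"

def full_sector_digest(sector: bytes) -> str:
    """Baseline computed over every byte of the sector."""
    return hashlib.sha256(sector).hexdigest()

def partial_digest(sector: bytes) -> str:
    """A weaker baseline that only covers the jump bytes and the boot
    signature; an edit to the text region never reaches it."""
    return hashlib.sha256(sector[:3] + sector[-2:]).hexdigest()

def changed(baseline: str, sector: bytes, digest_fn) -> bool:
    """True when the sector no longer matches the stored baseline."""
    return digest_fn(sector) != baseline

# Constructed sample: the same sector before and after a one-byte text edit.
ORIGINAL = make_boot_sector(b"Non-System disk or disk error")
MODIFIED = make_boot_sector(b"Non-System disk or disk errer")

def compare_checks() -> dict:
    """Run both detection strategies against the edited sector."""
    base_full = full_sector_digest(ORIGINAL)
    base_part = partial_digest(ORIGINAL)
    return {
        "full_sector_detects": changed(base_full, MODIFIED, full_sector_digest),
        "partial_detects": changed(base_part, MODIFIED, partial_digest),
    }

if __name__ == "__main__":
    print(compare_checks())
```

A change detector that covers only a few fixed fields behaves like the partial check here, which is consistent with the observation that a text edit in the boot sector raised no alarm.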

The package makes provision for software updates of the "signature"
programs without the need for reinstallation of the entire system.

Ease of use

A single program, PCC.EXE, gives access to all functions, installation,
scanning (called "Quarantine" by PC-cillin) and the production of a
"rescue diskette".  Installation and scanning are clear and self-
explanatory in operation.  The making of a rescue diskette is less so,
involving unnecessary disk swapping.

When scanning, PC-cillin does not disinfect infected files, but does
offer to delete them.  The decision is left to the user.  Boot sector
viri on floppies are not disinfected, even if they are the "boot floppy"
that PC-cillin was installed on.  Repair information is apparently only
stored for the hard disk PC-cillin is installed on.

Because of its "background" operation, PC-cillin presents an "inverse
face" (PC graphics character 02H) in the upper right hand corner of the
screen when in operation.  The documentation states that this display
can be toggled off or on with <Alt><Ctrl><Tab>, and that the operation
of PC-cillin in background can be toggled on and off with
<Alt><Ctrl><Backspace>.  The message displayed by the PCCILLIN program
at invocation now indicates the same key sequence, but the toggle still
does not work.

Help systems

None provided.

Compatibility

The scanning function of PC-cillin is now stated to recognize 176
different viri, and it does recognize the most common viri that make up
the bulk of current infections.  The "vaccine" functions of the product
are either very intelligent or very doubtful: the program will allow
programs to modify themselves, other programs and disk boot sectors, as
well as deleting program files.  (Disk writing by certain programs
appears to be restricted, but in testing no alarms were generated by
multiple attempts to write to program files through the use of different
programs and editors.)  Protection of boot sectors appears limited to
the "installed" hard disk: the program will not recover an infected boot
sector floppy.

Company Stability

Unknown.

Company Support

When the company first shipped the product for review, an incorrect
Customs declaration for shipping to Canada delayed shipping of the
review copy.

The program makes provision for software updates of the "signature"
programs, but does not indicate any definite way to keep customers
informed.  Although my copies are registered, I have received no notice
of the change in versions.

Documentation

The documentation is clear and well laid out, and contains an excellent
discussion of general viral operations.  The progression through the
book is logical, and novice users should be able to follow it clearly.
Advanced users will still find items of interest in the section on
general viral concepts.  The "stiff" binding and grammatical errors in
the README.DOC file have been corrected.


Hardware Requirements

At least one parallel (printer) port is required.  The "Immunizer Box"
attachment is said to be transparent to user data.

Performance

The product is "aware" of the currently most common viri.
Identification in various areas relies on known viral activity: although
memory is checked, it does not appear to "find" memory resident viri
which can also be found on disk.  Vaccine or recovery activities are
restricted at best.

Local Support

None provided.

Support Requirements

The program is easy enough for a novice to use and install without
assistance.  If a virus is found, it is recommended that experienced
personnel deal with it.

                          General Notes

A great deal of thought and planning has gone into the concept and
packaging of this product.  Provision for the use of floppy diskettes,
and a general strengthening of the "vaccine" and change detection
portions of the program would benefit it immensely.

copyright Robert M. Slade 1991 PCCILL2N.RVW   910417


=============
Vancouver          p1@arkham.wimsey.bc.ca   | "Don't buy a
Institute for      Robert_Slade@mtsg.sfu.ca |     computer."
Research into      (SUZY) INtegrity         | Richards' First
User               Canada V7K 2G6           | Law of Data
Security                                    | Security