[comp.virus] Review of Norton Antivirus

p1@arkham.wimsey.bc.ca (Rob Slade) (03/16/91)

                               Comparison Review

Company and product:

Symantec/Peter Norton
10201 Torre Avenue
Cupertino, CA   95014
USA
408-253-9600
800-343-4714
800-441-7234
408-252-3570
416-923-1033
Norton AntiVirus


Summary:

Manual and TSR virus scanning, as well as change detection.

Cost    $130 US

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      3
            Ease of use       2
            Help systems      2
      Compatibility           3
      Company
            Stability         3
            Support           3
      Documentation           2
      Hardware required       4
      Performance             3
      Availability            4
      Local Support           1

General Description:

The NAV.EXE program has the ability to scan memory, boot sectors and
files for the presence of known viral programs, and to "inoculate"
programs against change.  It can also recover some damage to programs
and boot sectors.  The NAV_.SYS program provides TSR checking of files,
although it does not detect viral programs in memory, or deal
effectively with boot sector viri.

                  Comparison of features and specifications



User Friendliness

Installation

The program is shipped on "read only" disks, therefore cannot be
infected at the user's site without active intervention.

It is absolutely essential to read the on disk READ.ME file, as the
documentation is incorrect in many places including installation.  The
printed documentation fails to mention the NAV.DEF virus definition file
and the program will not function without it.

Installation can be done from any drive to any drive, including floppy
drives.  If old versions of Norton Antivirus are found they can be
overwritten or backed up at the user's discretion.  The installation
program is clear and simple to use, and gives clear instructions and
explanations of the various options.  (With some exceptions.  For
example, the program assumes that old copies of NAV are to be found in
C:\NAV, and states that there is no old version if nothing is found
there.  If this is not the path for the files, and the proper path is
specified, the request to choose between backing up and overwriting old
versions comes shortly after the announcement that there are no old
versions.)  A "completion bar" shows the progress of most lengthy
operations (throughout the program.)

The installation is quite intelligent and useful in dealing with the
necessary changes to system files.  An editing screen is presented for
the insertion of the command line in CONFIG.SYS.  The default placement
is explained clearly enough to give novices confidence, but will allow
more advanced users the ability to select optimum positioning.  Backup
files are created for the original AUTOEXEC.BAT and CONFIG.SYS.

The installation program is not very intelligent in dealing with
configuration options.  Upon invocation of the installation program, it
asks about the type of monitor used.  Upon completion, however, the
configuration of the NAV program defaults to "CGA" monitor type, which
does not allow some options or "command keys" to be seen on monochrome
screens.  Also upon completion, if "Quit" is chosen instead of "Reboot",
the "target" drive and directory becomes default.

Ease of use

The program is "menu driven", but use without a mouse is not necessarily
intuitive, nor do all menus work consistently.  (For example, all
options on the main menu are accessed by initial letter except "Exit"
which is only accessible by pressing the "X" or "ESC" keys.)  Ten pages
of the manual are devoted to the use of the interface.  The menus are,
however, generally clear and readable.  (Unless, as mentioned above, the
monitor type is not consistent with "highlights" generated in CGA mode.)

The "Advanced scan" and "Auto-inoculate" features of the system are
simply variations on checksumming and change detection, but are set up
and explained in a manner which appears to be unnecessarily confusing.
The options available in the "Options/Configuration" menu allow for a
considerable degree of customization, but reasons for choosing certain
options are not clear in the initial installation section of the manual.
The monitor "box" in the menu is not accessible in any way, nor is it
explained in either the manual or the help text.  Some options do not
appear to work: I did not choose to "Disable scan Cancel *b*utton" (*b*
being the letter used to access this option), but the "cancel scan"
option was disabled on my program anyway.

If a virus is detected in memory at the beginning of a scan, the program
will refuse to scan further.  This is an advantage in that it prevents
infection by viri which infect each file as it is open, but there is no
"discretion" on this feature, and it activates even when boot sector
viri are found.  The program does not terminate, but will not perform
(in terms of scanning).  No help is given at this point: the user is
referred to a section of the manual.

Help systems

The program contains an extensive help file.  Personally, I did not find
the onscreen help to be very useful, generally having to go to the
reference section of the manual if I could not figure out the operation
from the menus.

Compatibility

Norton Antivirus is stated to be compatible with Windows.  However,
careful examination of the disk READ.ME file indicates that this
compatibility is true only in that the TSR scanner can continue to alert
users through the "siren" if the "alert boxes" are turned off while
Windows is in operation.  NAV is not compatible with Desqview, and has
difficulty with a number of other TSRs and related utilities.  Careful
reading of the READ.ME file is suggested on systems with extensive use
of TSR programs.

The program shipped as of December 7, 1990 identifies a significant
proportion of the viral programs identified by the Brunnstein, Hoffman,
McAfee and Skulason lists.  The company has also provided a means of
regular updates of "signature" information.

The "change detection" information is not added to the file to be
checked, so it does not interfere with "internal" self checks.  However,
the information is not stored in a single outside file, but in a
"hidden, system" file created for each program to be checked.  As the
READ.ME file indicates, this may take up considerable space on a hard
disk, and may be difficult to recover even after programs are removed.

Company Stability

Symantec and Peter Norton have both been solid companies in their
respective environments.

Company Support

The company provides both a technical support line and a "Virus
Newsline" for update information on new viral signatures.  There is
provision for access to information through "voice mail", fax and
commercial information services.  Suggestions from the company indicate
that this is seen as valuable primarily to corporate customers, who can
take advantage of economies of scale in distributing the information
internally and recovering the cost of obtaining the information.

It should be noted that although the program was promised to the
reviewer in November, it required eleven return phone calls to five
different offices to finally have it delivered over three months later.

Documentation

The documentation is extensive, but the layout would not be simple for a
novice to follow.  While the information is all there, even after a
thorough reading it is hard to remember where a specific item is.  The
"Quick Start" section does provide an acceptable installation, if
default values are all valid in the user's system.

The "clean start" provisions of both the "Quick Start" and installation
sections should prevent installation on an infected system *if followed
rigorously*.  However, even here the directions may be confusing to a
novice.  The "About Viruses" section is of little use.

As mentioned before, many corrections and omissions from the manual are
pointed out in the READ.ME file on disk, and the documentation should
not be considered complete without it.

Hardware Requirements

No special hardware is required.

Performance

As mentioned, the NAV program identifies a larger number of viral
signatures than does any commercial product reviewed to date, with
provisions for constant updating of the signature files.  The scanning
is also very fast, approaching the speed of TBSCAN and VPCSCAN.

The TSR scanner, NAV_.SYS, is invoked from CONFIG.SYS (cf F-DRIVER.SYS
in the FPROT package.)  While it cannot prevent infection of the system
from a "boot sector" infected diskette, it does not detect the presence
of such a virus in memory, and it neither prevents infection of
diskettes, nor alerts the user to the use of an infected diskette or the
operation of infecting.

Repair of viral programs appeared to be effective.

Local Support

Although local sales offices of Symantec/Peter Norton are widely
available, support is only provided through the central technical
support and "Virus Newsline" numbers.

Support Requirements

In its current form, the product is suitable for novice users, but
installation and actions when a virus is found may require more expert
support.

                                 General Notes

The provision of access to update information gives this product a
significant advantage.  There are, however, some weaknesses to be dealt
with, and a general improvement is needed in the documentation and ease
of use before it is suitable for all users.

copyright Robert M. Slade 1991  PCNRTNAV.RVW  910315


=============
Vancouver          p1@arkham.wimsey.bc.ca   | You realize, of
Institute for      Robert_Slade@mtsg.sfu.ca | course, that these
Research into      (SUZY) INtegrity         | new facts do not
User               Canada V7K 2G6           | coincide with my
Security                                    | preconceived ideas

tzdroj@hpuxa.acs.ohio-state.edu (Tomasz R. Zdrojewski) (03/29/91)

The NAV program is not suitable for normal virus removal. In a
personal test, I was able to infect my command.com, NAV itself and
quite a few other files. The program ignored the sample virus I ran
and said the system was fine. I would only recommend it for its
ability to add new virus tags.
			Tom

c-rossgr@uunet.uu.net (04/09/91)

>Date:    Thu, 28 Mar 91 16:13:24 +0000
>From:    tzdroj@hpuxa.acs.ohio-state.edu (Tomasz R. Zdrojewski)
>
>The NAV program is not suitable for normal virus removal. It a
>personal test, I was able to infect my command.com, NAV itself and
>quite a few other files. The program ignored the sample virus I ran
>and said the system was fine. I would only recommend it for its
>ability to add new virus tags.

Not to take away from Norton's new entry in the anti-virus field, lots
of scanners have the ability to add new virus tags through an external
file, including my own.

In fact, to document this file for the first time publicly:

1)  The file must be on the C: drive in a directory called "C:\VIREXPC"
2)  The file must be called "VIREXPC.VIR"
3)  The file consists of lines.  Each line starts with a 'P', a 'B' or a '#'.
    A line starting with a '#' is a comment line.
    A line starting with a 'P' is a "Program Virus"
    A line starting with a 'B' is a "Boot Virus"
4)  Following the 'B' or 'P' is a single space.
5)  Following the single space is the hex representation of up to sixteen
    bytes of signature information.  Although you may have less than
    sixteen bytes, you must have at least ten bytes.  Additionally, you
    must have an even number of bytes.  This is the ASCII representation
    of the value of these signature bytes:  If searching for 'AB', then the
    resulting hex search string would be "4141".
6)  Optionally, after the signature bytes may come a checksum and a
    "nasty" flag.
    If you're including either, follow the signature bytes by a single
    space.
    If the virus is a "nasty" virus -- one that you'd want to halt the
    scanner if you find it in memory, use the "Nasty Virus" flag: a single
    exclamation point.
    The checksum is a simple unsigned checksum of the signature byte's
    real value: not the value of the ASCII representation of these values,
    but the actual values.

An example:

# This here is a comment
P ProgVName 123434565678789090121234 1234!

No, the checksums don't add up on that example.

Ross M. Greenberg
 Author, Virex-PC & FLU_SHOT+
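As an added example (not code from Ross Greenberg, Virex-PC or the original thread), here is a Python parser for the VIREXPC.VIR line format documented above, including the length rules and verification of the optional checksum against the real signature byte values.  Two things the post does not spell out are treated as assumptions: the extra name token that appears in the post's sample line ("ProgVName") is accepted as an optional name, and the checksum is taken to be a 16-bit unsigned sum, matching the four hex digits in that sample.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class VirRecord:
    kind: str                    # 'P' program virus or 'B' boot virus
    name: Optional[str]          # optional name token, as in the post's sample (assumption)
    signature: bytes             # 10..16 signature bytes, even count
    checksum: Optional[int]      # checksum read from the file, if any
    nasty: bool                  # '!' flag: halt the scanner if the virus is found in memory
    checksum_ok: Optional[bool]  # None when the line carries no checksum

HEX_RE = re.compile(r'^[0-9A-Fa-f]+$')
TRAILER_RE = re.compile(r'^([0-9A-Fa-f]*)(!?)$')   # optional checksum, optional '!'

def signature_checksum(sig: bytes) -> int:
    # Simple unsigned sum of the actual byte values (not of their ASCII hex form).
    # The 16-bit width is an assumption based on the four-digit checksum in the post.
    return sum(sig) & 0xFFFF

def parse_virexpc_line(line: str) -> Optional[VirRecord]:
    line = line.rstrip('\r\n')
    if not line or line[0] == '#':
        return None                                   # blank or comment line
    kind = line[0]
    if kind not in 'PB' or line[1:2] != ' ':
        raise ValueError(f'bad record type or missing space: {line!r}')
    fields = line[2:].split(' ')
    name = None
    if fields and not HEX_RE.match(fields[0]):        # non-hex token: treat as a name
        name = fields.pop(0)
    if not fields or not HEX_RE.match(fields[0]):
        raise ValueError(f'missing hex signature: {line!r}')
    hexsig = fields.pop(0)
    nbytes, odd = divmod(len(hexsig), 2)
    if odd or nbytes % 2 or not 10 <= nbytes <= 16:
        raise ValueError(f'signature must be 10..16 bytes, even count: {line!r}')
    sig = bytes.fromhex(hexsig)
    checksum, nasty = None, False
    if fields:                                        # optional "<checksum><!>" trailer
        m = TRAILER_RE.match(fields.pop(0))
        if m is None or fields:
            raise ValueError(f'bad checksum/nasty trailer: {line!r}')
        checksum = int(m.group(1), 16) if m.group(1) else None
        nasty = m.group(2) == '!'
    ok = None if checksum is None else checksum == signature_checksum(sig)
    return VirRecord(kind, name, sig, checksum, nasty, ok)

def parse_virexpc(text: str) -> List[VirRecord]:
    return [r for r in (parse_virexpc_line(l) for l in text.splitlines()) if r]
```

Run on the post's own sample line, the parser reports checksum_ok False, which agrees with the author's remark that the checksums in that example do not add up.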