[comp.virus] VIRUS-L Digest V4 #37

krvw%CERT.SEI.CMU.EDU@vm.ucs.UAlberta.CA ("The Moderator Kenneth R. van Wyk") (03/05/91)

VIRUS-L Digest   Tuesday,  5 Mar 1991    Volume 4 : Issue 37
 
Today's Topics:
 
Protection and AI (PC)
innoc update (PC)
Virex-PC review (PC)
Virucide Review (PC)
 
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.
 
   Ken van Wyk
 
---------------------------------------------------------------------------
 
Date:    Mon, 04 Mar 91 09:03:42 -0500
From:    padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Subject: Protection and AI (PC)
 
>From:    Bob Bosen <71435.1777@CompuServe.COM>
>What exactly is AI anyway?
 
An explicit description is not suitable for a general audience, but I
am told that the cows don't mind it a bit.
 
>From:    eldar@lomi.spb.su (Eldar A. Musaev)
>Subject: Re: How to disable boot up from A: (PC)
>That is very simple, if you have only one floppy. Open your computer
>and set DIP switches and cable connections to make A: as B:...
 
I used to think that this would work also but was chagrined (shimatta)
to learn that many PC BIOSes check for floppy A as part of POST and
will generate a "601" error and halt the boot process if drive A does
not respond to the controller.
 
>From:    Bureau de Guerra <PH461A04@VAX1.UMKC.EDU>
>Subject: Mac Viruses vs. PC Viruses: Coding Comparison
>Because of 1,3,4, & 5 vs. 2,  I conclude that programing a mac virus
>is more difficult than programming a pc virus.
>Jonathan E. Oberg  ph461a04@vax1.umkc.edu
 
True, it is probably more difficult for an amateur but orders of
magnitude less than producing a good word processor. Also in the PC, a
user must request a boot/execution of a virus while a MAC will execute
floppy code without being asked. The "scan on floppy insertion" is
possible (and should be a part of any good protection scheme) on the
PC, it just hasn't been done yet (or has it? I am sometimes behind).
 
>From:    Bob Bosen <71435.1777@CompuServe.COM>
>Subject: PC-DACS (PC)
 
>two different versions I tested during 1988 and again in 1990 yielded
>easily to attacks using only readily- available software tools brought
>in on a bootable diskette.... Without hardware modification,
>only ENCRYPTION can provide any kind of real security.
 
>...and those few that are strong enough to enforce true security are
>based on ENCRYPTION or HARDWARE or BOTH.
 
Yup, confidentiality can be preserved with encryption, but only
hardware can protect from destruction (if there is no FAT, it isn't
DOS). However, the same software that redirects tables can also
disallow writing to them.  The question is one of risk vs cost just
like the fact that experiments I have been making can be defeated
easily manually if it is known to be there. Easy for a skilled person
but very difficult for software unless directly targeted.  The user
has to decide the level of protection necessary and the price they are
willing to pay. My point is that a "normal" PC has NO defense and
that quite a good level of protection from malicious software can be
had with "simple" software techniques.
 
Incidentally, if a high level of CIA (confidentiality, integrity, &
availability) is needed, Mr. Bosen's products are very good (personal
opinion).
 
					Padgett
 
Note to indexer: all paragraphs relate to PC protection with the exception
                 of AI which doesn't relate to anything.
 
------------------------------
 
Date:    Mon, 04 Mar 91 08:41:34 -0600
From:    James Ford <JFORD@UA1VM.BITNET>
Subject: innoc update (PC)
 
The file "innoc.zip" has been replaced with a new version.  This new
version has the following files in it:
 
innoc.asm  -  Source code   (same code in the other version of innoc.zip)
innoc.com  -  Compiled code
innoc.doc  -  Documentation.
----------
Whatever hits the fan will not be evenly distributed.
----------
James Ford -  JFORD@UA1VM.UA.EDU, James_Ford@mib.eng.ua.edu
              The University of Alabama (in Tuscaloosa, Alabama)
 
------------------------------
 
Date:    Thu, 28 Feb 91 15:51:26 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Virex-PC review (PC)
 
[Ed. Both of these reviews are now available by anonymous FTP on
cert.sei.cmu.edu in pub/virus-l/docs/reviews, along with the rest of
Rob Slade's (and a few others') reviews.]
 
                        Comparison Review
 
Company and product:
 
Microcom Software Division
3700-B Lyckan Parkway
Durham, NC   27717
USA
919-490-1277
Virex-PC, also Virex for Mac - scanner and vaccine
 
Summary:
 
VPCSCAN is the fastest scanning product yet reviewed.  VIREX-PC vaccine
is customizable with multiple options and allows "protection" of
specified files as well as alerts on "formatting" and "program
modification" and is recommended for "expert" users.  Documentation is
an excellent overview of viral and PC operations.
 
Cost   US $99.00
 
Rating (1-4, 1 = poor, 4 = very good)
     "Friendliness"
          Installation   2
          Ease of use    4
          Help systems   2
     Compatibility       3
     Company
          Stability      4
          Support        3
     Documentation       4
     Hardware required   4
     Performance         3
     Availability        4
     Local Support       ?
 
General Description:
 
VPCSCAN is a virus detection and disinfection product.  It will remove
some viri from files or optionally delete the file if it cannot be
disinfected.  Disinfection or deletion is at user control.  VIREX-PC is a
"resident" "activity" and "change detection" program which checks for
formatting calls, direct disk writes, TSR initiation, "registration" of
programs, "checksum" changes or program specific (user defined)
prohibited operations.  (During this review, Virex-PC refers to the
whole package, VIREX-PC to the TSR vaccine program only.)
 
Ross Greenberg was one of the first to produce an anti-viral product,
Flu-Shot.  Microcom's Virex product for the Macintosh is also well
established.  SCANDEMO, a "scan only" demonstration product, is
available free of charge on some electronic bulletin board systems.
 
Please, when reading this review, note a built in bias towards Ross
Greenberg's work.

           Comparison of features and specifications

User Friendliness
 
Installation
 
Disks shipped write protected.  Documentation stresses the importance of
write protecting the disks, suggests making "working copy" of the
original disk, and checking the computer system with VPCSCAN before
making installation onto the hard disk, but the suggested procedure
could leave the "working copy" infected.
 
Installation requires the Virex-PC diskette in drive A:, regardless of
which drive it is invoked from.  If you wish to install the program onto
a "boot floppy", the diskette to be installed "to" must be in drive B:.
 
Effective installation is impossible without reading the documentation
and understanding the concepts and system configuration thoroughly.  The
documentation is complete and quite clear, but "naive" users may find
the number of functions and features, and the explanations, daunting to
tackle.
 
Subsequent to installation, the "Protection File" can be edited.
However, the "README" file notes that this should not be done while
VIREX-PC is active, and if you invoke VIREX-PC automatically at boot
time, you will have to boot from a floppy in order to modify your
protection.
 
Ease of use
 
Once installed, the system operates without intervention, unless viral
activity is detected.  The alert screens are clear and informative.  The
decisions necessary, and the usefulness or "hindrance" of the system
depends largely on the installation, which should be "matched" to the
experience of the user.
 
VPCSCAN's screen display shows the files checked individually, but
continues to display the directories checked until the screen is full,
so that a number of directories can be seen at once.  This is much
clearer than the practice of other programs which only display one file
at a time, or only the directories checked, especially given the speed
of VPCSCAN's operation.
 
Help systems
 
Alert screens contain somewhat esoteric, but very complete information
on the activity taking place.  This will be very helpful to expert
users, but even novices will find it easier to make an "informed"
decision on whether or not to allow an operation.
 
Compatibility
 
VPCSCAN, in contrast to the lists known to SCAN and FPROT, finds
relatively few viri.  Those that it does find, however, would likely
account for better than 99% of actual infections.  The manual states
that updates are made quarterly, and that registered users will receive
"notification" of updates.  (According to the registration cards,
updates will be $25 each, or you may receive a year's "subscription" for
$75.)  However, it is now three months (one "quarter") since I
registered my copy, and I have yet to receive any notification.  (It is
possible, although improbable, that this period exactly coincides with
one "update period.")
 
Although one of the standard alerts in the package is for "direct writes
to diskette", and even though the Stoned/New Zealand virus is one which
VPCSCAN will identify (although not disinfect), VIREX-PC was not able to
protect against, and did not warn of, infection by the Stoned virus.
Although VIREX-PC will make a checksum of disk or diskette boot sectors,
it does not checksum partition boot records.
 
Company Stability
 
Microcom is a stable and diversified company, if somewhat smaller than a
Lotus or Microsoft.  Virex for the Mac has been around for some time,
although it is not one of the current "leaders" among Mac antivirals.
Ross Greenberg was one of the first to write an antiviral program for
MS-DOS (Flu-Shot) and it is still a viable program.
 
Company Support
 
Virex-PC was the third to arrive of all the commercial programs I had
requested for review.  Microcom had no problems with shipping across the
border, although the package did arrive crushed.
 
Note also the lack of update notification for the period specified.
 
Documentation
 
Very good (clear, concise) section on general virus information.
 
The procedure given in the Quick Start section could produce an infected
"working copy" of the Virex-PC disk.
 
The installation "prompts" are no better or worse than others reviewed,
but the documentation explains all options very clearly, both in terms
of the options available, and the reasons for the options.
 
Hardware Requirements
 
There are no special hardware requirements.
 
Performance
 
VPCSCAN is amazingly fast.  File checking is at least twice as fast as
either FPROT or SCAN across all platforms tested.
 
VIREX-PC has more options than other vaccine type programs, as well as
change detection capabilities.  However, although one of the standard
alerts in the package is for "direct writes to diskette", and even
though the Stoned/New Zealand virus is one which VPCSCAN will identify
(although not disinfect), VIREX-PC was not able to protect against, and
did not warn of, infection by the Stoned virus.  Although VIREX-PC will
make a checksum of disk or diskette boot sectors, it does not checksum
partition boot records.
 
Local Support
 
No provisions.
 
Support Requirements
 
The installation and operation of VIREX-PC and VPCSCAN should not be
beyond the average intelligent user who is willing to spend time with
the manual before installation.  However, in supported environments, it
would be best to have the support staff perform installation.
 
                          General Notes
 
Although in many respects a superior product, the inability to prevent
infection by the ubiquitous "Stoned" virus must be seen as a failing.
However, Virex-PC will detect the "Stoned" virus, and, with some care,
recovery can take place without recourse to other specialised products.
 
copyright Robert M. Slade 1991
 
 
==============
Vancouver          p1@arkham.wimsey.bc.ca   | "It says 'Hit any
Institute for      Robert_Slade@mtsg.sfu.ca | key to continue.'
Research into      (SUZY) INtegrity         | I can't find the
User               Canada V7K 2G6           | 'Any' key on my
Security                                    | keyboard."
 
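The review makes the point twice that VIREX-PC checksums boot sectors but not partition boot records, which is exactly the gap an MBR infector such as Stoned falls into. The following is an added example, not part of Rob Slade's review or of any Microcom product, showing why a change-detection baseline has to cover the partition boot record (MBR, sector 0) as well as the DOS boot sector of the partition; the four-sector disk image, the loader bytes and the `overwrite_mbr_code` fixture are constructed for illustration only.

```python
import hashlib
import struct

SECTOR = 512
TABLE = 446            # offset of the four 16-byte partition entries in the MBR
SIG = b"\x55\xaa"      # boot signature at bytes 510..511 of MBR and boot sector

def first_partition_lba(mbr: bytes) -> int:
    """Starting LBA of the first primary partition, read from the MBR table."""
    if len(mbr) != SECTOR or mbr[510:] != SIG:
        raise ValueError("not a valid MBR")
    # entry layout: status(1) CHS(3) type(1) CHS(3) LBA start(4) sectors(4), little-endian
    return struct.unpack_from("<I", mbr, TABLE + 8)[0]

def boot_baseline(image: bytes, include_mbr: bool) -> dict:
    """Hash the first partition's boot sector, and optionally the MBR as well."""
    mbr = image[:SECTOR]
    lba = first_partition_lba(mbr)
    vbr = image[lba * SECTOR:(lba + 1) * SECTOR]
    baseline = {"boot_sector": hashlib.sha256(vbr).hexdigest()}
    if include_mbr:
        baseline["partition_boot_record"] = hashlib.sha256(mbr).hexdigest()
    return baseline

def changed_regions(old: dict, new: dict) -> list:
    """Names of baselined regions whose hash no longer matches."""
    return sorted(k for k in old if old[k] != new.get(k))

def make_image() -> bytes:
    """Constructed 4-sector disk image: MBR, unused gap, DOS boot sector at LBA 2, data."""
    mbr = bytearray(SECTOR)
    mbr[:16] = b"MBR-LOADER-CODE!"               # placeholder for real loader code
    # one active partition, type 0x06 (FAT16), starting at LBA 2, 2 sectors long
    struct.pack_into("<B3sB3sII", mbr, TABLE, 0x80, b"\0\0\0", 0x06, b"\0\0\0", 2, 2)
    mbr[510:] = SIG
    vbr = bytearray(SECTOR)
    vbr[:11] = b"\xeb\x3c\x90MSDOS5.0"           # jump + OEM name, as a DOS boot sector starts
    vbr[510:] = SIG
    return bytes(mbr) + bytes(SECTOR) + bytes(vbr) + bytes(SECTOR)

def overwrite_mbr_code(image: bytes) -> bytes:
    """Test fixture: alter only the MBR code area, leaving table and signature intact."""
    mbr = bytearray(image[:SECTOR])
    mbr[:TABLE] = b"X" * TABLE
    return bytes(mbr) + image[SECTOR:]

if __name__ == "__main__":
    clean = make_image()
    altered = overwrite_mbr_code(clean)
    for with_mbr in (False, True):
        flagged = changed_regions(boot_baseline(clean, with_mbr),
                                  boot_baseline(altered, with_mbr))
        print("MBR covered" if with_mbr else "boot sector only", "->",
              flagged or "nothing flagged")
```

A baseline that hashes only the boot sector reports nothing after the MBR change; the one that also covers the partition boot record flags it.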
------------------------------
 
Date:    Fri, 01 Mar 91 11:26:44 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Virucide Review (PC)
 
                        Comparison Review
 
Company and product:
 
Parsons Technology
375 Collins Road NE
Cedar Rapids, IA   52402
USA
319-395-9626
Virucide
 
Summary:
 
Menu driven scanning and disinfecting program, apparently written by
McAfee Associates.  Recommended for novice or intermediate users in
non-critical situations, or as "first line" defence.
 
Cost    US $49.00
 
Rating (1-4, 1 = poor, 4 = very good)
     "Friendliness"
          Installation
          Ease of use    4
          Help systems   3
     Compatibility       3
     Company
          Stability      2
          Support        4
     Documentation       3
     Hardware required   4
     Performance         3
     Availability        3
     Local Support       ?
 
General Description:
 
A simple and relatively inexpensive virus scanning and disinfecting
program.  The menu driven interface provides a number of useful options,
including on-screen virus information.
 
           Comparison of features and specifications
 
 
 
User Friendliness
 
Installation
 
Installation is clear and straightforward, being simply the copying of
the program and related files to the appropriate disk or area.  Although
the manual indicates installation is to be done from drive A:, it can be
performed from any drive, and to any drive, including floppies.
Installation takes a longer time than one might think, given the
elementary copying operation, but the installation program is clear and
"well prompted".
 
Ease of use
 
Operation is easier than the manual indicates.  The default settings are
well chosen, and although there are command line switches and options
that can be set on screen, they merely provide alternate avenues to the
same operations.  All options are available as menu items, and the menu
interface provides a sense of being "in command" with all functions at
the user's fingertips.  Prompts are clear and informative.
 
The "3-D windowing", although attractive, does, at times, clutter the
screen and distract from the functionality by overlaying and highlighting
portions of the menus that are not currently being used.
 
Help systems
 
There is no "help" per se, but the program is easy enough to use that
this should not be a problem.  One decided advantage is the "Virus Info"
window, which provides a list of viri, and will bring up two or three
paragraphs of information on selected viri.  While useful to a novice or
intermediate user, this function does not require extensive disk space,
as it is simply a "boilerplate" expansion of the McAfee VIRINFO.TXT
table which is supplied with the disk.  (Indeed, do not make the mistake
of deleting this file under the impression that it serves no purpose.)
 
Compatibility
 
Virucide will detect all of the most common viri, and is roughly "level"
in that regard to most commercial products, although it lags behind such
scanners as SCAN and FPROT.  Given the association between Virucide and
McAfee Associates, this is rather odd.  (Version 2.0 of Virucide is
dated January 28, 1991, but the copyright date on the VIRINFO.TXT file
is 1989.)  However, a "current" version of Virucide should prove
effective against better than 99% of viri encountered.
 
Company Stability
 
Parsons Technology is a mid-sized software distribution house, with a
very wide selection of products.
 
Company Support
 
Of the first group of commercial vendors contacted, Virucide was the
first product actually received for review.  Having received the May
1990 version in December, I received the January 1991 version in mid
February as a "free upgrade".  I have seen numerous references by users
of other Parsons' products to superior customer service.
 
Documentation
 
The documentation is clear and concise, but at times makes the product
appear to be more difficult to use than is actually the case.  There is
no general discussion of viral operation.
 
Hardware Requirements
 
No special hardware required.
 
Performance
 
As above, Virucide has no particular strengths, or weaknesses, in speed
of operation or numbers of viri detected.
 
Local Support
 
No provisions.
 
Support Requirements
 
For general installation and operation, Virucide should not need any
support.  The novice user should be able to use the system as is, and
the intermediate user will be able to make better use of the options
available.
 
                          General Notes
 
The only advantage that the advanced user will find in Virucide is the
"Virus Info" window as a "ready reference".  However, as a "quick check"
for novice or intermediate users, the product deserves consideration.
 
copyright Robert M. Slade 1991
 
 
==============
Vancouver          p1@arkham.wimsey.bc.ca   | "It says 'Hit any
Institute for      Robert_Slade@mtsg.sfu.ca | key to continue.'
Research into      (SUZY) INtegrity         | I can't find the
User               Canada V7K 2G6           | 'Any' key on my
Security                                    | keyboard."
 
------------------------------
 
End of VIRUS-L Digest [Volume 4 Issue 37]
*****************************************