RADAI@HUJIVMS.BITNET (Y. Radai) (08/09/90)
Sigurd Andersen asks for opinions on F-PROT. In my opinion, this package of 21 utilities includes some excellent programs. I'll describe only a few of them:

F-DRIVER is a small device driver which (1) checks RAM for boot-sector and partition-record viruses when it is initially activated and (2) checks each program which is about to be executed to see if it contains a known file virus. If so, it stops execution.

F-LOCK is a RAM-resident program which monitors suspicious activities. It is effective not only against known viruses but also against Trojans and unknown viruses. In this respect, it resembles FluShot+. However, it is designed to stop even viruses which write to the disk by jumping directly to an interrupt handler instead of diverting interrupt vectors in the normal way. In practice, this does not work on all such viruses (e.g. it does not seem to be effective against the 4096), but since the idea behind the prevention of such viruses seems to be sound, it's possible that this is just a bug which will soon be removed.

F-DISINF scans boot sectors and partition records for known viruses and optionally removes them.

F-FCHK scans files for known viruses and new mutations of them and can cure such files in almost all cases.

F-SYSCHK scans memory for known viruses.

F-MMAP displays a map of memory. It includes memory blocks which other such utilities do not show (e.g. those near the TOM, where most boot-sector viruses hide, and I think even those above the 640K mark).

What I *don't* like in the package are the "self-checking" programs. I think there are better ways of achieving the same thing. But, of course, you don't have to use everything in the package.

The prices for F-PROT are as follows:

> Educational institutions:  1-14 computers      $15
>                            15-500 computers    $1 per computer
>                            over 500 computers  $500
>
> Everybody else:            1-7 computers       $15
>                            8-500 computers     $2 per computer
>                            over 500 computers  $1000

F-DRIVER corresponds (approx.) to McAfee's VSHIELD, while F-DISINF and F-FCHK do the equivalent of McAfee's SCAN and CLEAN (on almost the same number of viruses). Prior to Ver. 1.11, F-FCHK was quite slow. But its speed has since been improved. It still takes about 50% more time than SCAN, but it can probably detect more mutations of known viruses since it uses 2 or 3 identifying strings for almost every virus.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET (Note new address)