|
Anti- Viral Product Evaluation
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
Anti-Viral Product Evaluation
May 5, 1989
This evaluation paper has been written by Jim Goodwin, Lynn
Marsh and Tim Sankary. It is copyrighted, 1989, and is intended
for circulation among fellow members of the virus research
community who use IBM PCs or compatibles. We do not consider it
complete, since we did not evaluate every available product, and
it is not intended as a public guide to selecting antiviral
programs. We hope, however, that it will prove useful to other
members of the community who work with live viruses and need
ongoing protection for their systems. This document may be
freely copied and distributed providing the disclaimer and
copyright are kept intact, and no changes, additions or deletions
are made to the text.
We would like to acknowledge the ample research data
provided by Jim Bates and Rusty Davis in England, Ivan Grebert of
Acal Corporation in Paris, Colin Haynes of the International
Computer Virus Institute, and the many volunteer researchers from
the Silicon Valley area that contributed so much to our efforts.
We would also like to acknowledge the HomeBase users group for
providing their detailed log of infection occurrences and other
epidemiological data.
The Need for a Reasonable Evaluation:
In the April issue of PC Magazine you will find a review of
11 antiviral products. The review, while well intentioned,
tested products against only two viruses (plus one simulated
virus that was developed by the magazine). None of the viruses
were boot sector infectors (viruses which attach to the boot
sector) and none were among the most common viruses. Since the
vast majority of virus infections are boot sector infections, and
since most viruses are much more difficult to detect than the two
chosen, the results of the review were next to meaningless. The
PC Magazine review was similar to many others published in the
past year. It was performed without adequate access to the
viruses actually causing problems in the user community.
A second problem with these reviews, is that many of the
reviewers have had limited experience with the broad range of
infections that have occurred within the past 18 months. They
base evaluations on assumptions that do not hold for the real
world. This is not necessarily the fault of the reviewers.
Viruses are a new phenomenon and few people have dedicated their
time and resources to a long term study. A reviewer who has had
experience with only one or two viruses might naturally draw
incorrect conclusions about "generic" virus issues.
For example, a number of viruses infect programs using
common DOS calls (interrupt 21 or other interrupt call). This
type of infection can be easily detected and prevented. An
entire class of products, called Filters, has grown up around the
assumption that virus infections can be prevented by redirecting
certain interrupts and intercepting the infection replication
process. It works for a few viruses. The vast majority of
infections, though, are caused by viruses that use non-standard
I/O, and these infections cannot be prevented through interrupt
re-vectoring techniques. Thus, filter type products - included
among them are C-4 and Flu-Shot+ - are virtually useless against
most viruses. Yet many reviewers, and some product developers,
still believe that viruses can be stopped through re-directing
system interrupts.
The criteria:
A lot of time and effort has gone into the various checksum,
encryption, logging and chaining algorithms proposed as safe
techniques for detecting viruses. And much discussion and
argumentation has gone one regarding the various merits of high
security algorithms. Yet, every generic application infector
that we have seen to date could have been detected by merely
checking to see if the SIZE of the file had changed. Developing
such a virus detector requires less than an hour of programming
time and is as effective as available products costing hundreds
of dollars. We're not suggesting that size checking should be
the criteria for detecting viruses (we know better), we are
merely pointing out the vast gulf between theory and current
reality. We understand that viruses of today may not reflect the
situation two years from now, and we also understand that current
boot sector viruses and certain operating system viruses pose a
special case to our size example, but the first step in solving
any problem must be a solid understanding of the current state of
the problem. And the current problem is in a different world
from the theoretical solutions proposed for it.
An astute reader might ask at this point why we would be
concerned if the proposed solutions to viruses were overkill.
Isn't it better, you might think, to include as much protection
as is available, to get as close to 100% security as possible?
We think not. Beta testing of virus products in many
corporations and our own experience with these products over the
past year has shown that, beyond a certain point of
reasonableness, increased security functions begin to hinder the
computing process. Either increases in required run time, or
user constraints or annoying additions to the system make the
products so cumbersome to use that the user ultimately discards
them. Alternately, false alarms and questionable product
conditions desensitize the user, and thus real virus alarms, when
they occur, are disregarded.
Again, we are not saying that sound security principles
should not be included in a given product. We are only
suggesting that the search for the 100% solution must have its
limits. The theoretical discussions about batch file viruses,
viruses that can imbed themselves within a program without
changing initial branch addresses, and viruses that can infect
without making any modifications to a program are interesting and
entertaining. But if you are selecting a product based on the
ability to detect such viruses, then you will be disappointed.
In general then, our criteria for evaluating antiviral
programs are:
1. The program's effectiveness against existing viruses.
There are anywhere from two dozen to over 50 different
PC viruses (depending on how you classify them) that
can infect your system today. If the product cannot
detect these viruses, then it certainly cannot detect
tomorrow's viruses. We rated this criteria the
highest.
2. The techniques used by the program to anticipate new
viruses. We have to admit to some subjectivity here.
No-one really knows what virus may pop up tomorrow, but
reasonable people can make reasonable guesses (Tim
Sankary is the only member of this review team who
admits to being unreasonable). We do expect to see
viruses in the next few years that can imbed themselves
inside a generic COM or EXE program without changing
its size. We anticipate system infectors and other
program-specific viruses that can imbed themselves AND
not change initial branch instructions. (We feel these
viruses, however, will be limited to common programs
such as IBMBIO, IBMSYS, COMMAND.COM etc.). We
anticipate viruses that will encrypt themselves in such
a way that every infection will be different (1704
nearly achieves that now). We anticipate boot sector
viruses that will not need to save and execute the
original boot sector. We also expect viruses that will
entirely replace system modules, such as the command
interpreter.
3. The usability of the software. This is the most
subjective criteria and we accordingly weighted it the
least. We decided, however, that if we felt like
screaming, smashing the monitor or savagely beating the
family pets while trying to install or use the program,
then we would subtract points for lack of user
friendliness.
The Viruses:
Jim Goodwin insisted that there were 61 PC viruses and that
we should test them all. He includes in this list three versions
of the Pakistani Brain that differ only in the imbedded text and
volume label copyright display, and four identical versions of
the 1704 that differ only in their activation dates. Lynn
Marsh, who has a new beau, and, we suspected, would like to
spend time with him, suggested that there were only 14 base PC
viruses. Any modifications to these viruses, she insisted, were
inconsequential and should be ignored. A compromise was reached
along the following lines:
Any modification to a base virus that materially
altered its ability to be detected would be considered
a different virus for our testing purpose.
Frankly, the definition didn't help us much because we
continued to squabble, but it eventually worked itself out. It
became clear that certain modifications to base viruses did
indeed materially affect our test results. As an example, one
modification to the Israeli virus, called the New Jerusalem,
performs a format of the hard disk when it activates, and it
additionally does not have the EXE infector bug that the
original Israeli had. When this virus activated, one antiviral
products that was able to detect the original Israeli file-delete
activation and prevent it, was unable to detect the modified
virus's format attempt. There were numerous other such
examples. Even machine or configuration type changes (such as
the numerous 1704 modifications) had an effect on testing under
certain circumstances. We finally narrowed the field down to 27
distinct viruses, 11 of which were boot sector infectors.
We realize that our test base is skewed if you compare it
to infection reporting statistics (where over 80% of infections
are boot sector infections), but we feel the sampling will become
more valid over time, since the boot infector ratio appears to be
slowly declining.
The Testing:
All testing was performed on systems with fixed disks.
Where applicable, the infection was introduced onto the hard
disk. The only exceptions to this were five boot sector viruses
which would not replicate onto a fixed disk. When testing
against these floppy-only viruses, a 5 and 1/4 inch, 360KB
diskette was used. The test systems each contained over 300
executable programs, approximately 2/3 EXE programs and 1/3 COM
programs, arranged in multiple levels of directories. Programs
with overlay structures were also included. DOS 2.0 and 3.3 were
both used, and testing was performed with and without the memory
resident program and shell routine - Carousel and Norton
Commander. Monochrome and VGA graphics adaptors were also
included.
All product detection tests were made while boot sector
viruses were already in memory and in control. This was a
critical point for us. For example, the Pakistani Brain is a
trivial virus to detect if you insert an infected floppy into an
uninfected system and run a detection program against it. If you
boot from an infected diskette, however, the detection process
becomes much more difficult (since the virus traps all attempts
to read the boot sector). We found only one generic product that
was able to detect the Brain while it was active.
When testing against generic COM and EXE infectors, we used
two approaches. First, we loaded the protection software onto a
clean machine and then infected it. Second, we infected a
machine with the virus, then installed the protection software,
and then allowed the virus to continue the infection process.
Throughout the review process, we considered a product to be
ineffective against a given virus if any of the following
occurred:
- The program was unable to detect the presence of
infection activity during its normal check cycle.
- The system hung when the virus was introduced, or
during the check cycle, and no warning indication was
given by the program prior to the hang-up. (This
assumed, of course, that the virus ran normally without
the prevention product being present)
- A loss of data occurred during the checking process.
A product was considered to be effective against a given
virus if all of the following occurred:
- The product identified the presence of infection
activity.
- The product was able to identify each and every
infected component of the system, name each infected
program, and specify the program's directory path.
Usability ratings were loosely handled as follows:
1. Global detection products that required more than two
seconds per program for a system scan (ten minutes on
our test system) scored high on our aggravation scale.
2. Programs that required us to use new system command
structures or required us to modify the way in which we
normally interface with the operating system or our
application programs were placed in the questionable
category.
3. Programs that required constant attention to the user's
manual in order to be useful were frowned on.
(Allowances were made for Tim Sankary's slow thought
processes).
4. Programs that caused false alarms were given an
annoyance ratio proportional to the number of false
alarms.
5. Programs that installed in ten minutes and remained
invisible thereafter were well liked and much
appreciated.
Please don't mistake our lighthearted attitude to the user
friendly category. It's just that we could not come up with a
really objective measure here. No matter how hard we tried, it
usually ended up being a matter of personal opinion. Keep in
mind that we weighted the whole user interface area low in
importance.
The Products:
We were able to identify over twenty PC products being
distributed through vendor channels and through public
domain/shareware channels. We chose five to review that we felt
were the most commonly available and most widely used.
C-4
From McAfee Associates, 4423 Cheeney St, Santa Clara, CA 95054
408 988 3832
*** NOT RECOMMENDED ***
C-4 is a classic virus filter product which is simple to
install, easy to use and creates few false alarms. It is a
memory resident program that requires about 12K of memory (not
much) and seems to run efficiently, consuming few system
resources. The instruction manual is brief, concise and to the
point. It comes with an automatic install utility, and the
installation takes about 30 seconds. From there on it's
automatic. The checking function can be easily turned on and off
through a keyboard toggle, and a simple mechanism for excluding
"safe" programs is included. A pop-up window appears whenever a
violation is reported, and the name of the violating program, and
its target, are displayed. Programs that violate C-4's filter
criteria can be frozen and prevented from continuing the suspect
activity. All in all we found this product to be well designed,
solid, easy to use and fairly unobtrusive. A solid piece of
software engineering.
So what's the problem? Well, it doesn't work. Like all
filter products, it is limited to viruses that conform to
standard operating system conventions. These conventions include
using interrupts rather than branching directly into the BIOS,
keeping the original boot sector intact, not modifying the
command interpreter, etc. As we all know, not all viruses play
by these rules.
The net result of our testing showed that C-4 was unable to
prevent or detect any of the boot sector viruses. Additionally,
if the system was infected before loading c-4, it was unable to
detect future infections from any memory resident.
We cannot recommend this program.
Flu-shot+ (Shareware)
from Software Concepts Design, 594 Third Avenue, NY, NY 10016
212 889 6438
*** NOT RECOMMENDED ***
FluShot+ is a mixture of filter program and detection
program. Like C-4, it attempts to trap system interrupts and
catch viruses in the act of replication. Like C-4, it is equally
unsuccessful. The infection detection aspects of the program add
little to its ability to protect against infection, but they do
contribute substantially to the overall cumbersome and
frustrating user interface.
The complicated documentation and installation required by
FluShot+, however, was not our overriding concern. The program
simply did not work. No boot sector virus was stopped or
detected by FluShot+, and the false alarm rate was high enough to
motivate many system users to ignore a real virus infection,
whenever one could be detected.
If we add to this the numerous quirks of the program, such
as problems running with graphics software and conflicts with
certain memory resident programs, we find little positive value
in it.
We cannot recommend this program.
Sentry (Shareware)
From McAfee Associates, 4423 Cheeney St, Santa Clara, CA 95054
408 988 3832
*** HIGHLY RECOMMENDED ***
Every so often an easier, simpler approach really does work,
and Sentry appears to be a one-in-a-million jewel of simplicity
and effectiveness. The most invisible product that we tested,
Sentry can be installed by anyone able to type the word
"install", and thereafter nothing more is seen or heard of it
until a virus hits the system. When it does, it's certain to get
caught. Sentry was the only product able to catch every one of
our test viruses.
It does have some small faults however. First, it
increases the system boot-up time by about 10 seconds for every
100 programs in your system. For the average user this will not
be a problem (the average person uses less than 50 programs, we
are told). For some folks however, this may become burdensome.
If you are one of those rare people who use (or at least have)
2,000 programs or more, you can expect to wait over 5 minutes
extra every time you boot your system.
A second fault is that people who do a lot of programming or
software development will constantly be changing executable files
on the disk. Sentry will prod you about these changes every time
you boot. The only way to shut it up is to re-install it so that
it can take a new snapshot of the current system state. We all
found this annoying (although, to be fair, every product that we
have seen has this same annoyance). One way around it is to do
all compiles, links, etc. in a given subdirectory and instruct
Sentry to ignore all the happenings in that subdirectory. This
works quite well. If you do not frequently compile, or daily
update your software to new versions, however, then Sentry should
remain innocuous.
A final caution about Sentry. It does not work properly in
the DOS 4.0 environment and should not be used in this
environment. We understand that a new version that will correct
this problem is currently under development.
Sentry works by creating a snapshot file of all critical
system elements and comparing that snapshot file to the current
state of the system at boot time. If you power down or re-boot
your system at least once a week, then Sentry will flag any
infection long before the infection will activate and cause
damage. If you are running in a networked environment, or in any
other environment where the machine is seldom turned off or re-
booted, then Sentry can be manually invoked by typing the command
- SENTRY.
Sentry uses a unique approach to detecting a virus. It
does not checksum the entire program, but only those areas of the
program would would have to change when any virus attaches to the
program. This allows it to execute very rapidly, and thus makes
periodic scans of the entire system feasible. This separates
Sentry from all other products. The second separator, of course,
is that it is effective against all of the viruses that currently
exist. We believe that this effectiveness will continue for new
viruses.
Virus-Pro
From International Security Technologies, 515 Madison Avenue, NY,
NY 10022 212 288 3101
** RECOMMENDED **
Virus-Pro is a product designed for large corporations, and
we include it here for those researchers studying epidemiological
data using multiple computers as a study base.
Virus-Pro is much more than a virus detector. Virus-Pro
includes sophisticated audit trails and history information that
can be used track the origin of an infection within an
organization, and to monitor the use and movement of programs
from PC to PC. It does require a fair amount of run time for the
checking process, and a dedicated Virus-Pro systems administrator
or co-ordinator is needed, but it is an excellent system level
product.
The basic function of Virus-pro is to monitor the status of
the executable programs on the logical drives and to report on
changes and exceptions. Virus-Pro stores five parameters about
each executable or hidden file in a scan file. These parameters
are:
(1) The name, extension and path
(2) The size in bytes
(3) The date-time stamp
(4) The attributes (hidden, system, and read-only).
(5) A checksum of the program
In addition, the program stores information about the
logical drive's boot track. Virus-Pro then compares the scan
file with both a prior scan file from the same logical drive and
a baseline file which has been created using scans of individual
software distribution diskettes. Differences in or matches to
one or more of these five parameters are used to determine the
presence of infection.
Administrative software makes it easy for an organization's
Virus-Pro co-ordinator to prepare diskettes for site co-
ordinators. Each site co-ordinator has similar facilities to
make Virus-Pro diskettes for his or her PC "owners". PC owner
diskettes include a disk scanning and analysis program. Site co-
ordinators use a program called MAKEBASE to place data extracted
from vendor diskettes into baseline files which a baseline
analysis program compares with the disk scan outputs. The
analysis can spot viruses, pirated software, wrong program
versions and a host of other inconsistencies of interest to a co-
ordinator. Two system-wide administrative programs maintain
master files of site co-ordinators and PC owners, print complete
name/address/phone number lists of co-ordinators and owners,
prepare diskettes, and provide other administrative functions.
Virus-Pro is the most comprehensive system level antivirus
product that we have seen or heard of. It does however require
more maintenance than stand-alone utility antiviral products, and
it did fail to catch four of the boot sector viruses (but caught
all others). In spite of this, We feel that it provides a fair
level of protection, and excellent audit trail capabilities for
tracking virus spread.
A note of caution: This is not a product for the individual
user of a stand-alone system. It is specifically designed for
the corporate environment.
Disk Defender
From Director Technologies, 906 University Place, Evanston, IL
60201 312 491 2334
** RECOMMENDED **
Disk defender is an add-on board for IBM PCs and
compatibles. The product write protects the hard disk from
erasure or modification to programs or data files that do not
require frequent changes. It can therefor protect against
viruses trying to attach to system or application programs, or
even to the boot sector. It blocks their attempts and provides a
visual indication that disk writes are being attempted to a write
protected area.
A switch attached to the board write protects the entire
disk, just a portion, or none of the disk. The switch can be
set, then removed and stored in a secure place. In addition, the
board allows a portion of the hard disk to be write protected,
while allowing normal writes to other areas.
Disk defender allows the hard disk to be divided into two
active DOS partitions and allows the user to designate an area or
zone as read only or as read/write. Indicator lights on the
switch box illuminate when an attempt is made to write to a
protected partition.
The disk defender is one of the most effective antiviral
products available for protecting the hard disk.. Clearly, if a
virus cannot physically access its host program, then it cannot
infect the system. It does not, however, protect against floppy
viruses. There is no software utility included with the package
to prevent or detect floppy boot sector infectors, for example.
Thus the 5 floppy based boot viruses lived and prospered quite
happily in the system with Disk Defender installed. There are
some other drawbacks as well. Installation is non trivial and
requires a backup of all data and a re-format of the hard disk.
Then all data and programs must be restored. Disk defender also
requires that files be re-organized, and some application
programs will have to be reconfigured if they use the C drive for
temporary storage. Thus, a degree of flexibility is lost which
may be unacceptable to some people.
In spite of its limits, however, Disk Defender is a highly
reliable and secure product for protecting your hard disk.
Jim Goodwin, Lynn Marsh and Tim Sankary
From the HomeBase Virus Research Group
408 988 4004X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X
|
|
