*******************************************************************************
                              PT-52    April 1992
*******************************************************************************

1. Product Description: VirusClean is a viral detection and disinfection program for IBM personal computers or compatibles. This product test addresses version 2.15, February 1992.

2. Product Acquisition: VirusClean is available from Computer Consulting Group, Inc., 1130 Old Highway 99 South, Ashland, Oregon 97520. The telephone number is 503-488-3237. The program cost is $99.00 for a single copy. Site licenses are available. The author and copyright holder of VirusClean is Joe Hirst, Thecia Systems Ltd.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I acquired VirusClean, version 2.15, directly from Computer Consulting Group, Inc., by answering a special offer to acquire the program for $49.00, which would include updates for 1 year. This represented a $50.00 saving over the normal advertised cost.

b. Product tests occurred on the following systems: (1) Zenith PC, Model 248, MS-DOS 3.30, 640K; and (2) Zenith PC, Model 184, MS-DOS 4.01, 640K. The test period extended from 18 March to 6 April 1992.

c. VirusClean consists of two programs.

   (1) Virus Monitor (VM.COM) is a memory resident program which tests programs for known viruses prior to execution. If a program is infected, Virus Monitor will prevent the execution of the program and notify the user.

   (2) Virus Clean (VC.COM) is the detection and removal program, which a user may run from a menu or from the command line.

d. Unlike other viral detection programs, VirusClean structures its search strings by "families", a method of the author's own devising. Specifically, he has decided to name the "first virus in any recognizable chain of development to describe all the variants of that family". As long as there is only one virus in such a family, the virus name will be the same as the family name. As variants appear, the author will assign numbers for major variants and letters for minor variants.

e. This sounded confusing to me as I read the documentation, and actual testing against a suite of 605 malicious programs increased my confusion. First, it is difficult to reliably determine how many malicious programs Virus Clean can detect. Second, it is frustrating to evaluate how well VirusClean may perform against the so-called 68 "common" viruses as identified by Patricia Hoffman in her Hypertext Virus Summary List, 27 March 1992.

f. Tests against 76% of the "common" viruses (i.e., 52 out of 68) essentially replicated the results described in the National Computer Security Association's report, 1 January 1992, "Virus Scanners: An Evaluation". NCSA concluded: "Computer Consulting Group's VirusClean is fast, produces no false alarms, but seems to miss most viruses". Even where the program detected a "common" virus, there was one occasion where the identification was completely different from that of other comparable programs. VirusClean identified a test sample of the Michelangelo virus, but the alarm was for the "New Zealand (8)". Readers should note that the NCSA report addresses an earlier version of the program, version 2.11, 10 September 1991.

g. Tests of the Virus Monitor (VM) component confirmed that it performed as documented in the reference manual. One can invoke the component by the command "VM". The manual suggests a user add the command to the autoexec.bat file. I successfully caused VM to alarm under these conditions: attempts to run infected programs, attempts to access a floppy disk infected with a boot sector virus, and attempts to low-level format the hard disk.

h. Tests of the Virus Clean (VC) component were equally successful. One invokes the menu mode by the command "VC". The user then has the following selections.

   (1) Choose Options. There are three selections: Search options, Removal options, Other options. Search options include the ability to search only for boot viruses; to search for "parasitic" viruses, which is the program author's name for non-boot sector viruses; to examine all files (the default is to search only .com and .exe files); to examine specific file extensions chosen by the user; and to list all files examined during the search operation. Removal options include the ability to remove boot viruses; to remove parasitic viruses from .com files; to remove parasitic viruses from .exe files; and to delete infected files. The Other options include the ability to output search messages to a disk file or to create an audit record; to halt or pause the display of messages to the screen during a search operation when the screen is full; to scan a single drive; to return to the main menu after a search operation (the default is to return to the DOS command line after an operation); and to change the menu display from color to black and white.

   (2) Scan for Viruses

   (3) Return to Default Options

   (4) Write Options to Disk (Change Defaults)

   (5) List Known Viruses

   (6) Exit to DOS

i. There were no problems with any of the menu selections. I did find it annoying that, when one selects the List Known Viruses item, the list by default scrolls off the screen. If one turns on the halt or pause option under the Other Options menu, this corrects the situation. But the reference manual, which is otherwise very concise and easy to read, did not give me a clue on this point. When one chooses to create an audit record, the file written to disk is cumulative, avoiding the risk of overwriting previous results.

j. Both VM and VC perform integrity checks of themselves when first loaded, and check RAM for any memory resident virus.

5. Product Advantages:

a. VirusClean does detect and disinfect that malicious code which it claims it can.

b. Installation and operation of the program are extremely simple.

c. The program includes a VM_TEST file to verify the correct installation of the Virus Monitor component and to provide an example of a typical alarm message which the Virus Clean component might generate.

6. Product Disadvantages:

a. The number of viruses detected at version 2.15 may be too small for many organizations and users. The reference manual states that "updates will normally be issued quarterly, although there will be occasions when there is an over-riding need for a special update". When I receive my first update, I will revise this product test and have more information to assess further the significance of this issue.

b. The reference manual devotes 41 of its 64 pages to a description of the viruses detected. The information provided is of marginal value. Curiously, the manual does not indicate whether the user can remove a particular virus with VirusClean or whether the user must simply delete the infected file. I believe this data would have been more beneficial.

7. Comments: I continue to recommend the stockpiling of more than one virus detection program for contingency purposes and to resolve potential false alarms. One would hope that the next generation of defenses would look beyond just the attributes of appearance and behavior. In this regard I direct your attention to a paper by Ms. Catherine L. Young published in the proceedings of the NCSC/NIST annual security conference several years ago, "Taxonomy of Computer Virus Defense Mechanisms".

[The opinions expressed in these evaluations are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
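As an added illustration of the family-based search-string scheme described in section 4.d and the counting difficulty noted in 4.e (example code written for this page, not VirusClean's own code; the signature table and sample files are constructed byte strings, not real virus patterns):

```python
"""Family-structured signature scan, modelled on the scheme in section 4.d.

Added example, not VirusClean's code. Signatures and sample files are
constructed byte strings, not real virus patterns.
"""

# Constructed signature table: each entry is (family, variant, search string).
# Variant "" means the family still has a single member, so the reported name
# is the family name alone; digits mark major variants, letters minor ones.
SIGNATURES = [
    ("Alpha", "",   b"ALPHA-MARK-1"),
    ("Beta",  "2",  b"BETA-MAJOR-2"),
    ("Beta",  "2b", b"BETA-MINOR-2B"),
    ("Gamma", "3",  b"GAMMA-MAJOR-3"),
]

def display_name(family, variant):
    """Render a hit the way the report shows it, e.g. 'New Zealand (8)'."""
    return family if not variant else f"{family} ({variant})"

def scan_file(data):
    """Return the display names of every signature found in one file's bytes."""
    return [display_name(f, v) for f, v, sig in SIGNATURES if sig in data]

def scan_files(files):
    """Scan a {name: bytes} map; a clean file maps to an empty list."""
    return {name: scan_file(data) for name, data in files.items()}

def monitor_allows(data):
    """VM-style pre-execution check: refuse to run anything that matches."""
    return not scan_file(data)

def signature_counts():
    """Why 'how many viruses does it detect' is hard to answer under this
    scheme: the number of search strings and the number of families differ."""
    families = {f for f, _, _ in SIGNATURES}
    return {"search_strings": len(SIGNATURES), "families": len(families)}

# Constructed sample files (plain text standing in for program images).
SAMPLES = {
    "CLEAN.COM":   b"MZ\x90\x00 ordinary program text",
    "INFECT1.COM": b"junk BETA-MINOR-2B junk",
    "INFECT2.EXE": b"GAMMA-MAJOR-3 and ALPHA-MARK-1 together",
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLES).items():
        print(f"{name}: {', '.join(hits) if hits else 'no virus found'}")
    print(signature_counts())
```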