Date: 26 Jun 91 09:47:22 GMT
From: mcafee@netcom.COM (McAfee Associates)
Subject: Virus protection: what to use.

avinash@felix.contex.com (Avinash Chopde) writes:
>I was looking around on the garbo.uwasa.fi site and found it had
>plenty of virus scanners/fixer programs.  Do I need to get hold of all
>of them, or are there one or two which should suffice ?
>And, I'm interested in hearing about any of your own procedures that you
>follow to prevent virus infections and perform virus cleanups.

Hello Mr. Chopde,

There are lots of anti-viral programs available now, both shareware and
commercial, so without trying to be too specific, here are some things
you may wish to look for:

1.      Type of virus detection offered:  That is, upon what criteria does
the anti-viral program base its "decision" that a virus has been found?
This is generally broken down into three categories:  filters, change
checkers, and scanners.

A filter is a program that installs itself as a TSR and monitors the
system for virus-like activity (i.e., attempting to format a hard disk,
write to a program file, and so forth).  Filters have the advantage of
being able to detect new viruses because they are not looking for
specific viruses, but rather virus-methods.  The disadvantage is that
they can be prone to false-alarms by programs which may do virus-like
activities for legitimate reasons (say an OS or application update
program that patches the executable code of the original program); they
also have to be periodically updated when new virus-techniques appear
that the program did not monitor; also they may have to be configured
to allow programs that may do virus-like activities (say, a disk
optimization program) to function--this is not really a problem with
individual (home) users, but if you're responsible for several hundred
PCs, installation could be painful.

A change checker (and this is a category that includes checksum, cyclic
redundancy checks (CRC's), cryptographic checks, and so on) is a
program that computes a known value for a program file (or other area
of the system) and is then periodically run to compare the program file
against.  If the known value and the just-computed value don't match,
then the file has been modified and may be infected with a virus or
otherwise tampered with.

The advantages to change checkers are that they will detect known and
unknown viruses, like the filter, because they are not checking for
specific pieces of code, but rather for changes to a computed value.
They're also good for spotting tampering - more of a computer
security-related concern than virus-specific, but it is a function.
The disadvantages of this method are that this only works if the change
checker is installed on a virus-free machine, otherwise the known
values computed will reflect the viral code attached to its host; also,
it's been theorized that if the method of change checking is known, a
virus could be written to add itself to files in such a way that a
checksum identical to the known (good) checksum is generated.  The last
problem I can think of with change checkers is that if there is a
"stealth" virus present (A virus that installs itself as kind of a
"file handler" in the OS) then the virus will trap reads by the change
checking program, remove the viral code from the infected file, and
then pass on to the CC program a "clean" file.  This last one can be
prevented by booting the computer with a clean (virus-free) operating
system and then running the change checking program.

A scanner works by checking the system for pieces of code unique to
each virus.  The scanner reads the files (boot sector, partition table,
etc) of a disk and does a match against a database of bytes that are
segments of viral code unique to each virus.  When a match occurs, a
virus is reported.  This is effective for finding known viruses, since
a positive ID against the virus is made.  Of course, a false alarm
could also occur if a file had the same instructions in it.  Scanners
can also check for "generic" routines, like a series of program
instructions to format a disk, but these are not as reliable as the
matching of viral code with its "fingerprint" of bytes because a file
may use such a routine for legitimate purposes.  Disadvantages to
this are that a scanner will only detect known viruses and must be
updated frequently, a "stealth" virus could hide from the scanner, and
possible false alarms.  And of course, as more viruses are added, the
scanner gets s l o w e r.

2.  Vendor Support:  That is, what sort of assistance will the
manufacturer provide?

Anti-viral software (like any software tool, only more so <GRIN>)
generally requires more assistance than other forms of software, or
perhaps I should say, more assistance of a specialized nature.
Removing a virus can be somewhat tricky because a long set of steps
have to be precisely followed to remove a virus AND prevent
re-infection.  And of course, there is the matter of any data on
infected media that may have been corrupted in some way.  So, knowledge
(and its accompanying twin, experience) are a factor.  What sort of
assistance does the vendor provide?  Does the vendor have a telephone
number, a fax, a BBS, internet or online services address that you can
access?  Is the telephone number 24 hours toll free?  Or limited hours
and toll?  Is there a charge for assistance or is it free?  If there is
a charge, do you have a certain amount of free assistance?  What about
local reps?  Is support handled through the head office which may be in
another country, or are there manufacturer's reps or a branch office in
your state (province, district) or country?

Another factor is currency (yes, money too, but more about that next),
by which I mean how current is the program?  Does it need to be regularly
updated?  Does an update file need to be added, or does the package
have to be completely reinstalled each time?  How are updates made
available, and for how long?  Can they be downloaded or mailed or faxed
to you?  Are they free or do you have to pay for them?  Do you get a
certain amount of free updates?  If so, how is this handled?  If there
is a cost for updates, how much is it?

Is the software purchased (or licensed) for life or for a certain
amount of time?  If for a limited time, then how long?  What happens
when the license period runs out?

And how much does it all cost?  And referrals.  Does the manufacturer
have satisfied customers whom you can ask about the product?

Well, sorry for making such a long post, but I did want to address as
many issues as I could think of off the top of my head.  I hope this
gives you some factors to consider.

DISCLAIMER:  Yes, I am an employee of McAfee Associates, makers of the
VIRUSCAN and CLEAN-UP anti-viral programs.  However, I have tried to
make this as objective as possible, without mention of anyone's
products, goods, or services.

Aryeh Goretsky
--
McAfee Associates        | Voice (408) 988-3832 | mcafee@netcom.com
4423 Cheeney Street      | FAX   (408) 970-9727 | (Aryeh Goretsky)
Santa Clara, California  | BBS   (408) 988-4004 |
95054-0253  USA          | v.32  (408) 988-5190 | mrs@netcom.com
ViruScan/CleanUp/VShield | HST   (408) 988-5138 | (Morgan Schweers)
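The change checker described above (a known value recorded per program file on a clean system, later recomputed and compared) is simple enough to show in working code. The following is an added example written for this page; it is not McAfee's code, and the file names, contents and the watched extensions are constructed for the demonstration. It also illustrates the post's caveat about a known checksum method: a toy additive checksum can be kept equal after a file grows, whereas a cryptographic check (SHA-256 here) changes on any modification. The post's other caveat still applies: a resident "stealth" virus can feed the checker a clean copy, so the check is only trustworthy after booting from known-clean media.

```python
"""Change checker of the kind the post describes (added example, not
McAfee's code): record a known value per program file on a clean system,
later recompute and compare, then report modified, missing and new files."""
import hashlib
from pathlib import Path

# Extensions a DOS-era checker would watch; this list is an assumption.
DEFAULT_SUFFIXES = (".com", ".exe", ".sys", ".ovl")


def strong_value(data: bytes) -> str:
    """Cryptographic check: SHA-256 of the file contents."""
    return hashlib.sha256(data).hexdigest()


def weak_value(data: bytes) -> int:
    """Toy additive checksum (sum of bytes mod 256).  Shown only to contrast
    with the cryptographic check; do not use it as a real integrity value."""
    return sum(data) % 256


def compute_baseline(files, value=strong_value):
    """files maps a path name to its bytes.  As the post stresses, this must
    be run on a virus-free machine or the baseline blesses infected code."""
    return {name: value(data) for name, data in files.items()}


def check_changes(baseline, files, value=strong_value):
    """Compare a baseline against the current file set."""
    modified = sorted(n for n in baseline
                      if n in files and value(files[n]) != baseline[n])
    missing = sorted(n for n in baseline if n not in files)
    new = sorted(n for n in files if n not in baseline)
    return {"modified": modified, "missing": missing, "new": new}


def read_tree(root, suffixes=DEFAULT_SUFFIXES):
    """Read every watched program file under root into the name->bytes
    mapping the functions above expect (real-filesystem helper)."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_bytes()
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in suffixes}


def append_with_same_weak_checksum(data: bytes, extra: bytes) -> bytes:
    """Append extra plus one pad byte chosen so the additive checksum is
    unchanged.  This is the weakness the post theorizes about, shown for a
    toy checksum; SHA-256 has no such pad byte."""
    pad = (-sum(extra)) % 256
    return data + extra + bytes([pad])


def demo():
    """Constructed scenario: one file grows, one disappears, one appears."""
    clean = {
        "COMMAND.COM": b"MZ constructed clean command interpreter",
        "UTIL/TOOL.EXE": b"MZ constructed utility program",
    }
    baseline = compute_baseline(clean)          # taken on the clean system
    later = dict(clean)
    later["COMMAND.COM"] += b" [constructed appended bytes]"
    del later["UTIL/TOOL.EXE"]
    later["NEW.COM"] = b"MZ constructed newcomer"
    return check_changes(baseline, later)


if __name__ == "__main__":
    print(demo())
    # Weak checksum: padded file passes; SHA-256: padded file is caught.
    original = b"MZ constructed program"
    padded = append_with_same_weak_checksum(original, b"constructed extra code")
    print(weak_value(original) == weak_value(padded))        # True
    print(strong_value(original) == strong_value(padded))    # False
```

To use it on a real directory, build the mapping with `read_tree`, store the result of `compute_baseline` somewhere the checked machine cannot silently rewrite (write-protected floppy in the post's era), and later feed a fresh `read_tree` into `check_changes`.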

WHAT'S NEW

VIRUSCAN

     Versions 78 and 79 of VIRUSCAN were skipped because of two trojan
horse versions that appeared.  Version 80 of SCAN logically follows
V77.

     Version 80 adds several new features to VIRUSCAN: The first is
that SCAN now checks inside of files compressed with PKWare's PKLITE
program for viruses.  Files infected before compression will be
reported as being infected internally.  Files infected after
compression will be reported as being infected externally.

     When a subdirectory is scanned, SCAN will check subdirectories
below that subdirectory when the /SUB option is used.

     The extension .SWP has been added to the list of extensions
scanned by default.

     The /REPORT option now displays version number, options used, date
and time, and validation code results.

     Also, the capability to detect unknown boot sector viruses by
scanning for virus-like code has been added.  If a boot sector is found
that contains suspicious code, SCAN will report that the disk contains
an Unrecognized Boot Sector Virus.

     51 new viruses have been added.

