Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!network!ucsd!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: portal!cup.portal.com!Charles_M_Preston@Sun.COM
Newsgroups: comp.virus
Subject: Viruscan test (PC)
Message-ID: <0006.8908141126.AA08231@ge.sei.cmu.edu>
Date: 13 Aug 89 16:48:20 GMT
Sender: Virus Discussion List
Lines: 92
Approved: krvw@sei.cmu.edu

For the past couple of weeks I have been testing the latest versions of John McAfee's virus scanning program, Viruscan, downloaded as SCANV29.ARC, SCANV33.ARC, etc., and very briefly the resident version archived as SCANRES4.ARC. While I have not completed the testing protocol with each virus, perhaps an interim report will be of interest.

The testing protocol is:

1. Scan a disk containing a copy of a virus in some form;

2. Have the virus infect at least one other program (for .COM and .EXE infectors) or disk (for boot infectors) so Viruscan must locate the virus signature as it would normally be found in an infected machine;

3. Modify the virus in the most common ways people change them (cosmetic changes to ASCII text messages or small modifications to the code) and try Viruscan again.

Step 2 arises from testing another PC anti-virus product which was supposed to scan for viruses. When I found that it would not detect a particular boot virus on an infected floppy, I asked the software vendor about it. I was told that it would detect a .COM program which would produce an infected disk - not useful to most people with infected disks, the common way this virus is seen.

Even though the viruses tested are not technically self-mutating, my intent is to test Viruscan against later generation infections, as they would be found in a normal computing environment.

Naturally, there is a problem knowing which virus is actually being found, since they go under different names and are frequently modified. The viruses are currently identified by their length, method of infection, symptoms of activity or trigger, and any embedded text strings, based on virus descriptions from a variety of sources. These include Computers & Security journal, and articles which have been on Virus-L, such as Jim Goodwin's descriptions modified by Dave Ferbrache, and reports by Joe Hirst from the British Computer Virus Research Centre. There is a proposal for checksumming of viruses in the June Computers & Security, which would allow confirmation that a found virus is the identical one already disassembled and described by someone. In the meantime, identification has been made as mentioned.

So far, Viruscan has detected the following viruses:

Boot infectors - Brain, Alameda/Yale, Ping-Pong, Den Zuk, Stoned, Israeli virus that causes characters to fall down the screen;

.COM or .EXE infectors - Jerusalem - several versions including sURIV variants, 1701-1704 - several versions, Lehigh, 1168, 1280, DOS62-Vienna, Saratoga, Icelandic, Icelandic 2, April First, and Fu Manchu.

SCANV33 has a byte string to check for the 405.com virus, but does not detect it. SCANV34 has been modified to allow proper detection. SCANRES 0.7V34, the resident version of Viruscan, correctly detects the 405 virus when an infected program is run.

I have not had any false positives on other commercial or shareware programs that have been scanned.

Viruscan appears to check for viruses only in reasonable locations for those particular strains. If there is a virus that infects only .COM files, and an infected file has a .VOM or other extension, it will not be reported. Of course, it is not immediately executable, either.

On the other side of the coin, if a disk has been infected by a boot infector, and still has a modified boot record, it will be reported by Viruscan. This is true even if the rest of the virus code normally hidden in other sectors has been destroyed, thus making the disk non-bootable and non-infectious. This is a desirable warning, however, since the boot record is not original, and since other disks may be still infected.

Disclaimer: I am a computer security consultant and have been working with PC and Macintosh microcomputer viruses and anti-virus products for about 18 months. I have no obligation to John McAfee except to report the outcome of the tests. I am a member of the Computer Virus Industry Association, which is operated by John McAfee.

Charles M. Preston                    907-344-5164
Information Integrity                 MCI Mail 214-1369
Box 240027                            BIX cpreston
Anchorage, AK 99524                   cpreston@cup.portal.com
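The three-step protocol described in the post, run against a toy byte-string scanner, as an added example that is not part of the original post and has nothing to do with Viruscan's own signatures. Every byte sequence, file name and signature name here (CODE_STUB, MESSAGE, toy-text, toy-code) is constructed for illustration; none is taken from a real virus or scanner. The point it makes is the one behind step 3: a signature drawn from an embedded ASCII message is lost to a cosmetic text edit, while one drawn from the code bytes survives it, and a scanner that honours the extension rule the post describes reports nothing for a .VOM copy of the same bytes.

```python
"""Toy signature scanner walking through the post's three-step test protocol.

All sample bytes below are constructed for the example and are not real
virus code or real scanner signatures.
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str              # constructed signature name
    pattern: bytes         # byte string the scanner searches for
    extensions: frozenset  # file types this strain is known to infect


# Constructed stand-ins: a few arbitrary bytes for the "virus body" and a
# made-up text message of the kind people edit cosmetically.
CODE_STUB = bytes.fromhex("e80000005e81ee0301b90a00")
MESSAGE = b"*** TOY STRAIN v1 ***"
CLEAN_PROGRAM = bytes.fromhex("b409cd21b44ccd21") + b"Hello, world$"

# Two signatures for the same constructed strain: one taken from its text
# message, one taken from its code bytes. Both apply only to .COM/.EXE.
SIGNATURES = [
    Signature("toy-text", MESSAGE, frozenset({".com", ".exe"})),
    Signature("toy-code", CODE_STUB[:10], frozenset({".com", ".exe"})),
]


def make_infected(host):
    """Step 2: produce a 'later generation' sample by appending the body to a host."""
    return host + CODE_STUB + MESSAGE


def scan(filename, data, sigs=SIGNATURES):
    """Report signature names found, checking only file types the strain infects."""
    ext = os.path.splitext(filename)[1].lower()
    return [s.name for s in sigs if ext in s.extensions and s.pattern in data]


def cosmetic_edit(data, old, new):
    """Step 3: change the ASCII message without disturbing the code layout."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the same length")
    return data.replace(old, new)


def run_protocol():
    """Run steps 1-3 plus the wrong-extension check and return each result."""
    infected = make_infected(CLEAN_PROGRAM)
    modified = cosmetic_edit(infected, b"v1", b"v2")
    return {
        "step1_clean": scan("HELLO.COM", CLEAN_PROGRAM),     # no false positive
        "step2_infected": scan("HELLO.COM", infected),       # both signatures hit
        "step2_wrong_ext": scan("HELLO.VOM", infected),      # not a .COM, not reported
        "step3_modified": scan("HELLO.COM", modified),       # only the code signature survives
    }


if __name__ == "__main__":
    for step, hits in run_protocol().items():
        print(f"{step:16s} -> {hits}")
```

The constructed scanner is deliberately minimal; what matters is the shape of the results. A text-based signature is the cheapest to write and the first to go when someone retouches a message, so a practitioner applying this protocol would expect a scanner's step 3 results to depend on where in the sample its byte string was taken from.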