Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!pacbell.com!iggy.GW.Vitalink.COM!widener!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: RADAI@HUJIVMS.BITNET (Y. Radai)
Newsgroups: comp.virus
Subject: Re: TSR Virus Detector (PC)
Message-ID: <0005.9105081310.AA02449@ubu.cert.sei.cmu.edu>
Date: 8 May 91 12:28:00 GMT
Sender: Virus Discussion List
Lines: 51
Approved: krvw@sei.cmu.edu

John Councill asks:

>Can anyone reading this recommend a reliable program that will sit in
>memory and warn against writes to .EXE and .COM files, as well as
>other suspicious virus-like activity without degrading performance of
>the machine too much?

Several months ago, I made a quick comparison between several programs of this type which I have. (I call them "monitoring" programs. There are other reasonable names, and also one which I consider very inappropriate: Robert Slade's term "vaccine" software.) When I saw John's question, I thought this would be a good opportunity to make my comparison more complete, but I see I'm not going to find the time, so for now I'm reporting only my previous results.

The programs which I compared were F-LOCK, FSP, SECURE, TSAFE, and VTAC. I decided that the most important criterion was the ability to prevent infection by the largest number of viruses (without giving too many false alarms, of course), and that the type of virus which would be most likely to separate the good programs from the mediocre would be those viruses which avoid re-direction of interrupt vectors (by jumping directly to the interrupt handlers or by issuing commands directly to the controller). So I threw 4 viruses of this type against each of the above programs. The number which each program stopped was as follows:

  SECURE   4
  F-LOCK   1
  others   0

On this criterion, SECURE is clearly the best monitoring program. (Fridrik Skulason has an alternative version of F-LOCK which would do better, but he hasn't released it because of conflicts with certain software.) It's conceivable that other viruses would give opposite results, but I very much doubt it. On the other hand, there are many other criteria which I did not subject to a systematic comparison, such as false alarms, slowing down of ordinary computer activity, flexibility and convenience.

Btw, the author of SECURE, Mark Washburn, is also the author of the V2P* virus series, all of which are variable self-encrypting viruses designed to demonstrate the futility of relying on programs which attempt to detect viruses by scanning for characteristic strings. V2P1 (better known as the 1260) was distributed publicly, and while it is not itself destructive, someone evidently used its disassembly as the basis for the Casper virus, which is quite destructive. This, of course, does not prevent SECURE from being the best monitoring program, at least judging by my limited comparison. I can only hope that others will make more thorough tests.

(All of the above except TSAFE are available from Simtel20 in .)

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL
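The evaluation criterion Radai describes, a monitor scored by how many writers it stops when some of them bypass the interrupt vector table, can be modelled in a few lines. The Python below is an added, constructed illustration; it is not code from the post or from any of the programs it names (F-LOCK, FSP, SECURE, TSAFE, VTAC), and the three layers, the two monitor designs and the three sample writers are assumptions made for the model. It shows why a monitor that only hooks the INT 21h vector scores poorly against writers that call the resident handler or the controller directly, and how a harness of the kind Radai ran produces a "number stopped" per monitor design.

```python
"""Toy model of a TSR write monitor evaluated against vector-bypassing writers.

Constructed illustration (not from the comp.virus post). Three layers stand
in for a PC: the interrupt vector table, the resident DOS handler behind
INT 21h, and the disk controller beneath it. A monitor hooks whichever
layer(s) its design reaches; sample writers reach the disk by different
routes, and the harness counts how many the monitor stops.
"""
from dataclasses import dataclass, field

PROTECTED_SUFFIXES = (".EXE", ".COM")  # the file types the monitor guards


@dataclass
class Disk:
    """Lowest layer: whatever reaches controller_write() hits the disk."""
    writes: list = field(default_factory=list)

    def controller_write(self, name: str) -> None:
        self.writes.append(name)


@dataclass
class Dos:
    """Resident INT 21h handler; normally reached through the vector table."""
    disk: Disk

    def handler(self, name: str) -> None:
        self.disk.controller_write(name)


@dataclass
class Machine:
    disk: Disk
    dos: Dos
    vectors: dict = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.vectors[0x21] = self.dos.handler  # vector points at the handler


class VectorHookMonitor:
    """Design A (assumed): hooks only the INT 21h vector table entry."""

    def __init__(self, machine: Machine) -> None:
        self.original = machine.vectors[0x21]
        machine.vectors[0x21] = self.inspect

    def inspect(self, name: str) -> None:
        if name.upper().endswith(PROTECTED_SUFFIXES):
            return  # refuse the write instead of passing it down
        self.original(name)


class HandlerHookMonitor(VectorHookMonitor):
    """Design B (assumed): hooks the vector and the resident handler itself."""

    def __init__(self, machine: Machine) -> None:
        super().__init__(machine)
        original_handler = machine.dos.handler

        def guarded(name: str) -> None:
            if name.upper().endswith(PROTECTED_SUFFIXES):
                return
            original_handler(name)

        machine.dos.handler = guarded


# Three constructed writers, one per route to the disk.
def write_via_int21(m: Machine, name: str) -> None:
    m.vectors[0x21](name)            # the well-behaved route


def write_direct_to_handler(m: Machine, name: str) -> None:
    m.dos.handler(name)              # jumps past the vector table


def write_direct_to_controller(m: Machine, name: str) -> None:
    m.disk.controller_write(name)    # talks to the controller itself


WRITERS = {
    "via_int21": write_via_int21,
    "direct_handler": write_direct_to_handler,
    "direct_controller": write_direct_to_controller,
}


def evaluate(monitor_cls) -> dict:
    """Run each writer against a fresh machine; True means the write was stopped."""
    results = {}
    for label, writer in WRITERS.items():
        disk = Disk()
        machine = Machine(disk, Dos(disk))
        monitor_cls(machine)
        writer(machine, "VICTIM.COM")
        results[label] = "VICTIM.COM" not in disk.writes
    return results


def stopped_count(monitor_cls) -> int:
    return sum(evaluate(monitor_cls).values())


if __name__ == "__main__":
    for cls in (VectorHookMonitor, HandlerHookMonitor):
        print(f"{cls.__name__:18} stopped {stopped_count(cls)} of {len(WRITERS)}")
```

The harness separates the designs the same way Radai's criterion did: the vector-only monitor stops just the writer that goes through INT 21h, the handler-level monitor also stops the direct jump to the handler, and neither stops a writer that drives the controller directly, which is why a test set of such writers is what distinguishes a good monitoring program from a mediocre one.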