Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!network!ucsd!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: portal!cup.portal.com!Charles_M_Preston@Sun.COM
Newsgroups: comp.virus
Subject: Viruscan test (PC)
Message-ID: <0006.8908141126.AA08231@ge.sei.cmu.edu>
Date: 13 Aug 89 16:48:20 GMT
Sender: Virus Discussion List 
Lines: 92
Approved: krvw@sei.cmu.edu


    For the past couple of weeks I have been testing the latest
versions of John McAfee's virus scanning program, Viruscan,
downloaded as SCANV29.ARC, SCANV33.ARC, etc., and very briefly
the resident version archived as SCANRES4.ARC.

    While I have not completed the testing protocol with each
virus, perhaps an interim report will be of interest.

    The testing protocol is:
      1. Scan a disk containing a copy of a virus in some form;
      2. Have the virus infect at least one other program (for
         .COM and .EXE infectors) or  disk (for boot infectors)
         so Viruscan must locate the virus signature as it would
         normally be found in an infected machine;
      3. Modify the virus in the most common ways people change
         them (cosmetic changes to ASCII text messages or small
         modifications to the code) and try Viruscan again.

    Step 2 arises from testing another PC anti-virus product
which was supposed to scan for viruses.  When I found that it
would not detect a particular boot virus on an infected floppy,
I asked the software vendor about it.  I was told that it would
detect a .COM program which would produce an infected disk - not
useful to most people with infected disks, the common way this
virus is seen.  Even though the viruses tested are not technically
self-mutating, my intent is to test Viruscan against later
generation infections, as they would be found in a normal
computing environment.

    Naturally, there is a problem knowing which virus is actually
being found, since they go under different names and are
frequently modified.  The viruses are currently identified by
their length, method of infection, symptoms of activity or
trigger, and any embedded text strings, based on virus
descriptions from a variety of sources.  These include Computers &
Security journal, and articles which have been on Virus-L, such
as Jim Goodwin's descriptions modified by Dave Ferbrache, and
reports by Joe Hirst from the British Computer Virus Research
Centre.

    There is a proposal for checksumming of viruses in the June
Computers & Security, which would allow confirmation that a found
virus is the identical one already disassembled and described by
someone.  In the meantime, identification has been made as
mentioned.

    So far, Viruscan has detected the following viruses:

    Boot infectors - Brain, Alameda/Yale, Ping-Pong, Den Zuk,
      Stoned, Israeli virus that causes characters to fall down
      the screen;

    .COM or .EXE infectors - Jerusalem - several versions
      including sURIV variants, 1701-1704 - several versions,
      Lehigh, 1168, 1280, DOS62-Vienna, Saratoga, Icelandic,
      Icelandic 2, April First, and Fu Manchu.

    SCANV33 has a byte string to check for the 405.com virus, but
does not detect it.  SCANV34 has been modified to allow proper
detection.

    SCANRES 0.7V34, the resident version of Viruscan, correctly
detects the 405 virus when an infected program is run.

    I have not had any false positives on other commercial or
shareware programs that have been scanned.  Viruscan appears to
check for viruses only in reasonable locations for those
particular strains.  If there is a virus that infects only .COM
files, and an infected file has a .VOM or other extension, it
will not be reported.  Of course, it is not immediately
executable, either.

    On the other side of the coin, if a disk has been infected by
a boot infector, and still has a modified boot record, it will be
reported by Viruscan.  This is true even if the rest of the virus
code normally hidden in other sectors has been destroyed, thus
making the disk non-bootable and non-infectious.  This is a
desirable warning, however, since the boot record is not
original, and since other disks may be still infected.
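    The three behaviours discussed above - the three-step testing
protocol, the scanner only looking in "reasonable locations" for a
given strain, and a modified boot record being reported on its own -
can be replayed with a small byte-string scanner.  The following is
an added example written for this discussion; it is not Viruscan's
code, and the "test strain" bytes, the message text, the hosts, and
the `.boot` naming convention for a boot-record image are all
constructed for the demonstration and correspond to no real virus.

```python
"""Toy signature scanner with per-strain scope, run over constructed
samples that follow the post's protocol.  Nothing here is Viruscan's
code or a real virus; every byte string below is made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str          # label reported when the pattern is found
    pattern: bytes     # byte string the scanner looks for
    scope: frozenset   # locations this strain can occupy: "COM", "EXE", "BOOT"


def classify(name: str) -> str:
    """Decide what kind of location an object is, using a constructed
    naming convention: .COM/.EXE by extension, '.boot' for a boot-record image."""
    lower = name.lower()
    if lower.endswith(".com"):
        return "COM"
    if lower.endswith(".exe"):
        return "EXE"
    if lower.endswith(".boot"):
        return "BOOT"
    return "OTHER"


def scan(objects: dict, signatures: list) -> dict:
    """Return {object name: [signature names found]} for every object.

    A signature is only tried in locations within its scope, which is why
    a .COM-only strain is not reported when the same bytes sit in a .VOM file."""
    report = {}
    for name, data in objects.items():
        kind = classify(name)
        report[name] = [s.name for s in signatures
                        if kind in s.scope and s.pattern in data]
    return report


# --- constructed test strain (not a real virus) ---------------------------
CODE_BYTES = bytes.fromhex("b4 4e b9 20 00 ba 80 01 cd 21 72 1a")  # made-up opcode run
TEXT_MSG = b"HELLO FROM THE TEST STRAIN"                              # cosmetic text
HOST_A = b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 32                       # tiny benign host
HOST_B = b"\xb4\x09\xba\x00\x01\xcd\x21\xc3" + b"\x90" * 16           # a second host

SIGNATURES = [
    # Two ways to fingerprint the same strain: by its message, or by its code.
    Signature("TestStrain(text)", TEXT_MSG, frozenset({"COM"})),
    Signature("TestStrain(code)", CODE_BYTES, frozenset({"COM"})),
    # The boot-record form of the strain is only looked for in boot records.
    Signature("TestBoot", CODE_BYTES, frozenset({"BOOT"})),
]


def build_samples() -> dict:
    """Constructed objects for the three protocol steps plus the scope checks."""
    first_gen = HOST_A + CODE_BYTES + TEXT_MSG
    second_gen = HOST_B + CODE_BYTES + TEXT_MSG
    # Step 3: a 'cosmetic change' to the text message only; code bytes untouched.
    cosmetic = HOST_A + CODE_BYTES + TEXT_MSG.replace(b"TEST", b"TSET")
    # 512-byte boot-record image carrying the strain's loader bytes; the other
    # sectors the strain would normally occupy are not present at all.
    boot = CODE_BYTES + b"\x00" * (510 - len(CODE_BYTES)) + b"\x55\xaa"
    return {
        "CLEAN.COM": HOST_A,         # uninfected host: nothing should be reported
        "SAMPLE.COM": first_gen,     # step 1: disk holding a copy of the strain
        "SECOND.COM": second_gen,    # step 2: later-generation infection of another host
        "CHANGED.COM": cosmetic,     # step 3: text message altered
        "SAMPLE.VOM": first_gen,     # same bytes, extension outside the strain's scope
        "DISK1.boot": boot,          # modified boot record, remaining sectors destroyed
    }


def run_demo() -> dict:
    return scan(build_samples(), SIGNATURES)


if __name__ == "__main__":
    for obj, hits in run_demo().items():
        print(f"{obj:12} {', '.join(hits) or '-'}")
```

The run shows the point of step 3 from the scanner's side: the
signature taken from the text message misses CHANGED.COM while the one
taken from code bytes still reports it, so a scanner's string choice
decides whether cosmetically altered copies are caught.  SAMPLE.VOM is
silent because the strain's scope is .COM only, and DISK1.boot is
reported on the strength of the boot record alone, as the post
describes for Viruscan.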

Disclaimer:  I am a computer security consultant and have been
working with PC and Macintosh microcomputer viruses and anti-
virus products for about 18 months. I have no obligation to John
McAfee except to report the outcome of the tests.  I am a member
of the Computer Virus Industry Association, which is operated by
John McAfee.

Charles M. Preston                       907-344-5164
Information Integrity                    MCI Mail  214-1369
Box 240027                               BIX  cpreston
Anchorage, AK  99524                     cpreston@cup.portal.com