INFECTIOUS BEHAVIOUR
STANDFIRST
Computer viruses are nasty little things that can really
spoil your day... Rick Maybury looks at two anti-virus packages that will
hopefully keep infections at bay, and provide emergency first aid if the worst
happens
COPY
Several times each year the media get their knickers into a
twist over some new strain of computer virus. They’re normally timed to go off
on a particular day, or triggered by a set of events and promise to wreak havoc
on the nation’s PCs. So what happens? Sod all usually. In fact the actual
threat to most stand-alone PC users from the 10,000 or so known viruses is
relatively small, but that’s cold comfort to those who do get caught out.
The chances of infection are at their greatest if you
download a lot of files from the internet, receive unsolicited e-mail, load
files and programs from discs of uncertain origin or use bootleg software.
Within the past three years a new threat has emerged in the shape of Macro
viruses. They lurk hidden inside word processor documents and spreadsheet files
and are easily spread by swapping discs and e-mail.
Even if you’re in a low-risk category the fear of catching a
virus, whether real or imagined, is there. If only for your peace of mind it is
prudent to take some precautions. If you feel your PC is vulnerable to attack
then it is even more important to treat the matter seriously, and that means
using anti-virus software.
There’s plenty of them to choose from, including demos on
magazine cover discs, freebies, down-loadable shareware and high-performance
utilities, two of which we’re looking at here. Cheyenne Antivirus and PC-Cillin
are amongst the best known anti-virus programs on the market. They have quite a
lot in common, including the price (both are currently selling around the £40
mark), and they can both be updated via the internet. However, the
presentation, the way in which they work and the impact they have on a system,
are different.
CHEYENNE ANTIVIRUS
Antivirus is the more elaborate of the two, with plenty of
functionality for advanced Windows and DOS users. Cheyenne claim that it can
detect 100% of known and unknown viruses. Clearly that’s something that we’re
unable to verify (see The Tests) but they are certified by the National
Computer Security Association (NCSA), an authoritative and independent US
organisation that checks such things.
The program uses four virus detecting strategies. It checks
the integrity of a program, to see if there have been any changes due to virus
infection or activity. A rule-based Polymorphic Analyser monitors the behaviour
of programs for suspicious activity. Interrupt Monitoring constantly checks the
operating system for actions that may indicate a virus is at work, and Signature
Scanning checks for known virus codes. Updated signature files can be automatically
downloaded from the Cheyenne web site.
Antivirus has Windows 95 32-bit capability. It operates from
switch on, checking the master boot sector, before the operating system starts
to load. It verifies CMOS RAM information, the partition table, I/O systems,
shell file and Windows. This all adds to the time taken to boot up. On one
test-bed PC (P133/16Mb) the time taken for the machine to get to the Win 95
desktop increased from one to one and a half minutes, and even then the hard
disc was still chuntering away in the background.
Any or all local drives can be scanned at any time. A
virtual device driver called Wimmune.VXD operates in the background, checking
all programs and files as they’re addressed or executed. Active Monitor looks
at all incoming and outgoing files for viruses, including compressed data using
.ZIP or .ARJ formats. During installation Antivirus offers the option to create
a rescue disc containing Critical Disc Area information.
Presentation is very simple. The main desktop has four main
functions: scan all local disc drives, create a critical area backup disc,
automate the scanning schedule, and download the latest signature update. Once
Antivirus has carried out a full disc scan and been configured, it can be left
pretty much to get on with the job and you won’t see it again, unless you want
to, or it discovers a virus. If an infection is found during the initial scan
it offers various options, from deleting the file, virus removal -- when it
knows how to -- renaming the file, moving it from its current directory or
purging it completely, so that it cannot be recovered. If a virus is detected
when the PC is operating the procedure is to close all active applications,
switch off the PC, re-boot with the rescue disk then run a disc scan utility
from DOS.
That all sounds fairly straightforward on paper but the
recovery procedures do require some familiarity with the workings of DOS. We
suspect those weaned on point and click Windows may well find the instructions
tough going. Moreover, Antivirus demands a certain amount of discipline on the
part of the user, to regularly update the critical area disc files. Antivirus
feels as though it is doing a thorough job and it inspires a good deal of
confidence, though it’s not especially friendly and is better suited to more
experienced PC users.
Advanced virus detection software for high-risk users, who
know what they’re doing
Street price £45
System req. IBM PC 486 or higher, 8Mb RAM, 8Mb
free hard disc space, Windows 95, modem and internet connection recommended
Media CD ROM, 3.5-in floppies
Main Features detects
known and unknown boot sector, polymorphic, stealth and macro viruses, scans
loading files and internet downloads, on-line updates
Contact Roderick Manhatten Group Ltd., telephone
0181-875 4441
CV Ratings
Features ****
Performance ****
Ease of Use ****
Value for money ****
Overall rating 85%
TOUCHSTONE PC-CILLIN II DELUXE
PC-Cillin II Deluxe
gets off to a good start with a friendly, approachable, manual that gives a
good clear explanation about what viruses are, how it finds them, and what it
does with them, if it finds any. Like Antivirus it is NCSA certified and claims
to be able to detect all known viruses and catch new strains, that have yet to
be identified.
Installation is a breeze on Windows 95 PCs. It carries out a
pre-scan before loading, eliminating the possibility of loading the program
into an already infected machine, then it offers to create an emergency rescue
disc. PC-Cillin II uses a number of virus detection systems. Virus
Instructional Code Emulator (VICE) looks for known virus patterns. An advanced
Mutation Virus cleaning engine identifies parts of files that are infected so
they can be surgically removed. Rule-Based Technology monitors requests made to
the PC’s interrupt table, in particular unexpected calls to write to the boot
sector, open executable programs for writing, and changes to resident memory.
Files are scanned before they are executed and as they are saved, created or
copied, all this happens behind the scenes, without the user having to do
anything.
A utility called Macro Shield loads at the same time as MS
Word, screening against macro viruses, before they have the opportunity to do
any damage. In addition to known infections Macro Shield can also detect new
strains, and remove them if found. PC-Cillin also scans all internet downloads,
e-mails and attachments plus compressed files with PKZIP, WINZIP and LHARC
extensions.
Smart Monitor sits on the Windows 95 task bar, quietly going
about its business. When opened it displays a set of meters showing the current
status and activity logs. A ‘threat’ meter shows how many of the systems that are
vulnerable to attack (modem connection, disc drives etc.) are operating.
There are also meters showing CPU activity, the level of protection being
applied, time since the last full scan and virus pattern file (VPF) update. The
main desktop covers scanning operations, configuration and a huge amount of
information on known viruses, what they do, and how they’re detected.
If a virus is found an on-screen alert appears and PC-Cillin
offers users a number of manual options, or the ‘Clean Wizard’, which takes the
user gently by the hand through the disinfection process. Affected files can be
cleaned or deleted; if the threat is
judged to be negligible it can be left alone. It can be renamed, or moved to a
‘quarantine’ directory, where it will do no further harm, until you decide what
to do with it. Cleaning removes known viruses from a file, leaving them
undamaged.
When the cleaning process has been completed a ‘send e-mail’
window appears. This contains a prepared message that can be sent to anyone
that you share files or discs with, warning them of the nature of the
infection, and what they can do about it. This can be either sent straight
away, or printed out and sent using snail mail. Support is available 24 hours a
day for the first 90 days and the manufacturers offer an emergency virus
removal service, where they can download infected files from your PC, and
hopefully clean them up for you.
PC-Cillin is very easy to use, even by complete novices, who
are arguably the most vulnerable to virus attack, and the least able to cope
when it happens. The level of support appears very impressive. There are not so
many rules or things to tinker around with, compared with Antivirus, but it
gives the impression of providing the same sort of high-level protection, with
the reassurance of regular updates, as and when new viruses appear.
Reassuringly simple virus protection with a good feeling of
security
Street price £41
System req. IBM PC or compatible, 386 or higher,
8Mb RAM, 10Mb free hard disc space, Windows 3.1/95/NT
Media CD ROM, 3.5-in floppies
Main Features detects
known and unknown boot sector, polymorphic, stealth and macro viruses, scans
loading files and internet downloads, on-line
Contact Quarterdeck UK Ltd., (01245) 494940
CV Ratings
Features ****
Performance ****
Ease of Use ****
Value for money ****
Overall rating 85%
BOX COPY 1
WHAT IS A VIRUS
In the broadest sense a computer virus is any program that
gets loaded into your system without your knowledge or permission. A lot of
viruses do nothing particularly harmful, other than display a message, or muck
about with the display, others do real damage, from changing, scrambling or
hiding data, to corrupting and erasing the hard disc.
The worst kind of viruses are those that lay dormant,
possibly for weeks or months, waiting for a particular event to occur. It could
be something predictable, like a certain date -- Friday the thirteenth is very
popular -- or a purely random
occurrence, such as a combination of keystrokes. Viruses come in very many
different forms but there are several readily identifiable characteristics.
Master Boot Sector Viruses are amongst the hardest to detect
as they reside in a part of the disc that contains software that determines how
the PC operates, and is not routinely scanned by disc monitoring tools. Viruses
in the boot sector are easily loaded into memory and spread to other discs.
Macro Viruses are now the most prolific type. They’re
relatively easy to write, using the simple programming language incorporated
into many word processor and spreadsheet programs. They can be hidden inside
files and once loaded, infect the memory, where they can be transferred to
other systems by file transfer and e-mail.
Memory Resident Viruses live in the PC’s memory. Once
activated they take control of the operating system by attaching themselves to
particular files, normally executable types with .EXE, .COM or .SYS extensions.
Stealth Viruses are one of the most sophisticated types as
they actively hide or modify themselves to conceal their presence. This
includes tricks like deleting bytes from a program, so that the file size
remains unchanged after infection.
Polymorphic Viruses periodically mutate, changing their
‘signature’ or code by which they can be identified, making them incredibly difficult
to detect.
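Two of the detection strategies described in the Cheyenne Antivirus section (integrity checking and signature scanning) are easy to see in miniature, and the stealth and polymorphic entries above explain why a scanner needs both. The example below is added here and is not code from the review or from either product. It builds a handful of made-up files, records a SHA-256 baseline for each (the integrity check), then looks for a fixed byte pattern (the signature scan). The "virus body" is an arbitrary six-byte marker, the file names are invented, and the XOR re-encoding is only a toy stand-in for the way a polymorphic virus changes its bytes from copy to copy.

```python
"""Added example (not from the review): integrity checking versus signature
scanning over constructed sample files. Every name, path and byte pattern here is
made up for illustration."""
import hashlib
from typing import Dict, List

# Constructed "known virus" signature: the byte pattern a scanner looks for.
# It is an arbitrary marker, not a real malware signature.
KNOWN_SIGNATURES: Dict[str, bytes] = {
    "DEMO-A": b"\xde\xad\xbe\xef\x42\x42",
}

# Constructed clean files, each a plain stand-in for an executable.
CLEAN_FILES: Dict[str, bytes] = {
    "C:/DOS/EDIT.COM": b"MZ" + b"\x00" * 20 + b"hello",
    "C:/WIN/CALC.EXE": b"MZ" + b"\x01" * 20 + b"calc",
    "C:/WIN/NOTEPAD.EXE": b"MZ" + b"\x02" * 20 + b"notepad",
}


def signature_scan(data: bytes) -> List[str]:
    """Signature scanning: report every known byte pattern present in the file."""
    return [name for name, pattern in KNOWN_SIGNATURES.items() if pattern in data]


def take_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Integrity baseline: one SHA-256 digest per file, recorded on a clean system."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_check(files: Dict[str, bytes], known_good: Dict[str, str]) -> List[str]:
    """Integrity checking: return paths whose digest no longer matches the baseline."""
    return [path for path, data in files.items()
            if known_good.get(path) != hashlib.sha256(data).hexdigest()]


def mutate(pattern: bytes, key: int) -> bytes:
    """Toy 'polymorphism' (assumption, not a real engine): XOR the body with a
    per-copy key so no two copies share the same bytes."""
    return bytes(b ^ key for b in pattern)


def infect_samples() -> Dict[str, bytes]:
    """Produce three constructed infections that differ in how they alter the host."""
    body = KNOWN_SIGNATURES["DEMO-A"]
    infected = dict(CLEAN_FILES)
    # 1. Plain infection: the body is appended, size grows, signature intact.
    infected["C:/DOS/EDIT.COM"] = CLEAN_FILES["C:/DOS/EDIT.COM"] + body
    # 2. Polymorphic copy: same body, re-encoded, so the fixed pattern is absent.
    infected["C:/WIN/CALC.EXE"] = CLEAN_FILES["C:/WIN/CALC.EXE"] + mutate(body, 0x5A)
    # 3. Stealth-style overwrite: bytes replaced in place, file size unchanged.
    original = CLEAN_FILES["C:/WIN/NOTEPAD.EXE"]
    infected["C:/WIN/NOTEPAD.EXE"] = (
        original[:2] + mutate(body, 0x33) + original[2 + len(body):]
    )
    return infected


def run_checks() -> Dict[str, Dict[str, object]]:
    """Run both strategies over the infected set and report what each one caught."""
    known_good = take_baseline(CLEAN_FILES)      # taken while the files were clean
    infected = infect_samples()
    changed = set(integrity_check(infected, known_good))
    return {
        path: {
            "signature_hits": signature_scan(data),
            "integrity_changed": path in changed,
            "size_unchanged": len(data) == len(CLEAN_FILES[path]),
        }
        for path, data in infected.items()
    }


if __name__ == "__main__":
    for path, result in run_checks().items():
        print(path, result)
```

Only the plain infection is caught by the signature scan; the re-encoded and in-place variants carry no known pattern, and the in-place one does not even change the file size. The integrity check flags all three, because any change to the bytes changes the digest. That is the trade-off the review describes: the baseline has to be taken on a clean machine and kept up to date (the "discipline" the Cheyenne section mentions), and a changed file tells you something is wrong but not what, which is where signatures and behaviour monitoring come in.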
BOX COPY 2
THE TESTS
Unfortunately anti-virus software is rather difficult to
test in a real-life situation, so you should treat magazine reviews that claim to
road test various products with a good deal of scepticism. For obvious reasons
samples of the latest and most damaging viruses are not that easy to come by,
outside of the anti-virus industry. That’s undoubtedly a good thing -- there’s
more than enough viruses in the ‘wild’ without clumsy magazine reviewers adding
to them -- but it does make our job harder and we have to take a lot of the
manufacturers’ claims on trust. However, we can still comment on the
functionality of the programs, what they do and how they do it, as well as how
easy they are to use, and what they will do for you, if the worst should happen.
© R. Maybury 1997 0408