Comparison Review

Company and product:

Trend Micro Devices Inc.
2421 W. 205th St., #D-100
Torrance, CA 90501
USA
213-782-8190
PC-cillin - program change detection hardware/software - version 2.95L

Summary:

A change detection and vaccine program with some scanning functions. Change detection is applied to boot sectors and partition boot records as well. System status information is stored in a hardware device connected to a parallel port.

Cost US $139.00

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      3
            Ease of use       3
            Help systems      2
      Compatibility           2
      Company
            Stability         ?
            Support           2
      Documentation           3
      Hardware required       3
      Performance             2
      Availability            2
      Local Support           ?

General Description:

The best functioning parts of the package appear to be the scanning, and "resident scanning" operations. Not highly recommended; most suitable for novice users with operations primarily limited to a single hard disk and strictly limited disk swapping.

Comparison of features and specifications

User Friendliness

Installation

Note that there is no indication on the packaging as to version number. The first version tested had files dated November 2, 1990 and was stated to be version 2.95 in the README.DOC file on disk. The second package received (from a different source) was identical except for two added stickers identifying the item as "Made in Taiwan R O C", but had file dates of November 8, 1990 to January 23, 1991 and was stated to be version 2.95L in the README.DOC file. Further reading of the README.DOC indicates that this version is now "LAN aware", that more viral programs are recognized, that scanning is faster, and that minor cosmetic changes have been made to the display. (Previous problems with documentation have also been rectified, and the package now contains both disk sizes.)

The disk is shipped write protected, although only by a write protect tab. (The disk is not a "notchless" read-only disk.)

The installation procedure is written with a "pre-infected" system in mind, and, if followed carefully, should provide against infection by any virus known to the program. (The procedure to be followed in case of partition table infection, although quite clear in its explanation of the problem, is deficient in not recommending making a backup before beginning the procedure.)

PC-cillin can install from, or to, any drive, but will not install to the drive from which the installation files are being run. Installation is simple and reasonably quick. Modification to AUTOEXEC.BAT or CONFIG.SYS is simple and non-destructive, and a backup file is maintained.

When "verifying for known viruses" during installation, PC-cillin states that it is checking high memory. This is an intriguing report, as the machine used for testing has only the standard 640K and a CGA card. Based on relative times, the program appeared to be checking approximately 2 megabytes of memory that did not exist.

Upon installation to a boot virus infected system, PC-cillin identified the virus, but allowed the installation to proceed. Upon "rebooting", PC-cillin alerted for the presence of a boot sector virus. Interestingly, once the disk was disinfected, PC-cillin allowed the disk to boot normally. Without having access to the encoding system used, it is difficult to say what check is used to detect a change in the boot sector. A deliberate change made in the boot sector text had no effect.

The package makes provision for software updates of the "signature" programs without the need for reinstallation of the entire system.

Ease of use

A single program, PCC.EXE, gives access to all functions: installation, scanning (called "Quarantine" by PC-cillin) and the production of a "rescue diskette". Installation and scanning are clear and self-explanatory in operation. The making of a rescue diskette is less so, involving unnecessary disk swapping.

When scanning, PC-cillin does not disinfect infected files, but does offer to delete them. The decision is left to the user. Boot sector viri on floppies are not disinfected, even if they are the "boot floppy" that PC-cillin was installed on. Repair information is apparently only stored for the hard disk PC-cillin is installed on.

Because of its "background" operation, PC-cillin presents an "inverse face" (PC graphics character 02H) in the upper right hand corner of the screen when in operation. The documentation states that this display can be toggled off or on with , and that the operation of PC-cillin in background can be toggled on and off with . The message displayed by the PCCILLIN program at invocation now indicates the same key sequence, but the toggle still does not work.

Help systems

None provided.

Compatibility

The scanning function of PC-cillin is now stated to recognize 176 different viri, and it does recognize the most common viri that make up the bulk of current infections.

The "vaccine" functions of the product are either very intelligent or very doubtful: the program will allow programs to modify themselves, other programs and disk boot sectors, as well as deleting program files. (Disk writing by certain programs appears to be restricted, but in testing no alarms were generated by multiple attempts to write to program files through the use of different programs and editors.) Protection of boot sectors appears limited to the "installed" hard disk: the program will not recover an infected boot sector floppy.

Company Stability

Unknown.

Company Support

When the company first shipped the product for review, an incorrect Customs declaration for shipping to Canada delayed shipping of the review copy.

The program makes provision for software updates of the "signature" programs, but does not indicate any definite way to keep customers informed. Although my copies are registered, I have received no notice of the change in versions.

Documentation

The documentation is clear and well laid out, and contains an excellent discussion of general viral operations. The progression through the book is logical, and novice users should be able to follow it clearly. Advanced users will still find items of interest in the section on general viral concepts.

The "stiff" binding and grammatical errors in the README.DOC file have been corrected.

Hardware Requirements

At least one parallel (printer) port is required. The "Immunizer Box" attachment is said to be transparent to user data.

Performance

The product is "aware" of the currently most common viri. Identification in various areas relies on known viral activity: although memory is checked, it does not appear to "find" memory resident viri which can also be found on disk. Vaccine or recovery activities are restricted at best.

Local Support

None provided.

Support Requirements

The program is easy enough for a novice to use and install without assistance. If a virus is found, it is recommended that experienced personnel deal with it.

General Notes

A great deal of thought and planning has gone into the concept and packaging of this product. Provision for the use of floppy diskettes, and a general strengthening of the "vaccine" and change detection portions of the program would benefit it immensely.

copyright Robert M. Slade 1991   PCCILL2N.RVW   910417

======================
ROBERTS@decus.ca   rslade@vanisl.decus.ca   Rob.Slade@f733.n153.z1.fidonet.org
If you can tell good advice from bad advice, you don't *need* any advice
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)