PCIBMSCN.RVW   910617

Comparison Review

Company and product:

IBM High Integrity Computing Lab
Thomas J. Watson Research Center
P. O. Box 218
Yorktown Heights, New York
USA 10598
Bill Arnold, author
David Chess CHESS@YKTVMV.IBM.COM, CHESS@YKTVMV.BITNET
VIRSCAN 2.00.01 dated 910307

Summary: Non-resident scanner with user extensible signature file.

Cost $35 US for original license, $10 for upgrades, enterprise wide license

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      3
            Ease of use       3
            Help systems      3
      Compatibility           3
      Company
            Stability         3
            Support           2
      Documentation           3
      Hardware required       4
      Performance             3
      Availability            2
      Local Support           1

General Description:

IBM's VIRSCAN product appears to fall somewhat oddly between commercial software and shareware. Although IBM retains all rights to the program (in a license agreement written as only IBM can), there is no printed documentation, and the package is available on either single disks or via the IBMLINK service. The price is reasonable for an individual, but almost absurdly low given the "enterprise wide" license.

VIRSCAN is a non-resident scanner with a non-encrypted and user extensible signature file. Command line switches can be used to obtain a variety of information about the system. The program makes no attempt to disinfect or delete infections.

Recommended for any situation, but particularly for medium to large companies and for intermediate to advanced users.

Comparison of features and specifications

User Friendliness

Installation

VIRSCAN, when supplied on disk, is shipped on "non-writable" diskettes. IBM does not suggest installation on the hard drive at all. The suggested use of the program is to boot from a protected floppy, and run the program from the floppy disk.

The documentation does give directions on how to prepare a bootable floppy with the scanning program on it. These directions are very complete.
(Directions are even given on how to write protect a 3 1/2" floppy disk, although they are not as explicit for 5 1/4" disks.) An explanation of "resident" viri is given, and directions for booting from the original system floppy are given. The directions do assume that you have original IBM equipment and operating system disks, but should be clear for most systems, even for novice users.

The documentation is written with the novice user in mind, and is, in places, excellent. Some "obvious" steps are missing in the directions, but by and large they are very clear, and cover ground often missing in the documentation of other products.

Ease of use

As the product has evolved, a number of command line switches have been added. The default settings, however, are very well chosen, and novice users should not need to know the various options. Advanced users will be able to use them without problems.

One possible problem is that by default the scan proceeds to conclusion even when the screen has filled with warning messages. This should not be a problem in normal operation, but may be of concern in scanning a heavily infected system. (The "-Z" switch will, however, cause the program to pause at each signature found and this may be an acceptable alternative.)

Help systems

Two levels of help are available from the command line, called by switches. (Somewhat counterintuitively, the "?" switch gives more extensive and complicated assistance than does the "??" switch.) As the program is run from the command line only, "onscreen help" is not an issue.

Compatibility

VIRSCAN will run under both DOS and OS/2, and will examine drives with both DOS/FAT and HPFS file structures.

The structure of the signature file is outlined in the manual, and at least one other scanning program obtained for evaluation (Thunderbyte Scan from Frans Veldman) uses this same file format as a standard.
This allows the use of additional signature information with the program, and also allows users to add new signatures to update the package, or their own signatures if a new virus is found.

Mention is made in the documentation of a switch to disable "high memory" checking, which appears to indicate that the program will check high memory by default. The extent of this is not, however, clearly specified in the documentation. In a communication from David Chess, it was explained that "high memory" is defined as the area between 640K and 1 meg. No scanning is done above 1 meg. (Note that when run from OS/2, the program does *not* check system memory. Memory is only checked when the program is run from DOS or the DOS compatibility box.)

Company Stability

They'll probably be around for a while.

Company Support

Those on the Internet and Usenet who receive VIRUS-L/comp.virus will have access to David Chess' postings and email address. IBMLINK subscribers will have access to upgrades and information.

Documentation

The documentation is available only in softcopy on the disk. While sections are excellent, the presentation and order of the manual (VIRSCAN.DOC) would likely be daunting to the novice. A major strength is the discussion of the weaknesses of the program, and a warning against trusting it too far.

Hardware Requirements

The documentation does not state any minimum requirements for operation.

Performance

While VIRSCAN does not search for as many viri as FPROT or SCAN, it catches all common viri. Speed of operation is neither the slowest nor the fastest tested, and is quite acceptable. Note that VIRSCAN makes no attempt to disinfect or delete infected files.

Local Support

Local support, even from IBM staff, is unfortunately undependable. There are numerous instances of those staff who should, presumably, be familiar with the product being unaware of its particulars and availability, or even giving out false information.
(I was twice contacted by IBM staff who *offered* to get me copies of the program for evaluation, and then were unable to find it themselves.) There have been a number of cases of IBM local representatives giving versions intended for internal use only to outside clients.

Support Requirements

The program should be suitable for any user. Support staff will find additional functions that novice users would not use. If, however, an infection is detected, additional support will be required. It is likely that only advanced users would be able to take effective action, and even then would likely require other antiviral packages to correct the situation.

General Notes

This product is an excellent value for any company. It is easy to see that IBM could lose control over the integrity of the product if it were to be distributed as shareware or "freeware". It is also reasonable that IBM be allowed to make some return on the resources devoted to this product. That said, I still could wish for some attempt to make the product more available to the general user community.

The lack of support available through IBM representatives is disturbing. Again, while it is understandable that not all staff can be expert in all products, the lack of support for a product of such universal importance is to be regretted.

In comparison to other scanners, the lack of disinfection would tend to make this product an adjunct rather than the only tool used. It is still, though, a high quality tool, and could easily be chosen as the primary virus alert product.

copyright Robert M. Slade, 1991   PCIBMSCN.RVW   910617

======================
roberts@decus.ca slade@freenet.victoria.bc.ca Rob_Slade@mindlink.bc.ca
"No passion in the world is equal to the passion to alter someone else's draft" - H. G. Wells
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)