PCSCAN.RVW   950921

Comparison Review

Company and product:

Company: McAfee Associates
Address: 2710 Walsh Avenue, Suite 200, Santa Clara, California, 95051-0963
Phone: +1-408-988-3832
Fax: +1-408-970-9727
Email: mcafee@aol.com, mcafee@netcom.com, support@mcafee.com, scott_gordon@cc.mcafee.com
Other: BBS +1-408-988-4004, mcafee.com is IP 192.187.128.1
Product: Scan suite

Summary: scanning, disinfection and resident scanning modular suite

Cost: $25 - $35 US per program

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
              Installation      2
              Ease of use       3
              Help systems      2
      Compatibility             2
      Company
              Stability         3
              Support           3
      Documentation             2
      Hardware required         3
      Performance               2
      Availability              3
      Local Support             1

General Description:

SCAN is a boot sector, memory and file scanning program, with some disinfection and change detection capabilities. Disinfection is now accomplished by a switch in the SCAN program. VSHIELD and SENTRY are resident file infection and activity checking programs. A Windows interface is also available. FSHIELD, Sentry and VCOPY have been discontinued and are no longer supported.

Comparison of features and specifications

User Friendliness

Installation

SCAN does not require installation as such. All programs, however, are distributed in .ZIP format and use PKUNZIP version 2.04G for unpacking with authenticity verification.

VSHIELD is distributed in two, mutually exclusive, versions. One version requires the use of SCAN's /AV or /AF option, which adds an authentication CRC check onto programs. A second level of protection is added in one version with file infection checking for known viral programs. The programs can also be used to prevent the running of unauthorized programs. VSHIELD must be installed "manually" by the user in the AUTOEXEC.BAT file with all desired options and switches. (Installation utilities are separately available from certain dealers.)

The distribution of SCAN as shareware has led to the "release" of many "trojan" versions of SCAN.
McAfee Associates has attempted to deal with the security problem in two ways: the use of the "authentic verification" envelope on ZIP archives, and the VALIDATE program produced by McAfee Associates itself. Unfortunately, both methods have problems. The "-AV" codes have been "spoofed" by copies of PKZIP which will add a code, not necessarily that of McAfee Associates. More recently, the security of the PKZIP "-AV" codes has been broken: it is now possible to duplicate any code. The VALIDATE code is more secure (although it has been cracked), but requires a knowledge of the validation code from a "trusted source".

Ease of use

The SCAN program is fairly simple to execute, but provides for a very large number of options in the form of software "switches". These can complicate the use of the program, but probably will not be used by most users. The base scanning function is simple to operate, and novice users will probably not use any other functions. (The one major exception is the /AV option. If used on a program that is already "self checking" it will likely cause the program to terminate, and so must be identified and removed. The program has therefore added an /AF option which will store the change detection information to a file rather than appending to the program.)

Help systems

If SCAN is invoked with no specifications, it gives three "screens" of a listing of the "command line switches". This can also be obtained with the /?, /H or /HELP switches.

Compatibility

SCAN and the other programs in the suite are updated frequently, and the latest version should be able to handle almost all viruses that a user would encounter. Unfortunately, recent versions have seen a major decrease in the accuracy of virus identification. A number of scan strings have become "generic", and will identify a number of viral strains. Some of these have been so identified (as "Gen_"): a number still report the name of a specific virus regardless of the actual strain found.
Along with this, there has been a corresponding decline in the ability of /CLEAN to disinfect programs and disks.

Company Stability

McAfee Associates has been producing versions of SCAN for a number of years, updating on a frequent but somewhat irregular basis. SCAN is probably the most widely used virus scanner in North America at present. The company has recently "gone public" in order to expand into the shareware utilities market, and is buying programs from other shareware authors.

In the past year there have been major changes to both the corporate and support structure of the company. McAfee Associates now appears to be concentrating on a position as a leading provider of network and corporate utilities.

Company Support

The company appears to be trying to promote support through CompuServe rather than other sources.

Documentation

The directions for use of the programs are restricted to listings of the "command line switches". They are clear in all cases, if somewhat concise. Novice users will find little conceptual information about viruses, or specific information about the various viral programs that SCAN will deal with. The list of viral programs, VIRLIST.TXT, is no longer included in the archive.

The documentation, while not quite alarmist, certainly strongly suggests that the user, if any virus is ever found, should retain the services of McAfee Associates or an authorized Agent. Also, outside sources (such as the Hoffman virus list) often state that viruses can be dealt with by, for example, using the "SCAN /D" option, without warning that this merely deletes and overwrites the existing file.

Hardware Requirements

The only stated requirement is DOS 3 or higher.

Performance

SCAN now ranks as one of the slower scanners reviewed. Note also the loss of some accuracy in identifying individual viral strains.

Note that /CLEAN has come under increasing criticism for its performance in removing infections, particularly in the area of BSI and MBR viral strains.
Versions of the earlier CLEAN program tested (and MDISK) have, in my own experience, occasionally left the computer or disk in a worse state than the virus.

Local Support

Because of the very wide use, local support of SCAN is more generally available. The available version, however, is not always the latest, as many users, in my experience, tend to use the one version they obtain for at least a year before seeking another. There are also a number of shareware products that "enhance" the use of SCAN, such as menuing "front ends" or programs to assist in checking archived files.

Support Requirements

If at all possible, it would be best if knowledgeable users assisted with the use of SCAN. The programs are simple enough to be operated by a novice user, and no harm should result, but best results will be obtained with the program if someone aware and informed of virus operation is involved.

General Notes

Version numbering, which has been problematic in the past, is now standardized and explained in a file in the distribution archive.

copyright 1991, 1992, 1994, 1995 Robert M. Slade
PCSCAN.RVW   950921

======================
ROBERTS@decus.ca, rslade@cln.etc.bc.ca, rslade@freenet.vancouver.bc.ca
"Information Superhighway" anagram - "When forming, utopia's hairy."
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0
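
Added example, not part of the original review and not McAfee's code: a small Python model of the /AV and /AF distinction described under "Ease of use", showing why a check code appended to a program trips that program's own self-check while a record stored in a separate file does not. The 4-byte CRC-32 trailer, the record layout and the name PROG.EXE are assumptions made for illustration; the review does not give SCAN's actual formats.

```python
import zlib

TRAILER_LEN = 4  # assumed trailer: 4-byte big-endian CRC-32 (not SCAN's real format)


def crc_bytes(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(TRAILER_LEN, "big")


def self_check_ok(image: bytes, own_len: int, own_crc: int) -> bool:
    """Model of a self-checking program verifying its own on-disk image."""
    return len(image) == own_len and zlib.crc32(image) == own_crc


def protect_appended(image: bytes) -> bytes:
    """/AV-style: the check code is appended, so the file itself changes."""
    return image + crc_bytes(image)


def verify_appended(image: bytes) -> bool:
    return crc_bytes(image[:-TRAILER_LEN]) == image[-TRAILER_LEN:]


def protect_to_file(db: dict, name: str, image: bytes) -> None:
    """/AF-style: the record is kept outside the program, which stays intact."""
    db[name] = (len(image), zlib.crc32(image))


def verify_from_file(db: dict, name: str, image: bytes) -> bool:
    return db.get(name) == (len(image), zlib.crc32(image))


def demo() -> dict:
    original = b"MZ" + bytes(range(200))  # constructed stand-in for a program
    own_len, own_crc = len(original), zlib.crc32(original)  # built-in self-check values
    appended = protect_appended(original)
    db = {}
    protect_to_file(db, "PROG.EXE", original)
    changed = original[:50] + b"\x00\x00" + original[52:]  # constructed 2-byte change
    return {
        "appended_breaks_self_check": not self_check_ok(appended, own_len, own_crc),
        "file_keeps_self_check": self_check_ok(original, own_len, own_crc),
        "appended_detects_change": not verify_appended(changed + appended[-TRAILER_LEN:]),
        "file_detects_change": not verify_from_file(db, "PROG.EXE", changed),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

A CRC is unkeyed, so either form of record only detects changes if the record itself cannot be rewritten along with the program.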