PCTBAV.RVW   950921
                               Comparison Review
Company and product:
 
Company: ESaSS B.V.
Address: P.O. Box 1380, 6501 BJ  Nijmegen, The Netherlands
Phone:   31 - 80 - 787 881
Fax:     31 - 80 - 789 186
Sales:   Calmer Software Services, 361 Somerville Rd, Hornsby Heights NSW 2077,
         AUSTRALIA, +61 2 4821715; or P.O. Box 527, Dagsboro, DE 19939,
         +1-302-732-3105, fax +1-302-732-3105
Contact: Frans Veldman
Email:   Veldman@esass.iaf.nl
Other:   Data: 31 - 85 - 212 395, (2:280/200 @fidonet)
Product: Thunderbyte Utilities
 
 
Summary: Scanning, disinfection, change detection, operation restriction,
         encryption
 
Cost   U$35
 
Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      2
            Ease of use       3
            Help systems      3
      Compatibility           2
      Company
            Stability         3
            Support           2
      Documentation           2
      Hardware required       3
      Performance             2
      Availability            2
      Local Support           1
 
General Description:
 
An extension of the earlier Thunderbyte Rescue and Thunderbyte Scan programs. 
These programs are still contained in the set, but are supported by a
disinfector with two "generic" disinfection modes (TBCLEAN), a change detector
(TBCHECK), an "overwriting" delete (TBDEL), operation restricting programs
(TBDISK, TBFILE and TBMEM), a menuing interface (TBAV) and standardized TSR
handling for compatibility with Windows and Novell Netware.
 
(Associated, though not separately reviewed, is a "quarantine" component called
TBfence which is similar to the D-Fence program by Sophos.)
 
 
                  Comparison of features and specifications
 
 
User Friendliness
 
Installation
 
Installation is a matter of copying the programs to disk and deciding how to
run them.  The documentation, while clear enough as to use, does not supply
much in the way of direction for installation.  With the new, larger set of
utilities, there is a section on installation in the documentation file.
 
While an intermediate or experienced user will be able to determine how best to
use these programs fairly easily, novice users may not have sufficient
information for installation.  Intermediate users may also have difficulty in
deciding how best to use the programs, as weaknesses and shortcomings of the
various modules are not noted.
 
Ease of use
 
The programs are very easy to use.  The command line switches should not be
strictly necessary for effective use, but can provide significant extra
information or use for the expert.
 
Help systems
 
Because of the newer programs which do not require command line switches, an
"empty" invocation does not bring up a list of command line options.  However,
an invocation of any program with a "?" or "help" argument will.
 
Compatibility
 
Incompatibilities with specific programs or networks are noted in the .DOC
files with suggestions for workarounds.
 
Company Stability
 
The company has been supporting this product, with regular updates, for quite
some time now.  An "agent network" has been established.  An earlier
announcement of a commercial product based on the technology does not seem to
have led to any actual product.
 
Company Support
 
Contacts with the company have been sketchy so far.  Some of the agents,
particularly Jeff Cook of the United States, have been very active in promoting
the product on Fidonet.
 
Documentation
 
The documentation has been substantially improved in the matter of grammar and
errors.  However, there is still little coverage of viral concepts in general,
and the shortcomings and weaknesses of the program modules in particular.  A
section of the documentation entitled "Anti-Virus Strategy" contains no general
discussion, policies or procedures, but simply refers to the use of specific
modules of the package.  Installation of the program overall still needs work.
 
Hardware Requirements
 
None stated.
 
Performance
 
The Thunderbyte Scan program has always been one of the fastest scanners
available.  Even with heuristic scanning implemented, it still shows startling
speed.  A test run on a 386 machine with a "normally" loaded 75 meg hard drive
completed in under half a minute.  A test on a 486/33 with a full 350 meg drive
took 36 seconds.
 
The "price" of this speed is debatable.  Most scanners no longer scan the
entire length of a program, but only the "top and tail", where most viral
programs must attach in order to function.  Although such scanners will detect
most viral programs, they will not find those which can insert themselves
anywhere, such as the "Commander Bomber".  Some of those connected with
Thunderbyte, most recently one of the agents, have stated that this is one of
the means to speed up the program.  Frans Veldman, who should know, strongly
objects to this statement.  However, it is extremely unlikely that TBScan does
scan the whole file.
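
The trade-off described above can be shown with a small added example (not
code from Thunderbyte or from the original review).  The signature, the sample
files, the 4096-byte window and all function names are constructed assumptions.

```python
# Added illustration; the signature and sample files are constructed and harmless.
SIGNATURES = {"DEMO-MARKER": b"\xde\xad\xbe\xef-constructed-signature"}


def scan(data, signatures, window=None):
    """Return (names found, bytes examined).

    window=None reads the whole file; otherwise only the first and last
    `window` bytes are read, as a "top and tail" scanner would.
    """
    if window is None or 2 * window >= len(data):
        regions = [data]
    else:
        regions = [data[:window], data[-window:]]
    found = {name for name, sig in signatures.items()
             if any(sig in region for region in regions)}
    return found, sum(len(region) for region in regions)


def make_sample(size, offset, marker):
    """Build a filler file of `size` bytes with `marker` placed at `offset`."""
    body = bytearray(size)
    body[offset:offset + len(marker)] = marker
    return bytes(body)


def compare(size=64 * 1024, window=4096):
    """Scan three samples (marker at top, middle, tail) both ways."""
    sig = SIGNATURES["DEMO-MARKER"]
    offsets = {"top": 16, "middle": size // 2, "tail": size - len(sig) - 16}
    results = {}
    for label, offset in offsets.items():
        sample = make_sample(size, offset, sig)
        fast, fast_bytes = scan(sample, SIGNATURES, window)
        full, full_bytes = scan(sample, SIGNATURES)
        results[label] = (bool(fast), bool(full), fast_bytes, full_bytes)
    return results


if __name__ == "__main__":
    for label, row in compare().items():
        print(label, row)
```

Each row is (found by top-and-tail, found by full scan, bytes read by
top-and-tail, bytes read by full scan).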
 
TBSCAN does report some changes to files, but a test run on a directory of
antiviral programs showed that numerous updated programs were ignored.
 
The operation restricting programs operate as advertised, although such
programs always operate under the proviso that whatever software can protect,
software can circumvent.  Interestingly, the Thunderbyte programs are not
automatically exempt from interference: an attempt to disinfect a program with
the TBFILE program resident resulted in a warning.  (Another interesting point
is that an attempt to infect one file, while stopped, was allowed to change the
file creation date.  This is used by this particular virus as an infection
marker.)
 
The most attractive part of this new package is the second "generic"
disinfection mode.  Most generic disinfectors use a "return to state"
algorithm, much like the Hamming code used for error correction in memory or
communications systems.  This relies on the calculation of an "image" identity
of the original, uninfected file, and is of no use "after the fact".  TBCLEAN
uses this, but also has a "heuristic" cleaning mode, which does not rely on any
"prior knowledge" of either the infecting virus or the original file.
 
A success rate of 80% is claimed for the heuristic cleaning mode.  However,
there are two factors to be considered.  The second is the ability to clean
files infected with an unknown virus.  The first comes to us from Hippocrates'
injunction to physicians, "First, do no harm".  Therefore, TBCLEAN was tested
against some uninfected files.  Of the six files tested, the four COM files
were not harmed, but both EXE files were damaged, and thereafter useless.
 
Subsequent tests of disinfection of infected COM files were successful and
restored files to their original state.
 
In attempting to use the "checksum" method of disinfection, I found that the
TBSETUP program *cannot* be used to find an infected file.  Running TBSETUP
after an infection will void the ability to recover.  (This is mentioned in the
documentation, but given the difference between this and other programs, it
bears repeating.)  However, this disinfection mode otherwise works well.
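
Why a recovery record made after the change is useless can be seen in a small
added sketch of "return to state" recovery (an illustration only, not the
algorithm used by TBSETUP or TBCLEAN).  The record layout, the 32-byte header
size, the function names and the sample bytes are all assumptions.

```python
import zlib

HEAD = 32  # leading bytes kept in the record (assumed value)


def make_record(data):
    """Record what is needed to return a file to its recorded state."""
    return {"length": len(data), "head": data[:HEAD], "crc": zlib.crc32(data)}


def is_changed(data, record):
    """Change detection: compare length and checksum with the record."""
    return len(data) != record["length"] or zlib.crc32(data) != record["crc"]


def restore(data, record):
    """Rebuild the recorded file; return None if the result cannot be verified."""
    if len(data) < record["length"]:
        return None  # part of the recorded file is missing
    head = record["head"]
    candidate = head + data[len(head):record["length"]]
    if zlib.crc32(candidate) != record["crc"]:
        return None  # never write back a file that fails the checksum
    return candidate


def simulate_modification(data):
    """Constructed stand-in for a change: header overwritten, bytes appended."""
    return b"\xff\xff\xff" + data[3:] + b"APPENDED-TEST-BYTES"


def demo():
    original = b"constructed-sample-" + bytes(range(256)) * 4
    good_record = make_record(original)        # taken before the change
    modified = simulate_modification(original)
    detected = is_changed(modified, good_record)
    recovered = restore(modified, good_record) == original
    late_record = make_record(modified)        # record re-made after the change
    detected_late = is_changed(modified, late_record)
    recovered_late = restore(modified, late_record) == original
    return detected, recovered, detected_late, recovered_late


if __name__ == "__main__":
    print(demo())
```

With the late record the modified file simply verifies as "correct", so
neither detection nor recovery is possible.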
 
Local Support
 
As noted above, it is difficult to get in touch with the principals via the
posted email addresses, but the agents, particularly Jeff Cook, are active on
the Fidonet virus-related echoes.  Unfortunately, this activity does not seem
to extend to VIRUS-L/comp.virus where there have been few postings from anyone
related to the company.  Frans Veldman has recently been active in private
virus discussion groups, but this provides little support to the average user.
 
Support Requirements
 
On a "scan only" basis, the program is simple to use.  Invocation of any of the
various modules is also quite simple.  Installation will require more expert
assistance.
 
                                 General Notes
 
Thunderbyte was, for a time, one of the fastest developing programs, and is a
very good set of utilities.  However, the principals and agents of the company
have been very averse to any and all reviews.  The distribution archive, in
fact, contains an editorial directed against the scanner tests included in the
Hoffman VSUM list.  The American agent conducted a vendetta against one
reviewer which resulted in a flame war on Fidonet lasting more than a year, and
the cancellation of that series of reviews.  That same test of the product
sparked the comment, from Frans Veldman, that no test or review should be
released unless it could be proven to be absolutely without flaw. 
Unfortunately, this same standard does not seem to apply to their product. 
This attitude, and the lack of development over the past year, do not bode well
for the future of the product.
 
copyright Robert M. Slade, 1991, 1992, 1994, 1995   PCTBAV.RVW   950921
 
====================== 
ROBERTS@decus.ca,  rslade@cln.etc.bc.ca,  Rob.Slade@f733.n153.z1.fidonet.org
    If you can tell good advice from bad advice, you don't *need* any advice
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0