PCUNTUCH.RVW 920912 Comparison Review Company and product: Fifth Generation Systems, Inc. P.O. Box 83560 Baton Rouge, Louisiana USA 70884-3560 10049 N. Reiger Rd. Baton Rouge, Louisiana USA 70809-4559 800-677-1848 or 800-365-3186 1-800-873-4384 sales and info (number invalid?) 504-291-7283 800-766-7283 tech support Business Phone: (504) 291-7221 FAX: (504) 295-3268 or 504-292-4465 Clivedon Office Village Lancaster Road, High Wycomb Bucks, HP12 3YZ, England Business Phone: +44-(0)-494-442224 FAX: +44-(0)-494-442225 Sales/Support: +44-(0)-494-442223 3715 Sun Hung Kai Centre 30 Harbour Rd. Waichai, Hong Kong Business Phone: (852) 827 6977 Fax: (852) 824 3200 Untouchable 1.1, a renaming of V-Analyst by B.R.M. Technologies, Israel Summary: Change detector with resident and manual scanning, also "generic" disinfection Cost Rating (1-4, 1 = poor, 4 = very good) "Friendliness" Installation 2 Ease of use 2 Help systems 1 Compatibility 2 Company Stability 3 Support 2 Documentation 2 Hardware required 2 Performance 2 Availability 2 Local Support 1 General Description: UT change detection program and "generic" disinfection, UTSCAN manual scanner, UTRES resident scanner. Comparison of features and specifications User Friendliness Installation The product is shipped on a writable but protected 3 1/2" (720K) disk. A return card is available to order the program on 5 1/4" media. My copy arrived with a physically damaged disk in that the "gate" was dislodged and moved around on the diskette. The spring for the gate was missing. (When replacement disks did arrive, the 720K disks were writable but protected: the 360K disks were unwritable.) The package provides for both automatic and manual installation. Both require the use of the installation program, as changes are made to the UT program to enable it to run. There is really no difference between the methods, except for a false sense of control promoted by the "manual" method. The manual method does allow the user to "leave out" some parts of the installation, but it would be foolish to do so in any case. Although "automatic" and "manual" installation is possible, and a "custom" setup, there is really very little that can be done to customize the installation. The manual speaks of "subsets" of files to be checked, but there are only two subsets, "system" and "full". The "contents" of these subsets can be modified, but, again, it would be foolish to do so. Installation takes about an hour on an XT, considerably less on machines with faster CPUs. In order to "invoke" the changes made during installation, the computer must be rebooted after installation is complete. This is not mentioned either in the manual or by the installation program (although it is mentioned in the READ.ME file on disk). Ease of use Although there is a graphical user interface, with windows and menus, the structure and layout of the program is not easy to follow. Some of the menu choices are positively misleading: "Program Configuration" has no option to change drives, "Edit Database" does. Menus do not behave consistently throughout the program. At a number of places in the program it is possible for a user well familiar with the vagaries to stumble through a series of keystrokes that might get to the desired goal; for a novice, it might be impossible. Even with the automation and lack of choice in the program, it is impossible to say that it is really "easy to use". Menus and screens are not well designed, and certainly not intuitive. One might say that some of the most basic functions are presented more easily than some of the more advanced, but this is only relative to the excessive difficulty of finding the advanced functions. The "GUI" is not well designed or used. In addition, screen redrawing of these very simple menus is so slow as to compare unfavourably with full window redrawing within, say, Windows itself. The more advanced options are, actually, relatively few in number. There are command line switches to invoke them: they seem to provide so little control as to hardly make them worth the effort to learn. The primary use of the system, however, seems to be in the automated change detection. The program is set up, by default, for a series of daily, weekly and "every 21 days" checks of increasing sophistication and invasiveness. The schedule is well chosen, and should provide for significant detection capability. Help systems Context sensitive help is available, but is very seldom useful. If you can't figure out the menu choices from the names, the help screen for that screen is unlikely to help you. Context sensitivity is limited to screens, rather than fields, and even then, a subordinate menu or screen is likely to display the same level of "help" as the next "higher" level screen. Compatibility While no conflicts were found during testing, the UT program appears to require much more memory than stated. Company Stability Fifth Generation has recently been purchased by Symantec. Callers were immediately told that previous Fifth Generation supported products were no longer supported and offered an "upgrade" to the Norton AntiVirus. BRM has stated that Untouchable will still be available in some form. Company Support My experience was with Fifth Generation. My copy of the package arrived with a physically damaged disk. The "800" number for sales appears to be out of service. The "800" number for technical support, however, even works from Canada and Puerto Rico. I was asked for my "shipping number", which nowhere appeared in the package. I offered the serial number, but that was apparently of no use to the operator, who asked for my name instead. She was apparently able to find it, but while she was doing so was carrying on an unrelated conversation with a co-worker, which was plainly audible to me (and somewhat disconcerting). I was told a replacement disk would be shipped, but via mail, so to allow seven to ten days wait. (There was apparently no option on this.) Ordered on July 22, the replacement had not arrived by August 29th. I called again and, three days after Hurricane Andrew, they were not yet back in operation. I was told that an agent would call me back on Monday, but no one did. I called again on September 1 and was told that another copy would be sent. No explanation was given for the delay. (Interestingly, when I called back to speak to a supervisor and had to leave a message, I was asked for the serial number of the product.) The supervisor was unavailable, and I left a message. The supervisor called back the next afternoon while I was out, and left a message that he would call again. He never did. Due to press of other reviews I did not get around to calling before a package finally arrived on September 8th. The package had been shipped airmail, but the postmark was September 2nd. Obviously, this had been shipped after my third call. It contained three diskette mailers, one with the replacement 720K disk, one with two 360K disks and one which was supposed (according to the shipping slip) to contain a 1.2M diskette, but instead contained two 360K disks of version 1.0. I called again and spoke with the supervisor. He was disturbed by the report, and most apologetic. (After the extensive dealings I had had with the company, I made extra efforts to ensure the draft review was made available to the company. In spite of extending the response period to 14 days from the usual seven, I have not received any response from the company at all.) The recent acquisition by Symantec and the subsequent treatment of customers cannot, of course, have any bearing on the product itself, nor on future support should BRM be successful in finding another American distrubutor. However, overall it reflects poorly on all three companies. Documentation The Untouchable printed documentation is initially very clear, well laid out and readable. The one quibble one might have is that the installation section doesn't start until well into the book, but the installation program itself is quite explicit and gives clear directions. It is absolutely refreshing to find a manual which not only lists shrink wrapped software among the possible vectors of virus transmission, but also lists bulletin boards last on the list of transmission agents. It also correctly states that the *most* common means of virus transmission is via floppy disk. Unfortunately, the "Virus Infection Symptoms" are not quite as good: they still list long program load times, slower system performance and unusual disk access, which seldom appear in the more common viral programs. However, as one gets into the "guts" of the program, the manual degenerates rapidly. There are errors such as the omission of "labels" or titles beside descriptions of what certain keys should do. In a number of sections, the explanation of certain functions is unclear and open to many interpretations. Hardware Requirements A hard disk is specified as necessary to operation. The automatic installation will not install to a floppy disk (giving an erroneous message about something not being mapped), but some sections of the program will operate on a system without a hard disk, thus providing some protection to non-standard systems. DOS 3.x or higher is required. Performance Identification of viral infections appears at some points to be very sophisticated, but less so in others. A virus (Vengeance) "new" since the file date of the UTSCAN program was identified as "similar" to "535a". A file which had been infected three times with the Jerusalem virus was identified as having that infection and 5424 extra bytes. The extremely rare "Halloween" virus was identified as such, but the "Amilia/i99i" strain of Murphy, very similar to the HIV strain, was instead identified as a variant of "Dark Avenger Virus" (presumably "Eddie"). (Naming is very close to that of VIRx.) When a viral infection is "known" by UTSCAN it offers to remove, disinfect all files, erase the file, continue or abort; when the infection is "similar" the options are only to erase, continue or abort. When an infection is "similar", you are requested to forward a copy of the infected file to Fifth Generation and the "default" option is continue. If the virus is known, and an overwriter the default option is erase. (Identification of the "Dbf", "Piter", "Mlt1" or "Polish" viral programs identified them as such, but requested a copy be sent in order to perfect a disinfector.) Identification of known viral strains is often accompanied by lengthy disk accesses to the original program. The ability of UTSCAN to scan files within compressed archives is one that is long overdue. The ability to scan "archives within archives" is interesting. It is not perfect, however. Some files within archives are simply not found and in some infected files within archives infections are not found even if the infected file can be identified outside of the archive. Encrypted ZIP files cannot be scanned. In tests of the ability to detect changes, UT was able to detect changes to AUTOEXEC.BAT, infections with unknown viral programs and deletions of directories. (Interestingly, the default choice for dealing with any changes detected is only to alert the user: the "suggested" option therefore seems to be "not to decide".) Movement of files was seen as deletion of the "originals" and "new files installed". (Default options in the case of "new" or "deleted old" files is to accept the changes.) Although considerable information was retrieved on the changes to AUTOEXEC.BAT, the file was considered unrecoverable. A "quick check" of a 20 meg hard drive on an XT required between two and six minutes. Numerous attempts to use the "generic" disinfection on files (which UT stated were recoverable) resulted in consistent failures due to memory shortfalls. Subsequent attempts, after removing TSRs and rebooting, resulted in the same file now being shown as unrecoverable. Eventually, after all TSRs and environment variables had been removed, a recovery (of COMMAND.COM) was successful. The file compares perfectly with the original, with the exception that an "end of file" character has been added (so that COMMAND.COM no longer shows "slack space" at the end of the file). (In pursuit of this test, a number of efforts were made to "check" a single file, or to add it to the data base. I am still unclear as to how successful this was: in the end it seemed the only way to check for the files I had deliberately infected was to check the whole disk -- at up to six minutes per run.) Local Support None provided. Support Requirements A novice user should be able to install the program, which should then provide significant detection capabilities. However, dealing with an infection once detected would still be problematic. General Notes My initial reaction to the program was very positive. However, the confusion of the more advanced options of the program, and the failure of the "generic" disinfection in testing, call some of the utility of the program into question. Fifth Generation market and support a number of products purchased from other developers. They previously marketed Mace Utilities and Mace Vaccine (see PCMACE.RVW). In conversation with the support supervisor, he indicated that the Mace products are no longer marketed by Fifth Generation, but that some resellers are still selling them. Fifth Generation is continuing to support the products as best it can. (Mace Utilities are still listed in the manual as being in the "Fifth Generation Systems Family of Utility Products".) copyright Robert M. Slade, 1992 PCUNTUCH.RVW 920912 ====================== roberts@decus.ca rslade@vcn.bc.ca rslade@vanisl.decus.ca "Internet, the information network you _can't_ outgrow." - Ido Dubrawsky Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)