PCVC.RVW 921212

Comparison Review

Company and product:

Bangkok Security Associates
888/32-33 Ploenchit Road
Bangkok 10330
Thailand
TEL: 662-251-2574
BBS: 662-255-5981
FAX: 662-253-6868

or

Delta Base Enterprises
221 - 32853 Landeau Place
Abbotsford, BC, V2S 6S6
TEL: 853-2998
FAX: 853-9164 effective NOV18/92
72137.603@compuserve.com or a682@mindlink.bc.ca

or

Computer Security Associates (803)-796-1935

Lannatec Associates Inc, 166 Anna Avenue, Ottawa, Ont. K1Z 7V2 (613)-724-5978.

Victor Charlie 5.0

Summary: Change detection with "baiting" files and viral signature capture

Cost $99 Cdn

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      2
            Ease of use       2
            Help systems      2
      Compatibility           2
      Company
            Stability         3
            Support           1
      Documentation           3
      Hardware required       3
      Performance             2
      Availability            2
      Local Support           2

General Description:

Victor Charlie is a series of batch and data files that generate a number of programs for trapping of viral infections. There is also provision for the capture of viral signatures. Utilities are included for viewing of boot sectors and recovery of hard disk system areas. Version 5.0 no longer requires DEBUG.COM.

Comparison of features and specifications

User Friendliness

Installation

The product is shipped on writable but protected 720K and 360K floppies. The installation procedure outlined in the manual starts "earlier" in the process than most antivirals. An initial "Quick Start" section of the manual relies on an intermediate knowledge of MS-DOS by the user, but this is stated at the beginning.

Installation of VC is not foolproof by any means. Almost all error messages are hidden from the user, and a lack of file space or an incorrect assumption regarding drive specifications will cause the installation to fail to complete. This, however, is not communicated to the user, and may not be obvious. To the novice this can be dangerous, in that the user may consider that the system is protected when, in fact, it is not.
Experienced users will be able to custom tailor the installation to their own needs, since everything is done through batch files.

The product can apparently be installed on floppy drives, but only portions of the program will actually function if this is done. Some of the change detection programs and routines will be set up and run: the VCHECK program, in particular, will not. This is nowhere stated, and there are no error messages indicating this problem, even when using functions of the program which rely on the files generated by VCHECK.

One important factor is missed by the installation, and not mentioned in the documentation. The "path" must be entered into the environment space or the program must be run from the directory the program is installed into. Because of the extensive use of batch files, the program recommended to be most frequently used will fail to find its ancillary files, even if the initiating program (VC5.BAT) is properly invoked. The installation program makes no attempt to either modify the AUTOEXEC.BAT or to point this out.

Another area that could use a lot of improvement is in the choice of "important" files to be checked. The drive, full path and full filename must be entered. The path must be entered even if the file to be checked is in the directory currently in use. There is no assistance to the user, even in terms of a directory listing of program files.

Ease of use

The ability to use the programs effectively is very much dependent upon the installation chosen. With proper installation, occasional virus checks can be as simple as a single keystroke (Alt-V).

The program can, however, give conflicting messages. When the Stoned virus was active, it correctly detected that something had happened to the boot sequence. On a floppy system it was not able to recover the boot sector, but finished the sequence with a message that "Right now, you have NO active virus on this computer."

Operation is very inconsistent at times.
When testing it against a very simple non-resident COM infector, most checks of the system would report that files had been changed. However, a number of runs reported a virus active in memory, one reported a boot sector infection, and one, immediately after a reboot forced by the report of the boot sector infection, reported no virus presence at all, even though the system files were still infected.

Help systems

There is help of various sorts provided for, but in testing the program very often "lost" its help file, even when installed as directed.

In the earlier version 4.0, messages explaining what has been found, what type of virus this indicates, and what to do about it were very clear and helpful, even to a novice user. This has not, unfortunately, carried over into version 5.0.

Compatibility

Although no part of the package is "resident", it warns against having TSRs active during installation. It also warns against any type of disk caching during system checking, which would basically mean the elimination of disk caching altogether, as it is suggested to run quick checks frequently.

Company Stability

The program is produced by Bangkok Security Associates (programmer John DeHaven, technical writer Alan Dawson, marketing director Simon Royle and financial director Ramesh Indhewat). BSA is a Thai company registered in the British Virgin Islands from Hong Kong.

Company Support

Support for the product, over the past two years, has had its ups and downs. Canadian distribution now seems to be done by two companies: at one point it was almost a year since I had heard from the local distributor and wondered if the company was still active. BSA has been attempting to establish their BBS on Fidonet: at one time they appeared to be active, only to disappear again.

Documentation

The earlier "entertaining" aspects of VC's documentation have, unfortunately, disappeared. So has much of the material on the general aspects of viral operation and protection.
The manual is well written and generally clear, but suffers, as all too many do, from the dedication to "security by obscurity". The fear of giving away secrets tends to mean that a great many words are used to "dance around" functions which the authors have no intention of actually explaining.

While much of the material which made the earlier manual so valuable to the novice user is gone, the manual should not confuse them. The novice will be able to use almost the full power of this system.

(A note on this business of directions to novice users. It may seem like a "fractal" type of problem, in that no matter how much you explain, there is still more to do. For example, TBSCAN's documentation suggests write protecting diskettes, and explains how to do it on a 3.5" diskette, but not on a 5.25". The earlier Victor Charlie did explain that you should put a "... sticker ... over the notch at the right-hand side of the disk when you look at it from the front." However, failing to mention that the notch is *square*, on the *side* of the disk cover and that you cannot see the magnetic disk through it might allow some to permanently read *and* write protect the disk by placing the sticker over the drive head access slot.)

There are, however, some omissions which are important enough to count as errors in the manual. I have mentioned the problem with the "path" settings. Another is the repeated statement that changes to the VC1.CFG file (such as adding a new program to be checked) require a re-initialization of the Victor Charlie package. There is absolutely no mention of how this is to be done, nor was I able to find such a function in running the various programs.

The tone of the documentation (both hardcopy and on disk) varies between jingoism ("... ultimate security ... defeat any current or future virus") and realism, while ultimately falling somewhat short in terms of actual details.
In testing the system, I came to the conclusion that, while suitable for any users as a warning system, technical personnel will need more details as to the ultimate effectiveness, and how far to trust the package.

Hardware Requirements

MS-DOS 3.0 or higher and a minimum 256K of RAM, 512K if the shell is used.

Performance

Unfortunately, even at this point, I am unable to state the performance of the system with confidence. It will find viral infections of programs, and of boot sectors. (In spite of the difficulties encountered in installing the system to a floppy, it had no difficulty in identifying "Stoned" infections on floppy. Further testing revealed that it was, somehow, detecting a change in the boot sector, rather than memory. Although the program checks memory and the system areas of the disk, the "signatures" of the original system are not stored with program file signatures.)

The actions of the package as a whole, regenerating itself from batch and data files, are quite fascinating. The program is a radical departure from any other reviewed system, and should be a valuable extra component for system security.

The program, as it stands, is most useful against memory resident, program file infecting viri. Specific identification of sources of infection is not strong.

The program is definitely not sufficiently clear in terms of what is checked and when. Up to 15 files may be specified as "important", and to be checked on every pass. Five of these may be backed up, while the remainder will be checked only. Unfortunately, the system appears to assume that "system" files are to be backed up, but if they are entered to be checked, the backup is not done.

The program does not appear to offer any protection against companion viri. It also appears to be ineffective against "stealth" and "FAT" viral program technology.

Local Support

Limited.
Support Requirements

Installation of the program is possible for novice users with standard computer configurations, but should likely be supported for any non-standard systems. Novice or intermediate users will require assistance to identify the source of infection if a virus is detected.

General Notes

This package is quite fascinating in its novel approach to virus detection. There are numerous shortcomings, but the approach could be a valuable adjunct to current methods.

While the current implementation has significant shortcomings, particularly in non-standard configurations, the concept is a valuable one and, hopefully, future development will make the package more valuable as a stand-alone product.

copyright Robert M. Slade, 1991, 1992