Dr. Alan Solomon, the virus expert behind Dr. Solomon's Anti-Virus Toolkit, estimates that the worldwide virus count currently tops 11,000 viruses, and that hundreds of new viruses appear each month. According to Symantec's team of virus experts, over one-third of current viruses are of the word processor macro variety. These viruses can be spread simply by opening an email attachment or reading a document. Unfortunately, viruses aren't the only security problems computer users face, either. Trojan Horses, malicious Web applets, data snoopers and other PC invasions via the Internet are also possible. Here's how to protect yourself and your computer.
Windows 95 and NT
McAfee VirusScan is perhaps the best known of the antivirus tools. In July, 1997, the U.S. Department of Defense awarded a contract to McAfee Associates Inc. to supply anti-virus software to approximately 2 million seats. VirusScan versions 3.0 and newer have the ability to update themselves automatically using either a direct modem call or via the Internet. The updates can be voluminous: we updated version 3.00, released in February 1997, to the July version, using the "Update Data file and Virus Engine" option, and the program downloaded a file 4286K in size -- taking over two hours at 28.8 Kbps! We experienced two failed downloads during our tests, which seemed to be related to the McAfee website being overloaded.
The Dr. Solomon website (www.drsolomon.com/) is a source of downloadable evaluation versions of several antivirus products for Intel-based PCs. We tested Dr. Solomon's FindVirus, an antivirus utility for Windows 95 and NT4. We tested version 7.65, which is available as a retail product, and is also shipped as part of CyberMedia's First Aid 97.
Dr. Solomon's FindVirus utility took 803 seconds to complete a deep scan of our 800 MB "C" drive. The package's Quick Scan mode took 65 seconds. A full check of all files on our C and D drives (2.7MB in all) took 3447 seconds.
Dr. Solomon's FindVirus includes a comprehensive encyclopedia of known viruses, trojans and variants with their symptoms and whereabouts and can fix a large number of the most common kinds of virus, including stealth and polymorphic types.
Unfortunately, Dr. Solomon's FindVirus does not offer any easy way of automatically updating its data files via modem or the Internet as most other tools mentioned here do. Worse, as of July 1997, the company did not offer any ability whatsoever to download updates to the program. A message on the company's website says "Watch the site for future announcements about the availability of on-line updates." The Help file included with the product states, "the full Dr. Solomon's toolkit is supported by monthly or quarterly updates to keep up with the appearance of new viruses. To upgrade, print out the form...."
Despite FindVirus' superior virus detection rates (it exceeded second-best McAfee in several areas), we cannot recommend this or any other anti-virus program that cannot easily be kept up to date.
Fortunately, the company's newest product, dubbed Dr. Solomon's Anti-Virus, addresses some of our concerns. Unlike earlier releases from the company, this product can be updated automatically via a modem or the Internet. A splash screen appears each month, reminding you to update your virus definitions. The bad news is, the automatic update feature (which downloads a 1940K "virus definition" file) didn't work on our test system. In fact, it failed at least once on three different systems before we got it to work via modem, and we never could make it work via our office's direct Internet connection. Also, the program's US$49 purchase price includes only one free update. Future updates are US$29.95 per year if downloaded, or US$99/year on disk. A company spokesperson admitted that this makes the product slightly more expensive than its competitors initially, but says that over the course of two years, it becomes a better value than the Symantec or McAfee products, which require yearly licenses. Dr. Solomon's Anti-Virus is available for evaluation from the company's website.
Symantec's Norton Antivirus 2.0 (often referred to as "NAV"), FPROT and ThunderByte are also popular antivirus tools. Like the McAfee and Norton offerings, ThunderByte is updated more frequently than many of its competitors to detect new viruses in a timely fashion. Compared to McAfee or Dr. Solomon, the Norton program was speedy at updating virus definitions. It downloaded an automatic update via the Internet in just over five minutes. However, we found that NAV seemed to increase the likelihood of Windows 95 "Kernel32" errors. Removing NAV from our system eliminated the non-fatal crashes that suddenly appeared after installing it.
There are several other worthy antivirus tools, including Touchstone's PC-cillin and IBM AntiVirus. Now at version 3.0, this enterprise-oriented IBM package uses heuristic detection methods to provide optimum protection against previously unknown viruses, and also protects Office 97 documents from macro viruses. It supports NetWare, LANs, OS/2, NT, Win95, Win3.x, and DOS. For more details, see www.av.ibm.com. Other enterprise-oriented solutions include Sophos' Virus Detection System. Sophos offers versions of the program for DOS/Windows (including systems with FAT32 drives), Windows NT (i386 and Alpha AXP), Novell Netware, OS/2, Banyan VINES and OpenVMS (VAX and Alpha AXP) systems; we tested the NT/Win95/DOS versions. See www.sophos.com for details, including an interesting page with information on how to spot and deal with the top 10 viruses. Another package worth checking out is the US$89 shareware Carmel Antivirus utility for Windows 95/NT and Windows 3.x. Of the pack, however, we'd name McAfee's product as the best bet for most PC users (Windows 3.x, 95 and NT versions are available) for its easy, albeit time-consuming, updates, low false alarm potential and near-perfect detection. Dr. Solomon's FindVirus was the lowest profile of the virus tools. It worked quietly in the background and never annoyed us. The Norton tool offered the most options and the quickest updates. The IBM and Sophos packages were the best suited to networked office environments.
Sidebar: Too Much Protection
Sometimes, antivirus software is too aggressive in its endeavors to seek out and destroy viral invaders. For example, a reader wrote us recently to tell us that our website's home page contained a virus. It didn't, but his antivirus package falsely reported that it did.
He wrote, "The infected file was found either on your entrance page (www.tcp.ca) or your home page. We are running the latest version and updates of Cheyenne Inoculan (Version 4.0, virus update 3.38) on our Novell servers. The platform I was using on the network was MSIE 3.0 under Windows 3.1."
The message continued, "I am unable to identify the exact file because Inoculan immediately rendered it unusable. (We have found Inoculan to be an extremely aggressive antiviral package.) However, I can tell you that the offending file appears to be 1920 bytes long. I deleted my cache and returned to your site to have exactly the same thing happen. This has occurred 4 times now. Cheyenne Inoculan is identifying this as virus ZZ-412."
In response to this reader's concerns, we note that our website's www.tcp.ca directory contains NO Java and does NOT contain any executable Microsoft Windows or Macintosh code or other executable code capable of housing a virus (and, indeed, is not served by a Windows computer at all, nor is the monthly issue even produced using Windows machines!). These and other facts make it safe to say this virus alert is false. There is every indication that Inoculan is giving a false reading, as some "heuristic" antivirus packages are inclined to do. There's no evidence that it is a virus. The only page on our site that is exactly 1920 bytes long is a plain text file called "index.html", and I can assure readers that this plain text file is too small to house a virus and that no virus exists that disguises itself as a plain text file.
In cases like this, it is the antivirus software package -- in this case Inoculan -- that is causing the problem, not a virus. See our previous article "Virus Wars Escalate," for more info on heuristic detection methods and terminologies.
Macintosh
On our Macintosh computers, we tested four antivirus tools: Symantec Antivirus for Mac, McAfee VirusScan for Macintosh, Datawatch's Virex 5.7.1 and the freeware Disinfectant 3.7.1 by John Norstad.
The latter title lacks support for Word macro viruses and other recent types of viruses and hence is unable to check for more than a third of the most common Macintosh viruses. Although it was updated fairly regularly until the first half of 1995, it has seen few updates in recent years and we do not recommend it.
McAfee purchased a non-exclusive license from Northwestern University for the source code to Disinfectant. They used parts of this source code to develop the virus detection and repair engine in their new Macintosh anti-viral product. Northwestern University still owns Disinfectant and its copyright. Disinfectant author John Norstad says Northwestern continues to maintain and support it, and will continue to distribute it for free to anyone who wants a copy.
McAfee added support for macro viruses and other recent types of virus code to its product based on the Disinfectant source. At first, we did not like the McAfee product for Macintosh for what may seem a petty reason: when it checks a disk or file, it informs you that it is "now cleaning this disk." In fact, it is usually not cleaning the disk at all; it is merely checking it. We found this statement always left us with a nagging insecurity about what it was doing. Was there a problem? It always seemed to suggest there might be.
However, a bug report on the McAfee Internet Support Forum (http://netra2.mcafee.com/cgi-bin/net.Thread.pl/message/3/12/279?user=&em...) reveals a much more serious problem. McAfee technical support confirms that v2.10 of VirusScan doesn't detect virus-infected files copied to a hard disk, even if the "Check on File Modification" task is active. As a temporary workaround until it fixes this bug, McAfee suggests doing a manual scan to find infections or using the previous version (v.2.09a), which detected viruses as soon as they were copied to the hard disk.
As mentioned above, the ballooning size of virus definition updates can cause problems. The July update of Virex, which is perhaps the fastest Macintosh virus checker, includes a so-called "Memory Expander" that adjusts the memory partition of the program to allow for the ever-increasing memory requirements of macro virus detection and repair.
Our favorite Mac virus tool ended up being Virex, for its speed and non-intrusiveness. We also liked Symantec Antivirus for Mac, colloquially known as "SAM," although we had some incompatibility problems on one of the Macs we tested it on -- it was already fully laden with extensions and control panels and SAM seemed to push it over the edge. The Mac wouldn't even start up until SAM was disabled. Two other Macs behaved much better with SAM onboard.
As mentioned earlier, there are other risks to your data, especially if you have access to the Internet. One product that can help is Symantec's Norton Safe on the Web. Norton Safe on the Web promises to protect users against Internet threats to system security and user privacy.
Norton Safe on the Web is touted as an easy-to-use security product designed for individual users as well as for organizations that utilize the Internet for business purposes and demand security for their mission-critical data. Norton Safe on the Web provides protection from malicious Web content, Internet PC invasion, and data snooping. Symantec says the product is designed for both experienced and new Internet enthusiasts. Further details and a free limited-time tryout version are available at http://www.symantec.com/
Indeed, downloadable tryout versions of most of the tools mentioned here are available from their respective websites. Don't risk your data -- or your reputation.
Data Security Strategies:
For more info:
Virex
VirusScan
SAM or NAV
Dr. Solomon's Antivirus Toolkit
IBM's AntiVirus Information site
SOPHOS Virus Detection System