Virus Scanners

A review of three virus scanners.

Tim Daniels

September 30, 1995

11 Min Read
ITPro Today logo in a gray background | ITPro Today

It's a Dangerous World Out There

Let's face it; the odds are stacked against us. Sooner or later, all of our systems will be infected with a virus. As more and more companies go on-line and viruses become more sophisticated, the possibility of infection looms even larger.

Just as viruses have evolved and become more ingenious, so have the virus scanners. They must now check for boot-sector viruses, polymorphic viruses, SMEG (Simulated Metamorphic Encryption Generator) viruses, and even stealth viruses (see the sidebar "Virus Morphology,").

Viruses are part of life in this age of interconnectivity. They can be complex and deadly to your data, and they are very real. To protect your enterprise network without alienating your users--and still maintain your sanity--you need a virus scanner.

At Your Service
The first task of a virus scanner is to detect viruses. It can have the world's slickest interface and run super fast, but if it doesn't detect viruses, what good is it? To adequately test the three virus scanners I found for Windows NT, I enlisted the help of Richard Ford at the National Computer Security Association (NCSA--not to be confused with the National Center for Supercomputing Applications--see the sidebar >"The NCSA" ). Ford is the former editor of Virus Bulletin (UK) and one of the world's foremost experts on computer viruses. The virus detection tests were performed against 5383 different viruses that break down as follows:

*Zoo test set: 2638 viruses from the NCSA Virus Library

*SMEG test set: 2490 genuine replications of the SMEG virus attached to goat files (sacrificial files for the virus to attack and infect)

*Wild test set: 255 genuine infections known to inhabit computers in the real world

In addition, several polymorphic and boot-sector viruses were used. The test system was a 66-MHz Pentium, Award Modula BIOS v5.04G, with 16MB of RAM, and a 540MB Quantum SCSI disk drive powered by Windows NT Server 3.51.

The second task of a virus scanner is to help you neutralize the virus or at least notify someone that your system may be infected. And third, you need to be able to update the set of viruses that your scanner looks for, because practically as soon as you get the software, it's out of date. New viruses are created more quickly than virus scanners can keep up with them. A good rule of thumb is to update your virus software every four months. This is usually accomplished by downloading some files from the Internet, from a company BBS, or from a disk.

NT Anti-Virus 1.00 Beta 4.1
Installation
Installation was a breeze. You unzip the archive, run the setup program, and you're there. You will be prompted for the standard company information, and for a directory to install NT Anti-Virus (NTAV) in. Total installation time: 5 minutes.

NT Anti-Virus 1.00, Beta 4.1

Requirements: 16MB RAM, 10MB disk space

Contact: Carmel Software Engineering, Phone: 972-4-416976, Fax: 972-4-416979, Email: [email protected], CompuServe: 100274,1103

Price: $129.00

Setting Up and Using NTAV
NTAV's strongest feature is its user interface. It's intuitive and clear, giving you the right amount of information without seeming cluttered. You can control all aspects of the scanner by creating and scheduling scan jobs for both local and networked disk drives. You can tell NTAV to scan boot sectors, data files, or just .EXE and .DLL files. In addition, you can exclude specific directories or files from your scans. NTAV's main screen is a toolbar that makes these tasks quick and easy.

NTAV scanned the 540MB disk in about 1:05 minutes and the 1GB disk in about 4:40 minutes, making it the fastest of all the scanners we tested. However, any advantage implied disappears when you learn that NTAV crashed on many of the viruses NCSA tested (see Table 1). The version I tested was the beta version available on the Internet.

The impact on system performance of running NTAV seems nominal. Since it's designed to be a stand-alone virus scanner, impact on a central server is not a concern. NTAV uses a standard log file to capture information about the viruses encountered. You can configure it to automatically neutralize or eliminate infected files without shutting down the operating system.

A Good First Effort
NTAV is a good first effort from Carmel. Even though this is beta software, the installation program is first-rate. The user interface is as good or better than many commercial virus scanners, but, obviously, crashing is not acceptable. If the product can't scan for viruses, the rest is moot.

I'd like to see some sort of centralized reporting or notification so that system administrators don't have to read a separate log file for each system scanned. Better customer support would be a plus as well. I have never been able to contact the people at Carmel. I have sent repeated messages to the Internet address as well as to phone and fax numbers--all with no response. Strangely enough, however, I did receive an announcement detailing the release of beta version 4.1.

InocuLAN 1.0 (Virus Signatures 3.02)
Installation
Installing InocuLAN was a real pleasure. After running the SETUP.EXE program and inserting the license disk, I was prompted for the type of installation I wanted: express, which takes all the defaults, or custom, which gives you complete control. After these questions, the program is installed, and program groups are created automatically.

InocuLAN installs as a service and prompts you to start the InocuLAN service and the Alert Notification service. If you choose No, you can start these services later through the InocuLAN Service Manager. Total installation time: 5 minutes.

InocuLAN 1.0(Virus Signatures 3.02)

Requirements: 16MB RAM, 8MB disk space

Contact: Cheyenne Software, Phone: 800-243-9832, Fax: 516-484-3493, Web: http://www.chey.com, BBS: 516-484-3445, CompuServe: GO CHEYENNE

Price: $895 for one server, $3995 for five servers

Setting Up and Using InocuLAN
InocuLAN consists of two parts: the server, which controls the when, where, and what to scan, and the client, which performs the actual scan. By using the Quick Access toolbar, configuring InocuLAN is easy. The server controls one or more groups of clients (NT, Windows, or Macintosh). These groups are called domains. The domain manager allows you to create and schedule scan jobs and configure most options (see Screen 1). If your client is another NT machine, InocuLAN automatically starts the scanner and records the results in the server log file. If your client is not an NT machine, you must schedule jobs on the local machine using the local scanner option.

In addition, InocuLAN can notify you of the virus in a variety of ways: via broadcasts, pager, email, trouble tickets, or Simple Network Management Protocol (SNMP). You can configure the Alert Service to notify you about almost any event that InocuLAN encounters. Once configured and scheduled, InocuLAN runs the scan jobs at the designated times.

You can limit the impact on system performance by setting the maximum percentage of the CPU that InocuLAN can use. Scan times ranged from 1:45 minutes on the 540MB system to a little more than 6 minutes on the 1GB system. The programs displayed information about the files being scanned and kept me up-to-date with its progress.

InocuLAN did very well on the NCSA tests (see Table 1). It had some problems reading several boot-sector viruses and came up with the following error message: "Boot: Error msg 'Error accessing drive while trying to scan. Please verify and try again.'"

This scanner has many options for notification. I found the broadcasts useful for actual virus detection. I used the email and trouble-ticket options to notify me when a scan job had run without incident, as well as to report suspicious behavior. To receive broadcasts from clients other than NT, you must have the IPX/SPX protocol installed and running on the server. The pager function is easy to configure and requires that your server have a modem and a phone line attached. The messages are somewhat cryptic, so I wouldn't recommend a pager alert unless something bad happens.

If you know SNMP, then configuring InocuLAN will come as no surprise. You need to know your SNMP server identity and either the IP or IPX address. When a virus is detected, InocuLAN can attempt to neutralize the infected file by overwriting or deleting it. These recovery methods work while NT is up and running. No shutdown is necessary.

Editor's Choice
InocuLAN is an extremely easy to install, configure, and use virus scanner that works on the whole enterprise. It has minimum impact on system performance and provides reliable virus detection and recovery. I wish that it were as well integrated with non-NT clients as it is with NT clients. Making the Alert Service work with non-NT clients over NetBEUI or IP as well as IPX would be a big plus.

The fact that InocuLAN takes advantage of a well-thought-out client/server architecture and previous experience in enterprise network environments makes it a very good choice.

Sweep/Intercheck for Windows NT 2.75
Installation
Installing Sophos' virus scanner is not an easy task. In the manual, Sophos explains that its current install program doesn't work under NT. You must create directories and user groups and assign permissions manually. This process is not complex, but it is tedious and time-consuming. I had to do a lot of tinkering to get everything installed correctly.

Sweep for Windows NT can run either stand-alone or as a server, and Sophos also provides an DOS/Windows client. After running the install program, you need to edit configuration files and add some parameters, which are spelled out in the manual. Total installation time for both client and server: 1:45 hours.

Sweep/Intercheck for Windows NT 2.75

Requirements: 16MB RAM, 10MB disk space

Contact: US: Alternative Computer Technology, Inc., Phone: 301-493-6893, 513-755-1957, 412-920-8600, Web: http://www.icubed.com/sophos.html, International: Sophos Plc, Phone: +44 1235 559933

Price: $795 for 20 users

Setting Up and Using Sweep/Intercheck
Sweep has many options allowing you to customize the program to your needs. Unfortunately, all options must be specified via command-line parameters (see Screen 2). The manuals were confusing and terse, and I had to make several calls to customer support. When everything was set up, I tried Sweep in stand-alone mode. It scanned the 1GB disk in about 3:30 minutes.

Next, I set up Sweep in Intercheck Server mode. The Intercheck server runs on the NT host and communicates with other computers running the Intercheck client. When the client is run for the first time, it must read all your files and "fingerprint" them. This process can take a fair amount of time. It took me about 20 minutes to fingerprint the 540MB disk. Once files have been fingerprinted, however, they don't have to be scanned for viruses again unless they change. While the initial overhead is high, in the long run you actually spend less time scanning files, as the client stores a database on its local disk (four bytes per file).

When it copies a new file to the client, Intercheck checks the local database and then the server database and informs you that it's checking the file against the central database. If it finds a virus, it halts the operation; if not, it copies the file and adds the fingerprint information to the central database.

Sophos Sweep/Intercheck faired well in the NCSA virus-detection test (see Table 1) except for Intruder Boot, where Sweep reported that it was unable to scan the infected disk.

Intercheck logs all virus detections to a log file which is a plain text file and can be viewed with any text editor. A log file for each machine scanned is kept in a shared directory on the server. Depending on how you configure it, Intercheck can attempt to neutralize the infected file, erase it, or render it invalid by writing over it--without shutting down NT. If the virus is found on a client, Intercheck can halt the client and not allow further access until the virus is removed or neutralized.

System Impact
The Intercheck server had minimal impact on my server: a 486/50 EISA with 32MB of RAM and a 2GB SCSI-2 hard drive. When I initially "fingerprinted" my clients, the amount of time needed to complete the operation varied. One heavily used system with a 1GB disk took well over two hours, while another system with a 540MB hard disk took only 15 minutes. It depends on how full your hard disks are.

Needs Work
While Sweep/Intercheck did very well on actual virus detection, it needs a lot of work to become an enterprise tool. Tom Farrel of Sophos told me that the company is rewriting the manuals, and a new release sporting a GUI interface and an installation program should be available in September. But at press time, Sweep/Intercheck version 2.75 was the current version, and it was difficult to install and configure. Once properly set up, however, Sweep/Intercheck is an effective virus-detection tool. I look forward to seeing its next release.

Windows NT Virus Scanner Features

Carmel

InocuLAN

Sweep/Intercheck

Electronic Updates

Good

Good

Good

Installation

Good

Good

Poor

Configuration

Excellent

Excellent

Poor

Reporting

Good

Excellent

Good

Scheduling

Excellent

Excellent

Poor

Detection

Poor

Excellent

Excellent

Neutralization

Good

Good

Good

Client Support

Not applicable

Excellent

Good

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like