Computer Forensics Limited


Technical Support and Development Division
The Old Barn - Wistow - Leicester LE8 0QF
Tel: +44 (0) 116 2593010 - Fax: +44 (0) 116 2593878

Jim Bates - November 25th, 1995


No More #*!$ Viruses


At last - At last!

Someone has at last brought a return to sanity in providing protection against PC viruses. I refer to a new product called No More #*!$ Viruses released by R.G. Software in Scottsdale, Arizona.

Evaluating anti-virus products has long been a problem and it is very easy to pick holes in most products. When a product comes along that offers a genuine, sensible and effective solution to a major part of the problem it becomes extremely difficult to know just where to start. If it is so simple, why didn't someone think of it before? If it is so effective, why is the problem still with us? To attempt an answer to these questions let me begin with a brief analysis of the problem. . .

The difficulty with computer viruses has always been that protection and recovery from their effects has required technical skill beyond the capacity of most users.

The ideal solution from the point of view of the anti-virus vendors would be to put a product on every PC that provided limited protection for the user with no risk of any action for damages if it failed to detect a virus. In order to maintain the market, the product (and the threat) should be infinitely upgradeable, thus forcing users into a continuous payment scheme for every PC that they operated.

This Holy Grail was the Anti-Virus Scanner program which was designed to scan for virus code every time you switched on your machine. The user buys it together with an initial period of upgrades. He uses it and finds a virus, all well and good. However, if he has a virus problem even while using it, a complaint to the vendor can be met with: "Ah! That's a new virus - it will be covered in our next upgrade". As the end of the upgrade period approaches, the user must re-subscribe to maintain his defense and thus becomes part of the endless circle generating wealth for the product vendor.

This does not mean that virus scanners are a bad thing. They have an important place in identifying virus code in order that users can be given accurate advice on how to deal with an outbreak, but they should not be the first line of defense nor should they be installed on every computer.

The ideal solution from the user's point of view would be a magic program which he could fit and forget. Once installed it would provide 100% protection against all possible viruses forever, without ever bothering him about the problem again. Unfortunately, this could only be achieved by completely isolating each machine and thus destroying one of the most powerful capabilities of modern computing - its inter-connectivity. The malicious little morons who write virus code are well aware of this and continue to capitalise on it.

Somewhere between these two ideals there has to be an acceptable median. Until now, most anti-virus vendors have insisted that they know best and have continued to promote the "scanners for all" approach that they know and love.

I reckon that this situation is about to change and my reasoning goes like this:

If you were in a battle, defending your position against attacks by an Army and an Air Force, you would seek all means to protect yourself. Shooting individual attackers as they approached would be A Good Thing but consider the costs of replenishing your ammunition on a regular basis and upgrading your armour to withstand new attack weapons. Now one of your guys invents a magic raygun that disables all the opposing aircraft. This doesn't end the war but it does remove at a stroke a large part of your defense problem.

No More #*!$ Viruses represents just such a magic raygun - it doesn't win the war but it will nullify a large part of the problem! So I'll tell you how I see it. . .

The PC virus threat can usefully be divided into two parts - Boot viruses and Parasitic viruses. Although the Boot type account for less than 2% of the total number of known viruses, they produce more than 50% of reported virus attacks. No More #*!$ Viruses successfully nullifies all Boot sector viruses by simply knowing exactly what the system boot arena should look like and repairing it if it becomes compromised. During nearly 10 years' research in this field I have collected samples of over 6000 viruses of which 73 are boot sector types. I tried all of these in attempting to infect a machine protected by No More #*!$ Viruses. Not one of them succeeded. I then tried altering single bits within the boot arena and this too was detected and repaired. On Boot Sector Viruses, this product provided 100% protection and short of actually targeting this product I cannot conceive of a boot sector type that could penetrate its protection!!! I have waited nearly 10 years to be able to say that about any anti-virus product.

So how do you use this magic raygun?

The product is shipped on a single 3.5" disk and is accompanied by a well written 63 page manual. Installation took me just 3 minutes on my standard machine and was never longer than 6 minutes on other hardware and software configurations that I tried. This included the time needed to create the clean boot disk which is an integral part of the installation process. I opted initially for the automatic repair facility since this is how I think anti-virus software should operate - quietly, without trumpeting. Once installed, I hit it with everything I could and got nowhere. I infected machines with Boot Sector viruses, Partition Sector Viruses, Multipartite viruses and even some parasitic viruses. I installed a new version of DOS, I built multi-boot systems, I even installed Windows 95. None of these seemed to affect No More #*!$ Viruses and it faithfully detected and repaired all attempts at system subversion.

Because this product is so deceptively simple and does not produce pretty marching columns of file names each time you run it, don't be misled into thinking that it is in any way trivial. This software is very sophisticated and was able to detect system subversion even when I introduced it at the very lowest level. During the tests I had no problems with false positives and no clashes with any of the wide range of investigative software that I use. No More #*!$ Viruses is now permanently installed on my main development and investigation machines.

So far, this evaluation reads like something written by an advertising copywriter and it is my experience that glowing tributes of this nature are rarely reliable. With this in mind I tried to think of and test for all the possible situations that a user might meet during normal computing activity. The results were interesting in that they were all mentioned in the manual.

No More #*!$ Viruses completes all of its activity during the boot phase of a machine's activity. It leaves nothing in memory to monitor any subsequent system activity and cannot therefore detect the activity of any virus or trojan which may be introduced to the system later. However, in most cases it will detect and repair the results of such activity when the machine is next switched on.

Since the primary boot process is completed before No More #*!$ Viruses begins its checks, any damage or corruption caused (for example by a virus triggering) during this time cannot be repaired. I am aware of five boot sector viruses which have a slight risk of corruption during their initial infection phase - none of these is particularly common and they do not represent a significant threat. For this reason alone I would recommend installing No More #*!$ Viruses in a mode which will report when an infection is found in order that users can verify the integrity of their system if it happens. I did deliberately set a machine date to 6th March (after first installing No More #*!$ Viruses) and then infected it with the Michelangelo virus. The virus triggered during the infection stage and wiped out much of the disk content including the anti-virus protection. However, the clean boot disk enabled me to gain access to the damaged disk and while it did not recover the destroyed data it greatly reduced the time taken to collect what was recoverable and eased the process of re-configuration.

For a number of years I have assisted the Metropolitan Police Computer Crime Unit at New Scotland Yard in identifying and tracking computer virus attacks. During such work it is vital that I have samples of the viruses for analysis. In the recent case of the Crown versus Christopher Pile (the infamous "Black Baron") an important part of the prosecution case centered around the inclusion of infection generation numbers within virus code. This evidence was instrumental in getting Pile sent to prison for his activities and could not have been gained without detailed sample analysis.

When I first examined the methodology of No More #*!$ Viruses I was a little worried that during its repair phase it might be completely destroying evidence of a virus attack and thus make it virtually impossible to track down the nature and source of the infection. This is not the case: a sample of the intruding code is saved in a non-executable format and - just as important - an incident log is maintained to indicate just what occurred and when. All of these capabilities are mentioned in the manual which itself is quite unusual in its honest and straightforward presentation of the virus problem.
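The detect, repair, quarantine and log cycle described above (the boot-arena comparison from the earlier section together with the saved sample and incident log mentioned here), shown as an added illustration in Python; this is not RG Software's code, and the sector contents, the loader stub bytes and the timestamps are all constructed for the example.

```python
"""Boot-arena integrity check of the kind the review describes: keep a trusted
copy of the boot sector, compare at boot, restore it if anything changed, keep
the intruding code as a non-executable (hex text) sample and write a log entry.
Added example, not RG Software's code; all sector contents are constructed."""
import hashlib

SECTOR = 512
SIGNATURE = b"\x55\xaa"          # boot-sector signature at offset 510

def make_sector(code: bytes) -> bytes:
    """Constructed boot sector: code, zero padding, 0x55AA signature."""
    assert len(code) <= SECTOR - 2
    return code.ljust(SECTOR - 2, b"\x00") + SIGNATURE

def baseline(sector: bytes) -> dict:
    """Trusted snapshot taken at install time (the 'known-good boot arena')."""
    return {"copy": bytes(sector), "sha256": hashlib.sha256(sector).hexdigest()}

def check_and_repair(current: bytes, base: dict, log: list, when: str):
    """Return (sector_to_write, status, quarantine_sample).

    status is 'clean' or 'repaired'. The sample is a hex text rendering so the
    intruder is preserved for analysis but cannot be executed by accident."""
    if hashlib.sha256(current).hexdigest() == base["sha256"]:
        log.append(f"{when} boot arena verified, no change")
        return current, "clean", None
    # Record which bytes differ so the log states the extent of the change.
    diffs = [i for i in range(SECTOR) if current[i] != base["copy"][i]]
    sample = current.hex()
    log.append(f"{when} boot arena modified: {len(diffs)} byte(s), "
               f"first at offset {diffs[0]}; original restored, sample quarantined")
    return base["copy"], "repaired", sample

# Demonstration on constructed data: a clean boot, then a single-bit change
# of the kind the review says was detected and repaired.
CLEAN = make_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed stub
BASE = baseline(CLEAN)

def demo() -> tuple:
    log = []
    _, s1, _ = check_and_repair(CLEAN, BASE, log, "1995-11-25 09:00")
    tampered = bytearray(CLEAN)
    tampered[0] ^= 0x01                                   # flip one bit
    out, s2, sample = check_and_repair(bytes(tampered), BASE, log, "1995-11-25 09:05")
    return s1, s2, out == CLEAN, sample, log
```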

In the course of my research I have met many corporate users who complain about the continuing problem of updating their anti-virus protection. In some instances they could have as many as 70% of their machines always at least three months out of date because of the sheer time involved in installation. No More #*!$ Viruses doesn't need upgrading and this is a major cause for celebration amongst these large users. In the real world this represents a very real and worthwhile solution.

There is, however, one problem which this product is likely to cause for me and anyone else involved in trying to bring the virus writers to book. . .

In English Law, the severity of a crime is often closely linked to the actual damage that it causes. This was confirmed in the Black Baron trial and the lack of reported damage prevented the ARCV perpetrators from being prosecuted. If everyone installed No More #*!$ Viruses, the amount of damage and consequential loss and inconvenience from Boot Sector Viruses would drop to negligible proportions and in England this would mean little chance of prosecution for the virus writers. It saddens me that there may be virus writers who will NOT be strung up by their thumbs - but maybe I'll have time to help catch other, more vicious villains.

Conclusions


This is not an unsolicited testimonial - I was asked for an opinion on this product by R.G. Software. However, I am delighted to see such an excellent product appear in a field which has never had a particularly high reputation for honesty and quality. I cannot speak highly enough of this product and I will be buying more of No More #*!$ Viruses to protect my other machines. Without hesitation I urge everyone else to do likewise. Individuals will benefit from its simplicity and reliability and corporate users will save millions in time and money from its no nonsense solution to a large part of the virus problem.

Ray Glath and his team are to be congratulated; this is a real breakthrough. I look forward to the possibility of a similar approach to parasitic viruses. Other vendors should take note: once word gets around they may lose a significant number of their golden geese.

Jim Bates - November 1995




RG Software
7430 E. Stetson Drive, #205, Scottsdale, AZ 85251
Phone: 602-423-8000 Fax: 602-423-8389

Copyright © 1997 RG Software; All rights reserved.