No.More #*!$ Viruses Review


Virus Bulletin

November 1995, Product Review p.21-23



No.More #*!$ Viruses

Dr. Keith Jackson


No.More #*!$ Viruses (NoMore) is a new product. Not only is it new to the marketplace, its very concept is different from other anti-virus products. It is not based on scanning technology. Its main function is to detect boot sector viruses, but it can also detect multi-partite and system infectors. It does this by executing at power-up, and checking that the system is clean. NoMore was provided for review on a single 3.5-inch, low density (720 Kbyte) floppy disk.

Documentation

The product's documentation comprises a single, 63-page A5 booklet. Its style is quite straightforward, if (as are all too many such tomes) a tad boring for the poor reviewers who actually have to read it, as opposed to using it merely for reference purposes.

Thinking along such lines, the manual contains no index, and no detailed explanation of any error messages which may appear, so finding things is not too easy. However, it must be said that the long descriptions in the Table of Contents do help matters somewhat.

The manual itself is well-written, with explanations by somebody who obviously knows what he is talking about. The content is well-explained, even if it does not resort to great detail -- do not expect to use this volume as your sole guide to fighting computer viruses.

The documentation makes it clear that NoMore is not intended to be a complete virus protection system; the manual states that "NoMore is not intended to replace scanning technology such as our Vi-Spy Professional and Vi-Spy Universal NIM...it is designed to complement them".

Under Warranty

It is not often that I comment on the legal agreements which accompany various anti-virus products, but there are exceptions to every rule. In the terms of the licence agreement which covers NoMore, the user must agree to certify in writing to the developers that all copies of NoMore have been destroyed if and/or when the license is terminated.

This is a fine example of lawyers inhabiting a different planet from the rest of us mere mortals. How many people are going to comply with this constraint and write off to explain that they no longer wish to use a product?

(RG Comment: NoMore's license verbiage is standard in the industry in the US. If the user violates the license by disassembling or modifying any portion of the software, or makes illegal copies of the software for third parties, then and only then would the user be required to stop using the software.)

The warranty provided with NoMore is also a curious document, I quote: "In the event of any Warranty claims, RG, at its sole discretion, will repair or replace the diskette". So you'll get a new floppy disk--if you're really unlucky, the company might even repair (their words!) the original. All this gobbledygook, and other clauses which exclude all liability (unless the local legislature has had the sense to outlaw such shenanigans), has no place in a serious product. Unfortunately, many products these days have such bizarre legal agreements--perhaps it's time to bring lawyers back to the real world?

(RG Comment: Many products, including some from Microsoft, specifically provide no warranty whatsoever.)

Installation

The manual which is provided with the product claims that the installation should "typically take 3-5 minutes": this is a claim which corresponds closely to what actually happened. I had no problems installing NoMore - it really was very straightforward.

The installation program asks first if you are using an "active software security package" (e.g. an access control system or a disk encryption system). Given the way in which NoMore operates, it cannot perform properly if such a product is present. This fact is well explained in the manual, and installation does not proceed unless the answer to this question is "No".

Continuing onwards, the installation program then says that "PC Thermometer is analyzing your system". Note that this name is even trademarked! The manual claims that PC Thermometer will "check your system for the presence of an active virus". When PC Thermometer executes, it produces onscreen messages saying 60º, 75º, 80º, 85º, 92º, 98.6º (body temperature in Fahrenheit, geddit?). I have no idea what all this means, and as the manual does not give any details, I also have no idea how my computer was checked for viruses -- but it certainly seemed happy enough with my system.

(RG Comment: PC Thermometer is new technology that enables NoMore to ensure that it gets installed on a clean machine. RG considers this breakthrough technology to be proprietary, and thus doesn't describe its modus operandi.)

After choosing between a few customization options (for example, whether NoMore should ask before removing a virus, or whether a password is required), and performing a couple of reboots, installation was complete. During the installation process, NoMore creates a fixed-name subdirectory (C:\MBBOOT) and creates 125 Kbytes (marginally more than the 120 Kbytes claimed in the manual, but still a small amount) of files within it.

The next point which must be noted is that the diskette used for installation is, and must be, write-enabled, as the installation program insists on writing back to the floppy disk. The manual explains at some length that the installation process writes PC-specific information back to the floppy disk, allowing disaster recovery.

(RG Comment: The NoMore installation diskette actually becomes a bootable, system disk that automatically runs NoMore to allow automatic recovery of DOS boot components that may have been damaged by a virus or other causes.)

I can think of no reason why this information could not be written to a blank diskette, which could then be stored in a secure place [RG Software believes it is easier for users not to need a blank formatted diskette before beginning the installation process. Ed.].

NoMore modifies AUTOEXEC.BAT and CONFIG.SYS, installing its own code as the first line in each of these files. A backup is taken of each of these files before any alterations are made.

Operation

When a PC is rebooted with the product active, its position as the first line on CONFIG.SYS and AUTOEXEC.BAT ensures that it can perform its tasks before any other program has loaded. This location is enforced by NoMore's software. If the product's device driver has been moved away from the first line of CONFIG.SYS, NoMore will replace it at the start of the file. Problems would arise, however, if another product turns up which also requires to be in this special position.

By making a comparison with the snapshot of the PC taken during installation, the NoMore device driver checks that none of the vital component parts of the PC's software have been altered. The manual also states that specific "viral detection checks" are made; however, as (unsurprisingly) no details of the company's proprietary algorithms are provided, I cannot comment on their efficacy.

(RG Comment: Viruses utilize a large variety of "tricks" to hide their presence and make removal a non-trivial task. NoMore deals with these situations properly and ensures proper removal of the infection.)

If no evidence of a virus infection is found, NoMore removes itself from memory, and the PC boots as normal. Nothing is left behind in memory -- NoMore is not a TSR. All checks are performed in about five seconds (presumably less on a fast PC), making NoMore very transparent indeed; and thus less likely to be disabled by the user.

One customization feature offered by NoMore is to make it run silently, with no displays unless something is amiss--this, in tandem with the speed with which the product operates, could make it valuable for those who do not want their users even to see that their systems are being checked for viruses.

Methodology

I tested how well NoMore detects virus infections by repeatedly infecting my test PC with various boot sector viruses. This PC was booted from a floppy disk known to be free from viruses, which also contained a scanner (Dr Solomon's AVTK). Executing this scanner confirmed that the hard disk of the test PC really was infected.

If an infection was found, the PC was rebooted from the hard disk, and the action taken by NoMore was observed. Before the next infection was tested, the reboot from a clean floppy, followed by a scan of the hard disk, was repeated to check that NoMore had removed the previous infection.

Detection of Virus Infection

NoMore's virus detection capabilities were checked against eleven boot sector viruses; namely: AntiEXE, BootEXE, EXEBug, Form, Junkie, LZR, Natas, Stoned.NoInt, NYB, Quox, and Sampo.

In these eleven samples, NoMore always correctly detected the presence of the virus, and also gave a short description of the changes which had been made to one or more of the DOS boot record, the Master Boot Record (MBR), the partition information, and the command interpreter.

In all of these cases, NoMore was able to remove the virus infection successfully by restoring information about the hard disk preserved when the product was first installed. This result is impressive; a 100% hit rate.

Note that NoMore did not know which virus had affected the test PC; it merely knew that something had changed, and took the appropriate replacement action. Samples of whatever were thought to be virus infections are saved on the disk by NoMore as DOS files, and subsequent examination by a scanner (SWEEP from Sophos) confirmed that they were, in fact, virus infections.

NoMore also maintains a file called INCIDENT.LOG which contains details of all detected problems. The contents of this file can be examined using a utility which is provided with the product--this utility is placed on the hard disk at installation time.
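The snapshot-compare-restore cycle described in this section can be sketched as follows. This is an added example, not NoMore's code (the review notes that the product's algorithms are proprietary and undisclosed); the function names, the in-memory disk image and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib

SECTOR = 512
# Standard MBR layout: boot code, four 16-byte partition entries, 0x55AA signature.
REGIONS = [("boot code", 0, 446), ("partition table", 446, 510), ("signature", 510, 512)]


def take_snapshot(disk):
    """Install time: keep a copy and a digest of sector 0 (assumed clean)."""
    sector = bytes(disk[:SECTOR])
    return {"copy": sector, "sha256": hashlib.sha256(sector).hexdigest()}


def changed_regions(baseline, current):
    """Name each MBR region whose bytes differ from the baseline copy."""
    return [name for name, lo, hi in REGIONS if baseline[lo:hi] != current[lo:hi]]


def boot_check(disk, snapshot, incident_log, quarantine):
    """Boot time: compare sector 0 with the snapshot; on mismatch save the
    altered sector as a sample, log the incident, and restore the baseline."""
    current = bytes(disk[:SECTOR])
    if hashlib.sha256(current).hexdigest() == snapshot["sha256"]:
        return []                      # clean: nothing stays resident
    regions = changed_regions(snapshot["copy"], current)
    quarantine.append(current)         # sample kept for later scanning
    incident_log.append("sector 0 altered: " + ", ".join(regions))
    disk[:SECTOR] = snapshot["copy"]   # generic repair, no virus identification
    return regions


def demo():
    # Constructed 2-sector disk image: one active partition entry and the signature.
    mbr = bytearray(SECTOR)
    mbr[446] = 0x80                    # first partition marked active
    mbr[510:512] = b"\x55\xaa"
    disk = bytearray(mbr) + bytearray(SECTOR)
    snap = take_snapshot(disk)
    log, samples = [], []
    first = boot_check(disk, snap, log, samples)   # unmodified disk
    disk[100] ^= 0x01                  # single-bit change in the boot code
    disk[450] ^= 0x10                  # single-bit change in the partition table
    second = boot_check(disk, snap, log, samples)
    third = boot_check(disk, snap, log, samples)   # after repair
    return first, second, third, log, len(samples), bytes(disk[:SECTOR]) == snap["copy"]


if __name__ == "__main__":
    print(demo())
```

Because the check compares against a stored baseline rather than a signature list, it flags any alteration, including single-bit ones, without knowing which virus made it; the trade-off is that the baseline must have been taken on a clean machine.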

Integrity Checking

I used the Norton Utilities to make various single-bit changes to the DOS boot record and the "boot area" (I am not exactly sure what Norton means by this term). NoMore detected every modification that I made, and could also remove all alterations. I have no complaints about this.

In addition, when I made single-bit changes to the DOS command interpreter file (COMMAND.COM), NoMore always succeeded in detecting these changes when made to the copy of COMMAND.COM stored in the root subdirectory. This was accurate, but somewhat less than useful, as the PC was set up to use another copy of COMMAND.COM which was stored in the DOS subdirectory.

The problem is actually more complicated than it appears at first sight. I use a multi-boot system which sometimes uses a shareware command interpreter called 4DOS. This is contained within a file called (unsurprisingly!) 4DOS.COM. No matter what type of boot is performed, NoMore always simply checks the copy of COMMAND.COM stored in the root subdirectory. This file will be the one attacked by a direct system infector; however, the technique cannot be considered foolproof.

(RG Comment: PCs using 4DOS are very rare in the corporate environment.)

Damage

Given the above results, NoMore performs its claimed features very well. It really does detect any boot sector virus at boot time. Given that it can detect single bit alterations, it seems likely that the developer's claim of being able to "Detect and provide no-hassle immediate repair of any boot virus, past, current and future" is likely to be true. Personally, I would have toned down the use of the word any, as some smart virus writer could possibly find a way round NoMore, but that's a quibble rather than an objection.

Even so, there is a problem lurking behind all this seemingly limitless capability. Firstly (and this is made clear by the manual) the product does not provide a complete solution to the problem of file-infecting viruses. It does not attempt to hide this point, and the manual advises use of a scanner in conjunction with NoMore (RG's own, of course).

NoMore will, of course, spot multi-partite viruses, but only after they have dropped their boot sector portions. This fact is not made clear in the documentation, but is intuitively obvious from the method by which the product functions.

It could be suggested that checking only at boot time for the presence of a boot sector virus is insufficient. However, consider how a pure boot sector virus infects -- it does so at boot time, if a floppy is accidentally left in the disk drive. By definition, immediately after the hard disk becomes infected, a reboot occurs, at which time NoMore should spot the infection.

In addition, NoMore cannot detect damage caused either to data or executable files. However, neither can conventional scanners, and this is not NoMore's stated aim. Nonetheless, I am left with a slight sense of incompleteness.

(RG Comment: NoMore eliminates an entire class of viruses that account for over 90% of the problem. Every a-v product can be said to leave one with a slight sense of incompleteness.)

Conclusions

Although this review refers to this product as NoMore, its official title is No.More #*!$ Viruses. The disadvantage with names such as this is that, although on first hearing they raise a smile, it is difficult to know how to refer to the product in everyday use. The developers would be advised to think about changing this name, as the joke wears thin after a while. Whoever wrote the product manual seems to agree, as the name reverts to merely NoMore on the fourth page.

(RG Comment: RG has found that customers love the name. After all, isn't this what you're muttering under your breath as you battle the latest viral intruder?)

The name, and the propensity to write back to the installation disk, are a pity, because NoMore does what it sets out to do very well indeed. It is true (currently!) that the majority of virus infections are caused by boot sector viruses: in all my testing I did not find a single boot sector infection which NoMore failed to spot. Given the fact that it also spotted single-bit alterations (no matter where I made them), this is not surprising.

NoMore cannot prevent a hard disk from becoming infected with a boot sector virus, but it can spot that such an infection has occurred the next time the PC is rebooted.

This works well against purely boot sector viruses, because (as described above) the computer is in the process of rebooting when an infection occurs.

Overall, NoMore allows a 'hands-free' response to the current most common type of virus -- what has become known as a "Fully Automated Response" (FAR) -- and as such will probably find a home in large organizations.

Technical Details

Product: No.More #*!$ Viruses, v1.07.95. (Currently v2.10.95, which runs on Windows 95, DOS, and Windows).

Developer/Vendor: RG Software Systems Inc, 6900 East Camelback Road, #630, Scottsdale AZ 85251, USA, Tel +1 602 423 8000, fax +1 602 423 8389, Internet http://www.rg-av.com

Availability: Any PC running DOS version 3.0 or above. A hard disk drive with 120 Kbytes of available space, and one floppy disk drive, are also required.

Licensing: Available with single copy purchases as well as corporate license and disk distribution plans.

Hardware used: A Toshiba 3100SX; a 16 MHz 386 laptop computer with one 3.5-inch (1.4 MByte) floppy disk drive, a 40 MByte hard disk and 5 MBytes RAM, running under MS-DOS v5.00 and Windows v3.1.

The boot sector viruses used for testing in this review are: AntiEXE, BootEXE, EXEBug, Form, Junkie, LZR, Natas, NYB, Quox, Sampo, and Stoned.NoInt.

(Reprinted by RG Software Systems, Inc. with permission from Virus Bulletin Ltd., Abingdon, Oxfordshire, England.)

RG Note: This review has been reprinted verbatim in its entirety. RG has added a few comments to areas where the reviewer drifted away from the product's technical aspects.




RG Software
7430 E. Stetson Drive, #205, Scottsdale, AZ 85251
Phone: 602-423-8000 Fax: 602-423-8389
Copyright © 1997 RG Software; All rights reserved.