Vi-Spy Review


Virus Bulletin

June 1996, Product Review p.29-31



Vi-Spy

Dr. Keith Jackson


Vi-Spy is a well-established product which has been reviewed by VB three times before: June 1994, August 1992, and May 1990. I have written all these reviews--regular as clockwork, every two years, the latest Vi-Spy drops on to my doormat.

The product, which works under DOS or Windows, provides a scanner, memory-resident anti-virus software, checksumming features, and disinfection facilities. Also included was a disk marked 'Windows 95 Release Candidate #1'; however, I do not yet run Windows 95, so this review does not discuss that disk. Likewise, many of the Vi-Spy features are network-aware, but I have no means of testing these.

Documentation

The printed documentation comprises two A5 books, a Guide to Operations (154 pages), and a Computer Virus Primer and Troubleshooting Guide (67 pages). Both manuals seemed very similar to those provided for the last review: closer examination revealed that the Guide to Operations was identical to that used two years ago. Not even a minor revision.

On the whole, even given the passage of time, Vi-Spy's documentation is very good, and very easy to use; however, it must be said that the Windows parts are not well documented. In fact, I do not remember seeing the words Windows 95 in either book; however, the issue is discussed in READMEs and on extra sheets enclosed. This is perhaps not surprising, as the Windows 95 product was not a full release at the time this review was written.

The Computer Virus Primer has been updated: it now dates from January 1995. I put the latest and the previous versions side by side and I'm hanged if I can spot a difference. Both Tables of Contents are identical, even the length of each individual section. The differences must be minor indeed.

Installation

The DOS/Windows version of Vi-Spy occupied a single 3.5 inch (1.44 MB) floppy disk. When installed as described below, Vi-Spy placed 50 files, occupying 1.4 MB on the hard disk of my test PC. The documentation explains how to install Vi-Spy files manually should this prove necessary.

Installation of Vi-Spy onto a hard disk has always been straightforward. When executed from floppy, the installation program scans 'critical system areas', then decides if this is an upgrade or a new installation. Amusingly, it found a copy: I had stored a copy of the master disk in a subdirectory. I just told the installation program to ignore it.

The user is asked whether the Windows part of Vi-Spy should be installed, and for the name of the subdirectory to hold the Vi-Spy files. Changes are made to WIN.INI and AUTOEXEC.BAT (if confirmed by the user). The memory-resident components of Vi-Spy are installed by means of extra lines added to the end of AUTOEXEC.BAT.

If Vi-Spy's Windows components have been requested, the installation program fires up Windows, requests that paths to desired subdirectory locations are specified, leaves the user in Windows to test things, and states that installation will only be complete when Windows is exited. On leaving Windows, the DOS installation program completes its tasks, and provides a summary of what has been done.

Scanning

Vi-Spy claims knowledge of 4104 virus 'names' (each name will detect multiple viruses), a claim made subject to a caveat that users should beware the virus numbers game. The warning is useful, even though Vi-Spy is more restrained than other scanners regarding such claims. Of course, the number of viruses known to Vi-Spy has risen inexorably: in May 1990, it knew of 46 viruses. Two years later the total was 750, and two years after that, 1879.

The scanner is available as a command-line driven DOS program, a DOS program which uses drop-down menus, and a Windows program. They all use the same core engine.

Scanning Speed: DOS and Windows

In its default state, the DOS version of Vi-Spy reported that it scanned the hard disk of my test PC (714 files in total, 293 files scanned, 23.0 MB) in 1 minute 54 seconds. The time as measured by a stopwatch was 2 minutes 27 seconds.

The reason for this is clearer when memory checks are removed from the scan. Here, the time taken is 2 minutes 8 seconds, and time reported onscreen stays the same. The time reported onscreen seems to include time taken to check memory.

Vi-Spy has various options to tailor scanning. The default, 'Optimal', (aka 'Turbo') scans only parts of files 'where viruses are most likely to exist'. The fastest mode, 'DOS critical only', checks the computer's CMOS and the hard disk's boot sector and partition table--in four seconds!

A scan can also be 'Intense' (executable files are scanned byte by byte), which took 8 minutes 12 seconds, or 'Maximal' (all files scanned), which took 13 minutes 33 seconds. As above, scan times reported onscreen were just under 30 seconds less than those measured. 'Optimal' and 'Maximal' scans do not commence until the user presses a key. I do not know why this feature only applies to these two scans.

In comparison, Dr. Solomon's AVTK scanned the hard disk of the test PC in 4 minutes 21 seconds; Sophos' Sweep, in 7 minutes 38 seconds--considerably slower than Vi-Spy. Both of the products used for comparison have onscreen scan times less than measured scan time; however, the discrepancy between the two times is less than that of Vi-Spy.

Though Vi-Spy knows of many types of compressed files--e.g. ZIP, ARC--it only warns that they exist and does not scan within them. The TSR, like all of its type, will pick up the files as they are decompressed by the user. I was, however, surprised that Vi-Spy said I had LZH files on my disk; it turned out that they were Vi-Spy's own--I have no LZH files on my test PC!

The Windows version of Vi-Spy is a front-end which garners settings for invoking the DOS Vi-Spy scanner. When this version was tested, scan times always increased over the figures reported for the DOS scanner, as expected.

Using a stopwatch, 'Optimal' scan time rose to 2 minutes 47 seconds; an 'Intense' scan took 18 minutes 39 seconds. Each figure includes a 25-second discrepancy between the times shown above and times reported onscreen. In comparison with the DOS scan times reported above, 'Maximal' scan time is affected by Windows more than the other methods.

Detection

I tested the virus detection capability of Vi-Spy against the test-sets listed in Technical Details. Against In the Wild viruses, and using default settings, Vi-Spy detected 281 of the 286 test samples (98.3%). It failed to spot the three samples of Markt.1553, and the two of Bosnia:TPE.1_4.

Against the Standard test-set, again using default settings, Vi-Spy did almost as well, detecting 260 of the 265 test samples (98.1%). The only viruses missed were the two samples of Phantom1, the two of Cruncher, and the single Kamikaze. All in all an excellent performance.

When Vi-Spy's settings were changed from its default values, the results were somewhat curious. The 'Intense' and 'Maximal' scanning methods are intended to provide a more in-depth scan for viruses. When run against the In the Wild test-set, an 'Intense' or a 'Maximal' scan detected, in each case, one virus less than when the Optimal scan was invoked. All nine viruses which were missed by the Optimal scan remained undetected, but for some strange reason, one EXE sample of One_Half.3544 also went undetected.

When the Standard test-set was used, things became stranger. Both Intense and Maximal scans detected the Kamikaze sample which the Optimal method had missed. However, the Intense scan failed to detect December_24th and one of the two Vcomm samples.

Therefore, the Maximal method tested against the Standard test-set was the only occasion when any of the more in-depth scanning methods performed better than the Optimal (Turbo) scanning method.

I suppose that some of these odd results reflect the fact that all the Vi-Spy scanning methods get close to 100% successful detection on both sets... though I'm hanged if I can explain why a more thorough look for a virus should actually perform worse than a quick (Turbo) scan.

Of the polymorphic samples, Vi-Spy detected 3988 of the 5500 test samples, a detection rate of 72%. The overall figure is quite good; however, it does hide a more complicated picture when results are examined in greater detail.

Vi-Spy detected all samples of DSCE.Demo, Groove and Coffee_Shop, Pathogen:SMEG and SatanBug.5000.A. All bar one sample of One_Half.3544 were detected: this was the very virus (albeit a different sample) which caught out more in-depth scanning methods from the In the Wild test-set.

Detection of the other polymorphic viruses was variable, ranging from 89% of the Neuroquila.A test samples, to just 8% for the MTZ.4510 test samples. Vi-Spy also detected all of the twenty boot sector test samples.

The product has always been very good at detecting viruses, and nothing much has changed in that department. In its last review, it detected all the non-polymorphic test set, 83% of the polymorphic viruses, and all the boot sector viruses.

Since those halcyon days, the test-sets, particularly the polymorphic, have expanded greatly, but Vi-Spy's detection capability has kept up admirably. The apparent fall in the polymorphic detection rate is almost certainly due to the fact that the test-set is much more demanding: the samples therein are more varied and much more difficult to detect with certainty.

Memory-resident Software

Three separate memory-resident programs are provided. The default, called RVS, checks program files as they are executed or otherwise accessed, prevents the user from accidentally booting from a floppy, inspects all floppy boot sectors, warns when a program is about to go memory-resident or changes in size, and also prevents anything writing to the partition table or boot sector on the hard disk.

The second of these, RVSCDF, has all the features of RVS coupled with checksum verification for each executable program before execution. RVI-SPY, the last memory-resident program, checks floppy disks, attempts by programs to become memory-resident, and changes in executable program size.

This software installs itself in one of seven ways, using the smallest possible 'footprint' in lower memory, and mixes of Expanded and Extended memory. On my PC, the message 'Running in EMS swapping mode' showed the storage strategy. When the line 'DOS=HIGH UMB' was not in CONFIG.SYS, RVS occupied 16 KB; RVSCDF 17 KB, and RVI-SPY, 7 KB. With this line, base memory usage dropped to zero. All figures refer to lower memory.

Against In the Wild and Standard test-sets, the detection of the memory-resident component was identical to that offered by Vi-Spy's stand-alone scanner in 'Optimal' mode. Few products can claim such a 100% match. Certainly, I have reviewed nothing capable of that in the past year or so.

Any memory-resident monitoring program which carries out tests before allowing access to a file must have an impact on system performance. I measured the overhead imposed by copying 40 executable files (1.25 MB) from one subdirectory to another. With no memory-resident software present, this took 23.8 seconds, rising to 46.4 seconds with RVS present, or 45.2 seconds under RVSCDF. With RVI-SPY present in memory, the time to copy the files dropped to 22.2 seconds. This I cannot explain: the result is, however, consistent.

Checksums

Vi-Spy can create a database of checksum information about each executable file present on a hard disk. The manual states that 17 bytes are required for each database entry.

The checksumming component of Vi-Spy adds, as expected, a huge amount of time to a hard disk scan when it is first executed and it creates its database of checksums. Reams of onscreen messages report the files added to the database.

After this first run, scan time increases only marginally. For instance, an 'Optimal' scan of the hard disk of my test PC rose to an onscreen reported time of 2 minutes 8 seconds, just 14 seconds more than the default time reported above.

The Rest

Vi-Spy claims to be able to clean viruses from infected files, but in common with my usual stance, I have not tested this. Infected files should be replaced with known clean copies.

Vi-Spy still maintains some of its files in a subdirectory (RGVSPYDB) in the root of drive C. This is a nuisance, but unlike previous versions, the files can now be placed in any desired subdirectory by using a command-line switch.

Vi-Spy includes a scheduler which can be used to invoke a scan at any desired interval. The installation program uses this to ensure that a scan is carried out at least daily--assuming that a PC is rebooted at least once every day.

Conclusions

Vi-Spy lives or dies by its scanning ability (from either the stand-alone scanner or the memory-resident software). This was true four years ago, it was true two years ago and it remains true today. Given some of the more complex anti-virus software I have seen in recent years, Vi-Spy's simplicity stands out, at least to me, as a virtue. It is refreshing to review an anti-virus product with fewer features than a modern word processor.

Vi-Spy has long had an enviable record as far as its memory-resident software is concerned. This remains so. Its detection rate capabilities are particularly impressive.

I previously concluded that Vi-Spy is 'simple to understand, easy to use, and fleet of foot in searching for virus signatures on a disk'. That remains true, although it is a shame that the speed impact of the resident software is as large as it is.

The results show that this product was at least twice as fast at scanning the hard disk of my test computer as the packages used for comparison. It also performed well at virus detection. The percentage detected has dropped slightly in recent years, but this is more to do with the explosion in virus numbers, and the expansion of the VB test-set, than anything else.

In summary, Vi-Spy was 'heartily recommended' in my first VB review. It still is.

Technical Details

Product: Vi-Spy v14, Rel.02.96. No serial number visible.

Developer/Vendor: RG Software Systems Inc, 6900 East Camelback Road, Suite 630, Scottsdale AZ 85251, USA. Tel +1 602 423 8000, Fax +1 602 423 8389, BBS +1 602 970 6901.

Availability: PC with an 8088 processor or above with 256 KB available RAM, and 1.5 MB free hard disk space. Windows components require higher specifications. Memory-resident components require MS-DOS v3.2 or above.

Licensing: Vi-Spy single-user licenses may be purchased. Corporate discounts are also available, starting at a 25-user license.

Hardware Used: A Toshiba 3100SX; a 16 MHz 386 laptop with one 3.5-inch (1.4 MB) floppy disk drive, a 40 MB hard disk and 5 MB RAM, running under MS-DOS v5.00 and Windows v3.1.

Viruses used for testing purposes:

For a detailed listing of the contents of the Boot Sector test-set, see VB, March 1996, p.23. The Standard, Polymorphic, and In the Wild test-sets are listed in VB, January 1996, p.20. For a complete explanation of each virus, and the nomenclature used, please refer to the list of PC viruses published regularly in VB.

(Reprinted by RG Software Systems, Inc. with permission from Virus Bulletin Ltd., Abingdon, Oxfordshire, England.)
