ISSN 0956-9979 June 1999

DialogueScience AntiVirus Kit v3.0

The spotlight this month falls upon a Russian product as we take a look at DialogueScience’s AntiVirus Kit (DSAV). The complete package provides the user with a file integrity checking module, an anti-virus package, a mail scanning module (optional) and a card security module (optional). In this review, we investigate the first two components of this package – Advanced Diskinfoscope for Windows 9x/NT and DrWeb32 v4.10. Are the programs really two modules of a complete protection kit, or merely two standalone products bundled together by the marketing team?

Installation

For the time being at least DSAV is only distributed in electronic form and so ‘the fully boxed product’ which we normally require for standalone reviews was not available. Instead, a CD was supplied, containing the programs and the on-line documentation.

The product was installed onto Windows 95, 98 and NT platforms. The CD-ROM autoruns when inserted into the PC, and following the DSAV splash screen the installation routine begins under the fatherly guidance of InstallShield. Given the electronic distribution of this product, the lack of a manual came as no surprise. What was a surprise, however, was the lack of any readme file prior to the installation process. It may be that the product has been designed to be used with on-line help only, but as pointed out within those help files – ‘it is recommended that you do not install ADinf32 until you have scanned your hard disk with DrWeb32 and a disk utility package’. A touch of chicken-and-egg syndrome, since this message cannot be read until you have already installed the product.

The usual choice of typical, compact or custom installation is offered by InstallShield, following which a summary of the components the user has selected to install is shown. In choosing a custom install, options to install ADinf32, DrWeb32 and SpIDer Guard for Windows are provided.

Once the chosen options are confirmed, file copying takes place. Subsequently the user is prompted to reboot the system when installing on an NT machine, but not on Windows 9x machines, despite the fact that changes to system files have been made in all cases. Upon rebooting, two icons are placed on the desktop to load either DrWeb32 or ADinf32. Alternatively, each of the programs can be loaded from the Windows Start Menu.

What is Advanced Diskinfoscope?

Strictly speaking, file integrity checkers are not pure anti-virus products. However, a product capable of monitoring the size, date attributes and (in some cases) content of files is certainly a logical weapon to use in the anti-virus war. It is with this in mind that DialogueScience has integrated Advanced Diskinfoscope into DSAV. The product is supplied in two versions, a 32-bit version (ADinf32) for Windows 9x and NT, and a 16-bit version (ADinf) for use in DOS and Windows 3.xx environments.

The help files for ADinf32 are well set out and reasonably thorough. The first few pages present a brief description of the various types of computer virus, and offer some general computing advice where the importance of learning how to manage files, perform frequent backups and correctly use anti-virus software is stressed. Following this, the use of ADinf32 is described in detail with frequent screen shots to help familiarise the user with the product.

The principles of operation of ADinf32 are reasonably straightforward. Upon disk scanning, information concerning the logical drives, boot sector, bad clusters and file tree is recorded. Additionally, a form of checksumming is used to verify the integrity of files – a Cyclic Redundancy Check (CRC) of each is performed. It is worth remembering that a CRC is designed to catch accidental corruption rather than deliberate tampering: a modification can be crafted so that the CRC of the altered file is unchanged, so the check is effective against viruses that do not specifically target the integrity checker. All this information is stored in data files referred to in DSAV as “diskinfo tables”.

When first executed, ADinf32 has to scan the PC in order to build these files. Once created, they act as references against which fresh data from subsequent scans can be compared. As well as the standard disk scan, ADinf32 also provides a facility to search for stealth viruses. For this it compares the information returned by the OS with what it reads directly via the BIOS (Win9x) or from the physical device (WinNT) – any discrepancy suggests a stealth virus infection.

DSAV uses different CRC methods depending upon the format of the scanned file. Of particular relevance to current computer virus threats, ADinf32 parses the macro components from Word and Excel files and includes only this information in the file CRC. Thus only changes to the macro content of such a file will actually trigger ADinf32 into thinking that it has changed – additions to the content of the document or spreadsheet are ignored.

Using Advanced Diskinfoscope

Without a hard copy of any user manual to hand, there are two ways of approaching ADinf32 – either peruse the help files religiously, noting down the important points, or just point, click and use the on-line help when necessary. Initially, the latter approach was chosen and the ease with which the program was used bears testimony to the logical and user friendly interface.

As with any ‘non-essential’ utility program, if ADinf32 encroached too much into the user’s normal routine, it would not be used. Pleasingly, therefore, the overhead in running ADinf32 is quite low. When first executed, it prompts the user to create the diskinfo tables for each of the fixed drives. This process is reasonably quick (approximately 15 MB/sec of data was catalogued during testing). Subsequent disk scans were performed at a similar rate, and so if scheduled to run at Windows startup they would be finished in the time taken to make the morning cup of tea. Scanning for stealth viruses was slower, however, with scan rates of approximately 5 MB/sec being achieved.

The concept of profiles is used to configure and manage ADinf32. Besides the default and boot-up profiles that are part of the package, additional customised profiles can be created in order to automate integrity checks of the system. To facilitate this process, it is possible to copy one of the existing profiles, make the required changes and save it as a new profile. Information as to which drives and files are scanned, and what action should be taken if any changes are detected, is stored within each of the profiles. Thus it is possible to configure ADinf32 to scan certain file types or specific files/folders at each (or just the first) Windows startup.

If changes are detected during a disk scan, the user is prompted to view the results in an Explorer-esque window. From this window, right-clicking any of the displayed files enables options to Scan for viruses (using DrWeb32), View properties, or apply Special marks (e.g. hide changes, declare file as stable). A detailed summary of all the changes is also written to a log file (ADINF32.LOG), and a list of the files in question is retained in ADINF.LST. Upon quitting ADinf32 the user is asked whether the diskinfo table should be updated to reflect the changes. For changes that ADinf32 considers non-suspicious, the focus is on the ‘Update’ button. Following this, the user is prompted to scan the non-suspicious files for viruses – exactly which anti-virus scanner is used (be it Windows or command-line based) can be configured within the profile setup. The scanner can be set to start automatically immediately after quitting ADinf32 (with no user prompt).

Certain changes are considered suspicious by ADinf32. For example, changes to the boot sectors (master or DOS), changes to files that have been declared as ‘stable’, or the existence of peculiar date/time file stamps all trigger it into suspecting a virus infection. Additionally, changes to the macro content of Word and Excel files are considered suspicious. Following a scan in which suspicious changes have been detected, the user is warned and, after having viewed the results, is (logically) prompted not to update the diskinfo tables with the detected changes. Subsequently, however, a peculiarity in the action that ADinf32 undertakes was noticed. Above it was noted that upon detection of freshly created files the user is prompted to scan them. Surprisingly, this same action is not recommended when the detected changes to the file system are considered suspicious. Surely a more satisfactory integration between the integrity checker and the scanner would be to enforce the scanning of suspected objects?
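The baseline/compare cycle described above, as an added example in Python; it is not DialogueScience’s code and makes no claim about how ADinf32 is implemented internally. It records size, timestamp and CRC-32 per file, classifies differences the way the review describes (new files are queued for a scan; changed ‘stable’ files and odd timestamps are suspicious), and updates the baseline only for entries a scanner has cleared, so that a scan always precedes an update. The sample files, the ‘stable’ list, the future/pre-1980 timestamp rule and the marker-string scanner standing in for DrWeb32 are all constructed for the example.

```python
import os
import shutil
import tempfile
import time
import zlib
from dataclasses import dataclass

FAT_EPOCH = 315532800  # 1980-01-01 UTC; DOS/FAT cannot represent earlier dates


@dataclass(frozen=True)
class Entry:
    """One row of the baseline ('diskinfo table'): size, mtime and CRC-32 of a file."""
    size: int
    mtime: int
    crc: int


def crc32_of_file(path, chunk=1 << 16):
    value = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            value = zlib.crc32(block, value)
    return value & 0xFFFFFFFF


def build_table(root):
    """Catalogue every regular file under root, keyed by path relative to root."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            table[os.path.relpath(path, root)] = Entry(st.st_size, int(st.st_mtime), crc32_of_file(path))
    return table


def odd_timestamp(mtime, now=None):
    """Assumed rule: a stamp in the future or before the FAT epoch counts as 'peculiar'."""
    now = time.time() if now is None else now
    return mtime > now + 60 or mtime < FAT_EPOCH


def compare(old, new, stable=frozenset(), now=None):
    """Classify differences between two tables: suspicious / changed / added / removed."""
    suspicious, changed, added = [], [], []
    for rel, entry in new.items():
        prev = old.get(rel)
        if prev is None:                       # freshly created file
            (suspicious if odd_timestamp(entry.mtime, now) else added).append(rel)
        elif prev != entry:                    # size, stamp or CRC differs
            if rel in stable or odd_timestamp(entry.mtime, now):
                suspicious.append(rel)
            else:
                changed.append(rel)
    removed = [rel for rel in old if rel not in new]
    return sorted(suspicious), sorted(changed), sorted(added), sorted(removed)


def accept_after_scan(old, new, rels, scanner):
    """Scan first, update second: only entries the scanner clears enter the new baseline."""
    accepted = dict(old)
    held = []
    for rel in rels:
        if scanner(rel):
            accepted[rel] = new[rel]
        else:
            held.append(rel)
    return accepted, sorted(held)


def demo():
    """Constructed scenario: a template and a document change, a file is added, a file is dropped."""
    root = tempfile.mkdtemp()

    def write(rel, data, mtime=None):
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(data)
        if mtime is not None:
            os.utime(path, (mtime, mtime))

    try:
        write("NORMAL.DOT", b"template v1")
        write("report.doc", b"quarterly report")
        write("COMMAND.COM", b"shell")
        old = build_table(root)

        write("NORMAL.DOT", b"template v1 + AutoOpen macro")   # declared stable -> suspicious
        write("report.doc", b"quarterly report, edited")       # ordinary edit -> changed
        write("notes.txt", b"new file with VIRUS marker")      # new file -> added, then scanned
        write("dropped.vxd", b"payload", mtime=4102444800)     # year-2100 stamp -> suspicious
        new = build_table(root)

        suspicious, changed, added, removed = compare(old, new, stable={"NORMAL.DOT", "COMMAND.COM"})

        def scanner(rel):  # stand-in for DrWeb32: the constructed marker means 'infected'
            with open(os.path.join(root, rel), "rb") as fh:
                return b"VIRUS" not in fh.read()

        accepted, held = accept_after_scan(old, new, changed + added, scanner)
        updated = sorted(rel for rel in accepted if accepted[rel] != old.get(rel))
        return {"suspicious": suspicious, "changed": changed, "added": added,
                "removed": removed, "held": held, "updated": updated}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10s} {value}")
```

The point of `accept_after_scan` is the ordering: the baseline is rewritten only for entries that have been scanned and cleared, and anything held back (here the added file carrying the marker) stays outside the table until it has been dealt with. Suspicious entries are never passed to the update step at all.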

Virus ‘Detection’ with Advanced Diskinfoscope

The use of ADinf32 as a protective measure against viral infection was then tested. Infected Word documents were copied into the My Documents directory and the diskinfo tables were updated to include these infected files. Subsequently, goat files in the same directory were infected from these documents. ADinf32 successfully detected that the macro content of the goat files and the NORMAL.DOT template had changed, and warned that this was potentially due to a macro virus infection.

Thus far, mention has only been made of Word and Excel files – this unfortunately mirrors the situation as far as DialogueScience is concerned, since at the time of writing ADinf32 does not cope successfully with PowerPoint and Access file formats. Modifying the configuration profile to associate PPT and MDB file extensions with macros made the situation worse, since the increase in total file size upon macro infection is ignored while ADinf32 attempts to parse the macro content.

As part of their replication cycle, some macro viruses deposit files on to the hard disk – e.g. W97M/Ethan.A and {Win32/W97M}/Beast (see p.6 of this issue). ADinf32 provides a useful tool for monitoring such activity, detecting these dropped files, which may otherwise be missed by anti-virus scanners, especially if they possess odd file extensions.

Boot virus infections were also successfully detected by ADinf32. Details concerning the boot sectors before and after the change are displayed, with the changes highlighted. The user has the option of restoring the original configuration, although it would be nice to have the option of scanning the boot sectors for viruses prior to this decision, since the change may be due to a legitimate reason.

DrWeb32 anti-virus scanner

Lovers of stylish logos and dramatic splash screens will not gain satisfaction from DrWeb32. The splash screen displayed upon loading is more reminiscent of early Windows 3.xx products. The program is easily controlled either by using the drop-down menus, or from the buttons on the toolbar. These buttons enable the user to view folders to scan, view scan results, show scan statistics, clear scan results, obtain updates (via a TCP/IP connection), configure setup options, or exit the program altogether.

A slight lack of attention to detail is apparent in the on-line help files supplied with the submitted product. They seem to have been written for a slightly older version of DrWeb32, since some of the screen shots lack options that have been added more recently.

Using DrWeb32

Fairly standard configuration options are offered by DrWeb32, but there is no concept of user profiles to enable specific tasks to be set up and then repeatedly performed by a single click. Instead changes to the configuration must be made manually prior to each scan.

By default, files are scanned ‘By format’, although this can be changed to ‘All files’, ‘Selected types’ (i.e. by extension) or ‘User masks’. Archives and packed executables are included in the scan, and there is an option to scan ‘E-mail files’ (although this is greyed out unless the Mail module of DSAV is also installed). Currently the product is only designed for use on workstations and so infection reports are only written to a log file and to the screen. Presumably as the product is developed to provide network functionality, remote reporting options will appear.

The action DrWeb32 takes upon finding an infection depends on whether the file is considered infected, incurable or suspicious. Options to report only, attempt cure, delete, rename or move the files in question, are provided for each of these three conditions.

As is becoming increasingly popular in anti-virus packages, a facility to obtain updates from a remote site is provided; assuming the user has a valid username and password, they can be fetched automatically (weekly or monthly) on a day of the user’s choice from the DialogueScience FTP site.

In terms of scanning speed DrWeb32 has changed little from that reported in recent Comparative Reviews, lying on the slower end of the scale relative to other anti-virus scanners. If using the DSAV package however the scanning speed of the anti-virus module is less important than that of the integrity checker, since only selected new or modified files will regularly require scanning.

SpIDer Guard provides the on-access component of anti-virus protection. Following installation and a system reboot, it is started automatically but can also be loaded from the Start Menu. An icon in the taskbar confirms that SpIDer Guard is loaded, and double-clicking the icon gives access to the configuration options. These are very straightforward and reminiscent of those for DrWeb32.

Detection Rates

Throughout recent comparative reviews, DrWeb32 has shown itself to be up there with the big names in terms of detection rates, setting an example to some major products. This time around, detection rates were excellent again. For both on-demand and on-access scanning, 100% detection against the ItW (file and boot) and Polymorphic test-sets was matched by 99.9% detection in the Standard and Macro sets. Templates infected with W97M/Boom.A.De and W97M/ZMK.F, and a Win32/Ska infected DLL file accounted for the misses during on-demand scanning. SpIDer Guard missed these samples also, as well as MDB files infected with A97M/AccessiV (A and B variants).

Conclusions

As with other similarly packaged programs that are available, the question of integration between the modular components is of particular interest. In DSAV’s case, the results suggest that integration has only been weakly implemented thus far. Notably, the package could be greatly improved by altering the way in which ‘changes’ detected by ADinf32 are handled. The issue of updating the data files (diskinfo tables) of an integrity checker with recent changes to the system is of fundamental importance to its successful operation. After all, updating the data files to include potentially infected files (essentially validating them) completely undermines such a program. It is interesting, therefore, that upon detecting (non-suspicious) changes to the system ADinf32 prompts the user to update the diskinfo tables prior to scanning the files in question with DrWeb32; the scan should come first, and only files it has cleared should be written into the tables.

Another area which needs attention is the handling of PowerPoint and Access files by the ADinf32 module. O97M/Triplicate.D made its première on the WildList last month and with the current prevalence of macro viruses this is a matter of some importance.

The developers have informed VB that extensions to the package to include a 32-bit ADinf Cure module (to aid file recovery), Windows NTFS support and network administration are under way. Coupled with the resolution of the few problems uncovered during testing, such additions will no doubt fortify what is a promising product.

Technical Details

Product: DialogueScience AntiVirus Kit.

Developer: DialogueScience Inc, 40 Vavilova St., Moscow,
117786, Russia; Tel +7 095 9382970, email sales@antivir.ru,
WWW http://www.antivir.ru/.

Availability: Windows 9x/NT, 16MB RAM & 10MB disk space.

Version Evaluated: 3.0.

Price: Annual subscription (inclusive of full updates) – $29 for ADinf32, $49 for DrWeb32. Contact distributor for multiple or site licence details.

Hardware Used: 166MHz Pentium-MMX with 64MB of RAM, 4 GB hard disk, CD-ROM drive and 3.5-inch floppy, running Windows 95, 98 and NT.

[1] Virus Test-sets: Complete listings of the test-sets used are at http://www.virusbtn.com/Comparatives/Win98/199905/test_sets.html.


VIRUS BULLETIN ©1999 Virus Bulletin Ltd, The Pentagon, Abingdon, Oxfordshire, OX14 3YP, England. Tel +44 1235 555139. /99/$0.00+2.50
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.