No More #*!$ Viruses

At last - at last!

November 25th, 1995 -- Someone has at last brought a return to sanity in
providing protection against PC viruses. I refer to a new product called
No More #*!$ Viruses released by R.G. Software in Scottsdale, Arizona.

Evaluating anti-virus products has long been a problem and it is very easy
to pick holes in most products. When a product comes along that offers a
genuine, sensible and effective solution to a major part of the problem it
becomes extremely difficult to know just where to start. If it is so
simple, why didn't someone think of it before? If it is so effective, why
is the problem still with us? To attempt an answer to these questions let
me begin with a brief analysis of the problem ...

The difficulty with computer viruses has always been that protection and
recovery from their effects has required technical skill beyond the
capacity of most users. The ideal solution from the point of view of the
anti-virus vendors would be to put a product on every PC that provided
limited protection for the user with no risk of any action for damages if
it failed to detect a virus. In order to maintain the market, the product
(and the threat) should be infinitely upgradeable, thus forcing users into
a continuous payment scheme for every PC that they operated.

This Holy Grail was the Anti-virus Scanner program which was designed to
scan for virus code every time you switched on your machine. The user buys
it together with an initial period of upgrades. He uses it and it finds a
virus, all well and good. However, if he has a virus problem even while
using it, a complaint to the vendor can be met with: "Ah! That's a new
virus - it will be covered in our next upgrade". As the end of the upgrade
period approaches, the user must re-subscribe to maintain his defence and
thus becomes part of the endless circle generating wealth for the product
vendor. This does not mean that anti-virus scanners are a bad thing. They
have an important place in identifying virus code in order that users can
be given accurate advice on how to deal with an outbreak, but they should
not be the first line of defence nor should they be installed on every
computer.

The ideal solution from the user's point of view would be a magic program
which he could fit and forget. Once installed it would provide 100%
protection against all possible viruses forever, without ever bothering
him about the problem again. Unfortunately, this could only be achieved by
completely isolating each machine and thus destroying one of the most
powerful capabilities of modern computing - its inter-connectivity. The
malicious little morons who write virus code are well aware of this and
continue to capitalize on it.

Somewhere between these two ideals there has to be an acceptable median.
Until now, most anti-virus vendors have insisted that they know best and
have continued to promote the "scanners for all" approach that they know
and love. I reckon that this situation is about to change and my reasoning
goes like this:-

If you were in a battle, defending your position against attacks by an Army
and an Air Force, you would seek all means to protect yourself. Shooting
individual attackers as they approached would be A Good Thing but consider
the costs of replenishing your ammunition on a regular basis and upgrading
your armour to withstand new attack weapons. Now one of your guys invents
a magic raygun that disables all the opposing aircraft. This doesn't end
the war but it does remove at a stroke a large part of your defence
problem!

No More #*!$ Viruses represents just such a magic raygun: it doesn't win the
war but it will surely nullify a large part of the problem! So I'll tell
you how I see it ...

The PC virus threat can usefully be divided into two parts - Boot viruses
and Parasitic viruses. Although the Boot type account for less than 2% of
the total number of known viruses, they produce more than 50% of reported
virus attacks. No More #*!$ Viruses successfully nullifies all Boot sector
viruses by simply knowing exactly what the system boot arena should look
like and repairing it if it becomes compromised. During nearly 10 years of
research in this field I have collected samples of over 6000 viruses of
which 73 are boot sector types. I tried all of these in attempting to
infect a machine protected by No More #*!$ Viruses. Not one of them
succeeded. I then tried altering single bits within the boot arena and
this too was detected and repaired. On Boot Sector Viruses, this product
provided 100% protection and short of actually targeting this product I
cannot conceive of a boot sector type that could penetrate its
protection!!! I have waited nearly 10 years to be able to say that about
any antivirus product.

So how do you use this magic raygun?

The product is shipped on a single 3.5" disk and is accompanied by a well
written 63 page manual. Installation took me just 3 minutes on my standard
machine and was never longer than 6 minutes on other hardware and software
configurations that I tried. This included the time needed to create the
clean boot disk which is an integral part of the installation process. I
opted initially for the automatic repair facility since this is how I
think anti-virus software should operate - quietly, without trumpeting.
Once installed, I hit it with everything I could and got nowhere. I
infected machines with Boot Sector viruses, Partition Sector Viruses,
Multipartite viruses and even some Parasitic viruses. I installed a new
version of DOS, I built multi-boot systems, I even installed Windows 95.
None of these seemed to affect No More #*!$ Viruses and it faithfully
detected and repaired all attempts at system subversion.

Because this product is so deceptively simple and does not produce pretty
marching columns of file names each time you run it, don't be misled into
thinking that it is in any way trivial. This software is very
sophisticated and was able to detect system subversion even when I
introduced it at the very lowest level. During the tests I had no problems
with false positives and no clashes with any of the wide range of
investigative software that I use. No More #*!$ Viruses is now permanently
installed on my main development and investigation machines.

So far, this evaluation reads like something written by an advertising
copywriter and it is my experience that glowing tributes of this nature
are rarely reliable. With this in mind I tried to think of and test for
all the possible situations that a user might meet during normal computing
activity. The results were interesting in that they were all mentioned in
the manual.

No More #*!$ Viruses completes all of its activity during the boot phase of
a machine's activity. It leaves nothing in memory to monitor any
subsequent system activity and cannot therefore detect the activity of any
virus or trojan which may be introduced to the system later. However, in
most cases it will detect and repair the results of such activity when the
machine is next switched on.

Since the primary boot process is completed before No More #*!$ Viruses
begins its checks, any damage or corruption caused (for example by a virus
triggering) during this time cannot be repaired. I am aware of five boot
sector viruses which have a slight risk of corruption during their initial
infection phase - none of these is particularly common and they do not
represent a significant threat. For this reason alone I would recommend
installing No More #*!$ Viruses in a mode which will report when an
infection is found in order that users can verify the integrity of their
system if it happens. I did deliberately set a machine date to 6th March
(after first installing No More #*!$ Viruses) and then infected it with
the Michelangelo virus. The virus triggered during the infection stage and
wiped out much of the disk content including the anti-virus protection.
However, the clean boot disk enabled me to gain access to the damaged disk
and while it did not recover the destroyed data it greatly reduced the
time taken to collect what was recoverable and eased the process of
re-configuration.

For a number of years I have assisted the Metropolitan Police Computer
Crime Unit at New Scotland Yard in identifying and tracking computer virus
attacks. During such work it is vital that I have samples of the viruses
for analysis. In the recent case of the Crown versus Christopher Pile (the
infamous "Black Baron") an important part of the prosecution case centered
around the inclusion of infection generation numbers within the virus
code. This evidence was instrumental in getting Pile sent to prison for
his activities and could not have been gained without detailed sample
analysis. When I first examined the methodology of No More #*!$ Viruses I
was a little worried that during its repair phase it might be completely
destroying evidence of a virus attack and thus make it virtually
impossible to track down the nature and source of the infection. This is
not the case: a sample of the intruding code is saved in a non-executable
format and - just as important - an incident log is maintained to indicate
just what occurred and when. All of these capabilities are mentioned in
the manual which itself is quite unusual in its honest and straightforward
presentation of the virus problem.
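The mechanism described above (record what the boot arena should look like, compare it at every boot, repair or merely report, and keep a non-executable copy of the intruding bytes plus an incident log) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not R.G. Software's code and makes no claim about how their product stores its baseline. It assumes a constructed single 512-byte boot area, a baseline kept as a hex image with a SHA-256 digest, and hypothetical function names (`take_baseline`, `check_and_repair`, `demo`). It also reproduces the review's single-bit alteration test and the report-only mode recommended earlier.

```python
"""Boot-area integrity model: baseline, check, repair or report, quarantine, log.

Constructed example for this page, not the product's own code. The "boot
area" here is a single 512-byte sector built inline so the script runs offline.
"""
import hashlib
from datetime import datetime, timezone

SECTOR = 512  # assumption: the boot arena is modelled as one 512-byte sector


def constructed_boot_area() -> bytes:
    """A constructed, clearly labelled stand-in for a known-good boot sector."""
    body = b"CONSTRUCTED SAMPLE BOOT AREA - not executable code"
    return body.ljust(SECTOR - 2, b"\x00") + b"\x55\xaa"


def take_baseline(boot_area: bytes) -> dict:
    """Record the known-good image and its digest at install time."""
    assert len(boot_area) == SECTOR, "baseline must cover the whole boot area"
    return {"image": boot_area.hex(),
            "sha256": hashlib.sha256(boot_area).hexdigest()}


def changed_bits(a: bytes, b: bytes) -> int:
    """Count differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def check_and_repair(current: bytes, baseline: dict, *, repair: bool,
                     quarantine: list, log: list, now: str = "") -> bytes:
    """Compare the current boot area with the baseline taken at install.

    Returns the bytes the boot area should hold afterwards: the baseline image
    when repair=True and a change was found, otherwise `current` unchanged
    (report-only mode). Every detection is logged, and the suspect bytes are
    stored as hex text only, so the quarantined copy can never be executed.
    """
    stamp = now or datetime.now(timezone.utc).isoformat()
    digest = hashlib.sha256(current).hexdigest()
    if digest == baseline["sha256"]:
        log.append({"time": stamp, "event": "ok"})
        return current
    expected = bytes.fromhex(baseline["image"])
    quarantine.append({"time": stamp, "sha256": digest, "hex": current.hex()})
    log.append({"time": stamp, "event": "modified",
                "bits_changed": changed_bits(current, expected),
                "action": "repaired" if repair else "reported"})
    return expected if repair else current


def demo() -> dict:
    """Run the two checks the review describes: a bit flip and a full overwrite."""
    clean = constructed_boot_area()
    base = take_baseline(clean)
    quarantine, log = [], []

    # 1. Single-bit alteration of the boot area, automatic-repair mode.
    flipped = bytearray(clean)
    flipped[100] ^= 0x01
    after_flip = check_and_repair(bytes(flipped), base, repair=True,
                                  quarantine=quarantine, log=log, now="boot-1")

    # 2. Entire sector replaced by foreign (constructed) bytes, report-only mode.
    foreign = (bytes(range(256)) * 2)[: SECTOR - 2] + b"\x55\xaa"
    after_foreign = check_and_repair(foreign, base, repair=False,
                                     quarantine=quarantine, log=log, now="boot-2")

    return {"clean": clean, "after_flip": after_flip, "foreign": foreign,
            "after_foreign": after_foreign, "quarantine": quarantine, "log": log}


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

The digest comparison is what makes a one-bit change as visible as a wholesale replacement, and keeping the quarantined copy as hex text preserves the evidence the review cares about without leaving anything bootable on disk. In report-only mode the function deliberately hands back the modified bytes untouched, so the user sees the incident before any repair is made.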

In the course of my research I have met many corporate users who complain
about the continuing problem of updating their anti-virus protection. In
some instances they could have as many as 70% of their machines always at
least three months out of date because of the sheer time involved in
installation. No More #*!$ Viruses doesn't need upgrading and this is a
major cause for celebration amongst these large users. In the real world
this represents a very real and worthwhile solution.

There is, however, one problem which this product is likely to cause for me and
anyone else involved in trying to bring the virus writers to book ... In
English Law, the severity of a crime is often closely linked to the actual
damage that it causes. This was confirmed in the Black Baron trial and the
lack of reported damage prevented the ARCV perpetrators from being
prosecuted. If everyone installed No More #*!$ Viruses, the amount of
damage and consequential loss and inconvenience from Boot Sector Viruses
would drop to negligible proportions and in England this would mean little
chance of prosecution for the virus writers. It saddens me that there may
be virus writers who will NOT be strung up by their thumbs - but maybe
I'll have time to help catch other, more vicious villains.

Conclusions

This is not an unsolicited testimonial - I was asked for an opinion on this
product by R.G. Software. However, I am delighted to see such an excellent
product appear in a field which has never had a particularly high
reputation for honesty and quality. I cannot speak highly enough of this
product and I will be buying more of No More #*!$ Viruses to protect my
other machines. Without hesitation I urge everyone else to do likewise.
Individuals will benefit from its simplicity and reliability and corporate
users will save millions in time and money from its no nonsense solution
to a large part of the virus problem.

Ray Glath and his team are to be congratulated; this is a real
breakthrough. I look forward to the possibility of a similar ground
breaking approach to parasitic viruses. Other vendors should take note,
once word gets around they may lose a significant number of their golden
geese.

Jim Bates - November 1995
 
 =========================================================
 From the 'New Product News' Electronic News Service on...
 AOL (Keyword = New Products) and Delphi (GO COMP PROD)
 =========================================================
 This information was processed from data provided by the
 company/author mentioned. For additional details, please
 contact them directly at the address/phone# indicated.
 Trademarks are the property of their respective owners!
 =========================================================
