User's guide

VIRUS BULLETIN, Page 24, August 1991

©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139. This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers.
Figure 2. In contrast to most scanning programs, ProScan, upon detecting a virus infection, provides cursory information about the offending culprit.

‘Disinfection’ Capability
Each time an infection is discovered, a menu-box appears with four options: ‘Continue checking’, ‘Remove virus’, ‘Info on virus’ and ‘Stop checking’. The removal option produced some interesting results. When instructed to remove an infection of the Amstrad virus, ProScan reported that the virus had been successfully removed and that the file size had been reduced from 384 to 64226 bytes. When ProScan had completed its scan, I checked to see the exact state of this ‘disinfected’ file. Sure enough, the Amstrad-infected file had genuinely grown from 384 bytes to 64226! [This failure was caused by ProScan misidentifying the virus as one of Amstrad’s 847 byte variants. Tech. Ed.] Moreover, a file infected with the Advent virus continued to contain this infection after the file was reported to have been successfully ‘disinfected’ by ProScan.
Virus disinfection is an inexact art which requires an intimate knowledge and understanding of each virus and the ability to identify it exactly and in all instances. Unfortunately, ProScan is unable to disinfect virus infections reliably and this removal option should only be used with extreme caution.
As a warning to end-users of virus ‘disinfection’ software it should be pointed out that ProScan is by no means unique in failing in this way - anomalous ‘freak’ results have been recorded time and time again with so-called ‘disinfection’ programs (unreliable disinfection software will be the subject of an article currently in preparation for VB). The secure way to recover from a parasitic virus infection is to overwrite infected files, delete them with the DOS DEL command, and restore from trusted write-protected master software.
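The two failures described above (a file that grows after a reported removal, and a file left byte-for-byte unchanged after a reported removal) are both detectable by a simple before-and-after audit that never trusts the cleaner's own size report. The following is an added example, not code from Virus Bulletin or from McAfee's ProScan: it fingerprints each file (size plus SHA-256) before a cleaner runs, fingerprints again afterwards, and classifies the result; where a hash of the trusted write-protected master is available, it also confirms that a shrunken file actually matches the master. The file names, sizes and padding bytes in run_demo() are constructed to mirror the review's observations and are not real virus samples.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file."""
    data = Path(path).read_bytes()
    return len(data), hashlib.sha256(data).hexdigest()


def snapshot(paths):
    """Fingerprint every file in an iterable of paths, keyed by path string."""
    return {str(p): fingerprint(p) for p in paths}


def audit_disinfection(before, after, trusted=None):
    """Classify what a cleaner really did to each file.

    before / after: dicts from snapshot(); trusted: optional dict of
    path -> sha256 of the known-clean master copy of that file.
    Verdicts:
      UNCHANGED            bytes identical: the 'removal' did nothing
      GREW                 file is larger than before: wrong variant applied
      MATCHES_MASTER       file now equals the trusted master: genuinely clean
      DIFFERS_FROM_MASTER  smaller, but not the master: still suspect
      SHRANK_UNVERIFIED    smaller, no master available to confirm
    """
    trusted = trusted or {}
    verdicts = {}
    for path, (size_b, hash_b) in before.items():
        size_a, hash_a = after[path]
        if hash_a == hash_b:
            verdicts[path] = "UNCHANGED"
        elif size_a > size_b:
            verdicts[path] = "GREW"
        elif path in trusted and trusted[path] == hash_a:
            verdicts[path] = "MATCHES_MASTER"
        elif path in trusted:
            verdicts[path] = "DIFFERS_FROM_MASTER"
        else:
            verdicts[path] = "SHRANK_UNVERIFIED"
    return verdicts


def run_demo():
    """Constructed scenario (not real virus samples) reproducing the
    three outcomes a reviewer can observe after a cleaner reports success."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        master = b"M" * 384                      # constructed 384-byte clean host
        master_hash = hashlib.sha256(master).hexdigest()
        # 'Infected' files are modelled as the host with junk appended.
        start_state = {
            "amstrad.com": master + b"A" * 847,
            "advent.com": master + b"B" * 2000,
            "good.com": master + b"C" * 100,
        }
        trusted = {}
        for name, data in start_state.items():
            (root / name).write_bytes(data)
            trusted[str(root / name)] = master_hash
        before = snapshot(root.iterdir())

        # Simulated cleaner results: one file balloons, one is untouched,
        # one is correctly restored to the master image.
        (root / "amstrad.com").write_bytes(b"X" * 64226)
        (root / "good.com").write_bytes(master)
        after = snapshot(root.iterdir())

        verdicts = audit_disinfection(before, after, trusted)
        return {Path(p).name: v for p, v in verdicts.items()}


if __name__ == "__main__":
    for name, verdict in sorted(run_demo().items()):
        print(f"{name:12s} {verdict}")
```

The audit deliberately ignores whatever the cleaner prints; it compares bytes on disk, which is the only evidence that matters. A GREW or UNCHANGED verdict is a signal to fall back on the recovery route the article recommends: overwrite, delete, and restore from the write-protected master.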
When ProScan detects a virus, the user can access information about it; this is essentially the same option as the ‘Virus info’ choice in the Options menu, except that information is restricted to the virus discovered.
.OV?, .PRG, .DAT, .BIN and .SYS extensions. (See Figure 1.) These latter extensions can be toggled on and off. Additional extensions can be included by the user. Wildcard characters (‘*’ and ‘?’) are accepted. You can also delete unwanted extensions using the Delete key.
The Report sub-menu sets up the report type, allowing ‘none’, ‘detailed’ (details of all files checked) or ‘short’ (details of infections found), and the file or device name that is to receive the report.
Unlike other McAfee products, you can obtain information about each of the viruses that ProScan claims to detect. When ProScan starts up, it reads the contents of PRO-INFO.TXT and uses this to provide cursory descriptions of the various viruses.
You can access information about any of the viruses ProScan knows about from within the Virus Info choice in the Options menu. (See Figure 2.)
Accuracy Rating
For details of the virus test-suite and testing protocols employed, see VB April 1991, p.8 and June 1991, p.34.
ProScan neither checks its own integrity nor performs any memory checks. The shareware programs produced by McAfee Associates incorporate basic integrity checking methods (see VB, May 1991, p.11) to prevent unauthorised modification once they are released into general circulation. Since ProScan is circulated by more secure means, this precaution was presumably considered unnecessary.
ProScan detected 270 of the 365 parasitic infections and six of the eight boot sector infections. These results are partly due to the fact that the version submitted for review (2.24) was created on 21st May 1991. Also, given the international makeup of the VB virus test suite, it is possible that some of the strains used have yet to be analysed by the program’s authors.