Virus-Prevention NLMs

August 1994 / Reviews / Virus-Prevention NLMs

Seven convenient and effective programs that defend against the threat of computer viruses

When virus prevention is handled strictly from the workstation, protection is only as good as its weakest point--be it lax security, the disabling of workstation protection, or the passing of files to the network without first checking for viruses during the file-copy process. Thanks to its built-in security, Novell NetWare is a much safer environment than individual workstations. It minimizes virus infection by using the operating system's internal security measures.

For instance, loading the SERVER.EXE file on the server machine clears the system memory and then lets you work from a NetWare partition, effectively diminishing the problems of boot-sector viruses and file viruses residing in server memory. In addition, viruses cannot infect files to which the originating user does not have modify or write access. Also, NetWare's virus control is effective and virtually tamperproof; no known NetWare-specific viruses have been discovered.

However, network usage contributes to the virus problem by providing viruses with a means of storage and transport: Copying files to a network and giving users unlimited access to directories containing executable files gives viruses an opening through which to infect individual workstations. As the computing world becomes increasingly interconnected through LANs, wide-area links, the Internet, on-line services, and other external connections, corporations are becoming ever more vulnerable to the threat of computer viruses.

Virus-prevention NLMs (NetWare loadable modules) provide an extra layer of virus protection to network systems. Because NLMs load first and cannot be disabled by casual users, they provide administrators with an effective tool for combating virus infections.

Evaluation Criteria

NSTL evaluated five NLMs as tools for virus prevention. In addition to these full-featured workstation and NLM products (Central Point Anti-Virus for NetWare, Command Software Systems' Net-Prot, Ontrack Computer Systems' Dr. Solomon's Anti-Virus Toolkit for NetWare, McAfee's NetShield, and Symantec's Norton AntiVirus for NetWare), we also looked at Cheyenne's InocuLAN and Intel's LANDesk Virus Protect for comparison purposes. Both of these network-only products provide TSR programs for workstation protection, but they lack the depth of workstation features, such as integrity checking, found in the other products.

At a minimum, NLMs should offer the ability to scan immediately (i.e., they should be user driven), schedule a scan for off-peak hours, and perform real-time scanning (i.e., check files as they copy or execute). NLMs should also be compatible with other NLMs, have little impact on network performance, and offer a full range of management features, including reporting and alerting options. Dr. Solomon's Anti-Virus Toolkit, a limited NLM without real-time scanning capability, is included in this evaluation based on the strength portrayed by its companion workstation product.

Protection Against Viruses

A multilayered defense is mandatory for protection against computer viruses, be they file infectors, boot infectors, multipartite viruses, stealth viruses, polymorphic viruses, or Trojan Horses. The most common type of defense is scanning, a method of handling viruses that is reactive: By the time a virus is detected, it has already managed to infect files. Scanning is versatile because the user can look for virus signatures (known code strings) or scan files using algorithmic rules, ranging from complex heuristic techniques to string matching, before confirming a virus's identity.

Integrity checking, another reactive method, requires an initial active step. The user inoculates or validates the files by having the virus-prevention program compute a validation code called a fingerprint (a value calculated with CRCs [cyclic redundancy checks] or more complex checksums) for each file. Once these fingerprints have been calculated, the user can have the program recalculate the values at any time to ensure that the file has not changed. This procedure does not work well for self-modifying executable files, however, because every legitimate run changes the fingerprint.
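The inoculate-then-validate cycle described above, as an added example that is not code from the review or from any of the products it covers: it fingerprints executables with CRC-32 (via zlib), stores a baseline, and on validation reports changed, added and missing files. The .EXE/.COM file list and the sample directory tree are constructed assumptions.

```python
import zlib
from pathlib import Path

EXECUTABLE_SUFFIXES = (".exe", ".com")  # assumed file set; the reviewed NLMs use their own lists


def fingerprint_bytes(data):
    """CRC-32 of a byte string, masked to an unsigned 32-bit value."""
    return zlib.crc32(data) & 0xFFFFFFFF


def fingerprint(path):
    """CRC-32 'fingerprint' of a file, fed in chunks so large files need little memory."""
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def inoculate(root, suffixes=EXECUTABLE_SUFFIXES):
    """Initial active step: record {relative path: fingerprint} for every executable under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def validate(root, baseline, suffixes=EXECUTABLE_SUFFIXES):
    """Recalculate fingerprints and compare them with the baseline.

    'changed' is the integrity-checking signal: any byte change, including one made by
    a file infector, alters the CRC.  Executables that legitimately rewrite themselves
    (the self-modifying case the text warns about) show up here on every run and have
    to be excluded from the baseline by the administrator.
    """
    current = inoculate(root, suffixes)
    return {
        "changed": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def demo():
    """Constructed sample tree: inoculate, then alter, add and remove files, then validate."""
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "APPS").mkdir()
        (root / "APPS" / "WP.EXE").write_bytes(b"MZ" + b"\x90" * 100)
        (root / "APPS" / "README.TXT").write_bytes(b"not an executable, not fingerprinted")
        (root / "CMD.COM").write_bytes(b"COM file body")
        baseline = inoculate(root)

        # Any modification to a fingerprinted file, however small, changes its CRC.
        with open(root / "APPS" / "WP.EXE", "ab") as f:
            f.write(b"\x00\x01")
        (root / "NEW.EXE").write_bytes(b"MZ")
        (root / "CMD.COM").unlink()
        return validate(root, baseline)


if __name__ == "__main__":
    print(demo())
```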

A more proactive virus-detection method known as monitoring, or behavior blocking, is designed to stop viruses before they infect a file. Monitoring employs a TSR module that scans a file before it executes to see if it is infected (thus stopping further infection), checks the file with its validation code before it executes, and looks for virus-like behavior. Such behavior may include terminating but staying resident, working beneath typical DOS calls (e.g., writing directly to the hard disk), attempting to change executable files, and attempting to change file attributes.

The access-control virus-prevention technique works by denying users the ability to write to certain disks, directories, and boot tracks. Hardware-control and password-protection programs are good examples of this type of virus prevention.

Performance

For this review, we defined NLM performance as the overhead required when an NLM is loaded and monitoring files. For example, a score of 10 seconds on our benchmark tests means that the tested procedure was delayed by 10 seconds because of the virus-prevention activity. Products that add less delay time boast better performance.

Our benchmarks measure this time in two general categories. In the first, a small two-node network with one workstation copying over 500 files to the server measures the raw speed of the NLM while it has the server's full attention (i.e., nothing else is running on the network). In the second category, performance degradation is measured on a larger 32-node network with heavy traffic, with the server being utilized to the fullest.

Scanning speeds differ among the products but have no bearing on performance. All the products allow the user to schedule a scan at any time; thus, a scan can be scheduled to take place in the middle of the night, on a weekend, or when network usage is known to be low.

Net-Prot, Norton AntiVirus, and InocuLAN allow the user to enter a maximum CPU utilization rate that, when reached, causes the product to suspend virus scanning to allow other applications to access more of the server's resources. Dr. Solomon's Anti-Virus Toolkit and NetShield allow network administrators to enter a priority number that slows scanning and enhances performance by entering delays between file scans. Although the latter option is a plus, the former is a more useful feature, as it allows the NLM to make full use of the server CPU when it's available and then suspend operation, instead of slowing down, when utilization of the server peaks.

The best option is to go with a lean, fast NLM, and Net-Prot fits the bill. The program uses only 46 KB of RAM for the NLM itself and allocates approximately 60 KB for the tests that we ran. It uses two threads, and its performance is fast. Only Dr. Solomon's Anti-Virus Toolkit required less time for our tests to run, but it does not have real-time scanning capability. Thus, it just sits in memory, waiting for a scheduled scan to begin. Net-Prot really differentiated itself on the Heavy Load benchmark, recording speeds that were four to five times faster than those of its nearest competitors.

Quality

The quality tests evaluated the programs' ability to detect infected files. Using a list of 1953 infected files provided by the National Computer Security Association (10 South Courthouse Ave., Carlisle, PA 17013, (717) 258-1816; fax (717) 243-8642), we ran the scanner to identify infected files and attempted to copy the infected files to the server with the real-time scanning capability invoked. The number of infected files detected gauged product effectiveness; however, the number of files that a product flags changes frequently as vendors update their virus-signature files to incorporate new viruses and virus strains.

All the programs except Net-Prot give excellent protection against viruses. Net-Prot caught a good number of viruses, but fewer than the other programs did. Its sibling workstation product, F-Prot Professional (which comes bundled with the NLM), catches many more viruses than the NLM does. In fact, when we ran the quality tests on the bundled F-Prot package, F-Prot caught more viruses than any of the other NLM products.

Net-Prot's lower virus-catching capability should be no cause for concern, however, because research shows that the 10 most common viruses account for 80 percent to 95 percent of all infections. Net-Prot catches the most common viruses, and F-Prot Professional provides more in-depth scanning (as well as impressive heuristic scanning for suspicious files).

Management

Management of programs and the alerts they generate is an important NLM feature. When an alert is received on a workstation, the user knows where it is coming from. In a network environment, however, the administrator must know where an infection occurs in order to isolate a department, a set of computers, or a set of files and quickly eradicate a virus before it becomes an epidemic. Reporting features must be able to quickly merge all virus-detection information for the entire enterprise and allow the administrator to manipulate that information.

Central Point Anti-Virus did the best job at management. It provides a wealth of options for reporting, updating, and gathering virus-detection information. The program also provides the best enterprise-wide management, allowing cross-server updating and gathering of virus-detection data from other servers and workstations.

When the number of workstations on a network reaches into the hundreds, it becomes impossible for the administrator to go to each workstation and update signature files and configure products. All the products reviewed except Norton AntiVirus either automatically update signature files or compare the files and update all instances of the virus-prevention package with the latest-dated file. Central Point Anti-Virus, Net-Prot, LANDesk Virus Protect, and InocuLAN also let the administrator configure all nodes from one location. Central Point Anti-Virus, LANDesk Virus Protect, and Norton AntiVirus can also update other servers automatically from a central server.

All the programs provide audit files or log files so the administrator can determine where and when any infections take place. Central Point Anti-Virus, Norton AntiVirus, and LANDesk Virus Protect provide the most in-depth reporting capabilities. These programs allow the administrator to determine which information goes in the report and permits the searching, sorting, and filtering of data according to date, virus name, and other criteria. NetShield and Dr. Solomon's Anti-Virus Toolkit have simple audit logs that can be viewed, printed, or saved to a file. Net-Prot's reporting features are somewhat limited, as a file can be saved only as an ASCII file and cannot be printed from the program.

Another important aspect of protecting against viruses is the alerting of users and administrators. User alerts are achieved by broadcasting a message that a file is infected. Alerting the administrator is more difficult, however. All the reviewed products broadcast virus alerts and allow the administrator to determine a list of users to receive such alerts. Central Point Anti-Virus, Norton AntiVirus, LANDesk Virus Protect, and InocuLAN all have the ability to send an E-mail message to the designated person upon detection of a virus in addition to broadcasting alerts. Central Point Anti-Virus, Norton AntiVirus, and InocuLAN can also be set up to send a beeper message. InocuLAN can send a fax notification for the enterprise-wide accounting of virus detection.

LANDesk Virus Protect will alert the network administrator about any infections that occur when an infected workstation is not logged on. Central Point Anti-Virus will alert the administrator if the infected user is logged off but the network drivers remain loaded. Both of these programs notify the administrator of infections when he or she logs on, and both can define domains (i.e., more than one server) for scanning. Central Point Anti-Virus communicates alerts from server to server for a truly centralized account of virus activity over a WAN (wide-area network).

Other Features

The most important feature in a virus-prevention NLM is three-pronged scanning capability: manual or on-demand, scheduled, and real-time. Reporting, alerting, and performance issues are also very important. Other features, such as integrity checking, full-featured workstation products, scanning Macintosh files, and virus cleaning, are desirable but not as important.

Central Point Anti-Virus includes the entire Macintosh workstation product with the NLM, so the product not only scans Macintosh files on the server but also protects Macintosh workstations. Norton AntiVirus, LANDesk Virus Protect, and InocuLAN also provide scanning capability for Macintosh files on the server.

Central Point Anti-Virus, Net-Prot, and NetShield bundle their workstation products with the NLM. NetShield now includes printed documentation for the workstation version as well. Note that the products from Central Point Software and Command Software Systems scored the highest overall ratings for virus prevention for single systems, and both of these companies bundle these products with their NLMs.

Although compressed infected files will not infect other files until they are decompressed, an NLM that scans inside compressed files can catch such infected files while they reside on the server. Otherwise, many files might be compressed, copied to the network, copied to another workstation, and then decompressed, bypassing the network's security guards entirely. Net-Prot, NetShield, and LANDesk Virus Protect can all scan certain types of compressed files.
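Signature scanning as described under "Protection Against Viruses", extended to look inside compressed files as this paragraph recommends, as an added example that is not code from the review or from any of the products it covers. The two signature strings, the default file list, the ZIP-only archive support and the sample volume are constructed assumptions; archive members are inflated in memory only, and members that are skipped (too large or nested too deeply) are reported rather than silently passed.

```python
import io
import zipfile
from pathlib import Path

# Constructed signatures for illustration only (name -> byte string a scanner looks for).
# Real products ship vendor-maintained signature files; these two strings are made up.
SIGNATURES = {
    "Demo.Appender": b"DEMO-SIG-APPENDER-1",
    "Demo.Boot": b"DEMO-SIG-BOOT-A",
}
SCAN_SUFFIXES = {".exe", ".com", ".sys", ".ovl"}  # assumed default file list
ARCHIVE_SUFFIXES = {".zip"}
MAX_DEPTH = 2                # how many nested archive levels to open
MAX_MEMBER_BYTES = 16 << 20  # refuse to inflate members larger than this


def scan_bytes(data, signatures=SIGNATURES):
    """Return the sorted names of all signatures whose byte string occurs in data."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def scan_tree(root, signatures=SIGNATURES):
    """Scan every file under root.  Returns (hits, skipped): hits is a list of
    (relative name, [signature names]); skipped lists archive members not examined."""
    root = Path(root)
    hits, skipped = [], []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            _scan_named(p.relative_to(root).as_posix(), p.suffix.lower(), p.read_bytes(),
                        signatures, 0, hits, skipped)
    return hits, skipped


def _scan_named(name, suffix, data, signatures, depth, hits, skipped):
    if suffix in ARCHIVE_SUFFIXES and zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            skipped.append(name)  # nested too deeply: report it rather than pass it
            return
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_name = f"{name}:{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    skipped.append(member_name)
                    continue
                # Inflated in memory only; nothing is written to disk, so an infected
                # member is examined without ever being decompressed onto the server.
                _scan_named(member_name, Path(info.filename).suffix.lower(), zf.read(info),
                            signatures, depth + 1, hits, skipped)
    elif suffix in SCAN_SUFFIXES:
        found = scan_bytes(data, signatures)
        if found:
            hits.append((name, found))


def demo():
    """Constructed sample volume: a clean EXE, an infected COM, a text file carrying a
    signature string (not scanned: not an executable) and a ZIP with an infected member."""
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "CLEAN.EXE").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "BAD.COM").write_bytes(b"\xe9" + SIGNATURES["Demo.Appender"] + b"\xc3")
        (root / "NOTE.TXT").write_bytes(SIGNATURES["Demo.Boot"])
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("TOOLS/GAME.EXE", b"MZ" + SIGNATURES["Demo.Boot"])
            zf.writestr("README.TXT", b"harmless")
        (root / "UPLOAD.ZIP").write_bytes(buf.getvalue())
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```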

New Versions

New versions of three of these programs will be released by the time you read this. Unfortunately, they were not available in time to be tested for this review.

Central Point Anti-Virus for NetWare 2.5 will include a feature called CentralCommand, which allows the network administrator to centrally configure and manage virus protection on networked Windows workstations. It will also enable the administrator to remotely clean infected workstations. A Workstation Sentry feature will provide transparent virus protection and scheduled scanning for Windows workstations. Version 2.5 will also forward alerts to NetControl, expand LANAlert support, check the version of the signature file automatically, and then update the signature file to the current version. In addition, it will have improved compatibility with Novell's new client SDK (software development kit) and add EMS 2.0 support, making it compatible with all versions of PC Tools for Windows.

Version 1.25 of Net-Prot will be able to scan specific volumes, update other servers, and update configurations from server to server. The new version will also greatly expand the alerting features, adding the ability to alert the administrator even if an infection occurs while the affected workstation is not logged on to the network, the ability to alert the network administrator via pager or fax, and server-to-server communication of alerts.

Version 3.0 of InocuLAN will add domain support so that modifications made to the master server's configuration will automatically establish each member server's default configuration. The audit logs of each member server will upload to the master server, thus centralizing the monitoring of possible virus infections. Reporting features allow you to query the data using such criteria as file server, date, and time.

The new version will also include both DOS and Microsoft Windows managers, enabling supervisors to perform administrative tasks from their workstations. The program will add a full Windows interface for graphical access to all functionality. InocuLAN 3.0 will also allow an administrator to designate file servers to automatically download virus-signature files from Cheyenne Software's BBS.

NSTL Recommendations

The workstation version of Central Point Anti-Virus has only one glaring weakness: performance (it finished third). But because it has excellent usability and the best quality and most features of the products we reviewed, it captured the top overall position for virus-prevention NLMs. It offers the utmost in enterprise-wide virus prevention and management, allowing the administrator to configure workstations and other servers from a central server and gather virus alerts from any server or workstation and put them on a central server. The product's quality is top-notch, and its only usability flaw is the difficulty involved in attempting to learn the myriad options provided.

Net-Prot provides the best performance by requiring the least amount of server degradation. It also provides excellent usability, good versatility, and good quality. It requires the least system resources of any of the reviewed products, making it the product of choice if system resources are your primary concern.


The Facts



Central Point Anti-Virus for NetWare 2.0
$1199 per NetWare license; free download of updated virus signatures from BBS
Central Point Software, Inc.
15220 Northwest Greenbrier Pkwy.,
Suite 150
Beaverton, OR 97006
(800) 964-6896
(503) 690-8088


Dr. Solomon's Anti-Virus Toolkit for NetWare 1.03
$640; quarterly updates for virus signatures, $95
Ontrack Computer Systems, Inc.
6321 Bury Dr.
Eden Prairie, MN 55346
(800) 752-1333

(612) 937-1107


InocuLAN 2.5d
$495 for up to 25 user servers; $995 for unlimited servers (includes unlimited workstation managers); free download of updated virus signatures from BBS or CompuServe forum for one year
Cheyenne Software, Inc.
3 Expressway Plaza
Roslyn Heights, NY 11577
(800) 243-9462
(516) 484-5110


LANDesk Virus Protect 2.1
$995 for a single server; free download of updated virus signatures from BBS
Intel Corp.
734 East Utah Valley Dr.
American Fork, UT 84003
(800) 538-3373
(801) 763-2200


Net-Prot 1.24
$995 for 25 users; free download of updated virus signatures from BBS
Command Software Systems, Inc.
1061 East Indiantown Rd.,
Suite 500
Jupiter, FL 33477
(800) 423-9147
(407) 575-3200


NetShield 1.6
$595 for first server; virus-signature upgrades free with two-year license
McAfee Associates, Inc.
2710 Walsh Ave.,
Suite 200
Santa Clara, CA 95051
(800) 866-6585
(408) 988-3832


Norton AntiVirus for NetWare 1.0
$995 per server; free download of updated virus signatures from BBS
Symantec Corp.
10201 Torre Ave.
Cupertino, CA 95014
(800) 441-7234
(408) 253-9600




Overview: Virus-Prevention NLMs



NSTL Rating  Product                           Version  Performance  Quality  Versatility  Ease of Learning  Ease of Use  Price
****         Central Point Anti-Virus          2.0      #            #        #            #                 #            $1199
****         Net-Prot                          1.24     #            #        #            #                 #            $995
****         Norton AntiVirus                  1.0      ##           #        ##           #                 #            $995
***          LANDesk Virus Protect             2.1      ###          #        #            #                 ##           $995
***          NetShield                         1.6      ###          #        #            #                 #            $595
**           InocuLAN                          2.56     ###          #        #            #                 #            $495
*            Dr. Solomon's Anti-Virus Toolkit  1.03     #            ###      ##           ###               ###          $640


Key
*****   Outstanding             #       Good

****    Excellent               ##      Fair
***     Average                 ###     Unacceptable
**      Below average
*       Poor




Highlights



Central Point Anti-Virus
Strengths       Catches the most viruses.
                Alerts administrators via broadcast, E-mail, and pager.
                Best at maintaining virus protection across multiple servers.
Limitations     Loads eight modules.
                Cannot configure from the server console.
                Scheduled scanning could be easier.


Dr. Solomon's Anti-Virus Toolkit
Strengths       Little server-performance degradation.
                Caught a good percentage of infected files.
                Excellent virus encyclopedia.
Limitations     No real-time scanning.
                Doesn't check Macintosh files.
                Limited reporting features.


InocuLAN
Strengths       Caught a good percentage of infected files.
                Alerts administrators via broadcast, E-mail, fax, and pager.
                Stops scanning at user-specified CPU-utilization level.
Limitations     Slow performance.
                High server-resource requirement.
                No integrity-checking or file-validation capability.


LANDesk Virus Protect
Strengths       Caught a good percentage of infected files.
                Scans compressed files.
                Alerts administrator of infections even
                   if infection occurs while off-line.
Limitations     Configuring options is tedious.
                Cannot configure from the server console.
                No integrity-checking or file-validation capability.


Net-Prot
Strengths       Little server-performance degradation.
                Stops scanning at user-specified CPU-utilization level.
                Scans compressed files.
Limitations     Cannot configure from the server console.
                Limited reporting features.
                Doesn't check Macintosh files.


NetShield
Strengths       Caught a good percentage of infected files.
                Can configure from workstation or server console.
                Scans compressed files.
Limitations     Slow performance.
                High server-resource requirement.
                Doesn't check Macintosh files.


Norton AntiVirus
Strengths       Caught a good percentage of infected files.
                Alerts administrator via broadcast, E-mail, and pager.
                Stops scanning at user-specified CPU-utilization level.
Limitations     Requires Microsoft Windows to configure.
                Cannot configure from the server console.
                Cannot password-protect NLM configuration.




Table: NLMs Software Roundup (This table is not available electronically. Please see August, 1994, issue.)
Illustration: Graph: NLM Performance The NSTL performance benchmarks measure the delay of executing files when the antivirus NLM is scanning the files as they execute. All times are in seconds; lower numbers indicate faster performance. The Light Load benchmark copied 594 files in 22 directories from a workstation to the server, measuring the raw speed of the NLM. In the first iteration, the product's default file list was used; in the second iteration, only EXE and COM files were scanned, forcing the NLMs to scan the same number of files. The Heavy Load benchmark used a 32-node network with the server being utilized to the fullest. Unlike the other products tested, Dr. Solomon's Anti-Virus Toolkit does not perform any real-time scanning, so the program just sits in memory, waiting to perform a scheduled scan. InocuLAN could not complete the Heavy Load test because of sharing violations. NSTL believes this problem occurs because of the concurrent hitting of a single file and InocuLAN's inability to quickly scan the file and then release it.
Illustration: Real-time scanning slows the server because the NLM must immediately stop the file being executed to check for viruses. Such performance delays can be minimized by limiting the scan to specific extensions. All the NLM products reviewed have this capability. Shown here is the top-rated Central Point Anti-Virus for NetWare.
Illustration: All the antivirus NLMs let you schedule a scan at any time. For example, a scan can be scheduled in the middle of the night, on a weekend, or when network usage is known to be low. Shown here is Norton AntiVirus for NetWare.
