KRiLE and Zvi Netiv... for old times sake
- From: Dustin Cook <bughunter.dustin@xxxxxxxxx>
- Date: Thu, 03 Jun 2010 18:03:55 GMT
New and Improved: Antivirus Software
Invircible Not A Credible Anti-Virus Program
Invircible has caused a storm in the anti-virus teacup for some time
now. Its New Zealand distributor, the Virus Defence Bureau (formerly
known as Second Sight Limited) says Invircible is controversial because
it threatens the livelihood of other anti-virus vendors, claiming
Invircible '... detects all viruses at the point of propagation', and that
it 'Finds and repairs ALL viruses [sic] known and unknown.'
However, after extensive testing, NZ PC World reached the conclusion
that Invircible is a poor anti-virus program that doesn't work as
advertised and offers substandard protection against viruses. We advise
readers to avoid it.
Plethora of programs
Priced at $180 ex GST for a single-user licence, Invircible comes with a
set of 10 16-bit Dos utilities, and six 32-bit Windows 95/NT modules.
Utilities for Windows 3.x are included too, ditto a set of network
tools, but we didn't look at those for this review.
The Windows 95/NT utilities have similar, easy-to-use interfaces, but
the Dos ones vary from app to app. The Dos utilities must be used for
the Invircible virus defence strategy but all make use of poorly
documented command-line switches. (There is a text file in the
compressed archive on IV diskette 1 that explains the switches, but it
is deleted after installation.)
The Dos programs also suffer from a confusing mêlée of hot keys, pop-up
menus, <Ctrl>-key and <Alt>-key combinations, making it nigh impossible
to figure them out.
Generics not unique to Invircible
Invircible's developer, Net Z Computing, say it is based on generic
anti-virus methods. Usually, this means change-detecting software, and
integrity checkers, which compare system files and alert for
modifications. However, all features of Invircible seem 'generic'. To
quote from the sales brochure: 'At the point of installation Invircible
performs around twenty five generic tests to ensure it is being
installed to a clean environment'. The distributor never told us what
these 25 tests were, however.
Generic anti-virus technologies are nothing new or unique, despite
Invircible's developers' and distributors' claims. The first anti-virus
products were change detectors, and well-known utilities like IBM
Anti-Virus and Dr Solomon's Anti-Virus' signature scanners also use it
today. It is disingenuous of Invircible's makers to suggest otherwise.
Invircible takes a snapshot of the system during installation as a base
for its detection and restoration mechanism so it is vitally important
that the program is installed to a clean system. The crude installation
routine, consisting of self-extracting Winzip archives with Dos batch
files, runs a number of utilities to ensure the system is virus-free.
Among these is the IVZ scanner that has 900 signatures in its database
and hasn't been updated for over 30 months, according to the
distributor. Leading AV scanners detect 15,000 viruses or more in
comparison, so IVZ does little to ensure a virus-free environment for
If a virus is found, IVZ halts to display a report. However, it won't
clean the infected files, and continues the installation after the
report. Even if you abort the installation, Invircible wouldn't be able
to disinfect the system, as it doesn't come with a clean boot disk. The
manual recommends in several places that a 'third-party scanner' is used
and I think I know why.
Invircible also runs the IVX 'hyper correlator' that scans files for
virus signatures based on samples given to it. IVX uses a temporary Ini
file with the signatures of 22 viruses, but this file is deleted at the
end of installation.
Finally, IVX is run in Word macro virus detection mode, after which the
IVB integrity checker takes a 'snapshot' of system files (including ones
infected by undetected viruses) for restoration purposes. ResQDisk then
runs and backs up the master boot record and the partition sector. The
Windows utilities are installed next.
The installation routine doesn't create a rescue disk automatically
(this is done with the Dos Install program instead) and doesn't reboot
the system, without which the installation won't complete. Even after a
reboot, however, Invircible never ceased complaining about an
'Incomplete Installation'. I asked the distributor why, but never
received a reply.
Annoyingly, the Dos installation path is fixed as C:\IV, unlike the
Windows one that can be changed. A bug in the installation routine
leaves the Winzip self-extractor waiting for the Dos window to close
before the program exits and cleans up its temp files. If you close the
Winzip dialogue, a number of temp files are left on the disk.
On Windows NT 4.0 Workstation, Invircible must be installed under the
Administrator user code, with user permissions set manually. ResQDisk is
not usable under NT and IVINIT isn't run at boot up either. The program
is limited to scanning for file infecting viruses and macros under NT,
and can't check boot sectors, according to the manual.
After installation is finished, there is a green IV icon in the Windows
95 Systray. This gives access to the Macro Sweeper, the integrity
checker, a scheduler, options for the Interceptor and Watchdog resident
scanners, and also online help. The IVINIT program runs every boot-up
from Autoexec.bat, ditto the IVB (twice!) and IVX utilities. IVINIT
compares the MBR, partition sector and Cmos with three 'snapshot' files
in the root directory. I deleted these, but IVINIT simply recreated them
without warning, so a targeted attack against the fixed names of these
files would be trivial to implement for virus writers.
Documentation a shambles
A manual last revised in June 1996 accompanies Invircible and contains
nuggets like 'It is yet unsure whether the WinWord macro viruses are the
first of a kind or will remain an episode in computer's [sic] virology',
and suffers from poor proof reading. It talks about programs not
included with the Invircible suite, like IVSCAN and ResQPro, but doesn't
mention the Windows programs. The Invircible distributor says an updated
manual is available in Hebrew.
The online help files are up-to-date, both under Dos and Windows.
However, the read-me files with installation information are in Word 2.0
format, unreadable by Wordpad in Windows 95. As there will be situations
when the online help files on the hard disk won't be accessible, there
is no excuse for the substandard manual.
So Does Invircible Work?
To find out how well Invircible fends off viruses, I asked Virus
Bulletin, the respected UK anti-virus publication to test it. For
further information on Virus Bulletin, email editor@xxxxxxxxxxxx or surf
The Virus Bulletin ran IVZ against its 852-virus test set of file
infectors. IVZ detected a mere 53 of these, a detection rate of
approximately 6.22%. Of the total set, 172 viruses were represented in
the January 1998 Wild List, and IVZ detected 29 of these, or 29%. Both
results are extremely poor. IVZ fared better against the 87 In-the-Wild
boot sector viruses in the Virus Bulletin test set. It spotted 61, for a
detection rate of roughly 70%. However, IVZ missed some of the most
common ones like Stoned, Ripper, NYB and WelcomB.
Virus Bulletin also tested IVINIT with six boot viruses that IVZ missed:
Baboon, Bye, Chinese_Fish, Crazy Boot, Cruel and WelcomB. Two of the
most common boot viruses, Form.A and Junkie were also used.
With Bye, IVINIT warned that the partition sector was stealthed, and
prompted to replace the MBR using Invircible's See Thru (direct IDE port
access) technique, and asked to reboot the computer. Afterwards the disk
was disinfected. The Crazy_Boot and WelcomB infections followed similar
Baboon made IVINIT flash a '1KB of Dos memory missing!' warning, but
confusingly, also 'No virus activity detected in memory'. The default
option was to Quit and continue booting. This left the system with an
active, infective virus. The Cruel infection followed the same modus
operandi. In both cases, ignoring the default option and restoring the
MBR disinfected the system.
Chinese_Fish rendered the test system unbootable, so ResQDisk was used
from a floppy. After finding the right key combination to press in
ResQDisk's cluttered interface the system was restored. ResQDisk offers
little advice for situations like these so novice users would have
difficulties knowing what to do.
The common Junkie virus is poorly written and corrupts the Dos 7.x
command.com because it ignores the fact that it is actually an Exe-style
program. (Invircible's distributor said Junkie trashes Win.com instead.)
The system won't boot from the hard disk, and IVINIT can't run. It's not
described anywhere, but you need to whip out ResQDisk, restore the boot
record and then use IVB to restore Command.com.
Virus Bulletin staff observed that during the Form.A infection, IVINIT
reported '2KB of Dos memory missing!' but also said, 'The hard disk is
infected with a boot infector!' a clear virus indication for a change.
However, on acknowledging the message, IVINIT said 'No Virus activity
detected in memory!' and 'The Master Boot Sector is intact!' and exited.
The VB tester was unable to do anything as Windows 95 started up with
Form.A active and infectious. This is a major bug in IVINIT. Using
ResQDisk restored the boot sector, but an average user wouldn't know to
use it in this situation.
Add-ons asked for
The distributor claims that earlier versions of Invircible detected and
removed a particularly nasty virus, One Half, when it first appeared in
New Zealand. I infected a system with One Half, and this time, IVINIT
detected the virus by its name, but said to use 'XONEHALF' to disinfect
the system. ResQDisk said the same.
One Half encrypts a varying number of sectors on your disk, so generic
restoration is impossible, hence Invircible's reticence. XONEHALF, a
utility not written by Invircible's developers, is not included with the
program. It can be downloaded from Invircible's Web site, a poor
solution if One Half has whacked your hard drive. The Monkey virus is
also handled by a separate utility, available at the Web site.
I also infected a Compaq Deskpro with the common virus Da'Boys. Due to
Compaq's non-standard disk partitioning it wrote itself to the boot
sector of the diagnostics partition, rendering it unbootable. IVINIT
didn't notice this infection, but ResQDisk said, 'Could be a virus!'
when coaxed to look at the diagnostics boot sector, where the text
string 'DA'BOYS' was clearly visible. The manual suggested procedure for
restoring the boot sector didn't work. When I tried it, a message
saying: 'This function only supported in RESQPRO!' popped up. RESQPRO is a
separate utility, priced at $US299, according to the Invircible Web
site. I asked Invircible's distributor about this, and was told 'both
ResQDisk and the ResQPro can recover from this'. The distributor
suggested 'changing the partition parameters', which didn't work either.
File infectors given free rein
Two integrity checkers are provided with Invircible to handle file
infectors: the Dos IVB and the Windows IVB32. When run, the integrity
checkers compare files to 66-byte 'snapshot' signature files said to
contain all the information necessary to restore them. These 'snapshots'
can be renamed and stored off-line, but they can be deleted without any
reaction from IVB/IVB32.
To see whether Invircible could detect any virus, prevent its
propagation and restore the infected files as promised, I used the KRiLE
virus. KRiLE attacks executables in the PATH variable, encrypting the
first 5,696 bytes of it. Because of Invircible's lack of memory-resident
protection, KRiLE was able to infect as many files as it liked. These
included the Invircible Dos programs, unfortunately. The Dos and Windows
integrity checkers showed that some executables had grown by 5696 bytes,
and gave me the option of restoring them. Both programs claimed success,
but executing the restored files showed that they didn't work.
An email from the Invircible developer, Zvi Netiv, confirmed that this
is how the program works. Invircible doesn't prevent virus infections,
it only tries to recover from them. Files infected by non-overwriting
infectors stand a better chance of being recovered by IVB/IVB32. Without
testing each and every virus on the Wild List it's hard to say exactly
what the chances are. However, it is safe to say that Invircible does
not 'find and repair all viruses known and unknown'. (On a side note,
IVB restored virus infections to several files that had been disinfected
by other AV utilities.)
False alerts galore
Software upgrades had IVB/IVB32 putting up copious amounts of false
alerts as it detected the new files. Messages like 'Winword.exe:
modified, increased by xxxxx bytes. Probably a new version' pop up,
leaving it to you to decide if it's a virus or not. Sometimes the
'probably' doesn't appear so users could easily end up with
non-functional systems due to mistaken restoration attempts of
IVB/IVB32 can revalidate all the new files automatically, but that could
mean missing infected files - permanently. In the end I asked myself:
'why bother with all this?' A good on-access scanner from would have
prevented the infections, and saved huge amounts of time. For day-to-day
protection against file viruses, Invircible simply doesn't cut it.
Sweeping Macro Protection
Invircible's Word macro detection seems to have abandoned the generic
approach in favour of scanning, based on simple heuristics (that is,
rules). Resident on-access protection is also provided. This is because
it would be impossible to restore infected documents generically the way
IVB does with program files.
No Access virus protection
Four utilities handle Word macro viruses: the Macro Sweeper on-demand
scanner, the Watchdog on-access scanner for Word, and the Interceptor
on-access scanner for other applications. Also, IVX can be used to
detect macros with the /mac switch.
The Macro Sweeper scanner can investigate files with non-standard
extensions and handles Word documents embedded in, say, an Excel
workbook. It had no
problems detecting and deactivating a great variety of Word Basic
viruses, but threw up six false positives or 'Suspicious Template'
alerts against legitimate macros on the Office 95 CD.
Strangely enough, Invircible ignored Word 97 macro viruses like Steroid,
and so-called up-converted viruses (Word 97 automatically converts Word
Basic macros to the VBA 5 format). A Word 95 document with only the word
'AutoOpen' in it and saved as a template file with a *.dot extension
was flagged by the Invircible macro utilities as a 'suspicious template'.
Even though there were no macros in the template, the Invircible
utilities offered to deactivate them, and claimed success if you let
them. This was repeatable with files containing the names of common Word
virus macros like 'Wazzu', 'Bandung', 'CAP' and 'Concept'.
Further, changing a document template file's extension to *.doc caused
Invircible to flag it as an 'Active Document' and prompted to deactivate
it. This is a blunderbuss approach to Word macro viruses that catches
innocent documents in the process. That Invircible ignores infected Word
97 documents points to the programs assuming the older Word 6/7 format,
which is different from the Word 8 file format.
Upgrading to a newer version of Office overwrites the Watchdog macros
installed into Word's NORMAL.DOT template, but Invircible doesn't
The Excel macro virus protection won't work unless the included
IVEXCEL.XLS worksheet is loaded manually or at installation. It looks
for two strings, 'Laroux' and 'PLDT' - the names of two viral VBA
modules. IVEXCEL also takes over the OnWindow, OnSheetActivate, and
OnSheetDeactivate VBA events, which meant that undetected viruses like
Robocop and Don that don't use the above VBA modules couldn't replicate
(but their payloads were intact). Legitimate macros depending on the
aforementioned events won't work either. You've been warned.
Pros: None significant
Cons: Average user will find interface difficult and confusing, poor
documentation, and low virus detection rate
Value: A disjointed and ineffective collection of utilities that fails
to live up to its sales claims
Price ex GST: $180
Phone: Virus Defence Bureau, 0-9-366 1593
Are you a former BBSer? Want to go back in time to the old days of
ANSI and Renegade? Fire up telnet and go here then: ttb.slyip.com
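As an added example (not Invircible's code and not from the reviewer), the change-detection approach the review describes, generalised slightly: the baseline manifest is sealed with an HMAC so that a deleted or regenerated snapshot file is detected instead of being silently recreated, and modified files are reported with their growth in bytes. The key, file names and file contents are constructed for the demonstration.

```python
import hashlib
import hmac

# Added example, not Invircible's code: a minimal change-detecting integrity
# checker of the kind the review describes, run over a constructed in-memory
# "file system" (dict of path -> bytes). Key, paths and contents are made up.
KEY = b"baseline-key-kept-on-the-rescue-disk"  # assumption: stored off-line

def _serialize(entries):
    return "\n".join(f"{p} {s} {h}" for p, (s, h) in sorted(entries.items())).encode()

def snapshot(files):
    """Record size and SHA-256 of each file and seal the manifest with an HMAC,
    so a deleted-and-recreated or edited baseline can be told from the original
    (fixed-name snapshot files that are silently regenerated cannot be)."""
    entries = {p: (len(b), hashlib.sha256(b).hexdigest()) for p, b in files.items()}
    mac = hmac.new(KEY, _serialize(entries), "sha256").hexdigest()
    return {"entries": entries, "mac": mac}

def verify_manifest(manifest):
    expected = hmac.new(KEY, _serialize(manifest["entries"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])

def check(files, manifest):
    """Compare current files with the baseline. Modified files are reported with
    their growth in bytes (the symptom seen after the KRiLE infection). The
    baseline is never rewritten here; revalidation is a separate, deliberate step."""
    if not verify_manifest(manifest):
        raise ValueError("baseline manifest missing or tampered; refusing to trust it")
    base = manifest["entries"]
    report = {"modified": {}, "new": [], "missing": [p for p in base if p not in files]}
    for path, data in files.items():
        if path not in base:
            report["new"].append(path)
        elif hashlib.sha256(data).hexdigest() != base[path][1]:
            report["modified"][path] = len(data) - base[path][0]
    return report

def demo():
    """Constructed scenario: one program grows by 64 bytes with its head scrambled,
    an unknown program appears, and a tampered copy of the manifest is rejected."""
    files = {"C:/DOS/COMMAND.COM": b"MZ" + bytes(100), "C:/IV/IVB.EXE": b"MZ" + bytes(200)}
    manifest = snapshot(files)
    infected = dict(files)
    infected["C:/IV/IVB.EXE"] = bytes(x ^ 0x5A for x in files["C:/IV/IVB.EXE"]) + bytes(64)
    infected["C:/IV/NEWTOOL.EXE"] = b"MZ"
    tampered = {"entries": snapshot(infected)["entries"], "mac": manifest["mac"]}
    return check(infected, manifest), verify_manifest(tampered)
```

Running `demo()` reports the grown file with its 64-byte increase and the new file, and rejects the manifest whose entries were regenerated without the key.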