REVIEWS

Taking The Measure Of NetWare Antivirus Software

We tested seven NetWare-based anti-virus products in our San Mateo lab. Each had a combination of client software and an NLM that did real-time, on-demand and scheduled scanning. We tested how effective they were in detecting viruses and the overhead their real-time scanning engines imposed.

Intel and Symantec had complete virus protection solutions, with excellent client support and good enterprise management and alerting. They had all the bells and whistles. Command Software's F-PROT Professional/NET-PROT NLM had the best performance scores and consumed the least amount of memory on the server. It's mainly geared for smaller LANs or sites that don't need much centralized administration, however. It's fast, simple and effective.

Intel LANDesk Virus Protect 3.0

LANDesk Virus Protect 3.0 proved itself to be the most well-rounded product for the dollar. It offers a complete solution, at a reasonable price, with plenty of features. This version is vastly improved, with better performance and scanning technology. It identified 80 percent of our sample viruses. Virus Protect is one component of Intel's LANDesk management suite and can use some of its other components, such as the Alert Management System (AMS). If you've installed LANDesk, Virus Protect will use the existing AMS installation.

Layers of Protection

Virus Protect's Integrity Shield is a second layer of file protection on top of NetWare's, similar to McAfee's Network Security. You can designate certain files and directories to protect from modification. While some may consider this a duplication of what you can get from NetWare, it's easy to use, and it can be turned on and off dynamically.

In addition to Integrity Shield, Intel uses two different file integrity checksum methods: It calculates RSA Data Security's Message Digest Algorithm (MD5) and a Critical Data Snapshot (CDS), which records information about key regions of the file, and stores those values in the NetWare file system. Using two file integrity values makes it more difficult for a virus to alter or corrupt these values. For outgoing files, if there has already been a complete scan and you've selected the CDS option, the real-time scanner only compares the CDS values and doesn't do a pattern-based check, which increases performance.

Intel provides reasonable centralized management, letting you configure and organize servers in domains. It's the only product, besides Norton AntiVirus, that is NetWare 4.1 NDS-aware, and it will install into your NDS tree. However, it lacks the ability to configure different workstation settings centrally based on NetWare groups, as EliaShim and Cheyenne do. It can, though, download, install and update workstation files using a DOS program in your login script (as can all these anti-virus programs).

Along with Cheyenne's InocuLAN and Central Point's Anti-Virus, Virus Protect offers one of the most complete sets of alerting mechanisms, making it better suited for larger environments. Alerting is done via AMS, which provides a centralized alerting system that supports MHS, MAPI, VIM, paging, fax (requires Intel NetSatisfaction), SNMP traps and NetWare broadcasts. This capability includes considerable customization. You can customize reports via the Windows-based ReportTool application. Before you can use ReportTool, you have to export the data from the log files into a format ReportTool understands. Once exported, you can sort and filter that data, as well as graph it in 2-D or 3-D. No other product had such sophisticated reporting.

Examining Quirks

We found one very annoying peculiarity. When scheduling a scan and then selecting the option to scan only a certain directory, Virus Protect took a long time to bring up the server directory--much longer than any of the other products. This is because Virus Protect searches and retrieves the whole volume directory structure, instead of only the top-level directories. Intel is looking into resolving this.

On the other hand, Virus Protect has the unique ability to merge the local workstation and server log files automatically when users log in. This lets you receive information about virus activity on machines not attached to the server--especially ideal for mobile users. Macintosh workstations are supported. However, the Macintosh client only allows for identification, not eradication, as the Cheyenne, Central Point and Norton products do.

Norton AntiVirus for NetWare

Norton's AntiVirus for NetWare has excellent overall performance and plenty of features. However, its pricing model is a major downfall. Norton says the next version will combine features from Norton and Central Point. This should be a strong offering if they can integrate Central Point's enterprise management features with the flexibility and client support of AntiVirus.

AntiVirus did fairly well on our Windows load test, adding 27 percent overhead on the server. It also found 76 percent of our test viruses, placing it on par with Cheyenne and EliaShim. Norton's administration capabilities are adequate. It doesn't allow you to group servers into domains, which would let you administer lots of servers with different configurations. However, you can monitor and update other servers via a Windows application, making it better suited for smaller LANs, or where servers are not centrally administered. AntiVirus also fully supports NetWare 4.x NDS. Like Intel LANDesk Virus Protect, it can manage NDS objects, such as users and servers. AntiVirus cannot automatically download virus patterns as Cheyenne's InocuLAN can. However, it can distribute pattern files to individual servers, or to all servers on the network, making updates a little less time consuming.

AntiVirus can route workstation-generated alerts to the server for more advanced notification, such as paging, MHS or NetWare broadcast. It also has the unique ability for an infected server to log in to a different server to notify users who aren't connected to the infected server. Its client support is the best of this bunch. While AntiVirus lets you run reports on individual servers from a central console, there is no way to run one report that includes data from all the servers. We found the ability to apply filters to the various logs very helpful, because it let us see only the events pertaining to a particular user or a certain class of events. These filters are available in both the server and workstation software.

Extending Protection

AntiVirus includes real-time server scanning, as well as on-demand and scheduled server volume scanning. You can schedule these events using the Windows control program on any server AntiVirus can see. Symantec documents the SAP types it uses, making it easier for you to configure your routers properly to pass or filter these SAPs. Additionally, AntiVirus creates checksums for files and stores them as extended attributes in NetWare. These extended attributes move with a file if you use the NetWare NCOPY command. Using other copy programs that don't copy a file's extended attributes under NetWare means the checksum must be recreated. Using NetWare's extended attributes doesn't necessarily protect any better than an encrypted database, but it does force the virus writer to have a good understanding of NetWare.

AntiVirus offers the most complete suite of workstation components. DOS and Windows components monitor for virus-like activity and enable on-demand workstation scans. You also get Symantec AntiVirus for Macintosh. There is no native OS/2 application.
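To illustrate the two-value integrity approach described above (Intel's MD5 plus key-region snapshot, and checksums kept apart from the file's own bytes as Norton does with extended attributes), here is a constructed Python model; it is added here and is not code from the article or from any of the products reviewed. The store names, the snapshot layout and the sample file are all assumptions.

```python
import hashlib
from typing import Dict

# Two independent integrity stores, modelled on the article's description:
# one value kept with the file's metadata (extended-attribute style), the
# other in a separate database. A virus that rewrites only one of them leaves
# the two stores disagreeing, which is itself a detectable signal.
# Everything below (names, formats, sample files) is constructed for illustration.

ATTR_STORE: Dict[str, str] = {}      # file name -> whole-file MD5 (extended attribute)
SNAPSHOT_STORE: Dict[str, str] = {}  # file name -> key-region snapshot (separate database)


def full_digest(data: bytes) -> str:
    """First value: MD5 of the whole file."""
    return hashlib.md5(data).hexdigest()


def key_region_snapshot(data: bytes, head: int = 64, tail: int = 64) -> str:
    """Second value: file length plus digests of the first and last bytes.
    The real CDS layout is not described in the article; this one is assumed."""
    return "%d:%s:%s" % (
        len(data),
        hashlib.md5(data[:head]).hexdigest()[:16],
        hashlib.md5(data[-tail:]).hexdigest()[:16],
    )


def baseline(name: str, data: bytes) -> None:
    """Record both values once a full scan has declared the file clean."""
    ATTR_STORE[name] = full_digest(data)
    SNAPSHOT_STORE[name] = key_region_snapshot(data)


def verify(name: str, data: bytes) -> str:
    """Classify a file on access by comparing it against both stores."""
    if name not in ATTR_STORE or name not in SNAPSHOT_STORE:
        return "unbaselined"        # e.g. copied without its attributes: full scan, then baseline()
    attr_ok = ATTR_STORE[name] == full_digest(data)
    snap_ok = SNAPSHOT_STORE[name] == key_region_snapshot(data)
    if attr_ok and snap_ok:
        return "clean"              # the slower pattern-based check can be skipped
    if attr_ok != snap_ok:
        return "store-tampered"     # exactly one store matches: a stored record was rewritten
    return "modified"               # both disagree with the file: the file itself changed


def demo() -> Dict[str, str]:
    """Constructed scenario: an untouched file, a changed file, and rewritten stores."""
    prog = b"MZ" + bytes(range(256)) * 4            # constructed stand-in for an executable
    baseline("APP.EXE", prog)
    results = {"untouched": verify("APP.EXE", prog)}
    changed = prog[:-32] + b"\x90" * 32              # constructed: trailing bytes overwritten
    results["file changed"] = verify("APP.EXE", changed)
    # Only the metadata copy is rewritten to match the changed file:
    ATTR_STORE["APP.EXE"] = full_digest(changed)
    results["one store rewritten"] = verify("APP.EXE", changed)
    # If both stores are rewritten the check passes; that is the residual risk
    # the article notes ("more difficult to get to, but not impossible").
    SNAPSHOT_STORE["APP.EXE"] = key_region_snapshot(changed)
    results["both stores rewritten"] = verify("APP.EXE", changed)
    return results
```

The "store-tampered" result is the case a single-value scheme such as a CRC in one hidden file cannot distinguish from a clean file.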
AntiVirus can scan PKZIP files via the workstation utility, but not via the server-based real-time or scheduled scanner.

Central Point Anti-Virus 2.5 for NetWare

Central Point's Anti-Virus for NetWare has potential. It's a strong product with well-written documentation, but it has some major flaws. It does, however, provide the kind of centralized support and configuration capabilities that would make it ideal for a centralized multiserver LAN environment. Central Point provides complete workstation software for DOS, Windows and Macintosh. According to Symantec (which now owns Central Point), there won't be a future version of this product. Instead, Symantec will release a new product that will combine the capabilities of Norton AntiVirus and Central Point Anti-Virus.

It did poorly on our virus detection test. The real-time scanning engine received average marks in our Windows load test, with an overhead of 27 percent. The CRC value is stored in a hidden file on the server. There are currently viruses that can attack the hidden file and change the value so that when the application scans the file and checks the CRC, it does not detect the presence of the virus. Strategies like the ones Intel uses--two different file integrity values, or storing the value in the NetWare file system--make CRC values more difficult to get to, but not impossible.

The product is easy to use and offers a complete centralized system for alerts using the Central Alert applications, which can notify multiple users via pager (numeric and alphanumeric), broadcasts, MHS or SNMP. If centralized administration and management are your top priorities, Central Point Anti-Virus is the ideal product--once the bugs are worked out. The CentralCommand program displays all the workstations running the Sentry TSR in Windows (unfortunately, there is no comparable DOS product). From here, you can initiate a scan of the local hard disk, and you can stop that scan and make a variety of changes to the workstation's configuration.

Limited Scope

There are two notable bugs, however: CentralCommand's inability to "see" workstations not on the local segment and its inability to see more than eight workstations at a time as Sentry-enabled. Central Point has acknowledged these two problems, but gave us no date for when a fix will be available. With a little work, you can compensate for these problems. Central Point also lets you group servers into domains for easy administration.

Command Software Systems F-PROT Professional v2.17

"Lean and mean" best describes F-PROT Professional from Command Software Systems. If you have NetWare servers, NET-PROT, the server NLM component (as opposed to F-PROT, the workstation virus protection program), is included free. While it doesn't have all the bells and whistles some other products do (such as multiserver management applications, centralized server administration and sophisticated alerting options), NET-PROT does what it is supposed to do--catch viruses. At $9.50 per user for large sites, it can be very affordable, and only Cheyenne matches Command Software's 24-hour support. It was by far the best performer on our Windows load test, imposing a 6 percent overhead--way below any other. It also takes up very little memory on the server (only 135 KB of cache buffers).

The NET-PROT configuration utility comes only as a DOS-based application, like EliaShim's, and while it's adequate, it doesn't offer the same flexibility and customization that the Windows-based tools from Intel, Symantec, Cheyenne or Central Point do. You can configure the real-time scanning, which will scan files that are being read, written to or executed from the server. Scheduled scanning is also available. On-demand scanning can be scheduled via the server console screen, but no other options are available.

Virus alerting is not a strength of NET-PROT. It can only send out Novell 25th-line messages. Once a virus is found, the file can be moved, renamed, deleted or disinfected. NET-PROT is one of three products (along with EliaShim and Cheyenne) that lets the server component attempt to remove the virus from the infected file--a useful feature that allows the product to operate unattended.

Workstation Components

As with Intel's product, NET-PROT uses a special LOGIN.COM that lets you load TSRs into workstation memory without losing a considerable amount of RAM. We didn't test this claim, but we found no problems using the new login program. Workstations can be denied server access if the workstation real-time scanning TSR isn't loaded. The process executes a command in the login script that checks for the existence of the TSR and returns an error level if it's not there. Based on that error level, the user could be logged out, for instance. While this is not as sophisticated as some of the other applications, such as Cheyenne InocuLAN's Enforcement feature, it does work.

EliaShim Microcomputers ViruSafe

ViruSafe, like the McAfee and Command Software offerings, is really geared for small or medium-sized networks. Its server management and alerting capabilities are not as robust as the other products', making it less than ideal for large installations that require advanced forms of notification. It also lacks a Macintosh client. ViruSafe did well in our performance tests, incurring 30 percent overhead without calculating checksums for the various Windows executables, and 16 percent with checksums.

Just the Basics

ViruSafe consists of a full-featured workstation antivirus application, an NLM that's responsible for on-demand, scheduled and real-time scanning, and ViruSafe LAN, which provides the tools for monitoring and administering servers and workstations. All of the network management and configuration utilities are DOS utilities and are easy to use, but we would have preferred a Windows component as well.

ViruSafe does have a real-time file server-based scanner, but it only works when the workstation TSR is loaded. This is the only program that requires the workstation component to do server-based, real-time scanning. When a file is either executed or copied on the server or the workstation, the TSR checks to see if there is a checksum for that file (these checksums are stored in a file in each directory). If there is, and no changes have been made, the operation continues. If there is no checksum, or if the checksum has changed, the file is sent to VS.NLM on the server for checking. While this does bring higher performance, it can leave a serious hole in the system if a user logs into the network and somehow unloads the TSR.

There are no controls for ViruSafe from the NetWare console screen, which can be important when there are no workstations available to log in with, or if you want to perform a scan without any workstations attached to the server. All job scheduling and configuration is done via DOS utilities. The system can be configured to download a copy of ViruSafe to local hard disks and to update local files whenever a user logs in. NetWare groups aren't supported.

ViruSafe lacks some alerting bells and whistles, such as paging support, SNMP traps or unified error log files. Only under NetWare 3.11 does EliaShim write to the Novell error log. Otherwise there are only 25th-line broadcast alerts, or alerts sent to a particular server running EliaShim's notification TSR. This aspect of ViruSafe was the weakest among all the products.

Cheyenne InocuLAN 3.0

InocuLAN's ability to integrate with Cheyenne's ARCserve for NetWare backup product, and its very aggressive pricing, make it a good choice for those who want to buy multiple administration tools from a single vendor--namely, Cheyenne. When used with ARCserve, the backup software can initiate a virus scan before backing up the file. InocuLAN didn't do well on our Windows load test, adding 62 percent overhead. It consumed more than 1 MB of cache buffers. It did fairly well on the virus detection test, identifying 76 percent of the viruses.

InocuLAN provides comprehensive protection against viruses by not only having real-time virus scanning and scheduled scanning, but also letting you log workstations off the network if the workstation antivirus TSR is not loaded. While this Enforcement feature seems effective, it wasn't 100 percent reliable in our tests. Cheyenne indicated that it hasn't seen these problems, but was unable to resolve ours by press time.

InocuLAN, like Intel and Central Point, lets you group servers into logical domains, for more centralized server management. You can report on all the servers in the various domains. InocuLAN is unique in that the server can automatically download the latest pattern file and distribute it to other servers in a domain. This can help automate the process, but there's no way to make sure the new pattern file has been downloaded safely. It's often better to download the newest pattern file manually and verify its ability to detect viruses before rolling it out to the enterprise.

Cheyenne's alerting application passes on InocuLAN-generated alerts via pager, fax (you must use Cheyenne's FAXserve), SNMP, NetWare broadcast, MHS or printer (there's no support for PostScript printers). All supported client platforms, including Macintosh clients, can generate alerts. We had problems getting the alert application to work, especially the pager feature. However, Cheyenne has a new version, 3.0, which is a free upgrade available via Cheyenne's BBS or FTP sites. This version adds alphanumeric paging and MIBs for HP OpenView and Novell NMS ManageWise. We were still unable to get version 3.0 paging to work, or determine the cause, by press time. Cheyenne informed us that some of the NetWare drivers aren't 100 percent reliable. Workstation installs can be done over the network without a third-party software distribution product, although a little setup is involved.

McAfee NetShield

NetShield v2.11 is a simple product, ill-suited for a large multiserver environment where enterprise management is critical. While it did well on our virus detection test, its real-time I/O performance would be a major hindrance on most servers. According to McAfee, its next version (2.2) will be significantly faster and will have more enterprise management features, such as NetWare 4.1 NDS support, Global MHS support, a Windows-based console and enhanced security functionality.

NetShield provides several methods to secure the server. It can monitor inbound and/or outbound server traffic and provides a basic CRC facility that keeps the CRC values in a database on the server. Its Network Security function, which is very similar to Intel's Integrity Shield, can be used to restrict write operations on select groups of files, providing an additional layer of file integrity above NetWare's. Keep in mind, of course, that some viruses are actually written to interrogate and corrupt those CRC values.

You can configure McAfee's ViruShield workstation product (not bundled with NetShield) to send alerts to the server for further processing, but that is where the integration stops. There are no tools that allow automatic workstation file installation or updating. For alerts, NetShield supports the standard NetWare broadcast to a select list of users, messages sent to the server console and entries in a log file. It also supports Novell MHS and pagers (numeric messages only). It will page several users, if necessary. NetShield was the only product without a workstation management utility. All configuration happens at the server console. There, configurations can be stored in files, so that you can use different configurations by merely specifying the correct file when loading the NLM. There's no multiserver management to speak of, except automatically updating other NetShield servers. It does this by keeping a list of which NetShield servers have which version, via NetWare SAPs. But it won't let you logically group servers to send out these updates.

Antivirus NLMs Put To The Test In The Labs

We tested using several client stations, some running DOS 6.2 and others DOS 5.0, on an isolated 10-Mbps Ethernet network, with a NetWare 3.11 server (we ran all the latest NetWare patches because several of the products required the latest CLIB.NLM and several other core NLMs) running Btrieve NLM version 6.15. All the clients were running the NETX 3.32 shell.

We tested real-time performance overhead by measuring the amount of time it took to load Windows 3.1 and 12 Windows applications from the network while the real-time scanner was loaded, comparing the numbers to loading the applications without scanning. Our numbers represent a worst-case scenario. We tested five times, flushing the NetWare cache between each test, and took the average score. The numbers only represent performance in our very static environment.

Our virus detection test ran a scheduled scan against the server with 829 infected virus files--a mix of polymorphic, multi-partite and stealth viruses, some of which are in the wild and some that are very rare. We tested three times to validate the results. We received and verified the virus files from a private, outside source. While this test does provide some insight into how well a product will catch a known virus, it does not rate the product's ability to find mutations of polymorphic viruses. We ran the memory usage test by subtracting the amount of cache buffers available before and after loading each product, as reported by Novell's Monitor utility.

How To Catch A Virus--Just For Testing

Viruses are not readily available. Every antivirus vendor follows an unwritten code of conduct not to distribute viruses. We had an independent source who had been collecting viruses over the years from a variety of sources. A short list of common viruses, sometimes called viruses "in the wild," is available on CompuServe in the NCSA forum. Most virus attacks are caused by 15 to 20 viruses. The other thousands of viruses are either very rare or only found in academia.

How do you tell if a virus scanner is effective? How do you test to see if it can find mutation viruses and their offspring? You have to make the mutation virus multiply, verify that each offspring is truly a virus, then run the scanner against it and determine the percentage of viruses found. There is no way to measure definitively the effectiveness of an antivirus scanner. No antivirus product is 100 percent reliable. Still, one that employs a variety of methods is more likely to catch a virus than one that uses only one strategy.

Jay Milne can be reached at jmilne@nwc.com. September 15, 1995