BKBVRTPR.RVW   20000822

"Bigelow's Virus Troubleshooting Pocket Reference", Ken Dunham, 2000,
0-07-212627-2, U$19.99/C$31.95
%A   Ken Dunham antivirus.guide@about.com
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2000
%G   0-07-212627-2
%I   McGraw-Hill Ryerson/Osborne
%O   U$19.99/C$31.95 510-548-2805 800-227-0900
%P   267 p.
%T   "Bigelow's Virus Troubleshooting Pocket Reference"

Apparently somewhat before Dunham started work on this volume, he also
started a mailing list of virus information.  This mailing list names a
number of viruses, but provides no details, protective strategies, or
understanding of the basic antiviral concepts.  Much the same is true
of the book.

In the very first paragraph of the book proper, we are told that
computer viruses were explored by many people in the 1960s and 1970s
(although many such claims are made, I've never, in thirteen years of
research, found documented evidence of any such research), and that
Fred Cohen formally defined viruses in a security experiment in 1983
(so trivial a mention of his pioneering work being almost insulting).
Subsequent sentences have unsupported dates, idiosyncratic definitions,
and claims and opinion presented as fact.

Ironically, the most accurate part of the whole work might be the
disclaimer, warning you that nobody is going to take any responsibility
for the mistakes in the book.  (Although what "ac and high voltage
power sources" have to do with computer viruses is a mystery to me.)

The preface claims that the book is comprehensive, which it certainly
isn't, and concise, which is questionable as well.

Chapter one looks at something of the history of viruses.  Where Dunham
has been given competing or contradictory versions of a story or fact
he simply puts down everything, without evidence of any analysis to
find out the truth.  Assertions are laid down in some vaguely
chronological order, without any relation to each other (Q.  What do
the inclusion of an antivirus with DOS, the emergence of the WildList,
and the fact that SatanBug was written by someone below the legal
drinking age have to do with each other?  A.  Nothing.), and without
any explanation of the implications of developments or trends.  (I take
it back: the book states that the invention of System 7 for the
Macintosh eliminated compatibility with previous viruses, which isn't
always true.)

Although entitled "Malware," chapter two has little material on
malicious software other than viruses.  It is a grab bag of random
content, looking briefly at many topics without staying long enough to
effectively cover anything.  There are many lists in the work, but the
substance is not always reliable.  Table 2.2, for example, on virus
characteristics lists Whale as an example of an armored virus (Whale is
usually considered an example of limited polymorphism, and "armored"
does not have a commonly agreed technical meaning in virus research),
doesn't mention prepending or appending of file infectors, describes
Lehigh as a "cavity" virus (possibly technically correct, but only
because of the odd file format of COMMAND.COM), and tells us that a
multipartite virus "is often very successful In the Wild but is rare In
the Wild."

There has to be some irony in the number of errors in a chapter called
"Myths and Hoaxes."  For instance, the simple statement that the Scores
virus was only released to a company intranet and therefore was not an
issue in the wild ignores the fact that Scores was developed before
there were intranets and that Scores *did* make it into the wild, as
attested by the fact that one of its aliases (noted in the previous
chapter) celebrates a government institution it infected: NASA.  The
first item on the list of ways to detect a virus hoax says that the
source of the email is unknown to the user: most hoaxes get passed
around from friend to friend.  (The list of classic virus hoax messages
also contains the Gullibility Virus, which is a satire on the
phenomenon.  There is a brief mention that it is a joke, but that fact
is certainly not clear from the inclusion.)

"Detecting Malware," in chapter four, starts off with the usual list of
virus symptoms, most of which appear in all sloppy virus books, and
none of which are any kind of dependable indication that you have an
infection.  The look at antiviral software concentrates, of course,
almost exclusively on scanning.  Dunham does mention change detection,
although not in any comprehensive way, and also mentions "behavioral
analysis," which is described as a "bold and progressive approach" by a
new company.  Otherwise known as activity monitoring, this is, in fact,
the approach used by the oldest antivirus program, Flu-Shot.  The
chapter ends with procedures for capturing viruses that would only work
by accident, and wouldn't work at all against the most common current
email viruses, as listed by the book's own prevalence chart.

Chapter five, on preventative measures, is a real mixed bag.  Some
points are good, such as the recommendations about verification of
installation, the risk of a lack of security policy, a parent-child
contract for computer use, and the warning against the use of FDISK as
a disinfectant.  Most of the rest of the chapter, however, is
incomplete, contestable, or misleading.  "Black market software" has
very little connection with viruses.  Incomplete removal of software is
a danger, but how is the naive user to determine that disinfection is
concluded?  Screen saver passwords have nothing to do with viruses, and
are weak, in any case.  Microsoft Office protections against macro
viruses are, as the book notes, not failproof, but the point is not
made with adequate emphasis.  Boot disks cannot be made for Windows 9x
or NT systems (at least not as suggested) and are of little use with
FAT32 and NTFS file systems.  Changing file associations is more
complex than the text suggests.  (And the section on F-Prot makes
almost no sense at all.)  This is definitely a case where if you can
tell good advice from bad advice you don't need any advice:
non-specialists simply cannot be sure about the counsel they are
getting from this volume.

It is rather odd that there is a separate chapter for antivirus
software, since both preceding chapters have extensive (if not very
credible) software sections.  However, the intent seems to be to
concentrate on evaluation of an antivirus.  Unfortunately, the material
is fragmentary and inconsistent.  The section on certification and
reviews fails to point out that all the certification sites mentioned
only do "zoo" tests (measures of how many viruses are identified from a
given set), that some charge companies for submitting software for
testing, and that the VTC (Virus Test Center) is the only site with its
full protocol available online and a zoo that even approximates the
tens of thousands of viruses that exist.  Mini-reviews are given, but
only for Mac software.  There is an evaluation form, but only a very
few specialists would be able to fill it out in its entirety.
(Microsoft is also listed as an antivirus software update site.)

Chapter seven, on removing malware, is very short, and half of it is
dedicated to telling you why you might not be able to disinfect your
system.  Still, some of the points are worthwhile, and, if you are
infected by an old boot sector or file infector, nothing in this
chapter should do you any harm.  (The discussion is not relevant to
more current macro or email infections.)

Other than a reprint of the Good Times Virus Hoax FAQ the appendices
are not particularly useful.

Overall, the text is a mass of trivia, interspersing fact, speculation,
and inaccuracy in an unreliable and misleading mix.  The content, as
presented, betrays almost no knowledge of the fundamental technologies,
either on the virus or the antivirus side.  When details are provided,
they are thrown at the reader in an undifferentiated and unanalyzed
lump, which will annoy the specialist, and confuse the average computer
user.  The book is small, but hardly pocket sized, and the internal
structure is nowhere near being organized enough to lay claim to the
appellation of reference.

As with Schmauder's "Virus Proof" (cf. BKVRSPRF.RVW), this latest
attempt to fill the long gap in virus literature has almost nothing to
contribute to the field.

copyright Robert M. Slade, 2000   BKBVRTPR.RVW   20000822