PCTBAV.RVW   950921

                            Comparison Review

Company and product:

Company: ESaSS B.V.
Address: P.O. Box 1380, 6501 BJ Nijmegen, The Netherlands
Phone:   31 - 80 - 787 881
Fax:     31 - 80 - 789 186
Sales:   Calmer Software Services, 361 Somerville Rd, Hornsby Heights
         NSW 2077, AUSTRALIA, +61 2 4821715; or P.O. Box 527, Dagsboro,
         DE 19939, +1-302-732-3105, fax +1-302-732-3105
Contact: Frans Veldman
Email:   Veldman@esass.iaf.nl
Other:   Data: 31 - 85 - 212 395, (2:280/200 @fidonet)
Product: Thunderbyte Utilities

Summary: Scanning, disinfection, change detection, operation
restriction, encryption

Cost U$35

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      2
            Ease of use       3
            Help systems      3
      Compatibility           2
      Company
            Stability         3
            Support           2
      Documentation           2
      Hardware required       3
      Performance             2
      Availability            2
      Local Support           1

General Description:

An extension of the earlier Thunderbyte Rescue and Thunderbyte Scan
programs. These programs are still contained in the set, but are
supported by a disinfector with two "generic" disinfection modes
(TBCLEAN), a change detector (TBCHECK), an "overwriting" delete (TBDEL),
operation restricting programs (TBDISK, TBFILE and TBMEM), a menuing
interface (TBAV) and standardized TSR handling for compatibility with
Windows and Novell Netware. (Associated, though not separately reviewed,
is a "quarantine" component called TBfence which is similar to the
D-Fence program by Sophos.)


                Comparison of features and specifications

User Friendliness

Installation

Installation is a matter of copying the programs to disk and deciding
how to run them. The documentation, while clear enough as to use, does
not supply much in the way of direction for installation. With the new,
larger set of utilities, there is a section on installation in the
documentation file. While an intermediate or experienced user will be
able to determine how best to use these programs fairly easily, novice
users may not have sufficient information for installation.
Intermediate users may also have difficulty in deciding how best to use
the programs, as weaknesses and shortcomings of the various modules are
not noted.

Ease of use

The programs are very easy to use. The command line switches should not
be strictly necessary for effective use, but can provide significant
extra information or use for the expert.

Help systems

Because of the newer programs which do not require command line
switches, an "empty" invocation does not bring up a list of command line
options. However, an invocation of any program with a "?" or "help"
argument will.

Compatibility

Incompatibilities with specific programs or networks are noted in the
.DOC files with suggestions for workarounds.

Company Stability

The company has been supporting this product, with regular updates, for
quite some time now. An "agent network" has been established. An earlier
announcement of a commercial product based on the technology does not
seem to have led to any actual product.

Company Support

Contacts with the company have been sketchy so far. Some of the agents,
particularly Jeff Cook of the United States, have been very active in
promoting the product on Fidonet.

Documentation

The documentation has been substantially improved in the matter of
grammar and errors. However, there is still little coverage of viral
concepts in general, and the shortcomings and weaknesses of the program
modules in particular. A section of the documentation entitled
"Anti-Virus Strategy" contains no general discussion, policies or
procedures, but simply refers to the use of specific modules of the
package. Installation of the program overall still needs work.

Hardware Requirements

None stated.

Performance

The Thunderbyte Scan program has always been one of the fastest scanners
available. Even with heuristic scanning implemented, it still shows
startling speed. A test run on a 386 machine with a "normally" loaded 75
meg hard drive completed in under half a minute.
A test on a 486/33 with a full 350 meg drive took 36 seconds.

The "price" of this speed is debatable. Most scanners no longer scan the
entire length of a program, but only the "top and tail", where most
viral programs must attach in order to function. Although such programs
will detect most viral programs, they will not find those which can
insert themselves anywhere, such as the "Commander Bomber". Some of
those connected with Thunderbyte, most recently one of the agents, have
stated that this is one of the means to speed up the program. Frans
Veldman, who should know, strongly objects to this statement. However,
it is extremely unlikely that TBScan does scan the whole file.

TBSCAN does report some changes to files, but a test run on a directory
of antiviral programs showed that numerous updated programs were
ignored.

The operation restricting programs operate as advertised, although such
programs always operate under the proviso that whatever software can
protect, software can circumvent. Interestingly, the Thunderbyte
programs are not automatically exempt from interference: an attempt to
disinfect a program with the TBFILE program resident resulted in a
warning. (Another interesting point is that an attempt to infect one
file, while stopped, was allowed to change the file creation date. This
is used by this particular virus as an infection marker.)

The most attractive part of this new package is the second "generic"
disinfection mode. Most generic disinfectors use a "return to state"
algorithm, much like the Hamming code used for error correction in
memory or communications systems. This relies on the calculation of an
"image" identity of the original, uninfected file, and is of no use
"after the fact". TBCLEAN uses this, but also has a "heuristic" cleaning
mode, which does not rely on any "prior knowledge" of either the
infecting virus or the original file. A success rate of 80% is claimed
for the heuristic cleaning mode.
However, there are two factors to be considered. The second is the
ability to clean files infected with an unknown virus. The first comes
to us from Hippocrates' injunction to physicians, "First, do no harm".
Therefore, TBCLEAN was tested against some uninfected files. Of the six
files tested, the four COM files were not harmed, but both EXE files
were damaged, and thereafter useless. Subsequent tests of disinfection
of infected COM files were successful and restored files to their
original state.

In attempting to use the "checksum" method of disinfection, I found that
the TBSETUP program *cannot* be used to find an infected file. Running
TBSETUP after an infection will void the ability to recover. (This is
mentioned in the documentation, but given the difference between this
and other programs, it bears repeating.) However, this disinfection mode
otherwise works well.

Local Support

As noted above, it is difficult to get in touch with the principals via
the posted email addresses, but the agents, particularly Jeff Cook, are
active on the Fidonet virus related echoes. Unfortunately, this activity
does not seem to extend to VIRUS-L/comp.virus where there have been few
postings from anyone related to the company. Frans Veldman has recently
been active in private virus discussion groups, but this provides little
support to the average user.

Support Requirements

On a "scan only" basis, the program is simple to use. Invocation of any
of the various modules is also quite simple. Installation will require
more expert assistance.

                              General Notes

Thunderbyte was, for a time, one of the fastest developing programs, and
is a very good set of utilities. However, the principals and agents of
the company have been very averse to any and all reviews. The
distribution archive, in fact, contains an editorial directed against
the scanner tests included in the Hoffman VSUM list.
The American agent conducted a vendetta against one reviewer which
resulted in a flame war on Fidonet lasting more than a year, and the
cancellation of that series of reviews. That same test of the product
sparked the comment, from Frans Veldman, that no test or review should
be released unless it could be proven to be absolutely without flaw.
Unfortunately, this same standard does not seem to apply to their
product. This attitude, and the lack of development over the past year,
do not bode well for the future of the product.

copyright Robert M. Slade, 1991, 1992, 1994, 1995   PCTBAV.RVW   950921

======================
ROBERTS@decus.ca, rslade@cln.etc.bc.ca, Rob.Slade@f733.n153.z1.fidonet.org
If you can tell good advice from bad advice, you don't *need* any advice
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0
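
The "top and tail" trade-off discussed under Performance, as an added example that is not part of the original review and is not Thunderbyte's code: a whole-file search and a head/tail search are run over constructed buffers to show which placements each one sees and how much of the file it reads. The marker string, the 512-byte window and all function names are assumptions made for illustration.

```python
# Added example (not from the review): whole-file vs "top and tail" scanning.
MARKER = b"RVW-TEST-MARKER"   # constructed, harmless stand-in for a scan string
WINDOW = 512                  # assumed number of bytes examined at each end


def scan_full(data, sig=MARKER):
    """Search every byte. Returns (found, bytes_examined)."""
    return sig in data, len(data)


def scan_top_and_tail(data, sig=MARKER, window=WINDOW):
    """Search only the first and last `window` bytes of the file."""
    if len(data) <= 2 * window:          # small file: the windows cover it all
        return sig in data, len(data)
    found = sig in data[:window] or sig in data[-window:]
    return found, 2 * window


def make_sample(size, offset):
    """Constructed sample: zero filler with the marker written at `offset`."""
    body = bytearray(size)
    body[offset:offset + len(MARKER)] = MARKER
    return bytes(body)


def compare(size=64 * 1024):
    """Run both scanners over four marker placements and tabulate the results."""
    placements = {
        "prepended": 0,
        "appended": size - len(MARKER),
        "mid-file": size // 2,
        "window-edge": WINDOW - 4,       # marker straddles the end of the head window
    }
    report = {}
    for name, offset in placements.items():
        data = make_sample(size, offset)
        full_hit, full_read = scan_full(data)
        fast_hit, fast_read = scan_top_and_tail(data)
        report[name] = {"full": full_hit, "top_and_tail": fast_hit,
                        "read_ratio": fast_read / full_read}
    return report


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:12} full={row['full']!s:5} top_and_tail={row['top_and_tail']!s:5} "
              f"bytes read={row['read_ratio']:.1%}")
```

The window-edge case is a string that begins inside the head window and ends outside it; the windowed search misses it as well as the mid-file one.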