PCWDIMMN.RVW   921109
                               Comparison Review
 
Company and product:
 
Western Digital Corporation
8105 Irvine Center Drive
Irvine, CA   92716
714-932-5000
714-932-6250 Letty Ledbetter
Robert McCarroll, Product Manager, Systems Logic Group
714-932-7013 Terry Walker (and Robert Lee, developer) fax: 714-932-7097
Mark Levitt fax: 714-932-7098
Benjamin Group (marketing)
Suite 480, 100 Pacifica Ave.
Irvine, CA   92718
714-753-0755 (Erin Jones, Sari Barnhard and Carolyn Fromm) fax: 714-753-0844
Immunizer (new technology to be announced 921109)
 
Summary: concept proposal for hardware component for data security
                              
Cost: N/A
 
Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      1
            Ease of use       1
            Help systems      1
      Compatibility           2
      Company
            Stability         2
            Support           1
      Documentation           1
      Hardware required       2
      Performance             2
      Availability            1
      Local Support           1
 
General Description:
 
The "Immunizer" concept involves a cooperative effort between BIOS makers,
board manufacturers and antiviral software producers.  The central component,
as far as Western Digital is concerned, is the 7855 system controller chip. 
With proper implementation, the concept should allow protection of hard disk
and memory areas, while at the same time allowing the user the option to "lift"
the protection via software in order to allow for normal system maintenance
functions.
 
                  Comparison of features and specifications
 
 
User Friendliness
 
Installation
 
The test unit arrived with the Immunizer protection in place.  The notes with
the system do not specify how the protection program (ANTIDOTE) was to be
invoked or removed, other than at boot time.
 
Physical examination of the unit found an AMD NG80386SXLVIO-25 CPU and a Caviar
280 85Meg drive.  Bus slots were labelled "do not use bus" and "5V".  The
system boot messages referred to a "7855 3.3V Notebook system".
 
Initial assessment of the system found that the two FAT tables did not agree,
and that there were numerous "duplicate filenames" in the root and directories
created before the system was shipped.  Examination of the root directory
showed multiple filenames of ANTIDOTES_R.  (Addition and protection of new
program files increases the number of these entries.)
 
To begin with, I could not understand the purpose of these files, supposing
that they might point to table information regarding which files were to be
protected.  However, the number of protected files did not exactly correspond
with the number of ANTIDOTES_R entries.  Eventually I found that groups of
these entries always end at sector boundaries.  This would indicate that
protection is on the basis of disk sectors and that the entries are used as
"spacers" to keep data files out of the protected sectors.
 
Note that removal of these file entries requires sector editing, and that
directories that have such entries cannot be removed even if "all files" have
been deleted from the directory.  I had hoped that disabling protection,
deleting all files, and then running the "organize and protect" function again
would solve the problem, but it did not.  It did, however, remove the
protection from the directories so that a tool like NDD was able to remove
duplicate entries.  One ANTIDOTES_R entry remained, and could not be deleted
from the command line, but another utility program was then able to remove the
single remaining entry.  This, however, seems to be excessive trouble for such
a common procedure.
 
Analysis of the FAT with one tool initially showed that a file at cluster 5276
had no directory entry.  On a second run, that had changed to 5398.  Further
runs after addition of more files indicated that this particular cluster is a
fixture of the system.  Examination showed the contents to be very similar, and
similar to the FAT data structure.
 
Ease of use
 
As noted, the notes shipped with the test system did not indicate how to invoke
the ANTIDOTE program, other than by rebooting the computer.
 
An attempt to write to the root directory entries (overwriting the duplicated
ANTIDOTES_R filenames, in fact) with PCTools invoked an alert screen.  This
screen stated that a suspicious write had been detected.  The options presented
were to reboot the computer, or to disable protection.  There was no option to
disallow the operation, but continue with the session.  The screen noted that
if the operation was allowed to proceed, ANTIDOTE would not be active until
again invoked (by rebooting?).  Choosing to reboot presents a second screen to
confirm the choice.  The system appears to be able to discriminate between
program and non-program directory entries.
 
(Subsequent testing demonstrated that the alert system, at least, would remain
in place even if the option to disable protection was selected.)
 
There are only six menu selectable items on the main ANTIDOTE screen, and using
the menu should not present any problem to a user with even moderate computer
experience.  The only item that presents any further complexity of use is the
option to select files to be protected.  It should be comprehensible to any
user of "dual window" file managers.
 
Help systems
 
None provided aside from brief (one sentence) explanations of the six menu
items on the ANTIDOTE program.
 
Compatibility
 
Utility programs show numerous potential problems with inconsistent entries
between the two FAT tables, and with numerous "duplicate" filenames, as well as
lost chains whenever the "Protect" functions are used.  Use of programs to
attempt to correct these problems is almost inevitably fatal.  The ANTIDOTES_R
"files" are, of course, part of the protection system, and rightly attempt to
defend themselves, but it would help if the implementation was not such a
problem to other utilities.  Attempts to reconcile the two FAT tables appear to
be allowed, but will need to be done again after each use of the ANTIDOTE
program to protect new or modified files.
 
An attempt to test compatibility with other antiviral programs raised an
interesting point.  The protection system does *not* appear to really start
from the BIOS level.  Installation of the DISKSECURE system seemed to eliminate
the ANTIDOTE system entirely.  However, attempts to infect the system with boot
sector infectors from floppies did not work: the system was able to prevent
infection.
 
There is considerable interference from the system in terms of false alarms. 
In fact, there were numerous times when the "alert" screen popped up when no
disk activity should have been taking place.  In the limited time available it
is difficult to say for sure how much was unwarranted interference with normal
operations, particularly as the only option is to reboot or shut down the
protection.
 
Initially, I was not aware of too many false alarms; after all, I had little
idea of how the system should work and was obviously making mistakes.  As I
started to load software into it, I began to suspect that large scale copying
operations "confused" the system as to what was supposed to be protected.  The
problem seems to get much worse as the disk is "loaded": at 80% full the system
"alarms" on almost every operation that copies data, or even reads the disk. 
At 95% full, invocation of programs larger than one cluster will consistently
generate a warning.
 
I was, however, able to determine that numerous alerts (at least six when I
tested the system conditions both before and after the alert) were fully in
error.  Some of the cases were inconsistent in generating the warnings.  In any
case, false alarms seem to occur at a rate of one out of ten disk operations
when the disk is half full.
 
At 95% full or higher, there are also numerous false alarms when the system
boots.  Interestingly, removal of programs to reduce the "load" to 60% and
reprotecting the system did not rectify the errors.  ("Cold" booting does
improve the success rate.)
 
There are occasions, however, when the "false" alarms aren't really false, but
are misleading just the same.  This occurs when a protected program or file has
been deleted.  As noted, the system allows you the option of allowing an
operation.  The alert screen states that the protection system will be shut
down after a restricted operation is allowed, but, in fact, doesn't. 
Therefore, while the area formerly occupied by the deleted file looks (to DOS)
to be available, to the protection system this area of the disk is still to be
protected.  This is more than just a bug in the current implementation; it is a
significant obstacle to the utility of the concept as a whole, and needs to be
seriously addressed.
 
Another bug in the current program concerns the computer system it is installed
in, and the diagnostics.  Roughly half of the attempts to reboot the system
resulted in some failure of the diagnostic tests, although there was no
apparent problem with the items that had failed.
 
It should be noted that, aside from the rather random interference with normal
computer operations that go on from time to time, nothing in the system
mitigates against "companion" (also known as "spawning" or "precedence") viral
programs.  Duplicate filenames with different extensions may exist, and are not
noted in any way.
 
The system, as currently configured, prevents booting from a floppy disk except
when the protection is disabled.  While this seems generally reasonable, note
that it means that checking of the system is problematic.  (During testing, I
attempted a "clean boot" to ensure that a stealth virus had not, in fact,
affected the system.  I then, inadvertently, wiped out the disk with a trojan.)
 
If the system is infected by a boot sector infector, it will not prevent
subsequent infection of floppy diskettes.
 
A version of the Traceback virus was able to consistently lock up the system. 
This should be explored as indicating a possible weakness in the protection
system.
 
Company Stability
 
Western Digital is well known for their drive controller and network cards. 
This is their first effort in the antiviral arena.
 
Company Support
 
I was first contacted by "The Benjamin Group", which appears to be a marketing
company hired by Western Digital for the promotion of this concept.  An
evaluation unit was promised to be shipped.  I was very careful to spell out
the conditions under which I would accept the unit for review: these were
agreed to by Benjamin, but were apparently not communicated to Western Digital.
 
Significant problems were encountered in shipping.  The unit was to have been
shipped over the weekend: because of problems with declarations at Customs the
shipment was received a week late.  Equal, or worse, problems were encountered
in attempting to get information from Western Digital in order to return the
unit.
 
Because of the miscommunication over review conditions, and because of the
delay in shipping, this review has been conducted under less than ideal
conditions and time frame.  A series of questions was put to Western Digital in
order to better structure the review.  Unfortunately, the answers were somewhat
misleading.
 
Western Digital stated that although full documentation is not available with
the system, some description of the concepts and theory were enclosed with the
package.  User notes were said to be enclosed regarding the anti-viral
management software.  In fact, there was no material relating to the theory and
concept, and the user notes simply reproduced the explanations listed with each
menu item on the ANTIDOTE screen.
 
The software and system was said to be complete and debugged so far as the
"proof of concept" is concerned, although it was not to be judged as a
commercial and saleable product.  This is fair as far as it goes, but it would
be hard to defend the mistakes that the system makes in terms of losing files
and clusters in terms of a fully debugged program.
 
Some software, particularly Windows 3.1, was said to be installed and available
on the system.  In fact, only MS-DOS (and not all of that), F-PROT and a virus
"storyboard" presentation were on the system.
 
There were additional problems with contacts.  Phone calls and faxes were not
returned.  Several times Western Digital requested action on my part on a rush
basis, but when further information was requested in order to pursue this
action, calls by me were left unreturned by Western Digital for days at a time. 
To date I am still waiting for some materials promised by Western Digital and
The Benjamin Group.
 
Documentation
 
Basically, none is yet available beyond the press releases and a "white paper".
 
Hardware Requirements
 
At present, the system is limited to those systems with SMI equipped 386/486
level processors.  The system will need the proper BIOS and the WD 7855 system
controller.  The protection is limited to ISA IDE hard drives, and only to the
first physical and logical drive.
 
In terms of exactly how the technology works to protect the disk, it would seem
to be possible in a number of ways.  However, the current implementation seems
to require all programs (or other files to be protected) to be contiguous on
the disk.  This suggests that the protection is applied on a "cluster" or
"sector" basis, rather than at the higher, logical, level of file protection.
 
In terms of the files to be protected, this is not a major problem.  However,
the FAT clusters must also be protected.  (Directory "files" listing the files
within the directory also appear to be protected in some way.  Renaming of
files in some ways is allowed: methods that involve direct disk access appear
to be restricted.  This may present a security loophole.)  
 
The implications here are more serious since data files, which are not to be
protected, must not occupy any of the clusters in the FAT which are protected. 
Observation of the test system indicates that data files are therefore
restricted from certain areas of the disk.  The exact restriction will depend
upon the amount of space required for program files, the FAT type (12 or 16
byte), the cluster size and the size of the hard disk.  (Given the number of
variables, I have not attempted to calculate specific examples.  The precise
extent of this restriction as an obstacle to computing is difficult to
determine.)  My initial observations indicated that this might require a
restriction of disk usage limiting disk utilization to 50 percent or possibly
even less.  Subsequent observations did not confirm this, since I was able to
fill the disk to 99% capacity.  However, it should be noted that when the disk
allocation reached 50% of capacity there was a significant increase in the
number of false alarms.
 
In relation to this, "FAT" or "system" viral programs were tried against the
Immunizer system.  While they did not infect the system, neither did they
prompt any alarms.  Although two copies of DIR II were tried, my suspicion is
that somehow the system prevented their operation, rather than preventing the
infection.  This will require further testing.
 
Performance
 
Invocation of the "Protect" or "Organize and Protect" functions of the ANTIDOTE
program results in a major disk reorganization.  Each addition or modification
to a program, therefore, requires significant time for re-establishment of
protection.
 
In addition, the disk reorganization appears to have some bugs currently, and
each run resulted in some truncated files and lost clusters.  The files lost or
truncated tend to be data files, although at least one overlay file was
truncated during testing.  Each run also results in inconsistencies between the
two FATs.
 
After the addition of some files required an "Organize and Protect" run of more
than 35 minutes duration, I attempted to build a metric for this activity. 
Therefore, having protected, organized and cleaned up the disk errors on the
system, I installed Windows 3.0 as being fairly representative of the mix of
programs and data in today's commercial software.  52 megabytes of the 83
megabytes available on disk were occupied, and Windows added approximately 5
megabytes to that.  The organize and protect run took 21 minutes to complete. 
An initial run with CHKDSK did not find any lost clusters.  Correcting the FAT
inconsistencies with NDD took a further 9 minutes.  It found four truncated
files and 97 chains of 1218 lost clusters, the correction of which took a
further 3 minutes.  The cost of the addition and protection of one commercial
package, therefore, is generally more than half an hour for protection, and a
random loss of data files.
 
However, observation suggests that this is neither consistent nor predictable. 
Most runs took 30 to 40 minutes, regardless of the space available on disk or
the number and size of program files added.  On the other hand, after one
addition of a large number of program files the organize and protect run took
only five minutes to complete.
 
A "worst case" test was done with the disk 99% full.  This took 4.5 hours to
complete.  After this was done, the system "alarmed" on every bootup. 
Interestingly, on this run only one file and 24 cluster chains were lost.
 
Note that removal of files requires a similar time investment.  Deleting 35
megabytes of (mostly program) files required an "organize and protect" run of
24 minutes.  
 
Recovery of files was generally unsuccessful.  On two notable occasions very
large data files were recovered with reasonable success after extended efforts. 
Lost clusters tended to be mixtures of files; in many cases mixtures of files
and directories.
 
The processing overhead added by the protection system is not perceptible to
the user in normal operation.  Numerical tests of disk speed, however, reveal a
very different story.
 
          Coretest  Transfer ratePerf. index/  SI Disk Index
 
with protection349.65.7564.3
without protection942.09.2917.0
 
While processing does not appear to be adversely affected, disk access
certainly is.  Where disk performance is a factor, this must be a
consideration.
 
Although memory protection was mentioned (in a teleconference promoting the
release) system areas of memory do not appear to be protected.  However, upon
further information from the company, an area of memory was found which is
protected.
 
Additional "bugs" were found in the system.  The ANTIDOTE alert screen did not
recognize both "Enter" keys on the keyboard: in certain situations it requires
one, in others the other.  At times the system would not "free" memory after a
program had completed a run.  At times the system seemed to interfere with
parameters being passed to programs.
 
Support Requirements
 
Even without the bugs, the current concept would need to be installed and
managed by those who thoroughly understood both virus protection and the level
and type of activity on the computer to be protected.  Certain files not
covered by the default protection would need to be added and certain programs
would need to be "writable" in certain situations.  It is, of course, possible
for the user or operator to override the protection, but they would need to be
informed of the times when they safely could, and times when they shouldn't. 
The fact that the alert screen is so vague does not help this decision, but
this could be changed, hopefully without adding too much overhead.  The
addition of more "intelligence" to the alert screen, in order to inform the
user of what part of the disk was being written to, and what the implications
were, would help here.
 
                                 General Notes
 
The concept appears to have substantial potential.  However, the current
implementation has a sufficient number of bugs as to make judgement of the
value of the concept, separate from this implementation, problematic.
 
As currently implemented, the system does appear to provide substantial
protection against infection of program and specific protected files on the
target machine by most types of viral and trojan programs.  The cost of this
protection, in terms of the reduced utility of the system, would be
unacceptable in all but the highest risk environments.  A combination of
software defenses and user training would provide almost the same level of
protection at greatly reduced cost.
 
There are indications of loopholes in the current implementation.  Specific
identification of such requires further testing.
 
This concept should be pursued, but in conjunction with established antiviral
researchers and antiviral software developers.  Numerous existing programs
could contribute to patching the gaps in this implementation.
 
copyright Robert M. Slade, 1992   PCWDIMMN.RVW   921109

======================
roberts@decus.ca           rslade@vcn.bc.ca           rslade@vanisl.decus.ca
Ah! When I were lad, we used to 'ave t'wait 40 milliseconds on noisy channel
 for a network link to come oop--and login both ends! - per Linda Richards
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)