New and Improved: Antivirus Software

Craig

This is the product that is so perfect and wonderful that it never ever
needed updating.

http://www.idg.co.nz/magazine/pcworld/may98/invircib.htm

New and Improved: Antivirus Software
Invircible Not A Credible Anti-Virus Program

Juha Saarinen
Invircible has caused a storm in the anti-virus teacup for some time now.
Its New Zealand distributor, the Virus Defence Bureau (formerly known as
Second Sight Limited) says Invircible is controversial because it threatens
the livelihood of other anti-virus vendors, claiming Invircible '... detects
all viruses at the point of propagation', and that it 'Finds and repairs ALL
viruses [sic] known and unknown.'

However, after extensive testing, NZ PC World reached the conclusion that
Invircible is a poor anti-virus program that doesn't work as advertised and
offers substandard protection against viruses. We advise readers to avoid
it.

Plethora of programs
Priced at $180 ex GST for a single-user licence, Invircible comes with a set
of 10 16-bit Dos utilities, and six 32-bit Windows 95/NT modules.

Utilities for Windows 3.x are included too, ditto a set of network tools,
but we didn't look at those for this review.

The Windows 95/NT utilities have similar, easy-to-use interfaces, but the
Dos ones vary from app to app. The Dos utilities must be used for the
Invircible virus defence strategy but all make use of poorly documented
command-line switches. (There is a text file in the compressed archive on IV
diskette 1 that explains the switches, but it is deleted after
installation.)

The Dos programs also suffer from a confusing mêlée of hot keys, pop-up
menus, <Ctrl>-key and <Alt>-key combinations, making it nigh impossible to
figure them out.

Generics not unique to Invircible
Invircible's developer, Net Z Computing, says it is based on generic
anti-virus methods. Usually, this means change-detecting software and
integrity checkers, which compare system files and alert for modifications.
However, all features of Invircible seem 'generic'. To quote from the sales
brochure: 'At the point of installation Invircible performs around twenty
five generic tests to ensure it is being installed to a clean environment'.
The distributor never told us what these 25 tests were, however.

Generic anti-virus technologies are nothing new or unique, despite
Invircible's developers' and distributors' claims. The first anti-virus
products were change detectors, and well-known utilities like IBM Anti-Virus
and Dr Solomon's Anti-Virus' signature scanners also use it today. It is
disingenuous of Invircible's makers to suggest otherwise.

Installation
Invircible takes a snapshot of the system during installation as a base for
its detection and restoration mechanism so it is vitally important that the
program is installed to a clean system. The crude installation routine,
consisting of self-extracting Winzip archives with Dos batch files, runs a
number of utilities to ensure the system is virus-free. Among these is the
IVZ scanner that has 900 signatures in its database and hasn't been updated
for over 30 months, according to the distributor. Leading AV scanners detect
15,000 viruses or more in comparison, so IVZ does little to ensure a
virus-free environment for Invircible.

If a virus is found, IVZ halts to display a report. However, it won't clean
the infected files, and continues the installation after the report. Even if
you abort the installation, Invircible wouldn't be able to disinfect the
system, as it doesn't come with a clean boot disk. The manual recommends in
several places that a 'third-party scanner' is used and I think I know why.

Invircible also runs the IVX 'hyper correlator' that scans files for virus
signatures based on samples given to it. IVX uses a temporary Ini file with
the signatures of 22 viruses, but this file is deleted at the end of
installation.

Finally, IVX is run in Word macro virus detection mode, after which the IVB
integrity checker takes a 'snapshot' of system files (including ones
infected by undetected viruses) for restoration purposes. ResQDisk then runs
and backs up the master boot record and the partition sector. The Windows
utilities are installed next.

The installation routine doesn't create a rescue disk automatically (this is
done with the Dos Install program instead) and doesn't reboot the system,
without which the installation won't complete. Even after a reboot, however,
Invircible never ceased complaining about an 'Incomplete Installation'. I
asked the distributor why, but never received a reply.

Annoyingly, the Dos installation path is fixed as C:\IV, unlike the Windows
one that can be changed. A bug in the installation routine leaves the Winzip
self-extractor waiting for the Dos window to close before the program exits
and cleans up its temp files. If you close the Winzip dialogue, a number of
temp files are left on the disk.

On Windows NT 4.0 Workstation, Invircible must be installed under the
Administrator user code, with user permissions set manually. ResQDisk is not
usable under NT and IVINIT isn't run at boot up either. The program is
limited to scanning for file infecting viruses and macros under NT, and can't
check boot sectors, according to the manual.

After installation is finished, there is a green IV icon in the Windows 95
Systray. This gives access to the Macro Sweeper, the integrity checker, a
scheduler, options for the Interceptor and Watchdog resident scanners, and
also online help. The IVINIT program runs every boot-up from Autoexec.bat,
ditto the IVB (twice!) and IVX utilities. IVINIT compares the MBR, partition
sector and Cmos with three 'snapshot' files in the root directory. I deleted
these, but IVINIT simply recreated them without warning, so a targeted
attack against the fixed names of these files would be trivial to implement
for virus writers.

Documentation a shambles
A manual last revised in June 1996 accompanies Invircible and contains
nuggets like 'It is yet unsure whether the WinWord macro viruses are the
first of a kind or will remain an episode in computer's [sic] virology', and
suffers from poor proof reading. It talks about programs not included with
the Invircible suite, like IVSCAN and ResQPro, but doesn't mention the
Windows programs. The Invircible distributor says an updated manual is
available in Hebrew.

The online help files are up-to-date, both under Dos and Windows. However,
the read-me files with installation information are in Word 2.0 format,
unreadable by Wordpad in Windows 95. As there will be situations when the
online help files on the hard disk won't be accessible, there is no excuse
for the substandard manual.

So Does Invircible Work?
To find out how well Invircible fends off viruses, I asked Virus Bulletin,
the respected UK anti-virus publication to test it. For further information
on Virus Bulletin, email (e-mail address removed) or surf to www.virusbtn.com.

The Virus Bulletin ran IVZ against its 852-virus test set of file infectors.
IVZ detected a mere 53 of these, a detection rate of approximately 6.22%. Of
the total set, 172 viruses were represented in the January 1998 Wild List,
and IVZ detected 29 of these, or 29%. Both results are extremely poor. IVZ
fared better against the 87 In-the-Wild boot sector viruses in the Virus
Bulletin test set. It spotted 61, for a detection rate of roughly 70%.
However, IVZ missed some of the most common ones like Stoned, Ripper, NYB
and WelcomB.

Virus Bulletin also tested IVINIT with six boot viruses that IVZ missed:
Baboon, Bye, Chinese_Fish, Crazy Boot, Cruel and WelcomB. Two of the most
common boot viruses, Form.A and Junkie were also used.

With Bye, IVINIT warned that the partition sector was stealthed, and
prompted to replace the MBR using Invircible's See Thru (direct IDE port
access) technique, and asked to reboot the computer. Afterwards the disk was
disinfected. The Crazy_Boot and WelcomB infections followed similar
patterns.

Baboon made IVINIT flash a '1KB of Dos memory missing!' warning, but
confusingly, also 'No virus activity detected in memory'. The default option
was to Quit and continue booting. This left the system with an active,
infective virus. The Cruel infection followed the same modus operandi. In
both cases, ignoring the default option and restoring the MBR disinfected
the system.

Chinese_Fish rendered the test system unbootable, so ResQDisk was used from
a floppy. After finding the right key combination to press in ResQDisk's
cluttered interface the system was restored. ResQDisk offers little advice
for situations like these so novice users would have difficulties knowing
what to do.

The common Junkie virus is poorly written and corrupts the Dos 7.x
command.com because it ignores the fact that it is actually an Exe-style
program. (Invircible's distributor said Junkie trashes Win.com instead.) The
system won't boot from the hard disk, and IVINIT can't run. It's not
described anywhere, but you need to whip out ResQDisk, restore the boot
record and then use IVB to restore Command.com.

Virus Bulletin staff observed that during the Form.A infection, IVINIT
reported '2KB of Dos memory missing!' but also said, 'The hard disk is
infected with a boot infector!' a clear virus indication for a change.
However, on acknowledging the message, IVINIT said 'No Virus activity
detected in memory!' and 'The Master Boot Sector is intact!' and exited. The
VB tester was unable to do anything as Windows 95 started up with Form.A
active and infectious. This is a major bug in IVINIT. Using ResQDisk
restored the boot sector, but an average user wouldn't know to use it in
this situation.

Add-ons asked for
The distributor claims that earlier versions of Invircible detected and
removed a particularly nasty virus, One Half, when it first appeared in New
Zealand.
I infected a system with One Half, and this time, IVINIT detected the virus
by its name, but said to use 'XONEHALF' to disinfect the system. ResQDisk
said the same.

One Half encrypts a varying number of sectors on your disk, so generic
restoration is impossible, hence Invircible's reticence. XONEHALF, a utility
not written by Invircible's developers, is not included with the program. It
can be downloaded from Invircible's Web site, a poor solution if One Half
has whacked your hard drive. The Monkey virus is also handled by a separate
utility, available at the Web site.

I also infected a Compaq Deskpro with the common virus Da'Boys. Due to
Compaq's non-standard disk partitioning it wrote itself to the boot sector
of the diagnostics partition, rendering it unbootable. IVINIT didn't notice
this infection, but ResQDisk said, 'Could be a virus!' when coaxed to look
at the diagnostics boot sector, where the text string 'DA'BOYS' was clearly
visible. The manual's suggested procedure for restoring the boot sector didn't
work. When I tried it, a message saying: 'This function only supported in
RESQPRO!' popped up. RESQPRO is a separate utility, priced at $US299,
according to the Invircible Web site. I asked Invircible's distributor about
this, and was told 'both ResQDisk and the ResQPro can recover from this'.
The distributor suggested 'changing the partition parameters', which didn't
work either.

File infectors given free rein
Two integrity checkers are provided with Invircible to handle file
infectors: the Dos IVB and the Windows IVB32. When run, the integrity
checkers compare files to 66-byte 'snapshot' signature files said to contain
all the information necessary to restore them. These 'snapshots' can be
renamed and stored off-line, but they can be deleted without any reaction
from IVB/IVB32.

To see whether Invircible could detect any virus, prevent its propagation
and restore the infected files as promised, I used the KRiLE virus. KRiLE
attacks executables in the PATH variable, encrypting the first 5,696 bytes
of it. Because of Invircible's lack of memory-resident protection, KRiLE was
able to infect as many files as it liked. These included the Invircible Dos
programs, unfortunately. The Dos and Windows integrity checkers showed that
some executables had grown by 5696 bytes, and gave me the option of
restoring them. Both programs claimed success, but executing the restored
files showed that they didn't work.

An email from the Invircible developer, Zvi Netiv, confirmed that this is
how the program works. Invircible doesn't prevent virus infections, it only
tries to recover from them. Files infected by non-overwriting infectors
stand a better chance of being recovered by IVB/IVB32. Without testing each and
every virus on the Wild List it's hard to say exactly what the chances are.
However, it is safe to say that Invircible does not 'find and repair all
viruses known and unknown'. (On a side note, IVB restored virus infections
to several files that had been disinfected by other AV utilities.)

False alerts galore
Software upgrades had IVB/IVB32 putting up copious amounts of false alerts
as it detected the new files. Messages like 'Winword.exe: modified,
increased by xxxxx bytes. Probably a new version' pop up, leaving it to you
to decide if it's a virus or not. Sometimes the 'probably' doesn't appear so
users could easily end up with non-functional systems due to mistaken
restoration attempts of legitimate files.

IVB/IVB32 can revalidate all the new files automatically, but that could
mean missing infected files - permanently. In the end I asked myself: 'why
bother with all this?' A good on-access scanner would have prevented
the infections, and saved huge amounts of time. For day-to-day protection
against file viruses, Invircible simply doesn't cut it.

Sweeping Macro Protection
Invircible's Word macro detection seems to have abandoned the generic
approach in favour of scanning, based on simple heuristics (that is, rules).
Resident on-access protection is also provided. This is because it would be
impossible to restore infected documents generically the way IVB does with
program files.

No Access virus protection
Four utilities handle Word macro viruses: the Macro Sweeper on-demand
scanner, the Watchdog on-access scanner for Word, and the Interceptor
on-access scanner for other applications. Also, IVX can be used to detect
macros with the /mac switch.

The Macro Sweeper scanner can investigate files with non-standard extensions
and handles Word documents embedded in, say, an Excel workbook. It had no
problems detecting and deactivating a great variety of Word Basic viruses,
but threw up six false positives or 'Suspicious Template' alerts against
legitimate macros on the Office 95 CD.

Strangely enough, Invircible ignored Word 97 macro viruses like Steroid, and
so-called up-converted viruses (Word 97 automatically converts Word Basic
macros to the VBA 5 format). A Word 95 document with only the word 'AutoOpen'
in it and saved as a template file with a *.dot extension was flagged by
the Invircible macro utilities as a 'suspicious template'. Even though there
were no macros in the template, the Invircible utilities offered to
deactivate them, and claimed success if you let them. This was repeatable
with files containing the names of common Word virus macros like 'Wazzu',
'Bandung', 'CAP' and 'Concept'.

Further, changing a document template file's extension to *.doc caused
Invircible to flag it as an 'Active Document' and prompted to deactivate it.
This is a blunderbuss approach to Word macro viruses that catches innocent
documents in the process. That Invircible ignores infected Word 97 documents
points to the programs assuming the older Word 6/7 format, which is
different from the Word 8 file format.

Upgrading to a newer version of Office overwrites the Watchdog macros
installed into Word's NORMAL.DOT template, but Invircible doesn't notice.

The Excel macro virus protection won't work unless the included IVEXCEL.XLS
worksheet is loaded manually or at installation. It looks for two strings,
'Laroux' and 'PLDT' - the names of two viral VBA modules. IVEXCEL also takes
over the OnWindow, OnSheetActivate, and OnSheetDeactivate VBA events, which
meant that undetected viruses like Robocop and Don that don't use the above
VBA modules couldn't replicate (but their payloads were intact). Legitimate
macros depending on the aforementioned events won't work either. You've been
warned.

InVircible 7.01f

Pros: None significant

Cons: Average user will find interface difficult and confusing, poor
documentation, and low virus detection rate

Value: A disjointed and ineffective collection of utilities that fails to
live up to its sales claims

Price ex GST: $180

Phone: Virus Defence Bureau, 0-9-366 1593


--
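The review above describes two change-detection mechanisms: IVINIT comparing the MBR, partition sector and Cmos against fixed-name snapshot files that it silently recreates when they are deleted, and IVB/IVB32 comparing executables against 66-byte snapshot files that can be deleted without any reaction. The following is an added example, not code from the article, from NZ PC World or from Invircible/NetZ: a minimal file integrity checker in Python that takes a hashed baseline, classifies files as modified, new or missing, and authenticates the baseline with an HMAC so that a missing or forged snapshot is reported as an alert instead of being regenerated from the current (possibly infected) state. The file names, the 5,696-byte append (KRiLE's growth figure from the review) and the key value are constructed for the demonstration; keeping the key on write-protected media away from the protected disk is an assumption, not something the product does.

```python
"""Minimal change-detection (integrity-checker) demo.

Added example, not code from the original article or from Invircible.
Baseline = per-file SHA-256 + size, serialised as JSON and authenticated
with an HMAC, so an attacker who can write to disk cannot silently replace
or regenerate the baseline. The key is assumed (not part of the page) to be
kept off-line on write-protected media, never beside the files it protects.
"""
import hashlib
import hmac
import json
import os
import tempfile

ALGO = "sha256"


def _digest(path):
    """Hash a file in chunks so large executables need not fit in RAM."""
    h = hashlib.new(ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Return paths relative to root, sorted so the manifest is deterministic."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            out.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(out)


def build_baseline(root, key):
    """Return an authenticated manifest (bytes) covering every file under root."""
    entries = {}
    for rel in _walk(root):
        full = os.path.join(root, rel)
        entries[rel] = {"size": os.path.getsize(full), "hash": _digest(full)}
    body = json.dumps({"algo": ALGO, "files": entries}, sort_keys=True).encode()
    tag = hmac.new(key, body, ALGO).hexdigest()
    return json.dumps({"manifest": body.decode(), "mac": tag}).encode()


def verify(root, baseline, key):
    """Compare the tree under root with the baseline.

    A missing or tampered baseline is itself an alert: raise rather than
    re-snapshot from the current state, which might already be infected.
    """
    if not baseline:
        raise ValueError("baseline missing: refusing to re-snapshot")
    wrapper = json.loads(baseline)
    body = wrapper["manifest"].encode()
    expected = hmac.new(key, body, ALGO).hexdigest()
    if not hmac.compare_digest(expected, wrapper["mac"]):
        raise ValueError("baseline MAC mismatch: snapshot was tampered with")
    known = json.loads(body)["files"]
    current = set(_walk(root))
    report = {"modified": [], "new": [], "missing": []}
    for rel, meta in known.items():
        full = os.path.join(root, rel)
        if rel not in current:
            report["missing"].append(rel)
        elif os.path.getsize(full) != meta["size"] or _digest(full) != meta["hash"]:
            report["modified"].append(rel)
    report["new"] = sorted(current - set(known))
    return report


def demo():
    """Constructed scenario: baseline a small tree, then simulate an appending
    file infector and an attacker regenerating the snapshot without the key."""
    key = b"offline-key-on-write-protected-media"  # assumption for the demo
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"command.com": b"MZ" + b"\x90" * 100,
                           "iv/ivb.exe": b"MZ" + b"\x00" * 200}.items():
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = build_baseline(root, key)
        clean = verify(root, baseline, key)
        # "Infection": one executable grows by 5696 bytes, a new file appears.
        with open(os.path.join(root, "iv", "ivb.exe"), "ab") as f:
            f.write(b"\xcc" * 5696)
        with open(os.path.join(root, "dropper.exe"), "wb") as f:
            f.write(b"MZ")
        infected = verify(root, baseline, key)
        # Attacker re-snapshots the infected state without the key: rejected.
        forged = build_baseline(root, b"wrong-key")
        try:
            verify(root, forged, key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
    return clean, infected, forged_rejected


if __name__ == "__main__":
    print(demo())
```

Run the file directly to print the clean report, the post-infection report and whether the forged snapshot was rejected. The point of the MAC is the one the review makes about the fixed-name snapshot files: a checker that regenerates its own baseline on demand, with nothing to authenticate it, can be defeated by simply deleting or rewriting the baseline, so the baseline must be taken on a known-clean system and protected separately from the disk it describes.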
 
optikl

Craig said:
This is the product that is so perfect and wonderful that it never ever
needed updating.
Craig, this is what trolls do; rehash the same information, over and over
again. If you want NetZ to do something (corrective action), then go off
line with them and tell them. Your axe isn't going to get sharper here. BTW,
you do know that one of the side-effects of methamphetamine is
obsessive/compulsive behavior?
 
Wim Hamhuis

optikl said:
Craig, this is what trolls do; rehash the same information, over and over
again. If you want NetZ to do something (corrective action), then go off
line with them and tell them. Your axe isn't going to get sharper here. BTW,
you do know that one of the side-effects of methamphetamine is
obsessive/compulsive behavior?

Good and *free for civilians* software to remedy a computer virus: a good
backup and a good (and patched, via the website) system. These links:

www.windowsupdate.com (visit 1): patch your Windows from the site.
www.free-av.com (visit 2): install Windows AntiVir 6.0
www.zonealarm.com (visit 3): install ZoneAlarm

If a computer virus is detected you can download and execute a repair tool
from

www.symantec.com

With friendly greetings,
Wim Hamhuis
 
