Norton AntiVirus for Windows 95
Software Review by Mike Bianchi

VIRUS ALERT!! Have I got your attention? Is the adrenaline pumping? There is probably nothing more effective than a virus to strike fear into the hearts of computer users.

But what exactly is a virus? A virus is a program that attaches itself to other programs; when those programs are run, the virus activates and attaches to other programs. Computer viruses, like their biological counterpart come in many varieties. Some do nothing more than replicate themselves; one that was prevalent about 5-6 years ago did nothing more than change the volume label on the disk it was attached to and occasionally posted a message on the screen that said, in effect, "See what I can do". Others, again to use the biological analogy, can be particularly 'pathogenic', damaging or deleting files or even completely reformatting your hard drive.

Here are a few points to keep in mind about viruses:

• Point 1: Although viruses are usually spread accidently through the carelessness or ignorance of the user, their origination is never by accident. They are created by malicious programmers with the specific intent to cause problems on other people's computers. I have my own ideas as to what should be done with people like that, but a family oriented magazine like this is not the place for that discussion.

• Point 2: Viruses are spread by attaching themselves to executable program files or, in some of the more recent developments, to program documents or macro files, particularly Microsoft Office files and macros. I am not aware of any viruses that can attach to document or macro files for programs other than Office, but if they don't exist, its only a matter of time before someone figures out how to do it. The point of this discussion is that a virus cannot be spread through a text document such as an Internet news group article or an e-mail message (be cautious of attachments, though). It seems the newest fad for some of the 'Net-Sickies' to get their jollies is by spreading false virus alert warnings.

• Point 3: Viruses can cause problems only if you don't know how to deal with them.

So, how DO you deal them? I'm glad you asked me that. Let me tell you about a product that is designed specifically for that purpose.

Norton AntiVirus for Windows 95, version 2.0 is a product of Symantec Corp of Cupertino CA. The Win95 version will run ONLY in Win95. Symantec also produces separate versions of Norton AntiVirus for DOS, Windows 3.x, NT, NetWare, and Macintosh.

A check of local vendors gives a price range of $70-85. Mail order prices range from $65 to $90.

Symantec's web site is located at http://www.symantec.com; customer service can be reached at (800) 441-7234 in the US and Canada. They are also available in Australia, Mexico, Brazil and several European locations.

Tech Support

System Requirements

Installation:

I'm one of those weird people who actually reads the documentation, but the installation instructions could not be found anywhere in the User's Guide. I finally found them on the separate QuickStart card. However, if you have ever installed any software in Windows 95, you won't need the instructions. You simply select your preferred method, from the several provided by Win95, to execute the SETUP program on the first disk.

The first step of the installation process is an automatic scan to make sure you don't already have a virus on your system. If you know for sure that you do already have a virus infection, the QuickStart card gives instructions on how to remove it before installation of Norton AntiVirus.

The installation recognized that I was using Netscape Navigator and set itself up as a Helper Application. It did not recognize that I also had four other web browsers installed; it has to be configured manually for use with these browsers. The instructions for manual configuration are included in a text file on the disk.

Features:

Manual Scans: You can tell Norton AntiVirus to check for viruses whenever you wish with the manual scan feature. You can select specific files, folders or entire disks to examine.

Scheduled Scans: Norton AntiVirus includes an event scheduler that can be used to run a scan at a predetermined time. By default, the installation program schedules a scan to be run weekly. If you have Microsoft Plus! you can also use the System Agent to run a prescheduled scan.

Startup Scans: By default, Norton AntiVirus is configured to run a scan every time you turn your computer on. This is the best way to detect viruses that infect your system files and boot records that the computer needs to run.

Auto-Protect: This feature runs in the background and scans files as they are used or copied.

There are thousands of known viruses. They function by adding pieces of code (known as the virus signature) to the infected file. Scans work by searching files and memory for the signature. This is done by comparing files against the Virus Definition File which contains all the known signatures. However, with 3-4 new viruses being created EVERY DAY, it is possible that the virus you picked up is not even included in the Definition File yet. Norton AntiVirus's Auto-Protect includes a feature known as Virus Sensor that is capable of identifying the presence of unknown viruses by monitoring your system for 'virus like activity', that is, the type of activity that a virus would use to infect or damage a file, such as trying to format your hard drive.

Inoculation: Once you know that you do not have or have gotten rid of any viruses, the Inoculation feature adds another line of protection. This records critical information about a file that future scans can use for comparison. If the file has been changed so that it does not match this 'fingerprint', you will be notified as this could indicate the presence of a virus. It is important to remember, however, that an Inoculation discrepancy can be also caused by events that are not related to a virus. For example, installing a version upgrade will probably cause an Inoculation error report to be generated.

So What Happens If a Virus Is Found:

The Repair Wizard can be configured to repair files manually one at a time or automatically (recommended). The automatic setting will ask for confirmation before taking any action. The options available are:

• REPAIR removes the virus and returns the file to its original state.

• DELETE removes the file from the disk. Deleted files cannot be recovered and will have to be reinstalled or restored from an uninfected backup. You did make a backup didn't you?

• STOP blocks the reported action from taking place. This option may prevent a virus from spreading but does not solve the problem.

• CONTINUE allows the reported action to take place. This should be used when the action that is being reported is valid in the context of what you are trying to do. For example, if Auto-Protect tells you that a program file is being overwritten while you are running an upgrade installation.

• EXCLUDE excludes the file from future scans and allows the operation to continue. This option should be used with caution only if you know that it is not a real problem and would expect the alert to pop up again.

• INOCULATE adds or updates the file's inoculation data. Changes in the inoculation data would occur normally during an upgrade installation, at other times may indicate the presence of an unknown virus.

• INFO displays detailed information about the virus that was found.

System files cannot be deleted. If they cannot be repaired, you will need to shut off the computer then reboot from an uninfected floppy; either the rescue disk created when you installed Norton AntiVirus, the Startup disk created when you installed Windows or a boot disk created from DOS 3.1 or higher. Be sure to have one of these disks created BEFORE your system becomes infected and that the disk is write protected when you use it. Once your system has been rebooted, you will need to reinstall Windows. Unrepairable boot records can be restored from the rescue disk.

Updates

A feature called Live Update will connect you through your Internet connection or modem, down load the file and automatically install it on your system. I tried the Internet feature and was unable to get a connection through my ISP, it probably requires a direct connection but I was unable to get confirmation of that (see my comments above on tech support). If you use the modem option, expect to find a call on your phone bill to Eugene OR. The file can also be obtained from Symantec's BBS or from our own, from America Online, CompuServe, Microsoft Network, Internet or though the mail. I downloaded it from Symantec's FTP site and before I got the usual Win95 SaveAs window, Norton AntiVirus popped up a window informing me that it had determined that the file was virus free, a nice touch.

Evaluation

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVI
RUS-TEST-FILE!$H+H *

then save it to any filename with a .COM extension; if you are using Windows 95 be sure to enclose the filename in quotes or it will automatically be given a .TXT extension.

Results

Rebooting the computer to activate the Startup Scan gave similar results; the problem file was located, the boot procedure was halted and I was presented with a text screen to determine how to deal with the situation. A second reboot after the infected file was moved out of the root directory missed it entirely. The Startup Scan is designed to catch viruses that infect system files and boot records, as such, it only examines executables in the root directory and WIN.COM.

Running the Manual Scan feature, the virus was located as expected and the Repair Wizard was activated. Attempting to repair the file resulted in a message saying that the file could not be repaired and recommended deletion. This makes sense because, as discussed previously, the Repair function removes the virus and returns the file to the state it was in prior to infection. In the case of my test file, the virus was the entire file and removing it would have left nothing. Since a real virus would function by replicating itself to infect additional files, I next ran a scan with multiple copies of the file scattered around to different folders. All copies were located with the same options being offered for each as were available with the single copy.

The next test I ran was to check Norton AntiVirus's performance on compressed files. I compressed the file using PKZIP. Again the procedure was blocked by Auto-Protect (as was decompressing). Although the Scan was able to locate the virus and report the name of the compressed file where it was located, it was unable to repair or delete the file while in the compressed state.

The final test was to transfer the file through the modem. Once again Auto-Protect saved the day by detecting the virus and terminating the transfer. However, the problem file was missed completely when the zipped file was transferred and the transmission was completed without any alert being triggered. This is the closest thing that I found to a negative result to any of the tests I ran. Although I think it would be a handy feature to be able to detect viruses in compressed files as they are being transferred, this is really not much more than an inconvenience because all downloaded files are manually scanned before they are used anyway (aren't they?).

Conclusion