Keith Jackson
"VIRUS BULLETIN", March 1996, pp.21-23
March 1996
Dr Web is a relative newcomer to the scanner stable. A Russian package, the product can be run either in interactive mode (drop-down menus) or in batch mode (executing a specified scan and returning an error level code). The latter can be used to execute Dr Web from AUTOEXEC.BAT whenever a reboot takes place.
This product is the easiest package I have installed in a long, long time. After using anti-virus packages that draw pretty pictures, spend aeons copying files, and update my system files thoroughly, it is a pleasure to use a product which merely instructs the user to copy all the files contained on the Dr Web disk into any desired subdirectory. It really is that simple.
Dr Web was provided for review on a single 1.44MB (3.5-inch) floppy disk. The files on this disk occupied only 373KB - of course, the same amount of hard disk space is required. Dr Web is itself a DOS program, and its only concession to Windows is the provision of a Windows icon and PIF file.
The documentation provided with Dr Web came in the form of a 69 KB long text file, which was stored on diskette. This file explains the available options in a clear and concise manner. Another file contains all the error messages which can be produced by Dr Web - unfortunately, however, these error messages are not explained in the help file. This omission should be corrected.
The product currently claims knowledge of 1450 viruses, and a file provided on floppy disk gives details of the known properties of each of these viruses. This file is very easy to follow - it is somewhat terse, but nonetheless comprehensive. As it is plain text, it can be examined at will for information about any particular virus.
Dr Web includes a content-sensitive help system which can be activated by pressing the F1 key. Although this system is eminently understandable, it is one of the weaker points of the entire package, as the on-line help does not go into any great detail.
I was also underwhelmed to see the following message in Dr. Web: 'The entire risk as to the quality and performance of the program lies with the user', a disclaimer so sweeping and generalised that, in many parts of the world, it is almost certainly illegal.
Dr Web can be tailored in many ways to provide a specific scan. One selection screen offers expanding windows, mouse support, various display options, font changing, even a language change option. Currently, Dr Web can operate either in Russian or in English - the default for the copy provided for review was English. This proved useful; my Russian is rather rusty!
For each scan, it is possible to enable or disable the memory test, the boot sector test, the report log, various scanning selections, and heuristic analysis. The third (and final) setup screen will permit selection of the path to be scanned, the log file name, and checking for a TSR virus - this is jargon for testing whether the size of a file has altered after it has been opened.
Dr Web offers three levels of scanning, collectively known as 'heuristics'. This is a term which is used by many anti-virus products when they use virus-non-specific tests to decide whether or not a program is infected. Simply put, the product examines the file to see whether or not it contains code which appears to be in some way virus-like, or is a standard uninfected file.
This means that, even if the heuristic testing finds what it thinks is an infected file, it does not know which virus is causing the infection. Heuristic methods also increase the prevalence of false alarms; however, they do enable products to detect some viruses which are not specifically known to that software.
Dr Web offers these three levels of heuristics: 'minimal', 'optimal' and 'paranoid'. The higher the level of checking, the slower the product (see Operation, below). When the 'paranoid' mode is used, one of the additional checks Dr Web performs is an examination of a file's date and/or time stamps. This can sometimes be an indication of virus infection: for example, some viruses set certain fields of the time stamp to illegal values as a flag which indicates that the file is infected.
Once again, VB has provided me with a shiny new virus test-set. It has been only three months since the last upgrade, but things are obviously moving apace if we need to upgrade the test set with such frequency.
The content of the test-set is listed in the Technical Details section [for a complete listing of viruses in the standard, polymorphic, and in-the-wild test-sets, see VB January 1996 p.20]. It includes 5500 polymorphic viruses, a 'Standard' test-set, an 'In the Wild' test-set, and twenty Boot Sector viruses. Even though the total number of polymorphic virus samples has remained of the same magnitude, there are now 500 samples each of several more polymorphic viruses.
When Dr Web is executed, it first scans memory, then the Master Boot Record (MBR), and then whatever particular set of files, subdirectories or drives have been selected.
The first noticeable occurrence was that when using the default settings, the scan of the hard disk of my test computer took a long time. A very long time - 44 minutes and one second, to be precise. The default settings also provided an onscreen listing of all the files which were found to be compressed by programs such as PKLITE, DIET, LZEXE and EXEPACK.
Comparative results of scanning speed are the only fair way to measure how fast a scanner can operate, so I timed how long it took Dr Web to scan the hard disk of my test computer with various options selected, and compared these scanning times with two other well-known scanners.
The default Dr Web scan time stated above could be reduced to 30 minutes 45 seconds by not scanning inside packed or archived files, and further reduced to exactly 20 minutes by switching off all heuristic scanning. Although I tried disabling other options, including memory scan, boot sector scanning, and even the log file. I was unable to reduce the scan of the entire hard disk below 19 minutes 25 seconds. This is, however, unsurprising, as the first two of these are one-time loads at the start of the scan, and the third is unsignificant.
By way of comparison, Dr Solomon's Anti-Virus Toolkit could scan the same hard disk in 4 minutes 8 seconds, and Sweep from Sophos required 3 minutes 12 seconds to perform the same task. Whichever way this is presented, there is no doubt whatsoever that Dr Web is very slow at scanning. Impressively so.
Because there are so many options available, the detection capabilities of this product are difficult to express in just a few words.
Without any heuristic detection enabled, Dr Web detected only 182 of the 286 In the Wild virus test samples, corresponding to a detection rate of 64%. With 'minimal' heuristics, the total number detected rose to 267, and with either 'optimal' or 'paranoid' heuristics, the score reached a detected total of 270, a detection rate of 94%. Detection of the In the Wild viruses reaches high levels only when heuristic detection is used.
When Dr Web was tested against the viruses in the Standard test-set, it detected just 83 of the 265 test samples without heuristic detection enabled. This gives a detection rate of merely 31%, by no stretch of the imagination a high score.
When heuristic detection was enabled (at any of the three levels), Dr Web detected 238 of the 265 viruses (90%). Even more so than with the In the Wild test-set, heuristic detection is needed to provide a high level of virus detection.
Without heuristic detection, Dr Web detected only fourteen of the twenty boot sector viruses in the test-set: it failed to detect Da_Boys, Peanut, Quox, Ripper, She_Has, Unashamed, and Urkel. All of these boot sector virus test samples were spotted as 'suspected for infection' when optimal heuristic scanning was enabled.
When tested against the polymorphic virus samples, Dr Web performed very well indeed. It was 100% perfect against ten of the eleven sets, and missed only fourteen of the of 500 DSCE.Demo test samples. This adds up to 5486 of the 5500 polymorphic test samples detected correctly, an overall detection rate of 99.7%. DialogueScience states that this oversight has now been corrected.
This result is impressive, and makes the product in that respect one of the best I have tested. The score was achieved without resorting to any of the heuristic detection options.
When the 'paranoid' level of heuristic scanning was used, the polymorphic detection rate rose to 100%, as Dr Web then spotted the final fourteen polymorphic viruses as having a 'strange creation time'. That is not an explicit virus detection, but it would be enough to alert a user that something odd was afoot.
Dr Web slowed down enormously when the polymorphic virus samples were scanned. The time taken to perform the first scan of the Magneto-Optical disk containing the complete virus test-set listed in the Technical Details section was 8 hours 44 minutes. When heuristic detection was used, this increased to a maximum of 10 hours and 50 minutes. Dr Web was taking so long to scan the entire test-set that I had to run tests overnight for four consecutive nights.
Rather curiously, the highest level of heuristic detection ('paranoid') was actually faster than the other two levels of heuristic detection. It scanned the test-set in a time which was only five minutes longer than having no heuristics enabled. I know not why.
The onscreen reported times were also rather intriguing. Whilst a scan time of 7 hours 37 minutes and 14 seconds was correctly displayed as H7:37:14, the scan time of ten hours 49 minutes 56 seconds was shown as H0:49:56. Once again I have no idea why, but would suggest the developers test Dr Web against a very long scan time. A bug is lurking there.
Dr Web maintains a log file which contains details of anything has been found during a scan. Along with various other options, the name of this log file can be chosen at will.
There is no memory-resident software provided with the product: it is therefore imperative either to scan manually, or to place Dr Web in AUTOEXEC.BAT, so that a scan is performed every time the computer is rebooted.
Dr Web provides an option to 'Cure' an infected file, but in common with my usual stance, this has not been reviewed. Infected files should be replaced with copies known to be uninfected. Doing anything less is just playing games.
As long as heuristic scanning is enabled, Dr Web is quite competent at detecting viruses. However, it has a basic lack of knowledge of many (most?) of the viruses in the In the Wild and the Standard test-sets, and needs its heuristic options to raise the detection rate to reasonable levels.
This need to resort to heuristic detection means that Dr Web does not always know which specific virus has caused a particular infection. DialogueScience states that its reasoning for this is that Dr Web is usually sold in tandem with its product Virus Hunter, which provides for further detection of the more standard viruses.
When it comes to detecting polymorphic viruses, Dr Web is excellent. It requires no heuristic detection to detect these, and gets as close to 100% perfection as it reasonable to expect of any product. A performance as good as this with such reliance on heuristic scanning is impressive.
The main drawback with Dr Web is that it is very slow at scanning. The most recent Virus Bulletin comparative review found that, of all products tested, it was the slowest: I can only agree with this result. Contrary to expectations, it may well be that resolving the speed problem will be more difficult for the developers than the addition of specific information about more viruses to Dr Web. Both of these tasks, however, need to be done.
Product: Dr Web. Developer/Vendor: DialogueScience Inc, Room 102, 40 Vavilov Street, 117786, Moscow, Russia. Tel +7 095 938 2970, fax +7 095 938 2855, BBS +7 095 938 2856, Email:antivir@dials.msk.su, FidoNet 2:5020/69. Availability: Not stated. Version evaluated: 3.08. Serial number: None visible. Price: Dr Web can be purchased separately as a stand-alone program, or as an integral component, along with three other anti-virus programs, of the DialogueScience Anti-Virus kit (DSAV). Dr Web itself is available as a one-off purchase or as an annual subscription. Hardware used: A Toshiba 3100SX; a 16 MHz 386 laptop computer with one 3.5-inch (1.44MB) floppy disk drive, a 40MB hard disk and 5MB of RAM, running under MS-DOS v5.00 and Windows v3.1. Viruses used for testing purposes: Where more than one variant of a virus is available, the number of examples of each virus is shown in brackets after the virus name (if the total is greater than one). For a complete explanation of each virus, and the nomenclature used, please refer to the list of PC viruses published regularly in VB. The boot sector test-set contains twenty boot sector viruses, one each of: AntiCMOS.A, AntiEXE, Da_Boys, Empire.Monkey.B, EXE_Bug.A, Form.A, IntAA, Jumper.B, Junkie, Natas.4744, NYB, Parity_Boot.B, Peanut, Quox, Ripper, Sampo, She_Has, Stoned.Angelina, Unashamed, Urkel The polymorphic, the standard, and the In the Wild test-sets are listed in detail in Virus Bulletin January 1996 p.20.[Back to index] [Comments (0)]