
CyberSoft White Papers

Who, What, Why

CyberSoft, Inc.
March 2001

Presented by
Peter V. Radatti
President / CEO

Why does CyberSoft exist and who is Peter Radatti?

Prior to starting CyberSoft, Inc. (www.cybersoft.com), Peter Radatti spent over 15 years working in the aerospace and military industries for companies like Control Data Corporation at the Naval Air Development Center, General Electric at the Valley Forge Space Center and SRA in Moorestown, New Jersey. He got the idea for CyberSoft’s first commercial product while at General Electric. GE had no interest at that time in the product, which was an antivirus scanner for Sun Microsystems Unix computers. Undeterred, he purchased a Sun workstation and completed the project at home. When the program was completed, he was going to enter it into the public domain, but General Electric suddenly took an interest in the program and asked him to wait.

While GE was interested in obtaining the program for resale, they were not interested in compensating Radatti for the product and lost interest. GE’s interest in the program, called VFind, made Radatti realize that he might have something of serious commercial value. At the time, his mother Marie Radatti worked for Bell Atlantic, which had started an entrepreneurial program. Bell Atlantic also had an interest in the program but also was not willing to compensate Mr. Radatti for it. With two major corporations showing an interest in the program, Mr. Radatti decided to withdraw part of his savings and demonstrated the program at the Unix Expo International in October 1991 at the Jacob Javits Center in Manhattan. His trust paid off and he made enough of a profit to seriously launch his company, CyberSoft. Much later, both General Electric Valley Forge (now Lockheed Martin Valley Forge) and Bell Atlantic (now Verizon) became customers.

Who Is CyberSoft, Inc.?

CyberSoft, Inc. is a corporation registered in Pennsylvania. It was founded July 29, 1988 and incorporated January 1, 1993. The first commercial product announcement, VFind, was made available to the general public at the Unix Expo International in New York City on October 30, 1991. The company is privately held.

A substantial percentage of all CyberSoft income is derived from United States DOD sales. An undisclosed amount of these sales are for products which are not made available or advertised to the public.

What does CyberSoft make?

At a very high level description, CyberSoft manufactures computer security tools.

These tools tend to concentrate in, but are not limited to, a few areas: pattern analysis, metadata creation and usage, cryptographic data, key management systems and brute force solutions to complex problems. In addition, we have created the glue necessary for the top to bottom integration of these tools into customer systems. Normally, CyberSoft is customer driven and excels at difficult tasks, but it can also be very introspective within predefined problem sets, for example Unix system and network security.

An example of a difficult customer driven problem resulted in the creation of our NTI and NTI-Crypto products which solved a problem created when Netscape eliminated their Suite Spot Cryptography Proxy and a U.S. patent held by a foreign company was the only obvious solution.

Very often, problem sets require CyberSoft to invest in basic and applied research. Due to “patent wars” in the computer security industry, CyberSoft now files for patents on all significant technology. The primary reason for this is that a foreign company with U.S. offices was granted a U.S. patent on an existing CyberSoft invention. (CyberSoft’s invention was on the market for 3 years prior to the foreign company’s claimed date of invention by foreign nationals.) This created a legal denial of service attack (LDOS) against CyberSoft. (See NTI-Crypto above.) By filing for patents, CyberSoft protects its investment and shields customers from LDOS attacks. In addition, CyberSoft has successfully made lemonade from lemons. In every instance where CyberSoft was faced with a LDOS problem, it invented a new and better solution then filed for patent protection for the new technology. CyberSoft has filed for over 15 computer security software patents as of January 2001 with the rate of filing increasing.

CyberSoft normally works on a payment for product solutions basis. If we cannot successfully solve the customer’s problems by creating a new tool, then we can’t deliver the tool or get paid for its delivery. This mode of operation allows CyberSoft to own the technology while the customer benefits by having its problems solved with newly created technology. Exceptions to this mode of payment are possible.

Why you should care

CyberSoft is a niche player. We only make computer security products. We do one thing and we try to do it very well.

CyberSoft is a real team player. On a recent major project CyberSoft took up the slack from another subcontractor that exited. Since no additional funding was available, we did so at no price increase. (The other subcontractor is no longer in business.)

Unlike most vendors, our products are tools. Most computer security products are monolithic. They do what they do and nothing else. Our customers constantly surprise us with new uses for the tools in our products. Each tool can stand alone or be linked together as “software objects” with our other tools. The use of standard input, standard output and “smart scan” make third party interface to our products simple. (See: An Example of a Customer Created Use of One CyberSoft Tool.)

CyberSoft brings new solutions to difficult problems. On the same project, CyberSoft invented new technology to solve problems that could not be solved by other means. We love really difficult problems.

CyberSoft normally is the most cost effective vendor, including cost to own. In a recent Dun and Bradstreet report created for the General Services Administration, CyberSoft was rated by its customers as outstanding in Total Cost and near outstanding in Overall Rating, Timeliness, Problem Responsive, Quality, Technical Support, Quantity and Attitude. As an example, many antivirus vendors charge a seat price for each unique email address processed by a mail server. CyberSoft prices are set on a per box basis and the default is a perpetual license. Preparing a budget for CyberSoft products is easy since all you need to do is count the number of boxes. The cost of our product is the same no matter how many users are on the server.

Should You Use CyberSoft Tools?

1) If you want a computer security toolkit instead of a monolithic program.

To the best of our knowledge, CyberSoft is the only company that makes products like ours. While there are competing products, they are not tool kits and they are not as versatile as our products. For example, an antivirus product only scans for viruses. It does not have a universal identification and decomposition tool and it does not have a cryptographic integrity tool. At least one competing product does part of what the Avatar program does but costs $50,000.00 vs the VSTKP list price of $2,400.00.

2) If you want to virus scan on Unix systems

CyberSoft invented Unix antivirus. We are the only company to support all major Unix platforms: Solaris Sparc and Intel, HPUX, AIX, IRIX, Linux, Compaq DEC Alpha Tru64 and OSF, DGUX Intel and 88K, SCO Unix, SCO UnixWare, BSDi, Nixdorf and others. We also support Windows NT and some versions of DII/COE for Solaris and HPUX.

3) If you want the exact same product to run on all your systems. (Unix & Windows)

We currently support all major Unix systems. Additionally, we support Windows NT and Windows 2000 with plans to support additional versions of Windows.

CyberSoft also has a liberal porting policy. We will port to any Unix system for the cost of the system and necessary software development environment. Some Unix computer manufacturers have taken advantage of this policy by supplying CyberSoft with systems or upgrades. (Data General, Nixdorf and Compaq DEC)

4) If you need a strong general purpose pattern matching language.

Many parts of the Federal Government have used the VFind tool without the virus database to handle the declassification of data. It has also been used for the downward movement of compartmentalized data and for the cleanup of multi-compartment data spills. While we do not have first hand knowledge of it being used to monitor the movement of data within a network, this ability has been well known for many years.

Finally, the VFind tool can be combined with the NTI tool to provide the same functionality on a live TCP/IP network. Data moving into, out of, or within a network can be intercepted by NTI and processed for specific pattern monitoring.

5) If you want at least 2 virus database updates per week.

CyberSoft has averaged 2 or more virus database updates per week. These database updates are for real live viruses that are found in operation around the world. They are not “zoo” viruses found on some “virus hacker” web site.

CyberSoft will also put out PANDEMIC warnings with database updates as soon as we can determine one exists. We are normally ahead of the curve simply because we are on the east coast and the time zone difference helps us. We took care of the IloveYou virus by 8:30 AM on the day it struck. We did similarly with the LoveLetter and AnnaKournikova viruses. We had a code for the Nimda-A Virus weeks before it struck but we called it the “Readme” Virus since it didn't have a name at that point.

6) If you want the antivirus manufacturer to operate your email antivirus solution.

CyberSoft offers email filtering as a service, www.safeinternetemail.com. We will operate this service in our datacenter or in your datacenter. To the best of my knowledge we are the only company that manufactures this type of software that will also operate it as a service for the customer.

7) If your budget requirements don't fit normal software pricing schemes.

We will work with your buyers. We have an advantage immediately because we charge on a “per system” basis, not on a per seat basis for our software products. That means that a server with 40,000 seats can purchase a copy of VSTK for the same price as a server with 1 seat. We also do not distinguish between systems. The price for a 1 CPU system is the same as the price for a 500 CPU system. Software is licensed on a perpetual basis. This does not include maintenance and updates, but if you don't need them there are no recurring costs.

Finally, we will work with a buyer attempting to integrate our products into a major system where quantity and other factors are not well understood.

8) If you want the only antivirus product made 100% in the United States.

I may be wrong on this but I believe that the antivirus tool in our product (actually all of the tools) is the only antivirus product currently 100% made in the United States by U.S. citizens. While there are currently undocumented features (for future release) there are no back doors. We are also a Small Business Administration registered small business.

9) If you need the manufacturer to integrate the product into your system.

The last one of these that we did was for the US government. It took 2 years and yielded many new patents. We do what has to be done. In fact, the company slogan is “We Make It Work”. References available upon request.

What are some of CyberSoft’s Commercial Tools?

CyberSoft products are generally sold as computer security tool kits. Three of these tool kits are the VFind Security Tool Kit Standard Edition (VSTK), the VFind Security Tool Kit Professional Edition (VSTKP) and the VFind Security Tool Kit for Cyber War (VSTKCW). In ascending order (VSTK, VSTKP, VSTKCW), each tool kit is a subset of the next higher tool kit. There are also breakout tools such as the CIT/THD Combo Package and Wave Antivirus. Computer security consulting and product training are also available. In general, for CyberSoft tools, the higher priced products provide a greater return on investment for the customer. For example, the VSTK product sells for $695.00 while the VSTKP product sells for $1,795.00. The difference is $1,100.00 which accounts for the addition of the Avatar tool. This tool enforces system baseline conformance to file system security policies. A tool of this type can be used to allow computers to detect when they are “sick” and then “heal” themselves. (Usually in the middle of the night saving personnel costs.) The closest competing product to Avatar only works for web pages and starts at $50,000.00. This is in addition to the fact that all of the other tools in the VSTK product are included.

The fountainhead tool for the three tool kits listed above is VFind. It was the first tool and continues to be the most used. VFind is a general purpose pattern analysis tool that comes loaded with an attack software identification database (viruses, Trojan horses, etc.). The pattern analysis language, CVDL, is fully featured, includes Boolean operators and is directly accessible to the end user. One of the more unusual features of VFind is that it scans every byte of every file scanned. It is the only antivirus tool in the world that does this. This makes it especially useful for informational spill cleanup, computer forensic investigation of file systems, enforcement of compartmentalization rules and any other use a pattern analyzer can be put to. For example, the www.safeinternetemail.com service uses VFind and UAD with some Bourne shell scripts to provide a new type of service. This service, SIE, has been eliminating over 90% of all English language unsolicited bulk email, in addition to scanning for verbal assault, sexual and racial harassment and viruses. This is accomplished using the VFind tool with new pattern definitions in the CVDL language. In addition, SIE has successfully stopped new previously unknown VBA based worm attacks using spin off information from the UAD tool. UAD decomposes and identifies data by its content. For example, if a zip compressed file “xyz.zip” is renamed “test.doc”, the UAD tool will still recognize it as a zip compressed file and recursively render all of its contents for processing. UAD is the only tool of its type that assumes a hostile environment and ignores filenames as indicators of content.

The CIT tool produces a cryptographic (currently MD5) database of the entire or any part of the file system. Using CIT, you can ascertain if hackers have broken into your system and what modifications they made. You can also detect unauthorized modifications by authorized personnel. CIT also produces a machine readable report of all files that should be virus scanned. Finally, CIT produces aggregate data information which can be used to determine if personnel are doing their jobs, are not doing their jobs and specifically what happened at a file system level on a computer many years later. This is especially useful if a trusted individual is later determined to have not been worthy of trust. Lastly, the CIT database can be used to determine if duplicate files exist on a system or if specific data has “wandered” on to the system. The uses for this tool exceed what can be written in a single white paper.
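
The baseline-and-compare workflow described above, as an added Python example that is not CIT or CyberSoft code: it hashes every file under a directory, compares a later snapshot with the baseline to list modified, added and removed files, and groups duplicate files by digest. SHA-256 is used here in place of the MD5 the paper names; the function names and the constructed sample tree are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

def digest(path, chunk=1 << 16):
    """Hash file contents in chunks so large files are not read into memory."""
    h = hashlib.sha256()  # swapped in for the MD5 the paper names
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map each regular file's path, relative to root, to its content digest."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                db[os.path.relpath(full, root)] = digest(full)
    return db

def compare(baseline, current):
    """List files modified, added or removed since the baseline."""
    common = set(baseline) & set(current)
    return {"modified": sorted(p for p in common if baseline[p] != current[p]),
            "added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current))}

def duplicates(db):
    """Group paths whose contents are identical, whatever they are named."""
    by_digest = {}
    for path, value in db.items():
        by_digest.setdefault(value, []).append(path)
    return sorted(sorted(paths) for paths in by_digest.values() if len(paths) > 1)

def write(root, name, body):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(body)

def demo():
    """Constructed tree: take a baseline, change the tree, compare."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("login", b"v1"), ("motd", b"hello"), ("tmpfile", b"x")):
            write(root, name, body)
        baseline = snapshot(root)
        login = os.path.join(root, "login")
        before = os.stat(login)
        write(root, "login", b"v2")  # same size as before
        os.utime(login, ns=(before.st_atime_ns, before.st_mtime_ns))  # same mtime too
        os.remove(os.path.join(root, "tmpfile"))
        write(root, "motd.bak", b"hello")  # copy of motd under a new name
        current = snapshot(root)
        return compare(baseline, current), duplicates(current)

if __name__ == "__main__":
    print(demo())
```

The changed file keeps its size and modification time, so only the content digest reveals it. A baseline is only useful if it is kept where the monitored system cannot rewrite it.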

The Network Traffic Interceptor (NTI) intercepts all TCP/IP and UDP traffic entering or exiting a system and diverts it for security processing. It is a general rule of thumb that 80% of all computer security attacks are from inside of a firewall. Using NTI, you can effectively put a firewall on every system, eliminating the 80% rule. NTI can be configured to process data for any port address. It understands ftp, http, sendmail, pop3 and telnet. Using the NTI-Crypto feature it can also “crack” and scan all SSL, HTTPS connections in addition to reading the Netscape cryptographic key database for scanning of SMIME email messages.

Significant computer security problems are ghosts. Viral ghosts. Most antivirus products on the market leave viral residue in programs as part of the disinfection process. This is especially true of disinfected OLE file structures where the virus is normally left intact but deactivated. Different manufacturers use different methods to disinfect and to mark a virus as disinfected. Within a manufacturer’s product set this is not a problem since their scanner will recognize the virus as disinfected and not report it. The problem comes in because people share documents, most commonly via email. If the receiving entity is using a different manufacturer’s product to detect viruses, it may detect the “disinfected” virus but not understand that it is disinfected. This system will then attempt to disinfect the already disinfected virus, causing unpredictable results. CyberSoft customers have complained to us about files in which we detect viruses but another product does not. This is most often a ghost. We have had Word documents sent to us that were disinfected dozens of times by multiple vendors’ products, yet the virus sample was still whole. CyberSoft solves this problem using our MvFilter tool. This product disinfects OLE files by removing the virus and zeroing out the space previously occupied by the virus. No product will then detect the virus as a ghost since no ghost exists.

An Example of a Customer Created Use of One CyberSoft Tool

One CyberSoft customer developed an idea for the use of the UAD tool to block email messages with attachments of types they wanted to restrict. They realized that not only did UAD decompose complex files for scanning and analysis but it also identified each component of a complex file. Email messages are complex “file” types that consist of a message header, message body and encapsulated attachments. UAD identified each attachment by its encapsulation method and its contents. Using a small shell script on their Unix mail server, they used UAD to identify all attachments they wanted to restrict and quarantined these messages.

For those of you who prefer Unix script languages to the English language here is a small example:

# Report every decomposed component whose name ends in a restricted extension.
"$VSTK_HOME/bin/uad" -z "$filename" 2>/dev/null | nawk '$2 == "Name:" && ( \
$3 ~ /\.vbs$/ || $3 ~ /\.com$/ || $3 ~ /\.exe$/ || \
$3 ~ /\.shs$/ || $3 ~ /\.wsf$/ || $3 ~ /\.wsh$/ || \
$3 ~ /\.scr$/ || $3 ~ /\.dll$/ || $3 ~ /\.hlp$/ || \
$3 ~ /\.js$/ ) { print "bad attachment type: "$3 }'
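
The same quarantine decision, as an added Python example that is not CyberSoft's code and does not use UAD: it walks a constructed e-mail message, identifies each attachment by its leading bytes rather than its filename (the renamed-zip case described earlier in the paper), recurses into zip archives, and matches the restricted extensions case-insensitively. The magic-number table, limits, function names and sample message are assumptions made for the illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions taken from the nawk filter above.
RESTRICTED = (".vbs", ".com", ".exe", ".shs", ".wsf", ".wsh",
              ".scr", ".dll", ".hlp", ".js")
MAGIC = [(b"PK\x03\x04", "zip"), (b"MZ", "executable")]  # illustrative only (assumption)
MAX_DEPTH, MAX_MEMBER = 5, 10 * 2**20  # archive nesting and member-size limits

def identify(data):
    """Name the content from its leading bytes; the filename is never consulted."""
    return next((kind for magic, kind in MAGIC if data.startswith(magic)), "unknown")

def restricted_name(name):
    # Case-insensitive, and tolerant of trailing dots or spaces.
    return name.lower().rstrip(". ").endswith(RESTRICTED)

def inspect(name, data, depth=0):
    """Return findings for one object, recursing into zip members."""
    kind, findings = identify(data), []
    if restricted_name(name):
        findings.append(f"bad attachment type: {name}")
    elif kind == "executable":
        findings.append(f"executable content under another name: {name}")
    if kind != "zip":
        return findings
    if depth >= MAX_DEPTH:
        return findings + [f"archive nested too deeply: {name}"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}!{info.filename}"
                if info.file_size > MAX_MEMBER:
                    findings.append(f"oversized archive member: {member}")
                elif not info.is_dir():
                    findings += inspect(member, zf.read(info), depth + 1)
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        findings.append(f"unreadable archive: {name}")
    return findings

def scan_message(raw):
    """Inspect every named attachment of a raw e-mail message."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.get_filename():
            findings += inspect(part.get_filename(), part.get_payload(decode=True) or b"")
    return findings

def sample_message():
    """Constructed input: a zip renamed test.doc that contains NOTE.TXT.VBS."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NOTE.TXT.VBS", "' constructed placeholder text\n")
        zf.writestr("readme.txt", "hello\n")
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="msword", filename="test.doc")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(sample_message()))
```

A filter that looks only at the outer filename would pass this sample, because the attachment is named test.doc; the restricted member is found only after the content is identified as a zip archive and opened.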

We have also had reports of customers using UAD to decompose and identify data objects prior to incorporation in a data warehouse, VFind to scan “erased” files on raw removable media prior to shipping from a facility that worked with “restricted data” and another customer that uses CIT to ensure magnetic tapes weren't degraded. We have also suggested methods of embedding Avatar in spacecraft systems to automatically “rebuild” these systems if damaged by solar flare radiation bursts. The uses for these tools are only restricted by the needs of the user.

Recap

Our virus scanner is a general purpose pattern analysis tool that can be used to scan every byte of every file for any type of data you need to locate. In addition, we release database updates at a minimum of twice per week. The databases include patterns for Microsoft, Unix, Linux, Java, Macintosh and almost any other type of attack we can obtain samples for.

All of the products use as little System Administrator time as possible. They are easy to install and maintain and whenever possible the products operate without human intervention and perform their work in the background. The installation instructions for the Unix products are to execute the “install” script.

CyberSoft products are sold as a perpetual license and have a low cost to own.

CyberSoft manufactures computer security tools. Most computer security software products are monolithic. They do what they do and cannot be used to solve any other problems.

Our products assume little to nothing about the environment they are operating in. We assume that the system is under attack and that very little can be trusted.

PostScript

If this is a computer security tool kit, then how come you spend so much time talking about antivirus?

Answer: There doesn't appear to be a commercial market for computer security tool kits but the antivirus market is large and well established. Since one of the tools included in the tool kit is a very good antivirus tool, we qualify.


© 2007 CyberSoft, Inc. All rights reserved.