What's In The VFind Security Toolkit

VFind is the virus scanner and pattern analysis tool. It is unlike any other virus scanner in existence. It was the first antivirus scanner for UNIX, the first heterogeneous virus scanner and the first scanner to incorporate a full virus description language, CVDL. Most virus scanners treat the filename extension as a description of the file type; VFind instead determines the file type by direct examination of the file's contents and searches for attacks based on what the file actually is. A scanner that only looks inside files whose names end in ".com" or ".exe" is defeated by simply renaming the file; VFind is not, which makes it significantly more powerful.

VFind Daemon provides user applications with virus scanning and detection services at a high level of performance. Running as a daemon process eliminates the need to re-initialize the scan engines on each request. Without the overhead of initialization, files are processed as they are received, improving response time and minimizing the effect of virus scanning on the main application.

CIT detects virus, hacker, sabotage and baseline configuration violations from any source, using cryptographic change detection: it records a cryptographic digest of every file in the baseline and later reports anything that has been added, removed or altered. This reduces help desk turnaround time from hours to minutes. The system doesn't work, the users claim they didn't change anything, and a proposal on the system is due out the door by noon today: is it user error, a virus attack or sabotage? CIT will never lie and cannot be tricked! The one thing the administrator must get right is the baseline itself: it has to be taken from a known-clean system and kept where an intruder cannot rewrite it, because a change detector can only report differences from the baseline it was given.

THD answers the question of how to find a chameleon Trojan horse attack when there is no content to scan. The chameleon Trojan horse attack works because a user is able to redirect a system command to a program of the same name in a different location, typically one that is searched before the real command's directory. The chameleon may or may not have any contents: an empty, executable file named like a system command is enough to hijack it, and gives a content-based scanner nothing to match.
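
As an added example (not THD's code; the directory layout is constructed here), the check below walks a search path in order, finds command names that resolve to more than one executable, and flags the candidate a shell would actually run along with the two properties that make a chameleon hard to catch: it may be empty, and it tends to live in a directory the user can write to.

```python
"""Finding a 'chameleon' Trojan horse: a program that shadows a system
command because a same-named file sits earlier in the search path.
Added example, not CyberSoft's THD; directory names are made up."""
import os
import stat
import tempfile
from pathlib import Path


def executables_in(directory: Path) -> dict:
    """Map name -> Path for regular files in directory with an execute bit.
    Directories listed in PATH but absent on disk are skipped, not errors."""
    found = {}
    if not directory.is_dir():
        return found
    for p in directory.iterdir():
        try:
            st = p.stat()
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
            found[p.name] = p
    return found


def find_shadowed(path_dirs: list) -> dict:
    """Return {command_name: [candidate paths in search order]} for every
    name that resolves to more than one executable. The first entry is what
    a shell will run; later entries are what the user believes runs."""
    seen = {}
    for d in path_dirs:
        for name, p in executables_in(Path(d)).items():
            seen.setdefault(name, []).append(p)
    return {n: ps for n, ps in seen.items() if len(ps) > 1}


def describe(paths: list) -> list:
    """Per candidate: is the file empty (nothing for a content scanner to
    look at) and is its directory group- or world-writable."""
    out = []
    for p in paths:
        st = p.stat()
        parent_mode = p.parent.stat().st_mode
        out.append({
            "path": str(p),
            "empty": st.st_size == 0,
            "writable_dir": bool(parent_mode & 0o022),
        })
    return out


def demo() -> dict:
    """Constructed PATH: a user-controlled bin directory ahead of the system
    one, holding an empty but executable file named 'ls'."""
    with tempfile.TemporaryDirectory() as tmp:
        userbin = Path(tmp) / "home" / "bin"
        sysbin = Path(tmp) / "usr" / "bin"
        userbin.mkdir(parents=True)
        sysbin.mkdir(parents=True)
        os.chmod(userbin, 0o777)   # world-writable, as a careless ~/bin can be
        os.chmod(sysbin, 0o755)
        for name in ("ls", "cat"):
            (sysbin / name).write_bytes(b"\x7fELF real " + name.encode())
            os.chmod(sysbin / name, 0o755)
        (userbin / "ls").touch()    # the chameleon: executable, zero bytes
        os.chmod(userbin / "ls", 0o755)
        missing = Path(tmp) / "opt" / "bin"   # stale PATH entry, no such dir
        shadowed = find_shadowed([userbin, sysbin, missing])
        return {name: describe(ps) for name, ps in shadowed.items()}


if __name__ == "__main__":
    for name, cands in demo().items():
        print(name, cands)
```

Against a live system, feed it `os.environ["PATH"].split(os.pathsep)` instead of the constructed list; the interesting output is any name whose first candidate is empty or sits in a writable directory while a later candidate is the real binary in a system directory.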

UAD solves two difficult problems, identification and decomposition. Decomposition of a file into its smallest indivisible parts (universal atomic disintegration, in the classical Greek sense of "atom" as that which cannot be divided further) is a difficult problem. First the program must correctly identify the file in order to decompose it at all. This is not a problem for UAD, which identifies the file by direct examination of its contents rather than by its name.
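
The following added example (not VFind's or UAD's code; the signature table and the sample archive are constructed here) shows the two ideas described for VFind and UAD together: classify every object by its leading bytes rather than its name, and when the object turns out to be a container, open it and repeat on each member until nothing further can be split. Nesting depth and member size are capped so that a hostile archive cannot turn decomposition into a denial of service.

```python
"""Identify files by content, then decompose containers down to their
atomic members, in the spirit of the VFind/UAD description above.
Added example, not CyberSoft's code; the sample archive is constructed here."""
import io
import zipfile

# (offset, magic bytes, type name): a small table of well-known signatures.
MAGIC = [
    (0, b"PK\x03\x04", "zip"),
    (0, b"\x7fELF", "elf"),
    (0, b"MZ", "pe/mz"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),
    (0, b"%PDF-", "pdf"),
    (0, b"\x1f\x8b", "gzip"),
]


def identify(data: bytes) -> str:
    """Classify by signature, never by name. Unknown content is 'data'."""
    for off, sig, name in MAGIC:
        if data[off:off + len(sig)] == sig:
            return name
    return "data"


def by_extension(name: str) -> str:
    """What a name-trusting scanner would conclude, for contrast only."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    table = {"zip": "zip", "exe": "pe/mz", "doc": "ole2", "txt": "text", "jpg": "jpeg"}
    return table.get(ext, "data")


MAX_DEPTH = 8           # nested-container limit (zip in zip in zip ...)
MAX_MEMBER = 50 << 20   # refuse to inflate a member larger than 50 MiB


def decompose(name: str, data: bytes, depth: int = 0):
    """Yield (logical_path, content_type, extension_type) for this object
    and, recursively, for every member of any container it turns out to be."""
    kind = identify(data)
    yield (name, kind, by_extension(name))
    if kind != "zip":
        return
    if depth >= MAX_DEPTH:
        yield (name + "!<depth limit>", "skipped", "")
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        yield (name + "!<corrupt>", "skipped", "")
        return
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER:
                yield (f"{name}!{info.filename}", "skipped:too-large", "")
                continue
            yield from decompose(f"{name}!{info.filename}", zf.read(info), depth + 1)


def build_sample() -> bytes:
    """Constructed archive with misleading names: an ELF called a.jpg, and a
    zip called report.txt that holds an OLE2 document and a text file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("notes.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
        z.writestr("readme.txt", b"plain text body\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("report.txt", inner.getvalue())
        z.writestr("a.jpg", b"\x7fELF\x02\x01\x01" + b"\x00" * 9)
    return outer.getvalue()


def scan_sample() -> list:
    """Decompose the constructed archive and return every atom found."""
    return list(decompose("mail.zip", build_sample()))


if __name__ == "__main__":
    for path, real, claimed in scan_sample():
        print(f"{path:40s} content={real:7s} name-says={claimed}")
```

Only zip is opened here; a real decomposer adds handlers for the other container types its signature table recognizes, and each handler needs the same depth and size limits.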

MvFilter disinfects OLE documents (Microsoft Word, Excel and PowerPoint) from macro viruses (both VBA and WordBasic). It does this in the same way that all antivirus programs disinfect macro viruses, by removal of the macro. The difference is that MvFilter was designed as a tool. As such it can be used for compartmentalization purposes, stripping macros from documents crossing a boundary whether or not they are known to be malicious, in addition to its reactive disinfection role.

Avatar maintains the system Baseline Configuration. It does so by executing system security policies that act as an intrusion detection and response system. The most important function of Avatar is response. If the system Baseline Configuration is modified, for any reason, it will be detected by Avatar and returned to the correct Baseline Configuration. The value of Avatar's response system is that it enforces discipline by a non-subjective automated process which can execute many times per day. Avatar is only available with VSTK Professional.

VGUI allows access to VFind, CIT, Avatar, and other functions via virtually any web browser pointed at the MiniWeb Server running on the target machine. The user can scan the system for viruses via VFind, baseline the system via Avatar, and integrity check the system via CIT. VGUI gives even a non-UNIX user access to the great majority of the VSTK tools. Most functions can be executed with one or two simple button clicks.

The MiniWeb Server is a compact web server based on the HTTP 1.1 standard. It supports the HEAD, GET, POST, and PUT access methods, the .htaccess file for access control, and Secure Sockets Layer (SSL). The Server is implemented on all platforms supported by VSTK except those on which POSIX threads are not available. Those platforms are HPUX-10, IRIX-6.2-MIPS, and OSF-ALPHA.

The Quick Training Handbook for the Security Handbook: the comprehensive training guide on how to use the VFind Security ToolKit to its fullest potential is now available for download. Get insight into the many features of VSTK/P along with some basic theory of computer security. Find out how VSTK/P can do more than just help you catch viruses.

What's New in VFind Security Toolkit Version 170

(This information applies to VSTK, VSTKP, and Turbo version)

VFind Security ToolKit (VSTK) 170, an upgrade from the previous VSTK/P 169, has been released and is available now. VSTK/P 170 improves reliability, functionality, performance and integration, and with all these upgrades it requires LESS memory. CyberSoft works constantly to find ways to improve all of its products. Customers with current Maintenance and Support contracts are eligible for a free VSTK/P upgrade.

What's new in VSTK Version 170

Here is a brief summary of the changes for each component in this release of the toolkit. If a component is not listed here, then it is unchanged in this release.


- cit:

New option -overwrite forces creation of a new database.
Bug fixed: the last deleted file could sometimes go unreported.
Bug fixed on Tru64: a NULL string is no longer treated as a file argument.

- uad:

Added support for binary MIME attachments.
Improved error checking when creating temporary files.
Warning message added if the filename in a zip member's local file header differs from the filename in the central directory.
Fixed bug causing core dumps with some encrypted RAR files.
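
The local-header versus central-directory warning above matters because the two structures are read by different consumers: listings and extraction normally go by the central directory, while a sequential reader or a name-based filter sees the local header, so an attacker can show each of them a different name. The following added example (not UAD's code; the archive and names are constructed, and the tampering is done in place on a normally written zip) parses both structures by hand and reports any disagreement.

```python
"""Checking that a zip member's name in the local file header agrees with
its name in the central directory, as the uad warning above does.
Added example, not CyberSoft's code; the archive and names are constructed."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def central_entries(data: bytes):
    """Yield (name, local_header_offset) for each central directory record.
    Most extractors list and locate members from this structure."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd disk, entries here, entries total, cd size, cd offset, comment len
    _sig, _disk, _cd_disk, _n_here, total, _cd_size, cd_off, _clen = struct.unpack(
        "<4sHHHHIIH", data[eocd:eocd + 22])
    pos = cd_off
    for _ in range(total):
        f = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        if f[0] != CENTRAL_SIG:
            raise ValueError("central directory header signature mismatch")
        nlen, xlen, clen, off = f[10], f[11], f[12], f[16]
        yield data[pos + 46:pos + 46 + nlen].decode("cp437"), off
        pos += 46 + nlen + xlen + clen


def local_name(data: bytes, off: int) -> str:
    """Name stored in the local file header that precedes the member data.
    A reader that walks the archive front to back sees this name."""
    f = struct.unpack("<4sHHHHHIIIHH", data[off:off + 30])
    if f[0] != LOCAL_SIG:
        raise ValueError("local file header signature mismatch at %d" % off)
    nlen = f[9]
    return data[off + 30:off + 30 + nlen].decode("cp437")


def name_mismatches(data: bytes) -> list:
    """Return [(central_name, local_name)] for every member where they differ."""
    out = []
    for cname, off in central_entries(data):
        lname = local_name(data, off)
        if cname != lname:
            out.append((cname, lname))
    return out


def build_tampered_zip() -> bytes:
    """Constructed archive: written normally, then the first member's name in
    its local header is overwritten with one of equal length so no offsets move."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4\n%fake\n")
        z.writestr("notes.txt", b"nothing to see\n")
    data = buf.getvalue()
    idx = data.find(b"invoice.pdf")   # first hit is in the local header
    return data[:idx] + b"invoice.exe" + data[idx + len(b"invoice.pdf"):]


def demo() -> dict:
    """Compare what the central directory claims with what the local header
    says, and record whether the standard library tolerates the discrepancy."""
    data = build_tampered_zip()
    zf = zipfile.ZipFile(io.BytesIO(data))
    try:
        zf.read("invoice.pdf")
        stdlib_raises = False
    except zipfile.BadZipFile:
        stdlib_raises = True
    return {
        "mismatches": name_mismatches(data),
        "namelist": zf.namelist(),
        "stdlib_read_raises": stdlib_raises,
    }


if __name__ == "__main__":
    print(demo())
```

On the constructed archive the listing still says invoice.pdf while the local header says invoice.exe; Python's zipfile module notices the difference when the member is actually read and raises BadZipFile, which is the behaviour a scanner should have as well: treat the archive as suspect rather than silently picking one name.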

- vdlc:

This is a new program in this release. It is used by VFind to compile VDL pattern files into internal data structures, which helps minimize VFind startup time. There is normally no reason to invoke this program explicitly.

- vfind:

Now recursively scans directories without the help of find. Note that this is an incompatible change: when feeding vfind from find, take care NOT to feed it any directories (restrict find's output with -type f), only their contents, as the contents will otherwise be scanned twice.
Creation of scanning data structures is delegated to the vdlc program, which gives VFind itself smaller memory footprint and faster startup.
Output has been restructured so that all chevron-marked text goes to stdout, and none to stderr.
New options --noscan, --noscans, --force-scan, --trig-count; see the man page for details.
Bug fixed in VDL file type restriction, where an empty restriction could cause a core dump.
New CVDL operator, NAME ~= "...", matches file names.
All CVDL word operators and file types are now case insensitive.
VFind output can now be tuned by setting variables in vdl.list and in the individual vdl files; a pattern that recognizes something other than a virus can now report this correctly.
New Bayesian analysis engine, can match files based on statistical data gathered by the new chash, chashmerge and cbayes programs.

New Platforms

  • Debian 3.1
  • Fedora Core 3
  • OS X 10.4

Known Problems and Limitations

The following platforms have problems extracting RAR archives:

  • BSDI x86 4.1
  • OSF Alpha 3.2
  • Tru 64 5.1

The following platforms do not support multi-threaded applications, which includes miniweb and the VSTK Web GUI:

  • BSDI x86 4.1
  • HP/UX 10.20
  • HP/UX 11.00
  • IBM AIX 4.1
  • IBM AIX 4.3
  • OSF Alpha 3.2
  • SCO Open Desktop 5
  • SGI Irix 6.2

Please note that GNU find is no longer distributed with VSTK. Use the find that comes with your system for the same purpose.

The chart below explains which version of each individual tool is included with a specific VSTK/P Toolkit Package. Click on the Toolkit version number for more details about the updated features in each VSTK/P version.

VSTK/P, VSTK/P-Turbo, & COMPONENT VERSION NUMBERS

VSTK/P Version 170:

  Component   Version
  VFind       16.1.18
  VFindD**    2.1.21
  CIT         4.3.5
  THD         2.4.4
  UAD         3.15.3
  VDLC        1.1.10
  BHead       2.1.0
  JDIS        2.1.6
  LBH         1.3.5
  LBT         1.3.7
  MvFilter    5.1.5
  VTest       1.2.0
  Avatar*     2.1.1
  MiniWeb     2.1.1

*Available only with VSTKP

**Available only with VSTK-Turbo and VSTKP-Turbo

  • VFind® Security ToolKit Component Reference Chart
  • List of supported platforms for this release
  • VFind® Security ToolKit release dates

Questions about upgrading?