VB Comparative: Netware 6.5 - August 2005


Matt Ham

Virus Bulletin
Editor: Helen Martin


Matt Ham finds NetWare 6.5 to be significantly more tolerable than previous versions of the operating system. Find out whether the products for NetWare show similar improvement.


Those who have read Virus Bulletin's previous reviews of NetWare products will be familiar with my views about the platform - overall, I have found the platform less than convenient to work with and the products themselves generally even worse.

To be reasonable, however, NetWare has become significantly more tolerable with version 6 and newer, though to a certain degree this is a function of the fact that hardware has only recently been able to deal with the demands of NetWare's GUI. Thankfully, the GUI in NetWare 6.5 has been relieved of the images of eccentric gymnasts which graced version 5, which has also made the review process a little more bearable.

With the improvements to the operating system, therefore, it was left to the products to determine whether the review experience would be pleasant or otherwise. One issue made itself known early on: several products caused message boxes to pop up on the client when viruses were detected on the server, and there was no obvious way to remove this feature. With large test sets the added network traffic slowed down scanning and the client emitted irritating beeps as a result. I hoped that no greater irritations would come my way.

Products, test sets and platform

The deadline for the submission of products for this review was 4 July 2005 - unwittingly causing some chaos for reasons that will be obvious to those in the US. NetWare itself was installed freshly from the minimum patch files provided on Novell's site, for both client and server on 29 June 2005. Thus the version of NetWare used was Novell Open Enterprise Server NetWare 6.5 Support Pack Revision 03, Server Version 5.70.03. NetWare Client version was used on Windows XP Professional Service Pack 2. The client and server were connected over a 100Mbs LAN link.

The test sets were based on the April 2005 WildList, since this was the most up-to-date version available at the time. As has been noted in recent comparative reviews, the new additions to the WildList seem to become more tedious on every occasion, though they increase numerically as if to compensate. With the new additions closing in on the 100 mark, there was only one that was not a direct variant of a sample already contained in the sets - W32/Serflog.

The majority of the new additions to the In the Wild (ItW) test set were multiple variants of W32/Sdbot and W32/Mytob. With decent handling of archives and some care in creating generic detections, these variants can, in many cases, be detected as soon as they are produced. Therefore, it seemed from the outset that simply having a NetWare product would almost be enough for a developer to gain a VB 100% award.

CA eTrust Antivirus 7.1

eTrust is a useful example of the two facets of administration where NetWare products are concerned. The two main methods are to administer from a GUI (either on a client or server) or simply to interact in the server console. The latter tends to look very archaic compared with the usual interfaces for such software. In the case of eTrust, the on-demand scanning can be controlled fully through the server console. This may also be controlled through an administration tool on a client. If full control of on-access scanning is required, however, this must be performed from the client.

Having been somewhat confused by this division of control options, the actual scanning processes were easy by contrast. Even better, NetWare logging is free from those strange formats which plague the Windows versions of eTrust. When logs were parsed there were no real surprises and a VB 100% award was the result.

Please refer to the PDF for test data

CAT Quick Heal Antivirus 8.00

Installation of Quick Heal is by a client-side installation routine, though the same effect may be obtained manually with little trouble. Along with this simplicity of installation, the interface is simple both in appearance (it operates through the server console) and in the limited number of options available. All the usual options are present, it is simply that they are more conveniently grouped than in many products and are not obscured by components of dubious value. Admittedly, this feeling of a lack of clutter is much helped by the fact that the on-demand and on-access components are separate NLMs. Offsetting the clarity somewhat was the log file, which changed the cases of filenames and reduced long file names to 8+3 format, somewhat hindering extraction of test results.

In fact, of all the products in this test, the results for Quick Heal showed the most variation between on access and on demand. Despite this, however, Quick Heal detected all the samples in the ItW test set, and generated no false positives, and a VB 100% award is thus due.

Please refer to the PDF for test data

Doctor Web Dr.Web 4.32c (

Doctor Web's NetWare product remains essentially the same in look and feel as when I inspected it several years ago. Setting it up is performed simply by copying the files to the server and loading the NLM. This either results in a working interface or exits with the reason for failure dumped to a log. The lack of an on-screen message to inform me that the licence key was not found, caused me a little perplexity until I found this log. However, once installed all went smoothly.

Scanning results were much the same as have been noted in recent Windows testing. Dr.Web seems to alternate between full detection and missing a small number of samples - the latter presumably being due to the tweaking of older definitions for efficiency. No misses occurred in the ItW set, however, and with no false positives Dr.Web receives a VB 100%

Please refer to the PDF for test data

Eset NOD32 1.11.61

Likewise unchanged since the last few tests, the on-demand and on-access scanners of NOD32 are each comprised of an NLM which is loaded from the server console. The word 'loaded' is perhaps a little misleading in the case of the on-demand scanner which, alone in these tests, operates as a command-line scanner rather than having any more advanced interface.

This rather aged interface might cause second thoughts for some users. The full detection rates and good scanning speed, however, can cause no such issues and result in a further VB 100% award for Eset.

Please refer to the PDF for test data

Kaspersky Anti-Virus 5.6.1

The Kaspersky product is rather more evolutionarily advanced than some others, the default installation from the client being one sign of this. It installs as a snap-in to ConsoleOne, Novell's NetWare GUI. After installation there are two server console interfaces, one each for the on-demand and on-access scans. These are, however, informational rather than interactive, and scanning during testing was controlled via the ConsoleOne interface. Logging proved somewhat confusing for a while, until it became clear that the use of ampersands in file names was causing the log entries to become garbled.

With the log files unravelled there was a small difference in results between the on-access and on-demand tests, with the latter showing full detection. However, the files missed on access were due to the understandable removal of archive handling for files in this mode - a common efficiency measure. None of the files missed were in the ItW test set and thus Kaspersky receives another VB 100% in this month's bumper crop.

Please refer to the PDF for test data

McAfee NetShield 4.6.3 4.4.00 4.0.4529

The installation of NetShield was delayed a little by the requirement for a Java runtime to be available on the machine from which the install will take place. Once this hurdle had been overcome, the process of installation from a client was simple enough. Updates and upgrades were applied to the software by the expedient of unloading the NLMs and overwriting old files with new - which seems to be a common method in NetWare.

The main NLM for NetShield operates as a server console-viewable interface, though it can only be inspected in this state. In order to adjust the configuration, the client side application must be used. This offers exactly the same interface as NetShield on other platforms. The developers seem to have opted for minimising network traffic during scanning, since despite having a scan status visible in the GUI, this status was not updated between the start and end point of any scan.

With no samples missed in any of the test sets, and no false positives generated in the clean set, McAfee is due a VB 100% award without further ado.

Please refer to the PDF for test data

Norman FireBreak 4.74 2311

The installation procedure for FireBreak is performed from the client, requiring a drive to be mapped to the root of SYS: on the server. A ConsoleOne snap-in and Internet update module are installed as part of this process, though the server console interface was used for testing.

On the occasion of the last review, there were a number of problems for Norman's product, associated with scanning. Thankfully these were notable only by their absence this time.

The detection rate was very much at the level usually achieved by Norman. Weaknesses still exist in the handling of relatively modern polymorphic viruses, though none of these were present in the ItW test set. A VB 100% award is the net result.

Please refer to the PDF for test data

Sophos Anti-Virus 3.95.0

Another product adhering firmly to the server console style of interface, Sophos Anti-Virus is also very much unchanged by the passage of time. Installation is by the loading of a single NLM, which creates the appropriate directories and populates them. This is a convenient set up procedure, which avoids the irritation of setting search paths and directory structures. Having added supplementary virus identities the product is ready for operation.

Age-old niggles still exist during operation, however. The requirement to prepend '>' to paths in order to force recursive scanning is among the more idiosyncratic parts of the interface. The log file is now out of step even with other Sophos products, still reducing long file names to the less than useful '?????~?.???' format. It should be noted that it is impossible to scan anything other than a full volume using the extension lists supplied, thus the scanning here was performed on all files in a supplied path. Despite these peculiarities the scanning performed without any hitches and resulted in a full detection of ItW files. A VB 100% is thus secured by Sophos.

Please refer to the PDF for test data

VirusBuster VirusBuster 2005 v2.02.003

VirusBuster installs by copying its files to the server, setting the location as a search path and loading the main NLM. The main issue with VirusBuster concerned its speed of scanning infected files. This was noticeably slow in the ItW test set, though this is common enough with the unpacking required for some of the bot samples in the collection.

Rather more frustrating were some polymorphic samples. In particular, Satanbug.5000.A took over a minute per sample to be scanned in many cases. With 500 samples of this virus alone in the test sets, scanning was a time-consuming and tedious process indeed. On the plus side, the VirusBuster logs now make a distinction between worms and viruses, though with the eternal debate over the fine distinctions of the nomenclature, this may only serve to inflame passions.

VirusBuster demonstrated the only false positive in the tests, although this was simply a sample which was declared suspicious rather than a full-blown declaration of viral content. Unfortunately, however, VirusBuster missed the W32/Lovelorn.A sample in .HTM form both on access and on demand. As this sample is in the wild, VirusBuster misses out on a VB 100% on this occasion.

Please refer to the PDF for test data


Looking back over the last few NetWare reviews (see for example VB, August 2004, p. 14 and VB, August 2003, p.17) I find myself repeating my comments, especially concerning the two broad groups into which the developers have fallen. On the one hand some developers continue to add to their products administrative functionality and integration within a managed anti-virus environment. On the other hand there are those whose only developmental effort seems to have been in making the product detect more viruses, with all other features remaining in stasis.

NetWare itself seems in a healthier state than it has been in the recent past, with Novell's strategic partnerships being chosen to bring the company out of the dark corner into which it was pushed by other server offerings. Whether this will be enough to encourage further anti-virus developer effort remains to be seen.

Technical details

Test environment.  Identical 1.6 GHz Intel Pentium machines with 512 MB RAM, 20 GB dual hard disks, DVD/CD-ROM and 3.5-inch floppy drive. Server running Novell Open Enterprise Server NetWare 6.5 Support Pack Revision 03, Server version 5.70.03. Client running Novell NetWare Client version installed on Windows XP Professional Service Pack 2.

Virus test sets.  Complete listings of the test sets used can be found at http://www.virusbtn.com/vb100/archive/2005/08/testsets.

Results calculation protocol.  A complete description of the results calculation protocol can be found at http://www.virusbtn.com/virusbulletin/archive/1998/01/vb199801-vb100-protocol.


30 August 2005: Unfortunately, due to a combination of miscommunication and missed communications, Symantec AntiVirus was not included in this NetWare 6.5 comparative review. VB has since tested the product and is pleased to reveal that Symantec AntiVirus detected all samples in the wild, with no false positives, and is duly awarded a VB 100%.



Latest articles:

A review of the evolution of Andromeda over the years before we say goodbye

Andromeda, also known as Gamaru and Wauchos, is a modular and HTTP-based botnet that was discovered in late 2011. From that point on, it managed to survive and continue hardening by evolving in different ways. This paper describes the evolution of…

VB2012 paper: Malware taking a bit(coin) more than we bargained for

When a new system of currency gains acceptance and widespread adoption in a computer-mediated population, it is only a matter of time before malware authors attempt to exploit it. As of halfway through 2011, we started seeing another means of…

VB2017 paper: VirusTotal tips, tricks and myths

Outside of the anti-malware industry, users of VirusTotal generally believe it is simply a virus-scanning service. Most users quickly reach erroneous conclusions about the meaning of various scanning results. At the same time, many very technical…

The threat and security product landscape in 2017

VB Editor Martijn Grooten looks at the state of the threat and security product landscape in 2017.

VB2017 paper: Nine circles of Cerber

The Cerber ransomware was mentioned for the first time in March 2016 on some Russian underground forums, on which it was offered for rent in an affiliate program. Since then, it has been spread massively via exploit kits, infecting more and more…

Bulletin Archive