COMMERCE BUSINESS DAILY ISSUE OF SEPTEMBER 25, 1995 PSA#1438

Department of Energy, ATTN: Robert Wilson, HR-421, GTN, 1000 Independence Avenue, S.W., Washington, DC 20585

70 -- ADPE - COMMERCIAL-OFF-THE-SHELF ANTI-VIRAL SOFTWARE

POC Robert Wilson, (301) 903-4604

70 ADPE---Sources Sought Synopsis---ADP Software
and Software Maintenance Support---The U.S. Department of Energy has a
requirement to purchase from a single vendor a perpetual, DOE-wide
corporate license for Commercial-off-the-Shelf (COTS) anti-viral (or
"anti-virus") software product with updates, software support
services, and supporting documentation. The following are the base
components that DOE requires of an integrated anti-viral solution and
which must be provided by a single vendor:

(A) The product must include
a real-time, memory-resident behavioral monitoring program for
standalone DOS (versions MS- and PC-DOS 3.3 and higher) workstations
that uses less than 20K bytes of computer memory, which can be loaded
into (but does not require the use of) upper memory blocks or extended
memory. As a behavioral monitor, it must not rely on the existence of
virus signatures to detect computer viruses. In instances when the
monitoring program is active and detects a virus or an attempt by a
virus to infect the system or system files, it must sound an audible
alarm and display a message on the monitor with the location of the
virus and, if the virus is attempting to infect a system element, then
provide the capability to stop that infection from occurring and
prevent the virus from becoming active. The monitor must not produce
false alarms when the following COTS packages are running: DOS 6.x,
Windows 3.1x, the Microsoft Office Windows suite of products, the
Novell PerfectOffice Windows suite of products, WordPerfect 5.x for
DOS, WordPerfect 6.x for DOS, and Novell 3.x and 4.x. The monitor must
use some technique to minimize false alarms and must not rely on
exception lists to reduce or eliminate false alarms. The monitor must
be a device driver (and thus must be loaded in the CONFIG.SYS file) and
must be self-protecting, ensuring that it has not been corrupted or
compromised by a computer virus.

(B) The product must provide a
non-memory-resident scanning program or option that can accurately
detect, identify, and remove viruses. Where technically feasible, the
scanner must identify and display the name of the detected virus and be
able to remove all detected viruses, leaving infected systems or files
in their original state. The user must be able to schedule scan
activation on a daily, weekly, or monthly basis or on demand. The
scanner must be available for both the DOS and Windows environments.
The DOS-based programs must include a user-friendly (i.e., menu driven)
interface option. The scanner must be able to scan a system's memory
(which must occur first in the scanning sequence when selected), Master
Boot Record (MBR), boot sector, executable files, and compressed files.
The scanner must be able to scan internal hard drives, removable media,
5.25" diskettes, 3.5" diskettes, and other industry-standard storage
media. At the user's discretion, the scanner must be able to scan an
entire drive, multiple drives on a single system, directories and
subdirectories, executable files and programs, and/or specific files
designated by the user. The user must be able to select which system
elements should be scanned (e.g., to disable memory checking during
diskette scans). Scanning results must be able to be displayed on the
workstation screen or posted to a file or printer. It must provide
options for selecting desired files, directories, and logical drives.
In addition, the scanner must be able to scan workstation-accessible
network drives, which must not require the termination of remote access
to the server resources (i.e., users may remain logged in).

(C) The
product must include a NetWare Network Loadable Module (NLM) for Novell
servers that continuously detects (in real-time) when file infector
viruses are copied to or from a Novell server, infected executable
files are renamed, or new virus-infected files are created on the
server. In addition to this real-time monitoring function, the network
scanner must be able to perform a manual scan of the network server,
scanning all executable files on all available volumes. As with the
workstation scanner, the NLM scanner must not require the termination
of remote access to the server resources (i.e., users may remain logged
in). When the NLM detects a virus-infected file, it must provide
options to delete the file, rename the file (to a non-executable name),
or move the file into a quarantined area (not accessible to
non-supervisory or other designated users). The response option must be
selectable by the network supervisor, and the ability to not allow
users to override the desired response option must be inherent. All
monitoring and scanning modules must perform a self-diagnosis prior to
any other monitoring or scanning to ensure that they have not been
compromised, sounding an audible alarm, displaying a message on the
monitor, and halting their operation if corruption is detected.

(D) Any
virus occurring on a workstation detected by the workstation's monitor
or scanner must be reported immediately both to the attached server
and to a central WAN server that acts as the focal point for all
enterprise-wide file servers. This automated reporting mechanism must
function whenever a workstation attached to a Novell network has the
appropriate network drivers activated (i.e., does not further require
that the user has run the LOGIN command to log onto a specific server).
Incidents that occur while the user is not attached to the network must
be reported when the user does eventually access a protected server.
The reporting mechanism must have the ability to activate a paging
system to notify the Virus Response Team (ViRT) that an incident has
occurred.

(E) The product must provide a mechanism for updating its
workstation-based anti-viral products (monitor and scanner) from the
network, but only doing so when necessary (i.e., only when anti-viral
software is not installed or not activated or is an outdated version).
This module must be able to be launched via the network login function
for transparent activation and must make any adjustments necessary
(e.g., modifications to the AUTOEXEC.BAT and/or CONFIG.SYS) to ensure
that the workstation monitoring program is activated automatically when
the user subsequently restarts the system. In addition, it must be
possible to transmit any or all product elements electronically to
other DOE sites worldwide.

(F) An extensive virus research database
that provides information on all viruses specifically identifiable by
the scanning (removal) module must be accessible. Information on the
propagation mechanism, symptoms, and damage; attack trigger and
actions; and removal process should be included, where known. When a
virus arises, it is essential that information regarding the impact of
that virus within the community be available.

(G) The vendor must be
able to provide access to emergency support 24 hours a day, seven days
a week, in order to correct instances where product deficiencies
(e.g., bugs) are found, the monitoring program generates false alarms,
or a virus is detected within the DOE environment that the vendor's
removal program cannot properly eradicate. In the case of a new virus,
the vendor must be able to provide an eradication mechanism for the
virus within 2 working days of receiving a copy of the virus from the
DOE point of contact.

Vendors that can provide software and services
that meet these basic requirements should submit complete technical
details and price information to be received no later than 15 days from
the date of this publication to: Mr. Robert Wilson, HR-421, GTN, U.S.
Department of Energy, 1000 Independence Avenue, S.W., Washington, D.C.
20585. This is not a request for formal quotation or proposal, but is
provided as information to the marketplace and is an invitation to
express interest in performing all the work described. (0264)

Loren Data Corp. http://www.ld.com (SYN# 0326 19950922\70-0007.SOL)