PC Format 8 (5.25")

home *** CD-ROM | disk | FTP | other *** search

/ PC Format 8 (5.25") / PC Format - Issue 8 May 1992 - Disk 1.ima / TBSCNX26.EXE / TBSCANX.DOC < prev next >

Wrap

Text File | 1991-04-20 | 33.9 KB | 794 lines

DOCUMENTATION FOR TBSCANX V2.6 REGULATIONS WITH REGARD TO USE AND DISTRIBUTION OF TBSCANX ---------------------------------------------------------- Both TbScanX and the accompanying documentation are SHAREWARE. This simply means the program is covered by the copyrights of ESaSS, but can be used and distributed freely as long as the following regulations are observed. + Concerning the distribution of the TbScanX program no administration and/or shipping costs exceeding the amount of $5,- may be charged. + Distribution of TbScanX may only take place when both the program and the documentation are left unmodified and only when the complete program is supplied. + So it is not allowed to distribute the program apart from the documentation. + ESaSS accepts no responsibility in case the program malfunctions or does not function at all. + ESaSS can never be held responsible for damage, directly or indirectly resulting from the use of TbScanX. + Using TbScanX means that you agree on these regulations. DESCRIPTION TBSCANX ------------------- TbScanX is a program that was developed to trace viruses, Trojan Horses and other threats to your valuable data. It is a so-called virus scanner. A virus scanner is a program that is able to search a signature that has been determined beforehand. Most viruses consist of a unique signature, so by means of checking for the appearance of this signature we can see whether or not a program has been infected. By searching all your program files for the signatures of all viruses already identified you can easily find whether your system has been infected and, if that is the case, with which virus. By now already many virus scanners have been developed. The problem with all these scanners is that you have to execute them. Suppose you have the virusscanner automatically invoked in your autoexec.bat file. If no viruses are found, your system is supposed to be uninfected. But, to be sure that no virus can infect your system, you have to run the scanner every time before you copy a file to your harddisk, after downloading a file from your BBS, or after unarchiving an archive such as a ZIP file. Be honest, do YOU actually invoke your scanner every time? TbScanX has a unique feature to overcome this drawback, it will remain resident in memory, and AUTOMATICALLY scan all files you execute, copy, download, modify, or unarchive! Probably you think that a resident virus scanner consumes much memory, makes your system slow, and is a source of many problems. But, if you already know our free-ware scanner TBSCAN, you know that this scanner can scan your files ten times faster compared with other scanners. Also TbScanX achieves this lightning fast speed. Actually, TbScanX is a lot faster, since it will not access your disk to scan the files, because all files to be created or modified reside already in memory! Besides this, TbScanX consumes only 8 Kb of memory, including the signatures to scan for! If there is expanded memory available, TbScanX uses even less than 1Kb of memory! TbScanX carries the same feature of its transient brother TBSCAN: + TbScanX is fully programmable by means of a data file. Most of the time viruses spread quickly. After a new virus has been found there is often no time to adapt your virus checker in order to make it capable of recognizing this new virus. That is why TbScanX uses a data file in which the signatures of the viruses occur. This file can quickly be adapted, possibly by yourself, for example when you are informed of a new virus through the media. TbScanX supports among other things the format which is used in the file "virscan.dat". This file is regularly adapted and can be obtained at a lot of data banks. + TbScanX supports wildcards in the signature. A lot of viruses encrypt themselves after each infection, so the signatures always look different. There is one part of the virus however that cannot be modified: the routine that has to "unpack" the modified part of the virus. But it is a misunderstanding that this part of the virus always should look the same. The fact is there are viruses that pepper their unpack-routine with useless instructions which have no effect and which are continuously replaced by other nonsensical instructions. Although the unpack-routine always functions the same, it looks different every time because of these changing fake instructions! By inserting wildcards on places where the fake instructions occur in the signatures of the data file, such a virus can still be traced and identified. This is the case because any character may be used on the place of a wildcard. It is also possible to skip a variable amount of garbage bytes in the signature. + TbScanX supports normal text as the signature. Most signatures are inserted in ASCII-HEX. But when desired you can also specify a normal text as the signature. In this case you put the text between double quotation marks. + TbScanX offers other software an universal hook to scan data for viruses. If you are a programmer, you can instruct your programs to scan information read from disk for viruses before using the data. USAGE OF THE PROGRAM -------------------- TbScanX is easy to use. Simply type TBSCANX. The program can also be invoked from within your config.sys file by inserting the line "device=TBSCANX.COM". The advantage of the last method is that TbScanX will get a better position in the memory and is able to protect the system before other programs are executed. TbScanX uses also less memory in device driver mode. (NOTE: If you invoke TbScanX from within your config.sys you have to specify the extension .COM) If you use MS-Windows you should load TbScanX BEFORE starting Windows. If you do that there is only one copy of TbScanX in memory, but every DOS-window will nevertheless have a fully functional TbScanX in it. TbScanX detects if Windows is starting up, and will switch itself in multitasking mode if neccesary. Options available: -? = Display help sreen. -d = Disable TbScanX. -e = Enable TbScanX. -r = Remove TbScanX from memory. -f <filename> = Use the specified file as signature file. -o = Optimize signatures. -n = no scan at execute. -me = Use Expanded memory. -mu = Use Upper memory. -mh = Use Hercules-half memory. -mf = Use Hercules-full memory. -mc = Use CGA/EGA/VGA memory. -u = Unauthorized signatures allowed. -D If you specify this option TbScanX will be disabled, but it will remain in memory. -E If you use this option TbScanX will be activated again after you disabled it with the -D option. -F This option tells TbScanX which file should be used as signature file. Use this option if you use TbScanX as a device driver, or if the signature file can not be found in the current or home directory. -O If you specify this option TbScanX will optimize the signatures by merging signatures that are more than 75% equal. Look at the next two signatures: Signature 1: CD2145A689BF452F1E77CBCD21 Signature 2: CD2111A689BF4A3F1E77CBCD21 TbScanX will replace the differences between the two signatures by wildcards and removes the second signature. The resulting signature of the example above is: Signature 3: CD21??A689BF????1E77CBCD21 It is obvious that this option can save some memory and increases the scanning speed somewhat. This option has never the result that some viruses go by undetected, but instead, the chance for false alarms increases somewhat. -N TbScanX normally scans files also just before they are executed. If you don't like that you can use this option to disable this feature. This option can only be used at the initial invokation of TbScanX. -M TbScanX offsers you some possibilities to minimize the usage of conventional memory. The -M option requires a parameter that tells TbScanX which memory should be used. All parameters except "U" reduce the usage of conventional memory to less than one Kilobyte. The rest will be stored in the specified memory. The "U" parameter can even reduce the usage of conventional memeory to zero bytes! It is also the only parameter that can be used in combination with other memory parameters. X If you specify this parameter TbScanX will use expAnded memory to store the signatures and a part of its program code. Expanded memory is allocated in 16Kb blocks, so the minimum amount of expanded memory you loose is 16Kb. However, conventional memory is more valuable to your programs than expanded memory, so using this option is recommended. H If you specify this parameter TbScanX will use some part of the Hercules videomemory to store the signatures. As long as the videocard remains in the text mode it uses only a little part of its videomemory. The rest can be used by... TbScanX. Videomemory is very slow, so also TbScanX will slowdown somewhat. If you execute a program that switches the card into the graphics mode TbScanX will disable itself completely. You can re-activate TbScanX by running it again. It will automatically remove the old resident part of TbScanX that might be left in memory. F This parameter does the same as the H parameter, but it will switch the Hercules card in the so called full mode. TbScanX then uses videomemory that will not be used by even most of the graphics software. You can run a graphics program while TbScanX remains active at the same time! But watch out! If you have two videocards in your machine at the same time, DO NOT USE this option! C This parameter does the same as the H parameter, but it will now use CGA/EGA/VGA videomemory. U This parameter can be used to load TbScanX into upper memory. Upper memory is available on many 80386 based machines which run memory managers like QEMM. TbScanX will load itself in upper memory, do don't use special highload programs. If you use this parameter in combination with other parameters it will load the remaining part of TbScanX in conventional memory to upper memory. So TbScanX can use Expanded memory and high memory at the same time. The result is that also the amount of upper memory required is minimized. -U TbScanX checks the signature file for modifications. If you change the contents of that file TbScanX will issue a warning. If you don't want the warning to be displayed, use the -U option. -R This option can be used to remove the resident part of TbScanX from your memory. All memory used by TbScanX will be freed. Unfortunately, the removing of a TSR is not always possible. TbScanX checks whether it is safe to remove the resident part from memory, if it is not safe it just disables TbScanX. A TSR can not be removed if some other TSR is started after TbScanX. If this is the case TbScanX will completely disable itself. If the character device "SCANX" exists it will be renamed to "$CANX". If you invoke TbScanX again at some later time the device will be renamed and re-used automatically. TbScanX looks for the data file in the way mentioned hereunder: 1) It uses the file specified with the -f option. 2) It searches in the active directory for a file with the name TBSCAN.DAT. 3) It searches for TBSCAN.DAT in the same directory as the program file TBSCAN.COM itself is located. 4) It searches in the active directory for a file with the name VIRSCAN.DAT. Example: c:\utils\tbscanx -f c:\tb\tbscan.dat -me or: device=c:\utils\tbscanx.com -f c:\tb\tbscan.dat -me -o Whenever a program tries to write to an executable file (files with the extensions .COM and .EXE), you will shortly see the text "*Scanning*" in the upper left corner of your screen. As long as TbScanX is scanning this text will appear. Since TbScanX takes not much time to scan the file, the message will only appear shortly. When TbScanX has detected a virus, it will display the the message WARNING, <filename> is infected with <virus name>! Abort? (Y/n) Press "N" to continue, press any other key to abort. To display the name of the virus, TbScanX needs the signature file again. It will automatically use the signature file that was used when you invoked the program. If the signature file is missing (because you deleted it, or because you removed the floppy with it), or no file handles are left, TbScanX will still detect viruses, but it is no longer able to display the name of the virus. It will display [Name unknown] instead. When TbScanX has been started from within the config.sys file (as a device driver) it has added a character device with the name "SCANX". When you sent data to this device the data will be scanned for signatures. Try this: copy testvir.com scanx /b No file will be created with the name "scanx" but the input (the contents of the file "testvir.com") will be scanned for viruses. This way you can easy inspect any file (also the non-executables) for the existence of virus signatures without the need to invoke a special program. If the device "scanx" detects a signature in the input it will simulate a DOS "write protect error". Note that you have to specify the "/b" option. Otherwise DOS will sent the characters to the device one by one. This consumes a lot of time and of course, no signatures will be found in one byte sequences! REGISTERING ----------- The unregistered version of TbScanX will prompt you to press a key while starting up, except when you have a Thunderbyte add-on card installed. To register TbScanX, see the register.doc file. Only the registered version of TbScanX is able to make use of expanded memory without random restrictions. Once registered, you can use all future versions of TbScanX for free! --> YOU DON'T HAVE TO REGISTER TBSCANX IF YOU USE IT IN A PC WITH A THUNDERBYTE ADD-ON CARD INSTALLED! FORMAT OF THE DATA FILE ----------------------- The data file (called TBSCAN.DAT or VIRSCAN.DAT) can be read and/or modified with every ASCII editor. All lines beginning with ";" are comment lines. TbScanX ignores these lines completely. When the ";" character is followed by a percent-sign the remaining part of the line will be displayed on the screen. A maximum of 15 lines can be printed on the screen. Nice for "HOT NEWS"... In the first line the name of a virus is expected. The second line contains one or more of the next words: BOOT SYS EXE COM HIGH LOW These words may be separated by spaces, tabs or commas. TbScanX will only scan for viruses with the keywords COM or EXE. The other keywords will be ignored, and are only used by the non-resident version: TBSCAN. Also note that TbScanX will not distinguish between COM and EXE files. All executable files will be scanned for both EXE and COM viruses. This saves some memory. BOOT means that the virus is a bootsector virus. SYS, EXE and COM indicate the virus can occur in files with these extensions. Also overlay files (with the extension OV?) will be searched for EXE viruses. HIGH shows that the virus can occur in the memory of your PC, namely in the memory located above the TBSCAN program itself. LOW means that the virus can occur in the memory of your PC, namely in the memory located under the TBSCAN program itself. In the third line the signature is expected in ASCII-HEX. Every virus character is described by means of two characters. Instead of two HEX characters, two question marks (the wild- card) may also occur. The latter means that every byte on that position matches the signature. Below you will find an example of a signature: A5E623CB??CD21??83FF3E You can also use the asterisk followed by an ASCII-HEX character to skip a variable amount of bytes in the signature. The ASCII-HEX character specifies the amount of bytes that should be skipped. The signature could be: A5E623CB*3CD2155??83FF3E The next sequence of bytes will be recognised as a virus: A5E623CB142434CD21554583FF3E Instead of a signature in ASCII-HEX you can also specify a normal text. This should be put between double quotation marks. A correct signature is for example: "I have got you!" This series of three lines should be repeated for every virus. Between all lines comment lines may occur. LIMITATIONS ----------- + 128 Kb of free memory is needed to start the program. (5 Kb of memory once installed in memory) + DOS version 3.0 or later is needed. + The size of the data file has a maximum of 64 Kb. + The name of a virus may consist of maximally 30 characters. + The ASCII-HEX signature can consist of maximally 80 characters. + Up to 500 different signatures may be specified. + All filenames have a maximum length of 48 characters. ERRORMESSAGES ------------- Errormessages that can be displayed: + Not enough memory There is not enough free memory. + Error in data line at line <number>. There is an error in the specified line of the data file. + Limit exceeded. The data file was too long or too many virus signatures occur in it. + Data file not found. TbScanX has not been able to locate the data file. + Processor type does not match. You are using a processor dependant version of TbScanX and it can not be executed by the current processor. SPECIAL VERSIONS ---------------- The file TBSCANX.COM is fully functional. However, we supplied two special versions of TbScanX to be used with certain processor types. If you use the special 286 or 386 version of TbScanX you will get the best out of your processor concerning memory usage and speed. If you want to use the 286 version of TbScanX, just rename the file TBSCANX.286 to TBSCANX.COM. The same applies to the file TBSCANX.386. TBSCANX.COM: Universal version. Runs on all processor types. Supports Windows 386-enhanced-mode. Uses more memory and is somewhat slower compared to the other versions. TBSCANX.286: Runs on machines with a NEC-V20, NEC-V30, 80286, 80386 and 80486 processor. Does NOT support Windows 386-enhanced-mode. This version uses almost 100 bytes less compared to the other versions and is somewhat faster. TBSCANX.386: Runs on machines with a 80386 or 80486 type processor. Supports Windows 386-enhanced-mode. Uses less memory compared to the standard version, but more than the 286 version due to the Windows support. It is the fastest version available. Application Interface --------------------- If you are a software developer you can use TbScanX to check data for viruses. A program can perform a self check as soon as it is invoked by sending its code to TbScanX. A program that processes other programs or parts of it (by example scramblers or executable file compressors) should check the data for viruses before processing it. High-level control This method is most usefull for the so-called high level programming languages and languages that lack the ability to generate interrupts. Try to open the file "SCANX". If this file exists TBSCANX has been invoked from within the config.sys and is active in the machine. Open the file in the binairy mode. Write the data to be scanned to the opened file. If the data contains a signature of a virus TbScanX simulates a DOS "write protect error". If nothing happens and the data is accepted no signature could be found in it. Low-level control This method is more complex, but offers more possibilities. If your programming language supports issuing interrups you should be able to use this method. This method also functions when TbScanX has not been started as device driver but as a normal TSR. The interface consist of some multiplex calls (int 2Fh). Register AH should contain CAh. Register AL contains the function request number. Supported function requests: AL=0 InstallationCheck Return value: AL=0 TbScanX not installed AL=FFh TbScanX installed If BX was 'TB' then it is now changed into 'tb'. AL=1 GetStatus Return value: AH Version number TbScanX in BCD. (CAh if version < 2.2) AL=0 TbScanX disabled AL=1 TbScanX enabled BX Segment swap area. Zero if not swapped. CX Number of signatures that will be searched. DX EMS_Handle. -1 if no expanded memory in use. AL=2 SetStatus BL=0 Disable TbScanX BL=1 Enable TbScanX Return value: NONE AL=3 ScanBuffer DS:DX Address of buffer to scan. CX Length of buffer to scan. Return value: No Carry flag set No signatures found in buffer. Carry: Signature found in buffer! ES:BX ASCIIZ-name of virus (null terminated) Registers altered: AX,BX,CX,DX,ES The contents of the buffer remains unchanged. AL=4 ScanFile DS:DX Name of the program file to be scanned. WARNING! There should be at least 4 Kb of free memory to perform this function! Return value: No Carry flag set No signature found in file. Carry: Signature found in buffer! ES:BX ASCIIZ-name of virus (null terminated) Registers altered: AX,BX,CX,DX,ES Assembler example: mov ah,0CAh ;Multiplex number mov al,0 int 02Fh ;Installation check cmp al,0FFh ;If AL=FFh TbScanX has been installed. jne notinstalled ;Else TbScanX has not been installed. lea dx,buffer ;Address of the buffer in DS:DX mov cx,512 ;Length of our buffer mov ah,0CAh ;Multiplex number mov al,3 int 02Fh ;ScanBuffer jnc notinfected ;No carry? Then no virus found! call print ;Virus found. Print name ES:BX notinfected: THUNDERBYTE ----------- Virus scanners have a number of very serious disadvantages! + They cannot prevent infection. Virus scanners can only tell you whether or not your system has been infected and if so, whether any damage has already been done. By then only a good (non-infected) backup can still save you. + They can only recognize viruses that have already been identified. When a new virus has been launched it will take a while before someone discovers it. After that it will take some time before a reliable signature is dis- tilled from the virus and it will also take a while for you to get hold of the newest virscan.dat. All this means that there is a real chance that your system is infected at a moment virus scanners have not yet recognized "your" virus! Viruses get more and more advanced. Among other things because of all the attention the media is paying to the phenomenon computer virus. It has even become a real sport for sick minds to write computer viruses. Even viruses that have no stable signature anymore have already been discovered. Because TBSCAN allows wildcards in the data file it can still trace this kind of viruses quite often. But it will not take much time anymore before viruses will be created that have no special charac- teristics at all by which they can be identified. And then even TBSCAN cannot help you anymore. Even viruses that look for the DOS entry point in the same way as TBSCAN does, avoi- ding detection by protection programs in an effective way, already exist. To provide programs with a checksum is neither a solution: as soon as a file is read in, viruses can disinfect it, so every infected program looks like one that is not. There is however ONE solution for the abovementioned problems: *** ThunderByte! *** ThunderByte was developed to protect Personal Computers against computer viruses, Trojan Horses and other threats to valuable data. It is a hardware protection, consisting of an adapter card, an installation and configuration program and a clear manual. The working of ThunderByte is not based on knowledge of specific viruses, so ThunderByte also protects against future viruses. A hardware protection offers much more protection than a software protection. ThunderByte is already active before the operating system is loaded, so the computer will be totally protected right after the starting of the PC. Because of the many configuration possibilities and the intel- ligent algorisms, the use of ThunderByte will never become a burden: you will hardly notice the presence of ThunderByte in an environment without any viruses. Advantages of a hardware protection: + The protection uses very little (1Kb) RAM + The protection is already active before the first boot attempt of the PC, and therefore protects also against bootsector viruses. A software protection can not protect you against bootsector viruses, since it has not been executed at boot time. + De hard disks can not be accessed directly anymore, because ThunderByte is connected to the hard disk cable. + It is impossible to forget to start ThunderByte, even if the machine is booting with a diskette. ThunderByte offers you many kinds of protection: + Protection against loss of data. ThunderByte is connected between the cable of the hard disk and the controller. It prevents the hard disk from being accessed directly. The only way to access the drive from now on is by initiating an int 13h. In addition ThunderByte detects all direct disk writes which try to achieve a modification or damage of the data and it checks which program orders the execution of such operations. Only the operating system can preform these operations unmentioned. Standard DOS already has the possibility of protecting files against overwriting and modification by means of the read only attribute. However this protection can be very easily eliminated by software. But ThunderByte pre- vents this protection from being ruled out without this being noticed, so now it is nevertheless possible to protect your files effectively with a standard method. + Protection against infection. ThunderByte protects programs (files with the extension EXE, COM or SYS) against infection by judging all modifi- cations on their intention. The functionality is not influenced by this. Compiling, linking, etc., are not disturbed and neither are programs that save their confi- guration internally. Furthermore software can be protec- ted with the help of the aforementioned read only attribute. Attempts to modify the bootsector of the disk are detected, so the dreaded bootsector viruses are also eliminated. Keep in mind that the bootsector can hardly be protected by software. Only ThunderByte already beco- mes active before the system tries to boot! + Detection of viruses. In addition to the abovementioned ways of detecting the presence of viruses, ThunderByte can also do so because viruses carry out a number of special operations. For example, the marking of already infected programs in order to recognize them, is detected by ThunderByte. So are the attempts of viruses to reside in the memory in a suspicious way and the abnormal manipulations with interrupt vectors. + Password protection. ThunderByte has the possibility of installing a password. There are two kinds of passwords: one that is always asked for or one that you only have to enter when attempts are made to start from a diskette instead of the hard disk. + Safety. A lot of attention has been paid to the safety of ThunderByte The program code of ThunderByte is located in ROM and there is no way it can be modified. There is not one method of eliminating ThunderByte through software. All the important settings are realized with the help of dipswitches on the adapter card. And despite all their wasted intelligence, viruses will never be able to turn switches or to influence their read outs. Viruses that approach the controller of the hard disk directly will have a rude awakening: ThunderByte will only pass disk writes when the write or format command has followed the normal (checked) course. There are a lot of different versions of ThunderByte (functioning identically however) that are supplied on the basis of capriciousness. That is why knowledge of the internal working of only one ThunderByte system is not sufficient to damage or destroy its protective working. ThunderByte is constantly checking upon its own variables with a kind of control number that is different for each version. The positions of the memory where the variables are kept are also different for each version. + Extra possibilities. ThunderByte offers you some interesting bonuses, like booting from drive B:. CONCLUSION ---------- Are you surprised about the relative great effect and inventiveness of such a small virusscan program? Get Thunderbyte and keep on amazing yourself! If you appreciate TbScanX or if it has already been of help in a difficult situation: Buy Thunderbyte, or register TbScanX For more information you can contact: ESaSS B.V. Tel: 31 - 80 - 787 771 P.o. box 1380 Fax: 31 - 80 - 777 327 6501 BJ Nijmegen Data: 31 - 85 - 212 395 The Netherlands (2:280/200 @fidonet) TbScanX is written by Frans Veldman. TbScan and the signature files are available on ESaSS / Thunderbyte support BBS, Tel: 31-85-212395 (300/1200/2400 bps). If you are running a electronic mail system, you can also file-request TBSCAN to get the latest version of TBSCAN.COM, TBSCANX to get the resident automatic version of TBSCANX, and VIRUSSIG to obtain a copy of the latest update of the signature file.