TBAV.FA - text file, 1999-01-11 (Chip 1999 July, zkuste/TBAV/tbav_9x)
This is a list with Frequently Asked Questions.
If you have a question about our product, or want to know why our product
differs from some competitive products, please check out the questions
below.
User related questions
----------------------
What do viruses usually infect?
Generally there are two different types of infections: bootsector and
file viruses. Bootsector viruses infect the hard disk's bootsector or
master boot record and floppy disks that have not been write-protected.
File viruses try to infect executable files which have an .EXE, .COM,
.SYS, .BIN, or OV? extension. Nowadays, other files that can get
infected are those that contain macros (Word, Excel and Ami-Pro).
Can I get a virus by doing a DIR (directory) on a diskette?
NO! A virus must first be 'executed' in order to become active. If the
diskette has been infected with a bootsector virus, you would have to
boot your computer with the infected diskette in your A: drive in
order to activate this virus. Should the diskette contain an infected
executable file, you would have to execute this file on the diskette
for the virus to become active.
What is a rescue diskette?
A rescue diskette is a virus-free and write-protected bootable
diskette (not the same for every computer), with the same DOS version
as your computer. It also contains vital system information which will
allow you to recover from damage caused by a crash or a virus attack.
Make sure that the rescue diskette always remains write-protected!
How do I create a rescue diskette?
You will need a new, empty diskette (for example, the green TBAV
recovery diskette). Place it in the diskette drive and, at the DOS
directory prompt, enter the following commands:
FORMAT A: /S
COPY SYS.COM A:
Return to the TBAV directory:
CD\TBAV
Execute the MAKERESC batch file:
MAKERESC A:
Write-protect your rescue diskette and keep it in a safe place!
ATTENTION! This rescue diskette is a snapshot of your system at the
moment it was created. Should you change the DOS version, the hardware
or the computer, a new rescue diskette has to be created. Refer to the
TBAV Utilities-Guide, Chapter 2.1 "Virus protection", for more
information.
What should I do with infected files?
The best solution, once you have booted your computer with a rescue
diskette, is to replace the infected files with the originals. In case
there is no master disk to replace the infected programs, try to
restore clean backup copies that were made before the virus infected
the computer. When neither solution is possible you may try to clean
the files using TBCLEAN.
Remark:
In case you do not have a rescue diskette you may use a DOS-bootable
diskette, for example the MS-DOS 'Diskette 1 - Setup' diskette. (In
the main menu, press the F3 key twice to interrupt the installation.)
However, we highly recommend creating a rescue diskette while the
system is virus-free.
How do I clean a virus from within Windows?
All virus cleaning is to be performed in DOS after booting from a
rescue diskette. This is necessary to avoid serious problems that may
occur when you try to remove the virus WHILE it is still active.
Remark:
In case you do not have a rescue diskette you may use a DOS-bootable
diskette, for example the MS-DOS 'Diskette 1 - Setup' diskette. (In
the main menu, press the F3 key twice to interrupt the installation.)
However, we highly recommend creating a rescue diskette while the
system is virus-free.
How do I uninstall TBAV for Windows 3.x?
Follow these instructions in order to successfully remove TBAV for
Windows:
Step 1
Start TBAV for Windows
Step 2
Select TBSETUP in the pull down menu and choose 'Options'
Step 3
Select 'REMOVE ANTI-VIR.DAT files' and click OK
Step 4
Select 'All local hard drives' as the target
Step 5
Click the SETUP button and click Yes to continue
Step 6
Use Notepad to change WIN.INI in the WINDOWS directory
Step 7
Use Notepad to search for 'TBAV'
Step 8
Delete the LOAD statement part that refers to TBAV
For example: C:\TBAV\TBLOAD.EXE
Step 9
Have Notepad perform another search for 'TBAV'
Step 10
Remove the three lines that refer to TBAV
For instance:
[TBAVWIN]
DirectDiskOffs...
DirectDiskSegm...
Step 11
Save WIN.INI and edit the SYSTEM.INI file
Step 12
Search for and remove the line that refers to 'TBAV'
For instance:
device=c:\tbav\tbavwin.386...
Step 13
Save and exit the SYSTEM.INI file and Notepad
Step 14
Quit Windows and return to the ROOT of your C: drive
Step 15
Edit AUTOEXEC.BAT and remove the CALL statement for TBAV
For instance:
Call c:\tbav\tbstart.bat
Step 16
Remove TBAV from the PATH-statement as well
For instance:
PATH=%PATH%;C:\TBAV;
Step 17
Save AUTOEXEC.BAT and quit the editor
Step 18
Delete all files in your TBAV directory, then remove the TBAV
directory
Step 19
Reboot your computer
How do I remove the 3 TBAV checks from my master boot record?
With DOS version 5.00 or higher, execute the following command:
C:\>FDISK /MBR <Enter>
How can I avoid getting TBCHECK interceptions when running programs
from a file server?
TBCHECK intercepts network files because TBSETUP has not been executed
on the file server. There are two possible solutions. The first is to
run TBSETUP on the file server (in this case the user has to be
supervisor); the second is to modify the TBSTART.BAT file in your TBAV
directory and add the NOAVOK option(1) to TBCHECK.
For instance:
C:\TBAV\TBCHECK.EXE NOAVOK=*
* Indicates all network drives.
In case this only applies to F: and G:, the NOAVOK option looks like
this:
C:\TBAV\TBCHECK.EXE NOAVOK=FG
(1) The NOAVOK parameter makes sure that TBCHECK will not check
programs for the volumes indicated.
What should I do when the memory has been virus-infected and TBCLEAN is
not able to clean it?
When a virus is detected in memory, the virus is already active. Turn
off your computer as soon as possible in order to avoid more damage.
TBCLEAN cannot do anything about it because TBCLEAN is only able to
clean DOS files!
Turn off the computer and reboot with a rescue diskette. Then you have
to scan your local hard disks with the latest version of TBAV for DOS.
There is a fair chance that a virus will be detected in the boot sector
and/or the master boot record. How to clean this is answered under the
question: 'The hard disk's boot sector/master boot record has been
infected. What do I have to do?'
Remark:
In case you do not have a rescue diskette you may use a DOS-bootable
diskette, for example the MS-DOS 'Diskette 1 - Setup' diskette. (In
the main menu, press the F3 key twice to interrupt the installation.)
However, we highly recommend creating a rescue diskette while the
system is virus-free.
The hard disk's boot sector/master boot record has been infected. What do
I have to do?
Use the following steps to remove the boot sector virus:
Having a rescue diskette:
Step 1
Boot the computer with a rescue diskette
Step 2
Select TBUTIL from TBAV main menu
Step 3
Select SYSTEM MAINTENANCE MENU from TBUTIL menu
Step 4
Choose RESTORE SYSTEM CONFIGURATION
(Restore System Configuration will be selected)
Step 5
Select (from the same menu): Execute TBUTIL
Step 6
Press <Enter>
Step 7
Follow the on-screen instructions
Not having a rescue diskette:
Step 1
Boot the computer with an MS-DOS bootable diskette
In case you do not have a rescue diskette you may use a DOS-bootable
diskette, for example the MS-DOS 'Diskette 1 - Setup' diskette. (In
the main menu, press the F3 key twice to interrupt the installation.)
However, we highly recommend creating a rescue diskette while the
system is virus-free.
Step 2
Execute the SYS C: command
Step 3
Execute the FDISK /MBR command
Remark:
Removing a boot sector/master boot record virus by using a rescue
diskette gives you a 100% guarantee that every boot sector/master boot
record virus in your system will be removed. Using SYS C: and
FDISK /MBR does not give this guarantee!
What should I do when the diskette boot sector has been infected?
In order to remove a boot sector virus from a diskette, use the following
steps:
Step 1
Start TBAV
Step 2
Select TBUTIL from the main menu
Step 3
Select Immunize/Clean bootsector A: (or B:) in TBUTIL
Step 4
Follow the on-screen instructions
I am getting (e.g.) the following interception:
╒═════════ TBAV interception ══════════╕
│               WARNING!               │
│ TbCheck could not find the NEW.COM   │
│ checksum information.                │
│ The integrity of this file cannot    │
│ be checked. Cancel execution? (Y/N)  │
╘══════════════════════════════════════╛
How is this possible and how can I avoid it?
This interception occurs because no checksum information is available
for NEW.COM. Usually it concerns new software that has not been
validated by TBSETUP. Perform the following steps:
Step 1
Scan the directory that contains NEW.COM
For instance:
TBSCAN C:\SOFTWARE\NEW\*.*
Step 2
** Only to be performed when no viruses have been detected in the
previous step. **
Execute TBSETUP in the NEW.COM directory
For instance:
TBSETUP C:\SOFTWARE\NEW\*.*
For more information, see: 'How can I avoid TBCHECK interceptions when
running programs from a file server?'.
When loading TbScanX, 'Not enough memory' is mentioned. What does it
mean and how do I solve it?
This is caused by two options missing from the TBSCAN.EXE boot
command. As a rule, TBAV utilities are loaded via TBSTART.BAT, which
is called by a CALL statement from AUTOEXEC.BAT.
Use the following steps:
Step 1
Use a text editor to open TBSTART.BAT in the TBAV directory
Step 2
Search for the line with TBSCANX
Step 3
Adjust the line in the following way:
C:\TBAV\TBSCANX.EXE XMS EMS
Step 4
Save the adjusted contents of TBSTART.BAT and close the editor
Step 5
Reboot the computer
Should I install TBAV for DOS in Windows 95?
TBAV for DOS utilities are not designed to work in Windows 95.
This means you cannot use the memory resident TBAV utilities
(TbDriver, TbScanX etc.) in Windows 95. So, you must never start
INSTALL.EXE from the TBAV for DOS diskette (this would install the
TBAV for DOS TSRs). If you want to have TBAV for DOS on your
hard disk, create a new TBAV directory and copy all the files of
the TBAV for DOS diskette into this directory. Now you can use TbScan,
TbUtil etc. in a Windows 95 DOS-Box.
How do I make a Rescue Diskette in Windows 95?
You can create a TBAV Rescue Diskette in Windows 95. Creating such a
disk ensures that you can remove ANY bootsector virus from your PC.
* Start a DOS-Box (or go to the DOS-Prompt)
* Copy (NOT install!) TBAV for DOS in a TBAV directory.
* Format a diskette with 'format a: /u /s'
* Go to the TBAV (for DOS) directory and type: MakeResc.Bat A:
Now a Rescue Diskette will be created for your Windows 95 machine.
Make the diskette write-protected and keep it in a safe place.
Sometimes the Rescue Diskette is the only way to remove a virus from
your PC.
Design philosophy
-----------------
Why does TbSetup create an Anti-Vir.Dat file in every directory (that
contains executable files), instead of generating just ONE reference file
for the entire system?
1. It is more intuitive. It is much easier for a user to see whether
or not a directory has been processed by the checksummer. At a
single glance you can see when the Anti-Vir.Dat file was last
modified, and whether this fits in with the latest date-and-time
stamp of the executable files.
2. Maintenance. When an entire directory is deleted, the Anti-Vir.Dat
file (the checksum information) will be gone too. Automatically!
Using the single file approach, you will have to run an update
utility or you will have to accept that the database will
constantly get bigger. The same goes for moving one directory to
another disk or subdirectory. You do not have to worry about the
Anti-Vir.Dat files as they will be moved automatically!
3. Security. When a company decides to introduce new software, it can
make a backup of the diskettes, scan it for viruses, install the
Anti-Vir.Dat files and distribute them within the company. Anyone
who uses the diskettes will have the correct Anti-Vir.Dat files
near at hand, and no longer needs to use TbSetup. The new
Anti-Vir.Dat files do not interfere with already existing files.
4. Networks. Different users of a network may have access to a
directory via another path. E.g., one user may see the F:\JOHN
directory whereas another user with more access rights may refer to
the same directory as G:\USERS\JOHN. Using the single file approach
you will have to create a separate database for every user. Using an
Anti-Vir.Dat file for each directory, the supervisor needs to create
only ONE Anti-Vir.Dat file per directory. No matter what access
rights a user has, he automatically has access to the Anti-Vir.Dat
file. When a network product update is being done, the supervisor
simply has to create a new Anti-Vir.Dat file for that specific
directory, and EVERY network user will immediately have the correct
checksum information.
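The per-directory design argued for in points 1 to 4, together with the 'could not find the checksum information' case from the TbCheck interception question, as an added Python example (not TBAV code and not the Anti-Vir.Dat format). The manifest name INTEGRITY.DAT, its JSON layout, the use of SHA-256 and all function names are assumptions made for illustration; the sample files are constructed.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "INTEGRITY.DAT"  # hypothetical name; not TBAV's Anti-Vir.Dat format
EXECUTABLE_EXT = {".exe", ".com", ".sys", ".bin"}

def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def write_manifest(directory: Path) -> int:
    """Record a digest for every executable in ONE directory; return the count."""
    records = {p.name.lower(): digest(p)
               for p in sorted(directory.iterdir())
               if p.is_file() and p.suffix.lower() in EXECUTABLE_EXT}
    (directory / MANIFEST).write_text(json.dumps(records, indent=2))
    return len(records)

def check_file(path: Path) -> str:
    """Return 'ok', 'changed' or 'no-record', reading only the file's own directory."""
    manifest = path.parent / MANIFEST
    records = json.loads(manifest.read_text()) if manifest.exists() else {}
    expected = records.get(path.name.lower())
    if expected is None:
        return "no-record"
    return "ok" if expected == digest(path) else "changed"

def demo() -> dict:
    """Run the cases from the text on a constructed directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "SOFTWARE" / "APP"
        app.mkdir(parents=True)
        (app / "TOOL.COM").write_bytes(b"constructed sample program")
        results["recorded"] = write_manifest(app)
        results["validated"] = check_file(app / "TOOL.COM")
        # A program added after the manifest was written has no record yet.
        (app / "NEW.COM").write_bytes(b"constructed new program")
        results["new"] = check_file(app / "NEW.COM")
        # Moving the directory moves its manifest: no central database to update.
        moved = root / "USERS" / "JOHN"
        moved.parent.mkdir()
        shutil.move(str(app), str(moved))
        results["moved"] = check_file(moved / "TOOL.COM")
        # Any change to the file's bytes no longer matches the recorded digest.
        tool = moved / "TOOL.COM"
        tool.write_bytes(tool.read_bytes() + b"appended bytes")
        results["modified"] = check_file(tool)
    return results

if __name__ == "__main__":
    print(demo())
```

The 'no-record' result corresponds to the situation in which a new program has been added but the directory has not been re-validated; the check never needs to know the path by which the directory was reached.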
Why does TbScanX, unlike some other products, not scan a boot sector
when you press Ctrl-Alt-Delete?
First of all, TbScanX will scan a boot sector immediately when you try
to get access to a diskette. Most people insert a diskette because
they need a diskette file, or want to copy to it, or because they want
to look into a directory. In all of these cases TbScanX will check the
boot sector, long before one presses Ctrl-Alt-Del. Therefore there is
no need for TbScanX to check the boot sector when you reboot; it has
already been done.
The second reason is that it might be dangerous to scan a diskette
while rebooting. You do not usually reboot for fun! Most of the time
you reboot because the system has become unstable, or because a
program instructed you to reboot after having changed vital hard disk
information. With an unstable system you may damage data by trying to
get access to a disk. When a program tells you to reboot, this
reboot is often necessary because the system has not yet been informed
of configuration changes. Without the appropriate drivers it is
dangerous to continue and try to get access to the disks.
The third reason is that it could cause people to believe that
rebooting with a diskette in the drive is OK, because the
diskette will be scanned anyway. Unfortunately, checking a diskette
can only be done before a soft boot and not when one hits the reset
button. It is only a partial solution. For many people the
difference between a hard and a soft boot is not entirely clear, and
they will assume that rebooting with a diskette inserted will always
be safe.
In conclusion, scanning at that point is dangerous, unreliable,
confusing and in most cases unnecessary. Therefore it was decided not
to scan after Ctrl-Alt-Delete has been pressed.
Why does TbClean not clean ALL files at once?
Let us see what happens when your system has been infected by a virus
and you run an 'automatic' cleaner. Even with only ONE virus, every
executable will be in one of the following conditions after the
cleaning has been done:
1. Files that have not been infected by this virus at all.
2. Infected files that have been cleaned successfully.
3. Files that have been damaged (not infected) by the virus and that
cannot be cleaned because they have been deleted or have been
overwritten.
4. Files which have been successfully cleaned according to the cleaner
but which do not function anymore afterwards (e.g., because of copy
protection or various other reasons).
5. Files of which the cleaner says that it failed to clean them and
which have to be replaced because they still are infected.
Are you going to sort out the condition of all the files after the
'automatic' cleaning has been done? A much better approach is to work
through the files one by one: clean a file, check the result, test
the file and only then proceed with the next one. Tedious? Yes, so an
even better approach is to take the back-up tape and to restore all
executable files.
Remember that viruses have not been written to be bug-free and
compatible with present-day complex configurations. There is no way a
cleaner can clean files that have been infected by a 'buggy' virus;
automatic cleaning is an illusion. Nevertheless, if you insist on
using a cleaner, you have the best chances of success by going through
your files one by one.
I have seen some information on the Internet about how to fool TbScan.
What are you going to do about it?
This is nothing to worry about. We know that it is possible to
fool heuristics. We know that it is possible to design a virus
that TbScan cannot yet detect. We have seen many examples of
this in the past.
Encrypted viruses were invented to make signature scanning
useless, until the AV industry invented signature wildcards and
entry point tracers. Polymorphic viruses were invented to
make signature scanning completely impossible, until the
anti-virus industry invented generic decryption.
It is an endless battle. Some strategy is involved as well.
Sometimes it is better to leave an easy-to-close door open,
let a virus writer spend weeks writing something
that exploits this 'loophole' and then just slam this door
without any trouble or damage, than to attempt to foresee all
possible future virus-writing developments, close all
doors in advance, and let someone discover something that is much
more difficult to solve. Someone who wants to attack a specific
anti-virus product will eventually discover something that can be
used. This applies to all anti-virus products, no matter how
clever they are. That's why all serious anti-virus products have
to be frequently updated.
If a virus is able to escape heuristic detection, we will find it
with a signature. If some information leads to a virus that indeed
succeeds in remaining unspotted, we will do something about it. We have
done so dozens of times in the past, and we will keep doing so.
So far, there is no reason to believe that virus writers will
finally come up with something that we can't handle.
Why is your scanner not scanning .DLL files?
So far, we have been following the approach that we don't scan
something if there are no viruses yet that infect it. We could have
scanned for macro viruses for years, but it didn't make sense
until someone actually created a macro virus. Technically, it is
possible to infect a .DLL file, but there are no viruses that
do this. As soon as there is a virus that infects .DLL
files, we will have to create a signature for that virus anyway,
and that is the right time to include the .DLL extension in the
default scan list as well.
Granted, there are a few viruses which think a .DLL file is a DOS
executable, since it contains an EXE header. They might add their
virus code to the .DLL file. But since you are never going to
execute the .DLL file from the DOS command prompt, you are not
going to introduce a virus on your system this way. The virus
won't get activated when you use the .DLL file in a Windows
environment. Of course, if you have a standard executable file
(.EXE or .COM) which is infected by a virus, this virus may
'infect' the .DLL file, so once you have a virus, it is a good
idea to include the /allfiles option.
Network related questions
-------------------------
We installed TBAV on a server and we are using the TbScan 'once' option.
However, when the PCs are being turned on in the morning, only the first
workstation is scanned and the others are not. Why is that?
When TbScan uses the 'once' option, information will be written to
TBSCAN.EXE. The first PC scans and updates the information in
TBSCAN.EXE. The other PCs will conclude that TbScan has already been
used that day and they will proceed without scanning.
In order to solve this problem you may specify a file name after the
'once' option. Instead of putting the information in the TBSCAN.EXE
program, TbScan puts it in the specified file.
Use for instance 'TbScan once=c:\config.sys' to ensure that every PC
maintains its own 'last time scanned' record.
Attention please! TbScan does not alter the specified file's contents.
It records the information in a different way and therefore you may
specify any EXISTING file.
We have installed TBAV on a server and we are using the TbScan 'once'
option. However, when the PCs are booted several times a day TbScan is
always scanning instead of only once. Why is that?
The users probably do not have write access rights for TBSCAN.EXE.
Perfect! Use the method described in the previous question.