Chip 1999 July

home *** CD-ROM | disk | FTP | other *** search

/ Chip 1999 July / Chip_1999-07_cd.bin / zkuste / TBAV / tbav_dos / TBAV.TXT < prev next >

Wrap

Text File | 1999-01-11 | 391.6 KB | 10,948 lines

ThunderBYTE Anti-Virus Utilities USER MANUAL The ThunderBYTE Anti-Virus Utilities are a product of: ESaSS B.V. P.O. Box 1380 6501 BJ NIJMEGEN The Netherlands COPYRIGHT (c) 1996 by: ThunderBYTE B.V., Wijchen, The Netherlands. All rights reserved. No part of this manual may be reproduced, stored in a retrieval system, or transmitted in any form, by print, microfilm, or by any other means without written permission from ThunderBYTE B.V. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page i Table of Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 A Word (or Two) of Thanks . . . . . . . . . . . . . . . . . . . 1 What Are the TBAV Utilities? . . . . . . . . . . . . . . . . . . 1 The TBAV Utilities User Interface . . . . . . . . . . . . . . . 5 Conventions Used in This Manual . . . . . . . . . . . . . . . . 6 How To Use This Manual . . . . . . . . . . . . . . . . . . . . . 6 1 TBAV QuickStart . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.1 Installing the TBAV Utilities . . . . . . . . . . . . . . . 8 1.1.1 Understanding System requirements . . . . . . . . . . 8 1.1.2 Running INSTALL . . . . . . . . . . . . . . . . . . . 8 1.1.3 Installation on a network . . . . . . . . . . . . . 11 1.1.4 Starting And Ending TBAV . . . . . . . . . . . . . 11 1.1.5 Using TBAV Commands . . . . . . . . . . . . . . . . 14 1.1.6 Getting Help . . . . . . . . . . . . . . . . . . . 15 1.1.7 Configuring TBAV . . . . . . . . . . . . . . . . . 16 1.2 Understanding TbSetup . . . . . . . . . . . . . . . . . . 18 1.3 Understanding TbDriver . . . . . . . . . . . . . . . . . . 19 1.4 Maintaining the System . . . . . . . . . . . . . . . . . . 20 1.4.1 Maintaining ANTI-VIR.DAT Files . . . . . . . . . . 20 1.4.2 Creating a New Recovery Diskette . . . . . . . . . 20 1.4.3 Getting Updates . . . . . . . . . . . . . . . . . . 20 1.4.4 Maintaining a Network . . . . . . . . . . . . . . . 21 1.4.5 Using the PKUNZIP Utility . . . . . . . . . . . . . 22 2 Defining Your Anti-Virus Strategy . . . . . . . . . . . . . . . . 24 2.1 Protecting Yourself Against Virus Infection . . . . . . . 24 2.2 Recovering from Virus Infection . . . . . . . . . . . . . 29 3 Using the TBAV utilities . . . . . . . . . . . . . . . . . . . . 33 3.1 Using TbSetup . . . . . . . . . . . . . . . . . . . . . . 33 3.1.1 Understanding TbSetup . . . . . . . . . . . . . . . 33 3.1.2 Working with the TbSetup Menu . . . . . . . . . . . 34 3.1.3 Maximizing TbSetup . . . . . . . . . . . . . . . . 40 3.1.4 Understanding TbSetup's Operation . . . . . . . . . 44 3.1.5 Understanding TBSETUP.DAT Files . . . . . . . . . . 45 3.2 Using TbScan . . . . . . . . . . . . . . . . . . . . . . . 47 3.2.1 Understanding TbScan . . . . . . . . . . . . . . . 47 3.2.2 Working with the TbScan Menus . . . . . . . . . . . 48 3.2.3 Maximizing TbScan . . . . . . . . . . . . . . . . . 62 TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page ii 3.2.4 Understanding the Scanning Process . . . . . . . . 72 3.2.5 Understanding Heuristic Flags . . . . . . . . . . . 76 3.3 Using TbDriver . . . . . . . . . . . . . . . . . . . . . . 78 3.3.1 Understanding TbDriver . . . . . . . . . . . . . . 78 3.3.2 Working with TbDriver . . . . . . . . . . . . . . . 78 3.3.3 Maximizing TbDriver . . . . . . . . . . . . . . . . 79 3.4 Using TbScanX . . . . . . . . . . . . . . . . . . . . . . 84 3.4.1 Understanding TbScanX . . . . . . . . . . . . . . . 84 3.4.2 Working with TbScanX . . . . . . . . . . . . . . . 84 3.4.3 Maximizing TbScanX . . . . . . . . . . . . . . . . 86 3.4.4 Understanding the Scanning Process . . . . . . . . 90 3.5 Using TbCheck . . . . . . . . . . . . . . . . . . . . . . 92 3.5.1 Understanding TbCheck . . . . . . . . . . . . . . . 92 3.5.2 Working with TbCheck . . . . . . . . . . . . . . . 92 3.5.3 Maximizing TbCheck . . . . . . . . . . . . . . . . 94 3.5.4 Understanding the Scanning Process . . . . . . . . 96 3.5.5 Testing TbCheck . . . . . . . . . . . . . . . . . . 96 3.6 Using TbClean . . . . . . . . . . . . . . . . . . . . . . 98 3.6.1 Understanding TbClean . . . . . . . . . . . . . . . 98 3.6.2 Working with the TbClean Menus . . . . . . . . . . 99 3.6.3 Using TbClean Command Line Options . . . . . . . . 101 3.6.4 Understanding the Cleaning Process . . . . . . . . 104 3.6.5 Understanding Cleaning Limitations . . . . . . . . 106 3.7 Using TbMem . . . . . . . . . . . . . . . . . . . . . . . 108 3.7.1 Introducing the TbMem, TbFile & TbDisk Utilities . 108 3.7.2 Loading TbMem, TbFile and TbDisk . . . . . . . . . 108 3.7.3 Using Command Line Options . . . . . . . . . . . . 110 3.7.4 Understanding TbMem . . . . . . . . . . . . . . . . 110 3.7.5 Working with TbMem . . . . . . . . . . . . . . . . 111 3.7.6 Maximizing TbMem . . . . . . . . . . . . . . . . . 112 3.7.7 Understanding TbMem's Operation . . . . . . . . . . 114 3.8 Using TbFile . . . . . . . . . . . . . . . . . . . . . . . 116 3.8.1 Understanding TbFile . . . . . . . . . . . . . . . 116 3.8.2 Working with TbFile . . . . . . . . . . . . . . . . 117 3.8.3 Maximizing TbFile . . . . . . . . . . . . . . . . . 117 3.9 Using TbDisk . . . . . . . . . . . . . . . . . . . . . . . 120 3.9.1 Understanding TbDisk . . . . . . . . . . . . . . . 120 3.9.2 Working with TbDisk . . . . . . . . . . . . . . . . 121 3.9.3 Maximizing TbDisk . . . . . . . . . . . . . . . . . 122 3.9.4 Understanding TbDisk's Operation . . . . . . . . . 125 3.10 Using TbUtil . . . . . . . . . . . . . . . . . . . . . . 126 3.10.1 Understanding and using TbUtil . . . . . . . . . . 126 3.10.2 Working with the TbUtil Menu . . . . . . . . . . . 127 3.10.3 Maximizing TbUtil . . . . . . . . . . . . . . . . 131 3.10.4 Using the Anti-Virus Partition . . . . . . . . . . 137 3.10.5 Using the TbUtil diskette . . . . . . . . . . . . 137 TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page iii 3.11 Using TbLog . . . . . . . . . . . . . . . . . . . . . . . 139 3.11.1 Understanding and using TbLog . . . . . . . . . . 139 3.11.2 Working with TbLog . . . . . . . . . . . . . . . . 139 3.11.3 Maximizing TbLog . . . . . . . . . . . . . . . . . 141 3.12 Using TbNet . . . . . . . . . . . . . . . . . . . . . . . 143 3.12.1 Understanding TbNet . . . . . . . . . . . . . . . 143 3.12.2 Working with TbNet . . . . . . . . . . . . . . . . 143 3.12.3 Maximizing TbNet . . . . . . . . . . . . . . . . . 144 4 Understanding Advanced User Information . . . . . . . . . . . . . 147 4.1 Understanding Memory Considerations . . . . . . . . . . . 147 4.1.1 Understanding Memory Requirements . . . . . . . . . 147 4.1.2 Reducing Memory Requirements . . . . . . . . . . . 148 4.2 Understanding TbSetup . . . . . . . . . . . . . . . . . . 150 4.2.1 Understanding ANTI-VIR.DAT File Design . . . . . . 150 4.2.2 Editing the TBSETUP.DAT File . . . . . . . . . . . 150 4.2.3 Simplifying Installation on Several Machines . . . 152 4.3 Understanding TbScan . . . . . . . . . . . . . . . . . . . 153 4.3.1 Understanding Heuristic Scanning . . . . . . . . . 153 4.3.2 Understanding How Heuristic Scanning Works . . . . 155 4.3.3 Understanding Integrity Checking . . . . . . . . . 156 4.3.4 Understanding the Scan Algorithms . . . . . . . . . 157 4.3.5 Understanding the TBSCAN.LNG File . . . . . . . . . 159 4.3.6 Understanding the TBAV.MSG File . . . . . . . . . . 160 4.4 Understanding TbClean . . . . . . . . . . . . . . . . . . 161 4.4.1 Understanding how a Virus infects a file . . . . . 161 4.4.2 Understanding Conventional Cleaners . . . . . . . . 161 4.4.3 Understanding Generic Cleaners . . . . . . . . . . 163 4.5 Using TbGenSig . . . . . . . . . . . . . . . . . . . . . . 165 4.5.1 Understanding and using TbGenSig . . . . . . . . . 165 4.5.2 Working with TbGenSig . . . . . . . . . . . . . . . 165 4.5.3 Defining a Signature with TbScan . . . . . . . . . 166 4.5.4 Understanding Keywords . . . . . . . . . . . . . . 168 4.5.5 Understanding a Sample Signature: Haifa.Mozkin . . 173 Appendices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Appendix A: TBAV messages . . . . . . . . . . . . . . . . . . 175 A.1 TbClean . . . . . . . . . . . . . . . . . . . . . . . 175 A.2 TbDriver . . . . . . . . . . . . . . . . . . . . . . 177 A.3 TbScan . . . . . . . . . . . . . . . . . . . . . . . 178 A.4 TbScanX . . . . . . . . . . . . . . . . . . . . . . . 179 Appendix B: TbScan Heuristic Flag Descriptions . . . . . . . . 180 Appendix C: Solving Incompatibility Problems . . . . . . . . . 186 Appendix D: TBAV Exit Codes and Batch Files . . . . . . . . . 189 D.1 TbScan Exit Codes . . . . . . . . . . . . . . . . . . 189 D.2 TbUtil Exit Codes . . . . . . . . . . . . . . . . . . 189 TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page iv D.3 General Exit Codes . . . . . . . . . . . . . . . . . 189 D.4 Program Installation Check . . . . . . . . . . . . . 189 Appendix E: Virus Detection and Naming . . . . . . . . . . . . 191 E.1 How Many Viruses Does TbScan Detect? . . . . . . . . 191 E.2 The Virus Naming Convention . . . . . . . . . . . . . 191 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 1 Introduction A Word (or Two) of Thanks Congratulations! By purchasing the ThunderBYTE Anti-Virus utilities you have taken the basic step in building a massive anti-viral safety wall around your precious computer system. Setting up the appropriate defense using the TBAV utilities is a personal matter. Therefore, we recommend to read this manual thoroughly, so you are well aware of the different kinds of security measures you can take. What Are the TBAV Utilities? ThunderBYTE Anti-Virus (TBAV) is a comprehensive tool kit designed to protect against, and recover from, computer viruses. While TBAV focuses heavily on numerous ways to prevent a virus infection, the package would not be complete without various cleaner programs to purge a system, in the unlikely event that a virus manages to slip through. The package, therefore, consists of several programs, each of which helps you to prevent viruses from accomplishing their destructive purposes. Here is a quick overview. TbSetup: Collecting Software Information TbSetup is a program that collects information from all software it finds on your system. It places this information in files named ANTI-VIR.DAT and uses it for integrity checking, program validation, and cleaning infected files. TbDriver: Enable Memory Resident TBAV Utilities While TbDriver provides little protection against viruses by itself, you must load it in advance to enable the memory resident ThunderBYTE Anti-Virus utilities to perform properly. These utilities include: TbScanX, TbCheck, TbMem, TbFile, and TbDisk. TbDriver also provides basic protection against ANSI bombs and stealth viruses. TbScan: Scanning for Viruses TbScan is both a fast signature scanner and a so-called heuristic scanner. Besides its blazing speed, it has many configuration options. It can detect mutants of viruses, bypass stealth type viruses, etc. The signature file TbScan uses is a coded TBSCAN.SIG file, which you can update yourself in case of emergency. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 2 TbScan will disassemble files. This makes it possible to detect suspicious instruction sequences and detect yet unknown viruses. As pointed out earlier, this generic detection, named heuristic analysis, is a technique that makes it possible to detect about 90% of all viruses by searching for suspicious instruction sequences rather than relying on any signature. For that purpose TbScan has a built-in disassembler and code analyzer. Another feature of TbScan is the integrity checking it performs when it finds the ANTI-VIR.DAT files generated by TbSetup. Integrity checking means that TbScan verifies that every file it scans matches the information which was captured when the file was first analyzed by TbSetup and is maintained in the ANTI-VIR.DAT files. If a virus infects a file, the information in the ANTI-VIR.DAT file will indicate that the file has been changed, and TbScan will inform you of this. TbScan performs an integrity check automatically, and it does not have the false alarm rate other integrity checkers have. The goal is to detect viruses and NOT to detect configuration changes! TbScanX: Automatic Scanning TbScanX is the memory resident version of TbScan. This signature scanner remains resident in memory and automatically scans those files that are being executed, copied, de-archived, downloaded, etc. TbScanX does not require much memory. It can swap itself into expanded, XMS, or high memory, using only one kilobyte of conventional memory. TbCheck: Check While Loading TbCheck is a memory resident integrity checker that remains resident in memory and automatically checks every file just before it executes. TbCheck uses a fast integrity checking method, which consumes only 400 bytes of memory. You can configure it to reject files with incorrect checksums, and/or reject files that do not have a corresponding ANTI-VIR.DAT record. TbUtil: Restoring Infected Boot-Sector, CMOS and Partition Tables Some viruses copy themselves into the hard disk's partition table, which makes them far more difficult to remove than boot sector viruses. Performing a low-level format is an effective, but rather drastic measure. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 3 TbUtil offers a more convenient alternative by making a precautionary backup of uninfected partition tables and the boot sector. If an infection occurs, you can use the TbUtil backup as a verifying tool and as a means to restore the original (uninfected) partition table and boot sector, without the need for a destructive disk format. TbUtil can also restore the CMOS configuration for you. If a backup of your partition table is not available, TbUtil tries to create a new partition table anyway, again avoiding the need for a low-level format. Another important feature of TbUtil is the option to replace the partition table code with new code offering greater resistance to viruses. TbUtil executes the partition code BEFORE the boot sector gains control, enabling it to check this sector in a clean environment. The TbUtil partition code performs a CRC calculation on the master boot sector just before the boot sector code activates and issues a warning if the boot sector has been modified. The TbUtil partition code also checks and reports changes in the RAM layout. It performs these checks whenever the computer boots from the hard disk. We should point out that boot sector verification is imperative before allowing the boot sector code to execute. A virus could easily become resident in memory during boot-up and hide its presence. TbUtil offers total security at this stage by being active before the boot sector executes. TbUtil is far more convenient than the traditional strategy of booting from a clean DOS diskette for an undisturbed inspection of the boot sector. TbClean: Reconstructing Infected Files TbClean is a generic file cleaning utility. It uses the ANTI-VIR.DAT files generated by TbSetup to enhance file cleaning and/or to verify the results. TbClean can also work without these files. It disassembles and emulates the infected file and uses this analysis to reconstruct the original file. TbMem, TbFile and TbDisk: Resident Safeguards The TBAV utilities include a set of memory resident anti-virus utilities, consisting of TbMem, TbFile and TbDisk. Most other resident anti-virus products offer you the choice to either invoke them before the network loads (thereby losing the protection after the logon procedure), or to load the anti-viral software after logging onto the network, resulting in a partially unprotected system. The TBAV utilities, on the other hand, recognize the network TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 4 software and utilize their auto-configuration capabilities to ensure their continued functionality. TbMem: Safeguarding Memory TbMem detects attempts from programs to remain resident in memory and ensures that no program can remain resident in memory without permission. Since most viruses remain resident in memory, this is a powerful weapon against all such viruses, known or unknown. TbMem also protects your CMOS memory against unwanted modifications. The ANTI-VIR.DAT files maintain a database of the permission information. TbFile: Executable File Protection TbFile detects attempts from programs to infect other programs. It also guards read-only attributes, detects illegal time-stamps, etc. It ensures that no virus succeeds in infecting programs. TbDisk: Protecting The Disk TbDisk is a disk guard program that detects attempts from programs to write directly to disk (that is, without using DOS), attempts to format, etc., and makes sure that no malicious program succeeds in destroying your data. This utility also traps tunneling and direct calls into the BIOS code. The ANTI-VIR.DAT files maintain permission information about those rare programs that write directly to and/or format the disk. TbGenSig: Define Your Own Signatures Since TBAV includes an up-to-date, ready-to-use signature file, you do not really need to maintain a signature file yourself. If, however during a crisis, you need to define your own virus signatures, then the TbGenSig utility enables you to do this. You can use either published signatures or define your own if you are familiar with the structure of computer code. TbDel: Remove Infected Files The DOS DEL or ERASE command does not actually erase a file. It simply deletes the first filename character in the directory listing and frees up the space by changing the disk's internal location tables (File Allocation Tables). TbDel is a small program with a single, yet all-important purpose: it overwrites every single byte TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 5 in a file with the zero character (0) before deleting it, thereby obliterating all the data and making it totally unrecoverable. TbMon: Installed Device Checker To check for the presence of the resident TBAV utilities (TbScanX, TbCheck, TbMem, TbFile, TbDisk or TbLog) in batch files or login scripts, you can use the TbMon utility. TbMon returns a DOS error level, depending on the installed ThunderBYTE resident programs. The following list specifies the ThunderBYTE resident utilities and their respective error levels: +------------+-----------+ |Utility Name|Error level| +------------+-----------+ | TbScanX | 1 | | TbCheck | 2 | | TbMem | 4 | | TbFile | 8 | | TbDisk | 16 | | TbLog | 32 | +------------+-----------+ The error level returned by TbMon is the cumulative sum of the error levels of the installed devices. For example, if you have TbScanX and TbMem installed, TbMon will return error level 5 (1+ 4 = 5). Another example: if you have all utilities loaded, TbMon will return error level 63 (1+2+4+8+16+32=63). If none of the resident ThunderBYTE utilities are installed, TbMon will return error level 0 (zero). The TBAV Utilities User Interface The DOS version of TBAV utilizes a menu-driven interface that enables you to execute the utilities easily. You can also execute many of the utilities directly from the DOS prompt. One advantage to this is that you can use the utilities in batch files. The Microsoft Windows version of TBAV utilizes the standard Windows interface, providing you a way to protect yourself from viruses while still working in the user-friendly Windows environment. TBAV-for-Windows is not described in this document. Please refer to the TBAV-for-Windows documentation for more information. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 6 Conventions Used in This Manual This manual uses several special conventions: References to the keyboard are as they appear on the 101-key enhanced keyboard. File names, DOS commands, emphasized words, and information that you are to type appears in UPPERCASE letters. The context should clearly dictate which of these is true in each case. References to individual TBAV utilities use a combination of uppercase and lowercase letters. For example, while TBSCAN.SIG refers to a signature file, TbScan refers to the utility itself. How To Use This Manual This manual consists of six chapters. Chapter 1 provides you with the fastest way to get started with the TBAV utilities. It presents the major features of the program in a step-by- step format. We recommend that you start with this chapter. Chapter 2 contains instruction on how to prevent viruses from infecting your computer system and directions on how to handle viruses when they do strike. We recommend that you also read this chapter because it contains several useful tips. Chapter 3 contains a detailed description of both the purpose and functionality of all the TBAV for DOS utilities. Chapter 4 contains advanced user information for those users who are more technically oriented. This manual also contains five appendices. Appendix A describes TBAV messages, Appendix B describes heuristic flags, Appendix C addresses some incompatibility problems, Appendix D lists various exit codes for use in batch files, and Appendix E contains information on naming viruses. Finally, the Index provides you with the means of quickly finding any major topic. NOTE: A complete reading of this manual is indispensable in order to become familiar with the many facets of the ThunderBYTE AntiVirus utilities; to know what steps you can, and must, take to ensure TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 7 adequate protection and be fully prepared for a complete recovery, if and when disaster strikes. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 8 1 TBAV QuickStart One of the problems with software manuals is they sometimes beat around the bush and don't get to the point, namely, how to use the software right now. This chapter presents the major features of TBAV and will get you up and running in the minimum amount of time. 1.1 Installing the TBAV Utilities This section provides the initial installation instructions of the TBAV utilities for DOS. See the TBAV for Windows documentation for installing TBAV for Windows or the TBAV for Networks documentation for installing TBAV for Networks. 1.1.1 Understanding System requirements The ThunderBYTE Anti-Virus utilities will run on any IBM or compatible PC that meets the following requirements: At least 1 megabyte of disk space 256 kilobytes of free internal memory DOS version 3.0 (DOS 5.0 or later recommended) A mouse is optional NOTE: The TBAV utilities are compatible with networks, MS-Windows, Novell-DOS, etc. 1.1.2 Running INSTALL You can install the TBAV utilities either by using the following instal- lation procedure or by a fully customized procedure that you ll find in Chapter 2. To use the fast approach, follow these steps: 1. Insert the TBAV installation diskette in the diskette drive, type A: or B:, and press the ENTER key. 2. Type INSTALL and press ENTER. After a few seconds, the following window appears: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 9 +-------------------------+ | Quit Installation | | View TBAV.DOC file > | | License TBAV > | | Upgrade TBAV > | | Custom Installation > | | Express Installation > | +-------------------------+ 3. Since this is your first time to install the TBAV package you choose the first option, which is already highlighted, so just press ENTER. Notice also that you can always select a menu option by pressing its first letter. Install now displays the Licensing Agreement. 4. Press the cursor movement keys (up and down arrows and Page Up and Page Down) to view the Agreement. When you finish reading the agreement, press ESC. Install now asks you to acknowledge the Agreement. NOTE: You can exit Install at anytime by pressing the ESC key until you get to the Main Menu or even to the DOS prompt. 5. Select the Your Name field, type in your name, and press ENTER. 6. Select the company field and repeat the procedure to enter your company name. 7. Press I to select the Terms field, type in YES to accept the agreement, and press ENTER. The Install Menu now appears. 8. While you will probably accept the defaults, if you need to change the source path (the path where the installation program itself resides, usually drive A:) or the default Destination path (where Install places the TBAV program files, usually C:\TBAV), select the field, make your changes, and press ENTER. 9. Press B (or highlight Begin Installation and press ENTER) to begin the installation. Install now scans your system to ensure that it is clean (that is, no files are infected by a virus) and informs you when it is done. 10. Press any key to continue. Install now copies the TBAV files to the destination directory and makes a backup of your AUTOEXEC.BAT file before making a few modifications to it. The installation TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 10 program adds the TBAV directory to your PATH and adds a statement that will automatically run the TBSTART.BAT file. NOTE: The TBSTART.BAT file, which resides in the TBAV directory, contains the following commands: C:\TBAV\TBDRIVER C:\TBAV\TBSCANX C:\TBAV\TBCHECK C:\TBAV\TBMEM C:\TBAV\TBFILE C:\TBAV\TBSCAN ONCE ALLDRIVES You can configure these commands to suit your own personal needs. Notice: Install now displays a message that Recommends that you create a Recovery Diskette, which you can use in the future, for example, to restore your destroyed CMOS data, or restore your hard disk's partition table after it has been tampered with. 11. Press any key to continue to the Final Menu. To create a Recovery Diskette, press M, insert a clean formatted diskette into Drive A, and press any key to continue. TBAV now copies the system files to the diskette. See the Prepare a Recovery Diskette section in Chapter 2 for more information. If you do not want to create a Recovery Diskette, press Q to Quit Install. 12. When TBAV finishes, press any key to continue. TBAV invokes TbSetup to generate an ANTI-VIR.DAT file for drive A and returns you to the Final Menu. 13. Press Q to Quit Install. Install now invokes TbSetup again to generate the ANTI-VIR.DAT reference files for your hard disk and then returns you to the DOS prompt. CAUTION: It is extremely likely that some of the TBAV utilities are going to display messages if you now reboot and continue using the computer as you normally would. This is because some programs perform operations that the TBAV utilities monitor. TBAV, therefore, needs to learn which programs need proper permission. Before rebooting, execute some of the programs you use regularly and respond appropriately when TBAV requests permission to authorize or deny TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 11 their use. TBAV remembers the settings and will not bother you again. Reboot the computer at the end of this test run. 14. After running some of the programs you use regularly (see Caution box above), reboot your system. The TBAV utilities are now ready to monitor your system and will issue a warning if something suspicious (or worse!) is about to happen. The TBAV utilities also warn you if any new file contains a possible virus, well before it can do any harm. 1.1.3 Installation on a network If a workstation does not have a hard disk, you can invoke the TBAV utilities from a login script. You create a TbStart.Bat file containing the following: @echo off x:\apps\tbav\tbdriver.exe x:\apps\tbav\tbscanx.exe x:\apps\tbav\tbcheck.exe x:\apps\tbav\tbfile.exe x:\apps\tbav\tbmem.exe x:\apps\tbav\tbscan.exe alldrives exit In the login script add the following line: #x:command.com /c /x:\apps\tbav\tbstart.bat NOTE: You need to enter the correct drive ID for 'X:'! 1.1.4 Starting And Ending TBAV You can run TBAV in two ways: run the menu interface or run individual utilities from the DOS prompt. Starting TBAV With the Menu Interface You can access most of the TBAV utilities from within the TBAV menu. To start TBAV with the menu, follow these steps: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 12 1. At the DOS prompt, type CD \TBAV and press ENTER. This places you in the TBAV directory. NOTE: This first step is actually optional since the TBAV directory was added to the PATH during installation. You would need this step, however, if you ever decided to remove that directory from the PATH. 2. Type TBAV and press ENTER. This starts TBAV and displays the menu interface. 3. A common task is to scan your hard disk for viruses. To do this, press S on the "Main Menu" to select the TbScan command. Press S again to select the "Start Scanning" command on the TbScan Menu. Press D on the "Path Menu" and press ENTER. 4. If TbScan finds a virus, it presents an action menu. "D)elete" deletes the infected file. "K)ill" also deletes the infected file, but in such a way that it can't be undeleted by an undelete utility (such as DOS's UNDELETE command). "R)ename" renames an EXE extension to VXE and a COM extension to VOM, preventing the execution of infected programs and thereby precluding the spread of an infection, and also enabling you to keep the file for later examination and repair. "C)ontinue scanning" continues the scan without taking action on the virus. "N)onstop continue" instructs TbScan not to stop when it detects a virus. NOTE: If you use C or N, we recommend that you select L on the "TbScan Menu" and then O on the "TbScan Log Menu" so that TbScan will log detected viruses. To view this log, select V from the "TbScan Menu." 5. Another common task is to scan a diskette. To scan a diskette in drive A, press A, or to scan a diskette in drive B, press B. 6. You can use one of three methods to end TBAV: Press X to exit and save any configuration settings you have set Press Q to exit without saving any configuration settings Press ESC, which is the same as pressing Q TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 13 Starting TBAV Utilities from the DOS Prompt You can also start each of the individual TBAV utilities directly from the DOS prompt by typing the command name followed by one or more options (or switches) to control special features. You can use either the full name of the option or its one- or two-letter mnemonic to shorten the command line. For example, if you want to use TbScan to scan for viruses on your hard disk, you could execute either one of the following commands: TBSCAN ALLDRIVES TBSCAN AD The advantage of being able to execute individual utilities is that you can use the utilities in batch files to create your own custom routines. A simple example of this is putting TbScan in your AUTOEXEC.BAT file so that it will scan for viruses when you boot up. To accomplish this, do the following: 1. If you are using DOS 5 or later, type CD\ and press ENTER to go to the root directory. Now type EDIT AUTOEXEC.BAT and press ENTER to load this file into the MS-DOS text editor Edit. NOTE: If you are using a version of DOS prior to version 5.0, consult your DOS manual on how to edit AUTOEXEC.BAT. You might have your own text editor that you can use, or you could even use a word processor to edit the file and then save it as an ASCII text file. Consult your word processor's documentation for instructions. 2. Add the following line to the beginning of the file, making sure you separate the options from the command and from each other using a space: C:\TBAV\TBSCAN AllDrives Once 3. Press ALT, F, S to save the file again, and then press ALT, F, X to exit the editor (that is, if you are using the MS-DOS text editor EDIT; otherwise, use the commands of your favourite editor to save the file, and to exit the editor). 4. Reboot your computer so the changes will take effect. CAUTION: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 14 This line already exists in the TBSTART.BAT file, which runs automatically from AUTOEXEC.BAT. If you don't want to load all the TSR utilities that TBSTART.BAT loads, you could replace TBSTART.BAT with the above TBSCAN command. While this is still good protection, be aware that it doesn't fully protect your system. Refer to the Configuring TBAV section later in this chapter for more information on configuring TBAV. Now the first time you boot your computer on a given day, TbScan will check for viruses on all fixed drives. Because of the OO option, however, if you boot again, you'll receive the Option once already used today message, meaning that since TbScan has already run once that day, it will not run again. Another useful TBAV utility, not just for deleting infected files but any files you want destroyed, is TbDel. This utility overwrites every byte of a file with a nul character, thereby completely obliterating the file. If, for security reasons, you have files you want to destroy and prevent someone from undeleting using a file recovery program, enter the following command: TBDEL [filename] WARNING: Be absolutely sure you want to destroy a file before using TbDel. Once you execute the command, the file is gone forever, and no file recovery utility can bring it back. 1.1.5 Using TBAV Commands There are many commands in The TBAV Utilities, but most of them are available from the menu. You can select commands using either the keyboard or the mouse. To select a command, do one of the following: Highlight an option using the arrow keys and press Enter Press the highlighted letter of a command Move the mouse pointer to a command and click the left button As mentioned earlier, you can use all TBAV commands directly from the DOS prompt. You must separate the command from the first option and options from each other using a space. You can use the standard slash (/) character or hyphen (-) before an option, but it is not necessary. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 15 The standard command line syntax for all ThunderBYTE Anti-Virus commands is: COMMAND [<path>][<filename>] [<option>] [<option>] where <path> and <filename> is where you want the command to execute and <option> is the specific option you want to use. For example, the following command executes a virus scan on all executable files in the root directory of drive C: and all subdirectories and skips the boot sector scan: TBSCAN C:\ NOBOOT 1.1.6 Getting Help TBAV enables you to get help at any time, whether you are working from the menu or the DOS prompt. Getting Help From the Menu To get help at anytime while working from the TBAV menu, follow these steps: 1. From the Main Menu, select Documentation. 2. From the Documentation menu, select TBAV User Manual. 3. Use the up and down arrow keys and Page Up and Page Down to move through the manual. 4. Press ESC to exit the manual. TIP: Instead of using the internal file viewer to view the User Manual, you can substitute your own favorite viewer. See the Configuring TBAV section later in this chapter for details. Getting Help at the DOS Prompt To get help about proper syntax when working with individual TBAV utilities, do one of the following: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 16 Type the name of the command followed by a question mark (?), TBSCAN ?, for example. Some commands (TbClean, TbDel, and TbUtil) display the Help screen if you type the command name only. Each command also displays the help screen if you issue the command with an invalid option. 1.1.7 Configuring TBAV The choices you made when installing the TBAV utilities might need a little fine tuning. You might want to edit AUTOEXEC.BAT, as mentioned earlier, for example, or you might want to edit TBSTART.BAT file, which AUTOEXEC.BAT executes. Additionally, you might want to change how TBAV operates within the menu interface. This section explains how you can configure the TBAV utilities and use them the way you prefer. The following sections explain how to customize TBAV. NOTE: After making certain changes and then initializing and rebooting your system, TBAV needs to be "trained" as it encounters new TSR's. NOTE: Options that have a check mark beside them indicate that they are selected. Options may be toggled by selecting: the highlighted letter, clicking on them with your mouse or moving the highlight bar with your cursor keys and then pressing Enter. +-----Main menu-----+ | Confi+----------TBAV configuration---------+ | TbSca|v Use colors | | TbSet| Save configuration to TBAV.INI | | TbUti| File view utility | | TbCLe|v Wait after program execution | | Virus| Show command line before executing | | TBAV |v Edit path string before scanning | | Docum+-------------------------------------+ | Register TBAV | | About | | Quit and save | | eXit (no save) | +-------------------+ The "Use Colors" Option TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 17 If you disable this option, that is, select it so the check mark disappears, TBAV appears in monochrome mode, which is convenient for use on laptop and notebook computers. When you select the Configure TBAV option from the Main Menu, the Configuration menu appears: The "Save Configuration to TBAV.INI" Option When you select this option, TBAV saves all configuration values set within the TBAV menu in the TBAV.INI file. The next time you load the TBAV utilities, these configuration values take effect. These values apply to the TBAV menu itself and the utilities TbSetup, TbScan and TbClean. Although you can edit the TBAV.INI file manually, we recommend that you allow the TBAV menu to do it. By default, the contents of the TBAV.INI file are valid only while using the TBAV menu shell. You can, however, enable the Use TBAV.INI file options (or specify the USEINI switches in the TBAV.INI file itself) for each of the TBAV utilities. For example, to use the settings in TBAV.INI with TbScan, you would follow these steps: 1. Select TbScan from the Main Menu. This displays the TbScan Menu. 2. From this menu, select the Options Menu option. 3. From this menu, select the Use TBAV.INI option and notice that a check mark appears beside it. After selecting this option, TbScan also uses the TBAV.INI when you run TbScan from the DOS prompt. The same is true if you select this option for TbSetup and TbClean. CAUTION: Be careful, since command line options do NOT undo TBAV.INI settings. TBAV creates a TBAV.INI file when enabling this option for the first time. This file lists all valid configuration switches. Additionally, a semicolon precedes disabled switches. The "File View Utility" Option TbSetup and TbScan generate a data file and a log file respectively. By default, you can view these files, as well as the TBAV documentation mentioned earlier, from the TBAV menu using TBAV's internal file view utility. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 18 If you prefer, however, you can specify your own file viewing utility. To do this, follow these steps: 1. Press F to select the File View Utility option. 2. Type in the complete path and the file name, including the extension, of the utility you want to use (e.g., C:\DIRNAME\VIEWER.EXE), and press ENTER. The "Wait After Program Execution" Option If you enable this option, TBAV displays the message "Press any key to return to the TBAV menu..." after executing an external utility. The "Show Command Line Before Executing" Option Enabling this option forces TBAV to display the DOS command that loads the external file viewing utility. This option comes in handy for enabling you to see the command(s) you specified before. After pressing ENTER, TBAV then executes the DOS commands. The "Edit Path String Before Scanning" Option If you enable this option, TBAV prompts you to edit or confirm the path to scan after you select Start Scanning from a scan menu. 1.2 Understanding TbSetup By way of analogy, if you think of TbScan as being the heart of TBAV, you can think of TbSetup as being the skeleton. TbSetup collects information from all software it finds on your system and places this information in files, one in each directory, named ANTI-VIR.DAT and uses this informati- on for integrity checking, program validation, and cleaning infected files. WARNING: NEVER, NEVER, NEVER use TbSetup when there is the slightest evidence of a virus on your system. Since TbSetup was run during the installation program, it is not really necessary for you to run it again. In fact, the less you run it the better. The only time you should run TbSetup again is in directories with TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 19 new or changed program files. Assume you just added a new program to your system, which installed into a new directory called NEWPRO. To run TbSetup on that new directory, you could execute one of the following procedures: From the TBAV Main Menu, select TbSetup, select Start TbSetup from the TbSetup Menu, type in C:\NEWPRO as the path to process, and then press ENTER. From the DOS prompt, enter TBSETUP C:\NEWPRO and press ENTER. See the "Using TbSetup" section in Chapter 3 for more information about using TbSetup. WARNING: NEVER, NEVER, NEVER use TbSetup when there is the slightest evidence of a virus on your system. 1.3 Understanding TbDriver TbDriver is a small memory resident (TSR) program that you must load before loading any of the other five TBAV memory resident programs, which include: TbScanX, TbCheck, TbMem, TbFile, and TbDisk. Chapter 3 fully explains all of these programs, but to conclude our earlier analogy, if TbScan is the heart of TBAV, and TbSetup is the skeleton, then TbDriver and the other TSRs are the muscles. They simply wait in memory until called into action. When they detect suspicious code or other irregularities, they immediately inform you and take appropriate action. TBAV Install places a call to TBSTART.BAT in your AUTOEXEC.BAT file so that all of these TSRs, except TbDisk, load automatically when you boot. For maximum security, we recommend that you allow these utilities to load and remain in memory. TIP: If you prefer, you can put the memory resident utilities listed in TBSTART.BAT in your CONFIG.SYS file. Remove the call to TBSTART.BAT from AUTOEXEC.BAT, and then use a DEVICE= command in CONFIG.SYS for each utility. Don't forget to use the full path and to specify the .EXE extension. If you are using DOS 5 or higher, you can load these utilities into upper memory using the LOADHIGH command in either TBSTART.BAT or CONFIG.SYS. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 20 1.4 Maintaining the System All systems need maintenance, and the TBAV utilities are no different. This section, therefore, describes how to maintain the TBAV utilities. 1.4.1 Maintaining ANTI-VIR.DAT Files Whenever you add, update or replace programs on your system, be sure to use TbSetup to generate or update their fingerprints in the ANTI-VIR.DAT files. See the Using TbSetup section earlier in this chapter and the Using TbSetup section in Chapter 3 for more information. 1.4.2 Creating a New Recovery Diskette There will be times when you will want to create a new recovery diskette. This will be necessary, for example, when you install a new version of DOS because this changes the boot sector. You should also do this if you change the configuration of your hard disk because this can affect the partition tables and the CMOS setup. You should prepare a new recovery diskette after all system modifications. See the Prepare a Recovery Diskette section in the next chapter for more information. 1.4.3 Getting Updates As new viruses emerge, which is almost daily, you need to replace TbScan's signature file (TBSCAN.SIG) periodically with a more up to date one. You can get the latest signature file from your local ThunderBYTE dealer. Subscribing to the ThunderBYTE update service at your local dealer is a convenient way to guarantee the delivery of each new update. You can also download the file directly from the ThunderBYTE support Bulletin Board Systems (BBS). To download updates, follow these steps: 1. Using your telecommunications program, dial the BBS phone number. 2. When the modem logs on, press the ESC twice to go to the ThunderBYTE On-line Service. 3. From the File Menu select Download Latest ThunderBYTE Anti-Virus Utilities . TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 21 4. Select the File Transfer Protocol "zmodem" or "ymodem" from the Protocol Menu to select the file protocol you want to use, and then begin your download procedure. Additionally, you can check with a local bulletin board regularly, as many of them offer updated versions of our software. We issue the standard complete release in an archive named: TBAVxxx.ZIP, where xxx represents the three-digit version number. The archive extension might vary on local bulletin boards using a different archive method. The release of TBAV for Windows is archived in a file named: TBAVWxxx.ZIP. Again, xxx represents the three-digit version number of TBAV for Windows. The same holds for the release of TBAV for Networks; it is distributed in a file called TBAVNxxx.ZIP. To maintain the highest reliability, the Dutch and US ThunderBYTE support sites issue regular beta releases, also containing only the files that have changed. You can identify beta versions by a B in the filename, such as TBAVBxxx.ZIP. The resident ThunderBYTE Anti-Virus utilities are also available in processor optimized formats. These processor optimized versions, named TBAVXxxx.ZIP, are for registered users only. You can buy these versions through your local ThunderBYTE dealer. NOTE: The ThunderBYTE Anti-Virus utilities currently support several languages, by means of separate language files. Check your local ThunderBYTE dealer for the availability of the TBAV support file in your language. 1.4.4 Maintaining a Network Since you should replace the signature file TBSCAN.SIG frequently, this can turn into much work if you have to update all workstations on a network manually. Fortunately, there are several possibilities to do this job automatically. Using the TbLoad Utility The TbLoad utility that ships with TBAV for Windows is used to automatically update the existing ThunderBYTE Anti-Virus software TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 22 installed on your system. Please refer to the section about TbLoad in the TBAV for Windows documentation. Using the DOS REPLACE Command Maintain a directory \TBAV_UPD\ on a public server drive and place any new version of the TBAV utilities or any new signature file (TBSCAN.SIG) in this directory. The workstations should execute a batch file automatically after users login on the network. This batch file should contain the following lines: REM UPDATE TBAV IF A NEW RELEASE IS AVAILABLE. REPLACE X:\TBAV_UPD\*.* C:\TBAV /U /R REPLACE X:\TBAV_UPD\*.* C:\TBAV /A /R REPLACE is a standard DOS utility. If the /U option is specified, it copies the files specified by the first parameter ONLY if they are newer than the files specified in the second parameter. The /A option makes sure that REPLACE copies files that do not yet exist in the destination directory (specified by the second parameter). Make sure REPLACE is in the current path, and that the specified paths are valid for your configuration. The x in the above example represents the drive letter of the public server drive. Using this technique, you only have to update one drive with the new signature file or anti-virus software; all workstations will then update themselves when users login! You can also add the /S option if you want REPLACE to scan all directories on the workstations drives for matching files. Please consult your DOS Operating System manual for more details. WARNING: Don't forget to execute TbSetup on the new utilities in the X:\TBAV_UPD directory, thus ensuring that the REPLACE command also copies the new ANTI-VIR.DAT file. 1.4.5 Using the PKUNZIP Utility Maintain a directory \TBAV_UPD\ on a public server drive and place any new version of the TBAV utilities or any new signature file (TBSCAN.SIG) in this directory. The workstations should execute a batch file automatically after users login on the network. This batch file should contain the following lines: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 23 REM UPDATE TBAV IF A NEW RELEASE IS AVAILABLE. PKUNZIP -N -O X:\TBAV_UPD\TBAV???.ZIP C:\TBAV Make sure the file PKUNZIP.EXE is in the current path, and that the paths specified are valid for your configuration. Following this procedure, the PKUNZIP command comes into action only when you just updated the ZIP files in the X:\TBAV_UPD directory. Now you only have to update one drive with the new anti-virus software, and all workstations update themselves when users login. WARNING: If you did not create a Recovery Diskette during installation, we recommended that you do so. See the "Create a Recovery Diskette" section in Chapter 2 for instructions on how to do this. The example setups assume you have created such a recovery diskette. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 24 2 Defining Your Anti-Virus Strategy In this chapter, you learn how to accomplish two things: how to protect yourself against virus infection, and how to recover from virus infection. We recommend you read this chapter because it contains several useful tips. 2.1 Protecting Yourself Against Virus Infection Maintaining a reliable safety system implies that you actively take measures to protect your system from virus infection, since some viruses can hide themselves perfectly once resident in memory. TIP: At least once a week you should boot from a clean and write-protected diskette and execute TbScan to check your computer for virus infections. The tightness of your safety system really depends on two things: 1. The vitality of the appropriate computer system 2. The amount of time you want to invest to let the safety measures take place For example, on a standalone computer containing low risk data, and in an environment with little exchange of computer software, a daily scan is usually sufficient. For company use, however, in a network environment where users exchange diskettes frequently, where disks contain highly vulnerable information, and where a network going down means the loss of an extensive amount of money, protection must be as tight as the organization can practically handle. With this in mind, it's impossible to define one strategy for system protection that will work for everybody. It all depends on your demands and possibilities. The TBAV utilities, however, are extremely flexible and enable you to define your own strategy, one that will work for your special needs. Although the following six basic precautions are NOT intended to be a complete protection system, they do provide a foundation on which you can build your own strategy. 1. Install TBAV on your hard disk TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 25 You can customize the installation to suit your specific needs. Be sure to use TbSetup to maintain recovery information of all executable files of your system! Refer to the Installing the TBAV Utilities section in Chapter 1 for details. The following examples assume that all utilities reside in the default directory \TBAV. All example setups require that TbSetup is running. If your system has more hard disks or disk partitions, you should repeat the TbSetup invocation for every drive or partition. TIP Remember that you can use the ALLDRIVES and ALLNET options to make TbSetup process all local respectively remote non-removable drives. Furthermore, the example setups assume you have created a recovery diskette. 2. Prepare a recovery diskette It is imperative to have a clean recovery diskette to recover from virus infection. If you didn't create a recovery diskette during the TBAV installation, take a few minutes to prepare one now. Later, when a virus infects your system, it's too late! To create a recovery diskette, follow these steps: 1. Insert a new diskette in drive A:, and then change to the DOS directory by typing CD \DOS and pressing ENTER. 2. Type FORMAT A: /S, and press ENTER. The /S switch copies the DOS system files to the disk so you can boot the computer with it. 3. Type COPY SYS.COM A: and press ENTER. This copies the SYS.COM program, which is the program that DOS uses to copy its system files to a disk. 4. Type CD \TBAV to return to the TBAV directory. 5. Type MAKERESC A: and press ENTER to create a recovery disk in drive A. WARNING: If your computer has two floppy disk drives, be sure you know which one is drive A and create your recovery disk there. A PC never tries to boot from drive B. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 26 The MAKERESC.BAT procedure creates a reliable recovery diskette by creating or copying the following: - A backup of the boot sector, partition sector and CMOS configuration. - A CONFIG.SYS file, containing: FILES=20 BUFFERS=20 DEVICE=TBDRIVER.EXE DEVICE=TBCHECK.EXE FULLCRC - An AUTOEXEC.BAT file, containing: @ECHO OFF ECHO OFF PATH=A:\ TBAV CLS ECHO WARNING!!! ECHO IF YOU SUSPECT A VIRUS, DO NOT EXECUTE ANYTHING FROM THE HARD DISK! - The following files: TBAV.EXE TBAV.LNG TBSCAN.EXE TBSCAN.LNG TBSCAN.SIG TBDRIVER.EXE TBDRIVER.LNG TBCHECK.EXE TBCLEAN.EXE TBUTIL.EXE TBUTIL.LNG 6. Copy to the diskette any other utilities that could come in handy in an emergency, such as a simple editor to edit CONFIG.SYS and AUTOEXEC.BAT files. If your hard disk needs special device drivers to unlock added features, such as DoubleSpace or Stacker, copy the appropriate drivers to the recovery diskette and install them in the CONFIG.SYS file on drive A:, being careful to avoid statements that access the TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 27 hard disk. Be sure to check the instructions in the device driver's manual for the correct procedures. CAUTION: If you are using the text editor that ships with DOS 5.0 or later, be sure to not only copy the file EDIT.COM to drive A:, but also QBASIC.EXE, which EDIT.COM uses. 7. Make sure you write protect your recovery disk. Now label it "Recovery Disk" and include on the label the identification of the PC to which the diskette belongs. Store the diskette in a safe place. TIP: For additional security, make another recovery diskette and store it in a separate location. 3. Prevent the Installation of Unauthorized Software Many companies do not allow employees to install or execute unauthorized software. Similarly, perhaps you want to keep family members from invading your computer with haphazard games and sundry software. TBAV provides a watchdog function that can help to enforce this. Follow these steps: 1. First you need to add the following lines to the CONFIG.SYS file: DEVICE=C:\TBAV\TBDRIVER.EXE DEVICE=C:\TBAV\TBCHECK.EXE SECURE Alternately, if you are using the TBSTART.BAT file, then you would add the following two lines to it: C:\TBAV\TBDRIVER C:\TBAV\TBCHECK SECURE 2. Run TbSetup on the system by typing "TBSETUP ALLDRIVES" and pressing ENTER. 3. Reboot the system. From now on, TbCheck puts an effective clamp on any user who tries to execute software that TbSetup has not duly authorized first. Whenever someone is trying to execute an unknown program, TBAV displays the following message: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 28 +-----------TBAV Interception-----------+ | The requested program (GAME.EXE) | | is not authorized and can not be | | executed. | | Execution cancelled! Press any key... | +---------------------------------------+ 4. Restrict User Access Most of the TBAV utilities are interactive; that is, they communicate with a knowledgeable user to establish appropriate action in ambiguous situations. Many companies, however, insist that the system operator be the sole authority allowed to communicate with TBAV, and so avoid wrong doing by possibly inept employees. It is for this very reason that most of the TBAV utilities support the SECURE option. When you specify this option, TBAV suspends all user interaction with the utilities. In other words, TBAV never asks users for permission to allow questionable operations, avoiding erroneous decisions that might well result in irreparable havoc. This option also prevents the user from disabling or unloading the TBAV utilities. 5. Never Use "Strange" Diskettes to Boot Boot only from your hard disk or from your original DOS diskette. NEVER use someone else's disk to boot the computer. If you have a hard disk, make certain that the door to your floppy drive is open before resetting or booting the machine. 6. Run the DOS CHKDSK Command Often Use the DOS program CHKDSK frequently (without the /F switch). CHKDSK can sometimes indicate the presence of a virus simply because some viruses change the disk structure incorrectly, thereby causing disk errors in the process. Look out for changes in the behavior of your software or your PC. Any change in their behavior is suspect, unless you know its cause. Some highly suspicious symptoms are: A decrease in the amount of available memory space. CHKDSK should report 655,360 total bytes of memory. Programs require more time to execute. Programs do not operate as they used to, or they cause the system to crash or reboot after some time. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 29 Data mysteriously disappears or becomes damaged. The size of one or more programs has increased. The screen behaves strangely or displays unusual information. CHKDSK detects many errors. TIP: You can also instruct TbScan to mimic the behavior of the DOS command CHKDSK. Simply execute TbScan with the fatcheck option enabled. For example, if you want TbScan to scan your C: and D: drive once a day, and to check the integrity of those disks, place the following command in your AUTOEXEC.BAT file: TbScan C:\ D:\ FATCHECK ONCE 2.2 Recovering from Virus Infection This section presents some tips on how to clean your computer system when it is has been compromised by a virus. 1. Backup Your Data The very first thing to do when you realize that your system might be infected is to back up all important files immediately. Label the new backup as unreliable, since some of the files might be infected. CAUTION: Use fresh backup media and do not overwrite a previous backup set. You might need the previous set to replace lost or contaminated files. 2. Boot From a Recovery Diskette When you become aware of a virus infection, it is imperative that you boot only from a reliable, write protected recovery system diskette. 3. Know the Symptoms of a Virus Now execute TbScan for an indication of what is wrong, or boot from a recovery diskette and compare its system files with those on the hard disk to check for changes. During this test you should take care to stay logged onto your system diskette. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 30 TbScan reports the virus name if it knows the virus, or it gives a summary of file changes if it can't identify the virus. If you use the command line below, for example, TbScan processes all non-removable drives and prints the results of the scan process to the printer. TBSCAN ALLDRIVES LOGNAME=LPT1 LOG Also run TbUtil, to check the boot sector, partition code and the CMOS configuration, using the following command: TBUTIL COMPARE WARNING: To prevent a virus from invading the system's memory and possibly masking the test results, do not execute any program on your hard disk. TbCheck warns you if you accidentally try to execute an infected or unauthorized program on your hard disk. Remember that it is in the nature of a file virus to infect as many programs as possible over a short period. You ll seldom find only a few programs on a hard disk to be infected. A TbScan virus alert that flags a mere one percent of the files on a hard-worked system is probably just a false alarm that has nothing to do with a real virus. In other words, if the file compare test indicates that all of them are still the same, you know at least that you are not dealing with a file virus. Avoid using the same copy of the TbScan program on another system after discovering a virus. Like any other program file, TBSCAN.EXE itself can become infected! To check infections of the TbScan program, the program performs a sanity check when it runs. Unfortunately, there is no way to make software 100% virus-proof. A sanity check does not work if a stealth-type virus is at work. A stealth virus can hide itself completely when you run a self-check. In case you are wondering, this is not a bug in TbScan. The failure to detect stealth viruses is common to all software that performs a sanity check. We, therefore, recommend that you keep a clean version of TbScan on a write-protected diskette. Use this diskette to check other machines once you have found a virus on your system. 4. Identify Virus Characteristics TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 31 Viruses come in many different guises and have their own peculiarities. It is extremely important to know at the earliest possible stage which particular kind of virus you are dealing with. This gives you at least some indication of the nature and the amount of the damage it might have caused already. Some viruses infect only executable files that you can easily reinstall or replace from a clean source. Others swap some random bytes anywhere on the hard disk, which could affect data files as well, although the results might not be noticeable for some time. Then there are those viruses that damage the hard disk partition table or file allocation table. Some of the even nastier viruses, the so-called multipartite viruses, operate in more than one area. Once you isolate the virus, either contact your support BBS, consult literature on virus problems, or get in touch with a virus expert. WARNING: Whatever you do, DON'T PANIC! An inexperienced user, reacting in confusion, can often create more havoc than the virus itself, such as blindly eradicating important data. While an instant reformat might get rid of the virus, it will definitely destroy all your recent work as well. 5. Restore the System Again, while recovering from a virus infection, it is particularly important to boot only from a clean write-protected system diskette. This the only way to keep a virus out of the system's memory. Never execute a program from the hard disk. Using the SYS command on the system or recovery diskette, restore the master boot sector and the DOS system files to the hard disk. If the boot sector or partition code contains a virus, you can also use the following command to get rid of it by restoring clean sectors: TBUTIL RESTORE WARNING: Many modern hard disks, notably IDE or AT drives using advanced pre-formatting methods, are low-level formatted by the manufacturer, ready for partitioning and a DOS format. NEVER try to low-level format these drives yourself. Doing so can ruin the drive. It is always better to back up the partition table with a utility such as TbUtil, which restores the partition table for you without reformatting. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 32 If TBAV identifies the virus as a file virus, the safest course is to remove the infected files (using TbDel) and to copy or reinstall all executables from a CLEAN source. A virus cleaning utility, such as TbClean, won't always be able to fully restore the original program code, so use this only as a last resort, such as when you don't have a reliable backup. It might be necessary to replace data files as well if the virus is known to cause damage in that area. CAUTION: After reassuring yourself that the system is absolutely clean again, run a careful check on all diskettes and backups to remove every single trace of the virus. Keep in mind that it takes only one infected diskette to reacquire the problem. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 33 3 Using the TBAV utilities This chapter fully describes each of the TBAV utilities. For quick reference, we will present each utility using at least three sections: Understanding the utility, Working with the utility, and Maximizing the utility. Most discussions also include a fourth section: Understanding the utility's operating process. 3.1 Using TbSetup Even though TbSetup does not take an active part in actual virus detection or cleaning, it is nonetheless an indispensable tool in adding support to the rest of the ThunderBYTE Anti-Virus utilities. TbSetup organizes control and recovery information, thereby giving extra power to the other utilities. It gathers information, mainly from program files, into a single ANTI-VIR.DAT reference file, one in each directory. NOTE: See the "Understanding ANTI-VIR.DAT Files" section at the end of this chapter for a fuller explanation of these files. 3.1.1 Understanding TbSetup Although the ThunderBYTE utilities can work perfectly well without the ANTI-VIR.DAT files, we recommend that you have TbSetup generate these files. TBAV uses these files for several purposes: TbScan and the memory resident TbCheck program perform an integrity check while scanning if it can detect the ANTI-VIR.DAT file. If a file becomes infected by a virus, the information in the ANTI-VIR.DAT file will not match the actual file contents, and TbScan and TbCheck will inform you that the file has been changed. The TbSetup program recognizes some files that need special treatment. An example of such a file is a disk image file of a network remote boot disk. You should completely scan such a file, which actually represents a complete disk. TbSetup puts a mark in the ANTI-VIR.DAT file to ensure that TbScan scans the entire file for all viruses. Once a file becomes infected, TbClean can reconstruct the original file. The information in the ANTI-VIR.DAT file will be of great help TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 34 to TbClean. TbClean can cure some infected programs only if there is information about the program in the ANTI-VIR.DAT file. TbCheck (a tiny resident integrity checker) has no purpose if there are no ANTI-VIR.DAT files on your system. The resident TBAV utilities need the ANTI-VIR.DAT files to maintain permission information. Without ANTI-VIR.DAT files you can't prevent false alarms other than by disabling a complete feature. NOTE: Be aware that the ANTI-VIR.DAT directory entries have by default the attribute hidden and therefore do not show up when you use standard directory commands. You can see the filenames only with the help of special utilities or with the DOS 6 command DIR AH. 3.1.2 Working with the TbSetup Menu This is the one program where the rule applies: The less you use the program, the better your protection against viruses! Why? Keep in mind that an ANTI-VIR.DAT file stores vital information needed to detect a virus, as well as data for subsequent recovery and for cleaning. Consider, then, what would happen if you were to execute TbSetup after a virus entered the system. The information in the ANTI-VIR.DAT file would be updated to the state of the infected file, wiping out all traces of data needed to reconstruct the original file to its uninfected state. WARNING: NEVER, NEVER, NEVER, use TbSetup when there is the slightest evidence of a virus on your system. Once TbSetup generates ANTI-VIR.DAT files as part of the initial setup, you should confine any subsequent use of TbSetup to directories with new or changed program files. Now we will explore these menu options. Selecting the "TbSetup" option from the Main Menu displays the following menu: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 35 +-----Main menu------+ | Confi+-----TbSetup menu------+ | TbSca| Start TbSetup | | TbSet| Options menu >| | TbUti| Flags menu >| | TbCLe| Data file path/name | | Virus| View data file | | TBAV +-----------------------+ | Documentation >| | Register TBAV | | About | | eXit (no save) | | Quit and save | +--------------------+ The "Start TbSetup" Option Select this option only after you complete your selection of other options on this menu and other sub-menus. When you select this option, the "Enter disk / path / file(s) to process:" window appears. Type in the drive and directory you want to setup and press ENTER. The "Options Menu" Option Selecting this option displays the following menu: +-----Main menu------+ | Confi+-----TbSetup menu------+ | TbSca| Start+-----------TbSetup options----------+ | TbSet| Optio| Use TBAV.INI file | | TbUti| Flags| Prompt for pause | | TbCLe| Data | Only new files | | Virus| View | Remove Anti-Vir.Dat files | | TBAV +-------| Test mode (Don't change anything) | | Documentation|v Hide Anti-Vir.Dat files | | Register TBAV| Make executables readonly | | About | Clear readonly attributes | | Quit and save|v Sub-Directory scan | | eXit (no save+------------------------------------+ +--------------------+ Use TBAV.INI file. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 36 By enabling this option, the TbSetup configuration values, saved in the TBAV.INI file, will also apply when loading TbSetup from the command line. CAUTION: If you specify options in the TBAV.INI file, you cannot undo them on the command line. Prompt for pause. When you specify this option, TbSetup stops after it processes the contents of one window. This enables you to examine the results. Only new files. Use this option if you want to add new files to the ANTI-VIR.DAT database but prevent the information of changed files from being updated. Updating the information of changed files is dangerous because if the files are infected, the information to detect and cure the virus is overwritten. This option prevents the information from being overwritten but still allows adding information of new files to the database. Remove ANTI-VIR.DAT files. If you want to stop using the ThunderBYTE utilities you do not have to remove all the ANTI-VIR.DAT files yourself. By using this option TbSetup neatly removes all ANTI-VIR.DAT files from your system. Test mode (Don't change anything). Use this option if you want to see the effects of an option without the risk of activating something you don't want to activate. This option instructs the program to behave as it normally would but not change or update anything on your hard disk. Hide ANTI-VIR.DAT files. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 37 The ANTI-VIR.DAT files are normally not visible in a directory listing. If you prefer them to be visible, disable this option. NOTE: Be aware that this option applies only for new ANTI-VIR.DAT files Make executables read-only. Since TbFile permanently guards the read-only attribute, we recommend that you make all executable files read-only to prevent any modifications on these files. TbSetup automatically does this job for you if you enable this option. TbSetup recognizes files that you should not make read-only. Clear read-only attributes. Use this option to reverse the "Make executables read-only" operation. If you enable this option, TBAV clears all read-only attributes on all executable files. Sub-Directory scan. By default, TbSetup searches sub-directories for executable files, unless you specify a filename (wildcards allowed). If you disable this option, TbSetup will not process sub-directories. The "Flags Menu" Option Selecting this option displays the following menu: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 38 +-----Main menu------+ | Confi+-----TbSetup menu------+ | TbSca| Start+-----TbSetup flags------+ | TbSet| Optio|v Use normal flags | | TbUti| Flags| Set flags manually | | TbCLe| Data | Reset flags manually | | Virus| View | Define flags >| | TBAV +-------+------------------------+ | Documentation >| | Register TBAV | | About | | Quit and save | | eXit (no save) | +--------------------+ NOTE: "Flags" refer to internal indicators, created by ThunderBYTE to signal internal file attributes. This menu contains the following options: Use normal flags. This is the default setting for TbSetup. Set flags manually. This option is for advanced users only. Using this option, you can manually set permission flags in the ANTI-VIR.DAT record. This option requires a hexadecimal bit mask for the flags to set; you can specify this bit mask by selecting one of more of the items listed in the "Define flags" sub-menu, which appears below. Reset flags manually. This option is for advanced users only. Using this option, you can manually reset permission flags or prevent flags from being set in the ANTI-VIR.DAT record. This option requires a hexadecimal bit mask for the flags to reset; you can specify this bit mask by selecting one or more of the items listed in the "Define flags" sub-menu, which appears below. Define flags. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 39 Selecting this option displays the changed following menu: +-----Main menu------+ | Confi+-----TbSetup menu------+ | TbSca| Start+-----TbSetup flags------+ | TbSet| Optio|v Use n+--Define flags to be--------+ | TbUti| Flags| Set f| 0001: Heuristic analysis | | TbCLe| Data | Reset| 0002: Checksum changes | | Virus| View | Defin| 0004: Disk image File | | TBAV +-------+-------| 0008: Read only sensitive | | Documentation >| | 0010: TSR program | | Register TBAV | | 0020: Direct disk access | | About | | 0040: Attribute modifier | | Quit and save | | 8000: Interrupt rehook | | eXit (no save) | +----------------------------+ +--------------------+ Selecting one or more of these options accomplishes the following: 0001: Heuristic analysis. Programs with the 0001 flag will not be heuristically scanned. 0002: Checksum changes. Programs with the 0002 flag will not be checked for file changes. 0004: Disk image File. Files with this flag contain a disk layout and are checked completely. 0008: Read only sensitive. Files with this flag cannot be changed to read-only. 0010: TSR program. Programs with this flag have permission to stay resident in memory. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 40 0020: Direct disk access. Programs with this flag have permission to write directly to the disk. 0040: Attribute modifier. Programs with this flag have permission to change program attributes. 8000: Interrupt rehook. After a program with this flag starts, TbDriver should rehook interrupts. The "Data File Path Name" Option TbSetup searches for "special" files by using a file named TBSETUP.DAT. You can use this option to specify another path or filename that contains a list of special files. Select the option, and then enter the name (and path if necessary) of the data file you want to use. The "View Data File" Option Selecting this option displays the TBSETUP.DAT file on the screen for your viewing. Use the cursor movement keys to move through the file. TIP: Instead of using the internal file viewer to view the User Manual, you can substitute your own favorite viewer. See the "Configuring TBAV" section in Chapter 1 for details.. 3.1.3 Maximizing TbSetup Now that you know how to use TbScan's menus, you can more easily understand how to maximize its performance by using command line options. The following table summarizes these options: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 41 option parameter short explanation ------------------ ----- ---------------------------------------- help he help pause pa enable "Pause" prompt mono mo force monochrome output nosub ns skip sub-directories newonly no do not update changed records alldrives ad process all local fixed drives allnet an process all network drives remove rm remove ANTI-VIR.DAT files test te do not create / change anything nohidden nh do not make ANTI-VIR.DAT files hidden readonly ro set read-only attribute on executables nordonly nr remove / do not set read-only attribute set=<flags> se set flags reset=<flags> re reset flags / do not set flags datfile=<filename> df specify the data file to be used The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option. help (he). Specifying this option displays a short list of available options, as listed above. pause (pa). Specifying this option stops after processing the contents of one window. This enables you to examine the results. mono (mo). This option enhances the screen output on some LCD screens or color-emulating monochrome systems. nosub (ns). By default, TbSetup searches sub-directories for executable files, unless you specify a filename (wildcards allowed). If you specify this option, TbSetup will not process sub-directories. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 42 newonly (no). Use this option if you want to add new files to the ANTI-VIR.DAT database but prevent the information of changed files from being updated. Updating the information of changed files is dangerous because if the files become infected, the information to detect and cure the virus is overwritten. This option prevents the information from being overwritten but still allows adding information of new files to the database. alldrives (ad). If you want TbSetup to process all local non-removable drives you can specify this option. Except for the initial execution, it isn't a good idea to use this option. allnet (an). Specify this option if you want TbSetup to process all network drives. WARNING: Except for the initial execution of the TBAV utilities, it isn't a good idea to use the "allnet" option remove (rm). If you want to stop using the ThunderBYTE utilities, you do not have to remove all the ANTI-VIR.DAT files manually. By using this option, TbSetup neatly removes all ANTI-VIR.DAT files from your system. test (te). Use this option if you want to see the effects of an option without the risk of activating something you don't want to activate. If you specify this option, the program behaves as it would normally but does not change or update anything on your hard disk. nohidden (nh). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 43 The ANTI-VIR.DAT files are normally not visible in a directory listing. If you prefer the ANTI-VIR.DAT files to be visible, use this option. NOTE: Be aware that the "nohidden" option applies only for new ANTI-VIR.DAT files readonly (ro). Since, TbFile permanently guards the read-only attribute, we recommend that you make all executable files read-only to prevent any modifications on these files. TbSetup automatically does this job for you if you use this option. TbSetup recognizes files that you should not make read-only. nordonly (nr). This option reverses the operation of READONLY option. If you use this option, TbSetup clears the read-only attribute from all executable files. set (se). This option is for advanced users only. Using this option you can manually set permission flags in the ANTI-VIR.DAT record. This option requires a hexadecimal bit mask for the flags to set. For information about the bit mask consult the TBSETUP.DAT file. Option format: Set =<flags>; for example: Set = 0001. reset (re). This option is for advanced users only. With this option you can manually reset permission flags or prevent flags from being set in the ANTI-VIR.DAT record. This option requires a hexadecimal bit mask for the flags to reset. For information about the bit mask consult the TBSETUP.DAT file. Option format: Reset =<flags>; for example: Reset = 0001. datfile (df). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 44 After the datfile option you can specify the name of the data file to use. For the initial installation of TBAV, you could use the following command: TBSETUP ALLDRIVES Using the following command, you could specify which drives (C: and D:, for example) you want TbSetup to process: TBSETUP C:\ D:\ Since you did not specify a filename in the above command, TbSetup assumes that the specified path to be the top-level path. In other words, TbSetup processes all its sub-directories. If you do specify a filename, TbSetup processes only that path, not any subdirectories. You can use wildcards (the asterisk [*] or the question mark [?]) in the filename. You can use the NEWONLY option to prevent TbSetup from overwriting existing information. To help you remember that you need to run TbSetup again, the next time you run TbScan it displays either a small 'c' after the file to indicate a new file or a capital 'C' if a file has simply been changed. If you add a new file called TEST.EXE to your directory C:\TESTING, you should execute the following command: TBSETUP C:\TESTING\TEST.EXE If you install a new product in a new directory, C:\NEW, you should use the following command: TBSETUP C:\NEW 3.1.4 Understanding TbSetup's Operation TbSetup divides the screen into three windows: an information window displaying data file comments across the top of the screen, a scanning window on the left, and a status window on the right. The lower left window lists the names of the files being processed, along with file specific information in the following way: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 45 TEST.EXE 01234 12AB23CD Added * 0001 | | | | | | | | | | | | | | | | | 'flags' set for this file | | | | indicates 'special' file | | | action performed | | 32-bit CRC (checksum) | file size in hexadecimal number name of file in process Do not be concerned if the information flies too fast for you to read, or if it puzzles you. These details are provided purely for diagnostic use. The scanning window also displays an action performed field, which indicates whether an entry in the ANTI-VIR.DAT was added, changed or updated: Added. Means that there was no previous entry for this file in the ANTI-VIR.DAT record and that a new entry was added. Changed. Means that there was an existing entry but the file has been changed and ANTI-VIR.DAT information was updated. Updated. Means that there was an ANTI-VIR.DAT record and the file was found to be unchanged. TbSetup did, however, change some of the program's permission flags, due to either an entry in the TBSETUP.DAT file or in compliance with a SET or RESET option. TIP: You can abort TbSetup at any time by pressing Ctrl+Break. 3.1.5 Understanding TBSETUP.DAT Files Although the ThunderBYTE utilities perform well on almost every file without extra help, there are some files that need special attention. TbSetup uses information collected in the TBSETUP.DAT data file, to flag TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 46 these special files in the ANTI-VIR.DAT file. The other ThunderBYTE utilities then use this information to determine how they should treat such a "special" file. Some programs maintain configuration information inside the executable file (EXE, COM) itself. Whenever you change the configuration of these programs, the executable file changes as well, along with its checksum. As a result, the new checksum no longer matches the one stored in the TBSETUP.DAT file. Since some TBAV utilities use this checksum information to verify integrity or cleanup results, they need to know when a file's checksum is allowed to change. TbScan can use generic detection methods such as "heuristic" analysis to detect unknown viruses. Since heuristic analysis implies inevitable false alarms when a file looks like a virus, TbScan might have to decide not to do a heuristic analysis on such a program. Some of the TBAV utilities guard the read-only attribute and ensure that it can be removed only with the user's explicit permission. A few programs, however, refuse to run properly with the read-only attribute set. TbScan's default scanning method performs perfectly well with just about any file, but there are some that need special analysis. Such a file is the Novell NET$DOS.SYS file, which is not a device driver as the filename extension suggests, but a disk image of the bootable disk. You should, therefore, scan it completely for all signatures, including COM and BOOT. The resident monitoring utilities of the TBAV package detect all sorts of virus-specific behavior. Some programs, even though they might act like a virus, are still perfectly normal and should be permitted to execute without TBAV interference. You need not worry if you discover that a few files will be excluded from heuristic analysis. TBAV still scans these files in the conventional way for signatures. Furthermore, TBAV will not grant heuristic exclusion unless a file exactly matches its entry in the TBSETUP.DAT file, including its name, size, and 32-bit CRC checksum. This safety feature eliminates security holes effectively, since if a listed file is already infected, its checksum won't match the 32-bit CRC in the TBSETUP.DAT file and the exclusion does not apply. By the same token, if a program becomes infected at a later date, the result is a change in at least one of its characteristics, so the record in the ANTI-VIR.DAT file no longer matches and the file will be subject to full heuristic analysis like any other. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 47 3.2 Using TbScan TbScan is the program you will most likely use the most detect virus infections. 3.2.1 Understanding TbScan TbScan is a scanner which has been specifically designed to detect viruses, Trojan Horses and other such threats to your valuable data. Most viruses consist of a unique sequence of instructions, called a signature. By checking for the appearance of such signatures in a file we can find out whether a program has been infected. Scanning all program files for the signatures of all known viruses helps you to find out quickly whether your system has been infected and, if so, by which virus. Understanding TbScan involves understanding three main features of the program. Fast Scanning TbScan is the fastest scanner on the market today. It, therefore, invites you to use it from within your AUTOEXEC.BAT file every morning. Thanks to its design, TbScan does not slow down if the number of signatures increases. It doesn't matter whether you scan a file for 10 or a 1000 signatures. TbScan even checks itself upon launching. If it detects infection, it aborts and displays an error. This minimizes the risk of the TbScan program itself transferring a virus to your system. Heuristic Scanning TbScan can detect unknown viruses. The built-in disassembler is able to detect suspicious instruction sequences and abnormal program layouts. This feature is called "heuristic scanning" and is partially enabled by default. TBAV performs heuristic scanning on files and boot sectors. NOTE. Virus scanners can only tell you whether your system has been infected. By that time only a non-infected backup or a recovery program such as TbClean can properly counter a virus infection. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 48 Scan Scheduling Every PC owner should use a virus scanner frequently. It is the least one should do to avoid damage caused by a virus. We recommend that you devise your own schedule for a regular scan of your system. See Chapter 2 for details. We recommend the following scan sessions, to be used in combination with each other: Execute TbScan from write-protected bootable diskette once a week. Boot from this diskette before invoking the scanner. Booting from a clean diskette is the only way to make sure that no stealth virus can become resident in memory. Invoke a daily scan. You can invoke TbScan with the ONCE option from within the AUTOEXEC.BAT file to perform the daily scan session automatically, which is the default if you used the standard installation procedure for TBAV (see Chapter 1). It is not necessary to boot from the bootable TbScan diskette to perform the daily scan. Scan each new diskette. You should scan EVERY diskette you receive from a friend or acquaintance for viruses to ensure that a virus hasn't been included along with a copy of "a great game!" 3.2.2 Working with the TbScan Menus For daily use you can activate TbScan by loading the program from the DOS command line (e.g., in the AUTOEXEC.BAT file), or through the TBAV menu. For weekly use, when scanning from the TbScan diskette, you could use the DOS command. The Maximizing TbScan section of this chapter lists the TbScan DOS options. This section describes the use of the TbScan Menu, which is part of the TBAV menu. Taking each menu item in order, we ll explore the function of each. Selecting the "TbScan" option from the TBAV menu displays the following menu: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 49 +-----Main menu-----+ | Confi+----TbScan menu-----+ | TbSca| Start scanning | | TbSet| Options menu >| | TbUti| Advanced options >| | TbCLe| If virus found >| | Virus| Log file menu >| | TBAV | View log file | | Docum+--------------------+ | Register TBAV | | About | | Quit and save | | eXit (no save) | +-------------------+ The "Start Scanning" Option Selecting the "Start Scanning" option from the TbScan Menu displays one of the following "Path Menu" configurations: +-----Main menu-----+ | Confi+----TbScan menu-----+ | TbSca| Sta+---------Path menu---------+ | TbSet| Opt| Specified files/paths | | TbUti| Adv| Current directory | | TbCLe| If | Diskette in drive A: | | Virus| Log| Diskette in drive B: | | TBAV | Vie| All fixed Drives | | Docum+-----| All fixed Local drives | | Register TB| All fixed Network drives | | About +---------------------------+ | Quit and save | | eXit (no save) | +-------------------+ TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 50 +-----Main menu-----+ | Confi+----TbScan menu-----+ | TbSca| Sta+---------Path menu---------+ | TbSet| Opt| Specified files/paths | | TbUti| Adv| Current directory | | TbCLe| If | CD-ROM | | Virus| Log| Drive_a | | TBAV | Vie| Fullscan | | Docum+-----| Local | | Register TB+---------------------------+ | About | | Quit and save | | eXit (no save) | +-------------------+ The first menu configuration includes scan targets such as CD-ROM, Drive_a, etc. Primarily, TBAV for Windows uses these scan targets, but TbScan for DOS can also use them. If the TBAV menu finds one or more of these scan targets (the targets are really files with the filename extension SCN), the Path Menu will then display the list of available targets. If no such scan targets exist, the second Path Menu configuration will appear. NOTE: Please be aware that the actual menu items you come across in the Path menu might differ slightly, depending on your system configuration. The Path Menus list the following options: Specified files/paths. This option always presents you with a small prompt window in which you can specify the drives, paths, or even files you want to scan. You can specify multiple path specifications by separating each with spaces. This specification automatically initializes with the last path you scanned before you saved the configuration. Current directory. Select this option if you want to scan only the directory from which you started the TBAV menu shell. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 51 Diskette in drive A: or Diskette in drive B:. If you want to scan multiple diskettes, you might wish to activate the Repeat option of TbScan. See the TbScan Options Menu for more information. All fixed drives. This option instructs TbScan to scan all available drives (except the removable ones) completely. Depending on the settings in the TBAV configuration menu, TbScan prompts you to confirm the selected drives. All fixed Local drives. If you are on a network, you probably don't want to scan the entire network. Using this option you can scan just the drives that reside in your machine. Depending on the settings in the TBAV configuration menu, TbScan prompts you to confirm the selected drives. All fixed Network drives. Using this option you can scan all network drives. Depending on the settings in the TBAV configuration menu, TbScan prompts you to confirm the selected drives. The "Options Menu" Option Selecting the "Options Menu" option displays the following menu: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 52 +-----Main menu-----+ | Confi+----TbScan menu-----+ | TbSca| Start+------TbScan options-------+ | TbSet| Optio| Use TBAV.INI file | | TbUti| Advan| Prompt for pause | | TbCLe| If vi| Quick scan | | Virus| Log f| Maximum Compatibility | | TBAV | View |v Bootsector scan | | Docum+-------|v Memory scan | | Register TBAV| HMA scan forced | | About |v Upper memory scan | | Quit and save|v File scan | | eXit (no save|v Windows-OS/2-virus scan | +--------------|v Sub-Directory scan | | Repeat scanning | |v Abort on Ctrl-Break | | Sound Effects | |v Fast scrOlling | |v Large directories | | FAT checking | +---------------------------+ Taking each menu item in order, we ll explore the function of each. Use TBAV.INI file. TbScan searches for a file named TBAV.INI in the TBAV directory. By enabling this option, the TbScan configuration values, saved in the TBAV.INI file, will also be valid when loading TbScan from the command line. CAUTION: Be aware that if you specify options in the TBAV.INI, you cannot undo them when running TbScan from the command line. Prompt for pause. When you activate this option, TbScan stops after it checks the contents of each window. As each window fills with files, a "[More]" prompt appears at the bottom of the screen. Simply press any key to view the next list of files. Using this feature enables you to examine the results of the scan without having to consult a log file afterwards. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 53 Quick scan. This option instructs TbScan to use the ANTI-VIR.DAT files to check for file changes since the last scan. TbScan scans only those files that have changed (CRC change) or are not yet listed in ANTI-VIR.DAT. The other files are just checked for matching ANTI-VIR.DAT records. By default, TbScan always scans files (the quick scan option is not enabled by default). Maximum compatibility. If you select this option, TbScan attempts to be more compatible with your system. Use this option if the program does not behave as you would expect or if it halts the system. Be aware, however, that this option slows down the scanning process. Therefore, use it only when necessary. Be aware also that this option does not affect the results of a scan. Boot sector scan. Enabling this option forces TbScan to scan the boot sector. A boot sector is a certain part of a disk, which is used by the operating system to initialize itself. A special class of viruses (boot sector viruses) use this special part of a disk to infect your system. Memory scan. Enabling this option forces TbScan to scan the memory of the PC. HMA scan forced. By default, TbScan automatically detects the presence of an XMS-driver and scans the HMA. If you are using an HMA-driver that is not compatible with the XMS standard, you can use this option to force TbScan to scan HMA. Upper memory scan. By default, TbScan identifies RAM beyond the DOS limit and scans that memory. This means that it scans video memory and the current EMS. You can use this option to enable the scanning of non-DOS memory. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 54 File scan. By default, TbScan checks files for viruses. Removing the check mark disables file scanning. This option is particularly useful if, for example, you have been struck by a boot sector virus. In order to scan only boot sectors of your floppy disks, you can disable file scan using this option. Windows-OS/2-virus scan. By default, TbScan scans Windows and OS/2 files for viruses. Removing the check mark disables Windows and OS/2 file scanning. Subdirectory scan. By default, TbScan searches sub-directories for executable files, unless you specify a filename (wildcards allowed). If you disable this option, TbScan does not scan sub-directories. Repeat scanning. This option is very useful if you want to check a large number of diskettes. TbScan does not return to DOS after checking a disk, rather it prompts you to insert another disk in the drive. Abort on Ctrl-Break. If you don't want to be able to abort the scanning process by pressing Ctrl+Break, you can disable this option. Sound Effects. Checking this option enables an audible sound when TbScan detects a virus. Fast scrolling. TbScan displays processed files in a scrolling window, which scrolls in one of two methods: fast scrolling, in which the files appear on TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 55 top of the previous ones if the window becomes full, and the conventional slow method of scrolling, in which the files at the bottom "push up" the previous ones. By default TbScan uses the faster but less attractive method of scrolling. Large directories. If TbScan's directory table runs out of space, which is very unlikely, you can use this option to allocate a large directory table. Fat checking. If this option is specified, and TbScan is able to use its internal file system, it will check the disks for lost clusters, cross linked clusters, invalid cluster numbers, and invalid allocation sizes. These errors often indicate system problems and need to be corrected as soon as possible. Because TbScan needs to read the FAT and all directories anyway, it can perform this important check without using additional time. The "Advanced Options" Option When you select the Advanced Options option, the following menu is displayed: +-----Main menu-----+ | Confi+----TbScan menu-----+ | TbSca| Start+------TbScan advanced options-----+ | TbSet| Optio| High heuristic sensitivity | | TbUti| Advan|v Auto heuristic sensitivity | | TbCLe| If vi| Low heuristic sensitivity | | Virus| Log f| Non-executable scan | | TBAV | View | FAT info (fragmented files) | | Docum+-------| Extract signatures | | Register TBAV| Configure executable extensions | | About +----------------------------------+ | Quit and save | | eXit (no save) | +-------------------+ Let's now explore these options. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 56 High heuristic sensitivity. While TbScan always performs a heuristic scan on the files being rocessed, it reports a file as infected only if it is very probable that the file is infected. If you select this option, TbScan is somewhat more sensitive. In this mode, TbScan detects 90% of the new, unknown viruses without any signature. Be aware, however, that some false alarms might occur. Auto heuristic sensitivity. By default, TbScan automatically adjusts the heuristic detection level after it finds a virus. In other words, when TbScan finds a virus, it then goes on as if you had selected High heuristic sensitivity. This option provides you maximum detection capabilities in case you need it, while at the same time keeps false alarms at a minimum. Low heuristic sensitivity. In this mode TbScan almost never issues a false alarm. It still, however, detects about 50% of the new, unknown viruses. Non-executable scan. This option instructs TbScan to scan non-executable files (files with an extension other than COM, EXE, SYS, OV? or BIN) as well as executables. If TbScan finds out that such a file does not contain anything that the processor can execute, it skips the file. Otherwise TbScan searches the file for COM, EXE and SYS signatures. Be aware that TbScan does not perform heuristic analysis on non-executable files. Since viruses normally do not infect non-executable files, it is not necessary to scan non-executable files too. We recommend, in fact, that you NOT use this option unless you have a good reason to scan all files. Again, you must execute a virus before it can do what it was programmed to do, and since you do not execute non-executable files, a virus in such a file cannot do anything. For this reason viruses do not even try to infect such files. Some viruses, however, do write to non-executable files, but this is a result of "incorrect" programming. And even though these non-executable files contain corrupted data, they still won't harm other program or data files. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 57 FAT info (fragmented files). If this option is specified, TbScan displays the number of fragmented files after it has finished scanning. If the number of fragmented files is high, you can increase the system performance by using a disk optimizer. This option is only valid if the option 'fatcheck' has been specified, and TbScan is using its internal file system. Extract signatures. This option is available to registered users only. See the Using TbGenSig section in Chapter 4 for more information. Configure executable extensions. By default, TbScan scans only those files that have a filename extension that indicates that the file is a program file. Viruses that do not infect executable code simply do not exist. Files with the extension EXE, COM, BIN, SYS, and OV? (note the wildcard: the OV? specification includes files such as OVR and OVL) are considered executable. There are, however, some additional files that have an internal layout that makes them suitable for infection by viruses. Although it is not likely that you will ever execute most of these files, you might want to scan them anyway. Some filename extensions that might indicate an executable format include: .DLL (MS-Windows Dynamic Link Library), .SCR (MS-Windows screen saver file), .MOD (MS-Windows file), .CPL (MS-Windows Control Panel application), .00? and .APP. While infection of such files is not likely, you might want to scan them once in while. To force TbScan to scan these files by default, select this option and fill out the extensions you want TbScan to scan. For example, you can specify .DLL.SCR.CPL (with no spaces in between). You can also use the question mark wildcard. WARNING: Be careful which extensions you specify. Scanning a non-executable file, for example, causes unpredictable results, and might result in false alarms. The "If Virus Found" Option Selecting this option displays the following menu: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 58 +-----Main menu-----+ | Confi+----TbScan menu----+ | TbSca| Start+--What if a virus is found?-+ | TbSet| Optio|v Present action menu | | TbUti| Advan| Just continue (logonly) | | TbCLe| If vi| Delete infected file | | Virus| Log f| Kill infected file | | TBAV | View | Rename infected file | | Docum+-------+----------------------------+ | Register TBAV | | About | | Quit and save | | eXit (no save) | +-------------------+ Let's explore these options. Present action menu. This option (the default) instructs TbScan to display a menu listing four possible actions if it detects a virus: just continue, delete, kill or rename the infected file. Just continue (logonly). By default, if TbScan detects an infected file, it prompts you to delete or rename the infected file, or to continue without action. If you select this option, however, TbScan always continues. We recommend that you use a log file in such situations, since a scanning operation does not make much sense if you don't read the return messages (see the Log File Menu option below for further information). Delete infected file. By default, if TbScan detects a virus in a file it prompts you to delete or rename the infected file, or to continue without action. If you select this option, however, TbScan deletes the infected file automatically, without prompting you first. Use this option if you know your computer is infected by a virus and you want to erase all files the virus has infected. Make sure you have a clean backup and that you really want to get rid of all infected files at once. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 59 Kill infected file. This option is almost the same as the "Delete infected file" option with one major difference. The DOS UNDELETE command enables you can recover a deleted file, but if you delete the infected file using this "Kill" option, recovery is no longer possible. Rename infected file. By default, if TbScan detects a file virus it prompts you to delete or rename the infected file, or to continue without action. If you select this option, however, TbScan renames the infected file automatically, without prompting you first. By default, TbScan replaces the first character of the file extension by the character 'V'. It names an .EXE file, to .VXE, for example, and a .COM file to .VOM. This prevents the execution of infected programs and thereby spreading the infection. This also enables you to keep the files for later examination and repair. The "Log File Menu" Option You can use the "TbScan Log Menu" to handle the results of the scan process (write them to a file or to a printer, for example). The menu appears below, followed by a description of the options. +----Main menu-----+ | Confi+------TbScan menu------+ | TbSet| Start+-------TbScan LOG menu-------+ | TbSca| Optio| Log file path/name | | TbUti| Advan| Output to log file | | TbCLe| If vi| Specify log-level >| | TBAV | Log f| Append to existing log | | Docum| View | No heuristic descriptions | | Regis+-------| Truename filenames | | Quit and save+-----------------------------+ | eXit (no save) | +------------------+ Log file path/name. Using this option you can specify the name of the log file you want to use. TbScan creates the file in the current directory unless you specify a path and filename. If the log file already exists, TbScan TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 60 overwrites the file (unless you selected the "Append to existing log" option. If you want to print the results, you can specify a printer device name rather than a filename (LPT1 instead of C:\TBAV\TBSCAN.LOG, for example). CAUTION: To create the log file, you must select the "Output to log file" option. Output to logfile. When you select this option, TbScan creates a log file. The log file lists all infected program files, specifying heuristic flags (see Appendix B) and complete pathnames. Specify log-level. This option enables you to configure the actual contents of the log file using the following menu: +----Main menu-----+ | Confi+------TbScan menu------+ | TbSet| Start+-------TbScan LOG menu-------+ | TbSca| Optio| Log f+--------Log-level menu--------+ | TbUti| Advan| Outpu| 0: Log only infected files | | TbCLe| If vi| Speci|v 1: Log summary too | | TBAV | Log f| Appen| 2: Log suspected too | | Docum| View | No he| 3: Log all warnings too | | Regis+-------| Truen| 4: Log clean files too | | Quit and save+-------+------------------------------+ | eXit (no save) | +------------------+ These levels determine what kind of file information TbScan notes in the log file. The default log level is 1, but you can select one of five levels: 0: Logonly infected files. Specifies that if there are no infected files, do not create or change the log file. 1: Log summary too. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 61 Places a summary and time stamp in the log file, and specifies that TbScan put only infected files in the log file. 2: Log suspected too. This is almost the same as level 1, but TbScan also logs suspected files, files that would trigger the heuristic alarm if you specify the "High heuristic" sensitivity option. 3: Log all warnings too. This level is an extension of the previous level. It specifies that TbScan log all files that have a warning character printed behind the filename. 4: Log clean files too. This places the information of all files being processed into the log file. Append to existing log. If you select this option, TbScan appends new information to the existing log file instead of overwriting it. If you use this option often, we recommended that you delete or truncate the log file once in a while to avoid unlimited growth. CAUTION: To create the log file, you must select the "Output to log file" option. No heuristic descriptions. If you enable this option, TbScan does not specify the descriptions of the heuristic flags in the log file. See Appendix B for the heuristic flag descriptions. Truename filenames. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 62 If this option is specified, TbScan uses 'truenames' rather than DOS filenames. If you process a file on a network, accessed by DOS as F:\USER\FILE.EXE then TbScan will use the fully expanded filename (like \\SERVER2\PUBLIC\USER\FILE.EXE) on the screen and in the log file. The "View Log File" Option If you activate one of the above log file options, you can then select this option to view and study the log. Otherwise, this option is not available. TIP: See the "Configuring TBAV" section in Chapter 1 for how you can specify your own file viewer using the "Configure TBAV, File view utility" command. 3.2.3 Maximizing TbScan Now that you know how to use TbScan's menus, you can more easily understand the power of using it from the command line. When you run TbScan from the DOS command line, it recognizes command line options (often called "switches" in DOS terms). These options appear as "key-words" or "key-letters." The words are easier to memorize, so we will use these in this manual for convenience. When you run TbScan, it looks for a file named TBAV.INI in the TBAV directory. If the keyword USEINI appears in the [TbScan] section of the TBAV.INI file, the other options listed in the [TbScan] section will be includede when you run TbScan from the command line. CAUTION: Be aware that if you specify options in the TBAV.INI file, you cannot undo them when you run TbScan from the command line. The following table lists the TbScan command line options: option parameter short explanation ------------------ ----- ---------------------------------------- help he help pause pa enable Pause prompt mono mo force monochrome output quick qs quick scan (use ANTI-VIR.DAT) TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 63 allfiles af scan non-executables too alldrives ad scan all local non-removable drives allnet an scan all network drives heuristic hr enable heuristic alerts extract ex extract signatures (registered users only) once oo scan only once a day slowscroll ss enable conventional (slow) scrolling secure se disable "user abort" (registered users only) compat co maximum compatibility mode ignofile in ignore no-file error largedir ld use large directory table fatcheck fc check the FAT for errors fatinfo fi display amount of fragmented files old ol disable the "This program is old" message noboot nb skip boot sector check nofiles nf skip scanning of files nomem nm skip memory check hma hm force HMA scan nohmem nh skip UMB/HMA scan nosub ns skip sub-directories noautohr na auto heuristic level adjust nowin nw do not scan for Windows-OS/2 viruses repeat rp scan multiple diskettes audio aa make noise if virus found batch ba batch mode - no user input delete de automatically delete infected files kill ki automatically kill infected files truename tn use true name instead of DOS name log lo output to log file append ap log file append mode expertlog el no heuristic descriptions in log logname=<filename> ln set path/name of log file loglevel=<0...4> ll set log level wait=<0...255> wa amount of timer-ticks to wait rename[=<text-mask>] rn rename infected files exec=.<ext-mask> ee specify executable extensions The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option. TIP: Remember that you can display these options from the command line by entering TBSCAN ?. help (he). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 64 If you specify this option TbScan displays the help as listed above. pause (pa). When you specify the PAUSE option, TbScan stops after it checks the contents of one window. This enables you to examine the results without having to consult a log file later. mono (mo). This option prevents TbScan from using colors in the screen output. This might enhance the screen output on some LCD screens or color-emulating monochrome systems. quick (qs). This option instructs TbScan to use the ANTI-VIR.DAT files to check for file changes since the last scan. TbScan scans only those files that have changed (CRC change) or do not appear in ANTI-VIR.DAT. By default, TbScan always scans files. allfiles (af). If you specify this option, TbScan also scans non-executable files (that is, files without a .COM, .EXE, .SYS or .BIN extension). If TbScan finds that such a file does not contain executable code, it "skips" that file. Otherwise, TbScan searches the file for COM, EXE and SYS signatures. Be aware that TbScan does not perform heuristic analysis on non-executable files. Since viruses normally do not infect non-executable files, it is not necessary to scan them. We recommend, in fact, that you do not use this option unless you have a good reason to scan all files since a file infected with a virus must normally be executed before it can perform what it is programmed to do, and since you can't execute a non-executable file, a virus in such a file cannot do anything. Some viruses write to non-executable files, but this is simply a result of "incorrect" programming or a specific targeted attack-- the result of which may be corrupted data, which will not likely harm other program or data files. alldrives (ad). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 65 This option instructs TbScan to scan all local non-removable disks. allnet (an). This option instructs TbScan to scan all network drives. heuristic (hr). While TbScan always performs a heuristic scan on the files being processed, if you select this option TbScan increases it's level of sensitivity. In this mode, TbScan detects 90% of the unknown viruses without any signatures. Be aware, however, that some false alarms might occur. See the "Understanding Heuristic Scanning" section later in this chapter for more information. extract (ex). This option is available to registered users only. See the "Using TbGenSig" section in Chapter 4 for more information. once (oo). If you specify this option, TbScan "remembers" whether it has run that day, and that if it has, it will not run again. In other words, this instructs TbScan to run only once a day, regardless of how many times you actually enter the command from the DOS prompt or a batch file. This command is very useful in your AUTOEXEC.BAT file, for example: TBSCAN @EVERYDAY.SCN ONCE RENAME. TbScan now scans the list of files and/or paths specified in the file EVERYDAY.SCN during the first boot-up of the day. If the systems boots more often that day, TbScan returns to the DOS prompt immediately. This option does not interfere with the regular use of TbScan. If you invoke TbScan without this option, it always runs, regardless of a previous run with the ONCE option set. NOTE: If TbScan cannot write to TBSCAN.EXE because it is flagged "read-only" or is located on a write-protected diskette, the ONCE option fails and the scanner executes without it. slowscroll (ss). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 66 If you specify this option, TbScan scrolls the files in the files window conventionally. This method is slower but looks more attractive. secure (se). This option is available to registered users only. If you use it, it is no longer possible to cancel TbScan by pressing Ctrl+Break, or to respond to a virus alert window. compat (co). If you select this option, TbScan attempts to be more compatible with your system. Use this option if the program does not behave as you would expect, or if it even halts the system. This option slows down the scanning process, so you should use it only if necessary. This option in no way affects the results of a scan. ignofile (in). If you specify this option and TbScan doesn't find any files, TbScan does not display the no files found message, nor does it exit with ERRORLEVEL 1. You might use this option for automatic contents scanning. largedir (ld). If TbScan's directory table runs out of space, which is very unlikely, you can use this option to allocate a large directory table. fatcheck (fc). If this option is specified, and TbScan is able to use its internal file system, it will check the disk(s) for lost clusters, cross linked clusters, invalid cluster numbers, and invalid allocation sizes. These errors often indicate system problems and need to be corrected as soon as possible. Because TbScan needs to read the FAT and all directories anyway, it can perform this important check without using additional time. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 67 fatinfo (fi). If this option is specified, TbScan displays the amount of fragmented files after it finished scanning. If the amount of fragmented files is high, you can increase the system performance by using a disk optimizer. This option can only be used in combination with option "fatcheck", and if TbScan is using its internal file system. old (ol). This option suppresses the message that appears if TbScan is 6 months old. noboot (nb). If you specify this option, TbScan does not scan the boot sector. nofiles (nf). This option disables the scanning of files. This can be useful if you are the victim of a boot sector virus and want to scan a large stack of diskettes as fast as possible. nomem (nm). If you specify this option, TbScan does not scan memory. hma (hm). By default, TbScan automatically detects the presence of an XMS-driver and scans HMA. If you have an HMA-driver that is not compatible with the XMS standard, you can use this option to force TbScan to scan HMA. nohmem (nh). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 68 By default, TbScan identifies RAM beyond the DOS limit and scans it. This means that it scans video memory and the current EMS pages. You can, therefore, use this option to disable the scanning of non-DOS memory. nosub (ns). By default, TbScan searches sub-directories for executable files, unless you specify a filename (wildcards allowed). If you enable this option, TbScan does not scan sub-directories. noautohr (na). TbScan automatically adjusts the heuristic detection level after it locates a virus. In other words, when TbScan finds a virus, it continues as if you used the HEURISTIC option. This provides you maximum detection capabilities in case you need it, while keeping the amount of false alarms to a minimum. If you don't want this, you can specify option NOAUTOHR. nowin (nw). By default, TbScan scans Windows and OS/2 files for viruses. Removing the checkmark disables Windows and OS/2 file scanning. repeat (rp). This option is very useful if you want to check a large amount of diskettes. Instead of returning to DOS after checking a disk, TbScan prompts you to insert another disk in the drive. audio (aa). This enables an audible alarm sound when TbScan finds a virus. batch (ba). By enabling this option, TbScan scans without displaying any messages. If you use this option, we recommend that you use a log file (see the LOG option below). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 69 delete (de). By default, if TbScan detects a virus in a file, it prompts you to delete or rename the infected file, or to continue without action. If you specify this option, however, TbScan deletes the infected file automatically, without prompting you first. Use this option if you know there is a virus infection. Make sure that you have a clean backup, and that you really want to get rid of all infected files at once. kill (ki). By default, if TbScan detects a virus in a file it prompts you to delete or rename the infected file, or to continue without action. If you specify the DELETE option, TbScan deletes the infected file automatically, without prompting you first. Unlike the DELETE option, however, KILL prevents files from being undeleted. Be careful if you use this option. Make sure you have a clean backup! truename (tn). This option instructs TbScan to use "truenames" rather than DOS names. For example, if you process a file on a network that DOS accesses using the name F:\USER\FILE.EXE, TbScan uses the full name \\SERVER\PUBLIC\USER\FILE.EXE on the screen and in the log. log (lo). When you use this option, TbScan creates a log file. The log file lists all infected program files, specifying heuristic flags (see Appendix B) and complete pathnames. append (ap). If you use this option, TbScan appends new information to an existing log file rather than overwriting it. If you use this option often, we recommend that you delete or truncate the log file occasionally to avoid unlimited growth. NOTE: If you use this option, you must also use the LOG option. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 70 expertlog (el). If you enable this option, TbScan does not specify the descriptions of the heuristic flags in the log file. Appendix B lists the heuristic flag descriptions logname =<filename> (ln). Using this option, you can specify the name of the log file you want to use. TbScan creates the file in the current directory unless you specify a path and filename after selecting this option. If the log file already exists, TbScan overwrites it. If you want to print the results, you can specify a printer device name rather than a filename (for example, you can specify LOGNAME=LPT1). NOTE: If you use this option, you must also use the LOG option. loglevel =<0..4> (ll). These levels determine what kind of file information the log file stores. The default log level is 1, but you can select one of five log levels: 0 : Log only infected files. This specifies that if there are no infected files, do not create or change the log file. 1 : Log summary too. This places a summary and time stamp in the log file, and specifies that TbScan put only infected files in the log file. 2 : Log suspected too. This is almost the same as level 1, but TbScan also logs "suspected files," files that would trigger the heuristic alarm if you specify the "High heuristic" sensitivity option. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 71 3 : Log all warnings too. This level is an extension of the previous level. It specifies that TbScan log all files that have a warning character printed behind the filename. 4 : Log clean files too. This places the information of all files being processed into the log file. NOTE: If you use this option, you must also use the LOG option. wait =<0..255> (wa). Use this option to delay TbScan. This might be handy if you want to scan a very busy network but don't want to occupy the network too heavily. You have to specify the amount of timer ticks you want to insert between scanned files. rename [=<text-mask>] (rn). By default, if TbScan detects a file virus, it prompts you to delete or rename the infected file, or to continue without action. If you select this option, TbScan renames the infected file automatically, without prompting you first. Also by default, TbScan replaces the first character of the file extension with the character 'V.' It renames an .EXE file to .VXE, for example, and a .COM file to .VOM. This prevents the execution of infected programs and thereby prevents spreading the infection. This option also enables you to keep the infected files for later examination and repair. You can also add a parameter to this option specifying the target extension. This parameter should always contain three characters; you can use question marks. The default target extension is "V??." exec =.<ext-mask> (ee). Using this option you can add filename extensions that indicate what files are executable. If you want to use this option, you probably want to put it in the configuration file. Refer to the "Advanced TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 72 Options" Option section earlier in this chapter for an explanation of configuring executable extensions. Here are a few examples using TbScan from the DOS command line. 1. This command: TBSCAN C:\ NOBOOT scans all executable files in the root directory and its subdirectories and skips the boot sector scan. 2. This command: TBSCAN \*.* scans all files in the root directory but does not process subdirectories. 3. This command: TBSCAN C:\ LOG LOGNAME=C:\TEST.LOG LOGLEVEL=2 scans all executable files on drive C: and creates a LOG file named C:\TEST.LOG that contains all infected and suspected files. 4. This command: TBSCAN \ LOG LOGNAME=LPT1 scans the root directory and its subdirectories and then redirects the results to the printer instead of a log file. 3.2.4 Understanding the Scanning Process This section adds to your knowledge of TbScan by explaining a little more about the scanning process. TbScan starts scanning immediately whenever you run it from the DOS command line or select the Start Scanning option in the TbScan Menu. As TbScan begins its scan, your screen will look similar to the following: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 73 TbScan divides the screen into three windows: an information window (at the top), a scanning window (the bottom-left window) and a status window (to the right of the scanning window). The information window initially displays the vendor information only. +-----------------------------------------------------------------+ |Thunderbyte virus detector (C) 1989-95, Thunderbyte B.V. | | | | TBAV is upgraded every two months. Free hotline support is | | provided for all registered users via telephone, fax and | | electronic bulletin board. Read the comprehensive documentation | | files for detailed info. | | | | C:\DOS\ | | | | ANSI.SYS scanning..> OK signatures: 986 | | COUNTRY.SYS skipping..> OK | | DISKCOPY.COM tracing...> OK file system: OWN | | DISPLAY.SYS scanning..> OK | | DRIVER.SYS scanning..> OK directories: 01 | | EGA.CPI skipping..> OK total files: 17 | | FASTOPEN.EXE looking...> OK executables: 12 | | FDISK.EXE looking...> OK CRC verified: 10 | | FORMAT.COM tracing...> E OK changed files: 00 | | GRAFTABL.COM tracing...> OK infected items: 00 | | GRAPHICS.COM tracing...> OK | | GRAPHICS.PRO skipping..> OK elapsed time: 00:05 | | Kb /second: 57 | +-----------------------------------------------------------------+ If TbScan detects infected files, it displays the names of the file and the virus in the upper window. The lower left window displays the names of the files being processed, the algorithm in use, information and heuristic flags, and finally an OK statement or the name of the virus detected. Notice the following example: NLSFUNC.EXE checking..> FU OK | | | | | | | result of scan | | heuristic flags | algorithm being used to process file name of file in process TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 74 You will see comments following each file name, such as: "looking," "checking," "tracing," "scanning," or "skipping." These refer to the various algorithms being used to scan files. Other comments that TbScan displays here are the heuristic flags. Consult the Understanding Heuristic Flags section later in this chapter and Appendix B for more information on these warning characters. The lower right window is the status window. It displays the number of files and directories encountered as well as the number of viruses found. It also displays which file system is being used: either DOS or OWN. The latter means that TbScan is able to bypass DOS. If this is the case, TbScan reads all files directly from disk for extra security and speed. You can abort the scanning process by pressing the two keys Ctrl+Break simultaneously (that is, if you didn't specify the "SECURE" option). When TbScan detects an infected program, it displays the name of the virus. If you did not specify the BATCH, RENAME or DELETE options, TbScan prompts you to specify the appropriate action. If you choose to rename the file, TbScan replaces the first character of the file extension with the character 'V.' This prevents you or someone else from accidentally executing the file before you can investigate it more thoroughly. If TbScan detects an infected file, it displays one of the following messages: [Name of file] is infected by [name of virus] virus. The file is infected by the virus mentioned. [Name of file] is Joke named [name of Joke]. Some programs simulate that the system is infected by a virus; such a program is a "joke." A joke is completely harmless; however it causes confusion and might cause people to stop using the computer, and should therefore be removed.. [Name of file] is Trojan named [name of Trojan]. The file is a Trojan Horse. A Trojan Horse is a program that pretends to be a harmless program (like a game) but it is designed to do something harmful like erasing a disk. Some Trojan Horses also TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 75 install viruses on your system. Do not execute the program, but delete it instead. [Name of file] damaged by [name of virus]. Unlike an infected file, which carries the virus itself, a damaged file has only been damaged by the virus. [Name of file] dropper of [name of virus]. A "dropper" is a program that has not been infected itself, but which does contain a boot sector virus and is able to install it into your boot sector. [Name of file] garbage: (not a virus) [name of garbage]. A "garbage" program is a file that does not work because it is badly damaged or may have been overwritten with "garbage." Some virus collections (i.e. a CD-ROM based virus collection) contain "garbage-like" program code that was designed specifically to trigger virus detection programs (and fool them), which is exactly why ThunderBYTE identifies them as "garbage." It is also possible for TbScan to encounter a file that appears infected by a virus, although it could not find a signature. In this case TbScan displays the prefix "Probably" before the message. If TbScan finds a file to be suspicious and displays a virus alert window, you can avoid future false alarms by pressing V (Validate program). Note that this works only if there is an ANTI-VIR.DAT record of the file available. Once TbScan validates a program, the program is no longer subject to heuristic analysis, unless the program changes and no longer matches the ANTI-VIR.DAT record. This will be the case if such a file becomes infected at a later time. In such a case, TbScan still reports infections on these files. NOTE: Be aware that a validated program is still subject to the conventional signature scanning. If you specify the HEURISTIC or the HIGH HEURISTIC SENSITIVITY option, it is likely that TbScan will find some files that look like a virus. In TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 76 this case, TbScan uses the prefix "Might be" to inform you about it. So, if TbScan displays: [Name of file] Probably infected by an unknown virus or: [Name of file] Might be infected by an unknown virus it does not necessarily mean that the file is infected. There are a lot of files that look like a virus but are not. It is extremely important to understand that false alarms are part of the nature of heuristic scanning. In its default mode, it is very unlikely that TbScan will issue a false alarm. If you specify the HEURISTIC option, however, some false alarms might occur. How should you deal with false alarms? If TbScan thinks it has found a virus, it tells you the reason for this suspicion. In most cases you will be able to evaluate these reasons when you consider the purpose of the suspected file. NOTE: Viruses infect other programs. It is, therefore, unlikely that you will find only a few infected files on a hard disk you use frequently. You should ignore the result of a heuristic scan if only a few programs on your hard disk trigger it. If, on the other hand, your system behaves "strangely" and several programs trigger the TbScan alarm with the same serious flags, your system could very well be infected by a (yet unknown) virus. 3.2.5 Understanding Heuristic Flags Heuristic flags consist of single characters that appear behind the name of the file that just scanned. There are two kinds of flags: the informative ones, which appear in lower-case characters, and the more serious flags, which appear in upper-case characters. The lower-case flags indicate special characteristics of the file being scanned, whereas the upper-case warnings might indicate a virus. If the loglevel is 3 or above, the important warnings not only appear as a warning character, but TbScan also adds a description to the log file. How should you treat the flags? You can consider the less important lower-case flags to be informational only; they provide file information TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 77 you might find interesting. The more serious uppercase warning flags MIGHT (we repeat, MIGHT) indicate a virus. It is quite normal that you have some files in your system that trigger an uppercase flag. NOTE: Appendix B lists the heuristic flag descriptions. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 78 3.3 Using TbDriver TbDriver is a small memory-resident (TSR) program that you must load before any of the other TBAV memory-resident utilities. This brief section explains the use of TbDriver. 3.3.1 Understanding TbDriver By itself, TbDriver does not provide much protection against viruses, rather its use is to enable the memory resident ThunderBYTE Anti-Virus utilities, such as TbScanX, TbCheck, TbMem, TbFile, and TbDisk, to perform properly. It is the source for some of the routines these utilities have in common, including: support to generate the pop-up window routines, driving the translation unit that enables the possibility of displaying messages in your native language, and support for networks. Additionally, TbDriver also contains basic protection against "stealth" viruses and against "ANSI bombs." NOTE: See the NOFILTER option below for an explanation of an ANSI bomb. 3.3.2 Working with TbDriver You must load TbDriver before loading any of the other memory-resident TBAV utilities. If you ran the TBAV Install program, TbDriver is already set up to load automatically when you boot. Your AUTOEXEC.BAT file calls the TBSTART.BAT file, which in turn loads TbDriver. If you prefer, you can load TbDriver directly from the command line or from an individual line in AUTOEXEC.BAT by using this command: <PATH>TBDRIVER If TbDriver resides in the TBAV directory on drive C:, for example, you could enter C:\TBAV\TBDRIVER. An even more secure way to load TbDriver, and the other TBAV memory-resident utilities (which we ll examine in more detail in the Using TbScanX section later in this chapter), is to load it via the CONFIG.SYS file. After removing the call to TBSTART.BAT in AUTOEXEC.BAT, you could put the following command in CONFIG.SYS: DEVICE=<PATH>TBDRIVER.EXE TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 79 If TbDriver resides in the TBAV directory on drive C:, for example, you could enter DEVICE=C:\TBAV\TBDRIVER.EXE. TIP: If you want protection against ANSI-bombs, you should load TbDriver AFTER the ANSI.SYS driver. Also, if you install TbDriver on a machine that boots from a boot ROM, specify the message file with the drive and path where it resides AFTER the machine boots. The default message file will no longer be accessible after the machine boots. 3.3.3 Maximizing TbDriver This section describes how to use TbDriver's option to maximize its performance and how to get foreign language support for the TBAV utilities. When you run TbDriver from the DOS command line, it recognizes command line options (often called "switches" in DOS terms). These options appear as "key-words" or "key-letters." The words are easier to memorize, so we will use these in this manual for convenience. TbDriver enables you to specify loading options on the command line. It treats a filename specification as a language file specification (see the following "Getting Language Support" section). The first three options in the following table are always available. The other options are available only if TbDriver is not already memory resident. The command-line syntax is as follows: TBDRIVER [<PATH>][<FILENAME>]... [<OPTIONS>]... TbDriver recognizes the following options: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 80 option parameter short explanation ------------------ ----- ----------- help ? help net n force LAN support remove r remove TbDriver from memory mode=<m|c> m override video mode (mono|color) freeze j freeze the machine after an alert lcd l enhance output on LCD screens noavok=<drives> o assume permission for specified drives when ANTI-VIR.DAT record is missing quiet q do not display activity secure s do not allow permission updates notunnel t do not detect tunneling nofilter f do not filter dangerous ANSI codes nostack ns do not install a stack The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option. TIP: Remember that you can display these options from the command line by entering TBDRIVER ?. help (?). If you specify this option, TbDriver shows you the valid command line options as listed above. net (n). TbDriver cooperates well with most networks. In normal situations you will not need the NET option at all. You should use it only if both the following conditions are true at the same time: 1. You make a connection to a Novell network and TBDRIVER.EXE before using the logon command. 2. There is no valid ANTI-VIR.DAT record in the directory where the NET?.COM program resides or after renaming the NET?.COM file. remove (r). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 81 This option disables TbDriver and attempts to remove the resident part of its code from memory and return this memory space to the system. Unfortunately, this works only if you loaded TbDriver last. An attempt to remove a TSR after you load another TSR leaves a useless gap in memory and could disrupt the interrupt chain. TbDriver checks whether it is safe to remove its resident code; if not, it simply disables itself. mode (m). On dual video systems TbDriver uses the currently active screen. It might be forced to use the alternate screen with the MODE=M option for monochrome or the MODE=C option for color systems. lcd (l). This option enhances the output on LCD screens. freeze (f). This option freezes the computer when there is a virus alert. noavok (o). We don't recommend this option for normal use. You might need it to grant permission automatically for programs without an ANTI-VIR.DAT record. The option requires a parameter specifying the drives to which the default permission applies. If, for example, you do not want TbMem to display a message when a TSR without ANTI-VIR.DAT executes from drive E: and F:, you could specify NOAVOK=EF on the TbDriver command line. Additionally, if you want to exclude network drives, you should use an asterisk [*]. For example, if you want to grant permission for all files without ANTI-VIR.DAT records on drive A:, your ram disk F: and your remote network drives, specify NOAVOK=AF*. quiet (q). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 82 Some resident TBAV utilities display an activity status. TbScanX, for instance, displays a rectangle with the word Scanning in the upper left corner of your screen while scanning a file. The QUIET option disables this message. secure (s). Some ThunderBYTE utilities can store permission flags in the ANTI-VIR.DAT files. You can use this option if you don't want these flags changed. It has no effect on flags already set, so you can use the option after installing new programs or packages. notunnel (t). "Tunneling" is a technique viruses apply to determine the location of the DOS system code in memory, and to use that address to communicate with DOS directly. This inactivates all TSR programs, including resident anti-virus software. TbDriver is able to detect these tunneling attempts, and informs you about it. Some other anti-virus products also rely on tunneling techniques to bypass resident viruses, thereby causing false alarms. If you are currently executing other anti-viral products, the NOTUNNEL option disables TbDriver's tunneling detection. nofilter (f). The original ANSI driver has a feature to assign text strings to keys. Years ago people used this feature, for example, to assign the DIR /W command to the F10 key. Such reprogramming can be done simply by embedded ANSI codes in batch files. Almost no one uses this feature nowadays. Some misguided people, however, use this feature, for example, to make a text file that reprograms the Enter key to execute the DEL *.* command or something even worse. Such a file is an "ANSI-bomb." TbDriver protects you against ANSI-bombs by filtering out the keyboard reprogramming codes. All other ANSI codes pass without interference. If you don't want this protection, or if you want to use this obsolete ANSI feature, you can use the NOFILTER option. nostack (ns). By default, TbDriver maintains a stack for the resident TBAV utilities. For most systems, however, this isn't necessary. If you TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 83 use this option, TbDriver uses the application stack, saving a few hundred bytes of memory. If the system hangs or becomes unstable, however, discontinue use of this option. You can use the optional filename specification to direct TbDriver to the location of the language file you want to use. TbDriver retrieves pop-up window messages from a TBDRIVER.LNG file, which it expects to find in its own home directory. The default English language file is TBDRIVER.LNG, which you can replace with a file in your local language. You can order separate language support packages at your local ThunderBYTE dealer, or download the language file from a ThunderBYTE support BBS. See the Maintaining the System section in Chapter 1 for more information about the ThunderBYTE support BBS. To load a language file, either rename it to the default (TBDRIVER.LNG), or specify the full path and filename following the command. You can also switch to another language by calling TbDriver again with a different message file. This will not take up any extra memory. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 84 3.4 Using TbScanX TbScanX is virtually identical to TbScan, with one important difference: TbScan is memory-resident. This section describes TbScanX in detail. 3.4.1 Understanding TbScanX To implement real-time or on-the-fly virus protection, the TBAV for DOS utilities include the TbScanX program, a memory-resident (TSR) program that tracks all file operations. If you copy an infected file from a diskette to your hard disk, for example, TbScanX recognizes the virus hidden in the file and informs you about it, BEFORE the virus becomes active. Why use TbScanX? Let's assume you have a virus scanner that automatically runs from your AUTOEXEC.BAT file. If it doesn't find any viruses, your system should be uninfected. Right? Not necessarily. To be sure that no virus infects your system, you need to execute the scanner every time you copy a file to your hard disk, after downloading a file from a bulletin board system, or after unarchiving an archive such as a ZIP file. Now be honest, do YOU invoke your scanner every time you introduce a new file into the system? If you don t, you take the risk that within a couple of hours all files will become infected by a virus. Once you load TbScanX, it remains resident in memory and automatically scans all files you execute and all executable files you copy, create, download, modify, or unarchive. It uses the same approach to protect against boot sector viruses; every time you put a diskette into a drive, TbScanX scans the boot sector. If the disk is contaminated with a boot sector virus, TbScanX warns you in time! NOTE: TbScanX is fully network compatible. It does not require you to reload the scanner after logging onto the network. 3.4.2 Working with TbScanX Since TbScanX is memory resident, you can execute and configure the program from the command line or from within a batch file. It is important to load TbScanX as early as possible after the machine boots. We therefore recommend that you execute TbScanX from within the CONFIG.SYS file. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 85 CAUTION: TbScanX requires that you load TbDriver first! See the previous section on "Using TbDriver" for details. There are three possible ways to load TbScanX: 1. From the DOS prompt or within the AUTOEXEC.BAT file: <PATH>TBSCANX 2. From the CONFIG.SYS files as a TSR (DOS 4+ and above): INSTALL=<PATH>TBSCANX.EXE The INSTALL= CONFIG.SYS command is NOT available in DOS 3.xx. 3. From the CONFIG.SYS as a device driver: DEVICE=<PATH>TBSCANX.EXE NOTE: Using TbScanX as a device driver does not work in all OEM versions of DOS. If it does not work, use the INSTALL= command or load TbScanX from within the AUTOEXEC.BAT. TbScanX should always work correctly if you run it from AUTOEXEC.BAT. Unlike other anti-virus products, you can load the ThunderBYTE Anti-Virus Utilities before starting a network without losing the protection afterwards. In addition to the three loading possibilities, you can also load TbScanX into an available UMB (upper memory block) if you are using DOS version 5 or higher. To accomplish this from AUTOEXEC.BAT, use the following command: LOADHIGH <PATH>TBSCANX Alternately, to accomplish this from CONFIG.SYS, use the following command: DEVICEHIGH=<PATH>TBSCANX.EXE If you are using Microsoft Windows, you should load TbScanX BEFORE starting Windows. When you do this, there is only one copy of TbScanX in memory regardless of how many DOS windows you might open. Every DOS TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 86 window (that is, every virtual machine ) has a fully functional copy of TbScanX running in it. TbScanX automatically detects if Windows is running, and switches itself in multitasking mode if necessary. You can even disable TbScanX in one window without affecting the functionality in another window. NOTE: TBAV for Windows includes a full-featured resident scanner. Please refer to the TBAV for Windows documentation for more information. 3.4.3 Maximizing TbScanX When you run TbScanX from the DOS command line, it recognizes command line options (often called "switches" in DOS terms). These options appear as "key-words" or "key-letters." The words are easier to memorize, so we will use these in this manual for convenience. You can maximize TbScanX's performance by using one or more command line options. The first four options in the following table are always available. The other options are available only if TbScanX is not already resident in memory. option parameter short explanation ------------------ ----- ---------------------------------------- help ? display on-line help off d disable scanning on e enable scanning remove r remove TbScanX from memory noexec n never scan at execute allexec[=<drives>] a always scan at execute noboot b do not scan boot sectors wild w only search viruses which appear "in the wild" ems me use expanded memory (EMS) xms mx use extended memory (XMS) secure s deny all suspicious operations lock l lock PC when a virus is detected api i load TbScanX's Application Program Interface compat c increase compatibility The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 87 TIP: Remember that you can display these options from the command line by entering TBSCANX ?. help (?). This option displays the command line options as shown above. Once you load TbScanX, however, this option does not display all the options. off (d). This option disables TbScanX, but leaves it in memory. on (e). This option re-enables TbScanX after you disable it with the OFF option. remove (r). This option disables TbScanX and attempts to remove the resident part of its code from memory and return this memory space to the system. Unfortunately, this works only if you loaded TbScanX last. An attempt to remove a TSR after you load another TSR leaves a useless gap in memory and could disrupt the interrupt chain. TbScanX checks whether it is safe to remove its resident code; if not, it simply disables itself. noexec (n). TbScanX normally scans files located on removable media just before they execute. You can use this option to disable this feature completely. allexec (a). TbScanX normally scans executable files only if they reside on removable media. It "trusts" files on the hard disk, since these files must have been copied or downloaded before, and since by this time TbScanX has already scanned them automatically. If you want to TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 88 scan every file before it executes, however, regardless of whether it is on the hard disk or removable media, you should use this option. It is possible to explicitly specify drives from which you want executed files to be scanned. For example, if you specify option ALLEXEC=DF, then TbScanX will only scan files being executed that reside on either drive D: or drive F:. noboot (b). TbScanX automatically monitors the disk system. Every time DOS reads the boot sector, TbScanX scans the disk for boot sector viruses. If you change a disk, DOS first reads the boot sector; otherwise it does not know what kind of disk is in the drive. As soon as DOS reads the boot sector, TbScanX checks it for viruses. If you don't like this feature, or if it causes problems, you can switch it off using the NOBOOT option. wild (w). TbScanX can distinguish viruses that do not appear "in the wild" from frequently appearing viruses. In order to reduce the memory requirements of TbScanX, you can specify option WILD, which makes TbScanX load and use the viruses signatures from viruses that frequently appear "in the wild." This option is disabled by default. ems (me). If you specify this option, TbScanX uses expanded memory (such as that provided by the LIM/EMS expansion boards or 80386 memory managers) to store the signatures and part of its program code. Since conventional memory is more valuable to your programs than expanded memory, we recommend the use of EMS memory. TbScanX can use up to 64Kb of EMS memory. (Refer to the XMS option also.) xms (mx). If you specify this option TbScanX uses extended memory to store the signatures and part of its program code. An XMS driver (such as DOS's HIMEM.SYS) must be installed to be able to use this option. XMS memory is not directly accessible from within DOS, so every time TbScanX has to scan data it has to copy the signatures to conventional memory. To be able to save the original memory contents, TbScanX needs a double amount of XMS memory. Swapping to TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 89 XMS is slower than swapping to EMS memory, so if you have EMS memory available, we recommend swapping to EMS. Swapping to XMS might conflict with some other software, so if you experience problems try using TbScanX without the XMS option. secure (s). TbScanX normally asks you to continue or to cancel when it detects a virus. In some business environments, however, employees should not make this choice. By using the SECURE option, you can disallow suspicious operations. NOTE: This option also disables the OFF and REMOVE options. lock (l). If you are a system operator, you can use this option to instruct TbScanX to lock the system when it detects a virus. api (i). This option is for advanced users only. It enables TbScanX's Application Program Interface (API), which is necessary if you want to call TbScanX from within your application. Consult the ADDENDUM.DOC file for detailed programming information. compat (c). In most systems TbScanX performs trouble free. Another TSR program, however, might conflict with TbScanX. If you load the other TSR first, TbScanX normally detects the conflict and uses an alternate interrupt. If, on the other hand, you load the other TSR after TbScanX, and it aborts with a message telling you that it is already loaded, you can use the COMPAT switch of TbScanX (when installing it in memory). It is also possible for TbScanX to conflict with other resident software that is using EMS or XMS. In this case, the system will hang. Again, the COMPAT option solves this problem, but be aware that due to extensive memory swapping, TbScanX's performance will slow down. TIP: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 90 If you are using DOS version 5 or above and have extended memory (XMS) on your system, you can use EMM386.SYS to treat a portion or extended memory as expanded memory (EMS). See your DOS manual for details. Here is one example of loading TbScanX: DEVICE=C:\TBAV\TBSCANX.EXE XMS NOBOOT In this example, the memory resident portion of TbScanX loads into extended memory (XMS) and will not scan boot sectors for viruses. 3.4.4 Understanding the Scanning Process This section adds to your knowledge of TbScanX by explaining a little more about the scanning process. Whenever a program tries to write to an executable file (files with the extensions .COM and .EXE), you will briefly see the text "*Scanning*" in the upper left corner of your screen. As long as TbScanX is scanning, this text appears. Since TbScanX takes very little time to scan a file, the message appears very briefly. The text "*Scanning*" also appears if you execute a program directly from a diskette, and if DOS accesses the boot sector of a diskette drive. If TbScanX detects a suspicious signature that is about to be written into a file, a window appears similar to the one displayed below: +---------TBAV interception---------+ | WARNING! | | TbScanX detected that COMMAND.COM | | is infected with | | Yankee_Doodle {1} | | Abort? (Y/N) | +-----------------------------------+ Whenever this message appears, you should press N to continue, or any other key to abort. If TbScanX detects a suspicious signature in a boot sector, it displays a message like the following: +------------TBAV interception-----------+ | WARNING! | | TbScanX detected that the bootsector | | of disk in drive A: is infected with | TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 91 | Form | | Do NOT attempt to boot with that disk! | +----------------------------------------+ Although a virus seems to be in the boot sector of the specified drive, the virus cannot do anything since it has not yet executed. If you reboot the machine with the contaminated diskette in the drive, however, the virus copies itself into memory and onto your hard disk. NOTE: To display the name of a virus, TbScanX needs access to the virus signature file (TBSCAN.SIG). If for any reason TbScanX cannot access this file, it still detects viruses, but no longer displays the name of the virus. It displays "[Name unknown]" instead. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 92 3.5 Using TbCheck This section describes another one of TBAV's memory resident (TSR) utilities, TbCheck. 3.5.1 Understanding TbCheck TbCheck is a memory-resident integrity checker that comes into action whenever the system is about to execute a file. It uses the ANTI-VIR.DAT records TbSetup generates to detect file changes, which is often the first sign of a virus infection. These records contain information, such as file sizes and checksums, of every executable file in a directory. By comparing this information with the actual file status, it is possible to detect automatically any changes, including infections caused by viruses. Assume your AUTOEXEC.BAT file automatically loads a conventional integrity checker. If no files appear changed, your system should be uninfected, but to be sure that no virus can infect your system, you have to execute the checker frequently. In contrast, once you load TbCheck, it remains resident in memory, and automatically checks all programs you try to execute. NOTE: TbCheck is fully network compatible. It does not require you to reload the checker after you are logged onto the network. 3.5.2 Working with TbCheck Since TbCheck is a memory resident program, you can execute and configure it from the DOS command line or from within a batch file. You should, however, load TbCheck automatically when the computer boots, preferably during the execution of AUTOEXEC.BAT, or better yet, CONFIG.SYS. CAUTION: Be sure to load TbDriver before trying to load TbCheck. TbCheck will refuse to load without it. There are three possible ways to start TbCheck: 1. From the DOS prompt or within the AUTOEXEC.BAT file: <PATH>TBCHECK TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 93 2. From CONFIG.SYS as a TSR (DOS 4 or above): INSTALL=<PATH>TBCHECK.EXE The INSTALL= CONFIG.SYS command is NOT available in DOS 3.xx. 3. From CONFIG.SYS as a device driver: DEVICE=<PATH>TBCHECK.EXE NOTE: Executing TbCheck as a device driver does not work in all OEM versions of DOS. If it doesn't work, use the INSTALL= command or load TbCheck from AUTOEXEC.BAT. TbCheck should always work correctly if you load it from AUTOEXEC.BAT. Also, unlike other anti-virus products, you can load the ThunderBYTE Anti-Virus utilities before starting a network without losing the protection after the network is started. In addition to the three loading possibilities, if you are using DOS version 5 or above, you can load TbCheck into an available UMB (upper memory block) from AUTOEXEC.BAT using this command: LOADHIGH <PATH>TBCHECK You can also load TbCheck into high memory from within the CONFIG.SYS using this command: DEVICEHIGH=<PATH>TBCHECK.EXE If you are using Microsoft Windows, you should load TbCheck BEFORE starting Windows. When you do this, there is only one copy of TbCheck in memory regardless of how many DOS windows you might open. Every DOS window (that is, every virtual machine ) has a fully functional copy of TbCheck running in it. TbCheck automatically detects if Windows is running, and switches itself into multi-tasking mode if necessary. You can even disable TbCheck in one window without effecting the functionality in another window. NOTE: TBAV for Windows comes with a full-fledges Windows-based version of TbCheck. Please refer to the documentation of TBAV for Windows for more information. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 94 3.5.3 Maximizing TbCheck When you run TbCheck from the DOS command line, it recognizes command line options (often called "switches" in DOS terms). These options appear as "key-words" or "key-letters." The words are easier to memorize, so we will use these in this manual for convenience. You can maximize TbCheck's performance by using it's various options. The first four options in the following table are always available. The other options are available only if TbCheck is not yet memory resident. option parameter short explanation ----------------- ----- ---------------------------------------- help ? display on-line help remove r remove TbCheck from memory off d disable checking on e enable checking noavok [=<drives>] o do not warn for missing ANTI-VIR.DAT record fullcrc f calculate full CRC (slow!) secure s do not execute unauthorized files The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option. TIP: Remember that you can display these options from the command line by entering TBCHECK ?. help (?). Specifying this option displays the above options list. remove (r). This option disables TbCheck and attempts to remove the resident part of its code from memory and return this memory space to the system. Unfortunately, this works only if you loaded TbCheck last. An attempt to remove a TSR after you load another TSR leaves a useless gap in memory and could disrupt the interrupt chain. TbCheck checks whether it is safe to remove its resident code; if not, it simply disables itself. off (d). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 95 This option disables TbCheck, but leaves it in memory. on (e). This re-enables TbCheck after having been disabled with the OFF option. noavok (o). TbCheck looks in the ANTI-VIR.DAT file for checksum information on the file you want to check. TbCheck displays a message if it finds no checksum information or if the specific checksum is incorrect. This ensures that you will receive a warning whenever a malicious program deletes the ANTI-VIR.DAT file. Although we recommend that you maintain ANTI-VIR.DAT files on all drives, this might not always be practical with floppy disks, RAM disks, or CD-ROM disks. This option, therefore, tells TbCheck not to look for an ANTI-VIR.DAT on specific drives. For example, if you don't want TbCheck to alert you about the absence of an ANTI-VIR.DAT record on floppy disks A: and B: or on your RAM disk E:, you should load TbCheck using the following command line: <PATH>TBCHECK NOAVOK=ABE If you don't want a message when an ANTI-VIR.DAT record is missing on network drives, you should specify an asterisk (*) instead of a drive letter. If you don't specify a drive to the NOAVOK option, TbCheck never issues a warning if an ANTI-VIR.DAT record is missing on any drive. CAUTION: This presents a security hole for viruses: by deleting the ANTI-VIR.DAT file you will not be able to detect file changes caused by a viral infection. Also, please note that the NOAVOK option does not prevent the detection of infected programs if the ANTI-VIR record is available. If a program has changed and the ANTI-VIR record is available, you will still get an alarm regardless of how you implement the NOAVOK option. fullcrc (f). By default, TbCheck verifies only that part of the file near the program's entry point. If a virus infects the file, this area will definitely change, so this is perfectly adequate to detect all TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 96 infections. Other file changes, notably configuration variations, will not trigger the alarm. If, however, you should ever desire a full check that detects ANY file changes, this option takes care of it. Be aware that this option slows down the system considerably, so we don't recommend its use in normal circumstances. secure (s). TbCheck normally asks whether you want to continue or cancel when a file has been changed or when there is no checksum information available. In a business environment it may be unwise to leave such decisions to employees. Option SECURE makes it impossible to execute new or unknown programs, or programs that have been changed. NOTE: Be aware that the SECURE option also disables the OFF and REMOVE options. 3.5.4 Understanding the Scanning Process This section adds to your knowledge of TbCheck by explaining a little more about the scanning process. Whenever a program wants to execute, TbCheck steps in to see if it really has the authority to do so. During that time it displays the message "*Checking*" in the upper left hand corner of the screen. TbCheck operates at lightning speed, so the message appears only momentarily. TbCheck quickly checks a program when the program loads. If TbCheck detects that a file has changed, a notification message appears. At this point, you can choose to either continue, or to abort the program's execution. If there is no information in the ANTI-VIR.DAT file about the program, TbCheck also informs you of this. You can either choose to continue without checking, or to abort the program's execution. TIP: You can prevent users from executing unauthorized software by using the SECURE option. 3.5.5 Testing TbCheck TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 97 Understandably, many users wish to test the product they are using. In contrast to a word processor, for example, it is very difficult to test a smart integrity checker like TbCheck. You cannot change a random 25 bytes of an executable file just to find out whether TbCheck detects the file change. On the contrary, it is very likely that TbCheck will NOT detect it because the program checks only the entry area of the file, whereas the changed bytes might reside in another location within the file. But again, if a virus infects the file, this entry area will definitely change, so this is perfectly adequate to detect all infections. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 98 3.6 Using TbClean In case a virus infects one or more files, and you wish to remove the virus from those files (for example, in case you do not have a clean backup of the files), you can use TbClean. TbClean is the program that can remove viruses from infected files, even without knowing the virus itself. This section explores TbClean. 3.6.1 Understanding TbClean TbClean isolates viral code in an infected program and removes it. It is then safe to use the program again, since TbClean securely eliminates the risk of other files becoming infected or damaged. Understanding the Repair Cleaner TbClean works differently from conventional virus cleaners because it does not actually recognize any specific virus. TbClean's disinfection scheme is unique, employing ThunderBYTE's heuristic ( learn as you go ) technology so that it works with almost any virus. Actually, the TbClean program contains two cleaners: a "repair" cleaner, and a "heuristic" cleaner. The repair cleaner needs an ANTI-VIR.DAT file generated by the TbSetup program before the infection occured. This ANTI-VIR.DAT file contains essential information such as the original file size, the bytes at the beginning of the program, a cryptographic checksum to verify the results, etc. This information enables TbClean to disinfect almost every file, regardless of the specific virus that has infected it, even if it is unknown. Understanding the Heuristic Cleaner In the heuristic cleaning mode TbClean does not need any information about viruses either, but it has the added advantage that it does not even care about the original, uninfected state of a program. This cleaning mode is very effective if your system becomes infected with an unknown virus and you neglected to let TbSetup generate the ANTI-VIR.DAT files in time. In the heuristic mode, TbClean loads the infected file and starts emulating the program code to find out which part of the file belongs to the original program and which belongs to the virus. The result is TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 99 successful if TbClean restores the functionality of the original program, and reduces the functionality of the virus to zero. NOTE: This does not imply that the cleaned file is 100% equal to the original. Please read on. When TbClean uses heuristic cleaning to disinfect a program, the file most likely will not be exactly the same as in its original state. This does not imply a failure on TbClean s part, nor does it mean the file is still infected in some way. It is actually normal that the heuristically cleaned file is still larger than the original. This is normal because TbClean tries to be on the safe side and avoids removing too much. The bytes left at the end of the file are dead code, that is, instructions that will never execute again since TbClean removes the jump at the beginning of the program. If the cleaned file is an EXE type file, it is likely that some bytes in front of the program (the EXE-header ) are different. There are several suitable solutions for reconstructing the EXE-header, so TbClean cannot, of course, know the original state of the program. The functionality of the cleaned file will nevertheless be the same. NOTE: This applies only to heuristic cleaning. If there is a suitable ANTI-VIR.DAT record available, the cleaned program will normally be exactly the same as the original clean file. It's also possible for a virus to infect a file with multiple viruses, or multiple instances of the same virus. Some viruses keep on infecting files, and in such cases the number of infected files keeps growing. If TbClean used its heuristic cleaning mode, it is very likely that TbClean removed only one instance of the virus. In this case, it is necessary to repeat the cleaning process until TbClean reports that it cannot remove anything else. 3.6.2 Working with the TbClean Menus Selecting TbClean from TBAV's Main Menu displays the following menu: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 100 +-----Main menu-----+ | Confi+------TbClean men-------+ | TbSca| Start cleaning | | TbSet| List file name | | TbUti| Use TBAV. INI file | | TbCLe| Prompt for pause | | Virus|v Use Anti-Vir.Dat | | TBAV |v Use Heuristics | | Docum|v Expanded memory | | Regis| Display program loops | | About| Make list file | | Quit +------------------------+ | eXit (no save) | +-------------------+ We'll now explore these menu options. The "Start Cleaning" Option After tracking one or more viruses, all you should do is select the Start cleaning option. After specifying the relevant filename, TbClean goes into action. Before beginning, however, you can select various parameters. We will explore these in the following sections. The "List File Name" Option By selecting this option you can specify a filename to use as a list file (see also the Make list file option below). The "Use TBAV.INI File" Option If you enable this option, the TbClean configuration values, saved in the TBAV.INI file, will also be valid if you run TbClean from the DOS command line. Be careful, however, since if you specify options in the TBAV.INI file, you cannot undo them on the command line. See the "Configuring TBAV" section of Chapter 1 for details about TBAV.INI. The "Prompt For Pause" Option This option instructs TbClean to stop disassembling information after each full screen, enabling you to examine the results. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 101 The "Use ANTI-VIR.DAT" Option If you turn this option off, TbClean acts as if there were no ANTI-VIR.DAT records available and therefore performs heuristic cleaning. The "Use Heuristics" Option If you turn this option off, TbClean does not try to apply heuristic cleaning, even when there are no ANTI-VIR.DAT records available. The "Expanded Memory" Option If you select this option, TbClean detects the presence of expanded memory and uses it in heuristic mode. You might want to disable EMS usage if it is too slow or if your expanded memory manager is not very stable. The "Show Program Loops" Option By default TbClean keeps track of looping conditions to prevent repetitive data from appearing on your screen thousands of times. If you select this option, TbClean "works out" every loop. CAUTION: Using this option drastically reduces TbClean's performance speed. Also, do not combine this option with the "Make list file" option, because the list file might grow too big The "Make List File" Option Selecting this option instructs TbClean to generate an output file with a chronological disassembly of the virus being removed. Maximizing TbClean Now that you know how to use TbClean's menus, you can more easily understand the power of using it from the command line. 3.6.3 Using TbClean Command Line Options TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 102 When you run TbClean from the DOS command line, it recognizes command line options (often called "switches" in DOS terms). These options appear as "key-words" or "key-letters." The words are easier to memorize, so we will use these in this manual for convenience. You can maximize TbClean's performance by using its command line options. The following table lists these options: option parameter short explanation ------------------ ----- ---------------------------------- help he display on-line help pause pa enable pause prompt mono mo force monochrome display output noav na do not use ANTI-VIR.DAT records noheur nh do not use heuristic cleaning noems ne do not use expanded memory showloop sl show every loop iteration (slow!) list[=<filename>] li create list file The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option. TIP: Remember that you can display these options from the command line by entering TBCLEAN ?. help (he). Specifying this option displays the above options list. pause (pa). This option instructs TbClean to stop disassembling information after each full screen, enabling you to examine the results. The PAUSE option is available for registered users only. mono (mo). This option enhances the screen output on some LCD screens or color-emulating monochrome systems. noav (na). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 103 If you specify this option, TbClean acts as if there were no ANTI-VIR.DAT records available and therefore performs heuristic cleaning. noheur (nh). If you specify this option, TbClean does not try to apply heuristic cleaning, even when there are no ANTI-VIR.DAT records available. noems (ne). If you specify this option, TbClean does not detect the presence of expanded memory and use it in heuristic mode. You might want to disable EMS use if it is too slow, or if your expanded memory manager is not very stable. showloop (sl). By default TbClean keeps track of looping conditions to prevent repetitive data from appearing on your screen thousands of times. If you select this option, TbClean "works out" every loop. CAUTION: Using this option drastically reduces TbClean's performance speed. Also, do not combine this option with the "Make list file" option, because the list file might grow too big list [=<filename>] (li). This option instructs TbClean to generate an output file with a chronological disassembly of the virus being removed. The LIST option is available for registered users only. Here are two examples of using TbClean from the command line: 1. This command: TBCLEAN VIRUS.EXE TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 104 instructs TbClean to make a backup of the file VIRUS.EXE using the name filename VIRUS.VIR, and then disinfect VIRUS.EXE. 2. This command: TBCLEAN VIRUS.EXE TEST.EXE instructs TbClean to copy the file called VIRUS.EXE to the new filename TEST.EXE and then disinfect TEST.EXE. 3.6.4 Understanding the Cleaning Process TbClean's cleaning process is extremely important. To better illustrate it, let's look at a sample file cleaning. Assume you want to clean a file called COMMAND.COM, which resides in the TMP directory on drive G. To do so, you would follow these steps: 1. Select the "Start cleaning" option on the TBAV menu. The following window appears: +-------------------------------------------------------------------+ | | |Enter name of program to clean. TbClean will create a backup first!| | | | | +-------------------------------------------------------------------+ The ThunderBYTE utility cleans on a file-by-file approach; that is, it cleans one file, verifies the result, and continues on to the next file. This helps you keep track of which file is clean, which file is damaged and should be restored from a backup, and which file is still infected. 2. Specify the name of the file. In this case, you would type G:\TMP\COMMAND.COM and press ENTER. The following window appears: +-------------------------------------------------------------------+ | | | Enter name of cleaned file. Keep blank if infected program may be | | changed. | | | | | +-------------------------------------------------------------------+ TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 105 3. Type a new file name and press ENTER. In this case, we'll use G:\TMP\TEST.EXE. TbClean now begins the cleaning process. By specifying a different name you ensure that the cleaned file cannot overwrite the original file. In this example TbClean copies COMMAND.COM to TEST.COM and disinfects TEST.COM. If you do not specify a backup filename, TbClean creates a backup with the .VIR extension. In this example, the TbClean would copy the original file to COMMAND.VIR and then clean COMMAND.COM. During the cleaning process, TbClean displays as much information as possible about the current operation, as illustrated below. All the major actions appear in the emulation window at the lower half of the screen, which displays a disassembly and the register contents of the program under scrutiny, as well as a progress report. The top-left and top-right status windows reveal useful details of the infected file and (if TbClean can find a suitable ANTI-VIR.DAT file) the file's original status. You can abort the cleaning process by pressing Ctrl+Break. +-----------------------------------------------------------------+ | Thunderbyte clean utility (C) 1992-95 Thunderbyte B.V. | +---------Infected state----------++---------Original state-------+ | Entry point (CS:IP) 34BF:0012 || Entry point (CS:IP) 34BF:0012| | File length || File length UNKNOWN! | | Cryptographic CRC 9F90F52A || Cryptographic CRC UNKNOWN! | +---------------------------------++------------------------------+ | | | Starting clean attempt. Analyzing infected file... | | Anti-Vir not found: original state unknown. Trying emulation... | | Emulation terminated: | | | | G:\VIRUS\COMMAND.COM | | CS:IP Instruction AX BX CX DX DS SI ES DI SS SP | | 9330:0101 mov ah,40 FFFE9330FFFFEFFFD382FFEDEFFEFFFF9520007E| | 9330:0103 mov bx,0002 40FE9330FFFFEFFFD382FFEDEFFEFFFF9520007E| | 9330:0106 mov cx,0016 40FE0002FFFFEFFFD382FFEDEFFEFFFF9520007E| | 9330:0109 mov dx,cs 40FE00020016EFFFD382FFEDEFFEFFFF9520007E| | 9330:010B mov ds,dx 40FE000200169330D382FFEDEFFEFFFF9520007E| | 9330:010D mov dx,0117 40FE0002001693309330FFEDEFFEFFFF9520007E| | 9330:0110 int 21 40FE0002001601179330FFEDEFFEFFFF9520007E| | 9330:0112 mov ax,4CFF 40FE0002001601179330FFEDEFFEFFFF9520007E| | 9330:0115 int 21 4CFF0002001601179330FFEDEFFEFFFF9520007E| | 9330:0115 <End of emulation> | +-----------------------------------------------------------------+ TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 106 A successful purge is not the end of the story! Your job is only partially complete. Some viruses damage data files. They could randomly change bytes on your disks, swap sectors, or perform other nasty tricks. A cleaning utility can never repair data! 4. Check your data files thoroughly and consult a virus expert to find out what the virus is capable of doing. If there is any doubt, restoring the data is definitely the most reliable option. WARNING: Under no circumstances should you continue to use cleaned software! Cleaning is a temporary solution that simply enables you to delay a large restore operation until a more practical time. You should never rely on a cleaned program for any length of time. This is not a criticism of anti-viral cleaning agents. If your data is valuable to you, you should care for it as much as possible, and sticking to original software is simply an elementary precaution. In other words, restore the original programs as soon as possible! 3.6.5 Understanding Cleaning Limitations Although TbClean has a very high success rate and is able to clean programs that other cleaners refuse to process, it simply cannot remove all viruses and cannot clean every file. Examples of computer viruses that TbClean (or other virus cleaners) cannot clean include: Overwriting viruses. This type of virus does not add itself to the end of the original program, rather it copies itself over the original file. Further, it does not attempt to start the original program but simply hangs the machine or returns you to DOS after it activates. Since it overwrites the original file, no cleaner can restore the file. Some encrypted viruses. TbClean is usually able to decrypt the virus. However, some viruses use anti-debugger features that TbClean cannot yet cope with (but we re working on it!). The construction of some program files makes them impossible to clean, making reinstallation the only option. Some of these file types include: EXE-programs with internal overlays. TbScan marks these files with an "i" flag. Any infection is sure to cause major damage to these files. Some viruses recognize such programs and do not TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 107 infect them, but most viruses infect these programs anyway and corrupt them. No cleaner can repair this kind of damage. Programs with sanity check routines. Some programs (mostly anti-virus software or copy-protected programs) perform their own kind of sanity check. Heuristic cleaning of an infected program normally results in a program that is not physically identical to the original. So, although TbClean removes the virus from the program and the program is functionally identical to the original, the program's internal sanity check usually detects the slight changes and aborts the program. Cleaning Multiple Files TbClean has no provisions for cleaning multiple programs in one run. There are two reasons for this omission: 1. TbClean cannot search for viruses automatically since it does not know any virus. 2. We recommend that you clean the system on a file-by-file basis. Clean one file, verify the result, and go on to the next file. Again, this helps you keep track of which files are clean, which files are damaged and should be restored from a backup, and which files are still infected. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 108 3.7 Using TbMem TBAV provides three extra utilities that help you build a massive security wall around your computer system. This set includes: TbMem, TbFile and TbDisk. In this section, we'll introduce these three utilities collectively as a set and then examine each individual utility. 3.7.1 Introducing the TbMem, TbFile & TbDisk Utilities As the old saying goes, An ounce of prevention is worth a pound of cure, and the computer virus threat gives this old saying new meaning. TBAV is the best product on the market for removing viruses, but if this is all it did, it would be of little use. It's much wiser to prevent virus infection than wait until you get one and remove it. This is where a set of three small memory-resident (TSR) programs come in. These utilities are shipped with TBAV for DOS; they monitor specific areas of your system and protect against virus infection. These three utilities are: TbMem. This program detects attempts by programs to remain resident in memory and ensures that no program can remain resident in memory without permission. TbFile. This program detects attempts by programs to infect other programs. TbDisk. This program detects attempts by programs to write directly to the disk (bypassing DOS), attempts to format disks, and other such destructive actions. 3.7.2 Loading TbMem, TbFile and TbDisk TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 109 The TbMem, TbFile and TbDisk programs load in the same way. The following sections contain specific information on each of the programs, but here we present loading information that is common to all of them. CAUTION: You must load TbDriver before you can load any of the TbMem, TbFile or TbDisk utilities. These utilities will refuse to load without it. There are three possible ways to load TbMem, TbFile or TbDisk. Please note that we call the programs TbXXX here. Naturally, you will replace the XXX with either Mem, File, or Disk when you load each utility. 1. From the DOS prompt or within the AUTOEXEC.BAT file: <PATH>TBXXX 2. From the CONFIG.SYS file as a TSR (DOS 4 or higher): INSTALL=<PATH>TBXXX.EXE The INSTALL= CONFIG.SYS command is NOT available in DOS 3.xx. 3. From the CONFIG.SYS as a device driver: DEVICE=<PATH>TBXXX.EXE NOTE: Executing one of the utilities TbMem, TbFile or TbDisk as a device driver does not work in all OEM versions of DOS. If it doesn't work, use the INSTALL= command or load the desired program from within the AUTOEXEC.BAT. TbMem, TbFile and TbDisk should always work correctly after being started from within the AUTOEXEC.BAT file. Also, unlike other anti-virus products, you can load the ThunderBYTE Anti-Virus utilities before starting a network without losing the protection after the network starts. In addition to the three loading possibilities, if you are using DOS version 5 or above, you can load the TbMem, TbFile or TbDisk programs in an available UMB (upper memory block) from AUTOEXEC.BAT using the following command: LOADHIGH <PATH>TBXXX.EXE You can load TbMem, TbFile or TbDisk high from within the CONFIG.SYS using the following command: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 110 DEVICEHIGH=<PATH>TBXXX.EXE If you are using Microsoft Windows, you should load the resident TBAV programs BEFORE starting Windows. When you do this, there is only one copy of the program in memory regardless of how many DOS windows you might open. Every DOS window (that is, every virtual machine ) has a fully functional copy of the program running in it. Each of the programs automatically detects if Windows is running, and switches itself into multitasking mode if necessary. You can even disable each of the programs in one window without affecting the functionality in another window. 3.7.3 Using Command Line Options You can load all the TbMem, TbFile or TbDisk utilities using several command line options. See the description of each individual utility for further information. 3.7.4 Understanding TbMem Once they execute, most viruses remain resident in memory. While resident in memory, they might have many opportunities to infect other files in the background, interfere with the system operation, hide themselves from virus scanners or checksumming programs, and/or perform other nasty tasks. On the other hand, because so many viruses remain resident in memory, most of them are easy to detect by monitoring the process of becoming memory resident. TbMem monitors the system and ensures that no program can remain resident in memory without permission. This brings to your attention any software that attempts to remain resident, thereby reducing the likelihood of a virus going unnoticed. TbMem also protects CMOS (a small area of memory that stores vital information concerning your computer). NOTE: What exactly is a memory-resident program? Most programs run by executing a command at the DOS command line, perform some task, and then terminate, placing you back where you started. Some programs, however, continue to operate after you terminate them. These TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 111 programs load themselves into memory, remain resident in memory, and perform some task in the background. Programs in this category include: disk caches, print spoolers and network software. These programs are often referred to as TSR (Terminate and Stay Resident) programs. Like a TSR program, most viruses also remain resident in memory, and it is for this reason that TbMem should be usedto control the process of becoming resident in memory. If a program attempts to become resident, TbMem offers you the option to abort the attempt. It does this by guarding the DOS TSR function calls while also monitoring important interrupts and memory structures. TbMem uses the ANTI-VIR.DAT records to determine whether it will allow a specific program to remain resident in memory. TbSetup recognizes many common TSRs. If it doesn't recognize a TSR, however, TbMem asks your permission for the TSR to load. It then maintains permission information in the ANTI-VIR.DAT files to prevent TbMem from bothering you when an approved TSR is loading. TbMem also checks the contents of the CMOS configuration memory after each program termination to ensure that programs have not changed. TbMem offers you the option of restoring the CMOS configuration when it changes. Once you teach TbMem which programs are TSRs and which are not on a PC, you can use TbSetup to set the permission flag of these files on other machines. TbMem also installs a hot key that you can use to escape from nearly all programs. TbMem is fully network compatible. It does not require you to reload the checker after logging onto a network. 3.7.5 Working with TbMem Since TbMem is a memory resident program, you can execute and configure it from the command line or from within a batch file. It is more efficient, however, to load TbMem at boot up from either CONFIG.SYS or AUTOEXEC.BAT. See the "Introducing the TbMem, TbFile and TbDisk Utilities" section earlier in this chapter for details. CAUTION: You must load TbDriver before you can load TbMem. TbMem will refuse to load without it. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 112 3.7.6 Maximizing TbMem You can maximize the performance of TbMem by using its command line options. The first four options in the table below are always available. The other options are available only if TbMem is not yet memory resident. option parameter short explanation ------------------ ----- ---------------------------------------- help ? display on-line help remove r remove TbMem from memory on e enable checking off d disable checking secure s do not execute unauthorized TSRs hotkey<=keycode> k specify keyboard scancode for the program cancel hotkey nocancel n do not install the cancel hotkey nocmos m do not protect CMOS memory The explanations in the above table serve as a quick reference, but the follow descriptions provide more information about each option. TIP: Remember that you can display these options from the command line by entering TBMEM ?. help (?). Specifying this option displays the brief help as shown above. remove (r). This option disables TbMem and attempts to remove the resident part of its code from memory and return this memory space to the system. Unfortunately, this works only if you loaded TbMem last. An attempt to remove a TSR after you load another TSR leaves a useless gap in memory and could disrupt the interrupt chain. TbMem checks whether it is safe to remove its resident code; if not, it simply disables itself. on (e). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 113 This option reactivates TbMem after you disable it using the OFF option. off (d). Specifying this option disables TbMem but leaves it in memory. secure (s). TbMem normally asks the user to continue or to cancel when a program tries to remain resident in memory. In some business environments, however, employees should not make this choice. If you use this option, it is no longer possible to execute new or unknown resident software. It is also no longer possible to use the REMOVE or OFF options. hotkey (k). TbMem offers you a reliable way to escape from any program by pressing a special key combination. You can not only use this feature to escape from programs that "hang," but also from software that seems to be malicious (although we recommend powering down and rebooting from a write-protected system disk). Instead of the default combination (Ctrl+Alt+Insert), you can specify another keyboard combination using the HOTKEY=<KEYCODE> option. You must specify the scancode using a 4-digit hexadecimal number; the first two digits specify the shift-key mask, and the last two digits specify the keyboard scancode. Consult your PC manual for a list of "scan codes." For example, the default scan code is 0C52, but you can change this to another code, such as 0C01, the code for Ctrl+Alt+Esc. nocancel (n). TbMem normally installs the program cancel hot key (Ctrl+Alt+Insert). If you do not want to use the program cancel hot key, specify this option, since this saves a few bytes of memory. nocmos (m). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 114 TbMem normally protects the CMOS memory if available. If you do not want TbMem to do this, you can specify this option. The following command loads TbMem as a device driver in the CONFIG.SYS, configures the "program cancel hot key" as Ctrl+Alt+Esc, and cancels protection of CMOS memory: DEVICE=C:\TBAV\TBMEM.EXE HOTKEY=0C01 NOCMOS To achieve the same functionality, you could execute TbMem from the DOS command line rather then specifying the TbMem command line in the CONFIG.SYS by entering the following command at the DOS command line: C:\TBAV\TBMEM.EXE HOTKEY=0C01 NOCMOS 3.7.7 Understanding TbMem's Operation If TbMem detects that a program tries to remain resident in memory, it displays a pop-up window displaying a message to that effect. You can either choose to continue, or to abort the program's loading. If you answer "NO" to the question "Remove program from memory?" the program continues undisturbed, and TbMem places a mark in the ANTI-VIR.DAT file about this program. Next time you invoke the same resident program, TbMem will not disturb you again. There are many programs that normally remain resident in memory, such as: disk caches, print spoolers, and others. How, then, does TbMem distinguish between these programs and viruses? TbMem uses the ANTI-VIR.DAT records generated by TbSetup to keep track of which files are normal TSRs and which are not. It marks most common resident software as being common so you don't have to worry about these files. If TbMem pops up with the message that a program tries to remain resident in memory, you have to consider the purpose of the program mentioned. For example, is the program supposed to continue to operate in the background? The answer is obviously yes if the program is a disk cache, print spooler, pop-up utility or system extension software. If, on the other hand, the message appears after you have exited your word processor, database, spreadsheet application, something is definitely wrong! You ought to terminate the program immediately and use a virus scanner to check the system. The same applies when software that TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 115 operates normally without staying resident in memory suddenly changes its behavior and tries to remain resident in memory. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 116 3.8 Using TbFile This section concerns another resident TBAV utility, TbFile, which checks programs for virus infections as they begin to load. 3.8.1 Understanding TbFile The two most dangerous virus categories are the boot sector and the file variants. File viruses all have a common purpose, namely, to infect programs. Infecting a program involves very unusual file manipulations that are quite dissimilar to normal file handling procedures, so in order to detect viral activity it is essential to keep an eye out for program file changes involving peculiar actions. TbFile monitors the system and detects attempts by programs to infect other programs. Unlike other file guards, TbFile monitors the system only for virus specific file modifications. TbFile doesn't generate an alarm when a program modifies itself for configuration purposes, nor does it bother you when you update a program or create one yourself. On an average system, configurations should never cause a false alarm. TbFile has a very sophisticated infection detector and will not give a false alarm when you perform standard file operations. In normal configurations you will never get a false alarm! TbFile not only detects attempts to infect programs, it also offers you the option of aborting the infection process and continuing a program's execution. TbFile also detects other suspicious activities, including setting the seconds value of time stamps to an illegal value. TIP: As many users know, you can protect files against unwanted modifications by means of the read-only attribute. Without TbFile, however, someone can easily circumvent this standard DOS protection. TbFile detects any attempts to sabotage the read-only attribute. This gives you added security by enabling you to use this uncomplicated method to fully protect your files against destruction and infection. TbFile is fully network compatible. It does not require you to reload the checker after logging onto a network. In contrast, other resident anti-virus utilities force you to choose between protection BEFORE you start the network, or protection AFTER you start network, but not both. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 117 3.8.2 Working with TbFile Since TbFile is a memory resident program, you can execute and configure it from the command line or from within a batch file. It is more efficient, however, to load TbFile at boot up from either CONFIG.SYS or AUTOEXEC.BAT. See the "Introducing the TbMem, TbFile and TbDisk Utilities" section earlier in this chapter for details. CAUTION: You must load TbDriver before you can load TbFile. TbFile will refuse to load without it. 3.8.3 Maximizing TbFile You can maximize the performance of TbFile by using its command line options. The first four options in the table below are always available. The other options are available only if TbFile is not yet memory resident. option parameter short explanation ------------------ ----- ------------------------------ help ? display on-line help remove r remove TbFile from memory on e enable checking off d disable checking secure s all permissions denied allattrib a readonly check on all files compat c allow CPM-style file I/O calls The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option. TIP: Remember that you can display these options from the command line by entering TBFILE ?. help (?). Specifying this option displays the brief help shown above. remove (r). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 118 This option disables TbFile and attempts to remove the resident part of its code from memory and return this memory space to the system. Unfortunately, this works only if you loaded TbFile last. An attempt to remove a TSR after you load another TSR leaves a useless gap in memory and could disrupt the interrupt chain. TbFile checks whether it is safe to remove its resident code; if not, it simply disables itself. on (e). This option reactivates TbFile after you disabled it using the OFF option. off (d). Specifying this options disable TbFile, but leaves it in memory. secure (s). TbFile normally asks you to continue or to cancel when a program tries to perform a suspicious operation. In some business environments, however, employees should not make this decision. If you use the SECURE option, it is no longer possible to allow suspicious operations. It is also no longer possible to use the OFF and REMOVE options. allattrib (a). TbFile normally protects only the read-only attribute of executable files (program files with the extension COM and EXE). If you want to have the read-only check on all files, add this option. In this case you always get an alarm when something attempts to remove the read-only attribute of any file. compat (c). DOS still contains some CPM (an earlier operating system) internal functions, even though DOS programs no longer use these functions. Some viruses, however, use these functions to bypass anti-virus software. TbFile closes these backdoors by default, but you can prevent this by specifying this option. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 119 The following command loads as a device driver in CONFIG.SYS and it guards the read-only attribute of all files: DEVICE=C:\TBAV\TBFILE.EXE ALLATTRIB To achieve the same functionality, you could execute TbFile from the DOS command line rather then specifying the TbFile command line in the CONFIG.SYS by entering the following command at the command line: C:\TBAV\TBFILE.EXE ALLDRIVES TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 120 3.9 Using TbDisk This section deals with TbDisk, which prevents viruses from damaging data on your hard disk. 3.9.1 Understanding TbDisk Many viruses try to damage the data on disk. They accomplish this by various actions, such as, formatting the disk, overwriting the FAT, and swapping disk sectors, among others. Almost anything is possible! Another category of malicious software, known as boot sector virus droppers, install a boot sector virus on the disk. The program itself is not a virus, so detection with virus scanners and other anti-viral software is very difficult. The only way to detect such a program is by monitoring its behavior. The main problem in all this lies in the way these programs manage to avoid the usual DOS procedures: they go directly to the BIOS (Basic Input/Output System). This is the reason you need TbDisk, to monitor the system and to ensure that no program can write directly to disk without permission. TbDisk draws attention to any software that attempts to write directly to disk, thereby reducing the likelihood of a virus remaining unnoticed. TbDisk prevents viruses from damaging data on your disk and stops boot sector virus droppers in their tracks. TbDisk not only informs you when a program tries to write directly to the disk, it also offers you the option to abort the program before it can cause any damage. TbDisk is able to detect stealth techniques, that is, attempts to single step through the BIOS software, and even monitors the use of undocumented calls that could cause disk damage. For example, TbDisk is able to distinguish whether DOS or an application makes direct write attempts via Int 13h (a system call implemented in the BIOS of your computer). Direct writes are perfectly legal for DOS, but unusual for application software. TbDisk does require a little maintenance. TbDisk uses the ANTI-VIR.DAT records to determine if it should allow a program (including popular disk utilities, which TbSetup recognizes) to write directly to the disk. In the absence of an ANTI-VIR.DAT record, TbDisk asks your permission first and, if granted it, updates the record accordingly to avoid repeated warnings about the same program. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 121 TbDisk is fully network compatible. It does not require you to reload the program after logging onto a network. Other resident anti-virus utilities force you to choose between either protection BEFORE the network is started, or protection AFTER it starts, but not both.. TIP: TbDisk also comes in handy if you ever need to write protect a hard disk. This bonus feature often helps when testing new software. 3.9.2 Working with TbDisk Since TbDisk is a memory resident program, you can execute and configure it from the command line or from within a batch file. It is more efficient, however, to load TbFile at boot up from either CONFIG.SYS or AUTOEXEC.BAT. See the "Introducing the TbMem, TbFile and TbDisk Utilities" section earlier in this chapter for details. CAUTION: You must load TbDriver before you can load TbDisk. TbDisk will refuse to load without it. In addition to all this, there are several special considerations in using TbDisk. Loading TbDisk Improper installation of TbDisk can cause excessive false alarms! If you want to install TbDisk in your CONFIG.SYS or AUTOEXEC.BAT file, we recommend that you use the INSTALL option of TbDisk first. If the system continues to behave normally and TbDisk does not give false alarms when you copy files on your hard disk, TbDisk is installed correctly and you can remove the INSTALL option from the command. WARNING: Failure to use the Install option when you install TbDisk in CONFIG.SYS or AUTOEXEC.BAT file might cause loss of data! Please read on. While the INSTALL option instructs TbDisk to allow all disk accesses, it also displays a message as it would do in normal mode. If no false alarms occur when you copy files on your hard disk, TbDisk is installed correctly and you can remove the INSTALL option. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 122 If TbDisk causes false alarms, load TbDisk further ahead in your CONFIG.SYS or AUTOEXEC.BAT file until it works as it should. CAUTION: Unlike the other TBAV utilities, we recommend that you load TbDisk after other resident software! Failure to do so can cause false alarms! TbDisk detects if Windows is running and automatically switches into multitasking mode if necessary. You can even disable TbDisk in one window without affecting the functionality in another. If you are using Windows fast 32-bit disk access, you might need to use TbDisk's WIN32 option if Windows displays an error-message. 3.9.3 Maximizing TbDisk You can maximize TbDisk's performance by using its command line options. The first four options are always available. The other options are available only if TbDisk is not yet memory resident. option parameter short explanation ------------------ ----- ----------------------------------- help ? display on-line help remove r remove TbDisk from memory on e enable checking off d disable checking wrprot p makes hard disk write protected nowrprot n allow writes to hard disk win32 w allow Windows 32-bit disk access secure s deny access without asking first notunnel t do not detect tunneling nostealth a do not detect stealth disk access install i installation test mode The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option. TIP: Remember that you can display these options from the command line by entering TBDISK ?. help (?). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 123 Specifying this option displays the brief help as shown above. After loading TbDisk into memory, not all options appear. remove (r). This option disables TbDisk and attempts to remove the resident part of its code from memory and return this memory space to the system. Unfortunately, this works only if you loaded TbDisk last. An attempt to remove a TSR after you load another TSR leaves a useless gap in memory and could disrupt the interrupt chain. TbDisk checks whether it is safe to remove its resident code; if not, it simply disables itself. on (e). This option activates TbDisk after you disabled it using the OFF option. off (d). Specifying this option disables TbDisk but leaves it in memory. wrprot (p). Hard disks are more difficult to protect against writing than floppies, which adds considerable risk when doing such things as testing new software. Sometimes you might want to find out what this software does to your hard disk and how this could possibly affect your valuable data. Using the "WRPROT" option makes this safer to do. Whenever a program wishes to write to a protected disk, you will see a message such as: Write protect error writing drive C: A)bort, R)etry, I)gnore? You can then take the appropriate action. CAUTION: Software write protection is not absolutely reliable. Some viruses can bypass this protection, but fortunately they are few and far between. Despite its shortcomings, this option can be a valuable shield against most malicious software. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 124 nowrprot (n). Use this option to undo the WRPROT option. win32 (w). Windows 386 Enhanced Mode uses some undocumented DOS calls to retrieve the original BIOS disk handler when you enable 32-bit disk access. Since TbDisk guards these calls, 32-bit disk access will no longer be possible, unless you specify the WIN32 option when you initialize TbDisk. CAUTION: Use this option only in Windows 386 Enhanced Mode with fast 32-bit disk access enabled as it reduces anti-viral security to some extent. secure (s). TbDisk normally asks whether the user wants to continue or cancel when a program tries to perform direct disk access. In some business environments, however, employees should not make this decision. This option disables direct disk access permission to new or unknown software. It also disables the OFF and REMOVE options. notunnel (t). "Tunneling" is a technique viruses apply to determine the location of the DOS system code in memory, and to use that address to communicate with DOS directly. This inactivates all TSR programs, including resident anti-virus software. TbDisk is able to detect these "tunneling" attempts, and informs you about it. Some other anti-virus products also rely on tunneling techniques to bypass resident viruses, thereby causing false alarms. If you are currently executing other anti-viral products, the NOTUNNEL option disables TbDisk's tunneling detection. nostealth (a). TbDisk tries to detect direct calls into the BIOS. If such an attempt occurs, TbDisk pops up with a message that something is TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 125 accessing the disk in an unusual way. If this feature causes false alarms, you can use this option to turn it off. install (i). Incorrect installation can result in a large number of false alarms. You should use this option when installing TbDisk because it reduces the risk of canceling a valid disk write operation as a result of false alarms. 3.9.4 Understanding TbDisk's Operation What is Direct Disk Access? Programs usually access files through the operating system (DOS). Whenever a program wants to update a file, for example, it asks DOS to write the data to disk. It is also possible, however, to write to a disk without using DOS. This is called direct disk access. While normal programs do not write to the disk directly, there are some programs that need to do so, including: Format utilities. Direct disk access is the only way to format a disk. Disk diagnosis utilities (such as the Norton Disk Doctor, and DOS's CHKDSK command and ScanDisk utility). Disk optimizers and defragmenters (such as Norton SpeedDisk and DOS's Defrag utility). Since many viruses can perform direct disk access, it is essential to control this. TbDisk can distinguish between legitimate programs and a virus with the help of the ANTI-VIR.DAT records, which you can generate using TbSetup. Whenever TbDisk pops up a message that says a program accesses to the disk directly, consider its purpose carefully. While it is perfectly acceptable for a format utility or a disk optimizer to format or edit disk sectors, this is not acceptable for a word processor or database. When TbDisk warns you that a spreadsheet or some other normal program is about to format a sector, you can be sure that something is wrong. Terminate the program pronto! Then check things out with a virus scanner before the worst happens. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 126 3.10 Using TbUtil This section describes TbUtil, which is designed primarily to make a precautionary backup of clean partition tables and boot sectors. 3.10.1 Understanding and using TbUtil TbUtil provides a defense against partition table and boot sector viruses. TbUtil can be used to: Copy the partition table, boot sector and CMOS data area into a file. You can use TbUtil on a regular basis to compare both the current and the original versions of the partition table, boot sector and CMOS data area. After an accident virus, (virus or otherwise), you can restore the copy using the TbUtil program. Remove a partition table virus without having to low-level format the hard disk, even if there is no backup of the partition table. Remove boot sector viruses and creates a partition table that has some first-line virus defenses built-in. Replace the infected or clean boot sector with a safe TBAV boot sector. NOTE: What is a partition table? A physical hard disk might consist of more than one "partition" (or division). Each partition is a logical disk drive and has it own ID, such as C:, D:, and E:. The partition table, then, contains the disk lay-out and the starting and ending cylinder of every partition. The partition table also contains information about the operating system of a partition and which partition should be used to boot. The partition table (also called the Master Boot Record, or MBR) always resides at the very first sector of the hard disk. Unlike most file viruses, partition table viruses are hard to remove. The only solution is to low-level format the hard disk and to make a new partition table, or to make use of scantily documented DOS commands. TbUtil, however, makes a backup of the partition table and boot sector and uses this backup to compare and restore both the original partition table and boot sector once they become infected. You no longer have to TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 127 format your disk to get rid of a partition table or boot sector virus. The program can also restore the CMOS configuration. Optionally, TbUtil replaces the partition table code with an immunized partition table containing facilities against viruses. The TbUtil partition code executes before the boot sector gains control, so it is able to check the boot sector in a clean environment. Once the boot sector executes, it is difficult to check it because the virus is already resident in memory and can deceive a protection scheme. Instead of booting from a clean DOS diskette just to inspect the boot sector, the TbUtil partition code performs a CRC calculation on the boot sector just before passing control to it. If TbUtil detects a change in the boot sector, the TbUtil partition code warns you about it. The TbUtil partition code also checks the RAM layout and informs you when it changes. TbUtil does all of this every time you boot from your hard disk. TbUtil can replace infected and clean diskette boot sectors with a new and specialized boot sector, which has several advantages over the standard boot sector: It has boot sector virus detection capabilities. It performs a sanity check. It offers you the possibility to redirect the boot process to the hard disk without opening the diskette drive door. 3.10.2 Working with the TbUtil Menu The TbUtil module contains several programs, which you can execute from either the TbUtil Menu or, in case of an emergency, from a TbUtil recove- ry diskette using the DOS command line. The menu, however, offers some additional menu options. Selecting the "TbUtil" option from the TBAV Main Menu displays the following menu: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 128 +------Main menu------+ | Confi+-----------TbUtil menu-----------+ | TbSet| System maintenance menu >| | TbSca| Immunize/clean bootsector A: | | TbUti| Immunize/clean bootsector B: | | TbCLe| Immunize/clean partition code | | Virus+---------------------------------+ | TBAV Monitor >| | Documentation >| | Register TBAV | | About | | Quit and save | | eXit (no save) | +---------------------+ We'll now explore these menu options. The "System Maintenance Menu" Option Selecting the "System maintenance menu" option displays the System Maintenance menu: +------Main menu------+ | Confi+-----------TbUtil menu-----------+ | TbSet| Syste+-------System maintenance-------+ | TbSca| Immun| Execute TbUtil | | TbUti| Immun| Describe this machine | | TbCLe| Immun| Save system configuration | | Virus+-------|v Compare system configuration | | TBAV Monitor | Restore system configuration | | Documentation|v process CMOS memory | | Register TBAV|v process Partition code | | About |v process Bootsector | | Quit and save+--------------------------------+ | eXit (no save) | +---------------------+ This menu contains the actual TbUtil program. The program takes care of saving, restoring or comparing the system configuration of your PC. It stores the backup system configuration on a diskette in a file with either a default name or a name you can specify yourself. WARNING: You can only restore a system configuration data file on the machine that created the data file. Restoring a configuration file from one PC to another makes the PC inaccessible! TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 129 The "System Maintenance Menu" contains the following items: Execute TbUtil. Before activating this option, you must select one of the optional functions: Save, Compare, or Restore the system configuration. Move to the desired option you want to activate and press ENTER. A check mark indicates that an option is active. Describe this machine. Enter a meaningful description of the machine. Enter something like, "486DX4 @ 100MHz, 32Mb, 2 Gb SCSI disk, room 12, Mr. Smith." You do NOT have to remember this description; TbUtil displays it on the screen when comparing or restoring, which helps you to verify that the data file belongs to the machine. Save system configuration. This option stores the partition table, boot sector and CMOS data area into the TbUtil data file. WARNING: Since the PC is completely inaccessible to DOS if the partition table becomes damaged, we RECOMMEND that you store both the TbUtil data file AND the program TBUTIL.EXE itself on a "rescue" diskette! If the partition table is damaged or destroyed, then the only solution to the problem may reside on the "rescue" diskette, since your hard drive may be inaccessible! When loading TbUtil from the command line you must specify a filename after the STORE option. In contrast, using the TBAV menu, you can use the default filename TBUTIL.DAT. If you own more than one PC, we recommend that you create one TbUtil diskette with all TbUtil data files of all your PC's on it. Use the extension of the file for PC identification, as in the following: A:TBUTIL.<NUMBER> Compare system configuration. This option enables you to check on a regular basis that everything is still okay. If you specify this option, TbUtil compares the TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 130 information in the TbUtil data file against the partition table, boot sector, and CMOS data areas. It also displays the comment stored in the data file. Using this option also guarantees that the TbUtil data file is still readable. Restore system configuration. This option enables you to restore the partition table, boot sector, and CMOS data area. It asks you to confirm that the data file belongs to the current machine. Finally, it can restore the partition table, boot sector of the partition to be used to boot, and the CMOS data area. Process CMOS memory, Process Partition code, and Process Boot sector. By default, TbUtil restores the partition code, boot sector, and CMOS if you specify the "Restore system configuration" option. If you use one of the above options in combination with the "Restore option," TbUtil restores only the items you specify. The "Immunize/Clean Boot sector A: [or] B:" Options You can use these options to clean diskettes infected by a boot sector virus or to replace the standard boot sector with a boot sector that has advantages over the original one: The TBAV boot sector has virus detection capabilities. The TBAV boot sector checks that it resides on the correct place on the diskette, and that Int 13h and/or Int 40h still exist in system ROM. This makes it possible to detect even stealth and boot sector viruses. The TBAV boot sector can load the system files if they are available on the disk, but if the DOS system files are not on the disk, the TBAV boot sector displays a small menu offering you two possibilities: retry the boot operation with another diskette, or boot from the hard disk. If you select the latter, you don't have to open the diskette drive door. The "Immunize/Clean Partition Code" Option TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 131 This is an extremely powerful option, which you can use to clean an infected partition table if there is no TbUtil data file. It saves the original partition code in a file and replaces the existing partition table code with a new partition routine that contains some virus detection capabilities. You must execute TbUtil from a floppy drive or you have to specify the name of the file (the specified drive should be a diskette drive) to store the original partition code. If the original partition table becomes irreparably damaged and can't be used to build a new one, TbUtil scans the entire disk for information about the original disk layout. TbUtil also searches for TbUtil data files on the hard disk. CAUTION: While it is a good idea to keep a copy of the data file on the hard disk, we recommend that you store the data file on a diskette. Just in case! If your system configuration changes, that is, you update your DOS version or change the amount of memory, you need to update the information stored in the immune partition as well. You can do this by using this option. In the unlikely event that the system does not boot properly, you can restore the original partition table using the TbUtil RESTORE option (refer to The "System Maintenance Menu Option" section above) or by using the DOS version 5 or above FDISK /MBR command (which creates a new partition table). TIP: If you have installed two hard drives in your computer, you can immunize the partition code of the second hard drive by specifying the physical drive number rather than the drive ID (i.e., execute the command TbUtil 2: ) If the new partition code works properly, you should make a backup copy of it on a diskette using the TbUtil STORE option (refer to The "System Maintenance Menu Option" section above). 3.10.3 Maximizing TbUtil This section describes how to fully maximize TbUtil in three ways: use command line option, use the anti-virus partition, use the TbUtil diskette. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 132 Now that you know how to use TbUtil's menus, you can more easily understand how to maximize its performance by using its command line options. option parameter short explanation ------------------ ----- ------------------------------------- immunize <drive> im Immunize/Clean boot sector or MBR of <drive> getboot <drive> gb Save boot sector/MBR into file store [<filename>] st Store system information restore [<filename>] re Restore system information compare [<filename>] co Compare system information Sub-options of immunize option: -------------------------------------------------------------- norepeat nr Do not ask for next diskette nomem nm Do not check for amount of RAM batch ba Do not prompt to insert a disk Sub-options of store option: -------------------------------------------------------------- description=<descr.> de Add description to data file Sub-options of restore option: -------------------------------------------------------------- part pt Restore partition table boot bo Restore boot sector of hard disk cmos cm Restore CMOS data memory The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option. Immunize <floppy drive> (im). You can use this option to clean diskettes infected by a boot sector virus or to replace the standard boot sector by a boot sector that has advantages over the original one: The TBAV boot sector has virus detection capabilities. The boot sector checks that it still resides on the correct place on the diskette, and that Int 13h and/or Int 40h still exist in system ROM. This makes it possible to detect even stealth and boot sector viruses. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 133 The TBAV boot sector is able to load the system files if they are available on the disk, but if the DOS system files are not on the disk, the TBAV boot sector displays a small menu offering you two possibilities: retry the boot operation with another diskette, or boot from the hard disk. If you select the latter, you don't have to open the diskette drive door. Immunize c: (im c:). This is an extremely powerful option, which you can use to clean an infected partition table if there is no TbUtil data file. It saves the original partition code in a file and replaces the existing partition table code with a new partition routine that contains some virus detection capabilities. You have to execute TbUtil from a floppy drive or you have to specify the name of the file (the specified drive should be a diskette drive) to store the original partition code. TIP: If you have installed two hard drives in your computer, you can immunize the partition code of the second hard drive by specifying the physical drive number rather than the drive ID (i.e., execute the command TbUtil 2: ) If the original partition table becomes irreparably damaged and consequently can't be used to build a new one, TbUtil scans the entire disk for information about the original disk layout. TbUtil also searches for TbUtil data files on the hard disk. CAUTION: While it is a good idea to keep a copy of the data file on the hard disk, we recommend that you store the data file on a diskette. Just in case! If your system configuration changes, that is, you update your DOS version or change the amount of memory, you need to update the information stored in the immune partition as well. You can do this by using this option. In the unlikely event that the system does not boot properly, you can restore the original partition table using the TbUtil RESTORE option (refer to The "System Maintenance Menu Option" section above) or by using the DOS version 5 or above FDISK /MBR command (which creates a new partition table). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 134 getboot <drive> (gb). With this option you can copy the boot sector of the specified drive into a file. store [<filename>] (st). This option stores the partition table, boot sector and CMOS data area into the TbUtil data file. WARNING: Since the PC is completely inaccessible to DOS if the partition table becomes damaged, we RECOMMEND that you store both the TbUtil data file AND the program TBUTIL.EXE itself on a rescue diskette! If the partition table is damaged or destroyed, then the only solution to the problem may reside on the "rescue" diskette, since your hard drive may be inaccessible! When loading TbUtil from the command line you must specify a filename after the STORE option. In contrast, using the TBAV menu, you can use the default filename TBUTIL.DAT. If you own more than one PC, we recommend that you create one TbUtil diskette with all TbUtil data files of all your PC's on it. Use the extension of the file for PC identification, as in the following: A:TBUTIL.<NUMBER> restore [<filename>] (re). This option enables you to restore the partition table, boot sector, and CMOS data area. It asks you to confirm that the data file belongs to the current machine. Finally, it restores the partition table, boot sector of the partition to be used to boot, and the CMOS data area. compare [<filename>] (co). This option enables you to check on a regular basis that everything is still okay. If you specify this option, TbUtil compares the information in the TbUtil data file against the partition table, boot sector, and CMOS data area. It also displays the comments stored in the data file. Using this option guarantees that the TbUtil data file is still readable. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 135 norepeat (nr). By default, TbUtil prompts you for the next diskette after you have immunized a diskette. This option disables this function. nomem (nm). If you specify this option when you are immunizing your partition code, the partition code skips the RAM check while booting. This is necessary for some systems that change the memory setup during the boot process. batch (ba). If you specify this option, TbUtil will assume a disk has already been inserted in your disk drive. This option is particularly useful with batch files. description =<descr.> (de). For <desc.> enter a meaningful description of the machine. Enter something like, "486DX4 @ 100MHz, 32 Mb, 2 Gb SCSI disk, room 12, Mr. Smith." You do NOT have to remember this description; TbUtil displays it on the screen when comparing or restoring, which helps you to verify that the data file belongs to the machine. part (pt) , boot (bo), and cmos (cm). By default, TbUtil restores the partition code, boot sector, and CMOS if you specify the RESTORE option. If you use one of these options in combination with the RESTORE option, however, TbUtil restores only the items you specify. In the following two examples TbUtil simply store system information gathered from the partition table and boot sectors of your fixed disk(s) and the CMOS data area into a file in the current directory called TBUTIL.DAT. TBUTIL STORE TBUTIL ST TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 136 The following example does the same as the previous, except that TbUtil stores the information on a diskette instead of in the current directory. TBUTIL STORE A:TBUTIL.DAT It's a good idea to describe the machine from which you are saving information about the partition table, boot sectors and CMOS data. You can use the DESCRIPTION option to add a small, single-line description of the machine: TBUTIL STORE A:TBUTIL.DAT DESCRIPTION = "TEST MACHINE" You can always fall back on the information TbUtil stores if you suspect an infection by a boot sector virus. Suppose the information gathered earlier by TbUtil is stored in the file A:\TBUTIL.DAT. To compare the current system information with the information stored in the TbUtil data file, you could use this command: TBUTIL COMPARE A:TBUTIL.DAT Now suppose that TbUtil informs you that the current system information (that is, the partition table and the CMOS data area) does not match the information stored earlier. If you did not change the configuration of your computer, it is most likely that a virus is guilty of the change. You could restore the old system information using this command: TBUTIL RESTORE A:TBUTIL.DAT PART CMOS In case of a boot sector virus infection, we recommend that you disinfect (clean) all diskettes. Using the following command, TbUtil cleans and immunizes the boot sector of the diskette in drive A: and then repeats the action after asking you to insert other (possibly) infected diskettes into the disk drive: TBUTIL IMMUNIZE A: In case of a virus infection you should always make certain that the Master Boot Record of your fixed disk is not infected. The following command specifies an extra option, which you must use in case your computer changes its memory setup during the boot process: TBUTIL IMMUNIZE C: NOMEM You can easily view the contents of a TBUTIL.DAT by using the DOS TYPE command: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 137 TYPE A:TBUTIL.DAT 3.10.4 Using the Anti-Virus Partition If you install the ThunderBYTE partition code (by using TbUtil's IMMUNIZE option), you will see the following when booting a clean system: Thunderbyte anti-virus partition (C)1993-95 Thunderbyte BV. Checking boot sector CRC -> OK! Checking available RAM -> OK! Checking INT 13h -> OK! In contrast, if there is a virus in the boot sector or partition table, you will see this message: Thunderbyte anti-virus partition (C)1993-95 Thunderbyte BV. Checking boot sector CRC -> OK! Checking available RAM -> Failed! System might be infected. Continue? (N/Y) Other messages that might appear are: "No system." This message means that there is no active partition on the disk. "Disk error." The meaning of this message is obvious. 3.10.5 Using the TbUtil diskette To use the TbUtil diskette, follow these steps: 1. Take a new diskette and format it as a bootable diskette (by using the DOS FORMAT /S command). 2. Copy the TbUtil files onto the diskette using this command: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 138 COPY TBUTIL.* A: The TbUtil files you need are TBUTIL.EXE and TBUTIL.LNG. 3. In case of an emergency (such as a damaged or infected partition table, for example), boot from the TbUtil diskette. 4. Run the TbUtil program, using the IMMUNIZE option: A:\TBUTIL IMMUNIZE C: This cleans the partition table. 5. You should now be able to boot from your hard disk normally. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 139 3.11 Using TbLog This section describes TbLog, which is designed primarily to create log files in response to various TBAV alert messages. 3.11.1 Understanding and using TbLog TbLog is a memory resident TBAV utility that writes a record into a log file whenever one of the resident TBAV utilities pops up with an alert message. It also records when a virus is detected. This utility is primarily for network users. If all workstations have TbLog installed and configured to maintain the same log file, the supervisor can easily keep track of what's going on. When a virus enters the network he is able to determine which machine introduced the virus, and he can take action in time. A TbLog record provides three pieces of information: The time stamp of when the event took place. The name of the machine on which the event occurred. An informative message about what happened and which files were involved. This information is very comprehensive and takes only one line. 3.11.2 Working with TbLog Since TbLog is a memory resident program, you can execute and configure it from the DOS command line or from within a batch file. You should, however, load TbLog automatically and when the computer boots, preferably during the execution of AUTOEXEC.BAT, or better yet, CONFIG.SYS. You should install TbLog on every workstation. If you want to use all workstations to maintain the same log file, we recommend that you load TbLog after starting the network. By default, TbLog maintains a log file with the name TBLOG.LOG in the TBAV directory. If you want to use another filename or another disk and/or directory, you can specify a filename (and path) on the TbLog TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 140 command line. In a network environment, we recommend that you put the log file on a server disk. CAUTION: Be sure to load TbDriver before trying to load TbLog. TbLog will refuse to load without it. There are three possible ways to load TbLog: 1.From the DOS prompt or within the AUTOEXEC.BAT file: <PATH>TBLOG 2.From CONFIG.SYS as a TSR (DOS 4 or above): INSTALL=<PATH>TBLOG.EXE The INSTALL= CONFIG.SYS command is NOT available in DOS 3.xx. 3.From CONFIG.SYS as a device driver: DEVICE=<PATH>TBLOG.EXE NOTE: Executing TbLog as a device driver does not work in all OEM versions of DOS. If you encounter problems, use the INSTALL= command or make sure to load TbLog from the AUTOEXEC.BAT. Also, unlike other anti-virus products, you can load the ThunderBYTE Anti-Virus utilities before starting a network without losing the protection after the network is started. In addition to the three loading possibilities, if you are using DOS version 5 or above, you can load TbLog into an available UMB (upper memory block) from AUTOEXEC.BAT using this command: LOADHIGH <PATH>TBLOG You can also load TbLog into high memory from within the CONFIG.SYS using this command: DEVICEHIGH=<PATH>TBLOG.EXE If you are using Microsoft Windows, you should load TbLog BEFORE starting Windows. When you do this, there is only one copy of TbLog in memory regardless of how many DOS windows you might open. Every DOS window (that TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 141 is, every virtual machine ) has a fully functional copy of TbLog running in it. TbLog automatically detects if Windows is running, and switches itself into multi-tasking mode if necessary. You can even disable TbLog in one window without affecting its functionality in another window. 3.11.3 Maximizing TbLog You can maximize TbLog's performance by using its command line options. The first five options in the following table are always available. The other options are available only if TbLog is not yet memory resident. option parameter short explanation ------------------ ----- --------------------------------- help ? Display some on-line help remove r Remove TbLog from memory on e Enable TbLog off d Disable TbLog test t Log test message machine=<descr.> m Description/name of your machine secure s Do not allow removal of TbLog The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option. help (?). Specifying this option displays the brief help as shown above. remove (r). This option disables TbLog and attempts to remove the resident part of its code from memory and return this memory space back to the system. Unfortunately, this works only if you loaded TbLog last. An attempt to remove a TSR after you load another TSR leaves a useless gap in memory and could disrupt the interrupt chain. TbLog checks whether it is safe to remove its resident code; if not, it simply disables itself. on (e). TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 142 This option reactivates TbLog after you disabled it using the OFF option. off (d). Specifying this option disables TbLog but leaves it in memory. test (t). Use this option to record a test message. If you use this option at the initial loading of TbLog, it records the time and machine name into the log file. If you use this option after the initial loading, it simply places a test message into the log file. machine (m). Using this option, you can specify the name of the machine on which TbLog is running. This machine name appears in the log file. By default, TbLog uses the network machine name on NetBios compatible machines. On other networks, such as Novell, you must enter the network name on the TbLog command line. secure (s). If you specify this option, it is not possible to use the OFF and REMOVE options. The following command loads TbLog, disables, the OFF and REMOVE options, specifies that the logfile reside in directory F:\SECURITY, and identifies the machine as DESK3: C:\TBAV\TBLOG F:\SECURITY\TBLOG.LOG SECURE MACHINE=DESK3 The following CONFIG.SYS command loads TbLog, creates the logfile in directory X:\LOGS, and specifies that the first line of the log file contain a date/time stamp and the name of the computer: DEVICE=C:\TBAV\TBLOG X:\LOGS\TBLOG.LOG MACHINE=JOHN TEST TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 143 3.12 Using TbNet TBAV for DOS can cooperate with TBAV for Networks, another ThunderBYTE product, via the program called TbNet. If you do not want to use the combination of TBAV for DOS and TBAV for Networks, you can skip this section. NOTE: For more information about TBAV for Networks, please refer its documentation. If you did not purchase TBAV for Networks yet, your local dealer can inform you about this product. 3.12.1 Understanding TbNet TbNet is a memory resident TBAV utility that implements the communication between TBAV for DOS and TBAV for Networks. TBAV for Networks has several options for controlling remote workstations. For Windows workstations, TBAV for Windows contains all logic needed to implement the communication between the workstation and TBAV for Networks. For DOS workstations you need TbNet for this communication. 3.12.2 Working with TbNet Since TbNet is a memory resident program, you can execute and configure it from the DOS command line or from within a batch file. You should, however, load TbNet automatically when the computer boots, preferably during the execution of AUTOEXEC.BAT, or better yet, CONFIG.SYS. You should install TbNet on every workstation. CAUTION: Since TbNet uses a public network directory for its communication with TBAV for Networks, you must load TbNet after starting the network. There are three possible ways to load TbNet: 1. From the DOS prompt or within the AUTOEXEC.BAT file: <PATH>TBNET 2. From CONFIG.SYS as a TSR (DOS 4 or above): TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 144 INSTALL=<PATH>TBNET.EXE The INSTALL= CONFIG.SYS command is NOT available in DOS 3.xx. 3. From CONFIG.SYS as a device driver: DEVICE=<PATH>TBNET.EXE NOTE: Executing TbNet as a device driver does not work in all OEM versions of DOS. If it doesn't work, use the INSTALL= command or load TbNet from AUTOEXEC.BAT. TbNet should always work correctly if you load it from AUTOEXEC.BAT. Also, unlike other anti-virus products, you can load the ThunderBYTE Anti-Virus utilities before starting a network without losing the protection after the network is started. In addition to the three loading possibilities, if you are using DOS version 5 or above, you can load TbNet into an available UMB (upper memory block) from AUTOEXEC.BAT using this command: LOADHIGH <PATH>TBNET You can also load TbNet into high memory from within the CONFIG.SYS using this command: DEVICEHIGH=<PATH>TBNET.EXE We recommend that you do not use TbNet if you use MS-Windows, but use TBAV for Windows instead. TBAV for Windows has built-in functionality for communication with TBAV for Networks. If you do want to use TbNet with MS-Windows for some reason, you should load TbNet BEFORE starting Windows. When you do this, there is only one copy of TbNet in memory regardless of how many DOS windows you might open. Every DOS window (that is, every "virtual machine") has a fully functional copy of TbNet running in it. TbNet automatically detects if Windows is running, and switches itself into multi-tasking mode if necessary. You can even disable TbNet in one window without affecting the functionality in another window. 3.12.3 Maximizing TbNet TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 145 You can maximize TbNet's performance by using its command line options. The help and remove options in the following table are always available. The other options are available only if TbNet is not yet memory resident. option parameter short explanation ------------------ ----- -------------------------------------- help ? Display some on-line help remove r Remove TbNet from memory netname=<netname> n Netname of the workstation commdir=<path> c Communication directory used by workstation frequency=<seconds> f Poll frequency (default is 30 seconds) buffers=<number> b Number of disk buffers (default is 2) The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option. help (?). Specifying this option displays the brief help as shown above. remove (r). This option disables TbNet and attempts to remove the resident part of its code from memory and return this memory space back to the system. Unfortunately, this works only if you loaded TbNet last. An attempt to remove a TSR after you load another TSR leaves a useless gap in memory and could disrupt the interrupt chain. TbNet checks whether it is safe to remove its resident code; if not, it simply disables itself netname (n). TBAV for Networks distinguishes workstations by their unique netnames. These netnames are assigned by TBAV for Networks; the agents software running at the workstations (i.e., TbNet or TBAV for Windows) receive this netname upon registering the workstation with TBAV for Networks. You need to specify this netname for correct behavior of TbNet. commdir (c). The communication between TBAV for Networks and the agent software running at the workstations (i.e., TbNet or TBAV for Windows) takes TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 146 place via a special "communication directory," a directory that is public to all users. You must specify the path of this directory when loading TbNet. frequency (f). TbNet checks the communication directory every once in a while, to see if messages originating from TBAV for Networks need to be processed. You can change the default period of 30 seconds by specifying the FREQUENCY option. buffers (b). TbNet internally needs some buffers to speed up the communication with TBAV for Networks. The number of these disk buffers used by TbNet can be changed by using the BUFFERS option. The following command loads TbNet, for workstation 001AE3, making use of the communication directory J:\TBAVNW.NET. C:\TBAV\TBNET NETNAME=001AE3COMMDIR=J:\TBAVNW.NET TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 147 4 Understanding Advanced User Information This chapter presents some advanced information on using memory, TbSetup, TbScan, and TbClean. It also introduces you to another TBAV utility, TbGenSig, signature file compiler. While some of this material is simply for a better understanding of the utilities and might not be of interest to you, we recommend that you at least look at the first section on memory considerations. 4.1 Understanding Memory Considerations This section presents the memory requirements for each of the TBAV utilities and how you can reduce the requirements of each utility. 4.1.1 Understanding Memory Requirements The following table lists the memory requirements for each of the TBAV utilities: TBAV Utility Memory Memory needed consumed to load after exiting TbScan * 200 Kb - TbScanX ** 10 Kb 800 bytes TbCheck 4 Kb 600 bytes TbUtil 64 Kb - TbClean *** 96 Kb - TbMem 4 Kb 600 bytes TbFile 5 Kb 1 Kb TbDisk 4 Kb 800 bytes TbDriver 5 Kb 3 Kb TbLog 5 Kb 1 Kb * If you decide to use a log file, TbScan requires an additional 16 kilobytes of memory for the log file buffer. If TbScan uses its own built-in file system, it uses additional memory to keep the FAT in memory. Note that the memory requirements are independent of the number of signatures. The current memory requirements are adequate to manage at least 2500 signatures. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 148 ** The amount of memory TbScanX requires depends on the number of signatures. If you enable all features, TbScanX uses 30 kilobytes of memory when scanning for 1400 family signatures. If you enable swapping, TbScanX normally uses only one kilobyte of memory. You can swap to EMS and XMS memory. Naturally you can load the remaining kilobyte of TbScanX into upper memory. *** In the heuristic cleaning mode TbClean requires much more memory, depending on the size of the infected file. TbClean can also use expanded memory (EMS). 4.1.2 Reducing Memory Requirements Most PC users try to maintain as much free DOS memory as possible. The memory resident TBAV utilities (TbScanX, TbCheck, TbMem, TbFile, TbDisk, TbLog and TbDriver) use only a small amount of DOS memory. To decrease the memory requirements of these utilities even further, do the following: Load the programs from within the CONFIG.SYS file. When loaded as a device driver, a TBAV utility has no Program Segment Prefix (PSP, a DOS-internal memory area), which saves 256 bytes for each TBAV utility. If you load the TBAV utilities from within the AUTOEXEC.BAT file, load them before establishing environment variables. DOS maintains a list of environment variables for every resident program, so keep this list small while installing TSRs. Once you install all TSRs, you can then define all environment variables without affecting the memory requirements of the TSRs. Make use of memory swapping. If you use the EMS or XMS option, TbScanX swaps itself to non-DOS memory, leaving only one kilobyte of code in DOS memory. It is better to swap to expanded memory (EMS option) because it is faster. Use high memory if possible. If you have DOS 5 or higher, try to load the program into an upper memory block using the LOADHIGH or DEVICEHIGH commands. We recommend that you also enable swapping to limit the use of upper memory. Use one of the processor specific versions of the relevant TBAV utility. They all consume less memory than the generic versions. Processor optimized versions are available on any ThunderBYTE support BBS. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 149 Use memory-saving program options. Consider using TbDriver's NOSTACK option, TbMem's NOCANCEL option, and TbScanX's NOBOOT, EMS and XMS options. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 150 4.2 Understanding TbSetup This section presents advanced user information about TbSetup. It explains the design of ANTI-VIR data files, editing the TBSETUP.DAT file, and how to easily install TBAV on several machines. 4.2.1 Understanding ANTI-VIR.DAT File Design Most ThunderBYTE Anti-Virus utilities expect every directory on your system with executable files to contain its own ANTI-VIR.DAT file. Some other anti-virus products maintain a somewhat similar fingerprint list of all executable files, but in one large file rather than a separate file in each directory. TBAV's approach is superior for several reasons: One file in each directory is easy to maintain. If you want to remove the complete product, you can remove the accompanying ANTI- VIR.DAT file as well. It consumes less disk space because it is not necessary to store full path information in the information file. The TBAV utilities perform faster because they do not have to search through a huge file to locate the information for one specific file. Installation is easier and more reliable in network environments. On a network, it is not unusual that the same files have different drive ID's on different workstations. If there is only one information file, the drive-IDs should be stored as well, so every workstation should maintain its own list. The supervisor can quickly lose control in this type of situation. 4.2.2 Editing the TBSETUP.DAT File Editing the TBSETUP.DAT file is useful to TBAV site installation (see the next section). Therefore, some information on the format of this file is necessary. Understanding the Format of TBSETUP.DAT The format of the TbSetup.Dat file is quite simple. You can either ignore empty lines, lines starting with a semi-colon (;), and lines starting TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 151 with a percentage symbol (%), or you can treat them as comment lines. The lines with a preceding percentage symbol also appear in TbSetup's upper window. Each entry in the TBSETUP.DAT file has four items: 1. The filename. The filename MUST appear in capital letters and without spaces. 2. The length of the file in hexadecimal notation. This field might contain a single asterisk [*] if an exact file length match is not required. 3. The file's 32-bit CRC in hexadecimal notation. You can use a single asterisk if an exact checksum match is not required. 4. The hexadecimal number representing flags you want set when the listed file is found on the system. You can use the rest of the line for a brief comment. You can use the following flags. If several flags require setting for a file, you can combine them using the bitwise OR operation: bit 0: (0001) Do not perform heuristic analysis bit 1: (0002) Ignore CRC changes (self-modifying file) bit 2: (0004) Scan for all signatures (LAN remote boot file) bit 3: (0008) Do not change read-only attribute of this file bit 4: (0010) The program stays resident in memory bit 5: (0020) The program performs direct disk access bit 6: (0040) Program is allowed to remove read-only attributes bit 15: (8000) Interrupt rehook required for TBDRIVER.EXE The following are a few example entries from a TBSETUP.DAT file: ; filename Length 32-bit CRC Flags Comment ; Files that trigger the heuristic alarm of TbScan: 4DOS.COM 19FEA * 0001 ;4Dos 4.0a AFD.COM 0FEFE 4B351A86 0001 ;AFD debugger ARGV0FIX.COM 001D8 431E70C0 0001 ;Argv[0]fix EXE2COM.EXE 00BEA 49276F89 0001 ;Exe to Com conv. util KILL.EXE 00632 74D41811 0001 ;PcTools 6.0 utility WATCH.COM 003E1 2353625D 0001 ;TSR monitoring util TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 152 ; Files that need to be scanned completely, for ALL viruses: NET$DOS.SYS * * 0004 ;Disk-image Novell boot ; Files without fixed checksum due to internal config area's: Q.EXE * * 000A ;Qedit (all versions) TBCONFIG.COM * * 000A ;all versions Defining New Entries in TBSETUP.DAT If you have any files that we should include in TBSETUP.DAT, please let us know! We would like to receive a copy to enhance our products and keep TBSETUP.DAT up to date. Candidates for inclusion are any programs that trigger the heuristic analysis of TbScan. Whenever you choose "V)alidate program" in the TbScan message window, you will discover that on subsequent occasions TbSetup displays the value "0001" in the flags field. If your company has several files like this installed on multiple machines, you might want to include these files in the TBSETUP.DAT file yourself. To do this, execute TbSetup for the file in question and make a note of its file length and 32-bit CRC, as displayed on the screen. Then edit the TBSETUP.DAT file, entering the exact filename, the file length, and the CRC number, plus the number of any flags you wish to set for that file. If you now use TbSetup on another machine (using the updated TBSETUP.DAT file), it sets the appropriate flags automatically. TIP: You can manually set or clear a flag field value when executing TbSetup at the DOS prompt using the SET or RESET option as follows: TBSETUP TEST.EXE SET=0001. 4.2.3 Simplifying Installation on Several Machines If you need to install the TBAV utilities on several machines in one company, it would be tedious, for example, to run every TSR and disk utility on each machine to "teach" TBAV which programs are valid and which are not. Fortunately, this is not necessary. We present here some examples of how to simplify installation on several machines. If a resident utility named, for example, TSRUTIL.EXE, is in use throughout the company, you can predefine permission by using TbSetup. First, use TbSetup to determine the length and CRC of the program. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 153 Second, put the name of the program, along with its other information, in the TBSETUP.DAT file, and then assign the flag 0010 to it: TSRUTIL.EXE 01286 E387AB21 0010 ;OUR TSR UTILITY If a disk utility named, for example, DISKUTIL.EXE, is in use throughout the company, you can predefine permission by using TbSetup. First, use TbSetup to determine the length and CRC of the program. Second, put the name of the program, along with its other information, in the TBSETUP.DAT file, and then assign the flag 0020 to it: DISKUTIL.EXE 01286 E387AB21 0020 ;OUR DISK UTILITY If a utility named, for example, UTIL.EXE, causes TbScan to give false positives and is in use throughout the company, you can use TbSetup to "teach" TbScan to avoid heuristic scanning of the program. First, use TbSetup to determine the length and CRC of the program. Second, put the name of the program, along with its other information, in the TBSETUP.DAT file, and then assign the value 0001 to it: UTIL.EXE 01286 E387AB21 0001 ;OUR UTILITY If you now run TbSetup on every machine (you have to do this anyway), it recognizes the utilities you added in the TBSETUP.DAT file. Additionally, all the TBAV utilities automatically adapt their behavior for those files. TIP: Consult the TBSETUP.DAT file itself. It contains useful comments on this subject. 4.3 Understanding TbScan This section offers advanced information about TbScan, including: heuristic scanning, integrity checking, program validation, algorithms, and the TBSCAN.LNG file. 4.3.1 Understanding Heuristic Scanning What makes TbScan so unique is that it is not just a signature scanner, but it is also a disassembler. It disassembles files for the following purposes: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 154 By disassembling a file, the scanner restricts itself to the area of the file where the virus might reside, reducing false alarms and speeding up the process. Disassembling a file makes it possible to use the algorithmic detection method on encrypted viruses whose signatures would otherwise remain invisible to the scanner. Disassembling the file makes it possible to detect suspicious instruction sequences. This detection of suspicious instruction sequences is "heuristic scanning." This extremely powerful feature enables you to detect new or modified viruses and to verify the results of the signature scan. You no longer have to rely on the scanner's publisher having the same virus as you might have. In normal cases a scanner can find a virus only if the scanner's publisher had a sample of that virus and includes that virus's signature in a signature file. In contrast, heuristic scanning does not require signatures, enabling the scanner to detect yet unknown viruses by looking for the characteristics of a virus instead of a signature. Never underestimate the importance of heuristic scanning, since every month at least 50 new viruses are reported, and it is extremely unlikely that a publisher is the first one to get a new virus. TbScan distinguishes two heuristic levels. The following table describes the properties of these levels: Heuristic Level 1 Heuristic Level 2 ----------------------- --------------------------------------- always enabled only enabled with command-line option "heuristic", or TBAV menu option "High heuristic sensitivity," or after a virus has been found detects 50 % of (yet) detects 90 % of (yet) unknown viruses unknown viruses almost never causes might cause few false alarms false alarms displays "Probably displays "Might be infected" infected" The following lines show the effect of scanning four files, each having its own characteristics. Please note the heuristic flags that appear next to the word "scanning." TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 155 FILE1.EXE scanning...OK (no flags) FILE2.EXE scanning...ROK (nothing serious) FILE3.EXE scanning...FRM might be infected by unknown virus FILE4.EXE scanning...FRALM# probably infected by unknown virus It is obvious from these four examples that heuristic scanning (resulting in the heuristic flags) is very powerful for finding yet unknown viruses. 4.3.2 Understanding How Heuristic Scanning Works Every program contains instructions for the computer's microprocessor. By looking into the file's contents and interpreting the instructions, TbScan is able to detect the purpose of these instructions. If the purpose appears to be formatting a disk, or infecting a file, TbScan issues a warning. There are many instruction sequences that are very common for viruses but are very uncommon for normal programs. TbScan, therefore, assigns every suspicious instruction sequence to a character called a heuristic flag. Every heuristic flag denotes a score. If the total score (that is, the sum of scores for each flag that triggered) exceeds a predefined limit, TbScan assumes the file contains a virus. There are actually two predefined limits. The first limit is quite sensitive and can be reached by some normal innocent programs. If the suspicious program reaches this limit, TbScan highlights the heuristic flags that appear on the screen and increases the suspicious item's counter. TbScan does not indicate the existence of a virus unless you specify the heuristic or high heuristic sensitivity option. If you do specify this option, TbScan informs you that the file Might be infected by an unknown virus. In contrast to the first option, many viruses trigger the second heuristic limit, while normal programs do not. If a suspicious program reaches this limit, TbScan informs you that the file is Probably infected by an unknown virus. NOTE: TbScan performs heuristic analysis only near the entry-point of a file. Therefore, TbScan does not detect direct writes to disk by some disk utilities nor does it detect some programs as TSR programs. This is simply the result of a specific approach that minimizes false alarms. In case of a virus, the offending instructions are always near the entry-point (except when the virus is over 10Kb in size), so TbScan detects suspicious phenomena in these situations anyway. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 156 4.3.3 Understanding Integrity Checking TbScan performs integrity checking while scanning. For this purpose, you must use TbSetup to generate the ANTI-VIR.DAT files. Once these files exist on your system, TbScan verifies that every file being scanned matches the information maintained in the ANTI-VIR.DAT files. If a virus infects a file, the maintained information no longer matches the now changed file, and TbScan informs you of this. NOTE: There are no command line options to enable this feature. TbScan performs integrity checking automatically if it detects the ANTI- VIR.DAT files. Note that TbScan reports only those file changes that could indicate a virus. While internal configuration areas of program files might also change, TbScan normally does not report these. If a file becomes infected with a known or unknown virus, however, the vital information does change and TbScan does indeed report it to you! In contrast, there might be files that change themselves frequently or change frequently due to another cause. In such a case you might want to exclude the program from integrity checking to avoid future false alarms. If TbScan detects such a change, it informs you of it. Additionally, TbScan offers the possibility to Validate the program, which is the subject of the next section. Understanding Program Validation This section applies only if you use TbSetup to generate the ANTI-VIR.DAT records. Without these records, program validation is not an option. TbScan performs as intended on most programs. There are some programs, however, that require special attention in order to avoid false alarms. TbSetup recognizes most of these programs automatically. Nevertheless it is certainly possible your PC contains some program files that trigger the heuristic alarm of TbScan and/or programs files that change frequently. If TbScan finds an infection using heuristic analysis or integrity checking, and if there is an ANTI-VIR.DAT record available, it offers an additional option in its virus-alert window, namely, V)alidate program. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 157 If you are sure that the indicated program does not contain a virus, you can press V to set a flag in the program s ANTI-VIR.DAT record. This avoids future false alarms. There are two validation modes. If TbScan alarms you to a file change, the validation applies to future file changes only. If the alarm is due to heuristic analysis, the validation applies only to heuristic results. If you exclude the file from heuristic analysis, TbScan still performs an integrity check. Conversely, if you exclude the file from integrity checking, TbScan still performs heuristic analysis. CAUTION: If you replaced a file (for example, because of a software upgrade) and you did not apply TbSetup to the changed files, TbScan pops up its virus alert window to inform you of the file change. Do not select the validation option in this case, because this would exclude the file from future integrity checking. You should abort TbScan and execute TbSetup on the changed file(s) instead. 4.3.4 Understanding the Scan Algorithms When TbScan processes a file it displays one of the following messages: Looking. "Looking" indicates that TbScan has successfully located the entry point of the program in one step; that is, it has identified the program code so it knows where to search without the need of additional analysis. TbScan uses "Looking" on most known software. Checking. "Checking" indicates TbScan has successfully located the entry point of the program, and is scanning a frame of about two kilobytes around the entry point. If the file is infected, the virus signature appears in this area. "Checking" is a very fast and reliable scan algorithm, so TbScan applies it to most unknown software. Tracing. "Tracing" means that TbScan has successfully traced a chain of jumps or calls while locating the entry point of the program and is scanning a frame of about two kilobytes around this location. If the TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 158 file has been infected, the signature of the virus appears in this area. "Tracing" is a fast and reliable scan algorithm. TbScan uses it primarily for memory resident COM programs. Most viruses force TbScan to use "Tracing." Scanning. "Scanning" indicates that TbScan is scanning the entire file (except for the EXE-header that cannot contain any viral code). It uses this only if it can't safely use "Looking," "Checking," or "Tracing." Such is the case when the entry point of the program contains other jumps and calls to code located outside the scanning frame, or when the heuristic analyzer finds something that you should investigate more thoroughly. Because Scanning is a slow algorithm, it processes almost the entire file, including data areas, and it is more likely to trigger false alarms. TbScan uses this algorithm when scanning boot sectors, SYS files, and BIN files. Skipping. "Skipping" occurs only with SYS and OVL files. It simply means that the file will not be scanned. As there are many SYS files (such as CONFIG.SYS) that contain no code at all, it makes absolutely no sense to scan these files for viruses. The same applies to .OV? files. Many overlay files do not deserve the name overlay because they lack an EXE-header. Such files cannot execute through DOS, which in-turn makes them just as invulnerable to direct virus attacks as .TXT files. If TbScan reports that a virus has infected an .OV? file, that file is one of the relatively few overlay files that does contain an EXE-header. In such a case, the infection was the result of the virus monitoring the DOS exec-call (function 4Bh) and thereby infecting any program that executes that way, including real overlay files. Decrypting. TbScan detected that the file is encrypted, and decrypts it to be able to "look inside." TbScan performs signature scanning and heuristic analysis on the decrypted code since that is very reliable and also reveals polymorphic viruses. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 159 4.3.5 Understanding the TBSCAN.LNG File The TBSCAN.LNG file contains all the text that TbScan displays. You can translate or customize the messages with any ASCII editor. A dollar sign [$] separates the messages. The first message displays our address and registration information. You can edit this message as you please, adding, for example, your company name and logo. CAUTION: Take care in customizing messages so that you don't change the essence of the message. You can also add color codes to the TBSCAN.LNG file. You must precede a color code with the "pipe" [|] character. Each color code consists of a foreground (or highlight) color and a background color. The following table lists the available color codes (all numbers are in hexadecimal notation): Color Foreground Highlight Background --------- -------------- -------------- ---------- Black 00 08 00 Blue 01 09 10 Green 02 0A 20 Cyan 03 0B 30 Read 04 0C 40 Magenta 05 0D 50 Brown 06 0E (yellow) 60 Gray 07 0F (white) 70 To make characters blink, add 80 to the background color codes. Here are few examples of defining colors: To make a highlighted green character on a red background, use the color code 0A+40=4A. To make the character blink, add 80h to the result (4A+80=CA). To display white characters on a blue background, use the color code 0F in combination with color code 10: 0F+10=1F. If you prefer a cyan background with a gray foreground, you should add 30 to 07 (30+07=37). If you want the characters to blink, the color code becomes 37+80=B7. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 160 4.3.6 Understanding the TBAV.MSG File The TBAV menu displays the contents of a file named TBAV.MSG, if it exists in the ThunderBYTE directory. You can use this feature to display your company logo on the TBAV screen. As in the TbScan language file, you can embed color codes in this file. Consult the previous section for more information about color codes. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 161 4.4 Understanding TbClean This section takes a look at how TbClean works by explaining how a virus goes about infecting a file and the difference between conventional cleaners and generic cleaners. 4.4.1 Understanding how a Virus infects a file To understand how a cleaning program works, try to imagine how a virus usually goes about infecting a program. The basic principle is really quite simple. A virus, which is simply another computer program, adds itself to the end of the program it infects. The additional viral code obviously increases the size of the program. Simply appending a viral program to another program, however, is not enough to do any real harm. To do damage, the viral code must first be executed. To accomplish this, the virus grabs the first few bytes at the start of the program and replaces them with a jump instruction to its own viral code. That way the virus is able to take control when the program starts. Chances are you will never even notice the momentary delay while the extra code executes and does whatever the virus has been programmed to do. The virus then restores the original instructions and restarts the program (jumps to the original start of the program). Your program, more often than not, works as usual, and of course, any virus worth its salt makes sure it doesn't draw undue attention to itself, at least not too soon. So, in order to purge a program, we must first restore the starting instruction bytes, which the virus replaced with the jump to its own code. The virus is going to need these bytes again later on, so it stores them somewhere in the viral code. The cleaner starts out to find those bytes, puts them back in their proper place, and trims the file to the original size. Cleaner programs basically come in two types: the conventional type, for specific types of viruses, and the far more advanced generic cleaner, which offers a much wider scope. Let's take a closer look at both cleaner types and find out where they differ. 4.4.2 Understanding Conventional Cleaners A conventional cleaner has to know which virus to remove. Suppose one of your programs is infected with a Jerusalem/PLO virus. This means that the TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 162 infected program has grown in size in comparison with the original program, and that the first few bytes have been replaced by a "jump" instruction to the viral code. The following drawing ilustrates this process: original program infected program +--------------+ +--------------+ | | | | | p | 100: |jump | | r | |to 2487 | | o | | o | | g | | g | | r | | r | | a | | a | | m | | m | | | | | | c | | c | | o | | o | | d | | d | | e | | e | | | | | +--------------+ +--------------+ 2487: | | | VIRUS! p | | r | |jmp 100 | +--------------+ When you start a conventional cleaner, a procedure much like the following takes place: "Hey, the signature file tells me this file is infected with the Jerusalem/PLO virus. Okay, let's see, this virus tacks on 1873 bytes at the end and overwrites the first three bytes of the original program with a jump to itself. The original bytes are located at offset 483 in the viral code. So, I have to take those bytes, copy them to the beginning of the file, and then remove 1873 bytes of the file. That's it!" But there are several pitfalls to worry about in a scenario like this. For one thing, the cleaner obviously must have some means to recognize the virus it should remove. A conventional cleaner cannot cope with a virus unless it knows exactly what to look for. To make matters worse, it's even more important to establish whether or not the virus is exactly the same one that the cleaner knows about. Imagine what would happen if the virus in our example had been modified TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 163 and is now 1869 bytes in size instead of 1873. The cleaner would remove too much! This is not an exceptional case at all. On the contrary, there is a virtual epidemic of countless so-called mutant strains. The Jerusalem/PLO family, to name but one example, now has more than 100 mutant members! 4.4.3 Understanding Generic Cleaners A generic cleaner works on the principle that any kind of virus, whether or not it has made the signature "charts," is just plain bad news. That's why TbClean works with a completely different disinfection scheme that is effective with almost all viruses; it doesn't even need to recognize them. Actually, TbClean represents two cleaners in one: a "repair" cleaner and a "heuristic" cleaner. Repair cleaning Repair cleaning needs an ANTI-VIR.DAT file generated by TbSetup before the infection occurred. The ANTI-VIR.DAT file stores vital information about programs, including their original size, the first few instruction codes, and a cryptographic checksum. This information is usually all it takes to disinfect a file, no matter what virus, known or unknown, caused the infection. The cleaner simply restores the bytes at the beginning of the program, trims the file to its original size, and verifies the result using the original checksum. It's just that simple (and effective). Heuristic cleaning TbClean is the first cleaner in the world that has a heuristic cleaning mode. Like the repair cleaner, this mode does not need any information about viruses either, but it also has the added advantage that it doesn't even care about the original, uninfected state of a program. This cleaning mode is very effective if your system becomes infected with an unknown virus and you neglected to let TbSetup generate the ANTI-VIR.DAT files before infection. In heuristic mode, TbClean loads the infected file and starts emulating the program code. It uses a combination of disassembly, emulation and, sometimes, execution to trace the flow of the viral code, pretending to do more or less exactly what the virus would normally be doing. When the virus gets to the original program's instructions and jumps back to the original program code, TbClean stops the emulation process, with a TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 164 tongue-in-check thank you to the virus for its cooperation in restoring the original bytes. The actual cleaning process involves almost the same three steps as with repair cleaning. First, TbClean repairs the program startup code and copies it back to the file. Second, it removes the now ineffective code for the sake of security. Third, it does a final analysis of the purged program file. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 165 4.5 Using TbGenSig This final section of Chapter 4 introduces you to TbGenSig, an advanced user utility that enables you to define your own virus signatures. 4.5.1 Understanding and using TbGenSig TbGenSig is a signature file compiler. Since we distribute TBAV with an up to date, ready-to-use signature file, you do not really need the signature file compiler. If, however, you want to define your own virus signatures, you will need this utility. You can use either published signatures or define your own, if you are familiar with the structure of software. One way or another, you need to do this only in case of an emergency, such as in the unfortunate event that a yet unknown, and thus unrecognized, virus attacks your machine, or even your company. We recommend that you send a few samples of the virus to some of our researchers, to insure that they can be examined and the results included in one of the subsequent updates to our software. NOTE: Since it's not possible to explain the whole subject of virus hunting in one manual, this section assumes you have enough experience and knowledge to create your own virus signatures. TbGenSig searches for the USERSIG.DAT file in the current directory. This file should contain the signatures you want to add to the TBAV signature file TBSCAN.SIG. TbGenSig checks the contents of the USERSIG.DAT file and applies it to the TBSCAN.SIG file. If you want to delete or modify your signatures, just edit or delete the USERSIG.DAT file and run TbGenSig again. TbGenSig lists all signatures in the TBSCAN.SIG file on screen as it runs. 4.5.2 Working with TbGenSig This section describes how to use TbGenSig. It outlines how to format the text in the USERSIG.DAT file, add published signatures, define your own signatures, and other procedures. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 166 Formatting Text in USERSIG.DAT You can create and edit the USERSIG.DAT file using any DOS text editor (such as DOS 5+ EDIT program) that uses un-formatted (ASCII) text. All lines starting with a semicolon (;) are comment lines. TbGenSig ignores these lines. Lines starting with a percentage character (%) appear in the upper TbGenSig window. The first line should contain the name of a virus, the second line contains one or more keywords, and the third line contains the signature itself. We call this combination of three lines a signature record. A signature record should look like this: TEST VIRUS EXE COM INF ABCD21436587ABCD You can use spaces in the signature for your own convenience; TbGenSig will just ignore them. Adding a Published Signature As outlined above, adding an already published signature is simply a matter of editing or creating the USERSIG.DAT file to convert the signature to an acceptable format for TbGenSig. Format the three lines to include the virus name, keywords, and the signature, as in the following: NEW VIRUS EXE COM BOOT INF 1234ABCD5678EFAB After editing the file, execute TbGenSig. 4.5.3 Defining a Signature with TbScan This section is for advanced users who have registered their copy of ThunderBYTE Anti-Virus. Although the TBSCAN.SIG file updates frequently, new viruses appear every day, outpacing the regular upgrading service of the TbScan signature file. It is possible for your system to become infected by a recently created virus not yet listed in the signature file. TbScan will not TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 167 always detect the virus in such cases, not even with its heuristic analysis. If you are sure that your system has become infected without TbScan confirming this, this section will supply you with a valuable tool to detect unknown viruses. This section offers step-by-step assistance in creating an emergency signature that you can (temporarily) add to your copy of TbScan.Sig 1. Collect some infected files and copy them into a temporary directory. 2. Boot from a clean write-protected diskette. WARNING: Do NOT execute ANY program from the infected system, even though you expect this program to be clean. 3. Execute TbScan from your write-protected TbScan diskette using the EXTRACT option. Make sure that the temporary directory where you stored the infected files is TbScan's target directory. Using the EXTRACT option, TbScan will NOT scan the files but, instead, displays the first instructions that it finds at the entry-point of the infected programs. NOTE: We recommend that you also set TbScan's LOG option to generate a log file. 4. Compare the "signatures" extracted by TbScan. You should see something like this: NOVIRUS1.COM 2E67BCDEAB1290909 09090 ABCD123490CD NOVIRUS2.COM N/A VIRUS1.COM 1234ABCD5678EFAB9 09090 ABCD123478FF VIRUS2.COM 1234ABCD5678EFAB9 01234 ABCD123478FF VIRUS3.COM 1234ABCD5678EFAB9 A5678 ABCD123478FF If the "signatures" of the files are completely different, the files are either probably not infected, or they have become infected by a polymorphic virus that requires an algorithmic detection module to detect it. 5. If there are some differences in the "signatures," you can use the question mark wildcard (?). A signature to detect the virus in the example above could be: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 168 1234ABCD5678EFAB ?3 ABCD123478FF The "?3" means that there are three bytes at that position that should be skipped. Note that two digits in the signature represent a byte in your program. 6. Add the signature to USERSIG.DAT. Give the virus a name in the first line of its entry, specify the COM, EXE, INF, and ATE in the second line, and enter the signature in the third, as in the following: NEW VIRUS EXE COM ATE INF 1234ABCD5678EFAB?3ABCD123478FF 7. Run TbGenSig. Make sure the resulting TbScan.Sig file is in the TBSCAN directory. 8. Run TbScan again in the directory containing the infected files. TbScan should now detect the virus. 9. Send a couple of infected files to a recommended virus expert, preferably to the ThunderBYTE Corporation. Congratulations! You have defined a signature all by yourself! Now you can scan all your machines in search of the new virus. CAUTION: Keep in mind that this method of extracting a signature is a "quick-and-dirty" solution to viral problems. The extracted signature might not detect the presence of the virus in all cases. You can make a signature guaranteed to detect all instances of the virus only after complete disassembly of the new virus. For these reasons you should NEVER distribute your home-made "signature" to others. In most cases, the signature eventually assembled by experienced anti-virus researchers may be different from your homemade version. 4.5.4 Understanding Keywords You can use keywords for several purposes. You can separate them by spaces, commas, or tabs and use a maximum line length of 80 characters. You also should specify at least one of the following flags: BOOT, COM, EXE, HIGH, LOW, SYS, or WIN. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 169 These seven flags fall into three categories: "Item Keywords," "Message Keywords," and "Position Keywords." Using Item Keywords Item keywords tell the scanner where to search for viruses with those keywords. For example, the BOOT keyword tells the scanner that the accompanying virus signature can reside only in a boot sector or partition table. The Item keywords include the following: BOOT. Specifies that the signature can be found in boot sectors and/or partition tables. COM. Specifies that the signature can be found in COM programs. This flag instructs the scanner to search for this signature in executable files that do not have an EXE header or device header. NOTE: Always keep in mind that the file content determines the file type, not the filename extension! EXE. Specifies that the signature can be found in EXE programs. This flag instructs the scanner to search for this signature in the load module of EXE type files. EXE files are files that have an EXE header. (See the Note under the COM keyword.) HIGH. Specifies that the signature can be found in HIGH memory (above program).This flag instructs the scanner to search for this signature in memory above the memory allocated by the scanner. This keyword is for resident viruses that allocate memory at "system boot" or viruses that decrease the size of the last MCB (Memory Control Block). Please note that the flag HIGH does not mean that the signature should be searched in UPPER memory. LOW. Specifies that the signature can be found in LOW memory. This flag instructs the scanner to search for this signature in memory below the PSP (Program Segment Prefix) of the scanner and in the UMBs (Upper Memory Blocks). This keyword is for viruses that remain resident in memory, using the normal DOS TSR (Terminate and Stay Resident) function calls. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 170 SYS. Specifies that the signature can be found in SYS programs, such as device drivers. WIN. Specifies that the signature can be found in Windows programs. Message keywords Message keywords describe the type and behavior of the virus. For each keyword, this results in the scanner displaying a different message when it finds such a virus. These keywords include the following: DAM. Message prefix: damaged by. DROP. Message prefix: dropper of. FND. Message prefix: found the. INF. Message prefix: infected by. Message suffix: virus. JOKE. Message prefix: joke named. OVW. Message prefix: garbage: (not a virus). PROB. Message pre-prefix: probably. TROJ. Message prefix: trojanized by. Position keywords Position keywords indicate special file areas where the virus can be found. If you use a position keyword, the virus must reside at the specific position. TbGenSig can handle three position keywords: UATE. Specifies that the signature starts directly at the unresolved entry-point of the viral code. With some polymorphic viruses, it might be possible to create a signature from the degarbling routine, although it might be either too short or give false positives with a global search. An initial branch instruction can be part of the signature. The unresolved entry-point is defined for COM-, EXE-, and Windows-type files: COM type files: top of file (IP 0100h). EXE type files: CS:IP as defined in the EXE-header. WIN type files: Non-DOS CS:IP of the new EXE-header. NOTE: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 171 The UATE keyword is not allowed for BOOT, SYS, LOW, HMA, or HIGH type signatures. ATE. Specifies that the signature starts directly at the entry-point of the viral code. With some polymorphic viruses, it might be possible to create a signature from the degarbling routine, although it might either be too short or give false positives with a global search. Therefore, use the ATE keyword to ensure that the scanners do not scan the entire file for the signature, but only look at the entry-point for the signature. The first instruction that is not equal to either a "JUMP SHORT," a "JUMP," or a "CALL NEAR" instruction defines the entry point of a virus. Let's examine the following code fragment: Unresolved entry point: 1 JUMP SHORT 3 2 ... 3 JUMP 5 4 ... 5 CALL NEAR 7 6 ... 7 CALL NEAR 9 8 ... Resolved entry point: 9 POP <reg> The entry-point of the above fragment is Line 9, as this is the first instruction to execute that is not a "JUMP SHORT," a "JUMP," or a "CALL NEAR." NOTE: You can determine the entry-point by a code analyzer to cope with tricks such as coding an NOP or DEC just before the branch instruction. Therefore test the results of the scanner carefully. In case of trouble, use the TbScan EXTRACT option to find out what TbScan considers to be the entry point of the program. Also, the ATE flag is not allowed for BOOT, SYS, LOW, HMA or HIGH type signatures. XHD. Specifies that the signature can be found at offset 2 of the EXE header, but is rarely used. You should use it only to detect the also very rare high-level language viruses, viruses written in a programming language such as C or Basic. These viruses normally contain standard setup TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 172 routines and library routines that are not suitable to defining a signature. Use this keyword as a last resort to detect such viruses. NOTE: You can use this flag only for EXE or WIN type signatures. Using Wildcards You can use wildcards characters in a virus signature to recognize so called polymorphic (self-modifying or self-mutating) virus code. TbGenSig distinguishes two wildcard categories: position wildcards and opcode wildcards (note that all numbers are in hexadecimal): Using Position Wildcards Position wildcard affect the position where the parts of the signature match. Skip fixed amount of bytes ?n Skip n bytes and continue.(0h <= n <= Fh) ?@nn Skip nn bytes and continue.(00h <= nn <= 7Fh) Skip variable amount of bytes *n Skip up to n bytes and continue. (0h <= n <= Fh) *@nn Skip up to nn bytes and continue. (00h <= nn <= 1Fh) Using Opcode wildcards The opcode wildcards detect instruction ranges. Low opcode nL One of the interactions in the range of n0h to n7h. High opcode nH One of the interactions in the range of n8h up to nFh. Since the opcode wildcards are rather difficult to understand, let's explore an example. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 173 Suppose a polymorphic virus puts a value in a word register (using a MOV WREG,VALUE instruction), increments a register (using an INC WREG instruction), and pops a word register from the stack (using a POP instruction). Both the registers and the value are variable. This means that the signature you are writing to detect this virus should be able to detect all code sequences for every value of the registers and the value, but this is far too much work. Now, consider that B8-BF are the opcodes for MOV WREG,VALUE, that 40-47 are the opcodes for INC WREG, and that 58-5F are the opcodes for POP REG. By using the opcode wildcards, you can detect a sequence of these three instructions using the following signature fragment: bH4L5H 4.5.5 Understanding a Sample Signature: Haifa.Mozkin To show the power of using the appropriate keywords and wildcards, here is the signature of the Haifa.Mozkin virus. This virus is highly polymorphic and encrypted. It contains a small variable decryptor to decrypt the virus. There are two problems here: most bytes are encrypted or variable, thus not suitable to be part of a signature, and the remainder is short and would cause dozens of false alarms. Using the appropriate keywords and wildcards, however, it s possible to define a reliable signature. TbScan actually uses the signature below to detect the Haifa.Mozkin virus. Haifa.Mozkin com exe ate inf bh?2bh?109?2*22e80?24l4h75fl Now let's analyze this signature. The first line describes the name of the virus. The second line tells the scanner to search for this signature in COM and EXE type files. It also tells the scanner that it should report the file as infected if the signature matches. The keyword ATE instructs the scanner to match this signature only at the resolved entry-point of the file. The virus starts, of course, by decrypting itself, so it is certain that the scanner will scan this location. The ATE instruction limits the scope of this signature to just one position in a file, so this significantly reduces the chances of false alarms. The third line is the signature definition. Let's reverse engineer it: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 174 bh?2 Means a byte in the B8-BF range is followed by two variable bytes. B8-BF is a MOV WREG,VALUE instruction. From the register we only know it is a word register; the value is unknown as well. bh?109 Means another MOV WREG,VALUE instruction. The register is a word register, and from the value we know that it is in the range 0900 to 09FF. ?2*2 Means skip two to four bytes. The virus inserts this instruction to make it harder to define a signature. 2e80?2 Means that the virus performs an arithmetic byte sized operation with an immediate value (decrypts one byte) with a CS: segment override. The exact operation, the memory location, and the value are unknown. 4l Means a byte in the 40-47 range. This is an INC WREG instruction. The virus increments the counter to the next byte to be decrypted. 4h Means a byte in the 48-4F range. This is a DEC WREG instruction. The virus decrements the iteration count. 75fl Opcode 75 is a JNZ instruction. If the decremented register did not reach zero, the virus jumps back and repeats the operation. How much does it jump? That tells the fl part: somewhere between -16 (F0h) to -8 (F7h) bytes. NOTE: Although the signature language of TbGenSig is extremely powerful, there are viruses that are simply so highly polymorphic that they require even more sophisticated wildcards, keywords, or even special detection algorithms. The explanation of these wildcards, keywords, and algorithmic detection definitions, however, is beyond the scope of this user manual. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 175 Appendices Appendix A: TBAV messages The TBAV utilities might display various messages when run. Most messages are self-explanatory, but here is some additional information about specific messages. A.1 TbClean ANTI-VIR.DAT record found: information matches the currentstate of the file. The ANTI-VIR.DAT record has been found, but the information matches the current state of the file. The ANTI-VIR.DAT file was created after the infection. Trying emulation... The ANTI-VIR.DAT record was created after the file became infected, or the file is not changed at all. TbClean is going to emulate the file to clean it heuristically. ANTI-VIR.DAT record found: reconstructing original state... The ANTI-VIR.DAT record that belongs to the infected file has been found. The information will be used to reconstruct the file. ANTI-VIR.DAT record not found: original state unknown. Trying emulation... The ANTI-VIR.DAT file did not exist or did not contain information about the infected program, so the original state of the infected program is unknown to TbClean. TbClean switches to its heuristic mode to determine the state of the original file. NOTE: To prevent this situation, use the TbSetup program to generate the ANTI-VIR.DAT records. These records are of great help to TbClean. After infection, it's too late to generate the ANTI-VIR.DAT records. Emulation terminated: <Reason> The emulation process terminated for the reason specified. TbClean now consults the collected information to see if it can disinfect the file. The reason for termination can be one of the following: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 176 Jump to BIOS code. The virus tried to perform a call or jump directly into BIOS code. TBAV cannot emulate this process, so aborts. The infected program probably cannot be disinfected. Approached stack crash. The emulated program is approaching a crash. Something went wrong while emulating the program so it aborts. The infected program probably cannot be disinfected. Attempt to violate license agreements. TbClean will not disassemble this program for obvious reasons. Encountered keyboard input request. The emulated program tries to read the keyboard. This is very unusual for viruses, so the file is probably not infected at all. Encountered an invalid instruction. The emulator encountered an unknown instruction. For some reason the emulation failed. The infected program probably cannot be disinfected. DOS program-terminate request. The emulated program requests DOS to stop execution. The program is either not infected at all, or infected by an overwriting virus that does not pass control to its host program. The infected program cannot be disinfected. Jumped to original program entry point. The program jumped back to the start position. It is very likely infected, but can probably be disinfected. Undocumented DOS call with pointers to relocated code. This is very common for viruses that add themselves in front of the COM type program. The program can probably be disinfected. Encountered an endless loop. TbClean encountered a situation in which the program is executing the same instruction sequences repeatedly for hundreds of thousands of times. It is unlikely that the program will ever escape from this loop, so the emulation aborts. Ctrl-break pressed. The user pressed <Ctrl>-<Break> so the clean attempt aborts. Emulation aborted for unknown reason. If this message appears, please send a copy of the file being emulated to the ThunderBYTE organization or one of the support BBS . TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 177 Sorry, the collected information is not sufficient to clean file... The heuristic cleaning mode of TbClean aborts with success. The only option left is to restore the file from a backup or to re-install the program. Collected enough information to attempt a reliable clean operation... The emulation of the virus provided TbClean with all information needed to disinfect the file. Some DOS error occurred. TbClean aborted! Some DOS error occurred while trying to clean the file. Check that no files are read-only or located on a write protected disk, and make sure there is a reasonable amount of free disk space. The clean attempt seems to be successful. Test the file carefully! TbClean thoroughly and reliably removed the virus from the file. However, take care and test the file carefully to see if it works as correctly. Reconstruction failed. Program might be overwritten. Trying emulation... TbClean tried to reconstruct the original file with the help of the ANTI-VIR.DAT record, but the attempt failed. TbClean is going to emulate the file to try to clean it heuristically. Reconstruction successfully completed. TbClean has reconstructed the file to its original state with the help of the information in the ANTI-VIR.DAT record. The CRC (checksum) of the original file and the cleaned file are completely equal, so it is almost certain that the cleaned file is equal to the original file. Starting clean attempt. Analyzing infected file... TbClean is analyzing the infected file and trying to locate the ANTI-VIR.DAT record. A.2 TbDriver Another version of TbDriver is already resident! You started a TBDRIVER.EXE with another version number or processor type than the TbDriver already in memory. Cannot remove TbDriver. Unload other TSRs first! TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 178 You tried to remove TbDriver from memory, but other resident software was loaded after TbDriver. You can only remove resident programs from memory by unloading them in reverse order. LAN support was already installed. You tried to use the NET option a second time, or TbDriver already enabled network support automatically. TbDriver not active. Load TbDriver first! The resident TBAV utilities need TbDriver, so you need to load TbDriver first. TbDriver is not <version>. The version of TbDriver found in memory does not match the version number of this resident TBAV utility. Be sure you do not mix version numbers! This version of TbDriver requires a <typeID> processor. You are using a processor optimized version of TbDriver that the current processor cannot execute. A.3 TbScan Cannot create logfile. The specified log file path is illegal, the disk is full or write protected, or the file already exists and cannot be overwritten. [Cannot read datafile] TbScan needs access to its data file to be able to tell you the name of the virus. If it cannot access the data file, it displays this message instead of the virus. Command line error. You specified an invalid or illegal command line option. No matching executable files found. The specified path does not exist, is empty, or is not an executable file. Sanity check failed! TbScan detected that its internal checksum no longer matches. It is possible that TbScan is contaminated by a virus. Obtain a clean copy of TbScan, copy the program on a write protected system diskette, boot from that diskette, and try again. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 179 A.4 TbScanX Data file not found. TbScanX cannot locate the data file. Not enough memory. There is not enough free memory to process the data file. Try to enable swapping, or if you are already doing so, try another swapping mode. See also the Understanding Memory Considerations section in Chapter 4. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 180 Appendix B: TbScan Heuristic Flag Descriptions This appendix describes TBAV's heuristic flags. # - Decryptor code found The file possibly contains a self-decryption routine. Some copy-protected software is encrypted, so this warning might appear for some of your files. If, however, this warning appears in combination with, for example, the "T" warning, there could be a virus involved and TbScan assumes contamination. Many viruses encrypt themselves and trigger this warning. ! - Invalid program. Invalid opcode (non-8088 instructions) or out-of-range branch. The program has either an entry point that located outside the body of the file, or reveals a chain of jumps that can be traced to a location outside the program file. Another possibility is that the program contains invalid processor instructions. The program being checked is probably damaged and cannot execute in most cases. At any rate, TbScan avoids risk and uses the scan method to scan the file. 1 - 80186+ instructions. The file contains instructions which cannot be executed by 8088 processors, and require an 80186 or better processor. @ - Strange instructions The file contains instructions which are not likely to be generated by an assembler, but by some code generator like a polymorphic virus instead. ? - Inconsistent header. The program being processed has an EXE-header that does not reflect the actual program lay-out. Many viruses do not update the EXE-header of an EXE file correctly after they infect the file, so if this warning pops up frequently, it appears you have a problem. c - No integrity check This warning indicates that TBAV found no checksum/recovery information for the indicated file. We recommend you use TbSetup in this case to store the file's information. TBAV uses this information for integrity checking and to recover from virus infections. h - Hidden or System file. The file has the Hidden or the System file attribute set. This means that the file is not visible in a DOS directory display but TbScan scans it anyway. If you don t know the origin and/or purpose of this file, you TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 181 might be dealing with a Trojan Horse or a joke virus program. Copy such a file onto a diskette, remove it from its program environment, and then check if the program concerned is missing the file. If a program does not miss it, you not only have freed some disk space, but you might also have prevented a future disaster. i - Internal overlay. The program being processed has additional data or code behind the load-module as specified in the EXE-header of the file. The program might have internal overlay(s) or configuration or debug information appended behind the load-module of the EXE file. p - Packed or compressed file. This means that the program is packed or compressed. There are some utilities that can compress program files, such as EXEPACK and PKLITE. If the file became infected after compression, TbScan is able to detect the virus. However, if the file became infected before compression, the virus was also compressed in the process, and a virus scanner might no longer be able to recognize the virus. Fortunately, this does not happen very often, but you should still beware! A new program might look clean, but can turn out to be the carrier of a compressed virus. Other files in your system will become infected too, and it is these infections that will be clearly visible to virus scanners. w - Windows or OS/2 header. The program can be or is intended to run in a Windows (or OS/2) environment. TbScan offers a specialized scanning method for these files. A - Suspicious Memory Allocation The program uses a non-standard way to search for, and/or to allocate memory. Many viruses try to hide themselves in memory, so they use a non-standard way to allocate this memory. Some programs (such as high-loaders or diagnostic software) also use non-standard ways to search or allocate memory. B - Back to entry. The program seems to execute some code, and after that jumps back to the entry-point of the program. Normally this results in an endless loop, except when the program also modifies some of its instructions. This is quite common behavior for computer viruses. In combination with any other flag, TbScan reports a virus. C - File has been changed This warning appears only if you use TbSetup to generate the ANTI-VIR.DAT files and means the file has been changed. Upgrading the software would TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 182 trigger this message. Otherwise, it is very likely that a virus infected the file! NOTE: TbScan does not display this warning if only some internal configuration area of the file changes. This warning means that code at the program entry point, the entry-point itself, and/or the file size has been changed. D - Direct disk access This flag appears if the program being processed has instructions near the entry-point to write to a disk directly. It is quite normal that some disk related utilities trigger this flag. If several files that should not be writing directly to the disk trigger this flag, your system might be infected by an unknown virus. NOTE: A program that accesses the disk directly does not always have the "D" flag. Only when the direct disk instructions are near the program entry point does TbScan report it. If a virus is at fault, the harmful instructions are always near the entry point, so it is only there that TbScan looks for them. E - Flexible Entry-point This flag indicates that the program starts with a routine that determines its location within the program file. This is rather suspicious because sound programs have a fixed entry-point so they do not have to determine this location. For viruses, however, this is quite common. Approximately 50% of the known viruses trigger this flag. F - Suspicious file access TbScan has found instruction sequences common to infection schemes that viruses use. This flag appears with those programs that are able to create or modify existing files. G - Garbage instructions. The program contains code that seems to have no purpose other than encryption or avoiding recognition by virus scanners. In most cases there won't be any other flag since the file is encrypted and the instructions are hidden. NOTE: This flag appears occasionally on "normal" files. This simply indicates, however, that these are poorly designed, not infected.. J - Suspicious jump construct. The program did not start at the program entry point. The code has either jumped at least twice before reaching the final startup code, or the program jumped using an indirect operand. Sound programs should not TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 183 display this kind of strange behavior. If several files trigger this flag, you should investigate your system thoroughly. K - Unusual stack. The EXE file being processed has an odd (instead of even) stack offset or a suspicious stack segment. Many viruses are quite buggy by setting up an illegal stack value. L - Program load trap The program might trap the execution of other software. If the file also triggers the "M" flag (memory resident code), it is very likely that the file is a resident program that determines when another program executes. Many viruses trap the program load and use it to infect the program. Some anti-virus utilities also trap the program load. M - Memory resident code. TbScan has found instruction sequences that could cause the program to hook into important interrupts. Many TSR (Terminate and Stay Resident) programs trigger this flag because hooking into interrupts is part of their usual behavior. If several non-TSR programs trigger this warning flag, however, you should be suspicious. It is likely that a virus that remains resident in memory infected your files. NOTE: This warning does not appear with all true TSR programs, nor can you always rely upon TSR detection in non-TSR programs. N - Wrong name extension. Indicates a name conflict; that is, the program carries the extension .EXE but appears to be an ordinary .COM file, or it has the extension .COM but the internal layout of an .EXE file. A wrong name extension might in some cases indicate a virus, but in most cases it does not. O - code Overwrite. This flag appears if TbScan detects that the program overwrites some of its instructions. However, it does not seem to have a complete (de)cryptor routine. R - Suspicious relocator Indicates a suspicious relocator. A relocator is a sequence of instructions that changes the proportion of CS:IP. Viruses often use this. Those viruses have to relocate the CS:IP proportion because they were compiled for a specific location in the executable file; a virus that infects another program can hardly ever use its original location in the file as it is appended to this file. Sound programs know their location in the executable file, so they don t have to relocate TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 184 themselves. On systems that operate normally, only a small percentage of the programs should trigger this flag. S - Search for executables The program searches for *.COM or *.EXE files. This by itself does not indicate a virus, but it is an ingredient of most viruses, since they have to search for suitable files to spread themselves. If accompanied by other flags, TbScan assumes the file is infected by a virus. T - Invalid timestamp. The timestamp of the program is invalid; that is, the number of seconds in the time stamp is illegal, or the date is illegal or later than the year 2000. This is suspicious because many viruses set the time stamp to an illegal value (such as 62 seconds) to mark that they already infected the file so they won't infect a file a second time. It is possible that the program being checked is contaminated with a virus that is still unknown, especially if several files on your system have an invalid time stamp. If only very few programs have an invalid time stamp, you d better correct it and scan frequently to check that the time stamp of the files remains valid. U - Undocumented system call. The program uses unknown DOS calls or interrupts. These unknown calls can be issued to invoke undocumented DOS features, or to communicate with an unknown driver in memory. Since many viruses use undocumented DOS features, or communicate with memory resident parts of a previously loaded instance of the virus, a program is suspicious if it performs unknown or undocumented communications. This does not necessarily indicate a virus, however, since some tricky programs also use undocumented features. V - Validated program The program has been validated to avoid false alarms. The design of this program would normally cause a false alarm by the heuristic scan mode of TbScan, or this program might change frequently, and TbScan excludes the file from integrity checking. Either TbSetup (automatically) or by TbScan (manually) stores these exclusions in the ANTI-VIR.DAT. Y - Invalid boot sector. The boot sector is not completely according to the IBM defined boot sector format. It is possible that the boot sector contains a virus or has been corrupted. Z - EXE/COM determinator. The program seems to check whether a file is a COM or EXE type program. Infecting a COM file is a process that is not similar to infecting an EXE TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 185 file, which implies that viruses able to infect both program types should also be able to distinguish between them. There are, of course, innocent programs that need to find out whether a file is a COM or EXE file. Executable file compressors, EXE2COM, converters, debuggers, and high-loaders are examples of programs that might contain a routine to distinguish between EXE and COM files. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 186 Appendix C: Solving Incompatibility Problems Although TBAV utilities cooperate very well with other resident software, other software might not behave so well. This can cause system errors or even more serious problems. This section describes some common problems and their solutions. PROBLEM: If a TBAV utility tries to display a message, the text message "file <filename> could not be opened" appears. Specify the FULL path and filename of the file to use as a message file after the TbDriver loading command. The default file name is TBDRIVER.LNG. PROBLEM: One of your utilities is loading a TSR into memory without an executable filename extension, such as .EXE or .COM. Since TbSetup creates ANTI-VIR.DAT records only for files with an executable extension, there is no ANTI-VIR.DAT, so TbMem is not able to record the TSR permission information. Run TbSetup and specify the exact filename of the TSR. TbSetup creates an ANTI-VIR.DAT record, regardless of the filename extension, so TbMem can now record its information. Although the ANTI-VIR.DAT record exists, TbScan does not use it to check the CRC to avoid false alarms. PROBLEM: You are running a network, and one of the following problems arises: 1. TbScanX is installed, but does not display the *scanning* message while accessing files. It also does not detect viruses. 2. TbCheck is installed, but does not display the *checking* message while accessing files. It also does not detect viruses. 3. TbFile is installed, but does not detect anything. 4. TbMem is installed, but does not detect TSRs. Use the "TbDriver net" command after the network loads. PROBLEM: The system sometimes hangs when the message *scanning* is on the screen. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 187 Try TbScanX without the EMS or XMS option. If TbScanX now works without any problems, add the EMS or XMS option again along with the COMPAT option. On some systems, you cannot use the TbScanX XMS option at all because these systems do not allow resident software to use extended memory. If the problem relates to the XMS option and still occurs when you use the COMPAT option, you can use the XMSSEG = <VALUE> option to change the XMS swap segment address. The value should be between 2000 and 8000. The default value is 4000. PROBLEM: After you have given permission for a program to remain resident in memory, TbMem asks the same question the next time. First, the SECURE option of TbDriver is in use. Remove this option, reboot and try again. Second, the program mentioned does not appear in the ANTI-VIR.DAT file and, therefore, TbMem cannot permanently store the permission flag. Use TbSetup first to generate this program's ANTI-VIR.DAT record. Third, for some reason it is not possible to write to the Anti-Vir.Dat file. The file might reside on a write protected diskette, on a network in a read-only directory, or the Anti-Vir.Dat file has the read-only attribute set. PROBLEM: The system sometimes hangs when you answer "YES" (abort program) to a TbMem message. A solution here is difficult. Some resident programs seriously interfere with the system, and once rejected from memory, the system becomes unstable. PROBLEM: When you load TbDisk from the DOS command prompt, everything works fine. When you install TbDisk from within the CONFIG.SYS or AUTOEXEC.BAT file, however, it continually warns that programs write to disk directly. Load TbDisk at the end of your AUTOEXEC.BAT file. PROBLEM: TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 188 You formatted the hard disk using DOS FORMAT, but TbDisk did not display a message until the process was almost complete. This is not a problem. A high level format program such as DOS's FORMAT.COM does not actually format the disk (that is, divide the disk into tracks and sectors), rather it reads all tracks to locate possible bad spots and clears the FAT and directory structure. Only this last step implies a disk write, so it is the only one TbDisk detects. PROBLEM: After you give permission for a program to perform direct disk access, TbDisk asks the same question the next time. First, the SECURE option of TbDriver is in use. Remove this option, reboot and try again. Second, the program mentioned does not appear in the ANTI-VIR.DAT file and therefore TbDisk can not permanently store the permission flag. Use TbSetup first to generate this program's ANTI-VIR.DAT record. PROBLEM: If you try to use Windows fast 32-bit disk access, Windows displays an error message. Use the WIN32 option on the TbDisk command line. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 189 Appendix D: TBAV Exit Codes and Batch Files All TBAV utilities return to DOS with an error code that you can use with DOS's ERRORLEVEL command. The chief use of these error codes is in batch files. This appendix lists these error codes. Consult your DOS manual for information how to use error codes in batch files. D.1 TbScan Exit Codes TbScan terminates with one of the following exit codes: Errorlevel Description ---------- ------------------------------------- 0 No viruses found/ No error occurred 1 No files found 2 An error occurred 3 Files have changed 4 Virus found using heuristic analysis 5 Virus found using signature scanning 255 Sanity check failed D.2 TbUtil Exit Codes TbUtil terminates with one of the following exit codes: Errorlevel Description ---------- ------------------------------------- 0 No error occurred 1 Option "compare" failed/An error occurred D.3 General Exit Codes All the TBAV utilities except TbScan and TbUtil (see above) exit with one of the following exit codes: Errorlevel Description ---------- ------------------------------------- 0 No error occurred 1 A error occurred D.4 Program Installation Check TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 190 To detect within a batch file whether a resident TBAV utility loaded, you can check for the device names. All TBAV utilities install a device name, whether they load from CONFIG.SYS or AUTOEXEC.BAT. You can use the DOS IF EXIST batch file command to check for the device names. The following example, illustrating a part of a batch file, uses this construction to test whether TbScanX is loaded: @ECHO OFF IF NOT EXIST SCANX ECHO TBSCANX HAS NOT BEEN LOADED! You could also branch to a label by using the GOTO command: @ECHO OFF IF NOT EXIST SCANX GOTO NOSCANX ECHO TBSCANX EXISTS ! GOTO END :NOSCANX ECHO TBSCANX DOES NOT EXIST ! :END Finally, the following table lists the device names used by the TBAV utilities: TBAV program Device name ------------ ------------------------------------- TbScanX SCANX TbCheck TBCHKXXX TbMem TBMEMXXX TbFile TBFILXXX TbDisk TBDSKXXX TbLog TBLOGXXX TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 191 Appendix E: Virus Detection and Naming E.1 How Many Viruses Does TbScan Detect? Most of the TbScan signatures are family signatures; that is, one signature detects an entire set of viruses. All these viruses relate to one another. The Jerusalem signature, for example, covers more than 100 viruses. For this reason, there is no way of knowing how many viruses TbScan detects. Some competitive products treat each virus mutant as a separate virus, thus claiming to detect over 4000 viruses. TbScan, however, detects viruses using only 2000 signatures. If you want to compare virus scanners, you have to rely on the tests frequently published in magazines. E.2 The Virus Naming Convention TbScan follows the CARO virus naming recommendations. CARO is an organization in which leading anti-virus researchers participate. The CARO approach groups viruses in a hierarchical tree, which indicates to which family viruses belong. TbScan shows the complete CARO name where possible. In contrast, however, many other anti-virus products simply indicate the family name or the member name. For example, many products might refer to the Leprosy.Seneca.493 using the family name Leprosy or member name Seneca, or even by the variant name 493. Worse yet, anti-virus products developed by non CARO members might even use a completely different name. TbScan, however, tries to display as much of the name as possible. Building on the previous example, if TbScan can t distinguish between the Leprosy.Seneca.493 and Leprosy.Seneca.517 viruses, it indicates both by the name Leprosy.Seneca Some viruses mutate themselves frequently. To detect all instances of such a virus, it is sometimes necessary to use multiple signatures. Although these signatures cover exactly the same virus, they do have a slightly different indication. Behind the name of the virus you will see a number in angle brackets. This number has nothing to do with the name of the virus, but is there just for maintenance reasons. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page i Index Algorithms . . . . . . . . . . . . . . . . . . . . . . 74, 153, 157, 174 ANTI-VIR.DAT 1-4, 10, 18, 20, 22, 33-38, 41-43, 45, 46, 53, 62, 64, 75, 80-82, 92, 94, 95, 96, 98-103, 105, 111, 114, 120, 125, 150, 156, 157, 163, 175, 177, 181, 184, 186-188 Cleaner . . . . . . . . . . . . . . . . . . . . 1, 98, 106, 107, 161-163 Command line options 17, 40, 62, 79, 80, 86, 87, 94, 101, 102, 110, 112, 117, 132, 141, 145, 156 Communication . . . . . . . . . . . . . . . . . . . . . . . . . . 143-146 Configurations . . . . . . . . . . . . . . . . . . . . . . . . . 49, 116 Configuring TBAV . . . . . . . . . . . . . . . . . . 14-16, 40, 62, 100 Direct disk access . . . . . . . . . . . 39, 40, 124, 125, 151, 182, 188 Environment . . . . . . . . . . . . . . 3, 5, 24, 96, 127, 140, 148, 181 Exit codes . . . . . . . . . . . . . . . . . . . . . . . . . . . 6, 189 Generic cleaner . . . . . . . . . . . . . . . . . . . . . . . . 161, 163 Help . 15, 16, 27, 33, 34, 41, 44, 45, 62-64, 80, 86, 87, 94, 102, 108, 112, 117, 122, 123, 125, 141, 145, 175, 177 Heuristic cleaner . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Heuristic flags . . . . . . 6, 60, 61, 69, 70, 73, 74, 76, 154, 155, 180 Heuristic scanning . . . . . . . . . . . . . . . . . 47, 65, 76, 153-155 Immunized partition table . . . . . . . . . . . . . . . . . . . . . . 127 Installation . 8, 9, 11, 12, 18, 23, 25, 27, 44, 48, 121, 122, 125, 150, 152, 189 Integrity checking . . . . . . . . . . 1, 2, 18, 153, 156, 157, 180, 184 Interface . . . . . . . . . . . . . . . . . . . . . 5, 11, 12, 16, 86, 89 Maintenance . . . . . . . . . . . . . . 20, 120, 128, 129, 131, 133, 191 Memory requirements . . . . . . . . . . . . . . . . . . . . 88, 147, 148 Menu interface . . . . . . . . . . . . . . . . . . . . . . . 11, 12, 16 Microsoft Windows . . . . . . . . . . . . . . . . . . 5, 85, 93, 110, 140 Procedure . . . . . . . . . . . . . . . . . 3, 8, 9, 21, 23, 26, 48, 162 Program validation . . . . . . . . . . . . . . . . . . . 1, 18, 153, 156 Recovery diskette . . . . . . . . . . . . 10, 20, 23, 25-27, 29, 31, 127 Repair cleaner . . . . . . . . . . . . . . . . . . . . . . . . . 98, 163 Signature definition . . . . . . . . . . . . . . . . . . . . . . . . 173 Signature scanning . . . . . . . . . . . . . . . . . . . . 75, 158, 189 System requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 TBAV for DOS . . . . . . . . . . . . . . . . . . . . . . 6, 84, 108, 143 TBAV for Networks . . . . . . . . . . . . . . . . . . . . 8, 21, 143-146 TBAV for Windows . . . . . . . . . . . . 8, 21, 22, 50, 86, 93, 143-145 TbCheck . . 1, 2, 5, 10, 11, 19, 26, 27, 30, 33, 34, 78, 92-97, 147, 148, 186, 190 TbClean 3, 16, 17, 26, 32-34, 47, 98-107, 147, 148, 161, 163, 164, 175-177 TbDel . . . . . . . . . . . . . . . . . . . . . . . . . . . 4, 14, 16, 32 TbDisk . 1, 3-5, 19, 78, 108-111, 117, 120-125, 147, 148, 187, 188, 190 TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page ii TbDriver . 1, 10, 11, 19, 26, 27, 40, 78-83, 85, 92, 109, 111, 117, 121, 140, 147, 148, 149, 151, 177, 178, 186-188 TbFile 1, 3-5, 10, 11, 19, 37, 43, 78, 108-111, 116-119, 121, 147, 148, 186, 190 TbGenSig . . . . . . . . . 4, 57, 65, 147, 165, 166, 168, 170, 172, 174 TbLoad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21, 22 TbMem 1, 3-5, 10, 11, 19, 78, 81, 108-114, 117, 121, 147-149, 186, 187, 190 TbMon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 TbNet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143-146 TbScan 1, 2, 6, 10-15, 17-22, 24, 26, 29, 30, 33, 40, 44, 46-76, 84, 91, 106, 147, 151-160, 165-168, 171, 173, 178, 180-184, 186, 189, 191 TBSCAN.SIG . . . . . . . . . . . . . . . . 1, 6, 20-22, 26, 91, 165-168 TbScanX . 1, 2, 5, 10, 11, 19, 78, 82, 84-91, 147-149, 179, 186, 187, 190 TbSetup . 1-3, 10, 17-20, 22, 25, 27, 33-46, 92, 98, 111, 114, 120, 125, 147, 150, 151, 152, 153, 156, 157, 163, 175, 180, 181, 184, 186-188 TBSETUP.DAT . . . . . . . . . . . . . . . . . . . 40, 43, 45, 46, 150-153 TbUtil . . . . . . . . . . . . . 2, 3, 16, 26, 30, 31, 126-138, 147, 189 Thanks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1, 47 Updates . . . . . . . . . . . . . . . . . . . . . . 20, 80, 120, 165, 166 USERSIG.DAT . . . . . . . . . . . . . . . . . . . . . . . . 165, 166, 168 Virus detection . . . . . . . . . . . . . . . . 33, 75, 127, 130-133, 191 Virus infection . . . . . . . . . 1, 24, 25, 29, 31, 47, 69, 92, 108, 136 Virus naming . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 Virus protection . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Windows . 5, 8, 21, 22, 44, 50, 52, 54, 57, 63, 68, 73, 85, 86, 93, 105, 110, 122, 124, 140, 141, 143-145, 170, 181, 188 Workstation . . . . . . . . . . . . . . . . . 11, 139, 143, 145, 146, 150