ProfitPress Mega CDROM2 Shareware Freeware (MSDOS)(1992)(Eng)

home *** CD-ROM | disk | FTP | other *** search

/ ProfitPress Mega CDROM2 …eeware (MSDOS)(1992)(Eng) / ProfitPress-MegaCDROM2.B6I / UTILITY / VIRUS / TBSCNX31.ZIP / TBSCANX.DOC < prev next >

Wrap

Text File | 1992-04-23 | 78.5 KB | 2,341 lines

TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. Table of Contents 1. COPYRIGHT, LICENCES AND DISCLAIMER................ 2 1.1. Copyright................................... 2 1.2. Distribution and usage...................... 2 1.3. Disclaimer.................................. 3 1.4. Trademarks.................................. 3 1.5. Registration................................ 3 1.6. The registration key........................ 3 2. INTRODUCTION...................................... 5 2.1. Purpose of TbScanX.......................... 5 2.2. A Quick start............................... 6 2.3. Benefits.................................... 6 2.4. Who are we?................................. 7 3. USAGE OF THE PROGRAM.............................. 8 3.1. System requirements......................... 8 3.2. Program invokation.......................... 8 3.2.1. Invokation in Config.Sys.............. 9 3.2.2. Invokation in network environment..... 9 3.2.3. Invokation when using MS-Windows...... 9 3.3. While scanning.............................. 9 3.4. Detecting viruses........................... 9 3.5. Testing for viruses........................ 10 3.6. Command line options....................... 11 3.6.1. -help................................ 11 3.6.2. -off................................. 11 3.6.3. -on.................................. 11 3.6.4. -remove.............................. 11 3.6.5. -compatx............................. 12 3.6.6. -data................................ 12 3.6.7. -noexec.............................. 12 3.6.8. -allexec............................. 12 3.6.9. -noboot.............................. 12 3.6.10. -quiet.............................. 13 3.6.11. -valid.............................. 13 3.6.12. -yes................................ 13 3.6.13. -lock............................... 13 3.6.14. -nologo............................. 13 3.6.15. -ems................................ 13 3.6.16. -xms................................ 13 3.6.17. -herchalf........................... 14 3.6.18. -hercfull........................... 14 3.6.19. -cga................................ 14 3.7. Examples:.................................. 14 3.8. Residence of the signature file............ 14 3.9. Special versions........................... 15 3.10. Error messages............................ 15 4. FORMAT OF THE DATA FILE.......................... 17 4.1. Format of a signature entry................ 17 Page i TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. 4.2. Wildcards.................................. 17 4.3. Limitations................................ 18 5. A VIRUS, NOW WHAT?............................... 19 5.1. Prevention................................. 19 5.2. Confirmation............................... 19 5.3. Identification............................. 20 5.4. No Panic!.................................. 20 5.5. Recovering................................. 21 6. CONSIDERATIONS AND RECOMMENDATIONS............... 22 6.1. Solving incompatibility problems........... 22 6.2. Reducing the memory requirements........... 23 6.3. How many viruses does it detect?........... 24 6.4. Testing the scanner........................ 24 6.5. Extensions to the format of the data file.. 24 6.6. Compressed files........................... 25 6.7. Other products............................. 26 7. APPLICATION INTERFACE............................ 28 7.1. High-level control......................... 28 7.2. Low-level control.......................... 28 8. OUR OTHER PRODUCTS............................... 31 8.1. TbScan..................................... 31 8.2. TbRescue................................... 31 8.3. Thunderbyte................................ 32 9. NAMES AND ADDRESSES.............................. 35 9.1. Contacting the author...................... 35 9.2. ESaSS...................................... 35 9.3. Thunderbyte support BBS's.................. 35 9.4. Recommended magazines and organisations.... 35 Page ii Page 1 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. 1. COPYRIGHT, LICENCES AND DISCLAIMER 1.1. Copyright TbScanX is copyright 1989-1992 ESaSS B.V.. All rights reserved. The diskettes provided with TbScanX are not copy protected. This does not imply that they can be freely copied in unlimited quantities. TbScanX is protected by copyright law, which applies to computer software as well. No part of the printed manual accompanying TbScanX may be reproduced, transmitted, transcribed, stored in a retrieval system or translated into any language, in any form or by any means, without the prior written permission of ESaSS B.V.. 1.2. Distribution and usage Both TbScanX and the accompanying documentation are SHARE-WARE. You are hereby granted a licence by ESaSS to distribute the evaluation copy of TbScanX and its documentation, subject to the following conditions: 1. The evaluation package of TbScanX may be distributed freely without charge in evaluation form only. 2. The evaluation package of TbScanX may not be sold or licensed. Neither may a fee be charged for its use. If a fee is charged in connection with TbScanX at all, it should only cover the cost of copying or distribution. UNDER NO CIRCUMSTANCES should payment of such fees be understood to constitute legal ownership. 3. The evaluation package of TbScanX must be presented in its complete form. It is not allowed to distribute the program and its documentation files separately. 4. Neither TbScanX nor its documentation may be amended or altered in any way. 5. By granting you the right to distribute the evaluation copy of TbScanX, you do not become the owner of TbScanX in any form. 6. ESaSS accepts no responsibility in case the program malfunctions or does not function at all. 7. ESaSS can never be held responsible for damage, directly or indirectly resulting from the use of TbScanX. 8. Using TbScanX means that you agree to these conditions. Any other use, distribution or representation of TbScanX is Page 2 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. expressly forbidden without the written permission by ESaSS. 1.3. Disclaimer Neither ESaSS B.V. nor anyone else who has been involved in the creation, production or delivery of TbScanX or this manual grants any warranties in respect of the contents of the software or this manual and each specifically disclaims any implied warranties of merchantability or fitness for any purpose. ESaSS B.V. reserves the right to revise the software and the manual and to make changes from time to time in the contents without obligation to notify any person. 1.4. Trademarks. TbScan, TbScanX and Thunderbyte PC Immunizer are registered trademarks of ESaSS B.V.. All other product names mentioned are ackowledged to be the marks of their producing companies. 1.5. Registration. THIS IS NOT FREE SOFTWARE! If you paid a "public domain" vendor for this program, you paid for the service of copying the program, and not for the program itself. Proceeds from such transactions would never reach the makers of this product.You may evaluate this product, but if you decide to make use of it, you should register your copy. To register: fill in the file REGISTER.DOC and return it to us. We offer several inducements to you for registering. First of all, you receive the most up-to-date copy of the program that we have (we do update the product on a regular basis). Secondly, you are entitled to support for TbScanX, which can be quite valuable at times. In the third place, you will receive the complete documentation of this product in print. A "do-it-yourself" update service is offered to registered users through our own support BBS. And finally, we include an evaluation package of some of our other software products, again without copy protection and fully oprational. Once you have become a registered user of TbScanX all future upgrades will be free. Naturally, registered TbScanX users are licensed to use TbScanX on a machine where the Thunderbyte add-on card has been installed. 1.6. The registration key Page 3 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. Registered users receive a key file named TbScan.KEY. The key file contains important information such as the licence number and the name of the licensee. It is NOT allowed to sell or give away the key file TbScan.KEY. TbScanX searches for the key file in the current directory. If it does not find it there, it searches the same directory where the program file TBSCANX.EXE resides (DOS 3.nn and later versions). If the key file is corrupt or invalid, TbScanX continues without error message although your version of TbScanX will then be treated as a SHARE-WARE version. If your key is only valid for TbScan.EXE (the non memory resident version of TbScanX), TbScanX will ignore it when run. Page 4 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. 2. INTRODUCTION 2.1. Purpose of TbScanX TbScanX is a virus scanner: it has been specifically developed to detect viruses, Trojan Horses and other such threats to your valuable data. A virus scanner is a program that is able to search a virus signature that has been determined beforehand. Most viruses consist of a unique sequence of instructions, called a signature, so by means of checking for the appearance of this signature in a file we can see whether or not a program has been infected. By searching all your program files for the signatures of all viruses already identified you can easily find whether your system has been infected and, if that is the case, with which virus. Every PC owner should use a virus scanner frequently. It is the least he or she can do to avoid possible damage caused by a virus. By now already many virus scanners have been developed. The problem with all these scanners is that you have to execute them. Suppose you have the virus scanner automatically invoked in your autoexec.bat file. If no viruses are found, your system is supposed to be uninfected. But, to be sure that no virus can infect your system, you have to run the scanner every time before you copy a file to your harddisk, after downloading a file from a bulletin board system, or after unarchiving an archive such as a ZIP file. Be honest, do YOU actually invoke your scanner every time you introduce a new file into the system? If you don't, you take the risk that within a couple of hours all files are infected by a virus... TbScanX has a unique feature to overcome this tedious scanning. Once invoked it will remain resident in memory, and AUTOMATICALLY scan all files you execute, copy, download, modify, or unarchive! The same approach is used to protect against bootsector viruses: Every time you put a diskette into a drive the bootsector will be scanned. If the disk is contaminated with a boot sector virus TbScanX will warn you! Probably you think that a resident virus scanner consumes much memory, makes your system slow, and is a source of many problems. But, if you already know our free-ware scanner TBSCAN, you know that this scanner can scan your files faster than any other scanner. Also TbScanX achieves a lightning fast speed. Actually, TbScanX is a lot faster, since it will not access your disk to scan the files, because all files to be created or modified reside already in memory! TbScanX just monitors every byte going to any Page 5 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. executable file on the harddisk. The amount of memory used depends on the number of signatures. With all features enabled TbScanX uses 10Kb of memory when scanning for 360 family signatures. If you enable swapping TbScanX normally uses only 1Kb of memory. You can swap to EMS, XMS or even unused video memory. Of course the remaining kilobyte of TbScanX can be loaded in upper memory. 2.2. A Quick start Although we highly recommend a complete reading of this manual, we offer you some directions for a quick run of TbScanX here: Type "TbScanX". This will be sufficient to load TbScanX in memory. The invokation syntaxis is: TBSCANX [<options>]... For fast online help type "TbScanX -?" or "TbScanX -help". 2.3. Benefits By now many different virus scanners have been developed. However, TbScanX has a number of important and unique advantages over other scanners. These are: TbScanX offers the flexibility of a data file that can be edited quickly. As new viruses spread quickly there is often no time available to continually adapt your own virus checker in order to make it capable of recognizing each new virus as it appears. That is why TbScanX uses a separate data file listing the signatures of all known viruses. This file can be adapted quickly, possibly by yourself. TbScanX supports, among others, the format which is used in the file VIRSCAN.DAT. This file is regularly updated and can be obtained through a lot of data banks. TbScanX supports wildcards in the signature. Many viruses are adapted and converted versions of existing viruses. Such a modified virus - a mutant - is similar to the original virus, but that part of the virus program which contains the signature has often been changed. Most scanners will fail to recognize the mutant unless the new signature has been incorporated into the scanning program. TbScanX has been designed to approach this problem differently: by replacing the modified parts of the signature by wildcards TbScanX can still recognize mutant virus activities. Hence all mutant versions of, for instance, the Jerusalem/PLO virus can be discovered by TbScanX through just Page 6 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. one signature instead of the, say, 25 that several other virus scanners require. This also explains why TbScanX uses 'only' 300 signatures but still detects all 800 viruses known. TbScanX offers other software an universal hook to scan data for viruses. If you are a programmer, you can instruct your programs to scan information read from disk for viruses before using the data. TbScanX does not use much memory compared to other resident virus scanners. On almost every machine it should be possible to configure TbScanX that it uses only 1Kb of memory. Of course you can also load this kilobyte into upper memory. 2.4. Who are we? TbScanX has been developed by Frans Veldman, chief executive of the ESaSS company. ESaSS is the company that developed the well-known Thunderbyte card, the first hardware PC immunizer, and that has gained a great deal of experience with and knowledge of viruses and assembler-written system software. Of course, we do have a large collection of viruses to test our products on. Page 7 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. 3. USAGE OF THE PROGRAM 3.1. System requirements TbScanX runs perfectly on standard machines, in line with our philosophy that there should be a limit to limitations. + TbScanX can be executed under DOS version 3.00 (and all later versions). However, Dos 5.0 or higher is recommended, since TbScanX has been optimized and designed primarily for use with these DOS versions. + TbScanX requires about 10 Kb of free memory to get invoked. If you enable swapping it does NOT require additional standard DOS memory to initialise itself. If you don't enable swapping the amount of memory depends on the amount of signatures in the data file. TbScanX can handle up to approximately 2500 signatures, depending on which swapping mode is used. Without swapping mode TbScanX can utilize up to 50Kb, when swapping to expanded memory 64Kb, when swapping to extended memory 50Kb, when swapping to Hercules memory 28Kb, and when swapping to CGA/EGA/VGA memory 24Kb. + The size of the signature file should not exceed 2Mb. 3.2. Program invokation It is recommended to invoke TbScanX automatically from within your Config.Sys or Autoexec.Bat file. It is important to invoke TbScanX as early as possible after the machine has booted. For that reason it is possible to invoke TbScanX from within the Config.Sys file. TbScan is easy to use. The syntaxis is as follows: TBSCANX [<options>]... There are three possible ways to invoke TbScanX: To invoke TbScanX from the DOS prompt or within the Autoexec.Bat file: <path>TbScanX To invoke TbScanX from the Config.Sys as a TSR (Dos 4+): Install=<path>TbScanX.Exe To invoke TbScanX from the Config.Sys as a device driver: Device=<path>TbScanX.Exe TbScanX should always work correctly after being started from within the Autoexec.Bat. The "Install=" Config.Sys command is NOT available in DOS 3.xx. Page 8 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. In addition to the three invokation possibilities DOS 5 users can "highload" TbScanX in an UMB (upper memory block) if it is available: LoadHigh <path>TbScanX.Exe Within the Config.Sys file TbScanX can also be loaded high: DeviceHigh=<path>TbScanX.Exe 3.2.1. Invokation in Config.Sys -> Invoking TbScanX as a device driver does not work in all OEM versions of DOS. You have to try it, if it doesn't work use the "Install=" command or load TbScanX from within the Autoexec.Bat. 3.2.2. Invokation in network environment -> Network users should load TbScanX AFTER logged on to their server. If you load TbScanX before logging to the host, TbScanX will not be active while accessing files on a remote drive, so make sure you invoke TbScanX AFTER finishing the log-on procedure. 3.2.3. Invokation when using MS-Windows -> Windows 3.0 users should invoke TbScanX BEFORE starting Windows. If you do that there is only one copy of TbScanX in memory, but every DOS-window will nevertheless have a fully functional TbScanX in it. TbScanX detects if Windows is starting up, and will switch itself in multitasking mode if necessary. You can even disable TbScanX in one window without affecting the functionality in another window. 3.3. While scanning Whenever a program tries to write to an executable file (files with the extensions .COM and .EXE), you will shortly see the text "*Scanning*" in the upper left corner of your screen. As long as TbScanX is scanning this text will appear. Since TbScanX takes not much time to scan the file, the message will only appear shortly. The text "*Scanning*" will also appear if you execute a program directly from a diskette, and if DOS accesses the bootsector of a diskette drive. 3.4. Detecting viruses If TbScanX detects a signature going to be written into a file, it will display the message: WARNING, <filename> contains <virus name>! Abort? (Y/n) Page 9 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. Press "N" to continue, press any other key to abort. If TbScanX detects a signature in a boot sector, it will display the message: WARNING, Disk in <drive> contains <virus name>! Press a key... Although a virus seems to be on the bootsector of the specified drive, the virus can not do anything since it has not been executed yet. However, if you reboot the machine with the contaminated diskette in the drive, the virus will copy itself to your harddisk. To display the name of the virus, TbScanX needs the signature file again. It will automatically use the signature file that was used when you invoked the program. If the signature file is missing (because you deleted it, or because you removed the floppy with it), or no file handles are left, TbScanX will still detect viruses, but it is no longer able to display the name of the virus. It will display [Name unknown] instead. -> If you have an active Thunderbyte card in your system TbScanX will not display the message by itself, but instead Thunderbyte pops up with its interception window, providing you a more sophisticated message. Thunderbyte can pop up even while using a graphics video mode, and Thunderbyte restores the screen completely after having informed you about the virus. Consult the Thunderbyte manual for more information. 3.5. Testing for viruses Although TbScanX detects viruses automatically when you try to create or modify an executable file, it can be handy to force TbScanX to test a specific file for viruses. TbScanX has created a character device with the name "SCANX" while installing itself in memory. When you sent data to this device the data will be scanned for the occurences of viruses. Try this: copy /b testvir.com scanx No file will be created with the name "scanx" but the input (the contents of the file "testvir.com") will be scanned for viruses. This way you can easy inspect any file (also the non-executables) for the existence of virus signatures without the need to invoke a special program. If the device "scanx" detects a signature in the input it will simulate a DOS "write protect error". Note that you have to specify the "/b" option. Otherwise DOS will sent the characters to the device one by one. This consumes a lot of time and of course, no viruses will be found in one byte sequences! Page 10 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. 3.6. Command line options It is possible to specify so-called options on the command line. The upper four options are always available, the other options are only available if TbScanX is not already resident in memory. Options available: -help =display this helpscreen -off =disable scanning -on =enable scanning -remove =remove TbScanX from memory -compatx =use alternate interrupt -noexec =never scan at execute -allexec =always scan at execute -noboot =do not scan bootsectors -quiet =do not display *Scanning* -ems =use expanded memory (EMS) -xms =use extended memory (XMS) -herchalf =use Hercules-half memory -hercfull =use Hercules-full memory -cga =use CGA/EGA/VGA memory -yes =always respond with Yes -lock =lock PC when virus detected -nologo =no comment and memory report -valid =unauthorized signatures allowed [-data] <filename> =use specified signature file 3.6.1. -help If you specify this option TbScan will show you the brief help as shown above. 3.6.2. -off If you specify this option TbScanX will be disabled, but it will remain in memory. 3.6.3. -on If you use this option TbScanX will be activated again after you disabled it with the -off option. 3.6.4. -remove This option can be used to remove the resident part of TbScanX from your memory. All memory used by TbScanX will be released. Unfortunately, the removing of a TSR (like TbScanX) is not always possible. TbScanX checks whether it is safe to remove the resident part from memory, if it is not safe it just disables TbScanX. A TSR can not be removed if another TSR is started after it. If this Page 11 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. happens with TbScanX it will completely disable itself. The character device "SCANX" will disappear also. 3.6.5. -compatx In most systems TbScanX performs very well. It is however possible that another TSR program conflicts with TbScanX. If the other TSR is loaded first, TbScanX will normally detect the conflict and use an alternate interrupt. Is the other TSR however to be loaded after TbScanX, and does it abort with a message telling you that it has already been loaded, you can use the -compatx switch of TbScanX (when installing it in memory). 3.6.6. -data You can override the default path and name of the signature file by using this option. TbScanX normally tries to locate a signature file by itself. See chapter 3.10 for information on how TbScan searches such a data file. If TbScanX does not succeed in recognizing or locating the default data file, or if you want to override TbScanX's default data search path, you should use the -data option. 3.6.7. -noexec TbScanX normally scans files located on removable media just before they are executed. If you don't like that you can use this option to disable this feature completely. 3.6.8. -allexec TbScanX normally scans files to be executed only if they reside on removable media. Files on the harddisk are trusted, because files on the harddisk have to be copied or downloaded before they can exist on your disk. And by that time TbScanX already scanned them automatically. But if you also like every file to be scanned before it will be executed, no matter whether they reside on harddisk or removable media, you should use this option. 3.6.9. -noboot TbScanX monitors the disk system: every time the bootsector is being read, TbScanX automatically scans it for bootsector viruses. If you change a disk, the first thing DOS has to do is reading the bootsector, otherwise it can not know what kind of disk is in the drive. And as soon as DOS reads the bootsector, TbScanX checks it for viruses. If you don't like this feature, or if it causes problems, you can switch it off using the -noboot option. If you specify this option TbScanX will also require less memory, because the bootsector signatures will not be stored in memory. Page 12 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. 3.6.10. -quiet TbScanX normally displays a rectangle with "*Scanning*" in the upper left corner of your screen while it performs its scanning. You can disable that by using this option. This option can only be used at the initial invokation of TbScanX. 3.6.11. -valid TbScanX checks the signature file for modifications. If you change the contents of that file TbScanX will issue a warning. If you don't want the warning to be displayed, use the -valid option. 3.6.12. -yes If you are a system operator, you can disable the possibility to continue after TbScanX detected a signature. Normally the user will be prompted "Abort Y/N", but if you specify -yes on the command line, TbScanX will always assume the user responds with "Y". No unaware user can now give permission for unwanted, dangerous activities. 3.6.13. -lock If you are a system operator, you can use this option to instruct TbScanX to lock the system once a virus is detected. 3.6.14. -nologo If you specify this option TbScanX does not display data file comments and the memory report when installing itself resident in memory. 3.6.15. -ems If you specify this option TbScanX will use expanded memory (like provided by LIM/EMS expansion boards or 80386 memory managers) to store the signatures and part of its program code. Expanded memory is allocated in 16Kb blocks, so the minimum amount of expanded memory allocated is 16Kb. However, conventional memory is more valuable to your programs than expanded memory, so use of this option is recommended. TbScanX can use up to 64Kb of EMS memory. 3.6.16. -xms If you specify this option TbScanX will use extended memory to store the signatures and part of its program code. An XMS driver (like HIMEM.SYS) needs to be installed to be able to use this option. XMS memory is not directly accessable from within DOS, so every time TbScanX has to scan data it has to copy the signatures to conventional memory. To be able to save the original memory contents TbScanX needs a double amount of XMS memory. Swapping to Page 13 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. XMS is slower than swapping to EMS memory, so if you have EMS memory available swapping to EMS is recommended. It is possible that swapping to XMS conflicts with some other software, so if you experience problems try using TbScanX without the XMS option. TbScanX can use about 2*50Kb of extended memory. 3.6.17. -herchalf If you specify this parameter TbScanX will use some part of the Hercules videomemory to store the signatures. As long as the videocard remains in the text mode it uses only a little part of its videomemory. The rest can be used by... TbScanX. Videomemory is very slow, so also TbScanX will slowdown somewhat. If you execute a program that switches the card into the graphics mode TbScanX will disable itself completely. You can re-activate TbScanX by running it again. It will automatically remove the old resident part of TbScanX that might be left in memory. TbScanX can use up to 28Kb of Hercules memory. 3.6.18. -hercfull This parameter does the same as the -herchalf parameter, but it will switch the Hercules card into the so called full mode. TbScanX then uses videomemory that will not be used by even most of the graphics software. You can run a graphics program while TbScanX remains active at the same time! But watch out! If you have two videocards in your machine at the same time, DO NOT USE this option! 3.6.19. -cga This parameter does the same as the -herchalf or -hercfull option, but it will now use CGA/EGA/VGA videomemory instead of Hercules memory. TbScanX can use up to 24Kb of video memory. 3.7. Examples: C:\utils\TbScanX -data C:\tb\TbScan.Dat -ems or: Device=C:\utils\TbScanX.Exe -data C:\tb\TbScan.Dat -xms -noboot 3.8. Residence of the signature file TbScanX looks for the data file in the following order: 1) If the -data option is used it will use the specified file. 2) It searches in the active directory for a file with the name TBSCAN.DAT. 3) It searches for TBSCAN.DAT in the same directory as the program file TBSCANX.EXE itself is located. Page 14 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. 4) It searches in the active directory for a file with the name VIRSCAN.DAT. 5) It searches for VIRSCAN.DAT in the same directory as the program file TBSCANX.EXE itself is located. 3.9. Special versions The file TBSCANX.EXE is fully functional. However, we supply some special versions of TbScanX to be used with certain processor types. This enables you to get the best out of your processor concerning memory usage and speed. TBSCANX.EXE: Universal version. Runs on all processor types. Supports Windows 386-enhanced-mode and XMS swapping. Uses more memory and is somewhat slower compared to the other versions. TBSCANX0.EXE Special version for true 8088 or 8086 processors. This version has no support for Windows 386-enhanced mode and does not support XMS swapping, causing TbScanX to use less memory. TBSCANX1.EXE This version of TbScanX requires at least a 80186, NEC-V20 or NEC-V30 processor. It is almost the same version as TbScanX0, but due to the use of shorter and faster instructions it requires less memory and performs somewhat faster. TBSCANX2.EXE This version of TbScanX requires at least a 80286 processor. It is almost the same a the TbScanX1 version, but it has support for XMS swapping. TBSCANX3.EXE Runs on machines with a 80386 or 80486 type processor. Supports Windows 386-enhanced-mode. Uses less memory compared to the standard version, but more than the 286 version due to the Windows support. 3.10. Error messages Errormessages that might be displayed: + Error in data file at line <number>. There is an error in the specified line of the data file. + Not enough memory There is not enough free memory to process the data file. Try to enable swapping, or if you are already doing so, try another swapping mode. See also chapter "limitations". Page 15 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. + Data file not found. TbScanX has not been able to locate the data file. + This version of TbScanX requires a <typeID> processor. You are using a processor dependant version of TbScanX and it can not be executed by the current processor. Page 16 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. 4. FORMAT OF THE DATA FILE 4.1. Format of a signature entry The data file (called TBSCAN.DAT or VIRSCAN.DAT) can be read and/or modified using any DOS-text editor. All lines starting with ";" are comment lines. TbScanX ignores these lines. When the ";" character is followed by a percentage sign the remaining part of the line will be displayed on the screen. A maximum of 8 lines can be printed on the screen. In the first line the name of a virus is expected. The second line contains one or more of the following words: BOOT SYS EXE COM HIGH LOW These words may be separated by spaces, tabs or commas. BOOT means that the virus is a bootsector virus. EXE and COM indicate the virus can occur in files with these extensions. The other keywords are not intended for use with TbScanX. TbScanX skips signatures without one of the keywords EXE, COM or BOOT. In the third line the signature is expected in ASCII-HEX. Each virus character is described by means of two characters. An entry in the signature file should look like this: ; Test virus EXE COM ABCD21436587ABCD ; It is allowed to use spaces in the ASCII-HEX signature for your own convenience. TbScanX will ignore those spaces. The three central lines should be present in each virus description. Between these lines comment lines may be inserted. 4.2. Wildcards TbScanX allows you to use wildcards in a signature. Wildcards can be used to define one signature that recognizes several related viruses. - The ? wildcard. The question mark specifies a wildcard nibble, which means that Page 17 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. the corresponding half of the byte may have any value. Example: A5E623CB??CD21?883FF3E - The * wildcard. You can use the asterisk followed by an ASCII-HEX character to skip a fixed amount of bytes in the signature. The ASCII-HEX character specifies the amount of bytes that should be skipped. Example: A5E623CB*3CD2155??83FF3E?BCD Hence the following sequence of bytes will be recognised as a virus: A5E623CB142434CD21554583FF3E3BCD - The % wildcard. A percentage sign (%) followed by an ASCII-HEX character indicates that the remaining part of the signature could be located a number of bytes away. The ASCII-HEX character specifies the maximum distance at which the remaining part should be found. - The ** wildcard. You can use the "**" wildcard to skip an unlimited variable amount of bytes in the signature. 4.3. Limitations. + The name of a virus may contain up to 30 characters. + The ASCII-HEX signature may contain up to 132 characters. + A signature must contain at least one sequence of two non-wildcard bytes. A sequence of four however is recommended. + The signature should start with a non-wildcard byte. + The % wildcard should not be followed by any other wildcard. Examine the VIRSCAN.DAT or TBSCAN.DAT file for examples of how signatures can be made to fit the format of the signature file. Page 18 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. 5. A VIRUS, NOW WHAT? 5.1. Prevention It is always better to be safe now than to be sorry afterwards. You can prevent an infection by using reliable software only, i.e. software of which the origins are known. MAKE SURE YOU HAVE AN UNINFECTED WRITE-PROTECTED BOOTABLE DOS DISK STORED IN A SAFE PLACE. The disk will be needed in case of infection. Without an uninfected bootable disk you will never be able to get rid of any virus! The disk should be write-protected to make sure it will remain uninfected! Only boot from your hard disk or from your original DOS diskette. NEVER use someone else's disk to boot from. Should you have a hard disk, make certain that you have opened the door to your floppy drive before resetting or booting your PC. Use the DOS program ChkDsk frequently (without the /F switch). ChkDsk is able to detect some viruses because the viruses change the disk structure in an incorrect manner, causing disk errors in the process. Look out for changes in the behaviour of your software or system. Any change in their behaviour is suspect, unless you know its cause. Some highly suspicious symptoms are: - The amount of available memory space has decreased. - Programs need more time to execute. - Programs do not operate as they used to, or cause the system to crash or reboot after some time. - Data disappear or get damaged. - The size of one or more programs has increased. - The screen behaves strangely, or you will find unusual information displayed there. - ChkDsk detects many errors. 5.2. Confirmation Once you think your system may have been infected by a virus, try to get confirmation. You can get confirmation by using a virus scanner, or by booting from the uninfected write-protected DOS diskette and comparing the files on the hard disk to the known uninfected original copies. DO NOT RUN ANY PROGRAM ON THE HARD DISK WHILE AND BEFORE PERFORMING THIS TEST TO PREVENT THE VIRUS FROM GOING RESIDENT IN MEMORY. If the files have not been changed you are not dealing with a file virus. However, if they all appear changed in the same manner, it is very likely that the files have been infected. The bootsector is more difficult to test. Use the Page 19 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. DOS SYS command to replace the bootsector in case of doubt. Note that file viruses infect other programs. It is highly unlikely that you will find a few infected programs on a hard disk used frequently. If TbScan reports a virus in only 1% of the files on your hard disk, you should treat it as a false alarm. If you did not expect to find a virus but used the -analyze option of TbScan which detected a 'virus', forget about it. The -analyze option has never caused a virus to be detected that remains undetected in normal scan sessions. It causes many false alarms instead. If you find a virus, do NOT use your copy of TbScan to check other machines, unless you have copied it to a write-protected diskette before the system became infected. Although TbScan performs a sanity check on invokation, there are some viruses that are able to fool a self-check, and TbScan might therefore carry such a virus without detecting it itself. 5.3. Identification Identify the virus. This is extremely important because if you know which virus infected your system, you know what the virus must have done there, and whether or not your data files can still be relied upon. You can use a virus scanner to identify a virus. Once you know the name of the virus you should obtain additional information about the virus. Log on to our support BBS, consult literature on this subject, or consult a virus expert. If the virus only infects executable files you need only replace executable files. But if the virus swaps some bytes at a random location of your hard disk each time you execute a program, you have to replace your data files too, even though you didn't notice any changes in the data files themselves. 5.4. No Panic! The most important thing to do is NOT TO PANIC! Panicking doesn't help you, as you need to be calm to deal with the situation properly. In most cases of virus infection in the past, most of the damage was done by the operator of the system, not by the virus itself. Do nothing at all except for identifying the virus and obtaining information about it. An instant reformat of your hard disk(s) is the worst you can do. Once you know exactly what the virus does, you can work out a strategy to recover from the infection. Page 20 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. DO NOT MAKE A NEW BACK-UP OF YOUR SYSTEM THAT WILL OVERWRITE AN ALREADY EXISTING BACK-UP. Make a separate back-up instead and label it as being infected and unreliable. 5.5. Recovering When recovering from a virus infection it is important that you boot from an uninfected write-protected DOS diskette. Do NOT run any program from your hard disk! The virus must be denied access to your memory while you clean up the system. Restore the DOS system and bootsector by using the DOS SYS command. In case of a file virus, restore all executables. A virus removal utility is not recommended unless you don't have a back-up of the uninfected executable files. Depending on the kind of virus it might also be necessary to replace all data files. If the system has been infected by a virus that modifies the partition table it might be necessary to perform a low level reformat of your hard disk(s). If you used a utility to back up the partition table (like TbRescue) it isn't necessary to reformat the disk(s). TbRescue restores the partition table for you. Once the system has been cleaned, check all diskettes, back-ups, etc. One infected diskette can cause you the same trouble all over again. Therefore we highly recommend you to take measures to protect your system against re-infections, since there is always the possibility that you forgot to clean up one of your diskettes. Use a virus scanner frequently, install a resident scanner (like TbScanX), or even better, install the Thunderbyte PC Immunizer. Page 21 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. 6. CONSIDERATIONS AND RECOMMENDATIONS 6.1. Solving incompatibility problems. Although TbScanX has been designed to cooperate with other resident software, other software may not, causing system errors or worse. The problems most often occured: Problem: You are running a network. TbScanX is installed succesfully, but it does not display the "*scanning*" message while accessing files. It does also not detect viruses. Solution: Load TbScanX AFTER logging on to the network. Problem: It is impossible to start a TSR after TbScanX has been loaded. The TSR software reports that it already has been loaded in memory, which is not true. Solution: Use the -compatx switch of TbScanX while loading it. The TSR and TbScanX are using the same multiplex interrupt call. Problem: The system sometimes hangs when the message "*scanning*" is on the screen. The problem however is hard to reproduce. Solution: Try using StackMan. (StackMan is a resident stack manager developed by ESaSS and it is available on the Thunderbyte support BBS). Problem: The system sometimes hangs when the message "*scanning*" is on the screen when using a specific application. The problem can be reproduced. Solution: If you are using the -xms option, load TbScanX without it. If the problem is solved, you should not use the -xms option. If the problem is not related to the -xms option, try using StackMan. Problem: Everything works well, but as soon as I load a specific TSR the system hangs immediately after the TSR goes resident. The TbScanX option -compatx does not solve the problem. Page 22 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. Solution: Use StackMan with the -dos option and try again. 6.2. Reducing the memory requirements. Most PC users try to maintain as much free DOS memory as possible. TbScanX is designed to use only a little amount of DOS memory. To decrease the memory requirements of TbScanX any further do the following: - Load TbScanX from within the Config.Sys file. If loaded as a device driver TbScanX has not a Program Segment Prefix (PSP), and that saves 256 bytes for free. - If you invoke TbScanX from within the Autoexec.Bat file do this before establishing environment variables. DOS maintains a list of environment variables for every resident program, so keep this list small while installing TSRs. Once all TSRs are installed you can define all environment variables without affecting the memory requirements of the TSRs. - Use swapping. By using one of the options -ems, -xms, -cga, -hercfull or -herchalf TbScanX swaps itself to non-DOS memory, leaving only 1 Kb of code in DOS memory. Swapping to expanded memory (-ems) is preferred. - If you have DOS 5 or higher try to load TbScanX into an upper memory block using the "loadhigh" or "devicehigh" commands. It is recommended to enable swapping also to limit the usage of upper memory. A "hole" of 10Kb should be sufficient to load TbScanX into upper memory while using one of the swapping modes except -xms. If you don't use swapping TbScanX needs also memory to store the signatures. If you enable XMS swapping TbScanX needs to built the data structures in normal memory before copying them to XMS. This causes TbScanX to require additional memory at initialisation time. You can also combine the -xms option with one of the other swapping options. In that case TbScanX will finally use -xms as swapping memory, but while initialising TbScanX uses the other swapping mode enabling you to load TbScanX into an upper memory "hole" of only 10Kb. - Use one of the processor specific versions of TbScanX. They all consume less memory than the universal version of TbScanX. - To minimize the signature data you can consider to specify the -noboot option. In this case TbScanX does not maintain data for viruses with only the BOOT keyword set. - Finally you can edit the data file, deleting the less wide spread viruses and truncating the remaining signatures. Of Page 23 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. course we don't recommend this but if memory is tight it might be the only solution. 6.3. How many viruses does it detect? Some people think that TbScanX recognizes only 300 viruses, based upon the fact that the signature file contains only 300 signatures. What they do not realise is that the signatures are family signatures, which means that each signature covers many viruses. For instance, our PLO/Jerusalem signature detects over 25 viruses which are all related to the 'original' Jerusalem virus! Only one (wildcarded) signature is needed by TbScanX to cover all these mutants. Some competitive products treat each virus mutant as a separate virus, and so claim to detect over 800 viruses. However, TbScanX detects even more viruses using 'only' 300 signatures. 6.4. Testing the scanner Many people understandably wish to test the product they are using. While it is very easy to test, for instance, a word processor, it is very difficult to test a smart scanner like TbScanX. You cannot extract 25 bytes from an executable and insert it in the TBSCAN.DAT or VIRSCAN.DAT data file as a bogus signature just to find out whether or not TbScan will detect the 'signature' in the file it was copied from. It is very likely that TbScanX does NOT find it because it only scans the entry-area of the file whereas the 'signature' you extracted might be taken from some other location within the file. Even the -analyze option will not always cause such a test signature to trigger an alarm. You might ask: 'How then can I test the scanner if using a 'test signature' does not work?' We think you can't, unless you are an experienced assembler programmer. Sorry, but testing a disassembling scanner should be performed by virus experts only. Fortunately, you don't have to rely on our tests solely. There are anti-virus magazines that regularly publish tests of all virus scanners. At the end of this manual you will find names and addresses of such magazines. Anyway, third parties tested our scanner along several others, and they found TbScanX to have a very high hit rate. It detects even more viruses than many popular scanners do. 6.5. Extensions to the format of the data file There are a number of other scanners which are compatible with the data file format used by TbScanX. Some of these scanners allow for certain extensions to the data file which we consider absurd and Page 24 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. therefore refuse to implement. These extensions include special signatures for upper memory, overlay files, and numerous (highly) confusing filename extensions, different keywords for the same items, and XOR-decryption directives. 6.6. Compressed files Many executable files are compressed or packed. They contain an unpacking routine which unpacks the executable in memory to restore the original program size. The simplest compressor is the Microsoft ExePack program. This compressor is even included in the link program itself (use the /E option while linking to pack the executable). If the program contained a virus BEFORE compression took place, the virus has been compressed too. A scanner will not recognize the virus because of its compressed signature. The virus will still be able to execute though. If a virus resides inside a compressed file, it betrays its presence by infecting other files in your system. Hence the signature will be visible in all the newly infected files, which the scanner will dutifully report. The compressed file that brought the (compressed) virus into your system will probably not trigger an alarm itself. The virus inside this program can do its worst all over again unless you isolate this compressed file as the source of the infection. TbScanX does not unpack files, since too many files are compressed nowadays. Decompressing each one of them in your system would only be feasible if there was a limited number of compression schemes. Even if there were, TbScanX unpacking all your compressed files would be consuming too much time, the more so as most of the time this action would be quite unnecessary. Once you have established that a compressed file does not contain a virus, you can rest assured that this file will not get internally infected at a later date. Hence it makes no sense to have TbScanX unpack these files time and time again. If there wasn't a virus the first time you checked, there will not be one at subsequent times. Note that if the compressed file gets infected AFTER it has been compressed, the virus has NOT been compressed and will be clearly visible to a scanner. The problem we referred to above only exists when a file has been infected first and compressed afterwards. Fortunately, you can treat compression as a minor risk when files have been compressed by the programmer of the product (as is often the case). Most programmers are aware of the existence of viruses and go about compression with great care. If the programmer did not compress the file, well, then the file has not been compressed and the problem does not exist at all,...that is, if you obtained the Page 25 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. original version of a program of course. If you obtained your copy of the program from another copy, you have joined ranks with those that use illegal (!) copies of software and thereby take great risks! One of the previous owners of the program may have compressed it, treating you (perhaps unknowingly) to a nasty virus infection. 6.7. Other products A resident virus scanner is just one of the tools that are available to defend your system against viruses. Other products that might help you in your battle against viruses are: - Checksummers. Calculating a cryptographic checksum (or CRC) for every file and comparing it with previously recorded information may tell you whether a file has been changed since the last checksum event. Keep in mind though that the return messages of checksum programs can only be relied upon if the system had not been infected before the initial checksum calculation was made. Note that no checksum program is able to detect stealth viruses, unless you boot from a clean write-protected diskette before performing the checksum calculations. Also note that it is quite normal for some executables to change: e.g. some will allow for configuration information to be stored inside the executable itself. It is up to the user to interpret the information of the checksummer. Checksummers should only be used as part of your strategy. You can never fully rely on them as they have a high false-positive rate, and a high false-negative rate as well. They can, however, be a handy additional tool. - Transient (non-resident) scanners. Although memory resident scanners can be very convenient, it is recommended to use a normal scanner once a week. Transient scanners can create a log file, rename or delete infected files, they can scan the memory of your PC and the partition table, they can perform algorithmic searches etc. Because transient scanners have more memory available while scanning, they can handle more exceptions, perform their job even more reliable, and they can often scan for viruses that don't have a steady signature. Some virus scanners are even able to detect "unknown" viruses by interpreting the contents of a file. A transient scanner you might consider is TbScan. It has all these features and is the fastest scanner available. Page 26 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. - Virus removal utilities. Virus removal utilities (also called clean-up software) can be used after a file has been infected, to separate the virus from the file. Although the removal utilities are very popular we don't recommend their use. There are many mutant viruses that look like their known original but which are in fact slightly altered variations on them. The removal utility might not recognise the virus for being the mutant it is, and the utility removes either too many or too few bytes, causing the executables concerned to get fatally damaged. Instead of using virus removal utilities we recommend the strategy of replacing the infected files by their non-infected originals. So if you still have not made a back-up of your system, make one NOW! - Memory resident monitoring software. It is possible to install software that monitors all DOS and BIOS activity and traps attempts to modify executable files, attempts to install TSR programs, attempts to modify bootsectors, etc. Although this method is very reliable, it is always possible to by-pass software using other software. Also keep in mind that the protection software has to be resident in memory before any virus can become active. TSR type viruses can be blocked this way, but bootsector viruses install themselves in memory before any protection software can be loaded. Once the virus resides in memory before any protection software has been activated, the virus can re-route all interrupts and the protection software will not be able to detect anything suspicious. Note that resident monitoring software consumes a lot of you precious memory too. - Hardware immunizers. Hardware immunizers are the best possible solution. They don't consume much memory and are guaranteed to be first in memory. They are even active before the machine tries to boot and they cannot be by-passed. A disadvantage to such a device is that its installation is more complicated than that of the other anti-virus tools, and it requires a free expansion slot of course. Page 27 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. 7. APPLICATION INTERFACE If you are a software developer you can use TbScanX to check data for viruses. A program can perform a self check as soon as it is invoked by sending its code to TbScanX. A program that processes other programs or parts of it (by example scramblers or executable file compressors) should check the data for viruses before processing it. 7.1. High-level control This method is most usefull for the so-called high level programming languages and languages that lack the ability to generate interrupts. Try to open the file "SCANX". If this file exists TBSCANX is installed in the machine. Open the file in the binairy mode. Write the data to be scanned to the opened file. If the data contains a signature of a virus TbScanX simulates a DOS "write protect error". If nothing happens and the data is accepted no signature could be found in it. 7.2. Low-level control This method is more complex, but offers more possibilities. If your programming language supports issuing interrups you should be able to use this method. The interface consist of some multiplex calls (int 2Fh). Register AH should contain CAh. Register AL contains the function request number. On the Thunderbyte support BBS you will find additional information, examples and libraries. Supported function requests: AL=0 InstallationCheck Return value: AL=0 TbScanX not installed AL=FFh TbScanX installed If BX was 'TB' then it is now changed into 'tb'. AL=1 GetStatus Return value: Page 28 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. AH Version number TbScanX in BCD. (CAh if version < 2.2) AL=0 TbScanX disabled AL=1 TbScanX enabled BX Segment swap area. Zero if not swapped. CX Number of signatures that will be searched. DX EMS_Handle. -1 if no expanded memory in use. If DX is not equal to -1 but BX contains zero then TbScanX uses XMS swapping. DX contains the XMS handle in that case. AL=2 SetStatus BL=0 Disable TbScanX BL=1 Enable TbScanX Return value: NONE AL=3 ScanBuffer DS:DX Address of buffer to scan. CX Length of buffer to scan. Return value: No Carry flag set No signatures found in buffer. Carry: Signature found in buffer! ES:BX ASCIIZ-name of virus (null terminated) Registers altered: AX,BX,CX,DX,ES The contents of the buffer remains unchanged. AL=4 ScanFile DS:DX Name of the program file to be scanned. WARNING! There should be at least 4 Kb of free memory to perform this function! Return value: No Carry flag set No signature found in file. Carry: Signature found in buffer! ES:BX ASCIIZ-name of virus (null terminated) Registers altered: AX,BX,CX,DX,ES Page 29 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. Assembler example: mov ah,0CAh ;Multiplex number mov al,0 int 02Fh ;Installation check cmp al,0FFh ;If AL=FFh TbScanX has been installed. jne notinstalled ;Else TbScanX has not been installed. lea dx,buffer ;Address of the buffer in DS:DX mov cx,512 ;Length of our buffer mov ah,0CAh ;Multiplex number mov al,3 int 02Fh ;ScanBuffer jnc notinfected ;No carry? Then no virus found! call print ;Virus found. Print name ES:BX notinfected: Page 30 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. 8. OUR OTHER PRODUCTS 8.1. TbScan There is also a (shareware) non memory resident version of TbScanX available with the name TbScan. TbScan is one of the fastest (and at this moment the fastest) virus scanner available. Besides its blazingly speed it has many configuration options, it can detect mutants of viruses, it disassembles all files on the fly, detecting suspicious instruction sequences, it can bypass stealth type viruses, etc. TbScan is available on many BBSses. It is of course also available at any Thunderbyte support BBS. At the end of this document you can find some phone numbers. 8.2. TbRescue Some viruses copy themselves onto the partition table of the hard disk. Unlike bootsector viruses, they are hard to remove. The only solution would seem to be to low-level format the hard disk and to create a new partition table. TbRescue offers a more convenient alternative to such radical measures. It makes a back-up of your uninfected partition table and boot sector. If these get infected in your system, the TbRescue back-up can be used as a verifying tool and as a means to restore the original (uninfected) partition table and bootsector without the need for a disk format. The program can also restore the CMOS configuration for you. If a back-up of your partition table is not available, TbRescue will try to create a new partition table anyhow, again avoiding the need for a low-level format. Another important feature of TbRescue is that it can be used to replace the partition table code by new code that offers greater resistance to viruses. The TbRescue partition code will be executed before the boot sector gains control, enabling it to check this sector in a clean environment. The TbRescue partition code performs a CRC calculation on the boot sector just prior to control is passed to it. If the boot sector has been modified the Tbrescue partition code will warn you about this. The Tbrescue partition code also checks the RAM lay-out and informs you whether or not it has been changed. It carries out these checks each time you boot from your hard disk. Note that once the boot sector has been executed unchecked, it is very difficult to check it afterwards. A virus could have become Page 31 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. resident in memory during boot-up and have hidden its presence. Once again, TbRescue will offer you a great deal of security here as it is active BEFORE the boot sector is executed. Also note that the use of TbRescue is much more convenient than the traditional strategy of booting from a clean DOS diskette for an undisturbed inspection of the boot sector. 8.3. Thunderbyte Thunderbyte was developed to protect Personal Computers against computer viruses, Trojan Horses and other such threats to your valuable data. It is hardware protection, consisting of an adapter card, an installation and configuration program and a clear manual. The Thunderbyte add-on card has been designed to protect your system against ANY virus attack offering you maximum protection now...and in the future. Do note that Thunderbyte does not need to know which particular virus is about to harm your system. It recognizes virus ACTIVITIES and blocks them before they can affect your system. Our hardware protection offers much greater security than any software protection. Thunderbyte is already active before the operating system is loaded, so the computer will be totally protected right from the moment you switch on your PC. Because of the many configuration possibilities and the application of intelligent algorithms, the use of Thunderbyte will never become a burden: you will hardly notice its presence in an environment without any viruses. Of course Thunderbyte is Windows-compatible and can be used in Local Area Networks. Advantages of our hardware protection: + It requires very little (1Kb) RAM + The protection is already active before the first boot attempt of the PC, thereby preventing boot sector viruses from becoming active. Note that software protection cannot protect you against boot sector viruses, since such protection will be activated AFTER the system boot-up. + Direct access to hard disk(s) is no longer possible as the hard disk cable passes through Thunderbyte. + Thunderbyte will ALWAYS become active, even if your system is booting from a diskette. Thunderbyte offers you many kinds of protection: Page 32 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. + Protection against loss of data. Thunderbyte is connected to the hard disk cable on one end and to the controller cable on the other. This enables it to prevent the hard disk from being accessed directly. The only way to access the drive from the moment of Thunderbyte installation onwards is by using interrupt 13h. In addition Thunderbyte detects all direct disk writes which try to modify or damage your data. It also checks which program is responsible for such harmful instructions. Naturally the operating system itself should be allowed direct disk access which Thunderbyte grants without any interference. Though DOS offers some means of protecting your files against overwriting and modification through the 'read-only' file attribute, this protection can be very easily circumvented by other software. Thunderbyte makes sure that such a file attribute cannot be removed without you being notified. Hence in the precence of Thunderbyte you can REALLY protect your files effectively through the DOS ATTRIB command. + Protection against infection. Thunderbyte protects programs (files with the extensions EXE, COM or SYS) against infection by monitoring all their modifications for any harmful effect they might have. The operation of your system will not be affected by this in any way. Compiling, linking, etc. will not be interfered with. Nor will programs be prevented from storing configuration information internally. Furthermore, Thunderbyte will make sure that once DOS attributes have been set, they will remain set. Attempts to modify the boot sector of the disk are intercepted by Thunderbyte, so the dreaded boot sector viruses will be successfully blocked. Keep in mind that the boot sector can hardly be protected by software. Maximum protection can ONLY be offered by Thunderbyte here as it is already active before the system tries to boot! + Detection of viruses. Thunderbyte detects virus-specific activities in a number of other ways as well. It notices a virus flagging a file as being infected in order to avoid re-infection. It also notices the suspicious manner in which viruses attempt to reside in memory and the abnormal manipulation of interrupt vectors. + Password protection. Thunderbyte has the possibility of installing a password. There are two kinds of passwords: one that is always requested Page 33 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. or one that you only have to enter when attempts are made to boot from a diskette instead of the hard disk. + Safety. A lot of attention and care has been devoted to making Thunderbyte impregnable to viruses. The program code of Thunderbyte is located in ROM and there is no way it can be modified there. It is impossible to manipilate and/or modify Thunderbyte's operation through software. All the important settings have to be chosen by means of dipswitches on the adapter card. And despite all their ill-begotten intelligence, viruses will never be able to turn switches or to influence their read-outs. Viruses that approach the controller of the hard disk directly will have a rude awakening: Thunderbyte will only allow disk writes when the write or format command has followed its normal (checked) course. We supply our Thunderbyte cards in a number of different internal lay-outs to make sure that knowledge of the internal workings of only one Thunderbyte card is not sufficient to devise means of damaging or destroying the protective working of all the others. Naturally the different Thunderbyte versions are functionally identical to each other. Thunderbyte is continuously checking its own variables with a checksum that is different for each version. The locations of the memory where the variables are maintained are also different for each version. The particular version of the Thunderbyte card sent to you is selected on a purely random basis. + Extra possibilities. Thunderbyte offers you some interesting bonuses, like booting from drive B:. Page 34 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. 9. NAMES AND ADDRESSES 9.1. Contacting the author. TbScanX has been written by Frans Veldman. You can leave messages for him at the Dutch support BBS. Registered users can also phone ESaSS for technical support. To register, see the file REGISTER.DOC. 9.2. ESaSS For more information about Thunderbyte you can contact: ESaSS B.V. Tel: + 31 - 80 - 787 881 P.o. box 1380 Fax: + 31 - 80 - 789 186 6501 BJ Nijmegen Data: + 31 - 85 - 212 395 The Netherlands (2:280/200 @fidonet) 9.3. Thunderbyte support BBS's. TbScan, TbScanX and the signature files (TbVirSig) are available on Thunderbyte support BBS's: Thunderbyte headquarters in the Netherlands: +31- 85- 212 395 (2:280/200 @fidonet) Thunderbyte support Germany (Androtec): +49- 2381- 461565 (2:245/50 @fidonet) Thunderbyte support Italy/S.Marino/Vaticano/Malta: +39- 766- 540 899 (2:335/5 @fidonet) Thunderbyte support Sweden (Virus Help Centre): +46- 26- 275 710 (2:205/204 @fidonet, 9:9/0 @virnet) Thunderbyte support Australia (Calmer): +61- 2- 482- 1716 If you are running an electronic mail system, you can also file-request TBSCAN to get the latest version of TBSCAN.EXE, TBSCANX to get the resident automatic version of TBSCANX, and VIRUSSIG to obtain a copy of the latest update of the signature file. 9.4. Recommended magazines and organisations. Virus Bulletin. Virus Bulletin Ltd. Page 35 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel. +44-235-555139. National Computer Security Association. 227 West Main Street. Mechanicsburg, PA 17055, United States. Tel. +1-717-258-1816 Virus News International. Berkley court, Millstreet, Berkhamsted, Hertfordshire, HP4 2HB, England. Tel. +44-442-877877. Page 36 TbScanX resident virus scanner v3.1 (C) Copyright 1989-1992 ESaSS B.V. Page 37