Liren Large Software Subsidy 16

home *** CD-ROM | disk | FTP | other *** search

/ Liren Large Software Subsidy 16 / 16.iso / t / t269 / 1.img / TBAV.DOC < prev next >

Wrap

Text File | 1993-10-19 | 301.4 KB | 7,606 lines

TBAV user manual (C) Copyright 1993 Thunderbyte B.V. CONTENTS SECTION 0. INTRODUCTION 1. How to use the manual . . . . . . . . . . . . . . . . . 0 - 1 2. Overview of the TBAV utilities . . . . . . . . . . . . 0 - 1 SECTION I. INSTALLING TBAV 1. How to install TBAV . . . . . . . . . . . . . . . . . I - 1 1.1 Initial installation . . . . . . . . . . . . . . I - 1 1.2 Windows . . . . . . . . . . . . . . . . . . . . . I - 4 2. Configuration . . . . . . . . . . . . . . . . . . . . . I - 6 3. TbSetup . . . . . . . . . . . . . . . . . . . . . . . . I - 8 3.1. The Purpose of TbSetup . . . . . . . . . . . . . I - 8 3.2. How to use TbSetup . . . . . . . . . . . . . . . I - 8 3.3. Command line options . . . . . . . . . . . . . . I - 13 3.4. While executing . . . . . . . . . . . . . . . . I - 15 4. TbDriver . . . . . . . . . . . . . . . . . . . . . . . I - 18 4.1. Purpose of TbDriver . . . . . . . . . . . . . . I - 18 4.2. Command line options . . . . . . . . . . . . . . I - 18 4.3. Language support . . . . . . . . . . . . . . . . I - 20 5. System maintenance . . . . . . . . . . . . . . . . . . I - 21 6. Network maintenance . . . . . . . . . . . . . . . . . . I - 23 6.1. Using DOS REPLACE . . . . . . . . . . . . . . . I - 23 6.2. Using PkUnZip . . . . . . . . . . . . . . . . . I - 23 SECTION II. ANTI-VIRUS STRATEGY 1. Protection against viruses . . . . . . . . . . . . . . II - 1 1.1. Introduction . . . . . . . . . . . . . . . . . . II - 1 1.2. Basic precautions . . . . . . . . . . . . . . . II - 1 2. What to do when a virus strikes . . . . . . . . . . . . II - 6 2.1. Detection of viruses . . . . . . . . . . . . . . II - 6 2.2. Recovering from viruses . . . . . . . . . . . . II - 7 SECTION III. USING THE TBAV UTILITIES 1. TbScan . . . . . . . . . . . . . . . . . . . . . . . III - 1 1.1. The Purpose of TbScan . . . . . . . . . . . . III - 1 1.2. How to use Tbscan . . . . . . . . . . . . . . III - 2 1.3. Command line options . . . . . . . . . . . . . III - 9 1.4. The scanning process . . . . . . . . . . . . . III - 14 2. TbScanX . . . . . . . . . . . . . . . . . . . . . . III - 18 2.1. The Purpose of TbScanX . . . . . . . . . . . . III - 18 2.2. How to use TbScanX . . . . . . . . . . . . . . III - 18 2.3. Command line options . . . . . . . . . . . . . III - 19 2.4. While scanning . . . . . . . . . . . . . . . . III - 22 3. TbCheck . . . . . . . . . . . . . . . . . . . . . . III - 23 3.1. The Purpose of TbCheck . . . . . . . . . . . . III - 23 3.2. How to use TbCheck . . . . . . . . . . . . . . III - 23 3.3. Command line options . . . . . . . . . . . . . III - 24 3.4. While checking . . . . . . . . . . . . . . . . III - 26 3.5. Testing TbCheck . . . . . . . . . . . . . . . III - 26 4. TbClean . . . . . . . . . . . . . . . . . . . . . . . III - 27 4.1. The Purpose of TbClean . . . . . . . . . . . . III - 27 4.2. How to use TbClean . . . . . . . . . . . . . . III - 28 4.3. Command line options . . . . . . . . . . . . . III - 30 4.4. The cleaning process . . . . . . . . . . . . . III - 31 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. CONTENTS 5. Ongoing virus prevention: TbMon . . . . . . . . . . . III - 35 5.1. TbMem . . . . . . . . . . . . . . . . . . . . III - 37 5.2. TbFile . . . . . . . . . . . . . . . . . . . . III - 40 5.3. TbDisk . . . . . . . . . . . . . . . . . . . . III - 42 6. TBAV Tools . . . . . . . . . . . . . . . . . . . . . III - 48 6.1. TbUtil . . . . . . . . . . . . . . . . . . . . III - 48 6.2. StackMan . . . . . . . . . . . . . . . . . . . III - 56 SECTION IV. ADVANCED USER INFORMATION 1. Memory requirements . . . . . . . . . . . . . . . . . . IV - 1 2. TbSetup . . . . . . . . . . . . . . . . . . . . . . . . IV - 3 2.1. Anti-Vir.Dat design considerations . . . . . . . IV - 3 2.2. Format of TbSetup.Dat . . . . . . . . . . . . . IV - 3 2.3. TBAV site installation . . . . . . . . . . . . . IV - 5 3. TbScan . . . . . . . . . . . . . . . . . . . . . . . . IV - 7 3.1. Heuristic scanning . . . . . . . . . . . . . . . IV - 7 3.2. Integrity checking . . . . . . . . . . . . . . . IV - 8 3.3. Program validation . . . . . . . . . . . . . . . IV - 9 3.4. The algorithms . . . . . . . . . . . . . . . . . IV - 9 3.5. The TbScan.Lng file . . . . . . . . . . . . . IV - 10 4. TbClean . . . . . . . . . . . . . . . . . . . . . . . IV - 12 5. TbGensig . . . . . . . . . . . . . . . . . . . . . . IV - 15 5.1 The Purpose of TbGenSig . . . . . . . . . . . . IV - 15 5.2 Defining signatures . . . . . . . . . . . . . . IV - 15 5.3 Keywords . . . . . . . . . . . . . . . . . . . IV - 18 5.4 Wildcards . . . . . . . . . . . . . . . . . . . IV - 21 APPENDIX A. TBAV messages APPENDIX B. TbScan - Heuristic flag descriptions APPENDIX C. Solving incompatibility problems Appendix D. Exit codes Appendix E. Virus naming TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION 0 SECTION 0. INTRODUCTION 1. How to use the manual Congratulations! By purchasing the ThunderBYTE Anti-Virus utilities you have taken the basic step in building a massive anti-viral safety wall around your precious computer system. Setting up the appropriate defen- se, using the TBAV utilities, is a 'personal matter'. Therefore, we highly recommend to read this manual thoroughly, so you are well aware of all different kinds of security measures you may take. This manual consists of four main sections. Section I instructs you how to install the TBAV utilities on your hard disk(s), including some useful hints on customized initialization. Section II gives an instruc- tion on how to prevent viruses from infecting your computer system(s) and directions on how to handle when you actually have been struck by a computer virus. In section III, both purpose and functionality of all TBAV utilities are described. For those who want to know more about the subject, some 'advanced user information' on the ThunderBYTE Anti-Virus utilities is presented in section IV. You may use the TBAV manual as a reference manual, via an extensive index and appendices referring to the TBAV error messages. => Note that a complete reading of the manual is indispensible in order to become familiar with the many facets of ThunderBYTE Anti-Virus, to know what steps can - and must - be taken to ensure adequate protection and to be fully prepared for a complete recovery, if and when disaster strikes. 2. Overview of the TBAV utilities What is ThunderBYTE Anti-Virus? ThunderBYTE Anti-Virus (TBAV) is a comprehensive toolkit designed to protect against - and recover from - computer viruses. While TBAV focuses heavily on numerous ways to prevent a virus infection, the package would not be complete without various cleaner programs to purge a system, in the unlikely event that a virus manages to slip through. The package therefore consists of a number of programs each of which help you to prevent viruses to do their destructive jobs. Here is a quick overview. Collecting software information: TbSetup TbSetup is a program that collects information from all software found on your system. The information will be put in files named Anti-Vir.Dat. 0 - 1 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION 0 The information maintained in these files can be used for integrity checking, program validation, and to clean infected files. Enable memory resident TBAV utilities: TbDriver TbDriver does not provide protection against viruses by itself, but must be loaded in advance to enable the memory resident ThunderBYTE Anti- Virus utilities, such as TbScanX, TbCheck, TbMem, TbFile and TbDisk to do their job properly. Scanning for viruses: TbScan TbScan is both a very fast signature scanner and a so-called heuristic scanner. Besides its blazing speed it has many configuration options. It can detect mutants of viruses, it can bypass stealth type viruses, etc. The signature file used by TbScan is a coded 'TbScan.Sig' file, which can be updated by yourself in case of emergency. TbScan is able to disassemble files. This makes it possible to detect suspicious instruc- tion sequences and to detect yet unknown viruses. This generic detecti- on, named heuristic analysis, is a technique that makes it possible to detect about 90% of all viruses by searching for suspicious instruction se-quences rather than using any signature. For that purpose TbScan contains a real disassembler and code analyzer. Another feature of TbScan is the integrity checking it performs when it finds the Anti-Vir.Dat files generated by TbSetup. 'Integrity checking' means that TbScan will check that every file being scanned matches the information maintained in the Anti-Vir.Dat files. If a virus infects a file, the maintained information will not match the now changed file anymore, and TbScan will inform you about this. TbScan performs an integrity check automatically, and it does not have the false alarm rate other integrity checkers have. The goal is to detect viruses and not to detect configuration changes! Automatic scanning: TbScanX TbScanX is the memory resident version of TbScan. This signature scanner remains resident in memory and automatically scans those files which are being executed, copied, de-archived, downloaded, etc. TbScanX does not require much memory. It can swap itself into expanded, XMS, or high memory, using only 1Kb of conventional memory. Check while loading: TbCheck TbCheck is a memory resident integrity checker. This program remains resident in memory and checks automatically every file just before it is being executed. TbCheck uses a fast integrity checking method, consuming 0 - 2 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION 0 only 400 bytes of memory. It can be configured to reject files with incorrect checksums, and/or to reject files that do not have a corres- ponding Anti-Vir.Dat record. Restoring infected boot-sector, CMOS and partition tables: TbUtil Some viruses copy themselves into the hard disk's partition table, which makes them far more difficult to remove than bootsector viruses. Perfor- ming a low-level format is an effective, but rather drastic measure. TbUtil offers a more convenient alternative by making a precautionary back-up of uninfected partition tables and the boot sector. If an infection occurs, the TbUtil back-up can be used as a verifying tool and as a means to restore the original (uninfected) partition table and bootsector without the need for a destructive disk format. The program can also restore the CMOS configuration for you. If a back-up of your partition table is not available, TbUtil will try to create a new partition table anyway, again avoiding the need for a low-level format. Another important feature of TbUtil is the option to replace the parti- tion table code with new code offering greater resistance to viruses. The TbUtil partition code is executed before the boot sector gains control, enabling it to check this sector in a clean environment. The TbUtil partition code performs a CRC calculation on the master boot sector just before the boot sector code is activated and issues a warning if the boot sector has been modified. The TbUtil partition code also checks and reports changes in the RAM lay-out. These checks are carried out whenever the computer is booted from the hard disk. It should be noted that boot sector verification is imperative before allowing the boot sector code to execute. A virus could easily become resident in memory during boot-up and hide its presence. TbUtil offers total security at this stage by being active before the boot sector is executed. Obviously, TbUtil is far more convenient than the traditional strategy of booting from a clean DOS diskette for an undisturbed inspection of the boot sector. Reconstructing infected files: TbClean TbClean is a generic file cleaning utility. It uses the Anti-Vir.Dat files generated by TbSetup to enhance file cleaning and/or to verify the results. TbClean can however also work without these files. It disassem- bles and emulates the infected file and uses this analysis to recon- struct the original file. Resident safeguard: TbMon TbMon is a set of memory resident anti-virus utilities, consisting of TbMem, TbFile and TbDisk. Most other resident anti-virus products offer you the choice to invoke them before the network is loaded and losing 0 - 3 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION 0 the protection after the logon procedure, or to load the anti-viral software AFTER the logon to the network, resulting in a partially unprotected system. The ThunderBYTE Anti-Virus utilities however recog- nize the network software and take appropriate actions to ensure their functionality. Controlling memory: TbMem TbMem detects attempts from programs to remain resident in memory, and makes sure that no program can remain resident in memory without permis- sion. Since most viruses remain resident in memory, this is a powerful weapon against all those viruses, known or unknown. Permission informa- tion is maintained in the Anti-Vir.Dat files. Preventing infection: TbFile TbFile detects attempts from programs to infect other programs. It also guards read-only attributes, detects illegal time-stamps, etc. It will make sure that no virus succeeds in infecting programs. Protecting the disk: TbDisk TbDisk is a disk guard program which detects attempts from programs to write directly to disk (without using DOS), attempts to format, etc., and makes sure that no malicious program will succeed in destroying your data. This utility also traps tunneling and direct calls into the BIOS code. Permission information about the rare programs that write directly and/or format the disk is maintained in the Anti-Vir.Dat files. Define your own signatures (in case of an emergency): TbGensig Since TBAV is distributed with an up-to-date, ready-to-use signature file, you do not really need to maintain a signature file yourself. If, however, you want to define your own virus signatures, you will need the TbGensig utility. You can use either published signatures or define your own ones if you are familiar with the structure of software. Remove infected files: TbDel The DOS 'DEL' command does not actually erase a file. It simply changes the first filename character in the directory listing and frees up the space by changing the disk's internal location tables. TbDel is a small program with just one but important purpose: it replaces every single byte in a file with zero characters before deleting it. The entire contents are therefore obliterated and totally unrecoverable. 0 - 4 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION 0 An effective stack manager: StackMan To avoid problems with memory resident software ('TSR' programs) DOS is able to maintain a stack pool and to switch to a dedicated stack if a hardware interrupt occurs. The "Stacks" statement in the Config.Sys can be used to control this stack pool. The DOS stack switching however, has some drawbacks. TBAV StackMan offers important additional functionality above the DOS "Stacks" command. 0 - 5 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I SECTION I. INSTALLING TBAV 1. How to install TBAV System requirements The ThunderBYTE Anti-Virus utilities can be executed on any IBM or compatible PC with at least 1 Mb disk space. The TBAV utilities need 256 Kb free internal memory and require DOS 3. However, DOS 5 or a later version is recommended. The TBAV utilities are compatible with networks, Windows, DR-DOS, etc. 1.1 Initial installation You can install the TBAV utilities either by using the installation procedure (which is explained below) or by a fully customized TBAV installation (which is explained in sections I - 3 and II). Insert the TBAV installation diskette in the diskette drive. Type: A: or B: Type: install C:\TBAV <Enter> +---------------------------------------+ | F1 First time installation | | F2 Update installation | | F3 About.... | | F4 Exit.... | +---------------------------------------+ Since this is the first time you install the TBAV package you choose the first option by pressing <Enter> or <F1>. ----- [ Please select Drive to install TBAV to: ]----- You need at least 1024 KB of available space to install TBAV ! C: 3581952 D: 21291008 Toggle to the disk on which the TBAV utilities must be installed. TBAV Install displays the amount of free disk space of each available disk. I - 1 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I Next, TBAV Install will prompt you for the TBAV directory. The default directory is \TBAV: -----[ Please select Directory to install TBAV to: ]----- [C:\TBAV ] If the specified directory does not exist, the installation pro-gram will create it. Subsequently, the TBAV files are copied onto your hard disk. +-----------------------------------------------------------+ | The documentation for TBAV is compressed into a file. | | The documentation-file will now be self-extracted. | | Press any key when ready.... | | | | | | Inflating: c:/tbav/TBSCAN.DOC -AV | | Inflating: c:/tbav/TBSCANX.DOC -AV | | Inflating: c:/tbav/TBCLEAN.DOC -AV | +-----------------------------------------------------------+ The packed text files are copied onto your hard disk and inflated. After copying all files, TbSetup is loaded, which will generate or update the Anti-Vir.Dat file of the TBAV directory. +-----------------------------------------------------------+ | TbSetup will now generate or update the Anti-Vir.Dat | | file of the directory C:\TBAV | | Press any key when ready... | +-----------------------------------------------------------+ The ThunderBYTE Anti-Virus utilities are copied to the destination directory. The installation program helps you to setup the utilities in their most standard and non-customized way. After reading the manual thoroughly, you can configure the package to suit your own personal needs. +-----------------------------------------------------------+ | This installation program helps you to setup the utilities| | in their most standard and non-customized way. | | Do you want to continue ? (Y/N) | +-----------------------------------------------------------+ If 'No', TBAV Install will not prompt you for placing the memory resi- dent TBAV utilities in the autoexec.bat file, nor for creating the Anti- Vir.Dat files. If yes, TBAV Install backs up your original Autoexec.Bat file and appends a call to the tbstart.bat file. For easy access of the TBAV utilities it is recomended to put them into your PATH environment variable. Your Autoexec.Bat file now looks like this: I - 2 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I @ECHO OFF PATH C:\TBAV call C:\TBAV\tbstart.bat Subsequently, TbSetup will process the indicated drive to generate the Anti-Vir.Dat files. You may need to repeat this process for other drives. Consult the relevant section for more information! The TBAV package contains some utilities that can be instal- led in the memory of your PC. For each of these utilities you can indicate whether the installation program must add them to the Tbstart.bat file: TBSCANX is a memory resident virus scanner. Do you want to install it ? (Y/N) TBCHECK is a memory resident integrity checker. Do you want to install it ? (Y/N) TBMEM is a resident memory guard. Do you want to install it ? (Y/N TBFILE is a resident file guard. Do you want to install it ? (Y/N) If you answer the subsequent question with Yes, TBAV will scan your system for viruses automatically once every day: Do you want the system to be scanned automatically for viruses every day ? (Y/N) The installation program will write the indicated configuration values in the 'tbstart.bat' file, which is located in the Thunder-BYTE directo- ry you specified before, eg.: C:\TBAV\tbdriver C:\TBAV\tbscanx C:\TBAV\tbcheck C:\TBAV\tbmem C:\TBAV\tbfile C:\TBAV\tbscan once C:\ Finally, you can force the TBAV utilities to scan your disk right away. It is very likely that some of the TBAV utilities are going to display messages when you reboot and continue using the computer as you normally would. Some programs perform operations that are monitored by the TBAV utilities, so TBAV must first 'learn' which programs need proper permis- I - 3 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I sion. Execute some of the programs you use regularly and at each rele- vant query respond with 'Y' to authorize or 'N' to deny permission. TBAV will remember the settings and not bother you again. Reboot the computer at the end of this test run. The TBAV utilities are now ready to monitor the system and will issue a warning if something suspicious - or worse - is about to happen. They will also warn you if any new file contains a possible virus - well before it can do any harm. 1.2 Windows When used under Windows, the utilities remain active in every DOS box, without interfering with the operation of adjacent windows. All TBAV utilities may be loaded in a graphics DOS box inside Windows, providing trouble-free support using a no-nonsense interface. There are a number of good reasons for this TBAV package design strate- gy, at the risk of alienating Windows fans expecting ornate GUI applica- tions. A Windows based scanner may look prettier, but offers no added functionality. On the contrary, a graphics interface requires more system resources, inflates program size, performs more sluggishly and puts a penalty on overall reliability. Also, consider what happens if one of the Windows executables becomes infected. From that point onwards Windows may very well refuse to work altogether and simply hang the computer. Your Windows based scanner will not do you much good at this point - just when you need it most, you can't start it up in order to find out what went wrong. And what about another dilemma. In order to be able to cope with stealth viruses you must power down and reboot from a clean DOS diskette prior to scanning or checking - but have you ever tried to boot Windows 3.1 from a diskette? TBAV menu and command syntax You can activate most of the TBAV utilities from within the TBAV menu, by loading: cd\tbav tbav In order to execute the utilities automatically, all TBAV drivers and utilities may be executed from the DOS prompt. In a systemized setup, however, the drivers should be installed and activated in your Con- fig.Sys, with a device= or install= directive, or in the TbStart.Bat file as a TSR. Similarly, most utilities can be started automatically - in the case of TbScan restricted to once a day - in the TbStart.Bat I - 4 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I file. The two exceptions are TbClean and TbDel, which should be executed only from the DOS prompt and (TbClean) from within the TBAV menu. All commands for ThunderBYTE Anti-Virus can be used with command line switches or options to control special features. The options may either be written out in full, or abbreviated to their one- or two-letter mnemonic to shorten the command line. Throughout this manual the exam- ples are given with options in verbose, unabbreviated form for clarity. Options must be separated by spaces. They do not need a preceding switch character, but you may use the customary slash or hyphen switch charac- ters if you wish. The standard command line syntax for all ThunderBYTE Anti-Virus commands is: command [<path>] [<filename>] [<option>] ... [<suboption>] ... You may review the correct syntax for any command, including a complete option list, with the command followed by the word 'help' or a question mark, as in: tbcheck ? The same on-line help is provided whenever the command is issued with an invalid option. The examples, presented in this manual assume that all utilities were installed in the default \TBAV directory. Create a recovery diskette! It is highly recommended to make a recovery diskette. The example setups assume you have created such a recovery diskette (see the instructions in section II). I - 5 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I 2. Configuration The choices you made when installing the TBAV utilities may need some tuning, for instance by appending options to the loading command. This tuning can be done by editing the TBSTART.BAT file, which automatically loads the memory resident utilities. => If suitable, you may write the relevant commands in the Config.Sys file instead. Do not forget to specify the .EXE extension in the Config.Sys file! Below, some basic hints are presented, to customize the initial settings to suit your own needs. After initializing and rebooting your system for the first time afterwards, TBAV will need your response in the initial 'learning' stage. TBAV menu configuration The TBAV menu allows some configuration, as well. +----Main menu-----+ | Confi+----------TBAV configuration----------+ | TbSet|v Use colors | | TbSca| Save configuration to TBAV.INI | | TbUti| File view utility | | TbCLe|v Wait after program execution | | TBAV | Display cmd line before executing | | Docum|v Edit command line before executing | | Quit +--------------------------------------+ | eXit (no save) | +------------------+ You can activate the configuration options by toggling to the relevant choice and pressing <Enter>. Use colors If disabled, TBAV will be displayed in monochrome mode, which is conve- nient for use on laptop computers. Save configuration to TBAV.INI All configuration values, set within the TBAV menu, are saved in the 'TBAV.INI' file, once you have selected this option. The next time you load the TBAV utilities the configuration values in the current TBAV.INI file will be valid. These values apply to the TBAV menu itself and the utilities TbSetup, TbScan and TbClean. Although you may edit the TBAV.I- NI file manually, it is recommended to let the TBAV menu shell generate it. By default, the contents of the TBAV.INI file is only valid while I - 6 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I using the TBAV menu shell. You may, however, enable the "Use TBAV.INI file" options (or specify the 'UseIni' switches in the TBAV.INI file itself) for each of the utilities mentioned above. Doing so, the confi- guration, saved in the TBAV.INI file will also be valid when TbSetup, TbScan or TbClean are loaded from the command line. Be careful, since options specified in the TBAV.INI file can not be undone on the command line. TBAV will create a TBAV.INI file when enabling this option for the first time. In this file all valid configuration switches are listed. The disabled switches are preceded by a semicolon. File view utility TbSetup and TbScan generate a datafile and a logfile respectively. By default, you can view these files from the TBAV menu using an internal file view utility. By using this option you are able to attach your favorite external file view utility. Enter the complete path and the file name, including the extension. Wait after program execution By enabling this option, TBAV will display the message: "Press any key to return to the TBAV utilities" after executing an external utility. Display command line before executing Enabling this option will force TBAV to display the DOS command, which will load the external utility. This option comes in handy in order to see the command(s) you specified before. After pressing <Enter> TBAV will execute the DOS commands. Edit command line before executing If enabled, you may change the DOS command, which will load the external utility. I - 7 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I 3. TbSetup 3.1. The Purpose of TbSetup TbSetup is an indispensible tool, adding support to the rest of the ThunderBYTE Anti-Virus utilities, even though it does not take an active part in actual virus detection or cleaning itself. TbSetup organizes control and recovery information giving extra power to the other utili- ties. The information is gathered, mainly from program files, into a single reference file called Anti-Vir.Dat, one each per directory. The nature of Anti-Vir.Dat files will be explained more fully at the end of this chapter. Although the ThunderBYTE utilities can work perfectly well without the Anti-Vir.Dat files it is highly recommended to have TbSetup generate these files. The Anti-Vir.Dat files can be used for several purposes: Integrity checking. TbScan and the memory resident TbCheck program will perform an integrity check while scanning if it can detect the Anti- Vir.Dat file. If a file gets infected by a virus, the information in the Anti-Vir.Dat file will not match the actual file contents, and TbScan and TbCheck will inform you that the file has been changed. The TbSetup program recognizes some files that need special treatment. An example of such a file is a disk image file of a network remote boot disk. - Such a file that actually represents a complete disk - should be scanned completely, and for all viruses. TbSetup will put a mark in the Anti-Vir.Dat file to make sure that TbScan scans the complete file for all viruses. Once a file is infected, TbClean will reconstruct the original file. The information in the Anti-Vir.Dat file will be of great help to TbClean. Some infected programs can only be cured if there is information about the program in the Anti-Vir.Dat file. TbCheck (a tiny resident integrity checker) has no purpose if there are no Anti-Vir.Dat files on your system. The resident TBAV utilities need the Anti-Vir.Dat files to maintain permission information. Without Anti-Vir.Dat files you can not get rid of false alarms other than by disabling a complete feature. 3.2. How to use TbSetup This is the one program where the rule applies: The less you use the program, the better your protection against viruses! Why? Keep in mind that an Anti-Vir.Dat file stores vital information needed to detect a virus, as well as data for subsequent recovery and for cleaning. But consider what would happen if you were to execute TbSetup after a virus entered the system: the information in the Anti-Vir.Dat file would be I - 8 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I 'updated' to the state of the infected file, wiping out all traces of data needed to reconstruct the file of the original, uninfected state. Never use TbSetup when there is the slightest evidence of a virus in your system. Once the Anti-Vir.Dat files have been generated as part of the initial setup, any subsequent usage of TbSetup should be confined to directories with new or changed program files. Please note that the Anti-Vir.Dat directory entries will have the attribute 'hidden' and therefore do not show up when you use standard directory commands. You can see the filenames only with the help of special utilities. You may load TbSetup either from the DOS command line or from the TBAV menu. Drive and path tell TbSetup where it should perform its setup operation. To setup disks C: and D: you should enter: TbSetup C:\ D:\ When no filename has been specified but a drive and/or path instead, the specified path will be used as top-level path. All its sub-directories will be processed too. When a filename has been specified only the specified path will be processed. Sub-directories will not be processed. Wildcards in the filename are allowed. When executed from the DOS command line, the 'newonly' option can be used to prevent existing information from being overwritten. To help you remember that TbSetup needs to be executed again, the next time you execute TbScan it will display either a small 'c' after the file to indicate a new file or a capital 'C' if a file has simply been changed. Example: You add a new file TEST.EXE to your directory C:\FOO. TbSetup C:\FOO\TEST.EXE Example: You install a new product in a new directory C:\NEW. TbSetup C:\NEW When using the DOS command you may append a number of loading options. These options are presented in section 3.3. of this chapter. I - 9 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I The 'TbSetup' menu +----Main menu-----+ | Confi+------TbSetup menu------+ | TbSet| Start TbSetup | | TbSca| Files/Paths to setup | | TbUti| Options menu >| | TbCLe| Flags menu >| | TBAV | Data file path/name | | Docum| View data file | | Quit +------------------------+ | eXit (no save) | +------------------+ Data file path/name TbSetup will search for 'special' files in a file named TbSetup.Dat. After selecting this option 'datfile' you can specify another path or filename that contains a list of 'special' files. Option format: Datfile [=<filename>] Example: TbSetup Datfile = c:\tbav\tbsetup.dat +----Main menu-----+ | Confi+------TbSetup menu------+ | TbSet| Start+-------TbSetup options-------+ | TbSca| Files| Use TBAV.INI file | | TbUti| Optio| Prompt for pause | | TbCLe| Flags| Only new files | | TBAV | Data | Remove Anti-Vir.Dat files | | Docum| View | Do not change anything | | Quit +-------|v Hide Anti-Vir.Dat files | | eXit (no save| Make executables readonly | +---------------| Clear readonly attributes | |v Sub-Directory scan | +-----------------------------+ Use TBAV.INI file By enabling this option, the TbSetup configuration values, saved in the TBAV.INI file, will also be valid when loading TbSetup from the command line. Be careful, since options specified in the TBAV.INI file can not be undone on the command line. See chapter I-2 ('Configuration'). I - 10 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I Prompt for pause When you enter option 'pause' TbSetup will stop after it has processed the contents of one window. This gives you the possibility to examine the results. Only new files If you want to add new files to the Anti-Vir.Dat database, but prevent the information of changed files from being updated use option 'newonly'. Updating the information of changed files is dangerous because if the files are infected, the information to detect and cure the virus will be overwritten. Option 'newonly' prevents the information from being overwritten but it still allows information of new files to be added to the database. Remove Anti-Vir.Dat files If you want to stop using the ThunderBYTE utilities you do not have to remove all the Anti-Vir.Dat files yourself. By using this option TbSetup will neatly remove all Anti-Vir.Dat files from your system. Do not change anything If you want to see the effect of an option without the risk that somet- hing is activated you do not want, use option 'test'. If that option is specified the program will behave as it would normally, but it will not change or update anything on your hard disk. Hide Anti-Vir.Dat files The Anti-Vir.Dat files are normally not visual in a directory listing. If you prefer to have normal - i.e. visible - files disable this option. => Note that this option only applies for new Anti-Vir.Dat files. Make executables read-only As TbFile guards the read-only attribute permanently it is highly recommended to make all executable files read-only to prevent any modifications on these files. TbSetup will do the job if you enable option 'read-only'. Files that should not be made read-only are recogni- zed by TbSetup. I - 11 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I Clear read-only attributes This option can be used to reverse the operation of option 'read-only'. If you enable this option all read-only attributes of all executable files will be cleared. Sub-Directory scan By default TbSetup will search sub-directories for executable files, unless a filename (wildcards allowed!) has been specified. If you disable this option, TbSetup will not process sub-directories. +----Main menu-----+ | Confi+------TbSetup menu------+ | TbSet| Start+-----TbSetup flags------+ | TbSca| Files|v Use normal flags | | TbUti| Optio| Set flags manually | | TbCLe| Flags| Reset flags manually | | TBAV | Data | Define flags >| | Docum| View +------------------------+ | Quit +------------------------+ | eXit (no save) | +------------------+ Set flags manually This option is for advanced users only. With this option you can manual- ly set permission flags in the Anti-Vir.Dat record. This option requires a hexadecimal bitmask for the flags to set. For information about the bitmask consult the TbSetup.Dat file. Option format: Set =<flags> Example: Set = 0001 Reset flags manually This option is for advanced users only. With this option you can manual- ly reset permission flags or prevent flags to be set in the Anti-Vir.Dat record. This option requires a hexadecimal bitmask for the flags to reset. For information about the bit mask consult the TbSetup.Dat file. Option format: Reset =<flags> Example: Reset = 0001 I - 12 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I +----Main menu-----+ | Confi+------TbSetup menu------+ | TbSet| Start+-----TbSetup flags------+ | TbSca| Files|v Use n+--Define flags to be changed--+ | TbUti| Optio| Set f| 0001: Heuristic analysis | | TbCLe| Flags| Reset| 0002: Checksum changes | | TBAV | Data | Defin| 0004: Disk image File | | Docum| View +-------| 0008: Readonly sensitive | | Quit +---------------| 0010: TSR program | | eXit (no save) | | 0020: Direct disk access | +------------------+ | 0040: Attribute modifier | | 8000: Interrupt rehook | +------------------------------+ 3.3. Command line options TbSetup allows options to be specified on the command line. TbSetup recognizes option short-keys and option words. The words are easier to memorize, and they will be used in this manual for convenience. The syntax is as follows: TbSetup [<path>][<filename>]... [<options>]... option parameter short explanation ---------------------------------------------------------------- help he help (-? = short help) pause pa enable 'Pause' prompt mono mo force monochrome nosub ns skip sub-directories newonly no do not update changed records remove rm remove Anti-Vir.Dat files test te do not create / change anything nohidden nh do not make Anti-Vir.Dat files hidden readonly ro set read-only attribute on executables nordonly nr remove / do not set read-only attribute set =<flags> se set flags reset =<flags> re reset flags / do not set flags datfile [=<filename>] df data file to be used help (he) If you specify this option, TbSetup displays the contents of the TBSE- TUP.HLP file (if available) in the home directory of TbSetup. If you specify the '?' option you will get the summarized help info as listed above. pause (pa) When you specify 'pause' TbSetup will stop after it has processed the contents of one window. This gives you the possibility to examine the results. I - 13 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I mono (mo) This option forces TbSetup to refrain from using colors in the screen output. This might enhance the screen output on some LCD screens or color-emulating monochrome systems. nosub (ns) By default TbSetup will search sub-directories for executable files, unless a filename (wildcards allowed!) has been specified. If you specify this option, TbSetup will not process sub-directories. newonly (no) If you want to add new files to the Anti-Vir.Dat database, but prevent the information of changed files from being updated, use option 'newon- ly'. Updating the information of changed files is dangerous because if the files are infected, the information to detect and cure the virus will be overwritten. Option 'newonly' prevents the information from being overwritten but it still allows information of new files to be added to the database. remove (rm) If you want to stop using the ThunderBYTE utilities you do not have to remove all the Anti-Vir.Dat files yourself. By using this option TbSetup will neatly remove all Anti-Vir.Dat files from your system. test (te) If you want to see the effect of an option without the risk that somet- hing is activated you do not want, use option 'test'. If that option is specified the program will behave as it would normally, but it will not change or update anything on your hard disk. nohidden (nh) The Anti-Vir.Dat files are normally not visual in a directory listing. If you prefer to have normal - i.e. visible - files specify this option. => Note that this option only applies for new Anti-Vir.Dat files. readonly (ro) As TbFile guards the read-only attribute permanently it is highly recommended to make all executable files read-only to prevent any modifications on these files. TbSetup will do the job if you enable option 'read-only'. Files that should not be made read-only are recogni- zed by TbSetup. nordonly (nr) This option can be used to reverse the operation of option 'read-only'. If you enable this option all read-only attributes of all executable files will be cleared. set (se) This option is for advanced users only. With this option you can manual- ly set permission flags in the Anti-Vir.Dat record. This option requires I - 14 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I a hexadecimal bitmask for the flags to set. For information about the bitmask consult the TbSetup.Dat file. Option format: Set =<flags> Example: Set = 0001 reset (re) This option is for advanced users only. With this option you can manual- ly reset permission flags or prevent flags to be set in the Anti-Vir.Dat record. This option requires a hexadecimal bitmask for the flags to reset. For information about the bit mask consult the TbSetup.Dat file. Option format: Reset =<flags> Example: Reset = 0001 datfile (df) After the datfile option you can specify the name of the data file to be used. 3.4. While executing TbSetup divides the screen into three windows: an information window displaying data file comments across the top of the screen, a scanning window on the left and a status window on the right. The lower left window lists the names of the files being processed, along with file specific information: TEST.EXE 01234 12AB23CD Added * 0001 | | | | | | | | | | | | | | | | | 'flags' set for this file | | | | indicates 'special' file | | | action performed | | 32-bit CRC (checksum) | file size in hexadecimal number name of file in process Do not be concerned if the information flies too fast for you to read, or if it puzzles you. You will probably never need these details anyway. The scanning window has an 'action performed' field indicating whether an entry in the Anti-Vir.Dat was added, changed or updated: Added There was no previous entry for this file in the Anti-Vir.Dat record. A new entry has been added. I - 15 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I Changed There was an existing entry, but the file has been changed. The Anti- Vir.Dat information has been updated. Updated There was an Anti-Vir.Dat record and the file was found to be unchanged. TbSetup did, however, change some of the program's permission flags, on account of an entry in the TbSetup.Dat file, or in compliance with a 'Set' or 'Reset' option. The process may be aborted by pressing Ctrl-Break. Purpose of the TbSetup.Dat file Although the ThunderBYTE utilities perform well on almost every file without extra help, there are some files that need particular attention. TbSetup uses information collected in a special data file, TbSetup.Dat, to flag such files in the Anti-Vir.Dat file. The other ThunderBYTE utilities then use that information to determine how such a 'special' file should be treated: Examples of such files: Some programs maintain configuration information inside the executable file (EXE, COM) itself. Whenever you change the configuration of these programs, the executable file will change as well, along with its checksum. The new checksum will not match the one stored in the TbSe- tup.Dat file anymore. Since some ThunderBYTE utilities use this checksum information to verify integrity or cleanup results, they need to 'know' when a file's checksum is not a fixed item and should be allowed to change. TbScan can use generic detection methods such as 'heuristic' analysis to detect unknown viruses. Since heuristic analysis implies inevitable false alarms when a file looks like a virus, TbScan may have to decide not to do a heuristic analysis on such a program. Some of the ThunderBYTE utilities guard the read-only attribute and make sure that it can be removed only with the user's explicitpermission. A few programs, however, refuse to run properly with the read-only attri- bute set. TbScan's default scanning method performs perfectly well with just about any file, but there are some that need special analysis. Such a file is the Novell NET$DOS.SYS file, not a device driver - as the filename extension suggests - but a disk image of the bootable disk. It should be scanned completely and for all signatures, including COM and BOOT. The resident monitoring utilities of the TBAV package detect all sorts of virus-specific behaviour. Some programs, even though they may act I - 16 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I like a virus, are still perfectly normal and should be permitted to be executed without TBAV interference. You need not be concerned to find that a few files will be excluded from heuristic analysis. Those files will still be scanned the conventional way for signatures and all the rest. Furthermore, no heuristic exclusion will be granted unless a file matches exactly with the entry in the TbSetup.Dat file - including its name, size and the 32-bit CRC checksum. This eliminates security holes effectively: if a listed file is already infected, its checksum won't match the 32-bit CRC in the TbSetup.Dat file and the exclusion will not apply. By the same token, if a program is infected at a later date, the result would be a change in at least one of its characteristics; the record in the Anti-Vir.Dat file will not match any longer and the file will be subject to full heuristic analysis like any other. I - 17 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I 4. TbDriver 4.1. Purpose of TbDriver TbDriver does not provide protection against viruses by itself, but must be loaded in advance to enable the memory resident ThunderBYTE Anti- Virus utilities, such as TbScanX, TbCheck, TbMem, TbFile and TbDisk, to do their job properly. It is the source for some of the routines these utilities have in common, including support to generate the pop-up window routines, driving the translation unit which enables the possibi- lity of displaying messages in your native language, and support for networks. How to use TbDriver Loading TbDriver must be loaded before (one of) the other memory TbDri- ver resident TBAV utilities. For loading instructions, please consult the following pages. In normal situations it is not necessary to use the 'net' option of TbDriver. If you install TbDriver on a machine that is booted from a boot ROM, specify the message file with the drive and path where it can be found AFTER the machine has booted. The default message file will not be accessible anymore after the machine has booted. 4.2. Command line options Tbdriver allows loading options to be specified on the command line. A filename specification will be treated as a language file specification. The upper three options are always available, the other options are only available if TbDriver is not already memory resident. option parameter short explanation -------------------- -------------------------------- help ? display this helpscreen net n force LAN support remove r remove TbDisk from memory mode =<m|c> m override video mode noavok =<drives> o assume permission when AV record is missing quiet q do not display activity secure s do not allow permission updates notunnel t do not detect tunneling I - 18 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I help (?) If you specify this option TbDriver will show you the valid command line options as listed above. net (n) TbDriver cooperates well with most networks; in normal situations option 'net' will not be needed at all. It should be used only if all of the following conditions are true: A connection to a Novell network is made, and TbDriver.Exe is started before the logon command was used, and there is no valid Anti-Vir.Dat record in the directory where the NET?.COM program resides, or after the NET?.COM file has been renamed. remove (r) This option disables TbDriver and will try to remove the resident part of its code from memory in an attempt to restore this memory space back to the system. Unfortunately, this can work only if TbDriver was loaded last. An attempt to remove a TSR after another TSR has been started will simply leave a useless gap in memory and could disrupt the interrupt chain. TbDriver checks whether it is safe to remove its resident code; if not, it will simply disable itself. mode (m) On dual video systems TbDriver will use the currently active screen. It may be forced to use the alternate screen with option 'mode=m' for monochrome, or 'mode=c' for color systems. noavok (o) This option is not recommended for normal usage. You may need it in order to grant permission automatically for programs without an Anti- Vir.Dat record. Option 'noavok' requires a parameter specifying the drives to which the default permission applies. If, for example, you do not want a message from TbMem when a TSR without Anti-Vir.Dat record is executed from drive G: and H:, you could specify 'noavok=gh' on the TbDriver command line. quiet (q) Some resident TBAV utilities display an activity status. TbScanX, for instance, displays a rectangle with "*Scanning*" in the upper left corner of your screen while scanning a file. You can disable this with the 'quiet' option when TbDriver is loaded. secure (s) Some ThunderBYTE utilities are able to store permission flags in the Anti-Vir.Dat files. If you don't want these flags to be changed, specify this option. It has no effect on flags that are already set, so the option 'secure' may be used after installing new programs or packages. notunnel (t) TbDriver normally detects tunneling attempts on the part of viruses. 'Tunneling' is a technique viruses apply to determine the location of the DOS system code in memory, and to use that address to communicate with DOS directly. This will inactivate all TSR programs, including I - 19 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I resident anti-virus software. TbDriver is able to detect 'tunneling' attempts, and informs you about this. Some other anti-virus products also rely on tunneling techniques to bypass resident viruses, causing false alarms. If you are currently executing other anti-viral products, option 'notunnel' will disable tunneling detection. 4.3. Language support The optional filename specification is used to determine where the language file can be found. TbDriver retrieves pop-up window messages from a TBDRIVER.LNG file, which it expects to find in its own home directory. The default English language file is TBDRIVER.LNG, which may be replaced by a file in your local language. You can order separate language support packages at your local ThunderBYTE dealer, or download the language file from a ThunderBYTE support BBS. Please refer to page I-38 for further details. To load a localized language file, either rename it to the default original, or specify the full path and filename following the command. You may also switch to another language by calling TbDriver again with a different message file. This will not take up any extra memory. I - 20 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I 5. System maintenance All systems need maintenance and so do the TBAV utilities. As new viruses emerge, TbScan's signature file must be updated to avert new dangers. You may either get the latest signature file from your local ThunderBYTE dealer or download the file from one of our support Bulletin Board Systems. Whenever you add, update or replace programs on your system, be sure to use TbSetup to generate or update their fingerprints in the Anti-Vir.Dat files. Sometimes you will want to create a new recovery diskette. When you install a new version of DOS, the bootsector will be different. Changing the configuration of your hard disks may affect the partition tables and the CMOS setup. You should prepare a new recovery diskette after all system modifications. Updates The ThunderBYTE Anti-Virus utilities are updated at frequent intervals. Subscription to the ThunderBYTE update service (at your local dealer) guarantees delivery of each new update. You may download new revisions any time from any ThunderBYTE support BBS. Or check with a local bulle- tin board regularly, as many of them offer updated versions of our software. The standard complete release is issued in an archive named: TBAVxxx.ZIP, where 'xxx' stands for the three-digit version number. The archive extension may vary on local bulletin boards using a different archive method. To minimize download costs we also distribute smaller upgrade archives with only the files that have been changed since the previous official release. Upgrade archives have a 'U' in the filename, such as TBAVUxxx.ZIP. In order to maintain the highest reliability, the Dutch and US Thunder- BYTE support sites issue regular beta releases, also containing only the files that have been changed. Beta versions can be identified by a 'B' in the filename, such as TBAVBxxx.ZIP. The resident ThunderBYTE Anti-Virus utilities are also available in processor optimized formats. These processor optimized versions, named TBAVXxxx.ZIP, are for registered users only. You can purchase these versions via your local ThunderBYTE dealer. Distribution of the signature file The signature file (TBSCAN.SIG) is updated frequently. It will be distributed via the ThunderBYTE dealers and via several Bulletin Board Systems. The BBS file is stored in an archive called TBSG###%.ZIP (### = release sequence number, % = sub-release eg. TBSG604b.ZIP). Most Bulle- tin Board Systems will get a fresh copy of this file within 48 hours I - 21 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I after the master copy has been updated at Thunderbyte support BBS in The Netherlands. The most recent signature files can also be obtained from any other Thunderbyte support BBS. Language support The ThunderBYTE Anti-Virus utilities currently support several langua- ges, by means of separate language files. Check your local ThunderBYTE dealer for the availability of the TBAV support file in your language. I - 22 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I 6. Network maintenance The signature file TbScan.Sig should be replaced frequently. This can be a lot of work if you want to update all work stations on a network manually. Fortunately, there are several possibilities to do this job automatically. 6.1. Using DOS REPLACE Maintain a directory \TBAV_UPD\ on a public server drive. Any new version of the TBAV utilities or any new signature file TbScan.Sig should be placed it in this directory. The work stations should execute a batch file automatically after users log in on the network. This batch file should contain the following lines: rem Update the anti-virus product if a new one is available. replace x:\tbav_upd\*.* c:\tbav /u /r 'Replace' is a standard DOS utility. It copies the files specified by the first parameter ONLY if they are newer than the files specified in the second parameter. Make sure the 'replace' command is in the current path, and that the specified paths are valid for your configuration. The 'x', used in the above example, denotes the drive specification. Thus, you only have to update one drive with the new signature file or anti-virus software, and all workstations will update themselves as soon as they log in! You can also add the /S option if you want REPLACE to scan all directories on the workstations' drives for matching files. Please consult the DOS manual for more details. => Note: Do not forget to execute TbSetup on the new utilities in the x:\tbav_upd directory, thus ensuring that the REPLACE command also copies the new Anti-Vir.Dat file. 6.2. Using PkUnZip Maintain a directory \TBAV_UPD\ on a public server drive. Any new version of the TBAV distribution archive should be placed in this directory. The work stations should execute a batch file automatically after users log in on the network. This batch file should contain the following lines: rem Update the anti-virus product if a new one is available. PkUnZip -n -o x:\tbav_upd\TBAV???.ZIP c:\tbav I - 23 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION I => Make sure the file PkUnZip.Exe is in the current path, and that the paths specified are valid for your configuration. Following this procedure, the 'PkUnZip' command will only come into action when you just updated the ZIP files in the x:\tbav_upd directory. Now you only have to update one drive with the new anti-virus software, and all workstations will update themselves as soon as they log in! I - 24 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION II SECTION II. ANTI-VIRUS STRATEGY 1. Protection against viruses 1.1. Introduction Maintaining a reliable safety system implies that you will be active in taking measures to protect your system from virus infection, since some viruses can hide themselves perfectly once resident in memory. At least once every a week you should boot from a clean and write-protected diskette and execute TbScan. The tightness of your safety system very much depends on the amount of time you want to invest to let the safety measures take place and the vitality of the appropriate computer system. For use on a stand alone computer containing low risk data, in an environment with little exchan- ge of computer software, a daily scan will appear to be sufficient. For company use however, in a network environment where diskettes are exchanged frequently, where disks contain highly vulnerable information, where a network going 'down' means the loss of an extensive amount of money, protection must be as tight as the organisation can practically handle. Considering the above, a simple instruction on how to use the -highly flexible - TBAV utilities cannot be given. It all depends on your own demands and possibilities. Therefore, you are advised to study this manual thoroughly so you will be able to determine your own safety measures. To prevent viruses from doing any harm you should at least under-take the activities as presen- ted below. 1.2. Basic precautions 1. Install TBAV on your hard disk You may customize the installation to suit your own needs. Make sure you use TbSetup to maintain recovery information of all executable files of your system! Please refer to the installation section (I) of this manual. In the following examples it is assumed that all utilities are copied in the (default) directory named TBAV. For all example setups it is requi- red that TbSetup has been executed. If your system has more hard disks or disk partitions you should repeat the TbSetup invocation for every drive or partition. The example setups assume you have created a recovery diskette. II - 1 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION II The example setups outlined below are just intended to give you some ideas about the use of the TBAV utilities, and these examples are not intended as a full featured protection setup! 2. Prepare a recovery diskette You will absolutely need a clean recovery diskette in order to be able to get rid of a virus at all later on. Take a few minutes to prepare one now well ahead of a possible future contamination when it would be too late. Take a new, empty diskette, put it in drive A:, go to your DOS directory and execute the following commands: Format A: /S Copy SYS.COM A: Now return to the TBAV directory, eg.: CD \TBAV Execute the MakeResc batch file: makeresc A: The MakeResc batch file will create a reliable recovery diskette by creating or copying the following files. - A backup of the bootsector, partition sector and CMOS configu- ration. - A Config.Sys file, containing: Files=20 Buffers=20 Device=TbDriver.Exe Device=TbCheck.Exe FullCRC - An Autoexec.Bat file, containing: @echo off echo off PATH=A:\ TBAV Cls Echo Warning!!! Echo If you suspect a virus, do NOT execute anything Echo from the hard disk! II - 2 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION II - The following files: TBAV.EXE TBAV.LNG TBSCAN.EXE TBSCAN.LNG TBSCAN.SIG TBDRIVER.EXE TBDRIVER.LNG TBCHECK.EXE TBCLEAN.EX TBUTIL.EXE TBUTIL.LNG Copy to the diskette any other utilities that could come in handy in an emergency situation, including a simple editor to edit Config.Sys and AutoExec.Bat files. If your hard disk needs special device drivers to unlock added features, such as DoubleSpace or Stacker, copy the approp- riate drivers to the recovery diskette and install them in the Con- fig.Sys file on drive A:, taking care to avoid statements that will access the hard disk. Be sure to check the instructions in the device driver's manual for the correct procedures. Make the disk write protected. Label the diskette 'Recovery' together with a short of the PC the diskette belongs to. Store the diskette in a safe place. Use it only in case of an emergency, so make a copy if you need a similar diskette for general purposes. 3. Keep shady software out Many companies do not allow employees to install or execute unauthorized software. Or perhaps you wish to keep family members from invading your computer with haphazard games and sundry software. TBAV provides a watchdog function that can help to enforce this. First you will need to add the following lines to the Config.Sys file: Device=C:\TBAV\TbDriver.Exe Device=C:\TBAV\TbCheck.Exe secure If you have installed the TBAV Utilities using the TBAV installation program, you can - instead of editing the CONFIG.SYS file - adjust the TBSTART.BAT file, appending the 'secure' option to the TbCheck command: C:\TBAV\TbDriver C:\TBAV\TbCheck secure Execute TbSetup on the system: TbSetup C:\ II - 3 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION II Reboot the system by pressing <Ctrl>-<Alt>-<Del>. From now on, TbCheck will put an effective clamp on any user who tries to execute software which has not been duly authorized first by TbSetup. Whenever someone is trying to execute an unknown program, TBAV will display the following message: +---------- TBAV interception ---------+ | WARNING! | | The requested program (GAME.EXE) | | is not authorized and can not be | | executed. | | Execution cancelled! Press any key...| +--------------------------------------+ 4. Restrict user access Most of the TBAV utilities are interactive. They need to communicate with a knowledgable user in order to establish appropriate action in ambiguous situations. Many companies, however, insist that the system operator be the sole authority allowed to communicate with TBAV and so avoid wrong decisions on the part of possibly inept employees. That is why most of TBAV utilities support the option 'secure'. When this option is specified, all user interaction with any of the TBAV utilities is suspended. In other words, users will never be queried for permission to allow questionable operations, avoiding erroneous decisions which may well result in irreparable havoc. 5. Never use 'strange' diskettes to boot Only boot from your hard disk or from your original DOS diskette. NEVER use someone else's disk to boot from. Should you have a hard disk, make certain that you have opened the door to your floppy drive before resetting or booting your PC. 6. Use ChkDsk frequently Use the DOS program ChkDsk frequently (without the /F switch). ChkDsk is able to detect some viruses, because such viruses change the disk structure in an incorrect manner, causing disk errors in the process. Look out for changes in the behaviour of your software or your PC. Any change in their behaviour is suspect, unless you know its cause. Some highly suspicious symptoms are: - The amount of available memory space has decreased. - Programs need more time to execute. II - 4 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION II - Programs do not operate as they used to, or cause the system to crash or reboot after some time. - Data disappears or gets damaged. - The size of one or more programs has increased. - The screen behaves strangely, or unusual information is displayed. - ChkDsk detects many errors. II - 5 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION II 2. What to do when a virus strikes 2.1. Detection of viruses The first thing to do when you become aware that your system may have been infected is to back up all important files immediately. Use fresh backup media and do not overwrite a previous back up set. You may need the previous set to replace lost or contaminated files. Label the new backup as unreliable, as some of the files may be infected. As soon as you become aware of a virus infection it is imperative that you boot only from a reliable, write protected recovery system diskette. Know the symptoms Next, execute TbScan for an indication about what is wrong, or boot from a recovery diskette and compare its system files with those on the hard disk to check for changes. During this test you should take care to stay logged on to your system diskette. TbScan will report the virus name if the virus is known, or give a summary of file changes if the virus cannot be identified: TbScan C:\ logname=lpt1 log Also execute TbUtil to check the bootsector, partition code and the CMOS configuration. TbUtil compare Do not execute any program on your hard disk to prevent a virus from invading the system's memory and possibly masking the test results. TbCheck will warn you if you accidentially try to execute an infected or unauthorized program on your hard disk. Please bear in mind that it is in the nature of a file virus to infect as many programs as possible over a short period. You'll hardly find only a few infected programs on a hard disk that is in constant use. A TbScan virus alert flagging a mere one percent of the files on a hard- worked system is probably just a false alarm that has nothing to do with a real virus. If the file compare test indicates that all of them are still the same, you know at least that you are not dealing with a file virus. Avoid using the same copy of the TbScan program on another system after discovering a virus. TbScan performs a sanity check when it fires up. Unfortunately there is no way to make software 100% virus-resistant. A sanity check does not work if a 'stealth' type of virus is involved. A stealth virus can hide itself completely when a self-check is being performed. Do note that we are not dealing with a TbScan bug here. The II - 6 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION II failure to detect stealth viruses is common to all software performing a sanity check. Therefore, we recommend to keep a clean version of TbScan on a write-protected diskette. Use this diskette to check other machines once you have found a virus in your own system. Identify the characteristics Viruses come in many different guises and have their own peculiarities. It is extremely important to know at the earliest possible stage which particular kind of virus you are dealing with. That will give you at least some indication of the nature and the amount of the damage it may have caused already. Some viruses infect only executable files that can easily be reinstalled or replaced from a clean source. Others swap some random bytes anywhere on the hard disk, which could affect data files as well, although the results may not be noticeable for some time. Then there are those that damage the hard disk partition table or file allocation table, while some of the even nastier ones, the multipartite viruses, operate in more than one area. Whatever you do, don't panic! An inexperienced user, reacting in confu- sion, can often create more havoc than the virus itself, such as eradi- cating important data in no time. While an instant reformat may get rid of the virus, it will definitely destroy all your recent work as well. Once isolated the virus, either contact your support BBS, consult literature on virus problems, or get in touch with a virus expert. 2.2. Recovering from viruses While recovering from a virus infection it is particularly important to boot only from a clean write-protected system diskette. That is the only way to keep a virus out of the system's memory. Never execute a program from the hard disk. Restore the master boot sector and the DOS system files on the hard disk, using the SYS command on the system diskette. If the bootsector or partition code contains a virus, you may also use TbUtil to get rid of it by restoring clean sectors: TbUtil restore Many modern hard disks, notably IDE or AT drives using advanced prefor- matting methods, are low-level formatted by the supplier, ready for partitioning and a DOS format. Do not try to low-level format these drives yourself. It is always better to back up the partition table with a utility such as TbUtil, which restores the partition table for you without reformatting. If the virus has been identified as a file virus, it will be safest to remove the infected files (by using TbDel) and to copy or reinstall all II - 7 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION II executables from a clean source. A virus cleaning utility, such as TbClean, won't always be able to fully restore the original program code and should be used only as a last resort, such as when you don't have a reliable backup. It may be necessary to replace data files as well if the virus is known to cause damage in that area. After reassuring yourself that the system is absolutely clean again, run a careful check on all diskettes and backups to remove every single trace of the virus. Keep in mind that it takes only one infected disket- te to cause the same trouble all over again. II - 8 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III SECTION III. USING THE TBAV UTILITIES 1. TbScan 1.1. The Purpose of TbScan TbScan is a virus scanner: it has been specifically developed to detect viruses, Trojan Horses and other such threats to your valuable data. Most viruses consist of a unique sequence of instructions, called a signature. Hence through checking for the appearance of such signatures in a file we can find out whether or not a program has been infected. Scanning all program files for the signatures of all known viruses helps you to find out quickly whether or not your system has been infected and, if so, by which virus. Fast Scanning TbScan is the fastest scanner on the market today, therefore it invites users to invoke it from within their AUTOEXEC.BAT file every morning. Thanks to its design, TbScan will not slow down if the number of signa- tures increases. It doesn't matter whether you scan a file for 10 or a 1000 signatures. TbScan checks itself on invocation. If it detects that it has been infected it aborts with an error. This minimizes the risk of transfer- ring a virus by the TbScan program itself and infecting your system. Heuristic Scanning TbScan can detect yet unknown viruses. The built-in disassembler is able to detect suspicious instruction sequences and abnormal program lay- outs. This feature is called 'heuristic scanning' and it is partially enabled by default. Heuristic scanning is performed on files and boots- ectors. => Note that virus scanners can only tell you whether or not your system has been infected and if so, if any damage has already been done. By that time only a non-infected backup or a recovery program such as TbClean can properly counter a virus infection. Scan Scheduling Every PC owner should use a virus scanner frequently. At least one should do to avoid damage caused by a virus. It is highly recommended to devise your own schedule for a regular scan of your system. Creating a special TbScan boot diskette is also recommended in this respect. III - 1 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III The following scan sessions (listed in order of preference) are recom- mended: Execute TbScan from a write-protected bootable diskette once a week. Boot from this diskette before invoking the scanner. Booting from a diskette is the only way to make sure that no stealth virus will become resident in memory. Invoke a daily scan. You can invoke TbScan with the 'once' option from within the autoexec.bat file to perform the daily scan session automati- cally. It is not necessary to boot from the bootable TbScan diskette to perform the daily scan. Scan new diskettes. 1.2. How to use Tbscan For daily use you can activate TbScan by loading the program from the DOS commandline (eg. in the autoexec.bat file), or via the TBAV menu. For weekly use, when scanning from the TbScan diskette, you could use the DOS command. The TbScan DOS options are listed in section 1.3. of this chapter. The 'TbScan' menu +----Main menu-----+ | Confi+------TbScan menu------+ | TbSet| Start scanning | | TbSca| Files/Paths to scan | | TbUti| Options menu | | TbCLe| Advanced options | | TBAV | If virus found | | Docum| Path configuration | | Quit | Log file menu | | eXit | View log file | +-------+-----------------------+ Files/path to scan Drive and path tell TbScan where it should perform its scanning operati- on. To search both disks C: and D: you should enter: C:\ D:\ When no filename has been specified but a drive and/or path instead, the specified path will be used as top-level path. All its subdirectories will be processed too. If a filename is specified, only the specified path will be searched. Subdirectories will not be processed. III - 2 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III Wildcards in the filename are allowed. You may even specify '*.*' which will result in all files being processed. View log file If one of the log file options is activated (see below) you can study the log file using this option. The 'TbScan options' menu +----Main menu-----+ | Confi+------TbScan menu------+ | TbSet| Start+-----TbScan options------+ | TbSca| Files| Use TBAV.INI file | | TbUti| Optio| Prompt for pause | | TbCLe| Advan| Quick scan | | TBAV | If vi| Non-executable scan | | Docum| Log f| Maximum Compatibility | | Quit | View |v Bootsector scan | | eXit +-------|v Memory scan | +---------------| HMA scan forced | |v Upper memory scan | |v Sub-Directory scan | | Repeat scanning | |v Abort on Ctrl-Break | +-------------------------+ Use TBAV.INI file TbScan searches for a file named TBAV.INI in the TbScan directory. By enabling this option, the TbScan configuration values, saved in the TBAV.INI file, will also be valid when loading TbScan from the command line. Be careful, since options specified in the TBAV.INI file can not be undone on the command line. See chapter I-2 ('Configuration'). Prompt for pause When you activate the 'pause' option TbScan will stop after it has checked the contents of one window. This gives you the possibility to examine the results without having to consult a log file afterwards. Quick scan TbScan will use the Anti-Vir.Dat files to check for file changes since the last time. Only if a file has been changed (CRC change) or is not yet listed in Anti-Vir.Dat it will be scanned. Normally TbScan will always scan files. III - 3 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III Non-executable scan With this option TbScan will scan non-executable files (files without extension COM, EXE, SYS or BIN) too. If TbScan finds out that such a file does not contain anything that can be executed by the processor the file will be 'skipped'. Otherwise the file will be searched for COM, EXE and SYS signatures. TbScan however will not perform heuristic analysis on non-executable files. Since viruses normally do not infect non- executable files it is not necessary to scan non-executable files too. We even recommend not to use this option unless you have a good reason to scan all files. Once again: a virus needs to be executed to perform what it is program- med to do, and since non-executable files will not be executed a virus in such a file can not do anything. For this reason viruses do not even try to infect such files. Some viruses however will write to non-execu- table files as a result of 'incorrect' programming. If so, these non- executable files will never harm other program or data files, but do contain corrupted data. Maximum compatibility If you select this option, TbScan attempts to be more compatible with your system. Use this option if the program does not behave as you would expect, or even halts the system. This option will slow down the scan- ning process. Therefore, it should only be used if necessary. => Note that this option does not affect the results of a scan. Bootsector scan Enabling this option will force TbScan to scan the bootsector as well. Memory scan Enabling this option will force TbScan to scan the memory of the PC. HMA scan forced TbScan detects the presence of an XMS-driver, and scans HMA automa- tically. If you have an HMA-driver which is not compatible with the XMS standard you can use the 'HMA' option to force TbScan to scan HMA. Upper memory scan By default TbScan identifies RAM beyond the DOS limit and scans that too. This means that video memory and the current EMS pages are scanned III - 4 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III by default. You can use this option to enable the scanning of non-DOS memory. Subdirectory scan By default TbScan will search sub-directories for executable files, unless a filename (wildcards allowed!) is specified. If you disable this option, TbScan will not scan sub-directories. Repeat scanning This option is very useful if you want to check a large amount of diskettes. TbScan does not return to DOS after checking a disk, but it prompts you to insert another disk in the drive. The 'TbScan advanced options' menu +----Main menu-----+ | Confi+------TbScan menu------+ | TbSet| Start+----TbScan advanced options----+ | TbSca| Files| Full heuristic scan | | TbUti| Optio| Extract signatures | | TbCLe| Advan|v Auto heuristic level adjust | | TBAV | If vi+-------------------------------+ | Docum| Path configuration >| | Quit | Log file menu >| | eXit | View log file | +-------+-----------------------+ Full heuristic scan TbScan always performs a heuristic scan on the files being processed. However, only if a file is very probably infected with a virus, TbScan will report the file as being infected. If you use option 'heuristic', TbScan is somewhat more sensitive. In this mode 90% of the new, unknown, viruses will be detected without any signature, but some false alarms may occur. Consult also section 'Heuristic scanning' of this chapter (3.1). Extract signatures This option is available to registered users only. See the chapter 'TbGensig' (IV-5) on how to use the option 'extract'. III - 5 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III Auto heuristic level adjust TbScan automatically adjusts the heuristic detection level after a virus has been found. This provides you maximum detection capabilities in case you need it, while the amount of false alarms due to heuristics remains small in normal situations. In other words: as soon as a virus has been found, TbScan will anticipate and proceed as if option 'heuristic' has been specified. The 'If virus found' menu In this menu, you can configure the actions TbScan should take, if detecting a virus. +----Main menu-----+ | Confi+------TbScan menu------+ | TbSet| Start+--What if a virus is found?--+ | TbSca| Files|v Present action menu | | TbUti| Optio| Just continue (log only) | | TbCLe| Advan| Delete infected file | | TBAV | If vi| Rename infected file | | Docum| Log f+-----------------------------+ | Quit | View log file | | eXit +-----------------------+ +------------------+ Present action menu If TbScan detects a virus, the program will display a menu containing the possible actions to be taken: just continu, delete or rename the infected file. Just continue (log only) If TbScan detects an infected file it prompts the user to delete or rename the infected file, or to continue without action. If you select this option, TbScan will always continue. We highly recommend you to use a log file in such situations, as a scanning operation does not make much sense without the return messages being read (see 'Command line options'). Delete infected file If TbScan detects a virus in a file it prompts the user to delete or rename the infected file, or to continue without action. If you specify the 'delete' option, TbScan will delete the infected file automatically, without prompting the user first. Use this option if you have determined III - 6 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III it is a virus infection. Make sure that you have a clean back-up, and that you really want to get rid of all infected files at once. Rename infected file If TbScan detects a file virus it prompts the user to delete or rename the infected file, or to continue without action. If you select the 'rename' option, TbScan will rename the infected file automatically, without prompting the user first. By default, the first character of the file extension will be replaced by the character 'V'. An .EXE file will be renamed to .VXE, and a .COM file to .VOM. This prevents the infected programs from being executed, spreading the infection. At the same time they can be kept for later examination and repair. The 'TbScan LOG' menu +----Main menu-----+ | Confi+------TbScan menu------+ | TbSet| Start+-------TbScan LOG menu-------+ | TbSca| Files| Output to log file | | TbUti| Optio| Log file path/name | | TbCLe| Advan| Specify log-level >| | TBAV | If vi| Append to existing log | | Docum| Log f| No heuristic descriptions | | Quit | View +-----------------------------+ | eXit +-----------------------+ +------------------+ Output to logfile When you use this option, TbScan creates a log file. The log file lists all infected program files, specifying heuristic flags (see: appendix B) and complete pathnames. Log file path/name With option logname you can specify the name of the log file to be used. TbScan will create the file in the current directory unless you specify a path and filename after selecting this option. If the log file already exists, it will be overwritten. If you want to print the results, you can specify a printer device name rather than a filename (logname=lpt1). => Note: you have to combine this option with option 'log'. III - 7 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III Append to existing log If you use this option, TbScan will not overwrite an existing log file but append the new information to it. If you use this option often, it is recommended to delete or truncate the log file once in a while to avoid unlimited growth. => Note: you have to combine this option with option 'log'. No heuristic descriptions If you enable this option TbScan will not specify the descrip-tions of the heuristic flags in the log file. The heuristic flag descriptions are listed in appendix B. The 'LOG level' menu +----Main menu-----+ | Confi+------TbScan menu------+ | TbSet| Start+-------TbScan LOG menu-------+ | TbSca| Files| Log f+--------Log-level menu--------+ | TbUti| Optio| Outpu| 0: Log only infected files | | TbCLe| Advan| Speci|v 1: Log summary too | | TBAV | If vi| Appen| 2: Log suspected too | | Docum| Log f| No he| 3: Log all warnings too | | Quit | View +-------| 4: Log clean files too | | eXit +---------------+------------------------------+ +------------------+ Loglevel These levels determine what kind of file information will be stored in the log file. The default log level is 1. You may select one of five log levels: 0 Log only infected files. If there are no infected files do not create or change the log file. 1 Log summary too. Put a summary and timestamp in the log file. Put only infected files in the log file. 2 Log suspected too. Same as loglevel=1, but now also 'suspected' files are logged. Suspected files are files that would trigger the heuristic alarm if option 'heuristic' had been specified. 3 Log all warnings too. Same as loglevel=2, but all files that have a warning character printed behind the filename will be logged too. 4 Log clean files too. All files being processed will be put into the log file. III - 8 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III 1.3. Command line options When loaded from the DOS command line, Tbscan recognizes option short- keys and option words. The words are easier to memorize, and they will be used in this manual for convenience. TbScan searches for a file named TBAV.INI in the TbScan directory. If the keyword 'UseIni' is specified in the [TbScan] section of the TBAV.INI file, the options will also be valid when TbScan is invoked from the command line. Be careful, as options specified in the TBAV.INI file can not be undone on the command line. option parameter short explanation ----------------------------------------------------------------- help he help pause pa enable 'Pause' prompt mono mo force monochrome quick qs quick scan (uses Anti-Vir.Dat) allfiles af scan non-executable files too heuristic hr enable heuristic alerts extract ex extract signature (registered only) once oo only once a day secure se user abort not allowed (reg. only) compat co maximum-compatibility mode ignofile in ignore no-file-error noboot nb skip bootsector check nomem nm skip memory check hma hm force HMA scan nohmem nh skip UMB/HMA scan nosub ns skip sub-directories noautohr na auto heuristic level adjust repeat rp scan multiple diskettes batch ba batch mode. No user input delete de delete infected files log lo output to logfile append ap log file append mode expertlog el no heuristic descriptions in log logname =<filename> ln set path/name of log file loglevel =<0..4> ll set log level rename [=<text-mask>] rn rename infected files You can find an explanation on most of the command line options at the similar menu descriptions presented above. help (he) If you specify this option TbScan will display the help as listed above. III - 9 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III pause (pa) When you activate the 'pause' option TbScan will stop after it has checked the contents of one window. This gives you the possibility to examine the results without having to consult a log file afterwards. mono (mo) This option forces TbScan to refrain from using colors in the screen output. This might enhance the screen output on some LCD screens or color-emulating monochrome systems. quick (qs) TbScan will use the Anti-Vir.Dat files to check for file changes since the last time only. Only if a file has been changed (CRC change) or is not yet listed in Anti-Vir.Dat it will be scanned. Normally TbScan will always scan files. allfiles (af) With this option TbScan will scan non-executable files (files without extension COM, EXE, SYS or BIN) too. If TbScan finds out that such a file does not contain anything that can be executed by the processor the file will be 'skipped'. Otherwise the file will be searched for COM, EXE and SYS signatures. TbScan however will not perform heuristic analysis on non-executable files. Since viruses normally do not infect non-executable files it is not necessary to scan non-executable files too. We even recommend not to use this option unless you have a good reason to scan all files. Once again: a virus needs to be executed to perform what it is programmed to do, and since non-executable files will not be executed a virus in such a file can not do anything. For this reason viruses do not even try to infect such files. Some viruses however will write to non-executable files as a result of 'incorrect' programming. If so, these non-executable files will never harm other program or data files, but do contain corrupted data. heuristic (hr) TbScan always performs a heuristic scan on the files being processed. However, only if a file is very probably infected with a virus, TbScan will report the file as being infected. If you use option 'heuristic', TbScan is somewhat more sensitive. In this mode 90% of the new, unknown, viruses will be detected without any signature, but some false alarms may occur. Consult also section 'Heuristic scanning' of this chapter (3.1). extract (ex) This option is available to registered users only. See the chapter 'TbGensig' (IV-5) on how to use the option 'extract'. once (oo) If you specify this option TbScan will 'remember' after its scan that is has been executed that day, and that it should not be executed again the same day with this particular option set. This option is very useful if III - 10 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III you incorporate it in your AUTOEXEC.BAT file in combination with a list file: TbScan @Everyday.Lst once rename TbScan will now scan the list of files and/or paths specified in the file EVERYDAY.LST during the first boot-up of the day. If the systems boots more often that day, TbScan will then return to DOS immediately. This option does not interfere with the regular use of TbScan. If you invoke TbScan without the 'once' option it will always be executed, regardless of a previous run with the 'once' option set. => Note that if TbScan cannot write to TBSCAN.EXE because it has been flagged 'read-only' or is located on a write-protected diskette, the 'once' option will fail and the scanner will be executed without it. secure (se) This option is available to registered users only. If this option is specified it is no longer possible to cancel TbScan by pressing Ctrl- Break, or to respond to a virus alert window. compat (co) If you select this option, TbScan attempts to be more compatible with your system. Use this option if the program does not behave as you would expect, or even halts the system. This option will slow down the scan- ning process. Therefore, it should only be used if necessary. Note that this option does not affect the results of a scan. ignofile (in) If this option is specified and no files can be found, TbScan will not display the 'no files found' message, nor does it exit with errorlevel 1. This option might be useful for automatic contents scanning. noboot (nb) If you specify this option TbScan will not scan the bootsector. nomem (nm) If you specify this option TbScan will not scan the memory of the PC for viruses. hma (hm) TbScan detects the presence of an XMS-driver, and scans HMA automa- tically. If you have an HMA-driver which is not compatible with the XMS standard you can use the 'HMA' option to force TbScan to scan HMA. nohmem (nh) By default TbScan identifies RAM beyond the DOS limit and scans that too. This means that video memory and the current EMS pages are scanned by default. You can use this option to disable the scanning of non-DOS memory. III - 11 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III nosub (ns) By default TbScan will search sub-directories for executable files, unless a filename (wildcards allowed!) is specified. If you enable this option, TbScan will not scan sub-directories. noautohr (na) TbScan automatically adjusts the heuristic detection level after a virus has been found. This provides you maximum detection capabilities in case you need it, while the amount of false alarms due to heuristics remains small in normal situations. In other words: as soon as a virus has been found, TbScan will anticipate and proceed as if option 'heuristic' has been speci-fied. If you don't want this, you can specify option 'noau- tohr'. repeat (rp) This option is very useful if you want to check a large amount of diskettes. TbScan does not return to DOS after checking a disk, but it prompts you to insert another disk in the drive. batch (ba) By enabling this option TbScan will scan without displaying any messa- ges. Therefore, the use of a LOG file is highly advisable. delete (de) If TbScan detects a virus in a file it prompts the user to delete or rename the infected file, or to continue without action. Ifyou specify the 'delete' option, TbScan will delete the infected file automatically, without prompting the user first. Use this option if you have determined it is a virus infection. Make sure that you have a clean back-up, and that you really want to get rid of all infected files at once. log (lo) When you use this option, TbScan creates a log file. The log file lists all infected program files, specifying heuristic flags (see: appendix B) and complete pathnames. append (ap) If you use this option, TbScan will not overwrite an existing log file but append the new information to it. If you use this option often, it is recommended to delete or truncate the log file once in a while to avoid unlimited growth. => Note: you have to combine this option with option 'log'. expertlog (el) If you enable this option TbScan will not specify the descriptions of the heuristic flags in the log file. The heuristic flag descriptions are listed in appendix B. logname =<filename> (ln) With option logname you can specify the name of the log file to be used. TbScan will create the file in the current directory unless you specify III - 12 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III a path and filename after selecting this option. If the log file already exists, it will be overwritten. If you want to print the results, you can specify a printer device name rather than a filename (logname=lpt1). => Note: you have to combine this option with option 'log'. loglevel =<0..4> (ll) These levels determine what kind of file information will be stored in the log file. The default log level is 1. You may select one of five log levels: 0 Log only infected files. If there are no infected files do not create or change the log file. 1 Log summary too. Put a summary and timestamp in the log file. Put only infected files in the log file. 2 Log suspected too. Same as loglevel=1, but now also 'suspected' files are logged. Suspected files are files that would trigger the heuristic alarm if option 'heuristic' had been specified. 3 Log all warnings too. Same as loglevel=2, but all files that have a warning character printed behind the filename will be logged too. 4 Log clean files too. All files being processed will be put into the log file. => Note: you have to combine this option with option 'log'. rename [=<text-mask>] If TbScan detects a file virus it prompts the user to delete or rename the infected file, or to continue without action. If you select the 'rename' option, TbScan will rename the infected file automatically, without prompting the user first. By default, the first character of the file extension will be replced by the character 'V'. An .EXE file will be renamed to .VXE, and a .COM file to .VOM. This prevents the infected programs from being executed, spreading the infection. At the same time they can be kept for later examination and repair. You may also add a parameter to this option specifying the target extension. This parameter should always contain 3 characters; question marks are allowed. The default target extension is 'V??'. Examples: TbScan c:\ noboot Process all executable files in the root directory and its subdirecto- ries. Skip the bootsector scan. TbScan \*.* Process all files in the root directory. Don't process subdirectories. III - 13 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III TbScan c:\ log logname=c:\test.log loglevel=2 All executable files on drive C: will be checked. A LOG file with the name c:\test.log will be created. The log file will contain all infected and suspected files. TbScan \ log logname=lpt1 TbScan will scan the root directory and its subdirectories. The results are redirected to the printer rather than to a log file. 1.4. The scanning process Choose the 'Start scanning' option in the TbScan menu or start the TbScan program from the DOS command line. TbScan will start scanning right away. +-----------------------------------------------------------------+ |Thunderbyte virus detector v6.04 - (C) 1989-93, Thunderbyte B.V. | | | | TBAV is upgraded every two months. Free hotline support is | | provided for all registered users via telephone, fax and | | electronic bulletin board. Read the comprehensive documentation | | files for detailed info. BBS: +31- 85- 212 395 | | | | C:\DOS\ | | ** Unregistered evaluation version. Don't forget to register! **| | | | ANSI.SYS scanning..> OK signatures: 986 | | COUNTRY.SYS skipping..> OK | | DISKCOPY.COM tracing...> OK file system: OWN | | DISPLAY.SYS scanning..> OK | | DRIVER.SYS scanning..> OK directories: 01 | | EGA.CPI skipping..> OK total files: 17 | | FASTOPEN.EXE looking...> OK executables: 12 | | FDISK.EXE looking...> OK CRC verified: 10 | | FORMAT.COM tracing...> E OK changed files: 00 | | GRAFTABL.COM tracing...> OK infected items: 00 | | GRAPHICS.COM tracing...> OK | | GRAPHICS.PRO skipping..> OK elapsed time: 00:05 | | Kb /second: 57 | | | +-----------------------------------------------------------------+ TbScan divides the screen into three windows: an information window, a scanning window and a status window. The information window will initi- ally display the vendor information only. III - 14 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III While Scanning If TbScan detects infected files the names of the file and the virus will be displayed in the upper window. The lower left window displays the names of the files being processed, the algorithm in use, info and heuristic flags, and finally an OK statement or the name of the virus detected. Example: NLSFUNC.EXE checking..> FU OK | | | | | | | result of scan | | heuristic flags | algorithm being used to process file name of file in process You will see comments following each file name: 'looking', 'checking', 'tracing', 'scanning' or 'skipping'. These refer to the various algo- rithms being used to scan files. Other comments that TbScan can display here are the heuristic flags. Consult the 'Heuristic flags' chapter (1.3) for more information on these warning characters. The lower right window is the status window. It displays the number of files and directories encountered, the amount of viruses found. It also displays which file system is being used: either "DOS" or "OWN". The latter means that TbScan is able to bypass DOS. If this is the case, TbScan reads all files directly from disk for extra security and speed. The scanning process can be aborted by pressing Ctrl-Break. Detecting Viruses As soon as an infected program is found, TbScan will display the name of the virus. If you did not specify one of the options 'batch', 'rename' or 'delete', TbScan will prompt you to specify the appropriate action. If you choose to rename the file, the first character of the file extension will be replaced by the character 'V'. This prevents the file from being executed by accident before it has been investigated more thoroughly. If an infected file is detected, TbScan will display a message: Infected by [name of virus] virus. The file is infected by the virus mentioned. III - 15 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III Is Joke named [name of Joke] There are some programs which simulate that the system is infected by a virus. A joke is completely harmless. Is Trojan named [name of Trojan] The file is a Trojan Horse.Do not execute the program but delete it. Damaged by [name of virus] A damaged file contains - unlike an infected file - not the virus itself, but has been damaged by the virus. Dropper of [name of virus] A dropper is a program that has not been infected itself, but which does contain a bootsector virus and is able to install it in your bootsector. Overwritten by [name of virus] Some viruses overwrite files. An overwritten file contains - unlike an infected file - not the virus itself, but has been overwritten with garbage. It is also possible that TbScan encounters a file that seems to be infected by a virus, although a signature could not be found. In this case TbScan displays the prefix 'Probably' before the message. Program Validation If TbScan finds a file to be very suspicious and pops up with the virus alert window, you can avoid future false alarms by pressing 'V' (Valida- te program). Note that this only works if there is an Anti-Vir.Dat record of the file available. Once a program is validated it will no longer be subject to heuristic analysis, unless the program changes and does not match the Anti-Vir.Dat record anymore. This will be the case if such a file gets infected afterwards, so TbScan will still report infections on these files. => Note that a validated program is still subject to the conventional signature scanning. Heuristic Scanning If you have specified the option 'heuristic' it is likely that TbScan will find some files which look like a virus, and in this case TbScan uses the prefix 'Might be' to inform you about it. So, if TbScan dis- plays: Probably infected by an unknown virus (level 1) or: Might be infected by an unknown virus (level 2) III - 16 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III it does not necessarily mean that the file is infected. There are a lot of files that look like a virus but are not. => The heuristic levels are explained in section IV (page 9). False Positives => Important! False alarms are part of the nature of heuristic scanning. In default mode it is very unlikely that TbScan issues a false alarm. However, if you have specified option 'heuristic' some false alarms might occur. How to deal with these false alarms? If TbScan thinks it has found a virus it tells you the reason for this suspicion. In most cases you will be able to evaluate these reasons when you consider the purpose of the suspected file. => Note that viruses infect other programs. It is highly unlikely that you will find only a few infected files on a hard disk used frequently. You should ignore the result of a heuristic scan if only a few programs on your hard disk trigger it. But, if your system behaves in a 'strange' manner and many programs cause TbScan to issue an alarm with the same serious flags, your system could very well be infected by a (yet un- known) virus. Heuristic flags Heuristic flags consist of single characters that are printed behind the name of the file that has been processed. There are two kinds of flags: the informative ones are printed in lower-case characters; the more serious flags are printed in upper-case characters. The lower-case flags are indicative of special characteristics of the file being processed, whereas the upper-case warnings may indicate a virus. If the 'loglevel' is 3 or above, the important warnings will not only appear as a warning character, but there will also be a description printed in the log file. How should you treat the flags? The less important lower-case flags can be considered to be for your information only.They provide you with file information you might find interesting. The more serious warning flags printed in upper-case MIGHT point towards a virus. It is quite normal that you have some files in your system which trigger an upper-case flag. The heuristic flag descriptions are listed in appendix B. III - 17 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III 2. TbScanX 2.1. The Purpose of TbScanX TbScanX is the resident version of the TbScan program, checking files on the basis of a virus signature list. Suppose you have a virus scanner automatically executed from your autoexec.bat file. If no viruses are found, your system is supposed to be uninfected. But, to be sure that no virus will infect your system, you have to execute the scanner every time after copying a file to your harddisk, after downloading a file from a bulletin board system, or after unarchiving an archive such as a ZIP file. Be honest, do YOU actually invoke your scanner every time you introduce a new file into the system? If you don't, you take the risk that within a couple of hours all files are infected by a virus... Once loaded, TbScanX will remain resident in memory, and will automati- cally scan all files you execute and all executable files you copy, create, download, modify, or unarchive. The same approach is used to protect against bootsector viruses: every time you put a diskette into a drive the bootsector will be scanned. If the disk is contaminated with a boot sector virus TbScanX will warn you in time! TbScanX is fully network compatible. It does not require to reload the scanner after logging on to the network. 2.2. How to use TbScanX Since TbScanX is memory resident, the program can be executed and configured from the command line or from within a batch file. It is important to load TbScanX as early as possible after the machine has booted. Therefore it is recommended to execute TbScanX from within the Config.Sys file. => Note that TbScanX requires TbDriver to be loaded first! Loading TBScanX There are three possible ways to load TbScanX: 1. From the DOS prompt or within the Autoexec.Bat file: <path>TbScanX 2. From the Config.Sys as a TSR (Dos 4+): Install=<path>TbScanX.Exe The "Install=" Config.Sys command is NOT available in DOS 3.xx. 3. From the Config.Sys as a device driver: Device=<path>TbScanX.Exe III - 18 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III => Note that executing TbScanX as a device driver does not work in all OEM versions of DOS. If it does not work use the "Install=" command or load TbScanX from within the Autoexec.Bat. TbScanX should always work cor- rectly after being started from within the Autoexec.Bat. Unlike other anti-virus products, the ThunderBYTE anti-virus utlities can be loaded before the network is started without loosing the protec- tion afterwards. Highload TBScanX In addition to the three invocation possibilities users of DOS 5 and higher versions can "highload" TbScanX in UMB (upper memory block) if it is available: LoadHigh <path>TbScanX.Exe Within the Config.Sys file TbScanX can also be loaded high: DeviceHigh=<path>TbScanX.Exe TbScanX and MS-Windows Windows users should load TbScanX BEFORE starting MS-Windows. If you do that there is only one copy of TbScanX in memory, but every DOS-window will nevertheless have a fully functional TbScanX in it. TbScanX detects if Windows is starting up, and will switch itself in multitasking mode if necessary. You can even disable TbScanX in one window without affec- ting the functionality in another window. 2.3. Command line options TbScanx can be configured from the command line. The upper four options are always available, the other options are only available if TbScanX is not already resident in memory. III - 19 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III option short explanation -------------------------------------------------- help ? display this helpscreen off d disable scanning on e enable scanning remove r remove TbScanX from memory noexec n never scan at execute allexec a always scan at execute noboot b do not scan bootsectors ems me use expanded memory (EMS) xms mx use extended memory (XMS) secure s deny access without asking lock l lock PC when virus detected compat c increased compatibility help (?) If you specify this option TbScanX will show you the commandline options as shown above. Once TbScanX has been loaded the help option will not show all options anymore. off (d) If you specify this option TbScanX will be disabled, but it will remain in memory. on (e) If you use this option TbScanX will be activated again after you dis- abled it with the 'off' option. remove (r) This option can be used to remove the resident part of TbScanX from your memory. All memory used by TbScanX will be released. Unfortunately, removing a TSR (like TbScanX) is not always possible. TbScanX checks whether it is safe to remove the resident part from memory, if it is not safe it just disables TbScanX. A TSR can not be removed if another TSR is started after it. If this happens with TbScanX it will completely disable itself. compat (c) In most systems TbScanX performs troublefree. Another TSR program may however conflict with TbScanX. If the other TSR is loaded first, TbScanX will normally detect the conflict and use an alternate interrupt. If the other TSR is loaded after TbScanX, and it does abort with a message telling you that it has already been loaded, you can use the 'compat' switch of TbScanX (when installing it in memory). It is also possible that TbScanX conflicts with other EMS or XMS using resident software. In this case the system will hang. Option 'compat' will solve this problem, but due to extensive memory swapping the performance of TbScanX will slow down. III - 20 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III noexec (n) TbScanX normally scans files located on removable media just before they are executed. You can use this option to disable this feature complete- ly. allexec (a) TbScanX normally scans files to be executed only if they reside on removable media. Files on the harddisk are trusted, because these files must have been copied or downloaded before. And by that time TbScanX has already scanned them automatically. However if you want every file to be scanned before executing, no matter whether on harddisk or removable media, you should use this option. noboot (b) TbScanX monitors the disk system: every time the bootsector is being read, TbScanX automatically scans the disk for bootsector viruses. If you change a disk, the first thing DOS has to do is read the bootsector, otherwise it does not know what kind of disk is in the drive. And as soon as DOS reads the bootsector, TbScanX checks it for viruses. If you don't like this feature, or if it causes problems, you can switch it off using the 'noboot' option. If you specify this option TbScanX will also require less memory, because the bootsector signatures will not be stored in memory. secure (s) TbScanX normally asks the user to continue or to cancel when it detects a virus. In some business environments however this choice should not be made by employees. By using option 'secure' it is no longer possible to allow suspicious operations. lock (l) System operators can use this option to instruct TbScanX to lock the system once a virus is detected. ems (me) If you specify this option TbScanX will use expanded memory (like provided by LIM/EMS expansion boards or 80386 memory managers) to store the signatures and part of its program code. Since conventional memory is more valuable to your programs than expanded memory, the use of EMS memory is recommended. TbScanX can use up to 64Kb of EMS memory. Expan- ded memory is allocated in 16Kb blocks. xms (mx) If you specify this option TbScanX will use extended memory to store the signatures and part of its program code. An XMS driver (like HIMEM.SYS) needs to be installed to be able to use this option. XMS memory is not directly accessable from within DOS, so every time TbScanX has to scan data it has to copy the signatures to conventional memory. To be able to save the original memory contents TbScanX needs a double amount of XMS memory. Swapping to XMS is slower than swapping to EMS memory, so if you have EMS memory available swapping to EMS is recommen- III - 21 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III ded. It is possible that swapping to XMS conflicts with some other software, so if you experience problems try using TbScanX without the XMS option. Example Device=C:\utils\TbScanX.Exe xms noboot 2.4. While scanning Whenever a program tries to write to an executable file (files with the extensions .COM and .EXE), you will briefly see the text "*Scanning*" in the upper left corner of your screen. As long as TbScanX is scanning this text will appear. Since TbScanX takes very little time to scan the file, the message will only appear very briefly. The text "*Scanning*" will also appear if you execute a program directly from a diskette, and if DOS accesses the bootsector of a diskette drive. Detecting Viruses If TbScanX detects a suspicious signature that is about to be written into a file, a window will appear with the message: WARNING, <filename> contains <virus name>! Abort? (Y/n) Press "N" to continue, press any other key to abort. If TbScanX detects a suspicious signature in a boot sector, it will display the message: WARNING, Disk in <drive> contains <virus name>! Press a key... Although a virus seems to be on the bootsector of the specified drive, the virus cannot do anything since it has not been executed yet. Howe- ver, if you reboot the machine with the contaminated diskette in the drive, the virus will copy itself to your harddisk. To display the name of the virus, TbScanX needs the signature file again. It will automatically use the signature file that was used when you invoked the program. If the signature file is missing (because you deleted it, or because you removed the floppy containing it), or no file handles are left, TbScanX will still detect viruses, but it is no longer able to display the name of the virus. It will display [Name unknown] instead. III - 22 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III 3. TbCheck 3.1. The Purpose of TbCheck TbCheck is a memory-resident integrity checker, coming into action whenever a file is about to be executed. It uses the Anti-Vir.Dat records generated by TbSetup to detect file changes, often the first sign of a virus infection. These records contain information, such as file sizes and checksums, of every executable file in a directory. By comparing this information with the actual file status it is possible to detect any changes, including infections caused by viruses - automati- cally. Suppose you have a conventional integrity checker automatically invoked in your autoexec.bat file. If no files are changed, your system is supposed to be uninfected. But, to be sure that no virus can infect your system, you have to execute the checker frequently. Once loaded TbCheck will remain resident in memory, and will automa- tically check all programs you try to execute. TbCheck is fully network compatible. It does not require you to reload the checker after logged on to the network. 3.2. How to use TbCheck Since TbCheck is a memory resident program, it can be executed and configured from the command line or from within a batch file. TbCheck should however be started automatically and as soon as the computer boots up, preferably during the execution of Config.Sys or Autoexec.Bat file. => Be sure TbDriver has already been loaded - TbCheck wil refuse to start up without it. Loading TbCheck There are three possible ways to start TbCheck: 1. From the DOS prompt or within the Autoexec.Bat file: <path>TbCheck 2. From the Config.Sys as a TSR (Dos 4+): Install=<path>TbCheck.Exe The "Install=" Config.Sys command is NOT available in DOS 3.xx. 3. To invoke TbCheck from the Config.Sys as a device driver: Device=<path>TbCheck.Exe III - 23 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III Executing TbCheck as a device driver does not work in all OEM versions of DOS. If it doesn't work use the "Install=" command or load TbCheck from within the Autoexec.Bat. TbCheck should always work correctly after being started from within the Autoexec.Bat. Unlike other anti-virus products, the Thunderbyte anti- virus utilities can be loaded before the network is started without losing the protection after the network is started. Highload TbCheck In addition to the three invocation possibilities DOS 5 users can "highload" TbCheck in a UMB (upper memory block) if it is available: LoadHigh <path>TbCheck.Exe Within the Config.Sys file TbCheck can also be loaded high: DeviceHigh=<path>TbCheck.Exe TbCheck and MS-Windows Windows users should load TbCheck BEFORE starting Windows. If you do that, there is only one copy of TbCheck in memory, but every DOS-window will nevertheless have a fully functional TbCheck in it. TbCheck detects if Windows is starting up, and will switch itself into multitas- king mode if necessary. You can even disable TbCheck in one window without affecting the functionality in another window. 3.3. Command line options It is possible to specify options on the command line. The upper four options are always available, the other options are available only if TbCheck is not memory resident. option parameter shortexplanation ------ --------- ----------------------- help ? display this helpscreen off d disable checking on e enable checking remove r remove TbCheck from memory noavok [=<drives>]o check for mismatches only fullcrc f calculate full CRC (slow!) secure s do not execute unauthorized files III - 24 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III help (?) If you specify this option TbCheck displays the above options list. off (d) Disables TbCheck, but it will remain in memory and can be reactivated. on (e) TbCheck will be reactivated after having been disabled with the 'off' option. remove (r) This option disables TbCheck and will try to remove the resident part from memory. Unfortunately, this can only work if TbCheck was loaded last. An attempt to remove a TSR after another TSR has been started will simply leave a useless gap in memory and could disrupt the interrupt chain. TbCheck will try to find out whether it is safe to remove its resident code; if not, it will simply disable itself. noavok (o) TbCheck will look for checksum information on the file you want to be checked in the Anti-Vir.Dat file. TbCheck will display a message if no checksum information is found or if the specific checksum is incorrect. This makes sure that you will receive a warning whenever a malicious program deletes the Anti-Vir.Dat file. Although it is recommended to maintain Anti-Vir.Dat files on all drives, this may not always be practical with floppy disks, RAM disks or CD-ROM disks. Option 'noavok' tells TbCheck not to look for an Anti-Vir.Dat on specific drives. For instance, if you don't want to be alerted about the absence of an Anti-Vir.Dat record on floppy disks (A: and B:) or on your RAM disk (E:) you should specify: "NoAvOk=ABE" If you don't specify a drive to the 'noavok' option, TbCheck will never issue a warning if an Anti-Vir record is missing on any drive. => Note that this presents a security hole for viruses: by deleting the Anti-Vir.Dat file you will not be able to detect file changes caused by a viral infection. => Please note that the 'noavok' option does not do anything to prevent the detection of infected programs if the Anti-Vir record is available. If a program has been changed and the Anti-Vir record is available, you will still get an alarm regardless of how option 'noavok' was implemented. fullcrc (f) By default, TbCheck only verifies that part of the file near the pro- gram's entry point. If a virus infects the file, this area is guaranteed to change, so this is perfectly adequate to detect all infections. Other file changes, notably configuration variations, will not trigger the alarm. If, however, you should ever desire a full check that detects any III - 25 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III file changes, this option will take care of it. Note that this slows down the system considerably - this option is not recommended for normal (anti-virus) usage! secure (s) TbCheck normally asks whether the user wants to continue or cancel when a file has been changed or when there is no checksum information availa- ble. In a business environment it may be unwise to leave such decisions to employees. Option 'secure' makes it impossible to execute new or unknown programs, or programs that have been changed. 3.4. While checking Whenever a program wants to execute, TbCheck steps in to see if it really has the authority to do so. During that time it will display '*Checking*' in the screen's upper left hand corner. TbCheck operates at lightning speed, therefore the message will appear only momentarily. Since TbCheck does not take much time to check the file, you will see the message only in a short notice of time. Detecting File Changes TbCheck quickly checks a program when that program is loaded. If TbCheck detects that a file has been changed, a pop-up window will appear to inform you. You can either choose to continue, or to abort the program invocation. If there is no information (Anti-Vir.Dat) about the program, TbCheck will inform you about this too. You can either choose to continue without checking, or to abort the program invocation. => Note that you can prevent users from executing non authorized software by combining the TbCheck command with the 'secure' option. 3.5. Testing TbCheck Many people understandably wish to test the product they are using. In contrast with, for instance, a word processor, it is very difficult to test a smart integrity checker like TbCheck. You cannot change a random 25 bytes of an executable file just to find out whether or not TbCheck will detect the file change. On the contrary, it is very likely that TbCheck will NOT detect it because the program only checks the entry- area of the file whereas the changed bytes might be located on another location within the file. III - 26 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III 4. TbClean 4.1. The Purpose of TbClean TbClean isolates viral code in an infected program and removes it. From then on it will be safe to use the program again, as the risk of other files being infected or damaged by it will have been securely elimina- ted. Generic Cleaners TbClean works completely different compared to 'conventional cleaners. First of all, it does not recognize any virus. Its disinfection scheme is completely different and it works with almost any virus. Actually, the TbClean program contains two cleaners: a 'repair' cleaner, and a 'heuristic' cleaner. The repair cleaner needs an Anti-Vir.Dat file that is generated by the TbSetup program before the infection occurs. In this Anti-Vir.Dat file essential information is stored, like the original file size, the bytes at the beginning of the program, a cryptographic checksum to verify the results, etc. This information enables TbClean to disinfect almost every file, regardless of the virus it has been infec- ted with, known or unknown. No information available? In the heuristic cleaning mode TbClean does not need any information about viruses either, but it has the added advantage that it does not even care about the original, uninfected state of a program. This cleaning mode is very effective if your system is infected with an unknown virus and yo neglected to let TbSetup generate the Anti-Vir.Dat files in time. In the heuristic mode, TbClean loads the infected file and starts emulating the program code to find out which part of the file belongs to the original program and which to the virus. The result is successful if the functionality of the original program is restored, and the functio- nality of the virus has been reduced to zero. => Note that this does not imply that the cleaned file is 100% equal to the original. When TbClean uses heuristic cleaning to disinfect the program, the file will most likely not be exactly the same as in its original state. This is not an indication of failure of TbClean, nor does it mean the file is still infected in some way. First of all, it is normal that the heuris- tically cleaned file is still larger than the original. This is normal because TbClean tries to be on the safe side and it will avoid removing too much. The bytes left at the end of the file are 'dead' code, the instructions will never be executed again since the 'jump' at the III - 27 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III beginning of the program has been removed. If the cleaned file is an EXE type file, it is likely that some bytes in front of the program - the exeheader - are different. There are many suitable solutions to reconstruct the exeheader, and TbClean can of course never know the original state of the program. The functionality of the cleaned file will nevertheless be the same! => Note that this only applies to heuristic cleaning: if there is a suit- able Anti-Vir.Dat record available, the cleaned program will normally be exactly the same as the original clean file. It is possible that the infected file is infected with multiple viruses, or multiple instances of the same virus! Some viruses keep on infecting files, and in such case the infected files will keep growing. If TbClean used its heuristic cleaning mode, it is very likely that TbClean removed only one instance of the virus. In this case, it is necessary to repeat the cleaning process until TbClean reports that it can not remove anything anymore. 4.2. How to use TbClean After tracking one or more viruses, all you should do is select the 'Start cleaning' option in the TbClean menu. After specifying the relevant filename, TbClean will come into action. Beforehand, TbClean allows some additional parameters. These parameters are discussed below. The TbClean menu You can execute TbClean in combination with some useful parameters, which are listed in the TbClean menu. You can activate these parameters by toggling the selection bar to the desired option and type <ENTER>. A checkmark indicates that the specific parameter is ON. +----Main menu-----+ | Confi+-----TbClean menu-----+ | TbSet| Start cleaning | | TbSca| List-file name | | TbUti| Use TBAV.INI file | | TbCLe| Prompt for pause | | TBAV |v Use Anti-Vir.Dat | | Docum|v Expanded memory | | Quit | Show program loops | | eXit | Make list file | +-------+----------------------+ III - 28 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III List-file name By selecting this option you may specify a filename to be used as list- file (see also option 'make list-file'). Use TBAV.INI file By enabling this option, the TbClean configuration values, saved in the TBAV.INI file, will also be valid when loading TbClean from the command line. Be careful, since options specified in the TBAV.INI file can not be undone on the command line. See chapter I-2 ('Configuration'). Prompt for pause TbClean will stop disassembling information after each full screen to let you examine the results. Use Anti-Vir.Dat If this option is deselected, TbClean will act as if there were no Anti- Vir.Dat records available and will therefore perform heuristic cleaning. Show program loops By default TbClean keeps track of looping conditions to keep an iterati- on that would be emulated thousands of times from being listed on your screen. With this option TbClean 'works out' every loop. => Note that TbClean will perform at a drastically reduced speed. Do not combine this option with the 'list' option, because the list file might grow too big. Expanded memory If activated, TbClean will detect the presence of expanded memory and will use it in heuristic mode. You may disable EMS usage if it is too slow, or if your expanded memory manager is not very stable. Make list file TbClean will generate an output file with a chronological disassembly of the virus being removed. III - 29 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III 4.3. Command line options TbClean recognizes option short-keys and option words. The words are easier to memorize, and they will be used in this manual for convenien- ce. option parameter shortexplanation --------------------------------------------------------------- help he help (-? = short help) pause pa enable 'Pause' prompt mono mo force monochrome noav na do not use Anti-Vir.Dat record noems ne do not use expanded memory showloop sl show every loop iteration list [=<filename>] li create list file Below, all command line options are explained briefly. help (he) If you specify this option TbClean displays the contents of the TBCLE- AN.HLP file if it is available in the home directory of TbClean. If you specify the '?' option you will get the summarized help info as listed above. pause (pa) TbClean will stop disassembling information after each full screen to let you examine the results. mono (mo) This option forces TbClean to refrain from using colors in the screen output. This might enhance the screen output on some LCD screens or color-emulating monochrome systems. noav (na) If this option is specified, TbClean will act as if there were no Anti- Vir.Dat records available and will therefore perform heuristic cleaning. noems (ne) If specified, TbClean will not detect the presence of expanded memory and will use it in heuristic mode. You may disable EMS usage if it is too slow, or if your expanded memory manager is not very stable. showloop (sl) By default TbClean keeps track of looping conditions to keep an iterati- on that would be emulated thousands of times from being listed on your screen. With this option TbClean 'works out' every loop. III - 30 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III => Note that TbClean will perform at a drastically reduced speed. Do not combine this option with the 'list' option, because the list file might grow too big. list [=<filename>] (li) TbClean will generate an output file with a chronological disassembly of the virus being removed. Examples TbClean VIRUS.EXE TbClean will make a backup with the name VIRUS.VIR and it will disinfect VIRUS.EXE TbClean VIRUS.EXE TEST.EXE TbClean will copy VIRUS.EXE to TEST.EXE and disinfect TEST.EXE 4.4. The cleaning process Choose 'Start cleaning' in the TBAV menu. Now you specify the name of the file that has to be cleaned. Suppose you want an infected program file named 'virus.exe' to be cleaned: Enter name of program to clean. TbClean will create a backup first! C:\VIRUS\VIRUS.EXE The ThunderBYTE utility cleans on a file-by-file approach: clean one file, verify the result, and proceed with the next file. This helps you to keep track of which file is clean, which file is damaged and should be restored from a backup, and which file is still infected. Enter name of cleaned file. Keep blank if infected program may be changed. C:\VIRUS\TEST.EXE By specifying a different name (eg. 'test.exe') you indicate that the cleaned file may not overwrite the original .exe file. In this example TbClean will copy VIRUS.EXE to TEST.EXE and disinfect TEST.EXE. Next, TbClean will start the cleaning process. If you do not specify a backup filename, TbClean will create a backup with the '.vir' extension (eg. VIRUS.VIR) and it will disinfect the .exe file. III - 31 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III +-----------------------------------------------------------------+ | Thunderbyte clean utility v6.03 (C) 1992-93 Thunderbyte B.V. | +---------Infected state----------++---------Original state-------+ | Entry point (CS:IP) 34BF:0012 || Entry point (CS:IP) 34BF:0012| | File length || File length UNKNOWN! | | Cryptographic CRC 9F90F52A || Cryptographic CRC UNKNOWN! | +---------------------------------++------------------------------+ | | | Starting clean attempt. Analyzing infected file... | | Anti-Vir not found: original state unknown. Trying emulation... | | Emulation terminated: | | | | C:\VIRUS\TEST.EXE | | CS:IP Instruction AX BX CX DX DS SI ES DI SS SP | | 9330:0101 mov ah,40 FFFE9330FFFFEFFFD382FFEDEFFEFFFF9520007E| | 9330:0103 mov bx,0002 40FE9330FFFFEFFFD382FFEDEFFEFFFF9520007E| | 9330:0106 mov cx,0016 40FE0002FFFFEFFFD382FFEDEFFEFFFF9520007E| | 9330:0109 mov dx,cs 40FE00020016EFFFD382FFEDEFFEFFFF9520007E| | 9330:010B mov ds,dx 40FE000200169330D382FFEDEFFEFFFF9520007E| | 9330:010D mov dx,0117 40FE0002001693309330FFEDEFFEFFFF9520007E| | 9330:0110 int 21 40FE0002001601179330FFEDEFFEFFFF9520007E| | 9330:0112 mov ax,4CFF 40FE0002001601179330FFEDEFFEFFFF9520007E| | 9330:0115 int 21 4CFF0002001601179330FFEDEFFEFFFF9520007E| | 9330:0115 <End of emulation> | +-----------------------------------------------------------------+ While Cleaning TbClean will display as much information as possible about the current operation, as illustrated above. All the major actions will be in the emulation window, displaying a disassembly and the register contents of the program under scrutiny, along with a progress report. The status windows reveal useful details of the infected file and, if TbClean can find a suitable Anti-Vir.Dat file, its original status. You may abort the cleaning process by pressing <Ctrl-Break>. The job isn't done yet A successful purge is not the end of the story! Your job is only parti- ally completed. Some viruses damage data files. They could randomly change bytes on your disks, swap sectors, or perform other nasty tricks. A cleaning utility will never be able to repair your data! Check your data files thoroughly and consult a viral expert to find out what the virus is capable of doing. If there is any doubt, restoring the data is definitely the most reliable option. => Under no circumstances should you continue to use cleaned software! Cleaning is a temporary solution to allow you to delay a large restore operation until the first available slack period. You should not rely on a cleaned program for any length of time. Please, don't take this as a III - 32 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III put down of antiviral cleaning agents. If your data is valuable to you, you should care for it as much as possible, and sticking to original software only is no more than an elementary precaution. In other words, restore the original programs as soon as possible! Cleaning Limitations Although TbClean has a very high success rate and is able to clean programs that other cleaners refuse to process, not all viruses can be removed, and not all files can be cleaned. Viruses that cannot be removed from an infected file: Overwriting viruses. This type of virus does not add itself to the end of the original program, they just copy themselves over the original file. They do not attempt to start the original program but they will simply return you to DOS after they are activated or will hang the machine. Since the origi- nal file is overwritten and damaged, no cleaner can remove the virus. Some encrypted viruses. TbClean is usually able to decrypt the virus. However, some viruses use anti-debugger features that TbClean cannot cope with yet. The way some program files are constructed makes them impossible to clean and reinstatement will be the only option. This category includes: EXE-programs with internal overlays. TbScan marks these files with an 'i' flag. Any infection is bound to cause major damage to these files. Some viruses recognize such programs and do not infect them, but most viruses infect these programs anyway, and corrupt the program. No cleaner can repair such damage. Programs with sanity check routines. Some programs - mostly anti-virus software or copy-protected programs - perform some kind of sanity check. Heuristic cleaning of an infected program normally results in a program that is not physically identical to the original. Although the virus is removed from the program and the program is functionally identical to the original, the sanity check will usually detect the slight changes and abort the program. III - 33 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III Multiple files cleaning TbClean has no provisions for cleaning multiple programs in one run. There are two reasons for this omission: - TbClean can not search for viruses automatically since it does not know any virus. - We highly recommend to clean the system on a file-by-file approach. Clean one file, verify the result, and proceed with the next file. This helps you to keep track of which file is clean, which file is damaged and should be restored from a backup, and which file is still infected. III - 34 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III 5. Ongoing virus prevention: TbMon The Purpose of TbMon utilities TbMon is a set of three memory resident anti-virus utilities: TbMem Detects attempts of programs to remain resident in memory, and makes sure that no program can remain resident in memory without permission. TbFile detects attempts of programs to infect other programs. TbDisk detects attempts of programs to write directly to the disk (without using DOS), attempts to format, etc. Instructions on how to use these utilities are presented below. How to use TbMon programs Loading TBMon programs The TbMon programs are all loaded in the same way. For specific informa- tion on each of the programs, such as commandline options, please refer to the appropriate sections in this chapter. There are three possible ways to start the TbMon programs: From the DOS prompt or within the Autoexec.Bat file: <path>Tbxx From the Config.Sys as a TSR (Dos 4+): Install=<path>Tbxxx.Exe The "Install=" Config.Sys command is NOT available in DOS 3.xx. To invoke a TbMon program from the Config.Sys as a device driver: Device=<path>Tbxxx.Exe Executing a TbMon program as a device driver does not work in all OEM versions of DOS. If it doesn't work use the "Install=" command or load the program from within the Autoexec.Bat. A TbMon program should always work correctly after being started from within the Autoexec.Bat. Unlike other anti-virus products, the Thunder- byte anti-virus utilities can be loaded before the network is started without losing the protection after the network is started. III - 35 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III Highload TBMon programs In addition to the three invocation possibilities DOS 5 users can "highload" TbMon programs in a UMB (upper memory block) if it is availa- ble: LoadHigh <path>Tbxxx.Exe Within the Config.Sys file a TbMon program can also be loaded high: DeviceHigh=<path>Tbxxx.Exe TBMon and MS-Windows Windows users should load a TbMon program BEFORE starting Windows. If you do that there is only one copy of the TbMon program in memory, but every DOS-window will nevertheless have the fully functional TbMon program in it. The TbMon program detects if Windows is starting up, and will switch itself into multitasking mode if necessary. You can even disable the program in one window without affecting the functionality in another window. Command line options All TbMon utilities can be loaded in combination with several options. You may specify the options listed below in combination with all three utilities. The specific options are described in the relevant sections. help (?) If you specify this option the TbMon program will show you the brief help as shown above. off (d) If you specify this option the TbMon program will be disabled, but it will remain in memory. on (e) If you use this option the TbMon program will be activated again after you disabled it with the 'off' option. remove (r) This option can be used to remove the resident part of the TbMon program from your system's memory. All memory used by the TbMon program will be released. Unfortunately, the removal of a TSR is not always possible. The TbMon program checks whether it is safe to remove the resident part from memory. If it is not safe it just disables the TbMon program. A TSR can not be removed if another TSR has been started after it. If this happens with the TbMon program, it will completely disable itself. III - 36 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III 5.1. TbMem The Purpose of TbMem Most viruses remain resident in memory once they have been executed. While resident in memory, they may have many opportunities to infect other files in the background, interfere with the system operation, hide themselves from virus scanners or checksummers, and/or perform other nasty tasks. On the other hand, because so many viruses remain resident in memory, it is easy to detect most of them once the process of becoming resident in memory is monitored. TbMem monitors the system and ensures that no program will remain resident in memory without permission. This will draw attention to any software that attempts to remain resident, thereby reducing the likeli- hood that a virus will be able to go unnoticed. TbMem also protects CMOS. What is a memory-resident program? Most programs will be invoked by a command on the DOS command line, perform some task, and finally terminate, placing you right back where you started. Some programs however continue to operate after they are terminated. These programs load themselves into memory of your PC, remain resident in the memory and perform some task in the background. Programs in this category are disk caches, print spoolers, network software, etc. These programs are often referred to as 'TSR-software', which means 'Termina- te-and-Stay-Resident'. Most viruses remain resident in memory too, and that is why the process of becoming resident in memory should be controlled in some way, prefe- rably by TbMem. TbMem offers you the option to abort the program before it can become resident. TbMem will guard the DOS TSR function calls, while also monitoring important interrupts and memory structures. TbMem uses the Anti-Vir.Dat records to determine whether a program is allowed to remain resident in memory. Many common TSRs will be recognized by TbSetup. However, if TbSetup doesn't recognize a TSR, TbMem will ask your permission for the TSR to load. Permission information will be maintained in the Anti-Vir.Dat files, to prevent TbMem from bothering you when an approved TSR is loading. TbMem will also check the contents of the CMOS configuration memory after each program termination, to make sure that programs do not change III - 37 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III it unnoticed. TbMem offers the possibility to restore the CMOS configu- ration when it has been changed. Once you have 'taught' TbMem which programs are TSRs and which are not on one PC, you can use TbSetup to set the permission flag of these files on other machines. TbMem installs a hot key that can be used to escape from nearly all programs. TbMem is fully network compatible. It does not require you to reload the checker after logging on to a network. How to use TbMem Since TbMem is a memory resident program, it can be executed and confi- gured from the command line or from within a batch file. TbMem should however be started automatically and as soon as the computer boots up, preferably during the execution of Config.Sys or Autoexec.Bat file. Be sure TbDriver has already been loaded - TbMem wil refuse to start up without it. Command line options It is possible to specify options on the command line. The upper four options are always available, the other options are available only if TbMem is not memory resident. option parameter short explanation -------------------------------------------------------------- help ? display this helpscreen off d disable checking on e enable checking remove r remove TbMem from memory secure s do not execute unauthorized TSRs hotkey <keycode> k specify keyboard scancode for hotkey nocancel n do not install cancel hot key nocmos m do not protect CMOS help (?) If you specify this option TbMem will show you the brief help as shown above. off (d) If you specify this option TbMem will be disabled, but it will remain in memory. III - 38 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III on (e) If you use this option TbMem will be activated again after you disabled it with the 'off' option. remove (r) This option can be used to remove the resident part of TbMem from your system's memory. All memory used by TbMem will be released. Unfortunate- ly, the removal of a TSR (like TbMem) is not always possible. TbMem checks whether it is safe to remove the resident part from memory. If it is not safe it just disables TbMem. A TSR can not be removed if another TSR has been started after it. If this happens with TbMem it will completely disable itself. secure (s) TbMem normally asks the user to continue or to cancel when a program tries to remain resident in memory. In some business environments however this choice should not be made by employees. By using option 'secure' it is no longer possible to execute new or unknown resident software. nocancel (n) TbMem normally installs the program cancel hot key (Ctrl-Alt-Insert). If you do not want this, specify this option. This also saves a few bytes of memory. hotkey (k) TbMem offers you a reliable way to escape from any program by pressing a special key combination. This can be used to escape from programs that 'hang', but of course also to escape from software that seems to be malicious (although powering down and rebooting from a write-protected system disk is recommended). The program cancel hot key of TbMem is by default Ctrl-Alt-Insert. If you wish, you can specify another keyboard option with option 'hotkey =<keycode>'. The scancode is specified in a 4 digit hexadecimal number. The far left bytes specify the shift-key mask, the far right bytes specify the keyboard scancode. Consult your machine manual for a list of scancodes. The default scancode is 0C52h (Ctrl-Alt-Insert). The scancode for Ctrl-Alt-Escape is 0C01h. nocmos (m) TbMem normally protects the CMOS memory if available. If you do not want TbMem to do this you can specify this option. Examples C:\utils\TbMem or: Device=C:\utils\TbMem.Exe III - 39 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III TbMem in process If TbMem detects that a program tries to remain resident in memory, a pop-up window will appear with a message. You can either choose to continue, or to abort the program invoca-tion. If you answer 'NO' to the question 'Remove program from memory?' the program will continue undis- turbed, and TbMem places a mark in the Anti-Vir.Dat file about this program. Next time you invoke the same resident program, TbMem will not disturb you again. There are a lot of programs which normally remain resident in memory, such as disk caches, print spoolers, etc. How does TbMem distinguish between these programs and viruses? TbMem uses the Anti-Vir.Dat records generated by TbSetup to keep track of which files are normal TSRs and which are not. Most common resident software will be marked as such by TbSetup, so you don't have to worry about these files. If TbMem pops up with the message that a program tries to remain resi- dent in memory, you have to consider the purpose of the program mentio- ned. Is the program supposed to continue to operate in the background? The answer is obviously yes if the program mentioned is a disk cache, print spooler, pop-up utility or system extension software. However, if the message appears after you have finished a text proces- sing job, or terminated a database or spreadsheet application, something is definitely wrong! You ought to terminate the program and use a virus scanner to check the system. The same applies when software that operates normally without staying resident in memory suddenly changes its behavior and tries to remain resident in memory. 5.2. TbFile The Purpose of TbFile The two most perilous viral categories are the bootsector and the file variants. File viruses all have a common purpose -they infect programs. Infecting a program involves very unusual file manipulations that are quite dissimilar to normal files handling procedures, so in order to detect viral activity it is essential to keep an eye out for program file changes involving peculiar actions. TbFile monitors the system and detects attempts of programs to infect other programs. Unlike other file guards, TbFile monitors the system only for virus specific file modifications. TbFile won't generate an alarm when a program modifies itself for configuration purposes, nor does it bother you when you update a program or create one yourself. III - 40 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III Running an average system, configurations should never cause a false alarm. TbFile not only detects attempts to infect programs, it also offers you the option to abort the infection process and to continue the program. TbFile detects other suspicious activities - including setting the seconds value of time stamps to an illegal value. TbFile has a very sophisticated infection detector and it will not give a false alarm when you perform standard file operations. In normal configurations you will never get a false alarm! Files can be protected against unwanted modifications by means of the read-only attribute. Without TbFile this standard DOS protection can be circumvented easily. TbFile however makes sure any attempts to sabotage the readonly attribute will not go undetected. This gives you added security by letting you use an uncomplicated method to fully protect your files against destruction and infection. TbFile is fully network compatible. It does not require you to reload the checker after logging on to a network. Other resident anti-virus utilities force you to choose between protection before the network is started, or protection after the network is started, but not both. Command line options It is possible to specify options on the command line. The upper four options are always available, the other options are only available if TbFile is not already memory-resident. option short explanation ---------- ---------------------------- help ? display this helpscreen off d disable checking on e enable checking remove r remove TbFile from memory secure s all permissions denied allattrib a readonly check on all files help (?) If you specify this option TbFile will show you the brief help as shown above. off (d) If you specify this option TbFile will be disabled, but it will remain in memory. III - 41 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III on (e) If you use this option TbFile will be activated again after you disabled it with the 'off' option. remove (r) This option can be used to remove the resident part of TbFile from your system's memory. All memory used by TbFile will be released. Unfortunately, the removal of a TSR (like TbFile) is not always possi- ble. TbFile checks whether it is safe to remove the resident part from memory. If it is not safe it just disables TbFile. A TSR can not be removed if another TSR has been started after it. If this happens with TbFile it will completely disable itself. secure (s) TbFile normally asks the user to continue or to cancel when a program tries to perform a suspicious operation. In some business environments however this choice should not be made by employees. By using option 'secure' it is no longer possible to allow suspicious operations. allattrib (a) TbFile normally only protects the readonly attribute of executables (program files with the extension COM and EXE). If you want to have the readonly check on all files add option 'allattrib'. In this case you will always get an alarm when an attempt is made to remove the readonly attribute of any file. Examples C:\utils\TbFile allattrib or: Device=C:\utils\TbFile.Exe allattrib 5.3. TbDisk The Purpose of TbDisk Many viruses try to damage the data on the disk. They accomplish this by formatting the disk, overwriting the FAT, swapping disk sectors, etc. Almost anything is possible. Another category of malicious software, known as 'bootsector virus droppers', installs a bootsector virus on the disk. The program itself is not a virus, so detection with virus scanners and other anti-viral software is very difficult. The only way to detect such programs is by monitoring their behavior. The main problem lies in the way these programs manage to avoid the usual DOS procedures - they go directly to the BIOS, the Basic In- put/Output System. That is why you need TbDisk - to monitor the system and to ensure that no program can write directly to disk without permis- sion! It draws attention to any software that attempts to write directly III - 42 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III to disk, thereby reducing the likelihood that a virus will remain unnoticed. TbDisk prevents viruses from damaging data on your disk and stops bootsector virus droppers in their tracks. TbDisk will come in handy, too, if you ever need to write protect a hard disk. This bonus feature often helps when testing new software. TbDisk not only informs you when a program tries to write directly to the disk, it also offers you the option to abort the program before it can cause any damage. Detection of 'stealth' techniques. TbDisk is able to detect attempts to single step through the BIOS handler, and even monitor the use of undocumented calls that could cause disk damage. TbDisk is able to distinguish whether DOS or an application makes direct write attempts via Int 13h. Direct writes are perfectly legal for DOS, but unusual for application software. TbDisk needs little maintenance. TbDisk uses the Anti-Vir.Dat records to determine if a program is allowed to write directly to the disk, inclu- ding popular disk utilities, which will have been recognized by TbSetup. In the absence of an Anti-vir.Dat record, TbDisk will ask your approval first and, if granted, updates the record accordingly in order to avoid repeated warnings about the same program. TbDisk is fully network compatible. It does not require you to reload the program after logging on to a network. Other resident anti-virus utilities force you to choose between either protection before the network is started, or protection after. How to use TbDisk Loading TBDisk Improper installation can cause excessive amounts of false alarms! If you want to install TbDisk in your Config.Sys or AutoExec.Bat file, it is highly recommended to use the 'install' option of TbDisk first. If the system continues to behave normally and TbDisk does not give false alarms when you copy files on your hard disk, TbDisk is installed correctly and you can remove option 'install'. TBDisk in your Install Failure to use option 'install' when you install TbDisk Config.Sys or AutoExec.Bat file may cause loss of data! Option 'install' causes TbDisk to allow all disk accesses, it will however pop-up a message like it would do in normal mode. If no false alarms occur when you copy files on your hard disk, TbDisk is installed correctly and option 'install' can be removed. III - 43 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III If TbDisk causes false alarms you should load TbDisk further ahead in your Config.Sys or AutoExec.Bat file, until it works as it should do. Unlike the other TBAV utilities it is recommended to load TbDisk after other resident software! Failure to do so can cause excessive amounts of false alarms! TBDisk and MS-Windows TbDisk detects if Windows is starting up, and will switch itself into multi tasking mode if necessary. You can even disable TbDisk in one window without affecting the functionality in another window. If you configured Windows to use fast 32-bit disk access you might need TbDisk option 'win32' if Windows displays an error-message. Command line options It is possible to specify options on the command line. The upper four options are always available, the other options are available only if TbDisk is not memory resident. option shortexplanation ------ ----------------------- help ? display this helpscreen remove r remove TbDisk from memory off d disable checking on e enable checking wrprot p make hard disk write protected nowrprot n allow writes to hard disk win32 w allow Windows 32bit disk access secure s deny access without asking nostealth a do not detect stealth disk access notunnel t do not detect tunneling install i installation test mode help (?) If you specify this option TbDisk will show you the brief help as shown above. Once TbDisk has been loaded the help option will not show all options anymore. remove (r) This option can be used to remove the resident part of TbDisk from your system's memory. All memory used by TbDisk will be released. Unfortunately, the removal of a TSR (like TbDisk) is not always possi- ble. TbDisk checks whether it is safe to remove the resident part from memory. If it is not safe it just disables TbDisk. A TSR can not be III - 44 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III removed if another TSR has been started after it. If this happens with TbDisk it will completely disable itself. off (d) If you specify this option TbDisk will be disabled, but it will remain in memory. on (e) If you use this option TbDisk will be activated again after you disabled it with the 'off' option. wrprot (p) Hard disks are more difficult to protect against writing than floppies, which adds considerably to the risks involved when, for instance, testing new software. Sometimes you might want to find out what this software will do to your hard disk and how this could possibly affect your valuable data. With option 'wrprot' it will be safer to do so. Whenever a program wishes to write to a protected disk you will receive a message such as: "Write protect error writing drive C: A)bort, R)etry, I)gnore?" You may then take appropriate action. => Note: A software write protection solution is not absolutely reliable. It can be bypassed, but, fortunately, viruses that are actually capable to do so are few and far between. It can be a valuable shield against most malicious software, despite its shortcomings. nowrprot (n) You can use this option to undo the option 'wrprot'. win32 (w) Windows 386 Enhanced Mode uses some undocumented DOS calls to retrieve the original BIOS disk handler when 32-bit disk access has been enabled. Since TbDisk guards these calls, 32-bit disk access will no longer be possible, unless you specify option 'win32' when TbDisk is initialized. => Note: Use this option, which reduces antiviral security to some extent, only in Windows 386 Enhanced Mode with fast 32-bit disk access enabled! secure (s) TbDisk normally asks whether the user wants to continue or cancel when a program tries to perform direct disk access. In some business environ- ments, however, this should not be left up to employees. Option 'secure' disables direct disk access permission to new or unknown software. nostealth (a) TbDisk tries to detect direct calls into the BIOS. If such an attempt occurs, TbDisk pops up with a message that the disk is accessed in an unusual way. If this feature causes false alarms, you can use this option to turn it off. III - 45 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III notunnel (t) One of TbDisk's regular tasks is to detect tunneling attempts on the part of viruses. 'Tunneling' is a technique used by viruses to determine the location of the BIOS system code in memory, and to use that address to communicate with the BIOS directly. This will inactivate all TSR programs, including resident anti-virus software. TbDisk can detect 'tunneling' attempts in advance and informs you about this. Some other antiviral products employ tunneling techniques also to bypass resident viruses, causing a false alarm. If you make use of such other anti-virus products, you may use the option 'notunnel' to disable tunneling-detec- tion. install (i) Incorrect installation may result in a large number of false alarms. You should use option 'install' when installing TbDisk, which will reduce the risk of cancelling a valid disk write operation as a result of false alarms. TbDisk in process What is Direct Disk Access? Programs often access files, usually through the operating system (DOS). Whenever a program wants to update a file, for example, it asks DOS to write the data to disk. There are however also possibilities to write to a disk without using DOS. This is called 'direct disk access'. Normal programs do not write to the disk directly. However, there are some programs that need to write to disk directly. Programs in this category are: - Format utilities. A disk can only be formatted by direct disk access. - Disk diagnosis utilities (such as the NORTON disk doctor, DOS chkdsk, etc.) - Disk optimizers. As many viruses are able to perform direct disk access as well, it is essential to have some control over all this. TbDisk can distinguish between legitimate programs and a virus with the help of the Anti- Vir.Dat records, generated by TbSetup under your guidance. Detecting direct disk accesses Whenever TbDisk pops up with the message that a program accesses to the disk directly, consider its purpose carefully. While it is perfectly acceptable for a format utility or a disk optimizer to format or edit disk sectors, the same cannot be said about a word processor or databa- se. When TbDisk warns you that a spreadsheet or some other 'normal' III - 46 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III program is about to format a sector, you can be sure that something is wrong. Terminate the program -pronto!- and check things out with a virus scanner before the worst can happen. III - 47 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III 6. TBAV Tools 6.1. TbUtil The Purpose of TbUtil TbUtil provides a defense against partition table and bootsector viru- ses: TbUtil copies the partition table, bootsector and CMOS data area into a file. On a regular base you can use TbUtil to compare both the current and the copied versions of the partition table, bootsector and CMOS data area. After a (virus) accident you can restore the copy with the TbUtil program. TbUtil removes a partition table virus without having to low-level format the hard disk, even if there is no backup of the partition table. TbUtil removes bootsector viruses. TbUtil creates a partition table that has some first-line virus defenses built-in. TbUtil replaces the infected or clean bootsector by a safe TBAV boots- ector. What is a partition table? A partition is a logical drive on a hard disk. A physical hard disk can contain multiple DOS partitions. Every DOS partition has its own drive ID (eg. C: D: E:). The partition table contains the disk lay-out and the start and end cylinder of every partition. The partition table also carries information about the operating system of a partition and which partition should be used to boot. The partition table is always located at the first sector of the hard disk. It is called the "Master Boot Record". No format needed Unlike most file viruses, partition table viruses are hard to remove. The only solution is to low-level format the hard disk and to make a new partition table, or to make use of undocumented DOS commands. TbUtil makes a backup of the partition table and bootsector, and will use this backup to compare and restore both the original partition table and bootsector once they have been infected. You don't have to format your disk anymore to get rid of a partition table or bootsector virus. The program can also restore the CMOS configuration. III - 48 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III If desired TbUtil replaces the partition table code with an immunized partition table, containing facilities against viruses. The TbUtil partition code will be executed before the bootsector gains control, so it is able to check the bootsector in a clean environment. Once the bootsector is executed it is difficult to check it, because the virus is already resident in memory and can fool any protection. Instead of booting from a clean DOS diskette just to inspect the bootsector, the TbUtil partition code performs a CRC calculation on the bootsector just before control is passed to it. If the bootsector has been modified the TbUtil partition code will warn you about this. The TbUtil partition code also checks the RAM layout and informs you when it has changed. It does this every time you boot from your hard disk. TbUtil can replace infected and clean diskette bootsectors by a new bootsector, which has advantages over the standard bootsector. It has bootsector virus detection capabilities, it performs a sanity check, and it offers you the possibility to redirect the boot process to the hard disk without opening the diskette drive door. How to use TbUtil The TbUtil module contains several programs, which can be executed from the TbUtil menu or in case of an emergency from a TbUtil recovery diskette using the DOS command line. TbUtil allows some additional menu options. These options are discussed below. The corresponding command line parameters are listed in chapter 6 of this section. The system maintenance menu This menu contains the actual TbUtil program. The program takes care of saving, restoring or comparing the system configuration of your PC. The backup system configuration is stored on a diskette in a file with either a default name or a name you can specify yourself. => Warning: You can only restore a system configuration datafile on the machine which created the datafile. If not, restoring such a file will make your PC inaccessible! III - 49 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III +----Main menu-----+ | Confi+-----------TbUtil menu-----------+ | TbSet| Syste+-------System maintenance-------+ | TbSca| Immun| Execute TbUtil | | TbUti| Immun| Name of TbUtil data file | | TbCLe| Immun| Describe this machine | | TBAV +-------| Save system configuration | | Documentation|v Compare system configuration | | Quit and save| Restore system configuration | | eXit (no save|v process CMOS memory | +---------------|v process Partition code | |v process Bootsector | +--------------------------------+ Execute TbUtil Before activating this option, you must select one of the optional functions: save, compare or restore the system configuration. Toggle to the desired option and type <ENTER>. A checkmark will indicate the selected option. Name of TbUtil data file With the 'Save' option, the system configuration is saved in a file. You can add a description to this TbUtil data file, which makes it easier to determine which datafile belongs to which machine. Describe this machine Enter a meaningful description of the machine. Enter something like "AT 12MHz, 4Mb, room 12, Mr. Smith". You do NOT have to remember it, TbUtil will display it on the screen when comparing or restoring, but it helps you to verify that the data file belongs to the machine. Save system configuration This option stores the partition table, bootsector and CMOS data area into the TbUtil data file. =>> Attention! Since the PC is completely inaccessible to DOS if the parti- tion table gets damaged, it is HIGHLY RECOMMENDED to store both the TbUtil data file and the program TbUtil.Exe itself on a diskette! It is not nice if the partition table is destroyed and the only solution to the problem resides on the same inaccessible disk... When loading TbUtil from the command line you must specify a filename after the 'store' option. Using the TBAV menu, you may use the default filename 'TBUTIL.DAT'. If you own more than one PC, it is advisable to III - 50 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III create one TbUtil diskette with all TbUtil data files of all your PC's on it. Use the extension of the file for PC identification, eg.: a:TbUtil.<number> Compare system configuration This option enables you to check on a regular basis that everything is still OK. If you specify this option TbUtil will compare the information in the TbUtil data file against the partition table, bootsector and CMOS data area. It will also show the comment stored in the data file. And of course, if you use this option you will also be guaranteed that the TbUtil data file is still readable. Restore system configuration This option enables you to restore the partition table, bootsector, and CMOS data area. It will ask you to confirm that the data file belongs to the current machine. Finally it will restore the partition table, bootsector of the partition to be used to boot, and the CMOS data area. Process Partition code/Bootsector/CMOS memory TbUtil will by default restore the partition code, bootsector and CMOS if option 'restore' is specified. If you use one of the above mentioned options in combination with the option 'restore' TbUtil will restore just the items specified. The TbUtil menu Apart from the System maintenance menu, the TbUtil menu contains some useful programs to prevent bootsector virus infection or to remove these viruses. +----Main menu-----+ | Confi+-----------TbUtil menu-----------+ | TbSet| System maintenance menu >| | TbSca| Immunize/clean bootsector A: | | TbUti| Immunize/clean bootsector B: | | TbCLe| Immunize/clean partition code | | TBAV +---------------------------------+ | Documentation >| | Quit and save | | eXit (no save) | +------------------+ III - 51 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III Immunize/clean diskette You can use the 'immunize' program to clean diskettes infected by a bootsector virus or to replace the standard bootsector by a bootsector which has advantages over the original one: It has virus detection capabilities. The bootsector will check that it is still located on the correct place on the diskette, and that Int 13h and/or Int 40h are still located in system ROM. This makes it possible to detect even 'stealth' and bootsector viruses. The TBAV bootsector is able to load the system files if they are availa- ble on the disk, but if the DOS system files are not on the disk the TBAV bootsector will present a small menu and offers you two possibili- ties: retry the boot operation with another diskette, or to boot from the harddisk. If the user selects the latter, it is not required to open the diskette drive door. Immunize/clean hard disk This is a very powerful option, which can be used to clean an infected partition table if there is no TbUtil data file. It replaces the exis- ting partition table code by a new partition routine containing some virus detection capabilities. The original partition code will be saved in a file. You have to execute TbUtil from a floppy drive or you have to specify the name of the file (the specified drive should be a diskette drive) to store the original partition code. If the original partition table is completely damaged and cannot be used to build a new one, TbUtil will scan the entire disk for information about the original disk layout. TbUtil will also search for TbUtil data files on the hard disk. It is however recommended to store the data file on a diskette, although it is a good idea to keep a copy of it on the hard disk. Just in case! If your system configuration changes, i.e. you update your DOS version, or change the amount of memory, you need to update the information stored in the immune partition as well. You can do this by using this option. In the unlikely event that the system does not boot properly, you can restore the original partition table using the TbUtil 'restore' option or by using the DOS 5+ 'FDISK /MBR' command (which will create a new partition table). If the new partition code works properly, you should make a back-up copy of it on a diskette using the TbUtil 'store' option. III - 52 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III Command line options TbUtil recognizes option-characters and option-words. The words are easier to remember, and they will be used in this manual for convenien- ce. option parameter short explanation ------ --------- ---- -------------------- immunize <drive> im Immunize/Clean boot/MBR of <drive> store [<filename>] st Store system information restore [<filename>] re Restore system information compare [<filename>] co Compare system information Sub-options of option 'Immunize': norepeat nr Do not ask for next diskette Sub-options of option 'Store': description<descr.> de Add description to data file Sub-options of option 'Restore': part pt Restore partition table boot bo Restore bootsector of HD cmos cm Restore CMOS Below, the command line options are explained briefly. immunize diskette <drive> (im) You can use the 'immunize' program to clean diskettes infected by a bootsector virus or to replace the standard bootsector by a bootsector which has advantages over the original one: - It has virus detection capabilities. The bootsector will check that it is still located on the correct place on the diskette, and that Int 13h and/or Int 40h are still located in system ROM. This makes it possible to detect even 'stealth' and bootsector viruses. - The TBAV bootsector is able to load the system files if they are available on the disk, but if the DOS system files are not on the disk the TBAV bootsector will present a small menu and offers you two possibilities: retry the boot operation with another diskette, or to boot from the harddisk. If the user selects the latter, it is not required to open the diskette drive door. Immunize c: (im c:) This is a very powerful option, which can be used to clean an infected partition table if there is no TbUtil data file. It replaces the exis- ting partition table code by a new partition routine containing some virus detection capabilities. The original partition code will be saved in a file. You have to execute TbUtil from a floppy drive or you have to specify the name of the file (the specified drive should be a diskette drive) to store the original partition code. III - 53 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III If the original partition table is completely damaged and cannot be used to build a new one, TbUtil will scan the entire disk for information about the original disk layout. TbUtil will also search for TbUtil data files on the hard disk. It is however recommended to store the data file on a diskette, although it is a good idea to keep a copy of it on the hard disk. Just in case! If your system configuration changes, i.e. you update your DOS version, or change the amount of memory, you need to update the information stored in the immune partition as well. You can do this by using this option. In the unlikely event that the system does not boot properly, you can restore the original partition table using the TbUtil 'restore' option or by using the DOS 5+ 'FDISK /MBR' command (which will create a new partition table). If the new partition code works properly, you should make a back-up copy of it on a diskette using the TbUtil 'store' option. store [<filename>] (st) This option stores the partition table, bootsector and CMOS data area into the TbUtil data file. =>> Attention! Since the PC is completely inaccessible to DOS if the parti- tion table gets damaged, it is HIGHLY RECOMMENDED to store both the TbUtil data file and the program TbUtil.Exe itself on a diskette! It is not nice if the partition table is destroyed and the only solution to the problem resides on the same inaccessible disk... When loading TbUtil from the command line you must specify a filename after the 'store' option. Using the TBAV menu, you may use the default filename 'TBUTIL.DAT'. If you own more than one PC, it is advisable to create one TbUtil diskette with all TbUtil data files of all your PC's on it. Use the extension of the file for PC identification, eg.: a:TbUtil.<number> restore [<filename>] (re) This option enables you to restore the partition table, bootsector, and CMOS data area. It will ask you to confirm that the data file belongs to the current machine. Finally it will restore the partition table, bootsector of the partition to be used to boot, and the CMOS data area. compare [<filename>] (co) This option enables you to check on a regular basis that everything is still OK. If you specify this option TbUtil will compare the information in the TbUtil data file against the partition table, bootsector and CMOS data area. It will also show the comment stored in the data file. And of course, if you use this option you will also be guaranteed that the TbUtil data file is still readable. norepeat (nr) TbUtil will prompt you for next diskette after you immunized a diskette. With option 'norepeat' you can disable this. III - 54 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III description <descr.> (de) Enter a meaningful description of the machine. Enter something like "AT 12MHz, 4Mb, room 12, Mr. Smith". You do NOT have to remember it, TbUtil will display it on the screen when comparing or restoring, but it helps you to verify that the data file belongs to the machine. part (pt) boot (bo) cmos (cm) TbUtil will by default restore the partition code, bootsector and CMOS if option 'restore' is specified. If you use one of the above mentioned options in combination with the option 'restore' TbUtil will restore just the items specified. Examples TbUtil store TbUtil st TbUtil store A:TbUtil.Dat TbUtil store A:TbUtil.Dat description = "Test machine" TbUtil compare A:TbUtil.Dat TbUtil restore A:TbUtil.Dat part cmos TbUtil immunize A: Type A:TbUtil.Dat Using the anti-virus partition If you install the Thunderbyte partition code (TbUtil immunize), you will see the following while booting a clean system: Thunderbyte anti-virus partition v6.03 (C) 1993 Thunderbyte BV. Checking bootsector CRC -> OK! Checking available RAM -> OK! Checking INT 13h -> OK! If there is a virus in the bootsector or partition table you will see this: Thunderbyte anti-virus partition v6.03 (C) 1993 Thunderbyte BV. Checking bootsector CRC -> OK! Checking available RAM -> Failed! System might be infected. Continue? (N/Y) III - 55 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III Some other messages that can be displayed are "No system.", which means that there is no active partition on the disk, and "Disk error" of which the meaning is obvious. Using the TbUtil diskette Take a new diskette, format it as a bootable diskette (eg. by using the dos 'format /s' command). Copy the TbUtil files onto the diskette: copy tbutil.* a: The TbUtil files you need are: tbutil.exe tbutil.lng 'Tbutil.doc' is a documentation file which is not necessarily needed, but it might be of some assistance to you. Trouble-Shooting In case of an emergency, eg. a damaged or infected partition table, you should boot from the TbUtil diskette. Subsequently, you start the TbUtil program, using the 'immunize' option: a:\tbutil immunize c: 6.2. StackMan Purpose of Stackman Have you ever experienced your machine hanging unexpectedly? Have you ever experienced programs dumping beeping garbage on the screen? Ever found your overnight working machine hanging when you return to work even though the same programs work well during the day? Ever seen the message "Stack overflow"? Ever found some resident or background softwa- re to hang the machine as soon as you want to activate them? Does your system run unreliably when you put the statement "Stacks=0,0" in your Config.Sys file? Do some programs crash when using them in combination with some TSR's? If you can answer all these questions with "No" the Stack Manager will not be useful for you. If some of these events frequently happen to you, these problems are probably caused by stack over-flows. Mostly these problems can be solved by using the Config.Sys statement "Stacks 9,256". Sometimes they cannot. Anyway, the "Stacks" statement consumes precious memory and it is hard to guess the correct values. The "Stacks" state- ment is not explained very well in most manuals. Only a few users seem to understand its purpose. III - 56 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III What is a stack? A stack is a memory buffer used by software and the procesor itself to store temporary data. All programs establish a stack when they are executed. Background or resident software have to use the stack of the foreground program as well. As soon as you press a key the processor is interrupted by the keyboard processor to fetch the pressed key. With every timer tick the processor is interrupted to increase the system timer. All these background processes consume some stack space. How does it fail? Sometimes a timer tick, a keyboard interrupt and another interrupt all occur at the same time. It will not happen often, but when it happens, all these processes need some stack space at the very same time. If no more stack space is available the system will simply hang... And as you might expect, these random events are hard to reproduce... Although it is recommended to supply plenty of stack space in a program, many programmers keep the stack very small to save memory, especially if the program is intended to remain resident in memory. Of course resi- dent programs can set up their own temporary stack as soon as they are activated, but before they are able to do that they need to use some of the foreground stack space, and the resident stack is often also very small for obvious reasons. If you have a lot of resident software and/or background software the stack might be too small in some cases. To avoid these problems DOS is able to maintain a stack pool and it switches to a dedicated stack if a hardware interruptoccurs. The "Stacks" statement in the Config.Sys can be used to control this stack pool. The DOS stack switching however, has some drawbacks and this is one of the reasons why StackMan has been developed. StackMan offers the same functionality as the DOS "Stacks" command, but in addition to this: If you use DOS 5 or higher, StackMan can be loaded high and/or into the HMA. DOS instead always maintains the stack pool in conventional memory. When using StackMan you free up about 1.5Kb of memory. The parameters of StackMan are more flexible. You can define just one stack frame if it is sufficient. The minimum of DOS is 8. StackMan can be loaded AFTER your TSR's become resident. This causes the TSR's to use the stackspace provided by StackMan. The DOS stacks pool however is only available for the DOS and BIOS code. TSR's still use the foreground program's stack, and if this causes problems the DOS stacks command will not solve this. III - 57 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III The DOS stacks command offers the user a type of roulette: the only way to find the correct values is by trial and error. StackMan can print a report and it is easy to find out the stack requirements of your system configuration. It is easy to fine-tune the StackMan parameters to suit your system configuration perfectly. Sometimes DOS stacks seem to disappear. Although this can be considered as a bug from one of the TSR's or foreground programs it is hard to deal with the resulting DOS message "Stack overflow. System halted". This never happens immediately but a short while after the offending program corrupted a stack. StackMan however recognizes this situation and it will automatically recover the lost stack without interrupting the program. Although StackMan can be used to replace the DOS stacks command it has additional features: In some cases the total stack requirements of all resident int 21h handlers may exceed the available stack space, especially when using a program that maintains a tiny stack (like some popular swap utilities). Although these programs may perform well at the machine of the develo- per, many other users may experience problems. StackMan can be used to force a normal stack space for DOS at all times. To be safe TSR's should maintain their own stack, but that means that the TSR program would occupy some extra memory to hold the stack. Because a dedicated stack is only necessary on a few systems, this would normally be a waste of your precious memory. StackMan has been designed to handle stack requests of TSR programs to solve this problem. Many TSR programs can share a few of the stacks provided by StackMan. The stack is available when the TSR activates, and gone as soon as the TSR resumes system control. It just saves memory... How to use StackMan Before using StackMan it is recommended to put the statement "Stacks=0,0" into the Config.Sys file. Using any other (or the default values) just causes DOS to waste memory. The syntax of StackMan is: StackMan [[=] <num of stacks),<stack size>] [<options...>] The best location to load StackMan is at the end of your Autoexec.Bat file. This way resident software will use the stacks provided by Stack- Man automatically. You can highload StackMan if you want to. As a first test it is recommended to use large values like: StackMan = 18,384 III - 58 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III Now use the system as you do normally and test if some of the problems are solved. Invoke all TSR's you have and try also to activate multiple TSR's at the same time. Use your modem, mouse, etc. It is not necessary to execute large programs since they have their own stack and they will not affect the results of StackMan. Now execute StackMan again. You should see a message like this: StackMan already installed, with 18 stacks of 384 bytes.Maximum stacks/space ever used: 6 stacks of 112 bytes. You now can reduce the parameter values of StackMan. It is highly recommended to maintain some extra overhead. "Special events" are very hard to reproduce. Reliable values for this example are: "StackMan = 8,192". If the first value of the StackMan report is below or equal to 3 and the second does not exceed 48 you can use your system without StackMan. In other cases unlikely events are able to crash the machine and you should use StackMan to avoid random problems. It is recommended to check the output of StackMan once in a while to fine-tune the system and anticipate on increasing stack requirements of your configuration. If still some of the problems occur you can test if the -dos parameter solves it. Specify this on the command line after a reboot: StackMan = 18,384 -dos -noirq The report of StackMan should now be treated differently: the first value will always show the maximum stacks amount available, only the stackspace used is reliable. If this value exceeds 48 you should consi- der the use of the -dos option of StackMan. If the first test shows that you have to use StackMan anyway you should remove the -noirq option. If only DOS needs StackMan you can keep this parameter. If you use the -dos option you should allocate two extra stack frames in addition to the values achieved by the first test. Command line options It is possible to specify options on the command line. -help This option shows a little help screen. III - 59 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION III -dos This option causes StackMan to force a fresh stack before entering DOS. This may solve some problems, especially if they occur at program startup or termination or in combination with swapping shell programs. -noirq If you specify this option StackMan will not switch the stack after an interrupt occurs. The only functionality left in this case is the -dos option and the stack sharing of StackMan-supporting TSR programs. -hma This option can only be specified if you are using DOS 5+ when DOS is loaded into the HMA (with the dos=high statement). You cannot use this option in combination with the -dos option. The -hma option causes StackMan to keep the stacks in the HMA space left by DOS. Although this saves memory you should test very thoroughly if your system allows the use of the HMA by StackMan. III - 60 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV SECTION IV. ADVANCED USER INFORMATION 1. Memory requirements Free memory needed: min. min. to be after loaded: termination: TbScan 200 Kb TbScanX 10 Kb 800 bytes TbCheck 4 Kb 600 bytes TbUtil 64 Kb TbClean 96 Kb TbMem 4 Kb 600 bytes TbFile 5 Kb 2 Kb TbDisk 4 Kb 800 bytes TbDriver 5 Kb 3 Kb TbGarble 4 Kb 600 bytes If you decide to use a log file TbScan will need an additional 16 Kb of memory for the log file buffer. If TbScan uses its own built-in file system it uses additional memory to keep the FAT in memory. => Note that the memory requirements are independent of the number of signatures. The current memory requirements are adequate to manage at least 2500 signatures. The amount of memory TbScanX requires depends on the number of signatu- res. With all features enabled TbScanX uses 30 Kb of memory when scan- ning for 1000 family signatures. If you enable swapping TbScanX normally uses only 1Kb of memory. You can swap to EMS and XMS memory. Of course the remaining kilobyte of TbScanX can be loaded in upper memory. In the heuristic cleaning mode TbClean needs much more memory, depending on the size of the infected file. TbClean can also use expanded memory (EMS). Reducing memory requirements Most PC users try to maintain as much free DOS memory as possible. The memory resident TBAV utilities (TbScanX, TbCheck, TbMem, TbFile, TbDisk and TbDriver) are designed to use only a little amount of DOS memory. To decrease the memory requirements of these utilities even further do the following: IV - 1 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV Load the program from within the Config.Sys file. If loaded as a device driver it has no Program Segment Prefix (PSP), which saves 256 bytes for each TBAV utility. If you load the TBAV utilities from within the Autoexec.Bat file, load them before establishing environment variables. DOS maintains a list of environment variables for every resident program, so keep this list small while installing TSRs. Once all TSRs are installed you can define all environment variables without affecting the memory requirements of the TSRs. Use swapping. By using one of the options 'ems' or 'xms' TbScanX swaps itself to non- DOS memory, leaving only 1 Kb of code in DOS memory. Swapping to expan- ded memory ('ems') is preferred. If you have DOS 5 or higher try to load the program into an upper memory block using the "loadhigh" or "devicehigh" commands. It is recommended to enable swapping also to limit the usage of upper memory. Use one of the processor specific versions of the relevant TBAV utility. They all consume less memory than the generic versions. Processor optimized versions are available on any ThunderBYTE support BBS. IV - 2 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV 2. TbSetup 2.1. Anti-Vir.Dat design considerations ThunderBYTE Anti-Virus expects every directory on your system with executable files to have its own Anti-Vir.Dat file. Some other anti- virus products maintain a somewhat similar 'fingerprint' list of all executable files, but in one large file rather than a separate file in every directory. TBAV contains a separate file in every directory instead of one file with all file information because of the following: One file in every directory will ease maintenance. If you want to remove a complete product, the accompanying Anti-Vir.Dat file can be removed as well. It will consume less disk space because path information need not to be stored in the information file. The TBAV utilities will perform faster because they do not have to search through a huge file to locate the information of one specific file. Installation is easier and more reliable in network environments. On networks it is not unusual that the same files have different drive ID's on different workstations. In case of only one information file the drive-ID's should be stored as well, so every workstation should main- tain its own list. The supervisor would easily lose control in this situation. 2.2. Format of TbSetup.Dat Editing the TbSetup.Dat file is useful to TBAV site installation (see IV-8). Therefore, some information on the format of this file is neces- sary. The format of the TbSetup.Dat file is very simple. Empty lines, or lines starting with a semi-colon (';') or percent symbol, are either ignored or treated as comment lines. The lines with a preceding percent symbol are also displayed in TbSetup's upper window. Every entry in the TbSetup.Dat file has four items: The filename. The filename must be written in capital letters and without spaces. The length of the file in hexadecimal notation. This field may contain a single asterisk ('*') if an exact filelength match is not required. The file's 32-bit CRC in hexadecimal notation. A single asterisk is allowed if an exact checksum match is not required. IV - 3 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV The hexadecimal number representing flags that should be set when the listed file is found on the system. The rest of the line may be used for a brief comment. You may use the following flags: bit 0 (0001) Do not perform heuristic analysis bit 1: (0002) Ignore CRC changes (self-modifying file) bit 2: (0004) Scan for all signatures (lan remote boot file) bit 3: (0008) Do not change read-only attribute of this file bit 4: (0010) The program stays resident in memory bit 5: (0020) The program performs direct disk access bit 6: (0040) Program is allowed to remove read-only attributes bit 15:(8000) Interrupt rehook required for TbDriver.Exe This is what the entries in TbSetup.Dat look like: ; filename Length 32-bit CRC Flags Comment ; Files that trigger the heuristic alarm of TbScan: 4DOS.COM 19FEA * 0001 ;4Dos 4.0a AFD.COM 0FEFE 4B351A86 0001 ;AFD debugger ARGV0FIX.COM 001D8 431E70C0 0001 ;Argv[0]fix EXE2COM.EXE 00BEA 49276F89 0001 ;Exe to Com conv. utility KILL.EXE 00632 74D41811 0001 ;PcTools 6.0 utility WATCH.COM 003E1 2353625D 0001 ;TSR monitoring utility ; Files that need to be scanned completely, for ALL viruses: NET$DOS.SYS * * 0004 ;Disk image Novell boot ; Files without fixed checksum due to internal config area's: Q.EXE * * 000A ;Qedit (all versions) TBCONFIG.COM * * 000A ;all versions Defining new entries If you have any files that should be included in the list, please let us know! We would like to receive a copy to enhance our products and keep TbSetup.Dat up to date. Candidates for inclusion would be any program that triggers the heuristic analysis of TbScan. Whenever you choose 'V)alidate program' in the TbScan message window, you will find that on subsequent occasions TbSetup displays the value '0001' in the flags field. If your company has many files like this installed on multiple machines, you may want to include these files in the TbSetup.Dat file yourself. In order to do that execute TbSetup for the file in question and make a note of its filelength and 32-bit CRC, as displayed on the screen. Then edit the TbSetup.Dat file entering the exact filename, the file length and the CRC number, plus the number of any flags you wish to IV - 4 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV set for that file. If you now use TbSetup on another machine it will set the appropriate flags automatically. => Note:You may manually set or clear a flag field value when executing TbSetup at the DOS prompt with option 'set' and 'reset' as follows: TBSETUP TEST.EXE SET=0001 2.3. TBAV site installation If you have to install the TBAV utilities on a lot of machines in one company, it would be tedious to invoke for instance every single TSR and disk utility on each machine in order to 'teach' TBAV which programs are valid and which are not. Fortunately, this is not necessary. In the present section, three examples are presented on how to simplify instal- lation on several machines. 1. If a resident utility named, for instance, TSRUTIL.EXE is used throughout the company, you can predefine permission by using TbSetup to determine the length and CRC of the program. Now put the name of this program along with the other information in the file TbSetup.Dat and assign the value '0010' to it. Example: TSRUTIL.EXE 01286 E387AB21 0010 ;Our TSR utility 2. If a disk utility named, for instance, DISKUTIL.EXE is used throug- hout the company, you can predefine permission by using TbSetup to determine the length and CRC of the program. Now put the name of this program along with the other information in the file TbSetup. dat and assign the value '0020' to it. Example: DISKUTIL.EXE 01286 E387AB21 0020 ;Our DISK utility If you now execute TbSetup on every machine (you have to do this anyway) it will recognize this utility and it will set the disk access permissi- on flag for TbMem / TbDisk automatically. 3. If a utility named, for instance, UTIL.EXE is used throughout the company which causes TbScan to give false positives, you can predefine TbSetup to avoid heuristic scanning of the relevant program. Put the name of this program along with the other informa- tion in the file TbSetup.Dat and assign the value '0001' to it. IV - 5 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV Example: UTIL.EXE 01286 E387AB21 0001 ;Our utility If you now execute TbSetup on every machine (you have to do this anyway) it will recognize this utility and TbScan will not perform heuristic scanning. Also consult the TbSetup.Dat file. IV - 6 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV 3. TbScan 3.1. Heuristic scanning TbScan is not just a signature scanner. It also disassembles the file being processed, for the following purposes: 1) By disassembling the file the scanner can restrict itself to the area of the file where the virus might reside, reducing false alarms and speeding up the process. 2) It makes it possible to use the algorithmic detection method on encrypted viruses whose signatures would otherwise remain invisible to the scanner. 3) And it makes it possible to detect suspicious instruction sequen- ces. The detection of suspicious instruction sequences is named 'heuristic scanning'. It is a very powerful feature that enables you to detect new or modified viruses and to verify the results of the signature scan. You no longer have to rely on the scanner's publisher having the same virus as you might have. In normal cases a scanner can only find a virus if the scanner's publisher did have a sample of that virus, in order to make a suitable signature. With heuristic scanning a signature is no longer required, enabling the scanner to detect yet unknown viruses. You should not underestimate the importance of heuristic scanning, since every month at least 50 new viruses are reported. It is very unlikely that a publisher is the first one to get these new viruses... Heuristic level 1 Heuristic level 2 ------------------------------------------------------------ Always enabled Only with option 'heuris tic' or after a virus has been found. Detects 50% of the unknown viruses. Detects 90% of the viruses Almost never causes false alarms. Causes a few false alarms. Displays 'Probably infected' Displays 'Might be infec ted' TEST.EXE <scanning...> OK (no flags) TEST.EXE <scanning...> R OK (nothing serious) TEST.EXE <scanning...> FRM might be infected by unknown virus TEST.EXE <scanning...> FRALM# probably infected by unknown virus How does heuristic scanning actually work? Every program contains instructions for the PC's processor. By looking into the file's contents and by interpreting the instructions TbScan is able to detect the purpose of these instructions. If the purpose seems to be to format a disk, or to infect a file, TbScan issues a warning. There are a lot of IV - 7 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV instruction sequences which are very common for viruses, but very uncommon for normal programs. Every suspicious instruction sequence is assigned to a character: a heuristic flag. Every heuristic flag denotes a score. If the total score exceeds a predefined limit, TbScan assumes the file contains a virus. There are actually two predefined limits: the first one is quite sensi- tive and can be reached by some normal innocent programs. If this limit is reached, TbScan highlights the heuristic flags that are displayed on the screen and increases the 'suspected items' counter. TbScan does not indicate the existence of a virus, unless you have specified the 'heu- ristic' option. If you do have specified this option, TbScan tells you the file 'Might be infected by an unknown virus'. The second heuristic limit will be triggered by a lot of viruses, but not by normal programs. If this limit is reached TbScan tells you that the file is 'Probably infected by an unknown virus.' => Note: TbScan performs heuristic analysis only nearby the entry-point of a file. Therefore, TbScan does not detect direct writes to disk by some disk utilities nor does TbScan detect some programs as TSR programs. This is just the result of a specific approach to minimize false alarms. In case of a virus, the offending instructions are always nearby the entry-point (except when the virus is over 10Kb in size) so TbScan will detect suspicious phenomenons in these situations anyway. 3.2. Integrity checking TbScan will perform integrity checking while scanning. You have to use TbSetup to generate the Anti-Vir.Dat files. Once these files exist on your system TbScan will check that every file being scanned matches the information maintained in the Anti-Vir.Dat files. If a virus infects a file, the maintained information will not match anymore with the now changed file, and TbScan will inform you about this. There are no (command line) options to enable this feature: TbScan will perform integrity checking automatically if it detects the Anti-Vir.Dat files. Note that TbScan only reports file changes that could indicate a virus. Internal configuration areas of program files may also change, but TbScan does normally not report this. However, if a file gets infected with any virus -known or unknown - the vital information will change and TbScan will indeed report it to you! It is however possible that the checked file changes itself or changes frequently due to another cause. In this case you might want to exclude the program from integrity checking to avoid future false alarms. TbScan will offer you an additional menu option: 'V)alidate program'. For more information about this menu option consult 'Program validation' (page 6 of this section). IV - 8 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV 3.3. Program validation This chapter only applies if you use TbSetup to generate the Anti- Vir.Dat records. Without these records program validation is not an option. TbScan will perform as intended on most programs. There are some pro- grams, however, that require special attention in order to avoid false alarms. Most of these programs are recognized automatically by the TbSetup program. Nevertheless it is certainly possible your PC contains some program files which trigger the heuristic alarm of TbScan and/or programs files which change frequently. If an 'infection' has been found with the heuristic analysis or integri- ty checking only and if there is an Anti-Vir.Dat record available, TbScan offers an additional option in its virus-alert window: 'V)alidate program' If you are convinced that the indicated program does not contain a virus, you can press 'V' to set a flag in the program's record. This makes it possible to avoid future false alarms. There are two validation modes. If TbScan alarms you due to a file change, the validation applies to future file changes only. If the alarm is due to heuristic analysis, the validation only applies to heuristic results. If the file is excluded from heuristic analysis the file will still be checksummed. If the file is excluded from integrity checking TbScan will still perform heuristic analysis on the file. => Note: if you replaced a file (software upgrade) and you did not use TbSetup, TbScan will pop-up its virus alert window to inform you about the file change. Do not select the validation option in this case, because this would exclude the file for future integrity checking. You should abort TbScan and execute TbSetup on the changed file(s) instead. 3.4. The algorithms When TbScan processes a file it will display either 'Looking', 'Chec- king', 'Tracing', 'Scanning' or 'Skipping'. Looking With 'Looking' TbScan indicates it has successfully located the entry point of the program in one step. The program code has been identified so TbScan knows where to search without the need of additional analysis. 'Looking' will be used on most known software. IV - 9 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV Checking 'Checking' indicates TbScan has successfully located the entry point of the program, and is scanning a frame of about 4Kb around the entry point. If the file is infected, the virus' signature will be located in this area. 'Checking' is a very fast and reliable scan algorithm. Checking will be used on most unknown software. Tracing 'Tracing' means that TbScan has successfully traced a chain of jumps or calls while locating the entry-point of the program, and is scanning a frame of about 4Kb around this location. If the file has been infected, the signature of the virus will be located in this area. 'Tracing' is a fast and reliable scan algorithm. Tracing will be primarily used for TSR-type COM files or Turbo Pascal-compiled programs. Most viruses will force TbScan to use 'Tracing'. Scanning TbScan is scanning the entire file (except for the exe-header which cannot contain any viral code). This algorithm will be used if 'Look- ing', 'Checking' or 'Tracing' can't be used safely. This is the case when the entry-point of the program contains other jumps and calls to code located outside the scanning frame, or when the heuristic analyzer found something that should be investigated more thoroughly. 'Scanning' is a slow algorithm. Since it processes almost the entire file, inclu- ding data areas, false alarms are more likely to occur. The 'Scanning' algorithm will be used while scanning bootsectors, SYS and BIN files. Skipping 'Skipping' will occur with SYS and OVL files only. It simply means that the file will not be scanned. As there are many SYS files containing no code at all (like CONFIG.SYS), it makes absolutely no sense to scan these files for viruses. The same applies to .OV? files. Many overlay files do not deserve to be called as such as they lack an exe-header. Such files cannot be invoked through DOS, which makes them just as invulnerable to direct virus attacks as .TXT files are. If a virus is reported to have infected an .OV? file, it involved one of the relative- ly few overlay files which do contain an exe-header. In that case the infection was the result of the virus monitoring the DOS exec-call (function 4Bh) and infecting any program being invoked that way, inclu- ding 'real' overlay files. 3.5. The TbScan.Lng file The TbScan.Lng file contains all texts being displayed by TbScan. You can translate or customize the messages with any ASCII editor. IV - 10 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV The messages are separated by the dollar sign ($). The first message displays our address and registration info. You can edit this message as you please, for instance adding your company logo. You may add color codes to the TbScan.Lng file. A color code is precee- ded by the character '|'. The following color codes are available: (all numbers are in hex). Color Foreground Highlight Background Black 00 08 00 Blue 01 09 10 Green 02 0A 20 Cyan 03 0B 30 Red 04 0C 40 Magenta 05 0D 50 Yellow/Brown06 0E 60 White/gray 07 0F 70 Example: To make a highligted green character on a red background the color code would be 0A+40=4A.To make the character blink add 80h to the result. IV - 11 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV 4. TbClean In order to understand the way a cleaning program operates, try to imagine how a virus usually goes about infecting a program. The basic principle is not difficult. A virus - just another program really - adds itself to the end of the program it is going to infect. The additional viral code, naturally, increases the size of the program. But simply appending a viral program to another program is not enough, to do any real harm - the viral code has to be executed first. So, the virus grabs the first few bytes at the start of the program, and replaces them with a 'jump' instruction to its own viral code. That way the virus is able to take control as soon as the program is started. Chances are you will never even notice the momentary delay while the extra code is executed, doing whatever the virus has been programmed to do. The virus then restores the original instructions and restarts the program (jump to the start). Your program, more often than not, works as usual - and it goes without saying that any virus worth its salt will make sure it isn't going to draw undue attention too soon! So, in order to purge a program, we must first restore the starting instruction bytes, which the virus replaced with the jump to its own code. The virus is going to need these bytes again later on, so they will be stored somewhere in the viral code. The cleaner starts out to find those bytes, puts them back in their old place, and truncates the file to the original size. Cleaner programs basically come in two types - the conventional type, for specific types of viruses, and the far more advanced generic clea- ner, offering a much wider scope. Let's take a closer look at both cleaner types and find out where they differ. Conventional cleaners A conventional cleaner has to know which virus to remove. Suppose your system is infected with a Jerusalem/PLO virus. When you start such a conventional cleaner, a procedure much like the following will take place: IV - 12 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV original program infected program +--------------+ +--------------+ | | | | | p | 100: |jump | | r | |to 2487 | | o | | o | | g | | g | | r | | r | | a | | a | | m | | m | | | | | | c | | c | | o | | o | | d | | d | | e | | e | | | | | +--------------+ +--------------+ 2487: | | | VIRUS! p | | r | |jmp 100 | +--------------+ The conventional cleaner: 'Hey, the signature file tells me this file is infected with the Jerusalem/PLO virus. Ok, let's see, this virus tacks on 1783 bytes at the end, and it overwrites the first three bytes of the original program with a jump to itself. The original bytes are located at offset 483 in the viral code. So, I have to take those bytes, copy them to the beginning of the file, and I have to remove 1873 bytes of the file. That's it!' There are several pitfalls to worry about in a scenario like this. Obviously, the cleaner has to be given some means to recognize the virus it is supposed to remove. A conventional cleaner cannot cope with a virus unless it knows what to look for. It is even more important to establish the fact that the virus is exactly the same one that the cleaner knows about after checking the validation data. Imagine what whould happen if the virus used in the example had been modified and is now 1869 bytes in size instead of 1873... The cleaner would remove too much! This is not an exceptional case, certainly not after the unslaught of countless so-called mutant straints. The Jerusalem/PLO family, to name but one example, now has more than 100 mutant members! Generic cleaners A generic cleaner works on the principle that any kind of virus - whether or not it has made the signature 'charts' - is bad news. That's why TbClean works with a completely different disinfection scheme that is effective with almost all viruses - it does not even need to recogni- IV - 13 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV ze them. Actually, TbClean represents two cleaners in one: a 'repair' cleaner and a 'heuristic' cleaner. Repair cleaning Repair cleaning needs an Anti-Vir.Dat file that was generated by TbSetup before the infection occurred. The Anti-Vir.Dat file stores vital information about programs, including their original size, the first few instruction codes and a cryptographic checksum. This information is usually all it takes to disinfect a file, no matter what virus, known or unknown, caused the infection. The cleaner will simply restore the bytes at the beginning of the program, truncate the file to the original size, and verify the result by way of the original checksum. Heuristic cleaning TbClean is the first cleaner in the world that has a heuristic cleaning mode. This mode does not need any information about viruses either, but it has the added advantage that it doesn't even care about the original, uninfected state of a program. This cleaning mode is very effective if your system is infected with an unknown virus and you neglected to let TbSetup generate the Anti-Vir.Dat files in time. In heuristic mode, TbClean loads the infected file and starts emulating the program code. It uses a combination of disassembly, emulation and, sometimes, execution to trace the flow of the viral code, pretending to do more or less exactly what the virus would normally be doing. When the virus gets to the original program's instructions and jumps back to the original program code, TbClean stops the emulation process, with a 'thank you' to the virus for its cooperation in restoring the original bytes. The actual cleaning process involves almost the same three steps as with repair cleaning. First the program startup code is repaired and copied back to the file. Then the viral code, now rendered useless and ineffec- tive, is removed and, for the sake of security, TbClean will do a final analysis of the purged program file. IV - 14 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV 5. TbGensig 5.1 The Purpose of TbGenSig TbGenSig is a signature file compiler. Since TBAV is distributed with an up to date, ready-to-use signature file, you do not really need the signature file compiler. If, however, you want to define your own virus signatures, you will need the TbGensig utility. You can use either published signatures or define your own ones if you are familiar with the structure of software. One way or another, you only need to do this in case of an emergency, like in case of the unfortunate event that your machine or even your company is attacked by a yet unknown, thus not recognized virus. It is recommended to send a few samples of the virus to some virus experts anyway, in order to let scanners recognize the virus in the next upgra- de. Since it is not possible to explain the whole subject of virus hunting in one manual, this document assumes you have enough experience and knowledge to make your own signatures. TbGenSig searches for a file named UserSig.Dat in the current directory. This file should contain the signatures you want to add to the TBAV signature file TbScan.Sig. TbGenSig checks the contents of the User- Sig.Dat file and applies it to the TbScan.Sig file. If you want to delete or modify your signatures, just edit or delete the UserSig.Dat file and execute TbGenSig again. TbGenSig will list all signatures in the TbScan.Sig file on screen while being executed. 5.2 Defining signatures Format of the UserSig.dat text You can create and edit the UserSig.Dat file with every DOS editor which is able to output unformatted text. All lines starting with ';' are comment lines. TbGenSig file ignores these lines. Lines starting with '%' will be displayed in the upper TbGenSig window. In the first line the name of a virus is expected. The second line contains one or more keywords. The third line contains the signature itself. This combination of three lines is called a 'signature record'. IV - 15 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV A signature record should look like this: Test virus exe com inf abcd21436587abcd You may use spaces in the signature for your own convenience. TbGenSig will ignore these spaces. Adding a published signature If you want to add a signature that has been published, you should act as illustrated below. - Edit or create the UserSig.Dat file. Convert the published signatu- re to an acceptable format for TbGenSig. - Use keywords COM EXE BOOT INF You would get: New virus exe com boot inf 1234abcd5678efab - Execute TbGenSig. Defining a Signature with TBScan This section is intended for advanced users who own a TBAV.KEY file. Although the TbScan.Sig file is updated frequently, new viruses are created every day, outpacing the regular upgrading service of this data file. It is therefore possible that one day your system gets infected by a recently created virus that has not yet been listed in the signature file. TbScan will not always detect the virus in such cases, not even with the heuristic analysis. If you are convinced that your system must have been infected without TbScan confirming this, thischapter will supply you with a valuable tool to detect unknown viruses with. This section offers step-by-step assistance in creating an emergency signatu- re that can be (temporarily) added to your copy of TbScan.Sig - Collect some infected files and copy them into a temporary directo- ry. - Boot from a clean write-protected diskette. Do NOT execute ANY program from the infected system, even though you expect this program to be clean. IV - 16 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV - Execute TbScan from your write-protected TbScan diskette with the 'extract' option set. Make sure that the temporary directory where you stored the infected files will be TbScan's target directory. With its 'extract' option set, TbScan will NOT scan the files but, instead, display the first instructions that are found at the entry-point of the infected programs. => Please note that we highly recommend you to simultaneously set the 'log' option of TbScan to generate a log file. - Compare the 'signatures' extracted by TbScan. You should see something like this: NOVIRUS1.COM 2E67BCDEAB129090909090ABCD123490CD NOVIRUS2.COM N/A VIRUS1.COM 1234ABCD5678EFAB909090ABCD123478FF VIRUS2.COM 1234ABCD5678EFAB901234ABCD123478FF VIRUS3.COM 1234ABCD5678EFAB9A5678ABCD123478FF If the 'signatures' are completely different, the files are either probably not infected, or they have been infected by a polymorphic virus that requires an algorithmic detection module to detect it. - There might be some differences in the 'signatures'. You can use the question mark wildcard ('?') in this case. A signature to detect the 'virus' in the example above could be: 1234ABCD5678EFAB ?3 ABCD123478FF The '?3' means that there are three bytes on that position that should be skipped. - Add the signature to the data file UserSig.Dat. Give the virus a name in the first line of its entry. Specify the following key- words: COM, EXE, INF, ATE in the second line. Enter the signature in the third. You would get: New virus exe com ate inf 1234abcd5678efab?3abcd123478ff - Execute TbGenSig. Make sure the resulting TbScan.Sig file is in the TbScan directory. IV - 17 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV - Execute TbScan again in the directory containing the infected files. TbScan should now detect the virus. - Send a couple of infected files to a recommended virus expert, preferably to the ThunderBYTE organisation. Congratulations! You have defined a signature all by yourself! Now you can scan all your machines in search of the new virus. However, keep in mind that this method of extracting a signature is a 'quick-and-dirty' solution to viral problems. The extracted signature might not detect the presence of the virus in all cases. A signature that is guaranteed to detect all instances of the virus can be made only after complete disassembly of the new virus. For these reasons you should NOT distribute your home-made 'signature' to others. The signatu- re eventually assembled by experienced anti-virus researchers will be completely different in most cases! 5.3 Keywords Keywords are used for several purposes. They are classified in catego- ries. Keywords may be separated by spaces, commas or tabs. The maximum line length is 80 characters. At least one of the following flags should be specified: BOOT, COM, EXE, HIGH, LOW, SYS or WIN. Item keywords BOOT Signature can be found in bootsector/partition COM Signature can be found in COM programs. This flag initiates the scanner to search for this signature in executa- ble files that do not have an EXE header or device header. => Note: The file contents determines the file type, not the filename extension! EXE Signature can be found in EXE programs. This flag initiates the scanner to search for this signature in the load module of EXE type files. EXE files are files that have an EXE header. => Note: The file contents determines the file type, not the filename extension! HIGH Signature can be found in HIGH memory (above program).This flag initiates the scanner to search for this signature in memory above the memory allocated by the scanner. IV - 18 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV This keyword is intended for resident viruses that allocate memory at system boot, or viruses that decrease the size of the last MCB (Memory Control Block). => Note: The flag HIGH does not mean that the signature should be searched in UPPER memory. LOW Signature can be found in LOW memory. This flag initiates the scanner to search for this signature in memory below the PSP (Program Segment Prefix) of the scanner and in the UMB (Upper Memory Blocks). This keyword is intended for viruses that remain resident in memory, using the normal DOS TSR (Terminate and Stay Resident) function calls. SYS Signature can be found in SYS programs. WIN Signature can be found in Windows programs. Message keywords DAM Message prefix: 'damaged by'. DROP Message prefix: 'dropper of'. FND Message prefix: 'found the'. INF Message prefix: 'infected by' Message suffix: 'virus' JOKE Message prefix: 'joke named'. OVW Message prefix: 'overwritten by'. PROB Mess. pre-prefix:'probably'. TROJ Message prefix: 'trojanized by'. Position keywords UATE Signature should be found at unresolved entry-point. Purpose: The signature starts directly at the unresolved entry-point of the viral code. With some polymorphic viruses, it may be possible to create a signature from the degarbling routine, although it may either be too short or give false positives with a global search. An initial branch instruction may be part of the signature. COM type files: top of file (IP 0100h). EXE type files: CS:IP as defined in the EXE-header. WIN type files: Non-DOS CS:IP of the new EXE-header. IV - 19 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV Remarks: The keyword UATE is not allowed for BOOT, SYS, LOW, HMA or HIGH type signatures. ATE Signature should be found AT ENTRY point. Purpose: The signature starts directly at the entry-point of the viral code. With some polymorphic viruses, it may be possible to create a signature from the degarbling routine, although it may either be too short or give false positives with a global search. Therefore the keyword ATE is used to make sure that the scanners do not scan the entire file for the signature, but only look at the entry-point for the signature. The entry-point of a virus is defined by the first byte that is not equal to either a JUMP SHORT, JUMP LONG or a CALL NEAR. Unresolved entry point:1JUMP LONG 3 2 ... 3 JUMP SHORT 5 4 ... 5 CALL FAR 7 6 ... 7 CALL NEAR 9 8 ... Resolved entry point:9 POP <reg> The entry-point of the above fragment is Line 9 as this is the first code to be executed which is not a JUMP SHORT, JUMP LONG or CALL NEAR or CALL FAR. Remarks: 1) The entry-point can be determined by a code analyzer to cope with tricks like coding a NOP or DEC just before the branch instruction. Therefore the results of the scanner should be tested carefully. In case of trouble use the TbScan 'extract' option to find out what TbScan considers to be the entry point of the program. 2) The flag ATE is not allowed for BOOT, SYS, LOW, HMA or HIGH type signatures. XHD Signature can be found at offset 2 of the EXE header. Purpose: This position keyword is rarely used. It should only be used to detect the also very rare high-level language viruses; viruses written in a language like C or Basic. These viruses normally contain standard setup routines and library routines which are not suitable to define a signa- IV - 20 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV ture. The XHD keyword can be used as a last resort to detect such viruses. Remarks: This flag may only be used for EXE or WIN type signatures. 5.4 Wildcards In a virus signature, wildcards characters may be used to recognize so called polymorphic (self- modifying/mutating) virus code. Below a description is presented of the wildcard notation. All numbers are in hexadecimal. Position Wildcards Position wildcards affect the position where the parts of the signature will be matched. Skip ?n = Skip n amount of bytes and continue. ?@nn = Skip nn amount of bytes and continue. nn should not exceed 7F. Variable *n = Skip up to n bytes. *@nn = Skip up to nn bytes and continue. nn should not exceed 1F. Opcode wildcards The 'opcode' wildcards are shaped to detect instruction ranges: Low opcode nL = One of the values in the range n0-n7. High opcode nH = One of the values in the range n8-nF. Intended use of the opcode wildcards: Suppose a polymorphic virus puts a value in a word register (using a MOV WREG,VALUE instruction), and increments a register (using an INC WREG instruction, and pops a word register from the stack (using a POP instruction). Both the registers and the value are variable. You could code it like this: bh4l5h IV - 21 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV B8-BF are the opcodes for 'MOV WREG,VALUE', 40-47 are the opcodes for 'INC WREG', and 58-5F are the opcodes for 'POP REG'. Example To show the power of the use of the appropriate keywords and wildcards here is the signature of the Haifa.Mozkin virus. This virus is highly polymorphic and encrypted. It contains a small variable decryptor to decrypt the virus. There are two problems here: most bytes are encrypted or variable, thus not suitable to be part of a signature, and the remainder is short and would cause dozens of false alarms. However, using the appropriate keywords and wildcards, it is possible to define a reliable signature. The signature below is used by TbScan to detect the Haifa.Mozkin virus. Haifa.Mozkin com exe ate inf bh?2bh?109?2*22e80?24l4h75fl Let's analyze it. The first line describes the name of the virus. The second line tells the scanner to search for this signature in COM and EXE type files. It also tells the scanner that it should report the file as infected if the signature can be matched. The keyword ATE instructs the scanner to match this signature only at the resolved entry-point of the file. The virus starts of course with decrypting itself, so it is guaranteed that the scanner will scan this location. The ATE instruction limits the scope of this signature to just one position in a file, so this will reduce the chances of false alarms significantly. The third line is the signature definition. Let's reverse engineer it: bh?2 This means: a byte in the range B8-BF followed by two variable bytes. B8-BF is a 'MOV WREG,VALUE' instruction. From the register we only know it is a word register, the value is unknown as well. bh?109 This means: another 'MOV WREG,VALUE' instruction. The register is a word register, and from the value we know that it is in the range 0900 to 09FF. ?2*2 This means: skip two to four bytes. This instruction is inser- ted by the virus to make it harder to define a signature. IV - 22 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. SECTION IV 2e80?2 This means: the virus performs an arithmethic byte sized operation with an immediate value (decrypts one byte) with a CS: segment override. The exact operation, the memory location and the value are unknown. 4l This means: a byte in the range 40-47. This is an 'INC WREG' instruction. The virus increments the counter to the next byte to be decrypted. 4h This means: a byte in the range 48-4F. This is a 'DEC WREG' instruction. The virus decrements the iteration count. 75fl Opcode 75 is a JNZ instruction. If the decremented register did not reach zero, the virus jumps back and repeats the operation. How much does it jump? That tells the 'fl' part: somewhere between -16 (F0h) to -8 (F7h) bytes. Although the signature language of TbGenSig is very powerful, there are viruses which are so highly polymorphic that they require even more sophisticated wildcards, keywords or even special detection algorithms. The explanation however of these wildcards, keywords or algorithmic detection definitions is so complicated that it is not suitable to be presented in a user manual. IV - 23 TBAV user manual (C) Copyright 1993 Thunderbyte B.V. APPENDIX A APPENDIX A. TBAV messages The TBAV utilities may display various messages when executed. Most messages will be clear enough, but here is some additional information followed by the name of the appropriate TBAV utility. TbClean Anti-Vir.Dat record The Anti-Vir.Dat record has been found, but found: information mat- the information matches the current state ches the current state of the file. The Anti-Vir.Dat record was of the file. Anti- created after the file got infected, or the Vir.Dat file was created file is not changed at all. TbClean is after the infection. going to emulate the file to clean it heu- Trying emulation... ristically. Anti-Vir.Dat record The Anti-Vir.Dat record that belongs to the found: reconstructing infected file has been found. The informa- original state... tion will be used to reconstruct the file. Anti-Vir.Dat record not The Anti-Vir.Dat file did not exist or did found: original state not contain information of the infected unknown. Trying emulati- program, so the original state of the in- on... fected program is unknown to TbClean. Tb- Clean will switch to its heuristic mode to determine the state of the original file. Note: to prevent a situation like this, make sure to use the TbSetup program to generate the Anti-Vir.Dat records. These records are of great help to TbClean. When the file is already infected it is too late to generate the Anti-Vir.Dat records. Emulation terminate: The emulation process has been terminated <reason> for the reason specified. TbClan will now <reason> can be one of consult the collected information to see if the following: it can disinfect the file. Jump to BIOS code. The virus tried to perform a call or jump directly into BIOS code. This process can not be emulated so it will be aborted. The program can probably not be disinfected. Approached stack crash. The emulated program is approaching a crash. Something went wrong while emulating the program so it will be aborted. The program can probably not be disinfected. TBAV user manual (C) Copyright 1993 Thunderbyte B.V. APPENDIX A Attempt to violate li- TbClean will not disassemble this program cense agreements. for obvious reasons. Encountered keyboard The emulated program tries to read the input request. keyboard. This is very unusual for viruses, so the file is probably not infected at all. Encountered an invalid The emulator encountered an unknown in- instruction. struction. For some reason the emulation failed. The program can probably not be disinfected. DOS program-terminate The emulated program requests DOS to stop request. execution. The program is not infected at all, or infected by an overwriting virus that does not pass control to its host program. The program can not be disinfec- ted. Jumped to original pro- The program jumped back to the start po- gram entry point. sition. It is very likely it is infected. The program can probably be disinfected. Undocumented DOS call This is very common for viruses that add with pointers to reloca- themselves in front of the COM type pro- ted code. gram. The program can probably be disin- fected. Encountered an endless TbClean encountered a situation in which loop. the program is executing the same in- struction sequences over and over again for hundreds of thousands of times. It is unli- kely that the program will ever escape from this loop, so the emulation will be abor- ted. Ctrl-break pressed. The user pressed <Ctrl><Break> so the clean attempt is aborted. Emulation aborted for If this message is shown, please send a unknown reason. copy of the file being emulated to ESaSS BV or one of the support BBSs. Sorry, the collected The heuristic cleaning mode of TbClean is information is not suf- aborted and has not been successful. The ficient to clean file... only option left is to restore the file from a backup or to re-install the program. Collected enough infor- The emulation of the virus provided TbClean mation to attempt a re- with all information to disinfect the file. liable clean opera- tion... TBAV user manual (C) Copyright 1993 Thunderbyte B.V. APPENDIX A Some DOS error occured. Some DOS error occured while trying to TbClean aborted! clean the file. Check that no files are read-only or located on a write protected disk, and make sure there is a reasonable amount of free disk space. The clean attempt seems It seems that TbClean removed the virus to be successful. Test from the file. No doubt about the virus: it the file carefully! is gone. However, take care and test the file carefully to see if it works as expec- ted. Reconstruction failed. TbClean tried to reconstruct the original Program might be over- file with the help of the Anti-Vir.Dat written. Trying emulati- record. However, the attempt failed. Tb- on... Clean is going to emulate the file to try to clean it heuristically. Reconstruction succes- The file has been reconstructed to its sfully completed. original state with help of the information of the Anti-Vir.Dat record. The CRC (check- sum) of the original file and the cleaned file are completely equal, so the cleaned file is almost certain equal to the origi- nal file. Staring clean attempt. TbClean is analyzing the infected file and Analyzing infected fi- tries to locate the Anti-Vir.Dat record. le... TbDriver Another version of Tb- You started a TbDriver.Exe with another Driver is already resi- version number or processor type than the dent! TbDriver already in memory. Cannot remove TbDriver. You tried to remove TbDriver from memory, Unload other TSRs first! but other resident software as loaded after TbDriver. Resident software can only be removed from memory by unloading them in reversed order. LAN support was already You tried to use the option 'net' for a installed. second time, or TbDriver already enabled network support automatically. TbDriver not active. The resident TBAV utilities need TbDriver, Load TbDriver first! so you have to load TbDriver first. TbDriver is not <versi- The version of TbDriver found in memory on>. does not match the version number of this resident TBAV utility. Make sure you do not mix version numbers! TBAV user manual (C) Copyright 1993 Thunderbyte B.V. APPENDIX A This version of TbDriver You are using a processor optimized version requires a <typeID> pro- of TbDriver which can not be executed by cessor. the current processor. TbScan Cannot create logfile. The specified log file path is illegal, the disk is full or write protected, or the file already exists and cannot be overwrit- ten. [Cannot read datafile] TbScan needs access to its data file to be able to tell you the name of the virus. If it cannot access the data file it displays this message instead of the virus. Command line error. An invalid or illegal commandline option has been specified. No matching executable The specified path does not exist, is emp- files found. ty, or is not an executable file. Sanity check failed! TbScan detected that its internal checksum does not match anymore. TbScan is possibly contaminated by a virus. Obtain a clean copy of TbScan, copy the program on a write protected diskette, boot from that diskette and try again! TbScanX Data file not found. TbScanX has not been able to locate the data file. Not enough memory. There is not enough free memory to process the data file. Try to enable swapping, or if you are already doing so, try another swapping mode. See also section IV, chapter "Memory requirements". TBAV user manual (C) Copyright 1993 Thunderbyte B.V. APPENDIX B APPENDIX B. TbScan - Heuristic flag descriptions # - Decryptor code found The file possibly contains a self-decryption routine. Some copy-protec- ted software is encrypted so this warning may appear for some of your files. If, however, this warning appears in combination with, for example, the 'T' warning, there could be a virus involved and TbScan assumes the file is contaminated! Many viruses encrypt themselves and cause this warning to be displayed. ! - Invalid program. Invalid opcode (non-8088 instructions) or out-of-range branch. The program has either an entry point that has been located outside the body of the file, or reveals a chain of 'jumps' that can be traced to a location outside the program file. Another possibility is that the program contains invalid processor instructions. The program being checked is probably damaged, and cannot be executed in most cases. Anyway, TbScan does not take any risk and uses the 'scan' method to scan the file. ? - Inconsistent header. The program being processed has an exe-header that does not reflect the actual program lay-out. The DOS SORT.EXE program will cause this warning to be displayed, because the actual size of the program file is less than reported in the 'size-of-load module' field in the exe-header! Many viruses do not update the exe-header of an EXE file correctly after they have infected the file, so if this warning pops up frequently, it seems you have a problem. You should ignore this warning for the DOS SORT.EXE program. (Hopefully MicroSoft will correct the problem before the next release of DOS). c - No integrity check This warning indicates that no checksum/recovery information has been found about the indicated file. It is highly recommended to use TbSetup in this case to store information of the mentioned file. This info can be used later on for integrity checking and to recover from virus infections. h - Hidden or System file. The file has the 'Hidden' or the 'System' file attribute set. This means that the file is not visible in a DOS directory display but TbScan will scan it anyway. If you don't know the origin and/or purpose of this file, you might be dealing with a 'Trojan Horse' or a 'joke' virus program. Copy such a file onto a diskette; then remove it from it's program environment and check if the program concerned is missing the file. If a program does not miss it, you will have freed some disk space, and maybe you have saved your system from a future disaster in the process. i - Internal overlay. The program being processed has additional data or code behind the load- module as specified in the exe-header of the file. The program might TBAV user manual (C) Copyright 1993 Thunderbyte B.V. APPENDIX B have internal overlay(s), or configuration or debug information appended behind the load-module of the EXE file. p - Packed or compressed file. The program has been packed or compressed. There are some utilities that are able to compress a program file, like EXEPACK or PKLITE. If the file was infected after the file had been compressed, TbScan will be able to detect the virus. However, if the file had already been infected before it was compressed, the virus has also been compressed in the process, and a virus scanner might not be able to recognize the virus anymore. Fortunately, this does not happen very often, but you should beware! A new program might look clean, but can turn out to be the carrier of a compressed virus. Other files in your system will then be infected too, and it is these infections that will be clearly visible to virus scan- ners. w - Windows or OS/2 header. The program can be or is intended to be used in a Windows (or OS/2) environment. As yet TbScan does not offer a specialized scanning method for these files. Of course that will change as soon as Windows- or OS/2- specific viruses start occurring. A - Suspicious Memory Allocation The program uses a non-standard way to search for, and/or to allocate memory. A lot of viruses try to hide themselves in memory so they use a non-standard way to allocate this memory. Some programs (high-loaders or diagnostic software) also use non-standard ways to search or allocate memory. B - Back to entry. The program seems to execute some code, and after that it jumps back to the entry-point of the program. Normally this would result in an endless loop, except when the program has also modified some of its instructi- ons. This is quite common behaviour for computer viruses. In combination with any other flag TbScan will report a virus. C - File has been changed This warning can only appear if you used TbSetup to generate the Anti- Vir.Dat files. If this warning appears this means that the file has been changed. If you did not upgrade the software it is very likely that a virus infected the file! Note that TbScan does not display this warning if only some internal configuration area of the file changes. This warning means that code at the program entry point, the entry-point itself and/or the file size have been changed. D - Direct disk access This flag is displayed if the program being processed has instructions near the entry-point to write to a disk directly. It is quite normal that some disk-related utilities cause this flag to be displayed. As usual, if many of your files (which have no business writing directly to the disk) cause this flag to be displayed, your system might be infected by an unknown virus. => Note that a program that accesses the disk directly does not always have to be marked by the 'D' flag. Only when the direct disk instructions are TBAV user manual (C) Copyright 1993 Thunderbyte B.V. APPENDIX B near the program entry point it will be reported by TbScan. If a virus is involved the harmful instructions are always near the entry point, which is the place where TbScan looks for them. E - Flexible Entry-point The program starts with a routine that determines its own location within the program file. This is rather suspicious because sound pro- grams have a fixed entry-point so they do not have to determine this location. For viruses however this is quite common: about 50% of the known viruses cause this flag to be displayed. F - Suspicious file access TbScan has found instruction sequences common to infection schemes used by viruses. This flag will appear with those programs that are able to create or modify existing files. G - Garbage instructions. The program contains code that seems to have no purpose other than encryption or avoiding recognition by virus scanners. In most cases there will not be any other flags since the file is encrypted and the instructions are hidden. In a few cases this flag will appear for 'normal' files. These files however are badly designed, which is the reason the 'garbage' flag appears. J - Suspicious jump construct. The program did not start at the program entry point. The code has jumped at least two times before reaching the final start-up code, or the program jumped using an indirect operand. Sound programs should not display this kind of strange behaviour. If many files cause this warning to be displayed, you should investigate your system thoroughly. K - Unusual stack. The EXE file being processed has an odd (instead of even) stack offset or a suspicious stack segment. Many viruses are quite 'buggy' by setting up an illegal stack value. L - program Load trap The program might trap the execution of other software. If the file also causes flag M (memory resident code) to be displayed, it is very likely that the file is a resident program that determines when another program is executed. A lot of viruses trap the program load and use it to infect the program. Some anti-virus utilities also trap the program load. M - Memory resident code. TbScan has found instruction sequences which could cause the program to hook into important interrupts. A lot of TSR (Terminate and Stay Resi- dent) programs will trigger this flag, because hooking into interrupts is part of their usual behaviour. If, however, a lot of non-TSR programs cause this warning flag to appear, you should be suspicious. It is likely that your files have been infected by a virus that remains resident in memory. Note that this warning does not appear with all true TSR programs. Nor can TSR detection in non-TSR programs always be relied upon. TBAV user manual (C) Copyright 1993 Thunderbyte B.V. APPENDIX B N - Wrong name extension Name conflict. The program carries the extension .EXE but appears to be an ordinary .COM file, or it has the extension .COM but the internal layout of an .EXE file. A wrong name extension might in some cases indicate a virus, but in most cases it does not. O - code Overwrite. This flag will be displayed if TbScan detects that the program overwri- tes some of its own instructions. However, it does not seem to have a complete (de)cryptor routine. R - Suspicious relocator Flag 'R' refers to a suspicious relocator. A relocator is a sequence of instructions that changes the proportion of CS:IP. It is often used by viruses. Those viruses have to relocate the CS:IP proportion because they have been compiled for a specific location in the executable file; a virus that infects another program can hardly ever use its original location in the file as it is appended to this file. Sound pro- grams'know' their location in the executable file, so they don't have to relocate themselves. On systems that operate normally only a small percentage of the programs should therefore cause this flag to be displayed. S - Search for executables The program searches for *.COM or *.EXE files. This by itself does not indicate a virus, but it is an ingredient of most viruses anyway (they have to search for suitable files to spread themselves). If accompanied by other flags, TbScan will assume the file is infected by a virus. T - Invalid timestamp. The timestamp of the program is invalid: e.g. the number of seconds in the timestamp is illegal, or the date is illegal or later than the year 2000. This is suspicious because many viruses set the timestamp to an illegal value (like 62 seconds) to mark that they already infected the file, preventing themselves from infecting a file for a second time around. It is possible that the program being checked is contaminated with a virus that is still unknown, especially if many files on your system have an invalid timestamp. If only a very few programs have an invalid timestamp you'd better correct it and scan frequently to check that the timestamp of the files remains valid. U - Undocumented system call. The program uses unknown DOS calls or interrupts. These unknown calls can be issued to invoke undocumented DOS features, or to communicate with an unknown driver in memory. Since a lot of viruses use undocumen- ted DOS features, or communicate with memory resident parts of a previ- ously loaded instance of the virus, it is suspicious if a program performs unknown or undocumented communications. Nevertheless, it does not necessarily indicate a virus, since some 'tricky' programs use undocumented features also. TBAV user manual (C) Copyright 1993 Thunderbyte B.V. APPENDIX B V - Validated program The program has been validated to avoid false alarms. - The design of this program would normally cause a false alarm by the heuristic scan mode of TbScan, or: - This program might change frequently, and the file is excluded from integrity checking. These exclusions are stored in the Anti-Vir.Dat file by either TbSetup (automatically) or by TbScan (manually). Y - Invalid bootsector. The bootsector is not completely in accordance with the IBM defined bootsector format. It is possible that the bootsector contains a virus or has been corrupted. Z - EXE/COM determinator. The program seems to check whether a file is a COM or EXE type program. Infecting a COM file is a process that is not similar to infecting an EXE file, which implies that viruses able to infect both program types should also be able to distinguish between them. There are of course also innocent programs that need to find out whether a file is a COM or EXE file. Executable file compressors, EXE2COM converters, debuggers, and high-loaders are examples of programs that may contain a routine to distinguish between EXE and COM files. TBAV user manual (C) Copyright 1993 Thunderbyte B.V. APPENDIX C APPENDIX C. Solving incompatibility problems Although TBAV utilities have been designed to cooperate with other resident software, other software may not, causing system errors or worse. Problem: If any TBAV utility tries to display a message, the text 'message file <filename> could not be opened' appears. Solution: Specify the FULL path and filename of the file you will use as message file after the TbDriver loading command. The default file name is "TbDriver.Lng". Problem: You are running a network. TbScanX is installed succesfully, but it does not display the "*scanning*" message while accessing files. It does not detect viruses either. TbCheck is installed succesfully, but it does not display the "*checking*" message while accessing files. It does not detect viruses either. TbFile is installed succesfully, but it does not detect anyt- hing anymore. TbMem is installed succesfully, but it does not detect TSRs anymore. Solution: Use the command 'TbDriver net' after the network has been loaded. Problem: The system sometimes hangs when the message "*scanning*" or "*checking*" is on the screen. The problem however is hard to reproduce. The system sometimes hangs when you answer 'NO'(do NOT abort program) to a TbMem, TbFile or TbDisk message. Solution: Try using StackMan. StackMan is supplied in the TBAV package. TbScanX: if StackMan doesn't help, try TbScanX without option 'EMS' or 'XMS'. If TbScanX now works without any problems, add option 'EMS' or 'XMS' again along with option 'compat'. On some systems the TbScanX 'XMS' option cannot be used at all, because these systems do not allow the use of extended memory by resident softwa- re. TBAV user manual (C) Copyright 1993 Thunderbyte B.V. APPENDIX C Problem: It is impossible to start a specific TSR after TbScanX has been loaded. The TSR reports that it already has been loaded in memory, which is not true. Solution: Use the 'compat' switch of TbScanX while loading it. The TSR and TbScanX are using the same multiplex interrupt call. Problem: Everything works well, but as soon as you load a specific TSR the system hangs immediately after the TSR becomes resident. The TbScanX option 'compat' does not solve the problem. Solution: Use StackMan with the -dos option and try again. Problem: After you have given permission for a program to remain resi- dent in memory, TbMem asks the same question the next time. Solution: 1) The 'secure' option of TbDriver is specified. Remove this option, reboot and try again. 2) The program mentioned does not appear in the Anti-Vir.Dat file and therefore TbMem cannot permanently store the permission flag. Use TbSetup to generate the Anti-Vir.Dat record of this program! Problem: The system sometimes hangs when you answer 'YES' (abort pro- gram) to a TbMem message. Solution: None. Some resident programs deeply interfere with the system, and once they are rejected from memory the state of the system is not stable anymore. Problem: When you load TbDisk from the DOS command prompt every-thing works OK. However, when you install TbDisk from within the Config.Sys or AutoExec.Bat file it keeps on warning that programs write to disk directly. Solution: Load TbDisk at the end of your AutoExec.Bat file. Problem: You formatted the hard disk using DOS FORMAT.COM, but TbDisk did not come up with a message until the process was almost finished. Solution: This is not a problem. A high level format program like DOS FORMAT.COM does actually not format the disk, but it reads all TBAV user manual (C) Copyright 1993 Thunderbyte B.V. APPENDIX C tracks to locate possible bad spots, and finally it clears the FAT and directory structure. Only this last step implies a disk write, so only this last step is detected by TbDisk. Problem: After you have given permission for a program to perform direct disk access, TbDisk asks the same question next time. Solution: 1) The 'secure' option of TbDriver is specified. Remove this option, reboot and try again. 2) The program mentioned does not appear in the Anti-Vir.Dat file and therefore TbDisk can not permanently store the permission flag. Use TbSetup to generate the Anti-Vir.Dat record ofthis program! Problem: If you try to use Windows fast 32 bit disk access, Windows comes up with an error message. Solution: Use option 'win32' on the TbDisk command line. TBAV user manual (C) Copyright 1993 Thunderbyte B.V. APPENDIX D Appendix D. Exit codes TbScan terminates with one of the following exit codes: Errorlevel 0 No viruses found / No error occurred 1 No files found 2 Error occurred 3 Files have been changed 4 Virus found by heuristic analysis 5 Virus found by signature scanning 255 Sanity check failed TbUtil terminates with one of the following exit codes: Errorlevel 0 No error occurred 1 When option 'compare' fails or an error occurs All other ultilities exit with one of the following exit codes: Errorlevel 0 No error occurred 1 Error occurred TBAV user manual (C) Copyright 1993 Thunderbyte B.V. APPENDIX E Appendix E. Virus naming How many viruses does TbScan detect? Most of the TbScan signatures are family signatures: one signature detects a whole set of viruses. All these viruses are related to each other. The Jerusalem signature for instance covers more than 100 viru- ses. For this reason one cannot tell how many viruses TbScan detects. Some competitive products treat each virus mutant as a separate virus, thus claiming to detect over 2000 viruses. TbScan, however can detect viruses using 'only' 1000 signatures. If you want to compare virus scanners, you have to rely on the tests frequently published in magazi- nes. The virus naming convention TbScan follows the CARO virus naming recommendations. CARO is an organi- sation in which leading anti-virus researchers participate. Viruses are grouped in a hierarchical tree, which indicates to which family viruses belong. TbScan shows the complete CARO name where possible. Many other anti-virus products however just show the family name or the member name. For instance, the 'Leprosy.Seneca.493' virus might be indicated by the familiy name 'Leprosy' or member name 'Seneca', or even by the variant name '493'. Anti-virus products developed by non CARO members might even use a completely different name. TbScan however tries to display as much of the name as possible. If TbScan is not able to distinguish between the 'Leprosy.Seneca.493' and 'Leprosy.Seneca.517' viruses, both viruses are indicated by the name 'Leprosy.Seneca'. Some viruses mutate themselves frequently. To detect all instances of such a virus it is sometimes necessary to use multiple signatures. Although these signatures cover exactly the same virus, they do have a slightly different indication. Behind the name of the virus you will see a number between anglebrackets. This number however has nothing to do with the name of the virus, but is there just for maintenance reasons.