I N T E G R I T Y   M A S T E R (tm)
Version 3.21

An easy to use, data integrity and anti-virus program which also provides PC security, change control and disk error detection.

Users Guide plus Data Integrity and Virus Guide
________________________________________________

Copyright 1990 - 1997 by Wolfgang Stiller
All rights reserved
___________________

Stiller Research
1265 Big Valley Dr.
Colorado Springs, CO 80919-1014
U.S.A.

Electronic mail to:
  CompuServe:               74777,3004
  Internet, Bitnet, etc.:   support@stiller.com
  Uunet:                    uunet!support@stiller.com

Integrity Master (tm) - 2 - Version 3.21

Fifth Edition May 1996 -- updated August 1997
Copyright 1990-1997 Stiller Research. All Rights reserved.

The following paragraph does not apply where such provisions are inconsistent with law: Stiller Research provides this document "AS IS" without warranty of any kind, either express or implied, including, but not limited to the warranties of merchantability or fitness for a particular purpose. This document may include technical inaccuracies or typographical errors. We continually update and correct this document with the latest available information.

Note to U.S. Government users: Use, duplication, or disclosure by the U.S. Government of the computer software and documentation in this package shall be subject to the restricted rights applicable to commercial computer software as set forth in subdivision (b)(3)(ii) of Rights in Technical Data and Computer Software clause at 253.217-7013 (DFARS 53.217-7013). The manufacturer is Stiller Research, 1265 Big Valley Dr., Colorado Springs, CO 80919.

Integrity Master and Integrity Advisor are trademarks of Stiller Research. Microsoft, Windows and MS/DOS are trademarks of Microsoft corporation. IBM and OS/2 are trademarks of International Business Machines Corporation. Vines is a trademark of BANYAN Inc. NetWare is a trademark of Novell Inc. Unix is a trademark of AT&T. Sidekick is a trademark of Borland International.
Use of Integrity Master (tm) (also known as IM) requires acceptance of the following license terms and warranty disclaimer.

L I C E N S E   T E R M S

TO USE INTEGRITY MASTER, YOU MUST AGREE TO AND UNDERSTAND THE FOLLOWING LICENSE TERMS AND WARRANTY DISCLAIMER, OTHERWISE DO NOT USE THIS PROGRAM.

Each PC protected by Integrity Master must have its own license. To use Integrity Master on more than one PC, you must license extra copies.

W A R R A N T Y   D I S C L A I M E R:

INTEGRITY MASTER AND ALL ASSOCIATED PROGRAMS ARE LICENSED "AS-IS". STILLER RESEARCH AND WOLFGANG STILLER MAKE NO WARRANTIES, EITHER EXPRESSED OR IMPLIED, WITH RESPECT TO THESE PROGRAMS, THEIR QUALITY, PERFORMANCE, MERCHANTABILITY, OR FITNESS FOR ANY PARTICULAR PURPOSE. IN PARTICULAR, INTEGRITY MASTER IS NOT GUARANTEED TO PREVENT OR DETECT DAMAGE TO YOUR DATA OR PROGRAMS. IN NO EVENT SHALL STILLER RESEARCH OR WOLFGANG STILLER BE LIABLE FOR ANY CLAIMS FOR LOST PROFITS OR ANY DAMAGE, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL OR OTHER DAMAGE. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.

IF YOU USE INTEGRITY MASTER (IM), YOU ASSUME EXCLUSIVE RESPONSIBILITY AND LIABILITY FOR ANY LOSS OR DAMAGE DIRECTLY OR INDIRECTLY ARISING OUT OF THE USE OF THE PROGRAM. IN NO CASE SHALL STILLER RESEARCH'S OR WOLFGANG STILLER'S LIABILITY EXCEED THE LICENSE FEES PAID FOR THE RIGHT TO USE THE LICENSED SOFTWARE.

THE LICENSE AGREEMENT AND WARRANTY DISCLAIMER SHALL BE CONSTRUED, INTERPRETED AND GOVERNED BY THE LAWS OF THE STATE OF COLORADO.

T A B L E   O F   C O N T E N T S

PART ONE - Integrity Master (tm) Users Guide

  License and Warranty Terms ........................ 3

  CHAPTER ONE - WHY INTEGRITY MASTER
    Welcome! ..................................... 7
    Don't Read This .............................. 7
    Do Read This ................................. 7
    Why the Users Guide .......................... 8
    What Can Integrity Master Do? ................ 8
    How Does Integrity Master Do These Things?.... 9
    What Makes Integrity Master Special?.......... 9
    Requirements and Limitations ................ 10

  CHAPTER TWO - INSTALLING INTEGRITY MASTER
    Special Quick Install........................ 11
    Full Installation............................ 11
    Vital Files ................................. 12
    Screen Colors ............................... 13
    Using Integrity Master Menus................. 14

  CHAPTER THREE - RUNNING INTEGRITY MASTER
    Integrity Master Screen Contents ............ 15
    The Initialize Menu ......................... 15
    Initializing Integrity Data.................. 15
    What Is Integrity Data? ..................... 16
    The Check Menu .............................. 16
      CMOS Memory.............................. 18
    The Report File ............................. 20
    System Sectors .............................. 21
      Reloading ................................ 21
      Fixing ................................... 22
    The Commands Menu ........................... 24
      Disk Change and Directory Change ......... 24
      Quit - Exit Integrity Master ............. 24
      Uninstall - Delete Integrity Data ........ 25
    The Statistics Summary ...................... 25
    Virus Checking Procedure .................... 26
      Scanning for Viruses ..................... 27
      Quick scanning ........................... 29
      Scanning uploads ......................... 29
      Detecting Viruses ........................ 30
      Detecting Unknown (new) viruses .......... 30
      The Integrity Master virus report ........ 31
      False Alarms ............................. 32
      Destroying Viruses ....................... 33
      Data Corruption .......................... 33
    Integrity Master and Disk Problems .......... 34
    Integrity Master for PC Security ............ 36
    Integrity Master for Change Control ......... 37
    Integrity Master for Laptop Configuration.... 37
    COMMAND LINE (BATCH) EXECUTION .............. 38
      Syntax ................................... 38
      Error Levels ............................. 40
    Using IMCHECK ............................... 40
    Add-on programs.............................. 41
      RunMaybe - Conditional execution.......... 41
    Other Operating Systems ..................... 45
      Microsoft Windows and OS/2................ 45
      Networks ................................. 46
      Using IM on a Network .................... 46

  CHAPTER FOUR - CUSTOMIZING
    The Parameter (Options) File ................ 49
    Options Menu ................................ 50
    Options in SETUPIM .......................... 56
    Integrity Data Options ...................... 58
    Toggle CMOS Check Type ...................... 58
    Home Directory Options ...................... 58
    Updating Your Hardware Configuration ........ 59
    The Advanced Option Menu..................... 59

  CHAPTER FIVE - ERRORS
    Solving Problems ............................ 63
    Answers to Common Questions ................. 63

PART TWO - DATA INTEGRITY AND VIRUSES

  CHAPTER ONE - THREATS TO YOUR DATA
    Introduction - Viruses Get All The Glory .... 67
    Hardware and Power Faults ................... 68
    Finger Checks ............................... 68
    Malicious or Careless Damage................. 68
    Software Problems ........................... 69
    Software Attacks ............................ 69
      Logic Bombs .............................. 69
      Trojans .................................. 70
      Worms .................................... 70
      Viruses .................................. 70
        General Virus Behavior ................. 71
        System Sector Viruses .................. 72
          Boot Sectors ......................... 72
          Partition Sectors .................... 73
        File Viruses ........................... 74
          Macro Viruses ........................ 75
          Polymorphic Viruses .................. 79
          Virus Toolkits ....................... 80   IN PRINTED BOOK ONLY
    How Many Viruses Are There?.................. 80

  CHAPTER TWO - PROTECTION FOR YOUR PC
    Hardware Protection ......................... 83
    "Fixing" your disk .......................... 83
    Goof Protection ............................. 83
    Intrusion Protection......................... 84
    Virus Defenses .............................. 85
      Scanners ................................. 85
      Disinfectors ............................. 86
      Interceptors ............................. 87
      Inoculators .............................. 87
      Integrity Checkers ....................... 88
      Prevention................................ 90

  CHAPTER THREE - VIRUS MYTHS
    Mythical Sources ............................ 91
    Quick and Easy Cures ........................ 92
    Silly Tricks ................................ 92
    Retail Software Only? ....................... 92
    Write-Protecting Your Hard Disk ............. 93
    Safe Computing (Safe Hex?)................... 94

  CHAPTER FOUR - VIRUS REALITIES
    The ONLY Real Source of Viruses ............. 95
    Shareware Is as Safe or Safer ............... 95
    Few Virus Free Programs ..................... 95
    Write-Protecting Floppies ................... 96
    Beware the CE and the Demo! ................. 96

  CHAPTER FIVE - WHAT TO DO - SOME SUGGESTIONS
    Action is Vital - Now! ...................... 97
    Backup Policy ............................... 98
    Integrity Checking Policy ................... 98
    Run CHKDSK .................................. 99
    Determining Causes of Corruption ............ 99
    Education ................................... 99
      Signs of Software Problems ............... 100
      Signs of Viruses ......................... 100
    Policy and Routine ......................... 101
    Networks and Viruses ....................... 101
    Guidelines for Using Anti-virus Software.... 102

  CHAPTER SIX - SAFELY USING COMPRESSION AND CACHE     IN PRINTED BOOK ONLY
    Safely Getting Maximum Benefit ............. 103   IN PRINTED BOOK ONLY

  CHAPTER SEVEN - HANDLING A VIRUS ATTACK
    Report the Attack .......................... 109
    Play Detective.............................. 109
    Clean House (Steps to Remove the Virus)..... 210
    Guard the House ............................ 210

  CHAPTER EIGHT - SPECIAL ANTI-VIRUS TECHNIQUES         IN PRINTED BOOK ONLY
    Using Common Utilities Against Viruses ..... 211   IN PRINTED BOOK ONLY
    Guidelines for Consultants ................. 213   IN PRINTED BOOK ONLY
    Using Advanced Anti-virus Tools ............ 216   IN PRINTED BOOK ONLY

  CHAPTER NINE - THE LATEST INFORMATION ON VIRUSES      IN PRINTED BOOK ONLY
    Why Do People Write Viruses?................ 219   IN PRINTED BOOK ONLY
    The Virus Underground ...................... 120   IN PRINTED BOOK ONLY
    East Block Viruses ......................... 121   IN PRINTED BOOK ONLY
    How Viruses Mutate ......................... 122   IN PRINTED BOOK ONLY
    Descriptions of Common Viruses ............. 123   IN PRINTED BOOK ONLY

  Chapter Ten - About Stiller Research and the Author 139   IN PRINTED BOOK ONLY
    The author at work (graphic) ............... 140   IN PRINTED BOOK ONLY

  INDEX ........................................ 141   IN PRINTED BOOK

PART ONE - INTEGRITY MASTER(tm) USERS GUIDE

CHAPTER 1 - INTRODUCTION
____________________________________________________________________

WELCOME!

Welcome to the family of Integrity Master(tm) users! Integrity Master (also known as IM) is the fastest, most powerful data integrity and anti-virus software available for any price. I hope that you'll find Integrity Master an indispensable part of your PC tool kit.
From now on, you'll be back in control of all the data on your PC.

DON'T READ THIS!

You do not need to read the Users Guide before installing or using Integrity Master. Most people should only rarely need to read the Users Guide. If you're reading this to learn how to use Integrity Master, you're here for the wrong reason. Just follow the directions on the diskette or on the cover letter. The tutorial in SetupIM should tell you all you need to know to get started. For additional help when using Integrity Master (IM), just press F1 and select the index. The odds are, what you need to know is there.

DO READ THIS!

Please do read PART TWO - Data Integrity and Viruses of this book. It explains the threats to the integrity of your PC. It also explains viruses in detail so that you can understand how to fully protect yourself using Integrity Master. Also please do read the section on detecting "Unknown viruses" on page 31.

Please do read the README.TXT file which comes with your copy of Integrity Master. It contains information on anything that might have changed since we printed this manual. You can read this file by using your favorite file viewer or the IMVIEW program included with Integrity Master. The command "IMVIEW README.TXT" will let you browse through this file or "IMPRINT README.TXT" will print it.

If you have any questions about IM or encounter any problems, please read the QUESTION.TXT file.

WHY READ THE USERS GUIDE (Part One)?

I've written this users guide for three reasons:

1) To provide more information on how to get the greatest benefit out of Integrity Master. You'll learn how to:
   o use IM to detect totally new viruses
   o tell if file damage is likely due to a hardware problem, or possibly a virus or a trojan
   o use IM to protect your PC from unauthorized tampering, etc.
2) To explain certain aspects of Integrity Master in more detail and in different terms than the explanation available from IM's internal help screens.

3) To satisfy people who prefer to read things on paper. If you prefer to read things on paper, then you're here for the right reason. Although, I'll bet the tutorial in SetupIM will surprise you. (Give it a try!)

What Can Integrity Master Do?

1) Detect and remove viruses. IM will even detect viruses that are not known to exist at this point. For known viruses, IM will recognize them by name and describe what they do.

2) Detect possible file corruption due to hardware or software problems. This type of file damage is apparently at least 100 times more likely than virus infection, yet it usually goes undetected.

3) Supplement or replace any PC security programs you have. IM will inform you if anyone changed something on your PC's disk while you were gone.

4) You just compressed your disk or you restored your files from a backup. Are all the files really OK? IM will tell you.

5) You wanted to delete all your .BAK files, but you entered: "DEL *.BAT" by mistake. Oops! IM will tell you exactly which files you need to restore.

6) You need a change management system to keep track of growth on your hard disk. Where is all that disk space going? IM will tell you.

7) You're having problems with your disk drive. Your diagnostic programs say all is OK . . . now. But were some files damaged last night? IM tells you!

8) Your hard disk is having problems. DOS will not even recognize it as a disk. IM can reload your partition and boot sectors to "fix" your disk!

How Does Integrity Master Do All These Things?

1) It reads files as well as parts of the operating system on your disk known as system sectors. The first time you use IM, you will run an "initialize" that will read your disk and calculate cryptographic signatures for each file and system sector.
   While it's doing this, IM is also checking for signs of known viruses.

2) This signature data, along with other information such as the file size, is encrypted and recorded in the "integrity data" file. IM creates one such file for each directory on your disk.

3) On subsequent checks, the files and system sectors are read again and the computed integrity data is compared with the prior values. This allows IM to determine if anything has changed, even if the time and date stamps reveal no change.

4) IM detects changes that a virus may make to associate itself (companion and cluster viruses) with an existing program. A virus can only infect your PC by associating itself with your programs or system sectors. In order to do this, a virus must change some existing data on your PC. If nothing has changed, you can be absolutely certain that you don't have a virus. IM can detect these changes if a virus tries to infect your system.

What Makes Integrity Master Special?

1) Integrity Master is not just an anti-virus product but a complete data integrity system. Viruses are but one threat to the integrity of your PC. With Integrity Master you have a complete solution.

2) Unlike other integrity checking programs, Integrity Master contains extensive information regarding known viruses. If IM recognizes part of a known virus, it will identify the specific virus and provide specific steps to remove it (offering to do this automatically) and check for possible damage. If it detects other file changes that are characteristic of a virus, it will alert you to that fact and provide appropriate instructions.

3) Unlike a virus scanner, Integrity Master allows you to detect unknown as well as known viruses.

4) Unlike anti-virus products that merely find known viruses, Integrity Master also detects files and sectors damaged (not just infected!) by viruses.

5) Integrity Master is fast! We wrote it in 100% highly optimized assembler language.
6) Integrity Master utilizes easy to use menus with lots of help. You don't have to fully understand some of the more complex areas of data integrity, such as system sectors, yet you can be fully protected.

7) Integrity Master is the only anti-virus product that can check and report specific CMOS changes. It will also (if needed) reload the PC's CMOS.

8) IM can do ultra-fast scanning. By running IM regularly (daily or every-other-day) in its "quick update" mode, you can scan a typical 1.2gb disk in 20 to 40 seconds and maintain a change history at the same time.

9) Integrity Master is useful with disk diagnostics. You can run your normal test programs to check if your disk drive is working OK right now, but was it working correctly at 3 PM yesterday? Integrity Master will detect any disk errors which caused data damage earlier.

INTEGRITY MASTER REQUIREMENTS AND LIMITATIONS:

o IM requires a PC with 310 thousand bytes of available memory and DOS 2 or later. (At least 390 thousand bytes are needed for maximum speed.)
o Also runs under Windows 3.x, Win 95, Win NT, or OS/2.
o IM supports super-large disks and files.
o IM supports a maximum of 2621 files in a single directory.
o Do not use the DOS APPEND, SUBST or ASSIGN commands together with IM. These can cause results that are misleading if you don't carefully consider the effects of these commands. If you use Disk Manager or other special software loaded in the partition sector, be sure to read QUESTION.TXT for any special precautions.

CHAPTER TWO - INSTALLING INTEGRITY MASTER
____________________________________________________________________

Please follow the instructions on the cover letter or the diskette label to install Integrity Master. If you are a Windows user, you can use the "File Manager" or "Explorer" to double-click on the IMWIN.EXE file located in the \IM_HOME directory.
This creates the Windows IM Program group and automatically runs SetupIM to begin the customization for your PC. After this completes, click on the "2nd" icon to complete the install. (If you need to rerun SetupIM, click on the "1st" icon.)

SPECIAL QUICK INSTALL PROCEDURE

Since you may want to do a quick evaluation of Integrity Master to see how it meets your needs, we offer a short cut install procedure. In contrast, the full install procedure is intended to guard against unknown viruses already infecting your system or an attack by a sophisticated user, and is not necessary for an evaluation under normal circumstances. The program SetupIM will offer you the quick install. (SetupIM runs automatically during the install.)

FULL INSTALLATION

1) Follow the directions (normally by running IMsetup) in the cover letter to install the IM files on your hard disk and run SetupIM (SetupIM is started automatically by IMsetup).

2) SetupIM will guide you from there. SetupIM will offer you a full tutorial on using Integrity Master menus and give you an overview of how Integrity Master works. SetupIM will then analyze your needs and check out your hardware configuration. SetupIM's Integrity Advisor(tm) component will customize IM's options so that it will work best to meet your needs. The Integrity Advisor(tm) will also prepare a custom designed procedure to finish the install and a plan for day-to-day use of IM. In addition to displaying this plan on your screen, the Integrity Advisor will write the plan to file IMPROC.TXT. You can use your favorite utility to read IMPROC.TXT or you can enter the command: IMVIEW IMPROC.TXT to read it, or the command IMPRINT IMPROC.TXT to print the file.

IMPROC.TXT contains IMCHECK check values for IM.EXE and IMCHECK.EXE so that you can verify that you have a good copy of these programs.
EASY ACCESS TO INTEGRITY MASTER

You may wish to copy *.EXE and IM.PRM into a directory on your DOS PATH (e.g., "\DOS") to make IM convenient to run from any location on your system.

VITAL FILES

Please check file README.TXT for a full list of files that come with Integrity Master and what's important about each file. To read README.TXT, type: "IMVIEW README.TXT" and press ENTER.

After you install Integrity Master, there will be only two files you absolutely need to use Integrity Master:

  IM.EXE        Integrity Master itself
  IM.PRM        The parameter file which controls how IM works. This file is created by SETUPIM.EXE

If you want to reinstall IM, or change advanced features of IM, you will need:

  SETUPIM.EXE   The setup and install program (it creates and updates IM.PRM)
  IM.DAT        Needed for initial installation of IM only. This file contains your serial number and name.

When you install IM, SetupIM will create these files:

  IMPROC.TXT    Instructions on how to finish installation and run IM
  IM.PRM        The parameter file (all option settings are stored here)

SCREEN COLORS

IM normally detects the type of video adapter you have automatically and uses appropriate colors for your equipment. There are two things that can confuse IM:

1) Some programs change the DOS video mode from color to monochrome or vice-versa. To correct this, just enter the appropriate mode command (e.g., "MODE CO80").

2) Some equipment appears to have a different display than it really has, such as an LCD display on a laptop. (Most modern laptops do a good job displaying colors directly or of mapping colors into shades of gray and you won't need to do anything special.)

If you find your display hard to read, you may want to override IM's choice of video mode (colors). The best way to do this is to experiment by using the command line parameters to specify an alternate set of colors. Try each option and choose what looks the most pleasing.
Generally, modern laptops will work well in color mode. Both IM and SetupIM accept these command line parameters:

  /L - For older CGA type liquid crystal displays (e.g., Toshiba 1000 laptops)
  /M - Forces monochrome mode
  /C - Forces color mode
  /A - Forces automatic video detection mode (default)

Example: "IM /M" will use colors appropriate for a monochrome display even if the display appears to be a color display.

Once you've found the video mode (colors) that works the best, it's usually easiest to use SetupIM to select that video mode and save it as your normal video mode. From then on, IM will use this video mode without a command line parameter.

USING INTEGRITY MASTER MENUS

Integrity Master (IM) and SetupIM both employ an advanced menu system. When you first install using SetupIM, it will offer you an extensive guided tour of how these menus work. This is the best way to learn how to use the menus. Within Integrity Master, just press F1 and select "Help using the menus" from the help menu for assistance.

On most menus you will see one selection shown in a different color (or underlined) from the other selections. The different color (highlight) indicates that this is the chosen line. You can use the arrow (cursor) keys to select any of the items on the menu. Each menu line has a single capitalized letter displayed in a different color. Pressing the key matching that letter will also select that menu item. On many menus, an extended explanation automatically appears as you select any menu line. After you have chosen the appropriate menu item, you must press the ENTER key before anything will happen.

CHAPTER THREE - RUNNING INTEGRITY MASTER(TM)
____________________________________________________________________

INTEGRITY MASTER SCREEN CONTENTS

The top part of the Integrity Master screen tells you what options are in effect and what IM is currently doing.
The menus appear below this. Be sure to go through the tutorial in SetupIM to learn how to use the menus. When IM is busy checking your files, the report screen pops up and replaces the lower half of the screen including the menu area.

The best way to get familiar with the information presented to you on the IM screen is by pressing the F1 (help) key and selecting the "Explanation of the display" entry. This will give you a step by step guided tour of IM's display.

INITIALIZING INTEGRITY DATA

Before you can check your disk, you must initialize the integrity data that describes the disk. You can use either the command line parameter (/IE) or the Initialize menu within IM. Press "I" or alt/I (hold down the ALT key and press "I") to get to the Initialize menu.

    Help   Options   Check   [Initialize]   ReLoad   CoMmands
                              Entire disk integrity
                              Files on current Disk
                              Current and Lower directories
                              Current diRectory only
                              Boot sector
                              Partition sector
                              CMOS memory
                              Resident Programs and memory

From this menu, you create (initialize) the integrity data that describes your files, CMOS memory, resident programs, and system sectors. While IM is initializing the integrity data, it will (unless you turned virus checking off) check for known viruses, and check for other indications of viruses or system problems.

For the system (boot and partition) sectors and CMOS, IM will save reload information. This enables you to restore your system sectors (using the ReLoad menu) if anything should ever infect or damage them. IM writes the reload data to files CMOS.SRL, BOOT.SRL, and PART.SRL for the CMOS memory, DOS boot sector, and partition sector respectively. Be sure to read the section in Part Two, Chapter One, that explains why system sectors are important.
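The initialize-then-check cycle that Chapter One outlines (one integrity data file per directory holding a signature and size for each file, recomputed on each check so that a change is caught even when the time stamp is unchanged) can be illustrated in a few dozen lines. The following is an added example written for this guide, not Integrity Master's own code or file format: it assumes a data file named .integrity.json in each directory, uses a random HMAC-SHA256 key where SetupIM picks a random signature algorithm, and mirrors the "Current diRectory only" / "Current and Lower directories" scopes of the Initialize menu. The files it creates are constructed sample data in a temporary directory.

```python
"""Per-directory integrity data: initialize, then check for added, deleted
and changed files, following the initialize/check cycle this guide describes.
Added example; this is not Integrity Master's own code or file format."""
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from pathlib import Path

# IM writes one integrity data file per directory; this file name is an assumption.
DATA_FILE = ".integrity.json"


def signature(key: bytes, path: Path) -> str:
    """Keyed signature over every byte of the file. SetupIM picks a random
    signature algorithm per installation; a random HMAC key stands in for that
    choice here, so nobody who knows the program can precompute a matching file."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def describe(key: bytes, directory: Path) -> dict:
    """Integrity data for one directory: size and signature of each file."""
    return {
        entry.name: {"size": entry.stat().st_size, "sig": signature(key, entry)}
        for entry in sorted(directory.iterdir())
        if entry.is_file() and entry.name != DATA_FILE
    }


def directories(root: Path, lower: bool) -> list:
    """'Current diRectory only' (lower=False) or 'Current and Lower directories'."""
    return [root] + ([p for p in root.rglob("*") if p.is_dir()] if lower else [])


def initialize(key: bytes, root: Path, lower: bool = True) -> None:
    """Create the integrity data file in each directory in scope."""
    for d in directories(root, lower):
        (d / DATA_FILE).write_text(json.dumps(describe(key, d), sort_keys=True))


def check(key: bytes, root: Path, lower: bool = True) -> dict:
    """Recompute and compare with the stored data. Signatures come from the
    file content, so a change that keeps size and time stamp is still caught."""
    report = {"added": [], "deleted": [], "changed": []}
    for d in directories(root, lower):
        stored_file = d / DATA_FILE
        if not stored_file.exists():
            continue  # never initialized; IM would tell you to initialize first
        stored = json.loads(stored_file.read_text())
        current = describe(key, d)
        for name in current.keys() - stored.keys():
            report["added"].append((d / name).relative_to(root).as_posix())
        for name in stored.keys() - current.keys():
            report["deleted"].append((d / name).relative_to(root).as_posix())
        for name in current.keys() & stored.keys():
            if current[name] != stored[name]:
                report["changed"].append((d / name).relative_to(root).as_posix())
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict:
    """Constructed scenario in a temporary directory: initialize, then make
    three kinds of change, including an edit that preserves size and mtime."""
    key = secrets.token_bytes(32)  # would be kept with the rest of the setup data
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "C"
        (base / "UTILS").mkdir(parents=True)
        (base / "EDIT.EXE").write_bytes(b"MZ" + b"\x90" * 100)
        (base / "OLD.BAK").write_bytes(b"old")
        (base / "UTILS" / "SORT.EXE").write_bytes(b"MZ" + b"\x00" * 50)
        initialize(key, base)
        # 1) same size and same time stamp, different content
        target = base / "EDIT.EXE"
        st = target.stat()
        target.write_bytes(b"MZ" + b"\x90" * 99 + b"\xcc")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        # 2) a deleted file, 3) a new file in a lower directory
        (base / "OLD.BAK").unlink()
        (base / "UTILS" / "NEW.COM").write_bytes(b"\xe9\x00\x00")
        return check(key, base)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it reports EDIT.EXE as changed even though its size and modification time match the stored values, OLD.BAK as deleted, and UTILS/NEW.COM as added; a check of a directory with no data file is skipped rather than reported, which is the case where IM would ask you to initialize first.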
When you first use IM, please select "Entire disk integrity" to initialize the integrity data for all files and system sectors (the boot or partition sectors) that exist on the current disk. IM will also create the system reload files (CMOS.SRL, BOOT.SRL, and PART.SRL). IM will create file MEMD.SRL (MEMW.SRL if running under Windows or MEMO.SRL under OS/2) to contain the resident program and memory configuration. Be sure to save a copy of these files on diskette to help you recover when your hard disk fails. (Not all disks have both boot and partition sectors.)

WHAT IS INTEGRITY DATA?

When IM checks a file, it uses each byte of the file in a calculation to compute cryptographic signatures for that file. A change to any part of a file will result in a different signature. These signatures, along with other significant information such as file size, are what I call integrity data. IM writes an integrity data file for each directory on your disk. These files can be stored with the files that they describe or stored on separate diskettes. When you first run SetupIM, it chooses, at random, a unique algorithm to compute the cryptographic signatures, and also chooses a unique algorithm to encrypt your integrity data files.

WHAT ARE CRYPTOGRAPHIC SIGNATURES?

Just as your signature uniquely identifies you, the cryptographic signatures serve to identify the contents of each file. If a virus or a hardware problem changes a file, the signature computed for that file will be different, although the file size and time and date stamps may be the same. A change or the rearrangement of data in a file will result in a different signature. When you execute SetupIM, it will randomly select a unique algorithm for computing the cryptographic signatures.

THE CHECK MENU

From the Check menu, you can check files or system sectors for changes. Use the up and down arrow keys to select the type of checking you'd like to do.
You may choose to check only specific things on your disk, such as the system sectors or individual files, or you can check everything on the entire disk. IM will report any added, deleted, or changed files as well as any signs of viruses or other known problems.

If integrity checking is on, IM will read the files and check for any changes. Use the Options menu to control whether full integrity checking is on and the type of files to check. The fourth line at the top of the screen shows the current status of integrity checking including the type of files to be checked. If you see: "Integrity check: On", this indicates that full checking will be done on all files.

You can reach the Check menu by pressing "C" or alt/C.

    Help   Options   [Check]   Initialize   ReLoad   CoMmands
                      All disks
                      Entire disk integrity
                      Files on current Disk
                      Current and Lower directories
                      Current diRectory only
                      Specific file(s)
                      Boot sector
                      Partition sector
                      Disk for known Viruses
                      CMOS memory (FULL)
                      Resident Programs and memory

Entire disk integrity
  Selecting this option and pressing the ENTER key will check any system sectors (the boot or partition sectors) that exist on the current disk for changes and then check all files in all directories.

Files on current Disk
  Selecting this option and pressing the ENTER key will check only files on the current disk. System sectors will not be checked.

Current and Lower directories
  Selecting this option and pressing the ENTER key will check files in the current directory and any files in any directories which are defined as descendant from the current directory.
  If the current directory happens to be the root directory (e.g., C:\) then all files on that disk will be checked since all other directories are descendant from the root directory. Another example: if you're in directory \DOS, directories such as \DOS\A, \DOS\UTILS or \DOS\A\B will be checked in addition to \DOS.

Current diRectory only
  Selecting this option and pressing the ENTER key will check only files in the current directory.

Specific file(s)
  Selecting this option and pressing the ENTER key allows you to enter the name of a specific file to check.

Boot sector
  Selecting this option and pressing the ENTER key will read the DOS boot sector and check it for any changes. Please see the explanation of system sectors later in this guide.

Partition sector
  Selecting this option and pressing the ENTER key will read the partition sector (also known as the master boot record or MBR) and check it for any changes. Please see the explanation of system sectors later in this guide.

Disk for known Viruses
  The option to check "Disk for known Viruses" is intended mostly for quick virus scans or to do checks of all files (not just those identified as executable files) for known viruses. You can do a virus scan on just the current directory, the current directory and all lower subdirectories, or on the entire disk. If you choose the entire disk, then the appropriate system sectors will be checked as well as all executable files.

  IM provides an option to scan only floppy boot sectors for viruses. I suggest you use this option to screen all your floppies if you should ever encounter a system sector virus.

  IM also provides an option to scan all files (not just executables) for viruses. Scanning all types of files is useful as a double check in the event that IM detects an existing virus.
This is suggested since it's possible that you may have a program somewhere that uses a file with a nonstandard extension to store executable code (e.g., overlays). If you are aware of a program that uses extensions which IM does not recognize as executable, then you may wish to use the Advanced menu in SetupIM to add this extension to the list of extensions recognized by IM. You generally won't need the virus scanning option except in these special cases, since IM automatically checks for viruses during its normal processing. You can also use the /VA, /VB, /VM, /VO, /VR, or /VL command line parameters to perform a virus scan.

CMOS Memory

Integrity Master can check the CMOS memory describing the configuration of your PC. It can check either the "FULL" CMOS, the "BASE" CMOS (the standard 64 byte AT CMOS portion), or the "CORE" CMOS. "CORE" is the standard setting and checks only those parts of CMOS that are vital to the integrity of your PC. The menu will display whether "FULL", "BASE", or "CORE" CMOS is being checked. You can use SetupIM to change this.

Most modern PCs now have more than the standard 64 byte base CMOS memory. IM can check your entire CMOS. IM ignores the "known to change" portions of your CMOS when checking. CMOS is used differently by each manufacturer, but IM will diagnose the change to CMOS and report as much information as possible regarding what has changed. For example, if you install a new floppy drive, you would expect the CMOS describing the floppy setup to change. If you see that many items in your CMOS have changed, then it's a good bet that your battery is failing or a buggy program may have trashed your entire CMOS. In this case, let IM reload your CMOS for you.

CMOS is the special battery powered memory that contains information on how your PC is configured. If this memory is changed, your PC may be unable to boot, so be sure to save the CMOS.SRL file on a floppy.
Generally, XT class (and earlier) PCs don't have CMOS memory. There's usually a setup program (sometimes accessible only at boot time) that allows you to change your PC's configuration and thereby change the CMOS contents. If you do this, be sure to use the CMOS option on the Initialize menu to update IM's saved copy of your CMOS (in file CMOS.SRL).

CMOS is powered by a battery so that its contents will stay intact when your PC is off. You must periodically replace this battery. When it starts to fail, you will notice unexpected changes to your CMOS. After you replace the battery, use the ReLoad menu to restore your original configuration.

CMOS is not implemented the same way on all PCs. Integrity Master follows the standard definition for the IBM PC AT, which is now extended for modern PCs. IM supports the most common configurations, but it's possible that your PC may use portions of your CMOS memory in a different way. Don't be alarmed if an area of your CMOS changes (especially if you use a laptop); some PCs use portions of CMOS for special purposes, with the result that there may be one area that normally changes. The area that you are most likely to see changing on your PC is what IM calls the "OEM options" area. If IM reports a change to only one area, you need not be concerned; this is normal.
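What a CMOS change report can look like, as an added example that is not Integrity Master's code: the script below compares a saved 64 byte base-CMOS image (the role CMOS.SRL plays for IM) with the current contents, skips the known-to-change areas, verifies the standard AT checksum and applies the rule of thumb given above, that one changed area is normal while many changed areas or a bad checksum point at a failing battery or a program that overwrote CMOS. The offsets are the standard IBM PC/AT layout; the area names, the set of ignored areas and every byte value in the sample images are this example's own assumptions.

```python
"""Compare a saved base-CMOS image with the current one and explain what
changed.  Added example, not Integrity Master's own code: the offsets follow
the standard IBM PC/AT CMOS layout the guide refers to, while the area names,
the ignored set and all byte values in the sample images are constructed."""
from typing import Dict, List, Tuple

# Standard AT base-CMOS map: (name, first offset, one past the last offset).
AREAS: List[Tuple[str, int, int]] = [
    ("Real-time clock and alarm", 0x00, 0x0E),   # advances every second
    ("Diagnostic/shutdown status", 0x0E, 0x10),  # BIOS scratch bytes
    ("Floppy drive types", 0x10, 0x12),
    ("Hard disk types", 0x12, 0x14),
    ("Equipment byte", 0x14, 0x15),
    ("Base memory size", 0x15, 0x17),
    ("Extended memory size", 0x17, 0x19),
    ("Extended hard disk types", 0x19, 0x1B),
    ("OEM options", 0x1B, 0x2E),                 # vendor-specific, often changes
    ("Checksum", 0x2E, 0x30),
    ("Extended memory found at POST", 0x30, 0x32),
    ("Century byte", 0x32, 0x33),
    ("Information flags", 0x33, 0x34),
    ("Reserved", 0x34, 0x40),
]
# "Known to change" areas: reported, but never treated as a critical change.
KNOWN_TO_CHANGE = {"Real-time clock and alarm", "Diagnostic/shutdown status", "OEM options"}


def cmos_checksum(image: bytes) -> int:
    """Standard AT checksum: 16-bit sum of bytes 0x10 through 0x2D."""
    return sum(image[0x10:0x2E]) & 0xFFFF


def stored_checksum(image: bytes) -> int:
    """Checksum the BIOS recorded at 0x2E (high byte) and 0x2F (low byte)."""
    return (image[0x2E] << 8) | image[0x2F]


def with_checksum(image: bytearray) -> bytearray:
    """Rewrite the checksum bytes so a constructed image is self-consistent."""
    total = cmos_checksum(image)
    image[0x2E], image[0x2F] = total >> 8, total & 0xFF
    return image


def diff_cmos(saved: bytes, current: bytes) -> Dict[str, object]:
    """Report the critical areas that differ between two 64-byte images,
    whether the current checksum is valid, and a verdict: one changed area is
    a normal configuration change; several changed areas or a bad checksum
    suggest a failing battery or a program that trashed CMOS, so reload."""
    if len(saved) != 64 or len(current) != 64:
        raise ValueError("base CMOS images must be 64 bytes")
    differing = [name for name, lo, hi in AREAS if saved[lo:hi] != current[lo:hi]]
    critical = [n for n in differing if n not in KNOWN_TO_CHANGE and n != "Checksum"]
    ignored = [n for n in differing if n in KNOWN_TO_CHANGE]
    checksum_ok = stored_checksum(current) == cmos_checksum(current)
    if not checksum_ok or len(critical) > 1:
        verdict = "widespread change or bad checksum: suspect battery or corruption, reload"
    elif critical:
        verdict = "single configuration change: verify it, then re-initialize the saved copy"
    else:
        verdict = "no critical change"
    return {"critical": critical, "ignored": ignored,
            "checksum_ok": checksum_ok, "verdict": verdict}


def sample_saved_image() -> bytes:
    """Constructed baseline: one 1.44 MB floppy, one user-defined hard disk,
    640 KB base memory and 15 MB extended memory."""
    img = bytearray(64)
    img[0x10] = 0x40                   # drive A: type 4 (1.44 MB), no drive B:
    img[0x12] = 0xF0                   # drive C: type 15 = "see extended type byte"
    img[0x14] = 0x21                   # equipment: floppy installed, 80x25 colour
    img[0x15], img[0x16] = 0x80, 0x02  # base memory 0x0280 = 640 KB, little-endian
    img[0x17], img[0x18] = 0x00, 0x3C  # extended memory 0x3C00 = 15360 KB
    img[0x19] = 47                     # drive C: extended type 47 (user-defined)
    img[0x32] = 0x19                   # century, BCD
    return bytes(with_checksum(img))


def scenario_new_floppy() -> Dict[str, object]:
    """A second 1.44 MB drive is added in the setup program, which also
    rewrites the checksum: exactly one critical area changes."""
    current = bytearray(sample_saved_image())
    current[0x10] = 0x44
    return diff_cmos(sample_saved_image(), bytes(with_checksum(current)))


def scenario_known_to_change() -> Dict[str, object]:
    """Only the clock, a BIOS status byte and the OEM area moved."""
    current = bytearray(sample_saved_image())
    current[0x00] = 0x30               # seconds advanced
    current[0x0E] = 0x80               # diagnostic status flag set by the BIOS
    current[0x20] = 0xAA               # OEM byte, rewritten with a fresh checksum
    return diff_cmos(sample_saved_image(), bytes(with_checksum(current)))


def scenario_trashed() -> Dict[str, object]:
    """Several unrelated areas changed and the checksum no longer matches."""
    current = bytearray(sample_saved_image())
    for offset in (0x10, 0x12, 0x14, 0x17):
        current[offset] ^= 0xFF
    return diff_cmos(sample_saved_image(), bytes(current))


if __name__ == "__main__":
    for label, result in (("new floppy", scenario_new_floppy()),
                          ("known-to-change", scenario_known_to_change()),
                          ("trashed", scenario_trashed())):
        print(f"{label:16s} {result['verdict']}  critical={result['critical']}")
```

Note that the checksum range (0x10 through 0x2D) covers the OEM area, so a BIOS that rewrites an OEM byte also rewrites the checksum; the example therefore excludes the checksum bytes themselves from the critical count and judges the checksum by recomputing it instead.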
If your CMOS supports a boot password for your PC, you will see a change to CMOS each time you change your password. When this happens, it's best to use the Initialize menu to save a copy of the updated CMOS with your new password.

Resident Programs and memory

This option allows you to make sure that your resident programs have not changed and that no new programs (such as memory-resident viruses) are active on your PC. In addition to alerting you to potential system problems, this protects you against unknown memory-resident viruses without you needing to boot from a diskette. It also checks to make sure your available memory does not show signs of a suspicious decrease. IM accomplishes this by examining the programs and the interrupts that are resident in your PC's memory. If you install a new resident program or if you change device drivers (these are usually found in entries in your CONFIG.SYS and AUTOEXEC.BAT files), IM will report a change. The "/CM" command line switch allows you to invoke this option.

It is vital that you always run the "resident program check" at the same point, such as immediately after boot. If you execute other programs which stay resident in memory, or if you have programs that change their allocation of memory while you use your PC, you can expect IM to report these changes. If you have multiple boot configurations, you can use the "/MF=" command line option to specify a different memory configuration file for each situation.

Important Reminders Before Checking:

  o Before using IM, be sure that you've run SetupIM (new install) and followed the directions provided for you in file IMPROC.TXT.

  o Before checking your files for the first time, run an "Entire disk integrity" initialize (Windows users can click on the "2nd" icon).

  o For protection against previously unknown viruses, be sure you cold boot from a write-protected floppy before checking.
    (With version three or later you will be able to do a resident program check to provide similar protection.)

THE REPORT FILE

In addition to seeing a report of IM's findings on screen, you may wish to save a report on disk or on paper. The Options menu in both IM and SetupIM allows you to set the type of report (if any) IM will create. I recommend that you allow IM to write its findings to an "auto-named" disk file. By saving these report files, you can discover what changed last April 1 or when you last changed a particular file.

Each time you run IM, it will write its findings to the end of the report file for that day. For example, on June 1, 1996, the report would be in file "0601.REP" (you can control the name given to these files). By saving the report files, you can maintain a complete change history for your PC. If you ever want to find out what happened to a file, the full history will be available. If you wish to keep more than one year of history on-line, try copying all the report files (COPY *.REP) to another disk or subdirectory.

If you choose an "auto-named" report file, you can elect that IM place the file in the IM "home directory" (usually "\IM_HOME") of whichever disk is being checked, or you may choose to place the report files on a specific disk of your choice. For normal installations, the report file is written to disk C. If you installed IM from a version before 2.31, then your report files may still be written to the root directory rather than the IM "home directory". (Run SetupIM if you want to start using the "home directory".)

You can also give the report file absolutely any name you wish. If you choose a specific filename, you should include the disk and directory as part of the filename. If you do not specify a disk or directory as part of the filename, then IM will create this file in the current directory at the time IM starts checking.
You can also specify a specific report file name by using the "/RF=" command line parameter.

If you elect printed output, IM will ask you to choose LPT1, 2, or 3. In the rare event that this does not work with your printer, you may also print by asking IM to write the report to a specific file name such as "PRN" (the printer). If you use "PRN", you will get less sophisticated error handling and messages, since DOS drives the printer rather than IM.

SYSTEM SECTORS

System sectors are special areas on your disk containing programs that are executed when you boot your computer. These sectors are invisible to normal programs but are vital for correct operation of your PC. They are a common target for viruses. Please read the detailed description of Boot and Partition sectors in Chapter One of PART TWO - Data Integrity and Viruses.

RELOADING

You can reach the ReLoad menu by pressing "L" or alt/L from any of the other primary IM menus.

┌────────────────────────────────────────────╔══════╗─────────────┐
│  Help    Options    Check    Initialize    ║ReLoad║   CoMmands  │
└───────────────────────────────╔════════════╝      ╚═╗───────────┘
                                ║ Boot sector         ║
                                ║ Floppy boot sector  ║
                                ║ Partition sector    ║
                                ║ Missing partition   ║
                                ║ PArtition boot code ║
                                ║ CMOS memory         ║
                                ╚═════════════════════╝

From the ReLoad menu, you may reload your CMOS memory, DOS boot sector, or your partition sector (master boot record), in the event that they have become damaged or infected with a virus. The "reload Missing partition" option must be used if you have a disk so badly damaged that DOS will not recognize that the disk exists. You will then be prompted to identify the disk on which to reload. You can identify it either by the logical disk letter (A-Z) or by the physical device number (0 for the first physical hard drive, 1 for the second, and so on).
RELOADING CMOS

If you reload your CMOS, its contents will be reset to their state at the time you let IM initialize the CMOS (with the exception of the time and date information). If your CMOS has a boot password, this will be reset also. IM must have file CMOS.SRL in the IM "home directory" or a root directory of one of your disks in order to reload the CMOS.

CMOS is not implemented the same way on all PCs. Some (rare) PCs can disable writes to CMOS or do so in a non-standard way; in this case, IM may not be able to reload your CMOS. (Please check your motherboard manual for details on your CMOS.)

REWRITING (FIXING) BOOT SECTOR CODE

There are two options that actually reconstruct and rewrite the sector rather than reload it from a saved copy (an *.SRL file). These options are "Floppy Boot Sector" and "PArtition boot code".

REWRITING (FIXING) FLOPPY BOOT SECTORS

The "Floppy Boot Sector" option will check the disk parameters and replace the executable code in the boot sector with a clean self-checking program. This option can be used to remove boot sector viruses from floppy diskettes when IM has no reload data. It can correct the disk parameters (diskette type, size, number of tracks, etc.) if needed. Since viruses and disk corruption can damage or change the diskette parameters, Integrity Master displays the diskette type before rewriting the boot sector:

╔════════════════════════════════════════╗
║ Your diskette appears to be of the     ║
║ type selected below. If this is OK,    ║
║ just press ENTER, otherwise select     ║
║ the correct type and press ENTER.      ║
║────────────────────────────────────────║
║ 180K 5.25"                             ║
║ 360K 5.25"                             ║
║ 1.2mb 5.25"                            ║
║ 720K 3.5"                              ║
║ 1.44mb 3.5"                            ║
║ 2.88mb 3.5"                            ║
║ Bad or non-standard diskette type      ║
╚════════════════════════════════════════╝

IM indicates the detected diskette type by highlighting one of the lines above. You should verify that this is the correct type and hit ENTER.
If this is not the correct type, you can change the selection and IM will correct the diskette parameters accordingly. If you select "Bad or non-standard diskette type", IM will not change the existing diskette parameters but will rewrite the executable code in the boot sector.

The most common diskette type today is the 1.44mb 3.5 inch diskette. This diskette can be identified by the two square holes on the corners of the diskette. The next most common type, the 720K 3.5 inch diskette, has only a single hole (the hole with the write-protect tab).

If booted, this boot sector will do a check on its own integrity and, if the self-checks are OK, display the message:

    This is not a bootable diskette
    Please remove and reboot.

The command line switch "/RF" (Reload Floppy) will invoke this option.

REWRITING THE PARTITION BOOT CODE

The ReLoad menu option titled "Partition Boot code" (and the associated command line switch "/RE") will check the partition table and replace the executable code in the partition sector (AKA Master Boot Record) with a clean self-checking program. This can be used to remove boot sector viruses from your hard disk when IM has no reload data. This code is compatible with DOS 2.1 or later, OS/2, Win 95, Win NT and other operating systems. When you boot from a hard disk with the new boot code you will see the message:

    Partition Sector V2 Copyright 1996 by Stiller Research

If you don't see the above message, it can indicate that the boot sector has been replaced. You may have to watch carefully to see this message, since other messages in the boot process will quickly overlay it. If the self-checks detect a problem you will see:

    Partition Sector is damaged or infected.
    Boot from a diskette and run a full Integrity Master check.

These checks are intended only as an aid, not a replacement for normal Integrity Master checks, since they will not detect infection by some stealth viruses.
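To make the partition sector checks concrete, here is an added example that is not code from Integrity Master: it parses a standard 512 byte master boot record, compares the code area with a saved digest (standing in for IM's *.SRL reload data) and sanity-checks the partition table, which is what any checker must trust before it rewrites anything. The sector bytes, the digest-based saved-copy format and the particular list of table checks are this example's own construction.

```python
"""Check a partition sector (master boot record) against a saved copy and
sanity-check its partition table.  Added example, not Integrity Master's
code: the 446/64/2-byte layout and 0x55 0xAA signature are the standard MBR
format, the sample sector is constructed, and the "saved copy" is a plain
SHA-256 digest of the code area rather than IM's *.SRL format."""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
CODE_END = 446            # bytes 0..445: boot code (and any disk signature)
TABLE_OFFSET = 446        # four 16-byte primary partition entries
SIGNATURE = b"\x55\xAA"   # bytes 510..511


def parse_table(sector: bytes) -> List[Dict[str, int]]:
    """Decode the four entries: status, type, LBA start and sector count
    (the CHS fields are skipped; all multi-byte fields are little-endian)."""
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        entries.append({"status": status, "type": ptype, "start": start, "sectors": count})
    return entries


def table_problems(entries: List[Dict[str, int]]) -> List[str]:
    """Structural checks a checker applies before trusting the table."""
    problems = []
    if any(e["status"] not in (0x00, 0x80) for e in entries):
        problems.append("invalid boot indicator byte")
    if sum(1 for e in entries if e["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    used = sorted((e for e in entries if e["type"] != 0), key=lambda e: e["start"])
    if any(e["start"] == 0 or e["sectors"] == 0 for e in used):
        problems.append("used entry with an empty extent")
    for first, second in zip(used, used[1:]):
        if first["start"] + first["sectors"] > second["start"]:
            problems.append("partitions overlap")
    return problems


def code_digest(sector: bytes) -> str:
    """Digest of the executable part only; the table may legitimately change."""
    return hashlib.sha256(sector[:CODE_END]).hexdigest()


def check_mbr(sector: bytes, saved_digest: str) -> Dict[str, object]:
    """Compare the code area with the saved digest, verify the signature and
    run the table checks.  Any finding means: do not trust this sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a partition sector is exactly 512 bytes")
    findings = []
    if sector[510:512] != SIGNATURE:
        findings.append("missing 55AA boot signature")
    if code_digest(sector) != saved_digest:
        findings.append("boot code differs from saved copy")
    findings.extend(table_problems(parse_table(sector)))
    return {"findings": findings,
            "verdict": "clean" if not findings else "changed or damaged: reload from saved copy"}


def sample_sector() -> bytes:
    """Constructed sector: a harmless 'jmp $' followed by filler as code, one
    active FAT16 primary partition and one extended partition after it."""
    code = b"\xEB\xFE" + bytes(i & 0xFF for i in range(CODE_END - 2))
    entry1 = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 2097088)
    entry2 = struct.pack("<B3xB3xII", 0x00, 0x05, 2097151, 1000000)
    return code + entry1 + entry2 + bytes(32) + SIGNATURE


def scenario(tamper: str) -> Dict[str, object]:
    """Apply one constructed change to the sample sector and check it
    against the digest of the clean sector."""
    sector = bytearray(sample_sector())
    if tamper == "code":                  # a byte inside the boot code changed
        sector[0x10] ^= 0xFF
    elif tamper == "two-active":          # second entry also marked bootable
        sector[TABLE_OFFSET + 16] = 0x80
    elif tamper == "overlap":             # second entry now starts inside the first
        struct.pack_into("<I", sector, TABLE_OFFSET + 16 + 8, 1000)
    elif tamper == "signature":
        sector[510:512] = b"\x00\x00"
    return check_mbr(bytes(sector), code_digest(sample_sector()))


if __name__ == "__main__":
    for t in ("none", "code", "two-active", "overlap", "signature"):
        print(f"{t:10s} {scenario(t)['findings']}")
```

Hashing only the code area is deliberate: repartitioning legitimately changes the table, so a checker that hashed the whole sector would report every such change as code damage, whereas the table gets its own structural checks instead.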
THE COMMANDS MENU

You can reach the "CoMmands menu" by pressing "M" or alt/M from any of the other primary IM menus.

┌──────────────────────────────────────────────────────╔════════╗──┐
│  Help    Options    Check    Initialize    ReLoad    ║CoMmands║  │
└─────────────────────────────╔════════════════════════╝        ╚═╗┘
                              ║ Temporarily Shell out to DOS      ║
                              ║ Quit - exit Integrity Master      ║
                              ║ Disk change                       ║
                              ║ DiRectory change                  ║
                              ║ Uninstall - delete integrity data ║
                              ╚═══════════════════════════════════╝

Temporarily Shell out to DOS

This allows you to exit IM to the DOS prompt, but leaves Integrity Master loaded in memory so you can quickly return by using the Exit command. Shelling allows you to exit IM and execute most other programs at the DOS prompt (such as copying files or formatting disks).

Disk Change and DiRectory Change

You'll mostly use this menu to change the current disk or directory. (You can also use the "/D" command line option to change to one or more other disks, or use the "/P" command line parameter to start in a different directory.)

Quit - exit Integrity Master

In addition to using the "Quit - exit Integrity Master" option on the CoMmands menu, you can use the ESCape and alt/X keys to terminate IM from any point. The ESCape key allows you to terminate most IM menus without taking any action and return to the prior menu. The only exceptions to this are menus which require a response one way or another. These are usually the result of a detected error of some type. If you press ESCape enough times, IM will ask if you really want to quit. You must select "Yes" and press ENTER to exit.

The fastest way to exit IM is by pressing alt/X (hold the ALTernate key down and press the "X" key). This allows you to quickly exit without the final "Do you really want to quit?" prompt.
Uninstall - delete integrity data

If you have integrity data files in each directory of your hard disk, you can quickly delete these files by selecting Uninstall on the CoMmands menu. If your integrity data is stored on a different disk than the files it describes (such as a floppy), then this option will have no effect.

THE STATISTICS SUMMARY

Whenever you finish checking files, IM will show you a summary of its findings. Since the summary contains a time and date stamp, you can use the report file as a chronological log of all changes on your PC, even if you have it going to the printer. The summary shows statistics for all file changes, as well as system sector and memory checking. IM reports the number of times it checked a file's integrity data against the DOS directory information as "files processed". It also reports a separate count of the number of files actually read and checked.

IM resets all statistics (with the exception of the memory check results) each time after it displays the summary statistics. This means that on subsequent file checks, the system sectors will be indicated as "Not checked" even though they were indicated as checked on the prior display. Why is this? IM does this because some disks are removable, and disk X may suddenly be a different disk.

IM shows the statistics for any viruses, suspicious files, or system corruption (which includes file open and read errors) in red. The item "PC Config.:" displays the results of the "Resident programs and memory" check.

VIRUSES - WHAT ARE THEY?

Viruses are but one of many threats to your data. You are far less likely to be hurt by a virus than by other causes of data damage such as software conflicts and general glitches of various types. Viruses are programs that attach themselves to other programs in such a way that when the other program is executed, the virus code will also execute.
The infected program usually appears to execute normally, but the virus may be attaching itself to additional programs each time the infected program runs. Many viruses are triggered by some event (such as a particular time or date) into an attack phase, resulting in anything from music to serious file damage. Viruses often wait a long time before attacking; their goal is to spread as far as possible before revealing their presence. Some viruses go resident in your PC's memory, taking over your PC. This enables them to infect at will and elude detection attempts.

A virus may attach itself to programs in two ways that many people are not aware of. The first way is to infect the programs that are in the system (boot and partition) sectors of your PC. The second way is by changing system information on your PC so that the virus code is executed before the intended program. The most obvious way to do this depends on the fact that if both a .COM and .EXE file have the same name, DOS will execute the .COM file instead of the .EXE file. Such a virus is commonly called a companion or spawning virus. These viruses locate .EXE files and then plant themselves as .COM files of the same name. The virus (the .COM file) can execute, spread further, and then run the .EXE program so that everything appears normal. (Don't worry; IM detects all types of viruses!) Please read PART TWO -- Data Integrity and Viruses to learn more about viruses.

VIRUS CHECKING PROCEDURE

When you install Integrity Master using SetupIM, the Integrity Advisor will prepare a complete procedure for running IM. If you indicated that you wanted to detect viruses, then this procedure will include the steps you need to check for viruses. This step by step procedure is customized to your own preferences, so be sure to read file IMPROC.TXT first.
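The companion-virus pattern from the previous section can be looked for directly. Here is an added example, not Integrity Master's code: it walks a directory tree and reports every .EXE that has a .COM of the same name beside it, since DOS would run the .COM first. It only reports; deciding whether a pair is legitimate is still up to you. The sample tree it builds in a temporary directory, the file contents and the time stamps are all constructed.

```python
"""Find companion (spawning) virus candidates: a .COM file carrying the same
name as a .EXE file in the same directory, which DOS would run instead of the
.EXE.  Added example, not Integrity Master's code; the tree, file contents
and time stamps below are constructed for the demonstration."""
import os
import shutil
import tempfile
from typing import Dict, List


def find_companion_pairs(root: str) -> List[Dict[str, object]]:
    """Walk root and, for every X.EXE with an X.COM beside it (names compared
    case-insensitively, as DOS does), report both sizes and whether the .COM
    is the newer file.  Nothing is modified or removed."""
    pairs = []
    for dirpath, _, files in os.walk(root):
        by_upper = {name.upper(): name for name in files}
        for upper, exe_name in by_upper.items():
            if not upper.endswith(".EXE"):
                continue
            com_name = by_upper.get(upper[:-4] + ".COM")
            if com_name is None:
                continue
            exe_st = os.stat(os.path.join(dirpath, exe_name))
            com_st = os.stat(os.path.join(dirpath, com_name))
            pairs.append({
                "directory": os.path.relpath(dirpath, root),
                "base": upper[:-4],
                "exe_size": exe_st.st_size,
                "com_size": com_st.st_size,
                "com_newer": com_st.st_mtime > exe_st.st_mtime,
            })
    return sorted(pairs, key=lambda p: (p["directory"], p["base"]))


def _write(root: str, rel: str, content: bytes, mtime: int) -> None:
    """Create a file with constructed content and a fixed modification time."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)
    os.utime(path, (mtime, mtime))


def build_sample_tree() -> str:
    """Constructed tree: DOS holds genuine programs plus one suspicious pair
    (edit.com appeared after EDIT.EXE); UTILS holds an .EXE on its own."""
    root = tempfile.mkdtemp(prefix="companion_demo_")
    _write(root, os.path.join("DOS", "EDIT.EXE"), b"MZ" + bytes(4000), 1_000_000_000)
    _write(root, os.path.join("DOS", "edit.com"), bytes(512), 1_000_500_000)
    _write(root, os.path.join("DOS", "FORMAT.COM"), bytes(300), 1_000_000_000)
    _write(root, os.path.join("DOS", "CHKDSK.EXE"), b"MZ" + bytes(2000), 1_000_000_000)
    _write(root, os.path.join("UTILS", "ARC.EXE"), b"MZ" + bytes(1500), 1_000_000_000)
    return root


def demo() -> List[Dict[str, object]]:
    """Build the tree, scan it, clean up, and return the suspicious pairs."""
    root = build_sample_tree()
    try:
        return find_companion_pairs(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for pair in demo():
        print(f"{pair['directory']}\\{pair['base']}: .COM {pair['com_size']} bytes, "
              f".EXE {pair['exe_size']} bytes, .COM newer: {pair['com_newer']}")
```

A pair where the .COM is small and newer than the .EXE deserves the closest look; programs that genuinely ship both forms do exist, so the report is a prompt for a full integrity check, not a verdict.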
To be certain of detecting even unknown viruses, it is best to cold boot from your write-protected floppy containing IM before checking for viruses. Do NOT use Ctrl/alt/del to boot, but turn your PC off and then on. Some PCs have a reset button that will force a cold boot. (Version three of IM provides an alternative to cold booting by performing a resident program check that will detect memory-resident viruses.)

Whenever you engage in any activity that changes or rearranges many files, run at least a "Quick update", so that your integrity data accurately reflects the status of your PC. Use the Options menu to change the type of integrity checking.

  o With Integrity "CHECK ON", do a full integrity check (rather than a "quick update") of all files at least once a month to detect any unexpected changes.

  o If your work exposes you to programs that may be infected with viruses, do a daily full check of your disk for any unauthorized changes. To save time, use the Options menu to limit checking to executable programs. Check at least the current directory if you have executed any new or "strange" programs.

  o After installing any new software, IMMEDIATELY run IM to initialize the integrity data for the new files you have created. Be sure that you save a write-protected disk containing a copy of the software. It is vital that you do this before you start to use the software.

  o It is worth doing some extra checking any time you copy programs (e.g., *.EXE or *.COM files). When you copy programs, copy your integrity data also. For example, if you are doing something like a "COPY *.EXE D:\DOS", then also enter a command to copy the integrity data to "D:\DOS". (If you're not sure what the names of your integrity data files are, check your IMPROC.TXT file or select "Integrity data options" on the SetupIM Change menu.)
    If you simply copy all files (COPY *.*), then you won't have to worry; the integrity data will automatically be copied along with the programs. Afterwards, run IM to check that the files were copied without damage or virus infection. Naturally, IM will report any files that weren't copied as deleted when you run this check.

SCANNING FOR VIRUSES

To quickly do nothing but scan one or more disks for known viruses:

  o Use the CoMmands menu or the "/Dx" command line parameter to change to the drive you want to scan.

  o Use the Options menu to turn the report off or to set the report to go to the printer or your hard disk.

  o From the Check menu choose "Disk for known Viruses". Press ENTER and select either "One-time scan of disk" or (if you're planning to check several floppies) "Check Multiple diskettes".

  o Some viruses will create a boot sector that can hang DOS or Windows. If your PC should freeze while checking a diskette, then reboot and select "Scan floppy Boot sectors" from the "Disk for known Viruses" menu. This will check the diskette without using DOS.

  o This scans the first disk. When you see the display summarizing the results of the scan, insert the next diskette and press ENTER to scan that diskette, or press ESCape if you're done scanning.

You can also use the command "IM /Dx /VM" to scan multiple diskettes in drive x. Use "/VO" rather than "/VM" to scan only one diskette. IM will return a DOS error level of 64 or greater if it detects a known virus, so you can have a batch file do automated scanning. We provide some batch files that do this for you and serve as samples for using IM in your own batch files:

IMSCAN.BAT
    This batch file allows you to scan files on an entire disk or a specific directory on a disk and all lower subdirectories. For example, to scan files on disk C, type "IMSCAN C:" or, to scan subdirectory DOS and all lower directories (e.g., \DOS\UTILS), type "IMSCAN \DOS".
    If you don't want to check memory each time, include a "/B" (e.g., "IMSCAN \DOS /B").

IMSCAND.BAT
    This allows you to scan a specific subdirectory. You can specify just the subdirectory or both the subdirectory and the disk (e.g., "IMSCAND C:\PCB\UPLOADS").

IMSCANM.BAT
    Allows you to scan multiple diskettes for known viruses. After each diskette, IM will prompt you to insert another.

IMQ.BAT
    Does a check in "Quick Update" mode of your current disk. This scans memory and the system sectors for known viruses and then checks only the files that have changed, providing a very fast way to check an entire disk for known viruses. This also keeps your integrity data current for all files so that you are up-to-date in case of a problem. If you want to specify a different disk to check, you must use the "/Dx" command line switch (e.g., "IMQ /DCF" will check both drive C and drive F).

IMONCE.BAT
    Uses RunMaybe to run a "Quick Update" once a day. This is the fastest way to make sure your disk stays clear of viruses.

IMAUTO.BAT
    Will create a backup copy of your AUTOEXEC.BAT file and then modify it to include the once-a-day "Quick Update" from IMONCE.BAT. This way your PC will get a daily quick check.

To scan a disk for known viruses AND to get data integrity protection:

  o Use the Options menu and set the "Files to iNitialize" option to "Executable programs."

  o Use the Initialize menu to initialize "Entire disk integrity".

The command line options /VA, /VB, /VM, /VO, /VR, and /VL are available for scanning. Remember that virus scanning will detect only viruses known at the time this program was written. As with any scan program, you should have the latest version if you intend to rely upon scanning for serious protection.

SCANNING DISKETTES

If you have detected a boot sector virus on your hard disk, you will want to scan all your floppy diskettes for infected boot sectors.
To do this, select "Disk for known Viruses" (from the "Check" menu), then select "Scan floppy Boot sectors", or just start IM with the "/VB" command line option. This will allow you to quickly scan diskettes (bypassing DOS) and remove any viruses found. Using this option, you can scan diskettes that contain boot sectors that are unreadable by DOS (or which will cause DOS to crash).

QUICK SCANNING

Integrity Master provides an ultra-fast way to effectively perform a full scan of your hard disk. We call this "Quick scanning". Quick scanning is only possible on disks where you have allowed IM to perform an initialize to establish initial disk integrity. Once you have initialized a disk, you can ask IM to check in "quick update" mode. This fully checks only files that show signs of changes or that have been added. This is not as effective as running Integrity Master in its normal mode, which provides full integrity checking, but it provides scanning as effective as that provided by any of the other scan programs and runs much, much faster. These types of checks are so fast that most users don't mind including a daily scan. One way to make sure this happens regularly is to execute IMAUTO. This will modify your AUTOEXEC.BAT so that IM runs in quick update mode once a day.

Take a look at the IMQ batch file or follow these steps to do a quick scan:

  o Choose a disk on which you have run an "IM initialize" at some point in time. (This initialize need not be recent.) Use the CoMmands menu or the "/Dx" command line parameter to change to the drive you want to scan.

  o Use the Options menu or the "/Q" command line parameter to place IM in "quick update" mode.

  o Now run a check of this disk. If you do this frequently, you can check even a very large disk very quickly.

The command "IM /Q /N /DCD" would very quickly scan disks C and D as well as provide a report of any changes.

SCANNING UPLOADS

You can use IM to scan uploads to your BBS.
The command "IM /VR /ND /B" will scan the current directory, or "IM /VR /ND /B /Pxxxx" will scan the directory (and/or disk) specified by xxxx. If your upload processor provides a filespec like "*.*" or "*.COM", you do not need to feed it to IM on the command line. However, if it does, you can include it as the first parameter (e.g., "IM @FILES@ /B /VR /ND"). IM returns an ERRORLEVEL of 64 or greater if it finds a virus.

SCANNING .ZIP FILES FOR VIRUSES

We provide some utilities that automate scanning of zip compressed files. File scanzip.zip contains these .bat files. You can use the unzip.exe program that is on the IM distribution diskette to extract the contents of scanzip.zip. Read or print file READMEZ.TXT for directions on how to scan a single .zip file or a complete disk of .zip files. These utilities require the use of program PKunzip to decompress the .zip files. READMEZ.TXT also explains how to process other archive types such as ARJ.

DETECTING VIRUSES

  o Make sure that you specified that you wanted virus protection when you installed IM. If you didn't, then run SetupIM and select "Reinstall".

  o For maximum protection, make sure that you carefully followed SetupIM's instructions in IMPROC.TXT (created only when you do a full install with SetupIM).

  o If a virus is found on your PC, IM will almost always recognize it by name and explain how to remove it. IM will also advise if viral signs are present on changes that don't match known viruses.

  o Whenever IM reports a change to an executable program, it's important to discover the cause. Some programs modify themselves when you change their options; some programs change themselves every time they run. Changes to executable programs are indicated in red on the report screen and are bracketed by "...." to make these changes obvious.

  o If only a single program has changed and IM does not reveal this to be corruption, then you probably do NOT have a virus.
    If you have any doubt that a program change may be a virus, be very careful and run full checks with IM after executing this program. (Cold boot (power off and on) from a floppy before running IM.) Any program changes detected at this point indicate a virus. Please report this (see file VIRREP.TXT for complete details on reporting viruses).

  o For speed, use the Options menu to limit checking to executable files.

DETECTING UNKNOWN (NEW) VIRUSES

IM has the capability to detect infection by an unknown (new) virus as well as the ability to identify known viruses and their characteristics. If IM detects an unknown virus, it clearly can't provide the detailed information that it provides when it detects a known virus. Because of some of the generic detection techniques used in IM, there's a good chance that it will identify and describe a new virus. How is this possible? This is only possible if the virus is not totally new but a modification of an existing virus. In this case, IM may identify the "new" virus as a virus it knows about, because someone created the new virus by simply making some changes to an existing virus. (Most "new" viruses are created in exactly this way.) IM will usually notice the code from the old virus still present in the new virus and identify it in this way.

What about totally new viruses? These are a little more work to identify. In this case, IM will inform you that it has detected a change in a file or a system sector, but won't announce that a virus is present unless it's similar to a known virus. How do we decide whether a virus is responsible for the detected change? Consider the following factors:

  o Has IM identified virus-like symptoms with this change? Such symptoms include an unusual value in the DOS time or date stamp, and file corruption detected (no change to the time and date stamp but a change to the file).

  o Are numerous unrelated executable files changed?
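Both questions above, together with the full versus "quick update" modes described under Quick Scanning, can be turned into a small checker. The following is an added example, not Integrity Master's code or its integrity-data format: it initializes a baseline of size, date/time stamp and content hash for every file in a tree, then checks in full or quick-update mode, flags a file whose content changed while its stamp did not, flags a stamp that is impossible for DOS (before 1980) or lies in the future, and counts changed executables across directories. The list of executable extensions, the "numerous unrelated files" threshold and the sample tree are this example's own choices.

```python
"""A small integrity checker in the spirit of the guide: initialize a
baseline of every file's size, date/time stamp and content hash, then check
in full or "quick update" mode and flag the virus-like symptoms discussed
above.  Added example, not Integrity Master's code or data format: the
executable extensions, the "numerous unrelated files" threshold and the
sample tree are this example's own choices."""
import hashlib
import os
import shutil
import tempfile
import time
from datetime import datetime
from typing import Dict, Optional, Tuple

EXECUTABLE_EXT = {".EXE", ".COM", ".SYS", ".OVL", ".DLL", ".BIN"}   # assumed list
FAT_EPOCH = datetime(1980, 1, 1).timestamp()   # a DOS date stamp cannot precede 1980
Record = Tuple[int, int, str]                   # (size, stamp in seconds, sha256)


def file_record(path: str) -> Record:
    """Read the file and record its size, whole-second stamp and hash."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        return (st.st_size, int(st.st_mtime), hashlib.sha256(fh.read()).hexdigest())


def initialize(root: str) -> Dict[str, Record]:
    """The equivalent of an 'Entire disk integrity' initialize for one tree."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_record(path)
    return baseline


def check(root: str, baseline: Dict[str, Record], quick: bool = False,
          now: Optional[float] = None) -> Dict[str, object]:
    """Full mode reads and hashes every file.  Quick-update mode hashes only
    files whose size or stamp differs from the baseline: much faster, but
    blind to a change that leaves the directory entry alone."""
    now = time.time() if now is None else now
    added, changed, seen = [], [], set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            seen.add(rel)
            old = baseline.get(rel)
            if old is None:
                added.append(rel)
                continue
            st = os.stat(path)
            stamp_same = (st.st_size, int(st.st_mtime)) == old[:2]
            if quick and stamp_same:
                continue                      # trusts the unchanged directory entry
            new = file_record(path)
            if new == old:
                continue
            symptoms = []
            if stamp_same:
                symptoms.append("content changed but date/time stamp unchanged")
            if new[1] < FAT_EPOCH or new[1] > now + 86400:
                symptoms.append("unusual date/time stamp")
            changed.append({"file": rel, "symptoms": symptoms,
                            "executable": os.path.splitext(rel)[1].upper() in EXECUTABLE_EXT})
    changed_exes = [c["file"] for c in changed if c["executable"]]
    exe_dirs = {os.path.dirname(f) for f in changed_exes}
    # Assumed threshold for "numerous unrelated executables": 3 files in 2 directories.
    many_unrelated = len(changed_exes) >= 3 and len(exe_dirs) >= 2
    return {"added": sorted(added), "deleted": sorted(set(baseline) - seen),
            "changed": changed,
            "virus_like": many_unrelated or any(c["symptoms"] for c in changed)}


def _write(root: str, rel: str, content: bytes, stamp: int) -> None:
    """Create a file with constructed content and a fixed date/time stamp."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)
    os.utime(path, (stamp, stamp))


def demo(quick: bool) -> Dict[str, object]:
    """Constructed scenario: initialize a tree, then apply four kinds of
    change and run a check in the requested mode."""
    root = tempfile.mkdtemp(prefix="im_demo_")
    try:
        for rel, content in {"DOS/CHKDSK.EXE": b"MZ-chkdsk", "DOS/FORMAT.COM": b"format",
                             "UTILS/ARC.EXE": b"MZ-arc", "UTILS/README.TXT": b"hello",
                             "DATA/NOTES.TXT": b"notes"}.items():
            _write(root, rel, content, 1_000_000_000)
        baseline = initialize(root)
        _write(root, "DATA/NOTES.TXT", b"notes v2", 1_000_000_100)   # ordinary edit
        _write(root, "DOS/CHKDSK.EXE", b"MZ-chkdsX", 1_000_000_000)  # same size, stamp restored
        _write(root, "UTILS/ARC.EXE", b"MZ-arc+more", 160_000_000)   # stamp from 1975
        _write(root, "DOS/NEW.COM", b"new", 1_000_000_000)           # added file
        os.remove(os.path.join(root, "UTILS/README.TXT"))            # deleted file
        return check(root, baseline, quick=quick, now=1_000_000_200)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for mode in (False, True):
        result = demo(quick=mode)
        print("quick" if mode else "full ", [(c["file"], c["symptoms"]) for c in result["changed"]])
```

Running both modes on the same scenario shows the trade-off the guide describes: the full check catches CHKDSK.EXE, whose content was replaced with the stamp put back, while the quick update trusts the unchanged directory entry and skips it; both modes flag ARC.EXE because its 1975 stamp is impossible for a file written today. On a real FAT volume a stamp with a seconds field of 60 or 62 would be another unusual value worth flagging, but such a value cannot be represented on the filesystem this example runs on, so it is not checked here.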
If the answer to one or both of these questions is "yes", then it's time to do some more checking to see if it's really a virus. Please read the section on Virus Signs and Playing Detective in Part Two - Data Integrity and Viruses. Following these procedures will let you determine if you have encountered a brand new virus (lucky you!). If you have encountered a virus, or you are not sure, please contact us; see file VIRREP.TXT for details on reporting viruses.

THE INTEGRITY MASTER VIRUS REPORT

When IM detects a known virus, it will optionally present at least one full screen of information. The virus report screen gives you the following information:

  o The name of the virus. This is usually the CARO (Computer Antivirus Research Organization) name or the name used by the UK's Virus Bulletin, but in some cases we use an abbreviated or more common name. This name corresponds to an entry in file VTEXT.TXT. Many viruses have been built as modifications to existing viruses. By identifying common (hard to change) code elements in the base virus, IM can identify multiple viruses by spotting their common characteristics. This means, for example, that if IM reports the Jerusalem virus, it could also be the Anarkia, Anarkia-B or the Payday virus. Since viruses go by many names, alternate names for the same virus are listed in this table too.

  o IM lists the type of files or system sectors infected by this virus.

  o If the virus is known to seriously interfere with normal operation of your PC, this is mentioned. We don't classify messages, bouncing balls, or music as serious interference. We do consider slowing execution of your PC or halting the system as serious.

  o IM will mention if the virus is known to either deliberately or inadvertently damage data on your disk. Beware though, some idiot could, at any point in time, modify a previously harmless virus to do something destructive.
An example of this is the Cascade virus (letters cascade down on your screen when this virus activates). The first version of this virus was harmless, but someone created a variant that will format your disk. In this case, IM makes a special check for the dangerous variant of the virus and warns you if it's detected. In spite of this, please, NEVER assume that a virus is harmless. If we don't mention that a virus is known to damage files, it means only that no one has reported damage from this virus. Be careful; you may have a variant of the virus that might very well be dangerous!

  o IM presents step-by-step removal instructions for the virus as well as the option of automatic removal.

Sometimes IM presents additional screens describing necessary or suggested actions. This is true if the virus is detected in memory. When IM first starts, it checks the memory of the PC for the presence of known viruses (unless you deactivate this check using SetupIM or the "/B" (bypass) command line parameter); if IM detects a virus, it will ask you to immediately cold boot your PC. Checking further at this point could be very dangerous since it might spread the virus.

If IM detects a special virus such as a companion or cluster virus (see PART TWO for details), it will display an extra screen identifying that virus along with more detailed information about the virus.

FALSE ALARMS

If IM announces detection of a known virus, could this be a false alarm (not really a virus)? If IM has checked this file before or if it has found more than one file infected, then you very likely have a REAL VIRUS! If this is the first time that IM checked this file, and if it found only one file infected after checking your entire disk, then it's probably a false alarm (unless this file is COMMAND.COM or one of the programs provided with DOS). There is always some risk that a legitimate program might contain code that matches a virus.

IF YOU THINK YOU HAVE A FALSE ALARM, PLEASE NOTIFY STILLER RESEARCH. WE WILL DETERMINE IF A VIRUS IS PRESENT; IF IT IS A FALSE ALARM, WE WILL, IF POSSIBLE, SEND A CORRECTED VERSION OF IM.

Some anti-virus programs contain unencrypted virus fragments that IM may detect. It's usually safe to assume these programs are not infected. Some of these programs also leave virus fragments in memory that IM may then detect and announce as a memory resident virus. Please do not take any chances in such a case and follow IM's instructions to cold boot, even though it's likely to be a false alarm.

If you have just read an infected disk or a file, there is a chance that IM may detect a piece of this file in memory and announce a resident virus when one really isn't resident. In such cases, it's best to play it safe and cold boot from a write-protected diskette.

DESTROYING VIRUSES

If IM detects a known virus, it will display the steps to remove the virus and offer to remove it automatically. If IM detects program or system sector changes that may be due to a virus, please follow these steps:

  o Save at least one infected diskette or file and report this to us. This will allow us to update IM to recognize this virus and hopefully track down the source of the virus! See file VIRREP.TXT for complete details.

  o Cold boot your PC (power off and on) from a write-protected floppy disk.

  o Run an "Entire disk integrity" check, noting any changed programs or other possible damage by the virus.

  o You can allow IM to remove the virus or follow its directions to remove the virus manually. Restore infected files from the original program diskettes if possible.

  o Reload your system sectors if they were damaged.

  o Restore any damaged files or programs from the original diskettes if possible.

  o Very carefully check any floppies you've used. If you have encountered a system sector virus, use the /VB command line option to quickly scan your floppies.

  o Run an "Entire disk integrity" check daily for a while.
DATA CORRUPTION

If a program changes a file by normal means, the file's time and date stamp will be updated to reflect this change. On the other hand, if a virus or a hardware or software problem causes a file to be changed, there is often no change to the file's time and date stamps. IM calls this file corruption and raises a special alarm if it detects this.

If you find a corrupted file, the odds are it's NOT a virus. The most likely cause of corrupted files is software conflicts. The next most common cause is hardware problems. In any case, if you have a corrupted file, it's essential you find what the cause is. In Part Two - Data Integrity and Viruses, I have a chapter titled Determining the Cause of Data Corruption. Please read that chapter very carefully when you detect a corrupted file. The next section describes using IM when you are having suspected disk hardware problems.

INTEGRITY MASTER AND DISK PROBLEMS

It's an unfortunate fact of life that all disk drives will eventually fail; sometimes at the worst possible moment! Before disk drives totally fail, they usually start exhibiting signs of problems, such as inability to reliably read and write certain areas on the disk. Unfortunately, these failures tend to be intermittent. The result may be that you have damaged files, but when you run your disk diagnostic software, no problems are found. By using IM to do periodic full checks, you can detect these problems when they first begin and prevent more major disk problems, such as total failure, from taking you by surprise.

If you have an MFM, RLL, or ESDI type of disk drive you probably can extend its life slightly by doing a low level format, or using a product such as Steve Gibson's SpinRite(R) that can do a nondestructive low level format. The key here is to detect disk problems early before any serious damage is done.

IM replaces the DOS critical error handler with its own more advanced routine.
If a disk error occurs, you will see a warning screen explaining what has happened, rather than the dreaded "Abort, retry, or fail" message that DOS provides. IM may also present a menu offering you additional options (depending upon the type of error and the circumstances) such as repeating (retrying) the operation.

If an error occurs while IM is checking files, it will report either "Read fail" or "Open fail" in place of the normal signature data on its report:

                    Name and     Signature   File     Update   Update
  Status:   Type:   Extension:   Val1: Val2: Size:    Date:    Time:
  -------   -----   -----------  ----- ----- -------- -------- --------
  Added     File    NORMAL  EXE  0D83  4E93      2048 11/05/93 14:00:56
  Added     File    DISKERR EXE  Read fail     140792 11/05/93 14:01:02
  Added     File    CANTOPN FIL  Open fail        123 10/05/93 10:11:20

In addition to "Read fail" or "Open fail" appearing in the IM report, additional information regarding the type of error will also appear and be recorded in the report file (or printout) as well as in the on-screen report.

Whenever IM encounters an error reading a file, it will NOT replace the original integrity data with the current (in error) data. This means that if you have a read error on a file, and you either "fix" the file using some utility or restore the file from a backup, you can then run a check on that file and know whether or not your file was correctly restored.

If you run IM in an environment where more than one program can have a file open, you may get an "Open fail" or "IO error" due to another program having this file open. This can happen on networks (LANs), with OS/2, or with Windows. When this error occurs, you will see a detailed explanation along with a menu offering several options. We recommend you select the option to ignore any further open errors; this way you will still see detailed information on any other problems discovered by IM.
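Because the "Read fail" and "Open fail" rows carry no check values, anything that reads an IM report file has to treat them as a separate case from normal rows. The following Python code is an added example, not part of Integrity Master or its documentation: it parses rows shaped like the table above, lists the files whose signature could not be computed (the ones to re-check after a restore), and looks up the rows for one file name. The embedded report is constructed for the example, and it assumes that the status and type fields are single words and that name and extension are separated by whitespace, as in the table.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample report, modelled on the table in the text (not output
# captured from the real program).
SAMPLE_REPORT = """\
                    Name and     Signature   File     Update   Update
  Status:   Type:   Extension:   Val1: Val2: Size:    Date:    Time:
  -------   -----   -----------  ----- ----- -------- -------- --------
  Added     File    NORMAL  EXE  0D83  4E93      2048 11/05/93 14:00:56
  Added     File    DISKERR EXE  Read fail     140792 11/05/93 14:01:02
  Added     File    CANTOPN FIL  Open fail        123 10/05/93 10:11:20
"""


@dataclass
class ReportEntry:
    status: str
    kind: str
    name: str                 # "NORMAL.EXE"
    val1: Optional[str]       # None when no signature was produced
    val2: Optional[str]
    error: Optional[str]      # "Read fail" or "Open fail", else None
    size: int
    date: str
    time: str


# One data row: status, type, name, extension, then either two 4-hex-digit
# check values or an error phrase, then size, date and time. Header and
# underline rows do not match because their fifth field is neither.
ROW_RE = re.compile(
    r"^\s*(?P<status>\S+)\s+(?P<kind>\S+)\s+(?P<name>[^\s.]+)\s+(?P<ext>\S+)\s+"
    r"(?:(?P<val1>[0-9A-F]{4})\s+(?P<val2>[0-9A-F]{4})|(?P<error>Read fail|Open fail))\s+"
    r"(?P<size>\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+(?P<time>\d\d:\d\d:\d\d)\s*$"
)


def parse_report(text: str) -> List[ReportEntry]:
    """Return one ReportEntry per data row; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        entries.append(ReportEntry(
            status=m["status"], kind=m["kind"],
            name=f"{m['name']}.{m['ext']}",
            val1=m["val1"], val2=m["val2"], error=m["error"],
            size=int(m["size"]), date=m["date"], time=m["time"]))
    return entries


def unverified_files(entries: List[ReportEntry]) -> List[str]:
    """Files whose integrity could not be verified (read or open failed)."""
    return [e.name for e in entries if e.error is not None]


def entries_for(entries: List[ReportEntry], filename: str) -> List[ReportEntry]:
    """All rows for one file, compared case-insensitively as DOS would."""
    return [e for e in entries if e.name.upper() == filename.upper()]
```

Running `unverified_files(parse_report(SAMPLE_REPORT))` on the constructed report returns the two files with "Read fail" and "Open fail"; `entries_for` is the building block for searching a set of report files for a particular name.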
You can avoid this error display and most others by using the "/NE" command line parameter (pause on emergencies only).

INTEGRITY MASTER FOR PC SECURITY

Although there are no 100 percent reliable techniques to prevent someone from making unauthorized changes to your data while you are away, IM does offer a reliable way of detecting these changes. If you specified that security was important when you first executed SetupIM, its Integrity Advisor will make recommendations on how to use IM to get the level of protection you need. It saves these recommendations in file IMPROC.TXT.

By storing your integrity data on diskettes and keeping these diskettes in a safe location, you can detect any changes that occur on your PC. This should provide you protection even against a user who understands how IM works and is technically adept. For most situations this is probably overkill! (Using variably named integrity data files and using your own name and location for your IM.PRM file will stop all but the most determined intruder.)

Keeping the integrity data on diskette may provide more protection than you need. Simply keeping your parameter file (IM.PRM) on a diskette will provide a very high level of protection. Since a user breaking into your PC will not be able to tell how the integrity data is computed, this user will not be able to change a file and then adjust the integrity data to hide the changes, even if they have a copy of the IM program. This provides almost as much protection as keeping the integrity data on diskettes. You can ask SetupIM to make the names of your integrity data files variable (each file will have a different name) so that it is even more difficult for someone to attack your integrity data.

If you keep the parameter file on the same disk with the files you check, it's possible that someone could modify your files and then run IM to update the integrity data, in this way covering their tracks.
This person would obviously have to have enough knowledge about your PC to know that you use IM. If you'd like to keep your parameter file on the diskette with your files, you can still achieve a high degree of security by renaming IM.PRM and locating it in an unlikely directory. When you invoke IM you will have to specify the name of the directory and the new name for the parameter file. For example, the command:

  IM D:\DOS\UTILS\BORING.DAT

will read the IM parameter information from file BORING.DAT in directory \DOS\UTILS on disk D.

INTEGRITY MASTER FOR CHANGE CONTROL

To use IM for change management, you really don't need to use integrity checking. Simply running IM in "Quick update" mode (which does not actually read files unless the DOS time/date stamp or file size have changed), is adequate to provide change management. "Quick update" mode only requires about 10 to 20 seconds to check about 1,000 megabytes (9000 files).

To keep a full record of what has changed on your PC, I recommend you use "auto-named" report files and that you keep all your report files. At the end of the year, you may wish to copy all the old report files into a directory for that year. For example, on January 1, 1996:

  CD \IM_Home      (or "CD \" if not using "home directories")
  MD REP96
  COPY *.REP \REP96
  DEL *.REP

This creates a directory called "\REP96", copies all report files to that directory, and then deletes the old report files. By following this procedure you have a complete record of all changes on your PC. If you want to know when a particular file last changed, it's easy to search through the report files for that filename. If you want to know where all your disk space is going, you can go back and see which files were added or which files grew.
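The PC security section above rests on one point: someone who can read every file on the disk, and even has a copy of IM.EXE, still cannot recompute the integrity data without the parameter file. The following Python code is an added illustration of that principle and not IM's own algorithm (which this manual does not describe): each file's signature is an HMAC keyed with a secret that stands in for IM.PRM, so a user who alters a file and rewrites the integrity data with a key of their own is still caught at the owner's next check. The file name, its contents and the temporary directory are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import tempfile


def file_signature(path, key):
    """Keyed signature of a file's contents; 'key' plays the role of IM.PRM."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def initialize(paths, key):
    """Build the integrity data for the given files (the "Init" operation)."""
    return {os.path.basename(p): file_signature(p, key) for p in paths}


def check(paths, key, integrity_data):
    """Return the names of files whose stored signature no longer verifies."""
    flagged = []
    for p in paths:
        name = os.path.basename(p)
        expected = integrity_data.get(name)
        actual = file_signature(p, key)
        if expected is None or not hmac.compare_digest(expected, actual):
            flagged.append(name)
    return flagged


def demo():
    """Constructed scenario: the integrity data stays on the disk, the key does not."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "PROG.EXE")          # hypothetical file name
    with open(target, "wb") as f:
        f.write(b"original program image")        # constructed sample content
    owner_key = secrets.token_bytes(32)            # the "parameter file on a diskette"
    data = initialize([target], owner_key)
    if check([target], owner_key, data):
        raise RuntimeError("fresh integrity data must verify")

    # Someone with a copy of the checker, but not the key, alters the program
    # and "updates" the integrity data on the disk using a key of their own.
    with open(target, "wb") as f:
        f.write(b"modified program image")
    data.update(initialize([target], secrets.token_bytes(32)))

    # The owner's next check, run with the real key, still flags the file.
    return check([target], owner_key, data)
```

`demo()` returns the list of flagged names, here just the altered PROG.EXE. The same structure explains why renaming IM.PRM and hiding it in an unlikely directory only slows an intruder down, whereas keeping it off the disk removes the key entirely.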
INTEGRITY MASTER FOR LAPTOP CONFIGURATION

If your organization lends laptop PCs to its employees or customers then you should consider using Integrity Master to assure that the laptops are correctly configured and ready for the next person to use. If you use IM to check the integrity of the laptop when it is returned you can make sure that no files are missing and any changed files are restored to their original form. This way you know not only that the laptops are free of viruses but that all the installed software is ready to go the next time someone needs to use the laptop. (For absolute security you can use SetupIM to configure IM to record the integrity data on floppy; this way there is no risk of the laptop user deleting the integrity data files on the hard disk.)

Command Line Execution

Integrity Master is really designed to work by use of its menus. However, most functions can be automatically invoked from the command line to allow you to start IM from batch files.

Syntax:

  IM Fspec /A /B /C /Cx /Dxyz /F /H /Ix /L /M /Nx /NOB /Ppath /Q /Rx /REPA /RF=filespec /Vx /1

==========================================================================

FSpec     specifies the name of the parameter file to be used. It's best to specify the disk and directory path as part of the filespec. For example: use "IM C:\dos\NEW.PRM" rather than "IM NEW.PRM". If you don't use this option, IM will search for file "IM.PRM", looking first in the current directory, then in the directory with the IM program (IM.EXE), and finally in the root directories of all available disks.

--------------------------------------------------------------------------

"/Dxyz"   Change to disk "x", process and then change to disk "y", etc. If used with more than one disk, this should be used with one of the "/Cx", "/Ix" or "/Vx" parameters. You may also use the "/Dx:y:z:" form.

"/Ppath"  Change to directory (and optionally disk).
          If you specify a disk here, you can't also use the "/Dxyz" parameter. (e.g. "/P\dos" or "/Pc:\dos")

"/1"      Only "1 line" virus reports. Turns off the detailed virus descriptions.

"/B"      Bypass memory check.

"/F"      Forces full integrity checking if quick update is set as the default.

"/H"      (or /?) produces this help display.

"/NOB"    No Beep. Disables sound.

"/NA"     No Abort - disables the ESCape and ALT/X keys during checking.

"/N"      Nonstop: the same as setting "Halt" to "Serious problems" on the Options menu. IM will stop only on viruses or serious problems.

"/NE"     Stop on Emergencies only. This almost never stops.

"/ND"     Stop on Emergencies only with no screen display (unattended execution).

"/Q"      Forces IM to run in "Quick update" mode.

"/REPA"   Report all. When scanning, IM lists all files scanned for viruses. When initializing, IM lists all files processed on the report file.

"/MS#"    You can use the command line /MS# option (or SetupIM) to vary the sensitivity of IM to resident program configuration changes. The sensitivity can be set from 0 to 9. 0 turns the check off, and 9 provides maximum sensitivity to changes. /MS4 is the default (and recommended) setting. /MS9 is useful for researchers and on systems where there should be no software changes at all.

"/RF=filespec"  Writes the report to "filespec" (can include disk + path). (The form /RF:filespec is also valid)

"/MF=XXXX.SRL"  Specifies the file used by the "Resident programs and memory" check command.

-----------------------------------------------------------------------------

/Cx values: do type "x" integrity check and then quit:

"/CE"  Check Entire disk integrity.
"/CB"  Check Boot sector.
"/CD"  Check all files on DOS disk.
"/CP"  Check Partition sector.
"/CR"  Check files in this diRectory.
"/CF=filespec"  Check this one File. (The form /CF:filespec is also valid)
"/CL"  Check this + Lower directories.
"/CC"  Check CMOS memory.
"/CM"  Check resident programs and memory.

-----------------------------------------------------------------------------

/Ix values: do type "x" initialize of integrity data and then quit:

"/IE"  Init Entire disk integrity
"/IB"  Init Boot sector
"/ID"  Init all files on DOS Disk
"/IP"  Init Partition sector
"/IR"  Init files in this diRectory
"/IC"  Init CMOS
"/IL"  Init files in the current directory and all lower directories

------------------------------------------------------------------------------

/Vx options scan system sectors and files for signs of known viruses:

"/VA"  Scan ALL files on a disk (not just executables).
"/VB"  Scan only floppy disk boot sectors. This allows rapid screening of floppies for boot sector viruses and access to (otherwise unreadable) floppies that crash DOS.
"/VM"  Virus scans of multiple diskettes - only 1 key-press needed per disk.
"/VO"  One-time virus scan of programs on current disk.
"/VR"  Scan of programs in current directory.
"/VL"  Scan of programs in current and lower directories.

------------------------------------------------------------------------------

/Rx values will rewrite or reload one of the system sectors:

"/RP"  Reload Partition sector
"/RB"  Reload DOS Boot sector
"/RE"  Rewrite partition Executable code
"/RF"  Rewrite Floppy boot sector

------------------------------------------------------------------------------

The following /Ux options control when IM updates its integrity data files:

"/UN"  Update integrity data NEVER. When you run a check IM will not update your integrity data files (even for added or deleted files).
"/UO"  Update off. IM will not update integrity data for changed files.
"/UP"  IM will not update integrity data for changed programs.
"/UA"  Update activate - update integrity data (default).
------------------------------------------------------------------------------

The following may be used to override the video mode selected during install:

"/A"  Auto adjust of video mode.
"/L"  Use colors for older LCDs.
"/C"  Force use of full color mode.
"/M"  Use monochrome colors.

Ordinarily, you don't need ANY parameters. Just enter: "IM". IM is menu driven with lots of on-line help. The command line parameters are most often used for automatic unattended integrity checking. If you don't have "HALT" set to "Serious problems" or "Emergencies only" (on the Options menu), use "/N" (or "/NE") to avoid pausing for input.

If you wish to have IM automatically locate your parameter file, DO NOT specify it on the command line. If you specify it on the command line and it is not located in the current directory, then you must include the drive and directory of the parameter file along with the name.

Examples:

"IM /L /CE /DEF"       Uses colors appropriate for an older (CGA type) LCD display and checks the system sectors as well as all files on disk E and then changes to disk F and repeats the check there.

"IM /IR"               Creates new integrity data for files in this diRectory.

"IM /CF=A:\X\IO.SYS"   Checks the file IO.SYS in directory \X on disk A:.

"IM D:\IO\X.PRM /CD"   Checks all files in the current disk using options saved in the parameter file "X.PRM" located in "D:\IO".

"IM /RF /DA"           Writes a self-checking boot sector onto disk A:.

We've provided some sample batch files that illustrate ways to automatically execute IM. See the descriptions listed under "Scanning for Viruses" earlier.

Here are the steps to execute IM automatically in unattended (batch) mode:

  o Use the Options menu to activate the report file. Save this change by selecting the first option on the Options menu, "Write option changes to disk." (Or use the "/RF=" command line parameter.)

  o Either set the halt options to "Serious problems" (on the Options menu) or use the "/N", "/ND" or "/NE" command line parameters.
(e.g., "IM /ND"). Integrity Master (tm) - 40 - Version 3.21 o Prepare the IM command line to do the type of checking that you want. For example: "IM /N /DFG /CE" will run nonstop on disk G and check the entire disk (/CE), including system sectors. o You may wish to add IM to any batch file that you run regularly, such as a nightly backup batch file. You can use RunMaybe with IM to give you control over how often IM runs. ERROR LEVELS Integrity Master returns the following DOS error levels. You can check for these error levels in a batch file and execute your own special procedures depending upon IM's findings. One of our beta testers has their PCs automatically phone their help desk if an error level 24 or greater is encountered. 00 Processing complete with no changes detected 08 Checking complete with added or deleted files detected 12 Checking complete with changed files detected 16 Checking complete with changed programs detected 24 Checking complete with suspicious file changes detected 32 Checking complete but a file or system sector showed signs of corruption or an I/O error. This will be in addition to any of the lower valued indicators such as change to a program. So if a program changed, the error level would be 16 + 32 = 48. 64 One or more viruses were detected. Any of the lower status indicators will be included with this one. 128 If a vital IM file is determined to be missing or damaged 192 A fatal error occurred during execution, such as not enough memory or a disk error in internal processing. 200 Command line error (an error in IM's "/" parameters). USING IMCHECK IMCHECK.EXE is a fast stand-alone file checker. It will read whatever files you specify and compute signature data similar to what Integrity Master uses as part of its integrity data. If you print the IMPROC.TXT file created by SetupIM, you will see the check values that IMcheck should report for IM.EXE and IMcheck itself. 
The syntax is:

  IMCHECK [d:] [path] filename [/D] [/1] [/2]

"filename"  specifies the files to check. Wild card characters such as * or ? may be used.
"/D"        Display directory entries as well as files.
"/1"        Utilize an alternate algorithm for check value one.
"/2"        Utilize an alternate algorithm for check value two.

Entering IMCHECK with no parameters will display an explanation of how to use IMcheck. For example:

  IMCHECK D:\DOS\TEST.*

would check all files in the DOS directory on disk D: whose names begin with "TEST". (e.g., TEST.COM, TEST.ABC, etc.)

IMcheck can be very handy when you send files to others and you want to make sure that they got a good copy of your files. Simply run IMCHECK on your files. You will see a report like:

  IMCHECK 1.2 - Integrity Master (TM) standalone file checker.
  Copyright 1990-1991 by Wolfgang Stiller - all rights reserved.

  Checking: MYFILE.*

  File Name +   Check  Check  File     Update    Update
  Extension:    Val1:  Val2:  Size:    Date:     Time:
  ----------    ----   ----   -------  --------  --------
  MYFILE.001    AC57   C1C4      1551  11/05/93  22:38:40
  MYFILE.DAT    2D53   B1D6      8666  11/07/93  18:57:30
  Total======>  F5AA   66A7

Record the check values and make sure the other person runs IMcheck to compare the check values. The "Total======>" values will match only if the files are checked in the same order.

SPECIAL LICENSE TERMS FOR IMCHECK: Registered users of Integrity Master are granted permission to distribute copies of IMcheck to anyone who needs to verify the integrity of files sent by the registered user. This other user may use and keep IMcheck but may not further distribute it. ONLY registered (licensed) IM users may distribute IMcheck.

ADD-ON PROGRAMS

Registered users receive some supplementary programs to augment the function of Integrity Master:

RunMaybe  Allows you to execute IM (or any other program) on specific days or at specific intervals. This enables you to do an automatic daily, weekly or monthly check of your PC.
ASQ       ASQ analyzes and reports your PC configuration. It provides both a tutorial on your PC's hardware and configuration as well as an excellent configuration analysis. (Since ASQ is being provided to Integrity Master customers courtesy of Qualitas (the makers of 386MAX(tm)), it may be withdrawn or replaced without notice.) To use ASQ, just type "ASQ" and hit ENTER.

RunMaybe - Version 1.1

Unlike ASQ, RunMaybe may not be shared with others. RunMaybe is licensed software available only to Stiller Research customers.

WHAT IS RUNMAYBE?

RunMaybe is a small, fast (100% assembly language) program that gives you a way to execute a program, DOS command, or batch file on specific days. By keeping track of when you last executed your program, RunMaybe makes sure that the program is executed when you want and also no more frequently than you desire.

  o You can choose specific days of the week, days of the month, or an elapsed number of days to determine whether the desired program will be executed.

  o RunMaybe will (if you wish) run a program at the next opportunity if it was not run on a designated day (with the /N parameter).

HOW DO YOU USE RUNMAYBE?

1) Decide how often (or on what days) you want to execute your program and formulate an appropriate RunMaybe command. For example, to execute CHKDSK once a day, you would use the command: "RunMaybe /E CHKDSK".

2) You place the RunMaybe command in a batch file that you execute at intervals, such as your AUTOEXEC.BAT file (which is executed every time you boot your PC).

HOW TO INSTALL RUNMAYBE

  o Copy RUNMAYBE.EXE to any directory on your DOS path. (Type "PATH" and hit ENTER to see what directories are on your path)

  or

  o Copy the RUNMAYBE.EXE program to any convenient directory on your disk. If it is not in a directory on the DOS path, you will need to include the full path of the program to execute it.
    (e.g., if RUNMAYBE.EXE is located in D:\UTILS\IM, then your batch file command line would look like: "D:\UTILS\IM\RunMaybe /E CHKDSK")

How to execute multiple programs at multiple (varying) intervals:

  o If you merely want to execute several programs together at a single interval, simply place them all in a batch file and then execute that batch file from RunMaybe. This can even be done in the middle of another batch file. (There's no need to use CALL to accomplish this).

  o If you want to run programs at different intervals, then RunMaybe will have to keep track of "last run" information for each program separately. The best way to do this is to use a different "last run" file for each program you want to schedule. Let's assume you want to run program "PROG1" every second day and that you want to run "PROG2" on Mondays, Wednesdays, and Fridays. You could use the following commands:

      RunMaybe C:\Data\PROG1.LR /E2 PROG1
      RunMaybe C:\Data\PROG2.LR /W1,3,5 PROG2

    In each case, the first parameter (e.g., "C:\Data\PROG1.LR") specifies the name and directory of the file where RunMaybe will record the "last run" information. The path "C:\Data\" can be any disk and directory you choose and the file names "PROG1.LR" and "PROG2.LR" can be any file names you choose. When RunMaybe executes for the first time, it will create those files.

COMPLETE SYNTAX FOR THE RUNMAYBE COMMAND LINE:

  RunMaybe [LastRun Filespec] /E# /H /M##,##,##,.. /N /W#,#,#,... ProgName

"LastRun FileSpec" - This is optional. (You only need this if you want multiple programs to run according to different schedules.) "FileSpec" specifies the name and location of the file where RunMaybe stores the last time and date that it was executed. Be sure to specify the complete path (disk and directory) so RunMaybe can find this file. If you don't specify this parameter, RunMaybe will create a last run file called "RUNMAYBE.LR" in the same directory with the RUNMAYBE.EXE program.
RunMaybe will search for "RUNMAYBE.LR" by looking first in the current directory and then in the directory in which the RUNMAYBE.EXE program is located. Use this option if you want to use RunMaybe to run different programs at different intervals. You will use a different "LastRun" file to keep track of each program.

/H or /?  produce a help display

/N  Specifies that the program should run on the next possible opportunity if it did not run on the designated day. This applies only to the /M and /W parameters. For example, if you specified that a program should run every Monday but you take a holiday on a particular Monday, the program will be run whenever you return if you include the /N parameter.

/E#  Run the program every # days. # must be from 1 to 99 days. If you don't specify a "#" (number of days), then it will default to "1" and the program will be run daily. (For example, "RunMaybe /E2 IM" will run IM every second day.)

/M##,##,##...  RunMaybe will run the program only on those specific days of any month. You can specify a single day or a list of up to 30 days. These days MUST be listed in ascending order. (e.g., "RunMaybe /M10,20,30 CHKDSK" will run CHKDSK on the 10th, 20th and 30th of any month.)

/W#,#,#...  RunMaybe will run the program only on those specific days of the week. These days MUST be listed in ascending order. You can specify a single day of the week or a list of up to 6 days. You specify a number for each day of the week:

    0 = Sunday     1 = Monday     2 = Tuesday     3 = Wednesday
    4 = Thursday   5 = Friday     6 = Saturday

  For example, "RunMaybe /W1,3,5 IM" will run IM on Monday, Wednesday and Friday.

"ProgName" specifies the name of the DOS command, program or batch file you want to execute. You can include any parameters that the program, command or batch file needs. You can safely use this command to execute batch files from within other batch files.
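The decision RunMaybe makes from its "last run" record and one schedule option, written out as an added Python example. This is not RunMaybe's own code: the /E#, /W and /M forms, the day numbering (0 = Sunday) and the /N catch-up follow the descriptions above, while the layout of RunMaybe's last-run file is not documented here, so one ISO date per file is assumed, and it is further assumed that the very first invocation (no last-run file yet) runs the program. It also goes one step beyond the text in refusing a last-run date that lies in the future, the "suspect system date" situation.

```python
from datetime import date, timedelta

RUN, SKIP, DATE_SUSPECT = "run", "skip", "date-suspect"


def parse_schedule(arg):
    """'/E2' -> ('every', 2); '/W1,3,5' -> ('weekday', [1, 3, 5]);
    '/M10,20' -> ('monthday', [10, 20]). Raises ValueError on bad input."""
    kind, body = arg[1:2].upper(), arg[2:]
    if kind == "E":
        n = int(body) if body else 1                 # "/E" alone means daily
        if not 1 <= n <= 99:
            raise ValueError("/E# takes a value from 1 to 99")
        return ("every", n)
    days = [int(x) for x in body.split(",") if x]
    if not days or days != sorted(days) or len(set(days)) != len(days):
        raise ValueError("days must be listed once each, in ascending order")
    if kind == "W" and len(days) <= 6 and all(0 <= d <= 6 for d in days):
        return ("weekday", days)
    if kind == "M" and len(days) <= 30 and all(1 <= d <= 31 for d in days):
        return ("monthday", days)
    raise ValueError("unrecognised schedule option: " + arg)


def day_number(d, kind):
    """RunMaybe numbering for a date: 0 = Sunday ... 6 = Saturday, or day of month."""
    return (d.weekday() + 1) % 7 if kind == "weekday" else d.day


def decide(schedule, today, last_run, catch_up=False):
    """Return RUN, SKIP or DATE_SUSPECT for one invocation on 'today'."""
    if last_run is None:
        return RUN                        # first invocation ever (assumption)
    if today < last_run:
        return DATE_SUSPECT               # the clock went backwards since the last run
    if today == last_run:
        return SKIP                       # never more than once per day
    kind, spec = schedule
    if kind == "every":
        return RUN if (today - last_run).days >= spec else SKIP
    if day_number(today, kind) in spec:
        return RUN
    if catch_up:
        # /N: a designated day went by since the last run without the program
        # running (the PC was off), so run at this first opportunity.
        d = last_run + timedelta(days=1)
        while d < today:
            if day_number(d, kind) in spec:
                return RUN
            d += timedelta(days=1)
    return SKIP


def decide_on(schedule_arg, today_iso, last_run_iso=None, catch_up=False):
    """Convenience wrapper taking the option text and ISO-formatted dates."""
    last = date.fromisoformat(last_run_iso) if last_run_iso else None
    return decide(parse_schedule(schedule_arg), date.fromisoformat(today_iso),
                  last, catch_up)


def read_last_run(path):
    """Assumed last-run file layout: a single ISO date; absent means never run."""
    try:
        with open(path) as f:
            return date.fromisoformat(f.read().strip())
    except FileNotFoundError:
        return None


def write_last_run(path, today):
    with open(path, "w") as f:
        f.write(today.isoformat())
```

With 1996-01-01 (a Monday) as a reference point: `decide_on("/W1", "1996-01-02", "1995-12-25")` skips, because Tuesday is not a designated day, while the same call with `catch_up=True` runs, because the Monday in between was missed.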
DOS ERROR LEVELS

RunMaybe returns the following DOS error levels for use in your batch files:

  0    Everything went well and your program was executed. (Note that RunMaybe can not actually determine if your program executed correctly; it simply knows that DOS reported no errors.)
  1    There was no need to run a program at this particular time.
  64   The system date on the PC is suspect. The current date is earlier than the date that RunMaybe was last executed.
  128  A bad or unreadable last run file. (RunMaybe aborted)
  200  A problem on the RunMaybe Command line. (An invalid or missing parameter.)

HERE ARE SOME RUNMAYBE EXAMPLES:

  RunMaybe /E IM /B /VO /DEF /N

The above command, if placed in your AUTOEXEC.BAT file, would execute IM daily (/E) (but only once a day even if you boot multiple times). The program IM will be executed with options set to bypass the memory check (/B), scan the entire disk for viruses (/VO) and only pause on serious problems (/N). Disks E and F will be checked (/DEF). Note that the only RunMaybe parameter used in this example is "/E".

  RunMaybe /W1 /N IM

This command, if placed in your AUTOEXEC.BAT file, would execute IM once a week on Monday. Since the "/N" parameter was included it will run IM on the next chance it gets, if you don't boot your PC on Monday.

  RunMaybe /W1,2,3,4,5 IMBAT \DOS\NewUpl

Here IMBAT.BAT is a batch file with these contents:

  @ECHO OFF
  IM /B /VR /DE /P%1 /ND
  IF NOT ERRORLEVEL 64 GOTO OK
  ECHO A virus was detected - please delete infected
  PAUSE
  :OK

This will, only on weekdays (days 1 to 5 which represent Monday to Friday), scan the upload directory, "\DOS\NewUpl", for known viruses and display a message to delete the bad files if any are found.
"\DOS\NewUpl" is a parameter which is passed to the IMBAT batch file and substituted in the IM command line (in place of %1) to produce: IM /B /VR /DE /P\DOS\NewUpl /ND IM will bypass memory checking, change to disk E, change to directory \DOS\NewUpl\ and check it for known viruses. The next line of the IMBAT batch file then checks the DOS Errorlevel. If it is 64 or less no virus was found. OTHER OPERATING SYSTEMS Although Integrity Master is designed to run in the DOS environment on Intel 80x86 family microprocessors, it is useful with other operating systems and processors such as OS/2, Unix, Microsoft Windows (this includes Win 95 and NT) and various Network (LAN) operating systems such as Netware and VINES. You can even use it on a Macintosh with DOS emulation. On some of these non-DOS systems you can't check the system sectors in the same way as under DOS since the underlying operating system support is different. Since these operating systems are multitasking, Integrity Master may find that it can't read certain files that are in use by the operating system. This is normal and will not interfere with a full system check. There's more information on this in the section on Integrity Master and Disk Problems. While it may be most convenient to do most of your checking under your normal operating system, I strongly suggest that you prepare a DOS boot check and occasionally check under native DOS. This is currently the only way to give your system the most secure checking possible. MICROSOFT WINDOWS AND OS/2 Integrity Master will run quite happily under Windows or OS/2 as a DOS application. You can even run IM in the background while you use a different application. However, this will probably prevent it from checking whatever files you are currently using. If you are using a non-DOS file system such as the "High Performance File System" (HPFS) under OS/2, Integrity Master will be able to check only those files that DOS can access. 
For OS/2 HPFS this means that files with more than eight characters in the file name or more than three characters in the extension cannot be checked. For example, IM could check file 12345678.ABC but not file 123456789.ABC.D under HPFS.

When you run IM under Windows or OS/2, it may report "General failure" reading some files. This is normally a hardware error but in this case it simply means that Microsoft Windows has certain files open. This prevents IM from reading these files but is no cause for concern. The message returned to IM varies from one PC to another. On some PCs, you may see merely that certain files cannot be opened. When this error occurs, you will see a detailed explanation along with a menu offering several options. We recommend you select the option to ignore any further open errors; this way you will still see detailed information on any other problems discovered by IM. You can avoid this error display and most others by using the "/NE" command line parameter (pause on emergencies only).

NETWORKS

If you have a local area network (LAN), you can use Integrity Master on both the file server and the workstations. (Each workstation requires a separate license for IM; we offer very reasonable site license pricing.)

IM can be used on a network by running it on the separate workstations as well as on the server. It can be configured in different ways. If you place IM.EXE on a shared disk available to all workstations, you can have separate parameter (IM.PRM) files for each workstation or you could have a central IM.PRM in the directory with the shared IM.EXE. Using a common IM.PRM file makes it easier to copy or move files and then immediately check to make sure the files are intact. If the server does not run or emulate DOS, then you will need to check the files on the server from one of the DOS workstations.
PART TWO contains a section titled Networks and Viruses that provides some general procedures to make sure you keep your LAN free of viruses. It's particularly important that you follow the guidelines there on access rights and supervisor privileges. If you periodically boot each workstation from a write-protected floppy and do a full check of that PC, you can be assured of maximum protection for your LAN.

Using IM on a Network

The following suggestions come from users of Integrity Master on a variety of different local area networks. The details vary slightly from network to network but the following procedure should allow you to get benefit with minimum work. The benefits of this procedure are:

1) You can run SetupIM only once to get IM installed for most users, yet anyone who has special needs can configure IM to work exactly the way they want by running SetupIM on their workstation.

2) Since there's only one copy of IM.EXE and SetupIM.EXE, you can quickly update everyone's software by doing a single copy operation.

3) Any files that are transferred from workstation to workstation can easily have their integrity verified since all workstations share a common integrity data encryption format.

4) Each workstation will automatically maintain a complete change history in the form of the report files on that workstation. This facilitates centralized problem solving; if anything stops working on that workstation, the report files provide a complete change log to track down exactly what was changed, added, or deleted.

SUGGESTED INSTALLATION:

1) Copy IM*.* and SetupIM.EXE to a directory on a server which is included in the DOS path of all workstations on the LAN. It's best if LAN access rights do not allow the workstations to write to this directory. An alternate technique is to place a .BAT file to invoke IM on each workstation. This allows IM.EXE to still be stored in a central location on the network.
The batch file would look something like this:

   Q:\shared\antivir\IM /Dxyz /Q /CE %1 %2 %3

In this case, IM.EXE and IM.PRM would be stored on the server's "Q:\shared\antivir" disk. Disks x, y, and z would be the disks that need to be checked for this workstation. "%1 %2 %3" allows the workstation user to specify some additional IM command line parameters.

2) Run SetupIM (new install) on a workstation that has the most common configuration on the LAN. What matters here is the organization of the disks on the workstation. By this I mean the physical partitioning of the hard drives. If the first disk is usually partitioned as two logical drives, choose a PC with that arrangement. An arrangement that is a superset of another is the best choice. In other words, if your most common configuration is to have two floppy drives with the first hard drive partitioned as two logical drives, choose such a PC. But if some of these PCs also have additional hard drives, that's even better. Choose one of the PCs with the extra hard drives to run SetupIM.

3) Move the IM.PRM file created in step 2 to the shared directory where the IM.EXE file is located. This allows all PCs that have a compatible configuration to execute IM and allows you to quickly upgrade to new versions of IM by simply copying the new IM.EXE file over the old one.

4) If you have workstations with incompatible configurations or users with special needs, you can run SetupIM separately on those workstations (but do not place a copy of SetupIM on the workstation; simply execute the copy on the server). This will create an IM.PRM file local to the workstation. The user of that workstation will still execute the shared copy of IM.EXE but IM will behave according to the configuration and options information stored in the local copy of IM.PRM rather than the shared copy.
It's useful to install a batch file in a directory on the DOS path of the workstation to make sure that the local copy of IM.PRM is always used. The batch file contains this line:

   IM C:\LOCAL\IM.PRM %1 %2 %3 %4 %5 %6

("C:\LOCAL\IM.PRM" could be any disk, directory or file name.) This procedure allows a single setup for most users, but still allows the flexibility to enable anyone to configure IM exactly the way they want.

5) Run an Initialize "Entire disk integrity" ("IM /IE") on each workstation. This will scan the entire PC for known viruses and also provide full integrity checking of all files. Next ask IM to initialize the "CMOS memory". (If you wish to do only conventional virus scanning, you can skip this step.)

SUGGESTED USAGE:

1) Configure each workstation so that it runs a daily check in "quick update" mode. The IMQ.BAT and IMONCE.BAT files contain some statements that can be inserted into the AUTOEXEC.BAT file or elsewhere to make sure this happens. (IMAUTO will do this for you.) Some people prefer to just let the user of each workstation run a quick update once a day (or other appropriate interval). IM comes with RunMaybe, a program that allows you to execute IM (or any other program) at any interval you choose. The quick update (quick scan) will catch viruses as effectively as conventional virus scanning but is much, much, faster and optionally provides a complete change log for the workstation. If you wish to do only conventional virus scanning, you can substitute a virus scan for this step ("IM /VO").

2) Each workstation user should use IM to scan or check all new diskettes and especially all new software. The batch files, IMSCAN, IMSCANM, and IMSCAND, will scan disks, multiple diskettes, or single directories respectively.

3) A full integrity check should be run at intervals on each workstation. This will make sure that the disk is thoroughly checked and will detect more subtle hardware or software problems as well as unknown viruses.
Once a week seems to be the most popular interval to run a full check.

CHAPTER FOUR - CUSTOMIZING
____________________________________________________________________

CUSTOMIZING INTEGRITY MASTER

When you first install Integrity Master, SetupIM does an initial customization for you based upon your needs and preferences. Integrity Master offers you a myriad of different options so that you can set it up to work just the way you want.

From the Integrity Master Options menu, you can control almost all options that regulate how IM functions. Your option changes may be either temporary or permanent. To make your changes permanent, select "Write option changes to disk" from the Options menu. This will save your new option settings in the parameter file. These options will be in effect the next time you execute IM.

In addition to initially installing IM, SetupIM allows you to change the less frequently used options. The more advanced options (which you may never need to change) are segregated onto their own menu. These options include turning off virus checking, changing which files IM considers to be programs and deciding where IM will store your integrity data. SetupIM also allows you to permanently change the colors that IM uses on the display.

These options are stored in the parameter file (IM.PRM). You may, if you wish, keep multiple versions of this file around to represent different sets of options. You can specify a different name for this file on IM's command line.

THE PARAMETER (OPTIONS) FILE

The parameter file (IM.PRM) contains all the options that control how IM works. IM and SetupIM look for this file by searching the following locations:

   o  the current directory,
   o  the directory where IM.EXE is located,
   o  or the root directory on any disk.

Whenever you change any options and save the changes, the parameter file is rewritten. You save the changes by using the option "Write option changes to disk" on IM's Options menu.
THE OPTIONS MENU

You can reach the Options menu from any primary IM menu by pressing the "O" or alt/O keys. From the Options menu, you can control almost all options that determine how IM works. These options include all normal day-to-day choices. (There are a few less commonly used options that can only be changed through SetupIM.)

   ┌──────────╔═══════╗─────────────────────────────────────────────┐
   │ Help     ║Options║ Check   Initialize   ReLoad   CoMmands      │
   └──────────╚═══════╝─────────────────────────────────────────────┘
             ╔══════════════════════════════════════════╗
             ║ Write option changes to disk             ║
             ║ Integrity: CHECKING ON/off=quick update  ║
             ║ Integrity Update: Ask for prog changes   ║
             ║ Files to Check: Executable programs      ║
             ║ Files to iNitialize: Executable programs ║
             ║ Halt on: ALL changes, adds or deletes    ║
             ║ Sound ─────────────────────────> ON/off  ║
             ║ Report: (file or print)--------> on/OFF  ║
             ║ Video (screen) report ─────────> ON/off  ║
             ║ Ignore Time/date changes ──────> on/OFF  ║
             ║ Only changes reported ─────────> on/OFF  ║
             ║ Exclude: OFF and exclude report OFF      ║
             ╚══════════════════════════════════════════╝

In addition to allowing you to set all the above options, the Options menu displays the current settings of these options. The options that have "on/off" settings are toggled between their "on" and "off" states by pressing the ENTER key. The current setting of the option is displayed in capital letters, as well as in a distinctive color.

Write option changes to disk

This allows you to save any changed option settings in the parameter file, making your option changes effective the next time you execute IM. This option does not exist on the SetupIM version of the Options menu. (SetupIM automatically saves any changes unless you tell it not to.)

Integrity: CHECKING ON/off=quick update

This is the most crucial item on the Options menu. Pressing the ENTER key toggles IM between doing full integrity checking and doing only quick integrity data updating.
When you press ENTER, either "Checking ON" or "OFF=Quick update" will be in all capital letters and in a different color (on most displays). This discloses whether full integrity checking is on or off. The status of integrity checking is also always visible on the fourth line at the top of the screen.

Quick update mode provides a very fast way to bring all your integrity data up-to-date and to scan your disk for viruses. IM reads and integrity checks only files whose size, time stamp or date stamp have changed. To detect file corruption and unknown (new) viruses, it's essential to regularly turn "Checking ON" to do full integrity checks.

Integrity Update:

IM normally updates the integrity data describing a file whenever the file changes (unless the file is affected by a known virus or a disk error). This option allows you to control when IM updates the integrity data describing changed files. This option is handy if you expect to find some damaged files and you want to save the old integrity data so that you can restore the file and then use IM to verify that the file is back to its original state. The Option menu item itself displays the current setting for this option. Integrity Update can have five values:

   "On for any changes"   - this is the normal mode where the integrity data will be updated whenever a file changes.
   "Off for any changes"  - IM will NOT overwrite the old integrity data with the new when a file changes.
   "Off for prog changes" - IM will NOT overwrite the old integrity data with the new when an executable file (a program) changes.
   "Ask for any changes"  - IM will ask you if it should overwrite the old integrity data with the new when a file changes.
   "Ask for prog changes" - IM will ask you if it should overwrite the old integrity data with the new when an executable file (a program) changes.
   "NEVER"                - IM will never update integrity data. This includes added or deleted files.
                            (All other options affect only changed files.)
   "FORCED"               - IM will always update its integrity data even if it finds corrupted files or read errors.

The right-most part of the second line at the top of your screen will also display an indication if you have Integrity Updating set to anything other than "On".

Files to Check:

You can use this option to limit IM's checking to only executable or source programs. Even if you are interested only in virus detection, I strongly recommend that you also periodically set this option to check all files, so that you can be alerted to the other (more common) causes of file damage. The Advanced menu in SetupIM allows you to change which files IM considers to be executable or source programs.

Files to iNitialize:

Use this option to limit IM's initializing of integrity data to only executable or source programs. Even if your primary interest is viruses only, I strongly recommend that you set this option to read all files, so that you can be alerted to the other (more common) causes of file damage. The Advanced menu in SetupIM allows you to change which files IM considers to be executable or source programs.

Halt on: ALL changes

IM lists each new file change that it detects at the top of the report screen. The other changes on the screen shift downward (scroll) as each new line is added at the top of the screen. By setting the halt options, you control when this scrolling will pause and wait for you to press a key. This prevents a change from scrolling off the screen without your having seen it.
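As an added illustration (not Integrity Master's own code), this Python model shows why the quick update described above under "Integrity: CHECKING ON/off" is not a substitute for a full check, and how the Integrity Update settings govern what gets written back: a file rewritten so that its size and time stamp are unchanged passes a quick update but is caught by a full check. The in-memory files, stamps and contents are constructed, a SHA-256 digest stands in for IM's encrypted integrity data, the program extension list is the one from the Advanced option menu, and the "ask" settings are left out because they need an interactive answer.

```python
import hashlib
from dataclasses import dataclass

# Extensions the manual's Advanced option menu treats as executable
# programs; ".OV?" covers any overlay file such as .OV1 or .OVL.
PROGRAM_EXTS = {"DLL", "BAT", "DRV", "BIN", "EXE", "BTM", "PIF", "CMD", "SYS", "COM"}


def is_program(name: str) -> bool:
    ext = name.upper().rpartition(".")[2] if "." in name else ""
    return ext in PROGRAM_EXTS or (len(ext) == 3 and ext.startswith("OV"))


@dataclass(frozen=True)
class File:
    """A constructed directory entry: size, DOS time/date stamp, contents."""
    size: int
    stamp: int
    data: bytes


@dataclass(frozen=True)
class Record:
    """What IM keeps per file; the digest stands in for its integrity data."""
    size: int
    stamp: int
    digest: str


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def initialize(files: dict[str, File]) -> dict[str, Record]:
    """Equivalent of "IM /I": record every file as it is now."""
    return {n: Record(f.size, f.stamp, digest(f.data)) for n, f in files.items()}


def check(files, store, full_check, update="on"):
    """One IM run over `files` against the integrity data in `store`.

    full_check=False is quick-update mode: a file whose size and stamp match
    the stored record is not read at all.  `update` is the Integrity Update
    setting: "on" (rewrite data for any change), "off" (keep old data for
    changed files), "off_prog" (keep old data only for changed programs) or
    "never" (write nothing, not even for added or deleted files).
    Returns (name, status) pairs in report order; `store` is modified.
    """
    report = []
    for name, f in sorted(files.items()):
        rec = store.get(name)
        if rec is None:
            report.append((name, "added"))
            if update != "never":
                store[name] = Record(f.size, f.stamp, digest(f.data))
            continue
        stamp_changed = (f.size, f.stamp) != (rec.size, rec.stamp)
        if not full_check and not stamp_changed:
            continue  # quick update trusts the directory entry here
        new = digest(f.data)
        if new == rec.digest:
            if stamp_changed:  # same bytes, new time/date stamp
                report.append((name, "time/date change only"))
                if update != "never":
                    store[name] = Record(f.size, f.stamp, new)
            continue
        # Contents differ.  With unchanged size and stamp this is exactly the
        # corruption / unknown-virus case that only a full check can find.
        report.append((name, "changed" if stamp_changed else "changed, size/stamp unchanged"))
        keep_old = update in ("off", "never") or (update == "off_prog" and is_program(name))
        if not keep_old:
            store[name] = Record(f.size, f.stamp, new)
    for name in sorted(set(store) - set(files)):
        report.append((name, "deleted"))
        if update != "never":
            del store[name]
    return report


def demo():
    """Constructed scenario: one stealthy edit and one ordinary edit."""
    files = {"IM.EXE": File(3, 100, b"abc"), "NOTES.TXT": File(5, 100, b"hello")}
    store = initialize(files)
    files["IM.EXE"] = File(3, 100, b"abd")        # same size, same stamp
    files["NOTES.TXT"] = File(6, 101, b"hello!")  # DOS bumped size and stamp
    quick = check(files, dict(store), full_check=False)
    full = check(files, dict(store), full_check=True)
    return quick, full


if __name__ == "__main__":
    q, f = demo()
    print("quick update:", q)  # reports only NOTES.TXT
    print("full check:  ", f)  # reports IM.EXE as well
```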
The halt options appear on this menu:

   ╔═════════════════════════════════╗
   ║ Halt on:                        ║
   ║ All detected differences        ║
   ║ Changed files only              ║
   ║ Changes to Executable programs  ║
   ║ Changes to any Program          ║
   ║ File corruption or worse        ║
   ║ Serious problems                ║
   ║ Emergencies Only (not viruses)  ║
   ╚═════════════════════════════════╝

If you halt scrolling on "All detected differences", anytime a line written to the report screen is about to disappear off the bottom of the screen, the display will pause and wait for you to press a key to acknowledge that you've seen all the lines on the display. After you press a key, the display will not pause until all the lines currently on the screen have scrolled off and a new unseen line is about to scroll off the screen.

If you halt scrolling on "Changed files only", the scrolling will pause only when a modified file is about to disappear off the bottom of the screen. After you press ENTER, the display will not stop scrolling until a changed file is about to scroll off the bottom. This changed file must not have been on the screen during the prior pause.

If you halt scrolling on "Changes to Executable programs", the scrolling will pause only when a program is about to disappear off the bottom of the screen. After you press ENTER, the display will not stop scrolling until a program that was not on the previous display is about to scroll off the bottom. You can use the "Advanced option" menu in SetupIM to check or change what IM considers to be executable programs.

If you halt scrolling on "Changes to any Program", the scrolling will pause only when a program (either source or executable) is about to disappear off the bottom of the screen. After you press ENTER, the display will not stop scrolling until a program that was not on the previous display is about to scroll off the bottom.
You can use the "Advanced option" menu in SetupIM to check or change what IM considers to be either source or executable programs.

If you halt scrolling on "File corruption or worse", only signs of viruses, corrupted files, or possible hardware errors will pause the display.

If you tell IM to halt on "Serious problems", then the display will pause only when it detects a virus or critical error, such as a hardware error. This affects scrolling in the same way as using the "/N" parameter on the command line. If you set halt to this option, be sure that IM is writing a report to a file or to the printer; otherwise, you may miss some important warnings.

If you tell IM to halt on "Emergencies Only", then the display will almost never pause. IM will continue processing even if it detects a known virus in a file or can't read the disk. IM will only stop if it considers it dangerous to continue, or if you're in danger of losing important information. This affects scrolling in the same way as using the "/NE" parameter on the command line. The "/ND" parameter works like "/NE" but IM executes optimized for unattended execution with no screen display of file checking or summary display. If you set halt to "Emergencies only" (/NE or /ND), be sure that IM is writing a report to a file or to the printer, otherwise you may miss some important warnings.

You can always halt scrolling by pressing the "P" key.

Sound -------------------------> ON/off

IM will provide beeps and tones to alert you that something important has happened (or that you've pressed an unsupported key). Pressing ENTER toggles whether or not you hear these sounds.

Report: (xxxxxxxxxxxxx)--------> on/OFF

This allows you to turn the report file off or to ask IM to write a report of its activities to either the printer or a disk file. The "xxxxxxxxx" on the option line represents the name of the current report file or printer.
The disk file can be automatically named by IM or can be any file of your choice. Please see "The Report File" in Chapter Three for more details on these options. This option line, along with the third line from the top of IM's screen, displays the status of the report file.

Video (screen) report ---------> ON/off

If you have a very slow video board (such as some old CGA adapters), IM will run a little faster if you turn the screen report off. (Be sure to turn the report file on!)

Ignore Time/date changes ------> on/OFF

Sometimes the DOS time or date stamp on a file will change, but the file itself won't change. If you do not want to have such files reported as changed, set this option to "ON".

Only changes reported ---------> on/OFF

If you do not want reports of added or deleted files, turn this option "on". If "Only changes reported" is set to "on", then you will see only reports of file changes; IM will not report added or deleted files. IM will still update the integrity data to reflect the added or deleted files, but it won't report these files. All other processing also continues normally, including the detection of companion viruses (viruses that appear only as added files).

Exclude: ON and exclude report OFF

Selecting this option will pop up the Exclude menu:

   ╔═════════════════════════════════════════╗
   ║ IM will optionally exclude selected     ║
   ║ files or directories from checking.     ║
   ║                                         ║
   ║ Please press ESCape when you are done   ║
   ╟─────────────────────────────────────────╢
   ║ Exclude checking is now OFF; turn it ON ║
   ║ Reporting is now OFF; turn it ON        ║
   ║ Select files or directories to exclude  ║
   ╚═════════════════════════════════════════╝

The Exclude menu allows you to exclude files or entire directories from checking, scanning, or initializing. The bottom line of the Options menu along with the lines on the Exclude menu show whether excluding of files or directories is turned on and whether reporting of excluded objects is turned on.
Either may be toggled on or off at the press of a key. If reporting of excluded files is "ON" and excluding itself is "ON", then a line will appear on the report every time a file or directory is bypassed from checking, scanning, or initializing. The line will list the particular file or directory that was excluded.

If exclude checking is "ON", Integrity Master will exclude the hidden directory "\SENTRY" that Central Point PC Tools and MSDOS use with their "Delete Sentry" method of undelete protection. This directory will be excluded during integrity checking but still be checked when using Integrity Master as a scanner.

You may exclude a file by specifying the precise file name or using the wild card characters to specify a series of files. You can also exclude all files within a directory by excluding that directory from checking. Either files or directories can be excluded based on wild cards. For example, you can tell IM to ignore any directory beginning with the characters "IM" by using the wild card: "IM*". Or you could tell IM to ignore all your ZIP files (all filenames ending in ".ZIP") by using the wild card "*.ZIP".

When you're entering file or directory names to exclude, you may use the DOS wild card characters: * and ?. The "*" character matches zero or any number of characters, while "?" matches one and only one character. Some examples:

   This name:   Would exclude:     But not:
   A?.*         AB.ABC, AC.D       ABC.ABC, A.DEF, AX
   ??.ABC       XY.ABC, AB.ABC     A.ABC, XYZ.ABC
   A*.A?        A.AB, ABC.AX       A.CB, A.ABC

Note that a wild card in the form "X*" will exclude any filename beginning with "X" (with or without an extension) while "X.*" will exclude only files which have an extension.

If a file or directory is excluded, Integrity Master will no longer record information for it. If integrity data already exists, then IM will remove it. To make sure you are aware of this, IM will always notify you that it is updating the integrity data.
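The wild card rules above, as an added illustration in Python (not Integrity Master's own code): the three rows of the table are reproduced, and the same matcher is applied to directory names on a constructed listing so the effect of excluding one directory on everything beneath it can be seen. That a pattern without a "." leaves the extension unconstrained and that "X.*" requires an extension comes from the text; that IM compares name and extension separately and case-insensitively is assumed here.

```python
import re

# Constructed directory listing (not from the manual) used by excluded().
LISTING = [
    r"\DOS\NewUpl\UPLOAD.ZIP",
    r"\DOS\NewUpl\README.TXT",
    r"\IM\IM.EXE",
    r"\IMDATA\OLD\ZZ##.IM",
    r"\SENTRY\DELETED.001",
    r"\WORK\NOTES.TXT",
]


def _part_regex(part: str) -> str:
    """Translate one side of an 8.3 pattern: '*' = any run, '?' = one char."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in part)


def matches(pattern: str, name: str) -> bool:
    """True if the DOS wild card `pattern` covers `name` (case-insensitive).

    Name and extension are compared separately.  A pattern with no "." only
    constrains the name ("IM*" covers IM, IM.PRM and IMCHECK.EXE); a pattern
    with a "." requires the file to have an extension ("X.*" does not cover X).
    """
    p_name, p_dot, p_ext = pattern.upper().partition(".")
    n_name, n_dot, n_ext = name.upper().partition(".")
    if re.fullmatch(_part_regex(p_name), n_name) is None:
        return False
    if not p_dot:
        return True
    if not n_dot:
        return False
    return re.fullmatch(_part_regex(p_ext), n_ext) is not None


def excluded(paths, file_patterns=(), dir_patterns=()):
    """Return the paths IM would bypass.

    A path is bypassed when its file name matches a file pattern or ANY
    directory along its path matches a directory pattern; the latter is why
    excluding one directory silently excludes every subdirectory beneath it.
    """
    result = []
    for path in paths:
        *dirs, fname = path.strip("\\").split("\\")
        if any(matches(p, d) for p in dir_patterns for d in dirs) or any(
            matches(p, fname) for p in file_patterns
        ):
            result.append(path)
    return result


def table_rows():
    """The manual's three example rows, evaluated: (pattern, excluded, kept)."""
    rows = [
        ("A?.*", ["AB.ABC", "AC.D"], ["ABC.ABC", "A.DEF", "AX"]),
        ("??.ABC", ["XY.ABC", "AB.ABC"], ["A.ABC", "XYZ.ABC"]),
        ("A*.A?", ["A.AB", "ABC.AX"], ["A.CB", "A.ABC"]),
    ]
    return [(p, all(matches(p, n) for n in yes), not any(matches(p, n) for n in no))
            for p, yes, no in rows]


if __name__ == "__main__":
    for pattern, excl_ok, kept_ok in table_rows():
        print(f"{pattern:8} behaves as documented: {excl_ok and kept_ok}")
    for path in excluded(LISTING, file_patterns=["*.ZIP"], dir_patterns=["IM*", "SENTRY"]):
        print("bypassed:", path)
```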
For this reason, you may see changes reported in a directory when you otherwise wouldn't expect any. By asking IM to report what is being excluded you can see exactly what is being affected.

Be very careful when excluding directories. If a directory is excluded, IM will not look at any of the files in that directory or any of the subdirectories within that directory. This means you can exclude an entire series of subdirectories (and their associated files) by excluding a single directory.

If you un-exclude files and directories, they will appear as "added" the next time you run a check.

OPTIONS IN SETUPIM

When you execute SetupIM for the first time, the Integrity Advisor(tm) will set your options in a way most likely to meet your needs and interests. You can later go back and change any of the options that were set for you. If you specify that it's not your first install of IM, you will see this menu:

   ╔══════════════════════════════════════╗
   ║ Select an option and press ENTER:    ║
   ║                                      ║
   ║ Overview of IM setup and operation   ║
   ║ Change how Integrity Master operates ║
   ║ Repeat the install on this PC        ║
   ║ Install IM on another PC             ║
   ║ Quit                                 ║
   ╚══════════════════════════════════════╝

From this menu, you can select "Change how Integrity Master operates" and press ENTER. This brings you to the Change menu:

   ╔══════════════════════════════════════╗
   ║ Select an option and press ENTER:    ║
   ║                                      ║
   ║ Screen display mode                  ║
   ║ Integrity data options               ║
   ║ Advanced options                     ║
   ║ Toggle CMOS check type (now FULL)    ║
   ║ Home directory options               ║
   ║ Update hardware configuration        ║
   ║ Exit - save any changes and end      ║
   ║ Abort - Quit and abandon any changes ║
   ╚══════════════════════════════════════╝

OPTIONS AVAILABLE ONLY IN SETUPIM

SetupIM allows you to change certain options that you would only want to change very rarely. None of the options on this menu are available within IM itself.
SCREEN DISPLAY MODE

This allows you to set the screen colors as explained in the Chapter Two section titled Screen Colors. Unless you have problems reading the screen, I strongly recommend that you allow IM to continue to operate in automatic video mode. This way it will choose which colors are best for your video equipment.

INTEGRITY DATA OPTIONS

This allows you to change how IM stores the integrity data describing your files and system sectors. You can change the name, attributes, or the location of your integrity data files. You can also use this menu selection to check what the characteristics of your integrity data files are.

INTEGRITY DATA FILE ATTRIBUTES

You can ask IM to make your integrity data files hidden, read-only, or both. Unless you are used to working with read-only and hidden files and consider yourself fairly expert with DOS, we suggest that you not set these attributes. There are quite a few programs that will cause confusing results when they work with hidden or read-only files. These attributes can easily be overridden by a knowledgeable user or program.

INTEGRITY DATA FILE NAMES:

You can choose the names that IM will use for the integrity data files. These filenames can be either fixed or variable. If you did not specify a name for your integrity data files or select variable names, then your integrity data is stored in files named "ZZ##.IM". Each file has this same fixed name. If you run SetupIM, you can choose your own name for these files or ask IM to use variable names. Use the IM CoMmands menu to remove (Uninstall) the old files before you run SetupIM to assign new names to your integrity data files.

VARIABLE INTEGRITY DATA FILE NAMES

To make it more difficult for rogue programs to attack your integrity data files, IM can use variable file names. Both the file name and the extension contain some characters which will be different for each file.
Plus, the remainder of the file name will be different for each installation. When you first install, the Integrity Advisor usually selects variable file names to store your integrity data. SetupIM will then explain how these file names are formed for your particular installation. It will also record this in the IMPROC.TXT file in case you need to quickly check this later. If you install on another PC, these file names will be different unless you use the original parameter file. To make these files easier for you to find, you may choose part of both the file name and the extension.

FIXED INTEGRITY DATA FILE NAMES

If you choose fixed file names, then every integrity data file will have the same name. This makes it very easy to locate these files. The drawback is that this also makes it very easy for someone else to locate your integrity data files if you keep them in the same directory with the files they describe. A destructive program could deliberately delete these files, causing loss of protection.

LOCATION OF INTEGRITY DATA

As IM checks your files, it must store the integrity data that describes these files. Using SetupIM you can change where IM stores these files. There are two options:

1) It can store the integrity data in the same directory along with the files being checked, or

2) It can store the integrity data on a separate disk (usually a floppy).

Storing the integrity data on a floppy gives you additional protection against a virus or a person changing a file and then modifying the integrity data to cover up the change. For viruses, this threat is fairly remote since the virus would have to be written specifically to attack files created by IM. This would be very difficult since these files are encrypted differently on each PC.

Storing the integrity data with the files being checked is usually easier and more flexible since the integrity data can be copied along with the files.
This also makes it easy for you to use IM to verify that you've made a good copy when you copy or move the files. If you want to restore an old copy of a file from a backup, you can restore the integrity data along with the file and then ask IM to check that the file was restored correctly. If you move your files, it's easier to move the integrity data along with the files if it's stored in the same directory as the files.

TOGGLE CMOS CHECK TYPE

This option displays the current type of CMOS checking that IM will do (either "CORE", "FULL", or "BASE"). When you hit ENTER the check type will switch between "CORE", "FULL", and "BASE". Full checking will check all of your PC's available CMOS. Since checking the full CMOS may cause too many reports of changes on some PCs, we offer the option of checking only the more standard "BASE" 64 byte CMOS or the "CORE" CMOS (the portions of the CMOS that are important to the integrity of your PC). Changing this option does not affect your ability to reload your full CMOS if it should become necessary.

HOME DIRECTORY OPTIONS

This allows you to specify a name and location for your home directory. This is the directory where IM will store its files, including its "auto-named" report files and the reload files (e.g., BOOT.SRL, PART.SRL, CMOS.SRL).

If you have installed a version prior to 2.31, then these files are located in the root directory and you should use this option to activate use of the IM "home directory". If you are converting from an earlier version, be sure to move your existing files to the "home directory" on each disk after you run SetupIM.

UPDATE HARDWARE CONFIGURATION

Please use this option whenever you change the configuration of disk drives on your computer, or if you use software that changes the assignment of DOS logical disk letters (A to Z) to your physical disk drives. SetupIM will check the capabilities of each of your installed disk drives.
This will produce a display showing the drives that SetupIM recognizes. It will also list any drives that do not contain DOS boot sectors and any that do not have partition sectors (master boot records).

EXIT - SAVE ANY CHANGES AND END

This updates the parameter file (IM.PRM) with any option changes you've selected, and exits SetupIM.

ABORT - QUIT AND ABANDON ANY CHANGES

This allows you to exit SetupIM without writing any of your changes. All option settings will be as they were before you entered SetupIM.

THE ADVANCED OPTION MENU

If you select this option on the SetupIM change menu, the Advanced option menu will appear.

   ╔════════════════════════════════════════════════╗
   ║ Select an option and press ENTER:              ║
   ║ (Press ESCape when you're done)                ║
   ║                                                ║
   ║ Specify Names of hidden system files           ║
   ║ Define which files are Executable programs     ║
   ║ Define which files are Source programs         ║
   ║ Check all files for Macros is ON; turn it off  ║
   ║ Check for virus in memory is ON; turn it off   ║
   ║ General virus checking is ON; turn it off      ║
   ║ Change Format for date or time                 ║
   ╚════════════════════════════════════════════════╝

This menu is intended for more technically advanced users. Most IM users should never need to use this menu. When you're finished making changes on this menu, just press ESCape to go back to the previous menu. The Advanced Option menu offers you these options:

SPECIFY NAMES OF HIDDEN SYSTEM FILES

Selecting this option will allow you to change the names of the files that IM recognizes as the hidden system files. This option is only needed on nonstandard PCs that don't use the standard Microsoft or the IBM names for the hidden system files. The files SetupIM recognizes by default are: IBMBIO.COM, IBMDOS.COM, IO.SYS and MSDOS.SYS.
If you execute "IMCHECK *.*" in your root directory and you don't see two of the above files, but instead see two other similarly named files, you may wish to use this option so IM recognizes those files. If you don't understand what this is all about, don't worry. IM's ability to recognize your hidden system files is NOT that important. It simply allows IM to provide more specific information in two warning messages.

DEFINE WHICH FILES ARE EXECUTABLE PROGRAMS

This option allows you to specify which file extensions (the letters after the "." in the file name) IM should consider to represent executable programs. This is important for three reasons:

1) Non-executable files are not normally checked for known viruses.
2) IM provides special warning when executable programs change.
3) If you use the Options menu to limit checking to executable programs, only these files will be checked.

Initially, IM will consider files ending in the following extensions to be executable programs: .OV? (where ? can be any character), .BAT, .BIN, .BTM, .CMD, .COM, .DLL, .DRV, .EXE, .PIF and .SYS.

Note that not all these files can actually be infected by viruses, but all of them in one way or another contain instructions that are executed by your PC, so an unexpected change to any of them deserves attention.

DEFINE WHICH FILES ARE SOURCE PROGRAMS

This option allows you to specify which file extensions (the letters after the "." in the file name) IM should consider to be source programs. Source programs are the files a programmer edits and compiles to create executable programs. If you are not a programmer then you probably don't care about this option. This option is intended mostly to provide programmers with extra warning if something or someone is modifying their source code.

CHECK ALL FILES FOR MACROS

Some programs store sequences of commands called macros in their data files. These macros can be executed just like a program. In some cases the macros will be automatically executed when the data file is opened.
Viruses written in the product's macro language take advantage of this to attach themselves to other files. The Concept virus does this with respect to MS Word documents (actually templates disguised as documents).

Using this option you toggle whether IM checks all files for macros or just those files that normally contain macros (e.g., .DOC and .DOT for MS Word or .XLS for Excel). If you use nonstandard extensions, you should set this option to check all files for the presence of macros. Checking all files requires IM to open and partially read every file to determine if it contains macros. Beware: this will slow IM's speed considerably!

CHECK FOR VIRUS IN MEMORY

Selecting this option will toggle the checking of memory for known viruses on or off. If you toggle memory checking on, the option line will be changed to read:

Check for virus in memory is ON; turn it off.

This indicates that memory checking is now "ON". If you press ENTER at this point, you will turn it "off", and the option will then read:

Check for virus in memory is OFF; turn it on.

Having this option "ON" allows IM to detect known viruses that are resident in memory. If you always cold boot from a known good copy of DOS on a write-protected diskette (and your BIOS is set to try the diskette drive before the hard disk), you could safely turn this option off, since there would be no way for a virus to be resident in memory. Since it's hard to guarantee that you always cold boot, please leave resident memory checking turned on. If you execute IM multiple times and you don't want to wait for the memory check to complete, you can use the "/B" (Bypass) command line parameter to bypass the resident memory check.

GENERAL VIRUS CHECKING

Selecting this option and pressing ENTER will toggle checking of files for known viruses on or off. If you have absolutely no interest in viruses, you can speed up IM's initialize processing and its check processing (only when it encounters changed files) by 10 to 20 percent.
Since this option imposes so little overhead in normal file checking, I suggest everyone leave it turned on.

CHAPTER FIVE - ERRORS
____________________________________________________________________

ERROR RECOVERY:

IM replaces the normal DOS error recovery routines (the "Abort, Retry, Fail?" critical error handler) with its own more sophisticated routines. If you encounter a hardware error, you'll generally see a message announcing what happened, followed by a screen that gives you the option of retrying the failed operation, aborting (allowing whatever IM was trying to do to fail), or other options depending upon the circumstances. These other options may include "Shelling to DOS". Shelling allows you to temporarily leave IM and execute any DOS command (such as formatting a disk) you wish. You then return to IM by typing the EXIT command. This returns you to the same point in IM, just as if you had never left.

SOLVING PROBLEMS:

If you encounter a problem with IM, please read file QUESTION.TXT (for a list of common questions and answers) and file SUPPORT.TXT (for the complete procedure on how to quickly get technical support). File DISKHELP.TXT contains specific information on how to handle problems if IM won't recognize your disk drive. You can use IMPRINT or IMVIEW to read any of these files. Example: "IMVIEW SUPPORT.TXT"

ANSWERS TO COMMON QUESTIONS:

File QUESTION.TXT contains common questions and answers regarding IM. You can read these by entering the command "IMVIEW QUESTION.TXT" at the DOS prompt or print them with the command "IMPRINT QUESTION.TXT".

PART TWO
Data Integrity and Viruses
___________________________________________

How do I make sure that my programs and files really are safe?
What threats are even more likely to damage my data than viruses?
What really works against viruses?
What doesn't work against viruses?
Why are viruses so dangerous?
How do I kill a virus?
___________________________________________

Copyright 1990-1997, Wolfgang Stiller, All rights reserved.

PART TWO - Data Integrity and Viruses

CHAPTER ONE - THREATS TO YOUR DATA
____________________________________________________________________

INTRODUCTION - VIRUSES GET ALL THE GLORY

Do you have data or programs on your PC which you can't afford to have unexpectedly damaged? How can you make sure that your data is safe? To protect the integrity of your data, you must first understand the nature of the threats against it.

The most publicized threats to your computer are software-based attacks often lumped together as "viruses" by the media. Although viruses are often sensationalized by media coverage, they do present a very real menace to your data. (See the section in this chapter titled "How serious are viruses?".) Even if a virus never attacks your PC, it is almost inevitable that system glitches will someday corrupt data or programs on your PC.

Considering that viruses are but one threat to your data, and not the most likely threat by far, it's ironic that so many people have anti-virus software but so few people take steps to protect the integrity of their programs and data from other hazards. Can anyone afford NOT to know that each and every byte on their disk is undamaged?

So what's the explanation? Why do so few people take steps to assure the integrity of the data on their PCs? The main reason is that data integrity gets almost no media coverage (even in the trade journals), while a virus story may make the local evening news. The result is that people just don't give data integrity a second thought. It's all too easy to take the reliability of our modern PCs for granted -- and, as you'll see, all too dangerous!

You may be reading this primarily because you're interested in viruses.
If that's true, then, for you, the media attention to viruses will have had a very beneficial effect. You are about to learn how to protect your PC against much more than just viruses!

Data integrity is not a very glamorous subject, yet it's both crucial and fundamental to using any computer. Without positive assurance of data integrity, computers cannot be depended upon to process any type of important data.

How would you respond if someone were going to change a byte of data somewhere at random on your disk? You'd be pretty upset -- right? Well, the odds are, it has already happened but you were not aware of it. Perhaps the result was that a program quit working or CHKDSK/Scandisk found lost or cross-linked clusters. Or perhaps, if you're lucky, the damage was to some inconsequential part of your disk. Let's explore the different threats to your files and programs:

HARDWARE AND POWER FAULTS

These are well known but also all too common. We all know that when your PC or disk gets old, it might start acting erratically and damage some data before it totally dies. Unfortunately, hardware errors frequently damage data on even young PCs and disks.

Your PC is busy writing data to the disk and the lights go out! "Arghhhh!" Is everything OK? Maybe so, but it's vital to know for sure if anything was damaged.

If your disk drive is starting to fail, you may start to experience occasional damage to your files. Regrettably, it's not a question of "if", but a question of "when" in regard to disk failure. There are tools (NORTON, MACE, PCtools, etc.) to assist in recovery from disk problems, but how do you know all the data is OK? These tools do not always recover good copies of the original files. It's vital to have some way to check that these tools really do their job correctly.

You can have hardware problems on a perfectly healthy PC if you have devices installed that do not properly share interrupts.
This problem is getting more and more frequent as we see multiple adapters installed in a PC that use the same interrupt (IRQ). Sometimes problems are immediately obvious; other times they are subtle and depend upon certain events happening at just the wrong time, and then suddenly strange things happen!

FINGER CHECKS (TYPOS AND "OOPS! I DIDN'T MEAN TO DO THAT.")

These are an all too frequent cause of data corruption. This commonly happens when you are intending to delete or replace one file but actually get another. By using wild cards, you may experience a really "wild" time. "Hmmm, I thought I deleted all the *.BAK files . . . but they're still here . . . something was deleted . . . what was it? . . . or was I in the other directory?" Of course if you're a programmer or if you use sophisticated tools like Norton's sector editor (NU), then your fingers can really get you into trouble!

MALICIOUS OR CARELESS DAMAGE

Someone may accidentally or deliberately delete or change a file on your PC when you're not around. If you don't keep your PC locked in a safe, then this is a risk. Who knows what was changed or deleted? Wouldn't it be nice to know if anything changed over the weekend? Most such damage is done unintentionally by someone you probably know. This person didn't mean to cause trouble; he simply didn't know what he was doing when he used your PC.

SOFTWARE PROBLEMS

This category accounts for more damage to programs and data than any other. We're talking about non-malicious software problems here, not viruses. Software conflicts, by themselves, are much more likely threats to your PC than virus attacks. We run our PCs today in a complex environment. There are many resident programs (TSRs such as Sidekick) running simultaneously with various versions of DOS, BIOS and device drivers. All these programs execute at the same time, share data and are vulnerable to unforeseen interactions with each other.
Naturally, this means that there may be some subtle bugs waiting to "byte" us. Anytime a program goes haywire, there's the risk it may damage information on disk.

There's the further problem that not all programs do what we hope they will. If you have just undeleted a file, did you really get all the correct clusters back in the right order? When CHKDSK or Scandisk "fixes" your disk for you, isn't it essential to know exactly what files it changed to do its job? This is one more reason why everyone must have the capability to verify data integrity.

DANGER WITH COMPRESSION AND CACHE

Disk cache and compression programs (e.g., DriveSpace or Stacker) can cause random and unpredictable errors when reading or writing the disk. This can cause random damage to your data. In chapter six, I offer a full explanation of how to make sure you are using such programs safely.

SOFTWARE ATTACKS

These are programs written deliberately to vandalize someone's computer or to use that computer in an unauthorized way. Even though some viruses do not intentionally damage your data, I consider all viruses to be malicious software since they modify your programs without your permission, with occasional disastrous results. There are many forms of malicious software; sometimes the media refers to all malicious software as viruses. It's important to understand the distinction between the various types. Let's examine the different types of malicious software.

LOGIC BOMBS

Just like a real bomb, a logic bomb will lie dormant until triggered by some event. The trigger can be a specific date, the number of times executed, a random number, or even a specific event such as deletion of an employee's payroll record. When the logic bomb is triggered, it will usually do something unpleasant.
This can range from changing a random byte of data somewhere on your disk to making the entire disk unreadable. Changing random data may be the most insidious attack since it generally causes substantial damage before anyone notices that something is wrong. It's vital to have some data integrity software in place so that such damage can be quickly detected. Although you can detect it after the fact, there is unfortunately no way to prevent a well written logic bomb from damaging your system. On the other hand, a logic bomb that uses standard DOS or BIOS requests to do its dirty work can be caught by most interceptor type programs (see Chapter Two).

TROJANS

These are named after the Trojan horse, which delivered soldiers into the city of Troy. Likewise, a trojan program is a vehicle for delivering some destructive code (such as a logic bomb or a virus) into a computer. The trojan program appears to be a useful program of some type, but when a certain event occurs, it does something nasty and often destructive to the system.

WORMS

A worm is a self-reproducing program that does not infect other programs as a virus will, but instead creates copies of itself, which in turn create even more copies. These are usually seen on networks and on multi-tasking operating systems, where the worm will create copies of itself that are also executed. Each new copy will create more copies, quickly clogging the system. The so-called ARPANET/INTERNET "virus" was actually a worm. It created copies of itself through the ARPA network, eventually bringing the network to its knees. It did not infect other programs as a virus would, but simply kept creating copies of itself that would then execute and try to spread to other machines.

VIRUSES

Viruses are a subject of much confusion and a target of considerable misinformation, even from some so-called virus experts.
Let's define what we mean by virus:

A virus is a program that reproduces its own code by attaching itself to other programs in such a way that the virus code is executed when the infected program is executed.

You could probably also say that the virus must do this without the permission or knowledge of the user, but that's not a vital distinction for purposes of our discussion here.

Most viruses do their "job" by placing self-replicating code in other programs, so that when those other programs are executed, even more programs are "infected" with the self-replicating code. This self-replicating code, when triggered by some event, may do a potentially harmful act to your computer.

Viruses are initially distributed in the form of a trojan. In other words, the virus code has been planted in some useful program. Since the virus infects other useful programs, absolutely any piece of executable code can suddenly become a trojan delivery vehicle for the virus.

Another way of looking at viruses is to consider them to be programs written to create copies of themselves. These programs attach these copies onto other programs (infecting those programs). When one of these other programs is executed, the virus code (which was attached to that program) executes, and links copies of itself to even more programs.

GENERAL VIRUS BEHAVIOR

Viruses come in a great many different forms, but they all potentially have two phases to their execution, the infection phase and the attack phase:

1) When the virus executes, it will infect other programs. What's often not clearly understood is precisely WHEN it will infect the other programs. Some viruses infect other programs each time they are executed; other viruses infect only upon a certain trigger. This trigger could be anything; it could be a day or time, an external event on your PC, a counter within the virus, etc.
Modern viruses have become more selective about when they infect programs. Being selective improves the virus' chance to spread; if they infect too often, they will tend to be detected before they have enough time to spread widely. Virus writers want their programs to spread as far as possible before anyone notices them.

This brings up an important point which bears repeating: It is a mistake to execute a program a few times, find nothing infected, and presume there are no viruses in the program. You can never be sure that the virus simply hasn't triggered its infection phase!

Many viruses go resident in the memory of your PC in the same way as terminate and stay resident (TSR) programs such as Sidekick. This means the virus can wait for some external event before it infects additional programs. The virus may silently lurk in memory waiting for you to insert a diskette, copy a file, or execute a program, before it infects any other programs. This makes these viruses more difficult to analyze since it's hard to guess what trigger condition they use for their infection. Resident viruses frequently hook the system software on the PC (the DOS and BIOS disk and file services) to hide their existence. This technique is called "stealth" and I'll cover this in more detail shortly.

2) The second phase is the attack phase. Many viruses do unpleasant things such as deleting files or changing random data on your disk, simulating typos or merely slowing your PC down; some viruses do less harmful things such as playing music or creating messages or animation on your screen. Just as the virus's infection phase can be triggered by some event, the attack phase also has its own trigger. Viruses usually delay revealing their presence by launching their attack only after they have had ample opportunity to spread. This means that the attack may be delayed for years after the initial infection.
The attack phase is optional; many viruses simply reproduce and have no trigger for an attack phase. Does this mean that these are "good" viruses? No, unfortunately not! Anything that writes itself to your disk without your permission is stealing storage and CPU cycles. This is made worse since viruses that "just infect", with no attack phase, can still damage the programs or disks they infect. This is not an intentional act of the virus, but simply a result of the fact that many viruses contain extremely poor quality code. One of the most common viruses, the STONED virus, is not intentionally harmful. Unfortunately, this virus will write to an area on diskettes that may result in file corruption.

Now that we've examined general virus behavior, let's take a closer look at the two major categories of viruses and how they operate.

SYSTEM SECTOR VIRUSES

These are viruses that plant themselves in your system sectors. System sectors are special areas on your disk containing programs that are executed when you boot your PC. Sectors are not files but simply small areas on your disk that your hardware reads in single chunks. Under DOS, sectors are most commonly 512 bytes in length. These sectors are invisible to normal programs but are vital for correct operation of your PC. They are a common target for viruses. There are two types of system sectors found on DOS PCs:

DOS BOOT SECTORS

The very first sector on a disk or diskette that DOS is aware of is the boot sector. From a DOS perspective, this is the first sector on a disk. This sector can contain an executable program whether the disk is bootable or not. Since this program is executed every time you power on or boot your PC, it is very vulnerable to virus attack. Damage to this sector can make your disk appear to be unreadable. This sector is rewritten whenever you do a "SYS" or a "FORMAT /S" to a disk.
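To make the system sector discussion concrete, here is an added Python example (written for this edition; it is not Integrity Master's code and the manual contains no such program). It treats a 512-byte system sector the way a baseline-and-compare check must: verify the 0x55 0xAA signature, decode the partition table of a partition sector and the BIOS Parameter Block of a DOS boot sector, and report whether the boot program or the partition table differs from a saved copy. The sample sectors are constructed inline; the "patched" partition sector simply has its first bytes replaced, standing in for a virus that overwrote the boot program and left the table intact so that DOS still sees the disk normally. Function and field names are my own.

```python
"""Parse a 512-byte system sector and compare it with a saved baseline.

Added example, not Integrity Master's code. Standard layouts assumed:
  partition sector (MBR): boot program at bytes 0..445, four 16-byte
      partition entries at 446..509, signature 0x55 0xAA at 510..511;
  DOS boot sector: jump at 0..2, OEM name at 3..10, BIOS Parameter Block
      from byte 11, boot program after it, same signature at 510..511.
"""
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446
SIGNATURE = b"\x55\xaa"


def parse_partition_table(sector):
    """Decode the four partition entries (type 0 means an unused slot)."""
    entries = []
    for slot in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + 16 * slot)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def parse_bpb(sector):
    """Decode the first BIOS Parameter Block fields of a DOS boot sector."""
    (bytes_per_sector, sectors_per_cluster, reserved, fats,
     root_entries, total_sectors) = struct.unpack_from("<HBHBHH", sector, 11)
    return {"oem": sector[3:11].decode("ascii", "replace").rstrip(),
            "bytes_per_sector": bytes_per_sector,
            "sectors_per_cluster": sectors_per_cluster,
            "reserved_sectors": reserved, "fats": fats,
            "root_entries": root_entries, "total_sectors": total_sectors}


def check_sector(sector, baseline, kind):
    """Compare a freshly read sector with its baseline copy.

    kind is "partition" or "boot". For a partition sector the boot program
    and the table are reported separately: a system sector virus replaces
    the program but leaves the table alone, so the disk still looks normal
    to DOS and only the program region shows a difference.
    """
    result = {
        "length_ok": len(sector) == SECTOR_SIZE,
        "signature_ok": sector[510:512] == SIGNATURE,
        "changed": sector != baseline,
        "sha256": hashlib.sha256(sector).hexdigest(),
    }
    if kind == "partition":
        result["program_changed"] = sector[:TABLE_OFFSET] != baseline[:TABLE_OFFSET]
        result["table_changed"] = sector[TABLE_OFFSET:510] != baseline[TABLE_OFFSET:510]
    else:
        result["program_changed"] = sector[:510] != baseline[:510]
        result["table_changed"] = False
    return result


# --- constructed sample sectors (not taken from any real disk) ---------------

def make_mbr(program):
    """Build a partition sector with one bootable FAT16 partition of 65536 sectors."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(program)] = program
    # status, CHS start, type 0x06 (FAT16), CHS end, LBA start, sector count
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x07", 63, 65536)
    sector[510:512] = SIGNATURE
    return bytes(sector)


def make_boot_sector():
    """Build a 1.44 MB diskette boot sector with a minimal BPB and no program."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"          # JMP SHORT + NOP, as DOS writes it
    sector[3:11] = b"MSDOS5.0"
    struct.pack_into("<HBHBHH", sector, 11, 512, 1, 1, 2, 224, 2880)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# First instructions of a standard DOS MBR: CLI / XOR AX,AX / MOV SS,AX / MOV SP,7C00h
CLEAN_PROGRAM = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
# Arbitrary replacement bytes standing in for a virus's patched boot program.
PATCHED_PROGRAM = b"\xea\x05\x00\xc0\x07\x90\x90\x90"


def demo():
    """Compare a patched partition sector against the clean baseline copy."""
    baseline = make_mbr(CLEAN_PROGRAM)
    report = check_sector(make_mbr(PATCHED_PROGRAM), baseline, "partition")
    for key, value in report.items():
        print(f"{key}: {value}")
    return report


if __name__ == "__main__":
    demo()
```

The point of splitting the comparison into program and table regions is the one the manual makes next: a system sector virus that keeps the partition table intact leaves DOS perfectly happy, so only a saved copy of the whole sector (IM's PART.SRL and BOOT.SRL reload files serve this role) reveals the change.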
Warning: Even a non-bootable floppy can contain a virus in the boot sector. If you leave the floppy in your PC when you power on or boot (and your BIOS tries the diskette drive first, which is the usual setting), you will be infected even though the PC won't successfully boot from that floppy.

PARTITION SECTORS

On hard (fixed) disk drives, the very first sector is the partition sector (also known as the master boot record or partition table). Each physical hard disk drive has one of these sectors. A single physical disk can be partitioned into one or more logical disks. For example, you may have a physical drive partitioned into C: and D: logical disks so that your single physical disk appears (to DOS) to be two logical disks. The single partition sector contains the information that describes both logical disks. If the partition sector is damaged, then DOS may not even recognize that your disk exists.

The partition sector also contains a program that is executed every time you power up or boot your PC. This program executes and reads the DOS boot sector, which also contains a program. Many viruses plant their code in the partition sector.

System sector viruses modify the program in either the DOS boot sector or the partition sector. Since there isn't much room in the system sector (only 512 bytes), these viruses usually have to hide the rest of their code somewhere else on the disk. These viruses sometimes cause problems when this spot already contains data that is then overwritten. Some viruses, such as the Pakistani BRAIN virus, mark the spot where they hide their code as bad clusters. This is one reason to be alarmed if CHKDSK (or Scandisk) suddenly reports additional bad sectors on your disk.

These viruses usually go resident in memory on your PC and infect any floppy disk that you access. Simply doing a DIR on a floppy disk may cause it to be infected. Some viruses will infect your diskette immediately when you close the drive door.
Since they are active in memory (resident), they can hide their presence. If BRAIN is active on your PC, and you use a sector editor such as Norton's NU to look at the boot sector of an infected diskette, the virus will intercept the attempt to read the infected boot sector and return instead a saved image of the original boot sector. You will see the normal boot sector instead of the infected version. Viruses that do this are known as stealth viruses.

In addition to infecting diskettes, some system sector viruses spread by also infecting files. Viruses of this type are called "multipartite" (multiple part) viruses. Since they can infect both files and system sectors, they have more avenues to spread and are more difficult to remove.

FILE VIRUSES

In terms of sheer number of viruses, these are the most common kind. The simplest file viruses work by locating a type of file that they know how to infect (usually a file name ending in ".COM" or ".EXE") and overwriting part of the program they are infecting. When this program is executed, the virus code executes and infects more files. These overwriting viruses do not tend to be very successful since the overwritten program rarely continues to function correctly and the virus is almost immediately discovered.

The more sophisticated file viruses save (rather than overwrite) the original instructions when they insert their code into the program. This allows them to execute the original program after the virus finishes so that everything appears normal.

Just as system sector viruses can remain resident in memory and use "stealth" techniques to hide their presence, file viruses can hide this way also. If you do a directory listing, you will not see any increase in the length of the file, and if you attempt to read the file, the virus will intercept the request and return your original uninfected program to you. This can sometimes be used to your advantage.
If you have a "stealth" virus (such as 4096 or Dir-2), you can copy your program files (*.EXE and *.COM files) to files with other extensions and allow the virus to automatically disinfect your files! If you "COPY *.COM *.CON" while the virus is still resident, and then cold boot your PC from a known good copy of DOS and "REN *.CON *.COM", this will disinfect the renamed files. (The copy must be made while the virus is resident, since it is the virus itself that hands COPY the original, uninfected bytes; the rename must be done after a clean boot so the virus cannot reinfect the renamed files.) Some file viruses (such as 4096) also infect overlay files as well as the more usual *.COM and *.EXE files. Overlay files have various extensions, but ".OVR" and ".OVL" are common examples.

MIRACLE INFECTIONS

Would you believe that a virus can infect your files without changing a single byte in the file? Well, it's true! There are two types of viruses that can do this.

The more common kind is called the companion or spawning type virus. This virus infects your files by locating a file name ending in ".EXE". The virus then creates a matching file name ending in ".COM" that contains the viral code.

Here's what happens; let's say a companion virus is executing (resident) on your PC and decides it's time to infect a file. It looks around and happens to find a file called "WP.EXE". It now creates a file called "WP.COM" containing the virus. The virus usually plants this file in the current directory although it could place it in any directory on your DOS path. If you type "WP" and press ENTER, DOS will execute "WP.COM" instead of "WP.EXE", because DOS always tries the .COM name before the .EXE name. The virus executes, possibly infecting more files, and then loads and executes "WP.EXE". The user probably won't notice anything wrong.

This type of virus is fortunately easy to detect by the presence of the extra ".COM" files. There are some instances where it is normal to have both ".COM" and ".EXE" files of the same name (such as DOS 5's DOSSHELL) but this is relatively rare. Companion viruses could also work by creating other file types such as .EXE files to match existing .BAT files.
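The lookup rule that makes companion infection work can be checked mechanically. The following Python is an added example (written for this edition, not Integrity Master's code): it resolves a command name the way COMMAND.COM does (current directory first, then each PATH directory in order; within a directory .COM beats .EXE, which beats .BAT) and reports every command whose lookup now lands on a different file than it did in a saved baseline listing. The directory listings and PATH are constructed for the example, and the function names are my own.

```python
"""Resolve a command name the way COMMAND.COM does and flag hijacked lookups.

Added example, not Integrity Master's code. DOS rules used: the current
directory is searched first, then each PATH directory in order; within one
directory a .COM file is preferred to .EXE, and .EXE to .BAT. A companion
virus never touches WP.EXE; it only changes which file this lookup finds.
The directory listings below are constructed for the example.
"""

EXEC_ORDER = (".COM", ".EXE", ".BAT")


def resolve_command(name, cwd, path, listing):
    """Return (directory, file) that DOS would run for `name`, or None.

    `listing` maps each directory to the set of upper-case names it holds.
    """
    name = name.upper()
    for directory in [cwd] + list(path):
        files = listing.get(directory, set())
        for ext in EXEC_ORDER:
            if name + ext in files:
                return directory, name + ext
    return None


def command_names(listing):
    """Base names of every executable file in the listing."""
    names = set()
    for files in listing.values():
        for filename in files:
            base, dot, ext = filename.rpartition(".")
            if dot and "." + ext in EXEC_ORDER:
                names.add(base)
    return names


def hijacked_commands(baseline, current, cwd, path):
    """Commands whose lookup now lands on a different file than at baseline.

    A file that merely appeared is not reported; only one that captures an
    existing command is, which is exactly what a companion file does.
    """
    hijacked = {}
    for name in sorted(command_names(current)):
        before = resolve_command(name, cwd, path, baseline)
        after = resolve_command(name, cwd, path, current)
        if before is not None and before != after:
            hijacked[name] = (before, after)
    return hijacked


def com_exe_pairs(listing):
    """Directories holding both NAME.COM and NAME.EXE. Legitimate for a few
    products (DOS 5's DOSSHELL), so treat each hit as a lead, not a verdict."""
    pairs = []
    for directory in sorted(listing):
        files = listing[directory]
        for filename in sorted(files):
            if filename.endswith(".COM") and filename[:-4] + ".EXE" in files:
                pairs.append((directory, filename[:-4]))
    return pairs


PATH = ["C:\\UTIL", "C:\\DOS", "C:\\WP"]
BASELINE = {
    "C:\\": {"AUTOEXEC.BAT", "CONFIG.SYS", "COMMAND.COM"},
    "C:\\UTIL": {"IM.EXE"},
    "C:\\DOS": {"FORMAT.COM", "DOSSHELL.COM", "DOSSHELL.EXE"},
    "C:\\WP": {"WP.EXE"},
}
# Same disk after two companion-style plants plus one harmless new file.
CURRENT = {
    "C:\\": {"AUTOEXEC.BAT", "CONFIG.SYS", "COMMAND.COM"},
    "C:\\UTIL": {"IM.EXE", "FORMAT.BAT", "README.TXT"},
    "C:\\DOS": {"FORMAT.COM", "DOSSHELL.COM", "DOSSHELL.EXE"},
    "C:\\WP": {"WP.EXE", "WP.COM"},
}


if __name__ == "__main__":
    for name, (old, new) in hijacked_commands(BASELINE, CURRENT, "C:\\", PATH).items():
        print(f"{name}: was {old[0]}\\{old[1]}, now {new[0]}\\{new[1]}")
    print("COM/EXE pairs:", com_exe_pairs(CURRENT))
```

Running it reports two hijacked commands: WP (the classic .COM beside .EXE) and FORMAT, captured by a FORMAT.BAT in C:\UTIL, which precedes C:\DOS in the PATH even though a .BAT file ranks last within a single directory. The DOSSHELL pair is listed by com_exe_pairs but is not a hijack, since its lookup result did not change.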
A companion virus could also insert matching executable files into a different directory on your DOS path. Since DOS searches the directories in the PATH sequentially, a file in an earlier directory will be executed before one contained in a later directory. Be sure to look very closely if you notice unexpected new files appearing on your disk.

There is another type of virus known as a "cluster" virus that infects your files not by changing the file or planting extra files but by changing the DOS directory information so that directory entries point to the virus code instead of the actual program. When you type the name of the program, DOS loads and executes the virus code; the virus then locates the actual program and executes it. Dir-2 is an example of this type of virus and is now spreading rapidly around the world. I am deliberately keeping the description of this type of virus rather vague to avoid making it easier to write this type of virus.

MACRO VIRUSES

Many programs (e.g., most spreadsheets and word processors) provide what they call a "macro" capability. In their most simple form, macros allow you to record key strokes and then later play them back. Many popular programs, such as MS Word, Excel, Ami Pro, and Lotus 1-2-3, go far beyond keystroke recording and provide a mini programming language. The macros are intended to help users of these products automate routine or complicated tasks, but they can also be used to write viruses.

Since these macros can be saved in data files by the program, these data files must be considered to be executable (at least for people who have the program that can execute the macros stored in these files). These data files cannot execute by themselves but require the program (i.e., the word processor or spreadsheet) to execute them.
Any program that supports such macros (especially if there is a way to automatically execute such macros without the user being aware) is potentially susceptible to infection by a virus written in the macro language used by that product. We have currently seen a number of viruses that infect MS Word documents (and recently Ami Pro documents).

The very first macro virus to spread in the wild was Concept (AKA "Prank Macro" and WordMacro.Concept). It was discovered in August of 1995. This virus is now one of the most common viruses world-wide based on reports from our customers. Concept can infect any computer that uses MS Word 6.0 (or a later release). Since there is also a version of MS Word for Apple Macintosh computers as well as PCs, this virus will spread to (or from) a Macintosh if an infected document is exchanged.

While Concept can spread outside the PC environment, it's important to recognize this is a very limited virus. It will only spread to computers running MS Word. Actually it's more limited than that; it will only spread to computers using English language versions of MS Word 6.0 and later. It will not spread to German, French, Spanish, or Russian versions of MS Word.

If you take a quick look at Concept, it seems to break the rules for viruses. Concept infects MS Word documents. Simply opening an infected document causes the virus to infect your PC. I mentioned previously that viruses infect only executable programs. It seems a contradiction that a virus could infect documents. I also stated that to become infected by a virus, you must execute an infected program. Both these statements still hold true. To see how this is possible, let's take a close look at how Concept works.

HOW CONCEPT WORKS:

Concept was written using the "Macro" capability built into MS Word.
Actually it is somewhat of a misnomer to call this just a macro capability since it uses a full programming language called WordBasic that Microsoft provides with each copy of Word. The virus was written in WordBasic.

But MS Word documents can't contain macros, so how does the virus attach itself to documents? It does this by creating a "template" rather than a document. Templates are special files supported by MS Word that are used as a pattern for new documents. Templates, unlike documents, can contain macros. Concept causes infected documents to be saved as templates but with the ".DOC" extension normally associated with documents. After this happens, the original document no longer exists as a document but rather as a template with a ".DOC" extension. Templates normally have ".DOT" extensions, so the fact that the document has been converted to a template is not at all obvious. The virus consists of the macros that are stored inside of the template. But what causes the virus macros to be executed in the first place?

AUTOMATIC MACRO VIRUS EXECUTION

MS Word provides the capability to automatically execute a macro (in this case a WordBasic program) when you open a template. The infected templates contain such an AutoOpen macro; this is how the virus code (in the form of a WordBasic macro program) is executed when you open an infected document. This makes the virus very deceptive. Few users of MS Word realize that every time they open what they think is a document, they could be executing a viral program. This exposure is not unique to MS Word; it is also present in other environments that support macro languages, such as MS Excel, Ami Pro, Lotus 1-2-3, and Quattro Pro.

HOW CONCEPT SPREADS

Concept creates a "FileSaveAs" macro. This is the code that executes when you select "File Save As" from the MS Word File menu.
After opening an infected document, any use of "File Save As" will result in the document being saved as an infected template with the standard ".DOC" extension normally associated with documents. Since documents and templates are handled almost identically by MS Word, the user is not aware that anything unusual has happened when a document is converted to an infected template by the "FileSaveAs" macro.

Another interesting aspect of this virus is that once you open an infected document, the MS Word environment itself becomes infected. This means that if you restart MS Word with no files open, you will already be infected; all files saved with "File Save As" will be infected templates. The virus accomplishes this by modifying the "NORMAL.DOT" file. This file contains the global macros used by MS Word. Essentially this makes the virus' macros always present (and active) in the MS Word environment.

IS CONCEPT REALLY A VIRUS?

Microsoft originally called this virus "Prank Macro" and did not refer to it as a virus. Does this really qualify as a virus? Yes, unfortunately it does. When you open an infected document (actually a template), you automatically execute the virus code. This code modifies the MS Word environment so that all future documents saved using "File Save As" will be infected templates. This transfers the infection from one host document to another, and it is actually spreading in the wild.

Concept is fortunately very easy to spot. When you open an infected file for the first time, you will see a box appear containing the number "1" and nothing else. This apparently was intended by the author of the virus. The virus does not have a destructive payload, but it creates a macro called "Payload" that could easily be modified to do something destructive. Several quickie removers leave the "Payload" macro in place, since the presence of this macro will prevent reinfection by the virus. The virus checks for the presence of a macro called "Payload" and will not infect if it sees a macro called "Payload" already there. The virus also adds two other macros to the global macro pool: "AAAZA0" and "AAAZFS". These macros are very easy to spot and provide a quick way to check if you are infected. In MS Word, simply click on "Tools" and then "Macros" and check if these macros are listed.

Beyond spreading, this virus does no real damage. The same is not true for other macro-based viruses. Concept is fairly easy to deal with. Other viruses of this type will not be so easy. If you don't use MS Word you may think you are safe, but any program that supports a similar macro language is vulnerable to a virus of this type. MS Excel, Lotus 1-2-3, Ami Pro, and Quattro Pro contain languages which would allow writing of viruses that could spread in these environments. It's important to understand that such viruses would spread only within those specific environments rather than universally (the way existing executable and boot sector viruses spread).

PROTECTION AGAINST FUTURE MACRO VIRUSES

There are steps you can take now to protect yourself against future macro viruses similar to Concept.

1) If you click on "Options" under "Save", you can ask MS Word to get your approval before modifying NORMAL.DOT. This will disable one of the tricks used by Concept and likely used in future viruses of this type.

2) It should be obvious to you that the reason this virus works is that it executes without your knowledge in the "AutoOpen" macro. Turning this off would eliminate this type of attack, and the MS Word documentation provides a way to do this. Just start MS Word with the command:

        winword.exe /mDisableAutoMacros

   This supposedly disables all auto macros. Unfortunately, it doesn't work! I hope Microsoft will soon fix this so we can use the above option to prevent automatic execution of viral macros.

3) A technique which does work is to enter the following macro. Click on "Tools" and then "Macros" and create a new macro called "autoexec". (This macro will automatically execute every time you start MS Word.) Enter the following text as your macro (it's a short Word Basic program):

        SUB MAIN
            REM Turn off AutoOpen and the other automatic macros for this Word session
            DisableAutoMacros 1
            MSGBox "Automatic Macro Execution is now OFF",-1
        END SUB

   Every time you now start up Word, it will turn off automatic macros, effectively eliminating a viral attack using automatic execution macros.

4) Integrity Master, as well as some other more recent anti-virus products, will detect Concept and other more recent macro viruses.

POLYMORPHIC VIRUSES

To confound virus scanning programs, virus writers created polymorphic viruses. These viruses are more difficult to detect by scanning because each copy of the virus looks different than the other copies. Several virus authors have created tool-kits for other virus writers to use. The best known tool-kit is called the "Dark Avenger's Mutation Engine" (also known as MtE). This allows someone who has a normal virus to use the mutation engine with their virus code. If they use the mutation engine, each file infected by their virus will have what appears to be totally different virus code attached to it. Fortunately, the code isn't totally different, and now anyone foolish enough to use the mutation engine with their virus will be creating a virus that will be immediately detected by most of the existing scanners. Most of the viruses (such as Pogue, Dedicated, CoffeeShop, CryptLab, and Groove) which use the mutation engine pose little threat, since they are all simple-minded and rather buggy. There are now several other tool-kits available to create polymorphic viruses, such as the Trident Polymorphic Engine (TPE) and NED, but these have not resulted in significantly better viruses.
The polymorphic viruses that we actually see in the wild do not appear to be created using a polymorphic toolkit but were created from the ground up to be polymorphic. Tremor, Maltese Amoeba, and Pathogen are examples of these viruses. (Pathogen claims to use something called SMEG, but we haven't seen this as a separate tool-kit.) These viruses are all spreading quite widely, since the scanners were late in detecting them. These viruses are now quite common.

VIRUS TOOL KITS

Besides the polymorphic toolkits (e.g., the mutation engine), there are now several tool kits available to help people create viruses.

HOW MANY PC VIRUSES ARE THERE?

There are more PC viruses than all other types of viruses combined (by a large margin). Estimates of exactly how many there are vary widely, and the number is constantly growing. In 1990, estimates ranged from 200 to 500; then in 1991 estimates ranged from 600 to 1300 different viruses. In late 1992, estimates were ranging from 1000 to 2300 viruses. In late 1994 we had over 5,000 known viruses. Now, in early 1996, we have over 8,000 different viruses in our collection, but at least one person counts 12,000 viruses.

This confusion exists partly because it's difficult to agree on how to count viruses. New viruses frequently arise from some idiot taking an existing virus that does something like put a message out on your screen saying "Your PC is now stoned" and changing it to say something like "Donald Duck is a lie". Is this a new virus? Most "experts" say "yes." This is a trivial change that can be done in less than two minutes, resulting in yet another "new" virus.

Another problem comes from viruses that try to conceal themselves from scanners by mutating. In other words, every time the virus infects another file, it will try to use a different version of itself. These viruses are known as "polymorphic" viruses. One example, the WHALE (a huge, clumsy 10,000 byte virus), creates 33 different versions of itself when it infects files. At least one person counted this as 33 different viruses on his list.

Many of the large number of viruses known to exist have not been detected in the wild but probably exist only in someone's virus collection. Several authors of anti-virus products, including Mark Washburn and Ralph Burger, have written sophisticated viruses that are now on the loose, but other viruses that they created apparently exist only in virus collections. David M. Chess of IBM's High Integrity Computing Laboratory reports in the November 1991 Virus Bulletin that "about 30 different viruses and variants account for nearly all of the actual infections that we see in day-to-day operation." We now find that about 60 different viruses account for almost all the viruses that actually spread in the wild. How can there be only 60 viruses active when some "experts" report such high numbers? This is probably because most viruses are poorly written and cannot spread at all, or cannot spread without betraying their presence. Although the actual number of viruses will probably continue to be hotly debated, what is clear is that the total number of viruses is increasing rapidly, although perhaps not quite as rapidly as the numbers might suggest.

HOW SERIOUS ARE VIRUSES?

It's important to keep viruses in perspective. There are many other threats to your programs and data that are MUCH more likely to harm you than viruses. A well-known anti-virus researcher once said that you have more to fear from a cup of coffee (which may spill) than from viruses. While the growth in the number of viruses now puts this statement into question, it's still clear that there are many more occurrences of data corruption from other causes than from viruses. So, does this mean that viruses are nothing to worry about? Emphatically, no! It just means that it's foolish to spend much money and time on addressing the threat of viruses if you've done nothing about the other, more likely threats to your files. Because viruses are deliberately written to invade and possibly damage your PC, they are the most difficult threat to guard against. It's pretty easy to understand the threat that disk failure represents and what to do about it (although surprisingly few people even address this threat). The threat of viruses is much more difficult to deal with. There are no "cures" for the virus problem. Why is this so? We'll explore this in the next chapter on Protecting Your PC.

CHAPTER TWO - PROTECTING YOUR PC
____________________________________________________________________

HARDWARE PROTECTION

Hardware is the foundation upon which your whole system is built. If you have more than one or two PCs, you probably owe it to yourself to buy some diagnostic programs. If your PC is performing strangely or if a file is damaged, it's crucial to be able to determine whether hardware is the cause. You probably don't want to call in a repair person each time something strange happens. Even if you have just one or two PCs, there are some modestly priced diagnostic programs that are worth having.

One problem with diagnostic software (and hardware too, for that matter) is that when you run the diagnostics, everything may work perfectly, yet some time earlier there definitely was a problem. Intermittent problems like this are all too common. Disk problems can be the most insidious in this respect. When you run the diagnostics everything works fine. How can you find out what's happening? Run a comprehensive data integrity product (surprise)! This way you can find out if some data was damaged, but you don't have to spend days running diagnostics.
This also gives you early warning if your disk is just starting to have problems. If you haven't already, consider buying whatever you can to prevent your hardware from failing in the first place. Buy surge protectors, keep your PC clean, and regularly clean the heads on your tape and diskette drives. Be sure to protect your PC and keyboard from spilled coffee and similar threats.

Your hard disk is going to fail! It's not "if" but "when"! It's absolutely vital to be able to deal with this threat. Basic to dealing with this threat, and most of the others, is having backups. Please read the section in Chapter Five on Backup Policy. Your hard disk will most likely start performing erratically before it totally fails. It's essential to detect this as early as possible, before much data gets damaged. It will very likely NOT be obvious to you whether a hardware problem, a software problem or a virus is damaging your files. More on making this determination in the section in Chapter Five titled Determining Causes of Corruption.

"FIXING" YOUR DISK

Damage to your files could be caused by hardware, software or who knows what. When you are having the problem, your main concern is often not what caused it, but how to fix the damage. This is where the disk utility programs offered by Gibson, Norton, Mace, and Central Point are often very handy. They can sometimes take unreadable data and extract some of it, or if you have logical damage to your disk such as cross-linked clusters, these programs (and DOS CHKDSK/SCANDISK) may be able to fix things for you. Unfortunately, things are not always fixed perfectly when these programs say they are. Using a data integrity product (such as Integrity Master) will allow you to determine if everything really was put back together again. More importantly, a data integrity product can be used to more accurately diagnose what is wrong to begin with, so you don't attempt a repair which actually makes things worse.

GOOF PROTECTION

Who has never accidentally deleted or copied onto the wrong files? Very few of us! If you have a data integrity product (such as Integrity Master), a utility package (Norton, Mace, PC Tools, etc.) and current backups, you're all set. You could probably do without the utilities, but it's rather convenient to be able to unerase files after you inadvertently delete the wrong ones (this is built into DOS 5 and later releases). Of course, a backup program or an undelete utility won't help you if you didn't notice the incorrect delete when it happened and you now don't know what to restore or undelete. That's why data integrity software is a vital component of handling this threat.

INTRUSION PROTECTION

This may not be an issue if you keep your PC locked in a vault when you're not using it, but otherwise you can never be sure that an intruder hasn't changed something on your PC. Do you think I am exaggerating? I am not! The intruder may be your spouse or offspring. They probably have no intention of changing anything, but may be confused on how to use one of the programs on your PC, with the result that they inadvertently change the wrong file. On the other hand, you may work in an environment where someone may want to deliberately do you harm or perhaps just "play a little joke" on you.

There are programs available that modify the partition sector on your PC so that the hard disk is unavailable unless someone provides a password. There are add-in boards that provide the same function. Some PCs (e.g., PS/2 PCs) come with a power-up password. You can lock the case to your PC to make it more difficult to open. You may wish to consider any of these options depending upon how much risk you face, but please realize that they can all be bypassed in less than ten minutes by a knowledgeable user. Surveillance cameras are regarded as a fairly good deterrent to PC tampering. While you can't totally stop someone from breaking into your PC, you can detect and correct the damage. By using an integrity program that allows you to encrypt the integrity data or store the data off-line (on floppies), you can detect any illegal tampering, even from a technically advanced adversary.

VIRUS DEFENSES

There are various methods in use to protect against viruses. What follows is a quick review of the viral defense mechanisms that are widely used today.

SCANNERS

Once a virus has been detected, it is possible to write programs that look for telltale code (signature strings) characteristic of the virus. The writers of the scanner then extract identifying strings from the virus. The scanner uses these signature strings to search memory, files, and system sectors. If the scanner finds a match, it announces that it has found a virus. This obviously detects only known, pre-existing viruses. Many so-called "virus writers" create "new" viruses by modifying existing viruses. This takes only a few minutes but creates what appears to be a new virus. It happens all too often that these viruses are changed simply to fool the scanners.

The major advantage of scanners is that they allow you to check programs before they are executed. Scanners provide the easiest way to check new software for old (known) viruses. Since they have been aggressively marketed and since they provide what appears to be a simple, painless solution to viruses, scanners are the most widely used anti-virus technique. (Integrity Master can of course be used as a pure scanner, but we strongly suggest you allow it to protect you fully by also utilizing its integrity checking capabilities.)

Too many people seem to regard "anti-virus product" and "scanner" as synonymous terms. The peril here is that if too many people depend solely upon scanners, newly created viruses will spread totally unhindered, causing considerable damage before the scanners catch up with the viruses. An example of this was the attack by the Maltese Amoeba (Irish) virus in the UK. This virus was not detected prior to its destructive activation on November 1, 1991. Prior to its attack, it had managed to spread quite widely, and none of the existing (mostly scanner-based) products detected this virus. According to the December 1991 Virus Bulletin:

    "Prior to November 2, 1991, no commercial or shareware scanner (of which VB has copies) detected the Maltese Amoeba virus. Tests showed that not ONE of the major commercial scanners in use (the latest releases of Scan, Norton Anti-virus, Vi-Spy, VISCAN, Findvirus, Sweep, Central Point Anti-virus, et al.) detected this virus."

This incident points out the hazard of depending upon scanner technology or active monitor technology for virus protection.

Another major drawback to scanners is that it's dangerous to depend upon an old scanner. With the dramatic increase in the number of viruses appearing, it's risky to depend upon anything other than the most current scanner. Even that scanner is necessarily a step behind the latest crop of viruses, since there's a lot that has to happen before the scanner is ready:

o The virus has to be detected somehow to begin with. Since the existing scanners won't detect the new virus, it will have some time to spread before someone detects it by other means.

o The newly discovered virus must be sent to the programmers to analyze and extract a suitable signature string. This string must be tested for false positives on legitimate programs.

o This string must be incorporated into the next release of the virus scanner.

o The virus scanner must be distributed to the customer.

o In the case of retail software, the software must be sent to be packaged, to the distributors, and then on to the retail outlets.

Commercial retail software takes so long to get to the shelves that it is almost certainly out of date. Yet many retail products depend upon their scanner for most of their effectiveness. If you depend upon a scanner, be sure to get the latest version directly from the author. Also, be sure that you boot from a clean, write-protected copy of DOS before running the scanner; there's a good chance that the scanner can detect a resident virus in memory, but if it misses the virus in memory, the scanner will wind up spreading the virus rather than detecting it. Every susceptible program on your disk could be infected in a matter of minutes this way!

DISINFECTORS

Most vendors that sell scanners also sell a disinfector (sometimes it's the same program). A disinfector has the same limitations that a scanner has, in that it must be current to be safe to use and it's always one step behind the latest crop of viruses. The disinfector, however, has an even bigger disadvantage: many viruses simply cannot be removed without damaging the infected file. There have also been numerous reports that files are still damaged even when the program claims to have disinfected the file. A disinfector, like a scanner, can be a very handy tool in your anti-virus arsenal, but it must be used with care. If you use a disinfector, be sure you have the latest version direct from the author and use an integrity check to verify that all files and system sectors are correctly restored.

Currently, one of the oldest and most common infectors of files is the Jerusalem (1813) virus. All disinfectors naturally claim to be able to remove this virus. Yet the Jerusalem virus frequently overwrites part of the original file (due mostly to its many bugs), making it impossible to restore the infected program. In spite of this, most (if not all) disinfectors claim to disinfect Jerusalem-infected files. A very dangerous situation! I'd like to stress that:

IT IS TOTALLY UNSAFE AND IRRESPONSIBLE TO DEPEND UPON DISINFECTORS AS A WAY TO RECOVER FROM VIRUS INFECTIONS.

INTERCEPTORS

Interceptors (also known as resident monitors) are particularly useful for deflecting logic bombs and trojans. The interceptor monitors operating system requests that write to disk or do other things that the program considers threatening (such as installing itself as a resident program). If it finds such a request, the interceptor generally pops up and asks you if you want to allow the request to continue. There is, however, no reliable way to intercept direct branches into low-level code or to intercept direct input and output instructions done by the virus itself. Some viruses even manage to disable the monitoring program itself. It is important to realize that monitoring is a risky technique. Some products that use this technique are so annoying to use (due to their frequent messages popping up) that some users consider the cure worse than the disease! An interception (monitoring) product would be a useful adjunct to a data integrity program, as protection against some of the more simple-minded logic bombs.

INOCULATORS

There are two types of inoculators, or so-called "immunizers." One modifies files or system sectors in an attempt to fool viruses into thinking that you are already infected. The inoculator does this by making the same changes that the viruses use to identify the file or sector as infected. Presumably, the virus will not infect anything because it thinks everything is already infected. This works only for a very small number of viruses.
The second technique is actually an attempt to make your programs self-checking by attaching a small section of check code onto your programs. When your program executes, the check code first computes the check data and compares it with the stored data. It will warn you if it finds any changes to the program. Not only can this be circumvented by existing stealth viruses, but the self-checking code and check data can be modified or disabled as well. Another problem arises because some programs refuse to run if they have been modified in this way. This also creates alarms from other anti-virus programs, since the attached self-check code changes the original program in the same way a virus would. Some products use this technique to substantiate their claim to detect unknown viruses.

ROM AND ENCRYPTION

Placing executable code on a hardware write-protected device will protect all the programs on that device. Some PCs provide DOS in ROM (Read-Only Memory). This provides some degree of protection, but all the other programs are still vulnerable to infection. The more programs you can isolate on a write-protected device, the more effective this technology is. It's important to note that write-protected devices such as CD-ROMs can contain infected programs that can infect programs on your hard disk. In other words, the CD will not become infected while on your system, but it can contain a pre-existing infection that can spread to your PC.

Encryption is a promising technique that so far has not been successfully used to protect a system. Encrypting as many of your files as possible makes life harder for viruses, but does not stop them, since there is always some unencrypted code around (boot sector, BIOS, DOS, device drivers, etc.).

INTEGRITY CHECKERS

Integrity check based products work by reading your entire disk and recording integrity data that acts as a signature for the files and system sectors. A quality integrity check program is the only solution that can handle all the threats to your data along with viruses. Integrity checkers also provide the only reliable way to discover what damage a virus has done. A well-written integrity checker should be able to detect any virus, not just known viruses.

So, why isn't everyone using an integrity checker? Well, until recently, there hasn't been an integrity checker available without some significant drawbacks. In fact, many anti-virus products now incorporate integrity checking techniques. One problem with many products is that they don't use these techniques in a comprehensive way. There are still too many things not being checked. Some older integrity checkers were simply too slow or hard to use to be truly effective. A disadvantage of a bare-bones integrity checker is that it can't differentiate file corruption caused by a bug from corruption caused by a virus. Only recently have advanced integrity checkers (e.g., Integrity Master) become available that incorporate the smarts to analyze the nature of the changes and recognize changes caused by a virus. Some integrity checkers now use other anti-virus techniques along with integrity checking to improve their intelligence and ease of use.

If you choose an integrity checker, be sure it has all these features:

o It's easy to use, with clear, unambiguous reports and built-in help.

o It hides complexity, so that complicated details of system file or system sector changes are only presented if they present information the user must act upon.

o The product recognizes the various special system files on the PC, so it can alert the user with special warnings if vital files have changed.

o It's fast. An integrity checker is of no use if it's too slow to run.

o It recognizes known viruses, so the user doesn't have to do all the work to determine if a change is due to a software conflict or if it's due to a virus.

o It's important that the integrity computation be more sophisticated than a mere checksum. Two sectors may get reversed in a file, or other damage may occur that otherwise rearranges data in a file. A checksum will not detect these changes.

o It's comprehensive. Some integrity checkers, in order to improve their speed, don't read each file in its entirety. They read only portions of larger files. They just spot check. This is unacceptable -- it's important to know the file hasn't changed, not just that some of the file hasn't changed.

o It checks and restores both boot and partition sectors. Some programs check only files.

o It stores the integrity data in a secure (tamper-proof) manner and optionally stores it on a removable medium (e.g., a diskette).

(Fortunately, Integrity Master does all these things.)

GADGETS (Hardware protection)

There are currently some gadgets (hardware devices) that are sold as virus protection. So far, I haven't seen anything that provides protection beyond what is offered by software-only products. Beyond putting some of the anti-virus code in read-only memory (ROM), I've seen little that can be accomplished by existing hardware. In one product, the hardware was used to store some integrity data; a floppy disk can do the same thing, and it's actually more secure.

PREVENTION:

Hardware techniques, such as placing all your programs in read-only memory (ROM), can, in theory, provide virus prevention, but nothing even comes close to doing this yet. Pure software techniques can probably not prevent all viruses. There are all sorts of schemes that make it more difficult for a virus to penetrate your system, but none totally eliminate the threat of a virus. For each software-based technique, there is a way a virus could circumvent it. Software helps a lot, but isn't absolute protection. While prevention of viruses may not be possible, detection is.
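The checksum point in the integrity checker feature list above, worked through as an added example in Python (not code from this manual or from Integrity Master): an additive checksum cannot tell that two 512-byte sectors of a file were swapped, while position-sensitive integrity data can; the small check() routine also shows how an integrity database reports added, removed and changed files and raises a special warning when a vital system file changes. SHA-256, the VITAL_FILES names and all file contents are assumptions constructed for the demo.

```python
"""Added example (not Integrity Master code): why integrity data must be more
than a checksum, and how an integrity database reports changes.

Assumptions for the demo: SHA-256 stands in for whatever integrity data a real
checker records; the VITAL_FILES names and all file contents are constructed."""
import hashlib

SECTOR = 512
# Constructed: system files a checker would single out for special warnings.
VITAL_FILES = {"COMMAND.COM", "IO.SYS", "MSDOS.SYS"}


def additive_checksum(data: bytes) -> int:
    """The 'mere checksum' the text warns about: sum of all bytes, mod 2**16.
    Any rearrangement of the same bytes yields the same value."""
    return sum(data) & 0xFFFF


def digest(data: bytes) -> str:
    """Position-sensitive integrity data: every byte AND its position count."""
    return hashlib.sha256(data).hexdigest()


def swap_sectors(data: bytes, a: int, b: int, sector: int = SECTOR) -> bytes:
    """Simulate disk damage: return data with sectors a and b exchanged."""
    chunks = [data[i:i + sector] for i in range(0, len(data), sector)]
    chunks[a], chunks[b] = chunks[b], chunks[a]
    return b"".join(chunks)


# Constructed two-sector file: sector 0 counts up, sector 1 counts down.
ORIGINAL = bytes(range(256)) * 2 + bytes(range(255, -1, -1)) * 2
DAMAGED = swap_sectors(ORIGINAL, 0, 1)   # same bytes, different order


def initialize(files: dict) -> dict:
    """Build the integrity database: size and digest for every file.
    (A real checker records boot and partition sectors as well.)"""
    return {name: {"size": len(data), "digest": digest(data)}
            for name, data in files.items()}


def check(db: dict, files: dict) -> dict:
    """Compare the current files against the database and describe each change."""
    report = {"added": [], "removed": [], "changed": {}, "vital_alerts": []}
    for name in sorted(set(db) | set(files)):
        if name not in db:
            report["added"].append(name)
        elif name not in files:
            report["removed"].append(name)
        elif digest(files[name]) != db[name]["digest"]:
            delta = len(files[name]) - db[name]["size"]
            if delta > 0:
                note = f"grew by {delta} bytes (code appended?)"
            elif delta < 0:
                note = f"shrank by {-delta} bytes"
            else:
                note = "same size, contents altered"
            report["changed"][name] = note
            if name.upper() in VITAL_FILES:   # vital file: special warning
                report["vital_alerts"].append(name)
    return report


# Constructed snapshot of a few files, then the same files after changes.
CLEAN = {
    "COMMAND.COM": b"MZ" + b"\x90" * 64 + b"original command interpreter",
    "GAME.EXE": b"MZ" + b"\x90" * 32 + b"game code",
    "OLD.EXE": b"MZ old utility",
    "REPORT.DOC": b"Quarterly report text.",
}
LATER = dict(CLEAN)
LATER["GAME.EXE"] = CLEAN["GAME.EXE"] + b"+appended code"    # grew by 14 bytes
LATER["COMMAND.COM"] = CLEAN["COMMAND.COM"][:-3] + b"XYZ"   # same size, altered
LATER["NEW.EXE"] = b"MZ new program"
del LATER["OLD.EXE"]


def demo() -> dict:
    """Run both demonstrations and return the results."""
    return {
        "checksum_fooled": additive_checksum(ORIGINAL) == additive_checksum(DAMAGED),
        "digest_fooled": digest(ORIGINAL) == digest(DAMAGED),
        "report": check(initialize(CLEAN), LATER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```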
Detection, if applied carefully, can detect all viruses, no matter how tricky. If viruses are detected before they spread, the most serious aspect of the virus threat is eliminated. If integrity checking (detection) is practiced widely, the threat of a virus spreading to millions of PCs and then years later performing a destructive act can be eliminated. Integrity Master (tm) - 91- Data Integrity and Viruses CHAPTER THREE - VIRUS MYTHS ____________________________________________________________________ MYTHICAL SOURCES Attachment to a network or BBS Simply being attached to a network (such as CompuServe, or Internet), a bulletin board system (BBS), or even a local area network (LAN) will not make you susceptible to viruses. The only way you can get a virus is to execute a program on your PC that you obtained over the network. The mere act of downloading the program is harmless; it's only by downloading and then executing an infected program that your PC can become infected. I hope it's clear that the mere act of reading electronic mail cannot infect your PC. There is one thing that can happen though. If you have the device driver ANSI.SYS (or an equivalent) loaded (in your CONFIG.SYS file), someone could send a sequence of characters to your screen (ANSI sequence) that assigns a set of key strokes to a key on your keyboard. These keystrokes could easily be something harmful like "DEL *.*". When you press the key that was reassigned, the command would execute just as if you had typed it yourself. This "practical joke" could cause some trouble, but it certainly can't reproduce and isn't a virus. From Data Since data is not executed, you cannot become infected from data. If someone sent you a data file that contained a virus, you would have to rename the file and then execute it to become infected! You can, however, become infected from a diskette that is not bootable and contains no (apparent) programs. 
The explanation for this is that all diskettes have a boot sector that contains a program that can become infected by a boot sector virus. If you leave such an infected diskette in your drive when you power up or boot, your PC will be infected! From CMOS Memory PC AT (80286) type computers and later models contain a small amount of battery backed CMOS memory to store the configuration and to maintain the time and date. This memory is never executed, so although it could be damaged by a virus, you can never become infected from CMOS memory. While no virus will infect your CMOS, there are several that will change or erase your CMOS data. Integrity Master (tm) - 92- Data Integrity and Viruses QUICK AND EASY CURES I've discussed the various approaches to the virus problem, and you've no doubt seen that there are no instant cures for viruses, yet many products make claims that they can't quite support. Everyone would like to just buy product X, run it, and be rid of viruses forever. Unfortunately there is no such easy cure. SILLY TRICKS There have been many articles and books written by various virus "experts" that propose doing all kinds of things to virus proof your PC. Here are some of the tricks that I consider most widespread and most useless: WRITE-PROTECTING YOUR FILES You can use the DOS ATTRIB command to set the read-only bit on files. This is so easy for a virus (or any program) to bypass, that it simply causes far more problems than it cures. HIDING OR RENAMING COMMAND.COM COMMAND.COM is a program that executes each time you boot your PC. There was an early virus that only infected COMMAND.COM, so the idea of hiding or renaming this file began. Today, many viruses actually go out of their way to avoid infecting this file, since some anti-virus products single out this file and a few others for special scrutiny. With today's viruses, hiding COMMAND.COM is utterly futile. 
CHECKING TIME AND DATE STAMPS

While it's helpful to check the time and date stamps of your executable files for unexpected changes, this is not a reliable way to catch viruses. Many viruses are smart enough not to change the time and date stamps when they infect a file. Some viruses even hide the change to a file's size when they infect a file.

RETAIL SOFTWARE ONLY?

Several "virus experts" have suggested that users avoid downloading software and avoid shareware. There are no facts to support this viewpoint. The most common viruses are boot sector viruses such as Stoned and Michelangelo that spread when someone boots from an infected diskette. To spread these viruses, a physical disk must be passed around and then booted. Michelangelo spread widely because software distribution disks were infected with this virus. There was no reported incident of this virus spreading via shareware. It is, of course, wise to make sure that you download your software from a source that screens each program for known viruses.

You are actually more likely to be infected from software purchased at a retail outlet than from shareware. Quite a few viruses have been shipped directly from the software manufacturer in the shrink-wrapped packages. One major software company has on at least two separate occasions shipped a virus with their product. Buying shrink-wrapped retail software is much more dangerous than many people think it is, since many retailers accept returned software and then simply rewrap the software and sell it again. This software could have easily been infected by the first user who tried it and then returned it.

WRITE-PROTECTING YOUR HARD DISK

There are several programs that claim to write-protect your hard disk. Since this is done in software, it can be bypassed by a virus. This technique, however, will stop a few viruses and will protect your disk from someone inadvertently writing to it.
These programs are generally less effective than the virus interception products. It IS possible to write-protect a disk using hardware, but this does not seem to be readily available.

VIRUSES ARE THE BIG THREAT?

As we've seen in examining the other threats to the integrity of your data, viruses are among the less likely threats that you face. Don't protect yourself against viruses and ignore the other threats!

SAFE COMPUTING (SAFE HEX?)

You may have heard this rumor: "You don't need an anti-virus product, just backup your disk regularly and keep an eye on your programs." Yes, it is vital to have good backups, but that is no longer enough. You may also have heard that provided you don't share programs or download (practice "safe hex"), you have nothing to worry about. This is no longer sufficient protection; every time you buy a software package you are exposing yourself to virus infection. It is not possible to be safe from viruses by secluding your PC!

There are now some viruses that can do considerable damage. The worst ones damage your files slowly so even your backups may be useless unless you detect the damage before it's too late. Although viruses may not be very likely to attack your system when compared to other threats, they do represent a very real and very dangerous threat -- a threat you cannot ignore or combat merely with good backups, seclusion, or common sense.

CHAPTER FOUR - VIRUS REALITIES
____________________________________________________________________

THE ONLY REAL SOURCE OF VIRUSES

You can't get a virus merely by being connected to a network or bulletin board system (BBS). There is only one way you can get a virus and that's to execute a program containing a virus. Period. End of story. Well, almost the end of the story. What some people don't know is that every disk and diskette has a program on it, even if it appears empty.
This program is in the boot sector. Most people don't think of boot sectors as programs or perhaps even know that boot sectors exist. If you leave a data diskette in your A drive and boot your PC, you could be executing an infected program in the boot sector, thereby infecting your PC with a virus. Make sure you NEVER boot from a diskette unless it's a known good copy of DOS.

SHAREWARE IS AS SAFE OR SAFER

There is no reason to avoid shareware. If you want to get the latest anti-virus software, it's easiest to get it as shareware since you are buying directly from the author. Shareware does not have to go from the author to the publisher, then through the distribution chain before it even gets to sit on the shelf. Who knows how long your retail package has been on that shelf?

FEW VIRUS FREE PROGRAMS

Unfortunately, there is no way to look at a program (unless you wrote the program yourself in assembly language) and positively declare there's no virus in it. All you can say is that the program contains no known virus. You never know what may be lurking inside of a program waiting for just the right trigger to begin infection or perhaps an attack. While you can't be sure of detecting a virus while it's inert inside a program, you definitely CAN detect it as it infects or attacks your files. The changes which must be made by a virus can always be detected with the appropriate software.

OTHER CAUSES MORE LIKELY

Viruses are not the greatest threat to your data, so let's not forget about the other threats too.

WRITE-PROTECTING FLOPPIES

While write-protecting your files and your hard disk is of questionable value, you definitely CAN write-protect your floppy disks. Just cover the notch on the 5.25 inch diskettes, or on 3.5 inch diskettes, slide the little tab to expose the hole. The only risk here is that some diskette drives may be defective and still allow writing on the diskette.
If in doubt, do a test and check out your drive.

BEWARE THE CE AND THE DEMO!

According to our reports, one of the major sources for infections is the customer engineer (CE) or repairman. The CEs frequently carry diagnostic diskettes with them when they go from PC to PC on service calls. It's all too easy for these diskettes to become infected. Sales people doing demos on various PCs are also very susceptible to getting their demo diskettes infected.

CHAPTER FIVE - WHAT TO DO? SOME SUGGESTIONS:
____________________________________________________________________

ACTION IS VITAL - NOW!

Too many people wait for a virus to attack their PC before they take any action. Once a virus reveals its presence on your PC, it may be too late to recover damaged files. There are many viruses that cannot be successfully removed due to the way the virus infects the program. It's absolutely vital to have protection before the virus strikes. It's vital that you protect against all threats to data integrity, not just viruses. All threats to data integrity are much easier to deal with if they are detected as early as possible. If you wait until you notice that your hard disk is losing data, you may already have hundreds of damaged files.

BACKUP POLICY

It's essential to carefully protect all your software and regularly back up the data on all your disks. Do you have a single disk that you can afford NOT to regularly back up? It's rare to find any PC that does not have some type of important data stored on it.

SUGGESTED BACKUP POLICY:

1) All original software (program) diskettes should immediately be write-protected, copied and stored in two secure, separate locations after installation. If you are using an integrity check program, immediately record (initialize) the integrity data for the new programs after installing.

2) Determine a schedule for full backups by considering how frequently your data changes.
It is an excellent idea to have three full sets of backup tapes or diskettes and to store one set at another location to protect against fire, theft, or some other disaster. If your data is critical, you may wish to have a separate cycle of backups (e.g., quarterly or yearly) that can be used to recover when someone damages (or deletes) a vital file, but the deletion isn't discovered until months later.

3) The full backups should be coordinated with periodic incremental backups. The incremental backup, which copies just the files that have changed, normally runs very quickly and takes just a minute or so. Many people find that an incremental backup run at the end of each day works quite well. This way their data is protected should anything happen overnight.

4) Make sure you use reliable backup hardware and software. Periodically test by restoring from a backup. Too many people have discovered that their backup program couldn't recover their files when it was too late. If you use an integrity check program you can verify that the restored files are correct.

INTEGRITY CHECKING POLICY

Each PC which has data that you can't afford to lose or have corrupted should have a schedule of regular integrity checking, similar to the backup schedule. By doing once a week full integrity checks, you can stay one step ahead of any trouble. By doing a quick update of your integrity data on a daily basis, you can stay aware of exactly what changes in your PC and why. This way if you start to encounter a software conflict, a failing hard disk, or a virus, you'll be able to quickly differentiate the unusual changes from the usual ones.

Whenever you install new software, immediately record the integrity data for those programs, so that any future infection or damage can be detected. Whenever you copy programs, check that the new programs are exact copies of the originals.
The easiest way to do this is to always copy integrity data along with the programs. You can also use any integrity checker, checksum program, CRC program, cryptographic signature program, or even the DOS COMPARE utility to verify that you made good copies. Do this check only when you know no virus is in control of your PC; therefore, it's best to cold boot from a write-protected floppy to verify your program copies are good. A good scanner such as Integrity Master will verify that no known viruses are in memory, but it's nice to have assurance that no unknown viruses are present.

If you have diagnostic software, plan to run it at intervals. If you leave your PCs turned on at night, why not leave them running diagnostics?

RUN CHKDSK OR SCANDISK

Run CHKDSK (or some equivalent program such as NDD or SCANDISK) regularly on each PC, and pay attention to the results. If you are seeing problems, be sure you understand what's causing the problems. If you are experiencing cross-linked or lost clusters, something is being damaged. Run an integrity checker to find out exactly what is being damaged. Also pay attention to the amount of available memory. If this suddenly changes with no new resident (TSR) software installed, you may have a virus.

DETERMINING CAUSES OF CORRUPTION

It's not a question of "if" but a question of "when"; all too soon you are going to encounter a damaged file (a file that has changed for unknown reasons). How can you discover what caused the damage?

o First gather as much information as possible. Did you do anything unusual? Did you install any new software? Did you execute any programs that you don't normally use? Have you seen any signs of hardware problems? (See the section following on signs of hardware problems.)

o Run CHKDSK or Scandisk to see if your directories and other areas are OK.

o Run a full integrity check to see if anything else has changed.
o If you suspect hardware problems as the culprit, then run any diagnostic programs you have. If the diagnostics don't turn anything up, but you still suspect a hardware problem, then run your integrity check in full check mode daily for a while. This should help track down exactly what's happening in your PC.

o If you suspect software problems, run the software in question and then run your integrity check to see if anything is being corrupted. When doing this, it's very helpful to duplicate the original situation of the problem as closely as possible. Make sure the hardware is the same and that you have exactly the same resident programs and device drivers loaded as when the problem first occurred.

o Could the problem be a virus? If you think so, have you seen any of the signs of virus activity listed in the next section? Are only executable files (such as files ending in .EXE, .COM, .OVR, .OVL, .BIN, or .SYS) affected? If so, how many? If more than one or two unrelated program files have mysteriously changed, it could likely be a virus. Remember that some programs (such as WordStar and SETVER) modify themselves as part of normal execution. If the programs have changed but the DOS time and date stamps haven't, this is further reason to suspect either a serious problem or a virus. If you are not using an advanced integrity checker (such as Integrity Master) that recognizes known viruses, you may wish to get a virus scanner at this point to see if you have a known virus. If this turns up nothing, then it's time to play detective - you may have discovered a brand new virus (lucky you!). Please see the section in Chapter Seven on Playing Detective.

EDUCATION

One very important thing that you can do to assure the integrity of the data in your PCs is to educate everyone who uses a PC. It's vital that they understand how to back up their files and which files normally change on their PC and which ones don't.
If you can teach them to understand the output of a thorough integrity check program, then you'll be able to sleep at night knowing that all is well with your PCs! Even lacking an integrity check program, it's vital that everyone be aware of what problem signs to look out for. This way the more dangerous threats to data integrity will not go unnoticed.

SIGNS OF HARDWARE PROBLEMS

Watch out for recurring error messages that the disk is not ready when you try to boot the PC. If you periodically experience any type of disk-error message, or if disk accesses seem to be getting consistently slower, you may be experiencing the beginning of a serious disk problem.

SIGNS OF SOFTWARE PROBLEMS

These symptoms could reveal software conflicts or bugs:

o CHKDSK or Scandisk reporting problems.

o A file that was just processed by a program (such as a spreadsheet) is damaged or unreadable by the program, but you can copy the file with no error messages.

SIGNS OF VIRUSES

These symptoms may betray the existence of a virus:

o Disk activity when there should not be any activity. (Some disk caches cause this to happen normally.)

o Programs taking longer to load, but the disk drive appears to be healthy.

o Any unexplained behavior on the PC such as music, bouncing balls, black areas on the screen, falling letters, weird messages, or unexplained slowdown of the PC.

o Less total or free (available) memory on your PC (use CHKDSK or MEM). This should change only when you add new resident programs or device drivers. Note: most PCs have 655360 total bytes of memory, but certain models (e.g., some PS/2s) reserve a thousand bytes of high memory.

o Unexplained bad spots on your disk or fewer total bytes (as reported by CHKDSK).

o If you find extra executable files (e.g., ".COM" files) showing up, you may have a companion style virus.
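The integrity checking policy, the "programs changed but DOS time and date stamps haven't" sign and the "more than one or two unrelated program files" rule of thumb from the preceding sections, worked through as an added example (not the manual's text and not Integrity Master's code): a minimal Python checker that records integrity data after installation and, on a later full check, classifies each change. The file names, contents and time stamps are constructed, and SHA-256 stands in for the checksum a DOS-era tool would store.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions the text lists as executable on a DOS PC
EXEC_EXTS = {".exe", ".com", ".ovr", ".ovl", ".bin", ".sys"}


def file_record(path: Path) -> dict:
    """Integrity data for one file: size, time stamp and a strong hash of its contents."""
    st = path.stat()
    return {"size": st.st_size, "mtime": int(st.st_mtime),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}


def snapshot(root: Path, db: Path) -> dict:
    """Integrity data for every file under root, excluding the database itself."""
    return {str(p.relative_to(root)): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p != db}


def initialize(root: Path, db: Path) -> dict:
    """'Initialize': record integrity data right after installing new software.
    As the text says, this only means something when no virus is in control
    of the PC at the time the data is recorded."""
    records = snapshot(root, db)
    db.write_text(json.dumps(records, indent=1))
    return records


def check(root: Path, db: Path) -> dict:
    """Full check: compare the disk to the recorded data and classify each change."""
    old = json.loads(db.read_text())
    new = snapshot(root, db)
    findings = {"added": sorted(new.keys() - old.keys()),
                "deleted": sorted(old.keys() - new.keys()),
                "changed": [], "suspicious": []}
    for name in sorted(new.keys() & old.keys()):
        o, n = old[name], new[name]
        if o["sha256"] == n["sha256"]:
            continue                      # identical contents: a good copy
        # An executable whose contents changed while its DOS time stamp did not
        # is the pattern the text warns about: viruses that preserve the stamp.
        if Path(name).suffix.lower() in EXEC_EXTS and o["mtime"] == n["mtime"]:
            findings["suspicious"].append(name)
        else:
            findings["changed"].append(name)
    return findings


def verdict(findings: dict) -> str:
    """The text's rule of thumb: more than one or two unrelated programs changing
    mysteriously points at a virus rather than at a single buggy program."""
    n = len(findings["suspicious"])
    return "likely virus" if n >= 2 else ("investigate" if n == 1 else "no virus signs")


def demo_integrity_check() -> dict:
    """Constructed scenario: install four files, initialize, then make three kinds of change."""
    root = Path(tempfile.mkdtemp())
    db = root / "INTEGRITY.DAT"
    base = 1_000_000_000                  # fixed time stamp keeps the run deterministic
    files = {"PROG.COM": b"\xB8\x00\x4C\xCD\x21",   # constructed: mov ax,4C00h / int 21h
             "TOOL.EXE": b"MZ" + bytes(64),
             "SETVER.EXE": b"MZ" + bytes(32),
             "LETTER.TXT": b"Dear reader,\r\n"}
    for name, data in files.items():
        (root / name).write_bytes(data)
        os.utime(root / name, (base, base))
    initialize(root, db)

    # 1) Two programs grow, but their time stamps are put back as they were.
    for name in ("PROG.COM", "TOOL.EXE"):
        with open(root / name, "ab") as f:
            f.write(b"\x90" * 16)
        os.utime(root / name, (base, base))
    # 2) Legitimate self-modification (as SETVER does): the stamp moves forward.
    (root / "SETVER.EXE").write_bytes(b"MZ" + bytes(33))
    os.utime(root / "SETVER.EXE", (base + 60, base + 60))
    # 3) Ordinary data edit: never 'suspicious', however the stamp behaves.
    (root / "LETTER.TXT").write_bytes(b"Dear reader, hello\r\n")
    os.utime(root / "LETTER.TXT", (base + 60, base + 60))
    return check(root, db)


if __name__ == "__main__":
    result = demo_integrity_check()
    print(json.dumps(result, indent=1))
    print(verdict(result))
```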
RESPONSIBILITY

If you are in a larger organization, it's crucial that someone has the responsibility for assuring data integrity. The first task facing this person would be to assure that all important data is backed up and that all users are educated with respect to normal operation of their PC. The next step would be to start a regular program of integrity checking.

POLICY AND ROUTINE

The procedures for backing up and checking the integrity of critical data cannot be left to word of mouth, but should be clearly explained in a written set of procedures. Data integrity is too important to leave to chance. If this isn't done, guess what gets put on the back burner (in other words: not done) when people get busy? (Who isn't busy?)

Some recommended procedures:

o Never leave a floppy disk inserted in a drive longer than necessary. Remove all diskettes immediately. This reduces the chance of inadvertently booting from the diskette and picking up a boot sector virus.

o Check the integrity of all files after installing new software or copying programs.

o If a stranger (such as a sales or repair person) runs software on a PC, do a full integrity check immediately afterwards.

o Immediately write-protect and back up all diskettes containing software.

o Schedule regular incremental and full backups.

NETWORKS AND VIRUSES

Make sure that any shared executable files allow only execute or read access. Execute-only is best, but it's essential not to allow write access. Most network compatible programs allow you to store the files they write to on separate disks from the programs themselves. Be sure to limit write access with access rights, not with file attributes (Netware FLAG or FLAGDIR). A virus can easily bypass file attributes, but access rights can thwart the virus's attempts to write to the shared disk.

The LAN administrator needs to have two accounts -- one privileged and one not.
For normal use, the LAN administrator should use the less privileged account. The privileged account should be used only when the job requires supervisor rights. It's critical that any user with supervisory rights log off as soon as possible and never execute any other programs, especially those on a workstation.

Run regular integrity checks on the file server. This is important on the workstations too, but is critical on the file server since an infected file here could quickly infect all the workstations on the network. Never access an unchecked workstation with network administrator (supervisor) authority!

GUIDELINES FOR USING ANTI-VIRUS PRODUCTS

Most modern anti-virus products use a combination of the techniques I just mentioned. Unfortunately, most products still get almost all of their protection from their scanner component. It's vital to understand exactly how your product works so that you understand what type of protection you really have. Here are some rules that will help you make sure that you get maximum protection out of whatever product you already have:

o Be sure to cold boot your PC from a write-protected diskette before virus checking. This provides the best protection against unknown resident viruses. Most anti-virus products make this recommendation, but this rarely gets done because the recommendation is often buried in some obscure location in the documentation. If your PC is infected with a virus that your scanner does not recognize, you could infect all the programs on your disk. Don't take this chance; boot from a write-protected diskette before you scan. (IM version three offers a resident program check as an alternative to cold booting.)

o If you are using a product which depends mostly on its scanner component, make sure that you always have the latest version. Scanners are often updated every 30 to 60 days.

o Before you execute or install any new software, check it first.
If it comes with an install program, check again after you install the software; an install program will frequently change or decompress executable programs. After you first execute brand new software, do an additional check of your system to make sure everything is as it should be.

o If your product contains a scanner component, consider checking the boot sector on all diskettes brought in from another location -- EVEN DATA DISKETTES! Inevitably someone will leave one of these diskettes in their A drive, potentially spreading a boot sector virus.

(Note: pages 103 to 108 are not included in this file.)

CHAPTER SEVEN - HANDLING A VIRUS ATTACK
____________________________________________________________________

DON'T PANIC

Don't do anything rash if you suspect a virus attack. Be skeptical; there are quite a few practical joke programs that behave exactly like viruses. There's even a virus simulator that simulates the Ping Pong (bouncing ball), Jerusalem (black hole), Cascade (falling letters on the screen), Yankee Doodle (music) and a few other viruses. It's perfectly harmless, but it has alarmed many people. Don't do anything drastic until you confirm that it really is a virus.

REPORT THE ATTACK

Report the virus attack to the police or to a virus researcher or anti-virus developer. We need to stop sweeping this under the rug. If we can track where viruses first get started, then maybe we can apprehend the culprits who are writing and distributing these things.

PLAY DETECTIVE

It is very important that you track down how you got the virus. If you got it from someone's software, it's vital that they be notified. The sooner these viruses are detected, the less damage they can do. Suppose you have indications of a virus, but your software doesn't identify it as a known virus. What do you do?
First, cold boot (press the red reset button or power off and back on) from a known good write-protected copy of DOS on a diskette. Run a full integrity check. Run CHKDSK and print the results. Now execute any suspect programs. Execute them several times. Viruses may wait for some trigger event to begin infection. Run CHKDSK again to see if the amount of free memory has been reduced. This is a sign of a virus going resident in memory. Now cold boot again and rerun an integrity check. Repeat this cycle with the various suspect programs. This should track down the guilty program if you've got one. Keep in mind that if it's a virus, it will modify other programs and those programs should themselves further modify other programs. By executing the modified programs, it's possible to tell whether you really have a virus or you just have a buggy program that is accidentally writing to other programs.

CLEAN HOUSE

Follow these steps when removing a virus from your PCs:

o Cold boot (power off and on or press the reset button) from a known good write-protected copy of DOS.

o Delete all infected files.

o Reload any infected system sectors. If you do not have a utility to reload the DOS boot sector, you can use the DOS "SYS" command after cold booting from a write-protected diskette (e.g., "SYS C:").

o Rerun a full integrity check, or at least a scan if you don't have an integrity checker.

o Check any floppies that may have been infected. Remember, if you have a system sector virus such as Stoned, Joshi or Brain, even empty data diskettes can be infected. Check them all.

o Notify any other PC users you have contact with to check their PCs.

GUARD THE HOUSE

Virus infections return in a very high number of cases. This is usually because somewhere there is an infected file or diskette that was missed in the first cleaning.
Run your integrity checker or antivirus program daily, for the next month, to catch a possible repeat infection.

This file is a portion of the book "Defeating Viruses and Other Threats to Data Integrity" that accompanies the registered version of Integrity Master. All portions of this file are copyright by Stiller Research (1990-1997) and no portion of this text may be used or quoted without written permission from Stiller Research.