RESIDENT PROGRAM AND MEMORY CONFIGURATION

This file explains how the "Resident program and memory" configuration check works and how to best use this new feature.

IM checks your PC to see if anything has changed the low-level memory resident programs that provide access to your hardware. This allows IM to detect memory resident viruses unknown to its scanner component without booting from a floppy. It also provides you a warning if the configuration of your PC has changed.

You can invoke the configuration check by using the "Resident program and memory" or "Entire disk integrity" options on the Check menu or with the /CM command line switch. IM will return an ERRORLEVEL of 24 if it finds memory changes that resemble those a virus would make, or an ERRORLEVEL of 16 if the changes are significant but not likely to be due to a virus.

You can use the command line /MS# option (or SetupIM) to vary the sensitivity of IM to resident program configuration changes. The sensitivity can be set from 0 to 9. 0 turns the check off, and 9 provides maximum sensitivity to changes. 4 is the default (and recommended) setting. 9 is useful for researchers and on systems where there should be no software changes at all.

WHAT TO DO IF IM FINDS A CONFIGURATION CHANGE
---------------------------------------------

After each check IM provides a display of what has changed. IF THERE IS A SIGN OF A CONFIGURATION CHANGE WHICH COULD BE DUE TO A VIRUS OR WHICH COULD AFFECT THE SECURE OPERATION OF YOUR PC, IM WILL ALERT YOU. Here's what you should do:

1) Boot from a clean write protected diskette containing IM.EXE and IM.PRM.

2) Run a full (not quick update) check on your disk. A virus would be indicated by a change to a boot sector or changes to your executable files.

3) If there is no sign of a virus, then the change is probably normal and you can "Initialize" (IM /IM) to record the current configuration. You may wish to determine exactly what has changed, though. See the list under NORMAL CHANGES below.

4) If your environment frequently changes, you may wish to decrease IM's sensitivity to detecting these changes. The sensitivity level is normally set to 4 (/MS4). You can use the SetupIM "advanced option" menu or the /MS command line parameter to do this (e.g. "/MS3" will set the sensitivity to 3).

NORMAL CHANGES
--------------

Here is a list of changes in your configuration that will be detected as memory and/or interrupt changes:

o Installing a new version of an operating system (e.g., DOS, OS/2, Windows, or Network).

o Installing a new device driver (e.g. a DEVICE= statement in your CONFIG.SYS file).

o Installing new memory resident (TSR) software.

o Installing a new memory manager or changing the settings that control your memory manager (in other words, changing what gets loaded in high or upper memory).

o Changing your cache or print spooler.

o If your PC is running as a network server, there will be a difference depending upon the state of the server (e.g., starting, stopping, suspending, etc.).

o Changing the DOS session settings under Windows or OS/2. (Under Windows or OS/2, you can change settings for DOS sessions such as the amount of extended memory, display handling, mouse, file handles, etc.)

DETAILS OF IM'S CONFIGURATION CHANGE DISPLAY
--------------------------------------------

IM provides a detailed display of what has changed in your PC's configuration. It is NOT necessary to understand these changes, since IM will alert you if these changes require any action. For the more technically inclined users, here is what IM displays:

DOS version - This shows the release of DOS running currently and the version which was running when IM last recorded (initialized) configuration data for your PC. A DOS version 10 or 20 indicates OS/2. (Note that Win95 still runs on a base DOS system.)

Windows Version - If Windows is active when IM is running, the version will be displayed here. Win95 reports itself as version 4 and Windows NT as 3.5.

Available CPU Speed - This value is a measure of how many typical 80x86 instructions IM can execute in 1/9 of a second. This value will vary if your real time clock is unstable or if there are other programs executing at the same time. Variation in this value is normal under Windows, OS/2 and other multitasking operating systems. This value varies from 3 for an 8mhz PC/XT, 66 for a 386/33 to 800 for a Pentium/230.

Program Load Address - This is the address in DOS memory where your programs are loaded for execution. An increase in this address means something has grown or something new is occupying your low memory. You can use your memory manager to reduce this value by loading programs into upper memory.

Maximum DOS memory - This is the total amount of conventional DOS memory available on your PC. It's usually 655,360 bytes, but some PCs load a driver into this memory. Most boot sector viruses will reduce this value.

Unallocated DOS memory - This shows how much conventional memory is available in the first 1mb. Any new resident software (e.g. a resident virus) will reduce this value.

Resident programs changed for these interrupts - IM displays a list of interrupt numbers which have software that has changed. Interrupts are a low-level way to access your hardware or provide basic functions for your PC. Memory resident viruses, or installing new hardware, drivers or operating systems, will change the software associated with the interrupts. IM traces the actual interrupt code to determine what has changed and will occasionally report an interrupt number (especially Int 13h, the low-level disk interrupt) a number of times on the list when there are multiple programs that service the interrupt. Note that the multiplex interrupt (2F) will be different depending upon how you launch a program under Win 95. IM takes this difference into account when analyzing the changes.

USE UNDER WINDOWS AND OS/2
--------------------------

If you run IM in a DOS session (virtual DOS machine) under Windows or OS/2, you will see changes if you modify the DOS session settings. This essentially changes the resident software, which will be detected by IM. Keep your settings consistent to avoid confusion.

You will also see variation in the CPU speed reported by IM. This is due to the following factors:

1) Since other tasks execute in the background, these tasks will steal CPU power from IM.

2) The timer is less consistent under Windows than DOS so IM.

3) The memory load address of IM or part of the system has changed. This will change the CPU cache hits and misses and can change the reported speed by up to 90 percent.

HANDLING MULTIPLE CONFIGURATIONS (OR MULTI-BOOT)
------------------------------------------------

IF YOU CHANGE ANY BASIC SOFTWARE (E.G., DRIVERS, TSRS, CACHES, MEMORY MANAGERS, ETC.) IM WILL RECOGNIZE THIS AS A SERIOUS CHANGE. For this reason, it's important to compare within a fixed configuration.

IM provides support for multiple operating systems on your PC. IM stores the configuration of your PC in a different file for each operating system. IM uses a file name of MEMD.SRL (for DOS), MEMW.SRL (Win 3.x), MEM9.SRL (Win95), or MEMO.SRL (OS/2). If you are running a network, the 3rd character of the filename becomes an "N" (e.g., MEND.SRL). This allows you to run resident program checks under different PC configurations.

   +-----------------------+-----------+-------------+------------+
   |                       | DOS only  | Windows 3.x | Windows 95 |
   +-----------------------+-----------+-------------+------------+
   |Without network active:| MEMD.SRL  | MEMW.SRL    | MEM9.SRL   |
   +-----------------------+-----------+-------------+------------+
   |With network active:   | MEND.SRL  | MENW.SRL    | MEN9.SRL   |
   +-----------------------+-----------+-------------+------------+

What this means is that if the only change you make to your configuration is to switch between running DOS, Windows or a network, IM will handle this automatically. If you make changes beyond this and wish to run a configuration check in each one, you will need to use the /MF= command line parameter.

IM provides the /MF=filename command line parameter so that you can store multiple memory configuration files in your home directory. To do this, you will use a different filename with /MF= in each unique configuration.
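The following is an added example, not code from Integrity Master or its author. It models the check described in this file end to end: a snapshot carrying the fields of IM's change display (DOS and Windows version, program load address, maximum and unallocated DOS memory, the interrupt handlers), a comparison against a recorded baseline that yields the documented ERRORLEVELs 24 and 16 under the /MS sensitivity levels, and the MEMx.SRL / MENx.SRL file naming from the table above. The specific scoring rules (which changes count as virus-like, the multiplex interrupt 2Fh being ignored except at sensitivity 9, and sensitivities 1-2 reporting only virus-like changes) are assumptions drawn from the prose, not IM's real algorithm; the sample snapshots and their handler addresses are constructed.

```python
from dataclasses import dataclass

# ERRORLEVEL values the documentation gives for the /CM check
ERR_VIRUS_LIKE = 24    # memory changes that resemble those a virus would make
ERR_SIGNIFICANT = 16   # significant changes, but not likely due to a virus
ERR_NONE = 0


@dataclass
class MemSnapshot:
    """One recorded configuration: the fields IM's change display lists."""
    dos_version: str
    windows_version: str
    load_address: int          # segment where DOS loads programs
    max_dos_memory: int        # total conventional memory, usually 655360 bytes
    unallocated_memory: int    # free conventional memory in bytes
    interrupts: dict           # interrupt number -> handler as (segment << 16) | offset


def baseline_filename(os_name: str, network: bool) -> str:
    """Name of the stored configuration file for this OS/network combination."""
    os_letter = {"dos": "D", "win3": "W", "win95": "9", "os2": "O"}[os_name]
    return "ME" + ("N" if network else "M") + os_letter + ".SRL"


def changed_interrupts(old: dict, new: dict, ignore=frozenset({0x2F})) -> list:
    """Interrupt numbers whose handler differs between the two snapshots.

    2Fh (multiplex) is skipped by default because it legitimately differs
    with how a program is launched under Win95."""
    return sorted(n for n in set(old) | set(new)
                  if n not in ignore and old.get(n) != new.get(n))


def classify(old: MemSnapshot, new: MemSnapshot, sensitivity: int = 4):
    """Return (errorlevel, findings) for the change from old to new.

    The rules and sensitivity thresholds are assumptions modelled on the
    documentation's description of each field, not IM's real algorithm."""
    if not 0 <= sensitivity <= 9:
        raise ValueError("sensitivity must be 0..9 (/MS0 to /MS9)")
    if sensitivity == 0:                      # /MS0 switches the check off
        return ERR_NONE, []
    # Assumption: at maximum sensitivity even the multiplex interrupt counts.
    ignore = frozenset() if sensitivity == 9 else frozenset({0x2F})
    ints = changed_interrupts(old.interrupts, new.interrupts, ignore)

    findings = []
    # Virus-like signs: most boot sector viruses lower the conventional memory
    # ceiling, and a resident virus re-hooks the disk interrupt (13h) while
    # taking memory for itself.
    if new.max_dos_memory < old.max_dos_memory:
        findings.append((ERR_VIRUS_LIKE, "maximum DOS memory reduced"))
    if 0x13 in ints and new.unallocated_memory < old.unallocated_memory:
        findings.append((ERR_VIRUS_LIKE, "Int 13h re-hooked and unallocated memory reduced"))
    # Significant but usually benign signs: a new OS release, driver or TSR.
    if (old.dos_version, old.windows_version) != (new.dos_version, new.windows_version):
        findings.append((ERR_SIGNIFICANT, "operating system version changed"))
    if new.load_address > old.load_address:
        findings.append((ERR_SIGNIFICANT, "program load address increased"))
    if new.unallocated_memory < old.unallocated_memory:
        findings.append((ERR_SIGNIFICANT, "unallocated DOS memory reduced"))
    for n in ints:
        findings.append((ERR_SIGNIFICANT, "resident program changed for Int %02Xh" % n))

    # Assumption: sensitivities 1-2 report only virus-like changes; 3 and
    # above (4 is the default) also report the significant ones.
    if sensitivity < 3:
        findings = [f for f in findings if f[0] == ERR_VIRUS_LIKE]
    level = max((lvl for lvl, _ in findings), default=ERR_NONE)
    return level, findings


# Constructed sample snapshots; handler addresses are made up, not real IM output.
BASELINE = MemSnapshot("6.22", "none", 0x0A71, 655360, 602112,
                       {0x08: 0xF000FEA5, 0x09: 0xF000E987, 0x13: 0xF000EC59,
                        0x21: 0x0116109E, 0x2F: 0x01161084})
# Same PC after loading a keyboard TSR: the load address rose, free memory
# fell, and Int 09h and Int 2Fh now point into the TSR.
AFTER_TSR = MemSnapshot("6.22", "none", 0x0B10, 655360, 599552,
                        {0x08: 0xF000FEA5, 0x09: 0x0A720107, 0x13: 0xF000EC59,
                         0x21: 0x0116109E, 0x2F: 0x0A72025C})
# Same PC with a boot sector virus resident in the top 1 KB of conventional
# memory and hooking the disk interrupt.
AFTER_BOOT_VIRUS = MemSnapshot("6.22", "none", 0x0A71, 654336, 601088,
                               {0x08: 0xF000FEA5, 0x09: 0xF000E987, 0x13: 0x9FC0002C,
                                0x21: 0x0116109E, 0x2F: 0x01161084})

if __name__ == "__main__":
    for name, snap in (("after TSR", AFTER_TSR), ("after boot virus", AFTER_BOOT_VIRUS)):
        level, findings = classify(BASELINE, snap)
        print("%s: ERRORLEVEL %d" % (name, level))
        for _, text in findings:
            print("   ", text)
    print("configuration file under Win95 with network:", baseline_filename("win95", True))
```

Run stand-alone, the TSR case reports ERRORLEVEL 16 (load address, free memory and Int 09h changed, 2Fh ignored) and the boot virus case reports 24 (memory ceiling lowered, Int 13h re-hooked); lowering the sensitivity to 1 silences the TSR case but still reports the virus-like one, which is the behaviour step 4 above relies on.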