ThunderBYTE Anti-Virus Utilities
USER MANUAL

The ThunderBYTE Anti-Virus Utilities are a product of:
ESaSS B.V.
P.O. Box 1380
6501 BJ NIJMEGEN
The Netherlands

COPYRIGHT (c) 1996 by: ThunderBYTE B.V., Wijchen, The Netherlands.
All rights reserved. No part of this manual may be reproduced, stored in a retrieval system, or transmitted in any form, by print, microfilm, or by any other means without written permission from ThunderBYTE B.V.

TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page i

Table of Contents

Introduction ... 1
  A Word (or Two) of Thanks ... 1
  What Are the TBAV Utilities? ... 1
  The TBAV Utilities User Interface ... 5
  Conventions Used in This Manual ... 6
  How To Use This Manual ... 6
1 TBAV QuickStart ... 8
  1.1 Installing the TBAV Utilities ... 8
    1.1.1 Understanding System requirements ... 8
    1.1.2 Running INSTALL ... 8
    1.1.3 Installation on a network ... 11
    1.1.4 Starting And Ending TBAV ... 11
    1.1.5 Using TBAV Commands ... 14
    1.1.6 Getting Help ... 15
    1.1.7 Configuring TBAV ... 16
  1.2 Understanding TbSetup ... 18
  1.3 Understanding TbDriver ... 19
  1.4 Maintaining the System ... 20
    1.4.1 Maintaining ANTI-VIR.DAT Files ... 20
    1.4.2 Creating a New Recovery Diskette ... 20
    1.4.3 Getting Updates ... 20
    1.4.4 Maintaining a Network ... 21
    1.4.5 Using the PKUNZIP Utility ... 22
2 Defining Your Anti-Virus Strategy ... 24
  2.1 Protecting Yourself Against Virus Infection ... 24
  2.2 Recovering from Virus Infection ... 29
3 Using the TBAV utilities ... 33
  3.1 Using TbSetup ... 33
    3.1.1 Understanding TbSetup ... 33
    3.1.2 Working with the TbSetup Menu ... 34
    3.1.3 Maximizing TbSetup ... 40
    3.1.4 Understanding TbSetup's Operation ... 44
    3.1.5 Understanding TBSETUP.DAT Files ... 45
  3.2 Using TbScan ... 47
    3.2.1 Understanding TbScan ... 47
    3.2.2 Working with the TbScan Menus ... 48
    3.2.3 Maximizing TbScan ... 62
    3.2.4 Understanding the Scanning Process ... 72
    3.2.5 Understanding Heuristic Flags ... 76
  3.3 Using TbDriver ... 78
    3.3.1 Understanding TbDriver ... 78
    3.3.2 Working with TbDriver ... 78
    3.3.3 Maximizing TbDriver ... 79
  3.4 Using TbScanX ... 84
    3.4.1 Understanding TbScanX ... 84
    3.4.2 Working with TbScanX ... 84
    3.4.3 Maximizing TbScanX ... 86
    3.4.4 Understanding the Scanning Process ... 90
  3.5 Using TbCheck ... 92
    3.5.1 Understanding TbCheck ... 92
    3.5.2 Working with TbCheck ... 92
    3.5.3 Maximizing TbCheck ... 94
    3.5.4 Understanding the Scanning Process ... 96
    3.5.5 Testing TbCheck ... 96
  3.6 Using TbClean ... 98
    3.6.1 Understanding TbClean ... 98
    3.6.2 Working with the TbClean Menus ... 99
    3.6.3 Using TbClean Command Line Options ... 101
    3.6.4 Understanding the Cleaning Process ... 104
    3.6.5 Understanding Cleaning Limitations ... 106
  3.7 Using TbMem ... 108
    3.7.1 Introducing the TbMem, TbFile & TbDisk Utilities ... 108
    3.7.2 Loading TbMem, TbFile and TbDisk ... 108
    3.7.3 Using Command Line Options ... 110
    3.7.4 Understanding TbMem ... 110
    3.7.5 Working with TbMem ... 111
    3.7.6 Maximizing TbMem ... 112
    3.7.7 Understanding TbMem's Operation ... 114
  3.8 Using TbFile ... 116
    3.8.1 Understanding TbFile ... 116
    3.8.2 Working with TbFile ... 117
    3.8.3 Maximizing TbFile ... 117
  3.9 Using TbDisk ... 120
    3.9.1 Understanding TbDisk ... 120
    3.9.2 Working with TbDisk ... 121
    3.9.3 Maximizing TbDisk ... 122
    3.9.4 Understanding TbDisk's Operation ... 125
  3.10 Using TbUtil ... 126
    3.10.1 Understanding and using TbUtil ... 126
    3.10.2 Working with the TbUtil Menu ... 127
    3.10.3 Maximizing TbUtil ... 131
    3.10.4 Using the Anti-Virus Partition ... 137
    3.10.5 Using the TbUtil diskette ... 137
  3.11 Using TbLog ... 139
    3.11.1 Understanding and using TbLog ... 139
    3.11.2 Working with TbLog ... 139
    3.11.3 Maximizing TbLog ... 141
  3.12 Using TbNet ... 143
    3.12.1 Understanding TbNet ... 143
    3.12.2 Working with TbNet ... 143
    3.12.3 Maximizing TbNet ... 144
4 Understanding Advanced User Information ... 147
  4.1 Understanding Memory Considerations ... 147
    4.1.1 Understanding Memory Requirements ... 147
    4.1.2 Reducing Memory Requirements ... 148
  4.2 Understanding TbSetup ... 150
    4.2.1 Understanding ANTI-VIR.DAT File Design ... 150
    4.2.2 Editing the TBSETUP.DAT File ... 150
    4.2.3 Simplifying Installation on Several Machines ... 152
  4.3 Understanding TbScan ... 153
    4.3.1 Understanding Heuristic Scanning ... 153
    4.3.2 Understanding How Heuristic Scanning Works ... 155
    4.3.3 Understanding Integrity Checking ... 156
    4.3.4 Understanding the Scan Algorithms ... 157
    4.3.5 Understanding the TBSCAN.LNG File ... 159
    4.3.6 Understanding the TBAV.MSG File ... 160
  4.4 Understanding TbClean ... 161
    4.4.1 Understanding how a Virus infects a file ... 161
    4.4.2 Understanding Conventional Cleaners ... 161
    4.4.3 Understanding Generic Cleaners ... 163
  4.5 Using TbGenSig ... 165
    4.5.1 Understanding and using TbGenSig ... 165
    4.5.2 Working with TbGenSig ... 165
    4.5.3 Defining a Signature with TbScan ... 166
    4.5.4 Understanding Keywords ... 168
    4.5.5 Understanding a Sample Signature: Haifa.Mozkin ... 173
Appendices ... 175
  Appendix A: TBAV messages ... 175
    A.1 TbClean ... 175
    A.2 TbDriver ... 177
    A.3 TbScan ... 178
    A.4 TbScanX ... 179
  Appendix B: TbScan Heuristic Flag Descriptions ... 180
  Appendix C: Solving Incompatibility Problems ... 186
  Appendix D: TBAV Exit Codes and Batch Files ... 189
    D.1 TbScan Exit Codes ... 189
    D.2 TbUtil Exit Codes ... 189
    D.3 General Exit Codes ... 189
    D.4 Program Installation Check ... 189
  Appendix E: Virus Detection and Naming ... 191
    E.1 How Many Viruses Does TbScan Detect? ... 191
    E.2 The Virus Naming Convention ... 191
Index ... i

Introduction

A Word (or Two) of Thanks

Congratulations! By purchasing the ThunderBYTE Anti-Virus utilities you have taken the basic step in building a massive anti-viral safety wall around your precious computer system. Setting up the appropriate defense using the TBAV utilities is a personal matter. Therefore, we recommend that you read this manual thoroughly, so that you are well aware of the different kinds of security measures you can take.

What Are the TBAV Utilities?

ThunderBYTE Anti-Virus (TBAV) is a comprehensive tool kit designed to protect against, and recover from, computer viruses. While TBAV focuses heavily on numerous ways to prevent a virus infection, the package would not be complete without various cleaner programs to purge a system, in the unlikely event that a virus manages to slip through.
The package, therefore, consists of several programs, each of which helps you to prevent viruses from accomplishing their destructive purposes. Here is a quick overview.

TbSetup: Collecting Software Information

TbSetup is a program that collects information from all software it finds on your system. It places this information in files named ANTI-VIR.DAT and uses it for integrity checking, program validation, and cleaning infected files.

TbDriver: Enable Memory Resident TBAV Utilities

While TbDriver provides little protection against viruses by itself, you must load it in advance to enable the memory resident ThunderBYTE Anti-Virus utilities to perform properly. These utilities include: TbScanX, TbCheck, TbMem, TbFile, and TbDisk. TbDriver also provides basic protection against ANSI bombs and stealth viruses.

TbScan: Scanning for Viruses

TbScan is both a fast signature scanner and a so-called heuristic scanner. Besides its blazing speed, it has many configuration options. It can detect mutants of viruses, bypass stealth type viruses, etc. The signature file TbScan uses is a coded TBSCAN.SIG file, which you can update yourself in case of emergency.

TbScan will disassemble files. This makes it possible to detect suspicious instruction sequences and detect yet unknown viruses. As pointed out earlier, this generic detection, named heuristic analysis, is a technique that makes it possible to detect about 90% of all viruses by searching for suspicious instruction sequences rather than relying on any signature. For that purpose TbScan has a built-in disassembler and code analyzer.

Another feature of TbScan is the integrity checking it performs when it finds the ANTI-VIR.DAT files generated by TbSetup. Integrity checking means that TbScan verifies that every file it scans matches the information which was captured when the file was first analyzed by TbSetup and is maintained in the ANTI-VIR.DAT files.
If a virus infects a file, the information in the ANTI-VIR.DAT file will indicate that the file has been changed, and TbScan will inform you of this. TbScan performs an integrity check automatically, and it does not have the false alarm rate other integrity checkers have. The goal is to detect viruses and NOT to detect configuration changes!

TbScanX: Automatic Scanning

TbScanX is the memory resident version of TbScan. This signature scanner remains resident in memory and automatically scans those files that are being executed, copied, de-archived, downloaded, etc. TbScanX does not require much memory. It can swap itself into expanded, XMS, or high memory, using only one kilobyte of conventional memory.

TbCheck: Check While Loading

TbCheck is a memory resident integrity checker that remains resident in memory and automatically checks every file just before it executes. TbCheck uses a fast integrity checking method, which consumes only 400 bytes of memory. You can configure it to reject files with incorrect checksums, and/or reject files that do not have a corresponding ANTI-VIR.DAT record.

TbUtil: Restoring Infected Boot-Sector, CMOS and Partition Tables

Some viruses copy themselves into the hard disk's partition table, which makes them far more difficult to remove than boot sector viruses. Performing a low-level format is an effective, but rather drastic measure.

TbUtil offers a more convenient alternative by making a precautionary backup of uninfected partition tables and the boot sector. If an infection occurs, you can use the TbUtil backup as a verifying tool and as a means to restore the original (uninfected) partition table and boot sector, without the need for a destructive disk format. TbUtil can also restore the CMOS configuration for you. If a backup of your partition table is not available, TbUtil tries to create a new partition table anyway, again avoiding the need for a low-level format.
Another important feature of TbUtil is the option to replace the partition table code with new code offering greater resistance to viruses. TbUtil executes the partition code BEFORE the boot sector gains control, enabling it to check this sector in a clean environment. The TbUtil partition code performs a CRC calculation on the master boot sector just before the boot sector code activates and issues a warning if the boot sector has been modified. The TbUtil partition code also checks and reports changes in the RAM layout. It performs these checks whenever the computer boots from the hard disk.

We should point out that boot sector verification is imperative before allowing the boot sector code to execute. A virus could easily become resident in memory during boot-up and hide its presence. TbUtil offers total security at this stage by being active before the boot sector executes. TbUtil is far more convenient than the traditional strategy of booting from a clean DOS diskette for an undisturbed inspection of the boot sector.

TbClean: Reconstructing Infected Files

TbClean is a generic file cleaning utility. It uses the ANTI-VIR.DAT files generated by TbSetup to enhance file cleaning and/or to verify the results. TbClean can also work without these files. It disassembles and emulates the infected file and uses this analysis to reconstruct the original file.

TbMem, TbFile and TbDisk: Resident Safeguards

The TBAV utilities include a set of memory resident anti-virus utilities, consisting of TbMem, TbFile and TbDisk. Most other resident anti-virus products offer you the choice to either invoke them before the network loads (thereby losing the protection after the logon procedure), or to load the anti-viral software after logging onto the network, resulting in a partially unprotected system. The TBAV utilities, on the other hand, recognize the network
software and utilize their auto-configuration capabilities to ensure their continued functionality.

TbMem: Safeguarding Memory

TbMem detects attempts from programs to remain resident in memory and ensures that no program can remain resident in memory without permission. Since most viruses remain resident in memory, this is a powerful weapon against all such viruses, known or unknown. TbMem also protects your CMOS memory against unwanted modifications. The ANTI-VIR.DAT files maintain a database of the permission information.

TbFile: Executable File Protection

TbFile detects attempts from programs to infect other programs. It also guards read-only attributes, detects illegal time-stamps, etc. It ensures that no virus succeeds in infecting programs.

TbDisk: Protecting The Disk

TbDisk is a disk guard program that detects attempts from programs to write directly to disk (that is, without using DOS), attempts to format, etc., and makes sure that no malicious program succeeds in destroying your data. This utility also traps tunneling and direct calls into the BIOS code. The ANTI-VIR.DAT files maintain permission information about those rare programs that write directly to and/or format the disk.

TbGenSig: Define Your Own Signatures

Since TBAV includes an up-to-date, ready-to-use signature file, you do not really need to maintain a signature file yourself. If, however, during a crisis you need to define your own virus signatures, then the TbGenSig utility enables you to do this. You can use either published signatures or define your own if you are familiar with the structure of computer code.

TbDel: Remove Infected Files

The DOS DEL or ERASE command does not actually erase a file. It simply deletes the first filename character in the directory listing and frees up the space by changing the disk's internal location tables (File Allocation Tables). TbDel is a small program with a single, yet all-important purpose: it overwrites every single byte
in a file with the zero character (0) before deleting it, thereby obliterating all the data and making it totally unrecoverable.

TbMon: Installed Device Checker

To check for the presence of the resident TBAV utilities (TbScanX, TbCheck, TbMem, TbFile, TbDisk or TbLog) in batch files or login scripts, you can use the TbMon utility. TbMon returns a DOS error level, depending on the installed ThunderBYTE resident programs. The following list specifies the ThunderBYTE resident utilities and their respective error levels:

  +------------+-----------+
  |Utility Name|Error level|
  +------------+-----------+
  | TbScanX    |     1     |
  | TbCheck    |     2     |
  | TbMem      |     4     |
  | TbFile     |     8     |
  | TbDisk     |    16     |
  | TbLog      |    32     |
  +------------+-----------+

The error level returned by TbMon is the cumulative sum of the error levels of the installed devices. For example, if you have TbScanX and TbMem installed, TbMon will return error level 5 (1 + 4 = 5). Another example: if you have all utilities loaded, TbMon will return error level 63 (1 + 2 + 4 + 8 + 16 + 32 = 63). If none of the resident ThunderBYTE utilities are installed, TbMon will return error level 0 (zero).

The TBAV Utilities User Interface

The DOS version of TBAV utilizes a menu-driven interface that enables you to execute the utilities easily. You can also execute many of the utilities directly from the DOS prompt. One advantage of this is that you can use the utilities in batch files.

The Microsoft Windows version of TBAV utilizes the standard Windows interface, providing you a way to protect yourself from viruses while still working in the user-friendly Windows environment. TBAV-for-Windows is not described in this document. Please refer to the TBAV-for-Windows documentation for more information.
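The TbMon error level described above is a bit mask: each resident utility owns one power of two, so a script can recover the exact set of loaded utilities from the single number. The following is an added example (not part of the ThunderBYTE package) that decodes the level, computes the level a given set of utilities would produce, and lists which levels satisfy a required set; the table values are the ones given on this page.

```python
"""Decode and reason about TbMon's cumulative DOS error level (added example)."""

# Bit value of each resident utility, exactly as in the TbMon table above.
TBMON_LEVELS = {
    "TbScanX": 1,
    "TbCheck": 2,
    "TbMem": 4,
    "TbFile": 8,
    "TbDisk": 16,
    "TbLog": 32,
}
TBMON_MAX = sum(TBMON_LEVELS.values())  # 63 when every utility is loaded


def installed_utilities(errorlevel):
    """Return the utilities encoded in a TbMon error level, in table order.

    Because every value is a distinct power of two, the cumulative sum is a
    bit mask and each utility is recovered by testing its own bit.
    """
    if not 0 <= errorlevel <= TBMON_MAX:
        raise ValueError(f"not a TbMon error level: {errorlevel}")
    return [name for name, bit in TBMON_LEVELS.items() if errorlevel & bit]


def expected_errorlevel(names):
    """Compute the error level TbMon returns when exactly these are loaded."""
    return sum(TBMON_LEVELS[name] for name in set(names))


def missing_utilities(errorlevel, required):
    """List the required utilities that the error level shows are NOT loaded."""
    loaded = set(installed_utilities(errorlevel))
    return [name for name in required if name not in loaded]


def levels_satisfying(required):
    """All error levels in which every required utility is loaded.

    The result is not a contiguous range, which is why a login script cannot
    verify a particular set of utilities with one threshold comparison.
    """
    needed = expected_errorlevel(required)
    return [level for level in range(TBMON_MAX + 1) if level & needed == needed]
```

DOS's IF ERRORLEVEL n test is true for every level greater than or equal to n, so the scattered list returned by levels_satisfying shows why a script must compare against the exact levels rather than a single threshold.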
Conventions Used in This Manual

This manual uses several special conventions:

- References to the keyboard are as they appear on the 101-key enhanced keyboard.
- File names, DOS commands, emphasized words, and information that you are to type appear in UPPERCASE letters. The context should clearly dictate which of these is true in each case.
- References to individual TBAV utilities use a combination of uppercase and lowercase letters. For example, while TBSCAN.SIG refers to a signature file, TbScan refers to the utility itself.

How To Use This Manual

This manual consists of six chapters.

Chapter 1 provides you with the fastest way to get started with the TBAV utilities. It presents the major features of the program in a step-by-step format. We recommend that you start with this chapter.

Chapter 2 contains instructions on how to prevent viruses from infecting your computer system and directions on how to handle viruses when they do strike. We recommend that you also read this chapter because it contains several useful tips.

Chapter 3 contains a detailed description of both the purpose and functionality of all the TBAV for DOS utilities.

Chapter 4 contains advanced user information for those users who are more technically oriented.

This manual also contains five appendices. Appendix A describes TBAV messages, Appendix B describes heuristic flags, Appendix C addresses some incompatibility problems, Appendix D lists various exit codes for use in batch files, and Appendix E contains information on naming viruses. Finally, the Index provides you with the means of quickly finding any major topic.

NOTE: A complete reading of this manual is indispensable in order to become familiar with the many facets of the ThunderBYTE AntiVirus utilities; to know what steps you can, and must, take to ensure adequate protection and be fully prepared for a complete recovery, if and when disaster strikes.
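The Introduction above describes how TbSetup records every program in ANTI-VIR.DAT, how TbScan and TbCheck compare a file against that record, and how TbCheck can be configured to reject changed files and/or files without a record. The following is an added example written for this manual, not ThunderBYTE's own code: it models that workflow on a constructed directory. The record layout, the SHA-256 hash and the file names are assumptions; the real ANTI-VIR.DAT format is not described on this page.

```python
"""Model of TbSetup-style recording and TbCheck-style checking (added example)."""
import hashlib
import os
import tempfile

# Only executables are recorded, as TbSetup does, so a changed configuration
# file never raises an alarm: the goal is to detect viruses, not config changes.
EXECUTABLE_EXTENSIONS = (".com", ".exe", ".sys", ".ovl")


def fingerprint(path):
    """Record kept for one program: its size and a hash of its contents.

    SHA-256 is an assumption standing in for whatever checksum TbSetup stores.
    """
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}


def build_database(directory):
    """Walk a directory tree like TbSetup and record every executable found."""
    db = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(EXECUTABLE_EXTENSIONS):
                full = os.path.join(root, name)
                db[os.path.relpath(full, directory)] = fingerprint(full)
    return db


def check_before_execute(directory, relpath, db,
                         reject_changed=True, reject_unknown=False):
    """Decide, like TbCheck, whether a program may run.

    Returns (verdict, allowed) where verdict is "ok", "changed" or "unknown".
    The two reject_* flags mirror TbCheck's two configurable policies.
    """
    record = db.get(relpath)
    if record is None:
        return "unknown", not reject_unknown
    if fingerprint(os.path.join(directory, relpath)) != record:
        return "changed", not reject_changed
    return "ok", True


def demo():
    """Exercise both policies on a small constructed file tree."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        def write(rel, data):
            with open(os.path.join(d, rel), "wb") as f:
                f.write(data)

        write("EDIT.COM", b"\xb8\x00\x4c\xcd\x21")  # constructed tiny program
        write("TBAV.INI", b"colors=1\r\n")          # configuration, not recorded
        db = build_database(d)
        results["recorded"] = sorted(db)
        results["clean"] = check_before_execute(d, "EDIT.COM", db)
        # Simulate an infection: the program grows and its bytes change.
        write("EDIT.COM", b"\xb8\x00\x4c\xcd\x21" + b"constructed-infection")
        results["infected"] = check_before_execute(d, "EDIT.COM", db)
        # A program with no record: allowed or rejected depending on policy.
        write("NEW.EXE", b"MZ constructed")
        results["unknown_lenient"] = check_before_execute(d, "NEW.EXE", db)
        results["unknown_strict"] = check_before_execute(
            d, "NEW.EXE", db, reject_unknown=True)
    return results
```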
1 TBAV QuickStart

One of the problems with software manuals is they sometimes beat around the bush and don't get to the point, namely, how to use the software right now. This chapter presents the major features of TBAV and will get you up and running in the minimum amount of time.

1.1 Installing the TBAV Utilities

This section provides the initial installation instructions of the TBAV utilities for DOS. See the TBAV for Windows documentation for installing TBAV for Windows or the TBAV for Networks documentation for installing TBAV for Networks.

1.1.1 Understanding System requirements

The ThunderBYTE Anti-Virus utilities will run on any IBM or compatible PC that meets the following requirements:

- At least 1 megabyte of disk space
- 256 kilobytes of free internal memory
- DOS version 3.0 (DOS 5.0 or later recommended)
- A mouse is optional

NOTE: The TBAV utilities are compatible with networks, MS-Windows, Novell-DOS, etc.

1.1.2 Running INSTALL

You can install the TBAV utilities either by using the following installation procedure or by a fully customized procedure that you'll find in Chapter 2. To use the fast approach, follow these steps:

1. Insert the TBAV installation diskette in the diskette drive, type A: or B:, and press the ENTER key.

2. Type INSTALL and press ENTER. After a few seconds, the following window appears:

  +-------------------------+
  | Quit Installation       |
  | View TBAV.DOC file    > |
  | License TBAV          > |
  | Upgrade TBAV          > |
  | Custom Installation   > |
  | Express Installation  > |
  +-------------------------+

3. Since this is your first time installing the TBAV package, you choose the first option, which is already highlighted, so just press ENTER. Notice also that you can always select a menu option by pressing its first letter. Install now displays the Licensing Agreement.

4.
   Press the cursor movement keys (up and down arrows and Page Up and Page Down) to view the Agreement. When you finish reading the agreement, press ESC. Install now asks you to acknowledge the Agreement.

NOTE: You can exit Install at any time by pressing the ESC key until you get to the Main Menu or even to the DOS prompt.

5. Select the Your Name field, type in your name, and press ENTER.

6. Select the company field and repeat the procedure to enter your company name.

7. Press I to select the Terms field, type in YES to accept the agreement, and press ENTER. The Install Menu now appears.

8. While you will probably accept the defaults, if you need to change the source path (the path where the installation program itself resides, usually drive A:) or the default Destination path (where Install places the TBAV program files, usually C:\TBAV), select the field, make your changes, and press ENTER.

9. Press B (or highlight Begin Installation and press ENTER) to begin the installation. Install now scans your system to ensure that it is clean (that is, no files are infected by a virus) and informs you when it is done.

10. Press any key to continue. Install now copies the TBAV files to the destination directory and makes a backup of your AUTOEXEC.BAT file before making a few modifications to it. The installation program adds the TBAV directory to your PATH and adds a statement that will automatically run the TBSTART.BAT file.

NOTE: The TBSTART.BAT file, which resides in the TBAV directory, contains the following commands:

  C:\TBAV\TBDRIVER
  C:\TBAV\TBSCANX
  C:\TBAV\TBCHECK
  C:\TBAV\TBMEM
  C:\TBAV\TBFILE
  C:\TBAV\TBSCAN ONCE ALLDRIVES

You can configure these commands to suit your own personal needs.
NOTE: Install now displays a message recommending that you create a Recovery Diskette, which you can use in the future, for example, to restore your destroyed CMOS data, or to restore your hard disk's partition table after it has been tampered with.

11. Press any key to continue to the Final Menu. To create a Recovery Diskette, press M, insert a clean formatted diskette into Drive A, and press any key to continue. TBAV now copies the system files to the diskette. See the Prepare a Recovery Diskette section in Chapter 2 for more information. If you do not want to create a Recovery Diskette, press Q to Quit Install.

12. When TBAV finishes, press any key to continue. TBAV invokes TbSetup to generate an ANTI-VIR.DAT file for drive A and returns you to the Final Menu.

13. Press Q to Quit Install. Install now invokes TbSetup again to generate the ANTI-VIR.DAT reference files for your hard disk and then returns you to the DOS prompt.

CAUTION: It is extremely likely that some of the TBAV utilities are going to display messages if you now reboot and continue using the computer as you normally would. This is because some programs perform operations that the TBAV utilities monitor. TBAV, therefore, needs to learn which programs need proper permission. Before rebooting, execute some of the programs you use regularly and respond appropriately when TBAV requests permission to authorize or deny their use. TBAV remembers the settings and will not bother you again. Reboot the computer at the end of this test run.

14. After running some of the programs you use regularly (see the Caution above), reboot your system. The TBAV utilities are now ready to monitor your system and will issue a warning if something suspicious (or worse!) is about to happen. The TBAV utilities also warn you if any new file contains a possible virus, well before it can do any harm.
1.1.3 Installation on a network

If a workstation does not have a hard disk, you can invoke the TBAV utilities from a login script. You create a TbStart.Bat file containing the following:

  @echo off
  x:\apps\tbav\tbdriver.exe
  x:\apps\tbav\tbscanx.exe
  x:\apps\tbav\tbcheck.exe
  x:\apps\tbav\tbfile.exe
  x:\apps\tbav\tbmem.exe
  x:\apps\tbav\tbscan.exe alldrives
  exit

In the login script add the following line:

  #x:command.com /c /x:\apps\tbav\tbstart.bat

NOTE: You need to enter the correct drive ID for 'X:'!

1.1.4 Starting And Ending TBAV

You can run TBAV in two ways: run the menu interface or run individual utilities from the DOS prompt.

Starting TBAV With the Menu Interface

You can access most of the TBAV utilities from within the TBAV menu. To start TBAV with the menu, follow these steps:

1. At the DOS prompt, type CD \TBAV and press ENTER. This places you in the TBAV directory.

NOTE: This first step is actually optional since the TBAV directory was added to the PATH during installation. You would need this step, however, if you ever decided to remove that directory from the PATH.

2. Type TBAV and press ENTER. This starts TBAV and displays the menu interface.

3. A common task is to scan your hard disk for viruses. To do this, press S on the "Main Menu" to select the TbScan command. Press S again to select the "Start Scanning" command on the TbScan Menu. Press D on the "Path Menu" and press ENTER.

4. If TbScan finds a virus, it presents an action menu. "D)elete" deletes the infected file. "K)ill" also deletes the infected file, but in such a way that it can't be undeleted by an undelete utility (such as DOS's UNDELETE command). "R)ename" renames an EXE extension to VXE and a COM extension to VOM, preventing the execution of infected programs and thereby precluding the spread of an infection, and also enabling you to keep the file for later examination and repair.
   "C)ontinue scanning" continues the scan without taking action on the virus. "N)onstop continue" instructs TbScan not to stop when it detects a virus.

NOTE: If you use C or N, we recommend that you select L on the "TbScan Menu" and then O on the "TbScan Log Menu" so that TbScan will log detected viruses. To view this log, select V from the "TbScan Menu."

5. Another common task is to scan a diskette. To scan a diskette in drive A, press A, or to scan a diskette in drive B, press B.

6. You can use one of three methods to end TBAV:

   - Press X to exit and save any configuration settings you have set
   - Press Q to exit without saving any configuration settings
   - Press ESC, which is the same as pressing Q

Starting TBAV Utilities from the DOS Prompt

You can also start each of the individual TBAV utilities directly from the DOS prompt by typing the command name followed by one or more options (or switches) to control special features. You can use either the full name of the option or its one- or two-letter mnemonic to shorten the command line. For example, if you want to use TbScan to scan for viruses on your hard disk, you could execute either one of the following commands:

  TBSCAN ALLDRIVES
  TBSCAN AD

The advantage of being able to execute individual utilities is that you can use the utilities in batch files to create your own custom routines. A simple example of this is putting TbScan in your AUTOEXEC.BAT file so that it will scan for viruses when you boot up. To accomplish this, do the following:

1. If you are using DOS 5 or later, type CD\ and press ENTER to go to the root directory. Now type EDIT AUTOEXEC.BAT and press ENTER to load this file into the MS-DOS text editor Edit.

NOTE: If you are using a version of DOS prior to version 5.0, consult your DOS manual on how to edit AUTOEXEC.BAT.
You might have your own text editor that you can use, or you could even use a word processor to edit the file and then save it as an ASCII text file. Consult your word processor's documentation for instructions.

2. Add the following line to the beginning of the file, making sure you separate the options from the command and from each other using a space:

  C:\TBAV\TBSCAN AllDrives Once

3. Press ALT, F, S to save the file again, and then press ALT, F, X to exit the editor (that is, if you are using the MS-DOS text editor EDIT; otherwise, use the commands of your favourite editor to save the file, and to exit the editor).

4. Reboot your computer so the changes will take effect.

CAUTION: This line already exists in the TBSTART.BAT file, which runs automatically from AUTOEXEC.BAT. If you don't want to load all the TSR utilities that TBSTART.BAT loads, you could replace TBSTART.BAT with the above TBSCAN command. While this is still good protection, be aware that it doesn't fully protect your system. Refer to the Configuring TBAV section later in this chapter for more information on configuring TBAV.

Now the first time you boot your computer on a given day, TbScan will check for viruses on all fixed drives. Because of the OO option, however, if you boot again, you'll receive the "Option once already used today" message, meaning that since TbScan has already run once that day, it will not run again.

Another useful TBAV utility, not just for deleting infected files but any files you want destroyed, is TbDel. This utility overwrites every byte of a file with a nul character, thereby completely obliterating the file. If, for security reasons, you have files you want to destroy and prevent someone from undeleting using a file recovery program, enter the following command:

  TBDEL [filename]

WARNING: Be absolutely sure you want to destroy a file before using TbDel.
Once you execute the command, the file is gone forever, and no file recovery utility can bring it back. 1.1.5 Using TBAV Commands There are many commands in The TBAV Utilities, but most of them are available from the menu. You can select commands using either the keyboard or the mouse. To select a command, do one of the following: Highlight an option using the arrow keys and press Enter Press the highlighted letter of a command Move the mouse pointer to a command and click the left button As mentioned earlier, you can use all TBAV commands directly from the DOS prompt. You must separate the command from the first option and options from each other using a space. You can use the standard slash (/) character or hyphen (-) before an option, but it is not necessary. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 15 The standard command line syntax for all ThunderBYTE Anti-Virus commands is: COMMAND [<path>][<filename>] [<option>] [<option>] where <path> and <filename> is where you want the command to execute and <option> is the specific option you want to use. For example, the following command executes a virus scan on all executable files in the root directory of drive C: and all subdirectories and skips the boot sector scan: TBSCAN C:\ NOBOOT 1.1.6 Getting Help TBAV enables you to get help at any time, whether you are working from the menu or the DOS prompt. Getting Help From the Menu To get help at anytime while working from the TBAV menu, follow these steps: 1. From the Main Menu, select Documentation. 2. From the Documentation menu, select TBAV User Manual. 3. Use the up and down arrow keys and Page Up and Page Down to move through the manual. 4. Press ESC to exit the manual. TIP: Instead of using the internal file viewer to view the User Manual, you can substitute your own favorite viewer. See the Configuring TBAV section later in this chapter for details. 
Getting Help at the DOS Prompt

To get help about proper syntax when working with individual TBAV utilities, do one of the following:

- Type the name of the command followed by a question mark (?), TBSCAN ?, for example.
- Some commands (TbClean, TbDel, and TbUtil) display the Help screen if you type the command name only.
- Each command also displays the help screen if you issue the command with an invalid option.

1.1.7 Configuring TBAV

The choices you made when installing the TBAV utilities might need a little fine tuning. You might want to edit AUTOEXEC.BAT, as mentioned earlier, for example, or you might want to edit the TBSTART.BAT file, which AUTOEXEC.BAT executes. Additionally, you might want to change how TBAV operates within the menu interface. This section explains how you can configure the TBAV utilities and use them the way you prefer. The following sections explain how to customize TBAV.

NOTE: After making certain changes and then initializing and rebooting your system, TBAV needs to be "trained" as it encounters new TSRs.

NOTE: Options that have a check mark beside them are selected. Options may be toggled by pressing the highlighted letter, clicking on them with your mouse, or moving the highlight bar with your cursor keys and then pressing Enter.

When you select the Configure TBAV option from the Main Menu, the Configuration menu appears:

    +-----Main menu-----+
    | Confi+----------TBAV configuration---------+
    | TbSca|v Use colors                         |
    | TbSet|  Save configuration to TBAV.INI     |
    | TbUti|  File view utility                  |
    | TbCLe|v Wait after program execution       |
    | Virus|  Show command line before executing |
    | TBAV |v Edit path string before scanning   |
    | Docum+-------------------------------------+
    | Register TBAV     |
    | About             |
    | Quit and save     |
    | eXit (no save)    |
    +-------------------+

The "Use Colors" Option

If you disable this option, that is, select it so the check mark disappears, TBAV appears in monochrome mode, which is convenient for use on laptop and notebook computers.

The "Save Configuration to TBAV.INI" Option

When you select this option, TBAV saves all configuration values set within the TBAV menu in the TBAV.INI file. The next time you load the TBAV utilities, these configuration values take effect. These values apply to the TBAV menu itself and the utilities TbSetup, TbScan and TbClean. Although you can edit the TBAV.INI file manually, we recommend that you allow the TBAV menu to do it.

By default, the contents of the TBAV.INI file are valid only while using the TBAV menu shell. You can, however, enable the Use TBAV.INI file options (or specify the USEINI switches in the TBAV.INI file itself) for each of the TBAV utilities. For example, to use the settings in TBAV.INI with TbScan, you would follow these steps:

1. Select TbScan from the Main Menu. This displays the TbScan Menu.
2. From this menu, select the Options Menu option.
3. From this menu, select the Use TBAV.INI option and notice that a check mark appears beside it.

After selecting this option, TbScan also uses the TBAV.INI when you run TbScan from the DOS prompt. The same is true if you select this option for TbSetup and TbClean.

CAUTION: Be careful, since command line options do NOT undo TBAV.INI settings.

TBAV creates a TBAV.INI file when enabling this option for the first time. This file lists all valid configuration switches. Additionally, a semicolon precedes disabled switches.

The "File View Utility" Option

TbSetup and TbScan generate a data file and a log file respectively. By default, you can view these files, as well as the TBAV documentation mentioned earlier, from the TBAV menu using TBAV's internal file view utility.
If you prefer, however, you can specify your own file viewing utility. To do this, follow these steps:

1. Press F to select the File View Utility option.
2. Type in the complete path and the file name, including the extension, of the utility you want to use (e.g., C:\DIRNAME\VIEWER.EXE), and press ENTER.

The "Wait After Program Execution" Option

If you enable this option, TBAV displays the message "Press any key to return to the TBAV menu..." after executing an external utility.

The "Show Command Line Before Executing" Option

Enabling this option forces TBAV to display the DOS command that loads the external file viewing utility. This option comes in handy for enabling you to see the command(s) you specified before. After pressing ENTER, TBAV then executes the DOS commands.

The "Edit Path String Before Scanning" Option

If you enable this option, TBAV prompts you to edit or confirm the path to scan after you select Start Scanning from a scan menu.

1.2 Understanding TbSetup

By way of analogy, if you think of TbScan as being the heart of TBAV, you can think of TbSetup as being the skeleton. TbSetup collects information from all software it finds on your system and places this information in files, one in each directory, named ANTI-VIR.DAT, and uses this information for integrity checking, program validation, and cleaning infected files.

WARNING: NEVER, NEVER, NEVER use TbSetup when there is the slightest evidence of a virus on your system.

Since TbSetup was run during the installation program, it is not really necessary for you to run it again. In fact, the less you run it the better. The only time you should run TbSetup again is in directories with new or changed program files. Assume you just added a new program to your system, which installed into a new directory called NEWPRO. To run TbSetup on that new directory, you could execute one of the following procedures:

- From the TBAV Main Menu, select TbSetup, select Start TbSetup from the TbSetup Menu, type in C:\NEWPRO as the path to process, and then press ENTER.
- From the DOS prompt, enter TBSETUP C:\NEWPRO and press ENTER.

See the "Using TbSetup" section in Chapter 3 for more information about using TbSetup.

WARNING: NEVER, NEVER, NEVER use TbSetup when there is the slightest evidence of a virus on your system.

1.3 Understanding TbDriver

TbDriver is a small memory resident (TSR) program that you must load before loading any of the other five TBAV memory resident programs, which include: TbScanX, TbCheck, TbMem, TbFile, and TbDisk. Chapter 3 fully explains all of these programs, but to conclude our earlier analogy, if TbScan is the heart of TBAV, and TbSetup is the skeleton, then TbDriver and the other TSRs are the muscles. They simply wait in memory until called into action. When they detect suspicious code or other irregularities, they immediately inform you and take appropriate action.

TBAV Install places a call to TBSTART.BAT in your AUTOEXEC.BAT file so that all of these TSRs, except TbDisk, load automatically when you boot. For maximum security, we recommend that you allow these utilities to load and remain in memory.

TIP: If you prefer, you can put the memory resident utilities listed in TBSTART.BAT in your CONFIG.SYS file. Remove the call to TBSTART.BAT from AUTOEXEC.BAT, and then use a DEVICE= command in CONFIG.SYS for each utility. Don't forget to use the full path and to specify the .EXE extension. If you are using DOS 5 or higher, you can load these utilities into upper memory using the LOADHIGH command in either TBSTART.BAT or CONFIG.SYS.

1.4 Maintaining the System

All systems need maintenance, and the TBAV utilities are no different. This section, therefore, describes how to maintain the TBAV utilities.
1.4.1 Maintaining ANTI-VIR.DAT Files

Whenever you add, update or replace programs on your system, be sure to use TbSetup to generate or update their fingerprints in the ANTI-VIR.DAT files. See the Using TbSetup section earlier in this chapter and the Using TbSetup section in Chapter 3 for more information.

1.4.2 Creating a New Recovery Diskette

There will be times when you will want to create a new recovery diskette. This will be necessary, for example, when you install a new version of DOS because this changes the boot sector. You should also do this if you change the configuration of your hard disk because this can affect the partition tables and the CMOS setup. You should prepare a new recovery diskette after all system modifications. See the Prepare a Recovery Diskette section in the next chapter for more information.

1.4.3 Getting Updates

As new viruses emerge, which is almost daily, you need to replace TbScan's signature file (TBSCAN.SIG) periodically with a more up to date one. You can get the latest signature file from your local ThunderBYTE dealer. Subscribing to the ThunderBYTE update service at your local dealer is a convenient way to guarantee the delivery of each new update. You can also download the file directly from the ThunderBYTE support Bulletin Board Systems (BBS). To download updates, follow these steps:

1. Using your telecommunications program, dial the BBS phone number.
2. When the modem logs on, press ESC twice to go to the ThunderBYTE On-line Service.
3. From the File Menu select Download Latest ThunderBYTE Anti-Virus Utilities.
4. Select the File Transfer Protocol "zmodem" or "ymodem" from the Protocol Menu to select the file protocol you want to use, and then begin your download procedure.

Additionally, you can check with a local bulletin board regularly, as many of them offer updated versions of our software.

We issue the standard complete release in an archive named TBAVxxx.ZIP, where xxx represents the three-digit version number. The archive extension might vary on local bulletin boards using a different archive method. The release of TBAV for Windows is archived in a file named TBAVWxxx.ZIP. Again, xxx represents the three-digit version number of TBAV for Windows. The same holds for the release of TBAV for Networks; it is distributed in a file called TBAVNxxx.ZIP.

To maintain the highest reliability, the Dutch and US ThunderBYTE support sites issue regular beta releases, also containing only the files that have changed. You can identify beta versions by a B in the filename, such as TBAVBxxx.ZIP.

The resident ThunderBYTE Anti-Virus utilities are also available in processor optimized formats. These processor optimized versions, named TBAVXxxx.ZIP, are for registered users only. You can buy these versions through your local ThunderBYTE dealer.

NOTE: The ThunderBYTE Anti-Virus utilities currently support several languages, by means of separate language files. Check your local ThunderBYTE dealer for the availability of the TBAV support file in your language.

1.4.4 Maintaining a Network

Since you should replace the signature file TBSCAN.SIG frequently, this can turn into much work if you have to update all workstations on a network manually. Fortunately, there are several possibilities to do this job automatically.

Using the TbLoad Utility

The TbLoad utility that ships with TBAV for Windows is used to automatically update the existing ThunderBYTE Anti-Virus software installed on your system. Please refer to the section about TbLoad in the TBAV for Windows documentation.

Using the DOS REPLACE Command

Maintain a directory \TBAV_UPD\ on a public server drive and place any new version of the TBAV utilities or any new signature file (TBSCAN.SIG) in this directory.
The workstations should execute a batch file automatically after users log in on the network. This batch file should contain the following lines:

    REM UPDATE TBAV IF A NEW RELEASE IS AVAILABLE.
    REPLACE X:\TBAV_UPD\*.* C:\TBAV /U /R
    REPLACE X:\TBAV_UPD\*.* C:\TBAV /A /R

REPLACE is a standard DOS utility. If the /U option is specified, it copies the files specified by the first parameter ONLY if they are newer than the files specified in the second parameter. The /A option makes sure that REPLACE copies files that do not yet exist in the destination directory (specified by the second parameter). Make sure REPLACE is in the current path, and that the specified paths are valid for your configuration. The X in the above example represents the drive letter of the public server drive.

Using this technique, you only have to update one drive with the new signature file or anti-virus software; all workstations will then update themselves when users log in! You can also add the /S option if you want REPLACE to scan all directories on the workstations' drives for matching files. Please consult your DOS Operating System manual for more details.

WARNING: Don't forget to execute TbSetup on the new utilities in the X:\TBAV_UPD directory, thus ensuring that the REPLACE command also copies the new ANTI-VIR.DAT file.

1.4.5 Using the PKUNZIP Utility

Maintain a directory \TBAV_UPD\ on a public server drive and place any new version of the TBAV utilities or any new signature file (TBSCAN.SIG) in this directory. The workstations should execute a batch file automatically after users log in on the network. This batch file should contain the following lines:

    REM UPDATE TBAV IF A NEW RELEASE IS AVAILABLE.
    PKUNZIP -N -O X:\TBAV_UPD\TBAV???.ZIP C:\TBAV

Make sure the file PKUNZIP.EXE is in the current path, and that the paths specified are valid for your configuration. Following this procedure, the PKUNZIP command comes into action only when you have just updated the ZIP files in the X:\TBAV_UPD directory. Now you only have to update one drive with the new anti-virus software, and all workstations update themselves when users log in.

WARNING: If you did not create a Recovery Diskette during installation, we recommend that you do so. See the "Create a Recovery Diskette" section in Chapter 2 for instructions on how to do this. The example setups assume you have created such a recovery diskette.

2 Defining Your Anti-Virus Strategy

In this chapter, you learn how to accomplish two things: how to protect yourself against virus infection, and how to recover from virus infection. We recommend you read this chapter because it contains several useful tips.

2.1 Protecting Yourself Against Virus Infection

Maintaining a reliable safety system implies that you actively take measures to protect your system from virus infection, since some viruses can hide themselves perfectly once resident in memory.

TIP: At least once a week you should boot from a clean and write-protected diskette and execute TbScan to check your computer for virus infections.

The tightness of your safety system really depends on two things:

1. The vitality of the appropriate computer system
2. The amount of time you want to invest to let the safety measures take place

For example, on a standalone computer containing low risk data, and in an environment with little exchange of computer software, a daily scan is usually sufficient. For company use, however, in a network environment where users exchange diskettes frequently, where disks contain highly vulnerable information, and where a network going down means the loss of an extensive amount of money, protection must be as tight as the organization can practically handle.
With this in mind, it's impossible to define one strategy for system protection that will work for everybody. It all depends on your demands and possibilities. The TBAV utilities, however, are extremely flexible and enable you to define your own strategy, one that will work for your special needs. Although the following six basic precautions are NOT intended to be a complete protection system, they do provide a foundation on which you can build your own strategy.

1. Install TBAV on your hard disk

You can customize the installation to suit your specific needs. Be sure to use TbSetup to maintain recovery information of all executable files of your system! Refer to the Installing the TBAV Utilities section in Chapter 1 for details.

The following examples assume that all utilities reside in the default directory \TBAV. All example setups require that TbSetup has been run. If your system has more hard disks or disk partitions, you should repeat the TbSetup invocation for every drive or partition.

TIP: Remember that you can use the ALLDRIVES and ALLNET options to make TbSetup process all local and all remote non-removable drives, respectively.

Furthermore, the example setups assume you have created a recovery diskette.

2. Prepare a recovery diskette

It is imperative to have a clean recovery diskette to recover from virus infection. If you didn't create a recovery diskette during the TBAV installation, take a few minutes to prepare one now. Later, when a virus infects your system, it's too late! To create a recovery diskette, follow these steps:

1. Insert a new diskette in drive A:, and then change to the DOS directory by typing CD \DOS and pressing ENTER.
2. Type FORMAT A: /S, and press ENTER. The /S switch copies the DOS system files to the disk so you can boot the computer with it.
3. Type COPY SYS.COM A: and press ENTER. This copies the SYS.COM program, which is the program that DOS uses to copy its system files to a disk.
4. Type CD \TBAV to return to the TBAV directory.
5. Type MAKERESC A: and press ENTER to create a recovery disk in drive A.

   WARNING: If your computer has two floppy disk drives, be sure you know which one is drive A and create your recovery disk there. A PC never tries to boot from drive B.

   The MAKERESC.BAT procedure creates a reliable recovery diskette by creating or copying the following:

   - A backup of the boot sector, partition sector and CMOS configuration.
   - A CONFIG.SYS file, containing:

         FILES=20
         BUFFERS=20
         DEVICE=TBDRIVER.EXE
         DEVICE=TBCHECK.EXE FULLCRC

   - An AUTOEXEC.BAT file, containing:

         @ECHO OFF
         ECHO OFF
         PATH=A:\
         TBAV
         CLS
         ECHO WARNING!!!
         ECHO IF YOU SUSPECT A VIRUS, DO NOT EXECUTE ANYTHING FROM THE HARD DISK!

   - The following files:

         TBAV.EXE      TBAV.LNG
         TBSCAN.EXE    TBSCAN.LNG    TBSCAN.SIG
         TBDRIVER.EXE  TBDRIVER.LNG
         TBCHECK.EXE
         TBCLEAN.EXE
         TBUTIL.EXE    TBUTIL.LNG

6. Copy to the diskette any other utilities that could come in handy in an emergency, such as a simple editor to edit CONFIG.SYS and AUTOEXEC.BAT files. If your hard disk needs special device drivers to unlock added features, such as DoubleSpace or Stacker, copy the appropriate drivers to the recovery diskette and install them in the CONFIG.SYS file on drive A:, being careful to avoid statements that access the hard disk. Be sure to check the instructions in the device driver's manual for the correct procedures.

   CAUTION: If you are using the text editor that ships with DOS 5.0 or later, be sure to not only copy the file EDIT.COM to drive A:, but also QBASIC.EXE, which EDIT.COM uses.

7. Make sure you write protect your recovery disk. Now label it "Recovery Disk" and include on the label the identification of the PC to which the diskette belongs. Store the diskette in a safe place.

   TIP: For additional security, make another recovery diskette and store it in a separate location.

3. Prevent the Installation of Unauthorized Software

Many companies do not allow employees to install or execute unauthorized software. Similarly, perhaps you want to keep family members from invading your computer with haphazard games and sundry software. TBAV provides a watchdog function that can help to enforce this. Follow these steps:

1. First you need to add the following lines to the CONFIG.SYS file:

       DEVICE=C:\TBAV\TBDRIVER.EXE
       DEVICE=C:\TBAV\TBCHECK.EXE SECURE

   Alternately, if you are using the TBSTART.BAT file, then you would add the following two lines to it:

       C:\TBAV\TBDRIVER
       C:\TBAV\TBCHECK SECURE

2. Run TbSetup on the system by typing "TBSETUP ALLDRIVES" and pressing ENTER.
3. Reboot the system.

From now on, TbCheck puts an effective clamp on any user who tries to execute software that TbSetup has not duly authorized first. Whenever someone is trying to execute an unknown program, TBAV displays the following message:

    +-----------TBAV Interception-----------+
    | The requested program (GAME.EXE)      |
    | is not authorized and can not be      |
    | executed.                             |
    | Execution cancelled! Press any key... |
    +---------------------------------------+

4. Restrict User Access

Most of the TBAV utilities are interactive; that is, they communicate with a knowledgeable user to establish appropriate action in ambiguous situations. Many companies, however, insist that the system operator be the sole authority allowed to communicate with TBAV, and so avoid wrongdoing by possibly inept employees. It is for this very reason that most of the TBAV utilities support the SECURE option. When you specify this option, TBAV suspends all user interaction with the utilities. In other words, TBAV never asks users for permission to allow questionable operations, avoiding erroneous decisions that might well result in irreparable havoc. This option also prevents the user from disabling or unloading the TBAV utilities.

5. Never Use "Strange" Diskettes to Boot

Boot only from your hard disk or from your original DOS diskette. NEVER use someone else's disk to boot the computer. If you have a hard disk, make certain that the door to your floppy drive is open before resetting or booting the machine.

6. Run the DOS CHKDSK Command Often

Use the DOS program CHKDSK frequently (without the /F switch). CHKDSK can sometimes indicate the presence of a virus simply because some viruses change the disk structure incorrectly, thereby causing disk errors in the process.

Look out for changes in the behavior of your software or your PC. Any change in their behavior is suspect, unless you know its cause. Some highly suspicious symptoms are:

- A decrease in the amount of available memory space. CHKDSK should report 655,360 total bytes of memory.
- Programs require more time to execute.
- Programs do not operate as they used to, or they cause the system to crash or reboot after some time.
- Data mysteriously disappears or becomes damaged.
- The size of one or more programs has increased.
- The screen behaves strangely or displays unusual information.
- CHKDSK detects many errors.

TIP: You can also instruct TbScan to mimic the behavior of the DOS command CHKDSK. Simply execute TbScan with the FATCHECK option enabled. For example, if you want TbScan to scan your C: and D: drives once a day, and to check the integrity of those disks, place the following command in your AUTOEXEC.BAT file:

    TbScan C:\ D:\ FATCHECK ONCE

2.2 Recovering from Virus Infection

This section presents some tips on how to clean your computer system when it has been compromised by a virus.

1. Backup Your Data

The very first thing to do when you realize that your system might be infected is to back up all important files immediately. Label the new backup as unreliable, since some of the files might be infected.

CAUTION: Use fresh backup media and do not overwrite a previous backup set. You might need the previous set to replace lost or contaminated files.

2. Boot From a Recovery Diskette

When you become aware of a virus infection, it is imperative that you boot only from a reliable, write protected recovery system diskette.

3. Know the Symptoms of a Virus

Now execute TbScan for an indication of what is wrong, or boot from a recovery diskette and compare its system files with those on the hard disk to check for changes. During this test you should take care to stay logged onto your system diskette.

TbScan reports the virus name if it knows the virus, or it gives a summary of file changes if it can't identify the virus. If you use the command line below, for example, TbScan processes all non-removable drives and prints the results of the scan process to the printer.

    TBSCAN ALLDRIVES LOGNAME=LPT1 LOG

Also run TbUtil, to check the boot sector, partition code and the CMOS configuration, using the following command:

    TBUTIL COMPARE

WARNING: To prevent a virus from invading the system's memory and possibly masking the test results, do not execute any program on your hard disk. TbCheck warns you if you accidentally try to execute an infected or unauthorized program on your hard disk.

Remember that it is in the nature of a file virus to infect as many programs as possible over a short period. You'll seldom find only a few programs on a hard disk to be infected. A TbScan virus alert that flags a mere one percent of the files on a hard-worked system is probably just a false alarm that has nothing to do with a real virus. In other words, if the file compare test indicates that all of them are still the same, you know at least that you are not dealing with a file virus.

Avoid using the same copy of the TbScan program on another system after discovering a virus. Like any other program file, TBSCAN.EXE itself can become infected! To detect infection of the TbScan program itself, the program performs a sanity check when it runs. Unfortunately, there is no way to make software 100% virus-proof. A sanity check does not work if a stealth-type virus is at work. A stealth virus can hide itself completely when you run a self-check. In case you are wondering, this is not a bug in TbScan. The failure to detect stealth viruses is common to all software that performs a sanity check. We, therefore, recommend that you keep a clean version of TbScan on a write-protected diskette. Use this diskette to check other machines once you have found a virus on your system.

4. Identify Virus Characteristics

Viruses come in many different guises and have their own peculiarities. It is extremely important to know at the earliest possible stage which particular kind of virus you are dealing with. This gives you at least some indication of the nature and the amount of the damage it might have caused already. Some viruses infect only executable files that you can easily reinstall or replace from a clean source. Others swap some random bytes anywhere on the hard disk, which could affect data files as well, although the results might not be noticeable for some time. Then there are those viruses that damage the hard disk partition table or file allocation table. Some of the even nastier viruses, the so-called multipartite viruses, operate in more than one area. Once you isolate the virus, either contact your support BBS, consult literature on virus problems, or get in touch with a virus expert.

WARNING: Whatever you do, DON'T PANIC! An inexperienced user, reacting in confusion, can often create more havoc than the virus itself, such as blindly eradicating important data. While an instant reformat might get rid of the virus, it will definitely destroy all your recent work as well.

5. Restore the System

Again, while recovering from a virus infection, it is particularly important to boot only from a clean write-protected system diskette. This is the only way to keep a virus out of the system's memory. Never execute a program from the hard disk. Using the SYS command on the system or recovery diskette, restore the master boot sector and the DOS system files to the hard disk. If the boot sector or partition code contains a virus, you can also use the following command to get rid of it by restoring clean sectors:

    TBUTIL RESTORE

WARNING: Many modern hard disks, notably IDE or AT drives using advanced pre-formatting methods, are low-level formatted by the manufacturer, ready for partitioning and a DOS format. NEVER try to low-level format these drives yourself. Doing so can ruin the drive. It is always better to back up the partition table with a utility such as TbUtil, which restores the partition table for you without reformatting.

If TBAV identifies the virus as a file virus, the safest course is to remove the infected files (using TbDel) and to copy or reinstall all executables from a CLEAN source. A virus cleaning utility, such as TbClean, won't always be able to fully restore the original program code, so use this only as a last resort, such as when you don't have a reliable backup. It might be necessary to replace data files as well if the virus is known to cause damage in that area.

CAUTION: After reassuring yourself that the system is absolutely clean again, run a careful check on all diskettes and backups to remove every single trace of the virus. Keep in mind that it takes only one infected diskette to reacquire the problem.
3 Using the TBAV utilities

This chapter fully describes each of the TBAV utilities. For quick reference, we present each utility in at least three sections: Understanding the utility, Working with the utility, and Maximizing the utility. Most discussions also include a fourth section: Understanding the utility's operating process.

3.1 Using TbSetup

Even though TbSetup takes no active part in virus detection or cleaning, it is nonetheless an indispensable tool that supports the rest of the ThunderBYTE Anti-Virus utilities. TbSetup collects control and recovery information, thereby giving extra power to the other utilities. It gathers information, mainly from program files, into a single ANTI-VIR.DAT reference file in each directory.

NOTE: See the "Understanding ANTI-VIR.DAT Files" section at the end of this chapter for a fuller explanation of these files.

3.1.1 Understanding TbSetup

Although the ThunderBYTE utilities can work without the ANTI-VIR.DAT files, we recommend that you have TbSetup generate them. TBAV uses these files for several purposes:

TbScan and the memory-resident TbCheck program perform an integrity check while scanning whenever they find an ANTI-VIR.DAT file in the directory. If a file becomes infected by a virus, the information in the ANTI-VIR.DAT file will no longer match the actual file contents, and TbScan and TbCheck will inform you that the file has changed.

TbSetup recognizes some files that need special treatment. An example is the disk image file of a network remote boot disk. Such a file actually represents a complete disk and should be scanned completely, so TbSetup puts a mark in the ANTI-VIR.DAT file to ensure that TbScan scans the entire file for all viruses.

Once a file becomes infected, TbClean can reconstruct the original file. The information in the ANTI-VIR.DAT file is of great help to TbClean; some infected programs can be cured only if there is information about the program in the ANTI-VIR.DAT file.

TbCheck (a tiny resident integrity checker) has no purpose if there are no ANTI-VIR.DAT files on your system.

The resident TBAV utilities need the ANTI-VIR.DAT files to maintain permission information. Without ANTI-VIR.DAT files you cannot prevent false alarms other than by disabling a complete feature.

NOTE: ANTI-VIR.DAT directory entries have the hidden attribute by default and therefore do not show up in standard directory listings. You can see them only with the help of special utilities or with the DOS 6 command DIR /AH.

3.1.2 Working with the TbSetup Menu

This is the one program to which the rule applies: the less you use it, the better your protection against viruses! Why? Keep in mind that an ANTI-VIR.DAT file stores vital information needed to detect a virus, as well as data for subsequent recovery and cleaning. Consider what would happen if you were to execute TbSetup after a virus entered the system: the information in the ANTI-VIR.DAT file would be updated to the state of the infected file, wiping out all traces of the data needed to reconstruct the original, uninfected file.

WARNING: NEVER, NEVER, NEVER use TbSetup when there is the slightest evidence of a virus on your system.

Once TbSetup has generated ANTI-VIR.DAT files as part of the initial setup, confine any subsequent use of TbSetup to directories with new or changed program files.

Now we will explore the menu options. Selecting the "TbSetup" option from the Main Menu displays the following menu:
+-----Main menu------+
| Confi+-----TbSetup menu------+
| TbSca| Start TbSetup         |
| TbSet| Options menu         >|
| TbUti| Flags menu           >|
| TbCLe| Data file path/name   |
| Virus| View data file        |
| TBAV +-----------------------+
| Documentation     >|
| Register TBAV      |
| About              |
| eXit (no save)     |
| Quit and save      |
+--------------------+

The "Start TbSetup" Option

Select this option only after you have completed your selections on this menu and its sub-menus. When you select it, the "Enter disk / path / file(s) to process:" window appears. Type the drive and directory you want to set up and press ENTER.

The "Options Menu" Option

Selecting this option displays the following menu:

+-----Main menu------+
| Confi+-----TbSetup menu------+
| TbSca| Start+-----------TbSetup options----------+
| TbSet| Optio| Use TBAV.INI file                  |
| TbUti| Flags| Prompt for pause                   |
| TbCLe| Data | Only new files                     |
| Virus| View | Remove Anti-Vir.Dat files          |
| TBAV +-------| Test mode (Don't change anything)  |
| Documentation|v Hide Anti-Vir.Dat files           |
| Register TBAV| Make executables readonly          |
| About        | Clear readonly attributes          |
| Quit and save|v Sub-Directory scan                |
| eXit (no save+------------------------------------+
+--------------------+

Use TBAV.INI file. By enabling this option, the TbSetup configuration values saved in the TBAV.INI file also apply when you start TbSetup from the command line.

CAUTION: If you specify options in the TBAV.INI file, you cannot undo them on the command line.

Prompt for pause. When you specify this option, TbSetup stops after it processes the contents of one window. This enables you to examine the results.

Only new files. Use this option to add new files to the ANTI-VIR.DAT database while preventing the records of changed files from being updated. Updating the records of changed files is dangerous: if the files are infected, the information needed to detect and cure the virus is overwritten. This option prevents that overwrite but still allows new files to be added to the database.

Remove ANTI-VIR.DAT files. If you want to stop using the ThunderBYTE utilities, you do not have to remove all the ANTI-VIR.DAT files yourself. With this option TbSetup neatly removes all ANTI-VIR.DAT files from your system.

Test mode (Don't change anything). Use this option to see the effect of an option without the risk of activating something you do not want. TbSetup behaves as it normally would, but does not change or update anything on your hard disk.

Hide ANTI-VIR.DAT files. The ANTI-VIR.DAT files are normally not visible in a directory listing. If you prefer them to be visible, disable this option.

NOTE: This option applies only to newly created ANTI-VIR.DAT files.

Make executables read-only. Since TbFile permanently guards the read-only attribute, we recommend that you make all executable files read-only to prevent modifications to them. TbSetup does this for you if you enable this option. TbSetup recognizes files that should not be made read-only (see the "Read only sensitive" flag below) and leaves them alone.

Clear read-only attributes. Use this option to reverse the "Make executables read-only" operation. If you enable it, TbSetup clears the read-only attribute on all executable files.

Sub-Directory scan. By default, TbSetup searches sub-directories for executable files, unless you specify a filename (wildcards allowed). If you disable this option, TbSetup does not process sub-directories.

The "Flags Menu" Option

Selecting this option displays the following menu:

+-----Main menu------+
| Confi+-----TbSetup menu------+
| TbSca| Start+-----TbSetup flags------+
| TbSet| Optio|v Use normal flags      |
| TbUti| Flags| Set flags manually     |
| TbCLe| Data | Reset flags manually   |
| Virus| View | Define flags          >|
| TBAV +------+------------------------+
| Documentation     >|
| Register TBAV      |
| About              |
| Quit and save      |
| eXit (no save)     |
+--------------------+

NOTE: "Flags" are internal indicators that ThunderBYTE stores with a file's ANTI-VIR.DAT record to signal how the utilities should treat that file.

This menu contains the following options:

Use normal flags. This is the default setting for TbSetup.

Set flags manually. This option is for advanced users only. With it you can manually set permission flags in the ANTI-VIR.DAT record. The option requires a hexadecimal bit mask of the flags to set; you build this mask by selecting one or more of the items listed in the "Define flags" sub-menu, described below.

Reset flags manually. This option is for advanced users only. With it you can manually reset permission flags, or prevent flags from being set, in the ANTI-VIR.DAT record. The option requires a hexadecimal bit mask of the flags to reset; you build this mask by selecting one or more of the items listed in the "Define flags" sub-menu, described below.

Define flags. Selecting this option displays the following menu:

+-----Main menu------+
| Confi+-----TbSetup menu------+
| TbSca| Start+-----TbSetup flags------+
| TbSet| Optio|v Use n+--Define flags to be--------+
| TbUti| Flags| Set f| 0001: Heuristic analysis   |
| TbCLe| Data | Reset| 0002: Checksum changes     |
| Virus| View | Defin| 0004: Disk image File      |
| TBAV +------+-------| 0008: Read only sensitive  |
| Documentation     >| | 0010: TSR program          |
| Register TBAV      | | 0020: Direct disk access   |
| About              | | 0040: Attribute modifier   |
| Quit and save      | | 8000: Interrupt rehook     |
| eXit (no save)     | +----------------------------+
+--------------------+

Selecting one or more of these options accomplishes the following:

0001: Heuristic analysis. Programs with the 0001 flag are not heuristically scanned.

0002: Checksum changes. Programs with the 0002 flag are not checked for file changes.

0004: Disk image File. Files with this flag contain a disk layout and are checked completely.

0008: Read only sensitive. Files with this flag cannot be changed to read-only.

0010: TSR program. Programs with this flag have permission to stay resident in memory.

0020: Direct disk access. Programs with this flag have permission to write directly to the disk.

0040: Attribute modifier. Programs with this flag have permission to change program attributes.

8000: Interrupt rehook. After a program with this flag starts, TbDriver rehooks its interrupts.

The "Data File Path Name" Option

TbSetup searches for "special" files by using a file named TBSETUP.DAT. You can use this option to specify another path or filename containing a list of special files. Select the option, then enter the name (and path if necessary) of the data file you want to use.

The "View Data File" Option

Selecting this option displays the TBSETUP.DAT file on the screen. Use the cursor movement keys to move through the file.
TIP: Instead of using the internal file viewer, you can substitute your own favorite viewer. See the "Configuring TBAV" section in Chapter 1 for details.

3.1.3 Maximizing TbSetup

Now that you know how to use TbSetup's menus, you can more easily understand how to get the most out of TbSetup with command line options. The following table summarizes these options:

option              short  explanation
------------------  -----  ----------------------------------------
help                he     help
pause               pa     enable "Pause" prompt
mono                mo     force monochrome output
nosub               ns     skip sub-directories
newonly             no     do not update changed records
alldrives           ad     process all local fixed drives
allnet              an     process all network drives
remove              rm     remove ANTI-VIR.DAT files
test                te     do not create / change anything
nohidden            nh     do not make ANTI-VIR.DAT files hidden
readonly            ro     set read-only attribute on executables
nordonly            nr     remove / do not set read-only attribute
set=<flags>         se     set flags
reset=<flags>       re     reset flags / do not set flags
datfile=<filename>  df     specify the data file to be used

The table serves as a quick reference; the following descriptions provide more information about each option.

help (he). Displays a short list of the available options, as listed above.

pause (pa). TbSetup stops after processing the contents of one window, so that you can examine the results.

mono (mo). Improves the screen output on some LCD screens or on monochrome systems that emulate color.

nosub (ns). By default, TbSetup searches sub-directories for executable files, unless you specify a filename (wildcards allowed). If you specify this option, TbSetup does not process sub-directories.

newonly (no). Use this option to add new files to the ANTI-VIR.DAT database while preventing the records of changed files from being updated. Updating the records of changed files is dangerous: if the files have become infected, the information needed to detect and cure the virus is overwritten. This option prevents that overwrite but still allows new files to be added to the database.

alldrives (ad). Instructs TbSetup to process all local non-removable drives. Except for the initial execution, it is not a good idea to use this option.

allnet (an). Instructs TbSetup to process all network drives.

WARNING: Except for the initial execution of the TBAV utilities, it is not a good idea to use the "allnet" option.

remove (rm). If you want to stop using the ThunderBYTE utilities, you do not have to remove all the ANTI-VIR.DAT files manually. With this option TbSetup neatly removes all ANTI-VIR.DAT files from your system.

test (te). Use this option to see the effect of an option without the risk of activating something you do not want. TbSetup behaves as it normally would, but does not change or update anything on your hard disk.

nohidden (nh). The ANTI-VIR.DAT files are normally not visible in a directory listing. If you prefer them to be visible, use this option.

NOTE: The "nohidden" option applies only to newly created ANTI-VIR.DAT files.

readonly (ro). Since TbFile permanently guards the read-only attribute, we recommend that you make all executable files read-only to prevent modifications to them. TbSetup does this for you if you use this option. TbSetup recognizes files that should not be made read-only and leaves them alone.

nordonly (nr). Reverses the READONLY option: TbSetup clears the read-only attribute from all executable files.

set (se). This option is for advanced users only. With it you can manually set permission flags in the ANTI-VIR.DAT record. The option requires a hexadecimal bit mask of the flags to set; for the meaning of the bits, consult the TBSETUP.DAT file or the "Define flags" menu above. Option format: SET=<flags>, for example SET=0001.

reset (re). This option is for advanced users only. With it you can manually reset permission flags, or prevent flags from being set, in the ANTI-VIR.DAT record. The option requires a hexadecimal bit mask of the flags to reset; for the meaning of the bits, consult the TBSETUP.DAT file or the "Define flags" menu above. Option format: RESET=<flags>, for example RESET=0001.

datfile (df). After this option you specify the name of the data file to use.

For the initial installation of TBAV you could use the following command:

TBSETUP ALLDRIVES

Using the following command, you could specify which drives (C: and D:, for example) you want TbSetup to process:

TBSETUP C:\ D:\

Since you did not specify a filename in the above command, TbSetup treats each specified path as a top-level path and processes all of its sub-directories. If you do specify a filename, TbSetup processes only that path, not its sub-directories. You can use wildcards (the asterisk [*] or the question mark [?]) in the filename.

You can use the NEWONLY option to prevent TbSetup from overwriting existing information. To help you remember that you need to run TbSetup again, the next time you run TbScan it displays a small 'c' after a file that is new (no ANTI-VIR.DAT record yet) or a capital 'C' after a file whose record exists but no longer matches, that is, a file that has been changed.
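The behaviour described above (a per-directory database of file size, CRC and flag bits; NEWONLY leaving changed records untouched; SET/RESET masks; TbScan's 'c' and 'C' marks) modelled as an added Python example written for this page. It is not ThunderBYTE's own code and the real ANTI-VIR.DAT layout is not documented here, so a record is simply a dict; the function names, the file names and the file contents are all constructed for the illustration.

```python
"""Model of TbSetup's ANTI-VIR.DAT maintenance and TbScan's change marks.
Added example for this page; not ThunderBYTE code.  Record layout and all
file contents are constructed for the illustration."""
import zlib

# Permission flag bits as listed in the "Define flags" menu (hex masks).
HEURISTIC_EXCLUDED = 0x0001   # not heuristically scanned
CHECKSUM_MAY_CHANGE = 0x0002  # not checked for file changes
DISK_IMAGE = 0x0004
READONLY_SENSITIVE = 0x0008
TSR_ALLOWED = 0x0010
DIRECT_DISK_ALLOWED = 0x0020
ATTRIBUTE_MODIFIER = 0x0040
INTERRUPT_REHOOK = 0x8000


def crc32(data: bytes) -> int:
    """32-bit CRC as an unsigned value (zlib.crc32 is signed on old Pythons)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def tbsetup(db: dict, files: dict, newonly: bool = False,
            set_mask: int = 0, reset_mask: int = 0) -> dict:
    """Bring the directory database `db` ({name: record}) up to date for
    `files` ({name: contents}) and return {name: action}.

    Actions mirror TbSetup's scanning window: 'Added' (no record yet),
    'Changed' (size or CRC differed and the record was overwritten),
    'Updated' (file unchanged, only flags altered), 'Unchanged', and
    'Skipped' for a changed file left alone because newonly is set.
    newonly models NEWONLY / "Only new files"; set_mask and reset_mask
    model SET=<flags> and RESET=<flags> (reset wins over set)."""
    actions = {}
    for name, data in files.items():
        size, crc = len(data), crc32(data)
        old = db.get(name)
        if old is None:
            db[name] = {"size": size, "crc": crc,
                        "flags": set_mask & ~reset_mask}
            actions[name] = "Added"
            continue
        changed = (old["size"], old["crc"]) != (size, crc)
        if changed and newonly:
            actions[name] = "Skipped"   # keeps the pre-change CRC for TbClean
            continue
        action = "Unchanged"
        if changed:
            old["size"], old["crc"] = size, crc
            action = "Changed"
        new_flags = (old["flags"] | set_mask) & ~reset_mask
        if new_flags != old["flags"]:
            old["flags"] = new_flags
            if not changed:
                action = "Updated"
        actions[name] = action
    return actions


def tbscan_marks(db: dict, files: dict) -> dict:
    """Mark each file the way TbScan does when an ANTI-VIR.DAT record is
    present: 'c' = no record (new file), 'C' = size or CRC no longer
    matches (changed file), '' = record matches.  A record carrying the
    0002 flag is exempt from the change check."""
    marks = {}
    for name, data in files.items():
        rec = db.get(name)
        if rec is None:
            marks[name] = "c"
        elif rec["flags"] & CHECKSUM_MAY_CHANGE:
            marks[name] = ""
        elif (rec["size"], rec["crc"]) != (len(data), crc32(data)):
            marks[name] = "C"
        else:
            marks[name] = ""
    return marks


def display_line(name: str, rec: dict, action: str, special: bool = False) -> str:
    """One scanning-window line: name, hex size, CRC, action, '*', flags."""
    star = "*" if special else " "
    return f"{name:<12} {rec['size']:05X} {rec['crc']:08X} {action:<9} {star} {rec['flags']:04X}"


def demo() -> tuple:
    """The scenario from the text, with constructed file contents."""
    db = {}
    files = {"TEST.EXE": b"MZ clean program", "SETUP.EXE": b"MZ setup"}
    first = tbsetup(db, files)                        # initial run: everything Added
    original_crc = db["TEST.EXE"]["crc"]
    files["TEST.EXE"] += b" + appended virus body"    # file altered after setup
    files["NEW.COM"] = b"\xe9 new utility"            # file added after setup
    marks = tbscan_marks(db, files)                   # TEST.EXE -> 'C', NEW.COM -> 'c'
    second = tbsetup(db, files, newonly=True)         # adds NEW.COM, keeps TEST.EXE record
    kept = db["TEST.EXE"]["crc"] == original_crc      # clean CRC survives for TbClean
    third = tbsetup(db, files, newonly=True, set_mask=HEURISTIC_EXCLUDED)
    return first, marks, second, kept, third


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Running the module prints the five steps of the scenario. The point to notice is the second step: with newonly set, the altered TEST.EXE is reported as skipped and its record still holds the clean CRC, which is exactly the information a later cleanup needs and exactly what an unguarded TbSetup run would have destroyed.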
If you add a new file called TEST.EXE to your directory C:\TESTING, execute the following command:

TBSETUP C:\TESTING\TEST.EXE

If you install a new product in a new directory, C:\NEW, use the following command:

TBSETUP C:\NEW

3.1.4 Understanding TbSetup's Operation

TbSetup divides the screen into three windows: an information window displaying data file comments across the top of the screen, a scanning window on the left, and a status window on the right. The scanning window lists the names of the files being processed, along with file-specific information laid out as follows:

TEST.EXE   01234  12AB23CD  Added  *  0001
   |         |       |        |     |   |
   |         |       |        |     |   'flags' set for this file
   |         |       |        |     indicates 'special' file
   |         |       |        action performed
   |         |       32-bit CRC (checksum)
   |         file size as a hexadecimal number
   name of file in process

Do not be concerned if the information flies by too fast to read, or if it puzzles you. These details are provided purely for diagnostic use.

The action performed field indicates whether an entry in the ANTI-VIR.DAT file was added, changed or updated:

Added. There was no previous entry for this file in the ANTI-VIR.DAT file and a new entry was added.

Changed. There was an existing entry, but the file has changed and the ANTI-VIR.DAT information was overwritten with the file's new characteristics.

Updated. There was an ANTI-VIR.DAT record and the file was found to be unchanged. TbSetup did, however, change some of the program's permission flags, either because of an entry in the TBSETUP.DAT file or in compliance with a SET or RESET option.

TIP: You can abort TbSetup at any time by pressing Ctrl+Break.

3.1.5 Understanding TBSETUP.DAT Files

Although the ThunderBYTE utilities perform well on almost every file without extra help, some files need special attention. TbSetup uses information collected in the TBSETUP.DAT data file to flag these special files in the ANTI-VIR.DAT file. The other ThunderBYTE utilities then use this information to determine how to treat such a "special" file.

Some programs keep configuration information inside the executable file (EXE, COM) itself. Whenever you change the configuration of such a program, the executable file changes as well, along with its checksum, so the new checksum no longer matches the one recorded in the ANTI-VIR.DAT file. Since some TBAV utilities use this checksum to verify integrity or cleanup results, they need to know when a file's checksum is allowed to change.

TbScan can use generic detection methods such as heuristic analysis to detect unknown viruses. Since heuristic analysis inevitably raises a false alarm now and then when a legitimate program looks like a virus, TbScan may need to be told not to perform heuristic analysis on such a program.

Some of the TBAV utilities guard the read-only attribute and ensure that it can be removed only with the user's explicit permission. A few programs, however, refuse to run properly with the read-only attribute set.

TbScan's default scanning method performs perfectly well with just about any file, but some files need special analysis. One such file is the Novell NET$DOS.SYS file, which is not a device driver as the filename extension suggests, but a disk image of the bootable disk. It should therefore be scanned completely for all signatures, including COM and BOOT signatures.

The resident monitoring utilities of the TBAV package detect all sorts of virus-like behavior. Some programs, even though they act like a virus, are perfectly normal and should be permitted to execute without TBAV interference.

You need not worry if a few files are excluded from heuristic analysis. TBAV still scans these files in the conventional way for signatures. Furthermore, TBAV grants heuristic exclusion only when a file exactly matches its entry in the TBSETUP.DAT file, including its name, size and 32-bit CRC checksum. This closes the obvious hole: if a listed file is already infected, its checksum does not match the CRC in the TBSETUP.DAT file and the exclusion does not apply. By the same token, if the program becomes infected later, at least one of these characteristics changes, the record in the ANTI-VIR.DAT file no longer matches, and the file is subject to full heuristic analysis like any other.

3.2 Using TbScan

TbScan is the program you will use most often to detect virus infections.

3.2.1 Understanding TbScan

TbScan is a scanner specifically designed to detect viruses, Trojan horses and other such threats to your valuable data. Most viruses contain a unique sequence of bytes, called a signature. By checking for such signatures in a file we can find out whether a program has been infected. Scanning all program files for the signatures of all known viruses tells you quickly whether your system has been infected and, if so, by which virus.

Understanding TbScan involves understanding three main features of the program.

Fast Scanning

TbScan is the fastest scanner on the market today, so it invites daily use from your AUTOEXEC.BAT file. Thanks to its design, TbScan does not slow down as the number of signatures increases: it makes no difference whether a file is scanned for 10 or 1000 signatures. TbScan also checks itself when it starts. If it detects an infection of its own program file, it aborts and displays an error. This minimizes the risk of the TbScan program itself transferring a virus to your system.
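The two detection layers just described (signature matching, then heuristic analysis) together with the exact-match rule for TBSETUP.DAT exclusions, as an added Python example written for this page; it is not ThunderBYTE code. The signature, the opcode patterns used as "suspicious" heuristics, the sensitivity thresholds, the NETTOOL.EXE special-file entry and every file body below are constructed for the illustration and say nothing about TbScan's real signatures or heuristics.

```python
"""Toy scanner: signature match first, then heuristics unless the file is a
listed special file whose name, size and CRC-32 all match.  Added example
for this page; patterns, thresholds and files are constructed."""
import re
import zlib


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


# Constructed signature table (name -> byte pattern).  The pattern is the
# classic CALL $+3 / POP SI / SUB SI,103h delta-offset prologue; it stands in
# for a real signature here and identifies nothing real.
SIGNATURES = {
    "Demo.Virus.A": re.compile(rb"\xe8\x00\x00\x5e\x81\xee\x03\x01"),
}

# Constructed heuristic patterns: 8086 opcode sequences a file-infecting
# virus would plausibly contain.  Each hit adds one letter to the flag string.
HEURISTICS = {
    "W": re.compile(rb"\xb4\x40\xcd\x21"),           # MOV AH,40h / INT 21h: write to file
    "I": re.compile(rb"\xb8.\x25\xcd\x21", re.DOTALL),  # MOV AX,25xxh / INT 21h: set int vector
    "T": re.compile(rb"\xb4\x31\xcd\x21"),           # MOV AH,31h / INT 21h: stay resident
    "D": re.compile(rb"\xb4\x03\xcd\x13"),           # MOV AH,03h / INT 13h: raw sector write
}
# Number of heuristic hits needed before a file is reported (constructed).
THRESHOLD = {"high": 2, "normal": 3, "low": 4}

W, I, T, D = (b"\xb4\x40\xcd\x21", b"\xb8\x21\x25\xcd\x21",
              b"\xb4\x31\xcd\x21", b"\xb4\x03\xcd\x13")
# Constructed file bodies.
NETTOOL_CLEAN = b"MZ" + W + I + T + b" network boot helper"     # legit but virus-like
NETTOOL_INFECTED = NETTOOL_CLEAN + D + b" appended payload"
GAME = b"\xe9\x10\x00" + b"\xe8\x00\x00\x5e\x81\xee\x03\x01" + b" great game!"
UTIL = b"\xe9" + W + T + b" small utility"
# TBSETUP.DAT-style special-file list: exclusion is tied to name+size+CRC.
SPECIAL = [{"name": "NETTOOL.EXE", "size": len(NETTOOL_CLEAN),
            "crc": crc32(NETTOOL_CLEAN), "flags": 0x0001}]


def heuristic_flags(data: bytes) -> str:
    return "".join(k for k, pat in HEURISTICS.items() if pat.search(data))


def heuristic_excluded(name: str, data: bytes, special: list) -> bool:
    """The TBSETUP.DAT rule: all three of name, size and CRC must match."""
    size, crc = len(data), crc32(data)
    return any(e["name"] == name.upper() and e["size"] == size and e["crc"] == crc
               for e in special)


def scan_file(name: str, data: bytes, special: list, sensitivity: str = "normal") -> dict:
    """Return {'file', 'result', 'flags', 'excluded', 'virus'}; result is
    'infected' (signature), 'heuristic' (enough flags) or 'clean'."""
    out = {"file": name, "flags": heuristic_flags(data),
           "excluded": heuristic_excluded(name, data, special), "virus": None}
    for vname, pat in SIGNATURES.items():
        if pat.search(data):                      # signatures always apply
            out.update(result="infected", virus=vname)
            return out
    if not out["excluded"] and len(out["flags"]) >= THRESHOLD[sensitivity]:
        out["result"] = "heuristic"
    else:
        out["result"] = "clean"
    return out


def scan_all(files: dict, special: list, sensitivity: str = "auto") -> list:
    """'auto' starts at normal sensitivity and switches to high after the
    first detection, as the Auto heuristic sensitivity option does."""
    level = "normal" if sensitivity == "auto" else sensitivity
    results = []
    for name, data in files.items():
        r = scan_file(name, data, special, level)
        results.append(r)
        if sensitivity == "auto" and r["result"] != "clean":
            level = "high"
    return results


if __name__ == "__main__":
    for r in scan_all({"NETTOOL.EXE": NETTOOL_CLEAN, "UTIL.COM": UTIL,
                       "GAME.COM": GAME, "BACKUP.COM": UTIL}, SPECIAL):
        print(f"{r['file']:<12} {r['result']:<10} flags={r['flags'] or '-'}"
              f"{'  (excluded)' if r['excluded'] else ''}")
```

The listed NETTOOL.EXE looks like a virus to the heuristics (three hits) yet is reported clean because it matches its special-file entry. Appending a payload, or merely renaming the file, breaks the name/size/CRC match and the same bytes are analysed in full, which is the safety property the section describes.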
Heuristic Scanning

TbScan can detect unknown viruses. Its built-in disassembler detects suspicious instruction sequences and abnormal program layouts. This feature is called "heuristic scanning" and is partially enabled by default. TBAV performs heuristic scanning on files and boot sectors.

NOTE: Virus scanners can only tell you whether your system has been infected. At that point only a non-infected backup or a recovery program such as TbClean can properly counter the infection.

Scan Scheduling

Every PC owner should use a virus scanner frequently; it is the least one should do to avoid damage caused by a virus. We recommend that you devise your own schedule for a regular scan of your system (see Chapter 2 for details). We recommend the following scan sessions, used in combination with each other:

Execute TbScan from a write-protected bootable diskette once a week. Boot from this diskette before invoking the scanner. Booting from a clean diskette is the only way to make sure that no stealth virus is resident in memory while you scan.

Invoke a daily scan. You can invoke TbScan with the ONCE option from within the AUTOEXEC.BAT file to perform the daily scan automatically; this is the default if you used the standard installation procedure for TBAV (see Chapter 1). It is not necessary to boot from the TbScan diskette for the daily scan.

Scan each new diskette. Scan EVERY diskette you receive from a friend or acquaintance, to make sure that a virus has not come along with a copy of "a great game!"

3.2.2 Working with the TbScan Menus

For daily use you can activate TbScan by loading the program from the DOS command line (for example, in the AUTOEXEC.BAT file) or through the TBAV menu. For the weekly scan from the TbScan diskette, you will use the DOS command line. The Maximizing TbScan section of this chapter lists the TbScan command line options.

This section describes the use of the TbScan Menu, which is part of the TBAV menu. Taking each menu item in order, we'll explore the function of each. Selecting the "TbScan" option from the TBAV menu displays the following menu:

+-----Main menu-----+
| Confi+----TbScan menu-----+
| TbSca| Start scanning     |
| TbSet| Options menu      >|
| TbUti| Advanced options  >|
| TbCLe| If virus found    >|
| Virus| Log file menu     >|
| TBAV | View log file      |
| Docum+--------------------+
| Register TBAV     |
| About             |
| Quit and save     |
| eXit (no save)    |
+-------------------+

The "Start Scanning" Option

Selecting the "Start Scanning" option from the TbScan Menu displays one of the following two "Path Menu" configurations:

+-----Main menu-----+
| Confi+----TbScan menu-----+
| TbSca| Sta+---------Path menu---------+
| TbSet| Opt| Specified files/paths     |
| TbUti| Adv| Current directory         |
| TbCLe| If | Diskette in drive A:      |
| Virus| Log| Diskette in drive B:      |
| TBAV | Vie| All fixed Drives          |
| Docum+-----| All fixed Local drives    |
| Register TB| All fixed Network drives  |
| About      +---------------------------+
| Quit and save     |
| eXit (no save)    |
+-------------------+

+-----Main menu-----+
| Confi+----TbScan menu-----+
| TbSca| Sta+---------Path menu---------+
| TbSet| Opt| Specified files/paths     |
| TbUti| Adv| Current directory         |
| TbCLe| If | CD-ROM                    |
| Virus| Log| Drive_a                   |
| TBAV | Vie| Fullscan                  |
| Docum+-----| Local                     |
| Register TB+---------------------------+
| About             |
| Quit and save     |
| eXit (no save)    |
+-------------------+

The second menu configuration lists scan targets such as CD-ROM, Drive_a and so on. These targets are used primarily by TBAV for Windows, but TbScan for DOS can use them as well. If the TBAV menu finds one or more of these scan targets (the targets are really files with the filename extension SCN), the Path Menu displays the list of available targets. If no such scan targets exist, the first Path Menu configuration appears.

NOTE: The actual items you see in the Path menu might differ slightly, depending on your system configuration.

The Path Menus list the following options:

Specified files/paths. This option always presents a small prompt window in which you can specify the drives, paths, or even files you want to scan. You can specify multiple path specifications by separating them with spaces. The prompt is initialized with the last path you scanned before you saved the configuration.

Current directory. Select this option to scan only the directory from which you started the TBAV menu shell.

Diskette in drive A: or Diskette in drive B:. If you want to scan multiple diskettes, you might wish to activate the Repeat option of TbScan. See the TbScan Options Menu for more information.

All fixed drives. This option instructs TbScan to scan all available drives (except removable ones) completely. Depending on the settings in the TBAV configuration menu, TbScan prompts you to confirm the selected drives.

All fixed Local drives. If you are on a network, you probably do not want to scan the entire network. With this option you scan just the drives that reside in your machine. Depending on the settings in the TBAV configuration menu, TbScan prompts you to confirm the selected drives.

All fixed Network drives. With this option you scan all network drives. Depending on the settings in the TBAV configuration menu, TbScan prompts you to confirm the selected drives.

The "Options Menu" Option

Selecting the "Options Menu" option displays the following menu:
+-----Main menu-----+
| Confi+----TbScan menu-----+
| TbSca| Start+------TbScan options-------+
| TbSet| Optio| Use TBAV.INI file         |
| TbUti| Advan| Prompt for pause          |
| TbCLe| If vi| Quick scan                |
| Virus| Log f| Maximum Compatibility     |
| TBAV | View |v Bootsector scan          |
| Docum+-------|v Memory scan              |
| Register TBAV| HMA scan forced           |
| About        |v Upper memory scan        |
| Quit and save|v File scan                |
| eXit (no save|v Windows-OS/2-virus scan  |
+--------------|v Sub-Directory scan       |
               | Repeat scanning           |
               |v Abort on Ctrl-Break      |
               | Sound Effects             |
               |v Fast scrOlling           |
               |v Large directories        |
               | FAT checking              |
               +---------------------------+

Taking each menu item in order, we'll explore the function of each.

Use TBAV.INI file. TbScan searches for a file named TBAV.INI in the TBAV directory. By enabling this option, the TbScan configuration values saved in the TBAV.INI file also apply when you start TbScan from the command line.

CAUTION: If you specify options in the TBAV.INI file, you cannot undo them when running TbScan from the command line.

Prompt for pause. When you activate this option, TbScan stops after it checks the contents of each window. As each window fills with files, a "[More]" prompt appears at the bottom of the screen; press any key to view the next list of files. This lets you examine the results of the scan without consulting a log file afterwards.

Quick scan. This option instructs TbScan to use the ANTI-VIR.DAT files to check for file changes since the last scan. TbScan then scans only those files that have changed (CRC change) or are not yet listed in ANTI-VIR.DAT; the other files are merely checked against their ANTI-VIR.DAT records. By default, TbScan always scans all files (the quick scan option is not enabled by default).

Maximum compatibility. If you select this option, TbScan attempts to be more compatible with your system. Use it if the program does not behave as you expect or if it halts the system. Be aware, however, that this option slows down the scanning process, so use it only when necessary. It does not affect the results of a scan.

Boot sector scan. Enabling this option forces TbScan to scan the boot sector. The boot sector is the first sector of a disk (or partition), which the operating system uses to start itself. A special class of viruses (boot sector viruses) uses this part of a disk to infect your system.

Memory scan. Enabling this option forces TbScan to scan the memory of the PC.

HMA scan forced. By default, TbScan automatically detects the presence of an XMS driver and scans the HMA. If you are using an HMA driver that is not compatible with the XMS standard, use this option to force TbScan to scan the HMA anyway.

Upper memory scan. This option is enabled by default: TbScan identifies RAM beyond the conventional DOS limit and scans that memory too, which includes video memory and the currently mapped EMS pages. Clear the check mark to restrict the memory scan to conventional memory.

File scan. By default, TbScan checks files for viruses. Removing the check mark disables file scanning. This is useful if, for example, you have been struck by a boot sector virus and want to scan only the boot sectors of your floppy disks.

Windows-OS/2-virus scan. By default, TbScan scans Windows and OS/2 files for viruses. Removing the check mark disables Windows and OS/2 file scanning.

Subdirectory scan. By default, TbScan searches sub-directories for executable files, unless you specify a filename (wildcards allowed). If you disable this option, TbScan does not scan sub-directories.

Repeat scanning. This option is very useful when you want to check a large number of diskettes. TbScan does not return to DOS after checking a disk; instead it prompts you to insert another disk in the drive.

Abort on Ctrl-Break. If you do not want the scanning process to be aborted by pressing Ctrl+Break, disable this option.

Sound Effects. Checking this option enables an audible signal when TbScan detects a virus.

Fast scrolling. TbScan displays processed files in a scrolling window, which scrolls in one of two ways: fast scrolling, in which new files appear on top of the previous ones once the window is full, and the conventional slow method, in which files at the bottom "push up" the previous ones. By default TbScan uses the faster but less attractive method.

Large directories. If TbScan's directory table runs out of space, which is very unlikely, you can use this option to allocate a larger directory table.

FAT checking. If this option is specified and TbScan is able to use its internal file system, it checks the disks for lost clusters, cross-linked clusters, invalid cluster numbers, and invalid allocation sizes. These errors often indicate system problems and should be corrected as soon as possible. Because TbScan has to read the FAT and all directories anyway, it can perform this important check without using additional time.
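The four FAT consistency errors listed above, checked in one pass over the cluster chains, as an added Python example written for this page; it is not part of the manual and not TbScan's code. The FAT16-style table, the directory entries, the cluster size and the report layout are all constructed for the illustration (one entry is cross-linked, one points outside the table, one owns too few clusters for its size, and two allocated clusters belong to no file). The walk also counts fragmented files, since that information comes for free from the same pass.

```python
"""One-pass FAT consistency check over a constructed FAT16-style table.
Added example for this page; not TbScan code.  Sample data is made up."""

EOC = 0xFFF8  # any FAT value >= EOC marks the end of a cluster chain (FAT16)


def check_fat(fat: list, entries: list, cluster_size: int) -> dict:
    """Walk every directory entry's cluster chain and report:
    cross_linked  : (file, cluster, other_file) when a cluster is already
                    owned by another chain (or by the same chain, i.e. a loop)
    invalid_cluster: (file, value) when a link leaves the valid range 2..N-1
    size_mismatch : (file, clusters_found, clusters_expected) when the chain
                    length does not fit the directory's file size
    lost_clusters : allocated clusters that no chain reaches
    fragmented    : number of intact chains that are not contiguous
    `fat[c]` is the next cluster after c; 0 means free.  `entries` are
    (name, first_cluster, size_in_bytes) tuples; first_cluster 0 = empty."""
    owner = {}                      # cluster -> name of the file that reached it first
    report = {"cross_linked": [], "invalid_cluster": [],
              "size_mismatch": [], "lost_clusters": [], "fragmented": 0}
    for name, start, size in entries:
        chain, cur, broken = [], start, False
        if start != 0:
            while cur < EOC:
                if cur < 2 or cur >= len(fat):        # includes 0 inside a chain
                    report["invalid_cluster"].append((name, cur))
                    broken = True
                    break
                if cur in owner:
                    report["cross_linked"].append((name, cur, owner[cur]))
                    broken = True
                    break
                owner[cur] = name
                chain.append(cur)
                cur = fat[cur]
        if broken:
            continue                                  # length is meaningless
        expected = (size + cluster_size - 1) // cluster_size
        if len(chain) != expected:
            report["size_mismatch"].append((name, len(chain), expected))
        if any(b != a + 1 for a, b in zip(chain, chain[1:])):
            report["fragmented"] += 1
    report["lost_clusters"] = [c for c in range(2, len(fat))
                               if fat[c] != 0 and c not in owner]
    return report


# Constructed 16-entry FAT.  Index = cluster number, value = next cluster.
SAMPLE_FAT = [
    0xFFF8, 0xFFFF,   # 0, 1: media descriptor / reserved
    12,               # 2:  README.TXT, continues at 12 (fragmented)
    0,                # 3:  free
    5, 6, 0xFFFF,     # 4-6: GAME.EXE, three contiguous clusters
    5,                # 7:  CROSS.DAT links into GAME.EXE's chain at 5
    40,               # 8:  BAD.BIN links to a cluster that does not exist
    0xFFFF,           # 9:  SHORT.TXT, a single cluster
    11, 0xFFFF,       # 10-11: allocated but referenced by no directory entry
    0xFFFF,           # 12: end of README.TXT
    0, 0, 0,          # 13-15: free
]
SAMPLE_DIR = [                      # (name, first cluster, size in bytes)
    ("README.TXT", 2, 900),
    ("GAME.EXE", 4, 1400),
    ("CROSS.DAT", 7, 1500),
    ("BAD.BIN", 8, 1000),
    ("SHORT.TXT", 9, 2000),         # needs 4 clusters of 512, owns 1
]


def demo() -> dict:
    return check_fat(SAMPLE_FAT, SAMPLE_DIR, 512)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<16} {value}")
```

Lost clusters can only be computed after every chain has been walked, which is why they are collected last; a scanner that already touches the FAT and every directory, as the text notes TbScan does, gets all five findings for the cost of the bookkeeping.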
The "Advanced Options" Option When you select the Advanced Options option, the following menu is displayed: +-----Main menu-----+ | Confi+----TbScan menu-----+ | TbSca| Start+------TbScan advanced options-----+ | TbSet| Optio| High heuristic sensitivity | | TbUti| Advan|v Auto heuristic sensitivity | | TbCLe| If vi| Low heuristic sensitivity | | Virus| Log f| Non-executable scan | | TBAV | View | FAT info (fragmented files) | | Docum+-------| Extract signatures | | Register TBAV| Configure executable extensions | | About +----------------------------------+ | Quit and save | | eXit (no save) | +-------------------+ Let's now explore these options. TBAV User Manual. Copyright (C) 1989-1996 ThunderBYTE B.V. Page 56 High heuristic sensitivity. While TbScan always performs a heuristic scan on the files being rocessed, it reports a file as infected only if it is very probable that the file is infected. If you select this option, TbScan is somewhat more sensitive. In this mode, TbScan detects 90% of the new, unknown viruses without any signature. Be aware, however, that some false alarms might occur. Auto heuristic sensitivity. By default, TbScan automatically adjusts the heuristic detection level after it finds a virus. In other words, when TbScan finds a virus, it then goes on as if you had selected High heuristic sensitivity. This option provides you maximum detection capabilities in case you need it, while at the same time keeps false alarms at a minimum. Low heuristic sensitivity. In this mode TbScan almost never issues a false alarm. It still, however, detects about 50% of the new, unknown viruses. Non-executable scan. This option instructs TbScan to scan non-executable files (files with an extension other than COM, EXE, SYS, OV? or BIN) as well as executables. If TbScan finds out that such a file does not contain anything that the processor can execute, it skips the file. Otherwise TbScan searches the file for COM, EXE and SYS signatures. 
Be aware that TbScan does not perform heuristic analysis on non-executable files. Since viruses normally do not infect non-executable files, it is not necessary to scan non-executable files too. We recommend, in fact, that you NOT use this option unless you have a good reason to scan all files. Again, you must execute a virus before it can do what it was programmed to do, and since you do not execute non-executable files, a virus in such a file cannot do anything. For this reason viruses do not even try to infect such files. Some viruses, however, do write to non-executable files, but this is a result of "incorrect" programming. And even though these non-executable files contain corrupted data, they still won't harm other program or data files.

FAT info (fragmented files).
If this option is specified, TbScan displays the number of fragmented files after it has finished scanning. If the number of fragmented files is high, you can increase the system performance by using a disk optimizer. This option is only valid if the option 'fatcheck' has been specified, and TbScan is using its internal file system.

Extract signatures.
This option is available to registered users only. See the Using TbGenSig section in Chapter 4 for more information.

Configure executable extensions.
By default, TbScan scans only those files that have a filename extension that indicates that the file is a program file. Viruses that do not infect executable code simply do not exist. Files with the extension EXE, COM, BIN, SYS, and OV? (note the wildcard: the OV? specification includes files such as OVR and OVL) are considered executable. There are, however, some additional files that have an internal layout that makes them suitable for infection by viruses. Although it is not likely that you will ever execute most of these files, you might want to scan them anyway.
Some filename extensions that might indicate an executable format include: .DLL (MS-Windows Dynamic Link Library), .SCR (MS-Windows screen saver file), .MOD (MS-Windows file), .CPL (MS-Windows Control Panel application), .00? and .APP. While infection of such files is not likely, you might want to scan them once in a while. To force TbScan to scan these files by default, select this option and fill out the extensions you want TbScan to scan. For example, you can specify .DLL.SCR.CPL (with no spaces in between). You can also use the question mark wildcard.

WARNING: Be careful which extensions you specify. Scanning a non-executable file, for example, causes unpredictable results, and might result in false alarms.

The "If Virus Found" Option

Selecting this option displays the following menu:

+-----Main menu-----+
| Confi+----TbScan menu----+
| TbSca| Start+--What if a virus is found?-+
| TbSet| Optio|v Present action menu       |
| TbUti| Advan|  Just continue (logonly)   |
| TbCLe| If vi|  Delete infected file      |
| Virus| Log f|  Kill infected file        |
| TBAV | View |  Rename infected file      |
| Docum+------+----------------------------+
| Register TBAV     |
| About             |
| Quit and save     |
| eXit (no save)    |
+-------------------+

Let's explore these options.

Present action menu.
This option (the default) instructs TbScan to display a menu listing four possible actions if it detects a virus: just continue, delete, kill or rename the infected file.

Just continue (logonly).
By default, if TbScan detects an infected file, it prompts you to delete or rename the infected file, or to continue without action. If you select this option, however, TbScan always continues. We recommend that you use a log file in such situations, since a scanning operation does not make much sense if you don't read the return messages (see the Log File Menu option below for further information).

Delete infected file.
By default, if TbScan detects a virus in a file it prompts you to delete or rename the infected file, or to continue without action. If you select this option, however, TbScan deletes the infected file automatically, without prompting you first. Use this option if you know your computer is infected by a virus and you want to erase all files the virus has infected. Make sure you have a clean backup and that you really want to get rid of all infected files at once.

Kill infected file.
This option is almost the same as the "Delete infected file" option with one major difference. The DOS UNDELETE command enables you to recover a deleted file, but if you delete the infected file using this "Kill" option, recovery is no longer possible.

Rename infected file.
By default, if TbScan detects a file virus it prompts you to delete or rename the infected file, or to continue without action. If you select this option, however, TbScan renames the infected file automatically, without prompting you first. By default, TbScan replaces the first character of the file extension with the character 'V'. It renames an .EXE file to .VXE, for example, and a .COM file to .VOM. This prevents the execution of infected programs and thereby the spreading of the infection. This also enables you to keep the files for later examination and repair.

The "Log File Menu" Option

You can use the "TbScan Log Menu" to handle the results of the scan process (write them to a file or to a printer, for example). The menu appears below, followed by a description of the options.
+----Main menu-----+
| Confi+------TbScan menu------+
| TbSet| Start+-------TbScan LOG menu-------+
| TbSca| Optio|  Log file path/name         |
| TbUti| Advan|  Output to log file         |
| TbCLe| If vi|  Specify log-level         >|
| TBAV | Log f|  Append to existing log     |
| Docum| View |  No heuristic descriptions  |
| Regis+------|  Truename filenames         |
| Quit and save+-----------------------------+
| eXit (no save)   |
+------------------+

Log file path/name.
Using this option you can specify the name of the log file you want to use. TbScan creates the file in the current directory unless you specify a path and filename. If the log file already exists, TbScan overwrites the file (unless you selected the "Append to existing log" option). If you want to print the results, you can specify a printer device name rather than a filename (LPT1 instead of C:\TBAV\TBSCAN.LOG, for example).

CAUTION: To create the log file, you must select the "Output to log file" option.

Output to log file.
When you select this option, TbScan creates a log file. The log file lists all infected program files, specifying heuristic flags (see Appendix B) and complete pathnames.

Specify log-level.
This option enables you to configure the actual contents of the log file using the following menu:

+----Main menu-----+
| Confi+------TbScan menu------+
| TbSet| Start+-------TbScan LOG menu-------+
| TbSca| Optio| Log f+--------Log-level menu--------+
| TbUti| Advan| Outpu|  0: Log only infected files  |
| TbCLe| If vi| Speci|v 1: Log summary too          |
| TBAV | Log f| Appen|  2: Log suspected too        |
| Docum| View | No he|  3: Log all warnings too     |
| Regis+------| Truen|  4: Log clean files too      |
| Quit and save+------+------------------------------+
| eXit (no save)   |
+------------------+

These levels determine what kind of file information TbScan notes in the log file. The default log level is 1, but you can select one of five levels:

0: Log only infected files.
Specifies that if there are no infected files, TbScan does not create or change the log file.

1: Log summary too.
Places a summary and time stamp in the log file, and specifies that TbScan put only infected files in the log file.

2: Log suspected too.
This is almost the same as level 1, but TbScan also logs suspected files, that is, files that would trigger the heuristic alarm if you specified the "High heuristic sensitivity" option.

3: Log all warnings too.
This level is an extension of the previous level. It specifies that TbScan log all files that have a warning character printed behind the filename.

4: Log clean files too.
This places the information of all files being processed into the log file.

Append to existing log.
If you select this option, TbScan appends new information to the existing log file instead of overwriting it. If you use this option often, we recommend that you delete or truncate the log file once in a while to avoid unlimited growth.

CAUTION: To create the log file, you must select the "Output to log file" option.

No heuristic descriptions.
If you enable this option, TbScan does not include the descriptions of the heuristic flags in the log file. See Appendix B for the heuristic flag descriptions.

Truename filenames.
If this option is specified, TbScan uses 'truenames' rather than DOS filenames. If you process a file on a network, accessed by DOS as F:\USER\FILE.EXE, then TbScan will use the fully expanded filename (like \\SERVER2\PUBLIC\USER\FILE.EXE) on the screen and in the log file.

The "View Log File" Option

If you activate one of the above log file options, you can then select this option to view and study the log. Otherwise, this option is not available.

TIP: See the "Configuring TBAV" section in Chapter 1 for how you can specify your own file viewer using the "Configure TBAV, File view utility" command.
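The three-character masks behind the "Configure executable extensions" option (a list such as .DLL.SCR.CPL, with OV? as a built-in wildcard) and the "Rename infected file" option (default mask V??) described earlier in this section, as an added example that is not TbScan's own code; the built-in extension list is the one the section gives, the function names and the handling of short extensions are assumptions:

```python
"""Added example (not TbScan's own code) of the two three-character masks
the manual describes, where '?' stands for any single character:
  - the executable-extension list of "Configure executable extensions" /
    EXEC=.<ext-mask>, written without spaces such as .DLL.SCR.CPL, which
    extends the built-in COM, EXE, SYS, OV? and BIN;
  - the rename mask of "Rename infected file" / RENAME=<text-mask>, whose
    default V?? turns .EXE into .VXE and .COM into .VOM."""

BUILTIN_EXEC_MASKS = ["COM", "EXE", "SYS", "OV?", "BIN"]   # listed in the manual

def split_name(filename):
    """'FORMAT.COM' -> ('FORMAT', 'COM'); a name without a dot has ext ''."""
    base, dot, ext = filename.rpartition(".")
    return (base, ext) if dot else (filename, "")

def mask_matches(mask, ext):
    """True when a mask such as OV? matches the extension; lengths must agree
    (assumption: a two-letter extension does not match a three-letter mask)."""
    mask, ext = mask.upper(), ext.upper()
    return len(mask) == len(ext) and all(m in ("?", e) for m, e in zip(mask, ext))

def parse_exec_list(spec):
    """'.DLL.SCR.OV?' -> ['DLL', 'SCR', 'OV?']; rejects masks longer than 3."""
    masks = [part for part in spec.upper().split(".") if part]
    bad = [m for m in masks if not 1 <= len(m) <= 3]
    if bad:
        raise ValueError(f"extension masks must be 1 to 3 characters: {bad}")
    return masks

def is_executable(filename, exec_spec=""):
    """Would TbScan treat this file as a program file, given EXEC=exec_spec?"""
    _, ext = split_name(filename)
    masks = BUILTIN_EXEC_MASKS + parse_exec_list(exec_spec)
    return any(mask_matches(m, ext) for m in masks)

def rename_infected(filename, mask="V??"):
    """Apply the rename mask position by position: a fixed character replaces,
    '?' keeps the original character (blank if the extension is shorter)."""
    if len(mask) != 3:
        raise ValueError("the rename mask must be exactly three characters")
    base, ext = split_name(filename)
    padded = ext.upper().ljust(3)
    new_ext = "".join(e if m == "?" else m for m, e in zip(mask.upper(), padded))
    return f"{base}.{new_ext.rstrip()}"

if __name__ == "__main__":
    for name in ("FORMAT.COM", "WIN.EXE", "GAME.OVL", "CTL3D.DLL", "README.TXT"):
        print(f"{name:<12} executable by default: {is_executable(name)!s:<5} "
              f"with .DLL.SCR.CPL: {is_executable(name, '.DLL.SCR.CPL')!s:<5} "
              f"renamed: {rename_infected(name)}")
```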
3.2.3 Maximizing TbScan

Now that you know how to use TbScan's menus, you can more easily understand the power of using it from the command line. When you run TbScan from the DOS command line, it recognizes command line options (often called "switches" in DOS terms). These options appear as "key-words" or "key-letters." The words are easier to memorize, so we will use these in this manual for convenience.

When you run TbScan, it looks for a file named TBAV.INI in the TBAV directory. If the keyword USEINI appears in the [TbScan] section of the TBAV.INI file, the other options listed in the [TbScan] section will be included when you run TbScan from the command line.

CAUTION: Be aware that if you specify options in the TBAV.INI file, you cannot undo them when you run TbScan from the command line.

The following table lists the TbScan command line options:

option parameter       short   explanation
-------------------    -----   ----------------------------------------
help                   he      help
pause                  pa      enable Pause prompt
mono                   mo      force monochrome output
quick                  qs      quick scan (use ANTI-VIR.DAT)
allfiles               af      scan non-executables too
alldrives              ad      scan all local non-removable drives
allnet                 an      scan all network drives
heuristic              hr      enable heuristic alerts
extract                ex      extract signatures (registered users only)
once                   oo      scan only once a day
slowscroll             ss      enable conventional (slow) scrolling
secure                 se      disable "user abort" (registered users only)
compat                 co      maximum compatibility mode
ignofile               in      ignore no-file error
largedir               ld      use large directory table
fatcheck               fc      check the FAT for errors
fatinfo                fi      display amount of fragmented files
old                    ol      disable the "This program is old" message
noboot                 nb      skip boot sector check
nofiles                nf      skip scanning of files
nomem                  nm      skip memory check
hma                    hm      force HMA scan
nohmem                 nh      skip UMB/HMA scan
nosub                  ns      skip sub-directories
noautohr               na      auto heuristic level adjust
nowin                  nw      do not scan for Windows-OS/2 viruses
repeat                 rp      scan multiple diskettes
audio                  aa      make noise if virus found
batch                  ba      batch mode - no user input
delete                 de      automatically delete infected files
kill                   ki      automatically kill infected files
truename               tn      use true name instead of DOS name
log                    lo      output to log file
append                 ap      log file append mode
expertlog              el      no heuristic descriptions in log
logname=<filename>     ln      set path/name of log file
loglevel=<0...4>       ll      set log level
wait=<0...255>         wa      amount of timer-ticks to wait
rename[=<text-mask>]   rn      rename infected files
exec=.<ext-mask>       ee      specify executable extensions

The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option.

TIP: Remember that you can display these options from the command line by entering TBSCAN ?.

help (he).
If you specify this option TbScan displays the help as listed above.

pause (pa).
When you specify the PAUSE option, TbScan stops after it checks the contents of one window. This enables you to examine the results without having to consult a log file later.

mono (mo).
This option prevents TbScan from using colors in the screen output. This might enhance the screen output on some LCD screens or color-emulating monochrome systems.

quick (qs).
This option instructs TbScan to use the ANTI-VIR.DAT files to check for file changes since the last scan. TbScan scans only those files that have changed (CRC change) or do not appear in ANTI-VIR.DAT. By default (without this option), TbScan always scans every file.

allfiles (af).
If you specify this option, TbScan also scans non-executable files (that is, files without a .COM, .EXE, .SYS or .BIN extension). If TbScan finds that such a file does not contain executable code, it "skips" that file. Otherwise, TbScan searches the file for COM, EXE and SYS signatures. Be aware that TbScan does not perform heuristic analysis on non-executable files. Since viruses normally do not infect non-executable files, it is not necessary to scan them. We recommend, in fact, that you do not use this option unless you have a good reason to scan all files, since a file infected with a virus must normally be executed before it can perform what it is programmed to do, and since you can't execute a non-executable file, a virus in such a file cannot do anything. Some viruses write to non-executable files, but this is simply a result of "incorrect" programming or a specific targeted attack, the result of which may be corrupted data, which will not likely harm other program or data files.

alldrives (ad).
This option instructs TbScan to scan all local non-removable disks.

allnet (an).
This option instructs TbScan to scan all network drives.

heuristic (hr).
While TbScan always performs a heuristic scan on the files being processed, if you select this option TbScan increases its level of sensitivity. In this mode, TbScan detects 90% of the unknown viruses without any signatures. Be aware, however, that some false alarms might occur.
See the "Understanding Heuristic Scanning" section later in this chapter for more information.

extract (ex).
This option is available to registered users only. See the "Using TbGenSig" section in Chapter 4 for more information.

once (oo).
If you specify this option, TbScan "remembers" whether it has run that day, and if it has, it will not run again. In other words, this instructs TbScan to run only once a day, regardless of how many times you actually enter the command from the DOS prompt or a batch file. This command is very useful in your AUTOEXEC.BAT file, for example:

TBSCAN @EVERYDAY.SCN ONCE RENAME

TbScan now scans the list of files and/or paths specified in the file EVERYDAY.SCN during the first boot-up of the day. If the system boots more often that day, TbScan returns to the DOS prompt immediately. This option does not interfere with the regular use of TbScan. If you invoke TbScan without this option, it always runs, regardless of a previous run with the ONCE option set.

NOTE: If TbScan cannot write to TBSCAN.EXE because it is flagged "read-only" or is located on a write-protected diskette, the ONCE option fails and the scanner executes without it.

slowscroll (ss).
If you specify this option, TbScan scrolls the files in the files window conventionally. This method is slower but looks more attractive.

secure (se).
This option is available to registered users only. If you use it, it is no longer possible to cancel TbScan by pressing Ctrl+Break, or to respond to a virus alert window.

compat (co).
If you select this option, TbScan attempts to be more compatible with your system. Use this option if the program does not behave as you would expect, or if it even halts the system. This option slows down the scanning process, so you should use it only if necessary. This option in no way affects the results of a scan.

ignofile (in).
If you specify this option and TbScan doesn't find any files, TbScan does not display the "no files found" message, nor does it exit with ERRORLEVEL 1. You might use this option for automatic contents scanning.

largedir (ld).
If TbScan's directory table runs out of space, which is very unlikely, you can use this option to allocate a large directory table.

fatcheck (fc).
If this option is specified, and TbScan is able to use its internal file system, it will check the disk(s) for lost clusters, cross-linked clusters, invalid cluster numbers, and invalid allocation sizes. These errors often indicate system problems and need to be corrected as soon as possible. Because TbScan needs to read the FAT and all directories anyway, it can perform this important check without using additional time.

fatinfo (fi).
If this option is specified, TbScan displays the number of fragmented files after it has finished scanning. If the number of fragmented files is high, you can increase the system performance by using a disk optimizer. This option can only be used in combination with the option "fatcheck", and if TbScan is using its internal file system.

old (ol).
This option suppresses the message that appears if TbScan is 6 months old.

noboot (nb).
If you specify this option, TbScan does not scan the boot sector.

nofiles (nf).
This option disables the scanning of files. This can be useful if you are the victim of a boot sector virus and want to scan a large stack of diskettes as fast as possible.

nomem (nm).
If you specify this option, TbScan does not scan memory.

hma (hm).
By default, TbScan automatically detects the presence of an XMS driver and scans the HMA. If you have an HMA driver that is not compatible with the XMS standard, you can use this option to force TbScan to scan the HMA.

nohmem (nh).
By default, TbScan identifies RAM beyond the DOS limit and scans it.
This means that it scans video memory and the current EMS pages. You can, therefore, use this option to disable the scanning of non-DOS memory.

nosub (ns).
By default, TbScan searches sub-directories for executable files, unless you specify a filename (wildcards allowed). If you enable this option, TbScan does not scan sub-directories.

noautohr (na).
TbScan automatically adjusts the heuristic detection level after it locates a virus. In other words, when TbScan finds a virus, it continues as if you used the HEURISTIC option. This provides you maximum detection capabilities in case you need it, while keeping the number of false alarms to a minimum. If you don't want this, you can specify the option NOAUTOHR.

nowin (nw).
By default, TbScan scans Windows and OS/2 files for viruses. This option disables Windows and OS/2 file scanning.

repeat (rp).
This option is very useful if you want to check a large number of diskettes. Instead of returning to DOS after checking a disk, TbScan prompts you to insert another disk in the drive.

audio (aa).
This enables an audible alarm sound when TbScan finds a virus.

batch (ba).
By enabling this option, TbScan scans without displaying any messages. If you use this option, we recommend that you use a log file (see the LOG option below).

delete (de).
By default, if TbScan detects a virus in a file, it prompts you to delete or rename the infected file, or to continue without action. If you specify this option, however, TbScan deletes the infected file automatically, without prompting you first. Use this option if you know there is a virus infection. Make sure that you have a clean backup, and that you really want to get rid of all infected files at once.

kill (ki).
By default, if TbScan detects a virus in a file it prompts you to delete or rename the infected file, or to continue without action.
If you specify this option, TbScan deletes the infected file automatically, without prompting you first. Unlike the DELETE option, however, KILL prevents files from being undeleted. Be careful if you use this option. Make sure you have a clean backup!

truename (tn).
This option instructs TbScan to use "truenames" rather than DOS names. For example, if you process a file on a network that DOS accesses using the name F:\USER\FILE.EXE, TbScan uses the full name \\SERVER\PUBLIC\USER\FILE.EXE on the screen and in the log.

log (lo).
When you use this option, TbScan creates a log file. The log file lists all infected program files, specifying heuristic flags (see Appendix B) and complete pathnames.

append (ap).
If you use this option, TbScan appends new information to an existing log file rather than overwriting it. If you use this option often, we recommend that you delete or truncate the log file occasionally to avoid unlimited growth.

NOTE: If you use this option, you must also use the LOG option.

expertlog (el).
If you enable this option, TbScan does not include the descriptions of the heuristic flags in the log file. Appendix B lists the heuristic flag descriptions.

logname=<filename> (ln).
Using this option, you can specify the name of the log file you want to use. TbScan creates the file in the current directory unless you specify a path and filename with this option. If the log file already exists, TbScan overwrites it. If you want to print the results, you can specify a printer device name rather than a filename (for example, you can specify LOGNAME=LPT1).

NOTE: If you use this option, you must also use the LOG option.

loglevel=<0..4> (ll).
These levels determine what kind of file information the log file stores. The default log level is 1, but you can select one of five log levels:

0 : Log only infected files.
This specifies that if there are no infected files, TbScan does not create or change the log file.

1 : Log summary too.
This places a summary and time stamp in the log file, and specifies that TbScan put only infected files in the log file.

2 : Log suspected too.
This is almost the same as level 1, but TbScan also logs "suspected files," files that would trigger the heuristic alarm if you specify the "High heuristic" sensitivity option.

3 : Log all warnings too.
This level is an extension of the previous level. It specifies that TbScan log all files that have a warning character printed behind the filename.

4 : Log clean files too.
This places the information of all files being processed into the log file.

NOTE: If you use this option, you must also use the LOG option.

wait=<0..255> (wa).
Use this option to delay TbScan. This might be handy if you want to scan a very busy network but don't want to occupy the network too heavily. You specify the number of timer ticks TbScan waits between scanned files.

rename[=<text-mask>] (rn).
By default, if TbScan detects a file virus, it prompts you to delete or rename the infected file, or to continue without action. If you select this option, TbScan renames the infected file automatically, without prompting you first. Also by default, TbScan replaces the first character of the file extension with the character 'V'. It renames an .EXE file to .VXE, for example, and a .COM file to .VOM. This prevents the execution of infected programs and thereby prevents spreading the infection. This option also enables you to keep the infected files for later examination and repair. You can also add a parameter to this option specifying the target extension. This parameter should always contain three characters; you can use question marks. The default target extension is "V??".

exec=.<ext-mask> (ee).
Using this option you can add filename extensions that indicate what files are executable. If you want to use this option, you probably want to put it in the configuration file. Refer to the "Advanced Options" Option section earlier in this chapter for an explanation of configuring executable extensions.

Here are a few examples using TbScan from the DOS command line.

1. This command:

   TBSCAN C:\ NOBOOT

   scans all executable files in the root directory and its subdirectories and skips the boot sector scan.

2. This command:

   TBSCAN \*.*

   scans all files in the root directory but does not process subdirectories.

3. This command:

   TBSCAN C:\ LOG LOGNAME=C:\TEST.LOG LOGLEVEL=2

   scans all executable files on drive C: and creates a log file named C:\TEST.LOG that contains all infected and suspected files.

4. This command:

   TBSCAN \ LOG LOGNAME=LPT1

   scans the root directory and its subdirectories and then redirects the results to the printer instead of a log file.

3.2.4 Understanding the Scanning Process

This section adds to your knowledge of TbScan by explaining a little more about the scanning process.

TbScan starts scanning immediately whenever you run it from the DOS command line or select the Start Scanning option in the TbScan Menu. As TbScan begins its scan, your screen will look similar to the following:

+-----------------------------------------------------------------+
|Thunderbyte virus detector (C) 1989-95, Thunderbyte B.V.         |
|                                                                 |
| TBAV is upgraded every two months. Free hotline support is      |
| provided for all registered users via telephone, fax and        |
| electronic bulletin board. Read the comprehensive documentation |
| files for detailed info.                                        |
|                                                                 |
| C:\DOS\                                                         |
|                                                                 |
|  ANSI.SYS     scanning..> OK              signatures:      986  |
|  COUNTRY.SYS  skipping..> OK                                    |
|  DISKCOPY.COM tracing...> OK              file system:     OWN  |
|  DISPLAY.SYS  scanning..> OK                                    |
|  DRIVER.SYS   scanning..> OK              directories:      01  |
|  EGA.CPI      skipping..> OK              total files:      17  |
|  FASTOPEN.EXE looking...> OK              executables:      12  |
|  FDISK.EXE    looking...> OK              CRC verified:     10  |
|  FORMAT.COM   tracing...> E OK            changed files:    00  |
|  GRAFTABL.COM tracing...> OK              infected items:   00  |
|  GRAPHICS.COM tracing...> OK                                    |
|  GRAPHICS.PRO skipping..> OK              elapsed time:  00:05  |
|                                           Kb /second:       57  |
+-----------------------------------------------------------------+

TbScan divides the screen into three windows: an information window (at the top), a scanning window (the bottom-left window) and a status window (to the right of the scanning window). The information window initially displays the vendor information only. If TbScan detects infected files, it displays the names of the file and the virus in the upper window.

The lower left window displays the names of the files being processed, the algorithm in use, information and heuristic flags, and finally an OK statement or the name of the virus detected. Notice the following example:

    NLSFUNC.EXE checking..> FU OK
        |          |        |  |
        |          |        |  result of scan
        |          |        heuristic flags
        |          algorithm being used to process file
        name of file in process

You will see comments following each file name, such as: "looking," "checking," "tracing," "scanning," or "skipping." These refer to the various algorithms being used to scan files. Other comments that TbScan displays here are the heuristic flags. Consult the Understanding Heuristic Flags section later in this chapter and Appendix B for more information on these warning characters.

The lower right window is the status window. It displays the number of files and directories encountered as well as the number of viruses found. It also displays which file system is being used: either DOS or OWN. The latter means that TbScan is able to bypass DOS. If this is the case, TbScan reads all files directly from disk for extra security and speed.
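The scanning-window line format just described, together with the five LOGLEVEL settings and the EXPERTLOG option from the command-line section, as an added example that is not TbScan's code: it parses constructed lines like the NLSFUNC.EXE one above, classifies each file by its result and by the presence of upper-case flags, and builds the log each level would produce. The sample lines, the virus name SAMPLE and the flag descriptions (placeholders standing in for Appendix B) are constructed.

```python
"""Added example (not TbScan's own code): parse lines of the kind TbScan
shows in its scanning window, e.g.

    NLSFUNC.EXE checking..> FU OK

into file name, algorithm, heuristic flags and result, classify each file
as infected / suspected / warning / clean, and build the log the five
LOGLEVEL settings would produce, with EXPERTLOG suppressing descriptions.
The sample lines, the virus name and the flag descriptions are constructed."""
from collections import Counter
from datetime import datetime

# First word of each result text the manual lists; tokens before it are flags.
RESULT_STARTS = {"OK", "Might", "Probably", "infected", "is",
                 "damaged", "dropper", "garbage"}

# Placeholder texts standing in for the Appendix B descriptions (constructed).
FLAG_DESCRIPTIONS = {
    "F": "placeholder description for flag F (see Appendix B)",
    "U": "placeholder description for flag U (see Appendix B)",
    "E": "placeholder description for flag E (see Appendix B)",
}

# Which categories each log level writes (level 1 differs from 0 only by the summary).
LEVEL_CATEGORIES = {
    0: {"infected"},
    1: {"infected"},
    2: {"infected", "suspected"},
    3: {"infected", "suspected", "warning"},
    4: {"infected", "suspected", "warning", "clean"},
}

def parse_scan_line(line):
    """'NAME  algo...> FLAGS RESULT' -> dict(name, algorithm, flags, result)."""
    name, rest = line.split(None, 1)
    algorithm, rest = rest.split(">", 1)
    tokens = rest.split()
    i = 0
    while i < len(tokens) and tokens[i] not in RESULT_STARTS:
        i += 1                      # everything before the result text is flags
    return {
        "name": name,
        "algorithm": algorithm.strip(". "),
        "flags": "".join(tokens[:i]),
        "result": " ".join(tokens[i:]),
    }

def classify(entry):
    """Upper-case flags are the serious ones; lower-case flags are informational."""
    result = entry["result"]
    if result.startswith("Might be"):          # heuristic alert at high sensitivity
        return "suspected"
    if result != "OK":                          # signature hit, "Probably", Trojan, ...
        return "infected"
    if any(ch.isupper() for ch in entry["flags"]):
        return "warning"
    return "clean"

def build_log(lines, loglevel=1, expertlog=False, now=None):
    """Return the log lines, or None when level 0 has no infected file
    (the manual: no infected files -> do not create or change the log)."""
    if loglevel not in LEVEL_CATEGORIES:
        raise ValueError("loglevel must be 0..4")
    entries = [parse_scan_line(ln) for ln in lines if ln.strip()]
    counts = Counter(classify(e) for e in entries)
    out = []
    for entry in entries:
        category = classify(entry)
        if category not in LEVEL_CATEGORIES[loglevel]:
            continue
        text = f"{entry['name']:<14}{entry['flags']:<6}{entry['result']}"
        serious = [f for f in entry["flags"] if f.isupper()]
        # level 3 and up adds a description per serious flag unless EXPERTLOG is set
        if loglevel >= 3 and serious and not expertlog:
            descs = [FLAG_DESCRIPTIONS.get(f, f"no description for flag {f}")
                     for f in serious]
            text += "  (" + "; ".join(descs) + ")"
        out.append(text)
    if loglevel == 0:
        return out if counts["infected"] else None
    stamp = (now or datetime.now()).strftime("%Y-%m-%d %H:%M")
    out.append(f"--- {stamp}: {len(entries)} files, {counts['infected']} infected, "
               f"{counts['suspected']} suspected, {counts['warning']} with warnings")
    return out

# Constructed sample of what the scanning window shows; SAMPLE is a made-up name.
SAMPLE_LINES = [
    "ANSI.SYS     scanning..> OK",
    "FORMAT.COM   tracing...> E OK",
    "NLSFUNC.EXE  checking..> FU OK",
    "PKZIP.EXE    looking...> c OK",
    "GAME.EXE     tracing...> F Might be infected by an unknown virus",
    "HELLO.COM    tracing...> is infected by SAMPLE virus",
]

if __name__ == "__main__":
    for level in range(5):
        print(f"LOGLEVEL={level}:", build_log(SAMPLE_LINES, level))
```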
You can abort the scanning process by pressing the two keys Ctrl+Break simultaneously (that is, if you didn't specify the "SECURE" option).

When TbScan detects an infected program, it displays the name of the virus. If you did not specify the BATCH, RENAME or DELETE options, TbScan prompts you to specify the appropriate action. If you choose to rename the file, TbScan replaces the first character of the file extension with the character 'V'. This prevents you or someone else from accidentally executing the file before you can investigate it more thoroughly.

If TbScan detects an infected file, it displays one of the following messages:

[Name of file] is infected by [name of virus] virus.
The file is infected by the virus mentioned.

[Name of file] is Joke named [name of Joke].
Some programs simulate that the system is infected by a virus; such a program is a "joke." A joke is completely harmless; however, it causes confusion and might cause people to stop using the computer, and should therefore be removed.

[Name of file] is Trojan named [name of Trojan].
The file is a Trojan Horse. A Trojan Horse is a program that pretends to be a harmless program (like a game) but is designed to do something harmful like erasing a disk. Some Trojan Horses also install viruses on your system. Do not execute the program, but delete it instead.

[Name of file] damaged by [name of virus].
Unlike an infected file, which carries the virus itself, a damaged file has only been damaged by the virus.

[Name of file] dropper of [name of virus].
A "dropper" is a program that has not been infected itself, but which does contain a boot sector virus and is able to install it into your boot sector.

[Name of file] garbage: (not a virus) [name of garbage].
A "garbage" program is a file that does not work because it is badly damaged or may have been overwritten with "garbage." Some virus collections (i.e.
a CD-ROM based virus collection) contain "garbage-like" program code that was designed specifically to trigger virus detection programs (and fool them), which is exactly why ThunderBYTE identifies them as "garbage."

It is also possible for TbScan to encounter a file that appears infected by a virus, although it could not find a signature. In this case TbScan displays the prefix "Probably" before the message.

If TbScan finds a file to be suspicious and displays a virus alert window, you can avoid future false alarms by pressing V (Validate program). Note that this works only if there is an ANTI-VIR.DAT record of the file available. Once TbScan validates a program, the program is no longer subject to heuristic analysis, unless the program changes and no longer matches the ANTI-VIR.DAT record. This will be the case if such a file becomes infected at a later time. In such a case, TbScan still reports infections on these files.

NOTE: Be aware that a validated program is still subject to the conventional signature scanning.

If you specify the HEURISTIC or the HIGH HEURISTIC SENSITIVITY option, it is likely that TbScan will find some files that look like a virus. In this case, TbScan uses the prefix "Might be" to inform you about it. So, if TbScan displays:

[Name of file] Probably infected by an unknown virus

or:

[Name of file] Might be infected by an unknown virus

it does not necessarily mean that the file is infected. There are a lot of files that look like a virus but are not. It is extremely important to understand that false alarms are part of the nature of heuristic scanning. In its default mode, it is very unlikely that TbScan will issue a false alarm. If you specify the HEURISTIC option, however, some false alarms might occur.

How should you deal with false alarms? If TbScan thinks it has found a virus, it tells you the reason for this suspicion.
In most cases you will be able to evaluate these reasons when you consider the purpose of the suspected file.

NOTE: Viruses infect other programs. It is, therefore, unlikely that you will find only a few infected files on a hard disk you use frequently. You should ignore the result of a heuristic scan if only a few programs on your hard disk trigger it. If, on the other hand, your system behaves "strangely" and several programs trigger the TbScan alarm with the same serious flags, your system could very well be infected by a (yet unknown) virus.

3.2.5 Understanding Heuristic Flags

Heuristic flags consist of single characters that appear behind the name of the file that was just scanned. There are two kinds of flags: the informative ones, which appear in lower-case characters, and the more serious flags, which appear in upper-case characters. The lower-case flags indicate special characteristics of the file being scanned, whereas the upper-case warnings might indicate a virus. If the loglevel is 3 or above, the important warnings not only appear as a warning character, but TbScan also adds a description to the log file.

How should you treat the flags? You can consider the less important lower-case flags to be informational only; they provide file information you might find interesting. The more serious upper-case warning flags MIGHT (we repeat, MIGHT) indicate a virus. It is quite normal to have some files in your system that trigger an upper-case flag.

NOTE: Appendix B lists the heuristic flag descriptions.

3.3 Using TbDriver

TbDriver is a small memory-resident (TSR) program that you must load before any of the other TBAV memory-resident utilities. This brief section explains the use of TbDriver.
3.3.1 Understanding TbDriver

By itself, TbDriver does not provide much protection against viruses; rather, its purpose is to enable the memory-resident ThunderBYTE Anti-Virus utilities, such as TbScanX, TbCheck, TbMem, TbFile, and TbDisk, to perform properly. It is the source of some of the routines these utilities have in common, including: support for the pop-up window routines, the translation unit that makes it possible to display messages in your native language, and support for networks. Additionally, TbDriver also contains basic protection against "stealth" viruses and against "ANSI bombs."

NOTE: See the NOFILTER option below for an explanation of an ANSI bomb.

3.3.2 Working with TbDriver

You must load TbDriver before loading any of the other memory-resident TBAV utilities. If you ran the TBAV Install program, TbDriver is already set up to load automatically when you boot. Your AUTOEXEC.BAT file calls the TBSTART.BAT file, which in turn loads TbDriver.

If you prefer, you can load TbDriver directly from the command line or from an individual line in AUTOEXEC.BAT by using this command:

<PATH>TBDRIVER

If TbDriver resides in the TBAV directory on drive C:, for example, you could enter C:\TBAV\TBDRIVER.

An even more secure way to load TbDriver, and the other TBAV memory-resident utilities (which we'll examine in more detail in the Using TbScanX section later in this chapter), is to load it via the CONFIG.SYS file. After removing the call to TBSTART.BAT in AUTOEXEC.BAT, you could put the following command in CONFIG.SYS:

DEVICE=<PATH>TBDRIVER.EXE

If TbDriver resides in the TBAV directory on drive C:, for example, you could enter DEVICE=C:\TBAV\TBDRIVER.EXE.

TIP: If you want protection against ANSI-bombs, you should load TbDriver AFTER the ANSI.SYS driver.
Also, if you install TbDriver on a machine that boots from a boot ROM, specify the message file with the drive and path where it resides AFTER the machine boots. The default message file will no longer be accessible after the machine boots.

3.3.3 Maximizing TbDriver

This section describes how to use TbDriver's options to maximize its performance and how to get foreign language support for the TBAV utilities.

When you run TbDriver from the DOS command line, it recognizes command line options (often called "switches" in DOS terms). These options appear as "key-words" or "key-letters." The words are easier to memorize, so we will use these in this manual for convenience.

TbDriver enables you to specify loading options on the command line. It treats a filename specification as a language file specification (see the following "Getting Language Support" section). The first three options in the following table are always available. The other options are available only if TbDriver is not already memory resident.

The command-line syntax is as follows:

TBDRIVER [<PATH>][<FILENAME>]... [<OPTIONS>]...

TbDriver recognizes the following options:

option parameter    short  explanation
------------------  -----  -----------------------------------------------
help                ?      help
net                 n      force LAN support
remove              r      remove TbDriver from memory
mode=<m|c>          m      override video mode (mono|color)
freeze              j      freeze the machine after an alert
lcd                 l      enhance output on LCD screens
noavok=<drives>     o      assume permission for specified drives when
                           ANTI-VIR.DAT record is missing
quiet               q      do not display activity
secure              s      do not allow permission updates
notunnel            t      do not detect tunneling
nofilter            f      do not filter dangerous ANSI codes
nostack             ns     do not install a stack

The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option.
TIP: Remember that you can display these options from the command line by entering TBDRIVER ?.

help (?). If you specify this option, TbDriver shows you the valid command line options as listed above.

net (n). TbDriver cooperates well with most networks. In normal situations you will not need the NET option at all. You should use it only if both of the following conditions are true at the same time:

1. You make a connection to a Novell network and load TBDRIVER.EXE before using the logon command.

2. There is no valid ANTI-VIR.DAT record in the directory where the NET?.COM program resides, or after renaming the NET?.COM file.

remove (r). This option disables TbDriver and attempts to remove the resident part of its code from memory and return this memory space to the system. Unfortunately, this works only if you loaded TbDriver last. An attempt to remove a TSR after you load another TSR leaves a useless gap in memory and could disrupt the interrupt chain. TbDriver checks whether it is safe to remove its resident code; if not, it simply disables itself.

mode (m). On dual video systems TbDriver uses the currently active screen. It can be forced to use the alternate screen with the MODE=M option for monochrome or the MODE=C option for color systems.

lcd (l). This option enhances the output on LCD screens.

freeze (j). This option freezes the computer when there is a virus alert.

noavok (o). We don't recommend this option for normal use. You might need it to grant permission automatically for programs without an ANTI-VIR.DAT record. The option requires a parameter specifying the drives to which the default permission applies. If, for example, you do not want TbMem to display a message when a TSR without an ANTI-VIR.DAT record executes from drive E: or F:, you could specify NOAVOK=EF on the TbDriver command line. Additionally, if you want to exclude network drives as well, you should use an asterisk (*).
For example, if you want to grant permission for all files without ANTI-VIR.DAT records on drive A:, your RAM disk F: and your remote network drives, specify NOAVOK=AF*.

quiet (q). Some resident TBAV utilities display an activity status. TbScanX, for instance, displays a rectangle with the word "Scanning" in the upper left corner of your screen while scanning a file. The QUIET option disables this message.

secure (s). Some ThunderBYTE utilities can store permission flags in the ANTI-VIR.DAT files. You can use this option if you don't want these flags changed. It has no effect on flags already set, so you can use the option after installing new programs or packages.

notunnel (t). "Tunneling" is a technique viruses apply to determine the location of the DOS system code in memory, and to use that address to communicate with DOS directly. This renders all TSR programs ineffective, including resident anti-virus software. TbDriver is able to detect these tunneling attempts, and informs you about them. Some other anti-virus products also rely on tunneling techniques to bypass resident viruses, thereby causing false alarms. If you are currently running other anti-viral products, the NOTUNNEL option disables TbDriver's tunneling detection.

nofilter (f). The original ANSI driver has a feature to assign text strings to keys. Years ago people used this feature, for example, to assign the DIR /W command to the F10 key. Such reprogramming can be done simply by embedding ANSI codes in batch files. Almost no one uses this feature nowadays. Some misguided people, however, use this feature, for example, to make a text file that reprograms the Enter key to execute the DEL *.* command or something even worse. Such a file is an "ANSI-bomb." TbDriver protects you against ANSI-bombs by filtering out the keyboard reprogramming codes. All other ANSI codes pass without interference.
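As an added illustration of the filtering described for TbDriver (example code written for this manual page, not ThunderBYTE's code), the following Python function strips ANSI.SYS keyboard-reassignment sequences, which are the ANSI codes whose final byte is 'p', from a byte stream while letting every other ANSI code through. The constructed sample uses the standard ANSI.SYS key codes 13 (Enter) and 0;68 (F10); the function name and the 'whole buffer' behaviour are assumptions of this example.

```python
"""Strip ANSI.SYS keyboard-reassignment sequences from a byte stream.

ANSI.SYS reprograms a key with  ESC [ <key>; "<text>"; <code> ... p  -- a CSI
sequence whose final byte is 'p'.  Everything else (colours, cursor moves,
clear screen) is left untouched, which is the behaviour described for
TbDriver's default filter.  Added example, not TBAV code.
"""
from typing import Tuple

ESC = 0x1B
CSI_START = ord("[")
QUOTE = ord('"')
REASSIGN_FINAL = ord("p")


def filter_ansi_bombs(data: bytes) -> Tuple[bytes, int]:
    """Return (filtered_data, number_of_sequences_removed).

    Operates on a complete buffer: a truncated trailing sequence is passed
    through unchanged, because without its final byte it cannot reprogram
    anything.
    """
    out = bytearray()
    removed = 0
    i, n = 0, len(data)
    while i < n:
        if data[i] != ESC or i + 1 >= n or data[i + 1] != CSI_START:
            out.append(data[i])            # ordinary byte, copy through
            i += 1
            continue
        # Parse one CSI sequence: parameter bytes 0x20..0x3F, optionally
        # containing "quoted strings" (an ANSI.SYS extension), then a final
        # byte in 0x40..0x7E.
        j = i + 2
        in_quote = False
        final = None
        while j < n:
            b = data[j]
            if in_quote:
                in_quote = b != QUOTE      # a second quote closes the string
            elif b == QUOTE:
                in_quote = True
            elif 0x40 <= b <= 0x7E:
                final = b
                break
            elif not 0x20 <= b <= 0x3F:
                break                      # malformed: not a CSI byte
            j += 1
        if final is None:
            # Malformed or truncated: emit the ESC and keep scanning so the
            # following bytes are treated as ordinary text.
            out.append(ESC)
            i += 1
            continue
        if final == REASSIGN_FINAL:
            removed += 1                   # drop the key-reassignment sequence
        else:
            out += data[i:j + 1]           # any other ANSI code passes
        i = j + 1
    return bytes(out), removed


# Constructed sample: colour codes, an Enter-key "bomb" as described in the
# manual, a legacy F10 macro and a clear-screen code.  Only the two 'p'
# sequences should disappear.
SAMPLE = (
    b'\x1b[1;31mWARNING\x1b[0m\r\n'
    b'\x1b[13;"DEL *.*";13p'       # Enter -> DEL *.* + Enter (ANSI bomb)
    b'\x1b[0;68;"DIR /W";13p'      # F10   -> DIR /W  + Enter (old, benign use)
    b'plain text\x1b[2J'
)


def demo() -> Tuple[bytes, int]:
    """Run the filter over the constructed sample."""
    return filter_ansi_bombs(SAMPLE)


if __name__ == "__main__":
    cleaned, count = demo()
    print(f"removed {count} key-reassignment sequence(s)")
    print(cleaned)
```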
If you don't want this protection, or if you want to use this obsolete ANSI feature, you can use the NOFILTER option.

nostack (ns). By default, TbDriver maintains a stack for the resident TBAV utilities. For most systems, however, this isn't necessary. If you use this option, TbDriver uses the application stack, saving a few hundred bytes of memory. If the system hangs or becomes unstable, however, discontinue use of this option.

Getting Language Support

You can use the optional filename specification to direct TbDriver to the location of the language file you want to use. TbDriver retrieves pop-up window messages from a TBDRIVER.LNG file, which it expects to find in its own home directory. The default English language file is TBDRIVER.LNG, which you can replace with a file in your local language. You can order separate language support packages from your local ThunderBYTE dealer, or download the language file from a ThunderBYTE support BBS. See the Maintaining the System section in Chapter 1 for more information about the ThunderBYTE support BBS.

To load a language file, either rename it to the default (TBDRIVER.LNG), or specify the full path and filename following the command. You can also switch to another language by calling TbDriver again with a different message file. This will not take up any extra memory.

3.4 Using TbScanX

TbScanX is virtually identical to TbScan, with one important difference: TbScanX is memory-resident. This section describes TbScanX in detail.

3.4.1 Understanding TbScanX

To implement real-time or on-the-fly virus protection, the TBAV for DOS utilities include the TbScanX program, a memory-resident (TSR) program that tracks all file operations. If you copy an infected file from a diskette to your hard disk, for example, TbScanX recognizes the virus hidden in the file and informs you about it, BEFORE the virus becomes active.
Why use TbScanX? Let's assume you have a virus scanner that automatically runs from your AUTOEXEC.BAT file. If it doesn't find any viruses, your system should be uninfected. Right? Not necessarily. To be sure that no virus infects your system, you need to execute the scanner every time you copy a file to your hard disk, after downloading a file from a bulletin board system, or after unarchiving an archive such as a ZIP file. Now be honest, do YOU invoke your scanner every time you introduce a new file into the system? If you don't, you take the risk that within a couple of hours all files will become infected by a virus.

Once you load TbScanX, it remains resident in memory and automatically scans all files you execute and all executable files you copy, create, download, modify, or unarchive. It uses the same approach to protect against boot sector viruses; every time you put a diskette into a drive, TbScanX scans the boot sector. If the disk is contaminated with a boot sector virus, TbScanX warns you in time!

NOTE: TbScanX is fully network compatible. It does not require you to reload the scanner after logging onto the network.

3.4.2 Working with TbScanX

Since TbScanX is memory resident, you can execute and configure the program from the command line or from within a batch file. It is important to load TbScanX as early as possible after the machine boots. We therefore recommend that you execute TbScanX from within the CONFIG.SYS file.

CAUTION: TbScanX requires that you load TbDriver first! See the previous section on "Using TbDriver" for details.

There are three possible ways to load TbScanX:

1. From the DOS prompt or within the AUTOEXEC.BAT file:

   <PATH>TBSCANX

2. From the CONFIG.SYS file as a TSR (DOS 4 and above):

   INSTALL=<PATH>TBSCANX.EXE

   The INSTALL= CONFIG.SYS command is NOT available in DOS 3.xx.

3. From the CONFIG.SYS file as a device driver:

   DEVICE=<PATH>TBSCANX.EXE

NOTE: Using TbScanX as a device driver does not work in all OEM versions of DOS. If it does not work, use the INSTALL= command or load TbScanX from within the AUTOEXEC.BAT. TbScanX should always work correctly if you run it from AUTOEXEC.BAT.

Unlike other anti-virus products, you can load the ThunderBYTE Anti-Virus Utilities before starting a network without losing the protection afterwards.

In addition to the three loading possibilities, you can also load TbScanX into an available UMB (upper memory block) if you are using DOS version 5 or higher. To accomplish this from AUTOEXEC.BAT, use the following command:

LOADHIGH <PATH>TBSCANX

Alternately, to accomplish this from CONFIG.SYS, use the following command:

DEVICEHIGH=<PATH>TBSCANX.EXE

If you are using Microsoft Windows, you should load TbScanX BEFORE starting Windows. When you do this, there is only one copy of TbScanX in memory regardless of how many DOS windows you might open. Every DOS window (that is, every "virtual machine") has a fully functional copy of TbScanX running in it. TbScanX automatically detects if Windows is running, and switches itself into multitasking mode if necessary. You can even disable TbScanX in one window without affecting the functionality in another window.

NOTE: TBAV for Windows includes a full-featured resident scanner. Please refer to the TBAV for Windows documentation for more information.

3.4.3 Maximizing TbScanX

When you run TbScanX from the DOS command line, it recognizes command line options (often called "switches" in DOS terms). These options appear as "key-words" or "key-letters." The words are easier to memorize, so we will use these in this manual for convenience.

You can maximize TbScanX's performance by using one or more command line options. The first four options in the following table are always available.
The other options are available only if TbScanX is not already resident in memory.

option parameter    short  explanation
------------------  -----  ----------------------------------------
help                ?      display on-line help
off                 d      disable scanning
on                  e      enable scanning
remove              r      remove TbScanX from memory
noexec              n      never scan at execute
allexec[=<drives>]  a      always scan at execute
noboot              b      do not scan boot sectors
wild                w      only search viruses which appear "in the wild"
ems                 me     use expanded memory (EMS)
xms                 mx     use extended memory (XMS)
secure              s      deny all suspicious operations
lock                l      lock PC when a virus is detected
api                 i      load TbScanX's Application Program Interface
compat              c      increase compatibility

The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option.

TIP: Remember that you can display these options from the command line by entering TBSCANX ?.

help (?). This option displays the command line options as shown above. Once you load TbScanX, however, this option does not display all the options.

off (d). This option disables TbScanX, but leaves it in memory.

on (e). This option re-enables TbScanX after you disable it with the OFF option.

remove (r). This option disables TbScanX and attempts to remove the resident part of its code from memory and return this memory space to the system. Unfortunately, this works only if you loaded TbScanX last. An attempt to remove a TSR after you load another TSR leaves a useless gap in memory and could disrupt the interrupt chain. TbScanX checks whether it is safe to remove its resident code; if not, it simply disables itself.

noexec (n). TbScanX normally scans files located on removable media just before they execute. You can use this option to disable this feature completely.

allexec (a). TbScanX normally scans executable files only if they reside on removable media.
It "trusts" files on the hard disk, since these files must have been copied or downloaded before, and since by this time TbScanX has already scanned them automatically. If you want to scan every file before it executes, however, regardless of whether it is on the hard disk or removable media, you should use this option. It is possible to explicitly specify the drives from which you want executed files to be scanned. For example, if you specify the option ALLEXEC=DF, then TbScanX will only scan files being executed that reside on either drive D: or drive F:.

noboot (b). TbScanX automatically monitors the disk system. Every time DOS reads the boot sector, TbScanX scans the disk for boot sector viruses. If you change a disk, DOS first reads the boot sector; otherwise it does not know what kind of disk is in the drive. As soon as DOS reads the boot sector, TbScanX checks it for viruses. If you don't like this feature, or if it causes problems, you can switch it off using the NOBOOT option.

wild (w). TbScanX can distinguish viruses that do not appear "in the wild" from frequently appearing viruses. In order to reduce the memory requirements of TbScanX, you can specify the WILD option, which makes TbScanX load and use only the signatures of viruses that frequently appear "in the wild." This option is disabled by default.

ems (me). If you specify this option, TbScanX uses expanded memory (such as that provided by LIM/EMS expansion boards or 80386 memory managers) to store the signatures and part of its program code. Since conventional memory is more valuable to your programs than expanded memory, we recommend the use of EMS memory. TbScanX can use up to 64Kb of EMS memory. (Refer to the XMS option also.)

xms (mx). If you specify this option, TbScanX uses extended memory to store the signatures and part of its program code. An XMS driver (such as DOS's HIMEM.SYS) must be installed to be able to use this option.
XMS memory is not directly accessible from within DOS, so every time TbScanX has to scan data it has to copy the signatures to conventional memory. To be able to save the original memory contents, TbScanX needs double the amount of XMS memory. Swapping to XMS is slower than swapping to EMS memory, so if you have EMS memory available, we recommend swapping to EMS. Swapping to XMS might conflict with some other software, so if you experience problems, try using TbScanX without the XMS option.

secure (s). TbScanX normally asks you to continue or to cancel when it detects a virus. In some business environments, however, employees should not make this choice. By using the SECURE option, you can disallow suspicious operations.

NOTE: This option also disables the OFF and REMOVE options.

lock (l). If you are a system operator, you can use this option to instruct TbScanX to lock the system when it detects a virus.

api (i). This option is for advanced users only. It enables TbScanX's Application Program Interface (API), which is necessary if you want to call TbScanX from within your application. Consult the ADDENDUM.DOC file for detailed programming information.

compat (c). In most systems TbScanX performs trouble-free. Another TSR program, however, might conflict with TbScanX. If you load the other TSR first, TbScanX normally detects the conflict and uses an alternate interrupt. If, on the other hand, you load the other TSR after TbScanX, and it aborts with a message telling you that it is already loaded, you can use the COMPAT switch of TbScanX (when installing it in memory). It is also possible for TbScanX to conflict with other resident software that is using EMS or XMS. In this case, the system will hang. Again, the COMPAT option solves this problem, but be aware that due to extensive memory swapping, TbScanX's performance will slow down.

TIP: If you are using DOS version 5 or above and have extended memory (XMS) on your system, you can use EMM386.SYS to treat a portion of extended memory as expanded memory (EMS). See your DOS manual for details.

Here is one example of loading TbScanX:

DEVICE=C:\TBAV\TBSCANX.EXE XMS NOBOOT

In this example, the memory resident portion of TbScanX loads into extended memory (XMS) and will not scan boot sectors for viruses.

3.4.4 Understanding the Scanning Process

This section adds to your knowledge of TbScanX by explaining a little more about the scanning process.

Whenever a program tries to write to an executable file (files with the extensions .COM and .EXE), you will briefly see the text "*Scanning*" in the upper left corner of your screen. As long as TbScanX is scanning, this text appears. Since TbScanX takes very little time to scan a file, the message appears very briefly. The text "*Scanning*" also appears if you execute a program directly from a diskette, and if DOS accesses the boot sector of a diskette drive.

If TbScanX detects a suspicious signature that is about to be written into a file, a window appears similar to the one displayed below:

+---------TBAV interception----------+
| WARNING!                           |
| TbScanX detected that COMMAND.COM  |
| is infected with                   |
| Yankee_Doodle {1}                  |
| Abort? (Y/N)                       |
+------------------------------------+

Whenever this message appears, you should press N to continue, or any other key to abort.

If TbScanX detects a suspicious signature in a boot sector, it displays a message like the following:

+------------TBAV interception------------+
| WARNING!                                |
| TbScanX detected that the bootsector    |
| of disk in drive A: is infected with    |
| Form                                    |
| Do NOT attempt to boot with that disk!  |
+-----------------------------------------+

Although a virus seems to be in the boot sector of the specified drive, the virus cannot do anything since it has not yet executed.
If you reboot the machine with the contaminated diskette in the drive, however, the virus copies itself into memory and onto your hard disk.

NOTE: To display the name of a virus, TbScanX needs access to the virus signature file (TBSCAN.SIG). If for any reason TbScanX cannot access this file, it still detects viruses, but no longer displays the name of the virus. It displays "[Name unknown]" instead.

3.5 Using TbCheck

This section describes another one of TBAV's memory resident (TSR) utilities, TbCheck.

3.5.1 Understanding TbCheck

TbCheck is a memory-resident integrity checker that comes into action whenever the system is about to execute a file. It uses the ANTI-VIR.DAT records TbSetup generates to detect file changes, which are often the first sign of a virus infection. These records contain information, such as file sizes and checksums, about every executable file in a directory. By comparing this information with the actual file status, it is possible to detect any changes automatically, including infections caused by viruses.

Assume your AUTOEXEC.BAT file automatically loads a conventional integrity checker. If no files appear changed, your system should be uninfected, but to be sure that no virus can infect your system, you have to execute the checker frequently. In contrast, once you load TbCheck, it remains resident in memory, and automatically checks all programs you try to execute.

NOTE: TbCheck is fully network compatible. It does not require you to reload the checker after you have logged onto the network.

3.5.2 Working with TbCheck

Since TbCheck is a memory resident program, you can execute and configure it from the DOS command line or from within a batch file. You should, however, load TbCheck automatically when the computer boots, preferably during the execution of AUTOEXEC.BAT, or better yet, CONFIG.SYS.

CAUTION: Be sure to load TbDriver before trying to load TbCheck.
TbCheck will refuse to load without it.

There are three possible ways to start TbCheck:

1. From the DOS prompt or within the AUTOEXEC.BAT file:

   <PATH>TBCHECK

2. From CONFIG.SYS as a TSR (DOS 4 or above):

   INSTALL=<PATH>TBCHECK.EXE

   The INSTALL= CONFIG.SYS command is NOT available in DOS 3.xx.

3. From CONFIG.SYS as a device driver:

   DEVICE=<PATH>TBCHECK.EXE

NOTE: Executing TbCheck as a device driver does not work in all OEM versions of DOS. If it doesn't work, use the INSTALL= command or load TbCheck from AUTOEXEC.BAT. TbCheck should always work correctly if you load it from AUTOEXEC.BAT.

Also, unlike other anti-virus products, you can load the ThunderBYTE Anti-Virus utilities before starting a network without losing the protection after the network is started.

In addition to the three loading possibilities, if you are using DOS version 5 or above, you can load TbCheck into an available UMB (upper memory block) from AUTOEXEC.BAT using this command:

LOADHIGH <PATH>TBCHECK

You can also load TbCheck into high memory from within CONFIG.SYS using this command:

DEVICEHIGH=<PATH>TBCHECK.EXE

If you are using Microsoft Windows, you should load TbCheck BEFORE starting Windows. When you do this, there is only one copy of TbCheck in memory regardless of how many DOS windows you might open. Every DOS window (that is, every "virtual machine") has a fully functional copy of TbCheck running in it. TbCheck automatically detects if Windows is running, and switches itself into multi-tasking mode if necessary. You can even disable TbCheck in one window without affecting the functionality in another window.

NOTE: TBAV for Windows comes with a full-fledged Windows-based version of TbCheck. Please refer to the documentation of TBAV for Windows for more information.
3.5.3 Maximizing TbCheck

When you run TbCheck from the DOS command line, it recognizes command line options (often called "switches" in DOS terms). These options appear as "key-words" or "key-letters." The words are easier to memorize, so we will use these in this manual for convenience.

You can maximize TbCheck's performance by using its various options. The first four options in the following table are always available. The other options are available only if TbCheck is not yet memory resident.

option parameter    short  explanation
------------------  -----  ----------------------------------------
help                ?      display on-line help
remove              r      remove TbCheck from memory
off                 d      disable checking
on                  e      enable checking
noavok[=<drives>]   o      do not warn for missing ANTI-VIR.DAT record
fullcrc             f      calculate full CRC (slow!)
secure              s      do not execute unauthorized files

The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option.

TIP: Remember that you can display these options from the command line by entering TBCHECK ?.

help (?). Specifying this option displays the above options list.

remove (r). This option disables TbCheck and attempts to remove the resident part of its code from memory and return this memory space to the system. Unfortunately, this works only if you loaded TbCheck last. An attempt to remove a TSR after you load another TSR leaves a useless gap in memory and could disrupt the interrupt chain. TbCheck checks whether it is safe to remove its resident code; if not, it simply disables itself.

off (d). This option disables TbCheck, but leaves it in memory.

on (e). This re-enables TbCheck after it has been disabled with the OFF option.

noavok (o). TbCheck looks in the ANTI-VIR.DAT file for checksum information on the file you want to check.
TbCheck displays a message if it finds no checksum information or if the specific checksum is incorrect. This ensures that you will receive a warning whenever a malicious program deletes the ANTI-VIR.DAT file. Although we recommend that you maintain ANTI-VIR.DAT files on all drives, this might not always be practical with floppy disks, RAM disks, or CD-ROM disks. This option, therefore, tells TbCheck not to look for an ANTI-VIR.DAT on specific drives. For example, if you don't want TbCheck to alert you about the absence of an ANTI-VIR.DAT record on floppy disks A: and B: or on your RAM disk E:, you should load TbCheck using the following command line:

<PATH>TBCHECK NOAVOK=ABE

If you don't want a message when an ANTI-VIR.DAT record is missing on network drives, you should specify an asterisk (*) instead of a drive letter. If you don't specify a drive to the NOAVOK option, TbCheck never issues a warning if an ANTI-VIR.DAT record is missing on any drive.

CAUTION: This presents a security hole for viruses: if a virus deletes the ANTI-VIR.DAT file, you will not be able to detect the file changes caused by the infection. Also, please note that the NOAVOK option does not prevent the detection of infected programs if the ANTI-VIR.DAT record is available. If a program has changed and the ANTI-VIR.DAT record is available, you will still get an alarm regardless of how you use the NOAVOK option.

fullcrc (f). By default, TbCheck verifies only the part of the file near the program's entry point. If a virus infects the file, this area will definitely change, so this is perfectly adequate to detect all infections. Other file changes, notably configuration variations, will not trigger the alarm. If, however, you should ever desire a full check that detects ANY file change, this option takes care of it. Be aware that this option slows down the system considerably, so we don't recommend its use in normal circumstances.
secure (s). TbCheck normally asks whether you want to continue or cancel when a file has been changed or when there is no checksum information available. In a business environment it may be unwise to leave such decisions to employees. The SECURE option makes it impossible to execute new or unknown programs, or programs that have been changed.

NOTE: Be aware that the SECURE option also disables the OFF and REMOVE options.

3.5.4 Understanding the Scanning Process

This section adds to your knowledge of TbCheck by explaining a little more about the scanning process.

Whenever a program wants to execute, TbCheck steps in to see if it really has the authority to do so. During that time it displays the message "*Checking*" in the upper left hand corner of the screen. TbCheck operates at lightning speed, so the message appears only momentarily.

TbCheck quickly checks a program when the program loads. If TbCheck detects that a file has changed, a notification message appears. At this point, you can choose either to continue, or to abort the program's execution. If there is no information in the ANTI-VIR.DAT file about the program, TbCheck also informs you of this. You can choose either to continue without checking, or to abort the program's execution.

TIP: You can prevent users from executing unauthorized software by using the SECURE option.

3.5.5 Testing TbCheck

Understandably, many users wish to test the product they are using. In contrast to a word processor, for example, it is very difficult to test a smart integrity checker like TbCheck. You cannot change a random 25 bytes of an executable file just to find out whether TbCheck detects the file change. On the contrary, it is very likely that TbCheck will NOT detect it, because the program checks only the entry area of the file, whereas the changed bytes might reside in another location within the file.
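The entry-area check versus FULLCRC, the NOAVOK drive list and the SECURE policy described in this section, as an added Python model written for this manual page (not TbCheck's code and not the real ANTI-VIR.DAT format). The 64-byte entry window, the use of CRC-32, the record layout, the function names and the tiny constructed .COM image are all assumptions of this example.

```python
"""Toy model of a TbCheck-style integrity check.  Added example, not TBAV code.

A record holds what the manual says ANTI-VIR.DAT stores: file size and
checksums.  The default check covers only a window at the program's entry
point; FULLCRC covers the whole file.  Window size (64 bytes), CRC-32 and the
record layout are assumptions made for this example.
"""
import zlib
from dataclasses import dataclass
from typing import Optional, Set

ENTRY_WINDOW = 64      # assumed size of the "entry area" checked by default


@dataclass(frozen=True)
class Record:
    size: int
    entry_crc: int     # CRC-32 of the first ENTRY_WINDOW bytes
    full_crc: int      # CRC-32 of the whole file (only used with fullcrc)


def make_record(image: bytes) -> Record:
    """What a TbSetup-like tool would store for a clean program."""
    return Record(len(image), zlib.crc32(image[:ENTRY_WINDOW]), zlib.crc32(image))


def check(image: bytes, record: Optional[Record], fullcrc: bool = False) -> str:
    """Return 'ok', 'changed' or 'no-record' for one program image."""
    if record is None:
        return "no-record"
    if len(image) != record.size or zlib.crc32(image[:ENTRY_WINDOW]) != record.entry_crc:
        return "changed"                     # size or entry area differs
    if fullcrc and zlib.crc32(image) != record.full_crc:
        return "changed"                     # only FULLCRC sees mid-file edits
    return "ok"


def decide(result: str, drive: str, noavok: Optional[Set[str]] = None,
           secure: bool = False) -> str:
    """Map a check result to 'run', 'prompt' or 'block', following the manual.

    noavok: None = option absent; a set of drive letters ('*' = network
    drives) silences only the missing-record case on those drives; an empty
    set models NOAVOK given without drives, i.e. every drive.  SECURE turns
    every prompt into a refusal.  A changed file is never excused by NOAVOK.
    """
    if result == "ok":
        return "run"
    if result == "no-record" and noavok is not None and (not noavok or drive in noavok):
        return "run"
    return "block" if secure else "prompt"


def sample_com() -> bytes:
    """Constructed stand-in for a tiny .COM program: MOV AX,4C00h / INT 21h
    (DOS exit) followed by filler bytes playing the role of code and data."""
    return bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21]) + bytes(range(256)) * 4


def edit_middle(image: bytes, offset: int = 300, length: int = 25) -> bytes:
    """The 'change a random 25 bytes' experiment from 3.5.5: same size, entry
    area untouched."""
    return image[:offset] + b"\xFF" * length + image[offset + length:]


def model_appender(image: bytes) -> bytes:
    """Model of the classic .COM infection the manual alludes to: code appended
    at the end and the first three bytes replaced by a JMP to it.  The appended
    bytes are NOPs, a constructed placeholder, not a virus."""
    rel = len(image) - 3                     # JMP rel16 is relative to the next instruction
    return b"\xE9" + rel.to_bytes(2, "little") + image[3:] + b"\x90" * 40


DEMO_IMAGE = sample_com()
DEMO_RECORD = make_record(DEMO_IMAGE)


if __name__ == "__main__":
    for label, img in (("clean", DEMO_IMAGE), ("25-byte edit", edit_middle(DEMO_IMAGE)),
                       ("entry patched", model_appender(DEMO_IMAGE))):
        print(f"{label:14s} default={check(img, DEMO_RECORD):8s} "
              f"fullcrc={check(img, DEMO_RECORD, fullcrc=True)}")
    print("missing record on A: with NOAVOK=ABE ->",
          decide(check(DEMO_IMAGE, None), "A", {"A", "B", "E"}))
```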
But again, if a virus infects the file, this entry area will definitely change, so this is perfectly adequate to detect all infections.

3.6 Using TbClean

In case a virus infects one or more files, and you wish to remove the virus from those files (for example, in case you do not have a clean backup of the files), you can use TbClean. TbClean is the program that can remove viruses from infected files, even without knowing the virus itself. This section explores TbClean.

3.6.1 Understanding TbClean

TbClean isolates viral code in an infected program and removes it. It is then safe to use the program again, since TbClean securely eliminates the risk of other files becoming infected or damaged.

Understanding the Repair Cleaner

TbClean works differently from conventional virus cleaners because it does not actually recognize any specific virus. TbClean's disinfection scheme is unique, employing ThunderBYTE's heuristic ("learn as you go") technology so that it works with almost any virus. Actually, the TbClean program contains two cleaners: a "repair" cleaner, and a "heuristic" cleaner.

The repair cleaner needs an ANTI-VIR.DAT file generated by the TbSetup program before the infection occurred. This ANTI-VIR.DAT file contains essential information such as the original file size, the bytes at the beginning of the program, a cryptographic checksum to verify the results, etc. This information enables TbClean to disinfect almost every file, regardless of the specific virus that has infected it, even if it is unknown.

Understanding the Heuristic Cleaner

In the heuristic cleaning mode TbClean does not need any information about viruses either, but it has the added advantage that it does not even care about the original, uninfected state of a program. This cleaning mode is very effective if your system becomes infected with an unknown virus and you neglected to let TbSetup generate the ANTI-VIR.DAT files in time.
In the heuristic mode, TbClean loads the infected file and starts emulating the program code to find out which part of the file belongs to the original program and which belongs to the virus. The result is successful if TbClean restores the functionality of the original program, and reduces the functionality of the virus to zero.

NOTE: This does not imply that the cleaned file is 100% equal to the original. Please read on.

When TbClean uses heuristic cleaning to disinfect a program, the file most likely will not be exactly the same as in its original state. This does not imply a failure on TbClean's part, nor does it mean the file is still infected in some way. It is actually normal that the heuristically cleaned file is still larger than the original. This is normal because TbClean tries to be on the safe side and avoids removing too much. The bytes left at the end of the file are dead code, that is, instructions that will never execute again since TbClean removes the jump at the beginning of the program.

If the cleaned file is an EXE type file, it is likely that some bytes in front of the program (the EXE-header) are different. There are several suitable solutions for reconstructing the EXE-header, so TbClean cannot, of course, know the original state of the program. The functionality of the cleaned file will nevertheless be the same.

NOTE: This applies only to heuristic cleaning. If there is a suitable ANTI-VIR.DAT record available, the cleaned program will normally be exactly the same as the original clean file.

It's also possible for a file to be infected with multiple viruses, or with multiple instances of the same virus. Some viruses keep on infecting files, and in such cases the number of infected files keeps growing. If TbClean used its heuristic cleaning mode, it is very likely that TbClean removed only one instance of the virus.
In this case, it is necessary to repeat the cleaning process until TbClean reports that it cannot remove anything else.

3.6.2 Working with the TbClean Menus

Selecting TbClean from TBAV's Main Menu displays the following menu:

    +-----Main menu-----+
    | Confi+------TbClean men-------+
    | TbSca| Start cleaning         |
    | TbSet| List file name         |
    | TbUti| Use TBAV. INI file     |
    | TbCLe| Prompt for pause       |
    | Virus|v Use Anti-Vir.Dat      |
    | TBAV |v Use Heuristics        |
    | Docum|v Expanded memory       |
    | Regis| Display program loops  |
    | About| Make list file         |
    | Quit +------------------------+
    | eXit (no save)    |
    +-------------------+

We'll now explore these menu options.

The "Start Cleaning" Option

After tracking one or more viruses, all you should do is select the Start cleaning option. After specifying the relevant filename, TbClean goes into action. Before beginning, however, you can select various parameters. We will explore these in the following sections.

The "List File Name" Option

By selecting this option you can specify a filename to use as a list file (see also the Make list file option below).

The "Use TBAV.INI File" Option

If you enable this option, the TbClean configuration values, saved in the TBAV.INI file, will also be valid if you run TbClean from the DOS command line. Be careful, however, since if you specify options in the TBAV.INI file, you cannot undo them on the command line. See the "Configuring TBAV" section of Chapter 1 for details about TBAV.INI.

The "Prompt For Pause" Option

This option instructs TbClean to stop disassembling information after each full screen, enabling you to examine the results.

The "Use ANTI-VIR.DAT" Option

If you turn this option off, TbClean acts as if there were no ANTI-VIR.DAT records available and therefore performs heuristic cleaning.
The "Use Heuristics" Option

If you turn this option off, TbClean does not try to apply heuristic cleaning, even when there are no ANTI-VIR.DAT records available.

The "Expanded Memory" Option

If you select this option, TbClean detects the presence of expanded memory and uses it in heuristic mode. You might want to disable EMS usage if it is too slow or if your expanded memory manager is not very stable.

The "Show Program Loops" Option

By default TbClean keeps track of looping conditions to prevent repetitive data from appearing on your screen thousands of times. If you select this option, TbClean "works out" every loop.

CAUTION: Using this option drastically reduces TbClean's performance speed. Also, do not combine this option with the "Make list file" option, because the list file might grow too big.

The "Make List File" Option

Selecting this option instructs TbClean to generate an output file with a chronological disassembly of the virus being removed.

Maximizing TbClean

Now that you know how to use TbClean's menus, you can more easily understand the power of using it from the command line.

3.6.3 Using TbClean Command Line Options

When you run TbClean from the DOS command line, it recognizes command line options (often called "switches" in DOS terms). These options appear as "key-words" or "key-letters." The words are easier to memorize, so we will use these in this manual for convenience. You can maximize TbClean's performance by using its command line options. The following table lists these options:

    option parameter    short  explanation
    ------------------  -----  ----------------------------------
    help                he     display on-line help
    pause               pa     enable pause prompt
    mono                mo     force monochrome display output
    noav                na     do not use ANTI-VIR.DAT records
    noheur              nh     do not use heuristic cleaning
    noems               ne     do not use expanded memory
    showloop            sl     show every loop iteration (slow!)
    list[=<filename>]   li     create list file

The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option.

TIP: Remember that you can display these options from the command line by entering TBCLEAN ?.

help (he).

Specifying this option displays the above options list.

pause (pa).

This option instructs TbClean to stop disassembling information after each full screen, enabling you to examine the results. The PAUSE option is available for registered users only.

mono (mo).

This option enhances the screen output on some LCD screens or color-emulating monochrome systems.

noav (na).

If you specify this option, TbClean acts as if there were no ANTI-VIR.DAT records available and therefore performs heuristic cleaning.

noheur (nh).

If you specify this option, TbClean does not try to apply heuristic cleaning, even when there are no ANTI-VIR.DAT records available.

noems (ne).

If you specify this option, TbClean does not detect the presence of expanded memory and does not use it in heuristic mode. You might want to disable EMS use if it is too slow, or if your expanded memory manager is not very stable.

showloop (sl).

By default TbClean keeps track of looping conditions to prevent repetitive data from appearing on your screen thousands of times. If you select this option, TbClean "works out" every loop.

CAUTION: Using this option drastically reduces TbClean's performance speed. Also, do not combine this option with the "Make list file" option, because the list file might grow too big.

list [=<filename>] (li).

This option instructs TbClean to generate an output file with a chronological disassembly of the virus being removed. The LIST option is available for registered users only.

Here are two examples of using TbClean from the command line:

1. This command:

       TBCLEAN VIRUS.EXE
   instructs TbClean to make a backup of the file VIRUS.EXE using the filename VIRUS.VIR, and then disinfect VIRUS.EXE.

2. This command:

       TBCLEAN VIRUS.EXE TEST.EXE

   instructs TbClean to copy the file called VIRUS.EXE to the new filename TEST.EXE and then disinfect TEST.EXE.

3.6.4 Understanding the Cleaning Process

TbClean's cleaning process is extremely important. To better illustrate it, let's look at a sample file cleaning. Assume you want to clean a file called COMMAND.COM, which resides in the TMP directory on drive G. To do so, you would follow these steps:

1. Select the "Start cleaning" option on the TBAV menu. The following window appears:

    +-------------------------------------------------------------------+
    |                                                                   |
    |Enter name of program to clean. TbClean will create a backup first!|
    |                                                                   |
    |                                                                   |
    +-------------------------------------------------------------------+

   The ThunderBYTE utility cleans on a file-by-file approach; that is, it cleans one file, verifies the result, and continues on to the next file. This helps you keep track of which file is clean, which file is damaged and should be restored from a backup, and which file is still infected.

2. Specify the name of the file. In this case, you would type G:\TMP\COMMAND.COM and press ENTER. The following window appears:

    +-------------------------------------------------------------------+
    |                                                                   |
    | Enter name of cleaned file. Keep blank if infected program may be |
    | changed.                                                          |
    |                                                                   |
    |                                                                   |
    +-------------------------------------------------------------------+

3. Type a new file name and press ENTER. In this case, we'll use G:\TMP\TEST.EXE. TbClean now begins the cleaning process. By specifying a different name you ensure that the cleaned file cannot overwrite the original file. In this example TbClean copies COMMAND.COM to TEST.COM and disinfects TEST.COM. If you do not specify a backup filename, TbClean creates a backup with the .VIR extension.
   In this example, TbClean would copy the original file to COMMAND.VIR and then clean COMMAND.COM.

   During the cleaning process, TbClean displays as much information as possible about the current operation, as illustrated below. All the major actions appear in the emulation window at the lower half of the screen, which displays a disassembly and the register contents of the program under scrutiny, as well as a progress report. The top-left and top-right status windows reveal useful details of the infected file and (if TbClean can find a suitable ANTI-VIR.DAT file) the file's original status. You can abort the cleaning process by pressing Ctrl+Break.

    +-----------------------------------------------------------------+
    | Thunderbyte clean utility (C) 1992-95 Thunderbyte B.V.          |
    +---------Infected state----------++---------Original state-------+
    | Entry point (CS:IP) 34BF:0012   || Entry point (CS:IP) 34BF:0012|
    | File length                     || File length          UNKNOWN!|
    | Cryptographic CRC 9F90F52A      || Cryptographic CRC    UNKNOWN!|
    +---------------------------------++------------------------------+
    |                                                                 |
    | Starting clean attempt. Analyzing infected file...              |
    | Anti-Vir not found: original state unknown. Trying emulation... |
    |                                                                 |
    | Emulation terminated:                                           |
    |                                                                 |
    | G:\VIRUS\COMMAND.COM                                            |
    | CS:IP     Instruction  AX  BX  CX  DX  DS  SI  ES  DI  SS  SP   |
    | 9330:0101 mov ah,40    FFFE9330FFFFEFFFD382FFEDEFFEFFFF9520007E |
    | 9330:0103 mov bx,0002  40FE9330FFFFEFFFD382FFEDEFFEFFFF9520007E |
    | 9330:0106 mov cx,0016  40FE0002FFFFEFFFD382FFEDEFFEFFFF9520007E |
    | 9330:0109 mov dx,cs    40FE00020016EFFFD382FFEDEFFEFFFF9520007E |
    | 9330:010B mov ds,dx    40FE000200169330D382FFEDEFFEFFFF9520007E |
    | 9330:010D mov dx,0117  40FE0002001693309330FFEDEFFEFFFF9520007E |
    | 9330:0110 int 21       40FE0002001601179330FFEDEFFEFFFF9520007E |
    | 9330:0112 mov ax,4CFF  40FE0002001601179330FFEDEFFEFFFF9520007E |
    | 9330:0115 int 21       4CFF0002001601179330FFEDEFFEFFFF9520007E |
    | 9330:0115 <End of emulation>                                    |
    +-----------------------------------------------------------------+

   A successful purge is not the end of the story! Your job is only partially complete. Some viruses damage data files. They could randomly change bytes on your disks, swap sectors, or perform other nasty tricks. A cleaning utility can never repair data!

4. Check your data files thoroughly and consult a virus expert to find out what the virus is capable of doing. If there is any doubt, restoring the data is definitely the most reliable option.

WARNING: Under no circumstances should you continue to use cleaned software! Cleaning is a temporary solution that simply enables you to delay a large restore operation until a more practical time. You should never rely on a cleaned program for any length of time. This is not a criticism of anti-viral cleaning agents. If your data is valuable to you, you should care for it as much as possible, and sticking to original software is simply an elementary precaution. In other words, restore the original programs as soon as possible!
3.6.5 Understanding Cleaning Limitations

Although TbClean has a very high success rate and is able to clean programs that other cleaners refuse to process, it simply cannot remove all viruses and cannot clean every file. Examples of computer viruses that TbClean (or other virus cleaners) cannot clean include:

Overwriting viruses. This type of virus does not add itself to the end of the original program; rather, it copies itself over the original file. Further, it does not attempt to start the original program but simply hangs the machine or returns you to DOS after it activates. Since it overwrites the original file, no cleaner can restore the file.

Some encrypted viruses. TbClean is usually able to decrypt the virus. However, some viruses use anti-debugger features that TbClean cannot yet cope with (but we're working on it!).

The construction of some program files makes them impossible to clean, making reinstallation the only option. Some of these file types include:

EXE-programs with internal overlays. TbScan marks these files with an "i" flag. Any infection is sure to cause major damage to these files. Some viruses recognize such programs and do not infect them, but most viruses infect these programs anyway and corrupt them. No cleaner can repair this kind of damage.

Programs with sanity check routines. Some programs (mostly anti-virus software or copy-protected programs) perform their own kind of sanity check. Heuristic cleaning of an infected program normally results in a program that is not physically identical to the original. So, although TbClean removes the virus from the program and the program is functionally identical to the original, the program's internal sanity check usually detects the slight changes and aborts the program.

Cleaning Multiple Files

TbClean has no provisions for cleaning multiple programs in one run. There are two reasons for this omission:

1. TbClean cannot search for viruses automatically since it does not know any virus.

2. We recommend that you clean the system on a file-by-file basis. Clean one file, verify the result, and go on to the next file. Again, this helps you keep track of which files are clean, which files are damaged and should be restored from a backup, and which files are still infected.

3.7 Using TbMem

TBAV provides three extra utilities that help you build a massive security wall around your computer system. This set includes: TbMem, TbFile and TbDisk. In this section, we'll introduce these three utilities collectively as a set and then examine each individual utility.

3.7.1 Introducing the TbMem, TbFile & TbDisk Utilities

As the old saying goes, "An ounce of prevention is worth a pound of cure," and the computer virus threat gives this old saying new meaning. TBAV is the best product on the market for removing viruses, but if this is all it did, it would be of little use. It's much wiser to prevent virus infection than wait until you get one and remove it. This is where a set of three small memory-resident (TSR) programs come in. These utilities are shipped with TBAV for DOS; they monitor specific areas of your system and protect against virus infection. These three utilities are:

TbMem. This program detects attempts by programs to remain resident in memory and ensures that no program can remain resident in memory without permission.

TbFile. This program detects attempts by programs to infect other programs.

TbDisk. This program detects attempts by programs to write directly to the disk (bypassing DOS), attempts to format disks, and other such destructive actions.

3.7.2 Loading TbMem, TbFile and TbDisk

The TbMem, TbFile and TbDisk programs load in the same way.
The following sections contain specific information on each of the programs, but here we present loading information that is common to all of them.

CAUTION: You must load TbDriver before you can load any of the TbMem, TbFile or TbDisk utilities. These utilities will refuse to load without it.

There are three possible ways to load TbMem, TbFile or TbDisk. Please note that we call the programs TbXXX here. Naturally, you will replace the XXX with either Mem, File, or Disk when you load each utility.

1. From the DOS prompt or within the AUTOEXEC.BAT file:

       <PATH>TBXXX

2. From the CONFIG.SYS file as a TSR (DOS 4 or higher):

       INSTALL=<PATH>TBXXX.EXE

   The INSTALL= CONFIG.SYS command is NOT available in DOS 3.xx.

3. From the CONFIG.SYS as a device driver:

       DEVICE=<PATH>TBXXX.EXE

NOTE: Executing one of the utilities TbMem, TbFile or TbDisk as a device driver does not work in all OEM versions of DOS. If it doesn't work, use the INSTALL= command or load the desired program from within the AUTOEXEC.BAT. TbMem, TbFile and TbDisk should always work correctly after being started from within the AUTOEXEC.BAT file. Also, unlike other anti-virus products, you can load the ThunderBYTE Anti-Virus utilities before starting a network without losing the protection after the network starts.

In addition to the three loading possibilities, if you are using DOS version 5 or above, you can load the TbMem, TbFile or TbDisk programs in an available UMB (upper memory block) from AUTOEXEC.BAT using the following command:

    LOADHIGH <PATH>TBXXX.EXE

You can load TbMem, TbFile or TbDisk high from within the CONFIG.SYS using the following command:

    DEVICEHIGH=<PATH>TBXXX.EXE

If you are using Microsoft Windows, you should load the resident TBAV programs BEFORE starting Windows. When you do this, there is only one copy of the program in memory regardless of how many DOS windows you might open.
Every DOS window (that is, every virtual machine) has a fully functional copy of the program running in it. Each of the programs automatically detects if Windows is running, and switches itself into multitasking mode if necessary. You can even disable each of the programs in one window without affecting the functionality in another window.

3.7.3 Using Command Line Options

You can load all the TbMem, TbFile or TbDisk utilities using several command line options. See the description of each individual utility for further information.

3.7.4 Understanding TbMem

Once they execute, most viruses remain resident in memory. While resident in memory, they might have many opportunities to infect other files in the background, interfere with the system operation, hide themselves from virus scanners or checksumming programs, and/or perform other nasty tasks. On the other hand, because so many viruses remain resident in memory, most of them are easy to detect by monitoring the process of becoming memory resident.

TbMem monitors the system and ensures that no program can remain resident in memory without permission. This brings to your attention any software that attempts to remain resident, thereby reducing the likelihood of a virus going unnoticed. TbMem also protects CMOS (a small area of memory that stores vital information concerning your computer).

NOTE: What exactly is a memory-resident program? Most programs run by executing a command at the DOS command line, perform some task, and then terminate, placing you back where you started. Some programs, however, continue to operate after you terminate them. These programs load themselves into memory, remain resident in memory, and perform some task in the background. Programs in this category include: disk caches, print spoolers and network software. These programs are often referred to as TSR (Terminate and Stay Resident) programs.
Like a TSR program, most viruses also remain resident in memory, and it is for this reason that TbMem should be used to control the process of becoming resident in memory. If a program attempts to become resident, TbMem offers you the option to abort the attempt. It does this by guarding the DOS TSR function calls while also monitoring important interrupts and memory structures.

TbMem uses the ANTI-VIR.DAT records to determine whether it will allow a specific program to remain resident in memory. TbSetup recognizes many common TSRs. If it doesn't recognize a TSR, however, TbMem asks your permission for the TSR to load. It then maintains permission information in the ANTI-VIR.DAT files to prevent TbMem from bothering you when an approved TSR is loading.

TbMem also checks the contents of the CMOS configuration memory after each program termination to ensure that programs have not changed it. TbMem offers you the option of restoring the CMOS configuration when it changes.

Once you teach TbMem which programs are TSRs and which are not on a PC, you can use TbSetup to set the permission flag of these files on other machines.

TbMem also installs a hot key that you can use to escape from nearly all programs.

TbMem is fully network compatible. It does not require you to reload the checker after logging onto a network.

3.7.5 Working with TbMem

Since TbMem is a memory resident program, you can execute and configure it from the command line or from within a batch file. It is more efficient, however, to load TbMem at boot up from either CONFIG.SYS or AUTOEXEC.BAT. See the "Introducing the TbMem, TbFile and TbDisk Utilities" section earlier in this chapter for details.

CAUTION: You must load TbDriver before you can load TbMem. TbMem will refuse to load without it.

3.7.6 Maximizing TbMem

You can maximize the performance of TbMem by using its command line options.
The first four options in the table below are always available. The other options are available only if TbMem is not yet memory resident.

    option parameter    short  explanation
    ------------------  -----  ----------------------------------------
    help                ?      display on-line help
    remove              r      remove TbMem from memory
    on                  e      enable checking
    off                 d      disable checking
    secure              s      do not execute unauthorized TSRs
    hotkey<=keycode>    k      specify keyboard scancode for the
                               program cancel hotkey
    nocancel            n      do not install the cancel hotkey
    nocmos              m      do not protect CMOS memory

The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option.

TIP: Remember that you can display these options from the command line by entering TBMEM ?.

help (?).

Specifying this option displays the brief help as shown above.

remove (r).

This option disables TbMem and attempts to remove the resident part of its code from memory and return this memory space to the system. Unfortunately, this works only if you loaded TbMem last. An attempt to remove a TSR after you load another TSR leaves a useless gap in memory and could disrupt the interrupt chain. TbMem checks whether it is safe to remove its resident code; if not, it simply disables itself.

on (e).

This option reactivates TbMem after you disable it using the OFF option.

off (d).

Specifying this option disables TbMem but leaves it in memory.

secure (s).

TbMem normally asks the user to continue or to cancel when a program tries to remain resident in memory. In some business environments, however, employees should not make this choice. If you use this option, it is no longer possible to execute new or unknown resident software. It is also no longer possible to use the REMOVE or OFF options.

hotkey (k).

TbMem offers you a reliable way to escape from any program by pressing a special key combination.
You can use this feature not only to escape from programs that "hang," but also from software that seems to be malicious (although we recommend powering down and rebooting from a write-protected system disk). Instead of the default combination (Ctrl+Alt+Insert), you can specify another keyboard combination using the HOTKEY=<KEYCODE> option. You must specify the scancode using a 4-digit hexadecimal number; the first two digits specify the shift-key mask, and the last two digits specify the keyboard scancode. Consult your PC manual for a list of "scan codes." For example, the default scan code is 0C52, but you can change this to another code, such as 0C01, the code for Ctrl+Alt+Esc.

nocancel (n).

TbMem normally installs the program cancel hot key (Ctrl+Alt+Insert). If you do not want to use the program cancel hot key, specify this option, since this saves a few bytes of memory.

nocmos (m).

TbMem normally protects the CMOS memory if available. If you do not want TbMem to do this, you can specify this option.

The following command loads TbMem as a device driver in the CONFIG.SYS, configures the "program cancel hot key" as Ctrl+Alt+Esc, and cancels protection of CMOS memory:

    DEVICE=C:\TBAV\TBMEM.EXE HOTKEY=0C01 NOCMOS

To achieve the same functionality, you could execute TbMem from the DOS command line rather than specifying the TbMem command line in the CONFIG.SYS by entering the following command at the DOS command line:

    C:\TBAV\TBMEM.EXE HOTKEY=0C01 NOCMOS

3.7.7 Understanding TbMem's Operation

If TbMem detects that a program tries to remain resident in memory, it displays a pop-up window with a message to that effect. You can either choose to continue, or to abort the program's loading. If you answer "NO" to the question "Remove program from memory?" the program continues undisturbed, and TbMem places a mark in the ANTI-VIR.DAT file about this program.
Next time you invoke the same resident program, TbMem will not disturb you again.

There are many programs that normally remain resident in memory, such as disk caches, print spoolers, and others. How, then, does TbMem distinguish between these programs and viruses? TbMem uses the ANTI-VIR.DAT records generated by TbSetup to keep track of which files are normal TSRs and which are not. It marks most common resident software as being common so you don't have to worry about these files.

If TbMem pops up with the message that a program tries to remain resident in memory, you have to consider the purpose of the program mentioned. For example, is the program supposed to continue to operate in the background? The answer is obviously yes if the program is a disk cache, print spooler, pop-up utility or system extension software. If, on the other hand, the message appears after you have exited your word processor, database, or spreadsheet application, something is definitely wrong! You ought to terminate the program immediately and use a virus scanner to check the system. The same applies when software that operates normally without staying resident in memory suddenly changes its behavior and tries to remain resident in memory.

3.8 Using TbFile

This section concerns another resident TBAV utility, TbFile, which checks programs for virus infections as they begin to load.

3.8.1 Understanding TbFile

The two most dangerous virus categories are the boot sector and the file variants. File viruses all have a common purpose, namely, to infect programs. Infecting a program involves very unusual file manipulations that are quite dissimilar to normal file handling procedures, so in order to detect viral activity it is essential to keep an eye out for program file changes involving peculiar actions.
TbFile monitors the system and detects attempts by programs to infect other programs. Unlike other file guards, TbFile monitors the system only for virus-specific file modifications. TbFile doesn't generate an alarm when a program modifies itself for configuration purposes, nor does it bother you when you update a program or create one yourself. On an average system, configurations should never cause a false alarm. TbFile has a very sophisticated infection detector and will not give a false alarm when you perform standard file operations. In normal configurations you will never get a false alarm!

TbFile not only detects attempts to infect programs, it also offers you the option of aborting the infection process and continuing a program's execution. TbFile also detects other suspicious activities, including setting the seconds value of time stamps to an illegal value.

TIP: As many users know, you can protect files against unwanted modifications by means of the read-only attribute. Without TbFile, however, someone can easily circumvent this standard DOS protection. TbFile detects any attempts to sabotage the read-only attribute. This gives you added security by enabling you to use this uncomplicated method to fully protect your files against destruction and infection.

TbFile is fully network compatible. It does not require you to reload the checker after logging onto a network. In contrast, other resident anti-virus utilities force you to choose between protection BEFORE you start the network, or protection AFTER you start the network, but not both.

3.8.2 Working with TbFile

Since TbFile is a memory resident program, you can execute and configure it from the command line or from within a batch file. It is more efficient, however, to load TbFile at boot up from either CONFIG.SYS or AUTOEXEC.BAT. See the "Introducing the TbMem, TbFile and TbDisk Utilities" section earlier in this chapter for details.
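The "illegal seconds value" mentioned in 3.8.1 above can also be checked after the fact on a copy of a directory. The following Python snippet is an added example (not TBAV code) that decodes the 16-bit DOS time field of FAT directory entries and flags entries whose seconds value cannot come from a legitimate write; the directory entries it scans are constructed inline.

```python
"""Flag DOS directory entries whose time stamp carries an illegal seconds value,
an added example of the check the manual attributes to TbFile (not TBAV code).
The directory entries below are constructed, not read from a real disk."""
import struct

# 32-byte FAT directory entry: name, attr, NT reserved, create-time tenths,
# create time, create date, access date, cluster high, write time, write date,
# cluster low, size (all little-endian).
FAT_DIRENT = struct.Struct("<11sBBBHHHHHHHI")
ATTR_VOLUME_ID = 0x08  # also set in long-file-name entries


def decode_dos_time(word: int):
    """Split a 16-bit DOS time field into (hours, minutes, seconds)."""
    hours = word >> 11
    minutes = (word >> 5) & 0x3F
    seconds = (word & 0x1F) * 2  # 5-bit field with 2-second resolution
    return hours, minutes, seconds


def encode_dos_time(hours: int, minutes: int, seconds_field: int) -> int:
    """Pack a DOS time; seconds_field is the raw 5-bit value (0..29 are legal)."""
    return (hours << 11) | (minutes << 5) | seconds_field


def illegal_time_reason(word: int):
    """Return why the time field is illegal, or None if it is a valid time of day."""
    hours, minutes, seconds = decode_dos_time(word)
    if seconds > 59:
        return f"seconds={seconds}"
    if minutes > 59:
        return f"minutes={minutes}"
    if hours > 23:
        return f"hours={hours}"
    return None


def make_dirent(name: str, ext: str, attr: int, time_word: int,
                date_word: int, size: int) -> bytes:
    """Build one constructed directory entry."""
    raw_name = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    return FAT_DIRENT.pack(raw_name, attr, 0, 0, time_word, date_word,
                           date_word, 0, time_word, date_word, 0, size)


def scan_directory(raw: bytes):
    """Walk a raw directory and list entries whose write time is illegal."""
    findings = []
    for offset in range(0, len(raw) - 31, 32):
        fields = FAT_DIRENT.unpack_from(raw, offset)
        raw_name, attr, write_time = fields[0], fields[1], fields[8]
        if raw_name[0] in (0x00, 0xE5) or attr & ATTR_VOLUME_ID:
            continue  # free or deleted slot, volume label or LFN entry
        reason = illegal_time_reason(write_time)
        if reason:
            name = (raw_name[:8].decode().rstrip() + "."
                    + raw_name[8:].decode().rstrip())
            findings.append((name, reason))
    return findings


# Constructed directory: two files with ordinary time stamps and one whose
# seconds field is 31 (62 seconds), a value no legitimate write ever produces.
DATE_1996_01_15 = ((1996 - 1980) << 9) | (1 << 5) | 15
SAMPLE_DIR = (
    make_dirent("COMMAND", "COM", 0x20, encode_dos_time(12, 30, 0),
                DATE_1996_01_15, 54_619)
    + make_dirent("EDIT", "EXE", 0x20, encode_dos_time(9, 15, 31),
                  DATE_1996_01_15, 12_450)
    + make_dirent("README", "TXT", 0x20, encode_dos_time(9, 16, 12),
                  DATE_1996_01_15, 2_048)
)

if __name__ == "__main__":
    for name, reason in scan_directory(SAMPLE_DIR):
        print(f"{name}: illegal time stamp ({reason})")
```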
CAUTION: You must load TbDriver before you can load TbFile. TbFile will refuse to load without it.

3.8.3 Maximizing TbFile

You can maximize the performance of TbFile by using its command line options. The first four options in the table below are always available. The other options are available only if TbFile is not yet memory resident.

    option      parameter   short explanation
    ---------   ---------   ------------------------------
    help        ?           display on-line help
    remove      r           remove TbFile from memory
    on          e           enable checking
    off         d           disable checking
    secure      s           all permissions denied
    allattrib   a           read-only check on all files
    compat      c           allow CP/M-style file I/O calls

The table serves as a quick reference; the following descriptions provide more information about each option.

TIP: Remember that you can display these options from the command line by entering TBFILE ?.

help (?). Specifying this option displays the brief help shown above.

remove (r). This option disables TbFile and attempts to remove the resident part of its code from memory and return the memory to the system. This works only if you loaded TbFile last: removing a TSR after another TSR has been loaded on top of it leaves a useless gap in memory and could disrupt the interrupt chain. TbFile checks whether it is safe to remove its resident code; if not, it simply disables itself.

on (e). This option reactivates TbFile after you disabled it using the OFF option.

off (d). Specifying this option disables TbFile but leaves it in memory.

secure (s). TbFile normally asks you to continue or to cancel when a program tries to perform a suspicious operation. In some business environments, however, employees should not make this decision. If you use the SECURE option, suspicious operations are always denied; it is no longer possible to allow them. It is also no longer possible to use the OFF and REMOVE options.

allattrib (a).
TbFile normally protects only the read-only attribute of executable files (program files with the extension COM and EXE). If you want the read-only check on all files, add this option. You then get an alarm whenever something attempts to remove the read-only attribute of any file.

compat (c). DOS still contains some CP/M-compatible file functions, inherited from that earlier operating system, even though DOS programs no longer use them. Some viruses, however, use these functions to bypass anti-virus software. TbFile closes these backdoors by default; specify this option only if you run software that genuinely needs the old calls.

The following command loads TbFile as a device driver from CONFIG.SYS and guards the read-only attribute of all files:

    DEVICE=C:\TBAV\TBFILE.EXE ALLATTRIB

To achieve the same functionality from the DOS command line (or from AUTOEXEC.BAT) rather than from CONFIG.SYS, enter:

    C:\TBAV\TBFILE.EXE ALLATTRIB

3.9 Using TbDisk

This section deals with TbDisk, which prevents viruses from damaging data on your hard disk.

3.9.1 Understanding TbDisk

Many viruses try to damage the data on disk. They accomplish this by various actions: formatting the disk, overwriting the FAT, swapping disk sectors, and others. Almost anything is possible!

Another category of malicious software, known as boot sector virus droppers, installs a boot sector virus on the disk. The dropper itself is not a virus, so detection with virus scanners and other anti-viral software is very difficult. The only way to detect such a program is by monitoring its behavior.

The main problem in all this lies in the way these programs avoid the usual DOS procedures: they go directly to the BIOS (Basic Input/Output System).
This is why you need TbDisk: it monitors the system and ensures that no program can write directly to disk without permission. TbDisk draws attention to any software that attempts to write directly to disk, thereby reducing the likelihood of a virus remaining unnoticed. It prevents viruses from damaging data on your disk and stops boot sector virus droppers in their tracks.

TbDisk not only informs you when a program tries to write directly to the disk, it also offers you the option to abort the program before it can cause any damage. TbDisk is able to detect stealth techniques, that is, attempts to single step through the BIOS software, and it even monitors the use of undocumented calls that could cause disk damage. For example, TbDisk can distinguish whether DOS or an application makes a direct write attempt via Int 13h (the disk service implemented in the BIOS of your computer). Direct writes are perfectly legal for DOS, but unusual for application software.

TbDisk does require a little maintenance. It uses the ANTI-VIR.DAT records to determine whether it should allow a program (including popular disk utilities, which TbSetup recognizes) to write directly to the disk. In the absence of an ANTI-VIR.DAT record, TbDisk asks your permission first and, if you grant it, updates the record accordingly to avoid repeated warnings about the same program.

TbDisk is fully network compatible. It does not require you to reload the program after logging onto a network. Other resident anti-virus utilities force you to choose between protection BEFORE the network is started and protection AFTER it starts, but not both.

TIP: TbDisk also comes in handy if you ever need to write protect a hard disk. This bonus feature often helps when testing new software.
3.9.2 Working with TbDisk

Since TbDisk is a memory resident program, you can execute and configure it from the command line or from within a batch file. It is more efficient, however, to load TbDisk at boot up from either CONFIG.SYS or AUTOEXEC.BAT. See the "Introducing the TbMem, TbFile and TbDisk Utilities" section earlier in this chapter for details.

CAUTION: You must load TbDriver before you can load TbDisk. TbDisk will refuse to load without it.

In addition, there are several special considerations in using TbDisk.

Loading TbDisk

Improper installation of TbDisk can cause excessive false alarms! If you want to install TbDisk in your CONFIG.SYS or AUTOEXEC.BAT file, we recommend that you use the INSTALL option of TbDisk first. With INSTALL, TbDisk allows every disk access but still displays the message it would display in normal mode. If the system continues to behave normally and TbDisk does not report false alarms when you copy files on your hard disk, TbDisk is installed correctly and you can remove the INSTALL option from the command.

WARNING: Failing to use the INSTALL option when you first install TbDisk in CONFIG.SYS or AUTOEXEC.BAT might cause loss of data, because a false alarm that you answer with "abort" cancels a legitimate disk write. Please read on.

If TbDisk causes false alarms, move the TbDisk line further down in your CONFIG.SYS or AUTOEXEC.BAT file, so that it loads later, until it works as it should.

CAUTION: Unlike the other TBAV utilities, we recommend that you load TbDisk AFTER other resident software! Failure to do so can cause false alarms!

TbDisk detects if Windows is running and automatically switches into multitasking mode if necessary. You can even disable TbDisk in one window without affecting its functionality in another.
If you are using Windows fast 32-bit disk access, you might need to use TbDisk's WIN32 option if Windows displays an error message.

3.9.3 Maximizing TbDisk

You can maximize TbDisk's performance by using its command line options. The first four options are always available. The other options are available only if TbDisk is not yet memory resident.

    option      parameter   short explanation
    ---------   ---------   -----------------------------------
    help        ?           display on-line help
    remove      r           remove TbDisk from memory
    on          e           enable checking
    off         d           disable checking
    wrprot      p           make hard disk write protected
    nowrprot    n           allow writes to hard disk
    win32       w           allow Windows 32-bit disk access
    secure      s           deny access without asking first
    notunnel    t           do not detect tunneling
    nostealth   a           do not detect stealth disk access
    install     i           installation test mode

The table serves as a quick reference; the following descriptions provide more information about each option.

TIP: Remember that you can display these options from the command line by entering TBDISK ?.

help (?). Specifying this option displays the brief help shown above. Once TbDisk is loaded into memory, only the options that are still available appear.

remove (r). This option disables TbDisk and attempts to remove the resident part of its code from memory and return the memory to the system. This works only if you loaded TbDisk last: removing a TSR after another TSR has been loaded on top of it leaves a useless gap in memory and could disrupt the interrupt chain. TbDisk checks whether it is safe to remove its resident code; if not, it simply disables itself.

on (e). This option reactivates TbDisk after you disabled it using the OFF option.

off (d). Specifying this option disables TbDisk but leaves it in memory.

wrprot (p).
Hard disks are more difficult to protect against writing than floppies, which adds considerable risk to activities such as testing new software. Sometimes you want to find out what such software does to your hard disk and how this could affect your valuable data. The WRPROT option makes this safer. Whenever a program wishes to write to a protected disk, you will see a message such as:

    Write protect error writing drive C:
    A)bort, R)etry, I)gnore?

You can then take the appropriate action.

CAUTION: Software write protection is not absolutely reliable. Some viruses can bypass it (code that talks to the disk controller hardware directly never passes through the BIOS calls TbDisk guards), but fortunately they are few and far between. Despite this shortcoming, the option is a valuable shield against most malicious software.

nowrprot (n). Use this option to undo the WRPROT option.

win32 (w). Windows 386 Enhanced Mode uses some undocumented DOS calls to retrieve the original BIOS disk handler when you enable 32-bit disk access. Since TbDisk guards these calls, 32-bit disk access is no longer possible unless you specify the WIN32 option when you initialize TbDisk.

CAUTION: Use this option only in Windows 386 Enhanced Mode with fast 32-bit disk access enabled, as it reduces anti-viral security to some extent.

secure (s). TbDisk normally asks whether the user wants to continue or cancel when a program tries to perform direct disk access. In some business environments, however, employees should not make this decision. This option denies direct disk access to new or unknown software without asking. It also disables the OFF and REMOVE options.

notunnel (t). "Tunneling" is a technique viruses use to determine the location of the DOS system code in memory and then call that address directly. This bypasses every TSR that hooks the DOS interrupts, including resident anti-virus software. TbDisk is able to detect these tunneling attempts and informs you about them.
Some other anti-virus products also rely on tunneling techniques to bypass resident viruses, which causes false alarms. If you run other anti-viral products, the NOTUNNEL option disables TbDisk's tunneling detection.

nostealth (a). TbDisk tries to detect direct calls into the BIOS. If such an attempt occurs, TbDisk pops up with a message that something is accessing the disk in an unusual way. If this feature causes false alarms, you can use this option to turn it off.

install (i). Incorrect installation can result in a large number of false alarms. Use this option when installing TbDisk: it lets every disk write through while still showing the messages, so a false alarm cannot cancel a valid disk write operation.

3.9.4 Understanding TbDisk's Operation

What is Direct Disk Access?

Programs usually access files through the operating system (DOS). Whenever a program wants to update a file, for example, it asks DOS to write the data to disk. It is also possible, however, to write to a disk without using DOS. This is called direct disk access. While normal programs do not write to the disk directly, some programs need to do so, including:

    Format utilities. Direct disk access is the only way to format a disk.

    Disk diagnosis utilities (such as the Norton Disk Doctor, and DOS's CHKDSK command and ScanDisk utility).

    Disk optimizers and defragmenters (such as Norton SpeedDisk and DOS's Defrag utility).

Since many viruses also perform direct disk access, it is essential to control it. TbDisk can distinguish between legitimate programs and a virus with the help of the ANTI-VIR.DAT records, which you generate using TbSetup. Whenever TbDisk pops up a message that a program is accessing the disk directly, consider the program's purpose carefully.
While it is perfectly acceptable for a format utility or a disk optimizer to format or edit disk sectors, this is not acceptable for a word processor or database. When TbDisk warns you that a spreadsheet or some other normal program is about to format a sector, you can be sure that something is wrong. Terminate the program immediately! Then check things out with a virus scanner before the worst happens.

3.10 Using TbUtil

This section describes TbUtil, which is designed primarily to make a precautionary backup of clean partition tables and boot sectors.

3.10.1 Understanding and using TbUtil

TbUtil provides a defense against partition table and boot sector viruses. You can use TbUtil to:

    Copy the partition table, boot sector and CMOS data area into a file. You can run TbUtil on a regular basis to compare the current partition table, boot sector and CMOS data area against the saved versions. After an accident (virus or otherwise), you can restore the copy using the TbUtil program.

    Remove a partition table virus without having to low-level format the hard disk, even if there is no backup of the partition table.

    Remove boot sector viruses, and create partition table code that has some first-line virus defenses built in.

    Replace an infected or clean boot sector with a safe TBAV boot sector.

NOTE: What is a partition table? A physical hard disk might consist of more than one "partition" (or division). Each partition is a logical disk drive and has its own ID, such as C:, D:, and E:. The partition table contains the disk layout, that is, the starting and ending cylinder of every partition. It also records the operating system (type) of each partition and which partition should be used to boot. The partition table, together with the small program that selects and starts the boot partition (the two together are also called the Master Boot Record, or MBR), always resides in the very first sector of the hard disk.
Unlike most file viruses, partition table viruses are hard to remove. The only solutions are to low-level format the hard disk and make a new partition table, or to make use of scantily documented DOS commands. TbUtil, however, makes a backup of the partition table and boot sector and uses this backup to compare, and to restore, the original partition table and boot sector once they become infected. You no longer have to format your disk to get rid of a partition table or boot sector virus. The program can also restore the CMOS configuration.

Optionally, TbUtil replaces the partition table code with an immunized partition table containing facilities against viruses. The TbUtil partition code executes before the boot sector gains control, so it is able to check the boot sector in a clean environment. Once the boot sector has executed, it is difficult to check it, because a boot sector virus is by then already resident in memory and can deceive a protection scheme. Instead of requiring you to boot from a clean DOS diskette just to inspect the boot sector, the TbUtil partition code performs a CRC calculation on the boot sector just before passing control to it. If the CRC does not match the stored value, the TbUtil partition code warns you about the change. It also checks the RAM layout and informs you when that changes. TbUtil does all of this every time you boot from your hard disk.

TbUtil can replace infected and clean diskette boot sectors with a new, specialized boot sector that has several advantages over the standard boot sector:

    It has boot sector virus detection capabilities.

    It performs a sanity check.

    It offers you the possibility to redirect the boot process to the hard disk without opening the diskette drive door.
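What the immunized partition code is checking, as an added example in Python (a model for illustration, not the ThunderBYTE partition code, which is real-mode machine code that runs before DOS): the boot sector's CRC against the value recorded at immunize time, the BIOS data area's memory-size word, and whether the INT 13h vector still points into ROM. The two addresses are the standard real-mode locations; the memory images and the boot sector are constructed. The check_ram switch models the NOMEM sub-option described in 3.10.3.

```python
"""Model of the three checks the TbUtil partition code reports at boot
("boot sector CRC", "available RAM", "INT 13h").  Added example, not the
ThunderBYTE partition code; the memory snapshots are constructed."""
import zlib

# Real-mode PC facts used below:
#   linear 0x004C  interrupt vector 13h: offset word, then segment word
#   linear 0x0413  BIOS data area word: conventional memory in KB (640 on
#                  a full machine).  A resident boot virus lowers this
#                  value to reserve the top of memory for itself.
#   The ROM BIOS lives in segment F000h; anything below A000h is RAM.
IVT_INT13 = 0x0000 * 16 + 0x4C
BDA_MEMSIZE_KB = 0x0040 * 16 + 0x13
FIRST_NON_RAM_SEGMENT = 0xA000


def read_word(mem, addr):
    return mem[addr] | (mem[addr + 1] << 8)


class PartitionCodeChecks:
    """What an immunized MBR would carry: the CRC of the boot sector it
    is about to jump to and the memory size seen when it was installed."""

    def __init__(self, boot_sector, memsize_kb, check_ram=True):
        self.boot_crc = zlib.crc32(boot_sector)
        self.memsize_kb = memsize_kb
        self.check_ram = check_ram        # False models the NOMEM sub-option

    def run(self, boot_sector, mem):
        """Return {check name: passed}; mem is a bytes-like image of the
        start of real-mode memory (IVT + BIOS data area)."""
        results = {"boot sector CRC": zlib.crc32(boot_sector) == self.boot_crc}
        if self.check_ram:
            results["available RAM"] = read_word(mem, BDA_MEMSIZE_KB) == self.memsize_kb
        # Before DOS loads, nothing legitimate has hooked INT 13h yet, so a
        # vector pointing into RAM means resident code got there first.
        int13_segment = read_word(mem, IVT_INT13 + 2)
        results["INT 13h"] = int13_segment >= FIRST_NON_RAM_SEGMENT
        return results


def report(results):
    """Format results the way the partition code prints them."""
    return ["Checking %s -> %s" % (name, "OK!" if ok else "Failed!")
            for name, ok in results.items()]


def build_memory(memsize_kb, int13_segment, int13_offset):
    """Constructed low-memory image with just the fields the checks read."""
    mem = bytearray(0x500)
    mem[IVT_INT13:IVT_INT13 + 2] = int13_offset.to_bytes(2, "little")
    mem[IVT_INT13 + 2:IVT_INT13 + 4] = int13_segment.to_bytes(2, "little")
    mem[BDA_MEMSIZE_KB:BDA_MEMSIZE_KB + 2] = memsize_kb.to_bytes(2, "little")
    return bytes(mem)


# Constructed boot sector: jump, OEM name, zero BPB/code, 55AA signature.
CLEAN_BOOT_SECTOR = b"\xEB\x3C\x90" + b"MSDOS5.0" + bytes(499) + b"\x55\xAA"

# A clean machine: 640 KB, INT 13h in the ROM BIOS.
CLEAN_MEMORY = build_memory(640, 0xF000, 0xEC59)
# After a boot sector virus went resident: 2 KB stolen from the top of
# memory, INT 13h hooked into that stolen area at 9F80:0000.
INFECTED_MEMORY = build_memory(638, 0x9F80, 0x0000)

if __name__ == "__main__":
    checks = PartitionCodeChecks(CLEAN_BOOT_SECTOR, 640)
    for line in report(checks.run(CLEAN_BOOT_SECTOR, CLEAN_MEMORY)):
        print(line)
    print()
    for line in report(checks.run(CLEAN_BOOT_SECTOR, INFECTED_MEMORY)):
        print(line)
```

The INT 13h test is only meaningful at this point in the boot: once DOS, a disk cache or TbDisk itself is loaded, the vector legitimately points into RAM, which is exactly why the manual puts the check in the partition code rather than in a TSR.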
3.10.2 Working with the TbUtil Menu

The TbUtil module contains several programs, which you can execute from either the TbUtil Menu or, in case of an emergency, from a TbUtil recovery diskette using the DOS command line. The menu, however, offers some additional options. Selecting the "TbUtil" option from the TBAV Main Menu displays the following menu:

    +------Main menu------+
    | Confi+-----------TbUtil menu-----------+
    | TbSet| System maintenance menu        >|
    | TbSca| Immunize/clean bootsector A:    |
    | TbUti| Immunize/clean bootsector B:    |
    | TbCLe| Immunize/clean partition code   |
    | Virus+---------------------------------+
    | TBAV Monitor       >|
    | Documentation      >|
    | Register TBAV       |
    | About               |
    | Quit and save       |
    | eXit (no save)      |
    +---------------------+

We'll now explore these menu options.

The "System Maintenance Menu" Option

Selecting the "System maintenance menu" option displays the System Maintenance menu:

    +------Main menu------+
    | Confi+-----------TbUtil menu-----------+
    | TbSet| System+-------System maintenance-------+
    | TbSca| Immuni| Execute TbUtil                 |
    | TbUti| Immuni| Describe this machine          |
    | TbCLe| Immuni| Save system configuration      |
    | Virus+-------|v Compare system configuration  |
    | TBAV Monitor | Restore system configuration   |
    | Documentation|v process CMOS memory           |
    | Register TBAV|v process Partition code        |
    | About        |v process Bootsector            |
    | Quit and save+--------------------------------+
    | eXit (no save)      |
    +---------------------+

This menu contains the actual TbUtil program. The program takes care of saving, restoring or comparing the system configuration of your PC. It stores the backup system configuration on a diskette in a file with either a default name or a name you specify yourself.

WARNING: You can only restore a system configuration data file on the machine that created the data file. Restoring a configuration file from one PC to another makes the PC inaccessible!
The "System Maintenance Menu" contains the following items:

Execute TbUtil. Before activating this option, you must select one of the optional functions: Save, Compare, or Restore the system configuration. Move to the option you want to activate and press ENTER. A check mark indicates that an option is active.

Describe this machine. Enter a meaningful description of the machine, such as "486DX4 @ 100MHz, 32Mb, 2 Gb SCSI disk, room 12, Mr. Smith." You do NOT have to remember this description; TbUtil displays it on the screen when comparing or restoring, which helps you verify that the data file belongs to the machine.

Save system configuration. This option stores the partition table, boot sector and CMOS data area in the TbUtil data file.

WARNING: Since the PC is completely inaccessible to DOS if the partition table becomes damaged, we RECOMMEND that you store both the TbUtil data file AND the program TBUTIL.EXE itself on a "rescue" diskette! If the partition table is damaged or destroyed, the only solution to the problem may reside on the rescue diskette, since your hard drive may be inaccessible!

When running TbUtil from the command line you must specify a filename after the STORE option. Using the TBAV menu, by contrast, you can use the default filename TBUTIL.DAT. If you own more than one PC, we recommend that you create one TbUtil diskette with the TbUtil data files of all your PCs on it, using the extension of the file for PC identification:

    A:TBUTIL.<NUMBER>

Compare system configuration. This option enables you to check on a regular basis that everything is still okay. TbUtil compares the information in the TbUtil data file against the current partition table, boot sector, and CMOS data area. It also displays the comment stored in the data file.
Using this option also guarantees that the TbUtil data file is still readable.

Restore system configuration. This option enables you to restore the partition table, boot sector, and CMOS data area. It first asks you to confirm that the data file belongs to the current machine. It then restores the partition table, the boot sector of the partition to be used to boot, and the CMOS data area.

Process CMOS memory, Process Partition code, and Process Boot sector. By default, TbUtil restores the partition code, boot sector, and CMOS if you specify the "Restore system configuration" option. If you check one or more of these three items in combination with the Restore option, TbUtil restores only the items you checked.

The "Immunize/Clean Boot sector A: [or] B:" Options

You can use these options to clean diskettes infected by a boot sector virus, or to replace the standard boot sector with a boot sector that has advantages over the original one:

    The TBAV boot sector has virus detection capabilities.

    The TBAV boot sector checks that it resides in the correct place on the diskette, and that Int 13h and/or Int 40h still point into the system ROM. This makes it possible to detect even stealth boot sector viruses, which hook these interrupts to hide themselves.

    The TBAV boot sector can load the system files if they are present on the disk. If the DOS system files are not on the disk, the TBAV boot sector displays a small menu offering you two possibilities: retry the boot operation with another diskette, or boot from the hard disk. If you select the latter, you don't have to open the diskette drive door.

The "Immunize/Clean Partition Code" Option

This is an extremely powerful option, which you can use to clean an infected partition table even if there is no TbUtil data file. It saves the original partition code in a file and replaces the existing partition table code with a new partition routine that contains some virus detection capabilities.
You must execute TbUtil from a floppy drive, or you have to specify the name of the file (on a diskette drive) in which to store the original partition code.

If the original partition table is irreparably damaged and cannot be used to build a new one, TbUtil scans the entire disk for information about the original disk layout. TbUtil also searches for TbUtil data files on the hard disk.

CAUTION: While it is a good idea to keep a copy of the data file on the hard disk, we recommend that you also store it on a diskette. Just in case!

If your system configuration changes, that is, you update your DOS version or change the amount of memory, you need to update the information stored in the immune partition code as well. You can do this by using this option again.

In the unlikely event that the system does not boot properly, you can restore the original partition table using the TbUtil RESTORE option (refer to The "System Maintenance Menu" Option section above) or by using the FDISK /MBR command of DOS version 5 or above (which writes fresh standard partition code while leaving the partition table entries themselves in place).

TIP: If you have installed two hard drives in your computer, you can immunize the partition code of the second hard drive by specifying the physical drive number rather than the drive ID (for example, TBUTIL IMMUNIZE 2: on the command line).

If the new partition code works properly, make a backup copy of it on a diskette using the TbUtil STORE option (refer to The "System Maintenance Menu" Option section above).

3.10.3 Maximizing TbUtil

This section describes how to fully maximize TbUtil in three ways: using the command line options, using the anti-virus partition, and using the TbUtil diskette.

Now that you know how to use TbUtil's menus, you can more easily understand how to maximize its performance by using its command line options.
    option     parameter      short  explanation
    ---------  -------------  -----  -------------------------------------
    immunize   <drive>        im     Immunize/clean boot sector or MBR of <drive>
    getboot    <drive>        gb     Save boot sector/MBR into file
    store      [<filename>]   st     Store system information
    restore    [<filename>]   re     Restore system information
    compare    [<filename>]   co     Compare system information

    Sub-options of immunize:
    --------------------------------------------------------------
    norepeat                  nr     Do not ask for next diskette
    nomem                     nm     Do not check for amount of RAM
    batch                     ba     Do not prompt to insert a disk

    Sub-options of store:
    --------------------------------------------------------------
    description=<descr.>      de     Add description to data file

    Sub-options of restore:
    --------------------------------------------------------------
    part                      pt     Restore partition table
    boot                      bo     Restore boot sector of hard disk
    cmos                      cm     Restore CMOS data memory

The table serves as a quick reference; the following descriptions provide more information about each option.

Immunize <floppy drive> (im). You can use this option to clean diskettes infected by a boot sector virus, or to replace the standard boot sector with a boot sector that has advantages over the original one:

    The TBAV boot sector has virus detection capabilities.

    The boot sector checks that it still resides in the correct place on the diskette, and that Int 13h and/or Int 40h still point into the system ROM. This makes it possible to detect even stealth boot sector viruses.

    The TBAV boot sector is able to load the system files if they are present on the disk. If the DOS system files are not on the disk, the TBAV boot sector displays a small menu offering you two possibilities: retry the boot operation with another diskette, or boot from the hard disk. If you select the latter, you don't have to open the diskette drive door.

Immunize c: (im c:).
This is an extremely powerful option, which you can use to clean an infected partition table even if there is no TbUtil data file. It saves the original partition code in a file and replaces the existing partition table code with a new partition routine that contains some virus detection capabilities. You have to execute TbUtil from a floppy drive, or you have to specify the name of the file (on a diskette drive) in which to store the original partition code.

TIP: If you have installed two hard drives in your computer, you can immunize the partition code of the second hard drive by specifying the physical drive number rather than the drive ID (for example, TBUTIL IMMUNIZE 2:).

If the original partition table is irreparably damaged and consequently cannot be used to build a new one, TbUtil scans the entire disk for information about the original disk layout. TbUtil also searches for TbUtil data files on the hard disk.

CAUTION: While it is a good idea to keep a copy of the data file on the hard disk, we recommend that you also store it on a diskette. Just in case!

If your system configuration changes, that is, you update your DOS version or change the amount of memory, you need to update the information stored in the immune partition code as well. You can do this by using this option again.

In the unlikely event that the system does not boot properly, you can restore the original partition table using the TbUtil RESTORE option (refer to The "System Maintenance Menu" Option section above) or by using the FDISK /MBR command of DOS version 5 or above (which writes fresh standard partition code while leaving the partition table entries in place).

getboot <drive> (gb). With this option you can copy the boot sector of the specified drive into a file.

store [<filename>] (st). This option stores the partition table, boot sector and CMOS data area in the TbUtil data file.
WARNING: Since the PC is completely inaccessible to DOS if the partition table becomes damaged, we RECOMMEND that you store both the TbUtil data file AND the program TBUTIL.EXE itself on a rescue diskette! If the partition table is damaged or destroyed, the only solution to the problem may reside on the rescue diskette, since your hard drive may be inaccessible!

When running TbUtil from the command line you must specify a filename after the STORE option. Using the TBAV menu, by contrast, you can use the default filename TBUTIL.DAT. If you own more than one PC, we recommend that you create one TbUtil diskette with the TbUtil data files of all your PCs on it, using the extension of the file for PC identification:

    A:TBUTIL.<NUMBER>

restore [<filename>] (re). This option enables you to restore the partition table, boot sector, and CMOS data area. It first asks you to confirm that the data file belongs to the current machine. It then restores the partition table, the boot sector of the partition to be used to boot, and the CMOS data area.

compare [<filename>] (co). This option enables you to check on a regular basis that everything is still okay. TbUtil compares the information in the TbUtil data file against the current partition table, boot sector, and CMOS data area. It also displays the comment stored in the data file. Using this option also guarantees that the TbUtil data file is still readable.

norepeat (nr). By default, TbUtil prompts you for the next diskette after you have immunized a diskette. This option disables that prompt.

nomem (nm). If you specify this option when you are immunizing your partition code, the partition code skips the RAM check while booting. This is necessary on some systems that change the memory setup during the boot process.

batch (ba).
If you specify this option, TbUtil assumes a disk has already been inserted in your disk drive and does not prompt for one. This option is particularly useful in batch files.

description=<descr.> (de). For <descr.> enter a meaningful description of the machine, such as "486DX4 @ 100MHz, 32 Mb, 2 Gb SCSI disk, room 12, Mr. Smith." You do NOT have to remember this description; TbUtil displays it on the screen when comparing or restoring, which helps you verify that the data file belongs to the machine.

part (pt), boot (bo), and cmos (cm). By default, TbUtil restores the partition code, boot sector, and CMOS if you specify the RESTORE option. If you use one or more of these options in combination with the RESTORE option, however, TbUtil restores only the items you specify.

In the following two examples TbUtil simply stores the system information gathered from the partition table and boot sectors of your fixed disk(s) and from the CMOS data area into a file in the current directory called TBUTIL.DAT:

    TBUTIL STORE
    TBUTIL ST

The following example does the same as the previous one, except that TbUtil stores the information on a diskette instead of in the current directory:

    TBUTIL STORE A:TBUTIL.DAT

It's a good idea to describe the machine from which you are saving information about the partition table, boot sectors and CMOS data. You can use the DESCRIPTION option to add a small, single-line description of the machine:

    TBUTIL STORE A:TBUTIL.DAT DESCRIPTION = "TEST MACHINE"

You can always fall back on the information TbUtil stores if you suspect an infection by a boot sector virus. Suppose the information gathered earlier by TbUtil is stored in the file A:\TBUTIL.DAT.
To compare the current system information with the information stored in the TbUtil data file, you could use this command:

    TBUTIL COMPARE A:TBUTIL.DAT

Now suppose that TbUtil informs you that the current system information (that is, the partition table and the CMOS data area) does not match the information stored earlier. If you did not change the configuration of your computer, it is most likely that a virus is guilty of the change. You could restore the old system information using this command:

    TBUTIL RESTORE A:TBUTIL.DAT PART CMOS

In case of a boot sector virus infection, we recommend that you disinfect (clean) all diskettes. Using the following command, TbUtil cleans and immunizes the boot sector of the diskette in drive A: and then repeats the action after asking you to insert other (possibly) infected diskettes into the disk drive:

    TBUTIL IMMUNIZE A:

In case of a virus infection you should always make certain that the Master Boot Record of your fixed disk is not infected. The following command specifies an extra option, which you must use in case your computer changes its memory setup during the boot process:

    TBUTIL IMMUNIZE C: NOMEM

You can easily view the contents of a TBUTIL.DAT file by using the DOS TYPE command:

    TYPE A:TBUTIL.DAT

3.10.4 Using the Anti-Virus Partition

If you install the ThunderBYTE partition code (by using TbUtil's IMMUNIZE option), you will see the following when booting a clean system:

    Thunderbyte anti-virus partition (C)1993-95 Thunderbyte BV.
    Checking boot sector CRC -> OK!
    Checking available RAM -> OK!
    Checking INT 13h -> OK!

In contrast, if there is a virus in the boot sector or partition table, you will see this message:

    Thunderbyte anti-virus partition (C)1993-95 Thunderbyte BV.
    Checking boot sector CRC -> OK!
    Checking available RAM -> Failed!
    System might be infected. Continue? (N/Y)

Other messages that might appear are:

"No system."
This message means that there is no active partition on the disk.

"Disk error."
The meaning of this message is obvious.

3.10.5 Using the TbUtil diskette

To use the TbUtil diskette, follow these steps:

1. Take a new diskette and format it as a bootable diskette (by using the DOS FORMAT /S command).

2. Copy the TbUtil files onto the diskette using this command:

       COPY TBUTIL.* A:

   The TbUtil files you need are TBUTIL.EXE and TBUTIL.LNG.

3. In case of an emergency (such as a damaged or infected partition table), boot from the TbUtil diskette.

4. Run the TbUtil program, using the IMMUNIZE option:

       A:\TBUTIL IMMUNIZE C:

   This cleans the partition table.

5. You should now be able to boot from your hard disk normally.

3.11 Using TbLog

This section describes TbLog, which is designed primarily to create log files in response to various TBAV alert messages.

3.11.1 Understanding and using TbLog

TbLog is a memory resident TBAV utility that writes a record into a log file whenever one of the resident TBAV utilities pops up with an alert message. It also records when a virus is detected. This utility is primarily for network users. If all workstations have TbLog installed and configured to maintain the same log file, the supervisor can easily keep track of what's going on. When a virus enters the network he is able to determine which machine introduced the virus, and he can take action in time.

A TbLog record provides three pieces of information:

- The time stamp of when the event took place.
- The name of the machine on which the event occurred.
- An informative message about what happened and which files were involved.

This information is very comprehensive and takes only one line.

3.11.2 Working with TbLog

Since TbLog is a memory resident program, you can execute and configure it from the DOS command line or from within a batch file.
You should, however, load TbLog automatically when the computer boots, preferably during the execution of AUTOEXEC.BAT, or better yet, CONFIG.SYS. You should install TbLog on every workstation. If you want to use all workstations to maintain the same log file, we recommend that you load TbLog after starting the network.

By default, TbLog maintains a log file with the name TBLOG.LOG in the TBAV directory. If you want to use another filename or another disk and/or directory, you can specify a filename (and path) on the TbLog command line. In a network environment, we recommend that you put the log file on a server disk.

CAUTION: Be sure to load TbDriver before trying to load TbLog. TbLog will refuse to load without it.

There are three possible ways to load TbLog:

1. From the DOS prompt or within the AUTOEXEC.BAT file:

       <PATH>TBLOG

2. From CONFIG.SYS as a TSR (DOS 4 or above):

       INSTALL=<PATH>TBLOG.EXE

   The INSTALL= CONFIG.SYS command is NOT available in DOS 3.xx.

3. From CONFIG.SYS as a device driver:

       DEVICE=<PATH>TBLOG.EXE

NOTE: Executing TbLog as a device driver does not work in all OEM versions of DOS. If you encounter problems, use the INSTALL= command or make sure to load TbLog from the AUTOEXEC.BAT. Also, unlike other anti-virus products, you can load the ThunderBYTE Anti-Virus utilities before starting a network without losing the protection after the network is started.

In addition to the three loading possibilities, if you are using DOS version 5 or above, you can load TbLog into an available UMB (upper memory block) from AUTOEXEC.BAT using this command:

    LOADHIGH <PATH>TBLOG

You can also load TbLog into high memory from within the CONFIG.SYS using this command:

    DEVICEHIGH=<PATH>TBLOG.EXE

If you are using Microsoft Windows, you should load TbLog BEFORE starting Windows. When you do this, there is only one copy of TbLog in memory regardless of how many DOS windows you might open.
Every DOS window (that is, every "virtual machine") has a fully functional copy of TbLog running in it. TbLog automatically detects if Windows is running, and switches itself into multi-tasking mode if necessary. You can even disable TbLog in one window without affecting its functionality in another window.

3.11.3 Maximizing TbLog

You can maximize TbLog's performance by using its command line options. The first five options in the following table are always available. The other options are available only if TbLog is not yet memory resident.

    option              parameter  short explanation
    ------------------  ---------  ---------------------------------
    help                ?          Display some on-line help
    remove              r          Remove TbLog from memory
    on                  e          Enable TbLog
    off                 d          Disable TbLog
    test                t          Log test message
    machine=<descr.>    m          Description/name of your machine
    secure              s          Do not allow removal of TbLog

The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option.

help (?). Specifying this option displays the brief help as shown above.

remove (r). This option disables TbLog and attempts to remove the resident part of its code from memory and return this memory space to the system. Unfortunately, this works only if you loaded TbLog last. An attempt to remove a TSR after you load another TSR leaves a useless gap in memory and could disrupt the interrupt chain. TbLog checks whether it is safe to remove its resident code; if not, it simply disables itself.

on (e). This option reactivates TbLog after you disabled it using the OFF option.

off (d). Specifying this option disables TbLog but leaves it in memory.

test (t). Use this option to record a test message. If you use this option at the initial loading of TbLog, it records the time and machine name into the log file.
If you use this option after the initial loading, it simply places a test message into the log file.

machine (m). Using this option, you can specify the name of the machine on which TbLog is running. This machine name appears in the log file. By default, TbLog uses the network machine name on NetBIOS compatible machines. On other networks, such as Novell, you must enter the network name on the TbLog command line.

secure (s). If you specify this option, it is not possible to use the OFF and REMOVE options.

The following command loads TbLog, disables the OFF and REMOVE options, specifies that the logfile reside in directory F:\SECURITY, and identifies the machine as DESK3:

    C:\TBAV\TBLOG F:\SECURITY\TBLOG.LOG SECURE MACHINE=DESK3

The following CONFIG.SYS command loads TbLog, creates the logfile in directory X:\LOGS, and specifies that the first line of the log file contain a date/time stamp and the name of the computer:

    DEVICE=C:\TBAV\TBLOG X:\LOGS\TBLOG.LOG MACHINE=JOHN TEST

3.12 Using TbNet

TBAV for DOS can cooperate with TBAV for Networks, another ThunderBYTE product, via the program called TbNet. If you do not want to use the combination of TBAV for DOS and TBAV for Networks, you can skip this section.

NOTE: For more information about TBAV for Networks, please refer to its documentation. If you have not purchased TBAV for Networks yet, your local dealer can inform you about this product.

3.12.1 Understanding TbNet

TbNet is a memory resident TBAV utility that implements the communication between TBAV for DOS and TBAV for Networks. TBAV for Networks has several options for controlling remote workstations. For Windows workstations, TBAV for Windows contains all logic needed to implement the communication between the workstation and TBAV for Networks. For DOS workstations you need TbNet for this communication.
3.12.2 Working with TbNet

Since TbNet is a memory resident program, you can execute and configure it from the DOS command line or from within a batch file. You should, however, load TbNet automatically when the computer boots, preferably during the execution of AUTOEXEC.BAT, or better yet, CONFIG.SYS. You should install TbNet on every workstation.

CAUTION: Since TbNet uses a public network directory for its communication with TBAV for Networks, you must load TbNet after starting the network.

There are three possible ways to load TbNet:

1. From the DOS prompt or within the AUTOEXEC.BAT file:

       <PATH>TBNET

2. From CONFIG.SYS as a TSR (DOS 4 or above):

       INSTALL=<PATH>TBNET.EXE

   The INSTALL= CONFIG.SYS command is NOT available in DOS 3.xx.

3. From CONFIG.SYS as a device driver:

       DEVICE=<PATH>TBNET.EXE

NOTE: Executing TbNet as a device driver does not work in all OEM versions of DOS. If it doesn't work, use the INSTALL= command or load TbNet from AUTOEXEC.BAT. TbNet should always work correctly if you load it from AUTOEXEC.BAT. Also, unlike other anti-virus products, you can load the ThunderBYTE Anti-Virus utilities before starting a network without losing the protection after the network is started.

In addition to the three loading possibilities, if you are using DOS version 5 or above, you can load TbNet into an available UMB (upper memory block) from AUTOEXEC.BAT using this command:

    LOADHIGH <PATH>TBNET

You can also load TbNet into high memory from within the CONFIG.SYS using this command:

    DEVICEHIGH=<PATH>TBNET.EXE

We recommend that you do not use TbNet if you use MS-Windows, but use TBAV for Windows instead. TBAV for Windows has built-in functionality for communication with TBAV for Networks. If you do want to use TbNet with MS-Windows for some reason, you should load TbNet BEFORE starting Windows.
When you do this, there is only one copy of TbNet in memory regardless of how many DOS windows you might open. Every DOS window (that is, every "virtual machine") has a fully functional copy of TbNet running in it. TbNet automatically detects if Windows is running, and switches itself into multi-tasking mode if necessary. You can even disable TbNet in one window without affecting the functionality in another window.

3.12.3 Maximizing TbNet

You can maximize TbNet's performance by using its command line options. The help and remove options in the following table are always available. The other options are available only if TbNet is not yet memory resident.

    option               parameter  short explanation
    -------------------  ---------  --------------------------------------------
    help                 ?          Display some on-line help
    remove               r          Remove TbNet from memory
    netname=<netname>    n          Netname of the workstation
    commdir=<path>       c          Communication directory used by workstation
    frequency=<seconds>  f          Poll frequency (default is 30 seconds)
    buffers=<number>     b          Number of disk buffers (default is 2)

The explanations in the above table serve as a quick reference, but the following descriptions provide more information about each option.

help (?). Specifying this option displays the brief help as shown above.

remove (r). This option disables TbNet and attempts to remove the resident part of its code from memory and return this memory space to the system. Unfortunately, this works only if you loaded TbNet last. An attempt to remove a TSR after you load another TSR leaves a useless gap in memory and could disrupt the interrupt chain. TbNet checks whether it is safe to remove its resident code; if not, it simply disables itself.

netname (n). TBAV for Networks distinguishes workstations by their unique netnames.
These netnames are assigned by TBAV for Networks; the agent software running on the workstations (i.e., TbNet or TBAV for Windows) receives this netname upon registering the workstation with TBAV for Networks. You need to specify this netname for correct behavior of TbNet.

commdir (c). The communication between TBAV for Networks and the agent software running on the workstations (i.e., TbNet or TBAV for Windows) takes place via a special "communication directory," a directory that is public to all users. You must specify the path of this directory when loading TbNet.

frequency (f). TbNet checks the communication directory every once in a while, to see if messages originating from TBAV for Networks need to be processed. You can change the default period of 30 seconds by specifying the FREQUENCY option.

buffers (b). TbNet internally needs some buffers to speed up the communication with TBAV for Networks. The number of these disk buffers used by TbNet can be changed by using the BUFFERS option.

The following command loads TbNet for workstation 001AE3, making use of the communication directory J:\TBAVNW.NET:

    C:\TBAV\TBNET NETNAME=001AE3 COMMDIR=J:\TBAVNW.NET

4 Understanding Advanced User Information

This chapter presents some advanced information on using memory, TbSetup, TbScan, and TbClean. It also introduces you to another TBAV utility, TbGenSig, the signature file compiler. While some of this material is simply for a better understanding of the utilities and might not be of interest to you, we recommend that you at least look at the first section on memory considerations.

4.1 Understanding Memory Considerations

This section presents the memory requirements for each of the TBAV utilities and how you can reduce the requirements of each utility.
4.1.1 Understanding Memory Requirements

The following table lists the memory requirements for each of the TBAV utilities:

    TBAV Utility    Memory needed   Memory consumed
                    to load         after exiting
    --------------  --------------  ---------------
    TbScan *        200 Kb          -
    TbScanX **      10 Kb           800 bytes
    TbCheck         4 Kb            600 bytes
    TbUtil          64 Kb           -
    TbClean ***     96 Kb           -
    TbMem           4 Kb            600 bytes
    TbFile          5 Kb            1 Kb
    TbDisk          4 Kb            800 bytes
    TbDriver        5 Kb            3 Kb
    TbLog           5 Kb            1 Kb

* If you decide to use a log file, TbScan requires an additional 16 kilobytes of memory for the log file buffer. If TbScan uses its own built-in file system, it uses additional memory to keep the FAT in memory. Note that the memory requirements are independent of the number of signatures. The current memory requirements are adequate to manage at least 2500 signatures.

** The amount of memory TbScanX requires depends on the number of signatures. If you enable all features, TbScanX uses 30 kilobytes of memory when scanning for 1400 family signatures. If you enable swapping, TbScanX normally uses only one kilobyte of memory. You can swap to EMS and XMS memory. Naturally you can load the remaining kilobyte of TbScanX into upper memory.

*** In the heuristic cleaning mode TbClean requires much more memory, depending on the size of the infected file. TbClean can also use expanded memory (EMS).

4.1.2 Reducing Memory Requirements

Most PC users try to maintain as much free DOS memory as possible. The memory resident TBAV utilities (TbScanX, TbCheck, TbMem, TbFile, TbDisk, TbLog and TbDriver) use only a small amount of DOS memory. To decrease the memory requirements of these utilities even further, do the following:

- Load the programs from within the CONFIG.SYS file. When loaded as a device driver, a TBAV utility has no Program Segment Prefix (PSP, a DOS-internal memory area), which saves 256 bytes for each TBAV utility.
- If you load the TBAV utilities from within the AUTOEXEC.BAT file, load them before establishing environment variables. DOS maintains a list of environment variables for every resident program, so keep this list small while installing TSRs. Once you have installed all TSRs, you can define all environment variables without affecting the memory requirements of the TSRs.

- Make use of memory swapping. If you use the EMS or XMS option, TbScanX swaps itself to non-DOS memory, leaving only one kilobyte of code in DOS memory. It is better to swap to expanded memory (EMS option) because it is faster.

- Use high memory if possible. If you have DOS 5 or higher, try to load the program into an upper memory block using the LOADHIGH or DEVICEHIGH commands. We recommend that you also enable swapping to limit the use of upper memory.

- Use one of the processor specific versions of the relevant TBAV utility. They all consume less memory than the generic versions. Processor optimized versions are available on any ThunderBYTE support BBS.

- Use memory-saving program options. Consider using TbDriver's NOSTACK option, TbMem's NOCANCEL option, and TbScanX's NOBOOT, EMS and XMS options.

4.2 Understanding TbSetup

This section presents advanced user information about TbSetup. It explains the design of ANTI-VIR.DAT files, editing the TBSETUP.DAT file, and how to easily install TBAV on several machines.

4.2.1 Understanding ANTI-VIR.DAT File Design

Most ThunderBYTE Anti-Virus utilities expect every directory on your system with executable files to contain its own ANTI-VIR.DAT file. Some other anti-virus products maintain a somewhat similar fingerprint list of all executable files, but in one large file rather than a separate file in each directory. TBAV's approach is superior for several reasons:

- One file in each directory is easy to maintain.
  If you want to remove the complete product, you can remove the accompanying ANTI-VIR.DAT file as well.

- It consumes less disk space because it is not necessary to store full path information in the information file.

- The TBAV utilities perform faster because they do not have to search through a huge file to locate the information for one specific file.

- Installation is easier and more reliable in network environments. On a network, it is not unusual that the same files have different drive IDs on different workstations. If there were only one information file, the drive IDs would have to be stored as well, so every workstation would have to maintain its own list. The supervisor can quickly lose control in this type of situation.

4.2.2 Editing the TBSETUP.DAT File

Editing the TBSETUP.DAT file is useful for TBAV site installation (see the next section). Therefore, some information on the format of this file is necessary.

Understanding the Format of TBSETUP.DAT

The format of the TBSETUP.DAT file is quite simple. Empty lines, lines starting with a semi-colon (;), and lines starting with a percentage symbol (%) are ignored; you can treat them as comment lines. The lines with a preceding percentage symbol also appear in TbSetup's upper window.

Each entry in the TBSETUP.DAT file has four items:

1. The filename. The filename MUST appear in capital letters and without spaces.

2. The length of the file in hexadecimal notation. This field might contain a single asterisk (*) if an exact file length match is not required.

3. The file's 32-bit CRC in hexadecimal notation. You can use a single asterisk if an exact checksum match is not required.

4. The hexadecimal number representing the flags you want set when the listed file is found on the system.

You can use the rest of the line for a brief comment. You can use the following flags.
If several flags require setting for a file, you can combine them using the bitwise OR operation:

    bit 0:  (0001) Do not perform heuristic analysis
    bit 1:  (0002) Ignore CRC changes (self-modifying file)
    bit 2:  (0004) Scan for all signatures (LAN remote boot file)
    bit 3:  (0008) Do not change read-only attribute of this file
    bit 4:  (0010) The program stays resident in memory
    bit 5:  (0020) The program performs direct disk access
    bit 6:  (0040) Program is allowed to remove read-only attributes
    bit 15: (8000) Interrupt rehook required for TBDRIVER.EXE

The following are a few example entries from a TBSETUP.DAT file:

    ; filename      Length  32-bit CRC  Flags   Comment
    ; Files that trigger the heuristic alarm of TbScan:
    4DOS.COM        19FEA   *           0001    ;4Dos 4.0a
    AFD.COM         0FEFE   4B351A86    0001    ;AFD debugger
    ARGV0FIX.COM    001D8   431E70C0    0001    ;Argv[0]fix
    EXE2COM.EXE     00BEA   49276F89    0001    ;Exe to Com conv. util
    KILL.EXE        00632   74D41811    0001    ;PcTools 6.0 utility
    WATCH.COM       003E1   2353625D    0001    ;TSR monitoring util
    ; Files that need to be scanned completely, for ALL viruses:
    NET$DOS.SYS     *       *           0004    ;Disk-image Novell boot
    ; Files without fixed checksum due to internal config areas:
    Q.EXE           *       *           000A    ;Qedit (all versions)
    TBCONFIG.COM    *       *           000A    ;all versions

Defining New Entries in TBSETUP.DAT

If you have any files that we should include in TBSETUP.DAT, please let us know! We would like to receive a copy to enhance our products and keep TBSETUP.DAT up to date. Candidates for inclusion are any programs that trigger the heuristic analysis of TbScan. Whenever you choose "V)alidate program" in the TbScan message window, you will discover that on subsequent occasions TbSetup displays the value "0001" in the flags field. If your company has several files like this installed on multiple machines, you might want to include these files in the TBSETUP.DAT file yourself.
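A parser and matcher for the TBSETUP.DAT entry format above, as an added Python example that is not TbSetup's code: it assumes zlib's CRC-32 for the checksum column (the manual does not say which CRC-32 variant TbSetup computes), and the sample entries and the program image used for a new entry are constructed.

```python
"""TBSETUP.DAT entry parser and matcher. Added example, not TbSetup's own code:
the CRC-32 used for the checksum column is an ASSUMPTION (zlib's polynomial),
since the manual does not say which CRC-32 variant TbSetup computes."""
from dataclasses import dataclass
from typing import List, Optional
import zlib

# Flag bits as listed in the manual.
FLAG_BITS = {
    0x0001: "do not perform heuristic analysis",
    0x0002: "ignore CRC changes (self-modifying file)",
    0x0004: "scan for all signatures (LAN remote boot file)",
    0x0008: "do not change read-only attribute",
    0x0010: "program stays resident in memory",
    0x0020: "program performs direct disk access",
    0x0040: "allowed to remove read-only attributes",
    0x8000: "interrupt rehook required for TBDRIVER.EXE",
}

# Constructed sample file in the four-column format (values from the example
# entries above, plus a '%' banner line that TbSetup would show in its window).
SAMPLE_TBSETUP_DAT = """\
; filename      Length  32-bit CRC  Flags   Comment
%Constructed sample TBSETUP.DAT
; Files that trigger the heuristic alarm of TbScan:
4DOS.COM        19FEA   *           0001    ;4Dos 4.0a
AFD.COM         0FEFE   4B351A86    0001    ;AFD debugger
; Files that need to be scanned completely, for ALL viruses:
NET$DOS.SYS     *       *           0004    ;Disk-image Novell boot
; Files without fixed checksum due to internal config areas:
Q.EXE           *       *           000A    ;Qedit (all versions)
"""


@dataclass(frozen=True)
class Entry:
    filename: str
    length: Optional[int]   # None when the column holds '*'
    crc: Optional[int]      # None when the column holds '*'
    flags: int
    comment: str


def crc32(data: bytes) -> int:
    """ASSUMPTION: standard CRC-32 as in zlib; TbSetup's routine may differ."""
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_tbsetup_dat(text: str) -> List[Entry]:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";%":
            continue                    # empty, ';' comment or '%' banner line
        data, _, comment = line.partition(";")
        fields = data.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected filename, length, CRC, flags")
        name, length, crc, flags = fields
        if name != name.upper():
            raise ValueError(f"line {lineno}: filename must be in capital letters")
        entries.append(Entry(
            filename=name,
            length=None if length == "*" else int(length, 16),
            crc=None if crc == "*" else int(crc, 16),
            flags=int(flags, 16),
            comment=comment.strip(),
        ))
    return entries


def match(entries: List[Entry], filename: str, data: bytes) -> Optional[Entry]:
    """Return the first entry whose name, length and CRC fit the given file;
    an '*' column matches anything, as described for the format."""
    name = filename.upper()
    for e in entries:
        if e.filename != name:
            continue
        if e.length is not None and e.length != len(data):
            continue
        if e.crc is not None and e.crc != crc32(data):
            continue
        return e
    return None


def describe_flags(flags: int) -> List[str]:
    """Decode a flags value (bits combined with bitwise OR) into its meanings."""
    names = [text for bit, text in FLAG_BITS.items() if flags & bit]
    unknown = flags & ~sum(FLAG_BITS)
    if unknown:
        names.append(f"unknown bits {unknown:04X}")
    return names


def make_entry(filename: str, data: bytes, flags: int, comment: str = "") -> str:
    """Format a new TBSETUP.DAT line from a file's real length and CRC."""
    name = filename.upper()
    if " " in name:
        raise ValueError("filename must not contain spaces")
    return f"{name:<15} {len(data):05X}   {crc32(data):08X}    {flags:04X}    ;{comment}"
```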
To do this, execute TbSetup for the file in question and make a note of its file length and 32-bit CRC, as displayed on the screen. Then edit the TBSETUP.DAT file, entering the exact filename, the file length, and the CRC number, plus the number of any flags you wish to set for that file. If you now use TbSetup on another machine (using the updated TBSETUP.DAT file), it sets the appropriate flags automatically.

TIP: You can manually set or clear a flag field value when executing TbSetup at the DOS prompt using the SET or RESET option as follows:

    TBSETUP TEST.EXE SET=0001

4.2.3 Simplifying Installation on Several Machines

If you need to install the TBAV utilities on several machines in one company, it would be tedious, for example, to run every TSR and disk utility on each machine to "teach" TBAV which programs are valid and which are not. Fortunately, this is not necessary. We present here some examples of how to simplify installation on several machines.

If a resident utility named, for example, TSRUTIL.EXE, is in use throughout the company, you can predefine permission by using TbSetup. First, use TbSetup to determine the length and CRC of the program. Second, put the name of the program, along with its other information, in the TBSETUP.DAT file, and then assign the flag 0010 to it:

    TSRUTIL.EXE     01286   E387AB21    0010    ;OUR TSR UTILITY

If a disk utility named, for example, DISKUTIL.EXE, is in use throughout the company, you can predefine permission by using TbSetup. First, use TbSetup to determine the length and CRC of the program.
Second, put the name of the program, along with its other information, in the TBSETUP.DAT file, and then assign the flag 0020 to it:

    DISKUTIL.EXE    01286   E387AB21    0020    ;OUR DISK UTILITY

If a utility named, for example, UTIL.EXE, causes TbScan to give false positives and is in use throughout the company, you can use TbSetup to "teach" TbScan to avoid heuristic scanning of the program. First, use TbSetup to determine the length and CRC of the program. Second, put the name of the program, along with its other information, in the TBSETUP.DAT file, and then assign the value 0001 to it:

    UTIL.EXE        01286   E387AB21    0001    ;OUR UTILITY

If you now run TbSetup on every machine (you have to do this anyway), it recognizes the utilities you added in the TBSETUP.DAT file. Additionally, all the TBAV utilities automatically adapt their behavior for those files.

TIP: Consult the TBSETUP.DAT file itself. It contains useful comments on this subject.

4.3 Understanding TbScan

This section offers advanced information about TbScan, including: heuristic scanning, integrity checking, program validation, algorithms, and the TBSCAN.LNG file.

4.3.1 Understanding Heuristic Scanning

What makes TbScan so unique is that it is not just a signature scanner, but also a disassembler. It disassembles files for the following purposes:

- By disassembling a file, the scanner restricts itself to the area of the file where the virus might reside, reducing false alarms and speeding up the process.

- Disassembling a file makes it possible to use the algorithmic detection method on encrypted viruses whose signatures would otherwise remain invisible to the scanner.

- Disassembling the file makes it possible to detect suspicious instruction sequences.

This detection of suspicious instruction sequences is "heuristic scanning." This extremely powerful feature enables you to detect new or modified viruses and to verify the results of the signature scan.
You no longer have to rely on the scanner's publisher having the same virus as you might have. In normal cases a scanner can find a virus only if the scanner's publisher had a sample of that virus and included that virus's signature in a signature file. In contrast, heuristic scanning does not require signatures, enabling the scanner to detect yet unknown viruses by looking for the characteristics of a virus instead of a signature. Never underestimate the importance of heuristic scanning, since every month at least 50 new viruses are reported, and it is extremely unlikely that a publisher is the first one to get a new virus.

TbScan distinguishes two heuristic levels. The following table describes the properties of these levels:

    Heuristic Level 1             Heuristic Level 2
    ---------------------------   ---------------------------------------
    always enabled                only enabled with command-line option
                                  "heuristic", or TBAV menu option "High
                                  heuristic sensitivity," or after a
                                  virus has been found
    detects 50 % of (yet)         detects 90 % of (yet)
    unknown viruses               unknown viruses
    almost never causes           might cause few
    false alarms                  false alarms
    displays "Probably            displays "Might be
    infected"                     infected"

The following lines show the effect of scanning four files, each having its own characteristics. Please note the heuristic flags that appear next to the word "scanning."

    FILE1.EXE scanning...OK                                     (no flags)
    FILE2.EXE scanning...ROK                                    (nothing serious)
    FILE3.EXE scanning...FRM might be infected by unknown virus
    FILE4.EXE scanning...FRALM# probably infected by unknown virus

It is obvious from these four examples that heuristic scanning (resulting in the heuristic flags) is very powerful for finding yet unknown viruses.

4.3.2 Understanding How Heuristic Scanning Works

Every program contains instructions for the computer's microprocessor.
By looking into the file's contents and interpreting the instructions, TbScan is able to detect the purpose of these instructions. If the purpose appears to be formatting a disk, or infecting a file, TbScan issues a warning. There are many instruction sequences that are very common for viruses but are very uncommon for normal programs. TbScan, therefore, assigns every suspicious instruction sequence to a character called a heuristic flag. Every heuristic flag denotes a score. If the total score (that is, the sum of scores for each flag that triggered) exceeds a predefined limit, TbScan assumes the file contains a virus.

There are actually two predefined limits. The first limit is quite sensitive and can be reached by some normal, innocent programs. If the suspicious program reaches this limit, TbScan highlights the heuristic flags that appear on the screen and increases the suspicious items counter. TbScan does not indicate the existence of a virus unless you specify the heuristic or high heuristic sensitivity option. If you do specify this option, TbScan informs you that the file "Might be infected by an unknown virus."

In contrast to the first limit, many viruses trigger the second heuristic limit, while normal programs do not. If a suspicious program reaches this limit, TbScan informs you that the file is "Probably infected by an unknown virus."

NOTE: TbScan performs heuristic analysis only near the entry-point of a file. Therefore, TbScan does not detect direct writes to disk by some disk utilities nor does it detect some programs as TSR programs. This is simply the result of a specific approach that minimizes false alarms. In case of a virus, the offending instructions are always near the entry-point (except when the virus is over 10Kb in size), so TbScan detects suspicious phenomena in these situations anyway.
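The two-limit scoring just described, as an added Python example that is not TbScan's code: the flag letters are those of the sample output in 4.3.1, but the per-flag scores and both limits are constructed values (chosen so the four sample lines come out as shown); TbScan's real scores are not given in the manual.

```python
"""Two-limit heuristic scoring as described for TbScan. Added example, not
TbScan's code: the flag letters are those of the sample output in 4.3.1, but
the per-flag scores and both limits are CONSTRUCTED for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FLAG_SCORES = {"F": 3, "R": 1, "A": 2, "L": 2, "M": 2, "#": 3}  # constructed
SENSITIVE_LIMIT = 5   # first limit: some innocent programs reach it
PROBABLE_LIMIT = 9    # second limit: many viruses reach it, normal programs do not

MIGHT = "might be infected by unknown virus"        # level 2 message
PROBABLY = "probably infected by unknown virus"     # level 1 message


@dataclass(frozen=True)
class Verdict:
    flags: str
    score: int
    highlighted: bool   # first limit reached: flags highlighted, suspicious counter bumped
    message: str        # "OK", MIGHT or PROBABLY


def evaluate(flags: str, high_sensitivity: bool = False) -> Verdict:
    """Sum the scores of the triggered flags and compare against both limits."""
    unknown = set(flags) - set(FLAG_SCORES)
    if unknown:
        raise ValueError(f"unknown heuristic flag(s): {''.join(sorted(unknown))}")
    score = sum(FLAG_SCORES[f] for f in flags)
    if score >= PROBABLE_LIMIT:
        message = PROBABLY          # level 1: reported even without the option
    elif score >= SENSITIVE_LIMIT and high_sensitivity:
        message = MIGHT             # level 2: only with "heuristic" / high sensitivity
    else:
        message = "OK"
    return Verdict(flags, score, score >= SENSITIVE_LIMIT, message)


def scan_all(files: Dict[str, str], high_sensitivity: bool = False) -> Tuple[List[str], int]:
    """Render one output line per file (name -> flags it triggered) and count
    the suspicious items. As in the level table, finding a virus switches the
    remainder of the run to level 2."""
    lines, suspicious = [], 0
    for name, flags in files.items():
        v = evaluate(flags, high_sensitivity)
        if v.highlighted:
            suspicious += 1
        if v.message == PROBABLY:
            high_sensitivity = True
        if v.message == "OK":
            lines.append(f"{name} scanning...{flags}OK")
        else:
            lines.append(f"{name} scanning...{flags} {v.message}")
    return lines, suspicious


if __name__ == "__main__":
    sample = {"FILE1.EXE": "", "FILE2.EXE": "R", "FILE3.EXE": "FRM", "FILE4.EXE": "FRALM#"}
    for line in scan_all(sample, high_sensitivity=True)[0]:
        print(line)
```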
4.3.3 Understanding Integrity Checking

TbScan performs integrity checking while scanning. For this purpose, you must use TbSetup to generate the ANTI-VIR.DAT files. Once these files exist on your system, TbScan verifies that every file being scanned matches the information maintained in the ANTI-VIR.DAT files. If a virus infects a file, the maintained information no longer matches the now changed file, and TbScan informs you of this.

NOTE: There are no command line options to enable this feature. TbScan performs integrity checking automatically if it detects the ANTI-VIR.DAT files.

Note that TbScan reports only those file changes that could indicate a virus. While internal configuration areas of program files might also change, TbScan normally does not report these. If a file becomes infected with a known or unknown virus, however, the vital information does change and TbScan does indeed report it to you!

In contrast, there might be files that change themselves frequently or change frequently due to another cause. In such a case you might want to exclude the program from integrity checking to avoid future false alarms. If TbScan detects such a change, it informs you of it. Additionally, TbScan offers the possibility to validate the program, which is the subject of the next section.

Understanding Program Validation

This section applies only if you use TbSetup to generate the ANTI-VIR.DAT records. Without these records, program validation is not an option.

TbScan performs as intended on most programs. There are some programs, however, that require special attention in order to avoid false alarms. TbSetup recognizes most of these programs automatically. Nevertheless it is certainly possible your PC contains some program files that trigger the heuristic alarm of TbScan and/or program files that change frequently.
If TbScan finds an infection using heuristic analysis or integrity checking, and if there is an ANTI-VIR.DAT record available, it offers an additional option in its virus-alert window, namely, V)alidate program. If you are sure that the indicated program does not contain a virus, you can press V to set a flag in the program's ANTI-VIR.DAT record. This avoids future false alarms.

There are two validation modes. If TbScan alarms you to a file change, the validation applies to future file changes only. If the alarm is due to heuristic analysis, the validation applies only to heuristic results. If you exclude the file from heuristic analysis, TbScan still performs an integrity check. Conversely, if you exclude the file from integrity checking, TbScan still performs heuristic analysis.

CAUTION: If you replaced a file (for example, because of a software upgrade) and you did not apply TbSetup to the changed files, TbScan pops up its virus alert window to inform you of the file change. Do not select the validation option in this case, because this would exclude the file from future integrity checking. You should abort TbScan and execute TbSetup on the changed file(s) instead.

4.3.4 Understanding the Scan Algorithms

When TbScan processes a file it displays one of the following messages:

Looking. "Looking" indicates that TbScan has successfully located the entry point of the program in one step; that is, it has identified the program code so it knows where to search without the need of additional analysis. TbScan uses "Looking" on most known software.

Checking. "Checking" indicates that TbScan has successfully located the entry point of the program, and is scanning a frame of about two kilobytes around the entry point. If the file is infected, the virus signature appears in this area. "Checking" is a very fast and reliable scan algorithm, so TbScan applies it to most unknown software.

Tracing. "Tracing" means that TbScan has successfully traced a chain of jumps or calls while locating the entry point of the program and is scanning a frame of about two kilobytes around this location. If the file has been infected, the signature of the virus appears in this area. "Tracing" is a fast and reliable scan algorithm. TbScan uses it primarily for memory resident COM programs. Most viruses force TbScan to use "Tracing."

Scanning. "Scanning" indicates that TbScan is scanning the entire file (except for the EXE-header, which cannot contain any viral code). It uses this only if it can't safely use "Looking," "Checking," or "Tracing." Such is the case when the entry point of the program contains other jumps and calls to code located outside the scanning frame, or when the heuristic analyzer finds something that you should investigate more thoroughly. Scanning is a slow algorithm because it processes almost the entire file, including data areas, and it is more likely to trigger false alarms. TbScan uses this algorithm when scanning boot sectors, SYS files, and BIN files.

Skipping. "Skipping" occurs only with SYS and OVL files. It simply means that the file will not be scanned. As there are many SYS files (such as CONFIG.SYS) that contain no code at all, it makes absolutely no sense to scan these files for viruses. The same applies to .OV? files. Many overlay files do not deserve the name overlay because they lack an EXE-header. Such files cannot execute through DOS, which in turn makes them just as invulnerable to direct virus attacks as .TXT files. If TbScan reports that a virus has infected an .OV? file, that file is one of the relatively few overlay files that does contain an EXE-header. In such a case, the infection was the result of the virus monitoring the DOS exec-call (function 4Bh) and thereby infecting any program that executes that way, including real overlay files.

Decrypting.
TbScan detected that the file is encrypted, and decrypts it to be able to "look inside." TbScan performs signature scanning and heuristic analysis on the decrypted code, since that is very reliable and also reveals polymorphic viruses.

4.3.5 Understanding the TBSCAN.LNG File

The TBSCAN.LNG file contains all the text that TbScan displays. You can translate or customize the messages with any ASCII editor. A dollar sign [$] separates the messages. The first message displays our address and registration information. You can edit this message as you please, adding, for example, your company name and logo.

CAUTION: Take care in customizing messages so that you don't change the essence of the message.

You can also add color codes to the TBSCAN.LNG file. You must precede a color code with the "pipe" [|] character. Each color code consists of a foreground (or highlight) color and a background color. The following table lists the available color codes (all numbers are in hexadecimal notation):

    Color     Foreground   Highlight     Background
    -------   ----------   -----------   ----------
    Black     00           08            00
    Blue      01           09            10
    Green     02           0A            20
    Cyan      03           0B            30
    Red       04           0C            40
    Magenta   05           0D            50
    Brown     06           0E (yellow)   60
    Gray      07           0F (white)    70

To make characters blink, add 80 to the background color codes.

Here are a few examples of defining colors: To make a highlighted green character on a red background, use the color code 0A+40=4A. To make the character blink, add 80h to the result (4A+80=CA). To display white characters on a blue background, use the color code 0F in combination with color code 10: 0F+10=1F. If you prefer a cyan background with a gray foreground, you should add 30 to 07 (30+07=37). If you want the characters to blink, the color code becomes 37+80=B7.
4.3.6 Understanding the TBAV.MSG File

The TBAV menu displays the contents of a file named TBAV.MSG, if it exists in the ThunderBYTE directory. You can use this feature to display your company logo on the TBAV screen. As in the TbScan language file, you can embed color codes in this file. Consult the previous section for more information about color codes.

4.4 Understanding TbClean

This section takes a look at how TbClean works by explaining how a virus goes about infecting a file and the difference between conventional cleaners and generic cleaners.

4.4.1 Understanding how a Virus infects a file

To understand how a cleaning program works, try to imagine how a virus usually goes about infecting a program. The basic principle is really quite simple. A virus, which is simply another computer program, adds itself to the end of the program it infects. The additional viral code obviously increases the size of the program. Simply appending a viral program to another program, however, is not enough to do any real harm. To do damage, the viral code must first be executed. To accomplish this, the virus grabs the first few bytes at the start of the program and replaces them with a jump instruction to its own viral code. That way the virus is able to take control when the program starts. Chances are you will never even notice the momentary delay while the extra code executes and does whatever the virus has been programmed to do. The virus then restores the original instructions and restarts the program (jumps to the original start of the program). Your program, more often than not, works as usual, and of course, any virus worth its salt makes sure it doesn't draw undue attention to itself, at least not too soon.

So, in order to purge a program, we must first restore the starting instruction bytes, which the virus replaced with the jump to its own code.
The virus is going to need these bytes again later on, so it stores them somewhere in the viral code. The cleaner starts out to find those bytes, puts them back in their proper place, and trims the file to the original size.

Cleaner programs basically come in two types: the conventional type, for specific types of viruses, and the far more advanced generic cleaner, which offers a much wider scope. Let's take a closer look at both cleaner types and find out where they differ.

4.4.2 Understanding Conventional Cleaners

A conventional cleaner has to know which virus to remove. Suppose one of your programs is infected with a Jerusalem/PLO virus. This means that the infected program has grown in size in comparison with the original program, and that the first few bytes have been replaced by a "jump" instruction to the viral code. The following drawing illustrates this process:

      original program          infected program
      +--------------+          +--------------+
      |              |     100: |jump          |
      |   p          |          |to 2487       |
      |   r          |          |              |
      |   o          |          |   o          |
      |   g          |          |   g          |
      |   r          |          |   r          |
      |   a          |          |   a          |
      |   m          |          |   m          |
      |              |          |              |
      |   c          |          |   c          |
      |   o          |          |   o          |
      |   d          |          |   d          |
      |   e          |          |   e          |
      |              |          |              |
      +--------------+          +--------------+
                          2487: |              |
                                |   VIRUS!   p |
                                |            r |
                                |jmp 100       |
                                +--------------+

When you start a conventional cleaner, a procedure much like the following takes place: "Hey, the signature file tells me this file is infected with the Jerusalem/PLO virus. Okay, let's see, this virus tacks on 1873 bytes at the end and overwrites the first three bytes of the original program with a jump to itself. The original bytes are located at offset 483 in the viral code. So, I have to take those bytes, copy them to the beginning of the file, and then remove 1873 bytes of the file. That's it!"

But there are several pitfalls to worry about in a scenario like this. For one thing, the cleaner obviously must have some means to recognize the virus it should remove.
A conventional cleaner cannot cope with a virus unless it knows exactly what to look for. To make matters worse, it's even more important to establish whether or not the virus is exactly the same one that the cleaner knows about. Imagine what would happen if the virus in our example had been modified and is now 1869 bytes in size instead of 1873. The cleaner would remove too much! This is not an exceptional case at all. On the contrary, there is a virtual epidemic of countless so-called mutant strains. The Jerusalem/PLO family, to name but one example, now has more than 100 mutant members!

4.4.3 Understanding Generic Cleaners

A generic cleaner works on the principle that any kind of virus, whether or not it has made the signature "charts," is just plain bad news. That's why TbClean works with a completely different disinfection scheme that is effective with almost all viruses; it doesn't even need to recognize them. Actually, TbClean represents two cleaners in one: a "repair" cleaner and a "heuristic" cleaner.

Repair cleaning

Repair cleaning needs an ANTI-VIR.DAT file generated by TbSetup before the infection occurred. The ANTI-VIR.DAT file stores vital information about programs, including their original size, the first few instruction codes, and a cryptographic checksum. This information is usually all it takes to disinfect a file, no matter what virus, known or unknown, caused the infection. The cleaner simply restores the bytes at the beginning of the program, trims the file to its original size, and verifies the result using the original checksum. It's just that simple (and effective).

Heuristic cleaning

TbClean is the first cleaner in the world that has a heuristic cleaning mode. Like the repair cleaner, this mode does not need any information about viruses either, but it also has the added advantage that it doesn't even care about the original, uninfected state of a program.
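The following Python is an added example (my own code, not TBAV's) that models the three ideas of sections 4.3.3, 4.4.2 and 4.4.3 side by side: an ANTI-VIR.DAT-style record made before infection (size, first bytes, checksum), the integrity check that notices a changed file, the repair cleaner that restores and verifies, and the conventional cleaner that depends on knowing the virus' exact size. The record layout, the use of CRC-32 as the checksum, the sample program bytes and the simulated append-and-jump infection are all constructed for this illustration and are not TbClean's format.

```python
"""Toy model of ANTI-VIR.DAT records, integrity checking, repair cleaning and
conventional cleaning. Added example; not TBAV code. Record layout, CRC-32 as
the checksum, sample bytes and the simulated infection are assumptions."""
import zlib

FIRST_BYTES = 3   # the manual's example virus overwrites the first three bytes


def make_record(program):
    """What TbSetup stores before infection: size, first bytes, checksum."""
    return {"size": len(program), "head": bytes(program[:FIRST_BYTES]),
            "crc": zlib.crc32(program)}


def integrity_check(program, record):
    """TbScan-style check: does the file still match its record?"""
    return len(program) == record["size"] and zlib.crc32(program) == record["crc"]


def repair_clean(infected, record):
    """Repair cleaning: put the stored first bytes back, trim to the original
    size and verify the result with the stored checksum. Returns the cleaned
    bytes, or None when the record is unusable: the file still matches it (the
    record was made after infection) or the reconstruction does not verify."""
    if integrity_check(infected, record) or len(infected) < record["size"]:
        return None
    cleaned = record["head"] + bytes(infected[FIRST_BYTES:record["size"]])
    return cleaned if integrity_check(cleaned, record) else None


def conventional_clean(infected, virus_size, stash_offset):
    """Conventional cleaner: relies on knowing the virus' size and where it
    stashed the original bytes. With the wrong size (a mutant strain) it
    removes too much and restores the wrong bytes, and nothing verifies that."""
    viral = infected[len(infected) - virus_size:]
    original = viral[stash_offset:stash_offset + FIRST_BYTES]
    return bytes(original) + bytes(infected[FIRST_BYTES:len(infected) - virus_size])


def simulate_appending_infection(program, viral_blob, stash_offset):
    """Test fixture modelling section 4.4.1: the original first bytes are stashed
    inside the appended blob at stash_offset, and the first three bytes of the
    host become a near jump (E9 rel16) to the appended code."""
    blob = bytearray(viral_blob)
    blob[stash_offset:stash_offset + FIRST_BYTES] = program[:FIRST_BYTES]
    rel = len(program) - FIRST_BYTES   # target relative to the end of the E9 instruction
    return bytes([0xE9]) + rel.to_bytes(2, "little") + bytes(program[FIRST_BYTES:]) + bytes(blob)


# Constructed sample host (a few bytes of code plus a string) and two constructed
# "viral" blobs of different lengths, standing in for the 1873-byte virus and
# its 1869-byte mutant in the manual's example.
PROGRAM = bytes([0xB4, 0x09, 0xBA, 0x09, 0x01, 0xCD, 0x21, 0xB8, 0x00, 0x4C, 0xCD, 0x21]) \
    + b"Hello from a constructed sample program$"
VIRUS = bytes(range(0x40, 0x40 + 30))
MUTANT = VIRUS[:26]
STASH = 10


def demo():
    """Run every scenario and report the outcomes as a dict."""
    record = make_record(PROGRAM)                    # TbSetup, run before infection
    infected = simulate_appending_infection(PROGRAM, VIRUS, STASH)
    mutant = simulate_appending_infection(PROGRAM, MUTANT, STASH)
    botched = conventional_clean(mutant, len(VIRUS), STASH)   # cleaner assumes 30 bytes
    return {
        "clean_passes": integrity_check(PROGRAM, record),
        "infected_passes": integrity_check(infected, record),
        "repair_ok": repair_clean(infected, record) == PROGRAM,
        "repair_mutant_ok": repair_clean(mutant, record) == PROGRAM,
        "late_record": repair_clean(infected, make_record(infected)),
        "conventional_ok": conventional_clean(infected, len(VIRUS), STASH) == PROGRAM,
        "mutant_botched": botched != PROGRAM and len(botched) == len(PROGRAM) - 4,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of the last two results is the one the manual makes: the conventional cleaner silently returns a file four bytes short when the strain is not the one it knows, while the repair cleaner either returns a file whose checksum matches the pre-infection record or returns nothing at all.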
This cleaning mode is very effective if your system becomes infected with an unknown virus and you neglected to let TbSetup generate the ANTI-VIR.DAT files before infection. In heuristic mode, TbClean loads the infected file and starts emulating the program code. It uses a combination of disassembly, emulation and, sometimes, execution to trace the flow of the viral code, pretending to do more or less exactly what the virus would normally be doing. When the virus gets to the original program's instructions and jumps back to the original program code, TbClean stops the emulation process, with a tongue-in-cheek thank you to the virus for its cooperation in restoring the original bytes.

The actual cleaning process involves almost the same three steps as with repair cleaning. First, TbClean repairs the program startup code and copies it back to the file. Second, it removes the now ineffective viral code for the sake of security. Third, it does a final analysis of the purged program file.

4.5 Using TbGenSig

This final section of Chapter 4 introduces you to TbGenSig, an advanced user utility that enables you to define your own virus signatures.

4.5.1 Understanding and using TbGenSig

TbGenSig is a signature file compiler. Since we distribute TBAV with an up-to-date, ready-to-use signature file, you do not really need the signature file compiler. If, however, you want to define your own virus signatures, you will need this utility. You can use either published signatures or define your own, if you are familiar with the structure of software. One way or another, you need to do this only in case of an emergency, such as in the unfortunate event that a yet unknown, and thus unrecognized, virus attacks your machine, or even your company.
We recommend that you send a few samples of the virus to some of our researchers, to ensure that they can be examined and the results included in one of the subsequent updates to our software.

NOTE: Since it's not possible to explain the whole subject of virus hunting in one manual, this section assumes you have enough experience and knowledge to create your own virus signatures.

TbGenSig searches for the USERSIG.DAT file in the current directory. This file should contain the signatures you want to add to the TBAV signature file TBSCAN.SIG. TbGenSig checks the contents of the USERSIG.DAT file and applies it to the TBSCAN.SIG file. If you want to delete or modify your signatures, just edit or delete the USERSIG.DAT file and run TbGenSig again. TbGenSig lists all signatures in the TBSCAN.SIG file on screen as it runs.

4.5.2 Working with TbGenSig

This section describes how to use TbGenSig. It outlines how to format the text in the USERSIG.DAT file, add published signatures, define your own signatures, and other procedures.

Formatting Text in USERSIG.DAT

You can create and edit the USERSIG.DAT file using any DOS text editor (such as the DOS 5+ EDIT program) that saves unformatted (ASCII) text. All lines starting with a semicolon (;) are comment lines. TbGenSig ignores these lines. Lines starting with a percentage character (%) appear in the upper TbGenSig window. The first line of a record should contain the name of a virus, the second line contains one or more keywords, and the third line contains the signature itself. We call this combination of three lines a signature record. A signature record should look like this:

    TEST VIRUS
    EXE COM INF
    ABCD21436587ABCD

You can use spaces in the signature for your own convenience; TbGenSig will just ignore them.
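As an added example of the USERSIG.DAT layout just described (my own Python, not part of TbGenSig), here is a parser that applies the rules from this section and from the keyword section later in this chapter: semicolon lines are comments, percent lines are display text, every other non-blank line belongs to a three-line record, spaces inside a signature are ignored, a keyword line is at most 80 characters and must carry at least one item keyword. Treating blank lines as ignorable, and the check that a signature contains only hex digits and wildcard characters, are my own assumptions; the sample file is constructed, with the TEST VIRUS record taken from the manual.

```python
"""Parser for USERSIG.DAT signature records. Added example, not TbGenSig code.
Blank-line handling and the signature character check are assumptions."""
import re

ITEM_KEYWORDS = {"BOOT", "COM", "EXE", "HIGH", "LOW", "SYS", "WIN"}
_SIG_CHARS = re.compile(r"^[0-9A-F?@*LH]+$")   # hex digits plus wildcard syntax

# Constructed sample file; the TEST VIRUS record is the manual's own example.
SAMPLE_USERSIG = """\
; USERSIG.DAT - signatures to be compiled into TBSCAN.SIG
% Company-local emergency signatures
TEST VIRUS
EXE COM INF
ABCD 2143 6587 ABCD

SECOND SAMPLE
COM, ATE, INF
B8?2 4L 5H
"""


def parse_usersig(text):
    """Return (display_lines, records). Each record is a dict with 'name',
    'keywords' (upper-cased list) and 'signature' (spaces removed, upper-cased).
    Raises ValueError on a malformed record."""
    display, body = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(";") or not line.strip():
            continue                              # comment or blank line: ignored
        if line.startswith("%"):
            display.append(line[1:].strip())      # shown in the upper TbGenSig window
            continue
        body.append(line)
    if len(body) % 3:
        raise ValueError("incomplete signature record (records are three lines)")
    records = []
    for i in range(0, len(body), 3):
        name, kw_line, sig_line = body[i:i + 3]
        if len(kw_line) > 80:
            raise ValueError("keyword line for %r exceeds 80 characters" % name)
        keywords = [k.upper() for k in re.split(r"[ ,\t]+", kw_line.strip()) if k]
        if not ITEM_KEYWORDS & set(keywords):
            raise ValueError("record %r needs an item keyword (BOOT, COM, EXE, ...)" % name)
        signature = re.sub(r"\s+", "", sig_line).upper()
        if not _SIG_CHARS.match(signature):
            raise ValueError("record %r: signature contains invalid characters" % name)
        records.append({"name": name.strip(), "keywords": keywords, "signature": signature})
    return display, records


if __name__ == "__main__":
    shown, recs = parse_usersig(SAMPLE_USERSIG)
    print(shown)
    for rec in recs:
        print(rec)
```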
Adding a Published Signature

As outlined above, adding an already published signature is simply a matter of editing or creating the USERSIG.DAT file to convert the signature to an acceptable format for TbGenSig. Format the three lines to include the virus name, keywords, and the signature, as in the following:

    NEW VIRUS
    EXE COM BOOT INF
    1234ABCD5678EFAB

After editing the file, execute TbGenSig.

4.5.3 Defining a Signature with TbScan

This section is for advanced users who have registered their copy of ThunderBYTE Anti-Virus. Although the TBSCAN.SIG file is updated frequently, new viruses appear every day, outpacing the regular upgrading service of the TbScan signature file. It is possible for your system to become infected by a recently created virus not yet listed in the signature file. TbScan will not always detect the virus in such cases, not even with its heuristic analysis. If you are sure that your system has become infected without TbScan confirming this, this section will supply you with a valuable tool to detect unknown viruses. This section offers step-by-step assistance in creating an emergency signature that you can (temporarily) add to your copy of TbScan.Sig.

1. Collect some infected files and copy them into a temporary directory.

2. Boot from a clean write-protected diskette.

   WARNING: Do NOT execute ANY program from the infected system, even though you expect this program to be clean.

3. Execute TbScan from your write-protected TbScan diskette using the EXTRACT option. Make sure that the temporary directory where you stored the infected files is TbScan's target directory. Using the EXTRACT option, TbScan will NOT scan the files but, instead, displays the first instructions that it finds at the entry-point of the infected programs.

   NOTE: We recommend that you also set TbScan's LOG option to generate a log file.

4. Compare the "signatures" extracted by TbScan.
   You should see something like this:

       NOVIRUS1.COM   2E67BCDEAB129090 909090 ABCD123490CD
       NOVIRUS2.COM   N/A
       VIRUS1.COM     1234ABCD5678EFAB 909090 ABCD123478FF
       VIRUS2.COM     1234ABCD5678EFAB 901234 ABCD123478FF
       VIRUS3.COM     1234ABCD5678EFAB 9A5678 ABCD123478FF

   If the "signatures" of the files are completely different, the files are either probably not infected, or they have become infected by a polymorphic virus that requires an algorithmic detection module to detect it.

5. If there are some differences in the "signatures," you can use the question mark wildcard (?). A signature to detect the virus in the example above could be:

       1234ABCD5678EFAB ?3 ABCD123478FF

   The "?3" means that there are three bytes at that position that should be skipped. Note that two digits in the signature represent one byte in your program.

6. Add the signature to USERSIG.DAT. Give the virus a name in the first line of its entry, specify the keywords COM, EXE, INF, and ATE in the second line, and enter the signature in the third, as in the following:

       NEW VIRUS
       EXE COM ATE INF
       1234ABCD5678EFAB?3ABCD123478FF

7. Run TbGenSig. Make sure the resulting TbScan.Sig file is in the TBSCAN directory.

8. Run TbScan again in the directory containing the infected files. TbScan should now detect the virus.

9. Send a couple of infected files to a recommended virus expert, preferably to the ThunderBYTE Corporation.

Congratulations! You have defined a signature all by yourself! Now you can scan all your machines in search of the new virus.

CAUTION: Keep in mind that this method of extracting a signature is a "quick-and-dirty" solution to viral problems. The extracted signature might not detect the presence of the virus in all cases. You can make a signature guaranteed to detect all instances of the virus only after complete disassembly of the new virus. For these reasons you should NEVER distribute your home-made "signature" to others.
In most cases, the signature eventually assembled by experienced anti-virus researchers will be different from your home-made version.

4.5.4 Understanding Keywords

You can use keywords for several purposes. You can separate them by spaces, commas, or tabs, and use a maximum line length of 80 characters. You also should specify at least one of the following flags: BOOT, COM, EXE, HIGH, LOW, SYS, or WIN.

Keywords fall into three categories: "Item Keywords," "Message Keywords," and "Position Keywords." The seven flags just listed are the Item Keywords.

Using Item Keywords

Item keywords tell the scanner where to search for viruses with those keywords. For example, the BOOT keyword tells the scanner that the accompanying virus signature can reside only in a boot sector or partition table. The Item keywords include the following:

BOOT. Specifies that the signature can be found in boot sectors and/or partition tables.

COM. Specifies that the signature can be found in COM programs. This flag instructs the scanner to search for this signature in executable files that do not have an EXE header or device header.

NOTE: Always keep in mind that the file content determines the file type, not the filename extension!

EXE. Specifies that the signature can be found in EXE programs. This flag instructs the scanner to search for this signature in the load module of EXE type files. EXE files are files that have an EXE header. (See the Note under the COM keyword.)

HIGH. Specifies that the signature can be found in HIGH memory (above the program). This flag instructs the scanner to search for this signature in memory above the memory allocated by the scanner. This keyword is for resident viruses that allocate memory at "system boot" or viruses that decrease the size of the last MCB (Memory Control Block). Please note that the flag HIGH does not mean that the signature should be searched for in UPPER memory.

LOW. Specifies that the signature can be found in LOW memory.
This flag instructs the scanner to search for this signature in memory below the PSP (Program Segment Prefix) of the scanner and in the UMBs (Upper Memory Blocks). This keyword is for viruses that remain resident in memory, using the normal DOS TSR (Terminate and Stay Resident) function calls.

SYS. Specifies that the signature can be found in SYS programs, such as device drivers.

WIN. Specifies that the signature can be found in Windows programs.

Message keywords

Message keywords describe the type and behavior of the virus. For each keyword, this results in the scanner displaying a different message when it finds such a virus. These keywords include the following:

DAM. Message prefix: damaged by.

DROP. Message prefix: dropper of.

FND. Message prefix: found the.

INF. Message prefix: infected by. Message suffix: virus.

JOKE. Message prefix: joke named.

OVW. Message prefix: garbage: (not a virus).

PROB. Message pre-prefix: probably.

TROJ. Message prefix: trojanized by.

Position keywords

Position keywords indicate special file areas where the virus can be found. If you use a position keyword, the virus must reside at the specific position. TbGenSig can handle three position keywords:

UATE. Specifies that the signature starts directly at the unresolved entry-point of the viral code. With some polymorphic viruses, it might be possible to create a signature from the degarbling routine, although it might be either too short or give false positives with a global search. An initial branch instruction can be part of the signature. The unresolved entry-point is defined for COM-, EXE-, and Windows-type files:

    COM type files: top of file (IP 0100h).
    EXE type files: CS:IP as defined in the EXE-header.
    WIN type files: Non-DOS CS:IP of the new EXE-header.

NOTE: The UATE keyword is not allowed for BOOT, SYS, LOW, HMA, or HIGH type signatures.

ATE.
Specifies that the signature starts directly at the entry-point of the viral code. With some polymorphic viruses, it might be possible to create a signature from the degarbling routine, although it might either be too short or give false positives with a global search. Therefore, use the ATE keyword to ensure that the scanners do not scan the entire file for the signature, but only look at the entry-point for the signature. The first instruction that is not a "JUMP SHORT," a "JUMP," or a "CALL NEAR" instruction defines the entry point of a virus. Let's examine the following code fragment:

    Unresolved entry point:
        1  JUMP SHORT 3
        2  ...
        3  JUMP 5
        4  ...
        5  CALL NEAR 7
        6  ...
        7  CALL NEAR 9
        8  ...
    Resolved entry point:
        9  POP <reg>

The entry-point of the above fragment is Line 9, as this is the first instruction to execute that is not a "JUMP SHORT," a "JUMP," or a "CALL NEAR."

NOTE: The entry-point is determined by a code analyzer, which must cope with tricks such as coding a NOP or DEC just before the branch instruction. Therefore, test the results of the scanner carefully. In case of trouble, use the TbScan EXTRACT option to find out what TbScan considers to be the entry point of the program. Also, the ATE flag is not allowed for BOOT, SYS, LOW, HMA, or HIGH type signatures.

XHD. Specifies that the signature can be found at offset 2 of the EXE header, but is rarely used. You should use it only to detect the also very rare high-level language viruses, viruses written in a programming language such as C or Basic. These viruses normally contain standard setup routines and library routines that are not suitable for defining a signature. Use this keyword as a last resort to detect such viruses.

NOTE: You can use this flag only for EXE or WIN type signatures.
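To make the ATE rule concrete, here is an added example (my own Python, not code from TbScan or TbGenSig) that resolves a COM image's entry point by following JUMP SHORT, JUMP and CALL NEAR from IP 0100h, and then matches a signature written in the wildcard syntax described under "Using Wildcards" below (?n, ?@nn, *n, *@nn, nL, nH), either anywhere in the file or only at the resolved entry point as ATE requires. It uses the manual's bH4L5H fragment and the Haifa.Mozkin signature from section 4.5.5 against a constructed byte sequence shaped like that section's analysis. The backtracking over "*" skips, the COM-only resolver (EXE headers are not parsed), and the sample bytes are my assumptions.

```python
"""Toy matcher for the TbGenSig signature language plus an ATE entry-point
resolver for COM images. Added example, not TbScan or TbGenSig code; the
backtracking semantics for '*', the resolver and the sample bytes are assumed."""
import re

COM_LOAD_IP = 0x100   # a COM file is loaded at IP 0100h (its unresolved entry point)

# Alternatives are tried left to right, so "?@nn" wins over "?n" and "nL"/"nH"
# win over a plain hex byte. Range limits from the manual are noted per token.
_TOKEN = re.compile(
    r"\?@([0-9a-f]{2})"    # skip exactly nn bytes (00h-7Fh)
    r"|\?([0-9a-f])"       # skip exactly n bytes (0h-Fh)
    r"|\*@([0-9a-f]{2})"   # skip up to nn bytes (00h-1Fh)
    r"|\*([0-9a-f])"       # skip up to n bytes (0h-Fh)
    r"|([0-9a-f])([lh])"   # opcode range n0h-n7h (L) or n8h-nFh (H)
    r"|([0-9a-f]{2})",     # one literal byte
    re.IGNORECASE,
)


def compile_signature(text):
    """Tokenize a signature into (kind, value) pairs; spaces are ignored."""
    text = re.sub(r"\s+", "", text)
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError("bad signature near %r" % text[pos:pos + 4])
        pos, g = m.end(), m.groups()
        if g[4] is not None:                                   # nL / nH
            lo = (int(g[4], 16) << 4) + (0 if g[5].lower() == "l" else 8)
            tokens.append(("range", (lo, lo + 7)))
        elif g[6] is not None:                                 # literal byte
            tokens.append(("byte", int(g[6], 16)))
        else:                                                  # ?n ?@nn *n *@nn
            n = int(next(v for v in g[:4] if v is not None), 16)
            tokens.append(("skip" if m.group(0)[0] == "?" else "upto", n))
    return tokens


def match_at(tokens, data, pos, i=0):
    """Match tokens[i:] at data[pos]; '*' tokens backtrack over every allowed length."""
    while i < len(tokens):
        kind, val = tokens[i]
        if kind == "skip":
            pos += val
            if pos > len(data):
                return False
        elif kind == "upto":
            return any(match_at(tokens, data, pos + k, i + 1) for k in range(val + 1))
        else:
            if pos >= len(data):
                return False
            b = data[pos]
            if (kind == "byte" and b != val) or (kind == "range" and not val[0] <= b <= val[1]):
                return False
            pos += 1
        i += 1
    return True


def scan(tokens, data):
    """Global search: first offset where the signature matches, else None."""
    return next((p for p in range(len(data)) if match_at(tokens, data, p)), None)


def resolve_entry_point(image, ip=COM_LOAD_IP):
    """Follow JMP SHORT (EB), JMP NEAR (E9) and CALL NEAR (E8) from the
    unresolved entry point until any other instruction: the resolved entry
    point of section 4.5.4. A revisited address ends the walk (loop trick)."""
    seen = set()
    while ip not in seen:
        seen.add(ip)
        off = ip - COM_LOAD_IP
        if not 0 <= off < len(image):
            break
        op = image[off]
        if op == 0xEB and off + 2 <= len(image):
            ip += 2 + int.from_bytes(image[off + 1:off + 2], "little", signed=True)
        elif op in (0xE8, 0xE9) and off + 3 <= len(image):
            ip += 3 + int.from_bytes(image[off + 1:off + 3], "little", signed=True)
        else:
            break
    return ip


def scan_ate(tokens, image):
    """ATE keyword: match only at the resolved entry point; returns that IP or None."""
    ip = resolve_entry_point(image)
    off = ip - COM_LOAD_IP
    return ip if 0 <= off < len(image) and match_at(tokens, image, off) else None


# Signatures taken from the manual: the opcode-wildcard fragment and Haifa.Mozkin.
MOV_INC_POP = compile_signature("bH4L5H")
HAIFA_MOZKIN = compile_signature("bh?2bh?109?2*22e80?24l4h75fl")

# Constructed sample COM image (not a real virus): a jump chain followed by a
# decryptor loop shaped like the Haifa.Mozkin analysis in section 4.5.5.
SAMPLE_COM = bytes([
    0xEB, 0x02,              # 0100: jmp short 0104
    0x90, 0x90,              # 0102: never executed
    0xE8, 0x03, 0x00,        # 0104: call near 010A
    0xC3, 0x90, 0x90,        # 0107: never executed
    0xBB, 0x34, 0x12,        # 010A: mov bx,1234h          bh?2
    0xB9, 0x50, 0x09,        # 010D: mov cx,0950h          bh?109
    0x90, 0x90, 0x90,        # 0110: three junk bytes      ?2*2
    0x2E, 0x80, 0x37, 0x5A,  # 0113: xor byte cs:[bx],5Ah  2e80?2
    0x43,                    # 0117: inc bx                4l
    0x49,                    # 0118: dec cx                4h
    0x75, 0xF7,              # 0119: jnz 0112              75fl
])
CLEAN_COM = bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21])   # mov ax,4C00h / int 21h
```

Running scan_ate(HAIFA_MOZKIN, SAMPLE_COM) resolves the chain 0100 → 0104 → 010A and matches there, while CLEAN_COM matches nowhere; a global scan() finds the same sequence at file offset 10, which is what a signature without ATE would have to search the whole file for.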
Using Wildcards

You can use wildcard characters in a virus signature to recognize so-called polymorphic (self-modifying or self-mutating) virus code. TbGenSig distinguishes two wildcard categories: position wildcards and opcode wildcards (note that all numbers are in hexadecimal).

Using Position Wildcards

Position wildcards affect the position where the parts of the signature match.

    Skip a fixed number of bytes:
        ?n     Skip n bytes and continue.        (0h <= n <= Fh)
        ?@nn   Skip nn bytes and continue.       (00h <= nn <= 7Fh)

    Skip a variable number of bytes:
        *n     Skip up to n bytes and continue.  (0h <= n <= Fh)
        *@nn   Skip up to nn bytes and continue. (00h <= nn <= 1Fh)

Using Opcode Wildcards

The opcode wildcards detect instruction ranges.

    Low opcode    nL   One of the instructions in the range n0h to n7h.
    High opcode   nH   One of the instructions in the range n8h to nFh.

Since the opcode wildcards are rather difficult to understand, let's explore an example. Suppose a polymorphic virus puts a value in a word register (using a MOV WREG,VALUE instruction), increments a register (using an INC WREG instruction), and pops a word register from the stack (using a POP instruction). Both the registers and the value are variable. This means that the signature you are writing to detect this virus should be able to detect all code sequences for every value of the registers and the value, but this is far too much work. Now, consider that B8-BF are the opcodes for MOV WREG,VALUE, that 40-47 are the opcodes for INC WREG, and that 58-5F are the opcodes for POP REG. By using the opcode wildcards, you can detect a sequence of these three instructions using the following signature fragment:

    bH4L5H

4.5.5 Understanding a Sample Signature: Haifa.Mozkin

To show the power of using the appropriate keywords and wildcards, here is the signature of the Haifa.Mozkin virus. This virus is highly polymorphic and encrypted.
It contains a small variable decryptor to decrypt the virus. There are two problems here: most bytes are encrypted or variable, and thus not suitable to be part of a signature, and the remainder is short and would cause dozens of false alarms. Using the appropriate keywords and wildcards, however, it's possible to define a reliable signature. TbScan actually uses the signature below to detect the Haifa.Mozkin virus.

    Haifa.Mozkin
    com exe ate inf
    bh?2bh?109?2*22e80?24l4h75fl

Now let's analyze this signature. The first line describes the name of the virus. The second line tells the scanner to search for this signature in COM and EXE type files. It also tells the scanner that it should report the file as infected if the signature matches. The keyword ATE instructs the scanner to match this signature only at the resolved entry-point of the file. The virus starts, of course, by decrypting itself, so it is certain that the scanner will scan this location. The ATE keyword limits the scope of this signature to just one position in a file, so this significantly reduces the chances of false alarms. The third line is the signature definition. Let's reverse engineer it:

bh?2
    Means a byte in the B8-BF range is followed by two variable bytes. B8-BF is a MOV WREG,VALUE instruction. From the register we only know it is a word register; the value is unknown as well.

bh?109
    Means another MOV WREG,VALUE instruction. The register is a word register, and from the value we know that it is in the range 0900 to 09FF.

?2*2
    Means skip two to four bytes. The virus inserts this variable-length instruction to make it harder to define a signature.

2e80?2
    Means that the virus performs an arithmetic byte-sized operation with an immediate value (decrypts one byte) with a CS: segment override. The exact operation, the memory location, and the value are unknown.

4l
    Means a byte in the 40-47 range. This is an INC WREG instruction.
    The virus increments the counter to the next byte to be decrypted.

4h
    Means a byte in the 48-4F range. This is a DEC WREG instruction. The virus decrements the iteration count.

75fl
    Opcode 75 is a JNZ instruction. If the decremented register did not reach zero, the virus jumps back and repeats the operation. How far does it jump? The fl part tells us: somewhere between -16 (F0h) and -8 (F7h) bytes.

NOTE: Although the signature language of TbGenSig is extremely powerful, there are viruses that are simply so highly polymorphic that they require even more sophisticated wildcards, keywords, or even special detection algorithms. The explanation of these wildcards, keywords, and algorithmic detection definitions, however, is beyond the scope of this user manual.

Appendices

Appendix A: TBAV messages

The TBAV utilities might display various messages when run. Most messages are self-explanatory, but here is some additional information about specific messages.

A.1 TbClean

ANTI-VIR.DAT record found: information matches the current state of the file.
    The ANTI-VIR.DAT record has been found, but the information matches the current state of the file.

The ANTI-VIR.DAT file was created after the infection. Trying emulation...
    The ANTI-VIR.DAT record was created after the file became infected, or the file is not changed at all. TbClean is going to emulate the file to clean it heuristically.

ANTI-VIR.DAT record found: reconstructing original state...
    The ANTI-VIR.DAT record that belongs to the infected file has been found. The information will be used to reconstruct the file.

ANTI-VIR.DAT record not found: original state unknown. Trying emulation...
    The ANTI-VIR.DAT file did not exist or did not contain information about the infected program, so the original state of the infected program is unknown to TbClean. TbClean switches to its heuristic mode to determine the state of the original file.
    NOTE: To prevent this situation, use the TbSetup program to generate the ANTI-VIR.DAT records. These records are of great help to TbClean. After infection, it's too late to generate the ANTI-VIR.DAT records.

Emulation terminated: <Reason>
    The emulation process terminated for the reason specified. TbClean now consults the collected information to see if it can disinfect the file. The reason for termination can be one of the following:

    Jump to BIOS code.
        The virus tried to perform a call or jump directly into BIOS code. TBAV cannot emulate this process, so it aborts. The infected program probably cannot be disinfected.

    Approached stack crash.
        The emulated program is approaching a crash. Something went wrong while emulating the program, so it aborts. The infected program probably cannot be disinfected.

    Attempt to violate license agreements.
        TbClean will not disassemble this program, for obvious reasons.

    Encountered keyboard input request.
        The emulated program tries to read the keyboard. This is very unusual for viruses, so the file is probably not infected at all.

    Encountered an invalid instruction.
        The emulator encountered an unknown instruction. For some reason the emulation failed. The infected program probably cannot be disinfected.

    DOS program-terminate request.
        The emulated program requests DOS to stop execution. The program is either not infected at all, or infected by an overwriting virus that does not pass control to its host program. The infected program cannot be disinfected.

    Jumped to original program entry point.
        The program jumped back to the start position. It is very likely infected, but can probably be disinfected.

    Undocumented DOS call with pointers to relocated code.
        This is very common for viruses that add themselves in front of a COM type program. The program can probably be disinfected.

    Encountered an endless loop.
        TbClean encountered a situation in which the program executes the same instruction sequences repeatedly, hundreds of thousands of times. It is unlikely that the program will ever escape from this loop, so the emulation aborts.

    Ctrl-break pressed.
        The user pressed <Ctrl>-<Break>, so the clean attempt aborts.

    Emulation aborted for unknown reason.
        If this message appears, please send a copy of the file being emulated to the ThunderBYTE organization or one of the support BBSs.

Sorry, the collected information is not sufficient to clean file...
    The heuristic cleaning mode of TbClean aborts without success. The only option left is to restore the file from a backup or to re-install the program.

Collected enough information to attempt a reliable clean operation...
    The emulation of the virus provided TbClean with all the information needed to disinfect the file.

Some DOS error occurred. TbClean aborted!
    Some DOS error occurred while trying to clean the file. Check that no files are read-only or located on a write protected disk, and make sure there is a reasonable amount of free disk space.

The clean attempt seems to be successful. Test the file carefully!
    TbClean thoroughly and reliably removed the virus from the file. However, take care and test the file carefully to see if it works correctly.

Reconstruction failed. Program might be overwritten. Trying emulation...
    TbClean tried to reconstruct the original file with the help of the ANTI-VIR.DAT record, but the attempt failed. TbClean is going to emulate the file to try to clean it heuristically.

Reconstruction successfully completed.
    TbClean has reconstructed the file to its original state with the help of the information in the ANTI-VIR.DAT record. The CRC (checksum) of the original file and of the cleaned file are completely equal, so it is almost certain that the cleaned file is equal to the original file.

Starting clean attempt.
Analyzing infected file...
    TbClean is analyzing the infected file and trying to locate the ANTI-VIR.DAT record.

A.2 TbDriver

Another version of TbDriver is already resident!
    You started a TBDRIVER.EXE with another version number or processor type than the TbDriver already in memory.

Cannot remove TbDriver. Unload other TSRs first!
    You tried to remove TbDriver from memory, but other resident software was loaded after TbDriver. You can only remove resident programs from memory by unloading them in reverse order.

LAN support was already installed.
    You tried to use the NET option a second time, or TbDriver already enabled network support automatically.

TbDriver not active. Load TbDriver first!
    The resident TBAV utilities need TbDriver, so you need to load TbDriver first.

TbDriver is not <version>.
    The version of TbDriver found in memory does not match the version number of this resident TBAV utility. Be sure you do not mix version numbers!

This version of TbDriver requires a <typeID> processor.
    You are using a processor optimized version of TbDriver that the current processor cannot execute.

A.3 TbScan

Cannot create logfile.
    The specified log file path is illegal, the disk is full or write protected, or the file already exists and cannot be overwritten.

[Cannot read datafile]
    TbScan needs access to its data file to be able to tell you the name of the virus. If it cannot access the data file, it displays this message instead of the virus name.

Command line error.
    You specified an invalid or illegal command line option.

No matching executable files found.
    The specified path does not exist, is empty, or is not an executable file.

Sanity check failed!
    TbScan detected that its internal checksum no longer matches. It is possible that TbScan is contaminated by a virus. Obtain a clean copy of TbScan, copy the program onto a write protected system diskette, boot from that diskette, and try again.
A.4 TbScanX

Data file not found.
    TbScanX cannot locate the data file.

Not enough memory.
    There is not enough free memory to process the data file. Try to enable swapping, or if you are already doing so, try another swapping mode. See also the Understanding Memory Considerations section in Chapter 4.

Appendix B: TbScan Heuristic Flag Descriptions

This appendix describes TBAV's heuristic flags.

# - Decryptor code found
    The file possibly contains a self-decryption routine. Some copy-protected software is encrypted, so this warning might appear for some of your files. If, however, this warning appears in combination with, for example, the "T" warning, there could be a virus involved and TbScan assumes contamination. Many viruses encrypt themselves and trigger this warning.

! - Invalid program. Invalid opcode (non-8088 instructions) or out-of-range branch.
    The program either has an entry point that is located outside the body of the file, or reveals a chain of jumps that can be traced to a location outside the program file. Another possibility is that the program contains invalid processor instructions. The program being checked is probably damaged and in most cases cannot execute. At any rate, TbScan avoids risk and uses the scan method to scan the file.

1 - 80186+ instructions.
    The file contains instructions which cannot be executed by 8088 processors, and require an 80186 or better processor.

@ - Strange instructions
    The file contains instructions which are not likely to be generated by an assembler, but by some code generator like a polymorphic virus instead.

? - Inconsistent header.
    The program being processed has an EXE-header that does not reflect the actual program lay-out. Many viruses do not update the EXE-header of an EXE file correctly after they infect the file, so if this warning pops up frequently, it appears you have a problem.
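The "!" and "?" flags above (and the "i" and "K" flags described later in this appendix) can be derived from the EXE header alone. The following is an added example, not ThunderBYTE code: it assumes the documented DOS MZ header layout, and since this page does not state the exact thresholds TbScan applies, the rules it implements are illustrative assumptions drawn from the flag descriptions.

```python
"""Static checks modelled on TbScan's '!', '?', 'i' and 'K' flags.

Added example, not ThunderBYTE code. The MZ header layout is the documented
DOS EXE format; the exact thresholds TbScan applies are not on this page, so
the rules below are assumptions drawn from the flag descriptions in Appendix B.
"""
import struct

MZ_HEADER = struct.Struct("<14H")        # the 28-byte fixed part of an EXE header
PAGE = 512                               # DOS EXE page size
PARA = 16                                # paragraph size
FIELD_NAMES = ("magic", "cblp", "cp", "crlc", "cparhdr", "minalloc", "maxalloc",
               "ss", "sp", "csum", "ip", "cs", "lfarlc", "ovno")


def parse_mz_header(data: bytes) -> dict:
    """Return the MZ header fields by name; raise ValueError for non-EXE input."""
    if len(data) < MZ_HEADER.size or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    return dict(zip(FIELD_NAMES, MZ_HEADER.unpack_from(data)))


def image_layout(hdr: dict) -> tuple:
    """Return (header_len, declared_len): header size and total bytes the header claims."""
    declared = hdr["cp"] * PAGE
    if hdr["cblp"]:                       # a non-zero cblp means the last page is partial
        declared -= PAGE - hdr["cblp"]
    return hdr["cparhdr"] * PARA, declared


def heuristic_flags(data: bytes) -> set:
    """Compute the header-derived flags for one EXE image."""
    hdr = parse_mz_header(data)
    header_len, declared = image_layout(hdr)
    flags = set()
    # '?' Inconsistent header: the header claims more bytes than the file holds,
    #     a header larger than the whole image, or an impossible last-page count.
    if declared > len(data) or header_len > declared or hdr["cblp"] >= PAGE:
        flags.add("?")
    # '!' Invalid program: the entry point CS:IP lies outside the load module.
    entry = header_len + hdr["cs"] * PARA + hdr["ip"]
    if entry >= min(declared, len(data)):
        flags.add("!")
    # 'i' Internal overlay: bytes present behind the load module.
    if len(data) > declared:
        flags.add("i")
    # 'K' Unusual stack: odd stack offset, or a stack segment beyond the load module.
    if hdr["sp"] & 1 or header_len + hdr["ss"] * PARA > declared:
        flags.add("K")
    return flags


def build_exe(code: bytes, overlay: bytes = b"", **overrides) -> bytes:
    """Constructed sample: a 32-byte header plus CODE, with optional field overrides."""
    header_len = 2 * PARA
    total = header_len + len(code)
    fields = dict(magic=0x5A4D, cblp=total % PAGE, cp=(total + PAGE - 1) // PAGE,
                  crlc=0, cparhdr=header_len // PARA, minalloc=0, maxalloc=0xFFFF,
                  ss=0, sp=0x100, csum=0, ip=0, cs=0, lfarlc=header_len, ovno=0)
    fields.update(overrides)
    header = MZ_HEADER.pack(*(fields[n] for n in FIELD_NAMES)).ljust(header_len, b"\0")
    return header + code + overlay


if __name__ == "__main__":
    # MOV AX,4C00h / INT 21h: a program that just exits to DOS (constructed sample).
    exit_code = b"\xb8\x00\x4c\xcd\x21"
    samples = {
        "clean": build_exe(exit_code),
        "overlay appended": build_exe(exit_code, overlay=b"CFG\0" * 4),
        "entry outside file": build_exe(exit_code, ip=0x200),
        "header claims 4 pages": build_exe(exit_code, cp=4),
        "odd stack pointer": build_exe(exit_code, sp=0x101),
    }
    for label, image in samples.items():
        print(f"{label:24s} flags={sorted(heuristic_flags(image))}")
```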
c - No integrity check
    This warning indicates that TBAV found no checksum/recovery information for the indicated file. We recommend you use TbSetup in this case to store the file's information. TBAV uses this information for integrity checking and to recover from virus infections.

h - Hidden or System file.
    The file has the Hidden or the System file attribute set. This means that the file is not visible in a DOS directory display, but TbScan scans it anyway. If you don't know the origin and/or purpose of this file, you might be dealing with a Trojan Horse or a joke virus program. Copy such a file onto a diskette, remove it from its program environment, and then check whether the program concerned misses the file. If no program misses it, you have not only freed some disk space, but you might also have prevented a future disaster.

i - Internal overlay.
    The program being processed has additional data or code behind the load-module as specified in the EXE-header of the file. The program might have internal overlay(s), or configuration or debug information appended behind the load-module of the EXE file.

p - Packed or compressed file.
    This means that the program is packed or compressed. There are some utilities that can compress program files, such as EXEPACK and PKLITE. If the file became infected after compression, TbScan is able to detect the virus. However, if the file became infected before compression, the virus was also compressed in the process, and a virus scanner might no longer be able to recognize the virus. Fortunately, this does not happen very often, but you should still beware! A new program might look clean, but can turn out to be the carrier of a compressed virus. Other files in your system will become infected too, and it is these infections that will be clearly visible to virus scanners.

w - Windows or OS/2 header.
    The program can be, or is intended to be, run in a Windows (or OS/2) environment. TbScan offers a specialized scanning method for these files.

A - Suspicious Memory Allocation
    The program uses a non-standard way to search for and/or to allocate memory. Many viruses try to hide themselves in memory, so they use a non-standard way to allocate this memory. Some programs (such as high-loaders or diagnostic software) also use non-standard ways to search for or allocate memory.

B - Back to entry.
    The program seems to execute some code, and after that jumps back to the entry-point of the program. Normally this results in an endless loop, except when the program also modifies some of its instructions. This is quite common behavior for computer viruses. In combination with any other flag, TbScan reports a virus.

C - File has been changed
    This warning appears only if you use TbSetup to generate the ANTI-VIR.DAT files, and means the file has been changed. Upgrading the software would trigger this message. Otherwise, it is very likely that a virus infected the file!

    NOTE: TbScan does not display this warning if only some internal configuration area of the file changes. This warning means that code at the program entry point, the entry-point itself, and/or the file size has been changed.

D - Direct disk access
    This flag appears if the program being processed has instructions near the entry-point to write to a disk directly. It is quite normal that some disk related utilities trigger this flag. If several files that should not be writing directly to the disk trigger this flag, your system might be infected by an unknown virus.

    NOTE: A program that accesses the disk directly does not always have the "D" flag. Only when the direct disk instructions are near the program entry point does TbScan report it.
    If a virus is at fault, the harmful instructions are always near the entry point, so it is only there that TbScan looks for them.

E - Flexible Entry-point
    This flag indicates that the program starts with a routine that determines its location within the program file. This is rather suspicious because sound programs have a fixed entry-point, so they do not have to determine this location. For viruses, however, this is quite common. Approximately 50% of the known viruses trigger this flag.

F - Suspicious file access
    TbScan has found instruction sequences common to infection schemes that viruses use. This flag appears with those programs that are able to create or modify existing files.

G - Garbage instructions.
    The program contains code that seems to have no purpose other than encryption or avoiding recognition by virus scanners. In most cases there won't be any other flag, since the file is encrypted and the instructions are hidden.

    NOTE: This flag appears occasionally on "normal" files. This simply indicates, however, that these are poorly designed, not infected.

J - Suspicious jump construct.
    The program did not start at the program entry point. The code has either jumped at least twice before reaching the final startup code, or the program jumped using an indirect operand. Sound programs should not display this kind of strange behavior. If several files trigger this flag, you should investigate your system thoroughly.

K - Unusual stack.
    The EXE file being processed has an odd (instead of even) stack offset or a suspicious stack segment. Many viruses are quite buggy and set up an illegal stack value.

L - Program load trap
    The program might trap the execution of other software. If the file also triggers the "M" flag (memory resident code), it is very likely that the file is a resident program that detects when another program executes.
    Many viruses trap the program load and use it to infect the program. Some anti-virus utilities also trap the program load.

M - Memory resident code.
    TbScan has found instruction sequences that could cause the program to hook into important interrupts. Many TSR (Terminate and Stay Resident) programs trigger this flag because hooking into interrupts is part of their usual behavior. If several non-TSR programs trigger this warning flag, however, you should be suspicious. It is likely that a virus that remains resident in memory infected your files.

    NOTE: This warning does not appear with all true TSR programs, nor can you always rely upon TSR detection in non-TSR programs.

N - Wrong name extension.
    Indicates a name conflict; that is, the program carries the extension .EXE but appears to be an ordinary .COM file, or it has the extension .COM but the internal layout of an .EXE file. A wrong name extension might in some cases indicate a virus, but in most cases it does not.

O - Code Overwrite.
    This flag appears if TbScan detects that the program overwrites some of its instructions. However, it does not seem to have a complete (de)cryptor routine.

R - Suspicious relocator
    Indicates a suspicious relocator. A relocator is a sequence of instructions that changes the CS:IP relationship. Viruses often use this. Those viruses have to relocate CS:IP because they were compiled for a specific location in the executable file; a virus that infects another program can hardly ever use its original location in the file, as it is appended to this file. Sound programs know their location in the executable file, so they don't have to relocate themselves. On systems that operate normally, only a small percentage of the programs should trigger this flag.

S - Search for executables
    The program searches for *.COM or *.EXE files.
    This by itself does not indicate a virus, but it is an ingredient of most viruses, since they have to search for suitable files to spread themselves. If accompanied by other flags, TbScan assumes the file is infected by a virus.

T - Invalid timestamp.
    The timestamp of the program is invalid; that is, the number of seconds in the time stamp is illegal, or the date is illegal or later than the year 2000. This is suspicious because many viruses set the time stamp to an illegal value (such as 62 seconds) to mark that they have already infected the file, so they won't infect a file a second time. It is possible that the program being checked is contaminated with a virus that is still unknown, especially if several files on your system have an invalid time stamp. If only very few programs have an invalid time stamp, you'd better correct it and scan frequently to check that the time stamp of the files remains valid.

U - Undocumented system call.
    The program uses unknown DOS calls or interrupts. These unknown calls can be issued to invoke undocumented DOS features, or to communicate with an unknown driver in memory. Since many viruses use undocumented DOS features, or communicate with memory resident parts of a previously loaded instance of the virus, a program is suspicious if it performs unknown or undocumented communications. This does not necessarily indicate a virus, however, since some tricky programs also use undocumented features.

V - Validated program
    The program has been validated to avoid false alarms. The design of this program would normally cause a false alarm in the heuristic scan mode of TbScan, or this program might change frequently, so TbScan excludes the file from integrity checking. Either TbSetup (automatically) or TbScan (manually) stores these exclusions in the ANTI-VIR.DAT file.

Y - Invalid boot sector.
    The boot sector does not completely follow the IBM defined boot sector format.
    It is possible that the boot sector contains a virus or has been corrupted.

Z - EXE/COM determinator.
    The program seems to check whether a file is a COM or EXE type program. Infecting a COM file is a process that is not similar to infecting an EXE file, which implies that viruses able to infect both program types should also be able to distinguish between them. There are, of course, innocent programs that need to find out whether a file is a COM or EXE file. Executable file compressors, EXE2COM converters, debuggers, and high-loaders are examples of programs that might contain a routine to distinguish between EXE and COM files.

Appendix C: Solving Incompatibility Problems

Although TBAV utilities cooperate very well with other resident software, other software might not behave so well. This can cause system errors or even more serious problems. This section describes some common problems and their solutions.

PROBLEM: If a TBAV utility tries to display a message, the text message "file <filename> could not be opened" appears.
    Specify the FULL path and filename of the file to use as a message file after the TbDriver loading command. The default file name is TBDRIVER.LNG.

PROBLEM: One of your utilities is loading a TSR into memory without an executable filename extension, such as .EXE or .COM. Since TbSetup creates ANTI-VIR.DAT records only for files with an executable extension, there is no ANTI-VIR.DAT record, so TbMem is not able to record the TSR permission information.
    Run TbSetup and specify the exact filename of the TSR. TbSetup creates an ANTI-VIR.DAT record regardless of the filename extension, so TbMem can now record its information. Although the ANTI-VIR.DAT record exists, TbScan does not use it to check the CRC, to avoid false alarms.

PROBLEM: You are running a network, and one of the following problems arises:

    1.
       TbScanX is installed, but does not display the *scanning* message while accessing files. It also does not detect viruses.
    2. TbCheck is installed, but does not display the *checking* message while accessing files. It also does not detect viruses.
    3. TbFile is installed, but does not detect anything.
    4. TbMem is installed, but does not detect TSRs.

    Use the "TbDriver net" command after the network loads.

PROBLEM: The system sometimes hangs when the message *scanning* is on the screen.
    Try TbScanX without the EMS or XMS option. If TbScanX now works without any problems, add the EMS or XMS option again along with the COMPAT option. On some systems, you cannot use the TbScanX XMS option at all, because these systems do not allow resident software to use extended memory. If the problem relates to the XMS option and still occurs when you use the COMPAT option, you can use the XMSSEG = <VALUE> option to change the XMS swap segment address. The value should be between 2000 and 8000. The default value is 4000.

PROBLEM: After you have given permission for a program to remain resident in memory, TbMem asks the same question the next time.
    First, the SECURE option of TbDriver may be in use. Remove this option, reboot and try again. Second, the program mentioned may not appear in the ANTI-VIR.DAT file and, therefore, TbMem cannot permanently store the permission flag. Use TbSetup first to generate this program's ANTI-VIR.DAT record. Third, for some reason it may not be possible to write to the Anti-Vir.Dat file. The file might reside on a write protected diskette or on a network in a read-only directory, or the Anti-Vir.Dat file has the read-only attribute set.

PROBLEM: The system sometimes hangs when you answer "YES" (abort program) to a TbMem message.
    A solution here is difficult. Some resident programs seriously interfere with the system, and once rejected from memory, the system becomes unstable.
PROBLEM: When you load TbDisk from the DOS command prompt, everything works fine. When you install TbDisk from within the CONFIG.SYS or AUTOEXEC.BAT file, however, it continually warns that programs write to disk directly.
    Load TbDisk at the end of your AUTOEXEC.BAT file.

PROBLEM: You formatted the hard disk using DOS FORMAT, but TbDisk did not display a message until the process was almost complete.
    This is not a problem. A high level format program such as DOS's FORMAT.COM does not actually format the disk (that is, divide the disk into tracks and sectors); rather, it reads all tracks to locate possible bad spots and clears the FAT and directory structure. Only this last step implies a disk write, so it is the only one TbDisk detects.

PROBLEM: After you give permission for a program to perform direct disk access, TbDisk asks the same question the next time.
    First, the SECURE option of TbDriver may be in use. Remove this option, reboot and try again. Second, the program mentioned may not appear in the ANTI-VIR.DAT file, and therefore TbDisk cannot permanently store the permission flag. Use TbSetup first to generate this program's ANTI-VIR.DAT record.

PROBLEM: If you try to use Windows fast 32-bit disk access, Windows displays an error message.
    Use the WIN32 option on the TbDisk command line.

Appendix D: TBAV Exit Codes and Batch Files

All TBAV utilities return to DOS with an error code that you can use with DOS's ERRORLEVEL command. The chief use of these error codes is in batch files. This appendix lists these error codes. Consult your DOS manual for information on how to use error codes in batch files.
D.1 TbScan Exit Codes

TbScan terminates with one of the following exit codes:

    Errorlevel  Description
    ----------  -------------------------------------
    0           No viruses found / no error occurred
    1           No files found
    2           An error occurred
    3           Files have changed
    4           Virus found using heuristic analysis
    5           Virus found using signature scanning
    255         Sanity check failed

D.2 TbUtil Exit Codes

TbUtil terminates with one of the following exit codes:

    Errorlevel  Description
    ----------  -------------------------------------
    0           No error occurred
    1           Option "compare" failed / an error occurred

D.3 General Exit Codes

All the TBAV utilities except TbScan and TbUtil (see above) exit with one of the following exit codes:

    Errorlevel  Description
    ----------  -------------------------------------
    0           No error occurred
    1           An error occurred

D.4 Program Installation Check

To detect within a batch file whether a resident TBAV utility is loaded, you can check for the device names. All TBAV utilities install a device name, whether they load from CONFIG.SYS or AUTOEXEC.BAT. You can use the DOS IF EXIST batch file command to check for the device names. The following example, illustrating a part of a batch file, uses this construction to test whether TbScanX is loaded:

    @ECHO OFF
    IF NOT EXIST SCANX ECHO TBSCANX HAS NOT BEEN LOADED!

You could also branch to a label by using the GOTO command:

    @ECHO OFF
    IF NOT EXIST SCANX GOTO NOSCANX
    ECHO TBSCANX EXISTS !
    GOTO END
    :NOSCANX
    ECHO TBSCANX DOES NOT EXIST !
    :END

Finally, the following table lists the device names used by the TBAV utilities:

    TBAV program  Device name
    ------------  -------------------------------------
    TbScanX       SCANX
    TbCheck       TBCHKXXX
    TbMem         TBMEMXXX
    TbFile        TBFILXXX
    TbDisk        TBDSKXXX
    TbLog         TBLOGXXX

Appendix E: Virus Detection and Naming

E.1 How Many Viruses Does TbScan Detect?
Most of the TbScan signatures are family signatures; that is, one signature detects an entire set of viruses. All these viruses relate to one another. The Jerusalem signature, for example, covers more than 100 viruses. For this reason, there is no way of knowing how many viruses TbScan detects. Some competing products treat each virus mutant as a separate virus, thus claiming to detect over 4000 viruses. TbScan, however, detects viruses using only 2000 signatures. If you want to compare virus scanners, you have to rely on the tests frequently published in magazines.

E.2 The Virus Naming Convention

TbScan follows the CARO virus naming recommendations. CARO is an organization in which leading anti-virus researchers participate. The CARO approach groups viruses in a hierarchical tree, which indicates to which family viruses belong. TbScan shows the complete CARO name where possible. In contrast, however, many other anti-virus products simply indicate the family name or the member name. For example, many products might refer to Leprosy.Seneca.493 using the family name Leprosy or the member name Seneca, or even by the variant name 493. Worse yet, anti-virus products developed by non-CARO members might even use a completely different name. TbScan, however, tries to display as much of the name as possible. Building on the previous example, if TbScan can't distinguish between the Leprosy.Seneca.493 and Leprosy.Seneca.517 viruses, it indicates both by the name Leprosy.Seneca.

Some viruses mutate themselves frequently. To detect all instances of such a virus, it is sometimes necessary to use multiple signatures. Although these signatures cover exactly the same virus, they do have a slightly different indication. Behind the name of the virus you will see a number in angle brackets. This number has nothing to do with the name of the virus, but is there just for maintenance reasons.

Index

Algorithms: 74, 153, 157, 174
ANTI-VIR.DAT: 1-4, 10, 18, 20, 22, 33-38, 41-43, 45, 46, 53, 62, 64, 75, 80-82, 92, 94, 95, 96, 98-103, 105, 111, 114, 120, 125, 150, 156, 157, 163, 175, 177, 181, 184, 186-188
Cleaner: 1, 98, 106, 107, 161-163
Command line options: 17, 40, 62, 79, 80, 86, 87, 94, 101, 102, 110, 112, 117, 132, 141, 145, 156
Communication: 143-146
Configurations: 49, 116
Configuring TBAV: 14-16, 40, 62, 100
Direct disk access: 39, 40, 124, 125, 151, 182, 188
Environment: 3, 5, 24, 96, 127, 140, 148, 181
Exit codes: 6, 189
Generic cleaner: 161, 163
Help: 15, 16, 27, 33, 34, 41, 44, 45, 62-64, 80, 86, 87, 94, 102, 108, 112, 117, 122, 123, 125, 141, 145, 175, 177
Heuristic cleaner: 98
Heuristic flags: 6, 60, 61, 69, 70, 73, 74, 76, 154, 155, 180
Heuristic scanning: 47, 65, 76, 153-155
Immunized partition table: 127
Installation: 8, 9, 11, 12, 18, 23, 25, 27, 44, 48, 121, 122, 125, 150, 152, 189
Integrity checking: 1, 2, 18, 153, 156, 157, 180, 184
Interface: 5, 11, 12, 16, 86, 89
Maintenance: 20, 120, 128, 129, 131, 133, 191
Memory requirements: 88, 147, 148
Menu interface: 11, 12, 16
Microsoft Windows: 5, 85, 93, 110, 140
Procedure: 3, 8, 9, 21, 23, 26, 48, 162
Program validation: 1, 18, 153, 156
Recovery diskette: 10, 20, 23, 25-27, 29, 31, 127
Repair cleaner: 98, 163
Signature definition: 173
Signature scanning: 75, 158, 189
System requirements: 8
Targets: 50
TBAV for DOS: 6, 84, 108, 143
TBAV for Networks: 8, 21, 143-146
TBAV for Windows: 8, 21, 22, 50, 86, 93, 143-145
TbCheck: 1, 2, 5, 10, 11, 19, 26, 27, 30, 33, 34, 78, 92-97, 147, 148, 186, 190
TbClean: 3, 16, 17, 26, 32-34, 47, 98-107, 147, 148, 161, 163, 164, 175-177
TbDel: 4, 14, 16, 32
TbDisk: 1, 3-5, 19, 78, 108-111, 117, 120-125, 147, 148, 187, 188, 190
TbDriver: 1, 10, 11, 19, 26, 27, 40, 78-83, 85, 92, 109, 111, 117, 121, 140, 147, 148, 149, 151, 177, 178, 186-188
TbFile: 1, 3-5, 10, 11, 19, 37, 43, 78, 108-111, 116-119, 121, 147, 148, 186, 190
TbGenSig: 4, 57, 65, 147, 165, 166, 168, 170, 172, 174
TbLoad: 21, 22
TbMem: 1, 3-5, 10, 11, 19, 78, 81, 108-114, 117, 121, 147-149, 186, 187, 190
TbMon: 5
TbNet: 143-146
TbScan: 1, 2, 6, 10-15, 17-22, 24, 26, 29, 30, 33, 40, 44, 46-76, 84, 91, 106, 147, 151-160, 165-168, 171, 173, 178, 180-184, 186, 189, 191
TBSCAN.SIG: 1, 6, 20-22, 26, 91, 165-168
TbScanX: 1, 2, 5, 10, 11, 19, 78, 82, 84-91, 147-149, 179, 186, 187, 190
TbSetup: 1-3, 10, 17-20, 22, 25, 27, 33-46, 92, 98, 111, 114, 120, 125, 147, 150, 151, 152, 153, 156, 157, 163, 175, 180, 181, 184, 186-188
TBSETUP.DAT: 40, 43, 45, 46, 150-153
TbUtil: 2, 3, 16, 26, 30, 31, 126-138, 147, 189
Thanks: 1, 47
Updates: 20, 80, 120, 165, 166
USERSIG.DAT: 165, 166, 168
Virus detection: 33, 75, 127, 130-133, 191
Virus infection: 1, 24, 25, 29, 31, 47, 69, 92, 108, 136
Virus naming: 191
Virus protection: 84
Windows: 5, 8, 21, 22, 44, 50, 52, 54, 57, 63, 68, 73, 85, 86, 93, 105, 110, 122, 124, 140, 141, 143-145, 170, 181, 188
Workstation: 11, 139, 143, 145, 146, 150