Revision 6.12c, December 96
---------------------------

ResQdisk had a new 'physical' mode added, providing extended capability for handling sectors through the entire hard drive, not only the boot areas. The new mode can be toggled in and out through ^P or with the mode selection menu, ^L. Two search modes are provided in physical drive access mode: search for candidate boot or partition sectors (^B), and case insensitive search (^F) for a user defined string. Extended ASCII characters, from ASCII 128 to 255, can be entered with Alt + numeric keys. Extended sector editing capability (^E) is provided in physical mode. A particularly useful feature of the physical mode is its ability to save a range of contiguous sectors to file (^S), which provides for user guided data recovery. The 'save to file' and extended editing features are available to registered ResQpro users only.

IVB changes.

IVB can be configured (see below) either to renew the signature file automatically when a new version of a program is found, or to prompt the user before replacing the signatures. IVB returns errorlevel 16 when it only renewed signatures, errorlevel 1 when an infection is suspected and errorlevel 0 if nothing is found. The renewal of a signature file is now recorded in both the IVB and the audit reports.

A 'configuration' option was added to INSTALL. The following parameters can be set through the configuration menu:

The attribute of the signature files can be selected from 'none', 'read-only' or 'hidden'.

The memory stealing test can be set to 'skip', or its threshold can be reset to the current value.

Renewal of the signature file when a new version is found can be set either to renew automatically or to prompt the user first.

The IVINIT CMOS test can be set to 'skip' or 'run'. This option could be useful on laptops that are used in both stand alone and docked mode. The NOCMOS switch in IVINIT and the utility with the same name are no longer required.
The default of IVB's piggybacking detection (PBD) is as follows: PBD is enabled when running under DOS or Windows 3.11 on local drives and disabled when checking remote (network) drives. To prevent false piggybacking alerts, PBD in IVB is now disabled when invoked through the IV menu shell while running under Windows NT or 95. A false piggybacking alert is caused by PBD running non-exclusively on a particular drive. This can be the case on a network drive or in a multitasking environment such as Win-95 and NT, hence the default states mentioned above. For advanced users and system administrators, an 'exclusivity modifier' was introduced which overrides the default. The IVB /NE (non-exclusive) modifier inhibits piggybacking detection altogether, regardless of the default. The /EX (exclusive) modifier enables piggybacking detection wherever possible, including network drives, regardless of the default. A timed message was added to indicate when piggybacking detection is disabled.

The following changes were made to IVX: The correlation algorithm was improved, based on experience gained in the last couple of years. As a result, the discrimination ability of IVX increased significantly and its use was simplified. Some of the default parameters and dialog items were changed accordingly. The 'wildcards' option in the user defined signature mode was removed, as IVX now processes 'approximate' signatures automatically. The sampling 'offset' parameter, formerly available only in command line mode, was added to the dialog where applicable. This way, IVX can now be used to full capacity from the IV shell. The default value of the detection threshold in statistical mode was changed from 20% to 40%, due to the increased sensitivity of IVX. Also, the string matching mode now has a controllable threshold, with a default value of 80%. The way the improved IVX is used needs some changes, in order to take full advantage of the new capabilities.
The recommended strategy for using IVX consists of two stages:

Stage 1: Establish the search parameters that give the best results. The parameters to use while optimizing are the selection of the sample file and the sampling offset.

Stage 2: Run IVX in string matching mode, against the latest (best) recorded signature. IVX automatically extracts a signature from the sample file on every run and saves it in a file (IVX.LOG).

Enhanced macro handling in IVX. The handling of macro viruses and Trojans has been significantly improved in this version, as has the rejection of false positives. A new IVX feature is its ability to detect and restore documents from botched macro disinfection.

The thermometer scale in IVB and IVSCAN was refined to indicate progress in increments of 1% rather than per directory, as before.

A reported problem of IV sometimes dropping out of bad or corrupted directories was fixed. The change applies to IVB, IVX and IVSCAN.

The processing under NT of the boot sector on floppies was improved in IVSCAN and FIXBOOT. NT requires different techniques than DOS (and Win 95) for direct disk access.

The online IV manual (MANUAL.H!) was updated with the recent changes. The printable Word manual and the Windows help will be updated at a later date.

Revision 6.12b - October 1996
-----------------------------

The rescue diskette procedure in the INSTALL module has been augmented to produce an NT boot floppy. A 'logical drive' mode was added in ResQdisk, as well as modes for handling Windows NT. An NT option was added to FixBoot as well. The /M switch was added in IVX to process modified files only. The InVircible passive armoring for floppies has been augmented to detect the presence of boot infectors as well as the presence of stealth file infectors. Introduction of the IVB.NOT skip marker.

Revision 6.12a - September 1996
-------------------------------

The ResQdata module was added to InVircible.
Revision 6.11c - July 1996
--------------------------

New option to INSTALL. It is now possible to specify the directory where to install InVircible right from the command line. Both INSTALL and IVLOGIN accept the new command option. Syntax: "DIR=pathname".

Virus detection through dodgy date or time stamp. Many viruses mark infected files by setting the year of the date to +100 years (i.e. year 2096 instead of 1996), or by setting the seconds to a value larger than 59. The faked date/time stamps are not revealed by the DIR command but are detected by IVSCAN. IV will indicate "dodgy date or time, possibly infected". Concurrently, NetZ released a freeware utility named GETDATE that lets you inspect drives for files with a dodgy date/time mark and rename those files on request. GETDATE can also spot files with a specified "seconds" setting. Certain viruses use a specific value in the seconds field to mark infected files, e.g. HD Euthanasia sets the seconds of infected files to 34. GetDate can be used as a first-aid and fast disinfector.

Due to the nature of macro viruses, it is impossible to distinguish legitimate auto-macros from potentially harmful ones. Customized templates and forms that use auto-macros can be saved in separate directories. These directories can be marked to be skipped by the IVX macro cleaner. To mark a directory to skip, just create a zero length file named IVX.NOT in it. To create a zero length file, type from the DOS prompt "TYPE PLAIN_GARBAGE > IVX.NOT", without the quotation marks.

Extended partitions on EIDE drives running in LBA mode will be corrupted by DOS programs running in a Win-95 MS-DOS shell, if the partition was created by Windows 95 FDISK. Win-95 introduced new extended partition types (types 0E, 0F - decimal 14, 15) for EIDE with LBA. Operating systems other than Win-95 do not recognize these partitions and erroneously reflect the C logical partition into the higher one. ResQdisk has been upgraded to check whether this problem exists.
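Returning to the dodgy date/time stamp detection described in this revision: an added worked example (not InVircible or GETDATE code) that decodes the packed FAT directory-entry date and time words and flags the marks the text lists (year +100, seconds above 59, a known marker value in the seconds field); the directory entries are constructed.

```python
"""Heuristic for the 'dodgy date or time' marks IVSCAN reports (added example, not
InVircible or GETDATE code). Works on the packed 16-bit FAT date/time words of a
directory entry, which DIR does not show in full. Sample entries are constructed."""
from collections import namedtuple

DOS_EPOCH_YEAR = 1980  # FAT stores the year as a 7-bit offset from 1980
DosStamp = namedtuple("DosStamp", "year month day hour minute second")

def pack_dos_stamp(year, month, day, hour, minute, second):
    """Encode as FAT does; storing second // 2 makes 60 and 62 encodable."""
    date_word = ((year - DOS_EPOCH_YEAR) << 9) | (month << 5) | day
    time_word = (hour << 11) | (minute << 5) | (second // 2)
    return date_word, time_word

def unpack_dos_stamp(date_word, time_word):
    """Decode without validating; the impossible values are the signal."""
    return DosStamp(DOS_EPOCH_YEAR + ((date_word >> 9) & 0x7F),
                    (date_word >> 5) & 0x0F, date_word & 0x1F,
                    (time_word >> 11) & 0x1F, (time_word >> 5) & 0x3F,
                    (time_word & 0x1F) * 2)

def dodgy_reasons(stamp, now_year, marker_seconds=(34,)):
    """Reasons a stamp looks faked (empty = looks normal). marker_seconds
    defaults to 34, the value the page attributes to HD Euthanasia."""
    reasons = []
    if stamp.year >= now_year + 100:  # e.g. 2096 on a file written in 1996
        reasons.append(f"year {stamp.year} (+{stamp.year - now_year} years)")
    if stamp.second > 59:  # 60 or 62: no real clock produces these
        reasons.append(f"seconds field {stamp.second} > 59")
    if stamp.second in marker_seconds:
        reasons.append(f"seconds == {stamp.second} (known marker)")
    return reasons

def scan_listing(entries, now_year, marker_seconds=(34,)):
    """entries: iterable of (name, date_word, time_word) -> {name: reasons}."""
    hits = {}
    for name, date_word, time_word in entries:
        why = dodgy_reasons(unpack_dos_stamp(date_word, time_word), now_year, marker_seconds)
        if why:
            hits[name] = why
    return hits

SAMPLE_ENTRIES = [  # constructed listing: one clean file and three marked ones
    ("CLEAN.EXE",) + pack_dos_stamp(1996, 12, 15, 10, 30, 20),
    ("YEAR.EXE",) + pack_dos_stamp(2096, 12, 15, 10, 30, 20),
    ("SECS.COM",) + pack_dos_stamp(1996, 12, 15, 10, 30, 62),
    ("MARK.EXE",) + pack_dos_stamp(1996, 12, 15, 10, 30, 34),
]
for _name, _why in scan_listing(SAMPLE_ENTRIES, now_year=1996).items():
    print(f"{_name}: dodgy date or time, possibly infected ({'; '.join(_why)})")
```

On a live FAT volume the raw directory-entry words have to be read directly, since most file APIs round the seconds and hide exactly the values this check keys on.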
When examining a partition with ResQdisk, a warning message will indicate the presence of partition types 0E or 0F. The user is then advised to correct the problem, to prevent possible damage.

Revision 6.11b - June 1996
--------------------------

NEW AUDIT FEATURE IN IVB. IVB now provides for the auditing of specified directories and drives. The audit function is based on the IVB integrity database and runs concurrently with IVB integrity checking. New, missing and modified files are reported in the audit log. Auditing can run either on demand or automatically. Auditing can be used in private user and corporate/network environments to keep track of program inventory. Auditing combined with IVB's integrity functions and the IVX report is useful in spotting the source of an infection. In the institutional environment, auditing can help system administrators in monitoring software uploads to servers.

Revision 6.11a - May 1996
-------------------------

A generic "Word Macros" mode was added to IVX. It detects forced macros in Word documents and templates and CLEANs them on request. IVX can be used in batch mode for handling macro viruses. INSTALL has been updated to edit the test for macro malware right into the autoexec (see below). The Word Macro mode in IVX has provisions for testing a workstation's integrity right at logging in to the network. Affected workstations can now be spotted right as they log in and refused access to the network. For details see appendix G in the DOS online hypertext, or search for "macro" in the Windows IV manual.

INSTALL program changes: convenience. The on-line registration is now assigned to F10 and was removed from the menus. Where Winword is found in the search path, the user will be prompted whether to include in the autoexec the Word templates integrity check against macro malware. The templates test is extremely fast (it takes just a few seconds) and is highly recommended.

New IVLOGIN /Q switch.
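An added example (not ResQdisk code) of the partition checks referred to here and in the 6.12c physical-mode search: a 55AAh signature test, which I assume is what a candidate boot/partition sector search relies on, followed by the warning for partition types 0Eh/0Fh; the MBR bytes are constructed.

```python
"""Partition table check of the kind ResQdisk's 0E/0F warning performs (added
example, not ResQdisk code). The 55AAh signature test is what I assume a
candidate boot/partition sector search uses; the 512-byte MBR is constructed."""
import struct

SECTOR_SIZE, TABLE_OFFSET, ENTRY_SIZE = 512, 446, 16
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
WIN95_LBA_TYPES = {0x0E: "FAT16 LBA (Win95)", 0x0F: "extended LBA (Win95)"}

def is_candidate_partition_sector(sector):
    """Candidate test: exactly one sector long and ending in the 55 AA marker."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == b"\x55\xaa"

def parse_partition_table(sector):
    """Return the in-use entries of the four 16-byte slots at offset 446."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype != 0:  # type 0 means the slot is empty
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries

def lba_partition_warnings(sector):
    """Warnings for the Win95 LBA partition types other DOS versions misread."""
    if not is_candidate_partition_sector(sector):
        return ["no 55AA signature: not a boot or partition sector"]
    return [f"entry {e['index']}: type {e['type']:02X}h ({WIN95_LBA_TYPES[e['type']]}):"
            " not recognized outside Win-95, see the 6.11c note"
            for e in parse_partition_table(sector) if e["type"] in WIN95_LBA_TYPES]

def build_sample_mbr():
    """Constructed MBR: bootable FAT16 (06h) plus a Win95 extended LBA (0Fh)."""
    sector = bytearray(SECTOR_SIZE)
    layout = [(0x80, 0x06, 63, 1_048_513), (0x00, 0x0F, 1_048_576, 3_145_728)]
    for i, (status, ptype, start, count) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + i * ENTRY_SIZE,
                         status, ptype, start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    for line in lba_partition_warnings(build_sample_mbr()):
        print("ResQdisk-style warning:", line)
```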
When run with the /Q switch, IVLOGIN queries the workstation whether the daily integrity check (IVB DAILY) did run. IVLOGIN returns errorlevel 0 if the test was run and 1 otherwise. The integrity query switch can be used by network administrators to refuse access to users that disabled the IV daily integrity check.

Revision 6.11 - April 1996
--------------------------

The Windows user guide was added starting with this version. The file's name is IVMANUAL.HLP.

The editing of the BIOS Parameter Block (BPB) of logical drives' boot sectors was added to ResQdisk. This facilitates the recovery of hard drives with non-standard configurations such as Compaq models and multiple partitions with dynamic boot overlay drives (DDO), as well as NT servers and workstations.

Batch processing of floppies with the IVX correlator was added. The IVX correlation-scan parameters need to be entered just once to process floppies in bulk.

Revision 6.10e - March 1996
---------------------------

The CMOS monitoring function of IV was relaxed to watch only for hard drive configuration changes. Improved protection against path companion viruses.

Revision 6.10d - January 1996
-----------------------------

New appendix H added to the IV online manual, covering hard disk and data recovery methods.

Revision 6.10c
--------------

A partition sector editor was added to ResQdisk Professional. The licensing utility (LICENSE) for system administrators was introduced. Available from authorized NetZ agents.

Revision 6.10b
--------------

FIXBOOT was upgraded to support Microsoft's 1.68 MB DMF floppy format, used in Win 95 and MS-Office installation kits. The rescue procedure was upgraded to create the A:\HD_DATA.NTZ file, containing the hard drives' configuration and setup data. A GET-HD utility was added to the standard IV package as well. The rescue procedure now also supports Norton's UNFORMAT.EXE, in addition to the DOS default UNFORMAT.COM. The file is renamed to UNFORMT! on the IV rescue floppy.
The number of IVB checklist includes and excludes was increased from five to ten each. The syntax was extended and pathnames are now allowed for the exclude (SKIP=) files.

Revision 6.10a
--------------

Improved Windows 95 rescue floppy procedures. FixBoot was upgraded to automatically handle Windows 95 boot floppies. FIND-SIG housekeeping utility added. Find-Sig removes orphan IVB signature files; only active signature files are left.

Revision 6.10
-------------

The online hypertext and the full manual were completely revised. The full manual on-line hypertext was added. New ResQdisk option: compare track zero to backup. New option to INSTALL and IVLOGIN: installation with a predetermined signature filename. Syntax: SIG=filename. Up to five filespecs can be added to the IVB checklist. Add a line for each additional filespec in IVB.INI, using the syntax INCL=filespec. The IVMENU.EXE user interface shell was renamed to IV.EXE.

Product upgrade, 6.02b
----------------------

Online backup when renewing the IVB signatures was added. The older file is renamed to *.000. Further improvement in the correlator, IVX, advanced options. Fixing an offset for sampling is now possible from the command line. Improved FIXBOOT feature: automatic selection of the boot system, either PC-DOS or MS-DOS. ResQdisk Professional (ResQpro) is merged in a single module with the standard ResQdisk program. The Pro floppy is available to authorized NetZ agents. A single session password for ResQpro was added to ResQdisk. The SYS option for refreshing the hard disk boot sector was added to ResQdisk. "Signature killer" detection was added to all the IV scanning programs (IVB, IVX and IVSCAN). A random signature filename can be specified from either INSTALL's or IVLOGIN's command line. Syntax: INSTALL or IVLOGIN /RANDOM.

Revision 6.02a
--------------

Automatic signature extraction and scanning were added to the statistical correlator, IVX.
Detection of PKLITE'd droppers and Trojans was added to IVSCAN. An exception list was added to IVB, to exclude up to 5 filenames from IVB's checklist. The syntax for excluding a filespec in the IVB.INI file is SKIP = only_filename_to_exclude (no path).

Revision 6.02
-------------

Improved handling of EIDE drives using DDO, in all IV modules. DOS access to boot sectors was added to ResQdisk, in addition to the existing INT 13h access, for handling EIDE drives using DDO (where no LBA is available).

Revision 6.01d
--------------

Improved ResQdisk editing features were added. The 'Edit' menu (Alt+E) was added, including sector read / write from backup or from file, and a special "decrypt" routine to handle drives ruined by Monkey. Improved ResQdisk track 0 maintenance features (Alt+Z) were added.

Revision 6.01c - January 1995
-----------------------------

Automatic IV version upgrades in networks: IVLOGIN can now be used both for the automatic installation of InVircible to workstations in a networked environment and for upgrading an older IV version to a newer one.

Revision 6.01b - December 1994
------------------------------

Installation of InVircible on networked PCs: Revision 6.01B has an additional file, IVLOGIN.EXE. As its name implies, it is run from the user login script in networks.