AVG 4.1 FREEWARE
================

This is the FREEWARE version of the AVG 4.1 anti-virus system. It is protected by copyright but can be used subject to the following conditions:

It may be used by anybody for their private use for an unlimited length of time.

Commercial, educational, medical or any state-run organisation may use it for a period of only 60 days from the day on which it was first obtained. Thereafter the software must be uninstalled or upgraded to the commercial version.

The software may be copied and passed on to third parties, but it must not be modified in any way and nobody may charge for it.

The authors of AVG FREEWARE do not take any responsibility for any consequences of the use/misuse of the software or for the consequences of computer virus infection on a computer running AVG.

Limitations of FREEWARE AVG
---------------------------
The FREEWARE version of AVG does not come with the driver AVGSYS.EXE, so it will not provide resident protection, and it will not remove viruses from files (it will remove boot-sector viruses). These features are reserved for the commercial version.
***************************************************************************

How to use this manual
======================

We know from experience that in order to be comprehensible, much of the manual must explain the principles behind the various functions and not merely describe how they are used.

Passages applicable to both the DOS and WINDOWS versions are in normal format; text pertaining to only one version is marked and indented as below:

   [DOS]      This marker denotes passages applying specifically to AVG for DOS.

   [WINDOWS]  This marker denotes parts of the text concerning AVG for WINDOWS.

   [!]        This marker denotes information of key importance.

***************************************************************************

Updating AVG
============

In view of the rapid developments in the virus world, the AVG anti-virus system is being developed continuously. There are two ways in which GRISOFT(c) SOFTWARE keeps its customers up to date:

New versions of AVG
-------------------
These are issued regularly (approx. once a year). The new versions involve considerable qualitative changes, i.e. improved techniques for searching for viruses, new functions, and so on. All registered users are notified by the manufacturer and can purchase the upgrade at a discount.

Updating AVG
------------
Updates are released each month. These include new virus information and minor changes to the program. All files are in one self-extracting archive and can be downloaded from the Internet free of charge (the file UPDATE.TXT contains all addresses and telephone numbers). A postal diskette service is available at a nominal cost.

The distribution file has the following format: xxyyyAVG.EXE, where

   xx  = the year in which the updated program was created, e.g. 95
   yyy = the number of the day of the year on which the program was updated (e.g. 046 = 15 February)
***************************************************************************

Installation
============

Before installation, we recommend copying the installation diskette and then using the copy rather than the original. If, however, a virus-free environment cannot be guaranteed, install from the master diskette and make a copy later. In either case keep the master diskette write-protected, so that it cannot be infected by the machine it is used on.

Starting installation
---------------------
Throughout this section we assume that installation is from drive A:. Should any other drive be used, substitute the appropriate drive letter for A:.

   [DOS]      From the command line type A:\INSTALL. This command will install AVG for DOS only.

   [WINDOWS]  From Explorer (File Manager in WINDOWS 3.x) choose A:\SETUP. This will install AVG for both DOS and WINDOWS. AVG detects automatically which version of WINDOWS is running.

During installation a name and serial number will be requested. The serial number can be found on the registration card. If an incorrect number is entered three times the program will be declared unregistered. AVG will still work correctly, but it will not be possible to use the free updates.

Deleting older versions of AVG is optional. If this is selected the installation program looks for an older version of AVG and deletes it.

Interactive setting of the resident AVGSYS driver is optional - towards the end of installation the various AVGSYS parameters will be offered.

Installing AVG to a diskette is optional - a blank formatted diskette, preferably with system files, will be needed. Only the DOS version can be installed to a diskette, which will then contain just the necessary files.

Next the configuration files will be amended. The optional resident driver AVGSYS.EXE is inserted in CONFIG.SYS, and AUTOEXEC.BAT is extended by adding the AVG directory to the path. AVGSYSW.EXE is also added if AVG for WINDOWS is being installed.

For the changes made during installation to take effect the system must be restarted.
***************************************************************************

Resident Drivers                                    NOT AVAILABLE IN FREEWARE
================

An important part of AVG is the resident driver AVGSYS.EXE. It is permanently located in memory to prevent virus infiltration and constantly monitors system activities. Anything suspicious or incorrect is interrupted and will not proceed unless confirmed.

Another driver is required under WINDOWS to enable communication between AVGSYS and WINDOWS: AVGSYSW.EXE for WINDOWS 3.x, and AVGWD.VXD for WINDOWS 95. Under WINDOWS 95 the driver AVGWD.VXD is added to SYSTEM.INI during installation. The default settings can be changed by running Driver Settings from the AVG group.

Installation - DOS and WINDOWS 3.x
----------------------------------
The driver must be loaded when the computer is booted, by the DEVICE= command in CONFIG.SYS. It is not possible to activate the driver in any other way.

   DEVICE = disk:\directory\AVGSYS.EXE /parameters

Since the driver uses XMS memory, it should be started after the driver that controls the XMS memory in your computer - usually this is HIMEM.SYS. If AVGSYS cannot use XMS memory then the boot sector of diskettes cannot be checked.

Parameters
----------
Each parameter is listed with the environment in which it applies, its default, the recommended setting, and where it can be set. Note that several of the checks (/DWRI, /SCAN, /RENM, /BOOT, /WARM, /GRWR and /TUNN) are off by default although the recommended setting is on, so a driver loaded with no parameters gives considerably less protection than the recommended configuration.

/AXMS[+/-]   Determines whether the driver uses XMS memory. About 33 kB is used as a working area. If XMS memory is not available or not used (/AXMS-) the driver will use the hard disk as a working area.
             Environment : DOS and WINDOWS
             Default     : /AXMS+
             Recommended : /AXMS+
             Use         : only in the CONFIG.SYS file

/MESG[+/-]   Determines whether AVGSYS displays messages on the first line of the screen.
             Environment : DOS
             Default     : /MESG+
             Recommended : /MESG+
             Use         : CONFIG.SYS and from the command line

/BEEP[+/-]   Determines whether sound is used.
             Environment : DOS and WINDOWS
             Default     : /BEEP+
             Recommended : /BEEP+
             Use         : CONFIG.SYS and from the command line

/FWRI[+/-]   Turns on/off checking of COM/EXE files being opened with write permission.
             If detected, the following is possible:
                Yes    - permits the file to be opened
                No     - the file will not be opened for writing
                Always - the same effect as Yes up to the end of the calling program or until the time limit of about 60 seconds is reached
             Environment : DOS and WINDOWS
             Default     : /FWRI+
             Recommended : /FWRI+
             Use         : CONFIG.SYS and from the command line

/DWRI[+/-]   Turns on/off checking for writes to the system areas. If detected, the following is possible:
                Yes    - the write to the system areas will be allowed
                No     - the write will not be allowed; an error code will be returned to the process which made the request
                Ignore - the write will not be allowed, but error-free status will be returned to the process which made the request, as though the operation had been carried out
             Environment : DOS and WINDOWS
             Default     : /DWRI-
             Recommended : /DWRI+
             Use         : CONFIG.SYS and from the command line

/SCAN[+/-]   Turns on/off the scan-test of opened files.
             Environment : DOS and WINDOWS
             Default     : /SCAN-
             Recommended : /SCAN+
             Use         : CONFIG.SYS and from the command line

/COMP[+/-]   Turns on/off the comparative test of a file when it is opened.
             Environment : DOS and WINDOWS
             Default     : /COMP-
             Recommended : /COMP-
             Use         : CONFIG.SYS and from the command line

/RENM[+/-]   Turns on/off checking for the renaming of COM/EXE files. If detected, the following is possible:
                Yes - renaming permitted
                No  - renaming not permitted
             Environment : DOS and WINDOWS
             Default     : /RENM-
             Recommended : /RENM+
             Use         : CONFIG.SYS and from the command line

/BOOT[+/-]   Turns on/off checking of the diskette boot sector in drive A:. This can be used only if XMS memory is available.
             Environment : DOS and WINDOWS
             Default     : /BOOT-
             Recommended : /BOOT+
             Use         : CONFIG.SYS and from the command line

/OPEN[+/-]   Turns on/off the scan-test on files when they are opened.
             Environment : DOS and WINDOWS
             Default     : /OPEN-
             Recommended : /OPEN-
             Use         : CONFIG.SYS and from the command line

/WARM[+/-]   Turns on/off checking for the presence of a diskette in drive A: when Ctrl+Alt+Del is pressed.
             Environment : DOS
             Default     : /WARM-
             Recommended : /WARM+
             Use         : CONFIG.SYS and from the command line

/GRWR[+/-]   Determines whether AVGSYS displays messages in DOS applications running in a graphics mode. Note that the first line of the screen cannot be restored in graphics mode.
             Environment : DOS
             Default     : /GRWR-
             Recommended : /GRWR+
             Use         : CONFIG.SYS and from the command line

/TUNN[+/-]   Turns on/off checking for INT13/INT21 tunnelling.
             Environment : DOS and WINDOWS
             Default     : /TUNN-
             Recommended : /TUNN+
             Use         : CONFIG.SYS and from the command line

/NETW[+/-]   Determines whether network drives are to be checked by /SCAN, /COMP, /OPEN and /FWRI. AVGSYS /NETW+ must be run after the network drivers have been loaded.

Parameters can be changed either from the command line or with the help of SETSYS.EXE - these changes do not affect the settings in CONFIG.SYS.

Updating the Driver
-------------------
A list of the active parameters can be obtained by executing the AVGSYS.EXE driver without a parameter. AVGSYS /? displays a list of the parameters available - the letters in brackets mean:

   i - can be initialised from the CONFIG.SYS file
   m - can be modified from the command line

Loading of AVGSYS when booting can be suppressed by holding down the left Ctrl and left Alt keys while CONFIG.SYS is being processed. Note that anyone with physical access to the keyboard at boot time can therefore start the machine without the resident driver.

***************************************************************************

Starting AVG for DOS
====================

This chapter describes the three ways of running AVG for DOS:

   Interactive mode - most common
   Command file     - for automatic testing
   Command line     - for quick testing

Interactive mode
----------------
For interactive mode the command line syntax is as follows:

   AVG.EXE [/T] [/G] [/SD[number]] [/VGAHI[number]] [/ANALYSE[+/-]] [/FASTREAD[+/-]] [/XMS[+/-]] [/STEALTH[+/-]] [/BREAK[+/-]] [/NONSTOP] [/SUBDIR[+/-]] [/NOMEM] [/NOSELF] [/NOEXPORT] [/REPORTfilename]

The switches mean the following:

/T               Starts AVG in text mode.
/G               Starts AVG in VGA graphic mode.
/SD[number]      Loads a default background in graphics mode - otherwise one is chosen at random from the few possibilities. The number ranges from 0 to 5 and is linked to a background.
/VGAHI[number]   Starts in a graphic mode of 800x600 pixels. The number must be hexadecimal and is used for direct setting of the video card mode - consult the video card manual.
/ANALYSE[+/-]    Turns on/off the fast heuristic analysis in the Scan-test.
/FASTREAD[+/-]   Turns on/off fast reading.
/XMS[+/-]        Turns on/off the use of XMS memory.
/STEALTH[+/-]    Turns on/off anti-stealth technology.
/BREAK[+/-]      Turns on/off Ctrl-Break.
/NONSTOP         Tests and reports only. No user input is expected.
/SUBDIR[+/-]     Turns on/off testing of subdirectories.
/NOMEM           Does not test RAM.
/NOSELF          Does not run the AVG internal integrity check.
/NOEXPORT        Prevents creation of the _GRISOFT.VIR file.
/REPORTfilename  Creates a text file containing the results of the tests. The name of the file must be specified.

If none of the above parameters is given, the setting is either taken from the configuration file or is the default. The following shows the parameters, their defaults and whether or not they are stored in the configuration file:

   Parameter   Default   In configuration file
   /T or /G    /G        Yes
   /SD         random    No
   /VGAHI      -         No
   /ANALYSIS   +         Yes
   /FASTREAD   +         Yes
   /XMS        +         Yes
   /STEALTH    +         Yes
   /BREAK      -         No
   /NONSTOP    -         Yes
   /SUBDIR     +         No
   /NOMEM      -         Yes
   /NOSELF     -         No
   /NOEXPORT   -         Yes
   /REPORT     none      Yes

Desktop
   After carrying out the initial tests the basic working area appears with the following menus:

      Info      - basic information about AVG
      Tests     - test functions
      Settings  - setting program parameters
      Utilities - backup and restore system areas and other utilities
      Exit      - exits AVG

Help line
   The bottom line of the desktop gives more information on the highlighted menu item.

Help
   F1 calls up context-sensitive help.
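The parameter list in the Resident Drivers chapter above gives a default and a recommended value for every AVGSYS switch, and most of the protective checks default to off. The following script is an added example written for this page (it is not AVG code or anything shipped by GRISOFT): it reads a CONFIG.SYS, finds the AVGSYS.EXE DEVICE= line, applies the manual's defaults to any switch not given explicitly, and reports every switch whose effective value differs from the recommended one. It also checks the two dependencies the chapter states: the driver must be loaded after HIMEM.SYS when it uses XMS, and /BOOT+ needs XMS. The switch table is transcribed from the manual (/NETW is omitted because no default is given for it); the CONFIG.SYS text at the bottom is constructed for the example.

```python
"""Audit the AVGSYS.EXE line in CONFIG.SYS against the defaults and the
recommended settings listed in the Resident Drivers chapter.

Added example, not part of the manual or of GRISOFT's software.  The switch
table is transcribed from the manual's parameter list; /NETW is left out
because the manual gives it no default.  The CONFIG.SYS text at the bottom
is constructed for this example.
"""
import re

SWITCHES = {  # name: (default, recommended), as the manual lists them
    "AXMS": ("+", "+"), "MESG": ("+", "+"), "BEEP": ("+", "+"),
    "FWRI": ("+", "+"), "DWRI": ("-", "+"), "SCAN": ("-", "+"),
    "COMP": ("-", "-"), "RENM": ("-", "+"), "BOOT": ("-", "+"),
    "OPEN": ("-", "-"), "WARM": ("-", "+"), "GRWR": ("-", "+"),
    "TUNN": ("-", "+"),
}
DEVICE_RE = re.compile(r"\s*DEVICE(?:HIGH)?\s*=\s*(\S+)(.*)$", re.IGNORECASE)
SWITCH_RE = re.compile(r"/([A-Z]{4})([+-])", re.IGNORECASE)


def parse_device_line(line):
    """(settings, unrecognised tokens) for an AVGSYS.EXE DEVICE= line, else None."""
    m = DEVICE_RE.match(line)
    if not m or not m.group(1).upper().endswith("AVGSYS.EXE"):
        return None
    settings, unknown = {}, []
    for tok in m.group(2).split():
        s = SWITCH_RE.fullmatch(tok)
        if s:
            settings[s.group(1).upper()] = s.group(2)
        else:
            unknown.append(tok)
    return settings, unknown


def audit_config_sys(text):
    """Findings for a whole CONFIG.SYS: load-order errors, and every switch
    whose effective value (explicit, else the manual's default) is not the
    recommended one."""
    findings = {"errors": [], "differs_from_recommended": [], "unknown": []}
    himem_at = avgsys_at = None
    settings = {}
    for n, line in enumerate(text.splitlines(), 1):
        dev = DEVICE_RE.match(line)
        if dev and dev.group(1).upper().endswith("HIMEM.SYS"):
            himem_at = n
        parsed = parse_device_line(line)
        if parsed:
            avgsys_at = n
            settings, findings["unknown"] = parsed
    if avgsys_at is None:
        findings["errors"].append("AVGSYS.EXE is not loaded from CONFIG.SYS")
        return findings
    # The driver works in XMS memory, so the XMS driver (usually HIMEM.SYS)
    # must be loaded before it; otherwise diskette boot sectors go unchecked.
    if settings.get("AXMS", "+") == "+" and (himem_at is None or himem_at > avgsys_at):
        findings["errors"].append(
            "AVGSYS /AXMS+ is loaded before HIMEM.SYS: no XMS, diskette boot sectors cannot be checked")
    if settings.get("BOOT") == "+" and settings.get("AXMS") == "-":
        findings["errors"].append("/BOOT+ needs XMS memory but /AXMS- is set")
    for name, (default, recommended) in SWITCHES.items():
        effective = settings.get(name, default)
        if effective != recommended:
            findings["differs_from_recommended"].append(
                f"/{name}{effective} (recommended /{name}{recommended})")
    return findings


# Constructed sample: the kind of line the installer writes, with the
# remaining switches left at their defaults.
SAMPLE_CONFIG_SYS = r"""DEVICE=C:\DOS\HIMEM.SYS
DEVICE=C:\DOS\EMM386.EXE NOEMS
DEVICE=C:\AVG\AVGSYS.EXE /AXMS+ /MESG+
FILES=30
"""

if __name__ == "__main__":
    for key, items in audit_config_sys(SAMPLE_CONFIG_SYS).items():
        for item in items:
            print(f"{key}: {item}")
```

Run against the sample the script lists seven switches at their weaker defaults (/DWRI-, /SCAN-, /RENM-, /BOOT-, /WARM-, /GRWR-, /TUNN-); remember that command-line or SETSYS.EXE changes are not reflected in CONFIG.SYS, so a line that audits clean describes only what is loaded at boot.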
Mode indicator
   The top right corner shows four letters (S, X, A, F) which indicate the current use of:

      S - anti-stealth technology
      X - XMS memory
      A - fast heuristic analysis
      F - fast read from the disk

   The letters are displayed all the time, bright white when active, otherwise grey. Note that they do not show the settings but the current usage. For instance, the letter F will be bright white only when fast read is actually being used.

Starting AVG with a command file
--------------------------------
AVG can be started with a command file to automate testing.

   [WINDOWS]  This feature is not available in WINDOWS since it is designed for MS-DOS only. Macros will achieve a similar result - see the chapter Macros.

The command file is an ASCII file containing the permitted commands and must not contain any other symbols, such as the control codes of a text editor. AVG will be controlled by the commands from this file and no menu is displayed. In this mode AVG only detects and reports - it will not repair or update the comparative database.

Creating a command file
-----------------------
The following commands can be used in the command file:

SCAN    Activates the Scan-test. The full syntax is:

           SCAN [DEVICE:[\DIRECTORY[\FILE]]] [:number of days]

        DEVICE:\DIRECTORY\FILE - the device and/or directory, or the particular file, which is to be tested.
        :number of days        - the time interval between tests run from the command file. If omitted or set to 0, the command is always executed.

        Example:  SCAN C: D:\MYDIR:7
        Runs the Scan-test, if more than 7 days have passed since the last test, on the whole of drive C:, but on D: only the directory \MYDIR is tested.

COMP    Activates the comparative test. The syntax is the same as for the SCAN command.

HEUR    Activates heuristic analysis. The syntax is the same as for the SCAN command.

STOP errorlevel
        AVG returns an ERRORLEVEL on exit. The value corresponds to what AVG found. Generally, the higher the value, the more serious the finding.
        The STOP command defines the ERRORLEVEL value at or above which the process must not continue. For instance STOP 7 will prevent AVG from continuing if the Scan-test finds a file infected by a known virus.

List of ERRORLEVEL values used by AVG:

    0  AVG found nothing important or suspicious
    1  AVG was aborted by Ctrl-Break
    2  AVG detected an error
    3  Comparative test found a change in file(s)
    4  Comparative test found a change in the system areas
    5  Code analysis detected a suspect file
    6  Code analysis detected a suspect system area
    7  Scan-test found a file infected by a known virus
    8  Scan-test found a system area infected by a known virus
    9  Memory test found a virus
   10  Memory test found an aggressive virus
   11  AVG found an internal error

Note that the values 1 and 2 mean the test did not complete, not that nothing was found, so a batch file should treat only 0 as a clean result.

The following switches can also be used in a command file:

/SUBDIR[+/-]     Turns on/off testing of subdirectories.
/ANALYSIS[+/-]   Turns on/off fast heuristic analysis.
/FASTREAD[+/-]   Turns on/off fast reading.
/XMS[+/-]        Turns on/off XMS memory usage.
/STEALTH[+/-]    Turns on/off anti-stealth technology.
/REPORTfilename  Defines the name of the file to which the results of the tests are to be logged.
/NOMEM           Does not test RAM.
/BREAK[+/-]      Turns on/off Ctrl-Break.

Running the command file
------------------------
The command line syntax is:

   AVG /@commandfile

Example command file:

   /STOP 5
   /SUBDIR+
   /FASTREAD+
   /ANALYSIS+
   SCAN C:\DOS : 0
   SCAN C:\ : 1
   /SUBDIR-
   COMP C:\ : 7
   HEUR C:\ : 7

When AVG is started with this command file it carries out:

   A Scan-test of the directory C:\DOS (including subdirectories) each time it is run (even several times a day).
   A Scan-test of the directory C:\ (including subdirectories) once a day.
   A comparative test of C:\ (subdirectories excluded by the preceding /SUBDIR-) provided more than 7 days have elapsed since it was last run from the command file.
   A full heuristic analysis of C:\ (again without subdirectories) provided more than 7 days have elapsed since it was last run from the command file.

If AVG finds an event with an errorlevel of 5 or higher in any of the above tests, it stops the computer and gives a warning.
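The command-file rules above (commands with per-target day intervals, switches that stay in force from the line where they appear, and STOP as a threshold on the ERRORLEVEL table) are small enough to model exactly. The following Python script is an added example for this page, not code from AVG or GRISOFT: it parses the manual's example command file, decides which tests are due from a constructed record of when each last ran, records which switches were in force for each, and applies the STOP threshold. Two points are assumptions because the manual does not state them: a test is treated as due when at least N whole days have elapsed (the manual says "more than N days"), and the STOP line is accepted both as STOP and as /STOP, since the manual shows both forms.

```python
"""Model of the AVG for DOS command file: parse its commands and switches,
decide which tests are due from when each last ran, and apply the STOP
threshold to the ERRORLEVEL table.

Added example written for this manual page; it is not code from AVG or GRISOFT.
Assumptions: a test is due when at least N whole days have elapsed (the manual
says "more than N days"; the exact boundary is not stated); the STOP line is
accepted with or without a leading slash because the manual shows both forms;
the last-run times are constructed here, not read from AVG's own records.
"""
import re
from datetime import datetime, timedelta

ERRORLEVELS = {  # from the manual's table
    0: "nothing important or suspicious", 1: "aborted by Ctrl-Break",
    2: "AVG detected error", 3: "comparative test found change in file(s)",
    4: "comparative test found change in system areas",
    5: "code analysis detected suspect file",
    6: "code analysis detected suspect system area",
    7: "scan-test found file infected by known virus",
    8: "scan-test found system area infected by known virus",
    9: "memory test found virus", 10: "memory test found aggressive virus",
    11: "AVG found internal error",
}
TESTS = ("SCAN", "COMP", "HEUR")
INTERVAL_RE = re.compile(r"(.*?)\s*:\s*(\d+)")  # targets, then ':days'
# Defaults from the DOS switch table; a switch line overrides them from that
# point to the end of the file or until the next change.
DEFAULT_SWITCHES = {"SUBDIR": "+", "FASTREAD": "+", "ANALYSIS": "+",
                    "XMS": "+", "STEALTH": "+", "BREAK": "-", "NOMEM": "-"}


def parse_command_file(text):
    """Entries in file order: ('stop', n), ('switch', name, value) or
    ('test', cmd, [targets], days)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        word = word.upper().lstrip("/")
        if word == "STOP":
            entries.append(("stop", int(rest)))
        elif word in TESTS:
            m = INTERVAL_RE.fullmatch(rest.strip())
            targets, days = (m.group(1), int(m.group(2))) if m else (rest, 0)
            entries.append(("test", word, targets.split(), days))
        elif line.upper().startswith("/REPORT"):       # /REPORTfilename
            entries.append(("switch", "REPORT", line[7:]))
        elif line.startswith("/"):                     # /NAME+, /NAME- or a bare /NOMEM
            if line[-1] in "+-":
                entries.append(("switch", line[1:-1].upper(), line[-1]))
            else:
                entries.append(("switch", line[1:].upper(), "+"))
        else:
            raise ValueError(f"not a valid command file line: {raw!r}")
    return entries


def plan_run(entries, last_run, now):
    """Walk the command file. Returns (stop_level, due), where due lists
    (cmd, target, switches in force) for every test that is due now."""
    switches = dict(DEFAULT_SWITCHES)
    stop_level, due = None, []
    for entry in entries:
        if entry[0] == "switch":
            switches[entry[1]] = entry[2]
        elif entry[0] == "stop":
            stop_level = entry[1]
        else:
            _, cmd, targets, days = entry
            for target in targets:
                last = last_run.get((cmd, target.upper()))
                if days == 0 or last is None or now - last >= timedelta(days=days):
                    due.append((cmd, target, dict(switches)))
    return stop_level, due


def should_stop(stop_level, errorlevel):
    """STOP n halts the run when the ERRORLEVEL is n or higher (the manual's
    example: STOP 7 stops if the Scan-test finds a known virus, which is 7)."""
    return stop_level is not None and errorlevel >= stop_level


# The manual's example command file, verbatim.
EXAMPLE_COMMAND_FILE = r"""
/STOP 5
/SUBDIR+
/FASTREAD+
/ANALYSIS+
SCAN C:\DOS : 0
SCAN C:\ : 1
/SUBDIR-
COMP C:\ : 7
HEUR C:\ : 7
"""
# Constructed last-run record: both scans ran 3 hours ago, the comparative
# test 10 days ago, and heuristic analysis has never run from this file.
NOW = datetime(1996, 2, 15, 9, 0)
LAST_RUN = {("SCAN", "C:\\DOS"): NOW - timedelta(hours=3),
            ("SCAN", "C:\\"): NOW - timedelta(hours=3),
            ("COMP", "C:\\"): NOW - timedelta(days=10)}

if __name__ == "__main__":
    stop, due = plan_run(parse_command_file(EXAMPLE_COMMAND_FILE), LAST_RUN, NOW)
    for cmd, target, sw in due:
        print(f"{cmd} {target} /SUBDIR{sw['SUBDIR']}")
    for level in (0, 3, 5, 7):
        print(f"ERRORLEVEL {level:2} ({ERRORLEVELS[level]}): stop={should_stop(stop, level)}")
```

With the constructed record the plan is exactly what the manual describes: the C:\DOS scan runs (interval 0), the daily C:\ scan is skipped because it ran three hours ago, and the comparative test and heuristic analysis both run without subdirectories because /SUBDIR- precedes them.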
The switches below are valid from the moment they are introduced until the end of the command file or until a later setting overrides them:

   /SUBDIR+
   /FASTREAD+
   /ANALYSIS+

***************************************************************************

Starting AVG for WINDOWS
========================

The WINDOWS 95 and WINDOWS 3.x versions of AVG have the same user interface.

AVG for WINDOWS starts with a few tests, of which the self-check is the most important. Failure of the self-check can be corrected only by re-installing AVG. As in DOS, the self-check can be omitted with the parameter /NOSELF. Further, AVG looks for _GRISOFT.VIR, checks that the databases are up to date, checks the scheduler and tests memory (if not switched off in Settings - General settings).

Desktop
   Note that AVG has only a full-sized working window.

   Menu items:
      Information - basic information about AVG
      Tests       - test functions
      Settings    - setting program parameters
      Utilities   - backup/restore system areas and other utilities
      Exit        - exits AVG
      Help        - contents of help

   Icons: Scan-test, Full heuristic analysis, Comparative test, Memory test, Macros, Exit.

Temporary files
---------------
AVG creates a number of temporary files on the hard disk. The names of these files follow the pattern AVG_xxx.$$$. AVG deletes these files when it ends normally. If AVG ends abnormally (system crash etc.) the files will remain on the hard disk and must be deleted manually.

***************************************************************************

Info menu
=========

As its name suggests, this menu contains functions of a predominantly informative character.

About AVG
   Displays information about the AVG version you are using, including the subversion, the date of release for distribution and information on language versions. The serial number and the name of the licensee are important. They are written into the AVG program during installation and cannot be changed later.

   The information about the AVI and AVF files is important.
   These files determine the range and capability of the tests, i.e. two programs of the same version but with different data files will differ in their capabilities. If the user employs his own files for user validation and/or his own descriptions of external viruses, the appropriate information is displayed in the window.

About viruses
   Displays basic data on the viruses detected by your installation of AVG (the number of detected viruses depends on which version you have installed and on the AVI/AVF files). It should be pointed out that the information given here has been abbreviated considerably, i.e. it contains only the name of the virus and the type of attack (file/system area). AVG contains a detailed description of the commonest viruses; it is not available for all viruses contained in the virus databank.

System information
   Displays information on the working environment - type and version of the operating system, memory controls, processor mode, size of base and XMS memory etc.

***************************************************************************

Scan-test
=========

The Scan-test in AVG consists of three independent techniques which appear to the user as one compact test. We shall deal with the three parts separately.

Standard search
   The standard way to detect known viruses is to search for virus identifiers (a sequence of bytes characteristic of a given virus).

Individual algorithms
   Individual algorithms are for detecting some known mutation (polymorphic) viruses, such as Tremor and those built with the MtE and TPE engines. Each file tested is checked to see if it contains a coding algorithm characteristic of a known type of mutation virus.

Fast heuristic analysis
   The principle of this technique consists in analysing the code of the file being tested and understanding the meaning of the instructions. The analysis can reveal suspicious activities.
   In contrast to full heuristic analysis (analysis with code emulation), which is a separate test, fast heuristic analysis does not carry out a consistent "pseudo-execution" of the instructions. It is therefore not able to detect new mutation viruses protected by an as yet unknown encryption routine.

   Fast heuristic analysis can be switched off in the Scan-test settings. During the test it is possible to see whether fast analysis is switched on:

   [DOS]      Refer to the letter A in the top right corner of the screen - if fast analysis is active the letter is bright white, otherwise it is grey.

   [WINDOWS]  If fast heuristic analysis is active, then the 'bullet' is green, otherwise it is grey.

During the Scan-test the above techniques appear to the user as one compact test. The advantage of this is that the file being tested is checked thoroughly, and the test can thus detect both known viruses and the great majority of unknown ones.

Anti-Stealth
------------
   [DOS]      AVG uses anti-stealth technology to detect stealth viruses. Refer to the letter S in the top right corner of the screen - if anti-stealth is active the letter is bright white, otherwise it is grey.

   [WINDOWS]  Anti-stealth technology cannot be used in a WINDOWS environment.

Selection of Devices
--------------------
Before the actual analysis, a window containing a list of the available devices appears, including more detailed information about each one. The user must now select the device, or a directory on it, which is to be tested. The following information about each device is shown:

   Logical name of the device
   Type of device - local/network/SUBST
   Type of device - HDD or FDD
   Whether the device contains a comparative database

The symbol ■ (a small square) or 'OK' denotes that a comparative database exists on the device. The symbol '!'
indicates that a comparative database does not exist on the device.

The comparative database (for detailed information see the chapter Comparative test) is a very important source of information for AVG. For this reason the existence of the database on the device is checked when the program is started, and the user is warned if the database does not exist. AVG does not check for the database on diskettes or network devices, only on local hard disks.

   [DOS]      Information about a device, i.e. the logical name of the device, its type and whether a comparative database exists, is shown on one line in AVG.EXE. To test just one device, highlight it and press ENTER. If more than one device is to be tested, selection/deselection can be made with the INSERT key. Once all the required devices are selected, press ENTER to access the menu with the following options:

              Run test   Starts the test of the selected device(s).
              Directory  Tests a selected directory only. The directories will be listed - use the cursor and ENTER key to select one. Press F9 to start the test of this directory, or F10 to start the test of this directory plus its subdirectories.
              Extension  User-selectable file name extension(s) to be tested. This can also be done in Settings and stored in the configuration file. Changes made here are only temporary.

   [WINDOWS]  In AVG for WINDOWS the type of device and the existence of a comparative database are shown separately under the list of devices. One or more devices can be chosen from the list. Individual directories can be selected - all subdirectories will be tested as well. To run the test, highlight the device and click on Start test, or just double-click the left mouse button on the target device. To test a particular directory, highlight the device and choose Directory. Then from the tree highlight the directory and click on Select. When finished click on OK to return to the previous screen, where the selected directories will be shown.
              To test several devices/directories together, use Add. Highlight the required device/directory in the above way and click on Add. The selected device/directory appears in the list at the bottom of the window. When finished, click on Run Test and all the listed devices/directories will be tested. To clear the list of devices/directories, click on Clear List.

              The options in the dialogue for selecting the device/directory to be tested are as follows:

              Return      Ends the selection of device/directory.
              Add         Adds a device/directory to the list in the lower part of the window.
              Clear       Deletes the contents of the list in the lower part of the window.
              Settings    Calls up a window in which some of the test parameters can be changed.
              Run test    Activates the test on all devices/directories in the list or, if the list is empty, on the highlighted device/directory.
              Directory   Displays the directory tree, from which one directory can be chosen.
              Test areas  The list of devices/directories to be tested. This list can be edited manually - the items must be separated by a semicolon.

If the hard disk is not accessible
----------------------------------
It can happen that, due to a virus or as a result of a computer crash, the hard disk is not accessible - the operating system refuses to recognise it as a valid device. In this case the only thing to do is to boot from a clean, write-protected system diskette, start AVG and use the backup copies of the system areas.

If AVG.EXE finds that no hard disk exists, it tries to find one directly by means of the BIOS and not through the operating system. If it finds that a disk is physically connected, it includes it in the list of existing devices and calls it "Physical Disk 1" and so on, whereby it is made available at least for testing the system areas - the partition table. It is here that the cause of the inaccessibility of the device usually lies, and AVG can thus test this area and correct it if necessary. With a device accessed like this it will not be possible to car out tests of files.
If the partition table is repaired, the device will be available after rebooting.

Test of system areas
--------------------
The system areas of the device are tested first. AVG determines the type of device and therefore how the system areas will be tested. For hard disks this means the partition table and the boot sector; for diskettes it is only the boot sector. With network devices or with some pseudo-devices the test of the system areas is omitted, since these areas are under the control of the network operating system.

If the system areas are in order, the program continues by testing files; otherwise the user is alerted and AVG offers the following options:

Continue
   Continues testing the other system areas or starts testing files. The virus is left in the infected area.

Information
   Gives detailed information about the virus found.

Remove (NOT AVAILABLE IN FREEWARE)
   Removes the virus from the system area using one of the two following techniques:

   Repair          Treats the infected system area using a general technique based on the fact that practically all viruses of this type use the same principle to spread.

   Reconstruction  With hard disks this replaces the infected system area by the previously created backup copy (see Backup system areas in the Utilities menu). With diskettes the infected boot sector is replaced by a generally valid structure.

As the system areas are of key importance, it is possible to make an UNDO file before running repair or reconstruction. If switched on in Settings, a name and path for the UNDO file must be entered when prompted. This file can be used at any time later (see Complete reconstruction in the Utilities menu) to restore the area to the state it was in before running repair or reconstruction.

   [!]  Note that altering the system areas is potentially dangerous. We therefore recommend that UNDO be used all the time.

File test
---------
After testing the system areas the Scan-test continues by testing files.
During the test, information is displayed as follows:

   [DOS]      The screen contains three windows. The directory tree is displayed in the top left window, while the files and results are shown in the window to the right:

              OK - the file is in order - no virus found.
              ?  - no known virus found, but the file has a non-standard structure.
              @  - the file is internally compressed (PKLITE, LZEXE, DIET etc.) or is immunised by some other anti-virus software. In both cases the test is not 100% accurate, as the test cannot access the file's contents - but neither can a virus. Note, however, that a file which was already infected before it was compressed carries the virus inside the packed image, where the Scan-test cannot see it. Reporting of non-standard files can be suppressed in the menu Settings - Heuristic analysis settings - Report non-standard files.
              !  - a specific virus has been found, or heuristic analysis has detected so many suspicious operations that the file has been flagged as possibly infected by an unknown virus.

              The third window displays information about the viruses found, about files with non-standard structure and so on.

   [WINDOWS]  AVG for WINDOWS displays the tested file/directory, and any important information is reported in the lower part of the window. This gives information not only on infected but also on non-standard files. Reporting of non-standard files can be suppressed in the menu Settings - Scan-test settings - Report non-standard files.

If an infected file is found, the type and name of the virus are displayed. It should be pointed out that AVG distinguishes several levels of attack - from files which are entirely OK, through suspect, to actually infected by a specific virus. A list of the warning levels, with descriptions, can be found in the appendix to this manual.

Continue
   Calls up a submenu with options to continue until a further infection is found, to continue non-stop to the end of the test, or to abort the test.

Information
   Displays detailed information about the virus found together with the relevant flags.
Remove
   Calls up a submenu with the following options:

   Repair (NOT AVAILABLE IN FREEWARE)
      This function, when successfully carried out, eliminates the virus from the infected file and returns the file to its original state. AVG incorporates two treatment techniques:

      Reconstruction  Uses the information stored in the comparative database (see the chapter Comparative test) to reconstruct the infected file to its original state.

      AVG analyses the infected file and automatically chooses the order of the above techniques according to the type of file and virus. The choice cannot be influenced. After treatment the file is tested again, so that the effectiveness of eliminating the virus from the file can be determined. We recommend that the infected file is backed up first (see the chapter Settings - Common settings for all tests).

   Rename
      Renames an infected file so that it can be kept on the device without change and without the danger of it being accidentally executed.

   Erase
      Destroys the infected file so that it cannot be resurrected.

   Repair all
      Repair all is the same as Repair except that the program automatically tests the remainder of the device and tries to repair all the infected files it finds - best for treating devices with many infected files. However, the device must be tested again afterwards to ensure that all viruses have been removed.

After carrying out a test, a summary is displayed - the number of files tested, the number of viruses found, the number of files treated etc.

***************************************************************************

Full Heuristic Analysis
=======================

This function could better be described as "heuristic analysis with code emulation". Since this is a novelty for most users, we shall explain the basic principles of heuristic analysis before going on to describe it in detail.
Principle of heuristic analysis
───────────────────────────────

Heuristic analysis, unlike the Scan-test, does not look for anything specific in the objects being tested. Rather, it examines the code in the file, i.e. it follows the instructions and analyses their practical meaning. It is able to pick up dubious activities of a program (e.g. taking control over the operating system, or a non-standard method of becoming memory resident). Each incorrect activity is characterised by a "flag" - a letter from 'A' to 'Z' or 'a' to 'z'. Each flag has a different value, i.e. not every symbol has the same weight. During the heuristic analysis the virus database is continuously checked for a known virus. When the total weight reaches a critical limit and no match is found in the virus database, the virus is declared unknown.

Unknown virus
─────────────

When no specific virus has been found, but heuristic analysis has detected many significant symptoms, the file either contains an unknown virus or has a non-standard structure. The user is warned (with comments) that an unknown virus may be present. The great advantage of heuristic analysis is its ability to detect a virus even if it is unknown.

_GRISOFT.VIR file
─────────────────

The analysis also exports a sample of the suspect file (if switched on in Settings) to the _GRISOFT.VIR file, located in the C:\ directory. This file should be sent to GRISOFT (UK) Ltd. to be analysed and possibly added to the main AVG.AVF validation file, thus eliminating false alarms for all users.

Users may, however, judge for themselves the seriousness of the heuristic analysis report. The following may act as a general guide:

If the user is confident that the file in question is either non-standard (e.g. a device driver) or is virus free, then the warning can be ignored or user validation performed.
More detailed information about user validation can be found in the chapter User Validation - MANAVF.EXE.

If, however, the program is new and untested, or the file is suspect, great care should be taken.

If analysis finds several suspect files with greatly dissimilar symptoms, it can be assumed that the alarm is false.

If analysis finds several suspect files with similar symptoms, there may be an unknown virus.

Change in analysis sensitivity
──────────────────────────────

A range of parameters that influence the behaviour and sensitivity of the heuristic analysis can be changed in the menu Settings - Heuristic analysis settings - Advanced. It should be pointed out, however, that changing the default values of these parameters may lead to a great increase in sensitivity and thus increase the possibility of false alarms.

To give the less experienced user an idea of how changing the parameters can influence the analysis, Show settings will display a graph of the following:

    Sensitivity (i.e. ability to detect an unknown virus)
    Speed of test
    False alarms

When heuristic analysis is run with non-default settings, the new parameters are displayed in the Information window.

User validation
───────────────

If the user is convinced that a file is completely in order although heuristic analysis has indicated that it is infected by an unknown virus, it is possible to carry out "user validation". This will eliminate an alarm for this file in future analysis. More detailed information about user validation can be found in the chapter User validation - MANAVF.EXE.

If a known virus is detected, the name of the infected file is displayed together with the type and name of the virus.

A complete list of the symbols (flags) used by heuristic analysis, together with a brief description of each, is given in the appendix to this manual.

Anti-Stealth
────────────

┌────┐
│C:\>│
└────┘
    AVG uses anti-stealth technology to detect stealth viruses. Refer to the letter S in the top right corner of the screen - if anti-stealth is active the letter is bright white, otherwise it is grey.

╔═╤═╗
╟─┼─╢
╚═╧═╝
    Anti-stealth technology cannot be used in a WINDOWS environment.

Selection of Devices
────────────────────

Before the actual analysis, a window containing a list of the available devices appears, including more detailed information about each one. The user must now select the device, or its directory, which is to be tested. The following information about each device is shown:

    Logical name of device
    Type of device - local/network/or SUBST
    Type of device - HDD or FDD
    Whether the device contains a comparative database

The symbol ■ or 'OK' denotes that a comparative database exists on the device. The symbol '!' indicates that a comparative database does not exist on the device.

The comparative database (for detailed information on this see the chapter Comparative test) is a very important source of information for AVG. For this reason the existence of the database on the device is checked when the program is started, and the user is warned if the database does not exist. AVG does not check for the database on diskettes or network devices, only on local hard disks.

┌────┐
│C:\>│
└────┘
    Information about a device, i.e. the logical name of the device, its type and whether a comparative database exists, is shown on one line in AVG.EXE. To test just one device, highlight it and press ENTER. If more than one device is to be tested, selection/deselection can be made with the INSERT key. Once all required devices are selected, press ENTER to access the menu below with the following options:

    Run test
        Starts the test of the selected device(s).

    Directory
        Tests the selected directory only. The directories will be listed - use the cursor and ENTER key to select one. Press F9 to start the test of this directory, or F10 to start the test of this directory plus its subdirectories.

    Extension
        User-selectable file name extension(s) to be tested. This can also be done in Settings and stored in the configuration file. Changes made here are only temporary.

╔═╤═╗
╟─┼─╢
╚═╧═╝
    In AVG for WINDOWS the type of device and the existence of a comparative database are shown separately under the list of devices. One or more devices can be chosen from the list. Individual directories can be selected - all subdirectories will be tested as well.

    To run the test, highlight the device and click on Start test, or just double-click the left mouse button on the target device. To test a particular directory, highlight the device and choose Directory. Then from the tree highlight the directory and click on Select. When finished, click on OK to return to the previous screen, where the selected directories will be shown.

    To test several devices/directories together, use Add. Highlight the required device/directory in the above way and click on Add. The selected device/directory appears in the list at the bottom of the window. When finished, click on Run Test and all listed devices/directories will be tested. To clear the list of devices/directories, click on Clear List.

    The options in the dialogue of the device/directory to be tested are as follows:

    Return
        Ends selection of device/directory.

    Add
        Adds a device/directory to the list in the lower part of the window.

    Clear
        Deletes the contents of the list in the lower part of the window.

    Settings
        Calls up a window in which some of the test parameters can be changed.

    Run test
        Activates the test on all devices/directories in the list or, if this list is empty, on the highlighted device/directory.

    Directory
        Displays the directory tree, from which one directory can be chosen.

    Test areas
        The list of devices/directories to be tested. This list can be edited manually - the items must be separated by a semicolon.
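The weighted-flag decision described under Principle of heuristic analysis above, together with the rule of thumb from the general guide (several suspect files with similar symptoms point to an unknown virus, greatly dissimilar ones to a false alarm), written out as an added Python example. This is not AVG's code and not its database format: the flag weights, the critical limit, the signature pattern, the user-validation digest and the sample flag sets are all constructed for illustration; only the meaning of flag {B} (return to entry point) is taken from the manual, the other flag descriptions are placeholders.

```python
"""Weighted-flag verdict and the similar-symptoms rule of thumb.

Constructed example, not AVG's engine: every weight, limit, signature,
validation digest and sample below is invented. Only the meaning of flag
{B} (return to entry point) comes from the manual; the other flag
descriptions are placeholders.
"""
import hashlib

# Each flag letter carries its own weight, so not every symbol counts the same.
FLAG_WEIGHTS = {
    "B": 3,  # return to entry point (named in the manual)
    "M": 4,  # placeholder: non-standard way of becoming memory resident
    "T": 3,  # placeholder: takes control of an operating-system interrupt
    "x": 1,  # placeholder: minor structural oddity
}
CRITICAL_LIMIT = 7  # constructed: total weight at which "unknown virus" is declared

# Constructed signature database: byte pattern -> name of the known virus.
KNOWN_SIGNATURES = {b"\x00DEMO.SIG\x00": "Demo.Example"}

# Constructed user-validation set: digests of files the user has vouched for,
# standing in for entries in a validation file such as AVG.AVF.
USER_VALIDATED = {hashlib.sha256(b"MZ\x90\x00placeholder-device-driver").hexdigest()}


def score(flags):
    """Total weight of the flags raised for one file (unknown letters weigh 1)."""
    return sum(FLAG_WEIGHTS.get(f, 1) for f in flags)


def classify(data, flags):
    """Verdict for one file, given its bytes and the flags the analysis raised.

    Order matters: a validated file is never reported, a known virus beats
    any heuristic score, and only at or above the critical limit is the
    file declared to hold an unknown virus.
    """
    if hashlib.sha256(data).hexdigest() in USER_VALIDATED:
        return ("ok", "user validated")
    for pattern, name in KNOWN_SIGNATURES.items():
        if pattern in data:
            return ("infected", name)
    total = score(flags)
    if total >= CRITICAL_LIMIT:
        return ("unknown virus", total)
    return ("ok", total)  # flags are noted but stay below the limit


def jaccard(a, b):
    """Similarity of two flag sets: shared flags over all flags seen."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 1.0


def assess_batch(flag_sets, threshold=0.5):
    """Rule of thumb for several "unknown virus" reports from one run.

    Similar flag sets across files suggest one unknown virus spreading;
    greatly dissimilar ones suggest a false alarm. `threshold` is constructed.
    """
    if len(flag_sets) < 2:
        return "inconclusive"
    pairs = [(x, y) for i, x in enumerate(flag_sets) for y in flag_sets[i + 1:]]
    mean_sim = sum(jaccard(x, y) for x, y in pairs) / len(pairs)
    return "possible unknown virus" if mean_sim >= threshold else "likely false alarm"


if __name__ == "__main__":
    print(classify(b"MZ\x90\x00placeholder-device-driver", "BMT"))  # validated: ok
    print(classify(b"MZ\x00\x00\x00DEMO.SIG\x00rest", "x"))          # known virus
    print(classify(b"MZ\x00\x00other-program", "BMT"))               # over the limit
    print(assess_batch(["BMT", "BMTx", "BM"]), assess_batch(["BMT", "pq", "zy"]))
```

The point of the ordering in classify is the one the manual makes: the known-virus database is consulted throughout the analysis, and the weighted flags only decide the verdict when nothing matched; user validation sits in front of both so that a file the user has vouched for never raises the alarm again.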
If the hard disk is not accessible
──────────────────────────────────

It can happen that, due to a virus or as a result of a computer crash, the hard disk is not accessible - the operating system refuses to recognise it as a valid device. In this case the only thing to do is to boot from a system diskette, start AVG and use the backup copies of the system areas.

If AVG.EXE finds that no hard disk exists, it tries to find it directly by means of the BIOS and not through the operating system. If it finds that a disk is physically connected, it includes it in the list of existing devices and calls it "Physical Disk 1" and so on, whereby it is made available at least for testing the system areas - the partition table. It is here that the cause of the inaccessibility of the device usually lies, and AVG can thus test this area and correct it if necessary. With a device accessed like this it will not be possible to carry out tests of files. If the partition table is repaired, the device will be available after rebooting.

Test of system areas
────────────────────

The system areas of the device are tested first (AVG determines the type of device and therefore how the system areas will be tested). For hard disks this means the partition table and the boot sector. For diskettes it is only the boot sector. With network devices or with some pseudo-devices the test of the system area is omitted, since these areas are under the control of the network operating system. If the system areas are in order, the program continues testing files; otherwise the user is alerted and AVG offers the following options:

Continue
    Continues testing other system areas or starts testing files. The virus is left in the infected area.

Information
    Gives detailed information about the virus found.
Remove
    Removes the virus from the system area using one of the two following techniques (NA in freeware):

    Repair
        Treats the infected system area using a general technique based on the fact that practically all viruses of this type use the same principle to spread.

    Reconstruction
        With hard disks this replaces the infected system area with the previously created backup copy (see Backup system areas in the Utility menu). With diskettes the infected boot sector is replaced by a generally valid structure.

As the system areas are of key importance, it is possible to make an UNDO disk before running repair or reconstruction. If switched on in Settings, a name and path for the UNDO file must be entered when prompted. This file can be used at any later time (see Complete reconstruction in the Utilities menu) to restore the area to the state it was in before running repair or reconstruction.

▀████▀
  ▀▀
  ▀▀
    Note that altering the system areas is potentially dangerous. We therefore recommend that UNDO be used all the time.

File test
─────────

After testing the system areas, Scan-test continues testing files. During the test, information is displayed as follows:

┌────┐
│C:\>│
└────┘
    The screen contains three windows. The directory tree is displayed in the top left window, while the files and results are shown in the window to the right:

    OK - the file is in order - no virus found.
    ?  - no known virus found - but the file has a non-standard structure.
    @  - the file is internally compressed (PKLITE, LZEXE, DIET etc.) or is immunised by some other antivirus software. In both cases the test is not 100% accurate, as the test cannot access the file - but neither can a virus. Reporting non-standard files can be suppressed in the menu Settings - Heuristic analysis settings - Report non-standard files.
    !  - a specific virus has been found, or heuristic analysis has detected so many suspicious operations that the file has been flagged as possibly infected by an unknown virus.
    The third window displays information about the viruses found, about files with non-standard structure and so on.

╔═╤═╗
╟─┼─╢
╚═╧═╝
    AVG for WINDOWS displays the tested file/directory, and any important information is reported in the lower part of the window. This gives information not only on infected but also on non-standard files. Reporting non-standard files can be suppressed in the menu Settings - Heuristic analysis settings - Report non-standard files.

If an infected file is found, the type and name of the virus is displayed. It should be pointed out that AVG distinguishes several levels of attack - from files which are entirely OK, through suspect, to actually infected by a specific virus. A list of the warning levels, including a description of each, can be found in the appendix to this manual.

Continue
    Calls up a submenu with options to continue until a further infection is found, to continue non-stop to the end of the test, or to abort the test.

Information
    Displays detailed information about the virus found, together with the relevant flags.

Remove
    Calls up a submenu with the following options:

Repair - NOT AVAILABLE IN FREEWARE
    This function, when successfully carried out, eliminates the virus from the infected file and returns the file to its original state. AVG incorporates two treatment techniques:

    Heuristic treatment
        Heuristic treatment is based on the fact that the most modern viruses can preserve their host in an executable state - the virus temporarily returns the host (infected file) to its original uninfected state so that it can be run. A certain guide to the possibility of heuristic treatment is given by the flag {B} - return to entry point. If this flag appears amongst those found by the analysis, heuristic treatment will probably be successful. If flag {B} is not shown, try setting Special mode in the menu Settings - Heuristic analysis settings - Advanced and test the infected file again.
        Heuristic analysis will now work slightly differently, to try to detect the necessary flag {B} and thus enable heuristic treatment to take place.

    Reconstruction
        Reconstruction uses information stored in the comparative database (see the chapter Comparative test) to reconstruct the infected file to its original state.

    AVG analyses the infected file and automatically chooses the order of the above techniques according to the type of file and virus. The choice cannot be influenced. After treatment the file is tested again so that the effectiveness of eliminating the virus from the file can be determined.

▀████▀
  ▀▀
  ▀▀
    We recommend that the infected file is backed up (see the chapter Settings - Common settings for all tests).

Rename
    Renames an infected file so that it can be kept on the device unchanged, without the danger of it being accidentally executed.

Erase
    Destroys the infected file so that it cannot be resurrected.

Repair all
    Repair all is the same as Repair, except that the program automatically tests the remainder of the device and tries to repair all the infected files it finds - best for treating devices with many infected files. However, the device must be tested again to ensure that all viruses have been removed.

After carrying out a test, a summary is displayed - the number of files tested, the number of viruses found, files treated etc.

*******************************************************************************
Comparative test
════════════════

Each infection changes its victim - files in their size and contents (sometimes the date and time are also changed), system areas merely in their contents. This fact is used by the Comparative test, which creates and maintains a database (called the comparative database) by means of which it can ascertain what has changed.

Selection of Devices
────────────────────

Before the actual comparative test, a window containing a list of the available devices appears, including more detailed information about each one.
The user must now select the device, or its directory, which is to be tested. The following information about each device is shown:

    Logical name of device
    Type of device - local/network/or SUBST
    Type of device - HDD or FDD
    Whether the device contains a comparative database

The symbol ■ or 'OK' denotes that a comparative database exists on the device. The symbol '!' indicates that a comparative database does not exist on the device.

┌────┐
│C:\>│
└────┘
    Information about a device, i.e. the logical name of the device, its type and whether a comparative database exists, is shown on one line in AVG.EXE. To test just one device, highlight it and press ENTER. If more than one device is to be tested, selection/deselection can be made with the INSERT key. Once all required devices are selected, press ENTER to access the menu below with the following options:

    Run test
        Starts the test of the selected device(s).

    Directory
        Tests the selected directory only. The directories will be listed - use the cursor and ENTER key to select one. Press F9 to start the test of this directory, or F10 to start the test of this directory plus its subdirectories.

    Extension
        User-selectable filename extension(s) to be tested. This can also be done in Settings and stored in the configuration file. Changes made here are only temporary.

╔═╤═╗
╟─┼─╢
╚═╧═╝
    In AVG for WINDOWS the type of device and the existence of a comparative database are shown separately under the list of devices. One or more devices can be chosen from the list. Individual directories can be selected - all subdirectories will be tested as well.

    To run the test, highlight the device and click on Start test, or just double-click the left mouse button on the target device. To test a particular directory, highlight the device and choose Directory. Then from the tree highlight the directory and click on Select. When finished, click on OK to return to the previous screen, where the selected directories will be shown.
    To test several devices/directories together, use Add. Highlight the required device/directory in the above way and click on Add. The selected device/directory appears in the list at the bottom of the window. When finished, click on Run test and all listed devices/directories will be tested. To clear the list of devices/directories, click on Clear list.

    The options in the dialogue of the device/directory to be tested are as follows:

    Return
        Ends selection of device/directory.

    Add
        Adds a device/directory to the list in the lower part of the window.

    Clear
        Deletes the contents of the list in the lower part of the window.

    Settings
        Calls up a window in which some of the test parameters can be changed.

    Run test
        Activates the test on all devices/directories in the list or, if this list is empty, on the highlighted device/directory.

    Directory
        Displays the directory tree, from which one directory can be chosen.

    Test areas
        The list of devices/directories to be tested. This list can be edited manually - the items must be separated by a semicolon.

Creating comparative database
─────────────────────────────

If there is no comparative database on a device to be tested, the user is informed and the option to create one is offered. The default name for this file is AVG.GRS and can be changed in the menu Settings - Scan-test settings. The following information about each file under test is stored in the comparative database:

    Name of file, including path.
    Size of file in bytes.
    Checksum of the important parts of the file. Only the file header and some other important parts are stored - not the whole file.
    Attributes of file (Archive/Hidden/System/Read-only).
    Time and date of creation of the file.

Additional information to aid the scan-test and heuristic analysis is also stored in the comparative database.

System areas - only checksum data of the system area is stored in the comparative database.
Test against existing database
──────────────────────────────

If a comparative database already exists on the tested device, the real comparative test follows - the data in the database is compared with the actual state of the device. The comparative test is fully automated; information about the directory and file currently being tested is available to the user, and a brief description of each detected change is also displayed. When the test is completed, all detected changes are displayed again, together with a detailed description.

The comparative test detects these types of changes:

Change in system area
    This change should be taken seriously. Unless a new operating system, some system software or new hardware (a new hard disk, etc.) has been installed since the last test, this change is a strong indication of a virus attack. A change in the system area (boot sector) of pseudo-devices (e.g. compressed disks - Stacker, DoubleSpace...) may not be caused by a virus.

Change in file
    The comparative test has found a discrepancy between the file and its record in the database. If there is no known reason for the file to have changed since it was last tested (e.g. replaced by a new version), this discrepancy may signal virus infiltration. It is important to know what has changed - a change in the file attributes or in the time of creation is not as important as a change in the content of the file and/or its length.

File deleted
    A file recorded in the database was not found. It has probably been deleted, renamed or moved to another directory.

File is new
    A file exists on the device but has no record in the database.

Evaluating changes
──────────────────

When testing is over, the changes are listed. It is up to the user to mark the changes which are considered correct, and to record them in the database as the standard for future tests. New and/or deleted files can be updated automatically according to the settings - see menu Settings - Comparative test settings.
Any changes found are selected and tagged in the following way:

┌────┐
│C:\>│
└────┘
    The changes are tagged (or un-tagged) by ENTER or INS. F2 adds the tagged changes to the comparative database. ESC aborts the evaluation of changes without updating the comparative database.

    Tag is used to select groups of changes quickly. It displays a menu with the following choices:

        Tag all          Un-tag all
        Tag changed      Un-tag changed
        Tag deleted      Un-tag deleted
        Tag new          Un-tag new

    Auto-Tag analyses the changes and then automatically indicates all changes that it regards as correct. F2 will update the database. ESC will abort the comparative test without updating the database.

╔═╤═╗
╟─┼─╢
╚═╧═╝
    A mouse click selects/deselects a changed file. To select/deselect groups of files, choose from the following:

        Select all       Deselect all
        Select changed   Deselect changed
        Select erased    Deselect erased
        Select new       Deselect new

    Other choices are:

    Information
        Gives more detailed information on a change found.

    Exit without update
        Ends the comparative test without updating the database.

    Update database
        Ends the comparative test and updates the database with all selected changes.

The last screen displayed by the Comparative test is a window containing the test results. This window is common to all tests, and only the items relevant to the type of test run are highlighted.

To sum up
─────────

The comparative test is an important source of information, used by the scan-test in eliminating viruses. We consider a comparative database to be almost vital on every device (with the exception of diskettes and some network devices). We recommend that the comparative test is run frequently. Remember that it is the user who must make a decision about the changes found. He must know what has taken place in the system since it was last used, and whether the changes are correct or not. The greater the number of changes, the more frequently the comparative test should be run. From our experience we can recommend running this test once or twice a week.
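The whole comparative-test cycle described above (Creating comparative database, Test against existing database, Evaluating changes with Auto-Tag, and updating the database) as an added Python example. This is not AVG's code and does not reproduce the AVG.GRS file format: the record layout follows the fields the manual lists (name with path, size, checksum of the important parts, attributes, time/date, plus a system-area checksum), the "device" is an in-memory dict so that the example runs offline, and the two snapshots, the 64-byte head/tail checksum window and the severity rule are all constructed for illustration.

```python
"""Comparative (integrity) database: create, compare, auto-tag, update.

Constructed example, not AVG's AVG.GRS format or code. A "device" is a dict
{"system_area": bytes, "files": {path: (bytes, attrs, mtime)}} so the example
runs offline; records hold the fields the manual lists for each file.
"""
import hashlib

HEADER_BYTES = 64  # constructed: only the head and tail of a file are checksummed


def _digest(data):
    return hashlib.sha256(data).hexdigest()


def file_record(data, attrs, mtime):
    """One database record; attrs is a string such as "A" or "RHS", mtime an int."""
    return {"size": len(data),
            "checksum": _digest(data[:HEADER_BYTES] + data[-HEADER_BYTES:]),
            "attrs": attrs, "mtime": mtime}


def build_database(device):
    """Create the comparative database for a device that has none yet."""
    files = {p: file_record(*v) for p, v in device["files"].items()}
    return {"system": _digest(device["system_area"]), "files": files}


def compare(db, device):
    """The changes the comparative test reports: system area, changed, deleted, new."""
    changes = []
    if _digest(device["system_area"]) != db["system"]:
        changes.append({"kind": "system_area", "path": None, "severity": "high"})
    current = {p: file_record(*v) for p, v in device["files"].items()}
    for path, old in db["files"].items():
        new = current.get(path)
        if new is None:
            changes.append({"kind": "deleted", "path": path, "severity": "low"})
            continue
        fields = [k for k in old if old[k] != new[k]]
        if fields:  # content or length differences matter more than attribute/time ones
            severity = "high" if {"size", "checksum"} & set(fields) else "low"
            changes.append({"kind": "changed", "path": path, "fields": fields,
                            "severity": severity})
    for path in current:
        if path not in db["files"]:
            changes.append({"kind": "new", "path": path, "severity": "low"})
    return changes


def auto_tag(changes, accept_new=True, accept_deleted=True):
    """Tag what an automatic pass regards as correct; high-severity changes stay with the user."""
    return [dict(c, tagged=(c["severity"] == "low" and (
                c["kind"] == "changed" or
                (c["kind"] == "new" and accept_new) or
                (c["kind"] == "deleted" and accept_deleted))))
            for c in changes]


def update_database(db, tagged, device):
    """Record the tagged changes as the new standard for future tests."""
    files, system = dict(db["files"]), db["system"]
    for c in tagged:
        if not c["tagged"]:
            continue
        if c["kind"] == "deleted":
            files.pop(c["path"], None)
        elif c["kind"] in ("new", "changed"):
            files[c["path"]] = file_record(*device["files"][c["path"]])
        elif c["kind"] == "system_area":
            system = _digest(device["system_area"])
    return {"system": system, "files": files}


# Constructed sample: a baseline snapshot and a later state of the same device.
BASELINE = {
    "system_area": b"\xeb\x3c\x90BOOTSECTOR" + b"\x00" * 40,
    "files": {
        r"C:\COMMAND.COM": (b"MZ" + b"A" * 100, "A", 100),
        r"C:\AUTOEXEC.BAT": (b"@ECHO OFF\r\n", "A", 100),
        r"C:\TOOLS\OLD.EXE": (b"MZ" + b"O" * 20, "A", 100),
    },
}
LATER = {
    "system_area": BASELINE["system_area"],
    "files": {
        r"C:\COMMAND.COM": (b"MZ" + b"A" * 100 + b"X" * 50, "A", 100),  # grew: high
        r"C:\AUTOEXEC.BAT": (b"@ECHO OFF\r\n", "A", 200),                # time only: low
        r"C:\TOOLS\NEW.EXE": (b"MZ" + b"N" * 20, "A", 300),              # new file
    },
}
DB = build_database(BASELINE)

if __name__ == "__main__":
    for change in compare(DB, LATER):
        print(change)
```

Running it lists a high-severity change for COMMAND.COM (size and checksum differ), a low-severity one for AUTOEXEC.BAT (time only), the deleted OLD.EXE and the new NEW.EXE; auto_tag leaves only COMMAND.COM untagged, and after update_database a second comparison reports nothing but that file, which is exactly the decision the manual leaves to the user.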
**************************************************************************
Memory Test
═══════════

This tests memory for the presence of a virus. It is run automatically when AVG is started, unless suppressed in Settings - Common settings for all tests or by using the parameter /NOMEM.

╔═╤═╗
╟─┼─╢
╚═╧═╝
    In a WINDOWS environment AVGSYSW.EXE must be loaded to test memory.

AVG tests only those parts of memory that are used by viruses. If a virus is found, the option to continue (particularly useful with some portable computers) or to restart the computer is given.

*******************************************************************************
Interrupt vectors analysis
══════════════════════════

The analysis of interrupt vectors is a progressive method for detecting new resident viruses. Basically, it is heuristic analysis of the vectors INT21 and INT13.

╔═╤═╗
╟─┼─╢
╚═╧═╝
    This analysis has no meaning in a WINDOWS environment and is therefore not available.

What are INT21 and INT13?
─────────────────────────

Fundamental system functions are located in ROM memory. The addresses of these functions are located in the interrupt vectors - INT21 (operating system) and INT13 (disk operation). These addresses are very often changed by resident viruses to obtain control over the system. Heuristic analysis tests the code to which the vectors point and can determine whether a virus has taken control of the system. Some modern viruses cannot be detected by a conventional memory test, and so heuristic analysis of the interrupt vectors compensates for this shortcoming.

*******************************************************************************
Environment test
════════════════

AVG tests the environment by trying to detect incorrect activity in the system.

╔═╤═╗
╟─┼─╢
╚═╧═╝
    This test has no meaning in a WINDOWS environment and is therefore not available.

Principle of test
─────────────────

Most present-day viruses reside in memory to monitor system activity and attack when a suitable situation occurs. AVG deliberately activates system functions (those used by viruses to spread) to trick them into revealing themselves.

File viruses
    AVG simulates system operations to provoke an active virus in the computer into acting.

Boot viruses
    A formatted diskette, not write-protected, must be present in the drive before carrying out this test.

▀████▀
  ▀▀
  ▀▀
    Data on this diskette will be destroyed.

*******************************************************************************
Settings
════════

It is possible to configure many of AVG's functions to the user's needs and preferences. Scan-test, heuristic analysis and comparative test settings will be dealt with in subsequent chapters.

Settings common to all tests
────────────────────────────

┌────┐
│C:\>│
└────┘
    Direct disk reading
        AVG uses its own technique for reading data from disk. The main advantage, apart from speeding up tests, is increased sensitivity to stealth file viruses (e.g. Tremor). AVG analyses the type of device to be tested and the software used, and automatically switches off direct reading if its use is impossible or unsuitable. A manual override can be set. Refer to the letter F in the top right corner of the screen - if fast reading is active the letter is bright white, otherwise it is grey. When XMS memory cannot be used, fast reading occupies base memory otherwise used by other routines. Should there be insufficient free memory, AVG terminates prematurely. Access to XMS memory is recommended (see /FASTREAD+ and /XMS+).

    Defend against Stealth viruses
        AVG uses anti-STEALTH technology - the operating system is not used to read devices, as it may be under the control of stealth viruses. Refer to the letter S in the top right corner of the screen - if anti-Stealth technology is active the letter is bright white, otherwise it is grey.
Use XMS
    Determines whether AVG will use XMS memory. The default is to use XMS memory, which speeds up tests. XMS memory is used for fast reading from disk. To use it, an XMS memory driver must be installed (i.e. HIMEM.SYS or EMM386.EXE).

Test RAM Upper Memory
    Determines whether the Memory RAM test will test memory in the region 640KB-1MB.

Create backup file
    AVG can create a backup of an infected file before each attempt to repair it. This copy can be useful if the repair is unsuccessful and the infected file has been unrecoverably damaged: a functional, although infected, copy of the file is retained. The extension of the backup is altered - e.g. COMMAND.COM becomes COMMAND.C##.

Memory test on start
    Determines whether memory is tested on starting AVG.

╔═╤═╗
╟─┼─╢
╚═╧═╝
    Double Click with Mouse
        To simplify the selection of devices, a double click of the left button on your mouse can be used. The double click action can be defined in General settings. The default setting for double click is Start test. Other possible settings are Directory selection, Add to list or Not used.

            Start test - starts the test.
            Directory selection - selects the directory to be tested.
            Add to list - adds the selected device/directory to the list of areas to be tested.
            Not used - double clicking has no effect.

    List of tested areas
        Determines whether the list of tested areas is to be cleared or preserved from the last test.

AVG environment settings
────────────────────────

Sound
    Determines whether AVG uses sound effects on detecting an important event.

Report
    Sets the name of a report file into which AVG will write extra information about tests.

Save configuration
    Configuration changes can be saved automatically to AVG.CFG on exit. AVG creates a configuration file with the name AVG.CFG. AVG for WINDOWS creates a configuration file with the name AVGW.CFG. Thus the two programs may have different configurations saved.

┌────┐
│C:\>│
└────┘
    Graphic mode
        Sets AVG to either graphics or text mode. This is stored in the configuration file. Unless overridden, graphics mode is used for VGA cards and text mode for any other display adapter.

Screen dimming
    If set on, the screen is dimmed after ten minutes of inactivity. Pressing any key will reset the screen to normal.

Password
    AVG contains privileged functions accessible only after a valid password has been entered. The standard, generally valid password cannot be changed and is located in the {PWD} file on the installation diskette. Apart from this password it is possible to define a user password and use it in day-to-day work. The use of such a password is possible only if a valid password has been entered in the present session.

Font
    The font in the menu information line can be changed. AVG must be restarted for this to take effect.

Save settings to disk
    Unless changes to settings are saved, they will apply only for the current session. AVG creates a configuration file with the name AVG.CFG. AVG for WINDOWS creates a configuration file with the name AVGW.CFG. Thus the two programs may have different configurations saved. A configuration can also be saved automatically - see Settings - Environment settings.

Network communication
    In a Novell Netware environment it is possible to use the Network communication feature. If enabled and the user/group is valid, a message will be sent if scan-test or heuristic analysis finds a virus on your computer. If network messaging is set to YES, the name of the user to whom messages should be sent must be entered. The file to which the messages are sent must also be specified, in case the recipient is not accessible. The network administrator must ensure that the AVG user has the necessary rights to create the log file in the given directory.

Default settings
    Restores settings to their default values. This feature is privileged and is available only after entering a valid password in Utilities.
******************************************************************************
Scan-test settings
══════════════════

The following parameters can be set for Scan-test:

Extension
    The Extension box contains the following:

        Default    - this group cannot be changed
        Other      - the user-definable list of extensions is used
        Extensions - to customise the list of extensions

    It should be noted that files like *.TXT or *.DBF are not important as far as viruses are concerned. Only program files (*.EXE, *.COM, *.OVL etc.) and some document files (*.DOC) should be tested. Testing text files, for example, could lead to false alarms.

Report non-standard files
    Determines whether non-standard files (PKLITE, DIET, LZEXE, immunised programs etc.) will be reported.

Quick analysis
    Determines whether fast heuristic analysis will be used during a scan-test - see the chapter Scan-test.

Test without messages
    By default, messages are displayed during testing when an infected or a suspicious file is found. Testing is suspended and continues only after user intervention. If Test without messages is set to YES, the scan-test will run non-stop until all files have been tested, and action can be taken when finished.

Scheduler
    Allows a time interval (in days) for a scheduled test to be defined. Whenever AVG is run the date is checked, and the user is prompted when the time has come to run the test.

******************************************************************************
Heuristic analysis settings
═══════════════════════════

The following parameters can be set for heuristic analysis:

Extension
    The Extension box contains the following:

        Default    - this group cannot be changed
        Other      - the user-definable list of extensions is used
        Extensions - to customise the list of extensions

    It should be noted that files like *.TXT or *.DBF are not important as far as viruses are concerned. Only program files (*.EXE, *.COM, *.OVL etc.) and some document files (*.DOC) should be tested. Testing text files, for example, could lead to false alarms.
Report non-standard files
  Determines whether non-standard files (PKLITE, DIET, LZEXE, immunised
  programs etc.) are reported.

Export suspicious files
  Determines whether heuristic analysis saves a sample of each suspicious
  file to _GRISOFT.VIR.

┌────┐
│C:\>│  Heuristic analysis can display the contents of the CPU registers
└────┘  and the instructions in the tested code. These details are mainly
        informative and can be suppressed; the screen area is then used
        for the messages about detected viruses and non-standard files.

Test without messages
  By default a message is displayed during testing whenever an infected or
  a suspicious file is found; testing is suspended and continues only
  after user intervention.

Scheduler
  Allows a time interval (in days) for a scheduled test to be defined.
  Whenever AVG is run the date is checked and the user is prompted when
  the time has come to run the test.

Advanced
  Contains the following options:

  Time limit
    Limits the time spent testing each file. The default is ten seconds.
    For the great majority of files this limit is not reached.

  Depth and Maximum number of instructions
    These two parameters both influence the number of instructions tested
    by heuristic analysis, but they differ in one important respect.
    Max. number of instructions sets how many instructions are emulated in
    total. Depth of test determines how far down the program listing the
    analysis penetrates. The difference is best shown by an example:
    imagine that the code of the program under test contains loops. Every
    pass through a loop increases the count of emulated instructions, but
    the depth ignores this repetition and increases only as the analysis
    reaches code further into the file. The default values are 400 for
    the depth and 1,000,000 for the maximum number of instructions.
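The following toy emulator is an added example (not AVG's code; its instruction set and its definition of depth as "distinct addresses reached" are assumptions) that makes the difference between the two budgets concrete, and also shows what the Sensitive cycle detection option described below does: a decryptor-style loop burns through the instruction budget without adding depth, while collapsing the loop after a few passes lets the analysis reach the code behind it.

```python
"""Toy emulator: 'Maximum number of instructions' vs. 'Depth'.

Added example, not AVG's code. The instruction set is invented and depth is
taken to mean the number of distinct instruction addresses reached.
"""
from dataclasses import dataclass


@dataclass
class Result:
    executed: int        # instructions emulated, loop repeats included
    depth: int           # distinct instruction addresses reached
    stopped_by: str      # "end", "max_instructions" or "depth"
    cycles_skipped: int  # loops collapsed by cycle detection


def emulate(program, max_instructions=1_000_000, max_depth=400,
            cycle_sensitivity=None):
    """Run `program`, a list of (op, arg) tuples, under both budgets.

    Ops: ("mov_cx", n), ("dec_cx", None), ("jnz", target), ("jmp", target),
    ("ret", None); any other op ("xor", "inc", "nop") is a no-op here.
    `cycle_sensitivity` is the number of backward jumps taken at one address
    after which the loop is collapsed (None = no cycle detection).
    """
    ip, cx, executed, cycles_skipped = 0, 0, 0, 0
    visited = set()
    back_jumps = {}  # jump address -> times taken backwards
    while 0 <= ip < len(program):
        if executed >= max_instructions:
            return Result(executed, len(visited), "max_instructions", cycles_skipped)
        if ip not in visited:
            if len(visited) >= max_depth:        # new code beyond the depth limit
                return Result(executed, len(visited), "depth", cycles_skipped)
            visited.add(ip)
        op, arg = program[ip]
        executed += 1
        nxt = ip + 1
        if op == "mov_cx":
            cx = arg
        elif op == "dec_cx":
            cx -= 1
        elif op == "jmp":
            nxt = arg
        elif op == "jnz" and cx != 0:
            nxt = arg
            if arg <= ip:                          # backward jump = loop
                n = back_jumps[ip] = back_jumps.get(ip, 0) + 1
                if cycle_sensitivity is not None and n >= cycle_sensitivity:
                    cycles_skipped += 1            # pass through the loop quickly
                    cx, nxt = 0, ip + 1
        elif op == "ret":
            return Result(executed, len(visited), "end", cycles_skipped)
        ip = nxt
    return Result(executed, len(visited), "end", cycles_skipped)


# Constructed sample: a decryptor-style loop over 5000 bytes, followed by 50
# instructions of straight-line code and a return.
DECRYPT_LOOP = [("mov_cx", 5000), ("xor", None), ("inc", None),
                ("dec_cx", None), ("jnz", 1)]
PROGRAM = DECRYPT_LOOP + [("nop", None)] * 50 + [("ret", None)]


def compare_budgets(program=PROGRAM):
    """Same program under the default budgets, a small instruction budget,
    a small depth budget, and with cycle detection switched on."""
    return {
        "unlimited": emulate(program),
        "instruction_budget": emulate(program, max_instructions=1000),
        "depth_budget": emulate(program, max_depth=20),
        "cycle_detection": emulate(program, cycle_sensitivity=3),
    }
```

With the defaults the loop costs about 20,000 emulated instructions but only 5 of depth; an instruction budget of 1000 stops inside the loop (the {x} Interrupted case) without ever reaching the code behind it, a depth budget of 20 runs the whole loop and then stops on fresh code, and cycle detection reaches the end in 64 instructions.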
    Significantly faster execution of heuristic analysis can be achieved by
    decreasing these parameters, at the risk of not detecting complex
    polymorphic viruses.

  Analyse non-standard files
    Files with a non-standard structure - those produced by PKLITE, DIET,
    LZEXE etc. - take longer to analyse. Heuristic analysis recognises
    these files, and analysing them is usually unnecessary.

  Sensitive cycle detection
    The analysis can detect loops in a program and pass through them
    quickly. With high sensitivity even complex and fragmented viruses can
    be detected. Low sensitivity speeds up the test at the cost of the
    ability to detect complex polymorphic viruses.

  Alternative addresses
    Also examines the code reached through a conditional jump. This makes
    the information about a possible virus in a file more complete but
    could lead to a false alarm.

  Special mode (for treatment)
    Heuristic treatment relies on the fact that most modern viruses keep
    their host executable: before running it, the virus temporarily
    returns the infected file to its original uninfected state. A good
    indication that heuristic treatment is possible is the flag {B} -
    return to entry point. If this flag appears amongst those found by the
    analysis, heuristic treatment will probably be successful. Special
    mode can help to remove some very complex polymorphic viruses even
    when flag {B} is not shown.

  Emulate instruction queue
    To speed up execution, Intel processors use an instruction (prefetch)
    queue: the processor reads the instructions it expects to need next
    from memory into the queue. If a program modifies an instruction in
    memory that is already in the queue, the CPU may not notice and will
    execute the original instruction. Manipulating instructions in this
    way is a relatively common technique used by viruses as a defence
    against being traced or analysed.
    AVG does not emulate the queue on an 8086; the Pentium has a queue but
    recognises any mismatch and re-reads the instruction. AVG sets this
    parameter according to the processor it is running on: on an 80286,
    80386 or 80486 emulation is on, on an 8086 or a Pentium it is off.

  Show
    Updates the graph to show the effect of any changes.

******************************************************************************

Comparative test settings
═════════════════════════

The following parameters can be set for Comparative test:

Extension
  The Extension box contains the following:
    Default       - this group cannot be changed
    Other         - a user-definable list of extensions is used
    Extensions... - to customise the list of extensions
  It should be noted that files like *.TXT or *.DBF often change and are
  unimportant as far as viruses are concerned. Only program files - *.EXE,
  *.COM, *.OVL etc. - should be tested.

New and Erased files
  The comparative test detects and reports not only changed files but
  also new files (their checksum is not in the database) and erased files
  (their checksum is in the database but the file is no longer on the
  drive). These changes are usually of little value, so the user can set
  the update to automatic: checksums of new and erased files are then
  updated in the database without user confirmation. Note that automatic
  updating reduces, to a certain extent, control over these kinds of
  change (a new file is accepted without anybody looking at it) and
  should be chosen only in justifiable cases.

Database name
  Sets the name of the comparative database - the default is AVG.GRS.

Scheduler
  Allows a time interval (in days) for a scheduled test to be defined.
  Whenever AVG is run the date is checked and the user is prompted when
  the time has come to run the test.
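As an added example (not AVG's code and not the AVG.GRS format), the following script implements a comparative test of the kind described above: it builds a checksum database over program files, reports changed, new and erased files, and shows what "automatic update" of new and erased entries does. SHA-256 replaces the CRC-style checksums of the period, since a CRC can be made to collide by an attacker who controls the file; the extension list and the file names are constructed for the demonstration.

```python
"""Comparative (integrity) test: added example in the spirit of AVG's
comparative test, not AVG's own code or database format."""
import hashlib
import tempfile
from pathlib import Path

# Only program files are tracked; *.TXT and the like change too often.
PROGRAM_EXTENSIONS = (".exe", ".com", ".ovl", ".sys")


def checksum(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_database(root, extensions=PROGRAM_EXTENSIONS):
    """Map relative file name -> (size, checksum) for tracked files."""
    root = Path(root)
    db = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in extensions:
            db[str(p.relative_to(root))] = (p.stat().st_size, checksum(p))
    return db


def compare(root, db, auto_update=False):
    """Report changed/new/erased files against `db`.

    With auto_update the new and erased entries are written into `db`
    without confirmation, as AVG's automatic update does; changed files are
    never updated silently, because that is exactly the case that matters.
    """
    current = build_database(root)
    report = {
        "changed": sorted(k for k in db if k in current and db[k] != current[k]),
        "new": sorted(k for k in current if k not in db),
        "erased": sorted(k for k in db if k not in current),
    }
    if auto_update:
        for k in report["new"]:
            db[k] = current[k]
        for k in report["erased"]:
            del db[k]
    return report


def demo():
    """Constructed scenario: one file infected (bytes appended), one file
    added, one removed, one untracked text file edited."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "GAME.EXE").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "TOOL.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21")
        (root / "README.TXT").write_bytes(b"often edited, not tracked")
        db = build_database(root)

        # Simulated appending infector: host grows and its checksum changes.
        with open(root / "GAME.EXE", "ab") as f:
            f.write(b"\xe8\x00\x00\x5e" + b"VIRUS")
        (root / "NEW.EXE").write_bytes(b"MZ" + b"\x01" * 10)
        (root / "TOOL.COM").unlink()
        (root / "README.TXT").write_bytes(b"edited again")

        first = compare(root, db, auto_update=True)   # new/erased absorbed
        second = compare(root, db)                    # only the change remains
        return first, second, len(db)
```

The database itself must be protected as carefully as the backup of the system areas: a resident virus with write access to AVG.GRS could simply record the infected checksums as the new baseline.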
******************************************************************************

Utilities
═════════

Utilities contains the following:

Password
────────
A password protects those features of AVG that are considered privileged.
These features are not accessible as standard (they are coloured
differently in the menu) and must first be activated with the password.
This password, which is always valid, is stored in the file {PWD} on the
installation diskette. The file is not copied to the hard disk during
installation.

Backup system areas
───────────────────
The system areas of hard disks and diskettes carry information vital to
the correct running of a computer and are prime targets of some viruses.
Removing a virus from these regions is a very sensitive procedure that can
crash the system. The simplest and most reliable method is to back them
up: if the system areas are infected and/or damaged, they can then be
restored to their original condition. All important system areas are
stored in one file from which they can be retrieved. AVG backs up the
following areas:

  Partition table
  Extended partition tables
  Boot sectors of hard disks
  CMOS memory

Devices that DOS views as networked cannot be backed up.

The first step is to name the backup file. The default name is
A:\SYSTAB.GRS; both name and path can be changed.

▀████▀
  ▀▀   Do not save backup copies to the hard drive, as they will be
  ▀▀   inaccessible if the system crashes - save them on a diskette.

The backup follows entry of the file name. If the file already exists, the
user is warned and must confirm that it be over-written. AVG also checks
that the areas being backed up are not infected; if they are, the program
refuses to create the backup.

Restore partition table and Restore boot sector
───────────────────────────────────────────────
A list of devices is displayed. The file containing the backup must be
selected. AVG accepts only a file with the correct structure and restores
only after further confirmation.
Restore CMOS memory
───────────────────
The file containing the backup must be selected. AVG accepts only a file
with the correct structure and restores only after further confirmation.
The date and time are not restored.

╔═╤═╗
╟─┼─╢  The menu item Restore system areas opens a dialogue box from which
╚═╧═╝  the selection is made. The process is then the same as given above.

Complete Reconstruction
───────────────────────
┌────┐
│C:\>│  Restores all system areas together. It should be used when more
└────┘  than one area is damaged and individual restoration is not
        possible. It is usually necessary to boot from a system diskette
        and then run AVG from diskette. All system areas are restored
        without verification as to whether they match the current
        configuration. On a diskette this function replaces the boot
        sector with a generally valid structure for this region.

╔═╤═╗
╟─┼─╢  Complete reconstruction is not available, because low-level access
╚═╧═╝  is not allowed.

File viewer
───────────
┌────┐
│C:\>│  Displays the text files distributed with the AVG antivirus system.
└────┘

╔═╤═╗
╟─┼─╢  Not included in AVG for WINDOWS, as Notepad is adequate.
╚═╧═╝

Single step
───────────
This makes full heuristic analysis accessible in the form of a debugger and
allows code to be tested instruction by instruction. It is intended for
users with advanced knowledge of the system and of assembler, to help them
judge whether code is correct. With this tool you can test:

  Selected files
  Partition table
  Boot sectors
  INT13 - Disk services control
  INT21 - Operating system services

Single step is controlled by ENTER or the Space bar: one step is displayed
after each key press. To run non-stop press ALT+F; pressing ALT+F again
returns to single step. The following parameters may be set:

  EXE relocation - relocations in EXE files are recalculated.
  Detect cycles  - jumps to repeating addresses are detected.
  Log file       - creates a single-step report file.
**************************************************************************

EXIT
════

Correctly exits AVG.

Exit
  Exits the program and returns to the operating system.

Restart Computer
  An alternative is to reset the system. This should ALWAYS be used when a
  virus has just been removed, otherwise the virus may remain active in
  memory and continue to infect.

Restart Windows
  Available only in WINDOWS.

***************************************************************************

Macros
══════

Macros are a useful way of carrying out frequent tests. A macro file is a
text file containing AVG commands, similar to the commands in a command
file. The file can have any name but its extension must be MAK. AVG checks
for MAK files on start-up.

┌────┐
│C:\>│  A list of macros is displayed by pressing ALT-M.
└────┘

╔═╤═╗
╟─┼─╢  A list of macros is invoked by clicking on the macro icon (camera).
╚═╧═╝

Macro commands
──────────────
The following commands can be used in a macro:

SCAN
  Activates Scan-test. The full syntax is:

    SCAN [DEVICE:[\DIRECTORY[\FILE]]] [:number of days]

  DEVICE:\DIRECTORY\FILE - the device and/or directory, or a particular
                           file, to be tested.
  :number of days        - the time interval between tests run from the
                           macro file. If omitted or set to 0, the
                           command is always executed.

  Example:

    SCAN C: D:\MYDIR:7

  Runs Scan-test, if more than 7 days have passed since the last test, on
  the whole of drive C:, but on D: only directory \MYDIR is tested.

COMP
  Activates the comparative test. The syntax is the same as for SCAN.

HEUR
  Activates heuristic analysis. The syntax is the same as for SCAN.

/SUBDIR[+/-]
  Turns testing of subdirectories on/off.

/ANALYSIS[+/-]
  Turns fast heuristic analysis on/off.

/REPORTfilename
  Defines the name of the file to which the results of the tests are
  logged.

/FASTREAD[+/-]
  Turns fast reading on/off.

/XMS[+/-]
  Turns XMS memory usage on/off.

/STEALTH[+/-]
  Turns anti-Stealth technology on/off.
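The following parser for the macro syntax above is an added example, not AVG's own macro interpreter. It reads a constructed MAK file, separates switches from SCAN/COMP/HEUR commands, and applies the scheduling rule (interval omitted or 0 means always run; otherwise run when more than that many days have passed). Two points are assumptions: a `:days` suffix on any target is taken to apply to the whole command, as in the page's example, and the "last run" record is kept by the caller, since the page does not say where AVG stores it.

```python
"""Parser and scheduler for AVG-style MAK macro files.

Added example, not AVG's code. Assumes a ':days' interval on any target
applies to the whole command and that the caller records last-run dates.
"""
import re
from datetime import date, timedelta

# "D:\MYDIR:7" -> path "D:\MYDIR", days 7; "C:" -> days omitted; "C::30" -> 30
TARGET = re.compile(r"([A-Za-z]:[^:]*)(?::(\d+))?")
SWITCH = re.compile(r"/([A-Za-z]+)\s*([+-]?)")
COMMANDS = ("SCAN", "COMP", "HEUR")


def parse_macro(text):
    """Return (commands, switches); commands are dicts with cmd/targets/days."""
    commands, switches = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("/REPORT"):      # /REPORTfilename, no sign
            switches["REPORT"] = line[len("/REPORT"):].strip()
            continue
        if line.startswith("/"):
            m = SWITCH.fullmatch(line)
            if not m:
                raise ValueError(f"bad switch: {line!r}")
            switches[m.group(1).upper()] = m.group(2) != "-"
            continue
        cmd, *tokens = line.split()
        cmd = cmd.upper()
        if cmd not in COMMANDS:
            raise ValueError(f"unknown command: {line!r}")
        targets, days = [], 0
        for tok in tokens:
            m = TARGET.fullmatch(tok)
            if not m:
                raise ValueError(f"bad target {tok!r} in {line!r}")
            targets.append(m.group(1))
            if m.group(2) is not None:
                days = int(m.group(2))
        commands.append({"cmd": cmd, "targets": targets, "days": days})
    return commands, switches


def due(command, last_run, today):
    """Interval omitted/0: always. Otherwise: more than `days` days since
    the last run, or never run at all."""
    if command["days"] == 0 or last_run is None:
        return True
    return (today - last_run).days > command["days"]


def plan(text, last_runs, today):
    commands, switches = parse_macro(text)
    return [c for c in commands if due(c, last_runs.get(c["cmd"]), today)], switches


# Constructed sample macro file.
SAMPLE_MAK = r"""
/REPORTC:\AVG\NIGHTLY.LOG
/SUBDIR+
/ANALYSIS-
SCAN C: D:\MYDIR:7
HEUR C:\DOS\COMMAND.COM
COMP C::30
"""


def demo_plan():
    """SCAN ran 5 days ago (not due), HEUR has no interval (always due),
    COMP ran 31 days ago (due)."""
    today = date(1996, 2, 15)
    last_runs = {"SCAN": today - timedelta(days=5),
                 "COMP": today - timedelta(days=31)}
    runs, _ = plan(SAMPLE_MAK, last_runs, today)
    return [c["cmd"] for c in runs]
```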
More detailed information on the parameters /FASTREAD, /STEALTH and /XMS
can be found in the chapter Settings.

╔═╤═╗
╟─┼─╢  The parameters /STEALTH, /XMS and /FASTREAD are ignored in AVG for
╚═╧═╝  WINDOWS as they are inapplicable.

**************************************************************************

User definition of new viruses
══════════════════════════════

AVG works with a virus database (AVG.AVI) which is updated regularly.
Should this file not exist, most features will be unavailable. It is
possible to complement AVG.AVI with a file of additional virus definitions
entered by the user. This file must be named EXTERN.AVI. Each virus
definition occupies one line with the following syntax:

Sequence
  First give the sequence (the virus identifier), written in hexadecimal.
  If the sequence contains a variable byte, use the symbol ??. For a
  variable number of variable bytes use the symbol [x], where x is the
  number of variable bytes: [3] is the same as ?? ?? ??, and [0-3] matches
  anything from zero to three bytes (nothing, ??, ?? ?? or ?? ?? ??).

Virus name
  The name of the virus follows, in quotes.

Type of infection
  The type of infection defines where the virus can be found:
    M - infects memory
    C - infects COM files
    E - infects EXE files
    B - infects system areas

Comment
  A comment may follow; it must be preceded by a double slash //.

A typical example is this definition of an imaginary virus:

  CD 21 BB 00 2A ?? BB FF [0-5] FF "Imaginary" MCE //comment

▀████▀
  ▀▀   Sequences published in technical literature should be weighed with
  ▀▀   care. They are sometimes inaccurate and could cause false alarms or
       significantly decrease the speed of AVG. Some published sequences
       are not for general use and work only with a particular brand of
       antivirus software.
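The following parser for the EXTERN.AVI line syntax is an added example, not AVG's code: it translates each definition into a byte-level regular expression (the translation, the `fixed_bytes` quality check and the sample buffers are this example's assumptions, not AVG's algorithm), scans a buffer with it while honouring the M/C/E/B target types, and flags definitions with so few fixed bytes that they would produce exactly the false alarms and slow-downs the warning above describes.

```python
"""Parser and scanner for the EXTERN.AVI definition syntax.

Added example, not AVG's code. Sequences are compiled to bytes regexes;
the sample definitions and buffers are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

TOKEN = re.compile(r"\?\?|\[(\d+)(?:-(\d+))?\]|[0-9A-Fa-f]{2}")
HEADER = re.compile(r'(.*?)\s*"([^"]*)"\s*([MCEB]+)\s*')


@dataclass
class Definition:
    name: str
    pattern: "re.Pattern"   # compiled bytes regex
    targets: frozenset      # subset of {"M", "C", "E", "B"}
    fixed_bytes: int        # literal bytes in the sequence


def parse_definition(line: str) -> Definition:
    body = line.split("//", 1)[0].strip()          # drop the // comment
    m = HEADER.fullmatch(body)
    if not m:
        raise ValueError(f"malformed definition: {line!r}")
    seq_text, name, types = m.groups()
    parts, fixed = [], 0
    for tok in seq_text.split():
        mt = TOKEN.fullmatch(tok)
        if not mt:
            raise ValueError(f"bad sequence token {tok!r} in {name!r}")
        if tok == "??":                            # one variable byte
            parts.append(b".")
        elif tok.startswith("["):                  # [x] or [lo-hi] variable bytes
            lo = int(mt.group(1))
            hi = int(mt.group(2)) if mt.group(2) else lo
            parts.append(b".{%d,%d}" % (lo, hi))
        else:                                      # literal hex byte
            parts.append(re.escape(bytes.fromhex(tok)))
            fixed += 1
    if not parts:
        raise ValueError(f"empty sequence for {name!r}")
    return Definition(name, re.compile(b"".join(parts), re.DOTALL),
                      frozenset(types), fixed)


def load_definitions(text: str):
    return [parse_definition(l) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("//")]


def scan(data: bytes, defs, kind: str):
    """kind: 'C' (COM file), 'E' (EXE file), 'B' (system area) or 'M'."""
    return [d.name for d in defs if kind in d.targets and d.pattern.search(data)]


def weak_definitions(defs, min_fixed=8):
    """Definitions with few literal bytes: prone to false alarms and slow."""
    return [d.name for d in defs if d.fixed_bytes < min_fixed]


# Constructed sample EXTERN.AVI contents (not real virus data).
EXTERN_AVI = """
// constructed sample, not real virus data
CD 21 BB 00 2A ?? BB FF [0-5] FF "Imaginary" MCE //comment
B4 4C [0-20] CD 21 "TooShort" C // only four fixed bytes
"""

# Constructed buffers: the sequence with three filler bytes (matches),
# the same with six filler bytes (outside [0-5], no match), and a clean
# "exit to DOS" stub.
SAMPLE_INFECTED = (b"\xe9\x10\x00" + b"\x90" * 3 +
                   b"\xcd\x21\xbb\x00\x2a\x07\xbb\xff\x90\x90\x90\xff\xc3")
SAMPLE_TOO_FAR = b"\xcd\x21\xbb\x00\x2a\x07\xbb\xff" + b"\x90" * 6 + b"\xff"
SAMPLE_CLEAN = b"\xb8\x00\x4c\xcd\x21"
```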
******************************************************************************

User validation
═══════════════

As stated in the chapters on fast heuristic analysis and full heuristic
analysis, one of their properties is a certain sensitivity to non-standard
programs. However, a number of legitimate programs must bypass the
operating system in order to achieve the required result.

What is validation?
───────────────────
One way to eliminate false alarms in heuristic analysis is validation.
Heuristic analysis has a list of files (AVG.AVF) that are known to cause
false alarms. Whenever a suspect file is encountered, AVG.AVF is consulted
and, provided that all the data (CRC etc.) correspond, the analysis treats
the file as correct and no alarm is given. AVG.AVF is created and updated
regularly by GRISOFT. It has, however, proved very useful to allow the
user to add his own entries in a separate validation file, EXTERN.AVF.

▀████▀
  ▀▀   User validation also involves a certain degree of danger. If, by
  ▀▀   mistake, a file that really is infected by a virus is validated,
       AVG will no longer be able to detect the virus in that file! User
       validation should be carried out only by an experienced user, and
       then only for programs that are definitely uninfected or whose
       design has been discussed with their manufacturer.

User entry into the EXTERN.AVF file
───────────────────────────────────
To add a new entry to EXTERN.AVF, use the command:

  MANAVF.EXE name_of_file

Give the name of the file together with its path so that MANAVF.EXE can
find the file and calculate checksum information for it. MANAVF.EXE opens
or creates EXTERN.AVF and adds information about the validated file: its
name, checksum and length. Because all of these must correspond, a
validated file that is later modified (for example by an infection) no
longer matches its entry and is reported again.

Deletion of an entry
────────────────────
Each entry in EXTERN.AVF occupies its own line. The user can therefore
later delete any validation by editing EXTERN.AVF.

Use of the EXTERN.AVF file
──────────────────────────
EXTERN.AVF is always read by AVG on start-up.
If AVG is copied to a diskette, AVG.AVF and EXTERN.AVF must be copied with
it.

******************************************************************************

Appendices
══════════

List of ERRORLEVEL values returned by AVG
─────────────────────────────────────────
   0  AVG found nothing important or suspicious
   1  AVG was aborted by Ctrl-Break
   2  AVG detected an error
   3  Comparative test found a change in files
   4  Comparative test found a change in system areas
   5  Code analysis detected a suspect file
   6  Code analysis detected a suspect system area
   7  Scan-test found a file infected by a known virus
   8  Scan-test found a system area infected by a known virus
   9  Memory test found a virus
  10  Memory test found an aggressive virus
  11  AVG found an internal error

In a batch file, IF ERRORLEVEL n is true for any value greater than or
equal to n, so test the highest values first.

Test evaluation
───────────────
AVG's evaluation of files and system areas ranges from OK to Infected by a
known virus. Since some users have been confused by the different
wordings, all of them are listed here with an explanation of each.

File OK
  The tested file is completely in order.
Faulty file
  The file contains an incorrect instruction; it may not run, or may crash
  the system.
Can cause system RESET
  Analysis has found an instruction that would lead to a RESET of the
  computer. This may be the residue of a virus infection, or more probably
  a file destroyed by a virus.
Suspicion
  Analysis has detected some unusual symptoms in the file. In most cases
  this does not mean the presence of a virus.
Could be infected
  Analysis has detected many symptoms in the file. The file is either
  infected or extremely non-standard.
Probably infected by an unknown virus
  Analysis has detected so many symptoms that the presence of an unknown
  virus is highly likely.
Probably infected by a known virus
  Analysis has detected a known virus in the file but with fewer symptoms
  than expected. The file is most probably infected.
Infected
  A known virus has been found.

Heuristic analysis flags - in alphabetical order
────────────────────────────────────────────────
{&} Asynchronous code
  An asynchronous move is used in the code, which could be employed for
  trick modification of the code.
  Heuristics cannot guarantee exact emulation of the asynchronous move.
{a} Sets file attributes
  A routine that modifies file attributes. Typical of file viruses, which
  can then infect READ-ONLY files.
{A} Suspect allocation of memory
  Uses methods that normally occur in memory-resident file viruses.
{B} Return to entry point
  A jump to the original entry address was detected. For COM files this
  means a return to the address PSP:100h; with EXE files, the calculation
  of the address, or an indexed jump (e.g. JMP [SI+jjkk]) by which the
  virus passes control to its host, is found first. This symptom is of
  key importance for heuristic treatment.
{b} Uses direct disk services
  A method used by many viruses. Normal programs do not usually use these
  services.
{c} Incorrect date and time
  The file has a nonsensical time-stamp. A virus can mark its victims by
  using an incorrect time-stamp.
{C} Sets incorrect file time
  Used by viruses to mark the files they have infected. As a rule the file
  is given a nonsensical time-stamp, such as 10:00:62; from this the virus
  knows that it has already infected the file.
{D} Controls disk services
  Takes control of disk operations. Typical of some disk utilities, of all
  boot viruses and of some file viruses, particularly of the stealth type.
{e} Seek to end of file
  Analysis detected that the file pointer is moved to the end of the file.
  File viruses append themselves in this way.
{E} Finds dynamic entry point
  Locates its own relative address. Typical of some file viruses.
{f} Suspicious access to files
  File access techniques were detected that rarely occur in normal
  programs.
{g} Confusing instructions
  Instructions were found whose only evident purpose is to make
  identification of a virus difficult. Typical of mutation viruses, which
  interleave their code loops with many different short instructions in
  order to confuse antivirus software.
{i} Faulty instructions
  Analysis has detected a faulty instruction, or synchronisation of the
  heuristic analysis has failed. In the latter case the final evaluation
  may not be entirely exact.
{J} Suspect jump
  A suspiciously constructed jump was detected, typical of most file
  viruses.
{l} Code in lower memory
  Uses free space in base memory to place its code. This technique is
  impure and is used by viruses and by some protective programs. In this
  way the virus fragments its code further in order to make detection
  difficult.
{L} Controls opening of files
  If a virus is resident it can attack files when they are opened. A
  function hooked into the DOS interrupt service (INT 21h) that is
  triggered when a file is opened or executed (e.g. function 4Bh, EXEC).
{m} Modifies memory
  Direct modification of the MCB structures has taken place. Typical of
  resident file viruses, which in this way gain a place in memory from
  which to control the system.
{M} Changes size of base memory
  A change in the size of base memory was detected. Typical of boot
  viruses and some resident file viruses.
{o} Opens file
  Opens EXE/COM files with write permission. Used by viruses to infect
  files when they are opened; it can also occur in normal applications.
{O} Controls services of operating system
  Takes control over operating system services. Typical of all resident
  viruses and of some correct resident programs.
{p} Writing to ports
  Writing to ports can be used for uncontrollable operations. It occurs
  with some viruses and with special programs (drivers).
{r} Reads file
  Reads an open EXE/COM file. Can also occur in correct programs.
{R} Resident code
  The code becomes resident. Common to all resident viruses; also used by
  correct resident programs. If this flag is found, first determine
  whether the tested program is meant to be resident.
{s} Suspiciously set stack
  The stack can be interleaved with code. This is typical of viruses but
  also occurs with special programs.
{S} Seeks executable files
  Seeks out files on a disk.
  Typical of viruses that attack directly - they usually seek out files
  under the masks *.COM and *.EXE.
{t} Requests date and time
  If this is a virus, it is activated when specific time conditions are
  fulfilled.
{T} Checks steps and breakpoints
  Rewriting the single-step and breakpoint interrupt vectors makes
  decoding a program with a debugger difficult or impossible. This method
  is used only by viruses and protective programs.
{U} Uses undocumented function
  By calling a non-standard function the program can ascertain whether it
  is already resident in memory. This occurs with some resident
  applications and with most resident file viruses.
{w} Write to EXE/COM files
  Typical of file viruses.
{W} Direct write to disk
  A routine that writes directly to disk was detected. Typical of boot
  viruses and of all destructive viruses.
{x} Interrupted
  The time limit was reached or the test was aborted by a key press; the
  test was not completed. To adjust the maximum time see Settings -
  Heuristic analysis settings - Advanced.
{X} Coded
  A decoding routine was detected. Typical of mutation viruses.
{Z} Distinguishes between EXE and COM
  Used by file viruses, which need to determine the type of host before
  attacking it. Correct programs generally have no need of such a
  distinction.
{!} Switches off resident antivirus protection
  Typical of a virus which, before spreading, tries to switch off
  antivirus defences.

Acknowledgements
════════════════
AVG is a registered trademark of GRISOFT(c) SOFTWARE.
IBM PC XT/AT are registered trademarks of IBM.
MS-DOS, Windows, Windows 95, Windows NT are registered trademarks of
Microsoft Corporation.
DR-DOS, DoubleStore, DoubleSpace are registered trademarks of Digital
Research Inc.
Novell Netware is a registered trademark of Novell Inc.
Stacker is a registered trademark of STAC Electronics.