home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
PC Format 8 (5.25")
/
PC Format - Issue 8 May 1992 - Disk 1.ima
/
TBSCNX26.EXE
/
TBSCANX.DOC
< prev
next >
Wrap
Text File
|
1991-04-19
|
35KB
|
794 lines
DOCUMENTATION FOR TBSCANX V2.6
REGULATIONS WITH REGARD TO USE AND DISTRIBUTION OF TBSCANX
----------------------------------------------------------
Both TbScanX and the accompanying documentation are SHAREWARE. This
simply means the program is covered by the copyrights of ESaSS, but
can be used and distributed freely as long as the following
regulations are observed.
+ Concerning the distribution of the TbScanX program no
administration and/or shipping costs exceeding the amount of
$5,- may be charged.
+ Distribution of TbScanX may only take place when both the
program and the documentation are left unmodified and only when
the complete program is supplied.
+ So it is not allowed to distribute the program apart from the
documentation.
+ ESaSS accepts no responsibility in case the program
malfunctions or does not function at all.
+ ESaSS can never be held responsible for damage, directly or
indirectly resulting from the use of TbScanX.
+ Using TbScanX means that you agree on these regulations.
DESCRIPTION TBSCANX
-------------------
TbScanX is a program that was developed to trace viruses, Trojan
Horses and other threats to your valuable data. It is a so-called
virus scanner.
A virus scanner is a program that is able to search a signature
that has been determined beforehand. Most viruses consist of a
unique signature, so by means of checking for the appearance of
this signature we can see whether or not a program has been
infected.
By searching all your program files for the signatures of all
viruses already identified you can easily find whether your system
has been infected and, if that is the case, with which virus.
By now already many virus scanners have been developed. The problem
with all these scanners is that you have to execute them. Suppose
you have the virusscanner automatically invoked in your
autoexec.bat file. If no viruses are found, your system is supposed
to be uninfected. But, to be sure that no virus can infect your
system, you have to run the scanner every time before you copy a
file to your harddisk, after downloading a file from your BBS, or
after unarchiving an archive such as a ZIP file. Be honest, do YOU
actually invoke your scanner every time?
TbScanX has a unique feature to overcome this drawback, it will
remain resident in memory, and AUTOMATICALLY scan all files you
execute, copy, download, modify, or unarchive!
Probably you think that a resident virus scanner consumes much
memory, makes your system slow, and is a source of many problems.
But, if you already know our free-ware scanner TBSCAN, you know
that this scanner can scan your files ten times faster compared
with other scanners. Also TbScanX achieves this lightning fast
speed. Actually, TbScanX is a lot faster, since it will not access
your disk to scan the files, because all files to be created or
modified reside already in memory!
Besides this, TbScanX consumes only 8 Kb of memory, including the
signatures to scan for! If there is expanded memory available,
TbScanX uses even less than 1Kb of memory!
TbScanX carries the same feature of its transient brother TBSCAN:
+ TbScanX is fully programmable by means of a data file.
Most of the time viruses spread quickly. After a new virus has
been found there is often no time to adapt your virus checker
in order to make it capable of recognizing this new virus. That
is why TbScanX uses a data file in which the signatures of the
viruses occur. This file can quickly be adapted, possibly by
yourself, for example when you are informed of a new virus
through the media. TbScanX supports among other things the
format which is used in the file "virscan.dat". This file is
regularly adapted and can be obtained at a lot of data banks.
+ TbScanX supports wildcards in the signature.
A lot of viruses encrypt themselves after each infection, so
the signatures always look different. There is one part of the
virus however that cannot be modified: the routine that has to
"unpack" the modified part of the virus.
But it is a misunderstanding that this part of the virus always
should look the same. The fact is there are viruses that pepper
their unpack-routine with useless instructions which have no
effect and which are continuously replaced by other nonsensical
instructions. Although the unpack-routine always functions the
same, it looks different every time because of these changing
fake instructions!
By inserting wildcards on places where the fake instructions
occur in the signatures of the data file, such a virus can
still be traced and identified. This is the case because any
character may be used on the place of a wildcard.
It is also possible to skip a variable amount of garbage bytes
in the signature.
+ TbScanX supports normal text as the signature.
Most signatures are inserted in ASCII-HEX. But when desired you
can also specify a normal text as the signature. In this case
you put the text between double quotation marks.
+ TbScanX offers other software an universal hook to scan data
for viruses. If you are a programmer, you can instruct your
programs to scan information read from disk for viruses before
using the data.
USAGE OF THE PROGRAM
--------------------
TbScanX is easy to use. Simply type TBSCANX. The program can also
be invoked from within your config.sys file by inserting the line
"device=TBSCANX.COM". The advantage of the last method is that
TbScanX will get a better position in the memory and is able to
protect the system before other programs are executed. TbScanX uses
also less memory in device driver mode. (NOTE: If you invoke
TbScanX from within your config.sys you have to specify the
extension .COM)
If you use MS-Windows you should load TbScanX BEFORE starting
Windows. If you do that there is only one copy of TbScanX in
memory, but every DOS-window will nevertheless have a fully
functional TbScanX in it. TbScanX detects if Windows is starting
up, and will switch itself in multitasking mode if neccesary.
Options available:
-? = Display help sreen.
-d = Disable TbScanX.
-e = Enable TbScanX.
-r = Remove TbScanX from memory.
-f <filename> = Use the specified file as signature file.
-o = Optimize signatures.
-n = no scan at execute.
-me = Use Expanded memory.
-mu = Use Upper memory.
-mh = Use Hercules-half memory.
-mf = Use Hercules-full memory.
-mc = Use CGA/EGA/VGA memory.
-u = Unauthorized signatures allowed.
-D If you specify this option TbScanX will be disabled, but it
will remain in memory.
-E If you use this option TbScanX will be activated again after
you disabled it with the -D option.
-F This option tells TbScanX which file should be used as
signature file. Use this option if you use TbScanX as a device
driver, or if the signature file can not be found in the
current or home directory.
-O If you specify this option TbScanX will optimize the signatures
by merging signatures that are more than 75% equal. Look at the
next two signatures:
Signature 1: CD2145A689BF452F1E77CBCD21
Signature 2: CD2111A689BF4A3F1E77CBCD21
TbScanX will replace the differences between the two signatures
by wildcards and removes the second signature. The resulting
signature of the example above is:
Signature 3: CD21??A689BF????1E77CBCD21
It is obvious that this option can save some memory and
increases the scanning speed somewhat. This option has never
the result that some viruses go by undetected, but instead, the
chance for false alarms increases somewhat.
-N TbScanX normally scans files also just before they are executed.
If you don't like that you can use this option to disable this
feature. This option can only be used at the initial invokation
of TbScanX.
-M TbScanX offsers you some possibilities to minimize the usage of
conventional memory. The -M option requires a parameter that
tells TbScanX which memory should be used. All parameters
except "U" reduce the usage of conventional memory to less than
one Kilobyte. The rest will be stored in the specified memory.
The "U" parameter can even reduce the usage of conventional
memeory to zero bytes! It is also the only parameter that can
be used in combination with other memory parameters.
X If you specify this parameter TbScanX will use expAnded
memory to store the signatures and a part of its
program code. Expanded memory is allocated in 16Kb
blocks, so the minimum amount of expanded memory you
loose is 16Kb. However, conventional memory is more
valuable to your programs than expanded memory, so
using this option is recommended.
H If you specify this parameter TbScanX will use some
part of the Hercules videomemory to store the
signatures. As long as the videocard remains in the
text mode it uses only a little part of its
videomemory. The rest can be used by... TbScanX.
Videomemory is very slow, so also TbScanX will slowdown
somewhat. If you execute a program that switches the
card into the graphics mode TbScanX will disable
itself completely. You can re-activate TbScanX by
running it again. It will automatically remove the old
resident part of TbScanX that might be left in memory.
F This parameter does the same as the H parameter, but
it will switch the Hercules card in the so called full
mode. TbScanX then uses videomemory that will not be
used by even most of the graphics software. You can run
a graphics program while TbScanX remains active at the
same time! But watch out! If you have two videocards in
your machine at the same time, DO NOT USE this option!
C This parameter does the same as the H parameter, but
it will now use CGA/EGA/VGA videomemory.
U This parameter can be used to load TbScanX into upper
memory. Upper memory is available on many 80386 based
machines which run memory managers like QEMM. TbScanX
will load itself in upper memory, do don't use
special highload programs. If you use this parameter in
combination with other parameters it will load the
remaining part of TbScanX in conventional memory to
upper memory. So TbScanX can use Expanded memory and
high memory at the same time. The result is that also
the amount of upper memory required is minimized.
-U TbScanX checks the signature file for modifications. If you
change the contents of that file TbScanX will issue a warning.
If you don't want the warning to be displayed, use the -U
option.
-R This option can be used to remove the resident part of TbScanX
from your memory. All memory used by TbScanX will be freed.
Unfortunately, the removing of a TSR is not always possible.
TbScanX checks whether it is safe to remove the resident part
from memory, if it is not safe it just disables TbScanX. A TSR
can not be removed if some other TSR is started after TbScanX.
If this is the case TbScanX will completely disable itself. If
the character device "SCANX" exists it will be renamed to
"$CANX". If you invoke TbScanX again at some later time the
device will be renamed and re-used automatically.
TbScanX looks for the data file in the way mentioned hereunder:
1) It uses the file specified with the -f option.
2) It searches in the active directory for a file with the
name TBSCAN.DAT.
3) It searches for TBSCAN.DAT in the same directory as the
program file TBSCAN.COM itself is located.
4) It searches in the active directory for a file with the
name VIRSCAN.DAT.
Example:
c:\utils\tbscanx -f c:\tb\tbscan.dat -me
or:
device=c:\utils\tbscanx.com -f c:\tb\tbscan.dat -me -o
Whenever a program tries to write to an executable file (files with
the extensions .COM and .EXE), you will shortly see the text
"*Scanning*" in the upper left corner of your screen. As long as
TbScanX is scanning this text will appear. Since TbScanX takes not
much time to scan the file, the message will only appear shortly.
When TbScanX has detected a virus, it will display the the message
WARNING, <filename> is infected with <virus name>!
Abort? (Y/n)
Press "N" to continue, press any other key to abort.
To display the name of the virus, TbScanX needs the signature file
again. It will automatically use the signature file that was used
when you invoked the program. If the signature file is missing
(because you deleted it, or because you removed the floppy with
it), or no file handles are left, TbScanX will still detect
viruses, but it is no longer able to display the name of the virus.
It will display [Name unknown] instead.
When TbScanX has been started from within the config.sys file (as a
device driver) it has added a character device with the name
"SCANX". When you sent data to this device the data will be scanned
for signatures. Try this:
copy testvir.com scanx /b
No file will be created with the name "scanx" but the input (the
contents of the file "testvir.com") will be scanned for viruses.
This way you can easy inspect any file (also the non-executables)
for the existence of virus signatures without the need to invoke a
special program. If the device "scanx" detects a signature in the
input it will simulate a DOS "write protect error".
Note that you have to specify the "/b" option. Otherwise DOS will
sent the characters to the device one by one. This consumes a lot
of time and of course, no signatures will be found in one byte
sequences!
REGISTERING
-----------
The unregistered version of TbScanX will prompt you to press a key
while starting up, except when you have a Thunderbyte add-on card
installed. To register TbScanX, see the register.doc file.
Only the registered version of TbScanX is able to make use of
expanded memory without random restrictions.
Once registered, you can use all future versions of TbScanX for
free!
--> YOU DON'T HAVE TO REGISTER TBSCANX IF YOU USE IT IN A PC WITH A
THUNDERBYTE ADD-ON CARD INSTALLED!
FORMAT OF THE DATA FILE
-----------------------
The data file (called TBSCAN.DAT or VIRSCAN.DAT) can be read and/or
modified with every ASCII editor.
All lines beginning with ";" are comment lines. TbScanX ignores
these lines completely. When the ";" character is followed by a
percent-sign the remaining part of the line will be displayed on
the screen. A maximum of 15 lines can be printed on the screen.
Nice for "HOT NEWS"...
In the first line the name of a virus is expected. The second line
contains one or more of the next words:
BOOT SYS EXE COM HIGH LOW
These words may be separated by spaces, tabs or commas.
TbScanX will only scan for viruses with the keywords COM or EXE.
The other keywords will be ignored, and are only used by the
non-resident version: TBSCAN. Also note that TbScanX will not
distinguish between COM and EXE files. All executable files will be
scanned for both EXE and COM viruses. This saves some memory.
BOOT means that the virus is a bootsector virus. SYS, EXE and COM
indicate the virus can occur in files with these extensions. Also
overlay files (with the extension OV?) will be searched for EXE
viruses. HIGH shows that the virus can occur in the memory of your
PC, namely in the memory located above the TBSCAN program itself.
LOW means that the virus can occur in the memory of your PC, namely
in the memory located under the TBSCAN program itself.
In the third line the signature is expected in ASCII-HEX. Every
virus character is described by means of two characters. Instead
of two HEX characters, two question marks (the wild- card) may also
occur. The latter means that every byte on that position matches
the signature. Below you will find an example of a signature:
A5E623CB??CD21??83FF3E
You can also use the asterisk followed by an ASCII-HEX character to
skip a variable amount of bytes in the signature. The ASCII-HEX
character specifies the amount of bytes that should be skipped. The
signature could be:
A5E623CB*3CD2155??83FF3E
The next sequence of bytes will be recognised as a virus:
A5E623CB142434CD21554583FF3E
Instead of a signature in ASCII-HEX you can also specify a normal
text. This should be put between double quotation marks. A correct
signature is for example:
"I have got you!"
This series of three lines should be repeated for every virus.
Between all lines comment lines may occur.
LIMITATIONS
-----------
+ 128 Kb of free memory is needed to start the program.
(5 Kb of memory once installed in memory)
+ DOS version 3.0 or later is needed.
+ The size of the data file has a maximum of 64 Kb.
+ The name of a virus may consist of maximally 30 characters.
+ The ASCII-HEX signature can consist of maximally 80 characters.
+ Up to 500 different signatures may be specified.
+ All filenames have a maximum length of 48 characters.
ERRORMESSAGES
-------------
Errormessages that can be displayed:
+ Not enough memory
There is not enough free memory.
+ Error in data line at line <number>.
There is an error in the specified line of the data file.
+ Limit exceeded.
The data file was too long or too many virus signatures
occur in it.
+ Data file not found.
TbScanX has not been able to locate the data file.
+ Processor type does not match.
You are using a processor dependant version of TbScanX and
it can not be executed by the current processor.
SPECIAL VERSIONS
----------------
The file TBSCANX.COM is fully functional. However, we supplied two
special versions of TbScanX to be used with certain processor types. If
you use the special 286 or 386 version of TbScanX you will get the best
out of your processor concerning memory usage and speed. If you want to
use the 286 version of TbScanX, just rename the file TBSCANX.286 to
TBSCANX.COM. The same applies to the file TBSCANX.386.
TBSCANX.COM: Universal version. Runs on all processor types.
Supports Windows 386-enhanced-mode.
Uses more memory and is somewhat slower compared to the
other versions.
TBSCANX.286: Runs on machines with a NEC-V20, NEC-V30, 80286, 80386
and 80486 processor.
Does NOT support Windows 386-enhanced-mode.
This version uses almost 100 bytes less compared to the
other versions and is somewhat faster.
TBSCANX.386: Runs on machines with a 80386 or 80486 type processor.
Supports Windows 386-enhanced-mode.
Uses less memory compared to the standard version, but
more than the 286 version due to the Windows support.
It is the fastest version available.
Application Interface
---------------------
If you are a software developer you can use TbScanX to check data for
viruses. A program can perform a self check as soon as it is invoked by
sending its code to TbScanX. A program that processes other programs or
parts of it (by example scramblers or executable file compressors)
should check the data for viruses before processing it.
High-level control
This method is most usefull for the so-called high level programming
languages and languages that lack the ability to generate interrupts.
Try to open the file "SCANX". If this file exists TBSCANX has been
invoked from within the config.sys and is active in the machine. Open
the file in the binairy mode. Write the data to be scanned to the
opened file. If the data contains a signature of a virus TbScanX
simulates a DOS "write protect error". If nothing happens and the data
is accepted no signature could be found in it.
Low-level control
This method is more complex, but offers more possibilities. If your
programming language supports issuing interrups you should be able to
use this method. This method also functions when TbScanX has not been
started as device driver but as a normal TSR.
The interface consist of some multiplex calls (int 2Fh). Register AH
should contain CAh. Register AL contains the function request number.
Supported function requests:
AL=0 InstallationCheck
Return value:
AL=0 TbScanX not installed
AL=FFh TbScanX installed
If BX was 'TB' then it is now changed into 'tb'.
AL=1 GetStatus
Return value:
AH Version number TbScanX in BCD. (CAh if version < 2.2)
AL=0 TbScanX disabled
AL=1 TbScanX enabled
BX Segment swap area. Zero if not swapped.
CX Number of signatures that will be searched.
DX EMS_Handle. -1 if no expanded memory in use.
AL=2 SetStatus
BL=0 Disable TbScanX
BL=1 Enable TbScanX
Return value:
NONE
AL=3 ScanBuffer
DS:DX Address of buffer to scan.
CX Length of buffer to scan.
Return value:
No Carry flag set No signatures found in buffer.
Carry: Signature found in buffer!
ES:BX ASCIIZ-name of virus (null terminated)
Registers altered:
AX,BX,CX,DX,ES
The contents of the buffer remains unchanged.
AL=4 ScanFile
DS:DX Name of the program file to be scanned.
WARNING! There should be at least 4 Kb of free memory to
perform this function!
Return value:
No Carry flag set No signature found in file.
Carry: Signature found in buffer!
ES:BX ASCIIZ-name of virus (null terminated)
Registers altered:
AX,BX,CX,DX,ES
Assembler example:
mov ah,0CAh ;Multiplex number
mov al,0
int 02Fh ;Installation check
cmp al,0FFh ;If AL=FFh TbScanX has been installed.
jne notinstalled ;Else TbScanX has not been installed.
lea dx,buffer ;Address of the buffer in DS:DX
mov cx,512 ;Length of our buffer
mov ah,0CAh ;Multiplex number
mov al,3
int 02Fh ;ScanBuffer
jnc notinfected ;No carry? Then no virus found!
call print ;Virus found. Print name ES:BX
notinfected:
THUNDERBYTE
-----------
Virus scanners have a number of very serious disadvantages!
+ They cannot prevent infection. Virus scanners can only tell you
whether or not your system has been infected and if so, whether
any damage has already been done. By then only a good
(non-infected) backup can still save you.
+ They can only recognize viruses that have already been
identified. When a new virus has been launched it will take a
while before someone discovers it. After that it will take some
time before a reliable signature is dis- tilled from the virus
and it will also take a while for you to get hold of the newest
virscan.dat. All this means that there is a real chance that
your system is infected at a moment virus scanners have not
yet recognized "your" virus!
Viruses get more and more advanced. Among other things because of
all the attention the media is paying to the phenomenon computer
virus. It has even become a real sport for sick minds to write
computer viruses. Even viruses that have no stable signature
anymore have already been discovered. Because TBSCAN allows
wildcards in the data file it can still trace this kind of viruses
quite often. But it will not take much time anymore before viruses
will be created that have no special charac- teristics at all by
which they can be identified. And then even TBSCAN cannot help you
anymore. Even viruses that look for the DOS entry point in the same
way as TBSCAN does, avoi- ding detection by protection programs in
an effective way, already exist.
To provide programs with a checksum is neither a solution: as soon
as a file is read in, viruses can disinfect it, so every infected
program looks like one that is not.
There is however ONE solution for the abovementioned problems:
*** ThunderByte! ***
ThunderByte was developed to protect Personal Computers against
computer viruses, Trojan Horses and other threats to valuable data.
It is a hardware protection, consisting of an adapter card, an
installation and configuration program and a clear manual. The
working of ThunderByte is not based on knowledge of specific
viruses, so ThunderByte also protects against future viruses.
A hardware protection offers much more protection than a software
protection. ThunderByte is already active before the operating
system is loaded, so the computer will be totally protected right
after the starting of the PC.
Because of the many configuration possibilities and the intel-
ligent algorisms, the use of ThunderByte will never become a
burden: you will hardly notice the presence of ThunderByte in an
environment without any viruses.
Advantages of a hardware protection:
+ The protection uses very little (1Kb) RAM
+ The protection is already active before the first boot attempt
of the PC, and therefore protects also against bootsector
viruses. A software protection can not protect you against
bootsector viruses, since it has not been executed at boot
time.
+ De hard disks can not be accessed directly anymore, because
ThunderByte is connected to the hard disk cable.
+ It is impossible to forget to start ThunderByte, even if the
machine is booting with a diskette.
ThunderByte offers you many kinds of protection:
+ Protection against loss of data.
ThunderByte is connected between the cable of the hard disk and
the controller. It prevents the hard disk from being accessed
directly. The only way to access the drive from now on is by
initiating an int 13h.
In addition ThunderByte detects all direct disk writes which
try to achieve a modification or damage of the data and it
checks which program orders the execution of such operations.
Only the operating system can preform these operations
unmentioned.
Standard DOS already has the possibility of protecting files
against overwriting and modification by means of the read only
attribute. However this protection can be very easily
eliminated by software. But ThunderByte pre- vents this
protection from being ruled out without this being noticed, so
now it is nevertheless possible to protect your files
effectively with a standard method.
+ Protection against infection.
ThunderByte protects programs (files with the extension EXE,
COM or SYS) against infection by judging all modifi- cations on
their intention. The functionality is not influenced by this.
Compiling, linking, etc., are not disturbed and neither are
programs that save their confi- guration internally.
Furthermore software can be protec- ted with the help of the
aforementioned read only attribute.
Attempts to modify the bootsector of the disk are detected, so
the dreaded bootsector viruses are also eliminated. Keep in
mind that the bootsector can hardly be protected by software.
Only ThunderByte already beco- mes active before the system
tries to boot!
+ Detection of viruses.
In addition to the abovementioned ways of detecting the
presence of viruses, ThunderByte can also do so because viruses
carry out a number of special operations. For example, the
marking of already infected programs in order to recognize
them, is detected by ThunderByte. So are the attempts of
viruses to reside in the memory in a suspicious way and the
abnormal manipulations with interrupt vectors.
+ Password protection.
ThunderByte has the possibility of installing a password.
There are two kinds of passwords: one that is always asked for
or one that you only have to enter when attempts are made to
start from a diskette instead of the hard disk.
+ Safety.
A lot of attention has been paid to the safety of ThunderByte
The program code of ThunderByte is located in ROM and there is
no way it can be modified.
There is not one method of eliminating ThunderByte through
software. All the important settings are realized with the help
of dipswitches on the adapter card. And despite all their
wasted intelligence, viruses will never be able to turn
switches or to influence their read outs.
Viruses that approach the controller of the hard disk directly
will have a rude awakening: ThunderByte will only pass disk
writes when the write or format command has followed the normal
(checked) course.
There are a lot of different versions of ThunderByte
(functioning identically however) that are supplied on the
basis of capriciousness. That is why knowledge of the internal
working of only one ThunderByte system is not sufficient to
damage or destroy its protective working.
ThunderByte is constantly checking upon its own variables with
a kind of control number that is different for each version.
The positions of the memory where the variables are kept are
also different for each version.
+ Extra possibilities.
ThunderByte offers you some interesting bonuses, like booting
from drive B:.
CONCLUSION
----------
Are you surprised about the relative great effect and inventiveness
of such a small virusscan program? Get Thunderbyte and keep on
amazing yourself!
If you appreciate TbScanX or if it has already been of help in a
difficult situation:
Buy Thunderbyte, or register TbScanX
For more information you can contact:
ESaSS B.V. Tel: 31 - 80 - 787 771
P.o. box 1380 Fax: 31 - 80 - 777 327
6501 BJ Nijmegen Data: 31 - 85 - 212 395
The Netherlands (2:280/200 @fidonet)
TbScanX is written by Frans Veldman.
TbScan and the signature files are available on ESaSS / Thunderbyte
support BBS, Tel: 31-85-212395 (300/1200/2400 bps).
If you are running a electronic mail system, you can also
file-request TBSCAN to get the latest version of TBSCAN.COM,
TBSCANX to get the resident automatic version of TBSCANX, and
VIRUSSIG to obtain a copy of the latest update of the signature
file.
