home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Software Vault: The Gold Collection
/
Software Vault - The Gold Collection (American Databankers) (1993).ISO
/
cdr32
/
tbav602.zip
/
TBSCAN.DOC
< prev
next >
Wrap
Text File
|
1993-05-04
|
91KB
|
2,221 lines
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
Table of Contents
1. INTRODUCTION...................................... 2
1.1. Purpose of TbScan........................... 2
1.2. A Quick start............................... 2
1.3. Historical overview......................... 2
1.4. Benefits.................................... 3
1.4.1. Speed................................. 4
1.4.2. Reliability........................... 4
1.4.3. Smart scanning........................ 5
1.5. Limitations of scanners..................... 6
2. USAGE OF THE PROGRAM.............................. 7
2.1. System requirements......................... 7
2.2. Program invocation.......................... 7
2.3. While scanning.............................. 7
2.4. Detecting viruses........................... 8
2.5. Integrity checking......................... 10
2.6. Heuristic scanning......................... 10
2.6.1. False positives...................... 12
2.6.2. C - File has been changed............ 13
2.6.3. c - No integrity check............... 13
2.6.4. F - Suspicious file access........... 13
2.6.5. R - Suspicious relocator............. 13
2.6.6. A - Suspicious Memory Allocation..... 14
2.6.7. N - Wrong name extension............. 14
2.6.8. S - Search for executables........... 14
2.6.9. ..................................... 14
2.6.10. V - Validated program............... 14
2.6.11. E - Flexible Entry-point............ 14
2.6.12. L - program Load trap............... 15
2.6.13. D - Direct disk access.............. 15
2.6.14. M - Memory resident code............ 15
2.6.15. .................................... 16
2.6.16. T - Invalid timestamp............... 16
2.6.17. J - Suspicious jump construct....... 16
2.6.18. ? - Inconsistent header............. 16
2.6.19. G - Garbage instructions............ 16
2.6.20. U - Undocumented system call........ 17
2.6.21. Y - Invalid bootsector.............. 17
2.6.22. Z - EXE/COM determinator............ 17
2.6.23. O - code Overwrite.................. 17
2.6.24. B - Back to entry................... 17
2.6.25. K - Unusual stack................... 18
2.6.26. p - Packed or compressed file....... 18
2.6.27. w - Windows or OS/2 header.......... 18
2.6.28. h - Hidden or System file........... 18
2.6.29. i - Internal overlay................ 18
2.7. Program validation......................... 19
2.8. Command line options....................... 19
2.8.1. help ................................ 20
Page i
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
2.8.2. pause ............................... 20
2.8.3. mono ................................ 20
2.8.4. quick ............................... 20
2.8.5. allfiles ............................ 21
2.8.6. heuristic ........................... 21
2.8.7. extract ............................. 21
2.8.8. once ................................ 21
2.8.9. secure .............................. 22
2.8.10. compat ............................. 22
2.8.11. ignofile ........................... 22
2.8.12. noboot ............................. 22
2.8.13. nomem .............................. 22
2.8.14. hma ................................ 22
2.8.15. nohmem ............................. 22
2.8.16. nosub .............................. 22
2.8.17. noautohr ........................... 23
2.8.18. delete ............................. 23
2.8.19. rename ............................. 23
2.8.20. move ............................... 23
2.8.21. path ............................... 23
2.8.22. batch .............................. 24
2.8.23. repeat ............................. 24
2.8.24. log ................................ 24
2.8.25. session ............................ 24
2.8.26. loglevel ........................... 24
2.8.27. expertlog .......................... 25
2.9. Examples:.................................. 25
2.10. The configuration file.................... 25
2.11. The TbScan.Lng file....................... 26
2.12. Error messages............................ 27
2.13. Exit codes................................ 28
3. CONSIDERATIONS AND RECOMMENDATIONS............... 29
3.1. What should be scanned?.................... 29
3.2. The internals of TbScan.................... 30
3.2.1. How is that blazing speed achieved?.. 30
3.2.2. The algorithms....................... 31
3.2.2.1. Looking........................ 31
3.2.2.2. Checking....................... 31
3.2.2.3. Tracing........................ 31
3.2.2.4. Scanning....................... 32
3.2.2.5. Skipping....................... 32
3.3. The Sanity check........................... 32
3.4. How many viruses does it detect?........... 33
3.5. Testing the scanner........................ 33
3.6. Scan scheduling............................ 33
3.7. Compressed files........................... 34
Page ii
Page 1
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
1. INTRODUCTION
1.1. Purpose of TbScan
TbScan is a virus scanner: it has been specifically developed to
detect viruses, Trojan Horses and other such threats to your
valuable data.
A virus scanner is a program that is able to detect given virus
signatures in given environments. Most viruses consist of a unique
sequence of instructions, called a signature. Hence through
checking for the appearance of such signatures in a file we can
find out whether or not a program has been infected.
Scanning all your program files for the signatures of all known
viruses helps you to find out quickly whether or not your system
has been infected and, if so, by what virus.
Every PC owner should use a virus scanner frequently. It is the
least he or she should do to avoid damage caused by a virus.
1.2. A Quick start
Although we highly recommend a complete reading of this manual, we
offer you some directions for a quick run of TbScan here:
Type 'TbScan C:\' at the DOS prompt. This will be sufficient for a
standard scan session. It is allowed to specify more drives:
'TbScan C:\ D:\'.
The invocation syntax is:
TBSCAN [@][<path>][<filename>]... [<options>]...
If your system does not allow TbScan to run properly, set the
'compat' option: TBSCAN C:\ compat
For fast online help type 'TbScan ?' or 'TbScan help'. The latter
will provide for a more detailed description of the command line
options.
1.3. Historical overview
Some years ago the PC community was confronted by a new phenomenon:
Computer viruses. In the early days of computer viruses one had to
examine each file separately for a single viral code pattern. It
didn't take long before programmers created small programs that
were able to tell whether or not a specified program had been
infected.
Page 2
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
Enhanced versions of these programs were able to search all files
automatically, still checking for a single viral code. In a short
period of time many such scanners were written, each capable of
detecting a specified virus signature.
As the number of viruses kept on increasing, programmers started to
combine several scan programs into one: the multi-string scanner
was born. These early scanners worked properly, but could not last.
As the amount of viruses was rapidly growing, a scanner was
outdated soon. Simultaneously the number of multi-string scanning
programs also increased, and scanning programs began detecting each
other's internal search patterns (signatures), wrongly informing
the user of a virus infection. Naturally a lot of people got
confused by these false alarms.
A solution to these problems was to separate the search engine from
the signatures it would search for. The separate signature data
files that were the result could be updated and distributed much
faster through text media. Secondly, by separating the search
patterns from the executable file, a scanner would no longer
trigger false alarms.
TbScan used originally the signature file VIRSCAN.DAT, originally
created for a program called VIRSCAN.EXE. When VIRSCAN.EXE was
developed, the number of viruses was relatively small. However,
when the number of viruses increased, the Virscan program slowed
down considerably as a result of signature additions.
At that time we developed the Thunderbyte add-on card, a universal
anti-virus device. Since the Thunderbyte card recognizes virus
activities rather than signatures, it will establish whether or not
a system has been infected, but it will not identify the virus
itself. To provide for such identification we decided to supply a
virus scanner along with our anti-virus hardware product, and we
developed TbScan.
When the number of viruses increased the VirScan.Dat file was no
longer suitable anymore, and we developed our own signature file
TbScan.Sig.
We introduced many very sophisticated ideas in the first version of
TbScan, such as: the use of wildcards in the signature, scanning
the memory of your PC, scanning only specific parts of a file
rather than the complete file, partially disassemble the file being
scanned, etc. Today, many competitive products have adopted some
of these new ideas.
1.4. Benefits
By now many different virus scanners have been developed. However,
TbScan has a number of important and unique advantages over other
Page 3
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
scanners. These are:
1.4.1. Speed
Most virus scanners do not operate very fast, which means that
scanning your PC for viruses can be a tedious, time-consuming
affair. Not many people will enjoy staring at their display for
a quarter of an hour or more while their system is being
scanned. Consequently many people do not run their virus
scanners as often as they should. Under those circumstances
even the best virus scanner will become obsolete, simply
because it is not being used properly.
Hence it was our goal to create a scanner fast enough to invite
users to invoke it from within their AUTOEXEC.BAT file every
morning.
The speed depends on many system characteristics, so we will
not tell you how many times faster TbScan performs, but you
will easily find out yourself. The speed of our program has
been increased with almost every new release, and the current
version is faster than any other scanner known to us. Try it
yourself!
TbScan is designed to scan for a large amount of virus
signatures. The current version of TbScan is able to scan for
over 2500 signatures (without additional memory requirements).
Because of its design, TbScan will not slow down if the number
of signatures increases. It doesn't matter whether you scan an
item for 10 or 1000 signatures.
1.4.2. Reliability
TbScan checks itself on invocation. If it detects that it has
been infected it aborts with an error. This minimizes the risk
that the TbScan program itself will transfer a virus and so
infect your system.
TbScan can also detect yet unknown viruses, because the
built-in disassembler is able to detect suspicious instruction
sequences and abnormal program lay-outs. This feature is
called 'heuristic scanning' and it is partially enabled by
default. Heuristic scanning is performed on files and
bootsectors, so for both items TbScan is able to find new and
yet unknown viruses.
A lot of viruses are memory resident, which means that they
lodge themselves in the memory of your computer. There they can
comfortably affect all active programs. There are even 'smart'
viruses that temporarily 'disinfect' a program file, as soon as
they notice that attempts are made to read the program file as
is the case during a scanning operation. Most virus scanners
Page 4
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
will then find that this program file has not been infected
(which is true at the time of scanning!). But after the
scanner has completed its scan the virus becomes operant, again
ridiculing the scanner report that no virus has been found.
TbScan can bypass viruses that are already active in memory.
This is possible because TbScan does not use DOS to read the
files, but instead, TbScan interprets the File Allocation Table
and reads all files directly from disk.
TbScan is able to scan Upper Memory, Video Memory and the HMA.
Many of the other scanners (still) don't recognize this memory.
TbScan scans the video memory of your PC. Most anti-virus
products are not aware of the fact that it is possible to
install TSR programs (including viruses) in unused parts of
your video memory. TbScan scans all memory, including the video
memory, just to make sure.
TbScan is able to detect mutants of a virus. A mutant is a
virus that has been modified slightly and therefore does not
match the original signature anymore. TbScan is able to detect
such a mutant, even if no wildcards are used in the virus
signature.
TbScan is able to detect droppers of bootsector viruses. The
dropper program itself has not been infected, but it is there
to install the bootsector virus in your system.
TbScan also checks for file changes if you have used TbSetup to
generate the Anti-Vir.Dat files. When a virus infects a file,
the file changes and therefore the checksum does not match
anymore. TbScan informs you about such an unexpected file
change.
1.4.3. Smart scanning
TbScan is not just a scanner, it is a disassembling scanner.
This means that TbScan not only scans the file but also
interprets the contents and adjusts the scanning algorithm to
gain the highest reliability and speed. By reliability we do
not only mean a low 'false negative' ratio, but a low 'false
positive' ratio as well. No one needs a scanner that yells
'virus!' all the time. A good scanner should only yell 'virus!'
if there really IS a virus to be found in a file.
Apart from the capability of adjusting the scanning algorithm,
TbScan also displays additional information about the file
itself. It can detect instruction sequences that are intended
to cause direct disk writes, to make program code resident, to
decrypt code, etc. TbScan even flags files as being infected by
an unknown virus if the disassembly shows that the file must
Page 5
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
contain a virus even though a matching signature cannot be
found. This process is called "heuristic analysis". All this
information is displayed while a scan is being performed!
TbScan offers registered users the possibility to define their
own signatures through the 'extract' option. You don't have to
be an assembler programmer anymore, if a signature has to be
defined in an emergency situation!
1.5. Limitations of scanners
Although TbScan is a very sophisticated scanner, it shares some of
the limitations that all other scanners have:
+ It cannot prevent infection.
Virus scanners can only tell you whether or not your system has
been infected and if so, whether any damage has already been
done. By that time only a non-infected backup or a recovery pro-
gram such as TbClean will properly counter a virus infection.
+ It cannot execute itself.
You will have to be active in taking measures to protect your
system from virus infection. You should boot from a clean and
write-protected diskette and then execute the scanner at least
once every week, since some viruses can perfectly hide
themselves once resident in memory. Unfortunately it is an
illusion to think that employees will perform this task
correctly at all times. For company use we recommend additional
protection, in the shape of a permanently active immunizer such
as the Thunderbyte add-on card.
Page 6
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
2. USAGE OF THE PROGRAM
2.1. System requirements
TbScan runs perfectly on standard machines, in line with our
philosophy that there should be a limit to limitations.
+ TbScan requires 200 Kb of free memory. If you decide to use a
log file TbScan will need an additional 16 Kb of memory for the
log file buffer. If TbScan uses its own built-in file system it
uses additional memory to keep the FAT in memory.
Note that the memory requirements are independent of the number
of signatures. The current memory requirements suffice to
manage at least 2500 signatures.
+ TbScan can be executed under DOS version 3.00 (and all later
versions). However, Dos 3.3 or higher is recommended, since
TbScan has been optimized and designed primarily for use with
these DOS versions.
2.2. Program invocation
TbScan is easy to use. The syntax is as follows:
TBSCAN [@][<path>][<filename>]... [<options>]...
Drive and path tell TbScan where it should perform its scanning
operation. To search disks C: and D: you should enter:
TBSCAN C:\ D:\
When no filename has been specified but a drive and/or path
instead, the specified path will be used as top-level path. All
its subdirectories will be processed too.
When a filename has been specified only the specified path will be
searched. Subdirectories will not be processed.
Wildcards in the filename are allowed. You may even specify '*.*'
which will result in all files being processed.
You can also tell TbScan to use a list file. A list file is a file
that contains a list of paths/filenames to be scanned. Have the
filename preceded by the character '@' on the TbScan command line:
TBSCAN @TBSCAN.LST
2.3. While scanning
Page 7
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
TbScan divides the screen into three windows: an information
window, a scanning window and a status window. The upper window is
the information window and it initially displays the comments found
in the data file.
If TbScan detects infected files the names of the file and the
virus will be displayed in the upper window. The information will
stack up and scroll off the screen if it doesn't fit anymore.
The lower left window displays the names of the files being
processed, the algorithm in use, info and heuristic flags,
and finally an OK statement or the name of the virus
detected.
Example:
TEST.EXE <Scanning...> FR OK
| | | |
| | | result of scan
| | heuristic flags
| algorithm being used to process file
name of file in process
You will see comments following each file name:
'Looking', 'Checking', 'Tracing', 'Scanning' or 'Skipping'. These
refer to the various algorithms being used to scan files.
Other comments that TbScan can display here are the heuristic
flags. Consult the 'Heuristic flags' chapter (3.5) for more
information on these warning characters.
The lower right window is the status window. It displays the number
of files and directories encountered, the amount of viruses found,
etc. It also displays which file system is being used: either "DOS"
or "OWN". The latter means that TbScan is able to bypass DOS and
reads all files directly from disk for extra security and speed.
The process can be aborted by pressing Ctrl-Break.
2.4. Detecting viruses
As soon as an infected program is found, the name of the virus will
be displayed. If you did not specify one of the options 'batch',
'rename', 'delete' or 'move', TbScan will prompt you to delete,
rename or move the infected file, or to continue without action. If
you choose to rename the file, the first character of the extension
will be replaced by the character 'V'. This prevents the file from
being executed accidentally before it has been investigated more
thoroughly. If you choose to move the file, the file will be moved
to the TbScan directory or to the directory specified by option
'path'.
Page 8
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
In some situations TbScan will offer you an additional menu option:
V)alidate program. For more information about this menu option
consult option 'Program validation'.
When TbScan detects an infected file it will display a message like:
Infected by [name of virus] virus
Several texts can precede the name of the virus:
Infected by [name of virus] virus
The file is infected by the virus mentioned.
Dropper of [name of virus]
A dropper is a program that has not been infected
itself, but which does contain a bootsector virus and
is able to install it in your bootsector.
Damaged by [name of virus]
Some viruses damage files. A damaged file contains -
unlike an infected file - not the virus itself, but has
been damaged by the virus.
Overwritten by [name of virus]
Some viruses overwrite files. An overwritten file
contains - unlike an infected file - not the virus
itself, but has been overwritten with garbage.
Is Trojan named [name of Trojan]
The file is a Trojan Horse. Do not execute the program
but delete it.
Is Joke named [name of Joke]
There are some programs wich simulate the system is
infected by a virus. A joke is completely harmless.
It is also possible that TbScan encounters a file that seems to be
infected by a virus, although a signature could not be found. In
this case TbScan displays the prefix 'Probably' before the message.
If you have specified option 'heuristic' it is likely that TbScan
will find some files which looks like a virus, and in this case
TbScan uses the prefix 'Might be' to inform you about it. So, if
TbScan displays Might be infected by [name of virus] it does not
mean that the file is infected, but just that the file might be
infected by a virus. There are a lot of files that look like a
virus but they aren't.
TbScan needs access to its data file to be able to tell you the
name of a virus. If it cannot access the data file it displays the
message [Cannot read datafile] instead of a virus name.
Page 9
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
2.5. Integrity checking
TbScan will also perform integrity checking while scanning. You
have to use TbSetup to generate the Anti-Vir.Dat files. Once these
files exist on your system TbScan will check that every file being
scanned matches the information maintained in the Anti-Vir.Dat
files. If a virus infects a file, the maintained information will
not match anymore with the now changed file, and TbScan will inform
you about this. There are no command line options to enable this
feature: TbScan will perform integrity checking automatically
if it detects the Anti-Vir.Dat files. Note that TbScan only reports
file changes that could indicate a virus. Internal configuration
areas of program files may also change, but TbScan does normally
not report this. However, if a file gets infected with any virus -
known or unknown - the vital information will change and TbScan
will indeed report it to you!
It is however possible that the checked file changes itself or
changes frequently due to another cause. In this case you might
want to exclude the program from integrity checking to avoid future
false alarms. TbScan will offer you an additional menu option:
'V)alidate program'. For more information about this menu option
consult option 'Program validation'.
2.6. Heuristic scanning
TbScan is not just a signature scanner. It also disassembles the
file being processed. This serves three purposes:
1) By disassembling the file the scanner can restrict itself to the
area of the file where the virus might reside, reducing false
alarms and speeding up the process.
2) It makes it possible to use the algorithmic detection method on
encrypted viruses whose signatures would otherwise remain
invisible to the scanner.
3) And it makes it possible to detect suspicious instruction
sequences.
The detection of suspicious instruction sequences is named
'heuristic scanning'. It is a very powerful feature that enables
you to detect new or modified viruses and to verify the results of
the signature scan. You no longer have to rely on the vendor of the
scanner having the same virus as you might have. In normal cases a
scanner can only find a virus if the developer of the scanner has
had a sample of that virus, to be able to make a suitable
signature. With heuristic scanning a signature is no longer
required, so the scanner can detect viruses that are not known to
the developer of the scanner. You should not underestimate the
importance of heuristic scanning, as every month there appear at
least 50 new viruses. It is very unlikely that the developer of a
Page 10
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
scanner is the first one that gets those new viruses...
How does heuristic scanning actually work? Every program contains
instructions for the processor of the PC. By looking into the file
contents and by interpreting the instructions TbScan is able to
detect the purpose of these instructions. If the purpose seems to
be to format a disk, or to infect a file, TbScan issues a
warning. There are a lot of instruction sequences which are very
common for viruses, but very unlikely for normal programs. Every
suspicious instruction sequence is assigned to a character: a
heuristic flag. Every heuristic flag has a score. If the total
score exceeds a predefined limit, TbScan assumes the file contains
a virus.
There are actually two predefined limits: the first one is quite
sensitive and can be reached by some normal innocent programs. If
this limit is reached, TbScan highlights the heuristic flags that
are displayed on the screen and increases the 'suspected items'
counter, but TbScan does not indicate there is a virus, unless you
have specified option 'heuristic'. If you have specified option
'heuristic', TbScan tells you that the file 'Might be infected by
an unknown virus'. The second heuristic-limit will be triggered by
a lot of viruses, but not by normal programs. If this limit is
reached TbScan tells you that the file is 'Probably infected by an
unknown virus.'
Heuristic level 1 Heuristic level 2
-------------------------------- ----------------------------
Always enabled Only with option 'heuristic'
or after a virus has been
found.
Detects 50% of the unknown viruses Detects 90% of the viruses
Almost never causes false alarms Causes a few false alarms
Displays 'Probably infected' Displays 'Might be infected'
TEST.EXE <scanning...> OK (no flags)
TEST.EXE <scanning...> R OK (nothing serious)
TEST.EXE <scanning...> FRM
might be infected by an unknown virus (reached level 2)
TEST.EXE <scanning...> FRALM#
probably infected by an unknown virus (reached level 1)
Note that unlike other scanners, TbScan has heuristic scanning
always enabled. Whether TbScan decides to inform the user of
a possible virus depends on the heuristic score, unless option
'heuristic' has been specified.
Heuristic flags consist of single characters that are printed behind
the name of the file that has been processed. There are two kinds
Page 11
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
of flags: the informative ones are printed in lower-case
characters, and the more serious flags are printed in upper-case
characters. The lower-case flags are indicative of special
characteristics of the file being processed, whereas the upper-case
warnings may indicate a virus. If the 'loglevel' is 3 or above, the
important warnings will not only appear as a warning character, but
there will also be a description printed in the log file.
How should you treat the flags? The less important lower-case
flags can be considered to be for your information only. They
provide you with file information you might find interesting. The
more serious warning flags printed in upper-case MIGHT point
towards a virus. It is quite normal that you have some files in
your system which trigger an upper-case flag.
Anyway, if TbScan does not highlight a combination of warnings you
should not pay too much attention to these flags. For more than 90%
of the viruses TbScan will highlight the flags (or even indicates
the file as infected if option 'heuristic' is specified), so it is
unlikely that a file which only has some flags set really contains
a virus.
Note!
TbScan performs heuristic analysis only nearby the entry-point of a
file, so it is normal that TbScan does not detect that some disk
utilities write to disk directly, and it is normal that TbScan does
not detect that some programs are TSR programs. This is just the
result of one approach to minimize false alarms. In case of a
virus, the offending instructions are always nearby the entry-point
(except when the virus is over 10Kb in size) so TbScan will detect
the suspicious facts in these situations anyway.
2.6.1. False positives.
Important!
False alarms are part of the nature of heuristic scanning. In
default mode it is very unlikely that TbScan issues a false alarm.
However, if you have specified option 'heuristic' some false alarms
might occur. How to deal with these false alarms? If TbScan thinks
it has found a virus it tells you the reason for this suspicion. In
most cases you will be able to evaluate these reasons when you
consider the purpose of the suspected file.
Note that viruses infect other programs. It is highly unlikely that
you will find only a few infected files on a hard disk used
frequently. You should ignore a the result of a heuristic scan if
only a few programs on your hard disk trigger it. But, if your
system behaves in a 'strange' manner and many programs cause TbScan
to issue an alarm with the same serious flags, your system could
very well be infected by a (yet unknown) virus.
Page 12
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
If TbScan finds a file to be very suspicious and pops up with the
virus alert window, you can avoid future false alarms by pressing
'V' (Validate program). Note that this only works if there is an
Anti-Vir.Dat record of the file available. Once a program is
validated it will no longer be subject to heuristic analyzis,
unless the program changes and does not match the Anti-Vir.Dat
record anymore. This will be the case if such a file gets infected
afterwards, so TbScan will still report infections on these files.
Note that a validated program is still subject to the conventional
signature scanning.
2.6.2. C - File has been changed.
This warning can only appear if you used TbSetup to generate the
Anti-Vir.Dat files. If this warning appears this means that the
file has been changed. If you did not upgrade the software it is
very likely that a virus infected the file! Note that TbScan does
not display this warning if only some internal configuration area
of the file changes. This warning means that code at the program
entry point, the entry-point itself and/or the file size have been
changed.
2.6.3. c - No integrity check.
This warning indicates that no checksum/recovery information has
been found about the indicated file. It is highly recommended to
use TbSetup in this case to store information of the mentioned
file. This info can later be used for integrity checking and to
recover from virus infections.
2.6.4. F - Suspicious file access.
TbScan has found instruction sequences common to infection schemes
used by viruses. This flag will appear with those programs that
are able to create or modify existing files.
2.6.5. R - Suspicious relocator.
Flag 'R' refers to a suspicious relocator. A relocator is a
sequence of instructions that changes the proportion of CS:IP. It
is often used by viruses, especially COM type infectors. Tests on a
large collection of viruses show that TbScan issues this flag for
about 65% of all viruses. Those viruses have to relocate the CS:IP
proportion because they have been compiled for a specific location
in the executable file; a virus that infects another program can
hardly ever use its original location in the file as it is appended
to this file. Sound programs 'know' their location in the
executable file, so they don't have to relocate themselves. On
systems that operate normally only a small percentage of the
programs should therefore cause this flag to be displayed.
Page 13
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
2.6.6. A - Suspicious Memory Allocation.
The program uses a non-standard way to search for, and/or allocate
memory. A lot of viruses try to hide themselves in memory so they use
a non-standard way to allocate this memory. Some programs
(high-loaders or diagnostic software) also use non-standard ways
to search or allocate memory.
2.6.7. N - Wrong name extension.
Name conflict. The program carries the extension .EXE but appears
to be an ordinary .COM file, or it has the extension .COM but the
internal layout of an .EXE file. TbScan does not take any risk in
this situation, but scans the file for both EXE and COM type
signatures. A wrong name extension might in some cases indicate a
virus, but in most cases it doesn't.
2.6.8. S - Search for executables.
The program searches for *.COM or *.EXE files. This by itself does
not indicate a virus, but it is an ingredient of most viruses anyway
(they have to search for suitable files to spread themselves). If
accompanied by other flags, TbScan will assume the file is infected
by a virus.
2.6.9. # - Decryptor code found.
The file possibly contains a self-decryption routine. Some
copy-protected software is encrypted so this warning may appear for
some of your files. But if this warning appears in combination
with, for example, the 'T' warning, there could be a virus involved
and TbScan assumes the file is contaminated! Many viruses encrypt
themselves and cause this warning to be displayed.
2.6.10. V - Validated program
The program has been validated to avoid false alarms.
- The design of this program would normally cause a false alarm
by the heuristic scan mode of TbScan.
or:
- This program might change frequently, and the file is excluded
from integrity checking.
These exclusions are stored in the Anti-Vir.Dat file by either
TbSetup (automatically) or by TbScan (manually).
2.6.11. E - Flexible Entry-point
The program starts with a routine that determines the location of
Page 14
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
itself within the program file. This is rather suspicious because
sound programs have a fixed entry-point so they do not have to
determine this location. For viruses however this is quite common:
about 50% of the available viruses cause this flag to be displayed.
The DOS FORMAT.COM program is an instance where this flag will be
displayed by TbScan. This cannot be avoided because Microsoft did
some strange things to this program. It appears that the file was
originally an .EXE file which has been converted into a .COM file
by adding a shell-like structure to it. (What is actually the
difference between infecting a file and converting it this way?)
Anyway, you should ignore this warning as to the DOS FORMAT
program.
2.6.12. L - program Load trap.
The program might trap the execution of other software. If the
file also causes flag M (memory resident code) to be displayed, it
is very likely that the file is a resident program that determines
when another program is executed. A lot of viruses trap the program
load and use it to infect the program. Some anti-virus utilities
also trap the program load.
2.6.13. D - Direct disk access.
This flag is displayed if the program being processed has
instructions near the entry-point to write to a disk directly. It
is quite normal that some disk-related utilities cause this flag
to be displayed. As usual, if many of your files (which have no
business writing directly to the disk) cause this flag to be
displayed, your system might be infected by an unknown virus.
Note that a program that accesses the disk directly does not always
have to be marked by the 'D' flag. Only when the direct disk
instructions are near the program entry point it will be reported
by TbScan. If a virus is involved the harmful instructions are
always near the entry point and that is the place where TbScan
looks for them.
2.6.14. M - Memory resident code.
TbScan has found instruction sequences which could cause the
program to hook into important interrupts. A lot of TSR (Terminate
and Stay Resident) programs will trigger this flag, because
hooking into interrupts is part of their usual behavior. However,
if a lot of non-TSR programs cause this warning flag to appear, you
should be suspicious. It is then likely that your files have been
infected by a virus that remains resident in memory.
Note that this warning does not appear with all true TSR programs.
Nor can TSR detection in non-TSR programs always be relied upon.
Page 15
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
2.6.15. ! - Invalid program.
Invalid opcode (non-8088 instructions) or out-of-range branch.
The program has either an entry point that has been located outside
the body of the file, or reveals a chain of 'jumps' that can be
traced to a location outside the program file.
Another possibility is that the program contains invalid processor
instructions.
The program being checked is probably damaged, and cannot be
executed in most cases. Anyway, TbScan does not take any risk and
uses the 'scan' method to scan the file.
2.6.16. T - Invalid timestamp.
The timestamp of the program is invalid: e.g. the number of seconds
in the timestamp is illegal, or the date is illegal or later than
the year 2000. This is suspicious because many viruses set the
timestamp to an illegal value (like 62 seconds) to mark that they
already infected the file, preventing themselves from infecting a
file for a second time round. It is possible that the program being
checked is contaminated with a virus that is still unknown,
especially if many files on your system have an invalid timestamp.
If only a very few programs have an invalid timestamp you'd better
correct it and scan frequently to check that the timestamp of the
files remain valid.
2.6.17. J - Suspicious jump construct.
The program did not start at the program entry point. The code has
jumped at least two times before reaching the final start-up code,
or the program jumped using an indirect operand. Sound programs
should not display this kind of strange behavior. If many files
cause this warning to be displayed, you should investigate your
system thoroughly.
2.6.18. ? - Inconsistent header.
The program being processed has an exe-header that does not reflect
the actual program lay-out. The DOS SORT.EXE program will cause
this warning to be displayed, because the actual size of the
program file is less than reported in the 'size-of-load module'
field in the exe-header! Many viruses do not update the exe-header
of an EXE file correctly after they have infected the file, so if
this warning appears a lot it seems you have a problem. You should
ignore this warning for the DOS SORT.EXE program. (Hopefully
MicroSoft will correct the problem before the next release of DOS).
2.6.19. G - Garbage instructions.
Page 16
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
The program contains code that seems to have no purpose other than
encryption or avoiding recognition by virus scanners. This flag is
very important, in fact it is the only flag that will cause TbScan
to report an infection without the presence of any other flags. In
most cases there will not be any other flags since the file is
encrypted and the instructions are hidden from the scanner. In a
few cases this flag will appear for 'normal' files. These files
however are badly designed and that is the reason the 'garbage'
flag appears.
2.6.20. U - Undocumented system call.
The program uses unknown DOS calls or interrupts. These unknown
calls can be issued to invoke undocumented DOS features, or to
communicate with an unknown driver in memory. Since a lot of
viruses use undocumented DOS features, or communicate with memory
resident parts of a previously loaded instance of the virus, it is
suspicious if a program performs unknown or undocumented
communications. However, it does not necessarily indicate a virus
because some 'tricky' programs use undocumented features too.
2.6.21. Y - Invalid bootsector.
The bootsector is not completely according to the IBM defined
bootsector format. It is likely that the bootsector contains a
virus or has been corrupted.
2.6.22. Z - EXE/COM determinator.
The program seems to check whether a file is a COM or EXE type
program. Infecting a COM file is a process that is not similar to
infecting an EXE file, so viruses that are able to infect both
program types should be able to distinguish between them.
There are of course also innocent programs that need to find out
whether a file is a COM or EXE file. Executable file compressors,
EXE2COM converters, debuggers, and high-loaders are examples of
programs that may contain a routine to distinguish between EXE and
COM files.
2.6.23. O - code Overwrite.
This flag will be displayed if TbScan detects that the program
overwrites some of its own instructions. However, it does not seem
to have a complete (de)cryptor routine.
2.6.24. B - Back to entry.
The program seems to execute some code, and after that it jumps
back to the entry-point of the program. Normally this would result
in an endless loop, except when the program has also modified some
of its instructions. This is quite common behavior for computer
Page 17
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
viruses. In combination with any other flag TbScan will report a
virus.
2.6.25. K - Unusual stack.
The EXE file being processed has an odd (instead of even) stack
offset or a suspicious stack segment. Many viruses are quite buggy
by setting up an illegal stack value.
2.6.26. p - Packed or compressed file.
The program has been packed or compressed. There are some utilities
that are able to compress a program file, like EXEPACK or PKLITE.
If the file was infected after the file had been compressed, TbScan
will be able to detect the virus. However, if the file had already
been infected before it was compressed, the virus has also been
compressed in the process, and a virus scanner might not be able to
recognize the virus anymore.
Fortunately, this does not happen a lot, but you should beware! A
new program might look clean, but can turn out to be the carrier of
a compressed virus. Other files in your system will then be
infected too, and it is these infections that will be clearly
visible to virus scanners.
2.6.27. w - Windows or OS/2 header.
The program can be or is intended to be used in a Windows (or OS/2)
environment. As yet TbScan does not offer a specialized scanning
method for these files. Of course that will change as soon as
Windows- or OS/2-specific viruses start occurring.
2.6.28. h - Hidden or System file.
The file has the 'Hidden' or the 'System' file attribute set. This
means that the file is not visible in a DOS directory display but
TbScan will scan it anyway. If you don't know the origin and/or
purpose of this file, you might be dealing with a 'Trojan Horse' or
a 'joke' virus program. Copy such a file onto a diskette; then
remove it from it's program environment and check if the program
concerned is missing the file. If a program does not miss it, you
will have freed some disk space, and maybe you have saved your
system from future disaster in the process.
2.6.29. i - Internal overlay.
The program being processed has additional data or code behind the
load-module as specified in the exe-header of the file. The program
might have internal overlay(s), or configuration or debug
information appended behind the load-module of the EXE file.
Page 18
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
2.7. Program validation.
This chapter only applies if you use TbSetup to generate the
Anti-Vir.Dat records. Without these records program validation is
not an option.
TbScan will perform as intended on most programs. However, there
are some programs that require special attention, in order to avoid
false alarms. Most of these programs are recognized automatically
by the TbSetup program. However, it is certainly possible that you
have a few files on your system that meet the following criteria:
1) Programs that trigger the heuristic alarm of TbScan.
2) Programs that change frequently.
If an 'infection' has been found with the heuristic analyzis or
integrity checking only and if there is a Anti-Vir.Dat record
available, TbScan offers an additional option in its virus-alert
window: 'V)alidate program'. If you are convinced that the
indicated program does NOT contain a virus, you can press 'V' to
set a flag in the program's record. This makes it possible to
avoid future false alarms.
There are two validation modes: if the TbScan virus alarm is due
to a file change, the validation applies to future file changes
only, if the virus alarm is due to heuristic analysis, the
validation only applies to heuristic results. When the file is
exluded from heuristic analysis the file will still be checksummed,
if the file is excluded from integrity checking TbScan will still
perform heuristic analysis on that file.
Note: if you replaced a file (software upgrade) and you did not use
TbSetup, TbScan will pop-up its virus alert window to inform you
about the file change. Do NOT select the validation option in this
case, because this would exclude the file for future integrity
checking. You had better abort TbScan and run TbSetup on the
changed file(s).
2.8. Command line options
It is possible to specify options on the command line. Tbscan
recognizes option short-keys and option words. The words are easier
to memorize, and they will be used in this manual for convenience.
optionword parameter short explanation
---------- --------- ----- -------------------------------------
help he =help (-? = short help)
pause pa =enable 'Pause' prompt
mono mo =force monochrome
quick qs =quick scan (uses Anti-Vir.Dat)
Page 19
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
allfiles af =scan non-executable files too
heuristic hr =enable heuristic alerts
extract ex =extract signature (registered only)
once oo =only once a day
secure se =user abort now allowed (reg. only)
compat co =maximum-compatibility mode
ignofile in =ignore no-file-error
noboot nb =skip bootsector check
nomem nm =skip memory check
hma hm =force HMA scan
nohmem nh =skip UMB/HMA scan
nosub ns =skip sub-directories
noautohr na =no auto heuristic level adjust
repeat rp =scan multiple diskettes
batch ba =batch mode. No user input
delete de =delete infected files
move mv =move infected files
expertlog el =no heuristic descriptions in log
log [=<filename>] lo =append log file
session [=<filename>] sl =create session log file
loglevel =<0..4> ll =set log level
path =<move-path> mp =set move-path
rename [=<ext-mask>] rn =rename infected files
sigfile [=<filename>] sf =signature file to be used
2.8.1. help (he)
If you specify this option TbScan displays the contents of the
TBSCAN.HLP file if it is available in the home directory of TbScan.
If you specify the '?' option you will get the summarized help info
as listed above.
2.8.2. pause (pa)
When you enter option 'pause' TbScan will stop after it has checked
the contents of one window. This gives you the possibility to
examine the results without having to consult a log file
afterwards.
2.8.3. mono (mo)
This option forces TbScan to refrain from using colors in the
screen output. This might enhance the screen output on some LCD
screens or color-emulating monochrome systems.
2.8.4. quick (qs)
If you specify this option TbScan will use the Anti-Vir.Dat files
to check for file changes since the last time only. If a file has
been changed (CRC change) or is not yet listed in Anti-Vir.Dat it
will be scanned.
Page 20
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
2.8.5. allfiles (af)
This option causes TbScan to scan non-executable files (files
without extension COM, EXE, SYS or BIN) too. If TbScan finds out
that such a file does not contain anything that can be executed by
the processor the file will be 'skipped'. Otherwise the file will
be searched for COM, EXE and SYS signatures. TbScan however will
not perform heuristic analysis on these files.
Since viruses do not infect non-executable files it is not
necessary to scan non-executable files too. We even recommend not
to use this option unless you have a good reason to scan all files.
Once again: a virus needs to be executed to perform what it is
programmed to do, and since non-executable files will not be
executed a virus in such a file can not do anything. For this
reason viruses do not even try to infect such files.
2.8.6. heuristic (hr)
TbScan always performs a heuristic scan on the files being
processed. However, only if a file is very probably infected with a
virus TbScan will report the file as being infected. If you use
option 'heuristic' TbScan is somewhat more sensitive. In this mode
90% of the new, unknown, viruses will be detected without any
signature, but some false alarms may occur. Consult also chapter
2.5 ('Heuristic scanning').
2.8.7. extract (ex)
This option is available to registered users only. See the chapter
'Defining a Signature' (4.4.) on how to use the option 'extract'.
2.8.8. once (oo)
If you specify this option TbScan will 'remember' after its scan
that is has been executed that day, and that it should not be run
again the same day with this particular option set. This option is
very useful if you incorporate it in your AUTOEXEC.BAT file in
combination with a list file:
TbScan @Everyday.Lst once rename
TbScan will now scan the list of files and/or paths specified in
the file EVERYDAY.LST during the first boot-up of the day. If the
systems boots more often that day, TbScan will then return to DOS
immediately. This option does not interfere with the regular use
of TbScan. If you invoke TbScan without the 'once' option it will
always run, regardless of a previous run with the 'once' option set.
Note that TbScan 'once' will be executed regardless of regular
TbScan sessions earlier that day.
Page 21
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
Also note that if TbScan cannot write to TBSCAN.EXE because it has
been flagged 'read-only' or is located on a write-protected
diskette, the 'once' option will fail and the scanner will run
without it.
2.8.9. secure (se)
This option is available to registered users only. If this option
is specified it is no longer possible to cancel TbScan by pressing
Ctrl-Break, or to respond to a virus alert window.
2.8.10. compat (co)
If you specify this option, TbScan attempts to be more compatible
with your system. Use this option if the program does not behave as
can be expected or even halts the system. This option will slow
down the scanning process so it should only be used when necessary.
Note that option 'compat' does not affect the results of a scan.
2.8.11. ignofile (in)
If this option is specified and no files can be found, TbScan will
not display the 'no files found' message, nor does it exit with
errorlevel 1. This option might be useful for automatic archive
contents scanning. If the archive contains no executable files,
TbScan will not return with an error condition.
2.8.12. noboot (nb)
If you specify this option TbScan will not scan the bootsector.
2.8.13. nomem (nm)
If you specify this option TbScan will not scan the memory of the
PC for viruses.
2.8.14. hma (hm)
TbScan detects the presence of an XMS-driver, and scans HMA
automatically. If you have an HMA-driver that is not compatible
with the XMS standard you can use the 'hma' option to force TbScan
to scan HMA.
2.8.15. nohmem (nh)
By default TbScan identifies RAM beyond the DOS limit and scans
that too. This means that video memory and the current EMS pages
are scanned by default. You can use the 'nohmem' option to disable
the scanning of non-DOS memory.
2.8.16. nosub (ns)
Page 22
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
By default TbScan will search sub-directories for executable files,
unless a filename (wildcards allowed!) has been specified. If you
use this option, TbScan will not scan sub-directories.
2.8.17. noautohr (na)
TbScan automatically adjusts the heuristic detection level after a
virus has been found. This provides you maximum detection
capabilities in case you need it, while the amount of false alarms
due to heuristics remains small in normal situations. With other
words: as soon as a virus has been found, TbScan will anticipate
and proceed as if option 'heuristic' has been specified. If you
don't want this, you can specify option 'noautohr'.
2.8.18. delete (de)
If TbScan detects a virus in a file it prompts the user to delete,
move or rename the infected file, or to continue without action.
If you specify the 'delete' option, TbScan will not ask the user
what to do but will delete the infected file automatically. Use
this option if you have established that your system has been
infected. Make sure that you have a clean back-up, and that you
really want to get rid of all infected files at once.
2.8.19. rename (rn)
If TbScan detects a file virus it prompts the user to delete, move
or rename the infected file, or to continue without action. If you
specify the 'rename' option, TbScan will not ask the user what to do
but will rename the infected file automatically. By default, the
first character of the file extension will be replaced by the
character 'V'. An .EXE file will be renamed to .VXE, and a .COM
file to .VOM. This prevents the infected programs from being
executed, spreading the infection. At the same time they can be
kept for later examination and repair.
You may also add a parameter to this option specifying the target
extension. This parameter should always contain 3 characters;
question marks are allowed. The default target extension is 'V??'.
2.8.20. move (mv)
If TbScan detects a virus in a file it prompts the user to delete,
move or rename the infected file, or to continue without action. If
you specify the 'move' option, TbScan will not ask the user what to
do but will move the infected file to another directory
automatically.
The file will be moved to the TbScan directory or to the directory
specified with option 'path'.
2.8.21. path (mp)
Page 23
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
This option can be used to specify the move-path. The move path is
used to move an infected file if option -move is specified or when
the user selects the M) in the virus alert window.
2.8.22. batch (ba)
If TbScan detects a file virus it prompts the user to delete, move
or rename the infected file, or to continue without action. If you
specify the 'batch' option TbScan will always continue. This option
is designed for use in a batch file that is executed without the
user attending. We highly recommended you to use a log file in such
situations, as a scanning operation does not make much sense
without the return messages being read.
2.8.23. repeat (rp)
This option is very useful if you want to check a large amount of
diskettes. TbScan does not return to DOS after checking a disk, but
it prompts you to insert another disk in the drive.
2.8.24. log (lo)
When you use this option, TbScan creates a LOG-file. The default
filename is TBSCAN.LOG and it will be created in the current
directory. You may optionally specify a path and filename. The
LOG-file lists all infected program files, specifying upper-case
heuristic flags and complete pathnames. If the log file already
exists, it will not be overwritten. Instead the new LOG-file will
be appended to the existing one.
If you use this option often, it is recommended to delete or
truncate the log file every month to avoid unlimited growth.
If you want to print the results, you can specify a printer device
name rather than a filename (log=lpt1).
2.8.25. session (sl)
This option is nearly identical to the 'log' option above. The
difference is that if a log file already exists, the 'session'
option will make sure that this will be overwritten by new log
information. Hence a log file created by the 'session' option will
only contain information obtained from a single scanning session.
2.8.26. loglevel (ll)
The 'loglevel' option determines which files will be put in the
log file. There are five log levels:
0 Log only infected files. If there are no infected files
do not create or change the log file.
1 Put a summary and timestamp in the log file. Put only
infected files in the log file.
Page 24
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
2 Same as loglevel=2, but now also 'suspected' files are
logged. Suspected files are files that would trigger
the heuristic alarm if option 'heuristic' had been
specified.
3 Same as loglevel=2, but all files that have a warning
character printed behind the filename will be logged
too.
4 All files being processed will be put into the log
file.
The default log level is 1.
Note: you have to combine this option with option 'log' or
'session'.
2.8.27. expertlog (el)
If you specify this option TbScan will not display the descriptions
of the heuristic flags into the log file.
2.9. Examples:
TbScan c:\ noboot
Process all executable files in the root directory and its
sub-directories. Skip the bootsector scan.
TbScan \*.*
Process all files in the root directory. Don't process
sub-directories.
TbScan c:\ log=c:\test.log loglevel=2
All executable files on drive C: will be checked. A
LOG file with the name c:\test.log will be created. The log
file will contain all infected and suspected files.
TbScan \ log=lpt1
TbScan will scan the root directory and its
sub-directories. The results are redirected to the printer
rather than to a log file.
2.10. The configuration file
Those people that are accustomed to the use of configuration files
may devise a similar file for use with TbScan. The TbScan
configuration file should be located in the same directory where
the file TBSCAN.EXE resides, and it should be called TBS.BAT
(surprise, surprise!). The format of this configuration file is as
follows:
tbscan %1 %2 %3 %4 %5 %6 %7 %8 %9 [<default options...>]
Page 25
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
Example:
tbscan %1 %2 %3 %4 %5 %6 %7 %8 %9 log=c:\logfiles\tbscan.log ll=1
To execute this configuration file you should type 'TBS C:\' at the
DOS prompt. If you wish to override the default options specified
in your TBS.BAT file, just type 'TBSCAN'.
This configuration file can offer great possibilities. You may
incorporate mnemonics like 'DAILY' and 'WEEKLY' to invoke a
predefined scan session. The user may be allowed to specify
additional options on the command line. You can make sure that if
TbScan detects a virus, a file called VIRUS.TXT will be printed on
the screen, offering a user important information such as the
emergency phone number of the company helpdesk and the phone number
of your security officer.
An example:
@echo off
if '%1'=='daily' goto daily
if '%1'=='weekly' goto weekly
:help
echo Type 'TBS weekly' or 'TBS daily' to start a scan event
goto end
:daily
tbscan c:\system d:\ %2 %3 %4
if errorlevel 2 goto virus
if errorlevel 1 goto help
goto end
:weekly
tbscan c:\ d:\ e:\ log=c:\logs\tbscan.log %2 %3 %4
if errorlevel 2 goto virus
if errorlevel 1 goto help
goto end
:virus
type virus.txt
:end
For more information about setting up this kind of powerful
'configuration' file please consult the chapter on batch files in
your DOS manual.
Too few people are aware of the power of the DOS batch file
features. Why learn yet another configuration file language if
a DOS batch file will suit your needs perfectly? You can predefine
scan sessions, define default options, and branch to a specific
routine if TbScan detects a virus.
2.11. The TbScan.Lng file
Page 26
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
The TbScan.Lng file contains all texts being displayed by TbScan.
You can translate or customize the messages with any ASCII editor.
The messages are separated by the dollar sign ($). The first
message displays our address and registration info. You can edit
this message as you please, for instance adding your company logo.
You may add color codes to the TbScan.Lng file. A color code is
preceeded by the character '|'. The following color codes are
available: (all numbers are in hex).
Color Foreground Highlight Background
Black 00 08 00
Blue 01 09 10
Green 02 0A 20
Cyan 03 0B 30
Red 04 0C 40
Magenta 05 0D 50
Yellow/Brown 06 0E 60
White/gray 07 0F 70
Example: To make a highligted green character on a red
background the color code would be 0A+40=4A. To make the character
blink add 80h to the result.
2.12. Error messages
Error messages that might be displayed:
+ Limit exceeded.
The total amount of internal signature information exceeded
64Kb. This message will be displayed if the number of
signatures reaches 2500. You can either reduce the number of
signatures or make them shorter.
+ Command line error.
An invalid or illegal command line option has been specified.
+ No matching executable files found.
The path specified does not exist, is empty, or the specified
file does not exist or is not an executable file.
+ Cannot create logfile.
The specified log file path is illegal, the disk is full or
write protected, or the file already exists and cannot be
overwritten.
+ Sanity check failed!
TbScan detected that its internal checksum does not match
anymore. TbScan is possibly contaminated by a virus.
Obtain a clean copy of TbScan, put it on a WRITE PROTECTED
bootable diskette, boot from that diskette, and try again!
Page 27
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
2.13. Exit codes
TbScan terminates with one of the following exit codes:
Errorlevel 0: no viruses found, no error occurred.
Errorlevel 1: some error occurred.
Errorlevel 255: sanity check failed.
Errorlevel >1 and <128: one or more viruses detected.
When a virus is detected the errorlevel is used as a bit field:
bit 1 (02): SYS file infected.
bit 2 (04): EXE file infected.
bit 3 (08): COM file infected.
bit 4 (16): virus found in LOW memory.
bit 5 (32): virus found in BOOTsector.
bit 6 (64): virus found in HIGH memory.
An errorlevel of 26 means that a SYS, COM and LOW virus is found
(26 = 02+08+16).
Page 28
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
3. CONSIDERATIONS AND RECOMMENDATIONS
3.1. What should be scanned?
In the early days of viruses, virus scanners just scanned
everything. Today we know that this approach has serious
disadvantages: the number of false alarms is very high, the scan
speed is very, very slow, etc.
Before we proceed, let's first establish some facts about viruses.
A virus is just a program. Like any other program, it will have no
effect as long as it is not executed. Consequently, data files like
text files can never spread a virus. Of course, it is always
possible to copy a virus into a .TXT file, but since the text file
itself will never be executed, the virus can never be activated
from that location. A virus signature in a .TXT file is treated as
just any other stream of bytes to be found there. A program and a
bootsector, however, will be executed, and if they contain a
virus, the virus will gain control and do its nasty job.
We now know that it doesn't make sense to scan non-executable
files. What we therefore need to scan are files with the extensions
EXE COM OV? SYS and BIN. Note that a batch file (.BAT) is just a
text file. Though it can be 'executed' in some way, it is not
possible to program a virus in the batch file language.
What do executable programs consist of? Naturally they contain
program code, but they also contain data. The texts that will be
displayed on the screen by that program are just data. They will
never be 'executed'. We don't have to scan them.
The exe-header of an exe file does not contain any code either,
only data. The exe-header is there to assist DOS in loading the
program, and it is thrown away before DOS passes control to the
program itself. We don't have to scan it.
The same applies to the bytes following the load-module of the
file. This area of a file will not be loaded into memory at
start-up. We don't have to scan it.
Unfortunately, the code part of the executable file is mostly the
larger one. The code-data ratio differs for each program, but on an
average we can state that about two thirds of a program consist of
code. However, it is hardly possible to separate the two. Even the
operating system is not able to do this, only the program itself.
What actually happens is that when you execute a program, the
operating system passes control to the program at a fixed location
in the program file. This location, referred to as ENTRY-POINT in
this manual, is the first byte in case of a .COM file, or a
location specified in the exe-header of an .EXE file. This location
is the only location in a file of which we can be 100% sure it
contains code. As to other locations we can only guess.
Page 29
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
How does a virus work?
A virus that is about to infect a file cannot just throw its viral
code at a random location in that file, it won't work. The virus
has to be sure that its code will be executed before the host
program gains control. Why? Because if the contaminated program
finds itself altered, it will behave in an unexpected manner. If
the program accesses internal resources that have been overwritten
by the virus, the program will crash. Besides, how should the virus
know whether that random location will ever be executed?
There is only ONE location that will always be executed, and that
is the entry-point of the program. To infect a file the virus has
to attach itself to the entry-point and store the original
instructions of the program at another location. Only there and
then can the virus be certain it will gain control instead of the
host program, and that it can restore the original instructions
before it passes on control. All reports of virus infections of
program files indicate that a virus ALWAYS attaches itself to the
entry-point of a program.
This leads us to a basic principle: if we scan the location where
we can find the first instructions of the program, we can be
certain we are scanning the area where the virus would reside.
TbScan uses this knowledge when scanning a window of about 4Kb (as
it does by default) around the program-entry point. This is called
'Checking' or 'Looking'. If you wish to know more about this
procedure consult chapter 6.2.: 'The Internals of TbScan'.
Note that we do not take any risks when limiting the area where we
scan for viruses. If their signatures are assembled according to
the basic principles set out above, viruses cannot escape from
detection, simply because they have to be in the 'window' where we
scan for them. To prove our point many other competitive virus
scanners have adopted our scanning strategy.
Also note that if TbScan is not completely sure about the exact
location of the entry-point of the file, it scans ALL the program
code of the file using the 'scan' algorithms.
3.2. The internals of TbScan
3.2.1. How is that blazing speed achieved?
The speed of TbScan is achieved by many measures.
To avoid false alarms, TbScan scans restricted areas of the
file. Naturally this approach benefits the scanning speed.
Disk access is minimized, and not much data has to be
searched.
Page 30
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
TbScan is entirely written in assembly language. High-level
languages like Pascal and Basic have an enormous overhead which
not only affects the size of the program but also reduces the
execution speed.
The search routine has been highly optimized. Every byte to be
scanned is only accessed once, regardless of the number of
signatures. Execution time will hardly increase when it has to
scan for 3000 signatures instead of 500. The search algorithm
used can be described as 'rotating semi-double 16-bits
hashing'.
The number of DOS function calls has been minimized. DOS is
relatively slow, and access should be avoided as much as
possible. In most cases TbScan even does not use DOS to access
the files to be scanned.
TbScan writes directly to the screen instead of calling on DOS
or BIOS to do this. Although TbScan has a scrolling window,
screen access is minimized as much as possible without
affecting the visual display of the program output.
3.2.2. The algorithms
When TbScan processes a file it prints 'Looking', 'Checking',
'Tracing', 'Scanning' or 'Skipping'.
3.2.2.1. Looking
'Looking' means that TbScan has successfully located the entry
point of the program in one step. The program code has been
identified so TbScan knows where to search without the need of
additional analysis.
Looking will be used on most files produced by known software.
3.2.2.2. Checking
'Checking' means that TbScan has successfully located the entry
point of the program, and is scanning a frame of about 4Kb
around the entry point. If the file is infected the signature
of the virus will be in this area. 'Checking' is a very fast
and reliable scan algorithm.
Checking will be used on most files that are not produced by
known software.
3.2.2.3. Tracing
'Tracing' means that TbScan has successfully traced a chain of
jumps or calls while locating the entry-point of the program,
and is scanning a frame of about 4Kb around this location. If
Page 31
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
the file has been infected, the signature of the virus will be
in this area. 'Tracing' is a fast and reliable scan algorithm.
Tracing will be primarily used for TSR-type COM files or Turbo
Pascal-compiled programs. Most viruses will force TbScan to use
'Tracing'.
3.2.2.4. Scanning
'Scanning' means that TbScan is scanning the entire file
(except for the exe-header which cannot contain any viral
code). This algorithm will be used if 'Looking', 'Checking' or
'Tracing' cannot be safely used. This is the case when the
entry-point of the program contains other jumps and calls to
code located outside the scanning frame, or when the heuristic
analyzer found something that should be investigated more
thoroughly. 'Scanning' is a slow algorithm. Because it
processes almost the entire file, including data areas, false
alarms are more likely to occur.
The 'Scanning' algorithm will be used while scanning
bootsectors, SYS and BIN files.
3.2.2.5. Skipping
'Skipping' will occur with SYS and OVL files only. It simply
means that the file will not be scanned. As there are many SYS
files that contain no code at all (like CONFIG.SYS) it makes
absolutely no sense to scan these files for viruses.
The same applies to .OV? files. Many overlay files do not
deserve to be called as such as they lack an exe-header. Such
files cannot be invoked through DOS making them just as
invulnerable to direct virus attacks as .TXT files are. If a
virus is reported to have infected an .OV? file, it involved
one of the relatively few overlay files that does contain an
exe-header. The infection was then the result of the virus
monitoring the DOS exec-call (function 4Bh) and infecting any
program being invoked that way, including 'real' overlay files.
3.3. The Sanity check
TbScan performs a sanity check when it fires up. However, to be
honest, it is NOT possible to make software 100% virus-resistant.
If this was the case, the virus problem could be solved simply by
incorporating a self-check in every program.
Unfortunately, a sanity check does not work if a 'stealth' type of
virus is involved. A stealth virus can hide itself completely when
a self-check is being performed. Do note that we are not dealing
with a TbScan bug here. The failure to detect stealth viruses is
Page 32
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
common to ALL software performing a sanity check. Therefore, we
recommend you to keep a clean version of TbScan on a
write-protected diskette. Use this diskette to check other machines
once you have found a virus in your own system.
3.4. How many viruses does it detect?
Some people think that TbScan recognizes only 500 viruses, based
upon the fact that the signature file contains only 500 signatures.
What they do not realize is that the signatures are family
signatures, which means that each signature covers many viruses.
For instance, our PLO/Jerusalem signature detects over 100 viruses
which are all related to the 'original' Jerusalem virus! Only one
(wildcarded) signature is needed by TbScan to cover all these
mutants.
Some competitive products treat each virus mutant as a separate
virus, and so claim to detect over 2000 viruses. However, TbScan
detects even more viruses using 'only' 500 signatures.
3.5. Testing the scanner
Many people understandably wish to test the product they are using.
While it is very easy to test, for instance, a word processor, it
is very difficult to test a smart scanner like TbScan. You cannot
extract 25 bytes from an executable and insert it in the TBSCAN.DAT
or VIRSCAN.DAT data file as a bogus signature just to find out
whether or not TbScan will detect the 'signature' in the file it
was copied from. It is very likely that TbScan does NOT find it
because it only scans the entry-area of the file whereas the
'signature' you extracted might be taken from some other location
within the file.
You might ask: 'How then can I test the scanner if using a 'test
signature' does not work?' We think you can't, unless you are an
experienced assembler programmer. Sorry, but testing a
disassembling scanner should be performed by virus experts only.
Fortunately, you don't have to rely on our tests solely. There are
anti-virus magazines that regularly publish tests of all virus
scanners. At the end of this manual you will find names and
addresses of such magazines. Anyway, third parties have tested our
scanner along with several others, and they found TbScan to have a
very high hit rate. It detects even more viruses than many popular
scanners do.
3.6. Scan scheduling
It is highly advisable to devise your own schedule for a regular
scan of your system. Creation of a special TbScan boot diskette is
Page 33
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
highly recommended in this respect.
Boot from your original DOS diskette. Use the diskcopy command to
copy the DOS diskette onto a new diskette. Delete all files from
this diskette, except for the two hidden system files and
COMMAND.COM. Copy all TbScan files to the diskette. Create a new
AUTOEXEC.BAT file which should contain the line 'TbScan C:\'.
Write-protect the diskette with the write-protect tab.
The following scan sessions (listed in order of preference) are
recommended:
- Run TbScan from A WRITE-PROTECTED BOOTABLE DISKETTE once a
week. Boot from this diskette before invoking the scanner. We
agree that it may be inconvenient to boot from a diskette, but
it is the only way to make sure that no stealth virus will
become resident in memory.
- It is recommended to invoke a daily scan. You can invoke
TbScan with the 'once' option from within the autoexec.bat file
to perform the daily scan session automatically. It is not
necessary to boot from the bootable TbScan diskette to perform
the daily scan.
3.7. Compressed files
Many executable files are compressed or packed. They contain an
unpacking routine which unpacks the executable in memory to restore
the original program size. The simplest compressor is the Microsoft
ExePack program. This compressor is even included in the link
program itself (use the /E option while linking to pack the
executable).
If the program contained a virus BEFORE compression took place, the
virus has been compressed too. A scanner will not recognize the
virus because of its compressed signature. The virus will still be
able to execute though.
If a virus resides inside a compressed file, it betrays its
presence by infecting other files in your system. Hence the
signature will be visible in all the newly infected files, which
the scanner will dutifully report. The compressed file that brought
the (compressed) virus into your system will probably not trigger
an alarm itself. The virus inside this program can do its worst all
over again unless you isolate this compressed file as the source of
the infection.
TbScan displays a 'p' behind each file that it finds to be
compressed by ExePack or any other compressor. TbScan does not
unpack files, since too many files are compressed nowadays.
Decompressing each one of them in your system would only be
Page 34
Thunderbyte virus detector. (C) Copyright 1989-1993 Thunderbyte B.V.
feasible if there was a limited number of compression schemes. Even
if there were, TbScan unpacking all your compressed files would be
consuming too much time, the more so as most of the time this
action would be quite unnecessary. Once you have established that a
compressed file does not contain a virus, you can rest assured that
this file will not get internally infected at a later date. Hence
it makes no sense to have TbScan unpack these files time and time
again. If there wasn't a virus the first time you checked, there
will not be one at subsequent times.
Note that if the compressed file gets infected AFTER it has been
compressed, the virus has NOT been compressed and will be clearly
visible to a scanner. The problem we referred to above only exists
when a file has been infected first and compressed afterwards.
Fortunately, you can treat compression as a minor risk when files
have been compressed by the programmer of the product (as is often
the case). Most programmers are aware of the existence of viruses
and go about compression with great care. If the programmer did not
compress the file, well, then the file has not been compressed and
the problem does not exist at all,...that is, if you obtained the
original version of a program of course.
If you obtained your copy of the program from another copy, you
have joined ranks with those that use illegal (!) copies of
software and thereby take great risks! One of the previous owners
of the program may have compressed it, treating you (perhaps
unknowingly) to a nasty virus infection.
Page 35
