WinDesk 95 - An MPC Encyclopedia / WinDesk 95 - An MPC Encyclopedia.iso / power / invb610a.000 / history.txt
Text File | 1995-12-05 | 21KB | 374 lines
September, 1995
Product upgrade, 6.10
---------------------
Revised documentation. The online hypertext and the full manual were
completely revised to reflect the changes and the additions made in IV.
New appendices were added, as well as discussion of many anti-virus and
virus-related subjects. A chapter on disaster recovery methods and
techniques was added, specifically addressing the use of ResQdisk and
ResQpro.
Full manual hypertext. The InVircible electronic manual was processed
into a hypertext that can now be browsed with the same browser as the
online help (IVHELP.EXE). It is possible to select and switch between
the two databases by using F6 when running the hypertext browser. The
manual hypertext is contained in the archived IV package and on the
distribution floppy. The new manual hypertext is NOT copied to the hard
disk when installing IV; the user should take care of this if s/he
wishes to have the hypertext manual available online.
Retro-piggybacking options removed from IV (*). Retro-piggybacking is
seldom used from the IV user interface. The retro-piggybacking options
were removed from IV, to declutter the display.
Retro-piggybacking (RP) enabled from command line. Retro-piggybacking
method 1 was disabled in former versions since it could be activated
from IV. In specific cases, such as when infected with a
cluster infector, without the virus being memory resident and active,
deliberate retro-piggybacking would have had a negative effect (permanently
fixing the virus in the file). RP method 1 was automatically enabled
when certain viruses were detected such as Necropolis and Frodo. Since
method 1 was removed from IV, it is now enabled for deliberate
activation from the command line. It provides an additional method to
remove full stealth viruses, when active, such as Tremor and others.
File killer detection message - bug fixed. The source of a bug causing
false alarms of killer file piggybacking was spotted and fixed.
ResQdisk - Compare track zero backup. New feature to compare track zero
with backup was added to ResQdisk. The new feature helps in spotting
new boot stealth infections on non-IDE drives. It also helps in
analyzing boot infections on all drives. The new feature is included
under the ^Z (track zero) menu, in addition to the existing ones.
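
A sector-level version of the track zero comparison described above, as an added example (not ResQdisk's code). It assumes 512-byte sectors, that both the current track zero and the backup are available as raw sector dumps of equal length, and the classic MBR layout for sector 0; the function names and the 8-sector sample are constructed for illustration.

```python
SECTOR = 512  # assumption: 512-byte sectors

# Classic MBR layout of sector 0: (region, start, end), end exclusive.
MBR_REGIONS = [
    ("bootstrap code", 0, 446),
    ("partition table", 446, 510),
    ("boot signature", 510, 512),
]


def compare_track_zero(current: bytes, backup: bytes) -> list:
    """Compare two track-zero images; return one finding per changed sector."""
    if len(current) != len(backup):
        raise ValueError("images differ in length; wrong backup or geometry?")
    if len(current) % SECTOR:
        raise ValueError("image is not a whole number of sectors")
    findings = []
    for n in range(len(current) // SECTOR):
        cur = current[n * SECTOR:(n + 1) * SECTOR]
        old = backup[n * SECTOR:(n + 1) * SECTOR]
        if cur == old:
            continue
        findings.append({
            "sector": n,
            "bytes_changed": sum(a != b for a, b in zip(cur, old)),
            # For sector 0, report which part of the MBR changed.
            "mbr_regions": [name for name, lo, hi in MBR_REGIONS
                            if n == 0 and cur[lo:hi] != old[lo:hi]],
            # Data appearing in a sector that was empty in the backup
            # deserves a closer look during boot-infection analysis.
            "was_blank": old == bytes(SECTOR),
        })
    return findings


def build_sample():
    """Constructed 8-sector track zero: a backup and a modified copy."""
    mbr = bytearray(SECTOR)
    mbr[0:446] = b"\x90" * 446          # placeholder bootstrap bytes
    mbr[446], mbr[450] = 0x80, 0x06     # one active partition entry
    mbr[510:512] = b"\x55\xaa"          # boot signature
    backup = bytes(mbr) + bytes(SECTOR * 7)
    current = bytearray(backup)
    current[0:16] = b"\xeb" * 16                 # bootstrap code altered
    current[6 * SECTOR:7 * SECTOR] = mbr         # formerly empty sector filled
    return bytes(current), backup


if __name__ == "__main__":
    for finding in compare_track_zero(*build_sample()):
        print(finding)
```
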
Special /DM switch in ResQdisk. Use /DM /B to back up the active
partition boot sector of a Disk Manager 6.03 partition, and /DM /R to
restore the boot sector. The drive must be booted with the special DM
driver loaded in memory, either from the hard disk itself, or from a
floppy specially prepared for the purpose.
IVLOGIN installation with predetermined signature filename. Run IVlogin
with the following parameter: IVLOGIN SIG=<filename>. If a random
filename is preferred then run IVLOGIN /RANDOM.
The Memory Stealing threshold presetting was removed from all programs,
except from INSTALL and IV, to guard against inadvertent resetting by
inexperienced users.
Improved ResQdiskquette. SeeThru is not available on SCSI and other
non-IDE hard drives. This rendered the detection of stealth boot
infectors difficult, as it had to rely mainly on the detection of
memory stealing, or on running IV after booting from a clean DOS
floppy. From this version on, even if there is a stealth virus active
on the system, the rescue diskette prepared by INSTALL/R will still
have a clean boot sector. Hard drives that cannot be checked with
active SeeThru can now be verified and CLEANED from the rescue diskette
prepared on the infected machine!
Including additional file types in IVB's checklist. IVB, the integrity
analyzer and restore program, secures and can restore executable files
if infected. The file extensions currently supported in IVB's
checklist are COM, EXE, SYS, BIN, OV?, NLM, VLM, 386 and VXD. There
are additional types that are not included in IVB's checklist such as
Windows' DLL, FOT, FTT etc., although they have a binary and executable
structure. Additional filespecs are added to the checklist by NetZ on
an as-needed basis. Since IVB processes binary executable files only,
there is no point including data or text files such as batches (BAT) in
IVB's checklist. Yet, users may wish to include certain file types in
IVB's list. There is now an option to add up to five extension specs to
IVB's list. Edit the IVB.INI file in the IVB.EXE directory with an
ASCII editor. For each desired extension you wish IVB to check, add a
line as in the following example (for DLL files): "INCL=*.DLL". The
'*' and '?' wildcards are permitted.
(*) The IVMENU.EXE user interface shell was renamed to IV.EXE.
Product upgrade, 6.02B
----------------------
Online backup of IVB signatures. Existing IVB signatures were usually
overwritten every time a new signatures file was created. From this
version, the current IVB signature is backed up before a new one is
written, by renaming the existing file with the extension *.000, and by
changing its attribute to 'read only'. The backup is done when IVB
renews a signature in the current file (because it found new files in a
directory, or because one or more of the signatures were tampered
with). The backup signature can be used with the /X switch
(user defined filename). No backup is created when new signatures are
purposely rewritten.
Improvement in IVX: A new feature was added to IVX, enabling the
selection of the offset past the entry point, to look for the
extraction of a signature string. This option improves IVX capability
as an automatic signature extractor. See Appendix C in IV's manual
for details on how to use this feature.
IDE hardware access fix. InVircible uses hardware access to overcome
stealth boot viruses. IV's hardware access is usually well behaved, yet
there are controllers and 32 bit access drivers with which IV had
problems. This is taken care of by timing out the hardware access if
unsuccessful. If timed out, then SeeThru will not be available with the
specific hardware or driver. This will be indicated in IVinit, IVtest
and in ResQdisk. Usually, the unavailability of SeeThru on 32 bit
hardware should not constitute a problem, as boot virus stealth is
disabled when 32 bit disk access is present and these viruses are then
detected by other IV features, i.e. sector analysis and memory stealing.
Improvements in FixBoot. The FixBoot utility has been part of IV since
version 6.02. Its purpose is to clean the boot sector of floppies in
bulk processing, by the replacement of the boot sector. The new
additions to FixBoot are: a prompt to process another floppy, and the
detection of which operating system is present on the diskette, to keep
it bootable. The default boot sector is MS-DOS. An IBM boot sector
(PC-DOS/DR-DOS) will be installed instead, if IBM system files are
found on the floppy.
ResQdisk Professional. ResQdisk is an extremely powerful tool for
recovering lost hard drives and its professional version, ResQpro, has
already saved users thousands of dollars, by recovering data that was
considered a total loss. The ResQpro features are now available in
ResQdisk, to users that purchase the professional license. The Pro
version is recommended to data recovery specialists, computer servicing
labs, to institutions and organizations, and to power users with
special needs for data recovery. The Pro version license is available
through a special distribution floppy only, available from authorized
IV vendors. ResQpro upgrades are identical to IV's, via the Internet
and the major nets.
ResQdisk single session authorization. ResQdisk can restore access to a
hard drive, on condition that the cause is not a hardware failure. Yet
the full advanced features of ResQdisk and ResQpro are available only
to licensed users of IV. The new version enables an authorized dealer
of IV to authorize ResQdisk over the phone, for the present session.
The authorization is done through the exchange of a password pair
(press ^F10 when running ResQdisk to generate the password), while in
a hotline support session.
Handling the boot sector through DOS - new feature in ResQdisk. There
are instances when the active partition's boot sector needs to be
addressed through DOS instead of interrupt 13h. Such is the case when
special boot drivers are used such as Disk Manager or EZ-Drive. The
edit functions (^E) of ResQdisk were duplicated under the ^B (boot)
command. The active boot sector of drive C: is then handled through DOS
interrupts 25h (read) and 26h (write). Note that the designation under
DOS is the logical drive C:, rather than hard drive # 1, with BIOS
interrupt 13h. The options are: read sector to clipboard, write
clipboard to boot sector, read from file, write sector to file, and SYS
(the equivalent of refreshing the boot sector with the command SYS C:).
Detection of signature killer. InVircible has proven that it's possible
to anticipate viral technologies and counter them, before they become a
real threat. Although such a threat has not yet materialized, it is
possible to write a virus that could target InVircible's database to
destroy its files. To guard against this possibility, the new version
detects the presence of a signature killer and will alert on it.
Random signature filename. Use the IVLOGIN /RANDOM switch to select a
random signature filename.
Enhanced rescue floppy procedure. Users may wish to have their favorite
utilities such as an ASCII editor on the rescue diskette. To do so,
just copy the additional files to a newly formatted floppy before
starting the rescue disk procedure, run INSTALL/R and answer "no" when
asked whether to wipe the floppy clean.
Product upgrade, 6.02A
----------------------
IVX major upgrade. New features were added to IVX, enabling automatic
signature extraction and signature scanning. IVX now creates its own
signatures database from sampled files. The extraction of the
signatures is automatic and does not require any special skills. The
signatures can then be used to scan for their presence in other files.
IVX also accepts user defined signatures by editing the database with
an ASCII editor. An average user can now easily generate a signature
for a new virus and announce it on the net or elsewhere. IV users can
now scan for the presence of new viruses announced on the net. The new
features of IVX reduce the response time to new virus alerts.
The algorithm of IVX in statistical mode was refined and its detection
capability improved, especially against some of the more difficult
polymorphs, such as MtE viruses.
IVB history file. The IVB.RPT file is overwritten when a new report is
created. In a networked environment, the current daily report will be
appended to the IVB.HIS (history) file. The implementation is through
the AUTOEXEC file, by adding a couple of lines after the IVB daily
command. The appropriate lines are added automatically by the INSTALL
program when installation from server is detected (or selected, in
INSTALL's main menu). To add this feature in an existing installation,
add the following lines in the autoexec, after IVB DAILY:
    IF EXIST \IVB.RPT COPY \IVB.HIS+\IVB.RPT \IVB.HIS
    IF EXIST \IVB.RPT DEL \IVB.RPT
Licensing for OS/2 and Win 95. In version 6.02, InVircible's license
reverted to Sentry when in Windows' or OS/2's DOS shell. Version 6.02A
fixed that problem. Yet, you will need to run IV once in real DOS in
order to upgrade your license from a former version, to 6.02A. This
procedure does not apply to new licensed users, since the license can
be installed to disk only in REAL DOS mode.
Detection of PKLITE'd droppers and Trojans. During the last year,
several droppers and Trojans were found, that used PKLITE in order to
conceal the gen-1 file. Gen-1 is the designation of the first
generation of a virus, usually the one used to launch the virus. While
scanners usually find the offspring, the gen-1 file will not be
suspected, as it often isn't recognized as a compressed file because
the PKLITE marks were removed or disguised. The most recent case
that used the PKLITE method is related to the Big Caibua virus. The
detection of potential droppers was added to IVscan, as the default.
This feature should help SysOps and network administrators to keep
their board and systems clean.
Improved IVB signatures. Functional changes were made in order to
improve IVB's discrimination between non-viral and legal modification
of programs, as well as to improve their immunity to dedicated virus
attacks. The new signatures are no longer compatible with the lower
versions of IVB. To avoid confusion, or the loss of the former
database, the default filename of the signature files was changed to
IVB .NTZ. Note that there is a trailing character 255 (it looks like a
space, but it is not!) between the IVB filename, and the .NTZ
extension.
No escape in Sentry mode. System administrators asked that Sentry users
be prevented from escaping IVB's daily full check. Adding the /ESC
switch to the command line re-enables the Esc key when scanning daily.
This change applies only to the Sentry mode.
IVB exceptions list. There are instances when you may want to exclude a
file from IVB's list of files to process. IVB now has provisions to
exclude up to 5 filenames. Edit IVB.INI in the IVB.EXE directory with
an ASCII editor, or create a new file with the above name, if it
doesn't exist yet. Add a line for each file to exclude as follows:
SKIP = EXCLUDE.BIN
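
An audit of the IVB.INI lines described here and in the 6.10 entry on additional file types, as an added example (not NetZ code): exclusions and extra extensions in an integrity checker's configuration are worth reviewing, since they decide which executables are left unchecked. Only the INCL and SKIP keys, the five-entry limits and the built-in extension list come from the changelog; case-insensitive keys, 8.3 name syntax, rejecting wildcards in SKIP, the function name and the sample file are assumptions.

```python
import fnmatch
import re

# Extension specs the changelog lists as already in IVB's checklist.
BUILTIN = ["COM", "EXE", "SYS", "BIN", "OV?", "NLM", "VLM", "386", "VXD"]
MAX_ENTRIES = 5  # stated limit for INCL specs and for SKIP filenames
# Assumed syntax: DOS 8.3 names, wildcards accepted in INCL specs only.
INCL_RE = re.compile(r"^[^\s.\\/:]{1,8}\.[^\s.\\/:]{1,3}$")
SKIP_RE = re.compile(r"^[^\s.\\/:*?]{1,8}(\.[^\s.\\/:*?]{1,3})?$")

SAMPLE_INI = """\
INCL=*.DLL
INCL=*.OVL
incl = *.bat
INCL=*.FOT
INCL=*.FTT
INCL=*.CPL
SKIP = EXCLUDE.BIN
SKIP=*.EXE
"""  # constructed sample, not a file shipped with the product


def audit_ivb_ini(text):
    """Return include specs, skip names, other lines and (line, code) problems."""
    include, skip, other, problems = [], [], [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Both "INCL=*.DLL" and "SKIP = EXCLUDE.BIN" spacings appear on the page.
        key, sep, value = (part.strip().upper() for part in line.partition("="))
        if not sep or key not in ("INCL", "SKIP"):
            other.append((no, line))  # not documented on the page; left unjudged
            continue
        if key == "INCL":
            if not INCL_RE.match(value):
                problems.append((no, "bad-incl"))
                continue
            include.append(value)
            ext = value.rsplit(".", 1)[1]
            if ext == "BAT":  # IVB handles binary executables only
                problems.append((no, "text-type"))
            elif any(fnmatch.fnmatchcase(ext, pat) for pat in BUILTIN):
                problems.append((no, "redundant"))
        elif not SKIP_RE.match(value):
            problems.append((no, "bad-skip"))
        else:
            skip.append(value)  # every exclusion is a file left unchecked
    if len(include) > MAX_ENTRIES:
        problems.append((0, "too-many-incl"))
    if len(skip) > MAX_ENTRIES:
        problems.append((0, "too-many-skip"))
    return {"include": include, "skip": skip, "other": other, "problems": problems}


if __name__ == "__main__":
    print(audit_ivb_ini(SAMPLE_INI))
```
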
The CMOS "Restore" option was removed from IVINIT in Sentry mode.
Product upgrade, 6.02
---------------------
The major change in version 6.02 is the handling of large capacity IDE
drives. These drives appeared on the market in mid 1994 and they are
now quite common. Several enhancements to handle the large capacity IDE
were already introduced in version 6.01D. The new drives present
technical challenges in the area of disaster recovery and vulnerability
to boot and MBR viruses, that were unforeseen by both the drives'
producers, and the AV industry. Version 6.02 consolidates the former
enhancements and lays the grounds for further improvements, especially
in the disaster recovery area of these drives. Read also in UPGRADE.TXT
how to upgrade your licensed copy of InVircible.
Licensing of large capacity IDE. The installation of the license record
to large capacity IDE was impossible with earlier versions, if the
Ontrack extended boot driver (DM 6.03+) was used. It could be done only
with plain FDISK partition, using the LBA (logical block access) option
in the setup. Version 6.02 will allow the licensing of these drives
too.
Version 6.02 consolidates changes done to the hardware access routines,
used in InVircible, to suit the newer fast access hard disks and boards
(100 MHz and higher). Hardware access is sensitive to timing, and new
industry standards were introduced in the last year. Therefore, we
recommend that InVircible copies earlier than 6.01D are upgraded.
Versions 6.01B and 6.01C still have some slow routines that won't work
properly with the newer fast disks. Also, versions earlier than 6.01D
still have a routine that conflicts with a design defect in some
older models of Maxtor hard drives. The problem has been identified by
NetZ Computing and acknowledged by Maxtor. From version 6.01D and on,
there should be no problem anymore, all models of Maxtor included.
ResQdisk improvement, fixing the boot sector via DOS, the ResQdisk ^B
function. There are instances when the boot sector of hard drive #1 is
infected, and it cannot be accessed via regular int 13 functions. Such
is the case with the newer large capacity IDE drives. The active
partition's boot sector can then be refreshed through the ^B key
combination. The ^B function operates on the boot sector the same way
that FDISK/MBR does on the MBR - it refreshes the bootstrap code,
without affecting the BPB data. The ^B function should only be used
when booted from the hard drive.
Product upgrade, 6.01D
----------------------
Daily inspection for companion virus. The companion virus verification
was added to IVB, since IVB runs daily. The same routine is retained in
IVscan, for operational redundancy.
The user interface in ResQdisk was improved further. The newer features
were grouped in three menus, Edit (accessible by pressing ^E), Track
Zero maintenance (^Z) and Analyze sector (^A). Also, the new ^B
function was added. The latter will refresh the boot sector of drive C:
while accessing via DOS instead of the BIOS, and is the equivalent of
the SYS C: command. The ^B function is helpful in removing boot sector
viruses such as Da'Boys, Boot-437, Form etc.
Improved editing features in ResQdisk. Additional editing features were
added to ResQdisk. The sequence ^E ^F will read a file into the sector
clipboard, while ^E ^D drops the content of the displayed sector into a
file. The combination ^E ^Y will decrypt an encrypted sector into the
clipboard and display it on screen. The latter is especially useful for
the recovery of damaged hard drives, such as those hit by the Monkey
virus. It is indispensable for rescuing hard drives lost to
inappropriate disinfection procedures, such as with FDISK/MBR, or
inadequate antiviral products. The above further improve ResQdisk as
the best disaster recovery and boot-antiviral utility.
Improved "track 0" maintenance features. ResQdisk is used in the rescue
diskette for backing up track zero of the hard disk to floppy and for
restoring track zero from file to the hard drive. The "track 0"
functions are now available on-line, with the visual inspection of
ResQdisk, in both SeeThru modes (backup only, recovery is always done
with SeeThru off). The track 0 functions are started by the ^Z key
combination, followed by ^B for backup to file or ^R for restore from
file.
Compatibility with large capacity IDE. IVTEST was corrected to ignore
the dynamic boot loader of large capacity IDE disks.
Revision 6.01C was compatible only with Ontrack's Disk Manager extended
BIOS drivers (XBIOS.OVL). The new revision is also compatible with
other brands recently introduced into the market - e.g. MicroHouse's
EZ-DRIVE.
January, 1995
Product upgrade, InVircible 6.01C
---------------------------------
Improved performance in networked environment: Revision 6.01C has
further improvements for the operation of InVircible in the networked
environment. All the scanning modules (IVB, IVscan and IVX) were revised
to avoid Novell's Netware files. The verification of Netware files
under DOS created errors because of the special attributes of Netware's
system files. IV's current revision avoids these files.
Automatic IV version upgrades in network: IVLOGIN can now be used for
both the automatic installation of InVircible to workstations in a
networked environment, as well as the upgrading of an older IV version
to a newer one. IVLOGIN checks whether its own version is newer than
the current one installed on the hard drive. An older version will be
automatically replaced by a new one, by just invoking IVLOGIN. It is
recommended that the IVLOGIN command should always be included in the
user's login script, in networks.
Improved piggybacking detection: Revision 6.01C has higher sensitivity
of piggybacking detection. The detection threshold has been lowered to
detect piggybacking within a few affected files. The improved sensitivity
has no effect on speed since the loss in speed was compensated for with
a better search algorithm.
December 1994
Product upgrade, InVircible 6.01B
---------------------------------
Installation of InVircible on networked PC: Revision 6.01B has an
additional file, IVLOGIN.EXE. As its name implies, it is run from the
user login script in networks. When a workstation connects to the
network, IVLOGIN verifies whether it has a hard drive, and if
InVircible is installed on that disk. If not, INSTALL/FAST is invoked
to install IV to the hard disk. The LAN administrator is required to
install IV to the server and add the IVLOGIN command to the user login
script. The rest is done automatically.
Install upgrades: The French version of InVircible now configures the
rescue diskette to start with a French keyboard. Install also takes
care to REM out the Thunderbyte TSR in the autoexec, at the
installation of IV. The TB TSR intercepts IV's initialization checks
and may crash the system. Also, Install will now install the IV
registration key to hard drives having the Compaq configuration (see
ResQdisk, above).