The World of Computer Software

home *** CD-ROM | disk | FTP | other *** search

/ The World of Computer Software / The World of Computer Software.iso / esdscn20.zip / ESDSCAN.DOC < prev next >

Wrap

Text File | 1992-07-20 | 13KB | 344 lines

ESD Trojan - Virus Scanning Utility ESDSCAN.EXE is copyright (C)1990-1991 by Electronic Systems Design, and is released as as shareware. It is not free software, if you use ESDSCAN, please register it. ESDSCAN may be distributed in archived format on BBS systems as long as this documentation is included in the archive. Overview: The ESD Trojan / Virus Scanner Utility addresses a need for a through, user-configurable analysis of files that have been extracted from downloaded archives. This product is not meant to replace other fine virus scanners, it should be used along with them. This software was developed to provide the user with added insight into the files aquired by downloading, and has the ability to spot the trojans and bombs most other virus scanners miss. Complete user configurabilty is the main feature of the ESDScan product. You actually specify the ASCII and HEX signatures that you want to be made aware of in your files, by editing the ESDSCAN.DAT file. You may include or exclude strings to scan for, thus reducing the depenance for periodic virus scanner update releases. Multiple archives may be automatically processed using the batch processor, (BATPROC.EXE), utility, included. This allows automatic checking of uploads for SYSOPs. Features: - PKLITE file compression/encryption is detected, and compressed files are optionally expanded, for scanning purposes. The file, PKLITE.EXE must be available in your PATH for this feature. - By default, all files in the current sub-directory are scanned. - The program can be run from batch files, and returns errorlevels based on the results of the run. - In batch mode, a report is created in the current sub-directory detailing the positive matches found, along with comments. In 1 ESD Trojan - Virus Scanning Utility interactive mode, the user may view the report. - The signature file, ESDSCAN.DAT can reside in the current sub-directory, or elsewhere on disk. An environment variable, "ESD" points to the location of this file. - User configurable ASCII HEX signatures can be found, as well as ASCII text based signatures, and ANSI escape sequences. - Batch Processing utility is helpful to SYSOP's and others who would like to scan an entire sub-directory of archives. Bad archives are moved to another sub-directory, and a log file is created. - An additional utility is provided to aid in analizing files. DUMP.EXE will perform a HEX/ASCII dump of a file to screen. Hit the space bar to pause the display, hit the "A" key for a pop-up ASCII chart, hit ESC to abort. The results of a dump may be redirected to a file by using the command: DUMP filename > file Where: "filename" is the file to dump, and "file" is the file to create. Careful! You will overwrite "file" if it already exists. Installation: 1. Copy the following files into your UTILITY sub-directory. This sub-directory must be in your PATH. ESDSCAN.EXE, ESDSCAN.DAT, DUMP.EXE 2. Set the ESD environment variable by typing... SET ESD=C:\UTILITY\ Add the following line to your AUTOEXEC.BAT file: SET ESD=C:\UTILITY\ Where: UTILITY is the name you have given to your UTILITY files sub-directory. The word, ESD, should be in caps. 3. You may print this document by using the following command: 2 ESD Trojan - Virus Scanning Utility COPY ESDSCAN.DOC PRN Configuration: You may edit the ESDSCAN.DAT file using a text editor to suit your needs. It comes with some default signatures of popular trojan, bomb, and viral code. See comments inside this signature file. This file must adhere to the following format rules: 1. General comments are preceded by a semi-colon, and are ignored by the scanner, with the following exception: 2. The comment line that precedes each target signature line will be included in the report that is generated if a positive match is found. This comment line should be worded as a message that will be displayed to the user. 3. ASCII text signatures and ANSI escape sequenses appear on a line by themselves, as they would literally be found in the files to be scanned. 4. Machine code, and other strings can be found if you specify the signature in ASCII HEX form. One byte is represented by two alpha-numeric characters. If the HEX value is one digit, as in "F", then you should specify it as "0F", because ESDSCAN expects to read in HEX characters by twos. Do not insert any spaces. To specify that the signature should be interpreted and converted to HEX, precede the signature with the "&H:" directive. Example: ;This is a comment for a sample HEX signature... &H:4142430F ...Would find the string "ABC". Running ESDSCAN: Usage: ESDSCAN [ /P ] Where: /P - Expand COM and EXE files processed with PKLITE before scanning. /B - Batch mode, don't display or write the report. /H - The help screen. ESDSCAN will, by default, scan all the files in the current 3 ESD Trojan - Virus Scanning Utility sub-directory. COM and EXE files will be checked for the presence of the PKLITE copyright string. If one is found, the message "PKLITE Detected" will show next to the file being scanned, and a message suggesting that you re-scan using the /P option will be displayed. If any file tests postive for a signature match, ESDSCAN will beep with each hit, and a message will be displayed tell you of a positive match, possibly a trojan/virus in your files. A report will be created in memory, (30 hits, maximum). The program will prompt you to display and optionally print "ESDSCAN.RPT" to disk, in the default sub-directory. The DOS errorlevel will be set to 1. Use a file viewer to futher examine the suspected files. If you feel you must execute any of the suspected programs, try using a hard disk write protect program ahead of time. If an error occurs, the DOS errorlevel will be set to 2. If no signatures are found, the DOS errorlevel will be set to 0. Using batch mode, the program will perform as usual, except that the user will not be able to view the report, and it will not be written to disk. This mode is of benefit to SYSOP's who perform automated scans of files, and write the calling batch file such that it takes action based on returned errorlevels. Running BATPROC: Usage: BATPROC [ /P /M /A ] Where: /P - Expand COM and EXE files processed with PKLITE before scanning. /M - Scan using McAffee's as well as ESDSCAN. /A - Scan only the archives having the archive attribute set, and reset it. BATPROC will create a sub-directory called SCAN_TMP under the default sub-directory. Files in the default sub-directory with the extensions ZIP, ARC, LZH, ARJ will be un-archived in the SCAN_TMP sub-directory, using external archivers PKUNZIP, PKXARC, LHA, ARJ, which must reside in a sub-directory in the PATH. ESDSCAN will be called to scan all the files in the SCAN_TMP sub-directory. A log file called BATPROC.LOG will be appended to 4 ESD Trojan - Virus Scanning Utility in the root directory of the default drive, noting the results of the scan process. BATPROC will return an errorlevel of 1 for trojan/virus found, errorlevel 2 if an error, and 0 if no trojans/viruses found. Note that BATPROC automatically calls ESDSCAN using the /Batch option. Optionally, McAffee's SCAN can be called in addition to ESDSCAN, for additional protection, by specifying the /M switch. SCAN.EXE must also reside in a sub-directory in the PATH. The /A option is useful to SYSOPs who allow uploads to their downloading sub-directory. Using this option, all the archives that have the archive attribute set will be scanned, then the archive attribute will be reset. The next time BATPROC is run using the /A switch, BATPROC will scan only the new uploads. If you do not wish all archives to be scanned initially, but rather only have new uploads scanned, then you must first reset the archive attributes on all files. An example: CD\BBS\FILES ATTRIB -A *.* You may elect to have BATPROC scan all new uploads using the techniques described above, to be performed automatically during your BBS's nighttime batch procedure. About ESDSCAN: ESDSCAN was written in Microsoft Professional Development System 7.1 using routines written in Assembler and linked with PDQ by Crescent Software, by Robert Schoolfield. It was written as a tool to benefit people who download software from BBS's. ESDSCAN is distributed as shareware, which simply means if you care to support our programming efforts, please register your copy. For personal or BBS use, on up to three computers: $5.00, (US). For academic use, on up to twenty-five computers: $15.00, (US). For corporate, business, or commercial use, unlimited site license: $25.00, (US). You will be pleased to know your unregistered copy ESDSCAN is fully functional, and there are no timed messages, counted executions, or annoying reminders in this software. Can I count on your registration? 5 ESD Trojan - Virus Scanning Utility The latest version will be mailed to registered users, on request for $5.00 additional to cover postage and handling, (US), or can be downloaded from Propriety Business Systems, (PBS:), or CompuServe. The user agrees to hold harmless Electronic Systems Design for any loss or damage incurred in using this software. There are no warranties expressed or implied. As with all downloaded software, use at your own risk. Your check may be mailed to: Robert Schoolfield, Electronic Systems Design, P.O. Box 26431, Colorado Springs, CO 80936. Support is provided by Robert Schoolfield, email to either: SYSOP: PBS: (719) 550-1696 8N1 300-2400 bps, 24 hours. - or - Robert Schoolfield: CompuServe: 70404, 3430 6