ESDSCAN.DOC, text file dated 1992-07-20 (13KB, 344 lines)
ESD Trojan - Virus Scanning Utility
ESDSCAN.EXE is copyright (C)1990-1991 by Electronic Systems
Design, and is released as shareware. It is not free software;
if you use ESDSCAN, please register it. ESDSCAN may be
distributed in archived format on BBS systems as long as this
documentation is included in the archive.
Overview:
The ESD Trojan / Virus Scanner Utility addresses the need for a
thorough, user-configurable analysis of files that have been
extracted from downloaded archives.
This product is not meant to replace other fine virus scanners;
it should be used along with them. It was developed to give the
user added insight into the files acquired by downloading, and
it can spot the trojans and bombs that most other virus scanners
miss.
Complete user configurability is the main feature of the ESDScan
product. You specify the ASCII and HEX signatures that you want
to be warned about in your files by editing the ESDSCAN.DAT
file. You may include or exclude strings to scan for, thus
reducing your dependence on periodic virus scanner update
releases.
Multiple archives may be processed automatically using the
included batch processor utility, BATPROC.EXE. This allows
SYSOPs to check uploads automatically.
Features:
- PKLITE file compression/encryption is detected, and compressed
files are optionally expanded for scanning purposes, since a
signature inside a compressed file cannot be matched until the
file is expanded. The file PKLITE.EXE must be available in your
PATH for this feature.
- By default, all files in the current sub-directory are scanned.
- The program can be run from batch files, and returns
errorlevels based on the results of the run.
- A report is created detailing the positive matches found,
along with comments. In interactive mode the user may view the
report and optionally write it to ESDSCAN.RPT in the current
sub-directory; in batch mode (/B) the report is neither displayed
nor written, and the calling batch file relies on the errorlevel
instead.
- The signature file, ESDSCAN.DAT, can reside in the current
sub-directory or elsewhere on disk; the ESD environment variable
points to its location.
- Signatures are user-configurable and may be given as ASCII HEX
byte strings, ASCII text strings, or ANSI escape sequences.
- The batch processing utility is helpful to SYSOPs and others
who would like to scan an entire sub-directory of archives. Bad
archives are moved to another sub-directory, and a log file is
created.
- An additional utility is provided to aid in analyzing files.
DUMP.EXE performs a HEX/ASCII dump of a file to the screen. Hit
the space bar to pause the display, the "A" key for a pop-up
ASCII chart, or ESC to abort. The results of a dump may be
redirected to a file by using the command:
DUMP filename > file
Where: "filename" is the file to dump, and "file" is the file to
create. Careful! You will overwrite "file" if it already
exists.
Installation:
1. Copy the following files into your UTILITY sub-directory.
This sub-directory must be in your PATH.
ESDSCAN.EXE, ESDSCAN.DAT, DUMP.EXE
2. Set the ESD environment variable by typing...
SET ESD=C:\UTILITY\
Add the following line to your AUTOEXEC.BAT file:
SET ESD=C:\UTILITY\
Where: UTILITY is the name you have given to your UTILITY files
sub-directory. The word, ESD, should be in caps.
3. You may print this document by using the following command:
COPY ESDSCAN.DOC PRN
Configuration:
You may edit the ESDSCAN.DAT file using a text editor to suit
your needs. It comes with some default signatures of popular
trojan, bomb, and viral code. See comments inside this signature
file. This file must adhere to the following format rules:
1. General comments are preceded by a semi-colon, and are
ignored by the scanner, with the following exception:
2. The comment line that precedes each target signature line
will be included in the report that is generated if a positive
match is found. This comment line should be worded as a message
that will be displayed to the user.
3. ASCII text signatures and ANSI escape sequences appear on a
line by themselves, exactly as they would be found in the files
to be scanned.
4. Machine code and other binary strings can be found if you
specify the signature in ASCII HEX form. One byte is represented
by two hexadecimal characters. If a byte's value has only one
digit, as in "F", specify it as "0F", because ESDSCAN reads HEX
characters by twos. Do not insert any spaces. To indicate that
the signature should be interpreted and converted to HEX,
precede it with the "&H:" directive. Example:
;This is a comment for a sample HEX signature...
&H:4142430F
...would match the four bytes 41h 42h 43h 0Fh, that is, the text
"ABC" followed by the single byte 0Fh.
Running ESDSCAN:
Usage: ESDSCAN [ /P /B /H ]
Where: /P - Expand COM and EXE files processed with PKLITE
before scanning.
/B - Batch mode; don't display or write the report.
/H - Display the help screen.
ESDSCAN will, by default, scan all the files in the current
sub-directory. COM and EXE files will be checked for the
presence of the PKLITE copyright string. If one is found, the
message "PKLITE Detected" will show next to the file being
scanned, and a message suggesting that you re-scan using the /P
option will be displayed.
If any file tests positive for a signature match, ESDSCAN will
beep with each hit, and a message will be displayed telling you
of a positive match, possibly a trojan/virus in your files. A
report is built in memory (30 hits, maximum). The program will
prompt you to display the report and optionally write it to disk
as "ESDSCAN.RPT" in the default sub-directory. The DOS errorlevel
will be set to 1.
Use a file viewer to further examine the suspected files. If you
feel you must execute any of the suspected programs, run a hard
disk write-protect program first.
If an error occurs, the DOS errorlevel will be set to 2.
If no signatures are found, the DOS errorlevel will be set to 0.
In batch mode the program performs as usual, except that the
report is neither displayed nor written to disk. This mode
benefits SYSOPs who perform automated scans of files and write
the calling batch file so that it takes action based on the
returned errorlevel.
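As an added worked example, here is a small Python
re-implementation of the behaviour this document describes: the
ESDSCAN.DAT format rules from the Configuration section (comment
lines, the message comment before a signature, "&H:" HEX
signatures, literal ASCII/ANSI signatures), a DUMP.EXE-style
HEX/ASCII dump of the bytes around each hit, the 30-hit report
limit, and the 0/1/2 errorlevel convention described above. This
is illustrative code written for this page; it is not the ESDSCAN
or DUMP source and not Electronic Systems Design's code. The
sample signature file and the sample file contents are
constructed for the example, and how the real program treats
blank lines, lower-case HEX digits, or a message comment that is
not immediately followed by a signature is assumed, not
documented.

```python
import binascii
from dataclasses import dataclass
from pathlib import Path

MAX_HITS = 30  # ESDSCAN.DOC: the in-memory report holds 30 hits, maximum


@dataclass(frozen=True)
class Signature:
    pattern: bytes
    message: str  # the comment line that preceded the signature in the .DAT file


def parse_dat(text: str) -> list[Signature]:
    """Parse ESDSCAN.DAT-style text by the four format rules in the Configuration section."""
    sigs: list[Signature] = []
    message = ""
    for raw in text.split("\n"):  # not splitlines(): a literal ESC/FF byte must not end a line
        line = raw.rstrip("\r")
        if not line.strip():
            continue
        if line.startswith(";"):  # rules 1-2: comment; the last one before a signature is its message
            message = line[1:].strip()
            continue
        if line.upper().startswith("&H:"):  # rule 4: ASCII HEX, exactly two digits per byte, no spaces
            digits = line[3:].strip()
            if len(digits) % 2 or not all(c in "0123456789abcdefABCDEF" for c in digits):
                raise ValueError(f"bad HEX signature, write one-digit values as 0F: {line!r}")
            pattern = binascii.unhexlify(digits)
        else:  # rule 3: literal ASCII text or ANSI escape sequence, exactly as found in a file
            pattern = line.encode("latin-1")
        sigs.append(Signature(pattern, message))
        message = ""  # assumption: a message comment belongs only to the signature that follows it
    return sigs


def hexdump(data: bytes, base: int = 0, width: int = 16) -> list[str]:
    """DUMP.EXE-style output: offset, HEX bytes, and an ASCII column with '.' for non-printables."""
    out = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexcol = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        asccol = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        out.append(f"{base + i:08X}  {hexcol}  {asccol}")
    return out


def scan_bytes(name: str, data: bytes, sigs: list[Signature]) -> list[tuple[str, int, Signature]]:
    """Byte-for-byte substring search; one (file, offset, signature) tuple per hit."""
    hits = []
    for sig in sigs:
        pos = data.find(sig.pattern)
        while pos != -1:
            hits.append((name, pos, sig))
            pos = data.find(sig.pattern, pos + 1)
    return hits


def scan_files(files: dict[str, bytes], sigs: list[Signature]) -> tuple[int, list[str]]:
    """Scan a name->contents mapping; return (errorlevel, report): 0 = clean, 1 = match found."""
    hits = []
    for name, data in files.items():
        hits.extend(scan_bytes(name, data, sigs))
    report = []
    for name, pos, sig in hits[:MAX_HITS]:
        report.append(f"{name}: {sig.message} (offset {pos:08X})")
        start = pos - pos % 16  # the DUMP line containing the hit, for context
        report.extend(hexdump(files[name][start:start + 16], start))
    if len(hits) > MAX_HITS:
        report.append(f"...{len(hits) - MAX_HITS} more hit(s) dropped ({MAX_HITS}-hit report limit)")
    return (1 if hits else 0), report


def scan_directory(path: str, sigs: list[Signature]) -> tuple[int, list[str]]:
    """Read every regular file in `path` (ESDSCAN's default is the current sub-directory)."""
    try:
        files = {p.name: p.read_bytes() for p in Path(path).iterdir() if p.is_file()}
    except OSError as exc:
        return 2, [f"ERROR: {exc}"]  # errorlevel 2, as ESDSCAN does when an error occurs
    return scan_files(files, sigs)


# Constructed sample signature file (not the ESDSCAN.DAT shipped with the program).
SAMPLE_DAT = """; General comments like this one are ignored by the scanner.
;Sample HEX signature from the Configuration section: "ABC" followed by byte 0Fh
&H:4142430F
;ANSI key-reassignment sequence (constructed sample): remaps Enter to type DEL *.*
\x1b[13;"DEL *.*";13p
;Text typical of a disk-wiping trojan (constructed sample)
FORMAT C:
"""

# Constructed file contents standing in for the files found in a SCAN_TMP sub-directory.
SAMPLE_FILES = {
    "GOOD.COM": b"\xb4\x09\xcd\x21Hello, world\r\n$\xcd\x20",
    "EVIL.EXE": (b"MZ\x90\x00" + b"\x00" * 12 + b"Hello from a harmless program\r\n"
                 + b"ABC\x0f" + b"\x00" * 5 + b'\x1b[13;"DEL *.*";13p'),
}


def demo() -> tuple[int, list[str]]:
    """Scan the constructed samples: EVIL.EXE trips two signatures, GOOD.COM none."""
    return scan_files(SAMPLE_FILES, parse_dat(SAMPLE_DAT))
```

Call demo() to see the report for the constructed files;
scan_directory() does the same for a real sub-directory, and its
first return value can be passed to SystemExit so that a calling
batch file can test ERRORLEVEL exactly as the text above
describes. Because the match is a plain byte comparison, a string
inside a PKLITE-compressed file is not found until the file is
expanded, which is the reason the /P option exists.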
Running BATPROC:
Usage: BATPROC [ /P /M /A ]
Where: /P - Expand COM and EXE files processed with PKLITE
before scanning.
/M - Scan using McAfee's SCAN as well as ESDSCAN.
/A - Scan only the archives having the archive attribute
set, and then reset it.
BATPROC will create a sub-directory called SCAN_TMP under the
default sub-directory. Files in the default sub-directory with
the extensions ZIP, ARC, LZH, ARJ will be un-archived in the
SCAN_TMP sub-directory, using external archivers PKUNZIP, PKXARC,
LHA, ARJ, which must reside in a sub-directory in the PATH.
ESDSCAN will be called to scan all the files in the SCAN_TMP
sub-directory. A log file called BATPROC.LOG in the root
directory of the default drive is appended to, noting the
results of the scan process. BATPROC will return an errorlevel
of 1 if a trojan/virus was found, 2 if an error occurred, and 0
if no trojans/viruses were found.
Note that BATPROC automatically calls ESDSCAN with the /B (batch
mode) switch.
Optionally, McAfee's SCAN can be called in addition to ESDSCAN,
for additional protection, by specifying the /M switch. SCAN.EXE
must also reside in a sub-directory in the PATH.
The /A option is useful to SYSOPs who allow uploads to their
downloading sub-directory. Using this option, all the archives
that have the archive attribute set will be scanned, then the
archive attribute will be reset. The next time BATPROC is run
using the /A switch, BATPROC will scan only the new uploads.
If you do not wish all archives to be scanned initially, but
rather only have new uploads scanned, then you must first reset
the archive attributes on all files. An example:
CD\BBS\FILES
ATTRIB -A *.*
You may elect to have BATPROC scan all new uploads using the
techniques described above, to be performed automatically during
your BBS's nighttime batch procedure.
About ESDSCAN:
ESDSCAN was written by Robert Schoolfield in Microsoft
Professional Development System 7.1, using routines written in
Assembler and linked with PDQ by Crescent Software. It was
written as a tool to benefit people who download software from
BBS's. ESDSCAN is distributed as shareware, which simply means
that if you care to support our programming efforts, please
register your copy.
For personal or BBS use, on up to three computers: $5.00, (US).
For academic use, on up to twenty-five computers: $15.00, (US).
For corporate, business, or commercial use, unlimited site
license: $25.00, (US).
You will be pleased to know that your unregistered copy of
ESDSCAN is fully functional, and there are no timed messages,
counted executions, or annoying reminders in this software. Can
I count on your registration?
The latest version will be mailed to registered users, on request
for $5.00 additional to cover postage and handling, (US), or can
be downloaded from Propriety Business Systems, (PBS:), or
CompuServe.
The user agrees to hold harmless Electronic Systems Design for
any loss or damage incurred in using this software. There are no
warranties expressed or implied. As with all downloaded
software, use at your own risk.
Your check may be mailed to: Robert Schoolfield, Electronic
Systems Design, P.O. Box 26431, Colorado Springs, CO 80936.
Support is provided by Robert Schoolfield; send e-mail to either:
SYSOP: PBS: (719) 550-1696 8N1 300-2400 bps, 24 hours.
- or -
Robert Schoolfield: CompuServe: 70404, 3430