home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The World of Computer Software
/
The World of Computer Software.iso
/
tbav503.zip
/
TBSCAN.DOC
< prev
next >
Wrap
Text File
|
1992-12-29
|
117KB
|
2,821 lines
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
Table of Contents
1. INTRODUCTION...................................... 2
1.1. Purpose of TbScan........................... 2
1.2. A Quick start............................... 2
1.3. Historical overview......................... 2
1.4. Benefits.................................... 3
1.4.1. Speed................................. 3
1.4.2. Reliability........................... 4
1.4.3. Flexibility........................... 5
1.4.4. Smart scanning........................ 6
1.5. Limitations of scanners..................... 7
2. USAGE OF THE PROGRAM.............................. 8
2.1. System requirements......................... 8
2.2. Program invocation.......................... 8
2.3. While scanning.............................. 9
2.4. Detecting viruses........................... 9
2.5. Integrity checking......................... 10
2.6. Heuristic scanning......................... 11
2.6.1. False positives...................... 13
2.6.2. C - File has been changed............ 14
2.6.3. c - No integrity check............... 14
2.6.4. F - Suspicious file access........... 14
2.6.5. R - Suspicious relocator............. 14
2.6.6. A - Suspicious Memory Allocation..... 14
2.6.7. N - Wrong name extension............. 14
2.6.8. S - Search for executables........... 15
2.6.9. ..................................... 15
2.6.10. V - Validated program............... 15
2.6.11. E - Flexible Entry-point............ 15
2.6.12. L - program Load trap............... 16
2.6.13. D - Direct disk access.............. 16
2.6.14. M - Memory resident code............ 16
2.6.15. .................................... 16
2.6.16. T - Invalid timestamp............... 17
2.6.17. J - Suspicious jump construct....... 17
2.6.18. ? - Inconsistent header............. 17
2.6.19. G - Garbage instructions............ 17
2.6.20. U - Undocumented system call........ 17
2.6.21. Y - Invalid bootsector.............. 18
2.6.22. Z - EXE/COM determinator............ 18
2.6.23. O - code Overwrite.................. 18
2.6.24. B - Back to entry................... 18
2.6.25. K - Unusual stack................... 18
2.6.26. p - Packed or compressed file....... 18
2.6.27. w - Windows or OS/2 header.......... 19
2.6.28. h - Hidden or System file........... 19
2.6.29. i - Internal overlay................ 19
2.7. Program validation......................... 19
2.8. Command line options....................... 20
Page i
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
2.8.1. help ................................ 21
2.8.2. pause ............................... 21
2.8.3. mono ................................ 21
2.8.4. quick ............................... 21
2.8.5. allfiles ............................ 21
2.8.6. mutant .............................. 22
2.8.7. heuristic ........................... 22
2.8.8. direct .............................. 22
2.8.9. extract ............................. 23
2.8.10. valid .............................. 23
2.8.11. once ............................... 23
2.8.12. secure ............................. 24
2.8.13. compat ............................. 24
2.8.14. ignofile ........................... 24
2.8.15. noboot ............................. 24
2.8.16. sector ............................. 24
2.8.17. nomem .............................. 24
2.8.18. hma ................................ 24
2.8.19. nohmem ............................. 25
2.8.20. nosub .............................. 25
2.8.21. noavr .............................. 25
2.8.22. delete ............................. 25
2.8.23. rename ............................. 25
2.8.24. move ............................... 25
2.8.25. path ............................... 26
2.8.26. batch .............................. 26
2.8.27. repeat ............................. 26
2.8.28. log ................................ 26
2.8.29. session ............................ 27
2.8.30. loglevel ........................... 27
2.8.31. expertlog .......................... 27
2.8.32. sigfile ............................ 27
2.9. Examples:.................................. 28
2.10. The configuration file.................... 28
2.11. The TbScan.Msg file....................... 29
2.12. Residence of the signature files.......... 30
2.13. Residence of the AVR-modules.............. 30
2.14. Error messages............................ 30
2.15. Exit codes................................ 31
3. FORMAT OF THE DATA FILE.......................... 32
3.1. Format of a signature entry................ 32
3.2. Wildcards.................................. 32
3.3. Limitations................................ 33
3.4. Defining new signatures.................... 34
4. CONSIDERATIONS AND RECOMMENDATIONS............... 36
4.1. What should be scanned?.................... 36
4.2. The internals of TbScan.................... 37
4.2.1. How is that blazing speed achieved?.. 37
4.2.2. The code interpreter................. 38
4.2.3. The algorithms....................... 39
Page ii
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
4.2.3.1. Looking........................ 39
4.2.3.2. Checking....................... 39
4.2.3.3. Tracing........................ 40
4.2.3.4. Scanning....................... 40
4.2.3.5. Browsing....................... 40
4.2.3.6. Skipping....................... 40
4.2.4. Option 'compat'...................... 41
4.3. The Sanity check........................... 41
4.4. How many viruses does it detect?........... 42
4.5. Testing the scanner........................ 42
4.6. Scan scheduling............................ 42
4.7. Extensions to the format of the data file.. 43
4.8. Compressed files........................... 43
Page iii
Page 1
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
1. INTRODUCTION
1.1. Purpose of TbScan
TbScan is a virus scanner: it has been specifically developed to
detect viruses, Trojan Horses and other such threats to your
valuable data.
A virus scanner is a program that is able to detect given virus
signatures in given environments. Most viruses consist of a unique
sequence of instructions, called a signature. Hence through
checking for the appearance of such signatures in a file we can
find out whether or not a program has been infected.
Scanning all your program files for the signatures of all known
viruses helps you to find out quickly whether or not your system
has been infected and, if so, by what virus.
Every PC owner should use a virus scanner frequently. It is the
least he or she should do to avoid damage caused by a virus.
1.2. A Quick start
Although we highly recommend a complete reading of this manual, we
offer you some directions for a quick run of TbScan here:
Type 'TbScan C:\' at the DOS prompt. This will be sufficient for a
standard scan session. It is allowed to specify more drives:
'TbScan C:\ D:\'.
The invocation syntax is:
TBSCAN [@][<path>][<filename>]... [<options>]...
If your system does not allow TbScan to run properly, set the
'compat' option: TBSCAN C:\ compat
For fast online help type 'TbScan ?' or 'TbScan help'. The latter
will provide for a more detailed description of the command line
options.
1.3. Historical overview
Some years ago the PC community was confronted by a new phenomenon:
Computer viruses. In the early days of computer viruses one had to
examine each file separately for a single viral code pattern. It
didn't take long before programmers created small programs that
were able to tell whether or not a specified program had been
infected.
Page 2
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
Enhanced versions of these programs were able to search all files
automatically, still checking for a single viral code. In a short
period of time many such scanners were written, each capable of
detecting a specified virus signature.
As the number of viruses kept on increasing, programmers started to
combine several scan programs into one: the multi-string scanner
was born. These early scanners worked properly, but could not last.
As the amount of viruses was rapidly growing, a scanner was
outdated soon. Simultaneously the number of multi-string scanning
programs also increased, and scanning programs began detecting each
other's internal search patterns (signatures), wrongly informing
the user of a virus infection. Naturally a lot of people got
confused by these false alarms.
A solution to these problems was to separate the search engine from
the signatures it would search for. The separate signature data
files that were the result could be updated and distributed much
faster through text media. Secondly, by separating the search
patterns from the executable file, a scanner would no longer
trigger false alarms.
TbScan uses the signature file VIRSCAN.DAT, originally created for
a program called VIRSCAN.EXE. When VIRSCAN.EXE was developed, the
number of viruses was relatively small. However, when the number of
viruses increased, the Virscan program slowed down considerably as
a result of signature additions.
At that time we developed the Thunderbyte add-on card, a universal
anti-virus device. Since the Thunderbyte card recognizes virus
activities rather than signatures, it will establish whether or not
a system has been infected, but it will not identify the virus
itself. To provide for such identification we decided to supply a
virus scanner along with our anti-virus hardware product, and we
developed TbScan.
We introduced many very sophisticated ideas in the first version of
TbScan, such as: the use of wildcards in the signature, scanning
the memory of your PC, scanning only specific parts of a file
rather than the complete file, etc. Today, many competitive
products have adopted some of these new ideas.
1.4. Benefits
By now many different virus scanners have been developed. However,
TbScan has a number of important and unique advantages over other
scanners. These are:
1.4.1. Speed
Most virus scanners do not operate very fast, which means that
Page 3
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
scanning your PC for viruses can be a tedious, time-consuming
affair. Not many people will enjoy staring at their display for
a quarter of an hour or more while their system is being
scanned. Consequently many people do not run their virus
scanners as often as they should. Under those circumstances
even the best virus scanner will become obsolete, simply
because it is not being used properly.
Hence it was our goal to create a scanner fast enough to invite
users to invoke it from within their AUTOEXEC.BAT file every
morning.
The speed depends on many system characteristics, so we will
not tell you how many times faster TbScan performs, but you
will easily find out yourself. The speed of our program has
been increased with almost every new release, and the current
version is faster than any other scanner known to us. Try it
yourself!
TbScan is designed to scan for a large amount of virus
signatures. The current version of TbScan is able to scan for
over 2500 signatures (without additional memory requirements).
Because of its design, TbScan will not slow down if the number
of signatures increases. It doesn't matter whether you scan an
item for 10 or 1000 signatures.
TbScan has a special mode to check a stack of diskettes at a
high speed. You don't have to signal TbScan through keyboard
input that a diskette has been changed: The program determines
this completely automatically.
1.4.2. Reliability
TbScan checks itself on invocation. If it detects that it has
been infected it aborts with an error. This minimizes the risk
that the TbScan program itself will transfer a virus and so
infect your system.
TbScan can bypass viruses that are already active in memory.
This is possible through a built-in interrupt debugger!
TbScan can also detect yet unknown viruses, because the
built-in disassembler is able to detect suspicious instruction
sequences and abnormal program lay-outs. This feature is
called 'heuristic scanning' and it is partially enabled by
default. Heuristic scanning is performed on files and
bootsectors, so for both items TbScan is able to find new and
yet unknown viruses.
A lot of viruses are memory resident, which means that they
lodge themselves in the memory of your computer. There they can
comfortably affect all active programs. There are even 'smart'
Page 4
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
viruses that temporarily 'disinfect' a program file, as soon as
they notice that attempts are made to read the program file as
is the case during a scanning operation. Most virus scanners
will then find that this program file has not been infected
(which is true at the time of scanning !). But after the
scanner has completed its scan the virus becomes operant, again
ridiculing the scanner report that no virus has been found.
TbScan offers a unique solution to this problem: it contains an
automatic debugger that works its way through the chain of
interrupts 'single stepping' until it reaches the DOS program
code. It saves the address which is then found and uses it for
communication with DOS. In this way most viruses will not
notice the operation of TbScan.
TbScan is able to scan Upper Memory, Video Memory and the HMA.
Many of the other scanners (still) don't recognize this memory.
TbScan scans the video memory of your PC. Most anti-virus
products are not aware of the fact that it is possible to
install TSR programs (including viruses) in unused parts of
your video memory. TbScan scans all memory, including the video
memory, just to make sure.
TbScan is able to search a complete disk at sector level. This
procedure will not allow any virus to remain undetected. Even
viruses that have already been eliminated can be detected this
way.
TbScan is able to detect mutants of a virus. A mutant is a
virus that has been modified slightly and therefore does not
match the original signature anymore. TbScan is able to detect
such a mutant, even if no wildcards are used in the virus
signature.
TbScan is able to detect droppers of bootsector viruses. The
dropper program itself has not been infected, but it is there
to install the bootsector virus in your system.
TbScan also checks for file changes if you have used TbSetup to
generate the Anti-Vir.Dat files. When a virus infects a file,
the file changes and therefore the checksum does not match
anymore. TbScan informs you about such an unexpected file
change.
1.4.3. Flexibility
TbScan offers the flexibility of a data file that can be edited
quickly.
As new viruses spread quickly there is often no time available
to continually adapt your own virus checker in order to make it
Page 5
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
capable of recognizing each new virus as it appears. That is
why TbScan uses a separate data file listing the signatures of
all known viruses. This file can be adapted quickly, possibly
by yourself. TbScan supports, among others, the format which is
used in the file VIRSCAN.DAT. This file is regularly updated
and can be obtained through a lot of data banks.
TbScan supports wildcards in the signature. Many viruses are
adapted and converted versions of existing viruses. Such a
modified virus - a mutant - is similar to the original virus,
but that part of the virus program which contains the signature
has often been changed. Most scanners will fail to recognize
the mutant unless the new signature has been incorporated into
the scanning program. TbScan has been designed to approach this
problem differently: by replacing the modified parts of the
signature by wildcards TbScan can still recognize mutant virus
activities. Hence all mutant versions of, for instance, the
Jerusalem/PLO virus can be discovered by TbScan through just
one signature instead of the, say, 25 that several other virus
scanners require. This also explains why TbScan uses 'only' 500
signatures but still detects all 1200 viruses known.
There are viruses that are so completely encrypted that it is
no longer possible to define any signature for them, even when
using wildcards. The Dark Avenger Mutation Engine viruses are
such viruses. The only way to detect these viruses is by making
use of algorithmic routines. TbScan is the first scanner that
implemented the use of AVR (Algorithmic Virus Recognition)
modules, which contain the routines to detect such viruses. An
AVR-module is extremely flexible, it can perform almost any
operation necessary to detect an encrypted virus.
TbScan offers registered users the possibility to define their
own signatures through the 'extract' option. You don't have to
be an assembler programmer anymore, if a signature has to be
defined in an emergency situation!
1.4.4. Smart scanning
TbScan is not just a scanner, it is a disassembling scanner.
This means that TbScan not only scans the file but also
interprets the contents and adjusts the scanning algorithm to
gain the highest reliability and speed. By reliability we do
not only mean a low 'false negative' ratio, but a low 'false
positive' ratio as well. No one needs a scanner that yells
'virus!' all the time. A good scanner should only yell 'virus!'
if there really IS a virus to be found in a file.
Apart from the capability of adjusting the scanning algorithm,
TbScan also displays additional information about the file
itself. It can detect instruction sequences that are intended
to cause direct disk writes, to make program code resident, to
Page 6
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
decrypt code, etc. TbScan even flags files as being infected by
an unknown virus if the disassembly shows that the file must
contain a virus even though a matching signature cannot be
found. All this information is displayed while a scan is being
performed!
1.5. Limitations of scanners
Although TbScan is a very sophisticated scanner, it shares some of
the limitations that all other scanners have:
+ It cannot prevent infection.
Virus scanners can only tell you whether or not your system has
been infected and if so, whether any damage has already been
done. By that time only a non-infected backup or a recovery pro-
gram such as TbClean will properly counter a virus infection.
+ It cannot execute itself.
You will have to be active in taking measures to protect your
system from virus infection. You should boot from a clean and
write-protected diskette and then execute the scanner at least
once every week, since some viruses can perfectly hide
themselves once resident in memory. Unfortunately it is an
illusion to think that employees will perform this task
correctly at all times. For company use we recommend additional
protection, in the shape of a permanently active immunizer such
as the Thunderbyte add-on card.
Page 7
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
2. USAGE OF THE PROGRAM
2.1. System requirements
TbScan runs perfectly on standard machines, in line with our
philosophy that there should be a limit to limitations.
+ TbScan requires 224 Kb of free memory. If you decide to use a
log file TbScan will need an additional 16 Kb of memory for the
log file buffer. TbScan also allocates memory to keep all AVR
modules in memory. If there is still memory left, TbScan will
use it to set up cache buffers in order to increase the
scanning speed. Note that the memory requirements are
independent of the number of signatures. The current memory
requirements suffice to manage at least 2500 signatures.
+ TbScan can be executed under DOS version 3.00 (and all later
versions). However, Dos 3.3 or higher is recommended, since
TbScan has been optimized and designed primarily for use with
these DOS versions.
+ The sum total of all AVR-modules should not exceed 64Kb.
2.2. Program invocation
TbScan is easy to use. The syntax is as follows:
TBSCAN [@][<path>][<filename>]... [<options>]...
Drive and path tell TbScan where it should perform its scanning
operation. To search disks C: and D: you should enter:
TBSCAN C:\ D:\
When no filename has been specified but a drive and/or path
instead, the specified path will be used as top-level path. All
its subdirectories will be processed too.
When a filename has been specified only the specified path will be
searched. Subdirectories will not be processed.
Wildcards in the filename are allowed. You may even specify '*.*'
which will result in all files being processed.
You can also tell TbScan to use a list file. A list file is a file
that contains a list of paths/filenames to be scanned. Have the
filename preceded by the character '@' on the TbScan command line:
TBSCAN @TBSCAN.LST
Page 8
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
2.3. While scanning
TbScan divides the screen into three windows: an information
window, a scanning window and a status window. The upper window is
the information window and it initially displays the comments found
in the data file.
If TbScan detects infected files the names of the file and the
virus will be displayed in the upper window. The information will
stack up and scroll off the screen if it doesn't fit anymore.
The lower left window displays the names of the files being
processed, the algorithm in use, info and heuristic flags,
and finally an OK statement or the name of the virus
detected.
Example:
TEST.EXE <Scanning...> FR OK
| | | |
| | | result of scan
| | heuristic flags
| algorithm being used to process file
name of file in process
You will see comments following each file name:
'Looking', 'Checking', 'Tracing', 'Browsing', 'Scanning' or
'Skipping'. These refer to the various algorithms being used to
scan files.
Other comments that TbScan can display here are the heuristic
flags. Consult the 'Heuristic flags' chapter (3.5) for more
information on these warning characters.
The lower right window is the status window. It displays the number
of files and directories encountered, the amount of viruses found,
etc.
The cache hit indicator displays the percentage of FAT or directory
information that has been retrieved from the cache buffers, or in
other words, the percentage of disk access saved. Note that the
cache hit only applies to the FAT and directory sectors. The
contents of files will never be cached and will not be reflected in
the cache hit indicator.
The process can be aborted by pressing Ctrl-Break.
2.4. Detecting viruses
As soon as an infected program is found, the name of the virus will
be displayed. If you did not specify one of the options 'batch',
'rename', 'delete' or 'move', TbScan will prompt you to delete,
Page 9
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
rename or move the infected file, or to continue without action. If
you choose to rename the file, the first character of the extension
will be replaced by the character 'V'. This prevents the file from
being executed accidentally before it has been investigated more
thoroughly. If you choose to move the file, the file will be moved
to the TbScan directory or to the directory specified by option
'path'.
In some situations TbScan will offer you an additional menu option:
V)alidate program. For more information about this menu option
consult option 'Program validation'.
When TbScan detects an infected file it will display a message like:
Infected by [name of virus]
It is also possible that TbScan detects a bootsector virus dropper.
A dropper is a program that has not been infected itself, but which
does contain a bootsector virus and is able to install it in your
bootsector. If TbScan detects a bootsector virus in a file it
displays the message:
Dropper of [name of virus]
It is also possible that TbScan encounters a file that seems to be
infected by a virus, although a signature could not be found. In
this case TbScan displays the prefix 'Probably' before the message.
If you have specified option 'heuristic' or 'mutant' or both, it is
likely that TbScan will find some files which looks like a virus,
and in this case TbScan uses the prefix 'Might be' to inform you
about it. So, if TbScan displays
Might be infected by [name of virus]
it does not mean that the file is infected, but just that the file
might be infected by a virus. There are a lot of files that look
like a virus but they aren't.
TbScan needs access to its data file to be able to tell you the
name of a virus. If it cannot access the data file it displays the
message [Cannot read datafile] instead of a virus name.
2.5. Integrity checking
TbScan will also perform integrity checking while scanning. You
have to use TbSetup to generate the Anti-Vir.Dat files. Once these
files exist on your system TbScan will check that every file being
scanned matches the information maintained in the Anti-Vir.Dat
files. If a virus infects a file, the maintained information will
not match anymore with the now changed file, and TbScan will inform
you about this. There are no command line options to enable this
Page 10
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
feature: TbScan will perform integrity checking automatically
if it detects the Anti-Vir.Dat files. Note that TbScan only reports
file changes that could indicate a virus. Internal configuration
areas of program files may also change, but TbScan does normally
not report this. However, if a file gets infected with any virus -
known or unknown - the vital information will change and TbScan
will indeed report it to you!
It is however possible that the checked file changes itself or
changes frequently due to another cause. In this case you might
want to exclude the program from integrity checking to avoid future
false alarms. TbScan will offer you an additional menu option:
'V)alidate program'. For more information about this menu option
consult option 'Program validation'.
2.6. Heuristic scanning
TbScan is not just a signature scanner. It also disassembles the
file being processed. This serves three purposes:
1) By disassembling the file the scanner can restrict itself to the
area of the file where the virus might reside, reducing false
alarms and speeding up the process.
2) It makes it possible to use the algorithmic detection method on
encrypted viruses whose signatures would otherwise remain
invisible to the scanner.
3) And it makes it possible to detect suspicious instruction
sequences.
The detection of suspicious instruction sequences is named
'heuristic scanning'. It is a very powerful feature that enables
you to detect new or modified viruses and to verify the results of
the signature scan. You no longer have to rely on the vendor of the
scanner having the same virus as you might have. In normal cases a
scanner can only find a virus if the developer of the scanner has
had a sample of that virus, to be able to make a suitable
signature. With heuristic scanning a signature is no longer
required, so the scanner can detect viruses that are not known to
the developer of the scanner. You should not underestimate the
importance of heuristic scanning, as every month there appear at
least 50 new viruses. It is very unlikely that the developer of a
scanner is the first one that gets those new viruses...
How does heuristic scanning actually work? Every program contains
instructions for the processor of the PC. By looking into the file
contents and by interpreting the instructions TbScan is able to
detect the purpose of these instructions. If the purpose seems to
be to format a disk, or to infect a file, TbScan issues a
warning. There are a lot of instruction sequences which are very
common for viruses, but very unlikely for normal programs. Every
suspicious instruction sequence is assigned to a character: a
Page 11
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
heuristic flag. Every heuristic flag has a score. If the total
score exceeds a predefined limit, TbScan assumes the file contains
a virus.
There are actually two predefined limits: the first one is quite
sensitive and can be reached by some normal innocent programs. If
this limit is reached, TbScan highlights the heuristic flags that
are displayed on the screen and increases the 'suspected items'
counter, but TbScan does not indicate there is a virus, unless you
have specified option 'heuristic'. If you have specified option
'heuristic', TbScan tells you that the file 'Might be infected by
an unknown virus'. The second heuristic-limit will be triggered by
a lot of viruses, but not by normal programs. If this limit is
reached TbScan tells you that the file is 'Probably infected by an
unknown virus.'
Heuristic level 1 Heuristic level 2
-------------------------------- ----------------------------
Always enabled Only with option 'heuristic'
Detects 50% of the unknown viruses Detects 90% of the viruses
Almost never causes false alarms Causes a few false alarms
Displays 'Probably infected' Displays 'Might be infected'
TEST.EXE <scanning...> OK (no flags)
TEST.EXE <scanning...> R OK (nothing serious)
TEST.EXE <scanning...> FRM
might be infected by an unknown virus (reached level 2)
TEST.EXE <scanning...> FRALM#
probably infected by an unknown virus (reached level 1)
Note that unlike other scanners, TbScan has heuristic scanning
always enabled. Whether TbScan decides to inform the user of
a possible virus depends on the heuristic score, unless option
'heuristic' has been specified.
Heuristic flags consist of single characters that are printed behind
the name of the file that has been processed. There are two kinds
of flags: the informative ones are printed in lower-case
characters, and the more serious flags are printed in upper-case
characters. The lower-case flags are indicative of special
characteristics of the file being processed, whereas the upper-case
warnings may indicate a virus. If the 'loglevel' is 3 or above, the
important warnings will not only appear as a warning character, but
there will also be a description printed in the log file.
How should you treat the flags? The less important lower-case
flags can be considered to be for your information only. They
provide you with file information you might find interesting. The
more serious warning flags printed in upper-case MIGHT point
Page 12
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
towards a virus. It is quite normal that you have some files in
your system which trigger an upper-case flag.
Anyway, if TbScan does not highlight a combination of warnings you
should not pay too much attention to these flags. For more than 90%
of the viruses TbScan will highlight the flags (or even indicates
the file as infected if option 'heuristic' is specified), so it is
unlikely that a file which only has some flags set really contains
a virus.
Note!
TbScan performs heuristic analysis only nearby the entry-point of a
file, so it is normal that TbScan does not detect that some disk
utilities write to disk directly, and it is normal that TbScan does
not detect that some programs are TSR programs. This is just the
result of one approach to minimize false alarms. In case of a
virus, the offending instructions are always nearby the entry-point
(except when the virus is over 10Kb in size) so TbScan will detect
the suspicious facts in these situations anyway.
2.6.1. False positives.
Important!
False alarms are part of the nature of heuristic scanning. In
default mode it is very unlikely that TbScan issues a false alarm.
However, if you have specified option 'heuristic' some false alarms
might occur. How to deal with these false alarms? If TbScan thinks
it has found a virus it tells you the reason for this suspicion. In
most cases you will be able to evaluate these reasons when you
consider the purpose of the suspected file.
Note that viruses infect other programs. It is highly unlikely that
you will find only a few infected files on a hard disk used
frequently. You should ignore a the result of a heuristic scan if
only a few programs on your hard disk trigger it. But, if your
system behaves in a 'strange' manner and many programs cause TbScan
to issue an alarm with the same serious flags, your system could
very well be infected by a (yet unknown) virus.
If TbScan finds a file to be very suspicious and pops up with the
virus alert window, you can avoid future false alarms by pressing
'V' (Validate program). Note that this only works if there is an
Anti-Vir.Dat record of the file available. Once a program is
validated it will no longer be subject to heuristic analyzis,
unless the program changes and does not match the Anti-Vir.Dat
record anymore. This will be the case if such a file gets infected
afterwards, so TbScan will still report infections on these files.
Note that a validated program is still subject to the conventional
signature scanning.
Page 13
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
2.6.2. C - File has been changed.
This warning can only appear if you used TbSetup to generate the
Anti-Vir.Dat files. If this warning appears this means that the
file has been changed. If you did not upgrade the software it is
very likely that a virus infected the file! Note that TbScan does
not display this warning if only some internal configuration area
of the file changes. This warning means that code at the program
entry point, the entry-point itself and/or the file size have been
changed.
2.6.3. c - No integrity check.
This warning indicates that no checksum/recovery information has
been found about the indicated file. It is highly recommended to
use TbSetup in this case to store information of the mentioned
file. This info can later be used for integrity checking and to
recover from virus infections.
2.6.4. F - Suspicious file access.
TbScan has found instruction sequences common to infection schemes
used by viruses. This flag will appear with those programs that
are able to create or modify existing files.
2.6.5. R - Suspicious relocator.
Flag 'R' refers to a suspicious relocator. A relocator is a
sequence of instructions that changes the proportion of CS:IP. It
is often used by viruses, especially COM type infectors. Tests on a
large collection of viruses show that TbScan issues this flag for
about 65% of all viruses. Those viruses have to relocate the CS:IP
proportion because they have been compiled for a specific location
in the executable file; a virus that infects another program can
hardly ever use its original location in the file as it is appended
to this file. Sound programs 'know' their location in the
executable file, so they don't have to relocate themselves. On
systems that operate normally only a small percentage of the
programs should therefore cause this flag to be displayed.
2.6.6. A - Suspicious Memory Allocation.
The program uses a non-standard way to search for, and/or allocate
memory. A lot of viruses try to hide themselves in memory so they use
a non-standard way to allocate this memory. Some programs
(high-loaders or diagnostic software) also use non-standard ways
to search or allocate memory.
2.6.7. N - Wrong name extension.
Name conflict. The program carries the extension .EXE but appears
to be an ordinary .COM file, or it has the extension .COM but the
Page 14
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
internal layout of an .EXE file. TbScan does not take any risk in
this situation, but scans the file for both EXE and COM type
signatures. A wrong name extension might in some cases indicate a
virus, but in most cases it doesn't.
2.6.8. S - Search for executables.
The program searches for *.COM or *.EXE files. This by itself does
not indicate a virus, but it is an ingredient of most viruses anyway
(they have to search for suitable files to spread themselves). If
accompanied by other flags, TbScan will assume the file is infected
by a virus.
2.6.9. # - Decryptor code found.
The file possibly contains a self-decryption routine. Some
copy-protected software is encrypted so this warning may appear for
some of your files. But if this warning appears in combination
with, for example, the 'T' warning, there could be a virus involved
and TbScan assumes the file is contaminated! Many viruses encrypt
themselves and cause this warning to be displayed.
2.6.10. V - Validated program
The program has been validated to avoid false alarms.
- The design of this program would normally cause a false alarm
by the heuristic scan mode of TbScan.
or:
- This program might change frequently, and the file is excluded
from integrity checking.
These exclusions are stored in the Anti-Vir.Dat file by either
TbSetup (automatically) or by TbScan (manually).
2.6.11. E - Flexible Entry-point
The program starts with a routine that determines the location of
itself within the program file. This is rather suspicious because
sound programs have a fixed entry-point so they do not have to
determine this location. For viruses however this is quite common:
about 50% of the available viruses cause this flag to be displayed.
The DOS FORMAT.COM program is an instance where this flag will be
displayed by TbScan. This cannot be avoided because Microsoft did
some strange things to this program. It appears that the file was
originally an .EXE file which has been converted into a .COM file
by adding a shell-like structure to it. (What is actually the
difference between infecting a file and converting it this way?)
Anyway, you should ignore this warning as to the DOS FORMAT
Page 15
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
program.
2.6.12. L - program Load trap.
The program might trap the execution of other software. If the
file also causes flag M (memory resident code) to be displayed, it
is very likely that the file is a resident program that determines
when another program is executed. A lot of viruses trap the program
load and use it to infect the program. Some anti-virus utilities
also trap the program load.
2.6.13. D - Direct disk access.
This flag is displayed if the program being processed has
instructions near the entry-point to write to a disk directly. It
is quite normal that some disk-related utilities cause this flag
to be displayed. As usual, if many of your files (which have no
business writing directly to the disk) cause this flag to be
displayed, your system might be infected by an unknown virus.
Note that a program that accesses the disk directly does not always
have to be marked by the 'D' flag. Only when the direct disk
instructions are near the program entry point it will be reported
by TbScan. If a virus is involved the harmful instructions are
always near the entry point and that is the place where TbScan
looks for them.
2.6.14. M - Memory resident code.
TbScan has found instruction sequences which could cause the
program to hook into important interrupts. A lot of TSR (Terminate
and Stay Resident) programs will trigger this flag, because
hooking into interrupts is part of their usual behavior. However,
if a lot of non-TSR programs cause this warning flag to appear, you
should be suspicious. It is then likely that your files have been
infected by a virus that remains resident in memory.
Note that this warning does not appear with all true TSR programs.
Nor can TSR detection in non-TSR programs always be relied upon.
2.6.15. ! - Invalid program.
Invalid opcode (non-8088 instructions) or out-of-range branche.
The program has either an entry point that has been located outside
the body of the file, or reveals a chain of 'jumps' that can be
traced to a location outside the program file.
Another possibility is that the program contains invalid processor
instructions.
The program being checked is probably damaged, and cannot be
Page 16
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
executed in most cases. Anyway, TbScan does not take any risk and
uses the 'scan' or 'browse' method to scan the file.
2.6.16. T - Invalid timestamp.
The timestamp of the program is invalid: e.g. the number of seconds
in the timestamp is illegal, or the date is illegal or later than
the year 2000. This is suspicious because many viruses set the
timestamp to an illegal value (like 62 seconds) to mark that they
already infected the file, preventing themselves from infecting a
file for a second time round. It is possible that the program being
checked is contaminated with a virus that is still unknown,
especially if many files on your system have an invalid timestamp.
If only a very few programs have an invalid timestamp you'd better
correct it and scan frequently to check that the timestamp of the
files remain valid.
2.6.17. J - Suspicious jump construct.
The program did not start at the program entry point. The code has
jumped at least two times before reaching the final start-up code,
or the program jumped using an indirect operand. Sound programs
should not display this kind of strange behavior. If many files
cause this warning to be displayed, you should investigate your
system thoroughly.
2.6.18. ? - Inconsistent header.
The program being processed has an exe-header that does not reflect
the actual program lay-out. The DOS SORT.EXE program will cause
this warning to be displayed, because the actual size of the
program file is less than reported in the 'size-of-load module'
field in the exe-header! Many viruses do not update the exe-header
of an EXE file correctly after they have infected the file, so if
this warning appears a lot it seems you have a problem. You should
ignore this warning for the DOS SORT.EXE program. (Hopefully
MicroSoft will correct the problem before the next release of DOS).
2.6.19. G - Garbage instructions.
The program contains code that seems to have no purpose other than
encryption or avoiding recognition by virus scanners. This flag is
very important, in fact it is the only flag that will cause TbScan
to report an infection without the presence of any other flags. In
most cases there will not be any other flags since the file is
encrypted and the instructions are hidden from the scanner. In a
few cases this flag will appear for 'normal' files. These files
however are badly designed and that is the reason the 'garbage'
flag appears.
2.6.20. U - Undocumented system call.
Page 17
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
The program uses unknown DOS calls or interrupts. These unknown
calls can be issued to invoke undocumented DOS features, or to
communicate with an unknown driver in memory. Since a lot of
viruses use undocumented DOS features, or communicate with memory
resident parts of a previously loaded instance of the virus, it is
suspicious if a program performs unknown or undocumented
communications. However, it does not necessarily indicate a virus
because some 'tricky' programs use undocumented features too.
2.6.21. Y - Invalid bootsector.
The bootsector is not completely according to the IBM defined
bootsector format. It is likely that the bootsector contains a
virus or has been corrupted.
2.6.22. Z - EXE/COM determinator.
The program seems to check whether a file is a COM or EXE type
program. Infecting a COM file is a process that is not similar to
infecting an EXE file, so viruses that are able to infect both
program types should be able to distinguish between them.
There are of course also innocent programs that need to find out
whether a file is a COM or EXE file. Executable file compressors,
EXE2COM converters, debuggers, and high-loaders are examples of
programs that may contain a routine to distinguish between EXE and
COM files.
2.6.23. O - code Overwrite.
This flag will be displayed if TbScan detects that the program
overwrites some of its own instructions. However, it does not seem
to have a complete (de)cryptor routine.
2.6.24. B - Back to entry.
The program seems to execute some code, and after that it jumps
back to the entry-point of the program. Normally this would result
in an endless loop, except when the program has also modified some
of its instructions. This is quite common behavior for computer
viruses. In combination with any other flag TbScan will report a
virus.
2.6.25. K - Unusual stack.
The EXE file being processed has an odd (instead of even) stack
offset or a suspicious stack segment. Many viruses are quite buggy
by setting up an illegal stack value.
2.6.26. p - Packed or compressed file.
The program has been packed or compressed. There are some utilities
Page 18
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
that are able to compress a program file, like EXEPACK or PKLITE.
If the file was infected after the file had been compressed, TbScan
will be able to detect the virus. However, if the file had already
been infected before it was compressed, the virus has also been
compressed in the process, and a virus scanner might not be able to
recognize the virus anymore.
Fortunately, this does not happen a lot, but you should beware! A
new program might look clean, but can turn out to be the carrier of
a compressed virus. Other files in your system will then be
infected too, and it is these infections that will be clearly
visible to virus scanners.
2.6.27. w - Windows or OS/2 header.
The program can be or is intended to be used in a Windows (or OS/2)
environment. As yet TbScan does not offer a specialized scanning
method for these files. Of course that will change as soon as
Windows- or OS/2-specific viruses start occurring.
2.6.28. h - Hidden or System file.
The file has the 'Hidden' or the 'System' file attribute set. This
means that the file is not visible in a DOS directory display but
TbScan will scan it anyway. If you don't know the origin and/or
purpose of this file, you might be dealing with a 'Trojan Horse' or
a 'joke' virus program. Copy such a file onto a diskette; then
remove it from it's program environment and check if the program
concerned is missing the file. If a program does not miss it, you
will have freed some disk space, and maybe you have saved your
system from future disaster in the process.
2.6.29. i - Internal overlay.
The program being processed has additional data or code behind the
load-module as specified in the exe-header of the file. The program
might have internal overlay(s), or configuration or debug
information appended behind the load-module of the EXE file.
2.7. Program validation.
This chapter only applies if you use TbSetup to generate the
Anti-Vir.Dat records. Without these records program validation is
not an option.
TbScan will perform as intended on most programs. However, there
are some programs that require special attention, in order to avoid
false alarms. Most of these programs are recognized automatically
by the TbSetup program. However, it is certainly possible that you
have a few files on your system that meet the following criteria:
Page 19
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
1) Programs that trigger the heuristic alarm of TbScan.
2) Programs that change frequently.
If an 'infection' has been found with the heuristic analyzis or
integrity checking only and if there is a Anti-Vir.Dat record
available, TbScan offers an additional option in its virus-alert
window: 'V)alidate program'. If you are convinced that the
indicated program does NOT contain a virus, you can press 'V' to
set a flag in the program's record. This makes it possible to
avoid future false alarms.
There are two validation modes: if the TbScan virus alarm is due
to a file change, the validation applies to future file changes
only, if the virus alarm is due to heuristic analysis, the
validation only applies to heuristic results. When the file is
exluded from heuristic analysis the file will still be checksummed,
if the file is excluded from integrity checking TbScan will still
perform heuristic analysis on that file.
Note: if you replaced a file (software upgrade) and you did not use
TbSetup, TbScan will pop-up its virus alert window to inform you
about the file change. Do NOT select the validation option in this
case, because this would exclude the file for future integrity
checking. You had better abort TbScan and run TbSetup on the
changed file(s).
2.8. Command line options
It is possible to specify options on the command line. Tbscan
recognizes option short-keys and option words. The words are easier
to memorize, and they will be used in this manual for convenience.
optionword parameter short explanation
---------- --------- ----- -------------------------------------
help he =help (-? = short help)
pause pa =enable 'Pause' prompt
mono mo =force monochrome
quick qs =quick scan (uses Anti-Vir.Dat)
allfiles af =scan non-executable files too
mutant mu =enable fuzzy search
heuristic hr =enable heuristic alerts
direct dd =direct calls into DOS/BIOS
extract ex =extract signature (registered only)
valid va =force signature file authorization
once oo =only once a day
secure se =user abort now allowed (reg. only)
compat co =maximum-compatibility mode
ignofile in =ignore no-file-error
noboot nb =skip bootsector check
sector ss =scan all disk sectors
Page 20
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
nomem nm =skip memory check
hma hm =force HMA scan
nohmem nh =skip UMB/HMA scan
nosub ns =skip sub-directories
noavr na =do not use AVR-modules
repeat rp =scan multiple diskettes
batch ba =batch mode. No user input
delete de =delete infected files
move mv =move infected files
expertlog el =no heuristic descriptions in log
log [=<filename>] lo =append log file
session [=<filename>] sl =create session log file
loglevel =<0..4> ll =set log level
path =<move-path> mp =set move-path
rename [=<ext-mask>] rn =rename infected files
sigfile [=<filename>] sf =signature file to be used
2.8.1. help (he)
If you specify this option TbScan displays the contents of the
TBSCAN.HLP file if it is available in the home directory of TbScan.
If you specify the '?' option you will get the summarized help info
as listed above.
2.8.2. pause (pa)
When you enter option 'pause' TbScan will stop after it has checked
the contents of one window. This gives you the possibility to
examine the results without having to consult a log file
afterwards.
2.8.3. mono (mo)
This option forces TbScan to refrain from using colors in the
screen output. This might enhance the screen output on some LCD
screens or color-emulating monochrome systems.
2.8.4. quick (qs)
If you specify this option TbScan will use the Anti-Vir.Dat files
to check for file changes since the last time only. If a file has
been changed (CRC change) or is not yet listed in Anti-Vir.Dat it
will be scanned.
2.8.5. allfiles (af)
This option causes TbScan to scan non-executable files (files
without extension COM, EXE, SYS or BIN) too. If TbScan finds out
that such a file does not contain anything that can be executed by
the processor the file will be 'skipped'. Otherwise the file will
be searched for AVR, COM, EXE and SYS signatures. TbScan however
will not perform heuristic analysis on these files.
Page 21
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
Since viruses do not infect non-executable files it is not
necessary to scan non-executable files too. We even recommend not
to use this option unless you have a good reason to scan all files.
Once again: a virus needs to be executed to perform what it is
programmed to do, and since non-executable files will not be
executed a virus in such a file can not do anything. For this
reason viruses do not even try to infect such files.
2.8.6. mutant (mu)
TbScan is able to detect mutants of viruses while performing a
regular (default) scan, since many of its signature search keys
contain wildcards. However, if you use the 'mutant' option TbScan
does not restrict itself to the wildcard specification, but allows
up to two extra changes anywhere in the signature. Needless to say,
if you use this option false alarms may occur. Therefore this
option is not recommended to be used in a regular scan session.
However, you should use this option if you suspect that your system
has been infected even though TbScan has not detected a virus
during its regular scan. If you scan again, specifying the 'mutant'
option TbScan could then report many files to be 'possibly
infected' by one particular virus. This would point to an infection
by a yet unknown variant of this virus.
If you are faced with a situation like this, we recommend you to
have one such 'possibly infected' file examined by a virus expert
before embarking on a clean-up operation.
2.8.7. heuristic (hr)
TbScan always performs a heuristic scan on the files being
processed. However, only if a file is very probably infected with a
virus TbScan will report the file as being infected. If you use
option 'heuristic' TbScan is somewhat more sensitive. In this mode
90% of the new, unknown, viruses will be detected without any
signature, but some false alarms may occur. Consult also chapter
2.5 ('Heuristic scanning').
2.8.8. direct (dd)
TbScan communicates with DOS through interrupt 21h and with the
disk BIOS via interrupt 13h. To prevent this from being
'monitored' by viruses, option 'direct' can be entered on the
command line. TbScan will use its built-in debugger to trace
through the chain of interrupts until it has reached the DOS and
BIOS entry point. These addresses are shown on the display and from
then on they will be used for the communication with DOS and the
BIOS. Resident programs, such as viruses, are then excluded from
taking part in the virus scan process.
Please note that your regular resident programs will not be aware
of TbScan's file access either. That is why we do not recommend
Page 22
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
the use of this option in a multi-tasking or network environment.
Also note that many protection software packages will be fooled by
TbScan when it uses the 'direct' option. Don't be surprised when
TbScan scans files you don't actually have any access to...
When you use this option do not pop up resident programs while
TbScan is active! This is because resident programs are not aware
of the fact that a program performs file access in the foreground
and a system crash may be the result.
When you have installed the Thunderbyte card in your PC, or if you
are using TbDriver/TbDisk, TbScan will not bypass these anti virus
products. This is necessary to avoid alarms. Viruses invoked AFTER
the anti virus utilities will still be bypassed by TbScan.
2.8.9. extract (ex)
This option is available to registered users only. See the chapter
'Defining a Signature' (4.4.) on how to use the option 'extract'.
2.8.10. valid (va)
As a standard procedure TbScan checks the signature file for
modifications. If you have changed the contents of that file,
TbScan will issue a warning to that effect. If you don't want this
warning to be displayed, use the 'valid' option.
2.8.11. once (oo)
If you specify this option TbScan will 'remember' after its scan
that is has been executed that day, and that it should not be run
again the same day with this particular option set. This option is
very useful if you incorporate it in your AUTOEXEC.BAT file in
combination with a list file:
TbScan @Everyday.Lst once rename
TbScan will now scan the list of files and/or paths specified in
the file EVERYDAY.LST during the first boot-up of the day. If the
systems boots more often that day, TbScan will then return to DOS
immediately. This option does not interfere with the regular use
of TbScan. If you invoke TbScan without the 'once' option it will
always run, regardless of a previous run with the 'once' option set.
Note that TbScan 'once' will be executed regardless of regular
TbScan sessions earlier that day.
Also note that if TbScan cannot write to TBSCAN.EXE because it has
been flagged 'read-only' or is located on a write-protected
diskette, the 'once' option will fail and the scanner will run
without it.
Page 23
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
2.8.12. secure (se)
This option is available to registered users only. If this option
is specified it is no longer possible to cancel TbScan by pressing
Ctrl-Break, or to respond to a virus alert window.
2.8.13. compat (co)
If you specify this option, TbScan attempts to be more compatible
with your system. Use this option if the program does not behave as
can be expected or even halts the system. This option will slow
down the scanning process so it should only be used when necessary.
Note that option 'compat' does not affect the results of a scan.
2.8.14. ignofile (in)
If this option is specified and no files can be found, TbScan will
not display the 'no files found' message, nor does it exit with
errorlevel 1. This option might be useful for automatic archive
contents scanning. If the archive contains no executable files,
TbScan will not return with an error condition.
2.8.15. noboot (nb)
If you specify this option TbScan will not scan the bootsector.
2.8.16. sector (ss)
This option is experimental. It enables the scanning operation of a
disk at sector level. This way you can trace those viruses that
reside outside files and bootsector and the hard-to-spot stealth
viruses.
This option might also tell you that a virus ever resided in your
system in the past. If so, this does not mean that the virus
itself is still active. Even if TbScan itself deleted an infected
file in the past, this option still enables TbScan to detect the
signature for quite a while. Hence this option is NOT recommended
for a regular scan.
Note that TbScan cannot disassemble files in this mode. False
alarms may occur frequently since everything is being searched, and
the search even covers unused disk space containing garbage.
2.8.17. nomem (nm)
If you specify this option TbScan will not scan the memory of the
PC for viruses.
2.8.18. hma (hm)
TbScan detects the presence of an XMS-driver, and scans HMA
Page 24
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
automatically. If you have an HMA-driver that is not compatible
with the XMS standard you can use the 'hma' option to force TbScan
to scan HMA.
2.8.19. nohmem (nh)
By default TbScan identifies RAM beyond the DOS limit and scans
that too. This means that video memory and the current EMS pages
are scanned by default. You can use the 'nohmem' option to disable
the scanning of non-DOS memory.
2.8.20. nosub (ns)
By default TbScan will search sub-directories for executable files,
unless a filename (wildcards allowed!) has been specified. If you
use this option, TbScan will not scan sub-directories.
2.8.21. noavr (na)
If you specify this option TbScan will not look for its AVR-modules
(Algorithmic Virus Recognition modules; .AVR files) at start-up and
will not perform any algorithmic scans on files.
2.8.22. delete (de)
If TbScan detects a virus in a file it prompts the user to delete,
move or rename the infected file, or to continue without action.
If you specify the 'delete' option, TbScan will not ask the user
what to do but will delete the infected file automatically. Use
this option if you have established that your system has been
infected. Make sure that you have a clean back-up, and that you
really want to get rid of all infected files at once.
2.8.23. rename (rn)
If TbScan detects a file virus it prompts the user to delete, move
or rename the infected file, or to continue without action. If you
specify the 'rename' option, TbScan will not ask the user what to do
but will rename the infected file automatically. By default, the
first character of the file extension will be replaced by the
character 'V'. An .EXE file will be renamed to .VXE, and a .COM
file to .VOM. This prevents the infected programs from being
executed, spreading the infection. At the same time they can be
kept for later examination and repair.
You may also add a parameter to this option specifying the target
extension. This parameter should always contain 3 characters;
question marks are allowed. The default target extension is 'V??'.
2.8.24. move (mv)
If TbScan detects a virus in a file it prompts the user to delete,
Page 25
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
move or rename the infected file, or to continue without action. If
you specify the 'move' option, TbScan will not ask the user what to
do but will move the infected file to another directory
automatically.
The file will be moved to the TbScan directory or to the directory
specified with option 'path'.
2.8.25. path (mp)
This option can be used to specify the move-path. The move path is
used to move an infected file if option -move is specified or when
the user selects the M) in the virus alert window.
2.8.26. batch (ba)
If TbScan detects a file virus it prompts the user to delete, move
or rename the infected file, or to continue without action. If you
specify the 'batch' option TbScan will always continue. This option
is designed for use in a batch file that is executed without the
user attending. We highly recommended you to use a log file in such
situations, as a scanning operation does not make much sense
without the return messages being read.
2.8.27. repeat (rp)
This option is very useful if you want to check a large amount of
diskettes. TbScan does not return to DOS after checking a disk, but
it waits until you insert another disk in the drive. You don't have
to press a key on the keyboard when ready. TbScan detects
automatically when the drive is ready to be accessed. This way you
can check a large amount of diskettes without having to touch your
keyboard.
Note that the motor of the disk drive keeps spinning, and the light
keeps burning when a diskette has been processed. You can safely
open and close the drive door to remove or insert a diskette while
the motor still runs. Many back-up programs handle the drives the
same way as TbScan does, without causing any harm.
2.8.28. log (lo)
When you use this option, TbScan creates a LOG-file. The default
filename is TBSCAN.LOG and it will be created in the current
directory. You may optionally specify a path and filename. The
LOG-file lists all infected program files, specifying upper-case
heuristic flags and complete pathnames. If the log file already
exists, it will not be overwritten. Instead the new LOG-file will
be appended to the existing one.
If you use this option often, it is recommended to delete or
truncate the log file every month to avoid unlimited growth.
Page 26
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
If you want to print the results, you can specify a printer device
name rather than a filename (log=lpt1).
2.8.29. session (sl)
This option is nearly identical to the 'log' option above. The
difference is that if a log file already exists, the 'session'
option will make sure that this will be overwritten by new log
information. Hence a log file created by the 'session' option will
only contain information obtained from a single scanning session.
2.8.30. loglevel (ll)
The 'loglevel' option determines which files will be put in the
log file. There are five log levels:
0 Log only infected files. If there are no infected files
do not create or change the log file.
1 Put a summary and timestamp in the log file. Put only
infected files in the log file.
2 Same as loglevel=2, but now also 'suspected' files are
logged. Suspected files are files that would trigger
the heuristic alarm if option 'heuristic' had been
specified.
3 Same as loglevel=2, but all files that have a warning
character printed behind the filename will be logged
too.
4 All files being processed will be put into the log
file.
The default log level is 1.
Note: you have to combine this option with option 'log' or
'session'.
2.8.31. expertlog (el)
If you specify this option TbScan will not display the descriptions
of the heuristic flags into the log file.
2.8.32. sigfile (sf)
You can override the default path and name of the signature file by
using this option.
TbScan normally tries to locate a signature file by itself. See
chapter 3.10 for information on how TbScan searches such a data
file. If TbScan does not succeed in recognizing or locating the
default data file, or if you want to override TbScan's default data
search path, you should use the 'sigfile' option.
Note: if you specify option 'sigfile' without filename parameter,
TbScan assumes that you want to scan heuristically only, and it
Page 27
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
will scan without any signature or AVR information. Option
'heuristic' is implied in this situation.
2.9. Examples:
TbScan \ sigfile=c:\TbScan.Dat noboot
Process all executable files in the root directory and its
sub-directories. Skip the bootsector scan. Use the
signature file 'c:\TbScan.Dat'.
TbScan \*.*
Process all files in the root directory. Don't process
sub-directories.
TbScan c:\ log=c:\test.log loglevel=2
All executable files on drive C: will be checked. A
LOG file with the name c:\test.log will be created. The log
file will contain all infected and suspected files.
TbScan \ sigfile log=lpt1
TbScan will scan the root directory and its sub-directories
without signature or AVR information. Option 'heuristic' is
assumed in this case. The results are redirected to the
printer rather than to a log file.
2.10. The configuration file
Those people that are accustomed to the use of configuration files
may devise a similar file for use with TbScan. The TbScan
configuration file should be located in the same directory where
the file TBSCAN.EXE resides, and it should be called TBS.BAT
(surprise, surprise!). The format of this configuration file is as
follows:
tbscan %1 %2 %3 %4 %5 %6 %7 %8 %9 [<default options...>]
Example:
tbscan %1 %2 %3 %4 %5 %6 %7 %8 direct sigfile=c:\virus\Virscan.Dat
To execute this configuration file you should type 'TBS C:\' at the
DOS prompt. If you wish to override the default options specified
in your TBS.BAT file, just type 'TBSCAN'.
This configuration file can offer great possibilities. You may
incorporate mnemonics like 'DAILY' and 'WEEKLY' to invoke a
predefined scan session. The user may be allowed to specify
additional options on the command line. You can make sure that if
TbScan detects a virus, a file called VIRUS.TXT will be printed on
Page 28
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
the screen, offering a user important information such as the
emergency phone number of the company helpdesk and the phone number
of your security officer.
An example:
@echo off
if '%1'=='daily' goto daily
if '%1'=='weekly' goto weekly
:help
echo Type 'TBS weekly' or 'TBS daily' to start a scan event
goto end
:daily
tbscan c:\system d:\ %2 %3 %4
if errorlevel 2 goto virus
if errorlevel 1 goto help
goto end
:weekly
tbscan c:\ d:\ e:\ log=c:\logs\tbscan.log %2 %3 %4
if errorlevel 2 goto virus
if errorlevel 1 goto help
goto end
:virus
type virus.txt
:end
For more information about setting up this kind of powerful
'configuration' file please consult the chapter on batch files in
your DOS manual.
Too few people are aware of the power of the DOS batch file
features. Why learn yet another configuration file language if
a DOS batch file will suit your needs perfectly? You can predefine
scan sessions, define default options, and branch to a specific
routine if TbScan detects a virus.
Your TbScan diskette is supplied with a sample BATCH file called
TBS.BAT. You can edit it to suit your needs.
2.11. The TbScan.Msg file
TbScan prints the TBSCAN.MSG file on your screen a few seconds after
start-up. This file also appears when TbScan has finished scanning
without detecting a virus. The file TBSCAN.MSG as supplied by us
displays our address and registration info. However, you can edit
this file as you please, for instance by adding your company logo.
You may add color codes to the TbScan.MSG file. A color code is
preceeded by the character '|'. The following color codes are
available: (all numbers are in hex).
Color Foreground Highlight Background
Black 00 08 00
Page 29
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
Blue 01 09 10
Green 02 0A 20
Cyan 03 0B 30
Red 04 0C 40
Magenta 05 0D 50
Yellow/Brown 06 0E 60
White/gray 07 0F 70
Example: To make a highligted green character on a red
background the color code would be 0A+40=4A. To make the character
blink add 80h to the result.
2.12. Residence of the signature files
TbScan looks for the data file in the following order:
1) If the 'sigfile' option has been set, it will use the file
specified in the search path.
2) It searches a file with the name VIRSCAN.DAT in the active
directory.
3) It searches VIRSCAN.DAT in the same directory where the program
file TBSCAN.EXE itself resides.
4) It searches a file with the name TBSCAN.DAT in the active
directory.
5) It searches TBSCAN.DAT in the same directory where the program
file TBSCAN.EXE itself resides.
TbScan also looks for a data file containing last-minute update
signatures. The file should be named ADDNSIGS.DAT and it should be
located either in the current directory or in the TbScan home
directory.
2.13. Residence of the AVR-modules
The AVR-modules are only searched in the directory where the
program TBSCAN.EXE itself resides.
2.14. Error messages
Error messages that might be displayed:
+ Error in data file at line <number>.
There is an error in the specified line of the data file.
+ Failed to locate DOS entry point.
TbScan has not been able to locate the DOS entry point, but
continues as if option 'direct' has not been specified.
+ Limit exceeded.
The total amount of internal signature information exceeded
Page 30
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
64Kb. This message will be displayed if the number of
signatures reaches 2500. You can either reduce the number of
signatures or make them shorter.
+ Command line error.
An invalid or illegal command line option has been specified.
+ No matching executable files found.
The path specified does not exist, is empty, or the specified
file does not exist or is not an executable file.
+ Cannot create logfile.
The specified log file path is illegal, the disk is full or
write protected, or the file already exists and cannot be
overwritten.
+ Sanity check failed!
TbScan detected that its internal checksum does not match
anymore. TbScan is possibly contaminated by a virus.
Obtain a clean copy of TbScan, put it on a WRITE PROTECTED
bootable diskette, boot from that diskette, and try again!
2.15. Exit codes
TbScan terminates with one of the following exit codes:
Errorlevel 0: no viruses found, no error occurred.
Errorlevel 1: some error occurred.
Errorlevel 255: sanity check failed.
Errorlevel >1 and <128: one or more viruses detected.
When a virus is detected the errorlevel is used as a bit field:
bit 1 (02): SYS file infected.
bit 2 (04): EXE file infected.
bit 3 (08): COM file infected.
bit 4 (16): virus found in LOW memory.
bit 5 (32): virus found in BOOTsector.
bit 6 (64): virus found in HIGH memory.
An errorlevel of 26 means that a SYS, COM and LOW virus is found
(26 = 02+08+16).
Page 31
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
3. FORMAT OF THE DATA FILE
3.1. Format of a signature entry
The data file (called TBSCAN.DAT or VIRSCAN.DAT) can be read and/or
modified using any DOS text editor.
All lines starting with ';' are comment lines. TbScan ignores these
lines. When the ';' character is followed by a percentage sign the
remaining part of the line will be displayed on the screen. A
maximum of 8 lines can be printed on the screen.
In the first line the name of a virus is expected. The second line
contains one or more of the following terms:
BOOT SYS EXE COM HIGH LOW
These terms may be separated by spaces, tabs or commas.
BOOT means that the virus is a bootsector virus. the terms SYS, EXE
and COM indicate that the virus must be scanned for in files with
these extensions. Overlay files (with the extension OV?) will be
scanned for EXE viruses. BIN files will be scanned for SYS viruses.
HIGH means that the virus can occur in the memory of your PC at a
location higher than the TbScan program itself. LOW means that the
virus can occur in the memory of your PC at a location lower than
the TbScan program itself.
In the third line the signature is expected in ASCII-HEX. Each
virus character is described by means of two characters.
An entry in the signature file should look like this:
;
Test virus
EXE COM
ABCD21436587ABCD
;
It is allowed to use spaces in the ASCII-HEX signature for your own
convenience. TbScan will ignore those spaces.
The three central lines should be present in each virus
description. Between these lines comment lines may be inserted.
3.2. Wildcards
TbScan allows you to use wildcards in a signature. Wildcards can be
used to define one signature that recognizes several related
viruses.
Page 32
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
- The ? wildcard.
The question mark specifies a wildcard nibble, which means that
the corresponding half of the byte may have any value.
Example:
A5E623CB??CD21?883FF3E
- The * wildcard.
You can use the asterisk followed by an ASCII-HEX character to
skip a fixed amount of bytes in the signature. The ASCII-HEX
character specifies the amount of bytes that should be skipped.
Example:
A5E623CB*3CD2155??83FF3E?BCD
Hence the following sequence of bytes will be recognized as a
virus:
A5E623CB142434CD21554583FF3E3BCD
- The % wildcard.
A percentage sign (%) followed by an ASCII-HEX character
indicates that the remaining part of the signature could be
located a number of bytes away. The ASCII-HEX character
specifies the maximum distance at which the remaining part
should be found.
- The ** wildcard.
You can use the '**' wildcard to skip an unlimited variable
amount of bytes in the signature.
3.3. Limitations.
+ The name of a virus may contain up to 30 characters.
+ The ASCII-HEX signature may contain up to 132 characters.
+ A signature must contain at least one sequence of two
non-wildcard bytes. A sequence of four however is recommended.
+ The signature should start with a non-wildcard byte.
+ The % wildcard should not be followed by any other wildcard.
Examine the VIRSCAN.DAT file for examples of how signatures can be
Page 33
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
made to fit the format of the signature file.
3.4. Defining new signatures.
This chapter is intended for advanced users who own a TBAV.KEY
file or a Thunderbyte add-on card.
Although the VIRSCAN.DAT data file supplied with the TbScan package
is updated frequently, new viruses are created each day, outpacing
the regular upgrading service of this data file. It is therefore
possible that one day your system gets infected by a recently
created virus that has not yet been listed in the VIRSCAN.DAT file.
TbScan will not always detect the virus in such cases, not even
with the 'mutant' option set. If you are convinced that your system
must have been infected without TbScan confirming this, this
chapter will supply you with a valuable tool to detect undocumented
viruses with. We offer you step-by-step assistance here in creating
an emergency signature that can be (temporarily) added to your copy
of VIRSCAN.DAT.
- Collect some infected files and copy them into a temporary
directory.
- Boot from a clean write-protected diskette. Do NOT execute ANY
program from the infected system, even though you expect this
program to be clean.
- Execute TbScan from your write-protected TbScan diskette with
the 'extract' option set. Make sure that the temporary directory
where you put the infected files will be TbScan's target
directory. With its 'extract' option set, TbScan will NOT scan
the files but, instead, display the first instructions that are
found at the entry-point of the infected programs. Please note
that we highly recommend you to simultaneously set the
'session' option of TbScan.
- Compare the 'signatures' extracted by TbScan. You should see
something like this:
NOVIRUS1.COM 2E67BCDEAB129090909090ABCD123490CD
NOVIRUS2.COM N/A
VIRUS1.COM 1234ABCD5678EFAB909090ABCD123478FF
VIRUS2.COM 1234ABCD5678EFAB901234ABCD123478FF
VIRUS3.COM 1234ABCD5678EFAB9A5678ABCD123478FF
If the 'signatures' are completely different, the files are
probably not infected, else they have been infected by a
polymorphic virus that requires an AVR module to detect it.
- Replace all differences in the 'signatures' by question marks
Page 34
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
('?'). A signature to detect the 'virus' in the example above
could be:
1234ABCD5678EFAB9?????ABCD123478FF
- Add the signature to the data file of TbScan. Give the virus a
name in the first line of its entry. Specify the EXE and COM
keywords in the second line. Enter the signature on the third
(see 4.1.).
- Run TbScan again in the directory containing the infected
files. TbScan should now detect the virus.
- Send a couple of infected files to a recommended virus expert,
preferably to us.
Congratulations! You have defined a signature all by yourself! Now
you can scan all your machines in search of the new virus.
However, keep in mind that this method of extracting a signature
is a 'quick-and-dirty' solution to viral problems. The extracted
signature will not detect the presence of the virus in all cases. A
signature that is guaranteed to detect all instances of the virus
can be made only after complete disassembly of the new virus. For
these reasons you should NOT distribute your home-made 'signature'
to others. The signature eventually assembled by experienced
anti-virus researchers will be completely different in most cases!
Page 35
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
4. CONSIDERATIONS AND RECOMMENDATIONS
4.1. What should be scanned?
In the early days of viruses, virus scanners just scanned
everything. Today we know that this approach has serious
disadvantages: the number of false alarms is very high, the scan
speed is very, very slow, etc.
Before we proceed, let's first establish some facts about viruses.
A virus is just a program. Like any other program, it will have no
effect as long as it is not executed. Consequently, data files like
text files can never spread a virus. Of course, it is always
possible to copy a virus into a .TXT file, but since the text file
itself will never be executed, the virus can never be activated
from that location. A virus signature in a .TXT file is treated as
just any other stream of bytes to be found there. A program and a
bootsector, however, will be executed, and if they contain a
virus, the virus will gain control and do its nasty job.
We now know that it doesn't make sense to scan non-executable
files. What we therefore need to scan are files with the extensions
EXE COM OV? SYS and BIN. Note that a batch file (.BAT) is just a
text file. Though it can be 'executed' in some way, it is not
possible to program a virus in the batch file language.
What do executable programs consist of? Naturally they contain
program code, but they also contain data. The texts that will be
displayed on the screen by that program are just data. They will
never be 'executed'. We don't have to scan them.
The exe-header of an exe file does not contain any code either,
only data. The exe-header is there to assist DOS in loading the
program, and it is thrown away before DOS passes control to the
program itself. We don't have to scan it.
The same applies to the bytes following the load-module of the
file. This area of a file will not be loaded into memory at
start-up. We don't have to scan it.
Unfortunately, the code part of the executable file is mostly the
larger one. The code-data ratio differs for each program, but on an
average we can state that about two thirds of a program consist of
code. However, it is hardly possible to separate the two. Even the
operating system is not able to do this, only the program itself.
What actually happens is that when you execute a program, the
operating system passes control to the program at a fixed location
in the program file. This location, referred to as ENTRY-POINT in
this manual, is the first byte in case of a .COM file, or a
location specified in the exe-header of an .EXE file. This location
is the only location in a file of which we can be 100% sure it
contains code. As to other locations we can only guess.
Page 36
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
How does a virus work?
A virus that is about to infect a file cannot just throw its viral
code at a random location in that file, it won't work. The virus
has to be sure that its code will be executed before the host
program gains control. Why? Because if the contaminated program
finds itself altered, it will behave in an unexpected manner. If
the program accesses internal resources that have been overwritten
by the virus, the program will crash. Besides, how should the virus
know whether that random location will ever be executed?
There is only ONE location that will always be executed, and that
is the entry-point of the program. To infect a file the virus has
to attach itself to the entry-point and store the original
instructions of the program at another location. Only there and
then can the virus be certain it will gain control instead of the
host program, and that it can restore the original instructions
before it passes on control. All reports of virus infections of
program files indicate that a virus ALWAYS attaches itself to the
entry-point of a program.
This leads us to a basic principle: if we scan the location where
we can find the first instructions of the program, we can be
certain we are scanning the area where the virus would reside.
TbScan uses this knowledge when scanning a window of about 4Kb (as
it does by default) around the program-entry point. This is called
'Checking' or 'Looking'. If you wish to know more about this
procedure consult chapter 6.2.: 'The Internals of TbScan'.
Note that we do not take any risks when limiting the area where we
scan for viruses. If their signatures are assembled according to
the basic principles set out above, viruses cannot escape from
detection, simply because they have to be in the 'window' where we
scan for them. To prove our point many other competitive virus
scanners have adopted our scanning strategy.
Also note that if TbScan is not completely sure about the exact
location of the entry-point of the file, it scans ALL the program
code of the file using the 'browse' or 'scan' algorithms.
4.2. The internals of TbScan
4.2.1. How is that blazing speed achieved?
The speed of TbScan is achieved by many measures.
To avoid false alarms, TbScan scans restricted areas of the
file. Naturally this approach benefits the scanning speed.
Disk access is minimized, and not much data has to be
searched.
Page 37
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
TbScan is entirely written in assembly language. High-level
languages like Pascal and Basic have an enormous overhead which
not only affects the size of the program but also reduces the
execution speed.
The search routine has been highly optimized. Every byte to be
scanned is only accessed once, regardless of the number of
signatures. Execution time will hardly increase when it has to
scan for 3000 signatures instead of 500. The search algorithm
used can be described as 'rotating semi-double 16-bits
hashing'.
The number of DOS function calls has been minimized. DOS is
relatively slow, and access should be avoided as much as
possible. For this reason TbScan walks through a directory
just once instead of first processing the files and the
sub-directories afterwards or vice versa.
TbScan writes directly to the screen instead of calling on DOS
or BIOS to do this. Although TbScan has a scrolling window,
screen access is minimized as much as possible without
affecting the visual display of the program output.
TbScan has a built-in disk cache. Although a disk cache has
already been installed in many systems, a standard disk cache
slows down the scanning speed of a virus scanner instead of
increasing it! This slow-down is caused by the disk cache,
trying to make assumptions as to what the program will be
reading next. The standard disk cache will fail here because
it doesn't know that files will be accessed only once. Neither
is it aware of the fact that after a file has been partially
scanned, the remaining part will not be accessed by TbScan at
all. The cache wastes many clock cycles reading ahead and
maintaining megabytes of data which the scanner is not
interested in. On the other hand, the directories and the FAT
are accessed a lot, and a standard disk cache could increase
TbScan's performance a lot here, if it would just restrict
itself to those areas. Our solution is to temporarily install
one that 'knows' which data are required and which are not.
Depending on the hardware specifications of a machine, the
scanning speed will be increased by 10%.
4.2.2. The code interpreter
Viruses can only infect program files according to a fixed
strategy. There is only one single point in a program file that
a virus can be certain will be executed, namely the starting
point of the program. It cannot be sure of any other location
which explains why it will not attempt to put its first code
just anywhere in the program file that it is planning to
infect. The virus will always have to put AT LEAST one
instruction at the entry-point of the program.
Page 38
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
TbScan uses this knowledge to restrict the number of bytes that
have to be read in a file as much as possible. Just like the
loader of DOS itself, it determines where the entry point of
the program is located: right at the beginning of a COM-file or
at the address specified in the exe-header of an EXE-file.
However, this is not where TbScan will stop. As jump or other
branch instructions are being found at the entry-point of a
program file, TbScan will follow this jump - or chain of jumps
- until it does not come across a jump anymore. By then we have
located the real starting-point of the program or, in case it
has been infected, the virus itself.
There is the possibility, however, that after TbScan has
followed through a chain of jumps it then finds that there are
new significant IP-modifying instructions (calls, rets, irets,
jumps) not far from the real starting-point that it has just
established. Could this future jump point to a virus code, or
have we really reached the starting-location? TbScan does not
take any chances and will read the entire file scanning for
viruses. Only when it is 100% sure to have found the real
starting-point of a file - at least 20 bytes of continuous
(hence 'stable') code - TbScan will limit its check to the 4 Kb
surrounding this spot.
Note that very few viruses require more than 4 Kb. In those
cases TbScan will scan for the first 4 Kb of their signatures
inside its scanning window.
4.2.3. The algorithms
When TbScan processes a file it prints 'Looking', 'Checking',
'Tracing', 'Browsing', 'Scanning' or 'Skipping'.
4.2.3.1. Looking
'Looking' means that TbScan has successfully located the entry
point of the program, and that the code has been identified as
something known. 'Looking' is the fastest and most reliable
scan algorithm, but it can only be applied on programs produced
by known software, such as known compilers, file compressors,
etc. 'Looking' is almost the same as 'Checking' but the
predefined information is used to increase the speed of
scanning.
Looking will be used on files that are produced by known
software.
4.2.3.2. Checking
'Checking' means that TbScan has successfully located the entry
point of the program, and is scanning a frame of about 4Kb
Page 39
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
around the entry point. If the file is infected the signature
of the virus will be in this area. 'Checking' is a very fast
and reliable scan algorithm.
Checking will be used on most files that are not produced by
known software.
4.2.3.3. Tracing
'Tracing' means that TbScan has successfully traced a chain of
jumps or calls while locating the entry-point of the program,
and is scanning a frame of about 4Kb around this location. If
the file has been infected, the signature of the virus will be
in this area. 'Tracing' is a fast and reliable scan algorithm.
Tracing will be primarily used for TSR-type COM files or Turbo
Pascal-compiled programs. Most viruses will force TbScan to use
'Tracing'.
4.2.3.4. Scanning
'Scanning' means that TbScan is scanning the entire file
(except for the exe-header which cannot contain any viral
code). This algorithm will be used if 'Looking', 'Checking' or
'Tracing' cannot be safely used. This is the case when the
entry-point of the program contains other jumps and calls to
code located outside the scanning frame. 'Scanning' is a slow
algorithm. Because it processes almost the entire file,
including data areas, false alarms are more likely to occur.
The 'Scanning' algorithm will be used while scanning
bootsectors, SYS and BIN files.
4.2.3.5. Browsing
'Browsing' is nearly identical to the 'Scanning' algorithm,
but it performs a little better on files containing long
sequences of low ASCII, 00 or FF bytes. On other files (like
compressed files) it performs worse. Hence TbScan decides which
is the most efficient algorithm when scanning a file.
'Browsing' is as reliable as 'Scanning' but it also shares the
tendency to cause false alarms. In fact, any dumb scan
algorithm (i.e. algorithm without intelligence) will suffer
from this kind of unreliability.
Like the 'Scanning' algorithm, 'Browse' will be used while
scanning memory, bootsectors, SYS and BIN files.
4.2.3.6. Skipping
'Skipping' will occur with SYS and OVL files only. It simply
means that the file will not be scanned. As there are many SYS
Page 40
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
files that contain no code at all (like CONFIG.SYS) it makes
absolutely no sense to scan these files for viruses.
The same applies to .OV? files. Many overlay files do not
deserve to be called as such as they lack an exe-header. Such
files cannot be invoked through DOS making them just as
invulnerable to direct virus attacks as .TXT files are. If a
virus is reported to have infected an .OV? file, it involved
one of the relatively few overlay files that does contain an
exe-header. The infection was then the result of the virus
monitoring the DOS exec-call (function 4Bh) and infecting any
program being invoked that way, including 'real' overlay files.
4.2.4. Option 'compat'
The 'compat' option is used to increase compatibility with your
system if the default behavior of TbScan causes problems. The
differences between the default and compatibility modes are:
- In default mode, TbScan installs a disk cache if
enough memory is available. In the compatibility mode
TbScan will not install the TbScan disk cache.
- While scanning memory, TbScan temporarily disables the
interrupts for each 32 Kb-block being scanned. In
compatibility mode, however, TbScan performs a
non-destructive scan and does not disable interrupts at
all. It offers the highest compatibility but memory
scanning may slow down considerably in some instances.
- If the 'compat' switch has been specified TbScan does
not use AVR-modules to scan memory. Memory-related
AVR-modules contain virus-specific function requests
that could interfere with resident software. The
compatibility mode does make use of AVR-modules,
however, when scanning files.
4.3. The Sanity check
TbScan performs a sanity check when it fires up. However, to be
honest, it is NOT possible to make software 100% virus-resistant.
If this was the case, the virus problem could be solved simply by
incorporating a self-check in every program.
Unfortunately, a sanity check does not work if a 'stealth' type of
virus is involved. A stealth virus can hide itself completely when
a self-check is being performed. Do note that we are not dealing
with a TbScan bug here. The failure to detect stealth viruses is
common to ALL software performing a sanity check. Therefore, we
recommend you to keep a clean version of TbScan on a
write-protected diskette. Use this diskette to check other machines
once you have found a virus in your own system.
Page 41
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
4.4. How many viruses does it detect?
Some people think that TbScan recognizes only 500 viruses, based
upon the fact that the signature file contains only 500 signatures.
What they do not realize is that the signatures are family
signatures, which means that each signature covers many viruses.
For instance, our PLO/Jerusalem signature detects over 25 viruses
which are all related to the 'original' Jerusalem virus! Only one
(wildcarded) signature is needed by TbScan to cover all these
mutants.
Some competitive products treat each virus mutant as a separate
virus, and so claim to detect over 1200 viruses. However, TbScan
detects even more viruses using 'only' 500 signatures.
4.5. Testing the scanner
Many people understandably wish to test the product they are using.
While it is very easy to test, for instance, a word processor, it
is very difficult to test a smart scanner like TbScan. You cannot
extract 25 bytes from an executable and insert it in the TBSCAN.DAT
or VIRSCAN.DAT data file as a bogus signature just to find out
whether or not TbScan will detect the 'signature' in the file it
was copied from. It is very likely that TbScan does NOT find it
because it only scans the entry-area of the file whereas the
'signature' you extracted might be taken from some other location
within the file.
You might ask: 'How then can I test the scanner if using a 'test
signature' does not work?' We think you can't, unless you are an
experienced assembler programmer. Sorry, but testing a
disassembling scanner should be performed by virus experts only.
Fortunately, you don't have to rely on our tests solely. There are
anti-virus magazines that regularly publish tests of all virus
scanners. At the end of this manual you will find names and
addresses of such magazines. Anyway, third parties have tested our
scanner along with several others, and they found TbScan to have a
very high hit rate. It detects even more viruses than many popular
scanners do.
4.6. Scan scheduling
It is highly advisable to devise your own schedule for a regular
scan of your system. Creation of a special TbScan boot diskette is
highly recommended in this respect.
Boot from your original DOS diskette. Use the diskcopy command to
copy the DOS diskette onto a new diskette. Delete all files from
this diskette, except for the two hidden system files and
Page 42
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
COMMAND.COM. Copy all TbScan files to the diskette. Create a new
AUTOEXEC.BAT file which should contain the line 'TbScan C:\'.
Write-protect the diskette with the write-protect tab.
The following scan sessions (listed in order of preference) are
recommended:
- Run TbScan from A WRITE-PROTECTED BOOTABLE DISKETTE once a
week. Boot from this diskette before invoking the scanner. We
agree that it may be inconvenient to boot from a diskette, but
it is the only way to make sure that no stealth virus will
become resident in memory.
- It is recommended to invoke a daily scan. You can invoke
TbScan with the 'once' option from within the autoexec.bat file
to perform the daily scan session automatically. It is not
necessary to boot from the bootable TbScan diskette to perform
the daily scan.
The 'sector' and the 'mutant' option should never be used in a
normal scan session but only when you expect the system to be
infected by a virus.
4.7. Extensions to the format of the data file
There are a number of other scanners which are compatible with the
data file format used by TbScan. Some of these scanners allow for
certain extensions to the data file which we consider absurd and
therefore refuse to implement. These extensions include special
signatures for upper memory, overlay files, and numerous (highly)
confusing filename extensions, different keywords for the same
items, and XOR-decryption directives. TbScan scans upper memory
for LOW-type viruses (since any LOW-type TSR can be loaded in upper
memory through DOS 5.0), and overlay files for EXE-type viruses
(since overlays are just a special kind of EXE file). TbScan's XOR
decryptions are performed much more efficiently through its own AVR
modules.
4.8. Compressed files
Many executable files are compressed or packed. They contain an
unpacking routine which unpacks the executable in memory to restore
the original program size. The simplest compressor is the Microsoft
ExePack program. This compressor is even included in the link
program itself (use the /E option while linking to pack the
executable).
If the program contained a virus BEFORE compression took place, the
virus has been compressed too. A scanner will not recognize the
virus because of its compressed signature. The virus will still be
Page 43
Thunderbyte virus detector. (C) Copyright 1989-1992 Thunderbyte B.V.
able to execute though.
If a virus resides inside a compressed file, it betrays its
presence by infecting other files in your system. Hence the
signature will be visible in all the newly infected files, which
the scanner will dutifully report. The compressed file that brought
the (compressed) virus into your system will probably not trigger
an alarm itself. The virus inside this program can do its worst all
over again unless you isolate this compressed file as the source of
the infection.
TbScan displays a 'p' behind each file that it finds to be
compressed by ExePack or any other compressor. TbScan does not
unpack files, since too many files are compressed nowadays.
Decompressing each one of them in your system would only be
feasible if there was a limited number of compression schemes. Even
if there were, TbScan unpacking all your compressed files would be
consuming too much time, the more so as most of the time this
action would be quite unnecessary. Once you have established that a
compressed file does not contain a virus, you can rest assured that
this file will not get internally infected at a later date. Hence
it makes no sense to have TbScan unpack these files time and time
again. If there wasn't a virus the first time you checked, there
will not be one at subsequent times.
Note that if the compressed file gets infected AFTER it has been
compressed, the virus has NOT been compressed and will be clearly
visible to a scanner. The problem we referred to above only exists
when a file has been infected first and compressed afterwards.
Fortunately, you can treat compression as a minor risk when files
have been compressed by the programmer of the product (as is often
the case). Most programmers are aware of the existence of viruses
and go about compression with great care. If the programmer did not
compress the file, well, then the file has not been compressed and
the problem does not exist at all,...that is, if you obtained the
original version of a program of course.
If you obtained your copy of the program from another copy, you
have joined ranks with those that use illegal (!) copies of
software and thereby take great risks! One of the previous owners
of the program may have compressed it, treating you (perhaps
unknowingly) to a nasty virus infection.
Page 44
