home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The 640 MEG Shareware Studio 2
/
The 640 Meg Shareware Studio CD-ROM Volume II (Data Express)(1993).ISO
/
virus
/
tbav503.zip
/
TBMEM.DOC
< prev
next >
Wrap
Text File
|
1992-12-29
|
19KB
|
721 lines
Thunderbyte memory guard. (C) Copyright 1992 Thunderbyte B.V.
Table of Contents
1. INTRODUCTION...................................... 2
1.1. Purpose of TbMem............................ 2
1.2. A Quick start............................... 2
1.3. Benefits.................................... 2
2. USAGE OF THE PROGRAM.............................. 4
2.1. System requirements......................... 4
2.2. Program invocation.......................... 4
2.2.1. Invocation in Config.Sys.............. 5
2.2.2. Invocation in network environment..... 5
2.2.3. Invocation when using MS-Windows...... 5
2.3. What is a memory resident program?.......... 5
2.4. Detecting memory resident software.......... 5
2.5. Command line options........................ 6
2.5.1. help ................................. 6
2.5.2. off .................................. 6
2.5.3. on ................................... 7
2.5.4. remove ............................... 7
2.5.5. secure ............................... 7
2.5.6. hotkey ............................... 7
2.5.7. nocancel ............................. 7
2.6. Examples:................................... 7
2.7. The Cancel hot key.......................... 7
3. CONSIDERATIONS AND RECOMMENDATIONS................ 9
3.1. Site installation........................... 9
3.2. Solving incompatibility problems............ 9
3.3. Reducing the memory requirements........... 10
Page i
Page 1
Thunderbyte memory guard. (C) Copyright 1992 Thunderbyte B.V.
1. INTRODUCTION
1.1. Purpose of TbMem
Most viruses remain resident in memory once they have been
executed. While resident in memory, they may have many
opportunities to infect other files in the background, interfere
with the system operation, hide themselves from virus scanners or
checksummers, and/or perform other nasty tasks.
On the other hand, because so many viruses remain resident in
memory, it is easy to detect most of them once the process of
becoming resident in memory is monitored.
TbMem monitors the system and ensures that no program will remain
resident in memory without permission! This will draw attention to
any software that attempts to remain resident, thereby reducing the
likelihood that a virus will be able to go unnoticed.
1.2. A Quick start
Although we highly recommend a complete reading of this manual, here
are some directions for a quick run of TbMem:
Load TbDriver first if it is not yet loaded. Type "TbDriver" and
press return.
To load TbMem type "TbMem" and press return.
The invocation syntax is:
TBMEM [<options>]...
For fast online help type "TbMem ?" or "TbMem help".
1.3. Benefits
TbMem has several advantages over other memory guards:
+ TbMem not only informs you when a program tries to remain
resident in memory, it also offers you the option to abort
the program before it can become resident.
+ Detection of 'stealth' TSR techniques. TbMem will guard the DOS
TSR function calls, while also monitoring important interrupts
and memory structures.
+ Easy maintenance. TbMem uses the Anti-Vir.Dat records to
determine if a program is allowed to remain resident in memory.
Many common TSRs will be recognized by TbSetup. However, if
TbSetup doesn't recognize a TSR, TbMem will ask your permission
Page 2
Thunderbyte memory guard. (C) Copyright 1992 Thunderbyte B.V.
for the TSR to load. Permission information will be maintained
in the Anti-Vir.Dat files, to prevent TbMem from bothering you
when an approved TSR is loading.
+ Easy site installation. Once you have 'taught' TbMem which
programs are TSRs and which are not on one machine, you can use
TbSetup to set the permission flag of these files on other
machines.
+ As an extra bonus, TbMem installs a hot key that can be used to
escape from nearly all programs.
+ TbMem is fully network compatible. It does not require you to
reload the checker after logging on to a network. Other
resident anti-virus utilities force you to choose between
protection before the network is started, or protection after
the network is started, but not both.
+ TbMem can display its messages in your local language.
+ TbMem uses less than 600 bytes of memory, and it can be loaded
into upper memory.
Page 3
Thunderbyte memory guard. (C) Copyright 1992 Thunderbyte B.V.
2. USAGE OF THE PROGRAM
2.1. System requirements
TbMem runs perfectly on standard machines, in line with our
philosophy that there should be a limit to limitations.
+ TbMem can be executed under DOS version 3.00 (and all later
versions). However, Dos 5.0 or higher is recommended, since
TbMem has been optimized and designed primarily for use with
these DOS versions.
+ TbMem requires about 4 Kb of free memory to be invoked.
After termination it requires only 600 bytes of memory.
2.2. Program invocation
It is recommended to invoke TbMem automatically from within your
Config.Sys or Autoexec.Bat file. It is important to invoke TbMem
as early as possible after the machine has booted. For that reason
it is desirable to invoke TbMem from within the Config.Sys file.
TbMem requires TbDriver to be loaded first!
TbMem is easy to use. The syntax is as follows:
TbMem [<options>]...
There are three possible ways to invoke TbMem:
To invoke TbMem from the DOS prompt or within the Autoexec.Bat
file:
<path>TbMem
To invoke TbMem from the Config.Sys as a TSR (Dos 4+):
Install=<path>TbMem.Exe
To invoke TbMem from the Config.Sys as a device driver:
Device=<path>TbMem.Exe
TbMem should always work correctly after being started from
within the Autoexec.Bat. The "Install=" Config.Sys command is
NOT available in DOS 3.xx.
In addition to the three invocation possibilities DOS 5+ users can
"highload" TbMem into an UMB (upper memory block) if it is
available:
LoadHigh <path>TbMem.Exe
Within the Config.Sys file TbMem can also be loaded high:
DeviceHigh=<path>TbMem.Exe
Page 4
Thunderbyte memory guard. (C) Copyright 1992 Thunderbyte B.V.
2.2.1. Invocation in Config.Sys
-> Invoking TbMem as a device driver does not work in all OEM
versions of DOS. You have to try it, if it doesn't work use the
"Install=" command or load TbMem from within the Autoexec.Bat.
2.2.2. Invocation in network environment
-> Unlike other anti-virus products, the Thunderbyte anti-virus
utlities can be loaded before the network is started without
losing the protection after the network has been started.
2.2.3. Invocation when using MS-Windows
-> Windows users should invoke TbMem BEFORE starting Windows.
If you do that there is only one copy of TbMem in memory, but
every DOS-window will nevertheless have a fully functional
TbMem in it. TbMem detects if Windows is starting up, and
will switch itself into multitasking mode if necessary. You can
even disable TbMem in one window without affecting the
functionality in another window.
2.3. What is a memory resident program?
Most programs will be invoked by a command on the DOS command line,
perform some task, and finally terminate, placing you right back
where you started.
Some programs however continue to operate after they are
terminated. These programs load themselves into memory of your PC,
remain resident in memory and perform some task on the background.
Programs in this category are disk caches, print spoolers, network
software, etc. These programs are often referred to as
'TSR-software', which means 'Terminate-and-Stay-Resident'.
Most viruses remain resident in memory too, and that is why the
process of becoming resident in memory should be controlled in
some way, preferably by TbMem.
2.4. Detecting memory resident software
If TbMem detects that a program tries to remain resident in memory,
a pop-up window will appear with a message, informing you about
this in your own language. You can either choose to continue, or to
abort the program invocation.
If you answer 'NO' to the question 'Remove program from memory?' the
program will continue undisturbed, and TbMem places a mark in the
Anti-Vir.Dat file about this program. Next time you invoke the same
resident program, TbMem will not disturb you again.
Page 5
Thunderbyte memory guard. (C) Copyright 1992 Thunderbyte B.V.
There are a lot of programs which normally remain resident in
memory, such as disk caches, print spoolers, etc. How does TbMem
distinguish between these programs and viruses?
TbMem uses the Anti-Vir.Dat records generated by TbSetup to keep
track of which files are normal TSRs and which are not. Most common
resident software will be marked as such by TbSetup, so you don't
have to worry about these files.
If TbMem pops up with the message that a program tries to remain
resident in memory, you have to consider the purpose of the program
mentioned. Is the program supposed to continue to operate in the
background? The answer is obviously yes if the program mentioned is
a disk cache, print spooler, pop-up utility or system extension
software.
However, if the message appears after you have finished a text
processing job, or terminated a database or spreadsheet
application, something is definitely wrong! You had better
terminate the program and use a virus scanner to check the system.
The same applies when software that operates normally without
staying resident in memory suddenly changes its behavior and tries
to remain resident in memory indeed.
2.5. Command line options
It is possible to specify options on the command line. The upper
four options are always available, the other options are only
available if TbMem is not already resident in memory.
optionword parameter short explanation
---------- --------- ----- ----------------------------
help ? =display this helpscreen
off d =disable checking
on e =enable checking
remove r =remove TbMem from memory
secure s =do not execute unauthorized TSRs
keycode =<keycode> k =specify hotkey scancode
nocancel n =do not install cancel hot key
2.5.1. help (?)
If you specify this option TbMem will show you the brief help as
shown above.
2.5.2. off (d)
If you specify this option TbMem will be disabled, but it will
Page 6
Thunderbyte memory guard. (C) Copyright 1992 Thunderbyte B.V.
remain in memory.
2.5.3. on (e)
If you use this option TbMem will be activated again after you
disabled it with the 'off' option.
2.5.4. remove (r)
This option can be used to remove the resident part of TbMem from
your system's memory. All memory used by TbMem will be released.
Unfortunately, the removal of a TSR (like TbMem) is not always
possible. TbMem checks whether it is safe to remove the resident
part from memory. If it is not safe it just disables TbMem. A TSR
can not be removed if another TSR has been started after it. If
this happens with TbMem it will completely disable itself.
2.5.5. secure (s)
TbMem normally asks the user to continue or to cancel when a
program tries to remain resident in memory. In some business
environments however this choice should not be made by employees.
By using option 'secure' it is no longer possible to execute new or
unknown resident software.
2.5.6. hotkey (k)
The program cancel hot key of TbMem is by default Ctrl-Alt-Insert.
If you wish, you can specify another keyboard option with option
'hotkey =<keycode>'. The scancode is specified in a 4 digit
hexadecimal number. The left most bytes specify the shift-key
mask, the right most byte specifies the keyboard scancode. Consult
your machine manual for a list of scancodes. The default scancode
is 0C52h (Ctrl-Alt-Insert). The scancode for Ctrl-Alt-Escape is
0C01h.
2.5.7. nocancel (n)
TbMem normally installs the program cancel hot key
(Ctrl-Alt-Insert). If you don't want this specify this option. This
also saves a few bytes of memory.
2.6. Examples:
C:\utils\TbMem
or:
Device=C:\utils\TbMem.Exe
2.7. The Cancel hot key.
Page 7
Thunderbyte memory guard. (C) Copyright 1992 Thunderbyte B.V.
TbMem offers you a reliable way to escape from any program by
pressing a special key combination. This can be used to escape from
programs that 'hang', but of course also to escape from software
that seems to be malicious (although powering down and rebooting from
a write-protected system disk is recommended). The key combination
is Ctrl-Alt-Insert.
Page 8
Thunderbyte memory guard. (C) Copyright 1992 Thunderbyte B.V.
3. CONSIDERATIONS AND RECOMMENDATIONS
3.1. Site installation.
If you have to install TbMem on a lot of machines in one company,
it would be tedious to invoke every single TSR on each machine in
order to 'teach' TbMem which programs are TSRs and which are not.
Fortunately, this is not necessary. If a resident utility named
TSRUTIL.EXE is used throuhgout the company, use TbSetup to
determine the length and CRC of the program. Now put the name of
this program along with the other information in the file
TbSetup.Dat and assign the value '0010' to it. Example:
TSRUTIL.EXE 01286 E387AB21 0010 ;Our TSR utility
Also consult the TbSetup documentation.
If you now run TbSetup on every machine (you have to do this
anyway) it will recognize this utility and it will set the
TSR permission flag for TbMem automatically.
3.2. Solving incompatibility problems.
Although TbMem has been designed to cooperate with other resident
software, other software may not have been, causing system errors or
worse.
The problems most often incurred:
Problem:
After I have given permission for a program to remain resident
in memory, TbMem asks the same quesion next time.
Solution:
1) The 'secure' option of TbDriver is specified. Remove this
option, reboot and try again.
2) The program mentioned does not appear in the Anti-Vir.Dat
file and therefore TbMem can not permanently store the
permission flag. Use TbSetup to generate the Anti-Vir.Dat
record of this program!
Problem:
If TbMem tries to display a message, the text 'message file
<filename> could not be opened' appears.
Solution:
Specify the FULL path and filename of the file that you will
use as message file after the TbDriver invocation. The default
filename is TbDriver.Lng
Page 9
Thunderbyte memory guard. (C) Copyright 1992 Thunderbyte B.V.
Problem:
You are running a network. TbMem is installed succesfully,
but it does not detect TSRs anymore.
Solution:
Use the command 'TbDriver net' after the network has been
loaded.
Problem:
The system sometimes hangs when you answer 'NO' (do NOT abort
program) to a TbMem message.
Solution:
Try using StackMan. StackMan is supplied in the TBAV package.
Problem:
The system sometimes hangs when you answer 'YES' (abort
program) to a TbMem message.
Solution:
None. Some resident programs deeply interfere with the system,
and once they are rejected from memory the state of the system
is not stable anymore.
3.3. Reducing the memory requirements.
Most PC users try to maintain as much free DOS memory as possible.
TbMem is designed to use a very small amount of DOS memory. To
decrease the memory requirements of TbMem even further do the
following:
- Load TbMem from within the Config.Sys file. If loaded as a
device driver TbMem has no Program Segment Prefix (PSP),
and that will save 256 bytes.
- If you invoke TbMem from within the Autoexec.Bat file do this
before establishing environment variables. DOS maintains a list
of environment variables for every resident program, so keep
this list small while installing TSRs. Once all TSRs have been
installed you can define all environment variables without
affecting the memory requirements of the TSRs.
- If you have DOS 5 or higher try to load TbMem into an upper
memory block using the "loadhigh" or "devicehigh" commands.
- Specify option 'nocancel'. This will save a few bytes.
- Use one of the processor specific versions of TbMem. They all
consume less memory than the generic version of TbMem.
Processor optimized versions are available on any Thunderbyte
support BBS.
Page 10
Thunderbyte memory guard. (C) Copyright 1992 Thunderbyte B.V.
Page 11
