home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Tech Arsenal 1
/
Tech Arsenal (Arsenal Computer).ISO
/
tek-12
/
fp-208a.zip
/
VIRSTOP.DOC
< prev
next >
Wrap
Text File
|
1993-05-07
|
4KB
|
87 lines
VIRSTOP
The primary purpose of the VIRSTOP.EXE program is to prevent the execution
of programs infected with known viruses. VIRSTOP installs itself in RAM as
a standard TSR and intercepts the so-called "Load-and-execute" function.
This means that whenever an attempt is made to run a program VIRSTOP gets
a chance to examine it first.
It must be noted that it may not be possible to install VIRSTOP on
machines with the Cyrix 486 processor, as it is not fully compatible.
VIRSTOP uses a simple but fast search to check for viruses, but it does
not make an accurate identification - "Full Scan" or "Secure Scan" are
necessary for that purpose.
If VIRSTOP finds a virus, it will abort the execution of the program,
display a message and return an error. For example, if you attempt to run
a program infected with the Cascade virus, with VIRSTOP active in memory,
you might see something like this:
This program is infected with the Cascade virus.
Cannot execute A:\INF-PROG.COM
VIRSTOP has a secondary function as well - it attempts to check for any
active boot sector virus when it is run.
Older versions of F-PROT (pre-2.0) contained two programs (F-DRIVER.SYS and
F-NET.EXE) which are now replaced by VIRSTOP.EXE. Using a .SYS program is
in some ways preferable to using an .EXE program, in particular as it
reduces the chances than an infected program is run before the monitoring
program (VIRSTOP or F-DRIVER). However, this caused problems on networked
machines, as network software often takes over the "Load-and-execute"
function, disabling the monitoring program.
VIRSTOP is supplied as an .EXE file, so that it can be run after the
network software is installed (in AUTOEXEC.BAT). On stand-alone machines
the program may be loaded as a device-driver, with a command such as
DEVICE=C:\F-PROT\VIRSTOP.EXE
IMPORTANT! - If HIMEM.SYS is used, it must be loaded before VIRSTOP.
VIRSTOP.EXE includes one additional feature - it is designed to be able to
detect if it has been infected by a "stealth" virus - an ability which
is rather unusual. It is also often (but not always) able to detect
attempts to run "stealth"-virus infected programs, even though the virus is
active in memory.
In order to test if VIRSTOP is properly installed, the program F-TEST is
provided. It is NOT a virus, but it is detected by VIRSTOP the same way as
a virus-infected program.
If VIRSTOP is not installed or not active, F-TEST will print out a message
when run. If it is active and working, VIRSTOP will display a message
saying so, and return a code of 1, which can be checked with the
ERRORLEVEL command.
VIRSTOP supports the following command-line switches:
/DISK - do not store virus signatures in memory, but read them
in from disk when necessary. This reduces the memory requirements
from 14K to around 2K, but cannot be used if you run VIRSTOP from
a diskette which is later removed. If this switch is used, and
VIRSTOP is loaded from CONFIG.SYS, it is critical that the full
path name is given. DO NOT USE /DISK IF YOU USE DEVICEHIGH= OR
LOADHI TO LOAD VIRSTOP.
/OLD - do not complain, even if the program has "expired". Use of
this switch is generally not recommended.
/NOMEM Do not perform a memory scan when starting.
/FREEZE Stop the computer when a virus is found.
The following switches have just been added and have not been fully tested
under all circumstances. If you use /COPY, /BOOT or /WARM to enable the
new features, some problems might appear...in that case, please report the
problems to Frisk Software International.
/[NO]COPY [Do not] check files when they are accessed/copied.
/[NO]BOOT [Do not] check boot sectors when a diskette is accessed.
/[NO]WARM [Do not] check the diskette in drive A: when the user
presses Ctrl-Alt-Del
