Text File | 1992-12-29 | 17KB | 601 lines
Thunderbyte resident integrity checker. (C) 1992 Thunderbyte B.V.
Table of Contents
1. INTRODUCTION
   1.1. Purpose of TbCheck
   1.2. A Quick start
   1.3. Benefits
2. USAGE OF THE PROGRAM
   2.1. System requirements
   2.2. Program invocation
        2.2.1. Invocation in Config.Sys
        2.2.2. Invocation in network environment
        2.2.3. Invocation when using MS-Windows
   2.3. While checking
   2.4. Detecting file changes
   2.5. Command line options
        2.5.1. help
        2.5.2. off
        2.5.3. on
        2.5.4. remove
        2.5.5. noavok
        2.5.6. fullcrc
        2.5.7. secure
   2.6. Examples
3. CONSIDERATIONS AND RECOMMENDATIONS
   3.1. Solving incompatibility problems
   3.2. Reducing the memory requirements
   3.3. Testing the checker
1. INTRODUCTION
1.1. Purpose of TbCheck
TbCheck is an integrity checker. It uses the Anti-Vir.Dat records
generated by TbSetup to detect file changes. The Anti-Vir.Dat
records contain information like file sizes and checksums of
every executable file. By comparing this information with the
actual file status it is possible to detect any change of these
files, and thus to detect infections caused by viruses.
By now already many integrity checkers have been developed. The
problem with all these checkers is that you have to execute them.
Suppose you have the integrity checker automatically invoked in
your autoexec.bat file. If no files are changed, your system is
supposed to be uninfected. But, to be sure that no virus can infect
your system, you have to run the checker frequently.
TbCheck has a unique feature to overcome this tedious checking.
Once invoked it will remain resident in memory, and AUTOMATICALLY
scan all programs you try to execute!
You probably think that a resident integrity checker consumes much
memory, makes your system slow, and is a source of many problems.
But, if you are familiar with our shareware scanner TBSCAN, you know
that this scanner can scan and check your files faster than any
other scanner. TbCheck achieves lightning fast speed as well.
TbCheck itself requires only 600 bytes and can be loaded in upper
memory.
1.2. A Quick start
Although we highly recommend a complete reading of this manual, here
are some directions for a quick run of TbCheck:
Load TbDriver first if it is not yet loaded. Type "TbDriver" and
press return.
To load TbCheck type "TbCheck" and press return.
The invocation syntax is:
TBCHECK [<options>]...
For fast online help type "TbCheck ?" or "TbCheck help".
1.3. Benefits
By now many different integrity checkers have been developed.
However, TbCheck has a number of important and unique advantages
over other checkers. These are:
+ TbCheck is fully network compatible. It does not require you to
reload the checker after logging on to the network. Other
resident anti-virus utilities force you to choose between
protection before the network is started, or protection after
the network is started, but not both.
+ TbCheck can display its messages in your local language.
+ TbCheck uses very little memory when compared to other resident
integrity checkers. TbCheck and TbDriver require together less
than 4Kb of memory. Of course you can also load these programs
into upper memory.
2. USAGE OF THE PROGRAM
2.1. System requirements
TbCheck runs perfectly on standard machines, in line with our
philosophy that there should be a limit to limitations.
+ TbCheck can be executed under DOS version 3.00 (and all later
versions). However, Dos 5.0 or higher is recommended, since
TbCheck has been optimized and designed primarily for use with
these DOS versions.
+ TbCheck requires about 4 Kb of free memory to be invoked.
After termination it requires only 600 bytes of memory.
2.2. Program invocation
It is recommended to invoke TbCheck automatically from within your
Config.Sys or Autoexec.Bat file. It is important to invoke TbCheck
as early as possible after the machine has booted. For that reason
it is possible to invoke TbCheck from within the Config.Sys file.
TbCheck requires TbDriver to be loaded first!
TbCheck is easy to use. The syntax is as follows:
TbCheck [<options>]...
There are three possible ways to invoke TbCheck:
To invoke TbCheck from the DOS prompt or within the Autoexec.Bat
file:
<path>TbCheck
To invoke TbCheck from the Config.Sys as a TSR (Dos 4+):
Install=<path>TbCheck.Exe
To invoke TbCheck from the Config.Sys as a device driver:
Device=<path>TbCheck.Exe
TbCheck should always work correctly after being started from
within the Autoexec.Bat. The "Install=" Config.Sys command is
NOT available in DOS 3.xx.
In addition to the three invocation possibilities DOS 5 users can
"highload" TbCheck in an UMB (upper memory block) if it is
available:
LoadHigh <path>TbCheck.Exe
Within the Config.Sys file TbCheck can also be loaded high:
DeviceHigh=<path>TbCheck.Exe
2.2.1. Invocation in Config.Sys
-> Invoking TbCheck as a device driver does not work in all OEM
versions of DOS. You have to try it, if it doesn't work use the
"Install=" command or load TbCheck from within the Autoexec.Bat.
2.2.2. Invocation in network environment
-> Unlike other anti-virus products, the Thunderbyte anti-virus
utilities can be loaded before the network is started without
losing the protection after the network is started.
2.2.3. Invocation when using MS-Windows
-> Windows users should invoke TbCheck BEFORE starting Windows.
If you do that there is only one copy of TbCheck in memory, but
every DOS-window will nevertheless have a fully functional
TbCheck in it. TbCheck detects if Windows is starting up, and
will switch itself into multitasking mode if necessary. You can
even disable TbCheck in one window without affecting the
functionality in another window.
2.3. While checking
Whenever a program tries to write to an executable file (files with
the extensions .COM and .EXE), you will shortly see the text
"*Checking*" in the upper left corner of your screen. The text stays
on screen for as long as TbCheck is checking. Since TbCheck does not
take much time to check the file, the message will only appear briefly.
2.4. Detecting file changes
TbCheck quickly checks a program when that program gets invoked.
If TbCheck detects that a file has been changed, a pop-up window
will appear with a message, informing you about this in your own
language. You can either choose to continue, or to abort the
program invocation.
If there is no information (Anti-Vir.Dat) about the program,
TbCheck will inform you about this too. You can either choose to
continue without checking, or to abort the program invocation.
2.5. Command line options
It is possible to specify options on the command line. The first
four options are always available; the other options are only
available if TbCheck is not already resident in memory.
optionword   parameter     short   explanation
----------   -----------   -----   ----------------------------------
help                       ?       display this help screen
off                        d       disable checking
on                         e       enable checking
remove                     r       remove TbCheck from memory
noavok       [=<drives>]   o       check for mismatches only
fullcrc                    f       calculate full CRC (slow!)
secure                     s       do not execute unauthorized files
2.5.1. help (?)
If you specify this option TbCheck will show you the brief help as
shown above. Once TbCheck has been loaded the help option will not
show all options anymore.
2.5.2. off (d)
If you specify this option TbCheck will be disabled, but it will
remain in memory.
2.5.3. on (e)
If you use this option TbCheck will be activated again after you
disabled it with the 'off' option.
2.5.4. remove (r)
This option can be used to remove the resident part of TbCheck from
your memory. All memory used by TbCheck will be released.
Unfortunately, the removal of a TSR (like TbCheck) is not always
possible. TbCheck checks whether it is safe to remove the resident
part from memory; if it is not safe it just disables TbCheck. A TSR
cannot be removed if another TSR is started after it. If this
happens with TbCheck it will completely disable itself.
2.5.5. noavok (o)
TbCheck will display a message if it cannot find the checksum
information located in the Anti-Vir.Dat file. This makes sure that
if a malicious program deletes the Anti-Vir.Dat file, or if somebody
adds a program to your system, you will get a warning. Although it
is recommended to maintain Anti-Vir.Dat files on all drives, it
might not be practical to maintain an Anti-Vir.Dat file on floppy
disks, ramdisks, CD-ROM disks, etc. You can exclude specific drives
from the Anti-Vir.Dat requirement by using option 'noavok'. With
this option you can specify the drives on which Anti-Vir.Dat
records are not required. For instance, if you don't want an alarm
if a program on a floppy disk (A: and B:) or on your ramdisk (E:)
doesn't have an Anti-Vir.Dat record, you should specify:
"NoAvOk=ABE". If you don't specify a parameter to option 'noavok'
TbCheck will never issue a warning if an Anti-Vir record is missing
on any drive. Note that this offers a security hole for viruses: by
deleting the Anti-Vir.Dat file you will not detect the file change
caused by the infection.
Of course option 'noavok' has no effect on the detection of
infected programs: if a program has been changed and the Anti-Vir
record is available, you will get an alarm regardless of the use of
option 'noavok'.
2.5.6. fullcrc (f)
TbCheck by default only checks the part of the file near the entry
point. If a virus infects the file, this area is guaranteed to
change, so this is sufficient to detect all infections. Other file
changes (like configuration information) will not trigger the
alarm. However, if you want for any reason a full check that
detects any change of the file, you can use this option. Note that
this slows down the system considerably! This option is not
recommended for normal (anti-virus) usage!
2.5.7. secure (s)
TbCheck normally asks the user to continue or to cancel when a file
has been changed or when there is no checksum information
available. In some business environments however this choice should
not be made by employees. By using option 'secure' it is no longer
possible to execute new or unknown programs, or programs that have
been changed.
2.6. Examples:
C:\utils\TbCheck secure
(load TbCheck and do not allow it to run unauthorized files)
or:
Device=C:\utils\TbCheck.Exe noavok=abe
(load TbCheck and do not warn for missing Anti-Vir.Dat records
on drive A:, B: and E:).
3. CONSIDERATIONS AND RECOMMENDATIONS
3.1. Solving incompatibility problems.
Although TbCheck has been designed to cooperate with other resident
software, other software may not have been, causing system errors or
worse.
The problems most often encountered:
Problem:
If TbCheck tries to display a message, the text 'message file
<filename> could not be opened' appears.
Solution:
Specify the FULL path and filename of the file that you will
use as message file after the TbDriver invocation. The default
filename is TbDriver.Lng
Problem:
You are running a network. TbCheck is installed successfully,
but it does not display the "*checking*" message while
accessing files. It also does not detect viruses.
Solution:
Use the command 'TbDriver net' after the network has been
loaded.
Problem:
The system sometimes hangs when the message "*checking*" is on
the screen. The problem however is hard to reproduce.
Solution:
Try using StackMan. StackMan is supplied in the TBAV package.
Problem:
Everything works well, but as soon as I load a specific TSR the
system hangs immediately after the TSR goes resident.
Solution:
Use StackMan with the -dos option and try again.
3.2. Reducing the memory requirements.
Most PC users try to maintain as much free DOS memory as possible.
TbCheck is designed to use a very small amount of DOS memory. To
decrease the memory requirements of TbCheck any further do the
following:
- Load TbCheck from within the Config.Sys file. If loaded as a
device driver TbCheck has no Program Segment Prefix (PSP),
and that saves 256 bytes.
- If you invoke TbCheck from within the Autoexec.Bat file do this
before establishing environment variables. DOS maintains a list
of environment variables for every resident program, so keep
this list small while installing TSRs. Once all TSRs are
installed you can define all environment variables without
affecting the memory requirements of the TSRs.
- If you have DOS 5 or higher try to load TbCheck into an upper
memory block using the "loadhigh" or "devicehigh" commands.
- Use one of the processor specific versions of TbCheck. They all
consume less memory than the generic version of TbCheck.
Processor optimized versions are available on any Thunderbyte
support BBS.
3.3. Testing the checker
Many people understandably wish to test the product they are using.
While it is very easy to test, for instance, a word processor, it
is very difficult to test a smart integrity checker like TbCheck.
You cannot randomly change 25 bytes from an executable just to
find out whether or not TbCheck will detect the file change. It is
very likely that TbCheck will NOT detect it because it only checks
the entry-area of the file whereas the changed bytes might be
located on another location within the file.
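As an added illustration of the entry-area check described in 2.5.6 and of the testing caveat above (example code written for this page, not part of the Thunderbyte product; the 64-byte window, the record layout and the sample MZ image are constructed assumptions), the following shows why a random edit elsewhere in a file passes the default check but is caught with 'fullcrc', while a change at the entry point is caught either way:

```python
import struct
import zlib
# Entry-point window size: assumed, the manual only says "near the entry point".
ENTRY_WINDOW = 64

def entry_point_offset(image: bytes) -> int:
    """File offset of the first instruction DOS executes: offset 0 for a .COM
    file; header_size + CS*16 + IP for an MZ .EXE (CS relative to load segment)."""
    if len(image) >= 0x1C and image[:2] in (b"MZ", b"ZM"):
        (header_paragraphs,) = struct.unpack_from("<H", image, 0x08)
        ip, cs = struct.unpack_from("<Hh", image, 0x14)  # CS is signed in MZ
        return header_paragraphs * 16 + cs * 16 + ip
    return 0

def make_record(image: bytes) -> dict:
    """Anti-Vir.Dat-style record (constructed layout, not TbSetup's real format)."""
    start = entry_point_offset(image)
    return {"size": len(image),
            "entry_crc": zlib.crc32(image[start:start + ENTRY_WINDOW]),
            "full_crc": zlib.crc32(image)}

def check(image: bytes, record: dict, fullcrc: bool = False) -> str:
    """Default mode compares only the entry area (fast); fullcrc the whole file."""
    if fullcrc:
        return "ok" if zlib.crc32(image) == record["full_crc"] else "changed"
    start = entry_point_offset(image)
    actual = zlib.crc32(image[start:start + ENTRY_WINDOW])
    return "ok" if actual == record["entry_crc"] else "changed"

def build_sample_exe() -> bytes:
    """Constructed minimal MZ image: 32-byte header, 64 bytes of code at CS:IP = 0:0,
    then 256 bytes of 'configuration data' that legitimate edits may touch."""
    header = bytearray(32)
    header[:2] = b"MZ"
    struct.pack_into("<H", header, 0x08, 2)       # header length: 2 paragraphs
    struct.pack_into("<Hh", header, 0x14, 0, 0)   # initial IP, initial CS
    code = b"\xB4\x4C\xCD\x21" + b"\x90" * 60     # mov ah,4Ch / int 21h, padding
    return bytes(header) + code + bytes(range(256))

def scenario() -> dict:
    """Run the three cases the manual discusses and report each verdict."""
    clean = build_sample_exe()
    record = make_record(clean)
    edited = bytearray(clean)
    edited[200:225] = b"\xFF" * 25                # 25 bytes changed far from the entry
    infected = clean[:32] + b"\xE9\x00\x01" + clean[35:] + b"\x00" * 100  # JMP to appended code
    return {"edit_default": check(bytes(edited), record),
            "edit_fullcrc": check(bytes(edited), record, fullcrc=True),
            "infect_default": check(infected, record)}
```

Calling scenario() returns "ok" for the edited file under the default check and "changed" under fullcrc, and "changed" for the infected file even with the default check.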