1992-12-29
Thunderbyte file guard. (C) Copyright 1992 Thunderbyte B.V.
Table of Contents
1. INTRODUCTION...................................... 2
1.1. Purpose of TbFile........................... 2
1.2. A Quick start............................... 2
1.3. Benefits.................................... 2
2. USAGE OF THE PROGRAM.............................. 4
2.1. System requirements......................... 4
2.2. Program invocation.......................... 4
2.2.1. Invocation in Config.Sys.............. 5
2.2.2. Invocation in network environment..... 5
2.2.3. Invocation when using MS-Windows...... 5
2.3. Detection of suspicious activity............ 5
2.4. Command line options........................ 8
2.4.1. help ................................. 8
2.4.2. off .................................. 8
2.4.3. on ................................... 8
2.4.4. remove ............................... 8
2.4.5. secure ............................... 9
2.4.6. allattrib ............................ 9
2.5. Examples:................................... 9
3. CONSIDERATIONS AND RECOMMENDATIONS............... 10
3.1. Solving incompatibility problems........... 10
3.2. Reducing the memory requirements........... 10
Page i
1. INTRODUCTION
1.1. Purpose of TbFile
There are several categories of viruses. The two most important
ones are bootsector viruses and file viruses. The file viruses have
in common that they infect programs. Infecting a program is a very
specific operation that does not look like any other file
operation, and therefore it is possible to detect this activity.
TbFile monitors the system and detects attempts of programs to
infect other programs. Unlike other file guards, TbFile monitors
the system only for virus specific file modifications. TbFile does
not generate an alarm when a program changes itself for
configuration purposes, nor does it bother you when you update a
program or even create a program yourself. In normal system
configurations you will never get a false alarm!
1.2. A Quick start
Although we highly recommend a complete reading of this manual, here
are some directions for a quick run of TbFile:
Load TbDriver first if it is not yet loaded. Type "TbDriver" and
press return.
To load TbFile type "TbFile" and press return.
The invocation syntax is:
TbFile [<options>]...
For fast online help type "TbFile ?" or "TbFile help".
1.3. Benefits
TbFile has several advantages over other file guards:
+ TbFile not only detects attempts to infect programs, it also
offers you the option to abort the infection process and to
continue the program.
+ TbFile detects other suspicious activities - like setting the
seconds to an illegal value - too.
+ TbFile has a very sophisticated infection detector and it will
not give a false alarm when you perform standard file
operations. In normal configurations you will never get a false
alarm!
+ Files can be protected against unwanted modifications by means
of the read-only attribute. Without TbFile this standard DOS
protection can be circumvented easily. TbFile however makes
sure any attempts to sabotage the readonly attribute will not
go undetected. This gives you added security by letting you use
an uncomplicated method to fully protect your files against
destruction and infection.
+ TbFile is fully network compatible. It does not require you to
reload the checker after logging on to a network. Other
resident anti-virus utilities force you to choose between
protection before the network is started, or protection after
the network is started, but not both.
+ TbFile can display its messages in your local language.
+ TbFile uses less than 2Kb of memory, and it can be loaded
into upper memory.
2. USAGE OF THE PROGRAM
2.1. System requirements
TbFile runs perfectly on standard machines, in line with our
philosophy that there should be a limit to limitations.
+ TbFile can be executed under DOS version 3.00 (and all later
versions). However, Dos 5.0 or higher is recommended, since
TbFile has been optimized and designed primarily for use with
these DOS versions.
+ TbFile requires about 5 Kb of free memory to be invoked.
After termination it requires only 2Kb of memory.
2.2. Program invocation
It is recommended to invoke TbFile automatically from within your
Config.Sys or Autoexec.Bat file. It is important to invoke TbFile
as early as possible after the machine has booted. For that reason
it is desirable to invoke TbFile from within the Config.Sys file.
TbFile requires TbDriver to be loaded first!
TbFile is easy to use. The syntax is as follows:
TbFile [<options>]...
There are three possible ways to invoke TbFile:
To invoke TbFile from the DOS prompt or within the Autoexec.Bat
file:
<path>TbFile
To invoke TbFile from the Config.Sys as a TSR (Dos 4+):
Install=<path>TbFile.Exe
To invoke TbFile from the Config.Sys as a device driver:
Device=<path>TbFile.Exe
TbFile should always work correctly after being started from
within the Autoexec.Bat. The "Install=" Config.Sys command is
NOT available in DOS 3.xx.
In addition to the three invocation possibilities, DOS 5+ users can
"highload" TbFile into a UMB (upper memory block) if one is
available:
LoadHigh <path>TbFile.Exe
Within the Config.Sys file TbFile can also be loaded high:
DeviceHigh=<path>TbFile.Exe
2.2.1. Invocation in Config.Sys
-> Invoking TbFile as a device driver does not work in all OEM
versions of DOS. You have to try it; if it does not work, use the
"Install=" command or load TbFile from within the Autoexec.Bat.
2.2.2. Invocation in network environment
-> Unlike other anti-virus products, the Thunderbyte anti-virus
utilities can be loaded before the network is started without
losing the protection after the network has been started.
2.2.3. Invocation when using MS-Windows
-> Windows users should invoke TbFile BEFORE starting Windows.
If you do that there is only one copy of TbFile in memory, but
every DOS-window will nevertheless have a fully functional
TbFile in it. TbFile detects if Windows is starting up, and
will switch itself into multitasking mode if necessary. You can
even disable TbFile in one window without affecting the
functionality in another window.
2.3. Detection of suspicious activity
If TbFile detects suspicious activities it alerts you with a
pop-up window with a message in your own language. You can either
choose to continue, or to abort the suspicious operation.
The following messages can appear:
┌────────────────────────────────────────────┐
│ Attempt to modify the startup code of      │
│ <filename>. This is the way a VIRUS        │
│ contaminates a program!                    │
│ You are strongly advised to press "Y"!     │
│ Cancel program modification? (Y/N)         │
└────────────────────────────────────────────┘
Cause:
A virus contaminating a program will always try to execute its own
code ahead of the original program code. To be able to do that it
must patch the victim's startup code, pointing to its own routine
first, before permitting a jump back to the original start of the
program. TbFile detects this and issues a stern warning you do not
want to ignore.
There are no programs which store their configuration setup in the
startup code! This message can only mean that a virus is about to
infect a program, or that you are using a programming tool which
alters the startup code of your program legitimately. One such
program is the EXEPACK utility. Compilers and linkers are not
likely to be mistaken for viruses.
┌────────────────────────────────────────────┐
│ Attempt to add some code to program        │
│ file <filename>. It could be a             │
│ VIRUS attaching itself to that program.    │
│ It is recommended to press "Y"!            │
│ Cancel program modification? (Y/N)         │
└────────────────────────────────────────────┘
Cause:
TbFile detected a flagrant attempt to add code to a program file.
You are almost certainly dealing with a virus.
Please note that stealth viruses will hide the added data again
afterwards. TbFile however detects that data is going to be added!
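As an added example (not Thunderbyte's code), the two heuristics above re-created in Python: the "startup code" is taken to be a COM file's first three bytes or an EXE header's initial IP and CS, and a file that grows while its original body survives counts as appended code. The COM images and the appender are constructed for the demonstration.

```python
import struct

MZ_HEADER_LEN = 0x1C   # fixed part of the DOS EXE header

def is_exe(image: bytes) -> bool:
    return len(image) >= MZ_HEADER_LEN and image[:2] in (b"MZ", b"ZM")

def startup_code(image: bytes) -> bytes:
    """The bytes that decide what runs first: a COM file's first 3 bytes (room
    for a JMP) or an EXE header's initial IP and CS at offsets 0x14 and 0x16."""
    return image[0x14:0x18] if is_exe(image) else image[:3]

def body(image: bytes) -> bytes:
    """Everything after the startup region; for an EXE the whole header is
    skipped, because a legitimate relink also rewrites its size fields."""
    return image[MZ_HEADER_LEN:] if is_exe(image) else image[3:]

def classify_modification(before: bytes, after: bytes) -> list:
    """Return the TbFile-style alerts that rewriting `before` as `after` deserves."""
    alerts = []
    if startup_code(before) != startup_code(after):
        alerts.append("startup code modified")        # first pop-up above
    old_body = body(before)
    if len(after) > len(before) and body(after)[:len(old_body)] == old_body:
        alerts.append("code appended")                # second pop-up above
    return alerts

# --- constructed sample files --------------------------------------------
# A tiny COM program (mov ah,4Ch / int 21h) padded with NOPs.
CLEAN_COM = b"\xb4\x4c\xcd\x21" + b"\x90" * 12
# The same file after a constructed appender: a JMP to the new tail replaces
# the first three bytes, the rest is kept, 32 bytes (0xCC) are added.
INFECTED_COM = (b"\xe9" + struct.pack("<H", len(CLEAN_COM) - 3)
                + CLEAN_COM[3:] + b"\xcc" * 32)
# A program rewriting its own configuration bytes in place: same size, startup
# code untouched, so TbFile stays silent.
RECONFIGURED_COM = CLEAN_COM[:8] + b"\x01\x02\x03\x04" + CLEAN_COM[12:]

def demo() -> dict:
    return {"infected": classify_modification(CLEAN_COM, INFECTED_COM),
            "reconfigured": classify_modification(CLEAN_COM, RECONFIGURED_COM)}

if __name__ == "__main__":
    print(demo())   # {'infected': ['startup code modified', 'code appended'], 'reconfigured': []}
```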
┌────────────────────────────────────────────┐
│ Attempt to modify <filename>, using        │
│ obsolete FCB functions. It could be a      │
│ VIRUS attaching itself to that program!    │
│ It is recommended to press "Y"!            │
│ Cancel program modification? (Y/N)         │
└────────────────────────────────────────────┘
Cause:
This is a warning about one program trying to manipulate another.
FCB functions are a heritage of early DOS versions. Viruses
sometimes use them in the assumption that anti-virus products won't
bother to check for rare FCB operations. That may be true for some,
but NOT for TbFile.
File Control Block functions are rarely needed in modern-day
programming and have been totally abandoned by programming tools.
As it is possible that you are dealing with a virus it is wisest to
respond with YES and abort, and then try to locate the cause.
┌────────────────────────────────────────────┐
│ Attempt to rename <filename> to            │
│ <filename>. TbFile will only protect       │
│ executables, so after this file has        │
│ been renamed, it can be infected           │
│ without interception! Cancel (Y/N)         │
└────────────────────────────────────────────┘
Cause:
An attempt is made to rename an executable EXE or COM file to a
name with a different extension. As TbFile only protects program
files against infection, this is how a virus might try to escape
attention first and then finish the job by restoring the original
extension.
If you gave the rename command yourself, you'll know that you may
safely ignore this message. If you did not use the rename command
it is likely that there is a virus in your program and you should
choose to cancel.
┌────────────────────────────────────────────┐
│ Attempt to set the seconds part of         │
│ <filename>'s timestamp to an               │
│ invalid value! Normally the seconds are    │
│ hidden, so some viruses use this value     │
│ as a signature. Cancel (Y/N)               │
└────────────────────────────────────────────┘
Cause:
Viruses want to avoid infecting a program a second time, which is
not only useless but makes detection more likely. A number of
viruses check whether a program has been infected already by
reading part of the program file and comparing this with
themselves. This takes a relatively long time and is therefore
highly conspicuous. That is why some viruses use the seconds part
of the timestamp as a mark. As the seconds do not normally appear
on the screen when you call up a directory, a virus can easily
change them to an unusual value, such as 62, so that it will know
instantly that the program has had an earlier visit.
It is highly recommended to abort the current action and to
investigate the program being executed or copied.
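An added example, not from the TBAV package: decoding FAT directory entries to find program files whose timestamp carries the seconds mark described above. The DOS time word stores seconds/2 in a 5-bit field, so only values 0..29 (0..58 seconds) can come from a clock; 30 and 31 (60 and 62 seconds) can only have been written deliberately. The directory entries are constructed, and the read-only attribute bit is decoded as well because the next alert concerns it.

```python
import struct

ATTR_READ_ONLY, ATTR_DIRECTORY = 0x01, 0x10   # attribute bits TbFile cares about

def decode_dos_time(word: int):
    """A DOS time word is hhhhh mmmmmm sssss; the 5-bit field stores seconds/2.
    A real clock yields 0..29 (0..58 s); 30 or 31 (60 or 62 s) is the "invalid
    value" the alert above refers to."""
    return word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2

def parse_dir_entry(raw: bytes) -> dict:
    """Extract the fields of one 32-byte FAT directory entry used here."""
    if len(raw) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    name = raw[:8].decode("ascii").rstrip()
    ext = raw[8:11].decode("ascii").rstrip()
    wtime, = struct.unpack_from("<H", raw, 22)   # last-write time
    size, = struct.unpack_from("<I", raw, 28)    # file size
    return {"name": f"{name}.{ext}" if ext else name, "attr": raw[11],
            "read_only": bool(raw[11] & ATTR_READ_ONLY),
            "time": decode_dos_time(wtime), "size": size}

def has_seconds_mark(entry: dict) -> bool:
    """True when the seconds field cannot have come from the system clock."""
    return entry["time"][2] >= 60

def make_entry(name, ext, attr, hour, minute, sec_field, size) -> bytes:
    """Constructed directory entry; date, cluster and creation fields are zero."""
    word = (hour << 11) | (minute << 5) | sec_field
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr])
            + bytes(10) + struct.pack("<H", word) + bytes(4) + struct.pack("<I", size))

def scan_directory(entries: bytes) -> list:
    """Names of program files whose timestamp carries a seconds mark."""
    hits = []
    for off in range(0, len(entries), 32):
        e = parse_dir_entry(entries[off:off + 32])
        if e["attr"] & ATTR_DIRECTORY:
            continue
        if e["name"].upper().endswith((".COM", ".EXE")) and has_seconds_mark(e):
            hits.append(e["name"])
    return hits

# Constructed sample directory: a clean read-only COMMAND.COM, a program stamped
# with 62 seconds, and a data file with the same stamp (TbFile only guards programs).
SAMPLE_DIR = (make_entry("COMMAND", "COM", ATTR_READ_ONLY, 6, 0, 0, 47845)
              + make_entry("EDIT", "EXE", 0, 12, 30, 31, 413)
              + make_entry("NOTES", "TXT", 0, 12, 30, 31, 77))
if __name__ == "__main__":
    print(scan_directory(SAMPLE_DIR))   # ['EDIT.EXE']
```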
┌────────────────────────────────────────────┐
│ Attempt to remove the read-only            │
│ attribute for <filename>.                  │
│ After this attribute has been removed,     │
│ the file can be modified or deleted.       │
│ Keep the readonly attribute? (Y/N)         │
└────────────────────────────────────────────┘
Cause:
You will receive a message as soon as an attempt is made to reset a
readonly attribute. A virus must remove it before it is able to
infect a file. It is therefore recommended to let TbSetup set the
readonly attribute of all program files. For more information about
this consult the TbSetup documentation.
Some utilities permit users to remove and set read-only attributes
at will, in which case the operation should be allowed to continue.
If you are using option 'allattrib' the following may apply to you
as well: There are also programs that 'protect' their data files
by setting this attribute as a matter of course, resetting it
temporarily whenever the file needs updating. This causes the
message to appear each time they do.
It is possible to allow certain programs to remove the read-only
attribute by using TbSetup. Flag-value 0040 is used for this
purpose. You can either set this flag by adding the name of the
program to the TbSetup.Dat file or by using the command:
TbSetup <filename> Set=0040
Consult the documentation of TbSetup for more information.
TbSetup itself has this permission flag already set, so you will
not get an alarm if you use TbSetup to remove the readonly
attributes.
2.4. Command line options
It is possible to specify options on the command line. The upper
four options are always available, the other options are only
available if TbFile is not already resident in memory.
optionword   parameter   short   explanation
----------   ---------   -----   ----------------------------
help                     ?       =display this helpscreen
off                      d       =disable checking
on                       e       =enable checking
remove                   r       =remove TbFile from memory
secure                   s       =all permissions denied
allattrib                a       =readonly check on all files
2.4.1. help (?)
If you specify this option TbFile will show you the brief help as
shown above.
2.4.2. off (d)
If you specify this option TbFile will be disabled, but it will
remain in memory.
2.4.3. on (e)
If you use this option TbFile will be activated again after you
disabled it with the 'off' option.
2.4.4. remove (r)
This option can be used to remove the resident part of TbFile from
your system's memory. All memory used by TbFile will be released.
Unfortunately, the removal of a TSR (like TbFile) is not always
possible. TbFile checks whether it is safe to remove the resident
part from memory. If it is not safe it just disables TbFile. A TSR
can not be removed if another TSR has been started after it. If
this happens with TbFile it will completely disable itself.
2.4.5. secure (s)
TbFile normally asks the user to continue or to cancel when a
program tries to perform a suspicious operation. In some business
environments however this choice should not be made by employees.
By using option 'secure' it is no longer possible to allow
suspicious operations.
2.4.6. allattrib (a)
TbFile normally only protects the readonly attribute of executables
(program files with the extension COM and EXE). If you want to have
the readonly check on all files add option 'allattrib'. In this
case you always get an alarm when an attempt is made to remove the
readonly attribute of any file.
2.5. Examples:
C:\utils\TbFile allattrib
or:
Device=C:\utils\TbFile.Exe allattrib
3. CONSIDERATIONS AND RECOMMENDATIONS
3.1. Solving incompatibility problems
Although TbFile has been designed to cooperate with other resident
software, other software may not have been, causing system errors or
worse.
The problems most often incurred:
Problem:
If TbFile tries to display a message, the text 'message file
<filename> could not be opened' appears.
Solution:
Specify the FULL path and filename of the file that you will
use as message file after the TbDriver invocation. The default
filename is TbDriver.Lng.
Problem:
You are running a network. TbFile is installed successfully,
but it does not detect anything anymore.
Solution:
Use the command 'TbDriver net' after the network has been
loaded.
Problem:
The system sometimes hangs when you answer 'NO' (do NOT abort
program) to a TbFile message.
Solution:
Try using StackMan. StackMan is supplied in the TBAV package.
3.2. Reducing the memory requirements
Most PC users try to maintain as much free DOS memory as possible.
TbFile is designed to use a very small amount of DOS memory. To
decrease the memory requirements of TbFile even further do the
following:
- Load TbFile from within the Config.Sys file. If loaded as a
device driver TbFile has no Program Segment Prefix (PSP),
and that will save 256 bytes.
- If you invoke TbFile from within the Autoexec.Bat file do this
before establishing environment variables. DOS maintains a list
of environment variables for every resident program, so keep
this list small while installing TSRs. Once all TSRs have been
installed you can define all environment variables without
affecting the memory requirements of the TSRs.
- If you have DOS 5 or higher try to load TbFile into an upper
memory block using the "loadhigh" or "devicehigh" commands.
- Use one of the processor specific versions of TbFile. They all
consume less memory than the generic version of TbFile.
Processor optimized versions are available on any Thunderbyte
support BBS.