Computer Buyer 1997 January / dpcb197.iso / tools / avg / INSTALL.DAT / AVGF_DOC.TXT
Text file | 1996-10-30 | 118KB | 2,613 lines
╔══════════════════════════════════════════════════════════════╗
║                                                              ║
║  This is the FREEWARE version of AVG 4.1 anti-virus system.  ║
║  It is protected by copyright but can be used subject        ║
║  to the conditions which are an inseparable part             ║
║  of AVG FREEWARE                                             ║
║                                                              ║
╚══════════════════════════════════════════════════════════════╝
This is the FREEWARE version of AVG 4.1 anti-virus system. It is
protected by copyright but can be used subject to the following
conditions: It may be used by anybody for their private use for an
unlimited length of time. Commercial, educational, medical or any
state run organisation may use it for a period of only 60 days from
the day on which it was first obtained. Thereafter the software must
be uninstalled or upgraded to the commercial version. The software
may be copied and passed on to third parties but must not be modified
in any way and nobody can charge for the software.
The authors of AVG FREEWARE do not take any responsibility for any
consequences of the use/misuse of the software or for the consequences of
computer virus infection on a computer running AVG.
Limitations of FREEWARE AVG
═══════════════════════════
The FREEWARE version of AVG does not come with the driver AVGSYS.EXE,
so will not provide resident protection, and will not remove a virus
from your computer (it will remove boot viruses). These features are
reserved for the commercial version.
**************************************************************************
How to use this manual
══════════════════════
We know from experience that in order to be comprehensible, much of
the manual must explain the principles behind the various functions
and not merely describe how they are used.
Those passages applicable to both DOS and WINDOWS versions will be
of normal format, text pertaining to only one version will be indented
as below:
┌────┐
│C:\>│ This symbol denotes passages applying specifically to AVG for DOS.
└────┘
╔═╤═╗ This symbol denotes parts of the text concerning
╟─┼─╢ AVG for WINDOWS.
╚═╧═╝
▀████▀ This symbol will denote information of key
▀▀ importance.
▀▀
*******************************************************************************
Updating AVG
════════════
In view of rapid developments in the virus world, the AVG antivirus
system is being developed continuously. There are two ways in which
GRISOFT(c) SOFTWARE keeps its customers up to date:
New versions of AVG
───────────────────
These are issued regularly (approx. once a year). The new versions
involve considerable qualitative changes, i.e. improved techniques
for searching for viruses, new functions, and so on. All registered
users are notified by the manufacturer and can purchase the Upgrade
at a discount.
Updating AVG
────────────
Updates are released each month. These include new virus
information and minor changes to the program. All files are in
one self-extracting archive and can be downloaded from the Internet
free of charge (file UPDATE.TXT contains all addresses and telephone
numbers). A postal diskette service is available at a nominal cost.
The distribution file has the following format: xxyyyAVG.EXE, where
xx  = the year in which the updated program was created, e.g. 95
yyy = the number of the day of the year on which the program was
      updated, e.g. 046 = 15 February
****************************************************************************
Installation
════════════
Before installation, we recommend copying the installation diskette
and then using the copy rather than the original. If, however, a
virus-free environment cannot be guaranteed, install from the master
diskette and make a copy later.
Starting installation
─────────────────────
Throughout this section we assume that installation is from
drive A:. Should any other drive be used, substitute the
appropriate drive letter for A:.
┌────┐ From the command line type A:\INSTALL. This
│C:\>│ command will install AVG for DOS only.
└────┘
╔═╤═╗ From explorer (file manager in WINDOWS 3.x)
╟─┼─╢ choose A:\SETUP. This will install AVG for both DOS and WINDOWS.
╚═╧═╝ AVG detects automatically which version of WINDOWS is running.
During installation a name and serial number will be requested.
The serial number can be found on the registration card. If an
incorrect number is entered three times the program will be declared
unregistered. AVG will work correctly but it will not be possible
to use the free updates.
Deleting older versions of AVG is optional. If this is selected the
installation program looks for an older version of AVG and deletes it.
Interactive setting of the resident AVGSYS driver is optional - towards
the end of installation various AVGSYS parameters will be offered.
Installing AVG to a diskette is optional - a blank formatted diskette,
preferably with system files, will be needed. Only the DOS version can
be installed to a diskette, which will then contain just the necessary
files.
Next the configuration files will be amended. The optional resident
driver AVGSYS.EXE is inserted in CONFIG.SYS and AUTOEXEC.BAT will be
extended by adding the AVG directory to the path. AVGSYSW.EXE is also
added, if AVG for WINDOWS is being installed.
For changes made during installation to take effect the system must
be restarted.
****************************************************************************
Resident Drivers NOT AVAILABLE IN FREEWARE
════════════════
An important part of AVG is the resident driver AVGSYS.EXE. It is
permanently located in memory to prevent virus infiltration and
constantly monitors system activities. Anything suspicious or
incorrect is interrupted and will not proceed unless confirmed.
Another driver, AVGSYSW.EXE, is required for WINDOWS to enable
communication between AVGSYS and WINDOWS 3.x or AVGWD.VXD and
WINDOWS 95.
In WINDOWS 95 the driver, AVGWD.VXD, is added to SYSTEM.INI during
installation. The default settings can be changed by running Driver
Settings from the AVG group.
Installation - DOS and WINDOWS 3.x
──────────────────────────────────
The driver must be loaded when the computer is booted - by the
DEVICE= command in CONFIG.SYS. It is not possible to activate the
driver in any other way.
DEVICE = disk:\directory\AVGSYS.EXE /parameters
Since the driver uses XMS memory, it should be started after the
driver that controls the XMS memory in your computer - usually this
is HIMEM.SYS.
If AVGSYS cannot use XMS memory then the boot sector of diskettes
cannot be checked.
Parameters
──────────
/AXMS[+/-] Determines whether the driver uses XMS memory.
About 33 kB is used as a working area. If XMS
memory is not available or not used (/AXMS-)
the driver will use the hard disk as a working area.
Environment : DOS and WINDOWS
Default : /AXMS+
Recommended : /AXMS+
Use : only in CONFIG.SYS file
/MESG[+/-] Determines whether AVGSYS displays messages
on the first line of the screen.
Environment : DOS
Default : /MESG+
Recommended : /MESG+
Use : CONFIG.SYS and from command line
/BEEP[+/-] Determines whether sound is used.
Environment : DOS and WINDOWS
Default : /BEEP+
Recommended : /BEEP+
Use : CONFIG.SYS and from command line
/FWRI[+/-] Turns on/off checking of COM/EXE files being opened
with write permission. If detected the following
is possible:
Yes - permits file to be opened
No - file will not be opened for writing
Always - same effect as Yes up to the end of the
calling program or until the time limit of
about 60 seconds is reached
Environment : DOS and WINDOWS
Default : /FWRI+
Recommended : /FWRI+
Use : CONFIG.SYS and from command line
/DWRI[+/-] Turns on/off checking for writes to system areas.
If detected the following is possible:
Yes - write to system areas will be allowed
No - write to system areas will not be
allowed - an error code will be returned to
the process which made this request.
Ignore - write will not be allowed. Error-free
status will be returned to the process
which made this request - as though the
operation had been carried out.
Environment : DOS and WINDOWS
Default : /DWRI-
Recommended : /DWRI+
Use : CONFIG.SYS and from command line
/SCAN[+/-] Turns on/off scan-test of opened files.
Environment : DOS and WINDOWS
Default : /SCAN-
Recommended : /SCAN+
Use : CONFIG.SYS and from command line
/COMP[+/-] Turns on/off comparative test of file when opened.
Environment : DOS and WINDOWS
Default : /COMP-
Recommended : /COMP-
Use : CONFIG.SYS and from command line
/RENM[+/-] Turns on/off checking for renaming COM/EXE files.
If detected the following is possible:
Yes - renaming permitted
No - renaming not permitted.
Environment : DOS and WINDOWS
Default : /RENM-
Recommended : /RENM+
Use : CONFIG.SYS and from command line
/BOOT[+/-] Turns on/off checking of diskette boot sector in
drive A:. This can be used only if XMS memory
is available.
Environment : DOS and WINDOWS
Default : /BOOT-
Recommended : /BOOT+
Use : CONFIG.SYS and from command line
/OPEN[+/-] Turns on/off scan-test on files when opened.
Environment : DOS and WINDOWS
Default : /OPEN-
Recommended : /OPEN-
Use : CONFIG.SYS and from command line
/WARM[+/-] Turns on/off checking for presence of diskette in
drive A: when Ctrl+Alt+Del is pressed.
Environment : DOS
Default : /WARM-
Recommended : /WARM+
Use : CONFIG.SYS and from command line
/GRWR[+/-] Determines whether AVGSYS displays messages in DOS
applications running in a graphics mode. Note that
first line on the screen cannot be restored in
graphics mode.
Environment : DOS
Default : /GRWR-
Recommended : /GRWR+
Use : CONFIG.SYS and from command line
/TUNN[+/-] Turns on/off checking for INT13/INT21 tunnelling.
Environment : DOS and WINDOWS
Default : /TUNN-
Recommended : /TUNN+
Use : CONFIG.SYS and from command line
/NETW[+/-] Determines whether network drives are to be
checked by /SCAN, /COMP, /OPEN, /FWRI.
AVGSYS /NETW+ must be run after loading network
drivers.
Parameters can be changed either from the command line or with
the help of SETSYS.EXE - these changes do not affect settings
in CONFIG.SYS.
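As an added illustration (not taken from the AVG manual or from GRISOFT), the CONFIG.SYS and AUTOEXEC.BAT lines that load the driver after HIMEM.SYS with the "Recommended" values from the parameter list above; the directories C:\DOS and C:\AVG and the network-client placeholder are assumptions.

```dos
REM CONFIG.SYS (constructed example; C:\DOS and C:\AVG are assumed paths)
DEVICE=C:\DOS\HIMEM.SYS
REM AVGSYS uses XMS for its working area, so it must follow HIMEM.SYS.
REM The default would be the weaker /DWRI- /SCAN- /RENM- /BOOT- /WARM- /GRWR-
REM /TUNN-; the switches below are the recommended settings from the list.
DEVICE=C:\AVG\AVGSYS.EXE /AXMS+ /DWRI+ /SCAN+ /RENM+ /BOOT+ /WARM+ /GRWR+ /TUNN+

REM AUTOEXEC.BAT (constructed example)
PATH=C:\DOS;C:\AVG
REM ... network client is loaded here (placeholder) ...
REM /NETW+ only works once the network drivers are loaded, so it is set
REM from the command line afterwards; this does not alter CONFIG.SYS.
AVGSYS.EXE /NETW+
```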
Updating the Driver
───────────────────
A list of active parameters can be obtained by executing the
AVGSYS.EXE driver without a parameter. AVGSYS /? displays a
list of parameters available - the letters in brackets mean:
i - can be initialised from CONFIG.SYS file
m - can be modified from the command line
Loading AVGSYS when booting can be suppressed by holding down
the left Ctrl and left Alt while CONFIG.SYS is being processed.
****************************************************************************
Starting AVG for DOS
════════════════════
This chapter describes the three ways of running AVG for DOS:
Interactive mode - most common
Command file - for automatic testing
Command line - for quick testing
Interactive mode
────────────────
For interactive mode the command line syntax is as follows:
AVG.EXE [/T] [/G] [/SD[number]] [/VGAHI[number]]
        [/ANALYSE[+/-]] [/FASTREAD[+/-]] [/XMS[+/-]]
        [/STEALTH[+/-]] [/BREAK[+/-]] [/NONSTOP]
        [/SUBDIR[+/-]] [/NOMEM] [/NOSELF] [/NOEXPORT]
        [/REPORTfilename]
The switches mean the following:
/T              Starts AVG in text mode.
/G              Starts AVG in VGA graphic mode.
/SD[number]     Loads default background in graphics mode
                - otherwise chosen at random from the few
                possibilities. The number ranges from 0
                to 5 and is linked to a background.
/VGAHI[number]  Starts in graphic mode of 800x600 pixels.
                The number must be hexadecimal and is used
                for direct setting of the video card mode
                - consult the video card manual.
/ANALYSE[+/-]   Turns on/off the fast heuristic analysis
                in scan-test.
/FASTREAD[+/-]  Turns on/off fast reading.
/XMS[+/-]       Turns on/off XMS memory usage.
/STEALTH[+/-]   Turns on/off anti-stealth technology.
/BREAK[+/-]     Turns on/off Ctrl-Break.
/NONSTOP        Tests and reports only. No user input expected.
/SUBDIR[+/-]    Turns on/off testing of subdirectories.
/NOMEM          Does not test RAM.
/NOSELF         Does not run AVG internal integrity check.
/NOEXPORT       Prevents creation of _GRISOFT.VIR file.
/REPORTfilename Creates a text file containing the results
                of the tests. The name of the file must be
                specified.
If none of the above parameters is given, the setting is either
taken from the configuration file or is the default.
The following shows the parameters, their defaults and whether
or not they are stored in the configuration file:
Parameter     Default   In configuration file
/T or /G      /G        Yes
/SD           random    No
/VGAHI        -         No
/ANALYSIS     +         Yes
/FASTREAD     +         Yes
/XMS          +         Yes
/STEALTH      +         Yes
/BREAK        -         No
/NONSTOP      -         Yes
/SUBDIR       +         No
/NOMEM        -         Yes
/NOSELF       -         No
/NOEXPORT     -         Yes
/REPORT       none      Yes
Desktop
After carrying out the initial tests the basic working area
appears with the following menus:
Info - basic information about AVG
Tests - test functions
Settings - setting program parameters
Utilities - backup and restore system areas and
other utilities
Exit - exits AVG
Help line       The bottom line of the desktop gives more information on
                the highlighted menu item.
Help            F1 calls up context sensitive help.
Mode indicator  The top right corner shows four letters (S, X, A, F)
                which indicate the current use of:
S - anti-stealth technology
X - XMS memory
A - fast heuristic analysis
F - fast read from the disk
The letters are displayed all the time, bright white when active,
otherwise grey. Note that they do not show the settings but current
usage. For instance, the letter F will be bright white only when
fast read is actually used.
Starting AVG with a command file
────────────────────────────────
AVG can be started with a command file to automate testing.
╔═╤═╗ This feature is not available in WINDOWS since it is designed
╟─┼─╢ for MS-DOS only. Macros will achieve a similar
╚═╧═╝ result - see chapter Macros.
The command file is an ASCII file containing permitted commands
and must not contain any other symbols such as control codes of
text editor. AVG will be controlled by the commands from this
file and no menu is displayed.
In this mode AVG only detects and reports - it will not repair
or update the comparative database.
Creating a command file
───────────────────────
The following commands can be used in the command file:
SCAN Activates Scan-test. The full syntax is:
SCAN [DEVICE:[\DIRECTORY[\FILE]]] [:number of days]
DEVICE:\DIRECTORY\FILE - device and/or directory, or a
particular file which is to be tested.
:number of days - time interval between tests run from
command file. If omitted or set to 0, the command is always
executed.
Example - SCAN C: D:\MYDIR:7
Runs Scan-test, if more than 7 days have passed since the
last test, on the whole of C: drive but on D: only directory
\MYDIR is tested.
COMP Activates comparative test. The syntax is
the same as for the SCAN command.
HEUR Activates heuristic analysis. Syntax is
the same as for the SCAN command.
STOP errorlevel AVG returns an ERRORLEVEL on exit. The
value corresponds to what AVG found.
Generally, the higher the value, the
more serious the finding.
The STOP command defines the ERRORLEVEL value beyond which
the process must not go. For instance STOP 7 will prevent AVG
from continuing if Scan-test finds a virus.
List of ERRORLEVEL values used by AVG :
0 AVG found nothing important or suspicious
1 AVG was aborted by Ctrl-Break
2 AVG detected error
3 Comparative test found change in file(s)
4 Comparative test found change in system areas
5 Code analysis detected suspect file
6 Code analysis detected suspect system area
7 Scan-test found file infected by known virus
8 Scan-test found system area infected by known virus
9 Memory test found virus
10 Memory test found aggressive virus
11 AVG found internal error
The following switches can also be used in a command file:
/SUBDIR[+/-] Turns on/off testing of subdirectories.
/ANALYSIS[+/-] Turns on/off fast heuristic analysis.
/FASTREAD[+/-] Turns on/off fast reading.
/XMS[+/-] Turns on/off XMS memory usage.
/STEALTH[+/-] Turns on/off anti-stealth technology.
/REPORTfilename Defines the name of the file to which
the results of the tests are to be
logged.
/NOMEM Does not test RAM.
/BREAK[+/-] Turns on/off Ctrl-Break.
Starting AVG with a command file
────────────────────────────────
The command line syntax is:
AVG /@command file name
Example command file:
/STOP 5
/SUBDIR+
/FASTREAD+
/ANALYSIS+
SCAN C:\DOS : 0
SCAN C:\ : 1
/SUBDIR-
COMP C:\ : 7
HEUR C:\ : 7
When AVG is started with this command file it carries out:
Scan-test of directory C:\DOS (including subdirectories) each
time it is run (even several times a day). Scan-test of
directory C:\ (including subdirectories) once a day.
Comparative test C:\ provided more than 7 days have elapsed
since last run from command line. Full heuristic analysis
C:\ provided more than 7 days have elapsed since last run
from command line.
If AVG finds an event with an errorlevel of 5 or higher in
any of the above tests, it stops the computer and gives a
warning.
The switches below are valid from the moment they are introduced
to the end of the command file or until any changes override them:
/SUBDIR+
/FASTREAD+
/ANALYSIS+
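To make the command-file semantics concrete (the ":days" interval, switches that stay in force until overridden, and the STOP threshold against the ERRORLEVEL table), here is an added interpreter for the format, written for this page and not part of AVG or the manual. It assumes the last-run date is kept per (test, target) pair and simulates the tests with a callback instead of scanning anything.

```python
"""Interpreter for the AVG for DOS command-file format described above.
Constructed example, not code from the AVG manual or GRISOFT.  Tests are
simulated by a callback returning an ERRORLEVEL so that :days scheduling,
switch scope and the STOP threshold can be traced offline."""
import re
from datetime import date, timedelta

# ERRORLEVEL values listed in the manual (0 = clean ... 11 = internal error)
ERRORLEVEL_TEXT = {0: "nothing important or suspicious", 1: "aborted by Ctrl-Break",
    2: "error detected", 3: "comparative test: file(s) changed",
    4: "comparative test: system areas changed", 5: "code analysis: suspect file",
    6: "code analysis: suspect system area", 7: "scan-test: file infected",
    8: "scan-test: system area infected", 9: "memory test: virus found",
    10: "memory test: aggressive virus found", 11: "internal error"}
TOGGLES = ("SUBDIR", "ANALYSIS", "FASTREAD", "XMS", "STEALTH", "BREAK")
TOGGLE_RE = re.compile(r"^/(%s)([+-])$" % "|".join(TOGGLES))
STOP_RE = re.compile(r"^/?STOP\s+(\d+)$")           # manual shows both spellings
TEST_RE = re.compile(r"^(SCAN|COMP|HEUR)\s+(.+)$")
INTERVAL_RE = re.compile(r"^(.*?)\s*:\s*(\d+)\s*$")  # trailing ':number of days'

def parse_command_file(text):
    """Return ('switch', (name, value)), ('stop', level) or
    ('test', (name, targets, days)) items.  Anything else is rejected: the
    manual forbids stray symbols such as text-editor control codes."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        upper = line.upper()
        if upper.startswith("/REPORT"):             # /REPORTfilename
            items.append(("switch", ("REPORT", line[7:])))
        elif upper == "/NOMEM":
            items.append(("switch", ("NOMEM", True)))
        elif STOP_RE.match(upper):
            items.append(("stop", int(STOP_RE.match(upper).group(1))))
        elif TOGGLE_RE.match(upper):
            name, sign = TOGGLE_RE.match(upper).groups()
            items.append(("switch", (name, sign == "+")))
        elif TEST_RE.match(upper):
            name, rest = TEST_RE.match(upper).groups()
            days = 0                                 # 0 or omitted: always run
            m = INTERVAL_RE.match(rest)
            if m:
                rest, days = m.group(1), int(m.group(2))
            items.append(("test", (name, tuple(rest.split()), days)))
        else:
            raise ValueError("not a valid command-file line: %r" % raw)
    return items

def run_command_file(text, today, last_run, scanner):
    """last_run maps (test, target) -> date of the previous run (updated in
    place); scanner(test, target, switches) simulates one test and returns
    an ERRORLEVEL.  Returns (log, worst_errorlevel, stopped)."""
    switches = {"SUBDIR": True, "ANALYSIS": True, "FASTREAD": True,  # manual
                "XMS": True, "STEALTH": True, "BREAK": False,        # defaults
                "NOMEM": False, "REPORT": None}
    stop_at, worst, log = None, 0, []
    for kind, payload in parse_command_file(text):
        if kind == "switch":
            switches[payload[0]] = payload[1]        # in force until overridden
        elif kind == "stop":
            stop_at = payload
        else:
            name, targets, days = payload
            for target in targets:
                last = last_run.get((name, target))
                # run only when more than `days` days have passed since the last run
                if days and last is not None and (today - last).days <= days:
                    log.append((name, target, "skipped", dict(switches)))
                    continue
                level = scanner(name, target, dict(switches))
                last_run[(name, target)] = today
                worst = max(worst, level)
                log.append((name, target, level, dict(switches)))
                if stop_at is not None and level >= stop_at:
                    return log, worst, True          # STOP: go no further
    return log, worst, False

# the manual's example command file (raw string because of DOS backslashes)
EXAMPLE_FILE = r"""/STOP 5
/SUBDIR+
/FASTREAD+
/ANALYSIS+
SCAN C:\DOS : 0
SCAN C:\ : 1
/SUBDIR-
COMP C:\ : 7
HEUR C:\ : 7
"""

def demo(infected=False):
    # constructed date and history: C:\ scanned yesterday, COMP run 10 days ago
    today = date(1996, 10, 30)
    last_run = {("SCAN", "C:\\"): today - timedelta(days=1),
                ("COMP", "C:\\"): today - timedelta(days=10)}
    # simulated scanner: optionally a known virus (ERRORLEVEL 7) in C:\DOS
    sim = lambda n, t, sw: 7 if infected and (n, t) == ("SCAN", "C:\\DOS") else 0
    return run_command_file(EXAMPLE_FILE, today, last_run, sim)
```

With the clean history, the daily scan of C:\ is skipped (it ran only one day ago) while C:\DOS, COMP and HEUR run, the latter two with /SUBDIR- in force; with a simulated infection the first SCAN returns 7, which meets STOP 5 and halts the run.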
*******************************************************************************
Starting AVG for WINDOWS
════════════════════════
The WINDOWS 95 and WINDOWS 3.x versions of AVG have the same user
interface.
AVG for WINDOWS starts with a few tests of which the self-check
is the most important. Failure can be corrected only by
re-installing AVG. As in DOS the self-check can be omitted with
the parameter /NOSELF. Further, AVG looks for _GRISOFT.VIR,
checks that the databases are up to date, checks the scheduler
and tests memory (if not switched off in Settings - General
settings).
Desktop
Note that AVG has only a full sized working window.
Menu items:
Information - basic information about AVG
Tests - test functions
Settings - setting program parameters
Utilities - backup/restore system areas and other utilities
Exit - exits AVG
Help - contents of help
Icons:
Scan-test
Full heuristic analysis
Comparative test
Memory test
Macros
Exit
Temporary files
───────────────
AVG creates a number of temporary files on the hard disk. The
names of these files follow the pattern AVG_xxx.$$$. AVG
deletes these files when it ends normally. If AVG ends
incorrectly (system crash etc.) the files will remain on the
hard disk and must be deleted manually.
****************************************************************************
Info menu
═════════
It is clear from its name that this menu contains functions of a
predominantly informative character.
About AVG
Displays information about the AVG version you are using,
including subversion, date of release for distribution and
information on language versions.
The serial number and the name of the licensee are important.
They are written into the AVG program during installation and
cannot be changed later.
The information about the AVI and AVF files is important. These
files influence the range and capability of the tests, i.e. two
programs of the same version but with different data files will
differ in their capabilities.
If the user employs his own files for user validation and/or
his own description of external viruses, the appropriate
information is displayed in the window.
About viruses
Displays basic data on viruses detected by your installation of
AVG (the number of detected viruses depends on which version you
have installed and on the AVI/AVF files). It should be pointed
out that the information given here has been abbreviated
considerably, i.e. it contains only the name of the virus and
type of attack (file/system area).
AVG contains a detailed description of the commonest viruses, but this
is not available for all viruses contained in the virus databank.
System information
Displays information on the working environment - type and
version of the operating system, memory controls, processor mode,
size of base and XMS memory etc.
*******************************************************************************
Scan-test
═════════
The Scan-test in AVG consists of three independent techniques which
appear as one compact test. We shall deal with the three parts separately.
Standard search
The standard way to detect known viruses is to search for virus
identifiers (sequence of symbols characteristic of a given virus).
Individual algorithms
Individual algorithms are for detecting some known mutation viruses
such as Tremor, MtE, TPE etc. Each file tested is checked to see if
it contains a coding algorithm characteristic of a known type of
mutation virus.
Fast heuristic analysis
The principle of this technique consists in analysing code of the
file being tested and in understanding the meaning of the instructions.
The analysis can reveal suspicious activities. In contrast to full
heuristic analysis (analysis with code emulation), which is a
separate test, fast heuristic analysis does not carry out
consistent "pseudo-operation" of the instructions. It is not able
to detect new mutation viruses protected by an as yet unknown
encryption routine.
Fast heuristic analysis can be switched off in Scan-test settings.
During the test it is possible to determine whether fast analysis
is switched on.
┌────┐ Refer to the letter A in the top right corner of the screen - if
│C:\>│ fast analysis is active the letter is bright white, otherwise it is
└────┘ grey.
╔═╤═╗ If fast heuristic analysis is active, then the 'bullet' is green,
╟─┼─╢ otherwise it is grey.
╚═╧═╝
During the Scan-test the above techniques appear to the user as one
compact test. The advantage of this is that the file being tested is
checked thoroughly and the test can thus detect both known and also
the great majority of unknown viruses.
Anti-Stealth
────────────
┌────┐ The AVG uses anti-stealth technology to detect stealth viruses.
│C:\>│ Refer to the letter S in the top right corner of the screen - if
└────┘ anti-stealth is active the letter is bright white, otherwise it is
grey.
╔═╤═╗
╟─┼─╢ Anti-stealth technology cannot be used in a WINDOWS environment.
╚═╧═╝
Selection of Devices
────────────────────
Before the actual analysis, a window containing a list of the
devices available appears, including more detailed information
about each one. The user must now select the device, or its
directory, which is to be tested.
The following information about each device is shown:
Logical name of device
Type of device - local/network/or SUBST
Type of device - HDD or FDD
Whether the device contains a comparative database
The symbol ■ or 'OK' denotes that a comparative database exists
on the device.
The symbol '!' indicates that a comparative database does
not exist on the device
The comparative database (for detailed information on this see
chapter Comparative test) is a very important source of information
for AVG. For this reason the existence of the database on the
device is checked when the program is started and the user is
warned if the database does not exist. AVG does not check for
the database on diskettes or network devices, only on local
hard disks.
┌────┐ Information about a device, i.e. the logical name of a device, its
│C:\>│ type and whether a comparative database exists, are shown on one
└────┘ line in AVG.EXE. To test just one device, highlight it and press
ENTER.
If more than one device is to be tested, selection/deselection can
be made by INSERT key. Once all required devices are selected
press ENTER to access the menu below with the following options:
Run test Starts test of selected device(s).
Directory Tests selected directory only. The directories
will be listed - use the cursor and ENTER key
to select one. Press F9 to start the test of
this directory or F10 to start the test of this
directory plus its subdirectories.
Extension User selectable file name extension(s) to be
tested. This can also be done in Settings and
stored in the configuration file. Changes made
here are only temporary.
╔═╤═╗ In AVG for WINDOWS the type of device and the existence of a
╟─┼─╢ comparative database are shown separately under the list of
╚═╧═╝ devices. One or more devices can be chosen from a list. Individual
directories can be selected - all subdirectories will be tested as
well.
To run the test highlight the device and click on Start test or
just double-click the left mouse button on the target device.
To test a particular directory, highlight the device, and choose
Directory. Then from the tree highlight the directory and click
on Select. When finished click on OK to return to the previous
screen where the selected directories will be shown.
To test several devices/directories together, use Add. Highlight
the required device/directory in the above way and click on Add.
The selected device/directory appears in the list at the bottom of
the window. When finished, click on Run Test and all listed
devices/directories will be tested.
To clear the list of devices/directories, click on Clear List.
The options in the dialogue of the device/directory to be tested
are as follows:
Return Ends selection of device/directory.
Add Adds a device/directory to the list in the
lower part of the window.
Clear Deletes contents of the list in lower part
of the window.
Settings Calls up a window with the possibility of
changing some of the test parameters.
Run test Activates test on all devices/directories in
the list or, if this list is empty, then the
highlighted device/directory.
Directory Displays directory tree where one directory
can be chosen.
Test areas The list of devices/directories to be tested.
This list can be edited manually - the items
must be separated by a semicolon.
If the hard disk is not accessible
──────────────────────────────────
It can happen that due to a virus or as a result of a computer
crash the hard disk is not accessible - the operating system
refuses to recognise it as a valid device. In this case the only
thing to do is to boot from a system diskette, start AVG and use
the backup copies of the system areas. If AVG.EXE finds that no
hard disk exists, it tries to find it directly by means of the
BIOS and not through the operating system. If it finds that a disk
is physically connected, it includes it in the list of existing
devices and calls it "Physical Disk 1" and so on, whereby it is
made available at least for testing the system areas - partition
table. It is here that the cause of the inaccessibility of the
device usually lies and AVG can thus test this area and correct it
if necessary. With a device accessed like this it will not be
possible to carry out tests of files. If the partition table is
repaired, the device will be available after rebooting.
Test of system areas
────────────────────
The system areas of the device are tested first (AVG determines
the type of device and how the system areas will therefore be
tested). For hard disks this means the partition table and the
boot sector. For diskettes it is only the boot sector. With
network devices or with some pseudo-devices the test of the system
area is omitted since these areas are under the control of the
network operating system.
If the system areas are in order, the program continues testing
files, otherwise, the user is alerted and AVG offers the following
options:
Continue Continues testing other system areas or
starts testing files. The virus is left
in the infected area.
Information Gives detailed information about the virus
found.
Remove          Removes virus from the system area using one
                of the two following techniques:
  Repair (NA in freeware)
                Treats the infected system area using a
                general technique based on the fact that
                practically all viruses of this type use
                the same principle to spread.
  Reconstruction
                With hard disks this replaces the infected
                system area by the previously created backup
                copy (see Backup system areas in the Utility
                menu). With diskettes the infected boot
                sector is replaced by a generally valid
                structure.
As the system areas are of key importance, it is possible to make
an UNDO disk before running repair or reconstruction. If switched
on in Settings, a name and path for the UNDO file must be entered
when prompted. This file can be used at any time later (see
Complete reconstruction in Utilities menu) to restore the area to
the state it was in before running repair or reconstruction.
▀████▀ Note that altering the system areas is potentially dangerous. We
▀▀ therefore recommend that UNDO be used all the time.
▀▀
File test
─────────
After testing the system areas Scan-test continues testing files.
During the test, information is displayed as follows:
┌────┐ The screen contains three windows. The directory tree is
│C:\>│ displayed in the top left window, while the files and results
└────┘ are shown in the window to the right.
OK - the file is in order - no virus found.
? - no known virus found - but file has non-standard
structure.
@ - the file is internally compressed (PKLITE, LZEXE,
DIET etc.) or is immunised by some other antivirus
software. In both cases the test is not 100%
accurate as the test cannot access the file -
but neither can a virus. Reporting non-standard
files can be suppressed in the menu Settings -
Heuristic analysis settings - Report non-standard
files.
! - a specific virus has been found or heuristic
analysis has detected so many suspicious operations
that the file has been flagged as possibly infected
by an unknown virus.
The third window displays information about the viruses found,
about files with non-standard structure and so on.
╔═╤═╗ AVG for WINDOWS displays the tested file/directory and any
╟─┼─╢ important information is reported in the lower part of the window.
╚═╧═╝ This gives not only information on infected but also on non-standard
files. Reporting non-standard files can be suppressed in the menu
Settings - Scan-test settings - Report non-standard files.
If an infected file is found the type and name of the virus is
displayed. It should be pointed out that AVG distinguishes several
levels of attack - from files which are entirely OK through suspect
to actually infected by a specific virus. A list of the warning
levels including description can be found in the appendix to this
manual.
Continue
Calls up a submenu with options to continue until a further
infection is found or to continue non-stop to the end of the
test or abort the test.
Information
Displays detailed information about the virus found together
with the relevant flags.
Remove
Calls up a submenu with the following options:
Repair NOT AVAILABLE IN FREEWARE
This function, when successfully carried out, leads to
elimination of the virus from the infected file and returns
the file to its original state. AVG incorporates two treatment
techniques:
Reconstruction
Reconstruction uses information stored in the comparative
database (see the chapter Comparative test) to reconstruct
the infected file to its original state. AVG analyses the
infected file and automatically chooses the order of the
above techniques according to the type of file and virus.
The choice cannot be influenced.
After treatment the file is tested again so that the
effectiveness of eliminating the virus from the file can
be determined.
We recommend that the infected file is backed up (see chapter
Settings - Common settings for all tests).
Rename This renames an infected file so it can be kept on
the device without change and without the danger of
it being accidentally executed.
Erase This destroys the infected file so that it cannot be
resurrected.
Repair all Repair all is the same as Repair except that
the program automatically tests the remainder of
the device and tries to repair all the infected
files it finds - best for treating devices with
many infected files. However, the device must
be tested again to ensure that all viruses have
been removed.
After carrying out a test, a summary is displayed - the number of
files tested, the number of viruses found and files treated etc.
*******************************************************************************
Full Heuristic Analysis
═══════════════════════
This function could better be described as "heuristic analysis with
code emulation". Since this is a novelty for most users, we shall
explain the basic principles of heuristic analysis before going on
to describe it in detail.
Principle of heuristic analysis
───────────────────────────────
Heuristic analysis, unlike the Scan-test, does not look for
anything specific in the objects being tested. Rather, it
examines the code in the file, i.e. it follows the instructions
and analyses their practical meaning. It is able to pick up
dubious activities of a program (e.g. taking control over the
operating system, a non-standard method of becoming memory
resident). Each incorrect activity is characterised by a "flag"
- a letter from 'A' to 'Z' or 'a' to 'z'. Each flag has a
different value, i.e. not every symbol has the same weight.
During the heuristic analysis the virus database is continuously
checked for a known virus. When the total weight reaches a
critical limit and no match is found in the virus database,
the virus is declared unknown.
Unknown virus
─────────────
When no specific virus has been found, but heuristic analysis
has detected many significant symptoms, the file either contains
an unknown virus or has a non-standard structure. The user is
warned (with comments) that an unknown virus may be present.
The great advantage of Heuristic Analysis is its ability to detect
a virus even if it is unknown.
_GRISOFT.VIR file
─────────────────
The analysis also exports a sample of the suspect file (if switched
on in Settings) to the _GRISOFT.VIR file, located in the
C:\ directory. This file should be sent to GRISOFT (UK) Ltd.
to be analysed and possibly added to the main AVG.AVF validation
file and thus eliminate false alarms for all.
Users may, however, judge for themselves the seriousness of the
heuristic analysis report. The following may act as a general
guide:
If the user is confident that the file in question is either
non-standard (e.g. a device driver) or is virus free then the
warning can be ignored or user validation performed.
More detailed information about user validation can be found
in the chapter User Validation - MANAVF.EXE. If, however,
the program is new and untested or the file is suspect,
great care should be taken. If analysis finds several
suspect files with greatly dissimilar symptoms, it can
be assumed that the alarm is false. If analysis finds
several suspect files with similar symptoms, there may
be an unknown virus.
Change in analysis sensitivity
──────────────────────────────
A range of parameters that influence the behaviour and sensitivity
of the heuristic analysis can be changed in the menu Settings -
Heuristic analysis settings - Advanced. It should be pointed out,
however, that changing the default values of these parameters may
lead to a great increase in sensitivity and thus increase the
possibility of false alarms.
To give the less experienced user an idea of how changing the
parameters can influence the analysis, Show settings will display
a graph of the following:
Sensitivity (i.e. ability to detect an unknown virus)
Speed of test
False alarms
When heuristic analysis is run with non-default settings, the new
parameters are displayed in the Information window.
User validation
───────────────
If the user is convinced that a file is completely in order
although heuristic analysis has indicated it is infected by an
unknown virus, it is possible to carry out "user validation".
This will eliminate an alarm for this file in future analysis.
More detailed information about user validation can be found in
the chapter User validation - MANAVF.EXE.
If a known virus is detected, the name of the infected file is
displayed together with the type and name of the virus.
A complete list of the symbols (flags) used by heuristic analysis,
together with a brief description of each, is given in the
appendix to this manual.
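As an added illustration of the flag-weighting and decision logic described in this chapter (not AVG's own code: the flag weights, the critical limit, the sample virus-database entry and the similarity threshold are constructed here, since the real values live in the appendix and the AVG.AVF file), the following Python shows how the warning levels, user validation and the "similar versus dissimilar symptoms" rule of thumb could be implemented:

```python
"""Weighted-flag heuristic verdict, modelled on the manual's description.

Added example, not AVG code.  The flag weights, critical limit, sample
virus entry and similarity threshold are all constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed weights: each flag letter has its own weight, so not every
# symbol counts the same.  Only {B} ("return to entry point") is named in
# the manual; the meanings given for the others are invented here.
FLAG_WEIGHTS = {
    "A": 3,  # constructed: takes control of an operating system service
    "B": 2,  # manual: return to entry point
    "M": 4,  # constructed: non-standard method of becoming memory resident
    "T": 1,  # constructed: low-weight activity (e.g. reads the system time)
    "z": 1,  # constructed: low-weight lower-case flag
}
CRITICAL_LIMIT = 6  # constructed: total weight at which an alarm is raised

# Constructed stand-in for the virus database: flags that must be present
# plus a byte marker.  No real signature is reproduced.
KNOWN_VIRUSES = {
    "Example.Demo": (frozenset("AM"), b"DEMO-MARKER"),
}


@dataclass
class Verdict:
    level: str             # "OK", "suspect", "unknown virus" or "known virus"
    flags: str
    weight: int
    virus: Optional[str] = None
    validated: bool = False


def file_fingerprint(data: bytes) -> str:
    """Key under which a user validation is stored, bound to the file content."""
    return hashlib.sha1(data).hexdigest()


def analyse(data: bytes, flags: str, user_validated: Iterable[str] = ()) -> Verdict:
    """Turn the flags raised during emulation into one of the warning levels.

    The virus database is consulted regardless of weight; only when the weight
    reaches the critical limit *and* nothing matches is the file declared an
    unknown virus, unless the user has validated exactly this content.
    """
    weight = sum(FLAG_WEIGHTS.get(f, 0) for f in flags)
    flagset = frozenset(flags)
    for name, (sig_flags, marker) in KNOWN_VIRUSES.items():
        if sig_flags <= flagset and marker in data:
            return Verdict("known virus", flags, weight, virus=name)
    if weight >= CRITICAL_LIMIT:
        if file_fingerprint(data) in set(user_validated):
            return Verdict("OK", flags, weight, validated=True)
        return Verdict("unknown virus", flags, weight)
    if weight > 0:
        return Verdict("suspect", flags, weight)
    return Verdict("OK", flags, weight)


def batch_assessment(flag_strings: List[str], threshold: float = 0.7) -> str:
    """The manual's rule of thumb for several suspect files: very similar flag
    sets point to one unknown virus, dissimilar sets suggest false alarms.
    Similarity is the mean pairwise Jaccard index (constructed choice)."""
    sets = [frozenset(s) for s in flag_strings if s]
    if len(sets) < 2:
        return "insufficient data"
    scores = []
    for i in range(len(sets)):
        for j in range(i + 1, len(sets)):
            union = sets[i] | sets[j]
            scores.append(len(sets[i] & sets[j]) / len(union))
    mean = sum(scores) / len(scores)
    return "probable unknown virus" if mean >= threshold else "probable false alarm"


if __name__ == "__main__":
    print(analyse(b"xxDEMO-MARKERxx", "AM"))
    print(analyse(b"a device driver", "AM"))
    print(batch_assessment(["AMB", "AMB", "AM"]))
```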
Anti-Stealth
────────────
┌────┐ AVG uses anti-stealth technology to detect stealth viruses.
│C:\>│ Refer to the letter S in the top right corner of the screen - if
└────┘ anti-stealth is active the letter is bright white, otherwise it is
grey.
╔═╤═╗
╟─┼─╢ Anti-stealth technology cannot be used in a WINDOWS environment.
╚═╧═╝
Selection of Devices
────────────────────
Before the actual analysis, a window containing a list of the
devices available appears, including more detailed information
about each one. The user must now select the device, or its
directory, which is to be tested.
The following information about each device is shown:
Logical name of device
Type of device - local/network/or SUBST
Type of device - HDD or FDD
Whether the device contains a comparative database
The symbol ■ or 'OK' denotes that a comparative database
exists in the device.
The symbol '!' indicates that a comparative database does
not exist in the device.
The comparative database (for detailed information on this see the
chapter Comparative test) is a very important source of information
for AVG. For this reason the existence of the database on the
device is checked when the program is started and the user is
warned if the database does not exist. AVG does not check
for the database on diskettes or network devices, only on local
hard disks.
┌────┐ Information about a device, i.e. the logical name of a device, its
│C:\>│ type and whether a comparative database exists, is shown on one
└────┘ line in AVG.EXE. To test just one device, highlight it and press
ENTER.
If more than one device is to be tested, selection/deselection can
be made by INSERT key. Once all required devices are selected
press ENTER to access the menu below with the following options:
Run test Starts test of selected device(s).
Directory Tests selected directory only. The directories
will be listed - use the cursor and ENTER key
to select one. Press F9 to start the test of
this directory or F10 to start the test of
this directory plus its subdirectories.
Extension User selectable file name extension(s) to be
tested. This can also be done in Settings and
stored in the configuration file. Changes made
here are only temporary.
╔═╤═╗ In AVG for WINDOWS the type of device and the existence of a
╟─┼─╢ comparative database are shown separately under the list of
╚═╧═╝ devices.
One or more devices can be chosen from a list. Individual
directories can be selected - all subdirectories will be tested
as well.
To run the test highlight the device and click on Start test or
just double-click the left mouse button on the target device.
To test a particular directory, highlight the device, and choose
Directory. Then from the tree highlight the directory and click
on Select. When finished click on OK to return to the previous
screen where the selected directories will be shown.
To test several devices/directories together, use Add. Highlight
the required device/directory in the above way and click on Add.
The selected device/directory appears in the list at the bottom of
the window. When finished, click on Run Test and all listed
devices/directories will be tested.
To clear the list of devices/directories, click on Clear List.
The options in the dialogue of the device/directory to be tested
are as follows:
Return Ends selection of device/directory.
Add Adds a device/directory to the list in the
lower part of the window.
Clear Deletes contents of the list in lower part of
the window.
Settings Calls up a window with the possibility of
changing some of the test parameters.
Run test Activates test on all devices/directories in
the list or, if this list is empty, then the
highlighted device/directory.
Directory Displays directory tree where one directory
can be chosen.
Test areas The list of devices/directories to be tested.
This list can be edited manually - the items
must be separated by a semicolon.
If the hard disk is not accessible
──────────────────────────────────
It can happen that due to a virus or as a result of a computer
crash the hard disk is not accessible - the operating system
refuses to recognise it as a valid device. In this case the only
thing to do is to boot from a system diskette, start AVG and use
the backup copies of the system areas. If AVG.EXE finds that no
hard disk exists, it tries to find it directly by means of the
BIOS and not through the operating system. If it finds that a disk
is physically connected, it includes it in the list of existing
devices and calls it "Physical Disk 1" and so on, whereby it is
made available at least for testing the system areas - partition
table. It is here that the cause of the inaccessibility of the
device usually lies and AVG can thus test this area and correct it
if necessary. With a device accessed like this it will not be
possible to carry out tests of files. If the partition table is
repaired, the device will be available after rebooting.
Test of system areas
────────────────────
The system areas of the device are tested first (AVG determines
the type of device and therefore how the system areas are to be
tested). For hard disks this means the partition table and the boot
sector. For diskettes it is only the boot sector. With network
devices or with some pseudo-devices the test of the system area
is omitted since these areas are under the control of the network
operating system.
If the system areas are in order, the program continues testing
files, otherwise, the user is alerted and AVG offers the following
options:
Continue Continues testing other system areas or
starts testing files. The virus is left in
the infected area.
Information Gives detailed information about the virus found.
Remove Removes virus from the system area using one
of the two following techniques:
(NA in freeware) Repair Treats the infected system area using
a general technique based on the fact
that practically all viruses of this
type use the same principle to spread.
Reconstruction With hard disks this replaces the
infected system area by the previously
created backup copy (see Backup system
areas in the Utility menu). With
diskettes the infected boot sector
is replaced by a generally valid
structure.
As the system areas are of key importance, it is possible to make
an UNDO disk before running repair or reconstruction. If switched
on in Settings, a name and path for the UNDO file must be entered
when prompted. This file can be used at any time later (see
Complete reconstruction in Utilities menu) to restore the area to
the state it was in before running repair or reconstruction.
▀████▀ Note that altering the system areas is potentially dangerous. We
▀▀ therefore recommend that UNDO be used all the time.
▀▀
File test
─────────
After testing the system areas Scan-test continues testing files.
During the test, information is displayed as follows:
┌────┐ The screen contains three windows. The directory tree is
│C:\>│ displayed in the top left window, while the files and results
└────┘ are shown in the window to the right.
OK - the file is in order - no virus found.
? - no known virus found - but file has non-standard
structure.
@ - the file is internally compressed (PKLITE, LZEXE,
DIET etc.) or is immunised by some other antivirus
software. In both cases the test is not 100%
accurate as the test cannot access the file -
but neither can a virus. Reporting non-standard
files can be suppressed in the menu Settings -
Heuristic analysis settings - Report non-standard
files.
! - a specific virus has been found or heuristic
analysis has detected so many suspicious operations
that the file has been flagged as possibly infected
by an unknown virus.
The third window displays information about the viruses found,
about files with non-standard structure and so on.
╔═╤═╗ AVG for WINDOWS displays the tested file/directory and any
╟─┼─╢ important information is reported in the lower part of the window.
╚═╧═╝ This gives information not only on infected files but also on
non-standard files. Reporting non-standard files can be suppressed in
the menu Settings - Heuristic analysis settings - Report non-standard files.
If an infected file is found, the type and name of the virus are
displayed. It should be pointed out that AVG distinguishes several
levels of attack - from files which are entirely OK, through suspect
files, to files actually infected by a specific virus. A list of the
warning levels, including a description of each, can be found in the
appendix to this manual.
Continue
Calls up a submenu with options to continue until a further
infection is found or to continue non-stop to the end of the
test or abort the test.
Information
Displays detailed information about the virus found together
with the relevant flags.
Remove
Calls up a submenu with the following options:
Repair NOT AVAILABLE IN FREEWARE
This function, when successfully carried out, leads to
elimination of the virus from the infected file and returns
the file to its original state. AVG incorporates two treatment
techniques:
Heuristic treatment is based on the fact that most modern
viruses can preserve their host in an executable state - the
virus temporarily returns the host (infected file) to its
original uninfected state so that it can be run. A certain
guide to the possibility of heuristic treatment is given by
the flag {B} - return to entry point. If this flag appears
amongst those found by the analysis, heuristic treatment will
probably be successful.
If flag {B} is not shown, try to set Special mode in the menu
Settings - Heuristic analysis settings - Advanced and test the
infected file again. Heuristic analysis will now work slightly
differently to try to detect the necessary flag {B} and thus
enable heuristic treatment to take place.
Reconstruction uses information stored in the comparative
database (see the chapter Comparative test) to reconstruct the
infected file to its original state.
AVG analyses the infected file and automatically chooses the
order of the above techniques according to the type of file and
virus. The choice cannot be influenced.
After treatment the file is tested again so that the
effectiveness of eliminating the virus from the file can be
determined.
▀████▀ We recommend that the infected file is backed up (see chapter
▀▀ Settings - Common settings for all tests).
▀▀
Rename This renames an infected file so it can be kept on
the device without change and without the danger of
it being accidentally executed.
Erase This destroys the infected file so that it cannot be
resurrected.
Repair all Repair all is the same as Repair except that the
program automatically tests the remainder of the
device and tries to repair all the infected files
it finds - best for treating devices with many
infected files. However, the device must be tested
again to ensure that all viruses have been removed.
After carrying out a test, a summary is displayed - the number of files
tested, the number of viruses found and files treated etc.
*******************************************************************************
Comparative test
════════════════
Each infection changes its victim: files change in size and contents
(sometimes the date and time are changed as well), system areas change
merely in their contents. This fact is used by the Comparative Test, which
creates and maintains a database (called the comparative database) by means
of which it can ascertain what has changed.
Selection of Devices
────────────────────
Before the actual comparative test, a window containing a list of
the devices available appears, including more detailed information
about each one. The user must now select the device, or its
directory, which is to be tested.
The following information about each device is shown:
Logical name of device
Type of device - local/network/or SUBST
Type of device - HDD or FDD
Whether the device contains a comparative database
The symbol ■ or 'OK' denotes that a comparative database exists
in the device.
The symbol '!' indicates that a comparative database does
not exist in the device.
┌────┐ Information about a device, i.e. the logical name of a device, its
│C:\>│ type and whether a comparative database exists, is shown on one
└────┘ line in AVG.EXE. To test just one device, highlight it and press
ENTER.
If more than one device is to be tested, selection/deselection can
be made by INSERT key. Once all required devices are selected press
ENTER to access the menu below with the following options:
Run test Starts test of selected device(s).
Directory Tests selected directory only. The directories will
be listed - use the cursor and ENTER key to select
one. Press F9 to start the test of this directory
or F10 to start the test of this directory plus
its subdirectories.
Extension User selectable filename extension(s) to be tested.
This can also be done in Settings and stored in the
configuration file. Changes made here are only
temporary.
In AVG for WINDOWS the type of device and the existence of a
╔═╤═╗ comparative database are shown separately under the list of devices.
╟─┼─╢ One or more devices can be chosen from a list. Individual
╚═╧═╝ directories can be selected - all subdirectories will be tested
as well.
To run the test highlight the device and click on Start test or
just double-click the left mouse button on the target device.
To test a particular directory, highlight the device, and choose
Directory. Then from the tree highlight the directory and click on
Select. When finished click on OK to return to the previous screen
where the selected directories will be shown.
To test several devices/directories together, use Add. Highlight
the required device/directory in the above way and click on Add.
The selected device/directory appears in the list at the bottom of
the window. When finished, click on Run test and all listed
devices/directories will be tested.
To clear the list of devices/directories, click on Clear list.
The options in the dialogue of the device/directory to be tested
are as follows:
Return Ends selection of device/directory.
Add Adds a device/directory to the list in the lower
part of the window.
Clear Deletes contents of the list in lower part of the
window.
Settings Calls up a window with the possibility of
changing some of the test parameters.
Run test Activates test on all devices/directories in the
list or, if this list is empty, then the
highlighted device/directory.
Directory Displays directory tree where one directory can
be chosen.
Test areas The list of devices/directories to be tested.
This list can be edited manually - the items
must be separated by a semicolon.
Creating comparative database
─────────────────────────────
If there is no comparative database on a device to be tested the
user is informed and the option to create one is offered. The
default name for this file is AVG.GRS and can be changed in the
menu Settings - Scan-test settings.
The following information about each file under test is stored in
the comparative database:
Name of file including path.
Size of file in bytes.
Checksum of important parts of file. Only the file header and
some other important parts are stored - not the whole file.
Attributes of file (Archive/Hidden/System/Read-only).
Time and date of creation of file.
Additional information to aid scan-test and heuristic
analysis is also stored in the comparative database.
System areas - Only checksum data of the system area is stored
in the comparative database.
Test against existing database
──────────────────────────────
If a comparative database already exists on the tested device, the
real comparative test follows - comparing the data in the database with
reality. The comparative test is fully automated; information about the
directory and file currently being tested is shown to the user, and a brief
description of each detected change is also displayed. When the test
is completed, all detected changes are displayed again together
with a detailed description. The comparative test detects these types of
changes:
Change in system area This change should be taken seriously.
Unless a new operating system, some
system software or new hardware (new
hard disk, etc.) has been installed
since the last test this change is a
strong indication of a virus attack.
A change in system area (boot sector)
of pseudo-devices (e.g. compressed
disks - Stacker, DoubleSpace...) may
not be caused by a virus.
Change in file The comparative test has found a
discrepancy between the file and its
record in the database. If there is no
known reason for the file to have changed
since last tested (e.g. replaced by a
new version), this discrepancy may
signal virus infiltration. It is
important to know what has changed
- a change in the file attributes or
in the time of creation is not as
important as a change in the content
of the file and/or its length.
File deleted A file recorded in the database was
not found. It has probably been deleted,
renamed or moved to another directory.
File is new A file exists on the device but has no
record in the database.
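The creation, comparison and evaluation steps of this chapter, as an added example in Python (not AVG code, and the AVG.GRS format is not reproduced): the records hold the fields the manual lists, changes are classified into the four kinds above with content/length changes marked as the serious ones, and an Auto-Tag style rule records the accepted changes as the new standard. The checksummed "important parts" (header and tail), the Auto-Tag rule and the sample files are constructed here; system areas are left out because they are not reachable portably from user space.

```python
"""Comparative test in miniature: baseline, compare, classify, update.

Added example modelled on the manual's description; not AVG code.  The
checksummed "important parts" (header and tail), the Auto-Tag rule and
the demo files are constructed choices.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

HEADER_BYTES = 512  # constructed: checksum the header ...
TAIL_BYTES = 64     # ... and the tail, where appended code would land
PROGRAM_EXT = {".exe", ".com", ".ovl", ".doc"}  # manual: only program/document files


@dataclass
class Record:
    path: str        # name of file including path (relative to the tested root)
    size: int        # size of file in bytes
    checksum: str    # checksum of important parts only, not the whole file
    attributes: str  # "R" = read-only, "-" = writable (Archive/Hidden/System are DOS-only)
    mtime: int       # time and date, as a Unix timestamp


def partial_checksum(path: Path) -> str:
    size = path.stat().st_size
    with path.open("rb") as f:
        head = f.read(HEADER_BYTES)
        if size > HEADER_BYTES + TAIL_BYTES:
            f.seek(size - TAIL_BYTES)
        tail = f.read()
    return hashlib.sha256(head + tail).hexdigest()


def make_record(root: Path, path: Path) -> Record:
    st = path.stat()
    ro = "-" if st.st_mode & stat.S_IWUSR else "R"
    return Record(path.relative_to(root).as_posix(), st.st_size,
                  partial_checksum(path), ro, int(st.st_mtime))


def build_database(root: Path) -> Dict[str, Record]:
    """Create the comparative database for every program file under root."""
    files = [p for p in sorted(root.rglob("*"))
             if p.is_file() and p.suffix.lower() in PROGRAM_EXT]
    return {r.path: r for r in (make_record(root, p) for p in files)}


def compare(db: Dict[str, Record], root: Path) -> List[dict]:
    """Compare database records with reality and classify each change."""
    current = build_database(root)
    changes = []
    for path, old in db.items():
        new = current.get(path)
        if new is None:
            changes.append({"kind": "File deleted", "path": path})
            continue
        what = [name for name, differs in (
            ("content", new.checksum != old.checksum),
            ("length", new.size != old.size),
            ("attributes", new.attributes != old.attributes),
            ("time", new.mtime != old.mtime)) if differs]
        if what:
            # a change in content or length matters far more than attributes/time
            changes.append({"kind": "Change in file", "path": path, "what": what,
                            "serious": "content" in what or "length" in what})
    changes += [{"kind": "File is new", "path": p} for p in current if p not in db]
    return changes


def auto_tag(changes: List[dict]) -> List[dict]:
    """Constructed Auto-Tag rule: accept new/deleted files and attribute or
    time changes; leave content/length changes for the user to judge."""
    return [c for c in changes if not c.get("serious")]


def update_database(db: Dict[str, Record], root: Path, tagged: List[dict]) -> Dict[str, Record]:
    """F2 / Update database: record the tagged changes as the new standard."""
    current = build_database(root)
    for c in tagged:
        if c["kind"] == "File deleted":
            db.pop(c["path"], None)
        else:
            db[c["path"]] = current[c["path"]]
    return db


def run_demo() -> dict:
    """Constructed scenario: baseline two program files, then simulate code
    appended to GAME.EXE with its timestamp preserved, a deleted file and a
    new file.  Returns the classified changes and the database after Auto-Tag."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "GAME.EXE").write_bytes(b"MZ" + b"\x00" * 600)
        (root / "COMMAND.COM").write_bytes(b"\xe9\x10\x00" + b"\x90" * 300)
        (root / "README.TXT").write_bytes(b"not a program file; never tested")
        for p in root.iterdir():
            os.utime(p, (1_000_000, 1_000_000))  # fixed timestamps
        db = build_database(root)
        with (root / "GAME.EXE").open("ab") as f:
            f.write(b"XX")                       # constructed appended bytes
        os.utime(root / "GAME.EXE", (1_000_000, 1_000_000))  # time unchanged
        (root / "COMMAND.COM").unlink()
        (root / "NEW.COM").write_bytes(b"\xc3")
        changes = compare(db, root)
        db = update_database(db, root, auto_tag(changes))
        return {"changes": changes, "db_paths": sorted(db)}
```

The demo shows why the manual ranks content and length above time and attributes: the appended bytes are caught by the partial checksum even though the timestamp was left untouched.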
Evaluating changes
──────────────────
When testing is over, the changes are listed. It is up to the user
to mark changes which are considered correct, and record them in
the database as a standard for future tests.
The new and/or deleted files can be updated automatically according
to the settings - see menu Settings - Comparative test settings.
Any changes found are selected and tagged in the following way:
┌────┐ The changes are tagged (or un-tagged) by ENTER or INS.
│C:\>│ F2 to add changes to comparative database.
└────┘ ESC aborts evaluation of changes without updating comparative
database.
Tag is used to select groups of changes quickly. It displays a
menu with the following choices:
Tag all
Un-tag all
Tag changed
Un-tag changed
Tag deleted
Un-tag deleted
Tag new
Un-tag new
Auto-Tag analyses the changes then automatically indicates all
changes that it regards as correct.
F2 will update the database.
ESC will abort comparative test without updating database.
╔═╤═╗ Mouse click selects/deselects a changed file.
╟─┼─╢
╚═╧═╝
To select/deselect groups of files, choose from the following:
Select all
Deselect all
Select changed
Deselect changed
Select erased
Deselect erased
Select new
Deselect new
Other choices are:
Information which gives more detailed information on a
change found.
Exit without update ends the comparative test without
updating the database.
Update database ends the comparative test and updates the
database with all selected changes.
The last screen displayed by the Comparative test is a window
containing the test results. This window is common to all tests and
only items relevant to the type of test run are highlighted.
To sum up
─────────
The comparative test is an important source of information, used by
the scan-test in eliminating viruses. We consider a comparative
database to be almost vital on every device (with the exception of
diskettes and some network devices).
We recommend that the comparative test is run frequently. Remember
that it is the user who must make a decision about the changes
found. He must know what has taken place in the system since it
was last used and whether the changes are correct or not. The
greater the number of changes the more frequently the comparative
test should be run. From our experience we can recommend running
this test once or twice a week.
**************************************************************************
Memory Test
═══════════
This tests memory for the presence of a virus. It is run automatically
when AVG is started unless suppressed in Settings - Common settings
for all tests or by using the parameter /NOMEM.
╔═╤═╗ In a WINDOWS environment AVGSYSW.EXE must be loaded to test memory.
╟─┼─╢
╚═╧═╝
AVG tests only those parts of memory that are used by viruses. If a
virus is found, the option to continue (particularly useful with some
portable computers) or restart computer is given.
*******************************************************************************
Interrupt vectors analysis
══════════════════════════
The analysis of interrupt vectors is a progressive method for
detecting new resident viruses. Basically, it is heuristic analysis
of the vectors INT21 and INT13.
╔═╤═╗ This analysis has no meaning in a WINDOWS environment and is
╟─┼─╢ therefore not available.
╚═╧═╝
What are INT21 and INT13?
─────────────────────────
Fundamental system functions are located in ROM memory. The
addresses of these functions are located in the interrupt vectors
- INT21 (operating system) and INT13 (disk operation). These
addresses are very often changed by resident viruses to obtain
control over the system.
Heuristic analysis tests the code to which the vectors point and
can determine whether a virus has taken control of the system.
Some modern viruses cannot be detected by conventional memory test
and so heuristic analysis of vectors of interrupts compensates for
this shortcoming.
*******************************************************************************
Environment test
════════════════
AVG tests the environment by trying to detect incorrect activity
in the system.
╔═╤═╗ This test has no meaning in a WINDOWS environment and is therefore
╟─┼─╢ not available.
╚═╧═╝
Principle of test
─────────────────
Most present-day viruses reside in memory to monitor system activity
and attack when a suitable situation occurs. AVG deliberately
activates system functions (used by viruses to spread) to trick
them into revealing themselves.
File viruses
AVG simulates system operations to provoke an active virus in
the computer into acting.
Boot viruses
A formatted diskette, not write-protected, must be present in
the drive before carrying out this test.
▀████▀ Data on this diskette will be destroyed.
▀▀
▀▀
*******************************************************************************
Settings
════════
It is possible to configure many of AVG's functions to the user's needs
and preferences.
Scan test, heuristic analysis and comparative test settings will be
dealt with in subsequent chapters.
Settings common to all tests
────────────────────────────
┌────┐ Direct disk reading
│C:\>│ AVG uses its own technique for reading data from disk. The main
└────┘ advantage, apart from speeding up tests, is increased
sensitivity to stealth file viruses (e.g. Tremor).
AVG analyses the type of device to be tested and the software
used and automatically switches off direct reading if its use
is impossible or unsuitable. Manual override can be set.
Refer to the letter F in the top right corner of the screen -
if fast reading is active the letter is bright white, otherwise
it is grey.
When XMS memory cannot be used then fast reading occupies base
memory otherwise used by other routines. Should there be
insufficient free memory AVG terminates prematurely. Access to
XMS memory is recommended (see /FASTREAD+ and /XMS+).
Defend against Stealth viruses
AVG uses anti-STEALTH technology - the operating system is not
used to read devices as it may be under the control of stealth
viruses.
Refer to the letter S in the top right corner of the screen -
if anti-Stealth technology is active the letter is bright white,
otherwise it is grey.
Use XMS
Determines whether AVG will use XMS memory. The default is to
use XMS memory, which speeds up tests. XMS memory is used for
fast reading from disk. To use this an XMS memory driver must
be installed (i.e. HIMEM.SYS or EMM386.EXE).
Test RAM Upper Memory
Determines whether the RAM memory test will also test memory in
the region 640KB-1MB.
Create backup file
AVG can create a backup of an infected file before each
attempt to repair. This copy can be useful if repair is
unsuccessful, i.e. the infected file has been irrecoverably
damaged: a functional, although infected, copy of the file
is retained. The extension of the backup is altered -
e.g. COMMAND.COM becomes COMMAND.C##.
Memory test on start
Determines whether memory is tested on starting AVG.
╔═╤═╗ Double Click with Mouse
╟─┼─╢ To simplify the selection of devices, a double click of the
╚═╧═╝ left button on your mouse can be used. Double click can be
defined in General settings. The default setting for double
click is Start test. Other possible settings are Directory
selection, Add to list or Not used.
Start test - starts test.
Directory selection - selects directory to be tested.
Add to list - adds a selected device/directory to the list
of areas to be tested.
Not used - double clicking has no effect.
List of tested areas
Determines whether the list of tested areas is to be cleared
or preserved from the last test.
AVG environment settings
Sound Determines whether AVG uses sound effects on
detecting an important event.
Report Sets the name of a report file, into which AVG
will write extra information about tests.
Save configuration Configuration changes can be saved automatically
to AVG.CFG on exit. AVG creates a configuration
file with the name AVG.CFG. AVG for WINDOWS
creates a configuration file with the name
AVGW.CFG. Thus the two programs may have
different configurations saved.
┌────┐ Graphic mode Sets AVG to either graphics or text mode. This
│C:\>│ is stored in the configuration file. Unless
└────┘ overridden, graphical mode is used for VGA
cards and text mode for any other display
adapter.
Screen dimming If set on the screen is dimmed after ten minutes
of inactivity. Pressing any key will reset the
screen to normal.
Password AVG contains privileged functions accessible
only after a valid password has been entered.
The standard generally valid password cannot
be changed and is located in the {PWD} file on
the installation diskette.
Apart from this password it is possible to
define a user password and use it in day to day
work. The use of such a password is possible
only if a valid password has been entered in
the present session.
Font The font in the menu information line can be
changed. AVG must be re-started for this to
take effect.
Save settings to disk
Unless changes to settings are saved, they will apply only for the
current session. AVG creates a configuration file with the name
AVG.CFG. AVG for WINDOWS creates a configuration file with the name
AVGW.CFG. Thus the two programs may have different configurations
saved.
A configuration can also be saved automatically - see Settings -
Environment settings.
Network communication
In a Novell Netware environment it is possible to use the Network
communication feature. If enabled and the user/group is valid,
then a message will be sent if scan-test or heuristic analysis
finds a virus on your computer.
If network messaging is set to YES, the name of the user to whom
messages should be sent must be entered. The file to which the
messages are sent must be specified - in case the recipient is
not accessible.
The network administrator must ensure that the AVG user has the
necessary rights to create the log file in the given directory.
Default settings
Restores settings to default values. This feature is privileged and
is available only after entering a valid password in Utilities.
******************************************************************************
Scan-test settings
══════════════════
The following parameters can be set for Scan-test:
Extension Extension box contains the following:
Default - this group cannot be changed
Other - user definable list of extensions is used
Extensions - to customise a list of extensions
It should be noted that files like *.TXT, *.DBF are not important as
far as viruses are concerned. Only program files (*.EXE, *.COM, *.OVL
etc.) and some document files (*.DOC) should be tested. Testing,
for example, text files could lead to false alarms.
Report non-standard files
Determines whether non-standard files (PKLITE, DIET, LZEXE,
immunised programs etc.) will be reported.
Quick analysis
Determines whether fast heuristic analysis will be used during a
scan-test - see chapter Scan-test.
Test without messages
By default messages are displayed during testing when an infected
or a suspicious file is found. Testing is suspended and continues
only after user intervention.
If Test without messages is set to YES, then scan-test will run
non-stop until all files have been tested and action can be taken
when finished.
Scheduler
Allows a time interval (in days) for a scheduled test to be
defined. Whenever AVG is run the date is checked and the user
prompted when the time has come to run the test.
******************************************************************************
Heuristic analysis settings
═══════════════════════════
The following parameters can be set for heuristic analysis:
Extension
Extension box contains the following:
Default - this group cannot be changed
Other - user definable list of extensions is used
Extensions - to customise a list of extensions
It should be noted that files like *.TXT, *.DBF are not important as
far as viruses are concerned. Only program files (*.EXE, *.COM *.OVL
etc.) and some document files (*.DOC) should be tested. Testing, for
example, text files could lead to false alarms.
Report non-standard files
Determines whether non-standard files (PKLITE, DIET, LZEXE,
immunised programs etc.) will be reported.
Export suspicious files
Determines whether heuristic analysis will save a sample of a
suspicious file to _GRISOFT.VIR
┌────┐ Heuristic analysis can display the contents of CPU registers and the
│C:\>│ instructions in the tested code. These details are mainly
└────┘ informative and can be suppressed. The screen area is then
allocated to the messages about detected viruses and non-standard
files.
Test without messages
By default messages are displayed during testing when an infected
or a suspicious file is found. Testing is suspended and continues
only after user intervention.
Scheduler
Allows a time interval (in days) for a scheduled test to be
defined. Whenever AVG is run the date is checked and the user
prompted when the time has come to run the test.
Advanced
Contains the following options:
Time limit
Limits the time spent on testing each file. The default is
ten seconds. It is important to realise that for the great
majority of files this limit is not reached.
Depth and Maximum number of instructions
These two parameters both limit the amount of code examined by
heuristic analysis, but they differ in one important respect.
Max. number of instructions counts every instruction the
analysis executes. Depth of test measures how far down the
program listing the analysis has penetrated, i.e. the furthest
point reached in the code.
The difference is best shown by an example. Imagine that the
program under test contains a loop. Each pass through the loop
adds to the count of executed instructions, but the depth of
penetration ignores the repetition and increases only as the
analysis reaches code further down the file. A limit on the
instruction count can therefore stop the analysis inside a long
loop, before the code that follows it is ever seen, whereas a
limit on depth does not.
The default values are 400 for the depth and 1,000,000 for
the maximum number of instructions.
Significantly faster execution of heuristic analysis can be
achieved by decreasing these parameters, but at the risk of
not detecting complex polymorphic viruses, whose decryption
loops may execute many instructions before the virus body is
reached.
Analyse non-standard files
Files with non-standard structure - those produced by
PKLITE, DIET, LZEXE etc. take longer to analyse. Although
heuristic analysis recognises these files their analysis
is usually unnecessary.
Sensitive cycle detection
Analysis can detect the occurrence of loops in a program
and pass through them quickly. With high sensitivity even
complex and fragmented viruses can be detected. Low
sensitivity speeds up the test at the cost of the
potential to detect complex polymorphic viruses.
Alternative addresses
Examines the code reached by a conditional jump. Using
this feature makes information about the possibility of a
virus in a file more complete but could lead to a false alarm.
Special mode (for treatment)
Heuristic treatment relies on the fact that most modern
viruses preserve their host in an executable state: before the
host runs, the virus temporarily restores the infected file to
its original, uninfected form. A good indicator that heuristic
treatment is possible is the flag {B} - return to entry point.
If this flag appears among those found by the analysis,
heuristic treatment will probably succeed.
Special mode of heuristic analysis can help to remove some
very complex polymorphic viruses even when flag {B} is not shown.
Emulate instruction queue
To speed up execution, Intel processors prefetch instructions:
the processor reads instructions it expects to need from
memory into a queue ahead of execution. If a program modifies
an instruction in memory after it has already been fetched
into the queue, the CPU may not notice and will execute the
original (stale) instruction. Self-modifying code of this kind
is a relatively common technique used by viruses as a defence
against being traced or analysed: a debugger or emulator that
does not model the queue follows the modified code, while the
real CPU follows the original. AVG sets this parameter
according to the processor it is running on: with an 80286,
80386 or 80486 emulation of the queue is on; with an 8086 or a
Pentium it is off, the Pentium being able to recognise such a
mismatch and re-read the modified instruction.
Show
Updates the graph to show the effect of any changes.
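To make the two limits (Depth versus Max. number of instructions) and the instruction-queue trick concrete, here is a toy code emulator. It is an added illustration written for this edition and is not AVG's analysis engine: the eight-operation instruction set, the two constructed sample programs LOOP and SMC, and the way the prefetch queue is modelled (a sliding window of copied instructions that a taken jump flushes) are all simplifications assumed for the example.

```python
"""Toy emulator for two heuristic-analysis settings: Depth vs. Max. number
of instructions, and Emulate instruction queue. Added example, not AVG code:
the instruction set and the sample programs are invented for illustration."""
from dataclasses import dataclass, field

# Each instruction is a tuple: ("MOV_CX", n), ("DEC_CX",), ("JNZ", addr),
# ("JMP", addr), ("STORE", addr, instruction), ("INT", n), ("NOP",), ("HALT",).
# "STORE" overwrites another instruction in memory (self-modifying code).


@dataclass
class Trace:
    executed: int = 0                         # instructions run: "Max. number of instructions"
    depth: int = 0                            # furthest address reached: "Depth of test"
    flags: set = field(default_factory=set)   # suspicious calls seen, e.g. "INT 13h"
    stop: str = ""                            # why the analysis ended


def emulate(program, *, max_instructions=1_000_000, max_depth=400, queue_len=0):
    """Run `program` and return a Trace.

    queue_len > 0 models a CPU prefetch queue: the next queue_len instructions
    are copied out of memory ahead of execution, a taken jump flushes the copy,
    and a write to an address already in the queue is NOT seen by the CPU.
    queue_len == 0 models an emulator that ignores the queue.
    """
    mem = list(program)      # private copy, because STORE modifies it
    queue = {}               # address -> instruction as it was when prefetched
    cx, pc = 0, 0
    t = Trace()

    def refill(start):
        queue.clear()
        for a in range(start, min(start + queue_len, len(mem))):
            queue[a] = mem[a]

    while True:
        if t.executed >= max_instructions:
            t.stop = "max. number of instructions reached"
            break
        if pc + 1 > max_depth:
            t.stop = "depth limit reached"
            break
        if pc >= len(mem):
            t.stop = "ran off the end of the code"
            break
        if queue_len and pc not in queue:
            refill(pc)
        ins = queue[pc] if queue_len else mem[pc]
        t.executed += 1
        t.depth = max(t.depth, pc + 1)

        op = ins[0]
        if op == "HALT":
            t.stop = "halt"
            break
        if op == "MOV_CX":
            cx = ins[1]
        elif op == "DEC_CX":
            cx -= 1
        elif op == "STORE":
            mem[ins[1]] = ins[2]          # self-modifying write
        elif op == "INT":
            t.flags.add("INT %02Xh" % ins[1])
        elif op in ("JMP", "JNZ"):
            if op == "JMP" or cx != 0:
                pc = ins[1]
                queue.clear()             # a taken jump flushes the queue
                continue
        elif op != "NOP":
            raise ValueError("unknown instruction %r" % (ins,))

        if queue_len:                     # sequential execution: slide the window
            queue.pop(pc, None)
            nxt = pc + queue_len
            if nxt < len(mem):
                queue[nxt] = mem[nxt]
        pc += 1
    return t


# Constructed sample 1: a three-pass loop followed by a DOS call.
LOOP = [("MOV_CX", 3), ("DEC_CX",), ("JNZ", 1), ("INT", 0x21), ("HALT",)]

# Constructed sample 2: overwrites the INT 13h at address 2 with a jump
# around it while that instruction is already sitting in the prefetch queue.
SMC = [("STORE", 2, ("JMP", 4)), ("NOP",), ("INT", 0x13), ("HALT",),
       ("NOP",), ("HALT",)]

if __name__ == "__main__":
    full = emulate(LOOP)
    print("LOOP: executed=%d depth=%d flags=%s" % (full.executed, full.depth, sorted(full.flags)))
    cut = emulate(LOOP, max_instructions=6)
    print("LOOP, limit 6: executed=%d depth=%d stop=%r" % (cut.executed, cut.depth, cut.stop))
    print("SMC, queue modelled:", sorted(emulate(SMC, queue_len=3).flags))
    print("SMC, queue ignored: ", sorted(emulate(SMC).flags))
```

Running LOOP in full executes 9 instructions but reaches only a depth of 5; with the instruction limit cut to 6 the analysis ends inside the loop and never sees the INT 21h, while the same depth limit would have reached it. For SMC, modelling the queue is what lets the emulator see the INT 13h that the real CPU executes; ignoring it, the emulator follows the freshly written jump and reports nothing.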
******************************************************************************
Comparative test settings
═════════════════════════
The following parameters can be set for Comparative test:
Extension
Extension box contains the following:
Default - this group cannot be changed
Other - user definable list of extensions is used
Extensions... - to customise a list of extensions
It should be noted that files like *.TXT, *.DBF often change
and are unimportant as far as viruses are concerned. Only
program files - *.EXE, *.COM *.OVL etc. should be tested.
New and Erased files
The comparative test detects and reports not only changed
files, but also new files (their checksum is not in the
database) and erased files (their checksum is in the database
but the files are no longer on the drive). Such changes are
usually of little interest, so the user can set the update to
automatic: checksums of new and erased files are then updated
in the database without asking for confirmation. It should be
noted that automatic updating reduces control over these kinds
of change (a newly created file, including one dropped by a
virus, would be entered in the database without being
reported) and should be chosen only in justifiable cases.
Database name
Sets the name of the comparative database - default is AVG.GRS.
Scheduler
Allows a time interval (in days) for a scheduled test to be
defined. Whenever AVG is run the date is checked and the user
prompted when the time has come to run the test.
******************************************************************************
Utilities
═════════
Utilities contains the following:
Password
A password protects those features of AVG which are considered
as privileged. These features are not accessible as standard
(they are coloured differently in the menu) and must first be
activated with the password. This password, which is always
valid, is stored in the file {PWD} on the installation
diskette. This file is not copied to the hard disk during
installation.
Backup system areas
The system areas of disks and diskettes carry information
vital to the correct running of a computer and are the prime
targets of some viruses.
Removal of viruses from these regions is a very sensitive
procedure entailing the possibility of a system crash. The
simplest and most reliable method is to back them up. If
system regions are infected and/or damaged then they can be
restored to their original condition.
All important system areas are stored in one file from which
they can be retrieved. In AVG the following areas are backed up:
Partition table
Extended partition tables
Boot sectors of hard disks
CMOS memory.
Devices which DOS views as networked cannot be backed up.
The first step is to name the backup file. The default name is
A:\SYSTAB.GRS. Both name and path can be changed.
▀████▀ Do not save backup copies to the hard drive as they will be
▀▀ inaccessible if the system crashes - save them on a diskette.
▀▀
Backup follows entry of a file name. If this file already
exists, the user is warned and must confirm that it is to be
over-written. AVG also checks that the areas being backed up
are not infected; if they are, the program refuses to create
the backup.
Restore partition table and Restore boot sector
A list of devices is displayed. The file containing the backup
must be selected. AVG will accept only a file with the correct
structure and restore only after further confirmation.
Restore CMOS memory
The file containing the backup must be selected. AVG will
accept only a file with the correct structure and restore only
after further confirmation. The date and time will not be
restored.
╔═╤═╗ The menu item Restore system areas opens a dialogue box from
╟─┼─╢ which the selection is made. The process is then the same as
╚═╧═╝ given above.
Complete Reconstruction
┌────┐ Restores all system areas together. Should be used when more
│C:\>│ than one area is damaged and individual area restoration is not
└────┘ possible. It is usually necessary to boot from a clean system
diskette and then run AVG from that diskette.
All system areas will be restored without verification as to
whether or not they comply with current configuration.
On diskette this function replaces the Boot sector with a
generally valid structure of this region.
╔═╤═╗ Complete reconstruction is not available in AVG for WINDOWS
╟─┼─╢ because low-level disk access is not allowed.
╚═╧═╝
File viewer
┌────┐
│C:\>│ Displays text files distributed with AVG antivirus system.
└────┘
╔═╤═╗
╟─┼─╢ Not included in AVG for WINDOWS, as Notepad is adequate.
╚═╧═╝
Single step
This makes full heuristic analysis accessible in the form of a
debugger and allows code to be tested instruction by instruction.
It is intended for users with advanced knowledge of the system and
assembler to help them judge whether code is correct.
With this tool you can test:
Selected files
Partition table
Boot sectors
INT13 - Disk services control
INT21 - Operating system services
Single step is controlled by ENTER or the Space bar: one step is
executed and displayed per key press. To run non-stop press ALT+F;
pressing ALT+F again returns to single step.
These parameters may be set:
EXE relocation - relocations in EXE files are recalculated and
applied.
Detect cycles - jumps to repeating addresses are detected.
Log file - creates a single step report file.
**************************************************************************
EXIT
════
Correctly exits AVG
Exit
Exits program and returns to operating system
Restart Computer
An alternative is to reset the system. This should ALWAYS be used
when a virus has just been removed, otherwise the virus may remain
active in memory and continue to infect.
Restart Windows
Available only in AVG for WINDOWS.
***************************************************************************
Macros
══════
Macros are a useful way of carrying out frequent tests.
A macro file is a text file containing AVG commands, similar to the
commands in a command file. The file can have any name but its extension
must be MAK.
AVG checks for MAK files on start-up.
┌────┐
│C:\>│ A list of macros is displayed by pressing ALT+M.
└────┘
╔═╤═╗ A list of macros is displayed by clicking on the macro icon (camera).
╟─┼─╢
╚═╧═╝
Macro commands
The following commands can be used in a macro:
SCAN Activates Scan-test. The full syntax is:
SCAN [DEVICE:[\DIRECTORY[\FILE]]] [:number of days]
DEVICE:\DIRECTORY\FILE - device and/or directory, or
a particular file which is to be tested. Several
targets may be given, separated by spaces.
:number of days - time interval between runs of the
command from the macro file. If omitted or set to 0,
the command is always executed.
Example
SCAN C: D:\MYDIR:7
Runs Scan-test, if more than 7 days have passed since the
last test, on the whole of C: drive but on D: only
directory \MYDIR is tested.
COMP Activates comparative test. The syntax is the same as for the
SCAN command.
HEUR Activates heuristic analysis. Syntax is the same as for the
SCAN command.
/SUBDIR [+/-] Turns on/off testing of subdirectories.
/ANALYSIS[+/-] Turns on/off fast heuristic analysis.
/REPORTfilename Defines the name of the file to which the results
of the tests are to be logged.
/FASTREAD [+/-] Turns on/off fast reading.
/XMS[+/-] Turns on/off XMS memory usage.
/STEALTH [+/-] Turns on/off anti-Stealth technology.
More detailed information on the parameters /FASTREAD, /STEALTH
and /XMS can be found in the chapter Settings.
╔═╤═╗ The parameters /STEALTH, /XMS and /FASTREAD are ignored in AVG for
╟─┼─╢ WINDOWS as they are inapplicable.
╚═╧═╝
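The macro grammar above is small enough to be parsed by hand, and doing so shows the one awkward point in it: a target path already contains a colon after the drive letter, so the ":number of days" suffix has to be recognised as a trailing colon followed only by digits. The parser below, together with the scheduler rule from the SCAN example, is an added illustration written for this edition and is not code from AVG; the grammar is reconstructed from the syntax and example given above, the reading that a bare "C:" carries no interval while "C::7" means drive C: every 7 days is an assumption, and the sample macro text is constructed.

```python
"""Parser for AVG macro (.MAK) command lines, with the scheduler rule.
Added example for this edition, not AVG code: the grammar is reconstructed
from the syntax description and the SCAN example in the manual."""
import re
from dataclasses import dataclass
from datetime import date

TEST_VERBS = {"SCAN", "COMP", "HEUR"}
# Switches that take +/-; /REPORT takes a file name glued to the switch.
TOGGLE_SWITCHES = {"SUBDIR", "ANALYSIS", "FASTREAD", "XMS", "STEALTH"}


@dataclass(frozen=True)
class TestCommand:
    verb: str            # SCAN, COMP or HEUR
    targets: tuple       # e.g. ("C:", "D:\\MYDIR")
    days: int            # 0 = always run


@dataclass(frozen=True)
class Switch:
    name: str            # e.g. "SUBDIR" or "REPORT"
    value: object        # True/False for toggles, file name for REPORT


# "D:\MYDIR:7" -> path "D:\MYDIR", interval 7. A bare drive such as "C:" has
# no digits after its colon and keeps days = 0; "C::7" is drive C: every 7
# days (assumed reading). A file named only with digits in a drive's root,
# written without a backslash, would be ambiguous under this grammar.
_TARGET = re.compile(r"^(?P<path>.+):(?P<days>\d+)$")


def parse_line(line):
    """Parse one macro line into a TestCommand or a Switch (None for blank lines)."""
    line = line.strip()
    if not line:
        return None
    if line.startswith("/"):
        body = line[1:]
        if body.upper().startswith("REPORT"):
            return Switch("REPORT", body[len("REPORT"):].strip())
        m = re.fullmatch(r"(?P<name>[A-Za-z]+)\s*(?P<sign>[+-])?", body)
        if not m or m["name"].upper() not in TOGGLE_SWITCHES:
            raise ValueError("unknown switch: %s" % line)
        return Switch(m["name"].upper(), m["sign"] != "-")   # bare "/SUBDIR" counts as on
    verb, *args = line.split()
    verb = verb.upper()
    if verb not in TEST_VERBS:
        raise ValueError("unknown macro command: %s" % line)
    targets, days = [], 0
    for i, tok in enumerate(args):
        m = _TARGET.match(tok)
        if m:
            if i != len(args) - 1:
                raise ValueError("the :days interval must follow the last target: %s" % line)
            days = int(m["days"])
            tok = m["path"]
        targets.append(tok)
    return TestCommand(verb, tuple(targets), days)


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


def is_due(cmd, last_run, today):
    """Scheduler rule: run if no interval is set, the test never ran, or more
    than `days` days have passed since the last run. Dates may be date
    objects or ISO strings."""
    if cmd.days == 0 or last_run is None:
        return True
    return (_as_date(today) - _as_date(last_run)).days > cmd.days


def load_macro(text):
    """All commands of a .MAK file, in order, blank lines skipped."""
    return [c for c in (parse_line(l) for l in text.splitlines()) if c is not None]


# Constructed sample macro, built around the manual's own SCAN example.
SAMPLE_MAK = """\
/SUBDIR+
/REPORT C:\\AVG\\WEEKLY.LOG
SCAN C: D:\\MYDIR:7
HEUR C:\\DOS
"""

if __name__ == "__main__":
    for cmd in load_macro(SAMPLE_MAK):
        if isinstance(cmd, TestCommand):
            due = is_due(cmd, "1996-10-20", "1996-10-30")
            print(cmd, "-> due" if due else "-> not due")
        else:
            print(cmd)
```

With the constructed dates, the SCAN line is due because ten days have passed and the interval is seven; the HEUR line has no interval and is always due.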
**************************************************************************
User definition of new viruses
══════════════════════════════
AVG works with a virus database (AVG.AVI) which is updated regularly.
Should this file not exist, most features will be unavailable. It is
possible to complement AVG.AVI with a user file in which additional
virus definitions can be entered. This file must be named EXTERN.AVI.
Each virus definition must be on one line with the following syntax:
Sequence
First give the sequence (virus identifier) which must be written
in hexadecimal form.
If the sequence contains a variable byte, use the symbol ??.
For a variable number of variable bytes, use the symbol [x],
where x is the number of variable bytes, or [x-y] for a range:
[3] is the same as ?? ?? ??, and [0-3] matches no byte at all,
??, ?? ?? or ?? ?? ??.
Virus name
The name of the virus follows in quotes.
Type of infection
The type of virus infection defines where this virus can be found:
M - infects memory
C - infects COM files
E - infects EXE files
B - infects system areas
Comment
A comment can follow - must be preceded by double slash //.
A typical example could be this definition of an imaginary virus:
CD 21 BB 00 2A ?? BB FF [0-5] FF "Imaginary" MCE //comment
▀████▀ Sequences published in technical literature
▀▀ should be weighed with care. They are sometimes inaccurate and could
▀▀ cause false alarms or significantly decrease the speed of AVG. Some
published sequences are not for general use and can be used only
with a particular brand of antivirus software.
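A definition line in this format maps naturally onto a byte-oriented regular expression, which is a convenient way to check a published sequence against sample files before adding it to EXTERN.AVI. The compiler below is an added illustration written for this edition and is not AVG's matching code: the line grammar follows the description above, the sample EXTERN.AVI text (the manual's imaginary virus plus a second, equally imaginary boot-area definition), the constructed COM and boot-sector bytes, and the rule that a definition is only applied to the kinds of object named in its type letters are assumptions made for the example.

```python
"""Compiler for EXTERN.AVI virus definitions into byte-regex matchers.
Added example for this edition, not AVG code: the line grammar follows the
manual's description; the sample file and test bytes are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Definition:
    name: str
    types: str           # subset of "MCEB": memory, COM, EXE, system areas
    pattern: object      # compiled bytes regex
    comment: str = ""


_HEX = re.compile(r"^[0-9A-Fa-f]{2}$")
_VAR = re.compile(r"^\[(\d+)(?:-(\d+))?\]$")
_LINE = re.compile(
    r'^(?P<seq>[^"]+?)\s*"(?P<name>[^"]+)"\s*(?P<types>[MCEB]+)\s*(?://\s*(?P<comment>.*))?$')


def compile_sequence(seq):
    """Turn 'CD 21 ?? [0-5] FF' into a bytes regex: hex -> literal byte,
    ?? -> any one byte, [x] -> exactly x bytes, [x-y] -> x to y bytes."""
    parts = []
    for tok in seq.split():
        if tok == "??":
            parts.append(b".")
        elif _HEX.match(tok):
            parts.append(b"\\x%02x" % int(tok, 16))
        else:
            m = _VAR.match(tok)
            if not m:
                raise ValueError("bad token %r in sequence %r" % (tok, seq))
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            if hi < lo:
                raise ValueError("bad range %r" % tok)
            parts.append(b".{%d,%d}" % (lo, hi))
    if not parts:
        raise ValueError("empty sequence")
    # DOTALL: '.' must match every byte value, including 0x0A.
    return re.compile(b"".join(parts), re.DOTALL)


def parse_definition(line):
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("malformed definition: %r" % line)
    return Definition(m["name"], m["types"], compile_sequence(m["seq"]), m["comment"] or "")


def load_definitions(text):
    """One definition per non-blank line, as in EXTERN.AVI."""
    return [parse_definition(l) for l in text.splitlines() if l.strip()]


def scan(data, definitions, kind):
    """Return names of definitions whose sequence occurs in `data`.
    `kind` is one of M, C, E, B; only definitions for that kind are applied,
    so a system-area signature is not searched for in COM files."""
    return [d.name for d in definitions if kind in d.types and d.pattern.search(data)]


# Constructed EXTERN.AVI: the manual's imaginary virus plus a boot-area one.
SAMPLE_AVI = '''\
CD 21 BB 00 2A ?? BB FF [0-5] FF "Imaginary" MCE //comment
EB 3C 90 [8] 00 02 ?? ?? 02 "Imaginary-Boot" B
'''

# Constructed sample files: the first contains the Imaginary sequence with
# one variable byte (99) and two filler bytes (01 02) inside the [0-5] gap.
INFECTED_COM = b"\xb8\x00\x4c" + bytes.fromhex("CD21BB002A99BBFF0102FF") + b"\xcd\x20"
# Six filler bytes exceed the [0-5] range, so this one must not match.
CLEAN_COM = b"\xb8\x00\x4c" + bytes.fromhex("CD21BB002A99BBFF010203040506FF") + b"\xcd\x20"
# Constructed start of a boot sector: jump, 8-byte OEM name, 512-byte sectors.
BOOT = bytes.fromhex("EB3C90") + b"MSDOS5.0" + bytes.fromhex("0002") + b"\x08\x00" + b"\x02"

if __name__ == "__main__":
    defs = load_definitions(SAMPLE_AVI)
    for d in defs:
        print(d.name, d.types, d.pattern.pattern)
    print("infected COM:", scan(INFECTED_COM, defs, "C"))
    print("clean COM:   ", scan(CLEAN_COM, defs, "C"))
    print("boot sector: ", scan(BOOT, defs, "B"))
```

The warning above about published sequences applies directly here: a sequence built mostly from ?? and wide [x-y] ranges matches far more bytes than the author intended, produces false alarms, and is also slow to search for, which is why the compiler rejects empty sequences but cannot judge whether a syntactically valid one is selective enough.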
******************************************************************************
User validation
═══════════════
As was stated in the chapters on fast heuristic analysis and full
heuristic analysis, both are to some degree sensitive to
non-standard programs. It is a fact, however, that a number of
legitimate programs must bypass the operating system in order to
achieve the required result, and so exhibit virus-like behaviour.
What is validation?
One way to eliminate false alarms in heuristic analysis is the
method of validation. Heuristic analysis has a list of files
(AVG.AVF) which are known to cause false alarms. Whenever a
suspect file is encountered, AVG.AVF is referred to and providing
that all data (CRC etc.) correspond, the analysis denotes the file
as correct - no alarm is given.
AVG.AVF is created and updated regularly by GRISOFT. However, it
has been found to be very useful to allow the user to add his own
entries to a separate validation file EXTERN.AVF.
▀████▀ The possibility of user validation also involves a certain degree
▀▀ of danger. If, by mistake, a file is validated that has really
▀▀ been infected by a virus, AVG will not be able to detect the virus
in this file!!! User validation should only be carried out by an
experienced user and then only for those programs which are
definitely uninfected, or their design has been discussed with
their manufacturer.
User entry into EXTERN.AVF file
To add a new entry to EXTERN.AVF, use the command:
MANAVF.EXE name_of_file
Give the name of the file together with its path, so that
MANAVF.EXE can find the file and calculate its checksum
information. MANAVF.EXE opens or creates EXTERN.AVF and adds a
record describing the validated file: its name, checksum and
length.
Deletion of entry
Each entry in EXTERN.AVF has its own line. The user can thus later
delete any validation by editing the EXTERN.AVF file.
Use of EXTERN.AVF file
EXTERN.AVF is always read by AVG on start-up. If AVG is copied to a
diskette, AVG.AVF and EXTERN.AVF must be copied with it.
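The following model shows what the validation list does and does not protect against: an entry suppresses the alarm only while the file is byte-for-byte the one that was validated, so a validated program that is later modified triggers again, but a file that was already infected when it was validated stays silent. This is an added illustration written for this edition, not MANAVF.EXE or AVG code. The real record layout and checksum algorithm are not documented on this page; the example assumes one whitespace-separated line per file of the form "name length crc32" and uses CRC-32 as the checksum, and the sample file bytes and heuristic flags are constructed.

```python
"""Model of the EXTERN.AVF validation list: how MANAVF.EXE-style entries are
built and how a suspicious file is checked against them.
Added example for this edition, not AVG code. The record layout
("name length crc32" per line) and the use of CRC-32 are assumptions."""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str      # file name as given on the MANAVF.EXE command line
    length: int
    crc: int


def make_entry(name, data):
    """What MANAVF.EXE records about a file: name, checksum, length (CRC-32 assumed)."""
    return Entry(name.upper(), len(data), zlib.crc32(data) & 0xFFFFFFFF)


def format_entry(e):
    return "%s %d %08X" % (e.name, e.length, e.crc)


def parse_avf(text):
    """Read the assumed line format back into Entry records; blank lines skipped."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            name, length, crc = line.split()
            entries.append(Entry(name.upper(), int(length), int(crc, 16)))
    return entries


def add_validation(avf_text, name, data):
    """MANAVF.EXE behaviour: open or create EXTERN.AVF and append one line."""
    return avf_text + format_entry(make_entry(name, data)) + "\n"


def is_validated(name, data, entries):
    """The check made when a suspect file is found: suppress the alarm only if
    name, length and checksum all correspond, i.e. the file is exactly the
    one that was validated."""
    return make_entry(name, data) in entries


def evaluate(name, data, heuristic_flags, entries):
    """Verdict as the manual describes it: a file that raised heuristic flags
    but matches a validation entry is reported as correct."""
    if heuristic_flags and not is_validated(name, data, entries):
        return "Suspicion"
    return "File OK"


# Constructed sample: a tool that writes to I/O ports and so raises {p}.
TOOL = b"\xba\x60\x00\xec\xcd\x20"        # constructed bytes, not a real program
MODIFIED_TOOL = TOOL + b"\xeb\xfe"        # the same tool with something appended

if __name__ == "__main__":
    avf = add_validation("", "C:\\UTIL\\PORTTOOL.COM", TOOL)
    entries = parse_avf(avf)
    print(avf.strip())
    print("validated copy: ", evaluate("C:\\UTIL\\PORTTOOL.COM", TOOL, {"p"}, entries))
    print("modified copy:  ", evaluate("C:\\UTIL\\PORTTOOL.COM", MODIFIED_TOOL, {"p", "w"}, entries))
```

The second verdict is the reassuring case: once the validated file changes, its length and CRC no longer correspond and the heuristic alarm is back. The danger described in the warning above is the mirror image: had MODIFIED_TOOL itself been passed to MANAVF.EXE, its entry would silence every later alarm on that file.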
******************************************************************************
Appendices
══════════
List of ERRORLEVEL values returned by AVG
0 AVG found nothing important or suspicious
1 AVG was aborted by Ctrl-Break
2 AVG detected error
3 Comparative test found change in files
4 Comparative test found change in system areas
5 Code analysis detected suspect file
6 Code analysis detected suspect system area
7 Scan-test found file infected by known virus
8 Scan-test found system area infected by known virus
9 Memory test found virus
10 Memory test found aggressive virus
11 AVG found internal error
Test evaluation
AVG's evaluation of files/system areas ranges from OK to Infected by
a known virus. Since some users have been confused by the different
kinds of wording, we give here a survey of all the verdicts together
with an explanation of each.
File OK
The tested file is completely in order.
Faulty file
File contains an incorrect instruction - it may not run, or may
crash the system.
Can cause system RESET
Analysis has found an instruction that would lead to a RESET of
the computer. This might be the residue of a virus infection or,
more probably, a file damaged by a virus.
Suspicion
Analysis has detected some unusual symptoms in a file. In most
cases this does not mean the presence of a virus.
Could be infected
Analysis has detected many symptoms in a file. The file is
either infected or extremely non-standard.
Probably infected by an unknown virus
Analysis has detected so many symptoms that presence of an
unknown virus is highly likely.
Probably infected by a known virus
Analysis has detected a known virus in the file but with fewer
symptoms than expected. The file is most probably infected.
Infected
A known virus has been found.
Heuristic analysis flags - in alphabetical order.
{&} Asynchronous code
An asynchronous move is used in the code, which could be employed
for trick modification of the code. Heuristics cannot guarantee
exact emulation of the asynchronous move.
{a} Sets file attributes
A routine which modifies file attributes. Typical of file
viruses which can then infect READ-ONLY files.
{A} Suspect allocation of memory
Uses methods which normally occur in memory resident file
viruses.
{B} Return to entry point
A jump to the original entry address was detected. For COM
files this means a return to the address PSP:100h; for EXE
files the analysis first finds the calculation of that address,
or an indexed jump such as JMP [SI+jjkk], by which the virus
passes control back to its host. This symptom is of key
importance for heuristic treatment.
{b} Uses direct disk services
A method used by many viruses. Normal programs do not usually
use these services.
{c} Incorrect date and time
The file has a nonsensical time-stamp. A virus can mark its
victims by using an incorrect time-stamp.
{C} Sets incorrect file time
Used by viruses to mark files that are infected. As a rule, the
file is given a nonsensical time-stamp, such as 10:00:62. From
this the virus knows that it has already infected this file.
{D} Controls disk services
Takes control of disk operations. Typical of some utilities
working with a disk and of all boot viruses and some file
viruses, particularly of the stealth type.
{e} Seek to end of file
Analysis detected that the pointer is sent to the end of the
file. File viruses can append themselves in this way.
{E} Finds dynamic entry point
Locates relative address. Typical of some file viruses.
{f} Suspicious access to files
Detected file access techniques which rarely occur in normal
programs.
{g} Confusing instructions
Instructions found that are aimed at making identification of
a virus difficult and which obviously have no other
significance. Typical for mutation viruses which interweave
their code loops with many different short instructions in
order to confuse the antivirus software.
{i} Faulty instructions
Analysis has detected a faulty instruction or synchronisation
of heuristic analysis has failed. In the latter case the final
evaluation may not be entirely exact.
{J} Suspect jump
Detected a suspiciously constructed jump typical for most file
viruses.
{l} Code in lower memory
Uses free space in base memory to place its code. This
irregular technique is used by viruses and some protective
programs. In this way the virus achieves greater fragmentation
of its code in order to make detection more difficult.
{L} Controls opening of files
If a virus is resident it can attack files as they are opened
or run. A routine was found that hooks the DOS interrupt
service (INT 21h) and is activated on such a call, e.g. on
function 4Bh (load and execute a program).
{m} Modifies memory
Direct modification of the MCB structures has taken place.
Typical of resident file viruses which in this way gain a
place in the memory to control the system.
{M} Changes size of base memory
A change detected in the size of base memory. Typical for boot
viruses and some resident file viruses.
{o} Opens file
Opens EXE/COM files with write permission. Used by viruses to
infect files when opened. It can also occur in normal
applications.
{O} Controls services of operating system
Takes control over the operating system. Typical for all
resident viruses and some correct resident programs.
{p} Writing to ports
Writing to ports can be used for uncontrollable operations. It
occurs with some viruses and with special programs (drivers).
{r} Reads file
Reads an open EXE/COM file. Can also occur in correct programs.
{R} Resident code
Code becomes resident. Common to all resident viruses and is
also used by correct resident programs. If this flag is found,
first determine whether the tested program is resident.
{s} Suspiciously set stack
Stack can be interleaved with code. This is typical of viruses
but also occurs with special programs.
{S} Seeks executable files
Seeks out files on a disk. Typical of viruses that attack
directly - they usually seek out files under the mask of *.COM
and *.EXE.
{t} Requests date and time
If this is a virus then it is activated when specific time
conditions are fulfilled.
{T} Checks steps and breakpoints
Overwriting the single-step and breakpoint interrupt vectors
(INT 1 and INT 3) makes decoding a program with a debugger
difficult or even impossible. This method is used only by
viruses and protective programs.
{U} Uses undocumented function
By calling up a non-standard function the program can
ascertain whether it is already resident in memory.
This occurs with some resident applications and with
most resident file viruses.
{w} Write to EXE/COM files
Typical of file viruses.
{W} Direct write to disk
A routine which writes directly to disk was detected. Typical of
boot viruses and of all destructive viruses.
{x} Interrupted
Time limit reached or test aborted by key press - test not
completed. To adjust maximum time see Settings - Heuristic
analysis settings - Advanced.
{X} Coded
Detected a decoding routine. Typical of mutation viruses.
{Z} Distinguishes between EXE and COM
Used by file viruses which need to determine the type of host
before attack. Correct programs generally have no need of such
a distinction.
{!} Switches off resident antivirus protection
Typical of a virus which before spreading tries to switch off
antivirus defences.
Acknowledgements
AVG is a registered trademark of GRISOFT(c)SOFTWARE
IBM PC XT/AT are registered trademarks of IBM
MS-DOS, Windows, Windows 95, Windows NT are registered trademarks of
Microsoft Corporation
DR-DOS, DoubleStore, DoubleSpace are registered trademarks of
Digital Research Inc.
Novell Netware is a registered trademark of Novell Inc.
Stacker is a registered trademark of STAC Electronics