This allows you to exit IM to the DOS prompt, but leaves
Integrity Master loaded in memory so you can quickly return by
using the Exit command. Shelling allows you to exit IM, and
execute most other programs at the DOS prompt (such as copying
files or formatting disks).
Disk Change and DiRectory Change
You'll mostly use this menu to change the current disk or
directory. (You can also use the "/D" command line option to
change to one or more other disks or use the "/P" command line
parameter to start in a different directory.)
Quit - exit Integrity Master
In addition to using the "Quit - exit Integrity Master" option on
the CoMmands menu, you can use the ESCape and alt/X keys to
terminate IM from any point. The ESCape key allows you to
terminate most IM menus without taking any action and return to
the prior menu. The only exceptions to this are menus which
require a response one way or another. These are usually the
result of a detected error of some type. If you press ESCape
enough times, IM will ask if you really want to quit. You must
select "Yes" and press ENTER to exit. The fastest way to exit
IM is by pressing alt/X (hold the ALTernate key down and press
the "X" key). This allows you to quickly exit without the final
"Do you really want to quit?" prompt.
Integrity Master (tm) - 25 - Version 3.02
Uninstall - delete integrity data
If you have integrity data files in each directory of your hard
disk, you can quickly delete these files by selecting Uninstall
on the CoMmands menu. If your integrity data is stored on a
different disk than the files it describes (such as a floppy)
then this option will have no effect.
THE STATISTICS SUMMARY
Whenever you finish checking files, IM will show you a summary of
its findings. Since the summary contains a time and date stamp,
you can use the report file as a chronological log of all changes
on your PC, even if you have it going to the printer. The summary
shows statistics for all file changes, as well as system sector and
memory checking. IM reports the number of times it checked a
file's integrity data against the DOS directory information, as
"files processed". It also reports a separate count of the number
of files actually read and checked. IM resets all statistics (with
the exception of the memory check results) each time after it
displays the summary statistics. This means that on subsequent
file checks, the system sectors will be indicated as "Not checked"
even though they were indicated as checked on the prior display.
Why is this? IM does this because some disks are removable and
disk X may suddenly be a different disk. IM shows the statistics
for any viruses, suspicious files, or system corruption (which
includes file open and read errors) in red.
The item "PC Config.:" displays the results of the "Resident
programs and memory" check.
VIRUSES - WHAT ARE THEY?
Viruses are but one of many threats to your data. You are far less
likely to be hurt by a virus than by other causes of data damage
such as software conflicts and general glitches of various types.
Viruses are programs that attach themselves to other programs in
such a way that when the other program is executed, the virus code
will also execute. The infected program usually appears to execute
normally but the virus may be attaching itself to additional
programs each time the infected program runs. Many viruses are
triggered by some event (such as a particular time or date) into an
attack phase, resulting in anything from music to serious file
damage. Viruses often wait a long time before attacking; their
goal is to spread as far as possible before revealing their
presence. Some viruses go resident in your PC's memory, taking
over your PC. This enables them to infect at will and elude
detection attempts.
A virus may attach itself to programs in two ways that many people
are not aware of. The first way is to infect the programs that are
in the system (boot and partition) sectors of your PC. The second
way is by changing system information on your PC so that the virus
code is executed before the intended program. The most obvious way
to do this depends on the fact that if both a .COM and .EXE file
have the same name, DOS will execute the .COM file instead of the
.EXE file. Such a virus is commonly called a companion or spawning
virus. These viruses locate .EXE files and then plant themselves as
.COM files of the same name. The virus (the .COM file) can
execute, spread further, and then run the .EXE program so that
everything appears normal. (Don't worry; IM detects all types of
viruses!) Please read PART TWO -- Data Integrity and Viruses to
learn more about viruses.
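The same-name .COM/.EXE condition described above can be checked for directly. The following Python code is an added example, not part of Integrity Master or its manual; the function names, the `known` set (standing in for previously recorded integrity data) and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile


def find_companions(root, known=frozenset()):
    """Find .COM files that share a directory and base name with an .EXE.

    `known` holds upper-cased relative paths recorded when the disk was
    last trusted (an assumption standing in for integrity data).
    Returns (com_path, exe_path, is_new) tuples, newly appeared .COM first.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_base = {}
        for name in files:
            base, ext = os.path.splitext(name)
            # DOS file names are case-insensitive, so compare in upper case.
            by_base.setdefault(base.upper(), {})[ext.upper()] = name
        for exts in by_base.values():
            if ".COM" in exts and ".EXE" in exts:
                com = os.path.relpath(os.path.join(dirpath, exts[".COM"]), root)
                exe = os.path.relpath(os.path.join(dirpath, exts[".EXE"]), root)
                # A pair that already existed at baseline time is usually
                # legitimate; a .COM that appeared later deserves review.
                hits.append((com, exe, com.upper() not in known))
    hits.sort(key=lambda h: (not h[2], h[0].upper()))
    return hits


def demo():
    """Run the check on a constructed sample tree; paths use "/" for display."""
    layout = ["DOS/FORMAT.COM", "DOS/EDIT.COM", "DOS/EDIT.EXE",
              "UTIL/PKUNZIP.EXE", "UTIL/pkunzip.com",
              "UTIL/LIST.COM", "GAMES/LIST.EXE"]
    with tempfile.TemporaryDirectory() as root:
        for rel in layout:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample")
        # Assumption: every file except UTIL/pkunzip.com was in the baseline.
        known = {os.path.join(*rel.upper().split("/"))
                 for rel in layout if rel != "UTIL/pkunzip.com"}
        return [(com.replace(os.sep, "/"), exe.replace(os.sep, "/"), new)
                for com, exe, new in find_companions(root, known)]


if __name__ == "__main__":
    for com, exe, new in demo():
        print("NEW " if new else "old ", com, "runs before", exe)
```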
VIRUS CHECKING PROCEDURE
When you install Integrity Master using SetupIM, the Integrity
Advisor will prepare a complete procedure for running IM. If you
indicated that you wanted to detect viruses, then this procedure
would include the steps you need to check for viruses. This step by
step procedure is customized to your own preferences, so be sure to
read file IMPROC.TXT first.
To be certain of detecting even unknown viruses, it is best to cold
boot from your write-protected floppy containing IM before checking
for viruses. Do NOT use Ctrl/alt/del to boot, but turn your PC off
and then on. Some PCs have a reset button that will force a cold
boot. (Version three of IM provides an alternative to cold booting
by performing a resident program check that will detect
memory-resident viruses.)
Whenever you engage in any activity that changes or rearranges many
files, run at least a "Quick update", so that your integrity data
accurately reflects the status of your PC. Use the Options menu to
change the type of integrity checking.
o With Integrity "CHECK ON", do a full integrity check (rather than
a "quick update") of all files at least once a month to detect
any unexpected changes.
o If your work exposes you to programs that may be infected with
viruses, do a daily full check of your disk for any unauthorized
changes. To save time, use the Options menu to limit checking to
executable programs. Check at least the current directory if you
have executed any new or "strange" programs.
o After installing any new software, IMMEDIATELY run IM to
initialize the integrity data for the new files you have created.
Be sure that you save a write-protected disk containing a copy of
the software. It is vital that you do this before you start to
use the software.
o It is worth doing some extra checking any time you copy programs
(e.g., *.EXE or *.COM files). When you copy programs, copy your
integrity data also. For example, if you are doing something
like a "COPY *.EXE D:\DOS", then also enter a command to copy
the integrity data to "D:\DOS". (If you're not sure what the
names of your integrity data files are, check your IMPROC.TXT
file or select "Integrity data options" on the SetupIM Change
menu.) If you simply copy all files (COPY *.*), then you won't
have to worry; the integrity data will automatically be copied
along with the programs. Afterwards, run IM to check that the
files were copied without damage or virus infection. Naturally,
IM will report any files that weren't copied as deleted when you
run this check.
SCANNING FOR VIRUSES
To quickly do nothing but scan one or more disks for known viruses:
o Use the CoMmands menu or the "/Dx" command line parameter to
change to the drive you want to scan.
o Use the Options menu to turn the report off or to set the report
to go to the printer or your hard disk.
o From the Check menu choose "Disk for known Viruses". Press ENTER
and select either "One-time scan of disk" or (if you're planning
to check several floppies) "Check Multiple diskettes".
o Some viruses will create a boot sector that can hang DOS or
Windows. If your PC should freeze while checking a diskette, then
reboot and select "Scan floppy Boot sectors" from the "Disk for
known Viruses" menu. This will check the diskette without using
DOS.
o This scans the first disk. When you see the display summarizing
the results of the scan, insert the next diskette and press enter
to scan that diskette or press ESCape if you're done scanning.
You can also use the command "IM /Dx /VM" to scan multiple
diskettes in drive x. Use "/VO" rather than "/VM" to scan only one
diskette.
IM will return a DOS error level of 64 or greater if it detects a
known virus, so you can have a batch file do automated scanning.
We provide some batch files that do this for you and serve as
samples for using IM in your own batch files:
IMSCAN.BAT This batch file allows you to scan files on an entire
disk or specific directory on a disk and all lower
subdirectories. For example, to scan files on disk C, type
"IMSCAN C:" or to scan subdirectory DOS and all lower
directories (e.g., \DOS\UTILS) type "IMSCAN \DOS". If you
don't want to check memory each time, include a "/B" (e.g.,
"IMSCAN \DOS /B").
IMSCAND.BAT This allows you to scan a specific subdirectory. You
can specify just the subdirectory or both the subdirectory and
the disk (e.g., "IMSCAND C:\PCB\UPLOADS").
IMSCANM.BAT Allows you to scan multiple diskettes for known
viruses. After each diskette, IM will prompt you to insert
another.
IMQ.BAT Does a check in "Quick Update" mode of your current
disk. This scans memory and the system sectors for known
viruses and then checks only the files that have changed,
providing a very fast way to check an entire disk for known
viruses. This also keeps your integrity data current for all
files so that you are up-to-date in case of a problem. If you
want to specify a different disk to check, you must use the
"/Dx" command line switch (e.g., "IMQ /DCF" will check both
drive C and drive F).
IMONCE.BAT Uses RunMaybe to run a "Quick Update" once a day. This
is the fastest way to make sure your disk stays clear of
viruses.
IMAUTO.BAT Will create a backup copy of your AUTOEXEC.BAT file and
then modify it to include the once-a-day "Quick Update" from
IMONCE.BAT. This way your PC will get a daily quick check.
To scan a disk for known viruses AND to get data integrity
protection:
o Use the Options menu and set the "Files to iNitialize" option to
"Executable programs."
o Use the Initialize menu to initialize "Entire disk integrity".
The command line options: /VA, /VB, /VM, /VO, /VR, and /VL are
available for scanning. Remember that virus scanning will detect
only viruses known at the time this program was written. As with
any scan program, you should have the latest version if you intend
to rely upon scanning for serious protection.
SCANNING DISKETTES
If you have detected a boot sector virus on your hard disk, you
will want to scan all your floppy diskettes for infected boot
sectors. To do this, select "Disk for known Viruses" (from the
"Check" menu), then select "Scan floppy Boot sectors" or just start
IM with the "/VB" command line option. This will allow you to
quickly scan diskettes (bypassing DOS) and remove any viruses
found. Using this option, you can scan diskettes that contain boot
sectors that are unreadable by DOS (or which will cause DOS to
crash.)
QUICK SCANNING
Integrity Master provides an ultra-fast way to effectively perform
a full scan of your hard disk. We call this "Quick scanning".
Quick scanning is only possible on disks where you have allowed IM
to perform an initialize to establish initial disk integrity. Once
you have initialized a disk, you can ask IM to check in "quick
update" mode. This fully checks only files that show signs of
changes or that have been added. This is not as effective as
running Integrity Master in its normal mode which provides full
integrity checking, but this provides scanning as effective as that
provided by any of the other scan programs and runs much, much
faster. These types of checks are so fast that most users don't
mind including a daily scan. One way to make sure this happens
regularly is to execute IMAUTO. This will modify your AUTOEXEC.BAT
so that IM runs in quick update mode once a day. Take a look at
the IMQ batch file or follow these steps to do a quick scan:
o Choose a disk on which you have run an "IM initialize" at some
point in time. (This initialize need not be recent.) Use the
CoMmands menu or the "/Dx" command line parameter to change to
the drive you want to scan.
o Use the Options menu or the "/Q" command line parameter to place
IM in "quick update" mode.
o Now run a check of this disk. If you do this frequently, you can
check even a very large disk very quickly. The command: "IM /Q
/N /DCD" would very quickly scan disks C and D as well as provide
a report of any changes.
SCANNING UPLOADS
You can use IM to scan uploads to your BBS. The command
IM /VR /ND /B
will scan the current directory or
IM /VR /ND /B /Pxxxx
will scan the directory (and/or disk) specified by xxxx.
If your upload processor provides a filespec like "*.*" or "*.COM",
you do not need to feed it to IM on the command line. However, if
it does provide one, you can include it as the first parameter (e.g., "IM
@FILES@ /B /VR /ND").
IM returns an ERRORLEVEL of 64 or greater if it finds a virus.
SCANNING .ZIP FILES FOR VIRUSES
We provide some utilities that automate scanning of zip compressed
files. File scanzip.zip contains these .bat files. You can use the
unzip.exe program that is on the IM distribution diskette to
extract the contents of scanzip.zip. Read or print file
READMEZ.DOC for directions on how to scan a single .zip file or a
complete disk of .zip files. These utilities require the use of
program PKunzip to decompress the .zip files. READMEZ.DOC also
explains how to process other archive types such as ARJ.
DETECTING VIRUSES
o Make sure that you specified that you wanted virus protection
when you installed IM. If you didn't, then run SetupIM and
select "Reinstall".
o For maximum protection make sure that you carefully followed
SetupIM's instructions in IMPROC.TXT (created only when you do a
full install with SetupIM).
o If a virus is found on your PC, IM will almost always recognize
it by name and explain how to remove it. IM will also advise if
viral signs are present on changes that don't match known
viruses.
o Whenever IM reports a change to an executable program, it's
important to discover the cause. Some programs modify themselves
when you change their options; some programs change themselves
every time they run. Changes to executable programs are
indicated in red on the report screen and are bracketed by "...."
to make these changes obvious.
o If only a single program has changed and IM does not reveal this
to be corruption, then you probably do NOT have a virus. If you
have any doubt that a program change may be a virus, be very
careful and run full checks with IM after executing this program.
(Cold boot (power off and on) from a floppy before running IM.)
Any program changes detected at this point indicate a virus.
Please report this (see file VIRREP.DOC for complete details on
reporting viruses).
o For speed, use the Options menu to limit checking to executable
files.
DETECTING UNKNOWN (NEW) VIRUSES
IM has the capability to detect infection by an unknown (new) virus as
well as the ability to identify known viruses and their characteristics.
If IM detects an unknown virus, it clearly can't provide the detailed
information that it provides when it detects a known virus. Because of
some of the generic detection techniques used in IM, there's a good
chance that it will identify and describe a new virus. How is this
possible? This is only possible if the virus is not totally new but a
modification of an existing virus. In this case, IM may identify the
"new" virus as a virus it knows about because someone created the
new virus by simply making some changes to an existing virus. (Most
"new" viruses are created in exactly this way.) IM will usually notice
the code from the old virus still present in the new virus and identify it
in this way.
What about totally new viruses? These are a little more work to
identify. In this case, IM will inform you that it has detected a
change in a file or a system sector, but won't announce that a
virus is present, unless it's similar to a known virus.
How do we decide whether a virus is responsible for the detected
change? Consider the following factors:
o Has IM identified virus-like symptoms with this change? Such
symptoms include an unusual value in the DOS time or date stamp,
and file corruption detected (no change to the time and date
stamp but a change to the file).
o Are numerous unrelated executable files changed?
If the answer to one or both of these questions is "yes" then it's
time to do some more checking to see if it's really a virus.
Please read the section on Virus Signs and Playing Detective in
Part Two - Data Integrity and Viruses. Following these procedures
will let you determine if you have encountered a brand new virus
(lucky you!). If you have encountered a virus, or you are not
sure, please contact us; see file VIRREP.DOC for details on
reporting viruses.
THE INTEGRITY MASTER VIRUS REPORT
When IM detects a known virus it will optionally present at least
one full screen of information. The virus report screen gives you
the following information:
o The name of the virus. This is usually the CARO (Computer
Antivirus Research Organization) name or the name used by the
UK's Virus Bulletin, but in some cases we use an abbreviated or
more common name. This name corresponds to an entry in file
VTEXT.DOC. Many viruses have been built as modifications to
existing viruses. By identifying common (hard to change) code
elements in the base virus, IM can identify multiple viruses by
spotting their common characteristics. This means for example
that if IM reports the Jerusalem virus, it could also be the
Anarkia, Anarkia-B or the Payday virus. Since viruses go by many
names, alternate names for the same virus are listed in this
table too.
o IM lists the type of files or system sectors infected by this
virus.
o If the virus is known to seriously interfere with normal
operation of your PC, this is mentioned. We don't classify
messages, bouncing balls, or music as serious interference. We do
consider slowing execution of your PC or halting the system as
serious.
o IM will mention if the virus is known to either deliberately or
inadvertently damage data on your disk. Beware though, some idiot
could, at any point in time, modify a previously harmless virus
to do something destructive. An example of this is the Cascade
virus (letters cascade down on your screen when this virus
activates). The first version of this virus was harmless, but
someone created a variant that will format your disk. In this
case, IM makes a special check for the dangerous variant of the
virus and warns you if it's detected. In spite of this, please,
NEVER assume that a virus is harmless. If we don't mention that
a virus is known to damage files, it means only that no one has
reported damage from this virus. Be careful; you may have a
variant of the virus that might very well be dangerous!
o IM presents step-by-step removal instructions for the virus as well
as the option of automatic removal.
Sometimes IM presents additional screens describing necessary or
suggested actions. This is true if the virus is detected in
memory. When IM first starts, it checks the memory of the PC for
the presence of known viruses (unless you deactivate this check
using SetupIM or the "/B" (bypass) command line parameter); if IM
detects a virus, it will ask you to immediately cold boot your PC.
Checking further at this point could be very dangerous since it
might spread the virus. If IM detects a special virus such as a
companion or cluster virus, (see PART TWO for details) it will
display an extra screen identifying that virus along with more
detailed information about the virus.
FALSE ALARMS
If IM announces detection of a known virus, could this be a false
alarm (not really a virus)? If IM has checked this file before or
if it has found more than one file infected, then you very likely
have a REAL VIRUS! If this is the first time that IM checked this
file, and if it found only one file infected after checking your
entire disk, then it's probably a false alarm (unless this file is
COMMAND.COM or one of the programs provided with DOS). There is
always some risk that a legitimate program might contain code that
matches a virus.
IF YOU THINK YOU HAVE A FALSE ALARM, PLEASE
NOTIFY STILLER RESEARCH. WE WILL DETERMINE IF
A VIRUS IS PRESENT; IF IT IS A FALSE ALARM, WE WILL,
IF POSSIBLE, SEND A CORRECTED VERSION OF IM.
Some anti-virus programs contain unencrypted virus fragments that
IM may detect. It's usually safe to assume these programs are not
infected. Some of these programs also leave virus fragments in
memory that IM may then detect and announce as a memory resident
virus. Please do not take any chances in such a case and follow
IM's instructions to cold boot, even though it's likely to be a
false alarm.
If you have just read an infected disk or a file, there is a chance
that IM may detect a piece of this file in memory and announce a
resident virus when one really isn't resident. In such cases, it's
best to play it safe and cold boot from a write-protected diskette.
DESTROYING VIRUSES
If IM detects a known virus, it will display the steps to remove
the virus and offer to remove it automatically.
If IM detects program or system sector changes that may be due to
a virus, please follow these steps:
o Save at least one infected diskette or file and report this to
us. This will allow us to update IM to recognize this virus and
hopefully track down the source of the virus! See file
VIRREP.DOC for complete details.
o Cold boot your PC (power off and on) from a write-protected
floppy disk.
o Run an "Entire disk integrity" check, noting any changed programs
or other possible damage by the virus.
o You can allow IM to remove the virus or follow its directions to
remove the virus manually. Restore infected files from the
original program diskettes if possible.
o Reload your system sectors if they were damaged.
o Restore any damaged files or programs from the original diskettes
if possible.
o Very carefully check any floppies you've used. If you have
encountered a system sector virus, use the /VB command line option
to quickly scan your floppies.
o Run an "Entire disk integrity" check daily for a while.
DATA CORRUPTION
If a program changes a file by normal means, the file's time and
date stamp will be updated to reflect this change. On the other
hand, if a virus or a hardware or software problem causes a file to
be changed, there is often no change to the file's time and date
stamps. IM calls this file corruption and raises a special alarm if
it detects this. If you find a corrupted file, the odds are it's
NOT a virus. The most likely cause of corrupted files is software
conflicts. The next most common cause is hardware problems. In
any case, if you have a corrupted file, it's essential you find
what the cause is. In "Part Two - Data Integrity and Viruses", I
have a chapter titled Determining the Cause of Data Corruption.
Please read that chapter very carefully when you detect a corrupted
file. The next section describes using IM when you are having
suspected disk hardware problems.
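The Python code below shows why a content change with an unchanged time and date stamp is treated as corruption, and why a "quick update" can miss it while a full check does not. It is an added example, not IM's own code. Assumptions: SHA-256 stands in for IM's signatures, file size and timestamp stand in for the DOS directory information, and all function names and sample files are constructed.

```python
import hashlib
import os
import tempfile

T0 = 1_000_000_000  # constructed fixed timestamp, in seconds


def _digest(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def _walk(root):
    """Yield (relative_path, full_path, stat_result) for every file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full, os.stat(full)


def initialize(root):
    """Record (size, mtime_ns, sha256) per file: the stand-in for integrity data."""
    return {rel: (st.st_size, st.st_mtime_ns, _digest(full))
            for rel, full, st in _walk(root)}


def check(root, baseline, quick=False):
    """Compare root with baseline and return (findings, files_read).

    quick=True models "quick update": a file is read only if it is new or
    its size or timestamp differs from the recorded directory information.
    """
    findings, files_read, seen = {}, 0, set()
    for rel, full, st in _walk(root):
        seen.add(rel)
        old = baseline.get(rel)
        if quick and old is not None and (st.st_size, st.st_mtime_ns) == old[:2]:
            continue  # no sign of change: counted as processed, never read
        digest = _digest(full)
        files_read += 1
        if old is None:
            findings[rel] = "added"
        elif digest != old[2]:
            # Different content under the same timestamp is "corruption".
            findings[rel] = "corrupted" if st.st_mtime_ns == old[1] else "changed"
    for rel in baseline.keys() - seen:
        findings[rel] = "deleted"
    return findings, files_read


def _put(root, name, data, mtime):
    path = os.path.join(root, name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.utime(path, (mtime, mtime))


def demo():
    """Build a constructed sample tree, alter it, run a full and a quick check."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("EDIT.EXE", b"MZ edit v1"), ("FORMAT.COM", b"\xe9 format"),
                           ("README.TXT", b"notes"), ("OLD.BAT", b"echo old")]:
            _put(root, name, data, T0)
        baseline = initialize(root)
        _put(root, "EDIT.EXE", b"MZ edit v2 upgraded", T0 + 3600)  # normal update
        _put(root, "FORMAT.COM", b"\xe9 f0rmat", T0)  # same size, same timestamp
        _put(root, "NEW.COM", b"\xe9 new", T0 + 7200)  # added file
        os.remove(os.path.join(root, "OLD.BAT"))  # deleted file
        return check(root, baseline), check(root, baseline, quick=True)


if __name__ == "__main__":
    for label, (findings, read) in zip(("full", "quick"), demo()):
        print(label, "files read:", read, sorted(findings.items()))
```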
INTEGRITY MASTER AND DISK PROBLEMS
It's an unfortunate fact of life that all disk drives will
eventually fail; sometimes at the worst possible moment! Before
disk drives totally fail, they usually start exhibiting signs of
problems, such as inability to reliably read and write certain
areas on the disk. Unfortunately, these failures tend to be
intermittent. The result may be that you have damaged files, but
when you run your disk diagnostic software, no problems are found.
By using IM to do periodic full checks, you can detect these
problems when they first begin and prevent more major disk
problems, such as total failure, from taking you by surprise. If
you have an MFM, RLL, or ESDI type of disk drive you probably can
extend its life slightly by doing a low level format, or using a
product such as Steve Gibson's SpinRite(R) that can do a
nondestructive low level format. The key here is to detect disk
problems early before any serious damage is done.
IM replaces the DOS critical error handler with its own more
advanced routine. If a disk error occurs, you will see a warning
screen explaining what has happened, rather than the dreaded
"Abort, retry, or fail" message that DOS provides. IM may also
present a menu offering you additional options (depending upon the
type of error and the circumstances) such as repeating (retrying)
the operation.
If an error occurs while IM is checking files, it will report
either "Read fail" or "Open fail" in place of the normal signature
FSpec specifies the name of the parameter file to be used. It's best
to specify the disk and directory path as part of the filespec. For
example: use "IM C:\dos\NEW.PRM" rather than "IM NEW.PRM". If you
don't use this option, IM will search for file "IM.PRM", looking first
in the current directory, then in the directory with the IM program
(IM.EXE), and finally in the root directories of all available disks.
"/Dxyz" Change to disk "x", process and then change to disk "y", etc.
If used with more than one disk, this should be used with one of the
"/Cx" "/Ix" or "/Vx" parameters. You may also use the "/Dx:y:z:" form.
"/Ppath" Change to directory (and optionally disk). If you specify
a disk here, you can't also use the "/Dxyz" parameter. (e.g.
"/P\dos" or "/Pc:\dos")
"/1" Only "1 line" virus reports. Turns off the detailed virus
descriptions.
"/B" Bypass memory check.
"/F" Forces full integrity checking if quick update is set as the default.
"/H" (or /?) produces this help display.
"/NOB" No Beep. Disables sound.
"/NA" No Abort - disables the ESCape and ALT/X keys during checking
"/N" Nonstop: the same as setting "Halt" to "Serious problems" on the
Options menu. IM will stop only on viruses or serious problems.
"/NE" Stop on Emergencies only. This almost never stops.
"/ND" Stop on Emergencies only with no screen display (unattended exec)
"/Q" Forces IM to run in "Quick update" mode.
"/REPA" Report all. When scanning, IM lists all files scanned for viruses.
When initializing, IM lists all files processed on the report file.
"/MS#" You can use the command line /MS# option (or SetupIM) to
vary the sensitivity of IM to resident program configuration
changes. The sensitivity can be set from 0 to 9. 0 turns
the check off, and 9 provides maximum sensitivity to
changes. /MS4 is the default (and recommended) setting. /MS9 is
useful for researchers and on systems where there should
be no software changes at all.
"/RF=filespec" Writes the report to "filespec" (can include disk + path).
(The form /RF:filespec is also valid)
"/MF=XXXX.SRL" Specifies the file used by check "Resident programs