Text File | 1993-06-15 | 27KB | 901 lines
Thunderbyte resident virus scanner. (C) 1989-1993 Thunderbyte B.V.
Table of Contents
1. INTRODUCTION
    1.1. Purpose of TbScanX
    1.2. A Quick start
    1.3. Benefits
2. USAGE OF THE PROGRAM
    2.1. System requirements
    2.2. Program invocation
        2.2.1. Invocation in Config.Sys
        2.2.2. Invocation in network environment
        2.2.3. Invocation when using MS-Windows
    2.3. While scanning
    2.4. Detecting viruses
    2.5. Command line options
        2.5.1. help
        2.5.2. off
        2.5.3. on
        2.5.4. remove
        2.5.5. compat
        2.5.6. noexec
        2.5.7. allexec
        2.5.8. noboot
        2.5.9. secure
        2.5.10. lock
        2.5.11. ems
        2.5.12. xms
    2.6. Examples
    2.7. Error messages
3. CONSIDERATIONS AND RECOMMENDATIONS
    3.1. Solving incompatibility problems
    3.2. Reducing the memory requirements
    3.3. How many viruses does it detect?
4. APPLICATION INTERFACE
1. INTRODUCTION
1.1. Purpose of TbScanX
Many virus scanners have already been developed. The problem
with all these scanners is that you have to execute them. Suppose
you have the virus scanner automatically invoked in your
autoexec.bat file. If no viruses are found, your system is supposed
to be uninfected. But, to be sure that no virus can infect your
system, you have to run the scanner every time before you copy a
file to your harddisk, after downloading a file from a bulletin
board system, or after unarchiving an archive such as a ZIP file.
Be honest, do YOU actually invoke your scanner every time you
introduce a new file into the system? If you don't, you take the
risk that within a couple of hours all files are infected by a
virus...
TbScanX has a unique feature to overcome this tedious scanning.
Once invoked it will remain resident in memory, and AUTOMATICALLY
scan all files you execute and all executable files you copy,
create, download, modify, or unarchive!
The same approach is used to protect against bootsector viruses:
Every time you put a diskette into a drive the bootsector will be
scanned. If the disk is contaminated with a boot sector virus
TbScanX will warn you in time!
The amount of memory TbScanX requires depends on the number of
signatures. With all features enabled TbScanX uses 20Kb of memory
when scanning for 750 family signatures. If you enable swapping
TbScanX normally uses only 1Kb of memory. You can swap to EMS and
XMS memory. Of course the remaining kilobyte of TbScanX can be
loaded in upper memory.
1.2. A Quick start
Although we highly recommend a complete reading of this manual, here
are some directions for a quick run of TbScanX:
Load TbDriver first if it is not yet loaded. Type "TbDriver" and
press return.
To load TbScanX type "TbScanX" and press return.
The invocation syntax is:
TBSCANX [<options>]...
For fast online help type "TbScanX ?" or "TbScanX help".
1.3. Benefits
By now many different virus scanners have been developed. However,
TbScanX has a number of important and unique advantages over other
scanners. These are:
+ TbScanX is fully network compatible. It does not require you to
  reload the scanner after logging on to the network. Other
  resident anti-virus utilities force you to choose between
  protection before the network is started, or protection after
  the network is started, but not both.
+ TbScanX can display its messages in your local language.
+ As new viruses spread quickly there is often no time available
  to continually adapt your own virus checker in order to make it
  capable of recognizing each new virus as it appears. That is
  why TbScanX uses a separate data file listing the signatures of
  all known viruses. This file can be adapted quickly, possibly
  by yourself.
+ TbScanX offers other software a universal hook to scan data
  for viruses. If you are a programmer, you can instruct your
  programs to scan information read from disk for viruses before
  using the data.
+ TbScanX does not use much memory compared to other resident
  virus scanners. On almost every machine it should be possible
  to configure TbScanX so that it uses only 1Kb of memory. Of course
  you can also load this kilobyte into upper memory.
2. USAGE OF THE PROGRAM
2.1. System requirements
TbScanX runs perfectly on standard machines, in line with our
philosophy that there should be a limit to limitations.
+ TbScanX can be executed under DOS version 3.00 (and all later
  versions). However, DOS 5.0 or higher is recommended, since
  TbScanX has been optimized and designed primarily for use with
  these DOS versions.
+ TbScanX requires about 10 Kb of free memory to be invoked. If
  you enable swapping it does NOT require additional standard DOS
  memory to initialise itself. If you don't enable swapping the
  amount of memory depends on the number of signatures in the
  data file. TbScanX can handle up to approximately 2500
  signatures, depending on which swapping mode is used. Without
  swapping mode TbScanX can utilize up to 50Kb, when swapping to
  expanded memory 64Kb and when swapping to extended memory 50Kb.
2.2. Program invocation
It is recommended to invoke TbScanX automatically from within your
Config.Sys or Autoexec.Bat file. It is important to invoke TbScanX
as early as possible after the machine has booted. For that reason
it is possible to invoke TbScanX from within the Config.Sys file.
TbScanX requires TbDriver to be loaded first!
TbScanX is easy to use. The syntax is as follows:
TBSCANX [<options>]...
There are three possible ways to invoke TbScanX:
To invoke TbScanX from the DOS prompt or within the Autoexec.Bat
file:
    <path>TbScanX
To invoke TbScanX from the Config.Sys as a TSR (DOS 4+):
    Install=<path>TbScanX.Exe
To invoke TbScanX from the Config.Sys as a device driver:
    Device=<path>TbScanX.Exe
TbScanX should always work correctly after being started from
within the Autoexec.Bat. The "Install=" Config.Sys command is
NOT available in DOS 3.xx.
In addition to the three invocation possibilities DOS 5 users can
"highload" TbScanX in an UMB (upper memory block) if it is
available:
LoadHigh <path>TbScanX.Exe
Within the Config.Sys file TbScanX can also be loaded high:
DeviceHigh=<path>TbScanX.Exe
2.2.1. Invocation in Config.Sys
-> Invoking TbScanX as a device driver does not work in all OEM
versions of DOS. Try it; if it does not work, use the
"Install=" command or load TbScanX from within the Autoexec.Bat.
2.2.2. Invocation in network environment
-> Unlike other anti-virus products, the Thunderbyte anti-virus
utilities can be loaded before the network is started without
losing the protection after the network is started.
2.2.3. Invocation when using MS-Windows
-> Windows users should invoke TbScanX BEFORE starting Windows.
If you do that there is only one copy of TbScanX in memory, but
every DOS-window will nevertheless have a fully functional
TbScanX in it. TbScanX detects if Windows is starting up, and
will switch itself into multitasking mode if necessary. You can
even disable TbScanX in one window without affecting the
functionality in another window.
2.3. While scanning
Whenever a program tries to write to an executable file (files with
the extensions .COM and .EXE), you will briefly see the text
"*Scanning*" in the upper left corner of your screen. The text
remains visible as long as TbScanX is scanning. Since TbScanX takes
very little time to scan the file, the message will only appear
briefly.
The text "*Scanning*" will also appear if you execute a program
directly from a diskette, and if DOS accesses the bootsector of a
diskette drive.
2.4. Detecting viruses
If TbScanX detects a signature in data about to be written into a
file, a popup window will appear with the message:
    WARNING, <filename> contains <virus name>!
    Abort? (Y/n)
Press "N" to continue, press any other key to abort.
If TbScanX detects a signature in a boot sector, it will display the
message:
WARNING, Disk in <drive> contains <virus name>!
Press a key...
Although a virus seems to be on the bootsector of the specified
drive, the virus can not do anything since it has not been executed
yet. However, if you reboot the machine with the contaminated
diskette in the drive, the virus will copy itself to your harddisk.
To display the name of the virus, TbScanX needs the signature file
again. It will automatically use the signature file that was used
when you invoked the program. If the signature file is missing
(because you deleted it, or because you removed the floppy with
it), or no file handles are left, TbScanX will still detect
viruses, but it is no longer able to display the name of the virus.
It will display [Name unknown] instead.
2.5. Command line options
It is possible to specify options on the command line. The first
four options are always available; the other options are only
available if TbScanX is not already resident in memory.
    optionword   short   explanation
    ----------   -----   -------------------------------------
    help         ?       =display this helpscreen
    off          d       =disable scanning
    on           e       =enable scanning
    remove       r       =remove TbScanX from memory
    noexec       n       =never scan at execute
    allexec      a       =always scan at execute
    noboot       b       =do not scan bootsectors
    ems          me      =use expanded memory (EMS)
    xms          mx      =use extended memory (XMS)
    secure       s       =deny access without asking
    lock         l       =lock PC when virus detected
    compat       c       =increased compatibility
2.5.1. help (?)
If you specify this option TbScanX will show you the brief help as
shown above. Once TbScanX has been loaded the help option will not
show all options anymore.
2.5.2. off (d)
If you specify this option TbScanX will be disabled, but it will
remain in memory.
2.5.3. on (e)
If you use this option TbScanX will be activated again after you
disabled it with the 'off' option.
2.5.4. remove (r)
This option can be used to remove the resident part of TbScanX from
your memory. All memory used by TbScanX will be released.
Unfortunately, removing a TSR (like TbScanX) is not always
possible. TbScanX checks whether it is safe to remove the resident
part from memory; if it is not safe it just disables TbScanX. A TSR
can not be removed if another TSR is started after it. If this
happens with TbScanX it will completely disable itself. The
character device "SCANX" will also disappear.
2.5.5. compat (c)
In most systems TbScanX performs very well. It is however possible
that another TSR program conflicts with TbScanX. If the other TSR
is loaded first, TbScanX will normally detect the conflict and use
an alternate interrupt. If the other TSR is loaded after TbScanX,
and it aborts with a message telling you that it has already
been loaded, you can use the 'compat' switch of TbScanX (when
installing it in memory).
It is also possible that TbScanX conflicts with other EMS or XMS
using resident software. In this case the system will hang. Option
'compat' will solve this problem, but due to extensive memory
swapping the performance of TbScanX will slow down.
2.5.6. noexec (n)
TbScanX normally scans files located on removable media just before
they are executed. If you don't like that you can use this option
to disable this feature completely.
2.5.7. allexec (a)
TbScanX normally scans files to be executed only if they reside on
removable media. Files on the harddisk are trusted, because files
on the harddisk have to be copied or downloaded before they can
exist on your disk. And by that time TbScanX already scanned them
automatically. But if you would also like every file to be scanned
before it is executed, no matter whether it resides on harddisk or
removable media, you should use this option.
2.5.8. noboot (b)
TbScanX monitors the disk system: every time the bootsector is
being read, TbScanX automatically scans it for bootsector viruses.
If you change a disk, the first thing DOS has to do is read the
bootsector, otherwise it does not know what kind of disk is in the
drive. And as soon as DOS reads the bootsector, TbScanX checks it
for viruses. If you don't like this feature, or if it causes
problems, you can switch it off using the 'noboot' option. If
you specify this option TbScanX will also require less memory,
because the bootsector signatures will not be stored in memory.
2.5.9. secure (s)
TbScanX normally asks the user to continue or to cancel when it
detects a virus. In some business environments however this choice
should not be made by employees. By using option 'secure' it is no
longer possible to allow suspicious operations.
2.5.10. lock (l)
If you are a system operator, you can use this option to instruct
TbScanX to lock the system once a virus is detected.
2.5.11. ems (me)
If you specify this option TbScanX will use expanded memory (like
provided by LIM/EMS expansion boards or 80386 memory managers) to
store the signatures and part of its program code. Expanded memory
is allocated in 16Kb blocks. Since conventional memory is more
valuable to your programs than expanded memory, use of EMS
memory is recommended. TbScanX can use up to 64Kb of EMS memory.
2.5.12. xms (mx)
If you specify this option TbScanX will use extended memory to
store the signatures and part of its program code. An XMS driver
(like HIMEM.SYS) needs to be installed to be able to use this
option. XMS memory is not directly accessible from within DOS, so
every time TbScanX has to scan data it has to copy the signatures
to conventional memory. To be able to save the original memory
contents TbScanX needs twice the amount of XMS memory. Swapping to
XMS is slower than swapping to EMS memory, so if you have EMS
memory available swapping to EMS is recommended. It is possible
that swapping to XMS conflicts with some other software, so if you
experience problems try using TbScanX without the XMS option.
TbScanX can use about 2*50Kb of extended memory.
2.6. Examples:
Device=C:\utils\TbScanX.Exe C:\tb\TbScan.Dat xms noboot
2.7. Error messages
Error messages that might be displayed:
- TbDriver not active. Load TbDriver first!
    TbScanX needs TbDriver, so you have to load TbDriver first.
- TbDriver version is not <version>.
    The version of TbDriver found in memory does not match the
    version number of TbScanX. Make sure you do not mix version
    numbers!
- Not enough memory
    There is not enough free memory to process the data file. Try
    to enable swapping, or if you are already doing so, try another
    swapping mode. See also chapter "limitations".
- Data file not found.
    TbScanX has not been able to locate the data file.
- This version of TbScanX requires a <typeID> processor.
    You are using a processor optimized version of TbScanX and
    it can not be executed by the current processor.
3. CONSIDERATIONS AND RECOMMENDATIONS
3.1. Solving incompatibility problems.
Although TbScanX has been designed to cooperate with other resident
software, other software may not, causing system errors or worse.
The most common problems:
Problem:
    If TbScanX tries to display a message, the text 'message file
    <filename> could not be opened' appears.
Solution:
    Specify the FULL path and filename of the file that you will
    use as message file after the TbDriver invocation. The default
    filename is TbDriver.Lng
Problem:
    You are running a network. TbScanX is installed successfully,
    but it does not display the "*scanning*" message while
    accessing files. It also does not detect viruses.
Solution:
    Use the command 'TbDriver net' after the network has been
    loaded.
Problem:
    It is impossible to start a TSR after TbScanX has been loaded.
    The TSR software reports that it already has been loaded in
    memory, which is not true.
Solution:
    Use the 'compat' switch of TbScanX while loading it. The TSR
    and TbScanX are using the same multiplex interrupt call.
Problem:
    The system sometimes hangs when the message "*scanning*" is on
    the screen. The problem however is hard to reproduce.
Solution:
    Try using StackMan. StackMan is supplied in the TBAV package.
    If StackMan doesn't help, try TbScanX without option 'EMS' or
    'XMS'. If TbScanX now works without problems, add option 'EMS'
    or 'XMS' again along with option 'compat'.
    On some systems it is possible that the 'XMS' option of TbScanX
    can not be used at all. This is because the use of extended
    memory by resident software is not allowed on your system.
Problem:
    Everything works well, but as soon as I load a specific TSR the
    system hangs immediately after the TSR goes resident. The
    TbScanX option 'compat' does not solve the problem.
Solution:
    Use StackMan with the -dos option and try again.
3.2. Reducing the memory requirements.
Most PC users try to maintain as much free DOS memory as possible.
TbScanX is designed to use only a small amount of DOS memory. To
decrease the memory requirements of TbScanX even further, do the
following:
- Load TbScanX from within the Config.Sys file. If loaded as a
device driver TbScanX has no Program Segment Prefix (PSP),
and that saves 256 bytes.
- If you invoke TbScanX from within the Autoexec.Bat file do this
before establishing environment variables. DOS maintains a list
of environment variables for every resident program, so keep
this list small while installing TSRs. Once all TSRs are
installed you can define all environment variables without
affecting the memory requirements of the TSRs.
- Use swapping. By using one of the options 'ems' or 'xms'
TbScanX swaps itself to non-DOS memory, leaving only 1 Kb of
code in DOS memory. Swapping to expanded memory ('ems') is
preferred.
- If you have DOS 5 or higher try to load TbScanX into an upper
memory block using the "loadhigh" or "devicehigh" commands. It
is recommended to enable swapping also to limit the usage of
upper memory. A "hole" of 10Kb should be sufficient to load
TbScanX into upper memory while using option 'ems'. If you
don't use swapping TbScanX also needs memory to store the
signatures. If you enable XMS swapping TbScanX needs to build
the data structures in normal memory before copying them to
XMS. This causes TbScanX to require additional memory at
initialization time.
- Use one of the processor specific versions of TbScanX. They all
consume less memory than the generic version of TbScanX.
Processor optimized versions are available on any Thunderbyte
support BBS.
- To minimize the signature data, consider specifying the
'noboot' option. In this case TbScanX does not maintain data for
bootsector viruses.
3.3. How many viruses does it detect?
Some people think that TbScanX recognizes only 750 viruses, based
upon the fact that the signature file contains only 750 signatures.
What they do not realise is that the signatures are family
signatures, which means that each signature covers many viruses.
For instance, our PLO/Jerusalem signature detects over 100 viruses
which are all related to the 'original' Jerusalem virus! Only one
(wildcarded) signature is needed by TbScanX to cover all these
mutants.
Some competing products treat each virus mutant as a separate
virus, and so claim to detect over 2000 viruses. However, TbScanX
detects even more viruses using 'only' 750 signatures.
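The C sketch below is an added example, not Thunderbyte's code or its signature file format. It shows how one wildcarded family signature matches two variants, and how a scanner that checks data as it is written can still match a signature that is split across two writes. The pattern encoding, the byte values, the family name and all function names are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WILD    0x100u  /* pattern element that matches any byte */
#define MAX_SIG 16      /* longest signature this sketch supports */
struct signature { const char *family; const uint16_t *pat; size_t len; };
/* Constructed pattern (assumption), not taken from any real signature file. */
static const uint16_t demo_pat[] = { 0x10, 0x20, WILD, 0x30, WILD, WILD, 0x40, 0x50 };
static const struct signature SIGS[] = { { "DEMO-FAMILY", demo_pat, 8 } };
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Bytes kept from earlier writes, so a match may straddle two writes. */
struct stream { uint8_t tail[MAX_SIG - 1]; size_t tail_len; };

/* Byte i of the virtual buffer "kept tail followed by the new chunk". */
static uint8_t byte_at(const struct stream *s, const uint8_t *chunk, size_t i)
{
    return i < s->tail_len ? s->tail[i] : chunk[i - s->tail_len];
}

/* Scan one written chunk; returns the family name of the first hit, else NULL. */
const char *stream_feed(struct stream *s, const uint8_t *chunk, size_t n)
{
    size_t total = s->tail_len + n, keep, i, j, k;
    const char *hit = NULL;
    uint8_t next[MAX_SIG - 1];
    for (k = 0; k < NSIGS && !hit; k++) {
        const struct signature *g = &SIGS[k];
        /* Only windows ending inside the new chunk; earlier ones were checked. */
        i = s->tail_len >= g->len ? s->tail_len - g->len + 1 : 0;
        for (; !hit && i + g->len <= total; i++) {
            for (j = 0; j < g->len; j++)
                if (g->pat[j] != WILD && g->pat[j] != byte_at(s, chunk, i + j))
                    break;
            if (j == g->len) hit = g->family;
        }
    }
    keep = total < MAX_SIG - 1 ? total : MAX_SIG - 1;  /* new tail length */
    for (j = 0; j < keep; j++) next[j] = byte_at(s, chunk, total - keep + j);
    memcpy(s->tail, next, keep);
    s->tail_len = keep;
    return hit;
}

/* Feed data in fixed-size writes, as a copy or unarchive operation would. */
const char *scan_in_chunks(const uint8_t *data, size_t n, size_t chunk)
{
    struct stream s = { {0}, 0 };
    const char *hit = NULL;
    size_t off;
    for (off = 0; chunk && off < n && !hit; off += chunk)
        hit = stream_feed(&s, data + off, n - off < chunk ? n - off : chunk);
    return hit;
}

/* Constructed "variants": same fixed bytes, different bytes in the wildcard slots. */
static const uint8_t VARIANT_A[] = { 0x90, 0x10, 0x20, 0xAA, 0x30, 0x01, 0x02, 0x40, 0x50, 0x90 };
static const uint8_t VARIANT_B[] = { 0x10, 0x20, 0xBB, 0x30, 0x77, 0x88, 0x40, 0x50 };
static const uint8_t CLEAN[]     = { 0x10, 0x20, 0xAA, 0x31, 0x01, 0x02, 0x40, 0x50 };

int main(void)
{
    printf("A, one write:     %s\n", scan_in_chunks(VARIANT_A, sizeof VARIANT_A, 64) ? "hit" : "clean");
    printf("B, 3-byte writes: %s\n", scan_in_chunks(VARIANT_B, sizeof VARIANT_B, 3) ? "hit" : "clean");
    printf("clean data:       %s\n", scan_in_chunks(CLEAN, sizeof CLEAN, 3) ? "hit" : "clean");
    return 0;
}
```

Without the kept tail, the 3-byte writes of the second variant would each be scanned alone and the signature would never be seen whole.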
4. APPLICATION INTERFACE
If you are a software developer you can use TbScanX to check data
for viruses. A program can perform a self-check as soon as it is
invoked by sending its code to TbScanX.
The interface consists of some multiplex calls (int 2Fh). Register
AH should contain CAh. Register AL contains the function request
number.
On the Thunderbyte support BBS you will find additional information,
examples and libraries.
Supported function requests:
AL=0  InstallationCheck
      Return value:
          AL=0    TbScanX not installed
          AL=FFh  TbScanX installed
          If BX was 'TB' then it is now changed into 'tb'.
AL=1  GetStatus
      Return value:
          AH      Version number TbScanX in BCD. (CAh if version < 2.2)
          AL=0    TbScanX disabled
          AL=1    TbScanX enabled
          BX      Segment swap area. Zero if not swapped.
          CX      Number of signatures that will be searched.
          DX      EMS_Handle. -1 if no expanded memory in use.
                  If DX is not equal to -1 but BX contains zero then
                  TbScanX uses XMS swapping. DX contains the XMS handle
                  in that case.
AL=2  SetStatus
          BL=0    Disable TbScanX
          BL=1    Enable TbScanX
      Return value:
          NONE
AL=4  ScanFile
          DS:DX   Name of the program file to be scanned.
      Return value:
          Carry flag not set:  No signature found in file.
          Carry flag set:      Signature found in buffer!
                               ES:BX  ASCIIZ-name of virus (null terminated)
      Registers altered:
          AX,BX,CX,DX,ES
Assembler example:
        mov     ah,0CAh         ;Multiplex number
        mov     al,0            ;Function 0: InstallationCheck
        int     02Fh            ;Installation check
        cmp     al,0FFh         ;If AL=FFh TbScanX has been installed.
        jne     notinstalled    ;Else TbScanX has not been installed.
        lea     dx,filename     ;DS:DX = name of the file to be scanned.
        mov     ah,0CAh         ;Multiplex number
        mov     al,4            ;Function 4: ScanFile
        int     02Fh            ;ScanFile
        jnc     notinfected     ;No carry? Then no virus found!
        call    print           ;Virus found. Print name ES:BX
                                ;(print is the caller's own routine)
notinfected:
notinstalled:                   ;No scan was done if TbScanX is absent.
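As an added example (not part of the original manual or of the Thunderbyte libraries), this C function interprets the registers returned by GetStatus according to the rules listed above, including how BX and DX together distinguish EMS swapping from XMS swapping. It assumes the BCD version byte holds one digit per nibble; all names and the sample register values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

enum swap_mode { SWAP_NONE, SWAP_EMS, SWAP_XMS };

struct tbscanx_status {
    int version_known;      /* 0 when AH came back as CAh (version < 2.2) */
    unsigned major, minor;  /* ASSUMPTION: one BCD digit per nibble of AH */
    int enabled;            /* AL: 1 = enabled, 0 = disabled */
    enum swap_mode swap;
    uint16_t swap_segment;  /* BX: zero if not swapped */
    uint16_t handle;        /* DX: EMS or XMS handle, FFFFh (-1) if none */
    uint16_t signatures;    /* CX: number of signatures searched */
};

/* Returns 0 on success, -1 for register values the manual does not describe. */
int decode_getstatus(uint16_t ax, uint16_t bx, uint16_t cx, uint16_t dx,
                     struct tbscanx_status *st)
{
    uint8_t ah = (uint8_t)(ax >> 8), al = (uint8_t)(ax & 0xFF);

    if (al > 1)
        return -1;                          /* only AL=0 and AL=1 are defined */
    st->enabled = al;

    st->version_known = (ah != 0xCA);       /* CAh: older than 2.2 */
    st->major = st->minor = 0;
    if (st->version_known) {
        if ((ah >> 4) > 9 || (ah & 0x0F) > 9)
            return -1;                      /* not valid BCD */
        st->major = ah >> 4;
        st->minor = ah & 0x0F;
    }

    st->signatures = cx;
    st->swap_segment = bx;
    st->handle = dx;
    if (bx == 0 && dx == 0xFFFF)
        st->swap = SWAP_NONE;               /* resident, not swapped */
    else if (bx == 0)
        st->swap = SWAP_XMS;                /* handle but no swap segment */
    else if (dx != 0xFFFF)
        st->swap = SWAP_EMS;                /* swap segment plus EMS handle */
    else
        return -1;                          /* segment without a handle */
    return 0;
}

int main(void)
{
    struct tbscanx_status st;
    /* Constructed register values: AX=6001h BX=E000h CX=750 DX=0001h */
    if (decode_getstatus(0x6001, 0xE000, 750, 0x0001, &st) == 0)
        printf("v%u.%u %s, %u signatures, swap=%d\n", st.major, st.minor,
               st.enabled ? "enabled" : "disabled",
               (unsigned)st.signatures, (int)st.swap);
    return 0;
}
```

Decode the registers only after InstallationCheck has returned AL=FFh, as the assembler example does.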