Night Owl 6

home *** CD-ROM | disk | FTP | other *** search

/ Night Owl 6 / Night Owl's Shareware - PDSI-006 - Night Owl Corp (1990).iso / 008a / tbscan30.zip / TBSCAN.NEW < prev next >

Wrap

Text File | 1991-11-17 | 29KB | 684 lines

Update report of TBSCAN. 3.0 --- This upgrade has been released a few days after the release of TbScan 2.9. Although TbScan was beta-tested very well, it appears it had two bugs causing a few machines to hang. The first one has to do with the protection of TbScan which caused problems on machines with a NEC Vxx processor, the second with the detection of upper memory. Both problems are solved. TbScan now always searches for upper memory, even if no XMS driver has been installed. So even in XT's TbScan searches for memory above the DOS limit. This implies that video memory and EMS memory are always scanned in every machine. If you don't want to scan upper memory use the -nohmem switch. Since upper memory is always scanned by default, there is no need for the -highmem option anymore and it has been removed. New option added: -hma. This forces TbScan to scan the HMA even if there is no XMS driver detected. TbScan now restores the default screen color even if there is no ANSI driver installed. TbScan now forces the -compat switch if it detects Desqview. Format-error of TbScan.Doc fixed, compatibility error of Install.Bat fixed. 2.9 --- Major upgrade! Many little bugs solved, quirks removed, new features implemented, reliability boosted, screen lay-out changed, limits removed, manual rewritten. -> TBSCAN HAS BEEN CONVERTED TO AN EXE FILE!!! REMOVE YOUR OLD TBSCAN.COM! If you don't remove your old TbScan.Com, DOS will executed the .COM file instead of the new TbScan.EXE file! -> You have to run the batch file INSTALL.BAT to install TbScan. New key system developed. Previously registered users will receive a key file within a few days after this release. The differences between the current and previous version of TbScan are so numerous that it is recommended to reread the (also rewritten) manual. The Dutch manual has been removed, it takes too much time to keep two manuals up to date. TbScan is faster than ever! (about twice as fast as v2.8). - The analyzis method is about 50% faster! - "Checking" and "tracing" are about 10% faster. - Disk IO is 15% faster! Implemented internal cacher! - The "slowest" "Analyzis" scanning method is used less. - Screen IO (scrolling!) is at least 200% faster. - Internal DOS buffers will be optimized dynamically. - Added two new fast algorithms: "skipping" and "browsing". - Log file handling is now fully buffered. Screen lay-out changed! TbScan is now a fullscreen program. The screen is divided into two parts: a scan window and an info window. The info window shows the header of the signature file, and if TbScan detects infected files it will print them in that window with their complete path name. Also some important warnings are logged into the info window. The screen output is Desqview aware, CGA snow aware and "non-standard" screen dimensions aware. The -compat switch no longer disables the colors. New wonderfull feature added! There are some completely encrypted viruses which can not be detected by any signature. The only way to detect such viruses is by applying a special detection algorithm on the files. Instead of hardcoding these recognition algorithms we decided to make them external. Since it is not possible and even not desirable to define such an algorithm in any signature file language, the "Algorithmic-Virus-Detection" (AVR) modules contain the actual program code to detect the virus. The AVR modules will be supplied with future upgrades of the signature files. TbScan searches at program startup for .AVR files and links them dynamically into its code. Nice isn't it? Another new feature you will like is the -mutant option. If you specify this option TbScan will recognize mutants of a virus, even if no wildcards are used in the signature. TbScan now also searches for a virscan.dat file in its home directory. Fixed a bug that caused long wildcarded signatures like the Murphy virus family signature to be parsed incorrectly. Fixed a DMA-problem that occured with some older PC's when the -direct switch was specified. On some systems TbScan occasionally didn't succeed in reading some files. This is caused by some quirk in DOS redirectors. TbScan has been changed to operate on those systems without errors. The maximum number of signatures is no longer hardcoded. It is now dependant of the actual length of the signatures. The memory reserved for signatures should be enough for at least 2500 signatures. Note that the memory requirements don't increase when the number of signatures increases. The current memory requirements already incoporate the space needed to manage 2500 signatures. The size of the signature file is no longer limited to 64Kb. It may have any size. Disk IO speed has been increased. TbScan now disables temporary any disk cacher and installs a temporary new one. Why? Because disk cachers don't know that all data read by the scanner will be used only once, and therefore they waste many clockcycles by managing megabytes of data for no reason. On the other hand, while scanning, DOS needs the FAT and directory information a lot and only for these regions a cacher would be nice. The solution to this problem is to install a dedicated cacher that "knows" which data will be re-used and which will not. Only a built-in cacher is able to determine this. Now TbScan has one, and you will see how high its hit-rate is and how fast TbScan performs. You can test the performance of the internal cacher by using the -compat switch to disable internal caching. Internal caching will be disabled automatically if a disk error occurs or if a background task writes data to the disk. The readahead story above applies also to the DOS lookahead buffers: if you have specified the Y parameter of the DOS "BUFFERS=X,Y" command, TbScan will temporary disable the DOS lookahead buffers to increase the scanning speed. The cacher of TbScan has an internal lookahead algorithm which performs much better. I'm not better than Microsoft, but my algorithm is optimized for use with TbScan and that from Microsoft certainly not. Anyway, you can use the -compat switch to disable the BUFFERS override. Internal disassembler enhanced. TbScan now needs the "slowest" analyzis method less, without any reliability loss. This decreases the chances of false alarms, and has as positive side effect that TbScan performs a little faster again. Two new fast scanning algorithms added: "skipping" and "browsing". In analyze or browsing mode some warnings are now also enabled. Note that it is impossible to enable all warnings in analyze mode because some suspicious facts can only be detected while disassembling the file, which will not be done by those scanning techniques. Added some new warnings: - "Direct Disk IO" (D). - "Suspicious relocator" (R). - "multiple-jump" (J). - "memory resident code (M). - "internal-overlay" (i). - "inconsistent header" (?). - "odd stack offset" Enhanced the compressed file detector to detect also executable compressors developed according to new Microsoft DOS 5.0 standards. Enhanced the decryptor detection. False warnings will occur less, while detection capabilities have been increased. Enhanced the invalid filetime detector. Now also invalid minutes, hours, and dates are reported. The warning also occurs for dates above the year 2000. Changed the memory scanning to allow it to operate on systems with "slow" upper memory, and on PC's that generate a parity error when memory is tried to read that does not exists. Changed option -nowarn to disable "standard" (non-alarming) warnings only. Added option -? to get a short help (instead of a partial doc file). TbScan now handles the ctrl-break itself and disables the DOS Ctrl-break detection. This increases reliability and speed... Removed the TEXT search possibility (literal signatures). It isn't likely that ever a signature will be based on a text-string. Will anybody miss this feature? The maximum line length of the data file is increased to 132 bytes. The maximum length of the ASCII-HEX signature has also been increased to 132 bytes. Removed the -quiet option. Did anybody ever use it? Introduced the -quick option. If you specify this option TbScan runs in "turbo mode". In this mode TbScan skips .OV? and .SYS and .BIN files and does not take account for some rather theoretical possibilities. This mode is less secur, but excellent for the "after lunch" scan session since it still recognizes almost all of the viruses. TbScan now scans .BIN files for SYS viruses. As extra feature for virus researchers, TbScan also scans .BIN files for BOOT viruses. Many researchers archive bootsector viruses in .BIN files and TbScan can now be used to test the signatures. Removed the alternate language option which was used by Thunderbyte users. There are too many changes in this new version of TbScan to get translations for all foreign languages in a short period of time. 2.8 --- Implemented the "%" wildcard (variable amount of garbage bytes). Added the H warning for Hidden or System files. Changed the more prompt to process repons keys like Y and N. TbScan now always saves and restores the current directory. TbScan now uses colors! For people that don't like them: use option -compat to disable the colors. Modified the -direct option so that also the data file will be read by direct calls in DOS code. Fixed an error in the English documentation file, causing the -help option to operate incorrectly. Fixed a rare problem that could cause file open errors. Removed a bug that caused "integrity check failed" to be displayed when TbScan does not find its datafile. TbScan displayed some garbage if it found the datafile in its home directory. Solved. Some minor internal changes. 2.7 --- Added the "obsolete datafile" warning. TbScan now issues a warning if the signature file is older than three months (except if the -valid option has been specified). Enhanced the functionality of the -help option. If TbScan has access to TbScan.Doc it will extract a more detailed help from the manual. The -verbose option now displays zero again if the file is being analyzed. TbScan now preserves BP,DI and SI while using the BIOS screen routines. This should increase compatibility especially for older IBM type PC's. TbScan is now more network aware, and issues the E (open error) warning if it attempts to re-open a locked file. It does not cause an "Abort Retry Ignore" prompt anymore. Ctrl-break interrupt is now trapped, to avoid program termination in critical sections which could cause system hang. The Escape key is now no longer processed. Added the garble warning (#). If a program seems to carry a self- decrypting routine TbScan issues this warning. Nice for detecting unknown viruses! As a matter of fact, TbScan assumes that a program is infected by an unknown virus if the file carries a decrypting routine and has an invalid time stamp as well. This mechanism detects for example the Tequilla virus, although it is not listed in the data file. TbScan now displays a message if the integrity check fails, before returning to DOS. Implemented total disk scanning with option -sector. Consult the manual for more details. Enhanced the -direct option to perform even more reliable. Implemented nibble wildcards. Consult the manual for details. Improved signature file error detection. TbScan now displays the name and path of the signature file being used. Replaced the TESTVIR files with a TEST.DAT test-signature file. 2.6 --- TbScan 2.5 was supplied with only the Dutch manual. Sorry for that! Removed bugs related to the contents of the log file (missing carriage return and missing warning mark if the -quiet option was specified). Removed a bug related to the list file feature (@<filename>). TbScan now prints the elapsed time on the screen. 2.5 --- TbScan is no longer completely free-ware! Consult the manual for more information. Added the E (open error) and W (windows or OS/2 file) warning. TbScan will now put warnings into the log or session file. Added the -w (-nowarn) command line switch. If you use this switch warnings are not logged to the log or session file. Disabled the N-warning for overlays (OV?) with an exe-header. Overlays with an exe-header are still scanned for EXE type viruses. TbScan sometimes randomly thought that a .COM file was corrupted, which wasn't true, causing it to switch unnecessary into analyze mode. Solved. Signatures in the .DAT file may now contain spaces to increase the readability and to maintain compatibility with an other scanner. Updated the file TESTVIR.COM to match the new signature listed in the most recent signature file. When scanning memory, the range of the '**' wildcard has been limited to 32Kb instead of your entire memory. This avoids some false alarms. The memory is now scanned in 32Kb chunks instead of chunks of 64Kb. The range of the '**' wildcard is still unlimited when scanning files, because it offers a powerfull feature to scan for viruses that scatter themself all over a program file. Signatures beginning with 00 are now processed properly. TbScan is tested very carefully, and it detects ALL viruses when scanning in 'turbo'-mode, unlike some previous versions of TbScan which unfortunately only detected 97% of the viruses listed in the signature file. To avoid confusion, the revised scanning method is called "checking". The old (a little less reliable) scanning method "scanning" has been removed. The slower "analyze" method is used less, because the new "checking" algorithm is able to debug a file better. The analyze method is only used if the debugger is not completely sure. The result is that TbScan performs once again faster than ever... 2.4 --- The new string search algorithm has been enhanced even further, and TbScan is now 25% faster compared to TbScan 2.3! The speed increasement however is most noticable when checking files using the analyze method. Fully implemented the (until today) experimental "**" wildcard. This wildcard is used in the most recent signature file. For TbScan this wildcard means "skip an unlimited number of bytes". TbScan now prints warning marks while processing a file. The following warning marks might be printed: P Packed or compressed file. Also EXEPACKed files are detected. Note that TbScan does not recognize any special compressing package, it uses an universal way to detect whether a file has been compressed. Let me know if you have a compression technique it doesn't recognize. N Name conflict. The file has been named .EXE but seems to be a .COM file, or vice versa. TbScan will scan the file for both COM and EXE type signatures. T Invalid file time. Seconds are set on 60 or 62. Some viruses use this as an infection mark. A File seems to be an ASCII file. ! Entry point located outside file, or a chain of jumps traces outside the body of the file. Probably the file is seriously damaged and can not be executed. TbScan analyzes the file in this case. Enhanced the internal code interpreter. Tbscan needs the analyze mode less, and performs even more reliable. The minimum length of the code that should be "stable" has been increased. This finally solves the problem that TbScan did not find a few signatures. Fixed a screen color problem due to the direct screen write. Fixed also some other screen related minor problems. Fixed a bug in the command line parser. It didn't recognize the '+'sign anymore. 2.3 --- Major upgrade! You don't believe it, but just before I would release this new version I got a fantastic idea to eliminate almost all overhead involved with the scanning of data! Depending of the speed of your disk, TbScan is now approximately 30% faster!!! Almost all time involved with executing this scanner is due to disk access. One "disadvantage" is that TbScan now needs an additional 64Kb of memory. The total memory requirement of TbScan is now 192 Kb. Still not a limitation at all... Due to the new fast string search algorithm, it was not possible to optimize the routine any further for the 80386 processor. The special 80386 version of TbScan is therefore no longer available. New options added! Because TbScan already carried so much options, it became a little difficult to remember all those options. Now TbScan recognizes complete option words too! TbScan now displays a prompt if it finds a virus. You are prompted to rename or delete the infected file, or just continue scanning. You can also instruct TbScan on the command line to delete or rename the infected files. Of course it is still possible to run TbScan in unattended (batch) mode. Added the feature asked for by numerous people: "scan multiple diskettes". TbScan will automatically detect a disk change, so you can scan multiple diskettes without the need to press a key while changing disks. TbScan will now scan the HMA too. TbScan will now automatically scan the HMA and Upper Memory if present. Option -e now disables this feature, instead of enabling it! People complained that TbScan was not able to detect a very few viruses. I don't have those viruses, but I assume that the signatures are created for use with the (obsolete) virscan program. TbScan requires the signatures to be code within a distance of 2Kb of the virus entry point. To gain compatibility with the older signatures, TbScan will now scan a larger window of the files. This should solve the incompatibility problem with the older signatures. Added the -once option. It makes it possible to include TbScan in your autoexec.bat file to scan automatically some (all?) files once a day. If you boot more than once a day TbScan will exit immediately to DOS. TbScan writes now directly to the screen. The lack of speed of the video BIOS became a bottleneck! However, you can use the -compat switch to continue using the BIOS in the case it causes trouble. Increased the maximum number of viruses to 600. TbScan did not recognize the -u (-valid) option. Solved. TbScan is now again compatible with DOS 2.xx Fixed a bug in the header of the log file. 2.2 --- Added the possibility to use response files. Response files are files that contain a list of paths and/or filenames to be scanned. Prefix a filename with the character '@' and TbScan will consider it being a response file. Added the -e option. This option makes it possible to scan memory above the 640Kb barrier. Nice for detecting video-viruses or upper-memory- viruses. Added a processor type detector to the 386-version of TbScan. The -d option now detects upper RAM and will no longer consider it as being a DOS-ROM or Thunderbyte ROM. TbScan should now be able to determine the correct DOS entry point in machines with upper memory. The -d option now also works with DOS 5.00 and Dr-DOS. 2.1a ---- When using a .PRS file TbScan did not display the correct number of signatures. Fixed. 2.1 --- Fixed a bug introduced in version 2.0 that caused the bootsector from large DOS partitions not being scanned sometimes. Corrected a bug introduced in version 2.0 that caused TbScan to assume always that the number of screen rows is 25. TbScan now supports pre-parsed datafiles. You can create pre-parsed datafiles by using the -p [<filename>] switch. Added the experimental -o (optimize) switch. It can be used to merge signatures that are more than 75% equal. It was created as a test to enhance TbScanX (it saves memory), but it also increases the scan speed somewhat. I did not remove the option, so have fun with it! TbScan now finally destroys its internal data structures before terminating, so other scanners that will be invoked later on will not find the signatures left in memory by TbScan. 2.0 --- This release is a performance and safety upgrade. TbScan is now even 5% faster, due to branch optimization. Improved memory scanning. Now it is much faster! Enhanced the run-time debugger. TbScan now uses the slower analyzis methode less! This causes a big speed inprovement, especially when scanning compressed files (files compressed with PkLite or LzExe). The package now also contains TbScan.386 which is the special 80386 version of TbScan. If you have a 80386 processor in your PC, rename TbScan.386 to TbScan.COM. It is somewhat faster... TbScan now checks its memory image before scanning. If the internal CRC does not match it will not continue. Note that this safety check is not 100% proof. That is not possible. TbScan will also check some parts of the disk image to increase the safety. TbScan is now more difficult to hack. Some bad guys were making money from this free-ware scanner... The first one who succeeds to change the copyright notice of TbScan v2.0 will get a registration key for TbScanX for free! Added the signature file authorization check. Future signature files will be checksummed to make sure you have an unmodified copy of it. Signatures can still be added to the list manually if you want to. You can also override the authorization check with the new -U option... Added support for environment variable TBSCAN. You can use this variable to specify default options for TbScan (like a default signature file!). Corrected a small bug in the command line parser. The -f option now always works as expected. Corrected the bug that caused the machine to lock up after aborting TbScan with Ctrl-C or Escape. 1.9 --- Fixed a minor internal bug. 1.8 --- Fixed a bug introduced in v1.7 that caused the bootsector on the default disk to be scanned instead of the specified one. When scanning multiple paths the bootsector of each specified path will be scanned too. Added new commandline option -V (verbose). Use this option if you want to see the scan offset of all files. The number specified is the offset of the location in the file where the startup code of the executable file has been found. TBSCAN now also searches for hidden- and system files. Also hidden directories will be processed. Implemented the ** wildcard (skip an unlimited amount of garbage bytes). Added language file support, to be used with future versions of the Thunderbyte add-on card. 1.7 --- TBSCAN is now even 5% faster, due to an internal optimalization of register usage! Revision of commandline interface. New options added! Added the possibility to specify the name of the log file, log file append-mode, etc. It is now also possible to specify multiple scan paths like: TBSCAN c:\ d:\test c:\utils Look in the manual for more details, or type TBSCAN /H. The commandline interface is backwards compatible, the old syntax is still valid. 1.6 --- Minor upgrade. Removed some little bugs and optimized some code. This version is a little bit faster. Scanning all files for all viruses now also uses the fast string search algorithm. Added the announcement-sign. Lines beginning with a semi-colon followed by a percent sign are printed on the screen. A maximum of 15 lines of hot news in the signature file can be printed on the users screen. Changed the *-wildcard format. The hex character following the asterisk determines the EXACT number of bytes to be skipped, not the MAXIMUM number of bytes to be skipped. To skip a variable amount of garbage bytes specify also an asterisk instead of the length mark. See the manual for more details. TBSCAN processes now also overlay files. Overlay files are files with the extension OV?. Since overlay files can be infected by some EXE viruses, TBSCAN scans the overlay files for all signatures which have the EXE flag set. NEW!!! There is a shareware memory resident version of TBSCAN available. It is now one time supplied with this TBSCAN release. Future versions will be supplied seperately. File request TBSCANX, or download the file TBSCN10.ZIP manually from our BBS (31-85-212395), or register TBSCANX to get a fully functional version! NOTE: TBSCAN is still free-ware, if you sent us a register form, you register for TBSCANX, the memory resident version. 1.5 --- TBSCAN is faster than ever! By using a faster string search algorithm "scanning" and "tracing" are now more than twice as fast, and "analyzing" is four (!) times faster than ever!!! Amazing... TBSCAN now also bypasses all resident programs while reading the bootsector and partition table with the /D option enabled. This means that a virus can no longer fool TBSCAN by providing an unaltered copy of the bootsector / partition table. With other words, TBSCAN searches the BIOS entry point of the int 13h handler, and calls the BIOS directly, just as some nasty viruses do. For reasons of compatibility with another virus scanner, the *-wildcard is now also supported. The signature can now contain a variable amount of garbage bytes. See the manual for more details. The maximum number of signatures has been increased. Now up to 500 signatures can be processed. The maxmium size of the TBSCAN.DAT file has been increased and is now 64Kb. However, you can not increase limits without creating other ones: TBSCAN now needs 128Kb of free memory to operate properly. Still not a limitation at all... This release also contains many other small improvements and little bug fixes. TBSCAN.DAT is no longer supplied with the program files. Download VIRUSSIG.ZIP or TBVIRSIG.ZIP to get the most updated TBSCAN.DAT file. 1.4 --- Important upgrade! Modified the tracing mechanism so that also viruses that have their entry point at the end of the code are detected very well!!! Previous versions of TBSCAN where not able to detect some viruses like the Fish and Vacsina, except when the /A option was used. TBSCAN now supports filenames (or wildcards) in the search path. Now it is possible to inspect one specified file, or to inspect non-executable files. See the manual for detailed information. Fixed a bug that caused the results of the bootsector, partitiontable and memory scan to be recorded incorrect in the log file (only the name of the virus appeared). 1.3 --- TBSCAN now also checks the partition table for viruses. Previous versions did not, because there was no reliable way to determine whether the specified drive has a partition table. Now TBSCAN intercepts int 13 while reading the bootsector, and determines if the sector read by DOS is read from the first fixed disk in the system. If this is the case TBSCAN will also read the partition table. This ensures that TBSCAN will not screw up LAN's and other non-standard systems. By populair demand, the /V (verbose) option has been removed. Now TBSCAN will always print the scanned file on the screen, except when the /Q (Quiet) option has been specified. The /Q option has been added for those that don't want to see al their files scrolling over the screen. For backward compatibility, the /V option will be ignored and will not cause an error message. The log file has been improved. Now the date of the scan, the command line parameters, and the results are always inserted in the log file. 1.2 --- TBSCAN 1.1 was unable to read the bootsector if you use a dos 4 large disk partition (> 32Mb). It also failed to display the error message if it couldn't scan the bootsector. Both problems are solved. The /M option has been reversed. If you specify this parameter, you will get a more prompt. If you ommit the parameter, you will not. The usage of TBSCAN by numerous people learned us that the interpreter-mechanism is very reliable. So we removed the check of the last part of the executable file. This caused TBSCAN to be a lot faster, without loss of reliability. The scan process of TBSCAN can now be aborted by the user by pressing escape or Ctrl-C. 1.1 --- In version 1.0 the TBSCAN.DAT file will not be found if it is not in the current directory. Now the file will be searched in the home directory of TBSCAN.COM (Dos 3.0+). 1.0 --- Initial release of TBSCAN.