Text File | 1991-12-12 | 16KB | 403 lines
TBSCAN.HLP
This file is displayed when you use the -help option of TbScan.
This help is very comprehensive and does NOT replace the documentation!
Program invocation:
    TBSCAN [@][<path>][<filename>]... [<options>]...
Example:
    TBSCAN C:\ D:\
When no filename has been specified but only a drive and/or path,
then the specified path will be used as top-level path. All its
subdirectories will be processed too.
When a filename has been specified then only the specified path
will be searched. Subdirectories will not be processed.
Wildcards in the filename are allowed, although only executable
files will be processed. If you want the non-executables to be
processed too, then you have to specify the "-analyze" parameter in
combination with the filename. "TBSCAN TEST.DAT" on its own will never
process any file, because TEST.DAT is not an executable file.
In this case you have to specify the -analyze parameter.
You can also specify a list file to TbScan. A list file is
a file that contains a list of paths/filenames to be scanned.
Precede the file name with the character '@' on the TbScan command line:
    TBSCAN @TBSCAN.LST
Command line and environment options:
    -help,                   -h               = help (-? = short help)
    -info,                   -i               = display disassembly information
    -quick,                  -q               = quick scan
    -more,                   -m               = enable "More" prompt
    -mutant,                 -y               = enable fuzzy search
    -direct,                 -d               = direct calls into DOS/BIOS
    -analyze,                -a               = force analyze/all files
    -valid,                  -u               = force authorization
    -once,                   -o               = only once a day
    -compat,                 -c               = compatibility mode
    -nosnow,                 -t               = fast CGA output
    -noboot,                 -s               = skip bootsector
    -sector,                 +s               = scan all disk sectors
    -nomem,                  -r               = don't scan memory
    -allmem,                 +r               = scan for all viruses in memory
    -hma,                    +e               = scan HMA too
    -nohmem,                 -e               = don't scan UMB/HMA
    -nosub,                  -n               = don't scan in sub directories
    -sub,                    +n               = process sub directories
    -noavr,                  -j               = do not search for AVR modules
    -del[ete],               -z               = delete infected files
    -batch,                  -b               = don't ask keyboard input
    -repeat,                 -x               = scan multiple diskettes
    -loginfo,                -w               = log files with a lowercase warning too
    -logall,                 +w               = log all files unconditionally
    -log [<filename>],       +l [<filename>]  = append to log file
    -session [<filename>],   -l [<filename>]  = create session log file
    -data <filename>,        -f <filename>    = data file to be used
    -ren[ame] [<ext mask>],  +z [<ext mask>]  = rename infected files
-info
If you are an experienced user we recommend that you use this option.
If you do so, TbScan will display the most important warnings
with the complete pathname of the file concerned in the upper
window.
-quick
This option enables you to quickly scan the system. It is recommended
to invoke TbScan once a day without this option because this option
does not offer you the highest security. .OVL files and .SYS files
are skipped entirely since it is not likely that these files are
infected, memory scan is skipped, the scan frame is reduced to
2Kb instead of 4Kb, and TbScan does not fall back to the analyze
routine as often as usual. However, TbScan still detects 95% of the
viruses if this option is specified.
-more
When you enter the parameter -more TbScan will stop after it has
checked the contents of one display.
-mutant
If you use the -mutant option TbScan does not restrict itself to the
wildcard specification, but allows up to two extra changes anywhere
in the signature. False alarms may occur, so this option is
not recommended for a normal scan session. However, you
can use this option if you suspect the system is infected but TbScan
does not detect a virus. If you scan again with the -mutant
option and TbScan now reports many files to be "possibly infected"
with one virus, the files may be infected by
an unknown variant of that virus.
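The fuzzy search described for -mutant can be sketched as a wildcard signature match with a mismatch budget. This is an added example, not TbScan's own code: the signature notation (hex bytes, "??" as wildcard), the function names and the sample byte strings are assumptions constructed for illustration.

```python
# Added example: wildcard signature search with a mismatch budget.
# The notation (hex byte pairs, "??" = wildcard) is an assumption;
# TbScan's real signature file format is not described on this page.

def parse_signature(text):
    """Turn '11 22 ?? 33' into [0x11, 0x22, None, 0x33]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def find_signature(data, sig, max_changes=0):
    """Return (offset, changes) for every window of data that matches sig.

    Wildcard positions always match. Up to max_changes non-wildcard
    bytes may differ: 0 models a normal scan, 2 models -mutant.
    """
    hits = []
    for off in range(len(data) - len(sig) + 1):
        changes = 0
        for want, got in zip(sig, data[off:off + len(sig)]):
            if want is not None and want != got:
                changes += 1
                if changes > max_changes:
                    break           # budget exceeded, try the next offset
        else:
            hits.append((off, changes))
    return hits

def classify(data, sig):
    """'infected' on an exact hit, 'possibly infected' on a fuzzy-only hit."""
    if find_signature(data, sig, 0):
        return "infected"
    if find_signature(data, sig, 2):
        return "possibly infected"
    return "clean"

# Constructed, harmless byte strings (not a real virus signature).
SIG = parse_signature("11 22 ?? 33 44 55 66 77")
ORIGINAL = bytes.fromhex("00001122AB334455667700")
VARIANT = bytes.fromhex("00001122AB339955668800")   # two bytes changed
UNRELATED = bytes.fromhex("0102030405060708090A0B")
```

The shorter the signature, the larger the share of it that two free changes represent, which is why the fuzzy pass produces false alarms and is kept out of the normal scan.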
-direct
If you specify this option TbScan tries to determine the address
of the harddisk BIOS and the DOS kernel and uses that to communicate
directly with the system. Many stealth type viruses will be bypassed
by this. Note that resident software (like networks) will also be
bypassed, and it depends on the system whether this option can be
used or not.
-analyze
Normally TbScan only uses the analysis method when the program to
be checked is too complicated for the builtin interpreter. But
through option -analyze you can force TbScan to always use the analysis
or browse method. Keep in mind though that the program will
perform more slowly and that false alarms may occur. Therefore it
is recommended to refrain from this option while performing a
normal scan session. Since this option also disables the internal
disassembler of TbScan, most warning marks will not occur, and
the AVR modules will not be executed.
If you use the -analyze option in combination with an explicit
filename specification, TbScan scans ALL matching files for ALL
signatures. Needless to say, this combination is NOT
recommended due to its low performance and excessive amount of
false alarms. It is only provided to gain some compatibility with
other scanners.
-valid
TbScan checks the signature file for modifications. If you change
the contents of that file TbScan will issue a warning. If you
don't want the warning to be displayed, use the -valid option.
-once
If you specify this option TbScan "remembers" that it has been used
that day, and it will not run again that day if
you specify this option again. This option is very powerful if you
use it in your autoexec.bat file in combination with a list file,
like:
    TbScan @everyday.lst -once -rename
-compat
If you specify this option, TbScan tries to behave in a somewhat more
compatible way. Use this option if the program does not behave as
expected or hangs the machine. This option will slow down the scan
process so it should only be used when necessary. Note that this
option does not affect the results of a scan.
-nosnow
If you use TbScan on a machine with a CGA video system TbScan
avoids the occurrence of snow on the screen. This slows down the scan
process slightly and causes the display to flicker. If your CGA
system does not require special operations to avoid snow you can
specify the -nosnow option, resulting in a flicker-free screen and
an increased scan speed.
-noboot
If you specify this option TbScan will not scan the bootsector.
-sector
This option is experimental. This option enables the feature to
scan a disk at sector level. This way you can trace viruses that
reside outside the files and bootsector, and difficult stealth
viruses. This option might also tell you that a virus
resided on the machine at some point in the past. If this option detects a
signature it does not mean that the virus is still active.
Even if TbScan deleted the virus this option is still able to
detect the signature for a while. This option is absolutely NOT
recommended for a normal search.
-nomem
If you specify this option TbScan will not scan the memory of the
PC for viruses.
-allmem
If you specify this option TbScan will search for all viruses of
the signature file in the memory of your PC, regardless of the
virus type. This option is not recommended since the signature of
most viruses changes when the virus is resident in memory and the
virus will not be found by the file type signature. It may cause a
lot of false alarms and does not detect more viruses. It is provided
to maintain some compatibility with other scanners.
-hma
Use this option if TbScan does not recognize your HMA driver.
-nohmem
Use this option if you don't want TbScan to scan upper memory.
-nosub
By default TbScan searches subdirectories for executable files,
except when a filename (or wildcards) is specified. If you use
this option TbScan will never search in subdirectories.
-sub
If you use this option TbScan will always search in subdirectories,
even when you specify a filename or wildcards. Only subdirectories
matching the filename mask will be scanned too.
-noavr
If you specify this option TbScan will not search for AVR modules
(Algorithmic Virus Recognition modules; .AVR files) at startup and
will not perform any algorithmic searches.
-delete or -del
If TbScan detects a virus in a file it prompts the user to delete
or rename the infected file, or to continue. If you specify the
-delete option, TbScan will not ask the user what to do but just
deletes the infected file. Use this option only if you have already
found out that your system is infected, have a trusted
backup, and want to get rid of all infected files at once.
-batch
If TbScan detects a file virus it prompts the user to delete or
rename the infected file, or to continue. If you specify the -batch
option TbScan will always continue. This option is intended to be
used in a batch file that would be executed unattended. It is
highly recommended to use a log file in this situation.
-repeat
This option is very powerful if you want to check a large number of
diskettes. TbScan does not return to DOS after checking a disk, but
waits until you insert another disk in the drive.
-log
When you use this parameter, TbScan creates a LOG-file. The
default filename is TBSCAN.LOG and it will be created in the current
directory. You may optionally specify a path and filename. If the
log file already exists the information will not be overwritten but
instead appended to the file. If you use this option often it is
recommended to delete or truncate the log file every month to avoid
unlimited growth.
-session
This option is the same as the -log option, except that if there
already exists a log file the log information will be overwritten
instead of appended. A log file created by the -session option only
contains information of a single scanning session.
-loginfo
If you use a log file and want to log files with lowercase
(informative) warnings too you should specify this option.
-logall
If you use a log file and want to get all files listed in the log
file unconditionally you can use this option.
-data
You can override the default path and name of the signature file to
be used by specifying this option.
-rename or -ren
If TbScan detects a file virus it prompts the user to delete
or rename the infected file, or to continue. If you specify the
-rename option, TbScan will not ask the user what to do but just
renames the infected file. By default, the first character of the
file's extension will be replaced by the character "V". You can also
add a parameter to this option specifying the target extension. The
parameter should always contain 3 characters; question marks are
allowed. The default target extension is "V??".
The warning marks.
'R' Suspicious relocator.
The character 'R' warns of a suspicious relocator. A relocator is
a sequence of instructions that change the proportion of CS:IP. It
is often used by viruses, especially COM type infectors. Those
viruses have to relocate the CS:IP proportion because they are
compiled for a specific location in the executable file, and a
virus that infects another program can almost never use its
original location in the file (it is appended to the file). Normal
programs "know" their location in the executable file, so they
don't have to relocate themselves. On normal systems only a few
percent of the programs should cause this warning to be displayed.
Tests on a large collection of viruses show that TbScan issues
this warning for about 65% of all viruses. TbScan uses the "analyze"
or "browse" algorithm on programs which contain a suspicious
relocator.
'T' Invalid timestamp.
The timestamp of the program is invalid. The seconds of the
timestamp are illegal, or the date is illegal or later than the
year 2000. This is suspicious because many viruses set the
timestamp to an illegal value (like 62 seconds) to mark that they
have already infected the file, to prevent themselves from infecting
a file a second time.
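The 'T' check can be reproduced from the two 16-bit words a DOS (FAT) directory entry stores for a file's date and time; seconds are stored in 2-second units, so a raw field of 31 decodes to the "62 seconds" mentioned above. This is an added example, not TbScan's code: the function names are assumptions, and the year limit is a parameter because the page's year-2000 rule dates from 1991.

```python
import calendar

def decode_dos_stamp(date_word, time_word):
    """Split the two 16-bit FAT directory words into calendar fields."""
    return {
        "year": 1980 + (date_word >> 9),
        "month": (date_word >> 5) & 0x0F,
        "day": date_word & 0x1F,
        "hour": time_word >> 11,
        "minute": (time_word >> 5) & 0x3F,
        "second": (time_word & 0x1F) * 2,   # stored in 2-second units
    }

def timestamp_problems(date_word, time_word, max_year=2000):
    """Return the reasons a 'T' mark would be raised (empty list = valid)."""
    s = decode_dos_stamp(date_word, time_word)
    problems = []
    if s["second"] > 59:
        problems.append("seconds=%d" % s["second"])
    if not 1 <= s["month"] <= 12:
        problems.append("illegal date")
    elif not 1 <= s["day"] <= calendar.monthrange(s["year"], s["month"])[1]:
        problems.append("illegal date")
    if s["year"] > max_year:
        problems.append("year %d after %d" % (s["year"], max_year))
    return problems

def pack(y, mo, d, h, mi, sec):
    """Build (date_word, time_word) for constructed test stamps."""
    return ((y - 1980) << 9 | mo << 5 | d, h << 11 | mi << 5 | sec // 2)
```

With the default limit every file stamped after 2000 is flagged, so anyone applying this heuristic to modern files has to raise `max_year`.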
'!' Branch out of code.
The program has an entry point that is located outside the file's
body, or a chain of "jumps" traced to a location outside the
program file. The program being checked is probably damaged, and
cannot be executed.
'#' Decryptor code found.
The file possibly contains a self-decryption routine. Some
copy-protected software is encrypted so this warning may appear
for some of your files. But if this warning appears a lot, or in
combination with, for example, the T-warning, there could be a virus
involved! Many viruses encrypt themselves and cause this warning to
be displayed.
'D' Direct disk access.
This warning is displayed if the program being processed has
instructions near the entry-point to write to a disk directly. It
is normal that some disk related utilities cause this warning to be
displayed (like Undelete.Exe). As usual, if many of your files
(which have nothing to do with the disk) cause this warning to be
displayed your system might be infected by an unknown virus.
'N' Wrong name extension.
Name conflict. The program carries the extension .EXE but appears to
be a .COM file, or it has the extension .COM but has the internal layout
of an .EXE file. TbScan scans the file for both EXE and COM type
signatures.
'M' Memory resident code.
TbScan has found instruction sequences which could make the program
remain resident in memory or hook into important interrupts.
Almost all TSR (Terminate and Stay Resident) programs will trigger
this warning, because hooking into interrupts or remaining
resident belong to their normal behaviour. However if a lot of
normal programs (not intended to be a TSR) have this warning mark
it is suspicious. It is possible that the files are infected by a
virus that remains resident in memory. Note that this warning does
not appear for all TSR-programs, nor does it always mean that when
this warning appears the program is a TSR program.
'?' Inconsistent header.
The program being processed has an exe-header that does not reflect
the actual program layout. Many viruses do not update the exe-header
of an EXE file correctly after they have infected the file, so if
this warning appears a lot it seems you have a problem. You should
ignore this warning for the DOS SORT.EXE program.
'E' Read or open error.
The file could not be opened or read. This can be the result of an
error on the disk(ette), but the file could also be in use by
another task or network user. The file has not been scanned.
'J' Multiple jumps.
The program did not start at the program entry point, but the code
has jumped at least two times before reaching the final startup
code. This is rather strange for normal programs. If many files
cause this warning to be displayed you should investigate your
system thoroughly.
'p' Packed or compressed file.
The program is packed or compressed. This warning is quite normal.
Consult the manual for more information.
'w' Windows or OS/2 header.
The program can be or is intended to be used with Windows (or OS/2).
'h' Hidden or System file.
The file has the "Hidden" or the "System" file attribute set.
'i' Internal overlay.
The program being processed has additional data or code behind the
load-module as specified in the exe-header of the file. The
program might have internal overlay(s) or configuration information
appended behind the load-module of the EXE file.
'o' Odd stack pointer.
The EXE file being processed has an odd (instead of even) stack
offset. See in the manual how to correct the problem.
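Several of the marks above ('N', '!', 'i' and 'o') can be derived from the standard DOS MZ header alone. The following is an added example, not TbScan's code: the function names and the sample file are constructed for illustration, and the '!' check covers only the header's entry point, not the chain of jumps that TbScan also traces.

```python
import struct

def exe_marks(name, data):
    """Return the warning letters ('N', '!', 'i', 'o') raised for one file."""
    marks = set()
    is_mz = data[:2] in (b"MZ", b"ZM")
    ext = name.rsplit(".", 1)[-1].upper()
    if (ext == "EXE" and not is_mz) or (ext == "COM" and is_mz):
        marks.add("N")              # extension disagrees with internal layout
    if not is_mz or len(data) < 0x18:
        return marks
    # Eleven 16-bit header words that follow the 'MZ' magic.
    (last_page, pages, _relocs, hdr_paras, _min, _max,
     _ss, sp, _csum, ip, cs) = struct.unpack_from("<11H", data, 2)
    # Header + load module size as declared by the header.
    declared = pages * 512 - ((512 - last_page) if last_page else 0)
    # Entry point as a file offset; CS:IP is relative to the load module.
    entry = hdr_paras * 16 + ((cs * 16 + ip) & 0xFFFFF)
    if entry >= len(data):
        marks.add("!")              # entry point outside the file's body
    if len(data) > declared:
        marks.add("i")              # data or code behind the load module
    if sp & 1:
        marks.add("o")              # odd stack offset
    return marks

def make_exe(body, extra=b"", sp=0x0100, cs=0, ip=0):
    """Constructed sample: 32-byte MZ header + body + optional trailing bytes."""
    size = 32 + len(body)
    hdr = struct.pack("<2s11H", b"MZ", size % 512, (size + 511) // 512,
                      0, 2, 0, 0xFFFF, 0, sp, 0, ip, cs)
    return hdr.ljust(32, b"\0") + body + extra

BODY = b"\x90" * 64                 # constructed filler, not a real program
```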