Shareware Overload

home *** CD-ROM | disk | FTP | other *** search

/ Shareware Overload / ShartewareOverload.cdr / utils / sentry.zip / SENTRY.DOC < prev next >

Wrap

Text File | 1989-04-11 | 8KB | 195 lines

SENTRY USER'S MANUAL HOW IT WORKS: SENTRY is a computer virus detection system that catches viruses that have entered your system. It uses a high reliability detection mechanism that monitors all system areas that are susceptible to viral attacks. If a virus does enter your system, SENTRY will identify the specific system area or program files that have been infected, so that virus removal is simplified. SENTRY executes in two phases. The initial install phase logs the system's hardware and software parameters - including the initial interrupt vector states, boot sector instructions, hidden DOS files, device drivers and all executable code on the hard disks. Initial load instructions, branch addresses, and other program states are also logged for each program on the hard disk. The subsequent check phase executes each time the system is powered on or re-booted, and it checks all system parameters for traces of infection. SENTRY is fully effective in detecting viruses, including boot sector infectors and imbedded viruses (viruses that the leave the infected program's size and external indicators unchanged). It provides a timely and near foolproof indication of infection. INSTALLATION: SENTRY must be installed on your bootable hard drive. If your system contains multiple hard drives, they may also be included in the SENTRY logging and monitoring function. To install SENTRY on a system with one hard drive (C:), type: STINSTAL C: SENTRY will load and then display a message that it is going to automatically re-boot the system. At this point, you must remove diskettes from the A drive and any other floppies that are in any drives. When the floppies have been removed, press any key to allow SENTRY to begin installation. If you have more than one hard drive in your system, you should include them in the installation by typing the drive designations after the boot drive. For example: INSTALL C: D: E: would install C: as the boot drive and also include D: and E: as drives to be logged and monitored for viral infections. The SENTRY installation will re-boot your system and then begin its logging function. It will create a log file called SENTRY.LOG and store it at the root of your boot disk. It will then install the SENTRY check routine at the root of your boot disk and include it as the first program in your autoexec.bat routine. SENTRY.COM MUST REMAIN THE FIRST INSTRUCTION IN YOUR AUTOEXEC IN ORDER TO OPERATE CORRECTLY. The SENTRY installation process may take 10 minutes or more for systems with large numbers of files - the daily check function however, will execute many times faster. After the installation has completed, the system's autoexec file will be re-executed in order to return the system to its state prior to installation. The SENTRY.log file will take approximately 10K of disk space plus 100 bytes for each executable program on the disks. RE-INSTALLATION SENTRY monitors the system each time the system is powered on or re-booted and checks for modifications to key system parameters. If the system has been purposely modified, SENTRY may flag the changed areas as possibly infected. The following system modifications will cause SENTRY to issue a warning: - Installing a new version of DOS - Removing or adding a device driver to CONFIG.SYS - Deleting a program - Replacing a program with a different version If any of the above have occurred, SENTRY should be re- installed. To re-install, follow the same instructions as for initial installation. The original SENTRY.LOG file will be replaced with the new log file containing the new system data. OPERATION The SENTRY check function compares the ongoing state of your system to the original "snapshot" state. A copyrighted algorithm checks ALL executable programs on your system for viral modifications. The algorithm is able to do this in a reasonable amount of time due to a selective logging function. This logging function logs only those segments of program code and other variables that would be affected by any virus attack. "Inert" sections of programs are removed from the checking process. SENTRY also checks the entire boot sector and all system interrupt routines for modifications. Finally, system device drivers and operating system hidden files are checked. The SENTRY check function executes each time the system is powered on or re-booted. If a discrepancy in any area of the system is noted, the check function will pause and display a message identifying the system area and the discrepancy. If no discrepancies are found, the check function will terminate with an OK message. The check function will require about 10 seconds for each 100 executable programs stored on your hard disk. IF A VIRUS IS FOUND Important: If any virus is discovered by SENTRY, first note the names of the infected programs or system areas. Then immediately power down the system. Re-boot the system from the original DOS distribution diskette prior to attempting to remove the virus. There are three general classes of PC viruses: Boot infectors, system infectors and program infectors. Each class of virus will typically affect different areas of the system and require different approaches to removal. Generally, viruses can be removed by deleting or overwriting the affected portion of the disk, and replacing the infected component. For program infectors (viruses that infect general .COM or .EXE files), this is a fairly simple process. SENTRY will identify each program that has been infected (program size, date, or internal components have changed). Simply erase the infected programs and replace them from the original distribution diskettes. Boot infectors replace or modify a disk's boot sector. SENTRY will identify an infected boot sector with a "Boot Sector Infection" message. This type of virus requires that the boot sector be replaced using the DOS "SYS" command. See your DOS manual for instructions for the SYS command. System infectors attach to COMMAND.COM, IBMBIO.COM, IBMDOS.COM or any installable device drivers. SENTRY will identify such viruses by naming one of the above files or by specifying that the system interrupt vectors have changed. To remove this type of virus, erase the affected files, then perform a SYS command as above. Finally, replace any affected device drivers. In all of the above cases, re-install SENTRY after virus removal. If SENTRY detects an infection, and you have any concerns or questions, contact InterPath at the number and address at the end of this document. EXTRA PRECAUTIONS To prevent any possibility of viral tampering with the SENTRY program and log file, you should copy the files SENTRY.COM and SENTRY.LOG from the root of your boot disk to a backup floppy immediately after installing SENTRY. Periodically (each month or so) you should copy these two files from the floppy back to the root of your boot disk. FOR ADVANCED USERS SENTRY defaults to a global scan a check of all system components. You may however, restrict its operation in a number of areas: Using the /s option: STINSTAL c: /s d:\temp, d:\masm, c:\prod This command string would install SENTRY so that it ignored all activities in the three directories named. Using the /i option: STINSTAL c: d: /i This command string would install SENTRY on drives D: and C: and would instruct SENTRY to ignore any modifications in the interrupt vectors caused by changes in the operating system environment. If you frequently modify your config.sys files, or change out system device drivers you may want to use this option. Using the /b option: STINSTAL c: /b This option tells SENTRY to ignore boot sector logging. You must use this option if running on a Zenith laptop. Using the /L option: STINSTALL c: /L a:frog.log This option creates a second log file.