General notes for TbScan and TbScanX ------------------------------------ TbScan(X) does not mean TurBo-SCAN as some users assume, but stands for Thunderbyte Scan. TbScan and TbScanX are supplied on the Thunderbyte disk which makes part of the Thunderbyte hardware PC Immunizer package. If you loaded TbScanX in video-memory it is possible that TbScan detects signatures in upper memory. TbScanX does not always scramble the signatures to gain some speed when it is using (slow) video-memory or expanded memory. Due to safety routines in the TbScan(X) programs, it can not be compressed with programs like PkLite, LzExe, or Diet. This is not very painfull after all because the files aren't that big! TbScan and TbScanX both need a signature file TBSCAN.DAT or VIRUSSIG.DAT. Because these files are updated a lot, they are not supplied with this package. Both of these files are available at Thunderbyte support BBS +31-85-212395 (2:280/200@fidonet) or at many other BBSs. Notes concerning TbScan ----------------------- Some users think that scanning for all viruses in all files is the best scanning method (by using "TBSCAN *.* -a +n"). This is not true: It only increases the possibility of false alarms. It is not usefull to scan for bootsector viruses in .COM files or to scan for COM viruses in .EXE files. Use this option only when you already encountered a virus and want to make sure that you really destroyed all infected files. If you use the -analyze option, TbScan will issue less warnings. This is due to the fact that the -analyze option disables the code interpreter of TbScan. And the code interpreter is the routine that is able to detect suspicious code. The -analyze option converts the scanner to a normal, conventional (but also very fast) scanner. If you run TbScan AFTER you executed another scanner, it is possible that TbScan finds signatures of viruses in memory. This does not mean that you have a virus, but is caused by the fact that TbScan detects the search-signatures left in memory by the other virusscanner. If you have a disk caching system it is recommended to disable the cacher, because TbScan will be faster in that case. While TbScan is scanning, the cacher keeps trying to determine what is going on, storing megabytes of data in its buffers, but TbScan will read every byte only once, and all clock cycles spend by the cacher to maintain the data are completely lost! So, switch that cacher temporary off, it can speed up the operation of TbScan with up to 20 percent! Thunderbyte users who have a language file installed should download the most recent language file, because only the most recent language file contains the new texts of TbScan. Notes concerning TbScanX ------------------------ TbScanX is Windows 3.0 aware. It is recommended to load TbScanX BEFORE starting Windows (even in 386-enhanced-mode). TbScanX will not interfere with copies of it running in other DOS windows. It is even possible to disable TbScanX in one window while it is still enabled in another window. With other words, TbScanX maintains a separate data area for every DOS-window. If you use a local area network you should invoke TbScanX AFTER the network software. Otherwise, TbScanX will not be able to detect if a remote file is being created/opened. In that case TbScanX will only be functional for the local drives. Although TbScanX is very reliable, you should regulary use a normal transient scanner like TbScan, especially after an alarm of TbScanX. Some people think that we went mad to implement an option to switch TbScanX off, because viruses can switch off TbScanX too! But, it is not dangerous at all. TbScanX detects a virus as soon as it is copied to your system, or before it is being executed. At that time the virus did not have the opportunity to switch TbScanX off at all! Of course, after the virus becomes active (and you ignored the first TbScanX warning), the virus could switch off TbScanX or completely remove it from memory. This applies to all resident anti-virus software. If you want a real weapon against viruses that always survives a viral attack we recommend Thunderbyte... Notes concerning the format of the signature file ------------------------------------------------- The format of the signature file (also called data file) is covered completely in the manual on disk. However, there are more scanners using the same signature file (virscan.dat) as compiled by Jan Terpstra. Unfortunately, not all scanners use the same format. There is at least one scanner that has some extensions to the signature file. These extensions that will not be recognized by TbScan(X) are: - The virus type identifier "PART" or "MAIN". In my opinion viruses that infect only the partition table don't exist and will never exist. Why? Because floppy disks don't have a partition table and are therefore not suitable to carry such a virus. A virus programmer can be pretty sure that his/her victims never share and exchange their fixed disks, so his virus would not reach other systems. So we can conclude that viruses with the keyword PART should also have the keyword BOOT. Besides, there are many bootsector viruses that are capable of infecting partition tables too. The end result is that all signatures with the keyword PART should also have the keyword BOOT, and that viruses with the keyword BOOT should also be searched on the partition table, regardless of the keyword PART. Consider this and you will understand that in almost all cases the words BOOT and PART are functional equal. Even if a BOOT virus is not able to infect a partition table there is no reason why we shouldn't scan for it. There is only one partition table and it is only one disk sector in size, so scanning speed can not be the reason. Why then using two or even three synonymous keywords? I don't know, and I will not implement those keywords. - The virus type identifier "OVL". Only a few people know that the viruses that are able to infect overlay files do so by accident, because there are some linkers that create overlay files which are in reality a kind of normal EXE file, and these files are also treated that way by DOS. The virus "thinks" the file is a normal EXE file, and infects it. The result is that some viruses that infect EXE files are also able to infect some OVL files, it all depends fully on how their infection routine is triggered. In my opinion there are no viruses that will ONLY infect OVL files, because if they do so, they don't have much chance to spread and they will not survive. Besides, infecting these OVL file is the same process as infecting a EXE file, so why should the virus writer add a special routine to prevent EXE files for becoming infected by their virus? I don't know. The result is that the OVL keyword should always be paired with a EXE keyword, and that many EXE viruses can accidentially infect a OVL file. Consider this and you will understand that in almost all cases the words EXE and OVL are equal. And even if a virus would infect only OVL files it is not a real pain to search for those viruses in EXE files too! Anyway, unlike some other scanners, TbScan scans all OVL files automatically for all EXE viruses. Better safe than sorry! - The same story applies to SYS and BIN viruses. The only difference between SYS and BIN files are their extensions, their internal layout is exactly the same! For reasons beyond my comprehension, the author of That Other scanner defined two keywords for the same virus type! Can anybody explain me why it is not a good idea to search for a BIN marked virus in a SYS file? And if so, why did he omit the third synonym "DEV"? - The keyword PIF. I'm not a Windows expert, but I have my doubts whether a file with the extension PIF contains really any executable code. - The keyword UMB. The keywords LOW and UMB are actually the same, as I will explain below in "Notes concerning the scanning of memory". With the release of DOS 5.00 the keyword UMB becomes obsolete anyway. TbScan scans automatically the Upper Memory area for all viruses with the keyword LOW set. - The XOR brackets '{' and '}'. This "scrambling" technique in its pure appearance is so seldomly used and so subject to modifications (mutations!), that this detection scheme is almost useless. Note that these comments are not intended to anoy the author of "That Other scanner", nor to give you the impression that his product is less than mine. In fact, I'm surprised by the speed achieved by that scanner because it has been created with a high level programming language and is not very much slower compared to TbScan. I also borrowed some of the ideas implemented in that scanner. But I have to justify to the users of TbScan(X) why I don't implement these extensions to the data file. Defining a standard is always difficult, especially if the developers don't consult each other before introducing new extensions to the format of the shared input files. :-( Notes concerning the scanning of memory --------------------------------------- TbScan recognizes two types of memory signature: LOW memory and HIGH memory viruses. The keywords are choosen not very carefully: the keyword LOW means that the virus is a normal TSR-type virus which could reside in memory below TbScan, and in upper memory. Both locations are suitable for TSR-type viruses and TbScan will scan both areas for signatures with the keyword LOW set. The keyword HIGH is intended for boot sector viruses (that have to allocate their memory by decreasing the available memory value maintained by the BIOS) and by viruses that allocate memory by manipulating the DOS memory control block chain. Consider this layout: ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ 0Kb ³ ³ ³ Low memory. ³ ³ ³ LOW ³ TSR's are loaded here ³ ³ ³ ³ also TSR type viruses ³ ³ are loaded here. ³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³ ³ N/A ³ TbScan is executed here ³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³ ³ ³ ³ ³ Free memory ³ HIGH ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ End of DOS available memory ³ Top loaded software ³ HIGH ³ like MCB manipulators ³ ³ and some viruses reside ³ ³ in this area ³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ 640Kb limit ³ ³ ³ Video memory ³ ³ ROM's ³ ³ EMS page frames ³ LOW ³ and Upper memory ³ ³ TSR's (and also TSR type ³ ³ viruses) can reside here ³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³ System BIOS ³ LOW ³ ³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ 1Mb limit LOW ³ HMA ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Note that TbScan does not have a special keyword for Upper Memory Viruses. Viruses that are able to use Upper Memory should also be able to use normal LOW memory, because they can not rely that there is Upper Memory in every machine they will reach. Normal TSR-viruses on the other hand can be loaded in Upper Memory using an appropriate highloader as supplied with Qemm or even DOS 5.00. So "UMB-type viruses" are the same as LOW viruses! There is also no need to scan allocated pages of EMS. Viruses can never reside entirely in expanded memory. They should have at least a piece of code outside the EMS window, just to have access to the EMS driver to swap in the correct RAM-pages. By using that piece of code as the search signature also those (future?) viruses will be found, without the need to scan all EMS pages. Some users think it is usefull to scan the memory for all viruses using the -allmem (+r) option of TbScan. I think it is not a good idea, because memory signatures are not the same as disk signatures. There are many scrambled viruses, but in memory they reside unscrambled. The signatures for both instances of the same viruses could be totally different! The same applies to signatures that incorporate uninitialized data. In memory the data is used for some purpose, and the memory values are different. Searching memory for disk-specific signatures is likely to cause false alarms and the signatures will not match the memory image of the virus anyway.