ADVANCED DISKINFOSCOPE (ADinf)
(c) Dr. Dmitry Mostovoy, DialogueScience, Inc., Moscow, Russia

A Guide to Frequently Asked Questions
=====================================

Here are detailed answers to the questions our users most frequently ask about ADinf. Questions on the same topic have been merged and arranged by topic. The menu paths given below may not fully agree with those of earlier ADinf versions, as the answers refer to version 8.xx and later.

Can ADinf check a disk compressed with DoubleSpace, DriveSpace, SuperStor or Stacker?

Yes. A compressed drive is not read through the BIOS but through DOS Int 25h (absolute disk read), because the logical drive exists only inside the compressed volume and has no sectors of its own on the physical disk. For a SuperStor-compressed disk you must also tell ADinf not to check for new bad clusters (INFO UNDER CHECK -> BAD CLUSTERS -> DON'T CHECK).

As a programmer I naturally change many files on my disk every day. How can I tell ADinf to leave these legitimate modifications out of its report?

You can hide directories from ADinf's change reports. Choose INFO UNDER CHECK -> SKIP TREE, pick a drive from the on-screen panel, open its directory tree and mark the directories and subdirectories whose files change often. ADinf will then not report ordinary changes to a file under a marked directory. A change that looks suspicious is still reported: for example a file whose size or CRC has changed while its date and time stamp is unaltered, which is what a virus does when it restores the original time stamp after infecting the file. Marking a tree only suppresses the report; the files under it are still checked. Keep the skipped set as small as possible, and never put system directories or the ADinf directory itself in it.

What is ADinf Cure Module? If it is a curing module, is it better or worse than Virus Hunter and Doctor Web? Where can I buy it?

ADinf Cure Module is a curing companion that extends the capabilities of Advanced Diskinfoscope. It differs radically from the scanners Virus Hunter and Doctor Web: it removes known and as-yet-unknown viruses with equal efficacy. It maintains a small database with the information about every file on your disk that is needed to restore it. When ADinf detects a virus, the curing module can be used to remove it.
The database is updated automatically by ADinf whenever disk information changes in your system. The program was tested on a collection of 7000 infectors unknown to it and successfully removed 97 percent of them.

Scanners and ADinf Cure Module cannot be compared: each takes a different approach to the antivirus problem, and each ideally supplements the other. First, ADinf Cure Module removes about 97% of viruses, not all of them, although it can clean a computer of viruses that were unknown when it was written. Second, it is helpless on someone else's diskettes, since it needs the database of disk information that it built on your own machine. Scanners, on the contrary, use the traditional tactics: for every known attack they carry a counterattack, so they can remove only the viruses known to them and are helpless against new ones. It is therefore a good idea to have both on your machine.

What is the fast CRC that ADinf computes? When I modified a few bytes at the end of an executable file, ADinf ignored the change in FAST CRC mode. Why?

ADinf checks files in one of four modes: FAST CRC, CRC16, CRC32 and NO CRC. FAST CRC is computed over selected areas of an executable file, chosen according to the file's internal structure, rather than over the whole file. It is therefore best suited to COM and EXE files: a virus that infects such a file has to alter those areas, so FAST CRC detects the infection reliably without the cost of reading every byte. The price is that a change in other areas of the file, such as the few bytes you patched at the end, goes unnoticed by FAST CRC; only a change in size or date would reveal it. If you need to catch every modification, use CRC32 (for example in a personal table, see below), at the cost of a much longer check.

Why is ADinf very slow when checking a write-cached disk? Why does it hang on a cached disk?

ADinf checks a read-cached disk efficiently, but may fail on a write-cached disk, because ADinf and the cache driver both address the BIOS at the same time and this can cause conflicts. There are two ways to avoid them. The first is to disable write-caching before starting ADinf and turn it back on when the check is complete.
For instance, to exclude drives C and D from write-caching by SMARTDRV.EXE, use the command

    smartdrv C D

(a drive letter without a sign enables read-caching only) and to switch write-caching back on:

    smartdrv C+ D+

Alternatively, tell ADinf to access all drives except C: via Int 13h. Go to OPTIONS -> SETUP PARAMETERS -> DRIVE ACCESS TYPE, arrow to each drive letter and cycle the setting until Int 13h is selected for every drive other than C:; leave C: at its default. ADinf will then no longer conflict with the write cache, but virus detection on those drives is somewhat less reliable, because a read through the Int 13h vector can be intercepted by a resident stealth virus in a way that a direct call into the BIOS cannot.

ADinf version 9.00 or higher is fully compatible with the HyperDisk write cache version 4.50 or later; no problems arise with that utility any longer.

Can I put network drives under ADinf control?

Unfortunately not. ADinf checks a drive by reading it sector by sector, which is possible only for local drives.

Can ADinf run under MS Windows, Windows 95 and DESQview?

Yes. Under all three it scans the drives directly via the BIOS.

Can ADinf run under DR DOS, Novell DOS or Compaq DOS?

Yes, ADinf runs under DR DOS. ADinf recognises its environment by the DOS version number. If ADinf hangs under Novell DOS (version 7.0 or later), run it with the -r option. Use the same option under Compaq DOS or any other operating system that is not fully MS-DOS compatible.

What is the purpose of personal tables?

ADinf stores disk information in two kinds of tables, common and personal, which differ little in structure. A common table is saved in the root directory of the logical drive it describes; a personal table is saved in the directory where ADinf is installed, or in another directory of your choice. Common tables suit the regular check of a limited set of program files with particular extensions. Personal tables are better suited to in-depth checking: you may, for instance, select all file types on the disk and CRC32 as the CRC type. Such a check is all-inclusive, though time-consuming.
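The mechanisms described in the SKIP TREE, FAST CRC and personal-table answers above, as an added example in Python. This is not ADinf's code and its table format is not reproduced; in particular, the exact file areas that ADinf's FAST CRC covers are not documented here, so the choice of "MZ header plus 32 bytes at the entry point" (and, for a COM file, its first 32 bytes) is an assumption of this example. It keeps a table of size, time stamp and CRC per executable; compares two tables, suppressing ordinary changes under a skipped tree but still reporting a content change whose time stamp did not move, and any change to a file in the stable list; and infects a constructed MZ image in two ways to show what a fast CRC misses (a patch at the end of the file, the case the question asks about) and what it catches (a patch at the entry point). The file names, the extension list and the sample bytes are constructed for the demo.

```python
import os
import struct
import tempfile
import zlib

# Assumptions of this example, not ADinf's documented behaviour: controlled files end in .com
# or .exe, and the "fast" CRC covers the MZ header plus ENTRY_WINDOW bytes at the entry point.
CONTROLLED_EXTENSIONS = (".com", ".exe")
ENTRY_WINDOW = 32

def mz_entry_offset(data):
    """File offset of the first instruction of an MZ executable, or None if data is not an MZ file."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    e_cparhdr, = struct.unpack_from("<H", data, 0x08)    # header size in 16-byte paragraphs
    e_ip, e_cs = struct.unpack_from("<HH", data, 0x14)   # initial CS:IP, relative to the load module
    return e_cparhdr * 16 + e_cs * 16 + e_ip

def fast_crc(data):
    """CRC over the areas an appending file infector has to touch: the header and the entry point."""
    entry = mz_entry_offset(data)
    if entry is None:                                    # COM file: execution starts at byte 0
        region = data[:ENTRY_WINDOW]
    else:
        header_len = struct.unpack_from("<H", data, 0x08)[0] * 16
        region = data[:header_len] + data[entry:entry + ENTRY_WINDOW]
    return zlib.crc32(region) & 0xFFFFFFFF

def full_crc(data):                                      # what a personal table with CRC32 stores
    return zlib.crc32(data) & 0xFFFFFFFF

def snapshot(root, crc=fast_crc):
    """Table {relative path: (size, mtime_ns, crc)} for every controlled file under root."""
    table = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(CONTROLLED_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    data = f.read()
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                table[rel] = (len(data), os.stat(path).st_mtime_ns, crc(data))
    return table

def compare(old, new, skip_tree=(), stable_files=()):
    """Classify files as new, deleted, changed, skipped (ordinary change under a skipped tree) or suspicious."""
    report = {}
    for rel in sorted(set(old) | set(new)):
        if rel not in old or rel not in new:
            report[rel] = "new" if rel not in old else "deleted"
            continue
        old_size, old_mtime, old_crc = old[rel]
        new_size, new_mtime, new_crc = new[rel]
        if (old_size, old_crc) == (new_size, new_crc):
            continue                                     # nothing the table can see has changed
        if old_mtime == new_mtime or rel in stable_files:
            report[rel] = "suspicious"                   # content changed, time stamp put back (or a stable file)
        elif any(rel == d or rel.startswith(d + "/") for d in skip_tree):
            report[rel] = "skipped"
        else:
            report[rel] = "changed"
    return report

def build_mz(code, e_ip=0x10):
    """Constructed minimal MZ image: 32-byte header, then `code` as the load module, entry at 0000:e_ip."""
    total = 32 + len(code)
    header = struct.pack("<2s13H", b"MZ", total % 512, (total + 511) // 512, 0, 2,
                         0, 0xFFFF, 0, 0x100, 0, e_ip, 0, 0x1C, 0)
    return header + b"\0" * 4 + code

def write_file(root, rel, data, mtime_ns):
    path = os.path.join(root, *rel.split("/"))
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, ns=(mtime_ns, mtime_ns))

def demo(crc, infection):
    """Constructed scenario: SRC changes legitimately; CMD.EXE is infected in place ("tail" or "entry")
    with its size and time stamp unchanged, as a careful virus would leave it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "src"))
    t0 = 10**18                                          # arbitrary fixed time stamp, in nanoseconds
    clean = build_mz(bytes(range(64)))
    for rel, data in {"cmd.exe": clean, "src/tool.com": b"B" * 50, "src/lib.com": b"C" * 30}.items():
        write_file(root, rel, data, t0)
    old = snapshot(root, crc)
    write_file(root, "src/tool.com", b"B" * 60, t0 + 10**9)   # legitimate rebuild: new content, new time stamp
    image = bytearray(clean)
    if infection == "tail":
        image[-4:] = b"XXXX"                             # outside the header and the entry window
    else:
        entry = mz_entry_offset(image)
        image[entry:entry + 3] = b"\xE9\x00\x00"         # JMP rel16 written over the first instruction
    write_file(root, "cmd.exe", bytes(image), t0)        # infected in place, time stamp restored
    return compare(old, snapshot(root, crc), skip_tree=("src",))

if __name__ == "__main__":
    for crc, infection in [(fast_crc, "tail"), (full_crc, "tail"), (fast_crc, "entry")]:
        print(crc.__name__, infection, demo(crc, infection))
```

With the fast CRC the tail patch of CMD.EXE is invisible (size, time stamp and the hashed regions are all unchanged), while the full CRC32 reports it as suspicious and the entry-point patch is caught either way; the rebuilt TOOL.COM under SRC is only listed as skipped. The time-stamp heuristic is the reason the skip tree is safe to use at all: a change that also moved the time stamp is assumed to be the developer's own work, so a virus that does not bother to restore the time stamp is hidden by the skip tree, which is why a periodic CRC32 pass from a personal table is still worth running.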
I feel my machine is infected, but ADinf is silent. Can a virus dodge ADinf?

This is a common question, and there is only one answer to it. There is no panacea against PC virus infection, nor can there ever be one. ADinf appears to be the best virus detector available today, but bear in mind its capabilities and limitations. Let us examine the situations where ADinf may keep quiet.

First, if you installed ADinf on an already infected machine, it will not notice the virus, because it detects viruses through changes in file information, and in this case nothing changes after installation. If the virus hides its presence, i.e. you have a resident stealth virus in the machine, ADinf will still detect it if you run it in STEALTH SEARCH mode, which compares what the disk contains when read directly with what DOS reports. This mode is very useful; run ADinf in it from time to time.

Second, ADinf may fail to notice viruses written specifically to infect a file only at the moment it is created, so that ADinf never sees a clean copy of the file. If such viruses also hide themselves, you can trap them by running ADinf in STEALTH SEARCH mode. If they do NOT hide their presence, you can spot them with the naked eye: for example, you copy a file from drive A: to drive C: and notice that the copy has a different size from the source. You can detect such infectors with ADinf as follows. Write a batch file (call it TRAP) that copies several executable files, say, to a RAM drive and then copies them back from the RAM drive over the originals. Run TRAP before turning off your computer; when you start it next time, ADinf will report the resulting infections, if any. For greater reliability, put the files that TRAP copies into the STABLE FILES list (menu path OPTIONS -> SETUP PARAMETERS -> INFO UNDER CHECK -> STABLE FILES), so that any change to them is reported.

Third, ADinf permits many checks to be toggled off.
If, for example, you have switched off the check of the boot sector of drive C:, or deleted EXE from the list of controlled extensions, you may not notice virus-induced changes.

Finally, ADinf's aggressive detection strategy irritates virus writers, and one day you may well find a new virus written specifically to evade the copy of ADinf on your machine. Today there are already several viruses that try to delete files whose names begin with "ADIN". What these evil-mongers will do next, God alone knows. Keep a copy of ADinf and its tables on a write-protected diskette so that a virus cannot tamper with them.

What is disk access via BIOS, Int 13h and Int 25h?

When checking, ADinf reads the disk sector by sector and reconstructs the DOS file structure itself. Three methods are available for reading the sectors of a drive:

  - directly through the BIOS, i.e. calling the ROM BIOS disk service without going through the Int 13h interrupt vector, so that a driver or a resident virus that has hooked that vector cannot intercept the read;
  - through Interrupt 13h (Int 13h), i.e. through the vector, which is needed when a driver that legitimately hooks it (a disk manager, a memory manager in stealth mode) is the only way to reach the disk;
  - through DOS Interrupt 25h (Int 25h), the DOS absolute disk read, which is needed for logical drives that only a DOS driver can present, such as compressed disks.

The drive access type is specified by choosing OPTIONS -> SETUP PARAMETERS -> DRIVE ACCESS TYPE.

When and which drive access type should be chosen?

For an IDE disk partitioned with FDISK, ADinf uses BIOS as the access type. Access via Int 13h must be used in the following situations.

First case. Modern high-capacity disks have more than 1024 cylinders, the limit of the standard IBM AT BIOS. Present-day BIOSes and hard disks handle such disks by reducing the number of cylinders and increasing the number of sectors or heads accordingly (the translation mode that BIOS setup usually calls LBA or Large). If your BIOS does not provide this facility, you may have to use a special disk driver to use the full capacity of the disk, for example Disk Manager for IDE disks. ADinf recognises Disk Manager and automatically defaults to Int 13h as the access type. Several such drivers exist for SCSI disks; if you have a high-capacity SCSI disk, manually choose Int 13h in the DRIVE ACCESS TYPE box.

Second case.
In a machine running under QEMM in STEALTH mode, ADinf defaults to Int 13h as the DRIVE ACCESS TYPE, because direct access to the BIOS is not available to it there.

DRIVE ACCESS TYPE must be set to Int 25h for disks managed by special drivers, for example disk compressors. As a rule ADinf identifies such situations and automatically defaults to Int 25h. But if the drive letters of a compressed disk have been swapped, the access type must be set to Int 25h manually.

There are other situations where the user must specify the access type manually, for example if you have changed the standard sequence in which DOS assigns drive letters to disk partitions. DOS assigns drive letters in the following order (if a partition is missing, the remaining letters shift up accordingly):

  First hard disk:
    1st Primary DOS partition     C:   BIOS
    1st Extended DOS partition    E:   BIOS
    2nd Extended DOS partition    F:   BIOS
    3rd Extended DOS partition    G:   BIOS
    2nd Primary DOS partition     K:   BIOS
    3rd Primary DOS partition     L:   BIOS
  Second hard disk:
    1st Primary DOS partition     D:   BIOS
    1st Extended DOS partition    H:   BIOS
    2nd Extended DOS partition    I:   BIOS
    3rd Extended DOS partition    J:   BIOS
    2nd Primary DOS partition     M:   BIOS
    3rd Primary DOS partition     N:   BIOS

The right-hand column is the drive access type ADinf uses ("Extended DOS partition" here means a logical drive inside the extended partition). ADinf strictly assumes this standard sequence when matching letters to drives. The sequence may be violated in several cases; for the logical drives whose letters precede the first violation, ADinf uses BIOS as the access type and Int 25h for the remaining drives. Below is an example of such a situation. Suppose the second hard disk is an IDE disk with more than 1024 cylinders (without LBA) formatted by Disk Manager.
In this case the partitions receive drive letters as follows (the right-hand column again shows the drive access type):

  First hard disk:
    1st Primary DOS partition     C:   BIOS
    1st Extended DOS partition    D:   Int 25h
    2nd Extended DOS partition    E:   Int 25h
    3rd Extended DOS partition    F:   Int 25h
    2nd Primary DOS partition     G:   Int 25h
    3rd Primary DOS partition     H:   Int 25h
  Second hard disk:
    Only one DM partition         I:   Int 25h

One more example of a nonstandard configuration: interchange the hard disks of the previous example, so that the first hard disk is the large IDE disk partitioned by Disk Manager and the second an ordinary IDE disk. The access types must then be set as follows:

  First hard disk:
    Only one DM partition         C:   Int 13h
  Second hard disk:
    1st Primary DOS partition     D:   BIOS
    1st Extended DOS partition    E:   BIOS
    2nd Extended DOS partition    F:   BIOS
    3rd Extended DOS partition    G:   BIOS
    2nd Primary DOS partition     H:   BIOS
    3rd Primary DOS partition     I:   BIOS

What is the purpose of the -76 command-line option, which the User's Guide does not explain? On some computers ADinf hangs with the message "Opening the disk". What is the cause?

Int 76h is the hardware interrupt (IRQ 14) raised by the IDE controller on completion of every disk operation. There are stealth viruses that use this interrupt to hide their presence: they evade detection at the hardware level, using documented features of the IDE controller. To detect such viruses, ADinf intercepts and handles Int 76h itself. This independent handling may conflict with certain BIOSes or with special 32-bit IDE disk access drivers, and in that case ADinf hangs with the message "Opening the disk".
To prevent ADinf from intercepting Int 76h, run it with the -76 option, for example:

    C:\ADINF\Adinf.exe -a -b -d -76 -@C:\ADINF\ \list -lC:\ADINF\

If your system no longer hangs with this command line, please send the version of your BIOS (the eight-byte BIOS date string at address F000:FFF5) to DialogueScience, Inc., Moscow, Russia, so that the internal table of BIOS incompatibilities in ADinf can be amended and you can run ADinf without this option.

I installed ADinf version 10.06 on my network server, but I could not install ADinf Cure Module version 3.03. What is the reason?

To install ADinf on a LAN together with the curing module, ADinf Cure Module must be version 3.04 or higher. Likewise, the -home command-line option available in ADinf 10.06 requires ADinf Cure Module 3.04 or higher for the joint operation of ADinf and the Cure Module.

REFERENCES

DialogueScience, ADinf and Virus Hunter are registered trademarks of DialogueScience Inc., Moscow, Russia. DSAV is a trademark of DialogueScience Inc., Moscow, Russia. Sheriff is a registered trademark of FomSoft, Moscow, Russia. Other names are registered trademarks or trademarks of the respective companies.

* * *

DialogueScience, Inc.
Computing Center of the Russian Academy of Sciences
Office No 103a, House No 40, Vavilov street, 117967, Moscow, Russia
Tel.: (+7-095) 137-0150, 135-6253
Tel./Fax: 938-2970, 938-2855
FidoNet: 2:5020/69.4 (Dmitry Mostovoy)
E-mail: antivir@dials.ru (Sales and Support Department)
        dmost@dials.ru (ADinf author, Dmitry Mostovoy)