InVircible HISTORY.TXT (from invb602b.zip, file dated 1995-07-09)
July, 1995
Product upgrade, 6.02A
----------------------
IVX major upgrade. New features were added to IVX, enabling automatic
signature extraction and signature scanning. IVX now creates its own
signature database from sampled files. Signature extraction is automatic
and requires no special skills; the signatures can then be used to scan
other files for their presence. IVX also accepts user-defined signatures
added to the database with an ASCII editor. An average user can now
easily generate a signature for a new virus and announce it on the net
or elsewhere, and IV users can scan for the presence of new viruses
announced on the net. These new features of IVX shorten the response
time to new virus alerts.
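The following Python sketch is an added illustration of the extract-then-scan
workflow described above; it is not IVX's code, and IVX's actual extraction
algorithm is not documented in this file. It takes byte sequences common to
every infected sample, discards any that also occur in a clean corpus (and any
low-information runs such as zero padding), writes the survivor to a plain-text
database that a user can also edit by hand, and scans other files for the
stored signatures. The 16-byte signature length, the "name=hex" entry format
and the sample files are assumptions constructed for the example. A fixed-byte
signature of this kind does not catch MtE-style polymorphic viruses, which is
what the statistical mode mentioned next is for.

```python
"""Automatic signature extraction from samples, then signature scanning.

Added illustration, not IVX's own code or algorithm. Bytes shared by every
sample of a virus, and found in no clean file, become a signature; the
signatures live in an editable text database and a scanner looks for them.
"""
from __future__ import annotations

import random

SIG_LEN = 16  # bytes per signature (assumed value for this example)


def common_substrings(samples: list[bytes], length: int) -> set[bytes]:
    """Every `length`-byte string that occurs in all samples."""
    def grams(data: bytes) -> set[bytes]:
        return {data[i:i + length] for i in range(len(data) - length + 1)}
    common = grams(samples[0]) if samples else set()
    for s in samples[1:]:
        common &= grams(s)
        if not common:
            break
    return common


def extract_signature(samples: list[bytes], clean: list[bytes],
                      length: int = SIG_LEN) -> bytes | None:
    """Most specific candidate: common to all samples, absent from every clean
    file, and not low-information (a run of padding would match everywhere)."""
    good = [c for c in common_substrings(samples, length)
            if len(set(c)) >= length // 2 and not any(c in f for f in clean)]
    if not good:
        return None
    return max(good, key=lambda c: (len(set(c)), c))   # deterministic choice


def serialize_db(db: dict[str, bytes]) -> str:
    """Plain-text database: one `name=hex` line per signature, `#` comments."""
    lines = ["# name=hex signature; edit with any ASCII editor"]
    lines += [f"{name}={sig.hex()}" for name, sig in sorted(db.items())]
    return "\n".join(lines) + "\n"


def parse_db(text: str) -> dict[str, bytes]:
    db: dict[str, bytes] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, hexsig = line.partition("=")
        db[name.strip()] = bytes.fromhex(hexsig.strip())
    return db


def scan(db: dict[str, bytes], data: bytes) -> list[str]:
    """Names of all signatures present in `data`."""
    return sorted(name for name, sig in db.items() if sig in data)


# ---- constructed demo data (arbitrary bytes, not real virus code) --------
_rng = random.Random(1995)
VIRUS_BODY = bytes.fromhex(
    "e800005d81ed0301b8213525cd218c060000890e02002ea30400b8f001cd21c3")
HOSTS = [bytes(_rng.randrange(256) for _ in range(200)) for _ in range(3)]
INFECTED = [h + VIRUS_BODY for h in HOSTS]          # same body appended to each host
CLEAN = [bytes(_rng.randrange(256) for _ in range(300)) for _ in range(3)]


def demo() -> tuple[bytes | None, list[str], list[str]]:
    sig = extract_signature(INFECTED, CLEAN)
    db = parse_db(serialize_db({"Sample.A": sig}))   # round trip through the text file
    db.update(parse_db("UserDefined=b44ccd21"))      # an entry a user typed in by hand
    hit = scan(db, b"\x90" * 32 + VIRUS_BODY)        # a new carrier of the same body
    miss = scan(db, CLEAN[0])
    return sig, hit, miss


if __name__ == "__main__":
    signature, hits, misses = demo()
    print("signature:", signature.hex() if signature else None)
    print("hits:", hits, "misses:", misses)
```

Extraction is only as good as the clean corpus: a candidate that happens to be
common library code will survive unless that code is represented among the
clean files, so the corpus should contain the kinds of programs the signature
will later be scanned against.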
The algorithm of IVX in statistical mode was refined and its detection
capability improved, especially against some of the more difficult
polymorphs, such as MtE viruses.
IVB daily test under Win 95, bug fix. In former versions, the IVB DAILY
test repeated itself on every boot when booting into Win 95's DOS. The
bug was traced to IVINIT and was fixed. IV 6.02A is compatible with Win
95 DOS.
IVB history file. The IVB.RPT file is overwritten each time a new report
is created. In a networked environment, the current daily report is now
appended to the IVB.HIS (history) file. This is implemented through the
AUTOEXEC file, by adding a couple of lines after the IVB DAILY command.
The INSTALL program adds the appropriate lines automatically when an
installation from a server is detected (or selected, in INSTALL's main
menu). To add this feature to an existing installation, add the
following lines to the autoexec, after IVB DAILY:
IF EXIST \IVB.RPT COPY \IVB.HIS+\IVB.RPT \IVB.HIS
IF EXIST \IVB.RPT DEL \IVB.RPT
Licensing for OS/2 and Win 95. In version 6.02, InVircible's license
reverted to Sentry when run in a Windows or OS/2 DOS shell. Version
6.02A fixes that problem. You will still need to run IV once in real DOS
to upgrade your license from a former version to 6.02A. This procedure
does not apply to new licensed users, since the license can be installed
to disk only in REAL DOS mode.
Detection of PKLITE'd droppers and Trojans. During the last year,
several droppers and Trojans were found that used PKLITE to conceal the
gen-1 file. Gen-1 is the designation of the first generation of a virus,
usually the one used to launch it. While scanners usually find the
offspring, the gen-1 file goes unsuspected, since it often isn't
recognized as a compressed file at all: the PKLITE marks were removed or
disguised. The most recent case using the PKLITE method is related to
the Big Caibua virus. Detection of potential droppers was added to
IVscan as the default. This feature should help SysOps and network
administrators keep their boards and systems clean.
Improved IVB signatures. Functional changes were made to improve IVB's
discrimination between viral changes and legitimate modification of a
program, as well as to improve the signatures' immunity to dedicated
virus attacks (for details read the attached SECURITY.TXT file). The new
signatures are no longer compatible with lower versions of IVB. To avoid
confusion, or the loss of the former database, the default filename of
the signature files was changed to IVB .NTZ. Note that there is a
trailing character 255 (it looks like a space, but it is not!) between
the IVB filename and the .NTZ extension.
Micro House boot driver awareness. IV version 6.01D was aware of the WD
large capacity IDE drives using the Disk Manager 6.03 dynamic boot
driver. Other brands such as Seagate use the Micro House boot driver for
their Decathlon models (540+ MB). In lower versions, IVinit indicated
that the partition was "faked". This was objectively true, but it did
not indicate the presence of a virus: what it detected was the stealth
used by the boot driver, since that is exactly how these drivers work.
These special boot programs load a driver during the boot process and
use stealth to protect their special MBR from being accidentally
overwritten, by FDISK/MBR for example. From version 6.02A, InVircible is
aware of the possibility that a Micro House boot driver or DM 6.03 is in
use.
No escape in Sentry mode. System administrators asked that Sentry users
be prevented from escaping IVB's daily full check, so the Esc key is now
ignored during the daily scan. Adding the /ESC switch to the command
line re-enables the Esc key when scanning daily. This change applies
only to the Sentry mode.
IVB exceptions list. There are instances when you may want to exclude a
file from IVB's list of files to process. IVB now has provisions to
exclude up to 5 filenames. Edit IVB.INI in the IVB.EXE directory with an
ASCII editor, or create a new file with that name if it doesn't exist
yet. Add a line for each file to exclude, as follows:
SKIP = EXCLUDE.BIN
The CMOS "Restore" option was removed from IVINIT in Sentry mode.
IVINIT bug fix. The errorlevel returned by IVINIT in case of a
suspicious finding should be 1, and 0 when no finding. Due to a bug in
former versions this wasn't always the case. The bug was fixed.
INSTALL/R bug fix. The rescue diskette procedure couldn't find the
SYS.COM (or SYS.EXE) file in the search path if the DOS directory
appeared after character 64 of the PATH environment string, and the
process aborted. The problem is now fixed.
Product upgrade, 6.02
---------------------
The major change in version 6.02 is the handling of large capacity IDE
drives. These drives appeared on the market in mid 1994 and they are
now quite common. Several enhancements to handle the large capacity IDE
were already introduced in version 6.01D. The new drives present
technical challenges in the area of disaster recovery and vulnerability
to boot and mbr viruses, that were unforeseen by both the drive's
producers, and the AV industry. Version 6.02 consolidates the former
enhancements and lays the grounds for further improvements, especially
in the disaster recovery area of these drives. Read also in UPGRADE.TXT
how to upgrade your licensed copy of InVircible.
Licensing of large capacity IDE. Installing the license record to a
large capacity IDE drive was impossible with earlier versions if the
Ontrack extended boot driver (DM 6.03+) was used. It could be done only
with a plain FDISK partition, using the LBA (logical block addressing)
option in the setup. Version 6.02 allows the licensing of these drives
too.
Version 6.02 consolidates changes done to the hardware access routines,
used in InVircible, to suit the newer fast access hard disks and boards
(100 mhz and higher). Hardware access is sensitive to timing, and new
industry standards were introduced in the last year. Therefore, we
recommend that InVircible copies earlier than 6.01D are upgraded.
Version 6.01B and 6.01C still have some slow routines that won't work
properly with the newer fast disks. Also, versions earlier than 6.01D
still have a routine that conflicts with a defect in design of some
older models of Maxtor hard drives. The problem has been identified by
NetZ Computing and acknowledged by Maxtor. From version 6.01D and on,
there should be no problem anymore, all models of Maxtor included. Yet,
if you have a large capacity IDE hard drive, we strongly recommend that
you upgrade to 6.02.
Bug fix in INSTALL. Some DOS variants are using SYS.EXE instead of
SYS.COM. In former versions, the procedure for preparing the rescue
diskette looked only for SYS.COM and refused the use of SYS.EXE. The
bug was fixed.
ResQdisk improvement: fixing the boot sector via DOS, the ResQdisk ^B
function. There are instances when the boot sector of hard drive #1 is
infected and cannot be accessed via the regular int 13h functions. Such
is the case with the newer large capacity IDE drives. The active
partition's boot sector can then be refreshed through the ^B key
combination. The ^B function operates on the boot sector the same way
FDISK/MBR does on the MBR: it refreshes the bootstrap code without
affecting the BPB data. The ^B function should only be used when booted
from the hard drive.
Temporary files handling, bug fix. Former versions of InVircible used a
couple of fixed names, SOFIA and \WRITEST, to perform certain tasks. If
a file named SOFIA was present in the current directory while any of the
IV self-protected modules was executed, that file was erased. The same
happened to a file named WRITEST in the root directory while IVinit or
IVtest ran. These routines slipped by, since no incident was reported
regarding them during the five years they were in use. Recently, an
incident was reported in which a file named SOFIA was erased while
executing an IV module. The routine responsible has therefore been
changed and fixed. InVircible now uses only unique names (not in use by
the user) for its temporary and bait files. Note that no files other
than those named SOFIA or \WRITEST were of any concern in former
versions.
Long pathname handling in networks, bug fix. Pathnames under DOS are
limited to 64 characters. Yet it is possible to create pathnames of up
to 255 characters (the maximum length allowed for strings), a condition
encountered on file servers. In such cases InVircible hung when scanning
a network file server containing directories with pathnames longer than
the DOS limit. The problem existed only in the sweeping programs: IVB,
IVscan, IVX and IVmenu. It is now possible to scan with IV's sweepers
(except IVmenu) across file structures that have directories with
pathnames longer than the DOS limit. The limitation in IVMENU remains as
before. The reason is that IVMENU allocates memory for keeping track of
up to 500 directories, with pathnames no longer than the 64-byte DOS
limit. We need some memory left for useful work other than showing the
user a nice directory tree. :-) With 255-character pathnames the same
memory would hold only 125 directories, which would be inadequate for
most users, who have more than 125 directories in a partition and fewer
than 500.
If you want to use IVMENU on file servers containing directories with
long pathnames, then use the network "map" function to define volumes
for sub-trees of the root, and then you can use IVMENU on the new
logical drive, as usual.
Product upgrade, 6.01D
----------------------
Improved installation procedure. The Installation of IV will now run
without needing to actually change the current directory. Just type the
full pathname of where IV's INSTALL program is.
Daily inspection for companion virus. The companion virus verification
was added to IVB, since IVB runs daily. The same routine is retained in
IVscan, for operational redundancy.
Keeping track of the last inspected drive. In former revisions of IV
there was need to manipulate the COMSPEC variable in order to keep
track of the last drive checked by IVB DAILY. Now, just issue the IVB
DAILY command and the tracking record will be updated, according to the
current environment settings. Only make sure to always run the DAILY
check from within the same environment shell. The last improvement is
especially useful to LAN administrators.
The user interface in ResQdisk was improved further. The newer features
were grouped in three menus: Edit (accessible by pressing ^E), Track Zero
maintenance (^Z) and Analyze sector (^A). Also, the new ^B function was
added. It refreshes the boot sector of drive C: while accessing the disk
via DOS instead of the BIOS, and is the equivalent of the SYS C: command.
The ^B function is helpful in removing boot sector viruses such as
Da'Boys, Boot-437, Form etc.
IVinit was enhanced to automatically invoke ResQdisk when needed. From
now on, most boot/MBR infectors can be handled right at startup.
Improved editing features in ResQdisk. Additional editing features were
added to ResQdisk. The sequence ^E ^F reads a file into the sector
clipboard, while ^E ^D drops the content of the displayed sector into a
file. The combination ^E ^Y decrypts an encrypted sector into the
clipboard and displays it on screen. The latter is especially useful for
the recovery of damaged hard drives, e.g. after the Monkey virus. It is
indispensable for rescuing hard drives lost to inappropriate
disinfection procedures, such as FDISK/MBR or inadequate antiviral
products. The above further improve ResQdisk as the best disaster
recovery and boot-antiviral utility.
Improved "track 0" maintenance features. ResQdisk is used in the rescue
diskette for backing up track zero of the hard disk to floppy and for
restoring track zero from file to the hard drive. The "track 0"
functions are now available on-line, with the visual inspection of
ResQdisk, in both SeeThru modes (backup only, recovery is always done
with SeeThru off). The track 0 functions are started by the ^Z keys
combination, followed by ^B for backup to file or ^R for restore from
file.
Either the Ctrl (^) or the Alt key can now be used for the editing and
the "track 0" functions. For on-line help press Alt+H while running the
ResQdisk program.
Making a rescue diskette for other than standard configurations. The
rescue diskette in the INSTALL program was improved to simplify the
preparation of a rescue diskette in configurations containing other
than Stacker, DoubleSpace or Disk Manager drivers. For details read in
the on-line documentation.
Improved resistance to IV-dedicated viruses. The first virus aimed at
"killing" IV's signatures has been reported, and a sample was analyzed
by NetZ. It is recommended that users change the default filename of the
signatures to one of their own choosing. The signature files are no
longer traceable as IV's and cannot be identified as such, provided you
don't leave them with the default name. The new signatures are fully
downward compatible with the former ones, and there is no action that a
user needs to take in this regard.
Random signatures' filename. When installing InVircible through
IVlogin, a random signatures' filename will be selected. IVLOGIN can be
used for standard installation with the default parameters. The random
signature filename will be implemented on first time installation only,
and with the default installation parameters only (to C:\IV).
Compatibility with large capacity IDE. IVTEST was corrected to ignore
the dynamic boot loader of large capacity IDE disks.
Revision 6.01c was compatible with only Ontrack's Disk Manager extended
bios drivers (XBIOS.OVL). The new revision is also compatible with
other brands, recently introduced into the market - e.g. Micro House.
Troubleshooting with IV. New text was added to the on-line help
regarding troubleshooting of problems with IV. There is guidance on how
to detect an IDE controller incompatible with your hard drive, as well
as disclaimers about a couple of hardware items: Promise hard drive
controllers with disk cache, and certain models of Maxtor hard drives.
Further improvement for use in networked environments. IVMENU, the
integrated menu shell, was upgraded to avoid conflicts in certain
Netware environments.
January, 1995
Product upgrade, InVircible 6.01C
---------------------------------
Improved performance in networked environments: Revision 6.01C has
further improvements for the operation of InVircible in networked
environments. All the scanning modules, IVB, IVscan and IVX, were
revised to avoid Novell Netware files. The verification of Netware files
under DOS created errors because of the special attributes of Netware's
system files. IV's current revision skips these files.
Updated manual: The use of IV in network environment, as well as the
strategy of how to disinfect the server and network are covered in a
new appendix, in the manual text.
Automatic IV version upgrades in network: IVLOGIN can now be used for
both the automatic installation of InVircible to workstations in a
networked environment, as well as the upgrading of an older IV version
to a newer one. IVLOGIN checks whether its own version is newer than
the current one installed on the hard drive. An older version will be
automatically replaced by a new one, by just invoking IVLOGIN. It is
recommended that the IVLOGIN command should always be included in the
users login script, in networks.
Improved piggybacking detection: Revision 6.01C has higher sensitivity
of piggybacking detection. The detection threshold has been lowered to
detect piggybacking within few affected files. The improved sensitivity
has no effect on speed since the loss in speed was compensated for with
a better search algorithm.
New "copy and paste" functions in ResQdisk: It is an advantage to have
editing capability for the master and boot sectors of the hard disk.
ResQdisk can now copy the content of a displayed sector to the clipboard
with the ^E ^R sequence, then paste it elsewhere by pressing ^E ^W. The
copy and paste functions are useful to recover from MBR and boot sector
viruses that relocate the original sector elsewhere, usually on track 0.
The copying and pasting of the original sector can be done under the
visual control of ResQdisk. The new functions can also be used to store
copies of the critical sectors (MBR and boot sectors) in the unused part
of track 0, usually from sector 2 to the last sector on the track. Avoid
using sectors 3 (used by Monkey), 7 (Stoned, Michelangelo), 8 (used by
Disk Manager - not a virus), 13 (NewBug), 17 (B1-NYB) and the last
sector (Quox and a few others).
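As an added illustration (not ResQdisk's code), the Python below models three
of the ResQdisk operations described in this history: the ^B refresh of a FAT
boot sector that replaces the bootstrap code but leaves the BPB alone (see the
6.02 and 6.01D notes), the FDISK/MBR-style refresh that leaves the partition
table alone, and choosing unused track-0 sectors for parking sector copies
while skipping the sectors listed above. Offsets are the standard DOS ones; the
sample MBR, boot sector and track image are constructed here, and the "clean"
bootstrap stub is a placeholder, not working boot code.

```python
"""Parse an MBR, refresh bootstrap code without disturbing the data it wraps,
and find unused track-0 sectors for copies of the critical sectors.

Added illustration, not ResQdisk's code. Offsets are standard DOS layout;
the sample disk images are constructed for this example.
"""
from __future__ import annotations

import struct

SECTOR = 512
FAT_BPB = slice(0x03, 0x3E)        # OEM name + BPB + extended BPB (FAT12/16)
MBR_TABLE = slice(0x1BE, 0x1FE)    # four 16-byte partition entries
SIGNATURE = b"\x55\xAA"
AVOID_SECTORS = {3, 7, 8, 13, 17}  # 1-based track-0 sectors named in the text


def parse_mbr(mbr: bytes) -> list[dict[str, int | bool]]:
    """Decode the partition table, skipping empty entries (type 0)."""
    if len(mbr) != SECTOR or mbr[0x1FE:] != SIGNATURE:
        raise ValueError("not an MBR: bad length or missing 55 AA")
    parts = []
    for i in range(4):
        flag, ptype, start_lba, size = struct.unpack_from(
            "<B3xB3xII", mbr, MBR_TABLE.start + 16 * i)
        if ptype:
            parts.append({"active": flag == 0x80, "type": ptype,
                          "start_lba": start_lba, "sectors": size})
    return parts


def active_partition(mbr: bytes) -> dict[str, int | bool]:
    act = [p for p in parse_mbr(mbr) if p["active"]]
    if len(act) != 1:
        raise ValueError(f"expected one active partition, found {len(act)}")
    return act[0]


def refresh_code(sector: bytes, new_code: bytes, keep: slice) -> bytes:
    """Rewrite a sector's bootstrap code, preserving the bytes in `keep` and the
    55 AA signature. `new_code` is laid out as if `keep` were absent: with
    keep=FAT_BPB its first 3 bytes become the jump at offset 0 and the rest
    lands at 0x3E (what SYS / ^B do); with keep=MBR_TABLE it fills 0..0x1BD
    (what FDISK/MBR does)."""
    if len(sector) != SECTOR or sector[0x1FE:] != SIGNATURE:
        raise ValueError("not a boot sector: bad length or missing 55 AA")
    room = 0x1FE - (keep.stop - keep.start)
    if len(new_code) > room:
        raise ValueError(f"bootstrap code too large: {len(new_code)} > {room}")
    code = new_code.ljust(room, b"\x00")
    return code[:keep.start] + sector[keep] + code[keep.start:] + SIGNATURE


def free_track0_sectors(track0: bytes, first_part_lba: int, spt: int) -> list[int]:
    """1-based sectors on track 0 safe for a sector copy: before the first
    partition, not the MBR (1), not the last sector on the track, not on the
    avoid list, and currently all zero (so nothing else is already there)."""
    reserved = min(spt, first_part_lba)
    free = []
    for s in range(2, reserved + 1):
        if s == spt or s in AVOID_SECTORS:
            continue
        body = track0[(s - 1) * SECTOR:s * SECTOR]
        if len(body) == SECTOR and not any(body):
            free.append(s)
    return free


# ---- constructed sample disk (values chosen for this example) -------------
def sample_mbr() -> bytes:
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xFE\x3F\x7F", 63, 0x20000)   # active FAT16 at LBA 63
    return bytes(446) + entry + bytes(48) + SIGNATURE


def sample_boot_sector() -> bytes:
    bpb = struct.pack("<HBHBHHBHHHII", 512, 4, 1, 2, 512, 0, 0xF8, 0x80, 63, 16, 63, 0x20000)
    ebpb = struct.pack("<BBBI11s8s", 0x80, 0, 0x29, 0x1234ABCD, b"NO NAME    ", b"FAT16   ")
    infected_code = b"\xCC" * (0x1FE - 0x3E)            # stands in for viral bootstrap code
    return b"\xEB\x3C\x90" + b"MSDOS5.0" + bpb + ebpb + infected_code + SIGNATURE


def demo() -> dict:
    mbr, boot, spt = sample_mbr(), sample_boot_sector(), 63
    track0 = bytearray(spt * SECTOR)
    track0[0:SECTOR] = mbr
    track0[7 * SECTOR:8 * SECTOR] = b"DM" * 256          # sector 8: Disk Manager data
    track0[19 * SECTOR:20 * SECTOR] = boot               # sector 20: an earlier sector copy
    clean_stub = b"\xEB\x3C\x90" + b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"  # placeholder code
    return {
        "active": active_partition(mbr),
        "boot_fixed": refresh_code(boot, clean_stub, FAT_BPB),
        "mbr_fixed": refresh_code(mbr, b"\x33\xC0\x8E\xD0\xBC\x00\x7C", MBR_TABLE),
        "free": free_track0_sectors(bytes(track0), active_partition(mbr)["start_lba"], spt),
    }


if __name__ == "__main__":
    r = demo()
    print("active partition:", r["active"])
    print("free track-0 sectors:", r["free"])
```

The MBR refresh is exactly the operation the 6.02A notes warn about: on a
drive using a Disk Manager or Micro House boot driver the "MBR" code is the
driver's loader, so blindly rewriting offsets 0..0x1BD breaks the disk even
though the partition table survives. Check what is in the bootstrap area
before refreshing it.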
December 1994
Product upgrade, InVircible 6.01B
---------------------------------
Installation of InVircible on networked PC: Revision 6.01B has an
additional file, IVLOGIN.EXE. As its name implies, its use is from the
user login script in networks. When a workstation connects to the
network, IVLOGIN verifies whether it has a hard drive, and if
InVircible is installed on that disk. If not, INSTALL/FAST is invoked
to install IV to the hard disk. The LAN administrator is required to
install IV to the server and add the IVLOGIN command to the user login
script. The rest is done automatically.
IVB upgrade: Some lame viruses infect *.SYS and *.OVL files if these
have an executable structure (usually an EXE one). Thus, *.SYS and *.OVL
files were added to IVB's coverage. These files are now secured by IVB
and can be recovered in case they get infected.
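The two file-shape checks mentioned in this history, flagging a *.SYS or *.OVL
that is really an EXE so the integrity checker covers it (above), and noticing a
PKLITE'd gen-1 dropper whose packer marks were stripped (see the 6.02A notes on
droppers), are illustrated together in this added Python example. It is not
IVB's or IVscan's code, and IVscan's real dropper heuristic is not described
here; the packed-file check is a generic entropy test on the MZ load module,
and the threshold and the sample files are constructed assumptions.

```python
"""Recognise EXE structure in files not named .EXE, and flag a load module
that looks compressed even though its packer marks are gone.

Added illustration, not IVB's or IVscan's code. The entropy cut-off and the
sample files are assumptions made for this example.
"""
from __future__ import annotations

import math
import random
import struct

MZ_HEADER_MIN = 0x20       # smallest header: e_cparhdr == 2
PACKED_ENTROPY = 7.2       # bits per byte; assumed cut-off for "looks packed"


def parse_mz(data: bytes) -> dict[str, int] | None:
    """Header fields bounding the load module, or None if `data` is not a
    consistent MZ executable (bad magic, or header claims more bytes than
    the file holds)."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    e_cblp, e_cp, e_crlc, e_cparhdr = struct.unpack_from("<4H", data, 2)
    # e_cp = 512-byte pages in the image; e_cblp = bytes used on the last page
    image_size = (e_cp - 1) * 512 + e_cblp if e_cblp else e_cp * 512
    header_size = e_cparhdr * 16
    if (e_cp == 0 or header_size < MZ_HEADER_MIN
            or header_size > image_size or image_size > len(data)):
        return None
    return {"header_size": header_size, "image_size": image_size,
            "relocations": e_crlc}


def covered_by_ivb(filename: str, data: bytes) -> bool:
    """Coverage rule from the changelog: *.SYS and *.OVL only when they carry
    an EXE (MZ) structure. *.EXE and *.COM are assumed always covered."""
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    if ext in ("EXE", "COM"):
        return True
    if ext in ("SYS", "OVL"):
        return parse_mz(data) is not None
    return False


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is uniformly random; plain x86 code and
    message text usually sit well below 7."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes) -> bool:
    """True for an MZ file whose load module is high-entropy. No packer text
    (the PKLITE marks) is consulted, so stripping or disguising it does not
    defeat the check. Legitimately compressed programs trip it too, which is
    why it flags a *potential* dropper rather than a virus."""
    hdr = parse_mz(data)
    if hdr is None:
        return False
    module = data[hdr["header_size"]:hdr["image_size"]]
    return len(module) >= 256 and shannon_entropy(module) > PACKED_ENTROPY


# ---- constructed sample files (not real drivers or malware) ---------------
def make_mz(module: bytes) -> bytes:
    """Wrap `module` in a minimal, self-consistent 32-byte MZ header."""
    image = MZ_HEADER_MIN + len(module)
    e_cp = -(-image // 512)            # ceiling division
    e_cblp = image % 512
    header = struct.pack("<2sHHHH", b"MZ", e_cblp, e_cp, 0, MZ_HEADER_MIN // 16)
    return header.ljust(MZ_HEADER_MIN, b"\x00") + module


PLAIN_CODE = (b"\xB4\x09\xBA\x00\x01\xCD\x21\xB8\x00\x4C\xCD\x21"
              b"Device driver loaded.\r\n$") * 40           # low-entropy code + text
_rng = random.Random(602)
PACKED_CODE = bytes(_rng.randrange(256) for _ in range(2048))  # stands in for compressed data

EXE_STRUCTURED_SYS = make_mz(PLAIN_CODE)                # a .SYS that is really an EXE
PLAIN_TEXT_SYS = b"DEVICE=HIMEM.SYS\r\nDOS=HIGH\r\n"     # CONFIG.SYS-style text, not executable
PACKED_EXE = make_mz(PACKED_CODE)                       # no packer marks, near-random body

if __name__ == "__main__":
    for name, blob in (("HIMEM.SYS", EXE_STRUCTURED_SYS), ("CONFIG.SYS", PLAIN_TEXT_SYS),
                       ("DROPPER.EXE", PACKED_EXE)):
        print(name, "covered:", covered_by_ivb(name, blob), "packed:", looks_packed(blob))
```

Bound the module by the header's own page count rather than by file length:
overlays and appended data beyond the declared image are common in DOS
executables and would otherwise skew the entropy figure.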
ResQdisk upgrades: There were disk configurations that ResQdisk didn't
recognize properly. These were found mostly on Compaq models, having a
special partition dedicated to proprietary diagnostics, coming first,
before the DOS active partition. ResQdisk was upgraded to accommodate
for these configurations too.
In addition, ResQdisk had a few fixes to assure its proper functioning
with the new mode 3 and 4 IDE standards, EIDE as well as with large
capacity SCSI drives. This now covers all hard disk types used in
personal computers.
Install upgrades: The French version of InVircible now configures the
rescue diskette to start with a French keyboard. Install also takes care
to REM out the Thunderbyte TSR in the autoexec at the installation of
IV. The TB TSR intercepts IV's initialization checks and may crash the
system. Also, Install will now install the IV registration key to hard
drives having the Compaq configuration (see ResQdisk, above).
User interface updates. Both IVB's and IVSCAN's command line syntax has
been improved. The [d:] argument, where d represents a drive letter, now
starts the program from the drive's root instead of the current
directory. For the default directory, just don't give any drive
argument.