Text File | 1994-01-09 | 45KB | 1,030 lines
RESCUE-M v 4.2
Installation Manual
Advanced Operation Manual is available only for registered
users.
Contents
1. Introduction
2. Terms used
3. Analysis of how a computer is normally used
4. Compatibility
5. Installation of Rescue-M system
5.1. Installation of hardware HWLock
5.2. Automatic installation with default selections
5.3. Installation with interactive selection of protected
files using the INSTALL installation program
5.4. Recovery diskette
6. Further information
7. Problems
1. INTRODUCTION
The danger of viral infection and other ways of
infiltrating and damaging data is, sadly, a threat facing
all of us. That's why everyone who uses computer
technology has to protect him/herself from this sort of
thing. Rescue-M was designed to provide this protection. The
anti-viral defense you have obtained is described in detail
in later chapters of the operation manual. In this section,
"Rescue-M: Installation Manual", only the basic principle and
function are described, so that a user who wants to
install the defense after just a cursory examination can
make maximum use of the automatic selections that come ready
for use when you first buy the product. It's assumed that
most users have a configured hard disk with the usual
sort of contents and don't want to be bothered with the
detailed problems of programming.
Once any file has been selected, Rescue-M will protect it
from being erased or altered. Infiltrations are not sought
out by their characteristic strings but they are prevented
from altering or erasing files on the disk. It is a means of
prevention which can never become outdated.
The Rescue-M system is equipped with many auxiliary
programs intended, amongst other things, to prepare and
examine the hard disk. So when it's installed, it's enough
just to select the programs to be protected and no virus or
any other infiltration can disturb them. Any attempt at
unauthorized access to these programs is stopped and the
user is notified with an audible signal as well as one on
the monitor screen (although the on-screen signal is
suppressed if graphics mode is running).
Boot viruses are announced immediately after the computer
is started and Rescue-M is installed into memory. The virus
is then easy to remove with the auxiliary program RESTORE,
which is part of the Rescue-M system. If you add the hardware
card HWLock, your computer is protected from boot
viruses as soon as the HWLock hardware card has been
inserted into a free slot on its motherboard.
This, in brief, is the state of your computer after the
automatic installation of Rescue-M.
1. Areas of the disk left unprotected can be freely
accessed, with no limitations.
2. Every item belonging to a selected file is protected,
i.e. its directory and FAT items and all parts of the
file body fragmented on the disk. The protection only
takes up as much room on the hard disk as the file body
itself.
3. The system areas on the disk are protected
automatically, so that they can't be modified without
the user knowing about it.
4. Boot viruses are announced immediately after the
computer is started and Rescue-M is installed into
memory. The virus is then easy to remove with the
auxiliary program RESTORE, which is part of the Rescue-M
system. If you add the hardware card HWLock, your
computer is protected from boot viruses from the moment
the current is switched on, because HWLock makes sure
that nothing is written to any part of the disk
right up until the software program is installed. The
system areas of the disk are protected even after the
software program has been installed.
5. The active principle is the prevention of files being
modified in any way.
2. TERMS USED
A hardware part can be added to Rescue-M. The hardware part
is always referred to as HWLock or CARD, and this is how it
will be referred to throughout the text.
Rescue-M doesn't need any special terms except for
AV.EXE and AV.SYS. The other programs (i.e. items of
Rescue-M) will be described in detail under these names in
later chapters.
The installation we are speaking of in this manual
consists of many actions which prepare the whole
Rescue-M system for its functions in your computer. It's a
question of moving the necessary files from the installation
diskette to the disk and creating the text and binary files
needed for operation. The installation is made with the
program INSTALL, and the simplest way of doing it is
described in chapter 5.
AV.SYS is a driver which is INSTALLED in the CONFIG.SYS
file in such a way that it can be placed in memory like
any other program or driver. When AV.SYS is INSTALLED a part
of the memory is STATICALLY ALLOCATED for the TABLE of the
protected files, and can carry out other activity at the
same time. After INSTALLATION, though, the place allocated
to the table remains empty and the disk is locked (assuming
that the external parameters of AV.SYS don't dictate
otherwise). It's only when the AV.EXE program is started in
AUTOEXEC.BAT or elsewhere that the protection is ACTIVATED,
ie., that the AV.EXE program will calculate the positions of
the protected files according to AVCMD.DAT and that the
TABLE is formed which is inserted into the allocated place
in the AV.SYS memory. This procedure, which can also include
other actions, is what's meant by ACTIVATION.
The AV.EXE program can operate independently (ie.,
without the AV.SYS driver) if the user doesn't want to make
use of AV.SYS. When AV.EXE is started, it will calculate
allocation of the protected files, form the TABLE and check
whether AV.SYS has been installed and room for the table
allocated. If not, it will prepare its resident kernel for
activation and DYNAMICALLY allocate memory for the table
which it will place here and return control to the resident
kernel. In this way the protection is ACTIVATED.
DYNAMIC allocation means that only as much space in memory
will be taken up as the TABLE actually needs. STATIC
allocation means that the amount of memory required will be
established beforehand, so that the TABLE will fit into it
with a small amount of space kept in reserve. If fewer files
are then brought under protection the amount of room
allocated for the table will remain the same, it won't
change in the way it would after DYNAMIC allocation. If the
number of protected files changes while the computer is
being used, by files being erased or recorded for instance,
a new ACTIVATION can be carried out without stopping the
computer. If a STATIC ALLOCATION of memory is made then the
changes will be accepted straight away, but for a DYNAMIC
ALLOCATION of memory that will not be possible and the
computer must be rebooted. Each method has its advantages
and disadvantages which every user can judge for himself and
decide on one or the other.
Using the AV.SYS driver with static allocation of the table
is advantageous on 386+ computers that have free space in
HighMemory - memory over 640kB. The driver, with a table that
is large enough, can be placed there, so that they don't
reduce the memory available to other programs being executed.
The INSTALL program follows the same strategy: it will insert
this driver into the CONFIG.SYS file only if it finds
the system drivers HIMEM.SYS and EMM386.EXE there.
Other terms used - INSTALLATION, ACTIVATION, ALLOCATION and
TABLE - have already been explained above.
3. ANALYSIS OF HOW A COMPUTER IS NORMALLY USED
Most users of personal computers use them to meet certain
of their personal requirements, be they games or the use of
software for a specific purpose. It's not often that he/she
will want to prepare software for another user. This means
that the computer will very often be used as a typewriter,
a device where data can be easily stored and updated, a way
of setting out documents etc., but much less often as
a means of developing new software. That is why there's not
much difference between the types of software installed in
individual computers.
It's mainly by means of executable files that
computer viruses spread. These include files with .EXE and
.COM extensions as well as those with .SYS and .OVL
extensions. We don't need to consider boot viruses here
because they automatically cease to be a threat once
Rescue-M is installed. Most dangerous of all are viruses of
a destructive character (which erase a disk, for instance)
or direct re-writing viruses (which instantly replace part,
or even the whole, of the host program with their own virus
code, causing irreparable damage).
When you look at the structure of data and the programs in
a computer from this point of view, it's clear that it's
mainly executable files that need to be guarded from virus
infection. They're the ones that viruses can use as vehicles
to multiply throughout the system.
The basic selection, which is therefore the default set at
the time of manufacture, follows this mask: *.EXE,
*.COM, *.SYS and *.OVL.
If certain outdated types of program are being used, which
write on their own executable part as part of their normal
activity, that will have to be taken into consideration, and
these programs excluded from protection. If they were placed
under protection they would be prevented from making this
sort of entry, even though it is part of their function, but
this sort of problem has never been very common. Programs
can be excluded from protection with the
installation program INSTALL by selecting the menu item
"Choice of Manual protect selection". The program is
described further on.
Programs which write onto their own *.EXE or *.COM
configurations will be excluded from protection.
Some programs write onto their own .SYS or .OVL files.
It's not very common but cases do occur. The well-known
COREL V.3.0 software, for instance, incorporates the
CORELDRW.SYS file, but, as far as we know, this is the
only such case among the software presently marketed by
Corel, and this SYS file is actually a text file, not
a driver.
If a program writes onto its *.SYS or *.OVL files as part
of its activity, then these files cannot be placed under
protection.
If anyone, such as a program designer, ever has to work
with unprotected .COM or .EXE type files, or other similar
files, he/she can do this by opening a separate directory
where the unprotected files can be lodged (but kept under
protection elsewhere). Again, the easiest way to do this
is to use the installation program INSTALL, described
below.
A working directory is formed, in which all files are left
unprotected.
The next time the system is started, or the next time the
resident AV program is activated, all new files which
match this selection mask will be brought under
protection (unless they are in the directory mentioned
above). Selection is made with this command:
UNSEL\path\directory_name\*.*
in the AVCMD.DAT file or with the help of the INSTALL
installation program, which will modify AVCMD.DAT
automatically.
Now it's the turn of data on disk. These can become the
target of destructive viruses which might, for instance,
erase the disk, but virus attacks can also be aimed at
particular data editors or text editors. There's a method
used for these files which is elegant, proven and effective.
For each application, compiling or using data, two
sub-directories are formed: WORKING and BACKUP.
Every time you finish work, place all data in the backup
directory, where it should be placed under protection with
the command:
SEL\path\BACKUP\*.*
In this directory nothing can destroy your data. The
situation might look something like this:
C:\
  PARADOX
    WORKING
    BACKUP
Before starting Paradox, always copy all data files
into the working sub-directory, and when work is finished
put it back in the backup directory. It's best to work with
two sets of data and record them into the working directory
alternately. In this way a virus can, at worst, only destroy
the most recent changes and the whole package in the backup
directory will remain untouched.
Using a .BAT file, data can be manipulated in this way
completely automatically.
For instance:
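@ECHO OFF
REM Copy the protected data from BACKUP into WORKING
CD\PARADOX\WORKING
COPY C:\PARADOX\BACKUP\*.*
REM Run the application on the working copy
CD\PARADOX
PARADOX.EXE
C:\AVIRLOCK\AV I D F/ODMKPAR.DAT
REM Store the results in BACKUP and empty WORKING
CD\PARADOX\BACKUP
COPY C:\PARADOX\WORKING\*.*
CD\PARADOX\WORKING
DEL *.*
C:\AVIRLOCK\AV I D F/YAMKPAR.DAT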
If a virus has gotten into the memory when you've been
working with Paradox it will reveal itself the first time it
tries to replicate or cause any damage. If any working data
is erased the user will know about it straight away, and
he/she will also be immediately alerted if it tries to alter
or erase any other file.
Finally, on the subject of data protection, we may say:
THE MOST VALUABLE THING INSIDE YOUR COMPUTER IS ITS DATA
That is why you should follow the procedure set out above
and observe these principles:
1. Obtain the original MS DOS system diskette.
2. Enter the system into your computer from the original
diskette, format the disk, and then install the
operating system.
3. Install Rescue-M protection with all its automatic
guards.
4. Install some software you've already used and carry out
a new activation of Rescue-M protection. (You can be
sure that the computer's system is clean.) When
re-installing, perform the CRC check calculations at
their maximum extent and include all files which are run
from AUTOEXEC.BAT or CONFIG.SYS in the automatic CRC
check (during each boot).
5. Always carry out a hard reset before starting an
application working with protected data or texts, and
as soon as you've begun, start the batch file, *.BAT.
In this way you will remove the risk of a resident
virus remaining in the memory when any game or program
is started from a diskette or an unprotected program on
the disk.
6. When Rescue-M protection is fully operative and all
protected files are locked (included under protection),
you can do whatever you like on your computer.
7. If you observe points 1 - 5, you can be quite sure that
your data are safe.
8. Add the hardware part HWLock to the Rescue-M system.
Boot viruses will no longer be a problem for you.
4. COMPATIBILITY
The antiviral system RESCUE-M is compatible with DOS
operating system v 3.3 or higher. All hardware is
supported.
Hardware supplement HWLock
The hardware card will only cover AT BUS (IDE) disks.
We don't recommend that the hardware HWLock be installed
on other types of computer without previously consulting
a dealer. It is possible for problems to occur even with the
computers mentioned above. In this case, please consult the
"Problems" chapter, and if you can't find the answer to your
questions there, you'll need to obtain advice from a dealer.
5. INSTALLATION of RESCUE-M SYSTEM
5.1. Installation of hardware HWLock
Installing the hardware card into the computer is easy.
The first step is to open your computer
case (after disconnecting it from the power supply, of
course). Now select a vacant slot and put the card into it.
The keys on the card prevent it from being inserted the
wrong way round. Then close the computer case and screw it
shut.
Once you have successfully finished installing the hardware
card into a free slot of your computer,
the second part of the installation, and a new era of
perfect safety for you, begins.
Now you are quite safe from boot viruses and the whole
disk(s) is protected against any writing from the moment of
start. Any further actions must be carried out with the
protection unlocked, until the complete installation of the
AV driver has been made.
5.2. Automatic installation with default selections
Once you've read everything mentioned above, concerning
choice of files and other considerations, and you don't need
any special detail choices for file protection, you can go
straight on to automatic installation with the help of the
INSTALL installation program.
The antiviral protection will be installed with default
filters for selection and it will safely protect your system
until you decide to optimize the settings for your
specific needs.
Always install the antiviral system Rescue-M on a faultless
disk, without any cross-linked files and without any lost
clusters.
That is why, before installation, you should check all files
and directories on the disk with the SERVICE program (with
command SERVICE /t C:). If any errors appear, they must be
repaired with the SERVICE program (with command
SERVICE /T C:), the CHKDSK program or the Norton Disk
Doctor.
Then you can go on to the installation itself.
Check that there's at least 500kB of free space on the
target disk. Put the installation diskette into any drive
and start the INSTALL program.
C>A: <ENTER>
A>INSTALL <ENTER>
or
C>A: <ENTER>
A>INSTALL J <Enter>
Parameter J makes INSTALL search the disk configuration
(the distribution of logic disks on physical media) by
another method. Both variations will give roughly the same
results; parameter J is necessary only when certain types of
CACHE or disk drivers are used. However, it may fail to
distinguish logic disks properly if the physical
disk contains some non-DOS sections. If you're using an
aggressive CACHE with, at the same time, a DOS disk
containing some non-DOS sections, you will have to
disconnect the CACHE and install RESCUE-M without using
parameter J.
Introductory Panel
The "Introductory Panel" will be displayed on the screen
after running the INSTALL installation program.
Logic Disks
Information about disks found in the computer will be
shown in the topmost window of the Introductory Panel.
The Rescue-M hardware part can be used to protect any disk
marked "HWL". If the information on logic disks isn't
correct, try again with (or without) parameter J.
Options for install
At the bottom of the Introductory Panel you can see the
window "Options for install". From here you may select the
basic options. Items can be switched using arrow keys or by
clicking the left mouse button, and activated by pressing
ENTER or a double click on the left mouse button.
Target Directory
The first item in the "Options for install" window shows
"Target directory". By setting the cursor at this item and
pressing ENTER you can edit the target directory and enter
any directory name in any disk.
Previous Installation
The second item, "Previous Installation", indicates whether
or not any earlier installation has been made. With the
ENTER key you can modify any previous installation found or
just ignore it, which means that it will be over-written
with new data.
Setup for ...
The third item is "Setup for...". The default setting can
be changed between "Operator", "User" and "Programmer" by
pressing the ENTER key. By pressing F6 you can see this
setting in the window "Options setting". Move the cursor to
the required line with arrow keys and press the ENTER key to
change its setting.
This is the setting that we recommend for the first
installation:
- Modify AUTOEXEC.BAT, CONFIG.SYS      YES
- Guard the number of locked files     YES
- Write protect of                     ALL FAT COPIES
- Single write protect override        NO
- Continue after error                 YES
Key F1 can be used to obtain help for each of these items,
and we suggest you make use of it. The bottom line of the
screen shows short help for further commands.
When you've made all the changes you require, the ESCAPE
key will return you to the original "Options for install"
window.
Manual protect selection
The fourth item, "Manual protect selection" will be
explained in detail in later chapters, as this goes beyond
what we call automatic installation.
Automatic Installation
The fifth item, "Automatic Installation" is for when quick
installation is being made by the computer's normal user.
Press the ENTER key to start the installation of Rescue-M on
disk with default settings. This means that files which match
the masks *.COM, *.EXE, *.SYS, *.OV* and, in the installation
directory, also *.DAT, will be brought under protection.
CONFIG.SYS in the root directory isn't included in the
protection.
AUTOEXEC.BAT and CONFIG.SYS will be modified automatically
according to the setting made with the F6 key. This means
that the protection will be automatically activated whenever
the computer is started. If your computer has a 386 processor
with drivers set at
DEVICE=HIMEM.SYS
DEVICE=EMM386.EXE
then the AV.SYS driver will be installed into CONFIG.SYS in
the form:
DEVICEHIGH=AV.SYS <Memory_size_hex> ,HELP
Otherwise the AV.SYS driver will be installed as REM and,
when activated, the resident kernel of the AV.EXE program
with dynamic table memory allocation is lodged into memory.
The AV.EXE call is placed in AUTOEXEC.BAT as
CALL C:\path\AVACT.BAT.
If you want to use the AV.SYS driver, it's enough just to
delete REM in the CONFIG.SYS.
NOTE: The CONFIG.SYS file is under protection, so that
it has to be unlocked (KEY U) before it can be
modified. Then, when later actions have been saved, the
protection should be re-activated (for instance with
a reset).
While automatic installation is taking place, the system
areas of the disk will be placed under protection, the data
file AVCRC.DAT is generated for CRC checking of the IO.SYS,
MSDOS.SYS, COMMAND.COM and AV.EXE files at each
activation, and the AVBOOT.DAT file is generated for BOOT
and MBR checking during each activation.
It is also advisable to watch the bottom status line, which
will change according to activity in the "Installation
Options" window, offering further commands, hints or help.
In this way automatic installation of RESCUE-M will have
been carried out, and the protection will come into effect
the next time the computer is booted.
When the computer's boot is started, the protection will be
activated as follows:
As soon as the current is switched on the entire disk will
be automatically write-protected, including from boot
viruses (if the hardware part HWLock is used).
When CONFIG.SYS is executed, AV.SYS will - or will not,
according to the setting - be placed in memory and room will
be allocated for the table. The whole disk is locked the
whole time. When AUTOEXEC.BAT is executed, AVACT.BAT file
will be called up and the CRC check of IO.SYS, MSDOS.SYS,
COMMAND.COM and AV.EXE files will be done.
Then the BOOT and MBR will be checked. Any changes since
the INSTALL program was last run will be
announced. The number of files under protection will be
checked (if this is switched on), since a change in this
number could indicate the presence of a companion virus.
If everything is as it should be, the table will be formed
and placed in memory, either for AV.SYS or for the
resident kernel of AV.EXE.
In this way the protection is activated and there is no
access to protected files either to infect them or to modify
them. This also means, of course, that they cannot be erased
or moved. The remaining parts of the disk are just freely
accessible. If no unauthorized attempt is made to interfere
with the protected files the user will simply not be aware
that the protection is active.
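The activation checks described above, sketched as an added Python example (not Rescue-M's code; the real AVCRC.DAT format is not modelled): it baselines CRC-32 values for the four files the manual names, counts the files matching the default masks, and goes one step further by flagging a new .COM that shadows an existing .EXE. The directory tree, file contents and function names are constructed for illustration.

```python
import fnmatch
import os
import tempfile
import zlib

# Default selection masks quoted in the manual (compared in upper case, as on DOS).
MASKS = ("*.COM", "*.EXE", "*.SYS", "*.OV*")
# Files the manual says are CRC-checked at every activation.
CRITICAL = ("IO.SYS", "MSDOS.SYS", "COMMAND.COM", "AV.EXE")


def crc32_of(path):
    """CRC-32 of a file, read in chunks so large files do not fill memory."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def selected_files(root):
    """Sorted relative paths of all files under root that match MASKS."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if any(fnmatch.fnmatchcase(name.upper(), m) for m in MASKS):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def make_baseline(root):
    """Record CRCs of the critical files and the list of selected files."""
    return {
        "crc": {n: crc32_of(os.path.join(root, n)) for n in CRITICAL},
        "selected": selected_files(root),
    }


def check(root, baseline):
    """Return a list of findings; an empty list means nothing changed."""
    findings = []
    for name, old in baseline["crc"].items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            findings.append(("MISSING", name))
        elif crc32_of(path) != old:
            findings.append(("CRC_CHANGED", name))
    now = selected_files(root)
    if len(now) != len(baseline["selected"]):
        findings.append(("COUNT_CHANGED",
                         f"{len(baseline['selected'])} -> {len(now)}"))
    # A companion virus leaves the .EXE untouched and drops a same-named
    # .COM beside it, which DOS runs first. Only new .COM files are flagged.
    known = set(baseline["selected"])
    exes = {os.path.splitext(p)[0].upper()
            for p in now if p.upper().endswith(".EXE")}
    for rel in now:
        stem, ext = os.path.splitext(rel)
        if ext.upper() == ".COM" and rel not in known and stem.upper() in exes:
            findings.append(("COMPANION_SUSPECT", rel))
    return findings


def demo():
    """Build a constructed DOS-like tree, baseline it, tamper, re-check."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed sample contents, not real system files
            "IO.SYS": b"io", "MSDOS.SYS": b"dos", "COMMAND.COM": b"shell",
            "AV.EXE": b"guard", "GAMES/GAME.EXE": b"MZ game",
            "GAMES/README.TXT": b"text",
        }
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        baseline = make_baseline(root)
        clean = check(root, baseline)
        # Constructed tampering: COMMAND.COM is modified and GAME.COM appears.
        with open(os.path.join(root, "COMMAND.COM"), "ab") as fh:
            fh.write(b"\x90")
        with open(os.path.join(root, "GAMES", "GAME.COM"), "wb") as fh:
            fh.write(b"companion")
        return clean, check(root, baseline)


if __name__ == "__main__":
    print(demo())
```

A count alone misses the case where one file is removed and another added, which is why the sketch also compares names against the baseline.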
5.3. Installation with interactive selection of protected
files using the INSTALL installation program
The first time the INSTALL installation program is
started, it must be done directly from the distribution
diskette or a write protected copy of it. From then on, when
it's used to update data files or to change the selections,
INSTALL can be started from the directory given for this
protection (where it was first moved to).
Before installation, check all files and directories on
the disk with the SERVICE program (SERVICE /t C:). If any
errors appear, they must be repaired with the
SERVICE program (with command SERVICE /T C:), the CHKDSK
program or the Norton Disk Doctor.
Then you can go on to the installation itself.
Check that there's at least 500kB of free space on the
target disk. Put the installation diskette into any drive
and start the INSTALL program.
C>A: <ENTER>
A>INSTALL<ENTER>
or
C>A: <ENTER>
A>INSTALL J <Enter>
Parameter J makes INSTALL use a simpler search of the disk
configuration (the distribution of logic disks on physical
media). Both variations will give roughly the same results;
parameter J is necessary only when certain types of CACHE or
disk drivers are used. However, it may fail to distinguish
logic disks properly if the physical disk contains
some non-DOS sections. If you're using an aggressive CACHE
with, at the same time, a DOS disk containing some non-DOS
sections, you will have to disconnect the CACHE and install
RESCUE-M without using parameter J.
The "Introductory Panel" will be displayed on the screen
after running the INSTALL installation program. The topmost
window of the Introductory Panel, "Logic Disks", shows
information about disks found in the computer. The Rescue-M
hardware part can be used to protect any disk marked "HWL"
here. If the information on logic disks isn't correct, try
again with (or without) parameter J.
The installation should follow these steps:
Step 1 - Introductory Panel
The first thing displayed will be the "Introductory
Panel". The options offered here were described in the part
on Automatic Installation. To start with, we suggest you
leave the default setup, select the item "Automatic
Installation" and continue by pressing the ENTER key.
More advanced users can select the item "Choice of
Individual Disks for Protection" and continue by pressing
the ENTER key. We suggest you set "Intended for..." at
"User". This item can be changed at any time in the window
called up by pressing the F6 key.
You've now been transferred to the "Installation Panel",
and if you're happy with the default selection now offered
you can finish installation with key F2 and go on to step
6. If you want to change these default values, go on to the
following step.
Step 2 - Installation Panel
You can decide whether to have protection on or off for
a given logic disk directly from the "Installation Panel" in
the "Action" window. Turn protection on or off with the
ENTER key (or a mouse) for any line (1 to 5) requested in
the "Action" window. Lines which are switched on are marked
with a tick. If you're happy with the automatic choice of
files to be protected, you can finish installation with key
F2 and go on to step 6. If not, go on to step 3.
Step 3 - Global Selection
Activate the required disk using arrow keys or a mouse
(activated disk is highlighted), select the required line of
menu and make your choice of files with F9 key.
For instance, choose the first line "File protection" of
menu for disk 'C' and press F9. After a short while, the
current directory tree of disk C will be shown on the left
hand side of the screen and the choices (actions) located in
the root directory will be written out on the right hand
side. The default selection is:
SEL TREE *.COM, *.EXE, *.SYS, *.OV* (and *.DAT in
installation directory).
A different action could be shown on the right hand side
of the screen if you move the cursor in the left menu "Tree"
to a different directory, but in this case the "Action"
field will be empty by default.
If you need to protect, say, all .TXT files in the ARCHIV
directory from being re-written, select this directory in
the menu "Tree" and press ENTER.
When the dialog window appears, you should first erase
the default offer with the DEL or BACKSPACE keys and then
write your own selection command "*.TXT". Check the type of
action - it must be SEL - and where it will be applied
(switch on DIR). When you press the ENTER key, the newly
entered action will be attached to the given directory
ARCHIV. This directory will be marked in the menu "Tree"
with a square.
This procedure can be repeated until all requests lodged
in the selection have been carried out.
If a faulty action was lodged anywhere you can transfer to
the menu "Action" on the left hand side of the screen by
pressing the TAB key or a mouse and erase or correct that
line.
When you're happy with the selection you've prepared,
press F2 to enter your selection and you can go on to step
5. If not, you can make use of "Detailed selection"
described in the next stage.
Step 4 - Detailed Selection
If you need to see which .COM files have been selected
for protection, for instance, select the root directory in
the menu "Tree" with the cursor and press key F9.
The dialog window, with the filter for detailed selection,
will be displayed. Here, you can leave the default filter,
*.*, as it is, applying to the TREE, and confirm the
information shown with the ENTER key.
When the detailed selection has been prepared, a detailed
menu will appear in the center of the screen. Those files in
the list which have been selected for protection will be
marked with "***". Position the cursor on a file that was
originally selected, and press ENTER. This file will be
de-selected and its indicator will disappear. The same can
be done with many files in either direction, i.e. you may
select or de-select a file with the ENTER key.
Confirm the detailed selection with key F2. Selection has
now been completed, and the newly formed commands will
appear in the global selection in the "Action" menu. A new
square will appear by this directory in the "Tree" menu.
Step 4 can be repeated on this or other directories, or
the action can be re-adjusted following the procedure
described in step 3. When you judge selection to have been
completed go on to the next step.
Step 5 - Completing Selection
Confirm that your selection of files is ready by pressing
key F2. The selection action will be saved and control will
return to the "Installation Panel".
Now, either compile another set of files to be protected,
perhaps for another logic disk, or repeat step 3. Or else
you can end installation with step 6, which follows.
Step 6 - Finishing Installation
Press F2 while the "Installation Panel" is showing, to
confirm that your selections are correct.
The program will start to prepare all the requested files
and other files necessary - in particular the CRC for
extensive checking. This can last several minutes,
especially if you've selected very large files or you're
using a slow computer.
You can see how far the calculations have progressed in
the CRC window, showing which files have just been treated.
5.4. Recovery diskette
Once installation has successfully taken place, first
reset the computer and then insert a formatted, blank
recovery diskette into drive A:. Then start the newly formed
AVSAV.BAT file. If system files are accessible, a boot
diskette will be formed with your DOS version. Further, the
other files needed for recovering the system areas of the
disk, if necessary, will be placed on this diskette along
with certain service programs. According to your disk
configuration, you can also add other useful programs
(for instance drivers) manually. Once this diskette has been
completed, make it write-protected and store it.
While the AV program is being activated the checks ordered
will take place and the operational protection on selected
files will be activated.
Note: If any of the files under CRC protection is
updated, or if a disk with a protected boot sector is
re-formatted, the AV program will announce the change
when it is activated. You then have to repair the data
files for Rescue-M protection. The easiest way to do
this is to use the batch files AVACTUPD.BAT and
AVCRCUPD.BAT.
After such an update of the check files you must also update
the recovery diskette. Again you may use the batch file
AVSAV.BAT.
6. FURTHER INFORMATION
We recommend that all users install the memory driver
EMM386.EXE which, used in conjunction with HIMEM.SYS, will
make it possible to install the AV.SYS driver in high
memory as DEVICEHIGH. Installing EMM386.EXE also has some
other significant protective features.
INSTALL EMM386.EXE
If you use a black and white monitor, the INSTALL program
can be started with parameter M:
INSTALL M
for monochrome mode.
It is advisable to make a backup diskette of the
software.
It is also advisable to generate the recovery diskette by
executing the AVSAV.BAT file that was generated by the
INSTALL program.
When RESCUE-M is installed from a diskette, certain BAT
and DAT type files are formed in the target directory. These
files contain commands for necessary actions and data for
them.
Form the recovery diskette in this way: insert
a formatted, blank diskette into drive A:. Then execute the
AVSAV.BAT file. The program will form the recovery boot
diskette and record the AV.EXE, RESTORE.EXE and SERVICE.EXE
programs and the AVBOOT.DAT and AVCRC.DAT files on it.
If any serious disturbance to the system areas of the disk
occurs, and even if the disk becomes inaccessible by normal
methods, the RESTORE.EXE program can be used with the
AVBOOT.DAT file to renew the entire disk, including its
logical parts.
The CRC checks, calculated for the above mentioned files,
are contained in the AVCRC.DAT file. Each time the computer
is booted these files are checked and any discrepancy
announced.
The AVACT.BAT file will activate the protection, i.e.
calculate the tables anew and carry out other checks. In
calculating the tables it makes use of information lodged in
the AVCMD.DAT file which has a structure very similar to DOS
commands and can be freely modified, using an ASCII editor,
as needed.
The AVACTUPD.BAT file is used to update the data file .DAT
if the user has made any deliberate changes to the disk,
such as re-installing the operating system, when the CRC
check, BOOT/MBR and COMMAND.COM are changed.
If any protected file needs to be relocated or erased you
should first use the KEY.EXE program which will allow you to
unlock the hard disk and disconnect the resident guarding
program. Once service has been completed you should run
AVACT.BAT (if AV.SYS is installed) or reboot the computer.
Further detailed information - enabling you to make more
effective use of RESCUE-M even in the most demanding
software and hardware configurations - can be found in the
Operating Manual.
7. PROBLEMS
In this chapter we try, briefly, to explain some of the
problems that might come up while using or installing
RESCUE-M, considering the wide range of software now in use.
1. We recommend placing the command that installs the
protection first in the AUTOEXEC.BAT file. Problems may
occur with some network drivers, which is why it is
sometimes useful to call the AV or INSTALL program before
some network drivers are installed. The protection is
compatible with all common networks, but it must be called
before the network drivers are installed into memory.
2. Windows
The Windows 3.1 now being distributed includes a new
version of SMARTDRIVE. It installs itself automatically with
write caching enabled. If the target is protected from being
written on, this will be announced in the top left hand
corner of the screen, and the traditional DOS announcement
won't appear. This cache is unfriendly in that it won't
allow any entry on the disk to be cancelled, and the user
has either to free it or restart the computer.
The solution is simple - use a different cache or install
this one without write caching, as explained in its
instructions.
3. CORELDRW v3.0
The program writes onto file CDCONFIG.SYS while running,
which therefore has to be removed from protection. For the
same reason there's no point in having the CRC check it.
4. CFG
Many programs write new settings to files with the CFG
extension. These files have to be removed from control, as
they ought not to be write-protected. Otherwise the
protection program would announce an attempt to breach
protection each time a configuration was written.
5. PCTOOLS
The PCTOOLS program performs some disk accesses and some
functions without using DOS support. That is why its
functions may collide with the Rescue-M antiviral
protection. The user can eliminate this when Rescue-M is set
to protect both copies of the FAT tables. The collision
will occur during the use of the DELETE command or MOVE
command. DON'T USE "X" to cancel these commands; use the
"IGNORE" command instead. The IGNORE command will finish the
breach of protection correctly, even if it is sometimes
necessary to repeat it. This problem is internal to the
PCTOOLS program and if you use, say, NORTON Commander or
Windows, these problems don't arise.
6. Signs of Unauthorized Writing.
When you start a program and you are warned that an
unauthorized attempt to write is being made (an auditory
signal 'La Cucaracha' with a visual warning on screen,
showing that something is trying to write onto a protected
file), use the SERVICE program:
SERVICE /e C:
(function "Write out exceptional events")
The unauthorized writing warning can even be made when the
SERVICE program is started. If so, this is no cause for
alarm, as even if protection has been temporarily removed
there's no possibility of the illicit entry being made.
There's a virus you've just allowed into the computer's
memory trying to attack the program, but it certainly won't
be successful as long as you don't make this possible by
using the override. In this way you can find out either
which file the virus is trying to attack, or which file
the program you've started wants to write on in the course
of its work, and which ought not to be under protection.
If the writing is to be made somewhere that couldn't even
have a chance connection with the program running, then this
program is infected with a direct action file virus. If the
writing is to be made on a running (and protected) program,
then it could be a resident virus trying to infect it. If
so, the virus has probably also tried to infect the SERVICE
program, in which case, see the previous paragraph. It's
best to test this possibility by running a few other
protected programs and observing what announcements of the
protection are made. The virus in the computer was probably
activated from the previous program; if it was started from
a diskette, then that's a lesson for the next time; if it's
already on disk, then it should be removed immediately.
It's enough just to re-boot the computer and everything will
be back as it should be.
If there's no resident virus revealed (if, for
instance, other programs don't announce a breach of
protection or the situation repeats itself even after the
computer has been re-booted from a protected, sealed
recovery diskette), it could be a program that keeps certain
data in its own body (EXE). This is not at all likely but
there are commercial programs of this sort in existence. The
configuration will usually write itself out only after an
explicit command, and never automatically when it's
started. If this is the case, this program will have to be
removed from protection.
If the breach of protection alarm is not made
immediately, but when the program has been running for a certain
time, when certain actions are made which could call up the
entry, then it's certainly the case as described in the last
paragraph and the SERVICE program will help you to find the
affected file and remove it from protection.
7. Data Files for AV
For maximum safety it's best to include all files with
a .DAT extension from the AVIRLOCK directory (or whatever
directory you've installed RESCUE-M in), and perhaps even
the AUTOEXEC.BAT file, too, under write-protection. In this
way, you can be sure that no virus can put your protection
out of action. If AUTOEXEC has to be moved or adjusted, you
can do this using the override or by switching protection
off, using the KEY program.
8. CRC Check of the AV Program
It's best to let the AV.EXE program be checked
automatically by the CRC. This program has not been designed
to check itself because STEALTH viruses can easily outwit
any check that's too simple, and this sort of thorough check
at the low level needed is just what the CRC does.
9. FAT Damage
If any attempt is made to write onto a protected file or
area, either by a virus or by the user, this can result in
a fault in the allocation table (FAT). A certain part of the
new allocation, working with an unprotected area, can be
written onto the disk before this operation is interrupted
by the attempt to write onto one that is protected.
This certainly doesn't mean that the protected files have
been damaged. The CHKDSK system program with the parameter
/F or the SERVICE program, which is a part of this package,
will put everything back in order. Or the Norton Disk Doctor
can also be used.
10. Entry into interrupt 13
When starting the computer or when the AV is activated,
the announcement "Entry into int 13 doesn't match..." might
be made. This could mean that:
a) Software has been installed on non-standard hardware
and the entry point to int 13 does not have the usual address.
b) Some kind of software that installs itself into
memory at the same time as the Boot sequence has been used.
This could be, for instance, a password that protects the
computer from access by unauthorized persons, or something
similar.
c) The computer has been attacked by a boot virus,
concealing itself in the same way as the software mentioned
above.
The AV program guards access to int 13 and if it can't be
found at the address expected this problem will be announced
to the user. This protective action is very important as it
ensures that no false data about where the required writing
should be made can be smuggled through to the protected
program.
Without controlling access to int 13 the computer cannot be
effectively protected.
If the user is sure that access to int 13 is being used
legitimately (using the password RESCUE-P, for instance),
he/she can save the new address of the entry point for int 13,
as influenced by this program, by starting the updating batch
AVACTUPD.BAT. In this way the address saved will be accepted
and a warning announcement will again be made each time any
change is made to it.
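
The int 13 check described in this chapter, as an added C example that is not Rescue-M's own code: it reads the int 13h vector from a real-mode interrupt vector table image and compares it with a saved baseline. The 1 KiB table image, the addresses and all function names are constructed for illustration, and comparing the vector itself is an assumption, since the manual does not say how AV locates or stores the entry point.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Far pointer as stored in the real-mode interrupt vector table (IVT). */
typedef struct { uint16_t seg, off; } farptr;

enum verdict { V_MATCH, V_CHANGED_ROM, V_CHANGED_RAM };

/* Vector n occupies 4 bytes at n*4: offset word first, then segment word. */
farptr ivt_vector(const uint8_t *ivt, unsigned n) {
    const uint8_t *p = ivt + 4u * n;
    farptr v = { (uint16_t)(p[2] | (p[3] << 8)), (uint16_t)(p[0] | (p[1] << 8)) };
    return v;
}

/* Real-mode physical address: many segment:offset pairs name the same byte. */
uint32_t phys(farptr p) { return ((uint32_t)p.seg << 4) + p.off; }

/* Compare the live int 13h vector with the saved baseline and say where
   a changed handler lives. */
enum verdict check_int13(const uint8_t *ivt, farptr saved) {
    uint32_t now = phys(ivt_vector(ivt, 0x13));
    if (now == phys(saved)) return V_MATCH;
    /* 0xC0000 and up is normally adapter/system ROM: case a), non-standard
       hardware. Anything lower is writable memory: case b) or c). */
    return now >= 0xC0000UL ? V_CHANGED_ROM : V_CHANGED_RAM;
}

/* Build a constructed 1 KiB IVT image whose int 13h vector is h. */
void make_ivt(uint8_t *ivt, farptr h) {
    uint8_t *p = ivt + 4u * 0x13;
    memset(ivt, 0, 1024);
    p[0] = (uint8_t)(h.off & 0xFF); p[1] = (uint8_t)(h.off >> 8);
    p[2] = (uint8_t)(h.seg & 0xFF); p[3] = (uint8_t)(h.seg >> 8);
}

int main(void) {
    static const char *text[] = { "int 13 entry matches baseline",
        "int 13 entry changed, handler in ROM", "int 13 entry changed, handler in RAM" };
    uint8_t ivt[1024];
    farptr saved = { 0xF000, 0x1140 };  /* constructed baseline address */
    farptr hook  = { 0x9F80, 0x0010 };  /* constructed RAM-resident handler */
    make_ivt(ivt, hook);
    puts(text[check_int13(ivt, saved)]);
    return 0;
}
```

A RAM verdict cannot tell case b) from case c); that decision still rests with the user. With EMM386 providing upper memory blocks, RAM can be mapped above 0xC0000, so the ROM verdict is a hint rather than proof.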