Media Share 9

home *** CD-ROM | disk | FTP | other *** search

/ Media Share 9 / MEDIASHARE_09.ISO / antivir / rescue-m.zip / RESCUE-M.EXE / INSTMAN.DOC < prev next >

Wrap

Text File | 1994-01-09 | 45KB | 1,030 lines

RESCUE-M v 4.2 Installation Manual Advanced Operation Manual is available only for registered users. Contents l. Introduction 2. Terms used 3. Analysis of how a computer is normally used 4. Compatability 5. Installation of Rescue-M system 5.1. Installation of hardware HWLock 5.2. Automatic installation with default selections 5.3. Installation with interactive selection of protected files using the INSTALL installation program 5.4. Recovery diskette 6. Further information 7. Problems l. Introduction The danger of viral infection and other ways of infiltrating and damaging data is, sakly, a threat facing all of us. That's why everyone who ever uses computer technology has to protect him/herself from this sort of thing. Rescue-M was designed to provide this protection. The anti-viral defense you have obtained is described in detail in later chapters of the operation manual. In this section "Rescue-M: Installation Manal", only the basic principle and function will be described so that the user who wants to install the defense after just a cursory examination can make maximum use of the automatic selections that come ready for use when you first by the product. It's assumed that most users will have a configured, hard disk with the usual sort of contents, and doesn't want to be bothered with the detailed problems of programming. Once any file has been selected, Rescue-M will protect it from being erased or altered. Infiltrations are not sought out by their characteristic strings but they are prevented from altering or erasing files on the disk. It is a means of prevention which can never become outdated. The Rescue-M system is equipped with many auxiliary programs intended, amongst other things, to prepare and examine the hard disk. So when it's installed, it's enough just to select the programs to be protected and no virus or any other infiltration can disturb it. Any attempt at unauthorized access to these programs is stopped and the user notified with an auditory signal as well as one on the monitor screen (although the on-screen signal is suppressed if the graphic regime is running). Boot viruses are announced immediately after starting of the computer and Rescue-M installation into memory. Then, virus is easy to remove with the auxiliary program RESTORE, that is part of the system Rescue-M. If you add the hardware card HWLock, then your computer is protected from boot viruses as soon as the HWLock hardware card has been inserted into a free slot on its mother board. This, in brief, is the state of your computer after the automatic installation of Rescue-M. l. Areas of the disk left unprotected can be freely accessed, with no limitations. 2. Every item on selected files is protected, ie. directory and FAT items and all parts of the file body fragmented on the disk. The protection only takes up as much room on the hard disk as the file body itself. 3. The system areas on the disk are protected automatically, so that they can't be modified without the user knowing about it. 4. Boot viruses are announced immediately after starting of the computer and Rescue-M installation into memory. Then, virus is easy to remove with the auxiliary program RESTORE, that is part of the system Rescue-M. If you add the hardware card HWLock, then your computer is protected from boot viruses already in the moment the current is switched on because HWLock makes sure that there's no entry made on any part of the disk right up until the software program is installed. The system areas of the disk are protected even after the software program has been installed. 5. The active principle is the prevention of files being modified in any way. 2. TERMS USED Hardware part can be added to Rescue-M. The hardware part is always referred to as HWLock or CARD, and this is how it will be referred to throughout the text. The Rescue-M doesn't need any special terms escept for AV.EXE and AV.SYS. The other programs (ie.items of Rescue-M) will be described in detail under these names in later chapters. The installation, we are speaking on in this manual, consists of many actions that are to prepare the whole Rescue-M system for its functions in your computer. It's a question of moving the necessary files from installation diskette to disk and creating the text and binary files needed for operating. The installation is made with the program INSTALL and its simpliest way is described in chapter 5. AV.SYS is a driver which is INSTALLED in the CONFIG.SYS program in such a way that it can be placed in memory like any other program or driver. When AV.SYS is INSTALLED a part of the memory is STATICALLY ALLOCATED for the TABLE of the protected files, and can carry out other activity at the same time. After INSTALLATION, though, the place allocated to the table remains empty and the disk is locked (assuming that the external parameters of AV.SYS don't dictate otherwise). It's only when the AV.EXE program is started in AUTOEXEC.BAT or elsewhere that the protection is ACTIVATED, ie., that the AV.EXE program will calculate the positions of the protected files according to AVCMD.DAT and that the TABLE is formed which is inserted into the allocated place in the AV.SYS memory. This procedure, which can also include other actions, is what's meant by ACTIVATION. The AV.EXE program can operate independently (ie., without the AV.SYS driver) if the user doesn't want to make use of AV.SYS. When AV.EXE is started, it will calculate allocation of the protected files, form the TABLE and check whether AV.SYS has been installed and room for the table allocated. If not, it will prepare its resident kernel for activation and DYNAMICALLY allocate memory for the table which it will place here and return control to the resident kernel. In this way the protection is ACTIVATED. DYNAMIC allocation means that only as much space on memory will be taken up as the TABLE actually needs. STATIC allocation means that the amount of memory required will be established beforehand, so that the TABLE will fit into it with a small amount space kept in reserve. If fewer files are then brought under protection the amount of room allocated for the table will remain the same, it won't change in the way it would after DYNAMIC allocation. If the number of protected files changes while the computer is being used, by files being erased or recorded for instance, a new ACTIVATION can be carried out without stopping the computer. If a STATIC ALLOCATION of memory is made then the changes will be accepted straight away, but for a DYNAMIC ALLOCATION of memory that will not be possible and the computer must be rebooted. Each method has its advantages and disadvantages which every user can judge for himself and decide on one or the other. AV.SYS driver use with statoc allocation of table is advantageous in computers 386+, that have a vacant place in HighMemory - memory over 640kB. The driver with table alrge enough is possible to place here and they don't reduce memory for other programs being executed. This strategy is valid also for the program INSTALL, that will insert this driver into CONFIG.SYS file only in case that he will find the system drivers HIMEM.SYS and EMM386.EXE there. Other terms used - INSTALLATION, ACTIVATION, ALLOCATION and TABLE - have already been explained above. 3. ANALYSIS OF HOW A COMPUTER IS NORMALLY USED Most users of personal computers use them to meet certain of their personal requirements, be the games or the use of software for a specific purpose. It's not often that he/she will want to prepare software for another user. This means that the computer will very often be used as a typewriter, a device where data can be easily stored and updated, a way of setting out documents etc., but much less often as a means of developing new software. That is why there's not much difference between the types of software installed in individual computers. It's mainly by means of these executable files that computer viruses spread. These include files with .EXE and .COM extensions as well as those with .SYS and .OVL extensions. We don't need to consider boot viruses here because they automatically cease to be a threat once Rescue-M is installed. Most dangerous of all are viruses of a destructive character (which erase a disk, for instance) or direct re-writing viruses (which instantly replace part, or even the whole, of the host program with its own virus code, causing irrepairable damage). When you look at the structure of data and the programs in a computer from this point of view, it's clear that it's mainly executable files that need to be guarded from virus infection. They're the ones that viruses can use as vehicles to multiply throughout the system. The basic selection, therefore default and present at the time of manufacture, will be according to this mask: *.EXE, *.COM, *.SYS and *.OVL. If certain outdated types of program are being used, which write on their own executable part as part of their normal activity, that will have to be taken into consideration, and these programs excluded from protection. If they were placed under protection they would be prevented from making this sort of entry, even though it is part of their function, but this sort of problem has never been very common. To exclude the programs from protection is possible with the installation program INSTALL by selecting menu item "Choice of Manual protect selection". The program will be described in further. Programs which write onto their own *.EXE or *.COM configurations will be excluded from protection. Some programs write onto their own .SYS or .OVL files. It's not very common but cases do occur. The well-known COREL V.3.0 software, for instance, incorporates the CORELDRW.SYS. file, but, as far as we know, this is the only such case among the software presently marketed by Corel, and this SYS file is actually a text file, not a driver. If a program writes onto its *.SYS or *.OVL files as part of its activity, then these files cannot be placed under protection. If anyone, such as a program designer, ever has to work with unprotected .COM or .EXE type files, or other similar files, he/she can do this by opening a separate directory where the unprotected files can be lodged (but kept under protection elsewhere). Again, the easiest way how to do it is to use the installation program INSTALL, described bellow. A working directory is formed, in which all files are left unprotected. The next time the system is started, or the next time the resident AV program is activated, all new files which are suitable for this selection mask will be brough under protection (unless they are part of the directory mentioned above). Selection is made with this command: UNSEL\path\directory_name\*.* in the AVCMD.DAT file or with the help of the INSTALL installation program, which will modify AVCMD.DAT automatically. Now it's the turn of data on disk. These can become the target of destructive viruses which might, for instance, erase the disk, but virus attacks can also be aimed at particular data editors or text editors. There's a method used for these files which is elegant, proven and effective. For each application, compiling or using data, two sub-directories are formed: WORKING and BACKUP. Every time you finish work, place all data in the backup directory, where it should be placed under protection with the command: SEL\path\BACKUP\*.* In this directory nothing can destroy your data. The situation might look something like this: C:\ PARADOX WORKING BACKUP Before starting the Paradox, always copy all data files into the working sub-directory, and when work is finished put it back in the backup directory. It's best to work with two sets of data and record them into the working directory alternately. In this way a virus can, at worst, only destroy the most recent changes and the whole package in the backup directory will remain untouched. Using a .BAT file, data can be manipulated in this way completely automatically. For instance: @ECHO OFF CD\PARADOX\WORKING COPY C:\PARADOX\BACKUP\*.* CD\PARADOX PARADOX.EXE C:\AVIRLOCK\AV I D F/ODMKPAR.DAT CD\PARADOX\BACKUP COPY C:\PARADOX\WORKING\*.* CD\PARADOX\WORKING DEL *.* C:\AVIRLOCK\AV I D F/YAMKPAR.DAT If a virus has gotten into the memory when you've been working with Paradox it will reveal itself the first time it tries to replicate or cause any damage. If any working data is erased the user will know about it straight away, and he/she will also be immediately alerted if it tries to alter or erase any other file. We may say to data protection finally: THE MOST VALUABLE THING INSIDE YOUR COMPUTER IS ITS DATA That is why you should follow the procedure set out above and observe these principles: l. Obtain the original MS DOS system diskette. 2. Enter the system into your computer from the original diskette, format the disk, and then install the operating system. 3. Install Rescue-M protection with all its automatic guards. 4. Install some software you've already used and carry out a new activation of Rescue-M protection. (You can be sure that the computer's system is clean.) When re-installing, perform calculations of the CRC control at its maximum extent and enter all files which are run from AUTOEXEC.BAT or CONFIG.SYS into the automatic CRC control (during each boot). 5. Always carry out a hard reset before starting an application working with protected data or texts, and as soon as you've begun, start the batch file, *.BAT. In this way you will remove the risk of a resident virus remaining in the memory when any game or program is started from a diskette or an unprotected program on the disk. 6. When Rescue-M protection is fully operative and all protected files are locked (included under protection), you can do whatever you like on your computer. 7. If you observe points l - 5, you can be quite sure that your data are safe. 8. Add the hardware part HWLock to the system Rescue-M. The boot viruses will be no more problem for you. 4. COMPATIBILITY The antiviral system RESCUE-M is compatible with DOS operating system v 3.3 or higher. All hardware is supported. Hardware supplement HWLock The hardware card will only cover AT BUS (IDE) disks. We don't recommend that the hardware HWLock be installed on other types of computer without previously consulting a dealer. It is possible for problems to occur even with the computers mentioned above. In this case, please consult the "Problems" chapter, and if you can't find the answer to your questions there, you'll need to obtain advice from a dealer. 5. INSTALLATION of RESCUE-M SYSTEM 5.1. Installation of hardware HWLock The installation of hrdware card into computer is easy. The first step you have to do is opening of your computer case (after its disconnecting from the power supply, of course). Now select a vacant slot and put the card into it. The keys on card unable its turning. Then close ans screw up your computer case. Now, if you have finished the installation of the hardware card into any of free slot of your computer successfully, the second part of installation and new era of perfect safety for you are starting. Now you are quite safe from boot viruses and the whole disk(s) is protected against any writing in the moment of start. Any further actions you must do when protection is umlocked till the complete installation of AV driver will be made. 5.2. Automatic installation with default selections Once you've read everything mentioned above, concerning choice of files and other considerations, and you don't need any special detail choices for file protection, you can go straight on to automatic installation with the help of the INSTALL installation program. The antiviral protection will be installed with default filters for selection and it will safely protect your system till you decide to optimalize your settings for your specific needs. The antiviral system Rescue-M always install on faultless disk without any cross-linking files and without any lost clusters. That is why, before installation, check all files and directories on the disk with the SERVICE program (with command SERVICE /t C:). If some errors will appear, it is necessary to repair them by the SEVICE program (with command SERVICE /T C:), the CHKDSK program or the Norton Disk Doctor. Then you can go on to the installation itself. Check that there's at least 500kB of free space on the target disk. Put the installation diskette into any drive and start the INSTALL program. C>A: <ENTER> A>INSTALL <ENTER> or C>A: <ENTER> A>INSTALL J <Enter> Parameter J causes the searching the disk configuration (the distribution of logic disks on physical media) by another method. Both variations will give roughly the same results, parameter J is necessary only when certain types of CACHE or disk drivers are used. But it wouldn't have to distinguish logic disks properly as long as the physical disk contains some non-DOS sections. If you're using an aggressive CACHE with, at the same time, a DOS disk containing some non-DOS sections, you will have to disconnect the CACHE and install RESCUE-M without using parameter J. Introductory Panel The "Introductory Panel" will be displayed on the screen after running the INSTALL installation program. Logic Disks Information about disks found in the computer will be shown in the topmost window of the Introductory Panel. Rescue-M hardware part can be used to protect any disk marked "HWL". If the information on logic disks isn't correct, use (or not use) parameter J. Options for install In the bottom of Introductory Panel you can see window "Options for install". From here you may select the basic options. Items can be switched using arrow keys or by clicking the left mouse button, and activated by pressing ENTER or a double click on the left mouse button. Target Directory The first item in the "Options for istall" window shows "Target directory". By setting the cursor at this item and pressing ENTER you can edit the target directory and enter any directory name in any disk. Previous Installation The second item, "Previous Installation", indicates whether or not any earlier installation has been made. With the ENTER key you can modify any previous installation found or just ignore it, which means that it will be over-written with new data. Setup for ... The third item is "Setup for...". The default setting can be changed between "Operator", "User" and "Programmer" by pressing the ENTER key. By pressing F6 you can see this setting in the window "Options setting". Move the cursor to the required line with arrow keys and press the ENTER key to change its setting. This is the setting that we recommend for the first installation: - Modify AUTOEXEC.BAT, CONFIG.SYS YES - Guard the number of locked files YES - Write protect of ALL FAT COPIES - Single write protect override NO - Continue after error YES Key Fl can be used to obtain help for each of these items, and we suggest you make use of it. The bottom line of the screen shows short help for further commands. When you've made all the changes you require, the ESCAPE key will return you to the original "Options for install" window. Manual protect selection The fourth item, "Manual protect selection" will be explained in detail in later chapters, as this goes beyond what we call automatic installation. Automatic Installation The fifth item, "Automatic Installation" is for when quick installation is being made by the computer's normal user. Press the ENTER key to start the installation of Rescue-M on disk with default settings. This means that files which suit the masks *.COM, *.EXE, *.SYS, *.OV* and in installation directory also *.DAT, will be brought under protection. CONFIG.SYS in root directory isn't included into protection. AUTOEXEC.BAT and CONFIG.SYS will be modified automatically according to the setting with F6 key. It means that the protection will automatically activated whenever the computer is started. If your computer has a 386 procesor with drivers set at DEVICE=HIMEM.SYS DEVICE=EMM386.EXE then the AV.SYS driver will be installed into CONFIG.SYS in the form: DEVICEHIGH=AV.SYS <Memory_size_hex> ,HELP Otherwise the AV.SYS driver will be installed as REM and, when activated, the resident kernel of the AV.EXE. program with dynamic table memory allocation is lodged into memory. The AV.EXE call is placed in AUTOEXEC.BAT as CALL C:\path\AVACT.BAT. If you want to use the AV.SYS driver, it's enough just to delete REM in the CONFIG.SYS. NOTE: The CONFIG.SYS file is under protection, so that it has to be unlocked (KEY U) before it can be modified. Then, when later actions have been saved, the protection should be re-activated (for instance with a reset). While automatic installation is taking place, the system areas of the disk will be placed under protection, the data file AVCRC.DAT is generated for CRC checking of IO.SYS, MSDOS.SYS, COMMAND.COM and AV.EXE files each time of the activation, and the AVBOOT.DAT file is generated for BOOT and MBR checking during each activation. It is also advisable to watch the bottom status line which will change according to activity in the "Installation Options" window, offerinf further commands, hints or help. In this way automatic installation of RESCUE-M will have been carried and the protection will come into effect the next time the computer is booted. When the computer's boot is started, the protection will be activated as follows: As soon as the current is switched on the entire disk will be automatically write-protected, including from boot viruses (in case that the hardware part HWLock is used). When CONFIG.SYS is executed, AV.SYS will - or will not, according to the setting - be placed in memory and room will be allocated for the table. The whole disk is locked the whole time. When AUTOEXEC.BAT is executed, AVACT.BAT file will be called up and the CRC check of IO.SYS, MSDOS.SYS, COMMAND.COM and AV.EXE files will be done. Then the BOOT and MBR will be checked. Any changes since the last time the INSTALL program was installed will be announced. The number of files under protection will be checked (if this is switched on), as if this number has changed it could indicate the presence of a companion virus. If everything is as it should be, the table will be formed and placed in memory, either for the AV.SYS of for the residential kernel AV.EXE. In this way the protection is activated and there is no access to protected files either to infect them or to modify them. This also means, of course, that they cannot be erased or moved. The remaining parts of the disk are just freely accessible. If no unauthorized attempt is made to interfere with the protected files the user will simply not be aware that the protection is active. 5.3. Installation with interactive selection of protected files using the INSTALL installation program The first time the INSTALL installation program is started, it must be done directly from the distribution diskette or a write protected copy of it. From then on, when it's used to update data files or to change the selections, INSTALL can be started from the directory given for this protection (where it was first moved to). Before installation, check all files and directories on the disk with the SERVICE program (SERVICE /t C:). If some errors will appear, it is necessary to repair them by the SEVICE program (with command SERVICE /T C:), the CHKDSK program or the Norton Disk Doctor. Then you can go on the installation itself. Check that there's at least 500kB of free space on the target disk. Put the installation diskette into any drive and start the INSTALL program. C>A: <ENTER> A>INSTALL<ENTER> or C>A: <ENETER> A>INSTALL J <Enter> Parameter J causes the simplier searching the disk configuration (the distribution of logic disks on physical media). Both variations will give roughly the same results, parameter J is necessary only when certain types of CACHE or disk drivers are used. But it wouldn't have to distinguish logic disks properly as long as the physical disk contains some non-DOS sections. If you're using an aggressive CACHE with, at the same time, a DOS disk containing some non-DOS sections, you will have to disconnect the CACHE and install RESCUE-M without using parameter J. The "Introductory Panel" will be displayed on the screen after running the INSTALL installation program. The topmost window of the Introductory Panel "Logic Disks" shows information about disks found in the computer. Rescue-M hardware part can be used to protect any disk marked "HWL" here. If the information on logic disks isn't correct, use (or not use) parameter J. The installation should follow the next steps: Step 1 - Introductory Panel The first thing displayed will be the "Introductory Panel". The options offerd here were described in part Automatic Installation. To start with, we suggest you let the default setup, select the item "Automatic Installation" and continue by pressing the ENTER key. More advanced users can select the item "Choice of Individual Disks for Protection" and continue by pressing the ENTER key. We suggest you set "Intended for..." at "User". This item can be changed in any time with a window called by pressing F6 key. You've now been transfered to the "Installation Panel", and if you're happy with the default selection now offered you can finish installation with key F2 and go on to step 6. If you want to change these default values, go on to the following step. Step 2 - Installation Panel You can decide whether to have protection on or off for a given logic disk directly from the "Installation Panel" in the "Action" window. Turn protection on or off with the ENTER key (or a mouse) for any line (1 to 5) requested in the "Action" window. Lines which are switched on are marked with a tick. If you're happy with the automatic choice of files to be protected, you can finish installation with key F2 and go on to step 6. If not, go on to step 3. Step 3 - Global Selection Activate the required disk using arrow keys or a mouse (activated disk is highlighted), select the required line of menu and make your choice of files with F9 key. For instance, choose the first line "File protection" of menu for disk 'C' and press F9. After a short while, the current directory tree of disk C will be shown on the left hand side of the screen and the choices (actions) located in the root directory will be written out on the right hand side. The default selection is: SEL TREE *.COM, *.EXE, *SYS, *.OV* (and *.DAT in installation directory). A different action could be shown on the right hand side of the screen if you move the cursor in the left menu "Tree" to a different directory, but in this case the "Action" field will be default free. If you need to protect, say, all .TXT files in the ARCHIV directory from being re-written, select this directory in the menu "Tree" and press ENTER. When the dialog window appears, you should first erase the default offer with DEL or BACKSPACE keys and then write your own selection command "*.TXT". Check the type of action - it maust be SEL, and where it will be applied (switch on DIR). When you press ENTER key, the newly entered action will connect up with the given directory ARCHIV. This directory will be marked in the menu "Tree" with a square. This procedure can be repeated until all requests lodged in the selection have been carried out. If a faulty action was lodged anywhere you can transfer to the menu "Action" on the left hand side of the screen by pressing the TAB key or a mouse and erase or correct that line. When you're happy with the selection you've prepared, press F2 to enter your selection and you can go on to step 5. If not, you can make use of "Detailed selection" described in the next stage. Step 4 - Detailed Selection If you need to see which .COM files have been selected for protection, for instance, select the root directory in the menu "Tree" with the curzor and press key F9. The dialog window, with the filter for detailed selection, will be displayed. Here, you can let the default filter, *.*, as it is, applying to the TREE, and confirm the information shown with the ENTER key. When the detailed selection has been prepared, a detailed menu will appear in the center of the screen. Those files in the list which have been selected for protection will be marked with "***". Position the cursor at file selected originally, and press ENTER. This file will be de-selected and its indicator disappear. The same can be done with many files in either direction. ie. you may select or de-select the file with ENTER key. Confirm the detailed selection with key F2. Selection has now been completed, and the newly formed commands will appear in the global selection in the "Action" menu. A new square will appear by this directory in the "Tree" menu. Step 4 can be repeated on this or other directories, or the action can be re-adjusted following the procedure described in step 3. When you judge selection to have been completed go on to the next step. Step 5 - Completing Selection Confirm that your selection of files is ready by pressing key F2. The selection action will be saved and control will return to the "Installation Panel". Now, either compile another set of files to be protected, perhaps for another logic disk, or repeat step 3. Or else you can end installaion with step 6, which follows. Step 6 - Finishing Installation Press F2 while the "Installation Panel" is showing, to confirm that your selections are correct. The program will start to prepare all the requested files and other files necessary - in particular the CRC for extensive checking. This can last several minutes, especially if you've selected very large files or you're using a slow computer. You can see how far the calculations have progressed in the CRC window, showing which files have just been treated. 5.4. Recovery diskette Once installation has successfully taken place, first reset the computer and then insert a formatted, blank recovery diskette into drive A:. Then start the newly formed AVSAV.BAT file. If system files are accesible, a boot diskette will be formed with your DOS version. Further, the other files needed for recovering the system areas of the disk, if necessary, will be placed on this diskette along with certain service programs. According to your disk configuration, you can also add other useful programs (for instance drivers) manually. Once this diskette has been completed, make it write-protected and store it. While the AV program is being activated the checks ordered will take place and the operational protection on selected files will be activated. Note: In case that any of files under CRC protection will be updated, or in case of re-formattig of disk with protected boot sector, the AV program will announce the change while activated. You have to repair the data files for REscue-M protection. The easiest way how to do it, is to use the batch files AVACTUPD.BAT and AVCRCUPD.BAT. After such a update of check files you must update also the recocery diskette. Again you may use the batch AVSAV.BAT. 6. FURTHER INFORMATION We recommend to all users to install the memory driver EMM386.EXE which, used in conjunction with HIMEM.SYS, will make it possible to install the AV.SYS driver in the high memory as DEVICEHIGH. Installing EMM386.EXE also has some other significant protective features. INSTALL EMM386.EXE If you use a black and white monitor, the INSTALL program can be started with parameter M: INSTALL M for monochromatic regime. It is suitable to generate a backup diskette of the software. It is suitable to generate the recovery diskette with executing of AVSAV.BAT file, that was generated by the INSTALL program. When RESCUE-M is installed from a diskette, certain BAT and DAT type files are formed in the target directory. These files contain commands for necessary actions and data for them. Form the recovery diskette in this way: insert a formatted, blank diskette into drive A:. Then execute the AVSAV.BAT file. The program will form the recovery boot diskette and it record AV.EXE, RESTORE.EXE, SERVICE.EXE programs and AVBOOT.DAT a AVCRC.DAT files on it. If any serious disturbance to the system areas of the disk occurs, and even if disk becomes inaccessible by normal methods, the RESTORE.EXE program can be used with the AVBOOT.DAT file to renew the entire disk, including its logic parts. The CRC checks, calculated for the above mentioned files, are contained in the AVCRC.DAT file. Each time the computer is booted these files are checked and any discrepancy announced. The AVACT.BAT file will activate the protection, ie. calculate the tables anew and carry out other checks. In calculating the tables it makes use of information lodged in the AVCMD.DAT file which has a structure very similar to DOS commands and can be freely modified, using an ASCII editor, as needed. The AVACTUPD.BAT file is used to update the data file .DAT if the user has made any deliberate changes to the disk, such as re-installing the operating system, when the CRC check, BOOT/MBR and COMMAND.COM are changed. If any protected file needs to be relocated or erased you should first use the KEY.EXE program which will allow you to unlock the hard disk and disconnect the resident guarding program. Once service has been completed you should run AVACT.BAT (if AV.SYS is installed) or reboot the computer. Further detailed information - enabling you to make more effective use of RESCUE-M even in the most demanding software and hardware configurations - can be found in the Operating Manual. 7. PROBLEMS In this chapter we try, briefly, to explain some of the problems that might come up while using or installing RESCUE-M, considering the wide range of software now in use. 1. We recommend to locate the command for installation of protection as the first in AUTOEXEC.BAT file. The problems with some network drivers may occur. That is why sometimes it is useful to call the AV resp. INSTALL program before some network drivers are installed. The protection is compatible with all common networks, but it must be called before the installation of network drivers into memory. 2. Windows There's a new version of Windows 3.1 now being distributed: SMARTDRIVE. It installs itself automaticaly so that it caching of writing. If it's protected from being written on, this will be announced in the top left hand corner of the screen, and the traditional DOS announcement won't appear. This cache is unfriendly in that it won't allow any entry on the disk to be cancelled, and the user has either to free it or restart the computer. The solution is simple - use a different cache or install this one without caching of writing, as explained in the its instructions. 3. CORELDRW v3.0 The program writes onto file CDCONFIG.SYS while running, which therefore has to be removed from protection. For the same reason there's no point in having the CRC check it. 4. CFG A significant part of programs use for writing of new adjustments the files with CFG extension. These files have to be removed from control, as they ought not to be write-protected. The protection program would announce an attempt to breach protection each time a configuration was written. 5. PCTOOLS The PCTOOLS program makes some accesses on disk and some function without using the DOS support. That is why it may occur a collision its functions with the antiviral protection Rescue-M. The user may eliminate it when he set Rescue-M to protect both copies of FAT tables. The collision will occur during the use of the DELETE command or MOVE command. DON'T USE for cancelling of these commands "X", but use the command "IGNORE". The IGNORE command will finish the breach of protection correctly, even if it is necessary to repeat it sometimes. This problem is only an inner thing of the PCTOOL program and if you use, say, NORTON Commander or Windows, these problems don't arise. 6. Signs of Unauthorized Writing. When you start a program and you are warned that an unauthorized attempt to write is being made (an auditory signal 'La Cucaracha' with a visual warning on screen, showing that something is trying to write onto a protected file), use the SERVICE program: SERVICE /e C: (function "Write out exceptional events") The unauthorized writing warning can even be made when the SERVICE program is started. If so, this is no cause for alarm, as even if protection has been temporarily removed there's no possibility of the illicit entry being made. There's a virus you've just allowed into the computer's memory trying to attack the program, but it certainly won't be successful as long as you don't make this possible by using the override. In this way you can find out either which file the virus is trying to attack, or which file that the program you've started wants to write on, in the course of its work, and which ought not to be under protection. If the writing is to be made somewhere that couldn't even have a chance connection with the program running, then this program is infected with a direct action file virus. If the writing is to be made on a running (and protecteed) program, then it could be a resident virus trying to infect it. If so, the virus has probably also tried to infect the SERVICE program, in which case, see the previous paragraph. It's best to test this possibility by running a few other protected programs and observing what announcements of the protection are made. The virus in the computer was probably activated from the previous program; if it was started from a diskette, then that's a lesson for the next time; if it's already on disk, then it should be removed immediately. It's enough just to re-boot the computer and everything will be back as it should be. If there's no resident virus revealed (if, for instance, other programs don't announce a breach of protection or the situation repeats itself even after the computer has been re-booted from a protected, sealed recovery diskette), it could be a program that keeps certain data in its own body (EXE). This is not at all likely but there are commercial programs of this sort in existence. The configuration will usualy write itself out only after an explicit command, and never automatically when it's started. If this is the case, this program will have to removed from protection. If the breach of protection alarm is not made immediately, but when program has been running for a certain time, when certain actions are made which could call up the entry, then it's certainly the case as described in the last paragraph and the SERVICE program will help you to find the affected file and remove it from protection. 7. Data Files for AV For maximum safety it's best to include all files with a .DAT extension iffrom the AVIRLOCK directory (or whatever directory you've installed RESCUE-M in), and perhaps even the AUTOEXEC.BAT file, too, under write-protection. In this way, you can be sure that no virus can put your protection out of action. If AUTOEXEC has to be moved or adjusted, you can do this using the override or by switching protection off, using the KEY program. 8. CRC Check of the AV Program It's best to let the AV.EXE program be checked automatically by the CRC. This program has not been designed to check itself because STEALTH viruses can easily outwit any check that's too simple, and this sort of thorough check at the low level needed is just what the CRC does. 9. FAT Damage If any attempt is made to write onto a protected file or area, either by a virus or by the user, this can result in a fault in the allocation table (FAT). A certain part of the new allocation, working with an unprotected area, can be written onto the disk before this operation is interrupted by the attempt to write onto one that is protected. This certainly doesn't mean that the protected files have been damaged. The CHKDSK system program with the paramater /F or the SERVICE program, which is a part of this package, will put everything back in order. Or the Norton Disk Doctor can also be used. l0. Entry into interrupt l3 When starting the computer or when the AV is activated, the announcement "Entry into int 13 doesn't match..." might be made. This could mean that: a) Software has been installed on non-standard hardware and entry point to int l3 does not have the usual adress. b) The some kind of software that installs itself into memory at the same time as the Boot sequence has been used. This could be, for instance, a password that protects the computer from access by unauthorized persons, or something similar. c)The computer has been attacked by a boot virus, concealing itself in the same way as the software mentioned above. The AV program guards access to int l3 and if it can't be found at the adress expected this problem will be announced to the user. This protective action is very important as it ensures that no false data about where the required writing should be made can be smuggled through to the protected program. Without controlling access to int l3 the computer cannot be effectively protected. If the user is sure that access to int l3 is being used legitimately, using the password RESCUE-P, for instance, he/she can save the new adress of entry point for int l3, influenced by this program, by starting the updating batch AVACTUPD.BAT. In this way the address saved will be accepted and a warning announcement will again be made each time any change is made to it.