home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Shareware Supreme Volume 6 #1
/
swsii.zip
/
swsii
/
111
/
FP-209.ZIP
/
SCAN.DOC
< prev
next >
Wrap
Text File
|
1993-02-03
|
11KB
|
182 lines
Virus scanning - how, why and when ?
F-PROT is able to find practically all known viruses, by a method known as
"scanning". This involves searching for a virus pattern or "signature" -
a sequence of bytes which is very unlikely to be found anywhere but in
this particular virus.
The virus signatures are stored in a file named SIGN.DEF, which must be
present in the current directory or the same directory as F-PROT.EXE.
The number of signatures contained in this file is not an indication of
the number of viruses F-PROT is able to detect, however - as most new
viruses are created by making small changes to older viruses, the same
signature can often be used to detect many different viruses.
Secure Scan, Quick Scan or Heuristic Analysis ?
F-PROT can use three different methods when scanning for viruses. The first
method ("Secure Scan") uses two different signatures for each virus. It
will also search for the signatures in a large block of data - usually (but
not always) located either at the beginning or the end of the file. This
improves the chances of detecting any virus which might have been created
by modifying an older one - any change might cause a signature to be
located at a different position within the virus, or it might even corrupt
the signature itself, but the chances of a single change invalidating both
of the signatures are practically zero.
"Quick Scan" is, as the name implies, a faster method than "Secure Scan",
but it is also less secure. This is because it only uses a single
signature for each virus, and to speed things up further, "Quick Scan" does
not spend time on an accurate identification of any virus it might find.
"Quick Scan" will just report a "Jerusalem" infection, while "Secure Scan"
might report an infection by the "Anarkia-2B" variant of Jerusalem, for
example. Most users are not concerned with the accurate identification of
any virus which might strike - all they want to know is if they have a
virus or not, and "Quick Scan" is almost as good at finding known viruses
as "Secure Scan". However, there are a few viruses, like MtE-Pogue, which
cannot be detected with a signature, and Quick Scan will not find those.
If you select "Quick Scan", you cannot select any disinfection, as it
requires an accurate identification, so the "Action" option is disabled.
As "Quick Scan" will not search for Trojans or user-defined strings, the
"Targets" option is disabled as well.
The third method uses a set of rules, instead of a signature database.
It is still only experimental, but its purpose is to detect suspicious
code. It is not foolproof - it will not detect all viruses and may easily
produce false alarms, so it should be used with care - not recommended for
the casual user. However - unlike the other two methods, it is not limited
to existing viruses or variants of them - it is equally effective against
new viruses. For further information on this method see ANALYSE.DOC
When you select "Scan" from the initial menu, a new menu will appear,
where you can select what to scan for and where to scan.
To change the setup you simply use the arrow keys to move to the option you
want to change and press Enter. A window will then appear showing the
available possibilities, and you select one of them.
The first option, "Method" is uses to select which search method (Secure
or Quick) to use, with "Secure" as the default.
The second option, "Search" is used to select on which drives and
directories F-PROT should search for viruses. The possibilities are
"Hard disk", "Diskette drive" and "Network", which should be self-explanatory,
and finally "User-specified". The last possibility applies if you only
want to scan a single directory, or perhaps just a single file. If a
directory is specified, all subdirectories below it will be searched as
well. The difference between selecting "Diskette drive A:" and selecting
"User-specified", and entering "A:" is that in the former case it is
assumed you might want to scan multiple diskettes, so after scanning each
diskette a report is given and you are prompted for the next diskette.
One note: If "Network" is selected, all network drives from C: to Z: will
be searched, so if several drive letters have been mapped to the same
physical directory, the same files might be scanned several times. The
default is to search the hard disk.
The third option, "Action" is used to specify what action should be taken
when a virus is found. The default operation is just to list the names of
any infected files, but F-PROT can also disinfect almost all viruses. If
you want disinfection, it can either be fully automatic, or F-PROT can
prompt you before it attempts to disinfect any given file. Sometimes
an infection cannot be removed, for example if the virus just overwrites
and destroys any file it infects, or in the case of a "first-generation"
sample.
A "first-generation" sample is the author's original copy of the virus,
and can only exist if the file has been obtained directly or indirectly
from him. Such samples are generally not found in the "real world", only
in large virus collections.
In those cases the only effective disinfection is to delete the file. It
is always safer to delete infected programs than to disinfect, so F-PROT
offers deletion as well - any infected file will first be overwritten
several times (just to make sure) and then deleted. You can select
automatic deletion or have F-PROT prompt you before it deletes a file.
Finally, an infected file can be renamed, and given the extension
.VOM or .VXE, so it will not be executed by accident, but you will still have
it around to study.
The fourth option, "Targets" is used to select the types of viruses to
search for. Normally one would like to search for all known viruses, but
in certain circumstances you might want to exclude boot sector viruses or
program viruses. For example, if you are cleaning up after an attack by
a specific boot sector virus, you might not want to search for program
viruses on every single diskette. F-PROT does normally not scan for
Trojans, only viruses, but this option can be selected, although it is
practically never necessary. The Trojans are much rarer than the viruses,
and not a serious threat, as they don't spread, except by deliberate
copying. In fact, the only place where most of the Trojans will probably
be encountered is in certain large collections of programs used to compare
anti-virus programs. As some of my competitors detect the Trojans, I added
this feature as well. You can also instruct F-PROT to search for special
user-defined signature strings, but this will slow the scanning down
considerably.
The fifth option, "Files" is used to select in which files F-PROT should
search for viruses. Most viruses will only infect normal executable
files, (.EXE, .COM and possibly .APP files) although some may infect
overlay files (.OV?) and device driver files (.SYS) as well. The default
operation of F-PROT is just to scan those types of files, but it is also
possible to select "All files" - this is advisable if you are cleaning up
after a virus attack - just to make sure the virus is not hiding in some
obscure overlay file. However, as this is quite time-consuming, it is not
recommended, unless you have actually found a virus when scanning just the
regular executable files. It is also possible to specify a set of file
extensions - for example adding .BIN to the default list.
If any of the options are changed from their default values, F-PROT will
ask if the changed values should be saved when you exit from the program.
If so, a file named SETUP.F2 will be created. This does not work if the
program is run from a write-protected diskette, however.
Starting the virus scan
When you have selected the correct options, you may start the scanning by
selecting "Begin Scan" at the top of the menu, either by moving the cursor
there, or just by pressing "B".
The small window at the bottom will display the name of the last file
scanned.
The scanning can be aborted at any time simply by pressing the ESC key.
When the scanning is finished, a summary is displayed. If no viruses or
suspicious programs were found, it simply says so, but otherwise a
detailed listing is produced when ENTER is pressed. This listing can be
saved to a disk or sent to the printer.
This report may say that a file has been packed by a program such as
KVETCH, PGMPAK, SHRINK or CRUNCH and can not be scanned. This is
generally not a cause for alarm, although a virus can be hidden in a
program by infecting it, and then running one of those file-packing
programs, which create a program which will unpack itself in memory when
executed. Some virus writers use this method to distribute their viruses,
but generally this only works for the first generation - second (and
later) generation samples of the same virus will not be packed. F-PROT
can scan inside most PKLITE, LZEXE, ICE, DIET and EXEPACK compressed files,
and support for the remaining compression program will be added in the near
future, if necessary. Please keep in mind that if a file is infected after
compression, the virus is always detected normally. Finally, F-PROT will
not scan inside self-unpacking archives, or .ZIP, .ARJ or similar files.
A note on disinfection
When a file has been disinfected it has usually been restored to its
original state before infection. In many cases the disinfected program
will have 1-16 additional garbage bytes at the end. Those bytes are added
by viruses, in order to make the length of the program a multiple of 16
bytes, before infection. As the number of those extra bytes cannot be
determined, they cannot be removed. Normally they will not have any effect,
unless the program checks its current length. In those cases it will
report an incorrect length after disinfection, and will have to be restored
from a backup.
Skipping the memory scan
Normally F-PROT will search the memory for virus signatures, and refuse to
operate if any active viruses are found. However, a false alarm is
possible, for example if an infected file has just been copied, and
portions of it are in an unused disk buffer. To skip the memory scan, run
the program with the /NOMEM command-line switch.