Text File | 1991-11-14 | 18KB | 396 lines
DISKSECURE version 1.15
Hard Disk Protection Program
Copyright (c) 1990, 1991 by Computer Security Plus Inc.
All Rights Reserved
I - Why low-level protection ?
II - What is DISKSECURE ?
III - How is DISKSECURE Loaded ?
IV - How is DISKSECURE Removed ?
V - Malicious Software (viruses) and DISKSECURE
VI - Return Codes
VII - Licensing
Appendix A - FlopSec.EXE
Appendix B - Hidden Sectors
Appendix C - Other Files
I - Why Low-Level Protection ?
Today there are many anti-viral software products available
for the IBM-PC (and clone) platform running MS-DOS, OS/2, and UNIX but
nearly all are invoked following load of the operating system (usually
from CONFIG.SYS or AUTOEXEC.BAT in MS-DOS). In many cases this is too late
for effective protection from common boot sector infectors (BSI) such as
STONED, JOSHI, or the MUSICBUG. In the case of the "stealth" variants,
even state-of-the-art anti-virus routines such as the McAfee programs
must rely on detection of a viral signature in memory rather than
detection of infected files.
At the operating system level, too many extra programs have been piled
upon the basic disk access routines to be able to reliably separate the
actions of legitimate drivers and TSRs from the activity of malicious
software.
There is a point at which executable code may be placed that
will always be executed during the boot of a hard disk when the low
level activities have not yet been masked - during the execution of
the partition table. At this point the organization of a PC is defined
according to the IBM BIOS specification. In most cases this structure is
impossible for malicious software to subvert without causing a detectable
change. As of March, 1991, there are no known boot sector or partition
table viruses that can bypass detection at this level.
Additionally, there are many access control packages available
that provide strict control and full encryption of systems. DISKSECURE
does not attempt to do this, rather it is intended as a simple, unobtrusive
primary access control mechanism that does not require administration,
and which may be installed/removed/modified with a simple menu-driven
interface.
II - What DISKSECURE Does
Simply put, DISKSECURE replaces the partition table on
a hard disk with its own code. The necessary elements of the original
partition table are stored on an unused part of the disk and presented
to the authenticated operating system as required. Unauthorized boot
programs (such as the BRAIN, STONED, or AZUSA viruses) will not be
able to access the partition table as expected.
DISKSECURE has multiple elements: three are contained in the file
DISKSEC.EXE supplied with this document. The first is an interactive
installation/maintenance/removal module that allows the user to activate,
change, or remove DISKSECURE from a hard disk. The second is a replacement
for the hard disk partition table that performs load-time checking, prevents
DOS access to the hard disk if booted from a floppy, and contains the
password access routine if implemented. The third element is a resident
protection program that takes up 1k of RAM memory and protects the partition
table, hidden sectors, and boot sector of a conventionally partitioned hard
disk.
Once loaded, DISKSECURE will prevent access to the fixed disk from
DOS if the resident portion of DISKSECURE is not in memory. If password
access has been invoked, this password must be given before DISKSECURE will
become resident, allow the OS to load, and before DISKSECURE can be changed
or removed.
Other elements of DISKSECURE include an automated installation
program (DSINSTAL.BAT) - installation may be done manually if desired,
a program to verify proper operation of DISKSECURE (CHKSEC.EXE), and
a program that will allow creation of a compliant bootable floppy disk
for maintenance purposes (FLOPSEC.EXE).
III - How DISKSECURE is Loaded
The modification program may be loaded either from the fixed
disk or from a separate, bootable floppy (recommended). It is designed
to recognize if DISKSECURE is resident, will make many checks to
ensure the integrity of the program, and will warn the user of anything
unusual that it finds.
The DISKSEC program is invoked by executing from either the DOS
prompt (automatic installation from other OSs is not yet available) or a
batch file (DSINSTAL.BAT). DISKSECURE will check the number of fixed
disks present and verify this with the user before proceeding. Following
this, DISKSECURE will require the user to input a password if this
additional protection is in use before proceeding. At this point, a
first-time user will be presented with a warning message before the menu
is presented. The user may then select a choice from the menu (the menu
will change to accommodate the state of DISKSECURE in the system).
During installation, the user will be asked to save the partition
tables to a file (default: DSPART.COM). This file should be copied to
a known clean, bootable floppy disk. If all else fails, the system may be
booted from the floppy, and DSPART executed. Even if the disk is
unrecognizable by DOS, this will replace the partition table. WARNING: if
this file is executed on a machine other than the original or the partition
table has been changed by repartitioning, all data on the disk could be lost.
Where multiple machines are to be protected, it is suggested that
each machine have a unique and identifiable recovery disk and DSPART.DAT
be renamed to identify it with each creating PC.
Should it be necessary to repartition a disk or upgrade the operating
system, the simple removal procedure must be followed first, as
DISKSECURE will trap any attempt to write to the MBR, hidden sectors,
or the boot record.
Also provided is the program CHKSEC.EXE. This will allow the user
to check if DISKSECURE is in memory - on activation, nothing will return
if DISKSECURE is not active - the DISKSECURE logo will display if it is
active. An errorlevel of (0) will return if DISKSECURE is not found and
(1) if DISKSECURE is resident.
Additionally, the program FLOPSEC.EXE will allow the user or
custodian to convert an ordinary bootable floppy into one that may be
used to bring up a DISKSECUREd system without the normal device drivers
for maintenance or defragmentation purposes. See Appendix B for details.
Note: After activation, if booted from a floppy DOS will not recognize
the hard disk(s) and, if additional removable media are present,
DOS may recognize them as the C: drive. This will not affect
the operation of DISKSEC.EXE nor will it endanger the data on the
fixed disk. If DISKSECURE is removed, on the next boot the fixed
disk(s) will again be recognizable by DOS from a floppy. They will
always be recognized when booted from a DISKSECURE floppy disk so
long as DISKSECURE maintains validity. Should the DISKSECURE floppy
register an error, the DSPART file on the recovery disk should be
used to restore the disk and the system should be immediately
checked for a malicious attack.
Use of the DSPART.DAT file as outlined above from a standard DOS
bootable floppy will recover the disk even if DOS reports the
disk unavailable. On the next boot, the drive will be again
accessible, however DISKSECURE will have been removed and must
be re-installed to restore protection.
IV - How DISKSECURE is Removed
In the event that it is necessary to remove DISKSECURE from a PC,
the best way is to utilize the DiskSec.EXE program either from the
MAINTENANCE floppy, or from the c:\ds directory. When DS is resident, the
program will detect this and modify the menu to include a REMOVE option.
If a password is in use, it will be necessary to provide this also.
If the disk should become corrupt, the DSPART.COM program on the
RECOVERY disk may be used for an emergency recovery of the low levels after
which the machine may be rebooted and conventional recovery tools used.
While effective, this should be used only as a "last resort".
V - Malicious Software and DISKSECURE
DISKSECURE is a software program. Consequently, even though it
is the first software loaded from a fixed disk it CAN be infected or
damaged, should an inadvertent boot from an infected floppy disk take
place, even though DOS will not recognize the fixed disk. Only hardware
in the form of a ROM extension or custom BIOS can prevent this.
What DISKSECURE can and does do is to recognize immediately
when it is loaded that an infection has occurred, display an error
message as listed below, and refuse to proceed with the boot process.
This information can be used by a technician and DISKSECURE booted from
a clean floppy to determine what has happened.
Additionally, certain destructive viruses (such as AZUSA) can
destroy DISKSECURE. In this event, the disk will be unable to boot and
the drive will be unrecognizable from a floppy. The use of DSPART.DAT,
stored on a bootable floppy, renamed DSPART.COM, and executed will
restore the partition table to a usable condition. In any event, the
attack will be immediately noticeable and containable.
DISKSECURE boot error messages:
VECTOR ERROR: Low-level disk access is not directed to the BIOS
(a virus or other BIOS intercept is present)
LOAD ERROR: Problem accessing the fixed disk.
MATCH ERROR: DISKSECURE has been changed or replaced in sector 1.
TABLE ERROR: Something is wrong with the original partition table.
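
One way a check of the VECTOR ERROR kind can be made, as an added example that is not DISKSECURE's own code (the page does not describe its method). It assumes a dump of the first 500h bytes of real-mode memory taken at boot; the ROM-range test, the base-memory comparison, and the sample vectors are assumptions of this example.

```python
import struct

INT13_SLOT = 0x13 * 4   # IVT entry: 16-bit offset followed by 16-bit segment
BASE_MEM_KB = 0x413     # BIOS data area word: conventional memory size in KB
ROM_START = 0xC0000     # adapter ROMs and the system BIOS occupy C0000h-FFFFFh


def int13_target(low_mem):
    """Return (segment, offset, physical address) of the INT 13h handler."""
    offset, segment = struct.unpack_from("<HH", low_mem, INT13_SLOT)
    return segment, offset, ((segment << 4) + offset) & 0xFFFFF


def vector_findings(low_mem, expected_kb=640):
    """List signs that disk access was redirected before the OS loaded."""
    findings = []
    seg, off, phys = int13_target(low_mem)
    if phys < ROM_START:
        findings.append(f"INT 13h -> {seg:04X}:{off:04X} is in RAM, not BIOS ROM")
    (kb,) = struct.unpack_from("<H", low_mem, BASE_MEM_KB)
    if kb != expected_kb:
        # A resident intercept usually hides itself by shrinking this value.
        findings.append(f"base memory reads {kb} KB, expected {expected_kb} KB")
    return findings


def make_low_mem(segment, offset, kb):
    """Build a constructed low-memory dump holding only the two fields checked."""
    mem = bytearray(0x500)
    struct.pack_into("<HH", mem, INT13_SLOT, offset, segment)
    struct.pack_into("<H", mem, BASE_MEM_KB, kb)
    return bytes(mem)


# Constructed samples: a handler inside the BIOS ROM, and one relocated to
# the top of conventional memory with the reported memory size reduced by 2 KB.
CLEAN = make_low_mem(0xF000, 0xEC59, 640)
HOOKED = make_low_mem(0x9F80, 0x0015, 638)

if __name__ == "__main__":
    for name, dump in (("clean", CLEAN), ("hooked", HOOKED)):
        print(name, vector_findings(dump) or "no findings")
```

The base-memory comparison is a heuristic: pass the size the machine is known to report when clean as expected_kb.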
Additionally, some malicious software (as well as some low-level
programs) may try to write to DISKSECURE protected areas on the disk. In
this case a message may appear on the screen "DISKSECURE TRAP: x" where x
indicates the trapped function. If this should happen during a legitimate
program, DISKSECURE will have to be removed and the machine rebooted before
the program will execute properly.
A DISKSECURE trap will occur on an attempt to write to any of the
"hidden" sectors as well as the first partition's boot sector, or an
attempt to format any sector on the protected disk(s). (Note: many OS format
programs do not actually "format" the disk; only low-level formatting,
such as that done by programs that set the interleave of a disk, may do this.
An MS-DOS 3.3 "FORMAT" will not trigger a DISKSECURE trap until it is nearly
complete, and information may be lost.)
Generally, this will only occur if a program attempts to change disk
interleave, boot record/partitioning, or on complete replacement of the
operating system (Central Point Software's COMPRESS and Peter Norton's
SpeedDisk are not affected; Peter Norton's CONFIGUR and MS-DOS FDISK are).
DISKSECURE cannot protect the FATs or Directory structure since
the user must be able to modify these. Other programs such as Enigma-Logic's
VIRUS-SAFE, Certus International's CERTUS, Fischer's PC-WATCHDOG, the
McAfee Programs, the Dr. Panda Utilities, Ross Greenberg's FLUSHOT, and
Fridrik Skulason's F-PROT exist for this function. DISKSECURE was created
to plug a hole that exists under the operating system so that a reasonable
expectation of a clean system can be had when the "C:\>" prompt appears, and
to prevent inadvertent disclosure of information to any person with a bootable
floppy.
VI - Return Codes
On termination (if not a reboot) DISKSECURE returns various error
codes to indicate the reason. These may be used by a batch file
for checking/corrective action, however DISKSECURE is primarily
a manual, interactive program.
DISKSEC.EXE
  user terminated codes
    code (hex)
     0   (0)   Program completed with no errors
     1   (1)   Following warning message
     2   (2)   Following TOM/COMPARE message - possible virus
     3   (3)   Following number of fixed disks message
     7   (7)   Following save to file request
  program terminated codes
    code (hex)
     8   (8)   No hard disk responding
     9   (9)   Disk access failure
    10   (A)   No active partition table located
    11   (B)   Error in sector one on disk - possible virus
    12   (C)   Active partition table not in proper place - possible virus
    14   (E)   No "Hidden Sectors" on disk (used early version of FDISK)
               or Changing MBR (see actual error message).
               See Appendix B
CHKSEC.EXE
     0   (0)   DISKSECURE not present in memory
     1   (1)   DISKSECURE present in memory
VII - Licensing
DISKSECURE is copyrighted material distributed both as individual
copies and on site/entity licenses. If received as SHAREWARE, the programs
may be used without license, guarantee, or warranty for fitness of any type
and at the user's sole risk for a period of not more than thirty days. At
the end of that time the program may be registered through payment for a
single copy of U$25 dollars which will place the registeree on a list of
approved users and entitle the user to receive support and upgrade notices.
In the event of dissatisfaction with the product, the sole liability
of Computer Security Plus shall be limited to refund of the registration fee
with no additional liability implied or accepted.
REGISTRATION
Name_________________________________________________________________
Address______________________________________________________________
City_________________________State or Country________________________
Zip Code or Postal Zone________________ Telephone ___________________
Where was product obtained from______________________________________
Number of Personal Computers to be registered________________________
Amount of Registration Fee Enclosed U$________________________________
(cheque or money order payable in US dollars within the United States)
Make payable to:
Computer Security Plus, POB 1203, Windermere, FL, USA, 34786
Appendix A - FLOPSEC.EXE
The program FLOPSEC.EXE is provided for maintenance purposes
to allow the user to create a bootable floppy disk without device
drivers such as disk caches that can interfere with defragmentation. To
use, simply create a bootable floppy disk (e.g. with DOS FORMAT using the
/s switch) containing the configuration and files you wish to use for
maintenance.
Once this is done, place the un-write-protected disk in drive
A: of the system that already has DISKSECURE resident (if it is not, the
program will terminate). Running FLOPSEC will then convert this disk
from a plain bootable disk to a DISKSECURE bootable disk. Following
successful termination, the disk should then be write protected and secured
in a safe or offsite location.
When desired, this disk may be placed in drive A: and the machine
can be re-booted into the configuration defined by the floppy disk.
Note: all of the DISKSECURE functions are active and, if the
machine is password protected, this must be entered before the boot will
proceed; the only difference is the provision for a different CONFIG.SYS
and AUTOEXEC.BAT configuration.
FLOPSEC has been designed to be compatible with any floppy disk
conforming to Microsoft FORMAT specification and having a 12 bit FAT.
It has been tested with 360k & 1.2 Mb 5 1/4 and 720k & 1.44 Mb 3 1/2 inch
disks. It should work with other conforming media but has not been further
tested.
Appendix B - Hidden Sectors / Mutable MBR
While all disk partitioning schemes since the release of PC-DOS
3.0 in early 1984 have aligned partitions on cylinder boundaries, very
early disk partitioning programs (e.g. FDISK 1.00) did not perform this
alignment. DISKSECURE relies on this alignment for installation and
protection, therefore the installation procedure verifies that no partition
violates this requirement.
Should such a disk be found on the system (DISKSECURE checks all fixed disks),
the installation process will terminate with the warning "No Hidden
Sectors...". In this case, it will be necessary to repartition the disk
using a later version of the partitioning software.
Note: It is possible to be running a later version of DOS or other OS
with a disk partitioned using the early scheme so the DOS "VER"
command cannot be used to reliably test for this condition. Peter
Norton's DI (DiskInfo) and other software will report the number
of "hidden sectors" on a disk. This value should be equal to the
number of sectors per track.
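
The hidden-sector test described in the note above can also be run against a saved copy of sector 1. The following is an added example, not part of DISKSECURE or of the original document: it parses the standard four-entry partition table, checks that the first partition has as many hidden sectors as there are sectors per track, and checks that any later partition starts on a cylinder boundary. The drive geometry, the sample images, and all function names are assumptions of the example.

```python
import struct

TABLE_OFFSET = 0x1BE  # four 16-byte entries; the 55 AA signature sits at 510


def parse_mbr(sector):
    """Return the in-use partition entries of a 512-byte MBR image."""
    if len(sector) != 512 or sector[510:] != b"\x55\xaa":
        raise ValueError("expected a 512-byte sector ending in 55 AA")
    parts = []
    for slot in range(4):
        off = TABLE_OFFSET + 16 * slot
        boot, head, sec_cyl, cyl_lo, ptype = struct.unpack_from("<5B", sector, off)
        hidden, count = struct.unpack_from("<II", sector, off + 8)
        if ptype:  # type 0 marks an unused slot
            # The top two cylinder bits are stored in the sector byte.
            cyl = ((sec_cyl & 0xC0) << 2) | cyl_lo
            parts.append({"slot": slot, "active": boot == 0x80, "type": ptype,
                          "chs": (cyl, head, sec_cyl & 0x3F),
                          "hidden": hidden, "sectors": count})
    return parts


def layout_problems(sector, heads, spt):
    """First partition must start one track in; later ones on a cylinder."""
    parts = sorted(parse_mbr(sector), key=lambda p: p["hidden"])
    problems = [] if parts else ["no partition defined"]
    for n, p in enumerate(parts):
        if n == 0 and p["hidden"] != spt:
            problems.append(f"slot {p['slot']}: {p['hidden']} hidden sectors, expected {spt}")
        elif n > 0 and p["hidden"] % (heads * spt):
            problems.append(f"slot {p['slot']}: start {p['hidden']} is off a cylinder boundary")
    return problems


def make_mbr(*entries):
    """Build a constructed MBR from (boot, (cyl, head, sec), type, start, count)."""
    table = b""
    for boot, (c, h, s), ptype, start, count in entries:
        chs = bytes([h, s | ((c >> 2) & 0xC0), c & 0xFF])
        # End CHS is left zero; the checks above do not read it.
        table += bytes([boot]) + chs + bytes([ptype, 0, 0, 0]) + struct.pack("<II", start, count)
    return bytes(TABLE_OFFSET) + table.ljust(64, b"\0") + b"\x55\xaa"


# Constructed samples: a 615-cylinder, 4-head, 17-sector-per-track drive.
HEADS, SPT = 4, 17
ALIGNED = make_mbr((0x80, (0, 1, 1), 0x01, 17, 20383), (0, (300, 0, 1), 0x01, 20400, 21420))
EARLY = make_mbr((0x80, (0, 0, 2), 0x01, 1, 20399))

if __name__ == "__main__":
    for name, image in (("aligned", ALIGNED), ("early", EARLY)):
        print(name, layout_problems(image, HEADS, SPT) or "layout ok")
```
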
Changing MBR
One other condition that DISKSECURE cannot cope with is that
a very small number of disk controllers write directly to the MBR at
intervals. This has only been observed on early XT hard disk units,
however the integrity of a DISKSECUREd disk's MBR must be maintained.
If discovered at load time, the installation process will issue a warning
and the installation will abort. If this should occur during a boot,
the MATCH ERROR termination will occur and the recovery disk should
be used to restore the disk. Re-installation should not occur until the
cause (viral or otherwise) has been determined.
Appendix C - Other files
DSINSTAL.BAT - a batch file to be used when installing DISKSECURE
from a floppy disk. It will create a directory \DS
on the C: drive, copy the files from the floppy
into that directory, patch the AUTOEXEC.BAT file
to include verification of DISKSECURE in memory on
boot (recommended but may be omitted), and invoke
the main program for installation.
DS.B - Batch file commands to be added to AUTOEXEC.BAT for
checking referred to in DSINSTAL.BAT
ASK.COM - 10 byte file for making .BATch files interactive. ASK
will wait for a keystroke and return an errorlevel
that may be used by an "IF ERRORLEVEL" construct.