TBSCANX.DOC (from tbav503.zip) - Text File, 1992-12-29, 39KB, 1,201 lines
Thunderbyte resident virus scanner. (C) 1989-1992 Thunderbyte B.V.
Table of Contents
1. INTRODUCTION...................................... 2
1.1. Purpose of TbScanX.......................... 2
1.2. A Quick start............................... 3
1.3. Benefits.................................... 3
2. USAGE OF THE PROGRAM.............................. 5
2.1. System requirements......................... 5
2.2. Program invocation.......................... 5
2.2.1. Invocation in Config.Sys.............. 6
2.2.2. Invocation in network environment..... 6
2.2.3. Invocation when using MS-Windows...... 6
2.3. While scanning.............................. 6
2.4. Detecting viruses........................... 6
2.5. Testing for viruses......................... 7
2.6. Command line options........................ 7
2.6.1. help ................................. 8
2.6.2. off .................................. 8
2.6.3. on ................................... 8
2.6.4. remove ............................... 8
2.6.5. compatx .............................. 8
2.6.6. data ................................. 9
2.6.7. noexec ............................... 9
2.6.8. allexec .............................. 9
2.6.9. noboot ............................... 9
2.6.10. valid ............................... 9
2.6.11. secure ............................. 10
2.6.12. lock ............................... 10
2.6.13. verbose ............................ 10
2.6.14. ems ................................ 10
2.6.15. xms ................................ 10
2.6.16. herchalf ........................... 10
2.6.17. hercfull ........................... 11
2.6.18. cga ................................ 11
2.7. Examples:.................................. 11
2.8. Residence of the signature file............ 11
2.9. Error messages............................. 11
3. CONSIDERATIONS AND RECOMMENDATIONS............... 13
3.1. Solving incompatibility problems........... 13
3.2. Reducing the memory requirements........... 14
3.3. How many viruses does it detect?........... 15
3.4. Testing the scanner........................ 15
4. APPLICATION INTERFACE............................ 17
4.1. High-level control......................... 17
4.2. Low-level control.......................... 17
1. INTRODUCTION
1.1. Purpose of TbScanX
TbScanX is a virus scanner: it has been specifically developed to
detect viruses, Trojan Horses and other such threats to your
valuable data.
A virus scanner is a program that searches for a virus signature
that has been determined beforehand. Most viruses contain a unique
sequence of instructions, called a signature, so by checking for the
appearance of this signature in a file we can see whether or not a
program has been infected.
By searching all your program files for the signatures of all
viruses already identified you can easily find whether your system
has been infected and, if that is the case, with which virus.
Every PC owner should use a virus scanner frequently. It is the least
he or she can do to avoid possible damage caused by a virus.
By now already many virus scanners have been developed. The problem
with all these scanners is that you have to execute them. Suppose
you have the virus scanner automatically invoked in your
autoexec.bat file. If no viruses are found, your system is supposed
to be uninfected. But, to be sure that no virus can infect your
system, you have to run the scanner every time before you copy a
file to your harddisk, after downloading a file from a bulletin
board system, or after unarchiving an archive such as a ZIP file.
Be honest, do YOU actually invoke your scanner every time you
introduce a new file into the system? If you don't, you take the
risk that within a couple of hours all files are infected by a
virus...
TbScanX has a unique feature to overcome this tedious scanning.
Once invoked it will remain resident in memory, and AUTOMATICALLY
scan all files you execute, copy, download, modify, or unarchive!
The same approach is used to protect against bootsector viruses:
Every time you put a diskette into a drive the bootsector will be
scanned. If the disk is contaminated with a boot sector virus
TbScanX will warn you!
Probably you think that a resident virus scanner consumes much
memory, makes your system slow, and is a source of many problems.
But, if you already know our shareware scanner TBSCAN, you know
that this scanner can scan your files faster than any other
scanner. Also TbScanX achieves a lightning fast speed. Actually,
TbScanX is a lot faster, since it will not access your disk to scan
the files, because all files to be created or modified reside
already in memory! TbScanX just monitors every byte going to any
executable file on the harddisk.
The amount of memory used depends on the number of signatures. With
all features enabled TbScanX uses 10Kb of memory when scanning for
360 family signatures. If you enable swapping TbScanX normally uses
only 1Kb of memory. You can swap to EMS, XMS or even unused video
memory. Of course the remaining kilobyte of TbScanX can be loaded
in upper memory.
1.2. A Quick start
Although we highly recommend a complete reading of this manual, here
are some directions for a quick run of TbScanX:
Load TbDriver first if it is not yet loaded. Type "TbDriver" and
press return.
To load TbScanX type "TbScanX" and press return.
The invocation syntax is:
TBSCANX [<options>]...
For fast online help type "TbScanX ?" or "TbScanX help".
1.3. Benefits
By now many different virus scanners have been developed. However,
TbScanX has a number of important and unique advantages over other
scanners. These are:
TbScanX is fully network compatible. It does not require you to
reload the scanner after logging on to the network. Other
resident anti-virus utilities force you to choose between
protection before the network is started, or protection after
the network is started, but not both.
TbScanX can display its messages in your local language.
TbScanX offers the flexibility of a data file that can be edited
quickly.
As new viruses spread quickly there is often no time available
to continually adapt your own virus checker in order to make it
capable of recognizing each new virus as it appears. That is
why TbScanX uses a separate data file listing the signatures of
all known viruses. This file can be adapted quickly, possibly
by yourself. TbScanX supports, among others, the format which is
used in the file VIRSCAN.DAT. This file is regularly updated
and can be obtained through a lot of data banks.
TbScanX supports wildcards in the signature. Many viruses are
adapted and converted versions of existing viruses. Such a
modified virus - a mutant - is similar to the original virus,
but that part of the virus program which contains the signature
has often been changed. Most scanners will fail to recognize
the mutant unless the new signature has been incorporated into
the scanning program. TbScanX has been designed to approach this
problem differently: by replacing the modified parts of the
signature with wildcards TbScanX can still recognize mutant
virus activities. Hence all mutant versions of, for instance,
the Jerusalem/PLO virus can be discovered by TbScanX through
just one signature instead of the, say, 25 that several other
virus scanners require. This also explains why TbScanX uses
'only' 300 signatures but still detects all 800 viruses known.
TbScanX offers other software a universal hook to scan data
for viruses. If you are a programmer, you can instruct your
programs to scan information read from disk for viruses before
using the data.
TbScanX does not use much memory compared to other resident
virus scanners. On almost every machine it should be possible
to configure TbScanX that it uses only 1Kb of memory. Of course
you can also load this kilobyte into upper memory.
2. USAGE OF THE PROGRAM
2.1. System requirements
TbScanX runs perfectly on standard machines, in line with our
philosophy that there should be a limit to limitations.
+ TbScanX can be executed under DOS version 3.00 (and all later
versions). However, Dos 5.0 or higher is recommended, since
TbScanX has been optimized and designed primarily for use with
these DOS versions.
+ TbScanX requires about 10 Kb of free memory to be invoked. If
you enable swapping it does NOT require additional standard DOS
memory to initialise itself. If you don't enable swapping, the
amount of memory depends on the number of signatures in the
data file. TbScanX can handle up to approximately 2500
signatures, depending on which swapping mode is used: without
swapping TbScanX can use up to 50Kb, when swapping to
expanded memory 64Kb, when swapping to extended memory 50Kb,
when swapping to Hercules memory 28Kb, and when swapping to
CGA/EGA/VGA memory 24Kb.
+ The size of the signature file should not exceed 2Mb.
2.2. Program invocation
It is recommended to invoke TbScanX automatically from within your
Config.Sys or Autoexec.Bat file. It is important to invoke TbScanX
as early as possible after the machine has booted. For that reason
it is possible to invoke TbScanX from within the Config.Sys file.
TbScanX requires TbDriver to be loaded first!
TbScanX is easy to use. The syntax is as follows:
TBSCANX [<options>]...
There are three possible ways to invoke TbScanX:
To invoke TbScanX from the DOS prompt or within the Autoexec.Bat
file:
<path>TbScanX
To invoke TbScanX from the Config.Sys as a TSR (Dos 4+):
Install=<path>TbScanX.Exe
To invoke TbScanX from the Config.Sys as a device driver:
Device=<path>TbScanX.Exe
TbScanX should always work correctly after being started from
within the Autoexec.Bat. The "Install=" Config.Sys command is
NOT available in DOS 3.xx.
In addition to the three invocation possibilities DOS 5 users can
"highload" TbScanX in an UMB (upper memory block) if it is
available:
LoadHigh <path>TbScanX.Exe
Within the Config.Sys file TbScanX can also be loaded high:
DeviceHigh=<path>TbScanX.Exe
2.2.1. Invocation in Config.Sys
-> Invoking TbScanX as a device driver does not work in all OEM
versions of DOS. You have to try it, if it doesn't work use the
"Install=" command or load TbScanX from within the Autoexec.Bat.
2.2.2. Invocation in network environment
-> Unlike other anti-virus products, the Thunderbyte anti-virus
utilities can be loaded before the network is started without
losing the protection after the network is started.
2.2.3. Invocation when using MS-Windows
-> Windows users should invoke TbScanX BEFORE starting Windows.
If you do that there is only one copy of TbScanX in memory, but
every DOS-window will nevertheless have a fully functional
TbScanX in it. TbScanX detects if Windows is starting up, and
will switch itself in multitasking mode if necessary. You can
even disable TbScanX in one window without affecting the
functionality in another window.
2.3. While scanning
Whenever a program tries to write to an executable file (files with
the extensions .COM and .EXE), you will briefly see the text
"*Scanning*" in the upper left corner of your screen. The text is
shown for as long as TbScanX is scanning. Since TbScanX takes very
little time to scan the file, the message will only appear briefly.
The text "*Scanning*" will also appear if you execute a program
directly from a diskette, and if DOS accesses the bootsector of a
diskette drive.
2.4. Detecting viruses
If TbScanX detects a signature going to be written into a file,
a popup window will appear with the message:
WARNING, <filename> contains <virus name>!
Abort? (Y/n)
Press "N" to continue, press any other key to abort.
If TbScanX detects a signature in a boot sector, it will display the
message:
WARNING, Disk in <drive> contains <virus name>!
Press a key...
Although a virus seems to be on the bootsector of the specified
drive, the virus can not do anything since it has not been executed
yet. However, if you reboot the machine with the contaminated
diskette in the drive, the virus will copy itself to your harddisk.
To display the name of the virus, TbScanX needs the signature file
again. It will automatically use the signature file that was used
when you invoked the program. If the signature file is missing
(because you deleted it, or because you removed the floppy with
it), or no file handles are left, TbScanX will still detect
viruses, but it is no longer able to display the name of the virus.
It will display [Name unknown] instead.
2.5. Testing for viruses
Although TbScanX detects viruses automatically when you try to
create or modify an executable file, it can be handy to force
TbScanX to test a specific file for viruses. TbScanX has created a
character device with the name "SCANX" while installing itself in
memory. When you send data to this device the data will be scanned
for the occurrences of viruses. Try this:
copy /b testvir.com scanx
No file will be created with the name "scanx" but the input (the
contents of the file "testvir.com") will be scanned for viruses.
This way you can easily inspect any file (also the non-executables)
for the existence of virus signatures without the need to invoke a
special program. If the device "scanx" detects a signature in the
input it will simulate a DOS "write protect error".
Note that you have to specify the "/b" option. Otherwise DOS will
send the characters to the device one by one. This consumes a lot
of time and of course, no viruses will be found in one byte
sequences!
2.6. Command line options
It is possible to specify options on the command line. The first
four options in the table below are always available; the other
options are only available if TbScanX is not already resident in
memory.
optionword   short   explanation
----------   -----   -------------------------------------
help         ?       =display this helpscreen
off          d       =disable scanning
on           e       =enable scanning
remove       r       =remove TbScanX from memory
compatx      c       =use alternate interrupt
noexec       n       =never scan at execute
allexec      a       =always scan at execute
noboot       b       =do not scan bootsectors
ems          me      =use expanded memory (EMS)
xms          mx      =use extended memory (XMS)
herchalf     mh      =use Hercules-half memory
hercfull     mf      =use Hercules-full memory
cga          mc      =use CGA/EGA/VGA memory
secure       s       =deny access without asking
lock         l       =lock PC when virus detected
verbose      v       =show comment and memory report
valid        u       =unauthorized signatures allowed
2.6.1. help (?)
If you specify this option TbScanX will show you the brief help as
shown above. Once TbScanX has been loaded the help option will not
show all options anymore.
2.6.2. off (d)
If you specify this option TbScanX will be disabled, but it will
remain in memory.
2.6.3. on (e)
If you use this option TbScanX will be activated again after you
disabled it with the 'off' option.
2.6.4. remove (r)
This option can be used to remove the resident part of TbScanX from
your memory. All memory used by TbScanX will be released.
Unfortunately, removing a TSR (like TbScanX) is not always
possible. TbScanX checks whether it is safe to remove the resident
part from memory; if it is not safe it just disables TbScanX. A TSR
can not be removed if another TSR is started after it. If this
happens with TbScanX it will completely disable itself. The
character device "SCANX" will disappear also.
2.6.5. compatx (c)
In most systems TbScanX performs very well. It is however possible
that another TSR program conflicts with TbScanX. If the other TSR
is loaded first, TbScanX will normally detect the conflict and use
an alternate interrupt. If the other TSR is loaded after TbScanX,
and it does abort with a message telling you that it has already
been loaded, you can use the 'compatx' switch of TbScanX
(when installing it in memory).
2.6.6. data (df)
You can override the default path and name of the signature file by
using this option.
TbScanX normally tries to locate a signature file by itself. See
chapter 3.10 for information on how TbScan searches such a data
file. If TbScanX does not succeed in recognizing or locating the
default data file, or if you want to override TbScanX's default data
search path, you should use the 'data' option.
2.6.7. noexec (n)
TbScanX normally scans files located on removable media just before
they are executed. If you don't like that you can use this option
to disable this feature completely.
2.6.8. allexec (a)
TbScanX normally scans files to be executed only if they reside on
removable media. Files on the harddisk are trusted, because files
on the harddisk have to be copied or downloaded before they can
exist on your disk. And by that time TbScanX already scanned them
automatically. But if you want every file to be scanned before
it is executed, no matter whether it resides on the harddisk or on
removable media, you should use this option.
2.6.9. noboot (b)
TbScanX monitors the disk system: every time the bootsector is
being read, TbScanX automatically scans it for bootsector viruses.
If you change a disk, the first thing DOS has to do is read the
bootsector, otherwise it does not know what kind of disk is in the
drive. And as soon as DOS reads the bootsector, TbScanX checks it
for viruses. If you don't like this feature, or if it causes
problems, you can switch it off using the 'noboot' option. If
you specify this option TbScanX will also require less memory,
because the bootsector signatures will not be stored in memory.
2.6.10. valid (u)
TbScanX checks the signature file for modifications. If you change
the contents of that file TbScanX will issue a warning. If you
don't want the warning to be displayed, use the 'valid' option.
2.6.11. secure (s)
TbScanX normally asks the user to continue or to cancel when it
detects a virus. In some business environments however this choice
should not be made by employees. By using option 'secure' it is no
longer possible to allow suspicious operations.
2.6.12. lock (l)
If you are a system operator, you can use this option to instruct
TbScanX to lock the system once a virus is detected.
2.6.13. verbose (v)
If you specify this option TbScanX displays data file comments and
the memory report when installing itself resident in memory.
2.6.14. ems (me)
If you specify this option TbScanX will use expanded memory (like
provided by LIM/EMS expansion boards or 80386 memory managers) to
store the signatures and part of its program code. Expanded memory
is allocated in 16Kb blocks, so the minimum amount of expanded
memory allocated is 16Kb. However, conventional memory is more
valuable to your programs than expanded memory, so use of this
option is recommended. TbScanX can use up to 64Kb of EMS memory.
2.6.15. xms (mx)
If you specify this option TbScanX will use extended memory to
store the signatures and part of its program code. An XMS driver
(like HIMEM.SYS) needs to be installed to be able to use this
option. XMS memory is not directly accessible from within DOS, so
every time TbScanX has to scan data it has to copy the signatures
to conventional memory. To be able to save the original memory
contents TbScanX needs a double amount of XMS memory. Swapping to
XMS is slower than swapping to EMS memory, so if you have EMS
memory available swapping to EMS is recommended. It is possible
that swapping to XMS conflicts with some other software, so if you
experience problems try using TbScanX without the XMS option.
TbScanX can use about 2*50Kb of extended memory.
2.6.16. herchalf (mh)
If you specify this parameter TbScanX will use some part of the
Hercules videomemory to store the signatures. As long as the
video card remains in the text mode it uses only a little part of
its video memory. The rest can be used by... TbScanX. Video memory
is very slow, so TbScanX will also slow down somewhat. If you
execute a program that switches the card into the graphics mode
TbScanX will disable itself completely. You can re-activate TbScanX
by running it again. It will automatically remove the old resident
part of TbScanX that might be left in memory. TbScanX can use up to
28Kb of Hercules memory.
2.6.17. hercfull (mf)
This parameter does the same as the 'herchalf' parameter, but it
will switch the Hercules card into the full mode. TbScanX then uses
video memory that will not be used by even most of the graphics
software. You can run a graphics program while TbScanX remains
active at the same time! But watch out! If you have two
videocards in your machine at the same time, DO NOT USE this
option!
2.6.18. cga (mc)
This parameter does the same as the 'herchalf' or 'hercfull' option,
but it will now use CGA/EGA/VGA video memory instead of Hercules
memory. TbScanX can use up to 24Kb of video memory.
2.7. Examples:
C:\utils\TbScanX C:\tb\TbScan.Dat ems
or:
Device=C:\utils\TbScanX.Exe C:\tb\TbScan.Dat xms noboot
2.8. Residence of the signature file
TbScanX looks for the data file in the following order:
1) If a filename is specified on the command line, it will use
the file specified on the command line.
2) It searches for a file with the name VIRSCAN.DAT in the active
directory.
3) It searches for VIRSCAN.DAT in the same directory where the
program file TBSCANX.EXE itself resides.
4) It searches for a file with the name TBSCAN.DAT in the active
directory.
5) It searches for TBSCAN.DAT in the same directory where the
program file TBSCANX.EXE itself resides.
2.9. Error messages
Error messages that might be displayed:
- TbDriver not active. Load TbDriver first!
TbScanX needs TbDriver, so you have to load TbDriver first.
- TbDriver version is not <version>.
The version of TbDriver found in memory does not match the
version number of TbScanX. Make sure you do not mix version
numbers!
- Error in data file at line <number>.
There is an error in the specified line of the data file.
- Not enough memory
There is not enough free memory to process the data file. Try
to enable swapping, or if you are already doing so, try another
swapping mode. See also chapter "limitations".
- Data file not found.
TbScanX has not been able to locate the data file.
- This version of TbScanX requires a <typeID> processor.
You are using a processor optimized version of TbScanX and
it can not be executed by the current processor.
3. CONSIDERATIONS AND RECOMMENDATIONS
3.1. Solving incompatibility problems
Although TbScanX has been designed to cooperate with other resident
software, other software may not, causing system errors or worse.
The most common problems:
Problem:
If TbScanX tries to display a message, the text 'message file
<filename> could not be opened' appears.
Solution:
Specify the FULL path and filename of the file that you will
use as message file after the TbDriver invocation. The default
filename is TbDriver.Lng
Problem:
You are running a network. TbScanX is installed successfully,
but it does not display the "*scanning*" message while
accessing files. It also does not detect viruses.
Solution:
Use the command 'TbDriver net' after the network has been
loaded.
Problem:
It is impossible to start a TSR after TbScanX has been loaded.
The TSR software reports that it already has been loaded in
memory, which is not true.
Solution:
Use the 'compatx' switch of TbScanX while loading it. The TSR
and TbScanX are using the same multiplex interrupt call.
Problem:
The system sometimes hangs when the message "*scanning*" is on
the screen. The problem however is hard to reproduce.
Solution:
Try using StackMan. StackMan is supplied in the TBAV package.
Problem:
The system sometimes hangs when the message "*scanning*" is on
the screen when using a specific application. The problem can
be reproduced.
Solution:
If you are using the 'xms' option, load TbScanX without it.
If the problem is solved, you should not use the 'xms' option.
If the problem is not related to the 'xms' option, try using
StackMan.
Problem:
Everything works well, but as soon as I load a specific TSR the
system hangs immediately after the TSR goes resident. The
TbScanX option 'compatx' does not solve the problem.
Solution:
Use StackMan with the -dos option and try again.
3.2. Reducing the memory requirements
Most PC users try to maintain as much free DOS memory as possible.
TbScanX is designed to use only a small amount of DOS memory. To
decrease the memory requirements of TbScanX even further do the
following:
- Load TbScanX from within the Config.Sys file. If loaded as a
device driver TbScanX has no Program Segment Prefix (PSP),
and that saves 256 bytes.
- If you invoke TbScanX from within the Autoexec.Bat file do this
before establishing environment variables. DOS maintains a list
of environment variables for every resident program, so keep
this list small while installing TSRs. Once all TSRs are
installed you can define all environment variables without
affecting the memory requirements of the TSRs.
- Use swapping. By using one of the options 'ems', 'xms', 'cga',
'hercfull' or 'herchalf' TbScanX swaps itself to non-DOS memory,
leaving only 1 Kb of code in DOS memory. Swapping to expanded
memory ('ems') is preferred.
- If you have DOS 5 or higher try to load TbScanX into an upper
memory block using the "loadhigh" or "devicehigh" commands. It
is recommended to enable swapping also to limit the usage of
upper memory. A "hole" of 10Kb should be sufficient to load
TbScanX into upper memory while using one of the swapping modes
except 'xms'. If you don't use swapping TbScanX also needs
memory to store the signatures. If you enable XMS swapping
TbScanX needs to build the data structures in normal memory
before copying them to XMS. This causes TbScanX to require
additional memory at initialization time. You can also combine
the 'xms' option with one of the other swapping options. In that
case TbScanX will finally use 'xms' as swapping memory, but
while initialising TbScanX uses the other swapping mode,
enabling you to load TbScanX into an upper memory "hole" of
only 10Kb.
- Use one of the processor specific versions of TbScanX. They all
consume less memory than the generic version of TbScanX.
Processor optimized versions are available on any Thunderbyte
support BBS.
- To minimize the signature data you can consider specifying the
'noboot' option. In this case TbScanX does not maintain data for
viruses with only the BOOT keyword set.
- Finally you can edit the data file, deleting the less widely
spread viruses and truncating the remaining signatures. Of
course we don't recommend this but if memory is tight it might
be the only solution.
3.3. How many viruses does it detect?
Some people think that TbScanX recognizes only 500 viruses, based
upon the fact that the signature file contains only 500 signatures.
What they do not realise is that the signatures are family
signatures, which means that each signature covers many viruses.
For instance, our PLO/Jerusalem signature detects over 25 viruses
which are all related to the 'original' Jerusalem virus! Only one
(wildcarded) signature is needed by TbScanX to cover all these
mutants.
Some competitive products treat each virus mutant as a separate
virus, and so claim to detect over 1200 viruses. However, TbScanX
detects even more viruses using 'only' 500 signatures.
3.4. Testing the scanner
Many people understandably wish to test the product they are using.
While it is very easy to test, for instance, a word processor, it
is very difficult to test a smart scanner like TbScanX. You cannot
extract 25 bytes from an executable and insert it into the
TBSCAN.DAT or VIRSCAN.DAT data file as a bogus signature just to
find out whether or not TbScan will detect the 'signature' in the
file it was copied from. It is very likely that TbScanX will NOT
find it because it only scans the entry-area of the file whereas
the 'signature' you extracted might be taken from some other
location within the file.
You might ask: 'How then can I test the scanner if using a 'test
signature' does not work?' We think you can't, unless you are an
experienced assembler programmer. Sorry, but testing a
disassembling scanner should be performed by virus experts only.
Fortunately, you don't have to rely on our tests solely. There are
anti-virus magazines that regularly publish tests of all virus
scanners. At the end of this manual you will find names and
addresses of such magazines. Anyway, third parties have tested our
scanner along with several others, and they found TbScanX to have a
very high hit rate. It detects even more viruses than many popular
scanners do.
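The wildcard family signatures of section 1.3 and the entry-area scanning that this section relies on, shown together as an added example in C (not Thunderbyte code, and not the TBSCAN.DAT/VIRSCAN.DAT format): the signature, the 1 KB entry window and the sample .COM/.EXE images are all constructed for the demonstration.

```c
/* Added example, not Thunderbyte code: a small family-signature scanner
 * in the style the manual describes. Patterns may contain wildcards and
 * only the "entry area" is searched: offset 0 of a .COM file, or the
 * CS:IP entry point named in the MZ header of an .EXE. The signature,
 * the 1 KB window and the sample images are constructed; the
 * TBSCAN.DAT / VIRSCAN.DAT file format is not implemented here. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WILD       (-1)   /* wildcard: any byte matches at this position */
#define ENTRY_AREA 1024   /* assumed size of the scanned entry area      */
typedef struct { const char *name; const int *pat; size_t len; } Signature;

/* Constructed family signature: the imm16 operands of "mov ax" and "mov dx"
 * are wildcarded, so a mutant that changes only those values still hits
 * this one signature (the manual's Jerusalem/PLO argument). */
static const int fam_a_pat[] = { 0xB8, WILD, WILD, 0xBA, WILD, WILD,
                                 0xCD, 0x21, 0xEB, 0xFE };
static const Signature SIGS[] = { { "Constructed-Family-A", fam_a_pat, 10 } };
#define NSIGS (sizeof SIGS / sizeof SIGS[0])
static unsigned rd16(const unsigned char *p) { return p[0] | (p[1] << 8); }

/* File offset where execution starts. .COM: 0. MZ .EXE: header size
 * (e_cparhdr paragraphs) + initial CS paragraphs + initial IP. */
long entry_offset(const unsigned char *img, size_t len)
{
    unsigned long off;
    if (len < 0x1C || img[0] != 'M' || img[1] != 'Z') return 0;
    off = (unsigned long)rd16(img + 0x08) * 16
        + (unsigned long)rd16(img + 0x16) * 16 + rd16(img + 0x14);
    return off < len ? (long)off : -1;   /* -1: entry point outside the image */
}

static int match_at(const unsigned char *p, size_t avail, const Signature *s)
{
    size_t i;
    if (avail < s->len) return 0;
    for (i = 0; i < s->len; i++)
        if (s->pat[i] != WILD && p[i] != s->pat[i]) return 0;
    return 1;
}

/* Search ENTRY_AREA bytes from the entry point for a signature start and
 * return its name, or NULL. A pattern sitting elsewhere in the file is
 * deliberately not seen: that is why the "cut 25 bytes from anywhere"
 * test of section 3.4 does not work against such a scanner. */
const char *scan_entry_area(const unsigned char *img, size_t len)
{
    long   start = entry_offset(img, len);
    size_t end, pos, k;
    if (start < 0) return NULL;
    end = (size_t)start + ENTRY_AREA;
    if (end > len) end = len;
    for (pos = (size_t)start; pos < end; pos++)
        for (k = 0; k < NSIGS; k++)
            if (match_at(img + pos, len - pos, &SIGS[k])) return SIGS[k].name;
    return NULL;
}

/* Constructed test images: a family-A body with caller-chosen operands at
 * `at` in a NOP-filled .COM image, or at the entry point of a minimal .EXE
 * image whose header is 2 paragraphs (32 bytes) long. */
static void put_body(unsigned char *p, unsigned ax, unsigned dx)
{
    unsigned char b[10] = { 0xB8, ax & 0xFF, ax >> 8, 0xBA, dx & 0xFF, dx >> 8,
                            0xCD, 0x21, 0xEB, 0xFE };
    memcpy(p, b, sizeof b);
}
void make_com(unsigned char *img, size_t len, size_t at, unsigned ax, unsigned dx)
{
    memset(img, 0x90, len);
    put_body(img + at, ax, dx);
}
void make_exe(unsigned char *img, size_t len, unsigned cs, unsigned ip,
              unsigned ax, unsigned dx)
{
    memset(img, 0, len);
    img[0] = 'M'; img[1] = 'Z';
    img[0x08] = 2;                               /* e_cparhdr: 2 paragraphs */
    img[0x14] = ip & 0xFF; img[0x15] = ip >> 8;  /* e_ip */
    img[0x16] = cs & 0xFF; img[0x17] = cs >> 8;  /* e_cs */
    put_body(img + 32 + (size_t)cs * 16 + ip, ax, dx);
}

/* Four scenarios; bit n of the result is set when scenario n reported a hit. */
unsigned run_scenarios(void)
{
    static unsigned char img[4096];
    unsigned hits = 0;
    make_com(img, sizeof img, 16, 0x4C00, 0x0100);             /* 0: body in entry area  */
    if (scan_entry_area(img, sizeof img)) hits |= 1;
    make_com(img, sizeof img, 16, 0x0900, 0x0200);             /* 1: mutant operands     */
    if (scan_entry_area(img, sizeof img)) hits |= 2;
    make_com(img, sizeof img, 3000, 0x4C00, 0x0100);           /* 2: body outside window */
    if (scan_entry_area(img, sizeof img)) hits |= 4;
    make_exe(img, sizeof img, 0x0010, 0x0008, 0x4C00, 0x0100); /* 3: EXE entry at 296    */
    if (scan_entry_area(img, sizeof img)) hits |= 8;
    return hits;   /* 0xB: scenarios 0, 1 and 3 hit, scenario 2 is missed by design */
}
int main(void) { printf("hit mask: 0x%X\n", run_scenarios()); return 0; }
```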
4. APPLICATION INTERFACE
If you are a software developer you can use TbScanX to check data
for viruses. A program can perform a self-check as soon as it is
invoked by sending its code to TbScanX. A program that processes
other programs or parts of them (for example encryptors or executable
file compressors) should check the data for viruses before
processing it.
4.1. High-level control
This method is most useful for high-level programming languages
and for languages that lack the ability to generate interrupts.
Try to open the file "SCANX". If the open succeeds, TbScanX is
installed on the machine. Open the file in binary mode. Write
the data to be scanned to the opened file. If the data contains a
signature of a virus TbScanX simulates a DOS "write protect error".
If nothing happens and the data is accepted no signature could be
found in it.
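The SCANX device method of this section and of section 2.5, done from C as an added example (not Thunderbyte code): it assumes the device can be opened with fopen in "r+b" mode without creating a file, that an unbuffered stream hands the whole block to DOS in one write, and that the simulated write protect error surfaces as a failed fwrite or fclose; the SCANX_FILE_ERROR code is a constructed addition.

```c
/* Added example, not Thunderbyte code: the high-level SCANX interface
 * from C. Assumptions: the device opens with fopen("SCANX", "r+b"), which
 * does not create a file when the device is absent; an unbuffered stream
 * hands the whole block to DOS in one write, as "copy /b" does; and the
 * simulated write protect error shows up as a failed fwrite or fclose.
 * With TbScanX not resident (or outside DOS) the open fails, which the
 * caller sees as SCANX_NOT_INSTALLED. */
#include <stdio.h>
#include <stdlib.h>

enum scanx_result {
    SCANX_FILE_ERROR      = -2,   /* constructed code: input file unreadable */
    SCANX_NOT_INSTALLED   = -1,
    SCANX_CLEAN           =  0,
    SCANX_SIGNATURE_FOUND =  1
};

/* Hand a memory block to the SCANX device and classify the outcome. */
int scanx_submit(const unsigned char *data, size_t len)
{
    FILE *dev = fopen("SCANX", "r+b");   /* device name: no path, any directory */
    size_t written;
    int close_rc;
    if (dev == NULL) return SCANX_NOT_INSTALLED;
    setvbuf(dev, NULL, _IONBF, 0);       /* whole block in one write, not byte by byte */
    written = fwrite(data, 1, len, dev);
    close_rc = fclose(dev);
    return (written == len && close_rc == 0) ? SCANX_CLEAN : SCANX_SIGNATURE_FOUND;
}

/* Read a whole file and submit it: the programmatic "copy /b file scanx".
 * A program can pass its own argv[0] here to self-check at start-up. */
int scanx_check_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    unsigned char *buf;
    long size = 0;
    int rc = SCANX_FILE_ERROR;
    if (f == NULL) return SCANX_FILE_ERROR;
    if (fseek(f, 0, SEEK_END) == 0 && (size = ftell(f)) >= 0) {
        rewind(f);
        buf = malloc(size > 0 ? (size_t)size : 1);
        if (buf != NULL) {
            if (fread(buf, 1, (size_t)size, f) == (size_t)size)
                rc = scanx_submit(buf, (size_t)size);
            free(buf);
        }
    }
    fclose(f);
    return rc;
}

int main(int argc, char **argv)
{
    static const char *text[] = { "file error", "TbScanX not installed",
                                  "clean", "signature found" };
    const char *path = argc > 1 ? argv[1] : argv[0];   /* default: self-check */
    int rc = scanx_check_file(path);
    printf("%s: %s\n", path, text[rc + 2]);
    return rc == SCANX_SIGNATURE_FOUND;
}
```

Under DOS the write protect error is a critical error, so a program that does not want the default Abort/Retry/Fail prompt has to install its own INT 24h handler; that part is left out here.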
4.2. Low-level control
This method is more complex, but offers more possibilities. If your
programming language supports issuing interrupts you should be able
to use this method.
The interface consists of some multiplex calls (int 2Fh). Register
AH should contain CAh. Register AL contains the function request
number.
On the Thunderbyte support BBS you will find additional information,
examples and libraries.
Supported function requests:

AL=0  InstallationCheck
      Return value:
        AL=0      TbScanX not installed
        AL=FFh    TbScanX installed
        If BX was 'TB' then it is now changed into 'tb'.

AL=1  GetStatus
      Return value:
        AH        Version number TbScanX in BCD. (CAh if version < 2.2)
        AL=0      TbScanX disabled
        AL=1      TbScanX enabled
        BX        Segment swap area. Zero if not swapped.
        CX        Number of signatures that will be searched.
        DX        EMS_Handle. -1 if no expanded memory in use.
                  If DX is not equal to -1 but BX contains zero then
                  TbScanX uses XMS swapping. DX contains the XMS handle
                  in that case.

AL=2  SetStatus
        BL=0      Disable TbScanX
        BL=1      Enable TbScanX
      Return value:
        NONE

AL=3  ScanBuffer
        DS:DX     Address of buffer to scan.
        CX        Length of buffer to scan.
      Return value:
        Carry clear   No signatures found in buffer.
        Carry set     Signature found in buffer!
        ES:BX         ASCIIZ-name of virus (null terminated)
      Registers altered:
        AX,BX,CX,DX,ES
      The contents of the buffer remains unchanged.

AL=4  ScanFile
        DS:DX     Name of the program file to be scanned.
      WARNING! There should be at least 4 Kb of free memory to
      perform this function!
      Return value:
        Carry clear   No signature found in file.
        Carry set     Signature found in buffer!
        ES:BX         ASCIIZ-name of virus (null terminated)
      Registers altered:
        AX,BX,CX,DX,ES
Page 18
Thunderbyte resident virus scanner. (C) 1989-1992 Thunderbyte B.V.
Assembler example:

        mov     ah,0CAh         ;Multiplex number
        mov     al,0
        int     02Fh            ;Installation check
        cmp     al,0FFh         ;If AL=FFh TbScanX has been installed.
        jne     notinstalled    ;Else TbScanX has not been installed.
        lea     dx,buffer       ;Address of the buffer in DS:DX
        mov     cx,512          ;Length of our buffer
        mov     ah,0CAh         ;Multiplex number
        mov     al,3
        int     02Fh            ;ScanBuffer
        jnc     notinfected     ;No carry? Then no virus found!
        call    print           ;Virus found. Print name ES:BX
notinfected: