Text File | 1992-12-29 | 26KB | 841 lines
Thunderbyte file setup. (C) Copyright 1989-1992 Thunderbyte B.V.
Table of Contents
1. INTRODUCTION
   1.1. Purpose of TbSetup
   1.2. A Quick start
2. USAGE OF THE PROGRAM
   2.1. System requirements
   2.2. When to use TbSetup
   2.3. Program invocation
   2.4. While executing
   2.5. Command line options
        2.5.1. help
        2.5.2. pause
        2.5.3. mono
        2.5.4. nosub
        2.5.5. newonly
        2.5.6. remove
        2.5.7. test
        2.5.8. nohidden
        2.5.9. readonly
        2.5.10. nordonly
        2.5.11. set
        2.5.12. reset
        2.5.13. datfile
3. THE DATA FILE TBSETUP.DAT
   3.1. Purpose of the TbSetup.Dat file
   3.2. Format of the TbSetup.Dat file
   3.3. Defining new entries
4. CONSIDERATIONS AND RECOMMENDATIONS
   4.1. Residence of the Anti-Vir.Dat files
1. INTRODUCTION
1.1. Purpose of TbSetup
TbSetup is a program that stores vital information of every program
in files named Anti-Vir.Dat. There will be one Anti-Vir.Dat file in
every directory that contains program files.
Although the Thunderbyte utilities can work perfectly well without
the Anti-Vir.Dat files it is highly recommended to have TbSetup
generate these files. The Anti-Vir.Dat files can be used for several
purposes:
- Integrity checking. TbScan will perform an integrity check
while scanning if it can detect the Anti-Vir.Dat file. If a
file gets infected by a virus, the information in the
Anti-Vir.Dat file will not match the actual file contents,
and TbScan will inform you that the file has been changed.
- The TbSetup program recognizes some files that need special
treatment. An example of such a file is a disk image file of a
network remote boot disk. Such a file - that actually
represents a complete disk - should be scanned completely, and
for all viruses. TbSetup will put a mark in the Anti-Vir.Dat
file to make sure that TbScan scans the complete file for all
viruses. There are other files that need special treatment,
but you can read more about that later.
- Once a file is infected, TbClean will reconstruct the original
file. The information in the Anti-Vir.Dat file will be of great
help to TbClean. Some infected programs can only be cured if
there is information about the program in the Anti-Vir.Dat
file.
- TbCheck (a tiny resident integrity checker) has no purpose if
there are no Anti-Vir.Dat files on your system.
- The resident TBAV utilities need the Anti-Vir.Dat files to
maintain permission information. Without Anti-Vir.Dat files you
can not get rid of false alarms other than by disabling a
complete feature.
1.2. A Quick start
Although we highly recommend a complete reading of this manual, here
are some directions for a quick run of TbSetup:
Type 'TbSetup C:\' at the DOS prompt. This will be sufficient for a
standard scan session. You may specify more than one drive:
'TbSetup C:\ D:\'.
The invocation syntax is:
TBSETUP [<path>][<filename>]... [<options>]...
For fast online help type 'TbSetup ?' or 'TbSetup help'. The latter
will provide for a more detailed description of the command line
options.
*** IMPORTANT NOTES! ***
The Anti-Vir.Dat files generated by TbSetup are hidden from a normal
directory display. You can see these files only with special
utilities.
TbSetup does not offer any virus detection by itself. It is just a
guide for the Thunderbyte utilities. This is the only program where
the rule applies: The less you use the program, the better your
protection against viruses is! Once the Anti-Vir.Dat files are
generated, you should not run TbSetup anymore until you change or
add some new program files to your system. In this case it is
highly recommended to run TbSetup only in the directory that
contains the new or changed files. Option 'newonly' can be used to
prevent existing information from being overwritten.
Example:
You add a new file TEST.EXE to your directory C:\FOO.
TbSetup C:\FOO\TEST.EXE
Example:
You install a new product in a new directory C:\NEW.
TbSetup C:\NEW
You do not have to remove all the Anti-Vir.Dat files yourself if you
decide for some reason that you want to get rid of them. Just run
TbSetup again with the 'remove' option:
TbSetup C:\ remove
2. USAGE OF THE PROGRAM
2.1. System requirements
TbSetup runs perfectly on standard machines, in line with our
philosophy that there should be a limit to limitations.
+ TbSetup requires 140 Kb of free memory.
+ TbSetup can be executed under DOS version 3.00 (and all later
versions). However, DOS 3.3 or higher is recommended, since
TbScan has been optimized and designed primarily for use with
these DOS versions.
2.2. When to use TbSetup
You do not need to run TbSetup often. Once you have used it on your
entire system you do not need it until you change or add some
program files to your system. In this case it is highly recommended
to run TbSetup only in the directory that contains the new or
changed files.
Example:
You add a new file TEST.EXE to your directory C:\FOO.
TbSetup C:\FOO\TEST.EXE
Example:
You install a new product in a new directory C:\NEW.
TbSetup C:\NEW
TbScan will inform you when you need to run TbSetup again: it will
display either a small 'c' after the filename (indicating a new
file) or a capital 'C' (indicating a changed file).
Note that you will NOT get better protection if you use TbSetup
often! On the contrary, protection will be reduced if you use
TbSetup when this is not necessary. Consider this: the purpose of
the Anti-Vir.Dat file is to maintain vital information about the file
in an uninfected state. Once a file is infected, the information
stored in the Anti-Vir.Dat file can be used to detect the virus
and to clean the file. But if you run TbSetup after a virus has
entered the system, the information in the Anti-Vir.Dat file will
be 'updated' to the state of the infected file, and the vital
information about the file in an uninfected state is gone!
2.3. Program invocation
TbSetup is easy to use. The syntax is as follows:
TbSetup [<path>][<filename>]... [<options>]...
Drive and path tell TbSetup where it should perform its setup
operation. To set up disks C: and D: you should enter:
TbSetup C:\ D:\
When no filename has been specified but a drive and/or path
instead, the specified path will be used as top-level path. All
its sub-directories will be processed too.
When a filename has been specified only the specified path will be
processed. Sub-directories will not be processed.
Wildcards in the filename are allowed. You may even specify '*.*'
which will result in all files being processed.
2.4. While executing
TbSetup divides the screen into three windows: an information
window, a scanning window and a status window. The upper window is
the information window and it initially displays the comments found
in the data file.
The lower left window displays the names of the files being
processed and file specific information.
Example:
    TEST.EXE  01234  12AB23CD  Added  *  0001
       |        |       |        |    |    |
       |        |       |        |    |    'flags' set for this file
       |        |       |        |    indicates 'special' file
       |        |       |        action performed
       |        |       32-bit CRC (checksum)
       |        file size in hexadecimal number
       name of file in process
Don't worry about the information that is being displayed. It is not
necessary to understand it. You will probably not need this
information anyway.
The 'action performed' field can contain three values:
Added
There was not yet an Anti-Vir.Dat record. It is added now.
Changed
There was already an Anti-Vir.Dat record, but the file has been
changed. The Anti-Vir.Dat information has been updated.
Updated
There was already an Anti-Vir.Dat record and the file has not been
changed. TbSetup, however, changed some of the program's permission
flags. This happens because of an entry in the TbSetup.Dat file or
because of the 'Set' or 'Reset' specification on the command line.
The lower right window is the status window. It displays the number
of files and directories encountered, the number of Anti-Vir files,
the number of special files listed in the TbSetup.Dat file, etc.
The process can be aborted by pressing Ctrl-Break.
2.5. Command line options
It is possible to specify options on the command line. TbSetup
recognizes option short-keys and option words. The words are
easier to memorize, and they will be used in this manual for
convenience.
    optionword  parameter      short  explanation
    ----------  -------------  -----  --------------------------------------
    help                       he     =help (-? = short help)
    pause                      pa     =enable 'Pause' prompt
    mono                       mo     =force monochrome
    nosub                      ns     =skip sub-directories
    newonly                    no     =do not update changed records
    remove                     rm     =remove Anti-Vir.Dat files
    test                       te     =do not create / change anything
    nohidden                   nh     =do not make Anti-Vir.Dat files hidden
    readonly                   ro     =set read-only attribute on executables
    nordonly                   nr     =remove / do not set read-only attribute
    set         =<flags>       se     =set flags
    reset       =<flags>       re     =reset flags / do not set flags
    datfile     [=<filename>]  df     =data file to be used
2.5.1. help (he)
If you specify this option TbSetup displays the contents of the
TBSETUP.HLP file if it is available in the home directory of
TbSetup. If you specify the '?' option you will get the summarized
help info as listed above.
2.5.2. pause (pa)
When you enter option 'pause' TbSetup will stop after it has
processed the contents of one window. This gives you the
possibility to examine the results.
2.5.3. mono (mo)
This option forces TbSetup to refrain from using colors in the
screen output. This might enhance the screen output on some LCD
screens or color-emulating monochrome systems.
2.5.4. nosub (ns)
By default TbSetup will search sub-directories for executable files,
unless a filename (wildcards allowed!) has been specified. If you
use this option, TbSetup will not process sub-directories.
2.5.5. newonly (no)
If you want to add new files to the Anti-Vir.Dat database, but
prevent the information of changed files from being updated, use
option 'newonly'. Updating the information of changed files is
dangerous because if the files are infected, the information to
detect and cure the virus will be overwritten. Option 'newonly'
prevents the information from being overwritten but it still
allows information of new files to be added to the database.
2.5.6. remove (rm)
If you want to stop using the Thunderbyte utilities you do not have
to remove all the Anti-Vir.Dat files yourself. If you use option
'remove' TbSetup will neatly remove all Anti-Vir.Dat files from
your system.
2.5.7. test (te)
If you want to see the effect of an option without the risk that
something is activated you do not want, use option 'test'. If that
option is specified the program will behave as it would normally,
but it will not change or update anything on your harddisk.
2.5.8. nohidden (nh)
The Anti-Vir.Dat files are normally not visible in a directory
listing. If you prefer to have normal - i.e. visible - files
specify option 'nohidden'. Note that this option only applies
to new Anti-Vir.Dat files.
2.5.9. readonly (ro)
This option is intended to be used by the Thunderbyte add-on card
owners. As Thunderbyte guards the readonly attribute permanently it
is highly recommended to make all executable files readonly to
prevent any modifications on these files. TbSetup will do the job
if you specify option 'readonly'. Files that should not be made
readonly are recognized by TbSetup.
2.5.10. nordonly (nr)
This option can be used to reverse the operation of option
'readonly'. If you specify option 'nordonly' all readonly
attributes of all executable files will be cleared.
2.5.11. set (se)
This option is for advanced users only. With this option you can
manually set flags in the Anti-Vir.Dat record. This option requires
a hexadecimal bitmask for the flags to set. For information about
the bit mask consult the TbSetup.Dat file.
Option format: Set =<flags>
Example: Set = 0001
2.5.12. reset (re)
This option is for advanced users only. With this option you can
manually reset flags or prevent flags from being set in the
Anti-Vir.Dat record. This option requires a hexadecimal bitmask for
the flags to reset. For information about the bit mask consult the
TbSetup.Dat file.
Option format: Reset =<flags>
Example: Reset = 0001
2.5.13. datfile (df)
TbSetup will search for 'special' files in a file named
TbSetup.Dat. With option 'datfile' you can specify another path or
filename that contains a list of 'special' files.
Option format: Datfile [=<filename>]
Example: Datfile = c:\foo\tbsetup.dat
3. THE DATA FILE TBSETUP.DAT
3.1. Purpose of the TbSetup.Dat file
Although the Thunderbyte utilities perform well on almost every
file, there are some files that need special treatment. Examples
of such files:
- Some programs maintain configuration information inside the
executable file (EXE, COM) itself. This means that when you
change the configuration of these programs, the executable file
will change too, and the checksum does not match anymore.
Since some Thunderbyte utilities use this checksum information
to verify integrity or cleanup results it is helpful if these
utilities 'know' that the checksum of the file is not a fixed
item and is allowed to change.
- TbScan can use generic detection methods such as 'heuristic'
analysis to detect unknown viruses. Since heuristic analysis
implies some false alarms in cases when a file looks like a
virus, it would be of great help that TbScan knows that it
should not try to perform heuristic analysis on such a program.
- Some of the Thunderbyte utilities guard the readonly attribute
and make sure that nobody can remove it without permission from
the user. However, a few programs do not behave as they should
if they have the readonly attribute set.
- TbScan's default method of scanning performs perfectly well
in almost all cases. However, there are a few files that need
special analysis. Such a file is the Novell NET$DOS.SYS file,
that is not a device driver - as the filename extension
suggests - but a disk image of the bootable disk. It should be
scanned completely and for ALL signatures, including COM and
BOOT.
- The resident monitoring utilities of the TBAV package detect
all kinds of virus-specific behavior. Some normal programs
however sometimes also behave like viruses, and they should
have permission to do so without TBAV interference.
TbSetup uses the data file TbSetup.Dat to recognize such files, and
it will put special flags in the Anti-Vir.Dat file. The other
Thunderbyte utilities then know how to handle such a 'special'
file.
Maybe you do not like the idea that a few files will be excluded
from heuristic analysis, but keep in mind that such a file will
still be scanned in a conventional way with signatures and the
like. Besides, a file has to have a matching filename, a
specific file length and exactly the same 32-bit CRC. Only then
will the heuristic-exclusion-flag be set. This does not provide a
security hole: if a file listed in the TbSetup.Dat file is
infected, then at least the 32-bit CRC will not match, and TbSetup
will not recognize the file anymore. If a program gets infected
afterwards, the file will change, the record in the Anti-Vir.Dat
file will not match anymore and the file will be subject to full
heuristic analysis anyway.
3.2. Format of the TbSetup.Dat file.
The format of the TbSetup.Dat file is very simple. Every empty line
and every line starting with a semi-colon (';') or percentage sign
('%') is treated as a comment line. The lines starting with the
percentage sign will be displayed by TbSetup in the upper window.
Every entry in the TbSetup.Dat file has four items:
- The filename. The filename should be capitalized and not
contain any spaces.
- The length of the file in hexadecimal. This field may also
contain a wildcard ('*') if an exact filelength match is not
required.
- The 32-bit CRC of the file in hexadecimal. This field may also
contain a wildcard ('*') if an exact checksum match is not
required.
- The hexadecimal number representing the flags that should be
set when the listed file is found on the system.
The following flags are available:
    bit 0:  (0001) Do not perform heuristic analysis.
    bit 1:  (0002) Ignore CRC changes (self-modifying file)
    bit 2:  (0004) Scan for all signatures (lan remote boot file)
    bit 3:  (0008) Do not change read-only attribute of this file
    bit 4:  (0010) The program stays resident in memory.
    bit 5:  (0020) The program performs direct disk access.
    bit 6:  (0040) Program is allowed to remove readonly attributes.
    bit 15: (8000) Interrupt rehook required for TbDriver.Exe
- The rest of the line may be used for comments.
Examples:
    ; filename     Length  32-bit CRC  Flags  Comment
    ; Files that trigger the heuristic alarm of TbScan:
    4DOS.COM       19FEA   *           0001   ;4Dos 4.0a
    AFD.COM        0FEFE   4B351A86    0001   ;AFD debugger
    ARGV0FIX.COM   001D8   431E70C0    0001   ;Argv[0]fix
    EXE2COM.EXE    00BEA   49276F89    0001   ;Exe to Com conv. utility
    KILL.EXE       00632   74D41811    0001   ;PcTools 6.0 utility
    WATCH.COM      003E1   2353625D    0001   ;TSR monitoring utility
    ; Files that need to be scanned completely, for ALL viruses:
    NET$DOS.SYS    *       *           0004   ;Disk image of Novell boot disk
    ; Files that don't have a fixed checksum due to internal config area's:
    Q.EXE          *       *           000A   ;Qedit (all versions)
    TBCONFIG.COM   *       *           000A   ;all versions
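
The entry format and matching rule of this section, written out as a small parser. This is an added example, not Thunderbyte code: the first-match rule in `flags_for` and the `weak_exclusions` review check (entries that set flag 0001 with a wildcard CRC, so the CRC is not compared) are assumptions made for illustration. The sample uses three entries from the examples above plus one constructed '%' line.

```python
from dataclasses import dataclass
from typing import Optional

# Flag bits exactly as listed in section 3.2 of the manual.
FLAG_NAMES = {
    0x0001: "no heuristic analysis",
    0x0002: "ignore CRC changes",
    0x0004: "scan for all signatures",
    0x0008: "do not change read-only attribute",
    0x0010: "stays resident in memory",
    0x0020: "performs direct disk access",
    0x0040: "may remove read-only attributes",
    0x8000: "interrupt rehook required for TbDriver.Exe",
}

@dataclass
class Entry:
    name: str
    length: Optional[int]  # None stands for the '*' wildcard
    crc: Optional[int]     # None stands for the '*' wildcard
    flags: int

def _hex_or_wild(field):
    return None if field == "*" else int(field, 16)

def parse_dat(text):
    """Return (banner, entries); '%' lines form the banner shown in the upper window."""
    banner, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("%"):
            banner.append(line[1:].strip())
            continue
        parts = line.split(None, 4)  # name, length, CRC, flags, rest of line (comment)
        if len(parts) < 4:
            raise ValueError(f"malformed entry: {raw!r}")
        entries.append(Entry(parts[0].upper(), _hex_or_wild(parts[1]),
                             _hex_or_wild(parts[2]), int(parts[3], 16)))
    return banner, entries

def flags_for(entries, filename, size, crc):
    """Flags of the first entry matching name, length and CRC; 0 if none (assumed rule)."""
    for e in entries:
        if e.name == filename.upper() and e.length in (None, size) and e.crc in (None, crc):
            return e.flags
    return 0

def describe(flags):
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]

def weak_exclusions(entries):
    """Entries that switch off heuristics (0001) without pinning the CRC."""
    return [e for e in entries if e.flags & 0x0001 and e.crc is None]

# Sample: three entries copied from the manual's examples plus a constructed '%' line.
SAMPLE = """\
% Constructed banner line
; filename Length 32-bit CRC Flags Comment
4DOS.COM 19FEA * 0001 ;4Dos 4.0a
AFD.COM 0FEFE 4B351A86 0001 ;AFD debugger
NET$DOS.SYS * * 0004 ;Disk image of Novell boot disk
"""
```

Calling `parse_dat(SAMPLE)` and then `weak_exclusions` on the result lists 4DOS.COM, the one sample entry whose heuristic exclusion is not tied to a CRC.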
3.3. Defining new entries.
If you have files that should be included in the list, please
inform us about this! We like to get a copy of these files to
enhance our products.
An indication would be a program that triggers the heuristic
analysis of TbScan. If you used the 'V)alidate program' option in
the TbScan alert window, you will see that TbSetup next time
displays the value '0001' in the flags field. If you work in a
company and have a lot of these files installed on multiple
machines you can put these files in the TbSetup.Dat file yourself.
In this case run TbSetup and watch the filelength and 32-bit CRC
displayed. Note these values and put them into the TbSetup.Dat file
after the filename field. Then add the flag field value to the
entry, and finally execute TbSetup again to see if it recognizes
the file properly.
Note:
If you want to manually set or clear a flag field value, you can
use option 'set' and 'reset' to do so on the DOS command line:
TBSETUP TEST.EXE SET=0001
4. CONSIDERATIONS AND RECOMMENDATIONS
4.1. Residence of the Anti-Vir.Dat files
The Anti-Vir.Dat files will reside in the same directory as where
the program file resides. This means that every directory on your
system that contains any executable files will have its own
Anti-Vir.Dat file.
Some other anti-virus products maintain a somewhat similar
'fingerprint' list of all executable files, but in one large file
rather than a separate file in every directory.
We chose a separate file in every directory instead of one
file that contains information of all files in the system for the
following reasons:
- One file in every directory will ease maintenance. If you want
to remove a complete product, the accompanying Anti-Vir.Dat
file can be removed too.
- It will consume less disk space because path information does
not need to be stored in the information file.
- The TBAV utilities will perform faster because they do not have
to search through a huge file to locate the information of one
specific file.
- Installation is easier and more reliable in network
environments. On networks it is not unusual that the same files
have a different drive ID on different workstations. TBAV does
not suffer from this problem, but with one information file
that covers the whole system the drive IDs need to be stored
too, so every workstation should maintain its own list. The
supervisor would lose control in this situation.