NEMDOC.ENG (text file, 1993-03-13)
====================================================================
NEMESIS v 1.10 (c) 1992, Christian Sy & Robert Hoerner
====================================================================
CONTENT :
General Overview
How does NEMESIS work
How to start NEMESIS
Commandline-parameters of NEMESIS
NEMESIS warnings (DOS-Level)
NEMESIS warnings (Sector-Level)
Technical remarks
explanation of keys to press
Appendix (false alarms & incompatibilities )
Explanation of terms
====================================================================
Read the file REGISTER.DOC, too !
NEMESIS is shareware, not freeware or public domain.
If you are using it for longer than the trial period you HAVE to
register or delete it.
It is cheap ! Think of the amount of work it contains.
====================================================================
====================================================================
General overview
====================================================================
REQUIREMENTS:
-------------
- IBM XT or AT or compatible
- DOS 3.3 or higher
(tested it with:
PC-DOS 3.3, MS-DOS 5.00, 4DOS 3.0/4.0, DR-DOS 5.00,6.0)
- at least 64 KB free memory to start NEMESIS
- uses 0 Byte conventional memory, if you have XMS and enough
(min. 4KB) free upper memory
- uses 4 kB normal memory for resident NEMESIS if you have EMS,
but no (not enough) free upper memory
- uses 38 kB normal memory for resident NEMESIS if neither XMS nor EMS
- 32 KB EMS / one EMS-handle for extended-learning-mode
- sector-level protection (see below) needs
(1 KB EMS per 1 MB HD-space) + (32 KB EMS * Number of your
physically available drives, networkdrives excluded)
- it needs 3 EMS-handles per DOS-drive (only harddrives)
- EMS 4.0 for EMS-functions required.
Use EMSTEST.COM to check it out.
- two harddisks are supported.
====================================================================
Features :
----------
- ability to create a flexible sector-image of specified files and
to prevent infection nearly completely.
- ability to protect even files on SUBSTed, ASSIGNed and JOINed drives
on the level of sectors !
NEMESIS is the first program worldwide that is able to do this.
- protects your directories from being destroyed
- protects your FAT from being killed (not with SMARTDRV).
- warns if protected files are to be created / deleted / changed
- ability to run (!) almost completely in EMS, wasting a minimum of
conventional memory
- ability to load itself high, wasting not a single byte in
conventional memory.
- ability to learn about "good" programs.
- doesn't need and doesn't use any scanstrings, this means you
don't need an update every two weeks
- multiple languages available.
- delivers an EMS emulator. See EMS40.DOC for more information on that.
- contains an EMSTEST-utility.
====================================================================
Pre-defined filenames :
-----------------------
All the following files will be searched in the NEMESIS
start-directory.
NEMESIS.BIN : This file contains (nearly) all messages, that
NEMESIS can give.
NEMESIS.EXT : This file contains all extensions, that you want to
be protected in addition to the pre-defined
extensions (see later).
NEMESIS.FIL : If you deny a write to a protected file and did not
give the parameter "NOSAVE" , then NEMESIS will
redirect what should have been written into the file
NEMESIS.FIL.
NOTE : Since this file may contain viruses ( after
they have been disabled !) a scanner may find
virus-signatures there. There is no danger at all,
since NO VIRUS can infect from NEMESIS.FIL.
NEMESIS.OVA : Contains data that NEMESIS needs to remember after
learning. It is no "overlay", but protected by its
pseudo overlay-extension.
NEMESIS.CFG : This file contains your preferred commandline,
that you wish to give to NEMESIS.
If you normally want to start NEMESIS with "EMS" "FAT=OFF", you
can put these parameters into the file NEMESIS.CFG.
Type them exactly as you would type them at the DOS-prompt.
Use ONE line only ! NEMESIS will first read the commandline you actually
typed, analyse it, and then read the file NEMESIS.CFG.
If NEMESIS.CFG contains FAT=OFF, e.g., and you type "NEMESIS FAT=ON",
then "FAT=OFF" will be active, since NEMESIS.CFG is read
later (and overrides your "FAT=ON").
====================================================================
How does NEMESIS work
====================================================================
NEMESIS works on two levels :
-----------------------------
First (conventional) level is :
-------------------------------
if a file which has a protected extension is opened
(e.g. "COMMAND.COM" has the extension "COM", which is protected),
NEMESIS will notice it. NEMESIS will then act as you have
configured it, protecting this file from being changed without an
"OK" from you.
Second level is :
-----------------
Protection of those clusters which belong to files with
protected extensions.
This means : your HD does not know anything about files, it just
contains tracks and sectors. Your DOS however gives you access to
files, not to sectors. So, if you are starting any program, e.g.
COMMAND.COM, your DOS has to check which sectors on which tracks in
which sequence contain the file COMMAND.COM, then it reads these
sectors one after the other into memory and executes what they
contain (in our example, it starts COMMAND.COM and you will see a new
DOS-prompt).
See later : "technical remarks".
You can access the sectors of COMMAND.COM with NU.EXE or PCTOOLS.EXE
or any other sector accessing utility.
What we have implemented (we are the first worldwide..) is this :
we check which sectors are owned by files with protected
extensions, and if there is any write-access to one of these sectors,
NEMESIS will act.
The cluster-level protection, however, only works if you have
enough expanded memory.
====================================================================
How to start NEMESIS :
====================================================================
Just type "NEMESIS" at the DOS-prompt and wait.
NEMESIS will first compute a number that allows it to test
whether NEMESIS is infected or damaged.
NEMESIS will then read the first sector of NEMESIS and check
whether NEMESIS' disk-image has been changed.
NEMESIS will then check whether NEMESIS is already loaded.
If so, it skips the following step.
If started from a diskdrive, this step will be skipped, too.
Otherwise : NEMESIS will create one COM and one EXE file.
Both files will be re-read after creation to check whether you
already have an active virus in memory, then both files will be executed
for the same reason (no execution if NEMESIS runs from a network drive).
If everything seems to be ok, both will be deleted.
If NEMESIS detects that at least ONE of these files has been
modified, they will NOT be deleted, but you will get a message like
"Your system is already infected. Have a look into the file <blabla>".
This file exists in the root-directory of NEMESIS' startdrive.
NEMESIS then looks at what resources your computer has, which DOS-version
you have and so on, reads the commandline, reads NEMESIS.CFG and, if
everything seems to be o.k., especially if you have enough EMS for
NEMESIS' data, it will scan for clusters which are owned
by protected files.
This will look like this :
(note : "scanning" here has nothing to do with "virus-scanning" !)
------------------------------------------------------------------------------
NEMESIS 1.10 (english/unreg.), (c) 1992 Christian Sy & Robert Hoerner
Unregistered evaluation copy
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Protected files in drive
EXE,COM,SYS,OV?,BIN
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Scanning partition C: , please wait... SYSTEM
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ total EMS in KB is : 7360
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ free EMS is KB is : 4672
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ used EMS in KB is : 0
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
------------------------------------------------------------------------------
or like this :
------------------------------------------------------------------------------
NEMESIS 1.10 (english/unreg.), (c) 1992 Christian Sy & Robert Hoerner
Unregistered evaluation copy
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Protected files in drive
EXE,COM,SYS,OV?,BIN
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Scanning partition C: , please wait... SYSTEM
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ total EMS in KB is : 7360
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ free EMS is KB is : 4672
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ used EMS in KB is : 0
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
No cluster level protection possible on drive D:.
Reason : drive is controlled by
SSTOR.
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
------------------------------------------------------------------------------
Since compressed drives are not protected, you will be informed.
Then you will see a screen, that contains the current status of
resident NEMESIS and you can go on with your work :
------------------------------------------------------------------------------
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
NEMESIS 1.10 installed ...
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Copyright 1992,1993 by Christian Sy & Robert Hoerner
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Status of resident NEMESIS
Resident NEMESIS is currently ON
WAIT for keypress is ON used DOS-memory : 512 Byte
SAVE instead of WRITE is ON used upper memory : 4000 Byte
warning on FAT-writes are ON (CODE) EMS-memory : 35478 Byte
INVALID calls allowed is ON (DATA) EMS-memory : 336 KB
warning if bootsector changed is ON used EMS-handles : 14
WATCH interrupts is ON -------------------------------
STEALTH-MODE (using EMS) is ON MS-DOS/PC-DOS : 5.0
watching sectors directly is ON Processor : 80386
initializing memory was OFF
allow TBSCANs special feature is OFF
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Protected files in drive C:,D:,E:,F:,
EXE,COM,SYS,OV?,BIN
Problem to read absolute sectors in upper memory !
Requesting low memory for buffering.
C:\NEMESIS 14:07>
------------------------------------------------------------------------------
Maybe "STEALTH-MODE" and "watching sectors" are "OFF" on your screen.
Then you have no (or not enough) EMS or you gave the parameters
"NOEMS" and/or "NOFAT" to NEMESIS (see : "parameters").
The right side of your screen will contain other values, too. These
values depend on your actual configuration, your harddisk-size,
the amount of executables on your harddisk and so on.
"Used DOS-memory" means the amount of conventional memory that
NEMESIS uses. The above picture is made from my computer; I have EMS
and XMS installed, so NEMESIS loaded itself high and wasted 0 Byte
of conventional memory. Instead it used 4000 byte of "upper memory"
above 640 K, but below 1 MB.
But since I have a Busmaster-DMA-controller built in, NEMESIS has to
request a 512-byte buffer for direct sector-access. It resides in
DOS-memory. Without this I would not have any protection against
destruction of directories.
Since I have EMS, NEMESIS swapped itself into expanded memory, using
33673 byte of it (it used 49152 Byte, since you can request
expanded memory only in pieces of 16384 byte) for its code.
It needed 1 EMS-handle for this.
NEMESIS has scanned my harddisk, so I have sector-level protection.
NEMESIS used 12 handles of EMS for its data (drive C: to F:, each one
needs 3 handles). These 12 handles contain 336 KB expanded memory.
One more handle is used for learning. So NEMESIS needs 14 handles.
The other data is given for debug purposes. Maybe NEMESIS acts
"strange" or doesn't work at all. Then most probably one of its
internal switches is wrong. This may be the version of DOS or another one.
It doesn't tell every switch, but if one of the above values is wrong
then please : drop a note to Robert Hoerner, address below.
---------------------------------------------------------------------
What you can see is the current status of NEMESIS.
If you wish to change anything : do it.
NEMESIS detects NEMESIS in memory and will not go resident twice
but give the new status to the resident NEMESIS.
------------------------------------------------------------------------------
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
NEMESIS-parameters are :
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
ON/OFF : Switches NEMESIS "ON" or "OFF"
QUIT : Removes NEMESIS completely from memory
ADD : add new extensions to protect
TBSCAN=ON/TBSCAN=OFF : (not) allow TBSCAN-special feature (be careful ...)
WAIT/NOWAIT : (no) wait for keypress on decisions
FAT=ON/FAT=OFF : (no) warnings an writings to FAT
WATCH/NOWATCH : do (not) watch for changes of interrupts
SAVE/NOSAVE : on rejected write-accesses : (no) save instead of write
FACE/NOFACE : show (no) activity face on screen
BOOT=ON/BOOT=OFF : (no) warnings, if bootsector is written
INVALID/NOINVALID: (not) allow invalid calls to DOS
SHA=,SW=,CO1=,CO2=,CO3=,CO4=,CO5=,CO6=,CO7= : set colors
The following parameters are valid only at startup :
LOW : NEMESIS should NOT loadhi itself
EMS/NOEMS : do (not) use EMS for code
NOFAT : should (or can) not use EMS for cluster-level protection
INIT : initialize memory on startup
BATCH : switch NEMESIS on and off without asking
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
C:\NEMESIS 14:08>
------------------------------------------------------------------------------
====================================================================
Commandline-parameters of NEMESIS :
====================================================================
Simply type "NEMESIS ?" at the DOS-prompt to see all parameters.
You can type the commands when starting NEMESIS and at any time later.
====================================================================
ON/OFF : Switches NEMESIS "ON" or "OFF"
====================================================================
You can switch NEMESIS OFF and ON whenever you wish it.
NEMESIS works resident and watches every access to your HD and
watches many calls to your DOS. This cannot be done without affecting
the performance of your system. So, if you are sure not to be in
danger of viruses you can temporarily switch NEMESIS OFF and then
switch it on again.
====================================================================
ADD : add new extensions to protect
====================================================================
You can add new protected extensions whenever you wish.
Create a textfile "NEMESIS.EXT" containing the extensions you wish to
be protected, e.g. "PIFDBFLOGBAT" and so on. Do not write the quotes,
just write the extensions themselves without spaces.
Each extension may contain the "?" wildcard(s) and must be 3 chars.
This means "FI?" is valid, "F*" is NOT valid.
"???" is valid and will result in protecting ALL files :
WE DO NOT RECOMMEND THIS !
You would be warned on every write-access to any file (textfiles,
tmp-files and so on....).
You can add up to 24 extensions.
NEMESIS will then re-scan your harddisk.
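The cluster-level protection described in "How does NEMESIS work" and the extension rules of this section, modelled together as an added Python example (not NEMESIS code): a tiny FAT-style volume is constructed inline, the protected extensions (built-in list plus one NEMESIS.EXT line) decide which files count, and the sector map that the startup scan produces tells whether a raw sector write would hit a protected file. Volume layout, file names and cluster chains are constructed sample data.

```python
"""Model of NEMESIS' two protection levels (constructed example, not NEMESIS code).
Level 1 matches a file's extension against the protected patterns (with the
'?' wildcard and the NEMESIS.EXT format from the ADD section); level 2 maps each
protected file to the clusters and sectors it owns, so that a raw sector
write can be attributed to a file, which is what the startup 'scanning' enables."""

MAX_EXTENSIONS = 24                                        # limit stated in the ADD section
DEFAULT_EXTENSIONS = ["EXE", "COM", "SYS", "OV?", "BIN"]    # as shown on the status screen
END_OF_CHAIN = 0xFFFF                                      # simplified end-of-chain marker


def parse_ext_file(text):
    """NEMESIS.EXT holds extensions back to back without separators ('PIFDBFLOGBAT');
    each is exactly 3 characters, '?' is allowed, '*' is not."""
    text = text.strip().upper()
    if not text or len(text) % 3:
        raise ValueError("extension list length must be a multiple of 3")
    exts = [text[i:i + 3] for i in range(0, len(text), 3)]
    for ext in exts:
        if not all(c == "?" or c.isalnum() for c in ext):
            raise ValueError("invalid extension %r (only letters, digits and '?')" % ext)
    if len(exts) > MAX_EXTENSIONS:
        raise ValueError("at most %d extensions can be added" % MAX_EXTENSIONS)
    return exts


def ext_matches(ext, pattern):
    """'?' matches any single character of the (space padded) 3-char DOS extension."""
    if len(ext) > 3 or len(pattern) != 3:
        return False
    ext = ext.upper().ljust(3)
    return all(p == "?" or p == c for p, c in zip(pattern, ext))


def is_protected_name(filename, patterns):
    """Level 1 (DOS level): decide from the name alone, as the INT 21h hook does."""
    _, dot, ext = filename.rpartition(".")
    if not dot:
        ext = ""
    return any(ext_matches(ext, p) for p in patterns)


class Volume:
    """Minimal FAT-style volume: a cluster chain table plus a root directory."""

    def __init__(self, sectors_per_cluster, first_data_sector, fat, root_dir):
        self.spc = sectors_per_cluster
        self.first_data_sector = first_data_sector
        self.fat = fat            # cluster number -> next cluster, or END_OF_CHAIN
        self.root_dir = root_dir  # filename -> first cluster

    def chain(self, first_cluster):
        """Follow the FAT from the first cluster to the end of the chain."""
        seen = set()
        cluster = first_cluster
        while cluster != END_OF_CHAIN:
            if cluster in seen or cluster not in self.fat:
                raise ValueError("broken cluster chain at cluster %d" % cluster)
            seen.add(cluster)
            yield cluster
            cluster = self.fat[cluster]

    def cluster_sectors(self, cluster):
        """Data clusters are numbered from 2; they follow the FATs and the root directory."""
        first = self.first_data_sector + (cluster - 2) * self.spc
        return range(first, first + self.spc)


def build_sector_map(volume, patterns):
    """The startup 'scanning': map every sector of a protected file to its owner."""
    owner = {}
    for name, first_cluster in volume.root_dir.items():
        if not is_protected_name(name, patterns):
            continue
        for cluster in volume.chain(first_cluster):
            for sector in volume.cluster_sectors(cluster):
                owner[sector] = name
    return owner


def check_sector_write(owner, sector):
    """Level 2 (sector level): name the protected file a raw write would hit, else None."""
    return owner.get(sector)


# Constructed sample volume: 4 sectors per cluster, data area starting at sector 100.
SAMPLE_FAT = {2: 3, 3: END_OF_CHAIN, 4: END_OF_CHAIN, 5: 7, 6: END_OF_CHAIN, 7: END_OF_CHAIN}
SAMPLE_ROOT = {"COMMAND.COM": 2, "README.TXT": 4, "NEMESIS.OVA": 5, "HIMEM.SYS": 6}
SAMPLE_VOLUME = Volume(4, 100, SAMPLE_FAT, SAMPLE_ROOT)
SAMPLE_PATTERNS = DEFAULT_EXTENSIONS + parse_ext_file("PIFDBFLOGBAT")
SAMPLE_OWNER = build_sector_map(SAMPLE_VOLUME, SAMPLE_PATTERNS)

if __name__ == "__main__":
    for sector in (105, 109, 121):
        hit = check_sector_write(SAMPLE_OWNER, sector)
        print("write to sector %d: %s" % (sector, "hits " + hit if hit else "not protected"))
```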
====================================================================
WAIT/NOWAIT : (no) wait for keypress on decisions
====================================================================
Normally NEMESIS will open a window and ask you how to act.
If you are sure that every write-access to files with protected
extensions should be rejected, you can give the parameter "NOWAIT" to
NEMESIS. Then you will never be asked, any writeaccess to any protected
file will be rejected.
Use this with care ! There are some executables that write to
themselves, if you reconfigure them (TURBO-Pascal, Q-Edit, Wordstar,
and many others, too).
If NEMESIS rejects this write-request your new configuration is
lost.
====================================================================
FAT=ON/FAT=OFF : (no) warnings on writings to FAT
====================================================================
Since some (useful) programs are writing directly to your FAT
(file allocation table) without "going through DOS", NEMESIS will give
warnings that may be (and in these cases : ARE) false alarms.
To disable this warning temporarily simply type "NEMESIS FAT=OFF".
You can switch the warnings on again by typing "NEMESIS FAT=ON".
If you are using SMARTDRV from Microsoft (r) then this switch is
internally forced to FAT=OFF.
====================================================================
WATCH/NOWATCH : do (not) watch for changes of interrupts
====================================================================
Most viruses hook some interrupts to be sure that they can work.
(see "technical remarks" ).
For example : if you type "NEMESIS" at the DOS-prompt a call to
interrupt 21h will be performed, containing the text "NEMESIS".
This call will be received by your DOS, which loads NEMESIS.COM from
your HD and starts it.
If there is any other program that you have started and that has
hooked interrupt 21h (e.g. DOSEDIT), this program will "hear" the
call too and can react. DOSEDIT will not react on THIS call, but most
viruses WILL.
NEMESIS can notice any hooking of those interrupts that are
"interesting" for viruses. If one of these has been hooked it
will give you a warning and you can decide what to do.
====================================================================
BOOT=ON/BOOT=OFF : (no) warnings, if bootsector is written
====================================================================
Normally the first bootsector of each harddisk is protected as a
special system-sector. If you give "BOOT=ON" as a parameter, then each
bootsector on every partition is protected.
Normally these sectors should never be written to.
If you have small partitions (normally with less than 10 MB) some
diskeditors will write into these sectors. Then you can disable the
warnings by calling NEMESIS with parameter BOOT=OFF.
====================================================================
SAVE/NOSAVE : on rejected write-accesses :
(no) save instead of write
====================================================================
Since NEMESIS can reject any write-access you might be
interested in WHAT should have been written.
It could be a virus as well as your actual configuration (see above).
If you tell NEMESIS to "SAVE" , then a file "NEMESIS.FIL" will be
created, where this (rejected) data will be written into.
====================================================================
INVALID/NOINVALID: (not) allow invalid calls of DOS-interrupt 21h
====================================================================
Some viruses have a simple way to detect themselves in memory : they
perform a call to interrupt 21h and listen to the "answer".
There are some known "calls" and "answers".
NEMESIS can watch for these calls.
However : a lot of these calls are used by network-software, too.
So : if you are running NEMESIS on a network, these calls normally
will be calls from the network itself, and you will very often get
false "virus"-alarms.
On computers without any network these calls normally are "invalid",
that means DOS does not know the "answer". NEMESIS does.
====================================================================
TBSCAN=ON/TBSCAN=OFF : (not) allow TBSCANs special feature
====================================================================
TBSCAN is a very fast virus scanner, written by Frans Veldman,
Netherlands. Since version 3.0 it uses a special feature to increase
its performance : it swaps the DOS-internal entry into your hard-disk
ROM, so it can directly access your harddisk. Since this is typical
for some "advanced" viruses, too, we first decided NOT to allow this
swapping.
TBSCAN, however, is a good scanner, so we give the responsibility to
you : by default this feature is NOT ALLOWED.
Starting TBSCAN will result in it being aborted by NEMESIS. You have to
call NEMESIS with "TBSCAN=ON", then TBSCAN is allowed to swap.
Read the note below about CALIBRATE.
* BE CAREFUL *
A virus is allowed to swap, too !!! NEMESIS cannot decide whether a
virus swaps or TBSCAN swaps...
You should call NEMESIS again with "TBSCAN=OFF" at once after
running TBSCAN.
====================================================================
FACE / NOFACE : show (no) activity-indicator
====================================================================
If you give NEMESIS the command NOFACE it will not display the
indicator, otherwise it will. It is always shown, if NEMESIS works.
====================================================================
====================================================================
The following parameters are valid only at startup :
====================================================================
====================================================================
LOW : NEMESIS should not loadhi itself.
====================================================================
From version 0.97 on NEMESIS is able to loadhi itself.
Since version 1.10 it doesn't allow you to use the LOADHIGH-command
from DOS, since in most cases it will cause problems.
(see note about "loadhi").
If NEMESIS loads itself high, it will start in conventional memory,
copying all parts that will be needed high, not a byte more than this.
If you have no expanded memory, but enough upper memory, it will load
itself completely (35 KB) high.
If you have EMS and did not say "NOEMS" it will only need 4000 Byte of
upper memory.
So if you have only a little "hole" in upper memory, LOADHIGH would not
be able to load NEMESIS high. NEMESIS itself IS able to do it.
However, if you want to prevent NEMESIS from using upper memory,
give "LOW" as parameter at startup, and it will not loadhi itself.
====================================================================
EMS/NOEMS : do (not) use EMS for its code
====================================================================
NEMESIS can work in normal DOS-RAM, in UPPER MEMORY or in EMS-MEMORY.
Since an anti-virus-program has to be secure from changes that
viruses could make in the resident portion, it is best to start
NEMESIS without either of these parameters.
If you have at least 48kB free EMS then NEMESIS's code will reside
there, unreachable for any other program (especially for viruses).
If you do not have EMS then NEMESIS will install itself in normal
DOS-RAM or , if you have XMS, it will LOADHI itself into upper
memory.
If you have no (or not enough) EMS this switch will internally be
switched "OFF".
See the notes about EMM.SYS, EMM386 and SMARTDRV.EXE !
====================================================================
NOFAT : should (or can) not use EMS for
cluster-level protection
====================================================================
The same problem as above : You have no or not enough EMS and you are
telling this to NEMESIS at startup.
However, you do not need to tell this to NEMESIS, since it checks for
enough EMS during its initialization.
You can use this switch to switch off Cluster-level-protection, if you
like to.
====================================================================
BATCH : allow "OFF" ,"ON" and "QUIT" without
request of any keypress (BATCH)
====================================================================
This switch replaces "SYSOP". "SYSOP" is removed.
Be careful with this parameter. Giving it at startup allows switching
NEMESIS ON and OFF from a normal batchfile.
Since version 1.10 it is also allowed to remove NEMESIS with "BATCH".
A virus that first creates such a batchfile and then executes it
is _not_ impossible.
However, on automatically running systems like BBSes it is necessary to
switch NEMESIS "OFF" sometimes.
In earlier versions of NEMESIS it allowed creating and deleting
protected files. This has been changed, since NEMESIS can now learn
into a file. See note about "learning" below.
BE CAREFUL WITH THIS PARAMETER ! IT IS A SECURITY HOLE !
We include a little NEMTEST.COM, that gives an ERRORLEVEL 0 if
NEMESIS is present and an ERRORLEVEL 1 if not. You can use this
NEMTEST in your batches.
====================================================================
INIT : initialize memory on startup (** CHANGED **)
====================================================================
There are some new viruses that search for enough "free" bytes in
your memory (usually in the part where your DOS resides) and copy
themselves to these regions.
NEMESIS can prevent this by searching for these "infectable"
memory-regions and making them useless for these viruses.
With INIT it also searches for orphan interrupts and sets them to
iret. INT 68h to INT ... excluded!
====================================================================
QUIT : remove NEMESIS completely from memory.
====================================================================
It removes NEMESIS completely from memory.
This can cause problems : if you loaded any TSR after NEMESIS which
hooks one of these interrupts :
8,9,13,20,21,26,27,28,2F,30,40,67,
(all hex) then it *may* crash your computer.
It surely *will* crash it, if the TSR "calls far" one of these
interrupts *and* if the TSR is triggered by an interrupt that is not
in this list.
It will *not* crash if it performs an "int xy".
It will be unlinked, however, if it handles one of these interrupts.
If you gave BATCH as a command at startup, then you will not be asked
whether it is ok to remove NEMESIS : it will de-install at once.
====================================================================
SHA=,SW=,CO1=,CO2=,CO3=,CO4=,CO5=,CO6=,CO7= : set colors
====================================================================
The following parameters are always valid and can be inserted into
NEMESIS.CFG. Changes will not be given to resident NEMESIS.
--------------
Use NEMCFG.EXE (part of NEMESIS-package) to install the colors.
--------------
SHA=z set shadow-character (default SHA=░ )
SW=xy set shadow-color (default SW=0F : white on black)
CO1=xy set background color 1 (default CO1=1F : white on blue)
CO2=xy set status color 1 (default CO2=1E : yellow on blue)
CO3=xy set textcolor 1 (default CO3=70 : black on white)
CO4=xy set warning color 1 (default CO4=4B : yellow on red)
CO5=xy set warning color 2 (default CO5=4F : white on red)
CO6=xy set status color 2 (default CO6=1B : bright blue on blue)
CO7=xy set info color 1 (default CO7=71 : blue on white)
"xy" has to be given as a HEX-value with always two valid digits :
x always means the background-color (x = 0..F allowed)
y always means the foreground-color (y = 0..F allowed)
The file MONO.CFG contains a commandline for users of monochrome
monitors, the file COLOR.CFG contains the default colors.
You have to rename (or insert) these CFG-files to NEMESIS.CFG to make
them work.
NOTE :
======
- CO2=2 is invalid : two digits required
- CO2=4G is invalid : G is not a valid number (only 0..F allowed)
- CO3=44 is invalid : would be invisible (red text on red background)
Setting "x" to a value greater than 7 results in blinking text with a
background color of "x-8".
Setting "y" to a value greater than 7 results in a lighted color (not
blinking).
You can use the following table to find your colors. The first line of
each row gives the valid code for "x" and "y", the second line the
resulting color (remember the note about blinking text) :
------------------------------------------------------------------
code  :  0          1             2            3
color :  black      blue          green        cyan
------------------------------------------------------------------
code  :  4          5             6            7
color :  red        magenta       brown        lightgrey
------------------------------------------------------------------
code  :  8          9             A            B
color :  darkgrey   lightblue     lightgreen   lightcyan
------------------------------------------------------------------
code  :  C          D             E            F
color :  lightred   lightmagenta  yellow       white
------------------------------------------------------------------
xy of 37 means "lightgrey on cyan" (x is 3 and y is 7)
xy of 5F means "white on magenta" (x is 5 and y is F)
xy of 9F means "blinking white on blue",
because x is greater than 8 and "x-8" is 1, which means "blue".
-----------------------------------------------------------------
Again : use NEMCFG.EXE to install your own colors.
Otherwise you will damage your health.
-----------------------------------------------------------------
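The xy rules above, worked through as an added Python example (not part of the NEMESIS package or NEMCFG.EXE): it validates a two-digit value, decodes blinking and the colour names from the table, and picks the colour settings out of a NEMESIS.CFG line. Treating every identical foreground/background pair as invisible, not only 44, is an assumption generalised from the note above; the sample CFG line is constructed from the documented defaults.

```python
"""Decoder for NEMESIS' two-digit 'xy' colour values (constructed example, not
NEMCFG.EXE or NEMESIS code). x is the background digit, y the foreground digit,
both hex 0..F; x above 7 means blinking text on background x-8, y above 7 is the
'lighted' shade of the colour."""

# Colour table from the documentation, indexed by the hex digit value.
COLOR_NAMES = ["black", "blue", "green", "cyan",
               "red", "magenta", "brown", "lightgrey",
               "darkgrey", "lightblue", "lightgreen", "lightcyan",
               "lightred", "lightmagenta", "yellow", "white"]
HEX_DIGITS = "0123456789ABCDEF"
COLOR_KEYS = ("SW", "CO1", "CO2", "CO3", "CO4", "CO5", "CO6", "CO7")


def decode_xy(value):
    """Return (blinking, background_index, foreground_index) or raise ValueError."""
    value = value.strip().upper()
    if len(value) != 2:
        raise ValueError("two digits required, got %r" % value)
    for ch in value:
        if ch not in HEX_DIGITS:
            raise ValueError("%r is not a valid digit (only 0..F allowed)" % ch)
    x, y = int(value[0], 16), int(value[1], 16)
    blinking = x > 7
    background = x - 8 if blinking else x   # the high bit of x is the blink bit
    # The doc rejects 44 as invisible; the same check is applied to any
    # identical pair (assumption generalised from that example).
    if background == y:
        raise ValueError("%s would be invisible (%s on %s)"
                         % (value, COLOR_NAMES[y], COLOR_NAMES[background]))
    return blinking, background, y


def describe(value):
    """Human readable form, e.g. '9F' -> 'blinking white on blue'."""
    blinking, background, foreground = decode_xy(value)
    text = "%s on %s" % (COLOR_NAMES[foreground], COLOR_NAMES[background])
    return "blinking " + text if blinking else text


def parse_color_params(cmdline):
    """Pick the colour settings out of a NEMESIS commandline or NEMESIS.CFG line.
    Other tokens (ON, FAT=OFF, ...) are ignored; a bad colour value raises."""
    settings = {}
    for token in cmdline.split():
        key, sep, val = token.partition("=")
        key = key.upper()
        if not sep:
            continue
        if key == "SHA":
            if len(val) != 1:
                raise ValueError("SHA= takes exactly one shadow character")
            settings[key] = val
        elif key in COLOR_KEYS:
            settings[key] = describe(val)
    return settings


# Constructed NEMESIS.CFG line using the documented defaults.
DEFAULT_CFG_LINE = "EMS FAT=OFF SHA=░ SW=0F CO1=1F CO2=1E CO5=4F CO7=71"

if __name__ == "__main__":
    for key, value in parse_color_params(DEFAULT_CFG_LINE).items():
        print(key, "=", value)
```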
======================================================================
NEW : Learning into file.
======================================================================
This feature needs 32 KB expanded memory.
If you have no EMS, it will be disabled.
Since you normally are using the same programs that cause warnings,
but could be learned as "good" programs, we added the feature to
learn into a file. NEMESIS stores the NAME and EXTENSION of the
calling program (for example ARJ.EXE) as well as it can be
reconstructed, the offset, where the call came from and a number,
that identifies the region in memory, where the call came from.
So, if you have caused NEMESIS to learn an adress, you (hopefully)
will really never again been asked,
- EXCEPT there will be a change in the programs code-region (*), and
- EXECPT the call comes from a different offset and
- EXCEPT the program has been renamed.
Up to 1724 positions can be learned. If you have no EMS, NEMESIS can
learn up to 80 positions anyway. But they are lost, if you remove
NEMESIS from memory and have again to be learned the next time you
start it.
NEMESIS "learns" the address of the calling code (1234:5678 for example)
and will never ask you again if an action comes from this specific
point in your memory.
Your COMMAND.COM normally resides at the same address in memory.
If you DEL some protected files, NEMESIS will warn you.
You can tell NEMESIS to LEARN this address as a "good" address, and
you will never be warned again if you DEL something. Be aware what
this means: every DEL issued from COMMAND.COM, including one from a
batch file, will then pass without a question.
Maybe you are starting a known "good" terminate-stay-resident program.
NEMESIS will ask for your "ok". Let it learn that it's "OK" and you
will never be asked again.
Starting DESQview will result in a "hang" with NEMESIS in memory.
The first time you tell NEMESIS that you are about to start DV, this
will be learned, too.
(*) for example :
TURBO.EXE from Borland places its relocated data segment within the
checked window. So you will be warned each time TURBO.EXE
is loaded into a different memory-region.
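The following is an added example, not NEMESIS code, of how a "learn into file" record can be keyed so that each of the three EXCEPT cases above (renamed program, different call offset, changed code region) misses the table and causes a new prompt. NEMESIS's real region number is not documented; the fingerprint used here (CRC-32 over a fixed window of bytes around the call site) is an assumption chosen so that the TURBO.EXE case, a relocated data word inside the checked window, shows up as a region change while a change far away from the call site does not.

```python
"""
Added example (not NEMESIS code): a learn table keyed on program name,
call offset and a fingerprint of the code region around the call site.
The window size and the CRC-32 fingerprint are assumptions.
"""
import zlib
from dataclasses import dataclass

WINDOW = 64  # assumed size of the code window hashed around the call site


def region_fingerprint(code: bytes, offset: int, window: int = WINDOW) -> int:
    """Number identifying the region around `offset` in the caller's image."""
    lo = max(0, offset - window // 2)
    return zlib.crc32(code[lo:offset + window // 2]) & 0xFFFFFFFF


@dataclass(frozen=True)
class LearnKey:
    name: str      # NAME.EXT of the calling program, as reconstructed
    offset: int    # offset the call came from
    region: int    # number identifying the code region


class LearnTable:
    """Persistent 'good' positions, matched like the three EXCEPT rules."""

    def __init__(self, capacity: int = 1724):   # 1724 positions with EMS
        self.capacity = capacity
        self.entries = set()

    def learn(self, name: str, offset: int, code: bytes) -> bool:
        if len(self.entries) >= self.capacity:
            return False
        self.entries.add(LearnKey(name.upper(), offset,
                                  region_fingerprint(code, offset)))
        return True

    def is_learned(self, name: str, offset: int, code: bytes) -> bool:
        key = LearnKey(name.upper(), offset, region_fingerprint(code, offset))
        return key in self.entries


def demo():
    # Constructed caller image: 256 bytes of pseudo code, call site at 0x80.
    image = bytes((i * 37 + 11) & 0xFF for i in range(256))
    table = LearnTable()
    table.learn("ARJ.EXE", 0x80, image)
    same = table.is_learned("ARJ.EXE", 0x80, image)
    renamed = table.is_learned("ARJ2.EXE", 0x80, image)       # EXCEPT: renamed
    other_offset = table.is_learned("ARJ.EXE", 0x90, image)   # EXCEPT: other offset
    # EXCEPT: code region changed, e.g. a relocated data word inside the
    # checked window (the TURBO.EXE case): patch two bytes before the call.
    patched = bytearray(image)
    patched[0x70:0x72] = b"\x00\x00"
    changed_region = table.is_learned("ARJ.EXE", 0x80, bytes(patched))
    # A change outside the window is not a change of the code region.
    far = bytearray(image)
    far[0x10] ^= 0xFF
    outside = table.is_learned("ARJ.EXE", 0x80, bytes(far))
    return same, renamed, other_offset, changed_region, outside


if __name__ == "__main__":
    print(demo())
```

Run as a script, demo() returns (True, False, False, False, True): only the unchanged call site is recognised, the rename, the other offset and the patched window all fall through to a new prompt.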
======================================================================
EDITOVA Utility for editing NEMESIS.OVA
======================================================================
This is for registered users ONLY.
It can be downloaded from our support-bbs's.
It allows you to edit NEMESIS.OVA with a normal editor. Problems like
the one with TURBO.EXE can be solved using this utility.
======================================================================
NEMESIS is resident.
======================================================================
Suddenly a line appears: "press any key for informations".
Ok, you press any key (NUMLOCK or SHIFT do not count [that was a joke]).
A window opens explaining the situation. There are several messages
that can be displayed, and the window will look like this :
------------------------------------------------------------------------------
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Attempt to create a protected file : <filename.ext> <-this should be created
Request comes from : 1234:5678 <-address of caller
<other filename.ext> <-name of calling program
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Do you allow it ?
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
<Y>es : allowed
<N>o : not allowed
<D>eny : alway "N"o , until program ends
<G>o : alway "Y"es , until program ends
<A>bort : abort program immediately
<L>earn : always allow this program
<T>ry : fails, if file already exists
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
------------------------------------------------------------------------------
What happened ? Someone (probably YOU) has tried to write to a
protected file. Maybe you have copied some programs from one path to
another. Then a new file has to be created with the same (protected)
name.
If this is the case : type "y" to allow it one time, or "g" to allow
it until your program ends. At the DOS-prompt "g" is accepted, too.
If you are sure that in the given situation it is always allowed
to create the file, you can tell NEMESIS so by pressing the "L"-key.
** Handle with care **
If you are sure that you did not want to create the file, you can
type either "n" or "d".
If you feel nervous, because you know that there are viruses on your
computer, you can "a"bort, too.
"A"bort brings you to the DOS-prompt at once. Any previous work
that is not saved will be lost. If you have edited a textfile and not
saved the new content, it will be lost. If you are reconfiguring a
program that writes the new configuration into itself : it will be
lost.
Again : HANDLE WITH CARE, but no need to be nervous !
If you type "n" then the file will neither be created nor can anything
be written into this (nonexisting) file.
If you type "t" then DOS tries to create the file.
If the file already exists, this create will fail.
If it does not exist yet, it will be created and you will not be asked
about this file again.
====================================================================
Back to the "keys" :
====================================================================
"Y" means : allow the current action ONE TIME ONLY and then ask again.
"N" means : deny the current action ONE TIME ONLY and then ask again.
"G" means : allow everything until the current program ends.
"END" means you left the program.
Shelling to DOS and returning to the program is handled
as "program has ended and is restarted again".
You will be asked again.
"D" means : deny everything until the current program ends.
"END" means the same as above.
"L" means : remember the current address. If any (!) action comes again
from this given address then let it pass: do not ask, but
allow the action.
"A" means : abort immediately. Abort the current program and return to
the executing shell (DOS or Norton Commander, e.g.).
The current program will be terminated.
"T" means : try to create the file. If it exists : fail, else make a
new one.
====================================================================
TECHNICAL REMARKS
====================================================================
NEMESIS is a very complex program. In order to handle it properly,
you should understand at least a bit of what it does and how it works.
Basically, NEMESIS can be divided into two parts:
the DOS-level-protection and the BIOS-level-protection.
This means : on the one hand there is code which watches DOS-calls and
warns you if protected FILES are about to be changed, deleted, renamed
and so on... This was already explained above and is more or less a
standard feature among resident anti-virus programs.
The other main part of NEMESIS works at a deeper level; if there are no
strange (viral) activities on your system, you should never get in
touch with it.
It works this way:
NEMESIS scans the whole harddisk and creates a sector-image of the
protected files.
Any (ANY) BIOS-level write access is analysed to see whether its
destination is a protected file. If so, you get a warning.
NEMESIS is the first program which implements this idea seriously, so
there is not much experience which could have helped to reduce the
number of false alarms.
Let us show you the dilemma with a simple example:
One feature of NEMESIS is to detect FAT-writes which don't come from
DOS.
Usually this should not happen, but sometimes it does.
There are some programs which use 'backdoors' that bypass DOS, so you
get an alarm and think: 'stupid software, what is going on ?'
That's why we made every feature optional, which means you can
disable it (in the above case with the parameter FAT=OFF) if you
regularly use software which bypasses the DOS-file-system (in the
appendix you can find a list of programs which may cause false alarms).
SMARTDRV from Microsoft is such "bypassing" software.
Therefore you have NO FAT-PROTECTION with SMARTDRV !
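The following is an added example, not NEMESIS code, of the idea behind the sector-level protection just described, as a stand-alone model: a map of protected sectors (FAT area, root directory, and the clusters of protected files) is built once from the FAT layout, and every BIOS write (INT 13h, given as cylinder/head/sector plus a sector count) is checked against that map. The disk geometry, the FAT layout values and the cluster chains are constructed for the example; the FAT=OFF switch is modelled as a flag that makes FAT-area hits silent, which is what the parameter costs you.

```python
"""
Added example (not NEMESIS code): a protected-sector map and a check
of BIOS-level writes against it. Geometry, layout and cluster chains
below are constructed; the boot/partition sector is not modelled here.
"""
from dataclasses import dataclass, field


@dataclass
class FatLayout:
    sectors_per_cluster: int
    reserved_sectors: int      # boot sector area before the FATs
    fat_count: int
    sectors_per_fat: int
    root_entries: int          # 32-byte entries in the fixed root directory
    bytes_per_sector: int = 512

    @property
    def fat_start(self):
        return self.reserved_sectors

    @property
    def root_start(self):
        return self.fat_start + self.fat_count * self.sectors_per_fat

    @property
    def root_sectors(self):
        return (self.root_entries * 32) // self.bytes_per_sector

    @property
    def data_start(self):
        return self.root_start + self.root_sectors

    def cluster_to_sector(self, cluster: int) -> int:
        # The data area begins with cluster number 2 in FAT12/FAT16.
        return self.data_start + (cluster - 2) * self.sectors_per_cluster


@dataclass
class Geometry:
    heads: int
    sectors_per_track: int

    def chs_to_lba(self, cyl: int, head: int, sector: int) -> int:
        # INT 13h sector numbers are 1-based, cylinders and heads 0-based.
        return (cyl * self.heads + head) * self.sectors_per_track + (sector - 1)


@dataclass
class SectorMap:
    layout: FatLayout
    protected: dict = field(default_factory=dict)   # sector -> label
    fat_protection: bool = True                      # the FAT=OFF switch

    def add_range(self, start: int, count: int, label: str):
        for s in range(start, start + count):
            self.protected[s] = label

    def protect_system_areas(self):
        lo = self.layout
        self.add_range(lo.fat_start, lo.fat_count * lo.sectors_per_fat, "FAT")
        self.add_range(lo.root_start, lo.root_sectors, "ROOTDIR")

    def protect_file(self, name: str, cluster_chain):
        for c in cluster_chain:
            self.add_range(self.layout.cluster_to_sector(c),
                           self.layout.sectors_per_cluster, "FILE " + name)

    def check_write(self, lba: int, count: int) -> set:
        """Labels of protected objects that a write of `count` sectors at `lba` hits."""
        hits = set()
        for s in range(lba, lba + count):
            label = self.protected.get(s)
            if label is None:
                continue
            if label == "FAT" and not self.fat_protection:
                continue              # FAT=OFF: direct FAT writes pass silently
            hits.add(label)
        return hits


def build_demo_map():
    # Constructed layout: 4 sectors per cluster, 2 FATs of 8 sectors, 512 root entries.
    layout = FatLayout(sectors_per_cluster=4, reserved_sectors=1, fat_count=2,
                       sectors_per_fat=8, root_entries=512)
    m = SectorMap(layout)
    m.protect_system_areas()
    m.protect_file("COMMAND.COM", [2, 3, 4])     # constructed cluster chains
    m.protect_file("NEMESIS.COM", [10, 11])
    return m


if __name__ == "__main__":
    m = build_demo_map()
    geo = Geometry(heads=4, sectors_per_track=17)
    # A write straight into the FAT via INT 13h: cylinder 0, head 0, sector 2.
    print(m.check_write(geo.chs_to_lba(0, 0, 2), 1))
    m.fat_protection = False                       # FAT=OFF
    print(m.check_write(geo.chs_to_lba(0, 0, 2), 1))
```

With this layout the FAT occupies sectors 1 to 16, the root directory 17 to 48 and cluster 2 begins at sector 49; a four-sector write starting at sector 47 therefore reports both ROOTDIR and the first protected file, which is the kind of overlap a defragmenter produces and why the text above suggests "G" for such programs rather than FAT=OFF.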
====================================================================
THE SECTOR-LEVEL-WARNINGS IN DETAIL
====================================================================
---------------------------------------------------------------------
'Attention !! Somebody is trying to manipulate the FAT directly !'
---------------------------------------------------------------------
This was already mentioned in the above example. If your software uses
some 'dirty tricks', you may get such a warning. How can you tell this
from a real alarm ? Difficult question.
Probably the best is: let the write pass through (it is dangerous to
disable the protection ! You should have good reasons to do it), exit
the current program as fast as possible and run 'chkdsk' over your
partitions. If everything is fine and you use the program which caused
the warning frequently, disable the FAT-protection with FAT=OFF if the
warnings disturb you. If you find lost or cross-linked clusters with
'chkdsk', you know there was something wrong... my experience: put a
program like 'mirror' (which saves your current FAT in a file) in your
autoexec. If your FAT gets destroyed, you can recover all data as of
the last run of mirror by writing the file back onto the FAT !
Possible other reasons for false alarms:
- you use a cache-program with staged (delayed) write enabled.
If so, disable NEMESIS's feature to protect the FAT
- you are running a program like compress or speeddisk which
reorganizes your file-structure. In this case, press 'G' to disable
NEMESIS until the current program has finished
---------------------------------------------------------------------
'Attempt to write to a sector which belongs to a protected file !!'
---------------------------------------------------------------------
This should theoretically never occur ! It means DOS was bypassed and
someone tries to write directly to a protected sector.
Possible reasons:
- you got a very intelligent virus which tries to infect files this way
- NEMESIS got confused because you changed your file-structure heavily
(deleted/added executable files). NEMESIS should handle such changes
properly, but this was no easy code (there is no bug-free software, as
you know)
--------------------------------------------------------------------
" Attempt to change the dir-entry of <filename.ext> directly !"
--------------------------------------------------------------------
This is the first line of a message that shows you that a directory
entry is about to be changed DIRECTLY.
The kind of change will be displayed in a second line :
--------------------------------------------------------------------
" kind of change : !! destroy directory !! "
--------------------------------------------------------------------
If the first byte of a dir-entry is set to 0 (byte 0), then DOS
will stop reading this directory at this position. Every entry that
follows will never be read. The directory is destroyed.
Give your "ok" only if you want to remove a directory.
--------------------------------------------------------------------
" kind of change : DELETE /"
" kind of change : RENAME /"
" kind of change : SIZE /"
" kind of change : DATE/TIME /"
--------------------------------------------------------------------
Changing the date/time of a file will always be allowed by NEMESIS.
Maybe you have a virus that marks files as "infected" this way. Maybe
there is no virus at all. A change of this data does no harm.
--------------------------------------------------------------------
"kind of change : CLUSTER /"
"kind of change : RESERVED AREA /"
--------------------------------------------------------------------
Another critical warning. Possible reasons:
- you are running a file-reorganizing program
- you got an intelligent virus like DIR-2 which changes the first
cluster of executable files to itself.
My advice: press Y and watch the displayed numbers carefully: the first
is the old cluster, the second the new one. If the new one remains the
same and there are many alarms, you can be sure that you have a virus
like DIR-2. If the numbers differ each time, probably everything is
fine (meaning you have detected a bug in NEMESIS).
One remark on the above feature: if you prevent a cluster-change,
afterwards it may look as if it was written nevertheless.
Don't worry, it wasn't. But DOS thinks it was and displays wrong values.
After the DOS-buffers are flushed (or the buffers of a cache-program)
you will see that the cluster-entries are as before...
To be safe I recommend a reboot after you deny such a change !
----------------------------------------------------------------------
If you get BOTH warnings (first cluster AND reserved field) then your
computer is most likely infected with a filesystem-virus (like DIR).
In this case, you should RESET your computer at once and reboot from
an original, write-protected system-diskette.
Do not start any file from your harddisk.
Start CHKDSK from this diskette and watch the messages. If there
are NONE : no filesystem-virus. If there are a lot of cross-linked
files and most of them are linked to the same cluster, then you almost
certainly HAVE such a virus.
----------------------------------------------------------------------
After the above warnings (and if you have denied the write) in most
cases the critical error handler of DOS will pop up :
"write failure on drive X: (a)bort (r)etry (i)gnore".
This is ok. NEMESIS tells DOS that your HD has a bad track....
----------------------------------------------------------------------
----------------------------------------------------------------------
For your information, NEMESIS will display the current and future
directory-entries.
For example : if you rename NEMESIS.COM using NU.EXE it will look like
this :
------------------------------------------------------------------------------
Attempt to change the dir-entry of NEMESIS.COM directly !
Kind of change : RENAME / CLUSTER /
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Current entry new entry
Name : NEMESIS.COM NEMESIS.BOM <name-fields>
Attr : Arc Arc <file-attribute>
Time : 11.03.42 11.03.42 <file time>
Date : 11.03.1993 11.03.1993 <file date>
Clus : 4711 4712 <first cluster>
Size : 45678 45678 <length of file>
Res. : 0000:0000:0000:0000:0000 0000:0000:0000:0000:0000 <reserved>
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Request comes from C:\NORTON\NU.EXE
Adress 1234:5678
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Do you allow it ?
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
<Y>es : allowed
<N>o : not allowed
<D>eny : alway "N"o , until program ends
<G>o : alway "Y"es , until program ends
<A>bort : abort program immediately
<L>earn : always allow this program
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
------------------------------------------------------------------------------
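The following is an added example, not NEMESIS code, of how the "kind of change" line above can be derived: two 32-byte directory entries are parsed and compared field by field. The entry layout used is the DOS 3.x one shown in the screen (8+3 name, attribute, 10 reserved bytes, time, date, first cluster, size); the entries are constructed and reproduce the NEMESIS.COM to NEMESIS.BOM rename with the cluster moving from 4711 to 4712. Two checks from later in this document are included as well: the "second higher than 59" infection marker (a 5-bit seconds/2 field of 30 or 31 decodes to 60 or 62 seconds) and the DIR-2 heuristic of many entries being repointed to one and the same new cluster.

```python
"""
Added example (not NEMESIS code): parse 32-byte FAT directory entries,
classify a direct change the way the 'kind of change' line does, and
apply the seconds-field and DIR-2 heuristics. All entries are constructed.
"""
import struct
from collections import Counter

# DOS 3.x layout: name(8) ext(3) attr(1) reserved(10) time(2) date(2) cluster(2) size(4)
ENTRY = struct.Struct("<8s3sB10sHHHI")   # 32 bytes


def make_entry(name, ext, attr=0x20, time=0, date=0, cluster=0, size=0,
               reserved=b"\0" * 10):
    return ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(), attr,
                      reserved, time, date, cluster, size)


def parse_entry(raw):
    name, ext, attr, reserved, time, date, cluster, size = ENTRY.unpack(raw)
    return dict(name=name, ext=ext, attr=attr, reserved=reserved,
                time=time, date=date, cluster=cluster, size=size)


def dos_time(time):
    """Decode the packed DOS time: hours(5) minutes(6) seconds/2(5)."""
    return time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2


def seconds_out_of_range(time):
    # Field values 30 and 31 give 60 and 62 seconds: the marker some
    # viruses set, and what "second higher than 59" refers to.
    return (time & 0x1F) * 2 > 59


def classify_change(old_raw, new_raw):
    """Return the 'kind of change' labels for replacing old_raw by new_raw."""
    if new_raw[0] == 0x00:
        # DOS stops reading the directory at a 0 byte: everything after is gone.
        return ["!! destroy directory !!"]
    old, new = parse_entry(old_raw), parse_entry(new_raw)
    kinds = []
    if new_raw[0] == 0xE5:                      # E5h marks a deleted entry
        kinds.append("DELETE")
    elif (old["name"], old["ext"]) != (new["name"], new["ext"]):
        kinds.append("RENAME")
    if old["size"] != new["size"]:
        kinds.append("SIZE")
    if (old["time"], old["date"]) != (new["time"], new["date"]):
        kinds.append("DATE/TIME")
    if old["cluster"] != new["cluster"]:
        kinds.append("CLUSTER")
    if old["reserved"] != new["reserved"]:
        kinds.append("RESERVED AREA")
    return kinds


def dir2_suspect(cluster_changes, threshold=3):
    """(suspect, cluster): many entries repointed to ONE new cluster is the
    DIR-2 pattern; new clusters that differ every time are not."""
    if not cluster_changes:
        return False, None
    cluster, count = Counter(new for _old, new in cluster_changes).most_common(1)[0]
    return count >= threshold, cluster


def demo():
    t = (11 << 11) | (3 << 5) | (42 // 2)          # 11:03:42
    d = ((1993 - 1980) << 9) | (3 << 5) | 11        # 11.03.1993
    old = make_entry("NEMESIS", "COM", time=t, date=d, cluster=4711, size=45678)
    new = make_entry("NEMESIS", "BOM", time=t, date=d, cluster=4712, size=45678)
    return classify_change(old, new)


if __name__ == "__main__":
    print(demo())
```

demo() returns ['RENAME', 'CLUSTER'], the second line of the screen above; feeding classify_change an entry whose first byte is 0 yields the "destroy directory" label alone, since nothing after that byte is reachable any more.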
====================================================================
Messages of transient NEMESIS before reading NEMESIS.BIN
====================================================================
" Performing selftest, please wait"
" Performing pre-infection-test, please wait"
" Pre-infection-test skipped : running from floppydisk"
" pre-infection-test skipped : NEMESIS already resident"
" Pre-infection-test skipped : running from network"
If you start NEMESIS from diskette it will not perform a
pre-infection-test. It takes too much time and can cause problems.
Start NEMESIS from harddisk.
If you start NEMESIS from a server-harddisk it may cause problems,
too. So it will not perform a pre-infection-test from a server-hd.
" NEMESIS IS DAMAGED OR INFECTED. ABORTED !"
This means that NEMESIS has been changed in some way. If you did not
pack it (e.g. with LZEXE) this means : delete it. It will never run
again. Otherwise UNPACK it !
" could not change to NEMESIS-drive "
Maybe the drive where you started NEMESIS is JOINed ?
It should no longer be a problem, but if so : drop us a note.
" NEMESIS : Could not perform selftest."
Maybe you started NEMESIS from CD-ROM ? Or from a server-harddisk ?
For some reason NEMESIS could not read its first sector from harddisk.
" could not read tempfile for pre-infection-test"
As described above, NEMESIS creates two files, executes them and
checks them.
For some reason it could not read at least one of these files.
" wrong version of NEMESIS in memory. ABORTED !"
Since version 1.10 NEMESIS checks for compatibility-problems with
older versions of NEMESIS. Delete the old version !
" NEMESIS : cannot install. No free number for multiplex routine."
NEMESIS needs one single free number of int 2Fh to exchange data
between resident NEMESIS and NEMESIS.COM.
" NEMESIS : ALT-key pressed. Abort installation ? <y/n>"
If you hold the ALT-key immediately after starting NEMESIS you have
the chance to abort it. Type "y" to abort, otherwise it continues.
" Unknown DR-DOS version. Aborted."
" Unknown DOS or wrong version. "
" NEMESIS needs at least DOS 3.3 to run. Aborted."
NEMESIS is tested for PC-DOS 3.3,MS-DOS 5.0 and DR-DOS 5.0 and 6.0.
If it detects an unknown DOS or DR-DOS it aborts.
" DR-DOS with multitasker "
" Run NEMESIS only in singletask !"
NEMESIS cannot be run in TASKMAX.
" Do not use LOADHIGH with NEMESIS !"
" It's not necessary but can cause problems."
" NEMESIS will load itself high, if ever possible."
You typed "LOADHIGH NEMESIS".
NEMESIS can load itself high, and it does it better than LOADHIGH does.
" Don't run NEMESIS with SIDEKICK. Aborted."
Sidekick grabs the keyboard and does not give it away anymore.
If NEMESIS pops up inside Sidekick it cannot receive any key.
See note below about "Sidekick".
" NEMESIS cannot run within D'Bridge. Aborted."
This message appears if you start NEMESIS while dropping DB to DOS.
NEMESIS is a terminate-stay-resident program. Don't start it inside
any shell !
" NEMESIS does not run with OS/2 yet.."
You started NEMESIS in a DOS-window inside OS/2.
Before NEMESIS hangs your window (or even OS/2) it aborts....
" Loading messages from NEMESIS.BIN "
" NEMESIS : message-file NEMESIS .BIN not valid / not found. Aborted"
NEMESIS.BIN is damaged or does not exist in the same path where
NEMESIS is started from.
If it is damaged then extract a new copy from your NEMESIS archive.
====================================================================
Messages of transient NEMESIS after reading NEMESIS.BIN
====================================================================
----------------------------------------------------------------------
"Not enough memory for re-scan !"
You started NEMESIS with "ADD" but you have not enough free memory to
perform a new scan. Type EXIT to leave the current shell....
----------------------------------------------------------------------
" FAT-LEVEL-PROTECTION IS 'OFF' NOW !
YOU SHOULD REBOOT AS SOON AS POSSIBLE"
You started NEMESIS with "ADD" but you have not enough free memory to
perform a new scan. This was not detected before the new scan started.
Restart NEMESIS with "ADD" again after freeing memory (type EXIT).
----------------------------------------------------------------------
Before NEMESIS starts its scan for protected files it will search for
compressed (Stacker) drives. The following textline will be visible :
" Searching compressed drives (Stacker,SSTOR)"
If you see this line for longer than a tenth of a second then you
probably have a network installed in absolute-sector mode.
Wait, everything is alright.
During the scan for protected files you probably will see the
following message :
" No cluster level protection possible on drive " <char follows>
" Reason : drive is controlled by"
the next line will contain either
" SUBST/ASSIGN/JOIN/network or similar."
or
" SSTOR."
See below about SUBST and STACKER. If you see the SUBST line and you
have NO network then I, Robert Hoerner, would be interested in what DOS
you are using...
----------------------------------------------------------------------
" too many partitions on your HD !!! "
This message cannot appear, but.... if it does, you would have more
than 26 partitions or, in other words : NEMESIS contains a bug. Please
inform us.
----------------------------------------------------------------------
" No harddisk found.'
Then you have either no harddisk or NEMESIS could not find it.
You will not have any sector-level-protection except for bootsectors
of diskettes.
----------------------------------------------------------------------
" Error writing to EMS."
" NEMESIS installing in conventional memory."
This means NEMESIS found that the EMS pageframe could not be written
directly (in other words : it behaves like ROM). This occurs with some
older NEAT-boards and with EMM386 from Microsoft.
Try NEMESIS EMS, if it works : put it in NEMESIS.CFG.
----------------------------------------------------------------------
"Not enough EMS (few handles ?) to run NEMESIS in sector-level mode !"
"However, the common viruses will still be detected ."
You are "out of EMS-memory", but NEMESIS needs to hold its sector-data
in EMS.
----------------------------------------------------------------------
" Problem to read absolute sectors in upper memory !"
" Requesting low memory for buffering."
A part of NEMESIS will reside in upper memory but cannot read sectors
there. NEMESIS will request 512 bytes of normal memory. Without this
NEMESIS could not protect your directories.
----------------------------------------------------------------------
" NEMESIS : SERIOUS FAILURE OF YOUR EMS-MANAGER !"
" YOU SHOULD REBOOT ** AT ONCE ** !"
" THERE IS A REAL DANGER TO LOOSE DATA !"
" THIS IS NO JOKE !"
NEMESIS cannot update data after a rescan. This is due to an error
that occurred inside your EMS-manager software.
====================================================================
Messages of resident NEMESIS
====================================================================
"NEMESIS : TRACER REJECTED"
NEMESIS is hardcoded NOT to allow tracing of NEMESIS. So if any virus
(or any other software) switches to single-step mode and traces int 21h,
for example, then NEMESIS will abort it.
----------------------------------------------------------------------
"NEMESIS : EMS-FAILURE"
NEMESIS detected a serious malfunction of your EMS-software and could
not map its code into the pageframe. This message only comes, if
NEMESIS uses EMS for its code. Everything is too late now, reboot.
----------------------------------------------------------------------
"Error updating EMS-data"
This error occurs if NEMESIS tries to update its data but fails.
Your EMS-software is not compatible to EMS 4.0 (it does not fully
support function 5700h ,move data from/to EMS ).
Try to get another EMS-software and remove NEMESIS.
----------------------------------------------------------------------
"Error reading harddisk"
This error occurs if NEMESIS tries to read a sector to detect whether
a directory is about to be destroyed or not.
This error should never be seen. If you see it, try NEMESIS LOW.
----------------------------------------------------------------------
" NEMESIS : my code has been changed !"
" Reboot your computer at once !"
" Your drives are writeprotected now."
This message appears only, if NEMESIS has been changed at runtime
(after going resident). It's most likely that you have a virus.
----------------------------------------------------------------------
" Attempt to format harddisk"
This warning comes, if DOS was not informed about a format-command.
The command will always be rejected. The calling program will be
informed that it tried to format a bad track and that it failed.
----------------------------------------------------------------------
" *** WARNING *** "
" Attempt to trace int 13h has been rejected. "
" The current program has been aborted ! "
" Access came from : " <adress inserted>
" Some special interrupts has been restored. "
" All memory-resident programs, that you have loaded after NEMESIS"
" without saving the new state may be unlinked now."
You will get this warning with TBSCAN -D and with CALIBRATE.
You will get this warning with a lot of viruses, too.
Call NEMESIS TBSCAN=ON if the action is ok.
! See note below about CALIBRATE !
----------------------------------------------------------------------
"numbers of DOS-buffers changed from <old number> to <new number>"
" Select : <r>estore, <s>ave, <i>gnore"
This is impossible, except with an external program that gives you new
buffers but does not stay in memory, and with some new viruses that
reside in the DOS-BUFFERS (not the same as modem buffers....).
!! NOTE : We had no chance to test whether restoring works or not.
!! In theory it works...
----------------------------------------------------------------------
" BIOS-Memory Byte changed from " <old value> " to " <new value>
" Select : <r>estore, <s>ave, <i>gnore"
This occurs with VIDRAM and some viruses, that go resident without
informing DOS, but reducing your system-memory.....
----------------------------------------------------------------------
" Memory Control Block changed : <xxx> byte will be resident"
" Select : <r>estore, <s>ave, <i>gnore"
This occurs with VIDRAM, any terminate-stay-resident program and some
viruses that attempt to be intelligent (cascade is an example).
----------------------------------------------------------------------
"Memory Control Block destroyed."
This normally means you have to reboot, since your COMMAND.COM cannot
be reloaded. NEMESIS gives this message if the last memory control
block (a DOS-internal data structure) starts with neither "M" nor
"Z", and only if you told it to "R"estore the old status after
a memory control block has been changed.
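The following is an added example, not NEMESIS code, of the two checks behind the messages above, done by walking the DOS memory control block chain: the size that stayed allocated after a program ended (the "<xxx> byte will be resident" figure), and a chain whose block signature is neither "M" nor "Z". The 16-byte MCB header layout (signature byte, owner PSP segment, size in paragraphs, three unused bytes, eight-byte name) is the real DOS one; the memory image, the segment numbers and the program names are constructed. The walker here stops with an error at the first bad signature anywhere in the chain, which is slightly stricter than the text's "last block" wording.

```python
"""
Added example (not NEMESIS code): walk a constructed DOS MCB chain to
measure memory that stayed resident and to detect a destroyed chain.
"""
import struct

PARA = 16                                   # one paragraph = 16 bytes
MCB = struct.Struct("<BHH3s8s")             # sig, owner PSP, size (paras), unused, name


class Memory:
    """A flat image of conventional memory, addressed by paragraph (segment)."""

    def __init__(self, paragraphs):
        self.buf = bytearray(paragraphs * PARA)

    def read_mcb(self, seg):
        off = seg * PARA
        sig, owner, size, _, name = MCB.unpack(self.buf[off:off + PARA])
        return chr(sig), owner, size, name.rstrip(b"\0").decode("ascii", "replace")

    def write_mcb(self, seg, sig, owner, size, name=""):
        self.buf[seg * PARA:seg * PARA + PARA] = MCB.pack(
            ord(sig), owner, size, b"\0" * 3, name.encode().ljust(8, b"\0"))


def walk_chain(mem, first_seg):
    """Yield (segment, signature, owner, size, name) up to the 'Z' block.
    Raise ValueError where the chain is destroyed."""
    seg = first_seg
    while True:
        sig, owner, size, name = mem.read_mcb(seg)
        if sig not in ("M", "Z"):
            raise ValueError("Memory Control Block destroyed at %04X" % seg)
        yield seg, sig, owner, size, name
        if sig == "Z":                       # 'Z' marks the last block
            return
        seg = seg + 1 + size                 # next header follows this block's data


def allocated_bytes(mem, first_seg):
    """Bytes held by blocks with an owner (owner 0 marks a free block)."""
    return sum(size * PARA for _, _, owner, size, _ in walk_chain(mem, first_seg)
               if owner)


def build_image():
    # Constructed chain: a DOS-owned block, COMMAND, then one free 'Z' block.
    mem = Memory(0x1000)                     # 64 KB model, enough for the demo
    first = 0x0100
    mem.write_mcb(first, "M", 0x0008, 0x0200, "SD")
    mem.write_mcb(first + 1 + 0x200, "M", 0x0302, 0x0050, "COMMAND")
    mem.write_mcb(first + 1 + 0x200 + 1 + 0x50, "Z", 0x0000, 0x0800)
    return mem, first


def demo_resident_tsr():
    """Snapshot before a program runs, then after it stays resident."""
    mem, first = build_image()
    before = allocated_bytes(mem, first)
    # The program ends but keeps 0x40 paragraphs: the free 'Z' block is split.
    z_seg = first + 1 + 0x200 + 1 + 0x50
    mem.write_mcb(z_seg, "M", 0x0400, 0x0040, "TSR")
    mem.write_mcb(z_seg + 1 + 0x40, "Z", 0x0000, 0x0800 - 0x41)
    after = allocated_bytes(mem, first)
    return after - before                    # "<xxx> byte will be resident"


def demo_destroyed():
    mem, first = build_image()
    z_seg = first + 1 + 0x200 + 1 + 0x50
    mem.buf[z_seg * PARA] = ord("X")         # signature of the last block clobbered
    try:
        list(walk_chain(mem, first))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo_resident_tsr(), demo_destroyed())
```

demo_resident_tsr() returns 1024 (0x40 paragraphs that were free before and owned afterwards), and demo_destroyed() returns True because the walk hits a block that starts with neither "M" nor "Z".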
----------------------------------------------------------------------
" WARNING ! Your maximum DOS-memory has been reduced ! "
" This may be a virus. "
" NEMESIS saved data from top-of-memory ( virus ? ) "
If NEMESIS detects that you have less memory after terminating a
program than before, it will write the data from the new top-of-memory
to the old top-of-memory (normally 640KB) to NEMESIS.FIL for inspection.
If you called NEMESIS with NOSAVE it will not write this data.
----------------------------------------------------------------------
" DOS-startcode has been changed !"
" Select : <r>estore, <s>ave, <i>gnore"
NEMESIS knows the first few bytes of your DOS deep inside
your computer. I have never seen them change within the same session !
But there are some "stealth"-viruses that change them.
----------------------------------------------------------------------
" Number of DOS-Stacks has changed " <number follows>
" Select : <r>estore, <s>ave, <i>gnore"
Without special programs that may give you MORE stacks, this is
impossible. If you have FEWER stacks then you have a virus.
----------------------------------------------------------------------
"Size of DOS-Stacks has changed. Cannot be restored."
Take it as an information. It may be a virus and it may be normal.
But most likely it's a virus.
----------------------------------------------------------------------
"DOS-Stacks blocked."
" Select : <r>estore, <s>ave, <i>gnore"
This is possibly normal. Let NEMESIS restore the blocked stacks.
If this message appears often then you might (!) have one of the
newest viruses. But again : it is possible without any virus.
If your computer "hangs" after unblocking then either you have a
virus or NEMESIS has a bug.
----------------------------------------------------------------------
" Attempt to format a track in drive X: DIRECTLY !!"
" Attempt to write to a track in drive X: DIRECTLY !!"
If you are formatting this drive, say "yes"; otherwise say "no".
----------------------------------------------------------------------
" Attempt to modify the bootsector in drive " <char follows>
" Attempt to modify the partitionsector in drive " <char follows>
This message appears if the bootsector on diskettes or on drive C:
is about to be changed, or the master boot record (partitionsector)
on drive C: is about to be changed.
This message appears only if you did NOT allow formatting the drive.
----------------------------------------------------------------------
" Attempt to create a protected file : " <filename.ext>
" Attempt to modify a protected file : " <filename.ext>
" Attempt to delete a protected file : " <filename.ext>
" Attempt to replace a protected file : " <filename.ext>
" Attempt to rename a protected file : " <filename.ext>
See information above.
It's at your side to decide what shall happen on your computer.
----------------------------------------------------------------------
" Program uses a DOS-internal handle : " <number follows>
DOS uses 5 handles for internal purposes. It is absolutely unusual to
use one of them to modify a disk-file. Answer "NO" or "DENY".
----------------------------------------------------------------------
" Resident NEMESIS : FAKE ATTEMPT TO CHANGE MY STATUS RECEIVED !"
This message comes only if NEMESIS was called from within some
program other than NEMESIS.COM itself *and* this call was made to change
the resident NEMESIS' state. Probably you started an older version of
NEMESIS to change the resident NEMESIS; or maybe there is a
NEMESIS-virus ?
----------------------------------------------------------------------
" Program tries to set timestamp of file with second higher then 59."
Some viruses mark files as "already infected" by setting the seconds
of the last change to 62. NEMESIS will allow this (it works as a
vaccine: the virus then leaves the file alone).
----------------------------------------------------------------------
" RESIDENT NEMESIS : EDDIE-2 (DARK AVENGER VIRUS) IS GOING TO GO
RESIDENT ! "
NEMESIS received an invalid call to DOS that this virus performs.
If you did not just start an antivirus-program that may have
performed this call to detect this virus then :
HIGH DANGER ! Switch off !
If you start an older version of NEMESIS you may get this warning,
too, since NEMESIS performs this call before going resident, but ONLY
if it did not detect that NEMESIS is already resident.
Delete all old versions of NEMESIS !
They contain bugs (as this version surely does) and they are
incompatible with the newer releases.
Only use the newest NEMESIS !
----------------------------------------------------------------------
" NEMESIS does not run with D'Bridge 1.50 "
" NEMESIS does not run with Windows (tm). "
" NEMESIS does not run with TASKMAX (DR-DOS)."
" NEMESIS does not run with DOSSHELL."
" NEMESIS does not run with DESQview."
" NEMESIS does not run with older versions of NEMESIS."
You started one of these programs and NEMESIS informs you about
incompatibilities. Remove NEMESIS before starting one of these
programs (see below about incompatibilities).
----------------------------------------------------------------------
" You can not start NEMESIS in a windows-task."
" You can not start NEMESIS in a DOSSHELL-task."
" You can not start NEMESIS in a DESQview-task."
You started NEMESIS while running one of these programs and NEMESIS
informs you about incompatibilities.
----------------------------------------------------------------------
" Program called DOS with Non-DOS argument. Abort ? <Y>es <N>o "
You called NEMESIS with "NOINVALID". Many programs call DOS with
invalid arguments without being a virus. If you are sure that "this
program" never behaved like this before, then abort, else continue.
If you exit this program NEMESIS will check your system and inform
you about changes.
----------------------------------------------------------------------
" RESIDENT NEMESIS : I RECEIVED AN INVALID CALL, THAT PROBABLY COMES
FROM"
You called NEMESIS with "NOINVALID". Many programs call DOS with
invalid arguments without being a virus. Some antivirus-programs
perform these calls, too, to detect these viruses. NEMESIS itself
performs these calls before going resident to detect a pre-infection.
The following viruses can be detected if you call NEMESIS with
NOINVALID :
eddie-2 (dark avenger) virus,
tequila virus, dir virus, G-virus, shake virus, invader virus,
699-virus, Plastique virus, Lozinsky virus, 789-virus,
terror virus, diamond-a virus, diamond-b virus, dbase virus,
flip virus, ontario virus, cascade (170x) virus, UMB-1.
One special call is performed by FluShot and VirEx, two excellent
virus-scanners and detectors, but also by a virus :
----------------------------------------------------------------------
NEMESIS will pop up and ask :
"You're running FluShot or VirEx, aren't you ?"
" Please answer 'y' or 'n' :"
If you type "n" you will see :
"Then your computer probably is infected with the 'PSQR/1720'- virus !"
----------------------------------------------------------------------
" NEMESIS can give the 'correct' answer to prevent it from
installation, but it's at your side to decide ( best is :
ABORT IMMEDIATELY )"
NEMESIS can give the correct answer for all the above viruses,
so that the virus "thinks" it is already in memory and need
not go resident "again". If you type "y"es (allowed), NEMESIS will
give this answer and we will see whether it works or not.
----------------------------------------------------------------------
" Program ended, but your system has been changed."
The last program terminated without staying resident, but some
data in your computer has changed.
NEMESIS checks for changes in
- interrupts that are interesting for viruses
- memory size
- memory control blocks
- stacks (size and number of)
- buffers (number of)
- DOS code
In almost all cases you can "R"estore the old status, but there are
some exceptions:
Running D'Bridge 1.39 for example will always result in the above
screen, since DB.EXE executes dbmailer.exe (it has another name today,
but that is the program), and when dbmailer.exe ends, NEMESIS pops up.
This happens because DB.EXE hooks some interrupts. Tell NEMESIS to
"i"gnore the changes, wait until DB.EXE has ended, and if no further
warning occurs, everything is ok.
The problem is that NEMESIS does not hold its data on a "per program"
basis but on a "per computer" basis.
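The mechanism behind this warning, as an added example that is not NEMESIS's own code: a baseline of the interrupt vectors and the DOS figures listed above is taken before a program runs and compared after it has terminated; anything that differs triggers the pop-up, and "R"estore copies the baseline back. The struct layout, the fake vector values and the choice of watched interrupts (13h, 21h, 25h and 2Fh, all mentioned in this documentation) are assumptions of the model. The D'Bridge case is visible here as well: a program that legitimately hooks an interrupt produces exactly the same diff as a virus, because the record is kept per computer, not per program.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the "per computer" record a behaviour monitor keeps:
 * the interrupt vector table plus the DOS figures named in the text.
 * Illustration only, not NEMESIS's internal layout. */
#define IVT_ENTRIES 256

typedef struct {
    uint32_t ivt[IVT_ENTRIES];  /* vector i stored as (segment << 16) | offset */
    uint16_t mem_kb;            /* conventional memory size in KB */
    uint16_t mcb_count;         /* memory control blocks in the DOS chain */
    uint16_t stacks;            /* number of stacks */
    uint16_t buffers;           /* number of buffers */
    uint32_t dos_code_sum;      /* checksum over the watched DOS code */
} SysSnapshot;

/* Interrupts the text calls "interesting for viruses" (assumed set). */
static const uint8_t watched_ints[] = { 0x13, 0x21, 0x25, 0x2F };
#define N_WATCHED (sizeof watched_ints / sizeof watched_ints[0])

typedef struct {
    int changed_vectors;  /* watched vectors that now point elsewhere */
    int changed_fields;   /* memory size, MCBs, stacks, buffers, DOS code */
} SnapshotDiff;

/* Compare the state recorded before a program ran with the state after it
 * terminated without staying resident. */
SnapshotDiff compare_snapshots(const SysSnapshot *before, const SysSnapshot *after)
{
    SnapshotDiff d = { 0, 0 };
    size_t i;
    for (i = 0; i < N_WATCHED; i++)
        if (before->ivt[watched_ints[i]] != after->ivt[watched_ints[i]])
            d.changed_vectors++;
    d.changed_fields += before->mem_kb != after->mem_kb;
    d.changed_fields += before->mcb_count != after->mcb_count;
    d.changed_fields += before->stacks != after->stacks;
    d.changed_fields += before->buffers != after->buffers;
    d.changed_fields += before->dos_code_sum != after->dos_code_sum;
    return d;
}

int system_changed(const SysSnapshot *before, const SysSnapshot *after)
{
    SnapshotDiff d = compare_snapshots(before, after);
    return d.changed_vectors != 0 || d.changed_fields != 0;
}

/* The "R"estore choice: put the watched vectors and DOS figures back. */
void restore_snapshot(const SysSnapshot *before, SysSnapshot *live)
{
    size_t i;
    for (i = 0; i < N_WATCHED; i++)
        live->ivt[watched_ints[i]] = before->ivt[watched_ints[i]];
    live->mem_kb = before->mem_kb;
    live->mcb_count = before->mcb_count;
    live->stacks = before->stacks;
    live->buffers = before->buffers;
    live->dos_code_sum = before->dos_code_sum;
}

/* Constructed clean baseline: every vector points into a fake DOS segment. */
SysSnapshot make_baseline(void)
{
    SysSnapshot s;
    int i;
    for (i = 0; i < IVT_ENTRIES; i++)
        s.ivt[i] = (0x0070u << 16) | (uint32_t)(i * 4);
    s.mem_kb = 640; s.mcb_count = 12; s.stacks = 9; s.buffers = 20;
    s.dos_code_sum = 0x1234ABCDu;
    return s;
}

/* Constructed scenario: a program exited, but INT 21h now points at a
 * resident stub and 2 KB of conventional memory are gone. */
SysSnapshot make_after_hooked_program(void)
{
    SysSnapshot s = make_baseline();
    s.ivt[0x21] = (0x9F00u << 16) | 0x0100u;
    s.mem_kb = 638;
    return s;
}

int main(void)
{
    SysSnapshot before = make_baseline(), live = make_after_hooked_program();
    SnapshotDiff d = compare_snapshots(&before, &live);
    printf("changed vectors: %d, changed DOS fields: %d\n", d.changed_vectors, d.changed_fields);
    if (system_changed(&before, &live)) {
        printf("\"Program ended, but your system has been changed.\" -> restoring\n");
        restore_snapshot(&before, &live);
    }
    printf("after restore: %s\n", system_changed(&before, &live) ? "still changed" : "clean");
    return 0;
}
```

The model deliberately has no notion of which program made the change; that is why a legitimate interrupt hook and a viral one are indistinguishable to it, and why the text offers "i"gnore as well as "R"estore.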
----------------------------------------------------------------------
" ATTENTION ! BUFFER TO WRITE HAS BEEN CHANGED !"
" THIS IS VERY,VERY CRITICAL ! YOU SHOULD ABORT AT ONCE !"
This warning appears if NEMESIS detects any change in data that
should be written to protected files.
It also appears if the order in which that data should be written
has changed.
Sometimes NEMESIS will pop up without any change in the write buffers;
this is due to some cache programs like SMARTDRV that write whenever
they like and change the order in Microsoft's special manner...
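As an added example (not NEMESIS's code), a model of the check behind this warning: the DOS-level hook records a digest of every buffer handed to a write on a protected file together with its target sector, and the sector-level hook verifies that the same bytes arrive in the same order. The strict_order switch is an addition of this example to show the false alarm described above: a cache that flushes in its own order trips the order check although no byte has been altered. Sector numbers, the FNV-1a digest and the sample buffers are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a two-level write check (not NEMESIS's own code):
 * the DOS-level hook records what a program asked to write to a protected
 * file, the sector-level hook checks that the same bytes reach the disk
 * in the same order. */
#define QUEUE_LEN 16

enum write_verdict { WRITE_OK = 0, WRITE_CHANGED = 1, WRITE_OUT_OF_ORDER = 2, WRITE_UNEXPECTED = 3 };

typedef struct {
    uint32_t sector;   /* target sector recorded at DOS level */
    uint32_t digest;   /* FNV-1a of the buffer as handed to DOS */
    int pending;       /* 1 until the sector-level hook has seen it */
} PendingWrite;

typedef struct {
    PendingWrite q[QUEUE_LEN];
    int head, tail, count;
} WriteQueue;

static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811C9DC5u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

void queue_init(WriteQueue *wq) { memset(wq, 0, sizeof *wq); }

/* DOS-level hook: remember sector and digest of a write to a protected file. */
int record_dos_write(WriteQueue *wq, uint32_t sector, const uint8_t *buf, size_t len)
{
    if (wq->count == QUEUE_LEN) return -1;
    wq->q[wq->tail].sector = sector;
    wq->q[wq->tail].digest = fnv1a(buf, len);
    wq->q[wq->tail].pending = 1;
    wq->tail = (wq->tail + 1) % QUEUE_LEN;
    wq->count++;
    return 0;
}

/* Sector-level hook. With strict_order the write must be the oldest pending
 * one (a changed order is an alarm, as the text describes). Without it the
 * queue is searched, which is what a reordering cache would need. */
int verify_sector_write(WriteQueue *wq, uint32_t sector, const uint8_t *buf,
                        size_t len, int strict_order)
{
    uint32_t digest = fnv1a(buf, len);
    int i, idx;
    for (i = 0; i < wq->count; i++) {
        idx = (wq->head + i) % QUEUE_LEN;
        if (!wq->q[idx].pending || wq->q[idx].sector != sector) continue;
        if (wq->q[idx].digest != digest) return WRITE_CHANGED;   /* bytes differ */
        if (strict_order && i != 0) return WRITE_OUT_OF_ORDER;  /* order differs */
        wq->q[idx].pending = 0;
        /* drop completed entries from the front of the queue */
        while (wq->count > 0 && !wq->q[wq->head].pending) {
            wq->head = (wq->head + 1) % QUEUE_LEN;
            wq->count--;
        }
        return WRITE_OK;
    }
    return WRITE_UNEXPECTED;  /* a write to a protected sector nobody asked for */
}

int main(void)
{
    /* constructed sample buffers standing in for two blocks of a protected file */
    static const uint8_t a[] = "first block of a protected file";
    static const uint8_t b[] = "second block of the same file";
    static const char *names[] = { "OK", "CHANGED", "OUT OF ORDER", "UNEXPECTED" };
    WriteQueue wq;

    queue_init(&wq);
    record_dos_write(&wq, 100, a, sizeof a);
    record_dos_write(&wq, 101, b, sizeof b);
    /* a write-back cache flushes sector 101 first: strict mode alarms, relaxed mode accepts */
    printf("cache flushes 101 first, strict : %s\n", names[verify_sector_write(&wq, 101, b, sizeof b, 1)]);
    printf("cache flushes 101 first, relaxed: %s\n", names[verify_sector_write(&wq, 101, b, sizeof b, 0)]);
    printf("then 100 with its bytes         : %s\n", names[verify_sector_write(&wq, 100, a, sizeof a, 0)]);
    return 0;
}
```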
----------------------------------------------------------------------
" Running SMARTDRV 4.0 from Microsoft can cause trouble with "
" NEMESIS resident in memory."
You started SMARTDRV.EXE (it comes with Windows 3.1).
Be sure to GET trouble with SMARTDRV.EXE, with or without NEMESIS.
See the note below about "SMARTDRV".
====================================================================
ERRORLEVELS of NEMESIS
====================================================================
NEMESIS returns several ERRORLEVELS that can be used in batch files :
1 : wrong or unknown operating system.
2 : NEMESIS has been highloaded with LOADHI or LOADHIGH
3 : no free number for data-exchange available.
Checked int 2fh from 0c0h to 0ffh.
4 : NEMESIS.BIN invalid or not found.
5 : commandline-error or error in NEMESIS.CFG
6 : multishell (windows, desqview etc) detected.
7 : you tried to de-install NEMESIS before it was resident
8 : NEMESIS denies a request for de-install
9 : error reading harddisk during scan for protected files
10 : dos-error during scan for protected files
255 : NEMESIS is damaged or infected
====================================================================
Appendix
====================================================================
1. Known false alarms
-------------------
a) 'Attention ! Somebody is trying to manipulate the FAT directly !!'
- The FAT protection should work without errors with DOS 3.3 and
DOS 5.0; with DOS 4.01, false warnings may occur.
Add FAT=OFF to your command line in this case.
b) ' Attempt to modify a protected file '
- Older versions of D'Bridge, a mailer program, modify the current
command-line interpreter (usually command.com) at every start !!
2. incompatibility list, hints, notes.
-----------------------------------
INT2F: Some terminate-and-stay-resident programs intercept the
multiplex interrupt 2F in such a way that they call the previous
handler first, then do their own work and give control back to the
original caller. If such a TSR is loaded AFTER NEMESIS, NEMESIS no
longer accepts any commands like "QUIT" or "ADD", since NEMESIS
performs a strict check whether the caller is allowed to switch
NEMESIS or not.
This may happen with most "Windows aware" TSRs.
You have to remove this TSR first or reboot. You cannot switch
NEMESIS "off" or "on" either.
What you can do is call NEMESIS and have a look at the current
state.
This check is necessary; otherwise any virus could switch NEMESIS "off".
KEYB.EXE: If you put NEMESIS into your AUTOEXEC.BAT, be sure to put it AFTER
KEYB.EXE. Otherwise NEMESIS will pop up and ask you whether you allow
KEYB to stay in memory, but cannot receive your answer (KEYB grabbed
the keyboard).
SSTOR :
STACKER :
NOVELL : These will be detected and the partition will not be protected.
Sector images are not (yet) supported on non-DOS partitions (Novell e.g.)
or compressed partitions (Stacker, SuperStor).
Under NOVELL, NEMESIS internally forces itself NOT to initialize memory
and NOT to point orphan interrupts at IRET.
You may need to give SSTOR.SYS the command "/HIDMA" if NEMESIS
resides in expanded memory. Otherwise your computer may reboot when
you access a RAMDISK.
ASSIGN,SUBST,JOIN:
NEMESIS unASSIGNs, unSUBSTs and unJOINs your harddisk on the fly
while it is performing its selftest and while it is scanning your
harddisk for protected files. This is tested for MS-DOS 5.0, PC-DOS
3.3 and DR-DOS 6.0. With other versions of DOS this may not work;
then these areas are handled like STACKER partitions and are not
protected. NEMESIS will inform you if this problem occurs.
After doing its work, NEMESIS will re-ASSIGN, re-SUBST and re-JOIN to
the former state.
SECTORS : Cluster-level-protection works only with standard sector size
(512 bytes)
CACHE : If you use a cache program with staged write enabled, you will
get a lot of false alarms.
DISABLE staged write under any circumstances if you run NEMESIS !!
SMARTDRV: Especially with Smartdrv.sys you would often get false alarms like
"Attempt to modify the FAT directly.."
Therefore NEMESIS forces FAT=OFF if smartdrv is detected.
Warning:
--------
Especially smartdrv 4.0 is very critical, as it uses staged write
by default. As one consequence, NEMESIS does not load its code
into EMS, to avoid the biggest trouble. But this does not solve
all problems, as smartdrv has its own philosophy about cooperating
with other programs: none.
This means: nothing can convince smartdrv NOT to flush in a
critical moment. So we strongly recommend disabling staged write;
then NEMESIS and Smartdrv may work well together.
Hint: if you use smartdrv 4.0 with staged write and get a
message from NEMESIS about direct writes to the bootsector or an
exe file, you can either allow it or reboot; forbidding is not
possible, as in this case smartdrv comes up and raises a very
intelligent question: 'data error, retry (R) ?'
The number of choices is left as an exercise...
Hint for the Germans: in the current German version, they
forgot to change the hotkey from 'R' to 'W', which did not
keep them from printing in German: 'Datenfehler, Wiederholen (W) ?'
VIDRAM : From version 0.99 on, NEMESIS should have no problem loading
itself high even if VIDRAM is "ON".
GRAPHIC : Programs using graphics may run into problems if a
NEMESIS warning appears. At least the graphics data of mode 12h
(standard VGA graphics mode) is saved and restored, but it is
possible that a text line from NEMESIS remains in your graphic.
Other graphics modes are restored only partially...
SIDEKICK: from Borland
Sidekick does not allow NEMESIS to receive keystrokes when it pops
up inside Sidekick. The result is a "hang".
Therefore NEMESIS tells Sidekick that it is already loaded and
aborts if Sidekick is resident.
Remove NEMESIS if you need Sidekick; remove Sidekick if you need
NEMESIS.
F-Prot: VIRSTOP.EXE (included in the F-Prot package) starts its work by
switching the CPU into single-step mode.
NEMESIS is hardcoded not to allow single-stepping through some
interrupts interesting for viruses.
So VIRSTOP will be aborted almost at once.
If you want to start it, remove NEMESIS from memory.
Switching NEMESIS "OFF" is not sufficient.
MULTITASKER: (and whatever else is called that...)
NEMESIS was originally written as a "normal" program that intercepts
some system calls and notes what your system "looks like" when it is
clean.
We had much trouble with "multitaskers" and made a lot of changes
in NEMESIS to make it "compatible".
Our greatest problem in the end was that NEMESIS makes changes
that all common multitaskers (like Windows) treat as "global changes",
and these changes are absolutely necessary to protect you from
virus infection.
This means: even if you start NEMESIS in a "window" and it installs
itself as a single (local) task, the major changes that NEMESIS
*has* to make are GLOBAL changes.
Therefore we stopped this attempt to unite what cannot be united.
This means especially :
DOSSHELL (MS-DOS 5.00) :
TASKMAX (DR-DOS):
DESQVIEW:
WINDOWS : If you want to work with one of these, you have to remove
NEMESIS.
If one of these is running before you have started NEMESIS,
then NEMESIS will not go resident.
VM/386: NEMESIS works well under VM/386 (even stealth mode), but you
should not use the parameter INIT.
BBS-SYSTEMS:
Sysops of BBSs should not run NEMESIS in their BBS task.
But if they do so, they can use NEMESIS ONLY if they give "BATCH"
as a parameter ** AT STARTUP ** !
Read what is written above about "BATCH" !
They then have to "train" NEMESIS on all their "good addresses" with
"L"earning into a file, or have to switch NEMESIS "OFF" each time
an action on protected files is ok, e.g. if "speedisk" runs
in the night, or a user uploads a "VERYGOOD.EXE".
Best is, however, NOT to use NEMESIS on BBS systems.
D'BRIDGE: NEMESIS works well with D'BRIDGE 1.30 and 1.39 but does not work
at all with D'BRIDGE 1.50 or 1.51.
This is apparently due to changes in Ray Gwinn's built-in FOSSIL.
Therefore NEMESIS will tell DB 1.50 that it is already loaded and
will not go resident if D'Bridge is active.
Remove NEMESIS before starting D'Bridge !
CALIBRATE: part of Norton Utilities.
CALIBRATE uses the same technique as TBSCAN to get the BIOS entry of
your harddisk. So starting CALIBRATE with NEMESIS in memory will
result in a warning and CALIBRATE will be aborted immediately.
Do **NOT** switch NEMESIS to "TBSCAN=ON" but **REMOVE** NEMESIS
completely ("NEMESIS QUIT") and reboot your computer if you want to
run CALIBRATE ! Otherwise you could LOSE DATA !
ROMSCAN : We cannot protect you against viruses like "EDDIE" that
directly scan for the ROM entry of your INT 13h.
But we will solve this problem ! If you are using QEMM with
"stealth" ROMs, then this problem is already solved; NEMESIS will
protect you (better: QEMM in conjunction with NEMESIS).
EMS.SYS : included with C&T 286 NEAT mainboards :
This utility creates expanded memory (EMS) for NEAT boards.
Due to a bug in this utility it is not possible to run NEMESIS from
this EMS (tested with such a NEAT computer), so NEMESIS will switch
internally to NOEMS. Don't force NEMESIS to use EMS with the parameter
"EMS" if you use this driver.
NEMESIS will then use EMS for its data (sector-level protection)
but not for its code.
But there is one more bug in ems.sys: if NEMESIS updates its
internal FAT structure from DOS buffers that reside in upper memory,
then this driver always returns an error code that means "EMS and
conventional memory are overlapping", which is definitely wrong.
If you do not load your BUFFERS high, everything works fine;
otherwise start NEMESIS with NOFAT.
EMM386.EXE: NEMESIS checks whether or not it is possible to write into the
page frame. If it is not possible, it switches to NOEMS. With EMM386
you may have to override this by giving "EMS" as a parameter at
startup. There will be no problems with EMM386.EXE from Microsoft,
but there are problems with EMM386.SYS of DR-DOS.
If DR-DOS resides in the HMA, EMM386.SYS reports errors with NEMESIS.
Don't use "NEMESIS EMS" in this case.
BUSMASTER DMA controller: (like the ADAPTEC SCSI controller 1542B).
NEMESIS may fail to read a sector if it is resident in upper memory.
This may be due to a problem with DMA.
If NEMESIS detects this problem, it will request a 512-byte buffer
in normal DOS memory. There are no further problems.
NETWORK with absolute sector modes : (such as Kirschbaum-Link with param. ABS)
When NEMESIS checks for Stacker, it has to perform INT 25h with an
invalid argument. With these networks it may take up to 5 seconds
until the call returns (386, 20 MHz, ArcNet).
This is normal, don't worry about a "hang".
LOADHI,LOADHIGH :
From version 1.10 on, NEMESIS does not allow an external LOADHI
command to be used to load NEMESIS into upper memory.
Instead the screen will be cleared, a message will appear,
and NEMESIS stops immediately. NEMESIS loads itself high whenever
possible (and if not forbidden by you).
STACKS : You may need to insert a "STACKS=9,256" in your config.sys if
you load many resident programs.
UNDELETE/UNFORMAT/QU.EXE etc
If you DELETE a protected file and recover it with UNDELETE or any
similar program, it is no longer handled as protected on the
sector level. This is due to the fact that NEMESIS's internal data has
already been updated. It is still protected on the normal level, however.
If you want to get sector-level protection again, type NEMESIS ADD.
FONTS: Programs that define their own fonts to display text will look
strange after NEMESIS has popped up.
RAMFREI: a utility that allows you to remove TSR programs. It tries to clean your
memory after NEMESIS is resident but doesn't find NEMESIS any more.
Your computer hangs instead. NEMESIS LOW solves this problem.
DOS5.0: If you have "DOS=HIGH,UMB" in your config.sys, then about 100 bytes will
be left in memory after NEMESIS has loaded itself high. NEMESIS terminates
and requests 0 bytes, but DOS gives it 100. What should we do ?
--------------------------------------------------------------------
====================================================================
Some explanations of terms :
====================================================================
INTERRUPT 21H
Our computers all have little chips from the INTEL company that make them
work. These chips are called "micro-processors" or CPUs (central
processing units). One feature of these CPUs is that their normal work
(e.g. displaying a text on your screen) can be interrupted by software
or hardware, causing the chips to save their current work, start and
perform another job, and, when this new job has been finished, continue
with the prior work at the same point where they were
"interrupted". These "interrupts" are numbered from 0 to 255, or in
hex numbers, from 0 to 0FFh.
Interrupt 21h (= INT 21 (hex) = INT 33 (decimal)) is used by
application programs like Word, PcTools and all others to invoke your
DOS (disk operating system) when they want to access their files,
write to the screen, print and so on.
Since DOS gives any program access to any file, it seems clear that
it gives viruses access to any file, too.
So NEMESIS (as well as VSHIELD, F-PROT, TBSCANX and other resident
scanners) has to catch and filter this interrupt to see what's going
on in your computer. Resident scanners normally look for those
functions that execute programs, open files and write to them,
scanning the executed files for virus marks.
NEMESIS does not scan at all, but catches 33 functions of INT 21H for
file operations and 18 functions for well-known virus calls.
Yes, virus calls, because some viruses first perform an individual
call to INT 21h before they do anything else. Then we will warn you
(if you switched this feature "ON" with the parameter "NOINVALID").
INTERRUPT 13H
What is said about INTERRUPT 21H is valid for INT 13h, too, but INT
13h is not called for file operations (or screen output); it is the
interface between your DOS and your harddisk.
When you call INT 21h, you give the name of the file that you want
to access.
If you call INT 13h, you have to give the sector, track and head you
want to access.
INT 13h does not know anything about files. A bootsector virus, for
example, accesses the bootsector of diskettes and harddisks. Since
this is _not_ a file, it has to call INT 13h to infect your system.
You cannot access the bootsector by calling INT 21h.
FAT (file allocation table)
If you type "WIN" and press return, you are telling your
command interpreter that it should load Windows.
How can it do this ? It tells DOS "LOAD WIN.COM".
How can DOS do this ?
DOS looks in the current directory for the name "WIN.COM".
Not found.
It looks in the "PATH" directories for WIN.COM.
Found.
It looks in the directory entry for the first cluster of this file
"WIN.COM" (you cannot see this field if you type "dir").
Then it looks in the file allocation table for the next entry, for the
following one and so on. The FAT contains the number and sequence of the
clusters of all (!!) your files. If this FAT is damaged, it's like a very
large book without an index, and with pages randomly exchanged.
You cannot access files whose FAT entries are destroyed, since nobody
knows where they physically reside on your harddisk.
CLUSTER / SECTOR
Your harddisk is like a music disk: it contains songs (= files) but
cannot sing. As on music disks, it just contains tracks, where your
computer "printed" its files. Since some files are very short, it
seemed a good idea to divide these tracks into smaller parts.
We call these parts "sectors", which means "parts of a circle".
So if a small file is saved, maybe it needs 1 or 2 sectors, and not
the whole track. That's why you can save 10 or more files on the same
track (better said: YOU save files, but DOS saves these files in
your harddisk's sectors).
A sector contains 512 bytes. On diskettes a sector normally is the same
as a cluster.
If each sector of a 100 MB harddisk had an entry in the FAT,
then the FAT would have to contain 100*1024*1024/512 entries.
That is 204800 entries.
A very large number, and you would need 3 BYTES to represent this number.
(And you have TWO FATs.)
Since this is not very intelligent (consider that most programs
need more than 1 sector on your harddisk), it is handled in a special
way: 4 or more sectors on your harddisk are numbered as "clusters".
Let's take the above example: you have 204800 sectors.
Then (if 4 sectors are handled as one cluster) you have 51200 clusters,
containing 204800 sectors. To number 51200 clusters you would need
2 bytes, so your FAT size would be 51200*2 bytes = 102400 bytes.
Two FATs = 204800 bytes. You saved 2*(614400-102400) = 1024000 bytes.
This is an argument for clusters, isn't it ?
There are viruses (some Bulgarian..) that randomly write to any
clusters, whether they contain data, programs, directories or nothing.
They do not call DOS for this (see "INTERRUPT 21H"), since DOS can only
access files.
To protect your files from being corrupted by these viruses it is
necessary to protect the clusters of these files directly.
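The arithmetic of this section and the chain walk of the FAT section above, as an added example (not NEMESIS's code): fat_sizing reproduces the 100 MB numbers, walk_chain follows a file's cluster chain from the first-cluster field of its directory entry and refuses chains that run into free space or loop (the "book without an index"), and cluster_to_sector translates each cluster into the sector a sector-level protection would have to guard. The FAT16 table, its end-of-chain marker and the data-area start sector 33 are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* FAT arithmetic from the text: one FAT entry per cluster, so the table
 * shrinks as clusters get larger. Added example, not code from NEMESIS. */
typedef struct {
    unsigned long sectors;    /* disk_bytes / sector_bytes */
    unsigned long clusters;   /* sectors / sectors_per_cluster */
    unsigned long fat_bytes;  /* clusters * bytes per FAT entry */
} FatSizing;

FatSizing fat_sizing(unsigned long disk_bytes, unsigned sector_bytes,
                     unsigned sectors_per_cluster, unsigned entry_bytes)
{
    FatSizing s;
    s.sectors   = disk_bytes / sector_bytes;
    s.clusters  = s.sectors / sectors_per_cluster;
    s.fat_bytes = s.clusters * entry_bytes;
    return s;
}

/* First logical sector of a data cluster: the data area starts at
 * data_start (after boot sector, FATs and root directory) with cluster 2. */
unsigned long cluster_to_sector(uint16_t cluster, unsigned long data_start,
                                unsigned sectors_per_cluster)
{
    return data_start + (unsigned long)(cluster - 2) * sectors_per_cluster;
}

/* Constructed FAT16 table (not read from a real disk). Index = cluster
 * number, value = next cluster of the file. Entries 0 and 1 are reserved,
 * 0x0000 = free, 0xFFF8..0xFFFF = last cluster of a file. Clusters 10 and
 * 11 point at each other: a corrupt, looping chain. */
#define FAT_ENTRIES 16
#define FAT16_EOC_MIN 0xFFF8u

static const uint16_t sample_fat[FAT_ENTRIES] = {
    0xFFF8, 0xFFFF,          /* 0, 1: reserved */
    0x0003, 0x0004, 0x0007,  /* 2 -> 3 -> 4 -> 7 */
    0x0000, 0x0000,          /* 5, 6: free */
    0xFFFF,                  /* 7: end of the chain started at 2 */
    0x0009, 0xFFFF,          /* 8 -> 9, end */
    0x000B, 0x000A,          /* 10 <-> 11: loop */
    0x0000, 0x0000, 0x0000, 0x0000
};

/* Follow a file's chain from its first cluster (the directory-entry field
 * the text mentions). Cluster numbers go to out (at most max_out).
 * Returns the chain length, or -1 if the chain enters a reserved or free
 * entry, leaves the table, or visits more entries than the table holds
 * (a loop). */
int walk_chain(const uint16_t *fat, size_t n_entries, uint16_t first_cluster,
               uint16_t *out, size_t max_out)
{
    uint16_t cur = first_cluster, next;
    size_t steps = 0;
    int count = 0;

    for (;;) {
        if (cur < 2 || cur >= n_entries) return -1;    /* reserved or outside the FAT */
        if ((size_t)count < max_out) out[count] = cur;
        count++;
        if (++steps > n_entries) return -1;            /* more steps than entries: loop */
        next = fat[cur];
        if (next >= FAT16_EOC_MIN) return count;       /* proper end of chain */
        if (next == 0) return -1;                      /* chain points into free space */
        cur = next;
    }
}

int main(void)
{
    FatSizing a = fat_sizing(100UL * 1024 * 1024, 512, 1, 3);
    FatSizing b = fat_sizing(100UL * 1024 * 1024, 512, 4, 2);
    uint16_t chain[8];
    int n, i;

    printf("one entry per sector : %lu entries, %lu bytes per FAT\n", a.clusters, a.fat_bytes);
    printf("4 sectors per cluster: %lu clusters, %lu bytes per FAT, %lu bytes saved for two FATs\n",
           b.clusters, b.fat_bytes, 2 * (a.fat_bytes - b.fat_bytes));

    n = walk_chain(sample_fat, FAT_ENTRIES, 2, chain, 8);
    printf("file starting at cluster 2 occupies %d clusters:", n);
    for (i = 0; i < n; i++)
        printf(" %u (sector %lu)", (unsigned)chain[i], cluster_to_sector(chain[i], 33, 4));
    printf("\nchain starting at cluster 10: %d (corrupt)\n",
           walk_chain(sample_fat, FAT_ENTRIES, 10, chain, 8));
    return 0;
}
```

The list of sectors that walk_chain and cluster_to_sector produce for a file is exactly what a cluster-level protection has to watch, whether the write arrives through INT 21h or directly through INT 13h.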
----------------------------------------------------------------------
SMARTDRV, WINDOWS are (tm) of Microsoft
VIDRAM, QEMM, DesqVIEW are (tm) of Quarterdeck
others are (c) and (tm) of others.
----------------------------------------------------------------------
SPECIAL THANKS to Ralf Brown and his team for the interrupt-list !
----------------------------------------------------------------------
This documentation as well as the other files included with NEMESIS
are subject to change without notice.
There is no warranty of completeness and correctness.
----------------------------------------------------------------------
Have fun! And register your copy of NEMESIS soon !
E-mail addresses :
Robert Hoerner , Fido 2:241/7518
Christian Sy , Fido 2:241/7516.1
Karlsruhe, Germany, January 1993, Robert Hoerner & Christian Sy
----------------------------------------------------------------------