WDR Computer Club Digital 1995 August / CLUB_0895.BIN / antiviru / arfav / arfbuild.doc (Text File, 1995-06-25, 47KB, 1,081 lines)
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▌ ▐
▌ ARFBUILD.EXE and ▐
▌ ARFMAIN.BIN -- THE RESIDENT DRIVER ▐
▌ ▐
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Overview: ARFBUILD.EXE, ARFMAIN.BIN, and ARFDISP.BIN....1
What is an Anti-Virus "Shield"?.........................2
Installation - using ARFBUILD.EXE.......................3
Possible Warnings from ARFBUILD.EXE.....................5
Loading ARFMAIN via CONFIG.SYS..........................7
Errors During Boot......................................8
Warning Messages: From an INJECTed MODULE..............10
Warning Messages: From the AV Shield...................11
Common Warnings....................................12
More Serious Warnings..............................16
(What to do if you get a virus)....................16
Command-Line Switches..................................18
SOME FINAL NOTES:......................................21
False Alarms.......................................21
Why Ours Is The Best...............................23
A Special Note For Windows(tm) Users...............26
Known Conflicts with other Software................27
This manual and accompanying software are copyrighted
(c) 1995 Leonard P. Gragson and Stephen M. Poole,
All Rights Reserved.
Revision history: Updated June, 1995.
Page 1
INTRODUCTION AND OVERVIEW
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
The first version of ARFMAIN.BIN simply provided display functions
for INJECTed modules. By moving the bells and whistles into a
separate driver, we could reduce the size of the injected module
without compromising protection. But then we wondered: why not
let the driver perform some anti-virus shielding of its own?
The more we looked at it, the more intrigued we became. First,
(as of this writing, anyway), very few viruses attack device
drivers; we'd gain that advantage to start with. Plus, a device
driver would get into the system during the actual bootup process,
and could thus begin protecting the system sooner. Thus, we
decided to implement the idea, and ARFMAIN.BIN came into existence.
If you've unzipped this package, and have been looking for
ARFMAIN.BIN and can't find it, you're not crazy. For a number of
reasons (discussed below), we instead provide a special program
(ARFBUILD.EXE) that will custom-build the ARFMAIN.BIN driver for
your PC.
You DO get the original version of the driver, ready-to-install as
ARFDISP.BIN. This is a display-only driver which DOES NOT contain
any anti-virus protection. This should only be used if you're
sure that the shield in ARFMAIN.BIN conflicts with your system.
Finally, a note to novice computer users: Device drivers, by
nature, are kind of picky, and sometimes this discussion will get a
little technical-sounding. But don't let that put you off; it's
really not as complex as it may sound. We've tried to provide
detailed instructions here, and you can contact us if you have
questions or problems.
Leonard P. Gragson - Compuserve: 73131,1034; America On-Line: Arfman2
Stephen M. Poole, CET - Compuserve: 71234,3263; America On-Line: SMPoole
Page 2
WHAT IS AN ANTI-VIRUS "SHIELD"?
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Images of Byzantine soldiers with shields and helmets come to
mind, but this is pretty simple. An anti-virus "shield" does just
as its name implies: it helps "shield" your system from a virus
infection. Precisely how it does this will vary from one shield
to the next, and some are more effective than others.
Your PC, while extremely easy to use and update, contains some
glaring weaknesses in the security department. The worst is that
just about anyone can do anything to any file without being
challenged. An eight-year-old kid could write a program in QBASIC
that could eat half the files on your hard drive ... and the
computer would cheerfully comply without complaint.
It would only be afterwards, when you started getting "Bad Command
or File Name" and discovered that you just gained 1.5 zigabytes of
free space on your drive that you would realize that something
strange had happened.
An "anti-virus shield" (also called a "behavior blocker") warns
you when something like this happens and gives YOU the final
say-so over whether it should happen.
We feel (not surprisingly) that our shield is the best available
for a number of reasons. Just one example: our shield checks a
number of undocumented system calls and data areas, which many
anti-virus shields ignore.
ARFBUILD.EXE was written in hand-coded assembler for speed and
compactness, and the resulting driver is full of Hacker's Tricks
and Other Weird Stuff. The driver takes up only about 8K of
memory and is lightning fast, and yet, it still manages to check
every critical system call for suspicious activity. It's so fast,
in fact, you'll normally never even notice that it's there.
Page 3
INSTALLATION
▀▀▀▀▀▀▀▀▀▀▀▀
BASIC PROCEDURE
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Installing ARFMAIN.BIN on your system may be different from what
you're used to. Here's how you do it (INSTALL may have already
done some of this for you):
1 - Use DOS's FORMAT /S to create a bootable floppy that you can
use in case of problems. (This is a must-have whether you use
our stuff or not!) Don't put a CONFIG.SYS or AUTOEXEC.BAT on
this floppy; we want a "clean-boot" floppy. Copy ARFBUILD.EXE,
LOAD.COM (PRO-BOOT), and INJECT.COM onto the floppy.
2 - Boot onto the floppy and run ARFBUILD.EXE; it will create an
ARFMAIN.BIN driver on the floppy that's unique for your PC.
(If you get warning messages, go to the next section.) Copy
the driver onto your hard drive.
3 - Remove the floppy, label it "ARF Recovery Disk", WRITE-PROTECT
IT, and store it in a safe place. (To write-protect a 3.5"
floppy, you slide UP the little tab on the back so that light
can get through the hole.) That floppy is your main line of
defense if you ever suspect a virus. This is important:
ALWAYS CHECK THE WRITE-PROTECT TAPE OR TAB BEFORE
YOU INSERT THAT DISK INTO ANY DRIVE SLOT!
4 - Use DOS's EDIT command (or some other ASCII TEXT editor) to
add a line such as this one
DEVICE = ARFMAIN.BIN
... to the end of your CONFIG.SYS file.
Page 4
5 - Reboot the system. Don't use CTRL-ALT-DEL; cut it off, wait
a few seconds, then cut it back on. ARFMAIN.BIN will then be
loaded in memory, and will begin protecting your system.
AN IMPORTANT NOTE!
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
IMPORTANT! THE ARFMAIN.BIN PRODUCED BY ARFBUILD.EXE
IS UNIQUELY CONFIGURED FOR THE MACHINE ON WHICH IT
WAS CREATED. IF YOU TRY TO RUN IT ON A DIFFERENT
COMPUTER, YOU'LL GET CHAOS AND WEIRDNESS (OR WORSE).
DON'T DO IT!
If your friend wants an ARFMAIN.BIN on his/her PC, take all this
stuff over to their computer and build a unique ARFMAIN for THEIR
computer. (Do it; they'll think you're a computer wizard.)
Feel free to do this, too. Remember, we don't require a
registration fee of home users. We want this software in as many
hands as possible; see REGISTER.DOC for details.
ARFBUILD accepts one command-line argument -- a different name for
the ARFMAIN.BIN driver. For example, if you use
ARFBUILD MYDRIVER.SYS
... the created driver will be named "MYDRIVER.SYS" instead of
ARFMAIN.BIN. If you do this for more than one PC, why not use
different names for each computer? For example, you might have
drivers named "MYHOME.SYS," "HELENS.SYS", and so on.
For simplicity, we'll use the default "ARFMAIN.BIN" in all of our
documentation, but obviously, you should substitute your name for
the driver in everything that follows.
Page 5
POSSIBLE WARNINGS FROM ARFBUILD.EXE DURING THE BUILD
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
You could get one or more of these warning messages from ARFBUILD
as it constructs ARFMAIN.BIN on your system:
Your interrupt 13h vector isn't in the expected place
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
The eyes of most novice computer users just glazed over, but all
this means is that ARFBUILD.EXE didn't find the entry point for
the BIOS disk services where they should be. Did you run
ARFBUILD.EXE on a clean-booted floppy? If not, you should!
If you get this warning message when building on a clean boot,
you probably have some type of virus already in your computer.
Try booting, and then building, from a known-good floppy that was
prepared on some other machine. If this message goes away, bad
news; that's almost certainly the case. Contact us for
information on cleaning the virus, or use a commercial cleaning
program (this may not work if it's a very recent virus; contact us).
Can't read the MBR/SBR from the hard drive
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
This warning means that ARFBUILD.EXE couldn't read (or find) the
boot sectors of your hard drive with a direct hardware call. A
number of things could cause this problem:
1 - Your hard drive isn't bootable; you boot from a floppy, and
use the hard drive for storage only. If that's the case, you
can't use ARFMAIN; ARFMAIN is basically a bootable hard-drive
protector. ARFMAIN won't work at all on all-floppy systems.
2 - Your hard drive isn't accessible; check your CMOS SETUP and
make sure the hard drive is installed properly.
Page 6
3 - Your BIOS isn't 100% compatible with the PC (pretty rare
nowadays), or you're not using a 100% compatible DOS (also rare).
4 - You possibly have a boot-sector virus (not likely if you get
this message by itself, and no other warnings appear once the
driver is installed and in operation).
5 - You may have an old, sluggish hard drive. In this case, just
try ARFBUILD.EXE again. If you get this warning after
repeated tries, move on; you'll have to live with it.
If it can't read the boot sectors, ARFBUILD constructs a default
ARFMAIN.BIN driver that doesn't check the boot sectors on bootup.
If that "default" build won't work properly on your system, you
may have to use ARFDISP.BIN and do without the resident shield.
WARNING: The boot material read via INT 13h
doesn't match the material read directly!
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
To check for a virus that may already be in your system, ARFBUILD
compares boot material read via the disk services to the same boot
stuff read directly via hardware; it should be identical.
You SHOULD NOT get this message. If you do, that's not a good
sign. Try this: boot from a floppy that was formatted on a
different, known-clean computer, then run ARFBUILD.EXE. If this
message DOESN'T appear, that's a positive indication that you have
a resident virus hiding in your hard drive's boot material.
Can't Create ARFMAIN.BIN
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Either the disk is full, or is write protected. For some reason,
ARFBUILD.EXE can't write the finished product out to disk. Try a
different disk, or delete some unneeded stuff to make room.
Page 7
LOADING THE DRIVER VIA CONFIG.SYS
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Once the driver has been built and copied into the desired
subdirectory on your hard drive, you simply place a line such as
DEVICE=ARFMAIN.BIN
in your CONFIG.SYS file. (Of course, if you've renamed the driver
you should use your new name instead of "ARFMAIN.BIN".) The next
time you boot up, ARFMAIN will be in memory, and will start
protecting your system.
Time for a Power User Tweak Tip. If you have a 386 or better,
later versions of DOS and some third-party memory managers (ex.,
QEMM(tm)) will permit you to load ARFMAIN or ARFDISP high in
memory. This frees up more conventional memory for other programs.
Under DOS 5/6, you'd use the "DEVICEHIGH=" syntax; see your memory
manager's documentation for more details.
One warning: if you're using an advanced memory manager that
relocates the BIOS and moves RAM into that space (such as QEMM(tm)'s
"stealth" feature), ARFMAIN.BIN will not work in a segment above
F000h. Refer to your documentation to see how to force it lower
in memory. Refer also to your DOS manual for more on CONFIG.SYS.
IF YOUR SYSTEM HANGS
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
(The poor novice user now has a mental image of the computer
swinging lifelessly from a noose of rope. A "hang" is when your
system just stops working -- it "hangs up" -- and won't accept
any input from the mouse or keyboard. The only cure is to reboot.
You may have to switch the computer off, wait a moment, and then
switch it back on, if it has a really bad case of the hangs.)
Page 8
Those who've used DOS for a while, especially those who've
installed device drivers, know that the system could hang if anything
goes wrong during the boot. DOS Version 6 (finally!) added the
ability to boot "clean" by holding the F5 key during the boot. If
your system hangs, you can use the F5 key under DOS 6; under
earlier DOS versions, you'll have to use a bootable floppy.
Once you get the system booted and on line, the quick-fix is just
to delete ARFMAIN.BIN, then boot again normally. (DOS may warn,
"Bad or Missing ARFMAIN.BIN," but that's OK.) If you determine
that ARFMAIN isn't compatible with your system, use ARFDISP
instead. In the unlikely event that ARFDISP is also incompatible, you
may have to do without both shield and detailed error messages.
ERRORS DURING THE BOOT LOAD
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Now we have a second tier of messages: those displayed by ARFMAIN
while it's being loaded during bootup. You should see something
like:
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▌ ▌
▌ ARF Resident Anti-Virus Utilities, version 2.1. ▌
▌ (c)1995 Leonard P. Gragson and Stephen M. Poole ▌
▌ All rights reserved. ▌
▌ ▌
▌ Checking memory location ... OK ▌
▌ Checking DOS Version ... OK ▌
▌ Checking MBR/SBR ... OK ▌
▌ Checking program code ... OK ▌
▌ ▌
▌ Installation completed successfully! ▌
▌ ▌
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Page 9
Each of the self-check lines indicates "OK", so the driver was
installed properly. If an error occurs, though, you'll see an
error message under the line that announced the check:
Trying to load above F000h
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
As mentioned above, the ARFMAIN.BIN driver won't work if you have
a memory manager that tries to load it above segment F000h.
Your DOS version is too old
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Self-explanatory; go buy a new DOS! All of the ARF utilities
require at least DOS 3.3.
Boot records have been altered!
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Something has altered the boot record code on the hard drive. If
you've just upgraded to a new version of DOS or Windows(tm), you
may get this message; simply run ARFBUILD.EXE again to generate a
new ARFMAIN.BIN for the new operating system.
If you haven't made any recent changes at the operating system
level, though, this is almost surely being caused by a boot-sector
virus that has gotten into your system. See HELPME!.DOC.
NOTE: If you're going to use the PRO-BOOT partition, you should
install it before you run ARFBUILD.EXE (PRO-BOOT changes the MBR,
too, so you'd just have to run ARFBUILD all over again).
ARFMAIN.BIN has been altered!
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Also bad news. Something (probably a virus) has attacked ARFMAIN,
altering the program code. See HELPME!.DOC.
Page 10
WARNING MESSAGES FROM AN INJECTed MODULE
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Assuming that we've made it through the boot OK, and that ARFMAIN
is now in memory and at work, you could get any of the following
messages if a problem is detected.
First, let's look at the messages that could be displayed if an
INJECTed MODULE in one of your program files detects a problem.
When this happens, the MODULE will use ARFMAIN.BIN to sound an
attention-getting (some might say annoying) alarm and display a
red box such as this one:
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▌ ▐
▌ W A R N I N G ! ! ! ▐
▌ ▐
▌ File fails CRC Check! ▐
▌ (Old value 4354h Current value 0536h) ▐
▌ ▐
▌ Press any key to begin rebuilding the file ... ▐
▌ ▐
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
In this case, when you started the INJECTed program, the injected
module inside the program detected changes to the program code and
data. This caused the program to fail the CRC check, giving this
warning.
When you're ready, do as the prompt says: press any key, and the
MODULE will begin repairing the file.
(If you want a harmless demonstration, try this: inject SORT.EXE
or some other program. Then change it to a read-only file with
"ATTRIB SORT.EXE +r". The next time you run SORT, you'll see the
warning box and SORT.EXE will repair itself.)
Page 11
NOTE: The operation of the INJECTed module is independent of
ARFMAIN. The module merely calls ARFMAIN.BIN to help display more
detailed error messages. If ARFMAIN is disabled or not present,
INJECTed modules will still function normally, and will still
fully protect your program files. You just won't get a detailed
report describing the problem that caused the rebuild.
See INJECT.DOC; and if you suspect a virus, see HELPME!.DOC.
Each warning that the INJECTed module could display relates to
some form of possible virus activity. For example, some viruses
change file attributes; that's why we check for that. Many
viruses also change the time and date stamp, so we check for that, too.
(You can refer to VIRUS.DOC for more information on viruses.)
Programmers can expect to get some warnings from time to time
(they alter files for a living). For example, if a programmer
DEBUGs an injected .COM program, alters some of the code, and then
writes the new .COM back out to disk, they'll get a warning screen.
But for the average user,
ONCE A PROGRAM FILE HAS BEEN INSTALLED AND CONFIGURED,
IT SHOULD NOT CHANGE -- PERIOD!
By far, these warnings are the most serious:
- CRC check failure (the program has been altered)
- Bytes at beginning and/or end of the file have changed
- Program entry point or stack size has changed
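The checks listed above amount to a stored baseline for each program file that is compared every time the program starts. The Python below is an added illustration, not code from this manual or from the ARF package: it records a CRC, the size, the first and last bytes, the read-only attribute and the time stamp of a constructed SORT.EXE image, then reports which checks fail after the ATTRIB +r demonstration described earlier and after a simulated change to the program bytes. The CRC-16/ARC routine, the 16-byte head/tail window, the sample image and the exact message texts are assumptions; the manual only shows 16-bit values such as 4354h and does not say which CRC the module really uses. The same record-then-compare idea is what the driver's "Checking MBR/SBR" step does for the boot records.

```python
from dataclasses import dataclass, replace

# Constructed stand-in for a program file: its bytes plus the directory-entry
# fields the INJECTed module is described as checking. No real disk I/O here.
@dataclass(frozen=True)
class FileImage:
    name: str
    data: bytes
    read_only: bool
    stamp: str          # DOS-style time/date stamp, kept as text for clarity

def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC (poly 0x8005, bit-reflected, init 0). Assumed algorithm:
    the manual shows 16-bit values like 4354h but does not name the CRC."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

WINDOW = 16   # assumed width of the "bytes at beginning and end" check

def make_baseline(f: FileImage) -> dict:
    """What an INJECT pass would store for the file when it is injected."""
    return {
        "crc": crc16_arc(f.data),
        "size": len(f.data),
        "head": f.data[:WINDOW],
        "tail": f.data[-WINDOW:],
        "read_only": f.read_only,
        "stamp": f.stamp,
    }

def verify(baseline: dict, f: FileImage) -> list[str]:
    """Run the checks at program start; return the warnings that would be shown."""
    warnings = []
    crc = crc16_arc(f.data)
    if crc != baseline["crc"]:
        warnings.append(f"File fails CRC Check! (Old value {baseline['crc']:04X}h "
                        f"Current value {crc:04X}h)")
    if len(f.data) != baseline["size"]:
        warnings.append("File size has changed")
    if f.data[:WINDOW] != baseline["head"] or f.data[-WINDOW:] != baseline["tail"]:
        warnings.append("Bytes at beginning and/or end of the file have changed")
    if f.read_only != baseline["read_only"]:
        warnings.append("File attributes have changed")
    if f.stamp != baseline["stamp"]:
        warnings.append("Time and date stamp has changed")
    return warnings

# Constructed SORT.EXE image: an MZ signature followed by filler "code".
SORT_EXE = FileImage(
    name="SORT.EXE",
    data=b"MZ" + bytes(range(256)) * 4 + b"END-OF-SORT",
    read_only=False,
    stamp="06-25-95 12:00",
)
BASELINE = make_baseline(SORT_EXE)

def demo_attrib() -> list[str]:
    """The manual's harmless demonstration: ATTRIB SORT.EXE +r, then run it."""
    return verify(BASELINE, replace(SORT_EXE, read_only=True))

def demo_tamper() -> list[str]:
    """Bytes appended and the stamp updated: an unexpected change to the program."""
    tampered = replace(SORT_EXE,
                       data=SORT_EXE.data + b"\x90" * 64,   # constructed filler
                       stamp="06-26-95 03:14")
    return verify(BASELINE, tampered)

if __name__ == "__main__":
    for label, result in (("ATTRIB +r", demo_attrib()), ("tampered", demo_tamper())):
        print(f"{label}: " + (" | ".join(result) or "all checks OK"))
```

Note that the attribute-only case produces exactly one warning, which is why the manual can call it harmless, while a change to the bytes trips the CRC, size, tail and stamp checks together; several checks failing at once is the pattern the "most serious" list above is pointing at.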
WARNINGS FROM THE DRIVER'S INTERNAL AV SHIELD
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
The ARFMAIN.BIN driver, as mentioned, also acts as an anti-virus
"shield," and will display various warning messages itself if it
Page 12
detects suspicious activity. Let's look at what the driver might
warn you about.
Common Warnings
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
All of these warnings appear in a rectangular box in the middle
of the display screen, and most will prompt for a "Y/N" ("Yes/No")
response. If you select "yes", the operation will be permitted to
continue as though nothing had happened. As a general rule,
selecting "No" (the default) will cause the driver to tell the calling
program that the operation isn't permitted.
In many cases you can ignore these warnings. (You can't call such
a case a "false alarm", though, because the described activity IS
happening; the driver is simply making sure you approve of it.)
So when should you suspect a virus? Follow these guidelines:
1. Look for CHANGES. For example, a program hasn't been causing
any warnings before; why should it suddenly start now? You'd
especially get suspicious if an old program started giving
warnings right after you'd just run a new program; it's very
possible that the new program was infected, and has spread
that infection to other files on your hard drive. (If INJECTed
programs suddenly start complaining, you can be sure of it.)
2. Look for REPEATED activity. Many viruses will attempt to open
a number of different, unrelated files. For example, you
might get, one after another:
"Attempt to open ALPHA.COM"
"Attempt to open BETA.EXE"
"Attempt to open GAMMA.COM"
... and so on. This is very typical of a virus doing a
directory search, looking for files to infect. You should
especially get suspicious if it's attempting to open program files
in other subdirectories.
Page 13
3. Look for SUSPICIOUS activity. Why should your word processor
need to open "COMMAND.COM" for write? Why would a database
program want to access the boot sectors?
4. Look for MULTIPLE warnings. A single, isolated warning is
probably just One Of Those Things. Two or more warnings is
cause for concern.
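The four guidelines can be applied mechanically to a session's worth of warning boxes. The Python below is an added example and is not part of the manual or of the ARF software: it takes a constructed list of (calling program, warning text, target file) triples, the kind of thing a user might jot down from the warning boxes, plus a constructed set of programs that produced warnings in earlier sessions, and scores each calling program against the CHANGES, REPEATED, SUSPICIOUS and MULTIPLE guidelines. The sample data, the thresholds (three distinct program files before "repeated" fires, two guideline hits for a "SUSPECT" verdict) and the code-file extension list are assumptions.

```python
import ntpath
from collections import defaultdict

# File types the driver's "Opening for R/W access" warning covers.
CODE_EXTS = {".EXE", ".COM", ".BIN", ".SYS"}

# Constructed sample session: (calling program, warning text, target file).
SESSION = [
    ("C:\\LINK\\LINK.EXE",  "Opening for R/W access",       "C:\\LINK\\MYPROG.EXE"),
    ("C:\\WP\\WP.EXE",      "Opening for R/W access",       "C:\\DOS\\COMMAND.COM"),
    ("C:\\WP\\WP.EXE",      "Opening for R/W access",       "C:\\UTIL\\ALPHA.COM"),
    ("C:\\WP\\WP.EXE",      "Opening for R/W access",       "C:\\UTIL\\BETA.EXE"),
    ("C:\\WP\\WP.EXE",      "Renaming/changing attributes", "C:\\UTIL\\GAMMA.COM"),
    ("C:\\DOS\\ATTRIB.EXE", "Renaming/changing attributes", "C:\\WP\\LETTER.TXT"),
]

# Constructed history: programs that have produced warnings in earlier sessions.
PREVIOUSLY_WARNED = {"C:\\LINK\\LINK.EXE", "C:\\DOS\\ATTRIB.EXE"}

REPEATED_THRESHOLD = 3   # assumed: distinct program files before "repeated" fires

def is_code_file(path: str) -> bool:
    return ntpath.splitext(path)[1].upper() in CODE_EXTS

def triage(events, previously_warned) -> dict[str, list[str]]:
    """Map each calling program to the list of guideline hits it scored."""
    by_program = defaultdict(list)
    for program, warning, target in events:
        by_program[program.upper()].append((warning, target.upper()))
    seen_before = {p.upper() for p in previously_warned}

    report = {}
    for program, items in by_program.items():
        reasons = []
        home_dir = ntpath.dirname(program)
        code_targets = sorted({t for _, t in items if is_code_file(t)})

        # 1. CHANGES: a program that never warned before is warning now.
        if program not in seen_before:
            reasons.append("CHANGES: no warnings from this program in earlier sessions")
        # 2. REPEATED: several unrelated program files, especially elsewhere on the drive.
        if len(code_targets) >= REPEATED_THRESHOLD:
            reasons.append(f"REPEATED: {len(code_targets)} different program files touched")
        elsewhere = [t for t in code_targets if ntpath.dirname(t) != home_dir]
        if elsewhere:
            reasons.append("REPEATED: program files in other directories: " + ", ".join(elsewhere))
        # 3. SUSPICIOUS: why would this program need COMMAND.COM or the boot sectors?
        if any(ntpath.basename(t) == "COMMAND.COM" for _, t in items):
            reasons.append("SUSPICIOUS: COMMAND.COM opened for write")
        if any("boot" in w.lower() or "INT 26h" in w for w, _ in items):
            reasons.append("SUSPICIOUS: boot-sector or INT 26h write")
        # 4. MULTIPLE: two or more warnings from one program is cause for concern.
        if len(items) >= 2:
            reasons.append(f"MULTIPLE: {len(items)} warnings this session")
        report[program] = reasons
    return report

def verdict(reasons: list[str]) -> str:
    """Assumed rule: one hit is One Of Those Things; two or more is a suspect."""
    return "SUSPECT" if len(reasons) >= 2 else "probably nothing"

if __name__ == "__main__":
    for program, reasons in triage(SESSION, PREVIOUSLY_WARNED).items():
        print(f"{program}: {verdict(reasons)}")
        for reason in reasons:
            print("   -", reason)
```

With the constructed session, LINK.EXE (one write to its own output file, seen before) and ATTRIB.EXE (one attribute change on a text file) score nothing, while WP.EXE scores on every guideline at once: it is new, it touched four program files in other directories, one of them COMMAND.COM, and it produced five warnings in a row.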
Now let's look at the actual warning messages, starting with ...
WARNING: Opening for R/W access: <program.com/exe/etc.>
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
The program that you're currently using is trying to open a "code"
file (.EXE, .COM, .BIN, etc.) for read/write access. (Programmers
will become very familiar with this warning; LINK, DEBUG and many
other programmer's utilities open program files for write access.)
You can choose "Y" (Yes, continue) or "N" (no). If you choose "N"
the driver will tell the calling program that the file is
write-protected, preventing access to it. (Programmers, just say YES.)
Some legitimate programs can cause this warning screen; in fact,
if you want to see it, enter "DEBUG SORT.EXE" at the DOS prompt.
INSTALL and configuration programs are a problem. Many of them
write to .EXE and .COM files, and they WILL trigger this warning.
One solution is to temporarily disable the driver (by removing the
"DEVICE=ARFMAIN.BIN" line in CONFIG.SYS) until after the install.
That's far from ideal, though; even just-out-of-the-box software
could be infected (it has happened before, even with stuff from
top software houses).
Unfortunately, there are no hard and fast rules for an installer
or configuration program. If you've INJECTed all your files, you
should be OK. Unless you get a warning on a file that you
honestly think the installer shouldn't be touching, just press "Y" at
each warning.
Page 14
WARNING: Renaming/changing attributes: <program>
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
You'll get fewer warnings from legitimate programs with this one.
We included this check because many viruses like to rename files
and/or change file attributes (see VIRUS.DOC).
DOS's own ATTRIB command can cause this warning (obviously), as
can a few other programs, primarily utilities that change things
at the system or boot configuration level. The guidelines
suggested above apply (especially for INSTALL-type programs).
Attempt to overwrite the boot/partition sectors!
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
and Attempt to write directly via INT 26h!
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Hmmm ... these may be a little more serious. There ARE some
legitimate programs that can cause these, but we felt like we had
to warn you, because so many viruses do these things. Legitimate
programs which can cause these warnings include disk defraggers
and data recovery utilities, and system-level utilities such as
FORMAT and SYS. But most of your software should NOT.
SUPERHINTS: The "boot sector" warning should NOT appear when
you're doing routine read/writes to a floppy. For example, say
you've just finished writing a gooey love letter to your sweetie,
and you're saving it to drive A:. If you see "Attempt to
overwrite the boot sector," that's not good. Some viruses wait for
such disk access to sneak in their own writes to the boot sector;
you won't be as likely to notice. (The sneaky little devils.)
As for the second warning, it used to be common for programs to
use INT 26h to write to disk, so older programs can cause this
warning. But Microsoft(tm), the producers of DOS, have recently
warned that INT 26h is obsolete, and that new programs shouldn't
use it (so why do their own FORMAT, SYS, SCANDISK and even the
DEFRAG program that comes with DOS 6 use it? Hey; go figure.)
Page 15
INT xxh vector has changed: xxxx:xxxxh
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
There's no maybe to this one; a number of legitimate programs do
weird things to the interrupt table in your computer, and WILL
cause this warning (SMARTDRV.EXE, for example). We added the /I13
and /I21 switches (see the next section) for this reason.
If you get this warning repeatedly with the same program, and no
other warning messages appear (and INJECTED programs appear to be
fine), it's probably a false alarm; use the /I13 or /I21
command-line switch to disable it at that address (see below).
This is a bit different from the previous messages; you're not
asked to proceed, merely to press a key to continue. Earlier
versions of the driver used the "Serious Message" approach (see
below), locking the PC up if you didn't want to proceed. But so
many programs change interrupts in a non-standard manner, and we
were getting so many false alarms, we decided to do it this way.
Technically, this warning is triggered by any program that hooks
INT 13h or 21h in a "suspicious" manner. The problem lies in
defining "suspicious"; if we took the narrowest possible view, you'd
get constant warning screens. (This is a function of how DOS
upper memory is implemented, -not- a problem with ARFMAIN.)
Look for CHANGES: A program that hasn't been giving this warning
before, and has now started doing so, for example. THAT'S when
you should get suspicious. In general, if you have a virus, you
also won't get this message by itself; it'll appear with others.
If you make changes to your boot configuration, you could get new
warnings, too. Just changing the order of the DEVICE= lines in
CONFIG.SYS or adding a new line to AUTOEXEC.BAT can change where
the final INT 13/21h vectors will be at run time; you may have to
change your /I13 and /I21 switches (again, see below).
Page 16
More Serious Warnings
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
The common warnings just discussed will allow operation to
continue if you give a "N" ("no") response. The messages that follow,
however, default to a system hang for safety.
These warnings are more serious than the previous ones. Each is
described in detail below. For all of them, though, the suggested
verification and repair procedure is as follows:
1. See the section "What To Do If I Get A Virus" in INJECT.DOC;
there is some very useful information there.
2. Switch the computer off, then boot from the write-protected
ARF Recovery floppy that you created when you installed ARF AV.
WARNING!!! - BEFORE YOU PUT THAT FLOPPY INTO THE
DRIVE, MAKE SURE IT'S STILL WRITE PROTECTED!!!!
Tape strips can fall off, and/or the sliding tabs in 3.5" floppies
can slip over time! DO NOT under any circumstances let that disk
go into the drive when it's not write protected! (If you do, you
CANNOT trust it anymore; and if a virus is suspected, use a
different computer to build a known-good bootable floppy to be safe.)
3. Use INJECT to scan and repair your files as needed (again, see
INJECT.DOC).
4. Use PRO-BOOT to check and restore the Main Boot and System Boot
Records as needed (see PRO-BOOT.DOC).
5. Boot the system normally (i.e., on the hard drive); unless you
get a fresh batch of warning screens, you should be OK now. But
don't forget to delete the file that caused the warning
(registered users may send a copy of the file to us for analysis).
Page 17
6. If you do get other warnings, contact us for more assistance.
As explained in REGISTER.DOC, we will only provide limited support
to non-registered users. Registered users can expect full support
for recovery after a virus attack.
Here are the serious warnings that you could get:
WARNING: System INT xxh is being tunneled!
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
This is indeed a serious warning. NO NORMAL SOFTWARE SHOULD EVER
CAUSE THIS WARNING (and by "normal," we mean ALL of the software
that the typical user -- even a programmer -- might use)!
What is "tunneling?" Just as a thief might try to dig under a
fence to get inside your property, some viruses use a hardware
tracing technique to "tunnel" past a shield such as ARFMAIN, and
"dig" into the heart of the system. This allows them to bypass
the shield and call the system directly.
If you see this warning, you almost certainly have a virus trying
to install itself in your system; we strongly recommend that you
choose the default "No" and let the driver hang the system.
That's the bad news; the good news is, selecting "N" will, in most
cases, stop the virus COLD before it has a chance to spread.
The only "legitimate" programs we know of that might cause a false
alarm here are very specialized program analyzers and tracers.
But these are extremely rare (even CODEVIEW, DEBUG, and TD386 will
not cause this warning, for example).
Page 18
This BIOS memory size report has been altered ...
... current size is xxxh ....
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
You may get a false alarm on this one during and immediately after
bootup, but once you begin a normal session, you should NEVER see
this. If you do, something is seriously wrong; you are probably
witnessing a "stealth" virus as it first tries to install itself
in your system.
If you're going to get a false alarm, you'll get it when you first
install and use ARFMAIN, and/or right after making changes to your
CONFIG.SYS and AUTOEXEC.BAT files. In that case, you can use the
/Mxxx command-line switch to disable the warning (see below).
But once you've installed ARFMAIN and have been using it for a
while, you should NOT get this message. ESPECIALLY if you get
this message when you first run a new program, you should kill it
and follow the recovery procedure described above.
COMMAND-LINE SWITCHES
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
To help minimize false alarms, a few command-line switches are
supported by ARFMAIN.BIN. (These have no effect on ARFDISP.BIN,
because it doesn't have the anti-virus shield.)
The basic syntax for the CONFIG.SYS line that would install the
driver is as follows:
DEVICE(HIGH)=ARFMAIN.BIN <optional switches>
The DEVICE or DEVICEHIGH command, of course, is what "loads" the
driver; see your DOS manual. The optional switches are described
below. Remember to specify a path if ARFMAIN.BIN isn't in the
root directory; for example,
Page 19
DEVICE=C:\ARFSTUFF\ARFMAIN.BIN <optional switches>
Each of the switches is intended to attack a specific type of
false alarm, and we'll look at each in turn.
/Mxxx
▀▀▀▀▀
This switch allows you to tell the driver the size of your
conventional memory in hex kilobytes. (The default is 280h, or
640K). This can help prevent false "Memory Size" warnings.
If you're not familiar with hexadecimal numbers and other such
nonsense, the easiest way to set this switch is just to boot the
computer and write down the memory size specified in the warning
screen (it'll be displayed in hex, which is what we want).
For example, suppose you've just installed the driver, and when
you boot, you get the warning box. It states that "the BIOS
memory size has changed," and that the current size is 27Fh. You
might use this line in your CONFIG.SYS file:
DEVICEHIGH=ARFMAIN.BIN /M27F
Note that there are no spaces in the switch itself, and that the
"h" suffix on the "27Fh" isn't required.
IMPORTANT NOTE: If the memory size reported by the warning screen
is different from 280h or 27Fh, you could have a virus. These are
the only two values we're familiar with on modern PCs with 640K or
more memory.
Page 20
/I13,ssss:oooo
▀▀▀▀▀▀▀▀▀▀▀▀▀▀
/I21,ssss:oooo
▀▀▀▀▀▀▀▀▀▀▀▀▀▀
These are essentially the same, and allow you to specify a single
known-good vector for INT 13h and for INT 21h.
This is another case where we had to weigh compromises, and
decided to implement this to support those cases where a legitimate
program does funky things to the interrupt table. Adding code to
the driver to automatically detect this might provide a possible
"back door" for a virus to disable the driver.
(For example, SMARTDRV.EXE causes this warning when it loads in
upper memory because it remaps some interrupts to upper memory.
But so do a number of viruses! Adding code to permit SMARTDRV to
do it would mean that some viruses might get past the driver.)
By providing a single, known-good interrupt vector address for
INT 13h or INT 21h, you can safely eliminate false alarms.
Note the precise syntax: no spaces, and a comma after the "/I13"
or "/I21" specifying the interrupt. The "ssss" value is the
segment in hex, and "oooo" is the offset in hex.
Again, if you're no good with hexadecimal, just watch the display
and write down the numbers in the message box.
For example, suppose you get the warning screens during boot, and
they specify that the current vector for INT 13h is C868:16D2h,
and the current vector for INT 21h is C868:1492h. You might use a
line like this one in your CONFIG.SYS file:
DEVICE=ARFMAIN.BIN /I13,C868:16D2 /I21,C868:1492
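As an added illustration (not part of the ARF package, and not the driver's own code), here is a small Python model of the /M and /I13,/I21 switch syntax described above, together with the boot-time comparison that produces the "memory size" and "vector" warnings. The sample boot state is constructed from the values in the manual; the 280h default standing in for ARFBUILD's recorded size, and the upper-memory heuristic applied when no /I switch is given, are assumptions, not documented driver behaviour.

```python
import re

# The manual names 280h and 27Fh (hex, in KB) as the only BIOS memory sizes
# seen on modern PCs with 640K or more; anything else merits a closer look.
KNOWN_GOOD_MEMORY_SIZES = {0x280, 0x27F}

# Constructed sample of what the driver sees at boot: the BIOS memory size
# word and the current INT 13h / INT 21h vectors (values from the manual).
SAMPLE_STATE = {"memsize": 0x27F, "I13": (0xC868, 0x16D2), "I21": (0xC868, 0x1492)}
MEM_RE = re.compile(r"^/M([0-9A-F]{1,4})$")
VEC_RE = re.compile(r"^/(I13|I21),([0-9A-F]{1,4}):([0-9A-F]{1,4})$")

def parse_switches(config_line):
    """Parse the switches on a DEVICE=/DEVICEHIGH= line for ARFMAIN.BIN.
    Returns e.g. {"memsize": 0x27F, "I13": (0xC868, 0x16D2)}. Anything that
    is not exactly /Mxxx or /I13,ssss:oooo (a stray space, a missing comma)
    raises ValueError rather than being silently ignored."""
    _, _, tail = config_line.upper().partition("ARFMAIN.BIN")
    known = {}
    for token in tail.split():
        m = MEM_RE.match(token)
        if m:
            known["memsize"] = int(m.group(1), 16)
            continue
        m = VEC_RE.match(token)
        if m:
            known[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
            continue
        raise ValueError("unrecognized ARFMAIN switch: %r" % token)
    return known

def check_state(state, known, recorded_memsize=0x280):
    """Return the warnings a simplified driver would raise for `state`.
    `recorded_memsize` stands in for the size ARFBUILD recorded at build
    time (assumed 280h); a /M switch overrides it. Without an /I switch a
    vector pointing into upper memory (segment >= A000h) is reported; that
    heuristic is an assumption, not the driver's documented logic."""
    warnings = []
    mem = state["memsize"]
    if mem != known.get("memsize", recorded_memsize):
        warnings.append("BIOS memory size has changed: now %03Xh" % mem)
    if mem not in KNOWN_GOOD_MEMORY_SIZES:
        warnings.append("memory size %03Xh is not 280h or 27Fh: possible virus" % mem)
    for intr in ("I13", "I21"):
        seg, off = state[intr]
        suspicious = known[intr] != (seg, off) if intr in known else seg >= 0xA000
        if suspicious:
            warnings.append("INT %sh vector is %04X:%04Xh" % (intr[1:], seg, off))
    return warnings
```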
Page 21
SOME FINAL NOTES
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
FALSE ALARMS
▀▀▀▀▀▀▀▀▀▀▀▀
You can compare computer viruses to vandals who break into your
home and break things for no real purpose. You can also compare
the ARFMAIN.BIN driver to a security system that tries to catch
them before they can get in and do their damage.
That's a good analogy, too, because there are some similarities.
The PC is easy to use and easy to upgrade. By simply popping in a
disk, you can install a new software package. But convenience has
a price, and we can compare it to an unlocked door on a house:
convenient for you and the family ... but also for the bad guys!
Installing locks and an alarm system means you lose convenience.
You'll have to remember alarm codes and get new keys and all that
nonsense. You'll have to remember not to enter the house while
the alarm is active, too. Anti-virus software is a lot like that;
if it's going to work, you may be inconvenienced from time to
time. Not often, but it'll happen.
Let's continue the analogy. You want the alarm system to be sens-
itive enough to catch bad guys, but not so sensitive that you get
constant false alarms. Finding the right setting involves some
compromises. For maximum protection, you'll err on the side of
caution, though, and that's what we've done.
(We might cynically point out that one reason why some anti-virus
software isn't totally effective is because many companies are so
terrified about causing false alarms. We'd rather treat you as an
adult, warn you that you may get a false alarm from time to time,
and provide maximum protection.)
Page 22
But this is where the analogy ends; actually, many of these warning
screens aren't really "false" alarms. The described activity *IS*
happening; ARFMAIN is simply making sure you know about it.
Why will you occasionally get a warning screen on a legitimate
program? It's simple: for every virus-like activity that you can
name, we can name at least one legitimate program that does the
same thing. We've already mentioned writing to the boot sectors
with FORMAT; there are dozens of other examples.
So ... could we have eliminated some of these warnings? Probably.
But this is a critical point:
IF YOU PUT !ANYTHING! IN AN ANTI-VIRUS PROGRAM TO DISABLE
IT, TURN IT OFF, OR EVEN MERELY MAKE IT "IGNORE" CERTAIN
PROGRAMS, THE VIRUS COMMUNITY !WILL! LEARN ABOUT IT, AND
!WILL! TRY TO USE IT TO THEIR ADVANTAGE.
(We had a hard enough time convincing ourselves just to support
command-line switches!)
Read that. Take it to heart. Memorize it. And if you're ever
irritated by a warning screen, read it again.
Can we share just one true story?
One major software house released their own anti-virus shield a
few years back. This particular shield is now considered a joke
in the virus community; it's completely ineffective against the
majority of viruses produced in the last year or so.
Why? To prevent false alarms, this manufacturer put a secret
"switch" in the shield. Their other programs could call this
switch to turn the shield off while they did "suspicious" stuff,
such as writing to the boot records of the disk. No false alarms.
Page 23
When they were done, their other programs would switch the shield
back on, and all was well. Right?
Yeah, RIGHT. Virus writers may be somewhat warped, but they are
NOT stupid. When they noticed that this manufacturer's other
programs were mysteriously able to do things (like write to boot
sectors) without setting off an alarm, they got curious. They
looked at the shield's code and discovered the switch. Within a
matter of DAYS (no exaggeration!), viruses were being produced
that could switch that shield off.
True story, folks, and we don't want to repeat that mistake!
(So how does ARFMAIN know when INJECT is writing a .COM or .EXE
file? We ain't tellin', but you can be sure of one thing: we're
not using a software switch!)
WHY OURS IS THE BEST
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
... and this relates to the previous section on false alarms. If
you don't have time to read all of this stuff now, that's fine;
but do us -- and yourself -- a favor and read it soon.
INJECT is the ideal file protector, combining a number of func-
tions (including detection and recovery) in one automatic, self-
contained unit. PRO-BOOT is the ideal way to protect your Main
Boot Record, too; it's also an automatic, self-contained utility.
ARFMAIN.BIN is the perfect complement to these other two programs;
it concentrates on virus-like activity at the system level. What
INJECT and PRO-BOOT might miss, ARFMAIN will catch, and vice-versa.
This overlapping protection is the key to our anti-virus package,
and we're confident enough to offer registered users a limited
money-back guarantee (see REGISTER.DOC for details).
Page 24
We believe that ARFMAIN.BIN is the best anti-virus shield avail-
able for several good reasons:
1 - First and foremost, our approach. This is NOT another "me-
too" scanner/detector. From the outset, we wanted to do more
than that; and the more research we did, the more convinced we
became that we were on the right track.
See Leonard's comments in the "overview" in INJECT.DOC; much
of what he says there applies here. Countless hours of res-
earch and testing have gone into identifying the reasons why
the PC family is susceptible to viruses in the first place,
and to FIXING those weaknesses.
The ARF Anti-Virus package is a virus PREVENTION system, not
just a virus detector.
(Using the alarm analogy one last time, we want to stop the
bad guys from getting into your system to start with. If they
DO get past us, we want to stop them as soon as possible, and
strictly limit the amount of damage they might cause.)
2 - In the same vein, the driver traps and inspects a number of
undocumented system calls and data areas. This includes calls
to some undocumented network functions, which most anti-virus
programs presently ignore. To be fair, few PC viruses use
these "back doors" into the system at present ... but it'll
only be a matter of time before this becomes commonplace.
With our shield, you have the assurance that the protection is
already in place.
3 - The device driver is custom-configured to your system. As it
builds ARFMAIN.BIN, ARFBUILD checks your system carefully and
records some "signature" values in the driver. If these
values ever change, you'll be warned. This makes it far more
Page 25
effective than an anti-virus shield that has to compromise to
work on every system regardless of manufacturer.
4 - Because it's a device driver, ARFMAIN.BIN is loaded during the
boot, even before the system shell (ex., COMMAND.COM) is
started. We get into the system much sooner than an anti-
viral shield which must be invoked from the DOS prompt.
5 - As the driver is being loaded during boot-up, it checks both
the Main Boot and System Boot Records (MBR/SBR) for changes
using a very effective CRC "signature" method. If even a
single byte in the SBR/MBR has been altered, you'll be warned.
(PRO-BOOT checks the boot records, too. Again, you see the
overlapping protection.)
6 - After boot-up, the driver runs in the background and automati-
cally checks for suspicious activity. One such check is for
"tunneling" -- a technique used by many viruses to "tunnel"
past anti-virus software and get to the heart of the system.
7 - The driver requires confirmation from the operator before any
write can be done to the boot sectors of a disk. (It's amaz-
ing that most PCs *STILL* don't have this simple and effective
protection.)
8 - The device driver asks for confirmation on any attempt by a
program to open a code file for R/W access, or any attempt to
change the attributes of, or rename, a code file.
9 - Just as the INJECTed module is very difficult to remove from
an injected file, this driver is very resistant to tampering.
In fact, the only way to disable this driver is to not use it
-- i.e., to remove the "DEVICE=ARFMAIN" line from CONFIG.SYS.
We did it that way on purpose.
Page 26
ARFMAIN has been tested in memory against a number of viruses,
from well-known older types (ex., the Jerusalem family) to those
currently making the rounds (ex., SMEG/QUEEG and NATAS). It has
proven extremely effective in all tests so far.
Finally, we don't require a registration fee of home users (see
REGISTER.DOC for full details; there are some real benefits to
registration, but it's not required of home users). We want this
software in as many PCs as possible; please give copies of this
package to your friends, family, and co-workers. Spread the word!
And remember: let us know how we did. Suggestions and comments
are not only welcome, but deeply appreciated. No matter how minor
the suggestion, if it makes sense, we'll include it in future
releases of the package. See "How to Contact Us" in REGISTER.DOC.
A SPECIAL NOTE FOR WINDOWS(tm) USERS
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
The ARFMAIN.BIN driver works fine with Windows versions 3.1 and
3.11 in 386 Enhanced mode. However, we can't guarantee it for all
future versions of Windows. Check with us for information on an
update if you plan to change to a later version of Windows.
IMPORTANT: If you are using Windows(tm) on an older 286 computer,
you are almost certainly running Windows in Standard mode. You
may experience problems with ARFMAIN.BIN in that case, due to the
way that Windows captures the keyboard and video subsystems. For
example, if you shell out to DOS, when you attempt to return to
Windows, the system may hang.
Unfortunately, you have only two choices: either stop using
Windows on your 286, or stop using ARFMAIN.BIN. Sorry ...
Page 27
KNOWN CONFLICTS WITH OTHER PROGRAMS
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
We've taken great pains to make sure that ARFMAIN works with most
popular software. But in addition to the "false alarms" discussed
above, as of this writing, we know of these possible conflicts:
1. SMARTDRV.EXE -- if you use SMARTDRV, disable write-back cach-
ing. If you don't, the system will appear to hang when exiting
some programs (such as word processors). (Write-caching on
software-based disk cachers is a bad idea in general, anyway; and
SMARTDRV's ability to corrupt disks -- especially floppies --
when write-back is enabled is well-known.)
2. Some older programs have a very small stack. You may get the
message "stack overflow" when these are used with the driver. If
you have an .EXE modification utility such as EXEHDR, you can
increase the size of the stack. Other than that, such programs
will probably have to be avoided when the driver is in memory.
If you know of other programs that appear to work improperly with
the ARFMAIN driver, please let us know and we'll add them to the
list.