-
-
-
- DDDDDDD RRRRRRR WW WWW WW EEEEEEEEE BBBBBBB
- DDDDDDDD RRRRRRRR WW WWWW WW EEEEEEEEE BBBBBBBB
- DD DD RR RR WW WW WW WW EE BB BB
- DD DD RR RR WW WW WW WW EE BB BB
- DD DD RRRRRRRR WW WW WW WW EEEEEEEEE BBBBBBBB
- DD DD RRRRRRR WW WW WW WW EEEEEEEEE BBBBBBBB
- DD DD RR RR WW WW WW WW EE BB BB
- DD DD RR RR ■■ WW WW WW WW EE BB BB
- DDDDDDDD RR RR ■■■■ WWWW WWWW EEEEEEEEE BBBBBBBB
- DDDDDDD RR RR ■■ WWW WWW EEEEEEEEE BBBBBBB
-
- A KILLER FOR POLYMORPHIC VIRUSES
-
- USER'S GUIDE
-
- Version 3.19 Released February 15, 1997.
-
- by Igor Daniloff
-
-
-
- LICENSE AGREEMENT
-
- Dr. Web anti-virus program is distributed "AS IS" without
- warranty of any kind, either expressed or implied. The entire
- risk as to the quality and performance of the program lies with
- the user. Should the program prove defective, the designer or his
- authorized distributor or dealers bear no responsibility.
-
-
- If you have an illegal copy of Dr. Web
-
- Registered users and ... virus designers may skip this paragraph.
- Dr. Web Anti-virus program is a commercial software product. If
- you have found it helpful and want to use it in your everyday
- computer sessions - please, procure a licensed copy and register
- it. The value of information in your computer is incomparable to
- the cost of Dr. Web program!
-
-
- Dr. Web Anti-virus Package includes the following files:
- ┌────────────┬────────┬─────────────────────────────────────────┐
- │ File │ Size │ Description │
- ├────────────┼────────┼─────────────────────────────────────────┤
- │HISTORY.WEB │ - │ Brief history of Dr. Web program │
- │VIRTABLE.WEB│ 204730 │ Catalogue of viruses recognized and │
- │ │ │ killed by Dr. Web │
- │VIRLIST.WEB │ - │ Brief description of the viruses known │
- │ │ │ to Dr. Web │
- ├────────────┼────────┼─────────────────────────────────────────┤
- │DRWEB.EXE │ 213490 │ Dr. Web anti-virus program │
- │DRWEB.HLP │ 18571 │ Help file in English │
- │DRWEB.ICO │ 766 │ Icon file for MS-Windows │
- │DRWEB.INI │ 1024 │ Dr. Web configuration file │
- │DRWEB.ME │ 76210 │ User's guide │
- │DRWEB.PGP │ 294 │ Dr. Web validation signature │
- │WEBymmdd.vvv│ nnn │ Add-on file to the virus database │
- └────────────┴────────┴─────────────────────────────────────────┘
-
- REMARK. Dr. Web package may also contain one or more
- add-on files. How to append add-on files to
- the Dr. Web program is described in Section
- 1.4 The UPDATE item.
-
-
- C O N T E N T S
-
- OVERVIEW
- What is Doctor Web?
- 1. RUNNING DR. WEB IN INTERACTIVE MODE
- 1.1 The DR. WEB menu
- 1.2 The TEST menu
- 1.3 The SETUP menu
- 1.4 The UPDATE item
- 1.5 The HELP menu
- 1.6 Speedkeys
- 2. RUNNING DR. WEB FROM ITS COMMAND LINE
- 2.1 List of command options and their purpose
- 2.2 Running Dr. Web in batch mode
- REFERENCES
-
-
- O V E R V I E W
-
- What is Doctor Web?
-
- Dr. Web searches the memory and disks for viruses known to it and
- eradicates them. It can also conduct a heuristic analysis of
- files and system areas for detecting new and unknown viruses.
-
- It is a good idea to keep Dr. Web on a write-protected bootable
- diskette and to test your machine from it. Before making this
- copy, it is important that the computer has been started from a
- clean bootable system diskette, so that the copy is not itself
- infected by a virus active in memory.
-
- First, install Dr. Web in your machine. For this, create a
- directory named DRWEB in drive C:, log on to this directory, and
- finally copy all files from the installation diskette to this
- directory.
-
- Dr. Web can be run either in interactive or batch mode. Batch
- mode is particularly convenient for automatically running Dr. Web
- from the AUTOEXEC.BAT file every time the computer is started.
- How to run Dr. Web from the AUTOEXEC.BAT file and the command
- options are described later. The interactive mode is described
- first.
-
-
-
- 1. RUNNING DR. WEB IN INTERACTIVE MODE
-
- To start Dr. Web in interactive mode, at the DOS prompt type the
- command
-
- drweb
-
- and press <Enter>.
-
- In case you rename the DRWEB.EXE file (to hide it from resident
- viruses capable of attacking Dr. Web), the DRWEB.INI file (if it
- is used in operation) must also be renamed to the same name as
- DRWEB.EXE without altering the extension INI; for example, if
- DRWEB.EXE is renamed as ANTIVIR.EXE, then DRWEB.INI must be
- renamed as ANTIVIR.INI.
-
- On starting the program, the screen displays the main menu:
-
- Dr.Web Test Setup Update [F1] Help
- █████████████████████████████████████████████████████████████████
- █╔═════════════════════ Scanning progress ═════════════════════╗█
- █║ ║█
- Fig. 1. Dr. Web's main menu
-
- Using the menu items and commands, you can configure the program
- to suit your preferences, choose various program modes, update
- your Dr. Web by appending add-on files to the main virus
- database, and get on-line help on various topics.
-
- ═══════════╦═════════════════════════════════════════════════════
- Menu item ║ Purpose
- ═══════════╬═════════════════════════════════════════════════════
- Dr.Web ║ The commands in this menu are used to display
- ║ information about the program version, to shell
- ║ to DOS screen, and to end a Dr. Web session.
- ───────────╫─────────────────────────────────────────────────────
- Test ║ The commands in this menu are used to test and
- ║ cure the machine, and to display the report of
- ║ the current scanning session.
- ───────────╫─────────────────────────────────────────────────────
- Setup ║ The commands in this menu are used to customize
- ║ the operation of Dr. Web to suit your preferences.
- ───────────╫─────────────────────────────────────────────────────
- Update ║ This command is used to append add-on files to
- ║ the main virus database of the program.
- ───────────╫─────────────────────────────────────────────────────
- [F1] Help ║ displays on-line help on various topics.
- ═══════════╩═════════════════════════════════════════════════════
-
- Press [F10] or <Space> to activate the menu bar. Then, using the
- left and right arrow keys, move to the desired menu item and
- press <Enter> to pull down its menu. Finally, move to the desired
- command in the menu with the up and down arrow keys, and press
- <Enter> to execute the command.
-
- A mouse can also be used to run Dr. Web. First, place the mouse
- cursor on the desired menu item and click the left button to drop
- down its menu. Then click the name of the command you want to
- execute.
-
- One letter in the names of the menu items is highlighted. To pull
- down the submenu of a menu item, while holding down <Alt>, press
- the corresponding highlighted letter. For example, to pull down
- the menu of DR. WEB item, while holding down <Alt>, press the
- letter D. The same procedure is used to choose a command from
- drop-down menus.
-
-
- 1.1 The DR. WEB menu
-
- contains three commands: DOS SHELL, ABOUT..., and EXIT.
-
- Dr.Web Test Setup Update [F1] Help
- ┌──────────────┐█████████████████████████████████████████████████
- │ Dos shell │═══════════Scanning progress ══════════════════╗█
- │ About... │ ║█
- │ Exit Alt-X │ ║█
- └──────────────┘ Fig. 2. Dr. Web menu
-
-
- The DOS SHELL command
-
- Choosing this command, you can temporarily exit from the current
- Dr. Web session for shelling to the DOS screen:
-
- ┌─────────────────────────────────────────────────────┐
- │ Type EXIT to return to Dr. Web... │
- │ │
- │ Microsoft(R) MS-DOS(R) Version 6.20 │
- │ (C)Copyright Microsoft Corp 1981-1993. │
- │ │
- │ │
- │ C:\WEB> │
- └─────────────────────────────────────────────────────┘
- Fig. 3. DOS screen
-
- You can use this command, for example, to copy and rename
- infected files, to create a backup copy of valuable files, etc.
- After you are done with your DOS session, type EXIT and press
- <Enter> to return the Dr. Web main menu window.
-
- Note. Do not use this command to end a Dr. Web session: while
- you are in the DOS shell, Dr. Web remains loaded and occupies
- memory. Type EXIT to return to Dr. Web and then end the session
- with the EXIT command or <Alt+X>.
-
-
- The ABOUT... command
-
- Choosing this command, you can view the version number of the Dr.
- Web in your machine.
-
- If your version is more than two months old, you will be
- prompted to update the program, because an outdated version will
- not detect or eradicate the viruses written in the intervening
- period. Running in heuristic analysis mode, an outdated version
- can still detect many new and unknown viruses, but to eradicate
- them you must append the appropriate add-on files to its main
- virus database. See Section 1.4 The UPDATE item.
-
-
- The EXIT command
-
- Choosing this command, you end a Dr. Web session. You can also
- end a session, pressing the speedkey combination <Alt+X>.
-
-
- 1.2 The TEST menu
-
- contains five commands: TEST MEMORY, SCAN, CURE, STATISTICS, and
- REPORT, for searching for and removing viruses, viewing the
- statistics of the current session, and viewing the report of the
- current and previous scanning sessions.
-
- Dr.Web Test Setup Update [F1] Help
- ████████┌────────────────┐███████████████████████████████████████
- ██╔═════│ Test memory │══ Scanning progress ═══════════════╗██
- ██║ │ Scan F5 │ ║██
- ██║ │ Cure Ctrl-F5 │ ║██
- ██║ │ Statistics │ ║██
- ██║ │ Report │ ║██
- ██║ └────────────────┘ Fig. 4. Test menu
-
-
- The TEST MEMORY command
-
- Choosing this command, you can test the memory for viruses at any
- time. If an unknown virus is detected in the memory, Dr.Web warns
- you as follows:
-
- Memory (F900:0350) may be infected by resident virus!
-
- On detecting a known virus in the memory, Dr. Web prints its name
- on the screen:
-
- Memory (F900:0350) infected with Eddie.1800 - eradicated!
-
- In most cases, Dr. Web kills the known viruses it finds in
- memory. Nevertheless, whenever a virus is found in memory, start
- the computer from a clean, write-protected bootable diskette
- containing the Dr. Web and Virus Hunter programs and clean the
- computer from there, because a virus that is still active can
- interfere with scanning and curing. Sometimes Dr. Web warns
- about a virus in memory when retesting the memory after killing
- a virus; this happens because the body of the disabled virus
- remains in memory until the computer is restarted.
-
-
- The SCAN command
-
- Choosing this command, you can test the machine for viruses. Or
- simply press the speedkey <F5> to start scanning for viruses.
- Immediately, the screen displays a SCAN PATH panel. To close this
- panel, either press <Esc> or point and click the down arrow []
- at the top left corner of the panel.
-
- ╔═[]═════════ Scan path ═════════════╗
- ║ ┌───────────────────────────┬─┐ ║
- ║ │* ││ ║
- ║ └───────────────────────────┴─┘ ║
- ║ [X] including subdirectories ║
- ║ ║
- ║ Ok ▄ Cancel ▄ ║
- ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║
- ╚═════════════════════════════════════╝
- Fig. 5. Scan path panel
-
- In the text field containing an asterisk, type the full pathnames
- of the files you want to test. Wildcard characters may be used in
- the file specification, the directory path, and the drive letter.
- Here are a few examples of specifying the scan path:
-
- ═══════════════╦═════════════════════════════════════════════════
- Scan path ║ Description
- ═══════════════╬═════════════════════════════════════════════════
- * or *: ║ scan all logical drives in the hard disk
- ───────────────╫─────────────────────────────────────────────────
- C: ║ scan all files in drive C:
- ───────────────╫─────────────────────────────────────────────────
- C:\DOS ║ scan all files in the directory C:\DOS
- C:\DOS\* ║
- C:\DOS\*.* ║
- ───────────────╫─────────────────────────────────────────────────
- C:\DOS\FILE.* ║ scan all files of the name FILE with any
- ║ extension in the directory C:\DOS
- ───────────────╫─────────────────────────────────────────────────
- C:\DOS\*.EXE ║ scan all files having the extension EXE in the
- ║ directory C:\DOS
- ═══════════════╩═════════════════════════════════════════════════
-
- NOTE. If you use a wildcard character * in drive
- specification, only the logical drives in the hard disk of
- the machine will be scanned; virtual drives created by the
- DOS SUBST command, CD-ROM drives, and network drives will
- not be tested.
-
- You can also specify several files located in different
- directories, separating the entries by an intervening white
- space; for example, to scan all files in the directories A:,
- C:\DOS, C:\UTIL\PROG, and D:\WINDOWS, in the text field type
-
- A: C:\DOS C:\UTIL\PROG D:\WINDOWS
-
- By default, Dr. Web checks the files not only in directories,
- but also in subdirectories. If you do not want to scan the
- subdirectories, you can tell Dr. Web to skip the subdirectories
- by deselecting the INCLUDING SUBDIRECTORIES option box.
-
- After typing the scan path, choose or click the OK button to
- start scanning. To close the box without executing the scan
- command, choose or click the CANCEL button.
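The conventions above define a small grammar for the SCAN PATH field. The following Python is an added example, not code from the Dr. Web package: it parses a scan path into concrete scan targets following the rules in the table and the INCLUDING SUBDIRECTORIES flag. Two things are assumptions of the example rather than documented behaviour: the `local_drives` parameter stands in for the list of logical hard-disk drives that Dr. Web discovers itself (SUBST, CD-ROM and network drives are simply left out of it), and the injectable `isdir` check is how the example decides whether an entry such as C:\DOS names a directory or a single file.

```python
"""Parse Dr. Web style SCAN PATH specifications into scan targets.

Added example; not code from the Dr. Web package.  The rules follow the
manual: "*" or "*:" means every logical drive of the hard disk, "C:"
means a whole drive, "C:\\DOS" means a directory (all files in it), and
"*" / "?" wildcards are allowed in the file name.  Entries are separated
by white space.  `local_drives` is an assumption standing in for the
drive list Dr. Web itself discovers; SUBST, CD-ROM and network drives
are simply not included in it.
"""
from dataclasses import dataclass
import ntpath
import os
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class ScanTarget:
    root: str        # directory in which scanning starts, e.g. "C:\\DOS"
    pattern: str     # DOS file pattern to match, e.g. "*.EXE"
    recursive: bool  # descend into subdirectories


def _normalize(pattern: str) -> str:
    # In DOS "*.*" also matches names without an extension; "*" says the
    # same thing to fnmatch-style matchers, so use it as the canonical form.
    return "*" if pattern in ("*.*", "*") else pattern


def parse_scan_path(spec: str,
                    include_subdirs: bool = True,
                    local_drives: Iterable[str] = ("C:",),
                    isdir: Callable[[str], bool] = os.path.isdir) -> List[ScanTarget]:
    """Turn a SCAN PATH field such as "A: C:\\DOS C:\\UTIL\\PROG" into targets."""
    targets: List[ScanTarget] = []
    for entry in spec.split():
        if entry in ("*", "*:"):
            # Wildcard drive: only the logical drives of the hard disk.
            for drive in local_drives:
                targets.append(ScanTarget(drive + "\\", "*", include_subdirs))
            continue
        drive, tail = ntpath.splitdrive(entry)
        if tail in ("", "\\"):
            # "C:" or "C:\" -> everything on the drive.
            targets.append(ScanTarget(drive + "\\", "*", include_subdirs))
            continue
        head, name = ntpath.split(entry)
        if "*" in name or "?" in name:
            # "C:\DOS\*.EXE", "C:\DOS\FILE.*": directory plus file pattern.
            targets.append(ScanTarget(head, _normalize(name), include_subdirs))
        elif isdir(entry):
            # "C:\DOS": a directory, scan all files in it.
            targets.append(ScanTarget(entry, "*", include_subdirs))
        else:
            # A single named file; subdirectories are meaningless here.
            targets.append(ScanTarget(head, name, False))
    return targets
```

The example uses `ntpath` so that DOS-style paths parse the same way on any host; the directory-versus-file decision is the only point that needs the file system, which is why it is passed in as a callable.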
-
- On choosing the OK button, the SCANNING PROGRESS window lists
- the names of the files scanned, followed by the name of the
- virus for infected files and by the name of the archiver
- (packer) for packed files.
-
- ╔═══════════════════ Scanning progress ══════════════╗
- ║ Searching for viruses in drive A: ║
- ║ BOOT SECTOR infected by Form ║
- ║ A:\FORMAT.COM infected by Tiny.129 ║
- ║ A:\VIRUS.COM infected by Fy.338 ║
- ║ A:\SMARTDRV.EXE infected by Tchechen.1912 ║
- ║ A:\FTW1.COM packed by PKLITE ║
- ║ A:\C-639.COM infected by Hizhnak.639 ║
- ║ A:\AINEXT.EXE infected by RDA.Fighter.7408 ║
- ║ A:\COMMAND.COM infected by Ox.475 ║
- ║ Scanning report for drive A: ║
- ║ Scanned: files, programs, and sectors - 9 ║
- ║ detected: viruses and infected programs - 7 ║
- ║ Scanned time: 00:00:17 ║
- ╚════════════════════════════════════════════════════╝
- Fig. 6. Report on detected viruses
-
- After the completion of scanning a drive, you get a scanning report:
-
- ╔═[]════════════════════════════════════════════════╗
- ║ Scanning report for drive D: ║
- ║ Scanned: files, programs and sectors - 67 ║
- ║ Detected: viruses and infected programs - 9 ║
- ║ including in archived files - 3 ║
- ║ possible virus modifications - 1 ║
- ║ files suspected for infection - 5 ║
- ║ including archived files - 4 ║
- ║ Scanned time: 00:00:43 ║
- ╚════════════════════════════════════════════════════╝
- Fig. 7. Scanning report panel
-
- This panel is displayed only if you have selected the REPORT FOR
- EACH DRIVE box in the DESKTOP panel of the DESKTOP... command. If
- this box is deselected, the scanning report is appended at the
- bottom of the SCANNING PROGRESS window.
-
- In both cases, information about virus modifications, suspected
- files, and archived files are printed only if the corresponding
- counters are greater than 0.
-
- In the example above, Dr. Web detected the viruses Form,
- Tiny.129, Fy.338, Tchechen.1912, Hizhnak.639, RDA.Fighter.7408,
- and Ox.475. After the completion of the scanning mission, you can
- cure the infected files in the machine.
-
-
- The CURE command
-
- To remove the viruses detected by Dr. Web in a scanning session,
- choose this command or press its speedkey combination <Ctrl+F5>.
-
- The screen will then display a CURE PATH panel:
-
- ╔═[]═════════ Cure path ═════════════╗
- ║ ┌───────────────────────────┬─┐ ║
- ║ │* ││ ║
- ║ └───────────────────────────┴─┘ ║
- ║ [ ] including subdirectories ║
- ║ ║
- ║ Ok ▄ Cancel ▄ ║
- ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║
- ╚═════════════════════════════════════╝
- Fig. 8. Cure path panel
-
- Type the full pathname of the files to be cured and then choose
- OK. The conventions for typing the specifications in this text
- field are the same as those described for the text field in the
- SCAN PATH panel of the SCAN command.
-
- Prior to curing infected files, it is a good idea to copy them
- to a separate diskette. Change the extension of the copied
- infected files so that you cannot accidentally run an infected
- program from the diskette; for example, if MSD.EXE is infected,
- rename the copy MSD.EX or MSD.VIR. Infected files may be needed
- for subsequent virus analysis.
-
- When the CURE command is run, Dr. Web handles infected files
- differently (curing, deleting, or renaming them) depending on
- your choice in the INFECTED FILES field of the OPTIONS panel.
-
- As the files are processed, their names and the action taken
- are printed in an on-screen panel as follows:
-
- ╔══════════════════ Scanning progress ═══════════════╗
- ║ Searching for viruses in drive A: ║
- ║ BOOT SECTOR infected by Form - cured! ║
- ║ A:\FORMAT.COM infected by Tiny.129 - cured! ║
- ║ A:\FORMAT.COM packed by PKLITE ║
- ║ A:\VIRUS.COM infected by Fy.338 - cured! ║
- ║ A:\SMARTDRV.EXE infected by Tchechen.1912 - cured! ║
- ║ A:\FTW1.COM packed by PKLITE ║
- ║ A:\C-639.COM infected by Hizhnak.639 - cured! ║
- ║ A:\AINEXT.EXE infected by RDA.Fighter.7408 - cured!║
- ║ A:\COMMAND.COM infected by Ox.475 - cured! ║
- ║ Scanning report for drive A: ║
- ║ Scanned: files, programs and sectors - 9 ║
- ║ Detected: viruses and infected programs - 7 ║
- ║ Cured: files and boot sectors - 7 ║
- ║ Scanned time: 00:00:43 ║
- ╚════════════════════════════════════════════════════╝
- Fig. 9. List of restored files
-
- While curing boot viruses that Dr. Web detected in a scanning
- mission, you may get a warning message:
-
- ╔══[]════════════════════════════════════════════════╗
- ║ Boot sector may not be cured properly! ║
- ║ Continue curing? ║
- ║ ║
- ║ Ok ▄ Cancel ▄ Help ▄ ║
- ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║
- ╚═════════════════════════════════════════════════════╝
- Fig. 10. Incorrect restoration message
-
- You get this warning when Dr. Web does not find the original
- master boot record or boot sector in the place where the virus
- ought to have stored it. This happens if the virus is a
- modification of some well-known virus that stores the original
- boot sector in a location different from the one used by the
- virus it was derived from, or if the computer is infected with
- several boot viruses, one on top of another. In the latter case
- the "head" of the second virus is found in the sector where the
- first virus ought to have saved the master boot record.
-
- Dr. Web does not immediately analyze the hidden boot sector for
- other viruses in it; therefore, this message is displayed
- whenever the boot sector that Dr. Web found does not agree with
- the original boot sector. If you press <Enter> to continue
- curing, Dr. Web kills the viruses known to it one by one.
-
- When the disk is infected with several boot viruses, the boot
- sector may be lost if different viruses hide the original boot
- sector in the same sector, or if several resident viruses infect
- the boot sectors repeatedly. In such cases the machine usually,
- though not necessarily, hangs on booting from the infected
- drive. Dr. Web makes up to 10 passes, curing the viruses one
- after another; if the original boot sector is lost, no pass can
- restore it, so in such cases it is advisable to stop curing and
- restore the system areas with MS-DOS tools.
-
- To restore the system areas, boot the machine from a clean
- bootable system diskette and use the command SYS C: or the
- command FDISK /MBR.
-
- Important! When the boot sectors are restored with MS-DOS
- tools, some data on the hard disk may be lost, particularly if
- the virus has encrypted part of the disk sectors: such a virus
- decrypts them on the fly while it is active, and the data become
- unreadable once the virus is removed. If in doubt, ask a
- specialist for help.
-
-
- The STATISTICS command
-
- Upon the completion of a scanning mission, you can view the
- statistics of the current mission results by choosing the
- STATISTICS command, which displays an on-screen statistics panel
- similar to the panel shown in Fig. 7 with a separate report for
- each drive scanned.
-
-
- The REPORT command
-
- If you want to save the results of scanning missions, you must
- tell Dr. Web to create a scanning report file. For this, see the
- OPTIONS and PATHS... commands of the SETUP menu.
-
- At the end of every scanning session, Dr. Web appends the results
- of the current session in the report file containing the results
- of previous scanning sessions.
-
- This file can be opened for viewing by choosing the REPORT
- command from the TEST menu. The report panel looks somewhat as
- follows:
-
- ╔═[]══════════════════════════════════════════════════╗
- ║ Dr. Web, version 3.16 (1996 Oct 14), ░ ║
- ║ Copyright (c) by Igor Daniloff, 1992-96 ║
- ║ Scanning Report dated 1996 Oct 14 22:58:44 ░ ║
- ║ Command line: ░ ║
- ║ ──────────────────────────────────────── ░ ║
- ║ No viruses found in memory ░ ║
- ║ ──────────────────────────────────────── ░ ║
- ║ Searching for viruses in disk C: ░ ║
- ║ C:\FOXBIND.EXE immunized by CPAV ░ ║
- ║ C:\EXE\LZH.EXE immunized by CPAV ░ ║
- ║ C:\FD\FD.EXE packed by PKLITE ░ ║
- ║ C:\FD\FDNC.EXE packed by PKLITE ░ ║
- ║ Abort scanning? ░ ║
- ║ Yes ░ ║
- ║ Test interrupted by user! ░ ║
- ║ Scanning report for drive C: ░ ║
- ║ Scanned: files, programs and sectors - 191 ░ ║
- ║ Detected: viruses and infected programs - 0 ║
- ║ Scanned time: 00:00:50 ░ ║
- ╚══════════════════════════════════════════════════════╝
- Fig. 11. Scanning report file
-
- It is a simple text file and can be opened and edited, using any
- ASCII text editor. By default, scanning results are saved in a
- REPORT.WEB file which is created in the directory where drweb.exe
- is installed. It can be given any name and extension, and located
- anywhere you like (see The SETUP menu).
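Because REPORT.WEB is plain text with a fixed set of message forms, it can be processed by a script, which is also a convenient way to carry out the advice given under the CURE command of copying infected files aside under a non-executable extension before curing. The following Python is an added example, not code from the Dr. Web package: it parses the message forms shown in this guide ("infected by" / "infected with", with an optional "- cured!" or "- eradicated!" suffix; "may be infected by"; "packed by" and "immunized by"; the Scanned/Detected/Cured counters; "Test interrupted by user!") and then copies every infected file named in the report to a quarantine directory as NAME.VIR, writing a SHA-256 digest of each copy into a manifest. The sample report is constructed from the figures in this guide, and the SHA-256 manifest and the duplicate-name handling are additions of the example, not Dr. Web features.

```python
"""Parse a Dr. Web REPORT.WEB file and quarantine the infected files it names.

Added example; not code from the Dr. Web package.  The message forms follow
the figures in this guide; SAMPLE_REPORT below is constructed from them.
"""
import hashlib
import os
import re
import shutil
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "<object> infected by <virus>" or "infected with <virus>", optionally
# followed by " - cured!" / " - eradicated!" in a curing session.
_INFECTED = re.compile(r"^(?P<obj>.+?) infected (?:by|with) (?P<virus>\S+)"
                       r"(?: - (?P<action>\w+)!)?\s*$")
# Heuristic warning about an unknown virus.
_SUSPECT = re.compile(r"^(?P<obj>.+?) may be infected by (?P<what>.+?)!\s*$")
# Packed or CPAV-"immunized" files are informational, not detections.
_PACKED = re.compile(r"^(?P<obj>.+?) (?:packed|immunized) by (?P<tool>\S+)\s*$")
# Per-drive counters: "Scanned: files, programs and sectors - 191".
_SUMMARY = re.compile(r"^(?P<label>Scanned|Detected|Cured): .* - (?P<count>\d+)\s*$")


@dataclass
class Detection:
    obj: str               # file path, "BOOT SECTOR" or "Memory (seg:off)"
    virus: str             # virus name, or the heuristic label for suspects
    action: Optional[str]  # "cured", "eradicated", or None in a scan-only run
    heuristic: bool = False

    @property
    def is_file(self) -> bool:
        return self.obj != "BOOT SECTOR" and not self.obj.startswith("Memory (")


@dataclass
class Report:
    detections: List[Detection] = field(default_factory=list)
    packed: List[Tuple[str, str]] = field(default_factory=list)
    counts: Dict[str, int] = field(default_factory=dict)
    interrupted: bool = False


def parse_report(text: str) -> Report:
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _SUSPECT.match(line)):
            rep.detections.append(Detection(m["obj"], m["what"], None, heuristic=True))
        elif (m := _INFECTED.match(line)):
            rep.detections.append(Detection(m["obj"], m["virus"], m["action"]))
        elif (m := _PACKED.match(line)):
            rep.packed.append((m["obj"], m["tool"]))
        elif (m := _SUMMARY.match(line)):
            key = m["label"].lower()
            rep.counts[key] = rep.counts.get(key, 0) + int(m["count"])
        elif line == "Test interrupted by user!":
            rep.interrupted = True
    return rep


def quarantine_file(src: str, quarantine_dir: str) -> Tuple[str, str]:
    """Copy an infected file aside under the non-executable .VIR extension,
    as the guide advises before curing, and log its SHA-256 in MANIFEST.TXT
    (the digest is an addition of this example).  Returns (dest, hexdigest)."""
    os.makedirs(quarantine_dir, exist_ok=True)
    stem = os.path.splitext(os.path.basename(src))[0]
    dest, n = os.path.join(quarantine_dir, stem + ".VIR"), 1
    while os.path.exists(dest):          # keep earlier samples of the same name
        dest, n = os.path.join(quarantine_dir, f"{stem}~{n}.VIR"), n + 1
    shutil.copy2(src, dest)
    with open(dest, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    with open(os.path.join(quarantine_dir, "MANIFEST.TXT"), "a", encoding="utf-8") as man:
        man.write(f"{digest}  {src}  ->  {os.path.basename(dest)}\n")
    return dest, digest


def quarantine_from_report(report: Report, quarantine_dir: str) -> List[Tuple[str, str, str]]:
    """Quarantine every infected or suspected *file* in the report (boot
    sectors and memory are skipped); returns (source, dest, digest) per file."""
    done = []
    for d in report.detections:
        if d.is_file and os.path.isfile(d.obj):
            dest, digest = quarantine_file(d.obj, quarantine_dir)
            done.append((d.obj, dest, digest))
    return done


# Constructed from Fig. 6 and the TEST MEMORY messages in this guide.
SAMPLE_REPORT = r"""
Memory (F900:0350) infected with Eddie.1800 - eradicated!
Searching for viruses in drive A:
BOOT SECTOR infected by Form
A:\FORMAT.COM infected by Tiny.129
A:\VIRUS.COM infected by Fy.338
A:\SMARTDRV.EXE infected by Tchechen.1912
A:\FTW1.COM packed by PKLITE
A:\C-639.COM infected by Hizhnak.639
A:\AINEXT.EXE infected by RDA.Fighter.7408
A:\COMMAND.COM infected by Ox.475
Scanning report for drive A:
Scanned: files, programs, and sectors - 9
Detected: viruses and infected programs - 7
Scanned time: 00:00:17
"""
```

Run `quarantine_from_report(parse_report(open("REPORT.WEB").read()), "QUARANT")` after a scan-only session and before a CURE pass; the manifest gives you the digest of each sample so that a later analyst can confirm the file has not been altered since it was set aside.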
-
-
- 1.3 The SETUP menu
-
- Using the commands in the SETUP menu, you can customize the
- operation of Dr. Web to suit your preferences. On choosing this
- item, its menu has three commands: DESKTOP.., OPTIONS..., and
- PATHS... .
-
- Dr.Web Test Setup Update [F1] Help
- ██████████████┌───────────────┐█████████████████████████████████
- ██╔═══════════│ Desktop... │═ Scanning progress ═══════════╗█
- ██║ │ Options... F9 │ ║█
- ██║ │ Paths ... │ ║█
- ██║ └───────────────┘ Fig. 12. Setup menu
-
-
- The DESKTOP... command
-
- To customize the way in which Dr. Web screen is displayed, choose
- the DESKTOP command to open the DESKTOP dialog panel:
-
- ╔═[]═════════════════════ Desktop ════════════════════╗
- ║ ┌ Screen mode ─────────────────┐ ┌ Language ─────┐ ║
- ║ │ [X] Expanding windows │ │ ( ) Russian │ ║
- ║ │ [X] Mouse support │ │ () English │ ║
- ║ │ [ ] Load screen font │ └───────────────┘ ║
- ║ │ [X] Beep │ ┌ Color scheme ─┐ ║
- ║ │ [ ] Autosave setup │ │ () Color 1 │ ║
- ║ └──────────────────────────────┘ │ ( ) Color 2 │ ║
- ║ ┌ Additional preferences ──────┐ │ ( ) Color 3 │ ║
- ║ │ [ ] "Snow" prevention │ │ ( ) Color 4 │ ║
- ║ │ [ ] Screen output via BIOS │ │ ( ) Mono 1 │ ║
- ║ │ [ ] Print "Ok" after filename│ │ ( ) Mono 2 │ ║
- ║ │ [X] Print packer name │ └───────────────┘ ║
- ║ │ [ ] Report for each drive │ ┌ Screen height ┐ ║
- ║ │ [ ] Test one floppy only │ │ () 25 lines │ ║
- ║ └──────────────────────────────┘ │ ( ) 30 lines │ ║
- ║ Ok ▄ Save ▄ │ ( ) 45 lines │ ║
- ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ └───────────────┘ ║
- ║ Cancel ▄ Help ▄ ║
- ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║
- ╚══════════════════════════════════════════════════════╝
- Fig. 13. Desktop dialog panel
-
- This panel has five groups of fields SCREEN MODE, ADDITIONAL
- PREFERENCES, LANGUAGE, COLOR SCHEME, and SCREEN HEIGHT (each
- containing a few check boxes or option buttons), and four command
- buttons OK, SAVE, CANCEL, and HELP.
-
- After setting your choices for the check boxes and option
- buttons, choose the SAVE button to write your preferences in the
- DRWEB.INI file so that Dr. Web may start the subsequent sessions
- with your operation preferences.
-
- If the AUTOSAVE SETUP box is checked, there is no need to save
- your settings; Dr. Web will automatically save them on choosing
- the OK button. The SAVE command button is also present in the
- other dialog panels of the SETUP menu.
-
- After setting the preferences for the fields in this panel,
- either choose the OK button to bring the new settings into effect
- or the CANCEL button to cancel them in case you change your
- decision.
-
- The purpose of each field in this panel is described below.
-
-
- * The SCREEN MODE field
-
- contains the following check boxes.
- ═════════════════╦════════════════════════════════════════════════
- EXPANDING WINDOWS║ If this check box is selected, the superimposed
- ║ pop-up panels in the course of a session will
- ║ expand smoothly and gradually. To speed up the
- ║ operation of the program, deselect this box.
- ─────────────────╫────────────────────────────────────────────────
- MOUSE SUPPORT ║ If this check box is selected, you can use
- ║ your mouse in scanning sessions to choose the
- ║ menu items, to select check and option boxes,
- ║ choose command buttons, etc. If Dr. Web
- ║ conflicts with the nonconventional mouse driver
- ║ in your system, deselect this box.
- ─────────────────╫────────────────────────────────────────────────
- LOAD SCREEN FONT ║ If this box is selected, Dr. Web loads its own
- ║ screen font for displaying text. Use this
- ║ option if your copy of Dr. Web is a localized
- ║ version and your video adapter does not
- ║ provide the national characters it needs.
- ─────────────────╫────────────────────────────────────────────────
- BEEP ║ If this check box is selected, Dr. Web will
- ║ beep on detecting a virus.
- ─────────────────╫────────────────────────────────────────────────
- AUTOSAVE SETUP ║ If this check box is selected, the settings you
- ║ specify in option panels will be saved
- ║ automatically in the Dr. Web initiation file on
- ║ closing the panel without the need for choosing
- ║ the SAVE button in the panel.
- ═════════════════╩════════════════════════════════════════════════
-
-
- * The ADDITIONAL PREFERENCES field
-
- contains the following check boxes.
- ═════════════════╦════════════════════════════════════════════════
- SNOW PREVENTION ║ Select this box if "snow" (flicker) appears on a
- ║ CGA monitor. It has an effect only when Dr. Web
- ║ writes directly to video memory, i.e., when the
- ║ SCREEN OUTPUT VIA BIOS box (next item) is
- ║ deselected; output through the BIOS does not
- ║ cause snow.
- ─────────────────╫────────────────────────────────────────────────
- SCREEN OUTPUT VIA║ If this box is selected, Dr. Web writes to the
- BIOS ║ screen through BIOS calls. If it is deselected,
- ║ Dr. Web writes directly to video memory, which
- ║ is faster. Select this box if your video adapter
- ║ is not compatible with CGA, EGA, or VGA.
- ─────────────────╫────────────────────────────────────────────────
- PRINT "OK" AFTER ║ In a scanning mission, if Dr. Web finds that a
- FILENAME ║ file is not infected, it prints the letters
- ║ "Ok" after the name of this file in the
- ║ scanning progress window. If you do not wish
- ║ to clutter the screen with superfluous messages,
- ║ deselect this box.
- ─────────────────╫────────────────────────────────────────────────
- PRINT PACKER NAME║ If you have selected the CHECK PACKED box in
- ║ the FILES field of the panel displayed on
- ║ choosing the OPTIONS command from the SETUP
- ║ menu, Dr. Web will print the name of the
- ║ archiver (DIET, LZEXE, PKLITE, etc.) after the
- ║ file name in the scanning progress window when
- ║ this box is checked. You may deselect this box
- ║ to keep the screen uncluttered.
- ─────────────────╫────────────────────────────────────────────────
- REPORT FOR EACH ║ If this check box is selected, Dr. Web will
- DRIVE ║ create a report separately for each drive
- ║ scanned.
- ─────────────────╫────────────────────────────────────────────────
- TEST ONE FLOPPY ║ If this check box is selected, Dr. Web will
- ONLY ║ check only one floppy diskette and will not
- ║ prompt you to insert another diskette for
- ║ checking. Deselect this box whenever you want
- ║ to scan several floppy diskettes in a session.
- ═════════════════╩════════════════════════════════════════════════
-
-
- * The LANGUAGE field
-
- is present in the DESKTOP panel only in bilingual customized
- versions of Dr. Web. In this case, this field contains two option
- buttons for specifying your choice between the alternative
- languages. This field is not present in single-language versions.
-
-
- * The COLOR SCHEME field
-
- contains six option buttons for choosing a color scheme for
- displaying information on the screen:
-
- ═════════╦═══════════════════════════════════════════════════════
- Color 1 ║ The default color scheme of Dr. Web program.
- ─────────╫───────────────────────────────────────────────────────
- Color 2 ║ This scheme is drawn from Borland's Turbo Vision.
- ─────────╫───────────────────────────────────────────────────────
- Color 3 ║ This scheme is drawn from Norton Utilities.
- ─────────╫───────────────────────────────────────────────────────
- Color 4 ║ This scheme is drawn from ADinf program.
- ─────────╫───────────────────────────────────────────────────────
- Mono 1 ║ Both these schemes display the message in white
- Mono 2 ║ against black background. Choose the scheme best
- ║ suited for your monitor.
- ═════════╩═══════════════════════════════════════════════════════
-
-
- * The SCREEN HEIGHT field
-
- contains three option buttons to adjust the full vertical size of
- screen to a height of 25, 30, or 45 lines. Choose a button to
- suit your convenience.
-
-
- The OPTIONS... command
-
- On choosing this command from the drop-down menu of the SETUP
- item of the main menu, you get a panel containing a few choices
- for customizing the operation modes of Dr. Web program. You may
- also press <F9> to pop up this panel directly.
-
- ╔═[]═══════════════════ Options ════════════════════╗
- ║ ┌ Main settings ─────────┐ ┌ Files ─────────────┐ ║
- ║ │ [X] Memory test │ │ [X] Check packed │ ║
- ║ │ [X] Boot sector test │ │ [X] Check archives │ ║
- ║ │ [X] Heuristic analysis │ │ [ ] Delete damaged │ ║
- ║ │ [X] Check TSR viruses │ │ [ ] Prompt for cure│ ║
- ║ └────────────────────────┘ └────────────────────┘ ║
- ║ ┌ Heuristic level ───────┐ ┌ Memory range ──────┐ ║
- ║ │ () Minimal │ │ ( ) 640 Kb │ ║
- ║ │ ( ) "Paranoid" │ │ () 1088 Kb │ ║
- ║ └────────────────────────┘ └────────────────────┘ ║
- ║ ┌ Infected files ────────┐ ┌ Report file ───────┐ ║
- ║ │ () Cure │ │ ( ) Don't create │ ║
- ║ │ ( ) Delete │ │ ( ) Overwrite │ ║
- ║ │ ( ) Rename │ │ () Append │ ║
- ║ └────────────────────────┘ └────────────────────┘ ║
- ║ Ok ▄ Save ▄ Cancel ▄ Help ▄ ║
- ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║
- ╚════════════════════════════════════════════════════╝
- Fig. 14. Operation options dialog panel
-
- This panel contains six fields MAIN SETTINGS, HEURISTIC LEVEL,
- INFECTED FILES, FILES, MEMORY RANGE, and REPORT FILE for setting
- the way in which you wish Dr. Web to scan your machine and four
- command buttons: OK, SAVE, CANCEL, and HELP.
-
-
- * The MAIN SETTINGS field
-
- The check boxes in this field define the areas that are to be
- scanned in every session. Check all boxes in this field for
- greater reliability of virus protection.
-
-
- The MEMORY TEST box
-
- If this box is selected, the memory in your computer is scanned
- for active viruses when the program starts. By default, Dr. Web
- restricts the memory test to conventional memory, i.e., the
- first 640 Kb. In a computer with more than 640 Kb of memory, you
- can additionally tell Dr. Web to scan the upper memory blocks
- and the high memory area: if the 1088 Kb option button in the
- MEMORY RANGE field is selected, the whole address range
- accessible in real mode is tested, i.e., the first 1088 Kb
- (1024 Kb plus the 64 Kb high memory area), which includes the
- upper memory blocks and the high memory area.
-
- If you load resident programs or operating system modules into
- upper memory (for example, with the DOS=HIGH,UMB, DEVICEHIGH, or
- LOADHIGH statements), select the 1088 Kb option button in the
- MEMORY RANGE field; a virus that has been loaded high would
- otherwise escape the memory test.
-
-
- The BOOT SECTOR TEST box
-
- tells Dr. Web to scan the master boot record of the hard disk and
- the boot sectors of drives and diskettes. If this box is
- deselected, Dr. Web will detect the boot viruses in the boot
- sectors of diskettes and hard disks.
-
-
- The HEURISTIC ANALYSIS box
-
- A powerful tool incorporated in Dr. Web is the heuristic analysis
- of files and boot sectors. If this box is selected, Dr. Web
- will detect new and hithertounknown viruses. In this mode, Dr.
- Web analyzes the code of all suspicious programs and determines
- whether their codes are capable of executing functions
- characteristic of viruses.
-
- On detecting a suspicious program, Dr. Web warns that the program
- is possibly infected with some unknown virus (COM.Virus,
- EXE.Virus, COM.EXE.Virus, COM.TSR.Virus, EXE.TSR.Virus,
- COM.EXE.TSR.Virus, MACRO.Virus, or BOOT.Virus).
-
- The terms used to describe unknown viruses have the following
- meaning:
-
- ═══════╦═════════════════════════════════════════════
- Term ║ Meaning
- ═══════╬═════════════════════════════════════════════
- COM ║ The virus infects COM files.
- ───────╫─────────────────────────────────────────────
- EXE ║ The virus infects EXE files.
- ───────╫─────────────────────────────────────────────
- TSR ║ The virus is memory resident.
- ───────╫─────────────────────────────────────────────
- MACRO ║ The virus infects WinWord documents.
- ───────╫─────────────────────────────────────────────
- BOOT ║ The virus infects boot sectors of disks.
- ───────╫─────────────────────────────────────────────
- CRYPT ║ The virus code is encrypted or polymorphic.
- ═══════╩═════════════════════════════════════════════
- See also the HEURISTIC LEVEL field.
-
-
- The CHECK TSR VIRUSES box
-
- Many resident viruses infect a file at the moment it is opened for
- reading or writing. This can be turned against them: if an active
- virus is in memory, an infected file grows at the moment it is
- opened.
-
- If the CHECK TSR VIRUSES box is selected, Dr. Web compares the size
- of each file as reported by the directory entry with the size seen
- after the file has been opened (via the seek and open calls), and
- reports any change.
-
- The file size check also reveals active stealth viruses, which hide
- their presence in the files they have infected. Once activated, a
- stealth virus stays resident in memory and intercepts the size
- lookup operations: when any program asks for the size of an
- infected file, the resident virus returns the clean file size
- in order to conceal the growth.
-
- If the CHECK TSR VIRUSES box is selected, on detecting a virus
- Dr. Web may warn:
-
- ╔══[]════════════════════════════════════════════════╗
- ║ C:\DOS\COMMAND.COM ║
- ║ WARNING! On opening this file, its size ║
- ║ changed by +800 bytes! Memory may contain ║
- ║ an ACTIVE RESIDENT VIRUS! ║
- ║ Continue scanning? ║
- ║ ║
- ║ Ok ▄ Cancel ▄ Help ▄ ║
- ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║
- ╚═════════════════════════════════════════════════════╝
- Fig. 15. Warning message for an active resident virus
-
- to alert you that the file had one size before opening for
- reading and a different size after opening. Possibly, some
- unknown resident virus, which infected the file, might have been
- residing in the memory at the time of opening this file by the
- DOS open command. In this case, the file size increases. The file
- size may also decrease if the memory contains a "stealth" virus,
- which tries to hide its presence in the file being scanned.
-
- In either case, it is a good idea to stop Dr. Web, reboot your
- computer from a clean write-protected bootable diskette
- containing the Dr. Web program and scan the suspected files with
- Dr. Web once again.
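- The following added example (not Dr. Web code) simulates the
- size-on-open check in Python with ordinary file operations: the size
- from the directory entry is compared with the size seen once the file
- is open, and a constructed hook stands in for a resident infector that
- appends 800 bytes when the file is opened. The file name, the sizes
- and the hook are constructed for the demonstration.

```python
"""Added example (not Dr. Web code): the size-on-open check behind the
CHECK TSR VIRUSES box, simulated with ordinary file operations."""
import os
import tempfile


def size_change_on_open(path, on_open=None):
    """Return (size_before, size_after) for one file.

    size_before is what the directory entry reports (stat); size_after is
    what the opened handle reports when seeking to its end.  `on_open` is a
    constructed stand-in for a resident virus hooked into the open call and
    is None during a real scan.
    """
    before = os.stat(path).st_size
    fd = os.open(path, os.O_RDONLY)
    try:
        if on_open is not None:
            on_open(path)
        after = os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)
    return before, after


def tsr_warning(path, before, after):
    """Fig. 15 style verdict; None when both measurements agree.

    Any disagreement means something answered one of the two lookups
    behind the scanner's back: a positive delta is an infector appending
    itself on open, a negative one is a resident virus faking a size.
    """
    delta = after - before
    if delta == 0:
        return None
    return ("%s\nWARNING! On opening this file, its size changed by %+d bytes! "
            "Memory may contain an ACTIVE RESIDENT VIRUS!" % (path, delta))


def demo(infector_bytes=800):
    """Scan a constructed 2000-byte dummy program twice: once clean, then
    with a fake infector that appends `infector_bytes` when it is opened.
    Returns the two verdicts (None for clean)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "COMMAND.COM")
        with open(target, "wb") as f:
            f.write(b"\x90" * 2000)          # constructed dummy program body

        def fake_infector(p):
            with open(p, "ab") as f:         # "virus body" appended on open
                f.write(b"\xcc" * infector_bytes)

        clean = tsr_warning(target, *size_change_on_open(target))
        hit = tsr_warning(target, *size_change_on_open(target, fake_infector))
        return clean, hit


if __name__ == "__main__":
    for verdict in demo():
        print(verdict or "Ok")
```

- Run stand-alone, it prints "Ok" for the clean pass and the Fig. 15
- warning with "+800 bytes" for the pass with the fake infector. The
- check only works while the virus is actually resident, which is why
- the text recommends rebooting from a clean diskette before rescanning:
- with nothing hooked into the open call, both lookups agree again.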
-
-
- * The HEURISTIC LEVEL field
-
- has two option buttons, MINIMAL and "PARANOID", for specifying the
- analysis level. When no level is specified, Dr. Web defaults
- to the minimal level.
-
- In a test conducted with 10,000 different viruses, Dr. Web showed
- an unknown virus detection rate of 87% under the minimal
- level, and 89-91% under the "paranoid" level.
-
- The following is a list of a few examples of the warning messages
- which Dr. Web displays in the scanning progress window on
- detecting suspicious files while running under heuristic analysis
- mode:
-
- D:\GAMES\DOOM\NCA.EXE possible infected with EXE.CRYPT.Virus
-
- D:\GAMES\ENGL\README.EXE possible infected with EXE.TSR.Virus
-
- D:\GAMES\ENGL\LM.EXE possible infected with COM.EXE.TSR.CRYPT.Virus
-
- C:\WORDS\NORMAL.DOT possible infected with MACRO.Virus
-
- In the "paranoid" mode, Dr. Web additionally checks file date
- stamps for suspicious values. Certain viruses set impossible
- values in the file time and date as an infection marker or flag;
- for example, the seconds may be set to 62 or the year to 2000!
- On detecting a file with a strange date stamp, Dr. Web prints a
- warning in the scanning progress window as follows:
-
- D:\DOD.COM strange date stamp 2031 ??? 31 25:60:00
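- The following added example (not Dr. Web code) decodes the two 16-bit
- words in which DOS stores a file's date and time and flags stamps that
- DOS itself could never have written. The 5-bit seconds field holds
- seconds/2, so it can encode 60 and 62 seconds, which is why 62 serves
- as an infection marker; month 0, hour 25 or minute 60 likewise only
- arise when a program writes the directory entry by hand. The reference
- day used for the "date in the future" test and the sample stamps are
- constructed for the example.

```python
"""Added example (not Dr. Web code): decode DOS/FAT packed date stamps and
flag the unreal values that viruses use as infection markers."""
from datetime import date

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Assumed reference day for the "date in the future" test: the release
# date of this manual.  A scanner would use the system clock instead.
REFERENCE_DAY = date(1997, 2, 15)


def decode_dos_stamp(dos_date, dos_time):
    """Unpack the two 16-bit words of a FAT directory entry.

    dos_date: bits 15-9 year-1980, bits 8-5 month,  bits 4-0 day
    dos_time: bits 15-11 hour,     bits 10-5 minute, bits 4-0 seconds/2
    Fields are returned raw, so impossible values (month 0, 62 s) survive.
    """
    return {
        "year":   1980 + (dos_date >> 9),
        "month":  (dos_date >> 5) & 0x0F,
        "day":    dos_date & 0x1F,
        "hour":   dos_time >> 11,
        "minute": (dos_time >> 5) & 0x3F,
        "second": (dos_time & 0x1F) * 2,
    }


def strange_stamp_reasons(stamp, today=REFERENCE_DAY):
    """List why a stamp looks unreal; an empty list means it is plausible.

    DOS never writes out-of-range fields, so month 0, hour 25 or minute 60
    can only come from code that wrote the directory entry by hand.  The
    seconds field can hold 60 and 62, which no clock produces; 62 is the
    classic infection marker.  A file dated after `today` is also odd.
    """
    reasons = []
    if not 1 <= stamp["month"] <= 12:
        reasons.append("month %d" % stamp["month"])
    if not 1 <= stamp["day"] <= 31:
        reasons.append("day %d" % stamp["day"])
    if stamp["hour"] > 23:
        reasons.append("hour %d" % stamp["hour"])
    if stamp["minute"] > 59:
        reasons.append("minute %d" % stamp["minute"])
    if stamp["second"] > 59:
        reasons.append("seconds %d (infection marker)" % stamp["second"])
    if not reasons:
        try:
            if date(stamp["year"], stamp["month"], stamp["day"]) > today:
                reasons.append("date in the future")
        except ValueError:            # e.g. 31 Feb: fields in range, date not
            reasons.append("impossible calendar date")
    return reasons


def format_stamp(stamp):
    """Render the way the scanner's warning does: an invalid month is ???."""
    m = stamp["month"]
    name = MONTHS[m - 1] if 1 <= m <= 12 else "???"
    return "%04d %s %02d %02d:%02d:%02d" % (
        stamp["year"], name, stamp["day"],
        stamp["hour"], stamp["minute"], stamp["second"])


def scan_entry(path, dos_date, dos_time, today=REFERENCE_DAY):
    """One directory entry in, one warning line (or None) out, in the
    shape of the 'strange date stamp' line in the progress window."""
    stamp = decode_dos_stamp(dos_date, dos_time)
    reasons = strange_stamp_reasons(stamp, today)
    if not reasons:
        return None
    return "%s strange date stamp %s  (%s)" % (
        path, format_stamp(stamp), ", ".join(reasons))


if __name__ == "__main__":
    # Constructed entries: a normal stamp, a 62-second marker, the garbage
    # stamp shown above, and a file dated in the year 2000.
    for entry in [("C:\\GOOD.COM", 8462, 25541), ("C:\\MARK.COM", 8462, 25567),
                  ("D:\\DOD.COM", 26143, 53120), ("C:\\Y2K.COM", 10273, 0)]:
        print(scan_entry(*entry) or "%s Ok" % entry[0])
```

- Because the check only reads the directory entry, it is cheap and
- catches marker-based viruses without any knowledge of their code,
- which is also why it sits behind the "paranoid" level: a legitimate
- tool that sets a deliberately odd timestamp trips it too.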
-
- In the heuristic analysis mode, Dr. Web may generate FALSE
- ALARMS! The higher the analysis level, the greater the
- possibility of false alarms, and it is greatest at the
- "paranoid" level.
-
- As a rule, false alarms arise for programs that themselves open
- and write files, particularly if the program is a TSR.
-
- IMPORTANT! Always scan a program you have obtained for the
- first time under heuristic analysis before running it, to avoid
- infecting your machine. Handle with special care the programs
- that Dr. Web reports as "possibly" infected.
-
- Dr. Web takes longer time to scan a machine under heuristic
- analysis mode.
-
-
- * The INFECTED FILES field
-
- contains three option buttons CURE, DELETE, and RENAME, of which
- only one can be active at a time. The first two option buttons
- CURE and DELETE are self-explanatory and need no further
- comments. If you select the third button, RENAME, then the
- infected files will be renamed: the filename will be same as the
- original filename, but the letter V will be substituted for the
- first letter in the extension; for example, the filename
- extensions COM and EXE will be changed as VOM and VXE,
- respectively.
-
- Prior to handling an infected file, Dr. Web asks for your
- confirmation if you have selected the PROMPT FOR CURE box in the
- FILES field:
-
- ╔══[]══════════════ B:\FORMAT.COM ═══════════════════╗
- ║ This file is infected with Tiny.129 ║
- ║ Rename it? ║
- ║ ║
- ║ Yes ▄ No ▄ Help ▄ ║
- ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║
- ╚═════════════════════════════════════════════════════╝
- Fig. 16. Inquiry for renaming a file
-
-
- * The FILES field
-
- contains four check boxes with which you can opt for checking
- packed files and archives, have damaged files deleted, and tell
- Dr. Web to ask for confirmation prior to handling an infected file.
-
-
- The CHECK PACKED box
-
- If this box is selected, Dr. Web will test the files that are
- packed with the DIET, LZEXE, PKLITE, EXEPACK, and COMPACK compression
- utilities, the files converted with COMTOEXE, PROTECT, CRYPTCOM, and
- TINYPROG, as well as the files vaccinated with the Central Point
- Anti-Virus (CPAV) program. A packed file is temporarily
- unpacked to a drive of your choice and the unpacked copy is then
- scanned for viruses. You specify the drive for these temporary
- files in the text box of the TEMP DRIVE field in the PATHS panel,
- displayed on choosing the PATHS... command from the SETUP menu.
-
- NOTE: It is a good idea to specify the fastest drive in your
- computer as the TEMP drive for temporarily exploding packed
- files. Furthermore, there must always be enough space in the
- drive for temporarily exploding the packed files.
-
-
- The CHECK ARCHIVES box
-
- To save space on hard and floppy disks, users often make use of
- archive programs. If an infected program is contained in an
- archive file, most of the anti-virus utilities, e.g., VIRUS
- HUNTER, cannot check such a program.
-
- Dr. Web can check any file included in an archive file. For
- this, select the CHECK ARCHIVES box. Dr. Web tests the
- archive files created with ARJ, PKZIP, LHA, RAR, ZOO, ICE, and HA.
-
-
- The DELETE DAMAGED box
-
- In certain cases, packed files that are infected and damaged by
- viruses may not yield to full restoration. If the DELETE DAMAGED
- box in the FILES field is selected, Dr. Web will automatically
- delete such files.
-
-
- The PROMPT FOR CURE box
-
- If you wish that Dr. Web should ascertain your intention prior to
- handling infected files (for curing, deleting, or renaming),
- select the PROMPT FOR CURE box in the FILES field of the OPTIONS
- panel. Otherwise, infected files will be handled automatically
- without ascertaining your permission.
-
- ╔═[]═══════════════ B:\FORMAT.COM ═══════════════════╗
- ║ This file is infected with Tiny.129 ║
- ║ Remove the virus from the file? ║
- ║ ║
- ║ Yes ▄ No ▄ Help ▄ ║
- ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║
- ╚═════════════════════════════════════════════════════╝
- Fig. 17. Inquiry for removing a virus
-
-
- * The MEMORY RANGE field
-
- See the MEMORY TEST box in the MAIN SETTINGS field.
-
-
- * The REPORT FILE field
-
- contains three option buttons DON'T CREATE, OVERWRITE, and APPEND.
-
- If you select the DON'T CREATE button, no report file is created
- at the end of scanning and curing sessions. If you select the
- OVERWRITE button, at the end of a session the results of the
- current session replace the previous contents of the report
- file; so the report file always contains the results of the
- last scanning session. If you select the APPEND button, the
- results of the current scanning session are appended at the end of
- the report file; so the report file contains the results of all
- scanning sessions since you last cleared the report
- file.
-
- You can open the report file for viewing by choosing the REPORT
- command from the TEST menu and edit it with any text editor.
-
- By default, the report file is named REPORT.WEB and is created in
- the directory where Dr. Web is installed. However, you can
- specify a different name and location (see the REPORT FILE NAME
- field under the PATHS... command).
-
-
- The PATHS... command
-
- On choosing this command, you get a panel containing text fields
- for specifying certain pathnames and option buttons for choosing
- the type of files to be tested:
-
- ╔═[]═══════════════════ Paths ═══════════════════════╗
- ║ ┌ Add-on search pattern ┐ ┌ Report file name ─────┐ ║
- ║ │ WEB?????.3?? │ │ E:\DRWEBE\REPORT.WEB │ ║
- ║ └───────────────────────┘ └───────────────────────┘ ║
- ║ ┌ Add-on pathname ──────┐ ┌ File type ────────────┐ ║
- ║ │ │ │ ( ) All files │ ║
- ║ │ │ │ () Programs │ ║
- ║ │ │ │ ( ) User defined │ ║
- ║ └───────────────────────┘ │ └ *.EXE *.COM *.SYS │ ║
- ║ ┌ Temp drive ┐ └───────────────────────┘ ║
- ║ │ C: │ Ok ▄ Cancel ▄ ║
- ║ └────────────┘ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║
- ║ Save ▄ Help ▄ ║
- ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║
- ╚═════════════════════════════════════════════════════╝
- Fig. 18. Paths dialog panel
-
-
- * The ADD-ON SEARCH PATTERN field
-
- In the text box of this field, type the names of add-on files
- that are to be appended to your main virus database. You can use
- wildcard characters in typing the filename.
-
-
- * The ADD-ON PATHNAME field
-
- In the text box of this field, type the path of the directory
- where add-on files exist.
-
- All add-on files matching the specifications typed in add-on
- search pattern and add-on pathname fields that are compatible
- with the version of Dr. Web will be automatically appended to the
- main virus database on choosing the OK command button.
-
- You can also append add-on files to the main virus database with
- the help of the UPDATE item in the main menu.
-
-
- * The TEMP DRIVE field
-
- In the text box of this field, type the letter of the drive
- where you want Dr. Web to create temporary files. This must not
- be a read-only drive. Dr. Web temporarily unpacks packed files
- prior to checking them for viruses, so there must be sufficient
- free space (500 Kb to 1 Mb) on the drive specified in this field.
-
- If there is not sufficient free space in the drive, Dr. Web
- displays an error message:
-
- ╔═[]══════════════ C:\DOS\ATTRIB.EXE ════════════════╗
- ║ No space on disk to decompress the file! ║
- ║ Continue scanning? ║
- ║ ║
- ║ Yes ▄ No ▄ Help ▄ ║
- ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║
- ╚═════════════════════════════════════════════════════╝
- Fig. 19. Insufficient free space warning message
-
- If you choose YES, Dr. Web will resume scanning but skip the
- packed file. It is therefore better to choose NO to abort the
- scanning session, free up sufficient space on the disk, and
- then start Dr. Web once again.
-
- In order to speed up the operation, specify the fastest drive in
- your system as the temporary drive. A RAM disk, if you have one,
- is a good choice; DOS ramdrive.sys can be used to create
- such a virtual disk.
-
-
- * The REPORT FILE NAME field
-
- In the text box of this field, type the full pathname of the
- report file where you wish to save the results of scanning
- missions. By default, it is named report.web and created in the
- same directory where Dr. Web is installed. Typing a different
- full pathname, you can change the filename, its extension, the
- directory, and the drive where it is to be created.
-
-
- * The FILE TYPE field
-
- gives three option buttons for specifying the type of files to be
- tested in scanning.
-
-
- The ALL FILES button
-
- tells Dr. Web to scan all files regardless of the file name and
- extension.
-
-
- The PROGRAMS button
-
- tells Dr. Web to scan only program files and the Word documents
- and templates that can carry macro viruses, i.e., files of
- extension COM, EXE, SYS, BAT, DRV, BIN, DLL, BOO, OV?, DOC, and
- DOT.
-
-
- The USER DEFINED button
-
- tells Dr. Web to scan only the files specified by the user in the
- text field under this option box. Press <Tab> to go to the text
- field, and then type the file specifications, separating the
- entries by an intervening white space. You can use wildcard
- characters, * and ?, in file specifications.
-
- In scanning and curing sessions, Dr. Web always scans files of
- the type specified in this FILE TYPE field, unless you type a
- different specification in the SCAN PATH panel displayed on
- choosing the SCAN command from the TEST menu at the start of a
- session, i.e., only for the current session the file
- specifications in the SCAN PATH panel override the file
- specifications under the FILE TYPE field.
-
-
-
- 1.4 The UPDATE item
-
- in the main menu has no submenu, because it is a command. Its
- purpose is to keep your Dr. Web up to date as new viruses
- appear.
-
- For Dr. Web to cope with the new virus specimens, its database
- must be upgraded constantly by appending add-on files containing
- data about the new viruses.
-
- Add-on files are released about once a week. Registered users
- can obtain them free of charge from our official dealers.
-
-
- If a virus unknown to DR. WEB has invaded your machine
-
- Please, immediately send (for example, by e-mail) a copy of the
- virus or infected file to DialogueScience, Inc., Moscow, or to
- the designer of Dr. Web. If you are a registered user, within 48
- hours you will receive an add-on file (an external appendix to
- the main database) to detect and remove the new virus from files
- and system areas (master boot record, boot sector) of the
- computer.
-
- The add-on files are named WEBymmdd.vvv, where y denotes the
- last digit of the year, mm the month, dd the day of the
- release date of the add-on file, and vvv the version
- number (v.vv) of Dr. Web for which the add-on is designed.
- For example, web60814.314 means that the add-on file was released
- on August 14, 1996 for Dr. Web version 3.14.
-
- Prior to copying the add-on files to the computer, check that
- they are compatible with your Dr. Web version. For this, open the
- add-on file through any text editor: its beginning reads somewhat
- as follows:
-
- New Virus Base Add-on for Anti-Virus Dr. Web version 3.05+,
-
- where 3.05+ means that this add-on is designed for Dr. Web
- version 3.05 and higher. Then, copy it to the directory where
- drweb.exe is installed.
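- The following added example (not Dr. Web code) implements the naming
- scheme and the header check described above in Python: it parses
- WEBymmdd.vvv into a release date and version, reads the minimum
- version from the add-on's first line, and filters a set of candidate
- files to those usable with an installed version. The assumption that a
- single year digit belongs to the 1990s, and the treatment of a header
- without "+" as requiring that exact version, are the example's own;
- the file names and header lines are constructed.

```python
"""Added example (not Dr. Web code): parse WEBymmdd.vvv add-on names and
check an add-on's header line against the installed version."""
import re
from datetime import date
from fnmatch import fnmatch

# Assumption: the single year digit is resolved into the 1990s, the decade
# in which this naming scheme was used (web60814.314 -> 1996-08-14).
DECADE_BASE = 1990

# The search pattern the manual recommends for version 3.xx add-ons.
SEARCH_PATTERN = "WEB?????.3??"

_NAME_RE = re.compile(r"^WEB(\d)(\d\d)(\d\d)\.(\d)(\d\d)$", re.IGNORECASE)
_HEADER_RE = re.compile(r"Dr\. Web version (\d+)\.(\d+)(\+?)")


def parse_addon_name(filename):
    """Split WEBymmdd.vvv into (release date, (major, minor))."""
    m = _NAME_RE.match(filename)
    if m is None:
        raise ValueError("not an add-on file name: %r" % filename)
    y, mm, dd, major, minor = m.groups()
    return date(DECADE_BASE + int(y), int(mm), int(dd)), (int(major), int(minor))


def parse_version(text):
    """'3.19' -> (3, 19); as a tuple it compares correctly (3.19 > 3.05)."""
    major, minor = text.split(".")
    return int(major), int(minor)


def header_requirement(first_line):
    """Read 'Dr. Web version 3.05+' from the add-on's first line.

    Returns ((major, minor), open_ended): with '+' any later version is
    accepted; without it (an assumption here) only that exact version."""
    m = _HEADER_RE.search(first_line)
    if m is None:
        raise ValueError("no version requirement in header: %r" % first_line)
    return (int(m.group(1)), int(m.group(2))), m.group(3) == "+"


def addon_usable(filename, first_line, installed):
    """True when the name matches the recommended pattern and the header
    admits the installed Dr. Web version.

    The name check rejects add-ons for another major version
    (WEB?????.2??); the header check rejects add-ons that need a newer
    scanner than the one installed."""
    if not fnmatch(filename.upper(), SEARCH_PATTERN):
        return False
    minimum, open_ended = header_requirement(first_line)
    installed_v = parse_version(installed)
    return installed_v >= minimum if open_ended else installed_v == minimum


def select_addons(names_and_headers, installed):
    """Filter (filename, first_line) pairs to the usable ones, newest first."""
    usable = [(n, h) for n, h in names_and_headers
              if addon_usable(n, h, installed)]
    usable.sort(key=lambda nh: parse_addon_name(nh[0])[0], reverse=True)
    return [n for n, _ in usable]


if __name__ == "__main__":
    # Constructed candidates as they might sit in the Dr. Web directory.
    HDR3 = "New Virus Base Add-on for Anti-Virus Dr. Web version 3.05+,"
    HDR2 = "New Virus Base Add-on for Anti-Virus Dr. Web version 2.10+,"
    candidates = [("web60814.314", HDR3), ("web70110.319", HDR3),
                  ("web60814.214", HDR2)]
    print(select_addons(candidates, "3.19"))
```

- Checking the header line before copying matters because a mismatched
- add-on is silently ignored by the scanner, which then reports a disk
- clean of viruses it never looked for.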
-
- The add-on files can be appended to the main virus database in
- two different ways. By the first method, the add-on files are
- automatically appended in a scanning session. For this, open the
- SETUP menu, choose the PATHS... command, and type an appropriate
- text string in the ADD-ON SEARCH PATTERN and ADD-ON PATH fields.
-
- IMPORTANT! The add-on files for Dr. Web version 3.00 or
- higher are released with the name WEB?????.3??. You can type
- this text string in the ADD-ON SEARCH PATTERN field. If you
- have copied the add-on files to the directory where Dr. Web
- is installed, you may leave the ADD-ON PATH field unfilled.
-
- By the second method, you can manually append add-on files
- located in different directories. For this, choose the UPDATE
- command from the main menu to pull down its dialog panel:
-
- ╔═[]════════ Add-on files ════════════╗
- ║ ║
- ║ ┌─────────────────────────────┐ ║
- ║ │ E:\DRWEB\WEB?????.3?? │ ║
- ║ └─────────────────────────────┘ ║
- ║ ║
- ║ Search ▄ Cancel ▄ Help ▄ ║
- ║ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║
- ╚══════════════════════════════════════╝
- Fig. 20. Add-on dialog panel
-
- In the text field, type the full pathname or a search pattern for
- finding and appending the add-on files. Then choose the SEARCH
- button. If the add-on files are successfully appended, the screen
- displays a message showing the number of add-on files appended to
- the database.
-
- ATTENTION! Scan and clean your disks for new viruses with
- add-on files only by starting the computer from a CLEAN
- BOOTABLE DISKETTE - Dr. Web does not scan and clean the
- memory for new viruses.
-
- After purchasing a new upgraded version of Dr. Web capable of
- independently detecting and removing new viruses without the aid
- of add-on files, delete all old versions of add-on files as they
- are no longer needed for the upgraded Dr. Web program.
-
-
- 1.5 The HELP menu
-
- Dr. Web's help system is context-sensitive and provides on-line
- assistance to the user in the current topic on pressing the <F1>
- key. Alternatively, you may click the [F1] Help box. Using <PgUp>
- and <PgDn> keys, you can browse through the help window. Press
- <Esc> to close the help window.
-
-
- 1.6 Speedkeys
-
- To speed up the work with the keyboard, you can use the following
- combinations of keys to implement the commands listed below.
-
- ╔════════════════╦══════════════════════════════════════════════╗
- ║Key combination ║ Command executed ║
- ╠════════════════╬══════════════════════════════════════════════╣
- ║<Alt+X>,<Alt+F4>║ Quit Dr. Web. ║
- ╟────────────────╫──────────────────────────────────────────────╢
- ║<F1> ║ Call on-line help. ║
- ╟────────────────╫──────────────────────────────────────────────╢
- ║<F5> ║ Scan (files, boot sectors, etc.) for ║
- ║ ║ infection. ║
- ╟────────────────╫──────────────────────────────────────────────╢
- ║<Ctrl+F5> ║ Search for and remove viruses. ║
- ╟────────────────╫──────────────────────────────────────────────╢
- ║<F9> ║ Display OPTIONS panel for specifying Dr. Web ║
- ║ ║ operation settings. ║
- ╟────────────────╫──────────────────────────────────────────────╢
- ║<F10> ║ Initiate main menu. Thereafter, use right and║
- ║ ║ left arrow keys to move through the menu bar.║
- ╟────────────────╫──────────────────────────────────────────────╢
- ║<Tab> ║ Move from one field to another in dialog ║
- ║ ║ panels. ║
- ╟────────────────╫──────────────────────────────────────────────╢
- ║<Esc> ║ Abort scanning mission. Close dialog panels ║
- ║ ║ and message panels currently displayed on the║
- ║ ║ screen. This key is inoperative if you ║
- ║ ║ specified /NS option in Dr. Web command line.║
- ╚════════════════╩══════════════════════════════════════════════╝
-
-
-
- 2. RUNNING DR. WEB FROM ITS COMMAND LINE
-
- This section explains how to run Dr. Web with its command line
- and command options.
-
- The syntax of Dr. Web's command line is
-
- drweb [<drive>:[<path>]] [<option>] . . . [<option>]
-
- The command name and the command options must be separated by an
- intervening white space. Items shown within square brackets are
- optional. To include option parameters in the command line, only
- type the information inside the brackets. Do not type the square
- brackets.
-
- The first parameter, <drive>, is the letter of the drive to
- be scanned, for example, f: or a:. If you wish to test all
- logical drives on the hard disk(s) of your system, type the
- global character "*" in place of the drive letter. To test
- the current directory, just type a period "." after the
- command name drweb.
-
- To test the files in separate directories, include the <path> to
- the directories in the command line. Alternatively, you can also
- type the <path> parameter, using global characters in filenames
- and extensions. The following is a
-
-
- 2.1 List of command options and their purpose
-
- ════════════╦════════════════════════════════════════════════════
- Option ║ Description
- ════════════╬════════════════════════════════════════════════════
- /@[+] ║ Integrity checker ADinf generates a list of files
- <filename>║ that are to be scanned by anti-virus programs.
- ║ Dr. Web will test only the files specified in
- ║ this list without checking the other files. This
- ║ will speed up the scanning session. If the
- ║ plus sign is included, the list of files will be
- ║ saved after scanning is completed; otherwise it
- ║ is deleted.
- ────────────╫────────────────────────────────────────────────────
- /25 ║ adjust the full vertical size of screen to a height
- ║ of 25 lines.
- ────────────╫────────────────────────────────────────────────────
- /30 ║ the same for 30 lines.
- ────────────╫────────────────────────────────────────────────────
- /45 ║ the same for 45 lines.
- ────────────╫────────────────────────────────────────────────────
- /AL ║ scan all files in a given drive (not only files of
- ║ extension COM, EXE, SYS, BAT, DRV, BIN, DLL, BOO,
- ║ OV?, DOC, or DOT, but also files of all other
- ║ extensions).
- ────────────╫────────────────────────────────────────────────────
- /AR[N][W][T]║ scan all files inside the archives created with
- ║ ARJ, PKZIP, LHA, RAR, ZOO, ICE, and HA compression
- ║ utilities. N - don't print the name of archiver
- ║ after the name of the archived file, W - extract
- ║ files from archive to the current directory,
- ║ T - (only with parameter W) extract files to the
- ║ temporary directory specified with environment
- ║ variable TEMP or TMP.
- ────────────╫────────────────────────────────────────────────────
- /BW[<num>] ║ print messages in black-and-white display mode. You
- ║ can type 1 or 2 for <num>, whichever is best suited for
- ║ your monitor.
- ────────────╫────────────────────────────────────────────────────
- /CH ║ disable self-test.
- ────────────╫────────────────────────────────────────────────────
- /CL ║ run in command line mode and suppress the dialog
- ║ interface.
- ────────────╫────────────────────────────────────────────────────
- /CO[<num>] ║ run in color display mode. You can type 1 to 4
- ║ for <num> that is best suited for your monitor.
- ────────────╫────────────────────────────────────────────────────
- /CU[D][R][P]║ cure drives and files by removing the viruses
- ║ found. If the D parameter is included, infected
- ║ files will be deleted. If the R parameter is
- ║ included, infected files will be renamed by
- ║ substituting the letter V for the first letter in
- ║ the filename extension; for example, the extensions
- ║ COM and EXE in infected files will be changed as
- ║ VOM and VXE, respectively. The P parameter tells
- ║ Dr. Web to prompt the user before curing an
- ║ infected file.
- ────────────╫────────────────────────────────────────────────────
- /DA ║ Run Dr. Web only once a day. For this option,
- ║ the initiation file, drweb.ini, containing the date
- ║ of the last scanning session must be present. This
- ║ option is useful for starting Dr. Web automatically
- ║ from the AUTOEXEC.BAT file only once a day on
- ║ booting the computer.
- ────────────╫────────────────────────────────────────────────────
- /DL ║ delete infected files if they do not yield to
- ║ restoration.
- ────────────╫────────────────────────────────────────────────────
- /GO ║ run without stopping for instructions about what to
- ║ do next, e.g., in case of insufficient disk space
- ║ for unpacking compressed files, removal of damaged
- ║ files, self-infection of the Dr. Web program by an
- ║ unknown virus, etc. This mode is very useful for
- ║ unattended scanning of e-mail on a BBS.
- ────────────╫────────────────────────────────────────────────────
- /HA ║ heuristic analysis of files for searching hitherto
- [<level>] ║ unknown viruses with an optional level parameter:
- ║ 0 - minimal level, 1 - "paranoid" level. False
- ║ alarms are possible under the "paranoid" level. If
- ║ no level parameter is specified, Dr. Web defaults
- ║ to the minimal level.
- ────────────╫────────────────────────────────────────────────────
- /HI ║ scan the memory in the range from 0 to 1088 Kb.
- ────────────╫────────────────────────────────────────────────────
- /MO ║ disable mouse support.
- ────────────╫────────────────────────────────────────────────────
- /MT<time> ║ the latest polymorphic viruses require a long time
- ║ to decode. By specifying a time in seconds, you
- ║ limit the time for scanning a file. The default
- ║ time values for different processors are
- ║ Pentium - 30 sec
- ║ 486 - 30 sec
- ║ 386 - 60 sec
- ║ 286 - 120 sec
- ║ 8088 - 240 sec
- ║ 8086 - 240 sec
- ║ Double the default time is needed to detect
- ║ advanced polymorphic viruses.
- ────────────╫────────────────────────────────────────────────────
- /NB ║ skip boot sector tests.
- ────────────╫────────────────────────────────────────────────────
- /ND ║ test the files only in the root or the current
- ║ directory, skipping the subdirectories.
- ────────────╫────────────────────────────────────────────────────
- /NI ║ ignore the settings in the initial file DRWEB.INI.
- ────────────╫────────────────────────────────────────────────────
- /NM ║ skip the memory from virus search.
- ────────────╫────────────────────────────────────────────────────
- /NR ║ do not create report file.
- ────────────╫────────────────────────────────────────────────────
- /NS ║ disable the use of <Esc> key for aborting a session.
- ────────────╫────────────────────────────────────────────────────
- /OF ║ check only one floppy diskette and do not prompt
- ║ for another diskette for testing.
- ────────────╫────────────────────────────────────────────────────
- /OK ║ print "Ok" after the names of clean files.
- ────────────╫────────────────────────────────────────────────────
- /QU ║ quit to DOS screen after the completion of test.
- ────────────╫────────────────────────────────────────────────────
- /RP[+] ║ write the scanning results in the file (by default
- [<file>] ║ REPORT.WEB in the directory where Dr. Web is
- ║ installed), <file> is the full pathname of
- ║ the report file. If the plus sign is included, the
- ║ report of the current session will be appended at
- ║ the end of the report file; otherwise the report
- ║ will be overwritten in the report file.
- ────────────╫────────────────────────────────────────────────────
- /RV ║ scan files for active TSR viruses.
- ────────────╫────────────────────────────────────────────────────
- /SD ║ include subdirectories in scanning.
- ────────────╫────────────────────────────────────────────────────
- /SF ║ In Windows 95, the names of files and
- ║ directories may be longer than 8
- ║ characters and contain white space and some other
- ║ separators. While running under Windows 95, Dr. Web
- ║ recognizes these longer names and prints them
- ║ appropriately. If you do not want to clutter the
- ║ screen with longer names, include the /SF option in
- ║ the command line to truncate the names of files and
- ║ directories to the DOS 8-character convention.
- ────────────╫────────────────────────────────────────────────────
- /SH<no> ║ the first five figures of the serial number of
- ║ Sheriff security system (if installed in the
- ║ computer) so that Dr. Web may run jointly with
- ║ Sheriff without conflicts.
- ────────────╫────────────────────────────────────────────────────
- /SN ║ "snow" prevention for CGA adapters.
- ────────────╫────────────────────────────────────────────────────
- /SV ║ save the settings of the current session before
- ║ exiting.
- ────────────╫────────────────────────────────────────────────────
- /TD<disk>: ║ drive name letter of the disk for creating
- ║ temporary files.
- ────────────╫────────────────────────────────────────────────────
- /UB ║ output to screen via BIOS.
- ────────────╫────────────────────────────────────────────────────
- /UP[N][W] ║ scan the files packed by LZEXE, DIET, PKLITE,
- ║ EXEPACK, COMPACK, the files converted by COMTOEXE,
- ║ PROTECT, CRYPTCOM, TINYPROG, and the files
- ║ vaccinated by CPAV. N - don't print the name of
- ║ compression utility after the name of the packed
- ║ file, W - restore files and remove the
- ║ decompressor. Under the /UP option, a packed file
- ║ is first exploded in a temporary file and then the
- ║ exploded file is tested. If the W parameter is
- ║ additionally included, then after testing, the
- ║ exploded file is overwritten on the original file.
- ║ Thus, an originally packed (vaccinated) file is
- ║ converted into an exploded (devaccinated) file
- ║ after testing is completed. This also happens
- ║ during curing: a packed (vaccinated) file is
- ║ exploded, tested, cured, and finally saved as an
- ║ exploded (devaccinated) file.
- ────────────╫────────────────────────────────────────────────────
- /WA ║ display the statistics after testing a given object.
- ────────────╫────────────────────────────────────────────────────
- /? ║ display help information.
- ════════════╩════════════════════════════════════════════════════
-
- NOTE. As a rule, the /UPW option is needed only in rare
- cases, for example, when Dr. Web suspects that an
- unknown virus may be present in a "packed" file. In
- such cases, the suspect file can be exploded with the
- /UPW option for independent in-depth infection
- analysis. This option is helpful only to system
- analysts knowledgeable in virus technology. The /UP
- option is quite adequate for ordinary users in routine
- checks.
-
- If no options are specified in the command line, Dr. Web will
- scan in the current session as per the specifications in the
- DRWEB.INI configuration file, which must exist in the directory
- where DRWEB.EXE is installed.
-
- If there is no DRWEB.INI file and no options are specified in the
- command line, Dr. Web will scan the memory in the address range
- from 0 to 640 Kb, files of extensions COM, EXE, SYS, BIN, DRV,
- DLL, BOO, OV?, DOC, and DOT, and display the names of files
- infected with the viruses known to it.
-
-
- 2.2 Running Dr. Web in batch mode
-
- If you wish to start Dr. Web automatically every time the
- computer is booted, add the command line of Dr. Web
- with the options of your choice to your autoexec.bat file.
-
- Alternatively, you may write a batch file containing the command
- line with all necessary command options and CALL it from the
- autoexec.bat file.
-
- The option /CL, if included in the command line, tells Dr. Web
- not to use the dialog mode.
-
- Dr. Web sets an errorlevel, and this can be used in a batch file
- to determine what actions are then to be taken.
-
- ────────────┬────────────────────────────────────────────────────
- ERRORLEVEL │ Meaning:
- ────────────┼────────────────────────────────────────────────────
- 0 │ viruses not found
- 1 │ known viruses detected
- 2 │ unknown viruses detected or suspicious files
- ────────────┴────────────────────────────────────────────────────
-
- Below is a sample batch file for starting Dr. Web in batch mode
- and testing the errorlevel returned. On detecting a virus, the
- screen would display a cyclic message.
-
- @echo off
- drweb C: /CL /NM
- rem "if errorlevel N" is true for any errorlevel >= N, so the
- rem higher value must be tested first.
- if errorlevel 2 goto new_vir
- if errorlevel 1 goto vir
- goto end
-
- :vir
- echo WARNING! A KNOWN VIRUS DETECTED
- rem Loop deliberately so that the warning stays on the screen.
- goto vir
-
- :new_vir
- echo WARNING! I SUSPECT THAT AN UNKNOWN VIRUS IS PRESENT IN YOUR MACHINE
- goto new_vir
-
- :end
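- The errorlevel contract from the table above, modelled in POSIX sh as an added example that is not part of the manual: it shows why the batch file tests errorlevel 2 before 1 (DOS "if errorlevel N" matches any level >= N), and what goes wrong when the order is reversed. The scanner here is a constructed stand-in (fake_drweb) so the logic runs offline; the real command line is the manual's "drweb C: /CL /NM".

```shell
#!/bin/sh
# Added example, not from the Dr. Web manual. Models the documented
# ERRORLEVEL values: 0 = no viruses, 1 = known virus, 2 = unknown
# virus or suspicious file.

# DOS "if errorlevel N" is true for any level >= N, so the manual's
# batch file tests 2 first. This reproduces that cascade in order.
dos_errorlevel_branch() {
    if [ "$1" -ge 2 ]; then echo new_vir; return; fi
    if [ "$1" -ge 1 ]; then echo vir; return; fi
    echo end
}

# The same tests in the wrong order: a level of 2 also satisfies
# "errorlevel 1", so an unknown virus would be reported as a known one
# and the new_vir branch could never be reached.
reversed_order_branch() {
    if [ "$1" -ge 1 ]; then echo vir; return; fi
    if [ "$1" -ge 2 ]; then echo new_vir; return; fi
    echo end
}

# Constructed stand-in for the scanner: exits with the level given as
# its first argument, so the wrapper can be exercised without DOS.
fake_drweb() {
    return "$1"
}

# Run the scanner and map its exit status to an action. Any status
# outside the documented 0..2 range (scanner missing, crashed, etc.)
# is reported as a failed scan rather than treated as "clean".
scan_and_classify() {
    status=0
    "$@" || status=$?
    case "$status" in
        0) echo "clean" ;;
        1) echo "known-virus" ;;
        2) echo "unknown-or-suspicious" ;;
        *) echo "scan-failed:$status" ;;
    esac
}

# Usage: scan_and_classify fake_drweb 2   (prints unknown-or-suspicious)
```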
-
-
- REFERENCES
-
- DialogueScience, ADinf and Virus Hunter are registered trademarks
- of DialogueScience Inc., Moscow, Russia.
-
- Sheriff is a registered trademark of FomSoft, Moscow, Russia.
-
- Other names are registered trademarks or trademarks of the
- respective companies.
-
-
- * * *
-
- I express my thanks to Grigory Frolov for his help in preparing
- the Russian manuscript of this manual. I am especially indebted
- to Dr. Naidu P.S.V. for translating and revising the Russian
- manuscript, and for preparing the translation of the internal
- texts of the program.
-
- Musical effects drawn from the polymorphic virus Holms.6161 are
- incorporated in Dr. Web program.
-
-
- Below is a PGP public key that can be used for verifying the
- integrity of the Doctor Web program with the help of the
- signature in the drweb.pgp file. It can also be used to encode
- the virus specimens when a user wishes to e-mail them to me.
-
-
- My "fingerprint" of PGP key:
-
- C0 56 A6 24 91 99 B5 A1 C7 78 6A 8B D9 6D 8F B0
-
-
- * * *
-
- Dr. Web Anti-Virus Package is available at
-
- DialogueScience, Inc.,
- Computing Center of the Russian Academy of Sciences,
- Office No 103a, House No 40, Vavilov street,
- 117967, Moscow, Russia.
-
- Tel.: (+7-095) 137-0150, 135-6253
- Tel./Fax: (+7-095) 938-2970, 938-2855
-
- BBS: (+7-095) 939-5239 (14400/V.32bis, 19200/ZyXEL) - subscribers only
- (+7-095) 939-3705 (28800/V.34, 33600/V.34+) - subscribers only
- (+7-095) 938-2969 (28800/V.34, 33600/V.34+) - subscribers only
- (+7-095) 938-2867 (28800/V.34, 33600/V.34+) - subscribers only
- (+7-095) 938-2856 (28800/V.34) - common access
-
- FidoNet: 2:5020/69
- 2:5020/69.14 (Igor Daniloff)
-
- FTP-server: ftp.dials.ccas.ru
- ftp.kiam1.rssi.ru
-
- WWW: http://www.dials.ru
- http://www.dials.ccas.ru
- http://www.kiam1.rssi.ru
-
- E-mail: antivir@dials.msk.su - Sales and Support Department
- bob@dials.msk.su - Modem link service
- id@dials.msk.su - Line for transferring new viruses
- loz@dials.msk.su - Line for transferring new viruses
-