home *** CD-ROM | disk | FTP | other *** search
-
-
-
-
-
-
- Viruschk
- Version 2.1
- SSgt Jon Freivald, USMC
- TurboC++ 1.0
- Copyright 1991, 1st Marine Corps District
- All Rights Reserved.
-
-
- LICENSING INFORMATION:
-
-
- Viruschk is distributed as freeware. It may be distributed
- freely as long as there is no fee charged for it or it's
- distribution. Viruschk must be distributed as a complete
- package, containing all of the files contained in the file
- readme.1st. Viruschk may not be distributed as a feature with
- any other software package without the prior written permission
- of 1st Marine Corps District. There is no fee for registration,
- however, if you register as a user, you will be placed on
- distribution for future updates. Refer to the notes section for
- further information on how to register.
-
-
- WHAT IT IS:
-
-
- The use of McAfee's Viruscan (scan.exe) on all USMC systems is
- mandated by CMC/CCI msg R 220032Z OCT 90 ZY3. Viruschk is a
- "shell" or "watchdog" for McAfee's scan.exe. It also displays the
- 1
- warning screen mandated by USMC security regulations . If a
- virus condition is found, it will lock up the user's system and
- with a loud tone and unmistakable screen, alert them to the
- infected condition! It is highly recommended that you also use
- the Vshield program (also by McAfee) - especially if you use the
- option to limit scanning to once a week. Please refer to the
- referenced message for further guidance regarding use of the
- McAfee virus prevention software. This documentation does not
- cover all policy set forth in the message, nor does it intend to
- be taken as a statement of policy.
-
-
- SYSTEM REQUIREMENTS:
-
-
- o IBM PC, PC/XT, PC/AT, PS/2 or 100% compatible computer
-
- _________________________________________________________________
-
- 1. For non USMC users, you can make this a welcome screen,
- display a corporate message, etc, or you can eliminate it all
- together. The content of the screen file is irrelevant to the
- operation of the program. The file should only be one screen
- long, or it will scroll before the first part can be read.
-
-
-
-
-
-
-
-
-
-
-
-
- o 384K RAM
-
- o a hard disk with one or more DOS partitions
-
- o DOS version 2.0 or higher
-
- o DOS version 3.0 or higher for the integrity self-check
-
- o McAfee & Associates Viruscan (scan.exe) version 7.2V77 or
- higher.
-
-
- HOW TO INSTALL IT:
-
-
- To install Viruschk, proceed as follows:
-
- Make a directory on the c: drive named "security" (this is CMC
- mandated and hard-coded into Viruschk).
-
- Copy the following files into c:\security:
-
- viruschk.com
-
- scan.exe (This should be the latest version supplied
- through official channels. It *MUST* be version
- 7.2V77 or higher.)
-
- warning (This screen may be modified to suit your
- organization with any ANSI editor such as
- "TheDraw", or you can substitute it with any
- ANSI/ASCII screen of your choice, as long as it is
- named "warning". If you are not a USMC user, it
- may be omitted all together.)
-
- Add the line "c:\security\viruschk" to the beginning of the
- user's autoexec.bat file. This line should normally be the first
- 2
- line of the autoexec.bat & should ALWAYS be before the user can
- login to the network.
-
-
-
-
-
- _________________________________________________________________
-
- 2. If you use Zenith DOS with manual partition assignment, make
- sure that you place the asgnpart command BEFORE Viruschk or
- the additional partitions will not get scanned!
-
- If your system does not have an internal clock/calendar, the
- DOS date command should be in the autoexec.bat prior to the
- viruschk line.
-
-
-
- - 2 -
-
-
-
-
-
-
-
-
- WHAT IT DOES:
-
-
- Viruschk first checks the DOS version being run on the machine.
- If it is version 3.0 or higher, it performs an integrity check on
- itself. ANY modification (manual tampering, "pklite"
- compression, a virus, etc) will cause the virus warning screen to
- display and the system to lock up. If the DOS is less than
- version 3.0, a message is displayed stating that the self-check
- cannot be performed.
-
- It then checks the command line. The following command line
- options are valid:
-
- display shows the "lockup" screen & plays a snippet of the
- warning tones - no scan is performed and the
- warning screen is not displayed (this is included
- for demo purposes only!)
-
- Mon Executes scan.exe on Monday only
-
- Tue Executes scan.exe on Tuesday only
-
- Wed Executes scan.exe on Wednesday only
-
- Thu Executes scan.exe on Thursday only
-
- Fri Executes scan.exe on Friday only
-
- Sat * Executes scan.exe on Saturday only
-
- Sun * Executes scan.exe on Sunday only
-
- * = NOT ALLOWED ON USMC SYSTEMS - these options
- are only included for those who wish to use this
- program on their private systems.
-
- If no command line (or one not listed above) argument is given,
- scan.exe will be executed every day. The command line arguments
- MUST be typed exactly as they are above (i.e., "mon" is not
- equivalent to "Mon").
-
- If scan.exe is to be executed, Viruschk will then build a table
- of all valid hard drives for the system. It will then execute
- scan.exe with the proper parameters to scan all the drives. If
- scan.exe is not to be executed that day, this step will be
- skipped.
-
- If scan.exe is to be executed, and this is the first time for
- this particular day, scan will be executed with the "/NOBREAK"
- parameter - this will force a complete scan at least once each
- (selected) day. If this is a subsequent run, the "/NOBREAK"
- parameter will be omitted, allowing the user to press <Ctrl><C>
- or <Ctrl><Break> to bypass the scanning process. The first run
-
-
-
- - 3 -
-
-
-
-
-
-
-
-
- force is controlled by a control file. This is a 4 byte file
- named "c:\security\viruschk.lrd". This file will be created the
- first time the program is run and will be re-created
- automatically if it is deleted.
-
- The control file is updated to reflect the current date AFTER the
- forced scan. If the system is rebooted during the scan, the scan
- will again be forced. This will continue until the scan
- completes and the control file is updated.
-
- Viruschk will then display the file "warning" for a period of 30
- seconds if it exists. You will only get this far if one of the
- following two conditions are met:
-
- 1. scan.exe is not to be run that day
- 2. scan.exe ran successfully and did not find any
- viruses
-
- After the 30 second delay, control will release back to DOS and
- the user's system can continue running it's autoexec.bat file.
- The user can bypass the delay by pressing a key. A countdown
- timer informs you of how much longer you have to wait if you
- don't press a key. The warning screen will display every day,
- regardless of command line arguments (except "display" which is
- not for general use anyway...). If the file c:\security\warning
- does not exist, nothing will be displayed, and there will be no
- delay before the program exits.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- - 4 -
-
-
-
-
-
-
-
-
- WHAT WILL TRIGGER IT:
-
-
- One of five conditions will cause viruschk to lock up the user's
- system:
-
- 1. Viruschk.exe finds any type of modification has
- occurred to itself (indicating either manual tampering or a
- virus).
- 2. Scan.exe was not in the c:\security directory or could
- not be executed.
- 3. Scan.exe found viruses present on the system.
- 4. Scan.exe exited with an error code.
- 5. Your version of scan.exe is not at least 7.2V77.
-
- Given any of the 5 conditions, we do not want the user to be able
- to proceed and use his system (possibly spreading a virus..!), so
- viruschk sounds a warning tone on the PC's speaker & displays a
- screen leaving the user no doubt about the fact that a virus has
- been encountered (even though that is but one of five possible
- exit codes). The user's system will now be locked - the only
- keystrokes that will have any effect is <Ctrl><Alt><Del> and (if
- you have a Zenith system) <Ctrl><Alt><Ins> (so that you can boot
- from a write protected floppy disk and remedy the problem).
-
- For a demo of the warning screen type:
-
- viruschk display
-
- when display is on the command line, scan will not be executed,
- nor will warning be displayed - this is for admin demo use only.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- - 5 -
-
-
-
-
-
-
-
-
- RETURN CODES:
-
-
- Viruschk will set the DOS errorlevel upon exit. You can use the
- DOS batch command "if errorlevel" to check these codes and take
- conditional action if desired. The following is a list of the
- codes & their significance:
-
- 0 Viruschk ran uninterrupted to completion of the
- delay countdown or the "display" command line
- option was used.
-
- 1 A keystroke was pressed to bypass the delay.
-
- 2 The file c:\security\warning was not found
- (therefore no display or delay).
-
- 3 Warning was present, but the program was unable to
- 3
- display it .
-
- 100 You errantly obtained a copy of the program that
- does not have the anti-virus information imbedded
- in it. This copy should not have been distributed
- and will not run with DOS 3.0 or higher.
-
- 255 The DOS version being run is less than version
- 2.0. Viruschk requires at least version 2.0 to
- run and at least 3.0 to perform it's self-check.
-
-
- COMMON PROBLEMS/REMEDIES:
-
-
- 1. Scan.exe cannot execute - Viruschk locks up system -
- scan.exe will execute when invoked manually.
-
- a. Memory - scan.exe requires 256K of RAM. Adding the
- overhead of Viruschk brings system requirements up
- to 384K. It doesn't actually require that much, but
- that is the next step up from 256K.
-
- b. Location - scan.exe MUST be located in C:\SECURITY.
- Because this location was mandated by CMC, it has
- been hard-coded into Viruschk. If it cannot
- execute the program c:\security\scan.exe, it is
- considered an error & the lock up is initiated on
- purpose. This prevents a virus from planting a
-
- _________________________________________________________________
-
- 3. This condition should *NEVER* happen! If it does, please
- contact me because I'm interested in knowing if this can
- actually happen.
-
-
-
- - 6 -
-
-
-
-
-
-
-
-
- trojan "scan" elsewhere in your path and having it
- executed by Viruschk.
-
- c. Version - starting with Viruschk version 2.01c,
- Viruscan (scan.exe) 7.2V77 is the minimum version
- required.
-
- 2. My warning screen comes out looking like a bunch of
- jumbled garbage.
-
- a. Most likely your screen was done in ANSI graphics
- and you do not have ansi.sys loaded. Insure that
- your config.sys file contains a line something to
- the effect of "device=c:\dos\ansi.sys". If it does
- not, add the line (make sure you give the correct
- path to ansi.sys), then reboot your system.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- - 7 -
-
-
-
-
-
-
-
-
- NETWORKS AND POLICY ENFORCEMENT:
-
-
- As a network administrator myself, I have become quite
- accustomed to users ignoring policy and doing exactly what they
- pleased on "their" PCs. In light of this, the "Enforcer" program
- has evolved. You should have received "enforcer.zip" as part of
- 4
- your distribution package . This file is a compressed library
- containing the enforcer executable files and documentation.
- Using the enforcer, all systems must be scanned with the Viruschk
- - Viruscan combination before access to the network will be
- allowed.
-
- Currently supported networks are Banyan VINES 3.xx &
- 4.xx.
-
- If you do not see your network listed please feel free to
- contact the author. It is the intent of the author to support
- all DOS based networks eventually.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- _________________________________________________________________
-
- 4. PKUnzip (PKWare) version 1.10 is required to extract the
- contents of this file.
-
-
-
- - 8 -
-
-
-
-
-
-
-
-
- NOTES:
-
-
- The author can be contacted to register or for support in
- the following ways:
-
- Commanding Officer
- Headquarters, 1st Marine Corps District (ISMO)
- 605 Stewart Avenue
- Garden City, NY 11530
- ATTN: SSgt Freivald
-
- Commercial phone - (516) 228-5635
- Autovon phone - 994-5635
- ELMS/MCDN - bk1md4:gisnad05
- Compuserve - 70274,666
- Internet - 70274.666@compuserve.com
- Prodigy - ktfp55a
- BBS - (516) 483-5841 (8,N,1 - 300-2400,9600 HST)
-
- I wrote this program to take care of two CMC mandates for
- the users of our network as transparently as possible. It has
- also been implemented on all of our remote/stand-alone systems.
- Those mandates are the access warning screen on system startup
- and the scanning of all hard drives at least once a week.
-
- Please contact me ASAP if you have any problems with this
- program. We have tested it on over 90 systems here at 1st
- District, but our configurations are pretty standard, so I can't
- GUARANTEE that it will run properly on ALL systems (although I
- believe it will).
-
- I am also open to comments and suggestions for
- improvements. Having reached this stage, updates are not very
- high on the priority list, but I will definitely entertain them.
- I may also be willing to produce custom versions for specific
- requirements. This will depend on what they are (the amount of
- work involved), requested delivery deadlines, and my current
- workload here at 1st District.
-
- If you would like to be placed on distribution for any
- future updates, simply drop me a message (either US Mail or
- Electronic Mail) with your name, unit, address (E-Mail!?), etc...
- Be sure to mention Viruschk, as I maintain distribution lists for
- a number of programs & want to be sure to get you on the right
- list..! Also, please mention the version that you currently
- have.
-
-
-
-
-
-
-
-
-
-
- - 9 -
-
-
-
-
-
-
-
-
- REVISION HISTORY:
-
-
- 2.1 Implemented the Banyan VINES version of
- "Enforcer".
-
- Cleaned up the formatting of the disk found
- line(s).
-
- 2.03 Fixed a bug that would cause a divide error with
- program termination if a RAM Drive or hard disk
- partition was smaller than one meg or had less
- than one meg free. Thanks to Aryeh Goretsky from
- McAfee Associates tech support for discovering it
- and bringing it to my attention.
-
- 2.02 Added the feature of "/NOBREAK" being passed to
- scan.exe only on the first run of any given day.
- This added the requirement for a 4 byte control
- file, which is named "c:\security\viruschk.lrd"
- (lrd stands for "last run date").
-
- 2.01c Updated the code to invoke scan.exe with the "/M",
- "/NOPAUSE" and "/NOBREAK" options. This update
- requires the use of Viruscan (scan.exe) version
- 7.2V77 or higher.
-
- 2.01b Added (actually just made consistent & documented)
- DOS errorlevel exits.
-
- 2.01a Captured the keystroke if the delay was bypassed
- to prevent inadvertent input to the next program
- run.
-
- 2.01 Added drive information display, changed 5 second
- delay to a 30 second delay bypassable with a
- keystroke, and made the warning screen optional.
-
- 2.0 Added integrity (virus) self-check, system
- interrogation for drive table and option to run on
- a specific day of the week. Converted from .exe
- to .com format. Documentation written. First
- general distribution.
-
- 1.0 First release, not distributed beyond First
- District users. Would only scan drive c:, had a
- fixed 5 second delay for the warning screen (which
- was required), and ran every day.
-
-
-
-
-
-
-
-
-
- - 10 -
-
-
-
