home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Cream of the Crop 21
/
Cream of the Crop 21 (Terry Blount) (October 1996).iso
/
virus
/
tbw95705.zip
/
APPNOTES.DO_
/
APPNOTES.DO
Wrap
Text File
|
1996-09-10
|
6KB
|
110 lines
TBAV has been designed to provide good performance, reliability and
compatibility. In most cases the TBAV utilities will work as expected.
However, in combination with some other applications, problems may
occur if no special measures are taken. These applications are listed
below.
EZ-DRIVE
Problem:
I have an enhanced IDE disk of 1 Gigabyte and I have created
one large partition on it. Afterwards my system got infected and
now I am unable to clean it.
Explanation:
The ROM BIOS is unable to support large disks. Most enhanced
IDE disks are able to act as two different drives, working
around the ROM limitations. However, if you create just ONE
but very large partition, this workaround can not be used
anymore. Instead, EZ-DRIVE puts a special resident program on
the first track of your disk. It takes care of the BIOS
translations necessary to access the disk. Since the first
track of a disk is supposed to contain the partition table and
master boot record, it features some stealth capabilities, by
hiding itself and acting as if these sectors are there.
Actually, it works exactly the same as some advanced bootsector
viruses. Now, supposed you get infected by a bootsector virus.
Several things may happen:
1) A multipartite virus got active after the EZ-DRIVE driver was
executed. The virus made a copy of the master boot record (this
is what it sees since EZ-DRIVE is active and hides itself). Now,
if the system boots, the virus becomes resident and tries to
execute the original master boot record. It should however
execute the EZ-DRIVE driver, but doesn't know that. The system
now tries to boot without the necessary BIOS translations and
becomes inaccessable.
2) The virus executes after booting from a diskette and makes
correctly a copy of the EZ-DRIVE driver, and puts itself in the
space behind the master boot record, which is usually not used.
EZ-DRIVE however uses this space, but now it is overwritten.
When the system boots, EZ-DRIVE will be loaded by the virus, but
is partly overwritten and doesn't work anymore.
3) The virus contains its own bootsector loader. The virus
interprets the EZ-DRIVE driver as a partition table, and tries
to boot from the bootsector pointed by by the assumed partition
table. A system crash will be the result.
An anti-virus system even makes things worse. Depending on the
anti-virus product, the virus, and the EZ-DRIVE version, it may
see one of the following sectors when it tries to read the
partition sector:
1) The original master boot record.
2) The EZ-DRIVE driver.
3) The virus.
Things will usually work OK when you scan the system for viruses,
but a problem will occur if you try to repair an infected system.
Workaround:
Boot from a clean diskette. Do NOT use the EZ-DRIVE feature to
load the EZ-DRIVE driver before booting from the diskette. Put the
diskette into the drive and close the drive before switching on
the machine. Now use TbUtil to make a safety backup of your
partition table.
An even better approach is to divide the drive into two (or more)
partitions and not use the EZ-DRIVE large partition feature.
This gives you additional benefits like a faster disk response,
less slack space (because of the smaller cluster sizes), and the
ability to separate the code from the data files, making maintenance
and disaster recovery much easier.
MEMORY OPTIMIZERS
Problem:
Some memory optimizers, like MemMax, MemMaker and Optimize, will
not work properly if used in combination with the resident TBAV
utilities. The resident TBAV utilities can act as device drivers
as well as normal executables, depending on the way they are
loaded, and this confuses some memory optimizers. The TBAV
utilities also hook themselves into DOS for better virus
protection, and they can not be moved in memory once loaded. Any
attempt to do so will hang the machine.
Workaround:
Remove the TBAV utilities from the AutoExec.Bat file and/or
Config.Sys file and run the memory optimizer. Add the TBAV
utilities again to the AutoExec.Bat and Config.Sys file, and
highload them if desired.
DOS APPEND
Problem:
The /X switch of the DOS APPEND command is very dangerous: if
you APPEND a directory with /X and then delete *.BAK when no
such files exist in the current directory, then the .BAK files
in the APPENDed directory will be deleted instead. APPEND is
able to 'fool' programs by accessing another file than the file
requested by the application, if a file with the same name
exists in another directory. This also applies when one of the
TBAV utilities needs to consult an Anti-Vir.Dat file: The
Anti-Vir.Dat file of another directory might be accessed instead
of the intended one.
Workaround:
TbSetup and TbScan switch off APPEND automatically if they
detect that it has been loaded, but the resident TBAV
utilities don't. It is therefore recommended to be very
careful if you need to use the APPEND /X option and to
switch it off as soon as you don't need it anymore.