Text File | 1991-05-01 | 44KB | 1,014 lines
Documentation for TbScan V2.3
Regulations with regard to use and distribution of TbScan
---------------------------------------------------------
Both TbScan and the accompanying documentation are FREE-WARE. This
simply means the program is covered by the copyrights of ESaSS, but
can be used and distributed freely as long as the following
regulations are observed.
+ The program can be used by everyone, this also includes
commercial organisations, such as companies.
+ No charges may be made for either the TbScan program or the
accompanying documentation.
+ Concerning the distribution of the TbScan program no
administration and/or shipping costs exceeding the amount of
$5,- may be charged.
+ Distribution of TbScan may only take place when both the program
and the documentation are left unmodified and only when the
complete program is supplied.
+ So it is not allowed to distribute the program apart from the
documentation.
+ ESaSS accepts no responsibility in case the program malfunctions
or does not function at all.
+ ESaSS can never be held responsible for damage, directly or
indirectly resulting from the use of TbScan.
+ Using TbScan means that you agree on these regulations.
Description TbScan
------------------
TbScan is a program that was developed to trace viruses, Trojan
Horses and other threats to your valuable data. It is a so-called
virus scanner.
A virus scanner is a program that is able to search for a signature
that has been determined beforehand. Most viruses contain a
unique signature, so by checking for the appearance of
this signature we can see whether or not a program has been
infected.
By searching all your program files for the signatures of all
viruses already identified you can easily find whether your system
has been infected and, if that is the case, with which virus.
By now already lots of virus scanners have been developed. However
TbScan has a number of important and unique characteristics. These
are:
+ TbScan works extremely fast.
Most virus scanners do not work very quickly. This is
nevertheless very important because you are surely one of those
people who do not like to stare at their display for a quarter
of an hour. When a program works slowly it is used less often,
that is a fact. And even the best virus scanner is worthless
when it is not used.
That is why special attention has been paid to the speed of the
program. The result is that on average TbScan works ten times
faster compared to other virus scanners.
This speed can be achieved due to four measures:
1) The program has completely been written in machine
language.
2) The program uses the obsolete but faster FCB
functions of DOS.
3) The string search routine is highly optimised, and makes use
of special algorithms.
4) The program does not read the whole file, but only
the part in which viruses could appear. This is safe
because of the built-in interpreter that determines the
internal structure of a program. At the end of this file you
can read more about this interpreter.
+ TbScan can work separately from viruses that are already active
in the memory. This is possible through a built-in debugger!
A lot of viruses are memory resident, which means they lodge
themselves in the memory of your computer. From there they can
easily influence all active programs you use. There are already
viruses that "disinfect" a program file as soon as an attempt is
made to read it. When such a virus is active, a virus scanner,
reading a program file in order to check it, finds that the
file is not infected (which is true at that moment). But after
the program file has been read the file is immediately infected
again. So the virus scanner reports that no virus has been
found, but in reality it is actually there.
TbScan offers a unique solution for this problem: it contains
an automatic debugger that works its way through the chain of
interrupts "single stepping" until it reaches the DOS program
code. It saves the address which is then found and uses it for
the communication with DOS. In this way viruses will not see
anything of the operations of TbScan.
+ TbScan is fully programmable by means of a data file.
Most of the time viruses spread quickly. After a new virus has
been found there is often no time to adapt your virus checker
in order to make it capable of recognizing this new virus. That
is why TbScan uses a data file in which the signatures of the
viruses occur. This file can quickly be adapted, possibly by
yourself, for example when you are informed of a new virus
through the media. TbScan supports among other things the
format which is used in the file "virscan.dat". This file is
regularly adapted and can be obtained at a lot of data banks.
+ TbScan supports wildcards in the signature.
A lot of viruses encrypt themselves after each infection, so
the signatures always look different. There is one part of the
virus however that cannot be modified: the routine that has to
"unpack" the modified part of the virus.
But it is a misunderstanding that this part of the virus always
should look the same. The fact is there are viruses that pepper
their unpack-routine with useless instructions which have no
effect and which are continuously replaced by other nonsensical
instructions. Although the unpack-routine always functions the
same, it looks different every time because of these changing
fake instructions!
By inserting wildcards on places where the fake instructions
occur in the signatures of the data file, such a virus can
still be traced and identified. This is the case because any
character may be used on the place of a wildcard.
It is also possible to skip a variable amount of garbage bytes
in the signature.
+ TbScan supports normal text as the signature.
Most signatures are inserted in ASCII-HEX. But when desired you
can also specify a normal text as the signature. In this case
you put the text between double quotation marks.
+ TbScan can also search the memory of your PC for viruses.
When in the future viruses should be created that for some
reason cannot be found in the program file anymore, TbScan
offers you the possibility of tracing them in the memory of
your PC itself. So in any case you will know whether or not
your PC has been infected by a certain virus.
+ TbScan is able to scan Upper Memory and the HMA. Most of the
other scanners don't recognize this kind of memory.
+ TbScan also searches for viruses in the partition table of the
hard disk. Some viruses use the partition table as their
residence. Not all virus scanners inspect the partition table.
+ TbScan carries some special routines to check a stack of
diskettes at a high speed. You don't have to signal TbScan
via the keyboard that a diskette has been changed: It
determines this completely automatically.
USAGE OF THE PROGRAM
--------------------
TbScan is easy to use. The syntax is as follows:
TBSCAN [@][<path>][<filename>]... [<options>]...
Drive and path indicate where the search should start. To search the
disk C:\ and disk D:\ you have to enter:
TBSCAN C:\ D:\
When no filename has been specified but only a drive and/or path,
then the specified path will be used as top-level path. All its
subdirectories will be processed too.
When a filename has been specified then only the specified path
will be searched. Subdirectories will not be processed.
Wildcards in the filename are allowed. It is allowed to specify
"*.*". All executable files will be processed. If you want the
non-executables to be processed too, then you have to specify the
"-a" parameter in combination with the filename. "TBSCAN TEST.DAT"
will never process a file, because test.dat is not
an executable file. In this case you have to specify the -a
parameter.
You can also specify a response file to TbScan. A response file is
a file that contains a list of paths/filenames to be scanned.
Precede the file with the character '@' on the TbScan command line:
TBSCAN @TBSCAN.LST
It is possible to specify so-called options on the command line.
TbScan recognizes option-characters and option-words. The words are
easier to remember, and they will be used in this manual for
convenience.
Command line / environment options available:
-help,    -h = help                 -more,    -m = enable "More" prompt
-quiet,   -q = quiet mode           -verbose, -v = display entry points
-direct,  -d = direct calls         -analyze, -a = analyze/all files
-noboot,  -s = skip bootsector      -valid,   -u = force authorization
-once,    -o = run once a day       -compat,  -c = compatibility mode
-nomem,   -r = skip memory scan     -allmem,  +r = scan all in memory
-highmem, +e = incl. UMB and HMA    -nohmem,  -e = do not scan UMB/HMA
-nosub,   -n = not scan sub dirs    -sub,     +n = process sub dirs
-del[ete],-z = delete infected      -batch,   -b = don't ask keyb input
-repeat,  -x = scan multiple diskettes with auto disk change detect
-data <filename>, -f <filename>                 = data file to be used
-log [<filename>], +l [<filename>]              = append to log file
-session [<filename>], -l [<filename>]          = create session log
-ren[ame] [<new ext mask>], +z [<new ext mask>] = rename infected file
-help
If you specify this option TbScan will show you the brief help as
shown above.
-data
You can override the default path and name of the signature file by
using this option.
TbScan looks for the data file in this order:
1) If the -data option is used it will use the specified file.
2) It searches in the active directory for a file with the
name TBSCAN.DAT.
3) It searches in the active directory for a file with the
name TBSCAN.PRS (a pre-parsed datafile).
4) It searches for TBSCAN.DAT in the same directory as the
program file TBSCAN.COM itself is located (only DOS 3+).
5) It searches in the active directory for a file with the
name VIRSCAN.DAT.
If TbScan does not succeed in recognizing or locating the
appropriate data file by default, you should use the -data option.
-quiet
By default TbScan shows the name of every file it checks, together
with the used scanning method and the result of the inspection.
When this option has been specified you will only see a counter at
work when TbScan is operating. Of course, infected files will be
printed on the screen anyway.
-verbose
If you use this switch, TbScan will display the position from the
beginning of a file where the first stable code has been found.
This is the position of the part of the file that will be scanned.
-more
When you enter the parameter -M TbScan will stop after it has
checked the contents of one display. This gives you the
possibility to look at the results. (Of course the program takes
the number of lines of the display you use into account.)
-noboot
With this option there will be no search for viruses in the
bootsector of your hard disk.
-analyze
Normally TbScan only uses the analysis method when the program to
be checked is too complicated for the built-in interpreter. But
through option -A you can force TbScan to always use the analysis
method. Keep in mind though that the program will then work more
slowly.
When no filename has been specified only executable files will be
analyzed. If a filename has been specified, then ALL matching
files will be searched for viruses. In that case TbScan will also
search for EVERY virus in the list: the file type will be ignored.
-direct
TbScan communicates with DOS through interrupt 21h. To prevent this
from being "monitored" by viruses, option -direct can be entered.
TbScan will use its built-in debugger to work its way through the
chain of interrupts until it has reached the DOS entry point. This
address is shown on the display and after that moment it will be
used for the communication with DOS. The same applies to the
communications with the disk system: TbScan first searches for the
entry point of the BIOS, and performs direct calls into it.
Resident programs, such as viruses, are then excluded from taking
part in the virus scan process.
This implies however that the regular resident programs remain
ignorant too with regard to the file access by TbScan. That is why
you must not enter this option when you use a multitasker or when
you are connected to a local area network.
Also note that much protection software will be fooled by TbScan
when using the -direct option. Don't be surprised when it scans
files you don't actually have any access to...
When you do use this option do not popup resident programs while
TbScan is active! This is because resident programs do not know
that someone performs file access.
The use of disk cachers is no barrier to the use of option -direct.
When you have installed the Thunderbyte card in your PC, TbScan
will not search for the DOS entry point, but for the entry point of
Thunderbyte. Otherwise Thunderbyte should warn you (correctly)
that a program performs direct calls into DOS and the BIOS. So
only Thunderbyte remains between TbScan and DOS/BIOS. Since no
viruses can be inserted between Thunderbyte and DOS/BIOS, this is
completely safe.
-nomem
Through this option TbScan will not search for viruses in the
memory of your PC.
-allmem
If you specify this option TbScan will search for all viruses of
the signature file in the memory of your PC.
-highmem
Use this option if you want your upper memory (memory above the
640Kb limit) and video-memory to be searched for viruses too.
Normally TbScan will detect the presence of Upper Memory and the
HMA automatically if you use an XMS-driver, and you won't need this
option. But if TbScan does not recognize your upper memory and HMA,
you can force it with this option to scan that memory anyway.
-nohmem
This option is the opposite of the -highmem option. If TbScan
detects an XMS-driver and wants to scan upper memory and the HMA you
can override this by using the -nohmem option.
-log
When you use this parameter, TbScan creates a LOG-file. The
default filename is TBSCAN.LOG and will be created in the current
directory. You may optionally specify a path and filename. In the
LOG-file all infected program files are listed. The filenames are
mentioned including the complete path name. If the log file already
exists the information will not be overwritten but instead appended
to the file. If you use this option a lot it is recommended to
delete or truncate the log file every month to avoid unlimited
growth.
-session
This option is the same as the -L option, except that if there
already exists a log file the log information will be overwritten
instead of appended. A log file created by the -session option only
contains information of a single scanning session.
-nosub
By default TbScan searches subdirectories for executable files,
except when a filename (or wildcards) is specified. If you use
this option TbScan will never search in subdirectories.
-sub
If you use this option TbScan will always search in subdirectories,
even when you specify a filename or wildcards. Only subdirectories
matching the filename mask will be scanned too.
-valid
TbScan checks the signature file for modifications. If you change
the contents of that file TbScan will issue a warning. If you
don't want the warning to be displayed, use the -valid option.
-once
If you specify this option TbScan "remembers" that it has been used
that day, and it will not run again that day if
you specify this option again. This option is very powerful if you
use it in your autoexec.bat file in combination with a list file
like:
TbScan @every.day -once -rename
The first time it is invoked each day, TbScan now scans the list of
files and/or paths specified in the file "every.day". All other
times the machine boots that day, TbScan will return to DOS
immediately. This option does not interfere with the normal use of
TbScan: If you invoke TbScan without the -once option it will
always run, regardless of a previous run with the -once option. The
opposite is also true: if you use the option -once after TbScan has
been executed before that day without the -once option, TbScan will
still execute.
Note that if TbScan can not write to TbScan.Com because it is
read-only or on a write protected diskette the -once option will
not work.
-batch
If TbScan detects a file virus it prompts the user to delete or
rename the infected file, or to continue. If you specify the -batch
option TbScan will always continue. This option is intended to be
used in a batch file that would be executed unattended. It is
highly recommended to use a log file in this situation, otherwise
the scanning does not make very much sense.
-delete or -del
If TbScan detects a file virus it prompts the user to delete
or rename the infected file, or to continue. If you specify the
-delete option, TbScan will not ask the user what to do but it just
deletes the infected file. Use this option only if you have already
found out that your system is infected, have a trusted
backup, and want to get rid of all infected files at once.
-rename or -ren
If TbScan detects a file virus it prompts the user to delete
or rename the infected file, or to continue. If you specify the
-rename option, TbScan will not ask the user what to do but it just
renames the infected file. By default, the first character of the
file's extension will be replaced by the character "V". A .EXE file
will be renamed to .VXE, and a .COM file to .VOM. This prevents the
infected programs from being executed, but the program can still be
examined or repaired at a later time. You can also add a parameter
to this option specifying the target extension. The parameter
should always contain 3 characters, question marks are allowed. The
default target extension is "V??".
-repeat
This option is very powerful if you want to check a large number of
diskettes. TbScan does not return to DOS after checking a disk, but
waits until you have inserted another disk in the drive. You don't
have to press a key on the keyboard when ready, TbScan detects
automatically when the drive is ready to be accessed. This way you
can check a large number of diskettes without touching the
keyboard. One thing you will notice however is that the motor of
the disk drive keeps spinning, and the light stays on. This
does not harm your disk in any way, you can safely open and close
the drive-door while the motor still runs. Many backup programs
handle the drives the same way as TbScan does.
-compat
If you specify this option, TbScan tries to behave in a somewhat
more compatible way. At this time the only result is that TbScan
doesn't write directly to the screen anymore, but instead uses the
somewhat slower BIOS.
EXAMPLES:
TbScan \ -data c:\tbscan.dat -noboot
Process all executable files in the root directory and its
sub directories. Skip the bootsector scan. Use the
signature file "c:\tbscan.dat".
TbScan \*.*
Process all executable files in the root directory. Don't
process sub directories.
TbScan test.dat -log c:\test.log
No file will be processed. TEST.DAT is not an executable. A
LOG file with the name c:\test.log will be created.
TbScan test.dat test.tmp -analyze
Search test.dat and test.tmp for ALL viruses using the
analyze method.
TbScan c:\ -analyze -rename vi?
Process all executable files in the root directory and
its sub directories. Use the analyze method. Rename
infected files to a file by replacing the first two
characters of the extension by "VI". The last character
remains the same.
TbScan c:\*.* -analyze
Process ALL files in the root directory. Search for ALL
viruses in ALL files. The analyze-method will be used. Sub
directories will not be processed.
The last two examples show the difference in behaviour of the
-analyze parameter when a filename and when no filename has been
specified.
As long as TbScan has not found any infected programs you will only
see a list containing inspected files or, when you use option
-quiet, a counter at work. As soon as an infected program has been
found, the name of the infected program and the name of the virus
are printed (regardless of the use of option -quiet). If you did
not specify one of the options -batch, -rename or -delete, TbScan
will prompt you to delete or rename the infected file, or to
continue. If you choose to rename the file, the first character of
the extension will be replaced by the character "V". This prevents
the file from being executed accidentally.
You will see one of the next three terms behind every file name:
"Scanning", "Tracing", "Analyzing". This indicates the way in which
the file is checked.
Behind these terms you will see that, dependent on size, structure
and kind of file, a number of plus signs appear. These indicate how
often a complete part of the file, bootsector or memory has been
searched for viruses.
The process can be aborted by pressing Ctrl-C or Escape.
ENVIRONMENT VARIABLE TBSCAN
If you always want to use certain options it can be handy to use
the environment variable "TBSCAN" for this. If you always use the
option -noboot and always use a certain signature file you can
insert the following line into your autoexec.bat file:
SET TBSCAN=-LOG C:\TBSCAN.DAT -NOBOOT
TbScan now always acts like you specified the -noboot and -log
option on the command line!
Another good item to include in the environment variable is the
option -data, to specify which data file should be used by default.
FORMAT OF THE DATA FILE
-----------------------
The data file (called TBSCAN.DAT or VIRSCAN.DAT) can be read and/or
modified with every ASCII editor.
All lines beginning with ";" are comment lines. TbScan ignores
these lines completely. When the ";" character is followed by a
percent-sign the remaining part of the line will be displayed on
the screen. A maximum of 15 lines can be printed on the screen.
Nice for "HOT NEWS"...
In the first line the name of a virus is expected. The second line
contains one or more of the next words:
BOOT SYS EXE COM HIGH LOW
These words may be separated by spaces, tabs or commas.
BOOT means that the virus is a bootsector virus. SYS, EXE and COM
indicate the virus can occur in files with these extensions. Also
overlay files (with the extension OV?) will be searched for EXE
viruses. HIGH shows that the virus can occur in the memory of your
PC located above the TbScan program itself. LOW means that the
virus can occur in the memory of your PC located under the TbScan
program itself.
In the third line the signature is expected in ASCII-HEX. Every
virus byte is described by means of two characters. Instead
of two HEX characters, two question marks (the wildcard) may also
occur. The latter means that every byte on that position matches
the signature. Below you will find an example of a signature:
A5E623CB??CD21??83FF3E
You can also use the asterisk followed by an ASCII-HEX character to
skip a variable amount of bytes in the signature. The ASCII-HEX
character specifies the amount of bytes that should be skipped. The
signature could be:
A5E623CB*3CD2155??83FF3E
The next sequence of bytes will be recognised as a virus:
A5E623CB142434CD21554583FF3E
Instead of a signature in ASCII-HEX you can also specify a normal
text. This should be put between double quotation marks. A correct
signature is for example:
"I have got you!"
This series of three lines should be repeated for every virus.
Between all lines comment lines may occur.
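The record and signature syntax described above, as an added example
in Python (not part of the original documentation and not TbScan's
own code). It compiles each signature line to a byte regex and applies
the limits from the LIMITATIONS section; the virus names and sample
bytes are constructed, blank lines are assumed to be ignored, and since
the text does not say whether "*N" means exactly N or up to N bytes,
the hypothetical skip_exact flag selects the reading.

```python
import re

TYPE_WORDS = {"BOOT", "SYS", "EXE", "COM", "HIGH", "LOW"}
MAX_NAME, MAX_SIG, MAX_RECORDS = 30, 80, 600   # from the LIMITATIONS section
HEX = "0123456789ABCDEFabcdef"


def compile_signature(sig, skip_exact=False):
    """Turn one signature line into a compiled bytes regex."""
    if sig.startswith('"'):                     # normal text between double quotes
        if len(sig) < 3 or not sig.endswith('"'):
            raise ValueError("bad text signature")
        return re.compile(re.escape(sig[1:-1].encode("ascii")), re.DOTALL)
    if len(sig) > MAX_SIG:
        raise ValueError("ASCII-HEX signature longer than 80 characters")
    parts, i = [], 0
    while i < len(sig):
        pair = sig[i:i + 2]
        if pair == "??":                        # wildcard: any one byte
            parts.append(b".")
        elif len(pair) == 2 and pair[0] == "*" and pair[1] in HEX:
            n = int(pair[1], 16)                # skip count is one hex digit
            parts.append(b".{%d}" % n if skip_exact else b".{0,%d}" % n)
        elif len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
            parts.append(re.escape(bytes([int(pair, 16)])))
        else:
            raise ValueError("bad signature token %r" % pair)
        i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def parse_data_file(text, skip_exact=False):
    """Return a list of (name, types, pattern) from data-file text."""
    records, pending = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):    # comments (";%" news lines too)
            continue
        pending.append((lineno, line))
        if len(pending) < 3:
            continue
        (n_no, name), (t_no, kinds), (s_no, sig) = pending
        pending = []
        if len(name) > MAX_NAME:
            raise ValueError("Error in data line at line %d" % n_no)
        types = {w for w in re.split(r"[ \t,]+", kinds) if w}
        if not types or not types <= TYPE_WORDS:
            raise ValueError("Error in data line at line %d" % t_no)
        try:
            pattern = compile_signature(sig, skip_exact)
        except ValueError as exc:
            raise ValueError("Error in data line at line %d: %s" % (s_no, exc)) from None
        records.append((name, types, pattern))
    if pending:
        raise ValueError("incomplete record at end of data file")
    if len(records) > MAX_RECORDS:
        raise ValueError("Limit exceeded")
    return records


def scan(data, records, kind):
    """Search data for every signature whose type line lists `kind`."""
    hits = []
    for name, types, pattern in records:
        match = pattern.search(data) if kind in types else None
        if match:
            hits.append((name, match.start()))
    return hits


# Constructed sample data file; the signatures are the ones quoted above.
SAMPLE_DAT = """\
;%Constructed sample data file
; virus names below are made up
Sample-Skip
COM, EXE
A5E623CB*3CD2155??83FF3E
Sample-Text
COM
"I have got you!"
Sample-Wild
BOOT
A5E623CB??CD21??83FF3E
"""

if __name__ == "__main__":
    recs = parse_data_file(SAMPLE_DAT)
    # Two filler bytes followed by the byte sequence quoted in the text.
    image = bytes.fromhex("9090" "A5E623CB142434CD21554583FF3E")
    print(scan(image, recs, "COM"))
```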
LIMITATIONS
-----------
+ 192 Kb of free memory is sufficient.
+ DOS version 2.0 or later is obligatory.
+ The size of the data file has a maximum of 64 Kb.
+ The name of a virus may consist of maximally 30 characters.
+ The ASCII-HEX signature can consist of maximally 80 characters.
+ Up to 600 different signatures may be given.
+ Directories may be nested up to 15 levels.
ERROR MESSAGES
--------------
Error messages that can be displayed:
+ Not enough memory
There is not enough free memory.
+ Error in data line at line <number>.
There is an error in the mentioned line of the data file.
+ Failed to find DOS entry point.
TbScan has not been able to find the DOS entry point, but
continues as if option -direct has not been specified.
+ Error reading bootsector.
The bootsector could not be read and is therefore not checked.
+ Limit exceeded.
The data file was too long or too many virus signatures
occur in it.
+ Data file not found.
TbScan has not been able to find the data file.
+ Command line error.
A wrong parameter has been given to TbScan.
+ No matching files found.
The path specified does not exist, is empty, or the specified
file does not exist.
+ No matching executable files found.
The path specified does not exist, is empty, or the specified
file does not exist or is not an executable file.
TbScan terminates with one of the following exit codes:
Error level 2 when path or command line is not correct.
Error level 1 when infected files were found.
Error level 0 when everything was okay.
THE INTERPRETER
---------------
You can safely skip this part of the documentation. It just offers
information to programmers who want to know why and how the file
interpreter of TbScan is working.
Viruses can infect program files only in certain ways. For a virus
there is only one single point in a program file of which it is
certain that it must be executed, namely the starting point of
the program. It cannot be sure of any other point and that is why
it will not try to put its first code on an arbitrary spot of the
program that it is planning to infect. The virus will always have
to put AT LEAST one jump at the entry point of the program.
TbScan uses this knowledge to restrict the number of bytes that
have to be read in of a file as much as possible. Just as the
loader of DOS itself, it determines where the entry point of the
program is located. (At the beginning of a COM-file and on an
address, specified in the EXE-header of an EXE-file.)
This is however not enough; there can also be a jump or another
branch instruction on the found starting point of the program.
TbScan will follow this jump until it does not come across a jump
anymore. Then we have found the real starting point of the program
or, in case it has been infected, the virus.
There is a possibility however that at a certain moment TbScan has
reached the end of a chain of jumps and then finds that there are
new significant IP modifying instructions (calls, rets, irets,
jumps) not far from the found starting point. Does this future
jump point to the virus code or are we already on the right spot?
TbScan does not take any chances and in such a case it will read in
the whole file to search for viruses. Only when it is 100% sure
to have found the real starting point of a file, where in addition
at least 20 bytes of continuous code are situated (the code is
"stable" then), TbScan will be satisfied with checking only the
first 3 Kb of the found code. (Almost all viruses use less than 3
Kb and of viruses using more than 3 Kb the signature in the first 3
Kb of the virus is used as the signature.)
A nice advantage of this interpreter is that the number of times a
false alarm is given decreases. Because of this signatures can be
shorter than usual which is desirable because the unmodified parts
of the viruses become shorter every time.
Behind the name of every program the used method appears. These are:
1) Scanning. This means TbScan has been able to find the
entry point of the program with success and that the code
it has found there was stable.
2) Tracing. This means TbScan has followed a chain of at
least 1 jump from the entry point. The final code was
stable. This method will be used especially for TSR's
because most of the time they start with a jump instruction.
3) Analyzing. Because there was no stable code on the found
position TbScan was not completely sure of where the
starting point of the program was. For safety the whole
file is read in and inspected. Files with extension SYS
are always searched according to this method.
Obviously, if you want to, you can force TbScan by means of
option -A to use always the analyzing method.
Note: Most viruses will be found in a file that has been searched
according to the analysis method. However this does not mean this
method is more reliable than the other ones, but it is a result of
the fact that a virus in a program relocates itself first most of
the time (adapt CS/IP relation). This is always accompanied by a
CS and IP modifying instruction because of which TbScan
automatically (and correctly) concludes the code is not stable
enough. That is why an infected program is often checked using the
analysis method.
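The entry-point tracing described in this section, as an added Python
example (not TbScan's code). It locates the entry point the way the DOS
loader does, follows only short and near JMP instructions (opcodes EB
and E9), and returns the region to be scanned. Assumptions: the
"stable code" test is reduced to requiring 20 bytes at the final target,
because a real test needs an instruction decoder, and loops or
out-of-range targets fall back to the whole file.

```python
import struct

WINDOW = 3 * 1024     # only the first 3 Kb of the found code is checked
MIN_CODE = 20         # at least 20 bytes of continuous code


def entry_point(image):
    """Return (header_bytes, cs, ip) as the DOS loader would derive them."""
    if image[:2] in (b"MZ", b"ZM") and len(image) >= 0x18:
        (hdr_paras,) = struct.unpack_from("<H", image, 0x08)
        ip, cs = struct.unpack_from("<HH", image, 0x14)
        return hdr_paras * 16, cs, ip
    # .COM file: loaded at PSP:0100h, i.e. segment -10h relative to the image
    return 0, 0xFFF0, 0x0100


def file_offset(hdr, cs, ip):
    """Map CS:IP (relative to the load segment) to an offset in the file."""
    return hdr + ((cs * 16 + ip) & 0xFFFFF)


def trace(image, max_hops=32):
    """Return (method, start, end, hops) for the part of the file to scan."""
    whole = ("Analyzing", 0, len(image))
    hdr, cs, ip = entry_point(image)
    seen, hops = set(), 0
    while True:
        off = file_offset(hdr, cs, ip)
        # Jump loop, runaway chain, or target outside the file: no chances taken.
        if ip in seen or hops >= max_hops or off > len(image) - 3:
            return whole + (hops,)
        seen.add(ip)
        op = image[off]
        if op == 0xEB:                                   # JMP rel8
            (rel,) = struct.unpack_from("<b", image, off + 1)
            ip = (ip + 2 + rel) & 0xFFFF
        elif op == 0xE9:                                 # JMP rel16
            (rel,) = struct.unpack_from("<h", image, off + 1)
            ip = (ip + 3 + rel) & 0xFFFF
        else:
            break
        hops += 1
    if off + MIN_CODE > len(image):                      # too little code left
        return whole + (hops,)
    method = "Tracing" if hops else "Scanning"
    return (method, off, min(off + WINDOW, len(image)), hops)


def sample_com_with_jump(body_at=5000):
    """Constructed .COM image: JMP at offset 0 to a 40-byte body at the end."""
    jump = b"\xE9" + struct.pack("<h", body_at - 3)
    return jump + b"\x00" * (body_at - 3) + b"\x90" * 40


if __name__ == "__main__":
    print(trace(b"\xB4\x09" + b"\x90" * 62))   # plain entry code
    print(trace(sample_com_with_jump()))        # one jump to code at the end
    print(trace(b"\xEB\xFE" + b"\x90" * 62))   # jump to itself
```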
TBSCANX
-------
There is also a (shareware) memory resident version of TbScan
available with the name TbScanX. This version remains resident in
memory and automatically scans every file immediately when it is
going to be executed, copied, unarchived, downloaded, etc.
TbScanX performs even faster compared to TbScan, and uses not much
memory. It is even possible to reduce the memory requirements of
TbScanX to zero! TbScanX is for example able to make use of unused
video-memory.
TbScanX is available on many BBSes. It is of course also available
at any Thunderbyte support BBS. At the end of this document you can
find some phone numbers.
THUNDERBYTE
-----------
Virus scanners have a number of very serious disadvantages!
+ They cannot prevent infection.
Virus scanners can only tell you whether or not your system has
been infected and if so, whether any damage has already been
done. By then only a good (non-infected) backup can still save
you.
+ They can only recognize viruses that have already been
identified. When a new virus has been launched it will take a
while before someone discovers it. After that it will take some
time before a reliable signature is distilled from the virus
and it will also take a while for you to get hold of the newest
virscan.dat. All this means that there is a real chance that
your system is infected at a moment virus scanners have not yet
recognized "your" virus!
+ You will have to do an active operation in order to protect
your system: namely executing the virus scanner. Even with
TbScan this takes time and so it is unpleasant. Certainly when
a PC is used by more than one person, like for instance in
companies, things go wrong quite often.
Viruses get more and more advanced, among other things because of
all the attention the media is paying to the computer virus
phenomenon. It has even become a real sport for sick minds to write
computer viruses. Even viruses that have no stable signature
anymore have already been discovered. Because TbScan allows
wildcards in the data file it can still trace this kind of virus
quite often. But it will not take much time anymore before viruses
will be created that have no special characteristics at all by
which they can be identified. And then even TbScan cannot help you
anymore. Even viruses that look for the DOS entry point in the same
way as TbScan does, avoiding detection by protection programs in an
effective way, already exist.
Providing programs with a checksum is not a solution either: as soon
as a file is read in, viruses can disinfect it, so every infected
program looks like one that is not.
There is however ONE solution for the above-mentioned problems:
*** ThunderByte! ***
ThunderByte was developed to protect Personal Computers against
computer viruses, Trojan Horses and other threats to valuable data.
It is a hardware protection, consisting of an adapter card, an
installation and configuration program and a clear manual. The
working of ThunderByte is not based on knowledge of specific
viruses, so ThunderByte also protects against future viruses.
A hardware protection offers much more protection than a software
protection. ThunderByte is already active before the operating
system is loaded, so the computer will be totally protected right
after the starting of the PC.
Because of the many configuration possibilities and the intelligent
algorithms, the use of ThunderByte will never become a burden: you
will hardly notice the presence of ThunderByte in an environment
without any viruses.
Advantages of a hardware protection:
+ The protection uses very little (1Kb) RAM
+ The protection is already active before the first boot attempt
of the PC, and therefore also protects against bootsector
viruses. A software protection cannot protect you against
bootsector viruses, since it has not been executed at boot
time.
+ The hard disks cannot be accessed directly anymore, because
ThunderByte is connected to the hard disk cable.
+ It is impossible to forget to start ThunderByte, even if the
machine is booting with a diskette.
ThunderByte offers you many kinds of protection:
+ Protection against loss of data.
ThunderByte is connected between the cable of the hard disk and
the controller. It prevents the hard disk from being accessed
directly. The only way to access the drive from now on is by
initiating an int 13h.
In addition ThunderByte detects all direct disk writes which
try to modify or damage the data and it checks which program
orders the execution of such operations. Only the operating
system can perform these operations without being reported.
Standard DOS already has the possibility of protecting files
against overwriting and modification by means of the read only
attribute. However this protection can be very easily
eliminated by software. But ThunderByte prevents this
protection from being disabled without this being noticed, so
it is now possible after all to protect your files effectively
with a standard method.
+ Protection against infection.
ThunderByte protects programs (files with the extension EXE,
COM or SYS) against infection by judging all modifications on
their intention. The functionality is not influenced by this.
Compiling, linking, etc., are not disturbed and neither are
programs that save their configuration internally.
Furthermore software can be protected with the help of the
aforementioned read only attribute.
Attempts to modify the bootsector of the disk are detected, so
the dreaded bootsector viruses are also eliminated. Keep in
mind that the bootsector can hardly be protected by software.
Only ThunderByte already becomes active before the system
tries to boot!
+ Detection of viruses.
In addition to the abovementioned ways of detecting the
presence of viruses, ThunderByte can also do so because viruses
carry out a number of special operations. For example, the
marking of already infected programs in order to recognize
them, is detected by ThunderByte. So are the attempts of
viruses to reside in the memory in a suspicious way and the
abnormal manipulations with interrupt vectors.
+ Password protection.
ThunderByte has the possibility of installing a password.
There are two kinds of passwords: one that is always asked for
or one that you only have to enter when attempts are made to
start from a diskette instead of the hard disk.
+ Safety.
A lot of attention has been paid to the safety of ThunderByte.
The program code of ThunderByte is located in ROM and there is
no way it can be modified.
There is not one method of eliminating ThunderByte through
software. All the important settings are realized with the help
of dipswitches on the adapter card. And despite all their
wasted intelligence, viruses will never be able to turn
switches or to influence their read outs.
Viruses that approach the controller of the hard disk directly
will have a rude awakening: ThunderByte will only pass disk
writes when the write or format command has followed the normal
(checked) course.
There are a lot of different versions of ThunderByte
(functioning identically however) that are supplied at random.
That is why knowledge of the internal working of only one
ThunderByte system is not sufficient to damage or destroy its
protective working.
ThunderByte is constantly checking upon its own variables with
a kind of control number that is different for each version.
The positions of the memory where the variables are kept are
also different for each version.
+ Extra possibilities.
ThunderByte offers you some interesting bonuses, like booting
from drive B:, formatting of 5,25" diskettes up to 428 Kb on a
normal XT.
CONCLUSION
----------
Are you surprised about the relatively great effect and
inventiveness of such a small (8 Kb) virus scan program? Get
Thunderbyte and keep on amazing yourself!
If you appreciate TbScan or if it has already been of help in a
difficult situation:
Do not send us any money, but get yourself Thunderbyte!
(or register at least the use of TbScanX).
NAMES AND ADDRESSES
-------------------
For more information about Thunderbyte you can contact:
ESaSS B.V.           Tel:  + 31 - 80 - 787 771
P.o. box 1380        Fax:  + 31 - 80 - 777 327
6501 BJ Nijmegen     Data: + 31 - 85 - 212 395
The Netherlands      (2:280/200 @fidonet)
TbScan is written by Frans Veldman.
TbScan, TbScanX and the signature files (TbVirSig) are available on
Thunderbyte support BBSes:
The Netherlands: 2:280/200 @fidonet
ESaSS/Thunderbyte support BBS, Phone: + 31 - 85 - 212 395
Germany: 2:245/50 @fidonet
Androtec, Phone: + 49 - 2381 - 461 565
If you are running an electronic mail system, you can also
file-request TBSCAN to get the latest version of TBSCAN.COM,
TBSCANX to get the resident automatic version of TBSCANX, and
VIRUSSIG to obtain a copy of the latest update of the signature
file.