Category : System Diagnostics for your computer
Archive   : TBAV630.ZIP
Filename : TBAV.DOC

 



SECTION 0. INTRODUCTION
1. How to use the manual . . . . . . . . . . . . . . . . . 0 - 1
2. Overview of the TBAV utilities . . . . . . . . . . . . 0 - 1

SECTION I. INSTALLING TBAV
1. How to install TBAV . . . . . . . . . . . . . . . . . I - 1
1.1 Initial installation . . . . . . . . . . . . . . I - 1
1.2 Menu and command syntax . . . . . . . . . . . . . I - 4
2. Configuration . . . . . . . . . . . . . . . . . . . . . I - 6
3. TbSetup . . . . . . . . . . . . . . . . . . . . . . . . I - 8
3.1. The Purpose of TbSetup . . . . . . . . . . . . . I - 8
3.2. How to use TbSetup . . . . . . . . . . . . . . . I - 8
3.3. Command line options . . . . . . . . . . . . . . I - 13
3.4. While executing . . . . . . . . . . . . . . . . I - 15
4. TbDriver . . . . . . . . . . . . . . . . . . . . . . . I - 18
4.1. Purpose of TbDriver . . . . . . . . . . . . . . I - 18
4.2. Command line options . . . . . . . . . . . . . . I - 18
4.3. Language support . . . . . . . . . . . . . . . . I - 21
5. System maintenance . . . . . . . . . . . . . . . . . . I - 22
6. Network maintenance . . . . . . . . . . . . . . . . . . I - 23
6.1. Using DOS REPLACE . . . . . . . . . . . . . . . I - 23
6.2. Using PkUnZip . . . . . . . . . . . . . . . . . I - 23

SECTION II. ANTI-VIRUS STRATEGY
1. Protection against viruses . . . . . . . . . . . . . . II - 1
1.1. Introduction . . . . . . . . . . . . . . . . . . II - 1
1.2. Basic precautions . . . . . . . . . . . . . . . II - 1
2. What to do when a virus strikes . . . . . . . . . . . . II - 6
2.1. Detection of viruses . . . . . . . . . . . . . . II - 6
2.2. Recovering from viruses . . . . . . . . . . . . II - 7

SECTION III. USING THE TBAV UTILITIES
1. TbScan . . . . . . . . . . . . . . . . . . . . . . . III - 1
1.1. The Purpose of TbScan . . . . . . . . . . . . III - 1
1.2. How to use Tbscan . . . . . . . . . . . . . . III - 2
1.3. Command line options . . . . . . . . . . . . . III - 11
1.4. The scanning process . . . . . . . . . . . . . III - 18
2. TbScanX . . . . . . . . . . . . . . . . . . . . . . . III - 22
2.1. The Purpose of TbScanX . . . . . . . . . . . . III - 22
2.2. How to use TbScanX . . . . . . . . . . . . . . III - 22
2.3. Command line options . . . . . . . . . . . . . III - 23
2.4. While scanning . . . . . . . . . . . . . . . . III - 26
3. TbCheck . . . . . . . . . . . . . . . . . . . . . . . III - 28
3.1. The Purpose of TbCheck . . . . . . . . . . . . III - 28
3.2. How to use TbCheck . . . . . . . . . . . . . . III - 28
3.3. Command line options . . . . . . . . . . . . . III - 29
3.4. While checking . . . . . . . . . . . . . . . . III - 31
3.5. Testing TbCheck . . . . . . . . . . . . . . . III - 31
4. TbClean . . . . . . . . . . . . . . . . . . . . . . . III - 32
4.1. The Purpose of TbClean . . . . . . . . . . . . III - 32
4.2. How to use TbClean . . . . . . . . . . . . . . III - 33
4.3. Command line options . . . . . . . . . . . . . III - 35
4.4. The cleaning process . . . . . . . . . . . . . III - 36


TBAV user manual (C) Copyright 1994 Thunderbyte B.V. CONTENTS


5. Ongoing virus prevention: TbMon . . . . . . . . . . . III - 40
5.1. TbMem . . . . . . . . . . . . . . . . . . . . III - 41
5.2. TbFile . . . . . . . . . . . . . . . . . . . . III - 45
5.3. TbDisk . . . . . . . . . . . . . . . . . . . . III - 47
6. TBAV Tools . . . . . . . . . . . . . . . . . . . . . III - 53
6.1. TbUtil . . . . . . . . . . . . . . . . . . . . III - 53
6.2. TbLog . . . . . . . . . . . . . . . . . . . . III - 61

SECTION IV. ADVANCED USER INFORMATION
1. Memory requirements . . . . . . . . . . . . . . . . . . IV - 1
2. TbSetup . . . . . . . . . . . . . . . . . . . . . . . . IV - 3
2.1. Anti-Vir.Dat design considerations . . . . . . . IV - 3
2.2. Format of TbSetup.Dat . . . . . . . . . . . . . IV - 3
2.3. TBAV site installation . . . . . . . . . . . . . IV - 5
3. TbScan . . . . . . . . . . . . . . . . . . . . . . . . IV - 7
3.1. Heuristic scanning . . . . . . . . . . . . . . . IV - 7
3.2. Integrity checking . . . . . . . . . . . . . . . IV - 8
3.3. Program validation . . . . . . . . . . . . . . . IV - 9
3.4. The algorithms . . . . . . . . . . . . . . . . . IV - 9
3.5. The TbScan.Lng file . . . . . . . . . . . . . IV - 11
3.6. The TBAV.MSG file . . . . . . . . . . . . . . IV - 11
4. TbClean . . . . . . . . . . . . . . . . . . . . . . . IV - 12
5. TbGensig . . . . . . . . . . . . . . . . . . . . . . IV - 15
5.1 The Purpose of TbGenSig . . . . . . . . . . . . IV - 15
5.2 Defining signatures . . . . . . . . . . . . . . IV - 15
5.3 Keywords . . . . . . . . . . . . . . . . . . . IV - 18
5.4 Wildcards . . . . . . . . . . . . . . . . . . . IV - 21

Appendix A. TBAV messages

Appendix B. TbScan - Heuristic flag descriptions

Appendix C. Solving incompatibility problems

Appendix D. Batch file handling

Appendix E. Virus naming




SECTION 0. INTRODUCTION


1. How to use the manual

Congratulations! By purchasing the ThunderBYTE Anti-Virus utilities you
have taken the basic step in building a massive anti-viral safety wall
around your precious computer system. Setting up the appropriate defense,
using the TBAV utilities, is a 'personal matter'. Therefore, we highly
recommend that you read this manual thoroughly, so that you are well aware
of all the different kinds of security measures you may take.

This manual consists of four main sections. Section I instructs you how
to install the TBAV utilities on your hard disk(s), including some
useful hints on customized initialization. Section II gives instructions
on how to prevent viruses from infecting your computer system(s) and
directions on what to do when you actually have been struck by a
computer virus.

In section III, both purpose and functionality of all TBAV utilities are
described. For those who want to know more about the subject, some
'advanced user information' on the ThunderBYTE Anti-Virus utilities is
presented in section IV.

You may use the TBAV manual as a reference manual, via an extensive
index and appendices referring to the TBAV error messages.

=> Note that a complete reading of the manual is indispensable in order to
become familiar with the many facets of ThunderBYTE Anti-Virus, to know
what steps can - and must - be taken to ensure adequate protection and
to be fully prepared for a complete recovery, if and when disaster
strikes.


2. Overview of the TBAV utilities

What is ThunderBYTE Anti-Virus?

ThunderBYTE Anti-Virus (TBAV) is a comprehensive toolkit designed to
protect against - and recover from - computer viruses. While TBAV
focuses heavily on numerous ways to prevent a virus infection, the
package would not be complete without various cleaner programs to purge
a system, in the unlikely event that a virus manages to slip through.
The package therefore consists of a number of programs, each of which
helps you prevent viruses from doing their destructive jobs. Here is a
quick overview.


Collecting software information: TbSetup

TbSetup is a program that collects information from all software found
on your system. The information will be put in files named Anti-Vir.Dat.


The information maintained in these files can be used for integrity
checking, program validation, and to clean infected files.


Enable memory resident TBAV utilities: TbDriver

TbDriver does not provide much protection against viruses by itself, but
must be loaded in advance to enable the memory resident ThunderBYTE
Anti-Virus utilities, such as TbScanX, TbCheck, TbMem, TbFile and TbDisk,
to perform properly. It also provides basic protection against ANSI
bombs and 'stealth' viruses.


Scanning for viruses: TbScan

TbScan is both a very fast signature scanner and a so-called heuristic
scanner. Besides its blazing speed it has many configuration options. It
can detect mutants of viruses, it can bypass stealth type viruses, etc.
The signature file used by TbScan is a coded 'TbScan.Sig' file, which
you can update yourself in case of emergency. TbScan is able to
disassemble and decrypt files. This makes it possible to detect suspicious
instruction sequences and to detect yet unknown viruses. This generic
detection, named heuristic analysis, is a technique that makes it possible
to detect about 90% of all viruses by searching for suspicious instruction
sequences rather than using any signature. For that purpose TbScan
contains a disassembler, decryptor and code analyzer.

Another feature of TbScan is the integrity checking it performs when it
finds the Anti-Vir.Dat files generated by TbSetup. 'Integrity checking'
means that TbScan will check that every file being scanned matches the
information maintained in the Anti-Vir.Dat files. If a virus infects a
file, the maintained information will not match the now changed file
anymore, and TbScan will inform you about this.

TbScan performs an integrity check automatically, and it does not have
the false alarm rate other integrity checkers have. The goal is to
detect viruses and not to detect configuration changes!


Automatic scanning: TbScanX

TbScanX is the memory resident version of TbScan. This signature scanner
remains resident in memory and automatically scans those files which are
being executed, copied, de-archived, downloaded, etc. TbScanX does not
require much memory. It can swap itself into expanded, XMS, or high
memory, using only 1Kb of conventional memory.


Check while loading: TbCheck

TbCheck is a memory resident integrity checker. This program remains
resident in memory and automatically checks every file just before it is
being executed. TbCheck uses a fast integrity checking method, consuming
only 400 bytes of memory. It can be configured to reject files with
incorrect checksums, and/or to reject files that do not have a
corresponding Anti-Vir.Dat record.
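The integrity checking that TbSetup, TbScan and TbCheck share, sketched as an
added Python example. This is not Thunderbyte's code: the record layout (size,
CRC-32, SHA-256), the in-memory baseline standing in for Anti-Vir.Dat and the
sample files are all assumptions made for the example. A baseline is recorded
for each program; a check run just before execution reports whether the file
matches, has changed, or has no record at all, which is the distinction that
TbCheck's two rejection settings are built on.

```python
"""Added example of baseline-and-verify integrity checking. Not
Thunderbyte's code; the record layout and the baseline dict are assumed."""
import hashlib
import os
import tempfile
import zlib


def fingerprint(path):
    """Return the record kept for one file: (size, crc32, sha256)."""
    crc = 0
    sha = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
            size += len(chunk)
    return (size, crc & 0xFFFFFFFF, sha.hexdigest())


def build_baseline(paths):
    """TbSetup's role: record a fingerprint for every file listed."""
    return {os.path.basename(p): fingerprint(p) for p in paths}


def check_file(baseline, path):
    """TbCheck's role, run once just before a program would execute.
    Returns 'ok', 'modified' or 'unknown' (no record for this file)."""
    name = os.path.basename(path)
    if name not in baseline:
        return "unknown"
    # A size change alone is cheap to spot; the CRC and SHA-256 also
    # catch modifications that keep the file the same size.
    return "ok" if fingerprint(path) == baseline[name] else "modified"


def should_execute(status, reject_unknown=False):
    """Policy: modified files are always refused; files without a record
    are refused only when configured so (TbCheck's optional rejection)."""
    if status == "modified":
        return False
    if status == "unknown":
        return not reject_unknown
    return True


def demo():
    """Constructed scenario: two 'programs', one later modified in place
    without changing its size, plus a third with no baseline record.
    Returns the three statuses."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "GOOD.EXE")
        victim = os.path.join(d, "VICTIM.EXE")
        newcomer = os.path.join(d, "NEW.EXE")
        for p in (good, victim):
            with open(p, "wb") as fh:
                fh.write(b"MZ" + b"\x90" * 100)
        baseline = build_baseline([good, victim])
        with open(victim, "r+b") as fh:   # same-size modification
            fh.seek(50)
            fh.write(b"\xcc\xcc\xcc")
        with open(newcomer, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 10)
        return (check_file(baseline, good),
                check_file(baseline, victim),
                check_file(baseline, newcomer))


if __name__ == "__main__":
    print(demo())
```

The point the manual makes about false alarms applies here too: a baseline
only detects that a file changed, not why, so every legitimate update of a
program has to be followed by refreshing its record, exactly as TbSetup is
re-run after installing new software.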


Restoring infected boot-sector, CMOS and partition tables: TbUtil

Some viruses copy themselves into the hard disk's partition table, which
makes them far more difficult to remove than bootsector viruses.
Performing a low-level format is an effective, but rather drastic measure.
TbUtil offers a more convenient alternative by making a precautionary
back-up of uninfected partition tables and the boot sector. If an
infection occurs, the TbUtil back-up can be used as a verifying tool and
as a means to restore the original (uninfected) partition table and
bootsector without the need for a destructive disk format. The program
can also restore the CMOS configuration for you. If a back-up of your
partition table is not available, TbUtil will try to create a new
partition table anyway, again avoiding the need for a low-level format.

Another important feature of TbUtil is the option to replace the
partition table code with new code offering greater resistance to viruses.
The TbUtil partition code is executed before the boot sector gains
control, enabling it to check this sector in a clean environment. The
TbUtil partition code performs a CRC calculation on the master boot
sector just before the boot sector code is activated and issues a
warning if the boot sector has been modified. The TbUtil partition code
also checks and reports changes in the RAM lay-out. These checks are
carried out whenever the computer is booted from the hard disk.

It should be noted that boot sector verification is imperative before
allowing the boot sector code to execute. A virus could easily become
resident in memory during boot-up and hide its presence. TbUtil offers
total security at this stage by being active before the boot sector is
executed. Obviously, TbUtil is far more convenient than the traditional
strategy of booting from a clean DOS diskette for an undisturbed
inspection of the boot sector.
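As an added example, not Thunderbyte's code, of what a pre-boot check along
the lines of the TbUtil partition code has to do: validate the structure of a
512-byte master boot sector (boot signature and partition entries) and compare
a checksum of the whole sector with the value recorded while the sector was
known to be clean. The sample sector, the choice of CRC-32 and the reference
value are constructed here; TbUtil's actual CRC and back-up format are not
documented on this page.

```python
"""Added example of master boot sector verification. Not Thunderbyte's
code; the sample sector and the reference CRC are constructed."""
import struct
import zlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55   # stored little-endian as bytes 55 AA at offset 510


def parse_partition_table(sector):
    """Return the four 16-byte entries of a classic MBR as dicts.
    Raises ValueError if the sector is not structurally a valid MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    sig, = struct.unpack_from("<H", sector, 510)
    if sig != BOOT_SIGNATURE:
        raise ValueError("missing 55AA boot signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # status, 3 CHS bytes skipped, type, 3 CHS bytes skipped, LBA, length
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def sector_crc(sector):
    """CRC-32 over the whole sector: boot code, table and signature."""
    return zlib.crc32(sector) & 0xFFFFFFFF


def verify_mbr(sector, reference_crc):
    """Return (ok, reason). Structural checks first, then compare with
    the CRC recorded when the sector was known to be clean."""
    try:
        entries = parse_partition_table(sector)
    except ValueError as e:
        return False, str(e)
    if sum(1 for e in entries if e["bootable"]) > 1:
        return False, "more than one partition flagged bootable"
    if sector_crc(sector) != reference_crc:
        return False, "boot sector code or partition table has been modified"
    return True, "boot sector unchanged"


def build_sample_mbr():
    """Constructed 512-byte sector: placeholder boot code, one bootable
    FAT16 partition starting at LBA 63, and the 55AA signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xfa\x33\xc0"          # placeholder: cli; xor ax,ax
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\xff\xff", 63, 2097089)
    sector[446:462] = entry
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


def demo():
    """Verify the clean sector, then the same sector after its first
    bytes were altered (the table and signature left intact)."""
    clean = build_sample_mbr()
    reference = sector_crc(clean)          # what the back-up would hold
    ok_clean, _ = verify_mbr(clean, reference)
    altered = bytearray(clean)
    altered[0:4] = b"\xeb\x3c\x90\x00"     # constructed change to boot code
    ok_altered, reason = verify_mbr(bytes(altered), reference)
    return ok_clean, ok_altered, reason


if __name__ == "__main__":
    print(demo())
```

Why the CRC covers the whole sector rather than just the partition entries:
the manual's point is that a modification of the boot code itself is what
lets a virus become resident before DOS loads, so the code bytes are the part
most worth verifying.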


Reconstructing infected files: TbClean

TbClean is a generic file cleaning utility. It uses the Anti-Vir.Dat
files generated by TbSetup to enhance file cleaning and/or to verify the
results. TbClean can however also work without these files. It
disassembles and emulates the infected file and uses this analysis to
reconstruct the original file.


Resident safeguard: TbMon

TbMon is a set of memory resident anti-virus utilities, consisting of
TbMem, TbFile and TbDisk. Most other resident anti-virus products offer
you the choice to invoke them before the network is loaded, losing the
protection after the logon procedure, or to load the anti-viral software
AFTER the logon to the network, resulting in a partially unprotected
system. The ThunderBYTE Anti-Virus utilities however recognize the
network software and take appropriate actions to ensure their
functionality.


Controlling memory: TbMem

TbMem detects attempts from programs to remain resident in memory, and
ensures that no program can remain resident in memory without
permission. Since most viruses remain resident in memory, this is a
powerful weapon against all such viruses, known or unknown. Permission
information is maintained in the Anti-Vir.Dat files. TbMem also protects
your CMOS memory against unwanted modifications.


Preventing infection: TbFile

TbFile detects attempts from programs to infect other programs. It also
guards read-only attributes, detects illegal time-stamps, etc. It will
make sure that no virus succeeds in infecting programs.


Protecting the disk: TbDisk

TbDisk is a disk guard program which detects attempts from programs to
write directly to disk (without using DOS), attempts to format, etc.,
and makes sure that no malicious program will succeed in destroying your
data. This utility also traps tunneling and direct calls into the BIOS
code. Permission information about the rare programs that write directly
and/or format the disk is maintained in the Anti-Vir.Dat files.


Define your own signatures (in case of an emergency): TbGensig

Since TBAV is distributed with an up-to-date, ready-to-use signature
file, you do not really need to maintain a signature file yourself. If,
however, you want to define your own virus signatures, you will need the
TbGensig utility. You can use either published signatures or define your
own ones if you are familiar with the structure of software.


Remove infected files: TbDel

The DOS 'DEL' command does not actually erase a file. It simply changes
the first filename character in the directory listing and frees up the
space by changing the disk's internal location tables. TbDel is a small
program with a single but important purpose: it replaces every single
byte in a file with zero characters before deleting it. The entire
contents are therefore obliterated and totally unrecoverable.
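The overwrite-then-delete idea behind TbDel, as an added Python example that
is not Thunderbyte's code. The single zero pass is what the manual describes;
the read-back verification before unlinking and the constructed sample file
are additions for the example.

```python
"""Added example: overwrite a file with zeros, confirm it, then delete.
Not Thunderbyte's code; the sample file is constructed below."""
import os
import tempfile


def zero_and_delete(path, chunk=65536):
    """Overwrite every byte of `path` with zeros, force the zeros to the
    device, confirm the read-back is all zeros, then unlink the file.
    Returns (bytes_overwritten, verified_all_zero)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            n = min(chunk, remaining)
            fh.write(b"\x00" * n)
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())       # do not unlink until the zeros are on disk
        fh.seek(0)
        all_zero = fh.read() == b"\x00" * size
    os.remove(path)
    return size, all_zero


def demo():
    """Constructed: write a small file, wipe it, report what happened."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "UNWANTED.COM")
        with open(victim, "wb") as fh:
            fh.write(b"sample program bytes " * 20)   # 420 bytes, constructed
        overwritten, verified = zero_and_delete(victim)
        return overwritten, verified, os.path.exists(victim)


if __name__ == "__main__":
    print(demo())
```

The manual's claim that the contents become "totally unrecoverable" holds for
the FAT disks of its day, where a file is overwritten in the clusters it
already occupies. On a journaling or copy-on-write file system, or on an SSD
with wear levelling, the new zeros may be written to different blocks while
the old data stays on the medium, so the same routine no longer guarantees
destruction there.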


SECTION I. INSTALLING TBAV


1. How to install TBAV


System requirements

The ThunderBYTE Anti-Virus utilities can be executed on any IBM or
compatible PC with at least 1 Mb disk space. The TBAV utilities need 256
Kb free internal memory and require DOS 3. However, DOS 5 or a later
version is recommended. The TBAV utilities are compatible with networks,
Windows, DR-DOS, etc.


1.1 Initial installation

You can install the TBAV utilities either by using the installation
procedure (which is explained below) or by a fully customized TBAV
installation (which is explained in sections I - 3 and II).

Insert the TBAV installation diskette in the diskette drive.

Type:
A: or B:

Type:
install C:\TBAV


+---------------------------------------+
| F1 First time installation |
| F2 Update installation |
| F3 About.... |
| F4 Exit.... |
+---------------------------------------+

Since this is the first time you install the TBAV package you choose the
first option by pressing or .


----- [ Please select Drive to install TBAV to: ]-----
You need at least 1024 KB of available space to install TBAV !

C: 3581952
D: 21291008


Toggle to the disk on which the TBAV utilities must be installed. TBAV
Install displays the amount of free disk space of each available disk.




Next, TBAV Install will prompt you for the TBAV directory. The default
directory is \TBAV:


-----[ Please select Directory to install TBAV to: ]-----
[C:\TBAV ]


If the specified directory does not exist, the installation program
will create it. Subsequently, the TBAV files are copied onto your hard
disk.

+-----------------------------------------------------------+
| The documentation for TBAV is compressed into a file. |
| The documentation-file will now be self-extracted. |
| Press any key when ready.... |
| |
| |
| Inflating: c:/tbav/TBSCAN.DOC -AV |
| Inflating: c:/tbav/TBSCANX.DOC -AV |
| Inflating: c:/tbav/TBCLEAN.DOC -AV |
+-----------------------------------------------------------+

The packed text files are copied onto your hard disk and inflated. After
copying all files, TbSetup is loaded, which will generate or update the
Anti-Vir.Dat file of the TBAV directory.


+-----------------------------------------------------------+
| TbSetup will now generate or update the Anti-Vir.Dat |
| file of the directory C:\TBAV |
| Press any key when ready... |
+-----------------------------------------------------------+

The ThunderBYTE Anti-Virus utilities are copied to the destination
directory. The installation program helps you set up the utilities in
their most standard and non-customized way. After reading the manual
thoroughly, you can configure the package to suit your own personal
needs.

+-----------------------------------------------------------+
| This installation program helps you to setup the utilities|
| in their most standard and non-customized way. |
| Do you want to continue ? (Y/N) |
+-----------------------------------------------------------+

If 'No', TBAV Install will not prompt you for placing the memory
resident TBAV utilities in the autoexec.bat file, nor for creating the
Anti-Vir.Dat files. If 'Yes', TBAV Install backs up your original
Autoexec.Bat file and appends a call to the tbstart.bat file. For easy
access to the TBAV utilities it is recommended to put them into your PATH
environment variable. Your Autoexec.Bat file now looks like this:


@ECHO OFF
PATH C:\TBAV

call C:\TBAV\tbstart.bat

Subsequently, TbSetup will process the indicated drive to generate the
Anti-Vir.Dat files. You may need to repeat this process for other
drives. Consult the relevant section for more information!


The TBAV package contains some utilities that can be installed in the
memory of your PC. For each of these utilities you can
indicate whether the installation program must add them to the
Tbstart.bat file:

TBSCANX is a memory resident virus scanner.
Do you want to install it ? (Y/N)

TBCHECK is a memory resident integrity checker.
Do you want to install it ? (Y/N)

TBMEM is a resident memory guard.
Do you want to install it ? (Y/N)

TBFILE is a resident file guard.
Do you want to install it ? (Y/N)


If you answer the subsequent question with Yes, TBAV will scan your
system for viruses automatically once every day:

Do you want the system to be scanned automatically
for viruses every day ? (Y/N)


The installation program will write the indicated configuration values
in the 'tbstart.bat' file, which is located in the ThunderBYTE directory
you specified before, e.g.:

C:\TBAV\tbdriver
C:\TBAV\tbscanx
C:\TBAV\tbcheck
C:\TBAV\tbmem
C:\TBAV\tbfile
C:\TBAV\tbscan /once /alldrives

Finally, you can force the TBAV utilities to scan your disk right away.

It is very likely that some of the TBAV utilities are going to display
messages when you reboot and continue using the computer as you normally
would. Some programs perform operations that are monitored by the TBAV
utilities, so TBAV must first 'learn' which programs need proper
permission. Execute some of the programs you use regularly and at each
relevant query respond with 'Y' to authorize or 'N' to deny permission.
TBAV will remember the settings and not bother you again. Reboot the
computer at the end of this test run.
vant query respond with 'Y' to authorize or 'N' to deny permission. TBAV
will remember the settings and not bother you again. Reboot the computer
at the end of this test run.

The TBAV utilities are now ready to monitor the system and will issue a
warning if something suspicious - or worse - is about to happen. They
will also warn you if any new file contains a possible virus - well
before it can do any harm.


1.2 Menu and command syntax

You can activate most of the TBAV utilities from within the TBAV menu,
by loading:

cd\tbav
tbav

All TBAV drivers and utilities can be executed from the DOS prompt. In a
systematic setup, however, the drivers should be installed and activated
in your Config.Sys, with a device= or install= directive, or in the
TbStart.Bat file as a TSR. Similarly, most utilities can be started
automatically - in the case of TbScan restricted to once a day - in the
TbStart.Bat file. The two exceptions are TbClean and TbDel, which should
be executed only from the DOS prompt and (TbClean) from within the TBAV
menu.

All commands for ThunderBYTE Anti-Virus can be used with command line
switches or options to control special features. The options may either
be written out in full, or abbreviated to their one- or two-letter
mnemonic to shorten the command line. Throughout this manual the
examples are given with options in verbose, unabbreviated form for
clarity. Options must be separated by spaces. They do not need a
preceding switch character, but you may use the customary slash or
hyphen switch characters if you wish.

The standard command line syntax for all ThunderBYTE Anti-Virus commands
is:

command [] [] [
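A parser for the option syntax just described (verbose name or short
mnemonic, optional '/' or '-' switch character, space-separated), as an added
Python example that is not Thunderbyte's code. The option names 'once' and
'alldrives' come from the tbstart.bat listing earlier in this section; every
mnemonic in the table, and the other two option names, are assumptions made
for the example.

```python
"""Added example: parse TBAV-style command line options. Not Thunderbyte's
code; the option table and the mnemonics in it are constructed."""

# Constructed table: verbose option name -> assumed one- or two-letter
# mnemonic. 'once' and 'alldrives' appear in the manual; the mnemonics
# and the other names are assumptions for this example.
OPTIONS = {
    "once": "on",
    "alldrives": "ad",
    "allfiles": "af",
    "log": "lo",
}

SWITCH_CHARS = "/-"


def parse_options(argv):
    """Return (options, targets). Options are normalised to their verbose
    names whether given in full or as a mnemonic, with or without a
    switch character. Words that are not known options are targets
    (drive, directory or file). A switch character in front of an
    unknown word is an error, since the user clearly meant an option."""
    by_short = {short: name for name, short in OPTIONS.items()}
    options = []
    targets = []
    for arg in argv:
        word = arg.lower()
        had_switch = bool(word) and word[0] in SWITCH_CHARS
        if had_switch:
            word = word[1:]
        if word in OPTIONS:
            options.append(word)
        elif word in by_short:
            options.append(by_short[word])
        elif had_switch:
            raise ValueError("unknown option: %s" % arg)
        else:
            targets.append(arg)
    return options, targets


if __name__ == "__main__":
    # Equivalent spellings of the scan line from tbstart.bat.
    print(parse_options(["/once", "/alldrives"]))
    print(parse_options(["on", "-AD", "C:\\"]))
```

Because a bare word may be either an option or a path, the parser has to
pick an order of precedence; this one consults the option table first, so a
directory that happened to be named like an option would be misread. That
ambiguity is the practical reason to keep using the slash or hyphen switch
characters in batch files even though the syntax does not require them.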

  3 Responses

  1. Very nice! Thank you for this wonderful archive. I wonder why I found it only now. Long live the BBS file archives!

  2. This is so awesome! 😀 It'd be cool if you could download an entire archive of this at once, though.

  3. But one thing that puzzles me is the “mtswslnkmcjklsdlsbdmMICROSOFT” string. There is an article about it here. It is definitely worth a read: http://www.os2museum.com/wp/mtswslnk/