Revision 6.11c - July 1996
--------------------------

The IV rescue floppy could not be prepared in former versions when COMSPEC pointed anywhere other than the C drive. This condition was fixed in this version, and the rescue floppy can be prepared under all conditions, even when logged to a server.

A new option was added to INSTALL. It is now possible to specify the directory in which to install InVircible right from the command line. Both INSTALL and IVLOGIN accept the new command option. The syntax of the command is "DIR=pathname".

The installation of IV under Windows NT has been modified. The INSTALL procedure now detects that it is running under NT and proceeds accordingly. INSTALL can be run under NT in either full-screen or windowed mode. IVLOGIN can be used under NT to install IV to an NT workstation from a server.

Virus detection through dodgy date or time stamp. Many viruses mark infected files by setting the year's date to +100 years (i.e. year 2096 instead of 1996), or by setting the seconds to a value larger than 59. The faked date/time stamps are not revealed by the DIR command but are detected by IVSCAN. IV will indicate "dodgy date or time, possibly infected".

Concurrently, NetZ released a freeware utility named GETDATE that lets you inspect drives for files with a dodgy date/time mark and rename those files on request. GETDATE can also spot files with a specified "seconds" setting. Certain viruses use a specific value in the seconds field to mark infected files, e.g. HD Euthanasia sets the seconds of infected files to 34. GETDATE can be used as a first-aid and fast disinfector.

Generic macro malware cleaning by IVX was introduced in version 6.11a. Due to the nature of the problem, it is impossible to distinguish legitimate auto-macros from potentially harmful ones. Customized templates and forms that use auto-macros can be saved in separate directories. These directories can be marked to be skipped by the IVX macro cleaner.
To mark a directory to skip, just create a zero length file named IVX.NOT in it. To create a zero length file, type from the DOS prompt "TYPE PLAIN_GARBAGE > IVX.NOT", without the quotation marks.

Extended partitions on EIDE drives running in LBA mode will be corrupted by DOS programs running in a Win-95 MS-DOS shell, if the partition was created by Windows 95 FDISK. Win-95 introduced new extended partition types (types 0E, 0F - decimal 14, 15) for EIDE with LBA. Operating systems other than Win-95 do not recognize these partitions and erroneously reflect the C logical partition into the higher one. ResQdisk has been upgraded to check whether this problem exists. When examining a partition with ResQdisk, a warning message will indicate the presence of partition types 0E or 0F. The user is then advised to correct the problem, to prevent possible damage.

Revision 6.11b - June 1996
--------------------------

NEW AUDIT FEATURE IN IVB. IVB now provides for the auditing of specified directories and drives. The audit function is based on the IVB integrity database and runs concurrently with IVB integrity checking. New, missing and modified files are reported in the audit log. Auditing can run either on demand or automatically.

Auditing can be used in private user and corporate/network environments to keep track of program inventory. Auditing combined with IVB's integrity functions and the IVX report is useful in spotting the source of an infection. In the institutional environment, auditing can help system administrators monitor software uploads to servers.

Revision 6.11a
--------------

Version 6.11a has a generic "Word Macros" mode added to IVX. It detects forced macros in Word documents and templates and CLEANs them on request. IVX can be used in batch mode for handling macro viruses. INSTALL has been updated to edit the test for macro malware right into the autoexec (see below).

Attention network administrators!
The new Word Macro mode in IVX has provisions for testing a workstation's integrity right at logging in to the network. Affected workstations can now be spotted as they log in and refused access to the network. For details see appendix G in the DOS online hypertext, or search for "macro" in the Windows IV manual.

The INSTALL program menus were changed for the user's convenience. The main functions were moved to the first level menu (the default). INSTALL's default options are now: installation, the preparation of the rescue diskette, installation or retraction of the license registration, installation or removal of IVTEST in / from batch files, and removal of IV related files (*.NTZ and signatures). The on-line registration is now assigned to F10 and was removed from the menus. On-line help is now accessed through F1, as is the standard in most software.

Where Winword is found in the search path, the user will be prompted whether to include the Word templates integrity check against macro malware in the autoexec. The templates test is extremely fast: it takes just a few seconds and is highly recommended.

Improved presentation in IVB, IVX and IVSCAN. The on-screen scrolling of the inspected directories and files now advances "on-finding" only. This way, the user is presented only with relevant information, which should help in assessing the problem at hand.

New IVLOGIN /Q switch. When run with the /Q switch, IVLOGIN will query the workstation whether the daily integrity check (IVB DAILY) did run. IVLOGIN returns an errorlevel 0 if the test was run and 1 otherwise. The integrity query switch can be used by network administrators to refuse access to users that disabled the IV daily integrity check.

The memory stealing alert was modified to a threshold of 7 Kbytes for drives using dynamic boot overlay (DDO), thus eliminating the nagging message resulting from this source.
The "dynamic boot driver" message related to Ontrack's DM and MicroHouse EZ-Drive was removed from IVINIT.

Revision 6.11
-------------

An on-line hypertext user's guide for Windows was added with version 6.11. The file's name is IVMANUAL.HLP and it can be added as an icon on the Windows desktop, for quick reference. IV's winhelp contains screen captures and detailed procedures and tips. You can produce a formatted hard copy of selected topics from the IV manual through Windows Print Manager.

Windows 95 enables booting to DOS by swapping and renaming the system files (IO.SYS and MSDOS.SYS). As a result, IVB reported changes every time the computer was booted to a different OS from the previous one. IVB now identifies legitimate swapping between Win 95 and previously installed DOS.

The editing of the BIOS Parameter Block (BPB) of logical drives' boot sector was added to ResQdisk. This facilitates the recovery of hard drives with non-standard configurations such as Compaq models and multiple partitions with dynamic boot overlay drives (DDO), as well as NT servers and workstations.

Batch processing of floppies with the IVX correlator was added. The IVX correlation-scan parameters need to be entered just once to process floppies in bulk.
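
The dodgy date/time check described under Revision 6.11c, shown here as an added example (not InVircible or GETDATE code): it decodes the packed date and time words of a FAT directory entry and flags a future year, seconds above 59, or a chosen marker value. The function names, the "any future year" rule and the sample entries are assumptions made for the illustration.

```python
import struct

def decode_entry(entry):
    """Decode name and date/time words of a 32-byte FAT directory entry."""
    name = entry[0:8].decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    time_w, date_w = struct.unpack_from("<HH", entry, 22)
    return {
        "name": name + "." + ext,
        "year": 1980 + (date_w >> 9),       # 7 bits, so 1980..2107 fits
        "second": (time_w & 0x1F) * 2,      # 5 bits of 2-second units: 0..62
    }

def dodgy_reasons(stamp, ref_year, marker_seconds=None):
    """Return the reasons a stamp looks dodgy (empty list if none)."""
    reasons = []
    if stamp["year"] > ref_year:            # assumed rule: any future year
        reasons.append("future year %d" % stamp["year"])
    if stamp["second"] > 59:
        reasons.append("seconds %d > 59" % stamp["second"])
    if marker_seconds is not None and stamp["second"] == marker_seconds:
        reasons.append("seconds match marker %d" % marker_seconds)
    return reasons

def make_entry(name, ext, year, month, day, hour, minute, second):
    """Build a constructed directory entry for the sample data."""
    date_w = ((year - 1980) << 9) | (month << 5) | day
    time_w = (hour << 11) | (minute << 5) | (second // 2)
    return struct.pack("<8s3sB10xHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), 0x20, time_w, date_w, 0, 0)

# Constructed sample entries (not from any real disk).
SAMPLE = [
    make_entry("CLEAN", "COM", 1996, 7, 1, 12, 0, 10),
    make_entry("GAME", "EXE", 2096, 3, 15, 9, 30, 20),
    make_entry("TOOL", "COM", 1995, 11, 2, 8, 15, 62),
    make_entry("EDIT", "EXE", 1996, 5, 5, 10, 10, 34),
]

def scan(entries, ref_year, marker_seconds=None):
    """Map file name -> reasons, for flagged entries only."""
    hits = {}
    for e in entries:
        stamp = decode_entry(e)
        reasons = dodgy_reasons(stamp, ref_year, marker_seconds)
        if reasons:
            hits[stamp["name"]] = reasons
    return hits

if __name__ == "__main__":
    for name, why in scan(SAMPLE, 1996, marker_seconds=34).items():
        print(name, "->", "; ".join(why))
```

Because the seconds field holds five bits of two-second units, the values 60 and 62 can be stored even though no clock produces them, which is why a check on the raw field catches them.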
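
The partition type warning described under Revision 6.11c for types 0E and 0F, as an added example (not ResQdisk code): it reads the four-entry partition table of a 512-byte partition sector and reports entries of those two types. The function names, the type descriptions and the two sample sectors are assumptions constructed for the illustration.

```python
import struct

# Types the page warns about; descriptions are the commonly documented meanings.
WIN95_LBA_TYPES = {0x0E: "FAT16, LBA-addressed", 0x0F: "extended, LBA-addressed"}

def parse_partition_table(sector):
    """Return the four partition entries of a 512-byte partition sector."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a partition sector (bad length or signature)")
    entries = []
    for slot in range(4):
        raw = sector[446 + 16 * slot: 446 + 16 * (slot + 1)]
        start_lba, sectors = struct.unpack_from("<II", raw, 8)
        entries.append({"slot": slot, "active": raw[0] == 0x80,
                        "type": raw[4], "start_lba": start_lba,
                        "sectors": sectors})
    return entries

def lba_type_warnings(sector):
    """List (slot, type, description) for entries of type 0E or 0F."""
    return [(e["slot"], e["type"], WIN95_LBA_TYPES[e["type"]])
            for e in parse_partition_table(sector)
            if e["sectors"] and e["type"] in WIN95_LBA_TYPES]

def make_sector(parts):
    """Build a constructed partition sector from (type, start_lba, sectors)."""
    table = b""
    for i in range(4):
        ptype, start, count = parts[i] if i < len(parts) else (0, 0, 0)
        boot = 0x80 if i == 0 and ptype else 0x00
        # CHS fields are left zero; only type and LBA fields matter here.
        table += struct.pack("<B3xB3xII", boot, ptype, start, count)
    return bytes(446) + table + b"\x55\xaa"

# Constructed samples: one disk partitioned with Win-95 FDISK, one without.
WIN95_DISK = make_sector([(0x06, 63, 1024000), (0x0F, 1024063, 3072000)])
DOS_DISK = make_sector([(0x06, 63, 1024000), (0x05, 1024063, 3072000)])

if __name__ == "__main__":
    for slot, ptype, desc in lba_type_warnings(WIN95_DISK):
        print("slot %d: type %02X (%s)" % (slot, ptype, desc))
```

This inspects only the primary table in the sector it is given; logical drives inside an extended partition have their own chained tables, which would need the same check.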