CHECKOUT

Copyright (c) 1989 Saturn Software & John Bintz
POB 309
Davis, CA 95616
On Fidonet: 203/910 Opus386, 203/309 California Attorneys' Conference

Results from Validate

File Name:            checkout.exe
Size:                 29,813
Date:                 11-6-1989
File Authentication:  Check Method 1 - E47E
                      Check Method 2 - 003F

CHECKOUT is a virus protection program which is intended for use in environments in which many programs reside in archives such as ZIP or LZH.

Version 0.95 is a bug-fix version. In Version 0.94, there was a problem in processing files located at the highest (C:\, A:\) level of a drive. One other problem has been reported concerning its interaction with DOS 4.01 with directories larger than 32k. This problem has not been verified nor fixed. If this situation is similar to yours, you should proceed carefully. The next version will have additional features and will be out in one or two weeks.

The quality of the program, as well as the feature set, has been enhanced considerably by the beta testers, who did everything that could be expected and more. These include: Merry Hughes, 204/869; Robert Michal, 386/4; John Polen, 390/4; and Jim Darrough, 161/506. Special thanks are due to Merry Hughes, who independently tested CHECKOUT with live strains of Jerusalem-B, AIDS, Alabama, Dark Avenger, MIX!/Saratoga, Zero-Bug, 2930 (Traceback), Yankee Doodle, 3551/Syslock, and DataCrime II.

LIMIT OF LIABILITY

CHECKOUT is distributed as-is. The author makes no representation with respect to the fitness of the software for any particular purpose and disclaims all warranties, expressed or implied. The author will assume no liability for damages either from the direct use of this product or as a consequence of the use of this software.

SUPPORT

There is no staff employed for support purposes.
If you have a problem to report or features you would like to see implemented, either send netmail to 1:203/910 or use the comment field on the registration form. All suggestions will be evaluated for the next version.

SHAREWARE

Checkout is distributed as shareware. This means you can evaluate the product before you decide to register it. If you are still using it after a couple of weeks, you should register it. You can copy Checkout, or any shareware program, and distribute it to anyone else, provided that neither the program nor the documentation is altered and that you do not charge a fee. Because there is no advertising, distribution, or packaging cost, the price of a shareware program is often less than that of an equivalent package sold through retail channels. The registration form is provided in a separate file.

INTRODUCTION

ViruScan, or SCAN, has become one of the most popular methods of checking for various types of viruses. It will check the boot sector and each EXE, COM, SYS, and OVL file on a disk for the identifying characteristics of more than 40 different virus types. For most users, this is exactly what is needed. However, for people that operate a BBS, most executable files reside within compressed or archive files, and these can't be processed by SCAN.

Checkout makes it possible for SCAN to check the files within archives. It operates by stepping through each file in a subdirectory, looking at the extension, spawning the appropriate unarchive program (i.e. LHARC, PAK, PKUNZIP, ZOO, PKXARC) and then spawning SCAN to test each of the components of the archived file.

As CHECKOUT decompresses files and checks the components for viruses, a log is written stating that the file has been checked and whether or not it was found to be infected. Additionally, the file itself can be marked as having been checked. The purpose of the log is to make it possible to demonstrate a reasonable standard of care in case of litigation.
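The extension-driven dispatch just described (look at the extension, pick the uncompressor, then hand the contents to SCAN) can be written out as a small planner. The following is an added example and not CHECKOUT's own code: it sorts a directory listing into the three cases the documentation names (scan directly, unarchive then scan, skip), reports which of the programs named under SETUP are missing from the PATH, lists nested archives inside a member list so they can be noted in the log, and adds one check this version of CHECKOUT does not make: an EXE that carries an embedded ZIP archive (a self-extractor) is set aside for separate handling instead of being passed to the scanner as a plain executable. The file names in SAMPLE_LISTING and the `plan` function are constructed for the example.

```python
"""Extension-driven dispatch of the kind the INTRODUCTION and SETUP describe.

Added example, not CHECKOUT's own code.  Names in SAMPLE_LISTING are constructed.
"""
import shutil
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional, Tuple

# Extension -> uncompressor program, as listed under SETUP.
UNARCHIVERS = {
    ".LZH": "LHARC.EXE",
    ".ZIP": "PKUNZIP.EXE",
    ".ZOO": "ZOO.EXE",
    ".ARC": "PKXARC.EXE",
    ".PAK": "PAK.EXE",
}
SCAN_DIRECTLY = {".EXE", ".COM", ".OVL", ".SYS"}
SCANNER = "SCAN.EXE"

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # starts every member entry in a ZIP archive
ZIP_END_RECORD = b"PK\x05\x06"    # end-of-central-directory record at the tail


def is_self_extracting(data: bytes) -> bool:
    """An MZ executable with ZIP signatures inside it is a self-extractor candidate."""
    return data[:2] == b"MZ" and (ZIP_LOCAL_HEADER in data or ZIP_END_RECORD in data)


def classify(name: str, data: bytes = b"") -> Tuple[str, Optional[str]]:
    """Return (action, program): 'scan', 'unarchive', 'sfx' or 'skip'."""
    ext = PureWindowsPath(name).suffix.upper()
    if ext in SCAN_DIRECTLY:
        if ext == ".EXE" and is_self_extracting(data):
            return ("sfx", None)  # SCAN alone sees the stub, not the packed contents
        return ("scan", SCANNER)
    if ext in UNARCHIVERS:
        return ("unarchive", UNARCHIVERS[ext])
    return ("skip", None)  # data file: not executed, so not processed


def missing_tools(needed: Iterable[str]) -> List[str]:
    """Programs that cannot be found on the PATH (shutil.which searches PATH)."""
    return sorted(p for p in needed if shutil.which(p) is None)


def nested_archives(members: Iterable[str]) -> List[str]:
    """Archive members that are themselves archives: noted in the log, not scanned."""
    return [m for m in members if PureWindowsPath(m).suffix.upper() in UNARCHIVERS]


# Constructed listing; file contents matter only for the EXE self-extractor check.
SAMPLE_LISTING: Dict[str, bytes] = {
    "ABCDEFGH.LZH": b"",
    "SETUP.EXE": b"MZ" + b"\x00" * 62,
    "PACKED.EXE": b"MZ" + b"\x00" * 62 + ZIP_LOCAL_HEADER + b"\x00" * 26 + ZIP_END_RECORD,
    "README.TXT": b"",
}


def plan(listing: Dict[str, bytes]) -> List[Tuple[str, str, Optional[str]]]:
    """What a checking pass would do with each file, in listing order."""
    return [(name, *classify(name, data)) for name, data in listing.items()]


if __name__ == "__main__":
    for row in plan(SAMPLE_LISTING):
        print(row)
    print("missing from PATH:", missing_tools(list(UNARCHIVERS.values()) + [SCANNER]))
    print("nested:", nested_archives(["PROG.EXE", "INNER.ZIP", "NOTES.TXT"]))
```

The 'sfx' outcome is the point of the extra check: a self-extracting archive looks like an ordinary EXE to both CHECKOUT and SCAN, so it has to be unpacked (or rejected) by a separate step before it is treated as checked.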
It has not been tested legally, and it is not known to be convincing to any court. If there is a problem with the integrity of the archive, that fact is also noted in the log.

CHECKOUT will cause each EXE, COM, OVL, and SYS file, as well as each ARC, PAK, ZIP, LZH, and ZOO file in the specified subdirectory, to be scanned. The files which are not processed include those with a different extension than those noted above. Most of these will be data files, and since they are not executed, they can't do any harm. However, self-extracting archives are potentially harmful and are missed by both SCAN and the current version of CHECKOUT: CHECKOUT sees the "EXE" and assumes SCAN will check it, and SCAN thinks it did check it (it did, but for the wrong strings). In addition, nested archives are not tested by the present version. If a file is otherwise without problem, a log note is made if it includes nested archived files.

SETUP:

Each program that is to be used must be located on the path. No check is ever made, so if you don't use a compression type, you don't need the uncompressor. The filenames that CHECKOUT might look for include:

LHARC.EXE
PKUNZIP.EXE
ZOO.EXE
PKXARC.EXE
PAK.EXE
SCAN.EXE

These programs must exist on the path if they are to be used. They cannot be renamed, and they must be recent enough to handle the files which will be processed. The version of SCAN must be 0.7V40 or greater (SCANV40), as features were added in that version for CHECKOUT.

OPERATION:

Defaults are chosen so that you would most likely execute the program without parameters, i.e.:

C:> CHECKOUT

It will then scan each file (EXE, COM, OVL, SYS, ARC, PAK, ZIP, LZH, ZOO) in the subdirectory in which it was executed. It is intended for CHECKOUT to be on the path, and each night the new files are checked before they are distributed to other parts of the board. On my own bbs system, there are two routes by which a file might enter, the uploads subdirectory and the netfile area.
The nightly maintenance routine scans all files in these subdirectories and then moves the files that pass into a distribution center, from which files are distributed to the appropriate download area. If an infected file is found, it is automatically moved out of harm's way so that no subsequent automatic operation can treat that file as good. If a bad file is found, a subdirectory called badfiles is created and all infected files (as well as bad archive files) are relocated there. A note is also made in the log, of course. At any time, you can get rid of both the file and the subdirectory, but there is no possibility of it causing a problem just sitting there.

By default, the log is kept, and both infected files and bad archives are moved into the c:\badfiles subdirectory. The following arguments will modify the defaults:

-H              Present help file
-L              Eliminate log
-A              Eliminate moving of bad archive files
-I              Eliminate moving of infected files
-Thh:mm:ss      Change time stamping to hh:mm:ss after checking
-Odrive:\path   Specify new log path
-Bdrive:\path   Specify new badfile path
-Sdrive:\path   Specify new scan path

All of the options are self-explanatory except for the "-T" option. If you were to set the switch "-T5:55", the time stamp of all files would be changed to 5:55 as they are processed. Then, if you were to execute the program upon the same subdirectory a second time using the same switch, any file which had a time stamp of 5:55 would be considered completed and would not be processed the second time, while all other files would be processed. You must use a legitimate time; if you were to enter 6:66, the process would not work.

There are some disadvantages in using this technique for marking files. Obviously, a file might just happen to be time stamped at the specified time and get bypassed. Obviously, the time stamping can't be used for anything else if you use it for this purpose. However, it is not often used for any other purpose.
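The "-T" marking scheme is easiest to see on the 16-bit time word that a DOS directory entry actually stores: 5 bits of hours, 6 bits of minutes, and 5 bits counting 2-second units (0..29), which is why "dir" never shows seconds. The following is an added example, not CHECKOUT's own code. It parses a "-T" argument in both the full hh:mm:ss form and the seconds-only "::ss" form, rejects an illegitimate time such as 6:66, stamps each processed file, and skips on a second pass any file that already carries the mark. Treating an empty field in the marker as "leave unchanged when stamping, ignore when checking" is an assumption about how the switch behaves; the documentation only shows the two forms. The file names and stamps in the demo are constructed.

```python
"""Time-stamp marking in the manner of CHECKOUT's -T switch.

Added example, not CHECKOUT's own code.  Works on the DOS directory-entry
time word: hours (bits 15-11), minutes (bits 10-5), 2-second units (bits 4-0).
Empty marker fields are don't-care (assumption, see lead-in).
"""
from typing import Dict, List, Optional, Tuple

Marker = Tuple[Optional[int], Optional[int], Optional[int]]  # (hh, mm, ss) or None


def pack_dos_time(hours: int, minutes: int, two_secs: int) -> int:
    """Build the 16-bit time word; rejects values the field cannot hold."""
    if not (0 <= hours <= 23 and 0 <= minutes <= 59 and 0 <= two_secs <= 29):
        raise ValueError("not a legitimate DOS time")
    return (hours << 11) | (minutes << 5) | two_secs


def unpack_dos_time(word: int) -> Tuple[int, int, int]:
    """Split a time word back into (hours, minutes, 2-second units)."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, word & 0x1F


def parse_marker(arg: str) -> Marker:
    """'5:55' -> (5, 55, None); '::20' -> (None, None, 20); '6:66' -> ValueError."""
    parts = arg.split(":")
    if len(parts) > 3:
        raise ValueError("use hh:mm:ss")
    parts += [""] * (3 - len(parts))
    marker: List[Optional[int]] = []
    for text, limit in zip(parts, (23, 59, 29)):  # ss is in 2-second units
        if text == "":
            marker.append(None)
            continue
        value = int(text)
        if not 0 <= value <= limit:
            raise ValueError(f"{arg}: field {text} out of range")
        marker.append(value)
    if marker[2] == 0:
        # The documentation advises against 0: it is the most common seconds stamp.
        raise ValueError("a seconds mark of 0 would match most untouched files")
    return marker[0], marker[1], marker[2]


def is_marked(word: int, marker: Marker) -> bool:
    """True when every field the marker sets matches the file's stamp."""
    return all(m is None or m == f for m, f in zip(marker, unpack_dos_time(word)))


def stamp(word: int, marker: Marker) -> int:
    """Rewrite only the marker's fields; a '::ss' marker leaves hh:mm visibly unchanged."""
    fields = [m if m is not None else f for m, f in zip(marker, unpack_dos_time(word))]
    return pack_dos_time(fields[0], fields[1], fields[2])


def run_pass(stamps: Dict[str, int], marker: Marker) -> Tuple[List[str], List[str]]:
    """One checking pass over {name: time word}: returns (processed, skipped).

    Files that already carry the mark are treated as completed; the rest are
    "checked" and then re-stamped in place so the next pass skips them.
    """
    processed, skipped = [], []
    for name, word in list(stamps.items()):
        if is_marked(word, marker):
            skipped.append(name)
        else:
            processed.append(name)
            stamps[name] = stamp(word, marker)
    return processed, skipped


if __name__ == "__main__":
    # Constructed stamps: 14:30:00 and 09:05:40 (the latter already carries the ::20 mark).
    files = {"A.LZH": pack_dos_time(14, 30, 0), "B.ZIP": pack_dos_time(9, 5, 20)}
    mark = parse_marker("::20")
    print("first pass :", run_pass(files, mark))
    print("second pass:", run_pass(files, mark))
    print("A.LZH now  :", unpack_dos_time(files["A.LZH"]))
```

The second pass skipping B.ZIP on the first run is the documented drawback in miniature: a file that happens to carry the chosen seconds value is bypassed even though it was never checked, so the mark should be an uncommon value and the log, not the stamp, remains the record of what was tested.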
Although not well known, DOS will time stamp a file by 2-second intervals as well as by hours and minutes. The seconds are not displayed with a "dir" command. Consequently, if you ignore the hours and minutes and check only the seconds, the time stamp of the file is not altered in any visible way. You can do that with the command "-T::ss", e.g. "-T::20". Since ss is really 2-second intervals (instead of seconds), it can be no larger than 30. Additionally, it should not be 0, as this is the most common stamp.

By default, CHECKOUT.LOG is left in the root directory and looks as shown below. Each compressed file is given just one log entry. If, for example, A.LZH had three executable files, it would have just one log entry, and an "infection message" would apply to any or all three files.

--testing D:\FILE\UP--------10/07/89
ABCDEFGH.LZH ok 10/07/89
A.LZH Virus detected
B.PAK Missing files on path
C.ZIP Problem in Archieve
D.ZOO DOS Error
E.ARC ok 10/07/89

LEGAL ASPECTS

Many sysops have not considered their legal exposure caused by the presence of infected files on their board. If your board is hit with a virus, there is certainly a technical problem. But if you've performed the appropriate backup operations, under the worst set of circumstances, you probably can clean up the problem within a week. However, if someone downloads an infected file and chooses to take legal action against you, that problem certainly won't be cleaned up in a week, and it may involve years.

If there is an action against you, you have two basic defenses: (1) you didn't do it, or (2) you did do it but there are extenuating circumstances. If you can't demonstrate that the file from you was clean, you would like to be able to demonstrate "a reasonable standard of care" and that you did not deviate from that standard in this case. It is intended that the log should provide the documentation to make that claim. You should, on occasion, remove the file CHECKOUT.LOG and store it off system.
Some lawyers would doubtless tell you to store it in a manner such that you have no access to it, so that no one can raise the question of whether or not the data is honest. Finally, you should bring the matter up with your lawyer for advice. The author of Checkout claims no legal expertise, and nothing said here should be regarded as legal advice.

NOTES on ViruScan

As pointed out earlier, CHECKOUT will not work with versions earlier than 0.7V40 (SCANV40). However, you should plan to keep SCAN up to date, because new virus checks are installed continuously. The latest version of SCAN is always available on the HomeBase/CVIA BBS (Computer Virus Industry Association) at (408) 988-4004. It requires a separate registration and registration fee, as explained in the VirusScan documentation.

Prior to Version 1.1V44, all viral checking was done on signature strings within files. In this version, a new check was introduced which checks for viral programs currently in memory and acting on programs as they are executed (specifically, in this version, the Dark Avenger virus). That, of course, is a fairly serious finding and calls for some serious steps to be taken. SCAN immediately stops operation and beeps until you do something. If that should ever happen, you should POWER DOWN, reboot from a write-protected floppy disk, and execute plans to remove the virus. The nature of these steps is beyond the scope of this documentation; however, by checking regularly in a scheduled procedure, you should never reach the point where the infection is already in operation at the time of testing. The simple unarchiving of a file with the Dark Avenger virus, of course, puts the virus in memory (in a non-operative state), where it will be detected by ViruScan unless it is overwritten by a subsequent file in the archive. The operation of SCAN is fully documented, and the documentation is updated with each new version of the program.
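Because the log is meant to serve as the record of care, it is worth being precise about what each line in the CHECKOUT.LOG layout shown under OPERATION actually proves. The following is an added example, not CHECKOUT's own code. The sample log is constructed to match the layout in the documentation (including the program's own "Problem in Archieve" message text), and the regular expressions are an assumption about the exact separators, which the documentation does not specify. It reads the log, attaches the run's path and date to each entry, and separates the one verdict that is evidence of a completed check ("ok") from the verdicts that mean a file was not checked at all (a missing uncompressor, a DOS error) or must be kept out of distribution. A SHA-256 fingerprint of the retained log is an added measure for the off-system copy the text recommends, not something CHECKOUT produces.

```python
"""Reader for the CHECKOUT.LOG layout shown under OPERATION.

Added example, not CHECKOUT's own code.  SAMPLE_LOG is constructed; the
regular expressions assume single spaces between the columns.
"""
import hashlib
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
--testing D:\\FILE\\UP--------10/07/89
ABCDEFGH.LZH ok 10/07/89
A.LZH Virus detected
B.PAK Missing files on path
C.ZIP Problem in Archieve
D.ZOO DOS Error
E.ARC ok 10/07/89
"""

HEADER = re.compile(r"^--testing (?P<path>.+?)-+(?P<date>\d\d/\d\d/\d\d)$")
ENTRY = re.compile(r"^(?P<name>\S+)\s+(?P<status>.+?)(?:\s+(?P<date>\d\d/\d\d/\d\d))?$")

# Status text as written by the program -> what it means for the file.
VERDICT = {
    "ok": "clean",
    "Virus detected": "infected",          # moved to \badfiles by default
    "Problem in Archieve": "bad-archive",  # program's spelling; also moved by default
    "Missing files on path": "unchecked",  # uncompressor not found: nothing was scanned
    "DOS Error": "unchecked",
}


def parse_log(text: str) -> List[Dict[str, str]]:
    """One record per file line, each carrying the run's path and date."""
    records, run_path, run_date = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        head = HEADER.match(line)
        if head:
            run_path, run_date = head["path"], head["date"]
            continue
        entry = ENTRY.match(line)
        if not entry:
            raise ValueError(f"unrecognised log line: {line!r}")
        records.append({
            "name": entry["name"],
            "status": entry["status"],
            "verdict": VERDICT.get(entry["status"], "unknown"),
            "date": entry["date"] or run_date,
            "path": run_path,
        })
    return records


def summarize(records: List[Dict[str, str]]) -> Tuple[Counter, List[str]]:
    """Counts per verdict, plus every file that must not go to a download area as-is."""
    counts = Counter(r["verdict"] for r in records)
    attention = [r["name"] for r in records if r["verdict"] != "clean"]
    return counts, attention


def log_fingerprint(text: str) -> str:
    """SHA-256 of the log as retained (added measure): kept apart from the log,
    it lets a later reader show the stored copy is the one written at the time."""
    return hashlib.sha256(text.encode("latin-1")).hexdigest()


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    counts, attention = summarize(recs)
    print(dict(counts))
    print("needs action:", attention)
    print("fingerprint :", log_fingerprint(SAMPLE_LOG))
```

Note that B.PAK and D.ZOO end up in the same "unchecked" bucket as a matter of policy: neither line says the file is clean, so a nightly routine that moves everything not marked infected into the distribution area would be passing files the log cannot vouch for.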