Product upgrade, revision 6.10b.
--------------------------------

FIXBOOT was upgraded to support Windows 95 system (boot) floppies. Their bootability under Win95 is retained when they are processed with FIXBOOT. The program was also upgraded to handle the special 1.68 Mbytes DMF format, introduced by Microsoft in their Win95 installation floppy set.

IV4WIN95 rescue kit.
The kit detects boot infectors and removes them from your computer's hard disk before installing Win95. The Win95 rescue kit also repairs boot virus damage to the Windows 95 setup floppies, and provides for making a full backup of the installation set. IV4WIN95.ZIP was released to the IV ftp sites and the major networks.

Rescue diskette improvement.
The rescue diskette procedure now creates a text file named A:\HD_DATA.NTZ. The text file contains the CMOS setup, as well as the IDE parameters of the first two installed hard drives. You can read the parameters written to the HD_DATA file and restore them in the CMOS in case of need. A utility named GET-HD was added to the IV-UTILS.ZIP package. It displays on screen the same hard drive data as described above. These parameters may be asked for in case you need help from IV user support.

Supporting MIRROR and IMAGE FAT backup utilities.
Until now IV's rescue supported only MIRROR.COM, by copying its complementary program UNFORMAT.COM to the rescue floppy. From ver 6.10b, both Unformat.com and Unformat.exe (from the Norton Utilities) are copied to IV's rescue floppy. The latter is renamed to UNFORMT!.EXE on the rescue floppy, so that the two are not confused. With this amendment either MIRROR or IMAGE can be used as the FAT mirroring utility in the autoexec.

Repairing the mbr of Disk Manager dynamic partitions.
The recovery from boot virus damage to dynamic partitions configured with Disk Manager presented a problem.
Revision 6.10b contains several improvements in this regard: the addition of the HD_DATA file on the rescue diskette, the GET-HD utility and the revision of appendix C of the online manual. Restoring a damaged DM partition is now much easier, with significantly higher chances of success.

Increased number of IVB exception files.
The number of files that can be excluded from IVB's test was increased from five to ten. The syntax of the excepted filenames was also relaxed. The former syntax required that only the file name, with no path, be given after the "SKIP=" prefix. A filename or a pathname is now allowed in the exception list.

Increased number of filespecs in IVB's checklist.
The number of additional filespecs to be checked by IVB was increased from five to ten. There was no specific reason for increasing that number, yet since we increased the number of files in the exceptions list, it was easy to increase this number too. It is up to the user whether to use this option.

Handling macro malware with InVircible.
Tampering with template files can be monitored by IVB as easily as changes to executable files. To be warned against the possible introduction of a prank macro into a Winword template, just add "INCL=*.DOT" to the optional checklist of IVB. Appendix G was added to the online manual of InVircible. It explains how macro malware works, how to remove it and how to protect your applications with IV from the introduction of this kind of malware.

Product upgrade, revision 6.10a.
--------------------------------

IV rescue functions for Windows 95.
Win95's boot sector differs from that of DOS. The DOS boot sector didn't change from DOS 4.0 until Windows 95. Revision 6.10a of InVircible now handles properly both DOS and Windows 95 floppies and hard disks. The affected programs are INSTALL, RESQDISK and FIXBOOT. The revised programs can now handle both DOS and Windows 95 hard disks and floppies.
Improved CMOS parameters check.
As part of its disaster recovery functions, IVINIT compares the current configuration parameters in the CMOS with those contained in a backup file. The user is alerted if IV detects a configuration change. The user should then decide whether the change should be reflected in the rescue diskette, and may then 'Update' the CMOS backup to cancel the message on subsequent boots. Former versions had a special installation option for notebooks, as the latter use the CMOS for storing battery power saving parameters as well as the display settings. The /NOCMOS switch could be used in the autoexec to disable IVINIT's CMOS test. The test was improved in this version to include configuration parameters only. The 'Laptop' option was removed from the installation program as it isn't needed anymore. Yet a new problem emerged: multiple CMOS configurations. One example is with notebooks. The PC uses different CMOS hardware when docked or undocked, with different setups in the two states. A new utility, NOCMOS, is provided for that purpose. NOCMOS edits the autoexec and adds or removes the /NOCMOS switch from the IVINIT line. Run NOCMOS with the "D" switch to disable the test, or "E" to re-enable the CMOS test.

Removing old or inactive IVB signatures.
IVB's signature filename may contain high ASCII characters, if installed by IVLOGIN /RANDOM for example. Former versions had an ASCII 255 character in them to prevent accidental erasure of the files. Users had difficulties in removing these files, especially with Windows' File Manager. Unlike DOS, Windows recognizes only characters contained in the set defined by the codepage set when DOS booted. To overcome this difficulty we devised the FIND-SIG housekeeping utility. FIND-SIG spots inactive and orphan IVB signature files and provides the following options: leave the file, erase it, or erase all inactive IVB signature files.

Product upgrade, 6.10
---------------------

Revised documentation.
The online hypertext and the full manual were completely revised to reflect the changes and additions made in IV. New appendices were added, as well as discussion of many anti-virus and virus related subjects. A chapter on disaster recovery methods and techniques was added, specifically addressing the use of ResQdisk and ResQpro.

Full manual hypertext.
The InVircible electronic manual was processed into a hypertext that can now be browsed with the same browser as the online help (IVHELP.EXE). It is possible to select and switch between the two databases by pressing F6 when running the hypertext browser. The manual hypertext is contained in the archived IV package and on the distribution floppy. The new manual hypertext is NOT copied to the hard disk when installing IV; the user should take care of this if s/he wishes to have the hypertext manual available online.

Retro-piggybacking options removed from IV (*).
Retro-piggybacking is seldom used from the IV user interface. The retro-piggybacking options were removed from IV, to declutter the display.

Retro-piggybacking (RP) enabled from command line.
Retro-piggybacking method 1 was disabled in former versions, since it could be activated from IV. In specific cases, such as when infected with a cluster infector without the virus being memory resident and active, deliberate retro-piggybacking would have had a negative effect (permanently fixing the virus in the file). RP method 1 was automatically enabled when certain viruses were detected, such as Necropolis and Frodo. Since method 1 was removed from IV, it is now enabled for deliberate activation from the command line. It provides an additional method to remove full stealth viruses, such as Tremor and others, when they are active.

File killer detection message - bug fixed.
The source of a bug causing false alarms of killer file piggybacking was spotted and fixed.

ResQdisk - Compare track zero backup.
A new feature to compare track zero with its backup was added to ResQdisk.
The new feature helps in spotting new boot stealth infections on drives other than IDE. It also helps in analyzing boot infections on all drives. The new feature is included under the ^Z (track zero) menu, in addition to the existing ones.

Special /DM switch in ResQdisk.
Use /DM /B to back up the active partition boot sector of a Disk Manager 6.03 partition, and /DM /R to restore the boot sector. The drive must be booted with the special DM driver loaded in memory, either from the hd itself, or from a floppy specially prepared for the purpose.

IVLOGIN installation with predetermined signature filename.
Run IVlogin with the following parameter: IVLOGIN SIG=. If a random filename is preferred then run IVLOGIN /RANDOM.

The Memory Stealing threshold presetting was removed from all programs except INSTALL and IV, against inadvertent resetting by inexperienced users.

Improved ResQdiskette.
SeeThru is not available on SCSI and other non-IDE hard drives. This made the detection of stealth boot infectors difficult, as it had to rely mainly on the detection of memory stealing, or on running IV after booting from a clean DOS floppy. From this version on, even if there is a stealth virus active on the system, the rescue diskette prepared by INSTALL/R will still have a clean boot sector. Hard drives that cannot be checked with active SeeThru can now be verified and CLEANED from the rescue diskette prepared on the infected machine!

Including additional file types in IVB's checklist.
IVB, the integrity analyzer and restore program, secures executable files and can restore them if infected. The file extensions currently supported in IVB's checklist are COM, EXE, SYS, BIN, OV?, NLM, VLM, 386 and VXD. There are additional types that are not included in IVB's checklist, such as Windows' DLL, FOT, FTT etc., although they have a binary and executable structure. Additional filespecs are added to the checklist by NetZ on a need-to basis.
Since IVB processes binary executable files only, there is no point including data or text files such as batches (BAT) in IVB's checklist. Yet users may wish to include certain file types in IVB's list. There is now an option to add up to five extension specs to IVB's list. Edit the IVB.INI file in the IVB.EXE directory with an ASCII editor. For each extension you wish IVB to check, add a line as in the following example (for DLL files): "INCL=*.DLL". The '*' and '?' wildcards are permitted.

(*) The IVMENU.EXE user interface shell was renamed to IV.EXE.

Product upgrade, 6.02B
----------------------

Online backup of IVB signatures.
Existing IVB signatures were usually overwritten every time a new signatures file was created. From this version, the current IVB signature is backed up before a new one is written, by renaming the existing file with the extension *.000 and by changing its attribute to 'read only'. The backup is done when IVB renews a signature in the current file (because it found new files in a directory, because of tampering with one of the signatures, or for other reasons). The backup signature can be used with the /X switch (user defined filename). No backup is created when new signatures are purposely rewritten.

Improvement in IVX.
A new feature was added to IVX, enabling the selection of the offset past the entry point at which to look for the extraction of a signature string. This option improves IVX's capability as an automatic signature extractor. Look in Appendix C of IV's manual for details on how to use this feature.

IDE hardware access fix.
InVircible uses hardware access to overcome stealth boot viruses. IV's hardware access is usually well behaved, yet there are controllers and 32 bit access drivers with which IV had problems. This is taken care of by timing out the hardware access if unsuccessful. If it times out, then SeeThru will not be available with the specific hardware or driver. This is indicated in IVinit, IVtest and in ResQdisk.
Usually, the unavailability of SeeThru on 32 bit hardware should not constitute a problem, as boot virus stealth is disabled when 32 bit disk access is present, and these viruses are then detected by other IV features, i.e. sector analysis and memory stealing.

Improvements in FixBoot.
The FixBoot utility has been part of IV since version 6.02. Its purpose is to clean the boot sector of floppies in bulk processing, by replacing the boot sector. The new additions to FixBoot are: a prompt to process another floppy, and the detection of which operating system is present on the diskette, to keep it bootable. The default boot sector is MS-DOS. An IBM boot sector (PC-DOS/DR-DOS) is installed instead if IBM system files are found on the floppy.

ResQdisk Professional.
ResQdisk is an extremely powerful tool for recovering lost hard drives, and its professional version, ResQpro, has already saved users thousands of dollars by recovering data that was considered a total loss. The ResQpro features are now available in ResQdisk to users that purchase the professional license. The Pro version is recommended to data recovery specialists, computer servicing labs, institutions and organizations, and power users with special needs for data recovery. The Pro version license is available only through a special distribution floppy, available from authorized IV vendors. ResQpro upgrades are obtained the same way as IV's, via the Internet and the major nets.

ResQdisk single session authorization.
ResQdisk can restore access to a hard drive, on condition that the cause is not a hardware failure. Yet the full advanced features of ResQdisk and ResQpro are available only to licensed users of IV. The new version enables an authorized dealer of IV to authorize ResQdisk over the phone, for the present session. The authorization is done through the exchange of a password pair (press ^F10 when running ResQdisk to generate the password) while in a hotline support session.
Handling the boot sector through DOS - new feature in ResQdisk.
There are instances when the active partition's boot sector needs to be addressed through DOS instead of interrupt 13h. Such is the case when special boot drivers are used, such as Disk Manager or EZ-Drive. The edit functions (^E) of ResQdisk were duplicated under the ^B (boot) command. The active boot sector of drive C: is then handled through DOS interrupts 25h (read) and 26h (write). Note that the designation under DOS is the logical drive C:, rather than hard drive # 1 as with BIOS interrupt 13h. The options are: read sector to clipboard, write clipboard to boot sector, read from file, write sector to file, and SYS (the equivalent of refreshing the boot sector with the command SYS C:).

Detection of signature killer.
InVircible has proven that it's possible to anticipate viral technologies and counter them before they become a real threat. Although such a threat hasn't yet materialized, it's possible to write a virus that could target InVircible's database to destroy its files. To prevent such a possibility, the new version detects the presence of a signature killer and will alert on its presence.

Random signature filename.
Use the IVLOGIN /RANDOM switch to select a random signature filename.

Enhanced rescue floppy procedure.
Users may wish to have their favorite utilities, such as an ASCII editor, on the rescue diskette. To do so, just copy the additional files to a newly formatted floppy before starting the rescue disk procedure, run INSTALL/R and answer "no" when asked whether to wipe the floppy clean.

Product upgrade, 6.02A
----------------------

IVX major upgrade.
New features were added to IVX, enabling automatic signature extraction and signature scanning. IVX now creates its own signatures database from sampled files. The extraction of the signatures is automatic and does not require any special skills. The signatures can then be used to scan for their presence in other files.
IVX also accepts user defined signatures, by editing the database with an ASCII editor. An average user can now easily generate a signature for a new virus and announce it on the net or elsewhere. IV users can now scan for the presence of new viruses announced on the net. The new features of IVX reduce the response time to new virus alerts. The algorithm of IVX in statistical mode was refined and its detection capability improved, especially against some of the more difficult polymorphs, such as MtE viruses.

IVB history file.
The IVB.RPT file is overwritten when a new report is created. In a networked environment, the current daily report will be appended to the IVB.HIS (history) file. The implementation is through the AUTOEXEC file, by adding a couple of lines after the IVB daily command. The appropriate lines are added automatically by the INSTALL program when installation from a server is detected (or selected, in INSTALL's main menu). To add this feature to an existing installation, add the following lines in the autoexec, after IVB DAILY:

IF EXIST \IVB.RPT COPY \IVB.HIS+\IVB.RPT \IVB.HIS
IF EXIST \IVB.RPT DEL \IVB.RPT

Licensing for OS/2 and Win 95.
In version 6.02, InVircible's license reverted to Sentry when in Windows' or OS/2's DOS shell. Version 6.02A fixed that problem. Yet you will need to run IV once in real DOS in order to upgrade your license from a former version to 6.02A. This procedure does not apply to new licensed users, since the license can be installed to disk only in REAL DOS mode.

Detection of PKLITE'd droppers and Trojans.
During the last year, several droppers and Trojans were found that used PKLITE in order to conceal the gen-1 file. Gen-1 is the designation of the first generation of a virus, usually the one used to launch the virus. While scanners usually find the offspring, the gen-1 file will not be suspected, as many times it isn't recognized as a compressed file, because the PKlite marks were removed or disguised.
The most recent case that used the PKlite method is related to the Big Caibua virus. The detection of potential droppers was added to IVscan, as the default. This feature should help SysOps and network administrators to keep their boards and systems clean.

Improved IVB signatures.
Functional changes were made in order to improve IVB's discrimination between viral and legal modification of programs, as well as to improve the signatures' immunity to dedicated virus attacks. The new signatures are no longer compatible with the lower versions of IVB. To avoid confusion, or the loss of the former database, the default filename of the signature files was changed to IVB˙.NTZ. Note that there is a trailing character 255 (it looks like a space, but it is not!) between the IVB filename and the .NTZ extension.

No escape in Sentry mode.
System administrators asked to prevent Sentry users from escaping IVB's daily full check. Adding the /ESC switch to the command line re-enables the Esc key when scanning daily. This change applies only to the Sentry mode.

IVB exceptions list.
There are instances when you may want to exclude a file from IVB's list of files to process. IVB now has provisions to exclude up to 5 filenames. Edit IVB.INI in the IVB.EXE directory with an ASCII editor, or create a new file with the above name if it doesn't exist yet. Add a line for each file to exclude, as follows:

SKIP = EXCLUDE.BIN

The CMOS "Restore" option was removed from IVINIT in Sentry mode.

Product upgrade, 6.02
---------------------

The major change in version 6.02 is the handling of large capacity IDE drives. These drives appeared on the market in mid 1994 and they are now quite common. Several enhancements to handle the large capacity IDE drives were already introduced in version 6.01D. The new drives present technical challenges in the area of disaster recovery and vulnerability to boot and mbr viruses, that were unforeseen by both the drives' producers and the AV industry.
Version 6.02 consolidates the former enhancements and lays the grounds for further improvements, especially in the disaster recovery area of these drives. Read also in UPGRADE.TXT how to upgrade your licensed copy of InVircible.

Licensing of large capacity IDE.
The installation of the license record to large capacity IDE drives was impossible with earlier versions if the Ontrack extended boot driver (DM 6.03+) was used. It could be done only with a plain FDISK partition, using the LBA (logical block access) option in the setup. Version 6.02 allows the licensing of these drives too.

Version 6.02 consolidates changes done to the hardware access routines used in InVircible, to suit the newer fast access hard disks and boards (100 MHz and higher). Hardware access is sensitive to timing, and new industry standards were introduced in the last year. Therefore, we recommend that InVircible copies earlier than 6.01D be upgraded. Versions 6.01B and 6.01C still have some slow routines that won't work properly with the newer fast disks. Also, versions earlier than 6.01D still have a routine that conflicts with a design defect in some older models of Maxtor hard drives. The problem has been identified by NetZ Computing and acknowledged by Maxtor. From version 6.01D on there should be no problem anymore, all models of Maxtor included.

ResQdisk improvement: fixing the boot sector via DOS, the ResQdisk ^B function.
There are instances when the boot sector of hard drive #1 is infected and cannot be accessed via regular int 13 functions. Such is the case with the newer large capacity IDE drives. The active partition's boot sector can then be refreshed through the ^B key combination. The ^B function operates on the boot sector the same way that FDISK/MBR does on the mbr: it refreshes the bootstrap code without affecting the BPB data. The ^B function should only be used when booted from the hard drive.
Product upgrade, 6.01D
----------------------

Daily inspection for companion viruses.
Companion virus verification was added to IVB, since IVB runs daily. The same routine is retained in IVscan, for operational redundancy.

The user interface in ResQdisk was improved further. The newer features were grouped in three menus: Edit (accessible by pressing ^E), Track Zero maintenance (^Z) and Analyze sector (^A). Also, the new ^B function was added. The latter refreshes the boot sector of drive C: while accessing it via DOS instead of the BIOS, and is the equivalent of the SYS C: command. The ^B function is helpful in removing boot sector viruses such as Da'Boys, Boot-437, Form etc.

Improved editing features in ResQdisk.
Additional editing features were added to ResQdisk. The sequence ^E ^F reads a file into the sector clipboard, while ^E ^D drops the content of the displayed sector into a file. The combination ^E ^Y decrypts an encrypted sector into the clipboard and displays it on screen. The latter is especially useful for the recovery of damaged hard drives, e.g. from the Monkey virus. It is indispensable for rescuing hard drives lost to inappropriate disinfection procedures, like fdisk/mbr, or inadequate antiviral products. The above further improve ResQdisk as the best disaster recovery and boot-antiviral utility.

Improved "track 0" maintenance features.
ResQdisk is used in the rescue diskette for backing up track zero of the hard disk to floppy and for restoring track zero from file to the hard drive. The "track 0" functions are now available on-line, with the visual inspection of ResQdisk, in both SeeThru modes (backup only; recovery is always done with SeeThru off). The track 0 functions are started by the ^Z key combination, followed by ^B for backup to file or ^R for restore from file.

Compatibility with large capacity IDE.
IVTEST was corrected to ignore the dynamic boot loader of large capacity IDE disks.
Revision 6.01c was compatible only with Ontrack's Disk Manager extended bios drivers (XBIOS.OVL). The new revision is also compatible with other brands recently introduced into the market, e.g. MicroHouse's EZ-DRIVE.

January, 1995

Product upgrade, InVircible 6.01C
---------------------------------

Improved performance in networked environment.
Revision 6.01C has further improvements for the operation of InVircible in the networked environment. All the scanning modules, IVB, IVscan and IVX, were revised to avoid Novell's Netware files. The verification of Netware files under DOS created errors because of the special attributes of Netware's system files. IV's current revision avoids these files.

Automatic IV version upgrades in network.
IVLOGIN can now be used both for the automatic installation of InVircible to workstations in a networked environment and for upgrading an older IV version to a newer one. IVLOGIN checks whether its own version is newer than the one currently installed on the hard drive. An older version is automatically replaced by a new one by just invoking IVLOGIN. It is recommended that the IVLOGIN command always be included in the users' login script in networks.

Improved piggybacking detection.
Revision 6.01C has higher sensitivity of piggybacking detection. The detection threshold has been lowered to detect piggybacking within a few affected files. The improved sensitivity has no effect on speed, since the loss in speed was compensated for with a better search algorithm.

December 1994

Product upgrade, InVircible 6.01B
---------------------------------

Installation of InVircible on networked PCs.
Revision 6.01B has an additional file, IVLOGIN.EXE. As its name implies, its use is from the user login script in networks. When a workstation connects to the network, IVLOGIN verifies whether it has a hard drive, and if InVircible is installed on that disk. If not, INSTALL/FAST is invoked to install IV to the hard disk.
The LAN administrator is required to install IV to the server and add the IVLOGIN command to the user login script. The rest is done automatically.

Install upgrades.
The French version of InVircible now configures the rescue diskette to start with a French keyboard. Install also takes care to REM out the Thunderbyte TSR in the autoexec at the installation of IV. The TB TSR intercepts IV initialization checks and may crash the system. Also, Install will now install the IV registration key to hard drives having the Compaq configuration (see ResQdisk, above).