
Should all extensions be scanned or only selected ones?

The anti-virus scans the COM, EXE, DLL, BAT, DRV, VXD, SYS, SCR, DO? and XL? extensions by default, as these are the file types that viruses can infect.

The option of scanning all extensions enables you to scan all files. This is important because there may be executable files with a non-standard extension, or data files that are really renamed executable files, and these may be virus-infected.

Scanning genuine data files makes no sense, but the scan is performed in order to cover the possibility of a virus giving an executable file a data file extension.

There is one situation in which it is necessary to scan all file name extensions: when the disk is infected and must be disinfected. In this case it is vital to run at least one scan on all extensions to make sure that no copy of the virus, which could re-infect the computer, is left.
When I try to clean it says "File already in use"

This error occurs if you try to clean a file that is open. You should quit all Windows applications before cleaning. It is advisable to reboot the machine from the emergency disk and then remove the virus.
There is not enough memory to run the anti-virus.

DOS works with only the first 640 KB of RAM, as it dates back to the first microprocessors, which could address only 1024 KB of RAM.

Part of this 640 KB is occupied by DOS and by memory-resident programs, and the rest is what remains for applications. If many programs are loaded in CONFIG.SYS and AUTOEXEC.BAT, there will be little memory left for programs that run from DOS, and the anti-virus will display the message "insufficient memory".
When I try to clean a virus it says "BOOT sector write"

The "BOOT sector write" message, or a similar one, means that an attempt has been made to write to the hard disk boot sector. This message is not generated by the anti-virus but by a write-protection utility built into some BIOSes, which can usually be activated or deactivated from the computer's SETUP. It does not necessarily mean that a virus is trying to penetrate the system, only that an attempt has been made to write to the BOOT sector. The agent trying to write to the boot sector may be a virus, a regular program such as the DOS FORMAT or FDISK programs, or the anti-virus itself.
What about files with strange dates and times?

Some viruses change the date and time of the files they infect, setting them to impossible or future values in order to keep count of the files they have already infected. They take advantage of the fact that the DOS DIR command does not show these changes, so the files seem perfectly normal to the user.

Solo anti-virus allows you to scan for these suspicious dates and times, which offer important clues for finding new, as yet uncataloged viruses.

There are, however, other reasons why a file might have a modified date or time without any virus intervention, e.g.:

- It might have come with that date/time from the manufacturer.
- A user might have changed it with a utility program.
- If the system date and time are wrong, DOS will mark all files created or updated with those values.

You should be suspicious if several executable files appear with changed dates and/or times when they were previously correct.

Remember: viruses only infect executable files. Data files cannot be infected.
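As an added illustration (not part of the original FAQ or of the Solo anti-virus product), the following Python decodes the packed 16-bit FAT date and time fields of a directory entry and applies the checks described above: impossible field values and dates that lie in the future relative to a reference date. The directory entries and the reference date are constructed for the example.

```python
"""Flag DOS/FAT file timestamps that a virus may have altered (added example).

A FAT directory entry packs the time into 16 bits (hours:5 | minutes:6 |
seconds/2:5) and the date into 16 bits (year-1980:7 | month:4 | day:5).
DIR prints only hh:mm and a two-digit year, so a seconds field of 62 or a
year pushed 100 years ahead is invisible in a listing yet trivial to test for.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class DosTimestamp:
    year: int
    month: int
    day: int
    hour: int
    minute: int
    second: int


def decode_fat_timestamp(raw_date: int, raw_time: int) -> DosTimestamp:
    """Unpack the two 16-bit fields exactly as FAT stores them."""
    return DosTimestamp(
        year=1980 + ((raw_date >> 9) & 0x7F),
        month=(raw_date >> 5) & 0x0F,
        day=raw_date & 0x1F,
        hour=(raw_time >> 11) & 0x1F,
        minute=(raw_time >> 5) & 0x3F,
        second=(raw_time & 0x1F) * 2,
    )


def encode_fat_timestamp(ts: DosTimestamp) -> tuple[int, int]:
    """Inverse of decode_fat_timestamp; used below only to build the sample listing."""
    raw_date = ((ts.year - 1980) << 9) | (ts.month << 5) | ts.day
    raw_time = (ts.hour << 11) | (ts.minute << 5) | (ts.second // 2)
    return raw_date, raw_time


def suspicious_reasons(ts: DosTimestamp, today: date) -> list[str]:
    """Why a timestamp looks tampered with; an empty list means it is plausible."""
    reasons = []
    if ts.second > 59:
        reasons.append(f"impossible seconds value {ts.second}")
    if ts.minute > 59:
        reasons.append(f"impossible minutes value {ts.minute}")
    if ts.hour > 23:
        reasons.append(f"impossible hour {ts.hour}")
    if not 1 <= ts.month <= 12:
        reasons.append(f"impossible month {ts.month}")
    if not 1 <= ts.day <= 31:
        reasons.append(f"impossible day {ts.day}")
    # Compare as tuples: a datetime cannot be built from fields that may be invalid.
    if (ts.year, ts.month, ts.day) > (today.year, today.month, today.day):
        reasons.append(f"date {ts.year}-{ts.month:02d}-{ts.day:02d} lies in the future")
    return reasons


def scan_listing(entries, today: date) -> dict[str, list[str]]:
    """entries: iterable of (file name, raw_date, raw_time). Returns suspect files only."""
    report = {}
    for name, raw_date, raw_time in entries:
        reasons = suspicious_reasons(decode_fat_timestamp(raw_date, raw_time), today)
        if reasons:
            report[name] = reasons
    return report


# Constructed directory listing and reference date; not taken from any real system.
REFERENCE_DATE = date(1996, 1, 1)
SAMPLE_LISTING = [
    ("COMMAND.COM", *encode_fat_timestamp(DosTimestamp(1991, 4, 9, 5, 0, 0))),
    ("GAME.EXE", *encode_fat_timestamp(DosTimestamp(1991, 4, 9, 5, 0, 62))),  # seconds = 62
    ("EDIT.COM", *encode_fat_timestamp(DosTimestamp(2091, 4, 9, 5, 0, 0))),   # year + 100
    ("NOTES.TXT", *encode_fat_timestamp(DosTimestamp(1995, 12, 20, 17, 30, 0))),
]

if __name__ == "__main__":
    for name, reasons in scan_listing(SAMPLE_LISTING, REFERENCE_DATE).items():
        print(f"{name}: {'; '.join(reasons)}")
```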
What steps should I take to disinfect a virus?

1.- Use the write-protected anti-virus diskette. This will prevent it from being infected or destroyed if the virus is active in memory.
2.- Boot the computer with a virus-free, write-protected boot diskette.
3.- Use the anti-virus on the write-protected diskette to disinfect the virus on the hard disk.
4.- Now reboot from the hard disk and scan all diskettes, to avoid re-infecting the hard disk with an infected program on a diskette.

If in step 3 you find a virus in memory, the boot diskette is infected and therefore cannot be used for this operation.

Bear in mind that the virus must be removed from all files and/or the boot sector, as a single copy of the virus could re-infect the hard disk.

You should never work with a virus in memory. A virus, like any other program, can only get into memory when it is run. When you run an infected program the virus is activated, and that is what we want to prevent by booting from a clean, virus-free boot diskette. When a virus is active in memory it interferes with the operations performed and, at best, it could re-infect cleaned files if you go on working with the computer (without rebooting) after the disinfection is finished.
I detect a virus in memory but not on the hard disk. How come?

You may have previously run another anti-virus program, and pieces of its virus signature files are still in memory. Reboot the system to get rid of the messages.

Some resident anti-virus programs leave decrypted virus signatures in memory, so that when another anti-virus scans the memory it finds a series of "virus pieces", which are just the virus signatures of the resident anti-virus. This sets off a series of false alarms.

Several viruses are usually found in memory in this way. The probability of a computer operating correctly with several viruses active is minimal.

All these details lead to the suspicion that this is a false alarm. Moreover, when the files are scanned, no viruses are found. But for a virus to be in memory, it must have entered the system through a file or through a diskette boot sector.

This may happen with the VSAFE program. While this program is memory-resident you are likely to get false alarms in memory.

Information about old files and totally inert virus strings may remain at the end of file clusters or in free sectors on the hard disk. It might be possible to remove them by reorganizing the hard disk with programs like DEFRAG. If these strings remain in memory in some buffer or disk cache, they may create random false alarms.
What is the use of creating a rescue disk (recovery diskette creation)?

The recovery diskette contains a series of critical data about your computer: MBR (Master Boot Record), BOOT sector, CMOS, etc., as well as the DOS boot files and other utility programs.

If the hard disk does not boot, it is possible that this data (BOOT and MBR) has been damaged. By booting from the recovery diskette and using the Restore option you can reset these mechanisms and regain access to the hard disk. This is possible if there is no major damage. If the data areas have been overwritten, it will not be possible to recover them with this diskette; you would need a backup copy of your data to restore them in this case.

The recovery disk is specific to a particular computer and cannot be used on any other. You should never try to restore from a recovery disk made on another computer. It is not necessary to create a new recovery diskette for each anti-virus update that you install.

However, you will need to create a new recovery diskette if the hardware on your computer changes: if you add or re-partition a hard disk, install a new card or make important changes to your CMOS memory.
What does the heuristic scan consist of?

The heuristic file scan tries to discover possible new, as yet uncataloged viruses that may have infected your system's files.

As the virus to be detected is assumed to be unknown, no strings or routines can be searched for. Instead, a deductive process based on experience with currently known viruses is carried out: executable programs are checked for possible virus activity.

The problem is that a virus is a program like any other and uses the same CPU instructions. A set of instructions performs a specific action, and the set of actions found determines the likelihood of a program being infected.

In the end it is the user's choice whether to act or not on a program tagged as suspect.

It is important to note that it is normal to have some "suspicious" files on your hard disk.

An indication of real virus presence would be to have several files tagged as suspect, especially files that never before had recorded virus incidents, such as DOS programs like FORMAT, MEM and DOSKEY, other operating system programs, or the programs you use most.

By default, the anti-virus is configured for medium-level sensitivity. If you change this to the maximum level, the anti-virus will report all the details it observes, even those of little importance.

With this anti-virus option you can also be informed of hard disk files with strange dates or times and of compressed or vaccinated programs.
I can't install the DOS version.

The problems you may encounter during the installation process are mainly due to two causes:

(1) A diskette read error. This happens when one or several sectors on the diskette cannot be read correctly. Sectors are the storage units in which information is recorded on disks and diskettes. If the information read from the diskette is incorrect due to magnetic or physical disturbance, a mechanism called CRC (Cyclic Redundancy Check) will detect the error.

In this case you cannot proceed with the installation of the anti-virus.

To confirm this situation, you can use a program that checks the diskette surface, such as SCANDISK, or you can simply try to copy the files to another drive. If DOS shows the typical "Cancel, Retry, Ignore?" prompt, the error is confirmed.

(2) Insufficient conventional memory available. Although nowadays computers have several megabytes of RAM, DOS is restricted to using only the first 640 KB. From this figure you have to deduct the memory occupied by the operating system, drivers and memory-resident programs. The most memory is needed when decompressing the files, and if memory is insufficient an error is reported while transferring files.

Trying to free memory can prove complicated if you do not have a thorough knowledge of the DOS operating system, especially if you cannot do without the memory-resident programs you already have. Network and CD-ROM programs are usually the ones that take up most memory.

An easier solution is to use a boot diskette. You can easily create such a diskette by formatting it with the /S parameter. By booting from a basic boot diskette you avoid loading the programs that your AUTOEXEC.BAT and CONFIG.SYS files load from the hard disk. In addition to freeing memory, this avoids interference and conflicts with memory-resident programs.
What are the possible sources of virus transmission?

Diskettes, CDs, e-mail attachments, network cables, telephone cables (if you have a modem) and the Internet.
How many viruses are there currently in the PC environment?

It is estimated that there are more than 3,09000 known viruses. Of course, not all of them are common enough to be considered frequent.
What is the worst a virus can do?

The most destructive operation a virus can perform is formatting the hard disk. Other destructive actions, which are quicker to perform, include the destruction of the FAT (File Allocation Table) and of the disk directories.
What reasons can someone have for creating a virus?

A person can create a virus for several reasons:

- A desire to be admired, even if in a hidden way. This type of virus author feels satisfied by seeing his personal mark in the virus.
- A need to test his personal ability to deceive.
- A desire to damage a specific organization or person. For example, someone may want to damage the company that fired him, and introduces a virus into its systems.
- On rare occasions, they are normal programs that unintentionally go wrong.
- Political reasons.
- A desire to experiment, etc.
Where do viruses insert themselves?

Viruses can infect files with the extensions COM, EXE, DLL, BAT, DRV, VXD, SYS, SCR, DO? and XL?. They may also infect the partition table and boot sectors.
Can viruses always be removed from an infected computer?

The answer is yes. You can always remove viruses with a low-level format of the hard disk and by formatting infected diskettes. The problem is that viruses often infect parts of the computer that contain data you want to keep. Remember that the best security measure is to keep recent backup copies of all your important data.

If the virus is located in the computer's boot system, it can be removed by replacing the infected boot system with a new one.
How can I prevent my computer from becoming infected?

If you only use original programs, do not use diskettes of unknown origin, and do not link up to other computers by cable, by phone, through a network or through the Internet, you will never be affected by a virus. In addition, you should never allow other users to access your computer (use a password or other means of protection).
Can a system be completely immunized against viruses?

It can be partially immunized. Total immunization is impossible, as a virus that defeats every form of protection could always be manufactured. However, the effort of preparing a virus of this type would be so great that in practice it is possible to create highly effective anti-virus programs.
How long do viruses take to reproduce themselves?

It depends only on the virus itself. In general they try to infect as fast as possible, although in many cases they can only infect under certain circumstances, such as on specific dates or in specific files. They also try to avoid infecting the same file more than once. The speed of infection also depends in part on the type of virus in question; in particular, it depends very much on whether the virus is memory-resident or not.
When does infection take place?

- When an infected program is run, the virus code is executed first. This is the occasion the virus uses to infect one or more files.
- When an infected file is executed, the virus becomes memory-resident. From this moment on it can control system operations and take advantage of any circumstance to carry out an infection.
- When running an infected program.
- When copying files.
- Under certain specific circumstances, such as a given time or date.
Where are viruses located within files?

Viruses can position themselves:

- At the beginning of the file: the virus moves the original program. In the case of a COM file, it is clear that when the program is executed the virus will take control, as it occupies the first position in the infected file. In the case of an EXE file, the virus needs to change the EXE header to indicate that the first instruction to be executed is the one located within its code.
- At the end of the file: this is the most common case. The virus attaches itself to the end of the original file. In the case of a COM file, the virus needs to insert a jump instruction. In the case of an EXE file, the virus needs to change the program header to indicate that the first instruction to be executed is the one located within its code.
- In the middle of the file: this is less common, as the virus has to do extra work to obtain the same results. The only advantage of this method is that it avoids detection. In the case of a COM file, the virus needs to insert a jump instruction. In the case of an EXE file, the virus needs to change the program header to indicate that the first instruction to be executed is one located within its code.
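Added example, not code from the original FAQ: a small Python inspector that reads the entry point of a COM file (a leading JMP) or an EXE file (the CS:IP fields of the MZ header) and reports when control passes to the tail of the file, the layout left by the "end of the file" case described above. The COM and EXE images are constructed stand-ins built by the script itself, and the 50% tail threshold is an assumption of the example.

```python
"""Inspect where a COM or EXE program first transfers control (added example).

An appending infector leaves a telltale layout: the COM file starts with a JMP
into the tail, or the EXE header's CS:IP points there. Legitimate programs
can look the same, so a hit is a lead for the heuristic, not proof.
"""
from __future__ import annotations

import struct

TAIL_FRACTION = 0.5  # assumption of this example: the 'tail' is the last half of the file


def com_entry_offset(data: bytes) -> int | None:
    """File offset reached by a leading JMP, or None if the file has no leading JMP.
    COM files load at CS:0100h, so file offset = target address - 0x100."""
    if len(data) >= 3 and data[0] == 0xE9:  # JMP rel16
        return 3 + struct.unpack_from("<h", data, 1)[0]
    if len(data) >= 2 and data[0] == 0xEB:  # JMP rel8
        return 2 + struct.unpack_from("<b", data, 1)[0]
    return None


def exe_entry_offset(data: bytes) -> tuple[int, int] | None:
    """(entry point file offset, image size declared by the header) for an MZ file."""
    if len(data) < 0x18 or data[:2] != b"MZ":
        return None
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)   # bytes in last page, page count
    e_cparhdr = struct.unpack_from("<H", data, 8)[0]    # header size in 16-byte paragraphs
    e_ip, e_cs = struct.unpack_from("<HH", data, 0x14)  # initial IP and CS (relative)
    image_size = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    return e_cparhdr * 16 + e_cs * 16 + e_ip, image_size


def entry_point_report(data: bytes) -> list[str]:
    """Findings for one file; an empty list means nothing unusual was seen."""
    notes: list[str] = []
    if data[:2] == b"MZ":
        parsed = exe_entry_offset(data)
        if parsed is None:
            return ["EXE header is truncated"]
        entry, image_size = parsed
        kind = "EXE"
        if image_size != len(data):
            notes.append(f"header declares {image_size} bytes but the file has {len(data)}")
    else:
        entry, kind = com_entry_offset(data), "COM"
        if entry is None:
            return notes  # execution starts at the first byte; nothing to follow
    if not 0 <= entry < len(data):
        notes.append(f"{kind} entry point offset {entry} lies outside the file")
    elif entry >= len(data) * TAIL_FRACTION:
        notes.append(f"{kind} entry point at offset {entry} of {len(data)}: "
                     "control passes to the tail of the file")
    return notes


# Constructed sample images built here; stand-ins, not real programs or viruses.
HOST_CODE = b"\xB4\x4C\xCD\x21"  # mov ah,4Ch / int 21h: a host program that just exits
CLEAN_COM = HOST_CODE.ljust(400, b"\x00")


def build_com(host_len: int, tail_len: int) -> bytes:
    """A JMP over a host body of host_len bytes into a NOP-filled tail of tail_len bytes."""
    host = HOST_CODE.ljust(host_len, b"\x00")
    return b"\xE9" + struct.pack("<H", host_len) + host + b"\x90" * tail_len


def build_exe(body_len: int, tail_len: int, entry_cs: int, entry_ip: int) -> bytes:
    """32-byte MZ header, zero-filled body and NOP tail, with CS:IP as requested."""
    total = 32 + body_len + tail_len
    header = bytearray(32)
    header[0:2] = b"MZ"
    struct.pack_into("<HH", header, 2, total % 512, (total + 511) // 512)
    struct.pack_into("<H", header, 8, 2)  # header size: 2 paragraphs
    struct.pack_into("<HH", header, 0x14, entry_ip, entry_cs)
    return bytes(header) + b"\x00" * body_len + b"\x90" * tail_len


if __name__ == "__main__":
    for label, image in [("clean COM", CLEAN_COM), ("appended COM", build_com(400, 120)),
                         ("clean EXE", build_exe(400, 0, 0, 0)), ("appended EXE", build_exe(400, 120, 25, 0))]:
        print(label, entry_point_report(image) or ["nothing unusual"])
```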
What is the latency and activation status of a virus?

While a virus is being transmitted it remains latent. A virus cannot reproduce itself or destroy information if the computer is switched off. Once in the computer, a virus cannot do anything until the file or program that carries it is executed. At that point the virus takes control, and what happens then depends completely on the type of virus in question.
What symptoms can be observed that indicate the presence of a virus?

The most common symptoms are the following:

- The computer becomes slower.
- Files increase in size.
- File dates or times are incorrect.
- Available memory is reduced.
- Some programs can no longer be run.
- New files appear with the same name as existing ones.
- Available disk space is reduced.
- Disk directories appear to be damaged.
- The boot system seems to have changed.
- Some files show information from other files.
- The computer locks up.
What are the advantages of having 4, 8 or more MB of RAM?

From DOS version 5 onward, most of the operating system can be loaded into high memory, and this is done by default, leaving more conventional memory available for other programs. You can also load some memory-resident programs above the 640 KB barrier (but below 1024 KB) using the facilities offered by the newer microprocessors.

To load programs into high memory you can use utilities like MEMMAKER or RAMBOOST, which are widely available or included with the operating system.

You can also use the extra memory as expanded memory to run large programs, or as extended memory, which is very useful for disk cache buffers or virtual disk programs.

The possibility of using extended memory directly to run programs is only available with more advanced operating systems and environments, such as OS/2 or Windows, which use the latest features of the newer microprocessors.
What are the non-destructive effects caused by viruses?

These effects include:

- Occasional display of on-screen messages.
- Erasure or modification of on-screen data.
- Music.
- Interference or difficulties with printer output.
What are the destructive effects caused by viruses?

These effects include:

- Disappearance of files.
- Formatting of some disk sectors or tracks.
- The system does not boot.
- The disk seems to have no data on it.
- The system does not recognize a disk drive.
Why do viruses become memory-resident?

A memory-resident program stays hidden from the user's view. The virus remains hidden while the system works and takes advantage of any occasion to infect other parts of the computer.
How does a virus become memory-resident?

There are several ways for a virus to become memory-resident:

- It can use the normal DOS resources. This method has the drawback that the area occupied by the virus can be viewed with a utility program that shows the memory map.
- It can search for holes in the operating system area so as not to be detected by memory maps.
- It can manipulate the operating system's memory block allocation to make it believe that there is less memory available than there really is.
How can a server file be infected?

There are several possible causes:

- It was copied directly from a workstation.
- It was copied from a removable disk on the server itself.
- A backup copy that contained infected files was restored.
- The file was infected when used on a workstation with an active virus.
- It reached the server through a communications port.
What are the most important issues to take into account in order to maintain server integrity?

The main issues to be taken into account are:

- Make periodic backup copies.
- Use network privileges to prevent changes to executable files.
- Never use the server as a workstation.
- Only install original software, or software from a reliable source.
- Disable diskette booting (in SETUP).
What techniques does the anti-virus use to detect viruses?

The techniques are the following:

- String Search.
- Algorithmic Search.
- Heuristic Search.
What is a String Search?

As a virus is a program that consists of code and data, the first step in detecting a virus in a file is to search within files for a unique piece of its code or of its data.

This method is reserved for simple viruses. Although the string search technique is not considered foolproof, it is still the basis of most anti-virus programs.
What is an Algorithmic Search?

This technique consists of determining whether a file has been infected by observing certain parameters that commonly appear in infected files.

This is a secondary detection method.
What must an anti-virus package contain for it to be complete and effective?

It should contain the following features:

- A quick, highly precise detection system.
- In addition to the traditional virus-signature search method, a complementary search method that enables it to find unknown viruses: heuristic and investigation methods.
- It must be able to disinfect as many viruses from infected files as possible. Disinfection needs to be reliable and must not affect the original file.
- It should have an isolation mode that allows it to operate safely in environments where there is an active virus.
- It must be easy to use. Reliability and power do not necessarily mean complexity of use.
- After-sales service. Professional help can be very valuable when viruses are encountered.
Is it possible to manufacture a virus that cannot be detected by an anti-virus?

It is possible to create a virus that would be very difficult for an anti-virus to detect. This is because anti-virus programs assume that viruses always behave in a similar fashion. But new viruses are now appearing that mutate as they infect, so that they cannot be identified as a known virus. Nevertheless, they can be detected by other means, such as heuristic analysis, which analyzes the file rather than simply searching for a virus signature.
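Added example (not code from the original FAQ or from the Solo anti-virus product) that ties together three passages: the default extension list from "Should all extensions be scanned", the string search described under "What is a String Search?", and the mutation problem discussed just above. It is a Python signature scanner with "??" wildcard bytes run over constructed samples; the signature strings, file names and sample bytes are invented for the example and are not real virus signatures.

```python
"""A minimal string-search scanner with wildcard bytes, plus the extension filter.

Every signature, file name and byte string below is constructed for this
added example; none is a real virus signature.
"""
from __future__ import annotations

import fnmatch
import re

# Default extension list quoted in the FAQ; '?' matches one character (DO? -> DOC, DOT).
DEFAULT_EXTENSIONS = ["COM", "EXE", "DLL", "BAT", "DRV", "VXD", "SYS", "SCR", "DO?", "XL?"]

# Signature = hex bytes separated by spaces; '??' stands for any single byte.
SIGNATURES = {
    "DEMO.Appender": "8B 1E ?? ?? B9 05 00 CD 21",
    "DEMO.Marker": "53 4F 4C 4F 2D 54 45 53 54",  # the ASCII text "SOLO-TEST"
}


def should_scan(filename: str, all_extensions: bool = False) -> bool:
    """Apply the FAQ's default-extension rule, or accept every file when asked."""
    if all_extensions:
        return True
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    return any(fnmatch.fnmatchcase(ext, pattern) for pattern in DEFAULT_EXTENSIONS)


def compile_signature(pattern: str) -> re.Pattern[bytes]:
    """Translate 'B9 05 ?? CD' into a bytes regex that matches at any offset."""
    parts = []
    for token in pattern.split():
        parts.append(b"." if token == "??" else re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: '.' must also match 0x0A


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan_bytes(data: bytes) -> list[tuple[str, int]]:
    """(signature name, offset) for each signature occurrence, ordered by offset."""
    hits = [(name, m.start()) for name, rx in COMPILED.items() for m in rx.finditer(data)]
    return sorted(hits, key=lambda hit: hit[1])


# Constructed samples. Offsets: JMP (3) + filler (16) = 19 -> pattern A at 19, marker at 28.
CLEAN_SAMPLE = b"\xB8\x00\x4C\xCD\x21" + b"\x00" * 40
INFECTED_SAMPLE = (b"\xE9\x10\x00" + b"\x00" * 16
                   + bytes.fromhex("8B1E3412B90500CD21") + b"SOLO-TEST")
# Variant 1: only the two wildcard bytes differ -> still matched by DEMO.Appender.
WILDCARD_VARIANT = INFECTED_SAMPLE.replace(bytes.fromhex("3412"), bytes.fromhex("7856"))
# Variant 2: one fixed byte differs -> DEMO.Appender misses; this is the mutation problem.
FIXED_VARIANT = INFECTED_SAMPLE.replace(bytes.fromhex("B90500"), bytes.fromhex("BA0500"))

if __name__ == "__main__":
    for label, data in [("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE),
                        ("wildcard variant", WILDCARD_VARIANT), ("fixed-byte variant", FIXED_VARIANT)]:
        print(f"{label:20s} {scan_bytes(data)}")
    print("LETTER.DOC scanned by default:", should_scan("LETTER.DOC"))
```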
Can an anti-virus damage my computer?

The answer is no. The only exception to this could be the file disinfection operations. The disinfection of a virus requires extreme care so as not to affect the application, for instance when a virus is identified as a different one (which is relatively frequent given the many variants that exist). Disinfection may then be carried out incorrectly, thereby damaging the infected file.
What method is used for disinfecting viruses in a network?

To clean a network you need a clean system boot diskette and an anti-virus that is capable of detecting and removing that specific virus. Then proceed as follows:

- Boot a workstation from the clean system boot diskette.
- Use the anti-virus to clean it completely. Remember to scan all extensions in case an infected executable file has been renamed.
- Log in to the file server as Supervisor or Administrator.
- With the FCONSOLE utility, or from the server console, prevent new connections to the server and cancel existing connections (in versions 4.x you need to do this from the file server console).
- Re-run the anti-virus to scan and clean all server volumes. If a virus is detected in memory during this scan, this indicates that LOGIN.EXE or other programs are infected (this should never happen if their original attributes were conserved). In that case you would need to start again from the beginning, after copying all the programs necessary for connecting to the file server, including FCONSOLE, to the local disk.
- Then clean all workstations on the network one by one, as indicated in the first two steps of this section.
What features must anti-viruses have in order to successfully combat macro viruses?

These features can be classified into two groups:

- DETECTION
  - Multi-platform detection: macro viruses must be detected on all platforms supported by the anti-virus.
  - Integrated detection: this refers to improving the performance of the anti-virus, in this case by adding the ability to scan macro documents on different platforms.
  - Automatic detection: macro viruses should be discovered automatically when an infected document is about to be copied or opened.
  - Specific detection: it is also advisable that the anti-virus be capable of identifying macro viruses by their specific characteristics, i.e. by name and type.
- DISINFECTION
  - Integrated disinfection: disinfection should be performed from the anti-virus itself. There should be no need to use other complementary tools, because of the confusion caused by the treatment of the different types of viruses.
  - Specific disinfection: the disinfection of macro viruses should not be generic, as this leads to the removal of good macros as well as damaging ones.
  - Data reconstruction: the anti-virus should not limit itself to removing virus-infected macros. It also needs to repair the damage and changes that may have been caused.
