As such this document contains a lot of preventative measures and advice for various decision making circumstances. This is the reasoning behind the name of this document and behind it's format, as it is not intended to go into detailed technical minutiae (unless warranted by obscure and unbelievable circumstances) but instead to be an average-joe-friendly document regarding secure measures for virus prevention, detection, and recovery. Unfortunately it's not possible to get away with a complete lack of technical terms - anything I feel isn't obvious I will explain in the glossary at the end.
This is sort of an anti-FAQ, I don't present questions and then answers as I don't feel that type of presentation is appropriate to reach people who might not be sure they even need to know about this stuff let alone have specific questions.
I'm also not going to go into great detail about what a virus is, many documents already do that and the average person probably doesn't need to know that.
A virus is just a kind of program (it can be any kind of program, not just an *.exe / *.com file) and it has to be executed before it can do anything. The two defining characteristics are that it has to self-replicate (make copies of itself) and it requires a host program to execute the virus when the host gets executed.
Now for a list of ingredients for an AV strategy.
Why should you back up your hard drive? Besides the obvious threat of virus infection, there's also trojan horses, accidental deletion, corruption due to buggy software, corruption due to power spikes, corruption due to media failure, etc... Somewhere, at some point you WILL need to restore from back ups, regardless of what precautions you take.
What should you back up? Everything that you don't fully intend to delete (which includes that which you're ambivalent about - you may find a use for that pop-up 4 digit display calculator yet!). Default program files are a must for backing up; personal data files can be remade to a large extent but remaking the programs themselves is beyond the abilities of most of us, you'd have to find them (or buy them) all over again.
To save yourself hassle, though, personal data files should be backed up too - but as you probably realize, data files change a lot so obviously they need to be backed up regularly while programs themselves (which for the most part shouldn't change at all) need only be backed up once. For this reason it may (especially if you're doing the backup manually) be easier to keep the two types of backups separate and save yourself a lot of redundant effort.
Program backups (backups of the software itself) should likely be made as soon as you acquire the software (scan it first though). Data backups should be made on a regular basis, the interval between backups being dependant on the average rate at which new data is generated and the value of that data (ie. in a system where incredible amounts of very valuable data are being produced, backups would probably take place every day at least; a single home user who might generate a new text file every week containing his/her shopping list probably wouldn't need to backup that data more than once a month if at all but thats an unlikely and rather artificial example). Data backups can also be amalgamated (grouped together) into sets and stored for extended periods of time before being replaced by the next set of data backups so that small errors that grow with time but go unnoticed in early stages (like what might occur on a system with a data diddler on it or simply with progressive file corruption) don't contaminate the only backups you have and render the data completely lost. In essence, you'd have a fixed number of backups and the oldest one would be replaced by the one you just made.
Backups can (obviously) be made on any writable media other than the hard disk (there'd be no point in storing the copy in the same place as the original as the copy would be just as insecure as the original), that includes floppy disks, tape cartridges, magneto-optical-erasable or floptical disks, SyQuest disks, Iomega ZIP or JAM disks, or even on paper (though that would be tedious to restore to the hard drive should it get lost - and you'd use up paper each time you made a new backup). There are more extensive systems that make use of methods beyond the scope of what we would conventionally think of as a backup (such as file mirroring on separate media) but such systems are costly and few average users would require such extensive measures.
Unfortunately every system is different and has different requirements, and data has different value in different contexts so no hard and fast rules about backups are possible - in this document it is only feasible to stress their importance and give some general tips.
To make a recovery disk set:
[BOOT disk]
You should now patch A:\IO.SYS by executing the commands
"ATTRIB -R -S -H A:\IO.SYS" and "DEBUG A:\IO.SYS". You should now
see a '-' prompt, type "d 2a18 2a1a" and press return. You should
see "07 72 03" somewhere around the middle of the output line. If
this is the case type the following lines:
If at any point where it says "you should see" if you didn't then press enter until you get a '-' prompt, type "q" and then "ATTRIB +R +S +H A:\IO.SYS". If you were unable to perform this patch it doesn't matter all that much as is needed only in relatively rare circumstances. *1* See the end of this section.
2) Copy FORMAT.EXE on to the floppy (not for removing viruses but for creating more recovery disks in case you need to do so when your system is "dirty"). Copy DEBUG.EXE, SYS.COM, and FDISK.EXE to the floppy for disaster recovery (not necessarily viral) for which you will require instructions from an expert should such recovery become necessary.
3) Copy HIMEM.SYS onto the floppy and create a CONFIG.SYS file on the
floppy containing this:
device=a:\himem.sys
dos=high
4) Write protect the disk (on 3-1/2" disks that means you can see through the hole, on 5-1/4" disks this means the notch is covered) so that if the disk is inserted into an infected system while a virus is active the virus cannot infect the disk and render it useless.
5) Write down all the configuration information in your CMOS memory down on a peice of paper to be stored with your recovery disk(s). (CMOS memory holds configuration information and can usually be accessed on 286+ computers during bootup by pressing 'Del' or 'Esc' during the memory test.)
6) Clearly label the disk with a meaningful name (ie. Recovery Disk : Bootable DOS 6.x)
7) Repeat this process (without the patch) on a clean Win95 system if you need a Win95 boot disk (ie. if you're going to be working on a Win95 system).
9) Copy a backup of your clean Master Boot Record (MBR) and DOS Boot Sector (DBS) on to the second floppy along with a program to restore them to their proper locations. You will require special software to make these backups as the MBR and DBS are not files and can not be located inside of a filesystem.
10) Write protect this disk as you did the first one and give it a meaningful label.
12) Write protect this disk as you did the first and give it a meaningful label.
2) Using the file decompression program on a recovery disk (specify the full path to be sure - ie. A:\PKUNZIP.EXE) decompress the new version of the anti-virus product on the hard drive.
3) Remove the write protection from the recovery disk containing the old version of the anti-virus product, insert it into the drive and copy the necessary files from the new version to the disk (overwriting the old files in the process).
4) Replace the write protect tab on the disk in the write protected position. (on 3 1/2" disks this means you can see through the hole, on 5 1/4" disks this means that the notch in the side is covered)
2) Decompress the new compression program (usually they come in self-extracting executable archives so all you have to do is execute that - assuming it's already been scanned).
3) Remove the write protection from the recovery disk containing the old version of the compression program, insert it into the drive and copy the necessary files from the new version to the disk (overwriting the old files in the process).
4) Replace the write protect tab on the disk in the write protected position. (on 3 1/2' disks this means you can see through the hole, on 5 1/4" disks this means that the notch in the side is covered)
*1*
This process (in particular the patching of A:\IO.SYS) is necessary
to deal with a security loophole that has existed in MS-DOS since
version 3.2 which would hang the computer when booted from the hard
disk or from a floppy disk.
The bug does not exist in current versions of PC-DOS or most other non-MS operating systems so those can be used instead without the patch (effectively the batch file should be reduced to include only the first line in that case). In the case of Win95 users, I still suggest using a DOS 6.X recovery disk to start because the above patch may not work on Win95 and also because Win95 leaves a copy of the MBR in a memory buffer even after a clean boot from a floppy - which can interfer with the user's ability to use anti-virus products on the drive (it causes false alarms in the case of MBR infections). A bootable Win95/DOS7.x should be made aswell if that is the operating system your computer is running on - so that you can deal with the newer filesystems and long filenames if you have them.
A regular clean boot is a requirement for secure anti-virus scheme because, in essense, the code that gets control first wins. If a virus is already actively running in memory when a user attempts to apply a software based anti-viral technique it is possible for the virus to circumvent that technique, regardless of what it is or how complex it is. The virus can do this before the software is allowed to run or during the operation of the anti-viral software. A clean boot is a hardware based anti-viral technique for removing all possible viruses from the computer's memory so that subsequent software based av techniques can't be actively circumvented. In theory is absolutely secure if you know that the disk you're booting off of is clean but there's a problem.
There exists a mechanism by which a virus can make sure it gets loaded even when a simple clean boot is performed. It isn't magic, although it may seem impossible at first. What happens is that a virus (typically an MBR infector) making use of this technique changes the computers CMOS to make sure that the computer attempts to boot off of the hard drive (thus executing the virus) before checking the floppy drive (the default behaviour, the behaviour necessary for a true clean boot, is the reverse of this) regardless of whether or not a disk is put into drive A:. Apon detecting the disk in drive A:, the MBR infector would continue the boot from the floppy disk (instead of continuing from the hard disk) and make it seem to the user as if s/he had just booted from the floppy. It is now necessary to check an make sure this hasn't happened on your system when you perform a clean boot.
As such the verified clean boot is as follows:
2) Insert a bootable recovery disk into drive A:.
3) Then turn the computer back on.
4) While the memory check is being performed press the key to bring up the CMOS configuration menu (it should say which key to press - usually it's either Del or Esc).
5) Verify that drive A: is installed and that it is the first drive that the computer attempts to boot from (ie. make sure it's at the begining of the boot sequence). Also turn off the BIOS virus protection if it's activated. If the BIOS virus protection was set on and/or the boot sequence was reversed deliberately for protection (which is wise) they can be reset to those states after you're done looking for viruses.
6) Exit from the configuration (saving any changes you needed to make) and continue with the clean floppy boot process.
Scanners are the most widely used type of av product and the most convenient because, if used properly, they can catch a virus before it has a chance to affect your system and save you the trouble of restoring your system to it's original condition. Some more advanced scanners also know how to look for code that is commonly used in viruses and thus alert you to the presence of a possible new virus. This is called heuristic scanning and it doesn't always work as advertized (it doesn't detect all new viruses and sometimes it detects what it thinks "might" be a virus where there isn't one). Never the less it's very useful technology and most of the better av products out there now have heuristic capabilities.
b. Integrity Checkers - These are considered the most secure type of anti-virus product even though in the most general sense it is not an anti-virus product. Integrity checkers detect changes to files and/or other system areas (like the MBR or DBS). Viruses (all viruses) have to change something to infect - if they just sit there, they aren't viruses, this is why integrity checking is useful as an anti-virus measure because they can detect ALL viruses, not just the ones in it's database. Unfortunately integrity checkers can't tell you the name of the virus (or even if it really is a virus - unless you use it to watch the virus produce offspring) and they can only detect the virus AFTER it's done something, so that you won't know there is a virus there until after you've become infected. Also, an exhaustive check of the integrity of everything on a system can be time consuming so these generally shouldn't be used too often or productivity could suffer. A lesser known implementation is directed integrity checking which checks only certain key system areas and/or likely viral targets.
d. Memory Resident Integrity Checkers - These are like memory resident scanners except that they perform the function of an integrity checker instead. They also have the same drawback as the memory resident scanner with regards to using up system memory and slowing down the computer, but if properly used some can prevent all changed or as yet unvalidated software from being executed (ie. execution of new software won't be allowed until you first check the software and generate integrity information for it).
They are open to attack from multipartite infections, however, as the boot infector instance of the multipartite virus will execute before the memory resident integrity checker.
e. Behaviour Blockers - These are memory resident programs that monitor system activities looking for anything that might be considered virus activity. These can also be circumvented and since viruses don't use any techniques unique to viruses, behaviour blockers can warn you of a process even if it isn't viral.
f. Bait Files - These are used to catch viruses in the act of infecting (the bait files themselves). They aren't particularly useful as they can only catch certain types of viruses and even then not always. They are much more useful to researchers who are studying the a particular virus and can thus make a bait file with specific, intelligently chosen characteristics.
g. Immunizers - Despite the name, these aren't very useful at all. These are programs that add self-integrity checking code to all your programs. This causes problems when such code is added to a program that already checks it's own integrity (the program will no longer run since it's been altered by new self-integrity checking code) and this method can easily be circumvented by simply overwriting the file when the virus infects it.
The second most important thing to remember is to update your software regularly. Scanners typically come out with new versions or new definitions files every month or so (there is one that does so every week). Integrity checkers and other generic av software are often updated less frequently, but keeping up to date is no less important in those cases. As a general rule of thumb, unless you are keeping constant tabs on the industry (thus making sure you hear about new releases when they happen) don't go more than 2 months without looking for a more recent version of your main av software. The detection rate of the current version of your scanner can go down by as much as 10% or more over that period just from the number of new viruses that come out each month.
At the moment I am aware of 6 basic layers that may or may not need to be addressed depending on the needs and capabilities of the system:
b. Preventative Filtering - Scanning of all incoming materials (software downloads, disks and CD's, even new computers) to weed out those few that are infected.
c. Virus-Specific System Monitoring - Checking everything you access or execute for viruses (as filtering may miss droppers or you may have filtered improperly or forgotten).
d. Full Integrity Checking - The use of integrity checking to detect new unknown viruses that would remain undetected by virus-specific methods like scanning, and for locating viral changes such as files corrupted by a virus' payload. Should be done from a recovery disk.
e. Generic System Monitoring - Using generic techniques (such as directed integrity checking and/or baiting) to monitor key system areas and/or likely viral targets. This should ideally be less computationally intensive than a Full Integrity Check as it is meant to partially replace it and hopefully lessen the performance hit that regular Full Integrity Checks would have.
f. Recovery - Restoring programs, data, and the system in general to its original uninfected state.
You can run one of the memory resident anti-virus products and/or generic system monitors aswell.
2) Reception of new software or disks or computer - Scan all new materials coming into your system. Unpack compressed archives and scan inside those (some scanners can do this by default with a number of types of compression). Use a program like UNP to decompress and/or decrypt runtime compressed/encrypted executables and scan inside those (few scanners can do this automatically). If these seem like measures you aren't sure you can remember to follow every time you might want to get a hold of a program called THDPro (along with all those unpacking utilities and scanners), as it will automate much of this (and more) when correctly installed. It won't automate everything though, you still have to tell it what to scan, when you want it to check something - you can't rest on your backside, there is no fully automatic security.
Then backup the new software (if warranted).
<There are alternatives to THDPro, but be sure that the product you choose is at least comparable to THDPro in terms of it's wide range of scanners and compression types it can handle. Some newer scanners, notably AVP, do have comparable functionality to THDPro.>
3) Scanning the entire computer - Perform a verified clean boot from the recovery disk with the scanner on it and execute the scanner. This allows you to scan your files in a clean environment so that viruses can neither hide from the scanner nor use the it to aid in infecting every executable on your hard drive. It isn't often necessary to scan the entire computer, usually only when you update your scanner, or if integrity checking starts turning up changed executables - otherwise step #2 should stop all known viruses before they get into your system.
In the case of major device driven media (such as a Stacker, Doublespace, or Speedstor drive) where the device drivers necessary to access them aren't loaded during the verified clean boot - scan the computer using the method above, and when everything turns up clean reboot from the hard drive so that those drivers are loaded up but nothing inside the device driven media is executed and then use the scanner on the floppy to scan the device driven media (or if you're clever, put the device drivers on the the recovery disk so that you can access them after the clean boot - but beware, this takes up space that could otherwise be used by anti-virus software).
In the case of Win95, perform the the above mentioned clean boot with the DOS 6.x boot disk and scan or otherwise check the MBR and DBS for viruses. Then boot from the Win95/DOS 7.x boot disk and check the rest of the computer.
4) Integrity checking the entire computer - Again, perform a verified clean boot from a recovery disk (so that stealth viruses cannot circumvent the integrity checker) insert the disk with the integrity checker and integrity data into the floppy drive and check the system. This should be done regularly regardless of whether or not the target system gets a lot of new files (integrity checking is a good all around security measure, and besides which a time bomb in a very old file could activate).
There may be some question as to whether the disk with the integrity checker and data on it should be write protected or not - it should except when you intend to actually use it (ie. remove the write protection just before executing the integrity checker and then restore it when the integrity checker has finished). This is so that it doesn't get infected if it's accidentally put in the drive when you haven't yet performed a clean boot (ie. you might put it in by accident).
5) Disinfecting your system - Perform a verified clean boot and insert the disk with the scanner on it and execute the scanner. Use it to identify all infected objects on your hard disk. Use the identification the scanner gives you to find out information on the virus (such as data damaging effects other than infection - so that you'll know whether it's likely that it's started to affect the integrity of your backups - most viruses don't have such effects however). Delete those affected objects and replace them from backups. The disinfection capabilities in anti-virus software is not perfect and can wind up screwing up a file even more, thats why even the people who create the software suggest that you remove viruses by deleting and replacing from known clean backups. The disinfectors are to be used only if there's no other way.
If it's the MBR or bootsector that's infected, restore it from the backups of them that you have on a recovery disk. If you don't have a backup of your bootsector or MBR it will be necessary to use the disinfection capability of your anti-virus program. These viruses will infect floppies so it will be necessary to scan your floppy disks and recover from those additional infections.
After everything is clean and working properly again, send the company who makes your anti-virus program a note saying what virus you had, how you cleaned it up, and how much you appreciate their efforts in creating such great anti-virus tools. This will improve their figures regarding which viruses are in the wild and how prevalent they are, aswell as giving them an opportunity to have someone reply if their's any additional procedures you should have used or anything they feel you need to be made aware of. It also makes some of them feel good to get the appreciation they so much deserve.
6) Dealing with a recurring infection - Consider the possibility that you haven't managed to clean up the infection entirely the first time or that you have a dropper that was able to slip through step #2. Bootsector and MBR infectors will infect floppy disks aswell so after recovering the hard drive, check all your floppies. If it's a recurring file infection it could be that you weren't strict enough with your security and the backups got infected, or you could have a dropper. Scan your all your backups (program and data backups since macro viruses infect document files and they would be in your data) to eliminate the possibility of infected backups and then use one or more of the memory resident anti-virus products to hunt down droppers by executing all your files one by one (droppers are files that contain viruses but are designed so that scanners can't see the virus even if it's a virus the scanner knows about). When you finally execute the dropper the memory resident av programs should warn you that the program is trying to do something you may not want it to do.
If all this fails, question whether step #2 is being followed strictly enough in all circumstances (you could be getting infected files over and over again from someone you would otherwise 'trust' - if so they should be alerted about the infection so that they can clean up their system)
Test bed integrity - Magazines tend not to check to make sure what they think are viruses are actually viruses. This check involves making sure each sample will infect something and that the newly infected file in turn will infect something else. For all those samples that don't do this their code must be checked by hand to see if it really is a virus that just isn't compatible with the particular hardware or software being used. Doing this for nearly 12,000 viruses is beyond the scope of almost every magazine (there are one or two specialty magazines/publications that is dedicated to the anti-virus industry that should be capable of this) and most private individuals aswell.
Rating criteria - Magazine tests tend to rate detection of viruses as having almost equal importance to user-friendly interfaces and scanning speed. A scanner is a security product, the security it provides is in it's ability to detect viruses - therefore it's virus detection rate is of prime importance, the interface and the speed are only important if they happen to be incredibly poor (thus making an otherwise excellent product practically unusable).
Products tested - Magazines tend to test a very limited number of products, maybe as much as 25% of them in most cases leaving you to guess about whether or not one of the ones they didn't mention is far superior to all the ones they did mention.
Virus Research Unit
[Uni-Tampere]
http://www.uta.fi/laitokset/virus
Virus Bulletin
[Industry Periodical]
http://www.virusbtn.com
Secure Computing
[Industry Periodical]
http://www.westcoast.com
You can't get infected by a virus from 'reading' email.
No known virus has ever intentionally damaged hardware, nor is it likely that they will do so in the future.
It is never necessary to format a hard drive to get rid of a virus, in some instances this method won't even work.
Do not use the command "FDISK /MBR" unless specifically told to do so by the author of an anti-virus product (and sometimes not even then).
There is no "best" anti-virus product and there likely never will be one, there are only very good products and products you should probably just ignore.
CMOS memory cannot be infected, only corrupted.
Clean/Dirty - Words used to describe the state of infection that a environment exhibits. A computer with no infection present is clean and a computer with one or more infections present is dirty. This can also be applied to floppy disks, boot processes, etc.
CMOS - Complimentary Metal-Oxide Semiconductor: Used in IBM PC/AT compatibles as a battery driven type of memory to store the setup/configuration information about that computer.
Companion Virus - A specialized type of virus that doesn't modify its host. Instead it creates its own file with the same file name as the host but a different file extention that DOS will execute first.
CRC - Cyclic Redundancy Check: A technique for producing a string of bytes that represent the input file (the string is usually much smaller than the input file). The string of bytes are unique enough to be used to distinguish one file from another (and thus are useful for checking if the file changes as it would change the file's CRC value). Checksums and cryptographic hash algorithms are roughly equivalent to this.
DBS - DOS Bootsector: This peice of code is part of the operating system (in this case part fo DOS). It loads the operating system's kernel.
DEBUG.EXE - A program that comes with MS-DOS and is usually located in the DOS directory.
Decompression - The reverse of the act of compression. In a computer environment data and programs can be digitally compressed so as to take up less storage space, but they must be decompressed to be used.
Dropper - A program with a virus infected file hiden inside in such a way as to escape detection by scanners until the dropper is executed and injects the virus into the system.
Generic - In anti-virus terms it is used to categorize techniques that don't require specific knowledge about the particular viruses they can detect.
Infector - A word to indicate that a certain thing is a virus, usually when declaring what type of virus it is (ie. a file infector is a virus that infects files).
Kernel - The main controller part of the operating system.
MBR - Master Boot Record: This is a peice of code that makes sense out the various drives you might have on a single physical hard disk and passes control to the bootsector on the appropriate logical drive.
Media - Something which information is represented/stored in/on.
Memory Resident - A term used to refer to the ability to remain active in memory while the computer goes on to perform other tasks (equivalent to TSR - Terminate and Stay Resident).
PATH - An environment variable defined in the AUTOEXEC.BAT file. It lists the other directories that DOS will look in for a given program besides the current directory when you attempt to execute said program.
Patch - An ad hoc solution to a problem with a third party peice of software.