Best free antivirus software and antivirus software reviews


Best free antivirus software: what it is, where to find it and how to download or buy it. I'll try to find a lot of different antispyware and antivirus software products for you.


Friday, November 24, 2006

Antivirus programs review.

When working with a modern personal computer, the user (and especially a beginner) can run into many troubles: loss of data, system hangs, failure of individual parts of the computer, and others. One cause of these problems, alongside errors in the software and inept actions by the operator, can be computer viruses that have got into the system. Like biological viruses, these programs multiply, writing themselves into system areas of a disk or attaching themselves to files, and perform various unwanted operations which often have disastrous consequences. To avoid becoming a victim of this misfortune, every user should know the principles of protection against computer viruses well.

It has long been known that sooner or later an antidote can be found for any poison. In the computer world, that antidote is the programs called antivirus. These programs can be classed into five main groups: filters, detectors, auditors, doctors and vaccines.

Filter antiviruses are resident programs that notify the user of every attempt by any program to write to a disk, and especially to format it, and of other suspicious operations (for example, attempts to change the CMOS settings). The user is then asked to permit or prohibit the operation. These programs work by intercepting the appropriate interrupt vectors. Compared with detector programs, the advantage of this class is its universality with respect to both known and unknown viruses, whereas detectors are written for the specific kinds known to the programmer at the time. This is especially relevant now that many mutant viruses have appeared that have no constant code.

However, filter programs cannot track viruses that access the BIOS directly, or boot viruses that become active before the antivirus starts, at the initial stage of loading DOS. Another disadvantage is the frequent prompts about performing some operation: answering the questions takes a lot of the user's time and gets on the nerves. When some filter antiviruses are installed, they can conflict with other resident programs that use the same interrupts, which then simply stop working.

The most widespread in our country are detector programs, or more precisely programs that combine a detector and a doctor. The best-known representatives of this class, Aidstest, Doctor Web and Microsoft AntiVirus, are considered in more detail below. Detector antiviruses are designed for specific viruses and work by comparing the code sequence contained in the body of a virus with the code of the programs being checked. Such programs need to be updated regularly, as they quickly become outdated and cannot detect new kinds of viruses.

Auditors are programs that analyze the current state of files and system areas of a disk and compare it with the information saved earlier in one of the auditor's data files. They check the state of the boot sector and the FAT, and also the length of files, their creation time, attributes and checksum. By analyzing the auditor's messages, the user can decide what caused the changes: a virus or not. When such messages appear there is no need to panic, since the cause of a change in, for example, the length of a program may not be a virus at all. There was a case when a novice user got a real fright when the antivirus AVSP reported changes in the file CONFIG.SYS. It turned out that the memory manager QEMM, which writes its driver into CONFIG.SYS, had been installed on the computer beforehand.

The least effective antiviruses belong to the last group, vaccines. They write the marks of a specific virus into the program being vaccinated, so that the virus considers it already infected.

AIDSTEST

In our country, as already mentioned above, antivirus programs that combine the functions of detectors and doctors have gained particular popularity. The best known of them is the program AIDSTEST by D. N. Lozinsky. In Russia, practically every IBM-compatible personal computer has one of the versions of this program. One of the latest versions detects more than 1100 viruses.

For normal operation, Aidstest requires that there be no resident antiviruses in memory that block writes to program files, so they should be unloaded, either by giving the resident program its unload option or by using the corresponding utility (for example, Volkov Commander has a special menu item for this purpose). On startup, Aidstest checks RAM for viruses known to it and neutralizes them. Only the virus functions linked to reproduction are disabled; other side effects may remain. Therefore, after neutralizing a virus in memory, the program asks for a reboot. This advice should be followed without fail, unless the operator is a system programmer engaged in studying the properties of viruses. The reboot should be done with the RESET button, since some viruses can survive a "warm reboot". In addition, it is better to start the computer and Aidstest from a write-protected diskette, since when starting from an infected disk the virus can install itself resident in memory and interfere with treatment.

Aidstest tests its own body for known viruses, and also judges from distortions in its own code whether it has been infected by an unknown virus. False alarms are possible here, for example when the antivirus is compressed by a packer. The program has no graphical interface, and its operating modes are set by means of switches. By specifying a path, it is possible to check the whole disk or a single subdirectory.

As experience has shown, the optimal mode for daily operation is set by the switches /g (check all files, and not just those with the EXE, COM and SYS extensions) and /s (slow check). The increase in time with these options is practically imperceptible (a completely full 270-megabyte hard disk on a computer with a 486DX2 processor is tested in less than a minute), but the probability of detection is an order of magnitude higher. In routine testing, the /f switch (fix infected programs and erase those that cannot be restored) should not be used, even together with /q (ask before deleting a file), since any program, antivirus included, is not free from errors. The /f switch should be used when Aidstest, and other antiviruses as well, indicate the presence of a virus in some file. In that case the computer must be restarted from a write-protected diskette, since the system may be infected by a resident virus, and then treatment will be ineffective or simply dangerous.

When a virus is detected in a valuable file, copy the file to a diskette, or better still to a RAM disk, and try to cure it there by giving Aidstest the /f option. If the attempt does not succeed, delete all the infected copies of the file and check the disk again. If the file contains important information that it would be a pity to erase, the file can be archived to wait for the release of a new version of Aidstest or of another antivirus capable of treating this type of virus. To speed up the process, the infected file can be sent to Lozinsky as a sample.

The /p switch makes Aidstest write a log file of its work. The log is needed when, for example, the user does not have time to read the names of the infected files. The /z switch provides support for the Sheriff antivirus hardware-software complex (it will be considered in more detail below).

DOCTOR WEB

Recently the popularity of another antivirus program, Doctor Web, has been growing rapidly. Dr. Web, like Aidstest, belongs to the class of detector-doctors, but unlike the latter it has a so-called "heuristic analyzer", an algorithm that allows it to detect unknown viruses. "The Medical Web", as the program's name translates from English, was the answer of domestic programmers to the invasion of self-modifying mutant viruses, which change their body on reproduction so that no characteristic chain of bytes present in the original version of the virus remains. Dr. Web can be called an antivirus of a new generation compared with Aidstest and its analogues. In favour of this program speaks the fact that a large license (2000 computers) was acquired by the Central administrative board of informational resources at the President of the Russian Federation, and the second-largest buyer of the "web" «

Mode control, as in Aidstest, is carried out by means of switches. The user can tell the program to test the whole disk, individual subdirectories or groups of files, or to skip checking disks and test only RAM. In turn, it is possible to test either only base memory or, in addition, extended memory as well (specified with the /H switch). Like Aidstest, Doctor Web can create a report of its work (the /P switch), load a Cyrillic character generator (the /R switch), and supports work with the Sheriff hardware-software complex (the /Z switch).

But, of course, the key feature of "the Medical Web" is the heuristic analyzer, which is enabled with the /S switch. A balance between speed and quality can be achieved by giving the switch a level of heuristic analysis: 0 - minimum, 1 - optimal, 2 - maximum; naturally, speed decreases in proportion to the increase in quality. Besides, Dr. Web can test files vaccinated by CPAV, and also files packed with LZEXE, PKLITE and DIET. To do this, specify the /U switch (the files will then be unpacked on the current drive) or /U disk: (where disk: is the drive on which unpacking will be done) if the diskette from which Doctor Web is started is write-protected. Many programs are packed in this way, though the user may not suspect it. If the /U switch is not set, Doctor Web can miss a virus that has got into a packed program.

An important function is control of the infection of tested files by a resident virus (the /V switch). When scanning memory there is no absolute guarantee that "the Medical Web" will detect all the viruses residing there. So, when the /V function is specified, Dr. Web tries to prevent the remaining resident viruses from infecting the files being tested.

Testing a hard disk with Dr. Web takes much more time than with Aidstest, so not every user can afford to spend that much time on a daily check of the whole hard disk. Such users can be advised to check diskettes brought in from outside more carefully (with the /S2 option). If the information on a diskette is in an archive (and lately programs and data are transferred from computer to computer only in this form; even software manufacturers, for example Borland, pack their products), it should be unpacked into a separate directory on the hard disk and Dr. Web started at once, without delay, giving it the full path to this subdirectory as a parameter instead of a disk name. And still, once every two weeks a complete check of the hard disk for viruses should be made with the maximum level of heuristic analysis.

As with Aidstest, during initial testing the program should not be allowed to treat the files in which it finds a virus, since it cannot be ruled out that the byte sequence taken as a template in the antivirus may occur in a healthy program. If, on finishing testing, Dr. Web reports that it has found viruses, start it with the /P option (if this option was not specified) to see which file is infected. After that, copy the file to a diskette or a RAM disk and try to remove the virus by giving "the Medical Web" the /F switch. If treatment is unsuccessful, act as in the similar situation described above for Aidstest.

For daily work with diskettes, the following configuration can be recommended:

    web /A/S2/V/O/U/H

where /A - check all files, /S2 - the heuristic analyzer, /V - check for infection by a resident virus, /O - print the message OK for uninfected files, /U - check packed (but not archived!) files, /H - test high memory.

To avoid typing the same sequence of switches every time, items that call Dr. Web and Aidstest can be added to the user menu (USER MENU) of the NORTON COMMANDER shell (or DOS Navigator, if that is used), or a batch file can be created. This not only saves time but also reduces the size of the DOS environment variables, since it will no longer be necessary to list the subdirectory with antivirus programs in the PATH command of AUTOEXEC.BAT (some people do this for quick access to the antiviruses).

AVSP (Anti-Virus Software Protection)

An interesting software product is the antivirus AVSP. This program combines a detector, a doctor and an auditor, and even has some functions of a resident filter (prohibiting writes to files with the READ ONLY attribute). The antivirus can treat both known and unknown viruses, and the user can tell the program how to treat the latter. Besides, AVSP can treat self-modifying and Stealth viruses ("invisible" ones).

When AVSP starts, a system of windows appears with a menu and program status information. The context-sensitive help system, which gives an explanation of each menu item, is very convenient. It is called in the classic way, with the F1 key, and changes as you move from item to item. A not unimportant advantage in our age of Windows and OS/2 is mouse support. A significant disadvantage of the AVSP interface is that menu items cannot be chosen by pressing the key with the corresponding letter, though this is somewhat compensated by the ability to select an item by pressing ALT and the digit corresponding to the number of this item.

The AVSP package also includes the resident driver AVSP.SYS, which makes it possible to detect the majority of invisible viruses (except for viruses such as Ghost-1963 or DIR), deactivates viruses for the duration of operation, and also prohibits changes to READ ONLY files. It is installed in the classic way, in CONFIG.SYS. It is desirable to place the line as close to the beginning of the file as possible, since drivers can contain a virus too, and the more of them are started before AVSP.SYS begins work, the higher the probability that this driver will prove useless. AVSP.SYS can be placed right after the drivers of high-memory managers (HIMEM, EMM386, QEMM, etc.).

To enable READ ONLY file protection, include in AUTOEXEC.BAT a line calling the file AVSPMONI.EXE, which is part of the package, with the parameter ON (naturally, this line should also be one of the first). Now, on an attempt to remove the attribute or to write to a READ ONLY file, a long beep will sound and the operation will not be performed. Protection can be removed either by starting AVSPMONI.EXE with the parameter OFF or in the main program AVSP.EXE. For this, enter the item "Research of changes in files" and mark the necessary files with the spacebar (a group of files can also be marked with the "+" key). After that, press F8, and the READ ONLY attribute will be removed. Files can be put under protection with F7.

One more function of AVSP.SYS is disabling resident viruses while AVSP.EXE is running, though together with viruses the driver also disables some other resident programs. To check this, I loaded two programs that parody viruses: one flips the screen, and the other turns vertical straight lines into running wavy lines (for example, the vertical lines that form the Norton Commander panels). On startup AVSP returned the screen to its normal state, but the "waves" on the sides of the frames remained, though they did not move and stood in place. When another menu item was called, the straight sides of its frame also turned wavy, though also motionless. From this it can be concluded that AVSP does not completely disable resident programs. ADinf behaved more strangely: having started in the "flipped" form, it ran its test and reported that no viruses were found, then "hung" (though it was possible to leave this state with CTRL/BREAK).

On the first start of AVSP, test the system for known viruses by selecting the items "Search and deleting of viruses" and "Complex check". This checks RAM, the boot sector and files. After that (if no viruses are found), create the data tables about files and system areas by selecting in the main menu the item "Data about files and viruses" and the submenu "Creation of datafiles". This creates on the disk, in the directory /AVSP, the files DISKDATA.DTL (data about the sizes and checksums of files), MBOOT.DTL (a copy of the Master Boot sector) and BOOT.DTL (a copy of the DOS Boot sector). From now on, during a complex check AVSP will compare the files on disk with the information contained in these data files. This information can be used to analyze the changes that have occurred in files and boot sectors, and also to search for and treat unknown viruses. In some cases it is even possible to restore files damaged by an unknown virus.

The user can tell the program what exactly needs to be checked by means of the item "Parameter setup". It is possible to set checking of file sizes, their checksums, the presence of viruses in them, or all of this together. For this, set "flags" opposite the appropriate items. It is also possible to specify what exactly to check (boot sector, memory, or files). As in the majority of antivirus programs, the user is given the ability to choose between speed and quality. The essence of the high-speed check is that not the whole file but only its beginning is examined; this makes it possible to detect the majority of viruses. If the virus is written into the middle, or the file is infected by several viruses (so that the "old" viruses are, as it were, pushed into the middle by the "young" ones), the program will not notice it. Therefore optimization for quality should be set, all the more so as in AVSP quality testing takes not much more time than high-speed testing.

All operations, for example a search for viruses, can be performed on the current disk (by default), on the current path, and also on all disks. To change the path or the disk, press TAB. During operation, the path information is displayed in the upper left corner.

To check a computer for known viruses, select in the main menu the item "Search and deleting of viruses". After that, select either the "Stock-taking of viruses" mode or the "Complex check" mode. In the first case, files and boot sectors are checked for known viruses; in the second, not only files and boot sectors are checked, but also memory. Besides, the program compares the state of the system with the data saved in the files DISKDATA.DTL, MBOOT.DTL and BOOT.DTL. First the program makes a preliminary pass to estimate the amount of work ahead, and then examines all program files. At any moment the user can press ESC to interrupt the scan or the spacebar to pause it.

By default AVSP checks the sizes of files. If the size has changed, the checksum is checked and a map of the file's changes is built. If a file is new, it is checked for known viruses. During a disk check, various messages, for example about a change in a file's size, can be displayed in a window in the right part of the screen. After the check, all of them can be viewed by selecting the menu item "Review of Messages".

Sometimes a message about suspicious files may be produced. It means that, by some signs, it can be judged that either the file is infected by a new virus, or it was infected earlier but marks characteristic of the virus remained after treatment. Such a message is also produced about files with a strange creation time. For example, for me AVSP "swears" at the file PCXSHOW.EXE, whose creation time is 3:53.60. The antivirus also does not like programs transferred from the BK-0011M computer. The point is that the majority of the disk operating systems used on the BK (such as the operating system NORTH, NORTON, etc.) do not write a creation date into the directory, and the utility that converts a diskette for use from MS-DOS writes the number corresponding to the date 0.0.80 into the appropriate cells of the directory. Here AVSP produces the message "Nonexistent creation date, a virus is possible!" It is interesting that the antivirus "does not swear" at the demo program (AVSP_DEM.EXE), whose creation date is 11.11.2011 and time 11:11, and whose size, moreover, is five sixes. Possibly, when writing the program, the author remembered that there are still out-of-date computers that have no CMOS and on which the date is entered at boot.

During a complex check AVSP also displays the names of the files in which there were changes, and also a so-called map of changes. If it is identical for the majority of the changed files, most likely some virus has "crept" into the system. More often, the program itself "suspects" that something is wrong in such a situation and suggests adding information about it to the library. The template of the virus is then selected automatically.

In auto-detecting new viruses, AVSP can make many errors. Just in the days when I was writing this paper, such a case happened to me. During a check of the hard disk AVSP produced the message "Unknown virus found!" and also asked about adding the template of the virus to the library. Having looked at the file in question, I understood at once that the presence of a virus in it was improbable, since it was a self-extracting RAR archive which I had created some minutes before starting the antivirus by repacking two files, one of which, as it turned out, was also an SFX archive with the same name. Having decided to see what would happen next, I set the option to create a report and started the complex check again. Here is a fragment of this report:

Directory _ C:TOOLSUTILIT_ SPEED200. EXE: New_ TB.EXE: New

Directory _ C:USERMUSICMETALL_ METALL.EXE: New_ PTTэS.COM: New_ METAL.EXE: New

Directory _ C:DISK_ARH_ DERIVE.EXE: Изменен-Resizing: 22053 (was 170496, became 192549) - the Possible virus: TP-940128 Card of change:----------------¦

After I answered AVSP's prompt about adding the virus to the library, the program displayed the template it had made. Having disassembled the code of the template with the TAB key, I saw the following routine:

    push es
    push cs
    pop ds
    mov cx, [000ch]
    mov si, cx
    dec si

Such a routine, and especially its first two instructions (saving the appropriate registers), occurs at the beginning of many executable programs. When the complex check was restarted, AVSP "found" a virus in every second EXE program:

Directory _ C:ANTIVIR_ AIDSTEST.EXE: Заражен-Virus ERU-37

Directory _ C:ANTIVIRADINF_ REVIS.EXE: Заражен-Virus ERU-37

Directory _ C:DOS_ MEMMAKER.EXE: Заражен-Virus ERU-37

_ MSAV.EXE: Заражен-Virus ERU-37

<<<>>>
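An added example, not part of the original article and not AVSP's algorithm: it shows why the auto-generated template in the report above matches healthy programs, and how a candidate template can be vetted against known-clean files before it goes into a library. The byte encoding of the routine, the file names, the file contents and the 4-byte overlap rule are assumptions constructed for illustration.

```python
"""Vet a candidate byte template against known-clean programs before trusting it."""

# The routine from the generated template, hand-assembled for 16-bit x86
# (assumed encoding; "mov si,cx" also has the equivalent form 89 CE):
#   push es / push cs / pop ds / mov cx,[000Ch] / mov si,cx / dec si
TEMPLATE = bytes.fromhex("06 0e 1f 8b 0e 0c 00 8b f1 4e")

NGRAM = 4  # a window sharing any 4-byte run with clean code is rejected


def body(start, length=48):
    """Constructed filler standing in for the rest of a program."""
    return bytes((start + i) & 0xFF for i in range(length))


# Constructed corpus: three of the four healthy programs begin with the same
# startup code as the flagged file, the situation the report above shows.
CLEAN = {
    "CLEAN1.EXE": TEMPLATE + body(0x10),
    "CLEAN2.EXE": TEMPLATE + body(0x20),
    "CLEAN3.EXE": bytes.fromhex("b8 00 4c cd 21") + body(0x30),
    "CLEAN4.EXE": TEMPLATE + body(0x40),
}
FLAGGED = TEMPLATE + body(0xC0)  # constructed stand-in for the flagged file


def false_positives(signature, clean):
    """Names of known-clean files in which the signature occurs."""
    return sorted(name for name, data in clean.items() if signature in data)


def vet(signature, clean):
    """Accept a signature only if it matches no known-clean file."""
    hits = false_positives(signature, clean)
    return {"accept": not hits, "false_positives": hits}


def clean_ngrams(clean, n=NGRAM):
    """Every n-byte run that occurs anywhere in the clean corpus."""
    grams = set()
    for data in clean.values():
        grams.update(data[i:i + n] for i in range(len(data) - n + 1))
    return grams


def pick_signature(sample, clean, length=10, n=NGRAM):
    """First window of `sample` that shares no n-byte run with the clean set.

    Returns (offset, bytes), or None when every window overlaps clean code.
    """
    known = clean_ngrams(clean, n)
    for off in range(len(sample) - length + 1):
        window = sample[off:off + length]
        grams = (window[i:i + n] for i in range(length - n + 1))
        if not any(g in known for g in grams):
            return off, window
    return None


if __name__ == "__main__":
    print("auto template:", vet(TEMPLATE, CLEAN))
    off, sig = pick_signature(FLAGGED, CLEAN)
    print("replacement at offset", off, sig.hex(" "), vet(sig, CLEAN))
```

A file made up entirely of code that also occurs in clean programs yields no usable window, which is the signal that a byte template is the wrong tool for it.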

So when a template is detected automatically, do not be too lazy to check whether it really is a virus and whether this template will occur in healthy programs.

If during a check AVSP detects a known virus, take the same steps as when working with Aidstest and Dr. Web: copy the file to a disk, reboot from a backup diskette, and start AVSP. It is also desirable that the driver AVSP.SYS be loaded in memory, since it helps the main program to treat Stealth viruses. After that, select the item "Deleting of viruses". If the program's library VIRUSES.INF contains information on how to treat the given virus, the file will be cured and AVSP will produce the corresponding message. If the library has no information on how to treat the given virus, the program will try to restore the file automatically by means of the information saved in the DISKDATA.DTL data files. If the file cannot be cured, an "invisible" virus is possible. To learn in more detail what kind of virus has "climbed" into the system, use the message browse mode: place the cursor on the name of the virus and press ENTER.

If the file could not be restored automatically, it is possible either to delete it, as always, or to try to teach AVSP to remove the virus yourself. However, to write a "medicine", even in the AVSP macro language, one needs experience in system programming and at least some knowledge of assembler. After all, in medicine too, pills in inept hands do more harm than good. If the user has a modem, he can post an "electronic notice" on a network asking how to treat the virus. For this, choose sufficiently well-known servers rather than amateur BBSes frequented only by fans of GIFs and jokes about Lieutenant Rzhevsky.

For entering and editing information about viruses, the menu "Data about files and about viruses" has the submenu "Change of the information on viruses". When this item is chosen, the program displays a list of all the viruses known to it. The list can be navigated with the arrow keys. To get more complete information about a virus, place the cursor on its name and press ENTER. All this information is in the file VIRUSES.INF, which can be edited not only by means of AVSP in the item "Change of the information on viruses" but also as an ordinary text file. To add information about a new virus by means of AVSP, press F2; the program will ask for the name of the virus, and when the user enters this name, the program will display a table similar to the one shown when a template is set automatically. All known data about the virus should be entered in this table. In AVSP it is possible to set templates not only for ordinary but also for self-modifying viruses. This is done by means of wildcard characters in the mnemonic commands that also make up the macro language of the antivirus. Experienced programmers can also enter a sequence of macros that specifies how to treat a file. At any moment it is possible to abandon editing by pressing ESC, or to write the information to the library by pressing ENTER. But, of course, all the capabilities of the program are fully realized only in the hands of a person familiar with assembler and system programming.

AVSP can view files in different formats. On entering the browse mode, two columns are displayed on the screen: on the left, the contents of the viewed file as hexadecimal codes, and on the right, as ASCII codes. In addition, useful system information is displayed that will help in writing a virus removal procedure. By moving the cursor it is possible to go to any address; there are also functions for searching for templates and comparing files. It is possible to set the format in which the header will be viewed, for example as for an EXE file, a SYS file or in boot-sector format. The header view is well implemented: its system cells are presented as a table, with the value of a cell on the left and the explanation on the right.

One more useful function is the built-in disassembler. With its help it is possible to work out whether there is a virus in a file or whether AVSP gave a false alarm during the disk check. In addition, one can try to determine the method of infection, the principle of operation of the virus, and also the place where it "hid" the replaced bytes of the file (if we are dealing with that type of virus). All this makes it possible to write a virus removal procedure and to restore damaged files. For complete happiness only a tracer is missing, though in inept hands such a function could lead to the infection of still more data. In disassembler mode it is possible to move between mnemonic commands using the arrow keys. To go to the offset specified in a branch instruction, press F7.

One more useful function is the display of a visual map of changes. I understood this especially clearly when I had a suspicion about one of my files (which, it seemed, should not change) in the auditor ADinf, which has no such function. The map of changes makes it possible to judge whether the changes correspond to a virus or not, and also to narrow down the search area for the body of the virus during disassembly. In constructing it, a red rectangle is used to show a changed block, dark blue an unchanged one, and transparent a new one.

If there is a suspicion that a Stealth virus has got into the system, start AVSP with the parameter /D from the hard disk, then boot from a clean operating system boot diskette and start AVSP without parameters. If the results of the checksum check differ in the two cases, the suspicions are justified. AVSP has two algorithms for neutralizing "invisible" viruses, and both work only when an active virus is present in memory. What happens when these algorithms run resembles a horror film or doomsday: all files are copied into data files and then erased. Only files with the SYSTEM attribute are spared. In ADinf the removal of Stealth viruses is implemented much more simply. Perhaps AVSP's way of fighting "invisible" viruses is more reliable, but it is not a particularly pleasant pastime to plough up the whole "screw" (the hard disk), and it is unsafe as well.

AVSP also monitors the state of boot sectors. If the boot sector on a diskette is infected and the antivirus cannot cure it, the boot code has to be erased. The diskette then ceases to be a system diskette, but the data will not be lost. With a hard disk one cannot act so boldly. On detecting changes in one of the boot sectors of the hard disk, AVSP offers to save it in a file and then tries to remove the virus. If the program cannot do this, it offers to restore the former state of the boot sector. In general, it is a capricious thing, so before such an operation it is desirable to copy the necessary data from the hard disk to diskettes. What is there to say about operations on boot sectors, if there have been cases when the "screw" "cleaned itself" when Speed Disk and Disk Fix were involved. True, for someone who has treated Stealth viruses by means of AVSP, nothing is frightening any more.

Microsoft Antivirus

Modern versions of MS-DOS (for example, 6.22) include the Microsoft Antivirus (MSAV) program. This antivirus can work as a detector-doctor and as an auditor. MSAV has a user-friendly interface in the style of MS-Windows and, naturally, supports the mouse. Context-sensitive help is well implemented: there is a hint for practically every menu item and every situation. Menu items can be reached in every usual way: with the arrow keys, the function keys (F1-F9), the keys corresponding to one of the characters of the item's name, and the mouse. Checkboxes in the Options menu can be set with either the space bar or the Enter key.

A serious inconvenience of the program is that it keeps its tables of file data not in a single file but scattered across all directories. As a result, CHKLIST.MS files travel from user to user whenever programs are exchanged, cluttering directories and taking up disk space.

At start the program loads its own character generator and reads the directory tree of the current disk, then goes to the main menu. It is not clear why the directory tree has to be read immediately at start: the user may not want to check the current disk at all. In the main menu you can change the disk (Select new drive) and choose between checking without removing viruses (Detect) and checking with removal (Detect & Clean). When a disk check starts (with or without removal), the program first scans memory for the viruses it knows. Progress is shown as a colored bar and as a percentage of the work done. After scanning memory, MSAV proceeds to check the disk itself. On the first check MSAV creates, in each directory that contains executable files, a CHKLIST.MS file in which it records the size, date, time, attributes and checksum of the monitored files.

On subsequent checks the program compares the files with the information in the CHKLIST.MS files. If the size and date have changed, the program informs the user and asks what to do next: update the information (Update), set the date and time to match the data in CHKLIST.MS (Repair), continue without regard to the changes in this file (Continue), or abort the check (Stop). If the checksum has changed, MSAV displays the same window, except that the Repair item is replaced by Delete, because the program cannot restore the contents of the file. On detecting a virus in Detect & Clean mode, the program removes the virus. In either mode the disk check can be paused or aborted entirely by pressing ESC (or F3) and answering the program's question. During the disk scan, progress information is displayed: the percentage of directories processed and the percentage of files processed in the current directory. This is also shown visually as a colored bar, as during the memory check. At the end of the check MSAV produces a report in the form of a table giving the number of hard disks and floppy disks checked and the number of files checked, infected and cured. The scan time is shown as well.

The Options menu lets you configure the program to your own liking. Here you can enable the search for stealth viruses (Anti-Stealth) and the checking of all files rather than only executable ones (Check All Files), and allow or forbid the creation of CHKLIST.MS tables (Create New Checksums). You can also have the report on the work done saved to a file. If the Create Backup option is set, then before a virus is removed from an infected file, a copy of the file is saved with the VIR extension.

From the main menu you can view the list of viruses known to MSAV by pressing F9. A window with the names of the viruses is displayed. To see more detailed information about a virus, move the cursor to its name and press ENTER. You can jump quickly to a virus of interest by typing the first characters of its name. Information about a virus can be sent to the printer by selecting the corresponding menu item.

ADINF (Advanced Diskinfoscope)

ADinf belongs to the class of auditor programs. The antivirus is fast and can successfully withstand memory-resident viruses. It can check a disk by reading it sector by sector through the BIOS, without using the DOS system interrupts that a virus can intercept. ADinf won first prize at the Second All-Union competition of anti-virus programs in 1990, and second prize at the Borland Contest '93. Unlike AVSP, where the user has to work out personally whether the computer is infected with a Stealth virus by booting first from the hard disk and then from a reference diskette, ADinf performs this operation automatically. This is possible thanks to its original algorithm for countering "invisible" viruses, the essence of which is that the disk is first read directly through the BIOS and then by means of DOS. If the information differs, there is a Stealth virus in the system. ADinf was the only antivirus that, in the summer of 1991, detected the DIR virus, which was built on a fundamentally new method of infection and masking.

Infected files are cured with the ADinf Cure Module, which is not part of the ADinf package and is supplied separately. The module works by keeping a small database that describes the monitored files. Working together, these programs can detect and remove about 97% of file viruses and 100% of viruses in the boot sector. For example, the sensational SatanBug virus was detected easily, and the files it had infected were restored automatically. Even users who had acquired ADinf and the ADinf Cure Module some months before this virus appeared were able to get rid of it without effort. I cannot say anything more detailed about the cure module, as I do not have it.

Unlike other antiviruses, Advanced Diskinfoscope does not require booting from a reference, write-protected diskette. When booting from the hard disk, the reliability of protection does not decrease. ADinf has a well-made, user-friendly interface which, unlike that of AVSP, is implemented in graphics mode rather than text mode. The program works directly with video memory, bypassing the BIOS, and all graphics adapters are supported. A large number of switches lets the user configure the system as conveniently as possible. You can set exactly what is to be monitored: files with given extensions, boot sectors, the presence of bad clusters, new files for the presence of Stealth viruses, files from the list of invariable files, and so on. If desired, the user can exclude some directories from the check (this is needed when they are working directories in which changes occur all the time). It is possible to change the disk access method (BIOS, Int13h or Int25h/26h), to edit the list of extensions of checked files, and to assign to each extension its own viewer, with which files of that extension will be viewed. There are also various extras, such as updating the file TREEINFO.NCD together with the tables (this file provides fast navigation through the directory tree in Norton Commander). In keeping with modern software, mouse operation is supported. Like all products of the firm "Dialogue Science", ADinf supports the Sheriff hardware-software complex.

When ADinf is installed, the name of the main file ADINF.EXE and the names of the tables can be changed, and the user can choose any name. This is a very useful feature, because many viruses that "hunt" antiviruses have appeared recently, including ones that target ADinf (for example, there is a virus that alters Aidstest so that instead of the logo of the firm "Dialogue Science" it writes: "Lozinsky - a stub"). Another useful feature is the ability to work in DOS without leaving the program. This is handy when an external antivirus has to be started to cure a file and the user does not have the ADinf Cure Module.

One more interesting feature is the blocking of work with the system when changes on the disk are detected. It is useful when the terminals are used by people who do not yet have much experience with computers. Out of ignorance or carelessness such users may ignore ADinf's message and carry on working as if nothing had happened, which can lead to serious consequences. If the -Stop switch is set in the ADinf call line in AUTOEXEC.BAT, then on detecting changes on the disk the program demands that the system programmer responsible for the terminal be called, and if the user presses ESC or ENTER the system reboots and everything repeats. Still, this feature is not thought through, because work can be continued by pressing F10. After all, most users, even those sitting at a computer for the first time, can continue working with minimal effort by applying the "rule of scientific trial", that is, by pressing all the keys in turn. To make the protection against such users more reliable, at least a simple password should have been introduced.

ADinf's principle of operation is based on saving in a table copies of the MASTER-BOOT and BOOT sectors, the list of bad cluster numbers, the layout of the directory tree and information about all monitored files. In addition, the program records, and at each start checks for changes in, the amount of RAM available to DOS (which changes on infection by most boot viruses), the number of installed hard disks, and the hard disk parameter tables in the BIOS variable area. At the first start the program records the RAM size, finds and records the address of the Int 13h interrupt handler in the BIOS, which will be used in all subsequent checks, and builds tables for the disks being checked. At this point it also checks whether the interrupt 13h vector pointed into the BIOS before DOS was loaded.

At subsequent starts ADinf checks the RAM size available to DOS, the BIOS variables, the boot sectors and the list of bad cluster numbers (because some viruses, having written themselves into a cluster, mark it as bad so that they are not overwritten by other data and are not detected by primitive antiviruses). The antivirus also looks for newly created and deleted subdirectories and for new, deleted, renamed, moved and changed files (changes of length and checksum are checked). If ADinf finds that a file from the invariable list has changed, or that a file has changed without a change of date and time, or that a file has a strange date (day greater than 31, month greater than 12, or year greater than the current one) or time (minutes greater than 59, hours greater than 23, or seconds greater than 59), it issues a warning that a virus infection is possible.

If changes in the BOOT sectors are detected, the system tables as they were before the change can be compared interactively, and the former sector can be restored if desired. After restoration, the changed sector is saved to a file on disk for later analysis. New bad clusters (more precisely, the information about them in the FAT) can appear after running a disk-repair utility (for example, NDD) or as a result of the actions of a virus. If ADinf has issued this message and the user has not run any such utility, a virus has most likely got into the computer. On receiving such a message you should continue the check and carefully watch all messages about changes to files and boot sectors. If there really is a virus in the system, such messages will not be long in coming (because if the whole body of the virus were in a "bad" cluster, control would never be passed to it).

After the check ADinf displays a summary table reporting the changes on the disk. You can move around the table with the arrow keys and view detailed information by pressing ENTER on the item of interest. Any item can also be reached with "fast" keys. Changed files can be viewed in the classic mode (hexadecimal dump / ASCII codes) with the built-in viewer, which reads the disk through the BIOS. An external viewer can also be used, provided its path has been specified beforehand. With an external editor connected, the changed file can be edited. The form in which ADinf reports suspicious changes looks somewhat unusual: instead of displaying a message about the specific changes, it shows a red window with a list of all possible changes and ticks the items that correspond to the changes that have actually occurred. If you press ESC after such a message, the program asks what to do next: update the information about the disk, leave it as it is, cure (if the ADinf Cure Module is present) or write a log. For curing you can also use an external antivirus, loading it from the DOS window, which is called with the ALT+V shortcut. If the changes are not in the suspicious category, you can press ESC after the table of changes is displayed. The program then asks whether to update the disk data in the tables and whether to create a report file on the work done. After one of the items is chosen, the program performs the requested operation and finishes.
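The auditor checks described above (a file from the invariable list changed, a file changed without a change of date and time, a strange date or time) can be expressed as follows. This is an added example, not ADinf's code; it assumes the standard 16-bit FAT date and time words, and the CRC32 checksum, the table layout and the sample file names are assumptions made for the example.

```python
import zlib
from collections import namedtuple

Entry = namedtuple("Entry", "size fat_date fat_time checksum")  # one table row
LIMITS = {"month": 12, "day": 31, "hour": 23, "minute": 59, "second": 59}

def pack_date(y, m, d):   # FAT date word: 7 bits year-1980, 4 bits month, 5 bits day
    return ((y - 1980) << 9) | (m << 5) | d
def pack_time(h, mi, s):  # FAT time word: 5 bits hour, 6 bits minute, 5 bits seconds/2
    return (h << 11) | (mi << 5) | (s // 2)

def strange_fields(fat_date, fat_time, current_year):
    """Names of timestamp fields outside the ranges the article lists."""
    s = {"year": 1980 + (fat_date >> 9), "month": (fat_date >> 5) & 0x0F,
         "day": fat_date & 0x1F, "hour": fat_time >> 11,
         "minute": (fat_time >> 5) & 0x3F, "second": (fat_time & 0x1F) * 2}
    bad = [k for k, top in LIMITS.items() if s[k] > top]
    return sorted(bad + (["year"] if s["year"] > current_year else []))

def make_entry(data, fat_date, fat_time):
    # CRC32 is an assumption; the article does not name ADinf's checksum.
    return Entry(len(data), fat_date, fat_time, zlib.crc32(data))

def audit(baseline, current, current_year, invariable=()):
    """Compare two {name: Entry} tables and return {name: [findings]}."""
    findings = {name: ["deleted"] for name in baseline.keys() - current.keys()}
    for name, now in current.items():
        old, notes = baseline.get(name), []
        if old is None:
            notes.append("new")
        elif (now.size, now.checksum) != (old.size, old.checksum):
            if name in invariable:
                notes.append("WARNING: invariable file changed")
            elif (now.fat_date, now.fat_time) == (old.fat_date, old.fat_time):
                notes.append("WARNING: changed without date/time change")
            else:
                notes.append("changed")
        bad = strange_fields(now.fat_date, now.fat_time, current_year)
        if bad:
            notes.append("WARNING: strange date/time: " + ",".join(bad))
        if notes:
            findings[name] = notes
    return findings

# Constructed sample tables (not taken from a real disk).
STAMP = (pack_date(1994, 5, 31), pack_time(6, 22, 0))
BASE = {"A.COM": make_entry(b"x" * 90, *STAMP), "B.EXE": make_entry(b"y" * 40, *STAMP)}
NOW = {"A.COM": make_entry(b"x" * 90 + b"v" * 8, *STAMP),
       "B.EXE": make_entry(b"y" * 40, STAMP[0], pack_time(6, 22, 62))}
```

Because the FAT time word stores seconds divided by two in five bits, a directory entry can hold 60 or 62 seconds even though no clock produces those values, which is why an auditor can treat them as a warning sign.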
