File integrity checking is an important part of your anti-virus strategy because it provides additional protection against new viruses.
Integrity checking compares the checksum of a scanned file to its previously saved checksum. As the file's original checksum was calculated from a virus-free version of itself, any change in the file's checksum indicates a possible virus infection.

The integrity checker included with Command AntiVirus contains the following features:
- The file integrity checker can function as an "approved application" database. If the application is not registered in the database or if the application has been modified, the integrity checker prevents the program from running.
- Generic disinfection restores a program if a new virus attacks the system.
- A password-protected database prevents unauthorized users or viruses from modifying the file integrity information.
Two programs manage integrity checking: CHECK.EXE and CTSR.COM.
CHECK is a program that allows you to build and maintain a database of the programs that you run. You can use CHECK to compare the files on the hard drive against those in the database.
CS-TSR is a TSR that compares each program that you try to run with the database created by CHECK. Any mismatch is brought to your attention prior to the program's actual running. This process prevents a file virus from running.
Before you activate CHECK.EXE for the first time, you must create a file integrity database.
NOTE: If you run CHECK.EXE and you have not created the file integrity database, the system displays the following error message:
ERROR: CANNOT FIND C:\F-PROT\_CHK.CHK
IF YOU ARE RUNNING THIS PROGRAM FOR THE FIRST TIME OR WANT TO CREATE A NEW FILE YOU MUST USE THE 'CREATE' COMMAND.
FOR EXAMPLE: CHECK CREATE
IF YOU HAVE ALREADY CREATED A DATABASE WITH A DIFFERENT NAME, YOU MUST USE THE /DBFILE=XXXX.XXX SWITCH.
Databases created by previous versions are not compatible with this version.
CHECK can group the files on your hard drive for daily comparisons. By separating files into more than one group, CHECK can scan a smaller number of files each day. When you are creating your database, you can specify from one to ninety-nine groups.
For example, if there are five days in your work week, you may want to separate the files into 5 groups. At the end of the week, the program will have checked all files once.
Although this method is faster, the program scans each file only once a week.
Use the following directions to create the CHECK.EXE file integrity database. Exit Windows and, at the DOS command line, perform the following steps:
- Change to the F-PROT directory: CD \F-PROT
- Type Check Create
- Press Enter. The system displays the following: Are you sure the computer is not virus-infected right now (Y/N) ?
- If you are not sure, type N. The system displays a message that tells you to rerun Command AntiVirus and then rerun this program. Press Enter to exit the program.
If you are sure that the system is virus-free, continue with the next step.
- Type Y. The system displays the following: The default name for the database is _CHK.CHK. To make it more difficult for viruses or Trojans to attack the program, you can specify a different name.
Do you want to change the name (Y/N)?
- If you want to rename the file, type Y. The system displays a New file name box for you to type in the new name.
If you do not want to rename the file, type N.
- Press Enter. The system displays the following: It is possible to password-protect the database, but then you must enter the password when modifying it or when disinfecting. Password protection prevents unauthorized changes to the file integrity database.
Do you want to use a password (Y/N)?
- If you want to use a password, type Y. The system displays a Password box for you to type in the password.
If you do not want to use a password, type N.
- Press Enter. The system displays an information box about the number of groups.
- Press Enter. The system displays a box prompting you for the number of groups.
- Type in the number of groups.
- Press Enter. The program now creates the file integrity database. When the database is complete, the system displays the following menu:
Check Main Menu
To select a function you can type the first character of the menu item or move the highlight bar to the item and press Enter. To quit, press Esc or select Quit.
Now that you have created the database, you need to add the files that you want checked to that database. The following directions will help you with this task:
- At the Main Menu, select Maintenance.
- Press Enter.
- Select Add files to database.
- Press Enter. The system displays a Path/file box.
- Type in the path of the directory that contains the files you want to be checked. For example, type: C:\MYDIRECTORY
NOTE: The program only adds files with extensions of .EXE, .COM, .APP, .OV?, .SYS, and .PGM.
- Press Enter. The program begins adding the files. When complete, the system returns to the beginning of the Integrity Checker Report.
- Press Esc to return to the Maintenance menu.
Check/Restore scans the files that are included in the file integrity database for viruses.
After comparing the master boot record, DOS boot sector, and executable files with the database, the system displays the following report:
Check Report Screen
You can print or save this report screen for future reference.
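The baseline-and-compare cycle described above (grouped database creation, the executable-extension filter, and the check pass), as an added Python sketch that is not Command AntiVirus code. SHA-256, round-robin group assignment and the sample paths are assumptions; the page does not say how CHECK computes checksums or assigns groups.

```python
import fnmatch
import hashlib

# Extensions the page says CHECK adds to the database.
PATTERNS = ["*.EXE", "*.COM", "*.APP", "*.OV?", "*.SYS", "*.PGM"]

def digest(data: bytes) -> str:
    # SHA-256 stands in for CHECK's checksum, which the page does not specify.
    return hashlib.sha256(data).hexdigest()

def create_db(files: dict, groups: int) -> dict:
    """Baseline {path: (group, digest)} built from a known-clean set of files."""
    if not 1 <= groups <= 99:
        raise ValueError("groups must be between 1 and 99")
    wanted = sorted(p for p in files
                    if any(fnmatch.fnmatchcase(p.upper(), pat) for pat in PATTERNS))
    # Assumption: files are dealt round-robin into groups 1..N.
    return {p: (i % groups + 1, digest(files[p])) for i, p in enumerate(wanted)}

def check(db: dict, files: dict, group=None) -> dict:
    """Compare current files with the baseline; group=None checks every file."""
    report = {}
    for path, (g, saved) in db.items():
        if group is not None and g != group:
            continue  # not this day's group
        if path not in files:
            report[path] = "missing"
        elif digest(files[path]) != saved:
            report[path] = "changed"
    return report

# Constructed sample data: contents are placeholders, not real programs.
CLEAN = {
    r"C:\DOS\FORMAT.COM": b"format v1",
    r"C:\DOS\EDIT.EXE": b"edit v1",
    r"C:\APP\MAIN.OVL": b"overlay v1",
    r"C:\APP\README.TXT": b"not an executable type, so not tracked",
    r"C:\APP\DRIVER.SYS": b"driver v1",
}
DB = create_db(CLEAN, groups=2)
LATER = dict(CLEAN)
LATER[r"C:\DOS\EDIT.EXE"] = b"edit v1 + appended bytes"  # simulated modification

if __name__ == "__main__":
    for g in (1, 2):
        print("group", g, check(DB, LATER, group=g))
    print("all files", check(DB, LATER))
```

With two groups, the modified file is reported only on the day its own group is checked or on a full check, which is the coverage trade-off of grouping.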
Maintenance allows the user to list and update the file integrity database. When you select this option, the following submenu appears:
Check Maintenance Menu
The following section describes the Maintenance Menu items in detail:
This option produces a list of all files that are currently in the file integrity database.
This option searches for files that are not found in the file integrity database. This list includes the frequency of use of each of these files.
This option allows you to add a file or an entire directory to the file integrity database. The program adds the file(s) and updates the file information that is stored in the database.
This option allows you to remove a file or an entire directory from the file integrity database. Delete files from database does not remove files from the disk, only from the database.
This option allows you to update file information that is stored in the file integrity database. Use Update information in database when adding or updating programs.
This option allows you to save the file integrity database on diskette for backup purposes.
This option displays information about how to contact your local Command Software Systems office.
CHECK.EXE has several features, including the creation of the file integrity database. The following table lists these features:
CHECK.EXE COMMAND DESCRIPTION
| Switch | Description |
|---|---|
| CREATE | Creates the database for file integrity checking. |
| TODAY | Checks the files from one group only. |
| CHECKALL | Checks all of the files in the database. |
To use any of the check commands, you must be in the F-PROT directory.
For a list of these features, you can type CHECK/? at the DOS command line. The syntax is:
CHECK [COMMAND] [OPTIONS]
You can use the following options with CHECK:
CHECK.EXE COMMAND LINE OPTIONS
| Switch | Function |
|---|---|
| /APPEND | Append to existing report. Used with /REPORT. |
| /AUTO | Automatic mode does not ask for confirmations. |
| /BEEP | Beep on warnings. |
| /DBFILE=XXX.XXX | Use the file xxx.xxx as the database file instead of the default _CHK.CHK. |
| /EXT=XXX.XXX.XXX | Additional file extensions to scan. |
| /GROUP=N | Number of groups. Use this switch only with CREATE. |
| /HELP | Help displays this list of options. |
| /MONO | Use monochrome on color display. |
| /NOBREAK | Do not break if ESC is pressed. |
| /NOSUB | Do not scan subdirectories. |
| /NOWRAP | Do not wrap pages in pages. |
| /PAGE | Pause after each screen. |
| /PASSWORD=XXXXX | The password to use. |
| /QUICK | [default] Only check critical parts of each file. |
| /REPORT=XXX.XXX | Name of output file for report. |
| /SECURE | Do a full check of each file. |
The following example creates a checksum database under a previously created SECURITY directory with the file name MYDATA.DAT:
CHECK CREATE /DBFILE=C:\MYDATA.DAT
CHECK.EXE returns a two-digit code when it exits. These codes can be captured with a DOS batch file. The following table contains a list of these exit codes:
CHECK.EXE EXIT CODE LIST
| Exit Code | Description |
|---|---|
| 20 | Error loading language information. |
| 21 | Internal error in checklist. |
| 22 | Missing check-database file or unable to open. |
| 23 | Invalid integrity database. |
| 24 | Incompatible version of database file. |
| 25 | Unable to create database file. |
| 26 | Wrong number of groups given at command line. |
| 27 | Error writing to disk. |
| 28 | Error reading from disk. |
| 29 | File infected with companion virus. |
| 30 | Cannot do self-test. |
| 31 | Error opening file. |
| 32 | Out of memory. |
| 33 | Creation of database successful. |
| 34 | Creation of database fails because of the existence of another database file. |
CS-TSR is a terminate and stay resident program that monitors the integrity of programs that are running in real-time.
There are no default switches. CS-TSR accepts the following parameters from the DOS command line.
CS-TSR.COM SWITCH OPTIONS
| Switch | Description |
|---|---|
| /NOTIFY | Notifies the user that the program was not found in the file integrity database. The user can choose to run the program anyway. |
| /SILENT | Allows a program to run if it was not found in the database. No message appears. |
| /STOP | Prevents the execution of programs that do not appear in the file integrity database. |

NOTE: You can select only one command-line switch at a time.
Like VIRSTOP.EXE, you must load CS-TSR.COM after NETX.COM or any other network redirector.
You must run CS-TSR from the same directory as the _CHK.CHK file integrity database. If the database is altered or deleted, CS-TSR displays an error message and locks the computer.
To load CS-TSR automatically when you start your computer, add the following command to your AUTOEXEC.BAT file:
NOTE: [SWITCH] is a placeholder for /NOTIFY, /SILENT or /STOP. You must use one of these switches with CS-TSR. We recommend CS-TSR /SILENT for use with Windows.