
6. MBR SUPPORT

The Master Boot Record (MBR) is an important part of your hard disk. One of the more powerful anti-virus utilities in Command AntiVirus is FIXDISK.EXE. FIXDISK is a simple command line utility that safely removes unknown boot record viruses. This utility also creates a virus data file that is useful for virus analysis and data recovery.
If you have installed Command AntiVirus according to the instructions in this manual, FIXDISK has already created a hidden rescue file on your hard disk. How was this done?
During the installation process, Command AntiVirus instructs FIXDISK to save your system's MBR and your hard drive's boot sector to that rescue file. The file, F-PROT.SYS, is in the root directory. If necessary, FIXDISK uses F-PROT.SYS to repair the damage done by a boot-sector or MBR virus. You can also use FIXDISK to save a copy of the rescue file on a floppy disk.
The following sections contain information about how to use FIXDISK to create, save and restore rescue files.

USING FIXDISK.EXE

NOTE: As mentioned above, FIXDISK creates the hidden rescue file, F-PROT.SYS, on your computer during installation. You can also use FIXDISK to save a copy of this rescue file to a floppy disk.
Before using FIXDISK, please familiarize yourself with FIXDISK's command line parameters. If you use FIXDISK without any parameters, the program offers you the following parameter options:
FIXDISK COMMAND-LINE PARAMETERS

Parameter    Description
FIND         Searches the drive for a previously created rescue file.
REPAIR       Saves the first track and attempts a generic repair of the boot area.
RESCUE       Used with the following switches for saving and restoring a rescue file:
  CREATE     Creates a file that contains the MBR and boot sector.
  RESTORE    Restores the file that was previously saved.
SAVE         Makes an image of the boot area and backs up the first track to a file.
UNDO         Restores the boot area to its original state prior to an attempted repair.

If, after you have successfully installed Command AntiVirus, you encounter an unknown boot virus that the program cannot disinfect, you can run FIXDISK with the FIND parameter to restore your original, uninfected MBR. This process will allow access to your valuable data files. The parameters shown in the Fixdisk Command Line Parameters table are described below in detail.

FIND

This parameter skips the generic boot area repair and, instead, searches for the previously created rescue file, F-PROT.SYS, on the hard drive. The FIND parameter searches for the rescue file on a track-by-track basis. Because this type of search involves a disk-intensive procedure, the search may take some time. The following is an example of using FIXDISK with the FIND parameter:
FIXDISK FIND

REPAIR

This parameter attempts a generic repair of the MBR. Should this fail, REPAIR then searches the hard drive for a previously created rescue file. Normally, the letter of the drive containing the rescue file follows the REPAIR parameter. For example:
FIXDISK REPAIR C:

RESCUE

This parameter creates or restores a rescue file. By including the proper command line parameters, you can create and save the rescue file to the location of your choice or restore a previously saved rescue file to your system.
To accomplish these tasks, you can use either the CREATE or RESTORE parameters with RESCUE. The following descriptions will help you understand the function of each parameter:

Create

CREATE produces a rescue file containing an image of the MBR and the boot sectors of all physical hard drives. You can specify a file name for the rescue file. Using a diskette drive letter creates the F-PROT.SYS file on that drive.
The following example creates the hidden, read-only system file, F-PROT.SYS, on the root directory of the boot drive. This file contains not only the MBR and boot sector of the boot drive but also the MBRs of any other physical hard drives in the system.
FIXDISK RESCUE CREATE
You can create that same rescue file on drive A by typing:
FIXDISK RESCUE CREATE A:
If you prefer to give the rescue file a different name, add the name to the end of the command. For example, to create a rescue file called TEST.DAT on drive A, type:
FIXDISK RESCUE CREATE A:TEST.DAT
The rescue file is machine-specific. If you create a rescue file on a diskette, label the diskette in a way that will remind you that the rescue file is only for the computer used to create the file.
If you use the FIXDISK RESCUE CREATE command to create a rescue file on a floppy disk, FIXDISK attempts to make a copy of that rescue file on the local boot drive.

Restore

RESTORE prompts you for a rescue file name. FIXDISK then uses that file to recover the MBR and boot sector. For example, when you type in the following command, the system prompts you for the path and name of the rescue file:
FIXDISK RESCUE RESTORE

SAVE

This parameter takes an image of the first track of the drive and the boot sector and saves the image to a file and drive of your choice.
For example, to save an image of your hard drive's first track and boot sector, use the following command:
FIXDISK SAVE C:
After entering the above command, the system prompts you to enter a file name and a drive where the file will be saved.
You can use this parameter to save a sample of a suspected virus for analysis.
NOTE: If you have a sample to send, you must contact a Command Software Systems technical support representative at 1-800-423-9147.
Each virus request is given a unique virus examination request tracking number (VxER). This number helps us process your request in a timely manner. Once the VxER number has been assigned, the technical support representative will tell you where to send the sample.

UNDO

The UNDO parameter restores the boot area to its original state prior to an attempted repair by FIXDISK. You can use UNDO if the repair process does not succeed. The following is an example of using FIXDISK with the UNDO parameter:
FIXDISK UNDO C:
When you enter the above command, the program prompts you for the name of the rescue file.

CMOS ATTACKS

Should attempts to disinfect a boot sector virus fail, check the CMOS setup of the infected system. Your computer stores some of its important system information in CMOS. Some boot sector virus variants can protect themselves by modifying the CMOS in two ways:

DISINFECTING A BOOT SECTOR VIRUS

Command AntiVirus attacks boot sector viruses in two different ways. The first involves a known virus and uses F-PROT.EXE to disinfect. Disinfection of new variants or totally unknown viruses involves using a second method. This second method relies on both F-PROT.EXE and FIXDISK.EXE.
If you think you have a virus that uses encryption, contact your local support representative. There are at least two types of encryption and two methods of disinfection. Your support representative will be able to help you use the proper method without any loss of data.

IF A VIRUS IS KNOWN

If a known virus infects your system, Command AntiVirus often removes the virus automatically. Some known viruses cannot be removed in this manner. In this case, follow the steps below to get rid of the virus.
Have a virus-free write-protected Rescue Disk on hand. If you do not have one, refer to Creating A Rescue Disk in the Installation chapter.
  1. Exit all open applications, including Windows, and turn your system off for about 15 seconds.
  2. Insert the Rescue Disk into drive A.
  3. Turn your system power on to restart from drive A.
  4. When the A: prompt appears, insert the Rescue Disk or Command AntiVirus Disk #1 and type: F-PROT /HARD /DISINF
  5. Press Enter. The program now scans all physical hard drives. When the virus is found, follow the instructions on the screen.
If Command AntiVirus does not disinfect the virus, reports an error in the disinfection process, or indicates that an unknown variant is present, proceed to the next section.

IF A VIRUS IS UNKNOWN

If the system reports an error in disinfection or an unknown variant, take the following steps.
Have a virus-free write-protected Rescue Disk and a virus-free formatted floppy disk on hand. If you do not have a Rescue Disk, refer to Creating A Rescue Disk in the Installation chapter.
  1. Exit all open applications, including Windows, and turn the system off for about 15 seconds.
  2. Insert the Rescue Disk into drive A.
  3. Turn your system power on to restart from drive A.
  4. When the A: prompt appears, insert the Rescue Disk or Command AntiVirus Disk #1 and type: FIXDISK REPAIR C:
  5. Press Enter.
  6. When the program prompts you to enter a file name, remove the diskette in drive A.
  7. Insert a blank, virus-free formatted floppy disk into drive A.
  8. Type an eight-character name (you can include a three-character extension).
  9. Press Enter. The system copies the MBR of the hard drive into a data file on the floppy disk and attempts to rebuild the original MBR.
  10. After FIXDISK has completed rebuilding the original MBR, turn your computer off for about 15 seconds.
  11. Place the Rescue Disk or Command AntiVirus Disk #1 in drive A.
  12. Turn your computer on. When the A: prompt appears, type:
    F-PROT /HARD /DISINF
  13. Press Enter. The program scans your hard drive for any other viruses.
  14. Some multipartite viruses, for example, infect the Master Boot Record, .COM files and .EXE files. If Command AntiVirus finds any infections in your system's executable files, it will disinfect them.
  15. Remove the floppy disk and restart your computer normally.
NOTE: Without a rescue file, Command AntiVirus repairs only MBR viruses that have not modified the partition table. If a virus modifies the partition table and you have a rescue file available, you can use the FIXDISK utility to repair the partition table.
NOTE: If you believe that you have a new virus, contact your local support representative. This is an important step in preventing new viruses from spreading.
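
The NOTE above about partition tables can be checked on two saved sector images: the baseline copy taken while the system was clean, and the current sector. The following Python sketch is an added example, not part of Command AntiVirus or FIXDISK. It assumes raw 512-byte MBR sector images in the classic layout (the F-PROT.SYS rescue-file format is not described in this chapter and is not parsed), and its function names and sample sectors are constructed for illustration.

```python
import struct

SECTOR, CODE_END, TABLE_END = 512, 446, 510  # classic MBR layout (assumed)
SIGNATURE = b"\x55\xaa"                       # boot signature, bytes 510-511


def parse_partitions(mbr):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR image must be exactly 512 bytes")
    entries = []
    for slot in range(4):                     # four 16-byte entries, bytes 446-509
        raw = mbr[CODE_END + 16 * slot:CODE_END + 16 * (slot + 1)]
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        if raw[4] != 0:                       # type 0 marks an unused slot
            entries.append({"slot": slot, "bootable": raw[0] == 0x80,
                            "type": raw[4], "lba_start": lba_start,
                            "sectors": sectors})
    return entries


def compare_mbr(baseline, current):
    """Classify how the current sector differs from the saved baseline."""
    for image in (baseline, current):
        parse_partitions(image)               # rejects images of the wrong size
    findings = []
    if baseline[CODE_END:TABLE_END] != current[CODE_END:TABLE_END]:
        findings.append("partition table changed")  # needs the saved copy
    if baseline[:CODE_END] != current[:CODE_END]:
        findings.append("boot code changed")
    if current[TABLE_END:] != SIGNATURE:
        findings.append("boot signature missing")
    return findings or ["unchanged"]


def make_mbr(fill, parts):
    """Build a constructed sample sector; the fill byte stands in for boot code."""
    table = b"".join(struct.pack("<B3sB3sII", st, b"", ty, b"", lba, n)
                     for st, ty, lba, n in parts).ljust(64, b"\0")
    return bytes([fill]) * CODE_END + table + SIGNATURE


# Constructed samples: one DOS partition (type 0x06) starting at sector 63.
BASELINE = make_mbr(0x90, [(0x80, 0x06, 63, 1028097)])
CODE_ONLY = make_mbr(0xCC, [(0x80, 0x06, 63, 1028097)])   # boot code replaced
TABLE_HIT = make_mbr(0xCC, [(0x80, 0x06, 7, 1028097)])    # table altered too

if __name__ == "__main__":
    for name, image in (("code only", CODE_ONLY), ("table hit", TABLE_HIT)):
        print(name, compare_mbr(BASELINE, image), parse_partitions(image))
```

A "partition table changed" result is the case in which the table has to come from the saved copy, because it describes this particular disk.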