


                  ADVANCED DISKINFOSCOPE (ADinf)
                                by
                     (c) Dr. Dmitry Mostovoy

                       DialogueScience, Inc.
                          Moscow, Russia



              A Guide to Frequently Asked Questions




Here are detailed answers to the questions which our users quite
frequently ask about ADinf. Questions on the same topic have been
combined and arranged by topic. The menu tree structure described below
may not fully agree with that of earlier ADinf versions, as the answers
specifically refer to version 8.xx and later.


     Can ADinf  check  a disk compacted with DoubleSpace,  DriveSpace,
     SpeedStor or Stacker?

Yes, it does check a compacted disk, scanning not through BIOS but via
Int 25h. For scanning a SuperStor-compacted disk, you must tell ADinf
not to check for new bad clusters (choose INFO UNDER CHECK > BAD
CLUSTERS > DON'T CHECK).


     I, being a programmer, naturally change many files on my disk
     every day. How can I tell ADinf to skip these legitimate
     modifications in its report?

You can hide directories from ADinf checks. For this, choose INFO
UNDER CHECK > SKIP TREE. Then choose a drive from the on-screen panel,
open its directory tree, and mark the directories and subdirectories
whose files are likely to change often. ADinf will not report harmless
changes to a file under a marked directory. But if a change (in size
or CRC) is suspicious, for example a file is modified but its date
stamp is unaltered, you are alerted.
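The rule just described (a marked directory silences ordinary changes
but not a change whose date stamp was left untouched) is the core of a
table-based integrity checker. The following is an added example, not
ADinf's code or table format: a toy diskinfo table that records size,
date stamp and CRC32 per file, and a comparison routine that applies the
SKIP TREE rule. The file paths, contents and date stamps are constructed
for the example.

```python
import zlib
from dataclasses import dataclass

# Constructed model of a diskinfo table (added example, not ADinf's format).
# Each entry records what an integrity table needs about a file.


@dataclass(frozen=True)
class Entry:
    size: int
    date: int   # DOS-style date/time stamp, treated as an opaque integer here
    crc: int    # CRC32 of the file contents


def build_table(files):
    """files maps a path to (date_stamp, contents); returns the table."""
    return {path: Entry(len(body), date, zlib.crc32(body))
            for path, (date, body) in files.items()}


def under_tree(path, trees):
    """True if path lies under one of the marked (skipped) directory trees."""
    p = path.upper()
    return any(p.startswith(t.upper()) for t in trees)


def compare(old, new, skip_tree=()):
    """Report differences between two tables.

    Files under a directory in skip_tree are reported only when the change
    is suspicious: size or CRC differs while the date stamp is unaltered.
    A compiler or editor rewriting a file also updates its stamp, whereas a
    file infector commonly restores the original stamp to hide its work.
    """
    report = []
    for path in sorted(set(old) | set(new)):
        skipped = under_tree(path, skip_tree)
        if path not in new:
            if not skipped:
                report.append((path, "deleted"))
            continue
        if path not in old:
            if not skipped:
                report.append((path, "new file"))
            continue
        o, n = old[path], new[path]
        if o == n:
            continue
        contents_changed = o.size != n.size or o.crc != n.crc
        if contents_changed and o.date == n.date:
            report.append((path, "SUSPICIOUS: contents changed, date stamp unaltered"))
        elif not skipped:
            report.append((path, "changed"))
    return report


# Constructed sample: the table at install time and at the next check.
BEFORE = build_table({
    "C:\\DOS\\COMMAND.COM": (0x1A2B, b"MZ" + b"\x90" * 40),
    "C:\\SRC\\MAIN.C":      (0x1A2B, b"int main(void) { return 0; }\n"),
    "C:\\SRC\\PROG.EXE":    (0x1A2B, b"MZ" + b"\xCC" * 60),
})
AFTER = build_table({
    # unchanged
    "C:\\DOS\\COMMAND.COM": (0x1A2B, b"MZ" + b"\x90" * 40),
    # edited and recompiled: contents and date stamp both change -> legitimate
    "C:\\SRC\\MAIN.C":      (0x1A2C, b"int main(void) { return 1; }\n"),
    # contents changed but date stamp kept -> suspicious even under SKIP TREE
    "C:\\SRC\\PROG.EXE":    (0x1A2B, b"MZ" + b"\xCC" * 60 + b"\xEB\xFE"),
    # a new object file in the skipped tree is not worth a report
    "C:\\SRC\\PROG.OBJ":    (0x1A2C, b"\x80\x0A"),
})


def demo():
    """Compare the two tables with C:\\SRC marked as a skipped tree."""
    return compare(BEFORE, AFTER, skip_tree=["C:\\SRC\\"])


if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{path:22} {verdict}")
```

With the SRC tree marked, the recompiled MAIN.C and the new PROG.OBJ
are silent, while PROG.EXE is still reported because its date stamp did
not move with its contents; without the mark, all three changes appear.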


     What is  ADinf  Cure  Module?  If this is a curing module,  is it
     better or worse than Virus Hunter and Doctor Web? Where can I buy
     it?

ADinf Cure Module is a curing companion which enhances the capabilities
of Advanced Diskinfoscope. It radically differs from the scanners Virus
Hunter and Doctor Web. It kills existing and as-yet-unknown viruses
with equal efficacy. It maintains a small database containing the
necessary information about all files on your disk. When ADinf detects
a virus, the curing module can be used to kill it. The database is
automatically updated by ADinf when diskinfo changes in your system.
The program was tested on a collection of 7000 various infectors
unknown to the program and successfully removed 97 percent of them.

Scanners and ADinf Cure Module cannot be compared: each deploys a
different strategy against the antivirus problem, and each ideally
supplements the other. First, ADinf Cure Module does not kill all
viruses but only about 97% of them, despite its ability to clean a
computer of as-yet-unknown viruses. Second, it is helpless when you are
handling someone else's diskettes, since it requires the database
containing diskinfo. Scanners, on the contrary, deploy the traditional
tactics: to every attack they design a counterattack, and can therefore
kill only the viruses known to them, but are helpless against new
viruses. It is therefore a good idea to have both of them on your
machine.


     Why does ADinf compute several types of checksums?

The possibility of specifying different types of checksums for
verifying the integrity of files is useful in customizing ADinf for fast
and reliable scanning. For detailed information on the CRC types, refer
to the section CRC TYPES (OPTIONS -> SETUP PARAMETERS -> EXTENSION LIST
-> CRC TYPES).


     What is fast CRC that ADinf computes? When I modified a few bytes
     at the end of an executable file,  it ignored them under fast CRC
     mode. Why?

ADinf checks in one of the modes NO CRC, FAST CRC, or full CRC (CRC16,
CRC32 or CRC48). FAST CRC is computed over the parts of an executable
file that matter to its internal structure. FAST CRC is therefore best
suited for COM and EXE files, as it gives reliable virus detection
without computing the CRC of the whole file. Consequently, a change in
a file area which a virus would not normally touch is ignored under the
FAST CRC check.
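To make the trade-off concrete, here is an added example (not ADinf's
algorithm; the covered regions and the 512-byte window are assumptions
chosen for illustration) of a structure-aware fast CRC for DOS
executables. For an MZ executable it covers the header and a window of
code at the initial CS:IP; for a COM file, the first bytes of the image,
where execution begins. A constructed 2000-byte MZ image shows that a
patch at the end of the file is invisible to the fast CRC but visible to
a full CRC32, while a patch inside the entry window is caught by both.

```python
import struct
import zlib

# Added example: simplified model of a "fast CRC" for DOS executables.
# Not ADinf's layout; regions and window size are assumptions.

ENTRY_WINDOW = 512   # assumed: number of bytes checked at the entry point


def fast_crc_regions(data):
    """Return the (start, end) byte ranges the fast CRC covers.

    MZ (EXE): the whole header plus ENTRY_WINDOW bytes at the initial CS:IP,
    which is where an appending infector must redirect execution.
    COM: the first ENTRY_WINDOW bytes, since the image runs from offset 0.
    """
    n = len(data)
    if n >= 0x1C and data[:2] in (b"MZ", b"ZM"):
        (cparhdr,) = struct.unpack_from("<H", data, 0x08)   # header size, paragraphs
        ip, cs = struct.unpack_from("<HH", data, 0x14)      # initial IP, initial CS
        hdr_len = cparhdr * 16
        entry = hdr_len + cs * 16 + ip      # CS is relative to the load module
        return [(0, min(hdr_len, n)), (min(entry, n), min(entry + ENTRY_WINDOW, n))]
    return [(0, min(ENTRY_WINDOW, n))]


def fast_crc(data):
    """CRC32 chained over the covered regions only."""
    crc = 0
    for start, end in fast_crc_regions(data):
        crc = zlib.crc32(data[start:end], crc)
    return crc


def full_crc(data):
    """CRC32 of the whole file, the slow but complete alternative."""
    return zlib.crc32(data)


def make_sample_exe(total=2000):
    """Constructed MZ image: 32-byte header, entry at the start of the load module."""
    hdr = bytearray(32)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x02, total % 512)           # bytes in last page
    struct.pack_into("<H", hdr, 0x04, (total + 511) // 512)  # pages in file
    struct.pack_into("<H", hdr, 0x08, 2)                     # header = 2 paragraphs
    struct.pack_into("<HH", hdr, 0x14, 0, 0)                 # IP = 0, CS = 0
    body = bytes((i * 7) & 0xFF for i in range(total - 32))  # filler "code and data"
    return bytes(hdr) + body


def demo():
    """Compare what each CRC mode notices about two single-byte patches."""
    orig = make_sample_exe()
    tail = bytearray(orig)
    tail[-1] ^= 0xFF                 # a byte at the very end of the file
    entry = bytearray(orig)
    entry[32 + 10] ^= 0xFF           # a byte inside the entry-point window
    return {
        "tail_seen_by_fast": fast_crc(bytes(tail)) != fast_crc(orig),
        "tail_seen_by_full": full_crc(bytes(tail)) != full_crc(orig),
        "entry_seen_by_fast": fast_crc(bytes(entry)) != fast_crc(orig),
        "regions": fast_crc_regions(orig),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The size of the file is not folded into the fast CRC here because, as
the previous answer notes, size is tracked as a separate column of the
table; the fast CRC only has to notice what the size check cannot.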


     Can I put network drives under ADinf control?

Unfortunately, you can't. ADinf checks a drive, reading it  sector  by
sector. Therefore it can check local drives only.


     Can ADinf run under MS Windows, Windows 95, and DESQview?

Yes, it does run under MS Windows,  Windows 95, and DESQview, scanning
the drives directly via BIOS.


     Can ADinf run under DR DOS, Novell DOS, Compaq DOS?

Yes, ADinf can run under DR DOS 5.00 or 6.00. If ADinf hangs up under
Novell DOS later than 7.0, run it with the -r option. Use this option
also if your computer is running under Compaq DOS or any other OS not
fully MS DOS compatible.


     What is the purpose of personal tables?

ADinf supports two types of tables, common and personal, for storing
disk information. Structurally, they don't differ much. Common tables
are saved in the root directory of each logical drive; personal tables
are saved in the directory where ADinf is installed, or in another
directory of your choice. Common tables are helpful for regularly
checking a limited number of program files of particular extensions,
whereas personal tables are better suited for in-depth checking. You
may even choose all types of files on your disk and specify CRC32 as
the CRC type. Such a check is all-inclusive, but time consuming.


     I feel my machine is infected,  but ADinf is silent.  Can a virus
     dodge ADinf?

This is a common question, and there is only one answer to it.
Unfortunately, there is no panacea against PC virus infection, nor can
there ever be one. ADinf seems to be the best virus detector today. But
bear in mind its capabilities and limitations. Let us examine the
situations where ADinf may keep quiet.

First, if you have installed ADinf on an already infected machine, it
will not notice any virus, because it detects viruses through changes
in file information, and in this case there are no changes in file
information to report. If the virus is hiding its presence, i.e., you
have a stealth virus in the machine, ADinf will certainly detect it if
you run under the STEALTH SEARCH mode. This is a very useful mode; run
ADinf under it from time to time.

Second, ADinf may fail to notice viruses tailored specifically to
infect a file only at the time of its creation. If they are
additionally hiding themselves, you may trap them by running ADinf in
STEALTH SEARCH mode. If they are NOT hiding their presence, you can
easily detect them with the naked eye. For example, suppose you are
copying a file from drive A to drive C and you notice that the source
file has a different size than the target file. You can easily detect
such infectors by running ADinf as follows: write a batch file (call it
TRAP) which copies several executable files, say, to your RAM drive and
then copies them back from the RAM drive to the source drive. Run the
TRAP batch file before turning off your computer. When you start the
computer next time, ADinf will report such viruses, if any. For greater
reliability, include the files to be copied in the STABLE FILES list
(its menu path is OPTIONS > SETUP PARAMETERS > INFO UNDER CHECK >
STABLE FILES).

Third, ADinf lets you toggle off many checks. If, for example, you have
toggled off the boot sector check of drive C, or you have deleted EXE
from the extension list under control, you may not notice
virus-induced changes.

Finally, because of its beneficent policy, its aggressive strategy and
its ingenious tactics, ADinf irritates virus designers. One fine day,
it is not excluded that you may find in your machine a new virus
specially tailored to dodge ADinf. Today there are several viruses
which try to delete files with a name beginning with "ADIN". What these
evil-mongers will do next, God alone knows.


     What is disk access via BIOS, Int 13h, and Int 25h?

In its checking missions, ADinf automatically identifies the DOS file
structure by reading the disk sectors one after another. Three access
methods are available for reading the sectors of a drive:

         through direct addressing of the BIOS;
         through the use of Interrupt 13h (Int 13h);
         through the use of DOS Interrupt 25h (Int 25h).

The drive access type is specified by choosing OPTIONS > SETUP
PARAMETERS > DRIVE ACCESS TYPE. When should each drive access type be
chosen?

For an IDE disk partitioned by the FDISK program, ADinf uses  BIOS  as
the access type.

Access via Int 13h must be used in the following situations. Modern
high-capacity disks are manufactured with more than 1024 cylinders (the
limiting value for the standard BIOS of the IBM AT). Present-day BIOSes
and hard disks support such disks by reducing the number of cylinders
and correspondingly increasing the number of sectors or heads (LBA
mode). However, if your BIOS does not provide this facility, you may
have to use special disk drivers to utilize the full capacity of such
disks, for example Disk Manager for IDE disks. ADinf identifies Disk
Manager and automatically defaults to Int 13h as the disk access type.
Several drivers exist for SCSI disks. If you have a high-capacity SCSI
disk in your machine, manually choose Int 13h from the DRIVE ACCESS
TYPE box.

Second case.  In a machine running under QEMM  set  to  STEALTH  mode,
ADinf  defaults  to Int 13h as the DRIVE ACCESS TYPE because access to
disk via BIOS is denied to ADinf.

DRIVE ACCESS TYPE must be set to Int 25h for disks managed by special
drivers, for example disk compactors. As a rule, ADinf identifies such
situations and automatically defaults to Int 25h. But if the drive
letters of a compacted disk have been changed, the drive access type
must be set to Int 25h manually by the user.

There are also other situations where the user must specify the  drive
access  type manually,  for example,  if you have changed the standard
sequence of drive specifiers that DOS assigns to disk partitions.  DOS
allots  the  drive  name  letters  in  the following sequence (if some
partition is missing, the letters are shifted accordingly):

First hard disk

       1st Primary  DOS Partition C: BIOS
       1st Extended DOS Partition E: BIOS
       2nd Extended DOS Partition F: BIOS
       3rd Extended DOS Partition G: BIOS
       2nd Primary  DOS Partition K: BIOS
       3rd Primary  DOS Partition L: BIOS

Second hard disk:

       1st Primary  DOS Partition D: BIOS
       1st Extended DOS Partition H: BIOS
       2nd Extended DOS Partition I: BIOS
       3rd Extended DOS Partition J: BIOS
       2nd Primary  DOS Partition M: BIOS
       3rd Primary  DOS Partition N: BIOS

ADinf strictly follows this standard sequence when assigning names to
drives. This sequence may, however, be violated in several cases. For
the logical drives whose letters come before the first violation of the
standard sequence, ADinf uses BIOS as the drive access type, and Int
25h for the other drives. Below is an example of such a situation.
Suppose the second hard disk is an IDE disk with more than 1024
cylinders (without LBA) formatted by Disk Manager. In this case the
partitions are allotted drive letters as follows:

First hard disk:

       1st Primary  DOS Partition C: BIOS
       1st Extended DOS Partition D: Int 25h
       2nd Extended DOS Partition E: Int 25h
       3rd Extended DOS Partition F: Int 25h
       2nd Primary  DOS Partition G: Int 25h
       3rd Primary  DOS Partition H: Int 25h

Second hard  disk:

       Only one DM Partition I: Int 25h

The DRIVE ACCESS TYPE is listed in the right-most column.

One more example of a nonconventional configuration. Let us interchange
the hard disks in the above example: let the first hard disk be a large
IDE disk partitioned by Disk Manager and the second an ordinary IDE
disk. In this case, the drive access type must be set as follows.

First hard disk:

       Only one DM partition C: Int 13h

Second hard disk:

       1st Primary  DOS Partition D: BIOS
       1st Extended DOS Partition E: BIOS
       2nd Extended DOS Partition F: BIOS
       3rd Extended DOS Partition G: BIOS
       2nd Primary  DOS Partition H: BIOS
       3rd Primary  DOS Partition I: BIOS
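The letter sequence in the tables above and the "BIOS up to the first
violation, Int 25h afterwards" rule can be written down as a small
program. The following is an added example, not ADinf's code: one
function reproduces the standard DOS order for any number of disks, and
another applies the access-type rule to the letters DOS actually
assigned. The Disk Manager scenario is modelled with the assumption
that the DM partition counts as its disk's one primary partition for
the standard sequence while DM itself gives it the last letter. The
second configuration above (Disk Manager on the first disk, Int 13h for
its drive) is the manual case the text describes and is not derived by
this rule.

```python
# Added example: DOS drive-letter order and ADinf's access-type rule as
# described in the text. Not ADinf's code; disk descriptions are constructed.

LETTERS = "CDEFGHIJKLMNOPQRSTUVWXYZ"


def standard_letters(disks):
    """Assign letters to DOS partitions in the documented order.

    disks: one dict per physical disk, {"primary": count, "extended": count},
    where "extended" counts the logical drives in the extended partition.
    Returns a list of (letter, disk_number, kind, ordinal).
    """
    order = []
    # 1st primary DOS partition of every disk comes first (C:, D:, ...)
    for d, disk in enumerate(disks, start=1):
        if disk.get("primary", 0) >= 1:
            order.append((d, "Primary", 1))
    # then the logical drives of each disk's extended partition, disk by disk
    for d, disk in enumerate(disks, start=1):
        for k in range(1, disk.get("extended", 0) + 1):
            order.append((d, "Extended", k))
    # then any further primary partitions, disk by disk
    for d, disk in enumerate(disks, start=1):
        for k in range(2, disk.get("primary", 0) + 1):
            order.append((d, "Primary", k))
    return [(LETTERS[i],) + item for i, item in enumerate(order)]


def access_types(actual, disks):
    """BIOS for letters that agree with the standard order, Int 25h from the
    first violation onward.

    actual: list of (letter, disk_number, kind, ordinal) as DOS really
    assigned them on this machine.
    """
    standard = {letter: rest for letter, *rest in standard_letters(disks)}
    result = {}
    violated = False
    for letter, *rest in actual:
        if standard.get(letter) != rest:
            violated = True
        result[letter] = "Int 25h" if violated else "BIOS"
    return result


# Constructed configuration from the first table: two disks, each with
# three primary partitions and three logical drives.
FIRST_DISK = {"primary": 3, "extended": 3}
SECOND_DISK = {"primary": 3, "extended": 3}


def demo_standard():
    return standard_letters([FIRST_DISK, SECOND_DISK])


# Constructed Disk Manager scenario: the second disk has a single DM
# partition, which DM puts after all DOS drives, so D: already violates
# the standard sequence (it should have been the second disk's primary).
DM_ACTUAL = [
    ("C", 1, "Primary", 1), ("D", 1, "Extended", 1), ("E", 1, "Extended", 2),
    ("F", 1, "Extended", 3), ("G", 1, "Primary", 2), ("H", 1, "Primary", 3),
    ("I", 2, "DM", 1),
]
DM_SECOND_DISK = {"primary": 1, "extended": 0}   # assumption: DM partition counts as one primary


def demo_access():
    return access_types(DM_ACTUAL, [FIRST_DISK, DM_SECOND_DISK])


if __name__ == "__main__":
    for letter, d, kind, k in demo_standard():
        print(f"disk {d}  {kind:8} {k}  {letter}:")
    for letter, mode in demo_access().items():
        print(f"{letter}: {mode}")
```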


     Why cannot BIOS be specified as the drive access type on a 32-bit
     machine? Does this affect detection reliability?

Problems are encountered in enabling/disabling this mode on a machine
running under Windows 3.11, because the address of the entry point of
the Int 13h handler in BIOS changes. If 32-bit access is disabled,
ADinf running under Windows 3.11 gains access to drives via the
"hardware" BIOS, whereas if 32-bit access is enabled, it gains access
via the virtual BIOS. For ADinf to operate reliably, the first run of
ADinf immediately after enabling/disabling the 32-bit drive access must
be started with the -force13 command option, which forcibly redefines
the address of the entry point of the Int 13h handler.


     What is the purpose of the -76 command option, which the User's
     Guide does not explain? On some computers ADinf hangs up, saying
     "Opening the disk". What is the cause of this?

Int 76h is an interrupt generated by the IDE controller upon the
completion of every disk operation. There are stealth viruses that use
this interrupt to hide their presence in the machine. In effect, these
viruses dodge detection at the hardware level, using the documented
capabilities of the IDE controller. In order to detect such viruses,
ADinf intercepts and handles Int 76h itself. But such independent
handling may conflict with certain BIOSes or with special drivers for
32-bit access to IDE disks. In such cases, ADinf hangs up, displaying
the message "Opening the disk".

In order to prevent ADinf from intercepting Int 76h,  run  ADinf  with
the -76 option, as follows:

C:\ADINF\Adinf.exe -a -b -d -76 -@C:\ADINF\list  -lC:\ADINF\

If with this command line your system no longer hangs up, please send
the version number of your BIOS (the eight bytes at address F000:FFF5)
to DialogueScience, Inc., Moscow, Russia, so that the ADinf internal
BIOS incompatibility table can be updated and you can run ADinf without
including this option in the command line.


     I installed ADinf version 10.06 on my network server, but I could
     not install ADinf Cure Module version 3.03. What is the reason?

To install ADinf on a LAN along with the curing module, ADinf Cure
Module must be version 3.04 or higher.

Similarly, the -home command option available in ADinf 10.06 also
requires ADinf Cure Module 3.04 or higher for the joint operation of
ADinf with the Cure Module.


     What is   the  objective  of  ADinf  Pro  version?  What  is  the
     difference between ADinf Pro and the standard ADinf?

ADinf Pro is a special modification for users who demand guaranteed
integrity and security of large volumes of valuable information, for
example databases or document archives. Because of the new LAN64
algorithm used for computing the checksums of files, ADinf Pro is not a
simple integrity checker but a powerful utility which keeps strict
control over data security.

The LAN64 algorithm computes 64-bit checksums by a hash function
developed by LAN Crypto Corporation for controlling the security of
especially valuable information. It guarantees reliable control over
data security and leaves no room for modifying a file without changing
the value of the hash function.

With the CRC16 and CRC32 algorithms employed in standard ADinf
versions, a file can be slightly modified in a way that leaves its
checksum unchanged: for both CRC types there are algorithms which
compute additional bytes so that the checksum remains as before. In
this sense, CRC16 and CRC32 checksums are helpless against deliberate
tricks.

The LAN64 algorithm (hash function) is designed so that nobody can
compute the necessary changes without altering the checksum. Trial and
error is the only way, and it cannot be accomplished in real time. Here
lies the superiority of the LAN 64-bit checksum.

A special mechanism is incorporated in ADinf Pro for  controlling  the
integrity  of  diskinfo  tables which are also now protected by 64-bit
checksums.
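The statement that CRC32 can be restored by computing a few additional
bytes, whereas a hash function cannot, is the reason integrity checkers
moved from CRCs to cryptographic hashes. The following added example
(not ADinf's or LAN Crypto's code) demonstrates the property on
constructed file contents: CRC32 is linear, so four appended bytes
restore any desired checksum after a modification, while SHA-256, used
here as a publicly available stand-in because LAN64 is not available to
this example, shows no such shortcut. The lesson for a defender is that
a CRC column in an integrity table detects accidents and ordinary
infections, but only a collision-resistant hash defends against a
deliberate, checksum-aware modification.

```python
import hashlib
import zlib

# Added example: why CRC32 cannot serve as a security checksum.
# Not ADinf's code; the file contents below are constructed.

POLY = 0xEDB88320   # reflected CRC32 polynomial, the one zlib.crc32 uses


def _table():
    t = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        t.append(c)
    return t


TABLE = _table()
# The top bytes of the 256 table entries are all distinct, so a top byte
# identifies its table index uniquely.
TOP_BYTE_INDEX = {t >> 24: i for i, t in enumerate(TABLE)}


def crc32_fixup(data, target):
    """Return 4 bytes such that zlib.crc32(data + result) == target.

    With the byte-wise update crc = T[(crc ^ b) & 0xFF] ^ (crc >> 8), the
    register after four more bytes equals
        T[i3] ^ (T[i2] >> 8) ^ (T[i1] >> 16) ^ (T[i0] >> 24)
    and no longer depends on the register before them. The four indices
    can therefore be read off the target one top byte at a time, and the
    actual bytes follow from the indices and the running register.
    """
    reg = zlib.crc32(data) ^ 0xFFFFFFFF      # undo zlib's final inversion
    want = target ^ 0xFFFFFFFF
    indices = []
    for _ in range(4):                        # backward: i3, i2, i1, i0
        i = TOP_BYTE_INDEX[want >> 24]
        indices.append(i)
        want = ((want ^ TABLE[i]) << 8) & 0xFFFFFFFF
    out = bytearray()
    for i in reversed(indices):               # forward: indices -> bytes
        out.append((reg ^ i) & 0xFF)
        reg = TABLE[i] ^ (reg >> 8)
    return bytes(out)


def fixup_works(data, target):
    """True if the four computed bytes really restore the target CRC32."""
    return zlib.crc32(data + crc32_fixup(data, target)) == target


ORIGINAL = b"MZ" + bytes(range(64))                      # constructed "file"
TAMPERED = ORIGINAL[:10] + b"\xEB\xFE" + ORIGINAL[12:]   # two bytes altered


def demo():
    """Restore the original CRC32 on the tampered file; compare with SHA-256."""
    forged = TAMPERED + crc32_fixup(TAMPERED, zlib.crc32(ORIGINAL))
    return {
        "crc32_matches": zlib.crc32(forged) == zlib.crc32(ORIGINAL),
        "sha256_matches": hashlib.sha256(forged).digest() == hashlib.sha256(ORIGINAL).digest(),
        "size_changed": len(forged) != len(ORIGINAL),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that the fixup appends bytes, so the file size changes and a table
that records size alongside the checksum still notices this particular
edit; the point is that the checksum itself offers no guarantee, which
is exactly the gap a hash function such as LAN64 is meant to close.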


                           REFERENCES

DialogueScience, DSAV, ADinf and Virus Hunter are registered trademarks
of DialogueScience Inc., Moscow, Russia.

Sheriff is a registered trademark of FomSoft, Moscow, Russia.

Other names are registered trademarks or trademarks of the
respective companies.


                             * * *

DialogueScience, Inc.,
Computing Center of the Russian Academy of Sciences,
Office No 103, House No 40, Vavilov street,
117786, Moscow, Russia.

Tel.:     (+7-095) 137-0150, 135-6253
Tel./Fax: (+7-095) 938-2970, 938-2855

BBS: (+7-095) 939-3705 (28800/V.34, 33600/V.34+) - subscribers only
     (+7-095) 938-2969 (28800/V.34, 33600/V.34+) - subscribers only
     (+7-095) 938-2867 (28800/V.34, 33600/V.34+) - subscribers only
     (+7-095) 938-2856 (28800/V.34)              - common access

FidoNet: 2:5020/69

FTP-server: ftp://ftp.adinf.com
            ftp://ftp2.adinf.com
            ftp://ftp3.adinf.com

WWW:        http://www.adinf.com
            http://www.dials.ru

E-mail: Antivir@ADinf.com
