

                  ADVANCED DISKINFOSCOPE (ADinf)
                                by
                     (c) Dr. Dmitry Mostovoy

             Keldysh Institute of Applied Mathematics
                  The Russian Academy of Sciences
                          Moscow, Russia


              A Guide to Frequently Asked Questions



           This file answers in detail several questions that users quite
frequently ask about ADinf.  All questions pertaining to one subject have
been grouped together and arranged topically.

The menu tree structure described below may not fully agree with the menu
structure of previous ADinf versions, as I have answered the questions
with specific reference to ADinf version 8.00 and higher.



Q    Can ADinf check a  disk compacted with DoubleSpace, Stacker,
     DriveSpace or SuperStor?

A    ADinf does check a compacted disk, scanning it not through BIOS but
     via Int 25h.  Normally, ADinf itself gains access to such disks via
     Int 25h.  For a compacted DOS logical drive having the same name as
     the host drive where the compressed disk file is saved, you must set
     Int 25h as the drive access type (choose the DISK ACCESS TYPE command
     from the SETUP PARAMETERS submenu of the OPTIONS menu).

     For scanning a SuperStor-compacted disk, you must tell ADinf not to
     check for new bad clusters (choose DON'T CHECK from the BAD CLUSTERS
     menu of the INFO UNDER CHECK submenu).


Q    I, being a programmer, naturally change a large number of files on my
     disk every day.  How can I tell ADinf to keep quiet about these legal
     modifications in its morning reports?

A    You can easily mark directories as working directories.  For this,
     choose SKIP TREE from the INFO UNDER CHECK submenu.  Then choose a
     drive from the on-screen panel, pop up its structure tree, and mark
     the directories and subdirectories where you are likely to change
     files every day.  ADinf will not report harmless changes in a file
     under a marked directory.  But if it suspects a change (in size or
     CRC of a file) to be fatal, ADinf will alert you.


Q    I have only one partition spread over my 120 Mb disk.  Whenever I
     start checking, ADinf aborts its mission and reports "more than 2620
     files in your disk".  How can I fix this error?

A    This limitation no longer exists in ADinf version 10.00. Install ADinf
     10.00 or higher.



Q    What is ADinf Cure Module?  If this is a curing module, is it better
     or worse than V-Hunter?  Where can I buy it?

A    ADinf Cure Module (ADinfExt.exe) is a curing module tailored to
     enhance the powers of Advanced DiskInfoscope.  It differs radically
     from V-Hunter: it kills existing and as yet unknown viruses with
     equal efficacy.  It maintains a small database containing full
     information about all files on your disk.  When ADinf detects a
     virus, the curing module can be used to kill it.  The database is
     automatically updated by ADinf when disk information changes in your
     system.

     V-Hunter and ADinfExt cannot be compared: each deploys a different
     strategy against the antivirus problem, and they ideally supplement
     each other.  First, ADinfExt does not kill all viruses but only about
     97% of them (not bad, isn't it?), especially considering its ability
     to clean your computer of as yet unknown viruses.  Second, it is
     helpless when you are handling someone else's diskettes, because it
     requires the database containing disk information.  V-Hunter, on the
     other hand, applies the traditional defence principle: to every
     attack it designs a counterattack, and can therefore kill only the
     viruses known to it but is helpless against new viruses.  It is
     therefore a good idea to have both programs available on your
     machine.

     ADinf Cure Module was tested on a collection of 750 of the most
     widespread infectors unknown to the program and successfully removed
     97% of them.

     You can buy ADinf Cure Module from any dealer distributing V-Hunter;
     both are products of DialogueScience Inc., Moscow, Russia.


Q    What is fast CRC that ADinf computes?  When I modified a few bytes at
     the end of an EXE file,  ADinf ignored them while checking under fast
     CRC mode.  Why?

A    ADinf conducts its checks in one of three alternative modes: fast
     CRC (cyclic redundancy check), full CRC and no CRC.  The method by
     which ADinf computes the fast CRC is closely tied to the internal
     structure of an executable file.  Therefore fast CRC is best suited
     for COM and EXE files, as it guarantees reliable virus detection
     without the need for computing the CRC of the whole file.  So changes
     in certain file areas are ignored by ADinf when checking in fast CRC
     mode, unless they are generated by a virus.
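     The idea behind a structure-aware fast CRC, as an added illustration
     that is not ADinf's code (ADinf does not document which file areas it
     hashes, so the header-plus-entry-point choice below is an assumption):
     a constructed minimal MZ image is built, a few bytes at its end are
     changed without moving the fast CRC while the full CRC changes, and a
     change to the header's entry point is caught by the fast CRC.

```python
import struct
import zlib

# Documented MZ header layout: e_magic, e_cblp, e_cp, e_crlc, e_cparhdr,
# e_minalloc, e_maxalloc, e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno.
MZ_FIELDS = "<2sHHHHHHHHHHHHH"

# Constructed sample data: a 32-byte stub (DOS exit call padded with NOPs)
# and two 21-byte tails that differ only in their last word.
CODE = b"\xB4\x4C\xCD\x21" + b"\x90" * 28
TAIL_A = b"TRAILER-DATA-ORIGINAL"
TAIL_B = b"TRAILER-DATA-MODIFIED"

def build_exe(code, tail, e_ip=0):
    """Assemble a minimal MZ image: 2-paragraph header, then code and tail."""
    header_paras = 2
    total = header_paras * 16 + len(code) + len(tail)
    pages, last = divmod(total, 512)
    if last:
        pages += 1
    hdr = struct.pack(MZ_FIELDS, b"MZ", last, pages, 0, header_paras,
                      0, 0xFFFF, 0, 0x100, 0, e_ip, 0, 0x1C, 0)
    return hdr.ljust(header_paras * 16, b"\0") + code + tail

def entry_offset(image):
    """Return (header length, file offset of the entry point) from the header."""
    f = struct.unpack_from(MZ_FIELDS, image, 0)
    if f[0] != b"MZ":
        raise ValueError("not an MZ executable")
    hdr_len = f[4] * 16                            # e_cparhdr in paragraphs
    return hdr_len, hdr_len + f[11] * 16 + f[10]   # e_cs:e_ip -> file offset

def full_crc(image):
    """Full CRC: the whole file, so any byte change is visible."""
    return zlib.crc32(image)

def fast_crc(image, window=32):
    """Fast CRC (assumed scheme): header plus `window` bytes at the entry point.
    The header carries the size and entry fields, so a size change or a
    redirected entry point alters the result; bytes outside are not hashed."""
    hdr_len, entry = entry_offset(image)
    return zlib.crc32(image[:hdr_len] + image[entry:entry + window])

def compare():
    original = build_exe(CODE, TAIL_A)
    tail_edit = build_exe(CODE, TAIL_B)                   # bytes changed at the end
    entry_edit = build_exe(CODE, TAIL_A, e_ip=len(CODE))  # entry moved into the tail
    return {
        "tail_edit_seen_by_fast": fast_crc(original) != fast_crc(tail_edit),
        "tail_edit_seen_by_full": full_crc(original) != full_crc(tail_edit),
        "entry_edit_seen_by_fast": fast_crc(original) != fast_crc(entry_edit),
    }

if __name__ == "__main__":
    print(compare())
```

     The trade-off the answer describes is visible in the result: the tail
     edit is invisible to the fast CRC but not to the full CRC, while the
     header change is caught by both.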


Q    Why is ADinf  very sluggish in checking  a write-cached disk?   Why
     does ADinf hang up on a cached machine or disk?

A    ADinf efficiently checks a read-cached disk but may face problems on
     a write-cached disk, when both ADinf and the cache simultaneously
     address BIOS and create conflicts.  There are two ways of avoiding
     such conflicts.  First, disable the write cache before starting ADinf
     and enable it again when checking is complete.  For example, write
     caching by SmartDrv.exe is turned off for drives C and D by the
     command SmartDrv C D and turned back on by SmartDrv C+ D+.
     Alternatively, tell ADinf to check all drives except C via Int 13h by
     choosing DRIVE ACCESS TYPE from the OPTIONS menu.  But this checking
     mode is less reliable.

     Starting from version 9.00, ADinf is fully compatible with the
     HyperDisk write cache ver. 4.50 or later.  No problems arise with
     this utility any longer.


Q    Can I put net drives under ADinf control?

A    Unfortunately, you can't.   ADinf checks a  drive, reading it  sector
     by sector.   Therefore it  can check  local drives  only and  must be
     installed on each LAN workstation separately.


Q    Can ADinf run under MS Windows and DESQview?

A    Yes, it can.  ADinf works under MS Windows and  DESQview and can scan
     drives directly via BIOS while working under Windows or DESQview.


Q    What is the purpose of personal tables?

A    ADinf supports two types of tables, common and personal, for storing
     disk information.  They do not differ in structure.  Common tables
     are saved in the root directory of each logical drive and personal
     tables in the directory where adinf.exe is installed.  Common tables
     are helpful for regularly checking a limited number of program files
     of particular extensions, whereas personal tables are better suited
     for in-depth checking.  You may even choose all types of files on
     your disk and specify FULL for the CRC type.  Such a check is
     all-inclusive, though time consuming.


Q    I feel my  machine is infected  but ADinf is  keeping silent.   Can a
     virus dodge detection by ADinf?

A    This is a commonly asked question, and there is only one answer to
     it.  Unfortunately, there is no panacea for PC virus infection, nor
     can there ever be one.  ADinf is one of the most powerful virus
     detectors today.  But you must keep in mind its capabilities and
     limitations.  Let us examine the situations where ADinf may keep
     quiet.

     First, if you have installed ADinf on an already infected machine,
     it will not notice the virus, because it detects viruses through
     changes in file information, and in this case there are no changes
     in file information, so it does not alert you.  If the virus is
     hiding its presence, i.e. you have a stealth virus in the machine,
     ADinf will certainly detect it if you run it in STEALTH SEARCH mode
     (see Stealth Search in the file ADinf.txt).  This is a very useful
     mode; run ADinf in it from time to time.

     Second, ADinf may fail to notice viruses tailored specifically to
     infect a file only at the time of its creation.  If they are at the
     same time hiding themselves, you may trap them by running ADinf in
     STEALTH SEARCH mode.  If they are NOT hiding their presence, you can
     easily detect them with your naked eyes.  For example, suppose you
     are copying a file from drive A to drive C and you notice that the
     size of the source file does not tally with the size of the target
     file.  You can easily detect such infectors by running ADinf as
     follows: write a batch file (call it, say, TRAP) which copies several
     executable files to, say, your RAM drive and then copies them from
     the RAM drive back to the source drive.  Add a PARK command at its
     last line.  Run the TRAP batch file before turning off your
     computer.  When you start the computer next time, ADinf will report
     such viruses, if any.  For greater reliability, you had better
     include the files to be copied in the STABLE FILES list (its menu
     path is OPTIONS -> SETUP PARAMETERS -> INFO UNDER CHECK -> STABLE
     FILES).

     Finally, because of its beneficent policy (aggressive strategy and
     ingenious tactics) ADinf is irritating virus designers.  It would not
     be surprising if one fine morning you find in your machine a new
     virus specially tailored to dodge detection by ADinf.  Today only one
     virus, belonging to the DIR group, is known that tries to delete
     files whose names begin with "ADIN" from your disk.  What is brewing
     in the minds of these evil-mongers, God alone knows!



Q    What is disk access via BIOS, INT 13h, and INT 25h?

A    In checking missions, ADinf automatically identifies the DOS file
     structure by reading the disk sectors one after another.  Three
     access methods are available for reading the sectors of a drive:

     - through direct addressing to BIOS;
     - through the use of Interrupt 13h (Int 13h);
     - through the use of DOS Interrupt 25h (Int 25h).

     The drive access type is specified by choosing
     - OPTIONS from the menu,
     - SETUP PARAMETERS from the submenu, and finally
     - DRIVE ACCESS TYPE in the panel box.

     When and which drive access type should be chosen?

     For an IDE disk partitioned by the FDISK program,  ADinf uses BIOS as
     the access method.

     Access via INT 13h must be used in the following situations.  Modern
     high-capacity disks are manufactured with more than 1024 cylinders
     (the limiting value for the standard BIOS of the IBM AT).  Special
     disk drivers are used to utilize the full capacity of such disks,
     for example Disk Manager for IDE disks.  ADinf identifies Disk
     Manager and automatically defaults to INT 13h as the disk access
     type.  Several drivers exist for SCSI disks.  If you have a
     high-capacity SCSI disk in your machine, manually choose INT 13h
     from the DRIVE ACCESS TYPE box.

     Second case.  In  a  machine  running under QEMM set to STEALTH mode,
     ADinf defaults to INT 13h as the DRIVE ACCESS TYPE because  access to
     disk via BIOS is denied to ADinf.

     DRIVE ACCESS TYPE must be set to INT 25h for disks managed by special
     drivers,  for example,  disk compactors.  As a rule, ADinf identifies
     such  situations  and  automatically defaults to INT 25h.  But if the
     drive name letters in a compacted disk are changed,  the drive access
     type must be set to INT 25h manually by the user.

     There are also other situations where the user must specify the drive
     access type manually,  for example,  if you have changed the standard
     sequence of drive specifiers that DOS assigns to disk partitions. DOS
     allots the drive name letters in  the  following  sequence  (if  some
     partition is missing, the letters are shifted accordingly):

             First hard disk
     1st Primary  DOS partition  C:   BIOS
     1st Extended DOS Partition  E:   BIOS
     2nd Extended DOS Partition  F:   BIOS
     3rd Extended DOS Partition  G:   BIOS
     2nd Primary  DOS partition  K:   BIOS
     3rd Primary  DOS partition  L:   BIOS

            Second hard disk:
     1st Primary  DOS partition  D:   BIOS
     1st Extended DOS Partition  H:   BIOS
     2nd Extended DOS Partition  I:   BIOS
     3rd Extended DOS Partition  J:   BIOS
     2nd Primary  DOS partition  M:   BIOS
     3rd Primary  DOS partition  N:   BIOS

     ADinf strictly supports this standard sequence of specifiers for
     assigning names to drives.  But this sequence may be violated in
     several cases.  For the logical drives whose letters come before a
     violation of the standard sequence, ADinf uses BIOS as the drive
     access type, and INT 25h for the other drives.  Below is an example
     of such a situation.  Let us suppose that the second hard disk is an
     IDE disk with more than 1024 cylinders formatted by Disk Manager.  In
     this case the partitions are allotted drive name letters as follows:

             First hard disk:
     1st Primary  DOS partition  C:    BIOS
     1st Extended DOS Partition  D:    Int 25h
     2nd Extended DOS Partition  E:    Int 25h
     3rd Extended DOS Partition  F:    Int 25h
     2nd Primary  DOS partition  G:    Int 25h
     3rd Primary  DOS partition  H:    Int 25h

            Second hard disk:
     Only one DM partition       I:    Int 25h

     The DRIVE ACCESS TYPE is listed in the right-most column.

     One more example of nonconventional configuration. Let us interchange
     the hard disks in the above example.  Let the first hard  disk  be  a
     large IDE disk partitioned by Disk Manager and the second an ordinary
     IDE disk. In this case the drive access type must be set as follows.

             First hard disk:
     Only one DM partition       C:    Int 13h

            Second hard disk:
     1st Primary  DOS partition  D:    BIOS
     1st Extended DOS Partition  E:    BIOS
     2nd Extended DOS Partition  F:    BIOS
     3rd Extended DOS Partition  G:    BIOS
     2nd Primary  DOS partition  H:    BIOS
     3rd Primary  DOS partition  I:    BIOS




Q    1.What is  the purpose  of the  command line  switch "-76", which the
     User Guide does not explain?

     2.  On  some  computers  ADinf  hangs  up, saying "Opening the disk".
     What is the cause for this?

A    Int 76h is an interrupt generated by the IDE controller upon the
     completion of every disk operation.  There are stealth viruses that
     use this interrupt to hide their presence in the machine.  In fact,
     these viruses dodge detection at the hardware level by utilizing the
     documented capabilities of the IDE controller.  In order to detect
     such viruses, ADinf intercepts and handles Int 76h itself.  But such
     independent handling may conflict with certain BIOSes or special
     drivers for 32-bit access to IDE disks.  In such cases ADinf hangs
     up, displaying the message "Opening the disk".

     To prevent ADinf from intercepting Int 76h, run ADinf with the
     option "-76", as follows:

  >C:\ADINF\adinf.exe -a -b -d -76 -@C:\ADINF\list -lC:\ADINF\
                               ~~~~
     If with such a command line your system no longer hangs up, please
     send the version number of your BIOS (the eight bytes at address
     F000:FFF5) to DialogueScience, Inc., Moscow, Russia, so that the
     ADinf internal BIOS incompatibility table can be updated and you can
     run ADinf without including this option in the command line.



Q    I installed ADinf version 10.06 on my network server but I could  not
     install ADinf Cure Module version 3.03. What is the reason?

A    To install ADinf on a LAN along with the curing module, ADinf Cure
     Module must be version 3.04 or higher.

     Similarly, the command line option "-HOME:" available in ADinf 10.06
     also requires ADinf Cure Module 3.04 or higher for joint operation
     of ADinf with the cure module.



ACKNOWLEDGMENTS

     ADinf, V-Hunter are registered trademarks of DialogueScience Inc.,
              Moscow, Russia.

     MS-DOS and Windows are registered trademarks of Microsoft
              Corporation, USA.

     IBM PC XT/AT, PS2 and PC DOS are registered trademarks of International
              Business Machines Corporation, USA.

     Stacker is a registered trademark of Stac Electronics, USA.

     Other names are the registered trademarks or trademarks of the
     respective companies.


DialogueScience, Inc.,
Ul. Vavilov 40, Room No.103-a,
Moscow 117967 GSP-1, Russia.

Tel (+7-095) 137-0150, 135-6253
Tel/Fax:     938-2970, 938-2855
BBS:(+7-095) 938-2856 (28800/V.34)                  - common access
    (+7-095) 938-2969 (28800/V.34,    33600/V.34+)  - subscribers only
    (+7-095) 939-3705 (28800/V.34,    33600/V.34+)  - subscribers only
    (+7-095) 939-5239 (14400/V.32bis, 19200/ZyXEL)  - subscribers only
FidoNet: 2:5020/69 , 2:5020/69.4
E-mail : antivir@dials.msk.su - Sales and Support Department
             bob@dials.msk.su - Modem link service
           dmost@dials.msk.su - ADinf author
FTP-server: ftp.kiam1.rssi.ru
