

                                                                  
                  ADVANCED DISKINFOSCOPE (ADinf)                  
                                by                                
                     (c) Dr. Dmitry Mostovoy                      
                                                                  
             Keldysh Institute of Applied Mathematics             
                  The Russian Academy of Sciences                 
                          Moscow, Russia                          


              A Guide to Frequently Asked Questions               



           This file answers in detail several questions that users quite
frequently ask about ADinf.  All  questions  pertaining to a subject have
been unified and arranged topically.

The menu tree structure described below may not fully agree with the menu
structure of previous ADinf versions, as I have answered the questions
with specific reference to ADinf version 8.00 and higher.



Q    Can ADinf check a disk  compacted with DoubleSpace, Stacker or Sstor?

A    ADinf does check a compacted disk, scanning it not through BIOS but
     using Int 25h.  Normally, ADinf itself gains access to such disks via
     Int 25h.  For a compacted DOS logical drive having the same name as
     the original drive where the compressed disk file is saved, you must
     set Int 25h as the drive access type (choosing the DISK ACCESS TYPE
     command from the SETUP PARAMETERS submenu of the OPTIONS menu).

     For scanning a Sstor-compacted disk, you must tell ADinf not to check
     for new  bad clusters (choosing DON'T CHECK from BAD CLUSTERS menu of
     the INFO UNDER CHECK submenu).


Q    I, being a programmer, naturally change a large number of files on my
     disk every day.  How can I tell ADinf to keep quiet about these legal
     modifications in its morning reports?

A    You can easily mark directories as working directories.  To do this,
     choose SKIP TREE from the INFO UNDER CHECK submenu.  Then choose a
     drive from the on-screen panel, pop up its structure tree, and mark
     the directories and subdirectories where you are likely to change
     files every day.  ADinf will not report harmless changes to a file
     under a marked directory.  But if it suspects that a change (in the
     size or CRC of a file) is fatal, ADinf will alert you.


Q    I have only one partition spread over my 120 Mb disk.  Whenever I
     start checking, ADinf aborts its mission and reports "more than 2620
     files in your disk".  How can I fix this error?

A    Unfortunately, this is a constraint inherent in the program.  To speed
     up checking, ADinf keeps the disk structure information in the
     computer's memory; this obviously puts a limit on the size of the
     diskinfo table.  To get around this problem, tell ADinf to confine its
     checks to COM, EXE, SYS, BAT, OVL, LIB and DRV files by editing the
     file extension list (choosing EXTENSIONS from the LIST menu).  The
     number of such files on your disk is not likely to exceed the built-in
     threshold at which ADinf aborts its checks.



Q    What is ADinf Cure Module?  If this is a curing module, is it better
     or worse than V-Hunter?  Where can I buy it?

A    ADinf Cure Module (ADinfExt.exe) is a curing module tailored to
     enhance the powers of Advanced DiskInfoscope.  It differs radically
     from V-Hunter: it kills existing and as yet unknown viruses with
     equal efficacy.  It maintains a small database containing full
     information about all files on your disk.  When ADinf detects a
     virus, the curing module can be used to kill it.  The database is
     automatically updated by ADinf when disk information changes in your
     system.

     V-Hunter and ADinfExt cannot be compared: each applies a different
     strategy to the antivirus problem, and they ideally supplement each
     other.  First, ADinfExt does not kill all viruses but only about 97%
     of them (not bad, is it?), particularly considering its ability to
     clean your computer of as yet unknown viruses.  Second, it is helpless
     when you are handling someone else's diskettes because it requires
     the database containing disk information.  V-Hunter, on the other
     hand, applies the traditional defence principle: for every attack it
     designs a counterattack, and it can therefore kill only the viruses
     known to it and is helpless against new viruses.  It is therefore a
     good idea to have both these programs available on your machine.

     ADinf Cure Module was tested on a collection of 750  most  widespread
     infectors  unknown  to  the  program and successfully removed 97%  of
     them.

     You can buy ADinf Cure Module from any dealer distributing V-Hunter;
     both are products of DialogueScience Inc., Moscow, Russia.


Q    What is fast CRC that ADinf computes?  When I modified a few bytes at
     the end of an EXE file,  ADinf ignored them while checking under fast
     CRC mode.  Why?

A    ADinf  conducts its checks in  one of three alternative modes:   fast
     CRC (cyclic redundancy  checks), full CRC  and No CRC.  The method by
     which ADinf  computes fast  CRC is  closely related  to the  internal
     structure of an  executable file. Therefore  fast CRC is  best suited
     for  COM  and  EXE  files  as  it guarantees reliable virus detection
     without the need for  computing the CRC of  the whole file.   So, all
     changes in certain file areas,  unless they are generated by a virus,
     are ignored by ADinf while checking under fast CRC mode.
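
     The fast/full distinction above, sketched as an added example (this
     is not ADinf's code, and the page does not say which file areas ADinf
     hashes).  It assumes fast mode covers the MZ header fields plus a
     64-byte window at the entry point; the function names and the sample
     image are constructed for illustration.

```python
import struct
import zlib

ENTRY_WINDOW = 64  # assumption: bytes hashed at the entry point in "fast" mode


def build_sample_exe(code: bytes, overlay: bytes = b"") -> bytes:
    """Constructed MZ image: 32-byte header, code, optional trailing data."""
    size = 32 + len(code)  # load image size; trailing data is not counted
    header = struct.pack(
        "<2s13H", b"MZ",
        size % 512, (size + 511) // 512,  # e_cblp, e_cp
        0, 2,                             # e_crlc, e_cparhdr (2 paragraphs)
        0, 0xFFFF, 0, 0x100,              # e_minalloc, e_maxalloc, e_ss, e_sp
        0, 0, 0, 0x1C, 0,                 # e_csum, e_ip, e_cs, e_lfarlc, e_ovno
    )
    return header.ljust(32, b"\0") + code + overlay


def entry_offset(image: bytes) -> int:
    """File offset of the first instruction, from the MZ header fields."""
    if len(image) < 28 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (cparhdr,) = struct.unpack_from("<H", image, 0x08)
    ip, cs = struct.unpack_from("<HH", image, 0x14)
    return cparhdr * 16 + ((cs * 16 + ip) & 0xFFFFF)


def fast_crc(image: bytes) -> int:
    """CRC-32 of the 28 header bytes plus a window at the entry point."""
    start = entry_offset(image)
    return zlib.crc32(image[start:start + ENTRY_WINDOW], zlib.crc32(image[:28]))


def changed(baseline: bytes, current: bytes) -> dict:
    """Which mode reports a difference between the stored and current file."""
    return {"fast": fast_crc(baseline) != fast_crc(current),
            "full": zlib.crc32(baseline) != zlib.crc32(current)}


CODE = bytes(range(200))  # constructed stand-in for program code
ORIGINAL = build_sample_exe(CODE, b"trailing-data-v1")
TAIL_EDIT = build_sample_exe(CODE, b"trailing-data-v2")  # bytes at end of file edited
ENTRY_EDIT = build_sample_exe(b"\xE9" + CODE[1:], b"trailing-data-v1")  # entry byte edited

if __name__ == "__main__":
    print("tail edit :", changed(ORIGINAL, TAIL_EDIT))
    print("entry edit:", changed(ORIGINAL, ENTRY_EDIT))
```

     The edit at the end of the file is seen only by the whole-file CRC,
     while a change at the entry point is seen by both modes.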


Q    Why is ADinf  very sluggish in checking  a write-cached disk?   Why
     does ADinf hang up on a cached machine or disk?

A    ADinf efficiently checks a read-cached disk but may face problems on
     a write-cached disk when both ADinf and the cache address BIOS
     simultaneously, creating conflicts.  There are two ways of avoiding
     such conflicts.  First, disable the write cache prior to starting
     ADinf and turn it back on when checking is complete.  For example,
     SmartDrv.exe write caching is turned off and back on for drives C
     and D by the commands SmartDrv C D and SmartDrv C+ D+, respectively.
     Alternatively, tell ADinf to check all drives except C via Int 13h,
     choosing DRIVE ACCESS TYPE from the OPTIONS menu.  But such a
     checking mode is less reliable.

     Starting from version 9.00,  ADinf is fully compatible with HyperDisk
     write-cache  ver. 4.50 or later.  No problems arise with this utility
     any longer.


Q    Can I put net drives under ADinf control?

A    Unfortunately, you can't.   ADinf checks a  drive, reading it  sector
     by sector.   Therefore it  can check  local drives  only and  must be
     installed on each LAN workstation separately.


Q    Can ADinf run under MS Windows and DESQview?

A    Yes, it can.  ADinf works under MS Windows and  DESQview and can scan
     drives directly via BIOS while working under Windows or DESQview.


Q    What is the purpose of personal tables?

A    ADinf supports two types of tables, common and personal, for storing
     disk information.  They don't differ in structure.  Common tables are
     saved in the root directory of logical drives, and personal tables in
     the directory where adinf.exe is installed.  Common tables are
     helpful for regularly checking a limited number of program files of
     particular extensions, whereas personal tables are better suited for
     in-depth checking.  You may even choose all types of files on your
     disk and specify FULL for CRC type.  Such a check is all-inclusive
     though time-consuming.


Q    I feel my  machine is infected  but ADinf is  keeping silent.   Can a
     virus dodge detection by ADinf?

A    This is a commonly asked question, and there is only one answer to it.
     Unfortunately, there is no panacea for PC virus infection, nor can
     there ever be one.  ADinf is one of the most powerful virus detectors
     today.  But you must keep in mind its capabilities and limitations.
     Let us examine the situations where ADinf may keep quiet.

     First, if you have installed ADinf on an already infected machine, it
     will not notice any virus because it detects viruses through changes
     in file information.  In this case there are no changes in file
     information, and so it does not alert you.  If the virus is hiding
     its presence, i.e., you have a stealth virus in the machine, ADinf
     will certainly detect it if you run it in STEALTH SEARCH mode
     (see Stealth Search in the file ADinf.txt).  This is a very useful
     mode, and you should run ADinf in it from time to time.

     Second, ADinf may fail to notice viruses tailored specifically to
     infect a file only at the time of its creation.  If they are at the
     same time hiding themselves, you may trap them by running ADinf in
     STEALTH SEARCH mode.  If they are NOT hiding their presence, you can
     easily detect them with the naked eye.  For example, suppose you
     are copying a file from drive A to drive C and you notice that the
     size of the source file does not tally with the size of the target
     file.  You can easily detect such infectors with ADinf as follows:
     write a batch file (call it, say, TRAP) which copies several
     executable files to, say, your RAM drive and then copies them from
     the RAM drive back to the source drive.  Add a PARK command as its
     last line.  Run the special TRAP batch file before turning off your
     computer.  When you next start the computer, ADinf will report such
     viruses, if any.  For greater reliability, you had better include
     the files to be copied in the STABLE FILES list (its menu path is
     OPTIONS -> SETUP PARAMETERS -> INFO UNDER CHECK -> STABLE FILES).

     Finally, because of its beneficent policy - aggressive strategy and
     ingenious tactics - ADinf is irritating virus designers.  It cannot
     be ruled out that one fine morning you may find in your machine a new
     virus specially tailored to dodge detection by ADinf.  Today only
     one virus, belonging to the DIR group, is known that tries to delete
     files with a name beginning with "ADIN" from your disk.  What is
     brewing in the minds of these evil-mongers, God alone knows!



ACKNOWLEDGMENTS

     ADinf    is a registered trademark of DialogueScience Inc., Moscow,
              Russia.

     MS-DOS and WINDOWS are registered trademarks of Microsoft
              Corporation, USA.

     DR-DOS   is a registered trademark of Digital Research Corporation,
              USA.

     IBM PC XT/AT PS2 and PC DOS are registered trademarks of International
              Business Machines Corporation.

     SCAN     is a registered trademark of McAfee Associates, USA.

     NORTON UTILITIES is a registered trademark of Symantec Corporation,
              USA.

     V-Hunter is a registered trademark of DialogueScience Inc., Moscow,
              Russia.

     SHERIFF  is a trademark of DialogueScience Inc., Moscow, Russia.

     STACKER  is a trademark of Stac Electronics, USA.

     HERCULES is a registered trademark of Hercules Computer Technology
              Inc., USA.

     Other names are the registered trademarks or trademarks of the
     respective companies.


DialogueScience, Inc.,
Ul. Vavilov 40, Room No.103-a,
Moscow 117967 GSP-1, Russia.

Tel/Fax: (+7-095) 938-2970, 137-0150
BBS:     (+7-095) 938-2856 (14400/V.32bis, 19200/ZyXEL) - common access
         (+7-095) 938-2969 (14400/V.32bis, 19200/ZyXEL) - subscribers only
FidoNet: 2:5020/69 , 2:5020/69.4
E-mail : lyu@dials.msk.su    - Sales and Support Department
         root@dials.msk.su   - Modem link service
         dmost@dials.msk.su  - ADinf author
