This is a list with Frequently Asked Questions. If you have a question about our product, or want to know why our product differs from some competitive products, please check out the questions below. Design philosophy ----------------- Why does TbSetup create an Anti-Vir.Dat file in every directory, instead of generating just ONE reference file for the entire system? 1) It is more intuitive. For a user it is much easier to see whether a directory is already processed by the checksummer or not. You can see in one glance what the last time was you modified the Anti-Vir.Dat file, and whether this matches with the most recent timestamp of the executable files. 2) Maintenance. If you delete an entire directory, the checksum base will be gone too. Automatically! With a single file approach, you will have to run an update utility or to accept that the database file will continue to grow for ever. The same applies if you move a directory to another disk or subdirectory: don't worry about the checksum files. They will travel automatically wherever the executable files go! 3) Security. If a company decides to introduce a new software product, they can make a backup of the diskette, scan it for viruses, and put the checksum file on the diskette, and multiply it and distribute it within the company. Now, whoever gets this diskette, the checksum file will already be there. The user won't have to bother with it himself. The new checksum file with not interfere with the already existing ones. 4) Networks. In a LAN, different users may have access to a directory via another path. One user may see the directory F:\JOHN, while someone with more access rights may refer to the same directory as G:\USERS\JOHN. With a single database approach, you will have to create a separate database for every user. With the checksum-file-per-directory approach, the supervisor just creates ONE checksum base per directory, and no matter the access rights or mappings of a specific user, if he has access to that directory, he automatically has access to the checksum file. So, if the supervisor updates a product on the network, he just creates a new checksum file for that directory, and EVERY user on the network immediately has the correct checksum information. Why does TbScanX not scan a file if I rename it, or when I move it to another directory? If you rename an executable file to another executable file, you actually do not introduce a new file on your system. The file was originally already there, and should have been checked by TbScanX already when the file was introduced on your system. If you rename a non-executable file to an executable file, you actually introduce a new executable file on the system. This quite unusual way to introduce a new executable file on the system is detected by TbFile (attempt to rename a non-executable file to an executable file). If you move a file to another directory, using the 'move' command, the file doesn't get actually copied when the destination drive is the same as the original drive. What happens is that the file gets 'renamed' to a different directory, i.e. the file remains physically where it is, but just the name reference is moved from one directory to the other. TbScanX does not scan the file in this case, because the file was already there, and has been checked when it got introduced to your system, and doesn't need to be checked again just because it is moved to another directory. Why does TbScanX, unlike some other products, not scan a bootsector if you press Ctrl-Alt-Del? First of all, TbScanX scans a bootsector immediately if you try to access a diskette. Most people insert a diskette because they need a file from it, or want to copy something on it, or just look into the directory. TbScanX will then check the bootsector, long time before you press Ctrl-Alt-Del. So there is not much need for TbScanX to check it when you reboot, the job has already been done. A second reason is that it can be dangerous to scan a diskette while trying to reboot. You usually don't reboot just for fun! In many cases, you reboot because the system became instable, or because a program instructed you to reboot the system, after it changed some vital information on the harddisk. If the system became instable, you can damage data by accessing a disk, and it is quite questionable anyway whether an instable system is still able to perform a reliable disk scan. If a program asks you to reboot, the reboot is often necessary because the system is not aware of some changes in the configuration, and it is dangerous to continue accessing the disks, without - for example - the appropriate drivers. A third reason is that it could cause people to believe that rebooting with a diskette inserted into the drive is OK, because the diskette will be scanned anyway. Unfortunately, checking a diskette can only be done before a SOFT boot, and not when you hit the reset button. It is only a partial solution. For many people, the difference between a hard and a soft boot is not clear, and they will just assume that rebooting with a diskette inserted is now always safe. So, it is dangerous, unreliable, confusing, and unnecessary in most cases. Therefor we decided not to scan a diskette after pressing Ctrl-Alt-Del. Why does TbClean not clean ALL files at once? Let's look what happens if your system is infected by a virus, and you run an 'automatic' cleaner on it. With one and the same virus, every executable file will be in one of the following states after the cleaning is terminated: 1) Files that have not been affected by the virus at all. 2) Files which were infected but have been successfully cleaned. 3) Files that have been damaged (not infected!) by the virus and can not be 'cleaned' because they have been deleted or are overwritten. 4) Files from which the cleaner says that they have been successfully cleaned but still don't work anymore (because of copy protections or various other reasons). 5) Files from which the cleaner says that it failed to clean and thus are still infected and need replacement. Now, are you going to sort things out after the cleaner is done? A much better approach is to work through the files on a one by one approach. Clean one file, judge the result, test the file, and proceed with the next one. Tedious? Yes, an even better approach is to take that backup tape, and restore all executable files. Remember, viruses are not written to be bug free, and to be compatible with all the complex configurations we are using these days. No cleaner can repair the files incorrectly infected by a buggy virus. Automatic cleaning is an illusion. If you really insist on using a cleaner, you have the best chances if you work through your files one by one. Remember also that even viruses that are known not to damage data still very often damage data because of interference with disk caches, Windows, or other system software for which the virus was not written for or properly tested against. I have seen on Internet some information how to fool TbScan. What are you going to do about it? This is nothing to worry about. We know that it is possible to fool heuristics. We know that it is possible to design a virus that TbScan can not yet detect. We have seen many examples of this in the past. Encrypted viruses have been invented to make signature scanning useless, until the AV industry invented signature wildcards and entry point tracers. Polymorphic viruses have been invented to make signature scanning completely impossible, until the anti-virus industry invented generic decryption. It is an endless battle. Some strategics are involved as well. Sometimes it is better to leave an easy to close door open, and let a virus writer spend weeks to write something that exploits this 'loophole' and then just slam this door without any trouble and any damage, than to attempt to foresee all possible future virus-writing-developments and to close all doors in advance, and let someone discover something that is much more difficult to solve. Someone who wants to attac a specific anti-virus product will finally discover something that can be used. This applies to all anti-virus products, no matter how clever they are. That's why all serious anti-virus products have to be frequently updated. If a virus is able to escape heuristic detection, we will find it with a signature. If some information leads to a virus that indeed succeeds to remain unspotted, we will do something about it. We have been doing so dozens of times in the past, and we will keep doing so. So far, there is no reason to believe that virus writers will finally come up with something that we can't handle. Network related questions ------------------------- We have TBAV installed on a server, and we use TbScan with option 'once'. However, if we turn on the machines in the morning, TbScan only scans one workstation, and skips on the other workstations. If TbScan uses the 'once' option, information will be written to TbScan.Exe. The first PC scans, and updates the information in TbScan.Exe. The next PC's will conclude that TbScan has already been used this day, and proceed without scanning. To avoid this problem, you can specify a filename behind option 'once'. Instead of putting the information in the TbScan.Exe program, TbScan now records the information in the specified file. Use, for instance, 'TbScan once=c:\config.sys' to make sure that every PC maintains its own 'last time scanned' record. Note: TbScan does not alter the contents of the specified file, but records the information in a different way. Therefor you can specify any existing file. We have TBAV installed on a server, and we use TbScan with option 'once'. However, if we boot the machines multiple times a day, TbScan always scan the workstations, instead of only once. The users probably don't have write access rights to the directory where TbScan.Exe resides. Excellent! Use the method as described in the previous question. Is it possible for the supervisor to receive messages about viral activities anywhere within the network? Not with the standard TBAV utilities. There is a special network version available which features centralized anti-virus control. Contact your local vendor for more information. Why is TbGenSig.Exe no longer part of the TBAV package? The newer generation of viruses require much more complex signatures, and to create these signatures is no longer a do-it-yourself job. The idea to enable the end user to create signatures comes from the time when the distribution of virus samples between Anti-Virus developers, independant researchers, universities, government agencies, etc. was not organised at all. These days, we are able to respond to a new outbreak in a couple of hours. It is far easier for you, the end user, to download a new signature file from us than to try to create a signature for a polymorphic virus, or to locate a word macro virus (and thus a signature) in a huge document file. A second reason for the omission of TbGenSig is that we are in the process of revising our existing signature structures, and that we are working on automated signature construction. This gives us a leading edge in the future when the amount of viruses keeps growing, and ensures more reliable signatures and a higher response time from us on new viruses. The tools required to generate these signatures are very complex and not suitable for the users at all.