VWPD.386 Virus/Trojan Detector

Runs in Protected Mode at Ring ZERO. The MOST secure of all the operating modes, unlike old style DOS real mode virus detectors.
This is the World's First Windows Protected Mode Virus Detector.
Runs constantly, but with low overhead; minimal impact on system performance.
Includes write protect feature for disk drives (see documentation for VWPD).
Includes special feature to protect DOS commands and programs from running.
Program and documentation file included.
------------------------------------------------------------------------
Contains new features designed to provide enhanced VIRUS/TROJAN protection.

Version 1.05 has:
  Additional boot sector protection. Protects sectors from partition sector to boot sector on hard drive zero.
  Fixes for INT 1Ah and CMOS, and the mouse disappearing.
  Fix for floppy disk access hanging the machine and requiring a reset.
  Fix for DOS 5.0, call to PSP:5, if DOS loaded high.
  Fixes for formatting of floppies.
  Hardware trapping of format and reset commands at disk drive controller.
  Attempts to remove system or hidden file attributes.
  Modified hard drive protection, protects all hard drives from writes, except thru BIOS, and ALL formatting (even attempts direct to the controller port).
  DOS "VER" command now prints Windows numbers + DOS version. (/W3 is highest level of warning, /W2 is next lower).
  DOS "VWPD" command prints VWPD version and status message.
  DOS "JOIN", "FDISK" commands are disabled in Windows. ALSO APPEND, SUBST, FORMAT, ASSIGN.
  TIME & DATE must be changed from the Windows Control Panel. They do not print out current time or date; this will be fixed.
  Put in Dummy Command handler for hard disk controller (91h). Useful for testing if hard disk controller is protected.
  Removed most protection from floppy drives. Some protection to be put back in.

Version 1.06 has:
  FASTOPEN, APPEND commands are disabled.
  Fix for BUG in 1.05 that caused Windows to hang when DOS "HELP" command used.

See also WSAFE, our program to protect you from running certain DOS programs like CHKDSK while Windows is running.

Endorsed in Brian Livingston's new book "Windows 3 Secrets", as Excellence in Windows Shareware. Incidentally, about Brian's book on Windows 3 Secrets: run, don't walk to get a copy. It is excellent, maybe better than that. (By the way I don't make anything from the sale of the book.)

INSTALLATION ------------------------------------------------------------------------
See instructions for VWPD.DOC
In the documentation below, references to VWPD mean the new version.

TIPS: -------------------------------------------------------------------
If a DOS application tends to cause more messages than you would like, try running it in a window. The annoying screen switches that occur when a message is displayed while a Windows application or a DOS full screen application is running WILL NOT occur. (This workaround is for a poor implementation of message box handling in Windows.) In other words, if the application causes a lot of messages, WINDOW it before you start it.

GENERAL ------------------------------------------------------------------------
A warning message is displayed for the following occurrences. In most cases the message will allow for OK/CANCEL. OK allows the operation to proceed as normal. Cancel stops the operation from succeeding and where necessary forces the application to abort.

Mild warnings------------------------------------------
  Attempts to terminate and stay resident.
  Attempting to change the memory allocation strategy.
  Attempts to read the hard disk partition table.
  Attempting to reboot the system.
  Attempting to get the DOS data segment.
  Attempting to get the DOS list of lists.
  Attempting to create a Program Segment Prefix.
  Attempting to use int 40h, alternate disk handler.
  Attempting to change an interrupt vector.
  Some other obscure kinds of activity.

Intermediate warnings ----------------------------------
  Attempts to write sector one, head ZERO, track ZERO of any floppy disk. This is the boot sector.
  Attempting to get/set the disk handler.

SEVERE errors -----------------------------------------
  Attempts to clobber the CMOS RAM area.
  Attempts to write sector one, head ZERO, track ZERO of a hard drive. This is the partition sector. Also the boot sector, and on hard drive zero, all the sectors between the partition and the boot.
  Attempts to use FCBs to DELETE ALL file entries.
  Attempts to write to .COM, .EXE or .SYS files.

These measures prevent a virus from terminating without warning, modifying the disk partition table, adding itself to the boot sector on the floppy or HARD disk, or modifying executable files. (Hard disk boot sector protection is a recent addition.) This protection ONLY applies when Windows is running in enhanced mode.

LIST OF Interrupts protected:-------------------------------------------
There is protection from calls to PSP:5.
INT 13h, 19h, 1Ah, 21h, 26h, 27h, 2Fh, 40h.

WARNING MESSAGES--------------------------------------------------------
If VWPD puts up a warning message this DOES NOT MEAN that a virus is at work. In most cases, the application that is running is doing something PERFECTLY HARMLESS. However, if you want the operation to FAIL use the CANCEL button, else select OK.

There are 2 message levels of severity in VWPD. Most warnings will allow the operation, if you select OK. In a couple of cases the operation will NOT be allowed as it would cause severe damage.

It is necessary at the present time to use your own judgement in deciding what is and what is not a virus, in those cases where there is no obvious damage being done.

THINGS to Watch out for.
Programs attempting to terminate and go resident, especially if there is an attempt to change the memory allocation STRATEGY.
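
The boot sector and partition sector rules in the warning lists above, written out as a classifier for INT 13h write requests. This is an added example, not VWPD's own code: the function name, the severity enum and the sectors-per-track parameter are illustrative, and it assumes the classic layout with the hard disk boot sector at cylinder 0, head 1, sector 1.

```c
#include <stdint.h>
#include <stdio.h>

/* Severity names follow the warning lists above; the values are illustrative. */
enum severity { SEV_NONE, SEV_INTERMEDIATE, SEV_SEVERE };

#define FN_WRITE  0x03  /* INT 13h AH=03h, write sectors */
#define BOOT_HEAD 1     /* ASSUMPTION: boot sector at cylinder 0, head 1, sector 1 */

/* Classify one INT 13h write from its register values.
   spt = sectors per track of the target drive (supplied by the caller). */
enum severity classify_int13_write(uint8_t ah, uint8_t al, uint8_t ch,
                                   uint8_t cl, uint8_t dh, uint8_t dl,
                                   unsigned spt)
{
    /* 10-bit cylinder: CH is the low 8 bits, CL bits 6-7 are the high 2. */
    unsigned cyl    = ch | ((unsigned)(cl & 0xC0) << 2);
    unsigned sector = cl & 0x3F;            /* 1-based sector number */
    unsigned first, last, boot;

    if (ah != FN_WRITE || al == 0)
        return SEV_NONE;                    /* only writes are classified here */
    if (cyl != 0 || sector == 0 || sector > spt)
        return SEV_NONE;                    /* protected sectors are all on cylinder 0 */

    /* Treat the request as a contiguous run of AL sectors in CHS order. */
    first = dh * spt + (sector - 1);
    last  = first + al - 1;

    if (!(dl & 0x80))                       /* DL bit 7 clear: floppy drive */
        return first == 0 ? SEV_INTERMEDIATE : SEV_NONE;

    boot = BOOT_HEAD * spt;                 /* index of the assumed boot sector */
    if (first == 0)                         /* partition sector, any hard drive */
        return SEV_SEVERE;
    if (first <= boot && last >= boot)      /* run reaches the boot sector */
        return SEV_SEVERE;
    if (dl == 0x80 && first < boot)         /* gap sectors, hard drive zero only */
        return SEV_SEVERE;
    return SEV_NONE;
}

int main(void)
{
    /* Constructed request: write 1 sector to 0/0/1 of the first hard drive. */
    printf("%d\n", classify_int13_write(0x03, 1, 0, 0x01, 0, 0x80, 17));
    return 0;
}
```

A multi-sector write is judged by every sector it covers, so a run that starts in the gap on the second hard drive and reaches the boot sector is still classified as severe.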

CAUTIONS: --------------------------------------------------------------
VWPD has been fixed to trap the backdoor into DOS thru the CP/M call at PSP:5 if DOS 5.0 has been loaded high. However, there may be a similar problem with other DOS extender systems if the A20 line is enabled and wrap at 1 megabyte is disabled.

Formatting of floppies should only be done using a Windows application such as File Manager. Using DOS format is NOT recommended.

TESTED WITH: -----------------------------------------------------------
This latest version has only been tested on DOS 3.30, 5.00, under Windows 3.0a. It has been tested with Win3.1-2.

DISK system, using 32 megabyte or smaller logical drives. It should not be capable of causing or contributing to disk corruption. VWPD is basically a filter that watches for certain kinds of activity. It does nothing which should cause you any continuing problems.

DOS 4.x, 5.x -----------------------------------------------------------
I think VWPD is safe to use with DOS 5.0; it has been tested with it. If you use it with 5.0, suggest you NOT use it if you have logical drives larger than 32 megabytes. If you try it with over 32 megabyte logical drives, it should not be capable of causing any damage, but it is possible that you might get warning messages that I have not considered.

DISK Drives: -----------------------------------------------------------
(NOT included in this release!!). A program for testing your disk drive is included. It is called TESTDISK. It will display a report on your screen, and will indicate if VWPD will work properly with your disk drive.

2 HARD DISKS: VWPD has not been tested with a system with 2 hard drives. It may not provide as complete protection for drive 2 as drive 1.

VIRUS DETECTOR PROGRAMS ------------------------------------------------
You may, if you want, try installing Central Point Software's Virus Detector or other such program in conjunction with VWPD.
The other detector may be installed before Windows is started, in which case it will protect all activity, or it may be installed after a DOS session is started, in which case it will protect only that DOS session. Using a second detector like this has not been tested. Suggest you DO NOT run other detectors at the same time, as they will affect performance.

PERFORMANCE: -----------------------------------------------------------
VWPD has been written to minimize its impact on the overall system performance. I believe you will find it is much less of a drag than ANY other virus detector available.

SPECIAL OPTIONS:--------------------------------------------------------
The option VWPDWarn3 can be placed in the [386enh] section of system.ini. The default is TRUE. Setting it equal to false or zero (0) will turn off certain warning messages, but you will have less protection. (Get List of Lists, Go TSR, Create PSP are presently the only warnings turned off.)

  VWPDWarn3=False ; default is TRUE.

A future version of VWPD will allow turning off more warnings, but will use a smart system to detect a virus attack.

If Warn3 is off, then Warning level 2 is on. When you type the DOS "VER" command, the message displayed will tell you whether the warning level is /W3 or /W2. The "VER" command can be used whenever you are in a DOS box and at the command line prompt.

TESTING: ---------------------------------------------------------------
A program to test and demonstrate the functionality of VWPD will be included in a future release. In the meantime, here are some suggested tests that YOU can perform.

  Format a floppy disk. Should work ok. Use Windows Format in File Manager.
  Copy some files to and from the floppy disk. Should work ok.
  Attempt to change the time. Time or Date will display. Cannot change. Use Control Panel to change.
  Run Debug. Should give a warning.
  Use the Mem command in DOS 5.0. Should give a warning.
  Try the DOS commands that have been disabled or modified under Windows 386 enhanced mode, such as: DATE, TIME, JOIN, FDISK, FORMAT, etc.
  Try the new DOS box command: VWPD.
  Use the Norton or PC Tools utilities to change a byte on the disk. DON'T try this unless you know what you are doing.

WARNINGS !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
FORMATTING of floppies should ONLY be done by File Manager. DOS formatters run from a DOS BOX will not work correctly. DOS Format is disabled.

DO NOT use VWPD with the high performance file system (HPFS)! It has not been tested for the HPFS and it may not work correctly. An attempt to do so is supposed to result in an explicit warning message and Windows will return to the DOS prompt.

ISSUES not properly addressed in this version --------------------------
1. Protected mode versus real mode operations have not been completely resolved.
2. Consistent information messages appropriate to the level of protection needed.
3. How much more checking to do and what impact it will have on performance.
4. NMI masking on port 70hex.
5. DOS commands changed or disabled do not check for options (CHKDSK /f).

PC Magazine AntiVirus Software Review, Oct 29, 1991 p.199
-------------------------------------------------------------------------
Features Provided by VWPD:
  Monitors DOS interrupts
  Protects COMMAND.COM & other .COM files
  Protects Boot Sectors
  Protects Hidden System files
  Protects Partition Table
  Protects .SYS & .EXE files
  Protects CMOS
  Detects on demand
  Uses write traps
  Uses read traps

FEEDBACK: --------------------------------------------------------------
Feedback and comments are welcome.
Mike Maurice 503-355-2281 CIS 71171,47