                                                               July, 1995
 Product upgrade, 6.02A
 ----------------------
 IVX major upgrade. New features were added to IVX, enabling automatic
 signature extraction and signature scanning. IVX now creates its own
 signatures database from sampled files. The extraction of the
 signatures is automatic and does not require any special skills. The
 signatures can then be used to scan for their presence in other files.
 IVX also accepts user defined signatures by editing the database with
 an ASCII editor. An average user can now easily generate a signature
 for a new virus and announce it on the net or else. IV user can now
 scan for the presence of new viruses announced on the net. The new
 features of IVX reduce the response time to new virus alerts.

 The algorithm of IVX in statistical mode was refined and its detection
 capability improved, especially against some of the more difficult
 polymorphs, such as MtE viruses.

 IVB daily test under Win 95, bug fix. In former versions, the IVB DAILY
 test repeated itself on every boot, while booting in Win 95 DOS. The
 bug was traced to be caused by IVINIT and was fixed. IV 6.02A is
 compatible with Win 95 DOS.

 IVB history file. The IVB.RPT file is overwritten when a new report is
 created. In a networked environment, the current daily report will be
 appended to the IVB.HIS (history) file. The implementation is through
 the AUTOEXEC file, by adding a couple of lines after the IVB daily
 command. The appropriate lines are added automatically by the INSTALL
 program when installation from server is detected (or selected, in
 INSTALL's main menu). To add this feature in an existing installation,
 add the following lines in the autoexec, after IVB DAILY:

    IF EXIST \IVB.RPT COPY \IVB.HIS+\IVB.RPT \IVB.HIS
    IF EXIST \IVB.RPT DEL \IVB.RPT

 Licensing for OS/2 and Win 95. In version 6.02, InVircible's license
 reverted to Sentry when in Windows' or OS/2's DOS shell. Version 6.02A
 fixed that problem. Yet, you will need to run IV once in real DOS in
 order to upgrade your license from a former version, to 6.02A. This
 procedure does not apply to new licensed users, since the license can
 be installed to disk only in REAL DOS mode.

 Detection of PKLITE'd droppers and Trojans. During the last year,
 several droppers and Trojans were found, that used PKLITE in order to
 conceal the gen-1 file. Gen-1 is the designation of the first
 generation of a virus, usually the one used to launch the virus. While
 scanners usually find the offsprings, the gen-1 file will not be
 suspected, as many times it isn't recognized to be a compressed file,
 as the PKlite marks were removed, or disguised. The most recent case
 that used the PKlite method is related to the Big Caibua virus. The
 detection of potential droppers was added to IVscan, as the default.
 This feature should help SysOps and network administrators to keep
 their board and systems clean.

 Improved IVB signatures. Functional changes were made in order to
 improve IVB's discrimination between non-viral and legal modification
 of program, as well as to improve their immunity to dedicated viruses
 attacks (for details read the attached SECURITY.TXT file). The new
 signatures are no more compatible with the lower versions of IVB. To
 avoid confusion, or the loss of the former database, the default
 filename of the signature files was changed to IVB.NTZ. Note that
 there is a trailing character 255 (it looks like a space, but it is
 not!) between the IVB filename, and the .NTZ extension.

 Micro House boot driver's awareness. IV version 6.01D was aware of the
 WD large capacity ID, using the Disk Manager 6.03 dynamic boot driver.
 Other brands like Seagate are using the Micro House boot driver for
 their Decathlon models (540+ meg). In lower versions, IVinit indicated
 that the partition was "faked". This was objectively true, but it
 didn't indicate the presence of a virus. It actually detected the
 stealth used by the boot driver, since this is exactly how they work.
 These special boot programs load a special driver through the booting
 process and they use stealth to protect the special mbr from being
 accidentally overwritten, by FDISK/MBR for example. From version 6.02A,
 InVircible is aware of the possibility that a Micro House boot driver,
 or DM 6.03 is used.

 No escape in Sentry mode. System administrators asked to disable Sentry
 users from escaping IVB's daily full check. Adding the /ESC switch to
 the command line re-enables the Esc key when scanning daily. This
 change applies only to the Sentry mode.

 IVB exceptions list. There are instances when you may want to exclude a
 file from IVB's list of files to process. IVB has now provisions to
 exclude up to 5 filenames. Edit IVB.INI in the IVB.EXE directory with
 an ASCII editor, or create a new file with the above name, if it
 doesn't exist yet. Add a line for each file to exclude as follows: SKIP
 = EXCLUDE.BIN

 The CMOS "Restore" option was removed from IVINIT in Sentry mode.

 IVINIT bug fix. The errorlevel returned by IVINIT in case of a
 suspicious finding should be 1, and 0 when no finding. Due to a bug in
 former versions this wasn't always the case. The bug was fixed.

 INSTALL/R bug fix. The rescue diskette procedure couldn't find the
 SYS.COM (or SYS.EXE) file in the search path, if the DOS directory was
 after character 64 in the environment string 'PATH', and the process
 aborted. The problem is now fixed.

 Product upgrade, 6.02
 ---------------------
 The major change in version 6.02 is the handling of large capacity IDE
 drives. These drives appeared on the market in mid 1994 and they are
 now quite common. Several enhancements to handle the large capacity IDE
 were already introduced in version 6.01D. The new drives present
 technical challenges in the area of disaster recovery and vulnerability
 to boot and mbr viruses, that were unforeseen by both the drive's
 producers, and the AV industry. Version 6.02 consolidates the former
 enhancements and lays the grounds for further improvements, especially
 in the disaster recovery area of these drives. Read also in UPGRADE.TXT
 how to upgrade your licensed copy of InVircible.

 Licensing of large capacity IDE. The installation of the license record
 to large capacity IDE, was impossible with earlier versions, if the
 Ontrack extended boot driver (DM 6.03+) was used. It could be done only
 with plain FDISK partition, using the LBA (logical block access) option
 in the setup. Version 6.02 will allow the licensing of these drives
 too.

 Version 6.02 consolidates changes done to the hardware access routines,
 used in InVircible, to suit the newer fast access hard disks and boards
 (100 mhz and higher). Hardware access is sensitive to timing, and new
 industry standards were introduced in the last year. Therefore, we
 recommend that InVircible copies earlier than 6.01D are upgraded.
 Version 6.01B and 6.01C still have some slow routines that won't work
 properly with the newer fast disks. Also, versions earlier than 6.01D
 still have a routine that conflicts with a defect in design of some
 older models of Maxtor hard drives. The problem has been identified by
 NetZ Computing and acknowledged by Maxtor. From version 6.01D and on,
 there should be no problem anymore, all models of Maxtor included. Yet,
 if you have a large capacity IDE hard drive, we strongly recommend that
 you upgrade to 6.02.

 Bug fix in INSTALL. Some DOS variants are using SYS.EXE instead of
 SYS.COM. In former versions, the procedure for preparing the rescue
 diskette looked only for SYS.COM and refused the use of SYS.EXE. The
 bug was fixed.

 ResQdisk improvement, fixing the boot sector via DOS, the ResQdisk ^B
 function. There are instances when the boot sector of hard drive #1 is
 infected, and it cannot be accessed via regular int 13 functions. Such
 is the case with the newer large capacity IDE drives. The active
 partition's boot sector can then be refreshed through the ^B key
 combination. The ^B function operates on the boot sector, the same way
 that does FDISK/MBR on the mbr - it refreshes the bootstrap code,
 without affecting the BPB data. The ^B function should only be used
 when booted from the hard drive.

 Temporary files handling, bug fix. Former versions of InVircible used a
 couple of fixed names, SOFIA and \WRITEST, to perform certain tasks. If
 a file with the name SOFIA was present in the current directory while
 executing any of the IV self protected modules, then the file was
 erased. The same would happen to a file named WRITEST, if present in
 the root directory, while IVinit or IVtest are run. These routines
 slipped by, since no incident was reported in regard with them during
 the five years they were in use. Recently, an incident was reported in
 which a file named SOFIA was erased while executing an IV module.
 Therefore, the routine responsible for this has been changed and fixed.
 InVircible does now use only unique names (that are not in use by the
 user) for its temporary and bait files. Note that no other than files
 named SOFIA or \WRITEST were of any concern, in formers versions.

 Long pathname handling in networks, bug fix. Pathnames under DOS are
 limited to 64 characters. Yet it is possible to create pathnames of up
 to 255 characters (the maximum length allowed for strings). Such
 condition is encountered on file servers. On such instances InVircible
 hung when scanning a network file server, containing directories with
 pathnames longer than the DOS limit. The problem existed only in the
 sweeping programs: IVB, IVscan, IVX and IVmenu. It is now possible to
 scan with IV's sweepers (except for IVmenu) across file structures that
 have directories with pathnames longer than the DOS limitation. The
 limitation in IVMENU remains as before. The reason for this is that
 IVMENU allocates memory for keeping track of up to 500 directories,
 with pathnames no longer than the 64 bytes DOS limit. We need some
 memory to be left for some useful job to be done, other than just
 showing the user a nice directories tree. :-) We thus could provide the
 same with IVMENU, but only for 125 directories, if the pathname length
 is to be 255 characters. This would be inadequate for most users, that
 have more than 125 directories in a partition, and less than 500.

 If you want to use IVMENU on file servers containing directories with
 long pathnames, then use the network "map" function to define volumes
 for sub-trees of the root, and then you can use IVMENU on the new
 logical drive, as usual.

 Product upgrade, 6.01D
 ----------------------
 Improved installation procedure. The Installation of IV will now run
 without needing to actually change the current directory. Just type the
 full pathname of where IV's INSTALL program is.

 Daily inspection for companion virus. The companion virus verification
 was added to IVB, since IVB runs daily. The same routine is retained in
 IVscan, for operational redundancy.

 Keeping track of the last inspected drive. In former revisions of IV
 there was need to manipulate the COMSPEC variable in order to keep
 track of the last drive checked by IVB DAILY. Now, just issue the IVB
 DAILY command and the tracking record will be updated, according to the
 current environment settings. Only make sure to always run the DAILY
 check from within the same environment shell. The last improvement is
 especially useful to LAN administrators.

 The user interface in ResQdisk was improved further. The newer features
 were grouped in three menus, Edit (accessible by pressing ^E), Track
 Zero maintenance (^Z) and Analyze sector (^A). Also, the new ^B
 function was added. The latter will refresh the boot sector of drive C:
 while accessing via DOS instead of the BIOS, and is the equivalent of
 the SYS C: command. The ^B function is helpful in removing boot sector
 viruses such as Da'Boys, Boot-437, Form etc.

 IVinit was enhanced to automatically invoke ResQdisk when needed. From
 now, Most boot / mbr infectors can be handled right at startup.

 Improved editing features in ResQdisk. Additional editing features were
 added to resQdisk. The sequence ^E ^F will read a file into the sector
 clipboard, while ^E ^D drops the content of the displayed sector into a
 file. The combination ^E ^Y will decrypt an encrypted sector into the
 clipboard and display it on screen. The later is especially useful for
 the recovery of damaged hard drives, like from the Monkey virus. It is
 indispensable for rescuing hard drives lost to inappropriate
 disinfection procedures, like with fdisk/mbr, or inadequate antiviral
 products. The above further improve ResQdisk as the best disaster
 recovery and boot-antiviral utility.

 Improved "track 0" maintenance features. ResQdisk is used in the rescue
 diskette for backing up track zero of the hard disk to floppy and for
 restoring track zero from file to the hard drive. The "track 0"
 functions are now available on-line, with the visual inspection of
 ResQdisk, in both SeeThru modes (backup only, recovery is always done
 with SeeThru off). The track 0 functions are started by the ^Z keys
 combination, followed by ^B for backup to file or ^R for restore from
 file.

 Either the Ctrl (^) or the Alt key can now be used for the editing and
 the "track 0" functions. For on-line help press Alt+H while running the
 ResQdisk program.

 Making a rescue diskette for other than standard configurations. The
 rescue diskette in the INSTALL program was improved to simplify the
 preparation of a rescue diskette in configurations containing other
 than Stacker, DoubleSpace or Disk Manager drivers. For details read in
 the on-line documentation.

 Improved resistance to IV dedicated viruses. The first virus aimed to
 "kill" IV's signatures has been reported and a sample of was analyzed
 by NetZ. It is recommended that users change the default filename of
 the signatures to one of their own definition. The signature files are
 no longer traceable as IV's, and cannot be identified as such --
 provided you don't leave them with the default name. The new signatures
 are fully downward compatible with the former ones, and there is no
 action that a user needs to take in this regard.

 Random signatures' filename. When installing InVircible through
 IVlogin, a random signatures' filename will be selected. IVLOGIN can be
 used for standard installation with the default parameters. The random
 signature filename will be implemented on first time installation only,
 and with the default installation parameters only (to C:\IV).

 Compatibility with large capacity IDE. IVTEST was corrected to ignore
 the dynamic boot loader of large capacity IDE disks.

 Revision 6.01c was compatible with only Ontrack's Disk Manager extended
 bios drivers (XBIOS.OVL). The new revision is also compatible with
 other brands, recently introduced into the market - e.g. Micro House.

 Troubleshooting with IV. New text was added to the on-line help in
 regard of troubleshooting problems with IV. There is guidance how to
 detect an incompatible IDE controller with your hard drive, as well as
 disclaimers about a couple of hardware: Promise hard drive controllers
 with disk cache, and certain models of Maxtor's hard drives.

 Further improvement for use in networked environment. IVMENU, the
 integrated menu shell was upgraded to avoid conflicts in certain
 Netware environment.

                                                           January, 1995
 Product upgrade, InVircible 6.01C
 ---------------------------------
 Improved performance in networked environment: Revision 6.01C has
 further improvements for the operation of InVircible in the networked
 environment. All the scanning modules; IVB, IVscan and IVX were revised
 to avoid Novell's Netware files. The verification of Netware files
 under DOS created errors because of the special attributes of Netware's
 system files. IV's current revision avoids these files.

 Updated manual: The use of IV in network environment, as well as the
 strategy of how to disinfect the server and network are covered in a
 new appendix, in the manual text.

 Automatic IV version upgrades in network: IVLOGIN can now be used for
 both the automatic installation of InVircible to workstations in a
 networked environment, as well as the upgrading of an older IV version
 to a newer one. IVLOGIN checks whether its own version is newer than
 the current one installed on the hard drive. An older version will be
 automatically replaced by a new one, by just invoking IVLOGIN. It is
 recommended that the IVLOGIN command should always be included in the
 users login script, in networks.

 Improved piggybacking detection: Revision 6.01C has higher sensitivity
 of piggybacking detection. The detection threshold has been lowered to
 detect piggybacking within few affected files. The improved sensitivity
 has no effect on speed since the loss in speed was compensated for with
 a better search algorithm.

 New "copy and paste" functions in ResQdisk: It is an advantage to have
 editing capability of the master and boot sectors of the hard disk.
 ResQdisk can now copy the content of a displayed sector to the
 clipboard, by the ^E ^R sequence, then paste it elsewhere by pressing
 ^E ^W. The copy and paste functions are useful to recover from mbr and
 boot sector viruses, that relocate the original sector elsewhere,
 usually on track 0. The copying and pasting of the original sector can
 be done under the visual control of ResQdisk. The new functions can be
 used to store copies of the critical sectors (mbr and boot sectors) in
 the unused section of track 0, usually from sector 2 to the last sector
 on the track. Avoid using sector 3 (used by Monkey), 7 (Stoned,
 Michelangelo), 8 (used by Disk Manager - not a virus), 17 (B1-NYB), 13
 (NewBug) and the last sector (Quox and a few others).

                                                           December 1994
 Product upgrade, InVircible 6.01B
 ---------------------------------
 Installation of InVircible on networked PC: Revision 6.01B has an
 additional file, IVLOGIN.EXE. As its name implies, its use is from the
 user login script in networks. When a workstation connects to the
 network, IVLOGIN verifies whether it has a hard drive, and if
 InVircible is installed on that disk. If not, INSTALL/FAST is invoked
 to install IV to the hard disk. The LAN administrator is required to
 install IV to the server and add the IVLOGIN command to the user login
 script. The rest is done automatically.

 IVB upgrade: Some lame viruses affect *.SYS and *.OVL files, if they
 have an executable structure (usually an EXE one). Thus, *.SYS and
 *.OVL files were added under IVB's coverture. These files are now
 secured by IVB, and can be recovered, in case they get infected.

 ResQdisk upgrades: There were disk configurations that ResQdisk didn't
 recognize properly. These were found mostly on Compaq models, having a
 special partition dedicated to proprietary diagnostics, coming first,
 before the DOS active partition. ResQdisk was upgraded to accommodate
 for these configurations too.

 In addition, ResQdisk had a few fixes to assure its proper functioning
 with the new mode 3 and 4 IDE standards, EIDE as well as with large
 capacity SCSI drives. This now covers all hard disk types used in
 personal computers.

 Install upgrades: The French version of InVircible configures now the
 rescue diskette to start with a French keyboard. Install also takes
 care to REM out the Thunderbyte TSR in the autoexec, at the
 installation of IV. The TB TSR intercept IV initialization checks and
 may crash the system. Also, Install will now install the IV
 registration key to hard drives having the Compaq configuration (see
 ResQdisk, above).

 User interface updates. Both IVB and IVSCAN command line syntax has
 been improved. The [d:] argument, where d represents a drive letter,
 will now start the program from the drive's root, instead of the
 current directory. For the default directory just don't give any drive
 argument.
