VIRUS BULLETIN ©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139.
VIRUS BULLETIN, Page 26, August 1991
Virus Guard is a TSR program which can be loaded into memory either from the command line, through a batch file (AUTOEXEC.BAT for instance) or by a network login script.

Virus Guard defaults to checking files that have been opened for read access, programs that are about to be executed and the boot sectors of diskettes that are accessed. Boot sector checking and the checking of files opened for read access can both be disabled at load time through command line options. Once Virus Guard is in memory, you cannot change its detection characteristics, nor can you disable or unload it.
Experiments With 4K

Checking files during read operations is not a secure modus operandi, as the monitor can so easily be circumvented by stealth viruses.
Virus Guard detected a copy of 4K attached to a file when it [Virus Guard] was started in a clean environment. However, on a machine where the 4K virus had infected COMMAND.COM and Virus Guard then became resident, 4K continued to infect program and data files undetected - indeed GUARD.COM itself became infected and still did not detect the virus.

Virus Guard completely failed to detect 4K when the virus was launched from a packed file. On a clean machine an infected copy of GUARD.COM was actually responsible for introducing the virus - again without alert.
This illustrates the major disadvantages of memory resident monitors which:

- are not device drivers (had it been one, the infected COMMAND.COM would have been detected as DOS loaded it);
- do not check memory for resident viruses upon loading (4K would then have been detected);
- ignore disk-write operations.
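The coverage gap described above, as an added model that is not Virus Guard's code: a monitor with configurable interception points is replayed over a constructed event trace, once for a clean start and once with a stealth virus already resident. The signature bytes, file names and events are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed identification pattern standing in for a scanner signature.
SIGNATURES = {b"\x4b\x4b\x4b\x4b": "4K (constructed pattern)"}

def scan(data: bytes) -> Optional[str]:
    """Return the matched name if any identification pattern occurs in data."""
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            return name
    return None

@dataclass
class Monitor:
    """Hook points of a resident monitor; defaults mirror those described above."""
    check_read: bool = True       # files opened for read access
    check_exec: bool = True       # programs about to be executed
    check_boot: bool = True       # diskette boot sectors
    check_write: bool = False     # disk writes are ignored
    check_memory_on_load: bool = False  # no resident-virus check at load time
    alerts: List[Tuple[str, str]] = field(default_factory=list)

    def load(self, memory_image: bytes) -> None:
        if self.check_memory_on_load and scan(memory_image):
            self.alerts.append(("load", "memory"))

    def on_event(self, op: str, name: str, data: bytes) -> None:
        hooked = {"read": self.check_read, "exec": self.check_exec,
                  "boot": self.check_boot, "write": self.check_write}
        if hooked.get(op, False) and scan(data):
            self.alerts.append((op, name))

def run_trace(monitor: Monitor, memory_image: bytes, trace) -> List[Tuple[str, str]]:
    """Load the monitor into the given memory state, then replay disk events."""
    monitor.load(memory_image)
    for op, name, data in trace:
        monitor.on_event(op, name, data)
    return monitor.alerts

INFECTED = b"MZ" + b"\x4b" * 4 + b"\x90" * 4   # constructed infected image
CLEAN = b"MZ" + b"\x90" * 8                      # constructed clean image

# Constructed trace for the 4K scenario: the virus is already resident, it
# infects GUARD.COM on a write, and (being a stealth virus) a later read of
# the file returns clean-looking bytes, so a read-time check sees nothing.
STEALTH_TRACE = [("write", "GUARD.COM", INFECTED), ("read", "GUARD.COM", CLEAN)]
# Constructed trace for the clean-start case: an infected program is executed.
CLEAN_START_TRACE = [("exec", "INFECTED.COM", INFECTED)]
```

With the defaults the stealth scenario produces no alert at all; enabling the memory check at load time or the write hook is what makes the resident infector visible.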
Aware of the potential security loopholes in loading a TSR from a batch file, S&S is currently developing GUARD.SYS, a Virus Guard device driver which can be run before COMMAND.COM is executed. This device driver will be available free of charge to registered users upon request.
Detection Rating

Overall, Virus Guard was able to detect an acceptably high number of viruses and its ‘hit’ rate was found to be only marginally lower than FINDVIRUS, the Toolkit’s disk scanner.

Among the viruses it failed to detect were Casper, Number One, Tequila, 1260, V2P6 and PCVRSDS. (In fairness, the documentation clearly states that Virus Guard will not detect V2P2 or V2P6.)
Virus Guard does not detect the Tequila virus either when it is introduced into a clean system or after rebooting from an infected boot sector. Virus Guard did not detect the virus during its subsequent spread around the disk. Its failure to detect Tequila is somewhat unnerving considering the recent spread of this virus in the wild.
One point worth bearing in mind is that Virus Guard may well give a virus a different name from that given by FINDVIRU, since the former product uses the same identification pattern to identify more than one virus. For example, it identified Monxla, Polimer and Turbo Kukac as ‘Kukac’, and Cookie, Machosoft and Syslock were all identified as ‘Cookie’.
Memory Footprint

Both versions of Virus Guard occupy the same amount of conventional memory - just over 5 kilobytes, but the EMS version allocated 32 Kbytes of expanded memory in order to store its

(Screenshot caption) Virus Alarm! Virus Guard, the TSR virus specific monitor from Dr.Solomon’s Anti-Virus Toolkit detecting the Black Monday virus.