AVP Inspector for WEB servers User guide December 1999
AntiViral Toolkit Pro
Copyright © 1999 Kaspersky Lab Ltd. All rights reserved. No part of this document may be reproduced, changed or transmitted in any form or by any means, electronic, mechanical or photographic, for any purpose, without the express written permission of Kaspersky Lab Ltd. and reference to this document. All product names referenced herein are trademarks or registered trademarks of their respective owners.
Table of contents
1. AVP INSPECTOR FOR WEB-SERVERS
1.1 Main Functions and Features
1.2 Distribution Kit
1.2.1 Distribution Kit
1.2.2 License agreement
1.2.3 Registration Card
4.4.3 The “Files” Tab
4.4.4 The “Reports” Tab
4.4.5 The “History” Tab
4.4.6 The “AVP” Tab
4.4.7 The “Excludes” Tab
4.4.8 The “Backup/Restore” Tab
Dear customer,
We are happy that you have chosen AntiViral Toolkit Pro (AVP), the world’s best anti-virus defense, for protecting your computer against computer viruses. Kaspersky Lab’s best anti-virus experts are working hard to provide you with this best-of-breed anti-virus solution and to meet your strictest requirements. By choosing AVP you choose unbeatable anti-virus protection.
1. AVP Inspector for Web-servers
1.1 Main Functions and Features
AVP Inspector for Web Servers™ is an additional utility for controlling unauthorized changes on a Web site. It works under Microsoft Windows 95/98® or Microsoft Windows NT®. AVP Inspector for Web Servers™ registers changes in order to protect the data structures of the Web site from harmful consequences. It can recover modified objects. AVP Inspector for Web Servers™ reduces the time needed to scan a PC for viruses.
• License Agreement;
• Sealed envelope containing AVP distribution diskettes;
• User Guide;
• Registration card.
Before you unseal the envelope make sure to thoroughly review the License Agreement.
1.2.2 License agreement
The License Agreement is a legal agreement between you (either an individual or a single entity) and the manufacturer (Kaspersky Lab Ltd.) describing the terms on which you may use the antivirus product you have purchased.
recommends on how to manage and change settings. This book doesn’t describe the installation procedure and operation concepts of the package.
1.3.1 Product Support
All registered users are provided with product support for the period of subscription.
2. AVP Inspector for Web servers installation procedure
2.1 System requirements
The minimum system requirements for AVP Inspector for Web Servers™ are:
• IBM PC (or 100% compatible) running MS Windows® 95/98/NT;
• 8 Mb RAM or more (16 Mb recommended) for Windows® 95/98, at least 16 Mb RAM for Windows NT® (32 Mb recommended);
• At least 1 Mb free disk space on the hard drive.
2.2
The Welcome to the AVP Inspector for Web Servers Window
During the installation procedure you will be prompted for some information that is necessary to set up AVP Inspector for Web Servers™ on your PC. The installation program will prompt you to read the License Agreement. Read it carefully and, if you agree to all its conditions, continue Setup by pressing the “Yes” button. If you do not agree, press the “No” button to abort the installation.
The License Agreement Window.
User Information. Next you must register your copy of AVP Inspector for Web Servers™. To do so, enter the required information (first and last names, company name, registration number) into the corresponding fields. Your registration number is printed on the registration card enclosed with the AVP Inspector for Web Servers™ software.
Registering your copy of AVP Inspector for Web Servers
Choose Destination Location.
Choosing the destination directory for AVP Inspector for Web Servers™.
Select Program Folder. This option lets you specify the name under which the AVP Inspector for Web Servers™ program and documentation files can be accessed from the Windows Start menu. You can change the group name by clicking on the input field and typing the desired name. You can place AVP Inspector for Web Servers into an existing program group by selecting the group name from the list.
Setup Type. Next you will be prompted for the type of AVP Inspector for Web Servers™ installation.
• Typical – recommended for most users. If you select Typical installation you will be prompted only for the destination directory into which AVP Inspector for Web Servers™ is to be installed.
• Custom – recommended for advanced users. This option allows you to change other settings during installation.
Selecting the AVP Inspector for Web Service Setup Type.
Current settings of AVP Inspector for Web Servers™
AVP Inspector for Web Servers Configuration. If you selected Custom installation you must complete four more steps to define the configuration you need.
Step 1. This step allows you to define:
• Run AVP Inspector for Web Servers™ automatically: set up AVP Inspector for Web Servers™ to launch automatically once a day during Windows start-up. This setting may be changed later, if required.
Configuration Setup 1
Step 2. You can set the path to the table file and change its name.
• Path to table files: the location where the table for the AVP Inspector for Web Servers™ is placed. If this field is left empty the table will be placed in the root directory of the C: drive;
• Name of table file for AVP Inspector for Web Servers™.
NOTE: Table filename must not exceed 7 characters in length.
Configuration Setup 2
Step 3. In the following window you can set the list of folders to be checked with AVP Inspector for Web Servers™. Click the ADD button to add a folder to the list or the Remove button to delete it.
Configuration Setup 3
Step 4. Next you set the backup options by checking the “Enable BackupRestore” box and defining the folder to save the backup information in. To restore changed files and delete new ones automatically, check the appropriate box.
can check the following box to have the program ask for your confirmation before restoring or deleting files.
Configuration Setup 4
Step 5. In the following window you should select whether AVP Inspector for Web Servers™ is started as a system service.
Starting of AVP for Web Servers as system service
If you check the box, AVP Inspector for Web Servers will start up automatically before the registration procedure and work independently of the user’s rights.
menu, and you must have administrator rights in this case.
Step 6. You should enter the username, password and domain used to start the AVP Inspector for Web Servers™ system service. If you leave all the fields blank, the service will be installed under the LocalSystem account, with some functions unavailable. You can change the account later with the Windows NT service manager.
Enter username, password and domain
On completion of these steps the software is ready to be installed on your computer.
Setup Needs The Next Disk. Here you should specify the path to the key file, or press the “Browse” button and select the necessary directory. The key file is a file with the key extension. It is your own key, containing all the auxiliary information necessary for operating AVP Inspector for Web Servers™.
Defining of the key file path.
The key file contains several items of data.
1. Address, company name and phone of distributor of current version.
2. Support information.
3. Date of release.
4.
Selecting the key file
After selecting the key file click the “Next” button.
Setup Complete. The following window offers you the options of reading the Readme file and launching the program after the installation finishes.
• Check the corresponding box to view the Readme file.
• Check the box to start AVP Inspector for Web Servers™ after installation.
Finishing of installation of AVP Inspector for Web Servers™
Press the “Finish” button to close the installation program.
AVP.KEY File
The AVP.KEY file is a software key containing data that is required for the software to operate, such as:
• Dealer information;
• Support information;
• Product release date;
• Proof of registration;
• License validity period.
3. AVP Inspector for Web Servers™ Principles Of Operation
AVP Inspector for Web Servers™ works by calculating cyclic redundancy check (CRC) values for disk sectors and files, saving these values to a database (table) and then comparing the current CRC values with the previous values stored in the database.
The following changes are categorized as suspicious:
• changes in file contents where the file modification date and time remain the same (characteristic of most file viruses).
• different files have a similar size change.
4. Launching And Configuring AVP Inspector for Web Servers™
4.1 Launching AVP Inspector for Web Servers™ And Command Line Options
AVP Inspector for Web Servers™ can be launched using any standard Windows method. For example, it can be launched from the “AVP Inspector for Web Servers” program group which is created during the installation procedure.
path name (e.g.: -cl) AVP Inspector for Web Servers will write the report to the root directory of the drive being tested. If a report file already exists, report data will be appended to it. You may use a long filename provided it is enclosed in quotes, for example -cl"c:\AVP Inspector for Web Servers". An alternative way to specify the location of the report file is by pressing the “Report” button in the View Test Results dialog box.
-StopNNN this option allows certain tests to be disabled. The value of NNN is obtained from the sum of the following numbers:
8 - disable new directory scan;
16 - disable deleted directory scan;
32 - disable changed files scan;
64 - disable new files scan;
128 - disable deleted files scan;
256 - disable moved files scan;
512 - disable renamed files scan;
4096 - disable available DOS RAM size test.
AVP Inspector for Web Servers™ Main Window
The main window contains the menu items “File”, “Config”, “Scan” and “Help”, a toolbar and a list of the directories to scan. You can edit the list of directories in the right-hand area of the main window. To add a new directory to the list to be tested, click the “Add” button on the toolbar and choose a directory to scan in the “Browse for Folder” window that opens.
The “Browse for Folder” Window
You cannot add a directory to the list if it is a parent or a subdirectory of a directory that is already in the list. To remove a directory from the list, select it and click the “Delete” button.
4.2.1 Menu Items
• File - exits the program.
• Config: change program settings, language, save current settings.
Configuration: displays the "AVPI Profiles" dialog box.
• Help
Contents: launches the help system.
What’s This? – obtain help for a selected element of the user interface.
Introducing: information about AVP Inspector for Web Servers™.
How to… how to perform key operations using AVP Inspector for Web Servers™
AVP Inspector for Web Servers™ On The Internet: go to the AVP Inspector for Web Servers™ Support Site on the Internet. This option opens your Web browser and requires an Internet connection.
About...
are called profiles. When AVP Inspector for Web Servers™ is launched for the first time it creates a default profile called “Default Profile”.
The “Profiles” Tab
To create a new profile, click the “Add” button. The Add New Profile dialog box will open. Under “Enter profile name” enter a name for the new profile.
Any profile may be set as "current" – that is, used during the current AVP Inspector for Web Servers™ session – by selecting it from the list and clicking the "Set as current" button. One profile must be set as the default. This is the profile that will be loaded when AVP Inspector for Web Servers™ is launched. You set the default profile in the same way, by selecting one from the list and clicking the "Set as default" button.
“Use alternative scan mode”
This mode disables the updating of tables and prevents further tests from running if no suspicious changes (indicating the likelihood of a virus infection) are found.
“Use delayed start”
This option allows you to specify an interval in seconds (between 1 and 999) which must elapse between startup and when AVP Inspector for Web Servers launches.
The “Configuration” Tab
“Table name and location”
In these input fields you can specify the file name and path for table files.
NOTE: The file name must not exceed 7 characters in length. The reason for this limitation is that a separate table file is created for each drive and an additional letter is appended to the specified name to indicate the drive letter.
in the list and press the “Remove” button to remove it from the list.
NOTE: Although AVP Inspector for Web Servers does not report changes in working directories, information about any changes is still passed to AVPIC.
“Continues Scan”
By checking this box you can run the test in continuous scanning mode. Enabling this parameter increases the efficiency of operation, but it also greatly increases the traffic of the Web server.
The “Extensions” Tab
The “Extension” list displays file extensions that will always be tested by AVP Inspector for Web Servers. Other file extensions can be added or removed from the “User defined extension” field.
Adding Additional Extensions
Press the “Add” button to add an extension to the list. The “Add user defined extension” dialog box will appear.
extension in the input field and click a radio button to select the type of check (No CRC, Fast CRC, Full CRC, Macro Fast CRC, Macro Full CRC) you want to use for it.
NOTE: The “?” wildcard may be used in user-defined extensions. For example, by specifying OV?, AVP Inspector for Web Servers™ will test files with extensions of OVL, OVR etc.
extra line called “Other Files”. For files not listed in “Extension” or “User defined extension” the type of CRC check to use can be set.
4.4.3 The “Files” Tab
From the Files tab you can view and edit the lists of stable files and excluded files, and set the parameters that determine whether a change in file size should be considered dangerous.
The “Files” Tab
“These files will not be checked (Excluded files)”
This is a list of files that will not be tested.
“Stable files”
This is a list of files which should not change under any circumstances. Examples of such files are the command shell (Command.Com, NDos.Com, etc), operating system kernel files (IO.SYS, IBMBIO.COM) and various trap files. To add a file to this list press the “Add” button and select a file using a standard file selection dialog box. To remove a file from the list, select it and click “Delete”.
4.4.
“Append to report file”
If this box is checked and a report file already exists, new data will be appended to it. If this box is unchecked, the old report file will be overwritten by the new one.
“Save as HTML page”
In this case all reports will be saved in HTML format.
“Report file path:”
In this field you specify the directory in which report files will be saved. You may use long filenames here as long as you enclose them in quotes, for example “c:\AVP Inspector for Web Servers”.
The “History” Tab
“Save check history information”
If this box is checked, historical records will be saved to the history database.
“Save History Info only at first check”
If this box is checked, only the history of the first check of the day will be saved.
“Save History Info at all checks”
If this option is selected, the history of each check will be saved.
“Check Max Number”
If you select this option you can then specify the maximum number of records you want to keep in the history database.
“Check Days”
If you select this option you can then specify the maximum number of days’ information to keep in the history database.
4.4.
the virus scanner. This list may contain the names of new, changed, renamed and moved files. In this field you can specify the full path and name of the file to be created. If only the file name is entered it will be created in the AVP Inspector for Web Servers™ home directory.
“Executable File Name”
In this field you enter the path and file name of the virus scanner AVP® for Windows. If you did not rename the AVP® for Windows executable (in other words, if it is called avp32.
The “Excludes” Tab
A number of check boxes are displayed. If a box is checked, changes in the corresponding item will not be reported. The checks you can exclude are:
• New directories;
• Deleted directories;
• Changes in files;
• New files;
• Deleted files;
• Renamed files;
• Moved files.
4.4.8 The “Backup/Restore” Tab
To increase the safety of Web server operation, directories can be saved and later restored if necessary.
The “Backup/Restore” Tab
“Sources to backup”
In this field you specify the directories you want to save. To add a new folder to the list click the “Add path” button and choose the directory you need in the “Browse for folder” window.
The “Browse for Folder” Window
“Distination path”
In this field you can enter the path where your sources will be kept.
“Automatic restore changed and deleted files”
If this box is checked, AVP Inspector for Web Servers™ restores the specified folders automatically if any changes were made in them.
“Prompt before restore”
If this box is checked, AVP Inspector for Web Servers™ asks for your confirmation each time before it performs a restore.
5. Working With AVP Inspector for Web Servers™
5.1 First launch of AVP Inspector for Web Servers
When launched for the very first time, AVP Inspector for Web Servers™ automatically creates tables for all directories that were specified for testing during installation (see AVP Inspector for Web Servers™ Installation Procedure). If these tables were not created you will see a notification:
Reply “Yes” and all necessary tables will be created.
5.
AVP Inspector for Web Servers™ Main Window
5.2.1 How To Create Folder List
First you should decide which folders you want to test. Click the ADD button on the toolbar and choose a folder in the “Browse for folder” window that opens.
The “Browse for folder” window.
To add another folder to the folder list, repeat these actions.
5.3 How To Create New Tables
To create new tables click “Scan” in the main menu, then “Create New Tables”.
5.4 The Disk Tests Summary Dialog Box
The “Scan summary for drive” Dialog Box
This dialog box displays a summary of changes since the last disk test. Information shown includes: the numbers of changed, deleted, renamed, moved and new files, new and deleted directories; also information about changes to the master boot sector and boot sector.
don’t want to update the tables press the “Not update” button or the “Esc” key.
5.5 The View File/Directory List Dialog Box
The View File/Directory List Dialog Box.
NOTE: suspiciously changed files are tagged with this symbol: /.
5.6 View Files
View Files Dialog Box
This dialog box is displayed if you press the “View” button in the file/directory view dialog box or if you select the “View” menu item from the context menu in this dialog box.
• PgUp, PgDn, Up, Down: these buttons allow you to navigate within the file being viewed.
• View as…: this button lets you change the view mode.
5.7 View Test History
The "History Information" Dialog Box
This dialog box allows you to view the results of previous tests. The “Result” field displays table update information. The “Test List” field displays information about changes on the tested drive, or about the type of test, for example: “Creation Of Tables” or “Active Stealth Virus Test”. If any changes were detected you can view the test results by pressing the “View” screen button.
To launch AVP Inspector for Web Servers™ as a system service manually, click “Scan” in the main menu, then “Start AVPIWeb as Service”. The main window then looks as follows:
AVP Inspector for Web Servers™ Main Window
In this case it will work with the current profile. If you want to change the profile configuration you should restart AVP Inspector for Web Servers™ as a service after making the change. To stop AVP Inspector for Web Servers™ running as a service, press the “Stop service” button.
sending of mail.
6. Messages about suspicious changes or possible virus infection
6.1 Warnings displayed upon completion of tests
Upon completion of tests, if changes that indicate the possible presence of viruses have been detected, AVP Inspector for Web Servers™ displays a dialog box with the list of the suspicious changes.
• Changes found in files marked stable - a file listed as stable (should not change) has changed. Unless you know of a good reason why the file(s) listed have changed (for example, you have installed an updated version of the operating system) these changes are likely to be due to infection by a virus.
• Abnormal file size change - The size of several different files has changed by a similar number of bytes.
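Added example, not code from AVP Inspector or Kaspersky Lab: the table-and-compare scheme of Section 3 together with the suspicious-change rules of Sections 3 and 6.1, written in Python. The table layout, the function names, the exact-match rule used for a "similar" size change and the sample files are assumptions made for this illustration; CRC-32 is used because the guide names CRC, and it catches accidental or naive modification, not changes crafted to preserve the checksum.

```python
import os
import tempfile
import zlib
from collections import defaultdict, namedtuple

Entry = namedtuple("Entry", "size mtime_ns crc")


def crc32_file(path, chunk=65536):
    """CRC-32 of a file's contents, read in chunks."""
    crc = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


def build_table(root):
    """Record size, modification time and CRC for every file under root."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            table[rel] = Entry(st.st_size, st.st_mtime_ns, crc32_file(full))
    return table


def compare(old, new, stable=(), min_group=2):
    """Diff two tables; min_group (assumed) = files sharing one size delta."""
    report = {"new": sorted(set(new) - set(old)),
              "deleted": sorted(set(old) - set(new)),
              "changed": [], "suspicious": []}
    by_delta = defaultdict(list)
    for path in sorted(set(old) & set(new)):
        before, after = old[path], new[path]
        if (before.size, before.crc) == (after.size, after.crc):
            continue  # contents unchanged
        report["changed"].append(path)
        if before.mtime_ns == after.mtime_ns:
            report["suspicious"].append(
                (path, "contents changed, timestamp unchanged"))
        if path in stable:
            report["suspicious"].append((path, "stable file changed"))
        if after.size != before.size:
            by_delta[after.size - before.size].append(path)
    for delta, paths in sorted(by_delta.items()):
        if len(paths) >= min_group:  # several files changed by the same amount
            report["suspicious"] += [
                (p, "similar size change (%+d bytes)" % delta) for p in paths]
    return report


def _write(root, rel, data, mtime_s):
    """Write a constructed sample file and pin its modification time."""
    path = os.path.join(root, rel)
    with open(path, "wb") as fh:
        fh.write(data)
    os.utime(path, ns=(mtime_s * 10**9, mtime_s * 10**9))


def demo():
    """Constructed web root: build a table, simulate changes, compare."""
    t0, t1 = 946684800, 946771200  # constructed timestamps, one day apart
    names = ("index.html", "news.html", "about.html", "links.html",
             "form.cgi", "old.html")
    with tempfile.TemporaryDirectory() as root:
        for name in names:
            _write(root, name, b"<html>" + name.encode() + b"</html>\n", t0)
        table = build_table(root)
        # Same size and same timestamp, different bytes.
        _write(root, "index.html", b"<HTML>index.html</HTML>\n", t0)
        # Two different files grow by the same 40 bytes.
        _write(root, "news.html", b"<html>news.html</html>\n" + b"X" * 40, t1)
        _write(root, "about.html", b"<html>about.html</html>\n" + b"X" * 40, t1)
        _write(root, "links.html", b"<html>links.html v2</html>\n", t1)  # ordinary edit
        _write(root, "form.cgi", b"#!/bin/sh\necho ok\n", t1)  # listed as stable
        _write(root, "upload.html", b"<html>new</html>\n", t1)
        os.remove(os.path.join(root, "old.html"))
        return compare(table, build_table(root), stable={"form.cgi"})


if __name__ == "__main__":
    print(demo())
```

The ordinary edit to links.html is reported as changed but not as suspicious, which is the distinction the guide draws between normal updates and the patterns it associates with infection.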
7. Warning and error messages
7.1 Run-Time error messages
"Cannot allocate memory"
This message may appear if there is not enough memory for AVP Inspector for Web Servers™ to complete some operation.
"Cannot open AVPITABX.DAT"
where X is a drive letter. This message means that it is impossible to open the specified table file. (Note that the name can be changed at installation time or using the Configuration dialog). This message may have several causes.
"Cannot create report file "
"Error writing report "
These messages are displayed if you choose an invalid name for the report file, if you attempt to save the report file to a write protected diskette, or if there is not enough disk space to save the report file.
"Error writing tables "
This message is displayed if you attempt to save a report file to a write protected diskette or if there is not enough disk space.
Cannot Create AVPI main window
This message is displayed if there are not enough system resources to open the AVPI main window.
7.3 Debugging registers test messages
AVPI performs a debugging registers test before beginning any checks. During normal operation (not under a debugger) the system should not have any hardware breakpoints set.
AVP Inspector for Web Servers requires NCCL32.DLL version X.XX or later to operate correctly. Please use NCCL32.DLL from AntiViral Toolkit Pro.
This message is displayed during AVP Inspector for Web Servers™ launch if the version of NCCL32.DLL currently installed is lower than X.XX. This is an AVP Inspector for Web Servers™ control elements library.
AVP Inspector for Web Servers requires NCA32.DLL version X.XX or later to operate correctly. Please use NCA32.
8. Glossary
File Attributes
File characteristics: System file, Hidden File, Read Only File etc.
Absolute Sector
see: Sector
Blocker
see: Monitor
Interrupt Vector
An entry in the Interrupt Vectors Table. Points to the Interrupt Handler address.
Non-resident
see: Resident
Disassembler
A utility that derives assembly language code from executable code (the opposite to an assembler). Such utilities are valuable for debugging purposes as well as for virus analysis.
Logical drive
A disk partition, containing a continuous block of disk sectors. A logical drive consists of a boot sector, FAT sectors, the root directory and data areas. Sectors in the data area are grouped into clusters. Logical drives are assigned letters (A:, B:, C: etc.) Within a single logical drive logical sector addressing is possible.
code in computer memory after it terminates. This code is typically installed as an interrupt handler and is executed when an interrupt occurs.
Sector
The smallest physical unit of storage on disk. A disk is divided into sectors when it is formatted. Each sector can be uniquely addressed. A sector may have both a physical (relative to the start of the disk, accessed using BIOS calls) and a logical (relative to the start of a partition, accessed using DOS calls) address.
computer hard disk.
BIOS (Basic Input-Output System)
Built-in software included with your computer. It performs functions such as testing the hardware at start-up, and launching the operating system boot procedure. It also provides the primary interface to hardware such as the screen, disks, printers, etc. The BIOS code is stored in ROM.
Boot Sector
The first sector of a logical drive (also the first physical sector on floppies).
OVL File
A file containing executable code which may be used by a calling program. It often has a COM or EXE file structure.
SYS File
A system device driver file. It is loaded into memory when DOS initializes after boot-up. System files are loaded as instructed by DEVICE commands in the file CONFIG.SYS, which are executed during boot-up.
9. Kaspersky Lab Ltd.
Kaspersky Lab
Kaspersky Lab Ltd. is a fast growing international privately owned software development company with offices in Moscow (Russia) and Cambridge (UK). Having started the business in 1992, Kaspersky Lab concentrates its efforts on the development, marketing and distribution of world-leading anti-virus technologies and computer software.
Weekly anti-virus database updates
Every week up to 200 new viruses appear.
• For most popular operating systems;
• Includes powerful and flexible management tools
Year 2000 compliant
Kaspersky Lab is the first anti-virus software vendor to certify its products for year 2000 compliance in an independent testing lab. This certificate confirms that all AVP family products will work correctly after year 2000.
Certificates
AVP for Windows is certified by Microsoft’s Testing Lab and carries the “Designed for Windows 95/NT” and “Designed for Windows 98/NT” logos.
AntiViral Toolkit Pro for Novell NetWare
AVP for Novell NetWare (AVPN) is an antivirus system for the Novell NetWare computer network. AVPN performs scanner and filter tasks, permanently supervising server files.
AntiViral Toolkit Pro for Windows NT Server
AVP for Windows NT Server is designed to build a reliable antivirus protection system on the file and application servers operating under Microsoft Windows NT Server.
AntiViral Toolkit Pro Virus Encyclopedia (AVPVE)
AVP Virus Encyclopedia is an electronic HTML document. AVPVE gives details on almost all viruses ever detected worldwide (more than 5000), their classifications, detection and deletion approaches, their operation concepts, their manifestations and the after-effects of virus infection. The product also demonstrates graphical and sound effects produced by viruses.
Our contact information:
Address: 10, Geroyev Panfilovtcev Street, 123363, Moscow, Russia, Kaspersky Lab
Phone: +7 (095) 948-43-31 - Sales Department, +7 (095) 495-03-00 Technical Support, +7(095)948-56-50 Marketing and Advertising Department
Fax: +7 (095) 948-4331
BBS: +7 (095) 948-6333, +7 (095) 948-3601 (round-the-clock service)
E-Mail: globalsale@avp.ru – distribution related matters, support@avp.ru Technical Support, newvirus@avp.