Antidote



Information - Antidote

Genre:              Tape / Disk / Cartridge Utility
Year:               1996
Language:           [unknown]
Publisher:          ST Format
Developer:          [n/a]
Distributor:        Future Publishing
Controls:           Mouse
Country:            United Kingdom
Box / Instructions: English
Software:           English
Programmer(s):      Holst, Kai
License:            PD / Freeware / Shareware
Serial:
ST Type:            ST, STe, TT, Falcon030 / 0.5MB
Resolution:         Medium / High
Number of Disks:    1 / Double-Sided / HD Installable
Dump:               Download / MSA
MIDI:
Protection:

Instructions - Antidote

##############################################################################

                                    Antidote
                                      v3.7

                             © 1990-1996, Kai Holst
                       Release Date : September 28th 1994
                         Documentation : March 12th 1996

##############################################################################

Table of Contents:

1: Introduction - if you don't already know what Antidote is
2: Contact addresses - to get in touch with me
3: Version information - what is in the program now
4: Antidote history - what the older versions were like
5: System information screen - what it is, what it shows, and how it works
6: Scanning for viruses - what Antidote is all about
7: Future plans - what will there be in the future?
8: A small section for programmers
9: Disclaimer - the bit nobody ever bothers to read

##############################################################################

                        PRACTISE SAFE HEX - USE ANTIDOTE!

##############################################################################

                                     Part 1
                                  Introduction
                   If you don't already know what Antidote is

Antidote is a virus killer for the Atari TOS range of computers. With a
broad range of advanced features available in no other virus killers, it
has become a powerful tool in the battle against computer viruses over the
past few years, and although no work has been done to improve Antidote
since September 1994, it is a fact few people dispute that this program is
one of the best protective software applications ever made for the Atari.

With a smooth and quick GEM interface, Antidote is extremely easy to use,
and indeed, the idea of user-friendliness has been vital during the entire
creative process. Both the older versions, which were based on a custom-
made non-GEM dialog system I designed (Made from 1990 to 1993) and the
more recent GEM versions have been easy to use, with dialogs being
informative and simplified. Also, thanks to the option of having all
dialogs in windows (The program defaults to this at start-up), Antidote is
fully multi-tasking, and will almost always work quicker when run under
multi-tasking environments than other virus killers do when run in a
single-tasking environment. Don't just take my word for it - try it out
yourself and see if I'm telling lies.

As for compatibility, Antidote works on absolutely any Atari TOS machine
produced since the beginning - on TOS versions from 1.0 dating back to
1985 or 1986 to the latest multi-tasking AES versions, on machines with as
little as 256 kB of RAM (it's actually true) and using any resident
programs, accessories and desktops you might have. Antidote has been
successfully run under TOS, MiNT, Geneva and Magic. It should also be 100%
compatible with future releases of any of these, or other, environments.

Perhaps the best part about Antidote is that it comes for free. There is
absolutely no obligation to send me money or any other forms of donation
if you use Antidote on a regular (or even irregular) basis. I tried that
for a short while before Antidote went undead, and got only two
registrations and three or four encouraging e-mails. That system just
doesn't work. Please, use it as often as you need, and feel free to spread
it to PD libraries, FTP sites I have missed, and all your friends. Do
know, however, that a lot of work went into Antidote, as presented in this
version, and that a surprising letter with some kind words about it will
make me more keen to make updates and improve the thing. So how about a
postcard or an e-mail? See below for details...

So now, read the rest of the manual (Even the disclaimer) and then get on
with the virus killing. Remember, hex is best when practised safely...

##############################################################################

                                     Part 2
                                Contact address
                            To get in touch with me

Snail Mail     Kai Trygve Holst
               Postboks 5061, Larsgården
               N-6021 Ålesund
               Norway
E-mail         kh@www.hials.no
WWW            http://www.hials.no/~kh/
Phone          Currently not available (Unfortunately)

##############################################################################

                                     Part 3
                               Version information
                           What is in the program now

The version of Antidote spread with this small manual should be v3.7,
which was finished on the 28th of September 1994. This was intended as a
beta-version only to test a few new features, and spread to a few persons
that same day by e-mail.

Due to the beta-status of the program, the recognition statistics were not
all that impressive - it recognized a mere 211 harmless bootsectors (Demos,
commercial games etc), a massive 155 resident (TSR) programs, 64 different
cookie jar entries, 6 bootsector anti-viruses, 21 known file packers and
archivers, all 5 known link-viruses, and 64 known bootsector viruses. This
is enough to place it in the top three (Maybe even top two) amongst virus
killers on the Atari, but was considerably less than in earlier versions.
Only the virus statistics I'm happy with.

Version 3.7 has no features removed! It will remove viruses from the
bootsector of a disk, it can successfully remove three of the known link-
viruses from infected files, without harming the file (Which I almost
believe is unique - other virus killers can remove viruses, but tend to
ruin the file in the process), and most interesting of all - if a virus
has infected the machine, it can fully or partially be rendered harmless
as Antidote is capable of removing the virus from the chain of programs
hooked to system traps, thereby making sure the destructive mechanisms are
not called! This feature has to my knowledge not been copied by any other
virus killer!

When it comes to removing link-viruses, there is one thing you should
know, though: The three link-viruses that are successfully removed are #3
(Uluru), #4 (Papa & Garfield) and #5 (Crash). The removal of these is
perfect. If you come across a Milzbrand link-virus (#1), you will also be
asked if you want to remove it. DO NOT ANSWER YES! The code implemented
in v3.7 was HIGHLY beta, and had a success rate of less than 10%. (I had
only recently begun studying the Milzbrand Virus) Remember that!

There is only one known BUG, and you're not likely to ever see it unless
you have a messy disk structure. I implemented an ultra-fast disk-scan
routine used when scanning for link-viruses - it has a performance that
is absolutely unsurpassed, being able to scan more than 250 files/second
on a quick harddisk. However, it was not fully debugged, and will give an
error message if the following occurs: A packed program or a link-virus is
found during disk scan, occupying cluster XXX on the disk/partition. It
will then retrieve the directory structure, and if it finds a deleted
folder pointing to cluster XXX, it will try to enter that folder and
search for a filename. This might cause an unusually long filename to
appear, and the program to give up. The machine is not likely to crash,
but this error should not have been there in the first place. It will have
been removed when I present a new version.

Another thing to notice about the program is that it might occasionally
fork out an alertbox with some debugging information I added to it - this
will only happen when unknown GEM calls are received, or when the program
calculates itself to a halt. The latter is not likely to happen...

One or two days after this version was compiled, an unfortunate accident
involving my brand new harddisk accidentally wiped out all my data, and
left me with nothing but small portions of my code and research. Also, all
the programs I had installed were irrevocably lost. Therefore, the program
file contained in this archive is the personal copy I had stored on a
disk, and it carries the serial number 00000 (Zero). Press Control-I in
any Antidote dialog to get an alertbox confirming this.

After that accident I stopped coding, for obvious reasons, and it isn't
until recently that I have given much thought to continuing the Antidote
project. Please read further down for more information about (possible)
forthcoming releases.

##############################################################################

                                     Part 4
                                Antidote history
                        What the older versions were like

This section will not be available until the next release of Antidote.

##############################################################################

                                     Part 5
                            System information screen
                   What it is, what it shows, and how it works

The System Explorer (As I chose to call it back then) had reached v9.12 by
the time Antidote reached v3.7. I chose to keep separate version numbers
simply because Antidote was a virus killer, and only the differences in
its virus-killing capabilities changed the version number of the program
itself, but as the System Explorer changed I gave it new version numbers
all the time, independent of the rest of the program.

The basic use of the System Explorer is to allow insight into the system
traps, and to trace resident programs and viruses.

The dialog itself is neatly arranged into sections, displaying eight
selected system traps (gemdos, aes, bios, xbios, hdv_bpb, hdv_rw,
hdv_mcv and the reset vector), hardware information, RAM information,
media information and some software/OS information. A number of objects in
the dialog are selectable: If the explorer detects that one of the system
traps has been bent by a resident program, the corresponding object will
turn from inactive to active and become selectable, and a descriptive text
will appear. In addition, the explorer tries to find its way through the
trap and search for other programs that also bend that particular system
trap, all the way down to an address pointing to ROM or a program that
doesn't allow further searching. I know that sounds a bit complicated, but
it's about 5 am in the morning as I write this, and I'm basically just
longing for my bed. To make it a bit easier, let me give you an example:

Let's say that you boot up your computer, and install the following
programs from your AUTO-folder: MultiDialog, NVDI and Selectric™ (I here
assume you know these programs...). In addition, you have installed a
reset-proof RAM-disk that is unknown to Antidote, and which is installed
as the last program of the four.

Then let's say that all these programs have one thing in common: They all
bend the Bios vector (Trap #13), which Antidote checks. Basically, what
will appear in the System Explorer on the Bios object is the text
"Trap #13: Unknown". If you're using a color monitor, that text will be
printed in red, and in any case, the object will be selectable. Other trap
objects that appear in green print indicate that only known, harmless
programs have intercepted that vector (These objects are also selectable),
and objects that are unselectable indicate that the vector points directly
to a ROM address.

But back to the Bios vector. Clicking on that object will close the window
and open another, smaller window with another, smaller dialog in it. In
this dialog you will see, amidst other objects, something like this:
    => $00154A08 : Unknown               VPF:  10%  SRam
    => $001227BC : Selectric™ File Selector         SLCT
    => $00062496 : NVDI Screen Accelerator          NVDI
    => $0004030A : Unknown               VPF:   0%  MDIA
    => $00E00D3E : ROM Routine                       End
This is a list of the programs that currently intercept the Bios system
vector. What it all means is that when a program attempts to make a Bios
call (Trap #13) the system jumps to the address of the last program to
intercept the vector (In this case, the RAM-disk). The code of that
program then examines the bios call to see if it is a call it needs to act
on - if it is, it does what it's supposed to do, and then (Probably)
returns control to the calling program, and otherwise jumps to the next
program in the chain. (In this case, Selectric™.) That way it continues
until it reaches TOS, which takes care of all stray calls the resident
programs didn't bother to deal with.

So, what do all the things mean, then? Well, the arrow on the left simply
signifies that this is an address. Then comes the address the vector
points to, and then a descriptive name, printed in black if the program is
known or it is a ROM address, and in green if it is unknown. If unknown,
Antidote also tries to examine the code around the vector to see if it has
any of the characteristics of known viruses (Harmful code) - the result of
that examination is reflected in the Virus Probability Factor (VPF among
friends - thanks to Richard Karsmakers, author of UVK, for that name) that
is shown for unknown programs only. And finally, to the right will be
displayed the XBRA identifier of the program, if any (Please refer to
other documentation for more info on XBRA).
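
How a chain like the one listed above can be followed using XBRA headers, as an added example in C (not Antidote's code and not part of the original manual). It assumes every handler carries the standard 12-byte XBRA header directly below its entry point ("XBRA", a 4-character id, the previous vector), treats addresses from $E00000 up as ROM, and reads from a constructed table (sample_mem) built from the listing's addresses; walk_xbra, header_below and the struct names are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample, not a real memory dump: one XBRA header per resident
   handler, using the addresses and ids from the Trap #13 listing above.
   Layout: "XBRA", 4-character id, previous vector (big-endian). */
struct hook { uint32_t entry; unsigned char hdr[12]; };
static const struct hook sample_mem[] = {
    { 0x00154A08, { 'X','B','R','A', 'S','R','a','m', 0x00,0x12,0x27,0xBC } },
    { 0x001227BC, { 'X','B','R','A', 'S','L','C','T', 0x00,0x06,0x24,0x96 } },
    { 0x00062496, { 'X','B','R','A', 'N','V','D','I', 0x00,0x04,0x03,0x0A } },
    { 0x0004030A, { 'X','B','R','A', 'M','D','I','A', 0x00,0xE0,0x0D,0x3E } },
};

#define ROM_BASE 0x00E00000u /* assumption: addresses from here up are ROM */
#define MAX_HOPS 32          /* stops a chain that loops back on itself */

struct hop { uint32_t addr; char id[5]; };

/* Return the 12 header bytes below `entry`, or NULL if the sample has none.
   On a real machine this would read memory at entry - 12. */
static const unsigned char *header_below(uint32_t entry) {
    for (size_t i = 0; i < sizeof sample_mem / sizeof sample_mem[0]; i++)
        if (sample_mem[i].entry == entry)
            return sample_mem[i].hdr;
    return NULL;
}

/* Follow the chain starting at `vector`. Fills out[] newest hook first and
   returns the number of entries. *ends_in_rom is 1 only if the walk reached a
   ROM address; 0 means a handler without XBRA (or the hop limit) stopped it. */
int walk_xbra(uint32_t vector, struct hop *out, int max, int *ends_in_rom) {
    int n = 0;
    *ends_in_rom = 0;
    while (n < max) {
        out[n].addr = vector;
        if (vector >= ROM_BASE) {
            strcpy(out[n++].id, "ROM");
            *ends_in_rom = 1;
            break;
        }
        const unsigned char *h = header_below(vector);
        if (h == NULL || memcmp(h, "XBRA", 4) != 0) {
            strcpy(out[n++].id, "????"); /* cannot be followed any further */
            break;
        }
        memcpy(out[n].id, h + 4, 4);
        out[n++].id[4] = '\0';
        vector = (uint32_t)h[8] << 24 | (uint32_t)h[9] << 16 |
                 (uint32_t)h[10] << 8 | (uint32_t)h[11];
    }
    return n;
}

int main(void) {
    struct hop chain[MAX_HOPS];
    int rom;
    int n = walk_xbra(0x00154A08, chain, MAX_HOPS, &rom);
    for (int i = 0; i < n; i++)
        printf("=> $%08lX : %s\n", (unsigned long)chain[i].addr, chain[i].id);
    puts(rom ? "chain ends in ROM" : "chain could not be followed to ROM");
    return 0;
}
```

A walk that stops before reaching ROM marks a handler with no XBRA header, which is the kind of entry the manual says gets examined for a Virus Probability Factor.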

If the list of resident programs is longer than ten (Which is the maximum
of lines displayed in the dialog) you can scroll up and down using the
buttons at the lower end of the window. Press "Return to menu" to return
to the System Explorer.

For more documentation of the System Explorer (Including info on the
Cookie Jar, the Goodie Bag, and info on how Antidote actually can remove
viruses from memory), you'll have to wait for the documentation in the
forthcoming version(s). I'm just too fed up with writing right now to do
that.

##############################################################################

                                     Part 6
                              Scanning for viruses
                           What Antidote is all about

Okay, now let's get down to business. Antidote is about detecting and
removing viruses, and that business is taken care of in a single dialog
which you can enter from the main menu.

The "Check" dialog is divided into sections with different emphasis,
depending on the type of action you want to undertake. I will here go
through the sections one by one.

"Search for link-viruses" - This part contains selectable buttons for each
active drive on your system. When one such button is pressed, it is
highlighted, but that's basically all at that point. You can highlight more
than one button there (Say, "C", "D", "E" and "F" if you're on a harddisk
system), and when the virus scan is initiated, all those drives marked
will be scanned for link-virus.

"Bootsector" - Similar to the link-virus options, this section displays
selectable buttons for drives A through C, if they are active on your
system. When selected, they are highlighted, and when a scan is initiated,
the bootsectors of these drives will be searched for link-viruses.

"Scan Type" - Two options here: "GEMDOS" and "Enhanced". This refers to
the two modes you can use when scanning a disk/partition for
link-viruses. GEMDOS mode is the standard mode, as used by many other
virus killers. It can be guaranteed to work on TOS/DOS Filesystems, and is
also the slowest of the two. Enhanced mode uses a routine written by my
friend Gard Eggesbø Abrahamsen to increase the speed of a link-virus scan
by as much as 900%! Unfortunately, this routine also only works on
standard TOS filesystems. Improvements to take advantage of Minix and
other file systems are in the pipeline.

"Show Filename" - This option only has effect if using Gemdos scan mode.
If set to "Yes", the names of the files being checked for linkvirus
infection will be displayed in the scan dialog.

"Pack notify" - If set to yes, this option will force Antidote to give you
an alertbox notifying you if it comes across any executable files that
have been packed by one of the recognized file packers.

"Cancel" and "OK" - just ignore these... They have to do with an option
not correctly implemented. The thought was that if you had a setup in this
dialog you always use once a week (Checking all your partitions for
link-viruses, plus the bootsector of your C partition, with enhanced mode,
show filename off and pack notify on) you could save these parameters in
an information file ("Save Options" in the Information screen). However, I
never agreed with myself on the chosen infofile format, so the option may
not be of much use in the future. Note that saving options will work, and
that you may have a standard setup this way. Might save you some seconds.

"Go" - initiates virus scan. If you request some bootsectors to be
checked, that test will be done first, followed by any scans of
disks/harddisks for link-viruses. If something is found, you will be
prompted for action to take before Antidote goes on.

##############################################################################

                                     Part 7
                                  Future plans
                        What will there be in the future?

Yes, I am currently working on a new version of Antidote, from scratch.
There will be a great deal of changes - the layout will be changed, most
code will probably be a bit optimized, the recognition statistics should
be considerably improved, and the entire program will be coded in C,
unlike the older ones, that are wholly programmed in GFA Basic (with a few
assembly language segments INLINEd). This is a list of to-do's, or as I
like to put it, wanna-do's:

* Design change - more stream-lined dialogs with less fuzz.
- On-line help, using ST Guide or the Geneva Help viewer.
* More accurate RAM determination.
* Improved window library with multiple-window capability.
- Multi-lingual resource files.
- Multi-lingual documentation.
- Long filenames support.
- Non-GEM performance - in case of MiNT-OS or command shell.
- Command line interpretation - for the same reason as above...
- XACC support.
- AV support.
- Iconify support.
- Drag and Drop support.
- Improved recognition statistics.
- Removal of ALL link-viruses.
- Library for unknown bootsectors.
- Ability to store unknown bootsectors in database, and recognition from
  that database.
- Ability to repair bootsectors of commercial games.

The points marked with an asterisk (*) are already finished. The rest will
have to come at a later time. I know other virus killers already have some
of the things I've mentioned, but that doesn't put me off. I'll simply
have to make Antidote better than those other programs.

##############################################################################

                                     Part 8
                        A small section for programmers

In the next release of Antidote, this section will contain information
about how to interact with Antidote via standard inter-process
communication protocols, and the use of the Goodie bag protocol, as
described in the release notes of "GBell" and "PAnTHer", two excellent
pieces of software written by my friend Gard Eggesbø Abrahamsen.

##############################################################################

                                     Part 9
                                   Disclaimer
                       The bit nobody ever bothers to read

The author of the software described in this documentation takes no
responsibility for any kind of damage caused directly or indirectly by the
use of this software. The program described herein has been heavily
debugged for maximum user safety, but because of the beta status of this
release, one or two undiscovered bugs may still have snuck in.

I therefore wish to stress the fact that all responsibility lies with you.

Unconditionally.

##############################################################################