TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.

Page 96

infections. Other file changes, notably configuration variations,
will not trigger the alarm. If, however, you should ever desire a
full check that detects ANY file changes, this option takes care of
it. Be aware that this option slows down the system considerably, so
we don't recommend its use in normal circumstances.

secure (s).

TbCheck normally asks whether you want to continue or cancel when a
file has been changed or when there is no checksum information
available. In a business environment it may be unwise to leave such
decisions to employees. Option SECURE makes it impossible to execute
new or unknown programs, or programs that have been changed.

NOTE:

Be aware that the SECURE option also disables the OFF and
REMOVE options.

3.5.4 Understanding the Scanning Process

This section adds to your knowledge of TbCheck by explaining a little
more about the scanning process.

Whenever a program wants to execute, TbCheck steps in to see if it really
has the authority to do so. During that time it displays the message
"*Checking*" in the upper left hand corner of the screen. TbCheck
operates at lightning speed, so the message appears only momentarily.

TbCheck quickly checks a program when the program loads. If TbCheck
detects that a file has changed, a notification message appears. At this
point, you can choose to either continue, or to abort the program's
execution.

If there is no information in the ANTI-VIR.DAT file about the program,
TbCheck also informs you of this. You can either choose to continue
without checking, or to abort the program's execution.

TIP:

You can prevent users from executing unauthorized software by using

Understandably, many users wish to test the product they are using. In
contrast to a word processor, for example, it is very difficult to test a
smart integrity checker like TbCheck. You cannot change a random 25 bytes
of an executable file just to find out whether TbCheck detects the file
change. On the contrary, it is very likely that TbCheck will NOT detect
it, because the program checks only the entry area of the file, whereas
the changed bytes might reside in another location within the file. But
again, if a virus infects the file, this entry area will definitely
change, because the virus must alter it to gain control, so checking the
entry area is adequate to detect infections.

3.6 Using TbClean

In case a virus infects one or more files, and you wish to remove the
virus from those files (for example, in case you do not have a clean
backup of the files), you can use TbClean. TbClean is the program that
can remove viruses from infected files, even without knowing the virus
itself. This section explores TbClean.

3.6.1 Understanding TbClean

TbClean isolates viral code in an infected program and removes it. It is
then safe to use the program again, since TbClean securely eliminates the
risk of other files becoming infected or damaged.

Understanding the Repair Cleaner

TbClean works differently from conventional virus cleaners because it
does not actually recognize any specific virus. TbClean's disinfection
scheme is unique, employing ThunderBYTE's heuristic ("learn as you go")
technology so that it works with almost any virus.

Actually, the TbClean program contains two cleaners: a "repair" cleaner
and a "heuristic" cleaner. The repair cleaner needs an ANTI-VIR.DAT file
generated by the TbSetup program before the infection occurred. This
ANTI-VIR.DAT file contains essential information such as the original
file size, the bytes at the beginning of the program, a cryptographic
checksum to verify the results, etc. This information enables TbClean to
disinfect almost every file, regardless of the specific virus that has
infected it, even if it is unknown.

Understanding the Heuristic Cleaner

In the heuristic cleaning mode TbClean does not need any information
about viruses either, but it has the added advantage that it does not
even care about the original, uninfected state of a program. This
cleaning mode is very effective if your system becomes infected with an
unknown virus and you neglected to let TbSetup generate the ANTI-VIR.DAT
files in time.

In the heuristic mode, TbClean loads the infected file and starts
emulating the program code to find out which part of the file belongs to
the original program and which belongs to the virus. The result is
successful if TbClean restores the functionality of the original program
and reduces the functionality of the virus to zero.

NOTE:

This does not imply that the cleaned file is 100% equal to the
original. Please read on.

When TbClean uses heuristic cleaning to disinfect a program, the file
most likely will not be exactly the same as in its original state. This
does not imply a failure on TbClean's part, nor does it mean the file is
still infected in some way.

It is actually normal that the heuristically cleaned file is still larger
than the original. This is because TbClean tries to be on the safe
side and avoids removing too much. The bytes left at the end of the file
are dead code, that is, instructions that will never execute again,
since TbClean removes the jump at the beginning of the program. If the
cleaned file is an EXE type file, it is likely that some bytes in front
of the program (the EXE-header) are different. There are several
suitable solutions for reconstructing the EXE-header, so TbClean
cannot, of course, know the original state of the program. The
functionality of the cleaned file will nevertheless be the same.

NOTE:
This applies only to heuristic cleaning. If there is a suitable
ANTI-VIR.DAT record available, the cleaned program will normally be
exactly the same as the original clean file.

It is also possible for a file to be infected with multiple viruses, or
with multiple instances of the same virus. Some viruses keep on
re-infecting files they have already infected, and in such cases the
infected file keeps growing. If TbClean used its heuristic cleaning
mode, it is very likely that TbClean removed only one instance of the
virus. In this case, it is necessary to repeat the cleaning process
until TbClean reports that it cannot remove anything else.

3.6.2 Working with the TbClean Menus

Selecting TbClean from TBAV's Main Menu displays the following menu:

+------TbClean menu-------+
| Start cleaning          |
| List file name          |
| Use TBAV.INI file       |
| Prompt for pause        |
| Use Anti-Vir.Dat      v |
| Use Heuristics        v |
| Expanded memory       v |
| Display program loops   |
| Make list file          |
+-------------------------+

(A "v" marks an option that is currently enabled.)

We'll now explore these menu options.

The "Start Cleaning" Option

After detecting one or more viruses, all you should do is select the
Start cleaning option. After specifying the relevant filename, TbClean
goes into action. Before beginning, however, you can select various
parameters. We will explore these in the following sections.

The "List File Name" Option

By selecting this option you can specify a filename to use as a list file
(see also the Make list file option below).

The "Use TBAV.INI File" Option

If you enable this option, the TbClean configuration values saved in the
TBAV.INI file will also be valid if you run TbClean from the DOS command
line. Be careful, however, since if you specify options in the TBAV.INI
file, you cannot undo them on the command line. See the "Configuring
TBAV" section of Chapter 1 for details about TBAV.INI.

The "Prompt For Pause" Option

This option instructs TbClean to stop disassembling information after
each full screen, enabling you to examine the results.

The "Use ANTI-VIR.DAT" Option

If you turn this option off, TbClean acts as if there were no
ANTI-VIR.DAT records available and therefore performs heuristic cleaning.

The "Use Heuristics" Option

If you turn this option off, TbClean does not try to apply heuristic
cleaning, even when there are no ANTI-VIR.DAT records available.

The "Expanded Memory" Option

If you select this option, TbClean detects the presence of expanded
memory and uses it in heuristic mode. You might want to disable EMS usage
if it is too slow or if your expanded memory manager is not very stable.

The "Display Program Loops" Option

By default TbClean keeps track of looping conditions to prevent
repetitive data from appearing on your screen thousands of times. If you
select this option, TbClean "works out" every loop.

CAUTION:

Using this option drastically reduces TbClean's performance speed.
Also, do not combine this option with the "Make list file" option,
because the list file might grow too big.

The "Make List File" Option

Selecting this option instructs TbClean to generate an output file with a
chronological disassembly of the virus being removed.

Maximizing TbClean

Now that you know how to use TbClean's menus, you can more easily
understand the power of using it from the command line.

3.6.3 Using TbClean Command Line Options

When you run TbClean from the DOS command line, it recognizes command
line options (often called "switches" in DOS terms). These options appear
as "key-words" or "key-letters." The words are easier to memorize, so we
will use these in this manual for convenience.

You can maximize TbClean's performance by using its command line options.
The following table lists these options:

option     parameter       short   explanation
help                       he      display on-line help
pause                      pa      enable pause prompt
mono                       mo      force monochrome display output
noav                       na      do not use ANTI-VIR.DAT records
noheur                     nh      do not use heuristic cleaning
noems                      ne      do not use expanded memory
showloop                   sl      show every loop iteration (slow!)
list       [=<filename>]   li      create list file

The explanations in the above table serve as a quick reference, but the
following descriptions provide more information about each option.

TIP:
Remember that you can display these options from the command line by
entering TBCLEAN ?.

help (he).

Specifying this option displays the above options list.

pause (pa).

This option instructs TbClean to stop disassembling information
after each full screen, enabling you to examine the results. The
PAUSE option is available for registered users only.

mono (mo).

This option enhances the screen output on some LCD screens or
color-emulating monochrome systems.

noav (na).

If you specify this option, TbClean acts as if there were no
ANTI-VIR.DAT records available and therefore performs heuristic
cleaning.

noheur (nh).

If you specify this option, TbClean does not try to apply heuristic
cleaning, even when there are no ANTI-VIR.DAT records available.

noems (ne).

If you specify this option, TbClean does not detect the presence of
expanded memory and use it in heuristic mode. You might want to
disable EMS use if it is too slow, or if your expanded memory
manager is not very stable.

showloop (sl).

By default TbClean keeps track of looping conditions to prevent
repetitive data from appearing on your screen thousands of times. If
you select this option, TbClean "works out" every loop.

CAUTION:

Using this option drastically reduces TbClean's performance
speed. Also, do not combine this option with the "Make list
file" option, because the list file might grow too big.

list [=<filename>] (li).

This option instructs TbClean to generate an output file with a
chronological disassembly of the virus being removed. The LIST
option is available for registered users only.

Here are two examples of using TbClean from the command line:

1. This command:

TBCLEAN VIRUS.EXE

instructs TbClean to make a backup of the file VIRUS.EXE under the
filename VIRUS.VIR, and then disinfect VIRUS.EXE.

2. This command:

TBCLEAN VIRUS.EXE TEST.EXE

instructs TbClean to copy the file called VIRUS.EXE to the new
filename TEST.EXE and then disinfect TEST.EXE.

3.6.4 Understanding the Cleaning Process

TbClean's cleaning process is extremely important. To better illustrate
it, let's look at a sample file cleaning.

Assume you want to clean a file called COMMAND.COM, which resides in the
TMP directory on drive G. To do so, you would follow these steps:

1. Select the "Start cleaning" option on the TBAV menu. A window appears
asking for the name of the file to clean.

The ThunderBYTE utility cleans on a file-by-file approach; that is, it
cleans one file, verifies the result, and continues on to the next file.
This helps you keep track of which file is clean, which file is damaged
and should be restored from a backup, and which file is still infected.

2. Specify the name of the file. In this case, you would type
G:\TMP\COMMAND.COM and press ENTER. The following window appears:

+-------------------------------------------------------------------+
|                                                                   |
| Enter name of cleaned file. Keep blank if infected program may be |
| changed.                                                          |
|                                                                   |
+-------------------------------------------------------------------+

3. Type a new file name and press ENTER. In this case, we'll use
G:\TMP\TEST.COM. TbClean now begins the cleaning process.

By specifying a different name you ensure that the cleaned file cannot
overwrite the original file. In this example TbClean copies COMMAND.COM
to TEST.COM and disinfects TEST.COM.

If you leave the name of the cleaned file blank, TbClean creates a backup
of the original with the .VIR extension. In this example, TbClean would
copy the original file to COMMAND.VIR and then clean COMMAND.COM.

During the cleaning process, TbClean displays as much information as
possible about the current operation, as illustrated below. All the major
actions appear in the emulation window at the lower half of the screen,
which displays a disassembly and the register contents of the program
under scrutiny, as well as a progress report. The top-left and top-right
status windows reveal useful details of the infected file and (if TbClean
can find a suitable ANTI-VIR.DAT record) the file's original status. You
can abort the cleaning process by pressing Ctrl+Break.

+--------------------------------------------------------------------------+
| Thunderbyte clean utility                    (C) 1992-95 Thunderbyte B.V.
+---------Infected state-------------++---------Original state-------------+
| Entry point (CS:IP)  34BF:0012     || Entry point (CS:IP)  34BF:0012
| File length                        || File length          UNKNOWN!
| Cryptographic CRC    9F90F52A      || Cryptographic CRC    UNKNOWN!
+------------------------------------++------------------------------------+
|
| Starting clean attempt. Analyzing infected file...
| Anti-Vir not found: original state unknown. Trying emulation...
| Emulation terminated:
|
| G:\VIRUS\COMMAND.COM
| CS:IP      Instruction   AX   BX   CX   DX   DS   SI   ES   DI   SS   SP
| 9330:0101  mov ah,40     FFFE 9330 FFFF EFFF D382 FFED EFFE FFFF 9520 007E
| 9330:0103  mov bx,0002   40FE 9330 FFFF EFFF D382 FFED EFFE FFFF 9520 007E
| 9330:0106  mov cx,0016   40FE 0002 FFFF EFFF D382 FFED EFFE FFFF 9520 007E
| 9330:0109  mov dx,cs     40FE 0002 0016 EFFF D382 FFED EFFE FFFF 9520 007E
| 9330:010B  mov ds,dx     40FE 0002 0016 9330 D382 FFED EFFE FFFF 9520 007E
| 9330:010D  mov dx,0117   40FE 0002 0016 9330 9330 FFED EFFE FFFF 9520 007E
| 9330:0110  int 21        40FE 0002 0016 0117 9330 FFED EFFE FFFF 9520 007E
| 9330:0112  mov ax,4CFF   40FE 0002 0016 0117 9330 FFED EFFE FFFF 9520 007E
| 9330:0115  int 21        4CFF 0002 0016 0117 9330 FFED EFFE FFFF 9520 007E
| 9330:0115  <End of emulation>
|
+--------------------------------------------------------------------------+

A successful purge is not the end of the story! Your job is only
partially complete. Some viruses damage data files. They could randomly
change bytes on your disks, swap sectors, or perform other nasty tricks.
A cleaning utility can never repair data!

4. Check your data files thoroughly and consult a virus expert to find
out what the virus is capable of doing. If there is any doubt, restoring
the data is definitely the most reliable option.

WARNING:

Under no circumstances should you continue to use cleaned software!
Cleaning is a temporary solution that simply enables you to delay a
large restore operation until a more practical time. You should
never rely on a cleaned program for any length of time. This is not
a criticism of anti-viral cleaning agents. If your data is valuable
to you, you should care for it as much as possible, and sticking to
original software is simply an elementary precaution. In other
words, restore the original programs as soon as possible!

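As an added example (this is not TBAV code and not ThunderBYTE's implementation), the following Python models the behaviour described on page 97 for TbCheck and in sections 3.6.1 and 3.6.4 for TbClean: an entry-area integrity check against a stored record, the slow full check that catches any change, the SECURE policy for changed or unknown programs, a repair clean that uses the record to restore the file exactly, a heuristic clean that puts the original entry bytes back and leaves the virus body behind as dead code (so the file stays larger than the original and a doubly infected file needs two passes), and the copy-to-.VIR-before-cleaning workflow. The Record fields, the 16-byte entry area, zlib.crc32 standing in for TBAV's "cryptographic CRC", and the appending .COM infector used as input are all assumptions constructed for this demonstration; TbClean's real heuristic cleaner locates the original bytes by emulating the code, which this model does not do.

```python
# Added example, not TBAV's own code: a simplified model of TbCheck's
# entry-area integrity check (with the SECURE policy) and of TbClean's
# "repair" and "heuristic" cleaning of an appending .COM infector.
# ANTI-VIR.DAT's real layout is not documented here; Record is an assumed
# stand-in and the infector is constructed for the demo.
import os
import tempfile
import zlib
from dataclasses import dataclass

ENTRY_AREA = 16  # bytes compared at the entry point (size is assumed)

@dataclass
class Record:
    length: int   # original file size
    entry: bytes  # original bytes at the entry point
    crc: int      # checksum over the whole original file

def make_record(image: bytes) -> Record:
    # .COM files only: the entry point is offset 0 (loaded at CS:0100).
    return Record(len(image), image[:ENTRY_AREA], zlib.crc32(image))

def quick_check(image: bytes, rec: Record) -> bool:
    """TbCheck's normal check: only the entry area is compared."""
    return image[:ENTRY_AREA] == rec.entry

def full_check(image: bytes, rec: Record) -> bool:
    """The slow "any change" check: length and checksum of the whole file."""
    return len(image) == rec.length and zlib.crc32(image) == rec.crc

def decide(image: bytes, rec, secure: bool = False) -> str:
    """On program load: RUN, PROMPT the user, or REFUSE. SECURE mode never
    lets a changed or unknown (no record) program run."""
    if rec is None or not quick_check(image, rec):
        return "REFUSE" if secure else "PROMPT"
    return "RUN"

def infect(image: bytes, body: bytes) -> bytes:
    """Constructed appending infector: save the first 3 bytes inside the
    appended body and overwrite the entry with a JMP (E9 rel16) to it."""
    rel = len(image) - 3  # rel16 counts from the end of the 3-byte JMP
    return b"\xE9" + rel.to_bytes(2, "little") + image[3:] + image[:3] + body

def repair_clean(image: bytes, rec: Record) -> bytes:
    """Repair cleaner: the record supplies the original entry bytes and
    length, so the result is byte-for-byte identical (checksum verified)."""
    cleaned = rec.entry + image[ENTRY_AREA:rec.length]
    if not full_check(cleaned, rec):
        raise ValueError("checksum mismatch after repair")
    return cleaned

def heuristic_clean(image: bytes) -> bytes:
    """Heuristic cleaner without a record: follow the entry JMP into the
    appended code, recover the saved original bytes and put them back.
    The virus body stays behind as dead code, so the file remains larger
    than the original. Returns the input unchanged when there is nothing
    more to remove. (TbClean finds the saved bytes by emulation; here the
    constructed infector's layout is simply known.)"""
    if image[:1] != b"\xE9":
        return image
    target = 3 + int.from_bytes(image[1:3], "little")
    if not 3 <= target <= len(image) - 3:
        return image
    return image[target:target + 3] + image[3:]

def clean_file(path: str, out_path: str = "") -> int:
    """TbClean-style workflow: never clean in place. Without an output name
    the original is first copied to .VIR; with one, the copy is cleaned.
    Repeats until nothing else is removed; returns the number of passes."""
    with open(path, "rb") as f:
        image = f.read()
    if not out_path:
        with open(os.path.splitext(path)[0] + ".VIR", "wb") as f:
            f.write(image)
        out_path = path
    passes = 0
    while (cleaned := heuristic_clean(image)) != image:
        image, passes = cleaned, passes + 1
    with open(out_path, "wb") as f:
        f.write(image)
    return passes

# Constructed .COM: prints "Hi$" via INT 21h/AH=09h, exits, then data bytes.
CLEAN_COM = bytes.fromhex("B409 BA0C01 CD21 B8004C CD21") + b"Hi$" + bytes(range(200))

def run_demo() -> tuple:
    """Clean a twice-infected copy on disk; returns (passes, backup intact,
    cleaned prefix equals the original, bytes of dead code left over)."""
    twice = infect(infect(CLEAN_COM, b"\x90" * 40), b"\xCC" * 20)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "COMMAND.COM")
        with open(path, "wb") as f:
            f.write(twice)
        passes = clean_file(path)
        with open(path, "rb") as f:
            cleaned = f.read()
        with open(os.path.join(d, "COMMAND.VIR"), "rb") as f:
            backup = f.read()
    n = len(CLEAN_COM)
    return passes, backup == twice, cleaned[:n] == CLEAN_COM, len(cleaned) - n
```

Calling run_demo() returns (2, True, True, 66): the doubly infected file needed two heuristic passes, the .VIR backup still holds the infected image, the cleaned program's leading bytes match the original, and 66 bytes of dead code remain at the end. repair_clean on the same file returns the original exactly, as the NOTE above says a record allows. A 25-byte change outside the entry area passes quick_check and is allowed to run, but fails full_check, which is the situation the page-97 passage describes.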
3.6.5 Understanding Cleaning Limitations

Although TbClean has a very high success rate and is able to clean
programs that other cleaners refuse to process, it simply cannot remove
all viruses and cannot clean every file. Examples of computer viruses
that TbClean (or other virus cleaners) cannot clean include:

Overwriting viruses. This type of virus does not add itself to the
end of the original program; rather, it copies itself over the
original file. Further, it does not attempt to start the original
program but simply hangs the machine or returns you to DOS after it
activates. Since it overwrites the original file, no cleaner can
restore the file.

Some encrypted viruses. TbClean is usually able to decrypt the
virus. However, some viruses use anti-debugger features that TbClean
cannot yet cope with (but we're working on it!).

The construction of some program files makes them impossible to
clean, making reinstallation the only option. Some of these file
types include:

EXE programs with internal overlays. TbScan marks these files
with an "i" flag. Any infection is sure to cause major damage
to these files. Some viruses recognize such programs and do not
infect them, but most viruses infect these programs anyway and
corrupt them. No cleaner can repair this kind of damage.

Programs with sanity check routines. Some programs (mostly
anti-virus software or copy-protected programs) perform their
own kind of sanity check. Heuristic cleaning of an infected
program normally results in a program that is not physically
identical to the original. So, although TbClean removes the
virus from the program and the program is functionally
identical to the original, the program's internal sanity check
usually detects the slight changes and aborts the program.

Cleaning Multiple Files

TbClean has no provisions for cleaning multiple programs in one run.
There are two reasons for this omission:

1. TbClean cannot search for viruses automatically since it does not
know any virus.

2. We recommend that you clean the system on a file-by-file basis.
Clean one file, verify the result, and go on to the next file.
Again, this helps you keep track of which files are clean, which
files are damaged and should be restored from a backup, and which
files are still infected.

3.7 Using TbMem

TBAV provides three extra utilities that help you build a massive
security wall around your computer system. This set includes TbMem,
TbFile and TbDisk. In this section we'll introduce these three utilities
collectively as a set and then examine each individual utility.

3.7.1 Introducing the TbMem, TbFile & TbDisk Utilities

As the old saying goes, an ounce of prevention is worth a pound of cure,
and the computer virus threat gives this old saying new meaning. TBAV is
the best product on the market for removing viruses, but if this is all
it did, it would be of little use. It's much wiser to prevent virus
infection than to wait until you get one and remove it.

This is where a set of three memory-resident (TSR) programs comes
in. These utilities are shipped with TBAV for DOS; they monitor specific
areas of your system and protect against virus infection. These three
utilities are:

TbMem.

This program detects attempts by programs to remain resident in
memory and ensures that no program can remain resident in memory
without permission.

TbFile.

This program detects attempts by programs to infect other programs.

TbDisk.

This program detects attempts by programs to write directly to the
disk (bypassing DOS), attempts to format disks, and other such
destructive actions.

3.7.2 Loading TbMem, TbFile and TbDisk

The TbMem, TbFile and TbDisk programs load in the same way. The following
sections contain specific information on each of the programs, but here
we present loading information that is common to all of them.

CAUTION:
You must load TbDriver before you can load any of the TbMem, TbFile
or TbDisk utilities. These utilities will refuse to load without it.

There are three possible ways to load TbMem, TbFile or TbDisk. Please
note that we call the programs TbXXX here. Naturally, you will replace
the XXX with either Mem, File, or Disk when you load each utility.

1. From the DOS prompt or within the AUTOEXEC.BAT file:
<PATH>TBXXX

2. From the CONFIG.SYS file as a TSR (DOS 4 or higher):
INSTALL=<PATH>TBXXX.EXE
The INSTALL= CONFIG.SYS command is NOT available in DOS 3.xx.

3. From the CONFIG.SYS as a device driver:
DEVICE=<PATH>TBXXX.EXE

NOTE:

Executing one of the utilities TbMem, TbFile or TbDisk as a device
driver does not work in all OEM versions of DOS. If it doesn't work,
use the INSTALL= command or load the desired program from within the
AUTOEXEC.BAT. TbMem, TbFile and TbDisk should always work correctly
after being started from within the AUTOEXEC.BAT file. Also, unlike
other anti-virus products, you can load the ThunderBYTE Anti-Virus
utilities before starting a network without losing the protection
after the network starts.

In addition to the three loading possibilities, if you are using DOS
version 5 or above, you can load the TbMem, TbFile or TbDisk programs in
an available UMB (upper memory block) from AUTOEXEC.BAT using the
following command:

LOADHIGH <PATH>TBXXX.EXE

You can load TbMem, TbFile or TbDisk high from within the CONFIG.SYS
using the following command:

(Page 110 of the manual is missing from this copy.)

programs load themselves into memory, remain resident in memory, and
perform some task in the background. Programs in this category
include disk caches, print spoolers and network software. These
programs are often referred to as TSR (Terminate and Stay Resident)
programs.

Like a TSR program, most viruses also remain resident in memory, and it
is for this reason that TbMem should be used to control the process of
becoming resident in memory.

If a program attempts to become resident, TbMem offers you the option to
abort the attempt. It does this by guarding the DOS TSR function calls
while also monitoring important interrupts and memory structures. TbMem
uses the ANTI-VIR.DAT records to determine whether it will allow a
specific program to remain resident in memory.

TbSetup recognizes many common TSRs. If it doesn't recognize a TSR,
however, TbMem asks your permission for the TSR to load. It then
maintains permission information in the ANTI-VIR.DAT files to prevent
TbMem from bothering you when an approved TSR is loading.

TbMem also checks the contents of the CMOS configuration memory after
each program termination to ensure that programs have not changed it.
TbMem offers you the option of restoring the CMOS configuration when it
changes. Once you teach TbMem which programs are TSRs and which are not
on a PC, you can use TbSetup to set the permission flag of these files on
other machines.

TbMem also installs a hot key that you can use to escape from nearly all
programs.

TbMem is fully network compatible. It does not require you to reload the
checker after logging onto a network.

3.7.5 Working with TbMem

Since TbMem is a memory resident program, you can execute and configure
it from the command line or from within a batch file. It is more
efficient, however, to load TbMem at boot up from either CONFIG.SYS or
AUTOEXEC.BAT. See the "Loading TbMem, TbFile and TbDisk" section
earlier in this chapter for details.

CAUTION:
You must load TbDriver before you can load TbMem. TbMem will refuse
to load without it.

3.7.6 Maximizing TbMem

You can maximize the performance of TbMem by using its command line
options. The first four options in the table below are always available.
The other options are available only if TbMem is not yet memory resident.

option     parameter     short   explanation
help                     ?       display on-line help
remove                   r       remove TbMem from memory
on                       e       enable checking
off                      d       disable checking
secure                   s       do not execute unauthorized TSRs
hotkey     =<keycode>    k       specify keyboard scancode for the program
                                 cancel hotkey
nocancel                 n       do not install the cancel hotkey
nocmos                   m       do not protect CMOS memory

The explanations in the above table serve as a quick reference, but the
following descriptions provide more information about each option.

TIP:

Remember that you can display these options from the command line by
entering TBMEM ?.

help (?).

Specifying this option displays the brief help as shown above.

remove (r).

This option disables TbMem and attempts to remove the resident part
of its code from memory and return this memory space to the system.
Unfortunately, this works only if you loaded TbMem last. An attempt
to remove a TSR after you load another TSR leaves a useless gap in
memory and could disrupt the interrupt chain. TbMem checks whether
it is safe to remove its resident code; if not, it simply disables
itself.

on (e).

This option reactivates TbMem after you disable it using the OFF
option.

off (d).

Specifying this option disables TbMem but leaves it in memory.

secure (s).

TbMem normally asks the user to continue or to cancel when a program
tries to remain resident in memory. In some business environments,
however, employees should not make this choice. If you use this
option, it is no longer possible to execute new or unknown resident
software. It is also no longer possible to use the REMOVE or OFF
options.

hotkey (k).

TbMem offers you a reliable way to escape from any program by
pressing a special key combination. You can not only use this
feature to escape from programs that
but also from software
that seems to be malicious (although we recommend powering down and
rebooting from a write-protected system disk). Instead of the
default combination (Ctrl+Alt+Insert), you can specify another
keyboard combination using the HOTKEY=<KEYCODE> option. You must
specify the scancode using a 4-digit hexadecimal number; the first
two digits specify the shift-key mask, and the last two digits
specify the keyboard scancode. Consult your PC manual for a list of
"scan codes." For example, the default scan code is 0C52, but you
can change this to another code, such as 0C01, the code for
Ctrl+Alt+Esc.

nocancel (n).

TbMem normally installs the program cancel hot key
(Ctrl+Alt+Insert). If you do not want to use the program cancel hot
key, specify this option, since this saves a few bytes of memory.

nocmos (m).

`TbMem normally protects the CMOS memory if available. Ifyou do not
`want TbMem to do this. you can specify this option.
`
`The following command loads TbMem as a device driver in the CONFIGSYS,
`configures the “program canoe] hot key" as Ctr1+A1t+Esc, and cancels
`protection of CMOS memory:
`
`DEVICE=C:\TBAV\TBMIi-3M.E§CE. H0’I'KEY=0C0l NOCMOS
`
`To achieve the same functionality. you could execute.ThMem from the DOS
`command line rather then specifying the TbMem command line in the
`CONFICLSYS by entering the following command at the DOS command line:
`
`C:\TBAV\'I'BMEM.l-DKB I-IOTKEY=0C0l NOCMQS
`
`' 3.7.7 Understanding TbMem's Operation
`
`If 'I‘bMem detects that a program tries to remain resident in memory, it
`displays a pop-up window displaying a message to that effect. You can
`either choose to continue, or to abort the program's loading. lfyou
`answer "NO" to the question "Remove program fi'om memory?" the program
`continues undisturbed, and ’I'bMen1 places a mark in the ANII-V'£R.DAT file
`about this program. Next time you invoke the same resident program, TbMem
`will not disturb you again.
`
`There are many programs that normally remain resident in memory, such as:
`disk caches, print spoolers, and others. How, then, does TbMem
`distinguish between these programs and viruses?
`
`'I'bMern uses the AN1'[—VIR.DA'I‘ records generated by Tbsernp to keep track of
`which files are normal TSRS and which are not. It marks most common
`resident software as being common so you don't have to worry about these
`files.
`
If TbMem pops up with the message that a program tries to remain resident
in memory, you have to consider the purpose of the program mentioned. For
example, is the program supposed to continue to operate in the
background? The answer is obviously yes if the program is a disk cache,
print spooler, pop-up utility or system extension software.

If, on the other hand, the message appears after you have exited your
word processor, database, or spreadsheet application, something is
definitely wrong! You ought to terminate the program immediately and use
a virus scanner to check the system. The same applies when software that
operates normally without staying resident in memory suddenly changes its
behavior and tries to remain resident in memory.

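Section 3.7.7 describes the decision TbMem makes when a program tries to stay resident: programs that TbSetup has marked as common TSRs pass silently, unknown ones produce the "Remove program from memory?" pop-up, and a "NO" answer is remembered so the same program is not questioned again. The following added model (illustration code, not ThunderBYTE's) puts that logic in one place. The record class and its field names are constructed stand-ins for ANTI-VIR.DAT entries, and the "behaviour changed" warning for a program that previously ran without staying resident is this example's own way of surfacing the case the manual tells the user to watch for; TbMem itself is not documented here as printing such a label.

```python
# Added model of TbMem's stay-resident check (section 3.7.7). Illustration
# only, not ThunderBYTE code. ProgramRecord is a constructed stand-in for an
# ANTI-VIR.DAT record; its field names are assumptions.
from dataclasses import dataclass


@dataclass
class ProgramRecord:
    program: str
    known_tsr: bool = False         # common resident software, or user answered "NO"
    ran_non_resident: bool = False  # seen terminating normally before


class ResidentMonitor:
    """Decides what happens when a program tries to remain resident in memory."""

    CONTINUE, ABORT = "continue", "abort"

    def __init__(self, records):
        self.records = {r.program.upper(): r for r in records}
        self.prompts = []  # pop-up questions shown, kept for inspection

    def _record(self, program):
        key = program.upper()
        if key not in self.records:
            self.records[key] = ProgramRecord(program)
        return self.records[key]

    def program_exited(self, program):
        """Called when a program terminates without staying resident."""
        self._record(program).ran_non_resident = True

    def stay_resident(self, program, remove_program):
        """remove_program(question) -> bool is the user's answer to the pop-up."""
        rec = self._record(program)
        if rec.known_tsr:
            return self.CONTINUE  # marked in the records: no pop-up
        question = (f"{program} tries to remain resident in memory. "
                    "Remove program from memory?")
        if rec.ran_non_resident:
            # This example's own flag for the case the manual singles out:
            # software that never stayed resident before suddenly does.
            question = "WARNING, behaviour changed: " + question
        self.prompts.append(question)
        if remove_program(question):
            return self.ABORT
        rec.known_tsr = True  # answered "NO": remember it, as TbMem does
        return self.CONTINUE


def demo():
    """Constructed scenario; SMARTDRV.EXE stands in for a TbSetup-marked TSR."""
    mon = ResidentMonitor([ProgramRecord("SMARTDRV.EXE", known_tsr=True)])
    results = [
        mon.stay_resident("SMARTDRV.EXE", lambda q: True),  # known TSR, no prompt
        mon.stay_resident("PRINT.COM", lambda q: False),    # prompted, user keeps it
        mon.stay_resident("PRINT.COM", lambda q: True),     # now marked, no prompt
    ]
    mon.program_exited("WP.EXE")                            # word processor ran normally
    results.append(mon.stay_resident("WP.EXE", lambda q: True))  # warned, aborted
    return results, mon.prompts


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The model shows why an allow-list of known resident software is what keeps a behaviour monitor usable: without the marks TbSetup and the user's "NO" answers leave in the records, every disk cache and print spooler would prompt on every boot.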
Page 116

3.8 Using TbFile

This section concerns another resident TBAV utility, TbFile, which checks
programs for virus infections as they begin to load.

3.8.1 Understanding TbFile

The two most dangerous virus categories are the boot sector and the file
variants. File viruses all have a common purpose, namely, to infect
programs. Infecting a program involves very unusual file manipulations
that are quite dissimilar to normal file handling procedures, so in order
to detect viral activity it is essential to keep an eye out for program
file changes involving peculiar actions.

TbFile monitors the system and detects attempts by programs to infect
other programs. Unlike other file guards, TbFile monitors the system only
for virus-specific file modifications. TbFile doesn't generate an alarm
when a program modifies itself for configuration purposes, nor does it
bother you when you update a program or create one yourself. On an
average system, configurations should never cause a false alarm. TbFile
has a very sophisticated i
