ThunderBYTE
`
`Anti-Virus Utilities
`
`USER MANUAL
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 1
`
`

`
`The ThunderBYTE Anti-Virus Utilities are a product of:
`
`ESaSS B.V.
`P.O. Box 1380
`6501 BJ NIJMEGEN
`The Netherlands
`
`COPYRIGHT (c) 1995 by:
`
`ThunderBYTE B.V.,
`Wijchen, The Netherlands.
`
`All rights reserved. No part of this manual may be reproduced, stored in
`a retrieval system, or transmitted in any form, by print, microfilm, or
`by any other means without written permission from ThunderBYTE B.V.
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 2
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page i
`
`Table of Contents
`
`Introduction
`A Word (or Two) of Thanks
`What Are the TBAV Utilities?
`The TBAV Utilities User Interface
`Conventions Used in This Manual
`How To Use This Manual
`
`1 TBAV QuickStart .
`1.1 Installing the TBAV Utilities
`1.1.1 Understanding System requirements
`1.1.2 Running INSTALL
`.
`1.1.3 Installation on a network
`1.1.4 Starting And Ending TBAV
`1.1.5 Using TBAV Commands
`1.1.6 Getting Help
`1. 1. 7 ConfigurL'1g TBAV
`1.2 Understanding TbSetup
`1.3 Understanding TbDriver .
`1.4 MalnLalnlng Lhe SysLem
`.
`1. 4.1 MaintainL'1g ANTI-VIR. OAT Files
`1.4.2 Creating a New Recovery Diskette
`1.4.3 Getting Updates
`.
`.
`1.4.4 Maintaini~g a Network
`1.4.5 Using the PKUNZIP Utility
`
`2 Defining Your Anti-Virus Strategy .
`2.1 Protecting Yourself Against Virus Infection
`2.2 Recovering from Virus Infection
`
`3 Using the TBAV utilities
`3.1 Using TbSetup
`3.1.1 Understanding TbSetup
`3.1.2 Working with the TbSetup Menu
`3.1.3 Maximizing TbSetup
`3.1.4 Understanding TbSetup's Operation
`3.1.5 Understanding TBSETUP.DAT Files
`3.2 Using TbScan .
`3.2.1 Understanding TbScan
`3.2.2 Working with the TbScan Menus
`3.2.3 Maximizing TbScan .
`
`1
`1
`1
`5
`6
`6
`
`8
`8
`8
`8
`11
`11
`14
`15
`16
`18
`19
`20
`20
`20
`20
`21
`22
`
`24
`24
`29
`
`33
`33
`33
`34
`40
`44
`45
`47
`47
`48
`62
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 3
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page ii
`
`3.2.4 Understanding the Scanning Process
`3.2.5 Understanding Heuristic Flags
`3.3 Using TbDriver .
`.
`3.3.1 Understanding TbDriver
`3.3.2 Working with TbDriver
`3.3.3 Maximizing TbDriver .
`3. 4 Using TbScanX
`3.4.1 Understanding TbScanX
`3.4.2 Working with TbScanX
`3.4.3 Maximizing TbScanX
`3.4.4 Understanding the Scanning Process
`3. 5 Using TbCheck
`3.5.1 Understanding TbCheck
`3.5.2 Working with TbCheck
`3.5.3 Maximizing TbCheck
`3.5.4 Understanding the Scanning Process
`3.5.5 Testing TbCheck
`.
`3. 6 Using TbClean
`3.6.1 Understanding TbClean
`3.6.2 Working with the TbClean Menus
`3.6.3 Using TbClean Command Line Options
`3.6.4 Understanding the Cleaning Process
`3.6.5 Understanding Cleaning Limitations
`3.7 Using TbMem
`3.7.1 InLroducl~g Lhe TbMem, TbFlle & TbDlsk ULlllLles
`3.7.2 Loading TbMem, TbFile and TbDisk
`3.7.3 Using Command Line Options
`3.7.4 Understanding TbMem
`3.7.5 Working with TbMem
`3.7.6 Maximizing TbMem
`3.7.7 Understanding TbMem's Operation
`3. 8 Using TbFile .
`3.8.1 Understanding TbFile
`3.8.2 Working with TbFile
`3.8.3 Maximizing TbFile .
`3.9 Using TbDisk
`.
`3.9.1 Understanding TbDisk
`3.9.2 Working with TbDisk
`.
`3.9.3 Maximizing TbDisk
`.
`3.9.4 Understanding TbDisk's Operation
`3.10 Using TbUtil
`3.10.1 Understa~ding and using TbUtil
`3.10.2 Working with the TbUtil Menu
`.
`3.10.3 Maximizi~g TbUtil
`3.10.4 Using the Anti-Virus Partition
`3.10.5 Using the TbUtil diskette
`
`72
`76
`78
`78
`78
`79
`84
`84
`84
`86
`90
`92
`92
`92
`94
`96
`96
`98
`98
`99
`101
`104
`106
`108
`108
`108
`110
`110
`111
`112
`114
`116
`116
`117
`117
`120
`120
`121
`122
`125
`126
`126
`127
`131
`137
`137
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 4
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page iii
`
`.
`3.11 Using TbLog
`3.11.1 Understa~ding and using TbLog
`3.11.2 Working with TbLog
`3.11.3 Maximizi~g TbLog
`.
`3.12 Using TbNet
`.
`3.12.1 Understa~ding TbNet
`3.12.2 Working with TbNet
`3.12.3 Maximizi~g TbNet
`.
`
`4 Understanding Advanced User Information
`4.1 Understanding Memory Considerations
`4.1.1 UndersLandlng Memory RequlremenLs
`4.1.2 Reducing Memory Requirements
`4.2 Understanding TbSetup
`4.2.1 Understanding ANTI-VIR.DAT File Design
`4.2.2 Editing the TBSETUP.DAT File
`4.2.3 Simplifyi~g Installation on Several Machines
`4.3 Understanding TbScan
`4.3.1 Understanding Heuristic Scanning
`4.3.2 Understanding How Heuristic Scanning Works
`4.3.3 Understanding Integrity Checking
`4.3.4 Understanding the Scan Algorithms
`4.3.5 Understanding the TBSCAN.LNG File
`4.3.6 Understanding the TBAV.MSG File .
`4.4 UndersLandlng TbClean
`4.4.1 Understanding how a Virus infects a file
`4.4.2 Understanding Conventional Cleaners
`4.4.3 Understanding Generic Cleaners
`4.5 Using TbGenSig . .
`4.5.1 Understanding and using TbGenSig
`4.5.2 Working with TbGenSig .
`4.5.3 Defining a Signature with TbScan
`4.5.4 Understanding Keywords
`4.5.5 Understanding a Sample Signature: Haifa.Mozkin
`
`Appendices
`Appendix A: TBAV messages
`A.1 TbClean
`A. 2 TbDriver
`A.3 TbScan
`.
`A.4 TbScanX
`Appendix B: TbScan Heuristic Flag Descriptions
`Appendix C: Solving Incompatibility Problems
`Appendix D: TBAV Exit Codes and Batch Files
`D.1 TbScan Exit Codes
`D.2 TbUtil Exit Codes
`
`.
`
`139
`139
`139
`141
`143
`143
`143
`144
`
`147
`147
`147
`148
`150
`150
`150
`152
`153
`153
`155
`156
`157
`159
`160
`161
`161
`161
`163
`165
`165
`165
`166
`168
`173
`
`175
`175
`175
`177
`178
`179
`180
`186
`189
`189
`189
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 5
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page iv
`
`.
`D.3 General Exit Codes
`D.4 Program Installation Check
`Appendix E: Virus Detection and Naming
`E.1 How Many Viruses Does TbScan Detect?
`E.2 The Virus Naming Convention
`
`Index .
`
`189
`189
`191
`191
`191
`
`i
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 6
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page 1
`
`Introduction
`
`A Word (or Two) of Thanks
`
`Congratulations! By purchasing the ThunderBYTE Anti-Virus utilities you
`have taken the basic step in building a massive anti-viral safety wall
`around your precious computer system. Setting up the appropriate defense
`using the TBAV utilities is a personal matter. Therefore, we recommend
`to read this manual thoroughly, so you are well aware of the different
`kinds of security measures you can take.
`
`What Are the TBAV Utilities?
`
`ThunderBYTE Anti-Virus (TBAV) is a comprehensive tool kit designed to
`protect against, and recover from, computer viruses. While TBAV focuses
`heavily on numerous ways to prevent a virus infection, the package would
`not be complete without various cleaner programs to purge a system, in
`the unlikely event that a virus manages to slip through. The package,
`therefore, consists of several programs, each of which helps you to
`prevent viruses from accomplishing their destructive purposes. Here is a
`quick overview.
`
`TbSetup: Collecting Software Information
`
`TbSetup is a program that collects information from all software it
`finds on your system. It places this information in files named
`ANTI-VIR.DAT and uses it for integrity checking, program validation,
`and cleaning infected files.
`
`TbDriver: Enable Memory Resident TBAV Utilities
`
`While TbDriver provides little protection against viruses by itself,
`you must load it in advance to enable the memory resident
`ThunderBYTE Anti-Virus utilities to perform properly. These
`utilities include: TbScanX, TbCheck, TbMem, TbFile, and TbDisk.
`TbDriver also provides basic protection against ANSI bombs and
`stealth viruses.
`
`TbScan: Scanning for Viruses
`
`TbScan is both a fast signature scanner and a so-called heuristic
`scanner. Besides its blazing speed, it has many configuration
`options. It can detect mutants of viruses, bypass stealth type
`viruses, etc. The signature file TbScan uses is a coded TBSCAN.SIG
`file, which you can update yourself in case of emergency.
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 7
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page 2
`
`TbScan will disassemble files. This makes it possible to detect
`suspicious instruction sequences and detect yet unknown viruses. As
`pointed out earlier, this generic detection, named heuristic
`analysis, is a technique that makes it possible to detect about 90%
`of all viruses by searching for suspicious instruction sequences
`rather than relying on any signature. For that purpose TbScan has a
`built-in disassembler and code analyzer.
`
`Another feature of TbScan is the integrity checking it performs when
`it finds the ANTI-VIR.DAT files generated by TbSetup. Integrity
`checking means that TbScan verifies that every file it scans
`maLches Lhe informaLion which was capLured when Lhe file was firsL
`analyzed by TbSetup and is maintained in the ANTI-VIR.DAT files. If
`a virus infects a file, the information in the ANTI-VIR.DAT file
`will indicate that the file has been changed, and TbScan will inform
`you of this. TbScan performs an integrity check automatically, and
`it does not have the false alarm rate other integrity checkers have.
`The goal is to detect viruses and NOT to detect configuration
`changes!
`
`TbScanX: Automatic Scanning
`
`TbScanX is the memory resident version of TbScan. This signature
`scanner remains resident in memory and automatically scans those
`files LhaL are being execuLed, copied, de-archived, downloaded, eLc.
`TbScanX does not require much memory. It can swap itself into
`expanded, XMS, or high memory, using only one kilobyte of
`conventional memory.
`
`TbCheck: Check While Loading
`
`TbCheck is a memory resident integrity checker that remains resident
`in memory and automatically checks every file just before it
`executes. TbCheck uses a fast integrity checking method, which
`consumes only 400 bytes of memory. You can configure it to reject
`files with incorrect checksums, and/or reject files that do not have
`a corresponding ANTI-VIR.DAT record.
`
`TbUtil: Restoring Infected Boot-Sector, CMOS and Partition Tables
`
`Some viruses copy themselves into the hard disk's partition table,
`which makes them far more difficult to remove than boot sector
`viruses. Performing a low-level format is an effective, but rather
`drastic measure.
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 8
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page 3
`
`TbUtil offers a more convenient alternative by making a
`precautionary backup of uninfected partition tables and the boot
`sector. If an infection occurs, you can use the TbUtil backup as a
`verifying tool and as a means to restore the original (uninfected)
`partition table and boot sector, without the need for a destructive
`disk format. TbUtil can also restore the CMOS configuration for you.
`If a backup of your partition table is not available, TbUtil tries
`to create a new partition table anyway, again avoiding the need for
`a low-level format.
`
`Another important feature of TbUtil is the option to replace the
`parLiLion Lable code wiLh new code offering greaLer resisLance Lo
`viruses. TbUtil executes the partition code BEFORE the boot sector
`gains control, enabling it to check this sector in a clean
`environment. The TbUtil partition code performs a CRC calculation on
`the master boot sector just before the boot sector code activates
`and issues a warning if the boot sector has been modified. The
`TbUtil partition code also checks and reports changes in the RAM
`layout. It performs these checks whenever the computer boots from
`the hard disk.
`
`We should point out that boot sector verification is imperative
`before allowing the boot sector code to execute. A virus could
`easily become reside~t in memory during boot-up and hide its
`presence. TbULil offers LoLal securiLy aL Lhis sLage by being acLive
`before the boot sector executes. TbUtil is far more convenient than
`the traditional strategy of booting from a clean DOS diskette for an
`undisturbed inspection of the boot sector.
`
`TbClean: Reconstructing Infected Files
`
`TbClean is a generic file cleaning utility. It uses the ANTI-VIR.DAT
`files generated by TbSetup to enhance file cleaning and/or to verify
`the results. TbClean can also work without these files. It
`disassembles and emulates the infected file and uses this analysis
`to reconstruct the original file.
`
`TbMem, TbFile and TbDisk: Resident Safeguards
`
`The TBAV utilities i~clude a set of memory resident anti-virus
`utilities, consisting of TbMem, TbFile and TbDisk. Most other
`resident anti-virus products offer you the choice to either invoke
`them before the network loads (thereby losing the protection after
`the logon procedure), or to load the anti-viral software after
`logging onto the network, resulting in a partially unprotected
`system. The TBAV utilities, on the other hand, recognize the network
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 9
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page 4
`
`software and utilize their auto-configuration capabilities to ensure
`their continued functionality.
`
`TbMem: Safeguarding Memory
`
`TbMem detects attempts from programs to remain resident in memory
`and ensures that no program can remain resident in memory without
`permission. Since most viruses remain resident in memory, this is a
`powerful weapon agai~st all such viruses, known or unknown. TbMem
`also protects your CMOS memory against unwanted modifications. The
`ANTI-VIR.DAT files maintain a database of the permission
`lnformal.lon.
`
`TbFile: Executable File Protection
`
`TbFile detects attempts from programs to infect other programs. It
`also guards read-only attributes, detects illegal time-stamps, etc.
`It ensures that no virus succeeds in infecting programs.
`
`TbDisk: Protecting The Disk
`
`TbDisk is a disk guard program that detects attempts from programs
`to write directly to disk (that is, without using DOS), attempts to
`format, etc., and makes sure that no malicious program succeeds in
`desLroylng your daLa. This uLlllLy also Lraps Lunnellng and dlrecL
`calls into the BIOS code. The ANTI-VIR.DAT files maintain permission
`information about those rare programs that write directly to and/or
`format the disk.
`
`TbGenSig: Define Your Own Signatures
`
`Since TBAV includes an up-to-date, ready-to-use signature file, you
`do not really need to maintain a signature file yourself. If,
`however during a crisis, you need to define your own virus
`signatures, then the TbGenSig utility enables you to do this. You
`can use either published signatures or define your own if you are
`familiar with the structure of computer code.
`
`TbDel: Remove Infected Files
`
`The DOS DEL or ERASE command does not actually erase a file. It
`simply deletes the first filename character in the directory listing
`and frees up the space by changing the disk's internal location
`tables (File Allocation Tables). TbDel is a small program with a
`single, yet all-important purpose: it overwrites every single byte
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 10
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page 5
`
`in a file with the zero character (0) before deleting it, thereby
`obliterating all the data and making it totally unrecoverable.
`
`TbMon: Installed Device Checker
`
`To check for the presence of the resident TBAV utilities (TbScanX,
`TbCheck, TbMem, TbFile, TbDisk or TbLog) in batch files or login
`scripts, you can use the TbMon utility. TbMon returns a DOS error
`level, depending on the installed ThunderBYTE resident programs.
`
`The following list specifies the ThunderBYTE resident utilities and
`Lhelr respecLlve error levels:
`
`+------------+-----------+
`!Utility NameiError levell
`+------------+-----------+
`TbScanX
`1
`TbCheck
`2
`TbMem
`4
`TbFile
`8
`TbDisk
`16
`TbLog
`32
`+------------+-----------+
`
`The error level reLurned by TbMon ls Lhe cumulaLlve sum of Lhe error
`levels of the installed devices. For example, if you have TbScanX
`and TbMem installed, TbMon will return error level 5 (1+ 4 = 5).
`Another example: if you have all utilities loaded, TbMon will return
`error level 63 (1+2+4+8+16+32=63). If none of the resident
`ThunderBYTE utilities are installed, TbMon will return error level 0
`(zero).
`
`The TBAV Utilities User L1.terface
`
`The DOS version of TBAV utilizes a menu-driven interface that enables you
`to execute the utilities easily. You can also execute many of the
`utilities directly from the DOS prompt. One advantage to this is that you
`can use the utilities in batch files.
`
`The Microsoft Windows version of TBAV utilizes the standard Windows
`interface, providing you a way to protect yourself from viruses while
`still working in the user-friendly Windows environment. TBAV-for-Windows
`is not described in this document. Please refer to the TBAV-for-Windows
`documentation for more information.
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 11
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page 6
`
`Conventions Used in This Manual
`
`This manual uses several special conventions:
`
`References to the keyboard are as they appear on the 101-key
`enhanced keyboard. File names, DOS commands, emphasized words, and
`information that you are to type appears in UPPERCASE letters. The
`context should clearly dictate which of these is true in each case.
`
`References to individual TBAV utilities use a combination of
`uppercase and lowercase le U.ers. For example, while TBSCAN. SIG
`refers to a signature file, TbScan refers to the utility itself.
`
`How To Use This Manual
`
`This manual consists of six chapters.
`
`Chapter 1 provides you with the fastest way to get started with the
`TBAV utilities. It presents the major features of the program in a
`step-by- step format. We recommend that you start with this chapter.
`
`Chapter 2 contains i~struction on how to prevent viruses from
`lnfecLlng your compuLer sysLem and dlrecLlons on how Lo handle
`viruses when they do strike. We recommend that you also read this
`chapter because it contains several useful tips.
`
`Chapter 3 contains a detailed description of both the purpose and
`functionality of all the TBAV for DOS utilities.
`
`Chapter 4 contains advanced user information
`are more technically oriented.
`
`for those users who
`
`This manual also contains five appendices. Appendix A describes TBAV
`messages, Appendix B describes heuristic flags, Appendix C addresses some
`incompatibility problems, Appendix D lists various exit codes for use in
`batch files, and Appendix E contains information on naming viruses.
`Finally, the Index provides you with the means of quickly finding any
`major topic.
`
`NOTE:
`
`A complete reading of this manual is indispensable in order to
`become familiar with the many facets of the ThunderBYTE AntiVirus
`utilities; to know what steps you can, and must, take to ensure
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 12
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page 7
`
`adequate protection and be fully prepared for a complete recovery,
`if and when disaster strikes.
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 13
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page 8
`
`1 TBAV QuickStart
`
`One of the problems with software manuals is they sometimes beat around
`the bush and don't get to the point, namely, how to use the software
`right now. This chapter presents the major features of TBAV and will get
`you up and running in the minimum amount of time.
`
`1.1 Installing the TBAV Utilities
`
`This secl.ion provides L.he inll.ial insl.allal.ion insl.rucl.ions of L.he TBAV
`utilities for DOS.
`See the TBAV for Windows documentation for installing
`TBAV for Windows or the TBAV for Networks documentation for installing
`TBAV for Networks.
`
`1.1.1 Understanding System requirements
`
`The ThunderBYTE Anti-Virus utilities will run on any IBM or compatible PC
`that meets the following requirements:
`
`At least 1 megabyte of disk space
`256 kilobytes of free internal memory
`
`DOS version 3.0 (DOS 5.0 or later recommended)
`
`A mouse is optional
`
`NOTE:
`
`The TBAV utilities are compatible with networks, MS-Windows,
`Novell-DOS, etc.
`
`1.1.2 Running INSTALL
`
`You can install the TBAV utilities either by using the following instal(cid:173)
`lation procedure or by a fully customized procedure that you 11 find in
`Chapter 2. To use the fast approach, follow these steps:
`
`1. Insert the TBAV L1.stallation diskette in the diskette drive, type
`A: orB:, and press the ENTER key.
`
`2. Type INSTALL and press ENTER. After a
`window appears:
`
`few seconds, the following
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 14
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page 9
`
`+-------------------------+
`I
`Quit Installation
`I
`View TBAV.DOC file
`I
`License TBAV
`I
`Upgrade TBAV
`I
`Custom Installation
`>
`I
`Express Installation >
`+-------------------------+
`
`>
`>
`
`NOTE:
`
`3. Since this is your first time to install the TBAV package you
`choose the first option, which is already highlighted, so just press
`ENTER. NoLlce also LhaL you can always selecL a menu opLlon by
`pressing its first letter. Install now displays the Licensing
`Agreement.
`
`4. Press the cursor movement keys (up and down arrows and Page Up
`and Page Down) to view the Agreement. When you finish reading the
`agreement, press ESC. Install now asks you to acknowledge the
`Agreement.
`
`You can exit Install at anytime by pressing the ESC key until you
`get to the Main Menu or even to the DOS prompt.
`
`5. SelecL Lhe Your Name
`
`field, Lype ln your name, and press ENTER.
`
`6. Select the company field and repeat the procedure to enter your
`company name.
`
`7. Press I to select the Terms field, type in YES to accept the
`agreement, and press ENTER. The Install Menu now appears.
`
`8. While you will probably accept the defaults, if you need to
`change the source path (the path where the installation program
`itself resides, usually drive A:) or the default Destination path
`(where Install places the TBAV program files, usually C:\TBAV),
`select the field, make your changes, and press ENTER.
`
`9. Press B (or highlight Begin Installation and press ENTER) to
`begin the installation. Install now scans your system to ensure that
`it is clean
`(that is, no files are infected by a virus) and
`informs you when it is done.
`
`10. Press any key to continue. Install now copies the TBAV files to
`the destination directory and makes a backup of your AUTOEXEC.BAT
`file before making a few modifications to it. The installation
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 15
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page 10
`
`program adds the TBAV directory to your PATH and adds a statement
`that will automatically run the TBSTART.BAT file.
`
`NOTE:
`
`The TBSTART.BAT file, which resides in the TBAV directory, contains
`the following commands:
`
`C:\TBAV\TBDRIVER
`C:\TBAV\TBSCANX
`C:\TBAV\TBCHECK
`C:\TBAV\TBMEM
`C: \ TBAV\ TBFILE
`C:\TBAV\TBSCAN ONCE ALLDRIVES
`
`You can configure these commands to suit your own personal needs.
`
`Notice:
`Install now displays a message that Recommends that you create a
`Recovery Diskette, which you can use in the future, for example, to
`restore your destroyed CMOS data, or restore your hard disk's
`partition table after it has been tampered with.
`
`To create a
`11. Press any key to continue to the Final Menu.
`Recovery Diskette, press M, insert a clean formatted diskette into
`Drive A, and press a.'1y key L.o conl.inue. TBAV now copies L.he sysl.em
`files to the diskette. See the Prepare a Recovery Diskette section
`in Chapter 2 for more information. If you do not want to create a
`Recovery Diskette, press Q to Quit Install.
`
`12. When TBAV finishes, press any key to continue. TBAV invokes
`TbSetup to generate an ANTI-VIR.DAT file for drive A and returns you
`to the Final Menu.
`
`13. Press Q to Quit Install. Install now invokes TbSetup again to
`generate the ANTI-VIR.DAT reference files for your hard disk and
`then returns you to the DOS prompt.
`
`CAUTION:
`It is extremely likely that some of the TBAV utilities are going to
`display messages if you now reboot and continue using the computer
`as you normally would. This is because some programs perform
`operations that the TBAV utilities monitor. TBAV, therefore, needs
`to
`learn which programs need proper permission. Before rebooting,
`execute some of the programs you use regularly and respond
`appropriately when TBAV requests permission to
`authorize or deny
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 16
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page 11
`
`TBAV remembers the settings and will not bother you
`their use.
`again. Reboot the computer at the end of this test run.
`
`14. After running some of the programs you use regularly (see
`Caution box above), reboot your system.
`
`The TBAV utilities are now ready to monitor your system and will issue a
`warning if something suspicious (or worse!) is about to happen. The TBAV
`utilities also warn you if any new file contains a possible virus, well
`before it can do any harm.
`
`1.1.3 Installation on a network
`
`If a workstation does not have a hard disk, you can invoke the TBAV
`utilities from a login script. You create a TbStart.Bat file containing
`the following:
`
`@echo off
`x:\apps\tbav\tbdriver.exe
`x:\apps\tbav\tbscanx.exe
`x:\apps\tbav\tbcheck.exe
`x:\apps\tbav\tbfile.exe
`x:\apps\tbav\tbmem.exe
`x:\apps\Lbav\Lbscan.exe alldrlves
`exit
`
`In the login script add the following line:
`
`#x:command.com /c /x:\apps\tbav\tbstart.bat
`
`NOTE:
`
`You need to enter the correct drive ID for 'X:'
`
`1.1.4 Starting And Ending TBAV
`
`You can run TBAV in two ways: run the menu interface or run individual
`utilities from the DOS prompt.
`
`Starting TBAV With the Me~u Interface
`
`You can access most of the TBAV utilities from within the TBAV menu. To
`start TBAV with the menu, follow these steps:
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 17
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page 12
`
`NOTE:
`
`1. At the DOS prompt, type CD
`in the TBAV directory.
`
`\TBAV and press ENTER. This places you
`
`This first step is actually optional since the TBAV directory was
`added to the PATH during installation. You would need this step,
`however, if you ever decided to remove that directory from the PATH.
`
`2. Type TBAV and press ENTER. This starts TBAV and displays the menu
`interface.
`
`3. A common L.ask is L.o scan your hard disk for viruses. To do L.his,
`press S on the "Main Menu" to select the TbScan command. Press S
`again to select the "Start Scanning" command on the TbScan Menu.
`Press D on the "Path Menu" and press ENTER.
`
`4. If TbScan finds a virus, it presents an action menu. "D)elete"
`deletes the infected file. "K)ill" also deletes the infected file,
`but in such a way that it can't be undeleted by an undelete utility
`(such as DOS's UNDELETE command). "R)ename" renames an EXE extension
`to VXE and a COM extension to VOM, preventing the execution of
`infected programs and thereby precluding the spread of an infection,
`and also enabling you to keep the file for later examination and
`repair. "C)ontinue scanning" continues the scan without taking
`acLion on Lhe virus. "N)onsLop conLinue" insLrucLs TbScan noL Lo
`stop when it detects a virus.
`
`NOTE:
`
`If you use C or N, we recommend that you select L on the "TbScan
`Menu" and then 0 on the "TbScan Log Menu" so that TbScan will log
`detected viruses. To view this log, select V from the "TbScan Menu."
`
`5. Another common task is to scan a diskette. To scan a diskette in
`drive A, press A, or to scan a diskette in drive B, press B.
`
`6. You can use one of three methods to end TBAV:
`
`Press X to exit and save any configuration settings
`you have set
`Press Q to exit without saving any configuration
`settings
`
`Press ESC, which is the same as pressing Q
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 18
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page 13
`
`Starting TBAV Utilities from the DOS Prompt
`
`You can also start each of the individual TBAV utilities directly from
`the DOS prompt by typing the command name followed by one or more options
`(or switches) to control special features. You can use either the full
`name of the option or its one- or two-letter mnemonic to shorten the
`command line.
`
`For example, if you want to use TbScan to scan for viruses on your hard
`disk, you could execute either one of the following commands:
`
`TBSCAN ALLDRIVES
`TBSCAN AD
`
`The advantage of being able to execute individual utilities is that you
`can use the utilities in batch files to create your own custom routines.
`A simple example of this is putting TbScan in your AUTOEXEC.BAT file so
`that it will scan for viruses when you boot up. To accomplish this, do
`the following:
`
`1. If you are using DOS 5 or later, type CD\ and press ENTER to go
`to the root directory. Now type EDIT AUTOEXEC.BAT and press ENTER to
`load this file into the MS-DOS text editor Edit.
`
`NOTE:
`
`If you are using a version of DOS prior to version 5.0, consult your
`DOS manual on how to edit AUTOEXEC.BAT. You might have your own text
`editor that you can use, or you could even use a word processor to
`edit the file and then save it as an ASCII text file. Consult your
`word processor's documentation for instructions.
`
`2. Add the following line to the beginning of the file, making sure
`you separate the options from the command and from each other using
`a space:
`
`C:\TBAV\TBSCAN AllDrives Once
`
`3. Press ALT, F, S to save the file again, and then press ALT, F, X
`to exit the editor (that is, if you are using the MS-DOS text editor
`EDIT; otherwise, use the commands of your favourite editor to save
`the file, and to exit the editor).
`
`4. Reboot your computer so the changes will take effect.
`
`CAUTION:
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 19
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page 14
`
`This line already exists in the TBSTART.BAT file, which runs
`automatically from AUTOEXEC.BAT. If you don't want to load all the
`TSR utilities that TBSTART.BAT loads, you could replace TBSTART.BAT
`with the above TBSCAN command. While this is still good protection,
`be aware that it doesn't fully protect your system. Refer to the
`Configuring TBAV
`section later in this chapter for more information
`on configuring TBAV.
`
`Now the first time you boot your computer on a given day, TbScan
`will check for viruses on all fixed drives. Because of the 00
`option, however, if you boot again, you'll receive the Option once
`already used Loday message, meaning LhaL since TbScan has already
`run once that day, it will not run again.
`
`Another useful TBAV utility, not just for deleting infected files but any
`files you want destroyed, is TbDel. This utility overwrites every byte of
`a file with a nul character, thereby completely obliterating the file.
`If, for security reasons, you have files you want to destroy and prevent
`someone from undeleting using a file recovery program, enter the
`following command:
`
`TBDEL [filename]
`
`WARNING:
`Be absoluLely sure you wanL Lo desLroy a file before using TbDel.
`Once you execute the command, the file is gone forever, and no file
`recovery utility can bring it back.
`
`1.1.5 Using TBAV Commands
`
`There are many commands L'1 The TBAV Utilities, but most of them are
`available from the menu. You can select commands using either the
`keyboard or the mouse. To select a command, do one of the following:
`
`Highlight an option using the arrow keys and press Enter
`
`Press the highlighted letter of a command
`
`Move the mouse pointer to a command and click the left button
`
`As mentioned earlier, you can use all TBAV commands directly from the DOS
`prompt. You must separate the command from the first option and options
`from each other using a space. You can use the standard slash (/)
`character or hyphen (-) before an option, but it is not necessary.
`
`BLUE COAT SYSTEMS - Exhibit 1005 Page 20
`
`

`
`TBAV User Manual. Copyright (C) 1989-1995 ThunderBYTE B.V.
`
`Page 15
`
`The standard command line syntax for all ThunderBYTE Anti-Virus commands
`is:
`
`COMMAND [<path>] [<filename>]
`
`[<option>]
`
`[<option>]
`
`where <path> and <filename> is where you want the command to execute and
`<option> is the specific option you want to use. For example, the
`following command executes a virus scan on all executable files in the
`root directory of drive C: and all subdirectories and skips the boot
`sector scan:
`
`TBSCAN C:\ NOBOOT
`
`1.1.6 Getting Help
`
`TBAV enables you to get help at any time, whether you are working from
`the menu or the DOS prompt.
`
`Getting Help From the Menu
`
`To get help at anytime while working from the TBAV menu, foll