Formal Virus Test

The basic concept behind formal virus checking is that no code is allowed to run from the hard drive during the process, as code viruses may take steps to avoid detection or re-infect the system if they can run first.

A formal virus scan/clean must be done from a…

  Verified   - Check that the CMOS diskette type is set correctly, and that the boot order is set to A: before C:. Several viruses set A: to "None" so that they can boot off the hard drive and then fake a diskette boot.
  Clean      - The boot and virus scanner diskettes must be formatted and prepared on a PC that is known to be clean.
  Protected  - Write-protect tabs on all diskettes must be open, to prevent disk writes from the tested system that could infect the disks.
  Diskette   - If the system starts to boot off the hard drive, you will need to reset; the diskettes should not access any hard drive code, e.g. avoid the temptation to load anything from there in the interests of speed.
  Boot       - Code viruses can trap a soft reboot via Ctrl-Alt-Del and write themselves back to the hard drive thereafter, so you must use the reset button or power switch to reboot.

 …and must check…

  All files, using - By default, most scanners will only check "program files", but any file can be a potential risk, so all files should be checked.
  Up-to-date       - The scanner is only as good as its data files, which should be updated at least once a month.

 … signature data files.
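The "all files" point can be shown concretely: a scan that only looks at "program files" by extension will miss an infected file that carries any other extension. The following Python script is an added example, not part of the original page and not the code of any scanner the page mentions; the signature byte patterns, the "program file" extension list and the sample directory tree are all constructed for the demonstration, and no real virus data is involved.

```python
"""Compare an all-files scan with a program-files-only scan over a constructed tree."""
import os
import tempfile
from pathlib import Path

# Constructed signature set (byte pattern -> detection label). These are NOT
# real virus signatures; they only mark files planted by build_sample_tree().
SIGNATURES = {
    b"CONSTRUCTED-TEST-MARKER-ALPHA": "Test.Marker.Alpha",
    b"CONSTRUCTED-TEST-MARKER-BETA": "Test.Marker.Beta",
}

# Assumed "program file" extensions, i.e. what a default scan would restrict
# itself to. Any file outside this set is skipped by the restricted scan.
PROGRAM_EXTENSIONS = {".exe", ".com", ".sys", ".dll", ".ovl", ".bin", ".doc"}


def scan_file(path: Path) -> list[str]:
    """Return the labels of every signature found in the file's bytes."""
    data = path.read_bytes()
    return [label for pattern, label in SIGNATURES.items() if pattern in data]


def scan_tree(root: Path, all_files: bool = True) -> dict[str, list[str]]:
    """Walk every file under root and return {relative path: [labels]} for hits.

    all_files=False emulates the program-files-only default described in the text.
    """
    hits: dict[str, list[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if not all_files and p.suffix.lower() not in PROGRAM_EXTENSIONS:
                continue  # this is exactly where the restricted scan goes blind
            found = scan_file(p)
            if found:
                hits[str(p.relative_to(root))] = found
    return hits


def build_sample_tree(root: Path) -> None:
    """Constructed sample 'hard drive' contents for the demonstration."""
    (root / "DOS").mkdir()
    (root / "DOS" / "COMMAND.COM").write_bytes(b"MZ clean program bytes")
    (root / "GAME.EXE").write_bytes(b"MZ" + b"CONSTRUCTED-TEST-MARKER-ALPHA")
    (root / "README.TXT").write_bytes(b"plain text file, nothing here")
    # Same kind of content as GAME.EXE, but under a non-program extension,
    # as a dropped payload or renamed executable would be.
    (root / "BACKUP.DAT").write_bytes(b"MZ" + b"CONSTRUCTED-TEST-MARKER-BETA")


def missed_by_program_only_scan(root: Path) -> list[str]:
    """Files the all-files scan flags that the program-files-only scan does not."""
    full = scan_tree(root, all_files=True)
    partial = scan_tree(root, all_files=False)
    return sorted(set(full) - set(partial))


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]], list[str]]:
    """Build the sample tree in a temporary directory and run both scans."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return (
            scan_tree(root, all_files=True),
            scan_tree(root, all_files=False),
            missed_by_program_only_scan(root),
        )


if __name__ == "__main__":
    full, partial, missed = demo()
    print("all-files scan:        ", full)
    print("program-files-only scan:", partial)
    print("missed by restricted scan:", missed)
```

Running the script shows both scans flagging GAME.EXE, while only the all-files scan flags BACKUP.DAT; the restricted scan never opens it because of its extension. The same gap applies to any real scanner run with its default "program files" setting, which is why the page insists on the all-files option.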

Antivirus programs that can only run from Windows, or that do not offer data file updates, are irrelevant to this topic (i.e. useless in this context).

Here's the procedure:

  1. Prepare the boot and scanner diskettes on a known clean system, and set the write-protect tabs on these diskettes

  2. Shut down system to be tested, i.e. do a proper exit from Windows

  3. Insert boot diskette

  4. Do a button reset and press Del (or, on some computers, Ctrl-Alt-Esc, F2 etc., as displayed on screen) to get into CMOS setup

  5. Check that diskette A: is defined correctly, e.g. 1.44M 3.5" for "stiffy drives"

  6. Check that boot order is A: before C: (usually in "Features" menu, may be under "Security" or "Boot Options", may be defined by selecting "Floppy" as First Boot Device in AMI BIOS setups)

  7. Exit CMOS setup after saving changes

  8. Do another button reset and allow to boot off diskette

  9. After system boots off diskette, change to the scanner diskette

  10. Run the scanner diskette to check all files on all hard disk drive letters

  11. If a virus is found and is known, check the nature of the virus at www.nai.com, www.datafellows.com etc., or search www.altavista.com for: +virus +"{virus name}", then re-run the scanner to clean it - that's "best-practice"

  12. After cleaning system, reset and set boot order in CMOS back to C: before A: (or "IDE 0" as First Boot Device) to prevent exposure to boot viruses on infected diskettes that might be left in the system on future power up or reset

On a network, you may need to be quite disruptive to assure an effective clean; perhaps best done after hours! Best-practice would be to do this as follows:

  1. Isolate each system from LAN as it is cleaned, if possible on a second "clean" sub-network as you go (difficult with server-based LANs). If LAN uses BNC (co-ax) cable, remember to preserve an unbroken chain from one terminator to the other at all times (you will need 2 additional terminators for the sub-LAN)

  2. Keep one PC stand-alone as a "quarantine" system, to use for checking all diskettes and backup media before these are re-integrated into the LAN

  3. Collect all diskettes and backup media before scanning the system

  4. For x days thereafter, make it policy to check all such media before use on the LAN

  5. Reinforce LAN policies and technologies to safeguard e-mail entry to system and virus protection in general; update virus scanner data files, etc.

There are shortcuts and less invasive methods, but they make recurrence more likely, so use your judgement there. For example, if you "know" the only threat is a Word macro virus that does not act as a "dropper" for code viruses, you don't have to do a formal clean; you can use the scanner from within Windows.

 

(C) Chris Quirke, all rights reserved
