# @(#) $Id: rhbvsfaq.txt,v 1.30 2024/12/11 09:55:38 ralph Exp $
// atom:set fileencoding=cp437 fileformat=dos filetype=plain tabstop=2 expandtab:
# --=---------------------------------------------------------------------=---
# (c) 1997-2025 by Ralph Roth  -*- http://rose.rult.at -*-
Format: UTF8, CR/LF

FAQ for RHBVS, German text in the second section!

                       _     _                 __
                  _ __| |__ | |____   _____   / _| __ _  __ _
                 | '__| '_ \| '_ \ \ / / __| | |_ / _` |/ _` |
                 | |  | | | | |_) \ V /\__ \ |  _| (_| | (_| |
                 |_|  |_| |_|_.__/ \_/ |___/ |_|  \__,_|\__, |
                                                           |_|

 ___           _ _    _
| __|_ _  __ _| (_)__| |_
| _|| ' \/ _` | | (_-< ' \
|___|_||_\__, |_|_/__/_||_|
-------- |___/ --------------------------------------------------------------

Q1> Can you compile RHBVS with a 32-bit compiler?  I'm running a Windows 7
Q1> SP1 64-bit computer and RHBVS doesn't run on this system, because
Q1> 16-bit programs don't run on x64 systems.


Q2> Please, can you make an RHBVS version compiled to work on 64-bit systems?
Q2> It is a 16-bit .exe and it doesn't run on Windows x64.
Q2> If you compile a 32-bit version, it can run on x64 systems.


Unfortunately RHBVS is not written in portable code, so I am unable to provide
32-bit binaries (Win32/Linux) - sorry. F_Mirc is a successor of RHBVS (stripped
of all the non-portable stuff).


Q?>> I think there is a release numbering error for RHBVS.
Q?>> I have already been running version 4-62 since early May 2005,
Q?>> so this version should be at least 4-63 or higher, no?

No, the version number is right. I haven't touched the RHBVS source code
itself. I have updated only the scan engines, virus patterns and
documentation.

For this reason, most of my programs have a build number, e.g. RHBVS has today:
--=[ ROSE SWE's heuristic based virus scanner - Version 4.62-918 ]=--------

The one you have downloaded should then have build 914 (4.62-914).

Hint> OK, I now notice this difference, which I was not aware of before
Hint>
Hint> Version 4.62-854  < 04/11
Hint> Version 4.62-914  > 05/11
Hint>
Hint> maybe it would be smart to make this build version more visible


------------------------------------------------------------------------

>How do I set RHBVS so it skips the initial check of CD-ROM drive which it gets
>stuck on till I type N ? Do I change the boot sequence of the computer or
>something in RHBVS?

How do you start RHBVS?  With the option -auto?  I suggest rhbvs c: instead;
then the CD-ROM check is not performed.  That is a "feature" of the -auto
option.

>If it does find a virus, how will I see it in the log? Does it clean them
>too? How about new viruses?

1.) See log:

-----[ C:\FOUND\RHBVS355  (HDD drive)   ]-------------------------------------
* Scan started at 06.08.2001 - 21:12:21 for (Executables, Images, Scripts)
C:\FOUND\RHBVS355\DMSETUP\C\4164RIMC.EXE  DMSetup.C Trojan
C:\FOUND\RHBVS355\DMSETUP\C\4166RIMC.EXE  DMSetup.C Trojan
C:\FOUND\RHBVS355\MIRC\WINDROPP\3968\4163RI~1.PIF  Mirc.WinDropper.3968
C:\FOUND\RHBVS355\VBS\FREELINK\A\4176RIMC.VBS  VBS.Freelinks.A
C:\FOUND\RHBVS355\VBS\FREELINK\A\4177RIMC.VBS  VBS.Freelinks.A
C:\FOUND\RHBVS355\VBS\HYBRID\GENERIC1\4161RIMC.PIF  VBS.Hybrid.Generic.16963

2.) RHBVS is NOT able to clean viruses, you can only delete them
(-del).  Some (older) viruses can be cleaned using VirScan Plus (VSP),
MBR-Kill and ROSE SWE Virus Killer (RVK is included in the DECOM package).

3.) New viruses are found via heuristics; if not, I will update RHBVS....

> Great prog., thanks.

Thank you too for the feedback!
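
Added example (not part of RHBVS or of the original FAQ): a small Python
parser for the log excerpt shown under 1.) above, which lists each hit with
its scan root and counts hits per detection name. The section-header shape
and the "two or more spaces" separator between path and name are assumptions
inferred from that excerpt only; the sample log is constructed from it.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the log excerpt in this FAQ.
SAMPLE_LOG = r"""
-----[ C:\FOUND\RHBVS355  (HDD drive)   ]-------------------------------------
* Scan started at 06.08.2001 - 21:12:21 for (Executables, Images, Scripts)
C:\FOUND\RHBVS355\DMSETUP\C\4164RIMC.EXE  DMSetup.C Trojan
C:\FOUND\RHBVS355\MIRC\WINDROPP\3968\4163RI~1.PIF  Mirc.WinDropper.3968
C:\FOUND\RHBVS355\VBS\FREELINK\A\4176RIMC.VBS  VBS.Freelinks.A
C:\FOUND\RHBVS355\VBS\FREELINK\A\4177RIMC.VBS  VBS.Freelinks.A
"""

# Section header: "-----[ <scan root>  (<drive type>)   ]-----" (assumed shape).
SECTION = re.compile(r"^-+\[\s*(?P<root>.+?)\s{2,}\((?P<kind>[^)]*)\)\s*\]-*$")
# A hit is "<drive>:\<path><2+ spaces><detection name>". The name may contain
# single spaces ("DMSetup.C Trojan"), so split on the first run of 2+ spaces.
HIT = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?)\s{2,}(?P<name>\S.*?)\s*$")

def parse_log(text):
    """Return a list of dicts with scan root, file path and detection name."""
    hits, root = [], None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            root = m.group("root")   # remember which scan root we are in
            continue
        if line.startswith("*") or not line.strip():
            continue                 # status lines ("* Scan started ...") and blanks
        m = HIT.match(line)
        if m:
            hits.append({"root": root, "path": m.group("path"),
                         "name": m.group("name")})
    return hits

def summarize(hits):
    """Count hits per detection name, most frequent first."""
    return Counter(h["name"] for h in hits).most_common()

if __name__ == "__main__":
    for name, count in summarize(parse_log(SAMPLE_LOG)):
        print(f"{count:3d}  {name}")
```
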

------------------------------------------------------------------------

>  To help us better understand your product, I'd like to ask some high-level
>  questions about the ROSE AV product.

>  1) What are the main types of viruses that your heuristics detect for? For
>  example, do they look for behaviors of Office macro viruses, Trojan horses,
>  key-loggers and worms in addition to "classic viruses"?

We can detect almost all kinds of viral code using the common signature,
pattern and advanced virus recognition module (AVR) approach. Besides that
detection, we are able to detect new viruses using the heuristic scan
engines, including the following virus families:

    * DOS file viruses
    * hybrid MBR/file viruses
    * MBR/boot viruses
    * IRC worms
    * batch viruses
    * some kinds of trojans/backdoors (limited)
    * VBS viruses
    * mail worms


>  2) Does the scanner look for viruses that may be running in active
>  memory plus associated program dependencies in addition to those on the
>  file system?

Speaking for known DOS viruses: Yes. Known Windows malware: Limited
detection.

The Live-Bait Test engine is able to detect almost every resident file
infector using advanced goat/bait technology (DOS and Windows file
infectors).

>  3) Does a commercial, for-sale version of this product exist?

The scan engines are used in the following products:

    * FindMirc - Freeware
    * RHBVS - Freeware
    * mr2s - Freeware
    * VSP and AntiLink package - Shareware


>  4) Can you send me a copy of the current end user license agreement,
>  if such exists?

For the engines or RHBVS?

>  5) Is there any sub-licensed third party code that is used in the
>  product or code that is covered under some open source license? If so,
>  can you identify which functions are covered and under which type of
>  open source license?

So generic stuff like ANSI CRC32 and other common algorithms are used.

>  6) Are you available for modifications to the engine if they would be
>  needed in a partnership agreement?

Yes, on a very limited time basis.

>  7) Do you also maintain a signature database for malware that does not
>  fit into existing heuristic rules? If so, approximately how many
>  signatures of this type are in the database?

Yes, all anti-virus software is maintained. The signatures are placed in the
virscan.* signature files, and new viruses are also added to the scan
engines themselves. Therefore the scan engines and the heuristic detection
engines improve as well. RHBVS itself prints out approximately how many
viruses the program can detect using signatures and scan engines, e.g.:

  * File & hybrid viruses = 22.923
  * Trojans/Malware/Jokes = 4.961
  * mIRC/pIRC worms, BAT = 2.220
  * VBS/HTML/JS/WSH/CSC = 1.440

>  8) Do you maintain a signature database for malware that might generate a
>  "false-positive" when heuristic scans are run? If so, approximately how many
>  signatures of this type are in the database?

Yes, handling of false positives is included in the products, both in the
signatures and in the scan engines. False positives always start with a "[" in
their name.

Example:

   trj_sig.dat:[DSA!UNA2.COM]
   trj_sig.dat:[DSA!UNEX.COM]
   trj_sig.dat:[E-PROT.EXE]
   trj_sig.dat:[TC.COM]
   vbs_sig.dat:[zz_iicache2]
   vbs_sig.dat:[VBS.Redlof.B@m]
   vbs_sig.dat:[ctheft_ART188]
   vbs_sig.dat:[ctheft_ART]

A rough estimate for the signatures:

   bash-2.05b$ grep "^\[" *sig.dat | wc -l
   103
   bash-2.05b$ ls *sig.dat
   irc_sig.dat trj_sig.dat vbs_sig.dat
   # these are the plain ASCII signatures, not encrypted and compressed!

For the scan engines, a rough estimate is:
   bash-2.05b$ fgrep -r "'[" *|wc -l
   286

Additionally, a user-supplied database could easily be implemented.

------------------------------------------------------------------------

q> BTW, why does RHBVS time out (expire, beep b/c version is barely
q> "old")? No need for that if it's mostly heuristic based, right? I
q> don't normally update such things every few months (believe it or
q> not).

Yes, this is true if RHBVS is older than 6 months:

       if (CurrentTime2Long(0) > Reg_OutOfDate) then
       begin
          writeln1('* WARNING: This version of RHBVS is outdated, please install a newer version!');
          siren;
       end;

------------------------------------------------------------------------

q> Also, do you have any GPL tools you think FreeDOS could officially
q> use? It's hard to find good antivirus software that's "free/libre"
q> these days (especially for DOS). I am not an official member of
q> FreeDOS, only a fan, but I know they'd be interested.

Most of my programs include some freeware source code units. Therefore it is
not possible to release them under the GPL license.

------------------------------------------------------------------------


 ___           _          _
|   \ ___ _  _| |_ ___ __| |_
| |) / -_) || |  _(_-</ _| ' \
|___/\___|\_,_|\__/__/\__|_||_|
-----------------------------------------------------------------------------

Subject: Anti-Virus Prog.

> So I downloaded (I believe) your software from Computerchannel.de
> under the name "Rhbvs". I also extracted it etc., but I don't know
> what I can do with it. It is a very small program after all.

RHBVS comes with a PIF file "RHBVS.PIF"; double-click it (NT
4.0/W2K). For experienced users: switch to the command line (COMMAND.COM)
and enter rhbvs c: -log. Attached is a PIF file for Win95/98
(rhbvs_win9x.pif).

 AM> RHBVS (or something like that?) really races along. Wow! Do you really
 AM> scan all files or only executables?

All the ones you have selected. By default that is COM, EXE and OV?. With
the /ALL option, really every file. Well, intelligent entry-point tracing is
of course performed as well!

 RR> Does anyone know this scanner and can perhaps tell me whether it is
 RR> worth getting?

Well, what should I say about that as the author? It is the little brother of
VirScan Plus. Only that this scanner works in a purely rule-based way and
therefore finds a few viruses (new ones, for example) that VSP does not find.
In return, RHBVS does not find all the viruses that VSP (with signatures) can
detect....

And the best part: autopilot, networks etc., and all of it free of charge (freeware)!

> Does the program also detect malware in files that have been processed
> with UPX, ASPack etc.?

Yes, if the program was "originally" packed that way. No, if you do the
packing or re-packing yourself.


/* End */
