	    	      FULL SHIELD PLUS
		   P C  P R O T E C T O R
		    Version 1.1a  9/1/94
		   Micah Development Corp.


This file includes information not found in the User's Guide as
well as compatibility issues to keep in mind while using Full
Shield and TbScan.  Below is a list of covered topics:

      1.   General Information about Full Shield
      2.   Disk Utilities
      3.   Data Compression Software
      4.   Backup Software
      5.   Laptop Users
      6.   DOS CHKDSK
      7.   Networks
      8.   Novi Anti-Virus      
      9.   SyDOS Drives
      10.  IBM OS/2
      11.  TANDY Computers
      12.  ThunderBYTE - TbScan Anti-Virus Scanner

1.   General Information
------------------------
Full Shield has been tested and found to be compatible with many
different software and hardware products.  However, we cannot
guarantee full compatibility with every system in the marketplace. 
As a result, back up your entire hard drive before locking any
data.  

When Full Shield locks data, the data is completely removed.  As a
result, the locked data cannot be backed up, viewed, opened,
changed, or altered.  In order to use the data, you must first
unlock it.

2.   Disk Utilities 
-------------------
Full Shield is compatible with popular utilities such as Norton and 
PC Tools.  However, before using Norton Disk Doctor (NDD) or PC Tools 
DiskFix to repair drives, unlock all hard drives.
     
When a file or directory is locked, Full Shield places a message
'Files Locked' within the locked directory.  Norton Disk Doctor and
PC Tools DiskFix will report invalid files.  You can select to
remove the files or cancel.  This will not affect your locked data.

Full Shield marks the locked data location as unavailable in order
that DOS does not overwrite the area.  As a result, unlock all data
before using programs or utilities that would mark unavailable
sectors as usable.  SpinRite II Depth 4 Pattern Testing and Norton
DiskTool are programs which can mark/unmark sectors.

3.  Data Compression Software
-----------------------------
Unlock all data on a drive before compressing or uncompressing it
with a compression utility.  

DOUBLESPACE -  Full Shield is compatible with DOS 6.0/6.2 DoubleSpace.  
With DOS version 6.0, unlock all data on the DoubleSpace drive before 
using the CHKDSK utility to check the drive. 

STACKER - Stacker's SCHECK/CHECK utilities conflict with Full Shield.  
If you wish to check a Stacker drive, unlock all data on the drive 
before running SCHECK/CHECK.

SUPERSTOR - SuperStor's PREPARE and SSUTIL programs conflict with 
Full Shield.  Similarly, if using SuperStor with DR DOS 6.0, the 
DRDOS CHKDSK conflicts with Full Shield when checking a SuperStor drive.  
Unlock all data before using these programs.

XTRADRIVE - XtraDrive's compression conflicts with Full Shield's
hard drive locking.  Use INSTALL /Q to install Full Shield to lock
directories.

THIRD PARTY CHECKING UTILITIES - Norton Disk Doctor and PC Tools DiskFix
check compressed drives for errors.  Unlock all data on a compressed 
drive before running these utilities.

4.  Backup Software
-------------------
When Full Shield locks data, the data is completely removed.  It
cannot be viewed, deleted, or altered.  Therefore, in order to back
up the data, unlock it, back it up, and re-lock it.  

5.  Laptop Users
----------------
Use the SHIELD /MONO option if you have problems viewing the screen.  

6.  DOS CHKDSK
--------------
When data is locked, the DOS CHKDSK program will show a large
number of sectors as unavailable (or bad).  This is expected: it
is where the locked data is stored.  No repair action is needed.

7.  Networks
------------
Full Shield can be installed on the network server for all users to
access from their local machines.  A network or site license must be 
purchased to run Full Shield from a network.  Contact Micah Development
for details.

Note:  When Full Shield is installed on the server, users will only be 
able to lock data on their individual hard drives.  Full Shield 
will not affect data on the server.  

If you are on a peer-to-peer network such as Artisoft's LANtastic 
or Novell NetWare Lite, you must un-mount your drive before
locking and unlocking any data. 

8.  NOVI ANTI-VIRUS
-------------------
When using the Novi Anti-Virus with Full Shield, set the Novi TSR
Boot Watch and the Novi Boot/Unknown options to NONE.

9.  SyDOS Drives
----------------
To run Full Shield with SyDOS drives, get the latest device driver 
(SYDRIVER.SYS) from SyQuest Technology.

10.  IBM OS/2
-------------
Full Shield must be run with the FAT file system under DOS.  Full 
Shield's Hard Drive locking works only with OS/2's Dual Boot 
configuration.

11.  TANDY Computers
--------------------
Tandy computers which give you the option to load from ROM 
(e.g., 1000 RL machines) or from DOS should be set to load from DOS. 

If you have already installed Full Shield and you are unable to 
retrieve drive C:, unlock the drive using Full Shield from the 
floppy and change the setup to load from DOS. 

12.  ThunderBYTE - TbScan Anti-Virus Scanner
--------------------------------------------
TbScan is both a very fast signature scanner and a so-called heuristic
scanner. Besides its blazing speed it has many configuration options. It
can detect mutants of viruses, it can bypass stealth type viruses, etc.
The signature file used by TbScan is a coded 'TbScan.Sig' file, which
can be updated by yourself in case of emergency.  TbScan is able to
disassemble files. This makes it possible to detect suspicious instruction 
sequences and to detect yet unknown viruses. This generic detection, named 
heuristic analysis, is a technique that makes it possible to
detect about 90% of all viruses by searching for suspicious instruction
sequences rather than using any signature. For that purpose TbScan
contains a real disassembler and code analyzer.

Another feature of TbScan is the integrity checking it performs when it
finds the Anti-Vir.Dat files generated by TbSetup. 'Integrity checking'
means that TbScan will check that every file being scanned matches the
information maintained in the Anti-Vir.Dat files. If a virus infects a
file, the maintained information will not match the now changed file
anymore, and TbScan will inform you about this. 

TbScan performs an integrity check automatically, and it does not have
the false alarm rate other integrity checkers have. The goal is to
detect viruses and not to detect configuration changes!

Command line options

When loaded from the DOS command line, TbScan recognizes option
short-keys and option words. The words are easier to memorize, and they will
be used in this manual for convenience. TbScan searches for a file named
TBAV.INI in the TbScan directory. 

If the keyword 'UseIni' is specified in the [TbScan] section of the
TBAV.INI file, the options will also be valid when TbScan is invoked
from the command line. Be careful, as options specified in the TBAV.INI
file cannot be undone on the command line.

     option parameter        short  explanation
     -----------------------------------------------------------------
     help                    he     help 
     pause                   pa     enable 'Pause' prompt
     mono                    mo     force monochrome
     quick                   qs     quick scan (uses Anti-Vir.Dat)
     allfiles                af     scan non-executable files too
~    alldrives               ad     scan all local non-removable drives
~    allnet                  an     scan all network drives
     heuristic               hr     enable heuristic alerts
     extract                 ex     extract signature (registered only)
     once                    oo     only once a day
~    slowscroll              ss     enable conventional (slow) scrolling
     secure                  se     user abort not allowed (reg. only)
     compat                  co     maximum-compatibility mode
     ignofile                in     ignore no-file-error
~    old                     ol     disable "this program is old" message
     noboot                  nb     skip bootsector check
     nomem                   nm     skip memory check
     hma                     hm     force HMA scan
     nohmem                  nh     skip UMB/HMA scan
     nosub                   ns     skip sub-directories
     noautohr                na     auto heuristic level adjust
     repeat                  rp     scan multiple diskettes
     batch                   ba     batch mode. No user input
     delete                  de     delete infected files
~    kill                    ki     kill infected files
     log                     lo     output to logfile
     append                  ap     log file append mode
     expertlog               el     no heuristic descriptions in log 

     logname  =<filename>    ln     set path/name of log file
     loglevel =<0..4>        ll     set log level
~    wait     =<0...255>     wa     amount of timerticks to wait
     rename   [=<text-mask>] rn     rename infected files
~    exec     =.<ext-mask>   ee     specify executable extensions

You can find an explanation on most of the command line options at the
similar menu descriptions presented above. 

help (he)
If you specify this option TbScan will display the help as listed above.

pause (pa)
When you activate the 'pause' option TbScan will stop after it has
checked the contents of one window. This gives you the possibility to
examine the results without having to consult a log file afterwards.

mono (mo)
This option forces TbScan to refrain from using colors in the screen
output. This might enhance the screen output on some LCD screens or
color-emulating monochrome systems.

quick (qs)
TbScan will use the Anti-Vir.Dat files to check only for files changed
since the last time. A file will be scanned only if it has been changed
(CRC change) or is not yet listed in Anti-Vir.Dat. Normally TbScan will
always scan files.
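
The change detection behind 'quick' and the integrity check described earlier, as an added example that is not part of the original manual and not ThunderBYTE's code. A Python dict stands in for Anti-Vir.Dat (whose real format is not described here), CRC-32 comes from zlib, and the file names and contents are constructed.

```python
import os
import tempfile
import zlib


def crc32_of(path, chunk_size=65536):
    """CRC-32 of a file, read in chunks so large files are not loaded whole."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def build_baseline(paths):
    """Record (size, CRC) per file. Hypothetical stand-in for Anti-Vir.Dat."""
    return {p: (os.path.getsize(p), crc32_of(p)) for p in paths}


def quick_scan_plan(baseline, paths):
    """Sort files into skip / changed / unlisted, as 'quick' is described:
    only changed or unlisted files go on to a full scan."""
    plan = {"skip": [], "changed": [], "unlisted": []}
    for p in paths:
        record = baseline.get(p)
        if record is None:
            plan["unlisted"].append(p)
        elif record != (os.path.getsize(p), crc32_of(p)):
            plan["changed"].append(p)
        else:
            plan["skip"].append(p)
    return plan


def demo():
    """Constructed sample: a few small files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        def write(name, data, mode="wb"):
            path = os.path.join(tmp, name)
            with open(path, mode) as fh:
                fh.write(data)
            return path

        a = write("A.COM", b"\x90" * 64)
        b = write("B.EXE", b"MZ" + b"\x00" * 62)
        s = write("D.SYS", b"A" * 32)
        baseline = build_baseline([a, b, s])

        write("B.EXE", b"appended bytes", mode="ab")  # grows after baseline
        write("D.SYS", b"B" * 32)                     # same size, new content
        c = write("C.COM", b"\x90" * 16)              # added after baseline

        plan = quick_scan_plan(baseline, [a, b, s, c])
        return {k: [os.path.basename(p) for p in v] for k, v in plan.items()}


if __name__ == "__main__":
    print(demo())
```

CRC-32 catches accidental and unsophisticated changes but is not collision resistant; a present-day integrity checker would store a cryptographic hash such as SHA-256 instead.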

allfiles (af)
With this option TbScan will scan non-executable files (files without
extension COM, EXE, SYS or BIN) too. If TbScan finds out that such a
file does not contain anything that can be executed by the processor the
file will be 'skipped'. Otherwise the file will be searched for COM, EXE
and SYS signatures. TbScan however will not perform heuristic analysis
on non-executable files.

Since viruses normally do not infect non-executable files it is not
necessary to scan non-executable files too. We even recommend not to use
this option unless you have a good reason to scan all files. Once again:
a virus needs to be executed to perform what it is programmed to do, and
since non-executable files will not be executed a virus in such a file
can not do anything. For this reason viruses do not even try to infect
such files. Some viruses however will write to non-executable files as a
result of 'incorrect' programming. If so, these non-executable files
will never harm other program or data files, but do contain corrupted
data.

~    alldrives (ad)
     This option causes TbScan to scan all local non-removable disks.

~    allnet (an)
     This option causes TbScan to scan all network drives.

     heuristic (hr)
     TbScan always performs a heuristic scan on the files being processed.
     However, only if a file is very probably infected with a virus, TbScan
     will report the file as being infected. If you use option 'heuristic',
     TbScan is somewhat more sensitive. In this mode 90% of the new, unknown,
     viruses will be detected without any signature, but some false alarms
     may occur.

     extract (ex)
     This option is available to registered users only. See the chapter
     'TbGensig' (IV-5) on how to use the option 'extract'. 

     once (oo)
     If you specify this option TbScan will 'remember' after its scan that it
     has been executed that day, and that it should not be executed again the
     same day with this particular option set. This option is very useful if
     you incorporate it in your AUTOEXEC.BAT file in combination with a list
     file:
	  TbScan @Everyday.Lst once rename

     TbScan will now scan the list of files and/or paths specified in the
     file EVERYDAY.LST during the first boot-up of the day. 

     If the system boots more often that day, TbScan will then return to DOS
     immediately.  This option does not interfere with the regular use of
     TbScan. If you invoke TbScan without the 'once' option it will always be
     executed, regardless of a previous run with the 'once' option set.

=>   Note that if TbScan cannot write to TBSCAN.EXE because it has been
     flagged 'read-only' or is located on a write-protected diskette, the
     'once' option will fail and the scanner will be executed without it.

~    slowscroll (ss)
     If you specify this option, TbScan will scroll the files in the files
     window conventionally. This method is slower but looks nicer.

     secure (se)
     This option is available to registered users only. If this option is
     specified it is no longer possible to cancel TbScan by pressing Ctrl-
     Break, or to respond to a virus alert window.

     compat (co)
     If you select this option, TbScan attempts to be more compatible with
     your system. Use this option if the program does not behave as you would
     expect, or even halts the system. This option will slow down the
     scanning process. Therefore, it should only be used if necessary. 
     Note that this option does not affect the results of a scan.

     ignofile (in)
     If this option is specified and no files can be found, TbScan will not
     display the 'no files found' message, nor does it exit with errorlevel
     1. This option might be useful for automatic contents scanning.

~    old (ol)
     This option suppresses the message which appears if TbScan is 6 months
     old.

     noboot (nb)
     If you specify this option TbScan will not scan the bootsector.

     nomem (nm)
     If you specify this option TbScan will not scan the memory of the PC for
     viruses.

     hma (hm)
     TbScan detects the presence of an XMS-driver, and scans HMA
     automatically. If you have an HMA-driver which is not compatible with
     the XMS standard you can use the 'HMA' option to force TbScan to scan
     HMA.

     nohmem (nh)
     By default TbScan identifies RAM beyond the DOS limit and scans that
     too. This means that video memory and the current EMS pages are scanned
     by default. You can use this option to disable the scanning of non-DOS
     memory.

     nosub (ns)
     By default TbScan will search sub-directories for executable files,
     unless a filename (wildcards allowed!) is specified. If you enable this
     option, TbScan will not scan sub-directories.

     noautohr (na)
     TbScan automatically adjusts the heuristic detection level after a virus
     has been found. This provides you maximum detection capabilities in case
     you need it, while the amount of false alarms due to heuristics remains
     small in normal situations. In other words: as soon as a virus has been
     found, TbScan will anticipate and proceed as if option 'heuristic' has
     been specified. If you don't want this, you can specify option
     'noautohr'.

     repeat (rp)
     This option is very useful if you want to check a large amount of
     diskettes. TbScan does not return to DOS after checking a disk, but it
     prompts you to insert another disk in the drive.

     batch (ba)
     By enabling this option TbScan will scan without displaying any
     messages. Therefore, the use of a LOG file is highly advisable.

     delete (de)
     If TbScan detects a virus in a file it prompts the user to delete or
     rename the infected file, or to continue without action. If you specify
     the 'delete' option, TbScan will delete the infected file automatically,
     without prompting the user first. Use this option if you have determined
     it is a virus infection. Make sure that you have a clean back-up, and
     that you really want to get rid of all infected files at once.

~    kill (ki)
     If TbScan detects a virus in a file it prompts the user to delete or
     rename the infected file, or to continue without action. If you specify
     the 'kill' option, TbScan will delete the infected file automatically,
     without prompting the user first. However, unlike the 'delete' option,
     files which have been killed can not be undeleted anymore. Be careful if
     you use this option. Make sure you have a clean back-up!

     log (lo)
     When you use this option, TbScan creates a log file. The log file lists
     all infected program files, specifying heuristic flags and complete 
     pathnames.

     append (ap)
     If you use this option, TbScan will not overwrite an existing log file
     but append the new information to it. If you use this option often, it
     is recommended to delete or truncate the log file once in a while to
     avoid unlimited growth.
=>   Note: you have to combine this option with option 'log'.

     expertlog (el)
     If you enable this option TbScan will not specify the descriptions of
     the heuristic flags in the log file. 
     
     logname =<filename> (ln)
     With option logname you can specify the name of the log file to be used.
     TbScan will create the file in the current directory unless you specify
     a path and filename after selecting this option. If the log file already
     exists, it will be overwritten. If you want to print the results, you
     can specify a printer device name rather than a filename (logname=lpt1).
=>   Note: you have to combine this option with option 'log'.

     loglevel =<0..4> (ll)
     These levels determine what kind of file information will be stored in
     the log file. The default log level is 1. You may select one of five log
     levels:

     0    Log only infected files. If there are no infected files do not
	  create or change the log file.

     1    Log summary too. Put a summary and timestamp in the log file. Put
	  only infected files in the log file.

     2    Log suspected too. Same as loglevel=1, but now also 'suspected'
	  files are logged. Suspected files are files that would trigger the
	  heuristic alarm if option 'heuristic' had been specified.

     3    Log all warnings too. Same as loglevel=2, but all files that have a
	  warning character printed behind the filename will be logged too.

     4    Log clean files too. All files being processed will be put into the
	  log file.

=>   Note: you have to combine this option with option 'log'.

~    wait =<0..255> (wa)
     This option can be used to delay TbScan, which may be handy if you want
     to scan a very busy network and you don't want to occupy the network too
     heavily. You have to specify the amount of timer ticks you want to insert
     between every two files scanned.

     rename [=<text-mask>] (rn)
     If TbScan detects a file virus it prompts the user to delete or rename
     the infected file, or to continue without action. If you select the
     'rename' option, TbScan will rename the infected file automatically,
     without prompting the user first. By default, the first character of the
     file extension will be replaced by the character 'V'. An .EXE file will
     be renamed to .VXE, and a .COM file to .VOM. This prevents the infected
     programs from being executed, spreading the infection. At the same time
     they can be kept for later examination and repair.

     You may also add a parameter to this option specifying the target
     extension. This parameter should always contain 3 characters; question
     marks are allowed. The default target extension is 'V??'.

~    exec =.<ext-mask> (ee)
     With this option you can add filename extensions which indicate that a
     file is executable. If you want to use this option, you probably want to
     put it in the configuration file. Consult the explanation of the similar
     menu option for more details.


     Examples:
	  TbScan c:\ noboot 

     Process all executable files in the root directory and its
     subdirectories. Skip the bootsector scan.

	  TbScan \*.* 

     Process all files in the root directory. Don't process subdirectories.

	  TbScan c:\ log logname=c:\test.log loglevel=2

     All executable files on drive C: will be checked. A LOG file with the
     name c:\test.log will be created. The log file will contain all infected
     and suspected files.

	  TbScan \ log logname=lpt1

     TbScan will scan the root directory and its subdirectories. The results
     are redirected to the printer rather than to a log file.


     The scanning process

     Choose the 'Start scanning' option in the TbScan menu or start the
     TbScan program from the DOS command line. TbScan will start scanning
     right away.
     
     +-----------------------------------------------------------------+
     |Thunderbyte virus detector v6.04 - (C) 1989-93, Thunderbyte B.V. |
     |                                                                 |
     | TBAV is upgraded every two months. Free hotline support is      |
     | provided for all registered users via telephone, fax and        |
     | electronic bulletin board. Read the comprehensive documentation |
     | files for detailed info. BBS: +31- 85- 212 395                  |
     |                                                                 |
     | C:\DOS\                                                         |
     | ** Unregistered evaluation version. Don't forget to register! **|
     |                                                                 |
     | ANSI.SYS      scanning..>        OK    signatures:        986   |
     | COUNTRY.SYS   skipping..>        OK                             |
     | DISKCOPY.COM  tracing...>        OK    file system:       OWN   |
     | DISPLAY.SYS   scanning..>        OK                             |
     | DRIVER.SYS    scanning..>        OK    directories:        01   |
     | EGA.CPI       skipping..>        OK    total files:        17   |
     | FASTOPEN.EXE  looking...>        OK    executables:        12   |
     | FDISK.EXE     looking...>        OK    CRC verified:       10   |
     | FORMAT.COM    tracing...>   E    OK    changed files:      00   |
     | GRAFTABL.COM  tracing...>        OK    infected items:     00   |
     | GRAPHICS.COM  tracing...>        OK                             |
     | GRAPHICS.PRO  skipping..>        OK    elapsed time:    00:05   |
     |                                        Kb /second:        57    |
     |                                                                 |
     +-----------------------------------------------------------------+

     TbScan divides the screen into three windows: an information window, a
     scanning window and a status window. The information window will
     initially display the vendor information only. 


     While Scanning

     If TbScan detects infected files the names of the file and the virus
     will be displayed in the upper window. The lower left window displays
     the names of the files being processed, the algorithm in use, info and
     heuristic flags, and finally an OK statement or the name of the virus
     detected.


     Example: NLSFUNC.EXE     checking..>    FU          OK
		 |              |            |           |
		 |              |            |           result of scan
		 |              |            heuristic flags
		 |              algorithm being used to process file
		 name of file in process


     You will see comments following each file name: 'looking', 'checking',
     'tracing', 'scanning' or 'skipping'. These refer to the various
     algorithms being used to scan files.

     Other comments that TbScan can display here are the heuristic flags.
     Consult the 'Heuristic flags' chapter (1.3) for more information on
     these warning characters.

     The lower right window is the status window. It displays the number of
     files and directories encountered and the number of viruses found. It also
     displays which file system is being used: either "DOS" or "OWN". The
     latter means that TbScan is able to bypass DOS. If this is the case,
     TbScan reads all files directly from disk for extra security and speed.

     The scanning process can be aborted by pressing Ctrl-Break.


     Detecting Viruses

     As soon as an infected program is found, TbScan will display the name of
     the virus. If you did not specify one of the options 'batch', 'rename'
     or 'delete', TbScan will prompt you to specify the appropriate action.
     If you choose to rename the file, the first character of the file
     extension will be replaced by the character 'V'. This prevents the file
     from being executed by accident before it has been investigated more
     thoroughly. 


     If an infected file is detected, TbScan will display a message:

	  Infected by [name of virus] virus.
	  The file is infected by the virus mentioned.

	  Is Joke named [name of Joke]  
	  There are some programs which simulate that the system is infected
	  by a virus. A joke is completely harmless.

	  Is Trojan named [name of Trojan]
	  The file is a Trojan Horse. Do not execute the program but delete
	  it.

	  Damaged by [name of virus]
	  A damaged file contains - unlike an infected file - not the virus
	  itself, but has been damaged by the virus.

	  Dropper of [name of virus]
	  A dropper is a program that has not been infected itself, but which
	  does contain a bootsector virus and is able to install it in your
	  bootsector.

	  Overwritten by [name of virus]
	  Some viruses overwrite files. An overwritten file contains - unlike
	  an infected file - not the virus itself, but has been overwritten
	  with garbage.

     It is also possible that TbScan encounters a file that seems to be
     infected by a virus, although a signature could not be found. In this
     case TbScan displays the prefix 'Probably' before the message. 


     Program Validation

     If TbScan finds a file to be very suspicious and pops up with the virus
     alert window, you can avoid future false alarms by pressing 'V'
     (Validate program). Note that this only works if there is an Anti-Vir.Dat
     record of the file available. Once a program is validated it will no
     longer be subject to heuristic analysis, unless the program changes and
     does not match the Anti-Vir.Dat record anymore. This will be the case if
     such a file gets infected afterwards, so TbScan will still report
     infections on these files.

=>   Note that a validated program is still subject to the conventional
     signature scanning.


     Heuristic Scanning

     If you have specified the option 'heuristic' it is likely that TbScan
     will find some files which look like a virus, and in this case TbScan
     uses the prefix 'Might be' to inform you about it. So, if TbScan
     displays: 

	  Probably infected by an unknown virus (level 1)
     or:
	  Might be infected by an unknown virus (level 2) 

     it does not necessarily mean that the file is infected. There are a lot
     of files that look like a virus but are not.

=>   The heuristic levels are explained in section IV (page 9).


     False Positives

=>   Important!
     False alarms are part of the nature of heuristic scanning. In default
     mode it is very unlikely that TbScan issues a false alarm. However, if
     you have specified option 'heuristic' some false alarms might occur. How
     to deal with these false alarms? If TbScan thinks it has found a virus
     it tells you the reason for this suspicion. In most cases you will be
     able to evaluate these reasons when you consider the purpose of the
     suspected file.

=>   Note that viruses infect other programs. It is highly unlikely that you
     will find only a few infected files on a hard disk used frequently. You
     should ignore the result of a heuristic scan if only a few programs on
     your hard disk trigger it. But, if your system behaves in a 'strange'
     manner and many programs cause TbScan to issue an alarm with the same
     serious flags, your system could very well be infected by a (yet
     unknown) virus.


     Heuristic flags

     Heuristic flags consist of single characters that are printed behind the
     name of the file that has been processed. There are two kinds of flags:
     the informative ones are printed in lower-case characters; the more
     serious flags are printed in upper-case characters. 

     The lower-case flags are indicative of special characteristics of the
     file being processed, whereas the upper-case warnings may indicate a
     virus. If the 'loglevel' is 3 or above, the important warnings will not
     only appear as a warning character, but there will also be a description
     printed in the log file.

     How should you treat the flags? The less important lower-case flags can
     be considered to be for your information only. They provide you with file
     information you might find interesting. The more serious warning flags
     printed in upper-case MIGHT point towards a virus. It is quite normal
     that you have some files in your system which trigger an upper-case
     flag.
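
The triage rule from 'False Positives' applied to scanning-window lines, as an added example that is not part of the original manual. The sample lines and the lowercase flag 'c' are constructed, the threshold of three files is an assumption (the text only says 'many'), and no meaning is assigned to any flag letter.

```python
import re
from collections import defaultdict

# The five algorithm comments named in the manual.
ALGORITHMS = {"looking", "checking", "tracing", "scanning", "skipping"}
LINE_RE = re.compile(r"^\s*(\S+)\s+([a-z]+)\.*>\s*(.*?)\s*$")

# Constructed sample in the layout of the scanning window; not real output.
SAMPLE = """\
ANSI.SYS      scanning..>        OK
FORMAT.COM    tracing...>   E    OK
NLSFUNC.EXE   checking..>   FU   OK
EDIT.COM      tracing...>   FU   OK
MORE.COM      tracing...>   cFU  OK
TOOL.EXE      checking..>   c    OK
GRAPHICS.PRO  skipping..>        OK
"""


def parse_line(line):
    """Split one window line into file, algorithm, flags and result.
    Returns None for lines that do not follow the layout."""
    m = LINE_RE.match(line)
    if not m or m.group(2) not in ALGORITHMS:
        return None
    # Columns are separated by runs of two or more spaces; the flag
    # column is optional, the result column comes last.
    fields = [f for f in re.split(r"\s{2,}", m.group(3)) if f]
    flags = fields[0] if len(fields) > 1 else ""
    return {
        "file": m.group(1),
        "algorithm": m.group(2),
        "informative": "".join(c for c in flags if c.islower()),
        "serious": "".join(sorted(c for c in flags if c.isupper())),
        "result": fields[-1] if fields else "",
    }


def parse_window(text):
    """Parse every well-formed line of a captured window."""
    entries = (parse_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def shared_serious_flags(entries, min_files=3):
    """Group files by their set of upper-case flags and keep only the
    sets shared by at least min_files files (assumed threshold)."""
    groups = defaultdict(list)
    for e in entries:
        if e["serious"]:
            groups[e["serious"]].append(e["file"])
    return {k: v for k, v in groups.items() if len(v) >= min_files}


if __name__ == "__main__":
    for flags, files in shared_serious_flags(parse_window(SAMPLE)).items():
        print(f"{len(files)} files share serious flags {flags}: {files}")
```

A single file with an upper-case flag (FORMAT.COM above) is left out of the report, matching the advice to disregard isolated heuristic hits.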


Note: ThunderBYTE, ThunderBYTE Anti-Virus Utilities and TbScan are registered
trademarks of ESaSS B.V. (The Netherlands).  ThunderBYTE Anti-Virus
Utilities Evaluationware - TbScan version - has been included with this 
version of Full Shield by special arrangement between Micah Development and
ThunderBYTE North American HQ.