Hi, I have written something similar to VSAFE (PC Tools / "MS DOS") tonight. My new creation FDSHIELD is a TSR (about 3k binary size, less if UPXed, and about 2.5k resident size) to protect you from certain bad surprises...

http://www.coli.uni-sb.de/~eric/stuff/soft/specials/fdshield-10jun2004.zip

C:\HOME\RAMDISK>fdshield.com /?
FreeDOS FDSHIELD virus shield (c) by Eric Auer 6/2004. Email: .
This is free open source software under GNU Public License (v2, see www.gnu.org).
Syntax: FDSHIELD [/?] [/v] [/t] [/b] [/B] [/w] [/W] [/x]
  v: verbose
  t: TSR block
  x: try exe/sys/com write protect
  b: floppy boot protect
  B: harddisk boot protect
  w: floppy write protect
  W: harddisk write protect
WARNING: TSR block halts the system if a new TSR loads!
Flush write caches before using write protection!
The sabotage check and harddisk format block are always on.
Combining /w and /W simulates read only attribute everythere.

Depending on the activated options, attempts to write to a boot sector or to a disk in general will 1. fail and 2. lead to an error message (in verbose mode). The TSR blocker simply halts the system and displays a message when a program tries to go TSR (no "program turns itself into TSR by manipulating MCBs and IDT" detection yet, though).

Other things which make FDSHIELD big stink trigger are:
- attempt to disable TBAV (FDSHIELD pretends that TBAV is in RAM)
- attempts to disable VSAFE / VWATCH (same idea)
- attempts to single-step through int 13, 16 or 21, using a method used by TBAV as well, among others...
- attempts to patch the single-step detector or either of two simulations of the VSAFE / VWATCH / VSHIELD int 21 dispatcher

Note that FDSHIELD has no virus signature list at all! To scan your file, use ClamAV ClamScan or some free closed source DOS virus scanner or just scan your DOS partition from Linux or Windows. FDSHIELD has no "checksum of programs" database / checking system either.
This means that "MS" VSAFE can do the following things which FDSHIELD cannot do (but VSAFE takes far more RAM, even if you let it swap out signatures to EMS / XMS)...:
- scan for viruses / verify checksums on file open
- scan for viruses / verify checksums on program exec
- scan for viruses / verify checksums on program exit
  (of those 3, all but scan on open are always on in VSAFE)
- scan boot sectors / verify checksums on VSAFE start
- scan boot sectors / verify checksums on boot sector read
- scan boot sector before warm reboot (not really that useful)

In addition, VSAFE can detect write attempts to program files. FDSHIELD modifies file open for program files to "open read only" instead, but this does not protect you from "create / truncate" overwriting of program files. I wonder how many viruses will be blocked by this - my intention was to avoid blocking compilers which have to write to program files when creating them. And of course the "open read only" may simply cause silent write failures while VSAFE shows a message exactly when the program file write happens.

You will have noticed that FDSHIELD is completely non-interactive after you loaded it! VSAFE can be reconfigured later (well, FDSHIELD can be reconfigured later by patching the flags byte in RAM), both through an API (which is often abused by viruses) as well as through some hotkey / popup menu system. I think you should just load FDSHIELD after loading your TSRs... or load it without the /t option, of course.

If DOS functions get interrupted by some interactive popup, you only give the user the chance to allow the virus to continue (by selecting "allow" - I think VSAFE has "allow / deny / reboot" choice!?) and give the virus the chance to detect that it has been detected, and maybe even give itself permission to install by interacting with the popup. FDSHIELD will simply either deny the blocked access or if that is not possible (anti-shield-action detected, TSR detected) halt the system.
The latter will either mean a complete freeze (should prevent problems with viruses which get back control over the system) or, in verbose mode, an automatic reboot after 20 seconds. During the waiting time some message about the reasons of the big stink is displayed in 80x25 text mode.

Should be pretty foolproof but of course if you accidentally load a useful TSR while TSRs are blocked then you will basically crash (freeze) the system. Bad luck, no interactive menu.

Happy testing! Enjoy...

...and please comment about missing / suggested features and let me know if some signature database or checksumming should eventually be added - especially for boot sectors, although those can be protected by the BIOS, too - unless the BIOS calls the FreeDOS boot loader a virus...!

Cheers, Eric.
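
The "open read only" behaviour of /x and the create / truncate gap described in the message, as an added example that is not part of the original post and not FDSHIELD's own code (the real TSR is assembly). The function names, the verdict enum and the extension check are assumptions made for illustration; the INT 21h function numbers and the AL access-mode bits are the standard DOS ones.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* INT 21h function numbers (value of AH) that matter here. */
#define DOS_CREATE 0x3C /* create file, or truncate it if it exists */
#define DOS_OPEN   0x3D /* open existing file; AL bits 0-2 = access mode */

enum verdict { PASS_UNCHANGED, FORCED_READ_ONLY };

/* True if the name ends in .EXE, .SYS or .COM (case-insensitive). */
static int is_program_file(const char *name)
{
    static const char *const ext[] = { "EXE", "SYS", "COM" };
    const char *dot = strrchr(name, '.');
    if (dot == NULL || strlen(dot + 1) != 3)
        return 0;
    for (int i = 0; i < 3; i++) {
        int j = 0;
        while (j < 3 && toupper((unsigned char)dot[1 + j]) == ext[i][j])
            j++;
        if (j == 3)
            return 1;
    }
    return 0;
}

/* Assumed model of the /x filter: only AH=3Dh on a program file is touched.
 * Access mode 0 means read only, so clearing bits 0-2 removes write access
 * while leaving the sharing and inheritance bits of AL alone. */
enum verdict filter_int21(unsigned char ah, unsigned char *al, const char *name)
{
    if (ah == DOS_OPEN && is_program_file(name) && (*al & 0x07) != 0) {
        *al &= 0xF8;
        return FORCED_READ_ONLY;
    }
    return PASS_UNCHANGED; /* includes AH=3Ch create/truncate: the stated gap */
}

int main(void)
{
    /* Constructed sample calls, not captured from a real system. */
    unsigned char al = 0x02; /* read/write */
    enum verdict v = filter_int21(DOS_OPEN, &al, "TOOL.EXE");
    printf("open   TOOL.EXE -> verdict %d, AL=%02X\n", v, al);
    v = filter_int21(DOS_CREATE, &al, "TOOL.EXE");
    printf("create TOOL.EXE -> verdict %d\n", v);
    return 0;
}
```

Because the downgraded open still succeeds, a later write through that handle fails only at write time, which is the silent failure the message mentions.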