Hi, I have written something similar to VSAFE (PC Tools / "MS DOS")
tonight. My new creation FDSHIELD is a TSR (about 3k binary size,
less if UPXed, and about 2.5k resident size) to protect you from
certain bad surprises...

http://www.coli.uni-sb.de/~eric/stuff/soft/specials/fdshield-10jun2004.zip

C:\HOME\RAMDISK>fdshield.com /?
FreeDOS FDSHIELD virus shield (c) by Eric Auer 6/2004.
Email: <eric*coli.uni-sb.de>. This is free open source
software under GNU Public License (v2, see www.gnu.org).
 
Syntax:
FDSHIELD [/?] [/v] [/t] [/b] [/B] [/w] [/W] [/x]
v: verbose  t: TSR block  x: try exe/sys/com write protect
b: floppy boot protect    B: harddisk boot protect
w: floppy write protect   W: harddisk write protect
WARNING: TSR block halts the system if a new TSR loads!
         Flush write caches before using write protection!
The sabotage check and harddisk format block are always on.
Combining /w and /W simulates read only attribute everythere.



Depending on the activated options, attempts to write to a
boot sector or to a disk in general will 1. fail and 2. lead
to an error message (in verbose mode). The TSR blocker simply
halts the system and displays a message when a program tries
to go TSR (no "program turns itself into TSR by manipulating
MCBs and IDT" detection yet, though).

Other things which trigger the FDSHIELD big stink are:
- attempts to disable TBAV (FDSHIELD pretends that TBAV is in RAM)
- attempts to disable VSAFE / VWATCH (same idea)
- attempts to single-step through int 13, 16 or 21, using a method
  used by TBAV as well, among others...
- attempts to patch the single-step detector or either of two
  simulations of the VSAFE / VWATCH / VSHIELD int 21 dispatcher

Note that FDSHIELD has no virus signature list at all! To scan
your files, use ClamAV ClamScan or some free closed source DOS
virus scanner or just scan your DOS partition from Linux or Windows.
FDSHIELD has no "checksum of programs" database / checking system
either. This means that "MS" VSAFE can do the following things which
FDSHIELD cannot do (but VSAFE takes far more RAM, even if you let it
swap out signatures to EMS / XMS)...:

- scan for viruses / verify checksums on file open
- scan for viruses / verify checksums on program exec
- scan for viruses / verify checksums on program exit
(of those 3, all but scan on open are always on in VSAFE)
- scan boot sectors / verify checksums on VSAFE start
- scan boot sectors / verify checksums on boot sector read
- scan boot sector before warm reboot (not really that useful)

In addition, VSAFE can detect write attempts to program files.
FDSHIELD modifies file open for program files to "open read only"
instead, but this does not protect you from "create / truncate"
overwriting of program files. I wonder how many viruses will be
blocked by this - my intention was to avoid blocking compilers which
have to write to program files when creating them. And of course the
"open read only" may simply cause silent write failures while VSAFE
shows a message exactly when the program file write happens.

You will have noticed that FDSHIELD is completely non-interactive
after you loaded it! VSAFE can be reconfigured later (well, FDSHIELD
can be reconfigured later by patching the flags byte in RAM), both
through an API (which is often abused by viruses) as well as through
some hotkey / popup menu system. I think you should just load FDSHIELD
after loading your TSRs... or load it without the /t option, of course.
If DOS functions get interrupted by some interactive popup, you only
give the user the chance to allow the virus to continue (by selecting
"allow" - I think VSAFE has "allow / deny / reboot" choice!?) and give
the virus the chance to detect that it has been detected, and maybe
even give itself permission to install by interacting with the popup.

FDSHIELD will simply either deny the blocked access or if that is
not possible (anti-shield-action detected, TSR detected) halt the
system. The latter will either mean a complete freeze (should prevent
problems with viruses which get back control over the system) or, in
verbose mode, an automatic reboot after 20 seconds. During the waiting
time some message about the reasons for the big stink is displayed in
80x25 text mode. Should be pretty foolproof but of course if you
accidentally load a useful TSR while TSRs are blocked then you will
basically crash (freeze) the system. Bad luck, no interactive menu.

Happy testing! Enjoy...
...and please comment about missing / suggested features and let me
know if some signature database or checksumming should eventually be
added - especially for boot sectors, although those can be protected
by the BIOS, too - unless the BIOS calls the FreeDOS boot loader a virus...!

Cheers, Eric.
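
The following is an added example, not part of the original post and not FDSHIELD's own code: a small C model of the "open read only" rewrite described above for the /x option, showing which calls it downgrades and why "create / truncate" still gets through. The function names, the treatment of the sharing bits and the sample file names are assumptions; the register values are those of the documented DOS int 21h API.

```c
#include <ctype.h>
#include <string.h>
#include <stdio.h>

/* Simplified model, NOT FDSHIELD's code: how an int 21h filter in the
   style of the /x option could treat file calls. Per the DOS API,
   AH=3Dh opens an existing file with the access mode in AL bits 0-2
   (0 read, 1 write, 2 read/write); AH=3Ch creates or truncates a file.
   Helper names and sample paths are constructed for this example. */
enum { DOS_CREATE = 0x3C, DOS_OPEN = 0x3D };

/* Case-insensitive test for the extensions named in the /x help text. */
static int is_program_file(const char *name)
{
    const char *dot = strrchr(name, '.');
    char ext[4] = {0};
    size_t i;
    if (dot == NULL || strchr(dot, '\\') || strlen(dot + 1) != 3)
        return 0;
    for (i = 0; i < 3; i++) ext[i] = (char)tolower((unsigned char)dot[1 + i]);
    return !strcmp(ext, "exe") || !strcmp(ext, "sys") || !strcmp(ext, "com");
}

/* Returns the AL value that reaches DOS. For AH=3Dh on a program file the
   access bits are forced to 0 (read only); sharing/inherit bits are kept
   (an assumption of this model). Everything else passes through. */
unsigned char filter_al(unsigned char ah, unsigned char al, const char *name)
{
    if (ah == DOS_OPEN && is_program_file(name))
        return (unsigned char)(al & ~0x07u);
    return al;
}

/* 1 if the call can still change the file's contents after filtering. */
int can_modify(unsigned char ah, unsigned char al, const char *name)
{
    if (ah == DOS_CREATE) return 1;   /* truncates the file to length 0 */
    if (ah == DOS_OPEN) return (filter_al(ah, al, name) & 0x07) != 0;
    return 0;
}

int main(void)
{
    /* Constructed sample calls: AH, AL, file name. */
    printf("%d\n", can_modify(DOS_OPEN, 0x02, "C:\\DOS\\EDIT.COM"));   /* 0 */
    printf("%d\n", can_modify(DOS_OPEN, 0x02, "C:\\NOTES.TXT"));       /* 1 */
    printf("%d\n", can_modify(DOS_CREATE, 0x00, "C:\\DOS\\EDIT.COM")); /* 1 */
    return 0;
}
```

In this model the caller of a downgraded open still receives a valid handle, which is why later writes fail silently, as the post notes.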