
How to Diagnose Which Program is Flaky?


Tofu Raster

Sep 22, 1999, 3:00:00 AM

How can somebody, who isn't an uber-programmer-illuminati, find out which
program is causing system instability? No one program seems to obviously
be at fault. Amiga's site does not say which SetPatch is the latest for
OS 3.0.

After years of hearing about SnoopDos I finally got it. Pretty darn
neat. In the midst of a major project I started upgrading some programs,
and adding viruskillers...

Then two things happened. I started having reliability problems (mostly
when starting a program, less often when exiting). And a dir of mine kept
disappearing. I'll include a symptom list that I passed on to the
virus-killer authors, but much of what's in there is what I want to ask
you about. Often I get a yellow alert that pops up (sometimes more than
once in a sequential fashion) and then the program finally gets up and
running. At least half the time this quickly leads to a red alert and
crash. The Guru #'s tend to be 8100 000c (or 0005) and 0100 000c.

SnoopDos usage in particular:

1) How do I make SnoopDos stay hidden (it keeps popping up) and
automatically start logging? I can't seem to make it behave.

2) With all these recoverable alerts (which usually lead to a crash), how
can I use snoopdos to figure out what program is the problem? I suspect
there's a program changing some vital system structure or pointer or
something, that in turn, is causing other programs to mess up.

related:

Some of the things I should mention are the other symptoms I've
noted. Let me explain what else is happening besides the chronic
vanishing of VirusChecker_II's directory and all its sub-contents:

I installed VirusExecutor 182e (I have 183 as of Sept.19), VirusZ II
(pre-III 1.44) and VirusZ III (0.92b), VT3.16 and Virus_CheckerII 2.3 in
preparation for some new software I was going to install. This means I
also got the newer libraries and programs (like PPGuide and AmigaGuide)
that came with some of these anti-virus archives. BTW are there any
programs or libraries known to conflict with any anti-viral software? I
got the anti-virus programs from one of the VHT sites.

Personally I suspect a malicious virus or trojan because a virus-killer
like Virus_CheckerII seems to be a target, with the only other currently
obvious clues being system instability.

As soon as I installed and started making use of them, I noted that my
View80 II v2.0 textviewer (by Federico Giannici) started to either crash
my system on exit, or upon starting up issue a yellow recoverable error
alert. Sometimes afterwards, upon attempting to load and run any other
program, the same yellow recoverable alert would occur. The only libs it
uses AFAIK are arp and powerpacker v35.344 (6036 bytes). I have always
kept View80 powerpacked itself with never any problems. I do not run any
system patches to unpack files. Many of my programs have long been
powerpacked to save space. I should also note that I have recently
compressed about 30-50 more programs on my HD to make room for the news
programs I was installing.

In general there has been a marked increase in all-around instability.
More alerts, more freezing, more crashing. Even when I've just booted up
and haven't run much yet.

Among the new software I installed:
CycleToMenu v37.6
PowerSnap v37.326 (upgraded for earlier version).

I also installed CrossMac 1.03 and CrossDOS 7.04 Gold. I have re/moved
all their dosdriver entries, etc., to Storage so that none of it runs at
bootup. So unless they're already infected, and in turn have altered some
libraries or something, I don't think they're too likely to have been the
problem. I installed CrossMac 1.03 first (it was older) and it replaced
some system files. A couple of days later we installed CrossDOS which was
even newer and overwrote some of the files that CrossMac installed. All
of this seems normal. The only thing I'm running (as many are) is the
Mount command that CrossDOS's installer sticks in your C: thus overwriting
the normal one that came with the Amiga. HiSoft's installers are
similarly obnoxious. I have about 5 different mount commands around here
so far. The one installed by CrossDOS says it's 42.0 (6460 bytes). There
is a CrossMac assign and it's now on my command path but that shouldn't be
able to do anything suspect unless I actually run any of the Consultron
CrossMac/DOS software.

I also installed the SetPatchMrgCop that came with my copy of
Brilliance but removed it from my user-startup as I initially thought it
was causing the instability.

I always used all 3 anti-viral programs to check everything before
installing anything. When exiting VirusExecutor a window always opens on
WB saying "no files to delete". This always seemed odd to me. Probably
nothing.

Whatever's going on, something is seeking out virus-killing programs and
deleting them. And it's beyond my ability to figure out what's happening.
I wonder if something nasty has hidden itself in some packed file.


Eelke Blok

Sep 22, 1999, 3:00:00 AM

Well, I'm just guessing here, but I can imagine that running several
virus programs (if that is what you do) can cause trouble. They all try
to keep an eye on the same resource, fail at it because another is doing
something to it, etc. Maybe that's something to have a look at?

As a more general way of finding out what program is causing trouble,
you should try to find out exactly when the trouble started. If you
can't, the only real option is to remove them all, and gradually add
programs until the behaviour returns. Snoopdos can't really help you
find the culprit, I guess. It only tracks file activity, which may or
may not cause the problem. It doesn't say anything about all the other
aspects of the system.

Running a lot of system patches, especially ones that are "related" is
generally a bad idea. (Not that I know you are, of course :)

> Personally I suspect a malicious virus or trojan because a virus-killer
> like Virus_CheckerII seems to be a target, with the only other currently
> obvious clues being system instability.

Well, it indeed is strange that the directory disappears. I hope my
suggestions help.

Cheers,

Eelke
--
Eelke Blok, student Electrical Engineering, University of Twente
http://home.student.utwente.nl/e.blok ICQ: 19514933
Amiga-page: http://home.student.utwente.nl/e.blok/amiga
"Our Lady of Blessed Acceleration, don't fail us now!" - Elwood Blues

Matt Hey

Sep 22, 1999, 3:00:00 AM
** To reply in e-mail, remove "jobzom." from address **

On Wed, 22 Sep 1999 04:42:18 -0500, Tofu Raster wrote about How to Diagnose Which Program is Flaky?:


>
> Personally I suspect a malicious virus or trojan because a virus-killer
> like Virus_CheckerII seems to be a target, with the only other currently
> obvious clues being system instability.

Looking for unknown link viruses (most common kind) is easy. Compare the
filesize of the files on the OS disks (the disks need to be write protected)
to what's installed on your HD. If several have grown in size that shouldn't
have then you probably have a link virus. Also the suspected files can be
viewed for ASCII (type command) and may have the name of the virus (like
Happy New Year!) or other messages usually toward the end of the file. This
method isn't foolproof but if your virus checkers are compromised or the
virus is new this is the simplest way to check for a virus.

> I also installed CrossMac 1.03 and CrossDOS 7.04 Gold. I have re/moved
> all their dosdriver entries, etc., to Storage so that none of it runs at
> bootup. So unless they're already infected, and in turn have altered some
> libraries or something, I don't think they're too likely to have been the
> problem. I installed CrossMac 1.03 first (it was older) and it replaced
> some system files. A couple of days later we installed CrossDOS which was
> even newer and overwrote some of the files that CrossMac installed. All
> of this seems normal. The only thing I'm running (as many are) is the
> Mount command that CrossDOS's installer sticks in your C: thus overwriting
> the normal one that came with the Amiga. HiSoft's installers are
> similarly obnoxious. I have about 5 different mount commands around here
> so far. The one installed by CrossDOS says it's 42.0 (6460 bytes). There
> is a CrossMac assign and it's now on my command path but that shouldn't be
> able to do anything suspect unless I actually run any of the Consultron
> CrossMac/DOS software.

I agree. CrossDOS should ask in the installation before installing the new
version of mount. This version (42.0) of mount does look ok and I even suspect
that it was put out by C=/Amiga and not rewritten by Consultron.

> Whatever's going on, something is seeking out virus-killing programs and
> deleting them. And it's beyond my ability to figure out what's happening.
> I wonder if something nasty has hidden itself in some packed file.

That would be one mean virus.

Matt Hey (http://www.kcinter.net/~matthey)
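
The size comparison and end-of-file text check described in the post above, as an added example that is not part of the original thread. It assumes both trees (the write-protected OS disk contents and the HD install) have been copied somewhere Python can read them; the function names, the 512-byte tail window and the 6-character minimum run are assumptions, and the sample files are constructed. A file that was legitimately replaced by a newer version will also be reported as grown.

```python
import os
import re
import tempfile
from pathlib import Path

TAIL_BYTES = 512  # assumption: the post only says "toward the end of the file"
MIN_RUN = 6       # assumption: shortest printable run worth reporting

def tail_strings(path, tail=TAIL_BYTES, min_run=MIN_RUN):
    """Printable ASCII runs in the last `tail` bytes of a file."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - tail))
        data = fh.read()
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_run, data)]

def compare_trees(reference_root, installed_root):
    """List (relative path, status, size delta, tail strings) for each mismatch."""
    findings = []
    for dirpath, _dirs, files in os.walk(reference_root):
        for name in files:
            ref = os.path.join(dirpath, name)
            rel = os.path.relpath(ref, reference_root)
            inst = os.path.join(installed_root, rel)
            if not os.path.isfile(inst):
                findings.append((rel, "missing", 0, []))
                continue
            delta = os.path.getsize(inst) - os.path.getsize(ref)
            if delta > 0:  # grew: the symptom the post says to look for
                findings.append((rel, "grown", delta, tail_strings(inst)))
    return sorted(findings)

def demo():
    """Constructed sample: three reference files; on the 'HD' one grew, one is gone."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, hd = Path(tmp, "ref"), Path(tmp, "hd")
        (ref / "C").mkdir(parents=True)
        (hd / "C").mkdir(parents=True)
        body = b"\x00\xff" * 500  # constructed stand-in for program code
        for name in ("Dir", "List", "Type"):
            (ref / "C" / name).write_bytes(body)
        (hd / "C" / "Dir").write_bytes(body)
        (hd / "C" / "List").write_bytes(body + b"\x03CONSTRUCTED MARKER\x07" + b"\x00" * 12)
        return compare_trees(ref, hd)

if __name__ == "__main__":
    for rel, status, delta, strings in demo():
        print(f"{status:8} {delta:+6} {rel} {strings}")
```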
