Sophos InterCheck Release Notes
                  -------------------------------

                  Version 4.04, 15 October 1998


Contents
--------

1.  Installation and upgrade
2.  Modifications from version 4.03
3.  New features in version 4
4.  Known Problems
5.  Compatibility issues
6.  Acknowledgments


1. Installation and upgrade
---------------------------

Version 4.04 of InterCheck requires:

    Sweep version 3.15 or above.

Please consult the appropriate SWEEP manual for instructions on 
installing InterCheck.


2. Modifications from version 4.03
----------------------------------

i. Long file names in networked mode
------------------------------------
Version 4.03 could cause fatal "blue-screen" error messages from
Windows 95 when the following conditions were all true:
a. InterCheck is operating in networked mode
b. The PopupDisplay= option in INTERCHK.CFG is set to ALL
c. InterCheck needs to authorise a file whose name including 
   extension is longer than 32 characters excluding path 
   information.

The setting in (b) is the default.

This problem has been resolved.

ii. Thread data slot usage reduced
----------------------------------
Thread data slots are very scarce resources in Windows 95 and
Windows 98.  Windows 95 has a total of twelve, at least seven of
which are used by Windows 95 itself.  InterCheck 4.04 requires
only one of these; InterCheck 4.03 required two.

iii. "0 viruses found" reports
------------------------------
InterCheck 4.03 for Windows 95/98 would infrequently report
"0 viruses found" with a white cross in a red circle icon.  
InterCheck version 4.04 resolves this problem.

iv. Windows-only mode of operation for InterCheck for DOS
---------------------------------------------------------

The new Windows-only mode of operation for InterCheck for DOS
is selected by the WindowsOnly= configuration file option
described below:

WindowsOnly=YES|NO                                    (DOS ONLY)
When this option is set to YES, InterCheck for DOS will allow 
all file and disk access while Windows is not active.  As soon 
as Windows loads the Sweep VxD, InterCheck becomes fully active, 
and programs, documents, and disks will be swept on access.

This has the effect of allowing free access to the machine to 
start Windows without an InterCheck server, and without a full
sweep of the files on the local hard disk(s).  On the other 
hand, it also allows the user to use the machine without 
InterCheck's protection.

If the SweepVxDLoad=YES option is not present in the INTERCHK.CFG
file, then this option is forced to be NO.  The default is NO.


3. New features in version 4
----------------------------

i. 'On-the-fly' disinfection
----------------------------
This version of InterCheck supports 'on-the-fly' disinfection for 
stand-alone Windows and Windows 95 InterCheck clients. This option 
is disabled by default. It can be enabled using the following 
configuration file options IN THE SWEEP VXD SECTIONS (see below):

DisinfectDocuments=YES|NO

When this option is enabled  the Sweep VxD will try to disinfect 
Word/Excel viruses.

DisinfectDisks=YES|NO

When this option is enabled  the Sweep VxD will try to disinfect 
boot sector viruses.

For example, to enable both forms of disinfection for all users
running Windows 95, use the following in INTERCHK.CFG:

	[SweepVxDW95Global]
	DisinfectDocuments=YES
	DisinfectDisks=YES

These configuration options are only valid in the Sweep VxD 
configuration sections of the InterCheck configuration file. The 
Sweep VxD section identifiers are described later.

All documents reported as having been disinfected should be 
reviewed to ensure that the virus made no changes to the content.

Disinfection of boot sector viruses is not supported for NEC
PC-9800 series machines.

ii. New user Interface for Windows 95/98 InterCheck clients
-----------------------------------------------------------
Windows 95/98 InterCheck clients have a new user interface. This 
is fully described in the manual supplement "Windows 95/98 
InterCheck GUI" which is available in PDF format.

iii. Novell IntraNetWare/Client32 support
-----------------------------------------
InterCheck is now fully compatible with the Novell IntraNetWare 
client and the Novell NetWare Client32 network drivers for DOS, 
Windows and Windows 95.

iv. Support for the NEC PC-9800 series computers
------------------------------------------------
The InterCheck for Windows 95/98 client has been modified to 
operate correctly on NEC PC-9800 series computers. However, not 
all the standard InterCheck functions are available; requesting 
authorisation messages are not displayed in full screen DOS boxes 
and InterCheck does not prevent a restart when an infected 
floppy disk has been left in the floppy drive.

Disinfection of boot sector viruses is not supported for NEC
PC-9800 series machines.

At present, InterCheck 4.04 has been tested only on the following
PC-9800 models:

	PC9821 La13 laptop with Windows 95 version 4.00.950B
	PC9821 Xa13 desktop with Windows 95 version 4.00.950A

As more PC-9800 models are tested, they will be added to this list.
For more information, contact Sophos or your local distributor.

v. Automatic installation
-------------------------
The iclogin program can now be used from a login script to 
automatically install the stand-alone Windows 95 InterCheck client 
on a workstation. This option is enabled using the '-9' command 
line option. For a description of how to use this feature please 
refer to the description of the iclogin '-a' option in the 
appropriate SWEEP manual. The '-a' option automatically installs 
the stand-alone Windows 3.x InterCheck client on a workstation.

vi. Removing the networked Windows 95 InterCheck client
-------------------------------------------------------
The networked Windows 95 InterCheck client installs an additional 
VxD (icstatic.vxd) on the workstation the first time the client is 
activated. Simply removing the central InterCheck installation 
from the server will not remove the locally installed VxD. The 
following command must be used to remove the VxD from the 
workstation:

    ICLOAD95 -remove

Note: The VxD must be loaded very early in the computer’s boot 
sequence to ensure that the InterCheck client can correctly 
intercept all file activity. Therefore it cannot be started from 
the network. 

vii. Sweep VxD configuration file sections
------------------------------------------
The following section headers may be used in the InterCheck 
configuration file to pass information to the SWEEP VxD. 

    [SweepVxDGlobal]
    [SweepVxDDOSGlobal]
    [SweepVxDW95Global]

    [SweepVxDWorkStation]
    [SweepVxDDOSWorkStation]
    [SweepVxDW95WorkStation]

The distinctions between global and workstation specific sections, 
and between general, DOS specific, and Windows 95 specific 
sections are the same as for the InterCheck configuration section 
headers.

viii. New configuration file options
------------------------------------
The following new InterCheck configuration options have been 
introduced:

AllowRestartLater=YES|NO                   (Windows 95 ONLY)

The first time that the Windows 95 InterCheck client is used on a 
workstation the computer must be restarted before InterCheck can 
provide protection from viruses. By default the computer is 
automatically restarted after a short delay. However, if 
AllowRestartLater is YES, InterCheck allows the user to restart 
the computer at a later time.

AltCommsDir=<Communication directory>

This option is now supported by the Windows 95 InterCheck client. 
Please refer to the appropriate SWEEP manual for more information.

CheckFloppyOnShutdown=YES|NO               (Windows 95 ONLY)

InterCheck normally checks the floppy disk in drive A: before 
allowing the computer to be shut down.  This feature can be 
disabled by setting CheckFloppyOnShutDown to NO. 

PurgeChecksumsNow                          (Windows 95 ONLY)

This option instructs the InterCheck loader to purge the checksums 
every time InterCheck is started. The option is designed to be 
used for a limited period after a virus incident in order to force 
InterCheck to re-sweep all files for viruses. 

RestartTimeout=<time in seconds, 0-120>    (Windows 95 ONLY)

The delay before the automatic restart, described above, is 
controlled by this option.  The default value is 15 seconds. It 
can be set to zero for an immediate restart.

UseProgramExtensionsForSweep=YES|NO

This option influences what files will be swept as InterCheck 
starts. By default, InterCheck now allows SWEEP to decide what 
file extensions represent files that need to be checked for 
viruses. Setting UseProgramExtensionsForSweep to YES forces SWEEP 
to use the list of extensions defined by the ProgramExtensions 
configuration option. Please note that this represents a change in 
default behaviour. 

AddProgramExtension=ext
This option adds ONE extension to the ProgramExtensions list, but 
leaves the existing list alone.  Note that if this option precedes 
a ProgramExtensions= option, the single extension is discarded.
To add "no extension" to the list, use a dot by itself.

DriverIoChecking=YES|NO                        (Windows 95 ONLY)
If set to NO, this will suppress interception of certain types of 
file I/O operations executed by other VxDs in the system.  Use 
this option to avoid problems (such as lock-ups) that can occur 
when InterCheck intercepts these calls.  One third-party product 
that definitely requires this switch set to NO is ZIPMagic (1.0 
and 98) from Mijenix.  The default is YES.

DriveType=x:,type                              (Windows 95 ONLY)
This option allows the user to override the system's assignment 
of drive types.  It is primarily intended for use in the form 
DriveType=A:,FLOPPY which allows InterCheck to start up without 
a delay on systems which have no A: floppy drive.  It can also 
be used where a PC boots up from a removable C: drive in order 
to force InterCheck to treat the removable drive as if it is a 
fixed hard disk.

x: may be any drive letter from A: to Z: (or a: to z:)

type may be one of:
        for floppy and other removable drives:
                FLOPPY    REMOVABLE
        for non-removable drives:
                FIXED     HARD DISK   HARDDISK
        for mapped network drive letters:
                NETWORK   REMOTE
        for CD-ROM drives:
                CDROM     CD
        for RAM disks:
                RAMDISK
        when the drive doesn't exist:
                ABSENT    NONE

Only FLOPPY/REMOVABLE and FIXED/HARD DISK/HARDDISK have any 
special meaning in InterCheck 4.04; this may change in later 
versions.

NOTE:
This option only affects the actions taken by InterCheck 
during startup.

4. Known Problems
-----------------

i. System lock-ups with OCR packages
------------------------------------
Sophos has had reports about system lock-ups ("hangs") when using
optical character recognition (OCR) packages and InterCheck 4.  
If this problem occurs, you can switch to using InterCheck 3 
instead, but please report it to Sophos, including the following 
information:
        OCR package name, version, and manufacturer.
        Windows 95 version from "My Computer" properties.
        Scanner manufacturer, model, and driver version.
        What you were doing when the system locked up.


5. Compatibility Issues
-----------------------

i. Norton Utilities 3.0 and Internet Explorer 4.0
-------------------------------------------------

One of these packages, or the combination, introduces something 
into the system that causes the computer to lock up while 
InterCheck is conducting the initial sweep.  Testing at Sophos
revealed that the InterCheck file/disk access interception
code is not involved in any way in this.  We have identified
at least one contributory factor, and a fix for that part of the 
problem will be implemented in a future release of InterCheck.

We are investigating the problem further.

ii. Eudora
----------
When Eudora is configured by a command line option to use a 
network drive for its files, InterCheck causes it to be very
slow.  This is caused by InterCheck's file type detection trying 
to identify the kind of file being accessed.

The main "culprit" file is eudora.ini.  You can improve 
performance by putting:

    Exclude=eudora.ini

in INTERCHK.CFG.

iii. Mijenix Corporation's ZIPMagic
-----------------------------------
InterCheck 4.04 for Windows 95/98 requires the use of the
DriverIoChecking=NO configuration file option when used with
either ZIPMagic 1.0 or ZIPMagic 98.

iv. Windows 95 AS/400 Client Access
-----------------------------------
When used with Windows 95 AS/400 Client Access V3 R1 M2, the
networked InterCheck client requires Service Pack level SF47544.

With previous versions of the Client Access software, the Check 
Version utility (installed by default into the Startup group) 
would hang the PC with InterCheck present.

The stand-alone InterCheck client cannot be used with AS/400
Client Access because the Sweep95 VxD is unable to open files 
stored on the AS/400. The only solution at present is to use 
the networked InterCheck client.

v. QEMM version 6.02
--------------------
InterCheck for DOS will cause the system to hang in response to 
CTL-ALT-DEL if it is loaded high using QEMM v6.02. However, the 
diskette in the A drive will be checked for viruses before the 
system hangs so that the integrity of InterCheck is not 
compromised. There are a number of possible solutions:
        
a) Upgrade to QEMM version 7. 
b) Load InterCheck into low memory using the LoadLow=YES 
   configuration option.
c) Use the QEMM nr (norom) option. However this does not work with 
   the stealth option.

vi. 386Max version 6.01d
------------------------
InterCheck for DOS cannot load high when version 6.01d of the 
386Max memory manager has been installed. An error message "Memory 
allocation error"  is displayed after InterCheck has run SWEEP. 
Use the LoadLow configuration option to load InterCheck into low 
memory. Alternatively upgrade to 386Max version 6.02 or above.

vii. NetWare 4.01
-----------------
The ICLOGIN program is not compatible with the version of the 
LOGIN program supplied as part of NetWare 4.01. In order to use 
the ICLOGIN program you must upgrade the Novell login program to 
version 4.08 or later. Version 4.08 of LOGIN.EXE can be obtained, 
by all registered users of NetWare 4.01, as part of the "Novell 
4.01 Upgrade kit Vol.1 No.1".

viii. MSD versions 2.10 and 2.11
--------------------------------
The Microsoft diagnostic program, MSD.EXE, supplied with Windows 
3.11 and DOS 6.x, does not work correctly with InterCheck. Unless 
the Novell LSL driver has been loaded before installing 
InterCheck, the MSD program will crash while initially examining 
the system, with unpredictable results. The problem has been fixed 
in version 2.13 of the MSD program, supplied with Windows 95. 

ix. Other memory resident Anti-Virus products
---------------------------------------------
We do not recommend using InterCheck when other memory resident 
anti-virus are active. Attempting to run multiple anti-virus 
products in this manner will cause the system to run extremely 
slowly. In some cases the system may also become unstable.


6. Acknowledgments
------------------

This product uses the SPAWNO routines by Ralf Brown to minimise 
memory use while shelling to DOS and running other programs.


                         ----------------


       Sophos Plc, The Pentagon, Abingdon, OX14 3YP, England
                Tel 01235 559933 o Fax 01235 559935


             Sophos Plc, 2, Place de la Defense, BP240, 
		  92053 Paris la Defense, France
                Tel 01 46 92 24 42 o Fax 01 46 92 24 00


     Sophos GmbH, Am Hahnenbusch 21, D-55268 Nieder-Olm, Germany                               
                Tel 06136 91193 o Fax 06136 911940


         Sophos Inc, 18 Commerce Way, Woburn, MA 01801, USA
                Tel 781 932 0222 o Fax 781 932 0251


                   Sales email sales@sophos.com
            Technical support email support@sophos.com
                    Web http://www.sophos.com/