What's New in VirusScan for Windows 3.1x v2.5.3 (9611) Copyright 1994-1996 by McAfee, Inc. All Rights Reserved. Thank you for using McAfee's VirusScan for Windows 3.1x. This What's New file contains important information regarding the current version of this product. It is highly recommended that you read the entire document. McAfee welcomes your comments and suggestions. Please use the information provided in this file to contact us. ___________________ WHAT'S IN THIS FILE - New Features - Known Issues - Installation - Documentation - Frequently Asked Questions - Contact McAfee ____________ NEW FEATURES VirusScan now supports centralized alerting and reporting to a remote NetWare or Windows NT server. Using NetShield for NetWare v2.3.3 or NetShield for Windows NT v2.5.3, client alerts and reports can be redistributed or compiled at the central server location for ease of management. * ENHANCEMENTS * 1. VirusScan for Windows 3.1x now implements VShield as a virtual device driver (VxD). This replaces the VShield Terminate and Stay Resident (TSR), enhancing features and reducing the memory footprint. VShield operates directly in the Windows environment, no longer relying on a DOS TSR. 2. A VxD is a filter to prevent the spread or activation of Macro viruses attempting to replicate within Windows applications, such as Microsoft Word for Windows. 3. When a virus is found, VShield's VxD can be pre-configured to prompt the user for action or to automatically repair, quarantine, deny access to, or delete infected files. 4. McAfee's VShield VxD allows the user to configure when to conduct a scan (for example: on file run, copy, create, or rename; on floppy disk access) and which files to include. 5. During installation, the DOS scanner provides the user with the options of scanning the drive at boot up and appending the installed directory to the path. 6. During installation, the option of loading VShield into memory upon starting Windows is provided to the user. * NEW VIRUSES DETECTED * This DAT file (9611) detects the following 129 new viruses. Locations that have experienced particular problems with specific viruses are also identified. _922 Germany _1000 US _2673 Philippines APOCALIPSE.1685 Portugal APRIL1A.798 APRIL1B.797 AREQUIPA.1994 Peru ASBV ASH.302 ASMODEOUS.1437 ASSIGN.653 ATOM BANDUNG.A US/Indonesia BANDUNG.B BARAN.2978 BARAN.3001 BNB.498 BR.1180 BW.790 CACO.3310 Peru CHANDI US CHAPA.447 CHAPA.448 CHERRY.2266 COMP.180 CONCEPT.I CONCEPT.L CONCEPT.M CONCEPT.N CONCEPT.P COOL.929 COREA.926 COUP.2062 CRAWLER.545 CRIM_WW CYBERTECH.668 DAN.1784 DELTREE TROJAN DEMON3B.4313 DINA.271 DINA.283 DIR-II.1536.G DIR-II.AS DREAMER.8869 DST.330 DST.347 DST.396 DSTAR.223 EASY Internet EDOL.832 EXEHEADER.VLAD.337 EXTRACTJPG.TROJAN FATHER_MAC.1382 FAULT.9209 FORMATC:TROJAN FSN.1279 GANGSTERZ Internet H-ANDROMED.594 HELGA.666.B HELPER US HIDER.2143 INCH INFERNO.781 JASON.626 JOVIAL.503 JUICE.305 KALO.1464 KOSKON.313 LATER.981.B LD93.1217 Australia LUNCH.783 MACGYVER.4112 (MBR) Taiwan MAIDEN.891 MARKUS.5415 MBRK.714 MDMA.C US MINZ.470 MIXTURA.1000 MOSCA.1278 MURCIA.4651 NPOX.1186 OKTUBRE.1784 OUTLAW Internet PELIGRO.1206 Peru PHARDERA Internet PIRANIA.1617 PROTOVIRUS.720 PS-MPC.504 Peru RESCUE 911.3774 Saudi Arabia ROTATOR.864 SALAMANDER.888 SANLORENO.1025 SAVER:DE Internet SCROLL.600 SHOWOFXX Australia SIERRA.D US SILLY.745 SMILEY:DE Germany SPEC.907 SPOOKY:DE Internet STEATODA.1623 Israel STRYX:DE Internet SUPERF.1175 SVC.3103 South America SYSKLL.290 T555.556 TAURUS.1852 THEATRE:TW (*) Taiwan THEATRE.A:TW (*) Taiwan TREBUJENA.1094 TRIVIAL.44.F TRIVIAL.45.H TRIVIAL.52 TRIVIAL.53.A TRIVIAL.119 TRIVIAL.284 TROOPER.2259 TWNO:TW (*) Taiwan TWNO.B:TW (*) Taiwan TWNO.C:TW (*) Taiwan UNHAPPY.763.A UNHAPPY.763.B VCC.620 VCS.799 WAZZU.J WAZZU.O WAZZU.P US WEATHER:TW(*) Taiwan WAZZU.Q US ZGENRAT.785 US (*) Infects double-byte (omnicode) versions of Word, which include Japanese, Korean, Chinese, and Simplified Chinese. * NEW VIRUSES REMOVED * This DAT file (9611) removes the following 112 new viruses. Locations that have experienced particular problems with specific viruses are also identified. 666 _922 Germany _1000 US 1946 _2673 Philippines ARALE AREQUIPA.1994 Peru ASBV AWAITS.500 BABY_L.674 BADSIZE.369 BANDUNG.B BARAN.2978 BARAN.3001 BARROTES.840 Spain BNB.498 BR.1180 BRBI.KOBRIN.492 CACO.2965 CACO.3310 Peru CARRYON.534 CHANDI US CHAPA.447 CHAPA.448 CONCEPT.I CONCEPT.L CONCEPT.M CONCEPT.N CONCEPT.P COOL.929 COREA.926 COUP.2062 DEARFRIEND.524 DOPERLAND.490 DREAMER.4808 DREAMER.8869 DUNE.483 EASY Internet EUPM.1731 F-YOU FIFO.333 FORMAS.1146 FORMATC:FORMAT GANGSTERZ Internet GENE.1991 GENIUS H-ANDROMED.594 HELPER US INCH.386 INT4B.231 INT4B.242 IVP.BUBBLES.684 US KALI-4 KOSKON.313 LD93.1217 Australia LOVEBUZZ.591 LUNCH MACGYVER.4112 Taiwan MANTRA.719 MARKUS.5415 MDMA.C US NPOX.1186 OMEGA OUTLAW Internet PELIGRO.1206 Peru PHARDERA Internet PS-MPC.504 Peru PUPPETS.960 RESCUE 911.3774 Saudi Arabia SAVER:DE Internet SHOWOFXX Australia SIERRA.D US SILLYC.90 SILLYC.155.B SILLYC.165 SILLYC.200.B SILLYC.202 SILLYC.226 SILLYC.316 SILLYC.373 SILLYORCE.76.B SILLYRC.214 SILLYRC.248 SILLYRC.303 SMILEY:DE Germany SPOOKY:DE Internet STEATODA.1623 Israel STRYX:DE Internet SUPERVISOR.2221 SVC.3103 South America T555.556 THEATRE:TW (*) Taiwan THEATRE.A:TW (*) Taiwan TIE.619 TIP.554 TULA.1540 TULA.1656 TURBOEXE.854 TWNO:TW (*) Taiwan TWNO.B:TW (*) Taiwan TWNO.C:TW (*) Taiwan UNHANDLED.495 UNHAPPY.763.A UNHAPPY.763.B VIAGGIO.1051 VOTADC.591 WAZZU.J WAZZU.O WAZZU.P US WAZZU.Q US WEATHER:TW (*) Taiwan WILDY.354.B WILDY.354.C (*) Infects double-byte (omnicode) versions of Word, which include Japanese, Korean, Chinese, and Simplified Chinese. * ISSUES ADDRESSED IN THIS RELEASE * 1. Log file validation has been added in the Report page. 2. When the Clean Infected Files Automatically option is set in the Actions page, the user is now prompted if a boot sector virus is found. 3. Additional virus detection for file overwriting. 4. VShield status is now displayed when double clicking on the VShield icon from the program group. 5. VShield now validates the Virus Dat files before loading. 6. Added Netx driver and Netware 3.X compatibility. 7. The user utility Chkvxd.exe now returns the proper exit codes. 8. Various display issues with the McAfee detection screen (Blue and Red) are resolved. 9. Log entries are now made with the "Deny access and continue" setting in the Actions page. ____________ KNOWN ISSUES 1. This version will not detect previously installed versions of VShield TSR (from 2.2.F and prior) and will not remove the path entry made to the AUTOEXEC.BAT file if the installation differed from the default, c:\mcafee\viruscan. 2. In order to re-enable VShield after disabling it, right-click and select Enable. 3. If Move Infected File is selected on the Actions page, infected files will be moved to the directory specified. However, if the Windows Copy command fails during this procedure, a zero byte file size stamp may be left in the destination directory when carrying out the Copy command. 4. If using NetX drivers to connect to 3.x Netware servers, carrying out applications located on the server may result in a Windows' sharing violation message during a VShield file scan. Solution: To avoid the Window's sharing violation message, add the following line to the default.vsh file under the General section: bUsingNetx=1 Or, change the application executed from the server to Read Only. ____________ INSTALLATION * INSTALLING THE PRODUCT * If you would like to perform a "silent" installation of VirusScan, requiring minimal user interaction and using all default or "Typical" installation settings, add -s (i.e. SETUP.EXE -s) to the setup command when you install the product. Please note that the silent install is designed to install the product from a single source. If you have the floppy disks version, please copy the files from both disks to a temporary directory on the hard drive and run the setup command with the -s switch. Network Administrators can customize the silent installation by following the steps below. 1. Check in the Windows directory to ensure that a file named SETUP.ISS does not already exist. If it does, rename it, back it up, or delete it. 2. Run SETUP.EXE with the -r switch, (i.e. SETUP.EXE -r). 3. Select the components you would like to be installed during the silent installation. All responses will be recorded. 4. Finish the installation, and locate the file SETUP.ISS in the Windows directory. 5. Open the file using any ASCII editor (e.g., NOTEPAD.EXE) and delete the section titled APPLICATION. 6. Rename, back up, or delete SETUP.ISS on the first installation disk (floppies only). For CD-ROM versions of the product, you must copy the installation files onto the hard drive before taking this step. 7. Copy the new SETUP.ISS from the Windows directory to the location of the installation files. 8. Run SETUP.EXE with the -s switch (i.e. SETUP.EXE -s). 9. When the silent installation is complete, you should reboot the machine manually. NOTE: If you do not specify a "recorded" answer for all dialog boxes during the initial installation, the silent installation will fail. Also, the file used for the silent installation, SETUP.ISS, may not work properly across different operating systems. * PRIMARY PROGRAM FILES FOR VIRUSSCAN FOR WINDOWS 3.1x * Files located in the Install directory: ======================================= 1. Installed for VShield/DOS/VirusScan: README.1ST = McAfee information CLEAN.DAT = Virus clean definition data NAMES.DAT = Virus names definition data SCAN.DAT = Virus scan definition data VALIDATE.EXE = McAfee file validation program WCMDR.EXE = Windows Commander program WCMDR.INI = Windows Commander configuration settings PACKING.LST = Packing list WHATSNEW.TXT = What's New document 2. Installed for VShield: MCKRNL16.DLL = Tools library MCUTIL16.DLL = Run-time support library TABDLL11.DLL = Properties dialog library VSHCFG16.EXE = VShield Configuration Manager VSHWIN.EXE = VShield on-access engine CHKVXD.EXE = VShield virtual device driver checking utility VSHCFG16.HLP = Online help DEFAULT.VSH = Default VSH settings 3. Installed for DOS: SCAN.EXE = MS-DOS scan program 4. Installed for VirusScan: WSCAN.EXE = VirusScan for Windows 3.1x on- demand scanner WSCAN.HLP = VirusScan for Windows 3.1x online help WSCAN.INI = VirusScan for Windows 3.1x config- uration file PROFILE1.PRF = Sample WSCAN configuration profile PROFILE2.PRF = Sample WSCAN configuration profile Files located in WINDOWS\SYSTEM directory: ========================================== 1. Installed for VShield/VirusScan: CTL3D.DLL = 16-bit 3D Windows controls library (*) CTL3D32.DLL = 32-bit 3D Windows controls library (*) (*) File will be installed upon installation of VirusScan if it does not already exist, or if an older version is found. 2. Installed for VShield: MCFSHOOK.386 = File system hook MCKRNL.386 = Scan engine device driver MCSCAN32.386 = Scan engine device driver MCUTIL.386 = Utility device driver VSHIELD.386 = VShield device driver * INSTALLING THE PRODUCT * If you have not already installed the product, create a folder and copy the files to it. When the installation is complete, it is recommended that you restart your system. * TESTING YOUR INSTALLATION * The Eicar Standard AntiVirus Test File is a combined effort by anti-virus vendors throughout the world to come up with one standard by which customers can verify their anti-virus installations. To test your installation, copy the following line into its own file and name it EICAR.COM. X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* When done, you will have a 69 or 70 byte file. When VirusScan is applied to this file, Scan will report finding the EICAR-STANDARD-AV-TEST-FILE virus. It is important to know that THIS IS NOT A VIRUS. However, users often have the need to test that their installations function correctly. The anti-virus industry, through the European Institute for Computer Antivirus Research, has adopted this standard to facilitate this need. Please delete the file when installation testing is completed so unsuspecting users are not unnecessarily alarmed. _____________ DOCUMENTATION For more information, refer to the User's Guide, included on the CD-ROM versions of this program or available from McAfee's BBS and FTP site. This file is in Adobe Acrobat Portable Document Format (.PDF) and can be viewed using Adobe Acrobat Reader. This form of electronic documentation includes hypertext links and easy navigation to assist you in finding answers to questions about your McAfee product. Adobe Acrobat Reader is available on CD-ROM in the ACROREAD subdirectory. Adobe Acrobat Reader also can be downloaded from the World Wide Web at: http://www.adobe.com/Acrobat/readstep.html VirusScan documentation can be downloaded from McAfee's BBS or the World Wide Web at: http://www.McAfee.com or 205.227.129.97 For more information on viruses and virus prevention, see the McAfee Virus Information Library, included on the CD-ROM version of this product or available from McAfee's BBS and FTP site. A ViaGraphix Interactive Anti-virus Training program also is available on the CD-ROM version, or can be purchased from the McAfee Web Site. __________________________ FREQUENTLY ASKED QUESTIONS Regularly updated lists of frequently asked questions about McAfee products also are available on McAfee's BBS, website, and CompuServe and AOL forums. Q: How do I enable McAfee's Centralized Alerting and Reporting? A: VirusScan now supports Centralized Alerting and Reporting to a remote NetWare or Windows NT server running NetShield for Windows NT v2.5.3 or NetShield for NetWare v2.3.3. To set up this option on your VirusScan client, modify VirusScan's DEFAULT.VSH, and/or your custom settings file to read the following: Note: Administrators will need to configure the WSCAN.INI and/or DEFAULT.VSH file for complete Centralized Alerting & Reporting. Add the following lines to the WSCAN.INI file under AlertOptions: PS_S_NETWORKALERTPATH= PS_O_ALERT=1 Add the following lines to the DEFAULT.VSH file under AlertOptions: szNetworkAlertPath= bNetworkAlert=1 Where the is the path to the remote NetWare volume or NT directory. From this directory, NetShield can broadcast or compile the alerts and reports according to its established configuration. NOTE: The client must have write access to this location and the directory must contain the NetShield-supplied CENTALRT.TXT file. To send a complete alerting file identifying the system user, establish the following environment variables or add them to the AUTOEXEC.BAT file. Set COMPUTERNAME= Set USERNAME= The alert file sent to the server is an .alr text file. Upon receipt of the alert file, NetShield NT or NetShield for NetWare sends an alert message to an administrator and/or appropriate personnel. Q: I have created my own Emergency diskette, how can I optimize it's performance? A: For optimal performance, create a CONFIG.SYS file on the boot diskette and add the following lines: [CONFIG.SYS] DEVICE=HIMEM.SYS DOS=HIGH Add the HIMEM.SYS file from the DOS directory to the boot diskette. Note: For detailed instructions on creating an Emergency diskette, refer to the instructions outlined in your online documentation. Q: When I have an infected file, why does the infected counter increase by increments greater than one? A: The file system will typically access a file more than once. On each access, VirusScan scans the file and detects the infection. Q: Does VShield detect Word Macro infections? A: Yes. VShield detects and cleans Word Macro infections. Q: Can I update VirusScan's data files to detect new viruses? A: Yes. If you have Internet access, you can download updated VirusScan data files from the McAfee Web Site, BBS, or other online resources. To download from the McAfee Web Site, follow these steps: 1. Go to the McAfee Web Site (http://www.mcafee.com or 205.227.129.97). 2. Click on the Download McAfee button in the upper left hand column or frame. 3. Click on Update Your DAT Files to update DAT files. 4. View the information provided on new DAT files and downloading. 5. Click on Download this Month's DAT. 6. Data file updates are stored in a compressed form to reduce transmission time. Unzip the files into a temporary directory, then copy the files to the appropriate directory, replacing your old files. 7. Before performing any scans, shut down your computer, wait a few seconds, and turn it on again. If you need additional assistance with downloading, contact McAfee Download Support at (408) 988-3832. ______________ CONTACT McAFEE * FOR QUESTIONS, ORDERS, PROBLEMS, OR COMMENTS * Contact McAfee's Customer Care department: 1. Call (408) 988-3832 Monday-Friday, 6:00 A.M. - 6:00 P.M. Pacific time 2. Fax (408) 970-9727 24-hour, Group III Fax 3. Fax-back automated response system (408) 988-3034 24-hour fax Send correspondence to any of the following McAfee locations: McAfee Corporate Headquarters 2710 Walsh Avenue Santa Clara, CA 95051-0963 McAfee East Coast Office Jerral West Center 766 Shrewsbury Avenue Tinton Falls, NJ 07724-3298 McAfee Central Office 5944 Luther Lane, Suite 117 Dallas, TX 75225 McAfee Canada 178 Main Street Unionville, Ontario Canada L2R 2G9 McAfee Europe B.V. Orlyplein 81 - Busitel 1 1043 DS Amsterdam The Netherlands McAfee (UK) Ltd. Hayley House, London Road Bracknell, Berkshire RG12 2TH United Kingdom McAfee France S.A. 50 rue de Londres 75008 Paris France McAfee Deutschland GmbH Industriestrasse 1 D-82110 Germering Germany Or, you can receive online assistance through any of the following resources: 1. Bulletin Board System: (408) 988-4004 24-hour US Robotics HST DS 2. Internet e-mail: support@mcafee.com 3. Internet FTP: ftp.mcafee.com or 205.227.129.70 4. World Wide Web: http://www.mcafee.com or 205.227.129.97 5. America Online: keyword MCAFEE 6. CompuServe: GO MCAFEE 7. The Microsoft Network: GO MCAFEE Before contacting McAfee, please make note of the following information. When sending correspondence, please include the same details. - Program name and version number - Type and brand of your computer, hard drive, and any peripherals - Operating system type and version - Network name, operating system, and version - Contents of your AUTOEXEC.BAT, CONFIG.SYS, and system LOGIN script - Microsoft service pack, where applicable - Network card installed, where applicable - Modem manufacturer, model, and baud, where applicable - Relevant browsers/applications and version number, where applicable - Problem - Specific scenario where problem occurs - Conditions required to reproduce problem - Statement of whether problem is reproducible on demand - Your contact information: voice, fax, and e-mail Other general feedback is also appreciated. * FOR ON-SITE TRAINING INFORMATION * Contact McAfee Customer Service at (800) 338-8754. * FOR PRODUCT UPGRADES * To make it easier for you to receive and use McAfee's products, we have established an Agents program to provide service, sales, and support for our products worldwide. For a listing of agents, see the file AGENTS.TXT, where applicable, or contact McAfee Customer Service for agents near you.