==================================================================
Norman Virus Control v4.70
==================================================================
Copyright (C) 1999 Norman

This Read Me file contains information on last minute changes to NVC v4.70 and fixes to known problems in NVC v4.60.

The information in this file is organized into 9 sections:

1.0 Common section
2.0 NVC for Windows 95
3.0 NVC for DOS/Windows 3.1x
4.0 NVC NT Service
5.0 NVC for Windows NT
6.0 NVC for Groupware
7.0 Network considerations
8.0 N_DIST
9.0 SNMP extension

==================================================================
1.0 Common section
==================================================================

1.1 The scanning engine

1.1.1 The scanning engine has been changed to include new functionality. As of this version the engine can remove boot sector viruses. In previous versions the scanning engine detected these viruses, but for cleaning them we used the DOS-based program NVCLEAN. This program is now removed from all NVC platforms. We consider this improvement important with regard to user friendliness, because all viruses are detected and handled (repaired, moved, deleted) from the same dialog(s). You can remove boot sector viruses from the Windows scanners as well as from the DOS command line scanner.

1.1.2 The minimum requirement for running the DOS command line scanner is a 386 processor and 2MB RAM. In severe situations, for example a memory conflict, the DOS extender may generate a screen dump. This will not crash the system. The dump file that is generated is called 'cw.err'. If you call support, they may ask for this file, which provides useful information for troubleshooting.

1.1.3 Detecting unknown macro viruses
The 32-bit scanner can detect and remove unknown macro viruses in Office 97 and Office 2000 using heuristic methods. When the scanner detects an unknown macro virus, the virus name will be reported as UNKNOWN.
If the 'Repair file if possible' option is ON, all macros in the document are removed.

1.1.4 PowerPoint and Access
NVC v4.70 will detect macro viruses in these applications, but cannot remove the viruses.

1.1.5 Scanning: pre-defined file extensions
When you scan a directory, floppy, or hard drive, files with the following extensions are automatically scanned:

*.386 *.CLA *.DLL *.INF *.OVR *.SMM *.WBK *.XLS
*.APP *.COM *.DRV *.INI *.POT *.SYS *.WIZ *.XLT
*.ASP *.CMD *.EXE *.MDA *.PPN *.VBS *.XLA *.XTP
*.ATT *.CPL *.FON *.MDB *.PPS *.VBX *.XLB
*.BAT *.CSC *.GMS *.MDL *.PPT *.VOM *.XLC
*.BIN *.DOC *.HTM *.OCX *.PWZ *.VXD *.XLM
*.BOO *.DOT *.HTT *.OVL *.SCR *.VXE *.XLP

1.1.6 Scanning: pre-defined file extensions - archive files
If you specify "Scan archive files" in the tabbed dialog "Scanning" (Options|Scanning options), archive files with the following extensions are automatically scanned:

*.ARC *.ARJ *.LZH *.PAK *.ZIP *.ZOO

1.1.7 Why 'Repair file if possible' is not ON by default
Even though we believe automatic repair provides the best protection, we cannot set this option ON by default. The reason is that legislation in some countries prohibits changes to data files without the user's explicit consent. However, unless you have good reasons for not doing so, we recommend that you turn this option on. (Options|Scanning options)

1.2 Installation

1.2.1 On single user installations TroGuard is copied to the WIN32 directory; on admin installations it is copied to the server only. See #2.1.5 (Windows 9x) or #5.1.1 (Windows NT) for details about TroGuard.

1.2.2 Norman Internet Update is a default component in single user installations. (Windows 9x and Windows NT.)

1.2.3 A command line utility to set security options is provided in the admin installation. The utility is named NCFTE.EXE. Refer to the Administrator's Guide for more information. (Windows 9x and Windows NT.)

1.2.4 NVCLEAN and NVCEXCL will be deleted from the Norman\DOS directory during installation of NVC v4.70.
All repair is now done by the Windows and command line scanners. (All platforms.)

1.2.5 NSE has increased significantly in size due to the built-in 32-bit emulator and 32-bit heuristics.

1.2.6 On NVC for Windows 95/NT the .cfg file is ALWAYS copied from the installation media onto the server. Then the NseUpdate path is written in the .cfg file as a UNC path. (Admin install only.)

1.2.7 On NVC for Windows 3.1x: the installation copies the .cfg file only IF it is newer than the one on the server. This prevents a Win31 installation from overwriting a correctly set up NVC32.CFG file. (Admin install only.)

1.2.8 On NVC for Windows NT: the mapped network drive you select will be changed to a UNC path. Therefore, the NDIST script will be set up with a UNC path in $Source. (Admin install only.)

==================================================================
2.0 Norman Virus Control for Windows 95
==================================================================

2.1 Cat's Claw

2.1.1 Whenever 'CLAW95 /INSTALL' is run, Cat's Claw will assume that the definition files are updated and will reinitialize.

2.1.2 Support for SNMP traps exists for Cat's Claw.
The following trap reason codes are used:

 1: Virus removed
 2: Virus not removed (write access denied or user selected no repair)
 4: Virus not removed (did not know how to)
 5: Uncertified macros removed
 6: Uncertified macros not removed (write access denied or user selected no repair)
 8: Uncertified macros not removed (did not know how to)
 9: File not scanned (password protected)
10: File not scanned, user access denied (password protected)
11: File not scanned (damaged file)
12: File not scanned, user access denied (damaged file)
13: File not scanned (system error)
14: File not scanned, user access denied (system error)

2.1.3 Undocumented entries in the registry
Two undocumented entries are added to the registry and can be edited in the CLAW95.REG file:

[HKEY_LOCAL_MACHINE\Software\Norman Data Defense Systems\Cat's Claw\Debug]
"Delay"=dword:00000000
"Yield"=dword:00000000

Both are used to insert a delay before activating Cat's Claw. If problems are experienced when loading Cat's Claw during startup but not when started manually, try inserting a delay.

"Delay"=dword: is the number of seconds to wait. Increase by 00000001 until the problem disappears. Then add 00000001. Valid values are 00000000 to 0000000A.

"Yield"=dword: is the number of times Cat's Claw should give up its time slice (yield) to let other applications run. Increase by 0000000A until the problem disappears. Then add 0000000A. Legal values are from 00000000 to 00000064. (The suggested values are: 00000000, 0000000A, 00000014, 0000001E, 00000028, 00000032, 0000003C, 00000046, 00000050, 0000005A, 00000064.)

Either "Delay" or "Yield" should be used, not both. Try "Yield" first. The unused entry should be assigned its minimum value.

2.1.4 Boot sector repair (see #1.1.1) enables Cat's Claw to not only detect boot sector viruses, but also to clean such viruses.

2.1.5 TroGuard
TroGuard is a program designed to remove active trojans from your system.
Trojans are detected by regular scans, but cannot be removed while they are active. TroGuard checks all active processes in memory, and kills a process if its file is a trojan. By default, the file is deleted. TroGuard employs the NVC scanner engine to determine whether a file is a trojan or not.

TroGuard has one parameter: /n (do not delete the trojan if found).

To start TroGuard, double-click on the executable (troguard.exe), located in the norman\win32 directory. You can create a shortcut and place it on your desktop, but do not place it in your Startup group. TroGuard only checks active processes, and there is no telling whether a possible trojan is active at the time TroGuard loads.

2.3 Bug fixes

2.3.1 On partitions larger than 2GB the progress bar would display wrong values. This error is now fixed.

2.3.2 In version 4.60 any subdirectory on the 2nd level or lower could not exceed 84 characters, or NVC95/NVCNT would crash. Fixed in v4.70.

2.3.3 In versions prior to 4.70 nvcnt/nvc95 would not allow cleaning of an infected file if the file was read-only. Fixed.

2.3.4 When the "Save on Exit" menu selection was de-selected, this action was never stored. The next time someone started the application, "Save on Exit" would still be selected. This is now fixed.

2.3.5 Improved handling of checking the contents of .zip and .arj archive files. NVC will now recursively scan for viruses within files of this category. This means that archive files within other archive files will be checked for viruses.

2.3.6 A bug in the virus library would sometimes lead to the display of wrong values within the virus library. This is fixed.

2.4 Known problems

2.4.1 During scanning of archive files, the Cancel button is unavailable.

2.4.2 If a scheduled scan ends within the same minute it was started, it is repeated as many times as allowed for within that minute. However, it will stop when the clock changes to the next minute.

2.4.3 There is a conflict between Cat's Claw and e-mail scanners.
The latter do not detect viruses.

2.4.4 The Right-click scanner only scans ZIP and ARJ archive files.

==================================================================
3.0 Norman Virus Control for DOS/Windows 3.1x
==================================================================

3.1 Cat's Claw

3.1.1 Whenever 'CLAW31 /INSTALL' is run, Cat's Claw will assume that the definition files are updated and will reinitialize.

3.1.2 Support for SNMP traps has been added to Cat's Claw. The following trap reason codes are used:

 1: Virus removed
 2: Virus not removed (write access denied or user selected no repair)
 4: Virus not removed (did not know how to)
 5: Uncertified macros removed
 6: Uncertified macros not removed (write access denied or user selected no repair)
 8: Uncertified macros not removed (did not know how to)
 9: File not scanned (password protected)
10: File not scanned, user access denied (password protected)
11: File not scanned (damaged file)
12: File not scanned, user access denied (damaged file)
13: File not scanned (system error)
14: File not scanned, user access denied (system error)

3.1.3 Undocumented entries in the CLAW31.INI file
Two undocumented entries are added to the CLAW31.INI file:

[Debug]
Delay=0
Yield=10

Both are used to insert a delay before activating Cat's Claw. If problems are experienced when loading Cat's Claw during startup but not when started manually, try inserting a delay.

Delay= is the number of seconds to wait. Increase by 1 until the problem disappears, then add 1. Valid values are 0 to 10.

Yield= is the number of times Cat's Claw should yield and let other applications run. Increase by 10 until the problem disappears. Then add 10. Valid values are 10 to 100.

Either "Delay" or "Yield" should be used, not both. Try "Yield" first. The unused entry should be given its minimum value.

3.1.4 Boot sector repair (see #1.1.1) enables Cat's Claw to not only detect boot sector viruses, but also to clean such viruses.
In Windows 3.1 only diskettes are checked for boot sector viruses.

3.2 Known problems

3.2.1 There is a conflict between Cat's Claw and mail scanners. The latter do not detect viruses.

3.2.2 In some situations the buttons in the Cat's Claw warning dialogs are empty. Clicking on the buttons works OK.

==================================================================
4.0 Norman Virus Control NT Service
==================================================================

4.1 SYSTEM REQUIREMENTS: Windows NT Workstation or Server version 3.51 with service pack 5 or higher, or NT version 4.0 with service pack 3 or higher.

4.2 The NVC NT Service will now deny access when trying to read or execute infected files. The NT Service now also uses the same set of standard extensions used during real-time, on-demand and scheduled scans. Move/delete on infections should be more effective since this functionality is moved into separate threads.

4.3 The driver part of the NVC NT Service is optimized so that the real-time scanner should be more effective, thus reducing the overhead involved in real-time scanning.

4.4 A new option has been added to the 'Select drives' listbox in the Edit Styles dialog box. In addition to the drive letters, you can choose 'All fixed'. This option applies a style to all fixed drives and is mutually exclusive with the drive letters: if you choose 'All fixed' it overrides other drive selections, and if you select a drive letter, 'All fixed' is deselected. The 'All fixed' option makes a style deployable in an environment where the workstations have a different selection of hard drives.

4.5 In the configuration program NCFGW, Help|About nvcsrv now displays two signature dates: 'Signature date binary:' and 'Signature date macro:'.

4.6 NCFGW: 'Real-time options|Scanning|Look for OLE2 header' has been greyed out. If you choose this option, all files are checked, which is not a preferred real-time operation. Use the on-demand scanner if you wish to scan all files for OLE2 headers.
4.7 About updating the scanning engine
The NVC NT Service is now capable of automatically using a new scanning engine when one is available. When a scanning engine is specified in the nvc32.cfg file according to the description in the Admin Guide, NVC will automatically check for an update once a day. If a new update is available and it is safe to unload the current scanning engine, NVC will load the new scanning engine/def files. A condition that will typically make an update fail is the scanning engine being in use by another NVC component (NVCNT.EXE, NVC for Notes). If that is the case, the NVC NT Service will try to update the scanning engine at a later time.

To support this, the following switches have been added to the configuration program ncfg.exe:

ncfg -checkupdateengine
  Use this to check if a scanning engine update is available and/or possible.

ncfg -updateengine
  Will try to update the scanning engine according to the update settings in the nvc32.cfg file.

ncfg -updateengineat::
  Will try a daily update of the scanning engine at the specified time. NVC will use the update settings in the nvc32.cfg file. This overrides the default setting, which is to try the update at 24:00.

ncfg -remupdateengineat
  Revert to the default setting for when a scanning engine update will be performed (at 24:00).

4.8 NOTE: As the NVC NT Service cannot deny write operations to disk, on NT Servers where the real-time scan is normally configured to "Scan when Writing" only, the "Managing Infections" option should always be set to "Move Infected Files". Then all files which are not cleaned will be moved offline and thus be inaccessible to users.

4.9 Bug fixes

4.9.1 In NVC Service versions prior to 4.63 it was possible for a user to "hide" a directory or a file by taking ownership of it and then denying any other user or program access to the directory. When trying to access such a directory, the NVC Service was denied access to the files and was thus unable to scan them for viruses.
The NVC Service will now grant itself the privilege to override such a restriction. No matter what restrictions a user sets on a directory, the NVC Service will get access to any file in any directory on the machine where it is installed.

4.9.2 Improved handling of checking the contents of .zip and .arj archive files. NVC will now recursively scan for viruses within files of this category. This means that archive files within other archive files will be checked for viruses.

4.10 Known problems

4.10.1 Seagate Open File Manager ver 3.1
There is an error in OFM 3.1 (not in 3.0) that causes our nvcrec4.sys driver to crash NT immediately if the OFM driver is started prior to the nvcrec4 driver. The new driver from Seagate (v5.1) solves the problem.

4.10.2 When the scheduler checks on startup whether it has skipped an hourly scan because the service was not running or the machine was powered off, it checks only the time, not the date. If a monthly scheduled scan failed to run, it will be re-scheduled for next month rather than prompting for the scan to be performed right away.

4.10.3 NVCSRV: Due to the format of certain discs, on-demand scanning of CD-ROMs produces numbers like 39460% completed.

4.10.4 Norton Utilities for NT4
It appears that some of the features within Norton Utilities for NT4 do not run well with the NVCNT service. (Unerase and defrag services.)
Solution: If possible, remove the services above. If this is an unacceptable solution, run the NVC service without the real-time components and rely on the scheduled scan feature within the service instead. (Install the service with the command: nvcsrv -install -nodrvs)

==================================================================
5.0 Norman Virus Control for Windows NT
==================================================================

5.1 Boot sector repair (see #1.1.1) enables NVCNT to not only detect boot sector viruses, but also to clean such viruses on diskettes as well as on hard drives.
NVCNT will clean a boot sector virus on a hard drive even if the user is not logged on with admin rights. For this functionality to work, the initial run of NVCNT must have been performed with admin rights to allow the low-level components to install correctly. NVCNT will still detect a boot sector virus without these components, but cannot clean the virus.

5.1.1 TroGuard
TroGuard is a program designed to remove active trojans from your system. Trojans are detected by regular scans, but cannot be removed while they are active. TroGuard checks all active processes in memory, and kills a process if its file is a trojan. By default, the file is deleted. TroGuard employs the NVC scanner engine to determine whether a file is a trojan or not.

TroGuard has one parameter: /n (do not delete the trojan if found).

To start TroGuard, double-click on the executable (troguard.exe), located in the norman\win32 directory. You can create a shortcut and place it on your desktop, but do not place it in your Startup group. TroGuard only checks active processes, and there is no telling whether a possible trojan is active at the time TroGuard loads.

Note that an active process under Windows NT cannot be killed unless you have administrator privileges.

5.2 Bug fixes:

5.2.1 In version 4.60 any subdirectory on the 2nd level or lower could not exceed 84 characters, or NVC95/NVCNT would crash. Fixed in v4.70.

5.2.2 In versions prior to 4.70 nvcnt/nvc95 would not allow cleaning of an infected file if the file was read-only. Fixed.

5.2.3 When the "Save on Exit" menu selection was de-selected, this action was never stored. The next time someone started the application, "Save on Exit" would still be selected. This is now fixed.

5.2.4 Improved handling of checking the contents of .zip and .arj archive files. NVC will now recursively scan for viruses within files of this category. This means that archive files within other archive files will be checked for viruses.
5.2.5 A bug in the virus library would sometimes lead to the display of wrong values within the virus library. This is fixed.

5.3 Known problems

5.3.1 If a scheduled scan ends within the same minute it was started, it is repeated as many times as allowed for within that minute. However, it will stop when the clock changes to the next minute.

5.3.2 If a scheduled scan is entered with style , and the style is changed, the old settings in will overwrite changes done in the meantime. To activate changes to the style , exit the program and restart NVC.

5.3.3 The Right-click scanner only scans ZIP and ARJ archive files.

========================================================================
6.0 NVC for Groupware
========================================================================

See also the separate readme that is installed with NVC for Groupware.

6.1 NVC for Groupware v4.70 is compatible with Domino v5.

6.2 When you change the root directory for on-demand scans, the new root is stored for the next scan.

6.3 Manual setup and removal
This procedure is for manual maintenance of the NVC for Groupware service module. It is possible to start, stop, install and remove the service using commands on the NVCgroup.exe command line. Normally, the installation performed by the Install Shield setup procedure should be sufficient.

To avoid a 'NNOTES.DLL not found' error, make sure that your Notes directory is included in your system path. If not, add the path entry and restart NT before attempting to install the service module.

To install 'NVC for Groupware' manually, run 'NVCgroup.exe -install' from the 'NVC for Groupware' home directory. This will install the service, copy the hook DLL (NVCgwlh.dll) to the Domino server home directory, and modify the 'notes.ini' file to enable real-time scanning upon the next Domino server restart.
The 'notes.ini' file should have the following entry added:

NSF_hooks=NVCgwlh

6.4 Start the scanner service
To start the scanner service, do one of the following:
- Reboot the NT server (the service is installed with 'automatic' startup), or
- Run 'NVCgroup -start', or
- Run the graphical front-end 'NVCgw.exe', choose the computer and push 'start', or
- Start the service from 'Services' in the NT control panel

6.5 Stop the scanner service
To stop the scanner service, do one of the following:
- Run the graphical front-end 'NVCgw.exe', choose the computer and push 'stop', or
- Run 'NVCgroup -stop', or
- Stop the service from 'Services' in the NT control panel

6.6 Remove the scanner service
To remove the system, including the real-time hook:
- Run 'NVCgroup -remove'. This will stop the service if it is running, and also remove references to the hook in the 'notes.ini' file. All custom settings in the registry will be lost.

To remove the service without erasing the configuration:
- Run 'NVCgroup -upgrade'. This will stop the service if it is running, and also remove references to the hook in the 'notes.ini' file. The registry settings will be preserved.

To remove the hook from the Domino server after 'NVCgroup' has been removed:
- Make sure the entry in 'notes.ini' has been removed.
- Restart the Notes Domino server.

6.7 Non-standard local mailbox names
The service will use several methods to locate the local mailbox so that it can send virus warning mail messages. If the service is unable to locate the mailbox, the path may be specified manually by creating an entry in the NVCgroup registry location. Make a key called 'LocalMailbox', and set the value to the full path of the mailbox.

6.8 Changes in the 'On-demand scan' dialog box
Two buttons have been added:

6.8.1 'Change root': Allows the user to specify the root directory of the directory tree to be searched for Notes databases to be listed.
As a result of this, the menu entry 'Extra database' in the system menu of this dialog has been removed.

6.8.2 'Options': Same effect as the 'Options' button (and the menu entry Options|Options) in the main window, which includes scanning options for on-demand as well as other scanning. The new button leads directly to the on-demand specific scanning options.

========================================================================
7.0 Network considerations
========================================================================

7.1 NVC.SYS AND IPX COMMUNICATIONS

7.1.1 All NVC.SYS versions will send messages to all versions of FireBreak via IPX, and all versions of FireBreak will accept the messages.

7.2 REQUIREMENTS FOR PROPER COMMUNICATION
These are the versions of client software necessary for NVC v4.00+ workstation products (with the exception of NVC.SYS) to send IPX messages to FireBreak v3.60+. If you don't have these versions of the client software, you can download them free of charge via anonymous ftp:
ftp://ftp.novell.com/pub/updates/nw
You may also get the client software by pointing your web browser to http://support.novell.com and selecting the "Minimum Patch List".

NOTE that Microsoft's Client Services for NetWare (available in Windows 95 and Windows NT) are not supported by NVC IPX communications. Therefore, in Windows 95 and Windows NT, you must be running NetWare's client software.

7.2.1 DOS/Windows 3.1x:
- Netx
- VLMs
- NetWare Client 32 for DOS/Windows 3.1x
Note: Only VLMs support Canary on the server.

7.2.2 Windows 95:
- NetWare Client 32 for Windows 95

7.2.3 Windows NT:
- NetWare Client v4.0 or later for Windows NT

7.2.4 OS/2:
- NetWare Client v2.12 or later for OS/2

7.2.5 NVC workstation products (with the exception of NVC.SYS) will send messages to all versions of FireBreak via IPX, but only FireBreak v3.60 and newer will accept them.

7.2.6 IPX messaging from NVC workstations doesn't include messages about viruses found in memory.
7.3 NetWare v5
Please note that NVC currently only supports messaging over IPX. This means that if you are running NetWare v5 with pure IP as your only protocol, the messaging feature will not work. This limitation will be removed in a future release.

========================================================================
8.0 N_DIST
========================================================================

8.1 Win32: Distributing scanner configurations in a network
To distribute Win 95 or Win NT scanner configurations in a network environment, you should:
1. Configure the scanner, including styles and possible scheduled scans.
2. Start REGEDIT.
3. Export the content of HKEY_CURRENT_USER\Software\NORMAN\NVC to x:\nvcadmin\win95\nvc95.reg (Windows 95) or x:\nvcadmin\win32\nvcnt.reg (Windows NT).
4. The next time you run N_DIST, NVCxx.REG will be copied onto the workstations, and REGEDIT will be run against the file.

8.2 Using N_DIST to upgrade a running NVC service
Since the N_DIST script is executed in the context of a logged on user, a prior version of the NVC Service is already started when the N_DIST script executes. An admin user could stop the service and then copy the new files before starting the service again. There is still a problem with the real-time components (the NVC device drivers), which will not stop when the service stops. The safest way to make sure that all components are properly upgraded is to make sure that the N_DIST script:
1. Renames the opened NVC files on the machine (nvcsrv.exe and the .sys files in the \NORMAN\WIN32 directory)
2. Copies the new files on top of the renamed ones
Reboot the machine, and the new components will be used.

8.3 Known problems
The 'Register' command will not always register icons in the 'Common' profile.
The 'Unregister' command will not remove single icons if the icon name contains a double space.
========================================================================
9.0 SNMP extension
========================================================================

9.1 Change of format to accommodate long machine names
A change has been made to the SNMP extension, so that machine names of up to 50 characters may be specified in the 'SYSTEMS.TXT' file. Users of PC-NFS or LAN Workplace should continue using the old format. Users who have no use for long machine names do not have to recompile their 'SYSTEMS.TXT' files. The old 'TCP_IP.CFG' file will still work. For more information, refer to the readme file in the SNMP extension.
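The trap reason codes that Cat's Claw sends (listed under 2.1.2 and 3.1.2) are most useful on the receiving station once they are decoded and ranked by what is left on the workstation. The following is an added example, not code from Norman's read-me: the 'host;code;path' record layout and the sample traps are constructed assumptions, and codes the read-me does not list are reported as unknown rather than silently dropped.

```python
"""Triage of Cat's Claw SNMP trap reason codes (added example, not Norman's code).
Codes are those listed under 2.1.2 and 3.1.2; the record layout is constructed."""
from collections import defaultdict
from typing import NamedTuple

class Reason(NamedTuple):
    event: str         # "virus", "macros" (uncertified macros) or "not_scanned"
    removed: bool      # True when the virus / macros were removed
    detail: str        # why removal or scanning did not happen
    user_denied: bool  # True when Cat's Claw also denied the user access to the file

# Reason codes exactly as the read-me lists them (3 and 7 are not assigned).
REASON_CODES = {
    1: Reason("virus", True, "removed", False),
    2: Reason("virus", False, "write access denied or user selected no repair", False),
    4: Reason("virus", False, "did not know how to", False),
    5: Reason("macros", True, "removed", False),
    6: Reason("macros", False, "write access denied or user selected no repair", False),
    8: Reason("macros", False, "did not know how to", False),
    9: Reason("not_scanned", False, "password protected", False),
    10: Reason("not_scanned", False, "password protected", True),
    11: Reason("not_scanned", False, "damaged file", False),
    12: Reason("not_scanned", False, "damaged file", True),
    13: Reason("not_scanned", False, "system error", False),
    14: Reason("not_scanned", False, "system error", True),
}

def decode(code):
    """Map a trap reason code to its meaning; an unlisted code is an error, not silence."""
    if code not in REASON_CODES:
        raise ValueError("unlisted Cat's Claw trap reason code %d" % code)
    return REASON_CODES[code]

def priority(reason):
    """Rank a trap by what is left on the workstation after Cat's Claw acted."""
    if reason.event == "virus" and not reason.removed:
        return "action"   # infected file still present: needs hands-on cleaning
    if reason.event == "macros" and not reason.removed:
        return "warning"  # uncertified macros remain in the document
    if reason.event == "not_scanned" and not reason.user_denied:
        return "warning"  # the user got access to a file Cat's Claw could not inspect
    return "info"         # removed, or the uninspected file was withheld from the user

def describe(reason):
    if reason.event == "not_scanned":
        denied = ", user access denied" if reason.user_denied else ""
        return "file not scanned%s (%s)" % (denied, reason.detail)
    what = "virus" if reason.event == "virus" else "uncertified macros"
    return "%s removed" % what if reason.removed else "%s not removed (%s)" % (what, reason.detail)

# Constructed sample traps as host;reason code;path (not a real Norman record format).
CONSTRUCTED_TRAPS = """\
ws01;1;C:\\DOCS\\REPORT.DOC
ws01;2;C:\\DOCS\\BUDGET.XLS
ws02;10;C:\\MAIL\\ATTACH.ZIP
ws02;9;C:\\MAIL\\MEMO.DOC
ws03;4;C:\\WINDOWS\\SYSTEM\\OLD.EXE
ws03;3;C:\\TEMP\\X.DOC
"""

def triage(log_text):
    """Group traps by host as (path, priority, description) triples."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, code, path = line.split(";", 2)
        try:
            reason = decode(int(code))
        except ValueError as err:
            report[host].append((path, "unknown", str(err)))  # keep it visible, never drop it
            continue
        report[host].append((path, priority(reason), describe(reason)))
    return dict(report)

def follow_up(report):
    """Hosts that still hold an infected file, with the paths to visit."""
    hits = {h: [p for p, pr, _ in items if pr == "action"] for h, items in report.items()}
    return {h: paths for h, paths in hits.items() if paths}
```

Codes 9, 11 and 13 rank above their user-access-denied twins because in those cases the user was still allowed to open a file that Cat's Claw could not inspect.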