PC/CD Gamer UK 39

home *** CD-ROM | disk | FTP | other *** search

/ PC/CD Gamer UK 39 / PCGAMER39.bin / utils / mcafee / 16bit / viruscan.txt < prev next >

Wrap

Text File | 1995-05-11 | 234.8 KB | 6,098 lines

VirusScan Version 2.2 Copyright 1995 by McAfee, Inc. All Rights Reserved. McAfee, Inc. (408) 988-3832 office 2710 Walsh Avenue (408) 970-9727 fax Santa Clara, CA 95051-0963 (408) 988-4004 BBS (25 lines) U.S.A. USR HST/v.32/v.42bis/MNP1-5 CompuServe GO MCAFEE InterNet support@mcafee.COM Using VirusScan (Version 2.2) TABLE OF CONTENTS Chapter 1: Welcome to VirusScan / 1 What VirusScan includes / 3 System requirements / 5 License and registration / 6 Technical support / 6 Chapter 2: Don't skip this chapter / 10 Installing VirusScan / 11 Scanning your system / 14 If you detect a virus / 16 Activating VShield / 19 Making a clean start-up diskette / 21 Running the VirusScan programs / 23 When to rescan / 25 Updating VirusScan regularly / 25 Chapter 3: Scan Reference / 28 Technical overview / 30 Validating Scan / 31 Running Scan from the command line / 31 Scan command line option summary / 33 Scan option descriptions / 36 Cleaning viruses / 46 Examples / 50 Error levels / 51 Application note 1: Updating validation codes / 53 Application note 2: Reformatting infected diskettes with DOS 5.0 and later / 53 Technical note 1: Creating an exception list file for the /EXCLUDE option / 54 Chapter 4: VShield Reference / 55 Four levels of protection / 58 Running VShield / 60 VShield option summary / 64 VShield option descriptions / 66 Deciding which options are for you / 73 Examples / 75 Error levels / 76 Using VShieldCRC / 77 VShieldCRC option summary / 78 Using CheckVShield / 79 Technical note 1: Creating an exception list for the /EXCLUDE option / 81 Technical note 2: Sample NetWare login script and .BAT file / 82 Chapter 5: Tips & troubleshooting / 83 Appendix A: Retrieving McAfee programs with communications software / 91 Appendix B: Options comparison between VirusScan versions 1.5 and 2.1.1 / 96 Glossary / 106 Using VirusScan (Version 2.2) 1 CHAPTER 1: WELCOME TO VIRUSSCAN Thank you for purchasing McAfee(R)'s VirusScan(TM) software, a powerful and advanced system designed to detect, eradicate, and prevent computer viruses. VirusScan will help you protect one of your most important assets--the information on your personal computer or local area network. VirusScan includes two main programs: o The Scan program detects known viruses in your computer's memory or on disks. It can also detect new and unknown viruses. Once viruses are detected, it can remove them and restore your system to normal operation. The Scan program comes in two forms: o A graphical interface so that you can select commands and options using a mouse and keyboard, if you like. For instructions, see the on-line documentation. o A command line interface, so you can run the program and select options by typing from a command prompt or from batch or script files, if you prefer. o The VShield(TM) memory-resident program continuously monitors and protects your system from viruses that might be introduced. The VirusScan programs run on IBM-PC or 100% compatible personal computers (PCs) that use DOS, Windows, or OS/2. VirusScan is an important element of a comprehensive security program that includes a variety of safety measures, such as regular backups, meaningful password protection, training, and awareness. We urge you to set up and comply with such a security program in your organization. For tips on how to do this, see "Other sources of information" in this chapter. Using VirusScan (Version 2.2) 2 HOW TO USE THIS MANUAL This manual will help you get VirusScan running quickly and properly on DOS, Windows, and OS/2 systems. All the key information is in Chapter 2, "Don't skip this chapter." Please don't install VirusScan before reading it, even if you are a PC power user or already familiar with Scan. Installing and using VirusScan is not like using other software. The rest of Chapter 1, "Welcome to VirusScan," describes the programs and files on your VirusScan disk, system requirements, how to register, and how to get help. Chapter 3, "Scan Reference," and Chapter 4, "VShield Reference," contain reference information for Scan and VShield, respectively. Many users will not need to read these chapters, because basic operation of VirusScan, as described in Chapter 2, will detect and remove most viruses from your system. The options described in Chapters 3 and 4 offer additional power and control, and are most useful in vulnerable environments and to network administrators and information services staff. Chapter 5, "Tips & troubleshooting," explains how to get the most out of VirusScan, and how to cope with some common problems. Appendix A describes how to retrieve new versions of McAfee programs using your communications software. Appendix B describes differences in command line options between VirusScan version 1.5 and version 2.1.1. Using VirusScan (Version 2.2) 3 NOTATION In this manual, we use several conventions to distinguish particular kinds of text. CONVENTION │ EXAMPLE │ REPRESENTS ═══════════════╪══════════════╪══════════════════════════ Uppercase │ C:\> │ What your │ │ computer displays │ │ on your screen. ───────────────┼──────────────┼────────────────────────── Lowercase │ scan c: │ What you │ │ type, verbatim. ───────────────┼──────────────┼────────────────────────── Curly braces │ {filename} │ Required │ │ element; do not │ │ type braces { }. ───────────────┼──────────────┼────────────────────────── Square braces │ [filename] │ Optional │ │ element; do not │ │ type braces [ ]. ───────────────┼──────────────┼────────────────────────── Upper-case in │ <ENTER> │ Key to press brackets │ │ on the │ │ keyboard. WHAT VIRUSSCAN INCLUDES In addition to Scan and VShield, your VirusScan diskette contains another program that will help you use VirusScan. The Validate program ensures that new versions of VirusScan software you've obtained are authentic and unmodified. Your VirusScan diskette also contains several useful text files, which you can view and print with a text editor, word processor, or print command. You'll find version-specific information in the README.1ST file. Using VirusScan (Version 2.2) 4 VIRUSSCAN FILES AFTER UNPACKING After unpacking VirusScan you should have appropriate program files on your system for the version you have obtained (DOS, Windows, or OS/2). Several useful text files are also included. VirusScan for DOS Files AGENTS.TXT - lists McAfee authorized agents. CLEAN.DAT - virus removal data file required by SCAN.EXE COMPUSER.NOT - explains how to obtain CompuServe membership FILE_ID.DIZ - description of VirusScan used by some BBS software FILENAME.TXT - explains ZIP file naming conventions LICENSE.TXT - explains how to license VirusScan NAMES.DAT - virus name data file required by SCAN.EXE PACKING.LST - contains a list of all files, including validation information README.TXT - late-breaking information and new instructions not contained in this manual REGISTER.TXT - explains how to register VirusScan for your use SCAN.DAT - virus string data file required by SCAN.EXE SCAN.EXE - the VirusScan program VIRUSCAN.TXT - on-line manual for VirusScan VIRUSCAN.DOC - on-line manual for VirusScan (MS Word 6.0) VALIDATE.EXE - check VirusScan programs for authenticity VALIDATE.TXT - explains how to run VALIDATE.EXE VShield Files AGENTS.TXT - lists McAfee authorized agents CHKVSHLD.EXE - checks for presence of VShield and VShieldCRC in memory COMPUSER.NOT - explains how to obtain CompuServe membership FILENAME.TXT - explains ZIP file naming conventions FILE_ID.DIZ - description of VShield used by some BBS software LICENSE.TXT - explains how to license VShield NAMES.DAT - virus name data file PACKING.LST - contains a list of all files, including validation information README.TXT - late-breaking information and new instructions not contained in this manual REGISTER.TXT - explains how to register VirusScan for your use SCAN.DAT - virus string data file VALIDATE.EXE - check VirusScan programs for authenticity VALIDATE.TXT - explains how to run VALIDATE.EXE VIRUSCAN.TXT - on-line manual for VirusScan VIRUSCAN.DOC - on-line manual for VirusScan (MS Word 6.0) VSHEML.EXE - internal program for VShield VSHIELD.DAT - virus string data file required by VSHIELD.EXE VSHIELD.EXE - the VShield program VSHINST.EXE - creates program group, icon for VSHLDWIN.EXE VSHLDCRC.EXE - the VShieldCRC program VSHLDWIN.EXE - used by VShield and VShieldCRC to display messages within Windows Using VirusScan (Version 2.2) 5 VirusScan for OS/2 AGENTS.TXT - lists McAfee authorized agents CLEAN.DAT - virus removal data file required by OS2SCAN.EXE COMPUSER.NOT - explains how to obtain CompuServe membership FILE_ID.DIZ - description of VirusScan used by some BBS software FILENAME.TXT - explains ZIP file naming conventions LICENSE.TXT - explains how to license VirusScan NAMES.DAT - virus name data file required by OS2SCAN.EXE PACKING.LST - contains a list of all files, including validation information README.TXT - late-breaking information and new instructions not contained in this manual REGISTER.TXT - explains how to register VirusScan for your use OS2SCAN.EXE - the VirusScan program SCAN.DAT - virus string data file required by OS2SCAN.EXE VALIDATE.EXE - used to check VirusScan programs for authenticity VALIDATE.TXT - explains how to run VALIDATE.EXE VIRUSCAN.TXT - on-line manual for VirusScan VIRUSCAN.DOC - on-line manual for VirusScan (MS Word 6.0) SYSTEM REQUIREMENTS The VirusScan programs require an IBM-compatible personal computer and any of the following operating systems: o DOS 3.1 or later o Windows 3.1 or later o IBM OS/2 2.1 or later VShield is a terminate-and-stay-resident (TSR) program. VShield attempts to minimize the use of conventional memory by loading into expanded, extended, or upper memory. For more information, see "VShield Reference" in Chapter 4. You'll need a high-density 3.5" diskette drive to use the VirusScan diskette in this package. Contact McAfee for other media, or download the software from the McAfee bulletin board system (BBS). Using VirusScan (Version 2.2) 6 LICENSE AND REGISTRATION The VirusScan software is provided under license from McAfee, Inc., a copy of which is provided with this manual. Please read it and comply with it. Also, please fill out and return the registration form in your VirusScan package. Registration entitles you to upgrades at no charge from McAfee's bulletin board system and other sources, as well as technical support, for one year from your date of purchase. TECHNICAL SUPPORT For help in using this product, we invite you to contact McAfee technical support. You can contact us: o On-line 24 hours a day, through our bulletin board system, CompuServe, or Internet (see "On-line access to updates and technical support" below); o By fax, at (408) 970-9727; or o By telephone at (408) 988-3832, Monday through Friday, 6:00 am to 5:00 pm Pacific Standard Time. For fast and accurate help, please have the following information ready when you contact McAfee: o Program name and version number. o Type and brand of computer, hard disk, and any peripherals. o Version of DOS, along with any TSRs or device drivers in use. o Printouts of your AUTOEXEC.BAT and CONFIG.SYS files. o A printout of the contents of memory, from the MEM command (provided in DOS 4.0 and later) or a similar utility. Using VirusScan (Version 2.2) 7 o A description of the exact problem you are having. Please be as specific as possible. If you can't be at your computer when you call, a printout of the screen will be helpful. If you are overseas, you can contact a McAfee authorized agent. Agents are located in more than 50 countries around the world and provide local sales and support for our software. Please refer to the AGENTS.TXT file for a complete list of McAfee agents. ON-LINE ACCESS TO UPDATES AND TECHNICAL SUPPORT McAfee updates VirusScan approximately once a month to add new virus detectors, new options, and fix reported bugs. To distribute these new versions, we run a multi-line bulletin board system, a forum on CompuServe, and an Internet node. MCAFEE BULLETIN BOARD SYSTEM (BBS) Our multi-line BBS is accessible 24 hours a day, 365 days a year, except for scheduled downtime and maintenance. All lines run high-performance modems operating from 1,200 bps to 28,800 bps with line settings of 8 data bits, no parity, and 1 stop bit. The McAfee BBS phone number is (408) 988-4004. Appendix A, "Retrieving McAfee programs with communications software" explains how to dial up the McAfee BBS. Both technical support and software updates are available on the bulletin board. MCAFEE FORUM ON COMPUSERVE We sponsor the McAfee Virus Help Forum on CompuServe. To reach it, type GO MCAFEE at any CompuServe prompt. A free introductory membership is available. For more information, please read the enclosed COMPUSER.TXT file. Using VirusScan (Version 2.2) 8 INTERNET ACCESS The latest versions of McAfee's anti-virus software are available by anonymous ftp (file transfer protocol) over the Internet from the site ftp.mcafee.com. If your domain resolver does not support names, use the IP address 192.187.128.3. Enter anonymous or ftp as your user ID and your own e-mail address as the password. Programs are located in the pub/antivirus directory. If you have questions, please send e-mail to support@mcafee.com. You can also find McAfee's anti-virus software at the SimTel Software Repository at Oak.Oakland.EDU in the simtel/msdos/virus directory and its associated mirror sites: o wuarchive.wustl.edu (US). o ftp.switch.ch (Switzerland). o ftp.funet.fi (Finland). o src.doc.ic.ac (UK). o archie.au (Australia). MCAFEE PRODUCTS AND SERVICES Founded in 1989, McAfee, Inc. is the leading provider of tools for productive computing for the DOS, OS/2, and Windows environments. Our anti-virus products are used by more than 16,000 corporations worldwide. Our utility products provide data security, automated version updating, and system inspection and editing. McAfee is also the pioneer and leading provider of electronically distributed software. All of McAfee's products can be purchased through dealers or downloaded from bulletin board systems and on-line services around the world. McAfee doesn't stop at developing the world's best anti-virus and utility products. We back them with the industry's best service and technical support. Product support is provided by a full-time staff of virus researchers, programmers, and support professionals, and delivered directly by McAfee or our network of more than 150 Authorized Agent offices in more than 50 countries worldwide. Using VirusScan (Version 2.2) 9 OTHER SOURCES OF INFORMATION The McAfee BBS and CompuServe Virus Help Forum are excellent sources of information on virus protection. Batch files and utilities to help you use VirusScan software are often available, along with helpful advice. Independent publishers, colleges, training centers, and vendors also offer information and training about virus protection and computer security. We especially recommend the following books: o Ferbrache, David. A Pathology of Computer Viruses. London: Springer-Verlag, 1992. (ISBN 0-387-19610-2) o Hoffman, Lance J. Rogue Programs: Viruses, Worms, and Trojan Horses. Van Nostrand Reinhold, 1990. (ISBN 0-442-00454-0) o Jacobson, Robert V. The PC Virus Control Handbook, 2nd Ed. San Francisco: Miller Freeman Publications, 1990. (ISBN 0-87930-194-0) o Jacobson, Robert V. Using McAfee Associates Software for Safe Computing. New York: International Security Technology, 1992. (ISBN 0-9627374-1-0) In addition, the following sources can provide useful information about viruses: o National Computer Security Association (NCSA) 10 South Courthouse Avenue Carlisle, PA 17013 o CompuServe VIRUSFORUM o Internet comp.virus newsgroup Using VirusScan (Version 2.2) 10 CHAPTER 2: DON'T SKIP THIS CHAPTER or, What You Really Need to Know About VirusScan. We're serious about this. Installing and running the VirusScan(TM) programs is not like using other software. Even if you are a personal computer power user, use the VirusScan installation procedure and follow the tasks in this chapter. The reason is to avoid spreading a computer virus infection. Viruses spread when you start your computer (sometimes called booting) from an infected disk, or when you run an infected program. If your computer is infected, installing and running VirusScan on your hard disk may spread the infection, even to the VirusScan programs themselves. The tasks in this chapter will ensure that you have a clean environment to detect, eradicate, and prevent viruses. This is like a surgical team establishing a "sterile field" before performing surgery. Once it is established, they make sure that everything brought into the field has already been sterilized. In this procedure, you will create a clean anti-viral start-up diskette with which you can always re-establish the sterile field. Your VirusScan diskette is write-protected to ensure that no virus can alter the programs and information stored there. Under no circumstances should you remove the write protection. Here's a summary of the tasks you'll follow in this chapter: o Installing VirusScan o Scanning your system. o If you detect a virus. o Activating VShield(TM). o Making a clean start-up (boot) diskette. o Running the VirusScan programs. o When to scan for viruses. o Updating VirusScan regularly. Using VirusScan (Version 2.2) 11 INSTALLING VIRUSSCAN This task explains how to check your system and install the VirusScan software under DOS, Windows, or OS/2 using the install program. For instructions on installing downloaded software, see Appendix A. Don't use any other method to install VirusScan, or you risk spreading a virus. INSTALLATION STEPS Start from the system prompt (C:\> or [C:\]). If you are running Windows or an application program, exit from it to display the prompt. If you are running OS/2, close all DOS and Win-OS/2 sessions. Open the Command Prompts folder in the OS/2 System folder, and click on either the OS/2 Full Screen or OS/2 Window icon. NOTE: See Appendix A for additional instructions for setting up WScan and VShield under Windows. 1. Create a directory to contain the VirusScan files, as in the following example: C:\> mkdir c:\mcafee and press <ENTER>. If you have an earlier version of VirusScan already installed, create a separate directory (such as c:\newvscan) for the new version. (You should test the new version before removing the earlier version.) 2. Copy the VirusScan archived (.ZIP) file to this directory, as in the following example: C:\> copy c:\download\*.zip c:\mcafee and press <ENTER>. 3. Change to the VirusScan directory you just created, as in the following example: C:\> cd c:\mcafee and press <ENTER>. Using VirusScan (Version 2.2) 12 4. Unzip the file using PKUNZIP.EXE, as in the following example: C:\mcafee> PKUNZIP *.ZIP and press <ENTER>. 5. Run VirusScan to check your local hard disk(s) by typing: c:\mcafee> scan /adl and pressing <ENTER>. It may take several minutes for the Scan program to check for viruses in memory, then on the system and user portions of your drives. Scan keeps you informed of its progress. Read the information carefully, and write down the name of any viruses Scan reports. 6. If Scan reports no virus found, congratulations-- most likely your system is currently virus-free. Continue with "Making a Clean Start-Up Diskette" in this chapter. If Scan finds one or more viruses, you'll see a message like: Found the Jerusalem Virus and installation will stop. Don't panic, even if the virus has infected many files. At the same time, don't run any other programs, especially if the virus is found in memory. Go directly to "If you detect a virus" later in this chapter for further instructions. 7. Create a directory on your hard disk to store the VirusScan files in by typing: C:\> mkdir mcafee and pressing <ENTER>. 8. Copy the VirusScan files from the 'VirusScan Program Diskette' in drive A: to your hard disk by typing: C:\> copy a:\*.* c:\mcafee and pressing <ENTER>. VirusScan has now been installed onto your hard disk. Now your system's startup files must be modified to find VirusScan on your system. Using VirusScan (Version 2.2) 13 9. DOS and Windows users: Using a text editor program, load your AUTOEXEC.BAT file. Locate the path statement, which typically begins with a 'PATH' or 'SET PATH =' statement. Place your cursor at the end of this line and type: ;C:\MCAFEE and press <ENTER>. Now save your AUTOEXEC.BAT file and exit the editor. NOTE: If a semi-colon ";" is already present at the end of the line, do not add one to the path statement. OS/2 users: Make the same change listed above to the 'SET PATH=' and 'SET LIBPATH=' statements in your CONFIG.SYS file. Now save your CONFIG.SYS file and exit the editor. Congratulations! You've successfully installed VirusScan. Restart your computer now and continue with this chapter to see how you can use VirusScan to keep your computer virus- free. We recommend looking over the following sections in this chapter: o "Scanning Your System" o "If You Detect A Virus" o "Activating VShield" o "Making A Clean Start-Up Diskette" Continue with the remaining tasks in this chapter, beginning with "Running the VirusScan Programs" to find out how and when to run and update the VirusScan programs. Using VirusScan (Version 2.2) 14 SCANNING YOUR SYSTEM VirusScan's Scan program examines your PC and disks to detect viruses there. The first time you run Scan, do so from the original, write- protected diskette so that the programs themselves cannot be infected. Start from the system prompt (C> or [C:\]). If you are running Windows or an application program, exit from it to display the prompt. If you are running OS/2, close all DOS and Win-OS/2 sessions; then open the Command Prompts folder in the OS/2 system folder, and click the OS/2 Full Screen or OS/2 Window icon. After typing each entry on the command line, press [Enter]. If you include the /REPORT option, Scan saves a report of infected files and any system errors to a log file that you specify. 1. Insert the VirusScan program diskette in drive A. 2. Scan your C drive for known viruses by typing: DOS or Windows C> a:scan c: /report c:\virus.log OS/2 [C:\] a:os2scan c: /report c:\virus.log Or, if you have more than one hard drive, scan them in the same way. For example, if you have C and D drives: DOS or Windows C> a:scan c: d: /report c:\virus.log OS/2 [C:\] a:os2scan c: d: /report c:\virus.log You can also scan all local drives using the /ADL option. For example: DOS or Windows C> a:scan /adl /report c:\virus.log OS/2 [C:\] a:os2scan /adl /report c:\virus.log Using VirusScan (Version 2.2) 15 It may take several minutes for the Scan program to check for viruses in memory, then on the system and user portions of your drives. Scan keeps you informed of its progress. Read the information on the screen carefully. Below is a sample of what Scan reports when checking a drive for viruses. ┌──────────────────────────────────────────────────┐ │ Virus data file V2.1.204 created Thu Jun 02 │ │ 12:17:53 1994 │ │ │ │ No viruses found in memory. │ │ │ │ Scanning C: │ │ Summary report on C: │ │ File(s) │ │ Analyzed:....... 1500 │ │ Scanned:........ 750 │ │ Possibly Infected:....... 0 │ │ Master Boot Record(s):.. 1 │ │ Possibly Infected:....... 0 │ │ Boot Sector(s):......... 1 │ │ Possibly Infected:....... 0 │ │ │ │ Time: 60.00 sec. │ └──────────────────────────────────────────────────┘ 3. If Scan reports No viruses found, congratulations--most likely your system is currently virus-free. Skip to "Activating VShield" later in this chapter. If Scan finds one or more viruses, you'll see a message like: ┌──────────────────────────────────────────────────┐ │ Scanning C: │ │ Scanning file C:\DOS\ATTRIB.EXE │ │ Found the Jerusalem Virus │ └──────────────────────────────────────────────────┘ DON'T PANIC, even if the virus has infected many files. At the same time, don't run any other programs, especially if the virus is found in memory. Turn to "If you detect a virus" later in this chapter, where VirusScan will help you eradicate it. NOTE: Scan has many options to control and fine- tune the scope, validation, and operation of its scan. For details, see Chapter 3 and "Detecting new and unknown viruses" in Chapter 5. Using VirusScan (Version 2.2) 16 IF YOU DETECT A VIRUS In this task, you will run Scan with the /CLEAN option to eradicate most known viruses from your disks. NOTE: If you are at all unsure about how to proceed once you've found a virus, contact McAfee for assistance (see "Technical support" in Chapter 1). We strongly recommend that you get experienced help in dealing with viruses if you are unfamiliar with anti-virus software and methods. This is especially true for "critical" viruses and master boot record (MBR or so-called "partition table")/boot sector infections, because improper removal of these viruses can result in the loss of all data and use of the infected disks. RESTART FROM A CLEAN ENVIRONMENT You must run Scan from a clean, virus-free environment. With DOS or Windows, restart from a clean diskette. With OS/2, simply close all DOS and Win-OS/2 sessions. DOS OR WINDOWS With DOS or Windows, the only way to ensure a clean environment is to turn your computer off to eliminate any viruses in memory, then restart from a virus-free diskette, preferably the original, write-protected DOS installation diskette that came with your computer. If you don't have one, borrow or buy one; don't use a diskette that might be infected. (See "Making a clean start-up diskette" later in this chapter for instructions. Create this diskette after you clean your system.) 1. Turn off your computer. (Don't just reset or reboot, which may leave some viruses intact in the computer's memory.) Using VirusScan (Version 2.2) 17 2. Make sure your clean boot (start-up) diskette is write-protected. o For a 3.5" diskette, slide its corner tab so that the square hole is open. o For a 5.25" diskette, cover its corner notch with a write-protect tab. Be sure to use the write-protect stickers provided with your diskettes, not tape. 3. Insert your start-up diskette in drive A. 4. Turn on your computer and wait until you see the system prompt (probably A>). Don't run any programs on your hard disk, or you may reactivate the virus. OS/2 With OS/2, you can eliminate viruses from memory by closing all DOS, Win-OS/2, and virtual DOS machine (VDM) sessions. BACK UP YOUR HARD DISK Some viruses may leave certain disks or files unusable when cleaned up. To increase your chance of recovery, boot from a clean copy of the operating system, then copy all the files on all of your hard disks onto fresh diskettes or a backup tape. You can use a commercial backup program, or the one included with DOS or OS/2. Scan the program disk first to make sure that the backup program itself is not infected. Do not run the backup program if it is infected. Instead, reload it from your original installation diskettes. Although some of the backed-up files may be infected, it is better to have current copies than not. However, don't overwrite previous backup disks or tapes, which may or may not be infected. Using VirusScan (Version 2.2) 18 RUN SCAN WITH THE /CLEAN OPTION Start from the system prompt (probably A> or [A:\]). If you are running OS/2, open the Command Prompts folder in the OS/2 system folder, and click the OS/2 Full Screen or OS/2 Window icon. After typing each entry on the command line, press [Enter]. 1. Insert the VirusScan program diskette in drive A. 2. Eliminate the first known virus on your hard drive(s) by typing: DOS or Windows A> scan /adl /clean OS/2 [A:\] os2scan /adl /clean Scan keeps you informed of its progress and generally reports virus removed successfully. If Scan reports that the virus could not safely be removed, see the next section, "If viruses were not removed." NOTE: Scan has options to control and fine-tune the scope, validation, and operation of its disinfection. For details, see "Scan option descriptions" in Chapter 3. IF VIRUSES WERE NOT REMOVED If Scan can't remove a virus, it will tell you: Virus cannot be removed from this file. Make sure to take note of the filename, because you will need to restore it from backups. Run Scan again, this time using the /CLEAN and /DEL options to delete the remaining infected files, as described in Chapter 3. If you have any questions, contact McAfee (see "Technical support" in Chapter 1). Using VirusScan (Version 2.2) 19 IF VIRUSES WERE SAFELY REMOVED, RESCAN AND CHECK DISKETTES If Scan has successfully removed all the viruses, restart your computer. Restart installation as described in "Installing VirusScan" earlier in this chapter. Thereafter, you can proceed to "Making a clean start-up diskette" and "Running the VirusScan programs" later in this chapter. One common source of virus infection is floppy diskettes. Once you've finished installing VirusScan on your hard disk, use Scan again to examine and disinfect the diskettes you use, as described in "When to rescan" later in this chapter. FALSE ALARMS Due to the nature of anti-virus software, there is a possibility that Scan may report a virus in a file that is not infected. This can be more likely if you are using more than one brand of virus protection software, especially if the virus is reported in memory and not anywhere on the disk when you boot. If Scan reports a virus infection that you suspect may be in error, contact McAfee (see "Technical support" in Chapter 1). You can upload the file to our bulletin board system at (408) 988-4004, along with your name, address, daytime telephone number, and electronic mail address (if any). ACTIVATING VSHIELD VirusScan's VShield program can help prevent viruses from infecting your system. It runs as a "terminate-and-stay-resident" (TSR) program, remaining in memory and scanning and intercepting programs as they are executed. To activate VShield at any time: o DOS or Windows Restart your computer by pressing [Ctrl]+[Alt]+[Del], or by turning it off and then on again, or any other reset method. Using VirusScan (Version 2.2) 20 o OS/2 Restart all DOS and Win-OS/2 windows. If you have difficulties running VShield, it may be due to conflicts with other TSR programs in your system, or with other programs that monitor disk access. See "VShield option summary" in Chapter 4 and "Troubleshooting VShield" in Chapter 5 for more information. Contact McAfee technical support if you need help (see "Technical support" in Chapter 1). VShield minimizes the use of conventional memory by attempting to load into extended, expanded, upper memory, or a combination of them, before using conventional memory. For extreme memory limitations, you can use VShield's /SWAP option to reduce memory requirements to 8Kb, although this decreases VShield's speed. For details, see Chapter 4. NOTE: VShield has options to control and fine- tune the scope, validation, and operation of its virus prevention. For details, see Chapter 4. When used in conjunction with some Scan options, VShield can help protect your system from new and unknown viruses. At a minimum, consider checking floppy disk (/ANYACCESS, /FILEACCESS, or /BOOTACCESS). For details, see "Detecting new and unknown viruses" in Chapter 5. In OS/2, VShield runs in DOS and Win-OS/2 sessions only, because viruses can operate only in those sessions. In Windows, you can use the VShield icon to turn messages from VShield on and off. (VShield itself, however, remains active.) For details, see Chapter 4. Using VirusScan (Version 2.2) 21 MAKING A CLEAN START-UP DISKETTE In DOS or Windows, create a clean anti-viral start-up (boot) diskette that you can use to regain your "sterile field" if your system becomes infected. This is not necessary in OS/2, although it will be helpful to make backup copies of your OS/2 installation diskettes. NOTE: Your system must be virus-free before starting these steps. DOS OR WINDOWS In DOS, start from the system prompt (C>). In Windows, you may open a DOS window, or duplicate these steps with the Windows File Manager. 1. Insert a blank or dispensable diskette in drive A. Make sure the diskette contains no important information, as this procedure will overwrite it. 2. Format it as a start-up diskette with the system files by typing: C> format a: /s/v/u NOTE: If you are using a version of DOS before DOS 5.0, do not type the /U option. The /U option in recent DOS versions ensures that the system portions of the diskette are overwritten. When prompted for a volume label, enter virusfree01 or another name of up to 11 characters. 3. Copy the Scan program to the diskette. Here's one way to do this, assuming that your VirusScan files are stored in C:\MCAFEE\VIRUSCAN: C> copy c:\mcafee\viruscan\scan.exe a: C> copy c:\mcafee\viruscan\scan.dat a: C> copy c:\mcafee\viruscan\clean.dat a: C> copy c:\mcafee\viruscan\names.dat a: Using VirusScan (Version 2.2) 22 4. Copy useful DOS programs to the diskette. Here's one way to do this, assuming that your DOS files are stored in C:\DOS: C> copy c:\dos\chkdsk.* a: C> copy c:\dos\debug.* a: C> copy c:\dos\diskcopy.* a: C> copy c:\dos\fdisk.* a: C> copy c:\dos\format.* a: C> copy c:\dos\label.* a: C> copy c:\dos\mem.* a: C> copy c:\dos\sys.* a: C> copy c:\dos\unerase.* a: C> copy c:\dos\xcopy.* a: In the same way, copy other DOS programs that you think might be useful. NOTE: If you use a disk compression utility, be sure to copy the drivers required to access the compressed disks onto the clean start-up diskette. 5. Remove the diskette from the drive and write- protect it so that it cannot become infected. o For a 3.5" diskette, slide its corner tab so that the square hole is open. o For a 5.25" diskette, cover its corner notch with a write-protect tab. Be sure to use the write-protect stickers provided with your diskettes, not tape. 6. Label the diskette "Virus-Free start-up" and put it away in a secure place in case you need to reestablish a virus-free environment in the future. You may want to note the date and versions of DOS and VirusScan on the label. OS/2 With OS/2, you don't need a virus-free start-up disk. However, it will be helpful to keep a clean copy of important files. Copy the VirusScan OS/2 program and data files and your CONFIG.SYS, STARTUP.CMD and AUTOEXEC.BAT files onto a clean start-up diskette. Write-protect the diskette, label it, and put it away in a secure place. Using VirusScan (Version 2.2) 23 RUNNING THE VIRUSSCAN PROGRAMS DOS To run the VirusScan programs from the DOS command prompt, type the program name (SCAN or VSHIELD) on the command line. Follow the program name with the drive (if applicable to the program) and whatever options you want. NOTE: If you have not changed the path statement in your AUTOEXEC.BAT file, you will need to include its location (usually C:\MCAFEE\VIRUSCAN) in the command, or change to that directory. For example, to examine a diskette in drive A: C> c:\mcafee\viruscan\scan a: EXCEPTION: If Scan detects a virus in memory or on your hard disk, don't run Scan with the /CLEAN option from C:\MCAFEE\VIRUSCAN. Instead, restart your computer and run Scan from your clean start-up diskette as described in "If you detect a virus" earlier in this chapter. VirusScan can list the viruses it detects. To view this list, run Scan with the /VIRLIST option, as described in Chapter 3. WINDOWS If you used the installation procedure earlier in this chapter or installed downloaded files using the instructions in Appendix A, the WScan and VShield icons appear in the McAfee group. To use them, open the folder and double-click the program icon. See Chapter 3 for instructions on using Scan for Windows. NOTE: If a virus is active in memory, do not use interactive Scan to remove it, because Windows or other system files might be infected and you risk spreading the virus. If you've detected such a virus, restart your computer and run Scan from your clean start-up diskette, as described in "If you detect a virus" earlier in this chapter. Using VirusScan (Version 2.2) 24 VSHIELD AND WINDOWS The install program adds a line to your AUTOEXEC.BAT file that automatically activates VShield whenever you start or restart your computer. In Windows, it also gives you a VShield icon that you can click to see VShield status. (See Appendix A for instructions for downloaded software.) NOTE: You can change VShield options from the DOS command line by removing VShield from memory and rerunning it, by editing the VSHIELD command in your AUTOEXEC.BAT file, or by editing the default configuration file. See Chapter 4 for details. OS/2 To run Scan from OS/2, open the Command Prompts folder in the OS/2 system folder and click the OS/2 Full Screen or OS/2 Window icon. Next, type the program name (os2scan) on the command line. Follow the program name with the drive, directory, or file(s) you want to scan and the options you want to use. NOTE: If you have not changed the PATH and LIBPATH statements in your CONFIG.SYS file, you will need to include its location (usually C:\MCAFEE\VIRUSCAN) on the command line, or change to that directory. For example, to examine a diskette in drive A: [C:\] c:\mcafee\viruscan\os2scan a: NOTE: VShield does not run in OS/2 sessions, only under DOS and Win-OS/2 sessions inside of OS/2. You can place the VShield command in your AUTOEXEC.BAT file, where it will run automatically when you start a DOS or Win-OS/2 session. You can also run it from the DOS command line, as described earlier in this section. Using VirusScan (Version 2.2) 25 WHEN TO RESCAN Although VShield will monitor your software for viruses, it's wise to scan your disks when you introduce new programs, or disks that may be infected. New programs and files are generally introduced in two ways: by inserting a diskette and booting from it, and by installing new programs. It is also possible to download a virus inadvertently via a modem, but this is very rare. You can use VShield with the /ANYACCESS option to scan diskettes automatically. For more information, see "/ANYACCESS" in "VShield option descriptions" in Chapter 4. For instructions on running VirusScan, see "Running the VirusScan programs" earlier in this chapter. WHEN YOU INSERT AN UNCHECKED DISKETTE Every time you insert a new diskette in your drive, run Scan on it before executing, installing, or copying its files. If you have several diskettes to scan, you can scan them consecutively using the /MANY option described in Chapter 3. In fact, we recommend doing this now with all the diskettes you normally use, as well as diskettes received from friends, coworkers, salespeople, and even your own diskettes if they have been in another PC. WHEN YOU INSTALL OR DOWNLOAD NEW FILES Every time you install new software on your hard drive, or download executable files from a network server, bulletin board, or on-line service, run Scan on the directory in which the files were placed before you execute the files. UPDATING VIRUSSCAN REGULARLY Unfortunately, new viruses (and variants of old ones) appear and circulate often in the personal computer community. Fortunately, McAfee updates the VirusScan programs regularly--usually monthly, but sooner if many new viruses have appeared. Each new version may detect and eradicate as many as 60-100 new viruses or more, and may add new features. To find out what's new, review the README.1ST text file. Using VirusScan (Version 2.2) 26 DOWNLOAD NEW VERSIONS As a VirusScan licensee, you may download new versions without charge for one year from your date of purchase. Use your communications software to download new versions from the McAfee bulletin board, CompuServe, or the Internet. See Chapter 1 and Appendix A for more information. New versions of McAfee software are stored in compressed form to reduce transmission time. NOTE: Always download and decompress the files in a separate directory from your current files. That way, if you discover a problem with the new files, you'll still have the old ones. VALIDATE VIRUSSCAN When you download a program file from any source other than the McAfee bulletin board or other McAfee service, it's important to verify that it is authentic, unaltered, and uninfected. McAfee anti-virus software includes a program called Validate that helps you do this. When you receive a new version of VirusScan, run Validate on all of the program files. To do this for Scan, start from the system prompt (C> or [C:\]): 1. Navigate to the directory to which you've downloaded the files. For example, if you've stored the files in C:\MCAFEE\DOWNLD\VIRUSCAN: C> c: C> cd \mcafee\downld\viruscan 2. Type the command: DOS or Windows C> validate scan.exe OS/2 [C:\] os2val os2scan.exe 3. Compare the results with the information in the PACKING.LST file or other text file for the program you validated. If the validation results match what's in the file, it is highly unlikely that the program has been modified. Using VirusScan (Version 2.2) 27 UPDATE YOUR CLEAN START-UP DISKETTE Once you have validated the new version, copy it into your C:\MCAFEE\VIRUSCAN directory. In addition, copy the Scan program onto your clean start-up diskette. Below is one way to do this; you may also use the Windows File Manager or the OS/2 environment. Note any changes you've made to default options, because you may want to select and save them again. Start from the system prompt (C> or [C:\]). 1. Navigate to the directory to which you've retrieved the files, such as C:\MCAFEE\DOWNLD\VIRUSCAN: C> c: C> cd \mcafee\downld\viruscan 2. Copy the contents of the directory to C:\MCAFEE\VIRUSCAN: C> copy *.* c:\mcafee\viruscan 3. Temporarily remove write-protection from your clean start-up diskette and insert it in drive A. o For a 3.5" diskette, slide its corner tab so that the square hole is closed. o For a 5.25" diskette, remove the tab from its corner notch. 4. Copy the Scan program to the diskette. DOS or Windows C> copy SCAN.EXE a: copy SCAN.DAT a: copy CLEAN.DAT a: copy NAMES.DAT a: OS/2 [C:\] copy OS2SCAN.EXE a: 5. Remove the diskette from the drive and write- protect it again. Using VirusScan (Version 2.2) 28 CHAPTER 3: SCAN REFERENCE The Scan program detects, identifies, and disinfects known DOS computer viruses. Scan checks memory as well as the system and data areas of disks for virus infections. If Scan finds a known virus, in most cases it will eliminate the virus and fully restore infected programs or system areas to normal operation. To obtain a list of all the viruses that Scan detects, run Scan with the /VIRLIST option. In addition, Scan can also assign validation and recovery codes to files, and use those codes to detect and treat infection by new and unknown viruses. If Scan has stored validation or recovery data for files, it may detect file changes and warn that infection by an unknown virus may have occurred. Scan can also use the recovery codes to remove new or unknown viruses and restore infected files. Scan runs on DOS, Windows, and OS/2. The program files are SCAN.EXE (DOS), WSCAN.EXE (Windows), and OS2SCAN.EXE (OS/2), respectively. This chapter describes them all. NOTE: Because OS/2 operates in a protected mode environment, Scan for OS/2 does not check memory. To protect against viruses in OS/2 DOS and Win-OS/2 sessions, use the VShield (for DOS) virus prevention program. Scan is designed so that basic operation, as described in "Scanning your system" and "When to rescan" in Chapter 2, will detect most viruses. The command line options described here offer additional power and control over virus detection. They enable you to run Scan from batch or script files. Network administrators, information services staff, and computer systems with vulnerable environments will benefit from this feature. Using VirusScan (Version 2.2) 29 SYSTEM REQUIREMENTS AND SUPPORT Scan requires DOS 3.1 or later, Windows 3.1 or later, or IBM OS/2 Version 2.1 or later. Scan works with 3Com 3/Share and 3/Open, Artisoft LanTastic, AT&T StarLAN, Banyan VINES, DEC Pathworks, IBM LAN Server, Microsoft LAN Manager, Novell NetWare, and any other IBMNET- or NETBIOS-compatible network operating systems. Contact McAfee or your local authorized agent if you do not see your network listed (see "Technical support" in Chapter 1). Scan is designed to check for pre-existing infections of known and unknown viruses on floppy, hard, CD-ROM, and compressed disks (SuperStor, Stacker, DoubleSpace, and so on) on both stand-alone and networked personal computers, as well as network file servers. If you have a Novell NetWare/386 V3.1X or 4.01 file server, you may want to use the NETShield(TM) virus prevention NetWare Loadable Module (NLM) in conjunction with Scan. NOTE: To use Scan to clean up (disinfect) virus- infected files, the CLEAN.DAT file must be present in the same subdirectory as SCAN.EXE. If you don't have the CLEAN.DAT file, first verify whether you should contact your system administrator or information systems staff directly for virus clean-up. Otherwise, you can contact McAfee (see "Technical support" in Chapter 1). Using VirusScan (Version 2.2) 30 TECHNICAL OVERVIEW KNOWN VIRUS DETECTION Scan detects known viruses by searching the system for characteristics (sequences of code) unique to each computer virus and reporting their presence if found. For viruses that encrypt or cipher their code so that every infection is different, Scan uses detection algorithms that work by statistical analysis, heuristics, and code disassembly. NEW AND UNKNOWN VIRUS DETECTION Scan can also check for new or unknown viruses by comparing files against previously recorded validation data. If a file has been modified, it will no longer match the validation data, and Scan will report that the file may have become infected. With certain options, SCAN /CLEAN can use the validation and recovery data to restore infected files. Refer to the /AF, /AV, /CF, /CV, /RF, and /RV options in Chapter 4. NOTE TO NETWORK USERS To use Scan on a network drive (or directory), you must be connected to that drive and have read access to it. Some command line options described in this chapter attempt to create, change, and delete files. To use these options, you must have sufficient access rights. If you have questions about access rights, contact your network administrator. Using VirusScan (Version 2.2) 31 VALIDATING SCAN The Scan program in your VirusScan package is supplied on a write-protected diskette that should be secure from infection. We recommend that you update your copy of the VirusScan programs regularly. You can obtain an upgrade from several sources, as described in "Updating VirusScan regularly" in Chapter 2. Before using a new version of Scan for the first time, verify that it has not been tampered with or infected by using the Validate program, as described in "Validate VirusScan" in Chapter 2. If your new copy of Scan differs from the validation data in the on-line documentation file, it may have been damaged. Don't use it, and obtain a clean copy of Scan from a known source. Scan performs an integrity test when run. This self-check allows Scan to determine if it has been modified. If Scan fails its integrity test, a warning message appears, and Scan refuses to run and returns to the command line prompt. You must obtain an undamaged copy before continuing. RUNNING SCAN FROM THE COMMAND LINE Scan checks files and other areas of the system that can contain computer viruses. When a virus is found, Scan identifies the virus and the system area or file where it was found. By default, Scan examines only executable files (.EXE, .COM, .SYS, .BIN, .OVL, and .DLL files). These are the files most likely to be infected with a virus. Use the /ALL option to scan all files on your system. Refer to "Scan option descriptions" later in this chapter for more information about the /ALL option. From DOS or OS/2, you can run Scan from the system prompt. (From OS/2, open the Command Prompts folder in the OS/2 system folder, then click either the OS/2 Full Screen icon or the OS/2 Window icon to see the system prompt. Once you see the prompt, For DOS, type: C> scan {drives} [options] For OS/2, type: [C:\] os2scan {drives} [options] Using VirusScan (Version 2.2) 32 {drives} indicates one or more drives to be scanned. You must specify one or more drives to scan. If you list a drive like c:, all of its subdirectories will be scanned. If you list \, only the root directory of the current disk will be scanned. If you list \ or a directory, its subdirectories will not be scanned unless you use the /SUB option. [options] indicates one or more of the Scan options listed in the next section, "Scan command line option summary." Using VirusScan (Version 2.2) 33 SCAN COMMAND LINE OPTION SUMMARY /? or /HELP Display help screen (not available in Windows, use Help menu instead). /ADL Scan all local drives (including CD-ROM and PCMCIA drives, but not floppy drives). /ADN Scan all network drives. /AF {filename} Store validation/recovery codes in {filename}. /ALL Scan all files, not just standard executables. /APPEND Append to, rather than overwrite, the file (used with the /REPORT option). /AV Add validation/recovery data to program files. /BOOT Scan boot sector and master boot record only. /CF {filename} Check validation/recovery codes in {filename}. /CLEAN Clean up infections in boot sector, master boot record, and files when possible. /CV Check validation/recovery data in files. /DEL Overwrite and delete infected files. /EXCLUDE {filename} Exclude from scan any files listed in {filename} (used with the /AV option). /FAST Speed up VirusScan's scanning; may detect fewer viruses. /FREQUENCY {hours} Set the time freqency with which to scan your system. Using VirusScan (Version 2.2) 34 /LOAD {filename} Use Scan settings stored in {filename}. /LOG Save date and time that Scan was last run in a hidden file (SCAN.LOG). /MANY Scan multiple diskettes on a single drive. /MOVE {directory} Move infected files to {directory}. /NOCOMP Skip checking compressed executables created with the LZEXE or PKLITE file compression programs. /NOMEM Skip memory checking (not applicable to OS/2). /PAUSE Enable screen pause. /PLAD Preserve last access dates on Novell drives. /REPORT {filename} Create report of infected files found during scan in {filename}. /RF {filename} Remove validation/recovery codes in {filename}. /RPTCOR Add list of corrupted files to the report file (used with the /REPORT option). /RPTERR Add list of system errors to the report file (used with the /REPORT option). /RPTMOD Add list of modified files to the report file. (used with the /REPORT option in conjunction with either /CF or /CV). /RV Remove validation/recovery data from files. /SHOWLOG Display information in SCAN.LOG. Using VirusScan (Version 2.2) 35 /SUB Scan subdirectories inside a directory. /VIRLIST Display list of viruses detected by VirusScan. Using VirusScan (Version 2.2) 36 SCAN OPTION DESCRIPTIONS Here is a detailed description of Scan's options. /? or /HELP Display list of Scan options. Does not scan. Instead, displays a list of Scan command line options with a brief description of each. No scanning is performed when these options are specified. Use either of these options alone on the command line. /ADL Scan all local drives (except floppy drives). Scans all local drives for viruses, in addition to those specified on the command line. In DOS, use /ADL to check all local drives (including compressed drives, CD-ROMs, and PCMCIA drives, but not floppy drives). To scan both local and network drives, use /ADL and /ADN together in the same command line. /ADN Scan all network drives. Scans all network drives for viruses, in addition to those specified on the command line. To scan both local and network drives, use /ADL and /ADN together in the same command line. /AF {filename} Store validation/recovery codes in {filename}. Helps you detect and recover from new or unknown viruses. /AF logs validation and recovery data for executable files (but not the boot sector or the master boot record) of a disk in the file you specify. The log file is about 95 bytes per file validated. You must specify a {filename}, which can include the target drive and directory (such as D:\VSVALID\VALCODES.VSC). If the target path is a network drive, you must have rights to create and delete files on that drive. If {filename} exists, Scan updates it. /AF adds about 300% more time to scanning. Using VirusScan (Version 2.2) 37 To recover from a virus using the /AF information, use the /CF and /CLEAN options together in the same command line. Using any of the /AF, /CF, or /RF options together in the same command line returns an error. NOTE: /AF performs the same function as /AV, but stores its data in a separate file rather than changing the executable files themselves. For more information, see "Detecting new and unknown viruses" in Chapter 5. /ALL Check all files, not just standard executable files. Increases system security by performing a more thorough scan. Otherwise, Scan checks only standard executable files (with .COM, .EXE, .SYS, .BIN, .OVL, and .DLL extensions), which are the files most likely to be infected by a virus. If /ALL is specified, Scan checks all files on the specified drive, which increases Scan's ability to detect viruses in overlay files but substantially increases the scanning time required. Use this option if you have found a virus or suspect one. (Note that the list of extensions for standard executables, above, has changed from previous releases of VirusScan.) /APPEND Append to the report file. Used in conjunction with /REPORT, appends the report message text to the specified report file, if it exists. Otherwise, the /REPORT option overwrites the specified report file, if it exists. /AV Add validation/recovery data to files. Helps you detect and recover from new or unknown viruses. /AV adds recovery and validation data to each standard executable file (.EXE, .COM, .SYS, .BIN, .OVL, and .DLL), increasing the size of each file by 98 bytes. To update files on a shared network drive, you must have update access rights. The /AV option adds about 100% more time to scanning. Using VirusScan (Version 2.2) 38 To exclude self-modifying or self-checking files that might cause false alarms, use the /EXCLUDE option. To recover from a virus using the /AV information, use the /CV and /CLEAN options together in the same command line. Using any of the /AV, /CV, or /RV options together in the same command line returns an error. NOTE: The /AV option does not store any information about the master boot record (MBR) or boot sector of the drive being scanned. /BOOT Scan boot sector and master boot record only. Scans the boot sector and master boot record on the specified drive(s), but not files or directories on those drives. /CF {filename} Check validation/recovery codes in {filename}. Helps you detect new or unknown viruses. Checks validation data stored by the /AF option in {filename}. If a file or system area has changed, Scan reports that a viral infection may have occurred. The /CF option adds about 250% more time to scanning. For more information, see "Detecting new and unknown viruses" in Chapter 5. You can use /CF and /CLEAN in the same command line to check validation/recovery codes and remove any viruses found. Using any of the /AF, /CF, or /RF options together in a command line returns an error. NOTE: Some older Hewlett-Packard and Zenith PCs modify the boot sector each time the system is booted. If you use /CF or /CV, Scan continuously reports that the boot sector has been modified even though no virus may be present. Check your system's reference manual to determine whether your PC has self-modifying boot code, or contact McAfee for help (see "Technical support" in Chapter 1). NOTE OS/2 dual boot systems change the boot sector between DOS and OS/2 depending on which operating system is active. This causes Scan to report that the boot sector has been modified. Using VirusScan (Version 2.2) 39 /CLEAN Remove viruses from boot sector, master boot record, and infected files. Attempts to restore the boot sector, if infected, and any infected files. Usually, between 10% and 20% of all viruses are not removable; they damage the file they infect beyond repair. If the infected file resides on a network drive, you must have rights to modify files on that drive to clean it. If it cannot restore a file, you'll see a message that identifies the name of the unrecoverable file. To use /CLEAN, the CLEAN.DAT file must reside in the Scan directory. For more information, see "Cleaning viruses" later in this chapter. Use /CLEAN instead of /DEL when you want to restore infected files, not just delete or overwrite them. The /CLEAN option can remove master boot record (MBR) and boot sector viruses, but the /DEL option cannot. If you use /CLEAN and /DEL in the same command line, Scan first attempts to disinfect an infected file, then deletes it only if it cannot be repaired. Similarly, if you use /CLEAN and /MOVE in the same command line, Scan first attempts to clean an infected file, then moves it to the specified subdirectory if the file is unrecoverable. You can use /CLEAN and /CF or /CV in the same command line to check validation/recovery codes and remove any viruses found. We strongly recommend that you get experienced help in dealing with viruses if you are unfamiliar with anti-virus software and methods. This is especially true for "critical" viruses and master boot record (MBR)/boot sector infections, because improper removal of these viruses can result in the loss of all data on the infected disks. NOTE: When scanning a network drive using /CLEAN, you must have sufficient rights to update files on that drive. Using VirusScan (Version 2.2) 40 /CV Check validation/recovery data in files. Helps you detect new or unknown viruses. Checks validation data added by the /AV option. If a file is modified, Scan reports that a viral infection may have occurred. The /CV option adds about 50% more time to scanning. You can use /CLEAN and /CV in the same command line to check validation/recovery codes and restore infected files. Using any of the /AV, /CV, or /RV options together in the same command line returns an error. For more information, see "Detecting new and unknown viruses" in Chapter 5. See also the note under /CF in this section. /DEL Overwrite and delete infected files. Deletes and overwrites each infected file. Files erased by the /DEL option cannot be recovered (you should generate a report so that you can restore them from backups). Instead of /DEL alone, we recommend using it in combination with the /CLEAN option to attempt to disinfect an infected file first, then delete it only if the file is unrecoverable. The /CLEAN option can remove master boot record and boot sector viruses, but the /DEL option cannot. NOTE: When scanning a network drive using /DEL, you must have sufficient access rights to delete files on that drive. /EXCLUDE {filename} Scan using exception list file called {filename}. Allows you to exclude files from /AV validation and /CV checking. Self-modifying or self-checking files can cause a false alarm during a scan. To create {filename}, see "Technical note 1: Creating an exception list file for the /EXCLUDE option" in this chapter. Using VirusScan (Version 2.2) 41 /FAST Speed up Scan's scanning. Reduces scanning time by about 15%. Using the /FAST option, Scan examines a smaller portion of each file for viruses, although it examines more files overall. Using /FAST might miss some infections found in a more comprehensive (but slower) scan. Do not use this option if you have found a virus or suspect one. /FREQUENCY {hours} Set the time freqency with which to scan your system. In environments where the risk of viral infection is very low, use this option to prevent unnecessary or too-frequent scans. The lower the number of {hours} specified, the greater the scan frequency and the greater your protection against infection. The first time this option is used on a workstation, Scan creates a hidden file named MCAFEE.FRC in the root directory of drive C. In it, Scan stores the date and time that the system was scanned. Thereafter, whenever this option is used, Scan checks this file and compares the time elapsed from the last scan with the specified number of {hours}. If {hours} exceeds the elapsed time, Scan exits without scanning the system. Otherwise, Scan proceeds as usual to scan the system and, when finished, updates MCAFEE.FRC with the system date and time. /LOAD {filename} Use Scan settings stored in {filename}. By default, Scan loads its internal default settings plus any options specified on the command line. You can store all custom settings in a separate ASCII text file, then use /LOAD to load those settings from that file. Use a text editor to create the file. You can put all options on the same command line or put each option (with its parameter) on its own line, separated by a hard carriage return and line feed, as shown in the following examples. Using VirusScan (Version 2.2) 42 Sample load file with all options on the same command line: m: /report a:infectn.rpt /rptcor /rpterr Sample load file with each option on a separate command line: m: /report a:infectn.rpt /rptcor /rpterr /LOG Save date and time of last scan. Stores the time and date Scan is being run by updating or creating a file called SCAN.LOG in the current directory. /MANY Scan multiple floppies. Scans multiple diskettes consecutively in a single drive. Scan will prompt you for each diskette. Once you have established a virus-free system, use this option to check multiple diskettes quickly. /MOVE {directory} Move infected files to {directory}. Moves all infected files found during a scan to the specified directory. If you use /MOVE in conjunction with /CLEAN, Scan attempts to restore an infected file first, then moves it to the specified directory only if the file cannot be restored. Using /MOVE and /DEL in the same command line returns an error message. Using VirusScan (Version 2.2) 43 /NOCOMP Skip checking compressed executable files. Reduces scanning time when a full scan is not needed. Otherwise, by default, Scan checks inside executable, or self-decompressing, files that have been created using the LZEXE or PKLITE file compression programs. Scan decompresses each file in memory and checks for virus signatures, which takes time but results in a more thorough scan. If you use /NOCOMP, Scan does not check inside compressed files for viruses, although it can check for modifications to those files if they have been validated using validation/recovery codes. /NOMEM Skip memory checking. Reduces scan time by omitting all memory checks for viruses. Use /NOMEM only when you are absolutely certain that your system is virus- free. By default, Scan checks system memory for critical known computer viruses that can inhabit memory. In addition to main memory from 0Kb to 640Kb, Scan checks system memory from 640Kb to 1088Kb that can be used by computer viruses on 286 and later systems. Memory above 1088Kb is not addressed directly by the processor and is presently not susceptible to viruses. NOTE: /NOMEM is not applicable to OS/2. /PAUSE Enable screen pause. If you specify /PAUSE, the More? (H = Help) prompt appears when Scan fills up a screen with messages, such as when using the /SHOWLOG or /VIRLIST options. Otherwise, by default, Scan fills and scrolls a screen continuously without stopping, which allows Scan to run on PCs with many drives or that have severe infections without requiring you to attend. We recommend that you omit /PAUSE when keeping a record of Scan's messages using the report options (/REPORT, /RPTCOR, /RPTMOD, and /RPTERR). Using VirusScan (Version 2.2) 44 /PLAD Preserve last access dates (NetWare drives only). Prevents changing the last access date attribute for files stored on a network drive in a Novell network. Normally, NetWare updates the last access date when Scan opens and examines a file. However, some tape backup systems use this last access date to decide whether to back up the file. Use /PLAD to ensure that the last access date does not change as the result of scanning. /REPORT {filename} Create report of infected files and system errors. Saves the output of Scan to {filename} in ASCII text file format. If {filename} exists, /REPORT erases and replaces it. You can use /APPEND to append the current scan report to the end of {filename}. You can include the destination drive and directory (such as D:\VSREPRT\ALL.TXT), but if the destination is a network drive, you must have rights to create and delete files on that drive. You can also use /RPTCOR, /RPTMOD, and /RPTERR to add corrupted files, modified files, and system errors to the report. /RF {filename} Remove validation/recovery codes in {filename}. Removes recovery and validation data from {filename} created by the /AF option. If {filename} resides on a shared network drive, you must be able to delete files on that drive. Using any of the /AF, /CF, or /RF options together in the same command line returns an error. /RPTCOR Add corrupted files to Scan report. Used in conjunction with /REPORT, adds the names of corrupted files to the report file. A corrupted file is a file that a virus has damaged beyond repair, which typically occurs in 10% to 20% of all viral infections. You can use /RPTCOR with /RPTMOD and /RPTERR on the same command line. Using VirusScan (Version 2.2) 45 /RPTERR Add errors to Scan report. Used in conjunction with /REPORT, adds system errors to the report file. System errors include problems reading or writing to a diskette or hard disk, file system or network problems, problems creating reports, and other system-related problems. You can use /RPTERR with /RPTCOR and /RPTMOD on the same command line. /RPTMOD Add modified files to the Scan report. Used in conjunction with /REPORT, adds the names of modified files to the report file. Scan identifies modified files when the validation/recovery codes do not match (using the /CF or /CV options). You can use /RPTMOD with /RPTCOR and /RPTERR on the same command line. /RV Remove validation/recovery from files. Removes validation and recovery data from files validated with the /AV option, along with the SCAN.LOG file on the specified drive. To update files on a shared network drive, you must have access rights to update them. Using any of the /AV, /CV, or /RV options together in the same command line returns an error. /SHOWLOG Update and display the contents of SCAN.LOG. Stores the time and date Scan is being run by updating or creating a file called SCAN.LOG in the current directory, and shows you the date and time of previous scans that have been recorded in the SCAN.LOG file using the /LOG switch. The SCAN.LOG file contains text and some special formatting. To pause when the screen fills with messages, specify the /PAUSE option. Using VirusScan (Version 2.2) 46 /SUB Scan subdirectories. By default, when you specify a directory to scan rather than a drive, Scan will examine only the files it contains, not its subdirectories. Use /SUB to scan all subdirectories inside any directories you've specified. Do not use /SUB if you are scanning an entire drive. /VIRLIST Display the contents of SCAN.DAT. Shows you the name and a brief description of the viruses that VirusScan detects. To pause when the screen fills with messages, specify the /PAUSE option. Use /VIRLIST alone or with /PAUSE on the command line. You can save the list of virus names and descriptions to a file by redirecting the output of the command. For example, in DOS: scan /virlist > filename.txt CLEANING VIRUSES Although /CLEAN removes many viruses and restores normal operation, viruses can be harmful and insidious, and no anti-virus program can undo all their damage. Usually, between 10% and 20% of all viruses corrupt the files they infect, making them unrecoverable. If the file is infected with an uncommon virus that /CLEAN can't remove, Scan notifies you and identifies the filename. Note this filename so that you know what to restore from a backup diskette or tape. If you use both the /CLEAN and the /DEL options, Scan will first attempt to repair an infected file and, if the file is damaged beyond repair, Scan will delete it. Deleted files are not recoverable except from backups. Some viruses damage or overwrite program (.EXE) files or overlay files. Removing the virus can truncate the file or otherwise render it inoperable. Others, like the common virus Stoned, infect the master boot record (MBR). On systems partitioned with programs other than DOS (such as Disk Manager and SpeedStor), removing the virus can cause loss of the master boot record (MBR) and all data on the disk, if done improperly. Using VirusScan (Version 2.2) 47 BASIC PRINCIPLES TO MINIMIZE DAMAGE These considerations lead to the three important principles: NOTE: Before running Scan with the /CLEAN option, back up all of your programs and data. Of course, this works best if you back up your files regularly, so that you can restore your files from a backup made before your system was infected. But even a backup from an infected system can be useful for restoring data, because most viruses do not corrupt data. If a program no longer runs after being cleaned, replace it from the original disk or from a virus-free backup. 1. When disinfecting an infected system, it is important to start from a "sterile field," as described in Chapter 2. 2. Before running Scan with the /CLEAN option for DOS, restart your computer from a clean, write-protected diskette; before running it for OS/2, close all DOS and Win-OS/2 sessions. Preferably, use the clean anti-virus start-up diskette you created in "Making a clean start- up diskette" in Chapter 2. And, because running any program can spread the infection: 3. Do not run any programs, including Windows, before running Scan /CLEAN. Run Scan /CLEAN from DOS instead of Windows. Exit completely from Windows. Do not run Scan /CLEAN from within a DOS window. IMPORTANT: If you are at all unsure about how to proceed once you've found a virus, contact McAfee technical support, or your local authorized agent, for assistance (see "Technical support" in Chapter 1). We strongly recommend that you get experienced help in dealing with viruses if you are unfamiliar with anti-virus software and methods. This is especially true for "critical" viruses and master boot record (MBR) /boot sector infections, because improper removal of these viruses can result in the loss of all data and use of the infected disks. Using VirusScan (Version 2.2) 48 RUNNING SCAN TO CLEAN UP INFECTIONS PREPARATION Before running Scan to clean up infections: 1. Clear the virus from system memory and prevent reinfection: o With DOS or Windows, turn off your PC, then restart from a clean start-up diskette, preferably the anti-virus diskette you prepared in "Making a clean start-up diskette" in Chapter 2. o With OS/2, close all DOS and Win-OS/2 sessions. o With an OS/2 dual-boot system infected by a boot sector virus (like Form, or others identified by Scan), boot (start up) OS/2 first, delete the BOOT.DOS file from the \OS2 directory, and then boot DOS to create a new, virus-free DOS boot sector file. 2. Run the Scan program to locate and identify the infections. 3. Back up the files on the infected disks (be sure not to overwrite any previous backups). 4. Repeat Step 1. 5. Run the Scan program with the /CLEAN option to remove infections. NOTE: Don't run any programs, including Windows, before running Scan /CLEAN. If you have Windows, run Scan /CLEAN from DOS. NOTE: When disinfecting a hard disk, always run Scan /CLEAN from a write-protected diskette to prevent infection of the Scan program. When disinfecting diskettes, make sure there is no active virus in memory before running Scan from your hard disk. SUCCESSFUL AND UNSUCCESSFUL RESULTS Scan /CLEAN reports the results of its attempt to remove the virus from each infected file. If a file has several infections, it will report on each. Using VirusScan (Version 2.2) 49 IF VIRUSES WERE NOT REMOVED If Scan can't remove a virus, you'll see a message like: Virus cannot be safely removed from this file. Make sure to take note of the file name, because you will need to restore it from backups. If you have any questions about how to proceed, contact McAfee technical support or your local authorized agent (see "Technical support" in Chapter 1). IF VIRUSES WERE SAFELY REMOVED, RESCAN AND CHECK DISKETTES If Scan /CLEAN has successfully removed all the viruses, turn your computer off again and restart from the system disk. Scan your hard disks again to make sure they are virus-free. If you suspect that your system was infected from a diskette, run Scan from your hard disk to examine and disinfect the diskettes you use. Using VirusScan (Version 2.2) 50 EXAMPLES These examples show different option settings. In OS/2, remember to use OS2SCAN instead of SCAN. scan c: Scan all executable files on drive C. scan f: Scan all standard executable files on drive F, a network drive. scan c: /adl /adn Scan all local and network drives (including CD-ROM and PCMCIA drives but not diskettes). scan f: g: h: /del /all Scan all files on drives F, G, and H, and delete any infected files found. scan c: d: e: /av /all Scan for viruses in all files and add validation codes to executable files on drives C, D, and E. scan m: /report c:infectn.rpt /rptcor /rpterr /append Scan for viruses on network drive M: and create a log file of infections, corruptions, and errors in the file INFECTN.RPT on drive C. This will overwrite C:INFECTN.RPT, if it exists. scan e:\user\jake e:\user\daisy e:\user\nick /sub Scan all subdirectories inside the directories USER\JAKE, USER\DAISY, and USER\NICK on drive E. scan c: d: e: /fast /cv Quickly scan drives C, D, and E, and report any executable files that have associated validation codes and have been modified. scan c:\command.com Scan a single file. scan c: d: /clean Scan drives C and D and remove infections. Using VirusScan (Version 2.2) 51 ERROR LEVELS After Scan has finished running, it sets the ERRORLEVEL. You can use the ERRORLEVEL in batch files to take different actions based on the results of the scan. See your DOS operating system documentation for more information. Scan returns the following ERRORLEVELs: ERRORLEVEL Description 0 No errors occurred and no viruses were found. 1 Error occurred while accessing a file (reading or writing). 2 A VirusScan database (*.DAT) file is corrupted. 3 An error occurred while accessing a disk (reading or writing). 4 An error occurred while accessing the file created with the /AF option; the file has been damaged. 5 Insufficient memory to load program or complete operation. 6 An internal program error occurred. 7 An error in accessing an international message file (MCAFEE.MSG). 8 A file required to run VirusScan, such as SCAN.DAT, is missing. 9 Incompatible or unrecognized option(s) or option argument(s) were specified in the command line. 10 A virus was found in memory. 11 An internal program error occurred. 12 An error occurred while attempting to remove a virus, such as no CLEAN.DAT file found, or VirusScan was unable to remove the virus. 13 One or more viruses was found in the master boot record, boot sector, or file(s). 14 The SCAN.DAT file is out of date; upgrade VirusScan data files. Using VirusScan (Version 2.2) 52 15 VirusScan self-check failed. It may be infected or damaged. 16 An error occurred while accessing a specified drive or file. 17 No drive, directory or file was specified; nothing to scan. 18 A validated file has been modified (/CF or /CV options). 20 /FREQUENCY option in use 21-99 Reserved. 100+ Operating system error; Scan adds 100 to the original error number. Using VirusScan (Version 2.2) 53 APPLICATION NOTE 1 UPDATING VALIDATION CODES If you install any new software or programs on your system, including a new version of DOS, and are running Scan or VShield with the /CF (preferred) or /CV validation options, you need to install validation codes for the new files with Scan's /AF (preferred) or /AV options. The quickest way to update the validation codes is to remove all validation codes from the hard disk and then add them back. In other words, first run Scan with the /RF or /RV option, then run it again with the /AF or /AV option. APPLICATION NOTE 2 REFORMATTING INFECTED DISKETTES WITH DOS 5.0 AND LATER When reformatting infected diskettes using DOS 5.0 and later versions, be sure to add the /U switch to the FORMAT command. This tells DOS to do an unconditional format of the diskette, without saving the original infected boot sector. This is necessary to erase certain infections, and will prevent reinfection by unformatting the diskette. Using VirusScan (Version 2.2) 54 TECHNICAL NOTE 1 CREATING AN EXCEPTION LIST FILE FOR THE /EXCLUDE OPTION If you set up validation codes using Scan's /AV option, subsequent scans using the /CV option will detect changes in executable files. This can generate false alarms if the executable files are self-modifying or self-checking (most programs that do this will tell you to turn off your anti-virus software before running them; some of these files are listed below). Therefore, use the /EXCLUDE option in conjunction with /AV to identify such files and exclude them from the validation. The exception list is an ASCII or DOS text file. If you use a word processor to create it, be sure to save the file as ASCII or DOS Text. Each line in the file contains the path and file name of one file that should not be validated. Here is an example: c:\clipper\bin\clipper.exe c:\123\123.com c:\fox\foxprolx.exe c:\dos\setver.exe c:\pkware\pklite.exe c:\pkware\pkzip.exe c:\pkware\pkunzip.exe c:\semware\q.exe c:\swapvol.com c:\wordstar\ws.exe Using VirusScan (Version 2.2) 55 CHAPTER 4: VSHIELD REFERENCE VirusScan's VShield(TM) is a memory-resident program that helps to prevent virus infection. It complements the Scan virus detection program as part of your computer security plan. While Scan lets you check areas on disks for viruses, the VShield program checks these areas automatically as they load into your computer's memory. This ensures that you don't "catch" any new viruses while you're working on your computer. VShield does this by remaining in memory and: o Checking master boot records (MBRs), boot sectors, system files, and itself for viruses when you turn on or reset ([Ctrl]+[Alt]+[Del]) your machine. o Checking program files for viruses as your computer executes them. o Checking files for viruses as you copy them (optional). o Checking for viruses whenever your computer accesses a disk (optional). Follow the instructions in Chapter 2 or Appendix A to install VShield. You can modify your AUTOEXEC.BAT file so that VShield loads into memory every time you turn on your computer. If VShield finds a virus, you will hear three beeps and see a message like: Found the Jerusalem Virus in memory If that happens, don't panic. Turn to Chapter 3 to find out how to use the Scan program to get rid of the virus. If you need additional help, contact McAfee (see "Technical support" in Chapter 1). NOTE: There is one way to infect your computer that VShield cannot prevent--only you can. Never accidentally start your computer from an unknown diskette. That's how 80% of all viruses are passed! VShield checks diskettes if you warm boot, but cannot check them when you cold boot. Always make sure your diskette drives are empty before you turn your computer on. Using VirusScan (Version 2.2) 56 VShield runs under DOS, Windows, and OS/2 Virtual DOS Machine and WIN-OS/2 sessions. The program file is VSHIELD.EXE. The file called VSHLDWIN.EXE allows VShield to display messages from within Windows. The install program adds this icon to your WIN.INI file automatically, or you add it manually using the instructions in Appendix A. If you need to conserve memory on your system, you can use VShieldCRC, a version of VShield that offers fewer protection options but requires less memory. The program file is VSHLDCRC.EXE. A companion program called CheckVShield checks whether either VShield or VShieldCRC is loaded in memory. The program file is CHKVSHLD.EXE. CheckVShield is especially useful for network administrators who want to ensure that everyone who logs on to the network is running VShield. All of these related programs are included in your VirusScan disk and described in this chapter. DO YOU NEED TO READ THIS CHAPTER? Many users will not need the VShield options described in this chapter. We have designed VShield so that basic operation--achieved by simply installing it in memory as described in Chapter 2--provides a high degree of protection for most users. The options here offer additional power and control for virus detection, and are most useful in vulnerable or memory-scarce environments and to network administrators and information systems staff. See "Four levels of protection" and the table "Deciding which options are for you" later in this chapter for help in deciding how to use VShield. SYSTEM REQUIREMENTS AND PERFORMANCE VShield is a terminate-and-stay-resident (TSR) program, which remains in memory while you run other programs. VShield tries to optimize memory usage and minimize conflicts with other TSRs. By default, VShield tries to conserve as much conventional memory as possible. If you have only 640Kb or less memory in your system, VShield requires minimal conventional memory. By using the /SWAP option, you can reduce this to only 8Kb of conventional memory, although this will decrease VShield's speed. Using VirusScan (Version 2.2) 57 If you have more than 640Kb, VShield tries to load as much of itself as possible above conventional memory: first into expanded memory (EMS), into extended memory (XMS), then into upper memory blocks (640Kb to 1024Kb, or UMB). If you have sufficient high memory available, VShield or VShieldCRC use no conventional memory. After VShield loads, you'll see a message that describes where VShield loaded into memory and how much memory it uses. You can control how VShield loads by using the /NOUMB, /NOEMS, and /NOXMS options, as described later in this chapter. NOTE: VShield might require slightly more memory as SCAN.DAT and NAMES.DAT grow to include more viruses. VShield adds a small amount of time to program loads and reboots. Performance will vary, depending on your system. The /SWAP option adds more time, because VShield must reload from disk to check files. VShieldCRC adds an average of one second to each program load. Once programs have been loaded, VShield does not degrade the performance of your system. Programs that load other files may run more slowly when you use the /FILEACCESS or /ANYACCESS options, because these options cause VShield to scan files whenever they are accessed, not just when they are executed. Using VirusScan (Version 2.2) 58 FOUR LEVELS OF PROTECTION You can think of VShield as providing four levels of protection. You can use VShield's options to customize it for the level of protection you need. Level II meets the protection needs of most systems. Level I protection is appropriate for users who have very little memory available on their systems. It provides only minimal protection. For Level I protection, first use Scan with the /AF or /AV option to add validation codes. Then, install VShieldCRC instead of VShield. VShieldCRC can inform you that a file has not been certified, a file has been modified, a file size has changed, or a file has not been added to the validation file. VShieldCRC will not prevent infection, nor will it tell you when you have a known virus. Use Scan instead to detect viruses, as described in Chapter 3. See "Using VShieldCRC" later in this chapter for instructions. Level II protection is appropriate for most users. It will protect you from most viruses whether you have run Scan or not. For Level II protection, install VShield according to "Running VShield" later in this chapter. When loading, VShield checks memory automatically for viruses. Once resident in memory, VShield checks master boot records (MBRs), boot sectors, and program files (when executed) for virus signatures. Level III protection is appropriate for computers that are used by many people, as in an open-use computer lab, or onto which you frequently load files from public sources. Level III protection checks for both validation codes and virus signatures, incorporating both Level I and Level II protection. For Level III protection, first use Scan with the /AF {filename} option, then use VShield with the /CF {filename} option. The /AF option logs recovery and validation data for program files (but not the boot sector or the master boot record) to a file you specify. The /CF option tells VShield to check against that log. See "Scan Reference" in Chapter 3 for instructions. Using VirusScan (Version 2.2) 59 Level IV protection is for environments where security is extremely important and new software is seldom introduced. It combines Level III protection with access control, specifying that only programs known to be safe can be run. For Level IV protection, run VShield with the /CERTIFY option. See the "VShield option descriptions" later in this chapter for details about /CERTIFY. NOTE: VShield has many optional features that you might use at any protection level. See the table "VShield option summary" later in this chapter to see these options. Using VirusScan (Version 2.2) 60 RUNNING VSHIELD VShield checks programs, the master boot record (MBR), boot sector, system files, and itself for virus signatures, the pattern of code unique to each virus. If VShield finds an infection, it prevents programs from running. It also prevents warm boots ([Ctrl]+[Alt]+[Del]) from infected disks. You can use options to control and fine-tune the scope, validation parameters, and operation of the VShield's checks. To use VShield with options, use the following syntax: vshield [options] [options] indicates one or more options described in the table in the next section. NOTE: Don't enter the square braces, which indicate that what's within them is optional. Because systems and environments differ, VShield gives you a choice of options. Consider the mixture of safety, performance, and maintenance that meets your needs, then choose the combination of options that works best. When you run VShield for the first time, VShield uses the virus information contained in SCAN.DAT and NAMES.DAT to creates a new file, VSHIELD.DAT, in the program directory. The VSHIELD.DAT file contains virus information in a format that is optimized for VShield operation. Thereafter, when you install an updated version of SCAN.DAT, VShield updates VSHIELD.DAT automatically with any new virus information it finds in SCAN.DAT. Using VirusScan (Version 2.2) 61 DOS You can add VShield to your AUTOEXEC.BAT file so it is activated every time you turn on your computer. You can put VShield at the end of AUTOEXEC.BAT. In most cases this is OK. However, using a text editor, 1. Check the placement of the VShield command line in the AUTOEXEC.BAT file. o VShield must be run before any menu programs, such as Windows, MS-DOS's DOSSHELL or Norton Commander, or it will not be loaded. o If AUTOEXEC.BAT loads any network drivers, keyboard drivers, disk caching programs, drive compression programs, or custom disk drivers, VShield must be run both before and after them. These kinds of programs disable VShield. The second time VShield is loaded, use only the /RECONNECT option, as described later in this chapter. 2. If necessary, move the line that loads VShield. 3. Add the VShield options of your choice to the command line. WINDOWS When you install VShield, you can add the VShield command line to your AUTOEXEC.BAT file. If you used the install program or the instructions in Appendix A, your WIN.INI file was modified to include VSHLDWIN.EXE, which allows VShield to display messages under Windows. However, you may need to change your Windows configuration for VShield to run properly. To do so, follow these steps. If you need help with this procedure, see your Windows documentation, or you can contact McAfee (see "Technical support" in Chapter 1). Using VirusScan (Version 2.2) 62 1. Follow the instructions for DOS users in the previous section. 2. Start Windows. 3. In the Control Panel, configure Windows to run in 386 enhanced mode. 4. Load Windows. You will see the VShield icon on your desktop. If VShield finds or suspects a virus, you'll see a warning message. Choose OK to close the message dialog. Double-clicking the VShield icon only displays a message confirming whether VShield is loaded. OS/2 Because OS/2 is a protected environment, you need VShield only during Virtual DOS Machine (VDM) and WIN-OS2 sessions. When you install it, you can add VShield to AUTOEXEC.BAT so it is activated every time you start a VDM or WIN-OS/2 session. If your start-up batch file is not AUTOEXEC.BAT, edit your start-up batch file to include VShield. For example: [C:\] vshield /fileaccess NOTE: See "/FILEACCESS," an option we recommend using with OS/2, later in this chapter. Using VirusScan (Version 2.2) 63 SPECIAL INSTRUCTIONS FOR NETWORK ADMINISTRATORS You have many options for setting up VShield on a network. The table "Deciding which options are for you" later in this chapter lists options that apply in network environments. If you need assistance in choosing the best configuration for your network, contact McAfee (see "Technical support" in Chapter 1). If you run VShield from a network drive, flag VSHIELD.EXE as EXECUTE ONLY, READ ONLY, and SHAREABLE. If you run VShield from clients' local drives (optimal): o Edit all clients' AUTOEXEC.BAT files to load VShield, with the options that are appropriate for your environment, before any other drivers are loaded. o Add VShield with the /RECONNECT option to the AUTOEXEC.BAT or the network login script, after the network drivers are loaded. See /RECONNECT, later in this chapter, for more information. o Run CheckVShield from the login script. CheckVShield returns a DOS ERRORLEVEL that you can use in batch files to check and update VShield. For an example of using CheckVShield, see "Technical note 2: Sample NetWare login script and .BAT file" later in this chapter. Using VirusScan (Version 2.2) 64 VSHIELD OPTION SUMMARY DOS-OS/2 option Description /? or /HELP Display a list of valid VShield command line options. /ANYACCESS Scan the boot sector whenever a diskette is accessed (read and write); scan executables; scan any newly created files. /BOOTACCESS Scan the boot sector for viruses whenever a diskette is accessed (including read and write). /CERTIFY Prevent files without validation codes from running. /CF {filename} Check for viruses using recovery and validation data stored by Scan /AF in the specified {filename}. /CONTACT {message} Display specified message when a virus is found. /CONTACTFILE {filename} Display message stored in {filename} when a virus is found. /CV Check validation codes added to files by Scan. /EXCLUDE {filename} Don't check files listed in {filename} for validation codes (used with /CV). /FILEACCESS Scan executable files when they are accessed on a diskette, but don't check the boot sector. /IGNORE {drive(s)} Don't check programs loaded from the specified drive(s). /LOCK Halt the system when a file that is infected loads and attempts to execute. /NOEMS Prevent VShield from loading into expanded memory (EMS). /NOMEM Don't check memory for viruses. Using VirusScan (Version 2.2) 65 /NOREMOVE Prevent VShield from being removed from memory with the /REMOVE switch. /NOUMB Prevent VShield from loading into upper memory blocks (UMB). /NOWARMBOOT Don't check the diskette boot sector for viruses during warm boot ([Ctrl]+[Alt]+[Del]). /NOXMS Prevent VShield from using extended memory (XMS) when it loads. /ONLY {drive(s)} Check programs loaded only from the specified drive(s). /POLY Check for polymorphic viruses. /RECONNECT Restore VShield after certain drivers or TSRs have disabled it. /REMOVE Unload VShield from memory. /SAVE Save the command line options to the VSHIELD.INI file. /SWAP [pathname] Load VShield kernel (8Kb) only; swap the rest to pathname. Using VirusScan (Version 2.2) 66 VSHIELD OPTION DESCRIPTIONS /? or /HELP Use this option to display a brief description of valid VShield command line options. /ANYACCESS Checks the diskette boot sector and all files for viruses whenever a diskette is accessed by a read or write operation, such as a DIR or COPY command, and when a program on the diskette is opened, read, updated, or executed. /ANYACCESS prevents execution if a program file is infected. It also checks any new files created, such as with a copy command, regardless of the file's extension. This is the highest level of protection against viruses that infect boot sectors. Using /ANYACCESS with either /BOOTACCESS or /FILEACCESS in the same command line returns an error message. NOTE: The /ANYACCESS switch is not recommended for use with DOS and WIN-OS/2 sessions under OS/2 due to certain low-level operating system incompatibilities between OS/2 and DOS. Use the /FILEACCESS switch instead. /BOOTACCESS Checks the boot sector of a diskette for viruses whenever a diskette is accessed by a read or write operation, such as the DIR or copy commands. By default, VShield checks programs when they execute, but does not check the boot sector of the diskette for viruses. Using /BOOTACCESS with /ANYACCESS in the same command line returns an error message. NOTE: This option does not work from within Windows File Manager. For virus-checking within Windows, use the /FILEACCESS or /ANYACCESS switch instead. Using VirusScan (Version 2.2) 67 /CERTIFY Prevents programs from running if they do not have Scan validation codes. Use it in high- security environments to prevent clients from running programs that have not been scanned. To use /CERTIFY, first run Scan with the /AF or /AV option, as described in Chapter 3. Then, use VShield with the /CERTIFY option and either the /CF or /CV option (either is required), such as: vshield /certify /cf c:\mcafee\recvalch.sav Some programs, such as Lotus 1-2-3, contain self- modifying code and do not work correctly with validation codes attached. You may create an exception list of files to exclude from validation. For instructions, refer to "Technical note 1: Creating an exception list for the /EXCLUDE option" later in this chapter. /CF {filename} Checks validation data stored by Scan's /AF {filename} option, where {filename} is the name of the validation data file created by Scan. If a file or system area has changed, VShield reports that a viral infection may have occurred. In this example: vshield /cf c:\mcafee\valcodes.dat /noems VShield looks in the VALCODES.DAT file for validation data. For instructions on using Scan /AF to add validation codes, see "Scan option descriptions" in Chapter 3, and "Detecting new and unknown viruses" in Chapter 5. Using VirusScan (Version 2.2) 68 /CONTACT {message} Displays a custom message when a virus is found. This message is displayed in addition to all other VShield messages. Use /CONTACT to let network users know what to do if VShield finds a virus. The message can be up to 50 characters long, and can contain any character except a backslash " \ ". Place messages starting with a hyphen " - " or slash " / " in quotation marks. If your message is longer than 50 characters or you want to store the message text in a file, use /CONTACTFILE instead. Using /CONTACT and /CONTACTFILE in the same command line returns an error message. /CONTACTFILE {filename} An alternative to the /CONTACT option, /CONTACTFILE identifies a file that contains the message string to display when a virus is found. This option is especially useful in network environments, because you can easily maintain the message text in a central file rather than changing the command line in the AUTOEXEC.BAT file on each workstation. If your message is 50 characters or fewer, you can use /CONTACT instead. Using /CONTACT and /CONTACTFILE in the same command line returns an error message. /CV Checks validation codes added by Scan with the /AV option. If a file has changed, VShield reports that the file has been modified and a viral infection may have occurred. You can specify the /EXCLUDE option to exclude a list of files from validation checking. For instructions on using Scan to add validation codes, see "Scan option descriptions" in Chapter 3, and "Detecting new and unknown viruses" in Chapter 5. Using VirusScan (Version 2.2) 69 /EXCLUDE {filename} Excludes files listed in {filename} from validation when using /CV. For more information on this, see "Technical note 1: Creating an exception list for the /EXCLUDE option" later in this chapter. /FILEACCESS Checks standard executable files whenever the file is accessed or executed, and prevents execution of infected programs. Checks all files when accessed by a read or write operation. Using /ANYACCESS in the same command line with /FILEACCESS returns an error message. NOTE: We recommend always using /FILEACCESS with OS/2. 1 For VShieldCRC, /FILEACCESS checks files only if they have been validated with the /AF or /AV options. /IGNORE {drives} Omits checking program loads from the specified drives, as shown in the following example: vshield /ignore t: y: w: Use /IGNORE or /ONLY to speed up VShield by excluding secure, virus-free network drives from virus checking. You can specify up to 26 drives. See also /ONLY, described later in this section. Using /IGNORE and /ONLY in the same command line returns an error message. /LOCK Halts the system to stop further infection if VShield finds a virus. /LOCK is appropriate in highly vulnerable network environments, such as open-use computer labs. If you use /LOCK, use /CONTACT or /CONTACTFILE to tell users what to do or whom to contact if a virus is found and the system locks up. Using VirusScan (Version 2.2) 70 /NOEMS Prevents VShield from using expanded memory (LIM EMS 3.2) when it loads. This ensures that EMS is available exclusively to other programs. /NOMEM Skips the memory check for viruses when VShield loads. Using /NOMEM improves performance slightly, but use it only if you are absolutely sure that your system is virus-free. /NOREMOVE Prevents VShield from being removed from memory with the /REMOVE option in a subsequent VShield command. When you load VShield with the /NOREMOVE option, subsequent loads with the /REMOVE option will have not effect. Your network will be more secure if users cannot remove VShield, but this option may prevent users from solving memory limitations or conflicts. /NOUMB Prevents VShield from loading into the upper memory block (UMB, 640Kb to 1024Kb). This ensures that the UMB is available exclusively to other programs. /NOWARMBOOT Omits checking the diskette boot sector during a warm boot ([Ctrl]+[Alt]+[Del]). /NOXMS Prevents VShield from using extended memory when it loads. This ensures that XMS is available exclusively to other programs. Using VirusScan (Version 2.2) 71 /ONLY {drive(s)} Checks program loads only from the specified drive(s), ignoring all other drives, as shown in the following example: vshield /only c: f: k: Use /IGNORE or /ONLY to speed up VShield by excluding secure, virus-free network drives from virus checking. You can specify up to 26 drives. See also /IGNORE, earlier in this chapter. Using /ONLY and /IGNORE in the same command line returns an error message. /POLY Checks for polymorphic viruses, which are viruses that attempt to evade detection by changing their internal structure or encryption techniques. Otherwise, VShield does not check for polymorphic viruses. Using /POLY on the same command line as /FILEACCESS, /ANYACCESS, /BOOTACCESS, or /SWAP returns an error. /RECONNECT Restores VShield's links into DOS after another program has disabled it, such as a network driver, keyboard driver, custom disk driver, drive compression program, or disk caching program. These types of programs replace the normal DOS system interrupts so that VShield no longer recognizes program loads. After the lines in your AUTOEXEC.BAT file (or network login script) that load these programs, add this command line to restore VShield: vshield /reconnect /REMOVE Unloads VShield from memory. You may want to do this temporarily if you are running out of memory for programs. For best results, try using VShield with the /SWAP option first. Use /REMOVE only as a last resort. Using VirusScan (Version 2.2) 72 NOTE: /REMOVE will not work if other memory- resident programs were loaded after VShield, or if VShield was loaded previously with the /NOREMOVE option. /SAVE Stores the VShield options you specify as the defaults in VSHIELD.INI. In the following example, /SAVE saves the /CONTACTFILE N:\MSGFILE as the default setting: vshield /contactfile n:\msgfile /save To remove custom options and return to VShield's original defaults, use the /SAVE option alone: vshield /save /SWAP [pathname] Installs a small (8Kb) kernel of VShield in memory that loads the rest of VShield from disk on demand. Specify a pathname only if you want VShield to swap to a path other than the directory where VShield resides. Use /SWAP only if you have very little memory available, but require a high assurance of safety. /SWAP will slow down your system and may cause conflicts with programs that fail to allocate memory properly. If you don't have enough memory to load VShield without swapping, consider using VShieldCRC instead. We do not recommend storing the swap file on a network path because, if the workstation disconnects from the network, the workstation will lock. Using VirusScan (Version 2.2) 73 DECIDING WHICH OPTIONS ARE FOR YOU Because systems and environments differ, VShield gives you a choice of options. Consider the mixture of safety, performance, and maintenance that meets your needs, then choose the combination of options that works best. REQUIREMENT │ OPTION │ COMMENTS ══════════════════╪══════════════╪══════════════════════════════ More complete │ /ANYACCESS │ Highest protection against protection, any │ │ infected diskettes; checks environment │ │ for viruses whenever a dis- │ │ kette or files are accessed. ├──────────────┼────────────────────────────── │ /FILEACCESS │ Next highest protection │ │ against infected diskettes; │ │ checks for viruses whenever │ │ a standard file is accessed. ├──────────────┼────────────────────────────── │ /BOOTACCESS │ Of the three, lowest │ │ protection against infected │ │ diskettes; checks for │ │ viruses in boot sector when │ │ a diskette is accessed. ├──────────────┼────────────────────────────── │ /POLY │ Used to check for │ │ polymorphic viruses. ──────────────────┼──────────────┼────────────────────────────── More complete │ /CERTIFY │ Use with /CF {filename} or protection, │ │ /CV and an exception list. stable software ├──────────────┼────────────────────────────── environment │ /CF │ Use /CF or /CV. Of the two, │ │ /CF is recommended. ├──────────────┼────────────────────────────── │ /CV │ Use /CF or /CV. ──────────────────┼──────────────┼────────────────────────────── Network or multi- │ /CONTACT │ Use this (or /CONTACTFILE) user environments │ │ to tell users what to do │ │ when a virus is found. ├──────────────┼────────────────────────────── │ /CONTACTFILE │ Use this (or /CONTACT) to │ │ tell users what to do when │ │ a virus is found. ├──────────────┼────────────────────────────── │ /IGNORE │ Use this (or /ONLY) to │ │ skip virus-free drives. ├──────────────┼────────────────────────────── │ /LOCK │ Use with /CONTACT or │ │ /CONTACTFILE {filename}. ──────────────────┴──────────────┴────────────────────────────── Using VirusScan (Version 2.2) 74 ──────────────────┬──────────────┬────────────────────────────── For network │ /NOREMOVE │ Prevents VShield from environments │ │ being removed from memory. (continued) ├──────────────┼────────────────────────────── │ /ONLY │ Use this (or IGNORE) to check │ │ only vulnerable drives. ├──────────────┼────────────────────────────── │ /RECONNECT │ Required if network drivers │ │ are loaded after VShield. ──────────────────┼──────────────┼────────────────────────────── Faster │ /NOMEM │ Only use on a virus-free performance │ │ computer. any environment ├──────────────┼────────────────────────────── │ /NOWARMBOOT │ Omits checking the boot │ │ sector after a warm boot. ──────────────────┼──────────────┼────────────────────────────── Manage memory, │ /NOEMS │ Use when other programs need any environment │ │ exclusive use of EMS memory. ├──────────────┼────────────────────────────── │ /NOUMB │ Use when other programs need │ │ exclusive use of UMB memory. ├──────────────┼────────────────────────────── │ /NOXMS │ Use when other programs need │ │ exclusive use of XMS memory. ├──────────────┼────────────────────────────── │ /NOREMOVE │ Use to ensure that VShield │ │ remains in memory. ├──────────────┼────────────────────────────── │ /REMOVE │ May temporarily solve memory │ │ conflicts. ├──────────────┼────────────────────────────── │ /SWAP │ Use in environments with very │ │ limited memory. ══════════════════╧══════════════╧══════════════════════════════ Using VirusScan (Version 2.2) 75 EXAMPLES The following examples show different option settings: vshield Activates VShield (Level II protection). vshield /cv Activates VShield (Level III protection), if you have previously run SCAN /AV. vshield /certify /cf c:\valcodes.dat Activates VShield (Level IV protection) and checks a recovery and validation data file created when running Scan with the /AF option. vshield /swap Activates VShield kernel in memory and swaps from the directory in which VShield resides. vshield /cv /exclude c:\excption.lst /contact "Call the PC Help Desk!" Activates VShield (Level III protection), ignores checking files in the EXCPTION.LST files, and displays a message if a virus is found. vshield /reconnect Re-enables VShield after it has been disconnected by network device drivers. Using VirusScan (Version 2.2) 76 ERROR LEVELS When VShield loads, it sets the DOS ERRORLEVEL. You can use the returned ERRORLEVEL in AUTOEXEC.BAT or other batch files to take different actions based on whether VShield has loaded in memory. See your DOS manual for more information. VShield returns these ERRORLEVELs: ERRORLEVEL/Description 0 VShield successfully loaded in memory with all options operational. 9 VShield not loaded correctly. Abnormal termination (program error). VShield alerts you to problems by beeping once for system errors, twice for validation errors (/CF or /CF checking), or three times if a virus is found. Using VirusScan (Version 2.2) 77 USING VSHIELDCRC For Level I protection on systems with limited memory, use VShieldCRC instead of VShield. VShieldCRC is a separate program that consumes little system overhead, but is not recommended for normal use because it provides only minimal protection. VShieldCRC can inform you that you have been infected with a virus, but it does not check for virus signatures nor does it prevent infection. To use VShieldCRC, first use Scan with the /AF or /AV option. VShieldCRC checks the validation codes added by Scan. It also checks the master boot record (MBR) and boot sector validation codes, if present. See Chapter 3 for instructions on using Scan. To load VShieldCRC with options, use the following syntax: vshldcrc [options] [options] include the options listed in the table "VShieldCRC option summary" later in this chapter. For more information on all options except /LOGFILE, see "VShield option descriptions" earlier in this chapter. EXAMPLES vshldcrc Activates VShieldCRC (Level I protection). vshldcrc /cf valcodes.dat Activates VShieldCRC and checks validation data stored in VALCODES.DAT, a file that was created using Scan with the /AF option. Using VirusScan (Version 2.2) 78 VSHIELDCRC OPTION SUMMARY /? or /HELP Display a list of valid VShieldCRC command line options. /CERTIFY Prevent files without validation codes from running. /CF {filename} Check for viruses using recovery and validation data stored by Scan /AF in the specified {filename}. /CONTACT {message} Display specified message when a virus is found. /CONTACTFILE {filename} Display message stored in specified {filename} when a virus is found. /CV Check validation codes added to files by Scan. /EXCLUDE {filename} Don't check files listed in {filename} for validation codes (used with /CV). /FILEACCESS Scan only validated executable files when accessed, but don't check boot sector. Prevent infected programs from running. /IGNORE {drive(s)} Don't check programs loaded from specified drive(s). /LOCK Halt the system when a file that is not certified attempts to load and execute. /LOGFILE {filename} Write error information to {filename}. /NOREMOVE Prevent VShieldCRC from being removed from memory with a subsequent VShieldCRC command using /REMOVE. /NOUMB Prevent VShieldCRC from using upper memory blocks (UMB) when it loads. /ONLY {drive(s)} Check programs loaded only from the specified drive(s). /REMOVE Unload VShieldCRC from memory. Using VirusScan (Version 2.2) 79 USING CHECKVSHIELD CheckVShield allows network administrators to make sure that workstations are running VShield or VShieldCRC before users can log onto a network. See "Technical note 2: Sample NetWare login script and .BAT file" later in this chapter for a sample Novell NetWare login script using CheckVShield. To load CheckVShield with options, use the following syntax: chkvshld [option(s)] [option(s)] include: /? and /HELP Display a list of valid CheckVShield command line options. /DEBUG Displays the version of VShield or VShieldCRC resident in memory and the DOS ERRORLEVEL on the screen. /QUIET Suppresses CheckVShield messages (quiet mode) so users don't see the messages. /V "xxxxx" Tells CheckVShield to look for a specific version (2.00 or higher) of VShield or VShieldCRC in memory. For example, /v "2.00" for VShield 2.00. EXAMPLE chkvshld /quiet Checks for VShield or VShieldCRC in memory and suppresses messages. Using VirusScan (Version 2.2) 80 ERROR LEVELS When CheckVShield runs, it sets the DOS ERRORLEVEL. Use the ERRORLEVEL in batch files to take different actions based on the results of CheckVShield's check. The ERRORLEVELs returned by CheckVShield are: ERRORLEVEL/Description 0 VShield or VShieldCRC is resident or, if /V is used, the version specified is resident in memory. 1 VShield or VShieldCRC is resident but does not match the version specified in the /V option. 2 VShield or VShieldCRC is not resident in memory. 3 Abnormal termination (program error). Using VirusScan (Version 2.2) 81 TECHNICAL NOTE 1: CREATING AN EXCEPTION LIST FOR THE /EXCLUDE OPTION VShield /CERTIFY permits a file to load only if: o It has been validated by Scan, or o It appears in the exception list file specified with the /EXCLUDE option, used in conjunction with /CV. If you do not validate any files and do not use an exception list, /CERTIFY will disable all programs other than DOS internal commands. The exception list file is an ASCII or DOS text file containing up to 1,024 characters. If you use a word processor to create it, be sure to save the file as ASCII or DOS Text. Each line in the file contains the path and filename of one file that should not be validated. Here is an example: c:\clipper\bin\clipper.exe c:\123\123.com c:\fox\foxprolx.exe c:\dos\setver.exe c:\pkware\pklite.exe c:\pkware\pkzip.exe c:\pkware\pkunzip.exe c:\semware\q.exe c:\swapvol.com c:\norton\ncache.exe c:\wordstar\ws.exe Using VirusScan (Version 2.2) 82 TECHNICAL NOTE 2 SAMPLE NETWARE LOGIN SCRIPT AND .BAT FILE Here is a sample system login script for use by Novell NetWare system administrators. The login script gets the ERRORLEVEL from CheckVShield and displays messages on the user's screen. If VShield is not loaded correctly, there is an internal error with CheckVShield, either VShield or VShieldCRC is not installed, or an older version of VShield is present, the script exits the user to a NOLOGIN.BAT file that logs him or her out. #REM REPLACE "XXX" WITH CURRENT VERSION NUMBER CHKVSHLD /V "VXXX" IF ERROR_LEVEL = "3" THEN FIRE PHASERS 5 TIMES WRITE "A CHKVSHLD internal error has occurred." WRITE "Please contact the Help Desk." #COMMAND /C NOLOGIN.BAT EXIT ELSE IF ERROR_LEVEL = "2" THEN FIRE PHASERS 5 TIMES WRITE "VShield has not been installed on your PC." WRITE "Access Denied. Please contact the Help Desk." #COMMAND /C NOLOGIN.BAT EXIT ELSE IF ERROR_LEVEL = "1" THEN FIRE PHASERS 5 TIMES WRITE "An old version of VShield has been installed." WRITE "Access to the network has been denied. Please" WRITE "contact the Help Desk to have a new version" WRITE "installed." #COMMAND /C NOLOGIN.BAT EXIT END END END You can create more complex login scripts to send a message to the supervisor if an error has occurred, update the user's VSHIELD.EXE as he or she logs in to the network, and so forth. Here is a sample of the NOLOGIN.BAT file called by the login script. ECHO OFF REM Log the user off of the network LOGOUT Using VirusScan (Version 2.2) 83 CHAPTER 5: TIPS & TROUBLESHOOTING The other chapters in this manual are meant to tell you clearly and concisely how to use the VirusScan software. Still, you may have questions or encounter confusing situations. This chapter contains two kinds of advice: o Tips for getting the most out of VirusScan. o Common problems and how to solve or avoid them. If this information doesn't help resolve your question or problem, contact McAfee (see "Technical support" in Chapter 1). TIPS DETECTING NEW AND UNKNOWN VIRUSES There are two ways of dealing with new and unknown viruses that may infect your system: o Update VirusScan regularly. o Store and check validation and recovery information about your files. UPDATE VIRUSSCAN REGULARLY Most likely, McAfee will see new viruses long before you do. We update the VirusScan programs often--usually monthly, but more often if many new viruses have appeared. Each new version may detect and eradicate as many as 60 to 100 new viruses or more, and may fix bugs that have been reported. Updating VirusScan regularly is probably all you need to do to protect against new viruses. See the instructions for obtaining new versions in "Updating VirusScan regularly" in Chapter 2. Using VirusScan (Version 2.2) 84 USE THE VALIDATION AND RECOVERY OPTIONS If your environment is highly vulnerable to viruses, or you require unusual security against them, you can use VirusScan's validation and recovery options. Scan checks for new or unknown viruses by comparing files against previously recorded validation data. If a file has been modified, it no longer matches the validation data, and Scan reports that the file may have become infected. Scan has two levels of validation, which are stored in two separate ways: o It can store the enhanced code in a separate recovery file, which can be stored off-line (for example, on a diskette) for recovery purposes (/AF, /CF, and /RF switches). This is the preferred method because it stores the data for files (but not the boot sector or the master boot record) in a separate recovery file. o It can append a simple 98-byte validation code to .COM and .EXE files (/AV, /CV, and /RV switches). This method applies to the files you specified only. It does not store data for the boot sector and master boot record (MBR). Once the validation codes are stored, both Scan and VShield can use the /CV and /CF options to detect changes to the files. More importantly, if you have stored the recovery information with /AF, Scan can use it to restore infected files. All of these options require continuing effort to store and maintain the codes. For example, if you install new programs or upgrade old ones, you should use the /RV or /RF options to remove all codes, then /AV or /AF to restore them. If you want to use one of these methods, which should you use? We recommend the "F" options--/AF, /CF, and /RF--over the "V" options. /AF stores the validation and recovery information in a separate file, instead of modifying the program files themselves. This has three advantages: Using VirusScan (Version 2.2) 85 o You can store the recovery file off-line (on your clean anti-viral startup diskette, for example, or on a network drive or tape drive) and access it on demand to check for, and recover from, infection by unknown viruses. Use the procedure below to create a recovery diskette. o This method keeps self-checking files (usually copy-protected programs) from reporting that they have been tampered with. o If you use this method, you don't need an exception list. However, it's important that you run Scan with the /RF option on individual self-modifying files, such as Lotus 1-2-3, to remove the validation codes for those programs from the validation file. The "V" options are primarily useful for companies that distribute software to their customers or employees, and want to incorporate an additional level of virus protection. Creating a recovery diskette To store the recovery file on the clean startup diskette you created in "Making a clean start-up diskette" in Chapter 2, temporarily remove write-protection from the diskette and insert it in drive A. Run Scan on your hard disks with the /AF option. For example: scan /adl /af a:\scancrc.crc scans the local hard disk drives for known viruses and creates SCANCRC.CRC, a file containing recovery data and validation codes, on the diskette. After Scan finishes, write- protect the diskette. To check for virus infection, turn your computer off, insert the recovery diskette in drive A, and turn the power back on. The PC will now start from the diskette. At the DOS prompt, type: scan /adl /cf a:\scancrc.crc to compare the local hard disk drives against the recovery data stored on the diskette in the SCANCRC.CRC file. Using VirusScan (Version 2.2) 86 If you detect an unknown virus, to disinfect your system, turn your PC off, insert the recovery diskette, and turn the power back on. The PC will start from the floppy disk. At the DOS prompt, type: scan /adl /cf a:\scancrc.crc /clean to restore local hard disk drives with the recovery data stored in SCANCRC.CRC on the diskette. If you install new software, or upgrade your DOS version, remember to update your recovery file. See "Application note 1: Updating validation codes" in Chapter 3. Using VirusScan (Version 2.2) 87 INTERACTING WITH YOUR NETWORK Many personal computers are interconnected through a local area network (LAN). VirusScan is highly compatible with most networks. Here are some ways of using the VirusScan software with your network: o Run Scan on network drives Run from a workstation (PC) on the network, Scan checks network drives for viruses just as it does local drives. For convenience, the /ADN option scans all network drives to which the workstation is connected. o Use VShield and CheckVShield By activating VShield as part of every workstation's AUTOEXEC.BAT file, you can prevent the workstations from introducing viruses into the network. Network administrators can ensure that VShield is active on each workstation by running CheckVShield as part of the network login script, before actual login. o Use NetShield provides continuous virus protection on a NetWare server. NetWare network administrators can use it to check for both known and unknown viruses and to monitor all network activities. On other kinds of networks, you can use Scan to check network servers. o Develop a network security program, as described in the next tip. Using VirusScan (Version 2.2) 88 DEVELOP A SECURITY PROGRAM VirusScan has been shown to be an effective virus-preventive measure when used in a conscientiously applied program of network security and regular professional care. VirusScan is one important element of a comprehensive computing security program that includes a variety of safety measures, such as regular backups, meaningful password protection, user training, and awareness. Even with VirusScan, some viruses--not to mention theft or fire--can render a disk unrecoverable without a recent backup. Although outlining such a security program is beyond the scope of this manual, see "Other sources of information" in Chapter 1 for suggestions. If you are a network administrator, we urge you to implement a security program to safeguard your organization's data and productivity. If you are a network user, please support and comply with such a program. TROUBLESHOOTING GENERAL ABNORMALITIES Using VirusScan with other anti-virus software When you run more than one anti-virus program, you risk strange results and false alarms. For example, some anti-virus programs store their "virus signature strings" unprotected in memory. Running VirusScan may "detect" them falsely as a virus. TSR CONFLICTS Some "terminate-and-stay-resident" (TSR) software may conflict with VirusScan programs, especially VShield (which is itself a TSR). To check whether this is the problem, "comment out" the other TSR files in your AUTOEXEC.BAT file and restart your system. If the errors disappear, the TSR conflict caused them. Using VirusScan (Version 2.2) 89 SLOW DISK ACCESS, PROGRAM LOCKS Running VShield will slow your system slightly as described in Chapter 4, especially if you use either the /ANYACCESS or /SWAP options. If you experience very slow disk access, or if programs lock or freeze while using Windows 3.1, you may be using a disk cache program that interferes with program operation, or you may need to increase the number of BUFFERS in your CONFIG.SYS file. Using VirusScan (Version 2.2) 90 TROUBLESHOOTING SCAN FALSE ALARMS Scan may incorrectly report viruses in the boot sector or master boot record (MBR) of certain copy-protected diskettes. Contact technical support if you're unsure (see "Technical support" in Chapter 1). TROUBLESHOOTING VSHIELD PROGRAM LOCKS WITH /SWAP When VShield is running with the /SWAP option, certain programs may lock up the computer. These programs may use memory without allocating it first, including older versions Lotus 1-2-3, pfs:Write and Professional Write, OfficeWrite, and DisplayWrite4. To correct, restart your computer and run VShield without the /SWAP option. UNABLE TO REMOVE VSHIELD If the /REMOVE option doesn't successfully remove VShield from memory, you have probably loaded other terminate-and-stay-resident (TSR) programs after VShield. VShield can't be removed until the other TSRs are removed. If you need to unload VShield often, load it last. Using VirusScan (Version 2.2) 91 APPENDIX A: RETRIEVING MCAFEE PROGRAMS WITH COMMUNICATIONS SOFTWARE You can use your communications software to dial up the McAfee bulletin board system (BBS) and retrieve (download) McAfee software by following these steps. DIAL UP o The McAfee BBS phone number is (408) 988-4004. o The BBS operates at up to 28,800 bps (baud). Set your communications parameters to 8 data bits, 1 stop bit, no parity, and your terminal emulation to ANSI or TTY. o The BBS is Bell- and ITU- (formerly CCITT) compatible. LOG ON After receiving the CONNECT message from your modem, enter your name, geographic location, and password. To retrieve VirusScan programs, type guest (for first name) user (for last name) Or, if you want personal answers or feedback, create your own account by entering your first and last name and a password. Passwords should be 3-8 characters long and are case-sensitive. THE MAIN MENU Here are some of the important functions on the main menu: F File transfer area (download McAfee updates) M Message area (read and write messages in all sections and e-mail) G Goodbye (hang up and leave the BBS) Using VirusScan (Version 2.2) 92 DOWNLOADING MCAFEE PROGRAMS 1. Select F from the Main Menu to go to the File transfer area. This is the area from which you can download McAfee programs. 2. Select 1 for the McAfee Antivirus Files. A sorted directory listing of files available for download will be displayed. 3. Type D for download, then type in the filename as found in the directory. 4. The BBS will prompt you to select a protocol. If possible, use an error-correcting protocol such as ZMODEM, YMODEM or XMODEM. 5. You'll see the message Awaiting start signal. Tell your software to receive files. With PROCOMM for DOS or TELIX, press the [Page Down] key, with BITCOM, press the [F2] key. For other communications programs, check your manual. 6. Your software will prompt you to select a protocol and file name to receive the file. Select the same protocol and name. UNPACKING YOUR FILES Once you have downloaded software, you need to unpack the downloaded files before you can use them for virus detection. ABOUT COMPRESSED FILES Compressed files take less space on the disk and require less time to transfer electronically. McAfee uses a shareware program, PKZIP (produced by PKWare of Brown Deer, WI, and not a McAfee product), to compress updated software. PKUNZIP (also from PKWare) is the utility used to decompress file previously compressed with PKZIP. Once a file is decompressed, it can be used normally. Using VirusScan (Version 2.2) 93 Note: Since McAfee's products are zipped using PKZIP version 2.04g, you must also have version 2.04g. This is available on our BBS in area one (1) as PKZ204.EXE. This is a self-extracting zip file. Simply download the file and, at the DOS prompt, run it by typing PKZ204 and pressing ENTER. It self- extracts several files, including PKUNZIP.EXE. HOW TO UNPACK Once you have downloaded the McAfee software, quit to DOS, and change to the directory where you downloaded the software to. (If you used QMODEM, TELIX, PROCOMM or CROSSTALK it will be in that directory, or a subdirectory of it usually named DOWNLOAD). If you used Windows Terminal, this may be the Windows directory). Then, enter the following command: PKUNZIP zipfile destination where o zipfile is the name of the file you downloaded. o destination is the target directory to store the McAfee software. For example, PKUNZIP SCN216.ZIP C:\MCAFEE unpacks the SCN216.ZIP file and stores it in the C:\MCAFEE directory. o If you are updating an older version of McAfee software, you may get a message similar to the following example while decompressing: PKUNZIP: (W18) Warning! AGENTS.TXT already exists. Overwrite (y/n/a/r)? If this happens, type A for ALL and press ENTER. PKUNZIP will replace all files with the updated versions contained in the zip file. Using VirusScan (Version 2.2) 94 o The last lines after all of the files are decompressed should be similar to: Authentic files Verified! #FZW807 McAFEE Inc. If you do not see this message, you might have files that have been tampered with. Be sure that you obtain them from a valid source before using them. o If you run VSHIELD after updating, you might get the following message: WARNING: VSHIELD data file has been damaged. This occurs because VSHIELD continually accesses its data file and it has detected a change. Simply restart your machine. VSHIELD will load with the new version. IF YOU ARE INSTALLING SOFTWARE FOR WINDOWS If you downloaded WScan or VShield for the first time, you need to perform several additional configuration steps to complete your installation. You can skip this section if you are not running VirusScan under Windows. INSTALLING WSCAN For WScan, you need to add the icon to your McAfee program group. 1. Create a McAfee program group, if one does not already exist. In the Windows Program Manager, choose File | New. In the New Program Object dialog box, select Program Group and choose OK. Enter a description (such as "McAfee") and a group filename (such as MCAFEE.GRP). If a McAfee program group already exists, select it. 2. Create the WScan icon. In the Windows Program Manager, choose File | New. In the New Program Object dialog box, select Program Item and choose OK. Click Browse, locate the WSCAN.EXE file in the McAfee software directory, then double-click it. Choose OK to add the icon. Using VirusScan (Version 2.2) 95 3. Double-click the icon to verify that it works. Note: You do not need to make any changes to the WIN.INI file because WScan stores its startup settings in WSCAN.INI. INSTALLING VSHIELD UNDER WINDOWS The VSHLDWIN.EXE program allows VShield to display warning messages in a Windows message dialog box. For VShield, you need to add the VShield icon to the McAfee program group and modify WIN.INI so that VSHLDWIN.EXE loads automatically when you start Windows. 1. Within Windows, use the File Manager to locate the VSHINST.EXE program in your McAfee software directory and double-click it. The program creates a McAfee program group (if one does not already exist) and adds the icon for VSHLDWIN.EXE. 2. Edit your WIN.INI file using any ASCII text editor. Add the following line to the [windows] section of your WIN.INI file: run=VSHLDWIN.EXE Restart Windows for your changes to take effect. UPDATING YOUR AUTOEXEC.BAT FILE Finally, you might need to edit the AUTOEXEC.BAT file to: o Automatically load VShield. For more information, see "Running Vshield" in Chapter 5. o Add the McAfee software directory to your PATH statement. Restart your system for the changes to take effect. Using VirusScan (Version 2.2) 96 APPENDIX B: OPTIONS COMPARISON BETWEEN VIRUSSCAN VERSIONS 1.5 AND 2.1.1 COMPARISON OF SCAN VERSIONS 1.5 and 2.1.1 Scan │ Scan │ Version 1.5 │ Version 2.1.1 │ Option Description ═══════════════╪══════════════╪══════════════════════════ /? /H or │ /? or /HELP │ Display help screen. /HELP │ │ ───────────────┼──────────────┼────────────────────────── /A │ /ALL │ Scan all files, │ │ including data files. ───────────────┼──────────────┼────────────────────────── /AD{x} │ /AD{x} │ Scan all drives │ │ {L=Local, N=Network}. │ │ Leave blank for both │ │ (version 1.5 only). ───────────────┼──────────────┼────────────────────────── /AF │ /AF │ Store {filename} │ {filename} │ validation/recovery │ │ codes in {filename}. ───────────────┼──────────────┼────────────────────────── /AG │ │ Add recovery/validation {filename} │ │ data to files except │ │ those listed in {filename}. ───────────────┼──────────────┼────────────────────────── /AV │ /AV │ Add validation/recovery {filename} │ │ data to program files. │ │ Exclude those listed in │ │ {filename} (version 1.5 │ │ only); exclude those │ │ listed in /EXCLUDE │ │ option (version 2.1.1 only). ───────────────┼──────────────┼────────────────────────── /BELL │ default │ Beep whenever a virus │ │ is found. ───────────────┼──────────────┼────────────────────────── /BMP │ default │ Scan OS/2 Boot Manager │ │ partition only. ───────────────┼──────────────┼────────────────────────── │ /BOOT │ Scan master boot record │ │ and boot sector only. ───────────────┼──────────────┼────────────────────────── /CERTIFY │ │ List files not having a │ │ validation code. ───────────────┼──────────────┼────────────────────────── /CF │ /CF │ Check {filename} │ {filename} │ validation/recovery │ │ codes in {filename}. ───────────────┼──────────────┼────────────────────────── Using VirusScan (Version 2.2) 97 VERSION COMPARISON OF SCAN OPTIONS (continued) Scan │ Scan │ Version 1.5 │ Version 2.1.1 │ Option Description ═══════════════╪══════════════╪══════════════════════════ /CG │ │ Check │ │ recovery/validation │ │ data in files. ───────────────┼──────────────┼────────────────────────── /CHKHI │ │ Check memory from 0Kb │ │ to 1,088Kb (not │ │ applicable to OS/2). ───────────────┼──────────────┼────────────────────────── (CLEAN.EXE) │ /CLEAN │ Clean up infections in │ │ master boot records, │ │ boot sectors, and files │ │ when possible. ───────────────┼──────────────┼────────────────────────── /CV │ /CV │ Check │ │ validation/recovery │ │ data in files. ───────────────┼──────────────┼────────────────────────── /D │ /DEL │ Overwrite and delete │ │ infected files. │ │ Save date and time │ │ VirusScan was last run │ │ in SCAN.LOG. ───────────────┼──────────────┼────────────────────────── /DATE │ /LOG │ Save date and time │ │ VirusScan was last run. │ │ Save in SCAN.LOG file │ │ (version 2.1.1 only). ───────────────┼──────────────┼────────────────────────── │ /EXCLUDE │ Exclude from scan any │ {filename} │ files listed in │ │ {filename}. Typically │ │ used in conjunction │ │ with the /AV option. ───────────────┼──────────────┼────────────────────────── EXT │ │ Scan using external {filename} │ │ virus information from │ │ {filename}. ───────────────┼──────────────┼────────────────────────── /FAST │ /FAST │ Speed up VirusScan's │ │ scanning; may detect │ │ fewer viruses. ───────────────┼──────────────┼────────────────────────── /HISTORY │ /APPEND │ Append Scan report to {filename} │ │ {filename} (version 1.5). │ │ Append to, rather than │ │ overwrite, the report │ │ file (/REPORT, version 2.1.1) Using VirusScan (Version 2.2) 98 VERSION COMPARISON OF SCAN OPTIONS (continued) Scan │ Scan │ Version 1.5 │ Version 2.1.1 │ Option Description ═══════════════╪══════════════╪══════════════════════════ /M │ │ Scan memory for all │ │ viruses (not applicable │ │ to OS/2). ───────────────┼──────────────┼────────────────────────── /MANY │ /MANY │ Scan multiple floppy │ │ disks (diskettes). ───────────────┼──────────────┼────────────────────────── │ /MOVE │ Move infected files to │ {directory} │ directory. ───────────────┼──────────────┼────────────────────────── /NLZ │ /NOCOMP │ Skip internal scan of │ │ LZEXE compressed files. ───────────────┼──────────────┼────────────────────────── /NOBREAK │ /NOBREAK │ Disable Ctrl-C and │ │ Ctrl-Break during scan. ───────────────┼──────────────┼────────────────────────── /NOEXPIRE │ │ Do not display │ │ expiration notice. ───────────────┼──────────────┼────────────────────────── /NOMEM │ /NOMEM │ Skip memory checking │ │ (not applicable to OS/2). ───────────────┼──────────────┼────────────────────────── /NOPAUSE │ /PAUSE │ Disable screen pause │ │ (version 1.5 only). │ │ Enable screen pause │ │ (version 2.1.1 only). ───────────────┼──────────────┼────────────────────────── /NPKL │ /NOCOMP │ Skip internal scan of │ │ PKLITE compressed files. ───────────────┼──────────────┼────────────────────────── │ /PLAD │ Preserve Last-Access │ │ date of scanned files │ │ on Novell drives. ───────────────┼──────────────┼────────────────────────── /REPORT │ /REPORT │ Create report of {filename} │ {filename} │ infected files found │ │ during scan in {filename}. ───────────────┼──────────────┼────────────────────────── /RF │ /RF │ Remove {filename} │ {filename} │ validation/recovery │ │ codes in {filename}. ───────────────┼──────────────┼────────────────────────── /RG │ /RG │ Remove │ │ recovery/validation │ │ data from files. Using VirusScan (Version 2.2) 99 VERSION COMPARISON OF SCAN OPTIONS (continued) Scan │ Scan │ Version 1.5 │ Version 2.1.1 │ Option Description ═══════════════╪══════════════╪══════════════════════════ │ /RPTCOR │ Add list of corrupted │ │ files to the report │ │ file (/REPORT). ───────────────┼──────────────┼────────────────────────── │ /RPTERR │ Add list of system │ │ errors to the report │ │ file (/REPORT). ───────────────┼──────────────┼────────────────────────── │ /RPTMOD │ Add list of modified │ │ files to the report │ │ file (/REPORT). ───────────────┼──────────────┼────────────────────────── /RV │ /RV │ Remove │ │ validation/recovery │ │ data from files. ───────────────┼──────────────┼────────────────────────── /SAVE │ /SAVE │ Save specified options │ │ as new defaults (not │ │ available in Windows). ───────────────┼──────────────┼────────────────────────── /SHOWDATE │ /SHOWLOG │ Show date and time of │ │ last scan (version 1.5 │ │ only). Display │ │ information in SCAN.LOG │ │ (version 2.1.1 only) ───────────────┼──────────────┼────────────────────────── /SUB │ /SUB │ Scan subdirectories │ │ inside a directory. ───────────────┼──────────────┼────────────────────────── │ /VIRLIST │ Display list of viruses │ │ detected by VirusScan. ───────────────┼──────────────┼────────────────────────── @{filename} │ /LOAD │ Use Scan settings │ {filename} │ stored in {filename}. │ │ Using VirusScan (Version 2.2) 100 COMPARISON OF VSHIELD VERSIONS 1.5 and 2.1.1 VShield │ VShield │ Version 1.5 │ Version 2.1.1 │ Option Description ═══════════════╪══════════════╪══════════════════════════ /? or /HELP │ /? or /HELP │ Display a list of valid │ │ VShield command line │ │ options. ───────────────┼──────────────┼────────────────────────── /ACCESS │ │ Check for viruses when │ │ files are opened and │ │ diskettes are accessed. ───────────────┼──────────────┼────────────────────────── │ /ANYACCESS │ Scan the diskette boot │ │ sector for viruses │ │ whenever a diskette is │ │ accessed (including any │ │ read and write │ │ operations); scan .EXE, │ │ .COM, .DLL, .OVL, .BIN, │ │ and .SYS files whenever │ │ the file is opened, │ │ read, or updated; scan │ │ .EXE and .COM files │ │ upon execution; scan │ │ any newly created file, │ │ regardless of extension. ───────────────┼──────────────┼────────────────────────── /BOOT │ /BOOTACCESS │ Scan the diskette boot │ │ sector for viruses │ │ whenever a diskette is │ │ accessed (including any │ │ read and write │ │ operations); individual │ │ files on a diskette are │ │ not scanned when a │ │ diskette is accessed. ───────────────┼──────────────┼────────────────────────── /CERTIFY │ /CERTIFY │ Prevent files without {filename} │ │ validation codes from │ │ running. {filename} is │ │ an optional exception │ │ list (version 1.5 only) ───────────────┼──────────────┼────────────────────────── /CF │ /CF │ Check for viruses using {filename} │ {filename} │ validation and recovery │ │ data stored by Scan /AF │ │ in specified {filename}. ───────────────┼──────────────┼────────────────────────── /CG │ │ Check for viruses using {filename} │ │ validation and recovery │ │ data stored by Scan /AG │ │ Using VirusScan (Version 2.2) 101 VERSION COMPARISON OF VSHIELD OPTIONS (continued) VShield │ VShield │ Version 1.5 │ Version 2.1.1 │ Option Description ═══════════════╪══════════════╪══════════════════════════ /CHKHI │ default │ Check memory from 0Kb- │ │ 1088Kb when VShield loads. ───────────────┼──────────────┼────────────────────────── /CONTACT │ /CONTACT │ Display specified {message} │ {message} │ message when a virus is │ │ found. ───────────────┼──────────────┼────────────────────────── found. │ /CONTACTFILE │ Display message stored │ {filename} │ in {filename} when a │ │ virus is found. ───────────────┼──────────────┼────────────────────────── /CV │ /CV │ Check validation codes │ │ added to files by Scan. ───────────────┼──────────────┼────────────────────────── │ /EXCLUDE │ Don't check files │ {filename} │ listed in {filename} for │ │ validation codes │ │ (/CV option). ───────────────┼──────────────┼────────────────────────── /F │ │ Use with /SWAP for DOS {pathname} │ │ 2.0 systems ONLY. ───────────────┼──────────────┼────────────────────────── │ /FILEACCESS │ Scan .EXE, .COM, .DLL, │ │ .OVL, .BIN, and .SYS │ │ files whenever the file │ │ is opened, read, or │ │ updated; scan .EXE and │ │ .COM files upon │ │ execution; the diskette │ │ boot sector is not │ │ checked when a diskette │ │ is accessed. ───────────────┼──────────────┼────────────────────────── /IGNORE │ /IGNORE │ Don't check programs {drive(s)} │ {drive(s)} │ loaded from the │ │ specified drive(s). ───────────────┼──────────────┼────────────────────────── /LH │ │ Load VShield into upper │ │ memory area. ───────────────┼──────────────┼────────────────────────── /LOCK │ /LOCK │ Halt the system when a │ │ file that is infected │ │ or not certified loads │ │ and attempts to execute. Using VirusScan (Version 2.2) 102 VERSION COMPARISON OF VSHIELD OPTIONS (continued) VShield │ VShield │ Version 1.5 │ Version 2.1.1 │ Option Description ═══════════════╪══════════════╪══════════════════════════ /M │ │ Scan base memory for │ │ viruses when VShield loads. ───────────────┼──────────────┼────────────────────────── /NB │ /NOWARMBOOT │ Disable boot sector │ │ check during install │ │ and reboot. ───────────────┼──────────────┼────────────────────────── /NI6510 │ │ Fixes Racal Datacomm │ │ NI6510 conflict. ───────────────┼──────────────┼────────────────────────── /NOBREAK │ │ Prevent [Ctrl]+[C] / │ │ [Ctrl]+[Break] from │ │ working during install. ───────────────┼──────────────┼────────────────────────── /NOCONT │ │ Prevent non-certified │ │ programs from running. ───────────────┼──────────────┼────────────────────────── /NODISK │ │ Turn off the boot │ │ sector check when │ │ VShield is loading. ───────────────┼──────────────┼────────────────────────── /NOEMS │ /NOEMS │ Prevent VShield from │ │ using expanded memory │ │ (EMS) when it loads. ───────────────┼──────────────┼────────────────────────── /NOFLOPPY │ │ Turn off the boot sector │ │ check for floppy drives. ───────────────┼──────────────┼────────────────────────── /NOMEM │ /NOMEM │ Do not check memory for │ │ viruses upon running. ───────────────┼──────────────┼────────────────────────── /NOREMOVE │ /NOREMOVE │ Prevent VShield from │ │ being removed from │ │ memory with the /REMOVE │ │ switch. ───────────────┼──────────────┼────────────────────────── │ /NOUMB │ Prevent VShield from │ │ using upper memory │ │ blocks (UMB) when it │ │ loads. ───────────────┼──────────────┼────────────────────────── │ /NOXMS │ Prevent VShield from │ │ using extended memory │ │ (XMS) when it loads. Using VirusScan (Version 2.2) 103 VERSION COMPARISON OF VSHIELD OPTIONS (continued) VShield │ VShield │ Version 1.5 │ Version 2.1.1 │ Option Description ═══════════════╪══════════════╪══════════════════════════ /ONLY │ /ONLY │ Check programs loaded {drive(s)} │ {drive(s)} │ only from the specified │ │ drive(s). ───────────────┼──────────────┼────────────────────────── │ /POLY │ Check for polymorphic │ │ viruses. ───────────────┼──────────────┼────────────────────────── /RECONNECT │ /RECONNECT │ Restore VShield after │ │ certain drivers or TSRs │ │ have disabled it. ───────────────┼──────────────┼────────────────────────── /REMOVE │ /REMOVE │ Unload VShield from │ │ memory. ───────────────┼──────────────┼────────────────────────── /SAVE │ /SAVE │ Save specified options │ │ as new defaults │ │ (version 1.5 only). │ │ Save the command line │ │ options to the VSHIELD.INI │ │ file (version 2.1.1 only). ───────────────┼──────────────┼────────────────────────── /SWAP │ /SWAP │ Load VShield kernel [pathname] │ [pathname] │ only (5Kb in version │ │ 1.5; 8Kb in version │ │ 2.1.1); swap the rest │ │ from pathname. Using VirusScan (Version 2.2) 104 VERSION COMPARISON OF VSHIELD1/VSHIELDCRC OPTIONS VShield1 │ VShieldCRC │ Version 1.5 │ Version 2.1.1 │ Option Description ═══════════════╪══════════════╪══════════════════════════ │ /? or /HELP │ Display a list of valid │ │ VShieldCRC command line │ │ options. ───────────────┼──────────────┼────────────────────────── │ /CERTIFY │ Prevent files without │ │ validation codes from │ │ running. ───────────────┼──────────────┼────────────────────────── │ /CF │ Check for viruses using │ {filename} │ validation and recovery │ │ data stored by Scan /AF │ │ in specified {filename}. ───────────────┼──────────────┼────────────────────────── │ /CONTACT │ Display specified message │ {message} │ when a virus is found. ───────────────┼──────────────┼────────────────────────── │ /CONTACTFILE │ Display message stored │ {filename} │ in specified {filename} │ │ when a virus is found. ───────────────┼──────────────┼────────────────────────── │ /CV │ Check validation codes │ │ added to files by Scan. ───────────────┼──────────────┼────────────────────────── │ /EXCLUDE │ Don't check files │ {filename} │ listed in {filename} for │ │ validation codes (used │ │ with /CV option). ───────────────┼──────────────┼────────────────────────── │ /FILEACCESS │ Checks validated files │ │ whenever the file is │ │ accessed or executed. │ │ Whenever a validated │ │ .EXE, .COM, .DLL, .OVL, │ │ .BIN, or .SYS file is │ │ opened, read, or │ │ updated, Scan checks │ │ the accessed file. │ │ Whenever a validated │ │ .EXE or .COM file │ │ executes, Scan checks │ │ the file for viruses as │ │ it loads and prevents │ │ execution if the file │ │ is infected. Using VirusScan (Version 2.2) 105 VERSION COMPARISON OF VSHIELD1/VSHIELDCRC OPTIONS (continued) VShield1 │ VShieldCRC │ Version 1.5 │ Version 2.1.1 │ Option Description ═══════════════╪══════════════╪══════════════════════════ │ /IGNORE │ Don't check programs │ {drive(s)} │ loaded from specified │ │ drive(s). ───────────────┼──────────────┼────────────────────────── │ /LOCK │ Halt the system when a │ │ file that is not │ │ certified attempts to │ │ load and execute. ───────────────┼──────────────┼────────────────────────── │ /LOGFILE │ Write error information │ {filename} │ to {filename}. ───────────────┼──────────────┼────────────────────────── /NB │ │ Disable boot sector │ │ checking during install │ │ and reboot. ───────────────┼──────────────┼────────────────────────── and reboot. │ /NOREMOVE │ Prevent VShieldCRC from │ │ being removed from memory │ │ with a subsequent VShieldCRC │ │ command using /REMOVE. ───────────────┼──────────────┼────────────────────────── │ /NOUMB │ Prevent VShieldCRC from │ │ using upper memory │ │ blocks (UMB) when it loads. ───────────────┼──────────────┼────────────────────────── │ /ONLY │ Check programs loaded │ {drive(s)} │ only from the specified │ │ drive(s). ───────────────┼──────────────┼────────────────────────── /REMOVE │ /REMOVE │ Unload VShieldCRC from │ │ memory. Using VirusScan (Version 2.2) 106 VIRUSCAN GLOSSARY ARCHIVED FILE A file that has been archived using either LZEXE or PKLITE, file compression utilities. BOOT To start a computer. The first step is to load startup instructions from the boot ROM or boot sector of a disk. BIOS A read-only memory chip that contains the coded instructions for the operating system to start the computer. Always present in portable computers, a BIOS (boot ROM) is not susceptible to infection (unlike the boot sector on a disk). However, it is harder to update. BOOT SECTOR A portion of a disk that contains the coded instructions for the operating system to start the computer. BOOT SECTOR INFECTIONS Contamination of the boot sector by a virus. Particularly serious because information in the boot sector is loaded into memory first, before virus protection code can be executed. The only certain way to eliminate boot sector infections is to restart from a disk known to be uninfected, then clean up the infection. CLEAN STARTUP DISKETTE A diskette known to be uninfected, that contains the coded instructions from which the computer can be started. See Chapter 2 for instructions on preparing one. COLD BOOT To start a computer from power-off state. COMPRESSED FILE A file (usually with a .ZIP extension) that has been compressed using the PKZIP file compression utility. CONVENTIONAL MEMORY Up to 640Kb of main memory in which DOS executes programs. CORRUPTED FILE A file that has been damaged. About 10% to 20% of viral infections involve viruses that damage files beyond repair. DETECTION Scanning memory and disks for telltale marks or changes indicating that a virus might be present. Using VirusScan (Version 2.2) 107 DISINFECT To eradicate a virus so that it can no longer spread or cause damage to a system. EXCEPTION LIST List of files to which validation codes should not be added because they are immunized against viruses or contain self-modifying code. Scans /AV option uses the list to avoid adding codes to inappropriate files; VShield's /CERTIFY option can use it to allow certain unvalidated files to be run. EXECUTABLE (FILE) A file containing coded instructions to be executed by the computer. Executable files include programs and overlays. EXPANDED MEMORY Memory above the DOS 640Kb limit of conventional memory that is accessed by memory paging. You need special software, conforming to an expanded memory specification, to take advantage of expanded memory. EXTENDED MEMORY Linear memory above the DOS 640Kb limit of conventional memory. Often used for RAM disks and print spoolers. FALSE ALARM Detecting a virus when none is present. INFECTED FILE A file contaminated by a virus. MASTER BOOT RECORD (MBR) A portion of a hard disk that contains a partition table that divides the drive into chunks, some of which may be assigned to operating systems other than DOS. MEMORY A storage medium where data or program code are kept temporarily while being used by the computer. DOS supports up to 640Kb of conventional memory. Beyond that limit may be accessed as expanded memory, extended memory, or an upper memory block (UMB). MEMORY INFECTION Contamination of memory by a virus. The only certain way to eliminate memory infections is to restart from a disk known to be uninfected, then clean up the source of infection. MODIFIED FILE A file that has changed after validation/recovery codes have been added. Using VirusScan (Version 2.2) 108 OVERLAY INFECTION Virus contamination of a file containing auxiliary program code that is loaded by the main program. PARTITION TABLE See MASTER BOOT RECORD. POLYMORPHIC VIRUS A virus that attempts to evade detection by changing its internal structure or its encryption techniques. PROGRAM Software that performs a defined function on a computer. See executable. READ OPERATION Any operation in which information is read from a disk. DOS commands that perform read operations include dir (directory listing), type (display contents of a file), and copy (copy files). See also write operation. RECOVERY CODES Information that Scan records about an executable file in order to recover if it is infected by a virus. See also validation codes. SELF-MODIFYING PROGRAM Software that deliberately changes its own program file, often to protect against viruses or illegal copying, and is therefore difficult to validate in conventional ways. STANDARD EXTENSIONS Filename extensions (suffixes) that signify executable files--.EXE, .COM, .SYS, .DLL, .BIN, and .OVL--which Scan checks by default. SYSTEM ERRORS Errors that can prevent Scan from completing its job successfully. System error conditions include disk format errors (such as unformatted disks), media errors (bad sectors), file system errors (unreadable files), network errors (unable to log in), file access errors (access permission denied), device access errors (printer out of paper), and report failures. TERMINATE-AND-STAY-RESIDENT (TSR) A program, like VShield, that remains active in memory while you run other programs. TURBO A scanning option that is faster than normal but less comprehensive (because it checks a smaller portion of each file). Using VirusScan (Version 2.2) 109 UNKNOWN VIRUS A virus not yet identified and listed in SCAN.DAT. VirusScan can detect unknown viruses by observing changes in files that could result from infection. UPPER MEMORY BLOCK (UMB) Memory in the range 640-1024Kb, just above the DOS 640Kb limit of conventional memory. VALIDATE To check that a file is authentic and has not been altered. Most validation methods rely on computing a statistic based on all the data in the file, which is unlikely to remain constant if the file itself is changed. VALIDATION CODES Information that Scan records about an executable file in order to detect subsequent infection by a virus. See also recovery codes. VIRUS A software program that attaches itself to another program in computer memory or on a disk, and spreads from one program to another. Viruses may damage data, cause the computer to crash, display messages, or lie dormant. WARM BOOT To restart (reset) a running computer, in DOS by pressing [Ctrl]+[Alt]+[Del]. WRITE OPERATION Any operation in which information is recorded on a disk. Commands that perform write operations include those that save, move, and copy files. Most write operations are also read operations because the system verifies that the data have been written correctly. See also read operation. WRITE PROTECTION A mechanism to protect files or disks from being changed. A 3.5" diskette may be write-protected by sliding its corner tab so that the square hole is open; a 5.25" diskette by covering its corner notch with a write-protect tab. A file may be write-protected by changing its system attributes.