Help for Anti-Virus Copyright 1991 by Central Point Software Inc.
Sorry, eis not . Please ESC to F4 to view a Index e You can get anywhere in a F1, or Index horizontal {bar. Keyboard The depends on what you doing e. If you in a egives you .. If you Bbox, etells you If a epage can fit in the , use the PGUP and PGDN UP and DOWN s) to in the . If you , you can use the bar at the right. The end of the indicated by a blue horizontal in most , you can h. A a word or phrase is connected ( connection is invisible to the user) to the chosen i.
To i, use the TAB or cursor move the ger among h(END takes you to the last and HOME takes you to the first), O. If you , just and Ithe associated word or phrase on , you can F5 to to the previously viewed F3 to Wthe to the Related hlocated at the left of some take you to a related of the e. For example, the related is "Special sfor General hlocated at the right of some take you to a ~general of the Control PZThe Control Alt+SPACE or *the +box. Version... &the Version .produces a + Alt+F4 2copyright specific to the . To to the *the Version +box or ESC. &the .produces a box which asks you to Wthe Double- *the +box to bypass the Control {and Wthe Sample is a sample illustrates how hcan be used to move you quickly throughout a word or phrase transports you to an . To to the just viewing, %the ied word " ". In case, you can %the general (located at the right of e", to to the previously viewed PZFor assistance beyond what the manual, e, and README.TXT provide, please refer to the Guide card en package and contact us one of the ]methods: Phone Our business hours are 6 am to 5 pm PST, Monday through Friday. If possible, call _a phone next to the computer you're having and PC turned on and ready to go. Our phone is (503) 690-8080. To receive evia fax, send us a description of problem along our : (503) 690-7133. CPS Bulletin our 24-hour-a-day bulletin board , you Board can direct questions or |s to as well as download the _the section. To connect to our BBS, set modem to N-8-1 `duplex and dial (503) 690-6650. CompuServe CompuServe members can r Pour forum by typing GO CENTRAL at the ! . In the forum, you can direct questions or comments to and download the new You can write to at the address below. Be sure to send us a description of as well as the problem you are experiencing. , Inc. 
15220 NW Greenbrier Pkwy., Suite 200 Beaverton, OR 97006 Attn: International Phone: +44 (0)81 569 3316 FAX: +44 (0)81 569 1013 BBS: +44 (0)81 569 3324 Mail: 3 Furzeground Way Stockley Park Uxbridge Middlesex UB11 1DA United Kingdom BBoxes PZYou can either pull-down zor the at the of the the keyboard: 1. F10 to activate the Horizontal {Bar. 2. ALT and the vof the the first vof the .or use the gthe .you If the Ia sub _it in the same way as noted above. to the main , etc.), and hold the left , drag the er to the .you on the {, and release the . If you mind and to make a ion, drag the er outside the {and release. _the |Bar: akey associated .(F1, F2, etc.) Use the *the BBoxes Bboxes allow you to needs continuing. are six s of Bbox uyou one of several *ing the one turns off all in the same group. uyou toggle an independent on or off by *ing it the [..] uyou , such as a to search for. TAB to move to the next Oto proceed Bbox. [-A-] uyou an item [-B-] ging it and *ing it Carries out an +s the Bbox. TAB or SHIFT-TAB to cycle through the the vof the %the . EXIT and CANCEL terminate the CONTINUE goes to the next step of the You can *the up or down the increase or decrease the adjacent value by one. For example, you might adjust an alarm To leave a Bbox, -usually OK, CONTINUE, or the of the To leave a Bbox and %the EXIT or CANCEL ESC, or use the *the +box in the top-left corner. PZOpening , a new opens, allowing you to you first %some s, the does not fill the whole . However, if the 3a Maximize/Restore the upper-right corner, you can maximize it to a larger The Active the active is indicated by a title bar +box and a Maximize/Restore (if it can be re d). All d title bars are not fand are +boxes or Maximize/Restore s. You can one open at , but you can one at a , the active or SHIFT-TAB to activate *in the to activate Some bars along the right and/or edge, a small box indicating the position of the in relation to the [. 
Drag , or *the location in the bar represents where you *the sabove and below the bar to wat a . If you , you can use PGUP and PGDN or the UP and DOWN Note: If you are a CGA, EGA, or monochrome monitor, the characters used for the +box, Maximize/Restore and look _those shown in the documentation. The expanded character set used for objects on VGA }. However, they the same. s control Jand them "CPAV" at the DOS , along s you are . Be sure to separate multiple a space. For example: CPAV /LE /BF Additional s used by an be obtained by typing /? the at the DOS Sets the Jto 25 Sets the Jto 28 Sets the Jto 43 specific to EGA }, but can be used on some VGA emulate EGA Sets the Jto 50 should be used on VGA Uses the 's BIOS to manipulate fonts, instead of writing directly to the port. Use if you Jing characters correctly. Starts the in black-and-white mode. improves the Jif you use a color card a black- and-white monitor. Disables "snow" sup ion on CGA Normally, video "snow" is sup ed on CGA video Jis sharper. may slow on some }. If you da CGA monitor and Kmind minor flickering or "snow" on , use the /FF Used on computers I(usually laptops) to set colors. the left and right as to accommo :persons who prefer to use left- handed. Disables the , but does not affect keyboard does not affect the underlying . Use if you dan old Microsoft Lr or experience hotkeying out of a y-resident NOTE: If you running , it is probably due to an older- style Lr. You can use the /IM , but we recommend you ask manufacturer for an upgrade. Allows you to run a y-resident in color you da Hercules InColor card. If you do not use the /IN , the comes up in black and white mode. is run as a standard , it comes its normal colors. Disables the use of alternate fonts. Disables the graphics character. , the be a solid box instead of an . You might to use is running too slowly and you to speed it up. /MONO s the ;monochrome color set. has an effect similar to /BW. 
If you dan IBM monochrome monitor and /BW does not improve try /MONO. optimal performance and corrects can occur you are a PS/2. You can does not you ; Index Index A - B Log Cleared Allow Anti-Stealth C - D Alert $All Clear 6Backup 6New Disable Alarm Sound E - H I - R Last Pause Ready Removing a S - T Zand U - Z >and PZ F1 egives eon the Immune protects Bbox. uyou Log Log, a recent * repair. Wquits Xswitches to the s to {, a simple DOS. summary of the Alooks for in the * can and F10 gs the fixes the damage done to copies itself to the a computer's hard or replace the is always loaded into anything else. y, the can spread to If the 6New is on, 6s a for 9of records in the F, including , attributes, :, and called ". If a exists for the F, any added to the Fare added to the A value derived _the attributes, :, and [infectors The most common [infectors add Z(.COM, N, .SYS, etc.). is executed, it spreads to Protect adding a small amount of ,to them. k, a [has its own anti- capabilities allowing it to notify you of any may occur. If a the [can )itself, to its state. Trojan horse is disguised as a legitimate . Trojan horses are much apt to destroy Zor damage Variant +ly related form of an Although the variant is similar, its Denough _the strain to need a unique (routine. designed to replicate and spread on its own. VSafe y-resident utility 0d by Install for suspicious . If it @such , VSafe Ia warning |, giving you the opportunity to 4the , restart the , or VSafe can be set by CPAV. VWatch y-resident utility 0d by Install $s for the presence of is executed or a ed. VWatch $s for the presence of . If a ^, a Hand the is halted, allowing you the opportunity to run the eliminate the VWatch can be set by CPAV. PSPT PZLike a human body, a PC is vulnerable to , like organic counterparts, can produce a variety of hosts. some computer are content to multiply obvious ~malicious strains exist sporadically lockup salute you off-color suggestions. 
In extreme cases, erase Zand even Shard (CPAV. N) protects parasites in two ways. If become n, you can use )over 1000 s of Aand a suspect [--an in some way and which may be nby an If you to add an extra layer of protection future attacks, you can use the lfeature to modify they rid themselves of (even ones) they first become are several ways of bnew xtells how to get pby modem. If you da modem, you can still get Call the 24-hour wat (503) 690-2660 for up-to-the minute pon the latest , including unique Use the pcontained in the Quarterly sent to registration card address. The Quarterly s for new well as upgrade Submit the coupon en receive one free Protection the quarterly or any s obtained _the CPS w, you can manually add new be able to recognize and eradicate the new You can ]procedure: 1. computer, modem, and telecommunications connect to the CPS Bulletin Board or to CompuServe. If you are a CompuServe user, GO CENTRAL at the ! 2. Locate the area of the bulletin board and download the SIGS. [and its accompanying VIRUS.DOC (if any). 3. Copy Zto the (the CPAV. 4. Use a editor or word processing to read the VIRUS.DOC [for pon the new you run Zand Eand de appear in Dcolors. _the Eare affected by the 1. TAB until the f, or *in the 2. Use the up and down _, or 3. TAB to move to the *in the 4. Use the or de it; or *the 1. TAB until the f, or *the 2. Use the or de it; or *the -are _the at the top of the . To vof the .. To ESC or *outside of the Ione of the pull-down 6New Disable Alarm Sound 6Backup Anti-Stealth $All Allow Disable Disable Disable Disable VSafe Hot-Key Verification Alert Send |s to Index Keyboard PZThe .won't Instead, it alerts you if it finds either an [or a . Since Zgenerally modified [could indicate oby an finds a uyou )the =the [, or ignore the [. If the , you won't dthe choice (the finds a modified [, it Ithe Bbox. allows you to =the [in question, in addition to To both find and repair Zand %the E. 
If you twhether begins, you are alerted if either an [or a modified ^. (Since Zgenerally , a modified [could indicate Zare Mthe . If finds a modified [, it Bbox to enable you to , Repair, or [in question. Zand PZUse the .to self-protect Zyou [runs an it is executed and Ithe |if it Self $warning - [was [R] Self Reconstruction [C] 4execution [E] Wto DOS jadds less 1K to a [, but does not occupy any space in s of 2overlays or pat the end of the [(usually debugging corrupted headers. Nand .COM Zsmaller 14 bytes (excluding the . header) .COM Zlarger Any [in the built-in or OS/2 you attempt to lany of Bbox and enables you to add the [to its Very rarely, a may not acorrectly it has k. If should occur, use jto restore [and add the [. You add the [to the Zand kpreviously. _the If you to recover the less 1K of Gspace or [to its state, use Zand 6New "is enabled, a Fas it is [stores , attributes, :, and Msubsequent ris on, compares Zto the !and alerts you if Although ?method a good defense , it does consume a small amount of space. You can =the procedure: 1. has the Zyou =; or if you =all of them, just 2. if you =the 3. _the Bbox asks you to choice. Zand PZThe uyou show or print a xof all the recognized by . The , alias (if any), , and c). You can get detailed pon specific in the &Info. , refer to the documentation. x/Show 2all the recognized by . The , alias (if any), , and _the , you can search for specific , print the x, or get detailed specific &Info. , refer to the documentation. x/Print uyou print a xof all the recognized by . The , alias (if any), , and (see c). You can get detailed pon specific in the &Info. , refer to the documentation. %the .if you a new . The data describes the "--the unique set of hexadecimal characters distinguishes it or pieces of You can , if you da modem and telecommunications . The explains how. uyou Log, a of recent ?and PC. You can show the log, print it, or clear it. ls, or j, it 6s an entry in its log. 
The log holds a maximum of 400 entries. limit is r Ped, the oldest entry is recorded. Log/Show Ithe Log, a summary of the ?and (sessions performed on PC. You can print or clear If you ~detailed psuch as strain and , turn on is enabled, 6s an if any s are written to a /REPORTS sub Flocated in the CPAV. F. However, you can view s directly _the Log by moving the gbar over the Log entry (it Hin a gcolor if an ) and &Info. Log/Print .prints the Log, a of recent ?and PC, if you connected to PC. You can show the log or clear it. Log/Clear .clears the Log, a of recent ?and PC. Everything in the so the Log starts recording _scratch. You show the log or print it. PZThe uyou show, print, or clear the 6s a and any is taken in d CPAV.RPT, is an ASCII located in the root Fof the /Show Ithe and any is taken in /Print PZPrints the and any is taken in /Clear =s the and any is taken in s to the DOS Do you really or whatever launched you are asked to Wthe made to the Anti- session. If you've chosen leave the to remain in compares Zto the 5by the and alerts you to any comparison to isolate made to Zby new, along the Anti-Stealth uses a special, low-level routine to enhance the ?of the Stealth family of ;for is on. 6New [called 5for Fas it is p, called on the Fincluding attributes, :, and If a exists for the adds pto the [for any added to the ;for is on. 5for Fon a Gas it is is useful for creating "(see c) of write-protecting the "are 5, write-protect the Gand turn off. Subsequent of the compare "but not attempt to ". If is on a write-protected \, a Hindicating write to ;for is off. Disable Alarm Sound PZIf you do not a sound played a warning . The sound is useful for attention, but not required you're Anti- ;for is off. 6Backup , a backup is made of any '. The backup be re the extension .VIR. can be dangerous, however, because it means a [remains on G. You should if, for example, the copy of a and you're so desperate you'd rather use an dit at all. ;for is off. 
any is taken in d CPAV.RPT, is an ASCII [located in the root Fof the L. Here is a sample search :: mm/dd/yy, hh:mm:ss. x was Total FOUND Total REMOVED : Total ZCHECKED : Total FOUND Total REMOVED : END OF REPORT. ;for is off. You can show, print, or clear the .in the PZIf you ~detailed psuch as strain and , turn on enabled, feature 6s an if any s are written to a /REPORTS sub Flocated in the CPAV. You can view s directly _the Log by moving gbar over the Log entry (it in a gcolor if an ) and &Info. If is run L, the NET: and the user of the person who ran the To set up s, the administrator must assign read and write rights to the \CPAV\REPORTS Ffor all users. In addition, the administrator must assign read and write rights to the \CPAV\ACTIVITY.CPS for all users. Bbox is you can repair 4the repairing the [, or , the goes to the end ping to give you choices in a Bbox. ;for is on. Anti-Stealth along uses a special, low-level routine to enhance the ?of the Stealth family of Stealth are particularly tricky in attempts to infect the computer's COMMAND.COM [and spread to turns on special low-level routines AStealth no matter where they try to hide. For maximum protection Stealth , leave both the Anti- Stealth and ;for is on. $All , all for turned off, Zend the extensions N, COM, OVL, OVR, SYS, BIN, APP, or ;for is on. , the j, and -in the {are disabled. If you are z, the be disabled. The main use of feature is for IS ( managers. If you to make sure you twho has what they are ', you can set users' machines. they turn off the unless they ;for is off. Allow Ls is allowed If a installed, you you turn ;for is on. Disable affects both (CPAV. N) and the y-resident VSafe. finds a modified normally Ithe Bbox allowing you to =the 4the taking , or . If Disable , however, the Bbox is disabled. If VSafe is y-resident and it finds an not match the #, VSafe normally Bbox allowing you to the execution of the 4the taking , or p. You can disable the Disable CPAV and installing VSafe. 
The in the VSafe Bbox is Disable PZIf finds an [, it Bbox to enable you to However, if Disable , you (the ping the . If you [, the resume. disables the in all VSafe alert Bboxes. Disable PZIf , the usual methods of ping a F3 or ESC -- are disabled. is off by Disable VSafe Hot-Key PZThe VSafe hot-key, Alt-V, enables you to VSafe's Warning and to unload it y. You can disable hotkey by the Disable VSafe Hot-Key disabled, the hotkey under DOS or any s: VSafe y, the VSafe control ed, and VSafe are ignored. To use ., you must provide the q, if a was assigned. (the normal z) to a simplified , called the five -. (You may F8 to switch to the main as of the so you dto deal details like which %or which . The -both NOTE: in the {, the Aand be dimmed in the ' standard interface, z. You for the q, if a was assigned. In the box to the right of the s is efor . You can F1 at any for detailed PZMost, but not all, Zcan be k. To prevent the unsuitable $s the MENU02. Add SETUP. and avoids modifying them. WIN386. TCC. the Add , you can TD286. Zto the HELP!. tcan't be SCAN. kinclude the HYPERDSK. OK .COM Zlarger or OS/2 built-in 2overlays or pat the end of the Nand .COM Zsmaller 14 bytes (excluding the . header) Verification PZTo avoid verification alerts for often, a verification x. For example, if you CONFIG.SYS frequently, you could add it to the Verification x. It would be ignored verified. (If the [was nby a recognized, however, you would still be alerted.) Alert uyou the alert . If a installed, you for it continuing. Bbox Rthe to be uyou assigned qor, if none was assigned at , to 6a new In the Bbox %OK. You be asked to repeat the is required in the ]situations: 1. Changing _the 2. 3. the Allow 4. Alert 5. Changing the 6. Changing the If no set, you not be for one. Send |s to ., you can send 8alert a Novell user. Typically, feature would be used to alert a administrator a machine on the n. 
To use feature, you must provide a if one was set up for settings ( in the {, for example) you need to /in order to keep the wise, any you made be forgotten the next you start immediately, /. You can wait until you if you've made any. 7setup is d to the CPAV.INI PZIf you da hard begins by L. If you to an L(to Gor an hard L), use the ., the above the . To gthe Licon O, OR v, OR *the Licon. >and the results of the . The table how many Gs and Zof various , how many , and how many At the of the table, how long the $ing and (took. %OK to +the Bbox and to the Bbox asks you to Wthe and if so, whether to /settings. Wto leave the remain in $All Bbox you %the $All _the Bbox the results of the you just took. The table how many Gs and Zof various and how many k. Because %s to (if they ) but not At the of the table, how long the took. %OK to +the Bbox and to the Bbox asks you to Zstore (see If you =the Gspace, make sure you turn off the 6New "and in the {. If you K, the be re- 5. For maximum confidence, =the periodically. %the .if you dobtained a new . The data describes the "--the unique set of hexadecimal characters distinguishes it or pieces of Bbox , and you can Rthe new 1. the first two-character hex 2. Repeat until the You can , if you da modem and telecommunications . The explains how. The tells where to get new Clear PZIn Bbox, %OK to clear the Log. The [, ACTIVITY.CPS, is leave the [as it is and +the Bbox. Log/Clear Alert . (You for a if one was installed.) Whatever you here appear in a Bbox Rthe |to be given Log/Clear %Send |s to Bbox . (You for a if one was installed.) Rthe for the user which receive the a the user %OK. If a 8alert be sent to the Novell you specified here. Log/Clear Log Cleared Bbox uyou Log has cleared. %OK to +the Bbox and ing in Log/Clear PZTo 1. In the Bbox, Rthe if any, and 2. a new 3. the new again to it and %OK to accept the new 1. In the Bbox, Rthe if any, and 2. for a new 3. Ragain to it and Changing/ PZTo 1. In the Bbox, Rthe if any, and 2. 
a new 3. the new again to it and %OK to accept the new 1. In the Bbox, Rthe if any, and 2. for a new 3. Ragain to it and requires a _the {to be set either in z. If no not be two similar Bboxes you add/ _either the jexception the verification exception Zadded to the jException be skipped you use the lfeature. A xof common Zto skip is provided. Zadded to the Verification Exception "verified. ( , however, Zfor xis useful if you to be alerted for frequently such as CONFIG.SYS. Add Exception Rthe of the Bbox) or verified (Verification box) %OK. The is added to the Every occurrence of be ignored jor verification. Pause PZYou can interrupt it is to end the 4to finish the Fatal Bbox happens upon an Tserious enough $the Troubleshooting section of the printed manual for Bbox Wing , if it session. , but it's always a good idea to re finding and , to make sure the is eradicated not just _the G, but Bbox Qa new in the xto allow to recognize a doesn't enable the new , however. As part of the plan, you receive quarterly 2the s of --the next one include the capability of (the new . Until a new best bet is to =the [to make sure the doesn't spread. Bbox has done so much damage to be recovered. Because vital phas destroyed, is unable to restore the condition. =the _the is completed, restore the most recent backup or _the G(s), and run again to Bbox indicates (see c) has strongly recommend you and prevent further 4to ignore the the remaining to the Bbox is Anti- Alabama was ^in: APPNAME. recognizes. We strongly recommend _the [and restore it to its condition, so won't be 4to ignore the the remaining to the Ithe Bbox to the new SIGNATUR.CPS [you put in Fwas ^and the Ready Ithe Ready Bbox to make sure the is ready proceeding. If power is off, or no is hooked up to get a you try to print the PZThe windicates the Licons in the Licon f. It _the {(in z), or L, hold down CTRL v, or *the Licon. The Lyou be the one PZThe xs the on the L. 
You can (or tag) ;, all the Eare you first start xs the ^in the F. You can (or tag) Zto be kor dis As you Ein the , the Zin the Fare Hin the Zand PZThe of tagged Zon the L. Tagged entries and untagged entries appear in Dcolors in the and the ;, which can be Eand or by setting the $All , is for all Zto be tagged. As E, the to reflect the Zand Eremaining to be PZThe indicates the last , if any. If you to find particular , you can open the look up the in the Cincluded documentation. Last PZThe Last tells you what was most recently taken <, re verified, k, or dis k), and the occurred. PSPT ls, or j, it 6s an log (ACTIVITY.CPS) of . The log holds a maximum of 400 entries. limit is r Ped, the oldest entry is recorded. You can show, print, or clear the PZIf {) is turned on and a 6s an :and of the strain and path of s are written to a /REPORTS sub located in the CPAV. F. You can view the Log's Info feature or you can print it by Print in the PZIf the ls, or You can show, print, or clear the PZThe xof all the recognized . The for the Hin the first column s for the any) appear indented underneath it. The in the far right column. ~detailed pon a particular git in xand %Info or . You can search the xfor a particular Ring the in the blank field. gthe comes +st to matching entry. You can get detailed pon the &Info or You can print the xif you wish. Characteristics PZThe Characteristics Zit attacks yresident? Side Effects variations, and , refer to the documentation. Lfor 100% A progress percentage of You can interrupt the 100% ESC, by F3, or by *ing F3. If a sounds an alarm and ^and a suggested solution. Lhas , the >and 100% s any it finds. A progress the percentage of Eand 100% . You can interrupt the at any If a it and the Last Taken Lhas , the >and ^and .allows you to , the Licon O, OR v, OR *the Licon. The parea at the of the .takes you back to Anti- . In z, all of the , and you can Zand ), or %the .in the {, you'll be asked to give a , if one was assigned. 
The can be qor by s to the DOS Do you really or whatever launched it. you are asked to Wthe made to the session. If you've chosen _the Wrong DOS Version PZThe version of DOS you are is not ed by s DOS 3.0 and later. Not Ready . Make sure is turned on, loaded paper, and connected to computer. Not Allowed PZThe Allow is disabled. .to enable . You for the if one was set. is not enough to complete the . Try removing TSR G-related Thas occurred. Immune Impossible could not lthe lthe s of 2overlays or pat the end of the [(usually debugging corrupted headers. Nand .COM Zsmaller 14 bytes (excluding the . header) .COM Zlarger 2an independent self- $ing or OS/2 To avoid Bbox in the future, you can add the [to the in the >but could not be _the Please contact )the alerts you [: APPNAME. N has . Since Attribute: generally 23:09:14 09:07:18 could 03/27/90 02/27/91 indicate 139793 139743 by an FF4C FDF2 marks the in the 9as permanent |s are not Msubsequent if you [was s the [. Unless you twhy the ,you should =it and re-install _the 4resumes the #data base. s the Failed alerts you [: APPNAME. N has . Since generally Attribute: could 23:09:14 09:07:18 indicate 03/27/90 02/27/91 by an 139793 139743 FDF2 FDF2 marks the in the Repair 9as permanent |s are not subsequent if you twhy the Repair resets the :and _) values. if you twhy the 4resumes the #data base. s the yFor is insufficient yto add an exception to the x. Try freeing yby removing TSR PZThe log, ACTIVITY.CPS, Fto see if the [was yFor log is insufficient Jthe log. Try freeing yby removing TSR Wrong PZThe Qis incorrect. data you Qis correct. Contact the problem persists. PZYou are attempting to [. Deleting cause serious including not being able to