home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The PC-SIG Library 13
/
PC-Sig Library (13th Edition) (PC-SIG) (1994).ISO
/
virus
/
scan104.doc
< prev
next >
Wrap
Text File
|
1993-12-13
|
57KB
|
1,358 lines
VIRUSCAN Version 9.15V104
Copyright (C) 1989 - 1993 by McAfee Associates
All rights reserved.
Documentation by Aryeh Goretsky.
McAfee Associates, Inc. (408) 988-3832 office
3350 Scott Blvd, Bldg. 14 (408) 970-9727 fax
Santa Clara, CA 95054-3107 (408) 988-4004 BBS (25 lines)
U.S.A. USR HST/v.32/v.42bis/MNP1-5
CompuServe GO MCAFEE
InterNet support@mcafee.COM
TABLE OF CONTENTS:
WHAT'S NEW . . . . . . . . . . . . . . . . . . . . . . . . . .2
- New features and viruses in this release
- System Requirements
OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . .3
- Detection of known viruses
- Detection of new and unknown viruses
SYNOPSIS . . . . . . . . . . . . . . . . . . . . . . . . . . .4
- Technical description of known virus detection
- Technical description of new/unknown virus detection
AUTHENTICITY . . . . . . . . . . . . . . . . . . . . . . . . .5
- How to verify the SCAN.EXE program file
COMMAND SUMMARY. . . . . . . . . . . . . . . . . . . . . . . .6
- One-line description of switches
OPTIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . .8
- Detailed explanation of switches
EXAMPLES . . . . . . . . . . . . . . . . . . . . . . . . . . .15
- Samples of frequently-used options
EXIT CODES . . . . . . . . . . . . . . . . . . . . . . . . . .16
- Running VIRUSCAN from batch files
VIRUS REMOVAL. . . . . . . . . . . . . . . . . . . . . . . . .16
- How to manually remove a virus
REGISTRATION . . . . . . . . . . . . . . . . . . . . . . . . .17
- How to register VIRUSCAN
TECHNICAL SUPPORT INFORMATION . . . . . . . . . . . . . . . .17
- Information you should have ready when calling
OBTAINING THE LATEST VERSION OF VIRUSCAN . . . . . . . . . . .18
- BBS, CompuServe, and Internet access to SCAN
APPENDIX A . . . . . . . . . . . . . . . . . . . . . . . . . .19
- Creating a virus string file with the /EXT option
APPENDIX B . . . . . . . . . . . . . . . . . . . . . . . . . .21
- How to check only memory for viruses
- Validation codes: Tips and Tricks
- Reformatting infected floppies with DOS 5.00 & 6.00
- Creating a Recovery Disk
APPENDIX C . . . . . . . . . . . . . . . . . . . . . . . . . .23
- Foreign Language Support
Page 1
VIRUSCAN Version 9.15V104 Page 2
WHAT'S NEW
This is version of 9.15V104 of VIRUSCAN (SCAN.EXE).
Beginning with this release, SCAN combines the functionality
of NETSCAN into VIRUSCAN. The NETSCAN program will no longer
be provided by McAfee Associates. Instead, use VIRUSCAN to
scan all local and network drives for viruses.
To compensate for this change, the following options
have been changed:
· The /AD switch has been enhanced to allow all local
drives, all networked drives, or both to be scanned.
· The /BMP switch has been added to scan OS/2 Boot Manager
partitions for viruses.
· The /UNATTEND switch has been made a default setting (it
was required for networked and multitasking computers).
A message will be displayed if SCAN cannot open a file:
"Sorry cannot open file xxxxxxxx.xxx."
Version 104 adds detection of 219 new viruses, bringing the
total number of known viruses to 1,353, or counting variants,
2,049 viruses.
Version 103 was skipped due to a Trojan horse bearing
that version number reported from Arizona.
For a complete list of known viruses, refer to the enclosed
VIRLIST.TXT file. For a description of known viruses please
refer to Patricia Hoffman's Hypertext VSUM.
SYSTEM REQUIREMENTS
SCAN requires 400Kb of free RAM and DOS 2.0 or above.
VIRUSCAN works with 3Com 3/Share and 3/Open, Artisoft LanTastic,
AT&T StarLAN, Banyan VINES, DEC Pathworks, IBM LAN Server,
Microsoft LAN Manager, Novell NetWare, and any other IBMNET or
NETBIOS compatible network operating systems. Contact McAfee
Associates or your local Authorized Agent if you do not see your
network listed.
SCAN is designed to check floppy, hard, CD-ROM, and
compressed (SuperStor, Stacker, Doublespace, etc.) disks on
both stand-alone and networked PC's as well as network file
servers for pre-existing infections of known and unknown
viruses. If you have a Novell NetWare/386 V3.11 file server,
you may wish to use the NETSHIELD virus prevention NetWare
Loadable Module instead.
VIRUSCAN Version 9.15V104 Page 3
SCAN displays messages in English (default); foreign
language support is available for many other languages. Please
refer to APPENDIX C for information on foreign language support.
NOTE: WRITE-PROTECT THE FLOPPY DISK CONTAINING THE VIRUSCAN
(SCAN.EXE) PROGRAM BEFORE SCANNING TO PREVENT VIRUSCAN
FROM BECOMING INFECTED BY A COMPUTER VIRUS.
OVERVIEW (Known Virus Detection)
VIRUSCAN Version 9.15V104 (filename SCAN.EXE) identifies
all 1,353 known computer viruses and their variants. Some
viruses have been modified so that more than one "strain"
exists. Counting such modifications, 2,049 viruses exist.
All known viruses infect one or more of the following
areas: the hard disk partition table (alias Master Boot Record);
the DOS Boot Sector of disks; or one or more executable files on
the system. Executable files include operating system files,
.COM files, .EXE files, overlay files, or any other files
containing program code. A virus that infects more than one
area, such as a boot sector and an executable file is called
a multipartite virus.
SCAN checks files, subdirectories, diskettes or entire
systems for pre-existing computer virus infections. In the
case of infection by a known virus, it will identify the virus
infecting the system, the area(s) it was found, and the I.D.
code used by CLEAN-UP to remove it.
Infected files can be removed using the /D switch in SCAN
to erase the file, or with the CLEAN-UP universal virus removal
(disinfection) program. CLEAN-UP is recommended because in most
cases it will eliminate the virus and fully restore infected
programs or system areas to normal operation.
The accompanying VIRLIST.TXT file lists describes all
viruses identified by SCAN and their associated I.D. codes for
removal by CLEAN-UP.
OVERVIEW (Unknown and New Virus Detection)
SCAN has three separate methods of detecting unknown and
new viruses:
· Validation codes which can be periodically checked against
to look for the changes made by a virus to files or system
areas.
· Generic and Family virus detectors to look for new viruses
which are derivatives of older viruses.
· External virus signatures to insert new virus signature
strings on a temporary basis to SCAN.
VIRUSCAN Version 9.15V104 Page 4
SYNOPSIS (technical description of known virus detection)
SCAN detects known viruses by searching the system for
strings (sequences of bytes) unique to each computer virus and
reporting their presence if found. For viruses which encrypt or
cipher their code so that every infection of the virus is
different, SCAN uses detection algorithms (programs) that work
by statistical analysis, heuristics, or code disassembly.
SYNOPSIS (technical description of new/unknown virus detection)
SCAN checks for new or unknown viruses by comparing
files against previously-recorded validation (checksum) data.
SCAN has two levels of validation which are stored in three
separate ways:
· A simple 10-byte long validation checksum may be appended
to .COM and .EXE files. If a file has been modified, it
no longer matches the checksum and SCAN will report the
file may have become infected. (/AV, /CV, /RV switches)
· An enhanced 52-byte validation and recovery data checksum
can also be created. This can be appended to the end of
files like the 10-byte checksum, or stored in a separate
log file which can be offline (e.g., on floppies) for
recovery purposes. CLEAN-UP can restore infected files,
partition tables, or boot sectors using this information.
(/AG, /CG, /RG switches and /AF, /CF, /RF switches)
NOTE: If validation codes are attached to files, SCAN will NOT
add codes to the partition table, boot sector, or system
files. Instead, a separate hidden file will be created
in the root directory named SCANVAL.VAL containing data
for these areas.
NOTE: Files which are self-checking (e.g., Lotus 1-2-3) should
not be validated with the /AV (Add Validation) or /AG
(Add Generic) switches which modify files. Instead, use
the /AF (Add File) switch.
SCAN also checks for new or unknown viruses by searching
for Generic or Family virus strings. These are strings that
have been found repeatedly in different viruses. Since virus
writers may use the older pieces of code for new viruses, this
allows SCAN to detect viruses which have not been written yet.
VIRUSCAN can be updated to search for new viruses by an
External Virus Data File, which allows the user to input new
search strings for viruses. (/EXT switch)
VIRUSCAN Version 9.15V104 Page 5
AUTHENTICITY
Before using SCAN for the first time, verify that it has
not been tampered with or infected by a virus by using the
the enclosed VALIDATE program. For instructions on using
VALIDATE, please read the VALIDATE.DOC file.
The validation results for Version 9.15V104 should be:
FILE NAME: SCAN.EXE
SIZE: 117,452
DATE: 05-03-1993
FILE AUTHENTICATION
Check Method 1: 5771
Check Method 2: 1FC0
If your copy of SCAN differs, it may have been damaged or have
options stored in it with the /SAVE switch. Run SCAN with only
the /SAVE option to remove any stored options and then re-run
VALIDATE. Always obtain your copy of VIRUSCAN from a known
source. The latest version of VIRUSCAN and validation data for
SCAN.EXE can be obtained from McAfee Associates' bulletin board
system at (408) 988-4004 or from the McAfee Virus Help Forum on
CompuServe (GO MCAFEE), or the mcafee.COM anonymous ftp site on
the Internet.
VIRUSCAN performs a self-check when run. If SCAN has been
modified in any way, a warning will be displayed and the user
will be prompted to either continue or quit. SCAN can still
check for viruses, however, if SCAN reports that it has been
damaged, it is recommended that a clean copy be obtained.
All of McAfee Associates' programs are archived with
Version 1.10 of PKWare's PKZIP Authentic File Verification.
When unzipped with Version 1.10 of PKWare's PKUNZIP program,
an "-AV" will be displayed after each file is unzipped and an
"Authentic Files Verified! # NWN405 Zip Source: McAFEE
ASSOCIATES" will appear once all files are unzipped.
NOTE: If you do not receive the Authentic File Verification
messages, you may be using a different version of
PKUNZIP, such as V1.93α or V2.04. Use PKUNZIP Version
1.10 to unzip files if you wish to have Authenticity
Verification displayed as files are unzipped.
VIRUSCAN Version 9.15V104 Page 6
COMMAND SUMMARY
IMPORTANT NOTE: WRITE PROTECT YOUR FLOPPY DISK BEFORE SCANNING
TO PREVENT INFECTION OF THE VIRUSCAN PROGRAM.
VIRUSCAN checks files and other areas of the system that
can contain a computer virus. When a virus is found, SCAN
identifies the virus and the file or system area where it was
found.
SCAN examines files based on their extension. The default
extensions supported by SCAN are .APP, .BIN, .COM, .EXE, .OV?,
.PGM, .PIF, .PRG, .SWP, .SYS, and .XTP. Additional extensions
can be added with the /E option, or use the /A to check all
files.
Valid options for VIRUSCAN are:
SCAN {drive(s)} {options}
{drive(s)} - Indicates a drive or drives to be scanned
Options are:
\ - Scan root directory and boot area only
/? /H or /HELP - Displays help screen
/A - Scan all files, including data, for viruses
/AD{x} - Scan all drives {L = Local, N = Network}
/AF {filename} - Store recovery & validation data to {filename}
/AG {filename} - Add recovery & validation data to files
EXCEPT for those listed in {filename}
/AV {filename} - Add validation codes to files EXCEPT for
those listed in {filename}
/BELL - Beep whenever a virus is found
/BMP - Scan OS/2 Boot Manager partition ONLY
/CERTIFY - List files that do not have a validation code
/CF {filename} - Check for viruses using recovery & validation
data stored in {filename}
/CHKHI - Check memory from 0Kb to 1,088Kb
/CG - Check recovery & validation data on files
/CV - Check validation codes on files
/D - Overwrite and delete infected files
/DATE - Save the date and time SCAN was last run
(use /SHOWDATE to display)
/E .xxx .yyy - Scan overlay extensions .XXX and .YYY
/EXT {filename} - Scan using external virus data from {filename}
/FAST - Speed up VIRUSCAN's output
(see below for specifics)
/HISTORY {fname} - Create infection log {fname} appending to old log
/M - Scan memory for all viruses
(see below for specifics)
VIRUSCAN Version 9.15V104 Page 7
/MAINT - Scan "invalid media" error (damaged) disk
/MANY - Scan multiple disks
/NLZ - Skip internal scan of LZEXE-compressed files
/NOBREAK - Disable Ctrl-C and Ctrl-Brk during scanning
/NOEXPIRE - Do not display expiration notice
/NOMEM - Disable memory check
/NOPAUSE - Disable screen pause when scanning
/NPKL - Skip internal scan of PKLITE-compressed files
/REPORT {fname} - Create infection log {fname} deleting the old log
/RF {filename} - Remove recovery & validation data from {filename}
/RG - Remove recovery & validation data from files
/RV - Remove validation codes from specified files
/SAVE - Save specified options as new default options
/SHOWDATE - Display the date and time SCAN was last run
(use /DATE to save date and time)
/SUB - Scan all subdirectories inside a subdirectory
@{filename} - Scan using options from {filename}
[This space left intentionally blank.]
VIRUSCAN Version 9.15V104 Page 8
OPTIONS
Following is a detailed description of VIRUSCAN's options.
NOTE: The /AV and /AG switches modify executable files, the
/SAVE switch modifies the SCAN.EXE file. If SCAN is
run against a network drive, it must be run from an
account with rights to modify files.
NOTE: Changes made by the /AV, /AG, and /SAVE switches may
cause other anti-viral programs to generate a warning.
/A - This option checks all files on the drive scanned and also
examines a greater portion of files. This substantially
increases the time required to scan disks and also increases
VIRUSCAN's ability to detect viruses in overlay files. It is
recommended this switch only be used when installing software
or if a file-infecting virus has been found. This option takes
priority over the /E option.
/AD{x} - This option scans all drives for viruses. If /ADL
is used, all local drives are checked, including compressed
drives and CD-ROM's. If /ADN is used, all networked drives
are checked. To scan local and network drives, use /AD by
itself.
/AF {filename} - This option logs recovery and validation
data for .COM and .EXE files, boot sector, and partition table
of a disk to a user-specified file. The log file size is about
20Kb per 1,000 files validated. Recovery from a virus using the
/AF information requires the CLEAN-UP (CLEAN.EXE) program.
/AG {filename} - This option allows the user to store recovery
and validation data for .COM and .EXE files, boot sector, and
partition table of a disk. Recovery information adds 52 bytes
to files. The recovery information for the partition table,
boot sector, COMMAND.COM and system files is stored separately
in a hidden file called SCANVAL.VAL in the root directory of the
drive being scanned. {filename} is an optional ASCII text file
listing files NOT to add recovery and validation data to (see
NOTE below). Recovery from a virus using the /AG information
requires the CLEAN-UP (CLEAN.EXE) program.
/AV {filename} - This option allows the user to store validation
codes for .COM and .EXE files, boot sector, and partition table
of a disk. Validation information adds 10 bytes to files. The
validation codes for the partition table, boot sector, system
files and COMMAND.COM is stored separately in a hidden file
named SCANVAL.VAL in the root directory of the drive being
scanned. {filename} is an optional ASCII text file listing the
files NOT to add validation codes to (see note below).
VIRUSCAN Version 9.15V104 Page 9
NOTE: Files which are immunized against viruses or contain
self-modifying code should not have validation codes
added to them. To prevent SCAN from adding validation
codes to these files, a validation exception list must be
created with the path and filename of each file NOT to be
validated listed on each line (only one filename for each
line). To put a comment in, start the line with an "*"
character. This sample file contains a list of programs
NOT to validate:
*LIST OF FILES NOT TO USE /AV OR /AG OPTIONS WITH
*
*This is Nantucket Corp's database program, Clipper
C:\CLIPPER\BIN\CLIPPER.EXE
*This is Lotus Development Corp's spreadsheet program, 1-2-3
C:\123\123.COM
*This is Microsoft's database program, FoxPro
C:\FOX\FOXPROLX.EXE
*This is MS-DOS 5.00's self-modifying program, SETVER
C:\DOS\SETVER.EXE
*PKWare's data compression programs already perform a self-check
C:\PKWARE\PKLITE.EXE
C:\PKWARE\PKZIP.EXE
C:\PKWARE\PKUNZIP.EXE
*SemWare's QEdit text editor (which I am writing this with now)
C:\SEMWARE\Q.EXE
*Stac Technologies hard disk swapping program
C:\SWAPVOL.COM
*Symantec's Norton Utilities V6.01 disk caching program
C:\NORTON\NCACHE.EXE
*WordStar Corp's word processor is self-modifying
C:\WORDSTAR\WS.EXE
The validation exception list should be an ASCII or DOS
text file. If a word processor is used to create the list, be
sure to save the file as ASCII or DOS Text.
/BELL - This option causes SCAN to beep when a virus is found.
/BMP - This option tells SCAN to check the OS/2 Boot Manager
partition. When run with this option, SCAN checks the Boot
Manager partition and boot sector only.
/CERTIFY - This option will audit a system for files that have
validation codes added to them with the /AG or /AV switches.
Files that have no validation code will be reported as being
uncertified by VIRUSCAN and an ERRORLEVEL of 3 will be returned
after SCAN is run.
VIRUSCAN Version 9.15V104 Page 10
/CF {filename} - This option checks recovery and validation data
stored by the /AF option in {filename}. If a file or system
area has changed, SCAN reports that a viral infection may have
occurred. Using the /CG option adds about 25% more time to
scanning.
/CG - This options checks recovery and validation data added by
the /AG option. If a file or system area has changed, SCAN
reports that a viral infection may have occurred. Using the /CG
option adds about 25% more time to scanning. This option takes
priority over the /CV option.
/CHKHI - This option checks the memory from 640Kb to 1,088Kb
which can be used on 286 and 386 systems by computer viruses.
On XT systems, memory may be scanned twice. Memory above 1,088
is not addressed directly by the CPU and can not contain viral
code. This option cannot be used with the /NOMEM option.
/CV - This option checks validation codes inserted by the /AV
option. If a file or system area has been changed, SCAN will
report that the file or system area has been modified and a
viral infection may have occurred. Using the /CV option adds
about 20% more time to scanning.
NOTE: Some older Hewlett Packard and Zenith PC's modify the
boot sector each time the system is booted. This causes
SCAN to continually report that the boot sector has been
modified if the /CF, /CG, or /CV switches are used.
Check your system's manual to determine if your PC has
self-modifying boot code.
/D - This option tells SCAN to prompt the user to overwrite
and delete an infected files. Files erased by the /D option
can not be recovered. If the CLEAN-UP program is available,
it can be used to disinfect the file. Partition table and boot
sector viruses can not be removed by the /D option and require
the CLEAN-UP virus removal program.
NOTE: If the /D switch is used against a network drive, SCAN
must be run from an account with erase or delete rights.
/DATE - This option stores the time and date SCAN was last run.
This is done by changing the date on the SCANVAL.VAL file. If
no SCANVAL.VAL file exists, SCAN will create a 0-byte long one
in the currently-logged directory.
/E .xxx .yyy - This option allows an additional extension or set
extensions to be scanned. Extensions should include a period "."
character and be separated by a space after the /E. Up to three
extensions may be added with the /E. For more extensions, use
the /A option instead.
VIRUSCAN Version 9.15V104 Page 11
/EXT {filename} - This option tells SCAN to search for viruses
using virus search strings from ASCII text file {filename}, in
addition to the viruses that SCAN looks for. For instructions
creating an external virus data file, refer to Appendix A.
NOTE: The /EXT option provides users with the ability to add
strings for detection of viruses on an interim or
emergency basis. When used with the /D option, it will
overwrite-and-delete infected files. This option is not
for general use and should be used with caution.
/FAST - This option speeds SCAN up by displaying less on the
the screen, skipping checking inside of LZEXE- and PKLITE-
compressed files, and examining a smaller portion of files
during scanning. This may reduce the accuracy of SCAN.
/HISTORY {filename} - This option saves the output of SCAN
to {filename} in ASCII text file format. If {filename} exists,
SCAN will add the results of the current scan to the end.
/M - This option tells VIRUSCAN to check system memory for all
known computer viruses that can inhabit memory. SCAN by default
only checks memory for critical and "stealth" viruses, which are
viruses which can cause catastrophic damage or spread the virus
infection during the scanning process. By default, SCAN will
check memory for the following viruses:
1024 1253 1530 15xx variant
1963 1971 2153 2560
3040 337 3445-Stealth 4096
500 512 557 702
ABC Agena Anthrax Antitelefonica
Aragon arcv B3 Blood Rage
Brain Budo Caz CD
Chang Coffee Shop Copyr-ug Cracky
Crusher Dark Avenger Davis Dir-2
DM-330 Doom II EEL Empire
End-of Evil Genius ExeBug Fam
Feist Fish Flu FORM
Frodo Soft Fune Futhark Geek
Greemlin Green HA HBT
Hellween 1182 Hi Highland Horror
Ice9 Iernim IOU Jeru Variant
Joanna Joshi Jump4Joy Kersplat
L1 Larry Leech LixoNuke
Lozinsky Lycee Magnum Malaga
Malaise Microbes Mirror Mocha
Monkey Mugshot Mummy Murphy
VIRUSCAN Version 9.15V104 Page 12
NCU Li Ninja Nomemklatura NOP
No-Int Nygus Nygus-KL Ontario-3
Otto P1R PCBB11 Penza
Phantom Piazzola Plastique Pogue
Pojer Problem Radyum Rattle
Reaper Reklama Rocko Sandwich
SBC Scr-2 Scroll Scythe
Sentinel Sergant Silence Sk
Sk1 Sma-108a Soyun Stealthb
Sticky Stoned (Vari) Sunday-2 SVC
Tabulero Taiwan3 Ten Bytes Tequila
Thursday 12th Turbo Turkey Twin-351
V2100 V2P6 V600 Vietnamese
Walker Whale Windmill Yan2050a
Youth Zaragoza
If any of the above viruses is found in memory, SCAN will stop,
tell the user to power down and reboot the system from a virus-
free system-bootable disk. This option can not be used with the
/NOMEM option.
NOTE: Using the /M option with another anti-viral software
package may result in false alarms if the other package
does not remove or cipher (hide or otherwise encrypt) its
virus search strings in memory.
/MAINT - This option is used to scan hard disks partitioned
with DOS 4.0 or above that have been damaged by a boot sector
or partition table infecting virus or non-DOS partitions, such
as those created by Novell NetWare/386 or IBM OS/2 V2.0 HPFS.
Attempts to access damaged or non-DOS disks result in an
"Invalid media" message being displayed. When SCAN is run with
this option, only the partition table and boot sector will be
scanned.
NOTE: The /MAINT switch can only be used on a local drive. If
you wish to scan the boot sector or partition table of a
network drive, SCAN must be run from the file server, not
a workstation.
/MANY - This option is used to scan multiple diskettes placed
in a given drive. If the user has more than one floppy disk to
check for viruses, the /MANY option will allows the user to
check disks without having to re-run SCAN multiple times. After
the system has been disinfected, the /MANY and /NOMEM options
options can be used together to speed up the scanning of disks.
/NLZ - This option tells SCAN not to look inside files
compressed with LZEXE, a file compression program. SCAN will
still check LZEXE-compressed files for viruses that may have
become infected after LZEXE compression.
VIRUSCAN Version 9.15V104 Page 13
/NOBREAK - This option prevents Ctrl-C or Ctrl-Brk from aborting
the scanning process.
/NOMEM - This option turns off all memory checks for viruses
in order to speed up the scanning process. It should only be
used when a system is known to be virus-free. This option can
not be used with the /CHKHI or /M options.
/NOEXPIRE - This option prevents SCAN from displaying a warning
message after 7 months warning that it may no longer be current
with respect to known computer viruses.
/NOPAUSE - This option disables the "More? (H = Help )" prompt
displayed when SCAN fills up a screen with 24 lines of text.
This allows SCAN to run on PC's with severe infections without
requiring operator assistance.
/NPKL - This option tells SCAN not to look inside files
compressed with PKLITE, a file compression program. SCAN will
still check PKLITE-compressed files for viruses that may have
become infected after PKLITE compression.
/REPORT {filename} - This option saves the output of SCAN
to {filename} in ASCII text file format. If {filename} exists,
SCAN will erase it and replace with the current scan results.
/RF {filename} - This option removes recovery and validation
data from log file {filename} created by the /AF option.
/RG - This option removes validation and recovery data from a
file or files validated with the /AG option. Using the /RG
switch against a drive removes the SCANVAL.VAL file. This
option can not be used with the /AG option.
/RV - This option removes validation codes from a file or files
validated with the /AV option. Using the /RV switch against a
drive removes the SCANVAL.VAL file. This option can not
be used with the /AV option.
/SAVE - This option stores any listed options for subsequent
executions of SCAN. The options are stored by modifying the
SCAN.EXE executable file itself. For example:
SCAN /NOMEM /REPORT C:\SCAN.LOG /NOPAUSE /SAVE
saves the default options to /NOMEM, /REPORT C:\SCAN.LOG and
/NOPAUSE and will cause SCAN to use these options the next time
it is run. If SCAN is run with only the /SAVE switch, all saved
options are removed and the SCAN.EXE is returned to normal. If
you do not wish to modify the SCAN.EXE file, use the @{filename}
option instead.
VIRUSCAN Version 9.15V104 Page 14
NOTE: VALIDATE 0.4 must be used to validate SCAN V89 or above
if the /SAVE option is used. /SAVE directly modifies
SCAN.EXE in such a manner that validate codes will not
match if an older version of VALIDATE is used. VALIDATE
0.4 generates correct validation results if the /SAVE
option is used.
/SHOWDATE - This option displays the time and date SCAN was last
run on the specified drive. No virus checking is performed.
NOTE: When run with /SHOWDATE, SCAN only displays the last run
date. Viruses will *NOT* be checked for.
/SUB - This option scans all subdirectories inside a
subdirectory. Previously, SCAN would only recursively check
subdirectories if a drive was scanned at the root level (e.g.,
C:). Do not use the /SUB switch if you are scanning a drive
from the root level.
@{filename} - This option allows the user to store a list of
options and drives to be scanned in a configuration file.
Options need to be separated by a space, while drives (disks,
subdirectories, or files) need to be listed on separate lines.
A sample file might look like this:
/A /BELL /CV /NOMEM /REPORT C:\VIRUSCAN\SCAN.LOG
C:
D:\BBS
E:\MCAFEE\CLEAN-UP\CLEAN.EXE
The first line contains the SCAN options while other lines list
the names of disks, subdirectories, or files to scan. The file
should be an ASCII text file. If a word processor is used to
create the list, be sure to save it as ASCII or DOS text.
VIRUSCAN Version 9.15V104 Page 15
EXAMPLES
The following examples show different option settings:
SCAN C:
To scan drive C:
SCAN F:
To scan drive F: on a Novell NetWare LAN for viruses
SCAN F: G: H: /A /D
Scans all files on network drives F:, G:, and H:, and
prompt for erasure of any infected files, if found.
SCAN C: D: E: /AV /NOMEM
Scan for viruses, add validation codes to files on
drives C:, D:, and E:, and skip memory checking.
SCAN C: D: /M /A
Scan all files on C: and D:, memory for all viruses.
SCAN C: D: /E .WPM .COD
Scans drives C: and D:, including .WPM and .COD files
SCAN C: /EXT A:SAMPLE.ASC /BELL
To scan drive C: for known computer viruses and also
for viruses added by the user via the external virus
data file option, and beep whenever a virus is found.
SCAN M: /M /NOPAUSE /REPORT A:INFECTN.RPT
To scan for all viruses in memory and network drive M:
without stopping, and create a log file INFECTN.RPT on
drive A:
SCAN E:\USER\DUNN E:\USER\LUCAS E:\USER\THOMAS /SUB
To scan all subdirectories inside the directories
USER\DUNN, USER\LUCAS, and USER\THOMAS on drive E:
SCAN C: D: E: /FAST /CERTIFY
To perform a fast scan of drives C:, D:, and E: and
check for any files that do not have validation codes.
SCAN @C:\SCANOPTN.LST
To run SCAN using configuration file SCANOPTN.LST
located in the root directory of drive C:.
SCAN /AD /M
Scan all local hard drives, network drives, and memory.
VIRUSCAN Version 9.15V104 Page 16
EXIT CODES
After VIRUSCAN has finished running, it will set the DOS
ERRORLEVEL. ERRORLEVEL's are used in batch files to pass the
results of a program's actions. The ERRORLEVEL's returned by
SCAN are:
ERRORLEVEL │ DESCRIPTION
═══════════╪══════════════════════════════════════════════
0 │ No viruses found
1 │ One or more viruses found
2 │ Abnormal termination (program error)
3 │ One or more uncertified files found
4 │ Ctrl-C or Ctrl-Break aborted scan
If a user stops the scanning process, SCAN will set the
ERRORLEVEL to 4. If you wish to prevent users from stopping the
scanning process, then run SCAN with the /NOBREAK option.
VIRUS REMOVAL
What do you do if a virus is found? You can contact McAfee
Associates for help, their authorized agents, or use the CLEAN-UP
program.
McAfee Associates can be reached by BBS, CompuServe, FAX,
Internet, or Telephone and there is no charge for support calls
to McAfee Associates (Authorized agents may charge normal McAfee
Associates consulting rates.).
The CLEAN-UP universal virus disinfection program can
disinfect virtually all reported computer viruses. It is
updated with each release of the SCAN program to remove new
viruses. CLEAN-UP can be downloaded from McAfee Associates'
BBS, the McAfee Virus Help Forum on CompuServe, and the
mcafee.COM and WSMR-SIMTEL20.Army.Mil sites on the Internet, or
from any of the agents' BBSes listed in the enclosed AGENTS.TXT
text file.
It is strongly recommended that you get experienced help in
dealing with viruses if you are unfamiliar with anti-virus
software and methods. This is especially true for 'critical'
viruses and partition table/boot sector infecting viruses as
improper removal of these viruses can result in the loss of
all data and the use of the infected disk(s). [For a listing of
critical viruses, see the /M switch listed under OPTIONS above.]
Before removing a boot sector or partition table-infecting
virus, it is recommended that you cold boot the infected PC from
a clean DOS disk and backup any critical data.
VIRUSCAN Version 9.15V104 Page 17
For qualified assistance in removing a virus, contact
McAfee Associates directly or any of the Authorized Agents in
your area. Agents may charge McAfee Associates' normal consult
rates for their services.
If you wish to remove a file-infecting virus manually, cold
boot the PC from a clean (virus-free) DOS system disk and run
SCAN with the /A and /D switches to erase all infected files.
Any files removed in this manner can not be recovered.
REGISTRATION
A registration fee of US$25.00 is required for the use of
VIRUSCAN by individual home users. Registration entitles the
holder to unlimited free upgrades from McAfee Associates' BBS,
the Internet, and the McAfee Virus Help Forum on CompuServe as
well as technical support for one year. When registering, a
diskette containing the latest version may be requested for an
additional US$9.00. Only one diskette mailing will be made.
Registration is for home users only and does not apply to
businesses, corporations, organizations, government agencies, or
schools, which must obtain a license for use. Contact McAfee
Associates directly or an Authorized Agent for more information.
TECH SUPPORT
For fast and accurate help, please have the following
information ready when you contact McAfee Associates:
· Program name and version number.
· Type and brand of computer, hard disk, plus any
peripherals.
· Version of DOS plus any TSRs or device drivers in use.
· Printouts of your AUTOEXEC.BAT and CONFIG.SYS files.
· A printout of what is in memory from the MEM command
(DOS 4 and above users only) or a similar utility.
· The exact problem you are having. Please be as
specific as possible. Having a printout of the
screen and/or being at your computer will be helpful.
McAfee Associates can be contacted by BBS, CompuServe, FAX, or
InterNet 24 hours a day, or by telephone at (408) 988-3832,
Monday through Friday, 7:00AM to 5:30PM Pacific Time.
VIRUSCAN Version 9.15V104 Page 18
If you are overseas, you can contact a McAfee Associates
Authorized Agent. Agents are located in over 50 countries
around the world and provide local sales and support for our
software. Please refer to the AGENTS.TXT file for a complete
list of McAfee Associates Agents.
OBTAINING THE LATEST VERSION OF McAFEE ASSOCIATES PROGRAMS
McAfee Associates regularly updates the VIRUSCAN series
of programs every 4 to 6 weeks to add new virus detectors,
new options, and fix reported bugs. To distribute these new
versions, we run a multi-line BBS, CompuServe Forum, and
Internet node.
BBS ACCESS
Our 25-line BBS is accessible 24 hours a day, 365 days a
year, except for scheduled downtime and maintenance. All lines
run US Robotics Courier HST Dual Standard ASL modems operating
from 1,200bps to 16,800bps with line settings of 8 data bits, no
parity, and one stop bit.
THE McAFEE VIRUS HELP FORUM ON COMPUSERVE
We are now sponsoring the McAfee Virus Help Forum on
CompuServe. To reach the McAfee Virus Help Forum type GO MCAFEE
at any CompuServe prompt. A free introductory membership is
available. For more information, please read the enclosed
COMPUSER.NOT file.
INTERNET ACCESS TO McAFEE ASSOCIATES SOFTWARE
The latest versions of McAfee Associates' anti-viral
software is now available by anonymous ftp (file transfer
protocol over the Internet from the site mcafee.COM. If
your domain resolver does not support names, use the IP#
192.187.128.1. Enter "anonymous" for your user I.D. and
your own email address for the password. Programs are
located in the pub/antivirus directory. If you have any
questions, please send email to support@mcafee.COM
McAfee Associates' anti-viral software may also be
found at the Simtel20 archive site WSMR-SIMTEL20.Army.MIL
in the PD1:<MSDOS.VIRUS> directory and its associated
mirror sites WUARCHIVE.WUSTL.EDU (US), NIC.SWITCH.CH (Swiss),
NIC.FUNET.FI (Finland), SRC.DOC.IC.AC (UK), and
ARCHIE.AU (Australia).
VIRUSCAN Version 9.15V104 Page 19
APPENDIX A: Creating a Virus String File with the /EXT Option
NOTE: The /EXT option is intended for emergency and research
use only. It is a temporary method for identifying new
viruses prior to the subsequent release of SCAN. A
thorough understanding of viruses and string-search
techniques is advised for using this option. A string
length of 10 to 15 bytes is recommended.
The External Virus Data file should be created with an
editor or a word processor and saved as an ASCII text file. Be
sure each line ends with a Carriage Return/Line Feed pair.
The virus string file uses the following format:
#Comment about Virus_1
"aabbccddeeff..." Virus_1_Name
#Comment about Virus_2
"gghhiijjkkll..." Virus_2_Name
.
.
"uuvvwwxxyyzz..." Virus_n_Name
Where aa, bb, cc, etc. are the hexadecimal bytes that you wish
to scan for. Each line in the file represents one virus. The
Virus Name for each virus is mandatory, and may be up to 25
characters in length. The double quotes (") are required at the
beginning and end of each hexadecimal string.
SCAN will use the string file to search memory, the
Partition Table, Boot Sector, System files, all .COM and .EXE
files, and overlay files with the extension .APP, .BIN, .COM,
.EXE, .OV?, .PGM, .PIF, .PRG, .SWP, .SYS, and .XTP.
Virus strings may contain wild cards. The two wildcard
options are:
FIXED POSITION WILDCARD
The question mark "?" may be used to represent a wildcard
in a fixed position within the string. For example, the string:
"E9 7C 00 10 ? 37 CB"
would match "E9 7C 00 10 27 37 CB", "E9 7C 00 10 9C 37 CB", or
any other similar string, regardless of the fifth byte.
VIRUSCAN Version 9.15V104 Page 20
RANGE WILDCARD
The asterisk "*", followed by range number in parentheses
"(" and ")" is used to represent a variable number of adjoining
random bytes. For example, the string:
"E9 7C *(4) 37 CB"
would match "E9 7C 00 37 CB", "E9 7C 00 11 37 CB", and
"E9 7C 00 11 22 37 CB". The string "E9 7C 00 11 22 33 44 37 CB"
would not match since the distance between 7C and 37 is greater
than four bytes. You may specify a range of up to 99 bytes.
Up to 10 different wildcards of either kind may be used in one
virus string.
COMMENTS
A pound sign "#" at the beginning of a line will denote a
comment. Use this for adding notes to the external virus data
file. For example:
#New .COM virus found in file FRITZ.EXE from
#Schneiderland on 01-22-91
"53 48 45 45 50" Fritz-1 [F-1]
gives a description of the virus, name of the infected file,
where and when it was found, etc.
VIRUSCAN Version 9.15V104 Page 21
APPENDIX B: Miscellaneous Application Notes
CHECKING MEMORY FOR VIRUSES ONLY
VIRUSCAN can perform a quick check for viruses in memory
only. In this mode, SCAN will not check the disk for viruses.
This option is useful for network administrators who need to
check workstations for viruses before allowing them to log on to
a LAN but cannot run the VSHIELD program due to memory
constraints. The command for this is:
SCAN NUL /M /CHKHI
By designating NUL as the drive to be scanned, SCAN will check
system memory for viruses (up to 1088Kb if the /CHKHI option is
used) and then return to DOS without scanning any disks. SCAN
returns the DOS ERRORLEVEL in the normal manner.
VIRUSCAN VALIDATION CODES
If you have installed any new software or programs on your
system, and are running VIRUSCAN or VSHIELD with the /CF, /CG,
or /CV validation codes options, you will need to reinstall
validation codes to the new files with the /AF, /AG, or /AV
add validation codes options of SCAN. In addition, the
SCANVAL.VAL hidden file containing validation codes for the
partition table, boot sector, COMMAND.COM, and system files may
have to be replaced (unhide the file with the DOS ATTRIB command
and then delete it).
The quickest way to update the validation codes is to
remove all validation codes from the hard disk and then add them
back by running SCAN with the /RV and then the /AV options.
NOTE: This applies to any new version of DOS, as well as any
programs which you install on your system.
REFORMATTING INFECTED FLOPPIES WITH DOS 5.00 or 6.00
When reformatting infected floppy disks under DOS 5.0, be
sure to add the /U switch to the FORMAT command. This tells DOS
to do an Unconditional Format of the disk, without saving the
original infected boot sector of the disk. This should be done
to prevent the reinfection by unformatting the disk.
VIRUSCAN Version 9.15V104 Page 22
CREATING A RECOVERY DISK USING THE /AF OPTION
The /AF switch added in Version 90 of SCAN creates a
separate file to store recovery data and validation codes.
This file can be stored off-line (on a floppy disk, network
drive, tape drive, etc.) and accessed on-demand to check for,
and recover from infection by unknown viruses.
To create a Recovery Disk, format a system-bootable floppy
diskette by typing "FORMAT A: /S" and pressing Enter. Then,
copy the VIRUSCAN (SCAN.EXE) and CLEAN-UP (CLEAN.EXE) files on
to it. Run SCAN against the hard disk with the /AF option.
For example:
SCAN C: D: /AF A:\SCANCRC.CRC
will scan the C: and D: drives for known viruses and create
a file named SCANCRC.CRC containing recovery data and validation
codes. After SCAN finishes, write-protect the disk.
To check for virus infection, turn the PC off, insert the
Recovery Disk, and turn the power back on. The PC will now boot
from the floppy disk. At the DOS prompt, type:
SCAN C: D: /CF A:\SCANCRC.CRC
to compare drives C: and D: against the recovery data stored
in the SCANCRC.CRC file on the A: drive.
To disinfect your system, turn your PC off, insert the
Recovery Disk, and turn the power back on. The PC will now
boot from the floppy disk. At the DOS prompt, type:
CLEAN C: D: /GRF A:\SCANCRC.CRC
to restore drives C: and D: with the recovery data stored in the
SCANCRC.CRC file on the A: drive.
VIRUSCAN Version 9.15V104 Page 23
APPENDIX C: FOREIGN LANGUAGE SUPPORT
VIRUSCAN can display messages in a foreign language by
reading in a replacement set of messages from an external
file named MCAFEE.MSG. When the MCAFEE.MSG file is placed in
the same directory as the SCAN.EXE file, SCAN will display
messages from the foreign language module instead of displaying
messages in English (American). Currently, SCAN is bundled with
two .MSG files, FRENCH.MSG and SPANISH.MSG, which contain
messages in French (European) and Spanish (Latin America),
respectively.
To use a foreign language module, rename it to MCAFEE.MSG
and place it in the same directory as the SCAN.EXE file. When
SCAN is run, it will check for the MCAFEE.MSG file and use it,
if found.
Support for other languages such as Chinese, Dutch, Finnish,
French (Canadian), German, Hungarian, Norwegian, Portuguese,
Russian, Spanish (European), Swahili, Swedish and Bulgarian is
planned for future releases. Contact your local McAfee Associates
Authorized Agent or McAfee Associates directly for availability.
VIRUSCAN Version 9.15V104 Page 24
IMPORTANT NOTICE - PLEASE READ!
Due to the nature of anti-virus software, the slight chance
exists that a virus may be reported in a file that is not
infected by that virus.
If you receive a report of a virus infection which you believe
may be in error, please contact McAfee Associates by telephone
at (408) 988-3832, by fax at (408) 970-9727, or upload the file
to our BBS at (408) 988-4004 along with your name, address,
daytime telephone number, and electronic mail address, if any.
