High Voltage Shareware

home *** CD-ROM | disk | FTP | other *** search

/ High Voltage Shareware / high1.zip / high1 / DIR24 / OSCAN109.ZIP / OSCN109.DOC < prev next >

Wrap

Text File | 1993-11-08 | 44KB | 1,152 lines

OS2SCAN FOR OS/2 Version 9.20V109 Copyright (C) 1989 - 1993 by McAfee Associates All rights reserved. Documentation by Aryeh Goretsky. McAfee Associates (408) 988-3832 office 2710 Walsh Avenue, Suite 200 (408) 970-9727 fax Santa Clara, CA 95051-0963 (408) 988-4004 BBS (25 lines) U.S.A. USR HST/v.32/v.42bis/MNP1-5 CompuServe GO MCAFEE InterNet support@mcafee.COM America OnLine MCAFEE TABLE OF CONTENTS: WHAT'S NEW . . . . . . . . . . . . . . . . . . . . . . . . . .2 - New features added in this release - System Requirements OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . .3 - Detection of known viruses - Detection of new and unknown viruses AUTHENTICITY . . . . . . . . . . . . . . . . . . . . . . . . .5 - How to verify the OS2SCAN.EXE program file COMMAND SUMMARY. . . . . . . . . . . . . . . . . . . . . . . .6 - One-line description of switches OPTIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . .8 - Detailed explanation of switches EXIT CODES . . . . . . . . . . . . . . . . . . . . . . . . . .13 - ERRORLEVEL's returned by OS2SCAN for REXX scripts EXAMPLES . . . . . . . . . . . . . . . . . . . . . . . . . . .14 - Samples of frequently-used options VIRUS REMOVAL. . . . . . . . . . . . . . . . . . . . . . . . .15 - How to manually remove a virus REGISTRATION . . . . . . . . . . . . . . . . . . . . . . . . .16 - How to register OS2SCAN TECHNICAL SUPPORT INFORMATION . . . . . . . . . . . . . . . .17 - Information you should have ready when calling OBTAINING THE LATEST VERSION OF OS2SCAN. . . . . . . . . . . .18 - BBS, CompuServe, and Internet access to OS2SCAN APPENDIX A . . . . . . . . . . . . . . . . . . . . . . . . . .19 - Creating a virus string file with the /EXT option Page 1 OS2SCAN FOR OS/2 Version 9.20V109 Page 2 WHAT'S NEW This is version 9.20V109 of VIRUSCAN FOR OS/2 (filename OS2SCAN.EXE). This release adds detection of 114 new viruses and 167 variants, bringing the total number of known viruses to 1,769, or counting variants, 2,632 viruses. Like it's DOS-based counterpart, VIRUSCAN (for DOS), OS2SCAN searches PC's for computer viruses in memory, the master boot record (partition table), boot sector, and files. However, OS2SCAN contains several important differences: · Since OS/2 operates in a protected mode environment it can only check its own area of memory or "memory image" for viruses. Viruses in a DOS session or VDM will not be detected in memory by OS2SCAN. To protect against viruses in a DOS session or VDM, use the VSHIELD (for DOS) virus prevention TSR. · OS2SCAN does not have the /CHKHI, /M, /MAINT, /NOMEM, or /UNATTEND switches that VIRUSCAN does. · The /SAVE switch does not modify the OS2SCAN.EXE file. Instead, it creates an OS2SCAN.INI file. OS2SCAN FOR OS/2 Version 9.20V109 Page 3 SYSTEM REQUIREMENTS OS2SCAN requires IBM OS/2 Version 2.00(GA) or above. Use the SYSLEVEL command to determine what version of OS/2 you are running. OS2SCAN is designed to check PC's and file servers for viruses and is compatible with all network operating systems including 3Com, Artisoft LanTastic, AT&T StarLAN, DEC Pathworks IBM LAN Server, Microsoft LAN Manager, and Novell NetWare. Contact McAfee Associates if you do not see your NOS listed. If you have a Novell NetWare/386 server, you may wish to use the NETSHIELD NetWare Loadable Module for virus prevention in conjunction with OS2SCAN. NOTE: WRITE-PROTECT THE FLOPPY DISK CONTAINING THE OS2SCAN FOR OS/2 (OS2SCAN.EXE) PROGRAM BEFORE SCANNING TO PREVENT IT FROM BECOMING INFECTED BY A COMPUTER VIRUS. OVERVIEW (Known Virus Detection) OS2SCAN FOR OS/2 Version 9.20V109 (filename OS2SCAN.EXE) identifies all 1,769 known computer viruses and their variants. Some viruses have been modified so that more than one "strain" exists. Counting such modifications, 2,632 viruses exist. All known viruses infect one or more of the following areas: the hard disk partition table (alias Master Boot Record); the Boot Sector of disks; or one or more executable files on the system. Executable files include operating system files, .COM files, .EXE files, overlay files, or any other files containing program code. A virus that infects more than one area, such as a boot sector and an executable file is called a multipartite virus. OS2SCAN checks files, subdirectories, diskettes or entire systems for pre-existing computer virus infections. It will identify the virus infecting the system and the area where it was found, giving the name of the virus as well as the I.D. code used with CLEAN-UP to remove it. Infected files can be removed using the /D switch in OS2SCAN to erase the file, or with the CLEAN-UP universal virus removal (disinfection) program. CLEAN-UP is recommended because in most cases it will eliminate the virus and fully restore infected programs or system areas to normal operation. CLEAN-UP is available in both DOS and OS/2 versions. The accompanying VIRLIST.TXT file lists describes all viruses identified by OS2SCAN and their associated I.D. codes for removal by CLEAN-UP. OS2SCAN FOR OS/2 Version 9.20V109 Page 4 OVERVIEW (Unknown Virus Detection) OS2SCAN checks for new or unknown viruses by comparing files against previously-recorded validation (checksum) data. OS2SCAN has two levels of validation which are stored in three separate ways: · A simple 10-byte long validation checksum may be appended to .COM and .EXE files. If a file has been modified, it no longer matches the checksum and OS2SCAN reports the file may be infected. (/AV, /CV, /RV switches) · An enhanced 52-byte validation and recovery data checksum can also be created. This can be appended to the end of files like the 10-byte checksum, or stored in a separate log file which can be offline (e.g., on floppies) for recovery purposes. CLEAN-UP can restore infected files, partition tables, or boot sectors using this information. (/AG, /CG, /RG switches and /AF, /CF, /RF switches) NOTE: OS2SCAN does NOT add codes to the partition table, boot sector, or system files. Instead, a separate hidden file will be created in the root directory named SCANVAL.VAL containing data for these areas. NOTE: Files which are self-checking (e.g., Lotus 1-2-3) should not be validated with the /AV (Add Validation) or /AG (Add Generic) switches which modify files. Instead, use the /AF (Add File) switch. OS2SCAN also checks for new or unknown viruses by searching for Generic or Family virus strings. These are strings that have been found repeatedly in different viruses. Since virus writers may use the older pieces of code for new viruses, this allows OS2SCAN to detect viruses which have not been written yet. OS2SCAN can be updated to search for new viruses by an External Virus Data File, which allows the user to input new search strings for viruses. (/EXT switch) OS2SCAN FOR OS/2 Version 9.20V109 Page 5 AUTHENTICITY Before using OS2SCAN for the first time, verify that it has not been tampered with or infected by a virus by using the enclosed VALIDATE for OS/2 (OS2VAL.EXE) program. For instructions on using OS2VAL, please read the OS2VAL.DOC file. The validation results for Version 9.20V109 should be: FILENAME: SIZE: DATE: CHECK METHOD: OS2SCAN.EXE 234,688 11-08-93 M1: 9D67 M2: 062C NOTE: If you run VALIDATE.COM for DOS against OS2SCAN.EXE, a different Check Method 1 value will be returned. Do not use VALIDATE.COM to validate OS2SCAN.EXE If your copy of OS2SCAN differs, it may have been damaged. Always obtain your copy of OS2SCAN from a known source. The latest version of OS2SCAN and validation data for OS2SCAN.EXE can be obtained from McAfee Associates' bulletin board system at (408) 988-4004 or from the McAfee Virus Help Forum on CompuServe (GO MCAFEE), or the mcafee.COM anonymous ftp site on the Internet. OS2SCAN performs a self-check when run. If OS2SCAN has been modified in any way, a warning will be displayed and the user will be prompted to either continue or quit. OS2SCAN can still check for viruses. However, if OS2SCAN reports that it has been damaged, it is recommended that a new copy be obtained. All of McAfee Associates' programs are archived with Version 1.10 of PKWare's PKZIP Authentic File Verification. When unzipped with Version 1.10 of PKWare's PKUNZIP program, an "-AV" will be displayed after each file is unzipped and an "Authentic Files Verified! # NWN405 Zip Source: McAFEE ASSOCIATES" will appear once all files are unzipped. NOTE: If you do not receive the Authentic File Verification messages, you may be using a different version of PKUNZIP, such as V1.93A or V2.04. Use PKUNZIP Version 1.10 to unzip files if you wish to have Authenticity Verification displayed as files are unzipped. OS2SCAN FOR OS/2 Version 9.20V109 Page 6 COMMAND SUMMARY IMPORTANT NOTE: WRITE PROTECT YOUR FLOPPY DISK BEFORE SCANNING TO PREVENT INFECTION OF THE OS2SCAN PROGRAM. OS2SCAN checks files and other areas of the system that can contain a computer virus. When a virus is found, OS2SCAN identifies the virus and the file or system area where it was found. OS2SCAN examines files based on their extension. The default extensions supported by OS2SCAN are .APP, .BIN, .COM, .EXE, .OV?, .PGM, .PIF, .PRG, .SWP, .SYS, and .XTP. Additional extensions can be added with the /E option, or use the /A to check all files. Valid options for OS2SCAN are: OS2SCAN {drive(s)} {options} {drive(s)} - Indicates a drive or drives to be scanned Options are: \ - Scan root directory and boot area only /? /H or /HELP - Displays help screen /A - Scan all files, including data, for viruses /AD - Scan all local drives for viruses /AF {filename} - Store recovery & validation data to {filename} /AG {filename} - Add recovery & validation data to files EXCEPT for those listed in {filename} /AV {filename} - Add validation codes to files EXCEPT for those listed in {filename} /BELL - Beep whenever a virus is found /BMP - Scan OS/2 Boot Manager Partition ONLY /CERTIFY - List files that do not have a validation code /CF {filename} - Check for viruses using recovery & validation data stored in {filename} /CG - Check recovery & validation data on files /CV - Check validation codes on files /D - Overwrite and delete infected files /DATE - Save the date and time OS2SCAN was last run (use /SHOWDATE to display) /EXT {filename} - Scan using external virus data from {filename} /FAST - Speed up OS2SCAN's output (see below for specifics) /HISTORY {fname} - Create infection log {fname} appending to old log OS2SCAN FOR OS/2 Version 9.20V109 Page 7 /MANY - Scan multiple disks /NLZ - Skip internal scan of LZEXE-compressed files (DOS executables only) /NOBREAK - Disable Ctrl-C and Ctrl-Brk during scanning /NOEXPIRE - Do not display expiration notice /NOPAUSE - Disable screen pause when scanning /NPKL - Skip internal scan of PKLITE-compressed files (DOS executables only) /REPORT {fname} - Create infection log {fname} deleting the old log /RF filename - Remove recovery & validation data stored /RG - Remove recovery & validation data from files /RV - Remove validation codes from specified files /SAVE - Save specified options as new default options /SHOWDATE - Display the date and time OS2SCAN was last run (use /DATE to save date and time) /SUB - Scan all subdirectories inside a subdirectory @{filename} - Scan using options from {filename} *Denotes new option added in this release OS2SCAN FOR OS/2 Version 9.20V109 Page 8 OPTIONS Following is a detailed description of OS2SCAN's options. Please note the /AF and /AG switches modify executable files. This may cause other anti-viral programs to generate a warning. /A - This option checks all files on the drive scanned and also examines a greater portion of files. This substantially increases the time required to scan disks and also increases OS2SCAN's ability to detect viruses in overlay files. It is recommended this switch only be used when installing software or if a file-infecting virus has been found. This option takes priority over the /E option. /AD - This option scans all local hard disk drives for viruses. No drives need to be listed when the /AD switch is used. NOTE: If network drives exist, OS2SCAN will attempt to access them when run with the /AD switch and fail. /AF {filename} - This option logs recovery and validation data for .COM and .EXE files, boot sector, and partition table of a disk to a user-specified file. The log file size is about 20Kb per 1,000 files validated. Recovery from a virus using the /AF information requires the CLEAN-UP program. /AG {filename} - This option allows the user to store recovery and validation data for .COM and .EXE files, boot sector, and partition table of a disk. Recovery information adds 52 bytes to files. The recovery information for the partition table, boot sector, COMMAND.COM and system files is stored separately in a hidden file called SCANVAL.VAL in the root directory of the drive being scanned. {filename} is an optional ASCII text file listing files NOT to add recovery and validation data to (see NOTE below). Recovery from a virus using the /AG information requires the CLEAN-UP (CLEAN.EXE) program. /AV {filename} - This option allows the user to store validation codes for .COM and .EXE files, boot sector, and partition table of a disk. Validation information adds 10 bytes to files. The validation codes for the partition table, boot sector, system files and COMMAND.COM is stored separately in a hidden file named SCANVAL.VAL in the root directory of the drive being scanned. {filename} is an optional ASCII text file listing the files NOT to add validation codes to (see note below). OS2SCAN FOR OS/2 Version 9.20V109 Page 9 NOTE: Files which are immunized against viruses or contain self-modifying code should not have validation codes added to them. To prevent OS2SCAN from adding validation codes to these files, a validation exception list must be created with the path and filename of each file NOT to be validated listed on each line (only one filename for each line). To put a comment in, start the line with an "*" character. This sample file contains a list of programs NOT to validate: *LIST OF FILES NOT TO USE /AV OR /AG OPTIONS WITH * *This is Nantucket Corp's database program, Clipper D:\CLIPPER\BIN\CLIPPER.EXE *This is Lotus Development Corp's spreadsheet program, 1-2-3 D:\123\123.COM *This is MS-DOS 5.00's self-modifying program, SETVER D:\DOS\SETVER.EXE *PKWare's data compression programs already perform a self-check D:\PKWARE\PKLITE.EXE D:\PKWARE\PKZIP.EXE D:\PKWARE\PKUNZIP.EXE *Stac Technologies hard disk swapping program D:\SWAPVOL.COM *Symantec's Norton Utilities V6.01 disk caching program D:\NORTON\NCACHE.EXE *WordStar Corp's word processor is self-modifying D:\WORDSTAR\WS.EXE The validation exception list should be an ASCII or DOS text file. If a word processor is used to create the list, be sure to save the file as ASCII or DOS Text. /BELL - This option tells OS2SCAN to beep when a virus is found. /BMP - This option tells OS2SCAN to check the OS/2 Boot Manager partition. When run with this option, OS2SCAN will check the Boot Manager partition and boot sector. /CERTIFY - This option will audit a system for files that have validation codes added to them with the /AG or /AV switches. Files that have no validation code will be reported as being uncertified by OS2SCAN. /CF {filename} - This option checks recovery and validation data stored by the /AF option in {filename}. If a file or system area has changed, OS2SCAN reports that a viral infection may have occurred. Using the /CG option adds about 25% more time to scanning. OS2SCAN FOR OS/2 Version 9.20V109 Page 10 /CG - This options checks recovery and validation data added by the /AG option. If a file or system area has changed, OS2SCAN reports that a viral infection may have occurred. Using the /CG option adds about 25% more time to scanning. This option takes priority over the /CV option. /CV - This option checks validation codes inserted by the /AV option. If a file or system area has been changed, OS2SCAN will report that the file or system area has been modified and a viral infection may have occurred. Using the /CV option adds about 20% more time to scanning. NOTE: Dual Boot systems change the Boot Sector between DOS and OS/2 depending on which operating system is currently active. This will cause OS2SCAN to report that the boot sector has been modified. /D - This option tells OS2SCAN to prompt the user to overwrite and delete an infected files. Files erased by the /D option can not be recovered. If the CLEAN-UP program is available, it can be used to disinfect the file. Partition table and boot sector viruses can not be removed by the /D option and require the CLEAN-UP virus removal program. /DATE - This option stores the time and date OS2SCAN was last executed. This is done by changing the date on the SCANVAL.VAL file. If no SCANVAL.VAL file exists, OS2SCAN will create a 0-byte long file in the currently-logged directory. /EXT {filename} - This option tells OS2SCAN to search for viruses using virus search strings from ASCII text file {filename}, in addition to the viruses that OS2SCAN looks for. For instructions creating an external virus data file, refer to Appendix A. NOTE: The /EXT option provides users with the ability to add strings for detection of viruses on an interim or emergency basis. When used with the /D option, it will overwrite-and-delete infected files. This option is not for general use and should be used with caution. OS2SCAN FOR OS/2 Version 9.20V109 Page 11 /FAST - This option speeds OS2SCAN up by displaying less on the the screen, skipping checking inside of LZEXE- and PKLITE- compressed files (DOS only), and examining a smaller portion of files during scanning. This may reduce the accuracy of OS2SCAN. /HISTORY {filename} - This option saves the output of OS2SCAN to {filename} in ASCII text file format. If {filename} exists, OS2SCAN will add the results of the current scan to the end. /MANY - This option is used to scan multiple diskettes placed in a given drive. If the user has more than one floppy disk to check for viruses, the /MANY option will allows the user to check disks without having to re-run OS2SCAN multiple times. /NLZ - This option tells OS2SCAN not to look inside files compressed with LZEXE, a file compression program for DOS .EXE files. OS2SCAN will still check LZEXE-compressed files for viruses that may have become infected after LZEXE compression. /NOBREAK - This option prevents Ctrl-C or Ctrl-Brk from aborting the scanning process. /NOEXPIRE - This option prevents OS2SCAN from displaying a warning message after 7 months warning that it may no longer be current with respect to known computer viruses. /NOPAUSE - This option disables the "More? (H = Help )" prompt displayed when OS2SCAN fills up a screen with 24 lines of text. This allows OS2SCAN to run on PC's with severe infections without requiring operator assistance. /NPKL - This option tells OS2SCAN not to look inside files compressed with PKLITE, a file compression program for DOS .EXE files. OS2SCAN will still check PKLITE-compressed files for viruses that may have become infected after PKLITE compression. /REPORT {filename} - This option saves the output of OS2SCAN to {filename} in ASCII text file format. If {filename} exists, OS2SCAN will erase it and replace with the current scan results. /RF {filename} - This option removes recovery and validation data from log file {filename} created by the /AF option. OS2SCAN FOR OS/2 Version 9.20V109 Page 12 /RG - This option removes validation and recovery data from a file or files validated with the /AG option. Using the /RG switch against a drive removes the SCANVAL.VAL file. This option can not be used with the /AG option. /RV - This option removes validation codes from a file or files validated with the /AV option. Using the /RV switch against a drive removes the SCANVAL.VAL file. This option can not be used with the /AV option. /SAVE - This option stores any listed options for subsequent executions of OS2SCAN. The options are stored by creating a file named OS2SCAN.INI in the same directory as OS2SCAN.EXE. For example, the command: OS2SCAN /NOMEM /REPORT C:\OS2SCAN.LOG /NOPAUSE /SAVE saves the default options to /NOMEM, /REPORT C:\OS2SCAN.LOG and /NOPAUSE and will cause OS2SCAN to use these options the next time it is run. If OS2SCAN is run with only the /SAVE switch, the OS2SCAN.INI file is removed. If you wish to use more than one set of switches with OS2SCAN, use the @{filename} option instead. /SHOWDATE - This option displays the time and date OS2SCAN was last run. No virus checking is performed. NOTE: When run with /SHOWDATE, OS2SCAN only displays the last run date. Viruses will *NOT* be checked for. /SUB - This option scans all subdirectories inside a subdirectory. Previously, OS2SCAN would only recursively check subdirectories if a drive was scanned at the root level (e.g., C:). Do not use the /SUB switch if you are scanning a drive from the root level. @{filename} - This option allows the user to run OS2SCAN with a configuration file listing the options and drives OS2SCAN is to check. Options need to be separated by a space, while drives (disks, subdirectories, or files) need to be listed on separate lines. A sample file might look like this: /A /BELL /CV /REPORT C:\OS2SCAN\OS2SCAN.LOG C: The first line contains the OS2SCAN options while other lines list the names of disks, subdirectories, or files to scan. The file should be an ASCII text file. OS2SCAN FOR OS/2 Version 9.20V109 Page 13 EXIT CODES After OS2SCAN has finished running, it will set the ERRORLEVEL. ERRORLEVEL's are used in REXX scripts to pass on the results of a program's actions. The ERRORLEVEL's returned by OS2SCAN are: ERRORLEVEL │ DESCRIPTION ═══════════╪══════════════════════════════════════════════ 0 │ No viruses found 1 │ One or more viruses found 2 │ Abnormal termination (program error) 3 │ One or more uncertified files found 4 │ Ctrl-C or Ctrl-Break aborted scan If a user stops the scanning process, OS2SCAN will set the ERRORLEVEL to 4. If you wish to prevent users from stopping the scanning process, then run OS2SCAN with the /NOBREAK option. OS2SCAN FOR OS/2 Version 9.20V109 Page 14 EXAMPLES The following examples show different option settings: OS2SCAN C: To scan drive C: OS2SCAN A:R-HOOPER.EXE Scans file "R-HOOPER.EXE" on drive A: OS2SCAN A: /A /CV Scans all files and checks validation codes for unknown viruses on drive A:. OS2SCAN B: /D /A Scans all files on drive B: and prompt for erasure of any infected files, if found. OS2SCAN C: D: E: /AV Scan for viruses, add validation codes to files on drives C:, D:, and E:. OS2SCAN C: D: /A /FR Scan all files on drives C: and D: for viruses, and display all messages in French. OS2SCAN C: D: /E .WPM .COD Scans drives C: and D:, including .WPM and .COD files OS2SCAN C: /EXT D:\SAMPLE_VIRUSSTRING.TXT /BELL To scan drive C: for known computer viruses and also for viruses added by the user via the external virus data file option, and beep whenever a virus is found. OS2SCAN C: /NOPAUSE /REPORT G:INFECTION_REPORT.DRIVEC To scan drive C: without stopping, and create a log file INFECTION_REPORT.DRIVEC on drive G: OS2SCAN E:\DOWNLOADS /SUB To scan all subdirectories under the directory DOWNLOADS on drive E: OS2SCAN C: D: E: /FAST /CERTIFY To perform a fast scan of drives C:, D:, and E: and check for any files that do not have validation codes. OS2SCAN @C:\SCANOPTN.LST To run OS2SCAN using configuration file SCANOPTN.LST located in the root directory of drive C:. OS2SCAN /AD Scan all hard drive partitions for viruses. OS2SCAN FOR OS/2 Version 9.20V109 Page 15 VIRUS REMOVAL What do you do if a virus is found? You can contact McAfee Associates for help, their authorized agents, or use the CLEAN-UP program. CLEAN-UP is available for DOS (CLEAN.EXE) and OS/2 (OS2CLEAN.EXE). McAfee Associates can be reached by BBS, CompuServe, FAX, Internet, or Telephone and there is no charge for support calls to McAfee Associates (Authorized agents may charge normal McAfee Associates consulting rates.). The CLEAN-UP universal virus disinfection program can disinfect virtually all reported computer viruses. It is updated with each release of the OS2SCAN program to remove new viruses. CLEAN-UP can be downloaded from McAfee Associates' BBS, the McAfee Virus Help Forum on CompuServe, and the mcafee.COM and WSMR-SIMTEL20.Army.Mil sites on the Internet, or from any of the agents' BBSes listed in the enclosed AGENTS.TXT text file. It is strongly recommended that you get experienced help in dealing with viruses if you are unfamiliar with anti-virus software and methods. This is especially true for 'critical' viruses and partition table/boot sector infecting viruses as improper removal of these viruses can result in the loss of all data and the use of the infected disk(s). Before removing a boot sector or partition table-infecting virus, it is recommended that you cold boot the infected PC from a clean DOS disk and backup any critical data. For qualified assistance in removing a virus, contact McAfee Associates directly or any of the Authorized Agents in your area. Agents may charge McAfee Associates' normal consult rates for their services. If you wish to remove a file-infecting virus manually, cold boot the PC from a clean (virus-free) OS/2 boot diskette and run OS2SCAN with the /A and /D switches to erase all infected files. Any files removed in this manner can not be recovered. OS2SCAN FOR OS/2 Version 9.20V109 Page 16 REGISTRATION A registration fee of US$35.00 is required for the use of OS2SCAN by individual home users. Registration entitles the holder to unlimited free upgrades from McAfee Associates' BBS, the Internet, and the McAfee Virus Help Forum on CompuServe as well as technical support for one year. When registering, a diskette containing the latest version may be requested for an additional US$9.00. Only one diskette mailing will be made. Registration is for home users only and does not apply to businesses, corporations, organizations, government agencies, or schools, which must obtain a license for use. Contact McAfee Associates directly or an Authorized Agent for more information. TECH SUPPORT For fast and accurate help, please have the following information ready when you contact McAfee Associates: - Program name and version number. - Type and brand of computer, hard disk, plus any peripherals. - Version of OS/2 (use the SYSLEVEL command to determine) plus any device drivers in use. - Printouts of your AUTOEXEC.BAT and CONFIG.SYS files. - The exact problem you are having. Please be as specific as possible. Having a printout of the screen and/or being at your computer will be helpful. McAfee Associates can be contacted by BBS, CompuServe, FAX, or InterNet 24 hours a day, or by telephone at (408) 988-3832, Monday through Friday, 7:00AM to 5:30PM Pacific Time. If you are overseas, you can contact a McAfee Associates Authorized Agent. Agents are located in over 50 countries around the world and provide local sales and support for our software. Please refer to the AGENTS.TXT file for a complete list of McAfee Associates Agents. OS2SCAN FOR OS/2 Version 9.20V109 Page 17 OBTAINING THE LATEST VERSION OF McAFEE ASSOCIATES PROGRAMS McAfee Associates regularly updates the OS2SCAN series of programs every 4 to 6 weeks to add new virus detectors, new options, and fix reported bugs. To distribute these new versions, we run a multi-line BBS, CompuServe Forum, and Internet node. BBS ACCESS Our 25-line BBS is accessible 24 hours a day, 365 days a year, except for scheduled downtime and maintenance. All lines run US Robotics Courier HST Dual Standard ASL modems operating from 1,200bps to 14,400bps with line settings of 8 data bits, no parity, and one stop bit. THE McAFEE VIRUS HELP FORUM ON COMPUSERVE We are now sponsoring the McAfee Virus Help Forum on CompuServe. To reach the McAfee Virus Help Forum type GO MCAFEE at any CompuServe prompt. A free introductory membership is available. For more information, please read the enclosed COMPUSER.NOT file. INTERNET ACCESS TO McAFEE ASSOCIATES SOFTWARE The latest versions of McAfee Associates' anti-viral software is now available by anonymous ftp (file transfer protocol) over the Internet from the site mcafee.COM. If your domain resolver does not support names, use the IP# 192.187.128.1. Enter "anonymous" for your user I.D. and your own email address for the password. Programs are located in the pub/antivirus directory. If you have any questions, please send email to support@mcafee.COM McAfee Associates' anti-viral software may also be found at the Oak.Oakland.EDU site in the pub/msdos/virus directory and its associated mirror sites WUARCHIVE.WUSTL.EDU (US), FTP.SWITCH.CH (Swiss), FTP.FUNET.FI (Finland), SRC.DOC.IC.AC (UK), and ARCHIE.AU (Australia). OS2SCAN FOR OS/2 Version 9.20V109 Page 18 APPENDIX A: Creating a Virus String File with the /EXT Option NOTE: The /EXT option is intended for emergency and research use only. It is a temporary method for identifying new viruses prior to the subsequent release of OS2SCAN. A thorough understanding of viruses and string-search techniques is advised for using this option. A string length of 10 to 15 bytes is recommended. The External Virus Data file should be created with an editor or a word processor and saved as an ASCII text file. Be sure each line ends with a Carriage Return/Line Feed pair. The virus string file uses the following format: #Comment about Virus_1 "aabbccddeeff..." Virus_1_Name #Comment about Virus_2 "gghhiijjkkll..." Virus_2_Name . . "uuvvwwxxyyzz..." Virus_n_Name Where aa, bb, cc, etc. are the hexadecimal bytes that you wish to scan for. Each line in the file represents one virus. The Virus Name for each virus is mandatory, and may be up to 25 characters in length. The double quotes (") are required at the beginning and end of each hexadecimal string. OS2SCAN will use the string file to search the Master Boot Record (partition table), Boot Sector, System files, all .COM and .EXE files, and overlay files with the extension .APP, .BIN, .COM, .EXE, .OV?, .PGM, .PIF, .PRG, .SWP, .SYS, and .XTP. Virus strings may contain wild cards. The two wildcard options are: FIXED POSITION WILDCARD The question mark "?" may be used to represent a wildcard in a fixed position within the string. For example, the string: "E9 7C 00 10 ? 37 CB" would match "E9 7C 00 10 27 37 CB", "E9 7C 00 10 9C 37 CB", or any other similar string, regardless of the fifth byte. OS2SCAN FOR OS/2 Version 9.20V109 Page 19 RANGE WILDCARD The asterisk "*", followed by range number in parentheses "(" and ")" is used to represent a variable number of adjoining random bytes. For example, the string: "E9 7C *(4) 37 CB" would match "E9 7C 00 37 CB", "E9 7C 00 11 37 CB", and "E9 7C 00 11 22 37 CB". The string "E9 7C 00 11 22 33 44 37 CB" would not match since the distance between 7C and 37 is greater than four bytes. You may specify a range of up to 99 bytes. Up to 10 different wildcards of either kind may be used in one virus string. COMMENTS A pound sign "#" at the beginning of a line will denote a comment. Use this for adding notes to the external virus data file. For example: #New .COM virus found in file FRITZ.EXE from #Schneiderland on 01-22-91 "53 48 45 45 50" Fritz-1 [F-1] gives a description of the virus, name of the infected file, where and when it was found, etc. APPENDIX B: Miscellaneous Application Notes OS2SCAN VALIDATION CODES If you have installed any new software or programs on your system, and are running OS2SCAN or VSHIELD for DOS with the /CF, /CG, or /CV validation codes options, you will need to reinstall validation codes to the new files with the /AF, /AG, or /AV add validation codes options of OS2SCAN. In addition, the SCANVAL.VAL hidden file containing validation codes for the partition table, boot sector, COMMAND.COM, and system files may have to be replaced (unhide the file with the ATTRIB command and then delete it). The quickest way to update the validation codes is to remove all validation codes from the hard disk and then add them back by running OS2SCAN with the /RV and then the /AV options. NOTE: This applies to any new version of DOS, as well as any programs which you install on your system. OS2SCAN FOR OS/2 Version 9.20V109 Page 20 IMPORTANT NOTICE - PLEASE READ! Due to the nature of anti-virus software, the slight chance exists that a virus may be reported in a file that is not infected by that virus. If you receive a report of a virus infection which you believe may be in error, please contact McAfee Associates by telephone at (408) 988-3832, by fax at (408) 970-9727, or upload the file to our BBS at (408) 988-4004 along with your name, address, daytime telephone number, and electronic mail address, if any.