Text File | 1993-07-30 | 35KB | 991 lines
NETSHIELD Version 1.52 (V106)
Copyright 1992, 1993 by McAfee Associates
All Rights Reserved
Documentation by Aryeh Goretsky
NOTE: Novell NetWare/386 is a registered trademark of
Novell, Inc.
McAfee Associates, Inc.          TEL             (408) 988-3832
2710 Walsh Avenue, Suite 200     FAX             (408) 970-9727
Santa Clara, California          BBS             (408) 988-4004
95051-0963                       COMPUSERVE      GO MCAFEE
USA                              INTERNET        support@mcafee.COM
                                 AMERICA ONLINE  McAfee
TABLE OF CONTENTS
    INTRODUCTION
    AUTHENTICITY
    WHAT'S NEW
    INSTALLATION
    OPERATION
    CONFIGURATION OPTIONS
    REPORT OPTIONS
    SIGNATURE CONTROL
    VIRUS REMOVAL
    TECHNICAL SUPPORT
    LICENSE
INTRODUCTION
NETSHIELD is an anti-virus NLM (NetWare Loadable Module)
for Novell NetWare/386 Version 3.11. It checks network file
servers for both known and unknown viruses. Known virus
detection, including stealth and polymorphic (mutation engine)
viruses, is done using McAfee Associates' VIRUSCAN virus
scanning technology. Unknown virus detection is handled by
computing two 16-bit Cyclic Redundancy Checks (CRC) against
files and then periodically comparing the file against its
CRC for changes.
Key features of NETSHIELD include checking files for
viruses as they are accessed on the server, performing a
scheduled scan, and notifying users if a virus is found.
NETSHIELD does not change the Last Accessed Date when
scanning files.
NETSHIELD runs on any Novell NetWare/386 3.11 file server.
It requires 660Kb of server memory and should utilize less
than 10% of the CPU. NETSHIELD is not compatible with version
3.10 of Novell NetWare/386.
AUTHENTICITY
NETSHIELD is packaged with the VALIDATE program to
ensure the integrity of the NETSHLD.NLM and VIR.DAT files.
The VALIDATE.DOC file tells how to use VALIDATE. VALIDATE
can be used to check subsequent versions of NETSHIELD for
tampering.
The validation results for Version 1.52 (V106) should be:
File Name:        NETSHLD.NLM    VIR.DAT
Size:             127,231        46,287
Date:             07-30-1993     06-24-1993
Check Method 1:   8598           5209
Check Method 2:   0E32           1ED0
If your copy of NETSHIELD differs, it may have been damaged.
Always obtain your copy of NETSHIELD from a known source. The
latest version of NETSHIELD and validation data for NETSHLD.NLM
and VIR.DAT can be obtained from McAfee Associates' bulletin
board system at (408) 988-4004, from the McAfee Virus Help
Forum on CompuServe (GO MCAFEE), via the Internet from the
pub/antivirus directory of the mcafee.com site, or from America
Online's McAfee Associates' area (Keyword: McAfee).
All versions of McAfee Associates' NETSHIELD have been
archived with Version 1.10 of PKWare's PKZIP Authentic File
Verification. If you do not see an "-AV" after every file is
unzipped and do not receive the "Authentic Files Verified! # NWN405
Zip Source: McAFEE ASSOCIATES" message, then you may be using a
different version of PKUNZIP, such as 2.04. Use PKUNZIP 1.10
if you wish to have Authenticity Verification displayed when
you unarchive the files.
WHAT'S NEW
NETSHIELD Version 1.52 automatically ignores changes
made to the Novell NetWare bindery files NET$OBJ.SYS,
NET$PROP.SYS, and NET$VAL.SYS when performing CRC checking
for unknown viruses. This prevents NETSHIELD from
reporting that these frequently-changing data files have
been infected by a virus.
Entries to the list of files or directories not to be
CRC-checked no longer have to be entered alphabetically.
Re-entering information into a field with prior data in
it (such as a file or directory name) clears the field if the
first key pressed is a non-editing (cursor, Insert, or
Delete) key.
Passwords are no longer case-sensitive.
NETSHIELD will accept the SUPERVISOR password in
place of the NETSHIELD password for any password-protected
options.
NETSHIELD can now be unloaded from the system console
prompt if password protection has not been selected.
NETSHIELD unloads in several seconds, instead of
taking two or more minutes to unload.
The "Print Configuration Report" option now prints
to printers attached to the file server.
INSTALLATION
Copy the NETSHLD.NLM and VIR.DAT files together into the
SYS:SYSTEM directory or any other directory. Add one of the
following lines to your AUTOEXEC.NCF file:
    LOAD NETSHLD
        runs NETSHIELD with the default settings and no
        configuration file
    LOAD NETSHLD LOAD
        runs NETSHIELD with the default configuration
        file, VIR$CFG.DAT, from the SYS:SYSTEM directory
    LOAD NETSHLD LOAD={path and filename}
        runs NETSHIELD with a user-specified configuration file
        from a user-specified directory
NOTE: If NETSHIELD is run from a directory other than SYS:SYSTEM,
the complete path and filename must be entered after the
"LOAD=" statement.
It is recommended that when NETSHIELD is installed for the
first time, a configuration file be created and saved for it.
This way, NETSHIELD will always be loaded with optimal virus
detection for your environment.
Unless otherwise specified, NETSHIELD creates, loads,
and saves configuration files and reports in the same
directory the NETSHLD.NLM file is located in.
OPERATION
When NETSHIELD is run the message "Please wait, loading
patterns." appears on the Novell Console screen. Once the
patterns have been loaded the Available Options Menu appears:
_________________ AVAILABLE OPTIONS MENU ______________________
Do a scan immediately (Terminate a current scan)
Configuration options
Report options
Signature control
Exit
_______________________________________________________________
NOTE: Options inside parentheses denote "toggled" options
OPTION: Do a scan immediately (Terminate a current scan)
MEANS: Starts (stops) scan of files for viruses.
EXPLANATION: Starts an Immediate scan of all selected
volumes for viruses. To choose which volumes are scanned,
select Configuration Options -> What to scan -> Volumes
to scan. Selecting "Terminate a current scan" will stop
an Immediate or Period (scheduled) scan.
OPTION: Configuration options
MEANS: Set NETSHIELD's parameters.
EXPLANATION: Brings up the Configuration Menu. From this
menu the various NETSHIELD parameters can be set. For
more information, please refer to the CONFIGURATION OPTIONS
section.
OPTION: Report Options
MEANS: Set reporting options, view log file.
EXPLANATION: Brings up the Report Options Menu. From this
menu the various NETSHIELD reporting options can be set. For
more information, please refer to the REPORT OPTIONS section.
OPTION: Signature Control
MEANS: Update or add virus signatures
EXPLANATION: Brings up the Signature Control Menu. From this
menu a new set of virus signatures can be loaded, a new virus
string can be added, and cross-server virus signature updating
can be toggled on and off. For more information, please refer
to the SIGNATURE CONTROL section.
OPTION: Exit
MEANS: Unload NETSHIELD
EXPLANATION: Shut down and exit to System Console. If an
"unload password" has been selected, it
must be entered before NETSHIELD unloads itself. NETSHIELD
can not be unloaded from the System Console command line.
If a regular (Immediate or Periodic) scan is being
performed, it will be halted when NETSHIELD unloads.
CONFIGURATION OPTIONS
The Configuration Menu is the menu from which various
parameters for NETSHIELD are set. From the Configuration
Menu, the following options may be selected:
__________________ CONFIGURATION MENU _________________________
On-access scanning options
Period-scanning options
Actions on virus detection
What to Scan
Contact options
Configuration file options
Speed/Accuracy controls
CRC controls
Password Access Control
Return to previous menu
_______________________________________________________________
OPTION: On-access scanning options
MEANS: Select accesses to trap for scanning.
EXPLANATION: Brings up the Trap Access Menu. From this menu
scanning can be selected for Incoming files, Outgoing files,
both, or None. Selecting "Return to Previous menu" or pressing
the Escape key returns to the previous menu.
OPTION: Period-scanning options
MEANS: Schedule a scan for a specific time.
EXPLANATION: Brings up the Activate/Deactivate Menu:
__________________ ACTIVATE/DEACTIVE MENU _____________________
Activate (Deactivate)
Priority to run with
Return to Previous Menu
_______________________________________________________________
NOTE: Options inside parentheses denote "toggled" options
The "Activate" item allows scans to be scheduled on a
Daily, Weekly, or Monthly basis.
When selecting a "Daily" scan, NETSHIELD will prompt
the user to enter the time to start scanning. Enter the
time in "24 hour" format, e.g., 1:00PM becomes 1300 hours.
Selecting "Deactivate" disables period-scanning. If a
period-scan is running when "Deactivate" is selected, the
scan will continue until finished. Select "Terminate a
current scan" from the Available Options Menu to halt a
current periodic scan.
Selecting "Priority to run with" sets the amount of
CPU time NETSHIELD is to use when performing a periodic
scan. Ten levels of priority are available, with 1 being
the highest (fastest) and 10 being the lowest (slowest). When run with a
priority setting of 1, 40-50% CPU usage is added and
approximately 1 file is scanned per second. When run with
a priority of 10, 1-2% CPU usage is added and 1 file is
scanned approximately every 10 seconds. If no priority is
set, priority 5 will be assumed. If a priority of 0 is set,
NETSHIELD will run at the speed of the previous major
release, Version 1.04 (there is no equivalent in the 1-10
settings for this priority).
Select "Return to Previous Menu" to return to the
previous menu with no changes made to the options.
NOTE: When scheduling a periodic scan it is recommended to
select a time when server utilization is low.
OPTION: Actions on virus detection
MEANS: What to do if a virus is found.
EXPLANATION: Brings up the "Actions to take on virus
detection" Menu. From here, the actions to take against
files and the list of users to contact when a virus is found
are configured.
Choosing "File Actions" brings up the "Action when
virus found" Menu. From here select from the following
options:
Selecting "Delete infected file" deletes virus-infected
files. Deleted files can be recovered by the SALVAGE
command.
Selecting "Overwrite and delete" wipes virus-infected
files. Files deleted in this manner can NOT be recovered.
Selecting "Move infected file" moves infected files
to the directory specified by "Set move-to directory."
Selecting "Leave infected files alone" performs no
action on infected files.
Selecting "Set move-to directory" chooses the destination
directory to which infected files are moved. If no directory
is specified then a subdirectory named \INFECTED is created in
the current directory and infected files are moved into it.
Selecting "Return to Previous Menu" displays the current
Action and returns to the previous menu.
OPTION: What to Scan
MEANS: Set areas of server, files and users to scan
EXPLANATION: Brings up the "What Areas to Scan and Exclude"
Menu from which volumes and file extensions to scan are
selected, and users and directories to ignore are selected.
The following options are available:
____________ WHAT AREAS TO SCAN AND EXCLUDE MENU ______________
Volumes to Scan
Change scanned extensions
Ignore Users
Skip directories
Return to Previous Menu
_______________________________________________________________
Selecting "Volumes to scan" determines which volumes
will be scanned during Immediate and Period (scheduled)
scanning. On-Access scanning checks all mounted volumes and
is not affected by this option. By default, all mounted
volumes are scanned. Press the INS key to insert a volume
name, the DEL key to remove one, and the ESC key to exit.
Selecting "Change scanned extensions" brings up the
"Change extensions scanned" menu. Select from the following
options:
_________________ CHANGE EXTENSIONS SCANNED ___________________
Extensions to scan on access
Extensions to scan during regular scan
Extensions that will NOT be scanned
Extensions that will be checked by CRC
Return to Previous Menu
_______________________________________________________________
Selecting "Extensions to scan on access" allows changes
to the list of file extensions checked during On-Access
scanning. By default, .COM, .EXE, .OV?, and .SYS are
selected.
Selecting "Extensions to scan during regular scan" allows
changes to the list of file extensions checked during Period
(scheduled) scanning. By default, .COM, .EXE, .OV?, and
.SYS are selected.
Selecting "Extensions that will NOT be scanned" allows
changes to the list of file extensions that you wish to
exclude from both types of scanning. This list is empty by
default.
Selecting "Extensions that will be checked by CRC" allows
changes to the list of file extensions to check for unknown
viruses using CRC checking. By default, .COM, .EXE, .OV?, and
.SYS are selected.
Press the INS key to insert a file extension, the DEL key
to remove them, and the ESC key to exit.
To scan ALL files, including data, for viruses remove any
current filename extensions and set the On Access and Regular
scanning extensions to "*".
NOTE: Scanning all files may impact server performance. For
this reason, scanning all files is generally not
recommended.
NOTE: Using "*" or "???" as an extension is not recommended
for CRC checking, since this will cause all files to
be added to the CRC data file, including data files,
batch files, bindery files and other files which
change frequently.
Selecting "Return to Previous Menu" displays the current
Action and returns to the previous menu.
Selecting "Ignore users" specifies which users should not
be scanned for virus-infected files. This option should only be
used to exclude accounts that run unattended processes, such as
network backup. This will allow the process to continue if the
account tries to access an infected file. "Ignore users" only
skips virus scanning during On-Access scanning; Immediate and
Period (scheduled) scanning will still occur, and entries will
still be added to the log file.
Selecting "Skip directories" selects which directories
will not be scanned for virus infected files. This option
should be used for excluding directories which contain virus-
infected files, such as the containment directory created by
NETSHIELD to move virus infected files into. When inserting
a directory to be skipped, the name of the file server,
volume and directory must be entered in the following format:
{file server}/{volume name}:/{directory}/
Note the placement of the forward slashes and colon.
Select "Non-CRC checked files" to enter directories
or files not to create CRC checks for. When inserting a
directory to be skipped, the name of the volume and the
subdirectory must be entered. When inserting a filename,
the complete volume, subdirectory, and filename must be
entered. No wildcards can be used for file or directory
names.
Selecting "Return to Previous Menu" displays the current
Action and returns to the previous menu.
OPTION: Configuration file options
MEANS: Load and save NETSHIELD configurations.
EXPLANATION: Selecting "Configuration file options" brings
up the "Save and Load Configurations" Menu. From here,
different configurations can be loaded, saved, and written.
Select "Load configuration file" to load a configuration
file for NETSHIELD.
Select "Save configuration file" to save a configuration
file for NETSHIELD.
NOTE: If no configuration file was specified when NETSHIELD
was loaded, then the default path is used and the
filename is set to VIR$CFG.DAT. Pressing any key will
clear the default and allow a new path and filename to
be entered.
Selecting "Write configuration report" allows an ASCII
text file containing NETSHIELD's options to be saved.
NETSHIELD defaults to a filename of VIR$CFG.TXT in the same
directory that the NETSHLD.NLM file is located in. Pressing
any key will clear the default filename and allow a new path
and filename to be entered.
NOTE: The configuration report must be written to the
network drive. It can not be written to the local
drive of a workstation.
Selecting "Print configuration report" allows the
configuration report to be sent to any print queue available
to the file server.
Selecting "Return to Previous Menu" displays the current
Action and returns to the previous menu.
OPTION: Speed/Accuracy controls
MEANS: Set NETSHIELD for speed or accuracy during scanning
EXPLANATION: This option optimizes NETSHIELD for speed or
for accuracy when scanning. When set to "Full Scanning"
NETSHIELD will check a greater portion of files for viruses
than when set to "Fast Scanning". Using "Fast Scanning" may
reduce the accuracy of NETSHIELD.
OPTION: CRC controls
MEANS: Set and configure CRC checking for unknown viruses
EXPLANATION: Brings up the "CRC Control" Menu. From here,
NETSHIELD can be set to detect unknown viruses using CRC
checking. Available options are:
Selecting "No CRC check" disables checking for unknown
viruses via CRC checks.
Selecting "Fast CRC" check performs a CRC check against
the beginning of a file. If no entry exists in the CRC data
file, NETSHIELD will create an entry for it.
Selecting "Full CRC check (SLOW!)" performs a CRC check
against all of a file. If no entry exists in the CRC data
file, NETSHIELD will create an entry for it.
Selecting "Set filename to store CRC's in" allows the
name and location of the CRC data file to be changed. By
default, it is set to VIR$CRC.DAT and stored in the same
directory as the NETSHLD.NLM file.
Selecting "Extensions that will be checked by CRC"
brings up the "Extensions to scan" pop-up menu. To add
extensions, press the INS key, to remove an extension, press
the DEL key, and to exit, press the ESC key.
NOTE: Using "*" or "???" as an extension is not recommended
since this will cause all files to be added to the
CRC data file, including data files, batch files,
bindery files and other files which are subject to
change frequently.
Selecting "Return to Previous Menu" displays the current
Action and returns to the previous menu.
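The CRC checking described in the INTRODUCTION and configured by the CRC controls above, sketched as an added Python example (not McAfee's code and not part of the original manual). CRC-16/ARC and CRC-16/XMODEM stand in for the two 16-bit CRCs the manual does not name, and the 512-byte fast-check prefix, the file names and the file contents are constructed for the illustration.

```python
import fnmatch
import os
import tempfile

# Assumptions: the manual does not name its two 16-bit CRCs, so CRC-16/ARC and
# CRC-16/XMODEM stand in; FAST_PREFIX is a hypothetical "beginning of a file" size.
FAST_PREFIX = 512
DEFAULT_EXTENSIONS = ("COM", "EXE", "OV?", "SYS")  # defaults per the manual
BINDERY_FILES = {"NET$OBJ.SYS", "NET$PROP.SYS", "NET$VAL.SYS"}  # ignored in 1.52


def crc16_arc(data):
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def crc16_xmodem(data):
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc


def is_crc_candidate(name, extensions=DEFAULT_EXTENSIONS):
    """Apply the extension list ('?' and '*' wildcards) and the bindery exclusion."""
    name = name.upper()
    if name in BINDERY_FILES:
        return False
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    return any(fnmatch.fnmatchcase(ext, pat.upper()) for pat in extensions)


def check_tree(root, baseline, full=False, extensions=DEFAULT_EXTENSIONS):
    """Flag files whose CRC pair differs from the baseline; add missing entries."""
    changed = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not is_crc_candidate(fname, extensions):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read() if full else fh.read(FAST_PREFIX)
            pair = (crc16_arc(data), crc16_xmodem(data))
            if baseline.setdefault(path, pair) != pair:
                changed.append(fname)
    return sorted(changed)


def demo():
    """Constructed sample files: baseline them, alter three, re-check per mode."""
    files = {"APP.EXE": b"MZ" + bytes(1000), "MENU.OVL": b"overlay" * 50,
             "NET$VAL.SYS": b"bindery v1", "REPORT.TXT": b"notes"}
    patched = bytearray(files["APP.EXE"])
    patched[900] ^= 0xFF  # one byte changed beyond FAST_PREFIX
    changes = {"APP.EXE": bytes(patched), "NET$VAL.SYS": b"bindery v2",
               "REPORT.TXT": b"notez"}
    with tempfile.TemporaryDirectory() as root:
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        fast, full, everything = {}, {}, {}
        check_tree(root, fast)  # first pass only creates entries
        check_tree(root, full, full=True)
        check_tree(root, everything, True, ("*",))
        for name, content in changes.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return {"fast": check_tree(root, fast),
                "full": check_tree(root, full, full=True),
                "all_extensions": check_tree(root, everything, True, ("*",))}


if __name__ == "__main__":
    print(demo())
```

In demo(), the fast check reports nothing for a change that lies past the prefix, the full check reports APP.EXE, and the "*" extension list also reports the edited REPORT.TXT, which is the noise the NOTE above warns about.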
OPTION: Password Access Control
MEANS: Set passwords to unload NLM or change configuration
EXPLANATION: Allows passwords to be set for exiting NETSHIELD
or changing its configuration.
Selecting "Enter Password" allows a password to be set
for unloading NETSHIELD and optionally changing NETSHIELD's
configuration. The password is not case-sensitive, can be up
to forty (40) characters long, and can be any mix of
alphanumeric and punctuation characters. If a password
exists, then it must be re-entered before the password can be
changed or removed.
Selecting "Enable Configuration Menu password (Disable
Configuration Menu password)" toggles between requiring the
password to change NETSHIELD's configuration and not
requiring it.
Selecting "Return to Previous Menu" returns to the
Configuration Menu.
REPORT OPTIONS
The Report Options Menu is the menu from which the
creation and viewing of NETSHIELD log files are set.
From the Report Options Menu, the following options may be
selected:
__________________ REPORT OPTIONS MENU _______________________
Set path for log file
Enable logging (Disable logging)
View log file
Print log file
Print and clear log
Clear log
Return to Previous Menu
_______________________________________________________________
OPTION: Set path for log file
MEANS: Select destination directory for report
EXPLANATION: Specifies the location to store reports created
by NETSHIELD. The current log file is always displayed. If
the log file has not been configured, the default filename
will be VIR$LOG.DAT. Press any key to clear the filename and
enter a new one.
OPTION: Enable Logging (Disable logging)
MEANS: Create (do not create) a log file
EXPLANATION: This option toggles creation of a virus incident
log file on and off.
OPTION: View log file
MEANS: Display log file
EXPLANATION: View any log files of virus incidents.
Use the HOME key to view the first entry in the log file,
the END key to view the last entry, the PGUP and PGDN keys to
view the log file one screen at a time, and the ESC key to
exit.
OPTION: Print log file
MEANS: Send log file to print queue
EXPLANATION: Displays a list of available print queues on
the server to print the log file to. Use the cursor keys
to select a print queue, ENTER to accept, and ESC to abort.
OPTION: Print and clear log file
MEANS: Send log file to print queue, erase log file
EXPLANATION: Displays a list of available print queues on
the server to print the log file to. After printing, the
log file is erased. Use the cursor keys to select a print
queue, ENTER to accept, and ESC to abort.
OPTION: Clear log
MEANS: Erase the current log file
EXPLANATION: Deletes the current log file.
Selecting "Return to Previous Menu" displays the current
Action and returns to the previous menu.
SIGNATURE CONTROL
The Signature Control Menu is the menu from which
NETSHIELD's virus signature file is updated and external
virus signature search strings are entered. From it,
the following options may be selected:
OPTION: Update signature with new VIR.DAT
MEANS: Load a new signature file into memory
EXPLANATION: Reads a new virus signature pattern file in
to memory. By default, the file VIR.DAT will be loaded
from the same directory the NETSHLD.NLM file is located in.
To change this, press a key and type in the new directory
and file name for the pattern file.
OPTION: Load external strings
MEANS: Insert a new individual virus signature string
EXPLANATION: Reads in a user-created ASCII text file
containing a search string for a new virus. For the beta
release, please refer to the VIRUSCAN documentation on how
to create one.
OPTION: Disallow cross server updating (Allow cross server updating)
MEANS: Enable (Disable) pattern updates between servers
EXPLANATION: Toggles on and off updates of virus signature
pattern files between different file servers running NETSHIELD
on the network.
OPTION: Return to previous menu
MEANS: Exit
EXPLANATION: Leaves the Signature Control Menu and returns to
the Available Options Menu.
VIRUS REMOVAL
It is strongly recommended that you get experienced help
in dealing with viruses if you are unfamiliar with anti-virus
software and methods. This is especially true for 'critical'
viruses that infect files whenever they are accessed and master
boot record (partition table) and boot sector infecting viruses
as improper removal can result in the loss of all data and use
of the infected disk(s).
If you require assistance with a computer virus incident,
you can contact McAfee Associates for help by BBS, FAX,
telephone, Internet, CompuServe, or America Online. There is
no charge for technical support directly from McAfee
Associates.
Technical support through any of McAfee Associates'
Authorized Agents may be billed at normal support rates.
All of McAfee Associates' programs can be downloaded from
our BBS, the mcafee.com or SIMTEL20 sites on the Internet, the
McAfee Virus Help Forum on CompuServe, the McAfee area on America
Online, or from any of the agents listed in the enclosed
AGENTS.TXT text file.
TECHNICAL SUPPORT
For fast and accurate help, please have the following
information ready when you contact McAfee Associates:
- Version number of NETSHIELD x.xx (Vyy)
- Brand and model of server, hard disk, installed
cards, and any other peripherals.
- Version of NetWare.
- Printouts of the AUTOEXEC.NCF and STARTUP.NCF files.
- Printout of NETSHIELD Configuration Report.
- The exact problem you are having. Please be as
specific as possible. Having a printout of the
screen and/or being at the system console will be
helpful.
In the case of a network crash, please include the following:
- Type of error from the ABEND Message.
- Thread which caused the error.
- What was NETSHIELD doing at the time of the crash.
- Is the problem reproducible?
Technical support can be contacted by BBS, CompuServe, FAX,
Internet, or America Online 24 hours a day, or by telephone at
(408) 988-3832, Monday through Friday, 7:00AM to 5:30PM Pacific
Time.
McAfee Associates                TEL             (408) 988-3832 office
2710 Walsh Avenue, Suite 200     FAX             (408) 970-9727
Santa Clara, CA 95051-0963       BBS             (408) 988-4004 (24 line)
U.S.A                                            USR HST/v.32/v.42bis/MNP 1-5
                                 COMPUSERVE      GO MCAFEE
ATTN: Technical Support          INTERNET        support@mcafee.COM
                                 AMERICA ONLINE  McAfee
If you are overseas, there may be an Authorized McAfee Associates
Agent in your area. Please refer to the AGENTS.TXT file for a
listing of McAfee Associates Agents.
LICENSE
NETSHIELD may be copied and distributed for testing and
evaluation purposes on a trial period of five (5) days. If you
wish to use NETSHIELD after the trial period, a license is
required. Licenses are available for internal use within
businesses, organizations, government agencies, and external
use by repair centers and other service organizations. License
fees are based on the size of the network or number of copies
required. Information on licensing can be obtained from McAfee
Associates or any of its Authorized Agents listed in the
accompanying AGENTS.TXT file.