home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
ShareWare OnLine 2
/
ShareWare OnLine Volume 2 (CMS Software)(1993).iso
/
virus
/
onet102.zip
/
ONET102.DOC
< prev
next >
Wrap
Text File
|
1993-02-27
|
36KB
|
934 lines
NETSCAN FOR OS/2 Version 9.14V102
Copyright (C) 1989 - 1993 by McAfee Associates
All rights reserved.
Documentation by Aryeh Goretsky.
McAfee Associates (408) 988-3832 office
3350 Scott Blvd, Bldg. 14 (408) 970-9727 fax
Santa Clara, CA 95054-3107 (408) 988-4004 BBS (25 lines)
U.S.A. USR HST/v.32/v.42bis/MNP1-5
CompuServe GO MCAFEE
InterNet support@mcafee.COM
TABLE OF CONTENTS:
WHAT'S NEW . . . . . . . . . . . . . . . . . . . . . . . . . .2
- New features added in this release
- System Requirements
OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . .3
- Detection of known viruses
- Detection of new and unknown viruses
SYNOPSIS . . . . . . . . . . . . . . . . . . . . . . . . . . .4
- Technical description of known virus detection
- Technical description of new/unknown virus detection
AUTHENTICITY . . . . . . . . . . . . . . . . . . . . . . . . .5
- How to verify the OS2NSCAN.EXE program file
COMMAND SUMMARY. . . . . . . . . . . . . . . . . . . . . . . .6
- One-line description of switches
OPTIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . .7
- Detailed explanation of switches
EXAMPLES . . . . . . . . . . . . . . . . . . . . . . . . . . .12
- Samples of frequently-used options
VIRUS REMOVAL. . . . . . . . . . . . . . . . . . . . . . . . .13
- How to manually remove a virus
REGISTRATION . . . . . . . . . . . . . . . . . . . . . . . . .14
- How to register OS2NSCAN
TECHNICAL SUPPORT INFORMATION . . . . . . . . . . . . . . . .15
- Information you should have ready when calling
OBTAINING THE LATEST VERSION OF OS2NSCAN . . . . . . . . . . .16
- BBS, CompuServe, and Internet access to OS2NSCAN
APPENDIX A . . . . . . . . . . . . . . . . . . . . . . . . . .17
- Creating a virus string file with the /EXT option
Page 1
OS2NSCAN FOR OS/2 Version 9.14V102 Page 2
WHAT'S NEW
NETSCAN for OS/2 Version 9.14V102 detects all viruses
that the current version SCAN for OS/2 can which are capable of
transferring over a network drive.
Beginning with Version 100, we are providing foreign
language support for VIRUSCAN, NETSCAN, and CLEAN-UP with an
external language file named MCAFEE.MSG. When the MCAFEE.MSG
file is present in the same directory as the OS2NSCAN.EXE file,
NETSCAN will automatically use the messages from the MCAFEE.MSG
file instead of the default English (American) messages in the
program. In order to accomodate this change, the /FR (French)
and /SP (Spanish) language switches have been removed and two
new files, FRENCH.MSG and SPANISH.MSG have been included with
this release. If you wish to use a foreign language, rename the
language file to MCAFEE.MSG. Support for other languages will
be added in the future.
Like it's DOS-based counterpart, NETSCAN (for DOS),
OS2NSCAN searches network drives for file-infecting viruses.
However, OS2NSCAN contains several important differences:
■ Since OS/2 operates in a protected mode environment it can
only check its own area of memory or "memory image" for
viruses. Viruses will not be checked for in memory on the
workstation OS2NSCAN is run from.
■ OS2NSCAN does not have the /CHKHI, /NOMEM, or /UNATTEND
switches that NETSCAN does.
■ The /SAVE switch does not modify the OS2NSCAN.EXE file.
Instead, it creates a NETSCAN.INI file.
■ OS2NSCAN does not return an ERRORLEVEL for DOS batch files.
OS2NSCAN detects all viruses that the current version of
NETSCAN for DOS does. For a complete list of known viruses,
refer to the enclosed VIRLIST.TXT file. For a description of
known viruses please refer to Patricia Hoffman's Hypertext VSUM.
OS2NSCAN FOR OS/2 Version 9.14V102 Page 3
SYSTEM REQUIREMENTS
OS2NSCAN requires IBM OS/2 Version 2.00(GA) or above.
OS2NSCAN works with 3COM 3/Share and 3/Open, Artisoft
LANTastic, AT&T StarLAN, Banyan VINES, DEC Pathworks, IBM and
Microsoft LAN Manager, Novell NetWare, and any other compatible
network operating systems. Contact McAfee Associates if you do
not see your network listed. For PC's please use SCAN for OS/2
instead.
NOTE: WRITE-PROTECT THE FLOPPY DISK CONTAINING THE NETSCAN FOR
OS/2 (OS2NSCAN.EXE) PROGRAM BEFORE SCANNING TO PREVENT IT
FROM BECOMING INFECTED BY A COMPUTER VIRUS.
OVERVIEW (Known Virus Detection)
OS2NSCAN FOR OS/2 Version 9.14V102 (filename OS2NSCAN.EXE)
identifies all viruses detected by the current version of
NETSCAN (for DOS). Some viruses have been modified so that
more than one "strain" exists. Counting such modifications,
there are 1,830 viruses.
OS2NSCAN checks files, subdirectories, and volumes for
pre-existing computer virus infections. It will identify the
virus infecting the system and the area where it was found,
giving the name of the virus as well as the I.D. code used with
CLEAN-UP to remove it.
Infected files can be removed using the /D switch in
OS2NSCAN to erase the file, or with the CLEAN-UP universal virus
removal (disinfection) program. CLEAN-UP is recommended because
in most cases it will eliminate the virus and fully restore
infected programs or system areas to normal operation. CLEAN-UP
is available for both DOS and OS/2.
The accompanying VIRLIST.TXT file lists describes all
viruses identified by OS2NSCAN and their associated I.D. codes
for removal by CLEAN-UP.
OVERVIEW (Unknown and New Virus Detection)
OS2NSCAN has three separate methods of detecting unknown and
new viruses:
■ Validation codes which can be periodically checked against
to look for the changes made by a virus to files or system
areas.
■ Generic and Family virus detectors to look for new viruses
which are derivatives of older viruses.
■ External virus signatures to insert new virus signature
strings on a temporary basis to OS2NSCAN.
OS2NSCAN FOR OS/2 Version 9.14V102 Page 4
SYNOPSIS (technical description of known virus detection)
OS2NSCAN detects known viruses by searching the system for
strings (sequences of bytes) unique to each computer virus and
reporting their presence if found. For viruses which encrypt or
cipher their code so that every infection of the virus is
different, OS2NSCAN uses detection algorithms (programs) that work
by statistical analysis, heuristics, or code disassembly.
SYNOPSIS (technical description of new/unknown virus detection)
OS2NSCAN checks for new or unknown viruses by comparing
files against previously-recorded validation (checksum) data.
OS2NSCAN has stores its validation code in the following way:
■ 52-bytes of validation (checksum) and recovery data are
recorded for each .COM and .EXE file. This information
can be stored offline (e.g., on a floppy diskette)
in a separate log file for recovery purposes. CLEAN-UP
can restore infected files using this information.
(see /AF, /CF, /RF switches)
OS2NSCAN also checks for new or unknown viruses by looking
for Generic or Family virus strings. These are strings that
have been found repeatedly in different viruses. Since virus
writers may use the older pieces of code for new viruses, this
allows OS2NSCAN to detect viruses which have not been written.
OS2NSCAN can be updated to search for new viruses by an
External Virus Data File, which allows the user to input new
search strings for viruses. (/EXT switch)
OS2NSCAN FOR OS/2 Version 9.14V102 Page 5
AUTHENTICITY
Before using OS2NSCAN for the first time, verify that it has
not been tampered with or infected by a virus by using the
enclosed VALIDATE for OS/2 (OS2VAL.EXE) program. For
instructions on using OS2VAL, please read the OS2VAL.DOC file.
The validation results for Version 9.14V102 should be:
FILE NAME: OS2NSCAN.EXE
SIZE: 202,016
DATE: 02-26-1993
FILE AUTHENTICATION
Check Method 1: 5A2F
Check Method 2: 05EF
If your copy of OS2NSCAN differs, it may have been damaged.
Always obtain your copy of OS2NSCAN from a known source. The
latest version of OS2NSCAN and validation data for OS2NSCAN.EXE
can be obtained from McAfee Associates' bulletin board system
at (408) 988-4004 or from the McAfee Virus Help Forum on
CompuServe (GO MCAFEE), or the mcafee.COM anonymous ftp site on
the Internet.
OS2NSCAN performs a self-check when run. If OS2NSCAN has
been modified in any way, a warning will be displayed and the
user will be prompted to either continue or quit. OS2NSCAN can
still check for viruses. However, if OS2NSCAN reports that it
has been damaged, it is recommended that a new copy be obtained.
Beginning with Version 72, all of McAfee Associates'
VIRUSCAN series are archived with PKWare's PKZIP Authentic File
Verification. If you do not see an "-AV" after every file is
unzipped and receive the "Authentic Files Verified! # NWN405
Zip Source: McAFEE ASSOCIATES" message when you unzip the files
then do not use them. If your version of PKUNZIP does not have
verification ability, then this message may not be displayed.
Please contact us if you believe tampering has occurred to the
.ZIP file.
OS2NSCAN FOR OS/2 Version 9.14V102 Page 6
COMMAND SUMMARY
IMPORTANT NOTE: WRITE PROTECT YOUR FLOPPY DISK BEFORE SCANNING
TO PREVENT INFECTION OF THE OS2NSCAN PROGRAM.
OS2NSCAN checks files on network file servers that can
contain a computer virus. When a virus is found, OS2NSCAN
identifies the virus and the file where it was found.
OS2NSCAN examines files based on their extension. The
default extensions supported by OS2NSCAN are .APP, .BIN, .COM,
.EXE, .OV?, .PGM, .PIF, .PRG, .SWP, .SYS, and .XTP. Additional
extensions can be added with the /E option, or use the /A to
check all files.
Valid options for OS2NSCAN are:
OS2NSCAN {drive(s)} {options}
{drive(s)} - Indicates a drive or drives to be scanned
Options are:
\ - Scan root directory and boot area only
/? /H or /HELP - Displays help screen
/A - Scan all files, including data, for viruses
/AF {filename} - Store recovery & validation data to {filename}
/BELL - Beep whenever a virus is found
/CERTIFY - List files that do not have a validation code
/CF {filename} - Check for viruses using recovery & validation
data stored in {filename}
/D - Overwrite and delete infected files
/E .xxx .yyy - Scan overlay extensions .XXX and .YYY
/EXT {filename} - Scan using external virus data from {filename}
/FAST - Speed up OS2NSCAN's output
(see below for specifics)
/HISTORY {fname} - Create infection log {fname} appending to old log
/NLZ - Skip internal scan of LZEXE-compressed files
(DOS executables only)
/NOBREAK - Disable Ctrl-C and Ctrl-Brk during scanning
/NOEXPIRE - Do not display expiration notice
/NOPAUSE - Disable screen pause when scanning
/NPKL - Skip internal scan of PKLITE-compressed files
(DOS executables only)
/REPORT {fname} - Create infection log {fname} deleting the old log
/RF filename - Remove recovery & validation data stored
/SAVE - Save specified options as new default options
/SUB - Scan all subdirectories inside a subdirectory
@{filename} - Scan using options from {filename}
OS2NSCAN FOR OS/2 Version 9.14V102 Page 7
OPTIONS
Following is a detailed description of OS2NSCAN's options.
Please note the /AF and /AG switches modify executable files.
This may cause other anti-viral programs to generate a warning.
/A - This option checks all files on the drive scanned and also
examines a greater portion of files. This substantially
increases the time required to scan disks and also increases
OS2NSCAN's ability to detect viruses in overlay files. It is
recommended this switch only be used when installing software
or if a file-infecting virus has been found. This option takes
priority over the /E option.
/AF {filename} - This option logs recovery and validation
data for .COM and .EXE files of a disk to a user-specified file.
The log file size is about 20Kb per 1,000 files validated.
Recovery from a virus using the /AF information requires the
CLEAN-UP program.
/BELL - This option tells OS2NSCAN to beep when a virus is found.
/CERTIFY - This option will audit a system for files that have
validation codes added to them with SCAN FOR OS/2'S /AG or /AV
switches. Files that have no validation code will be reported as
being uncertified by OS2NSCAN.
/CF {filename} - This option checks recovery and validation data
stored by the /AF option in {filename}. If a file or system
area has changed, OS2NSCAN reports that a viral infection may
have occurred. Using the /CG option adds about 25% more time to
scanning.
NOTE: Dual Boot systems change the Boot Sector between DOS and
OS/2 depending on which operating system is currently
active. This will cause OS2NSCAN to report that the boot
sector has been modified.
/D - This option tells OS2NSCAN to prompt the user to overwrite
and delete an infected files. Files erased by the /D option
can not be recovered. If the CLEAN-UP program is available,
it can be used to disinfect the file. Partition table and boot
sector viruses can not be removed by the /D option and require
the CLEAN-UP virus removal program.
/E .xxx .yyy - This option allows an additional extension or set
extensions to be scanned. Extensions should include a period "."
character and be separated by a space after the /E. Up to three
extensions may be added with the /E. For more extensions, use
the /A option instead.
OS2NSCAN FOR OS/2 Version 9.14V102 Page 8
/EXT {filename} - This option tells OS2NSCAN to search for viruses
using virus search strings from ASCII text file {filename}, in
addition to the viruses that OS2NSCAN looks for. For instructions
creating an external virus data file, refer to Appendix A.
NOTE: The /EXT option provides users with the ability to add
strings for detection of viruses on an interim or
emergency basis. When used with the /D option, it will
overwrite-and-delete infected files. This option is not
for general use and should be used with caution.
/FAST - This option speeds OS2NSCAN up by displaying less on the
the screen, skipping checking inside of LZEXE- and PKLITE-
compressed files (DOS only), and examining a smaller portion of
files during scanning. This may reduce the accuracy of OS2NSCAN.
/HISTORY {filename} - This option saves the output of OS2NSCAN
to {filename} in ASCII text file format. If {filename} exists,
OS2NSCAN will add the results of the current scan to the end.
/NLZ - This option tells OS2NSCAN not to look inside files
compressed with LZEXE, a file compression program for DOS
.EXE files. OS2NSCAN will still check LZEXE-compressed files for
viruses that may have become infected after LZEXE compression.
/NOBREAK - This option prevents Ctrl-C or Ctrl-Brk from aborting
the scanning process.
/NOEXPIRE - This option prevents OS2NSCAN from displaying a
warning message after 7 months warning that it may no longer be
current with respect to known computer viruses.
/NOPAUSE - This option disables the "More? (H = Help )" prompt
displayed when OS2NSCAN fills up a screen with 24 lines of text.
This allows OS2NSCAN to run on PC's with severe infections without
requiring operator assistance.
/NPKL - This option tells OS2NSCAN not to look inside files
compressed with PKLITE, a file compression program for DOS .EXE
files. OS2NSCAN will still check PKLITE-compressed files for
viruses that may have become infected after PKLITE compression.
/REPORT {filename} - This option saves the output of OS2NSCAN
to {filename} in ASCII text file format. If {filename} exists,
OS2NSCAN will erase it and replace with the current scan results.
/RF {filename} - This option removes recovery and validation
data from log file {filename} created by the /AF option.
OS2NSCAN FOR OS/2 Version 9.14V102 Page 9
/SAVE - This option stores any listed options for subsequent
executions of OS2NSCAN. The options are stored by creating a
file named OS2NSCAN.INI in the same directory as OS2NSCAN.EXE.
For example, the command:
OS2NSCAN /NOMEM /REPORT C:\OS2NSCAN.LOG /NOPAUSE /SAVE
saves the default options to /NOMEM, /REPORT C:\OS2NSCAN.LOG and
/NOPAUSE and will cause OS2NSCAN to use these options the next
time it is run. If OS2NSCAN is run with only the /SAVE switch,
the OS2NSCAN.INI file is removed. If you wish to use more than
one set of switches with OS2NSCAN, use the @{filename} option
instead.
/SUB - This option scans all subdirectories inside a
subdirectory. The /SUB switch is not required if you are
scanning a drive from the root level.
@{filename} - This option allows the user to run OS2NSCAN with
a configuration file listing the options and drives OS2NSCAN is
to check. Options need to be separated by a space, while drives
(disks, subdirectories, or files) need to be listed on separate
lines. A sample file might look like this:
/A /BELL /CF C:\MCAFEE\CF-FILE /REPORT G:\OS2NETSCAN_LOGFILE
F:
The first line contains the OS2NSCAN options while other lines
list the names of disks, subdirectories, or files to scan. The
file should be an ASCII text file.
OS2NSCAN FOR OS/2 Version 9.14V102 Page 10
EXAMPLES
The following examples show different option settings:
OS2NSCAN F:
To scan drive F:
OS2NSCAN F:ROBERT_HOOPER.EXE
Scans file "ROBERT_HOOPER.EXE" on drive F:
OS2NSCAN F: /A /CF C:\OS2NETSCAN\OS2NETSCAN.VALFILE
Scans all files and checks recovery data & validation
codes for unknown viruses on drive F:
OS2NSCAN G: /D /A
Scans all files on drive G: and prompt for erasure of
any infected files, if found.
OS2NSCAN F: G: H: /AF C:\OS2NETSCAN\OS2NETSCAN.VALFILE
Scan for viruses, add recovery data & validation codes
to files on drives F:, G:, and H:
OS2NSCAN M: N: /A /FR
Scan all files on drives M: and N: for viruses, and
display all messages in French.
OS2NSCAN X: Z: /E .WPM .COD
Scans drives X: and Z:, including .WPM and .COD files
OS2NSCAN F: /EXT A:SAMPLE.ASC /BELL
To scan drive F: for known computer viruses and also
for viruses added by the user via the external virus
data file option, and beep whenever a virus is found.
OS2NSCAN F: /NOPAUSE /REPORT C:INFECTN.RPT
To scan drive F: without stopping, and create a log
file INFECTN.RPT on drive C:
OS2NSCAN G:\PUBLIC\TMP /SUB
To scan all subdirectories under the directory
PUBLIC\TMP on drive G:
OS2NSCAN X: Y: Z: /FAST /CERTIFY
To perform a fast scan of drives X:, Y:, and Z: and
check for any files that do not have validation codes
added to them with VIRUSCAN FOR OS/2 (OS2SCAN.EXE)
OS2NSCAN F: C:\SCANOPTN.LST
To run OS2NSCAN against drive F: using configuration
file SCANOPTN.LST located in the root directory of
drive C:.
OS2NSCAN FOR OS/2 Version 9.14V102 Page 11
VIRUS REMOVAL
What do you do if a virus is found? You can contact McAfee
Associates for help, their authorized agents, or use the CLEAN-UP
program. CLEAN-UP is available for DOS (CLEAN.EXE) and OS/2
(OS2CLEAN.EXE).
McAfee Associates can be reached by BBS, CompuServe, FAX,
Internet, or Telephone and there is no charge for support calls
to McAfee Associates (Authorized agents may charge normal McAfee
Associates consulting rates.).
The CLEAN-UP universal virus disinfection program can
disinfect virtually all reported computer viruses. It is
updated with each release of the VIRUSCAN programs to remove new
viruses. CLEAN-UP can be downloaded from McAfee Associates'
BBS, the McAfee Virus Help Forum on CompuServe, and the
mcafee.COM and WSMR-SIMTEL20.Army.Mil sites on the Internet, or
from any of the agents' BBSes listed in the enclosed AGENTS.TXT
text file.
It is strongly recommended that you get experienced help in
dealing with viruses if you are unfamiliar with anti-virus
software and methods. This is especially true for 'critical'
viruses and partition table/boot sector infecting viruses as
improper removal of these viruses can result in the loss of
all data and the use of the infected disk(s).
Before removing a boot sector or partition table-infecting
virus, it is recommended that you cold boot the infected PC from
a clean DOS disk and backup any critical data.
For qualified assistance in removing a virus, contact
McAfee Associates directly or any of the Authorized Agents in
your area. Agents may charge McAfee Associates' normal consult
rates for their services.
If you wish to remove a file-infecting virus manually, cold
boot the PC from a clean (virus-free) OS/2 boot diskette and run
OS2NSCAN with the /A and /D switches to erase all infected files.
Any files removed in this manner can not be recovered.
OS2NSCAN FOR OS/2 Version 9.14V102 Page 12
LICENSE
OS2NSCAN may be copied and distributed for testing and
evaluation purposes on a trial period of five (5) days. If you
wish to use OS2NSCAN after the trial period, a license is
required. Licenses are available for internal use within
businesses, organizations, government agencies, and for external
use by repair centers and other service organizations. License
fees are based on the size of the network or number of copies
required. Information on licensing can be obtained from McAfee
Associates or any authorized agent listed in the AGENTS.TXT
file.
TECH SUPPORT
For fast and accurate help, please have the following
information ready when you contact McAfee Associates:
- Program name and version number.
- Type and brand of computer, hard disk, plus any
peripherals.
- Version of OS/2 (use the SYSLEVEL command to display).
- Printouts of your AUTOEXEC.BAT and CONFIG.SYS files.
- The exact problem you are having. Please be as
specific as possible. Having a printout of the
screen and/or being at your computer will be helpful.
McAfee Associates can be contacted by BBS, CompuServe, FAX, or
InterNet 24 hours a day, or by telephone at (408) 988-3832,
Monday through Friday, 7:00AM to 5:30PM Pacific Time.
If you are overseas, you can contact a McAfee Associates
Authorized Agent. Agents are located in over 50 countries
around the world and provide local sales and support for our
software. Please refer to the AGENTS.TXT file for a complete
list of McAfee Associates Agents.
OS2NSCAN FOR OS/2 Version 9.14V102 Page 13
OBTAINING THE LATEST VERSION OF McAFEE ASSOCIATES PROGRAMS
McAfee Associates regularly updates the VIRUSCAN series
of programs every 4 to 6 weeks to add new virus detectors,
new options, and fix reported bugs. To distribute these new
versions, we run a multi-line BBS, CompuServe Forum, and
Internet node.
BBS ACCESS
Our 25-line BBS is accessible 24 hours a day, 365 days a
year, except for scheduled downtime and maintenance. All lines
run US Robotics Courier HST Dual Standard ASL modems operating
from 1,200bps to 14,400bps with line settings of 8 data bits, no
parity, and one stop bit.
THE McAFEE VIRUS HELP FORUM ON COMPUSERVE
We are now sponsoring the McAfee Virus Help Forum on
CompuServe. To reach the McAfee Virus Help Forum type GO MCAFEE
at any CompuServe prompt. A free introductory membership is
available. For more information, please read the enclosed
COMPUSER.NOT file.
INTERNET ACCESS TO McAFEE ASSOCIATES SOFTWARE
The latest versions of McAfee Associates' anti-viral
software is now available by anonymous ftp (file transfer
protocol over the Internet from the site mcafee.COM. If
your domain resolver does not support names, use the IP#
192.187.128.1. Enter "anonymous" for your user I.D. and
your own email address for the password. Programs are
located in the pub/antivirus directory. If you have any
questions, please send email to support@mcafee.COM
McAfee Associates' DOS anti-viral software may be
found at the Simtel20 archive site WSMR-SIMTEL20.Army.MIL
in the PD1:<MSDOS.VIRUS> directory and its associated
mirror sites WUARCHIVE.WUSTL.EDU (US), NIC.SWITCH.CH (Swiss),
NIC.FUNET.FI (Finland), SRC.DOC.IC.AC (UK), and
RANA.CC.DEAK.OZ.AU (Australia).
OS2NSCAN FOR OS/2 Version 9.14V102 Page 14
APPENDIX A: Creating a Virus String File with the /EXT Option
NOTE: The /EXT option is intended for emergency and research
use only. It is a temporary method for identifying new
viruses prior to the subsequent release of OS2NSCAN. A
thorough understanding of viruses and string-search
techniques is advised for using this option. A string
length of 10 to 15 bytes is recommended.
The External Virus Data file should be created with an
editor or a word processor and saved as an ASCII text file. Be
sure each line ends with a Carriage Return/Line Feed pair.
The virus string file uses the following format:
#Comment about Virus_1
"aabbccddeeff..." Virus_1_Name
#Comment about Virus_2
"gghhiijjkkll..." Virus_2_Name
.
.
"uuvvwwxxyyzz..." Virus_n_Name
Where aa, bb, cc, etc. are the hexadecimal bytes that you wish
to scan for. Each line in the file represents one virus. The
Virus Name for each virus is mandatory, and may be up to 25
characters in length. The double quotes (") are required at the
beginning and end of each hexadecimal string.
OS2NSCAN will use the string file to search the Master Boot
Record (partition table), Boot Sector, System files, all .COM
and .EXE files, and overlay files with the extension .APP, .BIN,
.COM, .EXE, .OV?, .PGM, .PIF, .PRG, .SWP, .SYS, and .XTP.
Virus strings may contain wild cards. The two wildcard
options are:
FIXED POSITION WILDCARD
The question mark "?" may be used to represent a wildcard
in a fixed position within the string. For example, the string:
"E9 7C 00 10 ? 37 CB"
would match "E9 7C 00 10 27 37 CB", "E9 7C 00 10 9C 37 CB", or
any other similar string, regardless of the fifth byte.
OS2NSCAN FOR OS/2 Version 9.14V102 Page 15
RANGE WILDCARD
The asterisk "*", followed by range number in parentheses
"(" and ")" is used to represent a variable number of adjoining
random bytes. For example, the string:
"E9 7C *(4) 37 CB"
would match "E9 7C 00 37 CB", "E9 7C 00 11 37 CB", and
"E9 7C 00 11 22 37 CB". The string "E9 7C 00 11 22 33 44 37 CB"
would not match since the distance between 7C and 37 is greater
than four bytes. You may specify a range of up to 99 bytes.
Up to 10 different wildcards of either kind may be used in one
virus string.
COMMENTS
A pound sign "#" at the begining of a line will denote a
comment. Use this for adding notes to the external virus data
file. For example:
#New .COM virus found in file FRITZ.EXE from
#Schneiderland on 01-22-91
"53 48 45 45 50" Fritz-1 [F-1]
gives a description of the virus, name of the infected file,
where and when it was found, etc.
APPENDIX B: Miscellaneous Application Notes
OS2NSCAN VALIDATION CODES
If you have installed any new software or programs on your
system, and are running OS2NSCAN or VSHIELD for DOS with the /CF,
/CG, or /CV validation codes options, you will need to reinstall
validation codes to the new files with the /AF, /AG, or /AV
add validation codes options of OS2NSCAN. In addition, the
SCANVAL.VAL hidden file containing validation codes for the
partition table, boot sector, COMMAND.COM, and system files may
have to be replaced (unhide the file with the ATTRIB command
and then delete it).
The quickest way to update the validation codes is to
remove all validation codes from the hard disk and then add them
back by running OS2NSCAN with the /RV and then the /AV options.
NOTE: This applies to any new version of DOS, as well as any
programs which you install on your system.
OS2NSCAN FOR OS/2 Version 9.14V102 Page 16
IMPORTANT NOTICE - PLEASE READ!
Due to the nature of anti-virus software, the slight chance
exists that a virus may be reported in a file that is not
infected by that virus.
If you receive a report of a virus infection which you believe
may be in error, please contact McAfee Associates by telephone
at (408) 988-3832, by fax at (408) 970-9727, or upload the file
to our BBS at (408) 988-4004 along with your name, address,
daytime telephone number, and electronic mail address, if any.
