home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Network Support Library
/
RoseWare - Network Support Library.iso
/
security
/
pcsmn1.exe
/
PCSM.DOC
next >
Wrap
Text File
|
1993-05-05
|
55KB
|
1,453 lines
Administrator Guide
PC ScanMasterTM for NetWare
Version 1.21
"The user friendly way to enforce
your PC virus scan policy"
Serial Number: __________________
Documentation Revision 1.10
TABLE OF CONTENTS
Overview 1
Introduction 3
Requirements 4
Diskette Files 5
Quick Start - Installation and Operation Essentials 6
Installation Guide 8
PCSM - PC ScanMaster 8
PC Signature File 11
Configuration File 12
Interval Period 12
Grace Period 12
McAfee SCAN.EXE Options 13
Floppy Scanning 15
Disk Swapping 15
History Logs 16
Virus Notification List 16
Example SCAN.CFG files 17
Customizing Messages 17
PCSMA - Administrator Utility 18
Operation Guide 19
PCSM - PC ScanMaster 19
PCSMA - Administrator Utility 25
Simulating a Virus Detection 31
Troubleshooting 32
Diagnosing Problems 32
Common Questions and Problems 33
Maintenance/Update/Support Programs 34
Overview
A single virus, if spread undetected through your network
can cause untold financial loss and interruption of business
activity. The best insurance against such a disaster is a
regular scan of all PC and Network drives. Prevention
techniques and 'shields' alone, although useful, cannot
insulate today's networks from infection.
This risk to your business dictates that prudent network
administrators build in regular, required virus scans on all
PC and Network drives to assure that their networks are
virus free.
A single source solution is now available for Novell NetWare
network administrators for their virus detection needs.
NetPro Computing offers two virus programs for NOVELL
NetWare, PC ScanMaster and NetShield. PC ScanMaster is a
Virus Scan Manager for NOVELL workstations and NetShield is
a Virus Shield and Scan Manager for NetWare File Servers.
Both work in conjunction with the industry's leading Virus
Scan software from McAfee Associates.
PC ScanMaster assures that PCs logging into a NetWare
network are completely scanned on a regular basis and can
immediately notify administrators via a 25th line message
should a virus be detected. PC ScanMaster also minimizes
the impact on users by limiting how often a scan is
performed and by providing a grace period during which they
can choose the most convenient time to scan.
PC ScanMaster uses a combination of a Username and a
Workstation ID to uniquely identify each PC. This provides
easy recognition of the machines owner with unique
identification of each PC on a network. PC ScanMaster keeps
two databases, one for the current status of each machine,
and one for a chronological history of each machine's
activity and infections. Reporting tools provide
administrators with the ability to observe the quantity of
virus infections and determine their identity.
PC ScanMaster
There are many obstacles that even the most determined
administrators are unable to overcome when attempting to
maintain a virus free network. Some of the most significant
among these are:
Assurance that complete scans are performed on a regular
basis
Minimization of inconvenience to the user and administrator
alike
Immediate notification when a virus is detected
Maintenance of audit logs for scan activities and results
The network administrator must protect the network while not
interfering with normal business activity. PC ScanMaster
provides the balance and flexibility needed for NetWare
Administrators to ensure that virus scans are performed on
every drive of every user's workstation on a regular basis,
while minimizing the impact on normal business activity. In
short, PC ScanMaster is the user friendly way to enforce
your PC virus scan policy.
Introduction
The PC ScanMaster system consists of two separate programs:
1) PCSM.EXE performs and logs the PC virus scan activity
2) PCSMA.EXE is an Administration tool to manage and report
on the PC ScanMaster Logs and set certain configuration
parameters for PC ScanMaster.
PC ScanMaster works in conjunction with, and requires, the
popular PC Virus Scan software (SCAN.EXE) from McAfee
Associates. The McAfee programs are recognized as the
industry leader in virus detection software. They are
available as shareware for personal home use. Businesses,
corporations, organizations, government agencies, and
schools, require a site license to use the McAfee programs.
If you require a license for the McAfee programs, NetPro
Computing can provide site licenses and bundle the McAfee
programs with the NetPro Computing Virus Scan manager for
NetWare.
PC ScanMaster will work in either a login script, or in a
BATCH file called from a login script.
PC ScanMaster and its Administrator utility will:
Scan each PC from the login script entry or any BAT file
Limit scans to every N days with the optional Interval
period
Let users select the best time to scan within the optional
Grace period
Notify Administrators and users when a Virus is detected
Detect and scan all local hard drives
Detect and scan all floppy disk drives
Maintain audit logs of each user's scan record
Maintain a chronological history log of all viruses found
Display custom messages to users based on scan results
Allow quick, easy updates of parameters and messages on
multiple servers
Requirements
PC ScanMaster is designed for use on NOVELL NetWare network
operating systems. Workstations require approximately 250K
free RAM for PC ScanMaster (127K for PCSMA) and MS/PC DOS
3.10 or higher. PC ScanMaster requires the McAfee
Associates SCAN program.
Note: The memory required to run PC ScanMaster is
dependent on the size of SCAN.EXE and whether or not
the SWAP option is used. Before PC ScanMaster invokes
SCAN.EXE, it can swap itself completely out of memory.
If swapping is enabled the memory requirement is the
greater of that required by PC ScanMaster or that
required for the DOS shell plus the current version of
SCAN.EXE. PC ScanMaster and the current version (97)
of SCAN require less than 200K; however, the minimum
requirement is set at 250K if the SWAP option is on and
400K if the SWAP option is off. Note: PCSM does not
stay resident; when scanning is complete, nothing is
left in memory.
Diskette Files
The PCSM Diskette should contain the following files:
PCSM.EXE - PC ScanMaster
PCSMA.EXE - Administrator Utility
\SAMPLES\SCAN.CFG - Sample Configuration File
\SAMPLES\FAILED.MSG - Custom Message on Failed
\SAMPLES\PASSED.MSG - Custom Message on Passed
\SAMPLES\ABORTED.MSG - Custom Message on Abort
\VSIM\VSIM.DAT - Virus Simulation Data
\VSIM\VSIM.EXE - Simulated Infected File
If any of these files are missing, or corrupted please call
NetPro immediately.
Note : VSIM.EXE is not a real executable file and does NOT
contain a virus! The VSIM.DAT and VSIM.EXE can simulate
a virus detection for the purpose of testing without risking
exposure to a real infected file. See the section on
Simulating a Virus Detection for details. NetPro
Computing scans all of its software disks to assure
they are virus free prior to shipping.
Quick Start - Installation and Operation Essentials
For the experienced administrator who wants to get up and
running without reading lots of pages, the following Quick
Start provides the essential information to install and
operate PC ScanMaster.
For fully detailed installation and operation instructions
see the Installation and Operations sections of this manual.
Quick Start Essentials
1) The PC ScanMaster system has two programs; PCSM.EXE for
performing the scan, and PCSMA.EXE for accessing the scan
logs.
2) PC ScanMaster can be run either directly from a login
script or a BATCH file executed from the login script. PC
ScanMaster uses three directories as parameters which can
be separated by a space or a '@'.
#I:\VIRUS\PCSM.EXE I:\VIRUS\DATA@I:\VIRUS\SCAN@I:\VIRUS\CFGS
Or, from a BATCH file,
PCSM.EXE I:\VIRUS\DATA@I:\VIRUS\SCAN@I:\VIRUS\CFGS
Where:
I:\VIRUS\PCSM.EXE the drive\path\filename for PCSM.EXE (Read Only)
I:\VIRUS\DATA the drive\path where PCSM data exists (Read/Write)
I:\VIRUS\SCAN the drive\path where SCAN.EXE exists (Read Only)
I:\VIRUS\CFGS the drive\path where SCAN.CFG exists (Read Only)
3) The SCAN.CFG file can contain 6 parameters to control
the scan process, and up to 25 names to notify when a
virus is detected. The file is in standard ASCII format
as shown below with each value on a separate line; ie,
INTERVAL = 14 -Interval Period
GRACE = 3 -Grace Period
MCAFEE = /A -SCAN.EXE Options
FLOPPY = ON -Scan Floppy Drive
SWAP = ON -Swap PCSM to disk During Scan
HISTORY = FAIL -Save Failed Scans in History
NOTIFY = Joe Admin -1st Name to Send Virus Notice
NOTIFY = Jan Admin -2nd Name to Send Virus Notice
4) Optional custom message files, PASSED.MSG, FAILED.MSG,
and ABORTED.MSG may be placed in the same directory as
SCAN.EXE to customize the messages displayed to the user
when PC ScanMaster exits.
5) PCSMA requires one parameter, the directory of the Scan
Log files; ie,
PCSMA I:\VIRUS\DATA
Installation Guide
PCSM - PC ScanMaster
The PC ScanMaster program (PCSM) can be installed in a
matter of minutes with just three simple steps:
Setup the Directories and Rights Security
Copy the programs to their directories
Put PC ScanMaster in the LOGIN SCRIPT
PC ScanMaster will immediately take effect once these three
steps are complete. You can adjust its optional
configuration parameters and message files at any time
quickly and easily, on one or more servers, once PC
ScanMaster is operational.
There are four directories you must consider when installing
PC ScanMaster:
The directory where PCSM.EXE resides
The directory where the PC ScanMaster Logs will reside
The directory where the McAfee SCAN.EXE program
resides
The directory where the SCAN.CFG file resides
PCSM.EXE and SCAN.EXE can be in the same directory or
separate directories. For simplicity, it is recommended
that they be in same directory. To preclude the infection
of PC ScanMaster or SCAN, users should have READ ONLY access
to these programs. The directory where SCAN.EXE is found
may also contain optional configuration and message files.
The Scan Log directory requires MODIFY Access for everyone
and will generally be a dedicated directory.
Note: As a general rule, the administrator should setup a
separate User account to perform all administrator
activities. This way you cannot infect programs in
directories where you have special MODIFY access not
granted to others.
Step 1 - Setup the Directories and Trustee Rights
Create the directories and setup the Trustee Rights for the
proper access. As an example, you might use:
F:\SM for PCSM.EXE.
Set the rights for READ ONLY Access.
F:\SM\LOGS for the Scan Logs.
Set the rights for MODIFY Access.
F:\SM\SCAN for the SCAN.EXE, SCAN.CFG and any
.MSG files. Set the rights for READ
ONLY Access.
F:\SM\ADM for PCSMA.EXE.
Set the rights for Supervisory Access.
For the remainder of this example, we will assume that
PCSM.EXE is in the N:\SM directory, and SCAN.EXE is placed
in the N:\SM\SCAN directory.
Step 2 - Copy the programs to their directories
Copy the PCSM.EXE and SCAN.EXE files to directories created
in Step 1. They can both be in the same directory, or in
separate directories.
Note: If you like, you may also copy the samples of the
optional configuration and message files, SCAN.CFG,
PASSED.MSG, FAILED.MSG, ABORTED.MSG to the F:\SM\SCAN
directory now and edit them later.
Step 3 - Put PC ScanMaster in the LOGIN SCRIPT
Once the directories and programs are in place, modify the
user's login script or BATCH File called from the login
script to include PC ScanMaster.
PCSM.EXE takes a single string as an argument to specify its
needed directories. This string can contain three
directories separated by spaces to specify the directory for
the Scan Log, the directory for SCAN.EXE, and the directory
for the SCAN.CFG and message files as shown below.
PCSM.EXE F:\SM\LOGS@F:\SM\SCAN
Where
F:\SM\LOGS is the directory where the Scan Log is
maintained (MODIFY Access Required) PC
ScanMaster will automatically create
these logs when it is first run.
F:\SM\SCAN is the directory where SCAN.EXE and
SCAN.CFG (READ ONLY Access recommended)
is located.
Note: In this example the SCAN.EXE and the SCAN.CFG
files have been placed in the same directory. The
SCAN.CFG file can be placed in a separate directory, so
that different profiles can call different SCAN.CFG
files.
PCSM.EXE can be executed directly from the login script, or
from a BATCH file which the login script calls. To use it
directly in the login script, the syntax is as follows:
#F:\VIRUS\PCSM.EXE F:\SM\PCSM.EXE F:\SM\LOGS@F:\SM\SCAN
When executing from a BATCH file, the syntax is as follows:
F:\SM\PCSM.EXE F:\SM\LOGS@F:\SM\SCAN
When PCSM.EXE is run for the first time, the Scan Logs will
automatically be created. New workstations are
automatically added to the Scan Log when they first login
after PC ScanMaster has been added to the login script.
First time users will be placed in a 'Grace Mode' to ease
the introduction of a new system by giving users the length
of the grace period to let the scan complete before it is
first forced upon them.
Step 4 - Customize Configuration and Messages ( Optional )
PC ScanMaster's operational parameter file (SCAN.CFG) and
messages can be customized without modifying the login
script command or login script BATCH file anytime after
installation. Keeping this information in external files
allows you to easily and quickly update multiple copies of
PC ScanMaster on large networks as your virus condition
dictates.
PC Signature File
A Signature File, PCSM.SIG, is created on each hard disk to
uniquely identify the hardware being scanned. The signature
file contains two fields which identify a workstation's hard
disk within a PC ScanMaster database, USERNAME and USERADDR.
The signature file is automatically created when PC
ScanMaster is first run from a workstation. The value for
USER is taken from the user's user name. The value for
USERADDR is taken from the network address on each
individual network interface card.
Either value can be changed with an ASCII editor. The USER
field does not have to be a user name, any 64 character
string can be substituted. All log entries include both the
workstation signature values as well as the operator's user
name. The signature file can be placed in any directory you
wish, and defaults to C:\.
Note: The signature file is stored as a read-only hidden
file. To edit it manually, your editor may require
that the hidden attribute be removed in addition to the
read-only attribute.
Setup For Dial-In Users
The LoadPCSM utility has been provided to improve
performance for Dial-In users while retaining centralized
logging and control of parameters at the server. LoadPCSM
works as a small loader program for PCSM, that can execute a
local copy of both PCSM and SCAN.EXE when the user is dialed
in. This precludes a long delay while these files are
loaded from the network. LoadPCSM also performs version
control of the local copies to assure that the most recent
programs are being used.
LoadPCSM uses a DOS environment variable to indicate that
local copies of these programs should be used and what
directory they are to be stored in. If the directory is not
found it will be created. If PCSM.EXE and SCAN.EXE are not
found they will first be copied to the local drive. If
PCSM.EXE and SCAN.EXE are found on the local drive but they
are not the same versions as the ones on the network, they
will be copied over with the versions from the network.
When PCSM.EXE and SCAN.EXE have been found and verified
current, the local copies will be called with the parameters
passed to LoadPCSM (In this case PC ScanMaster will expect
to find SCAN.EXE in the same directory where PCSM.EXE is
located)
If LoadPCSM does not locate the special DOS environment
variable it will call the network version of PCSM.EXE with
the parameters passed to it.
Configuring LoadPCSM
Like PC ScanMaster, LoadPCSM can be run either directly from
a login script or a BATCH file executed from the login
script. Just like PC ScanMaster the following syntax would
be used.
#I:\VIRUS\LOADPCSM.EXE
I:\VIRUS\DATA@I:\VIRUS\SCAN@I:\VIRUS\CFGS
Or, from a batch file,
LOADPCSM.EXE I:\VIRUS\DATA@I:\VIRUS\SCAN@O:\VIRUS\CFGS
Make sure that LOADPCSM.EXE is located in the same network
directory as PCSM.EXE. When LoadPCSM is executed, it looks
for a DOS environment variable called LOCALPCSM, this
environment variable, if present, specifies the local
workstation directory where PCSM.EXE and SCAN.EXE reside.
Below is the proper syntax used to set this environment
variable.
SET LOCALPCSM = C:\VIRUS
Configuration File
The SCAN.CFG file must be kept in the same directory as
SCAN.EXE. This file is a standard ASCII text file which can
be created with any text editor. It can contain 6
parameters, and up to 25 user names, each on a separate line
. The parameters are Interval, Grace, McAfee, Floppy, Swap
and History. The user names designated by NOTIFY are users
who will be notified in the event a virus is detected.
If the SCAN.CFG or any of its parameters are not found,
default values are assumed. The definition of these
parameters are as follows:
Interval Period
The INTERVAL parameter sets the number of days after
the last complete scan that PCSM will wait before the
next scan is attempted. For example, assume the
Interval Period is 3 days, and the last completed scan
was on Monday morning with no viruses found. On
Tuesday and Wednesday morning a scan will not be
performed, but on Thursday morning when you login to
the network, PC ScanMaster will initiate a scan on your
PC.
The default Interval Period is 7 days.
Grace Period
The GRACE period parameter sets the number of days past
the Interval Period that the user is allowed to abort
the scan with a Ctrl-Break. Once the number of days
since the last complete scan exceeds the Interval
Period plus the Grace Period, the user must complete
the scan in order to login to the network. The Grace
Period is optional. If the Grace Period is 0, then as
soon as the Interval Period expires, the user must
complete the scan to login.
If the Grace Period is in effect when the user logs in,
they will be presented with the message "Scan Required
By MM/DD/YY" representing the day their Grace Period
expires. If the Grace Period has already expired, the
user will be presented with the message "Scan Required
to Login".
For example, assume the Interval Period is 2 days, and
the Grace Period is 2 days. If you last completed a
scan on Monday morning, then Tuesday morning the scan
would not be performed but on Wednesday morning when
you login to the network, a virus scan would be
initiated on your PC. However, since you see that you
have until Friday before the scan is required, you can
elect to scan and have it complete, or postpone until a
more convenient time by aborting the scan with a Ctrl-
Break. If by Friday you have not completed a scan,
when you login the message indicates that a scan is
required to login. Should you press Ctrl-Break when
this message is displayed, the scan simply restarts at
the beginning until you let it complete the scan.
The default Grace Period is 3 days.
McAfee SCAN.EXE Options
The McAfee SCAN.EXE program has numerous options
available. With the MCAFEE parameter in the SCAN.CFG
file, you can specify up to 80 characters of command
line options supported by SCAN.EXE.
Refer to the McAfee Documentation for a complete
description of all the options. Some of the options
you may find useful are:
/A - Scan All Files for Viruses
/M - Scan Memory for All Viruses
/D - Overwrite and delete infected file after
prompt
/EXT - Add external virus detection patterns
The /A option tells SCAN.EXE to scan all files
regardless of their extension. Without the /A option
SCAN.EXE will scan only .BIN, .COM, .EXE, .OV?, .PGM,
.PIF, .PRG, .SYS and .XTP files. This option will
substantially increase scanning time. McAfee
recommends that the /A option be used only after a
virus has already been detected, and additional
protection against re-infection is necessary.
The /M option tells SCAN .EXE to check system memory
for all known computer viruses that can inhabit memory.
SCAN by default only checks memory for critical viruses
which can cause catastrophic damage or spread the
infection during the scanning process. Refer to the
McAfee Documentation for a list of the viruses checked
for without this parameter. We recommend the use of
this option since it takes very little extra time.
The /D option tells SCAN.EXE to prompt the user to
overwrite and delete an infected file when one is
found. If the user selects "Y" the infected file will
be overwritten and deleted. A file erased by the /D
option can not be recovered. Boot sector and partition
table infections can not be removed by the /D option
and require the McAfee CLEAN-UP virus disinfection
program. We do not recommend the use of this option
with PC ScanMaster when you are using the 'User Name to
Notify' option in SCAN.CFG. The "Virus Found" notice
is sent to the user name specified when control is
returned back to PC ScanMaster after a virus has been
detected. Use of this option may preclude control
being returned to PC ScanMaster promptly or at all, and
therefore interfere with the notification process.
The /EXT tells SCAN.EXE the name of a file that
contains additional patterns that, if found, should be
considered to be the sign of a virus. It can be
utilized for simulating a virus detection. See
Simulating a Virus Detection.
Note: If no parameters are specified on the McAfee
line of SCAN.CFG, SCAN.exe will default to
none. The /NOPAUSE and /REPORT parameters are
automatically used by PC ScanMaster. Do not put
these parameters in the McAfee field of SCAN.CFG.
Floppy Scanning
The configuration file parameter, 'FLOPPY = ', is used to
enable the scanning of floppy drives in addition to hard
drives. When 'FLOPPY = ON' is specified, PC ScanMaster
will detect and scan any floppy diskettes that are scannable
and pass those drive letters to the SCAN.EXE in addition to
the hard drive letters. A drive is considered scannable if
the drive door is closed, and a DOS formatted diskette is
installed.
The default floppy scan value is OFF.
Note: When scanning workstations with no hard disk, no
floppy scans will be performed regardless of the value
of the FLOPPY parameter.
Disk Swapping
Prior to execution of the McAfee SCAN.EXE, PCSM.EXE can be
swapped out of memory to a PC hard drive, thus reducing
overall memory requirements. If this option is not
specified PCSM.EXE is automatically swapped to disk. If no
swapping is desired the Swap line in the SCAN.CFG file can
be set to off, or the DOS environment variable PCSMSWAP can
be set to OFF. Since the DOS environment variable is local,
it will assume priority over the option stated in the
SCAN.CFG file. The DOS variable allows individual PCs to
override the prescribed SWAP option, in case of memory or
disk restrictions.
File Service User Workstation Result
PCSM.CFG File DOS SET PCSMSWAP
SWAP=ON SET PCSMSWAP=ON Swap to Disk
SWAP=OFF SET PCSMSWAP=ON Swap to Disk
SWAP=ON SET PCSMSWAP=OFF No Swap
SWAP=OFF SET PCSMSWAP=OFF No Swap
The default Swap option is ON.
History Logs
The History parameter in the SCAN.CFG file tells PCSM what
factors to take into account when data is logged. Rather
than logging all scans performed, PCSM allows the
Administrator to determine when information should be
recorded regarding a particular scan. This status is
determined by editing the History line in the SCAN.CFG file.
The following parameters can be used.
HISTORY=PASS -Passed Scans Only
HISTORY=FAIL -Failed Scans Only
HISTORY=ABORT FAIL -Failed or Aborted Scans Only
HISTORY=PASS FAIL ABORT ERROR -All
HISTORY=ALL -All
HISTORY=NONE -All
The default History option is FAIL.
Virus Notification List
The NOTIFY parameter is used to specify the user names to be
notified if a virus is detected. The names must be valid
user names. Up to 25 NOTIFY entries may be included in the
SCAN.CFG file, each on a separate line. Patterns and
Listnames are not currently supported. If no valid names
are provided, no notification is sent.
If a virus is detected at a user's PC, it is logged in the
scan and history logs, the user's login is halted and a
message is displayed to the user. The message can be a
default message to notify their administrator or a custom
message of your choice. If the SCAN.CFG is present and
names are in the Virus Notification List, those user names
listed will be notified that a virus has been detected on
the users PC. Notification is sent via a 25th line bleep
every 60 seconds until the PC with the infection is
rebooted. The messages will indicate "Virus Found:" and the
user name of the user with the infected PC.
Example SCAN.CFG files
The sample SCAN.CFG file provided contains the following:
INTERVAL = 5
GRACE = 3
MCAFEE = /M
FLOPPY = ON
SWAP = ON
HISTORY = FAIL
NOTIFY = Name1
NOTIFY = Name2
On a network with these parameters, each user's PC will
automatically be scanned every five days. He or she will
have the option of breaking out of this scan for three days
during the grace period. Eight days after the last scan, he
or she will be forced to scan prior to logging in to the
network. The /M option on the McAfee line will provide
additional memory scanning. If there is a floppy disk in a
drive with the door closed, it will be scanned as well.
PCSM will swap itself to disk while the SCAN.EXE program is
executing, this will insure that the PC will have additional
memory to run SCAN.EXE. Since the history parameter is set
for fail, only scans in which a virus has been detected will
be recorded in the history log files. The user names
designated on the NOTIFY lines will be alerted if any
viruses are detected.
Customizing Messages
PC ScanMaster can display custom messages to the user on any
of the three possible exit conditions: PASSED, FAILED, or
ABORTED. Optional text message files called PASSED.MSG,
FAILED.MSG, ABORTED.MSG can be placed in the Scan Log
directory. As PC ScanMaster exits, it looks for the Message
file matching the exit condition and if found, displays it
until the user presses a key.
These message files should only contain text or line draw
characters and be no larger than 79 columns wide and 19 rows
long.
These message files are optional; however, use of the
FAILED.MSG file is recommended to instruct the user
regarding what to do or who to call should a virus be found
on their PC.
PCSMA - Administrator Utility
The PC ScanMaster Administrator utility does not require
installation; however, a BATCH file can be created to
simplify its use. To run PCSMA, you must supply the
directory name of the scan logs that you wish it to view, as
in the following example:
PCSMA F:\SM\LOGS
where F:\SM\LOGS is the drive\path where the Scan
Log files are (This is the same Scan Log
data directory specified in the PC
ScanMaster parameter)
NetPro Computing recommends that the PC ScanMaster
administrator utility (PCSMA) be copied to a local fixed
drive or put in a secure subdirectory in order to restrict
access to its administrator-level functions.
Operation Guide
PCSM - PC ScanMaster
When a user logs onto the NetWare network, PC ScanMaster is
automatically run from the login script. PC ScanMaster
first locates the signature file, reads the SCAN.CFG for
control parameters and then locates the workstation's scan
log record in the database to determine if a scan is needed.
If PCSM.SIG is not found...
and the workstation has a hard disk, the signature file is
created in the directory on C: configured by PCSMA. If the
workstation has no hard disk, no PCSM.SIG file is created
and no scan is performed.
When a Signature file is first created, the values for USER
and WORKSTATION are based on the current user's user name,
and the next unused PC# value in the PC ScanMaster database
for that user name. For example, if a signature file is
being created for 'Bob' and no other signature exists for
this user name, the workstation ID used will be PC1. Now if
'Bob' logs in on a second machine, PC2 will be used to make
that signature unique.
New workstation signatures are automatically added to the
logs, and a scan is initiated. New workstations start in a
grace period mode. For example, if the grace period is 3
days, then new workstations will be able to break out of the
scan for 3 days before a scan is forced upon them. This is
done to ease the introduction of a new system.
Note: Changing the directory for the PCSM.SIG file using
PCSMA after users have PCSM.SIG files created will
cause a new signature to be created for each
workstation. In this case PC ScanMaster will create a
new signature and file for that workstation, a new
entry in the PC ScanMaster database, and leave any old
PCSM.SIG file in place. For this reason, it is
recommended that the signature file directory value set
in PCSMA not be changed once in production.
If PCSM.SIG is found...
then the USER and WORKSTATION signature values are read and
used to search the database for the scan history of that
workstation.
If that signature is not found in the database, a database
entry is added and a scan is initiated in the Grace Mode.
This may happen if the database is erased, or if a user logs
in at another person's workstation and his login script maps
him to a PC ScanMaster database not normally used by that
workstation.
If SCAN.CFG is not found...
then PC ScanMaster will use the following default settings:
Default SCAN.CFG Parameters
Interval - 7
Grace - 3
Floppy - OFF
McAfee - (None)
Swap - ON
History - FAIL
Virus Notification Names - (None)
If SCAN.CFG is found...
then the parameters listed above will be read from SCAN.CFG
and used by PC ScanMaster. The parameters are interpreted
based upon the label which they follow. If a label is not
present or has a blank entry, the default value for that
parameter is used.
If the Interval Period is 0 days...
then a scan will be initiated every time the user logs into
the network. The scan may or may not be required depending
on the value of the Grace Period and the time of their last
complete scan.
If the Interval Period is not 0 days...
then PC ScanMaster will check to see if the user completed a
virus scan on the workstation within the number of days
specified by the Interval Period. If the number of days
since the last completed scan is equal to or greater than
the Interval Period, a virus scan is initiated. If PC
ScanMaster determines that a virus scan is not needed, it
simply allows the user to login without interruption.
If the Grace Period is 0 days...
then every time a scan is initiated by PC ScanMaster, it
will require the users to complete the scan before they are
allowed to login.
If the Grace Period is not 0 days...
then when a scan is initiated, PC ScanMaster will check to
see if the number of days since the last scan is equal to or
greater than the Interval Period plus the Grace Period. If
the grace period has not expired, a message will be
displayed indicating the date the grace period ends, and
they will be allowed to abort using Ctrl-Break until that
date. If the grace period has expired, then a message will
be displayed indicating that the scan is required to login.
If the Floppy Scan is enabled...
then workstations with hard disks will have their floppy
drives scanned also if a scannable floppy diskette in loaded
in a drive A: or B:. No errors will occur if floppies are
not installed or if un-formatted floppies are installed. If
drive A: or B: assignments are temporarily swapped, the
correct drive letter will be selected.
Note: Only workstations with hard disks can have
floppies scanned due to the need of a Signature to
identify the machine and a swap directory for PCSM.
If the Virus Notification List is blank...
then nobody other than the user at the infected PC will be
notified if a virus is detected. The Virus detection will
still be logged in the Scan Logs regardless of the value of
this field.
If the Virus Notification List is not blank...
then the Users listed will be notified by a 25th line
message indicating the user name of the user with the virus.
These messages will be broadcast to all names on the Virus
Notification List. The 25th line bleep will repeat every 60
seconds until the infected PC is rebooted.
The 25th line message broadcast to the Virus Notification
List is similar to the one below:
Virus Found: Ken Fine
If a Scan is Required...
when the user logs in, they will see a screen like the
following with a message in the PC ScanMaster display window
indicating "Scan Required to Login".
Should the user attempt to abort the scan with a Ctrl-Break,
the Scan will be restarted until the user allows the scan to
complete. If the user reboots, it is logged in the Scan Log
as an aborted scan, and scanning will be required again upon
their next login attempt.
If a Scan is Initiated but not Required...
when the user logs in, they will see a screen like the
following with a message in the PC ScanMaster display window
indicating "Must Scan By MM/DD/YY" where the date specified
is the date that their grace period expires.
If the user aborts the scan with a Ctrl-Break they will be
allowed to login without completing the scan. The Scan Log
will record an aborted scan.
While the Scan is in progress...
the user can watch the activity of the scan. The PC
ScanMaster window will display all drives to be scanned, and
flash the drive letter that it is currently scanning. The
SCAN program will display the files as they are being
scanned, and the names of any files found infected.
Note: If a large number of drive's are scanned, or if
multiple viruses are found, the screen may scroll.
This will not affect the performance of PC ScanMaster.
Messages Displayed after the Scan...
are based on the 3 possible exit conditions with which PC
ScanMaster exits, and the presence of a corresponding custom
message file.
Each Scan that begins, will end in one of the following
conditions:
Passed - Complete and no virus found
Failed - Complete and virus found
Aborted - Aborted with Ctrl-Break during Grace Period
When PC ScanMaster ends it will display a message to the
user appropriate to the result of the scan. If the Scan
Passed or Aborted, the message will be displayed for five
minutes or until the user presses a key. If the Scan
Failed, the message will be displayed and the user will not
be able to continue without rebooting the machine.
The following are the default messages that will be
displayed for the Passed, Failed and Aborted conditions
respectively:
No Viruses Found
Virus Found - Contact Your Network Administrator Immediately!
Virus Scan Aborted
If the custom message file is found matching the exit
condition, its contents are displayed instead of the above
default message.
Scan Results..
can be logged depending on the parameters defined on the
History line of the SCAN.CFG file. Below is the information
that may be logged for each USER/WORKSTATION Signature:
Operator's User Name
Last Successful Scan Date/Time
Last Successful Scan Drives (fixed drives which were scanned)
Last Successful Scan Duration (elapsed time in minutes)
Last Successful Scan Result (Passed)
Last Attempted Scan Date/Time
Last Attempted Scan Drives (fixed drives which were scanned)
Last Attempted Scan Duration (elapsed time in minutes)
Last Attempted Scan Result (Passed, Failed, or Aborted)
Consecutive Aborted Scans
PCSMA - Administrator Utility
The PC ScanMaster Administrator utility, PCSMA, enables the
administrator to view, and modify the scan log database, as
well as generate history reports.
PCSMA.EXE requires as a parameter the name of the directory
where the scan logs reside. The syntax for PCSMA is:
PCSMA F:\SM\LOGS
Where F:\SM\LOGS is the directory where the Scan Logs are
kept.
We recommend that you place the PCSMA utility in a secure
directory or on a local hard drive to preclude unauthorized
access, and create a BATCH file to call it with the
appropriate directory.
When you run the Administrator utility you will see a screen
like the following:
From this screen the administrator can select any of the
options shown, or return to DOS by pressing ESC.
Last Scan Results
This menu choice is used to access and manage details
regarding the last scan of individual users. From the
screen shown below, the operator can execute any of the
entries specified on the top portion of the screen. Users
can be located using the PgUp/PgDn keys or by selecting the
machine or operator name search options.
Each USER/WORKSTATION scan log consists of the following
fields plus a detailed memo of the last scans results:
User Name of USER/WORKSTATION Signature
User Address of USER/WORKSTATION Signature
Last Successful Scan (date, time, drives, result,
elapsed scan time)
Last Attempted Scan (date, time, drives, result,
elapsed scan time)
Consecutive Aborts since last complete scan
Force Next Scan flag
The Last Successful Scan field contains the data of the last
time a complete scan was performed and no virus was found.
The Last Attempted Scan field contains data of the last time
a scan was initiated for that user. If the last attempted
scan was completed and no virus was found, then both fields
will contain identical data. These fields contain the date
and time of the scan, the drives scanned, the result, and
the time required to complete the scan.
The Consecutive Abort field shows how many times the user
has aborted the scan process since their Last Successful
Scan.
The Force Scan Flag is used to force a user to scan on their
next login without regard to the Interval Period, Grace
Period, and Last Complete Scan Date. It can be set manually
on one or all users, and is set if a scan detects a virus.
Scan History Log
The History log which is shown below contains a complete
history of all scan activity for each workstation. The
information that is logged is determined by the history
setting in the SCAN.CFG file. These options are Pass, Fail,
Abort, Error, All, or None.
As with the Last Scan Results entries, these entries can be
selected by either using the PgUp/PgDn keys, or by selecting
the Machine or Operator name search options.
As with the Last Results Log, the Scan History Log records
the User Name, User Address, and Operator Name.
The Scan Date/Time field displays the time that this record
was created. It is based on the starting time of the scan.
The Scan Result field shows whether the scan passed, failed,
aborted, or encountered an error. This result entry is
dependent on the information included on the History line of
the SCAN.CFG file.
Scan Duration represents the time from start to finish that
the scan took to complete.
All drives on any PC whether virtual or physical will be
scanned by PCSM. The drives that were scanned are recorded
on the Scan Drive List entry.
Reports Menu
The Report Menu, which is shown below, allows the operator
to print out reports based on several different criteria.
The reports are determined by Data Source, Report Contents,
and Sort/Order. Using this feature is an excellent way to
store history logs, rather than having to maintain, and view
large amounts of scan history data.
Configure PCSM Installation
The Modify Configuration menu is used to determine what this
PCSM installation will be titled, the location of sig files,
and what type of notification will be used.
The system identification is included in all reports and
25th line messages. The purpose of the System
Identification is to determine which instance of PC
ScanMaster a message or report came from on multi-server
networks.
The Signature File Drive Path parameter allows the
administrator to specify a specific directory where the
Signature File is to be located. The default is the root
directory of drive C.
Note: NetPro recommends that the directory for the PCSM.SIG
file is determined before users have been mapped to PC
ScanMaster and not changed afterward. If this
directory is changed after the PC ScanMaster is in use,
new Signature files will be created for each user.
The last option allows on this menu allow the operator to
determine what type of message will be sent to users
specified in the notify list of the SCAN.CFG file. If the
"Notify by Bleep Message" is set to YES Users on the list
will be sent a 25th line message.
Index PCSM Database Files
This choice on the main menu will rebuild the index files to
the scan log. This is only needed in rare cases should the
scan log's files become corrupted.
Force All To Scan
This choice on the main menu will set the Force Next Scan
Flag to ON for all USER/WORKSTATIONS in the database after
first prompting for confirmation.
Simulating a Virus Detection
It is sometimes desirable to simulate a Virus detection to
test your message file or notification process. The McAfee
SCAN.EXE program has a facility which makes simulating a
Virus detection easy and safe.
The SCAN.EXE searches files for byte patterns that indicate
known viruses. One of the SCAN.EXE options is /EXT allowing
you to specify an external file with additional byte
patterns which should be considered an indication of a
virus. By using this option, we can add a byte pattern of a
known string and create a file containing that string.
SCAN.EXE will then detect that file as containing a possible
virus.
Two files on the distribution diskette, VSIM.DAT and
VSIM.EXE, are provided for simulating a virus detection.
VSIM.DAT is a data file which can be used by SCAN.EXE to add
the pattern 'Fake!Virus' to the list of byte patterns that
it considers to be an indication of a virus. VSIM.EXE is a
text file containing only that string. It is renamed to an
EXE so that SCAN.EXE will scan it.
To simulate virus detection with PC ScanMaster, add a line
similar to the following to the SCAN Options line (3rd line)
of the SCAN.CFG file:
/EXT N:\SM\VSIM.DAT
Where: N:\SM is the path where you have placed VSIM.DAT
Place the VSIM.EXE on your C: drive. When PC ScanMaster is
run, it will detect the file VSIM.EXE as being infected and
report "Found Fake Virus". PC ScanMaster will act as though
a real virus has been detected.
NOTE: This works by telling SCAN.EXE to recognize the byte
pattern "Fake!Virus" as an indication of a virus we have
named "Fake Virus". The VSIM.EXE is a simple ASCII file
containing the string "Fake!Virus". When scanned, it is
considered infected. Simply remove the /EXT option or
change the string in VSIM.EXE to disable the simulation.
Troubleshooting
Diagnosing Problems
In order to help diagnose problems that might be encountered
while using PCSM, NetPro has provided a means for logging
PCSM's status by setting a DOS environment variable. To set
this variable, at a DOS prompt type....
SET PCSMLOG=ON
When PCSM.EXE is executed, diagnostic data will be recorded
in a file called PCSM.LOG located on the C: drive in the
root directory. Below is a sample PCSM.LOG file...
03/20/92 13:56:31 Program expires NEVER
03/20/92 13:56:31 From command line, SCAN.EXE path is: F:\PUBLIC\PCSM
03/20/92 13:56:31 From command line, PCSM data path is: F:\PUBLIC\PCSM\LOGS
03/20/92 13:56:31 From command line, home path is: F:\
03/20/92 13:56:31 From SCAN.CFG, interval period is: 0
03/20/92 13:56:31 From SCAN.CFG, grace period is: 1
03/20/92 13:56:31 From SCAN.CFG, McAfee parameters are: /M
03/20/92 13:56:31 From SCAN.CFG, floppy switch is ON
03/20/92 13:56:32 From SYST32.SMD, system name is PCSM from NetPro Computing
03/20/92 13:56:32 From SYST32.SMD, workstation path is C:
03/20/92 13:56:32 SET PCSMLOCAL is false
03/20/92 13:56:32 PCSM.SIG hidden attribute removed
03/20/92 13:56:32 PCSM.SIG read-only attribute removed
03/20/92 13:56:32 Username found in PCSM.SIG is ROSS HOLEMAN
03/20/92 13:56:32 User ID found in PCSM.SIG is PC2
03/20/92 13:56:32 PCSM.SIG hidden attribute set
03/20/92 13:56:32 PCSM.SIG read-only attribute set
03/20/92 13:56:35 Detected hardware local drives => CD
03/20/92 13:56:51 Swapped to drive C: for SCAN
03/20/92 13:56:52 C:\PCSM.RPT erased
Common Questions and Problems
Question: Will logging into the network at a different
machine affect PCSM?
Answer: As long as you are mapped to the PCSM database
everything will be handled properly according to
the PC signature. However if the users profile
maps them to a PCSM database other than the one
normally used by that PC, PCSM will use the 2nd
database to determine if a scan is needed.
Generally this will mean a scan is initiated in
the Grace mode as it will treat you as a new user.
Problem: PCSM aborts abnormally on a few machines.
Answer: If the SWAP option is off the PC may be running
out of memory, try turning the SWAP option on.
If the SWAP option is on, verify that the machine
has at least 210K of free disk space.
Problem: PCSM can't find SCAN.EXE file.
Answer: Check the command line and verify that the only
parameters passed to PCSM are valid directories for
SCAN.EXE and the Log files. One common mistake is
to specify the filenames as well as the directories.
Problem: PCSM is running but does not perform as configured
in SCAN.CFG.
Answer: Make sure that SCAN.CFG uses the proper syntax
(See page 15 for example) and the labels,
Interval, Grace, etc. are included. Earlier
versions of PCSM did not require the Labels in
SCAN.CFG. Use the PCSMLOG environment variable
to see the parameters the PCSM is actually using.
For more information, please contact:
NetPro Computing, Inc.
8655 East Via de Ventura, Suite E155
Scottsdale, AZ 85258
(800) 998-5090 - Sales
(602) 998-5008 - Voice
(602) 998-5076 - FAX
(602)998-5093 - BBS
70524,2670 - CIS
