Doctor Web for OS/2
Version 4.29c
Copyright (c) 1992-2002, Igor Daniloff
Anti-virus laboratory of Igor Daniloff, DialogueScience, Inc.
This program is a member of Doctor Web (or, briefly, DrWeb), a 32-bit
family of antivirus scanners. This family, DrWeb32, includes programs
for Windows 95/98/Me/NT/2000/XP, DOS/386, OS/2, Novell NetWare, Linux,
FreeBSD, and other Unix-like systems.
INSTALLATION NOTES
There is no install shield in this version of DrWeb2CL. To install the
program, create a directory, say, DRWEB32, and unzip DRWEB2CL.ZIP into it.
Then run DRWEB2CL.EXE.
Note that all DrWeb32 programs are installed in the same directory. The
distribution packages of all family members include two common files,
DRWEB32.DLL (DrWeb32's engine) and DRWEBASE.VDB (main virus database).
All new virus database add-ons should also be placed in the same directory.
The configuration file DRWEB32.INI is also common to all family members and
can be placed in the same directory (for instance, DRWEB32). However, each
product uses its own section in the INI-file, except for DrWeb32W and
DrWebWCL that share the same section.
Log files are created in the same directory, separately for each product,
and are given, by default, the filename <program>.LOG.
Additionally, the DrWeb32 distribution kit may include language resource files
named <language>.DWL (for instance, RUSSIAN.DWL, GERMAN.DWL, etc.) that
contain program messages written in the respective language. The language
resource files are common to all programs of the DrWeb32 family. Language
can be changed by the /LNG command line option.
REGISTRATION KEYS FOR THE DRWEB32 FAMILY
For the DrWeb32 programs, there is an important file, a registration user key.
Without a registration key, all DrWeb32 members offer only limited
functionality, as described below:
- at each startup, the evaluation version displays a warning (saying that
it's an evaluation version);
- archives aren't checked;
- e-mail message files aren't checked;
- heuristic analyzer is disabled;
- infected and suspicious files cannot be cured, deleted, removed or renamed.
Without a registration key, the DrWeb32 family members may be redistributed
without any restriction.
To enable an enhanced preview of Doctor Web features, DialogueScience freely
distributes a special evaluation registration key, the DRWEVAL.KEY file,
that removes some of the restrictions mentioned above. However, this key
works only with the one version of DrWeb to which it is attached. With
the evaluation key, DrWeb32 will have the following restrictions:
- at each startup, the evaluation version displays a warning (saying that
it's an evaluation version);
- archives aren't checked;
- e-mail message files aren't checked;
- infected files cannot be cured.
In some cases DialogueScience and its dealers can also distribute other
evaluation registration keys, with other sets of restrictions.
To use all features of DrWeb32, a user must purchase a commercial
registration key. This key, as well as an evaluation key, is a special
file generated by UserKey. When placed in the DrWeb32 home directory,
the key enables the full-featured commercial operation of DrWeb32. The key
contains a user name, duration and some other information, and is protected
against fraud with a digital signature.
If you tried an evaluation copy of DrWeb32 and have received a commercial
registration key, please copy it to the DrWeb32 directory.
COMMAND LINE OPTIONS
To start Doctor Web, use the following command line:
<program> [disk:][path] [options]
where
program - executable module name (DrWeb2CL),
disk: - logical drive of a hard disk, floppy drive, network drive, CD-ROM,
or * (all local logical drives);
path - location of files to be checked; it may contain path to the
directory on local/network drive (or network directory) and,
optionally, filename (or filename mask).
The command line may contain several [disk:][path] parameters delimited with
blanks. In this case, the program will sequentially scan the specified objects.
Command line options (delimited with blanks)
/@[+]<file> - check objects listed in <file>.
Each object must be identified on a separate line containing
a full pathname (to check file) or the "?boot" keyword (to check
boot sectors). The list file can be created with any text editor.
When scan is completed, Doctor Web deletes the list file, unless
"+" is included in the option;
/AL - scans all files on a given drive or directory;
/AR[D|M|R][P][N] - checks all files inside archives (ARJ, CAB, GZIP, LZH, RAR,
TAR, ZIP,...). Use the optional parameters to specify how archives with
infected (or suspicious) objects should be treated as a whole:
D - delete, M - move (by default, to the INFECTED.!!! directory),
R - rename (by default, the extension's first character is changed to
"#"); P - prompt before action; the N option suppresses the archive type
after the name of the archive file;
/CN[D|M|R][P][N] - specifies how containers (HTML, RTF, PowerPoint,..)
with infected (or suspicious) objects should be treated as a whole:
D - delete, M - move (by default, to the INFECTED.!!! directory),
R - rename (by default, the extension's first character is changed to
"#"); P - prompt before action; the N option suppresses the container
type after the name of the container file;
/CU[D|M|R][P] - cures infected objects and deletes incurable files. Or use the
optional parameters to specify how infected files should be treated:
D - delete, M - move (by default, to the INFECTED.!!! directory),
R - rename (by default, the extension's first character is changed to
"#"); P - prompt before action;
/DA - runs Dr.Web only once a day. For this option, the configuration file
(INI-file) containing the date of the next scanning session must be
present;
/EX - scans files that have extensions associated with executable modules
and MS Office documents (COM, EXE, SYS, BAT, CMD, DRV, BIN, DLL, OV?,
BOO, PRG, VXD, 386, SCR, FON, DO?, XL?, WIZ, RTF, CL*, HT*, VBS, JS*,
INF, A??, ZIP, R??, PP?, HLP, OBJ, LIB, MD?, INI, MBR, IMG, CSC, CPL,
MBP, SH, SHB, SHS, SHT*,MSG, CHM, XML, PRC, ASP, LSP, MSO, OBD, THE*,
EML, NWS, TBB);
/FM - scans files (regardless of the extension) whose internal format is
that of an executable module or MS Office document with macros (such
as MS Word or Excel files);
/GO - goes without asking you what to do next (in such situations as not
enough disk space for unpack operation, invalid parameters in the
command line, DrWeb infected by unknown virus, etc.). This option
might be useful, say, for automatic check of incoming e-mail;
/HA - enables the heuristic analyzer that can detect unknown viruses;
/IC[D|M|R][P] - specifies how to treat incurable files:
D - delete, M - move (by default, to the INFECTED.!!! directory),
R - rename (by default, the extension's first character is changed to
"#"); P - prompt before action;
/INI:<path> - uses an alternative configuration file (INI-file);
/NI - ignores the settings in the configuration file (DRWEB32.INI);
/LNG[:<path>] - uses an alternative language file (DWL-file), or built-in
(English) language;
/ML[D|M|R][P][N] - checks files of mail format (UUENCODE, XXENCODE, BINHEX,
MIME,...). Use the optional parameters to specify how mail files with
infected (or suspicious) objects should be treated as a whole:
D - delete, M - move (by default, to the INFECTED.!!! directory),
R - rename (by default, the extension's first character is changed to
"#"); P - prompt before action; the N option suppresses the mail type
after the name of the mail file;
/NS - runs non-stop (no interruption by pressing ESC);
/OK - writes a full list of scanned objects and displays "OK" next to clean
objects;
/PF - displays the "Scan another diskette?" prompt after checking a floppy
disk;
/PR - prompts to confirm an action on an infected or suspicious file;
/RP[+]<file> - writes the scan results to a file (by default,
<program>.LOG), <file> is the full pathname of a report file. If the
plus sign is included, the recent report will be appended to the
report file; otherwise the report file will be overwritten;
/NR - does not create report file;
/SD - scans subdirectories;
/SO - plays sounds;
/SP[D|M|R][P] - specifies how to treat suspicious files:
D - delete, M - move (by default, to the INFECTED.!!! directory),
R - rename (by default, the extension's first character is changed to
"#"); P - prompt before action;
/SS - saves current settings when the program terminates;
/TB - scans boot sectors and master boot record;
/UP[N] - checks executable files packed by ASPACK, COMPACK, DIET, EXEPACK,
LZEXE, OPTLINK, PECOMPACT, PEPACK, PGMPAK, PKLITE, WWPACK, WWPACK32,
UCEXE, UPX; files converted by BJFNT, COM2EXE, CONVERT, CRYPTCOM,
CRYPTEXE, PECRYPT, PESHIELD, PROTECT, TINYPROG; and files immunized by
CPAV, F-XLOCK, PGPROT, VACCINE.
N - suppresses the compression utility name after the name of the
archived file;
/WA - waits after scan is finished if viruses or suspicious objects were found;
/? - displays help.
If DRWEB32.INI is not present or not used, the default options are:
/AR /FM /HA /ML /PR /SD /TB /UP
Some options can be postfixed with the "-" character. This "negation" form
disables the respective function or mode. It might be useful if the mode is
enabled by default or via settings in the INI-file.
The negation form can be applied to the following command-line options:
/AR /CU /FN /HA /IC /ML /OK /PF /PR /SD /SO /SP /SS /TB /UP /WA
Note that the negation form of /CU, /IC and /SP cancels all actions enabled
by these options. It means that information about infected and suspicious
objects will appear in the report file only.
/AL, /EX and /FM cannot be used in the negation form. However, any of these
options disables the other two.
RETURN CODES
The values of the return code and corresponding events are as follows:
0 - OK, no virus found
1 - known virus detected
2 - modification of known virus detected
4 - suspicious object found
8 - known virus detected in archive
16 - modification of known virus detected in archive
32 - suspicious file found in archive
64 - at least one virus successfully cured
128 - at least one infected or suspicious file deleted/renamed/moved
The actual value returned by the program is equal to the sum of codes for
the events that occurred during scanning. Because each event code is a
distinct power of two, the sum can be easily decomposed into separate
event codes.
For example, return code 9 = 1 + 8 means that known viruses were detected,
including viruses in archives; curing and other actions were not executed;
no other "virus" events occurred during scanning.
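The decomposition described above, as an added example that is not part of the original DrWeb documentation. It assumes a wrapper script that receives the scanner's exit status; the verdict labels ("clean", "hold", "review") are a hypothetical policy, not DrWeb terms.

```python
# Added example: decode a DrWeb2CL return code into the events listed above.
from typing import NamedTuple

# Bit values and meanings are taken from the RETURN CODES table.
EVENTS = {
    1: "known virus detected",
    2: "modification of known virus detected",
    4: "suspicious object found",
    8: "known virus detected in archive",
    16: "modification of known virus detected in archive",
    32: "suspicious file found in archive",
    64: "at least one virus successfully cured",
    128: "at least one infected or suspicious file deleted/renamed/moved",
}
DETECTION_MASK = 1 | 2 | 4 | 8 | 16 | 32
ACTION_MASK = 64 | 128


class ScanResult(NamedTuple):
    events: list      # event descriptions, lowest bit first
    detected: bool    # any of the six detection bits set
    acted: bool       # a cure or delete/rename/move was reported
    verdict: str      # hypothetical policy label (assumption)


def decode(code: int) -> ScanResult:
    if not 0 <= code <= 255:
        # The table defines eight bits only; treat anything else as a
        # failed run instead of silently reporting "clean".
        raise ValueError(f"return code {code} is outside the documented range")
    events = [text for bit, text in EVENTS.items() if code & bit]
    detected = bool(code & DETECTION_MASK)
    acted = bool(code & ACTION_MASK)
    if not detected and not acted:
        verdict = "clean"
    elif detected and not acted:
        verdict = "hold"      # detections reported, nothing cured or moved
    else:
        verdict = "review"    # the scanner changed files; check the log
    return ScanResult(events, detected, acted, verdict)


if __name__ == "__main__":
    for rc in (0, 9, 65, 132):   # constructed sample codes
        result = decode(rc)
        print(rc, result.verdict, result.events)
```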
LIMITATIONS IN THIS VERSION
- Virus check of main memory is not supported.
======================
Below is Igor Daniloff's PGP public key. Please use it to encrypt virus
specimens when you wish to e-mail them to us.
Type Bits/KeyID Date User ID
pub 1024/1B87196D 1994/05/12 Igor A. Daniloff <ID@DrWeb.Ru>
Igor A. Daniloff <id@sald.spb.su>
======================
Please send your comments to:
DialogueScience, Inc.
40 Vavilova St., office 103
Moscow, 117786, RUSSIA
Tel.: +7 (095) 135-6253, 137-0150
Tel./fax: +7 (095) 938-2970, 938-2855
FidoNet: 2:5020/69
E-mail: Antivir@dials.ru
WWW: http://www.dials.ru
FTP: ftp.dials.ru, ftp2.dials.ru, ftp3.dials.ru
The author of Doctor Web is available by
E-mail: Igor.Daniloff@dials.ru , id@drweb.ru
FidoNet: 2:5020/69.14 , 2:5030/87.57