Text File | 1995-04-19 | 104KB | 2,446 lines
U S I N G   N E T S H I E L D   2.1
Copyright 1994, 1995 by McAfee, Inc. All rights reserved.
No part of this publication may be reproduced, transmitted,
transcribed, stored in a retrieval system, or translated
into any language in any form by any means without
the written permission of McAfee, Inc., 2710 Walsh Avenue,
Santa Clara, CA 95051-0963.
McAfee is a registered trademark of McAfee, Inc.
VirusScan, VShield, and NetShield are trademarks of
McAfee, Inc. All other products or services mentioned
in this document are identified by the trademarks or
service marks of their respective companies or
organizations.
CHAPTER 1 WELCOME TO NETSHIELD
Thank you for purchasing McAfee Inc.'s NetShield(TM) software,
a powerful and advanced system designed to detect computer
viruses on a NetWare server. NetShield monitors server input
and output, and protects against virus infections from
workstations, bridges, and modems.
NetShield is a NetWare Loadable Module (NLM). This allows it
to integrate easily into your NetWare environment and
function independently of any workstation, guaranteeing that
your network is always protected.
NETSHIELD TASKS
It is important that you install and configure NetShield
correctly for your particular network. As you set up
NetShield, you'll complete the tasks necessary to maintain a
virus-free network. Use this task list as a roadmap for
applying the information in this reference to your network.
Task 1: Installation. You'll install NetShield on every
server at your site. Download the NetShield files and copy
them to the SYS:SYSTEM directory on your server. For NetWare
3.11 or 3.12 installations, you also need to download and
install Novell patches. Refer to Chapter 2, "Installation
and Setup," for details.
NOTE: If you use a bootable floppy diskette to start
your server, make sure that the boot diskette is clean of
any viruses. The documentation for VirusScan, a McAfee
virus scanning product that can be used on a workstation,
describes a procedure for creating a clean bootable diskette.
Task 2: Configuration. Set NetShield to run scans at regular
intervals, using the "periodic" scanning settings. Turn on
Cyclic Redundancy Checking (CRC) if you have a stable file
environment. CRC checking verifies that numeric check sums
stay consistent for files. If files are changed often, then
an error in the check sums will be reported. Finally, set
NetShield to scan all files transferred to the server,
using the "on-access" scanning settings. Refer to
"Configuration Recommendations" in Chapter 3, "Using
NetShield," for details.
Task 3: Scanning. Once you've configured NetShield, it will
automatically scan in the background. The NetShield NLM will
be running as long as your NetWare server is running.
Task 4: Reporting. NetShield can inform you when a virus is
found, both by broadcasting a network message to selected
users and by recording the information in a log file. It can
then move or delete the infected file. We recommend that you
set up NetShield to log infections in a file, notify the
network supervisor, and move infected files into a
"quarantine" directory for later inspection. Refer to
"Configuring Virus Reporting" in Chapter 3, "Using
NetShield," for details.
Task 5: Updating. As new viruses are found, McAfee will
release new virus signature files for you to install. When
you receive an update, or download one from the McAfee BBS,
update one server and enable cross-server updating so that
the new list is copied to the other servers over the
network.
Task 6: Virus elimination. Once you've identified and
isolated an infected file, eliminate the virus using other
McAfee products such as VirusScan and VShield. Scan does
periodic scanning of a single PC and removes viruses from a
single PC, while VShield does on-access scanning of a single
PC.
SYSTEM REQUIREMENTS
The NetShield program requires a Novell NetWare 386 v3.11,
3.12, or 4.1 file server with at least 718Kb of free server
RAM. It should utilize no more than 10% of server CPU time.
Additional patches are needed for NetWare 3.11 or 3.12
installations (refer to Chapter 2, "Installation and Setup,"
for details).
NetShield is not compatible with version 3.10 of Novell
NetWare 386.
HOW TO USE THIS MANUAL
This manual will help you get NetShield running quickly and
properly.
o Chapter 1, "Welcome to NetShield," describes the
NetShield program, general tasks for using NetShield,
and system requirements.
o Chapter 2, "Installation and Setup," describes how to
install, load, and maintain your NetShield software.
o Chapter 3, "Using NetShield," contains reference
information laid out in a format that matches the
NetShield menus. If you need help navigating the menus,
look for the guides at the start of each of these
chapters.
HOW TO CONTACT MCAFEE
To contact McAfee for sales and product support:
Phone     (408) 988-3832
          Monday through Friday
          6:00 am to 5:00 pm Pacific Standard Time
Fax       (408) 970-9727
Online    24-hour access
          (see "Online Access" later in this section)
          o McAfee BBS
          o CompuServe
          o Internet
BEFORE YOU CALL
For fast and accurate help, please have the following
information ready when you contact McAfee:
o Program name and version number.
o Type and brand of computer, hard disk, and any peripherals.
o Version of DOS you are using.
o Version of NetWare you are using.
o Printouts of your AUTOEXEC.NCF and STARTUP.NCF files.
o A description of the exact problem you are having. Please
be as specific as possible. If you cannot be at your
computer when you call, a printout of the screen will be
helpful.
If you are overseas, you can contact a McAfee authorized
agent. Agents are located in more than 50 countries around
the world and provide local sales and support for our
software.
ON-LINE ACCESS TO UPDATES AND TECHNICAL SUPPORT
McAfee updates its software monthly to add new virus
detectors and new options and to fix reported bugs. To distribute
these new versions, we run a multi-line bulletin board
system, a forum on CompuServe, and an Internet node.
McAfee bulletin board system (BBS)
Our multiline BBS is accessible 24 hours a day, 365 days a
year, except for scheduled downtime and maintenance. All
lines run high-performance modems operating from 1,200 bps
to 28,800 bps with line settings of 8 data bits, no parity,
and 1 stop bit. Both technical support and software updates
are available on the bulletin board. The McAfee BBS phone
number is (408) 988-4004.
McAfee Forum on CompuServe
We sponsor the McAfee Virus Help Forum on CompuServe.
To reach it, type GO MCAFEE at any CompuServe prompt.
Internet access
The latest versions of McAfee's anti-virus software are
available by anonymous ftp (file transfer protocol) over the
Internet from the site ftp.mcafee.com. If your domain resolver
does not support names, use the IP address 192.187.128.3.
Enter anonymous or ftp as your user ID and your own e-mail
address as the password. Programs are located in the
pub/antivirus directory. If you have questions, please send
e-mail to support@mcafee.com.
You can also find McAfee's anti-virus software at the SimTel
Software Repository at Oak.Oakland.EDU in the
simtel/msdos/virus directory and its associated mirror sites:
o wuarchive.wustl.edu (US)
o ftp.switch.ch (Switzerland)
o ftp.funet.fi (Finland)
o src.doc.ic.ac (UK)
o archie.au (Australia)
OTHER SOURCES OF INFORMATION
The McAfee BBS and CompuServe Virus Help Forum are excellent
sources of information on virus protection. Batch files and
utilities to help you use VirusScan software are often
available, along with helpful advice.
Independent publishers, colleges, training centers, and
vendors also offer information and training about virus
protection and computer security.
We especially recommend the following books:
o Ferbrache, David. A Pathology of Computer Viruses.
London: Springer-Verlag, 1992. (ISBN 0-387-19610-2)
o Hoffman, Lance J. Rogue Programs: Viruses, Worms,
and Trojan Horses. Van Nostrand Reinhold, 1990.
(ISBN 0-442-00454-0)
o Jacobson, Robert V. The PC Virus Control Handbook,
2nd Ed. San Francisco: Miller Freeman Publications,
1990. (ISBN 0-87930-194-0)
o Jacobson, Robert V. Using McAfee Associates Software for
Safe Computing. New York: International Security Technology,
1992. (ISBN 0-9627374-1-0)
In addition, the following sources can provide useful information
about viruses:
o National Computer Security Association (NCSA),
10 South Courthouse Avenue, Carlisle, PA 17013
o CompuServe VIRUSFORUM
o Internet comp.virus newsgroup
CHAPTER 2 INSTALLATION AND SETUP
Installing NetShield is a straightforward process. You
simply download the NetShield 2.1 files, copy them to the
SYS:SYSTEM directory on your server, modify the AUTOEXEC.NCF
file to load NetShield automatically upon server startup,
then load NetShield. If you are running Novell v3.11 or
3.12, you also need to install NetWare patches obtained from
Novell or McAfee. This chapter describes these tasks in detail.
NOTE: If you are upgrading from an earlier version of
NetShield, be sure to back up the files in your NetShield
directory before proceeding.
STEP 1: DOWNLOAD THE NETSHIELD SOFTWARE
Obtain the latest NetShield software from the McAfee BBS,
CompuServe, or the Internet. Refer to "Contacting McAfee" in
Chapter 1, "Welcome to NetShield," for information about
accessing these services.
Downloading Files
Download and uncompress the latest NetShield compressed
(.ZIP) file. It contains the following files:
Filename        Description
NETSHLD.NLM     NetShield 2.1 NLM file
NAMES.DAT       Virus Scanner data file
SCAN.DAT        Virus Scanner data file
VIR$CFG.DAT     NetShield 2.1 base configuration file
NETSHLD2.TXT    NetShield 2.1 documentation
Copying files
Copy these files to the SYS:SYSTEM directory on your NetWare
server. You can choose a different location on your server,
but we recommend this directory. If you choose a different
directory, you must add this directory to the search path
using the NetWare SEARCHADD command. For more information,
see your NetWare documentation.
Unless otherwise specified, NetShield creates, loads, and
saves configuration files, log files, and reports in the
directory where the NETSHLD.NLM file is located.
NOTE: You must be logged in with create and delete rights to
the directory on the target server volume.
Validating NETSHLD.NLM
When you download a program file from any source other than
the McAfee bulletin board or other McAfee service, it is
important to verify that it is authentic, unaltered, and
uninfected. McAfee anti-virus software includes a program
called Validate that helps you do this. When you receive a new
version of VirusScan, run Validate on all of the program files.
To do this for VirusScan, start from the system prompt (C> or
[C:\]):
1. Change to the directory to which you have downloaded
   the files. For example, if you have stored the files in
   C:\MCAFEE\DOWNLD:
       C> c:
       C> cd \mcafee\downld
2. Type the command:
       C> validate netshld.nlm
3. Compare the results with the information in the README.1ST
   file or other text file for the program you validated.
If the validation results match what is in the file, it is
highly unlikely that the program has been modified.
STEP 2: DOWNLOAD NETWARE PATCHES (NETWARE 3.11 OR 3.12 SITES ONLY)
NetShield requires the following NetWare patch files for
NetWare 3.11 and 3.12. Use the following recommended versions
(in parentheses):
A3112.NLM (4.10A)
AFTER311.NLM (4.10A)
CLIB.NLM (3.12h)
MATHLIB.NLM (3.12h)
MATHLIBC.NLM (3.11h)
NWSNUT.NLM (4.11)
Novell supplies these patches in the LIBUP4.EXE file. To
obtain this file:
o From Novell, see the Novell NetWire on CompuServe, the
ftp.novell.com anonymous ftp site on the Internet, or
other Novell on-line services.
o From McAfee, download it from the McAfee BBS under File
Area "P" (for Patches), or from the mcafee.com FTP site in
the pub/patches directory.
Copy these files to the SYS:SYSTEM directory on your NetWare
3.11 or 3.12 server.
NOTE: Do not install these patches on a NetWare 4.x server.
STEP 3: CUSTOMIZING THE AUTOEXEC.NCF FILE
We recommend that you change your server's AUTOEXEC.NCF file
so that NetShield loads automatically whenever the server
starts up.
To edit this file, use the NetWare LOAD INSTALL command (for
more information, refer to your Novell documentation). Add
the following command line to this file:
LOAD NETSHLD DEFAULT
For a description of NetShield load options, refer to the next
section, "Loading NetShield."
Save your changes, then restart your server for these
changes to take effect.
STEP 4: LOADING NETSHIELD
Now that you have installed NetShield, you can load it using
various stored settings. You can use the default NetShield
settings, the settings stored in the standard configuration
file (VIR$CFG.DAT), or those stored in a custom
configuration file. NetShield creates VIR$CFG.DAT
automatically when you load the program for the first time.
Load NetShield using one of the following options:
o To run NetShield with the default settings and no
configuration file, use this command:
LOAD NETSHLD
o To run NetShield with the default configuration file,
VIR$CFG.DAT, from the SYS:SYSTEM directory, use this command:
LOAD NETSHLD DEFAULT
o To run NetShield with a user-specified configuration file
from the directory you specify, use the following command:
LOAD NETSHLD [path \ filename]
If the configuration file does not reside in the same
directory as NetShield, you must specify the complete
path, including the volume name. You can enter these
commands at the NetWare server console prompt or the
remote login prompt. Alternatively, you can have them
execute automatically in the AUTOEXEC.NCF file.
NOTE: Do not load NetShield 2.1 with a version 1.x
configuration file. NetShield Version 1.x configuration
files are not compatible with NetShield Version 2.1.
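An added example, not McAfee or Novell code: a Python check that reads an AUTOEXEC.NCF and reports which of the three load options above is in effect. The sample file contents are constructed, and treating lines that start with #, ; or REM as comments is an assumption about NCF syntax.

```python
import re

# LOAD NETSHLD, optionally with a path prefix and .NLM suffix, then one argument.
LOAD_RE = re.compile(
    r"^\s*LOAD\s+(?:\S*[\\/:])?NETSHLD(?:\.NLM)?(?:\s+(?P<arg>\S+))?\s*$",
    re.IGNORECASE,
)
# Assumption: these prefixes mark a comment line in an NCF file.
COMMENT_RE = re.compile(r"^\s*(#|;|REM\b)", re.IGNORECASE)


def classify_load(arg):
    """Map the argument of LOAD NETSHLD to (mode, warning or None)."""
    if arg is None:
        # The manual's Status window shows the initial defaults as DISABLED.
        return ("builtin-defaults",
                "no configuration file: default settings leave scanning, "
                "logging and alarms DISABLED")
    if arg.upper() == "DEFAULT":
        return ("default-config", None)  # VIR$CFG.DAT in NetShield's directory
    has_dir = "\\" in arg or "/" in arg
    has_volume = ":" in arg
    if has_dir and not has_volume:
        # The manual requires the complete path, including the volume name,
        # when the file is not in the same directory as NetShield.
        return ("custom-config", "path has no volume name")
    return ("custom-config", None)


def audit_ncf(text):
    """Return a list of (line_number, mode, warning) for an NCF file's text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if COMMENT_RE.match(line):
            continue
        match = LOAD_RE.match(line)
        if match:
            mode, warning = classify_load(match.group("arg"))
            findings.append((number, mode, warning))
    if not findings:
        findings.append((0, "not-loaded",
                         "no LOAD NETSHLD line: NetShield will not start "
                         "with the server"))
    return findings


# Constructed sample: the intended line is commented out and a bare load remains.
SAMPLE_NCF = """\
file server name SERVER1
ipx internal net 1234ABCD
# LOAD NETSHLD DEFAULT
load netshld
"""

if __name__ == "__main__":
    for number, mode, warning in audit_ncf(SAMPLE_NCF):
        print(number, mode, warning or "ok")
```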
STEP 5: VIEWING NETSHIELD'S OPENING SCREEN
When you first load NetShield, you will see a screen similar
to the following example:
NetShield Version 2.1 NetWare Loadable Module
McAfee, Inc. NetShield Virus Protection For File Server
SERVER1
Mon Feb 20, 1995
NetShield Main Menu Options
Immediate Scan
Configure Scanning Mode
Configure Virus Detection
Configure NetShield NLM
Configure Virus Reporting
Configure Network Security
Press F10 To View Scanning Statistics
The Main menu is the highest-level menu in the hierarchy.
The NetShield menu system uses conventional NetWare keys for
menu navigation. You highlight, select, and exit menus as
you would any NetWare utility, such as SYSCON. For general
instructions about navigating NetWare menus, refer to your
Novell documentation.
You can press F10 at any time to display the Status window,
which shows the current status of many of the NetShield
configuration settings. The following example shows the
initial NetShield default settings.
NetShield Version 2.1 NetWare Loadable Module
Volume Scanning: DISABLED NetShield Delay Factor: 3
On Access Scanning: DISABLED CPU Utilization: 0 percent
Periodic Scanning: DISABLED Detection Action: Ignore
Logging: DISABLED
CRC Checking: DISABLED Mon Sep 19 15:01:45 1994
User Alarms: DISABLED
Console Messages: DISABLED
Network Monitoring: DISABLED Access Time Remaining 0 Minutes
Volume Scanning Statistics
Scanning:
Detected:
Periodic Scanning Statistics
Scanning:
Detected:
On Access Scanning Statistics
Inbound:
Detected:
Outbound:
Detected:
Press F10 To View Menus
Press F10 again to return to the current menu. Most scanning
options are disabled or configured to minimum settings. For
more information about the features listed in NetShield's
Status window, refer to Chapter 3, "Using NetShield."
EXITING NETSHIELD
You can unload NetShield from server memory to free up
server resources. Exiting NetShield halts any current scans
in process.
To exit NetShield, press ESCAPE from the Main menu.
NetShield displays a confirmation prompt. Press Y to confirm
that you want to exit NetShield.
Exiting NetShield in this manner has the same effect as
entering the following command at the NetWare server console
prompt:
unload netshld
Either way, if NetShield is configured with an unload
password, you must supply the password to exit. Otherwise,
typing this command will fail, and the only alternative is
to switch to NetShield and exit from the Main menu. For more
information, refer to "Setting the Unload Password" in
Chapter 3, "Using NetShield."
UPDATING NETSHIELD REGULARLY
Unfortunately, new viruses (and variants of old ones) appear
and circulate often in the personal computer community.
Fortunately, McAfee updates the antivirus data files
regularly, usually monthly, but sooner if many new viruses
have appeared. Each new version may detect as many as 60-100
new viruses or more, and may add new features. For
instructions on downloading McAfee updates, refer to
"Contacting McAfee" in Chapter 1, "Welcome to NetShield."
To find out what is new in a downloaded release, review the
accompanying README.1ST text file.
CHAPTER 3 USING NETSHIELD
Once you have installed and loaded NetShield, you can begin
using it to protect your network from viral infection. This
chapter describes each feature in detail and shows you how
to use NetShield most effectively in your network
environment.
NetShield detects known viruses by searching the system for
known characteristics (sequences of code) unique to each
computer virus and reporting their presence if found. For
viruses that encrypt or cipher their code so that every
infection is different, NetShield uses detection algorithms
that work by statistical analysis, heuristics, and code
disassembly.
NetShield can also check for new or unknown viruses by
comparing files against previously recorded validation data.
For more information, refer to "Setting CRC Validation" in
this chapter. If a file has been modified, it will no longer
match the validation data, and NetShield will report that
the file may have become infected.
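The idea behind validation data, as an added Python example that is not NetShield's implementation: record a check value per file, then re-check and report files that no longer match. zlib's CRC-32 stands in for whatever check values NetShield stores (an assumption), and the file names and contents are constructed.

```python
import os
import tempfile
import zlib


def crc32_of(path, chunk_size=65536):
    """CRC-32 of a file, read in chunks so large files are not held in memory."""
    crc = 0
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def record_baseline(root):
    """Map each file's path relative to root to its (size, crc32)."""
    baseline = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = (os.path.getsize(full), crc32_of(full))
    return baseline


def check_against(root, baseline):
    """Compare the current state of root with previously recorded data."""
    current = record_baseline(root)
    report = {"modified": [], "missing": [], "unrecorded": []}
    for rel, recorded in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != recorded:
            report["modified"].append(rel)
    report["unrecorded"] = sorted(set(current) - set(baseline))
    report["modified"].sort()
    report["missing"].sort()
    return report


def demo():
    """Build a constructed directory, change it, and return the check report."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "LOGIN.EXE": b"MZ" + b"\x90" * 64,  # stand-in for a program file
            "MAP.EXE": b"MZ" + b"\x00" * 32,
            "REPORT.DAT": b"week 1 totals\n",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        baseline = record_baseline(root)

        # Unexpected growth of an executable: the case validation is meant to catch.
        with open(os.path.join(root, "LOGIN.EXE"), "ab") as handle:
            handle.write(b"\xCC" * 16)
        # A routine rewrite of a data file is reported in exactly the same way,
        # which is why validation suits a stable file environment.
        with open(os.path.join(root, "REPORT.DAT"), "wb") as handle:
            handle.write(b"week 2 totals\n")
        # A file with no recorded data cannot be validated at all.
        with open(os.path.join(root, "NEW.COM"), "wb") as handle:
            handle.write(b"\xC3")
        return check_against(root, baseline)


if __name__ == "__main__":
    print(demo())
```

CRC-32 is not collision-resistant, so a baseline like this catches unplanned change but is not proof against a deliberately forged file.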
NetShield can scan your system in the following ways:
o Immediate scanning performs a scan of your system, on
demand, using current scan settings. For more information,
refer to "Running an Immediate Scan" in this chapter.
o On Access scanning prevents infected files from being
copied to or from server volumes. For more information,
refer to "Using On Access Scanning" in this chapter.
o Periodic scanning schedules scanning for a specific day
and time. For more information, refer to "Using Periodic
Scanning" in this chapter.
In each case, you can determine which network volumes
NetShield scans. You can use any or all of these scanning
methods in combination.
IF YOU DETECT A VIRUS
We strongly recommend that you get experienced help in
dealing with viruses if you are unfamiliar with anti-virus
software and methods. This is especially true for "critical"
viruses, because improper removal of these viruses can
result in the loss of all data and use of the infected
disks.
If you are at all unsure about how to proceed once you have
found a virus, contact McAfee for assistance. For instructions,
see "How to Contact McAfee" in Chapter 1.
CONFIGURATION RECOMMENDATIONS
We recommend that you customize NetShield with the settings
that best fit the needs of your network environment, then
save settings in a configuration file so that you can load
them easily in the future. For more information, refer to
"Setting Configuration File Options" in this chapter.
If it finds or suspects a virus, NetShield can perform
certain actions automatically, depending on how you have
configured NetShield:
o NetShield can delete, move, or ignore an infected file.
We recommend that you move infected files to a quarantine
directory for later inspection. For more information,
refer to "Setting the Infected File Action" in this chapter.
o NetShield can notify selected users and the system
console of a possible infection. We recommend that you
enable this feature so that system administrators are
informed as soon as viruses are detected. For more
information, refer to "Setting the User Contact Action"
in this chapter.
o NetShield can record a virus incident in a log file. We
recommend that you enable this feature so that you can use
the information to investigate any viral infections that
arise. For more information, refer to "Setting the Log
File" in this chapter. You can view or print the contents
of this log for future reference.
For network environments requiring strict security, consider
using the following features:
o NetShield can require a password before it can be
unloaded on the server. For more information, refer to
"Setting the Unload Password" in this chapter.
o NetShield can prevent users from writing to selected
network directories, such as system directories containing
application executable files. For more information, refer
to "Configuring Network Security" in this chapter.
To optimize server performance, consider adjusting the
execution priority. For more information, refer to "Setting
the Delay Factor" in this chapter.
RUNNING AN IMMEDIATE SCAN
NetShield can run a scan on-demand using immediate scanning.
NetShield scans the server volumes you select.
From the NetShield Main menu, choose Immediate Scan.
NetShield displays the Immediate Scan menu with the
following options:
o Start Scan
o Stop Scan
o Edit Volume
The rest of this section describes these options in detail.
SELECTING VOLUMES TO SCAN
Before you start checking for viruses on your network, you
must first select one or more volumes to scan. You can
modify the list of volumes that NetShield scans for viruses.
From the NetShield Main menu, choose Immediate Scan | Edit
Volume. NetShield displays a list of currently selected
volumes.
o To add a volume to the list, press INSERT. NetShield
displays a list of available volumes. Highlight the volume
you want to add, then press ENTER (to select multiple
volumes, highlight each one and press F5 to mark it, then
press ENTER). NetShield adds the selected volume(s) to the
list of volumes to scan.
o To remove a volume from the list of selected volumes,
highlight it, then press DELETE. The selected volume is no
longer displayed in the list of volumes to scan.
Once you have selected the volumes you want to scan, you can
begin scanning your system.
RUNNING AN IMMEDIATE SCAN
You can tell NetShield to start scanning immediately, based
on your current scan settings.
From the NetShield Main menu, choose Immediate Scan | Start Scan.
NetShield starts scanning your system. To see scanning
statistics, press F10: NetShield displays the name of each
file it scans, as well as the name of the last virus found
(if any).
NOTE: If NetShield finds a virus, refer to "If you detect a
virus" earlier in this chapter for more information.
INTERRUPTING A SCAN IN PROGRESS
NetShield scans your system until all selected items
(volumes, directories, files) have been checked for viruses.
If necessary, however, you can interrupt an immediate scan
in progress.
From the NetShield Main menu, choose Immediate Scan | Stop
Scan. NetShield displays a confirmation prompt.
NOTE: When you interrupt scanning, you prevent NetShield
from completely checking the selected volumes on your system
for viruses. To ensure that your system is virus-free, you
must run a complete, uninterrupted scan.
CONFIGURING THE SCANNING MODE
In addition to immediate scanning, NetShield provides the
following scanning modes:
o On Access Scanning prevents infected files from being
copied to or from server volumes.
o Periodic Scanning schedules scanning for a specific day
and time.
From the NetShield Main menu, choose Configure Scanning
Mode. NetShield displays the Scanning Mode Configuration
menu with the following options:
o On Access Scanning
o Periodic Scanning
The rest of this section describes these scanning modes in detail.
USING ON ACCESS SCANNING
If On Access scanning is enabled, NetShield can protect your
server against viruses by preventing infected files from
being copied to or from server volumes. If a filemask is
used in the copy operation (for example, *.EXE), NetShield
prevents only infected files from being copied. Use on
access scanning to prevent spreading viruses in the interim
between regular scans.
NOTE: If NetShield finds a virus, refer to "If you detect a
virus" earlier in this chapter for more information.
To use on access scanning, from the NetShield Main menu,
choose Configure Scanning Mode | On Access Scanning.
NetShield displays the On Access Scanning menu with the
following options:
o Inbound Files Only
o Outbound Files Only
o Inbound and Outbound Files
o Disable On Access Scanning
Select the option you want.
Inbound Files Only
Select this option to prevent copying infected files to the
selected server volume. When a copy operation is attempted,
NetShield checks the file on the target volume and, if
infected, deletes, moves, or ignores the file according to
the current action setting. For more information, refer to
"Setting the Infected File Action" later in this chapter.
We recommend this option for most environments because it
protects the server but avoids running extra scans every
time files are copied from the server volume.
Outbound Files Only
Select this option to prevent copying infected files from
selected server volumes to other server or workstation
volumes. When a copy operation is attempted, NetShield
checks the file on the source volume and, if infected,
deletes, removes, or ignores the file according to the
current action setting. For more information, refer to
"Setting the Infected File Action" later in this chapter.
This option does not protect the server volume against
infected files copied to it, and is recommended only in
cases where the server volume is read-only and might contain
infected files.
Inbound and Outbound Files
Select this option to prevent copying infected files to or
from selected server volumes. This option combines the two
previous options and offers the highest degree of protection
for both servers and workstations. It may, however, result
in extra scans if the server volume is highly unlikely to
contain infected files.
Viewing Statistics for On Access Scanning
When you open the On Access Scanning menu, NetShield
displays information similar to the following example:
NetShield On Access Virus Detection Summary
Last Inbound File Scanned:
Last Outbound File Scanned:
Last Inbound Virus Detected:
Last Outbound Virus Detected:
Total Files Scanned: 360 Total Infected Files Found: 271
Current On Access Scan Mode: Both Inbound and Outbound Files
Disabling On Access Scanning
Select this option to disable on access scanning altogether
or to interrupt an on access scan in progress. Thereafter,
NetShield will not check files as they are copied to or from
the server volume.
USING PERIODIC SCANNING
You can schedule NetShield to automatically scan server
volumes at a future date and time. Thereafter, NetShield
runs the scan at the scheduled time if the server is running
and NetShield is loaded and running. In this way, you can
scan your network unattended, during periods of low network
traffic, and thereby ensure that scanning occurs on a
regular basis. For each scheduled scan, you can specify when
to scan, what to scan, and which scan options to use.
NOTE: If NetShield finds a virus, refer to "If you detect a
virus" earlier in this chapter for more information.
From the NetShield Main menu, choose Configure Scanning Mode
| Periodic Scanning. NetShield displays the Periodic
Scanning menu with the following options:
o Scanning
o Day of Week
o Day of Month
o Time of Day
o Select Volumes to Scan
o Load Scan Settings from File
o Save Scan Settings to File
Select the option you want.
Selecting the Scanning Frequency
You can schedule scanning on a daily, weekly, or monthly
basis. For the best network performance, schedule scanning
during periods of low network traffic, such as at 2:00 am or
on weekends.
To enable scanning, highlight Scanning <DISABLED> and press
ENTER. NetShield displays the Select Scanning Frequency menu
with the following options. Select the scanning frequency
you want and enter the required information:
o Daily: Enter the time of day (0:01 to 23:59, in 24-hour format).
o Weekly: Enter the day of the week (Sunday to Saturday)
and the time of day (0:01 to 23:59).
o Monthly: Enter the day of the month (1-31) and the time
of day (0:01 to 23:59). If you enter 31, NetShield will
scan on the last day of the month, even if it has fewer
than 31 days.
Thereafter, NetShield runs the scan at the scheduled date and time.
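The three frequencies above, worked through in Python as an added example (not NetShield code): it computes the next run time and applies the day-31 rule by falling back to the last day of shorter months. Treating other day values such as 29 or 30 the same way is an assumption; the manual states the rule only for 31.

```python
import calendar
from datetime import datetime, timedelta

# Order matches datetime.weekday(): Monday is 0.
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]


def validate_time(hour, minute):
    """The manual gives the accepted range as 0:01 to 23:59."""
    in_range = 0 <= hour <= 23 and 0 <= minute <= 59
    if not in_range or (hour, minute) == (0, 0):
        raise ValueError("time of day must be between 0:01 and 23:59")


def next_daily(now, hour, minute):
    validate_time(hour, minute)
    candidate = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if candidate <= now:
        candidate += timedelta(days=1)
    return candidate


def next_weekly(now, weekday_name, hour, minute):
    validate_time(hour, minute)
    target = WEEKDAYS.index(weekday_name)
    candidate = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    candidate += timedelta(days=(target - now.weekday()) % 7)
    if candidate <= now:
        candidate += timedelta(days=7)
    return candidate


def clamped(year, month, day, hour, minute):
    """Use the last day of the month when the month is shorter than `day`."""
    last_day = calendar.monthrange(year, month)[1]
    return datetime(year, month, min(day, last_day), hour, minute)


def next_monthly(now, day, hour, minute):
    validate_time(hour, minute)
    if not 1 <= day <= 31:
        raise ValueError("day of month must be between 1 and 31")
    candidate = clamped(now.year, now.month, day, hour, minute)
    if candidate <= now:
        if now.month == 12:
            year, month = now.year + 1, 1
        else:
            year, month = now.year, now.month + 1
        candidate = clamped(year, month, day, hour, minute)
    return candidate


if __name__ == "__main__":
    now = datetime(1995, 2, 20, 15, 0)  # constructed "current time", a Monday
    print(next_daily(now, 2, 0))
    print(next_weekly(now, "Sunday", 2, 0))
    print(next_monthly(now, 31, 2, 0))
```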
Selecting Volumes for Periodic Scanning
You can select the network volumes you want to scan in
periodic scanning. These apply to the periodic scan only,
and do not change the currently selected volumes for
immediate or on access scanning. For more information, refer
to "Selecting Volumes to Scan" earlier in this chapter.
Highlight Select Volumes To Scan and press ENTER. NetShield
displays a list of currently selected volumes.
o To add a volume to the list, press INSERT. NetShield
displays a list of available volumes. Highlight the volume
you want to add, then press ENTER (to select multiple
volumes, highlight each one and press F5 to mark it, then
press ENTER). NetShield adds the selected volume(s) to the
list of volumes to scan.
o To remove a volume from the list, highlight it, press DELETE,
then choose Yes when prompted to confirm deletion.
NetShield removes the selected volume from the list of
volumes to scan.
NetShield will scan the selected volumes in subsequent
scheduled scans, including any changes you have just made.
Saving a Configuration File for Periodic Scanning
You can store NetShield scan settings that apply only to the
periodic scan in a special configuration file. By default,
NetShield uses SYS:\SYSTEM\PER$CFG.DAT. We recommend that
you use the default path so that configuration files are
easy to locate.
Configuration files for periodic scanning differ from
configuration files created according to the instructions in
"Setting Configuration File Options" later in this chapter.
They contain only the scheduled scanning date and time, plus
the volumes selected for periodic scanning.
From the Periodic Scanning menu, highlight Save Scan
Settings to File and press ENTER. NetShield prompts you to
identify the configuration file you want to save. Type the
volume, path, and name of the configuration file you want,
then press ENTER. Alternatively, to find the file:
1. Press INSERT to display a list of available volumes.
2. Highlight the volume you want, then press ENTER.
NetShield displays a list of directories (directory names
are enclosed in square brackets).
3. Highlight the directory you want, then press ENTER.
NetShield displays a list of subdirectories, files, or both.
4. If necessary, continue selecting subdirectories until you select
the one containing the configuration file you want to use.
5. Highlight the configuration file you want to use, then
press ESCAPE. NetShield displays the volume, path, and
filename you selected.
6. Press ENTER to accept this path and filename, or ESCAPE
to abandon the operation.
NetShield prompts you to accept your changes and, if you
answer Yes, saves the configuration file you specified.
Loading a Configuration File for Periodic Scanning
You can load a periodic scanning configuration file created
using the instructions in the previous section, "Saving a
Configuration File for Periodic Scanning." By default,
NetShield uses SYS:\SYSTEM\PER$CFG.DAT.
From the Periodic Scanning menu, highlight Load Scan
Settings from File and press ENTER. NetShield prompts you to
identify the configuration file you want to load. Type the
volume, path, and name of the configuration file you want,
then press ENTER. Alternatively, to find the file:
1. Press INSERT to display a list of available volumes.
2. Highlight the volume you want, then press ENTER.
NetShield displays a list of directories (directory names
are enclosed in square brackets).
3. Highlight the directory you want, then press ENTER.
NetShield displays a list of subdirectories, files, or both.
4. If necessary, continue selecting subdirectories until
you select the one containing the configuration file you
want to use.
5. Highlight the configuration file you want to use, then
press ESCAPE. NetShield displays the volume, path, and
filename you selected.
6. Press ENTER to accept this path and filename, or ESCAPE
to abandon the operation.
NetShield prompts you to accept your changes and, if you
answer Yes, loads the configuration file you specified and
uses it for subsequent scheduled scans.
Disabling Periodic Scanning
You can disable periodic scanning to halt a periodic scan in
progress or to prevent future scheduled scans.
To disable periodic scanning, highlight Scanning, then press
ENTER. NetShield displays the Scanning Frequency list.
Highlight <DISABLED>, then press ENTER.
CONFIGURING VIRUS DETECTION
You can configure NetShield to take certain actions
automatically if it finds an infected file when scanning
your network. NetShield can:
o Delete, move, or ignore infected files.
o Notify selected users and generate a message to the
NetWare system console that a virus has been found.
To configure NetShield in this way, from the NetShield Main
menu, choose Configure Virus Detection. NetShield displays
the Virus Detect Configuration menu with the following
options:
o Infected File Action
o User Contact Action
The rest of this section describes these options in detail.
SETTING THE INFECTED FILE ACTION
You can tell NetShield what to do with infected files found
during a scan. NetShield can delete them to prevent further
infection, move them to a quarantine directory for
inspection or uploading to McAfee, or do nothing but report
the infection in a log file.
From the NetShield Main menu, choose Configure Virus
Detection | Infected File Action. NetShield displays the
Select Action from List menu with the following options:
o Delete & Overwrite Infected File
o Move Infected File
o Ignore Infected file
Select the action you want from the list.
Deleting and Overwriting Infected Files
Select this option to delete infected files found during a
scan so that they cannot be recovered except from backups.
NetShield erases any infected files and writes random
characters to the disk space formerly occupied by the
infected file. As a result, this file is completely
eradicated from your network and is not recoverable by you
or other users, except from backups. This is the most secure
option, but it can prevent you from recovering an infected
file you might want to save for further inspection.
Moving Infected Files
Select this option to move infected files found during a
scan to a different directory so that you can inspect them
yourself and, if you want, upload them to McAfee for expert
inspection. To avoid a situation in which users could
inadvertently load an infected file and spread the virus,
the directory you specify should be a "quarantine directory"
to which only system administrators have access.
To specify a directory, type the volume and path of the
directory you want, then press ENTER. Alternatively, to find
the directory:
1. Press INSERT to display a list of available volumes.
2. Highlight the volume you want, then press ENTER.
NetShield displays a list of directories (directory names
are enclosed in square brackets).
3. Highlight the directory you want, then press ENTER.
NetShield displays a list of subdirectories, files, or both.
4. If necessary, continue selecting subdirectories until
you highlight the one you want to use for infected files.
5. Highlight the directory you want to use, then press
ESCAPE. NetShield displays the volume, path, and filename
you selected.
6. Press ENTER to select this directory.
NetShield prompts you to accept your changes and, if you
answer Yes, uses the directory you selected. If the
directory you specify does not exist, NetShield creates it
for you automatically.
Ignoring Infected Files
Select this option to ignore infected files found during a
scan. NetShield leaves any infected files intact on your
system, which could result in further viral infection. We
therefore recommend that you check the log files for
infected files immediately after scanning and, if found,
take steps to protect your system.
WARNING: This option is less secure than other options.
Infected files might still be copied to the server and
viruses might spread even when NetShield is active.
SETTING THE USER CONTACT ACTION
You can configure NetShield to send a broadcast message,
MHS message, or pager notification to one or more users
if infected files were found during a scan. That way, you
and others can know immediately when viruses have been detected
on your network. NetShield can also generate console messages
to the NetWare server console.
From the NetShield Main menu, choose Configure Virus
Detection | User Contact Action. NetShield displays the User
Contact Actions menu.
o Edit MHS Configuration
o Edit Pager Configuration
o Edit User Contact List
o Enable User Alarms
o Enable Console Messages
Select the options you want.
Editing the MHS Configuration
Select this option to have NetShield, if a virus is detected,
notify users automatically via e-mail. NetShield gets messages
to network administrators and support personnel using Novell's
Message Handling Service (MHS), which can route e-mail messages
throughout your network and via mail gateways to external
mail services.
Note: To use this feature, you must have Novell Basic or Global
MHS installed and running on your network, and you must have a
list of possible recipients defined within your MHS setup.
If NetShield detects a virus during volume scanning, NetShield
sends mail notifications once to selected users after scanning
is concluded. If on access scanning is enabled (see "Using On
Access Scanning" earlier in this chapter), however, NetShield
sends a notification as soon as a virus is detected. For example,
if a user copies 20 infected files, NetShield notifies active
users with 20 different messages in rapid succession.
To prevent a backlog of redundant messages, you can set a
Minimum Notification Interval (MNI), in minutes, that NetShield
will wait before sending a new notification. For example, if
the MNI is set to 5 and all 20 infected files are copied
within 5 minutes, NetShield sends only one message. If it takes
16 minutes to copy all 20 files, NetShield sends 3 rounds of
messages.
From the User Contact Actions menu, choose Edit MHS Configuration.
NetShield displays the MHS Configuration menu with the following
options:
o Edit Master MHS User List
o Edit Active MHS User List
o Edit MHS Server Configuration
o Send Test Mail to Active List Members
o MHS Alert Status
Select the options you want.
Editing the Master MHS User List
You can create a master list of likely recipients of NetShield
notifications, such as network administrators or support staff.
You use this list to select active MHS recipients, as described in
"Editing the Active MHS User List" later in this section.
To specify users in the master list, highlight Edit Master MHS
List and press ENTER. NetShield displays a list of possible
MHS recipients.
o To add a user to the list, press INSERT. NetShield displays
a list of available users. Highlight the user you want to add,
then press ENTER. NetShield adds the selected user to the
master MHS user list.
NetShield obtains the recipient's name and mail address.
Specify a Minimum Notification Interval for the user, if you
want, or leave it unchanged to use the default interval defined
in "Editing the MHS Configuration" later in this section.
o To remove a user from the list, highlight it, then press DELETE.
NetShield deletes the selected user from the master MHS user list.
Editing the Active MHS User List
From the master list of MHS users, you can select the users
that NetShield will notify automatically if a virus is detected.
To specify the users to notify, highlight Edit Active MHS User
List and press ENTER. NetShield displays a list of users to
notify (this list is initially empty).
o To add a user to the list, press INSERT. NetShield displays
the master MHS user list. Highlight the user you want to add,
then press ENTER. NetShield adds the selected user to the list
of users to notify.
o To remove a user from the list, highlight it, then press DELETE.
NetShield deletes the selected user from the list of users to
notify.
NetShield will notify the users on this list, not on the master
MHS list.
Editing the MHS Configuration
You must supply NetShield with certain information needed to
communicate via MHS. Choose Edit the MHS Configuration and
enter the following information.
o MHS Server Name, which is the name of the server running
the MHS service.
o MHS Server User Name, which is a valid user name for the MHS
server. NetShield uses this when connecting to the MHS server.
o MHS Server Password associated with the MHS Server User Name
entered above.
o Minimum Mail Interval for NetShield to use when it is not
specified for an active user.
Press ENTER to save your changes, or ESC to exit without saving them.
Sending Test Mail to Active List Members
To verify your current MHS settings, we recommend that you
send test mail to users on the active list. Choose Send Test Mail
to Active List Members, and NetShield will send a message to every
user on the list.
Setting the MHS Alert Status
Select this option to activate or disable the MHS alert feature.
To change the current setting, highlight MHS Alert Status,
press ENTER, then choose <ENABLED> or <DISABLED> from the prompt.
Editing the Pager Configuration
Select this option to have NetShield, if a virus is detected,
notify users immediately via pagers. NetShield dials standard
pager numbers and sends your message to selected network
administrators and support personnel.
Note: To use this feature, you must have a Hayes-compatible
modem installed, running, and accessible on your NetShield server.
If NetShield detects a virus during volume scanning, NetShield
sends page notifications once to selected users after scanning
is concluded. If on access scanning is enabled (see "Using On
Access Scanning" earlier in this chapter), however, NetShield
sends a notification as soon as a virus is detected.
For example, if a user copies 20 infected files, NetShield
notifies active users with 20 different pages in rapid succession.
To prevent a backlog of redundant pager notifications, you can
set a Minimum Notification Interval (MNI), in minutes, that
NetShield will wait before sending a new notification. For example,
if the MNI is set to 5 and all 20 infected files are copied within
5 minutes, NetShield sends only one pager notification. If it
takes 16 minutes to copy all 20 files, NetShield sends 3 rounds
of pager notifications.
If NetShield cannot get a dial tone for the configured modem,
it waits 3 minutes and retries. After 3 unsuccessful attempts,
NetShield displays an error message on screen and, if enabled,
displays it on the server console and writes it to the log file.
From the User Contact Actions menu, choose Edit Pager Configuration.
NetShield displays the Pager Configuration menu with the
following options:
o Edit Master Pager User List
o Edit Active Pager User List
o Edit Pager Configuration
o Test Selected Pagers
o Pager Alert Status
Select the options you want.
Editing the Master Pager User List
You can create a master list of likely recipients of NetShield
notifications, such as network administrators or support staff.
You use this list to select active pager recipients, as described
in "Editing the Active Pager User List" later in this section.
To specify users in the master list, highlight Edit Master Pager
List and press ENTER. NetShield displays a list of possible pager
recipients (this list is initially empty).
o To add a user to the list, press INSERT. NetShield displays
the Enter Pager Record menu. Enter the name of the person to page,
their Minimum Notification Interval (optional), and a dial
string, which has the following format:
   o Dial Prefix, such as 9 to get an outside line (required
   for some phone systems)
   o Area Code
   o Phone Number (without hyphens, periods, or parentheses)
   o Delay, using commas, each of which sets a 2-second delay
   (required by some pager services, and varying from service
   to service)
   o Personal Identification Number (PIN) (required by some
   pager services)
   o Message (up to 40 characters)
Here is an example dial string:
9,1,8007597243,,,9999999#,,,222#,#
This string dials 9 to get an outside line, dials an
800 number, pauses for 6 seconds, enters a PIN (of 9999999),
pauses another 6 seconds, enters a message of "222" that
terminates with the pound sign (#, which is required for
some pager services), waits 2 seconds, and terminates
the call with the pound sign (again, required for some
pager services).
Press ENTER to save your changes, or ESC to exit without
saving them.
o To remove a user from the list, highlight it, then press DELETE.
NetShield deletes the selected user from the master pager list.
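The dial-string format described above can be checked before it is typed into the Enter Pager Record menu. The following is an added example, not McAfee code: it splits a dial string into dial and pause steps using the 2-second-per-comma rule from this section. The allowed character set (digits, #, * and commas) is an assumption made for the example.

```python
import re

PAUSE_PER_COMMA = 2  # seconds per comma, as stated in this section
# Assumption for this example: tone-dial digits, '#', '*' and commas only.
# Hyphens, periods and parentheses are rejected, as the manual requires.
ALLOWED = re.compile(r"[0-9#*,]+")


def parse_dial_string(dial):
    """Split a dial string into ("dial", digits) and ("pause", seconds) steps."""
    if not ALLOWED.fullmatch(dial):
        bad = sorted(set(re.sub(r"[0-9#*,]", "", dial)))
        raise ValueError("characters not allowed in a dial string: %r" % bad)
    steps = []
    # A run of commas is one pause; anything between commas is dialed as-is.
    for token in re.findall(r",+|[^,]+", dial):
        if token.startswith(","):
            steps.append(("pause", len(token) * PAUSE_PER_COMMA))
        else:
            steps.append(("dial", token))
    return steps


def total_pause(dial):
    """Total seconds the modem spends waiting while sending this string."""
    return sum(value for kind, value in parse_dial_string(dial) if kind == "pause")


if __name__ == "__main__":
    example = "9,1,8007597243,,,9999999#,,,222#,#"  # the manual's example string
    for step in parse_dial_string(example):
        print(step)
    print("total pause (s):", total_pause(example))
```

Run against the manual's example string, this also counts the single commas after the dial prefix and after the 1, each of which adds its own 2-second pause.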
Editing the Active Pager User List
From the master list of pagers, you can select the users that
NetShield will notify automatically if a virus is detected.
To specify the users to notify, highlight Edit Active Pager User
List and press ENTER. NetShield displays a list of users to
notify (this list is initially empty).
o To add a user to the list, press INSERT. NetShield displays
the master pager list. Highlight the user you want to add,
then press ENTER. NetShield adds the selected user to the
list of users to notify.
o To remove a user from the list, highlight it, then press
DELETE. NetShield deletes the selected user from the list
of users to notify.
NetShield will notify the users on this list, not on the master
pager list.
Editing the Pager Configuration
You must supply NetShield with certain information needed to
communicate with pagers via modem. Choose Edit the Pager
Configuration and enter the following information:
o Communications Board Number, as defined by the AIOCOMX.NLM
utility, which determines the board number of the modem
installed on your NetShield server machine.
o Port Number, as defined by the AIOCOMX.NLM utility, which
determines the port number of the modem installed on your
NetShield server machine.
o Minimum Notification Interval for NetShield to use when
it is not specified for an active user.
Press ENTER to save your changes, or ESC to exit without saving them.
Sending a Test Page to Active List Members
To verify your current pager settings, we recommend that you send
a test page to users on the active list. Choose Send Test Page
to Active List Members, and NetShield will send a message to
every pager on the list.
Setting the Pager Alert Status
Select this option to activate or disable the pager alert feature.
To change the current setting, highlight Pager Alert Status,
press ENTER, then choose <ENABLED> or <DISABLED> from the prompt.
Editing the User Contact List
You can have NetShield notify certain users via a broadcast message
if viruses have been found. To specify the users to notify,
highlight Edit User Contact List and press ENTER. NetShield
displays a list of users to notify.
o To add a user to the list, press INSERT. NetShield displays
a list of available network users. Highlight the user you
want to add, then press ENTER. NetShield adds the selected
user to the list of users to notify.
o To remove a user from the list, highlight it, then press DELETE.
NetShield deletes the selected user from the list of users to
notify.
NetShield will notify the users on this list if viruses are found
in future scans, including any changes you have just made.
Enabling User Alarms
You can tell NetShield whether to inform selected users that
infected files were found during a scan. You might want to
disable this capability if, for security reasons, you do not
want users to know that viruses have been found. However, if
you disable this feature, be sure to inspect the log file
immediately after each scan so that you know whether your
network has been infected.
To change the current setting, highlight Enable User Alarms,
type Y (for Yes) or N (for No), then press ENTER.
Enabling Console Messages
You can tell NetShield whether to display messages about
infected files on the NetWare system console. This provides
an alternative method for alerting system administrators and
maintains an audit trail for further investigation into
virus incidents. For more information about NetWare server
console messages, refer to your NetWare documentation.
To change the current setting, highlight Enable Console
Messages, type Y (for Yes) or N (for No), then press ENTER.
CONFIGURING NETSHIELD NLM
You can configure NetShield to:
o Save and load configuration files containing frequently-
used NetShield settings.
o Exclude directories from scanning.
o Regulate server performance by assigning CPU processing
priority to NetShield.
o Perform CRC validation to detect new or unknown viruses.
o Perform cross-server updating of NetShield data files.
o Protect NetShield from unauthorized unloading by
assigning a password.
From the NetShield Main menu, choose Configure NetShield
NLM. NetShield displays the NetShield NLM Configuration menu
with the following options:
o Configuration File Options
o Configure Excluded Directories
o NetShield Delay Factor
o CRC Configuration Options
o Password Configuration
o Edit Cross-Server Updating
The rest of this section describes these options in detail.
SETTING CONFIGURATION FILE OPTIONS
You can store current NetShield configuration information in
a disk file that you can later load as needed. You can also
obtain a copy of the current configuration settings by
printing a report or saving them to an ASCII text file.
A NetShield configuration file stores configuration
information in a proprietary binary format and contains
settings information such as the selected volumes to scan,
periodic scan settings, logging, CRC checking, and other
NetShield settings (you can print a list of current
settings). Passwords are encrypted.
From the NetShield Main menu, choose Configure NetShield NLM
| Configuration File Options. NetShield displays the
Configuration File Management Options menu with the
following options:
o Load Configuration Settings From File
o Save Configuration Settings To File
o Write Configuration Report To File
o Print Current Configuration Settings
Select the options you want.
Loading Configuration Settings from a File
Select this option to load a configuration file from disk.
NetShield prompts you to identify the configuration file you
want to load. By default, NetShield uses
SYS:\SYSTEM\VIR$CFG.DAT. We recommend that you use the
default path so that the configuration files are easy to
locate if you need to investigate a problem.
Type the volume, path, and name of the configuration file
you want, then press ENTER. Alternatively, to find the file:
1. Press INSERT to display a list of available volumes.
2. Highlight the volume you want, then press ENTER.
NetShield displays a list of directories (directory names
are enclosed in square brackets).
3. Highlight the directory you want, then press ENTER.
NetShield displays a list of subdirectories, files, or both.
4. If necessary, continue selecting subdirectories until
you select the one containing the configuration file you
want to use.
5. Highlight the configuration file you want to use, then
press ESCAPE. NetShield displays the volume, path, and
filename you selected.
6. Press ENTER to accept this filename, or ESCAPE to
abandon the operation.
NetShield prompts you to accept your changes and, if you
answer Yes, loads the configuration file you specified and
uses it for subsequent scans.
Saving Configuration Settings to a File
Select this option to save a configuration file to disk.
NetShield prompts you to identify the name and path of the
configuration file you want to save. By default, NetShield
uses SYS:\SYSTEM\VIR$CFG.DAT. We recommend that you use the
default path so that the configuration files are easy to
locate if you need to investigate a problem.
Type the volume, path, and name of the configuration file
you want, then press ENTER. Alternatively, to find the file:
1. Press INSERT to display a list of available volumes.
2. Highlight the volume you want, then press ENTER.
NetShield displays a list of directories (directory names
are enclosed in square brackets).
3. Highlight the directory you want, then press ENTER.
NetShield displays a list of subdirectories, files, or both.
4. If necessary, continue selecting subdirectories until
you select the one containing the configuration file you
want to use.
5. Highlight the configuration file you want to use, then
press ESCAPE. NetShield displays the volume, path, and
filename you selected.
6. Press ENTER to accept this filename, or ESCAPE to
abandon the operation.
NetShield prompts you to accept your changes and, if you
answer Yes, writes configuration information to the file you
specified.
Writing the Configuration Report to a File
Select this option to save the configuration report in an
ASCII text file. NetShield prompts you to identify the name
and path of the report file you want to create. By default,
NetShield uses SYS:\SYSTEM\VIR$CFG.RPT. We recommend that
you use the default path so that report files are easy to
locate.
Type the volume, path, and name of the report file you want,
then press ENTER. Alternatively, to find the file:
1. Press INSERT to display a list of available volumes.
2. Highlight the volume you want, then press ENTER.
NetShield displays a list of directories (directory names
are enclosed in square brackets).
3. Highlight the directory you want, then press ENTER.
NetShield displays a list of subdirectories, files, or both.
4. If necessary, continue selecting subdirectories until
you select the one containing the configuration file you
want to use.
5. Highlight the configuration file you want to use, then
press ESCAPE. NetShield displays the volume, path, and
filename you selected.
6. Press ENTER to accept this filename, or ESCAPE to
abandon the operation.
NetShield prompts you to accept your changes and, if you
answer Yes, writes configuration information to the report
file you specified. If the report file exists, NetShield
overwrites it.
Printing Current Configuration Settings
Select this option to send a report of the current
configuration settings to a network printer queue. NetShield
displays a list of available print queues. Highlight the
queue you want, then press ENTER to select it. NetShield
sends the report to the queue you selected.
CONFIGURING EXCLUDED DIRECTORIES
You can exclude selected directories from scanning if you
want to reduce scanning time and you are confident that such
directories are unlikely to be infected by a virus. For
example, because most viruses infect executable files, you
might want to exclude directories that contain only data
files.
From the NetShield Main menu, choose Configure NetShield NLM
| Configure Excluded Directories. NetShield displays the
Configure Excluded Directories menu with the following
options:
o Edit List of Excluded Directories
o Apply Exclusion List to All Scans
The rest of this section describes these options in detail.
Selecting Directories to Exclude
Select this option to change the list of directories to
exclude from scanning. To specify a directory to exclude,
type the volume and path of the directory you want, then
press ENTER. Alternatively, to find a directory:
1. Press INSERT to display a list of available volumes.
2. Highlight the volume you want, then press ENTER.
NetShield displays a list of directories (directory names
are enclosed in square brackets).
3. Highlight the directory you want, then press ENTER.
NetShield displays a list of subdirectories, files, or both.
4. If necessary, continue selecting subdirectories until
you highlight the one you want to exclude from scanning.
5. Highlight the directory you want to use, then press
ESCAPE. NetShield displays the volume, path, and filename
you selected.
6. Press ENTER to select this directory.
NetShield prompts you to accept your changes and, if you
answer Yes, adds the selected directory to the list of
excluded directories.
To remove a directory from the list, highlight it, then
press DELETE. NetShield deletes the selected directory from
the list of directories to exclude.
If the exclusion list is enabled (for more information,
refer to the next section), NetShield will exclude
directories from scanning using this list, including any
changes you have just made.
Applying the Exclusion List to All Scans
Select this option to ignore, during scanning, the
directories in the exclusion list. To change the current
setting, highlight Apply Exclusion List to All Scans, press
ENTER, then choose <ENABLED> or <DISABLED> from the prompt.
SETTING THE DELAY FACTOR
You can regulate server performance during scanning by
controlling the amount of CPU time that NetShield uses to
conduct the scan. The lower the delay, the more CPU time is
devoted to carrying out the scan operation.
From the NetShield Main menu, choose Configure NetShield NLM
| NetShield Delay Factor. NetShield prompts you to enter a
priority. The default delay factor is 3. Type a number
between 1 and 100, inclusive, then press ENTER.
o If you choose a delay setting of 1, which is the most CPU-
intensive, 40-50% CPU usage is added and approximately one
file is scanned per second. We recommend using higher
settings during periods of low network traffic.
o If you choose a delay setting of 100, which is the least
CPU-intensive, 1-2% CPU usage is added and one file is
scanned approximately every 10 seconds. We recommend using
lower settings during periods of high network traffic.
NetShield uses the delay factor you specified.
SETTING CRC CONFIGURATION OPTIONS
If your environment is highly vulnerable to viruses, or you
require additional security against them, you can use
NetShield's CRC (Cyclic Redundancy Check) checking option to
detect infection by new and unknown viruses. NetShield can
assign validation codes to files, then use those codes to
detect file changes and warn that infection by an unknown
virus may have occurred. NetShield stores validation
information in an encrypted database file.
The use of CRC validation codes requires an ongoing effort
to store and maintain the codes. For example, if you install
new programs or upgrade old ones, you should remove all the
validation codes, then add them again to restore them. If
you install new software, or upgrade your DOS or NetWare
version, remember to update your recovery file.
Because the validation codes will change whenever a file is
updated, we recommend using CRC checks only in stable
environments where few software updates are performed. In
addition, consider excluding any directories containing data
files that are frequently updated. To exclude directories
from scanning, refer to "Configuring Excluded Directories"
earlier in this chapter.
Warning: Some programs are self-modifying or self-checking
(most programs that do this will tell you to turn off your
anti-virus software before running them). Such software
deliberately changes its own program file, often to protect
against viruses or illegal copying, and is therefore difficult
to validate in conventional ways.
If you use NetShield's CRC validation checking, these programs
can trigger false alarms, and NetShield may report a virus
in a file that is not infected. To prevent this from occurring,
be sure to exclude directories containing these files, as described
in "Configuring Excluded Directories" earlier in this chapter.
From the NetShield Main menu, choose Configure NetShield NLM
| CRC Configuration Options. NetShield displays the CRC
Configuration Options menu with the following options.
o Add CRC Code To External File
o Verify CRC Code From External File
o Remove CRC Code From External File
o Edit External File Name
Select the options you want.
NOTE: You can enable only one of the options (Add, Verify,
and Remove) at a time during a scan. If you enable one
option, NetShield automatically disables any other enabled option.
Adding CRC Code to an External File
Select this option to tell NetShield to add CRC validation
codes to the external database file during the next scan.
Any previous validation codes should be removed from the
selected database file before proceeding. We recommend
disabling this option once the validation codes have been
added.
To change the current setting, highlight Add CRC Code To
External File, press ENTER, then choose <ENABLED> or
<DISABLED> from the prompt.
Verifying CRC Code from an External File
Once you have added CRC validation codes to the database,
select this option to tell NetShield to check for validation
codes in subsequent scans and, if files have changed, to
warn that infection by an unknown virus may have occurred.
To change the current setting, highlight Verify CRC Code
From External File, press ENTER, then choose <ENABLED> or
<DISABLED> from the prompt.
Removing CRC Code from an External File
Once you have added CRC validation codes to the database,
select this option to tell NetShield to remove them during
the next scan from the selected database file. You normally
do this if you have added or upgraded software on your
network and need to re-add validation codes.
To change the current setting, highlight Remove CRC Code
From External File, press ENTER, then choose <ENABLED> or
<DISABLED> from the prompt.
Selecting the Name of the External File
By default, the database file used to store CRC validation
codes is named VIR$CRC.DAT, which is stored in the same
directory as the NETSHLD.NLM file. You can change the name
and location of the database file as needed.
Type the volume, path, and name of the validation database
file you want, then press ENTER. Alternatively, to find the file:
1. Press INSERT to display a list of available volumes.
2. Highlight the volume you want, then press ENTER.
NetShield displays a list of directories (directory names
are enclosed in square brackets).
3. Highlight the directory you want, then press ENTER.
NetShield displays a list of subdirectories, files, or both.
4. If necessary, continue selecting subdirectories until
you select the one containing the validation database file
you want to use.
5. Highlight the database validation file you want to use,
then press ESCAPE. NetShield displays the volume, path,
and filename you selected.
6. Press ENTER to accept this filename, or ESCAPE to
abandon the operation.
NetShield prompts you to accept your changes and, if you
answer Yes, uses the validation database file you specified.
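The Add, Verify, and Remove cycle described in this section can be illustrated with a short script. This is an added example, not NetShield's implementation: it uses CRC-32 from Python's zlib and an unencrypted JSON file as the external database, both of which are assumptions, and the sample volume, file names and contents are constructed for the demonstration.

```python
import json
import os
import tempfile
import zlib

MODES = ("add", "verify", "remove")  # the manual allows only one per scan


def crc32_of(path, chunk=65536):
    """CRC-32 of a file, read in chunks so large files are not loaded whole."""
    crc = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


def walk(root, excluded=()):
    """Yield (key, path) for files under root, pruning excluded directories."""
    skip = {os.path.abspath(d) for d in excluded}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames
                             if os.path.abspath(os.path.join(dirpath, d)) not in skip)
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def scan(root, db_path, mode, excluded=()):
    """Run one scan in a single mode; return a list of (file, finding)."""
    if mode not in MODES:
        raise ValueError("mode must be one of %r" % (MODES,))
    db = {}
    if os.path.exists(db_path):
        with open(db_path) as fh:
            db = json.load(fh)
    findings, seen = [], set()
    for key, path in walk(root, excluded):
        seen.add(key)
        if mode == "add":
            db[key] = crc32_of(path)
        elif mode == "remove":
            db.pop(key, None)
        elif key not in db:
            findings.append((key, "no validation code"))
        elif db[key] != crc32_of(path):
            findings.append((key, "changed"))
    if mode == "verify":
        # Files that have a stored code but were not found during the scan.
        findings += [(k, "missing") for k in sorted(db) if k not in seen]
    else:
        with open(db_path, "w") as fh:
            json.dump(db, fh, indent=1, sort_keys=True)
    return findings


def demo():
    """Constructed sample volume: baseline, modify, verify, then re-baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        vol = os.path.join(tmp, "VOL1")
        db = os.path.join(tmp, "crc_codes.json")  # kept outside the scanned tree
        for rel, data in (("APPS/TOOL.EXE", b"MZ original program"),
                          ("APPS/EDIT.COM", b"\xe9 original program"),
                          ("DATA/LEDGER.DBF", b"row 1")):
            full = os.path.join(vol, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        excluded = [os.path.join(vol, "DATA")]  # frequently updated data files
        scan(vol, db, "add", excluded)
        clean = scan(vol, db, "verify", excluded)
        with open(os.path.join(vol, "APPS", "TOOL.EXE"), "ab") as fh:
            fh.write(b" + appended bytes")       # program file modified
        with open(os.path.join(vol, "DATA", "LEDGER.DBF"), "ab") as fh:
            fh.write(b"row 2")                    # routine update, excluded
        alert = scan(vol, db, "verify", excluded)
        scan(vol, db, "remove", excluded)         # after an upgrade: remove codes
        scan(vol, db, "add", excluded)            # then add them again
        rebased = scan(vol, db, "verify", excluded)
    return clean, alert, rebased


if __name__ == "__main__":
    print(demo())
```

A CRC detects that a file changed but is not tamper-resistant, and a baseline kept in a plain file is only as trustworthy as the access controls on it. A present-day baseline would store a cryptographic hash such as SHA-256 and protect the database from the users whose files it covers.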
SETTING THE UNLOAD PASSWORD
You can assign a password to NetShield to ensure that only
authorized users can unload NetShield once it has been
loaded. The password is not case-sensitive, can be up to 40
characters long, and can be any mix of alphanumeric and
punctuation characters. The default NLM password is:
NETSHIELD. The password is encrypted.
From the NetShield Main menu, choose Configure NetShield NLM
| Password Configuration. NetShield displays the Password
Configuration menu with the following options:
o Change Existing Password
o Password Enable Status
The rest of this section describes these options in detail.
Changing the Existing Password
Select this option to add or change the unload password.
Enter the current password, if any, then enter the new
password (or leave it blank to remove the password). Be sure
to write down your new password and store it in a secure
location.
Enabling the Unload Password
Select this option to force users to enter the unload
password before exiting NetShield. To change the current
setting, highlight Password Enable Status, press ENTER, then
choose <ENABLED> or <DISABLED> from the prompt.
USING CROSS-SERVER UPDATING
McAfee releases updates of the NetShield data files
(SCAN.DAT and NAMES.DAT) regularly, usually monthly, to
detect new viruses and variants of old ones. When you
download updates of NetShield data files from McAfee, you
can use NetShield's cross-server updating feature to
automatically upgrade NetShield data files everywhere
NetShield is installed on your network. Cross-server
updating saves you the effort of performing this task
manually for each server.
For cross-server updating to work for all NetShield servers
on your network, you must enable it for each NetShield
installation. Once enabled, NetShield periodically sends a
message to other servers, via NetWare's Service Advertising
Protocol (SAP), that requests each server to indicate its
version of the data files. NetShield retrieves these
messages from other servers and, if another NetShield
installation has a more recent version of the data files,
obtains these files immediately from the other installation.
In this way, you can update the data files on one server and
have them propagate automatically to all servers.
To change the current cross-server update settings, from the
NetShield Main menu, choose Configure NetShield NLM | Edit
Cross-Server Updating. NetShield displays the Edit Cross-
Server Updating menu with the following options:
o Set Frequency
o Cross-Server Update Status
To set the frequency with which NetShield will query other
NetShield installations for their data file versions, choose
Set Frequency and enter the time interval, in minutes (up to
25 minutes). For example, if you entered 10, NetShield would
query other servers every ten minutes.
To activate or disable cross-server updating, choose Cross-
Server Update Status, then choose <ENABLED> or <DISABLED>
from the prompt.
For more information about NetShield updates, refer to
"Updating NetShield Regularly" in Chapter 2, "Installation
and Setup."
CONFIGURING VIRUS REPORTING
NetShield can keep a log of scans and infections found. You
can view this log on screen, print it, or discard it. We
recommend that you use NetShield's logging feature so that
you have an audit trail to assist in your investigation of
virus incidents.
From the NetShield Main menu, choose Configure Virus
Reporting. NetShield displays the Virus Reporting Options
menu with the following options.
o Configure Log File Settings
o Select Log File Reports
The rest of this section describes these options in detail.
SETTING UP THE LOG FILE
NetShield can record the results of scanning (immediate, on-access,
and periodic scans) in a log file that you can later use for
auditing your system and investigating problems. NetShield
appends log information to the log file, including the date
and time the scan was run and, if viruses are detected, an
entry for each file suspected to contain a virus (name, location,
and virus name).
From the NetShield Main menu, choose Configure Virus
Reporting | Configure Log File Settings. NetShield displays
the Log File Configuration Options menu with the following options:
o Enter Log File Path
o Enable Logging To Log File
Entering the Log File Path
Select this option to specify the name and location of the
log file. If the log file has not been configured, the
default filename is VIR$LOG.DAT.
Type the volume, path, and name of the log file you want,
then press ENTER. Alternatively, to find the file:
1. Press INSERT to display a list of available volumes.
2. Highlight the volume you want, then press ENTER.
NetShield displays a list of directories (directory names
are enclosed in square brackets).
3. Highlight the directory you want, then press ENTER.
NetShield displays a list of subdirectories, files, or both.
4. If necessary, continue selecting subdirectories until
you select the one containing the log file you want to use.
5. Highlight the log file you want to use, then press
ESCAPE. NetShield displays the volume, path, and filename
you selected.
6. Press ENTER to accept this filename, or ESCAPE to
abandon the operation.
NetShield prompts you to accept your changes and, if you
answer Yes, uses the log file you specified. If the file
does not exist, NetShield creates it automatically. If the
file exists, NetShield prompts you to overwrite the file or
append new information to it.
Enabling Logging to a Log File
We recommend that logging is enabled whenever you scan so
that you have an audit trail of infections found. If necessary,
you can disable logging by selecting this option.
To change the current setting, highlight Enable Logging to a
Log File, press ENTER, then choose <ENABLED> or <DISABLED>
from the prompt.
SELECTING LOG FILE REPORTS
If logging is enabled, NetShield can display, print, or
discard the contents of the currently selected log file.
From the NetShield Main menu, choose Configure Virus
Reporting | Select Log File Reports. NetShield displays the
Select Log File Reports menu with the following options:
o View Contents of Log File
o Print Contents of Log File
Select the options you want.
Viewing the Log
Select this option to display the current log file and
peruse its contents in a scrollable window.
Use these keys to navigate the scrollable window:
o HOME moves the cursor to the beginning of the line.
o END moves the cursor to the end of the line.
o PGUP and PGDN display the log file one screen at a time.
o ESCAPE exits the scrollable window.
Printing the Log
Select this option to print the current log file for future
reference. NetShield displays a list of available print queues.
Highlight the queue you want, then press ENTER to select it.
NetShield sends the log report to the queue you selected and
displays a message verifying that the report was sent.
CONFIGURING NETWORK SECURITY
For highly secure networks, NetShield can detect and log any
attempts to write to read-only directories, such as
directories containing application executables. This log
provides additional information about possible sources of
viral infection on your network.
You can also suspend read-only protection for authorized
users to make changes to monitored directories, such as
installing or upgrading software. Password protection
ensures centralized control over access to these
directories.
To use network security, you configure NetShield by
selecting the directories, file extensions, and users to
monitor, then you activate network security monitoring.
ENTERING A PASSWORD
Network security is password-protected to ensure that only
authorized users have access. The default password is:
login admin
You should change this password when you run NetShield for
the first time. For instructions, refer to "Changing the
Network Security Password" later in this section.
From the NetShield Main menu, choose Configure Network
Security. NetShield prompts you to enter a password. Type
the password (which is not case-sensitive), then press
ENTER. NetShield displays the Configure Network Security
menu with the following options:
o Edit Network Security Configuration
o Set Path for Log File
o Save Current Configuration To A File
o Restore Current Configuration From A File
o Current Network Security Status
The rest of this section describes these options in detail.
EDITING THE NETWORK SECURITY CONFIGURATION
You can configure NetShield to:
o Monitor disk write attempts for files with specific extensions.
o Monitor specific directories for write attempts.
o Exclude files from monitoring.
o Monitor selected administrators for write attempts.
o Permit only selected users to write to monitored directories.
You can also save and load configuration settings in a file.
For more information, refer to "Saving the Current
Configuration" and "Loading a Configuration" later in this
chapter.
From the NetShield Main menu, choose Configure Network
Security | Edit Network Security Configuration. NetShield
displays the Network Security Configuration Options menu
with the following options:
o Create File and Extension Master List
o Select Entries To Monitor From Master List
o Select Files to be Excluded from Monitoring
o Select Directories To Monitor for All Users
o Change Monitored Users
o Change Temporary Authorization
o Change Network Security Password
Select the options you want.
Creating a Master List of Files and File Extensions
Select this option to manage the master list of files and
file extensions to monitor. For example, you might want
NetShield to monitor all executable files by adding the COM,
EXE, SYS, BIN, OVL, or DLL extensions to the list. You will
use this master list in the next section, "Selecting Entries
to Monitor."
From the Configure Network Security menu, choose Edit
Network Security Configuration | Create File and Extension
Master List. NetShield displays the current master list.
o To add an extension to the list, press INSERT, type a
period (required) and a new extension (up to 3 letters),
then press ENTER. NetShield adds the new extension to the
master list. If you want NetShield to monitor this
extension, however, you must add it to another list. For
more information, refer to the next section "Selecting
Entries to Monitor."
o To add a file to the list, press INSERT, type the full
file name (name, period, and extension), then press ENTER.
NetShield adds the new file to the master list. If you
want NetShield to monitor this file, however, you must add
it to another list. For more information, refer to the
next section "Selecting Entries to Monitor."
o To remove a file or file extension from the list,
highlight it, then press DELETE. NetShield deletes the
selected entry.
Once you have selected the extensions you want for the
master list, you must then select the extensions you want
NetShield to monitor while scanning.
Selecting Entries to Monitor
From the master list of files and file extensions, you can
select the list of entries that NetShield will monitor for
unauthorized write attempts. At a minimum, consider
specifying standard executable file extensions (EXE, COM,
SYS, BIN, OVL, and DLL). When a file is copied to a
monitored directory, NetShield determines whether the copied
file or its extension exists in the list of monitored
entries and, if so, NetShield creates an entry in the log file.
From the Configure Network Security menu, choose Edit
Network Security Configuration | Select Entries To Monitor
From Master List. NetShield displays the current list of
monitored files and file extensions.
o To add an entry to the list, press INSERT. NetShield displays
the master list of available files and file extensions.
Highlight the entry you want, then press ENTER. NetShield adds
the new entry to the list of entries to monitor.
o To remove an entry from the list, highlight it, then
press DELETE. NetShield deletes the selected entry from
the list of entries to monitor. However, deleting it from
this list does not remove it from the master list.
NetShield will monitor files with the selected name or
extension in the list, including any changes you have just made.
Selecting Files to be Excluded from Monitoring
You can exclude certain files and file extensions from
monitoring, such as a backup file that is frequently updated.
From the Configure Network Security menu, choose Edit
Network Security Configuration | Select Files To Be Excluded
From Monitoring. NetShield displays the current list of
excluded files.
To specify a file or file extension to exclude from
monitoring, type its name, path, and extension, then press
ENTER. Alternatively, to find a file:
1. Press INSERT to display a list of available volumes.
2. Highlight the volume you want, then press ENTER.
NetShield displays a list of directories (directory names
are enclosed in square brackets).
3. Highlight the directory you want, then press ENTER.
NetShield displays a list of subdirectories, files, or both.
4. If necessary, continue selecting subdirectories until
you highlight the one you want to exclude.
5. Highlight the file you want to exclude, then press
ESCAPE. NetShield displays the volume, path, and filename
you selected.
6. Press ENTER to select this file.
NetShield prompts you to accept your changes and, if you
answer Yes, adds the selected file to the list of
excluded files.
To remove a file from the list, highlight it, then
press DELETE. NetShield deletes the selected file from
the list of excluded files.
NetShield will exclude from monitoring the files and file
extensions you selected.
Selecting Directories to Monitor for All Users
You can select the directories that NetShield will protect
and monitor for unauthorized write attempts. For example,
you might want to monitor directories that contain
application executables.
From the Configure Network Security menu, choose Edit
Network Security Configuration | Select Directories To
Monitor for All Users. NetShield displays the current list
of monitored directories.
To specify a directory to include, type the volume and path
of the directory you want, then press ENTER. Alternatively,
to find a directory:
1. Press INSERT to display a list of available volumes.
2. Highlight the volume you want, then press ENTER.
NetShield displays a list of directories (directory names
are enclosed in square brackets).
3. Highlight the directory you want, then press ENTER.
NetShield displays a list of subdirectories, files, or both.
4. If necessary, continue selecting subdirectories until
you highlight the one you want to use for monitored files.
5. Highlight the directory you want to use, then press
ESCAPE. NetShield displays the volume, path, and filename
you selected.
6. Press ENTER to select this directory.
NetShield prompts you to accept your changes and, if you
answer Yes, adds the selected directory to the list of
directories to monitor.
To remove a directory from the list, highlight it, then
press DELETE. NetShield deletes the selected directory from
the list of directories to monitor.
NetShield will monitor directories using this list,
including any changes you have just made.
Changing Monitored Users
You can select the administrators that NetShield will
restrict for write attempts to all volumes and directories.
From the Configure Network Security menu, choose Edit
Network Security Configuration | Change Monitored Users.
NetShield displays the list of currently restricted users.
o To add a user to the list, press INSERT. NetShield
displays a list of available users, as shown in the
following example:
<SystemAdministrators>
{UsersNotInAnyGroups}
[EVERYONE]
[WORDPROCESSING]
Highlight a group, then press ENTER. NetShield displays a
list of users for that group. Highlight a user you want to
restrict, then press ENTER. NetShield adds the selected
user to the list of restricted users.
o To remove a user from the list, highlight it, then press
DELETE. NetShield deletes the selected user name from the
list of restricted users.
NetShield will monitor only users and groups in this list,
including any changes you have just made.
Authorizing Temporary Access to Monitored Directories
You can suspend, for a brief time, read-only protection on
monitored directories so that authorized users can make
changes. For example, you might want to allow one or more
administrators to install or upgrade software in a monitored
directory.
From the Configure Network Security menu, choose Edit
Network Security Configuration | Change Temporary
Authorization. NetShield displays the Change Temporary
Authorization menu with the following options:
o Change Temporary Authorization List
o Enable Administrative Access
Select the options you want.
Specifying Temporary Authorized Administrators
Select this option to allow certain administrators to write
to monitored directories during temporary authorization. You
select from the list of monitored users. For more
information, refer to the previous section, "Changing
Monitored Users."
From the Configure Network Security menu, choose Edit
Network Security Configuration | Change Temporary
Authorization | Change Temporary Authorization List.
NetShield displays the list of currently monitored users.
o To add a monitored user to the temporary authorization
list, press INSERT. NetShield displays a list of monitored
users. Highlight a user, then press ENTER. NetShield adds
the selected user to the list of temporarily authorized
administrators.
o To remove a user from the list, highlight it, then press
DELETE. NetShield deletes the selected user name from the
list of temporarily authorized administrators.
NetShield will permit access to protected directories only
to users in this list, including any changes you have just
made.
Enabling Administrative Access
Select this option to allow authorized administrators to
write to a protected directory while network security
monitoring is enabled. You might want to do this, for
example, to install or upgrade software stored in a
monitored directory.
From the Configure Network Security menu, choose Edit
Network Security Configuration | Change Temporary
Authorization | Enable Administrative Access. NetShield
prompts you to enter the number of minutes you want to
enable access.
o To enable access, type a number between 1 and 180,
inclusive, then press ENTER. NetShield displays the time
remaining for authorized administrators to update
monitored directories.
NOTE: If the administrative access time runs out while
changes are being made to monitored directories, NetShield
completes the current write operation, if any, then
prevents additional changes.
o To disable access, enter 0, the default access time.
Changing the Network Security Password
You can assign a password to NetShield to ensure that only
authorized users can access network security. The password
is not case-sensitive, can be up to forty (40) characters
long, and can be any mix of alphanumeric and punctuation
characters. The password is encrypted.
From the Configure Network Security menu, choose Edit
Network Security Configuration | Change Network Security
Password. Enter the current password, if any, then enter the
new password. Be sure to write down your new password and
store it in a secure location.
SETTING UP THE LOG FILE
NetShield can record the results of network security
monitoring in a log file that you can later use for auditing
your system and investigating problems. NetShield appends
the following information to the log file: the date and time
of the attempt as well as the user, workstation, file, and
target directory involved.
Here is a sample entry in the log file:
Wed Aug 31 17:09:14 1994
Attempt to write file XXX.EXE to
directory SYS:\SYSTEM\
on server STORM by user SUPERVISOR, ID 1
From Workstation 0000001C/0000c0cf0400 DENIED!
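The sample entry above can be parsed mechanically when auditing the network security log. The following Python code is an added example, not part of the NetShield documentation or product. It assumes every entry follows the five-line layout of the sample and reads the workstation field as network number/node address; all entries after the first are constructed.

```python
import re
from collections import Counter, namedtuple
from datetime import datetime

# Constructed sample: the first entry is the one printed in the manual; the
# others are made up in the same layout, and the last is cut short on purpose.
SAMPLE_LOG = r"""Wed Aug 31 17:09:14 1994
Attempt to write file XXX.EXE to
directory SYS:\SYSTEM\
on server STORM by user SUPERVISOR, ID 1
From Workstation 0000001C/0000c0cf0400 DENIED!
Wed Aug 31 17:12:40 1994
Attempt to write file SETUP.EXE to
directory SYS:\PUBLIC\
on server STORM by user JSMITH, ID 7
From Workstation 0000001C/0000c0cf0411 DENIED!
Thu Sep  1 08:01:02 1994
Attempt to write file LOGIN.EXE to
directory SYS:\PUBLIC\
on server STORM by user JSMITH, ID 7
From Workstation 0000001C/0000c0cf0411 DENIED!
Thu Sep  1 08:05:00 1994
Attempt to write file
"""

WriteAttempt = namedtuple(
    "WriteAttempt", "when file directory server user user_id network node result")

# A ctime-style line opens each entry (day of month may be space-padded).
TIMESTAMP = re.compile(
    r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}$")
# The remaining lines of an entry, joined with single spaces (assumed layout).
BODY = re.compile(
    r"Attempt to write file (?P<file>\S+) to "
    r"directory (?P<directory>\S+) "
    r"on server (?P<server>\S+) by user (?P<user>\S+), ID (?P<user_id>\S+) "
    r"From Workstation (?P<network>[0-9A-Fa-f]{8})/(?P<node>[0-9A-Fa-f]{12}) "
    r"(?P<result>\S+)$")


def parse_log(text):
    """Return (entries, malformed): parsed WriteAttempts and unparsed chunks."""
    chunks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not chunks:
            chunks.append([line])       # start of a new entry
        else:
            chunks[-1].append(line)     # continuation of the current entry
    entries, malformed = [], []
    for chunk in chunks:
        match = BODY.match(" ".join(chunk[1:]))
        try:
            stamp = " ".join(chunk[0].split())   # "Sep  1" -> "Sep 1"
            when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        except ValueError:
            when = None
        if match is None or when is None:
            malformed.append("\n".join(chunk))   # keep for manual review
            continue
        fields = match.groupdict()
        fields["node"] = fields["node"].lower()
        fields["result"] = fields["result"].rstrip("!").upper()
        entries.append(WriteAttempt(when=when, **fields))
    return entries, malformed


def denied_by_source(entries):
    """Count denied write attempts per (user, workstation node address)."""
    return Counter((e.user, e.node) for e in entries if e.result == "DENIED")


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    for (user, node), count in denied_by_source(parsed).most_common():
        print(f"{user:12} {node}  {count} denied write(s)")
    print(f"{len(bad)} entry(ies) could not be parsed")
```

Chunks returned as malformed are worth reviewing by hand, since they mark places where the log does not match the expected layout.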
From the Configure Network Security menu, choose Set Path
for Log File. NetShield prompts you to specify the log file
name and path. If the log file has not been configured, the
default filename is NETSHLD.LOG.
Type the volume, path, and name of the log file you want,
then press ENTER. Alternatively, to find the file:
1. Press INSERT to display a list of available volumes.
2. Highlight the volume you want, then press ENTER.
NetShield displays a list of directories (directory names
are enclosed in square brackets).
3. Highlight the directory you want, then press ENTER.
NetShield displays a list of subdirectories, files, or both.
4. If necessary, continue selecting subdirectories until
you select the one containing the log file you want to use.
5. Highlight the log file you want to use, then press
ESCAPE. NetShield displays the volume, path, and filename
you selected.
6. Press ENTER to accept this filename, or ESCAPE to
abandon the operation.
NetShield prompts you to accept your changes and, if you
answer Yes, uses the log file you specified. If the file
does not exist, NetShield creates it automatically.
SAVING THE CURRENT CONFIGURATION
Select this option to save the network security
configuration file to disk.
NOTE: The network security configuration file contains
information about your network security setup, not about
your NetShield virus protection configuration.
From the Configure Network Security menu, choose Save
Current Configuration to a File. NetShield prompts you to
identify the name and path of the configuration file you
want to save. By default, NetShield uses
SYS:\SYSTEM\NETSHLD.CFG. We recommend that you use the
default path so that the configuration files are easy to
locate if you need to investigate a problem.
Type the volume, path, and name of the network security file
you want, then press ENTER. Alternatively, to find the file:
1. Press INSERT to display a list of available volumes.
2. Highlight the volume you want, then press ENTER.
NetShield displays a list of directories (directory names
are enclosed in square brackets).
3. Highlight the directory you want, then press ENTER.
NetShield displays a list of subdirectories, files, or both.
4. If necessary, continue selecting subdirectories until
you select the one containing the configuration file you
want to use.
5. Highlight the configuration file you want to use, then
press ESCAPE. NetShield displays the volume, path, and
filename you selected.
6. Press ENTER to accept this filename, or ESCAPE to
abandon the operation.
NetShield prompts you to accept your changes and, if you
answer Yes, writes configuration information to the
configuration file you specified.
RESTORING A CONFIGURATION FROM A FILE
Select this option to load a network security configuration
file from disk.
From the Configure Network Security menu, choose Restore
Current Configuration from a File. NetShield prompts you to
identify the name and path of the configuration file you
want to load. By default, NetShield uses
SYS:\SYSTEM\NETSHLD.CFG. We recommend that you use the
default path so that the configuration files are easy to
locate if you need to investigate a problem.
Type the volume, path, and name of the configuration file
you want, then press ENTER. Alternatively, to find the file:
1. Press INSERT to display a list of available volumes.
2. Highlight the volume you want, then press ENTER.
NetShield displays a list of directories (directory names
are enclosed in square brackets).
3. Highlight the directory you want, then press ENTER.
NetShield displays a list of subdirectories, files, or both.
4. If necessary, continue selecting subdirectories until
you select the one containing the configuration file you
want to use.
5. Highlight the configuration file you want to use, then
press ESCAPE. NetShield displays the volume, path, and
filename you selected.
6. Press ENTER to accept this filename, or ESCAPE to
abandon the operation.
NetShield prompts you to accept your changes and, if you
answer Yes, loads the configuration file you specified and
uses it for subsequent monitoring.
ENABLING NETWORK SECURITY
Select this option to activate or disable NetShield's
network security feature.
To change the current setting, on the Configure Network
Security menu, highlight Current Network Security Status,
press ENTER, then choose <ENABLED> or <DISABLED> from the prompt.
[End of file]