home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Nautilus 1994 August
/
Nautilus CD Magazine Volume 4-8 August 1994 Windows Edition.mdf
/
compware
/
virus
/
vshield
/
vshield.txt
< prev
next >
Wrap
Text File
|
1994-06-01
|
147KB
|
3,888 lines
VirusScan Version 2.0.2
Copyright 1994 by McAfee, Inc.
All Rights Reserved.
Brought to you by:
Igor Grebert Project Leader
Jivko Koltchev Lead Programmer
David Mai TSR Programmer
Vadim Ivanov Algorithms/Emulation Programmer
Tatyana Shishkina Virus Librarian, Programmer
Bruce de Graaf GUI Programmer
Dmitri Orlov DOS UI Programmer
Geoff Brandenburg GUI Artist
Spencer Clark SQA Manager
David Pierce Lead SQA Engineer
Sean Birch SQA Engineer
John Zussman Documentation Project Leader
Eric Ivory Technical Writer
Aryeh Goretsky Manager Technical Support
With special thanks to Bob Chappelear, Rudite Emir, and Bill Larson
McAfee, Inc. (408) 988-3832 office
2710 Walsh Avenue (408) 970-9727 fax
Santa Clara, CA 95051-0963 (408) 988-4004 BBS (25 lines)
U.S.A. USR HST/v.32/v.42bis/MNP1-5
CompuServe GO MCAFEE
InterNet support@mcafee.COM
America Online MCAFEE
Using VirusScan (Version 2.0) 1
CHAPTER 1: WELCOME TO VIRUSSCAN
Thank you for evaluating McAfee, Inc.'s, VirusScan(TM)
software Version 2.0, a powerful and advanced system
designed to detect, eradicate, and prevent computer viruses.
VirusScan will help you protect one of your most important
assets--the information on your computer or local area network.
VirusScan includes two main programs:
o The Scan program detects known viruses in your
computer's memory or on disks. See the README.1ST file
for the number of viruses that Scan detects. It can
also detect new and unknown viruses. Once viruses are
detected, it can remove them and restore your system to
normal operation.
o The VShield(TM) program continuously monitors and
protects your system from viruses that might be
introduced.
The VirusScan programs run on IBM-PC or 100% compatible
personal computers (PCs) that use DOS 3.0 and above, Windows
3.1, or OS/2 2.0 and above.
VirusScan is an important element of a comprehensive
security program that includes a variety of safety measures,
such as regular backups, meaningful password protection,
training, and awareness. We urge you to set up and comply
with such a security program in your organization. For tips
on how to do this, see "Other Sources of Information" in
this chapter.
HOW TO USE THIS MANUAL
This manual will help you get VirusScan running quickly and
properly on DOS, Windows, and OS/2 systems.
o All the key information is in Chapter 2, "Don't Skip
this Chapter." Please don't install VirusScan before
reading it, even if you are already familiar with
Scan. Installing and using VirusScan is not like using
other software.
The rest of Chapter 1, "Welcome to VirusScan," describes the
programs and files on your VirusScan disk, system
requirements, how to register, and how to get help.
Chapter 3, "VirusScan Reference," in the Scan
documentation, and Chapter 3, "VShield Reference,"
in this document contain reference information for
Scan and VShield, respectively.
Using VirusScan (Version 2.0) 2
Many users will not need to read these chapters, because basic
operation of VirusScan, as described in Chapter 2, will detect
and remove most viruses from your system. The options described
in Chapter 3 in the Scan documentation and Chapter 3 in this
document offer additional power and control, and are most
useful in vulnerable environments and to network administrators
and information services staff.
Chapter 4, "Tips & Troubleshooting," explains how to get the
most out of VirusScan, and how to cope with some common
problems.
Appendix A, "Retrieving VirusScan Updates via the McAfee BBS,"
provides instructions for using the McAfee Bulletin Board (BBS).
Appendix B, "Options Comparison Between VirusScan Versions
1.5 and 2.0," shows the differences between command line options
in VShield 1.5 and 2.0, then between VShield1 1.5 and
VShieldCRC 2.0.
Using VirusScan (Version 2.0) 3
NOTATION
In this manual, we use several conventions to distinguish
particular kinds of text.
CONVENTION │ EXAMPLE │ REPRESENTS
═══════════════╪══════════════╪══════════════════════════
Upper-case │ C:\> │ What your
│ │ computer displays
│ │ on your screen.
───────────────┼──────────────┼──────────────────────────
Lower-case │ scan c: │ What you
│ │ type, verbatim.
───────────────┼──────────────┼──────────────────────────
Curly braces │ {filename} │ Required
│ │ element; do not
│ │ type braces { }.
───────────────┼──────────────┼──────────────────────────
Square braces │ [filename] │ Optional
│ │ element; do not
│ │ type braces [ ].
───────────────┼──────────────┼──────────────────────────
Upper-case in │ <ENTER> │ Key to press
brackets │ │ on the
│ │ keyboard.
WHAT VIRUSSCAN INCLUDES
In addition to Scan or VShield, the Validate program
ensures that new versions of VirusScan software
you've obtained are authentic.
Finally, the VirusScan archive contains several useful text
files, which you can view and print with a text editor, word
processor, or DOS PRINT command. You'll find version-
specific information in the README.1ST text file.
Using VirusScan (Version 2.0) 4
VIRUSSCAN FILES AFTER UNPACKING
After unpacking VirusScan you should have appropriate
program files on your system for the version you have
obtained (DOS, Windows, or OS/2). Several useful text
files are also included.
VirusScan for DOS.
AGENTS.TXT - list of McAfee authorized agents.
CLEAN.DAT - virus removal data file required by SCAN.EXE
COMPUSER.NOT - explains how to obtain CompuServe membership
FILE_ID.DIZ - description of VirusScan used by some BBS
software
FILENAME.TXT - explains new McAfee BBS file name conventions
LICENSE.TXT - explains how to license VirusScan
NAMES.DAT - virus name data file required by SCAN.EXE
PACKING.LST - contains a list of all files, including
validation information
README.1ST - late-breaking information and new
instructions not contained in this manual
REGISTER.TXT - explains how to register VirusScan for
your use
SCAN.DAT - virus string data file required by SCAN.EXE
SCAN.EXE - the VirusScan program
SCAN.TXT - on-line manual for Scan
VALIDATE.EXE - used to check VirusScan programs for
authenticity
VALIDATE.TXT - explains how to run VALIDATE.EXE
VShield
AGENTS.TXT - list of McAfee authorized agents.
CHKVSHLD.EXE - checks for presence of VShield and VShieldCRC
in memory
COMPUSER.NOT - explains how to obtain CompuServe membership
FILE_ID.DIZ - description of VShield used by some BBS
software
FILENAME.TXT - explains new McAfee BBS file name conventions
LICENSE.TXT - explains how to license VShield
PACKING.LST - contains a list of all files, including
validation information
REGISTER.TXT - explains how to register VirusScan for
your use
VALIDATE.EXE - used to check VirusScan programs for
authenticity
VALIDATE.TXT - explains how to run VALIDATE.EXE
VSHIELD.DAT - virus string data file required by
VSHIELD.EXE
VSHIELD.EXE - the VShield program
VSHIELD.TXT - on-line manual for VShield
VSHLDCRC.EXE - the VShieldCRC program
VSHLDWIN.EXE - used by VShield and VShieldCRC to display
messages within Windows
Using VirusScan (Version 2.0) 5
VirusScan for OS/2
AGENTS.TXT - list of McAfee authorized agents.
CLEAN.DAT - virus removal data file required by
OS2SCAN.EXE
COMPUSER.NOT - explains how to obtain CompuServe membership
FILE_ID.ZIP - description of VirusScan used by some BBS
software
FILENAME.TXT - explains new McAfee BBS file name conventions
LICENSE.TXT - explains how to license VirusScan
NAMES.DAT - virus name data file required by OS2SCAN.EXE
PACKING.LST - contains a list of all files, including
validation information
README.1ST - late-breaking information and new
instructions not contained in this manual
REGISTER.DOC - explains how to register VirusScan for your
use
OS2SCAN.EXE - the VirusScan program
SCAN.DAT - virus string data file required by
OS2SCAN.EXE
SCAN.TXT - on-line manual for Scan
VALIDATE.EXE - used to check VirusScan programs for
authenticity
VALIDATE.TXT - explains how to run VALIDATE.EXE
Using VirusScan (Version 2.0) 6
SYSTEM AND MEMORY REQUIREMENTS
The VirusScan programs require an IBM-compatible personal
computer and any of the following operating systems:
o DOS 3.0 or later and at least 340Kb of free RAM for the
command line programs.
o Windows 3.1 or later and at least 4Mb of RAM.
o IBM OS/2 2.00(GA) or later and at least 8Mb of RAM.
VirusScan for DOS requires 340Kb of available free memory in
order to scan a system for viruses.
VShield is a terminate-and-stay-resident (TSR) program that
requires 67Kb of free memory. VShield will minimize the use
of conventional memory by loading into expanded, extended,
or upper memory, when available. For more information, see
"System Requirements and Performance" in Chapter 3 in the
Scan documentation.
LICENSING VIRUSSCAN
The VirusScan software is provided under license from
McAfee, Inc., a copy of which is included in the file
LICENSE.TXT. Please read it and comply with it.
If you want to use VirusScan after the evaluation period,
please register your copy of the software by filling out and
returning the enclosed registration form, REGISTER.TXT.
Registration entitles you to upgrades at no charge from
McAfee's bulletin board system and other sources, as well as
technical support, for one year from your date of purchase.
Using VirusScan (Version 2.0) 7
TECHNICAL SUPPORT
For help in using this product, we invite you to contact
McAfee technical support. You can contact us:
o On-line 24 hours a day, through our bulletin board
system, CompuServe, fax, or Internet (see "Online
Access to Updates and Technical Support" below); or
o By telephone at (408) 988-3832, Monday through Friday,
7:00 am to 5:30 pm Pacific Time.
For fast and accurate help, please have the following
information ready when you contact McAfee:
o Program name and version number.
o Type and brand of computer, hard disk, and any
peripherals.
o Version of DOS, along with any TSR's or device drivers
in use.
o Printouts of your AUTOEXEC.BAT and CONFIG.SYS files.
o A printout of the contents of memory, from the MEM
command (provided in DOS 4.0 and later) or a similar
utility.
o A description of the exact problem you are having.
Please be as specific as possible. If you can't be at
your computer when you call, a printout of the screen
will be helpful.
If you are overseas, you can contact a McAfee authorized
agent for support. Agents are located in more than 50
countries around the world and provide local sales and
support for our software. Please refer to the AGENTS.TXT
file for a complete list of McAfee agents.
ONLINE ACCESS TO UPDATES AND TECHNICAL SUPPORT
McAfee updates VirusScan monthly to add new virus detectors,
new options, and fix reported bugs. To distribute these new
versions, we run a multi-line bulletin board system, a forum
on CompuServe, and an Internet node.
Using VirusScan (Version 2.0) 8
Bulletin board system (BBS) access
Our multiline BBS is accessible 24 hours a day, 365 days a
year, except for scheduled downtime and maintenance. All
lines run high-performance modems operating from 1,200 bps
to 14,400 bps with line settings of 8 data bits, no parity,
and 1 stop bit. The McAfee BBS phone number is (408) 988-4004.
CompuServe Access
We sponsor the McAfee Virus Help Forum on CompuServe. To
reach it, type GO MCAFEE at any CompuServe prompt. A free
introductory membership is available. For more information,
please read the enclosed COMPUSER.TXT file.
Internet Access
The latest versions of McAfee's anti-virus software are
available by anonymous ftp (file transfer protocol) over the
Internet from the site mcafee.com. If your domain resolver
does not support names, use the IP# 192.187.128.1. Enter
"anonymous" or "ftp" as your user ID (do not type the
quotation marks) and your own e-mail address as the
password. Programs are located in the pub/antivirus
directory. If you have questions, please send e-mail to
support@mcafee.com.
You can also find McAfee's anti-virus software at the SimTel
Software Repository at Oak.Oakland.EDU in the
pub/msdos/virus directory and its associated mirror sites:
o WUARCHIVE.WUSTL.EDU (US).
o FTP.SWITCH.CH (Switzerland).
o FTP.FUNET.FI (Finland).
o SRC.DOC.IC.AC (UK).
o ARCHIE.AU (Australia).
Using VirusScan (Version 2.0) 9
OTHER SOURCES OF INFORMATION
The McAfee BBS and CompuServe Virus Help Forum are excellent
sources of information on virus protection. Batch files and
utilities to help you use VirusScan software are often
available, along with helpful advice.
Independent publishers, colleges, training centers, and
vendors also offer information and training about virus
protection and computer security.
We especially recommend the following books:
o Ferbrache, David. A Pathology of Computer Viruses.
London: Springer-Verlag, 1992. (ISBN 0-387-19610-2)
o Hoffman, Lance J. Rogue Programs: Viruses, Worms, and
Trojan Horses. Van Nostrand Reinhold, 1990.
(ISBN 0-442-00454-0)
o Jacobson, Robert V. The PC Virus Control Handbook,
2nd Ed. San Francisco: Miller Freeman Publications, 1990.
(ISBN 0-87930-194-0)
o Jacobson, Robert V. Using McAfee, Inc. Software
for Safe Computing. New York: International Security
Technology, 1992. (ISBN 0-9627374-1-0)
In addition, the following sources can provide useful
information about viruses:
o National Computer Security Association (NCSA)
10 South Courthouse Avenue
Carlisle, PA 17013
o CompuServe McAfee Computer Virus Help Forum (GO
VIRUSFORUM)
o Internet comp.virus newsgroup
Using VirusScan (Version 2.0) 10
CHAPTER 2: DON'T SKIP THIS CHAPTER
(or, What you really need to know about VirusScan)
We're serious about this. Installing and running the
VirusScan(TM) programs is not like using other software.
Even if you are a long-time user of McAfee's software,
please take the time to read through and follow the tasks in
this chapter.
The reason is to avoid spreading a computer virus infection.
Viruses spread when you start your computer (sometimes
called booting) from an infected disk, or when you run an
infected program. If your computer is infected, installing
and running VirusScan on your hard disk may spread the
infection, even to the VirusScan programs themselves. The
tasks in this chapter will ensure that you have a clean
environment to detect, eradicate, and prevent viruses.
This is like a surgical team establishing a "sterile field"
before performing surgery. Once it is established, they make
sure that everything brought into the field has already been
sterilized. In this procedure, you will create a clean anti-
viral start-up diskette with which you can always re-
establish the sterile field.
Your VirusScan archive (.ZIP) file is created with
authenticity checks and a serial number embedded in it to
ensure that it has not been tampered with or modified.
Additionally, VirusScan comes with Validate, a Cyclic
Redundancy Check (CRC) program that computes a check-sum for
VirusScan's files. Once you have unpacked the VirusScan
archive, you should copy all the files to a diskette in
drive A: and write-protect it to ensure that no virus can
alter the programs and information stored there. Under no
circumstances should you remove the write protection. Label
this diskette as your 'VirusScan Program Diskette.'
Here's a summary of the tasks you'll follow in this chapter:
o Installing VirusScan
o Scanning your system.
o If you detect a virus.
o Activating VShield(TM).
o Making a clean start-up (boot) diskette.
o Running the VirusScan programs.
o When to scan for viruses.
o Updating VirusScan regularly.
NOTE: Because OS/2 programs run in a protected mode, OS/2
systems are not vulnerable to viruses as DOS and Windows
Using VirusScan (Version 2.0) 11
systems are. Many OS/2 users run DOS and Win-OS/2 sessions,
however, and they are still vulnerable. By using the
VirusScan programs as described in this manual, you can
protect the DOS and Win-OS/2 portions of your OS/2 system
from infection.
Using VirusScan (Version 2.0) 12
INSTALLING VIRUSSCAN
This task explains how to check your system and install the
VirusScan software under DOS, Windows, or OS/2. Don't use
any other method to install VirusScan, or you risk spreading
a virus.
INSTALLATION STEPS
Start from the system prompt (C:\> or [C:\]). If you are
running Windows or an application program, exit from it to
display the prompt. If you are running OS/2, close all DOS
and Win-OS/2 sessions open the Command Prompts folder in the
OS/2 System folder, and click on either the OS/2 Full Screen
or OS/2 Window icons.
After typing each entry on the command line, press <ENTER>.
1. Create a directory to contain the VirusScan files, as
in the following example:
C:\> mkdir c:\mcafee
and press <ENTER>.
If you have an earlier version of VirusScan already
installed, create a separate directory (such as
c:\newvscan) for the new version. (You should test
the new version before removing the earlier version.)
2. Copy the VirusScan archived (.ZIP) file to this
directory, as in the following example:
C:\> copy c:\download\*.zip c:\mcafee
and press <ENTER>.
3. Change to the VirusScan directory you just created,
as in the following example:
C:\> cd c:\mcafee
and press <ENTER>.
4. Unzip the file using PKUNZIP.EXE, as in the following
example:
C:\mcafee> PKUNZIP *.ZIP
and press <ENTER>.
Using VirusScan (Version 2.0) 13
5. Run VirusScan to check your local hard disk(s) by
typing:
c:\mcafee> scan /adl
and pressing <ENTER>. It may take several minutes
for the Scan program to check for viruses in memory,
then on the system and user portions of your drives.
Scan keeps you informed of its progress. Read the
information carefully, and write down the name of any
viruses Scan reports.
6. If Scan does not report any viruses, congratulations
--most likely your system is currently virus-free.
Continue with "Making a Clean Start-Up Diskette" in
this chapter.
If Scan finds one or more viruses you'll see a
message like:
Found the Jerusalem Virus
Stop the installation. Don't panic, even if the virus
has infected many files. At the same time, don't run
any other programs, especially if the virus is found
in memory. Go directly to "If You Detect a Virus"
later in this chapter for further instructions.
7. Create a directory on your hard disk to store the
VirusScan files in by typing:
C:\> mkdir mcafee
and pressing <ENTER>.
8. Copy the VirusScan files from the 'VirusScan Program
Diskette' in drive A: to your hard disk by typing:
C:\> copy a:\*.* c:\mcafee
and pressing <ENTER>. VirusScan has now been installed
onto your hard disk. Now your system's startup files
must be modified to find VirusScan on your system.
9. DOS and Windows users: Using a text editor program,
load your AUTOEXEC.BAT file. Locate the path statement,
which typically begins with a 'PATH' or 'SET PATH ='
statement. Place your cursor at the end of this line
and type:
;C:\MCAFEE
Using VirusScan (Version 2.0) 14
and press <ENTER>. Now save your AUTOEXEC.BAT file and
exit the editor.
NOTE: If a semi-colon ";" is already present at the end
of the line, do not add one to the path statement.
OS/2 users: Make the same change listed above to the
'SET PATH=' statements in your CONFIG.SYS
file. Now save your CONFIG.SYS file and
exit the editor.
Congratulations! You've successfully installed VirusScan.
Restart your computer now and continue with this chapter to
see how you can use VirusScan to keep your computer virus-
free. We recommend looking over the following sections in
this chapter:
"Scanning Your System"
"If You Detect A Virus"
"Activating VShield"
"Making A Clean Start-Up Diskette"
so you'll know what took place during installation. Then
continue with the remaining tasks in this chapter, beginning
with "Running the VirusScan Programs" to find out how and
when to run and update the VirusScan programs.
Using VirusScan (Version 2.0) 15
SCANNING YOUR SYSTEM
VirusScan's Scan program examines your PC and disks to
detect viruses there. The first time you run Scan, do so
from the original, write-protected diskette so that the
programs themselves cannot be infected.
Start from the system prompt (C:\> or [C:\]). If you are
running Windows or an application program, exit from it to
display the prompt. If you are running OS/2, close all DOS
and Win-OS/2 sessions. Next, open the Command Prompts folder
in the OS/2 system folder, then click the OS/2 Full Screen or
OS/2 Window icon.
After typing each entry on the command line, press <ENTER>.
If you include the /REPORT option, Scan saves a report of
infected files and any system errors to a log file that you
specify.
o Insert the 'VirusScan Program Diskette' in drive A:
o Scan your C: drive for known viruses by typing:
C:\> a:scan c: /report c:\virus.log
OS/2 Users: Be sure to replace "a:scan" with
"a:os2scan" in the above example.
Or, if you have more than one hard drive, scan them in
the same fashion. For example, if you have C and D
drives:
C:\> a:scan c: d: /report c:\virus.log
You can also scan all local drives using the /ADL
option. For example:
C:\> a:scan /adl /report c:\virus.log
Using VirusScan (Version 2.0) 16
It may take several minutes for the Scan program to
check for viruses in memory, then on the system and
user portions of your drives. Scan keeps you informed
of its progress. Read the information on the screen
carefully. Below is a sample of what Scan reports
when checking a drive for viruses:
┌─────────────────────────────────────────────────────┐
│ Database file V1.00 created Fri Apr 1 12:01:00 1994 │
│ Finished scanning memory for viruses. │
│ Scanning C: │
│ │
│ Summary report on C: │
│ │
│ File(s) │
│ Analyzed: .............. 1500 │
│ Scanned: ............... 750 │
│ Possibly Infected: ..... 0 │
│ Master Boot Record(s):.. 1 │
│ Possibly Infected:...... 0 │
│ Boot Sector(s):......... 1 │
│ Possibly Infected:...... 0 │
│ │
│ Time: 60.00 sec. │
└─────────────────────────────────────────────────────┘
o If Scan reports 0 viruses found, congratulations--most
likely your system is currently virus-free. Skip to
"Activating VShield" later in this chapter to continue.
If Scan finds one or more viruses, you'll see a message
like:
┌─────────────────────────────────────────────────────┐
│ Scanning C: │
│ Scanning file C:\DOS\ATTRIB.EXE │
│ Found the Jerusalem virus │
└─────────────────────────────────────────────────────┘
Don't panic, even if the virus has infected many files.
At the same time, don't run any other programs,
especially if the virus is found in memory. Turn to "If
You Detect a Virus" later in this chapter, where
VirusScan will help you eradicate it.
o Scan has many options to control and fine-tune the
scope, validation, and operation of its scan. For
details, see Chapter 3 in the VirusScan documentation,
and "Detecting new and unknown viruses" in Chapter 4.
Using VirusScan (Version 2.0) 17
IF YOU DETECT A VIRUS
In this task, you will run Scan with the /CLEAN option to
eradicate most known viruses from your disks.
o If you are at all unsure about how to proceed once
you've found a virus, contact McAfee for assistance
(see "Technical Support" in Chapter 1).
We strongly recommend that you get experienced help in
dealing with viruses if you are unfamiliar with anti-virus
software and methods. This is especially true for "critical"
viruses and master boot record (MBR or so-called "partition
table")/boot sector infections, because improper removal of
these viruses can result in the loss of all data and use of
the infected disks.
RESTART FROM A CLEAN ENVIRONMENT
You must run Scan from a clean, virus-free environment. With
DOS or Windows, restart from a clean diskette. With OS/2,
simply close all DOS and Win-OS/2 sessions.
DOS or Windows
With DOS or Windows, the only way to ensure a clean
environment is to turn your computer off to eliminate any
viruses in memory, then restart from a virus-free floppy
diskette in drive A:, preferably the original, write-
protected DOS installation diskette that came with your
computer. If you don't have one, borrow or buy one; don't
use a diskette that might be infected. (You will create a
new anti-viral diskette in "Making a Clean Start-Up
Diskette" later in this chapter to use in the future,
but you need a clean environment before you create one.)
1. Turn off your computer. (Don't just reset or reboot,
which may leave some viruses intact in the computer's
memory.)
2. Make sure your clean boot (start-up) diskette is write-
protected.
o For a 3.5" diskette, slide its corner tab so that
the square hole is open.
o For a 5.25" diskette, cover its corner notch with
a write-protect tab. Be sure to use the black or
silver write-protect stickers provided with your
diskettes, not transparent tape, which is ignored
by the floppy drive's infrared write-protection
mechanism.
Using VirusScan (Version 2.0) 18
3. Insert your start-up diskette in drive A:.
4. Turn on your computer and wait until you see the system
prompt (probably A>). Don't run any programs on your
hard disk, or you may reactivate the virus.
OS/2
With OS/2, you can eliminate most viruses from memory by
closing all DOS, Win-OS/2, and virtual DOS machine (VDM)
sessions. Because OS/2 programs run in protected mode,
viruses cannot spread between them.
BACK UP YOUR HARD DISK
Some viruses may leave certain disks or files unusable when
cleaned up. To increase your chance of recovery, copy all
the files on all of your hard disks onto fresh diskettes or
a backup tape after booting from a clean copy of the
operating system. You can use a commercial backup program,
or the one included with DOS or OS/2. Scan the program disk
first to make sure that the backup program itself is not
infected. Do not run the backup program if it is infected.
Instead, reload it from your original installation
diskettes.
Although some of the backed-up files may be infected, it is
better to have current copies than not. However, don't
overwrite previous backup disks or tapes, which may or may
not be infected.
RUN SCAN WITH THE /CLEAN OPTION
Start from the system prompt (probably A> or [A:\]). If you
are running OS/2, open the Command Prompts folder in the
OS/2 system folder, and click on the OS/2 Full Screen or
OS/2 Window icons.
After typing each entry on the command line, press [Enter].
1. Insert the 'VirusScan Program Diskette' in drive A:.
2. Eliminate the first known virus on your hard drive(s)
by typing:
DOS or Windows
A> a:scan /adl /clean
OS/2
[A:\] a:os2scan /adl /clean
Using VirusScan (Version 2.0) 19
Scan keeps you informed of its progress and generally
reports that a virus was removed successfully. If Scan
reports that the virus could not safely be removed,
see the next section, "If Viruses Were Not Removed,
Contact Technical Support."
3. Repeat step 2 for other viruses found by Scan, and for
other infected hard drives. For example:
DOS or Windows
A> a:scan /clean d:
OS/2
[A:\] a:os2scan /clean d:
o Scan has options to control and fine-tune the
scope, validation, and operation of its
disinfection. For details, see Chapter 3
in the Scan documentation.
If Viruses were NOT removed, contact Technical Support
If Scan can't remove a virus, it will tell you:
Virus cannot be safely removed from this file.
Make sure to take note of the filename, because you will
need to restore it from backups. Run Scan again, this time
using the /CLEAN and /DEL options to delete the remaining
infected files, as described in Chapter 3 in the Scan
documentation. If you have any questions, contact McAfee
(see "Technical Support" in Chapter 1).
If viruses were safely removed, rescan and check diskettes
If Scan has successfully removed all the viruses, restart
your computer.
Restart installation as described in "Installing VirusScan"
earlier in this chapter. Assuming that your system is now
virus-free, installation will scan your system, activate
VShield, and make a clean start-up diskette as part of the
installation procedure. Thereafter, you can proceed to
"Running the VirusScan programs" later in this chapter.
One common source of virus infection is floppy diskettes.
Once you've finished installing VirusScan on your hard disk,
use Scan again to examine and disinfect the diskettes you
use, as described in "When to Rescan," in this chapter.
Using VirusScan (Version 2.0) 20
FALSE ALARMS
Due to the nature of anti-virus software, there is a small
possibility that Scan may report a virus in a file that is
not infected. This can be more likely if you are using more
than one brand of virus protection software, especially if
the virus is only reported in memory and not anywhere on the
disk when you boot.
If Scan reports a virus infection that you suspect may be in
error, contact McAfee (see "Technical Support" in Chapter 1).
You can upload the file to our bulletin board system at
(408) 988-4004, along with your name, address, daytime
telephone number, and electronic mail address (if any).
ACTIVATING VSHIELD
VirusScan's VShield program can help prevent viruses from
infecting your system. It runs as a "terminate-and-stay-
resident" (TSR) program, remaining in memory and scanning
and intercepting programs as they are executed.
To install VShield, use your editor to load your
AUTOEXEC.BAT file. Insert the following as the first line:
C:\MCAFEE\VSHIELD
If you load network drivers, disk-caching software, or
other memory-resident programs that changes the way
in which you access disks, insert a second VShield line
after the last invocation of such software:
C:\MCAFEE\VSHIELD /RECONNECT
and press <ENTER>. This reactivates VShield if it has been
deactivated by another memory-resident program. Now save
your AUTOEXEC.BAT file.
Using VirusScan (Version 2.0) 21
Windows
VShield can display messages from within Windows in a
message dialog. This is done through VShield's
Windows Messager. If you choose not to install the
Messager, VShield will still detect viruses, but will
not be able to report them to you.
1. To activate the Messager, you must copy the
VSHLDWIN.EXE file from your VirusScan directory
(typically C:\MCAFEE) to your Windows directory
(typically C:\WINDOWS). You can do this by typing:
C:\> copy c:\mcafee\vshldwin.exe c:\windows
and pressing <ENTER>.
2. Go to your Windows directory, and using a text editor
program, load your WIN.INI file. Go to the [Windows]
settings and insert the following line:
load=vshldwin.exe
NOTE: If you already have a "load=" line in your WIN.INI
file, go to the end of it and type:
; vshldwin.exe
and press <ENTER>. Now save your WIN.INI file and
exit the editor.
VShield will now run whenever you start or restart your
computer. To activate VShield at any time:
DOS or Windows - Restart your computer by pressing the
<CTRL>, <ALT>, and <DEL> keys simultaneously, or by turning
it off and then on again (if Windows is running, exit out
of it before doing restarting your computer).
OS/2 - Restart all DOS and Win-OS/2 windows.
o If you have difficulties running VShield, it may be due
to conflicts with other TSR programs in your system, or
with other programs that monitor disk access. See
Chapter 3 for details, and Chapter 4, "Tips and
Troubleshooting," for more information. Contact
McAfee technical support if you need help (see
"Technical Support" in Chapter 1).
Using VirusScan (Version 2.0) 22
o VShield normally occupies up to 67Kb of conventional
(base 640Kb) memory. VShield minimizes the use of
conventional memory by attempting to load into extended
(XMS) memory, expanded (EMS) memory, upper memory, or a
combination of them before using conventional memory.
For computers with extreme available memory
limitations, you can use VShield's /SWAP option to
reduce its memory requirements to 7Kb, although this
will decrease VShield's speed. For details, see
Chapter 3.
o VShield has options to control and fine-tune the scope,
validation, and operation of its virus prevention. For
details, see Chapter 3.
o When used in conjunction with some of Scan's options,
VShield can help protect your system from new and
unknown viruses. For details, see "Detecting New and
Unknown Viruses" in Chapter 4.
o Under OS/2, VShield runs in DOS and Win-OS/2 sessions
only, because current viruses can operate only in those
sessions.
o In Windows, you can use the VShield icon to turn
messages from VShield on and off (VShield itself,
however, remains active). For details, see Chapter 3.
Using VirusScan (Version 2.0) 23
MAKING A CLEAN START-UP DISKETTE
In DOS or Windows, create a clean anti-viral start-up (boot)
diskette that you can use to regain your "sterile field" if
your system becomes infected. This is not necessary in OS/2,
although it will be helpful to make backup copies of your
OS/2 installation diskettes.
DOS or Windows
In DOS, start from the system prompt (C:\>). In Windows, you
may open a DOS window, or duplicate these steps using
Windows' File Manager.
1. Insert a blank or dispensable diskette into drive A.
Make sure the diskette contains no important
information, as this procedure will erase it.
2. Format the disk as a DOS-bootable diskette with the
system files on it by typing:
C:\> format a: /s /v /u
and pressing <ENTER>. If you are using a version of
DOS before DOS 5.0, do not type the "/u" option. The
/U option is used in recent versions of DOS to insure
that the floppy diskette is erased completely (earlier
versions of DOS automatically do this).
When prompted for a volume label, type:
virusfree01
and press <ENTER>, or use another name of up to 11
characters.
3. Copy the VirusScan program files onto the diskette.
Here's one way to do this, assuming that your VirusScan
files are stored in C:\MCAFEE:
C:\> copy c:\mcafee\scan.exe a:
C:\> copy c:\mcafee\scan.dat a:
C:\> copy c:\mcafee\clean.dat a:
C:\> copy c:\mcafee\names.dat a:
4. Copy useful DOS programs to the diskette. Here's one
way to do this, assuming that your DOS files are stored
in C:\DOS:
C:\> copy c:\dos\format.* a:
C:\> copy c:\dos\xcopy.* a:
C:\> copy c:\dos\diskcopy.* a:
C:\> copy c:\dos\sys.* a:
Using VirusScan (Version 2.0) 24
C:\> copy c:\dos\fdisk.* a:
C:\> copy c:\dos\debug.* a:
C:\> copy c:\dos\unerase.* a:
C:\> copy c:\dos\mem.* a:
C:\> copy c:\dos\chkdsk.* a:
In the same way, copy other DOS programs that you think
might be useful.
5. Remove the diskette from the drive and write-protect it
so that it cannot become infected.
o For a 3.5" diskette, slide its corner tab so that
the square hole is open.
o For a 5.25" diskette, cover its corner notch with
a write-protect tab. Be sure to use the opaque
write-protect stickers provided with your
diskettes, not transparent tape.
6. Label the diskette "Virus-Free Boot Disk" and put it
away in a secure place in case you need to reestablish
a virus-free environment in the future. You may want
to include supplemental information on the disk label,
such as the date and versions of DOS and VirusScan.
OS/2
With OS/2, you don't need a virus-free start-up disk.
However, it will be helpful to keep a clean copy of
important files, such as your system configuration files.
Copy your CONFIG.SYS, STARTUP.CMD, and AUTOEXEC.BAT files
onto an empty, formatted diskette. Write-protect the
diskette, label it, and put it away in a secure place.
Using VirusScan (Version 2.0) 25
RUNNING THE VIRUSSCAN PROGRAMS
VIRUSSCAN FOR DOS
To run the VirusScan programs from the DOS command prompt,
type the program name (SCAN) on the command line. Follow the
program name with the drive, directory, or file(s) you want
to scan for viruses and the options you want to use.
Note: If you have not changed the path statement in your
AUTOEXEC.BAT file, you will need to include its
location (usually C:\MCAFEE) in the command, or
change to that directory.
For example, to examine a diskette in drive A: type:
C:\> c:\mcafee\scan a:
and press <ENTER>.
EXCEPTION:
If Scan detects a virus in memory or on your hard
disk, don't run Scan with the /CLEAN option from
C:\MCAFEE. Instead, restart your computer and run
Scan from your clean start-up diskette as described
in "If you detect a virus" in this chapter.
VirusScan can list the viruses it detects. To view this list,
run Scan with the /VIRLIST option, described in Chapter 3
in the Scan documentation.
VSHIELD
VShield loads automatically upon startup for DOS and Windows
computers, or when a DOS or Win-OS/2 session is started
within OS/2.
o You can change VShield options from the DOS command
line by removing VShield from memory and re-running it,
or by editing the VShield command line in your
AUTOEXEC.BAT file. See Chapter 3 for details.
Using VirusScan (Version 2.0) 26
VIRUSSCAN FOR OS/2
To run Scan from OS/2, open the Command Prompts folder in
the OS/2 System folder and click on the OS/2 Full Screen or
OS/2 Window icons. Next, type the program name (OS2SCAN) on
the command line. Follow the program name with the drive,
directory, or file(s) you want to scan for viruses and
the options you want to use.
Note: If you have not changed the PATH and LIBPATH
statements in your CONFIG.SYS file, you will need to
include its location (usually C:\MCAFEE) on the command
line, or change to that directory.
For example, to examine a diskette in drive A: type:
[C:\] c:\mcafee\os2scan a:
and press <ENTER>.
o VShield does not run in native OS/2 sessions, only
under DOS and Win-OS/2 sessions inside of OS/2. If you
have placed the VShield command in your AUTOEXEC.BAT
file, it will run automatically when you start a DOS or
Win-OS/2 session. You can also run it from the DOS
command line, as described earlier in this section.
Using VirusScan (Version 2.0) 27
WHEN TO RESCAN
Although VShield will monitor your software for viruses,
it's wise to scan your disks when you introduce new programs
or disks that may be infected. New programs and files are
generally introduced in two ways: by inserting a diskette,
and by installing new programs. It is also possible to
download a computer virus using a modem, however, this is
extremely rare.
o You can use VShield with the /ANYACCESS option to scan
diskettes automatically. For more information, see
the discussion of /ANYACCESS in Chapter 3.
o For instructions on running VirusScan, see "Running the
VirusScan programs" earlier in this chapter.
WHEN YOU INSERT AN UNCHECKED DISKETTE
Every time you insert a new diskette in your drive, run Scan
on it before executing, installing, or copying its files. If
you have several diskettes to scan, you can scan them
consecutively. In fact, we recommend doing this now with all
the diskettes you normally use, as well as diskettes
received from friends, co-workers, salespeople, and even
your own diskettes if they have been in another PC.
WHEN YOU INSTALL OR DOWNLOAD NEW FILES
Every time you install new software on your hard drive, or
download executable files from a network server, bulletin
board, or on-line service, run Scan on the directory the
files were placed in before executing the files.
Using VirusScan (Version 2.0) 28
UPDATING VIRUSSCAN REGULARLY
Unfortunately, new viruses (and variants of old ones) appear
and circulate often in the personal computer community.
Fortunately, McAfee updates the VirusScan programs
regularly--usually every month, but sooner if many new
viruses have appeared. Each new version may detect and
eradicate as many as 60-100 new viruses or more, and may add
new features. To find out what's new, review the README.1ST
text file.
DOWNLOADING NEW VERSIONS
You may use your own communications software to download new
versions from the McAfee bulletin board, CompuServe, or the
Internet. See Chapter 1, "Welcome to VirusScan" for more
information.
Always download and decompress the files in a separate
directory from your current files. That way, if you
discover a problem with the new files, you'll still
have the old ones intact.
VALIDATING VIRUSSCAN
When you download a program file from any source other than
the McAfee bulletin board system or other direct-from-McAfee
service, it's important to verify that it is authentic,
unaltered, and uninfected.
McAfee anti-virus software includes a program called
Validate that helps you do this. When you receive a new
version of VirusScan, run Validate on all of the program
files.
To do this for Scan, start from the system prompt (C:\> or
[C:\]):
1. Change to the directory to which you've downloaded the
files. For example, if you've stored the files in
C:\DOWNLOAD, type:
C:\> cd \download
and press <ENTER>.
2. Type the command:
C:\DOWNLOAD> c:\mcafee\validate scan.exe
and press <ENTER>.
Using VirusScan (Version 2.0) 29
OS/2 Users: Be sure to replace SCAN.EXE with
OS2SCAN.EXE as the file to be validated.
3. Compare the results with the information in the
README.1ST file or other text file for the program you
have just validated. If the validation results match
what's in the file, it is highly unlikely that the
program has been modified.
4. Once you have validated the new version, copy it into
your C:\MCAFEE directory. In addition, create a new
"VirusScan Start-Up Diskette" containing the new
version.
UPDATE YOUR CLEAN START-UP DISKETTE
Once you have validated the new version, copy it into
your C:\MCAFEE directory. In addition, copy the Scan
program onto your clean start-up diskette. Below is one
way to do this; you may also use the Windows File Manager
or the OS/2 environment.
Note any changes you've made to default options, because
you may want to select and save them again. Start from
the system prompt (C> or [C:\]).
1. Navigate to the directory to which you've
retrieved the files, such as C:\MCAFEE:
cd c:\mcafee
2. Temporarily remove write-protection from your clean
start-up diskette and insert it in drive A.
o For a 3.5" diskette, slide its corner tab so that
the square hole is closed.
o For a 5.25" diskette, remove the tab or tape from
its corner notch.
3. Copy the Scan program, and its data files to the diskette.
DOS or Windows C> copy SCAN.EXE a:
C> copy *.DAT a:
OS/2 [C:\] copy OS2SCAN.EXE a:
[C:\] copy *.DAT a:
4. Remove the diskette from the drive and write-protect
it again.
Using VirusScan (Version 2.0) 30
Chapter 3: VSHIELD REFERENCE
VirusScan(TM)'s VShield(TM) is a memory-resident program
that helps to prevent virus infection. It complements the
Scan virus detection program as part of your computer
security plan. While Scan checks areas on disks for viruses,
the VShield program checks programs as they load into your
computer's memory. This ensures that you don't "catch" any
new viruses while you're working on your computer.
VShield does this by remaining in memory and:
o Checking master boot records (MBR's), boot sectors,
system files, and itself for viruses when you turn on
or soft-boot (press the <CTRL>, <ALT>, and <DEL> keys
together) your machine.
o Checking program files for viruses as your computer
executes them.
o Checking files for viruses as you copy them (optional).
o Checking for viruses whenever your computer accesses a
disk (optional).
Follow the instructions in Chapter 2 to install VShield.
Instructions are given on how to modify your AUTOEXEC.BAT
file so that VShield loads into memory every time you turn
on your computer.
If VShield finds a virus, you will hear three beeps and see
a message like:
Found the Jerusalem Virus
If that happens, don't panic. Turn to Chapter 3 in the
Scan documentation to find out how to use the Scan
program to get rid of the virus. If you need additional help,
contact McAfee (see "Technical Support" in Chapter 1).
Note: There is one way to infect your computer that
VShield cannot prevent--only you can. Never
accidentally start your computer from an unknown
diskette. That's how 80% of all viruses are passed!
Always make sure your diskette drives are empty before
you turn your computer on.
VShield runs under DOS, Windows, and OS/2 Virtual DOS
Machine and WIN-OS/2 sessions. The filename for this program
is VSHIELD.EXE.
Using VirusScan (Version 2.0) 31
The file called VSHLDWIN.EXE allows VShield to display
messages from within Windows, and is added to your WIN.INI
file automatically when you install VShield.
If you need to conserve memory on your system, you can use
VShieldCRC, a version of VShield that offers fewer
protection options but requires less memory. The filename
of the program is VSHLDCRC.EXE.
A companion program called CheckVShield checks whether either
VShield or VShieldCRC is loaded in memory. The filename of the
program is CHKVSHLD.EXE. CheckVShield is especially useful
for network administrators who want to ensure that everyone
who logs on to the network is running VShield. All of these
related programs are included in your VirusScan disk and
described in this chapter.
DO YOU NEED TO READ THIS CHAPTER?
Many users will not need the VShield options described in
this chapter. We have designed VShield so that basic
operation--achieved by simply installing it in memory as
described in Chapter 2--provides a high degree of
protection for most users. The options here offer additional
power and control for virus detection, and are most useful
in vulnerable or memory-scarce environments, and to network
administrators and information systems staff. See "Four
Levels of Protection" and "Deciding Which Options Are for
You" in this chapter for help in deciding how to use
VShield.
Using VirusScan (Version 2.0) 32
SYSTEM REQUIREMENTS AND PERFORMANCE
VShield is a terminate-and-stay-resident (TSR) program,
which remains in memory while you run other programs.
VShield tries to optimize memory usage and minimize
conflicts with other TSRs. By default, VShield tries to
conserve as much conventional memory as possible.
If you have only 640Kb or less memory in your system,
VShield requires about 67Kb of memory. By using the /SWAP
option, you can reduce this to only 7Kb of conventional
memory, although this will decrease VShield's speed.
If you have more than 640Kb of memory in your system,
VShield tries to load as much of itself as possible above
your conventional memory: first, into expanded memory (EMS),
into extended memory (XMS), then into upper memory blocks
(640Kb to 1024Kb, or UMB). If you have sufficient high
memory available, VShield or VShieldCRC use no conventional
memory.
After VShield loads you'll see a message that describes
where VShield loaded into memory and how much memory it
using. You can control how VShield loads by using the
/NOUMB, /NOEMS, and /NOXMS options, as described later in
this chapter.
o VShield might require slightly more memory as the
VSHIELD.DAT file grows to include more viruses.
VShield adds a small amount of time to program loads and
reboots. Performance will vary, depending on your system.
The /SWAP option adds more time, because VShield must reload
from disk to check files.
VShieldCRC adds an average of one second to each program
load.
Once programs have been loaded, VShield does not degrade the
performance of your system in any way. Programs that load
other files may run more slowly when you use the /FILEACCESS
or /ANYACCESS options, because these options cause VShield
to scan files whenever they are accessed, not just when they
are executed.
Using VirusScan (Version 2.0) 33
FOUR LEVELS OF PROTECTION
You can think of VShield as providing four levels of
protection. You can use VShield's options to customize it
for the level of protection you need. Level II meets the
protection needs of most systems.
LEVEL I PROTECTION
This level is appropriate for users who have very little
memory available on their systems. It provides only minimal
protection.
For Level I protection, first use Scan with the /AF or /AV
option to add validation codes. Then, install VShieldCRC
instead of VShield.
VShieldCRC can inform you that a file has not been
certified, a file has been modified, a file size has
changed, or a file has not been added to the validation
file. VShieldCRC will not prevent infection, nor will it
tell you when you have a known virus. Use Scan instead to
detect viruses, as described in Chapters 3 and 4. See "Using
VShieldCRC" in this chapter for instructions.
LEVEL II PROTECTION
This level is appropriate for most users. It will protect
you from most viruses whether you have run Scan or not.
For Level II protection, just install VShield according to
the instructions in "Activating VShield." When loading,
VShield checks memory automatically for viruses. Once
resident in memory, VShield checks master boot records
(MBRs), boot sectors, and program files (when executed) for
virus signatures.
LEVEL III PROTECTION
This level is appropriate for computers that are used by
many people, as in an open-use computer lab, or onto which
you frequently load files from public sources. Level III
protection checks for both validation codes and virus
signatures, incorporating both Level I and Level II
protection.
For Level III protection, first use Scan with the /AF
{filename} option, then use VShield with the /CF {filename}
option. The /AF option logs validation and recovery data for
program files, the boot sector, and the master boot record
(MBR) to a file you specify. The /CF option tells VShield to
check against that log. See Chapter 3 in the Scan
documentation for instructions.
Using VirusScan (Version 2.0) 34
LEVEL IV PROTECTION
This level is for environments where security is extremely
important and new software is seldom introduced. It combines
Level III protection with access control, specifying that
only programs known to be safe can be run.
For Level IV protection, run VShield with the /CERTIFY
option. See the "VShield Option Descriptions" later in this
chapter for details about /CERTIFY.
o VShield has many optional features that you might use
at any protection level. See the table "VShield Option
Summary" later in this chapter to see these options at
a glance.
Using VirusScan (Version 2.0) 35
RUNNING VSHIELD
VShield checks programs, master boot records (MBR), boot
sectors, system files, and itself for virus strings, the
patterns of code unique to each computer virus. If VShield
finds an infection, it prevents programs from running. It
also prevents soft boots (also known as "warm boots")
performed by pressing the <CTRL>, <ALT>, and <DEL> keys
together from an infected floppy diskette in the A: drive.
You can use options to control and fine-tune the scope,
validation parameters, and operation of the VShield's
checks. To use VShield with options, use the following
syntax:
vshield [options]
[options] indicates one or more options described in the
table in the next section.
o Don't enter the square braces, which indicate that
what's within them is optional.
Because systems and environments differ, VShield gives you
a choice of options. Consider the mixture of safety,
performance, and maintenance that meets your needs, then
choose the combination of options that works best.
When you run VShield for the first time, VShield uses the
virus information contained in SCAN.DAT to creates a new
file, VSHIELD.DAT, in the program directory. The VSHIELD.DAT
file contains virus information in a format that is
optimized for VShield operation. Thereafter, when you
install an updated version of SCAN.DAT, VShield updates
VSHIELD.DAT automatically with any new virus information it
finds in SCAN.DAT.
DOS
If you followed the installation instructions in Chapter 2,
VShield begins working for you as soon as you install it,
protecting the "sterile field" that the installation
procedure creates. VShield should be run from your
AUTOEXEC.BAT file, so it is activated every time you turn on
your computer.
o Check the placement of the VShield command line in the
AUTOEXEC.BAT file.
o VShield must be run before Microsoft Windows or any
menu programs, such as MS-DOS's DOSSHELL or Norton
Commander, or it will not be loaded.
Using VirusScan (Version 2.0) 36
1. If your AUTOEXEC.BAT loads any network drivers,
keyboard drivers, disk caching programs, drive
compression programs, or custom disk drivers,
VShield must be run both before and after them.
These kinds of programs disable VShield. The
second time VShield is loaded, use only the
/RECONNECT option, as described later in this
chapter.
2. If necessary, move the line that loads VShield.
3. Add the VShield options of your choice to the
command line.
Windows
When you installed VShield, you should have added the
VShield command line to your AUTOEXEC.BAT file and modified
your WIN.INI file to include VSHLDWIN.EXE, which allows
VShield to display messages under Windows. However, you may
need to change your Windows configuration for VShield to run
properly. To do so, follow these steps. If you need help
with this procedure, see your Windows documentation, or
contact McAfee (see "Technical Support" in Chapter 1).
1. Follow the instructions for DOS users in the previous
section.
2. Start Windows.
3. Make Program Manager the default shell. Use no other
Windows shell during installation.
4. In the Control Panel, configure Windows to run in 386
Enhanced mode.
5. Load Windows. You will see the VShield icon on your
desktop. If VShield finds or suspects a virus, you'll
see a warning message. Choose OK to close the message
dialog.
Note: Double-clicking the VShield icon only displays a
message that VShield is loaded.
OS/2
Because OS/2 is a protected environment, you need VShield
only during Virtual DOS Machine (VDM) and WIN-OS2 sessions.
When loaded through your AUTOEXEC.BAT file, VShield is
automatically activated every time you start a DOS VDM or
WIN-OS/2 session.
Using VirusScan (Version 2.0) 37
If your DOS and WIN-OS/2 start-up batch file is not named
AUTOEXEC.BAT, edit it so that it includes VShield. For
example, add the following line:
c:\mcafee\vshield
to your start-up batch file.
Using VirusScan (Version 2.0) 38
SPECIAL INSTRUCTIONS FOR NETWORK ADMINISTRATORS
You have many options for setting up VShield on a network.
The table "Deciding Which Options Are For You" later in
this chapter lists options that most apply in network
environments. If you need assistance in choosing the best
configuration for your network, contact McAfee (see
"Technical Support" in Chapter 1).
If you run VShield from a network drive, flag VSHIELD.EXE as
EXECUTE-ONLY, READ-ONLY, and SHAREABLE.
If you run VShield from clients' local drives:
o Edit all clients' AUTOEXEC.BAT files to load VShield
with the options that are appropriate for your
environment before any other drivers are loaded.
o Add VShield with the /RECONNECT option to the
AUTOEXEC.BAT file or the network login script, after
the network drivers are loaded. See /RECONNECT,
later in this chapter, for more information.
o Run CheckVShield from the login script. CheckVShield
returns a DOS ERRORLEVEL that you can use in batch
files to check and update VShield. For an example of
using CheckVShield, see "Technical Note 2: Sample
NetWare Login Script and .BAT File" later in this
chapter.
Using VirusScan (Version 2.0) 39
VSHIELD OPTION SUMMARY
Option and Description
/? or /HELP
Display a list of valid VShield command line options.
/ANYACCESS
Scan the diskette boot sector for viruses whenever a
diskette is accessed (including any read and write
operations); scan .EXE, .COM, .DLL, .OVL, .BIN, and
.SYS files whenever the file is opened, read, or updated;
scan .EXE and .COM files upon execution; scan any
newly created file, regardless of extension.
/BOOTACCESS
Scan the diskette boot sector for viruses whenever a
diskette is accessed (including any read and write
operations); individual files on a diskette are not
scanned when a diskette is accessed.
/CERTIFY
Prevent files without validation codes from running.
/CF {filename}
Check for viruses using validation and recovery data
stored by Scan /AF in the specified filename.
/CONTACT {message}
Display specified message when a virus is found.
/CONTACTFILE {filename}
Display message stored in filename when a virus is
found.
/CV
Check validation codes added to files by Scan.
/EXCLUDE {filename}
Don't check files listed in filename for validation
codes (/CF and /CV options).
/FILEACCESS
Scan .EXE, .COM, .DLL, .OVL, .BIN, and .SYS files
whenever the file is opened, read, or updated;
scan .EXE and .COM files upon execution; the
diskette boot sector is not checked when a diskette
is accessed.
/IGNORE {drive(s)}
Don't check programs loaded from the specified
drive(s).
Using VirusScan (Version 2.0) 40
/LOCK
Halt the system when a file that is infected or not
certified loads and attempts to execute.
/NOEMS
Prevent VShield from using expanded memory (EMS) when
it loads.
/NOMEM
Do not check memory for viruses upon running.
/NOREMOVE
Prevent VShield from being removed from memory with the
/REMOVE switch.
/NOUMB
Prevent VShield from using upper memory blocks (UMB)
when it loads.
/NOWARMBOOT
Don't check the diskette boot sector for viruses during
a warm boot.
/NOXMS
Prevent VShield from using extended memory (XMS) when
it loads.
/ONLY {drive(s)}
Check programs loaded only from the specified drive(s).
/RECONNECT
Restore VShield after certain drivers or TSRs have
disabled it.
/REMOVE
Unload VShield from memory.
/SAVE
Save the command line options to the VSHIELD.INI file.
/SWAP [pathname]
Load VShield kernel (7Kb) only; swap the rest from
pathname.
Using VirusScan (Version 2.0) 41
VSHIELD OPTION DESCRIPTIONS
/? or /HELP
Use this option to display a brief description of valid
VShield command line options.
/ANYACCESS
Checks the boot sector and files during read and write
operations. Whenever a diskette is accessed (including
any read and write operations such as a DIR or COPY
command), VShield checks the boot sector for viruses.
Whenever an .EXE, .COM, .DLL, .OVL, .BIN, or .SYS file is
opened, read, or updated, VShield checks the accessed file.
Whenever an .EXE or .COM file executes, VShield checks the
file for viruses as it loads and prevents execution if
the file is infected. Whenever a new file is created, such
as with a COPY command, VShield checks the file (regardless
of its extension).
This is the highest level of protection against viruses
that infect boot sectors and standard executable files.
Using /ANYACCESS with either /BOOTACCESS or /FILEACCESS in
the same command line returns an error message.
Note: The /ANYACCESS switch is not recommended for use
with DOS and WIN-OS/2 sessions under OS/2 due to
certain low-level operating system incompatibilities
between OS/2 and DOS. Use the /FILEACCESS switch
instead.
/BOOTACCESS
Checks the diskette boot sector for viruses whenever a
diskette is accessed (including any read and write operations
such as a DIR or COPY command). Unlike /ANYACCESS,
/BOOTACCESS does not check individual files on the diskette,
only the boot sector. Using /BOOTACCESS with /ANYACCESS on
the same command line returns an error message.
Note: This option does not work from within Windows File
Manager. For virus-checking within Windows, use the
/ANYACCESS or /FILEACCESS switch instead.
Using VirusScan (Version 2.0) 42
/CERTIFY
Prevents programs from running if they do not have Scan
validation codes. Use it in high-security environments to
prevent clients from running programs that have not been
scanned. To use /CERTIFY, first run Scan with the /AF or /AV
option, as described in Chapter 3 in the Scan
documentation. Then, use VShield with the /CERTIFY option
and either the /CF or /CV option (either is required),
such as:
vshield /certify /cf c:\mcafee\valcodes.val
Some programs, such as Lotus 1-2-3, contain self-modifying
code and do not work correctly with validation codes
attached. You may create an exception list of files to
exclude from validation. For instructions, refer to
"Technical Note 1: Creating an exception list for /EXCLUDE"
in Chapter 3 of the Scan documentation.
/CF {filename}
Checks validation data stored by Scan's /AF {filename}
option, where filename is the name of the validation data
file created by Scan. If a file or system area has changed,
VShield reports that a viral infection may have occurred.
You can specify the /EXCLUDE option to exclude a list of
files from validation checking. In this example:
vshield /cf c:\mcafee\valcodes.dat /noems
VShield looks in the VALCODES.DAT file for validation data.
For instructions on using Scan /AF to add validation codes,
see "/AF {filename} Store recovery/validation codes in file"
in Chapter 3 in the Scan documentation, and "Detecting
New and Unknown Viruses" in Chapter 4.
/CONTACT {message}
Displays a custom message when a virus is found. This
message is displayed in addition to all other VShield
messages. Use /CONTACT to let network users know what to
do if VShield finds a virus. The message can be up to 50
characters long, and can contain any character except a
backslash "\" character. Place messages starting with a
hyphen "-" or a slash "/" in quotation marks.
If your message is longer than 50 characters or you want to
store the message text in a file, use /CONTACTFILE instead.
Using /CONTACT and /CONTACTFILE in the same command line
returns an error message.
Using VirusScan (Version 2.0) 43
/CONTACTFILE {filename}
An alternative to the /CONTACT option, /CONTACTFILE
identifies a file that contains the message string to
display when a virus is found. This option is especially
useful in network environments, because you can easily
maintain the message text in a central file rather than
changing the command line in the AUTOEXEC.BAT file on each
workstation.
If your message is 50 characters or fewer, you can use
/CONTACT instead. Using /CONTACT and /CONTACTFILE in the
same command line returns an error message.
/CV
Checks validation codes added by Scan with the /AV option.
If a file has changed, VShield reports that the file has
been modified and a viral infection may have occurred. You
can specify the /EXCLUDE option to exclude a list of files
from validation checking. For instructions on using Scan to
add validation codes, see "/AV Add recovery/validation data
to files" in Chapter 3 in the Scan documentation, and
"Detecting new and unknown viruses" in Chapter 4.
/EXCLUDE {filename}
Excludes files listed in filename from validation when using
/CF or /CV. For more information, see "Technical Note 1:
Creating an Exception List for /EXCLUDE" later in this chapter.
/FILEACCESS
Checks standard executable files whenever the file is
accessed or executed. Whenever an .EXE, .COM, .DLL, .OVL,
.BIN, or .SYS file is opened, read, or updated, VShield checks
the accessed file. Whenever an .EXE or .COM file executes,
VShield checks the file for viruses as it loads and prevents
execution if the file is infected. VShield checks all files
when accessed by a read or write operation. Using /ANYACCESS
on the same command line with /FILEACCESS returns an error
message.
o We recommend always using /FILEACCESS with OS/2.
For VShieldCRC, /FILEACCESS checks files only if they have
been validated with the /AF or /AV options.
Using VirusScan (Version 2.0) 44
/IGNORE {drives}
Omits checking program loads from the specified drives, as
shown in the following example:
vshield /ignore t: y: w:
Use /IGNORE or /ONLY to speed up VShield by excluding
secure, virus-free drives such as network drives from virus
checking. You can specify up to 26 drives. See also /ONLY,
described later in this section. Using /IGNORE and /ONLY in
the same command line returns an error message.
/LOCK
Halts the system to stop further infection if VShield finds
a virus. /LOCK is appropriate in highly vulnerable network
environments, such as open-use computer labs. If you use
/LOCK, be sure to use /CONTACT or /CONTACTFILE to tell
users what to do or whom to contact if a virus is found and
the system locks up.
/NOEMS
Prevents VShield from using expanded memory (LIM EMS 3.2)
when it loads. This ensures that EMS is available
exclusively for other programs.
/NOMEM
Skips the memory check for viruses when VShield loads. Using
/NOMEM allows VShield to load more quickly, but use it only
if you are absolutely sure that your system is virus-free.
/NOREMOVE
Prevents VShield from being removed from memory with the
/REMOVE option in a subsequent VShield command. When you
load VShield with the /NOREMOVE option, subsequent loads
with the /REMOVE option will have not effect. Your network
will be more secure if users cannot remove VShield, but this
option may prevent users from solving memory limitations or
conflicts.
/NOUMB
Prevents VShield from using the upper memory block (UMB,
640Kb to 1024Kb) when it loads. This ensures that the UMB
is available exclusively for other programs.
/NOWARMBOOT
Omits checking the diskette boot sector during a warm boot
of the system.
/NOXMS
Prevents VShield from using extended memory (XMS) when it
loads. This ensures that XMS is available exclusively for
other programs.
Using VirusScan (Version 2.0) 45
/ONLY {drive(s)}
Checks program loads only from the specified drive(s),
ignoring all other drives, as shown in the following
example:
vshield /only c: f: k:
Use /IGNORE or /ONLY to speed up VShield by excluding
secure, virus-free network drives from virus checking. You
can specify up to 26 drives. See also /IGNORE earlier in
this section. Using /ONLY and /IGNORE in the same
command line returns an error message.
/RECONNECT
Restores VShield's links into DOS after another program has
disabled it, such as a network driver, keyboard driver,
custom disk driver, drive compression program, or disk
caching program. These types of programs replace the normal
DOS system interrupts so that VShield no longer recognizes
program loads. After the lines in your AUTOEXEC.BAT file (or
network login script) that load these programs, add this
command line to restore VShield:
vshield /reconnect
/REMOVE
Unloads VShield from memory. You may want to do this
temporarily if you are running out of memory for programs.
For best results, try using VShield with the /SWAP option
first. Use /REMOVE only as a last resort.
Note: /REMOVE will not work if other memory-resident
programs were loaded after VShield, or if VShield was
loaded previously with the /NOREMOVE option.
/SAVE
Stores the VShield options you specify as the defaults in
the VSHIELD.INI file. In the following example, /SAVE saves
"/CONTACTFILE N:\USR\DAVEM\MSGFILE" as the default setting:
vshield /contactfile n:\usr\davem\msgfile /save
To remove custom options and return to VShield's original
defaults, use the /SAVE option alone:
vshield /save
/SWAP [pathname]
Installs a small (7Kb) kernel of VShield in memory that
loads the rest of VShield from disk on demand. Specify a
pathname only if you want VShield to swap to a path other
than the directory where VShield resides.
Using VirusScan (Version 2.0) 46
Use /SWAP only if you have very little memory available, but
require a high assurance of safety. /SWAP will slow down
your system and may cause conflicts with programs that fail
to allocate memory properly. If you don't have enough memory
to load VShield without swapping, consider using VShieldCRC
instead. We do not recommend storing the swap file on a
network path because, if the workstation disconnects from
the network, the workstation will lock.
Using VirusScan (Version 2.0) 47
DECIDING WHICH OPTIONS ARE FOR YOU
Because systems and environments differ, VShield gives you a
choice of options. Consider the mixture of safety,
performance, and maintenance that meets your needs, then
choose the combination of options that works best.
REQUIREMENT │ OPTION │ COMMENTS
════════════════════╪══════════════╪═══════════════════════════════
More complete │ /ANYACCESS │ Highest protection against
protection, any │ │ infected diskettes; checks
environment │ │ for viruses whenever a dis-
│ │ kette or files are accessed.
├──────────────┼───────────────────────────────
│ /FILEACCESS │ Next highest protection
│ │ against infected diskettes;
│ │ checks for viruses whenever
│ │ a standard file is accessed.
├──────────────┼───────────────────────────────
│ /BOOTACCESS │ Of the three, lowest
│ │ protection against infected
│ │ diskettes; checks for
│ │ viruses in boot sector when
│ │ a diskette is accessed.
────────────────────┼──────────────┼───────────────────────────────
More complete │ /CERTIFY │ Use with /CF {filename} or
protection, │ │ /CV and an exception list.
stable software ├──────────────┼───────────────────────────────
environment │ /CF │ Use /CF or /CV. Of the two,
│ │ /CF is recommended.
├──────────────┼───────────────────────────────
│ /CV │ Use /CF or /CV.
────────────────────┼──────────────┼───────────────────────────────
Network or multi- │ /CONTACT │ Use this (or /CONTACTFILE)
user environments │ │ to tell users what to do
│ │ when a virus is found.
├──────────────┼───────────────────────────────
│ /CONTACTFILE │ Use this (or /CONTACT) to
│ │ tell users what to do when
│ │ a virus is found.
├──────────────┼───────────────────────────────
│ /IGNORE │ Use this (or /ONLY) to
│ │ skip virus-free drives.
├──────────────┼───────────────────────────────
│ /LOCK │ Use with /CONTACT or
│ │ /CONTACTFILE {filename}.
────────────────────┴──────────────┴───────────────────────────────
Using VirusScan (Version 2.0) 48
────────────────────┬──────────────┬───────────────────────────────
For network │ /NOREMOVE │ Prevents VShield from
environments │ │ being removed from memory.
(continued) ├──────────────┼───────────────────────────────
│ /ONLY │ Use this (or IGNORE) to check
│ │ only vulnerable drives.
├──────────────┼───────────────────────────────
│ /RECONNECT │ Required if network drivers
│ │ are loaded after VShield.
────────────────────┼──────────────┼───────────────────────────────
Faster performance, │ /NOMEM │ Only use on a virus-free
any environment │ │ computer.
├──────────────┼───────────────────────────────
│ /NOWARMBOOT │ Omits checking the boot
│ │ sector after a warm boot.
────────────────────┼──────────────┼───────────────────────────────
Manage memory, any │ /NOEMS │ Use when other programs need
environment │ │ exclusive use of EMS memory.
├──────────────┼───────────────────────────────
│ /NOUMB │ Use when other programs need
│ │ exclusive use of UMB memory.
├──────────────┼───────────────────────────────
│ /NOXMS │ Use when other programs need
│ │ exclusive use of XMS memory.
├──────────────┼───────────────────────────────
│ /NOREMOVE │ Use to ensure that VShield
│ │ remains in memory.
├──────────────┼───────────────────────────────
│ /REMOVE │ May temporarily solve memory
│ │ conflicts.
├──────────────┼───────────────────────────────
│ /SWAP │ Use in environments with very
│ │ limited memory.
════════════════════╧══════════════╧═══════════════════════════════
Using VirusScan (Version 2.0) 49
EXAMPLES
The following examples show different option settings:
vshield
Activates VShield (Level II protection).
vshield /cv
Activates VShield (Level III protection), if you have
previously run SCAN /AV.
vshield /certify /cf c:\valcodes.dat
Activates VShield (Level IV protection) and checks a
validation and recovery data file created when running
Scan with the /AF option.
vshield /swap
Activates VShield kernel in memory and swaps from the
directory in which VShield resides.
vshield /cv /exclude c:\excption.lst /contact "Call the Help Desk!"
Activates VShield (Level III protection), ignores
checking files in the EXCPTION.LST files, and displays
a message if a virus is found.
vshield /reconnect
Re-activates VShield after it has been disabled by
network device drivers.
Using VirusScan (Version 2.0) 50
ERROR LEVELS
When VShield loads, it sets the DOS ERRORLEVEL. You can use
the returned ERRORLEVEL in AUTOEXEC.BAT or other batch files
to take different actions based on whether VShield has
loaded in memory. See your DOS manual for more information
on using ERRORLEVEL's.
VShield returns these ERRORLEVELs:
ERRORLEVEL DESCRIPTION
0 VShield successfully loaded in memory
with all options operational.
9 VShield not loaded correctly. Abnormal
termination (program error).
VShield alerts you to problems by beeping once for system
errors, twice for validation errors (/CF or /CF checking),
or three times if a virus is found.
USING VSHIELDCRC
For Level I protection on systems with limited memory, use
VShieldCRC instead of VShield. VShieldCRC is a separate
program that consumes little system overhead, but is not
recommended for normal use because it provides only minimal
protection. VShieldCRC can inform you that you have been
infected with a virus, but it does not check for virus
signatures nor does it prevent infection.
To use VShieldCRC, first use Scan with the /AF or /AV
option. VShieldCRC checks the validation codes added by
Scan. It also checks the master boot record (MBR) and boot
sector validation codes, if present. See Chapter 3 in the
Scan documentation for instructions on using Scan.
To load VShieldCRC with options, use the following syntax:
vshldcrc [options]
[options] include the options listed in the table
"VShieldCRC Option Summary" which follows. For more
information on all options except /LOGFILE, see "VShield
Option Descriptions" earlier in this chapter.
Using VirusScan (Version 2.0) 51
EXAMPLES
vshldcrc
Activates VShieldCRC (Level I protection).
vshldcrc /cf valcodes.crc
Activates VShieldCRC and checks validation data stored
in VALCODES.CRC, a file that was created using Scan
with the /AF option.
Using VirusScan (Version 2.0) 52
VSHIELDCRC OPTION SUMMARY
Option and Description
/? or /HELP
Display a list of valid VShieldCRC command line
options.
/CERTIFY
Prevent files without validation codes from running.
/CF {filename}
Check for viruses using validation and recovery data
stored by Scan /AF in the specified filename.
/CONTACT {message}
Display specified message when a virus is found.
/CONTACTFILE {filename}
Display message stored in specified filename when a
virus is found.
/CV
Check validation codes added to files by Scan.
/EXCLUDE {filename}
Don't check files listed in filename for validation
codes (used with /CF and /CV options).
/FILEACCESS
Checks validated files whenever the file is accessed or
executed. Whenever a validated .EXE, .COM, .DLL, .OVL,
.BIN, or .SYS file is opened, read, or updated, VShieldCRC
checks the accessed file. Whenever a validated .EXE or
.COM file executes, VShieldCRC checks the file for viruses
as it loads and prevents execution if the file is infected.
/IGNORE {drive(s)}
Don't check programs loaded from specified drive(s).
/LOCK
Halt the system when a file that is not certified
attempts to load and execute.
/LOGFILE {filename}
Write error information to filename.
/NOREMOVE
Prevent VShieldCRC from being removed from memory with
a subsequent VShieldCRC command using /REMOVE.
Using VirusScan (Version 2.0) 53
/NOUMB
Prevent VShieldCRC from using upper memory blocks (UMB)
when it loads.
/ONLY {drive(s)}
Check programs loaded only from the specified drive(s).
/REMOVE
Unload VShieldCRC from memory.
Using VirusScan (Version 2.0) 54
USING CHECKVSHIELD
CheckVShield allows network administrators to make sure that
workstations are running VShield or VShieldCRC before users
can log onto a network. See "Technical Note 2: Sample
NetWare login script and .BAT file" later in this chapter for
a sample Novell NetWare login script using CheckVShield.
To load CheckVShield with options, use the following syntax:
chkvshld [option(s)]
[option(s)] include:
/? and /HELP
Display a list of valid CheckVShield command line
options.
/DEBUG
Displays the version of VShield or VShieldCRC resident
in memory and the DOS ERRORLEVEL on the screen.
/Q
Suppresses CheckVShield messages (quiet mode) so users
don't see the messages.
/V xxxxx
Tells CheckVShield to look for a specific version (2.00
or higher) of VShield or VShieldCRC in memory. For
example, /v 2.00 for VShield 2.00.
Using VirusScan (Version 2.0) 55
EXAMPLES
chkvshld /q
Checks for VShield or VShieldCRC in memory and
suppresses messages.
ERROR LEVELS
When CheckVShield runs, it sets the DOS ERRORLEVEL. Use the
ERRORLEVEL in batch files to take different actions based on
the results of CheckVShield's check. The ERRORLEVELs returned
by CheckVShield are:
ERRORLEVEL DESCRIPTION
0 VShield or VShieldCRC is
resident or, if /V is used,
the version specified is
resident in memory.
1 VShield or VShieldCRC is
resident but does not match
the version specified in the
/V option.
2 VShield or VShieldCRC is not
resident in memory.
3 Abnormal termination (program
error).
Using VirusScan (Version 2.0) 56
TECHNICAL NOTE 1: CREATING AN EXCEPTION LIST FOR /EXCLUDE
VShield /CERTIFY permits a file to load only if:
o It has been validated by Scan, or
o It appears in the exception list file specified with
the /EXCLUDE option, used in conjunction with /CF or
/CV.
If you do not validate any files and do not use an exception
list, /CERTIFY will disable all programs other than DOS
internal commands.
The exception list file is an ASCII or DOS text file
containing up to 1,024 characters. If you use a word
processor to create it, be sure to save the file as ASCII
or DOS Text. Here is an example:
C:\CLIPPER\BIN\CLIPPER.EXE
C:\123\123.COM
C:\FOX\FOXPROLX.EXE
C:\DOS\SETVER.EXE
C:\PKWARE\PKLITE.EXE
C:\PKWARE\PKZIP.EXE
C:\PKWARE\PKUNZIP.EXE
C:\SEMWARE\Q.EXE
C:\SWAPVOL.COM
C:\NORTON\NCACHE.EXE
C:\WORDSTAR\WS.EXE
Using VirusScan (Version 2.0) 57
TECHNICAL NOTE 2: SAMPLE NETWARE LOGIN SCRIPT AND .BAT FILE
Here is a sample system login script for use by Novell
NetWare system administrators. The login script gets the
ERRORLEVEL from CheckVShield and displays messages on the
user's screen. If VShield is not loaded correctly, there is
an internal error with CheckVShield, either VShield or
VShieldCRC is not installed, or an older version of VShield
is present, the script exits the user to a NOLOGIN.BAT file
that logs him or her out.
#REM REPLACE "XXX" WITH CURRENT VERSION NUMBER
CHKVSHLD /V "XXX"
IF ERROR_LEVEL = "3" THEN
FIRE PHASERS 5 TIMES
WRITE "A CHKVSHLD internal error has occurred."
WRITE "Please contact the Help Desk."
#COMMAND /C NOLOGIN.BAT
EXIT
ELSE
IF ERROR_LEVEL = "2" THEN
FIRE PHASERS 5 TIMES
WRITE "VShield has not been installed on your PC."
WRITE "Access Denied. Please contact the Help Desk."
#COMMAND /C NOLOGIN.BAT
EXIT
ELSE
IF ERROR_LEVEL = "1" THEN
FIRE PHASERS 5 TIMES
WRITE "An old version of VShield has been installed."
WRITE "Access to the network has been denied. Please"
WRITE "contact the Help Desk to have a new version."
WRITE "installed."
#COMMAND /C NOLOGIN.BAT
EXIT
END
END
END
You can create more complex login scripts to send a message
to the supervisor if an error has occurred, update the
user's VSHIELD.EXE as he or she logs in to the network, and
so forth.
Here is a sample of the NOLOGIN.BAT file called by the login
script.
ECHO OFF
REM Log the user off of the network
LOGOUT
Using VirusScan (Version 2.0) 58
Chapter 4: TIPS & TROUBLESHOOTING
The other chapters in this manual are meant to tell you
clearly and concisely how to use the VirusScan(TM) software.
Still, you may have questions or encounter confusing
situations. This chapter contains two kinds of advice:
o Tips for getting the most out of VirusScan.
o Common problems and how to solve or avoid them.
If this information doesn't help resolve your question or
problem, contact McAfee (see "Technical Support" in
Chapter 1).
DETECTING NEW AND UNKNOWN VIRUSES
There are two ways of dealing with new and unknown viruses
that may infect your system:
o Update VirusScan regularly.
o Store and check validation and recovery information
about your files.
UPDATE VIRUSSCAN REGULARLY
Most likely, McAfee will see new viruses long before you do.
We update the VirusScan programs often--usually montly, but
more often if many new viruses have appeared. Each new
version may detect and eradicate as many as 60 to 100 new
viruses or more, and may fix bugs that have been reported.
Updating VirusScan regularly is probably all you need to do
to protect against new viruses. See the instructions for
obtaining new versions in "Updating VirusScan Regularly" in
Chapter 2.
USE THE VALIDATION AND RECOVERY OPTIONS
If your environment is highly vulnerable to viruses, or you
require unusual security against them, you can use
VirusScan's validation and recovery options. Scan checks for
new or unknown viruses by comparing files against previously
recorded validation data. If a file has been modified, it no
longer matches the validation data, and Scan reports that
the file may have become infected. Scan has two levels of
validation, which are stored in two separate ways:
Using VirusScan (Version 2.0) 59
o It can store the enhanced code in a separate recovery
file, which can be stored off-line (for example, on a
diskette) for recovery purposes (/AF, /CF, and /RF
switches). This is the preferred method because it
stores the data for files, the boot sector, and the
master boot record (MBR) of a disk in the recovery
file.
o It can append a 98-byte validation code to .COM and
.EXE files (/AV, /CV, and /RV switches). This method
applies to the files you specified only. It does not
store data for the boot sector and master boot record
(MBR).
Once the validation codes are stored, both Scan and VShield
can use the /CV and /CF options to detect changes to the
files. More importantly, if you have stored the recovery
information with /AF, Scan can use it to restore infected
files, master boot record (MBRs), and boot sectors.
All of these options require continuing effort to store and
maintain the codes. For example, if you install new programs
or upgrade old ones, you should use the /RV or /RF options
to remove all codes, then /AV or /AF to restore them.
If you want to use one of these methods, which should you
use? We recommend the "F" options--/AF, /CF, and /RF--over
the "V" options. /AF stores the validation and recovery
information in a separate file, instead of modifying the
program files themselves. This has three advantages:
o You can store the recovery file off-line (on your clean
anti-viral startup diskette, for example, or on a
network drive or tape drive) and access it on demand to
check for, and recover from, infection by unknown
viruses. Use the procedure below to create a recovery
diskette.
o This method keeps self-checking files (usually copy-
protected programs) from reporting that they have been
tampered with.
o If you use this method, you don't need an exception
list. However, it's important that you run Scan with
the /RF option on individual self-modifying files, such
as Lotus 1-2-3, to remove the validation codes for
those programs from the validation file.
The "V" options are primarily useful for companies that
distribute software to their customers or employees, and
want to incorporate an additional level of virus protection.
Using VirusScan (Version 2.0) 60
CREATING A RECOVERY DISKETTE
To store the recovery file, create a new "VirusScan Startup
Diskette" and then run Scan to create a validation code and
recovery data file by typing:
scan /adl /af a:\scancrc.crc
and pressing <ENTER>. The above command scans the local
hard disk drive(s) for known viruses and creates
"SCANCRC.CRC," a file containing validation codes and
recovery data, on the diskette. After Scan finishes,
write-protect the diskette, label it as your "VirusScan
Recovery Diskette," and store in a safe location.
To check for virus infection, turn your computer off, insert
your "VirusScan Recovery Diskette" in drive A:, and turn
the power back on. The PC will now start from the diskette.
At the DOS prompt, type:
scan /adl /cf a:\scancrc.crc
and press <ENTER>. This will compare the local hard disk
drive(s) against the recovery data stored on the diskette
in the SCANCRC.CRC file.
If you detect an unknown virus, to disinfect your system,
turn your PC off, insert the recovery diskette, and turn the
power back on. The PC will start from the floppy disk. At
the DOS prompt, type:
scan /adl /cf a:\scancrc.crc /clean
to restore drives C and D with the recovery data stored in
SCANCRC.CRC on the diskette.
If you install new software, or upgrade your DOS version,
remember to update your recovery file. See Application
note 1, "Updating Validation Codes," in Chapter 3 in
the Scan documentation.
Using VirusScan (Version 2.0) 61
INTERACTING WITH YOUR NETWORK
Many personal computers are interconnected through a local
area network (LAN). VirusScan is highly compatible with most
networks. Here are some ways of using the VirusScan software
with your network:
Run Scan on network drives
Run from a workstation (PC) on the network, Scan checks
network drives for viruses just as it does local drives. For
convenience, the /ADN option scans all network drives to
which the workstation is connected.
Use VShield and CheckVShield
By activating VShield as part of every workstation's
AUTOEXEC.BAT file, you can prevent the workstations from
introducing viruses into the network. Network administrators
can ensure that VShield is active on each workstation by
running CheckVShield as part of the network login script,
before actual login.
Use NETShield
NETShield provides continuous virus protection on a NetWare
server. NetWare network administrators can use it to check
for both known and unknown viruses and to monitor all
network activities. On other kinds of networks, you can use
Scan to check network servers.
Develop a network security program, as described in the next
tip.
Develop a security program
VirusScan has been shown to be an effective virus-preventive
measure when used in a conscientiously applied program of
network security and regular professional care.
VirusScan is one important element of a comprehensive
computing security program that includes a variety of safety
measures, such as regular backups, meaningful password
protection, user training, and awareness. Even with
VirusScan, some viruses--not to mention theft or fire--an
render a disk unrecoverable without a recent backup to
reload information. Although outlining such a security
program is beyond the scope of this manual, see "Other
Sources of Information" in Chapter 1 for suggestions.
If you are a network administrator, we urge you to implement
a security program to safeguard your organization's data and
productivity. If you are a network user, please support and
comply with such a program.
Using VirusScan (Version 2.0) 62
TROUBLESHOOTING
Using VirusScan with other anti-virus software
When you run more than one anti-virus program from different
vendors, you risk strange results and false alarms. For
example, some anti-virus programs store their "virus
signature strings" unprotected in memory. Running VirusScan
may "detect" them falsely as a virus.
False alarms
Scan may incorrectly report a virus in the boot sector or
master boot record (MBR) of a disk if the diskette using a
special copy-protection or encryption mechanism. Contact
technical support if you're unsure (see "Technical Support"
in Chapter 1).
TSR conflicts
Some "terminate-and-stay-resident" (TSR) software may
conflict with VirusScan programs, especially VShield (which
is itself a TSR). To check whether this is the problem,
"comment out" the other TSR files in your AUTOEXEC.BAT file
and restart your system. If the errors disappear, the TSR
conflict caused them.
Slow disk access, program locks
Running VShield will slow your system slightly as described
in Chapter 3, especially if you use either the /ANYACCESS
or /SWAP options. If you experience very slow disk access,
or if programs lock or freeze while using Windows 3.1,
you may be using a disk cache program that interferes with
program operation, or you may need to increase the number
of BUFFERS in your CONFIG.SYS file.
Program locks with VShield's /SWAP option
When VShield is running with the /SWAP option, certain
programs may lock up the computer. These programs may use
memory without allocating it first, including older versions
of Lotus 1-2-3, pfs:Write and Professional Write,
OfficeWrite, and DisplayWrite4. To correct, restart your
computer and run VShield without the /SWAP option.
Unable to remove VShield
If the /REMOVE option doesn't successfully remove VShield
from memory, you have probably loaded other terminate-and-
stay-resident (TSR) programs after VShield. VShield can't be
removed until the other TSRs are removed. If you need to
unload VShield often, load it last.
Using VirusScan (Version 2.0) 63
APPENDIX A: RETRIEVING VIRUSSCAN UPDATES VIA THE McAFEE BBS
McAfee runs a multiple line bulletin board system (BBS) for
you to download program updates, receive technical support,
and interact with other McAfee users.
DIAL UP
o The McAfee BBS phone number is (408) 988-4004.
o The BBS operates at up to 14,400 bps (baud). Set your
communications parameters to 8 data bits, 1 stop bit,
no parity, and your terminal emulation to ANSI or TTY.
o The BBS is Bell- and ITU- (formerly CCITT) compatible.
LOG ON
After receiving the CONNECT message from your communications
package:
o Enter your name, geographic location, and password.
To retrieve the VirusScan programs, type "GUEST" for
first name, and "USER" for last name.
Or, if you want personal answers or feedback, create
your own account by entering your first and last name
and a password. Passwords should be 3-8 characters long
and are case-sensitive.
THE MAIN MENU
Here are some of the important functions on the main menu:
<F> File transfer area (download McAfee updates)
<M> Message area (read and write messages in all sections
and e-mail)
<G> Goodbye (hang up and leave the BBS)
Downloading McAfee programs
1. Select <F> from the Main Menu to go to the File
transfer area. This is the area from which you can
download McAfee programs.
2. Select <1> for the McAfee Antivirus Files. A sorted
directory listing of files available for download will
be displayed.
Using VirusScan (Version 2.0) 64
3. Type <D> for download, then type in the filename as
found in the directory.
4. The BBS will prompt you to select a protocol. We
recommend error-correcting protocol such as ZMODEM,
YMODEM or XMODEM.
5. You'll see the message Awaiting start signal. Tell your
software to receive files. With PROCOMM for DOS or
TELIX, press the <PAGE DOWN> key, with BITCOM, press
the <F2> key. For other communications programs, check
your manual.
7. Your software will prompt you to select a protocol and
file name to receive the file. Select the same protocol
and name.
Using VirusScan (Version 2.0) 65
APPENDIX B: OPTIONS COMPARISON BETWEEN
VIRUSCAN VERSIONS 1.5 AND 2.0
VERSION COMPARISON OF VSHIELD OPTIONS
VShield │ VShield │
Version 1.5 │ Version 2.0 │ Option Description
═══════════════╪══════════════╪══════════════════════════
/? or /HELP │ /? or /HELP │ Display a list of valid
│ │ VShield command line
│ │ options.
───────────────┼──────────────┼──────────────────────────
/ACCESS │ │ Check for viruses when
│ │ files are opened and
│ │ diskettes are accessed.
───────────────┼──────────────┼──────────────────────────
│ /ANYACCESS │ Scan the diskette boot
│ │ sector for viruses
│ │ whenever a diskette is
│ │ accessed (including any
│ │ read and write
│ │ operations); scan .EXE,
│ │ .COM, .DLL, .OVL, .BIN,
│ │ and .SYS files whenever
│ │ the file is opened,
│ │ read, or updated; scan
│ │ .EXE and .COM files
│ │ upon execution; scan
│ │ any newly created file,
│ │ regardless of extension.
───────────────┼──────────────┼──────────────────────────
/BOOT │ /BOOTACCESS │ Scan the diskette boot
│ │ sector for viruses
│ │ whenever a diskette is
│ │ accessed (including any
│ │ read and write
│ │ operations); individual
│ │ files on a diskette are
│ │ not scanned when a
│ │ diskette is accessed.
───────────────┼──────────────┼──────────────────────────
/CERTIFY │ /CERTIFY │ Prevent files without
{filename} │ │ validation codes from
│ │ running. {filename} is
│ │ an optional exception
│ │ list (version 1.5 only)
───────────────┼──────────────┼──────────────────────────
/CF │ /CF │ Check for viruses using
{filename} │ {filename} │ validation and recovery
│ │ data stored by Scan /AF
│ │ in the specified filename.
Using VirusScan (Version 2.0) 66
VERSION COMPARISON OF VSHIELD OPTIONS (continued)
VShield │ VShield │
Version 1.5 │ Version 2.0 │ Option Description
═══════════════╪══════════════╪══════════════════════════
/CG │ /CV │ Check recovery and
│ │ validation codes added
│ │ to files by Scan.
───────────────┼──────────────┼──────────────────────────
/CHKHI │ (default) │ Check memory from 0-
│ │ 1088Kb when VShield loads.
───────────────┼──────────────┼──────────────────────────
/CONTACT │ /CONTACT │ Display specified
{message} │ {message} │ message when a virus is
│ │ found.
───────────────┼──────────────┼──────────────────────────
│ /CONTACTFILE │ Display message stored
│ {filename} │ in filename when a
│ │ virus is found.
───────────────┼──────────────┼──────────────────────────
/CV │ │ Check validation codes
│ │ added to files by Scan.
───────────────┼──────────────┼──────────────────────────
/CV [filename] │ /EXCLUDE │ Don't check files
or │ {filename} │ listed in filename for
/CG [filename] │ │ validation codes (/CF
│ │ and /CV options).
───────────────┼──────────────┼──────────────────────────
/F │ │ Use with /SWAP for DOS
{pathname} │ │ 2.0 systems ONLY.
───────────────┼──────────────┼──────────────────────────
/COPY │ /FILEACCESS │ Scan .EXE, .COM, .DLL,
│ │ .OVL, .BIN, and .SYS
│ │ files whenever the file
│ │ is opened, read, or
│ │ updated; scan .EXE and
│ │ .COM files upon
│ │ execution; the diskette
│ │ boot sector is not
│ │ checked when a diskette
│ │ is accessed.
───────────────┼──────────────┼──────────────────────────
/IGNORE │ /IGNORE │ Don't check programs
{drive(s)} │ {drive(s)} │ loaded from the
│ │ specified drive(s).
───────────────┼──────────────┼──────────────────────────
/LH │ (default) │ Load VShield into upper
│ │ memory area.
───────────────┼──────────────┼──────────────────────────
/LOCK │ /LOCK │ Halt the system when a
│ │ file that is infected
│ │ or not certified loads
│ │ and attempts to execute.
Using VirusScan (Version 2.0) 67
VERSION COMPARISON OF VSHIELD OPTIONS (continued)
VShield │ VShield │
Version 1.5 │ Version 2.0 │ Option Description
═══════════════╪══════════════╪══════════════════════════
/M │ (default) │ Scan base memory for
│ │ viruses when VShield loads.
───────────────┼──────────────┼──────────────────────────
/NB │ /NOWARMBOOT │ Disable boot sector
│ │ check during install
│ │ and reboot.
───────────────┼──────────────┼──────────────────────────
/NI6510 │ │ Fixes Racal Datacomm
│ │ NI6510 conflict.
───────────────┼──────────────┼──────────────────────────
/NOBREAK │ │ Prevent [Ctrl]+[C] /
│ │ [Ctrl]+[Brk] from
│ │ working during install.
───────────────┼──────────────┼──────────────────────────
/NOCONT │ │ Prevent non-certified
│ │ programs from running.
───────────────┼──────────────┼──────────────────────────
/NODISK │ │ Turn off the boot
│ │ sector check when
│ │ VShield is loading.
───────────────┼──────────────┼──────────────────────────
/NOEMS │ /NOEMS │ Prevent VShield from
│ │ using expanded memory
│ │ (EMS) when it loads.
───────────────┼──────────────┼──────────────────────────
/NOFLOPPY │ │ Turn off the boot sector
│ │ check for floppy drives.
───────────────┼──────────────┼──────────────────────────
/NOMEM │ /NOMEM │ Do not check memory for
│ │ viruses upon running.
───────────────┼──────────────┼──────────────────────────
/NOREMOVE │ /NOREMOVE │ Prevent VShield from
│ │ being removed from
│ │ memory with the /REMOVE
│ │ switch.
───────────────┼──────────────┼──────────────────────────
│ /NOUMB │ Prevent VShield from
│ │ using upper memory
│ │ blocks (UMB) when it
│ │ loads.
───────────────┼──────────────┼──────────────────────────
│ /NOXMS │ Prevent VShield from
│ │ using extended memory
│ │ (XMS) when it loads.
Using VirusScan (Version 2.0) 68
VERSION COMPARISON OF VSHIELD OPTIONS (continued)
VShield │ VShield │
Version 1.5 │ Version 2.0 │ Option Description
═══════════════╪══════════════╪══════════════════════════
/ONLY │ /ONLY │ Check programs loaded
{drive(s)} │ {drive(s)} │ only from the specified
│ │ drive(s).
───────────────┼──────────────┼──────────────────────────
/RECONNECT │ /RECONNECT │ Restore VShield after
│ │ certain drivers or TSRs
│ │ have disabled it.
───────────────┼──────────────┼──────────────────────────
/REMOVE │ /REMOVE │ Unload VShield from
│ │ memory.
───────────────┼──────────────┼──────────────────────────
/SAVE │ /SAVE │ Save specified options
│ │ as new defaults
│ │ (version 1.5 only).
│ │ Save the command line
│ │ options to the VSHIELD.INI
│ │ file (version 2.0 only).
───────────────┼──────────────┼──────────────────────────
/SWAP │ /SWAP │ Load VShield kernel
[pathname] │ [pathname] │ only (5Kb in version
│ │ 1.5; 7Kb in version
│ │ 2.0); swap the rest
│ │ from pathname.
Using VirusScan (Version 2.0) 69
VERSION COMPARISON OF VSHIELD1/VSHIELDCRC OPTIONS
VShield1 │ VShieldCRC │
Version 1.5 │ Version 2.0 │ Option Description
═══════════════╪══════════════╪══════════════════════════
│ /? or /HELP │ Display a list of valid
│ │ VShieldCRC command line
│ │ options.
───────────────┼──────────────┼──────────────────────────
│ /CERTIFY │ Prevent files without
│ │ validation codes from
│ │ running.
───────────────┼──────────────┼──────────────────────────
│ /CF │ Check for viruses using
│ {filename} │ validation and recovery
│ │ data stored by Scan /AF
│ │ in the specified filename.
───────────────┼──────────────┼──────────────────────────
│ /CONTACT │ Display specified message
│ {message} │ when a virus is found.
───────────────┼──────────────┼──────────────────────────
│ /CONTACTFILE │ Display message stored
│ {filename} │ in specified filename
│ │ when a virus is found.
───────────────┼──────────────┼──────────────────────────
│ /CV │ Check validation codes
│ │ added to files by Scan.
───────────────┼──────────────┼──────────────────────────
│ /EXCLUDE │ Don't check files
│ {filename} │ listed in filename for
│ │ validation codes (used
│ │ with /CF and /CV options).
───────────────┼──────────────┼──────────────────────────
│ /FILEACCESS │ Checks validated files
│ │ whenever the file is
│ │ accessed or executed.
│ │ Whenever a validated
│ │ .EXE, .COM, .DLL, .OVL,
│ │ .BIN, or .SYS file is
│ │ opened, read, or
│ │ updated, Scan checks
│ │ the accessed file.
│ │ Whenever a validated
│ │ .EXE or .COM file
│ │ executes, Scan checks
│ │ the file for viruses as
│ │ it loads and prevents
│ │ execution if the file
│ │ is infected.
Using VirusScan (Version 2.0) 70
VERSION COMPARISON OF VSHIELD1/VSHIELDCRC OPTIONS (continued)
VShield1 │ VShieldCRC │
Version 1.5 │ Version 2.0 │ Option Description
═══════════════╪══════════════╪══════════════════════════
│ /IGNORE │ Don't check programs
│ {drive(s)} │ loaded from specified
│ │ drive(s).
───────────────┼──────────────┼──────────────────────────
│ /LOCK │ Halt the system when a
│ │ file that is not
│ │ certified attempts to
│ │ load and execute.
───────────────┼──────────────┼──────────────────────────
│ /LOGFILE │ Write error information
│ {filename} │ to filename.
───────────────┼──────────────┼──────────────────────────
/NB │ │ Disable boot sector
│ │ checking during install
│ │ and reboot.
───────────────┼──────────────┼──────────────────────────
│ │
│ /NOREMOVE │ Prevent VShieldCRC from
│ │ being removed from memory
│ │ with a subsequent VShieldCRC
│ │ command using /REMOVE.
───────────────┼──────────────┼──────────────────────────
│ /NOUMB │ Prevent VShieldCRC from
│ │ using upper memory
│ │ blocks (UMB) when it loads.
───────────────┼──────────────┼──────────────────────────
│ /ONLY │ Check programs loaded
│ {drive(s)} │ only from the specified
│ │ drive(s).
───────────────┼──────────────┼──────────────────────────
/REMOVE │ /REMOVE │ Unload VShieldCRC from
│ │ memory.