Tech Arsenal 1

home *** CD-ROM | disk | FTP | other *** search

/ Tech Arsenal 1 / Tech Arsenal (Arsenal Computer).ISO / tek-05 / netsc95b.zip / NETSCN95.DOC < prev next >

Wrap

Text File | 1992-08-19 | 34KB | 936 lines

NETSCAN Version 95B Copyright (C) 1989 - 1992 by McAfee Associates All rights reserved. Documentation by Aryeh Goretsky. McAfee Associates (408) 988-3832 office 3350 Scott Blvd, Bldg. 14 (408) 970-9727 fax Santa Clara, CA 95054 (408) 988-4004 BBS (32 lines) U.S.A. USR HST/v.32/v.42bis/MNP1-5 CompuServe GO VIRUSFORUM InterNet mcafee@netcom.COM TABLE OF CONTENTS: SYNOPSIS . . . . . . . . . . . . . . . . . . . . . . . . . . .2 - What is NETSCAN? - System requirements AUTHENTICITY . . . . . . . . . . . . . . . . . . . . . . . . .2 - Verifying the integrity of NETSCAN WHAT'S NEW . . . . . . . . . . . . . . . . . . . . . . . . . .4 - New features and viruses in this release OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . .5 - General description of NETSCAN OPERATION and OPTIONS. . . . . . . . . . . . . . . . . . . . .6 - How to use NETSCAN, detailed explanation of switches EXAMPLES . . . . . . . . . . . . . . . . . . . . . . . . . . .12 - Samples of frequently-used options EXIT CODES . . . . . . . . . . . . . . . . . . . . . . . . . .13 - ERRORLEVELS for running NETSCAN from batch files VIRUS REMOVAL. . . . . . . . . . . . . . . . . . . . . . . . .13 - How to manually remove a virus LICENSE. . . . . . . . . . . . . . . . . . . . . . . . . . . .14 - How to license NETSCAN TECH SUPPORT . . . . . . . . . . . . . . . . . . . . . . . . .14 - Information you should have ready when calling APPENDIX A . . . . . . . . . . . . . . . . . . . . . . . . . .15 - Creating a virus string file with the /EXT option Page 1 NETSCAN Version 95B Page 2 SYNOPSIS NETSCAN is a virus detection and identification program for local and wide area networks. NETSCAN will search any networked drive accessible as a DOS device for known viruses. NETSCAN works by searching the system for sequences of bytes unique to each computer virus and then reporting their presence if found. NETSCAN Version 95B, when used in conjunction with the VIRUSCAN program on workstations, can identify all known computer virus strains. (For a complete list of viruses detected, please refer to the acompanying VIRLIST.TXT file). In order for NETSCAN to check all areas of the server for computer viruses, NETSCAN should be run under an account with global read and filescan rights. NETSCAN requires 320Kb of RAM and DOS 2.0 or above (some features require DOS 3.1 or above) and works with 3Com 3/Share and 3/Open, Artisoft LANTastic, AT&T StarLAN, Banyan VINES, DEC Pathworks, Microsoft LAN Manager, Novell NetWare, and any other IBMNET or NETBIOS compatible network operating system. If you do not see your NOS listed, contact McAfee Associates. AUTHENTICITY NETSCAN performs a self-check when run. If NETSCAN has been modified in any way, a warning will be displayed and the user prompted to either continue or quit. NETSCAN can still check for viruses, however, if NETSCAN reports it has been damaged, it is recommended that a clean copy be obtained. NETSCAN versions 46 and above are packaged with VALIDATE, a program to ensure the integrity of the NETSCAN.EXE file. The VALIDATE.DOC file tells how to use VALIDATE. VALIDATE can be used to check subsequent versions of NETSCAN for tampering. The validation results for Version 95B should be: FILE NAME: NETSCAN.EXE SIZE: 77,976 DATE: 08-19-1992 FILE AUTHENTICATION Check Method 1: 5CFA Check Method 2: 1DC6 If your copy of NETSCAN differs, it may have been damaged or have options stored in it with the /SAVE switch. Run NETSCAN with only the /SAVE option to remove any stored options and then re-run VALIDATE. Always obtain your copy of NETSCAN from a known source. The latest version of NETSCAN and validation data for NETSCAN.EXE can be obtained from McAfee Associates' BBS at (408) 988-4004 or from the Computer Virus Help Forum on CompuServe ( GO VIRUSFORUM). NETSCAN Version 95B Page 3 Beginning with Version 72, all of McAfee Associates' VIRUSCAN series are archived with PKWare's PKZIP Authentic File Verification. If you do not see an "-AV" after every file is unzipped and receive the "Authentic Files Verified! # NWN405 Zip Source: McAFEE ASSOCIATES" message when you unzip the files then do not use them. If your version of PKUNZIP does not have verification ability, then this message may not be displayed. Please contact us if you believe tampering has occured to the .ZIP file. [This space intentionally left blank] NETSCAN Version 95B Page 4 WHAT'S NEW Version 95B replaces Version 95B. This corrects a reported false alarm, and a problem with the /save switch. NETSCAN version 95B has been updated to detect all the new viruses added to VIRUSCAN. Beginning in Version 90, we have started optimizing our virus search strings by grouping similar viruses together into generic virus detection strings. This speeds up the VIRUSCAN program by reducing the amount of virus strings it has to look for and makes the program file smaller by reducing the size of its virus string data. THE COMPUTER VIRUS HELP FORUM ON COMPUSERVE We are now sponsoring the Computer Virus Help Forum on CompuServe. Updates to the NETSCAN series, information about computer viruses, and technical support may be obtained by typing GO VIRUSFORUM at any CompuServe prompt. A free introductory membership to CompuServe is also available. For more information, please read the COMPUSER.NOT file. NETSCAN Version 95B Page 5 OVERVIEW NETSCAN is designed to work with file servers on local and wide area networks. For stand-alone and networked PC's, use the VIRUSCAN program instead. NETSCAN checks files, subdirectories, or entire volumes on a file server forpre-existing computer virus infections. It will identify the virus infecting the system and the area where it was found. Infected files can be removed either with the /D overwrite- and-delete option in NETSCAN which will erase the file, or with the CLEAN-UP universal virus disinfection program. CLEAN-UP is recommended because in most cases it eliminates the virus and fully restores the program or system area. NETSCAN can be updated to search for new viruses by an External Virus Data File, which allows the user to input new search strings for viruses. After seven months have passed NETSCAN will display a message that it may no longer be current. However, NETSCAN will continue to function as normal. This message can be bypassed by running NETSCAN with the /NOEXPIRE switch. NETSCAN displays messages in English, French, or Spanish. NETSCAN Version 95B Page 6 OPERATION and OPTIONS IMPORTANT NOTE: WRITE PROTECT YOUR FLOPPY DISK BEFORE SCANNING TO PREVENT INFECTION OF THE NETSCAN PROGRAM. NETSCAN checks files and other areas of the system that can contain a computer virus. When a virus is found, NETSCAN identifies the virus and the file or system area where it was found. NETSCAN examines files based on their extension. The default extensions supported by NETSCAN are .APP, .BIN, .COM, .EXE, .OV?, .PGM, .PIF, .PRG, .SWP, .SYS, and .XTP. Additional extensions can be added with the /EXT option, or use the /A to check all files on the disk. Valid options for NETSCAN are: NETSCAN d1: ... d26: /? /A /AF filename /BELL /CF filename /CHKHI /D /E .xxx .yyy .zzz /EXT filename /FAST /FR /H /HELP /HISTORY filename /M /NLZ /NOBREAK /NOEXPIRE /NOMEM /NOPAUSE /NPKL /REPORT filename /RF filename /SAVE /SP /SUB /UNATTEND @filename Options are: /? /H /HELP - Display help screen /A - Scan all files, including data, for viruses /AF filename - Store recovery data/validation codes to file /BELL - Beep whenever a virus is found /CF filename - Check for viruses using recovery data/ validation codes stored in filename /CHKHI - Check memory from 0Kb to 1088Kb (on workstation NETSCAN is run from) /D - Overwrite and delete infected file /E .xxx .yyy - Scan overlay extensions .xxx .yyy .zzz /EXT filename - Scan using external virus data file /FAST - Speed up NETSCAN's output (see below for specifics) /FR - Display messages in French /HISTORY filename - Create infection log, appending to old log /M - Scan memory for all viruses (see below for specifics) /NLZ - Skip internal scan of LZEXE-compressed files /NOBREAK - Disable Ctrl-C and Ctrl-Brk during scanning /NOEXPIRE - Do not display expiration notice /NOMEM - Skip memory checking /NOPAUSE - Disable screen pause when scanning /NPKL - Skip internal scan of PKLITE-compressed files /REPORT filename - Create infection log, deleting old log NETSCAN Version 95B Page 7 /RF filename - Remove recovery data/validation codes stored in filename /SAVE - Save specified command line options as new defaults /SP - Display messages in Spanish /SUB - Scan subdirectories under a subdirectory /UNATTEND - Scan using DOS critical error handler @filename - Scan using options from configuration file (d1: ... d26: indicate drives to be scanned) The /A option checks all files on the drive scanned. This substantially increases the time required to scan disks, so it is recommended this swich only be used when installing new software or if a file-infecting virus has been found. This option takes priority over the /E option. The /AF option logs recovery data and validation codes for .COM and .EXE files on the network drive to a user- specified file that can be located on any drive. The size of the log file will be about 20Kb for every 1,000 files validated. The syntax is /AF filename, where "filename" is the path and file where recovery data and validation codes are stored. The /BELL option will cause NETSCAN to beep each time a computer virus is found. The /CF option checks recovery data and validation codes added by the /AF option. The syntax is /CF filename, where "filename" is the path and file name where recovery data and validation codes are stored. The /CHKHI option checks the memory on the workstation running NETSCAN between 640Kb and 1,088Kb that can be used on AT (286) and 386 systems for computer viruses. On XT systems with extended memory cards installed, this will cause the first 64K of RAM to be scanned again. This option cannot be used with the /NOMEM option. The /D option tells NETSCAN to prompt the user to overwrite and delete an infected file when one is found. A file erased by the /D option cannot be recovered. If the CLEAN-UP program is available, it can be used to disinfect the file. The /E option allows the user to specify an extension or set of extensions to scan. Extensions should include a period "." and should also be separated by a space after the /E. Up to three extensions may be added with the /E. For more extensions, use the /A option. NETSCAN Version 95B Page 8 The /EXT option allows NETSCAN to search for viruses from a text file containing user-defined search strings in addition to the viruses that NETSCAN already identifies. The syntax for using the external virus data file is /EXT d:filename, where d: is the drive name and filename is the name of the external virus data file. For instructions on how to create an external virus data file, refer to Appendix A. NOTE: The /EXT option provides users with the ability to add strings for detection of viruses on an interim or emergency basis. When used with the /D option, it will overwrite-and-delete infected files. This option is not for general use and should be used with caution. The /FAST option will speed NETSCAN up by displaying fewer messages on the screen, skipping checking inside of LZEXE- and PKLITE-compressed files, and examining a smaller portion of files during scanning. This may reduce the accuracy of NETSCAN. The /FR option tells NETSCAN to output all messages in French instead of English. The /FR option cannot be used with the /SP (Spanish) option. The /HISTORY option saves a list of infected files to disk. The list is saved to disk as an ASCII text file. If a list exists, then the results of the current scan will be added to the end. The syntax is /HISTORY filename, where "filename" is the path and name of the report file. The /M option tells NETSCAN to check system memory on the workstation for all known computer viruses that can inhabit memory. NETSCAN by default only checks memory for critical and "stealth" viruses, which are viruses which can cause catastrophic damage or spread the virus infection during the scanning process. By default, NETSCAN will check memory for the following viruses: 1024 1253 1554 1963 1971 2560 337 3445-Stealth 4096 512 Anthrax Antitelefonica Brain Caz CD Dark Avenger Dir-2 Doom II Empire Fish Flu-2 Form Greemlin Irish Joshi Leech Lozinsky Microbes Mirror Nomenklatura NOP No-Int (Stoned III) P1R (Phoenix) Phantom Plastique Pogue SBC Sentinel Stoned Sunday-2 SVC Taiwan3 Tequila Turbo (Polish-2) Twin-351 V2100 V2P6 Whale If one of these viruses is found in memory, NETSCAN will stop and tell the user to power down, and reboot the system from a virus- free system-bootable disk. NETSCAN Version 95B Page 9 NOTE: Using the /M option with another anti-viral software package may result in false alarms if the other package does not remove its virus search strings from memory. The /NLZ option tells NETSCAN not to look inside files compressed with LZEXE, a file compression program. NETSCAN will still check the LZEXE-compressed files for viruses that have infected after file compression. The /NOBREAK option prevents Ctrl-C or Ctrl-Brk from aborting the scanning process. The /NOMEM option is used to turn off all memory checking for viruses in order to speed up the scanning process. It should only be used when a system is known to be virus-free. The /NOMEM option can not be used with the /CHKHI or /M options. The /NOEXPIRE option disables the warning message that NETSCAN displays after seven months warning that it may no longer be current with respect to known computer viruses. The /NOPAUSE option disables the "More? (H = Help )" prompt that is displayed when NETSCAN fills up a screen with messages. This allows NETSCAN to check networks with multiple infections without requiring operator assistance. The /NPKL option tells NETSCAN not to look inside files compressed with PKLITE, a file compression program. NETSCAN will still check the PKLITE-compressed files for viruses that have infected after file compression. The /REPORT option saves a list of infected files to disk. The list is saved to disk as an ASCII text file. If a list exists, then it will be overwritten with the new list. The syntax is /REPORT filename, where "filename" is the path and name of the report file. The /RF option will remove recovery data and validation codes for files from the recovery data and validation code file. The syntax is /RF filename, where "filename" is the path and file where recovery data and validation codes are stored. NETSCAN Version 95B Page 10 The /SAVE option is used to store NETSCAN options for subsequent executions of NETSCAN. Options are stored by modifying the NETSCAN.EXE executable file. For example: NETSCAN F: /HISTORY C:VIRUS.LOG /NOMEM /UNATTEND /SAVE will set the default options to scanning the F: drive with the /HISTORY, /NOMEM, and /UNATTEND swtiches. If NETSCAN is run with just the /SAVE switch, then all options are removed and NETSCAN will run with its original settings. If you do not wish to modify the NETSCAN.EXE file, use the @filename option instead, which allows you to store the NETSCAN options in a separate text file. NOTE: VALIDATE 0.4 must be used to validate NETSCAN version 94 or above if /SAVE is used. /SAVE directly modifies NETSCAN.EXE and the validate codes will no longer match if an older version of VALIDATE is used. VALIDATE 0.4 will generate the correct validation results even if the /SAVE option has been used. Third party file-integrity check programs may not produce the same results after the /SAVE option is used. The /SAVE option should be added to NETSCAN by the Systems Administrator prior to final installation on PC's if other integrity checking programs are in use. The /SP option tells NETSCAN to output all messages in Spanish instead of English. This option can not be used with the /FR (French) option. The /SUB scans all subdirectories inside a subdirectory. Previously, NETSCAN would only recursively check subdirectories if a logical device (e.g., C:) was scanned. The /UNATTEND option tells NETSCAN use the DOS critical error handler when accessing files. If NETSCAN accesses an open or non-shareble file, it will continue scanning instead of displaying an error message. This option requires DOS 3.10 or above. NOTE: The /UNATTEND switch is required if you are running NETSCAN against a Novell NetWare file server. The @FILENAME option allows the user to store a list of NETSCAN Version 95B Page 11 options and/or system areas to be scanned in a configuration file. Options need to be separated by a space, while system areas (disks, subdirectories, or files) need to be on separate lines. A sample file might look like this: /HISTORY C:\VIRUS.LOG /NOMEM /UNATTEND F: X:\PROGRAMS\UTILS The first line contains the NETSCAN options while other lines contain the names of disks, subdirectories, or files to scan. The configuration file should be an ASCII text file. If a word processor is used to create the list, be sure to save as ASCII. NETSCAN Version 95B Page 12 EXAMPLES The following examples show different option settings: NETSCAN F: To scan drive F: NETSCAN F: G: H: To scan drives F:, G:, and H:: NETSCAN F: /CF C:\NETSCAN.CRC To scan files on drive F: and check for unknown viruses viruses with recovery/validation data file NETSCAN.CRC. NETSCAN Y: /D /A Scans all files on drive Y: and prompt for erasure of any infected files, if found. NETSCAN F: /UNATTEND To scan drive F: on a Novell NetWare network. NETSCAN F: G: H: /E .WPM Scans drives F:, G:, and H: including .WPM files NETSCAN Z: /EXT A:SAMPLE.ASC /BELL To scan drive Z: for known computer viruses and also for viruses added by the user via the external virus data file option, and beep whenever a virus is found. NETSCAN Version 95B Page 13 EXIT CODES After NETSCAN has finished running, it will set the DOS ERRORLEVEL. ERRORLEVEL's are used in batch files to pass the results of a program's actions. The ERRORLEVEL's returned by NETSCAN are: ERRORLEVEL │ DESCRIPTION ═══════════╪══════════════════════════════════════════════ 0 │ No viruses found 1 │ One or more viruses found 2 │ Abnormal termination (program error) 3 │ One or more uncertified files found 4 │ Ctrl-C or Ctrl-Break aborted scan If a user stops the scanning process, NETSCAN will set the ERRORLEVEL to 3. The /NOBREAK option can be used to prevent users from stopping NETSCAN. VIRUS REMOVAL What do you do if a virus is found? You can contact McAfee Associates for help by BBS, FAX, telephone, Internet, or CompuServe. There is no charge for support calls to McAfee Associates. The CLEAN-UP universal virus disinfection program can disinfect virtually all reported computer viruses. It is updated with each release of the NETSCAN program to remove new viruses. CLEAN-UP can be downloaded from McAfee Associates' BBS, the SIMTEL20 archives on the InterNet, the Computer Virus Help Forum on CompuServe, or from any of the agents listed in the enclosed AGENTS.TXT text file. It is strongly recommended that you get experienced help in dealing with viruses if you are unfamilar with anti-virus software and methods. This is especially true for 'critical' viruses and partition table/boot sector infecting viruses as improper removal of these viruses can result in the loss of all data and the use of the infected disk(s). [For a listing of critical viruses, see the /M switch listed under OPTIONS above.] For qualified assistance in removing a virus, please contact McAfee Associates directly or any of the Authorized McAfee Associates Agents in your area. Agents may charge McAfee Associates' normal support rates for their services. If you wish to remove a file-infecting virus manually, you can run NETSCAN with the /A and /D switches to erase all infected files. Before removing a boot sector or partition table-infecting virus, it is recommended that you cold boot the infected PC from a clean DOS disk and backup any critical data. NETSCAN Version 95B Page 14 LICENSE NETSCAN may be copied and distributed for testing and evaluation purposes on a trial period of five (5) days. If you wish to use NETSCAN after the trial period, a license is required. Licenses are available for internal use within businesses, organizations, government agencies, and external use by repair centers and other service organizations. License fees are based on the size of the network or number of copies required. Information on licensing can be obtained from McAfee Associates or any of its Authorized Agents listed in the accompanying AGENTS.TXT file. TECH SUPPORT For fast and accurate help, please have the following information ready when you contact McAfee Associates: - Program name and version number. - Type of network and workstations - Version of DOS plus any TSRs or device drivers in use on workstation. - Printouts of your CONFIG.SYS, AUTOEXEC.BAT and network login files. - A printout of what is in memory from the MEM command (DOS 4 and above users only) or a similar utility. - The exact problem you are having. Please be as specific as possible. Having a printout of the screen and/or being at your computer be will helpful. McAfee Associates can be contacted by BBS, CompuServe, FAX, or InterNet 24 hours a day, or by telephone at (408) 988-3832, Monday through Friday, 7:00AM to 5:30PM Pacific Time. McAfee Associates (408) 988-3832 office 3350 Scott Blvd. Bldg. 14 (408) 970-9727 fax Santa Clara, CA 95054-3107 (408) 988-4004 BBS (32 lines) U.S.A USR HST/v.32/v.42bis/MNP 1-5 CompuServe GO VIRUSFORUM Internet mcafee@netcom.com If you are overseas, there may be an Authorized McAfee Associates Agent in your area. Please refer to the AGENTS.TXT file for a listing of McAfee Associates Agents for support or sales. NETSCAN Version 95B Page 15 APPENDIX A: Creating a Virus String File with the /EXT Option NOTE: The /EXT option is intended for emergency and research use only. It is a temporary method for identifying new viruses prior to the subsequent release of NETSCAN. A thorough understanding of viruses and string-search techniques is advised for using this option. A string length of 10 to 15 bytes is recommended. The External Virus Data file should be created with an editor or a word processor and saved as an ASCII text file. Be sure each line ends with a Carriage Return/Line Feed pair. The virus string file uses the following format: #Comment about Virus_1 "aabbccddeeff..." Virus_1_Name #Comment about Virus_2 "gghhiijjkkll..." Virus_2_Name . . "uuvvwwxxyyzz..." Virus_n_Name Where aa, bb, cc, etc. are the hexadecimal bytes that you wish to scan for. Each line in the file represents one virus. The Virus Name for each virus is mandatory, and may be up to 25 characters in length. The double quotes (") are required at the beginning and end of each hexadecimal string. NETSCAN will use the string file to search memory on the workstation and all .COM and .EXE files, and overlay files with the extensions .APP, .BIN, .COM, .EXE, .OV?, .PGM, .PIF, .PRG, .SWP, .SYS, and .XTP. Virus strings may contain wild cards. The two wildcard options are: FIXED POSITION WILDCARD The question mark "?" may be used to represent a wildcard in a fixed position within the string. For example, the string: "E9 7C 00 10 ? 37 CB" would match "E9 7C 00 10 27 37 CB", "E9 7C 00 10 9C 37 CB", or any other similar string, regardless of the fifth byte. NETSCAN Version 95B Page 16 RANGE WILDCARD The asterisk "*", followed by range number in parentheses "(" and ")" is used to represent a variable number of adjoining random bytes. For example, the string: "E9 7C *(4) 37 CB" would match "E9 7C 00 37 CB", "E9 7C 00 11 37 CB", and "E9 7C 00 11 22 37 CB". The string "E9 7C 00 11 22 33 44 37 CB" would not match since the distance between 7C and 37 is greater than four bytes. You may specify a range of up to 99 bytes. Up to 10 different wildcards of either kind may be used in one virus string. COMMENTS A pound sign "#" at the begining of a line will denote a comment. Use this for adding notes to the external virus data file. For example: #New .COM virus found in file FRITZ.EXE from #Schneiderland on 01-22-91 "53 48 45 45 50" Fritz-1 [F-1] gives a description of the virus, name of the infected file, where and when it was found, etc.