home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Tech Arsenal 1
/
Tech Arsenal (Arsenal Computer).ISO
/
tek-06
/
netshld.zip
/
NETSHLD.DOC
< prev
next >
Wrap
Text File
|
1992-08-18
|
21KB
|
622 lines
NETSHIELD Version 1.0 (V95)
Copyright 1992 by McAfee Associates
All Rights Reserved
Documentation by Aryeh Goretsky
NOTE: Novell NetWare/386 is a registered trademark of
Novell, Inc.
McAfee Associates TEL (408) 988-3832
3350 Scott Blvd, Bldg 14 FAX (408) 970-9727
Santa Clara, California BBS (408) 988-4004
95054-3107 CompuServe GO VIRUSFORUM
USA InterNet mcafee@netcom.COM
TABLE OF CONTENTS
INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . 2
AUTHENTICITY . . . . . . . . . . . . . . . . . . . . . . . . . 2
INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . 3
OPERATION AND AVAILABLE OPTIONS. . . . . . . . . . . . . . . . 4
CONFIGURATION OPTIONS. . . . . . . . . . . . . . . . . . . . . 5
REPORT OPTIONS . . . . . . . . . . . . . . . . . . . . . . . . 8
VIRUS REMOVAL. . . . . . . . . . . . . . . . . . . . . . . . . 9
TECHNICAL SUPPORT. . . . . . . . . . . . . . . . . . . . . . . 10
LICENSE. . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Page 1
NETSHIELD Version 1.0 (V95) Page 2
INTRODUCTION
NETSHIELD is a NLM (NetWare Loadable Module) for Novell
NetWare/386 Version 3.11. It checks network file servers for
all known computer viruses, including stealth and polymorphic
(mutation engine) viruses, using McAfee Associates' VIRUSCAN
virus scanning technology.
Key features of NETSHIELD include checking files for
viruses as they are accessed on the server, performing a
scheduled scan, and notifying users if a virus is found.
NETSHIELD does not changed the Last Accessed Date when
scanning files.
NETSHIELD runs on any Novell NetWare/386 3.11 file server
with a minimum of 450Kb of free memory and should utilize less
than 6% of the CPU.
AUTHENTICITY
NETSHIELD is packaged with the VALIDATE program to
ensure the integrity of the NETSHLD.NLM and VIR.DAT files.
The VALIDATE.DOC file tells how to use VALIDATE. VALIDATE
can be used to check subsequent versions of NETSHIELD for
tampering.
The validation results for Version 1.0 (V95) should be:
File Name: NETSHLD.NLM VIR.DAT
Size: 224,658 23,820
Date: 08-18-1992 08-18-1992
Check Method 1: F8BD E0FB
Check Method 2: 1A11 1FC8
If your copy of NETSHIELD differs, it may have been damaged.
Always obtain your copy of NETSHIELD from a known source. The
latest version of NETSHIELD and validation data for NETSHLD.NLM
and VIR.DAT can be obtained from McAfee Associates' bulletin
board system at (408) 988-4004 or from the Computer Virus Help
Forum on CompuServe (GO VIRUSFORUM).
Beginning with Version 72, all of McAfee Associates'
programs have been archived with PKWare's PKZIP Authentic File
Verification. If you do not see an "-AV" after every file is
unzipped and receive the "Authentic Files Verified! # NWN405
Zip Source: McAFEE ASSOCIATES" message then do not use them.
If your version of PKUNZIP does not have verification
ability, then this message may not be displayed. Please
contact us if you believe the .ZIP file has been tampered
with.
NETSHIELD Version 1.0 (V95) Page 3
INSTALLATION
Copy the NETSHLD.NLM and VIR.DAT files together into the
SYS:SYSTEM directory or any other directory. Add the following
line to your AUTOEXEC.NCF file:
LOAD NETSHLD
This will run NETSHIELD with the default settings when the
server is booted. Options for installation are:
LOAD NETSHLD
runs NETSHIELD with the default settings and no
configuration file
LOAD NETSHLD LOAD
runs NETSHIELD with the default configuration
file (VIR$CFG.DAT)
LOAD NETSHLD LOAD=filename
run NETSHIELD with configuration file "filename"
NETSHIELD will always create, load, and store report and
configuration files in the directory the NETSHLD.NLM file
is stored in unless otherwise specified.
When NETSHIELD is started the message "Please wait,
loading patterns." appears. NETSHIELD is now loading its
virus signature definition search string database. Once the
patterns have been loaded, the Available Options Menu appears.
NETSHIELD Version 1.0 (V95) Page 4
OPERATION AND AVAILABLE OPTIONS
Once NETSHIELD has loaded its patterns, the Available
Options Menu will appear. Select from the following
options:
_________________ AVAILABLE OPTIONS MENU ______________________
Do a scan immediately
Terminate a current scan
Configuration options
Report options
Exit
_______________________________________________________________
OPTION: Do a scan immediately
MEANS: Start a scan of server volume(s) for viruses.
EXPLANATION: This starts a scan of all volume(s) listed
under "Volumes to Scan" (selected from the Configuration
Options Menu).
OPTION: Terminate a current scan
MEANS: End the current scan process.
EXPLANATION: Halts an Immediate (started at the server
console by the supervisor) or Period (scheduled for a
specific time) scan.
OPTION: Configuration options
MEANS: Configure NETSHIELD's parameters.
EXPLANATION: Brings up the Configuration Menu. From this
menu the various NETSHIELD parameters can be set. For
more information, please refer to the CONFIGURATION OPTIONS
section.
OPTION: Report Options
MEANS: Set reporting options, view log file.
EXPLANATION: Brings up the Report Options Menu. From this
menu the various NETSHIELD reporting options can be set. For
more information, please refer to the REPORT OPTIONS section
OPTION: Exit
MEANS: Unload NETSHIELD
EXPLANATION: Shut down and exit to System Console.
Console. If an "unload password" has been selected, it
must be entered before NETSHIELD unloads itself. NETSHIELD
can not be unloaded from the System Console command line.
If a regular (Immediate or Periodic) scan is being
performed, it will be halted when NETSHIELD unloads.
NETSHIELD Version 1.0 (V95) Page 5
CONFIGURATION OPTIONS
The Configuration Menu is the menu from which various
parameters for NETSHIELD are set. From the Configuration
Menu, the following options may be selected:
__________________ CONFIGURATION MENU _________________________
On-access scanning options
Period-scanning options
Action to take on discovering a virus
Volumes to scan
Contact options
Configuration file options
Display messages on console screen
Change scanned extensions
Enter unload password
Exit
_______________________________________________________________
OPTION: On-access scanning options
MEANS: Select accesses to trap for scanning.
EXPLANATION: Brings up the Trap Access Menu. From this menu
scanning can be selected for incoming files, outgoing files,
both, or none. Selecting "Return to Previous menu" returns
to the previous menu with no changes made to the options.
OPTION: Period-scanning options
MEANS: Schedule a scan for a specific time.
EXPLANATION: Brings up the Activate/Deactivate Menu. From
"Activate" scans can be scheduled on a Daily, Weekly, or
Monthly basis.
When selecting a "Daily" scan, NETSHIELD will prompt
the user to enter the time to start scanning. Enter the
time in "24 hour" format, e.g., 1:00PM becomes 1300 hours.
Selecting "Deactivate" disables period-scanning. If a
period-scan is running when "Deactivate" is selected, the
scan will continue until finished. Select "Terminate a
current scan" from the Available Options Menu to halt an
ongoing period-scan.
Select "Return to Previous menu" to return to the
previous menu with no changes made to the options.
NOTE: When scheduling a periodic scan it is recommend to
select a time at which server utilization is low.
NETSHIELD Version 1.0 (V95) Page 6
OPTION: Action to take on discovering a virus
MEANS: What to do if a virus is found.
EXPLANATION: Brings up the Action When Virus Found Menu.
From here, NETSHIELD can be configured delete, overwrite
and delete, move infected files, select a directory to move
infected files to, or leave infected files alone.
Selecting "Delete infected file" deletes virus-infected
filies. Deleted files can be recovered by the SALVAGE
command.
Selecting "Overwrite and delete" wipes virus-infected
files. Files deleted in this manner can NOT be recovered.
Selecting "Move infected file" moves infected files
to the directory specified by "Set move-to directory."
Selecting "Leave infected files alone" performs no
action on infected files.
Selecting "Set move-to directory" chooses the destination
directory to which infected files are moved. If no directory
is specified then a subdirectory named \INFECTED is created in
the current directory and infected files are moved into it.
Selecting "Exit" displays the current Action and then
returns to the previous menu.
OPTION: Volumes to scan
MEANS: Select which volume(s) to scan.
EXPLANATION: Specify which volumes to scan. If no volumes are
selected then no virus scanning will occur during Immediate and
Period scanning. On-Access scanning will continue as normal
on all mounted volumes. By default, all mounted volumes are
scanned.
Press the INS key to add a volume name, the DEL key to
remove a volume name, and the ESC key to exit.
OPTION: Contact options
MEANS: Select user(s) to alert if virus is found.
EXPLANATION: Brings up the Whom To Contact Menu. From here,
a list of users to contact in case of a virus is maintained.
The user accessing an infected file can be alerted as can a
list of users. By default, only the user accessing an
infected file is alerted.
Press the INS key to insert a user name, the DEL key to
remove a name, and the ESC key to exit.
OPTION: Configuration file options
MEANS: Load and save NETSHIELD configurations.
EXPLANATION: Selecting "Configuration file options" brings
up the Save and Load Configurations Menu. From it,
different configurations can be loaded and saved. The current
configuration file is always specified.
If no configuration file was specified when NETSHIELD was
loaded, the default file, VIR$CFG.DAT, is displayed. Press any
key to clear and enter a new filename.
NETSHIELD Version 1.0 (V95) Page 7
OPTION: Display messages on console screen
MEANS: Toggles display of messages on console screen.
EXPLANATION: Turns on and off the display of important message
by NETSHIELD to the System Console screen. When selected, it
informs the user of the current status of NETSHIELD. By
default, NETSHIELD will display messages on the System
Console.
OPTION: Change scanned extensions
MEANS: Change filename extensions to scan for viruses
EXPLANATION: Brings up the Change Extensions Scanned Menu.
From here, the files that NETSHIELD checks for. By default,
NETSHIELD only checks files with extensions of .COM, .EXE, .OV?,
and .SYS.
Selecting "Extension to scan on access" allows changes to the
list of filename extensions checked during on-access scanning.
Selecting "Extension to scan on regular scan" allows changes
to the filename extensions checked during periodic, or console
scanning.
Selecting "Extensions that will NOT be scanned" allows changes
to the list of filename extensions that you which to exclude from
both types of scanning. This list is empty by default.
To add filename extensions to scan for viruses, press the
INS key, to remove extensions press the DEL key, and the ESC
key to exit.
To scan ALL files, set the extension to "*".
NOTE: Scanning all files may impact server performance. For
this reason, scanning all files is generally not
recommended.
OPTION: Enter unload password
MEANS: Require/select a password to unload NETSHIELD
EXPLANATION: Allows the setting of a password that is required
to unload NETSHIELD from the file server. If a password
exists, then it must be re-entered before the password can be
changed or removed.
OPTION: Exit
MEANS: Return to previous menu.
EXPLANATION: Exit leaves the Configuration Menu and returns to
the Available Options Menu.
NETSHIELD Version 1.0 (V95) Page 8
REPORT OPTIONS
The Report Options Menu is the menu from which the
the creation and viewing of NETSHIELD log files are set.
From the Report Options Menu, the following options may be
selected:
__________________ REPORT OPTIONS MENU _______________________
Set path for log file
Disable logging
Enable logging
View log file
_______________________________________________________________
OPTION: Set path for log file
MEANS: Select destination directory for report
EXPLANATION: Specifies the location to store reports created
by NETSHIELD. The current log file is always displayed. If
the log file has not been configured, the default filename
will be VIR$LOG.DAT. Press any key to clear the filename and
enter a new one.
OPTION: Disable logging
MEANS: Do not create a log file
EXPLANATION: Stop creating a report of virus incidents.
OPTION: Enable logging
MEANS: Create a log file
EXPLANATION: Start creating a report of virus incidents
OPTION: View log file
MEANS: Display log file
EXPLANATION: View any log files of virus incidents.
Use the HOME key to view the first entry in the log file,
the END key to view the last entry, the PGUP and PGDN keys to
view the log file one screen at a time, and the ESC key to
exit.
NETSHIELD Version 1.0 (V95) Page 9
VIRUS REMOVAL
It is strongly recommended that you get experienced help in
dealing with viruses if you are unfamilar with anti-virus
software and methods. This is especially true for 'critical'
viruses that infect files whenever they are accessed and partition
table/boot sector infecting viruses as improper removal can result
in the loss of all data and use of the infected disk(s).
If you require assistance with a computer virus incident,
you can contact McAfee Associates for help by BBS, FAX,
telephone, Internet, or CompuServe. There is no charge for
technical support directly from McAfee Associates.
Technical support through any of McAfee Associates'
Authorized Agents may be billed at normal support rates.
All of McAfee Associates' programs can be downloaded from
our BBS, the SIMTEL20 archives on the InterNet, the Computer
Virus Help Forum on CompuServe, or from any of the agents listed
in the enclosed AGENTS.TXT text file.
NETSHIELD Version 1.0 (V95) Page 10
TECHNICAL SUPPORT
For fast and accurate help, please have the following
information ready when you contact McAfee Associates:
- Version number of NETSHIELD x.xx (Vyy)
- Brand and model of server, hard disk, installed
cards, and any other peripherals.
- Version of NetWare.
- Printouts of the AUTOEXEC.NCF and STARTUP.NCF files.
- The exact problem you are having. Please be as
specific as possible. Having a printout of the
screen and/or being at the system console will be
helpful.
In the case of a network crash, please include the following:
- Type of error from the ABEND Message
- Thread which caused the error
Technical support can be contacted by BBS, CompuServe, FAX, or
InterNet 24 hours a day, or by telephone at (408) 988-3832,
Monday through Friday, 7:00AM to 5:30PM Pacific Time.
McAfee Associates (408) 988-3832 office
3350 Scott Blvd. Bldg. 14 (408) 970-9727 fax
Santa Clara, CA 95054-3107 (408) 988-4004 BBS (32 lines)
U.S.A USR HST/v.32/v.42bis/MNP 1-5
CompuServe GO VIRUSFORUM
ATTN: Technical Support Internet mcafee@netcom.COM
If you are overseas, there may be an Authorized McAfee Associates
Agent in your area. Please refer to the AGENTS.TXT file for a
listing of McAfee Associates Agents.
NETSHIELD Version 1.0 (V95) Page 11
LICENSE
NETSHIELD may be copied and distributed for testing and
evaluation purposes on a trial period of five (5) days. If you
wish to use NETSHIELD after the trial period, a license is
required. Licenses are available for internal use within
businesses, organizations, government agencies, and external
use by repair centers and other service organizations. License
fees are based on the size of the network or number of copies
required. Information on licensing can be obtained from McAfee
Associates or any of its Authorized Agents listed in the
accompanying AGENTS.TXT file.