Chip: Special Survival Kit

home *** CD-ROM | disk | FTP | other *** search

/ Chip: Special Survival Kit / Chip_Special_Survival_Kit_fuer_PC_Anwender.iso / 02schutz / mcafee / vshld202 / vshield.txt < prev next >

Wrap

Text File | 1994-09-01 | 147KB | 3,888 lines

VirusScan Version 2.0.2 Copyright 1994 by McAfee, Inc. All Rights Reserved. Brought to you by: Igor Grebert Project Leader Jivko Koltchev Lead Programmer David Mai TSR Programmer Vadim Ivanov Algorithms/Emulation Programmer Tatyana Shishkina Virus Librarian, Programmer Bruce de Graaf GUI Programmer Dmitri Orlov DOS UI Programmer Geoff Brandenburg GUI Artist Spencer Clark SQA Manager David Pierce Lead SQA Engineer Sean Birch SQA Engineer John Zussman Documentation Project Leader Eric Ivory Technical Writer Aryeh Goretsky Manager Technical Support With special thanks to Bob Chappelear, Rudite Emir, and Bill Larson McAfee, Inc. (408) 988-3832 office 2710 Walsh Avenue (408) 970-9727 fax Santa Clara, CA 95051-0963 (408) 988-4004 BBS (25 lines) U.S.A. USR HST/v.32/v.42bis/MNP1-5 CompuServe GO MCAFEE InterNet support@mcafee.COM America Online MCAFEE Using VirusScan (Version 2.0) 1 CHAPTER 1: WELCOME TO VIRUSSCAN Thank you for evaluating McAfee, Inc.'s, VirusScan(TM) software Version 2.0, a powerful and advanced system designed to detect, eradicate, and prevent computer viruses. VirusScan will help you protect one of your most important assets--the information on your computer or local area network. VirusScan includes two main programs: o The Scan program detects known viruses in your computer's memory or on disks. See the README.1ST file for the number of viruses that Scan detects. It can also detect new and unknown viruses. Once viruses are detected, it can remove them and restore your system to normal operation. o The VShield(TM) program continuously monitors and protects your system from viruses that might be introduced. The VirusScan programs run on IBM-PC or 100% compatible personal computers (PCs) that use DOS 3.0 and above, Windows 3.1, or OS/2 2.0 and above. VirusScan is an important element of a comprehensive security program that includes a variety of safety measures, such as regular backups, meaningful password protection, training, and awareness. We urge you to set up and comply with such a security program in your organization. For tips on how to do this, see "Other Sources of Information" in this chapter. HOW TO USE THIS MANUAL This manual will help you get VirusScan running quickly and properly on DOS, Windows, and OS/2 systems. o All the key information is in Chapter 2, "Don't Skip this Chapter." Please don't install VirusScan before reading it, even if you are already familiar with Scan. Installing and using VirusScan is not like using other software. The rest of Chapter 1, "Welcome to VirusScan," describes the programs and files on your VirusScan disk, system requirements, how to register, and how to get help. Chapter 3, "VirusScan Reference," in the Scan documentation, and Chapter 3, "VShield Reference," in this document contain reference information for Scan and VShield, respectively. Using VirusScan (Version 2.0) 2 Many users will not need to read these chapters, because basic operation of VirusScan, as described in Chapter 2, will detect and remove most viruses from your system. The options described in Chapter 3 in the Scan documentation and Chapter 3 in this document offer additional power and control, and are most useful in vulnerable environments and to network administrators and information services staff. Chapter 4, "Tips & Troubleshooting," explains how to get the most out of VirusScan, and how to cope with some common problems. Appendix A, "Retrieving VirusScan Updates via the McAfee BBS," provides instructions for using the McAfee Bulletin Board (BBS). Appendix B, "Options Comparison Between VirusScan Versions 1.5 and 2.0," shows the differences between command line options in VShield 1.5 and 2.0, then between VShield1 1.5 and VShieldCRC 2.0. Using VirusScan (Version 2.0) 3 NOTATION In this manual, we use several conventions to distinguish particular kinds of text. CONVENTION │ EXAMPLE │ REPRESENTS ═══════════════╪══════════════╪══════════════════════════ Upper-case │ C:\> │ What your │ │ computer displays │ │ on your screen. ───────────────┼──────────────┼────────────────────────── Lower-case │ scan c: │ What you │ │ type, verbatim. ───────────────┼──────────────┼────────────────────────── Curly braces │ {filename} │ Required │ │ element; do not │ │ type braces { }. ───────────────┼──────────────┼────────────────────────── Square braces │ [filename] │ Optional │ │ element; do not │ │ type braces [ ]. ───────────────┼──────────────┼────────────────────────── Upper-case in │ <ENTER> │ Key to press brackets │ │ on the │ │ keyboard. WHAT VIRUSSCAN INCLUDES In addition to Scan or VShield, the Validate program ensures that new versions of VirusScan software you've obtained are authentic. Finally, the VirusScan archive contains several useful text files, which you can view and print with a text editor, word processor, or DOS PRINT command. You'll find version- specific information in the README.1ST text file. Using VirusScan (Version 2.0) 4 VIRUSSCAN FILES AFTER UNPACKING After unpacking VirusScan you should have appropriate program files on your system for the version you have obtained (DOS, Windows, or OS/2). Several useful text files are also included. VirusScan for DOS. AGENTS.TXT - list of McAfee authorized agents. CLEAN.DAT - virus removal data file required by SCAN.EXE COMPUSER.NOT - explains how to obtain CompuServe membership FILE_ID.DIZ - description of VirusScan used by some BBS software FILENAME.TXT - explains new McAfee BBS file name conventions LICENSE.TXT - explains how to license VirusScan NAMES.DAT - virus name data file required by SCAN.EXE PACKING.LST - contains a list of all files, including validation information README.1ST - late-breaking information and new instructions not contained in this manual REGISTER.TXT - explains how to register VirusScan for your use SCAN.DAT - virus string data file required by SCAN.EXE SCAN.EXE - the VirusScan program SCAN.TXT - on-line manual for Scan VALIDATE.EXE - used to check VirusScan programs for authenticity VALIDATE.TXT - explains how to run VALIDATE.EXE VShield AGENTS.TXT - list of McAfee authorized agents. CHKVSHLD.EXE - checks for presence of VShield and VShieldCRC in memory COMPUSER.NOT - explains how to obtain CompuServe membership FILE_ID.DIZ - description of VShield used by some BBS software FILENAME.TXT - explains new McAfee BBS file name conventions LICENSE.TXT - explains how to license VShield PACKING.LST - contains a list of all files, including validation information REGISTER.TXT - explains how to register VirusScan for your use VALIDATE.EXE - used to check VirusScan programs for authenticity VALIDATE.TXT - explains how to run VALIDATE.EXE VSHIELD.DAT - virus string data file required by VSHIELD.EXE VSHIELD.EXE - the VShield program VSHIELD.TXT - on-line manual for VShield VSHLDCRC.EXE - the VShieldCRC program VSHLDWIN.EXE - used by VShield and VShieldCRC to display messages within Windows Using VirusScan (Version 2.0) 5 VirusScan for OS/2 AGENTS.TXT - list of McAfee authorized agents. CLEAN.DAT - virus removal data file required by OS2SCAN.EXE COMPUSER.NOT - explains how to obtain CompuServe membership FILE_ID.ZIP - description of VirusScan used by some BBS software FILENAME.TXT - explains new McAfee BBS file name conventions LICENSE.TXT - explains how to license VirusScan NAMES.DAT - virus name data file required by OS2SCAN.EXE PACKING.LST - contains a list of all files, including validation information README.1ST - late-breaking information and new instructions not contained in this manual REGISTER.DOC - explains how to register VirusScan for your use OS2SCAN.EXE - the VirusScan program SCAN.DAT - virus string data file required by OS2SCAN.EXE SCAN.TXT - on-line manual for Scan VALIDATE.EXE - used to check VirusScan programs for authenticity VALIDATE.TXT - explains how to run VALIDATE.EXE Using VirusScan (Version 2.0) 6 SYSTEM AND MEMORY REQUIREMENTS The VirusScan programs require an IBM-compatible personal computer and any of the following operating systems: o DOS 3.0 or later and at least 340Kb of free RAM for the command line programs. o Windows 3.1 or later and at least 4Mb of RAM. o IBM OS/2 2.00(GA) or later and at least 8Mb of RAM. VirusScan for DOS requires 340Kb of available free memory in order to scan a system for viruses. VShield is a terminate-and-stay-resident (TSR) program that requires 67Kb of free memory. VShield will minimize the use of conventional memory by loading into expanded, extended, or upper memory, when available. For more information, see "System Requirements and Performance" in Chapter 3 in the Scan documentation. LICENSING VIRUSSCAN The VirusScan software is provided under license from McAfee, Inc., a copy of which is included in the file LICENSE.TXT. Please read it and comply with it. If you want to use VirusScan after the evaluation period, please register your copy of the software by filling out and returning the enclosed registration form, REGISTER.TXT. Registration entitles you to upgrades at no charge from McAfee's bulletin board system and other sources, as well as technical support, for one year from your date of purchase. Using VirusScan (Version 2.0) 7 TECHNICAL SUPPORT For help in using this product, we invite you to contact McAfee technical support. You can contact us: o On-line 24 hours a day, through our bulletin board system, CompuServe, fax, or Internet (see "Online Access to Updates and Technical Support" below); or o By telephone at (408) 988-3832, Monday through Friday, 7:00 am to 5:30 pm Pacific Time. For fast and accurate help, please have the following information ready when you contact McAfee: o Program name and version number. o Type and brand of computer, hard disk, and any peripherals. o Version of DOS, along with any TSR's or device drivers in use. o Printouts of your AUTOEXEC.BAT and CONFIG.SYS files. o A printout of the contents of memory, from the MEM command (provided in DOS 4.0 and later) or a similar utility. o A description of the exact problem you are having. Please be as specific as possible. If you can't be at your computer when you call, a printout of the screen will be helpful. If you are overseas, you can contact a McAfee authorized agent for support. Agents are located in more than 50 countries around the world and provide local sales and support for our software. Please refer to the AGENTS.TXT file for a complete list of McAfee agents. ONLINE ACCESS TO UPDATES AND TECHNICAL SUPPORT McAfee updates VirusScan monthly to add new virus detectors, new options, and fix reported bugs. To distribute these new versions, we run a multi-line bulletin board system, a forum on CompuServe, and an Internet node. Using VirusScan (Version 2.0) 8 Bulletin board system (BBS) access Our multiline BBS is accessible 24 hours a day, 365 days a year, except for scheduled downtime and maintenance. All lines run high-performance modems operating from 1,200 bps to 14,400 bps with line settings of 8 data bits, no parity, and 1 stop bit. The McAfee BBS phone number is (408) 988-4004. CompuServe Access We sponsor the McAfee Virus Help Forum on CompuServe. To reach it, type GO MCAFEE at any CompuServe prompt. A free introductory membership is available. For more information, please read the enclosed COMPUSER.TXT file. Internet Access The latest versions of McAfee's anti-virus software are available by anonymous ftp (file transfer protocol) over the Internet from the site mcafee.com. If your domain resolver does not support names, use the IP# 192.187.128.1. Enter "anonymous" or "ftp" as your user ID (do not type the quotation marks) and your own e-mail address as the password. Programs are located in the pub/antivirus directory. If you have questions, please send e-mail to support@mcafee.com. You can also find McAfee's anti-virus software at the SimTel Software Repository at Oak.Oakland.EDU in the pub/msdos/virus directory and its associated mirror sites: o WUARCHIVE.WUSTL.EDU (US). o FTP.SWITCH.CH (Switzerland). o FTP.FUNET.FI (Finland). o SRC.DOC.IC.AC (UK). o ARCHIE.AU (Australia). Using VirusScan (Version 2.0) 9 OTHER SOURCES OF INFORMATION The McAfee BBS and CompuServe Virus Help Forum are excellent sources of information on virus protection. Batch files and utilities to help you use VirusScan software are often available, along with helpful advice. Independent publishers, colleges, training centers, and vendors also offer information and training about virus protection and computer security. We especially recommend the following books: o Ferbrache, David. A Pathology of Computer Viruses. London: Springer-Verlag, 1992. (ISBN 0-387-19610-2) o Hoffman, Lance J. Rogue Programs: Viruses, Worms, and Trojan Horses. Van Nostrand Reinhold, 1990. (ISBN 0-442-00454-0) o Jacobson, Robert V. The PC Virus Control Handbook, 2nd Ed. San Francisco: Miller Freeman Publications, 1990. (ISBN 0-87930-194-0) o Jacobson, Robert V. Using McAfee, Inc. Software for Safe Computing. New York: International Security Technology, 1992. (ISBN 0-9627374-1-0) In addition, the following sources can provide useful information about viruses: o National Computer Security Association (NCSA) 10 South Courthouse Avenue Carlisle, PA 17013 o CompuServe McAfee Computer Virus Help Forum (GO VIRUSFORUM) o Internet comp.virus newsgroup Using VirusScan (Version 2.0) 10 CHAPTER 2: DON'T SKIP THIS CHAPTER (or, What you really need to know about VirusScan) We're serious about this. Installing and running the VirusScan(TM) programs is not like using other software. Even if you are a long-time user of McAfee's software, please take the time to read through and follow the tasks in this chapter. The reason is to avoid spreading a computer virus infection. Viruses spread when you start your computer (sometimes called booting) from an infected disk, or when you run an infected program. If your computer is infected, installing and running VirusScan on your hard disk may spread the infection, even to the VirusScan programs themselves. The tasks in this chapter will ensure that you have a clean environment to detect, eradicate, and prevent viruses. This is like a surgical team establishing a "sterile field" before performing surgery. Once it is established, they make sure that everything brought into the field has already been sterilized. In this procedure, you will create a clean anti- viral start-up diskette with which you can always re- establish the sterile field. Your VirusScan archive (.ZIP) file is created with authenticity checks and a serial number embedded in it to ensure that it has not been tampered with or modified. Additionally, VirusScan comes with Validate, a Cyclic Redundancy Check (CRC) program that computes a check-sum for VirusScan's files. Once you have unpacked the VirusScan archive, you should copy all the files to a diskette in drive A: and write-protect it to ensure that no virus can alter the programs and information stored there. Under no circumstances should you remove the write protection. Label this diskette as your 'VirusScan Program Diskette.' Here's a summary of the tasks you'll follow in this chapter: o Installing VirusScan o Scanning your system. o If you detect a virus. o Activating VShield(TM). o Making a clean start-up (boot) diskette. o Running the VirusScan programs. o When to scan for viruses. o Updating VirusScan regularly. NOTE: Because OS/2 programs run in a protected mode, OS/2 systems are not vulnerable to viruses as DOS and Windows Using VirusScan (Version 2.0) 11 systems are. Many OS/2 users run DOS and Win-OS/2 sessions, however, and they are still vulnerable. By using the VirusScan programs as described in this manual, you can protect the DOS and Win-OS/2 portions of your OS/2 system from infection. Using VirusScan (Version 2.0) 12 INSTALLING VIRUSSCAN This task explains how to check your system and install the VirusScan software under DOS, Windows, or OS/2. Don't use any other method to install VirusScan, or you risk spreading a virus. INSTALLATION STEPS Start from the system prompt (C:\> or [C:\]). If you are running Windows or an application program, exit from it to display the prompt. If you are running OS/2, close all DOS and Win-OS/2 sessions open the Command Prompts folder in the OS/2 System folder, and click on either the OS/2 Full Screen or OS/2 Window icons. After typing each entry on the command line, press <ENTER>. 1. Create a directory to contain the VirusScan files, as in the following example: C:\> mkdir c:\mcafee and press <ENTER>. If you have an earlier version of VirusScan already installed, create a separate directory (such as c:\newvscan) for the new version. (You should test the new version before removing the earlier version.) 2. Copy the VirusScan archived (.ZIP) file to this directory, as in the following example: C:\> copy c:\download\*.zip c:\mcafee and press <ENTER>. 3. Change to the VirusScan directory you just created, as in the following example: C:\> cd c:\mcafee and press <ENTER>. 4. Unzip the file using PKUNZIP.EXE, as in the following example: C:\mcafee> PKUNZIP *.ZIP and press <ENTER>. Using VirusScan (Version 2.0) 13 5. Run VirusScan to check your local hard disk(s) by typing: c:\mcafee> scan /adl and pressing <ENTER>. It may take several minutes for the Scan program to check for viruses in memory, then on the system and user portions of your drives. Scan keeps you informed of its progress. Read the information carefully, and write down the name of any viruses Scan reports. 6. If Scan does not report any viruses, congratulations --most likely your system is currently virus-free. Continue with "Making a Clean Start-Up Diskette" in this chapter. If Scan finds one or more viruses you'll see a message like: Found the Jerusalem Virus Stop the installation. Don't panic, even if the virus has infected many files. At the same time, don't run any other programs, especially if the virus is found in memory. Go directly to "If You Detect a Virus" later in this chapter for further instructions. 7. Create a directory on your hard disk to store the VirusScan files in by typing: C:\> mkdir mcafee and pressing <ENTER>. 8. Copy the VirusScan files from the 'VirusScan Program Diskette' in drive A: to your hard disk by typing: C:\> copy a:\*.* c:\mcafee and pressing <ENTER>. VirusScan has now been installed onto your hard disk. Now your system's startup files must be modified to find VirusScan on your system. 9. DOS and Windows users: Using a text editor program, load your AUTOEXEC.BAT file. Locate the path statement, which typically begins with a 'PATH' or 'SET PATH =' statement. Place your cursor at the end of this line and type: ;C:\MCAFEE Using VirusScan (Version 2.0) 14 and press <ENTER>. Now save your AUTOEXEC.BAT file and exit the editor. NOTE: If a semi-colon ";" is already present at the end of the line, do not add one to the path statement. OS/2 users: Make the same change listed above to the 'SET PATH=' statements in your CONFIG.SYS file. Now save your CONFIG.SYS file and exit the editor. Congratulations! You've successfully installed VirusScan. Restart your computer now and continue with this chapter to see how you can use VirusScan to keep your computer virus- free. We recommend looking over the following sections in this chapter: "Scanning Your System" "If You Detect A Virus" "Activating VShield" "Making A Clean Start-Up Diskette" so you'll know what took place during installation. Then continue with the remaining tasks in this chapter, beginning with "Running the VirusScan Programs" to find out how and when to run and update the VirusScan programs. Using VirusScan (Version 2.0) 15 SCANNING YOUR SYSTEM VirusScan's Scan program examines your PC and disks to detect viruses there. The first time you run Scan, do so from the original, write-protected diskette so that the programs themselves cannot be infected. Start from the system prompt (C:\> or [C:\]). If you are running Windows or an application program, exit from it to display the prompt. If you are running OS/2, close all DOS and Win-OS/2 sessions. Next, open the Command Prompts folder in the OS/2 system folder, then click the OS/2 Full Screen or OS/2 Window icon. After typing each entry on the command line, press <ENTER>. If you include the /REPORT option, Scan saves a report of infected files and any system errors to a log file that you specify. o Insert the 'VirusScan Program Diskette' in drive A: o Scan your C: drive for known viruses by typing: C:\> a:scan c: /report c:\virus.log OS/2 Users: Be sure to replace "a:scan" with "a:os2scan" in the above example. Or, if you have more than one hard drive, scan them in the same fashion. For example, if you have C and D drives: C:\> a:scan c: d: /report c:\virus.log You can also scan all local drives using the /ADL option. For example: C:\> a:scan /adl /report c:\virus.log Using VirusScan (Version 2.0) 16 It may take several minutes for the Scan program to check for viruses in memory, then on the system and user portions of your drives. Scan keeps you informed of its progress. Read the information on the screen carefully. Below is a sample of what Scan reports when checking a drive for viruses: ┌─────────────────────────────────────────────────────┐ │ Database file V1.00 created Fri Apr 1 12:01:00 1994 │ │ Finished scanning memory for viruses. │ │ Scanning C: │ │ │ │ Summary report on C: │ │ │ │ File(s) │ │ Analyzed: .............. 1500 │ │ Scanned: ............... 750 │ │ Possibly Infected: ..... 0 │ │ Master Boot Record(s):.. 1 │ │ Possibly Infected:...... 0 │ │ Boot Sector(s):......... 1 │ │ Possibly Infected:...... 0 │ │ │ │ Time: 60.00 sec. │ └─────────────────────────────────────────────────────┘ o If Scan reports 0 viruses found, congratulations--most likely your system is currently virus-free. Skip to "Activating VShield" later in this chapter to continue. If Scan finds one or more viruses, you'll see a message like: ┌─────────────────────────────────────────────────────┐ │ Scanning C: │ │ Scanning file C:\DOS\ATTRIB.EXE │ │ Found the Jerusalem virus │ └─────────────────────────────────────────────────────┘ Don't panic, even if the virus has infected many files. At the same time, don't run any other programs, especially if the virus is found in memory. Turn to "If You Detect a Virus" later in this chapter, where VirusScan will help you eradicate it. o Scan has many options to control and fine-tune the scope, validation, and operation of its scan. For details, see Chapter 3 in the VirusScan documentation, and "Detecting new and unknown viruses" in Chapter 4. Using VirusScan (Version 2.0) 17 IF YOU DETECT A VIRUS In this task, you will run Scan with the /CLEAN option to eradicate most known viruses from your disks. o If you are at all unsure about how to proceed once you've found a virus, contact McAfee for assistance (see "Technical Support" in Chapter 1). We strongly recommend that you get experienced help in dealing with viruses if you are unfamiliar with anti-virus software and methods. This is especially true for "critical" viruses and master boot record (MBR or so-called "partition table")/boot sector infections, because improper removal of these viruses can result in the loss of all data and use of the infected disks. RESTART FROM A CLEAN ENVIRONMENT You must run Scan from a clean, virus-free environment. With DOS or Windows, restart from a clean diskette. With OS/2, simply close all DOS and Win-OS/2 sessions. DOS or Windows With DOS or Windows, the only way to ensure a clean environment is to turn your computer off to eliminate any viruses in memory, then restart from a virus-free floppy diskette in drive A:, preferably the original, write- protected DOS installation diskette that came with your computer. If you don't have one, borrow or buy one; don't use a diskette that might be infected. (You will create a new anti-viral diskette in "Making a Clean Start-Up Diskette" later in this chapter to use in the future, but you need a clean environment before you create one.) 1. Turn off your computer. (Don't just reset or reboot, which may leave some viruses intact in the computer's memory.) 2. Make sure your clean boot (start-up) diskette is write- protected. o For a 3.5" diskette, slide its corner tab so that the square hole is open. o For a 5.25" diskette, cover its corner notch with a write-protect tab. Be sure to use the black or silver write-protect stickers provided with your diskettes, not transparent tape, which is ignored by the floppy drive's infrared write-protection mechanism. Using VirusScan (Version 2.0) 18 3. Insert your start-up diskette in drive A:. 4. Turn on your computer and wait until you see the system prompt (probably A>). Don't run any programs on your hard disk, or you may reactivate the virus. OS/2 With OS/2, you can eliminate most viruses from memory by closing all DOS, Win-OS/2, and virtual DOS machine (VDM) sessions. Because OS/2 programs run in protected mode, viruses cannot spread between them. BACK UP YOUR HARD DISK Some viruses may leave certain disks or files unusable when cleaned up. To increase your chance of recovery, copy all the files on all of your hard disks onto fresh diskettes or a backup tape after booting from a clean copy of the operating system. You can use a commercial backup program, or the one included with DOS or OS/2. Scan the program disk first to make sure that the backup program itself is not infected. Do not run the backup program if it is infected. Instead, reload it from your original installation diskettes. Although some of the backed-up files may be infected, it is better to have current copies than not. However, don't overwrite previous backup disks or tapes, which may or may not be infected. RUN SCAN WITH THE /CLEAN OPTION Start from the system prompt (probably A> or [A:\]). If you are running OS/2, open the Command Prompts folder in the OS/2 system folder, and click on the OS/2 Full Screen or OS/2 Window icons. After typing each entry on the command line, press [Enter]. 1. Insert the 'VirusScan Program Diskette' in drive A:. 2. Eliminate the first known virus on your hard drive(s) by typing: DOS or Windows A> a:scan /adl /clean OS/2 [A:\] a:os2scan /adl /clean Using VirusScan (Version 2.0) 19 Scan keeps you informed of its progress and generally reports that a virus was removed successfully. If Scan reports that the virus could not safely be removed, see the next section, "If Viruses Were Not Removed, Contact Technical Support." 3. Repeat step 2 for other viruses found by Scan, and for other infected hard drives. For example: DOS or Windows A> a:scan /clean d: OS/2 [A:\] a:os2scan /clean d: o Scan has options to control and fine-tune the scope, validation, and operation of its disinfection. For details, see Chapter 3 in the Scan documentation. If Viruses were NOT removed, contact Technical Support If Scan can't remove a virus, it will tell you: Virus cannot be safely removed from this file. Make sure to take note of the filename, because you will need to restore it from backups. Run Scan again, this time using the /CLEAN and /DEL options to delete the remaining infected files, as described in Chapter 3 in the Scan documentation. If you have any questions, contact McAfee (see "Technical Support" in Chapter 1). If viruses were safely removed, rescan and check diskettes If Scan has successfully removed all the viruses, restart your computer. Restart installation as described in "Installing VirusScan" earlier in this chapter. Assuming that your system is now virus-free, installation will scan your system, activate VShield, and make a clean start-up diskette as part of the installation procedure. Thereafter, you can proceed to "Running the VirusScan programs" later in this chapter. One common source of virus infection is floppy diskettes. Once you've finished installing VirusScan on your hard disk, use Scan again to examine and disinfect the diskettes you use, as described in "When to Rescan," in this chapter. Using VirusScan (Version 2.0) 20 FALSE ALARMS Due to the nature of anti-virus software, there is a small possibility that Scan may report a virus in a file that is not infected. This can be more likely if you are using more than one brand of virus protection software, especially if the virus is only reported in memory and not anywhere on the disk when you boot. If Scan reports a virus infection that you suspect may be in error, contact McAfee (see "Technical Support" in Chapter 1). You can upload the file to our bulletin board system at (408) 988-4004, along with your name, address, daytime telephone number, and electronic mail address (if any). ACTIVATING VSHIELD VirusScan's VShield program can help prevent viruses from infecting your system. It runs as a "terminate-and-stay- resident" (TSR) program, remaining in memory and scanning and intercepting programs as they are executed. To install VShield, use your editor to load your AUTOEXEC.BAT file. Insert the following as the first line: C:\MCAFEE\VSHIELD If you load network drivers, disk-caching software, or other memory-resident programs that changes the way in which you access disks, insert a second VShield line after the last invocation of such software: C:\MCAFEE\VSHIELD /RECONNECT and press <ENTER>. This reactivates VShield if it has been deactivated by another memory-resident program. Now save your AUTOEXEC.BAT file. Using VirusScan (Version 2.0) 21 Windows VShield can display messages from within Windows in a message dialog. This is done through VShield's Windows Messager. If you choose not to install the Messager, VShield will still detect viruses, but will not be able to report them to you. 1. To activate the Messager, you must copy the VSHLDWIN.EXE file from your VirusScan directory (typically C:\MCAFEE) to your Windows directory (typically C:\WINDOWS). You can do this by typing: C:\> copy c:\mcafee\vshldwin.exe c:\windows and pressing <ENTER>. 2. Go to your Windows directory, and using a text editor program, load your WIN.INI file. Go to the [Windows] settings and insert the following line: load=vshldwin.exe NOTE: If you already have a "load=" line in your WIN.INI file, go to the end of it and type: ; vshldwin.exe and press <ENTER>. Now save your WIN.INI file and exit the editor. VShield will now run whenever you start or restart your computer. To activate VShield at any time: DOS or Windows - Restart your computer by pressing the <CTRL>, <ALT>, and <DEL> keys simultaneously, or by turning it off and then on again (if Windows is running, exit out of it before doing restarting your computer). OS/2 - Restart all DOS and Win-OS/2 windows. o If you have difficulties running VShield, it may be due to conflicts with other TSR programs in your system, or with other programs that monitor disk access. See Chapter 3 for details, and Chapter 4, "Tips and Troubleshooting," for more information. Contact McAfee technical support if you need help (see "Technical Support" in Chapter 1). Using VirusScan (Version 2.0) 22 o VShield normally occupies up to 67Kb of conventional (base 640Kb) memory. VShield minimizes the use of conventional memory by attempting to load into extended (XMS) memory, expanded (EMS) memory, upper memory, or a combination of them before using conventional memory. For computers with extreme available memory limitations, you can use VShield's /SWAP option to reduce its memory requirements to 7Kb, although this will decrease VShield's speed. For details, see Chapter 3. o VShield has options to control and fine-tune the scope, validation, and operation of its virus prevention. For details, see Chapter 3. o When used in conjunction with some of Scan's options, VShield can help protect your system from new and unknown viruses. For details, see "Detecting New and Unknown Viruses" in Chapter 4. o Under OS/2, VShield runs in DOS and Win-OS/2 sessions only, because current viruses can operate only in those sessions. o In Windows, you can use the VShield icon to turn messages from VShield on and off (VShield itself, however, remains active). For details, see Chapter 3. Using VirusScan (Version 2.0) 23 MAKING A CLEAN START-UP DISKETTE In DOS or Windows, create a clean anti-viral start-up (boot) diskette that you can use to regain your "sterile field" if your system becomes infected. This is not necessary in OS/2, although it will be helpful to make backup copies of your OS/2 installation diskettes. DOS or Windows In DOS, start from the system prompt (C:\>). In Windows, you may open a DOS window, or duplicate these steps using Windows' File Manager. 1. Insert a blank or dispensable diskette into drive A. Make sure the diskette contains no important information, as this procedure will erase it. 2. Format the disk as a DOS-bootable diskette with the system files on it by typing: C:\> format a: /s /v /u and pressing <ENTER>. If you are using a version of DOS before DOS 5.0, do not type the "/u" option. The /U option is used in recent versions of DOS to insure that the floppy diskette is erased completely (earlier versions of DOS automatically do this). When prompted for a volume label, type: virusfree01 and press <ENTER>, or use another name of up to 11 characters. 3. Copy the VirusScan program files onto the diskette. Here's one way to do this, assuming that your VirusScan files are stored in C:\MCAFEE: C:\> copy c:\mcafee\scan.exe a: C:\> copy c:\mcafee\scan.dat a: C:\> copy c:\mcafee\clean.dat a: C:\> copy c:\mcafee\names.dat a: 4. Copy useful DOS programs to the diskette. Here's one way to do this, assuming that your DOS files are stored in C:\DOS: C:\> copy c:\dos\format.* a: C:\> copy c:\dos\xcopy.* a: C:\> copy c:\dos\diskcopy.* a: C:\> copy c:\dos\sys.* a: Using VirusScan (Version 2.0) 24 C:\> copy c:\dos\fdisk.* a: C:\> copy c:\dos\debug.* a: C:\> copy c:\dos\unerase.* a: C:\> copy c:\dos\mem.* a: C:\> copy c:\dos\chkdsk.* a: In the same way, copy other DOS programs that you think might be useful. 5. Remove the diskette from the drive and write-protect it so that it cannot become infected. o For a 3.5" diskette, slide its corner tab so that the square hole is open. o For a 5.25" diskette, cover its corner notch with a write-protect tab. Be sure to use the opaque write-protect stickers provided with your diskettes, not transparent tape. 6. Label the diskette "Virus-Free Boot Disk" and put it away in a secure place in case you need to reestablish a virus-free environment in the future. You may want to include supplemental information on the disk label, such as the date and versions of DOS and VirusScan. OS/2 With OS/2, you don't need a virus-free start-up disk. However, it will be helpful to keep a clean copy of important files, such as your system configuration files. Copy your CONFIG.SYS, STARTUP.CMD, and AUTOEXEC.BAT files onto an empty, formatted diskette. Write-protect the diskette, label it, and put it away in a secure place. Using VirusScan (Version 2.0) 25 RUNNING THE VIRUSSCAN PROGRAMS VIRUSSCAN FOR DOS To run the VirusScan programs from the DOS command prompt, type the program name (SCAN) on the command line. Follow the program name with the drive, directory, or file(s) you want to scan for viruses and the options you want to use. Note: If you have not changed the path statement in your AUTOEXEC.BAT file, you will need to include its location (usually C:\MCAFEE) in the command, or change to that directory. For example, to examine a diskette in drive A: type: C:\> c:\mcafee\scan a: and press <ENTER>. EXCEPTION: If Scan detects a virus in memory or on your hard disk, don't run Scan with the /CLEAN option from C:\MCAFEE. Instead, restart your computer and run Scan from your clean start-up diskette as described in "If you detect a virus" in this chapter. VirusScan can list the viruses it detects. To view this list, run Scan with the /VIRLIST option, described in Chapter 3 in the Scan documentation. VSHIELD VShield loads automatically upon startup for DOS and Windows computers, or when a DOS or Win-OS/2 session is started within OS/2. o You can change VShield options from the DOS command line by removing VShield from memory and re-running it, or by editing the VShield command line in your AUTOEXEC.BAT file. See Chapter 3 for details. Using VirusScan (Version 2.0) 26 VIRUSSCAN FOR OS/2 To run Scan from OS/2, open the Command Prompts folder in the OS/2 System folder and click on the OS/2 Full Screen or OS/2 Window icons. Next, type the program name (OS2SCAN) on the command line. Follow the program name with the drive, directory, or file(s) you want to scan for viruses and the options you want to use. Note: If you have not changed the PATH and LIBPATH statements in your CONFIG.SYS file, you will need to include its location (usually C:\MCAFEE) on the command line, or change to that directory. For example, to examine a diskette in drive A: type: [C:\] c:\mcafee\os2scan a: and press <ENTER>. o VShield does not run in native OS/2 sessions, only under DOS and Win-OS/2 sessions inside of OS/2. If you have placed the VShield command in your AUTOEXEC.BAT file, it will run automatically when you start a DOS or Win-OS/2 session. You can also run it from the DOS command line, as described earlier in this section. Using VirusScan (Version 2.0) 27 WHEN TO RESCAN Although VShield will monitor your software for viruses, it's wise to scan your disks when you introduce new programs or disks that may be infected. New programs and files are generally introduced in two ways: by inserting a diskette, and by installing new programs. It is also possible to download a computer virus using a modem, however, this is extremely rare. o You can use VShield with the /ANYACCESS option to scan diskettes automatically. For more information, see the discussion of /ANYACCESS in Chapter 3. o For instructions on running VirusScan, see "Running the VirusScan programs" earlier in this chapter. WHEN YOU INSERT AN UNCHECKED DISKETTE Every time you insert a new diskette in your drive, run Scan on it before executing, installing, or copying its files. If you have several diskettes to scan, you can scan them consecutively. In fact, we recommend doing this now with all the diskettes you normally use, as well as diskettes received from friends, co-workers, salespeople, and even your own diskettes if they have been in another PC. WHEN YOU INSTALL OR DOWNLOAD NEW FILES Every time you install new software on your hard drive, or download executable files from a network server, bulletin board, or on-line service, run Scan on the directory the files were placed in before executing the files. Using VirusScan (Version 2.0) 28 UPDATING VIRUSSCAN REGULARLY Unfortunately, new viruses (and variants of old ones) appear and circulate often in the personal computer community. Fortunately, McAfee updates the VirusScan programs regularly--usually every month, but sooner if many new viruses have appeared. Each new version may detect and eradicate as many as 60-100 new viruses or more, and may add new features. To find out what's new, review the README.1ST text file. DOWNLOADING NEW VERSIONS You may use your own communications software to download new versions from the McAfee bulletin board, CompuServe, or the Internet. See Chapter 1, "Welcome to VirusScan" for more information. Always download and decompress the files in a separate directory from your current files. That way, if you discover a problem with the new files, you'll still have the old ones intact. VALIDATING VIRUSSCAN When you download a program file from any source other than the McAfee bulletin board system or other direct-from-McAfee service, it's important to verify that it is authentic, unaltered, and uninfected. McAfee anti-virus software includes a program called Validate that helps you do this. When you receive a new version of VirusScan, run Validate on all of the program files. To do this for Scan, start from the system prompt (C:\> or [C:\]): 1. Change to the directory to which you've downloaded the files. For example, if you've stored the files in C:\DOWNLOAD, type: C:\> cd \download and press <ENTER>. 2. Type the command: C:\DOWNLOAD> c:\mcafee\validate scan.exe and press <ENTER>. Using VirusScan (Version 2.0) 29 OS/2 Users: Be sure to replace SCAN.EXE with OS2SCAN.EXE as the file to be validated. 3. Compare the results with the information in the README.1ST file or other text file for the program you have just validated. If the validation results match what's in the file, it is highly unlikely that the program has been modified. 4. Once you have validated the new version, copy it into your C:\MCAFEE directory. In addition, create a new "VirusScan Start-Up Diskette" containing the new version. UPDATE YOUR CLEAN START-UP DISKETTE Once you have validated the new version, copy it into your C:\MCAFEE directory. In addition, copy the Scan program onto your clean start-up diskette. Below is one way to do this; you may also use the Windows File Manager or the OS/2 environment. Note any changes you've made to default options, because you may want to select and save them again. Start from the system prompt (C> or [C:\]). 1. Navigate to the directory to which you've retrieved the files, such as C:\MCAFEE: cd c:\mcafee 2. Temporarily remove write-protection from your clean start-up diskette and insert it in drive A. o For a 3.5" diskette, slide its corner tab so that the square hole is closed. o For a 5.25" diskette, remove the tab or tape from its corner notch. 3. Copy the Scan program, and its data files to the diskette. DOS or Windows C> copy SCAN.EXE a: C> copy *.DAT a: OS/2 [C:\] copy OS2SCAN.EXE a: [C:\] copy *.DAT a: 4. Remove the diskette from the drive and write-protect it again. Using VirusScan (Version 2.0) 30 Chapter 3: VSHIELD REFERENCE VirusScan(TM)'s VShield(TM) is a memory-resident program that helps to prevent virus infection. It complements the Scan virus detection program as part of your computer security plan. While Scan checks areas on disks for viruses, the VShield program checks programs as they load into your computer's memory. This ensures that you don't "catch" any new viruses while you're working on your computer. VShield does this by remaining in memory and: o Checking master boot records (MBR's), boot sectors, system files, and itself for viruses when you turn on or soft-boot (press the <CTRL>, <ALT>, and <DEL> keys together) your machine. o Checking program files for viruses as your computer executes them. o Checking files for viruses as you copy them (optional). o Checking for viruses whenever your computer accesses a disk (optional). Follow the instructions in Chapter 2 to install VShield. Instructions are given on how to modify your AUTOEXEC.BAT file so that VShield loads into memory every time you turn on your computer. If VShield finds a virus, you will hear three beeps and see a message like: Found the Jerusalem Virus If that happens, don't panic. Turn to Chapter 3 in the Scan documentation to find out how to use the Scan program to get rid of the virus. If you need additional help, contact McAfee (see "Technical Support" in Chapter 1). Note: There is one way to infect your computer that VShield cannot prevent--only you can. Never accidentally start your computer from an unknown diskette. That's how 80% of all viruses are passed! Always make sure your diskette drives are empty before you turn your computer on. VShield runs under DOS, Windows, and OS/2 Virtual DOS Machine and WIN-OS/2 sessions. The filename for this program is VSHIELD.EXE. Using VirusScan (Version 2.0) 31 The file called VSHLDWIN.EXE allows VShield to display messages from within Windows, and is added to your WIN.INI file automatically when you install VShield. If you need to conserve memory on your system, you can use VShieldCRC, a version of VShield that offers fewer protection options but requires less memory. The filename of the program is VSHLDCRC.EXE. A companion program called CheckVShield checks whether either VShield or VShieldCRC is loaded in memory. The filename of the program is CHKVSHLD.EXE. CheckVShield is especially useful for network administrators who want to ensure that everyone who logs on to the network is running VShield. All of these related programs are included in your VirusScan disk and described in this chapter. DO YOU NEED TO READ THIS CHAPTER? Many users will not need the VShield options described in this chapter. We have designed VShield so that basic operation--achieved by simply installing it in memory as described in Chapter 2--provides a high degree of protection for most users. The options here offer additional power and control for virus detection, and are most useful in vulnerable or memory-scarce environments, and to network administrators and information systems staff. See "Four Levels of Protection" and "Deciding Which Options Are for You" in this chapter for help in deciding how to use VShield. Using VirusScan (Version 2.0) 32 SYSTEM REQUIREMENTS AND PERFORMANCE VShield is a terminate-and-stay-resident (TSR) program, which remains in memory while you run other programs. VShield tries to optimize memory usage and minimize conflicts with other TSRs. By default, VShield tries to conserve as much conventional memory as possible. If you have only 640Kb or less memory in your system, VShield requires about 67Kb of memory. By using the /SWAP option, you can reduce this to only 7Kb of conventional memory, although this will decrease VShield's speed. If you have more than 640Kb of memory in your system, VShield tries to load as much of itself as possible above your conventional memory: first, into expanded memory (EMS), into extended memory (XMS), then into upper memory blocks (640Kb to 1024Kb, or UMB). If you have sufficient high memory available, VShield or VShieldCRC use no conventional memory. After VShield loads you'll see a message that describes where VShield loaded into memory and how much memory it using. You can control how VShield loads by using the /NOUMB, /NOEMS, and /NOXMS options, as described later in this chapter. o VShield might require slightly more memory as the VSHIELD.DAT file grows to include more viruses. VShield adds a small amount of time to program loads and reboots. Performance will vary, depending on your system. The /SWAP option adds more time, because VShield must reload from disk to check files. VShieldCRC adds an average of one second to each program load. Once programs have been loaded, VShield does not degrade the performance of your system in any way. Programs that load other files may run more slowly when you use the /FILEACCESS or /ANYACCESS options, because these options cause VShield to scan files whenever they are accessed, not just when they are executed. Using VirusScan (Version 2.0) 33 FOUR LEVELS OF PROTECTION You can think of VShield as providing four levels of protection. You can use VShield's options to customize it for the level of protection you need. Level II meets the protection needs of most systems. LEVEL I PROTECTION This level is appropriate for users who have very little memory available on their systems. It provides only minimal protection. For Level I protection, first use Scan with the /AF or /AV option to add validation codes. Then, install VShieldCRC instead of VShield. VShieldCRC can inform you that a file has not been certified, a file has been modified, a file size has changed, or a file has not been added to the validation file. VShieldCRC will not prevent infection, nor will it tell you when you have a known virus. Use Scan instead to detect viruses, as described in Chapters 3 and 4. See "Using VShieldCRC" in this chapter for instructions. LEVEL II PROTECTION This level is appropriate for most users. It will protect you from most viruses whether you have run Scan or not. For Level II protection, just install VShield according to the instructions in "Activating VShield." When loading, VShield checks memory automatically for viruses. Once resident in memory, VShield checks master boot records (MBRs), boot sectors, and program files (when executed) for virus signatures. LEVEL III PROTECTION This level is appropriate for computers that are used by many people, as in an open-use computer lab, or onto which you frequently load files from public sources. Level III protection checks for both validation codes and virus signatures, incorporating both Level I and Level II protection. For Level III protection, first use Scan with the /AF {filename} option, then use VShield with the /CF {filename} option. The /AF option logs validation and recovery data for program files, the boot sector, and the master boot record (MBR) to a file you specify. The /CF option tells VShield to check against that log. See Chapter 3 in the Scan documentation for instructions. Using VirusScan (Version 2.0) 34 LEVEL IV PROTECTION This level is for environments where security is extremely important and new software is seldom introduced. It combines Level III protection with access control, specifying that only programs known to be safe can be run. For Level IV protection, run VShield with the /CERTIFY option. See the "VShield Option Descriptions" later in this chapter for details about /CERTIFY. o VShield has many optional features that you might use at any protection level. See the table "VShield Option Summary" later in this chapter to see these options at a glance. Using VirusScan (Version 2.0) 35 RUNNING VSHIELD VShield checks programs, master boot records (MBR), boot sectors, system files, and itself for virus strings, the patterns of code unique to each computer virus. If VShield finds an infection, it prevents programs from running. It also prevents soft boots (also known as "warm boots") performed by pressing the <CTRL>, <ALT>, and <DEL> keys together from an infected floppy diskette in the A: drive. You can use options to control and fine-tune the scope, validation parameters, and operation of the VShield's checks. To use VShield with options, use the following syntax: vshield [options] [options] indicates one or more options described in the table in the next section. o Don't enter the square braces, which indicate that what's within them is optional. Because systems and environments differ, VShield gives you a choice of options. Consider the mixture of safety, performance, and maintenance that meets your needs, then choose the combination of options that works best. When you run VShield for the first time, VShield uses the virus information contained in SCAN.DAT to creates a new file, VSHIELD.DAT, in the program directory. The VSHIELD.DAT file contains virus information in a format that is optimized for VShield operation. Thereafter, when you install an updated version of SCAN.DAT, VShield updates VSHIELD.DAT automatically with any new virus information it finds in SCAN.DAT. DOS If you followed the installation instructions in Chapter 2, VShield begins working for you as soon as you install it, protecting the "sterile field" that the installation procedure creates. VShield should be run from your AUTOEXEC.BAT file, so it is activated every time you turn on your computer. o Check the placement of the VShield command line in the AUTOEXEC.BAT file. o VShield must be run before Microsoft Windows or any menu programs, such as MS-DOS's DOSSHELL or Norton Commander, or it will not be loaded. Using VirusScan (Version 2.0) 36 1. If your AUTOEXEC.BAT loads any network drivers, keyboard drivers, disk caching programs, drive compression programs, or custom disk drivers, VShield must be run both before and after them. These kinds of programs disable VShield. The second time VShield is loaded, use only the /RECONNECT option, as described later in this chapter. 2. If necessary, move the line that loads VShield. 3. Add the VShield options of your choice to the command line. Windows When you installed VShield, you should have added the VShield command line to your AUTOEXEC.BAT file and modified your WIN.INI file to include VSHLDWIN.EXE, which allows VShield to display messages under Windows. However, you may need to change your Windows configuration for VShield to run properly. To do so, follow these steps. If you need help with this procedure, see your Windows documentation, or contact McAfee (see "Technical Support" in Chapter 1). 1. Follow the instructions for DOS users in the previous section. 2. Start Windows. 3. Make Program Manager the default shell. Use no other Windows shell during installation. 4. In the Control Panel, configure Windows to run in 386 Enhanced mode. 5. Load Windows. You will see the VShield icon on your desktop. If VShield finds or suspects a virus, you'll see a warning message. Choose OK to close the message dialog. Note: Double-clicking the VShield icon only displays a message that VShield is loaded. OS/2 Because OS/2 is a protected environment, you need VShield only during Virtual DOS Machine (VDM) and WIN-OS2 sessions. When loaded through your AUTOEXEC.BAT file, VShield is automatically activated every time you start a DOS VDM or WIN-OS/2 session. Using VirusScan (Version 2.0) 37 If your DOS and WIN-OS/2 start-up batch file is not named AUTOEXEC.BAT, edit it so that it includes VShield. For example, add the following line: c:\mcafee\vshield to your start-up batch file. Using VirusScan (Version 2.0) 38 SPECIAL INSTRUCTIONS FOR NETWORK ADMINISTRATORS You have many options for setting up VShield on a network. The table "Deciding Which Options Are For You" later in this chapter lists options that most apply in network environments. If you need assistance in choosing the best configuration for your network, contact McAfee (see "Technical Support" in Chapter 1). If you run VShield from a network drive, flag VSHIELD.EXE as EXECUTE-ONLY, READ-ONLY, and SHAREABLE. If you run VShield from clients' local drives: o Edit all clients' AUTOEXEC.BAT files to load VShield with the options that are appropriate for your environment before any other drivers are loaded. o Add VShield with the /RECONNECT option to the AUTOEXEC.BAT file or the network login script, after the network drivers are loaded. See /RECONNECT, later in this chapter, for more information. o Run CheckVShield from the login script. CheckVShield returns a DOS ERRORLEVEL that you can use in batch files to check and update VShield. For an example of using CheckVShield, see "Technical Note 2: Sample NetWare Login Script and .BAT File" later in this chapter. Using VirusScan (Version 2.0) 39 VSHIELD OPTION SUMMARY Option and Description /? or /HELP Display a list of valid VShield command line options. /ANYACCESS Scan the diskette boot sector for viruses whenever a diskette is accessed (including any read and write operations); scan .EXE, .COM, .DLL, .OVL, .BIN, and .SYS files whenever the file is opened, read, or updated; scan .EXE and .COM files upon execution; scan any newly created file, regardless of extension. /BOOTACCESS Scan the diskette boot sector for viruses whenever a diskette is accessed (including any read and write operations); individual files on a diskette are not scanned when a diskette is accessed. /CERTIFY Prevent files without validation codes from running. /CF {filename} Check for viruses using validation and recovery data stored by Scan /AF in the specified filename. /CONTACT {message} Display specified message when a virus is found. /CONTACTFILE {filename} Display message stored in filename when a virus is found. /CV Check validation codes added to files by Scan. /EXCLUDE {filename} Don't check files listed in filename for validation codes (/CF and /CV options). /FILEACCESS Scan .EXE, .COM, .DLL, .OVL, .BIN, and .SYS files whenever the file is opened, read, or updated; scan .EXE and .COM files upon execution; the diskette boot sector is not checked when a diskette is accessed. /IGNORE {drive(s)} Don't check programs loaded from the specified drive(s). Using VirusScan (Version 2.0) 40 /LOCK Halt the system when a file that is infected or not certified loads and attempts to execute. /NOEMS Prevent VShield from using expanded memory (EMS) when it loads. /NOMEM Do not check memory for viruses upon running. /NOREMOVE Prevent VShield from being removed from memory with the /REMOVE switch. /NOUMB Prevent VShield from using upper memory blocks (UMB) when it loads. /NOWARMBOOT Don't check the diskette boot sector for viruses during a warm boot. /NOXMS Prevent VShield from using extended memory (XMS) when it loads. /ONLY {drive(s)} Check programs loaded only from the specified drive(s). /RECONNECT Restore VShield after certain drivers or TSRs have disabled it. /REMOVE Unload VShield from memory. /SAVE Save the command line options to the VSHIELD.INI file. /SWAP [pathname] Load VShield kernel (7Kb) only; swap the rest from pathname. Using VirusScan (Version 2.0) 41 VSHIELD OPTION DESCRIPTIONS /? or /HELP Use this option to display a brief description of valid VShield command line options. /ANYACCESS Checks the boot sector and files during read and write operations. Whenever a diskette is accessed (including any read and write operations such as a DIR or COPY command), VShield checks the boot sector for viruses. Whenever an .EXE, .COM, .DLL, .OVL, .BIN, or .SYS file is opened, read, or updated, VShield checks the accessed file. Whenever an .EXE or .COM file executes, VShield checks the file for viruses as it loads and prevents execution if the file is infected. Whenever a new file is created, such as with a COPY command, VShield checks the file (regardless of its extension). This is the highest level of protection against viruses that infect boot sectors and standard executable files. Using /ANYACCESS with either /BOOTACCESS or /FILEACCESS in the same command line returns an error message. Note: The /ANYACCESS switch is not recommended for use with DOS and WIN-OS/2 sessions under OS/2 due to certain low-level operating system incompatibilities between OS/2 and DOS. Use the /FILEACCESS switch instead. /BOOTACCESS Checks the diskette boot sector for viruses whenever a diskette is accessed (including any read and write operations such as a DIR or COPY command). Unlike /ANYACCESS, /BOOTACCESS does not check individual files on the diskette, only the boot sector. Using /BOOTACCESS with /ANYACCESS on the same command line returns an error message. Note: This option does not work from within Windows File Manager. For virus-checking within Windows, use the /ANYACCESS or /FILEACCESS switch instead. Using VirusScan (Version 2.0) 42 /CERTIFY Prevents programs from running if they do not have Scan validation codes. Use it in high-security environments to prevent clients from running programs that have not been scanned. To use /CERTIFY, first run Scan with the /AF or /AV option, as described in Chapter 3 in the Scan documentation. Then, use VShield with the /CERTIFY option and either the /CF or /CV option (either is required), such as: vshield /certify /cf c:\mcafee\valcodes.val Some programs, such as Lotus 1-2-3, contain self-modifying code and do not work correctly with validation codes attached. You may create an exception list of files to exclude from validation. For instructions, refer to "Technical Note 1: Creating an exception list for /EXCLUDE" in Chapter 3 of the Scan documentation. /CF {filename} Checks validation data stored by Scan's /AF {filename} option, where filename is the name of the validation data file created by Scan. If a file or system area has changed, VShield reports that a viral infection may have occurred. You can specify the /EXCLUDE option to exclude a list of files from validation checking. In this example: vshield /cf c:\mcafee\valcodes.dat /noems VShield looks in the VALCODES.DAT file for validation data. For instructions on using Scan /AF to add validation codes, see "/AF {filename} Store recovery/validation codes in file" in Chapter 3 in the Scan documentation, and "Detecting New and Unknown Viruses" in Chapter 4. /CONTACT {message} Displays a custom message when a virus is found. This message is displayed in addition to all other VShield messages. Use /CONTACT to let network users know what to do if VShield finds a virus. The message can be up to 50 characters long, and can contain any character except a backslash "\" character. Place messages starting with a hyphen "-" or a slash "/" in quotation marks. If your message is longer than 50 characters or you want to store the message text in a file, use /CONTACTFILE instead. Using /CONTACT and /CONTACTFILE in the same command line returns an error message. Using VirusScan (Version 2.0) 43 /CONTACTFILE {filename} An alternative to the /CONTACT option, /CONTACTFILE identifies a file that contains the message string to display when a virus is found. This option is especially useful in network environments, because you can easily maintain the message text in a central file rather than changing the command line in the AUTOEXEC.BAT file on each workstation. If your message is 50 characters or fewer, you can use /CONTACT instead. Using /CONTACT and /CONTACTFILE in the same command line returns an error message. /CV Checks validation codes added by Scan with the /AV option. If a file has changed, VShield reports that the file has been modified and a viral infection may have occurred. You can specify the /EXCLUDE option to exclude a list of files from validation checking. For instructions on using Scan to add validation codes, see "/AV Add recovery/validation data to files" in Chapter 3 in the Scan documentation, and "Detecting new and unknown viruses" in Chapter 4. /EXCLUDE {filename} Excludes files listed in filename from validation when using /CF or /CV. For more information, see "Technical Note 1: Creating an Exception List for /EXCLUDE" later in this chapter. /FILEACCESS Checks standard executable files whenever the file is accessed or executed. Whenever an .EXE, .COM, .DLL, .OVL, .BIN, or .SYS file is opened, read, or updated, VShield checks the accessed file. Whenever an .EXE or .COM file executes, VShield checks the file for viruses as it loads and prevents execution if the file is infected. VShield checks all files when accessed by a read or write operation. Using /ANYACCESS on the same command line with /FILEACCESS returns an error message. o We recommend always using /FILEACCESS with OS/2. For VShieldCRC, /FILEACCESS checks files only if they have been validated with the /AF or /AV options. Using VirusScan (Version 2.0) 44 /IGNORE {drives} Omits checking program loads from the specified drives, as shown in the following example: vshield /ignore t: y: w: Use /IGNORE or /ONLY to speed up VShield by excluding secure, virus-free drives such as network drives from virus checking. You can specify up to 26 drives. See also /ONLY, described later in this section. Using /IGNORE and /ONLY in the same command line returns an error message. /LOCK Halts the system to stop further infection if VShield finds a virus. /LOCK is appropriate in highly vulnerable network environments, such as open-use computer labs. If you use /LOCK, be sure to use /CONTACT or /CONTACTFILE to tell users what to do or whom to contact if a virus is found and the system locks up. /NOEMS Prevents VShield from using expanded memory (LIM EMS 3.2) when it loads. This ensures that EMS is available exclusively for other programs. /NOMEM Skips the memory check for viruses when VShield loads. Using /NOMEM allows VShield to load more quickly, but use it only if you are absolutely sure that your system is virus-free. /NOREMOVE Prevents VShield from being removed from memory with the /REMOVE option in a subsequent VShield command. When you load VShield with the /NOREMOVE option, subsequent loads with the /REMOVE option will have not effect. Your network will be more secure if users cannot remove VShield, but this option may prevent users from solving memory limitations or conflicts. /NOUMB Prevents VShield from using the upper memory block (UMB, 640Kb to 1024Kb) when it loads. This ensures that the UMB is available exclusively for other programs. /NOWARMBOOT Omits checking the diskette boot sector during a warm boot of the system. /NOXMS Prevents VShield from using extended memory (XMS) when it loads. This ensures that XMS is available exclusively for other programs. Using VirusScan (Version 2.0) 45 /ONLY {drive(s)} Checks program loads only from the specified drive(s), ignoring all other drives, as shown in the following example: vshield /only c: f: k: Use /IGNORE or /ONLY to speed up VShield by excluding secure, virus-free network drives from virus checking. You can specify up to 26 drives. See also /IGNORE earlier in this section. Using /ONLY and /IGNORE in the same command line returns an error message. /RECONNECT Restores VShield's links into DOS after another program has disabled it, such as a network driver, keyboard driver, custom disk driver, drive compression program, or disk caching program. These types of programs replace the normal DOS system interrupts so that VShield no longer recognizes program loads. After the lines in your AUTOEXEC.BAT file (or network login script) that load these programs, add this command line to restore VShield: vshield /reconnect /REMOVE Unloads VShield from memory. You may want to do this temporarily if you are running out of memory for programs. For best results, try using VShield with the /SWAP option first. Use /REMOVE only as a last resort. Note: /REMOVE will not work if other memory-resident programs were loaded after VShield, or if VShield was loaded previously with the /NOREMOVE option. /SAVE Stores the VShield options you specify as the defaults in the VSHIELD.INI file. In the following example, /SAVE saves "/CONTACTFILE N:\USR\DAVEM\MSGFILE" as the default setting: vshield /contactfile n:\usr\davem\msgfile /save To remove custom options and return to VShield's original defaults, use the /SAVE option alone: vshield /save /SWAP [pathname] Installs a small (7Kb) kernel of VShield in memory that loads the rest of VShield from disk on demand. Specify a pathname only if you want VShield to swap to a path other than the directory where VShield resides. Using VirusScan (Version 2.0) 46 Use /SWAP only if you have very little memory available, but require a high assurance of safety. /SWAP will slow down your system and may cause conflicts with programs that fail to allocate memory properly. If you don't have enough memory to load VShield without swapping, consider using VShieldCRC instead. We do not recommend storing the swap file on a network path because, if the workstation disconnects from the network, the workstation will lock. Using VirusScan (Version 2.0) 47 DECIDING WHICH OPTIONS ARE FOR YOU Because systems and environments differ, VShield gives you a choice of options. Consider the mixture of safety, performance, and maintenance that meets your needs, then choose the combination of options that works best. REQUIREMENT │ OPTION │ COMMENTS ════════════════════╪══════════════╪═══════════════════════════════ More complete │ /ANYACCESS │ Highest protection against protection, any │ │ infected diskettes; checks environment │ │ for viruses whenever a dis- │ │ kette or files are accessed. ├──────────────┼─────────────────────────────── │ /FILEACCESS │ Next highest protection │ │ against infected diskettes; │ │ checks for viruses whenever │ │ a standard file is accessed. ├──────────────┼─────────────────────────────── │ /BOOTACCESS │ Of the three, lowest │ │ protection against infected │ │ diskettes; checks for │ │ viruses in boot sector when │ │ a diskette is accessed. ────────────────────┼──────────────┼─────────────────────────────── More complete │ /CERTIFY │ Use with /CF {filename} or protection, │ │ /CV and an exception list. stable software ├──────────────┼─────────────────────────────── environment │ /CF │ Use /CF or /CV. Of the two, │ │ /CF is recommended. ├──────────────┼─────────────────────────────── │ /CV │ Use /CF or /CV. ────────────────────┼──────────────┼─────────────────────────────── Network or multi- │ /CONTACT │ Use this (or /CONTACTFILE) user environments │ │ to tell users what to do │ │ when a virus is found. ├──────────────┼─────────────────────────────── │ /CONTACTFILE │ Use this (or /CONTACT) to │ │ tell users what to do when │ │ a virus is found. ├──────────────┼─────────────────────────────── │ /IGNORE │ Use this (or /ONLY) to │ │ skip virus-free drives. ├──────────────┼─────────────────────────────── │ /LOCK │ Use with /CONTACT or │ │ /CONTACTFILE {filename}. ────────────────────┴──────────────┴─────────────────────────────── Using VirusScan (Version 2.0) 48 ────────────────────┬──────────────┬─────────────────────────────── For network │ /NOREMOVE │ Prevents VShield from environments │ │ being removed from memory. (continued) ├──────────────┼─────────────────────────────── │ /ONLY │ Use this (or IGNORE) to check │ │ only vulnerable drives. ├──────────────┼─────────────────────────────── │ /RECONNECT │ Required if network drivers │ │ are loaded after VShield. ────────────────────┼──────────────┼─────────────────────────────── Faster performance, │ /NOMEM │ Only use on a virus-free any environment │ │ computer. ├──────────────┼─────────────────────────────── │ /NOWARMBOOT │ Omits checking the boot │ │ sector after a warm boot. ────────────────────┼──────────────┼─────────────────────────────── Manage memory, any │ /NOEMS │ Use when other programs need environment │ │ exclusive use of EMS memory. ├──────────────┼─────────────────────────────── │ /NOUMB │ Use when other programs need │ │ exclusive use of UMB memory. ├──────────────┼─────────────────────────────── │ /NOXMS │ Use when other programs need │ │ exclusive use of XMS memory. ├──────────────┼─────────────────────────────── │ /NOREMOVE │ Use to ensure that VShield │ │ remains in memory. ├──────────────┼─────────────────────────────── │ /REMOVE │ May temporarily solve memory │ │ conflicts. ├──────────────┼─────────────────────────────── │ /SWAP │ Use in environments with very │ │ limited memory. ════════════════════╧══════════════╧═══════════════════════════════ Using VirusScan (Version 2.0) 49 EXAMPLES The following examples show different option settings: vshield Activates VShield (Level II protection). vshield /cv Activates VShield (Level III protection), if you have previously run SCAN /AV. vshield /certify /cf c:\valcodes.dat Activates VShield (Level IV protection) and checks a validation and recovery data file created when running Scan with the /AF option. vshield /swap Activates VShield kernel in memory and swaps from the directory in which VShield resides. vshield /cv /exclude c:\excption.lst /contact "Call the Help Desk!" Activates VShield (Level III protection), ignores checking files in the EXCPTION.LST files, and displays a message if a virus is found. vshield /reconnect Re-activates VShield after it has been disabled by network device drivers. Using VirusScan (Version 2.0) 50 ERROR LEVELS When VShield loads, it sets the DOS ERRORLEVEL. You can use the returned ERRORLEVEL in AUTOEXEC.BAT or other batch files to take different actions based on whether VShield has loaded in memory. See your DOS manual for more information on using ERRORLEVEL's. VShield returns these ERRORLEVELs: ERRORLEVEL DESCRIPTION 0 VShield successfully loaded in memory with all options operational. 9 VShield not loaded correctly. Abnormal termination (program error). VShield alerts you to problems by beeping once for system errors, twice for validation errors (/CF or /CF checking), or three times if a virus is found. USING VSHIELDCRC For Level I protection on systems with limited memory, use VShieldCRC instead of VShield. VShieldCRC is a separate program that consumes little system overhead, but is not recommended for normal use because it provides only minimal protection. VShieldCRC can inform you that you have been infected with a virus, but it does not check for virus signatures nor does it prevent infection. To use VShieldCRC, first use Scan with the /AF or /AV option. VShieldCRC checks the validation codes added by Scan. It also checks the master boot record (MBR) and boot sector validation codes, if present. See Chapter 3 in the Scan documentation for instructions on using Scan. To load VShieldCRC with options, use the following syntax: vshldcrc [options] [options] include the options listed in the table "VShieldCRC Option Summary" which follows. For more information on all options except /LOGFILE, see "VShield Option Descriptions" earlier in this chapter. Using VirusScan (Version 2.0) 51 EXAMPLES vshldcrc Activates VShieldCRC (Level I protection). vshldcrc /cf valcodes.crc Activates VShieldCRC and checks validation data stored in VALCODES.CRC, a file that was created using Scan with the /AF option. Using VirusScan (Version 2.0) 52 VSHIELDCRC OPTION SUMMARY Option and Description /? or /HELP Display a list of valid VShieldCRC command line options. /CERTIFY Prevent files without validation codes from running. /CF {filename} Check for viruses using validation and recovery data stored by Scan /AF in the specified filename. /CONTACT {message} Display specified message when a virus is found. /CONTACTFILE {filename} Display message stored in specified filename when a virus is found. /CV Check validation codes added to files by Scan. /EXCLUDE {filename} Don't check files listed in filename for validation codes (used with /CF and /CV options). /FILEACCESS Checks validated files whenever the file is accessed or executed. Whenever a validated .EXE, .COM, .DLL, .OVL, .BIN, or .SYS file is opened, read, or updated, VShieldCRC checks the accessed file. Whenever a validated .EXE or .COM file executes, VShieldCRC checks the file for viruses as it loads and prevents execution if the file is infected. /IGNORE {drive(s)} Don't check programs loaded from specified drive(s). /LOCK Halt the system when a file that is not certified attempts to load and execute. /LOGFILE {filename} Write error information to filename. /NOREMOVE Prevent VShieldCRC from being removed from memory with a subsequent VShieldCRC command using /REMOVE. Using VirusScan (Version 2.0) 53 /NOUMB Prevent VShieldCRC from using upper memory blocks (UMB) when it loads. /ONLY {drive(s)} Check programs loaded only from the specified drive(s). /REMOVE Unload VShieldCRC from memory. Using VirusScan (Version 2.0) 54 USING CHECKVSHIELD CheckVShield allows network administrators to make sure that workstations are running VShield or VShieldCRC before users can log onto a network. See "Technical Note 2: Sample NetWare login script and .BAT file" later in this chapter for a sample Novell NetWare login script using CheckVShield. To load CheckVShield with options, use the following syntax: chkvshld [option(s)] [option(s)] include: /? and /HELP Display a list of valid CheckVShield command line options. /DEBUG Displays the version of VShield or VShieldCRC resident in memory and the DOS ERRORLEVEL on the screen. /Q Suppresses CheckVShield messages (quiet mode) so users don't see the messages. /V xxxxx Tells CheckVShield to look for a specific version (2.00 or higher) of VShield or VShieldCRC in memory. For example, /v 2.00 for VShield 2.00. Using VirusScan (Version 2.0) 55 EXAMPLES chkvshld /q Checks for VShield or VShieldCRC in memory and suppresses messages. ERROR LEVELS When CheckVShield runs, it sets the DOS ERRORLEVEL. Use the ERRORLEVEL in batch files to take different actions based on the results of CheckVShield's check. The ERRORLEVELs returned by CheckVShield are: ERRORLEVEL DESCRIPTION 0 VShield or VShieldCRC is resident or, if /V is used, the version specified is resident in memory. 1 VShield or VShieldCRC is resident but does not match the version specified in the /V option. 2 VShield or VShieldCRC is not resident in memory. 3 Abnormal termination (program error). Using VirusScan (Version 2.0) 56 TECHNICAL NOTE 1: CREATING AN EXCEPTION LIST FOR /EXCLUDE VShield /CERTIFY permits a file to load only if: o It has been validated by Scan, or o It appears in the exception list file specified with the /EXCLUDE option, used in conjunction with /CF or /CV. If you do not validate any files and do not use an exception list, /CERTIFY will disable all programs other than DOS internal commands. The exception list file is an ASCII or DOS text file containing up to 1,024 characters. If you use a word processor to create it, be sure to save the file as ASCII or DOS Text. Here is an example: C:\CLIPPER\BIN\CLIPPER.EXE C:\123\123.COM C:\FOX\FOXPROLX.EXE C:\DOS\SETVER.EXE C:\PKWARE\PKLITE.EXE C:\PKWARE\PKZIP.EXE C:\PKWARE\PKUNZIP.EXE C:\SEMWARE\Q.EXE C:\SWAPVOL.COM C:\NORTON\NCACHE.EXE C:\WORDSTAR\WS.EXE Using VirusScan (Version 2.0) 57 TECHNICAL NOTE 2: SAMPLE NETWARE LOGIN SCRIPT AND .BAT FILE Here is a sample system login script for use by Novell NetWare system administrators. The login script gets the ERRORLEVEL from CheckVShield and displays messages on the user's screen. If VShield is not loaded correctly, there is an internal error with CheckVShield, either VShield or VShieldCRC is not installed, or an older version of VShield is present, the script exits the user to a NOLOGIN.BAT file that logs him or her out. #REM REPLACE "XXX" WITH CURRENT VERSION NUMBER CHKVSHLD /V "XXX" IF ERROR_LEVEL = "3" THEN FIRE PHASERS 5 TIMES WRITE "A CHKVSHLD internal error has occurred." WRITE "Please contact the Help Desk." #COMMAND /C NOLOGIN.BAT EXIT ELSE IF ERROR_LEVEL = "2" THEN FIRE PHASERS 5 TIMES WRITE "VShield has not been installed on your PC." WRITE "Access Denied. Please contact the Help Desk." #COMMAND /C NOLOGIN.BAT EXIT ELSE IF ERROR_LEVEL = "1" THEN FIRE PHASERS 5 TIMES WRITE "An old version of VShield has been installed." WRITE "Access to the network has been denied. Please" WRITE "contact the Help Desk to have a new version." WRITE "installed." #COMMAND /C NOLOGIN.BAT EXIT END END END You can create more complex login scripts to send a message to the supervisor if an error has occurred, update the user's VSHIELD.EXE as he or she logs in to the network, and so forth. Here is a sample of the NOLOGIN.BAT file called by the login script. ECHO OFF REM Log the user off of the network LOGOUT Using VirusScan (Version 2.0) 58 Chapter 4: TIPS & TROUBLESHOOTING The other chapters in this manual are meant to tell you clearly and concisely how to use the VirusScan(TM) software. Still, you may have questions or encounter confusing situations. This chapter contains two kinds of advice: o Tips for getting the most out of VirusScan. o Common problems and how to solve or avoid them. If this information doesn't help resolve your question or problem, contact McAfee (see "Technical Support" in Chapter 1). DETECTING NEW AND UNKNOWN VIRUSES There are two ways of dealing with new and unknown viruses that may infect your system: o Update VirusScan regularly. o Store and check validation and recovery information about your files. UPDATE VIRUSSCAN REGULARLY Most likely, McAfee will see new viruses long before you do. We update the VirusScan programs often--usually montly, but more often if many new viruses have appeared. Each new version may detect and eradicate as many as 60 to 100 new viruses or more, and may fix bugs that have been reported. Updating VirusScan regularly is probably all you need to do to protect against new viruses. See the instructions for obtaining new versions in "Updating VirusScan Regularly" in Chapter 2. USE THE VALIDATION AND RECOVERY OPTIONS If your environment is highly vulnerable to viruses, or you require unusual security against them, you can use VirusScan's validation and recovery options. Scan checks for new or unknown viruses by comparing files against previously recorded validation data. If a file has been modified, it no longer matches the validation data, and Scan reports that the file may have become infected. Scan has two levels of validation, which are stored in two separate ways: Using VirusScan (Version 2.0) 59 o It can store the enhanced code in a separate recovery file, which can be stored off-line (for example, on a diskette) for recovery purposes (/AF, /CF, and /RF switches). This is the preferred method because it stores the data for files, the boot sector, and the master boot record (MBR) of a disk in the recovery file. o It can append a 98-byte validation code to .COM and .EXE files (/AV, /CV, and /RV switches). This method applies to the files you specified only. It does not store data for the boot sector and master boot record (MBR). Once the validation codes are stored, both Scan and VShield can use the /CV and /CF options to detect changes to the files. More importantly, if you have stored the recovery information with /AF, Scan can use it to restore infected files, master boot record (MBRs), and boot sectors. All of these options require continuing effort to store and maintain the codes. For example, if you install new programs or upgrade old ones, you should use the /RV or /RF options to remove all codes, then /AV or /AF to restore them. If you want to use one of these methods, which should you use? We recommend the "F" options--/AF, /CF, and /RF--over the "V" options. /AF stores the validation and recovery information in a separate file, instead of modifying the program files themselves. This has three advantages: o You can store the recovery file off-line (on your clean anti-viral startup diskette, for example, or on a network drive or tape drive) and access it on demand to check for, and recover from, infection by unknown viruses. Use the procedure below to create a recovery diskette. o This method keeps self-checking files (usually copy- protected programs) from reporting that they have been tampered with. o If you use this method, you don't need an exception list. However, it's important that you run Scan with the /RF option on individual self-modifying files, such as Lotus 1-2-3, to remove the validation codes for those programs from the validation file. The "V" options are primarily useful for companies that distribute software to their customers or employees, and want to incorporate an additional level of virus protection. Using VirusScan (Version 2.0) 60 CREATING A RECOVERY DISKETTE To store the recovery file, create a new "VirusScan Startup Diskette" and then run Scan to create a validation code and recovery data file by typing: scan /adl /af a:\scancrc.crc and pressing <ENTER>. The above command scans the local hard disk drive(s) for known viruses and creates "SCANCRC.CRC," a file containing validation codes and recovery data, on the diskette. After Scan finishes, write-protect the diskette, label it as your "VirusScan Recovery Diskette," and store in a safe location. To check for virus infection, turn your computer off, insert your "VirusScan Recovery Diskette" in drive A:, and turn the power back on. The PC will now start from the diskette. At the DOS prompt, type: scan /adl /cf a:\scancrc.crc and press <ENTER>. This will compare the local hard disk drive(s) against the recovery data stored on the diskette in the SCANCRC.CRC file. If you detect an unknown virus, to disinfect your system, turn your PC off, insert the recovery diskette, and turn the power back on. The PC will start from the floppy disk. At the DOS prompt, type: scan /adl /cf a:\scancrc.crc /clean to restore drives C and D with the recovery data stored in SCANCRC.CRC on the diskette. If you install new software, or upgrade your DOS version, remember to update your recovery file. See Application note 1, "Updating Validation Codes," in Chapter 3 in the Scan documentation. Using VirusScan (Version 2.0) 61 INTERACTING WITH YOUR NETWORK Many personal computers are interconnected through a local area network (LAN). VirusScan is highly compatible with most networks. Here are some ways of using the VirusScan software with your network: Run Scan on network drives Run from a workstation (PC) on the network, Scan checks network drives for viruses just as it does local drives. For convenience, the /ADN option scans all network drives to which the workstation is connected. Use VShield and CheckVShield By activating VShield as part of every workstation's AUTOEXEC.BAT file, you can prevent the workstations from introducing viruses into the network. Network administrators can ensure that VShield is active on each workstation by running CheckVShield as part of the network login script, before actual login. Use NETShield NETShield provides continuous virus protection on a NetWare server. NetWare network administrators can use it to check for both known and unknown viruses and to monitor all network activities. On other kinds of networks, you can use Scan to check network servers. Develop a network security program, as described in the next tip. Develop a security program VirusScan has been shown to be an effective virus-preventive measure when used in a conscientiously applied program of network security and regular professional care. VirusScan is one important element of a comprehensive computing security program that includes a variety of safety measures, such as regular backups, meaningful password protection, user training, and awareness. Even with VirusScan, some viruses--not to mention theft or fire--an render a disk unrecoverable without a recent backup to reload information. Although outlining such a security program is beyond the scope of this manual, see "Other Sources of Information" in Chapter 1 for suggestions. If you are a network administrator, we urge you to implement a security program to safeguard your organization's data and productivity. If you are a network user, please support and comply with such a program. Using VirusScan (Version 2.0) 62 TROUBLESHOOTING Using VirusScan with other anti-virus software When you run more than one anti-virus program from different vendors, you risk strange results and false alarms. For example, some anti-virus programs store their "virus signature strings" unprotected in memory. Running VirusScan may "detect" them falsely as a virus. False alarms Scan may incorrectly report a virus in the boot sector or master boot record (MBR) of a disk if the diskette using a special copy-protection or encryption mechanism. Contact technical support if you're unsure (see "Technical Support" in Chapter 1). TSR conflicts Some "terminate-and-stay-resident" (TSR) software may conflict with VirusScan programs, especially VShield (which is itself a TSR). To check whether this is the problem, "comment out" the other TSR files in your AUTOEXEC.BAT file and restart your system. If the errors disappear, the TSR conflict caused them. Slow disk access, program locks Running VShield will slow your system slightly as described in Chapter 3, especially if you use either the /ANYACCESS or /SWAP options. If you experience very slow disk access, or if programs lock or freeze while using Windows 3.1, you may be using a disk cache program that interferes with program operation, or you may need to increase the number of BUFFERS in your CONFIG.SYS file. Program locks with VShield's /SWAP option When VShield is running with the /SWAP option, certain programs may lock up the computer. These programs may use memory without allocating it first, including older versions of Lotus 1-2-3, pfs:Write and Professional Write, OfficeWrite, and DisplayWrite4. To correct, restart your computer and run VShield without the /SWAP option. Unable to remove VShield If the /REMOVE option doesn't successfully remove VShield from memory, you have probably loaded other terminate-and- stay-resident (TSR) programs after VShield. VShield can't be removed until the other TSRs are removed. If you need to unload VShield often, load it last. Using VirusScan (Version 2.0) 63 APPENDIX A: RETRIEVING VIRUSSCAN UPDATES VIA THE McAFEE BBS McAfee runs a multiple line bulletin board system (BBS) for you to download program updates, receive technical support, and interact with other McAfee users. DIAL UP o The McAfee BBS phone number is (408) 988-4004. o The BBS operates at up to 14,400 bps (baud). Set your communications parameters to 8 data bits, 1 stop bit, no parity, and your terminal emulation to ANSI or TTY. o The BBS is Bell- and ITU- (formerly CCITT) compatible. LOG ON After receiving the CONNECT message from your communications package: o Enter your name, geographic location, and password. To retrieve the VirusScan programs, type "GUEST" for first name, and "USER" for last name. Or, if you want personal answers or feedback, create your own account by entering your first and last name and a password. Passwords should be 3-8 characters long and are case-sensitive. THE MAIN MENU Here are some of the important functions on the main menu: <F> File transfer area (download McAfee updates) <M> Message area (read and write messages in all sections and e-mail) <G> Goodbye (hang up and leave the BBS) Downloading McAfee programs 1. Select <F> from the Main Menu to go to the File transfer area. This is the area from which you can download McAfee programs. 2. Select <1> for the McAfee Antivirus Files. A sorted directory listing of files available for download will be displayed. Using VirusScan (Version 2.0) 64 3. Type <D> for download, then type in the filename as found in the directory. 4. The BBS will prompt you to select a protocol. We recommend error-correcting protocol such as ZMODEM, YMODEM or XMODEM. 5. You'll see the message Awaiting start signal. Tell your software to receive files. With PROCOMM for DOS or TELIX, press the <PAGE DOWN> key, with BITCOM, press the <F2> key. For other communications programs, check your manual. 7. Your software will prompt you to select a protocol and file name to receive the file. Select the same protocol and name. Using VirusScan (Version 2.0) 65 APPENDIX B: OPTIONS COMPARISON BETWEEN VIRUSCAN VERSIONS 1.5 AND 2.0 VERSION COMPARISON OF VSHIELD OPTIONS VShield │ VShield │ Version 1.5 │ Version 2.0 │ Option Description ═══════════════╪══════════════╪══════════════════════════ /? or /HELP │ /? or /HELP │ Display a list of valid │ │ VShield command line │ │ options. ───────────────┼──────────────┼────────────────────────── /ACCESS │ │ Check for viruses when │ │ files are opened and │ │ diskettes are accessed. ───────────────┼──────────────┼────────────────────────── │ /ANYACCESS │ Scan the diskette boot │ │ sector for viruses │ │ whenever a diskette is │ │ accessed (including any │ │ read and write │ │ operations); scan .EXE, │ │ .COM, .DLL, .OVL, .BIN, │ │ and .SYS files whenever │ │ the file is opened, │ │ read, or updated; scan │ │ .EXE and .COM files │ │ upon execution; scan │ │ any newly created file, │ │ regardless of extension. ───────────────┼──────────────┼────────────────────────── /BOOT │ /BOOTACCESS │ Scan the diskette boot │ │ sector for viruses │ │ whenever a diskette is │ │ accessed (including any │ │ read and write │ │ operations); individual │ │ files on a diskette are │ │ not scanned when a │ │ diskette is accessed. ───────────────┼──────────────┼────────────────────────── /CERTIFY │ /CERTIFY │ Prevent files without {filename} │ │ validation codes from │ │ running. {filename} is │ │ an optional exception │ │ list (version 1.5 only) ───────────────┼──────────────┼────────────────────────── /CF │ /CF │ Check for viruses using {filename} │ {filename} │ validation and recovery │ │ data stored by Scan /AF │ │ in the specified filename. Using VirusScan (Version 2.0) 66 VERSION COMPARISON OF VSHIELD OPTIONS (continued) VShield │ VShield │ Version 1.5 │ Version 2.0 │ Option Description ═══════════════╪══════════════╪══════════════════════════ /CG │ /CV │ Check recovery and │ │ validation codes added │ │ to files by Scan. ───────────────┼──────────────┼────────────────────────── /CHKHI │ (default) │ Check memory from 0- │ │ 1088Kb when VShield loads. ───────────────┼──────────────┼────────────────────────── /CONTACT │ /CONTACT │ Display specified {message} │ {message} │ message when a virus is │ │ found. ───────────────┼──────────────┼────────────────────────── │ /CONTACTFILE │ Display message stored │ {filename} │ in filename when a │ │ virus is found. ───────────────┼──────────────┼────────────────────────── /CV │ │ Check validation codes │ │ added to files by Scan. ───────────────┼──────────────┼────────────────────────── /CV [filename] │ /EXCLUDE │ Don't check files or │ {filename} │ listed in filename for /CG [filename] │ │ validation codes (/CF │ │ and /CV options). ───────────────┼──────────────┼────────────────────────── /F │ │ Use with /SWAP for DOS {pathname} │ │ 2.0 systems ONLY. ───────────────┼──────────────┼────────────────────────── /COPY │ /FILEACCESS │ Scan .EXE, .COM, .DLL, │ │ .OVL, .BIN, and .SYS │ │ files whenever the file │ │ is opened, read, or │ │ updated; scan .EXE and │ │ .COM files upon │ │ execution; the diskette │ │ boot sector is not │ │ checked when a diskette │ │ is accessed. ───────────────┼──────────────┼────────────────────────── /IGNORE │ /IGNORE │ Don't check programs {drive(s)} │ {drive(s)} │ loaded from the │ │ specified drive(s). ───────────────┼──────────────┼────────────────────────── /LH │ (default) │ Load VShield into upper │ │ memory area. ───────────────┼──────────────┼────────────────────────── /LOCK │ /LOCK │ Halt the system when a │ │ file that is infected │ │ or not certified loads │ │ and attempts to execute. Using VirusScan (Version 2.0) 67 VERSION COMPARISON OF VSHIELD OPTIONS (continued) VShield │ VShield │ Version 1.5 │ Version 2.0 │ Option Description ═══════════════╪══════════════╪══════════════════════════ /M │ (default) │ Scan base memory for │ │ viruses when VShield loads. ───────────────┼──────────────┼────────────────────────── /NB │ /NOWARMBOOT │ Disable boot sector │ │ check during install │ │ and reboot. ───────────────┼──────────────┼────────────────────────── /NI6510 │ │ Fixes Racal Datacomm │ │ NI6510 conflict. ───────────────┼──────────────┼────────────────────────── /NOBREAK │ │ Prevent [Ctrl]+[C] / │ │ [Ctrl]+[Brk] from │ │ working during install. ───────────────┼──────────────┼────────────────────────── /NOCONT │ │ Prevent non-certified │ │ programs from running. ───────────────┼──────────────┼────────────────────────── /NODISK │ │ Turn off the boot │ │ sector check when │ │ VShield is loading. ───────────────┼──────────────┼────────────────────────── /NOEMS │ /NOEMS │ Prevent VShield from │ │ using expanded memory │ │ (EMS) when it loads. ───────────────┼──────────────┼────────────────────────── /NOFLOPPY │ │ Turn off the boot sector │ │ check for floppy drives. ───────────────┼──────────────┼────────────────────────── /NOMEM │ /NOMEM │ Do not check memory for │ │ viruses upon running. ───────────────┼──────────────┼────────────────────────── /NOREMOVE │ /NOREMOVE │ Prevent VShield from │ │ being removed from │ │ memory with the /REMOVE │ │ switch. ───────────────┼──────────────┼────────────────────────── │ /NOUMB │ Prevent VShield from │ │ using upper memory │ │ blocks (UMB) when it │ │ loads. ───────────────┼──────────────┼────────────────────────── │ /NOXMS │ Prevent VShield from │ │ using extended memory │ │ (XMS) when it loads. Using VirusScan (Version 2.0) 68 VERSION COMPARISON OF VSHIELD OPTIONS (continued) VShield │ VShield │ Version 1.5 │ Version 2.0 │ Option Description ═══════════════╪══════════════╪══════════════════════════ /ONLY │ /ONLY │ Check programs loaded {drive(s)} │ {drive(s)} │ only from the specified │ │ drive(s). ───────────────┼──────────────┼────────────────────────── /RECONNECT │ /RECONNECT │ Restore VShield after │ │ certain drivers or TSRs │ │ have disabled it. ───────────────┼──────────────┼────────────────────────── /REMOVE │ /REMOVE │ Unload VShield from │ │ memory. ───────────────┼──────────────┼────────────────────────── /SAVE │ /SAVE │ Save specified options │ │ as new defaults │ │ (version 1.5 only). │ │ Save the command line │ │ options to the VSHIELD.INI │ │ file (version 2.0 only). ───────────────┼──────────────┼────────────────────────── /SWAP │ /SWAP │ Load VShield kernel [pathname] │ [pathname] │ only (5Kb in version │ │ 1.5; 7Kb in version │ │ 2.0); swap the rest │ │ from pathname. Using VirusScan (Version 2.0) 69 VERSION COMPARISON OF VSHIELD1/VSHIELDCRC OPTIONS VShield1 │ VShieldCRC │ Version 1.5 │ Version 2.0 │ Option Description ═══════════════╪══════════════╪══════════════════════════ │ /? or /HELP │ Display a list of valid │ │ VShieldCRC command line │ │ options. ───────────────┼──────────────┼────────────────────────── │ /CERTIFY │ Prevent files without │ │ validation codes from │ │ running. ───────────────┼──────────────┼────────────────────────── │ /CF │ Check for viruses using │ {filename} │ validation and recovery │ │ data stored by Scan /AF │ │ in the specified filename. ───────────────┼──────────────┼────────────────────────── │ /CONTACT │ Display specified message │ {message} │ when a virus is found. ───────────────┼──────────────┼────────────────────────── │ /CONTACTFILE │ Display message stored │ {filename} │ in specified filename │ │ when a virus is found. ───────────────┼──────────────┼────────────────────────── │ /CV │ Check validation codes │ │ added to files by Scan. ───────────────┼──────────────┼────────────────────────── │ /EXCLUDE │ Don't check files │ {filename} │ listed in filename for │ │ validation codes (used │ │ with /CF and /CV options). ───────────────┼──────────────┼────────────────────────── │ /FILEACCESS │ Checks validated files │ │ whenever the file is │ │ accessed or executed. │ │ Whenever a validated │ │ .EXE, .COM, .DLL, .OVL, │ │ .BIN, or .SYS file is │ │ opened, read, or │ │ updated, Scan checks │ │ the accessed file. │ │ Whenever a validated │ │ .EXE or .COM file │ │ executes, Scan checks │ │ the file for viruses as │ │ it loads and prevents │ │ execution if the file │ │ is infected. Using VirusScan (Version 2.0) 70 VERSION COMPARISON OF VSHIELD1/VSHIELDCRC OPTIONS (continued) VShield1 │ VShieldCRC │ Version 1.5 │ Version 2.0 │ Option Description ═══════════════╪══════════════╪══════════════════════════ │ /IGNORE │ Don't check programs │ {drive(s)} │ loaded from specified │ │ drive(s). ───────────────┼──────────────┼────────────────────────── │ /LOCK │ Halt the system when a │ │ file that is not │ │ certified attempts to │ │ load and execute. ───────────────┼──────────────┼────────────────────────── │ /LOGFILE │ Write error information │ {filename} │ to filename. ───────────────┼──────────────┼────────────────────────── /NB │ │ Disable boot sector │ │ checking during install │ │ and reboot. ───────────────┼──────────────┼────────────────────────── │ │ │ /NOREMOVE │ Prevent VShieldCRC from │ │ being removed from memory │ │ with a subsequent VShieldCRC │ │ command using /REMOVE. ───────────────┼──────────────┼────────────────────────── │ /NOUMB │ Prevent VShieldCRC from │ │ using upper memory │ │ blocks (UMB) when it loads. ───────────────┼──────────────┼────────────────────────── │ /ONLY │ Check programs loaded │ {drive(s)} │ only from the specified │ │ drive(s). ───────────────┼──────────────┼────────────────────────── /REMOVE │ /REMOVE │ Unload VShieldCRC from │ │ memory.