Text File | 1993-10-01 | 51KB | 1,067 lines
VIREX FOR THE PC USERS GUIDE
DATAWATCH CORPORATION
TRIANGLE SOFTWARE DIVISION
HOW TO CONTACT DATAWATCH
If you find a new virus, it is important that we learn about it, so that we
can update Virex for the PC.
Before November 1, 1993, you can contact Datawatch at:
Datawatch Corporation,
Triangle Software Division
P.O. Box 51489
Durham, NC 27717
Telephone: (919) 490-1277 FAX: (919) 490-6672
After November 1, 1993, you can contact Datawatch at:
Datawatch Corporation
Triangle Software Division
P.O. Box 13984
Research Triangle Park,
NC 27709-3984
Telephone: (919) 549-0711 FAX: (919) 549-0065
You can contact Datawatch on the following services:
AppleLink DATAWATCH
CompuServe 73407,1751
America OnLine DATAWATCH
GEnie DATAWATCH
DataGate BBS 919-419-1602. Settings are (8,N,1).
Internet vpctech@DATAWATCH.COM
After November 1, 1993, the Datagate BBS number will change to (919) 549-0042.
Table of Contents
~~~~~~~~~~~~~~~~~
CHAPTER 1: Overview of Virex for the PC
CHAPTER 2: Installing Virex for the PC
CHAPTER 3: Using the VPCScan Program
CHAPTER 4: Using the Virex TSR
CHAPTER 5: Using Virex for the PC in a Network Environment
CHAPTER 6: Using Virex for the PC in a Windows Environment
CHAPTER 7: Safe Computing Practices
APPENDIX A: Removing a Boot Sector Virus
APPENDIX B: Modifying the Protection File
APPENDIX C: Troubleshooting
APPENDIX D: Using the DataGate BBS
APPENDIX E: Novell Network Features
APPENDIX F: External Virus Signature File
<<<<<<<<<<<<<<< C H A P T E R 1: Overview of Virex for the PC >>>>>>>>>>>>>>>>
Virex for the PC provides comprehensive protection against computer viruses.
The current version of the program (at the time this manual was written)
includes the following enhancements:
* Detection of more than 1700 known viruses.
* Two installation methods: Quick (using default settings);
Custom (allowing customization).
* An enhanced Inoculate feature, which can not only repair virus damage, but
also protect your system from unknown viruses using a unique integrity check
method.
* New disinfectors for more than 40 boot sector viruses.
The Virex for the PC package uses two programs to protect and repair your
files: VPCScan and Virex.
VPCScan: Identifying Known Viruses and Repairing Files
The first program is VPCScan (VPCSCAN.EXE), a utility program that can scan
existing files and memory for the presence of known viruses. VPCScan can
recognize the code signatures of known computer viruses and will alert you if
it finds one. The powerful Inoculate feature is the key to VPCScan's
effectiveness. Inoculate has two important capabilities. First, it can repair
files that have been damaged by common viruses (by means of a special emergency
disk that you create during installation, or by files created during
installation on your hard drive). Second, Inoculate can protect existing files
by comparing the current signature of each file with its previous version.
Thus, VPCScan can use Inoculate to disinfect all known boot sector viruses and almost
all file infectors, as well as protect your system from many unknown viruses.
Virex: Efficient, Continuous Monitoring of the PC System
The second program is Virex (VIREX.COM), a terminate-and-stay-resident (TSR)
program that provides continuous virus protection. Virex alerts you:
* when you attempt to run a program that is infected with a known virus.
* when an attempt is made to run a program that has had its unique Integrity
information changed.
* when you attempt to run a program that is not registered in the Integrity
database (it will give you the opportunity to register the program before
proceeding).
These three functions provide efficient protection against unknown viruses by
Integrity checking, and against known viruses by scanning programs on
execution. This virus protection uses less than 1KB of RAM memory.
Hardware and System Requirements
Virex for the PC requires a hard disk and operates on any IBM PC/XT, IBM PC/AT,
IBM PS/2, or 100% compatible computer using the PC-DOS (MS-DOS) 3.X or later
operating system. (If you have an IBM XT and do not have a high-density 5 1/4"
disk drive or a 3 1/2" disk drive, please contact Datawatch Customer Support
to obtain Virex for the PC on a low-density 5 1/4" disk.) A minimum of 512KB of
memory is recommended.
<<<<<<<<<<<<<<< C H A P T E R 2: Installing Virex for the PC >>>>>>>>>>>>>>>>>
You can install Virex for the PC using either of the following methods:
* Quick Installation: the easy installation that automatically chooses default
settings and installs the program.
(Note: If you are installing Virex for the PC from a hard drive or
subdirectory, you must use Custom Install. Quick Install only functions
from diskette.)
* Custom Installation: the more flexible installation that allows you to
change default settings before installing the program.
(Note: If you are installing Virex for the PC onto a Novell Network drive,
you must perform a Custom Installation.)
With either method, easy-to-understand screens will keep you informed about
the progress of the installation. If you want to abort the installation at any
point, press ESC to select the Exit command. If you exit before the
installation is complete, you need to confirm your decision to exit, by
highlighting Yes and pressing enter.
If you want to perform the Quick Installation, proceed to the next section. But
if you want to perform the Custom Installation, skip now to the section titled
Custom Installation.
Quick Installation
The Quick Installation method provides you with the simplest antiviral
installation available. The Quick Installer will automatically:
* Choose default settings.
* Choose the source and target disk drives. (C:\VPC)
* Scan local drives for viruses.
* Copy the necessary files to your hard disk.
* Create the Integrity database files that will aid in repairing
damaged files.
* Modify your AUTOEXEC.BAT file to load the Virex TSR each time you
boot your computer (ONLY if you have chosen to use the Virex TSR).
* Assist you in creating an emergency disk for future file repair and
disk recovery. (Be sure to have a virus-free, formatted disk ready.)
Custom Installation
If you choose to perform a Custom Installation, the Installer will:
* Scan local drives for viruses.
* Copy the necessary files to your hard disk.
* Create the Integrity database files that will aid in repairing
damaged files.
* Assist you in creating an emergency disk for future file repair and
disk recovery. (Be sure to have a virus-free, formatted disk ready.)
But the Custom Installation also gives you flexibility by letting you change
the program's default choices for:
* Source and target drives.
* Drives to include in the Integrity database.
* Installation of the Virex TSR for continuous protection.
* Changes to the AUTOEXEC.BAT file.
(Note: If you are installing Virex for the PC onto a Novell Network
drive, you will need to perform a Custom Installation.)
<<<<<<<<<<<<<<< C H A P T E R 3: Using the VPCScan Program >>>>>>>>>>>>>>>>>>>
Using VPCScan
To scan a file for the existence of known viruses:
1. Make the drive on which you installed VPCScan the current drive by
typing <drive>: and pressing enter.
2. Change to your Virex directory by typing CD <directory> and pressing
enter.
3. Type VPCScan <drive>:<pathname> and press enter, where
<drive>:<pathname> indicates the drive, directory path, and name of
the file to be scanned.
Example: VPCScan C:\GAMES\TOPSHELF.COM
Dealing with an Infection
If VPCScan finds a known virus, it will alert you and provide the following
options:
a. Repair: attempt to remove the virus from the original file (if the
Inoculate information is available, or if specific disinfectors are
available).
b. Delete: erase the infected file.
c. Ignore: leave the file as it is.
WARNING: If you repair an infected file, it will be changed, and could possibly
become unusable.
Other Techniques
* To scan a directory and its subdirectories, specify <drive>:<path>.
Example: VPCScan C:\GAMES
* To scan a disk, specify <drive>:\.
Example: VPCScan B:\
* To scan multiple disks, specify <drive>:\ <drive>:\.
Example: VPCScan C:\ D:\ E:\
VPCScan will scan from the current directory down through the hierarchical
structure. It will scan the entire disk only if you start in the root directory
or if you specify <drive>:\.
Example: VPCScan C:\
Note: Wild cards (* and ?) are valid in VPCScan commands.
Once you have scanned and disinfected all of the files on your hard disk,
restart your computer by switching it off, waiting ten seconds, and then
switching it on again. Do not simply press ctrl-alt-del to reboot, as some
viruses can survive this type of boot.
Reports
When VPCScan is finished examining your files for the presence of known
viruses, it generates a report, named VPCSCAN.LOG, that details the results of
its examination. It indicates how many directories and files were examined,
how many files were found infected, how many files were repaired, and how many
files were deleted. It also indicates which files were infected, and what
viruses were found in those files. The report can be sent to a printer or
redirected to a file.
VPCScan Command Line Switches
VPCScan has features that control how scanning is conducted. These options are
executed through the command line: VPCSCAN C: -<options>.
Example: VPCSCAN C: -M
-A: Instructs VPCScan to scan all file types, including non-executable
files such as text or spreadsheet files. In its normal operation,
VPCScan searches only executable files (*.EXE, *.SYS, *.COM, and *.OV?).
Viruses can cause damage only when they are in executable files or have
infected a disk's boot sector. By using the -A option, however, you can
be sure that there are no known viruses in any files on your computer.
The -A switch also turns on the -L (Long search) option automatically.
When the -A option is not specified and VPCScan is instructed to scan a
directory containing only data files, it will return the message 0
files scanned. This message means that it did not find any executable
files.
-E: Directs VPCScan to return an error level of 0 if and only if the system
was completely tested and no viruses were detected. Otherwise, a non-
zero errorlevel will return. An error condition will return a non-zero
error level as well.
-F: Scans a single floppy disk. After VPCScan completes a scan of a floppy
disk, you will be asked whether you want to scan additional diskettes.
The request to scan additional disks can be turned off with -F. This
feature might be useful when operating VPCScan in batch mode to scan a
single disk.
-I+: Will alert you to signature changes and allow inoculation file updating
or repair of modified files.
-I<filename>: Lets you specify a non-default file name for your inoculation
database. Using the + option (-I+<filename>) will make VPCScan add and
update all new executable files to your inoculation database.
-L: (Long scan) Scans the entire contents of a file. In its usual operation
VPCScan selectively searches the specific areas of a file that viruses
are most likely to infect. The -L search is a more thorough search;
therefore, it takes more time. For this reason, we recommend that the
-L option be used only in the following situations: to examine new
files; to scan a hard disk for the first time before Virex has been
installed on your system; or if you strongly suspect your system may
have a virus.
-M: Prevents VPCScan from searching the system memory of the computer for
the presence of viruses. This is a time saving feature. If you are
scanning multiple floppy disks and/or hard drives, there is no need to
scan the system memory each time.
-O: Scans only the specified directory and does not examine any
subdirectories.
-R<filename>: Creates an audit file, named <filename>, which lists all VPCScan
alerts and responses. VPCScan names the default audit file
C:\VPCSCAN.LOG. Results are updated with every VPCScan run.
-T: Turns off the warning message that alerts you when your version of
VPCScan is more than six months old.
-V: Lets you verify your programs using the Protection file (VIREX.DAT).
Using the + option (-V+) will update the existing Protection file.
-V<filename>: Lets you verify your programs using a Protection file that
has the file name you choose. Using the + option (-V+<filename>)
will create or update this file.
-X: Scans the entire first megabyte of memory. Normally, VPCScan limits
memory scanning to the first 640K of memory that is accessible to DOS.
Although unlikely, a virus could infect the memory between 640K and 1
megabyte.
-#: Lists all the viruses that VPCScan is currently capable of detecting.
Virus-specific repair capability is noted by the term disinfector in
parentheses next to the virus name. To print the virus listing, type
VPCSCAN C: -#>PRN.
-!N: Turns off the virus warning messages that are sent to the Novell
console whenever a virus is found.
To further customize scanning, you can combine the preceding options. For
example, to perform a long scan of the files in the current directory, type
VPCSCAN C: -O -L and press enter. Note that there must be a space between
option codes.
The Inoculate Feature
The powerful Inoculate feature is the key to VPCScan's effectiveness. Inoculate
has two important capabilities. First, it can repair registered files that have
been damaged by common viruses (by means of a special emergency disk that you
create during installation). Second, Inoculate can protect existing files by
comparing the current signature of each file with its previous version. Thus,
Inoculate can use VPCScan to disinfect all known boot sector viruses and almost
all file infectors, as well protect your system from many unknown viruses.
Inoculate works by building and using three special files that protect your
computer from virus attacks and make repairs possible: CRITICAL.VRX, INOC.VRX,
and VIREX.DAT. These three files comprise the Integrity database.
To remain effective, these three files must be updated regularly, and the
information must be stored on an emergency disk. To create or update the
Integrity database, add <drive>: and -I+<filename> to the VPCScan command line.
Example: VPCScan C: -I+
Example: VPCScan C: -I+inoc.vrx
(Note: All three Integrity database files INOC.VRX, CRITICAL.VRX, and VIREX.DAT
can be updated with one command by including both the -I+ and -V+ switches in
the command.)
If VPCScan finds a file with a modified signature, a warning message will be
displayed. Pressing U will update the Integrity database and continue the scan.
If you suspect that the file was modified by a virus, press R to repair the
file. After choosing the repair option, you will see another box if VPCScan
can successfully repair the file. If you press Y, the file will be repaired and
the scan will continue. If you press N, you will be returned to the previous
box with only the Update and Ignore options available. If VPCScan cannot repair
the file, you will see a message box, explaining why VPCScan could not repair
the file. After displaying this box, VPCScan will return you to the previous
message box with only the Update and Ignore options available.
The CRITICAL.VRX File
The CRITICAL.VRX file provides protection against boot sector viruses. Boot
sector viruses replace the boot sector and/or the partition table of your hard
drive. By copying these important parts of your hard drive, VPCScan can easily
remove any virus that might infect your hard drive by restoring the data you
had before the virus. Because boot sectors and partition tables very rarely
change, this type of protection is very effective. You must, however, update
your Integrity database whenever you alter your partition information or
upgrade to a new DOS version. The CRITICAL.VRX file also saves your CMOS
information because viruses can potentially damage it. This function does not
work on XT systems because they do not have CMOS. You should rebuild your
Inoculation file if you alter any CMOS information other than the date and
time. Note: Virex does not store extended CMOS settings.
The INOC.VRX File
The INOC.VRX file stores the Inoculation information about your executable
files. It saves a small part of the file along with the length and certain
integrity information about the file. With this information, VPCScan can
successfully repair almost all viral infections.
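Added example, not part of the original guide and not Datawatch's code: a
Python model of the kind of record described above (saved start of the file,
length, and an integrity value), with a repair that is accepted only when the
rebuilt file matches the stored integrity value. HEAD_LEN, SHA-256, the record
layout and the action names are assumptions; the real INOC.VRX format is not
given in this guide.

```python
"""Model of an inoculation record; an illustration, not the INOC.VRX format."""
import hashlib
from dataclasses import dataclass
from typing import Optional

HEAD_LEN = 32  # assumption: size of the "small part of the file" that is saved


@dataclass(frozen=True)
class InocRecord:
    length: int   # file length at registration time
    head: bytes   # first HEAD_LEN bytes at registration time
    digest: str   # integrity value; SHA-256 is a stand-in chosen for this example


def register(data: bytes) -> InocRecord:
    """Build the record while the file is known to be clean."""
    return InocRecord(len(data), data[:HEAD_LEN], hashlib.sha256(data).hexdigest())


def check(data: bytes, rec: Optional[InocRecord]) -> str:
    """Classify a file as 'unregistered', 'ok' or 'modified'."""
    if rec is None:
        return "unregistered"
    same = len(data) == rec.length and hashlib.sha256(data).hexdigest() == rec.digest
    return "ok" if same else "modified"


def repair(data: bytes, rec: InocRecord) -> Optional[bytes]:
    """Rebuild the registered file from the record, or return None.

    Two layouts are tried: original body still at offset 0 (bytes added at
    the end) and original body pushed to the end (bytes added at the front).
    A candidate is accepted only if it reproduces the stored digest, so a
    wrong guess is never handed back as a "repaired" file.
    """
    if len(data) < rec.length:
        return None  # part of the original is gone; nothing to rebuild from
    n = len(rec.head)
    shift = len(data) - rec.length
    for body in (data[n:rec.length], data[shift + n:]):
        candidate = rec.head + body
        if hashlib.sha256(candidate).hexdigest() == rec.digest:
            return candidate
    return None


def triage(data: bytes, rec: Optional[InocRecord]) -> str:
    """Map the check result to the choices the guide describes (names assumed)."""
    state = check(data, rec)
    if state == "ok":
        return "run"
    if state == "unregistered":
        return "scan-then-register"
    return "offer-repair" if repair(data, rec) is not None else "update-or-ignore"


# Constructed sample data: a stand-in "program" and altered copies of it.
ORIGINAL = b"MZ" + bytes(range(64)) * 4
GROWN = b"\xff\xff\xff" + ORIGINAL[3:] + b"\x90" * 48          # start changed, bytes appended
SHIFTED = b"\x90" * 20 + ORIGINAL                               # bytes added in front
OVERWRITTEN = ORIGINAL[:100] + b"\x00" * 40 + ORIGINAL[140:]    # body destroyed in place
DB = {r"C:\GAMES\TOPSHELF.COM": register(ORIGINAL)}

if __name__ == "__main__":
    rec = DB[r"C:\GAMES\TOPSHELF.COM"]
    for label, blob in [("original", ORIGINAL), ("grown", GROWN),
                        ("shifted", SHIFTED), ("overwritten", OVERWRITTEN)]:
        print(f"{label:12} {check(blob, rec):9} -> {triage(blob, rec)}")
    print(f"{'new file':12} {check(ORIGINAL, None):9} -> {triage(ORIGINAL, None)}")
```

The overwritten copy shows why a record of this kind cannot always rebuild a
file: once bytes outside the saved portion are destroyed, no candidate matches
the stored integrity value and only updating or ignoring remains.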
Using Inoculate on Files
You should update your Integrity database whenever you install new or updated
programs on your system, and continue to perform regular scans at more frequent
intervals. If VPCScan reports that your system has a virus infection or detects
an integrity signature change, Virex will first use the Inoculate feature to
attempt to repair the file. To repair all infected files, follow the normal
procedure for a scan. If you have chosen an alternative name for the INOC.VRX
file, add -I<filename> to the VPCScan command line.
Example: VPCScan C: -Ivirex.ino
In this mode, VPCScan will alert you at each virus infection and will provide
the standard options of Disinfect, Remove, or Ignore. The Disinfect option will
use Inoculate even if a signature-based disinfector is available. If you choose
Disinfect, VPCScan will attempt the repair of the file. If it can successfully
repair the file, you will get a warning message. If you press Y, the file will
be restored to its pre-infection form. In certain situations it may be
impossible for VPCScan to rebuild the file. If VPCScan cannot repair the file,
another message will be displayed. VPCScan will then return you to the previous
message box with only the Remove and Ignore options available.
Using CRITICAL.VRX
You must use VPCScan to restore the information in the CRITICAL.VRX file back to
your hard drive. When using any of these options, <filename> is not necessary;
VPCScan defaults to CRITICAL.VRX. A <filename> is necessary only if you have
changed the name of your CRITICAL.VRX file. A <drive>: in all cases specifies
the drive to which you want to restore the information.
1. If you wish to restore your master boot record and your partition table,
use <drive>: and -PA<filename> on the VPCScan command line.
Example: VPCScan C: -PA
Example: VPCScan D: -PAcritical.vrx
2. If you must restore your CMOS information, you need to add only the command
-PC<filename> to your VPCScan command line.
Example: VPCScan -PC
Example: VPCScan -PCcmossave.vrx
The Integrity Check Verification Feature
The VIREX.DAT Protection file contains the file signature information that
Virex uses to monitor your system for known and unknown viruses. We recommend
that, after booting from a virus-free floppy disk, you periodically check all of
these signatures using VPCScan's Integrity check verification feature. Using
-V<filename> will check the .DAT file named <filename> or your default
Protection file (probably VIREX.DAT).
Example: VPCScan C: -V
Example: VPCScan C: -Vmyprot.dat
If a known virus infection is found, you will be alerted and given the same
options as in a normal scan. If a file with a modified signature is found and
no inoculate record is available, you will see a warning box. Pressing U will
update the file's signature in the Protection file. Pressing I will ignore the
file's modified signature and continue scanning. If you suspect that the file
may be infected by an unknown virus, we recommend pressing I for Ignore and
then deleting the file using DOS.
<<<<<<<<<<<<<<< C H A P T E R 4: Using the Virex TSR >>>>>>>>>>>>>>>>>>>>>>>>>
Virex is a terminate-and-stay-resident (TSR) program that provides continuous
protection against both known and unknown viruses. Virex protects against known
viruses by checking programs when they are executed for the viral signatures of
known viruses. Virex protects against unknown viruses by measuring the
signature of a program each time it is run.
Using Virex
The Virex command, with no command line options, defaults to disk swapping
mode. This means that Virex keeps its virus signature information on disk until
it is needed. This technique allows Virex to occupy less than 1KB of RAM
memory.
Virex Options
If working memory is not a constraint, or if you do not want the slight speed
degradation that comes with disk swapping, Virex has other options:
-A: Prevents Virex from registering and creating Inoculate information when
new programs are run for the first time. This feature is helpful if
programs are self modifying. Files are still scanned for known
viruses.
-C: Disables Integrity checking, and allows Virex to scan each executed
program for known viruses only! (Note: In some rare situations,
especially involving networks, it may be necessary to turn off
Integrity checking completely. This approach is necessary if there is
a configuration where you cannot access the Integrity file.)
Note: If you use -C and -V together, you will lose all protection.
-R: Reloads Virex. This switch is useful to load Virex after network
drivers such as Novell NPX and NETX are used.
-S: Loads all of the Virex code and the virus signature information into
memory. This option causes Virex to take up approximately 4-5KB
of RAM memory.
-V: Allows you to check any preregistered program for changes (to the
Integrity data only), and allows Virex to run without VPCScan. This
option will use the Integrity information to check files for viruses,
but does not perform a memory scan or repair files. It does not update
the Protection file, nor does it protect unregistered programs.
Normally, if Virex cannot find VPCScan, it alerts you that your system
is unprotected.
Responding to Virex Alerts
The Virex TSR will alert you:
* when you attempt to run a program that is infected with a known virus.
* when an attempt is made to run a program that has had its unique Integrity
information modified.
* when you attempt to run a program that is not registered in the Integrity
database (it will give you the opportunity to register the program before
proceeding).
These three cases are explained below.
Virus Identified
When you run a program, Virex performs an integrity check to make sure the file
is as it should be. If a problem is detected, Virex will attempt to use the
information in the INOC.VRX file to repair the damage. In most cases, it will
be successful. If it is not, it will then attempt to solve the problem using
its signature-based disinfectors. If Virex is still not successful, it will
offer you the opportunity to either delete the file or ignore the warning. If
you attempt to run a program that has been infected by a known virus, VPCScan
will be run to address the viral infection. If VPCScan can disinfect the
infected file, it will do so and will offer you the choice of printing or
saving a log of its activities, or simply exiting VPCScan. If VPCScan cannot
disinfect the file, you will be given the following VPCScan alert
message:
Press R to remove (erase) the file from the disk.
Press E to exit VPCScan and leave the infected file on disk.
Integrity Code Modified
If you attempt to run a program whose Integrity information has changed, but
which is not infected by a known virus, you will see a message box along with
information about the new and stored signatures for the file. Then another
alert box appears. If you suspect that the program which caused the alert is
infected with an unknown virus, and if you have previously used VPCScan to
create or update the Integrity database, then you should press R or run VPCScan
using the Inoculate feature to disinfect (repair) the file. If Virex is able to
successfully repair the file using its Inoculate information, and you press Y,
Virex will repair the file and allow it to run. If you press N, Virex will
leave the file in its modified state and will not run it. If Virex is not able
to repair the file using Inoculate information, you will be warned in a message
box. After you press any key, you will be given further options. If you press
B, Virex will update the Integrity information and allow the file to run. If
you press I, Virex will not change the Integrity information, and will not
allow the file to run. If you think that the program which caused the alert is
infected with an unknown virus, and if you have not used the VPCScan Inoculate
feature, you should delete the suspect file and replace it with an original
copy. If you think that the file's signature has changed for some reason other
than a viral infection, you should update the file's Integrity information in
the Virex Protection file (VIREX.DAT) and the INOC.VRX file. You can press B or
use the Integrity update feature of VPCScan or a file editor to update the
VIREX.DAT and INOC.VRX files.
Program Not Registered
If you try to run a program that is not on the Virex list of registered
programs, a message box will be displayed. If you press Y, VPCScan will scan
the file for known viruses using virus-specific detectors. If the file has no
known viruses, it will be added to the Integrity database and be allowed to
run. If the file is infected, another screen will appear. If you press R, Virex
will remove the file. If the file can be repaired you will be given that
option. After the file is repaired, it will be registered and will be allowed
to run. If you press I, Virex will not allow the file to run, and the Access
Denied message will appear.
<<<<<<< C H A P T E R 5: Using Virex for the PC in a Network Environment >>>>>>
Virex for the PC is compatible with Novell NetWare (versions 2.x, 3.x, and 4.x),
a popular software product for networking personal computers.
Using VPCScan with NetWare
VPCScan is designed to scan NetWare server drives for computer viruses. VPCScan
treats a server drive (for example, F:) like a local hard drive or floppy disk,
subject to the file protection constraints of NetWare. VPCScan will scan only
the files to which you have read/open access. A file that is read-protected
cannot be scanned, nor can it be infected. Furthermore, VPCScan will only scan
files that are not in use or that are in use and sharable (that is, more than
one person can use the same file simultaneously). A file that is in use and
non-sharable cannot be scanned for viruses. We recommend that you run VPCScan
as the NetWare network supervisor, so that all read-protected files can be
scanned. We also recommend that you use VPCScan when all users are logged off
of the server, so that all non-sharable files can be scanned.
Scanning a Server Drive for Viruses
VPCScan can be operated from a personal computer linked to a server; or in the
case of a non-dedicated server, from the server itself. The procedure for
scanning a server drive is:
1. Make sure that you can access the NetWare server drive. You might
need to log in to the server, or may simply type <server drive>:
(for example, F:) for access.
2. Make the location of VPCScan program the current drive (for example,
by typing C: if VPCScan was installed on the C: drive).
3. Type VPCScan <server drive>: (for example, VPCScan F:) to scan the
server hard drive.
VPCScan will issue a warning message and list the names of any files that could
not be scanned. A file might have been read-protected or might have been in
use and non-sharable. If a server file is infected with a virus, VPCScan will
display the standard virus warning message and issue the following options:
a. Repair: attempt to remove the virus from the original file (if
VPCScan knows how to disinfect files infected by this particular
virus).
b. Delete: delete the infected file.
c. Ignore: leave the file in its current state.
If an infected file is write-protected by NetWare, you will not be able to
repair or delete the file unless you have appropriate network access to that
file.
Using the Virex TSR
If Virex is loaded on the server, you can type <server drive>:Virex -C. When a
file is executed from either the server or the local PC hard drive, it will be
scanned for known viruses. The -C command switch disables Integrity checking.
If the server copy is installed to look on the user's local drive for
C:\VPC\VIREX.DAT and for a shared version of C:\VPC\VPCSCAN.EXE, Integrity
checking can be used. Otherwise, Integrity checking must be turned off, using
the -C switch, for Virex to operate properly when run from the server. The use
of Virex is especially appropriate if you are operating a diskless workstation
in a network. In this configuration, there is no local hard drive to operate
Virex.
Installing Virex for the PC on a Network
The suggested location to install Virex and VPCScan on the server is the LOGIN
directory. Thus, Virex can be run from the AUTOEXEC.BAT file so that protection
begins when the station is powered up. You would not need to be logged in to
the server to run Virex from the LOGIN directory. Also, Virex and VPCScan
should be installed in the LOGIN directory using the Install program for Virex
to be configured correctly.
In the event that Virex discovers a virus in a file, it will call VPCScan to
disinfect or remove it. You can install a full copy, as long as each user has
a licensed copy. But you must take caution so that each station has a unique
copy, preferably in the user's home directory. This allows you to run Virex
with all protections intact. The Protection file could become corrupted if two
or more people were to use it at the same time.
Updating the Network Protection File
Because your network is likely to be changing on a regular basis, it will
probably be necessary to update your network Protection file. This update can
be done using the Install program or VPCScan. Running the Install program again
will require you to go through the entire installation sequence, and is not as
efficient as using VPCScan. Only the supervisor can update the network
Protection file. Before updating, it is necessary to make sure that no one on
the network is running Virex. If someone is running one of the TSRs, the
protection file could become corrupted. The best way to solve this problem is
to make sure that no one else is logged on to the network when the update is
created.
The network protection file is \VIREX\VPC_NET.DAT off of the root of
any server volume. For example, if F:\ is the root of a server volume (instead
of a mapped drive), the Protection file would be in F:\VIREX\VPC_NET.DAT. To
update registration information using VPCScan, you would use the following
command:
VPCScan F:\ -V+F:\VIREX\VPC_NET.DAT
Updating Users through the Network
To update several users on your network, assuming they are also licensed, we
recommend copying the entire Virex for the PC disk into a directory on your
server. Then have each individual user run Install from that directory,
configuring it as the source directory, and specifying a directory on his or
her local drive as the destination.
<<<<<<< C H A P T E R 6: Using Virex for the PC in a Windows Environment >>>>>>
Virex for the PC is compatible with Microsoft Windows and Windows for
Workgroups. Both VPCScan and the Virex TSR can be used in a Windows
environment.
VPCScan: Scanning and Treating Viruses under Windows
VPCScan can be run from within Windows in two different ways. The first way to
run VPCScan under Windows is to open a DOS window by clicking on the DOS icon
in the MAIN group. This action will temporarily put you at a DOS prompt, and
you can run VPCScan just as if you were in standard DOS mode.
The second way is to install VPCShell and its custom icon. This method will
allow you to double-click on a custom icon and call VPCScan under Windows. We
recommend, however, that you run VPCScan from within DOS. This method will
avoid any problems that might result from other tasks processing in the
background under Windows. This approach is necessary, especially if you are
using the Integrity checking and Inoculate features of VPCScan.
Preventing Virus Infections Using Virex
The Virex TSR will monitor DOS applications running under Windows for signature
changes and for viruses. If the signature of a file has changed, program
execution will be denied. You will not be given the option to run the program.
If a file is not registered, it will be automatically scanned for viruses, but
may not be added to the Integrity check list (depending on the switch settings
that Virex is running with). If a virus is found, a standard virus warning with
options will be issued. Virex will not evaluate Windows applications for
signature changes.
Running the Virex TSR
The Virex TSR should be run before the execution of Windows. It is possible
that you have Windows installed to run automatically at startup (for example,
a line to run WIN has been placed in the AUTOEXEC.BAT file). If this is the
case, VIREX.COM should be placed before WIN in the AUTOEXEC.BAT file. Loading
Virex before Windows will protect all Windows DOS sessions including those
executed using the File Manager or Program Manager. If the command to start
Virex is placed after WIN, the Virex TSR will not run and your system will be
unprotected.
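The load-order rule above can be checked mechanically across saved AUTOEXEC.BAT files. The following is an added example, not part of Virex or of this guide; the function names, the result labels and the sample file contents are assumptions made for illustration.

```python
import re

PREFIXES = {"CALL", "LH", "LOADHIGH"}   # DOS words that precede the real command


def command_name(line):
    """Return the upper-case program name a batch line runs, or None."""
    text = line.strip().lstrip("@").strip()
    if not text or text.startswith(":"):         # blank line, label or :: comment
        return None
    words = text.split()
    if words[0].upper() == "REM":                # disabled line
        return None
    # Skip CALL/LH/LOADHIGH and any switches that belong to them.
    while words and (words[0].upper() in PREFIXES or words[0].startswith("/")):
        words = words[1:]
    if not words:
        return None
    program = words[0].split("/")[0]             # WIN/3 -> WIN
    base = re.split(r"[\\:]", program)[-1]       # C:\VIREX\VIREX.COM -> VIREX.COM
    return base.split(".")[0].upper()


def check_load_order(autoexec_text, tsr="VIREX", windows="WIN"):
    """Classify an AUTOEXEC.BAT by where the TSR loads relative to Windows."""
    names = [command_name(line) for line in autoexec_text.splitlines()]
    if tsr not in names:
        return "tsr-not-loaded"
    if windows in names and names.index(windows) < names.index(tsr):
        return "tsr-after-windows"               # the unprotected case
    return "ok"


# Constructed AUTOEXEC.BAT samples (paths are illustrative).
GOOD = "@ECHO OFF\nPATH C:\\DOS;C:\\WINDOWS\nLH C:\\VIREX\\VIREX.COM\nWIN\n"
BAD = "@echo off\nc:\\windows\\win.com /3\nC:\\VIREX\\VIREX.COM\n"
DISABLED = "REM C:\\VIREX\\VIREX.COM\nWIN\n"

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD), ("DISABLED", DISABLED)):
        print(label, check_load_order(text))
```

Batch flow control (IF, GOTO) is not evaluated; the check reads the file from top to bottom.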
<<<<<<<<<<<<<<< C H A P T E R 7: Safe Computing Practices >>>>>>>>>>>>>>>>>>>>
You can reduce the risk of experiencing problems with a computer virus by
following these guidelines:
* Use software that is obtained from reputable and reliable sources.
In general, commercial software from well-known software publishing
firms should be virus-free.
* Treat public domain and shareware software with caution. Test the
software with the VPCScan program before you use it. Remember,
computer viruses do not have an opportunity to replicate themselves
until you execute the program they have infected.
* There have been instances in which infected commercial software has
been inadvertently shipped to consumers. Although this problem occurs
infrequently, Datawatch recommends that you test all new commercial
software with the VPCScan program before you use it. Registering your
software will enable manufacturers to contact you if the need arises.
* Start your computer from the hard disk or from a single, write-
protected floppy system disk (to avoid boot sector viruses). Be sure
to check your floppy disk drives before booting your computer to
avoid accidentally attempting to boot from an infected floppy disk.
Never boot from an unscanned floppy.
* All newly acquired software applications should be backed up, write
protected, and put in a safe place. Always execute your application
programs from backup copies or from fresh copies placed on your hard
disk. This will prevent your original copies from being contaminated
by a virus, and ensure that a fresh copy is always available should
your working copy become damaged.
* Make regular backups of files you have customized, such as your
AUTOEXEC.BAT and CONFIG.SYS files. This will save you hours of work
rebuilding the system in the event of a virus attack or a hard disk
failure.
* Systematically back up your important data files to ensure that you
do not lose important work.
* Be security conscious and promote security awareness throughout your
organization. By backing up important application and data files,
you will limit your losses in the event of a hard-disk crash, a virus
attack, or any other sudden computer failure. These safe computing
practices will not only help to safeguard your computer from viruses,
but will help prevent the loss of important data in the event of a
catastrophe.
Note: You might wish to consult your dealer about useful hardware and
software backup solutions.
<<<<<<<<<<<<<< A P P E N D I X A: Removing a Boot Sector Virus >>>>>>>>>>>>>>
(Without CRITICAL.VRX)
If you downloaded Virex for the PC after your system had become infected by a
boot sector virus, or if you cannot recover using the Inoculate feature, then a
manual removal might be necessary. If you are using MS-DOS 5.0 or later, skip
to the section of this appendix titled "For MS-DOS 5.0 and Later Users."
Virus Identified but Not Disinfected
If after scanning your hard drive VPCScan finds a boot sector virus, but does
not offer to Disinfect it, follow this procedure to manually remove the virus:
1. Reboot your computer from a clean, write-protected DOS disk. The DOS version
on this disk must be the same as the DOS version on your hard drive.
2. Type DIR SYS.COM and press enter to see if this DOS disk has the SYS command
on it. If it does, skip to step 4.
3. Insert your other DOS disks until you find the one with the SYS command on
it.
4. Type SYS <drive>: and press enter (for example SYS C:).
If you receive an error from DOS in this process, consult your DOS manual.
Infected Partition Table
If VPCScan still shows your computer to be infected after you have attempted
to manually remove the virus, your computer's master boot record (and possibly
its partition table) might be infected. To eliminate this kind of virus, you
will need to follow a more complex set of steps:
1. Reboot your computer from a clean, write-protected DOS disk. The DOS version
on this disk must be the same as the DOS version on your hard drive.
2. Back up your hard drive using the DOS BACKUP command, MSBACKUP command (DOS
6.0+), or a third-party backup utility.
3. Run FDISK from your DOS disk and rebuild the hard drive's partition table.
(Consult your DOS manual.)
Note: If you have DOS 5.0 or higher, running FDISK /MBR will replace any
version's master boot record. See the following section for complete
instructions.
4. Format your hard drive by typing FORMAT <drive>: /S and pressing enter (for
example, FORMAT C: /S).
5. Restore your hard drive using the DOS RESTORE command, MSBACKUP command (DOS
6.0+), or a third-party backup utility.
Because boot sector viruses normally do not infect files, this method will
safely remove the virus from your hard drive.
For MS-DOS 5.0 and Later Users
There is an undocumented feature in the FDISK.EXE utility that is part of
MS-DOS (version 5.0 and later). It can remove most Master Boot Record viruses
without loss of data. Follow this simple procedure to remove a Master Boot
Record virus without loss of any data:
1. Completely back up the infected machine.
2. Restart your machine with a clean MS-DOS 5.x or above boot disk in the A:
drive. Make sure that the MS-DOS 5.x or above utility called FDISK.EXE is on
the disk and that the disk is write protected.
3. Once booted directly to the A:> prompt, type FDISK /MBR and press enter.
Almost immediately, you should return to the A:> prompt.
4. Remove the diskette from the A: drive and restart the PC.
5. Insert the original write-protected Virex for the PC disk into the disk
drive and type A:VPCSCAN C: and press enter, where A: is the drive
containing the Virex for the PC disk, and C: is your primary/startup hard
drive. This scan should indicate that no Master Boot Record viruses remain on
your hard drive.
Important Note
After a PC becomes infected with a Master Boot Record virus, the virus may
spread by infecting non-write-protected disks that are accessed by the infected
system. After following the above procedure and successfully removing the
resident virus, make sure that you scan all disks that have been used in this
infected machine. Once you have confirmed that they are clean, write protect
them. No virus can bypass this physical write-protection.
<<<<<<<<<<<<<< A P P E N D I X B: Modifying the Protection File >>>>>>>>>>>>>>
Virex provides an alert for every attempt to run an unregistered program.
Normally you can register a program by running it while the Virex TSR is
active. This protection can also be specified by using the Install program or
by editing the VIREX.DAT Protection file. To modify the file directly, add the
appropriate line to the Protection file.
Integrity Database Registration
A file can be added to the VIREX.DAT file's Integrity database registration
list by adding a line in the form C=<Drive>:<path><filename>[<5-digit signature
number>] to the proper Protection (VIREX.DAT) file. Note that if this line is
added manually, Virex will generate a "modified signature" alert when it is
started. You will then have the option to update to the correct signature
automatically. By noting the correct signature, you can also update the
Protection file manually. The * and ? wildcards may not be used in the file
names listed in the signature file, because the signature for each file must
be individually calculated.
<<<<<<<<<<<<<<<<<<<< A P P E N D I X C: Troubleshooting >>>>>>>>>>>>>>>>>>>>>>>
* Virex tells me that the signature for a program that I am running has
changed. What should I do?
If this is the first time Virex has checked this program since you upgraded
the program to a more recent version, the change is expected. You should
update your signatures and continue using the program without concern. If, on
the other hand, this alert is occurring on a program that has not been
intentionally updated by you, it is possible Virex has detected changes due
to infection by a new virus. You should abort the program and save a copy for
sending to Virex Support either via our BBS or via mail. After booting from a
clean system disk, run VPCScan in its -V+ -I+ mode so VPCScan can repair the
file.
* A "bad signature" alert appears whenever you run the DOS command SETVER.
A few programs modify their own disk images under certain conditions in
order to save configuration information internally. The MS-DOS utility SETVER
is one such program. If a program repeatedly triggers Virex's "Changed
Program" alerts, even after you have updated the integrity databases, it may
be legitimately modifying itself. This is particularly likely if it is the
ONLY program on your system that is changing. Datawatch is compiling a list
of such "legitimately self-modifying" programs. You should check with our
technical support group regarding the program you are using. If we do not
currently have the program you are using listed as "legitimately self-
modifying", you may want to submit a copy to us via the Virex Support BBS or
via mail so we can examine it.
* MS-DOS 6.0 USERS - Due to conflicts or startup problems it may be necessary
to prevent AUTOEXEC.BAT and CONFIG.SYS from loading. MS-DOS 6.0 offers a
feature that allows the user to boot their computer and not load AUTOEXEC.BAT
and CONFIG.SYS. To boot your computer without these two files, restart your
computer. When the text "Starting MS-DOS" appears, press and release the F5
key or press and hold down the Shift key. The following text will be
displayed:
MS-DOS is bypassing your CONFIG.SYS and AUTOEXEC.BAT files.
To see a list of up-to-date troubleshooting information please consult the
latest version of the README file.
<<<<<<<<<<<<<<< A P P E N D I X D: Using the DataGate BBS >>>>>>>>>>>>>>>>>>>>>
You can download Virex for the PC updates from our DataGate dial-in service.
DataGate is a BBS (Bulletin Board Service) that you may dial into by using a
communications program and a modem. (The number is 919-419-1602. After November
1, 1993, the number will be 919-549-0042.)
Set Up
Set up your communications program for 8 data bits, no parity, 1 stop bit, and
ANSI emulation. DataGate supports speeds from 300 bps to 14,400 bps.
Using DataGate
If you have never dialed into DataGate, you will have to register yourself by
answering the few simple questions that you will be asked and giving
yourself a password. Remember your password! You will not be able to re-enter
the BBS without it. DataGate's primary purpose is to provide support to you,
the Datawatch customer. So as soon as you enter the board, you will be able to
find answers to your technical questions in our "Questions and Answers"
Bulletin area, download product updates and new programs, and much more. In
addition to Datawatch customer support, DataGate also has many DOS, Windows,
and other utility files available for download.
Downloading VPCScan
To download the latest VPCScan, type the following at the Main Menu:
d VIRX??.ZIP and press enter
All necessary components will be stored in this file. Select your download
protocol to start the download process. Help is always available by typing H
and pressing enter whenever you get stuck and need assistance.
Entering Comments and Suggestions
Your comments and suggestions on the service that this BBS provides are always
welcome, and we look forward to reading your suggestions. You may leave us a
message by typing C and pressing enter at the Main Menu, outlining your ideas.
<<<<<<<<<<<<<<< A P P E N D I X E: Novell Network Features >>>>>>>>>>>>>>>>>>
Installation
If you are on a Novell network, the Install program sends any virus alerts to
the Novell console during the Virex for the PC install procedure. This method
allows the system administrator to monitor users installing Virex for the PC
and trace viral activity across the network. To turn this feature off, type
INSTALL -NONOTE and press enter.
This command will prevent the alerts from being sent to the console.
Using Virex on a Novell Network
If you are using Virex with a Novell Network, the network protection files for
each server volume (as described in the User's Guide) should be flagged as
Sharable/Read-Write. WARNING! If Virex has been automatically loaded prior to
Novell NetWare drivers, Virex will be disabled by the loading of those drivers.
Reloading Virex with the -R command line switch after NetWare drivers are in
place will ensure that Virex is providing continuous protection. If you are
attached to a Novell network, run VPCScan locally, and discover a virus on
your local computer, VPCScan will notify both you and the Novell NetWare
Console. If you wish to run VPCScan without this feature, use the -!N switch
from the command line (for example, VPCSCAN -!N). If you are running NetWare
2.x, VPCScan will display the message on the console screen and write an entry
to the LOG$MSG.LOG file, a NetWare log file. If you are running NetWare 3.x or
4.x, VPCScan will display only the "virus found" message to the console screen.
No permanent log of these alerts will be kept on the server itself.
<<<<<<<<<<<< A P P E N D I X F: External Virus Signature File >>>>>>>>>>>>>>>
The external virus signature file is a feature meant only for expert users. It
allows new viruses to be detected, by means of their signatures, without having
to wait for a new release of Virex for the PC. You should be careful. If you
use the external signature file and add a virus signature that we are already
using within our virus signature database, Virex will inform you that it has
found a virus in memory. You should contact Datawatch before using this
feature.
Signature File Format
The file containing external signatures must be designated C:\VIREX\VIREX.VIR
to be recognized by VPCScan. The format of the file is as follows:
<virus-type><space><virus-name><space><ascii-signature-representation>!
The <virus-type> indicates whether the virus signature following is for a
"Program" virus or a "Boot" virus. Use "P" for program viruses and "B" for
boot sector viruses. You can also use a "#" as a comment line indicator, if you
wish; such flagged lines will be ignored. The <virus-name> is the name of the
virus. It may not contain any spaces. You might want to use underscores or
hyphens instead of spaces. The <ascii-signature-representation> is the
translation of the hex signature string into an ASCII form. Each byte is
represented by a zero-filled, right-justified two-place sequence: the proper
representation of a hex "0xf" would be "0f"; to represent "0xff," use "ff." For
example, if a new virus called NewVirus, a program type virus, were to have a
signature string of "1 2 3 4 5 6 7 8 9 a b c d e f," its entry in the external
signature file (C:\VIREX\VIREX.VIR) would be:
#A comment line for the NewVirus external signature file example
P NewVirus 0102030405060708090a0b0c0d0e0f !
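A validator and line builder for the signature file format described above, given as an added example that is not part of the guide or of Datawatch's software. It assumes that whitespace before the closing "!" and upper-case hex digits are acceptable, and it adds a repeated-signature check the guide does not describe; the function names and the sample lines other than the NewVirus entry are constructed.

```python
import re

# Line layout from the guide: <virus-type> <virus-name> <hex-signature>!
# Assumptions: whitespace before the closing "!" is tolerated (the guide's own
# example shows a space there) and hex digits may be in either case.
_ENTRY = re.compile(r"^([PB]) (\S+) ([0-9A-Fa-f]+)\s*!$")


def format_entry(vtype, name, signature):
    """Build one VIREX.VIR line from raw signature bytes."""
    if vtype not in ("P", "B"):
        raise ValueError("virus type must be P (program) or B (boot)")
    if not name or any(ch.isspace() for ch in name):
        raise ValueError("virus name may not be empty or contain spaces")
    if not signature:
        raise ValueError("signature is empty")
    # bytes.hex() yields the zero-filled two-place form: 0x0f -> "0f".
    return f"{vtype} {name} {bytes(signature).hex()}!"


def parse_vir(text):
    """Return (entries, errors) for the text of a signature file."""
    entries, errors, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        m = _ENTRY.match(line)
        if m is None:
            errors.append((lineno, "expected '<P|B> <name> <hex>!'"))
            continue
        vtype, name, hexsig = m.groups()
        if len(hexsig) % 2:
            errors.append((lineno, "odd digit count: a byte is not zero-filled"))
            continue
        sig = bytes.fromhex(hexsig)
        if sig in seen:    # added check, not from the guide: repeated signature
            errors.append((lineno, f"same signature as line {seen[sig]}"))
            continue
        seen[sig] = lineno
        entries.append({"line": lineno, "type": vtype, "name": name, "signature": sig})
    return entries, errors


# Constructed sample: the guide's NewVirus entry followed by four bad lines.
SAMPLE = """\
#A comment line for the NewVirus external signature file example
P NewVirus 0102030405060708090a0b0c0d0e0f !
B Bad Name 0102!
P ShortByte 01f!
X WrongType 0102!
B Copy 0102030405060708090A0B0C0D0E0F!
"""
```

Calling parse_vir(SAMPLE) accepts only the NewVirus line and reports lines 3 to 6 with the reason each was rejected.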