Night Owl 9

home *** CD-ROM | disk | FTP | other *** search

/ Night Owl 9 / Night Owl CD-ROM (NOPV9) (Night Owl Publisher) (1993).ISO / 051a / nshldbt2.zip / NETSHLD.DOC < prev next >

Wrap

Text File | 1993-04-13 | 34KB | 1,006 lines

NETSHIELD Version 1.5BETA-II (V102) Copyright 1992, 1993 by McAfee Associates All Rights Reserved. Documentation by Aryeh Goretsky NOTE: Novell NetWare/386 is a registered trademark of Novell, Inc. McAfee Associates, Inc. TEL (408) 988-3832 3350 Scott Blvd, Bldg 14 FAX (408) 970-9727 Santa Clara, California BBS (408) 988-4004 95054-3107 CompuServe GO MCAFEE USA Internet support@netcom.COM TABLE OF CONTENTS INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . 2 AUTHENTICITY . . . . . . . . . . . . . . . . . . . . . . . . . 2 WHAT'S NEW . . . . . . . . . . . . . . . . . . . . . . . . . . 3 INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . 4 OPERATION. . . . . . . . . . . . . . . . . . . . . . . . . . . 5 CONFIGURATION OPTIONS. . . . . . . . . . . . . . . . . . . . . 6 REPORT OPTIONS . . . . . . . . . . . . . . . . . . . . . . . . 12 SIGNATURE CONTROL. . . . . . . . . . . . . . . . . . . . . . . 14 VIRUS REMOVAL. . . . . . . . . . . . . . . . . . . . . . . . . 15 TECHNICAL SUPPORT. . . . . . . . . . . . . . . . . . . . . . . 16 LICENSE. . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Page 1 NETSHIELD Version 1.5BETA-II (V102) Page 2 INTRODUCTION NETSHIELD is an anti-virus NLM (NetWare Loadable Module) for Novell NetWare/386 Version 3.11. It checks network file servers for both known and unknown viruses. Known virus detection, including stealth and polymorphic (mutation engine) viruses, is done using McAfee Associates' VIRUSCAN virus scanning technology. Unknown virus detection is handled by computing two 16-bit Cyclic Redundancy Checks (CRC) against files and then periodically comparing the file against its CRC for changes. Key features of NETSHIELD include checking files for viruses as they are accessed on the server, performing a scheduled scan, and notifying users if a virus is found. NETSHIELD does not changed the Last Accessed Date when scanning files. NETSHIELD runs on any Novell NetWare/386 3.11 file server with a minimum of 660Kb of free memory and should utilize less than 10% of the CPU. NETSHIELD is not compatible with version 3.10 of Novell NetWare/386. AUTHENTICITY NETSHIELD is packaged with the VALIDATE program to ensure the integrity of the NETSHLD.NLM and VIR.DAT files. The VALIDATE.DOC file tells how to use VALIDATE. VALIDATE can be used to check subsequent versions of NETSHIELD for tampering. The validation results for Version 1.5BETA-II (V102) should be: File Name: NETSHLD.NLM VIR.DAT Size: 116,609 37,302 Date: 04-09-1993 04-02-1993 Check Method 1: A314 C277 Check Method 2: 17B7 1ED3 If your copy of NETSHIELD differs, it may have been damaged. Always obtain your copy of NETSHIELD from a known source. The latest version of NETSHIELD and validation data for NETSHLD.NLM and VIR.DAT can be obtained from McAfee Associates' bulletin board system at (408) 988-4004,from the McAfee Virus Help Forum on CompuServe (GO MCAFEE), or via the Internet from the pub/antivirus directory of the mcafee.com site. NETSHIELD Version 1.5BETA-II (V102) Page 3 All versions of McAfee Associates' NETSHIELD have been archived with Version 1.10 of PKWare's PKZIP Authentic File Verification. When unzipped with Version 1.10 of PKWare's PKUNZIP program, an "-AV" will be displayed after each file is unzipped and an "Authentic Files Verified! # NWN405 Zip Source: McAFEE ASSOCIATES" message will appear once all files are unzipped. NOTE: If you do not receive the AV messages, you may be using a different version of PKUNZIP, such as Version 2.04. Use PKUNZIP Version 1.10 to unzip the files if you wish to have Authenticity Verification displayed when the files are unzipped. WHAT'S NEW NETSHIELD Version 1.5BETA-II replaces Version 1.5BETA. New features added in this release include: ■ An exception list of directories and/or files NOT to create CRC checks for. ■ When prompted for a directory or filename, pressing the Insert key a second time while at a dialogue box brings up a requestor to pick the directory or filename from. ■ Fixed problem with resources not being released when NETSHIELD is unloaded. NETSHIELD Version 1.5BETA-II (V102) Page 4 INSTALLATION Copy the NETSHLD.NLM and VIR.DAT files together into the SYS:SYSTEM directory or any other directory. Add one of the following lines to your AUTOEXEC.NCF file: LOAD NETSHLD runs NETSHIELD with the default settings and no configuration file LOAD NETSHLD LOAD runs NETSHIELD with the default configuration file, VIR$CFG.DAT, from the SYS:SYSTEM directory LOAD NETSHLD LOAD={path and filename} run NETSHIELD with a user-specified configuration file from a user-specified directory. NOTE: If NETSHIELD is run from directory other than SYS:SYSTEM, the complete path and filename must be entered after the "LOAD=" statement. We recommend that when installing NETSHIELD for the first time, a configuration file be created and saved for it. This way, NETSHIELD will always be loaded with optimal virus detection for your environment. Unless otherwise specified, NETSHIELD creates, loads, and saves configuration files and reports in the same directory the NETSHLD.NLM file is located in, NETSHIELD Version 1.5BETA-II (V102) Page 5 OPERATION When NETSHIELD is run the message "Please wait, loading patterns." appears on the Novell Console screen. Once the patterns have been loaded the Available Options Menu appears: _________________ AVAILABLE OPTIONS MENU ______________________ Do a scan immediately (Terminate a current scan) Configuration options Report options Signature control Exit _______________________________________________________________ NOTE: Options inside parentheses denote "toggled" options OPTION: Do a scan immediately (Terminate a current scan) MEANS: Starts (stops) scan of files for viruses. EXPLANATION: Starts an Immediate scan of all selected volumes for viruses. To choose which volumes are scanned, select Configuration Options -> What to scan -> Volumes to scan. Selecting "Terminate a current scan" will stop an Immediate or Period (scheduled) scan. OPTION: Configuration options MEANS: Set NETSHIELD's parameters. EXPLANATION: Brings up the Configuration Menu. From this menu the various NETSHIELD parameters can be set. For more information, please refer to the CONFIGURATION OPTIONS section. OPTION: Report Options MEANS: Set reporting options, view log file. EXPLANATION: Brings up the Report Options Menu. From this menu the various NETSHIELD reporting options can be set. For more information, please refer to the REPORT OPTIONS section. OPTION: Signature Control MEANS: Update or add virus signatures EXPLANATION: Brings up the Signature Control Menu. From this menu a new set of virus signatures can be loaded, or a new virus string can be added. For more information, please refer to the SIGNATURE CONTROL section. OPTION: Exit MEANS: Unload NETSHIELD EXPLANATION: Shut down and exit to System Console. Console. If an "unload password" has been selected, it must be entered before NETSHIELD unloads itself. NETSHIELD can not be unloaded from the System Console command line. If a regular (Immediate or Periodic) scan is being performed, it will be halted when NETSHIELD unloads. NETSHIELD Version 1.5BETA-II (V102) Page 6 CONFIGURATION OPTIONS The Configuration Menu is the menu from which various parameters for NETSHIELD are set. From the Configuration Menu, the following options may be selected: __________________ CONFIGURATION MENU _________________________ On-access scanning options Period-scanning options Actions on virus detection What to Scan Contact options Configuration file options Speed/Accuracy controls CRC controls Password Access Control Exit _______________________________________________________________ OPTION: On-access scanning options MEANS: Select accesses to trap for scanning. EXPLANATION: Brings up the Trap Access Menu. From this menu scanning can be selected for Incoming files, Outgoing files, both, or None. Selecting "Return to Previous menu" returns to the previous menu with no changes made to the options. OPTION: Period-scanning options MEANS: Schedule a scan for a specific time. EXPLANATION: Brings up the Activate/Deactivate Menu: __________________ ACTIVATE/DEACTIVATE MENU _____________________ Activate (Deactivate) Priority to run with Exit _______________________________________________________________ NOTE: Options inside parentheses denote "toggled" options The "Activate" item allows scans to be scheduled on a Daily, Weekly, or Monthly basis. When selecting a "Daily" scan, NETSHIELD will prompt the user to enter the time to start scanning. Enter the time in "24 hour" format, e.g., 1:00PM becomes 1300 hours. Selecting "Deactivate" disables period-scanning. If a period-scan is running when "Deactivate" is selected, the scan will continue until finished. Select "Terminate a current scan" from the Available Options Menu to halt an ongoing period-scan. NETSHIELD Version 1.5BETA-II (V102) Page 7 Select "Priority to run with" selects the amount of CPU time NETSHIELD is to use when performing a periodic scan. Ten levels of priority are available, with 1 being the highest and 10 being the slowest. When run with a priority setting of 1, 40-50% CPU usage is added and approximately 1 file is scanned per second. When run with a priority of 10, 1-2% CPU usage is added and 1 file is scanned approximately every 10 seconds. If no priority is set, priority 5 will be assumed. If a priority of 0 is set, NETSHIELD will run at the speed of the previous major release, Version 1.04 (there is no equivalent in the 1-10 settings for this priority) Select "Return to Previous menu" to return to the previous menu with no changes made to the options. NOTE: When scheduling a periodic scan it is recommend to select a time at which server utilization is low. OPTION: Actions on virus detection MEANS: What to do if a virus is found. EXPLANATION: Brings up the "Actions to take on virus detection" Menu. From here, the actions to take against files and the list of users to contact when a virus is found is configured. Choosing "File Actions" brings up the "Action when virus found" Menu. From here select from the following options: Selecting "Delete infected file" deletes virus-infected files. Deleted files can be recovered by the SALVAGE command. Selecting "Overwrite and delete" wipes virus-infected files. Files deleted in this manner can NOT be recovered. Selecting "Move infected file" moves infected files to the directory specified by "Set move-to directory." Selecting "Leave infected files alone" performs no action on infected files. Selecting "Set move-to directory" chooses the destination directory to which infected files are moved. If no directory is specified then a subdirectory named \INFECTED is created in the current directory and infected files are moved into it. To select an existing directory, press the Insert key to bring up a file requestor and use the cursor keys and Enter to choose a directory, or press Escape to exit without selecting or changing the directory. Selecting "Return to Previous Menu" displays the current Action and returns to the previous menu. NETSHIELD Version 1.5BETA-II (V102) Page 8 OPTION: What to Scan MEANS: Set areas of server, files and users to scan EXPLANATION: Brings up the "What Areas to Scan and Exclude" Menu from which volumes and file extensions to scan are selected, and users and directories to ignore are selected The following options are available: ____________ WHAT AREAS TO SCAN AND EXCLUDE MENU ______________ Volumes to Scan Change scanned extensions Ignore Users Non-CRC checked files Skip directories Return to Previous Menu _______________________________________________________________ Selecting "Volumes to scan" determines which volumes will be scanned during Immediate and Period (scheduled) scanning. On-Access scanning checks all mounted volumes and is not affected by this option. By default, all mounted volumes are scanned. Press the Insert key to add a volume name, the Delete key to remove one, and Escape to exit. Selecting "Change scanned extensions" brings up the "Change extensions scanned" menu. Select from the following options: _________________ CHANGE EXTENSIONS SCANNED ___________________ Extensions to scan on access Extensions to scan during regular scan Extensions that will NOT be scanned Extensions that will be checked by CRC Return to Previous Menu _______________________________________________________________ Selecting "Extensions to scan on access" allows changes to the list of file extensions checked during On-Access scanning. By default, .COM, .EXE, .OV?, and .SYS are selected. Selecting "Extensions to scan during regular scan" allows changes to the list of file extensions checked during Period (scheduled) scanning. By default, .COM, .EXE, .OV?, and .SYS are selected. Selecting "Extensions that will NOT be scanned" allows changes to the list of file extensions that you which to exclude from both types of scanning. This list is empty by default. Selecting "Extensions that will be checked by CRC" allows changes to the list of file extensions to check for unknown viruses using CRC checking. This list is empty by default. For the 1.5BETA-II release, we recommend adding the extensions .COM, .EXE, .OV?, and .SYS. These extensions will be added as the default list of extensions in the production release. Press the INS key to insert a file extension, the DEL key to remove them, and the ESC key to exit. To scan ALL files, including data, for viruses remove any current filename extensions and set the On Access and Regular scanning extensions to "*". NOTE: Scanning all files may impact server performance. For this reason, scanning all files is generally not recommended. NOTE: Using "*" or "???" as an extension is not recommended for CRC checking, since this will cause all files to be added to the CRC data file, including data files, batch files, bindery files and other files which change frequently. Selecting "Return to Previous Menu" displays the current Action and returns to the previous menu. Selecting "Ignore users" specifies which users should not be scanned for virus-infected files. This option should only be used to exclude accounts that run unattended processes, such as network backup. This will allow the process to continue if the account tries to access an infected file. "Ignore users" only skips virus scanning during On-Access scanning; Immediate and Period (scheduled) scanning will still occur, and entries will still be added to the log file. Selecting "Skip directories" selects which directories will not be scanned for virus infected files. This option should be used for excluding directories which contain virus- infected files, such as the containment directory created by NETSHIELD to move virus infected files into. When inserting a directory to be skipped, the name of the file server, volume, and directory must be entered in the following format: {file server}/{volume name}:/{directory}/ Note the placement of the forward slashes and colon. Selecting "Non-CRC checked files" brings up a list of directories and/or files not to create CRC checks for. Press the Insert key to add to the list, the Delete key to remove from the list, the Enter key to exit, and the Escape key to exit without making any changes. Selecting "Return to Previous Menu" displays the current Action and returns to the previous menu. NETSHIELD Version 1.5BETA-II (V102) Page 9 OPTION: Configuration file options MEANS: Load and save NETSHIELD configurations. EXPLANATION: Selecting "Configuration file options" brings up the "Save and Load Configurations" Menu. From here, different configurations can be loaded, saved, and written. Select "Load configuration file" to load a configuration file for NETSHIELD. Select "Save configuration file" to save a configuration file for NETSHIELD NOTE: If no configuration file was specified when NETSHIELD was loaded, then the default path is used and the filename is set to VIR$CFG.DAT. Pressing any key will clear the default and allow a new path and filename to be entered. Selecting "Write configuration report" allows an ASCII text file containing NETSHIELD's options to be saved. NETSHIELD defaults to a filename of VIR$CFG.TXT in the same directory that the NETSHLD.NLM file is located in. Pressing any key will clear the default filename and allow a new path and filename to be entered. NOTE: The configuration report must be written to the network drive. It can not be written to the local drive of a workstation. Selecting "Return to Previous Menu" displays the current Action and returns to the previous menu. OPTION: Speed/Accuracy controls MEANS: Set NETSHIELD for speed or accuracy during scanning EXPLANATION: This option optimizes NETSHIELD for speed or for accuracy when scanning. When set to "Full Scanning" NETSHIELD will check a greater portion of files for viruses then when set to "Fast Scanning". Using "Fast Scanning" may reduce the accuracy of NETSHIELD. NETSHIELD Version 1.5BETA-II (V102) Page 10 OPTION: CRC controls MEANS: Set and configure CRC checking for unknown viruses EXPLANATION: Brings up the "CRC Control" Menu. From here, NETSHIELD can be set to detect unknown viruses using CRC checking. Available options are: Selecting "No CRC check" disables checking for unknown unknown viruses via CRC checks. Selecting "Fast CRC" check performs a CRC check against the beginning of a file. If no entry exists in the CRC data file, NETSHIELD will create an entry for it. Selecting "Full CRC check (SLOW!)" performs a CRC check against all of a file. If no entry exists in the CRC data file, NETSHIELD will create an entry for it. Selecting "Set filename to store CRC's in" allows the name and location of the CRC data file to be changed. By default, it is set to VIR$CRC.DAT and stored in the same directory as the NETSHLD.NLM file. Selecting "Extensions that will be checked by CRC" brings up the "Extensions to scan" pop-up menu. To add extensions, press the INS key, to remove an extension, press the DEL key, and to exit, press the ESC key. NOTE: Using "*" or "???" as an extension is not recommended since this will cause all files to be added to the CRC data file, including data files, batch files, bindery files and other files which are subject to change frequently. Selecting "Return to Previous Menu" displays the current Action and returns to the previous menu. OPTION: Password Access Control MEANS: Set passwords to unload NLM or change configuration EXPLANATION: Allows passwords to be set for exiting NETSHIELD or changing its configuration. Selecting "Enter Password" allows a password to be set for unloading NETSHIELD and optionally changing NETSHIELD's configuration. The password is case-sensitive, can be up to forty (40) characters long, and can be any mix of alphanumeric and punctuation characters. If a password exists, then it must be re-entered before the password can be changed or removed. Selecting "Enable Configuration Menu password (Disable Configuration Menu password)" toggles between requiring the password to change NETSHIELD's configuration and not requiring it. Selecting "Return to Previous Menu" displays the current Action and returns to the previous menu. NETSHIELD Version 1.5BETA-II (V102) Page 11 OPTION: Return to previous menu MEANS: Exit EXPLANATION: Leaves the Configuration Menu and returns to the Available Options Menu. NETSHIELD Version 1.5BETA-II (V102) Page 12 REPORT OPTIONS The Report Options Menu is the menu from which the the creation and viewing of NETSHIELD log files are set. From the Report Options Menu, the following options may be selected: __________________ REPORT OPTIONS MENU _______________________ Set path for log file Enable logging (Disable logging) View log file Print log file Print and clear log Clear log Return to Previous Menu _______________________________________________________________ OPTION: Set path for log file MEANS: Select destination directory for report EXPLANATION: Specifies the location to store reports created by NETSHIELD. The current log file is always displayed. If the log file has not been configured, the default filename will be VIR$LOG.DAT. Press any key to clear the filename and enter a new one. OPTION: Enable Logging (Disable logging) MEANS: Create (do not create) a log file EXPLANATION: This option toggles creation of a virus incident log file on and off. OPTION: View log file MEANS: Display log file EXPLANATION: View any log files of virus incidents. Use the HOME key to view the first entry in the log file, the END key to view the last entry, the PGUP and PGDN keys to view the log file one screen at a time, and the ESC key to exit. OPTION: Print log file MEANS: Send log file to print queue EXPLANATION: Displays a list of available print queues on the server to print the log file to. Use the cursor keys to select a print queue, ENTER to accept, and ESC to abort. OPTION: Print and clear log file MEANS: Send log file to print queue, erase log file EXPLANATION: Displays a list of available print queues on the server to print the log file to. After printing, the log file is erased. Use the cursor keys to select a print queue, ENTER to accept, and ESC to abort. NETSHIELD Version 1.5BETA-II (V102) Page 13 OPTION: Clear log MEANS: Erase the current log file EXPLANATION: Deletes the current log file. Selecting "Return to Previous Menu" displays the current Action and returns to the previous menu. NETSHIELD Version 1.5BETA-II (V102) Page 14 SIGNATURE CONTROL The Signature Control Menu is the menu from which NETSHIELD's virus signature file is updated and external virus signature search strings are entered. From it, the following options may be selected: OPTION: Update signature with new VIR.DAT MEANS: Load a new signature file into memory EXPLANATION: Reads a new virus signature pattern file in to memory. By default, the file VIR.DAT will be loaded from the same directory the NETSHLD.NLM file is located in. To change this, press a key and type in the new directory and file name for the pattern file. OPTION: Load external strings MEANS: Insert a new individual virus signature string EXPLANATION: Reads in a user-created ASCII text file containing a search string for a new virus. For the beta release, please refer to the VIRUSCAN documentation on how to create one. OPTION: Return to previous menu MEANS: Exit EXPLANATION: Leaves the Configuration Menu and returns to the Available Options Menu. NETSHIELD Version 1.5BETA-II (V102) Page 15 VIRUS REMOVAL It is strongly recommended that you get experienced help in dealing with viruses if you are unfamiliar with anti-virus software and methods. This is especially true for 'critical' viruses that infect files whenever they are accessed and partition table/boot sector infecting viruses as improper removal can result in the loss of all data and use of the infected disk(s). If you require assistance with a computer virus incident, you can contact McAfee Associates for help by BBS, FAX, telephone, Internet, or CompuServe. There is no charge for technical support directly from McAfee Associates. Technical support through any of McAfee Associates' Authorized Agents may be billed at normal support rates. All of McAfee Associates' programs can be downloaded from our BBS, the SIMTEL20 archives on the Internet, the McAfee Virus Help Forum on CompuServe, or from any of the agents listed in the enclosed AGENTS.TXT text file. NETSHIELD Version 1.5BETA-II (V102) Page 16 TECHNICAL SUPPORT For fast and accurate help, please have the following information ready when you contact McAfee Associates: - Version number of NETSHIELD x.xx (Vyy) - Brand and model of server, hard disk, installed cards, and any other peripherals. - Version of NetWare. - Printouts of the AUTOEXEC.NCF and STARTUP.NCF files. _ Printout of NETSHIELD Configuration Report. - The exact problem you are having. Please be as specific as possible. Having a printout of the screen and/or being at the system console will be helpful. In the case of a network crash, please include the following: - Type of error from the ABEND Message - Thread which caused the error Technical support can be contacted by BBS, CompuServe, FAX, or Internet 24 hours a day, or by telephone at (408) 988-3832, Monday through Friday, 7:00AM to 5:30PM Pacific Time. McAfee Associates (408) 988-3832 office 3350 Scott Blvd. Bldg. 14 (408) 970-9727 fax Santa Clara, CA 95054-3107 (408) 988-4004 BBS (24 lines) U.S.A USR HST/v.32/v.42bis/MNP 1-5 CompuServe GO MCAFEE ATTN: Technical Support Internet support@mcafee.COM If you are overseas, there may be an Authorized McAfee Associates Agent in your area. Please refer to the AGENTS.TXT file for a listing of McAfee Associates Agents. NETSHIELD Version 1.5BETA-II (V102) Page 17 LICENSE NETSHIELD may be copied and distributed for testing and evaluation purposes on a trial period of five (5) days. If you wish to use NETSHIELD after the trial period, a license is required. Licenses are available for internal use within businesses, organizations, government agencies, and external use by repair centers and other service organizations. License fees are based on the size of the network or number of copies required. Information on licensing can be obtained from McAfee Associates or any of its Authorized Agents listed in the accompanying AGENTS.TXT file.