NETSCAN Version V76
Copyright (C) 1989, 1990, 1991 by McAfee Associates.
All Rights Reserved.
Documentation by Aryeh Goretsky.
McAfee Associates             (408) 988-3832 office
4423 Cheeney Street           (408) 970-9727 fax
Santa Clara, CA 95054-0253    (408) 988-4004 BBS 2400 bps
U.S.A.                        (408) 988-5138 BBS HST 9600
                              (408) 988-5190 BBS v32 9600
SYNOPSIS
NETSCAN is a virus detection and identification program for local
and wide area networks. NETSCAN will search any networked drive
accessible as a DOS device for both known and unknown viruses.
NETSCAN works by searching the system for instruction sequences
or patterns that are unique to each computer virus, and then reporting
their presence if found. This method works for viruses that NETSCAN
recognizes. To detect unknown viruses, NETSCAN can append a validation
code or "CRC Check" for .COM and .EXE files. If the file has been
modified in any way, NETSCAN will report that an infection may have
occurred. NETSCAN will also check for new viruses via a user-supplied
list of search strings.
NETSCAN version V76, when used in conjunction with the VIRUSCAN
program on workstations, can identify all 240 computer virus strains,
with their 500 varieties.
For a complete listing of viruses detected, please read the
accompanying VIRLIST.TXT file.
NETSCAN can be run off of any workstation with 256Kb and DOS 2.0
or above (Some options may require DOS 3.1 or above). In order for
NETSCAN to check all areas of the server for computer viruses,
NETSCAN should be run under an account with global read, write, and
create privileges. NETSCAN works with 3Com 3/Share and 3/Open, Novell
NetWare, Banyan VINES, DEC DECNet, Microsoft LAN Manager, PC/SA,
and NFSNet as well as IBMNET and NETBIOS compatible networks. If you
do not see your network listed, contact McAfee Associates.
AUTHENTICITY
NETSCAN runs a self-test when executed. If NETSCAN has been
modified in any way, a warning will be displayed. The program will
still continue to check for viruses, though. If NETSCAN reports that
it has been damaged, it is recommended that a clean copy be
obtained.
NETSCAN versions 51 and above are packaged with the VALIDATE
program to ensure the integrity of the NETSCAN.EXE file. The
VALIDATE.DOC instructions tell how to use the VALIDATE program.
The VALIDATE program distributed with VIRUSCAN may be used to check
all further versions of NETSCAN.
The validation results for Version 76 should be:
FILE NAME: NETSCAN.EXE
SIZE: 58,483
DATE: 04-08-1991
FILE AUTHENTICATION
Check Method 1: 1B58
Check Method 2: 1CFC
If your copy of NETSCAN.EXE differs, it may have been modified.
Always obtain your copy of VIRUSCAN from a known source. The
latest version of VIRUSCAN and validation data for SCAN.EXE can be
obtained off of McAfee Associates' bulletin board system at (408)
988-4004.
Beginning with Version 72, all McAfee Associates programs for
download are archived with PKWare's PKZIP Authentic File
Verification. If you do not see the "-AV" message after every file
is unzipped, and do not receive the message "Authentic Files Verified!
# NWN405 Zip Source: McAFEE ASSOCIATES" when you unzip the files,
then do not run them. If your version of PKUNZIP does not have
verification ability, then this message may not be displayed.
Please contact McAfee Associates if your .ZIP file has been
tampered with.
WHAT'S NEW
NETSCAN Version 76 adds nineteen new viruses. For a complete
listing of viruses, refer to the VIRLIST.TXT file.
Version 76 of NETSCAN adds a critical error handler that allows
NETSCAN to continue scanning if a file-open error occurs. For more
information about the /UNATTEND option, see the COMMANDS section.
COMMANDS
IMPORTANT NOTE: NETSCAN SHOULD ALWAYS BE RUN FROM A WRITE-PROTECTED
FLOPPY DISK TO PREVENT NETSCAN FROM BECOMING INFECTED.
To run NETSCAN type:
NETSCAN d1: ... d10: /A /D /E .xxx .yyy .zzz /EXT d:filename
/FR /M /NLZ /NOBREAK /NOMEM /NOPAUSE
/REPORT d:filename /RV /UNATTEND
Options are:
/A - Scan all files for viruses
/D - Overwrite and delete infected files
/E .xxx .yyy .zzz - Scan overlay extensions .xxx .yyy .zzz
/EXT d:filename - Scan with external virus data file
/FR - Display messages in French
/M - Scan memory for all viruses
(see below for specifics)
/NLZ - Skip scanning of LZEXE compressed files
/NOBREAK - Disable Ctrl-C / Ctrl-Brk during scanning
/NOMEM - Skip memory checking
/NOPAUSE - Disable screen pause when scanning
/REPORT d:filename - Create report of infected files
/UNATTEND - Scan network using error handler
(d1: ... d10: indicate drives to be scanned)
The /A option will cause NETSCAN to go through all files on the
referenced drive. This should be used if a file-infecting virus
has already been detected. Otherwise the /A option should only be
used when checking a new program. The /A option will add a
substantial time to scanning. This option takes priority over the
/E option.
The /D option tells NETSCAN to prompt the user to overwrite
and delete an infected file when one is found. If the user selects
"Y" the infected file will be overwritten with hex code C3 [the
Return-to-DOS instruction] and then deleted. A file erased by the
/D option can not be recovered. If the McAfee Associates' CLEAN-UP
program is available, it is recommended that CLEAN be used to
remove the virus instead of NETSCAN, since in most cases it will
recover the infected file. Boot sector and partition table
infectors can not be removed by the /D option and require the
CLEAN-UP virus disinfection program.
The /E option allows the user to specify an extension or set
of extensions to scan. Extensions should include the period
character "." and be separated by a space after the /E and between
each other. Up to three extensions may be added with the /E. For
more extensions, use the /A option.
The /EXT option allows NETSCAN to search for viruses from a
text file containing user-created search strings. The syntax for
using the external virus data file is /EXT d:filename, where d: is
the drive name and filename is the name of the external virus data
file. For instructions on how to create an external virus data
file, refer to Appendix A.
NOTE: The /EXT option is intended for advanced users and computer
anti-virus researchers to add their own strings for detection of
computer viruses on an interim or emergency basis. When used with
the /D option, it will delete infected files. This option is not
recommended for general use and should be used with caution.
The /FR option tells NETSCAN to output all messages in French
instead of English.
The /M option tells NETSCAN to check system memory of the
workstation it is running off of for all known computer viruses that
can inhabit memory. NETSCAN by default only checks memory for
critical and "stealth" viruses, which are viruses that can cause
catastrophic damage or spread the infection during the scanning
process. NETSCAN will check memory for the following viruses
in any case:
1554            1971            1253            2100
3445-Stealth    4096            512             Anthrax
Brain           Dark Avenger    Disk Killer     Doom-2
EDV             Fish6           Form            Invader
Joshi           Microbes        Mirror          Murphy
Nomenclature    Phantom         Plastique       Polish-2
P1R (Phoenix)   Taiwan-3        Whale           Zero-Hunt
If one of these viruses is found in memory, NETSCAN will stop and
advise the user to power down, and reboot the system from a
virus-free system disk. Using the /M option with another
anti-viral software package may result in false alarms if the other
package does not remove its virus search strings from memory. The
/M option will add 10 to 40 seconds to the scanning time.
The /NLZ option tells NETSCAN not to look inside files
compressed with the LZEXE file compression program. NETSCAN will
still check the programs for external infections.
The /NOBREAK option disables Control-C or Control-Break from
stopping VIRUSCAN while running. The /NOBREAK option only works if
BREAK=OFF has been added to the CONFIG.SYS file.
The /NOMEM option is used to turn off all memory checking for
viruses. It should only be used when a system is known to be free
of viruses.
The /NOPAUSE option disables the "More..." prompt that appears
when NETSCAN fills up a screen with data. This allows VIRUSCAN to run
on a machine with multiple infections without requiring operator
intervention when the screen fills up with messages from the NETSCAN
program.
The /REPORT option is used to generate a listing of infected
files. The resulting list is saved to disk as an ASCII text file.
To use the report option, specify /REPORT on the command line,
followed by the device and filename.
The /UNATTEND option allows NETSCAN to continue scanning when a
non-shareable open file is scanned.
NOTE: The /UNATTEND option requires DOS 3.1 and above. If your PC
is running an older version, then the /UNATTEND option will not
work.
OPERATION
NETSCAN should be run while only the supervisor account is active
on the network.
NETSCAN will require approximately 3 minutes of run time for each
1,000 files on the designated drive.
LICENSE
NETSCAN may be copied and distributed for testing on a trial basis.
If you choose to use NETSCAN, a license is required. Licenses are available
for internal use within a business, organization, government agency, or
for external use by repair centers or other service organizations. License
fees will vary depending on the size of the network or number of copies of
NETSCAN required. For information contact:
McAfee Associates             (408) 988-3832 office
4423 Cheeney Street           (408) 970-9727 fax
Santa Clara, CA 95054-0253    (408) 988-4004 BBS 2400 bps
U.S.A.                        (408) 988-5138 BBS HST 9600
                              (408) 988-5190 BBS v32 9600
APPENDIX A: Creating a Virus String File with the /EXT Option
The External Virus Data file should be created with an editor
or a word processor and saved as an ASCII text file. Be sure each
line ends with a CR/LF pair.
NOTE: The /EXT option is intended for emergency and research use
only. It is a temporary method for identifying new viruses prior
to the subsequent release of NETSCAN. A sound understanding of
viruses and string-search techniques is advised as a prerequisite
for using this option.
The virus string file uses the following format:
#Comment about Virus_1
"aabbccddeeff..." Virus_1_Name
#Comment about Virus_2
"gghhiijjkkll..." Virus_2_Name
.
.
"uuvvwwxxyyzz..." Virus_n_Name
Where aa, bb, cc, etc. are the hexadecimal bytes that you wish to
scan for. Each line in the file represents one virus. The Virus
Name for each virus is mandatory, and may be up to 25 characters
in length. The double quotes (") are required at the beginning and
end of each hexadecimal string.
NETSCAN will use the string file to search memory, the Partition
Table, Boot Sector, System files, all .COM and .EXE files, and
Overlay files with the extension .BIN, .OV?, .PGM, .PIF, .PRG, .SYS
and .XTP.
Virus strings may contain wild cards. The two wildcard
options are:
FIXED POSITION WILDCARD
The question mark "?" may be used to represent a wildcard in
a fixed position within the string. For example, the string:
"E9 7C 00 10 ? 37 CB"
would match "E9 7C 00 10 27 37 CB", "E9 7C 00 10 9C 37 CB", or any
other similar string, no matter what byte was in the fifth place.
RANGE WILDCARD
The asterisk "*", followed by a range number in parentheses "("
and ")" is used to represent a variable number of adjoining random
bytes. For example, the string:
"E9 7C *(4) 37 CB"
would match "E9 7C 00 37 CB", "E9 7C 00 11 37 CB", and
"E9 7C 00 11 22 37 CB". The string "E9 7C 00 11 22 33 44 37 CB"
would not match since the distance between 7C and 37 is greater
than four bytes. You may specify a range of up to 99 bytes. Up
to 10 different wildcards of either kind may be used in one virus
string.
COMMENTS
A pound sign "#" at the beginning of a line will denote that
it is a comment. Use this for adding notes to the external virus
data file. For example:
#New .COM virus found in file FRITZ.EXE from
#Schneiderland on 01-22-91
"53 48 45 45 50" Fritz-1 [F-1]
This could be used to store a description of the virus, name of the
original infected file, where and when it was received, and so
forth.
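ADDED EXAMPLE
The Python code below is an added example, not part of the original
NETSCAN documentation and not McAfee Associates' code. It parses an
external virus data file in the format described in this appendix and
searches a byte buffer for each string. It assumes "*(n)" stands for zero
to n arbitrary bytes (the text only shows one to three bytes matching for
n = 4); the function names and the Fixed_Demo and Range_Demo entries are
hypothetical.

```python
import re

LINE = re.compile(r'^"([^"]*)"\s+(\S.*)$')          # "hex string" Virus_Name
TOKEN = re.compile(r'\s*(?:([0-9A-Fa-f]{2})|(\?)|\*\((\d{1,2})\))')

def compile_signature(hex_string):
    """Turn one quoted string body into a compiled bytes regex."""
    parts, pos, wildcards = [], 0, 0
    hex_string = hex_string.rstrip()
    while pos < len(hex_string):
        m = TOKEN.match(hex_string, pos)
        if not m:
            raise ValueError(f"bad token at column {pos}: {hex_string[pos:]!r}")
        byte, fixed, span = m.groups()
        if byte:                                   # literal byte
            parts.append(re.escape(bytes([int(byte, 16)])))
        elif fixed:                                # "?" = exactly one byte
            parts.append(b".")
        else:                                      # "*(n)"; assumed 0..n bytes
            parts.append(b".{0,%d}" % int(span))
        wildcards += 0 if byte else 1
        pos = m.end()
    if not parts or wildcards > 10:                # doc: up to 10 wildcards
        raise ValueError("empty string or more than 10 wildcards")
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: "." also matches 0x0A

def load_signatures(text):
    """Parse the file text into a list of (name, compiled pattern)."""
    sigs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):       # "#" lines are comments
            continue
        m = LINE.match(line)
        if not m or len(m.group(2).strip()) > 25:  # name mandatory, max 25 chars
            raise ValueError(f"line {lineno}: bad entry {line!r}")
        sigs.append((m.group(2).strip(), compile_signature(m.group(1))))
    return sigs

def scan(data, sigs):
    """Return (name, offset of first hit) for every signature found in data."""
    hits = ((name, rx.search(data)) for name, rx in sigs)
    return [(name, m.start()) for name, m in hits if m]

# Constructed sample file; the hex strings are the ones used in Appendix A,
# Fixed_Demo and Range_Demo are hypothetical names.
SAMPLE_FILE = ('#Constructed sample\r\n'
               '"E9 7C 00 10 ? 37 CB" Fixed_Demo\r\n'
               '"E9 7C *(4) 37 CB" Range_Demo\r\n'
               '#New .COM virus found in file FRITZ.EXE\r\n'
               '"53 48 45 45 50" Fritz-1 [F-1]\r\n')

if __name__ == "__main__":
    print(scan(bytes.fromhex("90E97C00109C37CB") + b"SHEEP", load_signatures(SAMPLE_FILE)))
```

Checking a new string file this way before passing it to /EXT shows
malformed lines and over-broad wildcards before a scan with /D acts on them.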