Shareware Overload

home *** CD-ROM | disk | FTP | other *** search

/ Shareware Overload / ShartewareOverload.cdr / virus / vshld76.zip / VSHLD76.DOC < prev

Wrap

Text File | 1991-04-08 | 25KB | 559 lines

VSHIELD Version 3.4V76 VSHIELD1 Version 0.2 Copyright (C) 1989, 1990, 1991 by McAfee Associates. All rights reserved. Documentation by Aryeh Goretsky. McAfee Associates (408) 988-3832 office 4423 Cheeney Street (408) 970-9727 fax Santa Clara, CA 95054-0253 (408) 988-4004 BBS 2400 bps U.S.A (408) 988-5138 BBS HST 9600 (408) 988-5190 BBS v32 9600 TABLE OF CONTENTS SYNOPSIS . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 - What VSHIELD is, system requirements AUTHENTICITY . . . . . . . . . . . . . . . . . . . . . . . . . .2 - Verifying the integrity of VSHIELD WHAT'S NEW . . . . . . . . . . . . . . . . . . . . . . . . . . .3 - Features, new viruses added in this release OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 - Detailed description of VSHIELD OPERATION. . . . . . . . . . . . . . . . . . . . . . . . . . . .6 - Options to use with VSHIELD EXAMPLES . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 - Samples of frequently-used options INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . .9 - How to install VSHIELD on your system EXIT CODES . . . . . . . . . . . . . . . . . . . . . . . . . . .9 - For running VSHIELD from batch files VIRUS REMOVAL. . . . . . . . . . . . . . . . . . . . . . . . . .10 - What to do if a virus is found REGISTRATION . . . . . . . . . . . . . . . . . . . . . . . . . .11 - How to register VSHIELD in the U.S. and abroad TECH SUPPORT . . . . . . . . . . . . . . . . . . . . . . . . . .11 - Information you should have ready when calling APPENDIX A . . . . . . . . . . . . . . . . . . . . . . . . . . .12 - Creating an exception list for the /CERTIFY option Page 1 VSHIELD Version 3.4V76 Page 2 SYNOPSIS VSHIELD is a virus prevention program for IBM PC and compatible computers. It will prevent viruses from infecting your system. When VSHIELD first loads it will search the PC for known computer viruses in memory, the partition table, boot sector, system files, and itself and then install itself as a Terminate-and-Stay-Resident (TSR) program. It will then scan all programs before allowing the system to execute them. If any program contains a virus, VSHIELD will refuse to allow it to execute. It will also not allow the system to be warm-booted from any diskette which contains a boot-sector virus. VSHIELD can optionally check files that have been validation coded by the VIRUSCAN (SCAN) program for new, unknown viruses. VSHIELD can monitor a system for viruses by checking a program for virus signatures, checking the validation code added by the VIRUSCAN program to a file, or do both. Two separate programs are available. The first, VSHIELD.EXE, does known-virus and validation checking. The second program, VSHIELD1.EXE, does validation checking only. The VSHIELD programs will monitor all program loads regardless of the disk they occur on. VSHIELD optionally provides access control functions to reduce the risk of introducing computer viruses from unknown software. VSHIELD will run on any PC with 256Kb and DOS version 2.0 or greater. VSHIELD1 uses 6Kb of system memory. VSHIELD uses 33Kb of system memory in non-swap mode, or 3Kb if swapping-to-disk is specified. AUTHENTICITY VSHIELD is packaged with the VALIDATE program to ensure the integrity of the VSHIELD.EXE and VSHIELD1.EXE files. The VALIDATE.DOC instructions tell how to use the VALIDATE program. The VALIDATE program is distributed with VSHIELD and may be used to check all future versions of VSHIELD. The validation results for the VSHIELD Version 76 and VSHIELD1 Version 0.2 programs should be: FILE NAME: VSHIELD.EXE VSHIELD1.EXE SIZE: 31,425 11,281 DATE: 04-08-1991 02-14-1991 FILE AUTHENTICATION Check Method 1: 7F25 6B40 Check Method 2: 042A 103E If your copy of the VSHIELD programs differ, they may have been modified. Always obtain your copy of VSHIELD from a known source. The latest version of VSHIELD and validation codes for VSHIELD.EXE and VSHIELD1.EXE can be obtained off of McAfee Associates bulletin board system at (408) 988-4004. VSHIELD Version 3.4V76 Page 3 Beginning with Version 72, all McAfee Associates programs for download are archived with PKWare's PKZIP Authentic File Verification. If you do not see the "-AV" message after every file is unzipped and receive the message "Authentic Files Verified! # NWN405 Zip Source: McAFEE ASSOCIATES" when you unzip the files then do not run them. If your version of PKUNZIP does not have verification ability, then the message may not be displayed. Please contact McAfee Associates if your .ZIP file has been tampered with. WHAT'S NEW Version 76 has been completely re-structured to provide a major increase in the execution speed. Version 76 will run twice as fast as previous versions. The amount of time added to program loads will now be cut in half. Version 76 of VSHIELD adds 18 new viruses, bring the number of discrete computer viruses detected to 239 and the number of variants to 501 viruses. Version 76 of VSHIELD adds two new options, /WINDOWS option and /CHKHI. When run with the /WINDOWS option, VSHIELD will intercept viruses in DOS processes under Microsoft Windows. The /CHKHI command allows the scanning of the high memory area present on 286 and 386 machines. VSHIELD Version 3.4V76 Page 4 OVERVIEW VSHIELD is a memory-resident program that prevents viruses from infecting your computer. VSHIELD does this by checking program files before they are loaded into the computer and executed. If a virus is found, or a program does not match its validation check, or a file is not on the /CERTIFY list, then VSHIELD will not allow the file to be executed, preventing the virus from infecting your system. VSHIELD will also check the disk the computer is booting from for boot sector and partition table viruses. In the event that a virus is found, VSHIELD will not allow the system to reboot and will prompt the user to insert a clean, write-protected boot disk and run the VIRUSCAN program to determine the extent of the infection. When VSHIELD is placed in the AUTOEXEC.BAT file, it will install itself each time the system is turned on or rebooted. It will proceed to check the memory, partition table, boot sector, system files, and itself for viruses and then install itself as a Terminate-and-Stay-Resident (TSR) program. It then monitors all program loads for viruses. If a virus is found using Level I protection, a warning message will be displayed stating the name of the modified file. If a virus is found using Level II or III protection, a warning message will be displayed stating the filename and name of the virus. Loading will then be terminated, preventing infection of the system by the infected program. If a program is loaded using the /CERTIFY option that has not been validated or is not on the exception list, then a message will be displayed saying that access has been denied. When the power is turned off and the system is booted (without VSHIELD) off an infected floppy, VSHIELD will detect the infection the next time VSHIELD is executed. VSHIELD level II and III protection will also prevent partition table and boot sector infector viruses from infecting the system during a a warm reboot of the system (Ctrl-Alt-Del). It does this by examining the diskette being booted from and halting the reboot process if a virus is found. VSHIELD has four levels of user-selectable protection: - Level I protection, provided by the VSHIELD1 program, checks the Cyclic Redundancy Check (CRC) validation code values added to programs by the VIRUSCAN program's /AV option. If a program no longer matches its validation code VSHIELD1 will not allow it to execute. VSHIELD1 will also check the partition table and boot sector validation codes, if present. Level I protection provides a minimal degree of protection, and it is recommended that Level II protection or above be used if system resources permit. - Level II protection, provided by the VSHIELD program, checks program files for virus signatures. A virus signature is a piece of code or pattern unique to each computer virus strain. VSHIELD will check the memory, partition table, boot sector, system files, and itself for viruses before installing itself as a TSR program. It will then check programs loaded after it installs itself for computers viruses. If a virus is found, VSHIELD will not allow the program to execute. VSHIELD VSHIELD Version 3.4V76 Page 5 will also not allow a computer to be warm-rebooted from a diskette infected with a partition table or boot sector infector. - Level III protection is a combination of Level I and Level II Protections. - Level IV protection is access control and allows the user to specify which programs can and can not be run. Level IV protection can be set up so that only programs that are listed in a certification file may be run on a given system. It may also be set up so that only those programs that have been validated by VIRUSCAN may be run. Each level of protection has its advantages and disadvantages. The Level I protection, VSHIELD1, requires the least amount of system overhead, using 6Kb of system memory. It provides minimal protection, however. The Level II, III, and IV protections requires 34Kb of system memory, but this can be reduced to 3Kb by using the /SWAP option. The /SWAP option leaves a VSHIELD kernel in memory that swaps the main body of the program in and out of memory as needed. VSHIELD will add an average of three seconds to each program load, and six seconds to each reboot. Using the /SWAP option adds an additional 600 milliseconds to each program load. VSHIELD will not degrade the performance of the system in any way once a program has been loaded. VSHIELD1 will add an average of 1 second to each program load. NOTE: VSHIELD and VSHIELD1 should not be used simultaneously. Either one or the other should be selected. OPERATION IMPORTANT NOTE: CREATE A BACKUP DISK BY COPYING THE VSHIELD PROGRAMS TO A BLANK FLOPPY AND WRITE-PROTECTING IT BEFORE RUNNING THE PROGRAMS. THIS WILL GIVE THE USER A VALID BACKUP IN CASE THE PROGRAMS BECOME INFECTED. VSHIELD and VSHIELD1 will monitor your system for attempts to load an infected program. If an infected program is loaded, VSHIELD will display a message stating the name of the file, the virus infecting it, and will prevent the file from being executed; and VSHIELD1 will display a message stating the name of the file, the fact that it has been modified, and will prevent the file from being executed. VSHIELD Version 3.4V76 Page 6 To run VSHIELD type: VSHIELD /CERTIFY filename /CHKHI /CONTACT message /CV /F pathname /LOCK /M /NB /NOMEM /SWAP pathname /WINDOWS Options are: /CERTIFY filename - Enable access control with exception list /CHKHI - Check High Memory Area on 286/386 PC's /CONTACT message - Display message when virus is found /CV - Check validation codes added by VIRUSCAN /LOCK - Halt and freeze system when virus is found /M - Scan memory for all viruses during install (see restrictions below) /NB - Disable boot sector checking /NOMEM - Skip memory checking /REMOVE - Uninstall VSHIELD from memory /SWAP pathname - Install VSHIELD kernel as memory-resident /F pathname - Required parameter for DOS 2.0 or earlier /WINDOWS - Enable checking of DOS processes under Windows The /CERTIFY option allows a systems administrator to control access to executable files. This can be used to prevent unauthorized software from running that could introduce a computer virus. When run with the /CV option, /CERTIFY allows only files that have had validation codes inserted into them with the VIRUSCAN program to execute. An exception list of "trusted" files can also be made to allow files on the exception use to be executed. if /CERTIFY is used wothout the /CV option, then only those programs in the exception list will be allowed to run on the system. For instructions on how to create an exception list, refer to Appendix A. NOTE: Running /CERTIFY without /CV option or an exception list will prevent all programs other than DOS internal commands from being run. The /CONTACT option displays a contact name and phone number when a virus is found. The name and number message can be fifty (50) characters long, and can contain any characters. If the message begins with a slash "/" or a hyphen "-" then the message must placed in quotation marks. The /CHKHI option checks the High Memory Area on AT and 386 machines for viruses. The message "Scanning 1088K RAM" will be displayed. On XT systems with extended memory cards installed, this will cause the first 64K of RAM to be scanned again. This option can not be used with the /NOMEM option. VSHIELD Version 3.4V76 Page 7 The /CV option checks validation codes inserted by the VIRUSCAN program to provide Level III protection as defined above. If a file no longer matches its validation code, VSHIELD will report that the file has been modified, that viral infection may have occurred, and will not allow the program to execute. If the /CV option is not specified, VSHIELD will provide Level II (virus signature) checking only. For information about the installation of CRC validation codes, please refer to the VIRUSCAN program documentation. The /F option is required if the user wishes to use the /SWAP command and is running DOS 2.0 or earlier. The /F option tells VSHIELD where it has been loaded from. The complete pathname must be specified. The /LOCK option will halt the system if a virus is found so that processing cannot continue. The /M option tells VSHIELD to check system memory for all known computer viruses that are memory resident before installing itself. By default, VSHIELD only checks memory for critical and "stealth" viruses, which are viruses that can cause damage or spread during the scanning process. If a critical or "stealth" virus is found, VSHIELD will stop the system and advise the user to cold boot the machine from a clean copy of DOS and scan the system for viruses. For a listing of critical viruses, see the VIRUSCAN documentation. The /NOMEM option is used to turn off all memory checking for viruses during installation. It should only be used when a system is known to be free of viruses. This option can not be used with the /M option. The /NB option will tell VSHIELD not to look at the partition table and boot sector. The /REMOVE option will uninstall the VSHIELD program and remove it from memory. If other memory-resident programs prevent VSHIELD from being uninstalled an error message will appear. The /SWAP option tells VSHIELD to install only its kernel as memory resident. The VSHIELD program will then be swapped in and out of memory as needed from a hard disk or RAM disk. The placement of a path after the /SWAP command is optional, and should only be used if VSHIELD is to be swapped from other than the path from which it is being executed. NOTE: The /SWAP parameter should only be used if the computer has a limited amount of system memory available for memory-resident programs. It is recommended that VSHIELD be used without the /SWAP option whenever memory permits. The /WINDOWS option should be used when running Windows 3.0. VSHIELD Version 3.4V76 Page 8 To run VSHIELD1 type: VSHIELD1 /NB /REMOVE Options are: /NB - Bypass boot sector checking /REMOVE - Uninstall VSHIELD1 from memory The /NB option will tell VSHIELD not to look at the partition table and boot sector. This option should only be used if VSHIELD1 continually reports that the boot sector has been modified. This occurs on some old Hewlett Packard and Zenith systems because they modify the boot sector each time the system is booted. Check your system's manual to determine if your system contains self-modifying boot code. The /REMOVE option will uninstall the VSHIELD1 program and remove it from memory. If other memory-resident programs prevent VSHIELD1 from being uninstalled an error message will appear. EXAMPLES The following examples are shown as they would be typed in on the command line. VSHIELD1 To install VSHIELD (Level I protection) VSHIELD To install VSHIELD (Level II protection) VSHIELD /CV To install VSHIELD (Level III protection) VSHIELD /CV /CERTIFY EXCPTN.LST To Install VSHIELD (Level IV protection) with CRC and exception list checking. VSHIELD /SWAP To install VSHIELD kernel only as memory resident and swap from root directory of disk on DOS 3.0+ system VSHIELD /SWAP /F C:\VSHIELD.EXE To install VSHIELD kernel only as memory resident and swap from root directory of disk on DOS 2.0 system VSHIELD /CV /CONTACT "Please Contact the PC Help Desk" To install VSHIELD using Level III protection, and display a message if virus is found. VSHIELD Version 3.4V76 Page 9 INSTALLATION VSHIELD and VSHIELD1 should be normally placed at the end of the AUTOEXEC.BAT file. The exception is any AUTOEXEC file that contains a DOS Shell routine. In this circumstance, VSHIELD or VSHIELD1 should be loaded immediately prior to the Shell routine. If network drivers are being used, VSHIELD *MUST* be loaded AFTER the network drivers, preferably at the end of the AUTOEXEC. This is because network drivers replace normal DOS functions in a manner that prevents VSHIELD from recognizing program loads if VSHIELD is loaded first. Running VSHIELD after network drivers have been loaded will ensure proper virus protection. It is recommended that VSHIELD be used in non-swap mode if free memory permits. Use of the /SWAP option may cause conflicts with programs that fail to allocate memory properly. If conflicts occurs do occur, remove the /SWAP option and reboot the machine. If there is not enough memory to load VSHIELD in non-swap mode, than the VSHIELD1 program should be used instead. ERROR LEVELS VSHIELD will set the following DOS ERRORLEVELS prior to going resident: VALUE | DESCRIPTION ------+-------------------------- 0 | No viruses found 1 | One or more viruses found 2 | Abnormal termination (program error) VSHIELD Version 3.4V76 Page 10 VIRUS REMOVAL What do you do if a virus is found? You can contact McAfee Associates for assistance with manually removing the virus, for disinfection utilities, and for more information about the virus. When an infection is found, the VIRUSCAN program should be run to scan the entire system to determine the extent of infection. The VIRUSCAN program is available for download off of McAfee Associates' BBS. The CLEAN-UP universal virus disinfection program is available and will disinfect the majority of reported computer viruses. It is updated frequently to remove new viruses. The CLEAN-UP program can be downloaded from McAfee Associates' BBS. It is strongly recommended that you get experienced help from local consultants or other experienced sources in dealing with viruses, especially critical viruses that can damage or destroy data [for a listing of critical viruses, pleae refer to the VIRUSCAN program documentation] and partition table or boot sector infecting viruses, as improper removal of these viruses could result in the loss of all data and use of the disk(s). VSHIELD Version 3.4V76 Page 11 REGISTRATION A registration fee of $25.00US is required for the use of VSHIELD by individual home users. Registration is for one year and entitles the holder to unlimited free upgrades off of McAfee Associates' bulletin board. Diskettes are not mailed unless specifically requested. Add $9.00US for diskette mailings. Registration is for home users only and does not apply to businesses, departments, organizations, government agencies, or schools, who must obtain a site license for use. Contact McAfee Associates for more information. Outside of North America, registration and support may be obtained through the agents listed in the accompanying AGENTS.TXT text file. TECHNICAL SUPPORT In order to facilitate speedy and accurate support, please have the following information ready when you contact McAfee Associates: - Program name and version number. - Type and brand of computer, hard disk, plus any peripherals. - Version of DOS you are running, plus any TSRs or device drivers in use. - Printouts of your AUTOEXEC.BAT and CONFIG.SYS files. - The exact problem you are having. Please be as specific as possible. Having a printout of the screen and/or being at your computer will help also. McAfee Associates can be contacted by BBS or fax twenty-four hours a day, or call our business office at (408) 988-3832, Monday through Friday, 8:30AM to 6:00PM Pacific Standard Time. McAfee Associates (408) 988-3832 office 4423 Cheeney Street (408) 970-9727 fax Santa Clara, CA 95054-0253 (408) 988-4004 BBS 2400 bps U.S.A (408) 988-5138 BBS HST 9600 (408) 988-5190 BBS v32 9600 VSHIELD Version 3.4V76 Page 12 APPENDIX A: Creating an Exception List for the /CERTIFY Option The Exception List data file should be created with an editor or word processor and saved as an ASCII text file. Be sure each line ends with a CR/LF pair. NOTE: The /CERTIFY option is intended for use in environments where there is significant risk of viral infection due to the use of unauthorized software. It is not intended for use in an environment where new software is introduced on a continious basis. When /CERTIFY is run with the /CV option, only files that have been validated by the VIRUSCAN program will be allowed to run. When run with an Exception List, only files in that list will be allowed to run. Running /CERTIFY with both the /CV option and an exception list will allow both files that have been validated with the VIRUSCAN program and files on the exception list to be run. The Exception List uses the following format: d:\pathnam1\filenam1.ext *comment . . d:\pathnam1\filenam2.ext *more comments Where "d:" is the name of the drive, "\pathnam1\" is the name of the path, and "filename.ext" is the name of the file, including the extension. Up to 1,000 characters worth of filenames can be specified. Comment lines are preceded with an asterisk "*" and are ignored by VSHIELD. Running /CERTIFY without /CV option or an exception list will prevent all programs other than DOS internal commands from being run.