LANDesk(R) Management Suite v2.x: Virus Scan Usage Tips
LANDESK(R) MANAGEMENT SUITE V2.0X: VIRUS SCAN USAGE TIPS
This document discusses issues commonly encountered with Virus Scan. It
supplements the files in LANDesk(R) Management Suite's Readme Viewer.
VSCAN.EXE asks for a password before allowing you to scan the File
Server
This applies only if you are not "Supervisor" or "Supervisor
Equivalent". The default password is VPROTECT.
To change the default password, follow this procedure in both the
Sys:landesk directory and the sys:login/landesk directory.
1. Go to the DOS prompt of the landesk directory.
2. Type "Vscand /w" (without the quotes). This is not normally displayed
when a user does vscand /w. It is used by Supervisor or equivalent
users. It configures whether vscand (or vscan) requires users without
supervisory rights to enter a password before they can scan network
drives. The default password is VPROTECT.
3. You will then be prompted whether to require a password and, if so,
what password the end user must give to be able to run vscand or vscan.
4. Once you have answered the vscand /w questions, you have changed the
password requirement.
5. Once this is done, follow the same procedure, using vscand /w, in
the login/landesk directory.
How to clean a virus from a workstation, once VSCAND or VSCAN finds the
virus
If vscand can clean the virus at a high success rate, then vscand will
offer to clean the virus for you. If vscand or vscan cannot clean the
virus, then there are alternative ways to clean the virus.
File viruses: Can be cleaned by deleting the original and replacing it
with a clean original file.
Boot sector viruses:
1. Obtain a clean, bootable, write-protected floppy disk which contains
the same version of DOS as the machine you are attempting to clean.
Copy SYS.COM and FDISK.EXE to this floppy.
2. Make sure the CMOS setting is to boot from the A: drive. Power off
the computer, insert your bootable floppy, and power on the computer.
3. At this point, it is critical that you verify that the partition
table has not been damaged. To do this, type DIR for each disk
partition. If the drive has just one partition just type DIR C:. You
should see the listing of files in the C:\ directory. If you cannot
access your C: drive (or other disk partitions), it is likely you have a
damaged partition table. If this is the case, the partition table needs
to be repaired before you can attempt to clean the virus. A utility
such as Norton Disk Doctor may be helpful. If you have the Monkey
virus, which moves the partition table, download the cleaning utility
KILLMN.EXE from Intel's online services.
If you have a compressed drive, you will probably not be able to see
the hard drive unless you included the drivers for your compression
software on your boot floppy.
4. From the A: prompt type:
SYS C:
This will transfer the 2 hidden system files and COMMAND.COM. It
will also overwrite the boot sector where the virus may reside (at the
first relative sector of the partition).
5. Once the DOS prompt returns, scan the drive again to see if the
virus has been removed.
6. If the virus is still present, repeat steps 2 and 3 above, then from
the A: prompt type:
FDISK /MBR
This will write new code to the master boot record at the first
physical sector of the drive, and overwrite any virus code present.
7. Once the DOS prompt returns, scan the drive again to see if it is
clean.
8. As a last step, power off the computer, remove the boot floppy, and
turn the power back on. Scan the drive for viruses to ensure that it is
now clean.
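Step 3's partition-table check, shown at the byte level as an added example (not part of the original Intel document): the Python below inspects a 512-byte image of the first physical sector and reports whether the partition table, which rewriting the boot code does not repair, looks intact. It assumes the standard MBR layout (446 bytes of boot code, four 16-byte entries, a 0x55AA signature); the function names are hypothetical and both sample sectors are constructed.

```python
import struct

TABLE_OFFSET, ENTRY_SIZE, SIGNATURE = 446, 16, b"\x55\xaa"

def parse_table(sector):
    """Return the non-empty entries of the partition table in a 512-byte MBR."""
    if len(sector) != 512:
        raise ValueError("expected one 512-byte sector")
    entries = []
    for slot in range(4):
        raw = sector[TABLE_OFFSET + slot * ENTRY_SIZE:][:ENTRY_SIZE]
        # Byte 0: boot flag, byte 4: type, bytes 8-11: start LBA, 12-15: length.
        flag, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if raw != bytes(ENTRY_SIZE):  # skip unused (all-zero) slots
            entries.append((slot, flag, ptype, start, count))
    return entries

def check_mbr(sector):
    """Return a list of problems; an empty list means the table looks intact."""
    problems = []
    if sector[510:512] != SIGNATURE:
        problems.append("missing 0x55AA signature")
    entries = parse_table(sector)
    if not entries:
        problems.append("partition table is empty")
    for slot, flag, ptype, start, count in entries:
        if flag not in (0x00, 0x80):  # only "inactive" and "active" are valid
            problems.append(f"slot {slot}: invalid boot flag 0x{flag:02X}")
        if ptype == 0 or start == 0 or count == 0:
            problems.append(f"slot {slot}: incomplete entry")
    if sum(e[1] == 0x80 for e in entries) > 1:
        problems.append("more than one active partition")
    spans = sorted((e[3], e[3] + e[4]) for e in entries)
    for (_, end), (nxt, _) in zip(spans, spans[1:]):
        if nxt < end:  # next partition starts inside the previous one
            problems.append("overlapping partitions")
            break
    return problems

def build_sector(table, signature=SIGNATURE):
    """Constructed test sector: zeroed boot code + 64-byte table + signature."""
    return bytes(TABLE_OFFSET) + table.ljust(64, b"\0") + signature

# Constructed samples, not taken from a real disk.
INTACT = build_sector(struct.pack("<B3xB3xII", 0x80, 0x06, 63, 204800))
DAMAGED = build_sector(b"\xE5" * 64)  # table area overwritten with filler

if __name__ == "__main__":
    print("intact:", check_mbr(INTACT), "damaged:", check_mbr(DAMAGED))
```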
What are the virus scan signature files and how often are they updated
and from where?
The virus pattern file is named LPT$VPN.xxx, where xxx is the version
of the pattern file. At the time of this writing the current pattern is
050 so the file name is LPT$VPN.124. It is updated as new viruses come
out. Any end user can call into the Intel BBS to get the latest
version. To download the pattern file, go to Intel's online services;
the file is called UPxxx.EXE, where xxx refers to the most recent
pattern.
VSCAN.EXE ASKS FOR PASSWORD BEFORE ALLOWING USER TO SCAN FILE SERVER
If you are not logged in as "Supervisor" the default password is
VPROTECT. There is no method to change the password.
LANDESK(R) MANAGER VIRUS SCAN
LANDesk(R) Manager includes some on-demand virus protection features
from LANDesk Virus Protect. For detailed information on VSCAN.EXE and
VSCAND.EXE beyond the common issues covered here, download document
5528, which is available through Intel's online services.
If VSCAND.EXE gives the message ERROR READING PATTERN FILE, the
workstation may have insufficient memory. VSCAND.EXE requires about 300
KB of memory. If executing from the login script, an additional 100 KB
or so is required. To be safe, the workstation should have a largest
executable program size of at least 400KB.
Verify that the virus pattern, LPT$VPN.XXX, is in the directory from
which you ran the scan. Generally, this will be either the shared or
administrator's LANDESK directory on the network. If the problem
persists, map a search drive to the appropriate LANDESK directory.
If VSCAND.EXE gives the message "Warning: Cannot access master log
file," ignore it. This is a cosmetic mistake that appears when the
LANDesk Virus Protect package isn't installed with its full 24-hour NLM
protection.
Update the virus pattern on a monthly basis. This will help make sure
you have the best virus protection. To update your virus pattern,
download the self-extracting zip file UPDATEXX.EXE where XX is the
number of the pattern file (for example, UPDATE60.EXE) from the LANDesk
Virus Protect Current area on Intel's online services. See the
READ.ME file for installation instructions.
"COULD NOT ATTACH TO PRE-SCAN PROTOCOL STACK" OR "PSCAN: COULD NOT ATTACH PRE-SCAN DRIVERS"
Error message:
The error message "Could not attach to pre-scan protocol stack" or "PSCAN:
Could Not Attach Pre-Scan Drivers" occurs when loading the LANDesk(R)
Management Suite NLMs. Software metering (METER.NLM and RELAY.NLM)
relies on PSCAN.NLM to intercept files. RELAY.NLM won't load until
PSCAN.NLM loads successfully.
Description:
PSCAN.NLM may be failing to load because PSCAN.NLM is already loaded or
another application "dirty hooks" files directly through the operating
system on your NetWare* v3.11/3.12 file server. Another possibility is
that a PSCAN.NLM from a NetWare v3.11 file server is loading on a
NetWare v3.12 file server or vice-versa.
Solution:
1. Make sure PSCAN.NLM is unloaded (type: UNLOAD PSCAN).
2. Determine if another NLM is loaded that directly hooks files
through the operating system. Some of the known products are:
McAfee NetShield, McAfee SiteMeter, Symantec Central Point
AntiVirus, Symantec Norton AntiVirus, Cheyenne Inoculan, Funk
Software AppMeter, LANAuditor, LTAuditor, Microtest DiskPort, and
AuditTrack (ADTTRK.NLM).
If this is the case, there is a PSCANCH.NLM already in the
SYS:SYSTEM directory of the core file server (not managed file
servers) as documented in the Readme Viewer release notes for
Software Metering (LDMETER.TXT), item #7. This new NLM hooks files
through CLIB instead of through the operating system directly. For
this reason, it is required that CLIB v3.12G or later is used
because previous versions did not support file hooking. This "clean
hooks" PSCAN.NLM will work on any 3.x version of NetWare (including
SFTIII). This problem should not happen on a 4.x server, so no fix
is required.
3. Make sure the correct version of CLIB is running on the file
server. If an upgrade is required, remember that the currently
running CLIB must be unloaded, which may require that a series of
other NLMs be unloaded first.
4. Rename or delete the existing PSCAN.NLM in SYS:SYSTEM. If you use
LANDesk Virus Protect, make the same change in the VPROTECT
directory.
5. Rename PSCANCH.NLM to PSCAN.NLM. Remember to update the PSCAN.NLM
in any VPROTECT directory.
PSCAN.NLM will now load and not conflict with the other products listed
previously.
Note: If the error message continues to appear or the file server
has problems even after updating PSCAN.NLM and CLIB, then reverse the
load order of PSCAN and McAfee SiteMeter or NetShield. This reversed
load order works best. SiteMeter v4.3 and NetShield v1.61 now both
support clean hooks, which allows other third-party vendors to intercept
files. NetShield upgrades to v1.61 are available in 3NS161RC.ZIP on
McAfee's BBS at 408 988-4004. NetShield prefers CLIB v3.12F and requires
the Novell patches SPXS.NLM and SPXDDFIX.NLM from STRTL3.EXE.
Symantec Central Point AntiVirus for NetWare v2.5 is the first
release to support clean hooks with a fix in the self-extracting zip
file CPNLM.EXE on their BBS at 503 984-5366. Symantec Norton AntiVirus
for NetWare v1.0 shipped in the last year contains the "clean hooks"
fix.
Cheyenne Inoculan v3.0 is the first release to support clean hooks
with signature file version v2.31 or later. Download IL0004.ZIP from the
Inoculan Signature File area on Cheyenne's BBS at 516 484-3445.