    LANDesk(R) Management Suite v2.x: Virus Scan Usage Tips

    Contents:

    • LANDESK(R) MANAGEMENT SUITE V2.0X: VIRUS SCAN USAGE TIPS
    • VSCAN.EXE ASKS FOR PASSWORD BEFORE ALLOWING USER TO SCAN FILE SERVER
    • LANDESK(R) MANAGER VIRUS SCAN
    • "COULD NOT ATTACH TO PRE-SCAN PROTOCOL STACK" OR "PSCAN: COULD NOT ATTACH PRE-SCAN DRIVERS"
    
    

    LANDESK(R) MANAGEMENT SUITE V2.0X: VIRUS SCAN USAGE TIPS

    
       This document discusses issues commonly encountered with Virus Scan.  It
       supplements the files in LANDesk(R) Management Suite's Readme Viewer.
    
    
    
       VSCAN.EXE asks for a password before allowing you to scan the File Server
    
    
    
       This applies only if you are not logged in as "Supervisor" or a
       "Supervisor Equivalent". The default password is VPROTECT.
    
    
    
       To change the default password, carry out the following procedure in
       the SYS:LANDESK directory and in the SYS:LOGIN/LANDESK directory.
    
    
    
       1. Go to the DOS prompt in the LANDESK directory.
    
    
    
       2. Type (without the quotes) "Vscand /w".  This is not normally
       displayed when a user does vscand /w.  It is used by supervisor or
       equivalent users.  It configures whether vscand (or vscan) requires
       users without supervisory rights to enter a password before they can
       scan network drives.  The default password is VPROTECT.
    
    
    
       3. You will then be asked whether to require a password and, if so,
       what password the end user must give to be able to run vscand or vscan.
    
    
    
       4. Once you have answered the vscand /w questions, the password
       requirement has been changed.
    
    
    
       5. Once this is done, follow the same procedure (vscand /w) in the
       login/landesk directory.
    
    
    
       How to clean a virus from a workstation, once VSCAND or VSCAN finds the
       virus
    
    
    
       If vscand can clean the virus at a high success rate, then vscand will
       offer to clean the virus for you.  If vscand or vscan cannot clean the
       virus, then there are alternative ways to clean the virus.

       File viruses:  These can be cleaned by deleting the original file and
       replacing it with a clean original file.
    
    
    
       Boot sector viruses:
    
    
    
       1.  Obtain a clean, bootable, write-protected floppy disk which contains
       the same version of DOS as the machine you are attempting to clean.
       Copy SYS.COM and FDISK.EXE to this floppy.
    
    
    
       2.  Make sure the CMOS setting is to boot from the A: drive.  Power off
       the computer, insert your bootable floppy, and power on the computer.
    
    
    
       3.  At this point, it is critical that you verify that the partition
       table has not been damaged.  To do this, type DIR for each disk
       partition.  If the drive has just one partition, just type DIR C:.  You
       should see the listing of files in the C:\ directory.  If you cannot
       access your C: drive (or other disk partitions), it is likely you have a
       damaged partition table.  If this is the case, the partition table needs
       to be repaired before you can attempt to clean the virus.  A utility
       such as Norton Disk Doctor may be helpful.  If you have the Monkey
       virus, which moves the partition table, download the cleaning utility
       KILLMN.EXE from Intel's online services.
    
    
    
            If you have a compressed drive, you will probably not be able to see
       the hard drive unless you included the drivers for your compression
       software on your boot floppy.
    
    
    
       4.  From the A: prompt type:
    
    
    
            SYS C:
    
    
    
            This will transfer the 2 hidden system files and COMMAND.COM.  It
       will also overwrite the boot sector where the virus may reside (at the
       first relative sector of the partition).
    
    
    
       5.  Once the DOS prompt returns, scan the drive again to see if the
       virus has been removed.
    
    
    
       6.  If the virus is still present, repeat steps 2 and 3 above, then from
       the A: prompt type:

            FDISK /MBR

            This will write new code to the master boot record at the first
       physical sector of the drive, and overwrite any virus code present.
    
    
    
       7.  Once the DOS prompt returns, scan the drive again to see if it is
       clean.
    
    
    
       8.  As a last step, power off the computer, remove the boot floppy, and
       turn the power back on.  Scan the drive for viruses to ensure that it is
       now clean.
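
       Step 3 above asks you to confirm that the partition table is intact
       before SYS C: or FDISK /MBR overwrites anything.  The following Python
       sketch is an added example, not part of the original Intel document: it
       runs the same structural check on a raw disk image, reading the master
       boot record at the first physical sector and the boot sector at each
       partition's first relative sector.  The sample image and all function
       names are constructed for illustration; the check covers structure only
       and does not detect virus code.

```python
import struct

SECTOR = 512

def parse_partition_table(mbr: bytes):
    """Return (partitions, problems) for the sector at the first physical sector."""
    parts, problems = [], []
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        return parts, ["MBR: missing 0x55AA signature"]
    for slot in range(4):                      # four 16-byte entries at offset 446
        entry = mbr[446 + 16 * slot: 462 + 16 * slot]
        flag, ptype = entry[0], entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype == 0:                         # unused slot must be all zero
            if any(entry):
                problems.append(f"slot {slot}: type 0 but entry not empty")
            continue
        if flag not in (0x00, 0x80):
            problems.append(f"slot {slot}: bad boot flag {flag:#04x}")
        if start == 0 or count == 0:
            problems.append(f"slot {slot}: zero start or length")
        parts.append({"slot": slot, "active": flag == 0x80, "type": ptype,
                      "start": start, "count": count})
    if not parts:
        problems.append("no partitions defined")
    if sum(p["active"] for p in parts) > 1:
        problems.append("more than one active partition")
    return parts, problems

def check_image(image: bytes):
    """Check the MBR, then the boot sector at each partition's first relative sector."""
    parts, problems = parse_partition_table(image[:SECTOR])
    for p in parts:
        boot = image[p["start"] * SECTOR:(p["start"] + 1) * SECTOR]
        if len(boot) != SECTOR:
            problems.append(f"slot {p['slot']}: start sector outside image")
        elif boot[510:512] != b"\x55\xaa" or boot[0] not in (0xEB, 0xE9):
            problems.append(f"slot {p['slot']}: boot sector lacks jump/signature")
    return problems

def build_sample(damaged=False):
    """Constructed 65-sector image: one active FAT16 partition starting at LBA 63."""
    entry = bytes([0x80, 1, 1, 0, 0x06, 1, 1, 0]) + struct.pack("<II", 63, 2)
    mbr = bytearray(SECTOR)
    mbr[446:462] = bytes(b ^ 0xA5 for b in entry) if damaged else entry
    mbr[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    boot[0:3], boot[510:512] = b"\xeb\x3c\x90", b"\x55\xaa"
    return bytes(mbr) + bytes(62 * SECTOR) + bytes(boot) + bytes(SECTOR)
```

       An empty list from check_image(build_sample()) corresponds to DIR C:
       succeeding in step 3; any entry in the list means the partition table
       or boot sector needs repair before cleaning continues.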
    
    
    
       What are the virus scan signature files and how often are they updated
       and from where?
    
    
    
       The Virus Pattern File is named LPT$VPN.xxx, where xxx is the version
       of the pattern file.  At the time of this writing the current pattern
       is 050 so the file name is LPT$VPN.124.  It is updated as new viruses
       come out.  Any end user can call into the Intel BBS to get the latest
       version.  To download the pattern file, go to Intel's online services;
       the file is called UPxxx.EXE, where xxx refers to the most recent
       pattern.
    
    
    
    

    VSCAN.EXE ASKS FOR PASSWORD BEFORE ALLOWING USER TO SCAN FILE SERVER

    
       If you are not logged in as "Supervisor" the default password is
       VPROTECT. There is no method to change the password.
    
    
    
    

    LANDESK(R) MANAGER VIRUS SCAN

    
       LANDesk(R) Manager includes some on-demand virus protection features
       from LANDesk Virus Protect. For detailed information on VSCAN.EXE and
       VSCAND.EXE beyond the common issues covered here, download document
       5528, which is available through Intel's online services.
    
    
    
       If VSCAND.EXE gives the message ERROR READING PATTERN FILE, the
       workstation may have insufficient memory. VSCAND.EXE requires about 300
       KB of memory.  If executing from the login script, an additional 100 KB
       or so is required.  To be safe, the workstation should have a largest
       executable program size of at least 400 KB.
    
    
    
       Verify that the virus pattern file, LPT$VPN.XXX, is in the directory
       from which you ran the scan. Generally, this will be either the shared
       or administrator's LANDESK directory on the network. If the problem
       persists, map a search drive to the appropriate LANDESK directory.
    
    
    
       If VSCAND.EXE gives the message "Warning: Cannot access master log
       file," ignore it. This is a cosmetic mistake that appears when the
       LANDesk Virus Protect package isn't installed with its full 24-hour NLM
       protection.
    
    
    
       Update the virus pattern on a monthly basis. This will help make sure
       you have the best virus protection. To update your virus pattern,
       download the self-extracting zip file UPDATEXX.EXE, where XX is the
       number of the pattern file (for example, UPDATE60.EXE), from the LANDesk
       Virus Protect Current area on Intel's online services.  See the
       READ.ME file for installation instructions.
    
    
    
    

    "COULD NOT ATTACH TO PRE-SCAN PROTOCOL STACK" OR "PSCAN: COULD NOT ATTACH PRE-SCAN DRIVERS"

    
       Error message:

       The error message "Could not attach to pre-scan protocol stack" or
       "PSCAN: Could Not Attach Pre-Scan Drivers" occurs when loading the
       LANDesk(R) Management Suite NLMs.  Software metering (METER.NLM and
       RELAY.NLM) relies on PSCAN.NLM to intercept files.  RELAY.NLM won't
       load until PSCAN.NLM loads successfully.
    
    
    
       Description:

       PSCAN.NLM may be failing to load because PSCAN.NLM is already loaded or
       another application "dirty hooks" files directly through the operating
       system on your NetWare* v3.11/3.12 file server. Another possibility is
       that a PSCAN.NLM from a NetWare v3.11 file server is loading on a
       NetWare v3.12 file server or vice-versa.
    
    
    
       Solution:
    
    
    
         1. Make sure PSCAN.NLM is unloaded (type: UNLOAD PSCAN).
    
    
    
         2. Determine if another NLM is loaded that directly hooks files
            through the operating system.  Some of the known products are:
            McAfee NetShield, McAfee SiteMeter, Symantec Central Point
            AntiVirus, Symantec Norton AntiVirus, Cheyenne Inoculan, Funk
            Software AppMeter, LANAuditor, LTAuditor, Microtest DiskPort, and
            AuditTrack (ADTTRK.NLM).
    
    
    
            If this is the case, there is a PSCANCH.NLM already in the
            SYS:SYSTEM directory of the core file server (not managed file
            servers) as documented in the Readme Viewer release notes for
            Software Metering (LDMETER.TXT), item #7.  This new NLM hooks files
            through CLIB instead of through the operating system directly. For
            this reason, CLIB v3.12G or later is required, because previous
            versions did not support file hooking. This "clean hooks" PSCAN.NLM
            will work on any 3.x version of NetWare (including SFTIII). This
            problem should not happen on a 4.x server, so no fix is required.
    
    
    
         3. Make sure the correct version of CLIB is running on the file
            server.  If an upgrade is required, remember that the currently
            running CLIB must be unloaded, which may require that a series of
            other NLMs be unloaded first.
    
    
    
         4. Rename or delete the existing PSCAN.NLM in SYS:SYSTEM. If you use
            LANDesk Virus Protect, make the same change in the VPROTECT
            directory.
    
    
    
         5. Rename PSCANCH.NLM to PSCAN.NLM. Remember to update the PSCAN.NLM
            in any VPROTECT directory.
    
    
    
       PSCAN.NLM will now load and not conflict with the other products listed
       previously.
    
    
    
       Note: If the error message continues to appear or the file server
       has problems even after updating PSCAN.NLM and CLIB, then reverse the
       load order of PSCAN and McAfee SiteMeter or NetShield.  This reversed
       load order works best. SiteMeter v4.3 and NetShield v1.61 now both
       support clean hooks, which allows other third-party vendors to intercept
       files. NetShield upgrades to v1.61 are available in 3NS161RC.ZIP on
       McAfee's BBS at 408 988-4004. NetShield prefers CLIB v3.12F and requires
       the Novell patches SPXS.NLM and SPXDDFIX.NLM from STRTL3.EXE.
    
    
    
            Symantec Central Point AntiVirus for NetWare v2.5 is the first
       release to support clean hooks with a fix in the self-extracting zip
       file CPNLM.EXE on their BBS at 503 984-5366. Symantec Norton AntiVirus
       for NetWare v1.0 shipped in the last year contains the "clean hooks"
       fix.
    
    
    
            Cheyenne Inoculan v3.0 is the first release to support clean hooks
       with signature file version v2.31 or later. Download IL0004.ZIP from the
       Inoculan Signature File area on Cheyenne's BBS at 516 484-3445.
    
    
