Sophos InterCheck Release Notes ------------------------------- Version 4.20, 14 February 2001 www.sophos.com Contents -------- 1. Modifications from version 4.19 2. Enabling archive scanning 3. Additional configuration options 4. Additional information 5. Known problems 6. Compatibility issues 7. Acknowledgments 1. Modifications from version 4.19 ---------------------------------- a) Fix for problem when docking laptop computers A few users have encountered problems when docking laptop computers. Soon after the laptop was connected to a docking station the system would stop responding to any user input. InterCheck version 4.20 resolves this problem. Please note: after upgrading to InterCheck version 4.20 the problem will recur until the computer has been restarted. b) Support for long program extensions InterCheck for Windows 95/98/Me now supports program extensions longer than three characters. For example, it is now possible to instruct InterCheck to check files with the extension ".oversized extension" by including the option "AddProgramExtension=long extension" in the InterCheck configuration file. c) Reporting external IDE files InterCheck for Windows 95/98/Me now reports externally loaded virus identity files in the InterCheck log file. d) New configuration option: DisableNALCheck=YES|NO Some users have encountered performance problems when using the Novell Application Launcher (NAL) on systems where InterCheck is active. Setting the configuration option DisableNALCheck to YES should resolve this problem. 2. Enabling archive scanning for Windows 95/98/Me ------------------------------------------------- It is possible to configure InterCheck to search for viruses inside archives such as Zip or Tar. However, by default this facility has not been enabled, and infected files stored in archives will not be reported until they are extracted for use. The ability to scan inside archive files is disabled by default because it can take a long time to scan inside large archives and a user must wait until the scan is complete before they can continue with their work. However, in some circumstances it may still be desirable to enable scanning inside archives. This section tells you how to do so. The default action can be modified for the following archive formats: Zip, Arj, Rar, Gzip, Tar and Cmz. For example, to enable Zip file archive handling the following must be added to the INTERCHK.CFG file: [InterCheckGlobal] AddProgramExtension=ZIP [SweepVxDGlobal] VirusEngineSetting:Zip=1 For the other archive formats, each needs to be added as above with a separate AddProgramExtension entry for each different extension used and one VirusEngineSetting entry for the archive type. For example, to enable Tar and Zip file archive handling, where Zip files may have the alternative extension WZP, the following must be added to the INTERCHK.CFG file: [InterCheckGlobal] AddProgramExtension=ZIP AddProgramExtension=WZP AddProgramExtension=TAR [SweepVxDGlobal] VirusEngineSetting:Zip=1 VirusEngineSetting:Tar=1 It should be noted that this non-default functionality is only available for Windows 95/98/Me and not with Windows 3.1x. 3. Additional configuration options ----------------------------------- AddProgramExtension=ext This option adds ONE extension to the ProgramExtensions list, but leaves the existing list alone. Note that if this option precedes a ProgramExtensions= option, the single extension is discarded. To add "no extension" to the list, use a dot by itself. DriverIoChecking=YES|NO (Windows 95/98 ONLY) If set to NO, this will suppress interception of certain types of file I/O operations executed by other VxDs in the system. Use this option to avoid problems (such as lock-ups) that can occur when InterCheck intercepts these calls. One third-party product that definitely requires this switch set to NO is ZIPMagic (1.0 and 98) from Mijenix. The default is YES. DriveType=x:,type (Windows 95/98 ONLY) This option allows the user to override the system's assignment of drive types. It is primarily intended for use in the form DriveType=A:,FLOPPY which allows InterCheck to start up without a delay on systems which have no A: floppy drive. It can also be used where a PC boots up from a removable C: drive in order to force InterCheck to treat the removable drive as if it were a fixed hard disk. x: may be any drive letter from A: to Z: (or a: to z:) Type may be one of the following: for floppy and other removable drives: FLOPPY,REMOVABLE for non-removable drives: FIXED,HARD DISK,HARDDISK for mapped network drive letters: NETWORK,REMOTE for CD-ROM drives: CDROM,CD for RAM disks: RAMDISK when the drive doesn't exist: ABSENT,NONE NOTE: This option only affects the actions taken by InterCheck during startup. 4. Additional information ------------------------- i. Improved file type detection. The file type detection provided by InterCheck has been extended to detect Microsoft PowerPoint files by default. PowerPoint files will now always be checked for viruses regardless of the file extension. ii. Default program extension list Any file whose extension matches an entry in the following list will be considered by InterCheck to be a program and will be checked whenever it is accessed: CHM, COM, DLL, DOT, DRV, EXE, HLP, HT?, HTML, INI, MPP, MPT, MSO, OV?, PIF, PRC, SHB, SHS, SYS, VB?, VXD, XL? 5. Known problems ----------------- i. Exclude= does not work correctly on InterCheck for Windows 95/98 InterCheck for Windows 95/98 only allows the use of standard short "8.3" file names in the "Exclude" configuration option. This means that it is not possible to exclude files with long names (e.g. "longfilename.txt"). 6. Compatibility issues ----------------------- i. Windows 95 and USB support On Windows 95 (OSR2) machines where the "USB (Universal Serial Bus) supplement" has been installed, InterCheck may hang on startup displaying the message "Preparing to SWEEP". The problem is caused by an obsolete version of the USB supplement. Customers encountering this problem are advised to remove the USB supplement using the "Add/Remove programs" icon in the control panel. When USB support is required, the latest version of the USB supplement should then be installed. ii. Borland C++ and Novell IntraNetWare client There is a problem when using Borland C++ 4.51 and the Novell IntraNetWare client version 3.10 together with InterCheck for Windows 95/98. When building large projects (20+ source files), files are left locked open and cannot be deleted. This problem does not occur when using version 3.02 of the Novell IntraNetWare client. iii. Windows 95 Program Manager It is possible to configure Windows 95 to use a different shell instead of the normal Explorer. Windows 95 includes a version of the Windows 3.1x Program Manager which can be used as a shell. Sophos recommends against using Program Manager as a shell on a machine which runs InterCheck. iv. Hewlett Packard scanners and OCR software If you experience problems such as system lock-ups or fatal exception errors when using OCR software to acquire text directly from a Hewlett Packard scanner while InterCheck is active, you should put the following line in INTERCHK.CFG: Exclude=HPSCAN This prevents InterCheck from attempting to open a device name that is associated with the scanner, and that causes fatal errors if it is opened other than by the application. v. Eudora When Eudora is configured by a command line option to use a network drive for its files, InterCheck causes it to be very slow. This is caused by InterCheck's file type detection trying to identify the kind of file being accessed. The main "culprit" file is eudora.ini. You can improve performance by adding: Exclude=eudora.ini to INTERCHK.CFG. vi. Mijenix Corporation's ZIPMagic InterCheck 4.XX for Windows 95/98 requires the use of the DriverIoChecking=NO configuration file option when used with either ZIPMagic 1.0 or ZIPMagic 98. vii. Windows 95/98 AS/400 Client Access When used with Windows 95/98 AS/400 Client Access V3 R1 M2, the networked InterCheck client requires Service Pack level SF47544. With previous versions of the Client Access software, the Check Version utility (installed by default into the Startup group) would hang the PC with InterCheck present. The stand-alone InterCheck client cannot be used with AS/400 Client Access because the Sweep95 VxD is unable to open files stored on the AS/400. The only solution at present is to use the networked InterCheck client. viii. QEMM version 6.02 InterCheck for DOS will cause the system to hang in response to CTL-ALT-DEL if it is loaded high using QEMM v6.02. However, the diskette in the A drive will be checked for viruses before the system hangs so that the integrity of InterCheck is not compromised. There are a number of possible solutions: a) Upgrade to QEMM version 7. b) Load InterCheck into low memory using the LoadLow=YES configuration option. c) Use the QEMM nr (norom) option. However this does not work with the stealth option. ix. 386Max version 6.01d InterCheck for DOS cannot load high when version 6.01d of the 386Max memory manager has been installed. An error message "Memory allocation error" is displayed after InterCheck has run SWEEP. Use the LoadLow configuration option to load InterCheck into low memory. Alternatively upgrade to 386Max version 6.02 or above. x. NetWare 4.01 The ICLOGIN program is not compatible with the version of the LOGIN program supplied as part of NetWare 4.01. In order to use the ICLOGIN program you must upgrade the Novell login program to version 4.08 or later. Version 4.08 of LOGIN.EXE can be obtained, by all registered users of NetWare 4.01, as part of the "Novell 4.01 Upgrade kit Vol.1 No.1". xi. MSD versions 2.10 and 2.11 The Microsoft diagnostic program, MSD.EXE, supplied with Windows 3.11 and DOS 6.x, does not work correctly with InterCheck. Unless the Novell LSL driver has been loaded before installing InterCheck, the MSD program will crash while initially examining the system, with unpredictable results. The problem has been fixed in version 2.13 of the MSD program, supplied with Windows 95. xii. Other memory resident Anti-Virus products We do not recommend using InterCheck when other memory resident anti-virus are active. Attempting to run multiple anti-virus products in this manner will cause the system to run extremely slowly. In some cases the system may also become unstable. 7. Acknowledgments ------------------ This product uses the SPAWNO routines by Ralf Brown to minimise memory use while shelling to DOS and running other programs. ----------------