Netware Super Library

home *** CD-ROM | disk | FTP | other *** search

/ Netware Super Library / Netware Super Library.iso / virus / virex / virexpc.doc < prev next >

Wrap

Text File | 1995-04-29 | 50.9 KB | 1,075 lines

VIREX FOR THE PC USERS GUIDE DATAWATCH CORPORATION HOW TO CONTACT DATAWATCH If you find a new virus, it is important that we learn about it, so that we can update Virex for the PC. You can contact Datawatch at: Datawatch Corporation 234 Ballardvale St. Wilmington, MA 01887 Telephone: (508) 988-9700 FAX: (508) 988-2040 (General & Sales) FAX: (508) 988-0697 (Technical Support & Virus Reports) You can contact Datawatch on the following services: AppleLink DATAWATCH CompuServe 73407,1751 America OnLine DATAWATCH DataGate BBS 508-988-6373. Settings are (8,N,1). Internet mactech@datawatch.com Anonymous FTP ftp.datawatch.com Table of Contents ~~~~~~~~~~~~~~~~~ CHAPTER 1: Overview of Virex for the PC CHAPTER 2: Installing Virex for the PC CHAPTER 3: Using the VPCScan Program CHAPTER 4: Using the Virex TSR CHAPTER 5: Using Virex for the PC in a Network Environment CHAPTER 6: Using Virex for the PC in a Windows Environment CHAPTER 7: Safe Computing Practices APPENDIX A: Removing a Boot Sector Virus APPENDIX B: Modifying the Protection File APPENDIX C: Troubleshooting APPENDIX D: Using the DataGate BBS APPENDIX E: Novell Network Features APPENDIX F: External Virus Signature File <<<<<<<<<<<<<<< C H A P T E R 1: Overview of Virex for the PC >>>>>>>>>>>>>>>> Virex for the PC provides comprehensive protection against computer viruses. The current version of the program (at the time this manual was written) includes the following enhancements: * Detection of more than 2000 known viruses. * Two installation methods: Quick (using default settings); Custom (allowing customization). * An enhanced Inoculate feature, which cannot only repair virus damage, but also protect your system from unknown viruses using a unique integrity check method. * Disinfectors for more than 100 boot sector viruses. The Virex for the PC package uses two programs to protect and repair your files: VPCScan and Virex. VPCScan: Identifying Known Viruses and Repairing Files The first program is VPCScan (VPCSCAN.EXE), a utility program that can scan existing files and memory for the presence of known viruses. VPCScan can recognize the code signatures of known computer viruses and will alert you if it finds one.The powerful Inoculate feature is the key to VPCScan's effectiveness. Inoculate has two important capabilities. First, it can repair files that have been damaged by common viruses (by means of a special emergency disk that you create during installation, or by files created during installation on your hard drive). Second, Inoculate can protect existing files by comparing the current signature of each file with its previous version. Thus, VPCScan can use Inoculate to disinfect all known boot sector viruses and almost all file infectors, as well protect your system from many unknown viruses. Virex: Efficient, Continuous Monitoring of the PC System The second program is Virex (VIREX.COM), a terminate-and-stay-resident (TSR) program that provides continuous virus protection. Virex alerts you: * when you attempt to run a program that is infected with a known virus. * when an attempt is made to run a program that has had its unique Integrity information changed. * when you attempt to run a program that is not registered in the Integrity database (it will give you the opportunity to register the program before proceeding). These three functions provide efficient protection against unknown viruses by Integrity checking, and against known viruses by scanning programs on execution. This virus protection uses less than 1KB of RAM memory. Hardware and System Requirements Virex for the PC requires a hard disk and operates on any IBM PC/XT, IBM PC/AT, IBM PS/2, or 100% compatible computer using the PC-DOS (MS-DOS) 3.X or later operating system. (If you have an IBM XT and do not have a high-density 5 1/4" disk drive or a 3 1/2" disk drive, please contact Datawatch Customer Support to obtain Virex for the PC on a low-density 5 1/4" disk.) A minimum of 512KB of memory is recommended. <<<<<<<<<<<<<<< C H A P T E R 2: Installing Virex for the PC >>>>>>>>>>>>>>>>> You can install Virex for the PC using either of the following methods: * Quick Installation: the easy installation that automatically chooses default settings and installs the program. (Note: If you are installing Virex for the PC from a hard drive or subdirectory, you must use Custom Install. Quick Install only functions from diskette.) * Custom Installation: the more flexible installation that allows you to change default settings before installing the program. (Note: If you are installing Virex for the PC onto a Novell Network drive, you must perform a Custom Installation.) With either method, easy-to-understand screens will keep you informed about the progress of the installation. If you want to abort the installation at any point, press ESC to select the Exit command. If you exit before the installation is complete, you need to confirm your decision to exit, by highlighting Yes and pressing enter. If you want to perform the Quick Installation, proceed to the next section. But if you want to perform the Custom Installation, skip now to the section titled Custom Installation. Quick Installation The Quick Installation method provides you with the simplest antiviral installation available. The Quick Installer will automatically: * Choose default settings. * Choose the source and target disk drives. (C:\VPC) * Scan local drives for viruses. * Copy the necessary files to your hard disk. * Create the Integrity database files that will aid in repairing damaged files. * Modify your AUTOEXEC.BAT file to load the Virex TSR each time you boot your computer (ONLY if you have chosen to use the Virex TSR). * Assist you in creating an emergency disk for future file repair and disk recovery. (Be sure to have a virus-free, formatted disk ready.) Custom Installation If you choose to perform a Custom Installation, the Installer will: * Scan local drives for viruses. * Copy the necessary files to your hard disk. * Create the Integrity database files that will aid in repairing damaged files. * Assist you in creating an emergency disk for future file repair and disk recovery. (Be sure to have a virus-free, formatted disk ready.) But the Custom Installation also gives you flexibility by letting you change the program's default choices for: * Source and target drives. * Drives to include in the Integrity database. * Installation of the Virex TSR for continuous protection. * Changes to the AUTOEXEC.BAT file. (Note: If you are installing Virex for the PC onto a Novell Network drive, you will need to perform a Custom Installation.) <<<<<<<<<<<<<<< C H A P T E R 3: Using the VPCScan Program >>>>>>>>>>>>>>>>>>> Using VPCScan To scan a file for the existence of known viruses: 1. Make the drive on which you installed VPCScan the current drive by typing <drive>: and pressing enter. 2. Change to your Virex directory by typing CD <directory> and pressing enter. 3. Type VPCScan <drive>:<pathname> and press enter, where <drive>:<pathname> indicates the drive, directory path, and name of the file to be scanned. Example: VPCScan C:\GAMES\TOPSHELF.COM Dealing with an Infection If VPCScan finds a known virus, it will alert you and provide the following options: a. Repair: attempt to remove the virus from the original file (if the Inoculate information is available, or if specific disinfectors are available). b. Delete: erase the infected file. c. Ignore: leave the file as it is. WARNING: If you repair an infected file, it will be changed, and could possibly become unusable. OtherTechniques * To scan a directory and its subdirectories, specify <drive>:<path>. Example: VPCScan C:\GAMES * To scan a disk, specify <drive>:\. Example: VPCScan B:\ * To scan multiple disks, specify <drive>:\ <drive>:\. Example: VPCScan C:\ D:\ E:\ VPCScan will scan from the current directory down through the hierarchical structure. It will scan the entire disk only if you start in the root directory or if you specify <drive>:\. Example: VPCScan C:\ Note: Wild cards (* and ?) are valid in VPCScan commands. Once you have scanned and disinfected all of the files on your hard disk, restart your computer by switching it off, waiting ten seconds, and then switching it on again. Do not simply press ctrl-alt-del to reboot as some viruses can survive this type of boot. Reports When VPCScan is finished examining your files for the presence of known viruses, it generates a report, named VPCSCAN.LOG, that details the results of its examination. It indicates how many directories and files were examined, how many files were found infected, how many files were repaired, and how many files were deleted. It also indicates which files were infected, and what viruses were found in those files. The report can be sent to a printer or redirected to a file. VPCScan Command Line Switches VPCScan has features that control how scanning is conducted. These options are executed through the command line: VPCSCAN C: -<options>. Example: VPCSCAN C: -M -A: Instructs VPCScan to scan all file types, including non-executable files such as text or spreadsheet files. In its normal operation, VPCScan searches only executable files (*.EXE, *.SYS, *.COM, and *.OV?) Viruses can cause damage only when they are in executable files or have infected a disk's boot sector. By using the -A option, however, you can be sure that there are no known viruses in any files on your computer. The -A switch also turns on the -L (Long search) option automatically. When the -A option is not specified and VPCScan is instructed to scan a directory containing only data files, it will return the message 0 files scanned. This message means that it did not find any executable files. -E: Directs VPCScan to return an error level of 0 if and only if the system was completely tested and no viruses were detected. Otherwise, a non- zero errorlevel will return. An error condition will return a non-zero error level as well. -F: Scans a single floppy disk. After VPCScan completes a scan of a floppy disk, you will be asked whether you want to scan additional diskettes. The request to scan additional disks can be turned off with -F. This feature might be useful when operating VPCScan in batch mode to scan a single disk. -I+: Will alert you to signature changes and allow inoculation file updating or repair of modified files.-I<filename>: Lets you specify a non-default file name for your inoculation database. Using the + option (-I+<filename>) will make VPCScan add and update all new executable files to your inoculation database. -L: (Long scan) Scans the entire contents of a file. In its usual operation VPCScan selectively searches the specific areas of a file that viruses are most likely to infect. The -L search is a more thorough search; therefore, it takes more time. For this reason, we recommend that the -L option be used only in the following situations: to examine new files; to scan a hard disk for the first time before Virex has been installed on your system; or if you strongly suspect your system may have a virus. -M: Prevents VPCScan from searching the system memory of the computer for the presence of viruses. This is a time saving feature. If you are scanning multiple floppy disks and/or hard drives, there is no need to scan the system memory each time. -O: Scans only the specified directory and does not examine any subdirectories. -R<filename>: Creates an audit file, named <filename>, which lists all VPCScan alerts and responses. VPCScan names the default audit file C:\VPCSCAN.LOG. Results are updated with every VPCScan run. -T: Turns ON the optional warning message that alerts you when your version of VPCScan is more than six months old. -V: Lets you verify your programs using the Protection file (VIREX.DAT). Using the + option (-V+) will update the existing Protection file.-V <filename>: Lets you verify your programs using a Protection file that has the file name you choose. Using the + option (-V+<filename>) will create or update this file. -X: Scans the entire first megabyte of memory. Normally, VPCScan limits memory scanning to the first 640K of memory that is accessible to DOS. Although unlikely, a virus could infect the memory between 640K and 1 megabyte. -#: Lists all the viruses that VPCScan is currently capable of detecting. Virus-specific repair capability is noted by the term disinfector in parentheses next to the virus name. To print the virus listing, type VPCSCAN C: -#>PRN. -!N: Turns off the virus warning messages that are sent to the Novell console whenever a virus is found. To further customize scanning, you can combine the preceding options. For example, to perform a long scan of the files in the current directory, type VPCSCAN C: -O -L and press enter. Note that there must be a space between option codes. The Inoculate Feature The powerful Inoculate feature is the key to VPCScan's effectiveness. Inoculate has two important capabilities. First, it can repair registered files that have been damaged by common viruses (by means of a special emergency disk that you create during installation). Second, Inoculate can protect existing files by comparing the current signature of each file with its previous version. Thus, Inoculate can use VPCScan to disinfect all known boot sector viruses and almost all file infectors, as well protect your system from many unknown viruses. Inoculate works by building and using three special files that protect your computer from virus attacks and make repairs possible: CRITICAL.VRX, INOC.VRX, and VIREX.DAT. These three files comprise the Integrity database. To remain effective, these three files must be updated regularly, and the information must be stored on an emergency disk. To create or update the Integrity database, add <drive>: and -I+<filename> to the VPCScan command line. Example: VPCScan C: -I+ Example: VPCScan C: -I+inoc.vrx (Note: All three Integrity database files INOC.VRX, CRITICAL.VRX, and VIREX.DAT can be updated with one command by including both the -I+ and -V+ switches in the command. If VPCScan finds a file with a modified signature, a warning message will be displayed. Pressing U will update the Integrity database and continue the scan. If you suspect that the file was modified by a virus, press R to repair the file. After choosing the repair option, you will see the another box if VPCScan can successfully repair the file. If you press Y, the file will be repaired and the scan will continue. If you press N, you will be returned to the previous box with only the Update and Ignore options available. If VPCScan cannot repair the file, you will see a message box, explaining why VPCScan could not repair the file. After displaying this box, VPCScan will return you to the previous message box with only the Update and Ignore options available. The CRITICAL.VRX File The CRITICAL.VRX file provides protection against boot sector viruses. Boot sector viruses replace the boot sector and/or the partition table of your hard drive. By copying these important parts of your hard drive, VPCScan can easily remove any virus that might infect your hard drive by restoring the data you had before the virus. Because boot sectors and partition tables very rarely change, this type of protection is very effective. You must, however, update your Integrity database whenever you alter your partition information or upgrade to a new DOS version. The CRITICAL.VRX file also saves your CMOS information because viruses can potentially damage it. This function does not work on XT systems because they do not have CMOS. You should rebuild your Inoculation file if you alter any CMOS information other than the date and time. Note: Virex does not store extended CMOS settings. The INOC.VRX File The INOC.VRX file stores the Inoculation information about your executable files. It saves a small part of the file along with the length and certain integrity information about the file. With this information, VPCScan can successfully repair almost all viral infections. Using Inoculate on Files You should update your Integrity database whenever you install new or updated programs on your system, and continue to perform regular scans at more frequent intervals. If VPCScan reports that your system has a virus infection or detects an integrity signature change, Virex will first use the Inoculate feature to attempt to repair the file. To repair all infected files, follow the normal procedure for a scan. If you have chosen an alternative name for the INOC.VRX file, add -I<filename> to the VPCScan command line. Example: VPCScan C: -Ivirex.ino In this mode, VPCScan will alert you at each virus infection and will provide the standard options of Disinfect, Remove, or Ignore. The Disinfect option will use Inoculate even if a signature-based disinfector is available. If you choose Disinfect, VPCScan will attempt the repair of the file. If it can successfully repair the file, you will get a warning message. If you press Y, the file will be restored to its pre-infection form. In certain situations it may be impossible for VPCScan to rebuild the file. If VPCScan cannot repair the file, another message will be displayed. VPCScan will then return you to the previous message box with only the Remove and Ignore options available. Using CRITICAL.VRX You must use VPCScan to restore the information in CRITICAL.VRX file back to your hard drive. When using any of these options, <filename> is not necessary VPCScan defaults to CRITICAL.VRX. A <filename> is necessary only if you have changed the name of your CRITICAL.VRX file. A <drive>: in all cases specifies the drive to which you want to restore the information.1. If you wish to restore your master boot record and your partition table, use <drive>: and -PA<filename> on the VPCScan command line. Example: VPCScan C: -PA Example: VPCScan D: -PAcritical.vrx If you must restore your CMOS information, you need to add only the command -PC<filename> to your VPCScan command line. Example: VPCScan -PC Example: VPCScan -PCcmossave.vrx The Integrity Check Verification Feature The VIREX.DAT Protection file contains the file signature information that Virex uses to monitor your system from known and unknown viruses. We recommend that, after booting for a virus-free floppy disk, you periodically check all of these signatures using VPCScan╒s Integrity check verification feature.Using -V<filename> will check the .DAT file named <filename> or your default Protection file (probably VIREX.DAT). Example: VPCScan C: -V Example: VPCScan C: -Vmyprot.dat If a known virus infection is found, you will be alerted and given the same options as in a normal scan. If a file with a modified signature is found and no inoculate record is available, you will see a warning box. Pressing U will update the file's signature in the Protection file. Pressing I will ignore the file's modified signature and continue scanning. If you suspect that the file may be infected by an unknown virus, we recommend pressing I for Ignore and then deleting the file using DOS. <<<<<<<<<<<<<<< C H A P T E R 4: Using the Virex TSR >>>>>>>>>>>>>>>>>>>>>>>>> Virex is a terminate-and-stay-resident (TSR) program that provides continuous protection against both known and unknown viruses. Virex protects against known viruses by checking programs when they are executed for the viral signatures of known viruses. Virex protects against unknown viruses by measuring the signature of a program each time it is run. Using Virex The Virex command, with no command line options, defaults to disk swapping mode. This means that Virex keeps its virus signature information on disk until it is needed. This technique allows Virex to occupy less than 1KB of RAM memory. Virex Options If working memory is not a constraint, or if you do not want the slight speed degradation that comes with disk swapping, Virex has other options: -A: Prevents Virex from registering and creating Inoculate information when new programs are run for the first time. This feature is helpful if programs are self modifying. Files are still scanned for known viruses. -C: Disables Integrity checking, and allows Virex to scan each executed program for known viruses only! (Note: In some rare situations, especially involving networks, it may be necessary to turn off Integrity checking completely. This approach is necessary if there is a configuration where you cannot access the Integrity file.) Note: If you use -C and -V together, you will lose all protection. -R: Reloads Virex. This switch is useful to load Virex after network drivers such as Novell NPX and NETX are used. -S: Loads all of the Virex code into memory the virus signature information into memory. This option causes Virex to take up approximately 4-5KB of RAM memory. -V: Allows you to check any preregistered program for changes (to the Integrity data only), and allows Virex to run without VPCScan. This option will use the Integrity information to check files for viruses, but does not perform a memory scan or repair files.It does not update the Protection file, nor does it protect unregistered programs. Normally, if Virex cannot find VPCScan, it alerts you that your system is unprotected. Responding to Virex Alerts The Virex TSR will alert you: * when you attempt to run a program that is infected with a known virus. * when an attempt is made to run a program that has had its unique Integrity information modified. * when you attempt to run a program that is not registered in the Integrity database (it will give you the opportunity to register the program before proceeding). These three cases are explained below. Virus Identified When you run a program, Virex performs an integrity check to make sure the file is as it should be. If a problem is detected, Virex will attempt to use the information in the INOC.VRX file to repair the damage. In most cases, it will be successful. If it is not, it will then attempt to solve the problem using its signature-based disinfectors. If Virex is still not successful, it will offer you the opportunity to either delete the file or ignore the warning. If you attempt to run a program that has been infected by a known virus, VPCScan will be run to address the viral infection. If VPCScan can disinfect the infected file, it will do so and will offer you the choice of printing or saving a log of its activities, or simply exiting VPCScan. If VPCScan cannot disinfect the file, you will be given the following VPCScan alert message: Press R to remove (erase) the file from the disk. Press E to exit VPCScan and leave the infected file on disk. Integrity Code Modified If you attempt to run a program whose Integrity information has changed, but which is not infected by a known virus, you will see a message box along with information about the new and stored signatures for the file. Then another alert box appears. If you suspect that the program which caused the alert is infected with an unknown virus, and if you have previously used VPCScan to create or update the Integrity database, then you should press R or run VPCScan using the Inoculate feature to disinfect (repair) the file. If Virex is able to successfully repair the file using its Inoculate information, and you press Y, Virex will repair the file and allow it to run. If you press N, Virex will leave the file in its modified state and will not run it.If Virex is not able to repair the file using Inoculate information, you will be warned in a message box. After you press any key, you will be given further options. If you press B, Virex will update the Integrity information and allow the file to run. If you press I, Virex will not change the Integrity information, and will not allow the file to run. If you think that the program which caused the alert is infected with an unknown virus, and if you have not used the VPCScan Inoculate feature, you should delete the suspect file and replace it with an original copy. If you think that the file's signature has changed for some reason other than a viral infection, you should update the file's Integrity information in the Virex Protection file (VIREX.DAT) and the INOC.VRX file. You can press B or use the Integrity update feature of VPCScan or a file editor to update the VIREX.DAT and INOC.VRX files. Program Not Registered If you try to run a program that is not on the Virex list of registered programs, a message box will be displayed. If you press Y, VPCScan will scan the file for known viruses using virus-specific detectors. If the file has no known viruses, it will be added to the Integrity database and be allowed to run.If the file is infected, another screen will appear. If you press R, Virex will remove the file. If the file can be repaired you will be given that option. After the file is repaired, it will be registered and will be allowed to run. If you press I, Virex will not allow the file to run, and the Access Denied message will appear. <<<<<<< C H A P T E R 5: Using Virex for the PC in a Network Environment >>>>>> Virex for the PC is compatible with Novell NetWare (versions 2.x, 3.x, and 4.x), a popular software product for networking personal computers, as well as most other networking products. Using VPCScan with NetWare VPCScan is designed to scan NetWare server drives for computer viruses. VPCScan treats a server drive (for example, F:) like a local hard drive or floppy disk, subject to the file protection constraints of NetWare. VPCScan will scan only the files to which you have read/open access. A file that is read-protected cannot be scanned, nor can it be infected. Furthermore, VPCScan will only scan files that are not in use or that are in use and sharable (that is, more than one person can use the same file simultaneously). A file that is in use and non-sharable cannot be scanned for viruses. We recommend that you run VPCScan as the NetWare network supervisor, so that all read-protected files can be scanned. We also recommend that you use VPCScan when all users are logged off of the server, so that all non-sharable files can be scanned. Scanning a Server Drive for Viruses VPCScan can be operated from a personal computer linked to a server; or in the case of a non-dedicated server, from the server itself. The procedure for scanning a server drive is: 1. Make sure that you can access the NetWare server drive. You might need to log in to the server, or may simply type <server drive>: (for example, F:) for access. 2. Make the location of VPCScan program the current drive (for example, by typing C: if VPCScan was installed on the C: drive). 3. Type VPCScan <server drive>: (for example, VPCScan F:) to scan the server hard drive. VPCScan will issue a warning message and list the names of any files that could not be scanned. A file might have been read-protected or might have been in use and non-sharable. If a server file is infected with a virus, VPCScan will display the standard virus warning message and issue the following options: a. Repair: attempt to remove the virus from the original file (if VPCScan knows how to disinfect files infected by this particular virus). b. Delete: delete the infected file. c. Ignore: leave the file in its current state. If an infected file is write-protected by NetWare, you will not be able to repair or delete the file unless you have appropriate network access to that file. Using the Virex TSR. If Virex is loaded on the server, you can type <server drive>:Virex -C. When a file is executed from either the server or the local PC hard drive, it will be scanned for known viruses. The -C command switch disables Integrity checking. If the server copy is installed to look on the user's local drive for C:\VPC\VIREX.DAT and for a shared version of C:\VPC\VPCSCAN.EXE, Integrity checking can be used. Otherwise, Integrity checking must be turned off, using the -C switch, for Virex to operate properly when run from the server. The use of Virex is especially appropriate if you are operating a diskless workstation in a network. In this configuration, there is no local hard drive to operate Virex. Installing Virex for the PC on a Novell Network The suggested location to install Virex and VPCScan on the server is the LOGIN directory. Thus, Virex can be run from the AUTOEXEC.BAT file so that protection begins when the station is powered up. You would not need to be logged in to the server to run Virex from the LOGIN directory. Also, Virex and VPCScan should be installed in the LOGIN directory using the Install program for Virex to be configured correctly. In the event that Virex discovers a virus in a file, it will call VPCScan to disinfect or remove it. You can install a full copy, as long as each user has a licensed copy. But you must take caution so that each station has a unique copy, preferably in the user's home directory. This allows you to run Virex with all protections intact. The Protection file could become corrupted if two or more people were to use it at the same time. Updating the Novell Network Protection File Because your network is likely to be changing on a regular basis, it will probably be necessary to update your network Protection file. This update can be done using the Install program or VPCScan. Running the Install program again will require you to go through the entire installation sequence, and is not as efficient as using VPCScan. Only the supervisor can update the network Protection file. Before updating, it is necessary to make sure that no one on the network is running Virex. If someone is running one of the TSRs, the protection file could become corrupted. The best way to solve this problem is to make sure that no one else is logged on to the network when the update is created.The network protection file is \VIREX\VPC_NET.DAT off of the root of any server volume. For example, if F:\ is the root of a server volume (instead of a mapped drive), the Protection file would be in F:\VIREX\VPC_NET.DAT. To update registration information using VPCScan, you would use the following command: VPCScan F:\ -V+F:\VIREX\VPC_NET.DAT Updating Users through the Network To update several users on your network, assuming they are also licensed, we recommend copying the entire Virex for the PC disk into a directory on your server. Then have each individual user run Install from that directory, configuring it as the source directory, and specifying a directory on his or her local drive as the destination. <<<<<<< C H A P T E R 6: Using Virex for the PC in a Windows Environment >>>>>> Virex for the PC is compatible with Microsoft Windows and Windows for Workgroups. Both VPCScan and the Virex TSR can be used in a Windows environment. VPCScan: Scanning and Treating Viruses under Windows VPCScan can be run from within Windows in two different ways. The first way to run VPCScan under Windows is to open a DOS window by clicking on the DOS icon in the MAIN group. This action will temporarily put you at a DOS prompt, and you can run VPCScan just as if you were in standard DOS mode. The second way is to install VPCShell and its custom icon. This method will allow you to double-click on a custom icon and call VPCScan under Windows. We recommend, however, that you run VPCScan from within DOS. This method will avoid any problems that might result from other tasks processing in the background under Windows. This approach is necessary, especially if you are using the Integrity checking and Inoculate features of VPCScan. Preventing Virus Infections Using Virex The Virex TSR will monitor DOS applications running under Windows for signature changes and for viruses. If the signature of a file has changed, program execution will be denied. You will not be given the option to run the program. If a file is not registered, it will be automatically scanned for viruses, but may not be added to the Integrity check list (depending on the switch settings that Virex is running). If a virus is found, a standard virus warning with options will be issued. Virex will not evaluate Windows applications for signature changes. Running the Virex TSR The Virex TSR should be run before the execution of Windows. It is possible that you have Windows installed to run automatically at startup (for example, a line to run WIN has been placed in the AUTOEXEC.BAT file). If this is the case, VIREX.COM should be placed before WIN in the AUTOEXEC.BAT file. Loading Virex before Windows will protect all Windows DOS sessions including those executed using the File Manager or Program Manager. If the command to start Virex is placed after WIN, the Virex TSR will not run and your system will be unprotected. <<<<<<<<<<<<<<< C H A P T E R 7: Safe Computing Practices >>>>>>>>>>>>>>>>>>>> You can reduce the risk of experiencing problems with a computer virus by following these guidelines: * Use software that is obtained from reputable and reliable sources. In general, commercial software from well-known software publishing firms should be virus-free. * Treat public domain and shareware software with caution. Test the software with the VPCScan program before you use it. Remember, computer viruses do not have an opportunity to replicate themselves until you execute the program they have infected. * There have been instances in which infected commercial software has been inadvertently shipped to consumers. Although this problem occurs infrequently, Datawatch recommends that you test all new commercial software with the VPCScan program before you use it. Registering your software will enable manufacturers to contact you if the need arises. * Start your computer from the hard disk or from a single, write- protected floppy system disk (to avoid boot sector viruses). Be sure to check your floppy disk drives before booting your computer to avoid accidentally attempting to boot from an infected floppy disk. Never boot from an unscanned floppy. * All newly acquired software applications should be backed up, write protected, and put in a safe place. Always execute your application programs from backup copies or from fresh copies placed on your hard disk. This will prevent your original copies from being contaminated by a virus, and ensure that a fresh copy is always available should your working copy become damaged. * Make regular backups of files you have customized, such as your AUTOEXEC.BAT and CONFIG.SYS files. This will save you hours of work rebuilding the system in the event of a virus attack or a hard disk failure. * Systematically back up your important data files to ensure that you do not lose important work. * Be security conscious and promote security awareness throughout your organization. By backing up important application and data files, you will limit your losses in the event of a hard-disk crash, a virus attack, or any other sudden computer failure. These safe computing practices will not only help to safeguard your computer from viruses, but will help prevent the loss of important data in the event of a catastrophe. Note: You might wish to consult your dealer about useful hardware and software backup solutions. <<<<<<<<<<<<<< A P P E N D I X A: Removing a Boot Sector Virus >>>>>>>>>>>>>> (Without CRITICAL.VRX) If you downloaded Virex for the PC after your system had become infected by a boot sector virus, or if you cannot recover using the Inoculate feature, then a manual removal might be necessary. If you are using MS-DOS 5.0 or later, skip to the section of this appendix titled "For MS-DOS 5.0 and Later Users." Virus Identified but Not Disinfected If after scanning your hard drive VPCScan finds a boot sector virus, but does not offer to Disinfect it, follow this procedure to manually remove the virus: 1. Reboot your computer from a clean, write-protected DOS disk. The DOS version on this disk must be the same as the DOS version on your hard drive. 2. Type DIR SYS.COM and press enter to see if this DOS disk has the SYS command on it. If it does, skip to step 4. 3. Insert your other DOS disks until you find the one with the SYS command on it. 4. Type SYS <drive>: and press enter (for example SYS C:). If you receive an error from DOS in this process, consult your DOS manual. Infected Partition Table If VPCScan still shows your computer to be infected after you have attempted to manually remove the virus, your computer's master boot record (and possibly its partition table) might be infected. To eliminate this kind of virus, you will need to follow a more complex set of steps: 1. Reboot your computer from a clean, write-protected DOS disk. The DOS version on this disk must be the same as the DOS version on your hard drive. 2. Backup your hard drive using the DOS BACKUP command, MSBACKUP command (DOS 6.0+), or a third-party backup utility. 3. Run FDISK from your DOS disk and rebuild the hard drive's partition table. (Consult your DOS manual.) Note: If you have DOS 5.0 or higher, running FDISK /MBR will replace any versions master boot record. See the following section for complete instructions. 4. Format your hard drive by typing FORMAT <drive>: /S and pressing enter (for example, FORMAT C: /S). 5. Restore your hard drive using the DOS RESTORE command, MSBACKUP command (DOS 6.0+), or a third-party backup utility. Because boot sector viruses normally do not infect files, this method will safely remove the virus from your hard drive. For MS-DOS 5.0 and later users There is an undocumented feature in the FDISK.EXE utility that is part of MS-DOS (version 5.0 and later). It can remove most Master Boot Record viruses without loss of data. Follow this simple procedure to remove a Master Boot Record virus without loss of any data: 1. Completely back up the infected machine. 2. Restart your machine with a clean MS-DOS 5.x or above boot disk in the A: drive. Make sure that the MS-DOS 5.x or above utility called FDISK.EXE is on the disk and that the disk is write protected. 3. Once booted directly to the A:> prompt, try to access the infected hard drive by typing "C:" and pressing enter. If DOS returns "Invalid Drive Letter", or something equivalent, abort this whole proceedure ! It is neither safe, nor will it help in this situation, to use FDISK /MBR. If, and only if, DOS returns the C:> prompt, type FDISK /MBR and press enter. Almost immediately, you should return to the A:> prompt. 4. Remove the diskette from the A: drive and restart the PC. 5. Insert the original write-protected Virex for the PC disk into the disk drive and type A:VPCSCAN C: and press enter, where A: is the drive containing the Virex for the PC disk, and C: is your primary/startup hard drive.This scan should indicate that no Master Boot Record viruses remain on your hard drive. Important Note After a PC becomes infected with a Master Boot Record virus, the virus may spread by infecting non-write-protected disks that are accessed by the infected system. After following the above procedure and successfully removing the resident virus, make sure that you scan all disks that have been used in this infected machine. Once you have confirmed that they are clean, write protect them. No virus can bypass this physical write-protection. <<<<<<<<<<<<<< A P P E N D I X B: Modifying the Protection File >>>>>>>>>>>>>> Virex provides an alert for every attempt to run an unregistered program. Normally you can register a program by running it while the Virex TSR is active. This protection can also be specified by using the Install program or by editing the VIREX.DAT Protection file. To modify the file directly, add the appropriate line to the Protection file. Integrity Database Registration A file can be added to the VIREX.DAT file's Integrity database registration list by adding a line in the form C=<Drive>:<path><filename>[<5-digit signature number>] to the proper Protection (VIREX.DAT) file. Note that if this line is added manually, Virex will generate a "modified signature" alert when it is started. You will then have the option to update to the correct signature automatically. By noting the correct signature, you can also update the Protection file manually. The * and ? wildcards may not be used in the file names listed in the signature file, because the signature for each file must be individually calculated. <<<<<<<<<<<<<<<<<<<< A P P E N D I X C: Troubleshooting >>>>>>>>>>>>>>>>>>>>>>> * Virex tells me that the signature for a program that I am running has changed. What should I do? If this is the first time Virex has checked this program since you upgraded the program to a more recent version, the change is expected. You should update your signatures and continue using the program without concern. If, on the other hand, this alert is occurring on a program that has not been intentionally updated by you, it is possible Virex has detected changes due to infection by a new virus. You should abort the program and save a copy for sending to Virex Support either via our BBS or via mail. After booting from a clean system disk, run VPCScan in its -V+ -I+ mode so VPCScan can repair the file. * A "bad signature" alert appears whenever you run the DOS command SETVER. Some few programs modify their own disk images under certain conditions in order to save configuration information internally. The MS-DOS utility SETVER is one such program. If a program repeatedly triggers Virex's "Changed Program" alerts, even after you have updated the integrity databases, it may be legitimately modifying itself. This is particularly likely if it is the ONLY program on your system that is changing. Datawatch is compiling a list of such "legitimately self-modifying" programs. You should check with our technical support group regarding the program you are using. If we do not currently have the program you are using listed as "legitimately self- modifying", you may want to submit a copy to us via the Virex Support BBS or via mail so we can examine it. * MS-DOS 6.0 USERS - Due to conflicts or startup problems it may be necessary to prevent AUTOEXEC.BAT and CONFIG.SYS from loading. MS-DOS 6.0 offers a feature that allows the user to boot their computer and not load AUTOEXEC.BAT and CONFIG.SYS. To boot your computer without these two files, restart your computer. When the text "Starting MS-DOS" appears, press and release the F5 key or press and hold down the Shift key. The following text will be displayed: MS-DOS is bypassing your CONFIG.SYS and AUTOEXEC.BAT files. To see a list of up-to-date troubleshooting information please consult the latest version of the README file. <<<<<<<<<<<<<<< A P P E N D I X D: Using the DataGate BBS >>>>>>>>>>>>>>>>>>>> You can download Virex for the PC updates from our DataGate dial-in service. DataGate is a BBS (Bulletin Board Service) that you may dial into by using a communications program and a modem. (The number is 508-988-6373.) Set Up Set up your communications program for 8 data bits, no parity, 1 stop bit, and ANSI emulation. DataGate supports speeds from 300 bps to 14,400 bps. Using DataGate If you have never dialed into DataGate, you will have to register yourself by answering the few simple questions that you will be asked, and also give yourself a password. Remember your password! You will not be able to re-enter the BBS without it. DataGate's primary purpose is to provide support to you, the Datawatch customer. So as soon as you enter the board, you will be able to find answers to your technical questions in our "Questions and Answers" Bulletin area, download product updates and new programs, and much more. In addition to Datawatch customer support, DataGate also has many DOS, Windows, and other utility files available for download. Downloading VPCScan To download the latest VPCScan, type the following at the Main Menu: d VIRX???.ZIP and press enter All necessary components will be stored in this file.Select your download protocol to start the download process. Help is always available by typing H and pressing enter where you get stuck and need assistance. Entering Comments and Suggestions Your comments and suggestions on the service that this BBS provides are always welcome, and we look forward to reading your suggestions. You may leave us a message by typing C and pressing enter at the Main Menu, outlining your ideas. <<<<<<<<<<<<<<< A P P E N D I X E: Novell Network Features >>>>>>>>>>>>>>>>>> Installation If you are on a Novell network, the Install program sends any virus alerts to the Novell console during the Virex for the PC install procedure. This method allows the system administrator to monitor users installing Virex for the PC and trace viral activity across the network. To turn this feature off, type INSTALL -NONOTE and press enter. This command will prevent the alerts from being sent to the console. Using Virex on a Novell Network If you are using Virex with a Novell Network, the network protection files for each server volume (as described in the User's Guide) should be flagged as Sharable/Read-Write. WARNING! If Virex has been automatically loaded prior to Novell NetWare drivers, Virex will be disabled by the loading of those drivers. Reloading Virex with the -R command line switch after NetWare drivers are in place will ensure that Virex is providing continuous protection. If you are attached to a Novell network, run VPCScan locally, and discover a virus on your local computer, VPCScan will notify both you and the Novell NetWare Console. If you wish to run VPCScan without this feature, use the -!N switch from the command line (for example, VPCSCAN -!N).If you are running NetWare 2.x, VPCScan will display the message on the console screen and write an entry to the LOG$MSG.LOG file, a NetWare log file.If you are running NetWare 3.x or 4.x, VPCScan will display only the "virus found" message to the console screen. No permanent log of these alerts will be kept on the server itself. <<<<<<<<<<<< A P P E N D I X F: External Virus Signature File >>>>>>>>>>>>>>> The external virus signature file is a feature meant only for expert users. It allows new viruses to be detected, by means of their signatures, without having to wait for a new release of Virex for the PC. You should be careful. If you use the external signature file and add a virus signature that we are already using within our virus signature database, Virex will inform you that it has found a virus in memory. You should contact Datawatch before using this feature. Signature File Format The file containing external signatures must be designated C:\VIREX\VIREX.VIR to be recognized by VPCScan. The format of the file is as follows: <virus-type><space><virus-name><space><ascii-signature-representation>! The <virus-type> indicates whether the virus signature following is for a "Program" virus or a "Boot" virus. Use "P" for program viruses and "B" for boot sector viruses. You can also use a "#" as a comment line indicator, if you wish; such flagged lines will be ignored. The <virus-name> is the name of the virus. It may not contain any spaces. You might want to use underscores or hyphens instead of spaces. The <ascii-signature-representation> is the translation of the hex signature string into an ASCII form. Each byte is represented by a zero-filled, right-justified two-place sequence: the proper representation of a hex "0xf" would be "0f"; to represent "0xff," use "ff."For example, if a new virus called NewVirus, a program type virus, were to have a signature string of "1 2 3 4 5 6 7 8 9 a b c d e f," its entry in the external signature file (C:\VIREX\VIREX.VIR) would be: #A comment line for the NewVirus external signature file example P NewVirus 0102030405060708090a0b0c0d0e0f ! Fixed signatures can be from 16 to 24 bytes long. Wildcard signatures use ?? to represent a single byte that can have any value, and ** to indicate one or more "don't care" bytes. Any wildcard signatures must follow all fixed signatures. Use of the external signature file is at your own risk. There is a limit of 55 external signatures. If you find a new virus, it is wisest to send a sample to Datawatch for analysis so a reliable signature can be produced. The use of external signatures produced and distributed sources other than Datawatch is likely to produce false positives and/or miss some samples of the new viruses. We only support the use of VIREX.VIR files released by Datawatch Corp. On receiving an update to Virex for the PC, please remove any external signature files you were previously using, to avoid possible false positives.