Antigen (c) 1995-1997 Sybari Software Inc. All rights reserved.
Design Name: The name of the design in a stored form. This is actually the value of the $TITLE field of the source document. If a title is not found, then the design ID is used as the name.
Is this document a confirmed virus or a false alarm?
User Name (labeled "Sent From" for messages): The Notes user name that initiated the source document read or write transaction. For CLEAN, this name always equals the source server since CLEAN operates under the server ID. For SENTRY, it is the name of the user who initiated the read or write.
Date Created: The source document creation date and time.
Date Modified: The source document last modified date and time.
Design ID: A unique ID computed from the stored form of the source document and used by the false alarm facility. Two documents with identical stored forms ($INFO, $BODY) will have the same design ID. Note that viruses without a stored form (button bombs, stealth forms, ...) do not have a design ID.
Source Server: The name of the server where the virus was detected.
Database File: The file specification of the database that contained the source document.
Source UNID: The universal note ID of the source document when it was found on the source server, in the source database file. To identify a document by UNID, create a view in the source database sorted by the formula @Text(@DocumentUniqueID). This formula returns the UNID of any document.
Copyright 1995-1997 Sybari Software Incorporated. All rights reserved.
GroupScan/GroupShield was designed and written by G. Tetrault of Sybari Software for McAfee Associates.
Compute audit trail on false alarm changes.
Used to detect changes to the false alarm field.
Designed and written by Gregory Tetrault for Sybari Software Incorporated. Completed 6/22/95.
GroupShield Quarantine Area
The GroupShield product suite is a complete solution to the problem of viruses in the Notes environment. It provides a number of sophisticated features such as: diagnosis and analysis information for all suspected viruses, a false alarm facility, and the ability to scan file attachments using the industry-leading McAfee virus scanning engine. The Quarantine Area is the repository for information about viruses, button bombs, mail bombs, and trojan forms that have been detected and defeated. Help is available from the "Using Quarantine Area" help menu and from the online documentation.
Copyright 1996-1997 by McAfee, Inc. All rights reserved. Notes security technology licensed from Sybari Software Inc.
Quarantine Area Views
SPECIAL MARKERS
Each view of the Quarantine Area includes a column that displays special red markers to indicate the status of 'stored forms' embedded in the document. Each marker will be displayed under the following conditions:
This marker indicates that the document contains a disabled stored form. The 'Enable Stored Form' macro may be used to enable the stored form. Be sure to use caution before enabling any stored form isolated by GroupShield.
This marker indicates that the document contains a stored form that is enabled. That means when the document is opened, the embedded stored form will be executed. Please note that GroupShield is disabled for the Quarantine Area, leaving the current workstation vulnerable to attack if a destructive stored form is executed. The stored form may be disabled using the 'Disable Stored Form' macro. Normally this marker will never appear.
Quarantine Area Procedures
RESTORE ORIGINAL DOCUMENT
WHEN TO...
Use this procedure when you wish to restore isolated documents to their respective source databases and the documents are not to be used as false alarm indicators. When documents are first isolated by GroupShield, they contain all the data of the original document plus additional data used for analysis and classification. If the source document contained a 'stored form' then the 'stored form' is disabled but present in the isolated document. So the procedure to restore has basically two parts: the first part is to clean up the document itself and the second part is to inject the document back into the source database.
HOW TO...
Use the following steps as a guide for restoring isolated documents to the database where the document was originally isolated.
Step 1. Select the documents you wish to restore from any view except the Restored Documents view.
Step 2. Run the macro "Restore Original Document" from the Tools menu. This will remove all GroupShield data from the document and restore certain source document fields. All the selected documents will disappear from the current view and become listed in the Restored Documents view.
NOTE: If a selected document was previously marked as a false alarm, you will receive a warning message. If you choose to proceed, the false alarm will be removed from the list of active false alarms. Use the next procedure if you need to restore the document and maintain a false alarm list entry.
Step 3. Open the Restored Documents view. You will see all of the restored documents organized by date.
Step 4. Open each document that needs to be restored. When opened, each document will be displayed with either a default mail form or a default document form. The presence of certain mail-specific fields (Recipients, SendTo) determines which default form is used. If you need to force all documents to be opened with the default document form, run the macro 'Toggle Restored Display Mode'.
Step 5. If the document is displayed with the default mail form, use the standard button macros "Send", "Reply", and/or "Forward" to resend the message. If the document is displayed with the default document form, use the "Restore to Source" button to copy the document into the source database. You can then use the "Open Source" button to open the source database for inspection.
Step 6. (Optional) After the document has been restored, delete the document from the Quarantine Area.
RESTORE COPY OF DOCUMENT
WHEN TO...
Use this procedure when you wish to restore isolated documents to their respective source databases and you wish to retain the original isolated document. The reason for retaining the isolated documents is usually to maintain historical incident data or to maintain a false alarm list entry if the document has been marked a false alarm. Recall that a false alarm entry enables GroupShield to skip documents with identical design characteristics that would otherwise be isolated. The actual procedure to restore has basically two parts: the first part is to clean up the document itself and the second part is to inject the document back into the source database.
HOW TO...
Use the following steps as a guide for restoring isolated documents to the database where the document was originally isolated.
Step 1. Select the documents you wish to restore from any view except the Restored Documents view.
Step 2. Run the macro "Restore Copy of Document" from the Tools menu. This will remove all GroupShield data and restore certain source document fields from a copy of the original isolated document. All of the selected documents will remain visible in the current view and the copies will become listed in the Restored Documents view.
NOTE: If a selected document contains a stored form and has not been marked as a false alarm, an error message will appear and the document will not be processed. In this case, either mark the document as a false alarm, or use the procedure described above to restore the document.
Step 3. Open the Restored Documents view. You will see all of the restored documents organized by date.
Step 4. Open each document that needs to be restored. When opened, each document will be displayed with either a default mail form or a default document form. The presence of certain mail-specific fields (Recipients, SendTo) determines which default form is used. If you need to force all documents to be opened with the default document form, run the macro 'Toggle Restored Display Mode'.
Step 5. If the document is displayed with the default mail form, use the standard button macros "Send", "Reply", and/or "Forward" to resend the message. If the document is displayed with the default document form, use the "Restore to Source" button to copy the document into the source database. You can then use the "Open Source" button to open the source database for inspection.
Step 6. (Optional) After the document has been restored, delete the document from the Quarantine Area.
CREATE FALSE ALARM
WHEN TO...
Use this procedure when you want to identify to GroupShield a trusted document design. In some instances, sophisticated mail-enabled applications may contain virus-like behavior but in fact are not viruses. Although this is quite rare in practice, it can happen. The false alarm facility of GroupShield allows you to identify a single instance of the design as a false alarm so that GroupShield will skip all other documents that contain an identical design. The facility will, however, only work on 'stored form' designs and not on rich text elements such as buttons and hotspots or file attachments.
HOW TO...
Use the following procedure to mark a document as a false alarm.
Step 1. Open the document from any view except the Restored Documents view. When the document opens, a series of radio buttons will appear in the top right corner of the window. If a radio button marked "False Alarm" is not present, then this document does not contain a stored form and cannot be marked as a false alarm.
Step 2. Switch the document into Edit mode by pressing Ctrl-E or using the equivalent menu command.
Step 3. Click the radio button marked "False Alarm" and save the document. The document will remain visible in the current view but will now also be visible in the False Alarms view.
NOTE: An audit trail is maintained on all changes made to the document status. Click the hotspot located just below the radio buttons and labeled "Audit Trail". A list of all changes, including changes to and from false alarm status will be displayed in a popup window.
CONFIRMING
WHEN TO...
Use this procedure when you want to identify to GroupShield a confirmed virus incident. This is useful for tracking viruses and identifying future viruses.
HOW TO...
Use the following procedure to mark a document as a confirmed virus.
Step 1. Open the document from any view except the Restored Documents view. When the document opens, a series of radio buttons will appear in the top right corner of the window.
Step 2. Switch the document into Edit mode by pressing Ctrl-E or using the equivalent menu command.
Step 3. Click the radio button marked "Confirmed" and save the document. The document will remain visible in the current view but will now be classified as a confirmed virus.
NOTE: An audit trail is maintained on all changes made to the document status. Click the hotspot located just below the radio buttons and labeled "Audit Trail". A list of all changes, including changes to and from confirmed status will be displayed in a popup window.