Technical note 1: Creating an exception list file for the /EXCLUDE option
4 VirusScan reference
VirusScan's Scan program detects, identifies, and disinfects known DOS
computer viruses. Scan checks memory and both the system and data areas of disks for virus infections. If Scan finds a known virus, in most cases it will eliminate the virus and fully restore infected programs or system areas to normal operation.
To obtain a list of all the viruses that Scan detects, run Scan with the /VIRLIST option.
In addition, Scan can also assign validation and recovery codes to files, and use those codes to detect and treat infection by new and unknown viruses. If Scan has stored validation or recovery data for files, it may detect file changes and warn that infection by an unknown virus may have occurred. Scan can also use the recovery codes to remove new or unknown viruses and restore infected files, master boot records (MBRs), and boot sectors.
This chapter describes how to use Scan from the DOS or OS/2 command prompt. For instructions on using interactive Scan, see Chapter 3.
Scan runs on DOS, Windows, and OS/2. The program files are SCAN.EXE (DOS), WSCAN.EXE (Windows), MSCAN.EXE (Menu DOS), and OS2SCAN.EXE (OS/2), respectively. This chapter describes them all.
1 Because OS/2 operates in a protected mode environment, Scan for OS/2 does not check memory. To protect against viruses in OS/2 DOS and Win-OS/2 sessions, use the VShield (for DOS) virus prevention program.
Do you need to read this chapter?
Many users will not need the Scan command line options described in this chapter. We have designed Scan so that basic operation, as described in "Scanning your system" and "When to rescan" in Chapter 2, will detect most viruses in your system. The command line options described here offer additional power and control over virus detection. They enable you to run Scan from batch or script files, and are most useful in vulnerable environments and to network administrators and information services staff.
System requirements and support
Scan requires DOS 3.1 or later, Windows 3.1 or later, or IBM OS/2 Version 2.1 or later. Running Scan for DOS with command line options requires 360Kb of free RAM. Running MScan with the graphical interface requires 530Kb of free RAM.
Scan works with 3Com 3/Share and 3/Open, Artisoft LanTastic, AT&T StarLAN, Banyan VINES, DEC Pathworks, IBM LAN Server, Microsoft LAN Manager, Novell NetWare, and any other IBMNET- or NETBIOS-compatible network operating systems. Contact McAfee or your local authorized agent if you do not see your network listed (see "Technical support" in Chapter 1).
Scan is designed to check for pre-existing infections of known and unknown viruses on floppy, hard, CD-ROM, and compressed (SuperStor, Stacker, Double-Space, and so on) disks on both stand-alone and networked personal computers, as well as network file servers. If you have a Novell NetWare/386 V3.1X or 4.01 file server, you may want to use the NetShieldÖ virus prevention NetWare Loadable Module (NLM) in conjunction with Scan.\x14
1 To use Scan to clean up (disinfect) virus-infected files, the CLEAN.DAT file must be present in the same subdirectory as Scan. If you don't have the CLEAN.DAT file, first verify whether you should contact your system administrator or information systems staff directly for virus clean-up. Otherwise, you can contact McAfee (see "Technical support" in Chapter 1).
Technical overview
Known virus detection
Scan detects known viruses by searching the system for known characteristics (sequences of code) unique to each computer virus and reporting their presence if found. For viruses that encrypt or cipher their code so that every infection is different, Scan uses detection algorithms that work by statistical analysis, heuristics, and code disassembly.
New and unknown virus detection
Scan can also check for new or unknown viruses by comparing files against previously recorded validation data. If a file has been modified, it will no longer match the validation data, and Scan will report that the file may have become infected. With certain options, Scan /CLEAN can use the validation and recovery data to restore infected files, master boot records (MBRs), or boot sectors.
Note to network users
To use Scan on a network drive (or directory), you must be connected to that drive and have read access to it. Some command line options described in this chapter attempt to create, change, and delete files. To use these options, you must have sufficient access rights. If you have questions about access rights, contact your network administrator.
Validating Scan
The Scan program in your VirusScan package is supplied on a write-protected diskette that should be secure from infection. We recommend that you update your copy of the VirusScan programs regularly. You can obtain an upgrade from several sources, as described in "Updating VirusScan regularly" in Chapter 2.
Before using a new version of Scan for the first time, verify that it has not been tampered with or infected by using the Validate program, as described in "Validate VirusScan" in Chapter 2. If your new copy of Scan differs from the validation data in the on-line documentation file, it may have been damaged. Don't use it, and obtain a clean copy of Scan from a known source.
Scan performs an integrity test when run. This self-check allows Scan to determine if it has been modified. If Scan fails its integrity test, a warning message appears, and Scan refuses to run and returns to the command line prompt. You must obtain an undamaged copy before continuing.
Running Scan from the command line
Scan checks files and other areas of the system that can contain computer viruses. When a virus is found, Scan identifies the virus and the system area or file where it was found.
By default, Scan examines only executable files (.EXE, .COM, .SYS, .BIN, .OVL, and .DLL files). These are the files most likely to be infected with a virus. Once you've installed VirusScan and have established a "sterile field" (as described in Chapter 2), you might not need to scan every file on your system again. Use the /ALL option to scan all files on your system. See "Scan option descriptions" later in this chapter for more information about the /ALL option.
1 Note that the list of extensions for standard executables has changed from -previous versions of VirusScan.
From DOS or OS/2, you can run Scan from the system prompt. (From OS/2, open the Command Prompts folder in the OS/2 system folder, then click the OS/2 Full Screen or OS/2 Window icon to see the system prompt.) The -syntax is:
DOS C> scan {drives} [options]
OS/2 [C:\] os2scan {drives} [options]
{drives} indicates one or more drives to be scanned. You must specify one or more drives to scan. If you list a drive like c:, all of its subdirectories will be scanned. If you list \, only the root directory and boot area of the current disk will be scanned. If you list \ or a directory, its subdirectories will not be scanned unless you use the /SUB option.
[options] indicates one or more of the Scan options listed in the next section, "Scan command line option summary."
Scan command line option summary
DOS-OS/2 option
Description/Windows option
/? or /HELP
Display help screen (not available in Windows, use Help menu instead).
/ADL
Scan all local drives (except floppy drives).
/ADN
Scan all network drives.
/AF {filename}
Store validation/recovery codes in filename.
/ALERT {servername}
Alert the servername server about infected files.
/ALL
Scan all files, not just standard executables.
/APPEND
Append to, rather than overwrite, the file (/REPORT).
/AV
Add validation/recovery data to program files.
/BOOT
Scan boot sector and master boot record only.
/CF {filename}
Check validation/recovery codes in filename.
/CLEAN
Clean up infections in boot sector, master boot record, and files when possible.
/CV
Check validation/recovery data in files.
/DEL
Overwrite and delete infected files.
/EXCLUDE {filename}
Exclude from scan any files listed in filename (with /AV).
/FAST
Speed up VirusScan's scanning; may detect fewer viruses.
/LISTEN {servername}
Load Scan and wait for a command from the servername server.
/LOAD {filename}
Use Scan settings stored in filename.
/LOG
Save date and time VirusScan was last run in SCAN.LOG.
/MANY
Scan multiple diskettes.
/MOVE {directory}
Move infected files to directory.
/NOCOMP
Skip checking compressed executables created with the LZEXE or PKLITE file compression programs.
/NOMEM
Skip memory checking (not applicable to OS/2).
/PAUSE
Enable screen pause.
/PLAD
Preserve last access dates on Novell drives.
/REPORT {filename}
Create report of infected files found during scan in filename.
DOS-OS/2 option
Description/Windows option
/RF {filename}
Remove validation/recovery codes in filename.
/RPTCOR
Add list of corrupted files to the report file (/REPORT).
/RPTERR
Add list of system errors to the report file (/REPORT).
/RPTMOD
Add list of modified files to the report file (/REPORT).
/RV
Remove validation/recovery data from files.
/SHOWLOG
Display information in SCAN.LOG.
/SUB
Scan subdirectories inside a directory.
/VIRLIST
Display list of viruses detected by VirusScan.
Scan option descriptions
Here is a detailed description of Scan's options.
/? or /HELP
Display list of Scan options
Does not scan. Instead, displays a list of Scan command line options with a brief description of each. No scanning is performed when these options are specified. Use either of these options alone on the command line.
/ADL
Scan all local drives (except floppy drives)
Scans all local drives for viruses, in addition to those specified on the command line. In DOS, use /ADL to check all local drives, including compressed drives and CD-ROMs. To scan both local and network drives, use /ADL and /ADN together in the same command line.
/ADN
Scan all network drives
Scans all network drives for viruses, in addition to those specified on the command line. To scan both local and network drives, use /ADL and /ADN together in the same command line.
/AF {filename}
Store validation/recovery codes in file
Helps you detect and recover from new or unknown viruses. /AF logs validation and recovery data for executable files, boot sector, and master boot record (MBR) of a disk in the file you specify. The log file is about 95 bytes per file -validated. You must specify a filename, which can include the target drive and directory (such as D:\VSVALID\VALCODES.VSC). If the target path is a network drive, you must have rights to create and delete files on that drive. If -filename exists, Scan updates it. /AF adds about 300% more time to scanning.
To exclude self-modifying or self-checking files that might cause false alarms, use the /EXCLUDE option. To recover from a virus using the /AF information, use the /CF and /CLEAN options together in the same command line. Using any of the /AF, /CF, or /RF options together in the same command line returns an error.
1 /AF performs the same function as /AV, but stores its data in a separate file rather than changing the executable files themselves. For more information, see "Detecting new and unknown viruses" in Chapter 6.
/ALERT {servername}
Alert the server about infected files (OS/2 only)
Notifies the servername server if infected files are detected during the scan. Using /ALERT and /LISTEN in the same command line returns an error. See your Command & Control Server documentation for more information.
/ALL
Check all files, not just standard executable files.
Increases system security by performing a more thorough scan. Otherwise, Scan checks only standard executable files (with .COM, .EXE, .SYS, .BIN, .OVL, and .DLL extensions), which are the files most likely to be infected by a virus. If /ALL is specified, Scan checks all files on the specified drive, which increases Scan's ability to detect viruses in overlay files but substantially increases the scanning time required. Use this option if you have found a virus or suspect one. (Note that the list of extensions for standard executables, above, has changed from previous releases of VirusScan.)
/APPEND
Append to the report file.
Used in conjunction with /REPORT, appends the report message text to the specified report file, if it exists. Otherwise, the /REPORT option overwrites
the specified report file, if it exists.
/AV
Add validation/recovery data to files
Helps you detect and recover from new or unknown viruses. /AV adds recovery and validation data to each standard executable file (.EXE, .COM, .SYS, .BIN, .OVL, and .DLL), increasing the size of each file by 98 bytes. To update files on a shared network drive, you must have update access rights. The /AV option adds about 100% more time to scanning.
To exclude self-modifying or self-checking files that might cause false alarms, use the /EXCLUDE option. To recover from a virus using the /AF information, use the /CV and /CLEAN options together in the same command line. Using any of the /AV, /CV, or /RV options together in the same command line returns an error.
1 The /AV option does not store any information about the master boot record (MBR) or boot sector of the drive being scanned.
/BOOT
Scan boot sector and master boot record only
Scans the boot sector and master boot record on the specified drive(s), but not files or directories on those drives.
/CF {filename}
Check validation/recovery codes in file
Helps you detect new or unknown viruses. Checks validation data stored by
the /AF option in filename. If a file or system area has changed, Scan reports that a viral infection may have occurred. The /CF option adds about 250% more time to scanning. For more information, see "Detecting new and unknown viruses" in Chapter 6. You can use /CF and /CLEAN in the same command line to check validation/recovery codes and remove any viruses found. Using any of the /AF, /CF, or /RF options together in a command line returns an error.
1 Some older Hewlett-Packard and Zenith PCs modify the boot sector each time the system is booted. If you use /CF or /CV, Scan continuously reports that the boot sector has been modified even though no virus may be present. Check your system's reference manual to determine whether your PC has self-modifying boot code, or contact McAfee for help (see "Technical support" in Chapter 1)\x14 1\x13OS/2 dual boot systems change the boot sector between DOS and OS/2 depending on which operating system is active. This causes Scan to report that the boot sector has been modified.
/CLEAN
Remove viruses from boot sector, master boot record, and infected files
Attempts to restore the boot sector, if infected, and any infected files. Usually, between 10% and 20% of all viruses are not removable; they damage the file they infect beyond repair. If the infected file resides on a network drive, you must have rights to modify files on that drive to clean it. If it cannot restore a file, you'll see a message that identifies the name of the unrecoverable file. To use
/CLEAN, the CLEAN.DAT file must reside in the Scan directory. For more information, see "Cleaning viruses" later in this chapter.
Use /CLEAN instead of /DEL when you want to restore infected files, not just delete or overwrite them. The /CLEAN option can remove master boot record (MBR) and boot sector viruses, but the /DEL option cannot. If you use /CLEAN and /DEL in the same command line, Scan first attempts to disinfect an infected file, then deletes it only if it cannot be repaired. Similarly, if you use /CLEAN and /MOVE in the same command line, Scan first attempts to clean an infected file, then moves it to the specified subdirectory if the file is unrecoverable.
You can use /CLEAN and /CF or /CV in the same command line to check validation/recovery codes and remove any viruses found. We strongly recommend that you get experienced help in dealing with viruses if you are unfamiliar with anti-virus software and methods. This is especially true for "critical" viruses and master boot record (MBR)/boot sector infections, because improper removal of these viruses can result in the loss of all data on the infected disks.
1 When scanning a network drive using /CLEAN, you must have sufficient rights to update files on that drive.
/CV
Check validation/recovery data in files
Helps you detect new or unknown viruses. Checks validation data added by the /AV option. If a file is modified, Scan reports that a viral infection may have occurred. The /CV option adds about 50% more time to scanning. You can use
/CLEAN and /CF or /CV in the same command line to check validation/recovery codes and restore infected files. Using any of the /AV, /CV, or /RV options together in the same command line returns an error.
1 For more information, see "Detecting new and unknown viruses" in Chapter 6. See also the note under /CF in this section.
/DEL
Overwrite and delete infected files
Deletes and overwrites each infected file. Files erased by the /DEL option cannot be recovered (generate a report so that you can restore them from backups). Instead of /DEL alone, we recommend using it in combination with the
/CLEAN option to attempt to disinfect an infected file first, then delete it only if the file is unrecoverable. The /CLEAN option can remove master boot record and boot sector viruses, but the /DEL option cannot.
1 When scanning a network drive using /DEL, you must have sufficient access rights to delete files on that drive.
/EXCLUDE {filename}
Scan using exception list file
Allows you to exclude files from /AF or /AV validation and /CF or /CV checking. Self-modifying or self-checking files can cause a false alarm during a scan. To create filename, see "Technical note 1: Creating an exception list file for the /EXCLUDE option" in this chapter.
/FAST
Speed up VirusScan's scanning
Reduces Scan time by about 15%. Using the /FAST option, Scan examines a smaller portion of each file for viruses, although it examines more files overall. Using /FAST might miss some infections found in a more comprehensive (but slower) scan. Do not use this option if you have found a virus or suspect one.
/LISTEN {servername}
Load Scan and wait for a command from the server
Using /LISTEN and /ALERT in the same command line returns an error. See your Command & Control Server documentation for more information.
/LOAD {filename}
Use Scan settings stored in {filename}.
By default, Scan loads its internal default settings plus any options specified on the command line. You can store all custom settings in a separate ASCII text file, then use /LOAD to load those settings from that file.
Use a text editor to create the file. You can put all options on the same command line or put each option (with its parameter) on its own line, separated by a hard carriage return and line feed, as shown in the following examples.
Sample load file with all options on the same command line:
m: /report a:infectn.rpt /rptcor /rpterr
Sample load file with each option on a separate command line:
m:
/report a:infectn.rpt
/rptcor
/rpterr
/LOG
Save date and time of last scan
Stores the time and date Scan is being run by updating or creating a file called SCAN.LOG in the current directory.
/MANY
Scan multiple floppies
Scans multiple diskettes consecutively in a single drive. Scan will prompt you for each diskette. Once you have established a virus-free system, use this option to check multiple diskettes quickly.
/MOVE {directory}
Move infected files to directory
Moves all infected files found during a scan to the specified directory. If you use /MOVE in conjunction with /CLEAN, Scan attempts to restore an infected file first, then moves it to the specified directory only if the file cannot be restored. Using /MOVE and /DEL in the same command line returns an error message.
/NOCOMP
Skip checking compressed executable files.
Reduces scanning time when a full scan is not needed. Otherwise, by default, Scan checks inside executable, or self-decompressing, files that have been -created using the LZEXE or PKLITE file compression programs. Scan decompresses each file in memory and checks for virus signatures, which takes time but results in a more thorough scan. If you use /NOCOMP, Scan does not check inside compressed files for viruses, although it can check for modifications to those files if they have been validated using validation/recovery codes.
/NOMEM
Skip memory checking
Reduces scan time by omitting all memory checks for viruses. Use /NOMEM only when you are absolutely certain that your system is virus-free.
By default, Scan checks system memory for all for critical known computer viruses that can inhabit memory. In addition to main memory from 0Kb to 640Kb, Scan checks system memory from 640Kb to 1088Kb that can be used by computer viruses on 286 and later systems. Memory above 1088Kb is not addressed directly by the processor and is not presently susceptible to viruses.
1 /NOMEM is not applicable to OS/2.
/PAUSE
Enable screen pause
If you specify /PAUSE, the More? (H = Help) prompt appears when
Scan fills up a screen with messages, such as when using the /SHOWLOG or
/VIRLIST options. Otherwise, by default, Scan fills and scrolls a screen continuously without stopping, which allows Scan to run on PCs with many drives or that have severe infections without requiring you to attend. We recommend that you omit /PAUSE when keeping a record of Scan's messages using the report options (/REPORT, /RPTCOR, /RPTMOD, and /RPTERR).
/PLAD
Preserve last access dates (on NetWare drives only).
Prevents changing the last access date attribute for files stored on a network drive in a Novell network. Normally, NetWare updates the last access date when Scan opens and examines a file. However, some tape backup systems use this last access date to decide whether to back up the file. Use /PLAD to ensure that the last access date does not change as the result of scanning.
/REPORT {filename}
Create report of infected files and system errors
Saves the output of Scan to filename in ASCII text file format. If filename exists, /REPORT erases and replaces it. You can include the destination drive and directory (such as D:\VSREPRT\ALL.TXT), but if the destination is a network drive, you must have rights to create and delete files on that drive. You can also use /RPTCOR, /RPTMOD, and /RPTERR to add corrupted files, modified files, and system errors to the report.
/RF {filename}
Remove validation/recovery codes in file
Removes recovery and validation data from filename created by the /AF option. If filename resides on a shared network drive, you must be able to delete files on that drive. Using any of the /AF, /CF, or /RF options together in the same command line returns an error.
/RPTCOR
Add corrupted files to Scan report
Used in conjunction with /REPORT, adds the names of corrupted files to the report file. A corrupted file is a file that a virus has damaged beyond repair, which typically occurs in 10% to 20% of all viral infections. You can use
/RPTCOR with /RPTMOD and /RPTERR on the same command line.
/RPTERR
Add errors to Scan report
Used in conjunction with /REPORT, adds system errors to the report file.
System errors include problems reading or writing to a diskette or hard disk, file system or network problems, problems creating reports, and other system-related problems. You can use /RPTERR with /RPTCOR and /RPTMOD on the same command line.
/RPTMOD
Add modified files to the Scan report
Used in conjunction with /REPORT, adds the names of modified files to the report file. Scan identifies modified files when the validation/recovery codes
do not match (using the /CF or /CV options). You can use /RPTMOD with
/RPTCOR and /RPTERR on the same command line.
/RV
Remove validation/recovery from files
Removes validation and recovery data from files validated with the /AV option, along with the SCAN.LOG file on the specified drive. To update files on a shared network drive, you must have access rights to update them. Using any of the
/AV, /CV, or /RV options together in the same command line returns an error.
/SHOWLOG
Update and display the contents of SCAN.LOG
Stores the time and date Scan is being run by updating or creating a file called SCAN.LOG in the current directory, and shows you the date and time of previous scans that have been recorded in the SCAN.LOG file using the /LOG switch. The SCAN.LOG file contains text and some special formatting. To pause when the screen fills with messages, specify the /PAUSE option.
/SUB
Scan subdirectories
By default, when you specify a directory to scan rather than a drive, Scan will examine only the files it contains, not its subdirectories. Use /SUB to scan all subdirectories inside any directories you've specified. Do not use /SUB if you are scanning an entire drive.
/VIRLIST
Display the contents of SCAN.DAT
Shows you the name and a brief description of the viruses that VirusScan detects. To pause when the screen fills with messages, specify the /PAUSE option. Use /VIRLIST alone or with /PAUSE on the command line.
You can save the list of virus names and descriptions to a file by redirecting the output of the command. For example, in DOS:
scan /virlist > filename.txt
Cleaning viruses
Although /CLEAN removes many viruses and restores normal operation, viruses can be harmful and insidious, and no anti-virus program can undo all their damage. Usually, between 10% and 20% of all viruses corrupt the files they infect, making them unrecoverable. If the file is infected with an uncommon virus that /CLEAN can't remove, Scan notifies you and identifies the filename. Note this filename so that you know what to restore from a backup diskette or tape. If you use both the /CLEAN and the /DEL options, Scan will first attempt to repair an infected file and, if the file is damaged beyond repair, Scan will delete it. Deleted files are not recoverable except from backups.
Some viruses damage or overwrite program (.EXE) files or overlay files. Removing the virus can truncate the file or otherwise render it inoperable. Others, like the common virus Stoned, infect the master boot record (MBR). On systems partitioned with programs other than DOS (such as Disk Manager and SpeedStor), removing the virus can cause loss of the master boot record (MBR) and all data on the disk, if done improperly.
Basic principles to minimize damage
These considerations lead to the three important principles:
1 Before running Scan with the /CLEAN option, back up all of your programs and data.
Of course, this works best if you back up your files regularly, so that you can restore your files from a backup made before your system was infected. But even a backup from an infected system can be useful for restoring data, because most viruses do not corrupt data. If a program no longer runs after being cleaned, replace it from the original disk or from a virus-free backup.
When disinfecting an infected system, it is important to start from a "sterile field," as described in Chapter 2.
2 Before running Scan with the /CLEAN option for DOS, restart your computer from a clean, write-protected diskette; before running it for OS/2, close all DOS and Win-OS/2 sessions.
Preferably, use the clean anti-virus start-up diskette you created in "Making a clean start-up diskette" in Chapter 2.\x11And, because running any program can spread the infection:
3 Do not run any programs, including Windows, before running Scan
/CLEAN.
Run Scan /CLEAN from DOS instead of Windows. Exit completely from -Windows. Do not run Scan /CLEAN from within a DOS window.
1 Important\x13If you are at all unsure about how to proceed once you've found a virus, contact McAfee technical support, or your local authorized agent, for assistance (see "Technical support" in Chapter 1).
We strongly recommend that you get experienced help in dealing with viruses if you are unfamiliar with anti-virus software and methods. This is especially true for "critical" viruses and master boot record (MBR)/boot sector infections, because improper removal of these viruses can result in the loss of all data and use of the infected disks.
Running Scan to clean up infections
Preparation
Before running Scan to clean up infections:
1 Clear the virus from system memory and prevent reinfection:
1 With DOS or Windows, turn off your PC, then restart from a clean start-up diskette, -preferably the anti-virus diskette you prepared in "Making a clean start-up diskette" in Chapter 2.
1 With OS/2, close all DOS and Win-OS/2 sessions.
1 With an OS/2 dual-boot system infected by a boot sector virus (like Form, or others identified by Scan), boot (start up) OS/2 first, delete the BOOT.DOS file from the \OS2 directory, and then boot DOS to create a new, virus-free DOS boot sector file.
2 Run the Scan program to locate and identify the infections.
3 Back up the files on the infected disks (be sure not to overwrite any previous backups).
4 Repeat Step 1.
5 Run the Scan program with the /CLEAN option to remove infections.
1 Don't run any programs, including Windows, before running Scan /CLEAN.
If you have Windows, run Scan /CLEAN from DOS.
1 When disinfecting a hard disk, always run Scan /CLEAN from a write-
protected diskette to prevent infection of the Scan program. When disinfecting diskettes, make sure there is no active virus in memory before running Scan from your hard disk.
Successful and unsuccessful results
Scan /CLEAN reports the results of its attempt to remove the virus from each infected file. If a file has several infections, it will report on each.
If viruses were not removed, contact technical support
If Scan can't remove a virus, you'll see a message like:
Virus cannot be safely removed from this file.
Make sure to take note of the file name, because you will need to restore it
from backups. If you have any questions about how to proceed, contact McAfee technical support or your local authorized agent (see "Technical support" in Chapter 1).
If viruses were safely removed, rescan and check diskettes
If Scan /CLEAN has successfully removed all the viruses, turn your computer off again and restart from the system disk. Scan your hard disks again to make sure they are virus-free. If you suspect that your system was infected from a -diskette, run Scan from your hard disk to examine and disinfect the diskettes you use.
Examples
These examples show different option settings. In OS/2, remember to use OS2SCAN instead of SCAN.
scan c:
Scan all executable files on drive C.
scan f:
Scan all standard executable files on drive F, a network drive.
scan c: /adl /adn
Scan all local and network drives (except floppy drives).
scan f: g: h: /del /all
Scan all files on drives F, G, and H, and delete any infected files found.
scan c: d: e: /av /all
Scan for viruses in all files and add validation codes to executable files on drives C, D, and E.
Scan for viruses on network drive M: and create a log file of infections, corruptions, and errors in the file INFECTN.RPT on drive A. This will overwrite A:INFECTN.RPT, if it exists.
scan e:\user\jake e:\user\daisy e:\user\nick /sub
Scan all subdirectories inside the directories USER\JAKE, USER\DAISY, and USER\NICK on drive E.
scan c: d: e: /fast /cv
Quickly scan drives C, D, and E, and report any executable files that have associated validation codes and have been modified.
scan c:\command.com
Scan a single file.
scan c: d: /clean
Scan drives C and D and remove infections.
Error levels
After Scan has finished running, it sets the ERRORLEVEL. You can use the ERRORLEVEL in batch files to take different actions based on the results of the scan. See your DOS operating system documentation for more information. Scan returns the following ERRORLEVELs:
ERRORLEVEL
Description
0
No errors occurred and no viruses were found.
1
Error occurred while accessing a file (reading or writing).
2
A VirusScan database (*.DAT) file is corrupted.
3
An error occurred while accessing a disk (reading or writing).
4
An error occurred while accessing the file created with the /AF option; the file has been damaged.
5
Insufficient memory to load program or complete operation.
6
An internal program error occurred.
7
An error in accessing an international message file (MCAFEE.MSG).
8
A file required to run VirusScan, such as SCAN.DAT, is missing.
9
Incompatible or unrecognized option(s) or option argument(s) were specified in the command line.
10
A virus was found in memory.
11
An internal program error occurred.
12
An error occurred while attempting to remove a virus, such as no CLEAN.DAT file found, or VirusScan was unable to remove the virus.
13
One or more viruses was found in the master boot record, boot
sector, or file(s).
14
The SCAN.DAT file is out of date; upgrade VirusScan data files.
15
VirusScan self-check failed. It may be infected or damaged.
16
An error occurred while accessing a specified drive or file.
17
No drive, directory or file was specified; nothing to scan.
18
A validated file has been modified (/CF or /CV options).
19û99
Reserved.
100+
Operating system error; Scan adds 100 to the original error number.
Application note 1:
Updating validation codes
If you install any new software or programs on your system, including a new version of DOS, and are running Scan or VShield with the /CF (preferred) or
/CV -validation options, you need to install validation codes for the new files with Scan's /AF (preferred) or /AV options.
The quickest way to update the validation codes is to remove all validation codes from the hard disk and then add them back. In other words, first run Scan with the /RF or /RV option, then run it again with the /AF or /AV option.
Application note 2:
Reformatting infected diskettes with DOS 5.0 and later
When reformatting infected diskettes using DOS 5.0 and later versions, be sure to add the /U switch to the FORMAT command. This tells DOS to do an unconditional format of the diskette, without saving the original infected boot sector. This is necessary to erase certain infections, and will prevent reinfection by unformatting the diskette.
Technical note 1:
Creating an exception list file for the /EXCLUDE option
If you set up validation codes using Scan's /AF or /AV options, subsequent scans using the /CF or /CV options will detect changes in executable files.
This can generate false alarms if the executable files are self-modifying or self-checking (most programs that do this will tell you to turn off your anti-virus software before running them; some of these files are listed below). Therefore, use the /EXCLUDE option in conjunction with /AF or /AV to identify such files and exclude them from the validation.
The exception list is an ASCII or DOS text file. If you use a word processor to create it, be sure to save the file as ASCII or DOS Text. Each line in the file contains the path and file name of one file that should not be validated. Here is an example:
