home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Experimental BBS Explossion 3
/
Experimental BBS Explossion III.iso
/
virus
/
oscb200b.zip
/
VIRUSCAN.TXT
< prev
Wrap
Text File
|
1994-03-16
|
43KB
|
1,078 lines
SCAN Reference Copyright 1994 McAfee Inc. Page 1
VirusScan REFERENCE
VirusScan's Scan program detects, identifies, and
disinfects more than 2,600 known DOS computer
viruses. Scan checks memory and both the system
and data areas of disks for virus infections. If
Scan finds a known virus, in most cases it will
eliminate the virus and fully restore infected
programs or system areas to normal operation.
The SCAN.DAT file that accompanies Scan lists all
viruses that Scan identifies and removes. Use Scan
with the /VIRLIST option to see a list of these
viruses.
In addition, Scan can also assign validation and
recovery codes to files, and use those codes to
detect and treat infection by new and unknown
viruses. If Scan has stored validation or recovery
data for files, it may detect file changes and
warn that infection by an unknown virus may have
occurred. Scan can also use the recovery codes to
remove new or unknown viruses and restore infected
files, master boot record (MBRs), and boot
sectors.
Scan runs on DOS, Windows, and OS/2. The program
files are SCAN.EXE, WSCAN.EXE, and OS2SCAN.EXE,
respectively.
Because OS/2 operates in a protected mode
environment, Scan for OS/2 does not check memory.
To protect against viruses in OS/2 DOS and Win-
OS/2 sessions, use the VShield (for DOS) virus
prevention program.
DO YOU NEED TO READ THIS DOCUMENT?
Many users will not need the Scan command line
options described in details here. We have
designed Scan so that basic operations will detect
most viruses in your system. The command line
options described here offer additional power and
control over virus detection. They enable you to
run Scan from batch or script files, and are most
useful in vulnerable environments and to network
administrators and information services staff.
SCAN Reference Copyright 1994 McAfee Inc. Page 2
SYSTEM REQUIREMENTS AND SUPPORT
Scan requires DOS 3.0 or later, Windows 3.1 or
later, or IBM OS/2 Version 2.0 or later. Running
Scan for DOS with command line options requires
360Kb of free RAM.
Scan works with 3Com 3/Share and 3/Open, Artisoft
LanTastic, AT&T StarLAN, Banyan VINES, DEC
Pathworks, IBM LAN Server, Microsoft LAN Manager,
Novell NetWare, and any other IBMNET- or NETBIOS-
compatible network operating systems. Contact
McAfee or your local authorized agent if you do
not see your network listed.
Scan is designed to check for pre-existing
infections of known and unknown viruses on floppy,
hard, CD-ROM, and compressed (SuperStor, Stacker,
Doublespace, and so on) disks on both stand-alone
and networked personal computers, as well as
network file servers. If you have a Novell
NetWare/386 V3.1X or 4.01 file server, you may
want to use the NETShield virus prevention
NetWare Loadable Module in conjunction with Scan.
To use Scan to clean up (disinfect) virus-infected
files, the CLEAN.DAT file must be present in the
same subdirectory as Scan. If you don't have the
CLEAN.DAT file, first verify whether you should
contact your system administrator or information
systems staff directly for virus clean-up.
Otherwise, you can contact McAfee.
TECHNICAL OVERVIEW
KNOWN VIRUS DETECTION
Scan detects known viruses by searching the system
for known characteristics (sequences of code)
unique to each computer virus and reporting their
presence if found. For viruses that encrypt or
cipher their code so that every infection is
different, Scan uses detection algorithms that
work by statistical analysis, heuristics, and code
disassembly.
NEW AND UNKNOWN VIRUS DETECTION
Scan can also check for new or unknown viruses by
comparing files against previously recorded
validation data. If a file has been modified, it
SCAN Reference Copyright 1994 McAfee Inc. Page 3
will no longer match the validation data, and Scan
will report that the file may have become
infected. With certain options, Scan /CLEAN can
use the validation and recovery data to restore
infected files, master boot records (MBRs), or
boot sectors.
NOTE TO NETWORK USERS
To use Scan on a network drive (or directory), you
must be connected to that drive and have read
access to it. Some command line options attempt to
create, change, and delete files. To use these
options, you must have sufficient access rights.
If you have questions about access rights, contact
your network administrator.
VALIDATING SCAN
The Scan program in your VirusScan package is
supplied on a write-protected diskette (notchless)
that should be secure from infection. We recommend
that you update your copy of the VirusScan
programs regularly. You can obtain an upgrade from
several sources.
Before using a new version of Scan for the first
time, verify that it has not been tampered with or
infected by using the Validate program. If your
new copy of Scan differs from the validation data
in the on-line documentation file, it may have
been damaged. Don't use it, and obtain a clean
copy of Scan from a known source.
Scan performs a self-check when it runs. If Scan
has been modified in any way, a warning appears
and asks you whether to continue or quit. Scan may
be infected. If you choose to continue, Scan can
still check for viruses but may spread the
infection. Therefore, if Scan reports that it has
been damaged, we recommend that you quit, and then
obtain a clean copy before continuing.
Running Scan from the command line
Scan checks files and other areas of the system
that can contain computer viruses. When a virus is
found, Scan identifies the virus and the system
area or file where it was found.
By default, Scan examines all files on a system.
Once you've installed VirusScan and have
SCAN Reference Copyright 1994 McAfee Inc. Page 4
established a "sterile field", you might not need
to scan every file on your system again, just the
executable files (.EXE, .COM, .SYS, .BIN, .OVL,
and .DLL files). Use the /STD option to scan
executable files only. (Note that the list of
extensions for standard executables has changed
from previous versions of Scan.)
From DOS or OS/2, you can run Scan from the system
prompt. (From OS/2, open the Command Prompts
folder in the OS/2 system folder, then choose OS/2
Full Screen or OS/2 Window to see the system
prompt.) The syntax is:
DOS C> scan {drives} [options]
OS/2 [C:\] os2scan {drives} [options]
* {drives} indicates one or more drives to be
scanned. You must specify one or more drives to
scan. If you list a drive like c:, all of its
subdirectories will be scanned. If you list \,
only the root directory and boot area of the
current disk will be scanned. If you list \ or a
directory, its subdirectories will not be scanned
unless you use the /SUB option.
* [options] indicates one or more of the Scan
options listed in "Scan command line option
summary."
SCAN COMMAND LINE OPTION SUMMARY (DOS-OS/2)
/? or /HELP
Display help screen (not available in Windows, use
Help menu instead).
/ADL
Scan all local drives.
/ADN
Scan all network drives.
/AF {filename}
Store validation/recovery codes in filename.
SCAN Reference Copyright 1994 McAfee Inc. Page 5
/AV
Add validation/recovery data to program files.
/BOOT
Scan boot sector and master boot record only.
/CF {filename}
Check validation/recovery codes in filename.
/CLEAN
Clean up infections in boot sector, master boot
record, and files when possible.
/CV
Check validation/recovery data in files.
/DEL
Overwrite and delete infected files.
/EXCLUDE {filename}
Exclude from scan any files listed in filename.
(with /AV).
/FAST
Speed up VirusScan's scanning; may detect fewer
viruses.
/HISTORY
Append, rather than overwrite, the report file
(/REPORT).
/LOAD {filename}
Use Scan settings stored in filename.
SCAN Reference Copyright 1994 McAfee Inc. Page 6
/LOG
Save date and time VirusScan was last run in
SCAN.LOG.
/MOVE {directory}
Move infected files to directory.
/NOMEM
Skip memory checking (not applicable to OS/2).
/PAUSE
Enable screen pause.
/PLAD
Preserve last access dates on network drives in a
Novell network.
/REPORT {filename}
Create report of infected files found during scan
in filename.
/RF filename
Remove validation/recovery codes in filename.
/RPTCOR
Add list of corrupted files to the report file
(/REPORT).
/RPTERR
Add list of system errors to the report file
(/REPORT).
/RPTMOD
Add list of modified files to the report file
(/REPORT).
/RV
Remove validation/recovery data from files.
/SHOWLOG
Display information in SCAN.LOG.
SCAN Reference Copyright 1994 McAfee Inc. Page 7
/STD
Scan executable files only (COM, EXE, SYS, BIN,
OVL, DLL)
/SUB
Scan subdirectories inside a directory.
/VIRLIST
Display list of viruses stored in SCAN.DAT
SCAN OPTION DESCRIPTIONS
Here is a detailed description of Scan's options.
/? or /HELP
Display list of Scan options
Does not scan. Instead, displays a list of Scan
command line options with a brief description of
each. Use these options alone on the command line.
/ADL
Scan all local drives
Scans all local drives for viruses, in addition to
those specified on the command line. In DOS, use
/ADL to check all local drives, including
compressed drives and CD-ROMs. To scan both local
and network drives, use /ADL and /ADN together in
the same command line.
/ADN
Scan all network drives
Scans all network drives for viruses, in addition
to those specified on the command line. To scan
both local and network drives, use /ADL and /ADN
together in the same command line.
/AF filename
Store validation/recovery codes in file
Helps you detect and recover from new or unknown
viruses. /AF logs validation and recovery data for
executable files, boot sector, and master boot
record (MBR) of a disk in the file you specify.
SCAN Reference Copyright 1994 McAfee Inc. Page 8
The log file is about 95 bytes per file validated.
You must specify a filename, which can include the
target drive and directory (such as
D:\VSVALID\VALCODES.VSC). If the target path is a
network drive, you must be able to create and
delete files in that drive. If filename exists,
Scan updates it. The /AF option adds about 300%
more time to scanning.
To exclude self-modifying or self-checking files
that might cause false alarms, use the /EXCLUDE
option. To recover from a virus using the /AF
information, use the /CF and /CLEAN options
together in the same command line. Using any of
the /AF, /CF, or /RF options together in the same
command line returns an error.
/AF performs the same function as /AV, but stores
its data in a separate file rather than changing
the executable files themselves.
/AV
Add validation/recovery data to files
Helps you detect and recover from new or unknown
viruses. /AV adds recovery and validation data to
each standard executable file (.EXE, .COM, .SYS,
.BIN, .OVL. and .DLL), increasing the size of each
file by 98 bytes. To update files on a shared
network drive, you must have update access rights.
The /AV option adds about 100% more time to
scanning.
To exclude self-modifying or self-checking files
that might cause false alarms, use the /EXCLUDE
option. To recover from a virus using the /AF
information, use the /CV and /CLEAN options
together in the same command line. Using any of
the /AV, /CV, or /RV options together in the same
command line returns an error.
/BOOT
Scan boot sector and master boot record only
SCAN Reference Copyright 1994 McAfee Inc. Page 9
Scans the boot sector and master boot record on
the specified drive(s), but not files or
directories on those drives.
/CF filename
Check validation/recovery codes in file
Helps you detect new or unknown viruses. Checks
validation data stored by
the /AF option in filename. If a file or system
area has changed, Scan reports that a viral
infection may have occurred. The /CF option adds
about 250% more time to scanning. You can use /CF
and /CLEAN in the same command line to check
validation/recovery codes and remove any viruses
found. Using any of the /AF, /CF, or /RF options
together in the same command line returns an
error.
Some older Hewlett-Packard and Zenith PCs modify
the boot sector each time the system is booted. If
you use /CF or /CV, Scan will continuously report
that the boot sector has been modified even though
no virus may be present. Check your system's
technical reference manual to determine whether
your PC has self-modifying boot code, or contact
McAfee for help.
OS/2 dual boot systems change the boot sector
between DOS and OS/2 depending on which operating
system is active. This causes Scan to report that
the boot sector has been modified.
/CLEAN
Remove viruses from boot sector, master boot
record, and infected files
Attempts to restore the boot sector, if infected,
and any infected files. Usually, between 10% and
20% of all viruses are not removable; they damage
the file they infect beyond repair. If the
infected file resides on a network drive, you must
be able to modify files on that drive to clean it.
If it cannot restore a file, you'll see a message
that identifies the name of the unrecoverable
file. To use /CLEAN, the CLEAN.DAT file must
reside in the Scan directory.
Use /CLEAN instead of /DEL when you want to
restore infected files, not just delete or
SCAN Reference Copyright 1994 McAfee Inc. Page 10
overwrite them. The /CLEAN option can remove
master boot record (MBR) and boot sector viruses,
but the /DEL option cannot. If you use /CLEAN and
/DEL in the same command line, Scan first attempts
to disinfect an infected file, then deletes it
only if it cannot be repaired. Similarly, if you
use /CLEAN and /MOVE in the same command line,
Scan attempts first to clean an infected file,
then moves it automatically if the file is
unrecoverable.
You can use /CLEAN and /CF or /CV in the same
command line to check validation/recovery codes
and remove any viruses found. We strongly
recommend that you get experienced help in dealing
with viruses if you are unfamiliar with anti-virus
software and methods. This is especially true for
"critical" viruses and master boot record
(MBR)/boot sector infections, because improper
removal of these viruses can result in the loss of
all data on the infected disks.
When scanning a network drive using /CLEAN, you
must have sufficient rights to update files on
that drive.
/CV
Check validation/recovery data in files
Helps you detect new or unknown viruses. Checks
validation data added by the /AV option. If a file
is modified, Scan reports that a viral infection
may have occurred. The /CV option adds about 50%
more time to scanning. You can use /CLEAN and /CV
or /CF in the same command line to check
validation/recovery codes and restore infected
files. Using any of the /AV, /CV, or /RV options
together in the same command line returns an
error.
/DEL
Overwrite and delete infected files
Deletes and overwrites each infected file. Files
erased by the /DEL option cannot be recovered
(generate a report so that you can restore them
from backups). Instead of /DEL alone, we recommend
using it in combination with the /CLEAN option to
attempt to disinfect an infected file first, then
delete it only if the file is unrecoverable. The
/CLEAN option can remove master boot record and
SCAN Reference Copyright 1994 McAfee Inc. Page 11
boot sector viruses, but the /DEL option cannot.
When scanning a network drive using /DEL, you must
have sufficient access rights to delete files on
that drive.
/EXCLUDE filename
Scan using exception list file
Allows you to exclude files from /AF or /AV
validation. Self-modifying or self-checking files
can cause a false alarm during a scan. To create
filename, see "Creating an exception list"
/FAST
Speed up VirusScan's scanning
Reduces Scan time by about 15%. Using the /FAST
option, Scan examines a smaller portion of each
file for viruses, although it examines more files
overall. Using /FAST might miss some infections
found in a more comprehensive (but slower) scan.
Do not use this option if you have found a virus
or suspect one.
/HISTORY
Append to the report file.
Used in conjunction with /REPORT, appends the
report message text to the specified report file,
if it exists. Otherwise, the /REPORT option
overwrites the specified report file, if it
exists.
/LOAD {filename}
Use Scan settings stored in filename.
By default, Scan loads its internal default
settings plus any options specified on the command
line. You can store all custom settings in a
separate ASCII text file, then use /LOAD to load
SCAN Reference Copyright 1994 McAfee Inc. Page 12
those settings from that file.
/LOG
Save date and time of last scan
Stores the time and date Scan is being run by
updating or creating a file called SCAN.LOG in the
current directory.
/MOVE {directory}
Move infected files to directory
Moves all infected files found during a scan to
the specified directory. If you use /MOVE in
conjunction with /CLEAN, Scan attempts to restore
an infected file first, then moves it to the
specified directory only if the file cannot be
restored. Using /MOVE and /DEL in the same
command line returns an error message.
/NOMEM
Skip memory checking
Reduces scan time by omitting all memory checks
for viruses. Use /NOMEM only when you are
absolutely certain that your system is virus-free.
By default, Scan checks system memory for critical
known computer viruses that can inhabit memory. In
addition to main memory from 0Kb to 640Kb, Scan
checks system memory from 640Kb to 1088Kb that can
be used by computer viruses on 286 and later
systems. Memory above 1088Kb is not addressed
directly by the processor and is not presently
susceptible to viruses.
/NOMEM is not applicable to OS/2.
/PAUSE
Enable screen pause
If you specify /PAUSE, the More? (H = Help) prompt
appears when Scan fills up a screen with messages.
Otherwise, by default, Scan fills and scrolls a
screen continuously without stopping, which allows
Scan to run on PCs with severe infections without
requiring you to attend. We recommend that you
omit /PAUSE when keeping a record of Scan's
messages using the report options (/REPORT,
SCAN Reference Copyright 1994 McAfee Inc. Page 13
/RPTCOR, /RPTMOD, and /RPTERR), or when using the
/SHOWLOG or /VIRLIST options.
/PLAD
Preserve last access dates (on NetWare drives only).
Prevents changing the last access date attribute
for files stored on a network drive in a Novell
network. Normally, NetWare updates the last access
date when Scan opens and examines a file. However,
some tape backup systems use this last access date
to decide whether to back up the file. Use /PLAD
to ensure that the last access date does not
change as the result of scanning.
/REPORT {filename}
Create report of infected files and system errors
Saves the output of Scan to filename in ASCII text
file format. If filename exists, /REPORT erases
and replaces it. You can include the destination
drive and directory (such as D:\VSREPRT\ALL.TXT),
but if the destination is a network drive, you
must be able to create and delete files on that
drive. You can also use /RPTCOR, /RPTMOD, and
/RPTERR to add corrupted files, modified files,
and system errors to the report.
/RF filename
Remove validation/recovery codes in file
Removes recovery and validation data from filename
created by the /AF option. If filename resides on
a shared network drive, you must be able to delete
files on that drive. Using any of the /AF, /CF, or
/RF options together in the same command line
returns an error.
/RPTCOR
Add corrupted files to Scan report
Used in conjunction with /REPORT, adds the names
of corrupted files to the report file. A corrupted
file is a file that a virus has damaged beyond
repair, which typically occurs in 10% to 20% of
all viral infections. You can use /RPTCOR with
/RPTMOD and /RPTERR on the same command line.
SCAN Reference Copyright 1994 McAfee Inc. Page 14
/RPTERR
Add errors to Scan report
Used in conjunction with /REPORT, adds system
errors to the report file. System errors include
problems reading or writing to a diskette or hard
disk, file system or network problems, problems
creating reports, and other system-related
problems. You can use /RPTERR with /RPTCOR and
/RPTMOD on the same command line.
/RPTMOD
Add modified files to the Scan report
Used in conjunction with /REPORT, adds the names
of modified files to the report file. Scan
identifies modified files when the
validation/recovery codes do not match (using the
/CF or /CV options). You can use /RPTMOD with
/RPTCOR and /RPTERR on the same command line.
/RV
Remove validation/recovery from files
Removes validation and recovery data from files
validated with the /AV option, along with the
SCAN.LOG file on the specified drive. To update
files on a shared network drive, you must have
access rights to update them. Using any of the
/AV, /CV, or /RV options together in the same
command line returns an error.
/SHOWLOG
Display the contents of SCAN.LOG
Shows you the date and time of previous scans that
have been recorded in the SCAN.LOG file using the
/LOG switch. The SCAN.LOG file contains text and
some special formatting.
/STD
Scan executable files only (COM, EXE, SYS, BIN,
OVL, and DLL)
Reduces scan time when a full scan is not needed.
Otherwise, Scan checks all files on the drive
scanned and examines files in greater detail,
which increases Scan's ability to detect viruses
SCAN Reference Copyright 1994 McAfee Inc. Page 15
in overlay files but substantially increases the
scanning time required. Do not use this option if
you have found a virus or suspect one. (The list
of extensions for standard executables has changed
from previous releases of VirusScan.)
/SUB
Scan subdirectories
By default, when you specify a directory to scan
rather than a drive, Scan will examine only the
files it contains, not its subdirectories. Use
/SUB to scan all subdirectories inside any
directories you've specified. Do not use /SUB if
you are scanning an entire drive.
/VIRLIST
Display the contents of SCAN.DAT
Shows you the name and a brief description of the
viruses that VirusScan detects.
EXAMPLES
These examples show different option settings. In
OS/2, remember to use OS2SCAN instead of SCAN.
scan c:
Scan all executable files on drive C.
scan f:
Scan drive F, a network drive.
scan c: /adl /adn
Scan all local and network drives.
scan f: g: h: /del
Scan all files on drives F, G, and H, and delete
any infected files found.
scan c: d: e: /av
Scan for viruses in all files and add
validation codes to executable files on drives C,
D, and E.
SCAN Reference Copyright 1994 McAfee Inc. Page 16
scan m: /report a:infectn.rpt /rptcor /rpterr
Scan for viruses on network drive M: and
create a log file of infections, corruptions, and
errors in the file INFECTN.RPT on drive A.
scan e:\user\jake e:\user\daisy e:\user\nick /sub
Scan all subdirectories inside the directories
USER\JAKE, USER\DAISY, and USER\NICK on drive E.
scan c: d: e: /fast /cv
Quickly scan drives C, D, and E, and report any
executable files that do not have validation
codes.
scan c:\command.com
Scan a single file.
ERRORLEVELS
This section is primarily for network
administrators and information systems staff.
After Scan has finished running, it sets the DOS
ERRORLEVEL. You can use the ERRORLEVEL in
AUTOEXEC.BAT to take different actions based on
the results of the scan. See your DOS
documentation for more information.
Scan returns the following DOS ERRORLEVELs:
<<Error levels to come>>
APPLICATION NOTE 1
UPDATING VALIDATION CODES
If you install any new software or programs on
your system, including a new version of DOS, and
are running Scan or VShield with the /CF
(preferred) or /CV -validation options, you need
to install validation codes for the new files with
Scan's /AF (preferred) or /AV options.
The quickest way to update the validation codes is
to remove all validation codes from the hard disk
and then add them back. In other words, first run
Scan with the /RF or /RV option, then run it again
with the /AF or /AV option.
SCAN Reference Copyright 1994 McAfee Inc. Page 17
APPLICATION NOTE 2
REFORMATTING INFECTED DISKETTES WITH DOS 5.0 AND
LATER
When reformatting infected diskettes using DOS 5.0
and later versions, be sure to add the /U switch
to the FORMAT command. This tells DOS to do an
unconditional format of the diskette, without
saving the original infected boot sector. This is
necessary to erase certain infections, and will
prevent reinfection by unformatting the diskette.
TECHNICAL NOTE 1
CREATING AN EXCEPTION LIST FILE FOR THE /EXCLUDE
OPTION
If you set up validation codes using Scan's /AF or
/AV options, subsequent scans using the /CF or /CV
options will detect changes in executable files.
This can generate false alarms if the executable
files are self-modifying or self-checking (most
programs that do this will tell you to turn off
your anti-virus software before running them; some
of these files are listed below). Therefore, use
the /EXCLUDE option in conjunction with /AF or /AV
to identify such files and exclude them from the
validation.
The exception list is an ASCII or DOS text file.
If you use a word processor to create it, be sure
to save the file as ASCII or DOS Text. Each
uncommented line in the file contains the path and
file name of one file that should not be
validated. Here is an example:
C:\CLIPPER\BIN\CLIPPER.EXE
C:\123\123.COM
C:\FOX\FOXPROLX.EXE
C:\DOS\SETVER.EXE
C:\PKWARE\PKLITE.EXE
C:\PKWARE\PKZIP.EXE
C:\PKWARE\PKUNZIP.EXE
C:\SEMWARE\Q.EXE
SCAN Reference Copyright 1994 McAfee Inc. Page 18
C:\SWAPVOL.COM
C:\WORDSTAR\WS.EXE
CLEANING VIRUSES
Although /CLEAN removes many viruses and restores
normal operation, viruses can be harmful and
insidious, and no anti-virus program can undo all
their damage. Usually, between 10% and 20% of all
viruses corrupt the files they infect, making them
unrecoverable. If the file is infected with an
uncommon virus that /CLEAN can't remove, Scan
notifies you and identifies the filename. Write
down this filename so that you can restore it from
a backup diskette or tape. If you use both the
/CLEAN and the /DEL options, Scan will first
attempt to repair an infected file and, if the
file is damaged beyond repair, Scan will delete
it. Deleted files are not recoverable except from
backups.
Some viruses damage or overwrite program (.EXE)
files or overlay files. Removing the virus can
truncate the file or otherwise render it
inoperable. Others, like the common virus Stoned,
infect the master boot record (MBR). On systems
partitioned with programs other than DOS (such as
Disk Manager and SpeedStor), removing the virus
can cause loss of the master boot record (MBR) and
all data on the disk if done improperly.
BASIC PRINCIPLES TO MINIMIZE DAMAGE
These considerations lead to the three important
principles:
1 Before running Scan with the /CLEAN option, back
up all of your programs and data.
Of course, this works best if you back up
regularly, so that you can restore from a backup
made before your system was infected. But even a
backup from an infected system can be useful for
restoring data, because most viruses do not
corrupt data. If a program no longer runs after
being cleaned, replace it from the original disk
or from a virus-free backup.
When disinfecting an infected system, it is
important to start from a "sterile field."
2 Before running Scan with the /CLEAN option for
SCAN Reference Copyright 1994 McAfee Inc. Page 19
DOS, restart your computer from a clean, write-
protected diskette.
Before running Scan with the /CLEAN option for
OS/2, close all DOS and Win-OS/2 sessions.
Preferably, use a clean anti-virus start-up
diskette. And, because running any program can
spread the infection:
3 Do not run any programs, including Windows,
before running Scan /CLEAN.
Run Scan /CLEAN from DOS instead of Windows. Exit
completely from DOS. Do not run Scan /CLEAN from
within a DOS window.
Important: If you are at all unsure about how to
proceed once you've found a virus, contact McAfee
technical support, or your local authorized agent,
for assistance.
We strongly recommend that you get experienced
help in dealing with viruses if you are unfamiliar
with anti-virus software and methods. This is
especially true for "critical" viruses and master
boot record (MBR)/boot sector infections, because
improper removal of these viruses can result in
the loss of all data and use of the infected
disks.
RUNNING SCAN TO CLEAN UP INFECTIONS
PREPARATION
Before running Scan to clean up infections:
1 Clear the virus from system memory and prevent
reinfection:
* With DOS, turn off your PC, then restart from a
clean start-up diskette, preferably the anti-virus
diskette you prepared during installation.
* With OS/2, close all DOS and Win-OS/2 sessions.
* With an OS/2 dual-boot system infected by a boot
sector virus (like Form, or others identified by
Scan), boot (start up) OS/2 first, delete the
BOOT.DOS file from the \OS2 directory, and then
boot DOS to create a new, virus-free DOS boot
sector file.
SCAN Reference Copyright 1994 McAfee Inc. Page 20
2 Run the Scan program to locate and identify the
infections.
3 Back up the files on the infected disks (be sure
not to overwrite any previous backups).
4 Repeat Step 1.
5 Don't run any programs, including Windows,
before running Scan /CLEAN. If you have Windows,
run Scan /CLEAN from DOS.
6 When disinfecting a hard disk, always run Scan
/CLEAN from a write-protected diskette to prevent
infection of the Scan program. When disinfecting
diskettes, make sure there is no active virus in
memory before running Scan from your hard disk.
SUCCESSFUL AND UNSUCCESSFUL RESULTS
Scan /CLEAN reports the results of its attempt to
remove the virus from each infected file. If a
file has several infections, it will report on
each.
If viruses were not removed, contact technical
support
If Scan can't remove a virus, you'll see a message
like:
Virus cannot be safely removed from this file.
Make sure to take note of the file name, because
you will need to restore it from backups. If you
have any questions about how to proceed, contact
McAfee technical support or your local authorized
agent.
If viruses were safely removed, rescan and check
diskettes
If Scan /CLEAN has successfully removed all the
viruses, turn your computer off again and restart
from the system disk. Scan your hard disks again
to make sure they are virus-free. If you suspect
that your system was infected from a diskette, run
Scan from your hard disk to examine and disinfect
the diskettes you use.
CREATING A CUSTOM SETTINGS FILE
When you run the Scan program, Scan uses its own
internal default settings plus any options listed
in the command line. You can create an ASCII text
file to contain the settings you want to run with
Scan, then load the settings using the /LOAD
option.
Your VirusScan package includes sample settings
files that you can copy and change, using a DOS
text editor, to suit your needs. The <<filename>>
file contains the following text: <<sample to come>>
<<end of text file>>
