home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The Latest Windows '95 Programs
/
The Latest Windows 95 Programs.iso
/
scan
/
viruscan.txt
< prev
next >
Wrap
Text File
|
1995-04-19
|
240KB
|
6,098 lines
VirusScan Version 2.2
Copyright 1995 by McAfee, Inc.
All Rights Reserved.
McAfee, Inc. (408) 988-3832 office
2710 Walsh Avenue (408) 970-9727 fax
Santa Clara, CA 95051-0963 (408) 988-4004 BBS (25 lines)
U.S.A. USR HST/v.32/v.42bis/MNP1-5
CompuServe GO MCAFEE
InterNet support@mcafee.COM
Using VirusScan (Version 2.2)
TABLE OF CONTENTS
Chapter 1: Welcome to VirusScan / 1
What VirusScan includes / 3
System requirements / 5
License and registration / 6
Technical support / 6
Chapter 2: Don't skip this chapter / 10
Installing VirusScan / 11
Scanning your system / 14
If you detect a virus / 16
Activating VShield / 19
Making a clean start-up diskette / 21
Running the VirusScan programs / 23
When to rescan / 25
Updating VirusScan regularly / 25
Chapter 3: Scan Reference / 28
Technical overview / 30
Validating Scan / 31
Running Scan from the command line / 31
Scan command line option summary / 33
Scan option descriptions / 36
Cleaning viruses / 46
Examples / 50
Error levels / 51
Application note 1: Updating validation codes / 53
Application note 2: Reformatting infected
diskettes with DOS 5.0 and later / 53
Technical note 1: Creating an exception
list file for the /EXCLUDE option / 54
Chapter 4: VShield Reference / 55
Four levels of protection / 58
Running VShield / 60
VShield option summary / 64
VShield option descriptions / 66
Deciding which options are for you / 73
Examples / 75
Error levels / 76
Using VShieldCRC / 77
VShieldCRC option summary / 78
Using CheckVShield / 79
Technical note 1: Creating an exception list
for the /EXCLUDE option / 81
Technical note 2: Sample NetWare login
script and .BAT file / 82
Chapter 5: Tips & troubleshooting / 83
Appendix A: Retrieving McAfee programs with
communications software / 91
Appendix B: Options comparison between VirusScan
versions 1.5 and 2.1.1 / 96
Glossary / 106
Using VirusScan (Version 2.2) 1
CHAPTER 1: WELCOME TO VIRUSSCAN
Thank you for purchasing McAfee(R)'s VirusScan(TM)
software, a powerful and advanced system
designed to detect, eradicate, and prevent
computer viruses. VirusScan will help you
protect one of your most important assets--the
information on your personal computer or local
area network.
VirusScan includes two main programs:
o The Scan program detects known viruses in your
computer's memory or on disks. It can also
detect new and unknown viruses. Once viruses
are detected, it can remove them and restore
your system to normal operation. The Scan
program comes in two forms:
o A graphical interface so that you can select
commands and options using a mouse and
keyboard, if you like. For instructions,
see the on-line documentation.
o A command line interface, so you can run the
program and select options by typing from a
command prompt or from batch or script files,
if you prefer.
o The VShield(TM) memory-resident program
continuously monitors and protects your
system from viruses that might be introduced.
The VirusScan programs run on IBM-PC or 100%
compatible personal computers (PCs) that use
DOS, Windows, or OS/2.
VirusScan is an important element of a
comprehensive security program that includes a
variety of safety measures, such as regular
backups, meaningful password protection,
training, and awareness. We urge you to set up
and comply with such a security program in your
organization. For tips on how to do this, see
"Other sources of information" in this chapter.
Using VirusScan (Version 2.2) 2
HOW TO USE THIS MANUAL
This manual will help you get VirusScan running
quickly and properly on DOS, Windows, and OS/2
systems.
All the key information is in Chapter 2, "Don't
skip this chapter." Please don't install
VirusScan before reading it, even if you are a
PC power user or already familiar with Scan.
Installing and using VirusScan is not like using
other software.
The rest of Chapter 1, "Welcome to VirusScan,"
describes the programs and files on your
VirusScan disk, system requirements, how to
register, and how to get help.
Chapter 3, "Scan Reference," and Chapter 4,
"VShield Reference," contain reference
information for Scan and VShield, respectively.
Many users will not need to read these chapters,
because basic operation of VirusScan, as
described in Chapter 2, will detect and remove
most viruses from your system. The options
described in Chapters 3 and 4 offer additional
power and control, and are most useful in
vulnerable environments and to network
administrators and information services staff.
Chapter 5, "Tips & troubleshooting," explains
how to get the most out of VirusScan, and how to
cope with some common problems.
Appendix A describes how to retrieve new
versions of McAfee programs using your
communications software.
Appendix B describes differences in command line
options between VirusScan version 1.5 and
version 2.1.1.
Using VirusScan (Version 2.2) 3
NOTATION
In this manual, we use several conventions to distinguish
particular kinds of text.
CONVENTION │ EXAMPLE │ REPRESENTS
═══════════════╪══════════════╪══════════════════════════
Uppercase │ C:\> │ What your
│ │ computer displays
│ │ on your screen.
───────────────┼──────────────┼──────────────────────────
Lowercase │ scan c: │ What you
│ │ type, verbatim.
───────────────┼──────────────┼──────────────────────────
Curly braces │ {filename} │ Required
│ │ element; do not
│ │ type braces { }.
───────────────┼──────────────┼──────────────────────────
Square braces │ [filename] │ Optional
│ │ element; do not
│ │ type braces [ ].
───────────────┼──────────────┼──────────────────────────
Upper-case in │ <ENTER> │ Key to press
brackets │ │ on the
│ │ keyboard.
WHAT VIRUSSCAN INCLUDES
In addition to Scan and VShield, your VirusScan
diskette contains another program that will help
you use VirusScan. The Validate program ensures
that new versions of VirusScan software you've
obtained are authentic and unmodified.
Your VirusScan diskette also contains several
useful text files, which you can view and print
with a text editor, word processor, or print
command. You'll find version-specific
information in the README.1ST file.
Using VirusScan (Version 2.2) 4
VIRUSSCAN FILES AFTER UNPACKING
After unpacking VirusScan you should have appropriate
program files on your system for the version you have
obtained (DOS, Windows, or OS/2). Several useful text
files are also included.
VirusScan for DOS Files
AGENTS.TXT - lists McAfee authorized agents.
CLEAN.DAT - virus removal data file required by SCAN.EXE
COMPUSER.NOT - explains how to obtain CompuServe membership
FILE_ID.DIZ - description of VirusScan used by some BBS software
FILENAME.TXT - explains ZIP file naming conventions
LICENSE.TXT - explains how to license VirusScan
NAMES.DAT - virus name data file required by SCAN.EXE
PACKING.LST - contains a list of all files, including
validation information
README.TXT - late-breaking information and new
instructions not contained in this manual
REGISTER.TXT - explains how to register VirusScan for your use
SCAN.DAT - virus string data file required by SCAN.EXE
SCAN.EXE - the VirusScan program
VIRUSCAN.TXT - on-line manual for VirusScan
VIRUSCAN.DOC - on-line manual for VirusScan (MS Word 6.0)
VALIDATE.EXE - check VirusScan programs for authenticity
VALIDATE.TXT - explains how to run VALIDATE.EXE
VShield Files
AGENTS.TXT - lists McAfee authorized agents
CHKVSHLD.EXE - checks for presence of VShield and VShieldCRC
in memory
COMPUSER.NOT - explains how to obtain CompuServe membership
FILENAME.TXT - explains ZIP file naming conventions
FILE_ID.DIZ - description of VShield used by some BBS software
LICENSE.TXT - explains how to license VShield
NAMES.DAT - virus name data file
PACKING.LST - contains a list of all files, including
validation information
README.TXT - late-breaking information and new
instructions not contained in this manual
REGISTER.TXT - explains how to register VirusScan for your use
SCAN.DAT - virus string data file
VALIDATE.EXE - check VirusScan programs for authenticity
VALIDATE.TXT - explains how to run VALIDATE.EXE
VIRUSCAN.TXT - on-line manual for VirusScan
VIRUSCAN.DOC - on-line manual for VirusScan (MS Word 6.0)
VSHEML.EXE - internal program for VShield
VSHIELD.DAT - virus string data file required by VSHIELD.EXE
VSHIELD.EXE - the VShield program
VSHINST.EXE - creates program group, icon for VSHLDWIN.EXE
VSHLDCRC.EXE - the VShieldCRC program
VSHLDWIN.EXE - used by VShield and VShieldCRC to display
messages within Windows
Using VirusScan (Version 2.2) 5
VirusScan for OS/2
AGENTS.TXT - lists McAfee authorized agents
CLEAN.DAT - virus removal data file required by
OS2SCAN.EXE
COMPUSER.NOT - explains how to obtain CompuServe membership
FILE_ID.DIZ - description of VirusScan used by some BBS
software
FILENAME.TXT - explains ZIP file naming conventions
LICENSE.TXT - explains how to license VirusScan
NAMES.DAT - virus name data file required by OS2SCAN.EXE
PACKING.LST - contains a list of all files, including
validation information
README.TXT - late-breaking information and new
instructions not contained in this manual
REGISTER.TXT - explains how to register VirusScan for your
use
OS2SCAN.EXE - the VirusScan program
SCAN.DAT - virus string data file required by
OS2SCAN.EXE
VALIDATE.EXE - used to check VirusScan programs for
authenticity
VALIDATE.TXT - explains how to run VALIDATE.EXE
VIRUSCAN.TXT - on-line manual for VirusScan
VIRUSCAN.DOC - on-line manual for VirusScan (MS Word 6.0)
SYSTEM REQUIREMENTS
The VirusScan programs require an IBM-compatible
personal computer and any of the following
operating systems:
o DOS 3.1 or later
o Windows 3.1 or later
o IBM OS/2 2.1 or later
VShield is a terminate-and-stay-resident (TSR)
program. VShield attempts to minimize the use of
conventional memory by loading into expanded,
extended, or upper memory. For more information,
see "VShield Reference" in Chapter 4.
You'll need a high-density 3.5" diskette drive
to use the VirusScan diskette in this package.
Contact McAfee for other media, or download the
software from the McAfee bulletin board system
(BBS).
Using VirusScan (Version 2.2) 6
LICENSE AND REGISTRATION
The VirusScan software is provided under license
from McAfee, Inc., a copy of which is provided
with this manual. Please read it and comply with
it.
Also, please fill out and return the
registration form in your VirusScan package.
Registration entitles you to upgrades at no
charge from McAfee's bulletin board system and
other sources, as well as technical support, for
one year from your date of purchase.
TECHNICAL SUPPORT
For help in using this product, we invite you to
contact McAfee technical support. You can
contact us:
o On-line 24 hours a day, through our bulletin
board system, CompuServe, or Internet (see
"On-line access to updates and technical
support" below);
o By fax, at (408) 970-9727; or
o By telephone at (408) 988-3832, Monday through
Friday, 6:00 am to 5:00 pm Pacific Standard
Time.
For fast and accurate help, please have the
following information ready when you contact
McAfee:
o Program name and version number.
o Type and brand of computer, hard disk, and any
peripherals.
o Version of DOS, along with any TSRs or device
drivers in use.
o Printouts of your AUTOEXEC.BAT and CONFIG.SYS
files.
o A printout of the contents of memory, from the
MEM command (provided in DOS 4.0 and later)
or a similar utility.
Using VirusScan (Version 2.2) 7
o A description of the exact problem you are
having. Please be as specific as possible. If
you can't be at your computer when you call,
a printout of the screen will be helpful.
If you are overseas, you can contact a McAfee
authorized agent. Agents are located in more
than 50 countries around the world and provide
local sales and support for our software. Please
refer to the AGENTS.TXT file for a complete list
of McAfee agents.
ON-LINE ACCESS TO UPDATES AND TECHNICAL SUPPORT
McAfee updates VirusScan approximately once a month
to add new virus detectors, new options, and fix
reported bugs. To distribute these new versions,
we run a multi-line bulletin board system,
a forum on CompuServe, and an Internet node.
MCAFEE BULLETIN BOARD SYSTEM (BBS)
Our multi-line BBS is accessible 24 hours a day,
365 days a year, except for scheduled downtime
and maintenance. All lines run high-performance
modems operating from 1,200 bps to 28,800 bps
with line settings of 8 data bits, no parity,
and 1 stop bit. The McAfee BBS phone number is
(408) 988-4004.
Appendix A, "Retrieving McAfee programs with
communications software" explains how to dial up
the McAfee BBS. Both technical support and
software updates are available on the bulletin
board.
MCAFEE FORUM ON COMPUSERVE
We sponsor the McAfee Virus Help Forum on
CompuServe. To reach it, type GO MCAFEE at any
CompuServe prompt. A free introductory
membership is available. For more information,
please read the enclosed COMPUSER.TXT file.
Using VirusScan (Version 2.2) 8
INTERNET ACCESS
The latest versions of McAfee's anti-virus
software are available by anonymous ftp (file
transfer protocol) over the Internet from the
site ftp.mcafee.com. If your domain resolver does
not support names, use the IP address
192.187.128.3. Enter anonymous or ftp as your
user ID and your own e-mail address as the
password. Programs are located in the
pub/antivirus directory. If you have questions,
please send e-mail to support@mcafee.com.
You can also find McAfee's anti-virus software
at the SimTel Software Repository at
Oak.Oakland.EDU in the simtel/msdos/virus
directory and its associated mirror sites:
o wuarchive.wustl.edu (US).
o ftp.switch.ch (Switzerland).
o ftp.funet.fi (Finland).
o src.doc.ic.ac (UK).
o archie.au (Australia).
MCAFEE PRODUCTS AND SERVICES
Founded in 1989, McAfee, Inc. is the leading
provider of tools for productive computing for
the DOS, OS/2, and Windows environments. Our
anti-virus products are used by more than 16,000
corporations worldwide. Our utility products
provide data security, automated version
updating, and system inspection and editing.
McAfee is also the pioneer and leading provider
of electronically distributed software. All of
McAfee's products can be purchased through
dealers or downloaded from bulletin board
systems and on-line services around the world.
McAfee doesn't stop at developing the world's
best anti-virus and utility products. We back
them with the industry's best service and
technical support. Product support is provided
by a full-time staff of virus researchers,
programmers, and support professionals, and
delivered directly by McAfee or our network of
more than 150 Authorized Agent offices in more
than 50 countries worldwide.
Using VirusScan (Version 2.2) 9
OTHER SOURCES OF INFORMATION
The McAfee BBS and CompuServe Virus Help Forum
are excellent sources of information on virus
protection. Batch files and utilities to help
you use VirusScan software are often available,
along with helpful advice.
Independent publishers, colleges, training
centers, and vendors also offer information and
training about virus protection and computer
security.
We especially recommend the following books:
o Ferbrache, David. A Pathology of Computer
Viruses. London: Springer-Verlag, 1992.
(ISBN 0-387-19610-2)
o Hoffman, Lance J. Rogue Programs: Viruses,
Worms, and Trojan Horses. Van Nostrand
Reinhold, 1990. (ISBN 0-442-00454-0)
o Jacobson, Robert V. The PC Virus Control
Handbook, 2nd Ed. San Francisco: Miller
Freeman Publications, 1990. (ISBN 0-87930-194-0)
o Jacobson, Robert V. Using McAfee Associates
Software for Safe Computing. New York:
International Security Technology, 1992.
(ISBN 0-9627374-1-0)
In addition, the following sources can provide
useful information about viruses:
o National Computer Security Association (NCSA)
10 South Courthouse Avenue
Carlisle, PA 17013
o CompuServe VIRUSFORUM
o Internet comp.virus newsgroup
Using VirusScan (Version 2.2) 10
CHAPTER 2: DON'T SKIP THIS CHAPTER
or, What You Really Need to Know About VirusScan.
We're serious about this. Installing and running
the VirusScan(TM) programs is not like using
other software. Even if you are a personal
computer power user, use the VirusScan
installation procedure and follow the tasks in
this chapter.
The reason is to avoid spreading a computer
virus infection. Viruses spread when you start
your computer (sometimes called booting) from an
infected disk, or when you run an infected
program. If your computer is infected,
installing and running VirusScan on your hard
disk may spread the infection, even to the
VirusScan programs themselves. The tasks in this
chapter will ensure that you have a clean
environment to detect, eradicate, and prevent
viruses.
This is like a surgical team establishing a
"sterile field" before performing surgery. Once
it is established, they make sure that
everything brought into the field has already
been sterilized. In this procedure, you will
create a clean anti-viral start-up diskette with
which you can always re-establish the sterile
field.
Your VirusScan diskette is write-protected to
ensure that no virus can alter the programs and
information stored there. Under no circumstances
should you remove the write protection.
Here's a summary of the tasks you'll follow in
this chapter:
o Installing VirusScan
o Scanning your system.
o If you detect a virus.
o Activating VShield(TM).
o Making a clean start-up (boot) diskette.
o Running the VirusScan programs.
o When to scan for viruses.
o Updating VirusScan regularly.
Using VirusScan (Version 2.2) 11
INSTALLING VIRUSSCAN
This task explains how to check your system and install the
VirusScan software under DOS, Windows, or OS/2 using the
install program. For instructions on installing downloaded
software, see Appendix A.
Don't use any other method to install VirusScan, or
you risk spreading a virus.
INSTALLATION STEPS
Start from the system prompt (C:\> or [C:\]). If you are
running Windows or an application program, exit from it to
display the prompt. If you are running OS/2, close all DOS
and Win-OS/2 sessions. Open the Command Prompts folder in the
OS/2 System folder, and click on either the OS/2 Full Screen
or OS/2 Window icon.
NOTE: See Appendix A for additional instructions for
setting up WScan and VShield under Windows.
1. Create a directory to contain the VirusScan files, as
in the following example:
C:\> mkdir c:\mcafee
and press <ENTER>.
If you have an earlier version of VirusScan already
installed, create a separate directory (such as
c:\newvscan) for the new version. (You should test
the new version before removing the earlier version.)
2. Copy the VirusScan archived (.ZIP) file to this
directory, as in the following example:
C:\> copy c:\download\*.zip c:\mcafee
and press <ENTER>.
3. Change to the VirusScan directory you just created,
as in the following example:
C:\> cd c:\mcafee
and press <ENTER>.
Using VirusScan (Version 2.2) 12
4. Unzip the file using PKUNZIP.EXE, as in the following
example:
C:\mcafee> PKUNZIP *.ZIP
and press <ENTER>.
5. Run VirusScan to check your local hard disk(s) by
typing:
c:\mcafee> scan /adl
and pressing <ENTER>. It may take several minutes
for the Scan program to check for viruses in memory,
then on the system and user portions of your drives.
Scan keeps you informed of its progress. Read the
information carefully, and write down the name of any
viruses Scan reports.
6. If Scan reports no virus found, congratulations--
most likely your system is currently virus-free.
Continue with "Making a Clean Start-Up Diskette"
in this chapter.
If Scan finds one or more viruses, you'll see a message like:
Found the Jerusalem Virus
and installation will stop. Don't panic, even if the
virus has infected many files. At the same time, don't
run any other programs, especially if the virus is
found in memory. Go directly to "If you detect a virus"
later in this chapter for further instructions.
7. Create a directory on your hard disk to store the
VirusScan files in by typing:
C:\> mkdir mcafee
and pressing <ENTER>.
8. Copy the VirusScan files from the 'VirusScan Program
Diskette' in drive A: to your hard disk by typing:
C:\> copy a:\*.* c:\mcafee
and pressing <ENTER>. VirusScan has now been installed
onto your hard disk. Now your system's startup files
must be modified to find VirusScan on your system.
Using VirusScan (Version 2.2) 13
9. DOS and Windows users: Using a text editor program,
load your AUTOEXEC.BAT file. Locate the path statement,
which typically begins with a 'PATH' or 'SET PATH ='
statement. Place your cursor at the end of this line
and type:
;C:\MCAFEE
and press <ENTER>. Now save your AUTOEXEC.BAT file and
exit the editor.
NOTE: If a semi-colon ";" is already present at the end
of the line, do not add one to the path statement.
OS/2 users: Make the same change listed above to the
'SET PATH=' and 'SET LIBPATH=' statements in
your CONFIG.SYS file. Now save your CONFIG.SYS
file and exit the editor.
Congratulations! You've successfully installed VirusScan.
Restart your computer now and continue with this chapter to
see how you can use VirusScan to keep your computer virus-
free. We recommend looking over the following sections in
this chapter:
o "Scanning Your System"
o "If You Detect A Virus"
o "Activating VShield"
o "Making A Clean Start-Up Diskette"
Continue with the remaining tasks in this chapter, beginning
with "Running the VirusScan Programs" to find out how and
when to run and update the VirusScan programs.
Using VirusScan (Version 2.2) 14
SCANNING YOUR SYSTEM
VirusScan's Scan program examines your PC and
disks to detect viruses there. The first time
you run Scan, do so from the original, write-
protected diskette so that the programs
themselves cannot be infected.
Start from the system prompt (C> or [C:\]).
If you are running Windows or an application
program, exit from it to display the prompt. If
you are running OS/2, close all DOS and Win-OS/2
sessions; then open the Command Prompts folder
in the OS/2 system folder, and click the OS/2
Full Screen or OS/2 Window icon.
After typing each entry on the command line,
press [Enter]. If you include the /REPORT
option, Scan saves a report of infected files
and any system errors to a log file that you
specify.
1. Insert the VirusScan program diskette in drive A.
2. Scan your C drive for known viruses by typing:
DOS or Windows
C> a:scan c: /report c:\virus.log
OS/2
[C:\] a:os2scan c: /report c:\virus.log
Or, if you have more than one hard drive, scan
them in the same way. For example, if you have C
and D drives:
DOS or Windows
C> a:scan c: d: /report c:\virus.log
OS/2
[C:\] a:os2scan c: d: /report c:\virus.log
You can also scan all local drives using the
/ADL option. For example:
DOS or Windows
C> a:scan /adl /report c:\virus.log
OS/2
[C:\] a:os2scan /adl /report c:\virus.log
Using VirusScan (Version 2.2) 15
It may take several minutes for the Scan program
to check for viruses in memory, then on the
system and user portions of your drives. Scan
keeps you informed of its progress. Read the
information on the screen carefully. Below is a
sample of what Scan reports when checking a
drive for viruses.
┌──────────────────────────────────────────────────┐
│ Virus data file V2.1.204 created Thu Jun 02 │
│ 12:17:53 1994 │
│ │
│ No viruses found in memory. │
│ │
│ Scanning C: │
│ Summary report on C: │
│ File(s) │
│ Analyzed:....... 1500 │
│ Scanned:........ 750 │
│ Possibly Infected:....... 0 │
│ Master Boot Record(s):.. 1 │
│ Possibly Infected:....... 0 │
│ Boot Sector(s):......... 1 │
│ Possibly Infected:....... 0 │
│ │
│ Time: 60.00 sec. │
└──────────────────────────────────────────────────┘
3. If Scan reports No viruses found,
congratulations--most likely your system is
currently virus-free. Skip to "Activating
VShield" later in this chapter.
If Scan finds one or more viruses, you'll see a
message like:
┌──────────────────────────────────────────────────┐
│ Scanning C: │
│ Scanning file C:\DOS\ATTRIB.EXE │
│ Found the Jerusalem Virus │
└──────────────────────────────────────────────────┘
DON'T PANIC, even if the virus has infected many
files. At the same time, don't run any other
programs, especially if the virus is found in
memory. Turn to "If you detect a virus" later
in this chapter, where VirusScan will help you
eradicate it.
NOTE: Scan has many options to control and fine-
tune the scope, validation, and operation of its
scan. For details, see Chapter 3 and "Detecting
new and unknown viruses" in Chapter 5.
Using VirusScan (Version 2.2) 16
IF YOU DETECT A VIRUS
In this task, you will run Scan with the /CLEAN
option to eradicate most known viruses from your
disks.
NOTE: If you are at all unsure about how to
proceed once you've found a virus, contact
McAfee for assistance (see "Technical support"
in Chapter 1).
We strongly recommend that you get experienced
help in dealing with viruses if you are
unfamiliar with anti-virus software and methods.
This is especially true for "critical" viruses
and master boot record (MBR or so-called
"partition table")/boot sector infections,
because improper removal of these viruses can
result in the loss of all data and use of the
infected disks.
RESTART FROM A CLEAN ENVIRONMENT
You must run Scan from a clean, virus-free
environment. With DOS or Windows, restart from a
clean diskette. With OS/2, simply close all DOS
and Win-OS/2 sessions.
DOS OR WINDOWS
With DOS or Windows, the only way to ensure a
clean environment is to turn your computer off
to eliminate any viruses in memory, then restart
from a virus-free diskette, preferably the
original, write-protected DOS installation
diskette that came with your computer. If you
don't have one, borrow or buy one; don't use a
diskette that might be infected. (See "Making a
clean start-up diskette" later in this chapter
for instructions. Create this diskette after you
clean your system.)
1. Turn off your computer. (Don't just reset or
reboot, which may leave some viruses intact
in the computer's memory.)
Using VirusScan (Version 2.2) 17
2. Make sure your clean boot (start-up) diskette
is write-protected.
o For a 3.5" diskette, slide its corner tab so
that the square hole is open.
o For a 5.25" diskette, cover its corner notch
with a write-protect tab. Be sure to use the
write-protect stickers provided with your
diskettes, not tape.
3. Insert your start-up diskette in drive A.
4. Turn on your computer and wait until you see
the system prompt (probably A>). Don't run
any programs on your hard disk, or you may
reactivate the virus.
OS/2
With OS/2, you can eliminate viruses from memory
by closing all DOS, Win-OS/2, and virtual DOS
machine (VDM) sessions.
BACK UP YOUR HARD DISK
Some viruses may leave certain disks or files
unusable when cleaned up. To increase your
chance of recovery, boot from a clean copy of
the operating system, then copy all the files on
all of your hard disks onto fresh diskettes or a
backup tape. You can use a commercial backup
program, or the one included with DOS or OS/2.
Scan the program disk first to make sure that
the backup program itself is not infected. Do
not run the backup program if it is infected.
Instead, reload it from your original
installation diskettes.
Although some of the backed-up files may be
infected, it is better to have current copies
than not. However, don't overwrite previous
backup disks or tapes, which may or may not be
infected.
Using VirusScan (Version 2.2) 18
RUN SCAN WITH THE /CLEAN OPTION
Start from the system prompt (probably A> or
[A:\]). If you are running OS/2, open the
Command Prompts folder in the OS/2 system
folder, and click the OS/2 Full Screen or OS/2
Window icon.
After typing each entry on the command line,
press [Enter].
1. Insert the VirusScan program diskette in drive A.
2. Eliminate the first known virus on your hard
drive(s) by typing:
DOS or Windows
A> scan /adl /clean
OS/2
[A:\] os2scan /adl /clean
Scan keeps you informed of its progress and
generally reports virus removed successfully. If
Scan reports that the virus could not safely be
removed, see the next section, "If viruses were
not removed."
NOTE: Scan has options to control and fine-tune
the scope, validation, and operation of its
disinfection. For details, see "Scan option
descriptions" in Chapter 3.
IF VIRUSES WERE NOT REMOVED
If Scan can't remove a virus, it will tell you:
Virus cannot be removed from this file.
Make sure to take note of the filename, because
you will need to restore it from backups. Run
Scan again, this time using the /CLEAN and /DEL
options to delete the remaining infected files,
as described in Chapter 3. If you have any
questions, contact McAfee (see "Technical
support" in Chapter 1).
Using VirusScan (Version 2.2) 19
IF VIRUSES WERE SAFELY REMOVED, RESCAN AND CHECK DISKETTES
If Scan has successfully removed all the
viruses, restart your computer. Restart
installation as described in "Installing
VirusScan" earlier in this chapter. Thereafter,
you can proceed to "Making a clean start-up
diskette" and "Running the VirusScan programs"
later in this chapter.
One common source of virus infection is floppy
diskettes. Once you've finished installing
VirusScan on your hard disk, use Scan again to
examine and disinfect the diskettes you use, as
described in "When to rescan" later in this
chapter.
FALSE ALARMS
Due to the nature of anti-virus software, there
is a possibility that Scan may report a virus in
a file that is not infected. This can be more
likely if you are using more than one brand of
virus protection software, especially if the
virus is reported in memory and not anywhere on
the disk when you boot.
If Scan reports a virus infection that you
suspect may be in error, contact McAfee (see
"Technical support" in Chapter 1). You can
upload the file to our bulletin board system at
(408) 988-4004, along with your name, address,
daytime telephone number, and electronic mail
address (if any).
ACTIVATING VSHIELD
VirusScan's VShield program can help prevent
viruses from infecting your system. It runs as a
"terminate-and-stay-resident" (TSR) program,
remaining in memory and scanning and
intercepting programs as they are executed.
To activate VShield at any time:
o DOS or Windows
Restart your computer by pressing [Ctrl]+[Alt]+[Del],
or by turning it off and then on again, or any
other reset method.
Using VirusScan (Version 2.2) 20
o OS/2
Restart all DOS and Win-OS/2 windows. If you have
difficulties running VShield, it may be due to
conflicts with other TSR programs in your system,
or with other programs that monitor disk access.
See "VShield option summary" in Chapter 4 and
"Troubleshooting VShield" in Chapter 5 for more
information. Contact McAfee technical support if you
need help (see "Technical support" in Chapter 1).
VShield minimizes the use of conventional memory
by attempting to load into extended, expanded,
upper memory, or a combination of them, before
using conventional memory. For extreme memory
limitations, you can use VShield's /SWAP option
to reduce memory requirements to 8Kb, although
this decreases VShield's speed. For details, see
Chapter 4.
NOTE: VShield has options to control and fine-
tune the scope, validation, and operation of its
virus prevention. For details, see Chapter 4.
When used in conjunction with some Scan options, VShield
can help protect your system from new and unknown
viruses. At a minimum, consider checking floppy disk
(/ANYACCESS, /FILEACCESS, or /BOOTACCESS). For details,
see "Detecting new and unknown viruses" in Chapter 5.
In OS/2, VShield runs in DOS and Win-OS/2 sessions
only, because viruses can operate only in those
sessions.
In Windows, you can use the VShield icon to
turn messages from VShield on and off. (VShield itself,
however, remains active.) For details, see Chapter 4.
Using VirusScan (Version 2.2) 21
MAKING A CLEAN START-UP DISKETTE
In DOS or Windows, create a clean anti-viral
start-up (boot) diskette that you can use to
regain your "sterile field" if your system
becomes infected. This is not necessary in OS/2,
although it will be helpful to make backup
copies of your OS/2 installation diskettes.
NOTE: Your system must be virus-free before
starting these steps.
DOS OR WINDOWS
In DOS, start from the system prompt (C>). In
Windows, you may open a DOS window, or duplicate
these steps with the Windows File Manager.
1. Insert a blank or dispensable diskette in
drive A. Make sure the diskette contains no
important information, as this procedure will
overwrite it.
2. Format it as a start-up diskette with the
system files by typing:
C> format a: /s/v/u
NOTE: If you are using a version of DOS before
DOS 5.0, do not type the /U option. The /U
option in recent DOS versions ensures that
the system portions of the diskette are
overwritten.
When prompted for a volume label, enter
virusfree01 or another name of up to 11
characters.
3. Copy the Scan program to the diskette. Here's
one way to do this, assuming that your VirusScan
files are stored in C:\MCAFEE\VIRUSCAN:
C> copy c:\mcafee\viruscan\scan.exe a:
C> copy c:\mcafee\viruscan\scan.dat a:
C> copy c:\mcafee\viruscan\clean.dat a:
C> copy c:\mcafee\viruscan\names.dat a:
Using VirusScan (Version 2.2) 22
4. Copy useful DOS programs to the diskette.
Here's one way to do this, assuming that your
DOS files are stored in C:\DOS:
C> copy c:\dos\chkdsk.* a:
C> copy c:\dos\debug.* a:
C> copy c:\dos\diskcopy.* a:
C> copy c:\dos\fdisk.* a:
C> copy c:\dos\format.* a:
C> copy c:\dos\label.* a:
C> copy c:\dos\mem.* a:
C> copy c:\dos\sys.* a:
C> copy c:\dos\unerase.* a:
C> copy c:\dos\xcopy.* a:
In the same way, copy other DOS programs that
you think might be useful.
NOTE: If you use a disk compression utility, be
sure to copy the drivers required to access
the compressed disks onto the clean start-up
diskette.
5. Remove the diskette from the drive and write-
protect it so that it cannot become infected.
o For a 3.5" diskette, slide its corner tab so
that the square hole is open.
o For a 5.25" diskette, cover its corner notch
with a write-protect tab. Be sure to use the
write-protect stickers provided with your
diskettes, not tape.
6. Label the diskette "Virus-Free start-up" and
put it away in a secure place in case you
need to reestablish a virus-free environment
in the future. You may want to note the date
and versions of DOS and VirusScan on the label.
OS/2
With OS/2, you don't need a virus-free start-up
disk. However, it will be helpful to keep a
clean copy of important files. Copy the
VirusScan OS/2 program and data files and your
CONFIG.SYS, STARTUP.CMD and AUTOEXEC.BAT files
onto a clean start-up diskette. Write-protect
the diskette, label it, and put it away in a
secure place.
Using VirusScan (Version 2.2) 23
RUNNING THE VIRUSSCAN PROGRAMS
DOS
To run the VirusScan programs from the DOS
command prompt, type the program name (SCAN or
VSHIELD) on the command line. Follow the program
name with the drive (if applicable to the
program) and whatever options you want.
NOTE: If you have not changed the path statement
in your AUTOEXEC.BAT file, you will need to
include its location (usually
C:\MCAFEE\VIRUSCAN) in the command, or change to
that directory.
For example, to examine a diskette in drive A:
C> c:\mcafee\viruscan\scan a:
EXCEPTION: If Scan detects a virus in memory or
on your hard disk, don't run Scan with the
/CLEAN option from C:\MCAFEE\VIRUSCAN. Instead,
restart your computer and run Scan from your
clean start-up diskette as described in "If you
detect a virus" earlier in this chapter.
VirusScan can list the viruses it detects. To
view this list, run Scan with the /VIRLIST
option, as described in Chapter 3.
WINDOWS
If you used the installation procedure earlier
in this chapter or installed downloaded files using
the instructions in Appendix A, the WScan and
VShield icons appear in the McAfee group.
To use them, open the folder and double-click
the program icon. See Chapter 3 for
instructions on using Scan for Windows.
NOTE: If a virus is active in memory, do not use
interactive Scan to remove it, because Windows
or other system files might be infected and you
risk spreading the virus.
If you've detected such a virus, restart your
computer and run Scan from your clean start-up
diskette, as described in "If you detect a
virus" earlier in this chapter.
Using VirusScan (Version 2.2) 24
VSHIELD AND WINDOWS
The install program adds a line to your AUTOEXEC.BAT
file that automatically activates VShield whenever you
start or restart your computer. In Windows, it also gives
you a VShield icon that you can click to see VShield
status. (See Appendix A for instructions for downloaded
software.)
NOTE: You can change VShield options from the
DOS command line by removing VShield from memory
and rerunning it, by editing the VSHIELD command
in your AUTOEXEC.BAT file, or by editing the default
configuration file. See Chapter 4 for details.
OS/2
To run Scan from OS/2, open the Command Prompts
folder in the OS/2 system folder and click the
OS/2 Full Screen or OS/2 Window icon. Next, type
the program name (os2scan) on the command line.
Follow the program name with the drive,
directory, or file(s) you want to scan and the
options you want to use.
NOTE: If you have not changed the PATH and
LIBPATH statements in your CONFIG.SYS file, you
will need to include its location (usually
C:\MCAFEE\VIRUSCAN) on the command line, or
change to that directory.
For example, to examine a diskette in drive A:
[C:\] c:\mcafee\viruscan\os2scan a:
NOTE: VShield does not run in OS/2 sessions,
only under DOS and Win-OS/2 sessions inside of
OS/2. You can place the VShield command in your
AUTOEXEC.BAT file, where it will run automatically
when you start a DOS or Win-OS/2 session. You can
also run it from the DOS command line, as described
earlier in this section.
Using VirusScan (Version 2.2) 25
WHEN TO RESCAN
Although VShield will monitor your software for
viruses, it's wise to scan your disks when you
introduce new programs, or disks that may be
infected. New programs and files are generally
introduced in two ways: by inserting a diskette
and booting from it, and by installing new
programs. It is also possible to download a
virus inadvertently via a modem, but this is
very rare.
You can use VShield with the /ANYACCESS option
to scan diskettes automatically. For more
information, see "/ANYACCESS" in "VShield option
descriptions" in Chapter 4.
For instructions on running VirusScan, see
"Running the VirusScan programs" earlier in this
chapter.
WHEN YOU INSERT AN UNCHECKED DISKETTE
Every time you insert a new diskette in your
drive, run Scan on it before executing,
installing, or copying its files. If you have
several diskettes to scan, you can scan them
consecutively using the /MANY option described
in Chapter 3. In fact, we recommend doing this
now with all the diskettes you normally use, as
well as diskettes received from friends,
coworkers, salespeople, and even your own
diskettes if they have been in another PC.
WHEN YOU INSTALL OR DOWNLOAD NEW FILES
Every time you install new software on your hard
drive, or download executable files from a
network server, bulletin board, or on-line
service, run Scan on the directory in which the
files were placed before you execute the files.
UPDATING VIRUSSCAN REGULARLY
Unfortunately, new viruses (and variants of old
ones) appear and circulate often in the personal
computer community. Fortunately, McAfee updates
the VirusScan programs regularly--usually
monthly, but sooner if many new viruses have
appeared. Each new version may detect and
eradicate as many as 60-100 new viruses or more,
and may add new features. To find out what's
new, review the README.1ST text file.
Using VirusScan (Version 2.2) 26
DOWNLOAD NEW VERSIONS
As a VirusScan licensee, you may download new
versions without charge for one year from your
date of purchase. Use your communications
software to download new versions from the
McAfee bulletin board, CompuServe, or the
Internet. See Chapter 1 and Appendix A for more
information.
New versions of McAfee software are stored in
compressed form to reduce transmission time.
NOTE: Always download and decompress the files
in a separate directory from your current files.
That way, if you discover a problem with the new
files, you'll still have the old ones.
VALIDATE VIRUSSCAN
When you download a program file from any source
other than the McAfee bulletin board or other
McAfee service, it's important to verify that it
is authentic, unaltered, and uninfected. McAfee
anti-virus software includes a program called
Validate that helps you do this. When you
receive a new version of VirusScan, run Validate
on all of the program files.
To do this for Scan, start from the system prompt
(C> or [C:\]):
1. Navigate to the directory to which you've
downloaded the files. For example, if you've
stored the files in C:\MCAFEE\DOWNLD\VIRUSCAN:
C> c:
C> cd \mcafee\downld\viruscan
2. Type the command:
DOS or Windows
C> validate scan.exe
OS/2
[C:\] os2val os2scan.exe
3. Compare the results with the information in
the PACKING.LST file or other text file for
the program you validated. If the validation
results match what's in the file, it is
highly unlikely that the program has been
modified.
Using VirusScan (Version 2.2) 27
UPDATE YOUR CLEAN START-UP DISKETTE
Once you have validated the new version, copy it
into your C:\MCAFEE\VIRUSCAN directory. In
addition, copy the Scan program onto your clean
start-up diskette. Below is one way to do this;
you may also use the Windows File Manager or the
OS/2 environment.
Note any changes you've made to default options,
because you may want to select and save them
again. Start from the system prompt (C> or
[C:\]).
1. Navigate to the directory to which you've retrieved
the files, such as C:\MCAFEE\DOWNLD\VIRUSCAN:
C> c:
C> cd \mcafee\downld\viruscan
2. Copy the contents of the directory to
C:\MCAFEE\VIRUSCAN:
C> copy *.* c:\mcafee\viruscan
3. Temporarily remove write-protection from your
clean start-up diskette and insert it in
drive A.
o For a 3.5" diskette, slide its corner tab so
that the square hole is closed.
o For a 5.25" diskette, remove the tab from its
corner notch.
4. Copy the Scan program to the diskette.
DOS or Windows
C> copy SCAN.EXE a:
copy SCAN.DAT a:
copy CLEAN.DAT a:
copy NAMES.DAT a:
OS/2
[C:\] copy OS2SCAN.EXE a:
5. Remove the diskette from the drive and write-
protect it again.
Using VirusScan (Version 2.2) 28
CHAPTER 3: SCAN REFERENCE
The Scan program detects, identifies, and disinfects
known DOS computer viruses. Scan checks memory as
well as the system and data areas of disks for
virus infections. If Scan finds a known virus,
in most cases it will eliminate the virus and
fully restore infected programs or system areas
to normal operation.
To obtain a list of all the viruses that Scan
detects, run Scan with the /VIRLIST option.
In addition, Scan can also assign validation and
recovery codes to files, and use those codes to
detect and treat infection by new and unknown
viruses. If Scan has stored validation or
recovery data for files, it may detect file
changes and warn that infection by an unknown
virus may have occurred. Scan can also use the
recovery codes to remove new or unknown viruses
and restore infected files.
Scan runs on DOS, Windows, and OS/2. The program
files are SCAN.EXE (DOS), WSCAN.EXE (Windows),
and OS2SCAN.EXE (OS/2), respectively. This
chapter describes them all.
NOTE: Because OS/2 operates in a protected mode
environment, Scan for OS/2 does not check
memory. To protect against viruses in OS/2 DOS
and Win-OS/2 sessions, use the VShield (for DOS)
virus prevention program.
Scan is designed so that basic operation, as
described in "Scanning your system" and "When
to rescan" in Chapter 2, will detect most viruses.
The command line options described here offer
additional power and control over virus detection.
They enable you to run Scan from batch or script
files. Network administrators, information services
staff, and computer systems with vulnerable environments
will benefit from this feature.
Using VirusScan (Version 2.2) 29
SYSTEM REQUIREMENTS AND SUPPORT
Scan requires DOS 3.1 or later, Windows 3.1 or
later, or IBM OS/2 Version 2.1 or later.
Scan works with 3Com 3/Share and 3/Open,
Artisoft LanTastic, AT&T StarLAN, Banyan VINES,
DEC Pathworks, IBM LAN Server, Microsoft LAN
Manager, Novell NetWare, and any other IBMNET-
or NETBIOS-compatible network operating systems.
Contact McAfee or your local authorized agent if
you do not see your network listed (see
"Technical support" in Chapter 1).
Scan is designed to check for pre-existing
infections of known and unknown viruses on floppy,
hard, CD-ROM, and compressed disks (SuperStor,
Stacker, DoubleSpace, and so on) on both
stand-alone and networked personal computers,
as well as network file servers. If you have a
Novell NetWare/386 V3.1X or 4.01 file server,
you may want to use the NETShield(TM) virus
prevention NetWare Loadable Module (NLM) in
conjunction with Scan.
NOTE: To use Scan to clean up (disinfect) virus-
infected files, the CLEAN.DAT file must be
present in the same subdirectory as SCAN.EXE.
If you don't have the CLEAN.DAT file, first verify
whether you should contact your system
administrator or information systems staff
directly for virus clean-up. Otherwise, you can
contact McAfee (see "Technical support" in
Chapter 1).
Using VirusScan (Version 2.2) 30
TECHNICAL OVERVIEW
KNOWN VIRUS DETECTION
Scan detects known viruses by searching the
system for characteristics (sequences of code)
unique to each computer virus and reporting their
presence if found. For viruses that encrypt or
cipher their code so that every infection is
different, Scan uses detection algorithms that
work by statistical analysis, heuristics, and
code disassembly.
NEW AND UNKNOWN VIRUS DETECTION
Scan can also check for new or unknown viruses
by comparing files against previously recorded
validation data. If a file has been modified, it
will no longer match the validation data, and
Scan will report that the file may have become
infected. With certain options, SCAN /CLEAN can
use the validation and recovery data to restore
infected files. Refer to the /AF, /AV, /CF, /CV,
/RF, and /RV options in Chapter 4.
NOTE TO NETWORK USERS
To use Scan on a network drive (or directory),
you must be connected to that drive and have
read access to it. Some command line options
described in this chapter attempt to create,
change, and delete files. To use these options,
you must have sufficient access rights. If you
have questions about access rights, contact your
network administrator.
Using VirusScan (Version 2.2) 31
VALIDATING SCAN
The Scan program in your VirusScan package is
supplied on a write-protected diskette that
should be secure from infection. We recommend
that you update your copy of the VirusScan
programs regularly. You can obtain an upgrade
from several sources, as described in "Updating
VirusScan regularly" in Chapter 2.
Before using a new version of Scan for the first
time, verify that it has not been tampered with
or infected by using the Validate program, as
described in "Validate VirusScan" in Chapter 2.
If your new copy of Scan differs from the
validation data in the on-line documentation
file, it may have been damaged. Don't use it,
and obtain a clean copy of Scan from a known
source.
Scan performs an integrity test when run. This
self-check allows Scan to determine if it has
been modified. If Scan fails its integrity test,
a warning message appears, and Scan refuses to
run and returns to the command line prompt. You
must obtain an undamaged copy before continuing.
RUNNING SCAN FROM THE COMMAND LINE
Scan checks files and other areas of the system
that can contain computer viruses. When a virus
is found, Scan identifies the virus and the
system area or file where it was found.
By default, Scan examines only executable files
(.EXE, .COM, .SYS, .BIN, .OVL, and .DLL files).
These are the files most likely to be infected
with a virus. Use the /ALL option to scan all files
on your system. Refer to "Scan option descriptions"
later in this chapter for more information about
the /ALL option.
From DOS or OS/2, you can run Scan from the
system prompt. (From OS/2, open the Command Prompts
folder in the OS/2 system folder, then click
either the OS/2 Full Screen icon or the OS/2 Window
icon to see the system prompt. Once you see the prompt,
For DOS, type:
C> scan {drives} [options]
For OS/2, type:
[C:\] os2scan {drives} [options]
Using VirusScan (Version 2.2) 32
{drives} indicates one or more drives to be
scanned. You must specify one or more drives to
scan. If you list a drive like c:, all of its
subdirectories will be scanned. If you list \,
only the root directory of the current disk
will be scanned. If you list \ or a directory,
its subdirectories will not be scanned unless
you use the /SUB option.
[options] indicates one or more of the Scan
options listed in the next section, "Scan
command line option summary."
Using VirusScan (Version 2.2) 33
SCAN COMMAND LINE OPTION SUMMARY
/? or /HELP
Display help screen (not available in Windows,
use Help menu instead).
/ADL
Scan all local drives (including CD-ROM and PCMCIA
drives, but not floppy drives).
/ADN
Scan all network drives.
/AF {filename}
Store validation/recovery codes in {filename}.
/ALL
Scan all files, not just standard executables.
/APPEND
Append to, rather than overwrite, the file
(used with the /REPORT option).
/AV
Add validation/recovery data to program files.
/BOOT
Scan boot sector and master boot record only.
/CF {filename}
Check validation/recovery codes in {filename}.
/CLEAN
Clean up infections in boot sector, master
boot record, and files when possible.
/CV
Check validation/recovery data in files.
/DEL
Overwrite and delete infected files.
/EXCLUDE {filename}
Exclude from scan any files listed in {filename}
(used with the /AV option).
/FAST
Speed up VirusScan's scanning; may detect fewer viruses.
/FREQUENCY {hours}
Set the time freqency with which to scan your system.
Using VirusScan (Version 2.2) 34
/LOAD {filename}
Use Scan settings stored in {filename}.
/LOG
Save date and time that Scan was last run in
a hidden file (SCAN.LOG).
/MANY
Scan multiple diskettes on a single drive.
/MOVE {directory}
Move infected files to {directory}.
/NOCOMP
Skip checking compressed executables created
with the LZEXE or PKLITE file compression programs.
/NOMEM
Skip memory checking (not applicable to OS/2).
/PAUSE
Enable screen pause.
/PLAD
Preserve last access dates on Novell drives.
/REPORT {filename}
Create report of infected files found during scan
in {filename}.
/RF {filename}
Remove validation/recovery codes in {filename}.
/RPTCOR
Add list of corrupted files to the report file
(used with the /REPORT option).
/RPTERR
Add list of system errors to the report file
(used with the /REPORT option).
/RPTMOD
Add list of modified files to the report file.
(used with the /REPORT option in conjunction
with either /CF or /CV).
/RV
Remove validation/recovery data from files.
/SHOWLOG
Display information in SCAN.LOG.
Using VirusScan (Version 2.2) 35
/SUB
Scan subdirectories inside a directory.
/VIRLIST
Display list of viruses detected by VirusScan.
Using VirusScan (Version 2.2) 36
SCAN OPTION DESCRIPTIONS
Here is a detailed description of Scan's options.
/? or /HELP
Display list of Scan options.
Does not scan. Instead, displays a list of Scan
command line options with a brief description of
each. No scanning is performed when these
options are specified. Use either of these
options alone on the command line.
/ADL
Scan all local drives (except floppy drives).
Scans all local drives for viruses, in addition
to those specified on the command line. In DOS,
use /ADL to check all local drives (including
compressed drives, CD-ROMs, and PCMCIA drives,
but not floppy drives). To scan both
local and network drives, use /ADL and /ADN
together in the same command line.
/ADN
Scan all network drives.
Scans all network drives for viruses, in
addition to those specified on the command line.
To scan both local and network drives, use /ADL
and /ADN together in the same command line.
/AF {filename}
Store validation/recovery codes in {filename}.
Helps you detect and recover from new or unknown
viruses. /AF logs validation and recovery data
for executable files (but not the boot sector or
the master boot record) of a disk in the file
you specify. The log file is about 95 bytes per file
validated. You must specify a {filename}, which
can include the target drive and directory (such
as D:\VSVALID\VALCODES.VSC). If the target path
is a network drive, you must have rights to
create and delete files on that drive. If
{filename} exists, Scan updates it. /AF adds about
300% more time to scanning.
Using VirusScan (Version 2.2) 37
To recover from a virus using the /AF information,
use the /CF and /CLEAN options together in
the same command line. Using any of
the /AF, /CF, or /RF options together in the
same command line returns an error.
NOTE: /AF performs the same function as /AV, but
stores its data in a separate file rather than
changing the executable files themselves. For
more information, see "Detecting new and unknown
viruses" in Chapter 5.
/ALL
Check all files, not just standard executable files.
Increases system security by performing a more
thorough scan. Otherwise, Scan checks only
standard executable files (with .COM, .EXE,
.SYS, .BIN, .OVL, and .DLL extensions), which
are the files most likely to be infected by a
virus. If /ALL is specified, Scan checks all
files on the specified drive, which increases
Scan's ability to detect viruses in overlay
files but substantially increases the scanning
time required. Use this option if you have found
a virus or suspect one. (Note that the list of
extensions for standard executables, above, has
changed from previous releases of VirusScan.)
/APPEND
Append to the report file.
Used in conjunction with /REPORT, appends the
report message text to the specified report
file, if it exists. Otherwise, the /REPORT
option overwrites the specified report file, if
it exists.
/AV
Add validation/recovery data to files.
Helps you detect and recover from new or unknown
viruses. /AV adds recovery and validation data
to each standard executable file (.EXE, .COM, .SYS,
.BIN, .OVL, and .DLL), increasing the size of each
file by 98 bytes. To update files on a shared network
drive, you must have update access rights. The /AV
option adds about 100% more time to scanning.
Using VirusScan (Version 2.2) 38
To exclude self-modifying or self-checking files
that might cause false alarms, use the /EXCLUDE
option. To recover from a virus using the /AV
information, use the /CV and /CLEAN options
together in the same command line. Using any of
the /AV, /CV, or /RV options together in the
same command line returns an error.
NOTE: The /AV option does not store any
information about the master boot record (MBR)
or boot sector of the drive being scanned.
/BOOT
Scan boot sector and master boot record only.
Scans the boot sector and master boot record on
the specified drive(s), but not files or
directories on those drives.
/CF {filename}
Check validation/recovery codes in {filename}.
Helps you detect new or unknown viruses. Checks
validation data stored by the /AF option in
{filename}. If a file or system area has changed,
Scan reports that a viral infection may have
occurred. The /CF option adds about 250% more
time to scanning. For more information, see
"Detecting new and unknown viruses" in Chapter
5. You can use /CF and /CLEAN in the same
command line to check validation/recovery codes
and remove any viruses found. Using any of the
/AF, /CF, or /RF options together in a command
line returns an error.
NOTE: Some older Hewlett-Packard and Zenith PCs
modify the boot sector each time the system is
booted. If you use /CF or /CV, Scan continuously
reports that the boot sector has been modified
even though no virus may be present. Check your
system's reference manual to determine whether
your PC has self-modifying boot code, or contact
McAfee for help (see "Technical support" in
Chapter 1).
NOTE OS/2 dual boot systems change the boot
sector between DOS and OS/2 depending on
which operating system is active. This causes
Scan to report that the boot sector has been
modified.
Using VirusScan (Version 2.2) 39
/CLEAN
Remove viruses from boot sector, master boot
record, and infected files.
Attempts to restore the boot sector, if
infected, and any infected files. Usually,
between 10% and 20% of all viruses are not
removable; they damage the file they infect
beyond repair. If the infected file resides on a
network drive, you must have rights to modify
files on that drive to clean it. If it cannot
restore a file, you'll see a message that
identifies the name of the unrecoverable file.
To use /CLEAN, the CLEAN.DAT file must reside in
the Scan directory. For more information, see
"Cleaning viruses" later in this chapter.
Use /CLEAN instead of /DEL when you want to
restore infected files, not just delete or
overwrite them. The /CLEAN option can remove
master boot record (MBR) and boot sector
viruses, but the /DEL option cannot. If you use
/CLEAN and /DEL in the same command line, Scan
first attempts to disinfect an infected file,
then deletes it only if it cannot be repaired.
Similarly, if you use /CLEAN and /MOVE in the
same command line, Scan first attempts to clean
an infected file, then moves it to the specified
subdirectory if the file is unrecoverable.
You can use /CLEAN and /CF or /CV in the same
command line to check validation/recovery codes
and remove any viruses found. We strongly
recommend that you get experienced help in
dealing with viruses if you are unfamiliar with
anti-virus software and methods. This is
especially true for "critical" viruses and
master boot record (MBR)/boot sector infections,
because improper removal of these viruses can
result in the loss of all data on the infected
disks.
NOTE: When scanning a network drive using
/CLEAN, you must have sufficient rights to
update files on that drive.
Using VirusScan (Version 2.2) 40
/CV
Check validation/recovery data in files.
Helps you detect new or unknown viruses. Checks
validation data added by the /AV option. If a
file is modified, Scan reports that a viral
infection may have occurred. The /CV option adds
about 50% more time to scanning. You can use
/CLEAN and /CV in the same command line to
check validation/recovery codes and restore
infected files. Using any of the /AV, /CV, or
/RV options together in the same command line
returns an error.
For more information, see "Detecting new and
unknown viruses" in Chapter 5. See also the note
under /CF in this section.
/DEL
Overwrite and delete infected files.
Deletes and overwrites each infected file. Files
erased by the /DEL option cannot be recovered
(you should generate a report so that you can
restore them from backups). Instead of /DEL alone,
we recommend using it in combination with the
/CLEAN option to attempt to disinfect an
infected file first, then delete it only if the
file is unrecoverable. The /CLEAN option can
remove master boot record and boot sector
viruses, but the /DEL option cannot.
NOTE: When scanning a network drive using /DEL,
you must have sufficient access rights to delete
files on that drive.
/EXCLUDE {filename}
Scan using exception list file called {filename}.
Allows you to exclude files from /AV
validation and /CV checking. Self-modifying
or self-checking files can cause a false alarm
during a scan. To create {filename}, see
"Technical note 1: Creating an exception
list file for the /EXCLUDE option" in this
chapter.
Using VirusScan (Version 2.2) 41
/FAST
Speed up Scan's scanning.
Reduces scanning time by about 15%. Using the /FAST
option, Scan examines a smaller portion of each
file for viruses, although it examines more
files overall. Using /FAST might miss some
infections found in a more comprehensive (but
slower) scan. Do not use this option if you have
found a virus or suspect one.
/FREQUENCY {hours}
Set the time freqency with which to scan your system.
In environments where the risk of viral infection is
very low, use this option to prevent unnecessary or
too-frequent scans. The lower the number of {hours}
specified, the greater the scan frequency and the
greater your protection against infection.
The first time this option is used on a workstation,
Scan creates a hidden file named MCAFEE.FRC in the root
directory of drive C. In it, Scan stores the date and
time that the system was scanned. Thereafter, whenever
this option is used, Scan checks this file and compares
the time elapsed from the last scan with the specified
number of {hours}. If {hours} exceeds the elapsed time,
Scan exits without scanning the system. Otherwise, Scan
proceeds as usual to scan the system and, when finished,
updates MCAFEE.FRC with the system date and time.
/LOAD {filename}
Use Scan settings stored in {filename}.
By default, Scan loads its internal default
settings plus any options specified on the
command line. You can store all custom settings
in a separate ASCII text file, then use /LOAD to
load those settings from that file.
Use a text editor to create the file. You can
put all options on the same command line or put
each option (with its parameter) on its own
line, separated by a hard carriage return and
line feed, as shown in the following examples.
Using VirusScan (Version 2.2) 42
Sample load file with all options on the same
command line:
m: /report a:infectn.rpt /rptcor /rpterr
Sample load file with each option on a separate
command line:
m:
/report a:infectn.rpt
/rptcor
/rpterr
/LOG
Save date and time of last scan.
Stores the time and date Scan is being run by
updating or creating a file called SCAN.LOG in
the current directory.
/MANY
Scan multiple floppies.
Scans multiple diskettes consecutively in a
single drive. Scan will prompt you for each
diskette. Once you have established a virus-free
system, use this option to check multiple
diskettes quickly.
/MOVE {directory}
Move infected files to {directory}.
Moves all infected files found during a scan to
the specified directory. If you use /MOVE in
conjunction with /CLEAN, Scan attempts to
restore an infected file first, then moves it to
the specified directory only if the file cannot
be restored. Using /MOVE and /DEL in the same
command line returns an error message.
Using VirusScan (Version 2.2) 43
/NOCOMP
Skip checking compressed executable files.
Reduces scanning time when a full scan is not
needed. Otherwise, by default, Scan checks
inside executable, or self-decompressing, files
that have been created using the LZEXE or PKLITE
file compression programs. Scan decompresses
each file in memory and checks for virus
signatures, which takes time but results in a
more thorough scan. If you use /NOCOMP, Scan
does not check inside compressed files for
viruses, although it can check for modifications
to those files if they have been validated using
validation/recovery codes.
/NOMEM
Skip memory checking.
Reduces scan time by omitting all memory checks
for viruses. Use /NOMEM only when you are
absolutely certain that your system is virus-
free.
By default, Scan checks system memory for critical
known computer viruses that can inhabit memory.
In addition to main memory from 0Kb to 640Kb,
Scan checks system memory from 640Kb to 1088Kb
that can be used by computer viruses on 286 and
later systems. Memory above 1088Kb is not addressed
directly by the processor and is presently not
susceptible to viruses.
NOTE: /NOMEM is not applicable to OS/2.
/PAUSE
Enable screen pause.
If you specify /PAUSE, the More? (H = Help)
prompt appears when Scan fills up a screen with messages,
such as when using the /SHOWLOG or /VIRLIST options.
Otherwise, by default, Scan fills and scrolls a
screen continuously without stopping, which
allows Scan to run on PCs with many drives or
that have severe infections without requiring
you to attend. We recommend that you omit /PAUSE
when keeping a record of Scan's messages using
the report options (/REPORT, /RPTCOR, /RPTMOD,
and /RPTERR).
Using VirusScan (Version 2.2) 44
/PLAD
Preserve last access dates (NetWare drives only).
Prevents changing the last access date attribute
for files stored on a network drive in a Novell
network. Normally, NetWare updates the last
access date when Scan opens and examines a file.
However, some tape backup systems use this last
access date to decide whether to back up the
file. Use /PLAD to ensure that the last access
date does not change as the result of scanning.
/REPORT {filename}
Create report of infected files and system errors.
Saves the output of Scan to {filename} in ASCII
text file format. If {filename} exists, /REPORT
erases and replaces it. You can use /APPEND to
append the current scan report to the end of
{filename}. You can include the destination drive
and directory (such as D:\VSREPRT\ALL.TXT), but
if the destination is a network drive, you must
have rights to create and delete files on that drive.
You can also use /RPTCOR, /RPTMOD, and /RPTERR to
add corrupted files, modified files, and system
errors to the report.
/RF {filename}
Remove validation/recovery codes in {filename}.
Removes recovery and validation data from
{filename} created by the /AF option. If {filename}
resides on a shared network drive, you must be
able to delete files on that drive. Using any of
the /AF, /CF, or /RF options together in the
same command line returns an error.
/RPTCOR
Add corrupted files to Scan report.
Used in conjunction with /REPORT, adds the names
of corrupted files to the report file. A
corrupted file is a file that a virus has
damaged beyond repair, which typically occurs in
10% to 20% of all viral infections. You can use
/RPTCOR with /RPTMOD and /RPTERR on the same
command line.
Using VirusScan (Version 2.2) 45
/RPTERR
Add errors to Scan report.
Used in conjunction with /REPORT, adds system
errors to the report file.
System errors include problems reading or
writing to a diskette or hard disk, file system
or network problems, problems creating reports,
and other system-related problems. You can use
/RPTERR with /RPTCOR and /RPTMOD on the same
command line.
/RPTMOD
Add modified files to the Scan report.
Used in conjunction with /REPORT, adds the names
of modified files to the report file. Scan
identifies modified files when the
validation/recovery codes do not match (using
the /CF or /CV options). You can use /RPTMOD
with /RPTCOR and /RPTERR on the same command
line.
/RV
Remove validation/recovery from files.
Removes validation and recovery data from files
validated with the /AV option, along with the
SCAN.LOG file on the specified drive. To update
files on a shared network drive, you must have
access rights to update them. Using any of the
/AV, /CV, or /RV options together in the same
command line returns an error.
/SHOWLOG
Update and display the contents of SCAN.LOG.
Stores the time and date Scan is being run by
updating or creating a file called SCAN.LOG in
the current directory, and shows you the date
and time of previous scans that have been
recorded in the SCAN.LOG file using the /LOG
switch. The SCAN.LOG file contains text and some
special formatting. To pause when the screen
fills with messages, specify the /PAUSE option.
Using VirusScan (Version 2.2) 46
/SUB
Scan subdirectories.
By default, when you specify a directory to scan
rather than a drive, Scan will examine only the
files it contains, not its subdirectories. Use
/SUB to scan all subdirectories inside any
directories you've specified. Do not use /SUB if
you are scanning an entire drive.
/VIRLIST
Display the contents of SCAN.DAT.
Shows you the name and a brief description of
the viruses that VirusScan detects. To pause
when the screen fills with messages, specify the
/PAUSE option. Use /VIRLIST alone or with /PAUSE
on the command line.
You can save the list of virus names and
descriptions to a file by redirecting the output
of the command. For example, in DOS:
scan /virlist > filename.txt
CLEANING VIRUSES
Although /CLEAN removes many viruses and
restores normal operation, viruses can be
harmful and insidious, and no anti-virus program
can undo all their damage. Usually, between 10%
and 20% of all viruses corrupt the files they
infect, making them unrecoverable. If the file
is infected with an uncommon virus that /CLEAN
can't remove, Scan notifies you and identifies
the filename. Note this filename so that you
know what to restore from a backup diskette or
tape. If you use both the /CLEAN and the /DEL
options, Scan will first attempt to repair an
infected file and, if the file is damaged beyond
repair, Scan will delete it. Deleted files are
not recoverable except from backups.
Some viruses damage or overwrite program (.EXE)
files or overlay files. Removing the virus can
truncate the file or otherwise render it
inoperable. Others, like the common virus
Stoned, infect the master boot record (MBR). On
systems partitioned with programs other than DOS
(such as Disk Manager and SpeedStor), removing
the virus can cause loss of the master boot record
(MBR) and all data on the disk, if done improperly.
Using VirusScan (Version 2.2) 47
BASIC PRINCIPLES TO MINIMIZE DAMAGE
These considerations lead to the three important
principles:
NOTE: Before running Scan with the /CLEAN
option, back up all of your programs and data.
Of course, this works best if you back up your
files regularly, so that you can restore your
files from a backup made before your system was
infected. But even a backup from an infected
system can be useful for restoring data, because
most viruses do not corrupt data. If a program
no longer runs after being cleaned, replace it
from the original disk or from a virus-free
backup.
1. When disinfecting an infected system, it is
important to start from a "sterile field," as
described in Chapter 2.
2. Before running Scan with the /CLEAN option for
DOS, restart your computer from a clean,
write-protected diskette; before running it
for OS/2, close all DOS and Win-OS/2
sessions.
Preferably, use the clean anti-virus start-up
diskette you created in "Making a clean start-
up diskette" in Chapter 2. And, because
running any program can spread the infection:
3. Do not run any programs, including Windows,
before running Scan /CLEAN.
Run Scan /CLEAN from DOS instead of Windows.
Exit completely from Windows. Do not run Scan
/CLEAN from within a DOS window.
IMPORTANT: If you are at all unsure about how to
proceed once you've found a virus, contact
McAfee technical support, or your local
authorized agent, for assistance (see "Technical
support" in Chapter 1).
We strongly recommend that you get experienced
help in dealing with viruses if you are unfamiliar
with anti-virus software and methods. This is especially
true for "critical" viruses and master boot record (MBR)
/boot sector infections, because improper removal of
these viruses can result in the loss of all data and
use of the infected disks.
Using VirusScan (Version 2.2) 48
RUNNING SCAN TO CLEAN UP INFECTIONS
PREPARATION
Before running Scan to clean up infections:
1. Clear the virus from system memory and prevent
reinfection:
o With DOS or Windows, turn off your PC, then
restart from a clean start-up diskette,
preferably the anti-virus diskette you
prepared in "Making a clean start-up
diskette" in Chapter 2.
o With OS/2, close all DOS and Win-OS/2 sessions.
o With an OS/2 dual-boot system infected by a
boot sector virus (like Form, or others
identified by Scan), boot (start up) OS/2
first, delete the BOOT.DOS file from the \OS2
directory, and then boot DOS to create a new,
virus-free DOS boot sector file.
2. Run the Scan program to locate and identify
the infections.
3. Back up the files on the infected disks (be
sure not to overwrite any previous backups).
4. Repeat Step 1.
5. Run the Scan program with the /CLEAN option to
remove infections.
NOTE: Don't run any programs, including Windows,
before running Scan /CLEAN.
If you have Windows, run Scan /CLEAN from DOS.
NOTE: When disinfecting a hard disk, always run
Scan /CLEAN from a write-protected diskette to
prevent infection of the Scan program. When
disinfecting diskettes, make sure there is no
active virus in memory before running Scan from
your hard disk.
SUCCESSFUL AND UNSUCCESSFUL RESULTS
Scan /CLEAN reports the results of its attempt
to remove the virus from each infected file. If
a file has several infections, it will report on
each.
Using VirusScan (Version 2.2) 49
IF VIRUSES WERE NOT REMOVED
If Scan can't remove a virus, you'll see a
message like:
Virus cannot be safely removed from this file.
Make sure to take note of the file name, because
you will need to restore it from backups. If you
have any questions about how to proceed, contact
McAfee technical support or your local
authorized agent (see "Technical support" in
Chapter 1).
IF VIRUSES WERE SAFELY REMOVED, RESCAN AND CHECK
DISKETTES
If Scan /CLEAN has successfully removed all the
viruses, turn your computer off again and
restart from the system disk. Scan your hard
disks again to make sure they are virus-free. If
you suspect that your system was infected from a
diskette, run Scan from your hard disk to
examine and disinfect the diskettes you use.
Using VirusScan (Version 2.2) 50
EXAMPLES
These examples show different option settings.
In OS/2, remember to use OS2SCAN instead of SCAN.
scan c:
Scan all executable files on drive C.
scan f:
Scan all standard executable files on drive F, a
network drive.
scan c: /adl /adn
Scan all local and network drives (including CD-ROM
and PCMCIA drives but not diskettes).
scan f: g: h: /del /all
Scan all files on drives F, G, and H, and delete
any infected files found.
scan c: d: e: /av /all
Scan for viruses in all files and add validation
codes to executable files on drives C, D, and E.
scan m: /report c:infectn.rpt /rptcor /rpterr /append
Scan for viruses on network drive M: and create
a log file of infections, corruptions, and
errors in the file INFECTN.RPT on drive C. This
will overwrite C:INFECTN.RPT, if it exists.
scan e:\user\jake e:\user\daisy e:\user\nick /sub
Scan all subdirectories inside the directories
USER\JAKE, USER\DAISY, and USER\NICK on drive E.
scan c: d: e: /fast /cv
Quickly scan drives C, D, and E, and report any
executable files that have associated validation
codes and have been modified.
scan c:\command.com
Scan a single file.
scan c: d: /clean
Scan drives C and D and remove infections.
Using VirusScan (Version 2.2) 51
ERROR LEVELS
After Scan has finished running, it sets the
ERRORLEVEL. You can use the ERRORLEVEL in batch
files to take different actions based on the
results of the scan. See your DOS operating
system documentation for more information. Scan
returns the following ERRORLEVELs:
ERRORLEVEL Description
0 No errors occurred and no viruses were found.
1 Error occurred while accessing a file (reading
or writing).
2 A VirusScan database (*.DAT) file is
corrupted.
3 An error occurred while accessing a disk
(reading or writing).
4 An error occurred while accessing the file created
with the /AF option; the file has been damaged.
5 Insufficient memory to load program or complete
operation.
6 An internal program error occurred.
7 An error in accessing an international message
file (MCAFEE.MSG).
8 A file required to run VirusScan, such as SCAN.DAT,
is missing.
9 Incompatible or unrecognized option(s) or option
argument(s) were specified in the command line.
10 A virus was found in memory.
11 An internal program error occurred.
12 An error occurred while attempting to remove
a virus, such as no CLEAN.DAT file found, or
VirusScan was unable to remove the virus.
13 One or more viruses was found in the master
boot record, boot sector, or file(s).
14 The SCAN.DAT file is out of date; upgrade
VirusScan data files.
Using VirusScan (Version 2.2) 52
15 VirusScan self-check failed. It may be
infected or damaged.
16 An error occurred while accessing a specified
drive or file.
17 No drive, directory or file was specified;
nothing to scan.
18 A validated file has been modified (/CF or
/CV options).
20 /FREQUENCY option in use
21-99 Reserved.
100+ Operating system error; Scan adds 100 to
the original error number.
Using VirusScan (Version 2.2) 53
APPLICATION NOTE 1 UPDATING VALIDATION CODES
If you install any new software or programs on
your system, including a new version of DOS, and
are running Scan or VShield with the /CF
(preferred) or /CV validation options, you need
to install validation codes for the new files
with Scan's /AF (preferred) or /AV options.
The quickest way to update the validation codes
is to remove all validation codes from the hard
disk and then add them back. In other words,
first run Scan with the /RF or /RV option, then
run it again with the /AF or /AV option.
APPLICATION NOTE 2 REFORMATTING INFECTED
DISKETTES WITH DOS 5.0 AND LATER
When reformatting infected diskettes using DOS
5.0 and later versions, be sure to add the /U
switch to the FORMAT command. This tells DOS to
do an unconditional format of the diskette,
without saving the original infected boot
sector. This is necessary to erase certain
infections, and will prevent reinfection by
unformatting the diskette.
Using VirusScan (Version 2.2) 54
TECHNICAL NOTE 1
CREATING AN EXCEPTION LIST FILE FOR THE /EXCLUDE OPTION
If you set up validation codes using Scan's /AV
option, subsequent scans using the /CV option
will detect changes in executable files.
This can generate false alarms if the executable
files are self-modifying or self-checking (most
programs that do this will tell you to turn off
your anti-virus software before running them;
some of these files are listed below).
Therefore, use the /EXCLUDE option in
conjunction with /AV to identify such
files and exclude them from the validation.
The exception list is an ASCII or DOS text file.
If you use a word processor to create it, be
sure to save the file as ASCII or DOS Text. Each
line in the file contains the path and file name
of one file that should not be validated. Here
is an example:
c:\clipper\bin\clipper.exe
c:\123\123.com
c:\fox\foxprolx.exe
c:\dos\setver.exe
c:\pkware\pklite.exe
c:\pkware\pkzip.exe
c:\pkware\pkunzip.exe
c:\semware\q.exe
c:\swapvol.com
c:\wordstar\ws.exe
Using VirusScan (Version 2.2) 55
CHAPTER 4: VSHIELD REFERENCE
VirusScan's VShield(TM) is a memory-resident
program that helps to prevent virus infection.
It complements the Scan virus detection program
as part of your computer security plan. While
Scan lets you check areas on disks for viruses,
the VShield program checks these areas
automatically as they load into your computer's
memory. This ensures that you don't "catch" any
new viruses while you're working on your computer.
VShield does this by remaining in memory and:
o Checking master boot records (MBRs), boot
sectors, system files, and itself for viruses
when you turn on or reset
([Ctrl]+[Alt]+[Del]) your machine.
o Checking program files for viruses as your
computer executes them.
o Checking files for viruses as you copy them
(optional).
o Checking for viruses whenever your computer
accesses a disk (optional).
Follow the instructions in Chapter 2 or Appendix A
to install VShield. You can modify your AUTOEXEC.BAT
file so that VShield loads into memory every time you
turn on your computer.
If VShield finds a virus, you will hear three
beeps and see a message like:
Found the Jerusalem Virus in memory
If that happens, don't panic. Turn to Chapter 3
to find out how to use the Scan program to get
rid of the virus. If you need additional help,
contact McAfee (see "Technical support" in
Chapter 1).
NOTE: There is one way to infect your computer
that VShield cannot prevent--only you can. Never
accidentally start your computer from an unknown
diskette. That's how 80% of all viruses are
passed! VShield checks diskettes if you warm
boot, but cannot check them when you cold boot.
Always make sure your diskette drives are empty
before you turn your computer on.
Using VirusScan (Version 2.2) 56
VShield runs under DOS, Windows, and OS/2
Virtual DOS Machine and WIN-OS/2 sessions. The
program file is VSHIELD.EXE. The file called
VSHLDWIN.EXE allows VShield to display messages
from within Windows. The install program adds
this icon to your WIN.INI file automatically, or you
add it manually using the instructions in Appendix A.
If you need to conserve memory on your system,
you can use VShieldCRC, a version of VShield
that offers fewer protection options but requires
less memory. The program file is VSHLDCRC.EXE.
A companion program called CheckVShield checks
whether either VShield or VShieldCRC is loaded
in memory. The program file is CHKVSHLD.EXE.
CheckVShield is especially useful for network
administrators who want to ensure that everyone
who logs on to the network is running VShield.
All of these related programs are included in
your VirusScan disk and described in this chapter.
DO YOU NEED TO READ THIS CHAPTER?
Many users will not need the VShield options
described in this chapter. We have designed
VShield so that basic operation--achieved by
simply installing it in memory as described in
Chapter 2--provides a high degree of protection
for most users. The options here offer
additional power and control for virus
detection, and are most useful in vulnerable or
memory-scarce environments and to network
administrators and information systems staff.
See "Four levels of protection" and the table
"Deciding which options are for you" later in
this chapter for help in deciding how to use VShield.
SYSTEM REQUIREMENTS AND PERFORMANCE
VShield is a terminate-and-stay-resident (TSR)
program, which remains in memory while you run
other programs. VShield tries to optimize memory
usage and minimize conflicts with other TSRs. By
default, VShield tries to conserve as much
conventional memory as possible.
If you have only 640Kb or less memory in your
system, VShield requires minimal conventional
memory. By using the /SWAP option, you can reduce
this to only 8Kb of conventional memory, although
this will decrease VShield's speed.
Using VirusScan (Version 2.2) 57
If you have more than 640Kb, VShield tries to
load as much of itself as possible above
conventional memory: first into expanded memory
(EMS), into extended memory (XMS), then into
upper memory blocks (640Kb to 1024Kb, or UMB).
If you have sufficient high memory available,
VShield or VShieldCRC use no conventional memory.
After VShield loads, you'll see a message that
describes where VShield loaded into memory and
how much memory it uses. You can control how
VShield loads by using the /NOUMB, /NOEMS, and
/NOXMS options, as described later in this chapter.
NOTE: VShield might require slightly more memory as
SCAN.DAT and NAMES.DAT grow to include more viruses.
VShield adds a small amount of time to program
loads and reboots. Performance will vary,
depending on your system. The /SWAP option adds
more time, because VShield must reload from disk
to check files. VShieldCRC adds an average of
one second to each program load.
Once programs have been loaded, VShield does not
degrade the performance of your system. Programs
that load other files may run more slowly when
you use the /FILEACCESS or /ANYACCESS options,
because these options cause VShield to scan
files whenever they are accessed, not just when
they are executed.
Using VirusScan (Version 2.2) 58
FOUR LEVELS OF PROTECTION
You can think of VShield as providing four
levels of protection. You can use VShield's
options to customize it for the level of
protection you need. Level II meets the
protection needs of most systems.
Level I protection is appropriate for users who
have very little memory available on their
systems. It provides only minimal protection.
For Level I protection, first use Scan with the
/AF or /AV option to add validation codes. Then,
install VShieldCRC instead of VShield.
VShieldCRC can inform you that a file has not
been certified, a file has been modified, a file
size has changed, or a file has not been added
to the validation file. VShieldCRC will not
prevent infection, nor will it tell you when you
have a known virus. Use Scan instead to detect
viruses, as described in Chapter 3. See "Using
VShieldCRC" later in this chapter for
instructions.
Level II protection is appropriate for most
users. It will protect you from most viruses
whether you have run Scan or not.
For Level II protection, install VShield
according to "Running VShield" later in this
chapter. When loading, VShield checks memory
automatically for viruses. Once resident in
memory, VShield checks master boot records
(MBRs), boot sectors, and program files (when
executed) for virus signatures.
Level III protection is appropriate for
computers that are used by many people, as in an
open-use computer lab, or onto which you
frequently load files from public sources. Level
III protection checks for both validation codes
and virus signatures, incorporating both Level I
and Level II protection.
For Level III protection, first use Scan with
the /AF {filename} option, then use VShield with
the /CF {filename} option. The /AF option logs
recovery and validation data for program files
(but not the boot sector or the master boot
record) to a file you specify. The /CF option
tells VShield to check against that log. See
"Scan Reference" in Chapter 3 for instructions.
Using VirusScan (Version 2.2) 59
Level IV protection is for environments where
security is extremely important and new software
is seldom introduced. It combines Level III
protection with access control, specifying that
only programs known to be safe can be run.
For Level IV protection, run VShield with the
/CERTIFY option. See the "VShield option
descriptions" later in this chapter for details
about /CERTIFY.
NOTE: VShield has many optional features that
you might use at any protection level. See the
table "VShield option summary" later in this
chapter to see these options.
Using VirusScan (Version 2.2) 60
RUNNING VSHIELD
VShield checks programs, the master boot record
(MBR), boot sector, system files, and itself for
virus signatures, the pattern of code unique to
each virus. If VShield finds an infection, it
prevents programs from running. It also prevents
warm boots ([Ctrl]+[Alt]+[Del]) from infected disks.
You can use options to control and fine-tune the
scope, validation parameters, and operation of
the VShield's checks. To use VShield with
options, use the following syntax:
vshield [options]
[options] indicates one or more options
described in the table in the next section.
NOTE: Don't enter the square braces, which
indicate that what's within them is optional.
Because systems and environments differ, VShield
gives you a choice of options. Consider the
mixture of safety, performance, and maintenance
that meets your needs, then choose the
combination of options that works best.
When you run VShield for the first time, VShield
uses the virus information contained in SCAN.DAT
and NAMES.DAT to creates a new file,
VSHIELD.DAT, in the program directory. The
VSHIELD.DAT file contains virus information in a
format that is optimized for VShield operation.
Thereafter, when you install an updated version
of SCAN.DAT, VShield updates VSHIELD.DAT
automatically with any new virus information it
finds in SCAN.DAT.
Using VirusScan (Version 2.2) 61
DOS
You can add VShield to your AUTOEXEC.BAT file so
it is activated every time you turn on your computer.
You can put VShield at the end of AUTOEXEC.BAT.
In most cases this is OK. However, using a text editor,
1. Check the placement of the VShield command
line in the AUTOEXEC.BAT file.
o VShield must be run before any menu programs,
such as Windows, MS-DOS's DOSSHELL or Norton
Commander, or it will not be loaded.
o If AUTOEXEC.BAT loads any network drivers,
keyboard drivers, disk caching programs,
drive compression programs, or custom disk
drivers, VShield must be run both before and
after them. These kinds of programs disable
VShield. The second time VShield is loaded,
use only the /RECONNECT option, as described
later in this chapter.
2. If necessary, move the line that loads VShield.
3. Add the VShield options of your choice to the
command line.
WINDOWS
When you install VShield, you can add the VShield
command line to your AUTOEXEC.BAT file. If you used
the install program or the instructions in Appendix A,
your WIN.INI file was modified to include
VSHLDWIN.EXE, which allows VShield to display
messages under Windows.
However, you may need to change your Windows
configuration for VShield to run properly.
To do so, follow these steps. If you need help
with this procedure, see your Windows
documentation, or you can contact McAfee (see
"Technical support" in Chapter 1).
Using VirusScan (Version 2.2) 62
1. Follow the instructions for DOS users in the
previous section.
2. Start Windows.
3. In the Control Panel, configure Windows to run
in 386 enhanced mode.
4. Load Windows. You will see the VShield icon on
your desktop.
If VShield finds or suspects a virus, you'll see
a warning message. Choose OK to close the
message dialog.
Double-clicking the VShield icon only displays a
message confirming whether VShield is loaded.
OS/2
Because OS/2 is a protected environment, you
need VShield only during Virtual DOS Machine
(VDM) and WIN-OS2 sessions. When you install it,
you can add VShield to AUTOEXEC.BAT so it is
activated every time you start a VDM or WIN-OS/2 session.
If your start-up batch file is not AUTOEXEC.BAT,
edit your start-up batch file to include
VShield. For example:
[C:\] vshield /fileaccess
NOTE: See "/FILEACCESS," an option we recommend
using with OS/2, later in this chapter.
Using VirusScan (Version 2.2) 63
SPECIAL INSTRUCTIONS FOR NETWORK ADMINISTRATORS
You have many options for setting up VShield on
a network. The table "Deciding which options are
for you" later in this chapter lists options
that apply in network environments. If you need
assistance in choosing the best configuration
for your network, contact McAfee (see "Technical
support" in Chapter 1).
If you run VShield from a network drive, flag
VSHIELD.EXE as EXECUTE ONLY, READ ONLY, and
SHAREABLE.
If you run VShield from clients' local drives (optimal):
o Edit all clients' AUTOEXEC.BAT files to load
VShield, with the options that are
appropriate for your environment, before any
other drivers are loaded.
o Add VShield with the /RECONNECT option to the
AUTOEXEC.BAT or the network login script,
after the network drivers are loaded. See
/RECONNECT, later in this chapter, for more
information.
o Run CheckVShield from the login script.
CheckVShield returns a
DOS ERRORLEVEL that you can use in batch files
to check and update VShield. For an example of
using CheckVShield, see "Technical note 2:
Sample NetWare login script and .BAT file" later
in this chapter.
Using VirusScan (Version 2.2) 64
VSHIELD OPTION SUMMARY
DOS-OS/2 option Description
/? or /HELP
Display a list of valid VShield command line options.
/ANYACCESS
Scan the boot sector whenever a diskette is accessed
(read and write); scan executables; scan any newly
created files.
/BOOTACCESS
Scan the boot sector for viruses whenever a diskette
is accessed (including read and write).
/CERTIFY
Prevent files without validation codes from running.
/CF {filename}
Check for viruses using recovery and validation data
stored by Scan /AF in the specified {filename}.
/CONTACT {message}
Display specified message when a virus is found.
/CONTACTFILE {filename}
Display message stored in {filename} when
a virus is found.
/CV
Check validation codes added to files by Scan.
/EXCLUDE {filename}
Don't check files listed in {filename} for
validation codes (used with /CV).
/FILEACCESS
Scan executable files when they are accessed on a
diskette, but don't check the boot sector.
/IGNORE {drive(s)}
Don't check programs loaded from the specified drive(s).
/LOCK
Halt the system when a file that is infected loads
and attempts to execute.
/NOEMS
Prevent VShield from loading into expanded memory (EMS).
/NOMEM
Don't check memory for viruses.
Using VirusScan (Version 2.2) 65
/NOREMOVE
Prevent VShield from being removed from memory with
the /REMOVE switch.
/NOUMB
Prevent VShield from loading into upper memory blocks
(UMB).
/NOWARMBOOT
Don't check the diskette boot sector for viruses
during warm boot ([Ctrl]+[Alt]+[Del]).
/NOXMS
Prevent VShield from using extended memory (XMS)
when it loads.
/ONLY {drive(s)}
Check programs loaded only from the specified drive(s).
/POLY
Check for polymorphic viruses.
/RECONNECT
Restore VShield after certain drivers or TSRs have
disabled it.
/REMOVE
Unload VShield from memory.
/SAVE
Save the command line options to the VSHIELD.INI file.
/SWAP [pathname]
Load VShield kernel (8Kb) only; swap the rest to pathname.
Using VirusScan (Version 2.2) 66
VSHIELD OPTION DESCRIPTIONS
/? or /HELP
Use this option to display a brief description
of valid VShield command line options.
/ANYACCESS
Checks the diskette boot sector and all files
for viruses whenever a diskette is accessed by a
read or write operation, such as a DIR or COPY
command, and when a program on the diskette is
opened, read, updated, or executed.
/ANYACCESS prevents execution if a program file
is infected. It also checks any new files
created, such as with a copy command, regardless
of the file's extension.
This is the highest level of protection against
viruses that infect boot sectors. Using
/ANYACCESS with either /BOOTACCESS or
/FILEACCESS in the same command line returns an
error message.
NOTE: The /ANYACCESS switch is not recommended
for use with DOS and WIN-OS/2 sessions under
OS/2 due to certain low-level operating system
incompatibilities between OS/2 and DOS. Use the
/FILEACCESS switch instead.
/BOOTACCESS
Checks the boot sector of a diskette for viruses
whenever a diskette is accessed by a read or
write operation, such as the DIR or copy
commands. By default, VShield checks programs
when they execute, but does not check the boot
sector of the diskette for viruses. Using
/BOOTACCESS with /ANYACCESS in the same command
line returns an error message.
NOTE: This option does not work from within
Windows File Manager. For virus-checking within
Windows, use the /FILEACCESS or /ANYACCESS
switch instead.
Using VirusScan (Version 2.2) 67
/CERTIFY
Prevents programs from running if they do not
have Scan validation codes. Use it in high-
security environments to prevent clients from
running programs that have not been scanned. To
use /CERTIFY, first run Scan with the /AF or /AV
option, as described in Chapter 3. Then, use
VShield with the /CERTIFY option and either the
/CF or /CV option (either is required), such as:
vshield /certify /cf c:\mcafee\recvalch.sav
Some programs, such as Lotus 1-2-3, contain self-
modifying code and do not work correctly with
validation codes attached. You may create an
exception list of files to exclude from
validation. For instructions, refer to
"Technical note 1: Creating an exception list
for the /EXCLUDE option" later in this chapter.
/CF {filename}
Checks validation data stored by Scan's /AF
{filename} option, where {filename} is the name of
the validation data file created by Scan. If a
file or system area has changed, VShield reports
that a viral infection may have occurred.
In this example:
vshield /cf c:\mcafee\valcodes.dat /noems
VShield looks in the VALCODES.DAT file for
validation data. For instructions on using Scan
/AF to add validation codes, see "Scan option
descriptions" in Chapter 3, and "Detecting new
and unknown viruses" in Chapter 5.
Using VirusScan (Version 2.2) 68
/CONTACT {message}
Displays a custom message when a virus is found.
This message is displayed in addition to all
other VShield messages. Use /CONTACT to let
network users know what to do if VShield finds a
virus. The message can be up to 50 characters
long, and can contain any character except a
backslash " \ ". Place messages starting with a
hyphen " - " or slash " / " in quotation marks.
If your message is longer than 50 characters or
you want to store the message text in a file,
use /CONTACTFILE instead. Using /CONTACT and
/CONTACTFILE in the same command line returns an
error message.
/CONTACTFILE {filename}
An alternative to the /CONTACT option,
/CONTACTFILE identifies a file that contains the
message string to display when a virus is found.
This option is especially useful in network
environments, because you can easily maintain
the message text in a central file rather than
changing the command line in the AUTOEXEC.BAT
file on each workstation.
If your message is 50 characters or fewer, you
can use /CONTACT instead. Using /CONTACT and
/CONTACTFILE in the same command line returns an
error message.
/CV
Checks validation codes added by Scan with the
/AV option. If a file has changed, VShield
reports that the file has been modified and a
viral infection may have occurred. You can
specify the /EXCLUDE option to exclude a list of
files from validation checking. For instructions
on using Scan to add validation codes, see "Scan
option descriptions" in Chapter 3, and
"Detecting new and unknown viruses" in Chapter 5.
Using VirusScan (Version 2.2) 69
/EXCLUDE {filename}
Excludes files listed in {filename} from
validation when using /CV. For more
information on this, see "Technical note 1:
Creating an exception list for the /EXCLUDE
option" later in this chapter.
/FILEACCESS
Checks standard executable files whenever the
file is accessed or executed, and prevents
execution of infected programs. Checks all files
when accessed by a read or write operation.
Using /ANYACCESS in the same command line with
/FILEACCESS returns an error message.
NOTE: We recommend always using /FILEACCESS with
OS/2. 1 For VShieldCRC, /FILEACCESS checks files
only if they have been validated with the /AF or
/AV options.
/IGNORE {drives}
Omits checking program loads from the specified
drives, as shown in the following example:
vshield /ignore t: y: w:
Use /IGNORE or /ONLY to speed up VShield by
excluding secure, virus-free network drives from
virus checking. You can specify up to 26 drives.
See also /ONLY, described later in this section.
Using /IGNORE and /ONLY in the same command line
returns an error message.
/LOCK
Halts the system to stop further infection if
VShield finds a virus. /LOCK is appropriate in
highly vulnerable network environments, such as
open-use computer labs. If you use /LOCK, use
/CONTACT or /CONTACTFILE to tell users what to
do or whom to contact if a virus is found and
the system locks up.
Using VirusScan (Version 2.2) 70
/NOEMS
Prevents VShield from using expanded memory (LIM
EMS 3.2) when it loads. This ensures that EMS is
available exclusively to other programs.
/NOMEM
Skips the memory check for viruses when VShield
loads. Using /NOMEM improves performance
slightly, but use it only if you are absolutely
sure that your system is virus-free.
/NOREMOVE
Prevents VShield from being removed from memory
with the /REMOVE option in a subsequent VShield
command. When you load VShield with the
/NOREMOVE option, subsequent loads with the
/REMOVE option will have not effect. Your
network will be more secure if users cannot
remove VShield, but this option may prevent
users from solving memory limitations or
conflicts.
/NOUMB
Prevents VShield from loading into the upper
memory block (UMB, 640Kb to 1024Kb). This
ensures that the UMB is available exclusively to
other programs.
/NOWARMBOOT
Omits checking the diskette boot sector during a
warm boot ([Ctrl]+[Alt]+[Del]).
/NOXMS
Prevents VShield from using extended memory when
it loads. This ensures that XMS is available
exclusively to other programs.
Using VirusScan (Version 2.2) 71
/ONLY {drive(s)}
Checks program loads only from the specified
drive(s), ignoring all other drives, as shown in
the following example:
vshield /only c: f: k:
Use /IGNORE or /ONLY to speed up VShield by
excluding secure, virus-free network drives from
virus checking. You can specify up to 26 drives.
See also /IGNORE, earlier in this chapter. Using
/ONLY and /IGNORE in the same command line
returns an error message.
/POLY
Checks for polymorphic viruses, which are
viruses that attempt to evade detection by
changing their internal structure or encryption
techniques. Otherwise, VShield does not check
for polymorphic viruses. Using /POLY on the same
command line as /FILEACCESS, /ANYACCESS, /BOOTACCESS,
or /SWAP returns an error.
/RECONNECT
Restores VShield's links into DOS after another
program has disabled it, such as a network
driver, keyboard driver, custom disk driver,
drive compression program, or disk caching
program. These types of programs replace the
normal DOS system interrupts so that VShield no
longer recognizes program loads. After the lines
in your AUTOEXEC.BAT file (or network login
script) that load these programs, add this
command line to restore VShield:
vshield /reconnect
/REMOVE
Unloads VShield from memory. You may want to do
this temporarily if you are running out of
memory for programs. For best results, try using
VShield with the /SWAP option first. Use /REMOVE
only as a last resort.
Using VirusScan (Version 2.2) 72
NOTE: /REMOVE will not work if other memory-
resident programs were loaded after VShield, or
if VShield was loaded previously with the
/NOREMOVE option.
/SAVE
Stores the VShield options you specify as the
defaults in VSHIELD.INI. In the following
example, /SAVE saves the /CONTACTFILE N:\MSGFILE
as the default setting:
vshield /contactfile n:\msgfile /save
To remove custom options and return to VShield's
original defaults, use the /SAVE option alone:
vshield /save
/SWAP [pathname]
Installs a small (8Kb) kernel of VShield in
memory that loads the rest of VShield from disk
on demand. Specify a pathname only if you want
VShield to swap to a path other than the
directory where VShield resides.
Use /SWAP only if you have very little memory
available, but require a high assurance of
safety. /SWAP will slow down your system and may
cause conflicts with programs that fail to
allocate memory properly. If you don't have
enough memory to load VShield without swapping,
consider using VShieldCRC instead. We do not
recommend storing the swap file on a network
path because, if the workstation disconnects
from the network, the workstation will lock.
Using VirusScan (Version 2.2) 73
DECIDING WHICH OPTIONS ARE FOR YOU
Because systems and environments differ, VShield gives you a
choice of options. Consider the mixture of safety,
performance, and maintenance that meets your needs, then
choose the combination of options that works best.
REQUIREMENT │ OPTION │ COMMENTS
══════════════════╪══════════════╪══════════════════════════════
More complete │ /ANYACCESS │ Highest protection against
protection, any │ │ infected diskettes; checks
environment │ │ for viruses whenever a dis-
│ │ kette or files are accessed.
├──────────────┼──────────────────────────────
│ /FILEACCESS │ Next highest protection
│ │ against infected diskettes;
│ │ checks for viruses whenever
│ │ a standard file is accessed.
├──────────────┼──────────────────────────────
│ /BOOTACCESS │ Of the three, lowest
│ │ protection against infected
│ │ diskettes; checks for
│ │ viruses in boot sector when
│ │ a diskette is accessed.
├──────────────┼──────────────────────────────
│ /POLY │ Used to check for
│ │ polymorphic viruses.
──────────────────┼──────────────┼──────────────────────────────
More complete │ /CERTIFY │ Use with /CF {filename} or
protection, │ │ /CV and an exception list.
stable software ├──────────────┼──────────────────────────────
environment │ /CF │ Use /CF or /CV. Of the two,
│ │ /CF is recommended.
├──────────────┼──────────────────────────────
│ /CV │ Use /CF or /CV.
──────────────────┼──────────────┼──────────────────────────────
Network or multi- │ /CONTACT │ Use this (or /CONTACTFILE)
user environments │ │ to tell users what to do
│ │ when a virus is found.
├──────────────┼──────────────────────────────
│ /CONTACTFILE │ Use this (or /CONTACT) to
│ │ tell users what to do when
│ │ a virus is found.
├──────────────┼──────────────────────────────
│ /IGNORE │ Use this (or /ONLY) to
│ │ skip virus-free drives.
├──────────────┼──────────────────────────────
│ /LOCK │ Use with /CONTACT or
│ │ /CONTACTFILE {filename}.
──────────────────┴──────────────┴──────────────────────────────
Using VirusScan (Version 2.2) 74
──────────────────┬──────────────┬──────────────────────────────
For network │ /NOREMOVE │ Prevents VShield from
environments │ │ being removed from memory.
(continued) ├──────────────┼──────────────────────────────
│ /ONLY │ Use this (or IGNORE) to check
│ │ only vulnerable drives.
├──────────────┼──────────────────────────────
│ /RECONNECT │ Required if network drivers
│ │ are loaded after VShield.
──────────────────┼──────────────┼──────────────────────────────
Faster │ /NOMEM │ Only use on a virus-free
performance │ │ computer.
any environment ├──────────────┼──────────────────────────────
│ /NOWARMBOOT │ Omits checking the boot
│ │ sector after a warm boot.
──────────────────┼──────────────┼──────────────────────────────
Manage memory, │ /NOEMS │ Use when other programs need
any environment │ │ exclusive use of EMS memory.
├──────────────┼──────────────────────────────
│ /NOUMB │ Use when other programs need
│ │ exclusive use of UMB memory.
├──────────────┼──────────────────────────────
│ /NOXMS │ Use when other programs need
│ │ exclusive use of XMS memory.
├──────────────┼──────────────────────────────
│ /NOREMOVE │ Use to ensure that VShield
│ │ remains in memory.
├──────────────┼──────────────────────────────
│ /REMOVE │ May temporarily solve memory
│ │ conflicts.
├──────────────┼──────────────────────────────
│ /SWAP │ Use in environments with very
│ │ limited memory.
══════════════════╧══════════════╧══════════════════════════════
Using VirusScan (Version 2.2) 75
EXAMPLES
The following examples show different option
settings:
vshield
Activates VShield (Level II protection).
vshield /cv
Activates VShield (Level III protection), if you
have previously run SCAN /AV.
vshield /certify /cf c:\valcodes.dat
Activates VShield (Level IV protection) and
checks a recovery and validation data file
created when running Scan with the /AF option.
vshield /swap
Activates VShield kernel in memory and swaps
from the directory in which VShield resides.
vshield /cv /exclude c:\excption.lst /contact
"Call the PC Help Desk!"
Activates VShield (Level III protection),
ignores checking files in the EXCPTION.LST
files, and displays a message if a virus is
found.
vshield /reconnect
Re-enables VShield after it has been disconnected
by network device drivers.
Using VirusScan (Version 2.2) 76
ERROR LEVELS
When VShield loads, it sets the DOS ERRORLEVEL.
You can use the returned ERRORLEVEL in
AUTOEXEC.BAT or other batch files to take
different actions based on whether VShield has
loaded in memory. See your DOS manual for more
information.
VShield returns these ERRORLEVELs:
ERRORLEVEL/Description
0 VShield successfully loaded in memory with all
options operational.
9 VShield not loaded correctly. Abnormal termination
(program error).
VShield alerts you to problems by beeping once
for system errors, twice for validation errors
(/CF or /CF checking), or three times if a virus
is found.
Using VirusScan (Version 2.2) 77
USING VSHIELDCRC
For Level I protection on systems with limited
memory, use VShieldCRC instead of VShield.
VShieldCRC is a separate program that consumes
little system overhead, but is not recommended
for normal use because it provides only minimal
protection. VShieldCRC can inform you that you
have been infected with a virus, but it does not
check for virus signatures nor does it prevent
infection.
To use VShieldCRC, first use Scan with the /AF
or /AV option. VShieldCRC checks the validation
codes added by Scan. It also checks the master
boot record (MBR) and boot sector validation
codes, if present. See Chapter 3 for
instructions on using Scan.
To load VShieldCRC with options, use the
following syntax:
vshldcrc [options]
[options] include the options listed in the
table "VShieldCRC option summary" later in this
chapter. For more information on all options
except /LOGFILE, see "VShield option
descriptions" earlier in this chapter.
EXAMPLES
vshldcrc
Activates VShieldCRC (Level I protection).
vshldcrc /cf valcodes.dat
Activates VShieldCRC and checks validation data
stored in VALCODES.DAT, a file that was created
using Scan with the /AF option.
Using VirusScan (Version 2.2) 78
VSHIELDCRC OPTION SUMMARY
/? or /HELP
Display a list of valid VShieldCRC command line options.
/CERTIFY
Prevent files without validation codes from running.
/CF {filename}
Check for viruses using recovery and validation data
stored by Scan /AF in the specified {filename}.
/CONTACT {message}
Display specified message when a virus is found.
/CONTACTFILE {filename}
Display message stored in specified {filename}
when a virus is found.
/CV
Check validation codes added to files by Scan.
/EXCLUDE {filename}
Don't check files listed in {filename} for
validation codes (used with /CV).
/FILEACCESS
Scan only validated executable files when accessed, but don't
check boot sector. Prevent infected programs from running.
/IGNORE {drive(s)}
Don't check programs loaded from specified drive(s).
/LOCK
Halt the system when a file that is not certified
attempts to load and execute.
/LOGFILE {filename}
Write error information to {filename}.
/NOREMOVE
Prevent VShieldCRC from being removed from memory
with a subsequent VShieldCRC command using /REMOVE.
/NOUMB
Prevent VShieldCRC from using upper memory blocks (UMB)
when it loads.
/ONLY {drive(s)}
Check programs loaded only from the specified drive(s).
/REMOVE
Unload VShieldCRC from memory.
Using VirusScan (Version 2.2) 79
USING CHECKVSHIELD
CheckVShield allows network administrators to
make sure that workstations are running VShield
or VShieldCRC before users can log onto a
network. See "Technical note 2: Sample NetWare
login script and .BAT file" later in this
chapter for a sample Novell NetWare login script
using CheckVShield.
To load CheckVShield with options, use the
following syntax:
chkvshld [option(s)]
[option(s)] include:
/? and /HELP
Display a list of valid CheckVShield command line
options.
/DEBUG
Displays the version of VShield or VShieldCRC resident
in memory and the DOS ERRORLEVEL on the screen.
/QUIET
Suppresses CheckVShield messages (quiet mode) so
users don't see the messages.
/V "xxxxx"
Tells CheckVShield to look for a specific version
(2.00 or higher) of VShield or VShieldCRC in memory.
For example, /v "2.00" for VShield 2.00.
EXAMPLE
chkvshld /quiet
Checks for VShield or VShieldCRC in memory and
suppresses messages.
Using VirusScan (Version 2.2) 80
ERROR LEVELS
When CheckVShield runs, it sets the DOS
ERRORLEVEL. Use the ERRORLEVEL in batch files to
take different actions based on the results of
CheckVShield's check. The ERRORLEVELs returned
by CheckVShield are:
ERRORLEVEL/Description
0 VShield or VShieldCRC is resident or, if /V is
used, the version specified is resident in memory.
1 VShield or VShieldCRC is resident but does not
match the version specified in the /V option.
2 VShield or VShieldCRC is not resident in
memory.
3 Abnormal termination (program error).
Using VirusScan (Version 2.2) 81
TECHNICAL NOTE 1:
CREATING AN EXCEPTION LIST FOR THE /EXCLUDE OPTION
VShield /CERTIFY permits a file to load only if:
o It has been validated by Scan, or
o It appears in the exception list file
specified with the /EXCLUDE option, used in
conjunction with /CV.
If you do not validate any files and do not use
an exception list, /CERTIFY will disable all
programs other than DOS internal commands.
The exception list file is an ASCII or DOS text
file containing up to 1,024 characters. If you
use a word processor to create it, be sure to
save the file as ASCII or DOS Text. Each line in
the file contains the path and filename of one
file that should not be validated. Here is an
example:
c:\clipper\bin\clipper.exe
c:\123\123.com
c:\fox\foxprolx.exe
c:\dos\setver.exe
c:\pkware\pklite.exe
c:\pkware\pkzip.exe
c:\pkware\pkunzip.exe
c:\semware\q.exe
c:\swapvol.com
c:\norton\ncache.exe
c:\wordstar\ws.exe
Using VirusScan (Version 2.2) 82
TECHNICAL NOTE 2
SAMPLE NETWARE LOGIN SCRIPT AND .BAT FILE
Here is a sample system login script for use by
Novell NetWare system administrators. The login
script gets the ERRORLEVEL from CheckVShield and
displays messages on the user's screen. If
VShield is not loaded correctly, there is an
internal error with CheckVShield, either VShield
or VShieldCRC is not installed, or an older
version of VShield is present, the script exits
the user to a NOLOGIN.BAT file that logs him or
her out.
#REM REPLACE "XXX" WITH CURRENT VERSION NUMBER
CHKVSHLD /V "VXXX"
IF ERROR_LEVEL = "3" THEN
FIRE PHASERS 5 TIMES
WRITE "A CHKVSHLD internal error has occurred."
WRITE "Please contact the Help Desk."
#COMMAND /C NOLOGIN.BAT
EXIT
ELSE
IF ERROR_LEVEL = "2" THEN
FIRE PHASERS 5 TIMES
WRITE "VShield has not been installed on your PC."
WRITE "Access Denied. Please contact the Help Desk."
#COMMAND /C NOLOGIN.BAT
EXIT
ELSE
IF ERROR_LEVEL = "1" THEN
FIRE PHASERS 5 TIMES
WRITE "An old version of VShield has been installed."
WRITE "Access to the network has been denied. Please"
WRITE "contact the Help Desk to have a new version"
WRITE "installed."
#COMMAND /C NOLOGIN.BAT
EXIT
END
END
END
You can create more complex login scripts to
send a message to the supervisor if an error has
occurred, update the user's VSHIELD.EXE as he or
she logs in to the network, and so forth.
Here is a sample of the NOLOGIN.BAT file called
by the login script.
ECHO OFF
REM Log the user off of the network
LOGOUT
Using VirusScan (Version 2.2) 83
CHAPTER 5: TIPS & TROUBLESHOOTING
The other chapters in this manual are meant to
tell you clearly and concisely how to use the
VirusScan software. Still, you may have
questions or encounter confusing situations.
This chapter contains two kinds of advice:
o Tips for getting the most out of VirusScan.
o Common problems and how to solve or avoid
them.
If this information doesn't help resolve your
question or problem, contact McAfee (see
"Technical support" in Chapter 1).
TIPS
DETECTING NEW AND UNKNOWN VIRUSES
There are two ways of dealing with new and
unknown viruses that may infect your system:
o Update VirusScan regularly.
o Store and check validation and recovery
information about your files.
UPDATE VIRUSSCAN REGULARLY
Most likely, McAfee will see new viruses long
before you do. We update the VirusScan programs
often--usually monthly, but more often if many
new viruses have appeared. Each new version may
detect and eradicate as many as 60 to 100 new
viruses or more, and may fix bugs that have been
reported.
Updating VirusScan regularly is probably all you
need to do to protect against new viruses. See
the instructions for obtaining new versions in
"Updating VirusScan regularly" in Chapter 2.
Using VirusScan (Version 2.2) 84
USE THE VALIDATION AND RECOVERY OPTIONS
If your environment is highly vulnerable to
viruses, or you require unusual security against
them, you can use VirusScan's validation and
recovery options. Scan checks for new or unknown
viruses by comparing files against previously
recorded validation data. If a file has been
modified, it no longer matches the validation
data, and Scan reports that the file may have
become infected. Scan has two levels of
validation, which are stored in two separate
ways:
o It can store the enhanced code in a separate
recovery file, which can be stored off-line
(for example, on a diskette) for recovery
purposes (/AF, /CF, and /RF switches). This
is the preferred method because it stores the
data for files (but not the boot sector or the
master boot record) in a separate recovery file.
o It can append a simple 98-byte validation code
to .COM and .EXE files (/AV, /CV, and /RV
switches). This method applies to the files
you specified only. It does not store data
for the boot sector and master boot record (MBR).
Once the validation codes are stored, both Scan
and VShield can use the /CV and /CF options to
detect changes to the files. More importantly,
if you have stored the recovery information with
/AF, Scan can use it to restore infected files.
All of these options require continuing effort
to store and maintain the codes. For example, if
you install new programs or upgrade old ones,
you should use the /RV or /RF options to remove
all codes, then /AV or /AF to restore them.
If you want to use one of these methods, which
should you use? We recommend the "F"
options--/AF, /CF, and /RF--over the "V" options.
/AF stores the validation and recovery
information in a separate file, instead of
modifying the program files themselves. This has
three advantages:
Using VirusScan (Version 2.2) 85
o You can store the recovery file off-line (on
your clean anti-viral startup diskette, for
example, or on a network drive or tape drive)
and access it on demand to check for, and
recover from, infection by unknown viruses.
Use the procedure below to create a recovery
diskette.
o This method keeps self-checking files (usually
copy-protected programs) from reporting that
they have been tampered with.
o If you use this method, you don't need an
exception list. However, it's important that
you run Scan with the /RF option on
individual self-modifying files, such as
Lotus 1-2-3, to remove the validation codes
for those programs from the validation file.
The "V" options are primarily useful for
companies that distribute software to their
customers or employees, and want to incorporate
an additional level of virus protection.
Creating a recovery diskette To store the
recovery file on the clean startup diskette you
created in "Making a clean start-up diskette" in
Chapter 2, temporarily remove write-protection
from the diskette and insert it in drive A. Run
Scan on your hard disks with the /AF option. For
example:
scan /adl /af a:\scancrc.crc
scans the local hard disk drives for known
viruses and creates SCANCRC.CRC, a file
containing recovery data and validation codes,
on the diskette. After Scan finishes, write-
protect the diskette.
To check for virus infection, turn your computer
off, insert the recovery diskette in drive A,
and turn the power back on. The PC will now
start from the diskette. At the DOS prompt,
type:
scan /adl /cf a:\scancrc.crc
to compare the local hard disk drives against
the recovery data stored on the diskette in the
SCANCRC.CRC file.
Using VirusScan (Version 2.2) 86
If you detect an unknown virus, to disinfect
your system, turn your PC off, insert the
recovery diskette, and turn the power back on.
The PC will start from the floppy disk. At the
DOS prompt, type:
scan /adl /cf a:\scancrc.crc /clean
to restore local hard disk drives with the
recovery data stored in SCANCRC.CRC on the
diskette.
If you install new software, or upgrade your DOS
version, remember to update your recovery file.
See "Application note 1: Updating validation
codes" in Chapter 3.
Using VirusScan (Version 2.2) 87
INTERACTING WITH YOUR NETWORK
Many personal computers are interconnected
through a local area network (LAN). VirusScan is
highly compatible with most networks. Here are
some ways of using the VirusScan software with
your network:
o Run Scan on network drives Run from a
workstation (PC) on the network, Scan checks
network drives for viruses just as it does local
drives. For convenience, the /ADN option scans
all network drives to which the workstation is
connected.
o Use VShield and CheckVShield By activating
VShield as part of every workstation's
AUTOEXEC.BAT file, you can prevent the
workstations from introducing viruses into the
network. Network administrators can ensure that
VShield is active on each workstation by running
CheckVShield as part of the network login script,
before actual login.
o Use NetShield provides continuous virus
protection on a NetWare server. NetWare network
administrators can use it to check for both
known and unknown viruses and to monitor all
network activities. On other kinds of networks,
you can use Scan to check network servers.
o Develop a network security program, as described
in the next tip.
Using VirusScan (Version 2.2) 88
DEVELOP A SECURITY PROGRAM
VirusScan has been shown to be an effective
virus-preventive measure when used in a
conscientiously applied program of network
security and regular professional care.
VirusScan is one important element of a
comprehensive computing security program that
includes a variety of safety measures, such as
regular backups, meaningful password protection,
user training, and awareness. Even with
VirusScan, some viruses--not to mention theft or
fire--can render a disk unrecoverable without a
recent backup. Although outlining such a
security program is beyond the scope of this
manual, see "Other sources of information" in
Chapter 1 for suggestions.
If you are a network administrator, we urge you
to implement a security program to safeguard
your organization's data and productivity. If
you are a network user, please support and
comply with such a program.
TROUBLESHOOTING
GENERAL ABNORMALITIES
Using VirusScan with other anti-virus software
When you run more than one anti-virus program,
you risk strange results and false alarms. For
example, some anti-virus programs store their
"virus signature strings" unprotected in memory.
Running VirusScan may "detect" them falsely as a
virus.
TSR CONFLICTS
Some "terminate-and-stay-resident" (TSR)
software may conflict with VirusScan programs,
especially VShield (which is itself a TSR). To
check whether this is the problem, "comment out"
the other TSR files in your AUTOEXEC.BAT file
and restart your system. If the errors
disappear, the TSR conflict caused them.
Using VirusScan (Version 2.2) 89
SLOW DISK ACCESS, PROGRAM LOCKS
Running VShield will slow your system slightly
as described in Chapter 4, especially if you use
either the /ANYACCESS or /SWAP options. If you
experience very slow disk access, or if programs
lock or freeze while using Windows 3.1, you may
be using a disk cache program that interferes
with program operation, or you may need to
increase the number of BUFFERS in your
CONFIG.SYS file.
Using VirusScan (Version 2.2) 90
TROUBLESHOOTING SCAN
FALSE ALARMS
Scan may incorrectly report viruses in the boot
sector or master boot record (MBR) of certain
copy-protected diskettes. Contact technical
support if you're unsure (see "Technical
support" in Chapter 1).
TROUBLESHOOTING VSHIELD
PROGRAM LOCKS WITH /SWAP
When VShield is running with the /SWAP option,
certain programs may lock up the computer. These
programs may use memory without allocating it
first, including older versions Lotus 1-2-3,
pfs:Write and Professional Write, OfficeWrite,
and DisplayWrite4. To correct, restart your
computer and run VShield without the /SWAP
option.
UNABLE TO REMOVE VSHIELD
If the /REMOVE option doesn't successfully
remove VShield from memory, you have probably
loaded other terminate-and-stay-resident (TSR)
programs after VShield. VShield can't be removed
until the other TSRs are removed. If you need to
unload VShield often, load it last.
Using VirusScan (Version 2.2) 91
APPENDIX A:
RETRIEVING MCAFEE PROGRAMS WITH COMMUNICATIONS SOFTWARE
You can use your communications software to dial
up the McAfee bulletin board system (BBS) and
retrieve (download) McAfee software by following
these steps.
DIAL UP
o The McAfee BBS phone number is (408) 988-4004.
o The BBS operates at up to 28,800 bps (baud).
Set your communications parameters to 8 data
bits, 1 stop bit, no parity, and your
terminal emulation to ANSI or TTY.
o The BBS is Bell- and ITU- (formerly CCITT)
compatible.
LOG ON
After receiving the CONNECT message from your
modem, enter your name, geographic location, and
password.
To retrieve VirusScan programs, type
guest (for first name)
user (for last name)
Or, if you want personal answers or feedback,
create your own account by entering your first
and last name and a password. Passwords should
be 3-8 characters long and are case-sensitive.
THE MAIN MENU
Here are some of the important functions on the
main menu:
F File transfer area (download McAfee updates)
M Message area (read and write messages in all
sections and e-mail)
G Goodbye (hang up and leave the BBS)
Using VirusScan (Version 2.2) 92
DOWNLOADING MCAFEE PROGRAMS
1. Select F from the Main Menu to go to the File
transfer area. This is the area from which
you can download McAfee programs.
2. Select 1 for the McAfee Antivirus Files. A
sorted directory listing of files available
for download will be displayed.
3. Type D for download, then type in the filename
as found in the directory.
4. The BBS will prompt you to select a protocol.
If possible, use an error-correcting protocol
such as ZMODEM, YMODEM or XMODEM.
5. You'll see the message Awaiting start signal.
Tell your software to receive files. With
PROCOMM for DOS or TELIX, press the [Page
Down] key, with BITCOM, press the [F2] key.
For other communications programs, check your
manual.
6. Your software will prompt you to select a
protocol and file name to receive the file.
Select the same protocol and name.
UNPACKING YOUR FILES
Once you have downloaded software, you
need to unpack the downloaded files
before you can use them for virus detection.
ABOUT COMPRESSED FILES
Compressed files take less space on the
disk and require less time to transfer
electronically. McAfee uses a shareware
program, PKZIP (produced by PKWare of
Brown Deer, WI, and not a McAfee
product), to compress updated software.
PKUNZIP (also from PKWare) is the
utility used to decompress file
previously compressed with PKZIP. Once a
file is decompressed, it can be used normally.
Using VirusScan (Version 2.2) 93
Note: Since McAfee's products are
zipped using PKZIP version 2.04g, you
must also have version 2.04g. This is
available on our BBS in area one (1) as
PKZ204.EXE. This is a self-extracting
zip file. Simply download the file and,
at the DOS prompt, run it by typing
PKZ204 and pressing ENTER. It self-
extracts several files, including PKUNZIP.EXE.
HOW TO UNPACK
Once you have downloaded the McAfee
software, quit to DOS, and change to the
directory where you downloaded the
software to. (If you used QMODEM,
TELIX, PROCOMM or CROSSTALK it will be
in that directory, or a subdirectory of
it usually named DOWNLOAD). If you used
Windows Terminal, this may be the
Windows directory). Then, enter the
following command:
PKUNZIP zipfile destination
where
o zipfile is the name of the file you downloaded.
o destination is the target directory to store
the McAfee software.
For example,
PKUNZIP SCN216.ZIP C:\MCAFEE
unpacks the SCN216.ZIP file and stores
it in the C:\MCAFEE directory.
o If you are updating an older version
of McAfee software, you may get a
message similar to the following example
while decompressing:
PKUNZIP: (W18) Warning! AGENTS.TXT
already exists. Overwrite (y/n/a/r)?
If this happens, type A for ALL and
press ENTER. PKUNZIP will replace all
files with the updated versions
contained in the zip file.
Using VirusScan (Version 2.2) 94
o The last lines after all of the files
are decompressed should be similar to:
Authentic files Verified! #FZW807
McAFEE Inc.
If you do not see this message, you
might have files that have been tampered
with. Be sure that you obtain them
from a valid source before using them.
o If you run VSHIELD after updating,
you might get the following message:
WARNING: VSHIELD data file has been damaged.
This occurs because VSHIELD continually
accesses its data file and it has
detected a change. Simply restart your
machine. VSHIELD will load with the new version.
IF YOU ARE INSTALLING SOFTWARE FOR WINDOWS
If you downloaded WScan or VShield for
the first time, you need to perform
several additional configuration steps
to complete your installation. You can
skip this section if you are not running
VirusScan under Windows.
INSTALLING WSCAN
For WScan, you need to add the icon to
your McAfee program group.
1. Create a McAfee program group, if one
does not already exist. In the Windows
Program Manager, choose File | New. In
the New Program Object dialog box, select
Program Group and choose OK. Enter a
description (such as "McAfee") and a group
filename (such as MCAFEE.GRP).
If a McAfee program group already
exists, select it.
2. Create the WScan icon. In the Windows
Program Manager, choose File | New. In
the New Program Object dialog box, select
Program Item and choose OK. Click Browse,
locate the WSCAN.EXE file in the McAfee
software directory, then double-click it.
Choose OK to add the icon.
Using VirusScan (Version 2.2) 95
3. Double-click the icon to verify that it works.
Note: You do not need to make any changes to
the WIN.INI file because WScan stores its startup
settings in WSCAN.INI.
INSTALLING VSHIELD UNDER WINDOWS
The VSHLDWIN.EXE program allows VShield
to display warning messages in a Windows
message dialog box. For VShield, you
need to add the VShield icon to the
McAfee program group and modify WIN.INI
so that VSHLDWIN.EXE loads automatically
when you start Windows.
1. Within Windows, use the File Manager
to locate the VSHINST.EXE program in
your McAfee software directory and
double-click it. The program creates
a McAfee program group (if one does
not already exist) and adds the icon
for VSHLDWIN.EXE.
2. Edit your WIN.INI file using any ASCII
text editor. Add the following line to
the [windows] section of your WIN.INI file:
run=VSHLDWIN.EXE
Restart Windows for your changes to take effect.
UPDATING YOUR AUTOEXEC.BAT FILE
Finally, you might need to edit the
AUTOEXEC.BAT file to:
o Automatically load VShield. For more
information, see "Running Vshield" in Chapter 5.
o Add the McAfee software directory to
your PATH statement.
Restart your system for the changes to take effect.
Using VirusScan (Version 2.2) 96
APPENDIX B:
OPTIONS COMPARISON BETWEEN VIRUSSCAN VERSIONS 1.5 AND 2.1.1
COMPARISON OF SCAN VERSIONS 1.5 and 2.1.1
Scan │ Scan │
Version 1.5 │ Version 2.1.1 │ Option Description
═══════════════╪══════════════╪══════════════════════════
/? /H or │ /? or /HELP │ Display help screen.
/HELP │ │
───────────────┼──────────────┼──────────────────────────
/A │ /ALL │ Scan all files,
│ │ including data files.
───────────────┼──────────────┼──────────────────────────
/AD{x} │ /AD{x} │ Scan all drives
│ │ {L=Local, N=Network}.
│ │ Leave blank for both
│ │ (version 1.5 only).
───────────────┼──────────────┼──────────────────────────
/AF │ /AF │ Store
{filename} │ {filename} │ validation/recovery
│ │ codes in {filename}.
───────────────┼──────────────┼──────────────────────────
/AG │ │ Add recovery/validation
{filename} │ │ data to files except
│ │ those listed in {filename}.
───────────────┼──────────────┼──────────────────────────
/AV │ /AV │ Add validation/recovery
{filename} │ │ data to program files.
│ │ Exclude those listed in
│ │ {filename} (version 1.5
│ │ only); exclude those
│ │ listed in /EXCLUDE
│ │ option (version 2.1.1 only).
───────────────┼──────────────┼──────────────────────────
/BELL │ default │ Beep whenever a virus
│ │ is found.
───────────────┼──────────────┼──────────────────────────
/BMP │ default │ Scan OS/2 Boot Manager
│ │ partition only.
───────────────┼──────────────┼──────────────────────────
│ /BOOT │ Scan master boot record
│ │ and boot sector only.
───────────────┼──────────────┼──────────────────────────
/CERTIFY │ │ List files not having a
│ │ validation code.
───────────────┼──────────────┼──────────────────────────
/CF │ /CF │ Check
{filename} │ {filename} │ validation/recovery
│ │ codes in {filename}.
───────────────┼──────────────┼──────────────────────────
Using VirusScan (Version 2.2) 97
VERSION COMPARISON OF SCAN OPTIONS (continued)
Scan │ Scan │
Version 1.5 │ Version 2.1.1 │ Option Description
═══════════════╪══════════════╪══════════════════════════
/CG │ │ Check
│ │ recovery/validation
│ │ data in files.
───────────────┼──────────────┼──────────────────────────
/CHKHI │ │ Check memory from 0Kb
│ │ to 1,088Kb (not
│ │ applicable to OS/2).
───────────────┼──────────────┼──────────────────────────
(CLEAN.EXE) │ /CLEAN │ Clean up infections in
│ │ master boot records,
│ │ boot sectors, and files
│ │ when possible.
───────────────┼──────────────┼──────────────────────────
/CV │ /CV │ Check
│ │ validation/recovery
│ │ data in files.
───────────────┼──────────────┼──────────────────────────
/D │ /DEL │ Overwrite and delete
│ │ infected files.
│ │ Save date and time
│ │ VirusScan was last run
│ │ in SCAN.LOG.
───────────────┼──────────────┼──────────────────────────
/DATE │ /LOG │ Save date and time
│ │ VirusScan was last run.
│ │ Save in SCAN.LOG file
│ │ (version 2.1.1 only).
───────────────┼──────────────┼──────────────────────────
│ /EXCLUDE │ Exclude from scan any
│ {filename} │ files listed in
│ │ {filename}. Typically
│ │ used in conjunction
│ │ with the /AV option.
───────────────┼──────────────┼──────────────────────────
EXT │ │ Scan using external
{filename} │ │ virus information from
│ │ {filename}.
───────────────┼──────────────┼──────────────────────────
/FAST │ /FAST │ Speed up VirusScan's
│ │ scanning; may detect
│ │ fewer viruses.
───────────────┼──────────────┼──────────────────────────
/HISTORY │ /APPEND │ Append Scan report to
{filename} │ │ {filename} (version 1.5).
│ │ Append to, rather than
│ │ overwrite, the report
│ │ file (/REPORT, version 2.1.1)
Using VirusScan (Version 2.2) 98
VERSION COMPARISON OF SCAN OPTIONS (continued)
Scan │ Scan │
Version 1.5 │ Version 2.1.1 │ Option Description
═══════════════╪══════════════╪══════════════════════════
/M │ │ Scan memory for all
│ │ viruses (not applicable
│ │ to OS/2).
───────────────┼──────────────┼──────────────────────────
/MANY │ /MANY │ Scan multiple floppy
│ │ disks (diskettes).
───────────────┼──────────────┼──────────────────────────
│ /MOVE │ Move infected files to
│ {directory} │ directory.
───────────────┼──────────────┼──────────────────────────
/NLZ │ /NOCOMP │ Skip internal scan of
│ │ LZEXE compressed files.
───────────────┼──────────────┼──────────────────────────
/NOBREAK │ /NOBREAK │ Disable Ctrl-C and
│ │ Ctrl-Break during scan.
───────────────┼──────────────┼──────────────────────────
/NOEXPIRE │ │ Do not display
│ │ expiration notice.
───────────────┼──────────────┼──────────────────────────
/NOMEM │ /NOMEM │ Skip memory checking
│ │ (not applicable to OS/2).
───────────────┼──────────────┼──────────────────────────
/NOPAUSE │ /PAUSE │ Disable screen pause
│ │ (version 1.5 only).
│ │ Enable screen pause
│ │ (version 2.1.1 only).
───────────────┼──────────────┼──────────────────────────
/NPKL │ /NOCOMP │ Skip internal scan of
│ │ PKLITE compressed files.
───────────────┼──────────────┼──────────────────────────
│ /PLAD │ Preserve Last-Access
│ │ date of scanned files
│ │ on Novell drives.
───────────────┼──────────────┼──────────────────────────
/REPORT │ /REPORT │ Create report of
{filename} │ {filename} │ infected files found
│ │ during scan in {filename}.
───────────────┼──────────────┼──────────────────────────
/RF │ /RF │ Remove
{filename} │ {filename} │ validation/recovery
│ │ codes in {filename}.
───────────────┼──────────────┼──────────────────────────
/RG │ /RG │ Remove
│ │ recovery/validation
│ │ data from files.
Using VirusScan (Version 2.2) 99
VERSION COMPARISON OF SCAN OPTIONS (continued)
Scan │ Scan │
Version 1.5 │ Version 2.1.1 │ Option Description
═══════════════╪══════════════╪══════════════════════════
│ /RPTCOR │ Add list of corrupted
│ │ files to the report
│ │ file (/REPORT).
───────────────┼──────────────┼──────────────────────────
│ /RPTERR │ Add list of system
│ │ errors to the report
│ │ file (/REPORT).
───────────────┼──────────────┼──────────────────────────
│ /RPTMOD │ Add list of modified
│ │ files to the report
│ │ file (/REPORT).
───────────────┼──────────────┼──────────────────────────
/RV │ /RV │ Remove
│ │ validation/recovery
│ │ data from files.
───────────────┼──────────────┼──────────────────────────
/SAVE │ /SAVE │ Save specified options
│ │ as new defaults (not
│ │ available in Windows).
───────────────┼──────────────┼──────────────────────────
/SHOWDATE │ /SHOWLOG │ Show date and time of
│ │ last scan (version 1.5
│ │ only). Display
│ │ information in SCAN.LOG
│ │ (version 2.1.1 only)
───────────────┼──────────────┼──────────────────────────
/SUB │ /SUB │ Scan subdirectories
│ │ inside a directory.
───────────────┼──────────────┼──────────────────────────
│ /VIRLIST │ Display list of viruses
│ │ detected by VirusScan.
───────────────┼──────────────┼──────────────────────────
@{filename} │ /LOAD │ Use Scan settings
│ {filename} │ stored in {filename}.
│ │
Using VirusScan (Version 2.2) 100
COMPARISON OF VSHIELD VERSIONS 1.5 and 2.1.1
VShield │ VShield │
Version 1.5 │ Version 2.1.1 │ Option Description
═══════════════╪══════════════╪══════════════════════════
/? or /HELP │ /? or /HELP │ Display a list of valid
│ │ VShield command line
│ │ options.
───────────────┼──────────────┼──────────────────────────
/ACCESS │ │ Check for viruses when
│ │ files are opened and
│ │ diskettes are accessed.
───────────────┼──────────────┼──────────────────────────
│ /ANYACCESS │ Scan the diskette boot
│ │ sector for viruses
│ │ whenever a diskette is
│ │ accessed (including any
│ │ read and write
│ │ operations); scan .EXE,
│ │ .COM, .DLL, .OVL, .BIN,
│ │ and .SYS files whenever
│ │ the file is opened,
│ │ read, or updated; scan
│ │ .EXE and .COM files
│ │ upon execution; scan
│ │ any newly created file,
│ │ regardless of extension.
───────────────┼──────────────┼──────────────────────────
/BOOT │ /BOOTACCESS │ Scan the diskette boot
│ │ sector for viruses
│ │ whenever a diskette is
│ │ accessed (including any
│ │ read and write
│ │ operations); individual
│ │ files on a diskette are
│ │ not scanned when a
│ │ diskette is accessed.
───────────────┼──────────────┼──────────────────────────
/CERTIFY │ /CERTIFY │ Prevent files without
{filename} │ │ validation codes from
│ │ running. {filename} is
│ │ an optional exception
│ │ list (version 1.5 only)
───────────────┼──────────────┼──────────────────────────
/CF │ /CF │ Check for viruses using
{filename} │ {filename} │ validation and recovery
│ │ data stored by Scan /AF
│ │ in specified {filename}.
───────────────┼──────────────┼──────────────────────────
/CG │ │ Check for viruses using
{filename} │ │ validation and recovery
│ │ data stored by Scan /AG
│ │
Using VirusScan (Version 2.2) 101
VERSION COMPARISON OF VSHIELD OPTIONS (continued)
VShield │ VShield │
Version 1.5 │ Version 2.1.1 │ Option Description
═══════════════╪══════════════╪══════════════════════════
/CHKHI │ default │ Check memory from 0Kb-
│ │ 1088Kb when VShield loads.
───────────────┼──────────────┼──────────────────────────
/CONTACT │ /CONTACT │ Display specified
{message} │ {message} │ message when a virus is
│ │ found.
───────────────┼──────────────┼────────────────────────── found.
│ /CONTACTFILE │ Display message stored
│ {filename} │ in {filename} when a
│ │ virus is found.
───────────────┼──────────────┼──────────────────────────
/CV │ /CV │ Check validation codes
│ │ added to files by Scan.
───────────────┼──────────────┼──────────────────────────
│ /EXCLUDE │ Don't check files
│ {filename} │ listed in {filename} for
│ │ validation codes
│ │ (/CV option).
───────────────┼──────────────┼──────────────────────────
/F │ │ Use with /SWAP for DOS
{pathname} │ │ 2.0 systems ONLY.
───────────────┼──────────────┼──────────────────────────
│ /FILEACCESS │ Scan .EXE, .COM, .DLL,
│ │ .OVL, .BIN, and .SYS
│ │ files whenever the file
│ │ is opened, read, or
│ │ updated; scan .EXE and
│ │ .COM files upon
│ │ execution; the diskette
│ │ boot sector is not
│ │ checked when a diskette
│ │ is accessed.
───────────────┼──────────────┼──────────────────────────
/IGNORE │ /IGNORE │ Don't check programs
{drive(s)} │ {drive(s)} │ loaded from the
│ │ specified drive(s).
───────────────┼──────────────┼──────────────────────────
/LH │ │ Load VShield into upper
│ │ memory area.
───────────────┼──────────────┼──────────────────────────
/LOCK │ /LOCK │ Halt the system when a
│ │ file that is infected
│ │ or not certified loads
│ │ and attempts to execute.
Using VirusScan (Version 2.2) 102
VERSION COMPARISON OF VSHIELD OPTIONS (continued)
VShield │ VShield │
Version 1.5 │ Version 2.1.1 │ Option Description
═══════════════╪══════════════╪══════════════════════════
/M │ │ Scan base memory for
│ │ viruses when VShield loads.
───────────────┼──────────────┼──────────────────────────
/NB │ /NOWARMBOOT │ Disable boot sector
│ │ check during install
│ │ and reboot.
───────────────┼──────────────┼──────────────────────────
/NI6510 │ │ Fixes Racal Datacomm
│ │ NI6510 conflict.
───────────────┼──────────────┼──────────────────────────
/NOBREAK │ │ Prevent [Ctrl]+[C] /
│ │ [Ctrl]+[Break] from
│ │ working during install.
───────────────┼──────────────┼──────────────────────────
/NOCONT │ │ Prevent non-certified
│ │ programs from running.
───────────────┼──────────────┼──────────────────────────
/NODISK │ │ Turn off the boot
│ │ sector check when
│ │ VShield is loading.
───────────────┼──────────────┼──────────────────────────
/NOEMS │ /NOEMS │ Prevent VShield from
│ │ using expanded memory
│ │ (EMS) when it loads.
───────────────┼──────────────┼──────────────────────────
/NOFLOPPY │ │ Turn off the boot sector
│ │ check for floppy drives.
───────────────┼──────────────┼──────────────────────────
/NOMEM │ /NOMEM │ Do not check memory for
│ │ viruses upon running.
───────────────┼──────────────┼──────────────────────────
/NOREMOVE │ /NOREMOVE │ Prevent VShield from
│ │ being removed from
│ │ memory with the /REMOVE
│ │ switch.
───────────────┼──────────────┼──────────────────────────
│ /NOUMB │ Prevent VShield from
│ │ using upper memory
│ │ blocks (UMB) when it
│ │ loads.
───────────────┼──────────────┼──────────────────────────
│ /NOXMS │ Prevent VShield from
│ │ using extended memory
│ │ (XMS) when it loads.
Using VirusScan (Version 2.2) 103
VERSION COMPARISON OF VSHIELD OPTIONS (continued)
VShield │ VShield │
Version 1.5 │ Version 2.1.1 │ Option Description
═══════════════╪══════════════╪══════════════════════════
/ONLY │ /ONLY │ Check programs loaded
{drive(s)} │ {drive(s)} │ only from the specified
│ │ drive(s).
───────────────┼──────────────┼──────────────────────────
│ /POLY │ Check for polymorphic
│ │ viruses.
───────────────┼──────────────┼──────────────────────────
/RECONNECT │ /RECONNECT │ Restore VShield after
│ │ certain drivers or TSRs
│ │ have disabled it.
───────────────┼──────────────┼──────────────────────────
/REMOVE │ /REMOVE │ Unload VShield from
│ │ memory.
───────────────┼──────────────┼──────────────────────────
/SAVE │ /SAVE │ Save specified options
│ │ as new defaults
│ │ (version 1.5 only).
│ │ Save the command line
│ │ options to the VSHIELD.INI
│ │ file (version 2.1.1 only).
───────────────┼──────────────┼──────────────────────────
/SWAP │ /SWAP │ Load VShield kernel
[pathname] │ [pathname] │ only (5Kb in version
│ │ 1.5; 8Kb in version
│ │ 2.1.1); swap the rest
│ │ from pathname.
Using VirusScan (Version 2.2) 104
VERSION COMPARISON OF VSHIELD1/VSHIELDCRC OPTIONS
VShield1 │ VShieldCRC │
Version 1.5 │ Version 2.1.1 │ Option Description
═══════════════╪══════════════╪══════════════════════════
│ /? or /HELP │ Display a list of valid
│ │ VShieldCRC command line
│ │ options.
───────────────┼──────────────┼──────────────────────────
│ /CERTIFY │ Prevent files without
│ │ validation codes from
│ │ running.
───────────────┼──────────────┼──────────────────────────
│ /CF │ Check for viruses using
│ {filename} │ validation and recovery
│ │ data stored by Scan /AF
│ │ in specified {filename}.
───────────────┼──────────────┼──────────────────────────
│ /CONTACT │ Display specified message
│ {message} │ when a virus is found.
───────────────┼──────────────┼──────────────────────────
│ /CONTACTFILE │ Display message stored
│ {filename} │ in specified {filename}
│ │ when a virus is found.
───────────────┼──────────────┼──────────────────────────
│ /CV │ Check validation codes
│ │ added to files by Scan.
───────────────┼──────────────┼──────────────────────────
│ /EXCLUDE │ Don't check files
│ {filename} │ listed in {filename} for
│ │ validation codes (used
│ │ with /CV option).
───────────────┼──────────────┼──────────────────────────
│ /FILEACCESS │ Checks validated files
│ │ whenever the file is
│ │ accessed or executed.
│ │ Whenever a validated
│ │ .EXE, .COM, .DLL, .OVL,
│ │ .BIN, or .SYS file is
│ │ opened, read, or
│ │ updated, Scan checks
│ │ the accessed file.
│ │ Whenever a validated
│ │ .EXE or .COM file
│ │ executes, Scan checks
│ │ the file for viruses as
│ │ it loads and prevents
│ │ execution if the file
│ │ is infected.
Using VirusScan (Version 2.2) 105
VERSION COMPARISON OF VSHIELD1/VSHIELDCRC OPTIONS (continued)
VShield1 │ VShieldCRC │
Version 1.5 │ Version 2.1.1 │ Option Description
═══════════════╪══════════════╪══════════════════════════
│ /IGNORE │ Don't check programs
│ {drive(s)} │ loaded from specified
│ │ drive(s).
───────────────┼──────────────┼──────────────────────────
│ /LOCK │ Halt the system when a
│ │ file that is not
│ │ certified attempts to
│ │ load and execute.
───────────────┼──────────────┼──────────────────────────
│ /LOGFILE │ Write error information
│ {filename} │ to {filename}.
───────────────┼──────────────┼──────────────────────────
/NB │ │ Disable boot sector
│ │ checking during install
│ │ and reboot.
───────────────┼──────────────┼────────────────────────── and reboot.
│ /NOREMOVE │ Prevent VShieldCRC from
│ │ being removed from memory
│ │ with a subsequent VShieldCRC
│ │ command using /REMOVE.
───────────────┼──────────────┼──────────────────────────
│ /NOUMB │ Prevent VShieldCRC from
│ │ using upper memory
│ │ blocks (UMB) when it loads.
───────────────┼──────────────┼──────────────────────────
│ /ONLY │ Check programs loaded
│ {drive(s)} │ only from the specified
│ │ drive(s).
───────────────┼──────────────┼──────────────────────────
/REMOVE │ /REMOVE │ Unload VShieldCRC from
│ │ memory.
Using VirusScan (Version 2.2) 106
VIRUSCAN GLOSSARY
ARCHIVED FILE A file that has been archived
using either LZEXE or PKLITE, file compression
utilities.
BOOT To start a computer. The first step is to
load startup instructions from the boot ROM or
boot sector of a disk.
BIOS A read-only memory chip that contains the
coded instructions for the operating system to
start the computer. Always present in portable
computers, a BIOS (boot ROM) is not susceptible
to infection (unlike the boot sector on a disk).
However, it is harder to update.
BOOT SECTOR A portion of a disk that contains
the coded instructions for the operating system
to start the computer.
BOOT SECTOR INFECTIONS Contamination of the
boot sector by a virus. Particularly serious
because information in the boot sector is loaded
into memory first, before virus protection code
can be executed. The only certain way to
eliminate boot sector infections is to restart
from a disk known to be uninfected, then clean
up the infection.
CLEAN STARTUP DISKETTE A diskette known to be
uninfected, that contains the coded instructions
from which the computer can be started. See
Chapter 2 for instructions on preparing one.
COLD BOOT To start a computer from power-off
state.
COMPRESSED FILE A file (usually with a .ZIP
extension) that has been compressed using the
PKZIP file compression utility.
CONVENTIONAL MEMORY Up to 640Kb of main memory
in which DOS executes programs.
CORRUPTED FILE A file that has been damaged.
About 10% to 20% of viral infections involve
viruses that damage files beyond repair.
DETECTION Scanning memory and disks for
telltale marks or changes indicating that a
virus might be present.
Using VirusScan (Version 2.2) 107
DISINFECT To eradicate a virus so that it can
no longer spread or cause damage to a system.
EXCEPTION LIST List of files to which
validation codes should not be added because
they are immunized against viruses or contain
self-modifying code. Scans /AV option uses the
list to avoid adding codes to inappropriate
files; VShield's /CERTIFY option can use it to
allow certain unvalidated files to be run.
EXECUTABLE (FILE) A file containing coded
instructions to be executed by the computer.
Executable files include programs and overlays.
EXPANDED MEMORY Memory above the DOS 640Kb
limit of conventional memory that is accessed by
memory paging. You need special software,
conforming to an expanded memory specification,
to take advantage of expanded memory.
EXTENDED MEMORY Linear memory above the DOS
640Kb limit of conventional memory. Often used
for RAM disks and print spoolers.
FALSE ALARM Detecting a virus when none is
present.
INFECTED FILE A file contaminated by a virus.
MASTER BOOT RECORD (MBR) A portion of a hard
disk that contains a partition table that
divides the drive into chunks, some of which may
be assigned to operating systems other than DOS.
MEMORY A storage medium where data or program
code are kept temporarily while being used by
the computer. DOS supports up to 640Kb of
conventional memory. Beyond that limit may be
accessed as expanded memory, extended memory, or
an upper memory block (UMB).
MEMORY INFECTION Contamination of memory by a
virus. The only certain way to eliminate memory
infections is to restart from a disk known to be
uninfected, then clean up the source of
infection.
MODIFIED FILE A file that has changed after
validation/recovery codes have been added.
Using VirusScan (Version 2.2) 108
OVERLAY INFECTION Virus contamination of a file
containing auxiliary program code that is loaded
by the main program.
PARTITION TABLE See MASTER BOOT RECORD.
POLYMORPHIC VIRUS A virus that attempts to
evade detection by changing its internal
structure or its encryption techniques.
PROGRAM Software that performs a defined
function on a computer. See executable.
READ OPERATION Any operation in which
information is read from a disk. DOS commands
that perform read operations include dir
(directory listing), type (display contents of a
file), and copy (copy files). See also write
operation.
RECOVERY CODES Information that Scan records
about an executable file in order to recover if
it is infected by a virus. See also validation
codes.
SELF-MODIFYING PROGRAM Software that
deliberately changes its own program file, often
to protect against viruses or illegal copying,
and is therefore difficult to validate in
conventional ways.
STANDARD EXTENSIONS Filename extensions
(suffixes) that signify executable files--.EXE,
.COM, .SYS, .DLL, .BIN, and .OVL--which Scan
checks by default.
SYSTEM ERRORS Errors that can prevent Scan from
completing its job successfully. System error
conditions include disk format errors (such as
unformatted disks), media errors (bad sectors),
file system errors (unreadable files), network
errors (unable to log in), file access errors
(access permission denied), device access errors
(printer out of paper), and report failures.
TERMINATE-AND-STAY-RESIDENT (TSR) A program,
like VShield, that remains active in memory
while you run other programs.
TURBO A scanning option that is faster than
normal but less comprehensive (because it checks
a smaller portion of each file).
Using VirusScan (Version 2.2) 109
UNKNOWN VIRUS A virus not yet identified and
listed in SCAN.DAT. VirusScan can detect unknown
viruses by observing changes in files that could
result from infection.
UPPER MEMORY BLOCK (UMB) Memory in the range
640-1024Kb, just above the DOS 640Kb limit of
conventional memory.
VALIDATE To check that a file is authentic and
has not been altered. Most validation methods
rely on computing a statistic based on all the
data in the file, which is unlikely to remain
constant if the file itself is changed.
VALIDATION CODES Information that Scan records
about an executable file in order to detect
subsequent infection by a virus. See also
recovery codes.
VIRUS A software program that attaches itself
to another program in computer memory or on a
disk, and spreads from one program to another.
Viruses may damage data, cause the computer to
crash, display messages, or lie dormant.
WARM BOOT To restart (reset) a running
computer, in DOS by pressing [Ctrl]+[Alt]+[Del].
WRITE OPERATION Any operation in which
information is recorded on a disk. Commands that
perform write operations include those that
save, move, and copy files. Most write
operations are also read operations because the
system verifies that the data have been written
correctly. See also read operation.
WRITE PROTECTION A mechanism to protect files
or disks from being changed. A 3.5" diskette may be
write-protected by sliding its corner tab so that
the square hole is open; a 5.25" diskette by covering
its corner notch with a write-protect tab. A file
may be write-protected by changing its system attributes.