What's New in VirusScan for Windows NT v3.0.0 (3000)
Copyright 1994-1997 by McAfee, Inc.
All Rights Reserved.

Thank you for using McAfee's VirusScan for Windows NT. This What's New file contains important information regarding the current version of this product. It is highly recommended that you read the entire document.

McAfee welcomes your comments and suggestions. Please use the information provided in this file to contact us.

___________________
WHAT'S IN THIS FILE

- New Features
- Known Issues
- Installation
- Documentation
- Frequently Asked Questions
- Additional Information
- Contact McAfee

____________
NEW FEATURES

1. VirusScan now offers the highest level of virus detection rates in the industry as well as fast scanning performance with its new Hunter engine technology. The Hunter engine achieves its stellar performance through a 32-bit, multithreaded implementation designed to utilize the latest advances in memory and I/O management. Hunter scanning technology achieves its leadership position in virus detection by combining several types of virus analysis technologies. All virus types including Word and Excel macros, boot-sector infections, file, multi-partite, stealth, polymorphic and encrypted viruses are detected. The Hunter engine even stops viruses written in Visual Basic 5.0 and Office97 file formats, offering users maximum defense against the newest threats to data.

2. VirusScan supports Microsoft Office97.

3. VirusScan for Windows NT now offers an Emergency Disk creation utility. With this utility, you can create an Emergency Disk during and after VirusScan installation with your own high density floppy disk. This disk is an important part of a complete security program.

4. New and improved polymorphic detection.

5. Easy access to the McAfee Virus Information Library on the McAfee Web Site. Select Online Virus Info from the Help menu to automatically open a web browser to the McAfee Virus Information Library.

* ENHANCEMENTS *

1.
VirusScan device drivers enhanced to dynamically load and unload. Rebooting your system is no longer necessary when installing future VirusScan NT upgrades.

2. VirusScan for Windows NT is now able to run two or more scheduled events at the same time.

3. On-demand tasks now support UNC code.

4. Simplified scanning for Microsoft Word97 and Excel97 documents. You can now scan Word97 and Excel97 documents with the Scan for Viruses right mouse click option.

* NEW VIRUSES DETECTED *

This DAT file (3000) detects and removes an additional 2000 viruses. The Macro viruses listed below are detected and removed with this DAT file.

New Macro viruses detected and removed:

ABC.A
ALIEN (.A-.B)
ALLIANCE.A
ANTICONCEPT.A
APPDER.A
ATOM (.A-.H)
BADBOY (.A-.B)
BALU.A
BANDUNG (.A-.J)
BIRTHDAY.A
BOOM.A
BEURO.A
CEEFOUR.A
CHAOS.A
CLOCK (.A-.D)
COLORS (.A-.J)
CONCEPT (.A-.N, .P, .S-.Z)
COUNT10 (.A-.B)
DANIEL (.A-.C)
DARK.A
DATE.A
DIETZEL.A
DIVINA (.A-.D)
DMV (.A-.B)
DOGGIE.A
DZT.A
EASY.A
EPIDEMIC.A
FORMATC TROJAN
FRIDAY.A
FRIENDLY.A
FURY.A
GANGSTERZ.A
GOLDFISH.A
HASSLE.A
HELLGATE.A
HELPER.A
HOT.A
HYBRID.A
IMPOSTER (.A-.B)
IRISH (.A-.C)
ITALIAN.A
JOHNNY (.A-.B)
KILLDLL.A
KILLPROT.A
KOMPU.A
LOOK (.A-.C)
LUNCH (.A-.B)
MADDOG (.A-.B)
MAGNUM.A
MDMA (.A-.E, .G)
MINIMAL (.A-.B)
MVDK1 (Macro Virus Development Kits; .A-.B)
NF.A
NICEDAY (.A-.B)
NIKI.A
NIKITA.A
NJ-CVK2 (Another Development Kit; .A-.B)
NJ-DLK1A (.A-.D)
NOMVIR (.A-.B)
NOP (.A,.B,.D)
NPAD (.A-.O)
NUCLEAR (.A-.E)
OLYMPIC (.A-.B)
OUTLAW (.A-.C)
PAPER.A
PHANTOM.A
PHARDERA (.A-.B)
POLITE.A
RAPI (.A-.H, .A1, .A2, .B1, .B2, ...)
RATS (.A-.C)
REFLEX.A
SATANIC.A
SAVER.A
SHOWOFF (.A-.E)
SMILEY (.A-.B)
SPOOKY.A
STRYX.A
SWITCHES TROJAN
TARGET.B
TEDIOUS.A
TELE.A
THEATRE (.A-.C)
TWISTER.A
TWNO (.A-.F, .H)
TWOLINES.A
WAZZU (over 40)
WEATHER (.A-.C)
WIEDEROFFEN TROJAN
XENIXOS (.A-.B)

New Excel viruses detected and removed:

DELTA (.A-.B)
DMV.A
LAROUX (.A-.B)
LEGEND.A
ROBOCOP.A
SOFA.A
YOHIMBE.A

* ISSUES ADDRESSED IN THIS RELEASE *

1.
Resolved "Unknown" entries listed in the Event Log when one of the following situations occurred:

   - the initiated task found an infected file
   - an on-demand task cancelled or would not start
   - an alert message that involved the name of a local or remote machine

2. Alert messages can now be sent to a network printer.

3. VirusScan for Windows NT now supports long file names in dialog boxes.

____________
KNOWN ISSUES

1. Reported problem with Microsoft Windows NT 4.0 Service Pack 2 and anti-virus software. After installing Service Pack 2, you may receive a STOP S0x0000000A error message when you try to access your CD-ROM drive or floppy disk drive while anti-virus software is running.

   Solution: Apply the fix that is now available through Microsoft. For more information regarding this issue, please contact Microsoft Technical Support.

2. PAGEFILE.SYS is not excluded by default. To exclude this file, use the Wizard to create an on-demand task.

3. When Execute Program is checked from the System Alerts configuration menu, the First Time option will not enable when selected. You must select Every Time when enabling the Execute Program option.

4. On-access exclusions only apply to local devices.

____________
INSTALLATION

* INSTALLING THE PRODUCT *

Prior to installation, take the following steps:

1. Uninstall any previous versions of VirusScan for Windows NT.

2. Ensure you have Administrator rights for the NT workstations on which you are installing VirusScan.

3. Run SETUP.EXE and follow the prompts.

If you would like to perform a "silent" installation of VirusScan NT, requiring minimal user interaction and using all default or "Typical" installation settings, add -s (i.e. SETUP.EXE -s) to the setup command when you install the product.

NOTE: If you would like to perform a silent installation on machines running NT 4.0, follow the instructions outlined below for customizing the silent installation.
Network Administrators can customize the silent installation by following the steps below.

1. Check in the Windows directory to ensure that a file named SETUP.ISS does not already exist. If it does, rename it, back it up, or delete it.

2. Run SETUP.EXE with the -r switch (i.e. SETUP.EXE -r).

3. Select the components you would like to be installed during the silent installation. All responses will be recorded.

4. Finish the installation, and locate the file SETUP.ISS in the Windows directory.

5. Locate the section [SdSetupType-0] in the SETUP.ISS file and go to the line:

      Result=x

   where x is equal to

      301 (Typical installation)
      302 (Compact installation)
      303 (Custom installation)

6. Add 100 to the above value, so that the Result variable is equal to 401, 402, or 403. Modifying this file will allow the installation to copy the VirusScan files to the drive where the operating system resides instead of defaulting to the C: drive.

7. Rename, back up, or delete SETUP.ISS on the first installation disk (floppies only). For CD-ROM versions of the product, you must copy the installation files onto the hard drive before taking this step.

8. Copy the new SETUP.ISS from the Windows directory to the location of the installation files.

9. Run SETUP.EXE with the -s switch (i.e. SETUP.EXE -s).

NOTE: If you do not specify a "recorded" answer for all dialog boxes during the initial installation, the silent installation will fail. Also, the file used for the silent installation, SETUP.ISS, may not work properly across different operating systems. For example, if the silent install is generated for Windows 95, it may not work properly in Windows 3.1x or Windows NT.

* PRIMARY PROGRAM FILES FOR VIRUSSCAN FOR WINDOWS NT *

Files located in the Install directory:
=======================================

1.
Installed for the Alert Manager/Console/Server:

   README.1ST                 = McAfee information
   WHATSNEW.TXT               = What's New document
   PACKING.LST                = Packing list
   AGENTS.TXT                 = McAfee authorized agents
   VALIDATE.EXE               = McAfee file validation program
   UPDATE.MSG                 = Update message file
   SHIELD.HLP                 = On-access scanner help
   SHIELD.CNT                 = On-access context-sensitive help
   MCCONSOL.HLP               = Console help
   VIRUSCAN.HLP               = On-demand scanner help
   VIRUSCAN.CNT               = On-demand context-sensitive help
   NAMES.DAT                  = Virus names definition data
   SCAN.DAT                   = Virus scan definition data
   CLEAN.DAT                  = Virus clean definition data
   MCALYZE.DAT                = Virus definition data
   NETSHIELD ACTIVITY LOG.TXT = NetShield activity log
   SCAN ACTIVITY LOG.TXT      = Scan activity log
   MODEMS.TXT                 = Modem initialization strings
   SCANLOG.TXT                = Scan log
   SAMPLE.CMD                 = Sample alert file
   MCUPDATE.EXE               = Update module
   AMGRCNFG.EXE               = Alert manager configuration program
   FTPGET.CMD                 = Automatic updating script
   DEISL1.ISU                 = Uninstall file
   MCSRVSHL.EXE               = Uninstall application
   MCSERVIC.DLL               = Install/uninstall library file
   MCALERT.MIB                = Interpret SNMP traps
   MCSCAN32.DLL               = Library files
   SHUTIL.DLL                 = Library files
   NETSHLD.MIF                = SMS Report file

2. Installed for Alert Manager:

   WCMDR.EXE                  = Uninstall program
   WCMDR.INI                  = Uninstall initialization file
   DEFAULT.VSC                = On-demand scanner default configuration settings
   IMPTASK.EXE                = Task import tool
   IMPTASK.TXT                = Task import text file
   AMGRSRVC.EXE               = Alert manager service program
   MCALSNMP.DLL               = Alert manager SNMP
   POWERP32.DLL               = Alert manager support module
   VIRNOTFY.EXE               = Notification utility

3.
Installed for the Console:

   MCCONSOL.EXE               = Console manager
   SHSTAT.EXE                 = Shield status monitor program
   SCNSTAT.EXE                = Scan status monitor program
   SCNCFG32.EXE               = Console configuration module
   VIRLIST.EXE                = Virus list
   SHCFG32.EXE                = Console configuration module
   MCKRNLNT.DLL               = Library files
   MCUTILNT.DLL               = Library files
   MCKRLN95.DLL               = Library files
   MCUTIL95.DLL               = Library files
   MCALYZE.DLL                = Library files

Files located in WINNT35\SYSTEM32:
==================================

1. Installed for the Console/Server/Alert Manager:

   CTL3D32.DLL                = 32-bit 3D Windows controls library (*)

   (*) File will be installed upon installation of NetShield if the file does not already exist, or if an older version is found.

Files located in WINNT35\SYSTEM32\DRIVERS:
==========================================

1. Installed for the Server:

   MCFILTER.SYS               = System files
   MCFSREC.SYS                = System files
   MCKRNL.SYS                 = System files
   MCSCAN.SYS                 = System files
   MCUTIL.SYS                 = System files
   MCSHIELD.SYS               = System files

* TESTING YOUR INSTALLATION *

The Eicar Standard AntiVirus Test File is a combined effort by anti-virus vendors throughout the world to come up with one standard by which customers can verify their anti-virus installations. To test your installation, copy the following line into its own file and name it EICAR.COM.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

When done, you will have a 69- or 70-byte file. When VirusScan is applied to this file, Scan will report finding the EICAR-STANDARD-AV-TEST-FILE virus.

It is important to know that THIS IS NOT A VIRUS. However, users often have the need to test that their installations function correctly. The anti-virus industry, through the European Institute for Computer Antivirus Research, has adopted this standard to facilitate this need.

Please delete the file when installation testing is completed so unsuspecting users are not unnecessarily alarmed.
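
Steps 5 and 6 of the silent-installation customization earlier in this INSTALLATION section can be scripted when several recorded response files have to be prepared. The Python sketch below is an added example, not part of the McAfee distribution; the function name bump_setup_type and the sample SETUP.ISS contents (including the SdWelcome-0 and SdFinish-0 sections) are constructed for illustration.

```python
import re

SECTION = "SdSetupType-0"          # section named in step 5
RECORDED = {301: "Typical", 302: "Compact", 303: "Custom"}

# Constructed sample response file (illustrative layout, CRLF line endings).
SAMPLE_ISS = "\r\n".join([
    "[SdWelcome-0]",
    "Result=1",
    "[SdSetupType-0]",
    "Result=301",
    "[SdFinish-0]",
    "Result=1",
    "",
])


def bump_setup_type(iss_text):
    """Add 100 to Result in [SdSetupType-0]; return (new_text, old, new).

    Only the Result line inside that section is touched; line endings and
    all other lines are preserved. Raises ValueError when the section or
    its Result line is missing, when the value is not 301/302/303, or when
    it has already been raised to 401/402/403.
    """
    lines = iss_text.splitlines(keepends=True)
    in_section = seen_section = False
    for i, line in enumerate(lines):
        header = re.fullmatch(r"\[(.+)\]", line.strip())
        if header:
            in_section = header.group(1) == SECTION
            seen_section = seen_section or in_section
            continue
        if not in_section:
            continue
        m = re.fullmatch(r"(\s*Result\s*=\s*)(\d+)(\s*)", line, re.IGNORECASE)
        if not m:
            continue
        old = int(m.group(2))
        if old - 100 in RECORDED:
            raise ValueError(f"Result={old}: file was already modified")
        if old not in RECORDED:
            raise ValueError(f"unexpected Result={old} in [{SECTION}]")
        lines[i] = f"{m.group(1)}{old + 100}{m.group(3)}"
        return "".join(lines), old, old + 100
    if not seen_section:
        raise ValueError(f"no [{SECTION}] section; record with SETUP.EXE -r first")
    raise ValueError(f"[{SECTION}] has no Result line")


if __name__ == "__main__":
    text, old, new = bump_setup_type(SAMPLE_ISS)
    print(f"{RECORDED[old]} installation: Result {old} -> {new}")
```

Refusing a value that is already 401, 402, or 403 keeps the edit from being applied twice to the same response file.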
_____________
DOCUMENTATION

For more information, refer to the VirusScan User's Guide, included on the CD-ROM versions of this program or available from McAfee's BBS and FTP site. This file is in Adobe Acrobat Portable Document Format (.PDF) and can be viewed using Adobe Acrobat Reader. This form of electronic documentation includes hypertext links and easy navigation to assist you in finding answers to questions about your McAfee product.

Adobe Acrobat Reader is available on CD-ROM in the ACROREAD subdirectory. Adobe Acrobat Reader also can be downloaded from the World Wide Web at:

   http://www.adobe.com/Acrobat/readstep.html

VirusScan documentation can be downloaded from McAfee's BBS or the World Wide Web at:

   http://www.McAfee.com or http://205.227.129.164

For more information on viruses and virus prevention, see the McAfee Virus Information Library, MCAFEE.HLP, included on the CD-ROM version of this product or available from McAfee's BBS and FTP site.

A ViaGrafix Interactive Anti-virus Training program also is available on the CD-ROM version, or can be purchased from the McAfee Web Site.

__________________________
FREQUENTLY ASKED QUESTIONS

Regularly updated lists of frequently asked questions about McAfee products also are available on McAfee's BBS, website, and CompuServe and AOL forums.

Q: How do I enable McAfee's Centralized Alerting and Reporting?

A: VirusScan now supports Centralized Alerting and Reporting to a remote Windows NT server running NetShield for Windows NT v2.5.3 or later. To set up this option on your VirusScan client, modify the AlertOptions section in ScanNT's DEFAULT.VSC files and/or your custom settings file to read the following:

   Note: Administrators will need to configure the .VSC files for complete Centralized Alerting & Reporting.

   szNetworkAlertPath=
   bNetworkAlert=1

   Where the is the path to the remote NT directory (can use UNC format where supported).
   From this directory, NetShield can broadcast or compile the alerts and reports according to its established configuration.

   NOTE: The client must have write access to this location and the directory must contain the NetShield-supplied CENTALRT.TXT file.

   To send a complete alerting file identifying the system and user, establish the following environment variables or add them to the AUTOEXEC.BAT file.

   Set COMPUTERNAME=
   Set USERNAME=

   The alert file sent to the server is an .alr text file. Upon receipt of the alert file, NetShield NT sends an alert message to an administrator and/or appropriate personnel.

Q: How can I display a custom message during an on-demand scan?

A: You can customize your messages during an on-demand scan by modifying ScanNT's DEFAULT.VSC file. Under AlertOptions, add the following setting:

   szSuggestMessage=

   Add your customized text message where is.

Q: Why do I get errors in my event viewer after installing Service Pack 3 or Service Pack 4?

A: Service Pack 3 and Service Pack 4 involved a change to the HAL.DLL file that is used by McAfee's device drivers. If you are using VirusScan for Windows NT Version 2.5.0, uninstall, then install Version 2.5.3 or higher.

Q: Why do I get an error in MCINST32.DLL when I attempt to install VirusScan for Windows NT?

A: VirusScan for Windows NT was designed for an i386 processor only. This error is usually caused by an attempt to install to a non-i386 machine.

Q: Is there a conflict with the Novell written client for NT?

A: No. However, there are some timing issues that arise when VirusScan for Windows NT is installed. If it is necessary for you to use the Novell client, change the account that both the McAfee Task Manager and the Alert Manager use to a "System" account.

Q: As an administrator, how can I scan private directories that are accessible only to individual users?

A: The on-access scanner will detect infected files as they are copied into the users' personal directories.
   On-demand (scheduled) scans are launched by the McTaskManager Service. If you specify a user name and password for the Service, then the scheduled scan will only scan directories for which the user name has privileges. If no user name was specified, then the Service has SYSTEM privileges.

   To perform an on-demand, or scheduled, scan of private directories, the McTaskManager Service must have access to these private areas. Following are two ways to address this issue:

   Solution A:

   1. Do not associate a user name to the Service.
   2. Give SYSTEM privileges to access the private spaces.

   Considerations with Solution B: Someone could create or use a Service to access your information.

   Solution B:

   1. Create a custom user name to be used by the Service.
   2. Give this user name privileges to access the private spaces.

   Considerations with Solution A: The administrator will need to know the user names and passwords.

   McAfee recommends Solution A as a more secure solution.

Q: VirusScan will not perform an on-demand (scheduled) scan of some networked devices. Why?

A: It is possible that the user name you are using for the Taskmanager Service does not have sufficient rights to scan the devices in question. To verify whether this is the issue, log in to each device using the user name and password used by the Taskmanager Service. Confirm that this user name has rights on the device by manually running an on-demand scan. If you can scan the device while you're logged in, then the Service should also be able to do it as a scheduled scan.

Q: When performing an on-demand (scheduled) scan of a networked device, the system locks up. How can I solve this problem?

A: Log on to the device in question and manually run an on-demand scan with the Compressed Files option turned off. If the scanner locks up, note where it locks. Attempt to determine which file VirusScan locks on and send the information to McAfee. If the scan succeeds, select the Compressed Files option and scan the device again.
   If it locks this time, chances are you have a ZIP file that is corrupted or large, and it takes time to scan. If scanning works in both scenarios, then give the Taskmanager Service the same user name and password currently logged in as and try a scheduled scan again. If this now works, then the old user name didn't have sufficient rights to scan the device in question.

Q: Can I update VirusScan's data files to detect new viruses?

A: Yes. If you have Internet access, you can download updated VirusScan data files from the McAfee Web Site, BBS, or other online resources. To download from the McAfee Web Site, follow these steps:

   1. Go to the McAfee Web Site (http://www.mcafee.com or 205.227.129.164).

   2. Select Update DAT File in the left hand column or frame.

   3. Scroll down, and click Update Your DAT Files to update your virus definition files.

   4. Data file updates are stored in a compressed form to reduce transmission time. Unzip the files into a temporary directory, then copy the files to the appropriate directory, replacing your old files.

   5. Before performing any scans, shut down your computer, wait a few seconds, and turn it on again.

   If you need additional assistance with downloading, contact McAfee Download Support at (408) 988-3832.

______________________
ADDITIONAL INFORMATION

VirusScan NT includes an external utility, VIRNOTFY.EXE, that will notify you in the event that McAfee's Alertmanager is not installed. To use this utility, open McConsole, and select Tools/Alerts. Add the path and utility to the Program To Execute line.

______________
CONTACT McAFEE

* FOR QUESTIONS, ORDERS, PROBLEMS, OR COMMENTS *

Contact McAfee's Customer Care department:

1. Corporate-licensed customers, call (408) 988-3832
   Monday-Friday, 6:00 A.M. - 6:00 P.M. Pacific time

   Retail-licensed customers, call (972) 278-6100
   Monday-Friday, 6:00 A.M. - 6:00 P.M. Pacific time

2. Fax (408) 970-9727
   24-hour, Group III fax

3.
Fax-back automated response system (408) 988-3034
   24-hour fax

Send correspondence to any of the following McAfee locations.

   McAfee Corporate Headquarters
   2710 Walsh Avenue
   Santa Clara, CA 95051-0963

   McAfee East Coast Office
   Jerral Center West
   766 Shrewsbury Avenue
   Tinton Falls, NJ 07724-3298

   McAfee Central Office
   4099 McEwen
   Suites 500 and 700
   Dallas, TX 75244

   McAfee Canada
   139 Main Street
   Suite 201
   Unionville, Ontario
   Canada L3R2G6

   McAfee Europe B.V.
   Gatwickstraat 25
   1043 DL Amsterdam
   The Netherlands

   McAfee (UK) Ltd.
   Hayley House, London Road
   Bracknell, Berkshire
   RG12 2TH United Kingdom

   McAfee France S.A.
   50 rue de Londres
   75008 Paris
   France

   McAfee Deutschland GmbH
   Industriestrasse 1
   D-82110 Germering
   Germany

   McAfee Japan KK
   4F Toranomon Mori bldg. 33
   3-8-21 Toranomon Minato-Ku
   Tokyo, 105 Japan

Or, you can receive online assistance through any of the following resources:

1. Bulletin Board System: (408) 988-4004
   24-hour US Robotics HST DS

2. Internet e-mail: support@mcafee.com

3. Internet FTP: ftp.mcafee.com or 205.227.129.168

4. World Wide Web: http://www.mcafee.com or http://205.227.129.164

5. America Online: keyword MCAFEE

6. CompuServe: GO MCAFEE

7. The Microsoft Network: GO MCAFEE

Before contacting McAfee, please make note of the following information. When sending correspondence, please include the same details.
- Program name and version number
- Type and brand of your computer, hard drive, and any peripherals
- Operating system type and version
- Network name, operating system, and version
- Contents of your AUTOEXEC.BAT, CONFIG.SYS, and system LOGIN script
- Microsoft service pack, where applicable
- Network card installed, where applicable
- Modem manufacturer, model, and baud, where applicable
- Relevant browsers/applications and version number, where applicable
- Problem
- Specific scenario where problem occurs
- Conditions required to reproduce problem
- Statement of whether problem is reproducible on demand
- Your contact information: voice, fax, and e-mail

Other general feedback is also appreciated.

Documentation feedback is welcome. Send e-mail to documentation@cc.mcafee.com.

* FOR ON-SITE TRAINING INFORMATION *

Contact McAfee Customer Service at (800) 338-8754.

* FOR PRODUCT UPGRADES *

To make it easier for you to receive and use McAfee's products, we have established an Agents program to provide service, sales, and support for our products worldwide. For a listing of McAfee agents near you, click Contact McAfee under the Information section on the McAfee website.

* MCAFEE BETA SITE *

Get pre-release software, including DAT files, through http://beta.mcafee.com/public/datafiles. You will have access to Public Beta and External Test Areas. Your feedback CAN make a difference.