**************************************************************************
*                                                                        *
*  AntiVir/NW Version 0.92ß                          January 10th, 1995  *
*  (Beta - testversion)                                                  *
*                                                                        *
*  Copyright (c) 1994 by H+BEDV Datentechnik GmbH                        *
*                                                                        *
**************************************************************************

This test version runs only until February 28th, 1995.

Any suggestions, ideas for useful new features, detected program errors
and other comments are very much appreciated. Please describe detected
errors, or the actions causing the error, exactly; this helps us a lot in
removing them. You can send your statements or other messages concerning
AntiVir/NW to one of the following addresses:

    H+BEDV Datentechnik GmbH
    Olgastrasse 4
    88069 Tettnang
    Germany

    Tel:        (+49) (0)7542-93040
    Fax:        (+49) (0)7542-52510
    BBS:        (+49) (0)7542-52110
    CompuServe: 71310,3143


System requirements:
********************

 o Fileserver with Novell NetWare 3.1x.
 o The system NLMs described below.
 o Min. 4 Mb memory; 8 Mb is better.
 o Min. 3 Mb free disk space on volume SYS.


Files on diskette:
******************

 AVN.NLM       - The scanner NLM.
 AVN.HLP       - The help file (currently in German).
 AVN.VDF       - The virus definition file.
 README.TXT    - This file.
 RESIDENT.COM  - A resident DOS program with a test signature.
 INSTALL.EXE   - The installation program of AntiVir/NW. (new)
 NETINFO.NLM   - A small NLM (Beta), supplying some server information.
 NOVLIBS.EXE   - Self-extracting file containing the newest Novell
                 NetWare library NLMs. Contains the following packed
                 NLMs:
                     CLIB.NLM      v3.12g
                     NWSNUT.NLM    v4.01a
                     STREAMS.NLM   v3.12
                     AFTER311.NLM  v4.10a
                     A3112.NLM     v4.10a


Installation notes:
*******************

 o In version 0.92b the installation program has been added.
   INSTALL.EXE creates the directories, copies the files to the server
   and changes AUTOEXEC.NCF. To install AVN you must have SUPERVISORY
   rights.

 o You can also install AVN manually:

   - Check whether your server has the following NLMs loaded:

         CLIB.NLM      Version 3.12f or later.
         NWSNUT.NLM    4.00i.

     additionally for NetWare 3.11:

         AFTER311.NLM  4.10a
         A3112.NLM     4.10a

     If not, please load these NLMs. If the NLMs on your server are not
     of the correct version, the self-extracting file NOVLIBS.EXE
     contains those files. Please copy those files to the directory:

         SYS:SYSTEM\

     Please check that your AUTOEXEC.NCF contains the following
     statements:

         load streams
         load clib
         load nwsnut

     and additionally for NetWare 3.11:

         load after311
         load a3112

     Down your server later on and restart it, or unload the old NLMs
     and reload the new ones.

   - Create the AVN directory, e.g. SYS:SYSTEM\ANTIVIR
     Note: Check that only the SUPERVISOR has rights there.

   - Delete any existing file AVN.CFG.

   - Copy the following files to this directory:

         AVN.NLM
         AVN.HLP
         AVN.VDF
         README.TXT

   - Create the subdirectory ANTIVIR\INFECTED
     (e.g. SYS:SYSTEM\ANTIVIR\INFECTED)
     NOTE: With an appropriate configuration, all infected files will be
     moved to that subdirectory. Please check that only the SUPERVISOR
     has rights there and that the volume has enough free disk space.

   - To install AVN permanently, add the following lines to your
     AUTOEXEC.NCF:

         SEARCH ADD SYS:SYSTEM\ANTIVIR
         LOAD AVN

   - If you do not add a search path, load AntiVir/NW with the following
     command:

         :
         : LOAD SYS:SYSTEM\ANTIVIR\AVN.NLM
         :

 o Now you can configure AntiVir/NW as you wish. The system defaults are
   normally sufficient.

 o AVN in the current version occupies the following system memory.
   These values can differ when displaying the known virus list,
   starting a scheduled scan, etc.

     AVN.NLM ........ 521 kB   AVN code and data
     NWSNUT.NLM .....  59 kB   The Novell menu system
     AFTER311.NLM ...  12 kB   OS extension (only NetWare 3.11, part 1)
     A3112.NLM ......  12 kB   OS extension (only NetWare 3.11, part 2)
     CLIB.NLM ....... 295 kB   C library from Novell
     =======================
     Total .......... 898 kB

   All library NLMs are also used by other available NLMs, e.g.
   Cheyenne's ArcServe, so they only have to be loaded once.


Other files on diskette:
************************

 o The file RESIDENT.COM is a small TSR containing the signature of a
   virus. The file does *NOT* contain a runnable virus! You can install
   RESIDENT.COM before starting SERVER.EXE. AntiVir/NW should then
   report a virus when checking DOS memory (provided you did not
   REMOVE DOS).
   RESIDENT.COM can also be used to test AVN in various configurations.
   You only have to copy the file to the server. If import scanning is
   activated, AntiVir/NW has to report a virus "Sofia Terminator".

 o NETINFO.NLM -> Only supplies some server information. (Beta version)
   Developed for 3.xx servers, runs on 4.xx servers too. On 4.xx servers
   please load NETINFO into the domain OS. It will not work in
   OS_PROTECTED because it uses some undocumented 3.xx calls.


Command line arguments: (only beta- / testversion)
**************************************************

 /R0 -----> Disables the reporting feature of AntiVir/NW completely.
            (WARNING!!!)


General command line arguments:
*******************************

 /?  -----> Displays some help.
 /M0 -----> Disables the DOS memory check.

 NOTE: The arguments have to be separated by SPACES.


Operation notes
***************

The menu of AntiVir/NW is programmed with the Novell library NWSNUT, so
its operation should be familiar from other programs like SYSCON,
RCONSOLE, PCONSOLE. However, there are some additional features:

 - At any time, in every portal within the standard screen
   "AntiVir/NW - Main", you can get context-sensitive help pressing the
   - key. You can scroll the pages pressing or . exits the help-portal.

 - To select a menu item, press or . Some items are implemented as
   switches. An activated switch (e.g. Enable the Bell) will be marked
   with a '√'. Some other items will bring up an input portal. If an
   entry is expected in such a portal and there is already an entry,
   the item will be marked with a '∙'.
   A menu item including a submenu will be marked with '»'.

 - You can abort every menu, submenu, list or input portal by pressing
   the -key. All input made in an aborted portal will be thrown away.

 - The standard input portals provided by Novell have been replaced by
   our own, more comfortable ones. These new input portals provide the
   following features:

     - Automatic horizontal scrolling.
     - Hidden text is marked by '<' or '>'.
     - You are always in insert mode.
     - The maximum length of every input is limited.
     - The -key will bring you to the beginning of the text, the - key
       to the end.
     - To move within the text use the cursor keys.
     - deletes the character left of the cursor, deletes the character
       behind the cursor.
     - Within date input portals you can increment and decrement the
       numbers with your cursor keys. Only valid numbers are displayed.


Other notes:
************

 - If AntiVir/NW has run into trouble with a difficult configuration,
   simply delete the file AVN.INI and reload AVN. The module will start
   up with default values.

 - Do not change the configuration file AVN.CFG manually. This file is
   protected with a CRC against changes (e.g. made by a virus). AVN
   detects such changes and starts up with default values.

 - A new feature is the scan of an existing DOS memory area at startup.
   With this feature AVN will also detect known boot sector viruses.
   However, master boot sector viruses will *NOT* be detected with this
   method!
   This also means that check modules like NETCHECK.NLM, PROTECT.NLM,
   CHECK.NLM etc. should be loaded *after* loading AVN, because of the
   range-checking facility for memory accesses.

 - The help text is still written in German. A translation (I hope not
   as bad as this text) will follow soon. Please send us a note where
   you miss some help.

 - If NETCHECK.NLM (argument /w) is loaded, AntiVir/NW *CAN NOT* install
   the online scanning! The same applies to PROTECT.NLM by Novell.
   If you want to use NETCHECK, please load it after loading AVN and
   unload it before unloading AVN.

 - Most of the available antivirus NLMs use the unauthorized method of
   patching the NetWare kernel to install the online scanning option.
   AVN uses the newest available CLIB.NLM, which provides the same
   functions. This method is authorized by Novell but could cause some
   trouble when other NLMs are loaded.
   NOTE: AVN cannot install online scanning if one of those non
   Novell-authorized NLMs is loaded!

 - To test the detection rate of the scanner, it is advisable to disable
   IPX broadcasts by deleting the send-to list and to disable the
   reporting function by starting AVN with the argument /R0. If IPX send
   is not disabled, AntiVir/NW will report every virus by an IPX message
   to every user in the send-to list. If reporting isn't disabled, AVN
   will add up to four lines to the logfile for every virus found.
   Scanner performance would then decrease dramatically.

 - Archives are not processed in the current version.

 - Scan of DOS partition:
   The scan of the DOS partition causes very high CPU utilization,
   because the OS switches to real mode for every DOS access. To reduce
   this utilization, AVN sets the priority of this process to low. The
   feature will be disabled after running the scan. This function will
   only work at startup and only if it has been enabled beforehand in
   the submenu "Startup". Please reload AVN to make it work.

 - Viruses found in the DOS partition will only be reported. The files
   themselves are left untouched. However, the warning routines are
   executed completely.

 - AntiVir/NW can only be started from a NetWare partition. It is not
   possible to start AntiVir from the DOS partition of the file server.

 - CRCs:
   The CRC is only provided by direct scans or immediate scans. It
   provides 3 modes:

     minimal mode:   CRC is computed over the first 32 bytes of every
                     file. Mode is very fast, but detection rate is
                     relatively low.
     standard mode:  CRC is computed over the first and the last
                     2 kbytes of every file. Mode is very fast,
                     detection rate is high.
     extended mode:  CRC is computed over the full file. Mode is slow,
                     detection rate is near 100%.

   If you switch CRC mode to extended and scan mode to standard, scan
   mode will be automatically switched to extended.

 - Perhaps you get a warning like:

     :
      9/15/94 12:09pm   1.1.133 Alloc Short Term Memory allocator
          requests exceeded the configuration limit
          1 short term memory allocation request failed
     :_

   If you get such a warning, you should increase the value of the
   SET parameter (default 2Mb):

       Set Maximum Alloc Short Term Memory = 2Mb

   Increase this value if you have loaded some more NLMs or if AVN
   temporarily uses too much memory.
   NOTE: Increasing the value for Alloc Short Term Memory will decrease
   the number of available cache buffers.

 - Online scanning:
   AVN starts the scanner if one of the following events occurs:

     o File read.
     o File write.
     o Rename file.
     o Salvage file.
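
Added example (not part of the original README or of AntiVir/NW): a Python sketch of which bytes each of the three CRC modes described under "CRCs" covers, and which kinds of file modification each mode therefore notices. The use of zlib's CRC-32, the constructed sample file and the handling of files shorter than 4 kbytes are assumptions; the README states only the region sizes.

```python
import zlib

# Region sizes are taken from the README. CRC-32 (zlib) is a stand-in:
# the README does not say which CRC polynomial AVN uses.
HEAD_MIN = 32           # minimal mode: first 32 bytes
EDGE_STD = 2 * 1024     # standard mode: first and last 2 kbytes
MODES = ("minimal", "standard", "extended")

def region(data: bytes, mode: str) -> bytes:
    """Return the bytes of a file that the given CRC mode covers."""
    if mode == "minimal":
        return data[:HEAD_MIN]
    if mode == "standard":
        # Assumption: if head and tail would overlap, cover the file once.
        if len(data) <= 2 * EDGE_STD:
            return data
        return data[:EDGE_STD] + data[-EDGE_STD:]
    if mode == "extended":
        return data
    raise ValueError(f"unknown CRC mode: {mode}")

def file_crc(data: bytes, mode: str) -> int:
    return zlib.crc32(region(data, mode)) & 0xFFFFFFFF

def modes_detecting(original: bytes, modified: bytes) -> list:
    """Modes whose stored CRC no longer matches after the change."""
    return [m for m in MODES if file_crc(original, m) != file_crc(modified, m)]

def patch(data: bytes, offset: int, new: bytes) -> bytes:
    return data[:offset] + new + data[offset + len(new):]

# Constructed sample: a 16 KiB "program file" and four modifications.
ORIGINAL = bytes(range(256)) * 64
CHANGES = {
    "first bytes overwritten": patch(ORIGINAL, 0, b"\xe9\x00\x3f\x90"),
    "change at offset 100":    patch(ORIGINAL, 100, b"\xde\xad\xbe\xef"),
    "change in the middle":    patch(ORIGINAL, 8000, b"\xde\xad\xbe\xef"),
    "512 bytes appended":      ORIGINAL + b"\xcc" * 512,
}

def report() -> dict:
    return {name: modes_detecting(ORIGINAL, mod) for name, mod in CHANGES.items()}

if __name__ == "__main__":
    for name, found in report().items():
        print(f"{name:26} detected by: {', '.join(found) or 'none'}")
```

Only the extended mode notices the change in the middle of the file, which is the trade-off between speed and detection rate that the mode descriptions state.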