VirusScan Version 2.0.2 Copyright 1994 by McAfee, Inc. All Rights Reserved. Brought to you by: Igor Grebert Project Leader Jivko Koltchev Lead Programmer David Mai TSR Programmer Vadim Ivanov Algorithms/Emulation Programmer Tatyana Shishkina Virus Librarian, Programmer Bruce de Graaf GUI Programmer Dmitri Orlov DOS UI Programmer Geoff Brandenburg GUI Artist Spencer Clark SQA Manager David Pierce Lead SQA Engineer Sean Birch SQA Engineer John Zussman Documentation Project Leader Eric Ivory Technical Writer Aryeh Goretsky Manager Technical Support With special thanks to Bob Chappelear, Rudite Emir, and Bill Larson McAfee, Inc. (408) 988-3832 office 2710 Walsh Avenue (408) 970-9727 fax Santa Clara, CA 95051-0963 (408) 988-4004 BBS (25 lines) U.S.A. USR HST/v.32/v.42bis/MNP1-5 CompuServe GO MCAFEE InterNet support@mcafee.COM America Online MCAFEE Using VirusScan (Version 2.0) 1 CHAPTER 1: WELCOME TO VIRUSSCAN Thank you for evaluating McAfee, Inc.'s, VirusScan(TM) software Version 2.0, a powerful and advanced system designed to detect, eradicate, and prevent computer viruses. VirusScan will help you protect one of your most important assets--the information on your computer or local area network. VirusScan includes two main programs: o The Scan program detects known viruses in your computer's memory or on disks. See the README.1ST file for the number of viruses that Scan detects. It can also detect new and unknown viruses. Once viruses are detected, it can remove them and restore your system to normal operation. o The VShield(TM) program continuously monitors and protects your system from viruses that might be introduced. The VirusScan programs run on IBM-PC or 100% compatible personal computers (PCs) that use DOS 3.0 and above, Windows 3.1, or OS/2 2.0 and above. VirusScan is an important element of a comprehensive security program that includes a variety of safety measures, such as regular backups, meaningful password protection, training, and awareness. We urge you to set up and comply with such a security program in your organization. For tips on how to do this, see "Other Sources of Information" in this chapter. HOW TO USE THIS MANUAL This manual will help you get VirusScan running quickly and properly on DOS, Windows, and OS/2 systems. o All the key information is in Chapter 2, "Don't Skip this Chapter." Please don't install VirusScan before reading it, even if you are already familiar with Scan. Installing and using VirusScan is not like using other software. The rest of Chapter 1, "Welcome to VirusScan," describes the programs and files on your VirusScan disk, system requirements, how to register, and how to get help. Chapter 3, "Scan Reference," in this document and Chapter 3, "VShield Reference," in the VShield documentation contain reference information for Scan and VShield, respectively. Using VirusScan (Version 2.0) 2 Many users will not need to read these chapters, because basic operation of VirusScan, as described in Chapter 2, will detect and remove most viruses from your system. The options described in Chapter 3 in this document and Chapter 3 in the VShield documentation offer additional power and control, and are most useful in vulnerable environments and to network administrators and information services staff. Chapter 4, "Tips & Troubleshooting," explains how to get the most out of VirusScan, and how to cope with some common problems. Appendix A, "Retrieving VirusScan Updates via the McAfee BBS," provides instructions for using the McAfee Bulletin Board (BBS). Appendix B, "Options Comparison Between VirusScan Versions 1.5 and 2.0," shows the differences between command line options in Scan 1.5 and 2.0. Using VirusScan (Version 2.0) 3 NOTATION In this manual, we use several conventions to distinguish particular kinds of text. CONVENTION ³ EXAMPLE ³ REPRESENTS ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ Upper-case ³ C:\> ³ What your ³ ³ computer displays ³ ³ on your screen. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Lower-case ³ scan c: ³ What you ³ ³ type, verbatim. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Curly braces ³ {filename} ³ Required ³ ³ element; do not ³ ³ type braces { }. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Square braces ³ [filename] ³ Optional ³ ³ element; do not ³ ³ type braces [ ]. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Upper-case in ³ ³ Key to press brackets ³ ³ on the ³ ³ keyboard. WHAT VIRUSSCAN INCLUDES In addition to Scan or VShield, the Validate program ensures that new versions of VirusScan software you've obtained are authentic. Finally, the VirusScan archive contains several useful text files, which you can view and print with a text editor, word processor, or DOS PRINT command. You'll find version- specific information in the README.1ST text file. Using VirusScan (Version 2.0) 4 VIRUSSCAN FILES AFTER UNPACKING After unpacking VirusScan you should have appropriate program files on your system for the version you have obtained (DOS, Windows, or OS/2). Several useful text files are also included. VirusScan for DOS. AGENTS.TXT - list of McAfee authorized agents. CLEAN.DAT - virus removal data file required by SCAN.EXE COMPUSER.NOT - explains how to obtain CompuServe membership FILE_ID.DIZ - description of VirusScan used by some BBS software FILENAME.TXT - explains new McAfee BBS file name conventions LICENSE.TXT - explains how to license VirusScan NAMES.DAT - virus name data file required by SCAN.EXE PACKING.LST - contains a list of all files, including validation information README.1ST - late-breaking information and new instructions not contained in this manual REGISTER.TXT - explains how to register VirusScan for your use SCAN.DAT - virus string data file required by SCAN.EXE SCAN.EXE - the VirusScan program SCAN.TXT - on-line manual for Scan VALIDATE.EXE - used to check VirusScan programs for authenticity VALIDATE.TXT - explains how to run VALIDATE.EXE VShield AGENTS.TXT - list of McAfee authorized agents. CHKVSHLD.EXE - checks for presence of VShield and VShieldCRC in memory COMPUSER.NOT - explains how to obtain CompuServe membership FILE_ID.DIZ - description of VShield used by some BBS software FILENAME.TXT - explains new McAfee BBS file name conventions LICENSE.TXT - explains how to license VShield PACKING.LST - contains a list of all files, including validation information REGISTER.TXT - explains how to register VirusScan for your use VALIDATE.EXE - used to check VirusScan programs for authenticity VALIDATE.TXT - explains how to run VALIDATE.EXE VSHIELD.DAT - virus string data file required by VSHIELD.EXE VSHIELD.EXE - the VShield program VSHIELD.TXT - on-line manual for VShield VSHLDCRC.EXE - the VShieldCRC program VSHLDWIN.EXE - used by VShield and VShieldCRC to display messages within Windows Using VirusScan (Version 2.0) 5 VirusScan for OS/2 AGENTS.TXT - list of McAfee authorized agents. CLEAN.DAT - virus removal data file required by OS2SCAN.EXE COMPUSER.NOT - explains how to obtain CompuServe membership FILE_ID.ZIP - description of VirusScan used by some BBS software FILENAME.TXT - explains new McAfee BBS file name conventions LICENSE.TXT - explains how to license VirusScan NAMES.DAT - virus name data file required by OS2SCAN.EXE PACKING.LST - contains a list of all files, including validation information README.1ST - late-breaking information and new instructions not contained in this manual REGISTER.DOC - explains how to register VirusScan for your use OS2SCAN.EXE - the VirusScan program SCAN.DAT - virus string data file required by OS2SCAN.EXE SCAN.TXT - on-line manual for Scan VALIDATE.EXE - used to check VirusScan programs for authenticity VALIDATE.TXT - explains how to run VALIDATE.EXE Using VirusScan (Version 2.0) 6 SYSTEM AND MEMORY REQUIREMENTS The VirusScan programs require an IBM-compatible personal computer and any of the following operating systems: o DOS 3.0 or later and at least 340Kb of free RAM for the command line programs. o Windows 3.1 or later and at least 4Mb of RAM. o IBM OS/2 2.00(GA) or later and at least 8Mb of RAM. VirusScan for DOS requires 340Kb of available free memory in order to scan a system for viruses. VShield is a terminate-and-stay-resident (TSR) program that requires 67Kb of free memory. VShield will minimize the use of conventional memory by loading into expanded, extended, or upper memory, when available. For more information, see "System Requirements and Performance" in Chapter 3. LICENSING VIRUSSCAN The VirusScan software is provided under license from McAfee, Inc., a copy of which is included in the file LICENSE.TXT. Please read it and comply with it. If you want to use VirusScan after the evaluation period, please register your copy of the software by filling out and returning the enclosed registration form, REGISTER.TXT. Registration entitles you to upgrades at no charge from McAfee's bulletin board system and other sources, as well as technical support, for one year from your date of purchase. Using VirusScan (Version 2.0) 7 TECHNICAL SUPPORT For help in using this product, we invite you to contact McAfee technical support. You can contact us: o On-line 24 hours a day, through our bulletin board system, CompuServe, fax, or Internet (see "Online Access to Updates and Technical Support" below); or o By telephone at (408) 988-3832, Monday through Friday, 7:00 am to 5:30 pm Pacific Time. For fast and accurate help, please have the following information ready when you contact McAfee: o Program name and version number. o Type and brand of computer, hard disk, and any peripherals. o Version of DOS, along with any TSR's or device drivers in use. o Printouts of your AUTOEXEC.BAT and CONFIG.SYS files. o A printout of the contents of memory, from the MEM command (provided in DOS 4.0 and later) or a similar utility. o A description of the exact problem you are having. Please be as specific as possible. If you can't be at your computer when you call, a printout of the screen will be helpful. If you are overseas, you can contact a McAfee authorized agent for support. Agents are located in more than 50 countries around the world and provide local sales and support for our software. Please refer to the AGENTS.TXT file for a complete list of McAfee agents. ONLINE ACCESS TO UPDATES AND TECHNICAL SUPPORT McAfee updates VirusScan monthly to add new virus detectors, new options, and fix reported bugs. To distribute these new versions, we run a multi-line bulletin board system, a forum on CompuServe, and an Internet node. Using VirusScan (Version 2.0) 8 Bulletin board system (BBS) access Our multiline BBS is accessible 24 hours a day, 365 days a year, except for scheduled downtime and maintenance. All lines run high-performance modems operating from 1,200 bps to 14,400 bps with line settings of 8 data bits, no parity, and 1 stop bit. The McAfee BBS phone number is (408) 988-4004. CompuServe Access We sponsor the McAfee Virus Help Forum on CompuServe. To reach it, type GO MCAFEE at any CompuServe prompt. A free introductory membership is available. For more information, please read the enclosed COMPUSER.TXT file. Internet Access The latest versions of McAfee's anti-virus software are available by anonymous ftp (file transfer protocol) over the Internet from the site mcafee.com. If your domain resolver does not support names, use the IP# 192.187.128.1. Enter "anonymous" or "ftp" as your user ID (do not type the quotation marks) and your own e-mail address as the password. Programs are located in the pub/antivirus directory. If you have questions, please send e-mail to support@mcafee.com. You can also find McAfee's anti-virus software at the SimTel Software Repository at Oak.Oakland.EDU in the pub/msdos/virus directory and its associated mirror sites: o WUARCHIVE.WUSTL.EDU (US). o FTP.SWITCH.CH (Switzerland). o FTP.FUNET.FI (Finland). o SRC.DOC.IC.AC (UK). o ARCHIE.AU (Australia). Using VirusScan (Version 2.0) 9 OTHER SOURCES OF INFORMATION The McAfee BBS and CompuServe Virus Help Forum are excellent sources of information on virus protection. Batch files and utilities to help you use VirusScan software are often available, along with helpful advice. Independent publishers, colleges, training centers, and vendors also offer information and training about virus protection and computer security. We especially recommend the following books: o Ferbrache, David. A Pathology of Computer Viruses. London: Springer-Verlag, 1992. (ISBN 0-387-19610-2) o Hoffman, Lance J. Rogue Programs: Viruses, Worms, and Trojan Horses. Van Nostrand Reinhold, 1990. (ISBN 0-442-00454-0) o Jacobson, Robert V. The PC Virus Control Handbook, 2nd Ed. San Francisco: Miller Freeman Publications, 1990. (ISBN 0-87930-194-0) o Jacobson, Robert V. Using McAfee, Inc. Software for Safe Computing. New York: International Security Technology, 1992. (ISBN 0-9627374-1-0) In addition, the following sources can provide useful information about viruses: o National Computer Security Association (NCSA) 10 South Courthouse Avenue Carlisle, PA 17013 o CompuServe McAfee Computer Virus Help Forum (GO VIRUSFORUM) o Internet comp.virus newsgroup Using VirusScan (Version 2.0) 10 CHAPTER 2: DON'T SKIP THIS CHAPTER (or, What you really need to know about VirusScan) We're serious about this. Installing and running the VirusScan(TM) programs is not like using other software. Even if you are a long-time user of McAfee's software, please take the time to read through and follow the tasks in this chapter. The reason is to avoid spreading a computer virus infection. Viruses spread when you start your computer (sometimes called booting) from an infected disk, or when you run an infected program. If your computer is infected, installing and running VirusScan on your hard disk may spread the infection, even to the VirusScan programs themselves. The tasks in this chapter will ensure that you have a clean environment to detect, eradicate, and prevent viruses. This is like a surgical team establishing a "sterile field" before performing surgery. Once it is established, they make sure that everything brought into the field has already been sterilized. In this procedure, you will create a clean anti- viral start-up diskette with which you can always re- establish the sterile field. Your VirusScan archive (.ZIP) file is created with authenticity checks and a serial number embedded in it to ensure that it has not been tampered with or modified. Additionally, VirusScan comes with Validate, a Cyclic Redundancy Check (CRC) program that computes a check-sum for VirusScan's files. Once you have unpacked the VirusScan archive, you should copy all the files to a diskette in drive A: and write-protect it to ensure that no virus can alter the programs and information stored there. Under no circumstances should you remove the write protection. Label this diskette as your 'VirusScan Program Diskette.' Here's a summary of the tasks you'll follow in this chapter: o Installing VirusScan. o Scanning your system. o If you detect a virus. o Activating VShield(TM). o Making a clean start-up (boot) diskette. o Running the VirusScan programs. o When to scan for viruses. o Updating VirusScan regularly. NOTE: Because OS/2 programs run in a protected mode, OS/2 systems are not vulnerable to viruses as DOS and Windows Using VirusScan (Version 2.0) 11 systems are. Many OS/2 users run DOS and Win-OS/2 sessions, however, and they are still vulnerable. By using the VirusScan programs as described in this manual, you can protect the DOS and Win-OS/2 portions of your OS/2 system from infection. Using VirusScan (Version 2.0) 12 INSTALLING VIRUSSCAN This task explains how to check your system and install the VirusScan software under DOS, Windows, or OS/2. Don't use any other method to install VirusScan, or you risk spreading a virus. INSTALLATION STEPS Start from the system prompt (C:\> or [C:\]). If you are running Windows or an application program, exit from it to display the prompt. If you are running OS/2, close all DOS and Win-OS/2 sessions open the Command Prompts folder in the OS/2 System folder, and click on either the OS/2 Full Screen or OS/2 Window icons. After typing each entry on the command line, press . 1. Create a directory to contain the VirusScan files, as in the following example: C:\> mkdir c:\mcafee and press . If you have an earlier version of VirusScan already installed, create a separate directory (such as c:\newvscan) for the new version. (You should test the new version before removing the earlier version.) 2. Copy the VirusScan archived (.ZIP) file to this directory, as in the following example: C:\> copy c:\download\*.zip c:\mcafee and press . 3. Change to the VirusScan directory you just created, as in the following example: C:\> cd c:\mcafee and press . 4. Unzip the file using PKUNZIP.EXE, as in the following example: C:\mcafee> PKUNZIP *.ZIP and press . Using VirusScan (Version 2.0) 13 5. Run VirusScan to check your local hard disk(s) by typing: c:\mcafee> scan /adl and pressing . It may take several minutes for the Scan program to check for viruses in memory, then on the system and user portions of your drives. Scan keeps you informed of its progress. Read the information carefully, and write down the name of any viruses Scan reports. 6. If Scan does not report any viruses, congratulations --most likely your system is currently virus-free. Continue with "Making a Clean Start-Up Diskette" in this chapter. If Scan finds one or more viruses you'll see a message like: Found the Jerusalem Virus Stop the installation. Don't panic, even if the virus has infected many files. At the same time, don't run any other programs, especially if the virus is found in memory. Go directly to "If You Detect a Virus" later in this chapter for further instructions. 7. Create a directory on your hard disk to store the VirusScan files in by typing: C:\> mkdir mcafee and pressing . 8. Copy the VirusScan files from the 'VirusScan Program Diskette' in drive A: to your hard disk by typing: C:\> copy a:\*.* c:\mcafee and pressing . VirusScan has now been installed onto your hard disk. Now your system's startup files must be modified to find VirusScan on your system. 9. DOS and Windows users: Using a text editor program, load your AUTOEXEC.BAT file. Locate the path statement, which typically begins with a 'PATH' or 'SET PATH =' statement. Place your cursor at the end of this line and type: ;C:\MCAFEE Using VirusScan (Version 2.0) 14 and press . Now save your AUTOEXEC.BAT file and exit the editor. NOTE: If a semi-colon ";" is already present at the end of the line, do not add one to the path statement. OS/2 users: Make the same change listed above to the 'SET PATH=' statements in your CONFIG.SYS file. Now save your CONFIG.SYS file and exit the editor. Congratulations! You've successfully installed VirusScan. Restart your computer now and continue with this chapter to see how you can use VirusScan to keep your computer virus- free. We recommend looking over the following sections in this chapter: "Scanning Your System" "If You Detect A Virus" "Activating VShield" "Making A Clean Start-Up Diskette" so you'll know what took place during installation. Then continue with the remaining tasks in this chapter, beginning with "Running the VirusScan Programs" to find out how and when to run and update the VirusScan programs. Using VirusScan (Version 2.0) 15 SCANNING YOUR SYSTEM VirusScan's Scan program examines your PC and disks to detect viruses there. The first time you run Scan, do so from the original, write-protected diskette so that the programs themselves cannot be infected. Start from the system prompt (C:\> or [C:\]). If you are running Windows or an application program, exit from it to display the prompt. If you are running OS/2, close all DOS and Win-OS/2 sessions. Next, open the Command Prompts folder in the OS/2 system folder, then click the OS/2 Full Screen or OS/2 Window icon. After typing each entry on the command line, press . If you include the /REPORT option, Scan saves a report of infected files and any system errors to a log file that you specify. o Insert the 'VirusScan Program Diskette' in drive A: o Scan your C: drive for known viruses by typing: C:\> a:scan c: /report c:\virus.log OS/2 Users: Be sure to replace "a:scan" with "a:os2scan" in the above example. Or, if you have more than one hard drive, scan them in the same fashion. For example, if you have C and D drives: C:\> a:scan c: d: /report c:\virus.log You can also scan all local drives using the /ADL option. For example: C:\> a:scan /adl /report c:\virus.log Using VirusScan (Version 2.0) 16 It may take several minutes for the Scan program to check for viruses in memory, then on the system and user portions of your drives. Scan keeps you informed of its progress. Read the information on the screen carefully. Below is a sample of what Scan reports when checking a drive for viruses: ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Database file V1.00 created Fri Apr 1 12:01:00 1994 ³ ³ Finished scanning memory for viruses. ³ ³ Scanning C: ³ ³ ³ ³ Summary report on C: ³ ³ ³ ³ File(s) ³ ³ Analyzed: .............. 1500 ³ ³ Scanned: ............... 750 ³ ³ Possibly Infected: ..... 0 ³ ³ Master Boot Record(s):.. 1 ³ ³ Possibly Infected:...... 0 ³ ³ Boot Sector(s):......... 1 ³ ³ Possibly Infected:...... 0 ³ ³ ³ ³ Time: 60.00 sec. ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ o If Scan reports 0 viruses found, congratulations--most likely your system is currently virus-free. Skip to "Activating VShield" later in this chapter to continue. If Scan finds one or more viruses, you'll see a message like: ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Scanning C: ³ ³ Scanning file C:\DOS\ATTRIB.EXE ³ ³ Found the Jerusalem virus ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Don't panic, even if the virus has infected many files. At the same time, don't run any other programs, especially if the virus is found in memory. Turn to "If You Detect a Virus" later in this chapter, where VirusScan will help you eradicate it. o Scan has many options to control and fine-tune the scope, validation, and operation of its scan. For details, see Chapter 3 and "Detecting new and unknown viruses" in Chapter 4. Using VirusScan (Version 2.0) 17 IF YOU DETECT A VIRUS In this task, you will run Scan with the /CLEAN option to eradicate most known viruses from your disks. o If you are at all unsure about how to proceed once you've found a virus, contact McAfee for assistance (see "Technical Support" in Chapter 1). We strongly recommend that you get experienced help in dealing with viruses if you are unfamiliar with anti-virus software and methods. This is especially true for "critical" viruses and master boot record (MBR or so-called "partition table")/boot sector infections, because improper removal of these viruses can result in the loss of all data and use of the infected disks. RESTART FROM A CLEAN ENVIRONMENT You must run Scan from a clean, virus-free environment. With DOS or Windows, restart from a clean diskette. With OS/2, simply close all DOS and Win-OS/2 sessions. DOS or Windows With DOS or Windows, the only way to ensure a clean environment is to turn your computer off to eliminate any viruses in memory, then restart from a virus-free floppy diskette in drive A:, preferably the original, write- protected DOS installation diskette that came with your computer. If you don't have one, borrow or buy one; don't use a diskette that might be infected. (You will create a new anti-viral diskette in "Making a Clean Start-Up Diskette" later in this chapter to use in the future, but you need a clean environment before you create one.) 1. Turn off your computer. (Don't just reset or reboot, which may leave some viruses intact in the computer's memory.) 2. Make sure your clean boot (start-up) diskette is write- protected. o For a 3.5" diskette, slide its corner tab so that the square hole is open. o For a 5.25" diskette, cover its corner notch with a write-protect tab. Be sure to use the black or silver write-protect stickers provided with your diskettes, not transparent tape, which is ignored by the floppy drive's infrared write-protection mechanism. Using VirusScan (Version 2.0) 18 3. Insert your start-up diskette in drive A:. 4. Turn on your computer and wait until you see the system prompt (probably A>). Don't run any programs on your hard disk, or you may reactivate the virus. OS/2 With OS/2, you can eliminate most viruses from memory by closing all DOS, Win-OS/2, and virtual DOS machine (VDM) sessions. Because OS/2 programs run in protected mode, viruses cannot spread between them. BACK UP YOUR HARD DISK Some viruses may leave certain disks or files unusable when cleaned up. To increase your chance of recovery, copy all the files on all of your hard disks onto fresh diskettes or a backup tape after booting from a clean copy of the operating system. You can use a commercial backup program, or the one included with DOS or OS/2. Scan the program disk first to make sure that the backup program itself is not infected. Do not run the backup program if it is infected. Instead, reload it from your original installation diskettes. Although some of the backed-up files may be infected, it is better to have current copies than not. However, don't overwrite previous backup disks or tapes, which may or may not be infected. RUN SCAN WITH THE /CLEAN OPTION Start from the system prompt (probably A> or [A:\]). If you are running OS/2, open the Command Prompts folder in the OS/2 system folder, and click on the OS/2 Full Screen or OS/2 Window icons. After typing each entry on the command line, press [Enter]. 1. Insert the 'VirusScan Program Diskette' in drive A:. 2. Eliminate the first known virus on your hard drive(s) by typing: DOS or Windows A> a:scan /adl /clean OS/2 [A:\] a:os2scan /adl /clean Using VirusScan (Version 2.0) 19 Scan keeps you informed of its progress and generally reports that a virus was removed successfully. If Scan reports that the virus could not safely be removed, see the next section, "If Viruses Were Not Removed, Contact Technical Support." 3. Repeat step 2 for other viruses found by Scan, and for other infected hard drives. For example: DOS or Windows A> a:scan /clean d: OS/2 [A:\] a:os2scan /clean d: o Scan has options to control and fine-tune the scope, validation, and operation of its disinfection. For details, see Chapter 3. If Viruses were NOT removed, contact Technical Support If Scan can't remove a virus, it will tell you: Virus cannot be safely removed from this file. Make sure to take note of the filename, because you will need to restore it from backups. Run Scan again, this time using the /CLEAN and /DEL options to delete the remaining infected files, as described in Chapter 3. If you have any questions, contact McAfee (see "Technical Support" in Chapter 1). If viruses were safely removed, rescan and check diskettes If Scan has successfully removed all the viruses, restart your computer. Restart installation as described in "Installing VirusScan" earlier in this chapter. Assuming that your system is now virus-free, installation will scan your system, activate VShield, and make a clean start-up diskette as part of the installation procedure. Thereafter, you can proceed to "Running the VirusScan programs" later in this chapter. One common source of virus infection is floppy diskettes. Once you've finished installing VirusScan on your hard disk, use Scan again to examine and disinfect the diskettes you use, as described in "When to Rescan," in this chapter. Using VirusScan (Version 2.0) 20 FALSE ALARMS Due to the nature of anti-virus software, there is a small possibility that Scan may report a virus in a file that is not infected. This can be more likely if you are using more than one brand of virus protection software, especially if the virus is only reported in memory and not anywhere on the disk when you boot. If Scan reports a virus infection that you suspect may be in error, contact McAfee (see "Technical Support" in Chapter 1). You can upload the file to our bulletin board system at (408) 988-4004, along with your name, address, daytime telephone number, and electronic mail address (if any). ACTIVATING VSHIELD VirusScan's VShield program can help prevent viruses from infecting your system. It runs as a "terminate-and-stay- resident" (TSR) program, remaining in memory and scanning and intercepting programs as they are executed. To install VShield, use your editor to load your AUTOEXEC.BAT file. Insert the following as the first line: C:\MCAFEE\VSHIELD If you load network drivers, disk-caching software, or other memory-resident programs that changes the way in which you access disks, insert a second VShield line after the last invocation of such software: C:\MCAFEE\VSHIELD /RECONNECT and press . This reactivates VShield if it has been deactivated by another memory-resident program. Now save your AUTOEXEC.BAT file. Using VirusScan (Version 2.0) 21 Windows VShield can display messages from within Windows in a message dialog. This is done through VShield's Windows Messager. If you choose not to install the Messager, VShield will still detect viruses, but will not be able to report them to you. 1. To activate the Messager, you must copy the VSHLDWIN.EXE file from your VirusScan directory (typically C:\MCAFEE) to your Windows directory (typically C:\WINDOWS). You can do this by typing: C:\> copy c:\mcafee\vshldwin.exe c:\windows and pressing . 2. Go to your Windows directory, and using a text editor program, load your WIN.INI file. Go to the [Windows] settings and insert the following line: load=vshldwin.exe NOTE: If you already have a "load=" line in your WIN.INI file, go to the end of it and type: ; vshldwin.exe and press . Now save your WIN.INI file and exit the editor. VShield will now run whenever you start or restart your computer. To activate VShield at any time: DOS or Windows - Restart your computer by pressing the , , and keys simultaneously, or by turning it off and then on again (if Windows is running, exit out of it before doing restarting your computer). OS/2 - Restart all DOS and Win-OS/2 windows. o If you have difficulties running VShield, it may be due to conflicts with other TSR programs in your system, or with other programs that monitor disk access. See Chapter 3 in the VShield documentation for details, and Chapter 4, "Tips and Troubleshooting," in this document for more information. Contact McAfee technical support if you need help (see "Technical Support" in Chapter 1). Using VirusScan (Version 2.0) 22 o VShield normally occupies up to 67Kb of conventional (base 640Kb) memory. VShield minimizes the use of conventional memory by attempting to load into extended (XMS) memory, expanded (EMS) memory, upper memory, or a combination of them before using conventional memory. For computers with extreme available memory limitations, you can use VShield's /SWAP option to reduce its memory requirements to 7Kb, although this will decrease VShield's speed. For details, see Chapter 3 in the VShield documentation. o VShield has options to control and fine-tune the scope, validation, and operation of its virus prevention. For details, see Chapter 3 in the VShield documentation. o When used in conjunction with some of Scan's options, VShield can help protect your system from new and unknown viruses. For details, see "Detecting New and Unknown Viruses" in Chapter 4. o Under OS/2, VShield runs in DOS and Win-OS/2 sessions only, because current viruses can operate only in those sessions. o In Windows, you can use the VShield icon to turn messages from VShield on and off (VShield itself, however, remains active). For details, see Chapter 3 in the VShield documentation. Using VirusScan (Version 2.0) 23 MAKING A CLEAN START-UP DISKETTE In DOS or Windows, create a clean anti-viral start-up (boot) diskette that you can use to regain your "sterile field" if your system becomes infected. This is not necessary in OS/2, although it will be helpful to make backup copies of your OS/2 installation diskettes. DOS or Windows In DOS, start from the system prompt (C:\>). In Windows, you may open a DOS window, or duplicate these steps using Windows' File Manager. 1. Insert a blank or dispensable diskette into drive A. Make sure the diskette contains no important information, as this procedure will erase it. 2. Format the disk as a DOS-bootable diskette with the system files on it by typing: C:\> format a: /s /v /u and pressing . If you are using a version of DOS before DOS 5.0, do not type the "/u" option. The /U option is used in recent versions of DOS to insure that the floppy diskette is erased completely (earlier versions of DOS automatically do this). When prompted for a volume label, type: virusfree01 and press , or use another name of up to 11 characters. 3. Copy the VirusScan program files onto the diskette. Here's one way to do this, assuming that your VirusScan files are stored in C:\MCAFEE: C:\> copy c:\mcafee\scan.exe a: C:\> copy c:\mcafee\scan.dat a: C:\> copy c:\mcafee\clean.dat a: C:\> copy c:\mcafee\names.dat a: 4. Copy useful DOS programs to the diskette. Here's one way to do this, assuming that your DOS files are stored in C:\DOS: C:\> copy c:\dos\format.* a: C:\> copy c:\dos\xcopy.* a: C:\> copy c:\dos\diskcopy.* a: C:\> copy c:\dos\sys.* a: Using VirusScan (Version 2.0) 24 C:\> copy c:\dos\fdisk.* a: C:\> copy c:\dos\debug.* a: C:\> copy c:\dos\unerase.* a: C:\> copy c:\dos\mem.* a: C:\> copy c:\dos\chkdsk.* a: In the same way, copy other DOS programs that you think might be useful. 5. Remove the diskette from the drive and write-protect it so that it cannot become infected. o For a 3.5" diskette, slide its corner tab so that the square hole is open. o For a 5.25" diskette, cover its corner notch with a write-protect tab. Be sure to use the opaque write-protect stickers provided with your diskettes, not transparent tape. 6. Label the diskette "Virus-Free Boot Disk" and put it away in a secure place in case you need to reestablish a virus-free environment in the future. You may want to include supplemental information on the disk label, such as the date and versions of DOS and VirusScan. OS/2 With OS/2, you don't need a virus-free start-up disk. However, it will be helpful to keep a clean copy of important files, such as your system configuration files. Copy your CONFIG.SYS, STARTUP.CMD, and AUTOEXEC.BAT files onto an empty, formatted diskette. Write-protect the diskette, label it, and put it away in a secure place. Using VirusScan (Version 2.0) 25 RUNNING THE VIRUSSCAN PROGRAMS VIRUSSCAN FOR DOS To run the VirusScan programs from the DOS command prompt, type the program name (SCAN) on the command line. Follow the program name with the drive, directory, or file(s) you want to scan for viruses and the options you want to use. Note: If you have not changed the path statement in your AUTOEXEC.BAT file, you will need to include its location (usually C:\MCAFEE) in the command, or change to that directory. For example, to examine a diskette in drive A: type: C:\> c:\mcafee\scan a: and press . EXCEPTION: If Scan detects a virus in memory or on your hard disk, don't run Scan with the /CLEAN option from C:\MCAFEE. Instead, restart your computer and run Scan from your clean start-up diskette as described in "If you detect a virus" in this chapter. VirusScan can list the viruses it detects. To view this list, run Scan with the /VIRLIST option, described in Chapter 3. VSHIELD VShield loads automatically upon startup for DOS and Windows computers, or when a DOS or Win-OS/2 session is started within OS/2. o You can change VShield options from the DOS command line by removing VShield from memory and re-running it, or by editing the VShield command line in your AUTOEXEC.BAT file. See Chapter 3 in the VShield documentation for details. Using VirusScan (Version 2.0) 26 VIRUSSCAN FOR OS/2 To run Scan from OS/2, open the Command Prompts folder in the OS/2 System folder and click on the OS/2 Full Screen or OS/2 Window icons. Next, type the program name (OS2SCAN) on the command line. Follow the program name with the drive, directory, or file(s) you want to scan for viruses and the options you want to use. Note: If you have not changed the PATH and LIBPATH statements in your CONFIG.SYS file, you will need to include its location (usually C:\MCAFEE) on the command line, or change to that directory. For example, to examine a diskette in drive A: type: [C:\] c:\mcafee\os2scan a: and press . o VShield does not run in native OS/2 sessions, only under DOS and Win-OS/2 sessions inside of OS/2. If you have placed the VShield command in your AUTOEXEC.BAT file, it will run automatically when you start a DOS or Win-OS/2 session. You can also run it from the DOS command line, as described earlier in this section. Using VirusScan (Version 2.0) 27 WHEN TO RESCAN Although VShield will monitor your software for viruses, it's wise to scan your disks when you introduce new programs or disks that may be infected. New programs and files are generally introduced in two ways: by inserting a diskette, and by installing new programs. It is also possible to download a computer virus using a modem, however, this is extremely rare. o You can use VShield with the /ANYACCESS option to scan diskettes automatically. For more information, see the discussion of /ANYACCESS in Chapter 3 in the VShield documentation. o For instructions on running VirusScan, see "Running the VirusScan programs" earlier in this chapter. WHEN YOU INSERT AN UNCHECKED DISKETTE Every time you insert a new diskette in your drive, run Scan on it before executing, installing, or copying its files. If you have several diskettes to scan, you can scan them consecutively. In fact, we recommend doing this now with all the diskettes you normally use, as well as diskettes received from friends, co-workers, salespeople, and even your own diskettes if they have been in another PC. WHEN YOU INSTALL OR DOWNLOAD NEW FILES Every time you install new software on your hard drive, or download executable files from a network server, bulletin board, or on-line service, run Scan on the directory the files were placed in before executing the files. Using VirusScan (Version 2.0) 28 UPDATING VIRUSSCAN REGULARLY Unfortunately, new viruses (and variants of old ones) appear and circulate often in the personal computer community. Fortunately, McAfee updates the VirusScan programs regularly--usually every month, but sooner if many new viruses have appeared. Each new version may detect and eradicate as many as 60-100 new viruses or more, and may add new features. To find out what's new, review the README.1ST text file. DOWNLOADING NEW VERSIONS You may use your own communications software to download new versions from the McAfee bulletin board, CompuServe, or the Internet. See Chapter 1, "Welcome to VirusScan" for more information. Always download and decompress the files in a separate directory from your current files. That way, if you discover a problem with the new files, you'll still have the old ones intact. VALIDATING VIRUSSCAN When you download a program file from any source other than the McAfee bulletin board system or other direct-from-McAfee service, it's important to verify that it is authentic, unaltered, and uninfected. McAfee anti-virus software includes a program called Validate that helps you do this. When you receive a new version of VirusScan, run Validate on all of the program files. To do this for Scan, start from the system prompt (C:\> or [C:\]): 1. Change to the directory to which you've downloaded the files. For example, if you've stored the files in C:\DOWNLOAD, type: C:\> cd \download and press . 2. Type the command: C:\DOWNLOAD> c:\mcafee\validate scan.exe and press . Using VirusScan (Version 2.0) 29 OS/2 Users: Be sure to replace SCAN.EXE with OS2SCAN.EXE as the file to be validated. 3. Compare the results with the information in the README.1ST file or other text file for the program you have just validated. If the validation results match what's in the file, it is highly unlikely that the program has been modified. 4. Once you have validated the new version, copy it into your C:\MCAFEE directory. In addition, create a new "VirusScan Start-Up Diskette" containing the new version. UPDATE YOUR CLEAN START-UP DISKETTE Once you have validated the new version, copy it into your C:\MCAFEE directory. In addition, copy the Scan program onto your clean start-up diskette. Below is one way to do this; you may also use the Windows File Manager or the OS/2 environment. Note any changes you've made to default options, because you may want to select and save them again. Start from the system prompt (C> or [C:\]). 1. Navigate to the directory to which you've retrieved the files, such as C:\MCAFEE: cd c:\mcafee 2. Temporarily remove write-protection from your clean start-up diskette and insert it in drive A. o For a 3.5" diskette, slide its corner tab so that the square hole is closed. o For a 5.25" diskette, remove the tab or tape from its corner notch. 3. Copy the Scan program, and its data files to the diskette. DOS or Windows C> copy SCAN.EXE a: C> copy *.DAT a: OS/2 [C:\] copy OS2SCAN.EXE a: [C:\] copy *.DAT a: 4. Remove the diskette from the drive and write-protect it again. Using VirusScan (Version 2.0) 30 Chapter 3: VIRUSSCAN REFERENCE VirusScan(TM)'s Scan program detects, identifies, and disinfects known DOS computer. Scan checks memory and both the system and data areas of disks for virus infections. If Scan finds a known virus, in most cases it will eliminate the virus and fully restore infected programs or system areas to normal operation. To obtain a list of all the viruses that Scan detects, run SCAN with the /VIRLIST option. In addition, Scan can also assign validation and recovery codes to files, and then use those codes to detect and treat infection by new and unknown viruses. If Scan has stored validation or recovery data for files, it may detect file changes and warn that infection by an unknown virus may have occurred. Scan can also use the recovery codes to remove new or unknown viruses and restore infected files, master boot record (MBRs), and boot sectors. This chapter describes how to use Scan from the DOS or OS/2 command prompt. The command-line versions of VirusScan run under DOS and OS/2. The program files are SCAN.EXE and OS2SCAN.EXE, respectively. This chapter describes them both. Note: Because OS/2 operates in a protected mode environment, Scan for OS/2 does not check memory. To protect against viruses in OS/2 DOS and Win-OS/2 sessions, use the VShield(TM) virus prevention program. DO YOU NEED TO READ THIS CHAPTER? Many users will not need the Scan command line options described in this chapter. We have designed Scan so that basic operation, as described in "Scanning Your System" and "When to Rescan" in Chapter 2, will detect most viruses in your system. The command line options described here offer additional power and control over virus detection. They enable you to run Scan from batch or script files, and are most useful in vulnerable environments and to network administrators and information services staff. Using VirusScan (Version 2.0) 31 SYSTEM REQUIREMENTS AND SUPPORT Scan requires DOS 3.0 or later, Windows 3.1 or later, or IBM OS/2 Version 2.0 or later. Running Scan for DOS requires 340Kb of free RAM. Scan works with 3Com 3/Share and 3/Open, Artisoft LanTastic, AT&T StarLAN, Banyan VINES, DEC Pathworks, IBM LAN Server, Microsoft LAN Manager, Novell NetWare, and any other IBMNET- or NETBIOS-compatible network operating systems. Contact McAfee or your local authorized agent if you do not see your network listed (see "Technical Support" in Chapter 1). Scan is designed to check for pre-existing infections of known and unknown viruses on floppy, hard, CD-ROM, and compressed (SuperStor, Stacker, DoubleSpace, and so on) disks on both stand-alone and networked personal computers, as well as network file servers. If you have a Novell NetWare/386 V3.1X or 4.01 file server, you may want to use the NETShield(TM) virus prevention NetWare Loadable Module in conjunction with Scan. o To use Scan to clean up (disinfect) virus-infected files, the CLEAN.DAT file must be present in the same subdirectory as Scan. If you don't have the CLEAN.DAT file, first verify whether you should contact your system administrator or information systems staff directly for virus clean-up. Otherwise, you can contact McAfee (see "Technical Support" in Chapter 1). TECHNICAL OVERVIEW KNOWN VIRUS DETECTION Scan detects known viruses by searching the system for known characteristics (sequences of code) unique to each computer virus and reporting their presence if found. For viruses that encrypt or cipher their code so that every infection is different, Scan uses detection algorithms that work by statistical analysis, heuristic analysis, and code disassembly. NEW AND UNKNOWN VIRUS DETECTION Scan can also check for new or unknown viruses by comparing files against previously recorded validation data. If a file has been modified, it will no longer match the validation data, and Scan will report that the file may have become infected. With certain options, Scan /CLEAN can use the validation and recovery data to restore infected files, master boot records (MBRs), or boot sectors. Using VirusScan (Version 2.0) 32 NOTE TO NETWORK USERS To use Scan on a network drive (or directory), you must be connected to that drive and have read access to it. Some command line options described in this chapter attempt to create, change, and delete files. To use these options, you must have sufficient access rights. If you have questions about access rights, contact your network administrator. Using VirusScan (Version 2.0) 33 VALIDATING SCAN The VirusScan program has several safeguards to ensure that it remains free of viruses. See "Validating VirusScan" in Chapter 2 for more information. We recommend that you update your copy of the VirusScan programs regularly. You can obtain an upgrade from several sources, as described in "Updating VirusScan Regularly" in Chapter 2. Before using a new version of Scan for the first time, verify that it has not been tampered with or infected by using the Validate program, as described in "Validating VirusScan" in Chapter 2. If your new copy of Scan differs from the validation data in the on-line documentation file, it may have been damaged. Don't use it, and obtain a clean copy of Scan from a known source. Scan performs an integrity test when run. This self-check allows Scan to determine if it has been modified. If Scan fails its integrity test, a warning message will appear, and Scan will refuse to run and return to the command line prompt. If Scan reports that it failed its integrity check, you must then obtain an undamaged copy before continuing. RUNNING SCAN FROM THE COMMAND LINE Scan checks files and other areas of the system that can contain computer viruses. When a virus is found, Scan identifies it and the system area or file where it was found. By default, Scan examines all files on a system. Once you've installed VirusScan and have established a "sterile field" (as described in Chapter 2), you might not need to scan every file on your system again, just the executable files (.EXE, .COM, .SYS, .BIN, .OVL, and .DLL files). Use the /STD option to scan executable files only. (Note that the list of extensions for standard executables has changed from previous versions of Scan.) Using VirusScan (Version 2.0) 34 From DOS or OS/2, you can run Scan from the command line prompt. (From OS/2, open the Command Prompts folder in the OS/2 system folder, then choose the OS/2 Full Screen or OS/2 Window icons to see the command line prompt.) The syntax is: DOS C:\> scan {drives} [options] OS/2 [C:\] os2scan {drives} [options] {drives} indicates one or more drives to be scanned. You must specify one or more drives to scan. If you list a drive like C:, all of its subdirectories will be scanned. If you list \, only the root directory and boot area of the current disk will be scanned. If you list a directory or \, its subdirectories will not be scanned unless you use the /SUB option. [options] indicates one or more of the Scan options listed in the "Scan Command Line Option Summary" on the following page. Using VirusScan (Version 2.0) 35 SCAN COMMAND LINE OPTION SUMMARY /? or /HELP Display help screen. /ADL Scan all local drives (except floppy drives). /ADN Scan all network drives. /AF {filename} Store validation/recovery codes in filename. /APPEND Append to rather than overwrite, the report file (/REPORT). /AV Add validation/recovery data to program files. /BOOT Scan master boot record and boot sector only. /CF {filename} Check validation/recovery codes in filename. /CLEAN Clean up infections in master boot records, boot sectors, and files when possible. /CV Check validation/recovery data in files. /DEL Overwrite and delete infected files. /EXCLUDE {filename} Exclude from scan any files listed in filename. Typically used in conjunction with the /AV option. /FAST Speed up VirusScan's scanning; may detect fewer viruses. /LOAD {filename} Use Scan settings stored in filename. /LOG Save date and time VirusScan was last run in SCAN.LOG. Using VirusScan (Version 2.0) 36 /MOVE {directory} Move infected files to directory. /NOMEM Skip memory checking (not applicable to OS/2). /PAUSE Enable screen pause at end of display page. /PLAD Preserve Last-Access date of scanned files on Novell drives. /REPORT {filename} Create report of infected files found during scan in filename. /RF {filename} Remove validation/recovery codes in filename. /RPTCOR Add list of corrupted files to the report file (/REPORT). /RPTERR Add list of system errors to the report file (/REPORT). /RPTMOD Add list of modified files to the report file (/REPORT). /RV Remove validation/recovery data from files. /SHOWLOG Display information in SCAN.LOG. /STD Scan executable files only (.COM, .EXE, .SYS, .BIN, .OVL, and .DLL) /SUB Scan subdirectories inside a directory. /VIRLIST Display list of viruses detected by VirusScan. Using VirusScan (Version 2.0) 37 SCAN OPTION DESCRIPTIONS Here is a detailed description of Scan's options. /? or /HELP Display list of Scan options Displays a list of Scan command line options with a brief description of each. No virus scanning will be performed when these options are specified. Use either of these options alone on the command line. /ADL Scan all local drives (except floppy drives) Scans all local drives for viruses, in addition to those specified on the command line. In DOS, use /ADL to check all local drives, including compressed drives and CD-ROMs. To scan both local and network drives, use /ADL and /ADN together in the same command line. /ADN Scan all network drives Scans all network drives for viruses, in addition to those specified on the command line. To scan both local and network drives, use /ADL and /ADN together in the same command line. /AF {filename} Store validation/recovery codes in file Helps you detect and recover from new or unknown viruses. /AF logs validation and recovery data for the executable files, boot sector, and master boot record (MBR) of a disk in the file you specify. The log file is about 95 bytes per file validated. You must specify a filename, which can include the target drive and directory (such as D:\VAL\DRIVES.VAL). If the target path is a network drive, you must be able to create and delete files in that drive. If filename exists, Scan updates it. The /AF option adds about 300% more time to scanning. To exclude self-modifying or self-checking files that might cause false alarms, use the /EXCLUDE option. To recover from a virus using the /AF information, use the /CF and /CLEAN options together in the same command line. Using any of the /AF, /CF, or /RF options together in the same command line returns an error. o /AF performs the same function as /AV, but stores its data in a separate file rather than changing the executable files themselves. For more information, see "Detecting new and unknown viruses" in Chapter 4. Using VirusScan (Version 2.0) 38 /APPEND Append to the report file. Used in conjunction with /REPORT, appends the report message text to the specified report file, if it exists. Otherwise, the /REPORT option overwrites the specified report file, if it exists. /AV Add validation/recovery data to files Helps you detect and recover from new or unknown viruses. /AV adds recovery and validation data to each standard executable file (.EXE, .COM, .SYS, .BIN, .OVL. and .DLL), increasing the size of each file by 98 bytes. To update files on a shared network drive, you must have update access rights. The /AV option adds about 100% more time to scanning. To exclude self-modifying or self-checking files that might cause false alarms, use the /EXCLUDE option. To recover from a virus using the /AF information, use the /CV and /CLEAN options together in the same command line. Using any of the /AV, /CV, or /RV options together in the same command line returns an error. o The /AV option does not store any information about the master boot record (MBR) or boot sector of the drive being scanned. /BOOT Scan boot sector and master boot record only Scans the boot sector and master boot record on the specified drive(s), but not the files or directories on those drives. /CF {filename} Check validation/recovery codes in file Helps you detect new or unknown viruses. Checks validation data stored by the /AF option in filename. If a file or system area has changed, Scan reports that a viral infection may have occurred. The /CF option adds about 250% more time to scanning. For more information, see "Detecting New And Unknown Viruses" in Chapter 4. You can use /CF and /CLEAN in the same command line to check validation/recovery codes and remove any viruses found. Using any of the /AF, /CF, or /RF options together in a command line returns an error. o Some older Hewlett-Packard and Zenith PCs modify the boot sector each time the system is booted. If you use /CF or /CV, Scan will continuously report that the boot sector has been modified even though no virus may be present. Check your system's technical reference manual to determine whether your PC has self-modifying boot code, or contact McAfee for help (see "Technical Using VirusScan (Version 2.0) 39 Support" in Chapter 1). o OS/2 dual boot systems change the boot sector between DOS and OS/2 depending on which operating system is active. This causes Scan to report that the boot sector has been modified. /CLEAN Remove viruses from boot sector, master boot record (MBR), and infected files Attempts to restore the boot sector, if infected, and any infected files. Usually, between 10% and 20% of all viruses are not removable; they damage the file they infect beyond repair. If the infected file resides on a network drive, you must be able to modify files on that drive to clean it. If it cannot restore a file, you'll see a message that identifies the name of the unrecoverable file. To use /CLEAN, the CLEAN.DAT file must reside in the Scan directory. Use /CLEAN instead of /DEL when you want to restore infected files, not just delete or overwrite them. The /CLEAN option can remove master boot record and boot sector viruses, but the /DEL option cannot. If you use /CLEAN and /DEL in the same command line, Scan first attempts to disinfect an infected file, then deletes it only if it cannot be repaired. Similarly, if you use /CLEAN and /MOVE in the same command line, Scan attempts first to clean an infected file, then moves it automatically if the file is unrecoverable. You can use /CLEAN and /CF or /CV in the same command line to check validation/recovery codes and remove any viruses found. We strongly recommend that you get experienced help in dealing with viruses if you are unfamiliar with anti- virus software and methods. This is especially true for "critical" viruses and master boot record/boot sector infections, because improper removal of these viruses can result in the loss of all data on the infected disks. o When scanning a network drive using /CLEAN, you must have sufficient rights to update files on that drive. /CV Check validation/recovery data in files Helps you detect new or unknown viruses. Checks validation data added by the /AV option. If a file is modified, Scan reports that a viral infection may have occurred. The /CV option adds about 50% more time to scanning. You can use /CLEAN and /CF or /CV in the same command line to check validation/recovery codes and restore infected files. Using any of the /AV, /CV, or /RV options together in the same command line returns an error. Using VirusScan (Version 2.0) 40 /DEL Overwrite and delete infected files Deletes and overwrites each infected file. Files erased by the /DEL option cannot be recovered (generate a report so that you can restore them from backups). Instead of /DEL alone, we recommend using it in combination with the /CLEAN option to attempt to disinfect an infected file first, then delete it only if the file is unrecoverable. The /CLEAN option can remove master boot record and boot sector viruses, but the /DEL option cannot. o When scanning a network drive using /DEL, you must have sufficient access rights to delete files on that drive. /EXCLUDE {filename} Scan using exception list file Allows you to exclude files from /AF or /AV validation. Self-modifying or self-checking files can cause a false alarm during a scan. To create filename, see "Technical Note 1: Creating an Exception List File for the /EXCLUDE Option" in this chapter. /FAST Speed up VirusScan's scanning Reduces Scan time by about 15%. Using the /FAST option, Scan examines a smaller portion of each file for viruses, although it examines more files overall. Using /FAST might miss some infections found in a more comprehensive (but slower) scan. Do not use this option if you have found a virus or suspect one. /LOAD {filename} Use Scan settings stored in {filename}. By default, Scan loads its internal default settings plus any options specified on the command line. You can store all custom settings in a separate ASCII text file, then use /LOAD to load those settings from that file. Use a text editor to create the file. You can put all options on the same line separated by a space or put each option (with its parameter) on its own line, separated by a hard carriage return and line feed, as shown in the following examples: Using VirusScan (Version 2.0) 41 Sample load file with all options on the same command line: m: /report a:infectn.rpt /rptcor /rpterr Sample load file with each option on a separate command line: m: /report a:infectn.rpt /rptcor /rpterr /LOG Save date and time of last scan Stores the time and date Scan is being run by updating or creating a file called SCAN.LOG in the current directory. /MOVE {directory} Move infected files to directory Moves all infected files found during a scan to the specified directory. If you use /MOVE in conjunction with /CLEAN, Scan attempts to restore an infected file first, then moves it to the specified directory only if the file cannot be restored. Using /MOVE and /DEL in the same command line returns an error message. /NOMEM Skip memory checking Reduces scan time by omitting all memory checks for viruses. Use /NOMEM only when you are absolutely certain that your system is virus-free. By default, Scan checks system memory for all for critical known computer viruses that can inhabit memory. In addition to main memory from 0Kb to 640Kb, Scan checks upper memory from 640Kb to 1,024Kb and the high memory area from 1,024Kb to 1,088Kb that can be used by computer viruses on 286 and later systems. Memory above 1,088Kb is not addressed directly by the processor and is not presently susceptible to viruses. o /NOMEM is not applicable to OS/2. Using VirusScan (Version 2.0) 42 /PAUSE Enable screen pausing. If you specify /PAUSE, a "More? (H = Help)" prompt will appear when Scan fills up a screen with messages, such as when using the /SHOWLOG or /VIRLIST options. Otherwise, Scan will, by default, fill the screen with messages and scroll the screen continuously without stopping. This allows Scan to be run against PCs with many drives or on PCs with severe infections without requiring user intervention. We recommend that you omit /PAUSE when keeping a record of Scan's messages using the report options (/REPORT, /RPTCOR, /RPTMOD, and /RPTERR). /PLAD Preserve Last-Access date on NetWare drives. Prevents changing the Last-Access date attribute for files stored on a network drive of a Novell network. Normally, NetWare updates the Last-Access date when files are accessed on network drives. However, some tape backup systems use the Last-Access date to decide whether to back up the file. Use /PLAD to ensure that the last access date does not change as the result of scanning. /REPORT {filename} Create report of infected files and system errors Saves the output of Scan to filename in ASCII text file format. If filename exists, /REPORT erases and replaces it. You can include the destination drive and directory (such as D:\VSREPRT\ALL.TXT), but if the destination is a network drive, you must be able to create and delete files on that drive. You can also use /RPTCOR, /RPTMOD, and /RPTERR to add corrupted files, modified files, and system errors to the report. /RF {filename} Remove validation/recovery codes in file Removes validation and recovery data from filename created by the /AF option. If filename resides on a shared network drive, you must be able to delete files on that drive. Using any of the /AF, /CF, or /RF options together in the same command line returns an error. /RPTCOR Add corrupted files to Scan report Used in conjunction with /REPORT, adds the names of corrupted files to the report file. A corrupted file is a file that a virus has damaged beyond repair, which typically occurs in 10% to 20% of all viral infections. You can use /RPTCOR with /RPTMOD and /RPTERR on the same command line. Using VirusScan (Version 2.0) 43 /RPTERR Add errors to Scan report Used in conjunction with /REPORT, adds system errors to the report file. System errors include problems reading or writing to a diskette or hard disk, file system or network problems, problems creating reports, and other system-related problems. You can use /RPTERR with /RPTCOR and /RPTMOD on the same command line. /RPTMOD Add modified files to the Scan report Used in conjunction with /REPORT, adds the names of modified files to the report file. Scan identifies modified files when the validation/recovery codes do not match (using the /CF or /CV options). You can use /RPTMOD with /RPTCOR and /RPTERR on the same command line. /RV Remove validation/recovery from files Removes validation and recovery data from files validated with the /AV option, along with the SCAN.LOG file on the specified drive. To update files on a shared network drive, you must have access rights to update them. Using any of the /AV, /CV, or /RV options together in the same command line returns an error. /SHOWLOG Update and display the contents of SCAN.LOG Stores the time and date Scan is being run by updating or creating a file called SCAN.LOG in the current directory, and shows you the date and time of previous scans that have been recorded in the SCAN.LOG file using the /LOG switch. The SCAN.LOG file contains text and some special formatting. To pause when the screen fills with messages, specify the /PAUSE option. /STD Scan executable files only (.COM, .EXE, .SYS, .BIN, .OVL, .DLL) Reduces scan time when a full scan is not needed. Otherwise, Scan checks all files on the drive scanned and examines files in greater detail, which increases Scan's ability to detect viruses in overlay files but substantially increases the scanning time required. Do not use this option if you have found a virus or suspect one. (The list of extensions for standard executables has changed from previous releases of VirusScan.) Using VirusScan (Version 2.0) 44 /SUB Scan subdirectories By default, when you specify a directory to scan rather than a drive, Scan will examine only the files it contains, not its subdirectories. Use /SUB to scan all subdirectories inside any directories you've specified. Do not use /SUB if you are scanning an entire drive. /VIRLIST Display list of viruses detected by VirusScan Shows the name of the viruses that VirusScan detects. To pause when the screen fills with messages, specify the /PAUSE option. Use /VIRLIST alone on the command line. Using VirusScan (Version 2.0) 45 CLEANING VIRUSES Although /CLEAN removes many viruses and restores normal operation, viruses can be harmful and insidious, and no anti-virus program can undo all their damage. Usually, between 10% and 20% of all viruses corrupt the files they infect, making them unrecoverable. If the file is infected with an uncommon virus that /CLEAN can't remove, Scan notifies you and identifies the filename. Write down this filename so that you can restore it from a backup diskette or tape. If you use both the /CLEAN and the /DEL options, Scan will first attempt to repair an infected file and, if the file is damaged beyond repair, Scan will delete it. Deleted files are not recoverable except from backups. Some viruses damage or overwrite program (.EXE) files or overlay files. Removing the virus can truncate the file or otherwise render it inoperable. Others, like the common virus Stoned, infect the master boot record (MBR). On systems partitioned with programs other than DOS (such as Disk Manager and SpeedStor), removing the virus can cause loss of the master boot record (MBR) and all data on the disk if done improperly. BASIC PRINCIPLES TO MINIMIZE DAMAGE These considerations lead to the three important principles: 1. Before running Scan with the /CLEAN option, back up all of your programs and data. Of course, this works best if you backup your files regularly, so that you can restore your files from a backup made before your system was infected. But even a backup from an infected system can be useful for restoring data, because most viruses do not corrupt data. If a program no longer runs after being cleaned, replace it from the original disk or from a virus-free backup. When disinfecting an infected system, it is important to start from a "sterile field," as described in Chapter 2. 2. Before running Scan with the /CLEAN option for DOS, restart your computer from a clean, write-protected diskette; before running it for OS/2, close all DOS and Win-OS/2 sessions. Preferably, use the clean anti-virus start-up diskette you created in "Making a clean start-up diskette" in Chapter 2. And, because running any program can spread the infection: Using VirusScan (Version 2.0) 46 3. Do not run any programs, including Windows, before running Scan /CLEAN. Run Scan /CLEAN from DOS instead of from Windows. Exit completely from Windows. Do not run Scan /CLEAN from within a DOS window. IMPORTANT: If you are at all unsure about how to proceed once you've found a virus, contact McAfee technical support, or your local authorized agent, for assistance (see "Technical support" in Chapter 1). Using VirusScan (Version 2.0) 47 RUNNING SCAN TO CLEAN UP INFECTIONS Preparation 1. Before running Scan to clean up infections, clear the virus from system memory and prevent reinfection: o With DOS, turn off your PC, then restart from a clean start-up diskette, preferably the anti-virus diskette you prepared in "Making a clean start-up diskette" in Chapter 2. o With OS/2, close all DOS and Win-OS/2 sessions. o With an OS/2 dual-boot system infected by a boot sector virus (like FORM, Disk Killer, or others identified by Scan), boot (start up) OS/2 first, delete the BOOT.DOS file from the \OS2 directory, and then boot DOS to create a new, virus-free DOS boot sector file. 2. Run the Scan program to locate and identify the infections. 3. Back up the files on the infected disks (be sure not to overwrite any previous backups). 4. Repeat Step 1. 5. Don't run any programs, including Windows, before running Scan /CLEAN. If you have Windows, run Scan /CLEAN from DOS. 6. When disinfecting a hard disk, always run Scan /CLEAN from your write-protected VirusScan diskette to prevent infection of the Scan program. When disinfecting diskettes, make sure there is no active virus in memory before running Scan from your hard disk. Using VirusScan (Version 2.0) 48 SUCCESSFUL AND UNSUCCESSFUL RESULTS Scan /CLEAN reports the results of its attempt to remove the virus from each infected file. If a file has several infections, it will report on each. If viruses were not removed, contact technical support. If Scan can't remove a virus, you'll see a message like: Virus cannot be safely removed from this file. Make sure to take note of the file name, because you will need to restore it from backups. If you have any questions about how to proceed, contact McAfee technical support or your local authorized agent (see "Technical Support" in Chapter 1). IF VIRUSES WERE SAFELY REMOVED, RESCAN AND CHECK DISKETTES If Scan /CLEAN has successfully removed all the viruses, turn your computer off again and restart from the system disk. Scan your hard disks again to make sure they are virus-free. If you suspect that your system was infected from a diskette, run Scan from your hard disk to examine and disinfect the diskettes you use. Using VirusScan (Version 2.0) 49 EXAMPLES These examples show different option settings. In OS/2, remember to use OS2SCAN instead of SCAN. scan c: Scan all executable files on drive C. scan f: Scan drive F:, a network drive. scan c: /adl /adn Scan all local and network drives (except floppy drives). scan f: g: h: /del Scan all files on drives F:, G:, and H:, and delete any infected files found. scan c: d: e: /av Scan for viruses in all files and add validation codes to executable files on drives C:, D:, and E:. scan m: /report a:infectn.rpt /rptcor /rpterr Scan for viruses on network drive M: and create a log file of infections, corruptions, and errors in the file INFECTN.RPT on drive A:. scan e:\user\mike e:\user\chris e:\user\cindy /sub Scan all subdirectories inside the directories USER\MIKE, USER\CHRIS, and USER\CINDY on drive E:. scan c: d: e: /fast /cv Quickly scan drives C:, D:, and E:, and also report any executable files that do not have validation codes. scan c:\command.com Scan a single file. Using VirusScan (Version 2.0) 50 ERROR LEVELS o This section is primarily for network administrators, information systems staff, and other people who may want to run VirusScan from DOS batch files, network login scripts, or OS/2 REXX scripts. After Scan has finished running, it sets the ERRORLEVEL. You can use the ERRORLEVEL in batch or script files to take different actions based on the results of the scan. See your operating system documentation for information on creating these types of files. Scan returns the following ERRORLEVELs: ERRORLEVEL DESCRIPTION 0 No errors occurred and no viruses were found. 1 An error occurred while accessing a file (either reading or writing). 2 A VirusScan database (*.DAT) file is corrupted. 3 An error occurred while accessing a disk (either reading or writing). 4 An error occurred with the file created with the /AF option; the file has been damaged. 5 Insufficient memory to load program or complete an operation. 6 An internal program error occurred. 7 An error occurred while accessing or processing an international message file (MCAFEE.MSG). 8 A file required to run VirusScan, such as SCAN.DAT or NAMES.DAT, is missing. 9 Incompatible or unrecognized option(s) or argument(s) for an option were specified on the command line. 10 A computer virus was found in memory. 11 An internal program error occurred. Using VirusScan (Version 2.0) 51 12 An error occurred while attempting to remove a virus, such as no CLEAN.DAT file found or VirusScan was unable to remove the virus. 13 One or more viruses was found in the master boot record, boot sector, or file(s). 14 The SCAN.DAT file is out-of-date; please upgrade VirusScan data files. 15 VirusScan failed its self-check. It may be infected with a virus, tampered with, or damaged. 16 An error occurred while accessing or attempting to access a specified drive, directory, or file. 17 No drive, directory or file was specified for scanning. 18 A validated file has been modified and no longer matches its CRC check-sum (/CF or /CV options). 19 - 99 Reserved. 100+ An error within the operating system. VirusScan adds 100 to original error number. Using VirusScan (Version 2.0) 52 APPLICATION NOTE 1: UPDATING VALIDATION CODES If you install any new software or programs on your system, including a new version of DOS, and are running Scan or VShield with the /CF (preferred) or /CV validation options, you need to install validation codes for the new files with Scan's /AF (preferred) or /AV options. The quickest way to update the validation codes is to remove all validation codes from the hard disk and then add them back. To do this, first run Scan with the /RF or /RV option, then run it again with the /AF or /AV option. Using VirusScan (Version 2.0) 53 APPLICATION NOTE 2: REFORMATTING INFECTED DISKETTES WITH DOS 5.0 AND LATER When reformatting infected diskettes using DOS 5.0 and later versions, be sure to add the /U switch to the FORMAT command. This tells DOS to do an unconditional format of the diskette, without saving the original infected boot sector. This is necessary to erase certain infections, and will prevent reinfection by unformatting the diskette. Using VirusScan (Version 2.0) 54 TECHNICAL NOTE 1: CREATING AN EXCEPTION LIST FILE FOR THE /EXCLUDE OPTION If you set up validation codes using Scan's /AF or /AV options, subsequent scans using the /CF or /CV options will detect changes in executable files. This can generate false alarms if the executable files are self-modifying or self- checking (most programs that do this will tell you to turn off your anti-virus software before running them; some of these files are listed below). Therefore, use the /EXCLUDE option in conjunction with /AF or /AV to identify such files and exclude them from the validation. The exception list is an ASCII (or DOS) text file. If you use a word processor to create it, be sure to save the file as ASCII or DOS Text. Each line in the file contains the path and file name of one file that should not be validated. Here is an example: C:\CLIPPER\BIN\CLIPPER.EXE C:\123\123.COM C:\FOX\FOXPROLX.EXE C:\DOS\SETVER.EXE C:\PKWARE\PKLITE.EXE C:\PKWARE\PKZIP.EXE C:\PKWARE\PKUNZIP.EXE C:\SEMWARE\Q.EXE C:\SWAPVOL.COM C:\WORDSTAR\WS.EXE Using VirusScan (Version 2.0) 55 Chapter 4: TIPS & TROUBLESHOOTING The other chapters in this manual are meant to tell you clearly and concisely how to use the VirusScan(TM) software. Still, you may have questions or encounter confusing situations. This chapter contains two kinds of advice: o Tips for getting the most out of VirusScan. o Common problems and how to solve or avoid them. If this information doesn't help resolve your question or problem, contact McAfee (see "Technical Support" in Chapter 1). DETECTING NEW AND UNKNOWN VIRUSES There are two ways of dealing with new and unknown viruses that may infect your system: o Update VirusScan regularly. o Store and check validation and recovery information about your files. UPDATE VIRUSSCAN REGULARLY Most likely, McAfee will see new viruses long before you do. We update the VirusScan programs often--usually montly, but more often if many new viruses have appeared. Each new version may detect and eradicate as many as 60 to 100 new viruses or more, and may fix bugs that have been reported. Updating VirusScan regularly is probably all you need to do to protect against new viruses. See the instructions for obtaining new versions in "Updating VirusScan Regularly" in Chapter 2. USE THE VALIDATION AND RECOVERY OPTIONS If your environment is highly vulnerable to viruses, or you require unusual security against them, you can use VirusScan's validation and recovery options. Scan checks for new or unknown viruses by comparing files against previously recorded validation data. If a file has been modified, it no longer matches the validation data, and Scan reports that the file may have become infected. Scan has two levels of validation, which are stored in two separate ways: Using VirusScan (Version 2.0) 56 o It can store the enhanced code in a separate recovery file, which can be stored off-line (for example, on a diskette) for recovery purposes (/AF, /CF, and /RF switches). This is the preferred method because it stores the data for files, the boot sector, and the master boot record (MBR) of a disk in the recovery file. o It can append a 98-byte validation code to .COM and .EXE files (/AV, /CV, and /RV switches). This method applies to the files you specified only. It does not store data for the boot sector and master boot record (MBR). Once the validation codes are stored, both Scan and VShield can use the /CV and /CF options to detect changes to the files. More importantly, if you have stored the recovery information with /AF, Scan can use it to restore infected files, master boot record (MBRs), and boot sectors. All of these options require continuing effort to store and maintain the codes. For example, if you install new programs or upgrade old ones, you should use the /RV or /RF options to remove all codes, then /AV or /AF to restore them. If you want to use one of these methods, which should you use? We recommend the "F" options--/AF, /CF, and /RF--over the "V" options. /AF stores the validation and recovery information in a separate file, instead of modifying the program files themselves. This has three advantages: o You can store the recovery file off-line (on your clean anti-viral startup diskette, for example, or on a network drive or tape drive) and access it on demand to check for, and recover from, infection by unknown viruses. Use the procedure below to create a recovery diskette. o This method keeps self-checking files (usually copy- protected programs) from reporting that they have been tampered with. o If you use this method, you don't need an exception list. However, it's important that you run Scan with the /RF option on individual self-modifying files, such as Lotus 1-2-3, to remove the validation codes for those programs from the validation file. The "V" options are primarily useful for companies that distribute software to their customers or employees, and want to incorporate an additional level of virus protection. Using VirusScan (Version 2.0) 57 CREATING A RECOVERY DISKETTE To store the recovery file, create a new "VirusScan Startup Diskette" and then run Scan to create a validation code and recovery data file by typing: scan /adl /af a:\scancrc.crc and pressing . The above command scans the local hard disk drive(s) for known viruses and creates "SCANCRC.CRC," a file containing validation codes and recovery data, on the diskette. After Scan finishes, write-protect the diskette, label it as your "VirusScan Recovery Diskette," and store in a safe location. To check for virus infection, turn your computer off, insert your "VirusScan Recovery Diskette" in drive A:, and turn the power back on. The PC will now start from the diskette. At the DOS prompt, type: scan /adl /cf a:\scancrc.crc and press . This will compare the local hard disk drive(s) against the recovery data stored on the diskette in the SCANCRC.CRC file. If you detect an unknown virus, to disinfect your system, turn your PC off, insert the recovery diskette, and turn the power back on. The PC will start from the floppy disk. At the DOS prompt, type: scan /adl /cf a:\scancrc.crc /clean to restore drives C and D with the recovery data stored in SCANCRC.CRC on the diskette. If you install new software, or upgrade your DOS version, remember to update your recovery file. See Application note 1, "Updating Validation Codes," in Chapter 3. Using VirusScan (Version 2.0) 58 INTERACTING WITH YOUR NETWORK Many personal computers are interconnected through a local area network (LAN). VirusScan is highly compatible with most networks. Here are some ways of using the VirusScan software with your network: Run Scan on network drives Run from a workstation (PC) on the network, Scan checks network drives for viruses just as it does local drives. For convenience, the /ADN option scans all network drives to which the workstation is connected. Use VShield and CheckVShield By activating VShield as part of every workstation's AUTOEXEC.BAT file, you can prevent the workstations from introducing viruses into the network. Network administrators can ensure that VShield is active on each workstation by running CheckVShield as part of the network login script, before actual login. Use NETShield NETShield provides continuous virus protection on a NetWare server. NetWare network administrators can use it to check for both known and unknown viruses and to monitor all network activities. On other kinds of networks, you can use Scan to check network servers. Develop a network security program, as described in the next tip. Develop a security program VirusScan has been shown to be an effective virus-preventive measure when used in a conscientiously applied program of network security and regular professional care. VirusScan is one important element of a comprehensive computing security program that includes a variety of safety measures, such as regular backups, meaningful password protection, user training, and awareness. Even with VirusScan, some viruses--not to mention theft or fire--an render a disk unrecoverable without a recent backup to reload information. Although outlining such a security program is beyond the scope of this manual, see "Other Sources of Information" in Chapter 1 for suggestions. If you are a network administrator, we urge you to implement a security program to safeguard your organization's data and productivity. If you are a network user, please support and comply with such a program. Using VirusScan (Version 2.0) 59 TROUBLESHOOTING Using VirusScan with other anti-virus software When you run more than one anti-virus program from different vendors, you risk strange results and false alarms. For example, some anti-virus programs store their "virus signature strings" unprotected in memory. Running VirusScan may "detect" them falsely as a virus. False alarms Scan may incorrectly report a virus in the boot sector or master boot record (MBR) of a disk if the diskette using a special copy-protection or encryption mechanism. Contact technical support if you're unsure (see "Technical Support" in Chapter 1). TSR conflicts Some "terminate-and-stay-resident" (TSR) software may conflict with VirusScan programs, especially VShield (which is itself a TSR). To check whether this is the problem, "comment out" the other TSR files in your AUTOEXEC.BAT file and restart your system. If the errors disappear, the TSR conflict caused them. Slow disk access, program locks Running VShield will slow your system slightly as described in Chapter 3 in the VShield documentation, especially if you use either the /ANYACCESS or /SWAP options. If you experience very slow disk access, or if programs lock or freeze while using Windows 3.1, you may be using a disk cache program that interferes with program operation, or you may need to increase the number of BUFFERS in your CONFIG.SYS file. Program locks with VShield's /SWAP option When VShield is running with the /SWAP option, certain programs may lock up the computer. These programs may use memory without allocating it first, including older versions of Lotus 1-2-3, pfs:Write and Professional Write, OfficeWrite, and DisplayWrite4. To correct, restart your computer and run VShield without the /SWAP option. Unable to remove VShield If the /REMOVE option doesn't successfully remove VShield from memory, you have probably loaded other terminate-and- stay-resident (TSR) programs after VShield. VShield can't be removed until the other TSRs are removed. If you need to unload VShield often, load it last. Using VirusScan (Version 2.0) 60 APPENDIX A: RETRIEVING VIRUSSCAN UPDATES VIA THE McAFEE BBS McAfee runs a multiple line bulletin board system (BBS) for you to download program updates, receive technical support, and interact with other McAfee users. DIAL UP o The McAfee BBS phone number is (408) 988-4004. o The BBS operates at up to 14,400 bps (baud). Set your communications parameters to 8 data bits, 1 stop bit, no parity, and your terminal emulation to ANSI or TTY. o The BBS is Bell- and ITU- (formerly CCITT) compatible. LOG ON After receiving the CONNECT message from your communications package: o Enter your name, geographic location, and password. To retrieve the VirusScan programs, type "GUEST" for first name, and "USER" for last name. Or, if you want personal answers or feedback, create your own account by entering your first and last name and a password. Passwords should be 3-8 characters long and are case-sensitive. THE MAIN MENU Here are some of the important functions on the main menu: F File transfer area (download McAfee updates) M Message area (read and write messages in all sections and e-mail) G Goodbye (hang up and leave the BBS) Downloading McAfee programs 1. Select from the Main Menu to go to the File transfer area. This is the area from which you can download McAfee programs. 2. Select <1> for the McAfee Antivirus Files. A sorted directory listing of files available for download will be displayed. Using VirusScan (Version 2.0) 61 3. Type for download, then type in the filename as found in the directory. 4. The BBS will prompt you to select a protocol. We recommend error-correcting protocol such as ZMODEM, YMODEM or XMODEM. 5. You'll see the message Awaiting start signal. Tell your software to receive files. With PROCOMM for DOS or TELIX, press the key, with BITCOM, press the key. For other communications programs, check your manual. 7. Your software will prompt you to select a protocol and file name to receive the file. Select the same protocol and name. Using VirusScan (Version 2.0) 62 APPENDIX B: OPTIONS COMPARISON BETWEEN VIRUSCAN VERSIONS 1.5 AND 2.0 VERSION COMPARISON OF SCAN OPTIONS Scan ³ Scan ³ Version 1.5 ³ Version 2.0 ³ Option Description ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ /? /H or ³ /? or /HELP ³ Display help screen. /HELP ³ ³ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /A ³ ³ Scan all files, ³ ³ including data files. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /AD{x} ³ /AD{x} ³ Scan all drives ³ ³ {L=Local, N=Network}. ³ ³ Leave blank for both ³ ³ (version 1.5 only). ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /AF ³ /AF ³ Store {filename} ³ {filename} ³ validation/recovery ³ ³ codes in filename. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /AG ³ ³ Add recovery/validation {filename} ³ ³ data to files except ³ ³ those listed in {filename}. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /AV ³ /AV ³ Add validation/recovery {filename} ³ ³ data to program files. ³ ³ Exclude those listed in ³ ³ {filename} (version 1.5 ³ ³ only); exclude those ³ ³ listed in /EXCLUDE ³ ³ option (version 2.0 only). ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /BELL ³ ³ Beep whenever a virus ³ ³ is found. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /BMP ³ ³ Scan OS/2 Boot Manager ³ ³ partition only. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ³ /BOOT ³ Scan master boot record ³ ³ and boot sector only. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /CERTIFY ³ ³ List files not having a ³ ³ validation code. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /CF ³ /CF ³ Check {filename} ³ {filename} ³ validation/recovery ³ ³ codes in filename. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Using VirusScan (Version 2.0) 63 VERSION COMPARISON OF SCAN OPTIONS (continued) Scan ³ Scan ³ Version 1.5 ³ Version 2.0 ³ Option Description ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ /CG ³ ³ Check ³ ³ recovery/validation ³ ³ data in files. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /CHKHI ³ ³ Check memory from 0Kb ³ ³ to 1,088Kb (not ³ ³ applicable to OS/2). ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ (CLEAN.EXE) ³ /CLEAN ³ Clean up infections in ³ ³ master boot records, ³ ³ boot sectors, and files ³ ³ when possible. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /CV ³ /CV ³ Check ³ ³ validation/recovery ³ ³ data in files. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /D ³ /DEL ³ Overwrite and delete ³ ³ infected files. ³ ³ Save date and time ³ ³ VirusScan was last run ³ ³ in SCAN.LOG. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /DATE ³ /LOG ³ Save date and time ³ ³ VirusScan was last run. ³ ³ Save in SCAN.LOG file ³ ³ (version 2.0 only). ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ³ /EXCLUDE ³ Exclude from scan any ³ {filename} ³ files listed in ³ ³ filename. Typically ³ ³ used in conjunction ³ ³ with the /AV option. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ EXT ³ ³ Scan using external {filename} ³ ³ virus information from ³ ³ filename. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /FAST ³ /FAST ³ Speed up VirusScan's ³ ³ scanning; may detect ³ ³ fewer viruses. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /HISTORY ³ /APPEND ³ Append Scan report to filename ³ ³ filename (version 1.5). ³ ³ Append to, rather than ³ ³ overwrite, the report ³ ³ file (/REPORT, version 2.0) Using VirusScan (Version 2.0) 64 VERSION COMPARISON OF SCAN OPTIONS (continued) Scan ³ Scan ³ Version 1.5 ³ Version 2.0 ³ Option Description ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ /M ³ ³ Scan memory for all ³ ³ viruses (not applicable ³ ³ to OS/2). ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /MANY ³ ³ Scan multiple floppy ³ ³ disks (diskettes). ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ³ /MOVE ³ Move infected files to ³ {directory} ³ directory. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /NLZ ³ ³ Skip internal scan of ³ ³ LZEXE compressed files. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /NOBREAK ³ ³ Disable Ctrl-C and Ctrl- ³ ³ Brk during scan. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /NOEXPIRE ³ ³ Do not display ³ ³ expiration notice. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /NOMEM ³ /NOMEM ³ Skip memory checking ³ ³ (not applicable to OS/2). ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /NOPAUSE ³ /PAUSE ³ Disable screen pause ³ ³ (version 1.5 only). ³ ³ Enable screen pause ³ ³ (version 2.0 only). ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /NPKL ³ ³ Skip internal scan of ³ ³ PKLITE compressed files. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ³ /PLAD ³ Preserve Last-Access ³ ³ date of scanned files ³ ³ on Novell drives. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /REPORT ³ /REPORT ³ Create report of {filename} ³ {filename} ³ infected files found ³ ³ during scan in filename. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /RF ³ /RF ³ Remove {filename} ³ {filename} ³ validation/recovery ³ ³ codes in filename. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /RG ³ /RG ³ Remove ³ ³ recovery/validation ³ ³ data from files. Using VirusScan (Version 2.0) 65 VERSION COMPARISON OF SCAN OPTIONS (continued) Scan ³ Scan ³ Version 1.5 ³ Version 2.0 ³ Option Description ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ³ /RPTCOR ³ Add list of corrupted ³ ³ files to the report ³ ³ file (/REPORT). ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ³ /RPTERR ³ Add list of system ³ ³ errors to the report ³ ³ file (/REPORT). ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ³ /RPTMOD ³ Add list of modified ³ ³ files to the report ³ ³ file (/REPORT). ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /RV ³ /RV ³ Remove ³ ³ validation/recovery ³ ³ data from files. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /SAVE ³ /SAVE ³ Save specified options ³ ³ as new defaults (not ³ ³ available in Windows). ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /SHOWDATE ³ /SHOWLOG ³ Show date and time of ³ ³ last scan (version 1.5 ³ ³ only). Display ³ ³ information in SCAN.LOG ³ ³ (version 2.0 only) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ³ /STD ³ Scan executable files ³ ³ only (.COM, .EXE, .SYS, ³ ³ .BIN, .OVL, and .DLL) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /SUB ³ /SUB ³ Scan subdirectories ³ ³ inside a directory. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ³ /VIRLIST ³ Display list of viruses ³ ³ detected by VirusScan. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ @filename ³ /LOAD ³ Use Scan settings ³ {filename} ³ stored in filename. ³ ³