What's New in NetShield for Windows NT v2.5.2 (9609)
Copyright 1994-1996 by McAfee, Inc.
All Rights Reserved.

Thank you for using McAfee's NetShield for Windows NT. This What's New file contains important information regarding the current version of this product. It is highly recommended that you read the entire document.

McAfee welcomes your comments and suggestions. Please use the information provided in this file to contact us.

___________________
WHAT'S IN THIS FILE

- New Features
- Known Issues
- Installation
- Documentation
- Frequently Asked Questions
- Additional Information
- Contact McAfee

____________
NEW FEATURES

* ENHANCEMENTS *

1. NetShield NT v2.5.2 is NT 4.0 compatible.
2. NetShield NT v2.5.2 is compatible with the Compaq SmartArray controller.
3. AutoUpdate changes are made to the registry.
4. An SNMP registry entry was added to point to Alertmanager's SNMP capabilities.
5. This release includes an external utility, VIRNOTFY.EXE, that will notify you if McAfee's Alertmanager is not installed.

* ISSUES ADDRESSED IN THIS RELEASE *

1. Exclusions for both on-access and on-demand scans now work.
2. McFSREC errors in the event log have been resolved.
3. SMTP traps are now sent properly.
4. Activity log write errors have been resolved.
5. During a scan, long directory names are no longer truncated in the SCAN32.EXE display.
6. Inbound read-only files are now detected, removed and/or cleaned.
7. When an infected file is accessed multiple times, it is now reported as a single event in the log file.

* NEW VIRUSES DETECTED *

This DAT file (9609) detects the following 68 new viruses. In addition, locations that have experienced problems with a particular virus are identified.

_1194                   Spain
ACCOUNT.AVENGER.873
ALLIANCE
ARCV.255
ARCV.679
ARCV.745
ASH.743
BEDA.1530
BEER.2620
BEER.3164.B
BEER.3192.B
BIRTHDAY:DE (*)         Germany
BLEAH
BUERO:DE                Germany
BW-525
CASTELLO.3742           Spain
CHEGUEVA                Spain
COMPBACK.3783
CORDOBES.3334           Spain
DEI.8772
DEI.DR.8772
DELWIN.1199
DIETZEL:DE (*)
DODGER
HASSLE
HASTA.884
HLLP.NAZI.5984
IVP.665
JERUSALEM.BUPT.1220
JERUSALEM.BUPT.1279
JERUSALEM.BUPT.1367
KABOUT.1804 (*)
KARNAVALI.1972          Europe
KDG
KITTY
LAMEGO.729              Portugal
LIBERTY.2857.D
LITTLEPEST.4243 (*)
MANNEQUIN
MANZON.1404             Europe
MENDOZA.3380            Spain
MSU.297
NECROS.1164.A
NECROS.1164.B
PHALCON.1117
PINDONGA.B
PS-MPC.578.C
PS-MPC.611.J
PS-MPC.753
PS-MPC.AOS
PULCE.1840
RADYUM.509
RAHACK.936              Netherlands
RDA FIGHTER.5871
RIOT.ETERNITY.565
SALMAN.2000             US
SATRIA.RZ               Europe
SCREAMING_FIST.652
SCREAMING_FIST.709
SIRIUS.ALIVE.4608
TANPRO.749
TEQUILA.2468
TURNER.3276
TV
V3.1765
VACSINA.1206.A
VERWOLF
VICTOR.2442.A

(*) Requires DOS/Win 2.5.2 engine

* NEW VIRUSES REMOVED *

This DAT file (9609) removes the following 38 new viruses. In addition, locations that have experienced problems with a particular virus are identified.

_1194                   Spain
ACCOUNT.AVENGER.873
ALLIANCE                England
ARCV.255
ARCV.657
ARCV.679
ARCV.745
ASH.743
BIRTHDAY:DE (*)         Germany
BLEAH
BUERO:DE                Germany
CHEGUEVA                Spain
COMPBACK.3783
CORDOBES.3334           Spain
DEI.8772
DEI.DR.8772
DIETZEL:DE (*)
HASSLE
HASTA.884
HLLP.NAZI.5984
IVP.665
LAMEGO.729              Portugal
LITTLE_BROTHER          Germany
NO_FRILL.835            Australia
PS-MPC.611.J
PS-MPC.753
RAHACK.936              Netherlands
SALMAN.2000             US
SATRIA.RZ               Europe
SCREAMING_FIST.652
SHELL.10634             Internet
TANPRO.524
TANPRO.749
TEQUILA.2468
TV
V3.1765
VICTOR.2442.A
ZYX                     Europe

(*) Requires DOS/Win 2.5.2 engine

____________
KNOWN ISSUES

1. When a macro virus is detected in conjunction with other viruses, the macro virus remover will not work. If this occurs, remove the other virus first or work in a separate area.
2. Files with the "-" (dash) character in the filename that are compressed in zipped files will not be scanned by the on-demand scanner.
3. NetShield continues to scan after clicking STOP. If this occurs, move the Netshield window to reveal the DynaZip UnZip Error window. Then click OK and respond appropriately to the dialog box.
4. On-access exclusions only apply to local devices.

____________
INSTALLATION

* INSTALLING THE PRODUCT *

Prior to installation, take the following steps:

1. Uninstall any previous version of NetShield NT.
2. Reboot the NT system.
3. Make sure you have Administrator rights for the server on which you are installing NetShield.
4. Run SETUP.EXE and follow the prompts. If the NT server is a BDC, make sure to check the appropriate box when prompted.

If you would like to perform a "silent" installation of NetShield NT, requiring minimal user interaction and using all default or "Typical" installation settings, add -s (i.e. SETUP.EXE -s) to the setup command when you install the product.

NOTE: If you would like to perform a silent installation on machines running NT 4.0, you must first rename SETUP40.ISS to SETUP.ISS.

Network Administrators can customize the silent installation by following the steps below.

1. Check in the Windows directory to ensure that a file named SETUP.ISS does not already exist. If it does, rename it, back it up, or delete it.
2. Run SETUP.EXE with the -r switch (i.e. SETUP.EXE -r).
3. Select the components you would like to be installed during the silent installation. All responses will be recorded.
4. Finish the installation, and locate the file SETUP.ISS in the Windows directory.
5. Open the file using any ASCII editor (e.g., NOTEPAD.EXE) and delete the section titled APPLICATION.
6. Locate the section [SdSetupType-0] in the SETUP.ISS file and go to the line:

      Result=x

   where x is equal to

      301 (Typical installation)
      302 (Compact installation)
      303 (Custom installation)

7. Add 100 to the above value, so that the Result variable is equal to 401, 402, or 403. Modifying this file will allow the installation to copy the NetShield files to the drive where the operating system resides instead of defaulting to the C: drive.
8. Rename, back up, or delete SETUP.ISS on the first installation disk (floppies only). For CD-ROM versions of the product, you must copy the installation files onto the hard drive before taking this step.
9. Copy the new SETUP.ISS from the Windows directory to the location of the installation files.
10. Run SETUP.EXE with the -s switch (i.e. SETUP.EXE -s).
11. When the silent installation is complete, you should reboot the machine manually.

NOTE: If you do not specify a "recorded" answer for all dialog boxes during the initial installation, the silent installation will fail. Also, the file used for the silent installation, SETUP.ISS, may not work properly across different operating systems. For example, if the silent install is generated for Windows 95, it may not work properly in Windows 3.1x or Windows NT.

* PRIMARY PROGRAM FILES FOR NETSHIELD NT *

Files located in the Install directory:
=======================================

1. Installed for the Alert Manager/Console/Server:

   MCKRNLNT.DLL               = Library files
   MCSCAN32.DLL               = Library files
   MCUTILNT.DLL               = Library files
   SHUTIL.DLL                 = Library files
   README.1ST                 = McAfee information
   WHATSNEW.TXT               = What's New document
   PACKING.LST                = Packing list
   AGENTS.TXT                 = McAfee authorized agents
   VALIDATE.EXE               = McAfee file validation program
   UPDATE.MSG                 = Update message file
   SHIELD.HLP                 = On-access scanner help
   SHIELD.CNT                 = On-access context-sensitive help
   MCCONSOL.HLP               = Console help
   VIRUSCAN.HLP               = On-demand scanner help
   VIRUSCAN.CNT               = On-demand context-sensitive help
   NAMES.DAT                  = Virus names definition data
   SCAN.DAT                   = Virus scan definition data
   CLEAN.DAT                  = Virus clean definition data
   Netshield Activity Log.TXT = NetShield activity log
   Scan Activity Log.TXT      = Scan activity log
   MODEMS.TXT                 = Modem initialization strings
   SAMPLE.CMD                 = Sample alert file
   MCUPDATE.EXE               = Update module
   AMGRCNFG.EXE               = Alert manager configuration program
   FTPGET.CMD                 = Automatic updating script
   DEISL1.ISU                 = Uninstall file
   MCSRVSHL.EXE               = Uninstall application
   MCSERVIC.DLL               = Install/uninstall library file

2. Installed for Alert Manager:

   WCMDR.EXE                  = Uninstall program
   WCMDR.INI                  = Uninstall initialization file
   DEFAULT.VSC                = On-demand scanner default configuration settings
   NETSHLD.MIF                = MIF file
   IMPTASK.EXE                = Task import tool
   IMPTASK.TXT                = Task import text file
   AMGRSRVC.EXE               = Alert manager service program
   MCALSNMP.DLL               = Alert manager SNMP
   POWERP32.DLL               = Alert manager support module
   VIRNOTFY.EXE               = Notification utility

3. Installed for the Console:

   MCCONSOL.EXE               = Console manager
   SHSTAT.EXE                 = Shield status monitor program
   SCNSTAT.EXE                = Scan status monitor program
   SCNCFG32.EXE               = Console configuration module
   VIRLIST.EXE                = Virus list
   SHCFG32.EXE                = Console configuration module
   DPMI16.DLL                 = 16-bit DOS protected mode interface library
   DPMI32.DLL                 = 32-bit DOS protected mode interface library
   MCKRNL95.DLL               = Library files
   MCUTIL95.DLL               = Library files

4. Installed for the Server:

   DUNZIP32.DLL               = File decompression library
   DZIP32.DLL                 = File decompression library
   TASKMRG.EXE                = Task managing service
   SCAN32.EXE                 = On-demand scanner

Files located in WINNT35\SYSTEM32:
==================================

1. Installed for the Console/Server/Alert Manager:

   CTL3D32.DLL                = 32-bit 3D Windows controls library (*)

(*) File will be installed upon installation of NetShield if the file does not already exist, or if an older version is found.

Files located in WINNT35\SYSTEM32\DRIVERS:
==========================================

1. Installed for the Server:

   MCFILTER.SYS               = System files
   MCFSREC.SYS                = System files
   MCKRNL.SYS                 = System files
   MCSCAN.SYS                 = System files
   MCUTIL.SYS                 = System files
   MCSHIELD.SYS               = System files

* TESTING YOUR INSTALLATION *

The Eicar Standard AntiVirus Test File is a combined effort by anti-virus vendors throughout the world to come up with one standard by which customers can verify their anti-virus installations. To test your installation, copy the following line into its own file and name it EICAR.COM.

   X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

When done, you will have a 69- or 70-byte file.

When NetShield for Windows NT is applied to this file, Scan will report finding the EICAR-STANDARD-AV-TEST-FILE virus.

It is important to know that THIS IS NOT A VIRUS. However, users often have the need to test that their installations function correctly. The anti-virus industry, through the European Institute for Computer Antivirus Research, has adopted this standard to facilitate this need.

Please delete the file when installation testing is completed so unsuspecting users are not unnecessarily alarmed.

_____________
DOCUMENTATION

For more information, refer to the NetShield User's Guide, included on the CD-ROM versions of this program or available from McAfee's BBS and FTP site. This file is in Adobe Acrobat Portable Document Format (.PDF) and can be viewed using Adobe Acrobat Reader.
This form of electronic documentation includes hypertext links and easy navigation to assist you in finding answers to questions about your McAfee product.

Adobe Acrobat Reader is available on CD-ROM in the ACROREAD subdirectory. Adobe Acrobat Reader also can be downloaded from the World Wide Web at:

   http://www.adobe.com/Acrobat/readstep.html

NetShield documentation can be downloaded from McAfee's BBS or the World Wide Web at:

   http://www.McAfee.com or http://205.227.129.97

For more information on viruses and virus prevention, see the McAfee Virus Information Library, MCAFEE.HLP, included on the CD-ROM version of this product or available from McAfee's BBS or FTP site.

__________________________
FREQUENTLY ASKED QUESTIONS

Regularly updated lists of frequently asked questions about McAfee products also are available on McAfee's BBS, website, and CompuServe and AOL forums.

Q: How do I manually uninstall NetShield for Windows NT?

A: To uninstall, take the following steps:

   1. Close all product dialog windows.
   2. Delete the installation directory.
   3. Delete the HKLM\SOFTWARE\MCAFEE key in the registry.
   4. Delete the six McAfee device drivers (MC*.*) in %SYSTEMROOT%\SYSTEM32\DRIVERS.
   5. Reboot.

Q: Why do I get an error in MCINST32.DLL when I attempt to install NetShield for Windows NT?

A: NetShield for Windows NT was designed for an i386 processor only. This error is usually caused by an attempt to install to a non i386-based machine.

Q: Is there a conflict with the Novell written client for NT?

A: No. However, there are some timing issues that arise when NetShield for Windows NT is installed. If it is necessary for you to use the Novell client, then change the account that both the McAfee Task Manager and the Alert Manager use to a "System" account.

Q: Why do I get errors in my event viewer after installing Service Pack 3 or Service Pack 4?

A: Service Pack 3 and Service Pack 4 involved a change to the HAL.DLL file that is used by McAfee's device drivers.
If you are using NetShield for Windows NT Version 2.5.0, uninstall, then install Version 2.5.2 or higher.

Q: As an administrator, how can I scan private directories that are accessible only to individual users?

A: The on-access scanner will detect infected files as they are copied into the users' private spaces.

On-demand (scheduled) scans are launched by the McTaskManager Service. If you specify a user name and password for the Service, then the scheduled scan will only scan directories for which the user name has privileges. If no user name was specified, then the Service has SYSTEM privileges.

To perform an on-demand, or scheduled, scan of private directories, the McTaskManager Service must have access to these private areas. Following are two ways to address this issue:

Solution A:

   1. Create a custom user name to be used by the Service.
   2. Give this user name privileges to access the private spaces.

   Considerations with Solution A: The administrator will need to know the user names and passwords.

Solution B:

   1. Do not associate a user name to the Service.
   2. Give SYSTEM privileges to access the private spaces.

   Considerations with Solution B: Someone could create or use a Service to access your information.

McAfee recommends Solution B as a more secure solution.

Q: NetShield will not perform an on-demand (scheduled) scan of some networked devices. Why?

A: It is possible that the user name you are using for the Taskmanager Service does not have sufficient rights to scan the devices in question. To verify whether this is the issue, log in to each device using the user name and password used by the Taskmanager Service. Confirm that this user name has rights on the device by manually running an on-demand scan. If you can scan the device while you're logged in, then the Service should also be able to do it as a scheduled scan.

Q: When performing an on-demand (scheduled) scan of a networked device, the system locks up. How can I solve this problem?
A: Log on to the device in question and manually run an on-demand scan with the Compressed Files option turned off. If the scanner locks up, note where it locks. Attempt to determine which file NetShield locks on and send the information to McAfee.

If the scan succeeds, select the Compressed Files option and scan the device again. If it locks this time, chances are you have a ZIP file that is corrupted or large, and it takes time to scan.

If scanning works in both scenarios, then give the Taskmanager Service the same user name and password currently logged in as and try a scheduled scan again. If this now works, then the old user name didn't have sufficient rights to scan the device in question.

Q: I have an on-demand (scheduled) scan that doesn't seem to run. What am I doing wrong?

A: Scheduled scans should not overlap one another. If you have more than one drive, folder, or item that you would like to have scanned, add additional items for scanning to the Detections page of the Task's properties. After making the changes, restart the computer and scheduled scans should function as designed.

Q: Can I update NetShield's data files to detect new viruses?

A: Yes. If you have Internet access, you can download updated McAfee data files from the McAfee Web Site, BBS, or other online resources. To download from the McAfee Web Site, follow these steps:

   1. Go to the McAfee Web Site (http://www.mcafee.com or http://205.227.129.97).
   2. Click on the Download McAfee button in the upper left hand column or frame.
   3. Click Get that DAT! to update DAT files.
   4. View the information provided on new DAT files and downloading.
   5. Click on Download This Month's DAT.
   6. Data file updates are stored in a compressed form to reduce transmission time. Unzip the files into a temporary directory, then copy the files to the appropriate directory, replacing your old files.
   7. Before performing any scans, shut down your computer, wait a few seconds, and turn it on again.

If you need additional assistance with downloading, contact McAfee Download Support at (408) 988-3832.

______________________
ADDITIONAL INFORMATION

1. NetShield NT includes an external utility, VIRNOTFY.EXE, that will notify you in the event that McAfee's Alertmanager is not installed. To use this utility, open McConsole, and select Tools/Alerts. Add the path and utility to the Program To Execute line.
2. NetShield NT is Microsoft BackOffice certified. For details on how to install NetShield using SMS, refer to your BackOffice documentation.

______________
CONTACT McAFEE

* FOR QUESTIONS, ORDERS, PROBLEMS, OR COMMENTS *

Contact McAfee's Customer Care department:

1. Call (408) 988-3832
   Monday-Friday, 6:00 A.M. - 6:00 P.M. Pacific time
2. Fax: (408) 970-9727
   24-hour, Group III Fax
3. Fax-back automated response system: (408) 988-3034
   24-hour fax

Send correspondence to any of the following McAfee locations:

   McAfee Corporate Headquarters
   2710 Walsh Avenue
   Santa Clara, CA 95051-0963

   McAfee East Coast Office
   Jerral West Center
   766 Shrewsbury Avenue
   Tinton Falls, NJ 07724-3298

   McAfee Central Office
   5944 Luther Lane, Suite 117
   Dallas, TX 75225

   McAfee Canada
   178 Main Street
   Unionville, Ontario
   Canada L2R 2G9

   McAfee Europe B.V.
   Orlyplein 81 - Busitel 1
   1043 DS Amsterdam
   The Netherlands

   McAfee (UK) Ltd.
   Hayley House, London Road
   Bracknell, Berkshire RG12 2TH
   United Kingdom

   McAfee France S.A.
   50 rue de Londres
   75008 Paris
   France

   McAfee Deutschland GmbH
   Industriestrasse 1
   D-82110 Germering
   Germany

Or, you can receive online assistance through any of the following resources:

1. Bulletin Board System: (408) 988-4004
   24-hour US Robotics HST DS
2. Internet e-mail: support@mcafee.com
3. Internet FTP: ftp.mcafee.com or 205.227.129.134
4. World Wide Web: http://www.mcafee.com or http://205.227.129.97
5. America Online: keyword MCAFEE
6. CompuServe: GO MCAFEE
7. The Microsoft Network: GO MCAFEE

Before contacting McAfee, please make note of the following information.
When sending correspondence, please include the same details.

- Program name and version number
- Type and brand of your computer, hard drive, and any peripherals
- Operating system type and version
- Network name, operating system, and version
- Contents of your AUTOEXEC.BAT, CONFIG.SYS, and system LOGIN script
- Microsoft service pack, where applicable
- Network card installed, where applicable
- Modem manufacturer, model, and baud, where applicable
- Relevant browsers/applications and version number, where applicable
- Problem
- Specific scenario where problem occurs
- Conditions required to reproduce problem
- Statement of whether problem is reproducible on demand
- Your contact information: voice, fax, and e-mail

Other general feedback is also appreciated.

* FOR ON-SITE TRAINING INFORMATION *

Contact McAfee Customer Service at (800) 338-8754.

* FOR PRODUCT UPGRADES *

To make it easier for you to receive and use McAfee's products, we have established an Agents program to provide service, sales, and support for our products worldwide. For a listing of agents, see the file AGENTS.TXT, where applicable, or contact McAfee Customer Service for agents near you.
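
Steps 5 to 7 of the customized silent installation under INSTALLATION edit SETUP.ISS by hand (delete the APPLICATION section, then add 100 to Result in [SdSetupType-0]); the Python sketch below applies the same two edits so they can be repeated consistently across servers. It is an added example, not part of the original release notes or of McAfee's product, and the sample response file and the function name patch_iss are constructed for illustration.

```python
import re

# Constructed sample of a recorded response file; a real SETUP.ISS depends on
# the dialogs answered during SETUP.EXE -r.
SAMPLE_ISS = """\
[InstallShield Silent]
Version=v3.00.000
File=Response File
[Application]
Name=NetShield NT
Version=2.5.2
Company=McAfee
[DlgOrder]
Dlg0=SdSetupType-0
Count=1
[SdSetupType-0]
szDir=C:\\NETSHLD
Result=301
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
RESULT_RE = re.compile(r"^(?P<key>\s*Result\s*=\s*)(?P<val>\d+)\s*$", re.IGNORECASE)
SETUP_TYPES = {301: "Typical", 302: "Compact", 303: "Custom"}


def patch_iss(text):
    """Apply steps 5-7 to response-file text; return (patched_text, setup_type)."""
    out, section, setup_type = [], None, None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name").strip().lower()
        if section == "application":
            continue  # step 5: drop the whole APPLICATION section
        result = RESULT_RE.match(line)
        if section == "sdsetuptype-0" and result:
            value = int(result.group("val"))
            if value in SETUP_TYPES:            # steps 6-7: 30x becomes 40x
                setup_type = SETUP_TYPES[value]
                line = f"{result.group('key')}{value + 100}"
            elif value - 100 in SETUP_TYPES:    # already patched: leave as is
                setup_type = SETUP_TYPES[value - 100]
            else:
                raise ValueError(f"unexpected Result={value} in [SdSetupType-0]")
        out.append(line)
    if setup_type is None:
        raise ValueError("no Result line found in [SdSetupType-0]")
    # Lines are rejoined with "\n"; writing in text mode on Windows yields CRLF.
    return "\n".join(out) + "\n", setup_type


if __name__ == "__main__":
    patched, kind = patch_iss(SAMPLE_ISS)
    print(f"setup type: {kind}")
    print(patched, end="")
```

Running the function on a file that has already been patched leaves it unchanged, and a Result value outside 301-303 or 401-403 raises an error instead of producing a response file the silent installation would reject.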