Copyright 1994 McAfee, Inc. All rights reserved Using NetShield 2.0 Confidential Draft 4 - December 22, 1994 Copyright 1994 McAfee, Inc. All rights reserved Copyright c 1993, 1994 by McAfee, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form by any means without the written permission of McAfee, Inc., 2710 Walsh Avenue, Santa Clara, CA 95051- 0963. McAfee is a registered trademark of McAfee, Inc. VirusScan, VShield, and NetShield are trademarks of McAfee, Inc. All other products or services mentioned in this document are identified by the trademarks or service marks of their respective companies or organizations. Table of Contents CHAPTER 1 WELCOME TO NETSHIELD NETSHIELD TASKS SYSTEM REQUIREMENTS HOW TO USE THIS MANUAL CHAPTER 2 INSTALLATION AND SETUP INSTALLATION STEPS NETSHIELD FILES AFTER INSTALLATION LOADING NETSHIELD USING LOAD OPTIONS CUSTOMIZING THE AUTOEXEC.NCF FILE VIEWING NETSHIELD'S OPENING SCREEN EXITING NETSHIELD UPDATING NETSHIELD REGULARLY CHAPTER 3 USING NETSHIELD IF YOU DETECT A VIRUS CONFIGURATION RECOMMENDATIONS RUNNING AN IMMEDIATE SCAN SELECTING VOLUMES TO SCAN RUNNING AN IMMEDIATE SCAN INTERRUPTING A SCAN IN PROGRESS CONFIGURING THE SCANNING MODE USING ON ACCESS SCANNING USING PERIODIC SCANNING CONFIGURING VIRUS DETECTION SETTING THE INFECTED FILE ACTION SETTING THE USER CONTACT ACTION CONFIGURING NETSHIELD NLM SETTING CONFIGURATION FILE OPTIONS CONFIGURING EXCLUDED DIRECTORIES SETTING THE DELAY FACTOR SETTING CRC CONFIGURATION OPTIONS SETTING THE UNLOAD PASSWORD CONFIGURING VIRUS REPORTING SETTING UP THE LOG FILE SELECTING LOG FILE REPORTS CONFIGURING NETWORK MONITORING ENTERING A PASSWORD EDITING THE NETWORK SECURITY CONFIGURATION SETTING UP THE LOG FILE SAVING THE CURRENT CONFIGURATION RESTORING A CONFIGURATION FROM A FILE ENABLING NETWORK SECURITY Chapter 1 Welcome to NetShield Thank you for purchasing McAfee Associates' NetShield software, a powerful and advanced system designed to detect computer viruses on a NetWare server. NetShield watches as network users, the most likely source of infected files, copy files to the network. NetShield is a NetWare Loadable Module (NLM). This allows it to integrate easily into your NetWare environment and function independently of any workstation, guaranteeing that your network is always protected. NetShield Tasks It is important that you install and configure NetShield correctly for your particular network. As you set up NetShield, you'll complete the tasks necessary to maintain a virus-free network. Use this task list as a "roadmap" for applying the information in this reference to your network. Task 1: Installation. You'll install NetShield on every server at your site. Run the installation application from a workstation on your network. The NetShield NLM will be copied to your SYS:SYSTEM directory, and your server will be configured to load NetShield automatically whenever you restart it. Refer to Chapter 2, "Installation and Setup," for details. NOTE: If you use a bootable floppy diskette to start your server, make sure that the boot diskette is clean of any viruses. The documentation for VirusScan™, a McAfee virus scanning product that can be used on a workstation, describes a procedure for creating a clean bootable diskette. Task 2: Configuration. Set NetShield to scan all files transferred to the server, using the "on-access" scanning settings. Also set it to run scans at regular intervals, using the "periodic" scanning settings. Turn CRC, Cyclic Redundancy Checking, on if you have a stable file environment. CRC checking verifies that numeric "check sums" stay consistent for files. If files are changed often, then an error in the check sums will be reported. Refer to "Configuration Recommendations" in Chapter 3, "Using NetShield," for details. Task 3: Scanning. Once you've configured NetShield, it will automatically scan in the background. The NetShield NLM will be running as long as your NetWare server is running. Task 4: Reporting. NetShield can inform you when a virus is found, both by broadcasting a network message to selected users and by recording the information in a log file. It can then move or delete the infected file. We recommend that you set up NetShield to log infections in a file, notify the network supervisor, and move infected files into a "quarantine" directory for later inspection. Refer to "Configuring Virus Reporting" in Chapter 3, "Using NetShield," for details. Task 5: Updating. As new viruses are found, McAfee Associates will release new virus signature files for you to install. When you receive an update, or download one from the McAfee BBS, update one server and enable cross-server updating so that the new list is copied to the other servers over the network. Task 6: Virus elimination. Once you've identified and isolated an infected file, eliminate the virus using other McAfee products such as VirusScan and VShield™. Scan does periodic scanning of a single PC and removes viruses from a single PC, while VShield does on-access scanning of a single PC. System Requirements The NetShield program requires a Novell NetWare 386 v3.11, 3.12, SFT III 3.11 or 4.01 file server with at least 718Kb of free server RAM. It should utilize no more than 10% of server CPU time. NetShield is not compatible with version 3.10 of Novell NetWare386. You'll need a high-density 3.5-inch diskette drive to use the NetShield diskette in this package. Contact McAfee Associates for other media, or download the software from the McAfee bulletin board system. Refer to your Technical Support Information Card for instructions. How to Use this Manual This manual will help you get NetShield running quickly and properly. o Chapter 1, "Welcome to NetShield," describes the NetShield program, general tasks for using NetShield, and system requirements. o Chapter 2, "Installation and Setup," describes how to install, load, and maintain your NetShield software. o Chapter 3, "Using NetShield," contains reference information laid out in a format that matches the NetShield menus. If you need help navigating the menus, look for the guides at the start of each of these chapters. Chapter 2 Installation and Setup [THIS CHAPTER WILL CHANGE WHEN THE INSTALLATION PROCEDURE IS FINALIZED.] The NetShield Install program is straightforward and simple to use. You run it from a workstation logged into your server. It copies the NetShield NLM files to the local drive of the workstation, then moves the required files to your server. Finally, it modifies the AUTOEXEC.NCF file to load NetShield upon server startup. This chapter describes these tasks in detail. Installation Steps Be sure to run the Install program from a workstation that is connected to your network so that NetShield can copy the files onto your network drive. You must be logged in with create and delete rights to the target server volume. NOTE: If you are upgrading from an earlier version of NetShield, be sure to back up the files in your NetShield directory before proceeding. 1. Insert the NetShield program diskette in drive A. 2. Change to the A: drive by typing: C> a: 3. Start the Install program by typing: A> install 4. The Install program loads and prompts you to supply the following information: o Where to store NetShield. The default is the C:\MCAFEE\NETSHLD directory. The NetShield NLM and a default configuration file, VIR$CFG.DAT, will be moved from there to the network during installation. o Where to run NetShield. The default is the SYS:\SYSTEM directory on your server. You can change this, but remember that NetShield must reside on a network drive if you want it to load automatically whenever the server is started. NOTE: We recommend that you choose the default locations for files. Unless otherwise specified, NetShield creates, loads, and saves configuration files, log files, and reports in the directory where the NETSHLD.NLM file is located. The Install program may ask you for additional information. If at any time you wish to abandon installation, press ESCAPE and you will return to the DOS prompt. During installation, if the Install program finds any older NetShield files already installed, it will ask whether to update them. NetShield Files After Installation The Install program automatically copies the NetShield NLM program file, data files, various informative text files, and the Validate program onto your network. Once you have installed NetShield, verify that the following files reside in the same directory as the NetShield NLM (the default location is SYS:\SYSTEM): NetShield Files (Required) NETSHLD.NLM NetWare loadable module. SCAN.DAT Virus string data file required by NetShield. NAMES.DAT Virus name data file required by NetShield. (Optional) AGENTS.TXT List of McAfee authorized agents. COMPUSER.TXT Explains how to obtain a CompuServe membership. FILENAME.TXT Explains McAfee BBS file name conventions. LICENSE.TXT Explains how to license NetShield. PACKING.LST List of all files, including validation information. README.1ST Late-breaking information and new instructions not contained in this manual. REGISTER.TXT Explains how to register NetShield for your use. If you install NetShield onto NetWare version 3.12, you must also install the following NetWare files (which are supplied on the installation diskette) in the same directory as the NetShield NLM: A3112.NLM AFTER311.NLM CLIB.NLM MATHLIB.NLMMATHLIBC.NLM NWSNUT.NLM Loading NetShield Now that you have installed NetShield, you can load it using various stored settings. You can use the default NetShield settings, the settings stored in the standard configuration file (VIR$CFG.DAT), or those stored in a custom configuration file. NetShield creates VIR$CFG.DAT automatically when you load the program for the first time. Using Load Options Load NetShield using one of the following options: o To run NetShield with the default settings and no configuration file, use this command: LOAD NETSHLD o To run NetShield with the default configuration file, VIR$CFG.DAT, from the SYS:SYSTEM directory, use this command: LOAD NETSHLD DEFAULT_CONFIG o To run NetShield with a user-specified configuration file from the directory you specify, use the following command: LOAD NETSHLD [path \ filename] If the configuration file does not reside in the same directory as NetShield, you must specify the complete path, including the volume name. You can enter these commands at the NetWare server console prompt or the remote login prompt. Alternatively, you can have them execute automatically in the AUTOEXEC.NCF file. Customizing the AUTOEXEC.NCF File You can customize the way NetShield loads by editing the LOAD command in the AUTOEXEC.NCF file. To edit this file, use the NetWare LOAD INSTALL command (for more information, refer to your Novell documentation). If you change this file, restart your server to run NetShield. Viewing NetShield's Opening Screen When you first load NetShield, you will see a screen similar to the following example: NetShield Version 2.0 NetWare Loadable Module McAfee Associates NetShield Virus Protection For File Server SERVER1 Mon Sep 19, 1994 NetShield Main Menu Options Immediate Scan Configure Scanning Mode Configure Virus Detection Configure NetShield NLM Configure Virus Reporting Configure Network Monitoring Press F10 To View Scanning Statistics The Main menu is the highest-level menu in the hierarchy. The NetShield menu system uses conventional NetWare keys for menu navigation. You highlight, select, and exit menus as you would any NetWare utility, such as SYSCON. For general instructions about navigating NetWare menus, refer to your Novell documentation. You can press F10 at any time to display the Status window, which shows the current status of many of the NetShield configuration settings. The following example shows the initial NetShield default settings. NetShield Version 2.0 NetWare Loadable Module Volume Scanning: DISABLED NetShield Delay Factor: 3 On Access Scanning: DISABLED CPU Utilization: 0 percent Periodic Scanning: DISABLED Detection Action: Ignore Logging: DISABLED CRC Checking: DISABLED Mon Sep 19 15:01:45 1994 User Alarms: DISABLED Console Messages: DISABLED Network Monitoring: DISABLED Access Time Remaining 0 Minutes Volume Scanning Statistics Scanning: Detected: Periodic Scanning Statistics Scanning: Detected: On Access Scanning Statistics Inbound: Detected: Outbound: Detected: Press F10 To View Menus Press F10 again to return to the current menu. For more information about the features listed in NetShield's Status window, refer to Chapter 3, "Using NetShield." Exiting NetShield You can unload NetShield from server memory to free up server resources. Exiting NetShield halts any current scans in process. To exit NetShield, press ESCAPE from the Main menu. NetShield displays a confirmation prompt. Press Y to confirm that you want to exit NetShield. Exiting NetShield in this manner has the same effect as entering the following command at the NetWare server console prompt: unload netshld Either way, if NetShield is configured with an unload password, you must supply the password to exit. For more information, refer to "Setting the Unload Password" in Chapter 3, "Using NetShield." Updating NetShield Regularly Unfortunately, new viruses (and variants of old ones) appear and circulate often in the personal computer community. Fortunately, McAfee updates the NetShield data files regularly, usually monthly, but sooner if many new viruses have appeared. Each new version may detect as many as 60-100 new viruses or more, and may add new features. For instructions on downloading McAfee updates, refer to your Technical Support Information Card. To find out what is new in a downloaded release, review the accompanying README.1ST text file. Chapter 3 Using NetShield Once you have installed and loaded NetShield, you can begin using it to protect your network from viral infection. This chapter describes each feature in detail and shows you how to use NetShield most effectively in your network environment. NetShield detects known viruses by searching the system for known characteristics (sequences of code) unique to each computer virus and reporting their presence if found. For viruses that encrypt or cipher their code so that every infection is different, NetShield uses detection algorithms that work by statistical analysis, heuristics, and code disassembly. NetShield can also check for new or unknown viruses by comparing files against previously recorded validation data. For more information, refer to "Setting CRC Validation" in this chapter. If a file has been modified, it will no longer match the validation data, and NetShield will report that the file may have become infected. NetShield can scan your system in the following ways: o Immediate scanning performs a scan of your system, on demand, using current scan settings. For more information, refer to "Running an Immediate Scan" in this chapter. o On Access scanning prevents infected files from being copied to or from server volumes. For more information, refer to "Using On Access Scanning" in this chapter. o Periodic scanning schedules scanning for a specific day and time. For more information, refer to "Using Periodic Scanning" in this chapter. In each case, you can determine which network volumes NetShield scans. You can use any or all of these scanning methods in combination. If You Detect a Virus We strongly recommend that you get experienced help in dealing with viruses if you are unfamiliar with anti-virus software and methods. This is especially true for "critical" viruses, because improper removal of these viruses can result in the loss of all data and use of the infected disks. If you are at all unsure about how to proceed once you have found a virus, contact McAfee for assistance. Refer to your Technical Support Information Card for instructions. Configuration Recommendations We recommend that you customize NetShield with the settings that best fit the needs of your network environment, then save settings in a configuration file so that you can load them easily in the future. For more information, refer to "Setting Configuration File Options" in this chapter. If it finds or suspects a virus, NetShield can perform certain actions automatically, depending on how you have configured NetShield: o NetShield can delete, overwrite, move, or ignore an infected file. For more information, refer to "Setting the Infected File Action" in this chapter. We recommend that you move infected files to a quarantine directory for later inspection. o NetShield can notify selected users and the system console of a possible infection. For more information, refer to "Setting the User Contact Action" in this chapter. We recommend that you enable this feature so that system administrators are informed as soon as viruses are detected. o NetShield can record the incident in a log file. For more information, refer to "Setting the Log File" in this chapter. You can view or print the contents of this log for future reference. We recommend that you enable this feature so that you can use the information to investigate any viral infections that arise. For network environments requiring strict security, consider using the following features: o NetShield can require a password before it can be unloaded on the server. For more information, refer to "Setting the Unload Password" in this chapter. o NetShield can prevent users from writing to selected network directories, such as system directories containing application executable files. For more information, refer to "Configuring Network Monitoring" in this chapter. To optimize server performance, consider adjusting the execution priority. For more information, refer to "Setting the Delay Factor" in this chapter. Running an Immediate Scan NetShield can run a scan on-demand using immediate scanning. NetShield scans the server volumes you select. From the NetShield Main menu, choose Immediate Scan. NetShield displays the Immediate Scan menu with the following options: o Start Scan o Stop Scan o Edit Volume The rest of this section describes these options in detail. Selecting volumes to scan Before you start checking for viruses on your network, you must first select one or more volumes to scan. You can modify the list of volumes that NetShield scans for viruses. From the NetShield Main menu, choose Immediate Scan | Edit Volume. NetShield displays a list of currently selected volumes. o To add a volume to the list, press INSERT. NetShield displays a list of available volumes. Highlight the volume you want to add, then press ENTER (to select multiple volumes, highlight each one and press F5 to mark it, then press ENTER). NetShield adds the selected volume(s) to the list of volumes to scan. o To remove a volume from the list of selected volumes, highlight it, then press DELETE. The selected volume is no longer displayed in the list of volumes to scan. Once you have selected the volumes you want to scan, you can begin scanning your system. Running an Immediate Scan You can tell NetShield to start scanning immediately, based on your current scan settings. From the NetShield Main menu, choose Immediate Scan | Start Scan. NetShield starts scanning your system. To see scanning statistics, press F10: NetShield displays the name of each file it scans, as well as the name of the last virus found (if any). NOTE: If NetShield finds a virus, refer to "If you detect a virus" earlier in this chapter for more information. Interrupting a Scan in Progress NetShield scans your system until all selected items (volumes, directories, files) have been checked for viruses. If necessary, however, you can interrupt an immediate scan in progress. From the NetShield Main menu, choose Immediate Scan | Stop Scan. NetShield displays a confirmation prompt. NOTE: When you interrupt scanning, you prevent NetShield from completely checking the selected volumes on your system for viruses. To ensure that your system is virus-free, you must run a complete, uninterrupted scan. Configuring the Scanning Mode In addition to immediate scanning, NetShield provides the following scanning modes: o On Access Scanning prevents infected files from being copied to or from server volumes. o Periodic Scanning schedules scanning for a specific day and time. From the NetShield Main menu, choose Configure Scanning Mode. NetShield displays the Scanning Mode Configuration menu with the following options: o On Access Scanning o Periodic Scanning The rest of this section describes these scanning modes in detail. Using On Access Scanning If On Access scanning is enabled, NetShield can protect your server against viruses by preventing infected files from being copied to or from server volumes. If a filemask is used in the copy operation (for example, *.EXE), NetShield prevents only infected files from being copied. Use on access scanning to prevent spreading viruses in the interim between regular scans. NOTE: If NetShield finds a virus, refer to "If you detect a virus" earlier in this chapter for more information. To use on access scanning, from the NetShield Main menu, choose Configure Scanning Mode | On Access Scanning. NetShield displays the On Access Scanning menu with the following options: o Inbound Files Only o Outbound Files Only o Inbound and Outbound Files o Disable On Access Scanning Select the option you want. Inbound Files Only Select this option to prevent copying infected files to the selected server volume. When a copy operation is attempted, NetShield checks the file on the target volume and, if infected, deletes, removes, or ignores the file according to the current action setting. For more information, refer to "Setting the Infected File Action" later in this chapter. We recommended this option for most environments because it protects the server but avoids running extra scans every time files are copied from the server volume. Outbound Files Only Select this option to prevent copying infected files from selected server volumes to other server or workstation volumes. When a copy operation is attempted, NetShield checks the file on the source volume and, if infected, deletes, removes, or ignores the file according to the current action setting. For more information, refer to "Setting the Infected File Action" later in this chapter. This option does not protect the server volume against infected files copied to it, and is recommended only in cases where the server volume is read-only and might contain infected files. Inbound and Outbound Files Select this option to prevent copying infected files to or from selected server volumes. This option combines the two previous options and offers the highest degree of protection for both servers and workstations. It may, however, result in extra scans if the server volume is highly unlikely to contain infected files. Viewing Statistics for On Access Scanning When you open the On Access Scanning menu, NetShield displays information similar to the following example: NetShield On Access Virus Detection Summary Last Inbound File Scanned: Last Outbound File Scanned: Last Inbound Virus Detected: Last Outbound Virus Detected: Total Files Scanned: 360 Total Infected Files Found: 271 Current On Access Scan Mode: Both Inbound and Outbound Files Disabling On Access Scanning Select this option to disable on access scanning altogether or to interrupt an on access scan in progress. Thereafter, NetShield will not check files as they are copied to or from the server volume. Using Periodic Scanning You can schedule NetShield to automatically scan server volumes at a future date and time. Thereafter, NetShield runs the scan at the scheduled time if the server is running and NetShield is loaded and running. In this way, you can scan your network unattended, during periods of low network traffic, and thereby ensure that scanning occurs on a regular basis. For each scheduled scan, you can specify when to scan, what to scan, and which scan options to use. NOTE: If NetShield finds a virus, refer to "If you detect a virus" earlier in this chapter for more information. From the NetShield Main menu, choose Configure Scanning Mode | Periodic Scanning. NetShield displays the Periodic Scanning menu with the following options: o Scanning o Day of Week o Day of Month o Time of Day o Select Volumes to Scan o Load Scan Settings from File o Save Scan Settings to File Select the option you want. Selecting the Scanning Frequency You can schedule scanning on a daily, weekly, or monthly basis. For the best network performance, schedule scanning during periods of low network traffic, such as at 2:00 am or on weekends. To enable scanning, highlight Scanning and press ENTER. NetShield displays the Select Scanning Frequency menu with the following options. Select the scanning frequency you want and enter the required information: o Daily: Enter the time of day (0:01 to 23:59, in 24-hour format). o Weekly: Enter the day of the week (Sunday to Saturday) and the time of day (0:01 to 23:59). o Monthly: Enter the day of the month (1-31) and the time of day (0:01 to 23:59). If you enter 31, NetShield will scan on the last day of the month, even if it has fewer than 31 days. Thereafter, NetShield runs the scan at the scheduled date and time. Selecting Volumes for Periodic Scanning You can select the network volumes you want to scan in periodic scanning. These apply to the periodic scan only, and do not change the currently selected volumes for immediate or on access scanning. For more information, refer to "Selecting Volumes to Scan" earlier in this chapter. Highlight Select Volumes To Scan and press ENTER. NetShield displays a list of currently selected volumes. o To add a volume to the list, press INSERT. NetShield displays a list of available volumes. Highlight the volume you want to add, then press ENTER (to select multiple volumes, highlight each one and press F5 to mark it, then press ENTER). NetShield adds the selected volume(s) to the list of volumes to scan. o To remove a volume from the list, highlight it, press DELETE, then choose Yes when prompted to confirm deletion. NetShield removes the selected volume from the list of volumes to scan. NetShield will scan the selected volumes in subsequent scheduled scans, including any changes you have just made. Saving a Configuration File for Periodic Scanning You can store NetShield scan settings that apply only to the periodic scan in a special configuration file. By default, NetShield uses SYS:\SYSTEM\PER$CFG.DAT. We recommend that you use the default path so that configuration files are easy to locate. Configuration files for periodic scanning differ from configuration files created according to the instructions in "Setting Configuration File Options" later in this chapter. They contain only the scheduled scanning date and time, plus the volumes selected for periodic scanning. From the Periodic Scanning menu, highlight Save Scan Settings to File and press ENTER. NetShield prompts you to identify the configuration file you want to save. Type the volume, path, and name of the configuration file you want, then press ENTER. Alternatively, to find the file: 1. Press INSERT to display a list of available volumes. 2. Highlight the volume you want, then press ENTER. NetShield displays a list of directories (directory names are enclosed in square brackets). 3. Highlight the directory you want, then press ENTER. NetShield displays a list of subdirectories, files, or both. 4. If necessary, continue selecting subdirectories until you select the one containing the configuration file you want to use. 5. Highlight the configuration file you want to use, then press ESCAPE. NetShield displays the volume, path, and filename you selected. 6. Press ENTER to accept this path and filename, or ESCAPE to abandon the operation. NetShield prompts you to accept your changes and, if you answer Yes, saves the configuration file you specified. Loading a Configuration File for Periodic Scanning You can load a periodic scanning configuration file created using the instructions in the previous section, "Saving a Configuration File for Periodic Scanning." By default, NetShield uses SYS:\SYSTEM\PER$CFG.DAT. From the Periodic Scanning menu, highlight Load Scan Settings from File and press ENTER. NetShield prompts you to identify the configuration file you want to load. Type the volume, path, and name of the configuration file you want, then press ENTER. Alternatively, to find the file: 1. Press INSERT to display a list of available volumes. 2. Highlight the volume you want, then press ENTER. NetShield displays a list of directories (directory names are enclosed in square brackets). 3. Highlight the directory you want, then press ENTER. NetShield displays a list of subdirectories, files, or both. 4. If necessary, continue selecting subdirectories until you select the one containing the configuration file you want to use. 5. Highlight the configuration file you want to use, then press ESCAPE. NetShield displays the volume, path, and filename you selected. 6. Press ENTER to accept this path and filename, or ESCAPE to abandon the operation. NetShield prompts you to accept your changes and, if you answer Yes, loads the configuration file you specified and uses it for subsequent scheduled scans. Disabling Periodic Scanning You can disable periodic scanning to halt a period scan in progress or to prevent future scheduled scans. To disable periodic scanning, highlight Scanning, then press ENTER. NetShield displays the Scanning Frequency list. Highlight , then press ENTER. Configuring Virus Detection You can configure NetShield to take certain actions automatically if it finds an infected file when scanning your network. NetShield can: o Delete, remove, or ignore infected files. o Notify selected users and generate a message to the NetWare system console that a virus has been found. To configure NetShield in this way, from the NetShield Main menu, choose Configure Virus Detection. NetShield displays the Virus Detect Configuration menu with the following options: o Infected File Action o User Contact Action The rest of this section describes these options in detail. Setting the Infected File Action You can tell NetShield what to do with infected files found during a scan. NetShield can delete them to prevent further infection, move them to a quarantine directory for inspection or uploading to McAfee, or do nothing but report the infection in a log file. From the NetShield Main menu, choose Configure Virus Detection | Infected File Action. NetShield displays the Select Action from List menu with the following options: o Delete Infected File o Overwrite Infected File o Move Infected File o Ignore Infected file Select the action you want from the list. Deleting Infected Files Select this option to delete infected files found during a scan. If necessary, you can recover deleted files using the NetWare SALVAGE command. For more information, refer to your NetWare documentation. Due to the nature of anti-virus software, there is a possibility that NetShield may report a virus in a file that is not infected. Although such "false alarms" are rare, if it occurs during a scan, you can still recover the deleted file. You might also want to recover a deleted file to inspect it yourself or to upload it to McAfee for inspection. Overwriting Infected Files Select this option to delete infected files found during a scan so that they cannot be recovered except from backups. NetShield erases any infected files and writes random characters to the disk space formerly occupied by the infected file. As a result, this file is completely eradicated from your network and is not recoverable by you or other users, except from backups. This is the most secure option, but it can prevent you from recovering an infected file you might want to save for further inspection. Moving Infected Files Select this option to move infected files found during a scan to a different directory so that you can inspect them yourself and, if you want, upload them to McAfee for expert inspection. To avoid a situation in which users could inadvertently load an infected file and spread the virus, the directory you specify should be a "quarantine directory" to which only system administrators have access. To specify a directory, type the volume and path of the directory you want, then press ENTER. Alternatively, to find the directory: 1. Press INSERT to display a list of available volumes. 2. Highlight the volume you want, then press ENTER. NetShield displays a list of directories (directory names are enclosed in square brackets). 3. Highlight the directory you want, then press ENTER. NetShield displays a list of subdirectories, files, or both. 4. If necessary, continue selecting subdirectories until you highlight the one you want to use for infected files. 5. Highlight the directory you want to use, then press ESCAPE. NetShield displays the volume, path, and filename you selected. 6. Press ENTER to select this directory. NetShield prompts you to accept your changes and, if you answer Yes, uses the directory you selected. If the directory you specify does not exist, NetShield creates it for you automatically. Ignoring Infected Files Select this option to ignore infected files found during a scan. NetShield leaves any infected files intact on your system, which could result in further viral infection. We therefore recommend that you check the log files for infected files immediately after scanning and, if found, take steps to protect your system. Setting the User Contact Action You can configure NetShield to send a broadcast message to one or more users if infected files were found during a scan. That way, you and others can know immediately when viruses have been detected on your network. NetShield can also generate console messages to the NetWare server console. From the NetShield Main menu, choose Configure Virus Detection | User Contact Action. NetShield displays the User Contact Actions menu. o Edit User Contact List o Enable User Alarms o Enable Console Messages Select the options you want. Editing the User Contact List You can have NetShield notify certain users if viruses have been found. To specify the users to notify, highlight Edit User Contact List and press ENTER. NetShield displays a list of users to notify. o To add a users to the list, press INSERT. NetShield displays a list of available network users. Highlight the user you want to add, then press ENTER. NetShield adds the selected user to the list of users to notify. o To remove a user from the list, highlight it, then press DELETE. NetShield deletes the selected user from the list of users to notify. NetShield will notify the users on this list if viruses are found in future scans, including any changes you have just made. Enabling User Alarms You can tell NetShield whether to inform selected users that infected files were found during a scan. You might want to disable this capability if, for security reasons, you do not want users to know that viruses have been found. However, if you disable this feature, be sure to inspect the log file immediately after each scan so that you know whether your network has been infected. To change the current setting, highlight Enable User Alarms, type Y (for Yes) or N (for No), then press ENTER Enabling Console Messages You can tell NetShield whether to display messages about infected files on the NetWare system console. This provides an alternative method for alerting system administrators and maintains an audit trail for further investigation into virus incidents. For more information about NetWare server console messages, refer to your NetWare documentation. To change the current setting, highlight Enable Console Messages, type Y (for Yes) or N (for No), then press ENTER Configuring NetShield NLM You can configure NetShield to: o Save and load configuration files containing frequently- used NetShield settings. o Exclude directories from scanning. o Regulate server performance by assigning CPU processing priority to NetShield. o Perform CRC validation to detect new or unknown viruses. o Protect NetShield from unauthorized unloading by assigning a password. From the NetShield Main menu, choose Configure NetShield NLM. NetShield displays the NetShield NLM Configuration menu with the following options: o Configuration File Options o Configure Excluded Directories o NetShield Delay Factor o CRC Configuration Options o Password Configuration The rest of this section describes these options in detail. Setting Configuration File Options You can store current NetShield configuration information in a disk file that you can later load as needed. You can also obtain a copy of the current configuration settings by printing a report or saving them to an ASCII text file. A NetShield configuration file stores configuration information in a proprietary binary format and contains settings information such as the selected volumes to scan, periodic scan settings, logging, CRC checking, and other NetShield settings (you can print a list of current settings). Passwords are encrypted. From the NetShield Main menu, choose Configure NetShield NLM | Configuration File Options. NetShield displays the Configuration File Management Options menu with the following options: o Load Configuration Settings From File o Save Configuration Settings To File o Write Configuration Report To File o Print Current Configuration Settings Select the options you want. Loading Configuration Settings from a File Select this option to load a configuration file from disk. NetShield prompts you to identify the configuration file you want to load. By default, NetShield uses SYS:\SYSTEM\VIR$CFG.DAT. We recommend that you use the default path so that the configuration files are easy to locate if you need to investigate a problem. Type the volume, path, and name of the configuration file you want, then press ENTER. Alternatively, to find the file: 1. Press INSERT to display a list of available volumes. 2. Highlight the volume you want, then press ENTER. NetShield displays a list of directories (directory names are enclosed in square brackets). 3. Highlight the directory you want, then press ENTER. NetShield displays a list of subdirectories, files, or both. 4. If necessary, continue selecting subdirectories until you select the one containing the configuration file you want to use. 5. Highlight the configuration file you want to use, then press ESCAPE. NetShield displays the volume, path, and filename you selected. 6. Press ENTER to accept this filename, or ESCAPE to abandon the operation. NetShield prompts you to accept your changes and, if you answer Yes, loads the configuration file you specified and uses it for subsequent scans. Saving Configuration Settings to a File Select this option to save a configuration file to disk. NetShield prompts you to identify the name and path of the configuration file you want to save. By default, NetShield uses SYS:\SYSTEM\VIR$CFG.DAT. We recommend that you use the default path so that the configuration files are easy to locate if you need to investigate a problem. Type the volume, path, and name of the configuration file you want, then press ENTER. Alternatively, to find the file: 1. Press INSERT to display a list of available volumes. 2. Highlight the volume you want, then press ENTER. NetShield displays a list of directories (directory names are enclosed in square brackets). 3. Highlight the directory you want, then press ENTER. NetShield displays a list of subdirectories, files, or both. 4. If necessary, continue selecting subdirectories until you select the one containing the configuration file you want to use. 5. Highlight the configuration file you want to use, then press ESCAPE. NetShield displays the volume, path, and filename you selected. 6. Press ENTER to accept this filename, or ESCAPE to abandon the operation. NetShield prompts you to accept your changes and, if you answer Yes, writes configuration information to the file you specified. Writing the Configuration Report to a File Select this option to save the configuration report in an ASCII text file. NetShield prompts you to identify the name and path of the report file you want to create. By default, NetShield uses SYS:\SYSTEM\VIR$CFG.RPT. We recommend that you use the default path so that report files are easy to locate. Type the volume, path, and name of the report file you want, then press ENTER. Alternatively, to find the file: 1. Press INSERT to display a list of available volumes. 2. Highlight the volume you want, then press ENTER. NetShield displays a list of directories (directory names are enclosed in square brackets). 3. Highlight the directory you want, then press ENTER. NetShield displays a list of subdirectories, files, or both. 4. If necessary, continue selecting subdirectories until you select the one containing the configuration file you want to use. 5. Highlight the configuration file you want to use, then press ESCAPE. NetShield displays the volume, path, and filename you selected. 6. Press ENTER to accept this filename, or ESCAPE to abandon the operation. NetShield prompts you to accept your changes and, if you answer Yes, writes configuration information to the report file you specified. If the report file exists, NetShield overwrites it. Printing Current Configuration Settings Select this option to send a report of the current configuration settings to a network printer queue. NetShield displays a list of available print queues. Highlight the queue you want, then press ENTER to select it. NetShield sends the report to the queue you selected. Configuring Excluded Directories You can exclude selected directories from scanning if you want to reduce scanning time and you are confident that such directories are unlikely to be infected by a virus. For example, because most viruses infect executable files, you might want to exclude directories that contain only data files. From the NetShield Main menu, choose Configure NetShield NLM | Configure Excluded Directories. NetShield displays the Configure Excluded Directories menu with the following options: o Edit List of Excluded Directories o Apply Exclusion List to All Scans The rest of this section describes these options in detail. Selecting Directories to Exclude Select this option to change the list of directories to exclude from scanning. To specify a directory to exclude, type the volume and path of the directory you want, then press ENTER. Alternatively, to find a directory: 1. Press INSERT to display a list of available volumes. 2. Highlight the volume you want, then press ENTER. NetShield displays a list of directories (directory names are enclosed in square brackets). 3. Highlight the directory you want, then press ENTER. NetShield displays a list of subdirectories, files, or both. 4. If necessary, continue selecting subdirectories until you highlight the one you want to use for infected files. 5. Highlight the directory you want to use, then press ESCAPE. NetShield displays the volume, path, and filename you selected. 6. Press ENTER to select this directory. NetShield prompts you to accept your changes and, if you answer Yes, adds the selected directory to the list of excluded directories. To remove a directory from the list, highlight it, then press DELETE. NetShield deletes the selected directory from the list of directories to exclude. If the exclusion list is enabled (for more information, refer to the next section), NetShield will exclude directories from scanning using this list, including any changes you have just made. Applying the Exclusion List to All Scans Select this option to ignore, during scanning, the directories in the exclusion list. To change the current setting, highlight Apply Exclusion List to All Scans, press ENTER, then choose or from the prompt. Setting the Delay Factor You can regulate server performance during scanning by controlling the amount of CPU time that NetShield uses to conduct the scan. The higher the delay, the more CPU time is devoted to carrying out the scan operation. From the NetShield Main menu, choose Configure NetShield NLM | NetShield Delay Factor. NetShield prompts you to enter a priority. The default delay factor is 3. Type a number between 1 and 100, inclusive, then press ENTER. o If you choose a delay setting of 1, which is the most CPU- intensive, 40-50% CPU usage is added and approximately one file is scanned per second. We recommend using higher settings during periods of low network traffic. o If you choose a delay setting of 100, which is the least CPU-intensive, 1-2% CPU usage is added and one file is scanned approximately every 10 seconds. We recommend using lower settings during periods of high network traffic. NetShield uses the delay factor you specified. Setting CRC Configuration Options If your environment is highly vulnerable to viruses, or you require additional security against them, you can use NetShield's CRC (Cyclic Redundancy Check) checking option to detect infection by new and unknown viruses. NetShield can assign validation codes to files, then use those codes to detect file changes and warn that infection by an unknown virus may have occurred. NetShield stores validation information in an encrypted database file. The use of CRC validation codes requires an ongoing effort to store and maintain the codes. For example, if you install new programs or upgrade old ones, you should remove all the validation codes, then add them again to restore them. If you install new software, or upgrade your DOS or NetWare version, remember to update your recovery file. Because the validation codes will change whenever a file is updated, we recommend using CRC checks only in stable environments where few software updates are performed. In addition, consider excluding any directories containing data files that are frequently updated. To exclude directories from scanning, refer to "Configuring Excluded Directories" earlier in this chapter. From the NetShield Main menu, choose Configure NetShield NLM | CRC Configuration Options. NetShield displays the CRC Configuration Options menu with the following options. o Add CRC Code To External File o Verify CRC Code From External File o Remove CRC Code From External File o Edit External File Name Select the options you want. NOTE: You can enable only one of the options (Add, Verify, and Remove) at a time during a scan. If you enable one option, NetShield automatically disables any other enabled option. Adding CRC Code to an External File Select this option to tell NetShield to add CRC validation codes to the external database file during the next scan. Any previous validation codes should be removed from the selected database file before proceeding. We recommend disabling this option once the validation codes have been added. To change the current setting, highlight Add CRC Code To External File, press ENTER, then choose or from the prompt. Verifying CRC Code from an External File Once you have added CRC validation codes to the database, select this option to tell NetShield to check for validation codes in subsequent scans and, if files have changed, to warn that infection by an unknown virus may have occurred. To change the current setting, highlight Verify CRC Code From External File, press ENTER, then choose or from the prompt. Removing CRC Code from an External File Once you have added CRC validation codes to the database, select this option to tell NetShield to remove them during the next scan from the selected database file. You normally do this if you have added or upgraded software on your network and need to re-add validation codes. To change the current setting, highlight Remove CRC Code From External File, press ENTER, then choose or from the prompt. Selecting the Name of the External File By default, the database file used to store CRC validation codes is named VIR$CRC.DAT, which is stored in the same directory as the NETSHLD.NLM file. You can change the name and location of the database file as needed. Type the volume, path, and name of the validation database file you want, then press ENTER. Alternatively, to find the file: 1. Press INSERT to display a list of available volumes. 2. Highlight the volume you want, then press ENTER. NetShield displays a list of directories (directory names are enclosed in square brackets). 3. Highlight the directory you want, then press ENTER. NetShield displays a list of subdirectories, files, or both. 4. If necessary, continue selecting subdirectories until you select the one containing the validation database file you want to use. 5. Highlight the database validation file you want to use, then press ESCAPE. NetShield displays the volume, path, and filename you selected. 6. Press ENTER to accept this filename, or ESCAPE to abandon the operation. NetShield prompts you to accept your changes and, if you answer Yes, uses the validation database file you specified. Setting the Unload Password You can assign a password to NetShield to ensure that only authorized users can unload NetShield once it has been loaded. The password is not case-sensitive, can be up to 40 characters long, and can be any mix of alphanumeric and punctuation characters. The default NLM password is: NETSHIELD. The password is encrypted. From the NetShield Main menu, choose Configure NetShield NLM | Password Configuration. NetShield displays the Password Configuration menu with the following options: o Change Existing Password o Password Enable Status The rest of this section describes these options in detail. Changing the Existing Password Select this option to add a change the unload password. Enter the current password, if any, then enter the new password (or leave it blank to remove the password). Be sure to write down your new password and store it in a secure location. Enabling the Unload Password Select this option to force users to enter the unload password before exiting NetShield. To change the current setting, highlight Password Enable Status, press ENTER, then choose or from the prompt. Configuring Virus Reporting NetShield can keep a log of scans and infections found. You can view this log on screen, print it, or discard it. We recommend that you use NetShield's logging feature so that you have an audit trail to assist in your investigation of virus incidents. From the NetShield Main menu, choose Configure Virus Reporting. NetShield displays the Virus Reporting Options menu with the following options. o Configure Log File Settings o Select Log File Reports The rest of this section describes these options in detail. Setting Up the Log File NetShield can record the results of scanning in a log file that you can later use for auditing your system and investigating problems. NetShield appends log information in the log file, including the date and time the scan was run and, if viruses are detected, an entry for each file suspected to contain a virus (name, location, and virus name). From the NetShield Main menu, choose Configure Virus Reporting | Configure Log File Settings. NetShield displays the Log File Configuration Options menu with the following options: o Enter Log File Path o Enable Logging To Log File Entering the Log File Path Select this option to specify the name and location of the log file. If the log file has not been configured, the default filename is VIR$LOG.DAT. Type the volume, path, and name of the log file you want, then press ENTER. Alternatively, to find the file: 1. Press INSERT to display a list of available volumes. 2. Highlight the volume you want, then press ENTER. NetShield displays a list of directories (directory names are enclosed in square brackets). 3. Highlight the directory you want, then press ENTER. NetShield displays a list of subdirectories, files, or both. 4. If necessary, continue selecting subdirectories until you select the one containing the log file you want to use. 5. Highlight the log file you want to use, then press ESCAPE. NetShield displays the volume, path, and filename you selected. 6. Press ENTER to accept this filename, or ESCAPE to abandon the operation. NetShield prompts you to accept your changes and, if you answer Yes, uses the log file you specified. If the file does not exist, NetShield creates it automatically. If the file exists, NetShield prompts you to overwrite the file or append new information to it. Enabling Logging to a Log File We recommend that logging is enabled whenever you scan so that you have an audit trail of infections found. However, you can select this option to disable logging as well, if necessary. To change the current setting, highlight Enable Logging to a Log File, press ENTER, then choose or from the prompt. Selecting Log File Reports If logging is enabled, NetShield can display, print, or discard the contents of the currently selected log file. From the NetShield Main menu, choose Configure Virus Reporting | Select Log File Reports. NetShield displays the Select Log File Reports menu with the following options: o View Contents of Log File o Print Contents of Log File Select the options you want. Viewing the Log Select this option to display the current log file and peruse its contents in a scrollable window. Use these keys to navigate the scrollable window: o HOME to view the first entry in the log file. o END to view the last entry in the log file. o PGUP and PGDN to view the log file one screen at a time. o ESCAPE to exit the scrollable window. Printing the Log Select this option to print the current log file for future reference. NetShield displays a list of available print queues. Highlight the queue you want, then press ENTER to select it. NetShield sends the log report to the queue you selected and displays a message verifying that the report was sent. Configuring Network Monitoring For highly secure networks, NetShield can detect and log any attempts to write to read-only directories, such as directories containing application executables. This log provides additional information about possible sources of viral infection on your network. You can also suspend read-only protection for authorized users to make changes to monitored directories, such as installing or upgrading software. Password protection ensures centralized control over access to these directories. To use network monitoring, you configure NetShield by selecting the directories, file extensions, and users to monitor, then you activate network monitoring. Entering a Password Network monitoring is password-protected to ensure that only authorized users have access. The default password is: login admin You should change this password when you run NetShield for the first time. For instructions, refer to "Changing the Network Security Password" later in this section. From the NetShield Main menu, choose Configure Network Monitoring. NetShield prompts you to enter a password. Type the password (which is not case-sensitive), then press ENTER. NetShield displays the Configure Network Security menu with the following options: o Edit Network Security Configuration o Set Path for Log File o Save Current Configuration To A File o Restore Current Configuration From A File o Current Network Security Status The rest of this section describes these options in detail. Editing the Network Security Configuration You can configure NetShield to: o Monitor disk write attempts for files with specific extensions. o Monitor specific directories for write attempts. o Exclude files from monitoring o Monitor selected administrators for write attempts. o Permit only selected users to write to monitored directories. You can also save and load configuration settings in a file. For more information, refer to "Saving the Current Configuration" and "Loading a Configuration" later in this chapter. From the NetShield Main menu, choose Configure Network Monitoring | Edit Network Security Configuration. NetShield displays the Network Security Configuration Options menu with the following options: o Create File and Extension Master List o Select Entries To Monitor From Master List o Select Files to be Excluded from Monitoring o Select Directories To Monitor for All Users o Change Monitored Users o Change Temporary Authorization o Change Network Security Password Select the options you want. Creating a Master List of Files and File Extensions Select this option to manage the master list of files and file extensions to monitor. For example, you might want NetShield to monitor all executable files by adding the COM, EXE, SYS, BIN, OVL, or DLL extensions to the list. You will use this master list in the next section, "Selecting Entries to Monitor." From the Configure Network Security menu, choose Edit Network Security Configuration | Create File and Extension Master List. NetShield displays the current master list. o To add an extension to the list, press INSERT, type a period (required) and a new extension (up to 3 letters), then press ENTER. NetShield adds the new extension to the master list. If you want NetShield to monitor this extension, however, you must add it to another list. For more information, refer to the next section "Selecting Entries to Monitor." o To add a file to the list, press INSERT, type the full file name (name, period, and extension), then press ENTER. NetShield adds the new file to the master list. If you want NetShield to monitor this file, however, you must add it to another list. For more information, refer to the next section "Selecting Entries to Monitor." o To remove a file or files extension from the list, highlight it, then press DELETE. NetShield deletes the selected entry. Once you have selected the extensions you want for the master list, you must then select the extensions you want NetShield to monitor while scanning. Selecting Entries to Monitor From the master list of files and file extensions, you can select the list of entries that NetShield will monitor for unauthorized write attempts. At a minimum, consider specifying standard executable file extensions (EXE, COM, SYS, BIN, OVL, and DLL). When a file is copied to a monitored directory, NetShield determines whether the copied file or its extension exists in the list of monitored entries and, if so, NetShield creates a entry in the log file. From the Configure Network Security menu, choose Edit Network Security Configuration | Select Entries To Monitor From Master List. NetShield displays the current list of monitored files and file extensions. o To add an entry to the list, press INSERT. NetShield displays the master list of available files and file extensions. Highlight the entry you want, then press ENTER. NetShield adds the new entry to the list of entries to monitor. o To remove an entry from the list, highlight it, then press DELETE. NetShield deletes the selected entry from the list of entries to monitor. However, deleting it from this list does not remove it from the master list. NetShield will monitor files with the selected name or extension in the list, including any changes you have just made. Selecting Files to be Excluded from Monitoring You can exclude certain files and file extensions from monitoring, such as a backup file that is frequently updated. From the Configure Network Security menu, choose Edit Network Security Configuration | Select Files To Be Excluded From Monitoring. NetShield displays the current list of excluded files. To specify a file or file extension to exclude from monitoring, type its name, path, and extension, then press ENTER. Alternatively, to find a file: 1. Press INSERT to display a list of available volumes. 2. Highlight the volume you want, then press ENTER. NetShield displays a list of directories (directory names are enclosed in square brackets). 3. Highlight the directory you want, then press ENTER. NetShield displays a list of subdirectories, files, or both. 4. If necessary, continue selecting subdirectories until you highlight the one you want to exclude. 5. Highlight the file you want to exclude, then press ESCAPE. NetShield displays the volume, path, and filename you selected. 6. Press ENTER to select this directory. NetShield prompts you to accept your changes and, if you answer Yes, adds the selected directory to the list of directories to monitor. To remove a directory from the list, highlight it, then press DELETE. NetShield deletes the selected directory from the list of directories to monitor. NetShield will exclude from monitoring the files and file extensions you selected. Selecting Directories to Monitor for All Users You can select the directories that NetShield will protect and monitor for unauthorized write attempts. For example, you might want to monitor directories that contain application executables. From the Configure Network Security menu, choose Edit Network Security Configuration | Select Directories To Monitor for All Users. NetShield displays the current list of monitored directories. To specify a directory to exclude, type the volume and path of the directory you want, then press ENTER. Alternatively, to find a directory: 1. Press INSERT to display a list of available volumes. 2. Highlight the volume you want, then press ENTER. NetShield displays a list of directories (directory names are enclosed in square brackets). 3. Highlight the directory you want, then press ENTER. NetShield displays a list of subdirectories, files, or both. 4. If necessary, continue selecting subdirectories until you highlight the one you want to use for infected files. 5. Highlight the directory you want to use, then press ESCAPE. NetShield displays the volume, path, and filename you selected. 6. Press ENTER to select this directory. NetShield prompts you to accept your changes and, if you answer Yes, adds the selected directory to the list of directories to monitor. To remove a directory from the list, highlight it, then press DELETE. NetShield deletes the selected directory from the list of directories to monitor. NetShield will monitor directories using this list, including any changes you have just made. Changing Monitored Administrators You can select the administrators that NetShield will monitor for write attempts to monitored directories. From the Configure Network Security menu, choose Edit Network Security Configuration | Change Monitored Users. NetShield displays the list of currently monitored administrators. o To add an administrator to the list, press INSERT. NetShield displays a list of available users, as shown in the following example: {UsersNotInAnyGroups} [EVERYONE] [WORDPROCESSING] Highlight a group, then press ENTER. NetShield displays a list of users for that group. Highlight a user you want to authorize, then press ENTER. NetShield adds the selected user to the list of authorized administrators. o To remove a user from the list, highlight it, then press DELETE. NetShield deletes the selected user name from the list of monitored administrators. NetShield will monitor only users and groups in this list, including any changes you have just made. Authorizing Temporary Access to Monitored Directories You can suspend, for a brief time, read-only protection on monitored directories so that authorized users can make changes. For example, you might want to allow one or more administrators to install or upgrade software in a monitored directory. From the Configure Network Security menu, choose Edit Network Security Configuration | Change Temporary Authorization. NetShield displays the Change Temporary Authorization menu with the following options: o Change Temporary Authorization List o Enable Administrative Access Select the options you want. Specifying Temporary Authorized Administrators Select this option to allow certain administrators to write to monitored directories during temporary authorization. You select from the list of monitored administrators. For more information, refer to the previous section, "Changing Monitored Administrators." From the Configure Network Security menu, choose Edit Network Security Configuration | Change Temporary Authorization | Change Temporary Authorization List. NetShield displays the list of currently monitored administrators. o To add a monitored administrator to the temporary authorization list, press INSERT. NetShield displays a list of monitored administrators. Highlight a user, then press ENTER. NetShield adds the selected user to the list of temporarily authorized administrators. o To remove a user from the list, highlight it, then press DELETE. NetShield deletes the selected user name from the list of temporarily authorized administrators. NetShield will permit access to protected directories only to users in this list, including any changes you have just made. Enabling Administrative Access Select this option to allow authorized administrators to write to a protected directory while network monitoring is enabled. You might want to do this, for example, to install or upgrade software stored in a monitored directory. From the Configure Network Security menu, choose Edit Network Security Configuration | Change Temporary Authorization | Enable Administrative Access. NetShield prompts you to enter the number of minutes you want to enable access. o To enable access, type a number between 1 and 180, inclusive, then press ENTER. NetShield displays the time remaining for authorized administrators to update monitored directories. NOTE: If the administrative access time runs out while changes are being made to monitored directories, NetShield completes the current write operation, if any, then prevents additional changes. o To disable access, enter 0, the default access time. Changing the Network Security Password You can assign a password to NetShield to ensure that only authorized users can access network monitoring. The password is not case-sensitive, can be up to forty (40) characters long, and can be any mix of alphanumeric and punctuation characters. The password is encrypted. From the Configure Network Security menu, choose Edit Network Security Configuration | Change Network Security Password. Enter the current password, if any, then enter the new password. Be sure to write down your new password and store it in a secure location. Setting Up the Log File NetShield can record the results of network monitoring in a log file that you can later use for auditing your system and investigating problems. NetShield appends the following information in the log file: the date and time of the attempt as well as the user, workstation, file, and target directory involved. Here is a sample entry in the log file: Wed Aug 31 17:09:14 1994 Attempt to write file XXX.EXE to directory SYS:\SYSTEM\ on server STORM by user SUPERVISOR, ID 1 From Workstation 0000001C/0000c0cf0400 DENIED! From the Configure Network Security menu, choose Set Path for Log File. NetShield prompts you to specify the log file name and path. If the log file has not been configured, the default filename is NETSHLD.LOG. Type the volume, path, and name of the log file you want, then press ENTER. Alternatively, to find the file: 1. Press INSERT to display a list of available volumes. 2. Highlight the volume you want, then press ENTER. NetShield displays a list of directories (directory names are enclosed in square brackets). 3. Highlight the directory you want, then press ENTER. NetShield displays a list of subdirectories, files, or both. 4. If necessary, continue selecting subdirectories until you select the one containing the log file you want to use. 5. Highlight the log file you want to use, then press ESCAPE. NetShield displays the volume, path, and filename you selected. 6. Press ENTER to accept this filename, or ESCAPE to abandon the operation. NetShield prompts you to accept your changes and, if you answer Yes, uses the log file you specified. If the file does not exist, NetShield creates it automatically. Saving the Current Configuration Select this option to save the network monitoring configuration file to disk. NetShield prompts you to identify the name and path of the configuration file you want to save. By default, NetShield uses SYS:\SYSTEM\NETSHLD.CFG. We recommend that you use the default path so that the configuration files are easy to locate if you need to investigate a problem. NOTE: The network monitoring configuration file contains information about your network monitoring setup, not about your NetShield virus protection configuration. From the Configure Network Security menu, choose Save Current Configuration to a File. NetShield prompts you to identify the name and path of the configuration file you want to save. By default, NetShield uses SYS:\SYSTEM\NETSHLD.CFG. We recommend that you use the default path so that the configuration files are easy to locate if you need to investigate a problem. Type the volume, path, and name of the network monitoring configuration file you want, then press ENTER. Alternatively, to find the file: 1. Press INSERT to display a list of available volumes. 2. Highlight the volume you want, then press ENTER. NetShield displays a list of directories (directory names are enclosed in square brackets). 3. Highlight the directory you want, then press ENTER. NetShield displays a list of subdirectories, files, or both. 4. If necessary, continue selecting subdirectories until you select the one containing the configuration file you want to use. 5. Highlight the configuration file you want to use, then press ESCAPE. NetShield displays the volume, path, and filename you selected. 6. Press ENTER to accept this filename, or ESCAPE to abandon the operation. NetShield prompts you to accept your changes and, if you answer Yes, writes configuration information to the configuration file you specified. Restoring a Configuration from a File Select this option to load a network monitoring configuration file from disk. From the Configure Network Security menu, choose Save Restore Current Configuration from a File. NetShield prompts you to identify the name and path of the configuration file you want to save. By default, NetShield uses SYS:\SYSTEM\NETSHLD.CFG. We recommend that you use the default path so that the configuration files are easy to locate if you need to investigate a problem. Type the volume, path, and name of the configuration file you want, then press ENTER. Alternatively, to find the file: 1. Press INSERT to display a list of available volumes. 2. Highlight the volume you want, then press ENTER. NetShield displays a list of directories (directory names are enclosed in square brackets). 3. Highlight the directory you want, then press ENTER. NetShield displays a list of subdirectories, files, or both. 4. If necessary, continue selecting subdirectories until you select the one containing the configuration file you want to use. 5. Highlight the configuration file you want to use, then press ESCAPE. NetShield displays the volume, path, and filename you selected. 6. Press ENTER to accept this filename, or ESCAPE to abandon the operation. NetShield prompts you to accept your changes and, if you answer Yes, loads the configuration file you specified and uses it for subsequent monitoring. Enabling Network Security Select this option to activate or disable NetShield's network monitoring feature. To change the current setting, on the Configure Network Monitoring menu, highlight Current Network Security Status, press ENTER, then choose or from the prompt.