McAfee VirusScan Administrator’s Guide Version 4.
COPYRIGHT Copyright © 1998-2000 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies.
Table of Contents
Preface
Anti-virus protection as information security
Information security as a business necessity
Active Virus Defense security perimeters
McAfee anti-virus research
Installing VirusScan software on other computers
Using Active Directory and Group Policies
Installing VirusScan software using command-line options
Using Management Edition software
Using ePolicy Orchestrator to deploy VirusScan software
Installing via System Management Server
Understanding the AutoUpgrade utility
Configuring the AutoUpgrade utility
Using the AutoUpgrade and SuperDAT utilities together
Deploying an EXTRA.DAT file
Appendix A. Using VirusScan Administrative Utilities
Appendix E. Network Associates Support Services
Adding value to your McAfee product
PrimeSupport options for corporate customers
Ordering a corporate PrimeSupport plan
PrimeSupport options for home users
Preface
Anti-virus protection as information security
“The world changed [on March 26, 1999]—does anyone doubt that? The world is different. Melissa proved that ... and we are very fortunate ... the world could have gone very close to meltdown.
• W32/Ska, though technically a worm, replaced the infected computer’s WinSock file so that it could attach itself to outgoing Simple Mail Transfer Protocol (SMTP) messages and postings to USENET news groups. This strategy made it commonplace in many areas.
• Remote Explorer stole the security privileges of a Windows NT domain administrator and used them to install itself as a Windows NT Service.
A rash of Melissa variants and copycats appeared soon after. Some, such as W97M/Prilissa, included destructive payloads. Later the same year, a number of new viruses and worms either demonstrated novel or unexpected ways to get into networks and compromise information security, or actually perpetrated attacks. Examples included:
• W32/ExploreZip.worm and its variants, which used some of Melissa’s techniques to spread, initially through e-mail.
Information security as a business necessity
Coincidentally or not, these darkly inventive new virus attacks and speedy propagation methods appeared as more businesses made the transition to Internet-based information systems and electronic commerce operations. The convenience and efficiency that the Internet brought to business saved money and increased profits.
Active Virus Defense security perimeters
The McAfee Active Virus Defense product suite exists for one simple reason: there is no such thing as too much anti-virus protection for the modern, automated enterprise. Although at first glance it might seem needlessly redundant to protect all of your desktop computers, file and network servers, gateways, e-mail servers and firewalls, each of these network nodes serves a different function in your network, and has different duties.
• System memory, boot sectors, and master boot records. You can configure regularly scheduled scan operations that examine these favorite virus hideouts, or set up periodic operations whenever a threat seems likely.
• Microsoft Exchange mailboxes. VirusScan software includes a specialized E-Mail Scan extension that assumes your network user’s Microsoft Exchange or Outlook identity to scan his or her mailbox directly—before viruses get downloaded to the local workstation.
You can use ePolicy Orchestrator to configure, update, distribute and manage VirusScan installations at the group, workstation or user level. Schedule and run scan tasks, change configurations, update .DAT and engine files—all from a central console. Taken together, the Active Virus Defense suite forms a tight series of anti-virus security perimeters around your network that protect you against both external and internal sources of infection.
How to contact McAfee and Network Associates
Customer service
On December 1, 1997, McAfee Associates merged with Network General Corporation, Pretty Good Privacy, Inc., and Helix Software, Inc. to form Network Associates, Inc. The combined Company subsequently acquired Dr Solomon’s Software, Trusted Information Systems, Magic Solutions, and CyberMedia, Inc. A January 2000 company reorganization formed four independent business units, each concerned with a particular product line.
Other contact information for retail-licensed customers:
Phone: (972) 308-9960
Fax: (972) 619-7485 (24-hour, Group III fax)
E-Mail: cust_care@nai.com
Web: http://www.mcafee.com/
Technical support
McAfee and Network Associates are famous for their dedication to customer satisfaction. The companies have continued this tradition by making their sites on the World Wide Web valuable resources for answers to technical support issues.
To provide the answers you need quickly and efficiently, the Network Associates technical support staff needs some information about your computer and your software. Please include this information in your correspondence:
• Product name and version number
• Computer brand and model
• Any additional hardware or peripherals connected to your computer
• Operating system type and version numbers
• Network type and version, if applicable
• Contents of your AUTOEXEC.BAT, CONFIG.
Reporting new items for anti-virus data file updates
McAfee anti-virus software offers you the best available detection and removal capabilities, including advanced heuristic scanning that can detect new and unnamed viruses as they emerge. Occasionally, however, an entirely new type of virus that is not a variation on an older type can appear on your system and escape detection.
International contact information
To contact Network Associates outside the United States, use the addresses, phone numbers and fax numbers below.
Network Associates Australia Network Associates Austria Level 1, 500 Pacific Highway Pulvermuehlstrasse 17 St.
Network Associates France S.A.
Network Associates Portugal Net Tools Network Associates South Africa Av. da Liberdade, 114 Bardev House, St. Andrews 1269-046 Lisboa Meadowbrook Lane Portugal Epson Downs, P.O. Box 7062 Phone: 351 1 340 4543 Bryanston, Johannesburg Fax: South Africa 2021 351 1 340 4575 Phone: 27 11 706-1629 Fax: Network Associates South East Asia Network Associates Spain 78 Shenton Way Orense 4, 4a Planta.
1 About VirusScan Software
Introducing VirusScan anti-virus software
Eighty percent of the Fortune 100—and more than 50 million users worldwide—choose VirusScan anti-virus software to protect their computers from the staggering range of viruses and other malicious agents that has emerged in the last decade to invade corporate networks and cause havoc for business users.
The new release also adds multiplatform support for Windows 95, Windows 98, Windows NT Workstation v4.0, and Windows 2000 Professional, all in a single package with a single installer, but optimized to take advantage of the benefits each platform offers. Windows NT Workstation v4.0 and Windows 2000 Professional users, for example, can run VirusScan software with differing security levels that provide a range of enforcement options for system administrators.
How does VirusScan software work?
VirusScan software combines the anti-virus industry’s most capable scan engine with top-notch interface enhancements that give you complete access to that engine’s power. The VirusScan graphical user interface unifies its specialized program components, but without sacrificing the flexibility you need to fit the software into your computing environment.
This meant that the simple pattern-matching method that earlier scan engine incarnations used to find many viruses simply no longer worked, since no constant sequence of bytes existed to detect. To respond to this threat, McAfee researchers developed the PolyScan Decryption Engine, which locates and analyzes the algorithm that these types of viruses use to encrypt and decrypt themselves.
Still others open “back doors” into desktop systems or create security holes in a way that closely resembles a deliberate attempt at network penetration, rather than the more random mayhem that most viruses tend to leave in their wakes. The latest VirusScan software releases, as a consequence, do not simply wait for viruses to appear on your system; they scan proactively at the source or work to deflect hostile agents away from your system.
the Console comes with a preset list of tasks that ensures a minimal level of protection for your system—you can, for example, immediately scan and clean your C: drive or all disks on your computer.
• The VShield scanner. This component gives you continuous anti-virus protection from viruses that arrive on floppy disks, from your network, or from various sources on the Internet. The VShield scanner starts when you start your computer, and stays in memory until you shut down.
• The SendVirus utility. This component gives you an easy and painless way to submit files that you believe are infected directly to McAfee anti-virus researchers. A simple wizard guides you as you choose files to submit, include contact details and, if you prefer, strip out any personal or confidential data from document files.
• The Emergency Disk creation utility.
All of the command-line scanners allow you to initiate targeted scan operations from an MS-DOS Prompt or Command Prompt window, or from protected MS-DOS mode. Ordinarily, you’ll use the VirusScan application’s graphical user interface (GUI) to perform most scanning operations, but if you have trouble starting Windows or if the VirusScan GUI components will not run in your environment, you can use the command-line scanners as a backup.
• Documentation.
– A LICENSE.TXT file. This file outlines the terms of your license to use VirusScan software. Read it carefully—by installing VirusScan software you agree to its terms.
– A README.TXT file. This file contains last-minute additions or changes to the documentation, lists any known behavior or other issues with the product release, and often describes new product features incorporated into incremental product updates. You’ll find the README.
Interface enhancements
This release moves the VirusScan interface for all supported platforms solidly into the territory VirusScan for Windows 95 and Windows 98 pioneered with its v4.0.1 release. This adds extensive VShield scanner configuration options for the Windows NT Workstation v4.0 and Windows 2000 Professional platforms, while reducing the complexity of some previous configuration options.
Changes in product functionality
• A new Alert Manager Client configuration utility allows you to choose an Alert Manager server installed on your network as an alert message destination, or to select a network share as a destination for Centralized Alerting messages. You can also supplement either of these alert methods with Desktop Management Interface alert messages.
2 Installing VirusScan Software
Before you begin
During Setup, you can choose to install VirusScan software either on your local computer, or on other computers elsewhere on the network. The first option copies VirusScan program files to your computer’s hard disk. The second option copies selected components to the target workstation.
Installing VirusScan software on a local computer
Note which type of VirusScan software distribution you have, then follow the corresponding steps to prepare your files for installation.
2. Choose Run from the Start menu in the Windows taskbar. The Run dialog box will appear (Figure 2-1).
Figure 2-1. Run dialog box
3. Type :\SETUP.EXE in the text box provided, then click OK. Here, represents the drive letter for your CD-ROM drive or the path to the folder that contains your extracted VirusScan files. To search for the correct files on your hard disk or CD-ROM, click Browse.
If your computer runs Windows 2000 Professional, the correct MSI version already exists on your system. If your computer runs an earlier Windows release, you might still have this MSI version on your system if you previously installed other software that uses MSI. If you have the correct MSI version on your computer and do not have any previous VirusScan versions installed on your system, Setup will display its first wizard panel immediately. Skip to Step 5 to continue.
If you do not agree to the license terms, select I do not agree to the terms of the License Agreement, then click Cancel. Setup will quit immediately. Otherwise, click I agree to the terms of the License Agreement, then click Next> to continue. Setup next checks to see whether incompatible software exists on your computer.
If you have no incompatible software on your system and your computer runs Windows 95 or Windows 98, skip to Step 10 on page 40 to continue with the installation. If you have no incompatible software and your system runs Windows NT Workstation v4.0 or Windows 2000 Professional, skip to Step 9 on page 39 to continue. Otherwise, continue with Step 8.
Figure 2-5. Incompatible software panel
8. Select the checkbox shown, then click Next>.
The options in this panel govern whether others who use your computer can make changes to the configuration options you choose, can schedule and run tasks, or can enable and disable VirusScan components. VirusScan software includes extensive security measures to ensure that unauthorized users cannot make any changes to software configurations in Maximum Security mode. The Standard Security mode allows all users to have access to all configuration options.
Setup next asks you to choose a Typical or a Custom setup for this computer (Figure 2-7).
Figure 2-7. Setup Type panel
10. Choose the Setup Type you prefer. Your choices are:
• Typical Installation.
To learn more about what each component does, see “What comes with VirusScan software?” on page 29 of the VirusScan User’s Guide.
11. Choose the option you prefer, then click Next> to continue. If you chose Custom Setup, you’ll see the panel shown in Figure 2-8. Otherwise, skip to Step 14 on page 42 to continue with your installation.
Figure 2-8. Custom Setup panel
12. Choose the VirusScan components you want to install. You can:
• Add a component to the installation.
You can also specify a different disk and destination directory for the installation. Click Change, then locate the drive or directory you want to use in the dialog box that appears. To see a summary of VirusScan disk usage requirements relative to your available hard disk space, click Disk Usage. The wizard will highlight disks that have insufficient space.
13. When you have chosen the components you want to install, click Next> to continue.
Figure 2-10. Completing Setup panel
15. At this point, you can:
• Finish your installation. Leave the Scan Memory for Viruses before Configuring checkbox clear, then click Skip Config to finish your installation. Setup will ask if you want to start the VShield scanner and the VirusScan Console immediately. To do so, select the Start VirusScan checkbox, then click Finish. Your VirusScan software is ready for use.
Figure 2-11. Configuration panel
16. If your computer runs Windows 95 or Windows 98, you can choose any of the configuration options shown here. These are:
• Scan boot record at startup. Select this checkbox to have Setup write these lines to your Windows AUTOEXEC.BAT file:
    C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCAN.EXE C:\
    @IF ERRORLEVEL 1 PAUSE
This tells your system to start the VirusScan Command Line scanner when your system starts.
• Run Default Scan for Viruses after Installation. This option is active by default. The option tells Setup to finish the installation, then to run the VirusScan application immediately afterwards to scan your entire startup partition. The application will alert you if it finds any viruses on this partition, but otherwise will quit without any further notice. Clear this checkbox to skip this scan operation.
18. Choose the update option you prefer. You can:
• Run AutoUpdate Now. This option uses default AutoUpdate configuration options to connect directly to the McAfee website and download the latest incremental .DAT file updates. Select this option if your company has not designated a location on your network as an update site, and if you do not need to configure proxy server or firewall settings. This ensures that any scan operation you run uses current files.
Figure 2-13. Successful Installation panel
20. To do so, select the Start VirusScan checkbox, then click Finish. The VirusScan software “splash screens” will appear, and the VShield scanner and VirusScan Console icons will appear in the Windows system tray. Your software is ready for use.
NOTE: If you had a previous VirusScan version installed on your computer, you must restart your system in order to start the VShield scanner. Setup will prompt you to restart your system.
The Emergency Disk you create includes BOOTSCAN.EXE, a specialized, small-footprint command-line scanner that can scan your hard disk boot sectors and Master Boot Record (MBR). BOOTSCAN.EXE works with a specialized set of .DAT files that focus on ferreting out boot-sector viruses. If you have already installed VirusScan software with default Setup options, you can find these .
1. Click Next> to continue. The next wizard panel appears (Figure 2-15).
Figure 2-15. Second Emergency Disk panel
If your computer runs Windows NT Workstation or Windows 2000 Professional, the wizard tells you that it will format your Emergency Disk with the NAI-OS. You must use these operating system files to create your Emergency Disk, because Windows NT Workstation v4.0 and Windows 2000 Professional system files do not fit on a floppy disk.
• If you chose to format your disk with the NAI-OS, the wizard displays an informational panel (see Figure 2-16 on page 49). Follow these substeps to continue:
a. Insert an unlocked and unformatted 1.44MB floppy disk into your floppy drive, then click Next>. The Emergency Disk wizard will copy its files from a disk image stored in the VirusScan program directory. As it does so, it will display its progress in a wizard panel.
b.
• If you do not have a virus-free floppy disk formatted with DOS or Windows system files, you must create one in order to use the Emergency Disk to start your computer. Follow these substeps:
a. Insert an unlocked and unformatted floppy disk into your floppy drive. McAfee recommends that you use a completely new disk that you have never previously formatted to prevent the possibility of virus infections on your Emergency Disk.
b.
Figure 2-19. Scanning Emergency Disk for viruses
If VirusScan software does not detect any viruses during its scan operation, Setup will immediately copy BOOTSCAN.EXE and its support files to the floppy disk you created. If VirusScan software does detect a virus, quit Setup immediately. See “If you suspect you have a virus...” on page 63 to learn what to do next.
4. When the wizard finishes copying the Emergency Disk files, it displays the final wizard panel (Figure 2-20).
Determining when you must restart your computer
In many circumstances, you can install and use this VirusScan release immediately, without needing to restart your computer. In some cases, however, the Microsoft Installer (MSI) will need to replace or initialize certain files, or previous McAfee product installations might require you to remove files in order for VirusScan software to run correctly. These requirements can also vary for each supported Windows platform.
Testing your installation
Once you install it, VirusScan software is ready to scan your system for infected files. You can verify that it has installed correctly and that it can properly scan for viruses with a test developed by the European Institute of Computer Anti-virus Research (EICAR), a coalition of anti-virus vendors, as a method for their customers to test any anti-virus software installation. To test your installation, follow these steps:
1.
Modifying or removing your local VirusScan installation
The Microsoft Windows Installer version that VirusScan software uses also includes a standard method to modify or remove a VirusScan installation from the local workstation. To modify or remove VirusScan software, follow these steps:
1. Click Start in the Windows taskbar, point to Settings, then choose Control Panel.
2. Locate and double-click the Add/Remove Programs control panel.
3.
Figure 2-22. Program Maintenance panel
5. Choose whether to modify VirusScan components or to remove VirusScan software from your system completely. Your choices are:
• Modify. Select this option to add or remove individual VirusScan components. Setup will display the Custom wizard panel (see Figure 2-8 on page 41). Start with Step 12 on page 41 to choose the components you want to add or remove.
Figure 2-23. Remove the Program panel
6. Click Remove. Setup will display progress information as it deletes VirusScan software from your system. When it has finished, click Finish to close the wizard panel.
Installing VirusScan software on other computers
The next sections describe how to install VirusScan software over your network, to many workstations at once, and with various custom configurations.
Installing VirusScan software using command-line options
The VirusScan Setup utility runs as a Microsoft Installer (MSI) application, which allows a wide array of custom installation options. To shape the installation so that it runs the way you want it to, and so that you end up with exactly those product components you want, run Setup from the command line.
NOTE: You can run Setup from the command line only to install VirusScan software to a local computer.
– PRESERVESETTINGS. This property tells Setup whether it should retain the configuration options you used for previous VShield scanner installations. By default, its value is True.
– REBOOT. This property tells Setup whether it should restart your computer. You can either force the computer to restart, or prevent it from restarting.
– REMOVE. This property tells Setup to remove one or more program components.
Other semi-silent installation methods are:
/qb shows a small progress bar during installation, with a cancel button
/q+ shows a success/failure installation complete dialog box
/qb+ shows both the progress and completed dialog boxes
/qf shows the full progress bar screen from the regular installation
Logging the installation
To record installation progress in a log file, add this option and parameter to the Setup command line:
    /l*v "c:\temp\log.txt"
Here, c:\temp\log.
Installing to a custom directory
To install VirusScan software to a custom directory, add the INSTALLDIR property to the command line, then follow the property with a value for the directory you want to use. To install VirusScan software to C:\My Anti-Virus Software, for example, type this line at the command prompt:
    setup INSTALLDIR="c:\My Anti-Virus Software" /q/i
Use quotes only if the target directory name has spaces.
Component Name     Description
McUpdate           The AutoUpdate and AutoUpgrade utilities
ShellExtentions    Extensions that add right-click functionality that enables you to scan individual files
ScreenScan         The ScreenScan utility
SendVirus          An applet that allows you to send virus samples to AVERT Labs for analysis
To use these component names in a command line, specify the destination and the component name, exactly as it appears in the table.
Setting reboot options
You can force or prevent the target computer from restarting during the installation. To do this, add the REBOOT property to the command line. REBOOT=F forces the restart, while REBOOT=R prevents the restart. If you must first install the Windows Installer service on a target computer, Setup will require you to restart whether you force or prevent a restart for other reasons. Setup will resume after MSI forces a restart.
Scanning your system at startup
By default, Setup adds a line to the AUTOEXEC.BAT file for Windows 95 and Windows 98 systems that tells the VirusScan application to scan the master boot record (MBR) when your computer starts.
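The AUTOEXEC.BAT entry that Setup writes for startup scanning, described here and in the Configuration panel step, can be checked after deployment on Windows 95 and Windows 98 systems. The following is an added example, not part of the McAfee guide or its software: it classifies an AUTOEXEC.BAT as having the scan entry active, present without the error pause, commented out, or missing. The sample file contents and the status names are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Added example: names, states and sample files are assumptions, not McAfee's.
SCANNER_NAMES = {"SCAN.EXE", "SCAN"}
# "IF ERRORLEVEL 1" is true for any exit code of 1 or higher, so this line
# halts startup on every nonzero scanner result until a key is pressed.
PAUSE_CHECK = re.compile(r"^@?IF\s+ERRORLEVEL\s+1\s+PAUSE$", re.IGNORECASE)
COMMENT = re.compile(r"^@?(?:REM(?:\s+|$)|::)", re.IGNORECASE)


class BootScanStatus(NamedTuple):
    state: str            # "active", "no-pause", "disabled" or "missing"
    line: Optional[int]   # 1-based line number of the SCAN.EXE entry, if any


def _is_scanner_call(command: str) -> bool:
    """True if the first token of a batch line runs SCAN.EXE (8.3 paths)."""
    tokens = command.lstrip("@").split()
    if not tokens:
        return False
    return tokens[0].rsplit("\\", 1)[-1].upper() in SCANNER_NAMES


def audit_autoexec(text: str) -> BootScanStatus:
    """Classify the startup scan entry in the text of an AUTOEXEC.BAT file."""
    lines = [ln.strip() for ln in text.splitlines()]
    disabled_at = None
    for idx, line in enumerate(lines):
        comment = COMMENT.match(line)
        if comment:
            # Remember a scanner call that has been commented out.
            if disabled_at is None and _is_scanner_call(line[comment.end():]):
                disabled_at = idx + 1
            continue
        if not _is_scanner_call(line):
            continue
        # The scanner's exit code is only meaningful to the very next command,
        # so the pause check must directly follow (blank/REM lines ignored).
        following = next(
            (l for l in lines[idx + 1:] if l and not COMMENT.match(l)), ""
        )
        state = "active" if PAUSE_CHECK.match(following) else "no-pause"
        return BootScanStatus(state, idx + 1)
    if disabled_at is not None:
        return BootScanStatus("disabled", disabled_at)
    return BootScanStatus("missing", None)


# Constructed sample files (not taken from a real system).
SAMPLE_ACTIVE = r"""@ECHO OFF
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCAN.EXE C:\
@IF ERRORLEVEL 1 PAUSE
"""

SAMPLE_DISABLED = r"""@ECHO OFF
REM C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCAN.EXE C:\
REM @IF ERRORLEVEL 1 PAUSE
"""

SAMPLE_NO_PAUSE = r"""@ECHO OFF
C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCAN.EXE C:\
ECHO Starting Windows
"""

if __name__ == "__main__":
    for name, sample in [("active", SAMPLE_ACTIVE),
                         ("disabled", SAMPLE_DISABLED),
                         ("no-pause", SAMPLE_NO_PAUSE),
                         ("missing", "@ECHO OFF\n")]:
        print(name, audit_autoexec(sample))
```

A "no-pause" or "disabled" result means the scanner either runs without stopping startup on a detection or does not run at all.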
Because Windows 95 and Windows 98 execute the login script at the same time they act on the contents of the RunOnce key, however, they will try to run another instance of Setup while, at the same time, they try to resume the previous Setup you started. MSI does not permit more than one instance of Setup to run at the same time.
3. Click Product.
4. Insert the VirusScan CD into your CD-ROM drive. The Management Edition software copies VirusScan files into the Repository. Once it does so, the components you installed appear in the Repository list.
5. Click Close to complete the installation.
You can now use Management Edition software to install and configure VirusScan software, or add components to or remove them from an existing VirusScan installation.
With the ePolicy Orchestrator server, console, and agent you can manage a single database and software repository from any location on your company’s network. Once you have installed the ePolicy Orchestrator server and console, and have loaded VirusScan software into the repository, you can use the console to push the agent onto the client machines. Through the agent, you gather data on the virus protection currently residing on the client machines.
3. Click the General tab, then follow these substeps:
a. Enter a name for the package that you are about to create.
b. Select Stream package directly to managed system.
c. Enter a value of 32 in the Required Memory text box.
d. Enter a value of 30 in the Disk Space text box.
4. To enable Tivoli to distribute VirusScan software to Windows 95 and Windows 98 systems, select the Windows 9x tab. Enter the appropriate information in the panel.
5.
Table 2-1. MSI_INST.EXE command-line switches
Option: IMPORT
Purpose: Import settings into a VirusScan installation from an .INI file you designate
Usage: /IMPORT
Option: EXPORT
Purpose: Export settings from a VirusScan installation to an .INI file you designate
Usage: /EXPORT
Option: EXPOPTIONS
Purpose: Export certain settings from VirusScan. Use this option in conjunction with the /EXPORT option. If you do not specify which components to export, MSI_INST.
Option: RESTART
Purpose: Start VirusScan after the MSI_INST.EXE utility finishes importing or exporting settings.
Usage: /RESTART
Option: PRESERVE
Purpose: Preserve existing paths. This tells MSI_INST.EXE to set a switch in the resulting .INI file that will adjust paths when the Custom Installation Creator or another VirusScan installation imports a new .INI file.
3 Removing Infections From Your System
If you suspect you have a virus...
First of all, don’t panic! Although far from harmless, most viruses that infect your machine will not destroy data, play pranks, or render your computer unusable. Even the comparatively rare viruses that do carry a destructive payload usually produce their nasty effects in response to a trigger event.
If VirusScan software found an infection during installation, follow these steps carefully:
1. Quit Setup immediately, then shut down your computer. Be sure to turn the power to your system off completely. Do not press CTRL+ALT+DEL or reset your computer to restart your system—some viruses can remain intact during this type of “warm” reboot.
2.
BOOTSCAN.EXE, the command-line scanner that comes with the Emergency Disk, will make four scanning passes to examine your hard disk boot sectors, your Master Boot Record (MBR), your system directories, program files, and other likely points of infection on all of your local computer’s hard disks.
NOTE: McAfee strongly recommends that you do not interrupt the BOOTSCAN.EXE scanner as it runs its scan operation.
As your next step, locate and delete the infected file or files. You will need to restore any files that you delete from backup files. Be sure to check your backup files for infections also. Be sure also to use the VirusScan application at your earliest opportunity to scan your system completely in order to ensure that your system is virus-free.
Deciding when to scan for viruses
Maintaining a secure computing environment means scanning for viruses regularly.
Recognizing when you don’t have a virus
Personal computers have evolved, in their short life span, into highly complex machines that run ever-more-complicated software. Even the most farsighted of the early PC advocates could never have imagined the tasks for which workers, scientists and others have harnessed the modern PC’s speed, flexibility and power.
Understanding false detections
A false detection occurs when VirusScan software sends a virus alert message or makes a log file entry that identifies a virus where none actually exists. You are more likely to see false detections if you have anti-virus software from more than one vendor installed on your computer, because some anti-virus software stores the code signatures it uses for detection unprotected in memory.
Responding to viruses or malicious software

Because VirusScan software consists of several component programs, any one of which could be active at one time, your possible responses to a virus infection or to other malicious software will depend upon which program detected the harmful object, how you have that program configured to respond, and other circumstances. The following sections give an overview of the default responses available with each program component.
Figure 3-1. Initial System Scan response options

If your computer runs Windows 95 or Windows 98, you can choose to display a different virus alert message. If you select BIOS in the Prompt Type area in the System Scan module Action page, you’ll see instead a full-screen warning that offers you response options (Figure 3-2).

Figure 3-2. Full-screen Warning - System Scan response options

This alert message brings your system to a complete halt as it awaits your response.
To take one of the actions shown in an alert message, click a button in the Access to File Was Denied dialog box, or type the letter highlighted in yellow when you see the full-screen warning. If you want the same response to apply to all infected files that the System Scan module finds during this scan operation, select the Apply to all items checkbox in the dialog box. This option is not available in the full-screen alert message.
Responding when the E-mail Scan module detects a virus

This module looks for viruses in e-mail messages you receive via corporate e-mail systems such as cc:Mail and Microsoft Exchange. In its initial configuration, the module will prompt you to choose a response from among five options whenever it detects a virus (Figure 3-3).

Figure 3-3. E-mail Scan module response options

Click the button that corresponds to the response you want. Your choices are:
• Stop.
When you choose your action, the E-Mail Scan module will implement it immediately and add a notice to the top of the e-mail message that contained the infected attachment. The notice gives the file name of the infected attachment, identifies the name of the infecting virus, and describes the action that the module took in response.
When you choose your action, the Download Scan module will implement it immediately and add a notice to the top of the e-mail message that contained the infected attachment. The notice gives the file name of the infected attachment, identifies the name of the infecting virus, and describes the action that the module took in response.
To respond to the infection, click one of the buttons shown. You can tell the VirusScan application to:
• Continue. Click this button to proceed with the scan operation and have the application list each infected file in the lower portion of its main window (Figure 3-7), record each detection in its log file, but take no other action to respond to the virus.
• Move file to. Click this to open a dialog box that you can use to locate your quarantine folder, or another suitable folder. Once you have located the correct folder, click OK to transfer the file to that location.
• Info. Click this to connect to the Network Associates Virus Information Library. This choice does not take any action against the virus that the application detected. See “Viewing virus information” on page 86 for more details.
• Stop. Click this button to stop the scan operation immediately. The E-Mail Scan extension will list the infected files it has already found in the lower portion of its main window (Figure 3-9) and record each detection in its log file, but it will take no other action to respond to the virus. Right-click each infected file listed in the main window, then choose an individual response from the shortcut menu that appears.

Figure 3-9.
Viewing virus information

Clicking Info in any of the virus response dialog boxes will connect you to the Network Associates online Virus Information Library, provided you have an Internet connection and web browsing software available on your computer (Figure 3-10).

Figure 3-10.
Examples include:
• Current information and risk assessments on emerging and active virus threats
• Software tools you can use to extend or supplement your McAfee anti-virus software
• Contact addresses and other information for submitting questions, virus samples, and other data
• Virus definition updates: this includes daily beta .DAT file updates, EXTRA.DAT files, updated Emergency .DAT files, current scan engine versions, regular weekly .
Submitting a virus sample

If you have a suspicious file that you believe contains a virus, or experience a system condition that might result from an infection—but VirusScan software has not detected a virus—McAfee recommends that you send a sample to its anti-virus research team for analysis. When you do so, be sure to start your system in the apparently infected state—don’t start your system from a clean floppy disk.
4. Read the welcome message, then click Next> to continue. The Contact Information wizard panel appears.

Figure 3-13. Your Contact Information panel

5. If you want AVERT researchers to contact you about your submission, enter your name, e-mail address, and any message you would like to send along with your submission in the text boxes provided, then click Next> to continue.
6. Click Add to open a dialog box you can use to locate the files you believe are infected. Choose as many files as you want to submit for analysis. To remove any of the files shown in the submission list, select it, then click Remove. When you have chosen all of the files you want to submit, click Next> to continue. The Choose Upload Options panel appears (Figure 3-15).

Figure 3-15.
7. Select the type of e-mail client application you have installed on your computer. Your choices are:
• Use outgoing Internet mail. Click this button to send your sample via a Simple Mail Transfer Protocol e-mail client, such as Eudora, NetScape Mail, or Microsoft Outlook Express. Next, enter the name of your outgoing mail server in the text box provided (mail.domain.com, for example).
• Use Microsoft Exchange.
3. Type this line at the command prompt:
format a: /s
If your system hangs as it tries to format the disk, remove the disk from your floppy drive. Next, label the disk “Damaged during infected format as boot disk,” then set it aside.
4. Insert a new, formatted floppy disk into your floppy drive.
5. Copy your current system files to that disk. For most DOS versions, those files will include:
• IO.SYS
• MSDOS.SYS
• COMMAND.
• If you suspect that a macro virus has infected your PowerPoint files, copy the file BLANKPRESENTATION.POT from C:\Program Files\Microsoft Office\Templates to the disk.

Making disk images

To send the files now stored on any floppy disks you created, you can use a McAfee AVERT Labs tool called RWFLOPPY.EXE to make a floppy disk image that encapsulates the infection. The RWFLOPPY.
6. Type INFECTED in the Password text box, then click OK.
7. When prompted, retype your password to verify its accuracy, then click OK. The Add With Password dialog box appears.
8. Select your sample files, then click OK.

WinZip applies the password you entered to all files that you add to or extract from your archive. Password-protected files appear in the archive list with a plus sign (+) after their names.
Mailing infected floppy disks

You can also mail the actual disks you created directly to McAfee anti-virus researchers. McAfee recommends that you create a text file or write a message to accompany the disks that includes the same information you would submit with an electronic disk image. Send your sample to only one research lab address so that you can receive the fastest possible response to your issue.
4 Using VirusScan Software

Using the VShield scanner

The VShield scanner protects your system in the background, as you work with your files, in order to prevent infection from viruses that arrive via floppy disks, from your network, embedded in file attachments that come with e-mail messages, or from your computer’s memory. The scanner starts when you start your computer, and stays in memory until you shut down.
To learn how to configure VirusScan properties and how to start and stop VirusScan software, see Chapter 5, “Using the VirusScan application,” in the VirusScan User’s Guide.

Scheduling scan tasks

The VirusScan Console runs scan operations and other tasks on the dates and at the times you choose, or at intervals you set.
5 Sending Alert Messages

Using the Alert Manager Client Configuration utility

All McAfee anti-virus software includes a wide range of methods to alert you when it has detected a virus or other malicious software.
VirusScan software as an Alert Manager Client

VirusScan software works as a client program with respect to NetShield software and an Alert Manager server. It can send alert “events” whenever it detects a virus or malicious software to any Alert Manager server you specify. The Alert Manager server then relays those events—and any others it receives from other workstations—as alert messages, via the methods you or your system administrator defined for alert distribution.
This tells each VirusScan component to send an alert event to the Alert Manager client utility each time it detects a virus or malicious object. The client utility, in turn, passes the alert message to the Alert Manager server you designate. If you do not set your software to generate alert messages in the first place, the client utility will have nothing to pass to the Alert Manager server for distribution.

To start and configure the Alert Manager utility, follow these steps:
1.
3. Select the alerting method you want to use. Your choices are:
• Enable Alert Manager alerting. Click this button to send alert events to an Alert Manager server somewhere on your network. Choosing this option prevents you from sending alert events to a Centralized Alerting directory. To choose the destination server, click Configure to open the Select Alert Manager Server dialog box.

Figure 5-2.
When you’ve chosen a destination for your alert messages, click OK to close the dialog box.
• Enable Centralized alerting. Click this button to have VirusScan components send alert messages to a Centralized Alerting directory somewhere on your network. Choosing this option prevents you from sending alert events to an Alert Manager server. To choose a destination directory, click Configure to open the Central Alerting Configuration dialog box.

Figure 5-3.
• Additionally Enable DMI Alerts. Select this checkbox to supplement either of the other alerting methods. Next, click Configure to open the DMI Configuration dialog box, where you can enter the identifying number that your Desktop Management Interface (DMI) client application assigned to your VirusScan software when you installed it.

Figure 5-4.
6 Updating and Upgrading VirusScan Software

Developing an updating strategy

Make no mistake about it: virus writers are electronic vandals who can destroy your data, cause system instability, and cost you time and money. The overwhelming majority of them are relatively inept programmers who rely on virus “kits,” or other pre-made tools, to introduce small variations in existing viruses or other malicious software.
Update and upgrade methods

Because new .DAT and program files are crucial to ensuring your anti-virus security, McAfee incorporates a range of updating options into the VirusScan product package. These include:
• SecureCast service broadcasts. The McAfee SecureCast service uses BackWeb “push” technology to send out automatic .DAT file updates, product upgrades, virus alerts and other useful items to subscribers.
The current VirusScan release can download and install new .DAT and engine files from a SuperDAT package, on any supported Windows platform, without requiring you to restart your computer. You can download and run SuperDAT packages separately to update and upgrade your software, or you can use the SuperDAT utility in conjunction with the AutoUpgrade utility to automate updates to a significant degree.
• Emergency .DAT files. VirusScan software includes an Emergency Disk utility you can use to create a bootable floppy disk to start your computer in a virus-free environment. The Emergency Disk you create uses specialized .DAT files that target boot-sector and memory-resident viruses, which pose the greatest infection risk to software if they activate before your anti-virus software can.
If you make the files you download available on one or more central servers on your network, then configure your remaining network nodes to “pull” the updated files from those servers, you can
• Schedule network-wide .DAT file roll-outs for convenient times and with minimal intervention from either administrators or network users.
Property pages in the Automatic Update Properties dialog box control the options for your update task. You can click each tab in turn to configure this task.

To display the Automatic Update dialog box, follow these steps:
1. Double-click the AutoUpdate task in the Console task list to open its Task Properties dialog box (see Figure 6-4 on page 203 of the VirusScan User’s Guide).
Initially, the utility comes configured to connect only to the Network Associates FTP site. You can add as many different sites as you need, and alter the order in which AutoUpdate tries to connect to them, from this dialog box. The utility will try each site in turn, starting from the top of the list, until it successfully downloads new files or determines that no new files exist.
3. From here, you can:
• Add a new site.
• Update your files immediately from the sites listed in the update list, using default configuration options or the options you chose for this task. Click Update now. To use this function, you must have configured enough of the necessary options for the AutoUpdate utility to locate the listed site and, if necessary, log on to it. See “Configuring update options” on page 113 to learn how to specify the options you need.
If you would prefer to log this data to a different text file, enter its path and filename in the text box provided, or click Browse to locate the file. The AutoUpdate utility will not generate a text file—it will write only to an existing file.
6. To minimize the log file size, select the Limit size of log file to checkbox. Next click to set a size, or enter a value between 10KB and 999KB. By default, the AutoUpdate utility limits the file size to 100KB.
Next, follow these steps:
1. Enter a descriptive name in the Site Name text box that clearly identifies the new site. An example might be Internal DAT File Update Site.
2. Select the Enabled checkbox to approve this site for the AutoUpdate utility’s use. Clearing this checkbox preserves the options you’ve chosen, but causes the utility to skip this site when it tries to download new .DAT files.
To use a custom account, clear the Use Logged In Account checkbox, then click UNC login information to enter a user name and password for an account that has access rights to the target server.
• FTP from a remote network computer. Click this button to tell the AutoUpdate utility to look for new files on an FTP site you designate. To use this option, the target server must have an FTP service enabled.
To have AutoUpdate do additional pre- or post-processing on the files, or to have it take other actions, click the Advanced Update Options tab to display the property page shown in Figure 6-5 on page 116.

Figure 6-5. Automatic Update Properties dialog box - Advanced Update Options page

Next, follow these steps:
1. Tell the AutoUpdate utility what you want it to do before or as it performs an update. Your options are:
• Backup the existing .DAT files.
Selecting this checkbox also makes the Backup the existing DAT files, the Force Update, and the Reboot system, if needed, after a successful update checkboxes unavailable. You might want to use this option if you download new .DAT files to a central server on your network and want individual client computers to download, extract and install the new files locally.
• Force Update.
• Save the Update file for later usage. Select this checkbox to have the AutoUpdate utility save an unextracted copy of the .DAT file package in a location you specify. The utility then extracts the .DAT files from the update package and continues with the installation. By contrast, the Retrieve the Update file but do not perform the update option saves the unextracted file, but does not install the new .DAT files.
By default, the AutoUpgrade task included with VirusScan Console does not come configured with any default upgrade site. Instead, McAfee recommends that you use other mechanisms, such as the Enterprise SecureCast service, to receive new SuperDAT or program files, then place those files on a central server within your network. Next, you would configure the AutoUpgrade utility on each of your network workstations to “pull” the new files from the location you specify.
• whether you want it to reboot your system after an upgrade
• whether you want it to keep track of its actions in a log file

Property pages in the Automatic Upgrade Properties dialog box control the options for your upgrade task. You can click each tab in turn to configure this task.

To display the Automatic Upgrade dialog box, follow these steps:
1. Double-click the AutoUpgrade task in the Console task list to open its Task Properties dialog box (Figure 6-6).
Figure 6-7. Automatic Upgrade dialog box - Upgrade Sites page

Here, the AutoUpgrade utility lists the sites from which it will download new VirusScan program files. It also reports each site’s current status as Enabled or Disabled. A site is enabled if you have selected the Enabled checkbox in the Automatic Upgrade Properties dialog box. A site is disabled if you clear this checkbox.
3. From this dialog box, you can:
• Add a new site. Click Add to open the Automatic Upgrade Properties dialog box (Figure 6-2 on page 111). To learn how to specify options for your new site, see “Configuring upgrade options” on page 124.

Figure 6-8. Automatic Upgrade Properties dialog box - Upgrade Options page

• Change definitions for an existing upgrade site.
To use this function, you must have configured enough of the necessary options for the AutoUpgrade utility to locate the listed site and, if necessary, log on to it. See “Configuring upgrade options” on page 124 to learn how to specify the options you need.
If you clear this checkbox, the log file can grow until disk space or file system limitations stop it. When the file reaches the maximum size you set, the AutoUpgrade utility first clears it, then starts the log again from where it left off. To see the contents of the log file from VirusScan Console, select the AutoUpgrade task in the task list, then choose View Activity Log from the Task menu.
7.
2. Select the Enabled checkbox to approve this site for the AutoUpgrade utility’s use. Clearing this checkbox preserves the options you’ve chosen, but causes the utility to skip this site when it tries to download new .DAT files. The AutoUpgrade utility will make a maximum of three connection attempts for the site during each scheduled update operation.
To use a custom account, clear the Use Logged In Account checkbox, then click UNC login information to enter a user name and password for an account that has access rights to the target server.
• FTP from a remote network computer. Click this button to tell the AutoUpgrade utility to look for new files on an FTP site you designate. To use this option, the target server must have an FTP service enabled.
Figure 6-11. Automatic Update Properties dialog box - Advanced Update Options page

Next, follow these steps:
1. Tell the AutoUpgrade utility what you want it to do before or as it performs an update. Your options are:
• Retrieve the Upgrade files but do not perform the upgrade. Select this checkbox to have the utility download the archive that contains new program files, then save it in a location you specify instead of extracting it and installing it.
In most cases, you will not need to restart in order for VirusScan software to use new program files, but some systems will require that you do so in order for the new files to activate. If you want to restart your system at a more convenient time, clear this checkbox.
3. To save your changes and return to the Automatic Upgrade dialog box, click OK. To close the dialog box without saving your changes, click Cancel.
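The site-list behaviour described for the AutoUpdate and AutoUpgrade utilities (sites tried from the top of the list, disabled sites skipped, at most three connection attempts per site) can be modelled as below to see which server a workstation actually ends up trusting. This is an added example, not McAfee code; the Probe states, the "Staging share" site and the scripted answers are constructed, and it assumes that a "no new files" answer from any site ends the walk.

```python
"""Model of the update-site walk described in this guide (illustrative only)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

MAX_ATTEMPTS = 3  # guide: "a maximum of three connection attempts for the site"


class Probe(Enum):
    """Hypothetical outcomes of one connection attempt."""
    UNREACHABLE = "unreachable"
    NO_NEW_FILES = "no new files"
    NEW_FILES = "new files downloaded"


@dataclass
class Site:
    name: str
    enabled: bool = True  # the Enabled checkbox; cleared means "skip this site"


@dataclass
class Outcome:
    result: str                         # "updated", "current" or "failed"
    site: Optional[str]                 # site whose answer ended the walk
    trace: List[Tuple[str, int, str]]   # (site, attempt number, what happened)


def run_task(sites: List[Site], probe: Callable[[Site, int], Probe]) -> Outcome:
    """Walk the list top-down until new files arrive or none are reported."""
    trace: List[Tuple[str, int, str]] = []
    for site in sites:
        if not site.enabled:
            trace.append((site.name, 0, "skipped (disabled)"))
            continue
        for attempt in range(1, MAX_ATTEMPTS + 1):
            status = probe(site, attempt)
            trace.append((site.name, attempt, status.value))
            if status is Probe.NEW_FILES:
                return Outcome("updated", site.name, trace)
            if status is Probe.NO_NEW_FILES:
                # Assumed reading of "determines that no new files exist":
                # the first site that answers this way stops the walk.
                return Outcome("current", site.name, trace)
    return Outcome("failed", None, trace)


def scripted_probe(script: Dict[str, List[Probe]]) -> Callable[[Site, int], Probe]:
    """Build a probe that replays constructed answers, one per attempt."""
    def probe(site: Site, attempt: int) -> Probe:
        answers = script.get(site.name, [])
        return answers[attempt - 1] if attempt <= len(answers) else Probe.UNREACHABLE
    return probe


def sites_never_contacted(outcome: Outcome, sites: List[Site]) -> List[str]:
    """Enabled sites the walk ended before reaching; useful when auditing order."""
    seen = {name for name, _, _ in outcome.trace}
    return [s.name for s in sites if s.enabled and s.name not in seen]


# Constructed site list: an internal server first, the vendor FTP site last.
SITES = [
    Site("Internal DAT File Update Site"),
    Site("Staging share", enabled=False),
    Site("Network Associates FTP site"),
]


def internal_down() -> Outcome:
    """Internal server offline: the workstation falls through to the vendor site."""
    return run_task(SITES, scripted_probe({
        "Network Associates FTP site": [Probe.UNREACHABLE, Probe.NEW_FILES],
    }))


def stale_internal_mirror() -> Outcome:
    """Internal server reachable but not refreshed: it reports nothing new."""
    return run_task(SITES, scripted_probe({
        "Internal DAT File Update Site": [Probe.NO_NEW_FILES],
        "Network Associates FTP site": [Probe.NEW_FILES],
    }))


if __name__ == "__main__":
    for scenario in (internal_down, stale_internal_mirror):
        outcome = scenario()
        print(scenario.__name__, "->", outcome.result, "via", outcome.site)
        for entry in outcome.trace:
            print("   ", entry)
        print("    never contacted:", sites_never_contacted(outcome, SITES))
```

Under the stated assumption, the second scenario shows why the server at the top of the list has to be kept current: its "no new files" answer ends the walk before any lower site is consulted.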
3. If you want to, create and copy a SETUP.ISS file into the directory from which you tell AutoUpgrade to download new files. SETUP.ISS is a simple text file that governs how the AutoUpgrade utility upgrades your software. You can use any standard text editor to create and save this file. To specify configuration options in your SETUP.ISS file, use the example shown below to learn which options you may use.
When you have placed the PKGDESC.INI file, the SETUP.EXE file, and any SETUP.ISS file you want to use on a central server, configure the AutoUpgrade utility copies on your workstation computers to download new files from the share you created on that central server. The AutoUpgrade utilities will download and install the new files from this package.
For VirusScan v4.5 and later releases, copy any EXTRA.DAT files you download to this directory:
C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.
A Using VirusScan Administrative Utilities

Understanding the VirusScan control panel

The VirusScan control panel serves as the graphical front end for the VirusScan management service, which initiates and controls all top-level component processes, including the VirusScan application, the Console, and the VShield scanner.
2. Locate and double-click the VirusScan control panel icon to open the control panel itself.

Figure A-1. VirusScan control panel - Service page

Choosing VirusScan control panel options

The control panel consists of two tabbed property pages that set out its options. To choose your options, follow these steps:
1. Open the control panel, then click the Service tab.
2. To stop all active VirusScan components, click Stop.
If your computer runs Windows NT Workstation v4.0 or Windows 2000 Professional, this service appears in the Services dialog box as AvSync Manager. If your computer runs Windows 95 or Windows 98, this service is not directly accessible.

NOTE: McAfee strongly recommends that you set the VirusScan management service to load at startup.
By default, 100 items can appear in the list. You may not set the value here to fewer than five items.
7. Click or enter a figure in the Scan Items text box to specify how many targets the VirusScan application can examine at one time. This setting sets a maximum number of items that can appear as scan targets for any default scan task, or any task you configure, from within the VirusScan Console. By default, 100 items can appear in the list.
B Installed Files

What’s in this appendix?

The VirusScan installation procedure places essential program files on the VirusScan client workstation. This section provides an overview of the files installed. Some of the files are associated with a particular component while others are in common use, called by program functions as needed.
Table B-1. VShield scanner program files
CONFWIZ.EXE | VShield configuration wizard file | C:\Program Files\Network Associates\VirusScan
VSHWIN32.EXE | Communicates between VSSTAT.EXE and the VShield System Scan module | C:\Program Files\Network Associates\VirusScan
MCSHIELD.EXE | System Scan module. Runs as a Windows NT Service on Windows NT and Windows 2000 systems | C:\Program Files\Common Files\Network Associates\McShield
NAIEVENT.DLL | Event logging resource.
Table B-1. VShield scanner program files
NTCLIENT.DLL | Support file for System Scan module. Runs only on Windows NT and Windows 2000 systems | C:\Program Files\Network Associates\VirusScan
SCANSERV.DLL | Support file for System Scan module. Runs only on Windows NT and Windows 2000 systems | C:\Program Files\Common Files\Network Associates\McShield
VSHIELD.VXD | VShield System Scan module.
Table B-1. VShield scanner program files
EMALSCAN.DLL | Scans e-mail you receive from the Internet or from your network via Messaging Application Programming Interface (MAPI) e-mail systems | C:\Program Files\Network Associates\VirusScan
CCM_SCAN.EXE | Scans e-mail you receive via Lotus cc:Mail v7.x and earlier cc:Mail systems | C:\Program Files\Network Associates\VirusScan
WEBSCANX.EXE | Provides functionality for VShield Download Scan and Internet Filter modules. Initializes WBHOOK32.
Table B-2. VShield scanner dependent files
File | Function | Location
AVSYNMGR.EXE | VirusScan management service. Initializes, starts and stops all VirusScan services and components. Must run to enable all VirusScan components. | C:\Program Files\Network Associates\VirusScan
AVSYNCH.DLL | Handles inter-component communication through shared memory | C:\Program Files\Network Associates\VirusScan
SYNCUTIL.
Temporary files

The VShield scanner and its related files use these files as “memory maps” to store configuration options copied from the Windows registry when the program runs. These files start out with a standard file size and minimal data, and grow or shrink as necessary to accommodate configuration data.

Table B-3. VShield scanner temporary files
File | Function | Location
SYNC_MAP.MMF | Memory map file for AVSYNCH.DLL | C:\Program Files\Network Associates\VirusScan
AVCONSOLE.
Dependent and related files for the VirusScan application

The VirusScan application runs as a stand-alone executable file that you can start yourself, or that the VirusScan Scheduler can start according to a schedule you set. The application requires a number of support files to function, including some related to the McAfee scan engine.
Table B-5. VirusScan application dependent files
File | Function | Location
AVSYNMGR.EXE | VirusScan management service. Initializes, starts and stops all VirusScan services and components. Must run to enable all VirusScan components. | C:\Program Files\Network Associates\VirusScan
AVSYNCH.DLL | Handles inter-component communication through shared memory | C:\Program Files\Network Associates\VirusScan
SYNCUTIL.
Table B-5. VirusScan application dependent files
MESSAGES.DAT | Support file for scan engine. Provides virus detection messages to engine | C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx
S95EXT.DLL | Shell extension file. Allows you to right-click .VSC settings files you saved and start scan operations or view scan task properties.
Table B-6. VirusScan application temporary files
VSCANOAS.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
VSCANODS.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan

Alert Manager

The Alert Manager client configuration utility requires these files to run.

Table B-7. Alert Manager files
File | Function | Location
ADSLOOKUP.DLL | Library file.
Table B-7. Alert Manager files
NAKRNL32.DLL | Library file for various VirusScan utilities | C:\Program Files\Common Files\Network Associates\McPal
NAUTIL32.DLL | Library file for various VirusScan utilities | C:\Program Files\Common Files\Network Associates\McPal

VirusScan control panel files

As the initial process for all VirusScan components, the VirusScan management service does not depend on other VirusScan components. It does depend on some Windows system components to run, however.
Table B-9. VirusScan control panel temporary files
File | Function | Location
SYNC_MAP.MMF | Memory map file for AVSYNCH.DLL | C:\Program Files\Network Associates\VirusScan
AVCONSOLE.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
DAV_CONS.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
DAV_EXCL.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
DAV_SCAN.
Table B-10. ScreenScan program files
File | Function | Location
SCRSCAN.EXE | ScreenScan utility executable file. Runs the actual scan operation | C:\Program Files\Network Associates\VirusScan
SCRSCANP.DLL | ScreenScan control panel extension.
VirusScan Emergency Disk files

The Emergency Disk wizard will copy files you need to start your computer and scan your hard disk for boot-sector viruses. These files include a reduced-footprint command line scanner, a set of emergency virus definition (.DAT) files, and boot files that enable you to start your computer from the Emergency Disk. This table lists the files that appear on the Emergency Disk when you create it:

Table B-12.
Table B-12. VirusScan Emergency Disk files
GETREPLY.EXE | Application file. This file processes output from the scan operation | A:\
KERNEL.SYS | System file | A:\
LICENSE.DAT | McAfee License file. The command-line scanner uses this to track use eligibility for this product | A:\
MESSAGES.DAT | McAfee resource file. This file stores application messages for use during scan operations | A:\
NAMES.DAT | McAfee virus definition file. This file is a smaller, specialized version of the NAMES.
Dependent and related files for the E-Mail Scan extension

The E-Mail Scan extension runs as an add-in to your MAPI e-mail system. If you use a Microsoft Exchange or Outlook client, the extension loads into the client application and appears as menu items in the Tools menu and as buttons in the application toolbar. You can use the extension to run scan operations whenever you wish. The extension requires a number of support files to function, including some related to the McAfee scan engine.
Table B-14. E-Mail Scan dependent files

File | Function | Location
AVSYNMGR.EXE | VirusScan management service. Initializes, starts and stops all VirusScan services and components. Must run to enable all VirusScan components. | C:\Program Files\Network Associates\VirusScan
AVSYNCH.DLL | Handles inter-component communication through shared memory. | C:\Program Files\Network Associates\VirusScan
SYNCUTIL.DLL | Stores data shared between components.
Table B-15. E-Mail Scan temporary files

File | Function | Location
SYNC_MAP.MMF | Memory map file for AVSYNCH.DLL | C:\Program Files\Network Associates\VirusScan
AVCONSOLE.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
DAV_CONS.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
DAV_EXCL.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
DAV_SCAN.MMF | Memory map file for SYNCUTIL.
Appendix C. Using VirusScan Command-line Options

Adding advanced VirusScan engine options

The following table lists all of the command-line options that can be communicated directly to the scanning engine via the Advanced Scan Settings dialog box provided by most Detection property pages. These command-line options, which you specify in the Advanced Scan Settings dialog box, will supplement, and can overwrite, the options selected in the VShield and VirusScan Detection property pages.
3. Type scan, followed by the scan options you want to use, at the command prompt. VirusScan Command Line will start immediately and begin scanning your system with the options you choose. When it has finished, it will display the results of its scan operation, then return to the command prompt.
4. To run another scan operation, repeat Step 3. To close the MS-DOS Prompt window, type exit at the command prompt.
Table C-1. VirusScan command-line scanner options

/ALL | On-demand scanning only | Overrides the default scan setting by scanning all infectable files, regardless of extension. Using the /ALL option substantially increases the scanning time required. Use it only if you find a virus or suspect that you have one.
/ANALYZE /ANYACCESS On-demand scanning only Sets scanner to use its full heuristics, both program and macro. Extended memory required.
/CONTACTFILE | None | Display the contents of when a virus is found. Use this to provide contact information and instructions to the user when the scanner finds a virus. This option is especially useful in network environments, because you can easily maintain the message text in a central file rather than on each workstation. Any character is valid in a contact message except a backslash (\).
/LOCK | Not available in low-memory environments | With the /LOCK option enabled, VirusScan will halt and lock your system if it finds a virus. /LOCK is appropriate in highly vulnerable network environments, such as open-use computer labs. McAfee recommends using /LOCK with the /CONTACTFILE option to tell users what to do or whom to contact if VirusScan locks the system.
/NOBREAK | On-demand scanning only | Disables CTRL-C and CTRL-BREAK during scans. Users will not be able to halt scans in progress with /NOBREAK in use. Use this option with /LOG to create a meaningful audit trail of regularly scheduled scans.
/NOCOMP | On-demand scanning only. Extended memory required. | Skips checking of compressed executables created with the LZEXE or PkLite file compression programs.
/NOREMOVE | On-access scanning only | Prevents users from removing the VShield scanner from memory with the /REMOVE switch.
/NOWARMBOOT | On-access scanning only | Does not check the disk boot sector of the floppy disk in drive A: for viruses during warm boot (system reset or CTRL+ALT+DEL).
/NOXMS | On-access scanning only | Does not use extended memory (XMS).
/REPORT | On-demand scanning only | Creates a report of infected files and system errors, and saves the data to in ASCII text file format. If already exists, /REPORT will overwrite it. To avoid overwriting, use the /APPEND option with /REPORT: the scanner will then add report information to the end of the file instead of overwriting it.
/SUB | On-demand scanning only | Scans subdirectories inside a directory.
• By default, when you specify a directory to scan rather than a drive, the scanner will examine only the files it contains, not its subdirectories.
• Use /SUB to scan all subdirectories within any directories you have specified.
• It is not necessary to use /SUB if you are scanning an entire drive.
Running the on-demand scanner with command-line arguments

You can run the VirusScan on-demand scanner with command-line arguments either from a Windows MS-DOS Prompt window, or by restarting your computer in DOS mode. (You can also run the scanner without command-line arguments, either from a Windows MS-DOS Prompt window or from the Start menu’s Run dialog box.) Network Associates recommends restarting in DOS mode for best results.
Table C-2. SCAN32.EXE command-line options

Option | Use
/SPLASH | This option tells the VirusScan application to display its identity or “splash” screen when it starts.
/NOSPLASH | This option tells the VirusScan application to hide its identity or “splash” screen when it starts.
/AUTOSCAN | This option tells the VirusScan application to run a scan operation immediately, with the configuration options currently set, and without further user interaction.
/UICONFIG | This option tells the VirusScan application to open its main window and await configuration option changes. To start a scan operation after you change configuration options, click the Scan Now button in the application window. Setting this option will disable the /AUTOSCAN option if you use it in the same command line.
/NOCOMP | This option tells the VirusScan application not to scan any files in compressed file archives. This can speed up scan operations.
/CONTINUE | This option tells the VirusScan application to continue the scan operation automatically when it detects a virus.
/PROMPT | This option tells the VirusScan application to ask you what to do when it finds a virus.
/DEFEXT | This option tells the VirusScan application to add to its default program extension list those extensions you specify on the same command line. During the scan operation, the application will use the combined list to govern which files it examines.
/TASK | This option tells the VirusScan application to start a specific task listed in the VirusScan Scheduler task list.
/NOLOGCLEAN | This option tells the VirusScan application not to record an event when it cleans or fails to clean an infected file.
/LOGDELETE | This option tells the VirusScan application to record an event in the log file each time it deletes an infected file.
/NOLOGDELETE | This option tells the VirusScan application to leave virus deletion events out of the log file.
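An added example, not part of the guide: a small Python check that reviews SCAN32.EXE command lines, as they might appear in scheduled tasks, against the option descriptions in Table C-2. The sample command lines are constructed, and the grouping of findings into conflict, audit and coverage is this example's own.

```python
import re

# Option meanings are taken from Table C-2; the grouping into audit and
# coverage findings is this example's own.
AUDIT_GAPS = {
    "/NOLOGCLEAN": "clean and failed-clean events are not recorded",
    "/NOLOGDELETE": "deletion events are left out of the log file",
}
COVERAGE_GAPS = {
    "/NOCOMP": "files in compressed archives are not scanned",
}
# Pairs the table describes as opposites; it does not say which one wins.
OPPOSITES = [
    ("/SPLASH", "/NOSPLASH"),
    ("/LOGDELETE", "/NOLOGDELETE"),
    ("/CONTINUE", "/PROMPT"),
]

# An option is a "/" at the start of a whitespace-delimited token.
OPTION_RE = re.compile(r"(?<!\S)/[A-Za-z]+")


def parse_options(command_line):
    """Return the /OPTION tokens of a command line, upper-cased."""
    return {token.upper() for token in OPTION_RE.findall(command_line)}


def review(command_line):
    """Return a sorted list of (kind, option, reason) findings."""
    opts = parse_options(command_line)
    findings = []
    if {"/UICONFIG", "/AUTOSCAN"} <= opts:
        findings.append(("conflict", "/UICONFIG",
                         "disables /AUTOSCAN; no scan starts until Scan Now is clicked"))
    for first, second in OPPOSITES:
        if first in opts and second in opts:
            findings.append(("conflict", first, "used together with " + second))
    for opt, reason in AUDIT_GAPS.items():
        if opt in opts:
            findings.append(("audit", opt, reason))
    for opt, reason in COVERAGE_GAPS.items():
        if opt in opts:
            findings.append(("coverage", opt, reason))
    return sorted(findings)


# Constructed sample task command lines (not from the guide).
SAMPLE_TASKS = {
    "nightly": r"SCAN32.EXE /AUTOSCAN /NOSPLASH /CONTINUE /LOGDELETE",
    "weekly": r"scan32.exe /autoscan /uiconfig /nocomp /nologclean",
    "adhoc": r"SCAN32.EXE /AUTOSCAN /PROMPT /CONTINUE /NOLOGDELETE /LOGDELETE",
}


def review_all(tasks):
    """Map each task name to its findings, omitting tasks with none."""
    report = {name: review(cmd) for name, cmd in tasks.items()}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in review_all(SAMPLE_TASKS).items():
        for kind, opt, reason in found:
            print(f"{name}: [{kind}] {opt}: {reason}")
```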
Appendix D. Using the SecureCast Service to Get New Data Files

Introducing the SecureCast service

The Network Associates SecureCast service provides a convenient method you can use to receive the latest virus definition (.DAT) file updates automatically, as they become available, without your having to download them.
Why should I update my data files?

Your software relies on information in its virus definition (.DAT) files to identify viruses. More than 200 new viruses appear each month, however, and older .DAT files might not recognize them. To meet this challenge, McAfee releases new .DAT files each week. You are entitled to these free data file updates for use with your version of the software. If you do not use current .
Installing the BackWeb client and SecureCast service

Setting up SecureCast service and the BackWeb client is a two-phase process:

1. Download and install the BackWeb client
2. Register to receive SecureCast service InfoPaks

To get started with the SecureCast service, review the system requirements shown below, then follow the steps outlined in each section.
Figure D-1. BackWeb client welcome panel

3. Read the instructions and warnings on this panel, then click Next> to continue.
4. The BackWeb license agreement appears (Figure D-2).

Figure D-2. BackWeb Software License Agreement panel

5. Click Yes to continue.
6. The Choose Destination Location panel appears (Figure D-3 on page 175).
Figure D-3. Choose Destination Location panel

7. Enter a new location for Setup to install the client software, if you wish, or click Browse to locate a suitable folder. Click Next> to continue. Setup will begin to copy BackWeb program files to your computer. As it does so, it displays its progress. When it has finished, Setup displays the Connection Type panel (Figure D-4).

Figure D-4.
8. Specify the type of connection your computer has to the Internet. Your choices are:
• Direct. Choose this option if you connect to the Internet through a local-area network or a high-bandwidth connection such as a cable modem or digital subscriber line (DSL) connection. Continue with Step 9.
• Modem. Choose this option if you dial up to connect to an Internet service provider, or into your corporate network. Skip to Step 13.
10. If you chose HTTP via proxy as your connection method, the HTTP Proxy Setup panel appears (Figure D-6).

Figure D-6. HTTP Proxy Setup panel

11. Enter the name of your proxy server in the Proxy text box, then enter the port the server uses for communication in the Port text box. When you have finished, click Next> to continue. The Proxy Authentication panel appears (Figure D-7 on page 177).

Figure D-7. Proxy Authentication panel

12.
The Setup Complete panel appears (Figure D-8).

Figure D-8. Setup Complete panel

13. To start immediately, leave both checkboxes selected in this panel, then click Finish to complete your installation.

Phase 2: Register with the Enterprise SecureCast service

After you install the BackWeb client and start it, the SecureCast service immediately opens the client application and sends its first InfoPak: the SecureCast registration forms (Figure D-9).
The SecureCast service alerts you that an InfoPak has arrived with the Flash message shown at the bottom right corner of Figure D-9.

IMPORTANT: If you are a corporate user and have a high-speed connection, the window may list Register Now as an already received InfoPak. Continue with Step 1.
4. Double-click the BW Register icon in the window that opens next. A registration information form appears (Figure D-12).

Figure D-12. SecureCast User Registration Information form

5. Enter your name, title and company contact information in the text boxes provided. Here you will also need to enter the grant number you received when you purchased your software, or that you received from Network Associates Customer Service.
Figure D-13. SecureCast Parent Company Information form

6. If your company is the subsidiary of another company, enter contact information for your parent company in the text boxes provided. When you have finished, click Next>. The Proxy Communication Configuration dialog box appears (Figure D-14).

Figure D-14. SecureCast Proxy Communication Configuration

7.
Figure D-15. SecureCast Online Activity Status panel

9. Click Finish after a check mark appears in all the boxes. The setup process is complete. At that point, your web browser will connect to the Network Associates SecureCast service electronic customer care page. If you are a corporate user, the window resembles the one shown in Figure D-16:

Figure D-16.
Troubleshooting the Enterprise SecureCast service

Registration problems

If you try to register during a busy time of day on the web, you may encounter a delay while the server tries to process your registration request. If you receive the error message “1105 Error” or “Database Error: Unable to connect to the data source,” this means that there is a database problem on the server. Try submitting the form again, or try to register later.
BackWeb client

• For a comprehensive guide to BackWeb, including additional troubleshooting advice, see the online BackWeb User’s Manual: http://www.backweb.
Appendix E. Network Associates Support Services

Adding value to your McAfee product

Choosing McAfee anti-virus, Sniffer Technologies network management, and PGP security software helps to ensure that the critical technology you rely on functions smoothly and effectively.
If you purchased a perpetual license for your Network Associates product, you can purchase a PrimeSupport KnowledgeCenter plan for an annual fee. To receive your KnowledgeCenter password or to register your PrimeSupport agreement with Network Associates, visit:

http://www.nai.com/asp_set/support/introduction/default.asp

Your completed form will go to the Network Associates Customer Service Center.
The PrimeSupport Priority plan

The PrimeSupport Priority plan gives you round-the-clock telephone access to essential product assistance from experienced Network Associates technical support staff members. You can purchase the PrimeSupport Priority plan on an annual basis when you purchase a Network Associates product, either with a subscription license or a one-year license.
By calling in advance, your PrimeSupport Enterprise representative can help to prevent problems before they occur. If, however, an emergency arises, the PrimeSupport Enterprise plan gives you a committed response time that assures you that help is on the way. You may purchase the PrimeSupport Enterprise plan on an annual basis when you purchase a Network Associates product, either with a subscription license or a one-year license.
Table E-1. Corporate PrimeSupport Plans at a Glance

Plan Feature | Knowledge Center | Connect | Priority | Enterprise
Technical support via website | Yes | Yes | Yes | Yes
Software updates | Yes | Yes | Yes | Yes
Technical support via telephone | — | Monday–Friday | Monday–Friday, after hours emergency access | Monday–Friday, after hours emergency access
 | | North America: 8 a.m.–8 p.m. CT | North America: 8 a.m.–8 p.m. CT | North America: 8 a.m.–8 p.m.
PrimeSupport options for home users

If you purchased your Network Associates product through a retail vendor or from the Network Associates website, you also receive support services as part of your purchase. The specific level of support you receive depends on which product you purchased.
If you need additional support, Network Associates offers a variety of other support plans that you can purchase either with your Network Associates product or after your complimentary 30-day support period expires. These include:

NOTE: The support plans described here are available only in North America. Contact your regional sales representative to learn about local support options.

• Small Office/Home Office Annual Plan.
How to reach international home user support

The following table lists telephone numbers for technical support in several international locations. The specific costs, availability of service, office hours and plan details might vary from location to location. Consult your sales representative or a regional Network Associates office for details.

Table E-2.
Network Associates consulting and training

The Network Associates Total Service Solutions program provides you with expert consulting and comprehensive education that can help you maximize the security and performance of your network investments. The Total Service Solutions program includes the Network Associates Professional Consulting arm and the Total Education Services program.
Network consulting

Network Associates consultants provide expertise in protocol analysis and offer a vendor-independent perspective to recommend unbiased solutions for troubleshooting and optimizing your network. Consultants can also bring their broad understanding of network management best practices and industry relationships to speed problem escalation and resolution through vendor support.
Appendix F. Understanding iDAT Technology

Understanding incremental .DAT files

To function at peak efficiency, VirusScan software needs regular infusions of new virus definition data files (.DAT files). Without them, the software might not detect new virus strains or respond effectively to remove the threat from your system. Prior versions of the AutoUpdate utility required you to download and install the entire virus definition package each week.
How does iDAT updating work?

The AutoUpdate utility downloads two types of files when it connects to the update site you specified:

• .UPD files. These update files contain only the virus definition changes between one weekly .DAT file release and the .DAT file release from the week immediately following. The names for these .UPD files consist of the version number of a .DAT file release (4053, for example) and the version number of the very next .
The entries in the Incremental Resolver table, meanwhile, translate the sequential numbers from the Multiple Patch Table into actual filenames that the AutoUpdate utility can download. The DELTA.INI file also has checksum and other information that the AutoUpdate utility can use to verify that files it downloaded have not changed or become corrupted.

NOTE: If an iDAT download fails for any reason, the AutoUpdate utility will download and install a full .DAT update.
dat-4056.zip
dat-4056.tar
DELTA.INI
README.TXT

Best practices

The following sections outline some suggestions for how to employ iDAT downloads in your updating strategy.

Three-stage updating

If you need to roll out new virus definitions to multiple workstations on your network, McAfee recommends a three-stage update strategy that will save you external network bandwidth, minimize your security risks, and give you more control over your internal updating strategy:

1. If the .
The AutoUpdate utility will download each file it needs, in sequence, to bring the .DAT files installed on its host computer up to date. From that point forward, your network computers will install iDAT files, which will reduce your update time and the demand on your network bandwidth.

Scheduling internal .DAT updates

The AutoUpdate utility has a built-in scheduling feature that lets you automate the entire update process.
Corrupted data

Q: What happens if one of the iDAT files is corrupted during download?

A: Before the AutoUpdate utility installs any iDAT file, it checks the file against a verification checksum recorded in the DELTA.INI file. If the checksums do not match, the utility does not install that iDAT file or any subsequent files it downloads in that session. Instead, the utility will display an error message, then will download a full .DAT file set to update your software.
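The sequential checksum verification and fallback to a full update described in this appendix, sketched in Python as an added example (not McAfee's code). The manifest layout, file names and payloads are constructed, and SHA-256 stands in for the DELTA.INI checksum, which the guide does not specify.

```python
import configparser
import hashlib


def digest(payload):
    # SHA-256 stands in for the unspecified DELTA.INI checksum (assumption).
    return hashlib.sha256(payload).hexdigest()


def build_manifest(chain, latest):
    """Build a manifest for ordered (from_version, filename, payload) steps.

    Hypothetical layout: [patches] maps an installed version to a sequence
    number, [resolver] maps that number to a file name, [checksums] holds
    one digest per file, [release] names the newest version.
    """
    cfg = configparser.ConfigParser()
    for section in ("release", "patches", "resolver", "checksums"):
        cfg.add_section(section)
    cfg["release"]["latest"] = str(latest)
    for seq, (version, name, payload) in enumerate(chain, start=1):
        cfg["patches"][str(version)] = str(seq)
        cfg["resolver"][str(seq)] = name
        cfg["checksums"][name] = digest(payload)
    return cfg


def files_needed(cfg, installed):
    """Ordered incremental files for an installed version, or None."""
    if str(installed) == cfg["release"]["latest"]:
        return []
    start = cfg["patches"].get(str(installed))
    if start is None:
        return None  # version not covered by the incremental chain
    last = max(int(seq) for seq in cfg["resolver"])
    return [cfg["resolver"][str(seq)] for seq in range(int(start), last + 1)]


def plan_update(cfg, installed, downloads):
    """Return (mode, verified, rejected) for downloaded {filename: bytes}.

    Verification is sequential and fail-closed: the first file that is
    missing or whose digest differs is rejected along with everything after
    it, and mode becomes "full". `verified` lists the files that passed
    before that point; the guide does not say what happens to them.
    """
    needed = files_needed(cfg, installed)
    if needed is None:
        return ("full", [], None)
    if not needed:
        return ("current", [], None)
    verified = []
    for name in needed:
        payload = downloads.get(name)
        if payload is None or digest(payload) != cfg["checksums"].get(name):
            return ("full", verified, name)
        verified.append(name)
    return ("incremental", verified, None)


# Constructed sample chain: file names and payloads are invented.
CHAIN = [
    (4053, "4053-4054.upd", b"delta 4053 to 4054"),
    (4054, "4054-4055.upd", b"delta 4054 to 4055"),
    (4055, "4055-4056.upd", b"delta 4055 to 4056"),
]
MANIFEST = build_manifest(CHAIN, latest=4056)
GOOD = {name: payload for _, name, payload in CHAIN}
# One byte changed in the middle file, as a damaged download would be.
DAMAGED = dict(GOOD, **{"4054-4055.upd": b"delta 4054 to 4O55"})

if __name__ == "__main__":
    print(plan_update(MANIFEST, 4053, GOOD))
    print(plan_update(MANIFEST, 4053, DAMAGED))
    print(plan_update(MANIFEST, 4040, GOOD))
```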