McAfee VirusScan User’s Guide Version 5.
COPYRIGHT Copyright © 2000 Network Associates, Inc. and its Affiliated Companies. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Network Associates, Inc.
Table of Contents
Preface
  What happened?
  Why worry?
  Where do viruses come from?
  Virus prehistory
  Recognizing when you don’t have a virus
  Understanding false detections
  Responding to viruses or malicious software
  Submitting a virus sample
  Using the SendVirus utility to submit a file sample
  Checking task status
  Configuring VirusScan application options
Chapter 7. Using Specialized Scanning Tools
  Scanning Microsoft Exchange and Outlook mail
  When and why you should use the E-Mail Scan extension
  Adding file name extensions for scanning
  Current list of vulnerable file name extensions
  Current list of compressed files scanned
Appendix B. Product Support
  Updates
Preface

What happened?

If you’ve ever lost important files stored on your hard disk, watched in dismay as your computer ground to a halt only to display a prankster’s juvenile greeting on your monitor, or found yourself having to apologize for abusive e-mail messages you never sent, you know first-hand how computer viruses and other harmful programs can disrupt your productivity. If you haven’t yet suffered from a virus “infection,” count yourself lucky.
The threat from viruses and other malicious software is real, and it is growing worse. Some estimates have placed the total worldwide cost in time and lost productivity for merely detecting and cleaning virus infections at more than $10 billion per year, a figure that doesn’t include the costs of data loss and recovery in the wake of attacks that destroyed data.
Some of these students soon discovered that they could use certain features of the host computer’s operating system to give them unauthorized access to computer resources. Others took advantage of users who had relatively little computer knowledge to substitute their own programs—written for their own purposes—in place of common or innocuous utilities.
For a time, sophisticated descendants of this first boot-sector virus represented the most serious virus threat to computer users. Variants of boot sector viruses also infect the Master Boot Record (MBR), which stores the partition information your computer needs to figure out where to find each of your hard disk partitions and the boot sector itself. Realistically, nearly every step in the boot process, from reading the MBR to loading the operating system, is vulnerable to virus sabotage.
Particularly clever viruses can even subvert attempts to clear them from memory by trapping the CTRL+ALT+DEL keyboard sequence for a warm reboot, then faking a restart. Sometimes the only outward indication that anything on your system is amiss—before any payload detonates, that is—might be a small change in the file size of infected legitimate software.
Macro viruses

By 1995 or so, the virus war had come to something of a standstill. New viruses appeared continuously, prompted in part by the availability of ready-made virus “kits” that enabled even some non-programmers to whip up a new virus in no time. But most existing anti-virus software easily kept pace with updates that detected and disposed of the new virus variants, which consisted primarily of minor tweaks to well-known templates.
Convergences in the technologies that have resulted from this feverish pace of invention have given website designers tools they can use to collect and display information in ways never previously available. Websites soon sprang up that could send and receive e-mail, formulate and execute queries to databases using advanced search engines, send and receive live audio and video, and distribute data and multimedia resources to a worldwide audience.
Instead, harmful objects exist to deliver their equivalent of a virus payload. Programmers have written objects, for example, that can read data from your hard disk and send it back to the website you visited, that can “hijack” your e-mail account and send out offensive messages in your name, or that can watch data that passes between your computer and other computers. Even more powerful agents have begun to appear in applications that run directly from websites you visit.
How to protect yourself

McAfee VirusScan’s anti-virus software already gives you an important bulwark against infection and damage to your data, but anti-virus software is only one part of the security measures you should take to protect yourself. Anti-virus software, moreover, is only as good as its latest update. Because as many as 200 to 300 viruses and variants appear each month, the virus definition (.
Chapter 1. About VirusScan Software

VirusScan Central is your main entry point for using all of the available components of McAfee VirusScan. This home screen provides relevant information such as the last time a virus scan was performed on your computer; which VShield settings are enabled or disabled (for more information, see Using VShield Scanner); and available DAT information and when it was created. Through this user-friendly interface, you can access the main functions of McAfee VirusScan.
VirusScan software first honed its technological edge as one of a handful of pioneering utilities developed to combat the earliest virus epidemics of the personal computer age. It has developed considerably in the intervening years to keep pace with each new subterfuge that virus writers have unleashed. As one of the first Internet-aware anti-virus applications, it maintains its value today as an indispensable business utility for the new electronic economy.
Even with the rise of viruses and worms that use e-mail to spread, that flood e-mail servers, or that infect groupware products and file servers directly, the individual desktop remains the single largest source of infections, and is often the most vulnerable point of entry.
file, a boot sector, or a master boot record that viruses tend to infect, either because they can hide within them, or because they can hijack their execution routines. This way, the scanner avoids having to examine the entire file for virus code; it can instead sample the file at well defined points to look for virus code signatures that indicate an infection. The development environment brings as much speed to .DAT file construction as it does to scan engine routines.
“Double heuristics” analysis

As a further engine enhancement, McAfee VirusScan researchers have honed early heuristic scanning technologies—originally developed to detect the astonishing flood of macro virus variants that erupted after 1995—into a set of precision instruments. Heuristic scanning techniques rely on the engine’s experience with previous viruses to predict the likelihood that a suspicious file is an as-yet unidentified or unclassified new virus.
Internet sites. It can look for particular Java and ActiveX objects that pose a threat, or block access to dangerous Internet sites. Meanwhile, an E-Mail Scan extension to Microsoft Exchange e-mail clients, such as Microsoft Outlook, can “x-ray” your mailbox on the server, looking for malicious agents before they arrive on your desktop. VirusScan software even protects itself against attempts to use its own functionality against your computer.
Figure 1-1. McAfee VirusScan Central screen

Through this user-friendly interface, you can access the main functions of McAfee VirusScan. Click the appropriate button to start a particular task within McAfee VirusScan (e.g., Scan, Schedule, Quarantine, etc.). You can also click the Update button to search for and download any available updates to the McAfee VirusScan software installed on your computer.
• The VShield scanner. This component gives you continuous anti-virus protection from viruses that arrive on floppy disks, from your network, or from various sources on the Internet. The VShield scanner starts when you start your computer, and stays in memory until you shut down. A flexible set of property pages lets you tell the scanner which parts of your system to examine, what to look for, which parts to leave alone, and how to respond to any infected files it finds.
• A cc:Mail scanner. This component includes technology optimized for scanning Lotus cc:Mail mailboxes that do not use the MAPI standard. Install and use this component if your workgroup or network uses cc:Mail v8.x or earlier.
• The Alert Manager Client configuration utility. This component lets you choose a destination for Alert Manager “events” that VirusScan software generates when it detects a virus or takes other noteworthy actions.
– BOOTSCAN.EXE, a smaller, specialized scanner for use primarily with the Emergency Disk utility. This scanner ordinarily runs from a floppy disk you create to provide you with a virus-free boot environment. When you run the Emergency Disk creation wizard, VirusScan software copies BOOTSCAN.EXE and a specialized set of .DAT files to a single floppy disk. BOOTSCAN.
– An online help file. This file gives you quick access to a full range of topics that describe VirusScan software. You can open this file either by choosing Help Topics from the Help menu in the VirusScan main window, or by clicking any of the Help buttons displayed in VirusScan dialog boxes. The help file also includes extensive context-sensitive—or “What's This”—help.
Interface enhancements

This release moves the VirusScan interface for all supported platforms solidly into the territory VirusScan anti-virus software for Windows 95, Windows 98 and Windows ME pioneered with its v4.0.1 release. This adds extensive VShield scanner configuration options for the Windows NT Workstation v4.0 and Windows 2000 Professional platforms, while reducing the complexity of some previous configuration options.
Changes in product functionality

• A new Alert Manager Client configuration utility allows you to choose an Alert Manager server installed on your network as an alert message destination, or to select a network share as a destination for Centralized Alerting messages. You can also supplement either of these alert methods with Desktop Management Interface alert messages.
Chapter 2. Installing VirusScan Software

Before you begin

McAfee VirusScan Software distributes VirusScan software in two ways: 1) as an archived file that you can download from the McAfee Web site; and 2) on CD-ROM. Although the method you use to transfer VirusScan files from an archive you download differs from the method you use to transfer files from a CD-ROM you place in your CD-ROM drive, the installation steps you follow after that are the same for both distribution types.
Preparing to install VirusScan software

After you insert the McAfee VirusScan CD-ROM into your CD-ROM drive, you should see a VirusScan welcome image appear automatically. To install VirusScan software immediately, click Install VirusScan, then skip to Step 4 to continue with Setup. If the welcome image does not appear, or if you are installing VirusScan software from files you downloaded, start with Step 2.
2. Choose Run from the Start menu in the Windows taskbar. The Run dialog box will appear (Figure 2-1).

Figure 2-1. Run dialog box

3. Type :\SETUP.EXE in the text box provided, then click OK. Here, represents the drive letter for your CD-ROM drive or the path to the folder that contains your extracted VirusScan files. To search for the correct files on your hard disk or CD-ROM, click Browse.
Figure 2-2. Setup welcome panel

4. This first panel tells you where to locate the README.TXT file, which describes product features, lists any known issues, and includes the latest available product information for this VirusScan version. When you have read the text, click Next> to continue.
5. The next wizard panel displays the VirusScan software end-user license agreement.
6. Select Preserve On Access Settings, if the option is available, then click Next> to continue. If Setup finds incompatible software, it will display a wizard panel that gives you the option to remove the conflicting software (see Figure 2-3). If you have no incompatible software on your system and your computer runs Windows 95 or Windows 98, skip to Step 9 to continue with the installation. If you have no incompatible software and your system runs Windows NT Workstation v4.
If your computer runs Windows NT Workstation v4.0 or Windows 2000 Professional, Setup next asks you which security mode you want to use to run VirusScan software on your system. The options in this panel govern whether others who use your computer can make changes to the configuration options you choose, can schedule and run tasks, or can enable and disable VirusScan components.
Figure 2-4. Setup Type panel

9. Choose the Setup Type you prefer. Your choices are:
• Typical Installation. This option installs all available features contained in the McAfee VirusScan product.
• Custom Installation. This option allows you to customize McAfee VirusScan by selecting only the specific features of the product that you want installed on your computer.
10. Choose the option you prefer, then click Next> to continue.
Figure 2-5. Custom Setup panel

11. Choose the VirusScan components you want to install. You can:
• Add a component to the installation. Click beside a component name, then choose This feature will be installed on local hard drive from the menu that appears. To add a component and any related modules within the component, choose This feature, and all subfeatures, will be installed on local hard drive instead. You can choose this option only if a component has related modules.
Setup will show you a wizard panel that confirms its readiness to begin installing files (Figure 2-6).

Figure 2-6. Ready to Install panel

13. Click Install to begin copying files to your hard drive. Otherwise, click
14. From the VirusScan Configuration panel (Figure 2-7), you can skip configuration to finish your installation, or you can choose to configure the available options displayed.
• Scan boot record at startup. Select this checkbox to have Setup write these lines to your Windows AUTOEXEC.BAT file:

    C:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\SCAN.EXE C:\
    @IF ERRORLEVEL 1 PAUSE

This tells your system to start the VirusScan Command Line scanner when your system starts.
Figure 2-8. Configuration panel

Choose configuration options for your installation. You can choose to scan your system, create an emergency disk, or update your virus definition files before you start the VShield scanner and the VirusScan Console.

NOTE: For more information on any of these options, you can refer to the online Help of McAfee VirusScan.

16. In the next screen (Figure 2-9), select the Enable McAfee VirusScan Protection checkbox, then click Finish.
Figure 2-9. Successful Installation panel

17. After you click Finish, the McAfee VirusScan Installer Information dialog box appears and prompts you to restart your computer (Figure 2-10).

Figure 2-10. McAfee VirusScan Installer Information dialog box

NOTE: If you had a previous VirusScan version installed on your computer, you must restart your system in order to start the VShield scanner. Click Yes to restart your computer.
Using the Emergency Disk Creation utility

If you choose to create an Emergency Disk during installation, Setup will start the Emergency Disk wizard in the middle of the VirusScan software installation, then will return to the Setup sequence when it finishes. To learn how to create an Emergency Disk, begin with Step 1. You can also start the Emergency Disk wizard at any point after you install VirusScan software.
To start the wizard after installation, click Start in the Windows taskbar, point to Programs, then to McAfee VirusScan. Next, choose Create Emergency Disk. The Emergency Disk wizard welcome panel will appear (Figure 2-11).

Figure 2-11. Emergency Disk welcome panel

1. Click Next> to continue. The next wizard panel appears (Figure 2-12).

Figure 2-12.
If your computer runs Windows NT Workstation or Windows 2000 Professional, the wizard tells you that it will format your Emergency Disk with the NAI-OS. You must use these proprietary operating system files to create your Emergency Disk, because Windows NT Workstation v4.0 and Windows 2000 Professional system files do not fit on a single floppy disk.
a. Insert an unlocked and unformatted floppy disk into your floppy drive. McAfee VirusScan Software recommends that you use a completely new disk that you have never previously formatted to prevent the possibility of virus infections on your Emergency Disk.
b. Verify that the Don’t format checkbox is clear.
c. Click Next>. The Windows disk format dialog box appears (see Figure 2-11).

Figure 2-13. Windows Format dialog box

d.
Figure 2-14. Scanning Emergency Disk for viruses

If VirusScan software does not detect any viruses during its scan operation, Setup will immediately copy BOOTSCAN.EXE and its support files to the floppy disk you created. If VirusScan software does detect a virus, quit Setup immediately.

4. When the wizard finishes copying the Emergency Disk files, it displays the final wizard panel (Figure 2-15).

Figure 2-15. Final Emergency Disk panel

5. Click Finish to quit the wizard.
NOTE: A locked or write-protected floppy disk shows two holes near the edge of the disk opposite the metal shutter. If you don’t see two holes, look for a plastic sliding tab at one of the disk corners, then slide the tab until it locks in an open position.

Determining when you must restart your computer

In many circumstances, you can install and use this VirusScan release immediately, without needing to restart your computer.
Table 2-1.
To test your installation, follow these steps:

1. Open a standard Windows text editor, such as Notepad, then type this character string as one line, with no spaces or carriage returns:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

NOTE: The line shown above should appear as one line in your text editor window, so be sure to maximize your text editor window and delete any carriage returns.
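An added example, not part of the original guide: a Python helper that writes the standard EICAR test string from step 1 byte-for-byte and reports the typing and saving mistakes that keep a scanner from recognizing the file. The function names, the EICAR.COM file name, and the trailing-whitespace and 128-byte limits (taken from EICAR's published description of the test file) are assumptions that this guide does not state.

```python
"""Build and validate the anti-virus test file described in step 1."""
import os
import tempfile
from typing import List

# The 68-character test string, assembled from two pieces so that this
# script is not itself flagged by a scanner that reads it as plain text.
_PREFIX = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
_SUFFIX = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
TEST_STRING = (_PREFIX + _SUFFIX).encode("ascii")

# Assumption (EICAR's description, not this guide): the string may be
# followed only by these whitespace bytes, and the file may not exceed 128.
ALLOWED_TRAILING = b" \t\r\n\x1a"
MAX_LENGTH = 128

# Byte-order marks an editor may prepend when saving as "Unicode".
_BOMS = (b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")


def check_test_bytes(data: bytes) -> List[str]:
    """Return a list of problems; an empty list means the file is well formed."""
    if data.startswith(_BOMS):
        return ["file starts with a Unicode byte-order mark; save it as plain ASCII"]
    if not data.startswith(TEST_STRING):
        # Typical typing mistake: a wrapped line or a space inside the string.
        squeezed = bytes(b for b in data if b not in b" \t\r\n")
        if squeezed.startswith(TEST_STRING):
            return ["stray whitespace or line break before or inside the test string"]
        return ["test string missing or mistyped"]
    problems = []
    tail = data[len(TEST_STRING):]
    if any(b not in ALLOWED_TRAILING for b in tail):
        problems.append("unexpected bytes after the test string")
    if len(data) > MAX_LENGTH:
        problems.append("file longer than 128 bytes")
    return problems


def write_test_file(directory: str, name: str = "EICAR.COM") -> str:
    """Write exactly the 68 bytes, in binary mode so no CR/LF is appended."""
    path = os.path.join(directory, name)
    with open(path, "wb") as handle:
        handle.write(TEST_STRING)
    return path


def check_file(path: str) -> List[str]:
    """Validate a file on disk; one byte past the limit is enough to judge length."""
    with open(path, "rb") as handle:
        return check_test_bytes(handle.read(MAX_LENGTH + 1))


if __name__ == "__main__":
    # Constructed demo: write the file to a scratch directory and validate it.
    # An active on-access scanner is expected to block or quarantine the file.
    with tempfile.TemporaryDirectory() as scratch:
        target = write_test_file(scratch)
        try:
            print(target, check_file(target) or "well formed")
        except OSError as exc:
            print("access blocked, likely by the on-access scanner:", exc)
```
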
Setup will start and display the first Maintenance wizard panel.

4. Click Next> to continue. Setup displays the Program Maintenance wizard panel. Choose whether to modify VirusScan components or to remove VirusScan software from your system completely. Your choices are:
• Modify. Select this option to add or remove individual VirusScan components. Setup will display the Custom wizard panel (see Figure 2-5).
Chapter 3. Removing Infections From Your System

If you suspect you have a virus...

First of all, don’t panic! Although far from harmless, most viruses that infect your machine will not destroy data, play pranks, or render your computer unusable. Even the comparatively rare viruses that do carry a destructive payload usually produce their nasty effects in response to a trigger event.
If VirusScan software found an infection during installation, follow these steps carefully:

1. Quit Setup immediately, then shut down your computer. Be sure to turn the power to your system off completely. Do not press CTRL+ALT+DEL or reset your computer to restart your system—some viruses can remain intact during this type of “warm” reboot.
2.
NOTE: McAfee VirusScan Software strongly recommends that you do not interrupt the BOOTSCAN.EXE scanner as it runs its scan operation. The Emergency Disk will not detect macro viruses, script viruses, or Trojan horse programs, but it will detect common file-infecting and boot-sector viruses. If BOOTSCAN.EXE finds a virus, it will try to clean the infected file. If it fails, it will deny access to the file and continue the scan operation.
Deciding when to scan for viruses

Maintaining a secure computing environment means scanning for viruses regularly. Depending on the degree to which you swap floppy disks with other users, share files over your local area network, or interact with other computers via the Internet, scanning “regularly” could mean scanning as little as once a month, or as often as several times a day.
Recognizing when you don’t have a virus

Personal computers have evolved, in their short life span, into highly complex machines that run ever-more-complicated software. Even the most farsighted of the early PC advocates could never have imagined the tasks for which workers, scientists and others have harnessed the modern PC’s speed, flexibility and power.
Understanding false detections

A false detection occurs when VirusScan software sends a virus alert message or makes a log file entry that identifies a virus where none actually exists. You are more likely to see false detections if you have anti-virus software from more than one vendor installed on your computer, because some anti-virus software stores the code signatures it uses for detection unprotected in memory.
Responding to viruses or malicious software

Because VirusScan software consists of several component programs, any one of which could be active at one time, your possible responses to a virus infection or to other malicious software will depend upon which program detected the harmful object, how you have that program configured to respond, and other circumstances. The following sections give an overview of the default responses available with each program component.
Figure 3-1. Initial System Scan response options

If your computer runs Windows 95 or Windows 98, you can choose to display a different virus alert message. If you select BIOS in the Prompt Type area in the System Scan module Action page, you’ll see instead a full-screen warning that offers you response options.

Figure 3-2. Full-screen Warning - System Scan response options

This alert message brings your system to a complete halt as it awaits your response.
To take one of the actions shown in an alert message, click a button in the Access to File Was Denied dialog box, or type the letter highlighted in yellow when you see the full-screen warning. If you want the same response to apply to all infected files that the System Scan module finds during this scan operation, select the Apply to all items checkbox in the dialog box. This option is not available in the full-screen alert message.
Responding when the E-mail Scan module detects a virus

NOTE: This feature applies only to Exchange server e-mail.

This module looks for viruses in e-mail messages you receive via corporate e-mail systems such as cc:Mail and Microsoft Exchange. In its initial configuration, the module will prompt you to choose a response from among five options whenever it detects a virus.

Figure 3-3.
• Exclude. Click this button to prevent the E-Mail Scan module from flagging this file as a virus in future scan operations. If you copy this file to your hard disk, this also prevents the System Scan module from detecting the file as a virus.

When you choose your action, the E-Mail Scan module will implement it immediately and add a notice to the top of the e-mail message that contained the infected attachment.
• Move. Click this to tell the Download Scan module to move the infected file to the quarantine directory you chose in the module’s Action property page.

When you choose your action, the Download Scan module will implement it immediately and add a notice to the top of the e-mail message that contained the infected attachment.
Figure 3-6. VirusScan response options

To respond to the infection, click one of the buttons shown. You can tell the VirusScan application to:
• Continue. Click this button to proceed with the scan operation and have the application list each infected file in the lower portion of its main window (Figure 3-7), record each detection in its log file, but take no other action to respond to the virus.
• Clean. Click this button to have the VirusScan application try to remove the virus code from the infected file. If it cannot clean the file—either because it has no remover or because the virus has damaged the file beyond repair—it will record the incident in its log file and suggest alternative responses.
Figure 3-8. E-Mail Scan response options

To respond to the infection, click one of the buttons shown. You can tell the E-Mail Scan extension to:
• Continue. Click this button to have the E-Mail Scan extension proceed with its scan operation, list each infected file it finds in the lower portion of its main window (Figure 3-9), and record each detection in its log file, but it will take no other action to respond to the virus.
Figure 3-9. E-Mail Scan extension window

• Clean. Click this button to remove the virus code from the infected file. If the E-Mail Scan extension cannot clean the file—either because it has no remover or because the virus has damaged the file beyond repair—it will record the incident in its log file and suggest alternative responses. In the example shown in Figure 3-8, Clean is not an available response option.
Figure 3-10. McAfee VirusScan Virus Information Library page

The Virus Information Library has a collection of documents that give you a detailed overview of each virus that VirusScan software can detect or clean, along with information about how the virus infects and alters files, and the sorts of payloads it deploys.
• Contact addresses and other information for submitting questions, virus samples, and other data
• Virus definition updates: this includes daily beta .DAT file updates, EXTRA.DAT files, updated Emergency .DAT files, current scan engine versions, regular weekly .DAT and SuperDAT updates, and new incremental virus definition files (.
Several methods exist for capturing virus samples and submitting them. The next sections discuss methods suited to particular conditions.

Using the SendVirus utility to submit a file sample

Because the majority of later-generation viruses tend to infect document and executable files, VirusScan software comes with SENDVIR.EXE, a utility that makes it easy to submit an infected file sample to McAfee VirusScan researchers for analysis.
Figure 3-13. Your Contact Information panel

5. If you want AVERT researchers to contact you about your submission, enter your name, e-mail address, and any message you would like to send along with your submission in the text boxes provided, then click Next> to continue.

NOTE: You may submit samples anonymously, if you prefer—simply leave the text boxes in this panel blank. You are under no obligation to supply any information at all here.
6. Click Add to open a dialog box you can use to locate the files you believe are infected. Choose as many files as you want to submit for analysis. To remove any of the files shown in the submission list, select it, then click Remove. When you have chosen all of the files you want to submit, click Next> to continue. The Choose Upload Options panel appears (Figure 3-15).

Figure 3-15.
Figure 3-16. Choose E-mail Service panel

7. Select the type of e-mail client application you have installed on your computer. Your choices are:
• Use outgoing Internet mail. Click this button to send your sample via a Simple Mail Transfer Protocol e-mail client, such as Eudora, Netscape Mail, or Microsoft Outlook Express. Next, enter the name of your outgoing mail server in the text box provided (mail.domain.com, for example).
• Use Microsoft Exchange.
Capturing boot sector, file-infecting, and macro viruses

If you suspect you have a virus infection, you can collect a sample of the virus, then either create a floppy disk image to send via e-mail, or mail the floppy disk itself to McAfee VirusScan anti-virus researchers. The researchers would also benefit from having samples of your current system files on a separate floppy disk.
Capturing file-infecting or macro viruses

If you suspect you have a file-infecting virus or a macro virus that has infected any of your Microsoft Word, Excel, or PowerPoint files, send these files to McAfee VirusScan’s anti-virus researchers, either with the SENDVIR.EXE utility, via e-mail as floppy disk images, or through the mail on floppy disk:
• If you suspect that a virus has infected executable files on your system, copy COMMAND.
Once you create images of the disks you want to send, you can send them as file attachments in an e-mail message to McAfee VirusScan’s anti-virus researchers.

Preparing file archives to send

Try to fit as many file samples as you can on a single floppy disk. To do so, compress the samples that you captured on disk to a single .ZIP file with password protection. Here’s a suggested procedure that uses the WinZip utility:

1. Start WinZip.
2.
In the United States: virus_research@nai.com
In the United Kingdom: vsample@nai.com
In Germany: virus_research_de@nai.com
In Japan: virus_research_japan@nai.com
In Australia: virus_research_apac@nai.com
In the Netherlands: virus_research_europe@nai.
In Germany:
Network Associates, Inc.
Virus Research
Luisenweg 40
20537 Hamburg
Germany

In Japan:
Network Associates, Inc.
Virus Research
9F Toranomon Mori-bldg. 33
3-8-21 Toranomon, Minato-Ku
Tokyo
Japan 105-0001

In Australia:
Network Associates, Inc.
Virus Research
500 Pacific Highway, Level 1
St.

In Europe:
Network Associates, Inc.
Virus Research
Gatwickstraat 25
4 Using the VShield Scanner
What does the VShield scanner do?
McAfee VirusScan desktop anti-virus products use two general methods to protect your system. The first method, background scanning, operates continuously, watching for viruses as you use your computer for everyday tasks. In the VirusScan product, the VShield scanner performs this function. A second method allows you to initiate your own scan operations. The VirusScan application generally handles these tasks.
• Internet Filter. This module looks for and blocks hostile Java classes and ActiveX controls from downloading to and executing from your system as you visit Internet sites. It can also block your browser from connecting to potentially dangerous Internet sites that harbor malicious software.
IMPORTANT: To use the E-Mail Scan, Download Scan or Internet Filter modules, you must install them from the Custom option in Setup.
• Security.
• Internet site filtering. The VShield scanner comes with a list of dangerous web- or Internet sites that pose a hazard to your system, usually in the form of downloadable malicious software. You can add any other site that you want to keep your browser software from connecting to, either by listing its Internet Protocol (IP) address or its domain name.
• Automatic operation. The VShield scanner integrates with a range of browser software and e-mail client applications.
McAfee VirusScan Software has also tested these e-mail clients and verified that they work with the VShield Download Scan module:
• Microsoft Outlook Express
• Qualcomm Eudora v3.x and v4.x
• Netscape Mail (included with most versions of Netscape Navigator and Netscape Communicator)
• America Online mail v3.0, v4.0 and v5.0
In order to work with the VShield E-mail Scan module, your corporate e-mail system must use Lotus cc:Mail, Microsoft Exchange, or Microsoft Outlook client.
NOTE: McAfee VirusScan Software recommends that you do not start or stop the VShield service from the Windows control panel. Instead, you can stop and restart the scanner from the provided VirusScan control panel. If your computer runs Windows 95 or Windows 98, the scanner loads in a way that mimics a Windows service on that platform. This service is not visible in the Windows user interface.
NOTE: Enabling a module means activating it and loading it into your computer’s memory for use. The VShield scanner can start and remain active in memory even with none of its modules enabled.
Method 1: Use the VShield shortcut menu
Follow these steps:
1. Right-click the VShield icon in the Windows system tray to display its shortcut menu.
2. Point to Quick Enable.
3. Choose one of the module names shown without a check mark.
Depending on which combination of modules you enable, the VShield icon will display a different state.
Method 3: Use the VShield Properties dialog box
Follow these steps:
1. Right-click the VShield icon in the Windows system tray to display the VShield shortcut menu, point to Properties, then choose System Scan to open the VShield Properties dialog box.
Figure 4-2. VShield Properties dialog box
2.
Method 4: Use the VirusScan Console
Follow these steps:
1. Double-click the VirusScan Console icon in the Windows system tray to bring the Console window to the foreground.
2. Select VShield in the task list, then choose Enable from the Task menu. The Console will enable the System Scan module and any other module you had enabled previously. You cannot use this method to enable individual modules other than the System Scan module.
3.
Using the VShield configuration wizard
After you install VirusScan software and restart your computer, the VShield scanner loads into memory immediately and begins working with a default set of options that give you basic anti-virus protection. Unless you disable it or one of its modules—or stop it entirely—you never have to worry about starting the scanner or scheduling scan tasks for it.
Figure 4-4. VShield configuration wizard - System Scan panel
Here you can tell the VShield scanner to look for viruses in files susceptible to infection whenever you open, run, copy, save or otherwise modify them. Susceptible files include various types of executable files and document files with embedded macros, such as Microsoft Office files.
5. Select the Enable e-mail scanning checkbox, then select the checkbox that corresponds to the type of e-mail client you use. Your choices are:
• Internet e-mail clients. Select this checkbox if you use a Post Office Protocol (POP-3) or Simple Mail Transfer Protocol (SMTP) e-mail client that sends and receives standard Internet mail directly or through a dial-up connection.
The next wizard panel sets options for the VShield Download Scan module (Figure 4-6).
Figure 4-6. VShield Configuration Wizard - Download Scan panel
6. To have the Download Scan module look for viruses in each file that you download from the Internet, select the Yes, do scan my downloaded files for viruses checkbox, then click Next> to continue. The module will look for viruses in those files most susceptible to infection and will scan compressed files as you receive them.
7. To have the Internet Filter module block hostile Java and ActiveX objects or dangerous Internet sites that can cause your system harm, select Yes, enable hostile applet protection and access prevention to unsafe websites, then click Next>. The Internet Filter module maintains a list of harmful objects and sites that it uses to check the sites you visit and the objects you encounter.
The VShield Properties dialog box consists of a series of property pages that control the settings for each program module. To choose your options, click the icon for the appropriate program module, then click each tab in the VShield Properties dialog box in turn. To open the VShield Properties dialog box, right-click the VShield icon in the Windows system tray to display the VShield shortcut menu, point to Properties, then choose System Scan.
The module can take a variety of automatic actions to respond to any viruses it finds, and can report what it has done either with an alert message when it takes the action or in a log file you can examine at your leisure. You can also set it to ask you what to do when it finds a virus. Elsewhere in this module, you can choose options that tell the VShield scanner to display a state icon in the Windows taskbar that tells you at a glance which, if any, VShield modules are active.
“Inbound” files are files that your computer or another system on the network saves or writes to local hard disks attached to your computer or to any network hard disks you have mapped to your system. To include network drives mapped to your system for a scan session, you must also select the Network drives checkbox.
If you tend to copy files from one server that does not copy files from your computer, and if other network users do the same, you might want to configure your computers to scan only files that they write to their hard disks—or only files that they read from their hard disks—in order to prevent two computers from scanning the same file. If you do so, however, you should configure each computer identically.
Figure 4-10. Program File Extensions dialog box
• Scan all files. Select the All files button to have the System Scan module examine any file, whatever its extension, whenever you or a system process modifies it in any way.
• Scan networked drives. To have the System Scan module look for viruses on any drives mapped to your system that you use in any way, select the Network drives checkbox.
You can also run the entire VirusScan product in secure mode, which disables access to all configurable options.
• Display the VShield icon in the Windows system tray. Select the Show icon in the Taskbar checkbox to have the VShield scanner display this icon in the system tray. The particular state in which the icon appears depends on which VShield modules you have enabled. Double-clicking the icon opens the VShield Status dialog box.
b. Select the types of heuristics scanning you want the System Scan module to use. Your choices are:
– Enable macro heuristics scanning. Choose this option to have the System Scan module identify all Microsoft Word, Microsoft Excel, and other Microsoft Office files that contain embedded macros, then compare the macro code to its virus definitions database.
Choosing Action options
When the System Scan module detects a virus, it can respond either by asking you what it should do with the infected file, or by automatically taking an action that you determine ahead of time. Use the Action property page to specify which response options you want the module to give you when it finds a virus, or which actions you want it to take on its own.
3. The items you can choose from the list are:
• Prompt for user action. Choose this response to have the System Scan module ask you what to do when it finds a virus—the module will display an alert message and offer you a set of possible responses. If your computer runs Windows 95 or Windows 98, choosing this response displays the Prompt Type option (Figure 4-13). Here you can choose the method you want the System Scan module to use to alert you when it finds a virus.
– Move file. This option tells the module to move the infected file to a quarantine folder. The GUI version of the alert message will display a Move file to button that allows you to locate a quarantine folder to use.
– Stop access. This option tells the module to prevent you or anyone else who tried to modify this file from working with it in any way at all.
– Exclude file. This option tells the module to skip the file during this and later scan sessions.
– Continue access.
• Deny access to infected files and continue. Choose this response to have the module mark the file “off limits” and continue with its normal scanning operations. Choose this response only if you plan to leave your computer unattended for long periods. If you also activate the module’s reporting feature, the program will record the names of any viruses it finds and the names of infected files so that you can delete them at your next opportunity.
4.
2. Select the Notify Alert Manager checkbox to have the module send alert messages to Alert Manager for distribution. Alert Manager is a separate McAfee VirusScan software component that collects alert messages and uses a variety of methods to send them to recipients that you specify. To have the System Scan module send these alert messages successfully, you must also set up the Alert Manager Client Configuration utility.
Choosing Report options
The System Scan module lists its current settings and summarizes all of the actions it takes during its scanning operations in a log file called VSHLOG.TXT. You can have the module write its log to this file, or you can use any text editor to create a text file for it to use. You can then open and print the log file for later review from any text editor. The VSHLOG.
You can enter a different name and path in the text box provided, or click Browse to locate a suitable file elsewhere on your hard disk or on your network. You may use a different file, but the text file must already exist. The module will not create a new file.
3. Select the Limit size of log file to checkbox to minimize the log file size, then enter a value for the file size, in kilobytes, in the text box provided.
If you choose this option, the log will record:
– How many files the module examined.
– How many infected files the module cleaned.
– How many infected files the module deleted.
– How many infected files the module moved to a quarantine folder.
– Your System Scan module settings.
Clear the checkbox to leave this information out of the log file.
5. Date and time. Select this checkbox to have the log file record the date and time at which the module starts each scan session.
Once you use VirusScan software to scan your system thoroughly, you can tell the System Scan module to ignore those files and folders that do not change or that are not normally vulnerable to virus infection. To choose your options, follow these steps:
1. Click the Exclusion tab in the System Scan module to display the correct property page (Figure 4-16).
Figure 4-16. System Scan Properties dialog box - Exclusion page
2. Specify the items you want to exclude.
Next, follow these substeps to add items to the list:
a. Enter a path to a folder or a file name in the text box provided, or click Browse to locate the item you want the module to exclude.
NOTE: If you have chosen to move infected files to a quarantine folder automatically, the module excludes that folder from scan operations.
b. Select the Include subfolders checkbox to tell the module to ignore files stored in any subfolders within the folder you specified in Step a.
• Remove an item from the list. To delete an exclusion item, select it in the list, then click Remove. This means that the System Scan module will scan this file or folder during this scan session.
3. Click a different tab to change any of your System Scan settings, or click one of the icons along the side of the System Scan Properties dialog box to choose options for a different module. To save your changes in the System Scan module without closing its dialog box, click Apply.
Choosing Detection options
The VShield scanner does not start with the E-mail Scan module enabled by default because it needs to know which e-mail system you use. Once you configure it for use with your regular e-mail client, the module will use your MAPI profile, or your cc:Mail user name and password, to log on to your mail account whenever it starts a scan session.
2. Select the type of e-mail system you use. Your options are:
• Enable Corporate Mail. Select this checkbox to have the E-Mail Scan module scan mail attachments you receive via a mail system that runs within your office network. Usually such systems use a proprietary mail protocol and have a central mail server to which you send mail for delivery. Often such systems send and receive Internet mail, but they usually do so through a gateway application.
3. Tell the E-Mail Scan module which mail sources it should monitor:
• If you chose Microsoft Exchange (MAPI) as your corporate e-mail system, the Folders area shows All incoming mail, which means that the module will look for viruses in files attached to each e-mail message as it arrives in your MAPI mailbox or via other MAPI services.
To see or designate the file name extensions that the E-Mail Scan module will examine, click Extensions to open the Program File Extensions dialog box (Figure 4-10).
Figure 4-20. Program File Extensions dialog box
• Scan all files. Select the All files button to have the E-Mail Scan module examine any file, whatever its extension, whenever you or a system process modifies it in any way.
5. Turn on heuristic scanning.
The E-Mail Scan module starts out without any heuristic scan options active. To activate heuristics scanning, follow these substeps:
a. Select the Enable heuristics scanning checkbox. The remaining options in the dialog box activate.
b. Select the types of heuristics scanning you want the E-Mail Scan module to use. Your choices are:
– Enable macro heuristics scanning.
Choosing Action options
When the E-Mail Scan module detects a virus in an e-mail attachment, it can respond either by asking you what it should do with the infected file, or by taking an action that you determine ahead of time. Use the Action property page to specify which response options you want the module to give you when it finds a virus, or which actions you want it to take on its own.
NOTE: If you choose Prompt for user action from the list, click the Alert tab to specify whether you want the E-Mail Scan module to prompt you with a message, a beep, or both. Select the options you want to see in the alert message. Each of the checkboxes you select here causes an option button to appear in an alert message that the module displays when it finds a virus. Selecting Delete file here, for example, causes a Delete button to appear in the alert message.
NOTE: The E-Mail Scan module does not support this option for Lotus cc:Mail v7.x and earlier e-mail systems. The option will not appear here if you selected Lotus cc:Mail in the E-Mail Scan Detection page.
• Delete infected files. Choose this response to have the E-Mail Scan module delete every infected file it detects immediately. Be sure to enable its reporting feature so that you have a record of which files the module deleted.
Figure 4-23. E-mail Scan Properties dialog box - Alert page
2. Select the Notify Alert Manager checkbox to have the module send alert messages to Alert Manager for distribution. Alert Manager is a separate McAfee VirusScan software component that collects alert messages and uses a variety of methods to send them to recipients that you specify. To have the E-Mail Scan module send these alert messages successfully, you must also set up the Alert Manager Client Configuration utility.
You can pass alert messages directly to an Alert Manager server, or you can send alert messages as text (.ALR) files to a Centralized Alerting directory that the Alert Manager server checks periodically.
NOTE: Clearing this checkbox tells the E-Mail Scan module not to send an alert message via Alert Manager, but does not affect other alert messages that you configure in this property page.
b. To send a copy of this message to someone else, enter an e-mail address in the text box labeled Cc:, or click Cc: to choose a recipient from your mail system’s user directory or address book.
NOTE: To find an e-mail address in your mail system’s user directory, you must store address information in a MAPI-compliant user directory, database, or address book, or in an equivalent Lotus cc:Mail directory.
The module will sound the standard system warning beep or .WAV file you have your computer set to play.
5. Select the Display custom message checkbox to have the module add a custom message to the alert box it displays when it finds an infected file. As with the audible alert, you can change the setting for this option only if you choose Prompt for user action in the Action property page.
Figure 4-24. E-mail Scan Properties dialog box - Report page
2. Select the Log to file checkbox. By default, the module writes log information to the file WEBEMAIL.TXT in the VirusScan program directory. You can enter a different name and path in the text box provided, or click Browse to locate a suitable file elsewhere on your hard disk or on your network.
3.
• Infected file deletion. Select this checkbox to have the log file record how many viruses the module deletes during each scan session. Clear this checkbox to leave this information out.
• Infected file move. Select this checkbox to have the log file record how many viruses the module moves to a quarantine folder during each scan session. Clear this checkbox to leave this information out.
• Session settings.
Configuring the Download Scan module
The Download Scan module can check files you download from the Internet as you visit websites, FTP sites, and other Internet sites. This module is also where you set the options you want to use to respond to infected e-mail attachments you receive via POP-3 or SMTP e-mail client programs such as Eudora, Netscape Mail, or Microsoft Outlook Express.
To modify the settings in this property page, follow these steps:
1. Select the Enable Internet download scanning checkbox. The options in the rest of the property page activate.
2. Specify the types of files you want the Download Scan module to examine. You can:
• Choose file types for scanning. Viruses cannot infect files that contain no executable code, whether script, macro, or binary code.
This option ensures that viruses do not spread from compressed files, but because the module uncompresses these files before it scans them, choosing this option can lengthen the time it takes to scan a given set of files as you work with your computer.
NOTE: When the Download Scan module examines a file archive, it will scan only the file archive itself, not the compressed files within the archive.
3. Turn on heuristic scanning.
– Enable macro heuristics scanning. Choose this option to have the Download Scan module identify all Microsoft Word, Microsoft Excel, and other Microsoft Office files that contain embedded macros, then compare the macro code to its virus definitions database. The module will identify exact matches with the virus name; code signatures that resemble existing viruses cause the module to tell you it has found a potential macro virus.
– Enable program file heuristics scanning.
Choosing Action options
When the Download Scan module detects a virus, it can respond either by asking you what it should do with the infected file, or by automatically taking an action that you determine ahead of time. Use the Action property page to specify which response options you want the module to give you when it finds a virus, or which actions you want it to take on its own. Follow these steps:
1.
Select the options you want to see in the alert message. Each of the checkboxes you select here causes an option button to appear in an alert message that the module displays when it finds a virus. Selecting Delete file here, for example, causes a Delete button to appear in the alert message. You can choose from these options:
– Delete file. This option tells the module to delete the infected attachment immediately. The module will, however, preserve the e-mail message it came in.
NOTE: Clicking Cancel will not undo any changes you already saved by clicking Apply.
Choosing Alert options
Once you configure it with the response options you want in the Action page, you can let the Download Scan module look for and remove viruses from your system automatically, as it finds them, with almost no further intervention.
You can pass alert messages directly to an Alert Manager server, or you can send alert messages as text (.ALR) files to a Centralized Alerting directory that the Alert Manager server checks periodically.
NOTE: Clearing this checkbox tells the Download Scan module not to send an alert message via Alert Manager, but does not affect other alert messages that you configure in this property page.
3.
The WEBINET.TXT file can serve as an important management tool for you to track virus activity on your system and to note which settings you used to detect and respond to the infections the Download Scan module found. You can also use the incident reports recorded in the file to determine which files you need to replace from backup copies, examine in quarantine, or delete from your computer.
Enter a value between 10KB and 999KB. By default, the Download Scan module limits the file size to 100KB. If the data in the log exceeds the file size you set, the module erases the existing log and begins again from the point at which it left off.
4. Select the checkboxes that correspond to the information you want the module to record in its log file. The module usually will record the data when the scan session ends or when you shut your system down.
NOTE: Clicking Cancel will not undo any changes you already saved by clicking Apply.
Configuring the Internet Filter module
Although both Java and ActiveX objects include safeguards designed to prevent harm to your computer system, determined programmers have developed objects that exploit arcane Java or ActiveX features to cause various sorts of harm to your system.
Figure 4-31. Internet Filter Properties - Detection page
To change configuration options, follow these steps:
1. Verify that the Enable Java & ActiveX filter checkbox is selected. This activates the options in the rest of the property page.
2. Specify which objects you want the Internet Filter module to examine. Your options are:
• ActiveX Controls. Select this checkbox to have the module look for and block harmful ActiveX or .OCX controls.
• Java classes.
• IP Addresses to block. Select this checkbox to tell the module to identify dangerous Internet sites by using their Internet Protocol (IP) addresses. To see or designate which addresses you want the module to ban, click Configure to open the Banned IP Addresses dialog box (Figure 4-32).
Figure 4-32.
Figure 4-33. Add IP address dialog box
Next, follow these substeps:
a. Type the Internet Protocol (IP) address you want to add to the Banned IP Addresses list in the text box on the left. Be sure to format the address with periods between each number group.
b. Type the subnet mask associated with the IP address you want to add to the Banned IP Addresses list in the text box on the right, if you know the correct subnet mask value for the site you want to avoid.
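How an address and subnet mask pair determines what a ban-list entry covers, as an added example (not part of this guide or of the product's code). It assumes the usual subnet-mask convention, in which an address is covered when it equals the listed address on every bit the mask sets; the guide does not state how the Internet Filter module applies the mask, and the function names, the review threshold and the documentation-range addresses are constructed for illustration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def parse_entry(address, mask):
    """Turn one dotted-quad address/mask pair into (network_int, mask_int).

    Raises ValueError for a malformed address or for a mask whose 1-bits
    are not one contiguous run from the left (for example 255.0.255.0).
    """
    addr = int(ipaddress.IPv4Address(address))
    mask_int = int(ipaddress.IPv4Address(mask))
    host_bits = mask_int ^ ALL_ONES
    # A valid host part looks like 0b000...0111...1, so adding 1 clears it.
    if host_bits & (host_bits + 1):
        raise ValueError("non-contiguous subnet mask: %s" % mask)
    return addr & mask_int, mask_int


def covered_range(entry):
    """Return (first_address, last_address, count) that one entry covers."""
    network, mask_int = entry
    host_bits = mask_int ^ ALL_ONES
    first = ipaddress.IPv4Address(network)
    last = ipaddress.IPv4Address(network | host_bits)
    return str(first), str(last), host_bits + 1


def is_banned(candidate, entries):
    """True when candidate matches any entry on all bits its mask sets."""
    value = int(ipaddress.IPv4Address(candidate))
    return any((value & mask_int) == network for network, mask_int in entries)


def review_list(pairs, max_addresses=256):
    """Parse a ban list and flag entries that are invalid or overly broad.

    max_addresses is an assumed review threshold, not a product setting.
    Returns (entries, findings); findings are human-readable strings.
    """
    entries, findings = [], []
    for address, mask in pairs:
        try:
            entry = parse_entry(address, mask)
        except ValueError as exc:
            findings.append("%s %s: rejected (%s)" % (address, mask, exc))
            continue
        first, last, count = covered_range(entry)
        if count > max_addresses:
            findings.append("%s %s: covers %d addresses (%s-%s)"
                            % (address, mask, count, first, last))
        entries.append(entry)
    return entries, findings


# Constructed sample list using RFC 5737 documentation addresses.
SAMPLE_PAIRS = [
    ("192.0.2.10", "255.255.255.255"),   # one host only
    ("198.51.100.77", "255.255.255.0"),  # the whole 198.51.100.x range
    ("203.0.113.5", "255.255.0.0"),      # far broader than one site
    ("203.0.113.9", "255.0.255.0"),      # malformed mask
]

if __name__ == "__main__":
    entries, findings = review_list(SAMPLE_PAIRS)
    for line in findings:
        print(line)
    for host in ("192.0.2.10", "192.0.2.11", "198.51.100.1", "203.0.200.1"):
        print(host, "banned" if is_banned(host, entries) else "allowed")
```

A mask that is too wide blocks unrelated addresses that share the leading octets, while a mask that is too narrow leaves the rest of the site's range reachable.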
The Banned URLs dialog box identifies which Uniform Resource Locators you want the Internet Filter module to block whenever you or someone else tries to connect to them. By default, the list includes two domain names that download hostile Java or ActiveX objects to your machine as soon as you connect. You can add other domain names, then password-protect your settings to ensure that users do not delete them.
4. Click the Action tab to choose additional Internet Filter module options. To save your changes without closing the Internet Filter Properties dialog box, click Apply. To save your changes and close the dialog box, click OK. To close the dialog box without saving your changes, click Cancel.
NOTE: Clicking Cancel will not undo any changes you already saved by clicking Apply.
• Deny access to objects. Choose this response to have the module block harmful objects or sites automatically. The program will do so based on the contents of its own database, plus whatever site information you added.
Click the Alert tab to choose additional Internet Filter module options. To save your changes without closing the Internet Filter Properties dialog box, click Apply. To save your changes and close the dialog box, click OK.
2. Select the Notify Alert Manager checkbox to have the module send alert messages to Alert Manager for distribution. Alert Manager is a separate McAfee VirusScan software component that collects alert messages and uses a variety of methods to send them to recipients that you specify. To have the Internet Filter module send these alert messages successfully, you must also set up the Alert Manager Client Configuration utility.
Choosing Report options
The Internet Filter module records how many Java and ActiveX objects it scanned, and how many it blocked from access to your computer in a log file called WEBFLTR.TXT. The same file records the number of Internet sites you visited while the module was active, and how many dangerous sites the program kept your browser from visiting. You can have the module write its log to its default file, or you can use any text editor to create a text file for it to use.
2. Select the Log to file checkbox. By default, the module writes log information to the file WEBFILTR.TXT in the VirusScan program directory. You can enter a different name and path in the text box provided, or click Browse to locate a suitable file elsewhere on your hard disk or on your network.
3. To minimize the log file size, select the Limit size of log file to checkbox, then enter a value for the file size, in kilobytes, in the text box provided.
Use the Security module to assign a password and to choose which pages to protect.
Enabling password protection
The VShield Security module does not come enabled by default, because it needs to know which password you want to assign to your settings. To activate and configure Security module password protection, follow these steps:
1. Select the Enable password protection checkbox. The options in the rest of the property page activate (Figure 4-39).
Figure 4-39.
3. Enter a password to use to lock your settings. Type any combination of up to 20 characters in the upper text box in the Password area, then enter the exact same combination in the text box below to confirm your choice.
IMPORTANT: The password protection in the VShield scanner is different from the password protection you can assign to tasks in the VirusScan Console or to settings in the VirusScan application.
Protecting individual property pages
If you chose Password-protect selected property pages only in the Security module’s Password page, you can choose which configuration options you want to lock for individual modules. Follow these steps:
1. Click the tab for the module whose settings you want to protect. If you don’t see the tab you want, click or to bring it into view. A representative page appears in Figure 4-41.
Figure 4-41.
Using the VShield shortcut menu
The VShield scanner groups several of its common commands in a shortcut menu associated with its system tray icon. Double-click this icon to display the VShield Status dialog box. Right-click the icon to display these commands:
• Status. Choose this to open the VShield Status dialog box.
• Properties. Point to this, then choose one of the modules listed to open the VShield Properties dialog box to the property page for that module.
• Quick Enable.
Preventing the scanner from starting automatically
If you do not want the VShield scanner to start automatically, you can use the VirusScan control panel to prevent it from doing so. Follow these steps:
1. Click Start in the Windows taskbar, point to Settings, then choose Control Panel.
2. Locate and double-click the VirusScan control panel to open it.
3. Click the Components tab.
4. Clear the Load VShield on startup checkbox at the top of the Components property page.
5.
Method 2: Use the VirusScan Console Follow these steps: 1. Double-click the VirusScan Console icon in the Windows system tray to bring the Console window to the foreground (Figure 4-42). Figure 4-42. VirusScan Console window 2. Select VShield in the task list, then choose Disable from the Task menu. The Console will stop the VShield scanner and all of its modules, and unload them from memory. The VShield icon will disappear from the Windows taskbar. 3.
Method 3: Use the VirusScan control panel Follow these steps: 1. Click Start in the Windows taskbar, point to Settings, then choose Control Panel. 2. Locate and double-click the VirusScan control panel to open it (Figure 4-43). Figure 4-43. VirusScan control panel - Service page 3. Click Stop in the Service page. All active VirusScan components will stop, close all open windows or dialog boxes, remove their icons from the Windows system tray, and unload from memory. 4.
Method 1: Use the VShield shortcut menu Follow these steps: 1. Right-click the VShield icon in the Windows system tray to display its shortcut menu. 2. Point to Quick Enable. 3. Choose one of the module names shown with a check mark beside it to deactivate it. Module names that have a check mark beside them are active. Those without a check mark are inactive. This method disables a module only for the length of a scan session, or until you enable it again.
Method 3: Use the VShield Properties dialog box Follow these steps: 1. Right-click the VShield icon in the Windows system tray to display the VShield shortcut menu. 2. Point to Properties, then choose a module name to open the VShield Properties dialog box (Figure 4-45). Figure 4-45. VShield Properties dialog box 3. For each module that you want to disable, click the corresponding icon along the left side of the dialog box, then click the Detection tab. 4.
Tracking VShield software status information Once you activate and configure the VShield scanner, it operates continuously in the background, watching for and then scanning e-mail you receive, files you run or download, or Java and ActiveX objects you encounter. To see a real-time summary of its progress: 1. Double-click the VShield system tray icon to open the Status dialog box. 2. Click the tab that corresponds to the program module whose progress you want to check.
Using the VShield Scanner Viewing VShield task status information You can also see statistical information in the Task Properties dialog box for each VShield module. To view this information, follow these steps: 1. Double-click the VirusScan Console icon in the Windows system tray to bring the Console window to the foreground. 2. Double-click the VShield task in the task list to display the Task Properties dialog box shown in Figure 4-46. Figure 4-46. VShield Task Properties dialog box 3.
Chapter 5. Using the VirusScan application

What is the VirusScan application? McAfee VirusScan desktop anti-virus products use two general methods to protect your system. The first method, background scanning, operates continuously, watching for viruses as you use your computer for everyday tasks. In the VirusScan product, the VShield scanner performs this function. The second method puts you in charge.
Using the VirusScan application Why use the VirusScan application? Maintaining a secure computing environment means scanning for viruses regularly. Depending on the degree to which you swap floppy disks with other users, share files over your local area network, or interact with other computers via the Internet, scanning “regularly” could mean scanning as little as once a month, or as often as several times a day.
Using the VirusScan application If you connect to the Internet frequently or download files often, you might want to schedule regular scan operations that sweep your system at set intervals, so that you don’t have to remember to start the VirusScan application. The VirusScan Console provides a very flexible set of options for this purpose. Starting the VirusScan application You can start the VirusScan application in its own window, or as part of a scheduled scan task.
Figure 5-1. McAfee VirusScan main screen From here, you can: • Start scanning immediately. Click Scan to have the application scan your system with the last configuration options you set, or with default options. The following screen (Figure 3-2) allows you to select which area of your computer you want to scan. After selecting, click Scan Now. Follow through the succeeding screens to complete the task.
Figure 5-2. Scan Now window • View the VirusScan application activity log. Through this window you are able to view a log of VirusScan activities performed on your computer. You can also select to clear or print any of these activity logs (see Figure 5-3). Figure 5-3.
Using the VirusScan application • Open the online help file. Choose Help Topics from the Help menu to see a list of VirusScan help topics. To see a context-sensitive description of buttons, lists and other items in the VirusScan window, choose What’s this? from the Help menu, then click an item with your left mouse button after your mouse cursor changes to . You can see these same help topics if you right-click an element in the VirusScan window, then choose What’s This? from the menu that appears. 2.
Using the VirusScan application Method 2: Starting a scan task from the VirusScan Console Follow these steps: 1. Double-click the VirusScan Console icon in the Windows system tray to bring the Console window to the foreground. If the icon does not appear in the system tray, click Start in the Windows taskbar, point to Programs, then to McAfee VirusScan. Next, choose VirusScan Console. The Console comes with two preset tasks that use the VirusScan application to run—Scan My Computer and Scan Drive ‘C’.
Using the VirusScan application Configuring the VirusScan Classic interface IMPORTANT: The VirusScan Classic must be run from Windows Explorer or in the Run menu.
Using the VirusScan application To modify these options, follow these steps: 1. Choose a volume or folder on your system or on your network that you want VirusScan software to examine for viruses. Type a path to the target volume or folder in the text box provided, or click Browse to open the Browse for Folder dialog box (Figure 5-4). Figure 5-6. Browse for Folder dialog box Click to expand the listing for an item shown in the dialog box. Click to collapse an item.
Using the VirusScan application 3. Specify the types of files you want VirusScan software to examine. You can: • Scan compressed files. Select the Compressed files checkbox to have VirusScan software look for viruses in compressed files and file archives. Although it does give you better protection, scanning compressed files can lengthen a scan operation. • Scan all files. Select the All Files checkbox to have the application scan all of the files on the target you specified, whatever their extensions.
Using the VirusScan application Figure 5-7. VirusScan Classic window - Action page 2. Choose a response from the When a virus is found list. The area immediately beneath the list will change to show you additional options for each response. Your choices are: • Prompt User for Action.
Using the VirusScan application 3. Click the Report tab to choose additional VirusScan options. To start a scan operation immediately with just the options you’ve chosen, click Scan Now. To save your changes as default scan options, choose Save As Default from the File menu or click New Scan. To save your settings in a new file, choose Save Settings from the File menu, name your file in the dialog box that appears, then click Save.
Using the VirusScan application NOTE: To have the VirusScan application display your message, you must have selected Prompt user for action as your response in the Action page. • Beep. Select the Sound alert checkbox. 3. Select the Log to file checkbox. By default, VirusScan software writes log information to the file VSCLOG.TXT in the VirusScan program directory. To specify a log file other than VSCLOG.
Using the VirusScan application For the VirusScan application to protect your system, you must tell it: • what you want it to scan • what you want it to do if it finds a virus • how it should let you know when it finds a virus • whether you want it to keep track of its actions • which items you don't want it to scan for viruses A series of property pages in the VirusScan window controls the options for each task—click each tab to set up the application for your task.
Using the VirusScan application To modify these options and add others, follow these steps: 1. Choose which parts of your system or your network that you want VirusScan software to examine for viruses. You can: • Add scan targets. Click Add to open the Add Scan Item dialog box (Figure 5-8). Figure 5-10. Add Scan Item dialog box To scan your entire computer or a subset of the drives on your system or your network, click the Select item to scan button, then: a. Choose a scan target from the list provided.
Using the VirusScan application To scan a particular disk or folder on your system, click the Select drive or folder to scan button, then: a. Type in the text box provided the drive letter or the path to the folder you want scanned, or click Browse to locate the scan target on your computer. NOTE: You may not use Universal Naming Convention (UNC) notation to specify a network disk as a scan target for scheduled tasks. Doing so will result in an “Invalid Path” error.
Using the VirusScan application 2. Specify the types of files you want the VirusScan application to examine. You can: • Scan compressed files. Select the Compressed files checkbox to have the VirusScan application look for viruses in compressed files and file archives. Although it does give you better protection, scanning compressed files can lengthen a scan operation. • Scan all files.
Using the VirusScan application Heuristic scanning technology enables the VirusScan application to recognize new viruses based on their resemblance to similar viruses that the module already knows. To do this, the application looks for certain “virus-like” characteristics in the files you’ve asked it to scan. The presence of a sufficient number of these characteristics in a file leads the application to identify the file as potentially infected with a new or previously unidentified virus.
Using the VirusScan application c. Click OK to save your settings and return to the VShield Properties dialog box. 4. Click the Action tab to choose additional VirusScan application options. To start a scan operation immediately with just the options you’ve chosen, click Scan Now. To save your changes as default scan options, choose Save As Default from the File menu or click New Scan.
Using the VirusScan application You can choose from these options: – Clean infection. This option tells the application to try to remove the virus code from the infected file. If you have its reporting function enabled, it will record a log event each time it successfully cleans, or fails to clean, an infected file. – Delete file. This option tells the application to delete the infected file immediately. – Exclude item. This option tells the application to skip the file during later scan operations.
Using the VirusScan application 3. Click the Alert tab to choose additional VirusScan configuration options. To start a scan operation immediately with just the options you’ve chosen, click Scan Now. To save your changes as default scan options, choose Save As Default from the File menu or click New Scan. To save your settings in a new file, choose Save Settings from the File menu, name your file in the dialog box that appears, then click Save.
Using the VirusScan application NOTE: Clearing this checkbox tells the VirusScan application not to send an alert message via Alert Manager, but does not affect other alert messages that you configure in this property page. 3. Select the Sound audible alert checkbox to have the application beep when it finds an infected file. You can change the setting for this option only if you select Prompt for user action in the Action property page.
Using the VirusScan application The VSCLOG.TXT file can serve as an important management tool for you to track virus activity on your system and to note which settings you used to detect and respond to the infections the VirusScan application found. You can also use the incident reports recorded in the file to determine which files you need to replace from backup copies, examine in quarantine, or delete from your computer.
Using the VirusScan application 4. Select the checkboxes that correspond to the information you want the application to record in its log file. Each checkbox you select here causes the application to record this information, usually when the scan operation ends, or when you shut your system down: • Virus detection. Select this checkbox to have the log file record how many viruses the application finds during each scan operation. Clear the checkbox to leave this information out of the log file.
Using the VirusScan application • User name. Select this checkbox to have the log file record the name of the user logged into the workstation as the software starts each scan operation. Clear this checkbox to leave this information out of the log file. 5. Click the Exclusion tab to choose additional VirusScan configuration options. To start a scan operation immediately with just the options you’ve chosen, click Scan Now.
Using the VirusScan application To exclude files or folders from scan operations, follow these steps: 1. Click the Exclusion tab in the VirusScan Advanced window to display the correct property page (Figure 5-14). Figure 5-16. VirusScan Advanced window - Exclusion page 2. Specify the items you want to exclude. You can • Add files, folders or volumes to the exclusion list. Click Add to open the Add Exclude Item dialog box (Figure 5-15). Figure 5-17.
Using the VirusScan application b. Select the Include subfolders checkbox to tell the application to ignore files stored in any subfolders within the folder you specified in Step a. NOTE: Choosing Include subfolders causes the application to ignore only those files stored in the subfolders themselves. The application will still scan files stored at the root level of the folder you designate. To exclude the files at the folder root level, clear the Include subfolders checkbox. c.
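Every exclusion is a place the scanner never looks, and the Include subfolders rule in the note above is easy to misread. The following Python sketch is an added example, not code from the guide or from VirusScan: it models the rule as the note states it and reports which files in a constructed listing would still be scanned. The `Exclusion` class, the function names and the sample paths are hypothetical, and the treatment of nested files when the checkbox is cleared (still scanned) is an assumption.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Exclusion:
    """One exclusion-list entry. Hypothetical model, not a VirusScan file format."""
    path: str
    include_subfolders: bool = False   # state of the Include subfolders checkbox
    is_folder: bool = True             # False when the entry names a single file


def is_excluded(file_path, exclusions):
    """Return True if file_path would be skipped under the rule in the guide's note."""
    target = PureWindowsPath(file_path)   # Windows paths compare case-insensitively
    for entry in exclusions:
        listed = PureWindowsPath(entry.path)
        if not entry.is_folder:
            if target == listed:
                return True
            continue
        if target.parent == listed:
            # File at the root level of the listed folder: the note says it is
            # still scanned when Include subfolders is selected, and excluded
            # when the checkbox is cleared.
            if not entry.include_subfolders:
                return True
        elif listed in target.parents:
            # File in a nested subfolder: excluded when the checkbox is selected.
            # Treating it as scanned when the checkbox is cleared is an assumption.
            if entry.include_subfolders:
                return True
    return False


def coverage_report(files, exclusions):
    """Split files into scanned and skipped, and flag root-level files that
    stay in scope even though their folder is listed with Include subfolders."""
    report = {"scanned": [], "skipped": [], "root_still_scanned": []}
    for f in files:
        if is_excluded(f, exclusions):
            report["skipped"].append(f)
            continue
        report["scanned"].append(f)
        parent = PureWindowsPath(f).parent
        if any(e.is_folder and e.include_subfolders
               and PureWindowsPath(e.path) == parent for e in exclusions):
            report["root_still_scanned"].append(f)
    return report


# Constructed sample data for illustration only.
SAMPLE_EXCLUSIONS = [
    Exclusion(r"C:\Build", include_subfolders=True),
    Exclusion(r"C:\Temp", include_subfolders=False),
    Exclusion(r"C:\Tools\big.iso", is_folder=False),
]
SAMPLE_FILES = [
    r"C:\Build\out.exe",        # root level of an Include subfolders entry
    r"C:\Build\obj\a.dll",      # nested under an Include subfolders entry
    r"C:\Temp\x.tmp",           # root level, checkbox cleared
    r"C:\Temp\cache\y.tmp",     # nested, checkbox cleared
    r"c:\tools\BIG.ISO",        # single-file entry, different case
    r"C:\Buildings\z.exe",      # shares a name prefix only, not a subfolder
]

if __name__ == "__main__":
    for key, paths in coverage_report(SAMPLE_FILES, SAMPLE_EXCLUSIONS).items():
        print(key)
        for p in paths:
            print("   ", p)
```

Running the same report over a real directory listing before saving an exclusion list shows exactly which files drop out of scan coverage.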
Using the VirusScan application Enabling password protection VirusScan software lets you set a password to protect the settings you choose in each property page from unauthorized changes. This feature is particularly useful for system administrators who need to keep users from tampering with their security measures by changing VirusScan settings. Use the Security property page to lock your settings. To enable password protection for VirusScan Advanced, follow these steps: 1.
Chapter 6. Creating and Configuring Scheduled Tasks

What does VirusScan Console do? The VirusScan Console exists primarily to run scan operations and other tasks on the dates and at the times you choose, or at intervals you set. You can use the Console to run a scan operation in your absence, when it causes the least disruption to your work, as part of a series of automated tasks, or in other ways that suit your needs.
• Alternate between scan operations. Scheduled scanning operations give you the flexibility to choose different operations for different purposes or different times. If, for example, you want to use VShield software to scan your own system continuously and scan mapped network drives less frequently, you can schedule a task for this purpose. The Console comes with a default set of tasks already configured, but not yet scheduled.
Creating and Configuring Scheduled Tasks 4. Select the Load on startup checkbox in the VirusScan Console area in the Components page. 5. Click OK to close the control panel. When you next restart your computer, the Console will also start, but it will remain minimized as an icon in the Windows system tray. To bring the Console window to the foreground, double-click the icon (Figure 6-2). Figure 6-2. VirusScan Console window If the icon does not appear in the system tray: 1.
Creating and Configuring Scheduled Tasks To add text captions to the buttons, click View, point to Toolbar, then choose Text Labels. You can have both options active at the same time—a check mark beside the menu item indicates which view is active. You’ll find most of the same toolbar commands in the menus at the top of the Console window, and in shortcut menus that appear when you click a listed task with your right mouse button.
Creating and Configuring Scheduled Tasks • Start a task. Select one of the tasks listed in the Console window, then choose Start from the Task menu, or click in the Console toolbar. The task you selected will start immediately and will run with the options you’ve chosen. To enable the VShield scanner, select the VShield task, then choose Enable from the Task menu. To start the scanner and load it into memory, select the VShield task, then click in the Console toolbar. • Stop a task.
• Start VirusScan Console automatically. Choose Load at Startup from the View menu to have the VirusScan Console start whenever you start your computer. The Console has this option enabled by default. Because it must be running in order to execute any tasks you have scheduled, you should choose to have the Console start automatically so that your scheduled tasks will begin at their appointed times. You can also control this option from the VirusScan control panel.
Creating and Configuring Scheduled Tasks • AutoUpdate. This task allows you to schedule automatic virus definition (.DAT) file updates. To get it to do so, you must configure the task to connect to a server or File Transfer Protocol (FTP) site that you designate. The task comes configured to connect to a McAfee server, but you may also set it to download files internally. You must also schedule and activate the task to get it to update your files.
Creating and Configuring Scheduled Tasks Working with the VShield task The VShield task appears in the Console window primarily so that you can manage its operation. You can enable and disable it directly from the Console window, or double-click the task to open the Task Properties dialog box (Figure 6-3). Figure 6-3. VShield scanner Task Properties dialog box In this dialog box, you can: • Enable or disable the task. Click the Disable button at the bottom of the Task Properties dialog box.
Creating and Configuring Scheduled Tasks Working with the AutoUpgrade and AutoUpdate tasks The AutoUpgrade task allows you to download and install new program files for your VirusScan software according to a schedule you set. The AutoUpdate task allows you to download and install new virus definition (.DAT) files. You may not rename, delete, or create other copies of these tasks, but you can configure them, protect them with a password, or run them immediately from the Task Properties dialog box.
Creating and Configuring Scheduled Tasks You may enter a maximum of 20 characters of any type. Be sure to choose a password you will remember. c. Re-enter your password exactly as you typed it in the previous text box. d. Click OK to close the Specify Password dialog box. The Console will ask for the password you entered whenever anybody tries to open the Task Properties dialog box for this task. 3. Next, you can: • Run this task with its existing configuration options.
Creating and Configuring Scheduled Tasks To create a new task, follow these steps: 1. Choose New Task from the Task menu in the Console window, or click in the Console toolbar. The Task Properties dialog box will appear (Figure 6-5). Figure 6-5. Task Properties dialog box - Program page 2. Type a name for the task in the Description text box. Be sure that your name describes the task so that you can distinguish it from others in the Console window and so that you can tell at a glance what it does. 3.
Creating and Configuring Scheduled Tasks Doing so locks all of the property pages for this task at once in the Security page in the VirusScan Properties dialog box. Clearing this checkbox allows you to choose different security settings for each page in the Security property page. e. Click OK to close the Specify Password dialog box. The Console will ask for the password you entered whenever anybody tries to open the Task Properties dialog box for this task. 4.
Creating and Configuring Scheduled Tasks If you run the task in normal scan mode, it will also allow you to dispose of any viruses it detects, if you have not already set the application to dispose of them automatically. • Never Exit. Click this button to specify that you want the VirusScan application to always remain open after it completes this scan task.
• Click Cancel to close the dialog box without creating a task. Enabling tasks Enabling a task means choosing a schedule for it and activating that schedule so that the task runs when you need it. You can schedule any of the tasks shown in the VirusScan Console window, except the VShield task, which runs continuously from the time you start your computer or as soon as you start the task yourself.
Creating and Configuring Scheduled Tasks Figure 6-6. Task Properties dialog box - Schedule page 3. Select the Enable checkbox. The options in the Run and the Start At areas become active. 4. Choose how often you want the task to run in the Run area. Depending on which interval you select, the Start At area gives you a different set of choices for your task schedule. The choices are: • Once. This runs your task exactly once on the date and at the time you specify.
Creating and Configuring Scheduled Tasks • Monthly. This runs your task once each month on the day and at the time you specify. Enter the time in the leftmost text box, then enter the day of the month on which you want the task to run. NOTE: Enter all scheduled times, except for the hourly time interval, using a 24-hour clock. If you want the task to run at 9:30 p.m., for example, enter 21:30. 5.
Creating and Configuring Scheduled Tasks To see task results, follow these steps: 1. If you do not already have the Task Properties dialog box open, double-click one of the listed tasks in the Console window, or select a task, then click in the Console toolbar. 2. The Task Properties dialog box will appear (see Figure 6-5 on page 197). Click the Status tab to display the correct property page (Figure 6-7). Figure 6-7.
Creating and Configuring Scheduled Tasks Configuring VirusScan application options To configure a VirusScan scan task that will run at a time you designate, you must tell the application: • when you want it to run • what you want it to scan • what you want it to do if it finds a virus • how it should let you know when it finds a virus • whether you want it to keep track of its actions • which items you don't want it to scan for viruses • whether you want to protect the settings you chose from unauthorized
Creating and Configuring Scheduled Tasks Choosing Detection options If you chose to configure a task you just created, the VirusScan application initially assumes that you want to scan your C: drive and your computer’s memory, to look for boot sector viruses, and to restrict the files it scans only to those susceptible to virus infection. If you chose to configure one of the default tasks, your initial options will vary. To modify the initial task options, follow these steps: 1.
Creating and Configuring Scheduled Tasks To scan a particular disk or folder on your system, click the Select drive or folder to scan button, then: a. Type in the text box provided the drive letter or the path to the folder you want scanned, or click Browse to locate the scan target on your computer. NOTE: You may not use Universal Naming Convention (UNC) notation to specify a network disk as a scan target for scheduled tasks. Doing so will result in an “Invalid Path” error.
Creating and Configuring Scheduled Tasks 2. Specify the types of files you want the VirusScan application to examine. You can: • Scan compressed files. Select the Compressed files checkbox to have the VirusScan application look for viruses in compressed files and file archives. Although it does give you better protection, scanning compressed files can lengthen a scan operation. • Scan all files.
Creating and Configuring Scheduled Tasks Heuristic scanning technology enables the VirusScan application to recognize new viruses based on their resemblance to similar viruses that the module already knows. To do this, the application looks for certain “virus-like” characteristics in the files you’ve asked it to scan. The presence of a sufficient number of these characteristics in a file leads the application to identify the file as potentially infected with a new or previously unidentified virus.
Creating and Configuring Scheduled Tasks 4. Choose special scanning options. Boot-sector viruses load themselves into your computer’s memory and conceal themselves in the boot blocks or master boot record on your hard drive. To use this scan task to detect those types of viruses, select the Scan Memory and Scan boot sectors checkboxes. 5.
Creating and Configuring Scheduled Tasks Figure 6-12. VirusScan Properties dialog box - Action page 3. Choose a response from the When a virus is found list. The area immediately beneath the list will change to show you additional options for each response. Your choices are: • Prompt user for action.
Creating and Configuring Scheduled Tasks – Continue scan. This option tells the application to continue with its scan operation, but not take any other actions. If you have its reporting options enabled, the application records the incident in its log file. – Stop scan. This option tells the application to stop the scan operation immediately. To continue, you must click Scan Now to restart the operation. – Move file. This option tells the application to move the infected file to a quarantine folder.
Creating and Configuring Scheduled Tasks Choosing Alert options Once you configure it with the response options you want, you can let the VirusScan application look for and remove viruses from your system automatically, as it finds them, with almost no further intervention. To have the application tell you immediately when it finds a virus so that you can take appropriate action, however, configure it to send an alert message to you. Follow these steps: 1.
Creating and Configuring Scheduled Tasks You can pass alert messages directly to an Alert Manager server, or you can send alert messages as text (.ALR) files to a Centralized Alerting directory that the Alert Manager server checks periodically. NOTE: Clearing this checkbox tells the VirusScan application not to send an alert message via Alert Manager, but does not affect other alert messages that you configure in this property page. 4.
Creating and Configuring Scheduled Tasks The VSCLOG.TXT file can serve as an important management tool for you to track virus activity on your system and to note which settings you used to detect and respond to the infections the VirusScan application found. You can also use the incident reports recorded in the file to determine which files you need to replace from backup copies, examine in quarantine, or delete from your computer.
Creating and Configuring Scheduled Tasks 4. To minimize the log file size, select the Limit size of log file to checkbox, then enter a value for the file size, in kilobytes, in the text box provided. If you do not select this checkbox, the log file can grow to as large a size as your disk space permits. Enter a value between 10KB and 999KB. By default, the application limits the file size to 100KB.
Creating and Configuring Scheduled Tasks Clear the checkbox to leave this information out of the log file. • Date and time. Select this checkbox to have the log file record the date and time at which the software starts each scan operation. Clear this checkbox to leave this information out of the log file. • User name. Select this checkbox to have the log file record the name of the user logged into the workstation as the software starts each scan operation.
Creating and Configuring Scheduled Tasks Each entry in the exclusion list displays the path to the item, notes whether the application will also exclude any nested folders within the target, and explains whether the application will exclude the item when it scans files, when it scans your hard disk boot sector, or both. By default, you can exclude up to 100 unique scan targets.
Creating and Configuring Scheduled Tasks Figure 6-16. Add Exclude Item dialog box Next, follow these substeps to add items to the list: a. Enter a path to a folder or a file name in the text box provided, or click Browse to locate the item you want the application to exclude. NOTE: If you have chosen to move infected files to a quarantine folder automatically, the application excludes that folder from scan operations. b.
Creating and Configuring Scheduled Tasks e. Repeat Step a. through Step d. until you have listed all of the files and folders you do not want scanned. • Change the exclusion list. To change the settings for an exclusion item, select it in the Exclusions list, then click Edit to open the Edit Exclude Item dialog box. Make the changes you need, then click OK to close the dialog box. • Remove an item from the list. To delete an exclusion item, select it in the list, then click Remove.
Figure 6-17. VirusScan Properties dialog box - Security page 3. Select the settings you want to protect in the list shown. You may protect any or all VirusScan property pages. Protected property pages display a locked padlock icon in the security list shown in Figure 6-17. To remove protection from a property page, click the locked padlock icon to unlock it. 4. Click Password to open the Specify Password dialog box (Figure 6-18). Figure 6-18.
Creating and Configuring Scheduled Tasks 6. Click a different tab to change any of your VirusScan settings. To save your changes without closing the VirusScan Properties dialog box, click Apply. To save your changes and return to the Console window, click OK. To return to the Console window without saving your changes, click Cancel. NOTE: Clicking Cancel will not undo any changes you already saved by clicking Apply.
Chapter 7. Using Specialized Scanning Tools

Scanning Microsoft Exchange and Outlook mail VirusScan software provides you with two complementary methods to protect your Microsoft Exchange or Outlook e-mail system: • The VShield scanner includes an E-Mail Scan module that runs continuous background scan operations on e-mail as it arrives on your server. • The E-Mail Scan extension allows you to scan your mailbox on the Exchange server at your own initiative, and at times convenient for you.
Using Specialized Scanning Tools Good anti-virus security measures incorporate complete, regular scan operations on your mailbox because: • Good security is redundant security. The VShield E-Mail Scan module looks for virus code as your e-mail arrives on your server, or as executable attachments run after they’ve downloaded to your system.
By default, the E-Mail Scan extension examines all of the mail messages stored in your mailbox on the Exchange mail server, looking for messages and attachments susceptible to virus infection. If you have a large number of messages stored there that you have not yet downloaded, this scan operation can take a long time. To pause the operation, click . To resume the operation, click . To stop it altogether, click . Figure 7-1.
A series of property pages in the E-Mail Scan Properties dialog box controls the options for each scan operation you run. You can click each tab in turn to choose options for the extension to use to scan your e-mail. To display this dialog box, follow these steps:

1. Start your Microsoft Exchange or Outlook client and log in to your e-mail server.
Choosing Detection options

When you first open the E-Mail Scan Properties dialog box to configure a scan operation, the E-Mail Scan extension assumes that you want it to scan all of the messages in your Inbox, to scan all message file attachments, to scan compressed files, and to scan only those files susceptible to virus infection.
2. To restrict this scan operation so that it examines only unread messages, select the Scan unread messages only checkbox. Depending on which option you select in Step 1, this means that the extension will scan all unread messages in your mailbox or in accessible public folders, or all unread messages within the range you’ve selected.

3. Specify the file types you want the extension to examine. You can:

• Scan compressed files.
Heuristic scanning technology enables the E-Mail Scan extension to recognize new viruses based on their resemblance to similar viruses that the module already knows. To do this, the extension looks for certain “virus-like” characteristics in the files you’ve asked it to scan. The presence of a sufficient number of these characteristics in a file leads the extension to identify the file as potentially infected with a new or previously unidentified virus.
5. Click the Action tab to choose additional E-Mail Scan extension options. To save your changes without closing the E-Mail Scan Properties dialog box, click Apply. To save your changes and close the dialog box, click OK. To close the dialog box without saving your changes, click Cancel.

NOTE: Clicking Cancel will not undo any changes you already saved by clicking Apply.
Your choices are:

• Prompt for user action. Choose this response if you expect to be at your computer when the E-Mail Scan extension examines your mailbox—the program will display an alert message when it finds a virus and offer you a range of possible responses. Each of the checkboxes you select in the Action page causes an option button to appear in an alert message that the extension displays when it finds a virus.
• Clean infected files automatically. Choose this response to tell the extension to remove the virus code from the infected attachment as soon as it finds it. If the extension cannot remove the virus, it will note the incident in its log file.
• Delete infected files automatically. Choose this option to have the extension delete every infected e-mail attachment it finds immediately.
Follow these steps:

1. Click the Alert tab in the E-Mail Scan Properties dialog box to display the correct property page (Figure 7-5).

Figure 7-5. E-Mail Scan Properties dialog box - Alert page

2. Select the Notify Alert Manager checkbox to have the E-Mail Scan extension send alert messages to Alert Manager for distribution.
If you prefer not to send a reply, you can simply have the extension send an e-mail notification, perhaps to a system administrator, whenever it detects a virus. Sending reply messages can aid your ability to track virus sources and pinpoint where infectious agents enter your network; copies of these messages sent to system administrators can help them track how infections spread.
c. Enter a subject for the message that conveys its urgency, then add any comments you want to make in the body of the message, below a standard infection notice that the extension itself will supply. You may add up to 1024 characters of text.

d. Click OK to save the message. Whenever it detects a virus, the extension will send a copy of this message to each person who sends you e-mail with an infected attachment.
7. Click the Report tab to choose additional E-Mail Scan extension options. To save your changes without closing the E-Mail Scan Properties dialog box, click Apply. To save your changes and close the dialog box, click OK. To close the dialog box without saving your changes, click Cancel.

NOTE: Clicking Cancel will not undo any changes you already saved by clicking Apply.
2. Select the Log to file checkbox. By default, the E-Mail Scan extension writes log information to the file MAILSCAN.TXT in the VirusScan program directory. You can enter a different name in the text box provided, or click Browse to locate a suitable file elsewhere on your hard disk or on your network. You may use a different file, but the text file must already exist. The extension will not create a new file.
• Infected file deletion. Select this checkbox to have the log file record how many viruses the extension deletes during each scan operation. Clear this checkbox to leave this information out of the log file.
• Infected file move. Select this checkbox to have the log file record how many viruses the extension moves to a quarantine folder during each scan operation. Clear this checkbox to leave this information out of the log file.
• Session settings.
Scanning cc:Mail

VirusScan software includes native support for Microsoft Exchange and Outlook clients, and for Lotus cc:Mail v6.0, v7.0, and v8.0. The cc:Mail clients use a proprietary e-mail system that the E-Mail Scan extension does not support directly.
Provided that you have configured and enabled it, the utility will start whenever your computer’s screen saver starts, and it will stop whenever you move your mouse, press a key on your keyboard, or take any other action that interrupts your screen saver. To configure ScreenScan, follow these steps:

1. Click Start in the Windows taskbar, point to Settings, then choose Control Panel.

2.
Figure 7-8. The Add Scan Item dialog box

Next, choose the scan target from the list provided. Your choices are:

– All local drives. This tells the utility to scan all drives physically attached to your computer, including removable media drives.
– Drive or folder. This tells the utility to scan particular files or folders on your system.
5. Specify the types of files you want the ScreenScan utility to examine. You can:

• Scan compressed files. Select the Compressed files checkbox to have the utility look for viruses in compressed files or file archives. To see a list of the types of files and archives that the application scans, see “Current list of compressed files scanned” on page 272.
• Scan subfolders within the designated target.
Figure 7-10. Advanced Scan Settings dialog box

The presence of a sufficient number of these characteristics in a file leads the utility to identify the file as potentially infected with a new or previously unidentified virus. Because the utility looks simultaneously for file characteristics that rule out the possibility of virus infection, it will rarely give you a false indication of a virus infection.
– Enable macro and program file heuristics scanning. Choose this option to have the utility use both types of heuristics scanning. McAfee VirusScan Software recommends that you use this option for complete anti-virus protection.

NOTE: The utility will use heuristic scanning techniques only on the file types you designate in the Program File Extensions dialog box. If you choose to scan All files, it will use heuristic scanning for all file types.

7.
Slide the control toward Low to give other background tasks higher priority than the ScreenScan utility. This causes the ScreenScan utility to run more slowly.

• Tell the utility to log its actions. Select the Enable logging of ScreenScan activities to file checkbox to have the ScreenScan utility summarize the actions it took as it ran in the file SCREENSCAN ACTIVITY LOG.TXT.
Chapter 8. Using VirusScan Utilities

Understanding the VirusScan control panel

The VirusScan control panel serves as the graphical front end for the VirusScan management service, which initiates and controls all top-level component processes, including the VirusScan application, the Console, and the VShield scanner. The VirusScan management service also provides a common memory structure for all VirusScan components, which allows the components to share data between themselves, and to act on that data.
Figure 8-1. VirusScan control panel - Service page

Choosing VirusScan control panel options

The control panel consists of two tabbed property pages that set out its options. To choose your options, follow these steps:

1. Open the control panel, then click the Service tab.

2. To stop all active VirusScan components, click Stop. If all VirusScan components that normally load into memory—the Console and the VShield scanner, normally—are inactive, this button will read Start.
If your computer runs Windows NT Workstation v4.0 or Windows 2000 Professional, this service appears in the Services dialog box as AvSync Manager. If your computer runs Windows 95 or Windows 98, this service is not directly accessible.

NOTE: McAfee VirusScan Software strongly recommends that you set the VirusScan management service to load at startup.
By default, 100 items can appear in the list. You may not set the value here to fewer than five items.

7. Click or enter a figure in the Scan Items text box to specify how many targets the VirusScan application can examine at one time. This setting sets a maximum number of items that can appear as scan targets for any default scan task, or any task you configure, from within the VirusScan Console. By default, 100 items can appear in the list.
Using the Alert Manager Client Configuration utility

All McAfee VirusScan anti-virus software includes a wide range of methods to alert you when it has detected a virus or other malicious software.
VirusScan software as an Alert Manager client

VirusScan software works as a client program with respect to NetShield software and an Alert Manager server. It can send alert “events” whenever it detects a virus or malicious software to any Alert Manager server you specify. The Alert Manager server then relays those events—and any others it receives from other workstations—as alert messages, via the methods you or your system administrator defined for alert distribution.
This tells each VirusScan component to send an alert event to the Alert Manager client utility each time it detects a virus or malicious object. The client utility, in turn, passes the alert message to the Alert Manager server you designate. If you do not set your software to generate alert messages in the first place, the client utility will have nothing to pass to the Alert Manager server for distribution. To start and configure the Alert Manager utility, follow these steps:

1.
To choose the destination server, click Configure to open the Select Alert Manager Server dialog box (Figure 8-4).

Figure 8-4. Select Alert Manager Server dialog box

Next, enter the path to the directory that hosts the Alert Manager server you want to use, or click Browse to locate the server on your network.
To choose a destination directory, click Configure to open the Central Alerting Configuration dialog box (Figure 8-5).

Figure 8-5. Central Alerting Configuration dialog box

Next, enter the path to the Centralized Alerting directory you want to use, or click Browse to locate the directory on your network. When you’ve chosen a destination, click OK to close the dialog box.
Figure 8-6. DMI Configuration dialog box

To use this option, you must have a DMI client application, such as Hewlett-Packard OpenView, already installed on your local computer and DMI administrative software running somewhere on your network. VirusScan software comes packaged with a Management Information File (AMG.MIF) that identifies VirusScan alerting attributes to your DMI client application.
Chapter 9. About Safe & Sound

Figure 9-1. Safe & Sound window

The most important asset on your computer is the information, or data, you create and store there. Over time, this data grows in size and value. The storage devices where you keep this information are vulnerable to a wide range of environmental and human factors that can damage or destroy all or part of the data stored there. Valuable and vulnerable disk organizational structure information is also stored in various places on a hard drive.
Using Safe & Sound Protected Volume Files (The Ultimate Backup Protection)

Safe & Sound lets you create backup sets in protected volume files, which is the safest and preferred type of backup. A protected volume file is a sectioned-off area of the drive, sometimes called a logical drive.
Many things can cause the data on disks, tapes or drives to become garbled or lost: hardware malfunctions, worn out media, electrical storms, excessive heat, static electricity, magnets, loose cable or power cord connections, and so on. CD discs, though durable, can become scratched enough to damage their data. Human actions can also cause lost data, such as deleting the wrong folder or formatting the wrong drive.
Where Will You Store the Backup Set?

If the survival of your business depends upon your PC being up and running at all times (and if money is not an object), the ultimate way to protect the data on your PC would be to set up a redundant PC with identical sized drives. This backup PC’s only job would be to mirror the data on your primary PC. It would be waiting in the wings should your first PC fail for any reason.
In addition, you can create multiple backup sets of data for particular purposes. Each of these backup sets can be created when and where you specify. They can each include exactly the files or types of files that you choose. For example, you might create individual backup sets for each of your clients if you produce data for clients that is stored on your computer, such as advertising layouts, graphic images, books, or accounting data.
Chapter 10. About Quarantine

Using Quarantine

Figure 10-1. Quarantine window

Many VirusScan components allow you to move infected files to a quarantine folder. This moves infected files from areas where they can be accessed and enables you to clean or delete them at your convenience. To use Quarantine to work with infected files that were quarantined, follow these steps:

1. Start the VirusScan Console.

2. Click Quarantine. The Quarantine Explorer window appears.

3.
• Restore. Select this option to restore a file to its original folder. This option does not clean the file. Make sure the file is not infected before using this option.
• Delete. Select this option to delete the infected file. Make sure to note the file location so you have a record of the deleted files. You will need to restore deleted files from backup copies.
• Submit to McAfee. Select this option to submit new viruses to McAfee.
6. Click Next. A page appears on which you may type a message to the A.V.E.R.T team. If you want, include your personal contact information. This information is helpful, but optional.

7. Click Next. A submission list appears.

8. Click Add to select the file(s) to be submitted.
• Alternatively, you can drag and drop a file from My Computer or Windows Explorer to the list box.
• If you want to remove a file from the list, select it and click Delete.

9. Click Next.
Appendix A. Default Vulnerable and Compressed File Extensions

Adding file name extensions for scanning

Because viruses ordinarily cannot infect files that contain no executable code, VirusScan software initially looks for viruses only in files that are susceptible to infection. The software uses a list of file name extensions to keep track of vulnerable files. This list appears in the Program Extensions dialog box, and is something you can edit to suit your own needs.
• Select one of the extensions shown, then click Remove to delete it from the list.
• Click Default to restore the original extension entries. This removes any extensions you have added to the list.

4. When you have finished changing the list, click OK to save your changes and close the dialog box. Click Cancel to close the dialog box without saving your changes.
Table 10-1. Vulnerable file name extensions

| Extension | File Type | File Description |
|---|---|---|
| .COM | Program | Command/binary image files. These common files run as infectable executable programs. DOS and Windows system files frequently make use of this extension. |
| .CSC | Script/macro | Corel script files. Script files can include viruses or generate macro viruses. |
| .DL? | Program | Dynamic Link Library file; C++ dialog script files. |
| .MD? | Macro | Microsoft Access database, add-in, and related files. These files can contain infectable Visual Basic for Applications macros. |
| .MPP | Macro | Microsoft Project files. These files can contain infectable Visual Basic for Applications macros. |
| .MPT | Macro | Microsoft Project template files. |
| .SYS | Program | DOS or Windows system files and device drivers. These executable files frequently start along with or as part of program execution. |
| .TAR | Archive | UNIX tape archive files. |
| .VBS | Script | Visual Basic script files and VBScript files. VBScript is an implementation of the Microsoft Visual Basic programming language. |
Current list of compressed files scanned

The VirusScan application and the VShield scanner look for viruses in a range of compressed and archived file formats. Each component uses slightly different technologies for this purpose, however, and therefore treats each file type differently. For the purpose of this discussion, a “compressed” file means a single file.
Both VirusScan components include built-in support for a number of compressed and archived file formats. The table below lists each format and describes how each component scans it when you select the Compressed Files checkbox. You may not edit or add items to this list.

Table 10-1.
Table 10-1. How VirusScan software treats each file type

|  |  | VirusScan application support? | VShield scanner support? |
|---|---|---|---|
|  | ICE compressed file | Scans compressed file if listed in Program Extensions dialog box | Scans compressed file if listed in Program Extensions dialog box |
| .LZH | LHARC compressed file | Scans compressed file if listed in Program Extensions dialog box | Scans compressed file if listed in Program Extensions dialog box |
Appendix B. Product Support

Updates

You will receive one free year of updates on new virus signature files. Updating the virus signature files for McAfee VirusScan on a regular schedule is essential in ensuring that all new viruses are detected for a completely protected system. To update your signature files, simply click on the UPDATE button in the McAfee VirusScan home page. Make sure that your PC is connected to the Internet as VirusScan will automatically update the files for you.
Customer service

To order products or obtain product information, contact the McAfee Customer Care department at (972) 308-9960 or write to the following address:

Network Associates
3965 Freedom Circle
Santa Clara, CA 95054
U.S.A.

If you need further assistance or have specific questions about our products, send your questions via email to the appropriate address below:

• For general questions about ordering software: mcafeestore@beyond.
Telephone support numbers

30-Day Free Telephone Support: 972-308-9960
Per Minute Telephone Support: 1-900-225-5624
Per Incident Telephone Support ($35): 1-800-950-1165

Disclaimer: Time and telephone numbers are subject to change without prior notice.
Appendix C. Download Information (License ID #: VSF500R)

As a valued McAfee customer, we are committed to keeping your system FREE from virus infection. To protect against the newest virus threats, keep your VirusScan installation up to date! Per your McAfee Software License Agreement, you are eligible for one (1) FREE Upgrade within ninety (90) days of purchase. This document explains the different ways you can access your FREE VirusScan upgrade.
7. If previously registered, the thank you page is displayed. To begin downloading the product, click the download button.

8. If not previously registered, the McAfee Product Registration page is displayed. You will be asked to enter your Last Name, First Name, Postal Code, Country, State and a password that you make up. Press submit. Once submitted, a thank you page is displayed. An access URL will be emailed automatically to the email address that you have entered.
Appendix D. Using the SecureCast Service to Get New Data Files

Introducing the SecureCast service

The McAfee VirusScan SecureCast service provides a convenient method you can use to receive the latest virus definition (.DAT) file updates automatically, as they become available, without your having to download them.
Why should I update my data files?

Your software relies on information in its virus definition (.DAT) files to identify viruses. More than 200 new viruses appear each month, however, and older .DAT files might not recognize them. To meet this challenge, McAfee VirusScan Software releases new .DAT files each week. You are entitled to these free data file updates for use with your version of the software. If you do not use current .
Installing the BackWeb client and SecureCast service

Setting up SecureCast service and the BackWeb client is a two-phase process:

1. Download and install the BackWeb client
2. Register to receive SecureCast service InfoPaks

To get started with the SecureCast service, review the system requirements shown below, then follow the steps outlined in each section.
Figure D-1. BackWeb client welcome panel

3. Read the instructions and warnings on this panel, then click Next> to continue.

4. The BackWeb license agreement appears (Figure D-2).

Figure D-2. BackWeb Software License Agreement panel

5. Click Yes to continue.

6. The Choose Destination Location panel appears (Figure D-3 on page 285).
Figure D-3. Choose Destination Location panel

7. Enter a new location for Setup to install the client software, if you wish, or click Browse to locate a suitable folder. Click Next> to continue. Setup will begin to copy BackWeb program files to your computer. As it does so, it displays its progress. When it has finished, Setup displays the Connection Type panel (Figure D-4).

Figure D-4.
8. Specify the type of connection your computer has to the Internet. Your choices are:

• Direct. Choose this option if you connect to the Internet through a local-area network or a high-bandwidth connection such as a cable modem or digital subscriber line (DSL) connection. Continue with Step 9.
• Modem. Choose this option if you dial up to connect to an Internet service provider, or into your corporate network. Skip to Step 13.
10. If you chose HTTP via proxy as your connection method, the HTTP Proxy Setup panel appears (Figure D-6).

Figure D-6. HTTP Proxy Setup panel

11. Enter the name of your proxy server in the Proxy text box, then enter the port the server uses for communication in the Port text box. When you have finished, click Next> to continue. The Proxy Authentication panel appears (Figure D-7 on page 287).

Figure D-7. Proxy Authentication panel

12.
The Setup Complete panel appears (Figure D-8).

Figure D-8. Setup Complete panel

13. To start immediately, leave both checkboxes selected in this panel, then click Finish to complete your installation.

Phase 2: Register with the Enterprise SecureCast service

After you install the BackWeb client and start it, the SecureCast service immediately opens the client application and sends its first InfoPak: the SecureCast registration forms (Figure D-9).
The SecureCast service alerts you that an InfoPak has arrived with the Flash message shown at the bottom right corner of Figure D-9.

IMPORTANT: If you are a corporate user and have a high-speed Internet connection, the window may list Register Now as an already received InfoPak. Continue with Step 1.
4. Double-click the BW Register icon in the window that opens next. A registration information form appears (Figure D-12).

Figure D-12. SecureCast User Registration Information form

5. Enter your name, title and company contact information in the text boxes provided. Here you will also need to enter the grant number you received when you purchased your software, or that you received from McAfee Customer Service.
Figure D-13. SecureCast Parent Company Information form

6. If your company is the subsidiary of another company, enter contact information for your parent company in the text boxes provided. When you have finished, click Next>. The Proxy Communication Configuration dialog box appears (Figure D-14).

Figure D-14. SecureCast Proxy Communication Configuration

7.
Figure D-15. SecureCast Online Activity Status panel

9. Click Finish after a check mark appears in all the boxes. The setup process is complete. At that point, your web browser will connect to the McAfee SecureCast service electronic customer care page. If you are a corporate user, the window resembles the one shown in Figure D-16:

Figure D-16.
Troubleshooting the Enterprise SecureCast service

Registration problems

If you try to register during a busy time of day on the web, you may encounter a delay while the server tries to process your registration request. If you receive the error message “1105 Error” or “Database Error: Unable to connect to the data source,” this means that there is a database problem on the server. Try submitting the form again, or try to register later.
BackWeb client

• For a comprehensive guide to BackWeb, including additional troubleshooting advice, see the online BackWeb User’s Manual: http://www.backweb.
Appendix E. Understanding iDAT Technology

Understanding incremental .DAT files

To function at peak efficiency, VirusScan software needs regular updates for its virus definition (.DAT) files. Without them, the software might not detect new viruses or respond effectively to remove threats from your system. Prior versions of the AutoUpdate utility required you to download and install the entire virus definition package each week.
How does iDAT updating work?

The AutoUpdate utility downloads two types of files when it connects to the update site you specified:

• .UPD files. These update files contain only the virus definition changes between one weekly .DAT file release and the .DAT file release from the week immediately following. The names for these .UPD files consist of the version number of a .DAT file release—4053, for example—and the version number of the very next .
The entries in the Incremental Resolver table, meanwhile, translate the sequential numbers from the Multiple Patch Table into actual filenames that the AutoUpdate utility can download. The DELTA.INI file also has checksum and other information that the AutoUpdate utility can use to verify that files it downloaded have not changed or become corrupted.

NOTE: If an iDAT download fails for any reason, the AutoUpdate utility will download and install a full .DAT update.
40554056.UPD
dat-4056.zip
dat-4056.tar
DELTA.INI
README.TXT

Best practices

The following sections outline some suggestions for how to employ iDAT downloads in your updating strategy.
The AutoUpdate utility will download each file it needs, in sequence, to bring the .DAT files installed on its host computer up to date. From that point forward, your network computers will install iDAT files, which will reduce your update time and the demand on your network bandwidth.

Scheduling internal .DAT updates

The AutoUpdate utility has a built-in scheduling feature that lets you automate the entire update process.
Corrupted data

Q: What happens if one of the iDAT files is corrupted during download?

A: Before the AutoUpdate utility installs any iDAT file, it checks the file against a verification checksum recorded in the DELTA.INI file. If the checksums do not match, the utility does not install that iDAT file or any subsequent files it downloads in that session. Instead, the utility will display an error message, then will download a full .DAT file set to update your software.
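The verify-then-install and fall-back behaviour described in this appendix, sketched as an added example (it is not McAfee's code). The manifest dictionary stands in for DELTA.INI, whose real format this guide does not show; SHA-256 as the checksum, release numbers that increase by one, all function names and the sample file contents are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def upd_name(from_ver: int, to_ver: int) -> str:
    """Incremental file between two consecutive releases, e.g. 40554056.UPD."""
    return f"{from_ver:04d}{to_ver:04d}.UPD"


def plan_chain(installed: int, latest: int) -> list[str]:
    """Incremental files needed, in order, to move from installed to latest.
    Assumes release numbers increase by one per release."""
    return [upd_name(v, v + 1) for v in range(installed, latest)]


def digest(data: bytes) -> str:
    # SHA-256 is an assumption; the guide does not name the checksum algorithm.
    return hashlib.sha256(data).hexdigest()


def verified(name: str, data, manifest: dict) -> bool:
    """True only if the file arrived and matches the checksum recorded for it."""
    expected = manifest.get(name)
    if expected is None or data is None:
        return False  # unknown file or failed download counts as a failure
    return hmac.compare_digest(digest(data), expected)


@dataclass
class UpdateResult:
    version: int
    applied: list = field(default_factory=list)
    used_full_package: bool = False
    reason: str = ""


def run_update(installed: int, latest: int, manifest: dict, fetch) -> UpdateResult:
    """Apply increments in sequence; on the first bad file stop and use the full set."""
    result = UpdateResult(version=installed)
    for name in plan_chain(installed, latest):
        if not verified(name, fetch(name), manifest):
            # Neither this increment nor any later one is installed.
            result.reason = f"verification failed for {name}"
            break
        result.applied.append(name)
        result.version += 1
    else:
        return result  # every increment verified and applied

    full = f"dat-{latest}.zip"  # full package name pattern as listed in this appendix
    if verified(full, fetch(full), manifest):
        result.applied.append(full)
        result.version = latest
        result.used_full_package = True
    else:
        result.reason += f"; full package {full} also failed verification"
    return result


# Constructed sample files and manifest (not real definition data).
FILES = {
    "40534054.UPD": b"delta 4053->4054",
    "40544055.UPD": b"delta 4054->4055",
    "40554056.UPD": b"delta 4055->4056",
    "dat-4056.zip": b"full definition set 4056",
}
MANIFEST = {name: digest(data) for name, data in FILES.items()}


def make_fetch(files: dict, corrupt=()):
    """Return a download function; names in `corrupt` come back with a damaged byte."""
    def fetch(name):
        data = files.get(name)
        if data is not None and name in corrupt:
            return data[:-1] + b"\x00"  # simulate corruption in transit
        return data
    return fetch


if __name__ == "__main__":
    print(run_update(4053, 4056, MANIFEST, make_fetch(FILES)))
    print(run_update(4053, 4056, MANIFEST, make_fetch(FILES, corrupt={"40544055.UPD"})))
```

A checksum stored beside the files it describes catches transfer corruption; it resists deliberate tampering only if the manifest itself arrives over an authenticated channel or carries a signature.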
Index displayed in VShield Status dialog box, 155 security password, choosing, 148, 220 for scan task, 202 to 203 Security module configuring, 145 to 148 status checking for scan operations, 202 to 203 security options choosing for VirusScan in Console, 219 to 221 checking for VShield, 155 Status Bar Select, 190 in VirusScan Console, hiding and displaying, 190 server backup a local copy of files, 260 Status Bar in View menu, 190 session settings recorded in log file, 107, 124, 135 session summar
Index starting, 191 adding scan targets to, ?? to 206, ?? to 228, ?? to 242 automatically, 209 alert options, configuring, 212 to 213 need for Console to be running, 202 configuring options for in VirusScan Console, 204 to 221 copying settings from one to another, 190 defaults, included with VirusScan Console, 192 status, checking, 202 to 203 stopping, 191 task list default tasks in, 189 Task menu definition of, 189 Delete, 190 deleting, 190 Disable, 191 detection options Enable, 191 New Task,
Index 24-hour clock, using to enter schedule times, 202 when E-Mail Scan program component detects, 66 when VirusScan detects, 64 U when VShield detects, 59 to 64 uninfected computer, use of to create Emergency Disk, 54 .
Index viewing information about, 68 to 70 overview of features, 17 why worry?, vii to viii property pages VirusScan Action options choosing for in Console, 209 to 211 Alert options choosing in Console, 212 to 213 as component of Active Virus Defense suite, 18 BIOS anti-virus features, potential conflicts with, 58 components included with, 22 to 27 configuring for scan operations, 204 to 221 control panel choosing options for, 248 to 250 opening, 247 to 248 understanding, 247 default responses to virus
Index Internet Filter module, 136 to 145 scheduling and enabling tasks in, 190, 200 to 202 Security module, 145 to 148 starting, 188 System Scan module, 94 to 100 starting tasks from, 191 Wizard button in, 89 status bar in, hiding and displaying, 190 reasons to run, 82 stopping tasks from, 191 Security module title bar in, hiding and displaying, 190 configuring, 145 to 148 toolbar in, hiding and displaying, 189 stopping and unloading from memory, 149 to 154 window, elements of, 189 Visual Ba