McAfee VirusScan Administrator’s Guide Version 5.
COPYRIGHT Copyright © 2000 Network Associates, Inc. and its Affiliated Companies. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Network Associates, Inc.
Table of Contents
Preface
Anti-virus protection as information security
Information security as a business necessity
Active Virus Defense security perimeters
McAfee VirusScan’s anti-virus research
Using the SendVirus utility to submit a file sample
Capturing boot sector, file-infecting, and macro viruses
Chapter 4. Using VirusScan Software
Using the VShield scanner
Using the VirusScan application
Which data files does the SecureCast service deliver?
Installing the BackWeb client and SecureCast service
System requirements
Troubleshooting the Enterprise SecureCast service
Unsubscribing from the SecureCast service
Support resources
Preface
Anti-virus protection as information security
“The world changed [on March 26, 1999]—does anyone doubt that? The world is different. Melissa proved that ... and we are very fortunate ... the world could have gone very close to meltdown.
• W32/Ska, though technically a worm, replaced the infected computer’s WinSock file so that it could attach itself to outgoing Simple Mail Transfer Protocol (SMTP) messages and postings to USENET news groups. This strategy made it commonplace in many areas.
• Remote Explorer stole the security privileges of a Windows NT domain administrator and used them to install itself as a Windows NT Service.
A rash of Melissa variants and copycats appeared soon after. Some, such as W97M/Prilissa, included destructive payloads. Later the same year, a number of new viruses and worms either demonstrated novel or unexpected ways to get into networks and compromise information security, or actually perpetrated attacks. Examples included:
• W32/ExploreZip.worm and its variants, which used some of Melissa’s techniques to spread, initially through e-mail.
Information security as a business necessity
Coincidentally or not, these darkly inventive new virus attacks and speedy propagation methods appeared as more businesses made the transition to Internet-based information systems and electronic commerce operations. The convenience and efficiency that the Internet brought to business saved money and increased profits.
Active Virus Defense security perimeters
The McAfee VirusScan’s Active Virus Defense product suite exists for one simple reason: there is no such thing as too much anti-virus protection for the modern, automated enterprise. Although at first glance it might seem needlessly redundant to protect all of your desktop computers, file and network servers, gateways, e-mail servers and firewalls, each of these network nodes serves a different function in your network, and has different duties.
• System memory, boot sectors, and master boot records. You can configure regularly scheduled scan operations that examine these favorite virus hideouts, or set up periodic operations whenever a threat seems likely.
• Microsoft Exchange mailboxes. VirusScan software includes a specialized E-Mail Scan extension that assumes your network user’s Microsoft Exchange or Outlook identity to scan his or her mailbox directly—before viruses get downloaded to the local workstation.
Taken together, the Active Virus Defense suite forms a tight series of anti-virus security perimeters around your network that protect you against both external and internal sources of infection.
1 About VirusScan Software
Introducing VirusScan anti-virus software
Eighty percent of the Fortune 100—and more than 50 million users worldwide—choose VirusScan anti-virus software to protect their computers from the staggering range of viruses and other malicious agents that has emerged in the last decade to invade corporate networks and cause havoc for business users.
The new release also adds multiplatform support for Windows 95, Windows 98, Windows ME, Windows NT Workstation v4.0, and Windows 2000 Professional, all in a single package with a single installer, but optimized to take advantage of the benefits each platform offers. Windows NT Workstation v4.0 and Windows 2000 Professional users, for example, can run VirusScan software with differing security levels that provide a range of enforcement options for system administrators.
How does VirusScan software work?
VirusScan software combines the anti-virus industry’s most capable scan engine with top-notch interface enhancements that give you complete access to that engine’s power. The VirusScan graphical user interface unifies its specialized program components, but without sacrificing the flexibility you need to fit the software into your computing environment.
This meant that the simple pattern-matching method that earlier scan engine incarnations used to find many viruses simply no longer worked, since no constant sequence of bytes existed to detect. To respond to this threat, McAfee VirusScan researchers developed the PolyScan Decryption Engine, which locates and analyzes the algorithm that these types of viruses use to encrypt and decrypt themselves.
Still others open “back doors” into desktop systems or create security holes in a way that closely resembles a deliberate attempt at network penetration, rather than the more random mayhem that most viruses tend to leave in their wakes. The latest VirusScan software releases, as a consequence, do not simply wait for viruses to appear on your system; they scan proactively at the source or work to deflect hostile agents away from your system.
Figure 1-1. McAfee VirusScan Central screen
• The VirusScan Console. This component allows you to create, configure and run VirusScan tasks at times you specify. A “task” can include anything from running a scan operation on a set of disks at a specific time or interval, to running an update or upgrade operation. You can also enable or disable the VShield scanner from the Console window.
The VShield scanner comes with three other specialized modules that guard against hostile Java applets and ActiveX controls, that scan e-mail messages and attachments that you receive from the Internet via Lotus cc:Mail, Microsoft Mail or other mail clients that comply with Microsoft’s Messaging Application Programming Interface (MAPI) standard, and that block access to dangerous Internet sites.
• The Alert Manager Client configuration utility. This component lets you choose a destination for Alert Manager “events” that VirusScan software generates when it detects a virus or takes other noteworthy actions. You can also specify a destination directory for older-style Centralized Alerting messages, or supplement either method with Desktop Management Interface (DMI) alerts sent via your DMI client software.
• The ScreenScan utility.
When you run the Emergency Disk creation wizard, VirusScan software copies BOOTSCAN.EXE and a specialized set of .DAT files to a single floppy disk. BOOTSCAN.EXE will not detect or clean macro viruses, but it will detect or clean other viruses that can jeopardize your VirusScan software installation or infect files at system startup. Once you identify and respond to those viruses, you can safely run VirusScan software to clean the rest of your system.
The help file also includes extensive context-sensitive—or “What's This”—help. To see these help topics, right-click buttons, lists, icons, some text boxes, and other elements that you see within dialog boxes. You can also click the ? symbol at the top-right corner in most dialog boxes, then click the element you want to see described to display the relevant topic. The dialog boxes with Help buttons open the help file to the specific topic that describes the entire dialog box.
This VirusScan version also comes with complete support for the Network Associates ePolicy Orchestrator software distribution tool. A specially packaged VirusScan version ships with the ePolicy Orchestrator software, ready for enterprise-wide distribution. You can distribute VirusScan software, configure it from the ePolicy Orchestrator console, update that configuration and any program or .DAT files at any time, and schedule scan operations, all for your entire network user base.
• An updated randomization feature for scheduled tasks allows you to set a time for the task to run, then set a randomization “window.” The VirusScan Console then picks a random time within the window to actually start the task.
• System Scan module action options now include a new Prompt Type configuration option for Windows 95 and Windows 98 systems. This option lets you determine how the Prompt for user action alert appears.
2 Installing VirusScan Software
Before you begin
McAfee VirusScan Software distributes VirusScan software in two ways: 1) as an archived file that you can download from the McAfee Web site; and 2) on CD-ROM. Although the method you use to transfer VirusScan files from an archive you download differs from the method you use to transfer files from a CD-ROM you place in your CD-ROM drive, the installation steps you follow after that are the same for both distribution types.
Preparing to install VirusScan software
After inserting the McAfee VirusScan CD-ROM in your CD-ROM drive, you should see a VirusScan welcome image appear automatically. To install VirusScan software immediately, click Install VirusScan, then skip to Step 4 to continue with Setup. If the welcome image does not appear, or if you are installing VirusScan software from files you downloaded, start with Step 2.
2. Choose Run from the Start menu in the Windows taskbar. The Run dialog box will appear (Figure 2-1).
Figure 2-1. Run dialog box
3. Type :\SETUP.EXE in the text box provided, then click OK. Here, represents the drive letter for your CD-ROM drive or the path to the folder that contains your extracted VirusScan files. To search for the correct files on your hard disk or CD-ROM, click Browse.
Figure 2-2. Setup welcome panel
4. This first panel tells you where to locate the README.TXT file, which describes product features, lists any known issues, and includes the latest available product information for this VirusScan version. When you have read the text, click Next> to continue.
5. The next wizard panel displays the VirusScan software end-user license agreement.
6. Select Preserve On Access Settings, if the option is available, then click Next> to continue.
If Setup finds incompatible software, it will display a wizard panel that gives you the option to remove the conflicting software. If you have no incompatible software on your system and your computer runs Windows 95 or Windows 98, skip to Step 9 to continue with the installation. If you have no incompatible software and your system runs Windows NT Workstation v4.
If your computer runs Windows NT Workstation v4.0 or Windows 2000 Professional, Setup next asks you which security mode you want to use to run VirusScan software on your system. The options in this panel govern whether others who use your computer can make changes to the configuration options you choose, can schedule and run tasks, or can enable and disable VirusScan components.
Users who do not have administrative rights may still configure and run their own scan operations with the VirusScan application and save settings for those operations in a .VSC file, but they cannot change default VirusScan application settings. To learn more about how to configure and save VirusScan application settings.
• Use Standard Security.
Figure 2-6. Custom Setup panel
11. Choose the VirusScan components you want to install. You can:
• Add a component to the installation. Click beside a component name, then choose This feature will be installed on local hard drive from the menu that appears. To add a component and any related modules within the component, choose This feature, and all subfeatures, will be installed on local hard drive instead. You can choose this option only if a component has related modules.
Setup will show you a wizard panel that confirms its readiness to begin installing files (Figure 2-6).
Figure 2-7. Ready to Install panel
13. Click Install to begin copying files to your hard drive. Otherwise, click
14. From the VirusScan Configuration panel (Figure 2-8), you can skip configuration to finish installation, or you can select to configure the available options displayed.
• Scan boot record at startup. Select this checkbox to have Setup write these lines to your Windows AUTOEXEC.BAT file:
    C:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\SCAN.EXE C:\
    @IF ERRORLEVEL 1 PAUSE
This tells your system to start the VirusScan Command Line scanner when your system starts.
Figure 2-9. Configuration panel
Choose configuration options for your installation. You can choose to scan your system, create an emergency disk, or update your virus definition files before you start the VShield scanner and the VirusScan Console.
NOTE: For more information on any of these options, you can refer to the online Help of McAfee VirusScan.
16. In the next screen (Figure 2-10), select the Enable McAfee VirusScan Protection checkbox, then click Finish.
Figure 2-10. Successful Installation panel
17. After you click Finish, the McAfee VirusScan Installer Information dialog box is displayed where you will be prompted to restart your computer (Figure 2-11).
Figure 2-11. McAfee VirusScan Installer Information dialog box
NOTE: If you had a previous VirusScan version installed on your computer, you must restart your system in order to start the VShield scanner. Click Yes to restart your computer.
Using the Emergency Disk Creation utility
If you choose to create an Emergency Disk during installation, Setup will start the Emergency Disk wizard in the middle of the VirusScan software installation, then will return to the Setup sequence when it finishes. To learn how to create an Emergency Disk, begin with Step 1. You can also start the Emergency Disk wizard at any point after you install VirusScan software.
To start the wizard after installation, click Start in the Windows taskbar, point to Programs, then to McAfee VirusScan. Next, choose Create Emergency Disk. The Emergency Disk wizard welcome panel will appear (Figure 2-9).
Figure 2-12. Emergency Disk welcome panel
1. Click Next> to continue. The next wizard panel appears (Figure 2-10).
Figure 2-13.
If your computer runs Windows NT Workstation or Windows 2000 Professional, the wizard tells you that it will format your Emergency Disk with the NAI-OS. You must use these proprietary operating system files to create your Emergency Disk, because Windows NT Workstation v4.0 and Windows 2000 Professional system files do not fit on a single floppy disk.
a. Insert an unlocked and unformatted floppy disk into your floppy drive. McAfee VirusScan Software recommends that you use a completely new disk that you have never previously formatted to prevent the possibility of virus infections on your Emergency Disk.
b. Verify that the Don’t format checkbox is clear.
c. Click Next>. The Windows disk format dialog box appears (see Figure 2-11).
Figure 2-14. Windows Format dialog box
d.
Figure 2-15. Scanning Emergency Disk for viruses
If VirusScan software does not detect any viruses during its scan operation, Setup will immediately copy BOOTSCAN.EXE and its support files to the floppy disk you created. If VirusScan software does detect a virus, quit Setup immediately.
4. When the wizard finishes copying the Emergency Disk files, it displays the final wizard panel (Figure 2-13).
Figure 2-16. Final Emergency Disk panel
5. Click Finish to quit the wizard.
NOTE: A locked or write-protected floppy disk shows two holes near the edge of the disk opposite the metal shutter. If you don’t see two holes, look for a plastic sliding tab at one of the disk corners, then slide the tab until it locks in an open position.
Determining when you must restart your computer
In many circumstances, you can install and use this VirusScan release immediately, without needing to restart your computer.
Table 2-1.
To test your installation, follow these steps:
1. Open a standard Windows text editor, such as Notepad, then type this character string as one line, with no spaces or carriage returns:
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
NOTE: The line shown above should appear as one line in your text editor window, so be sure to maximize your text editor window and delete any carriage returns.
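An added example, not part of the VirusScan guide: a Python check that a hand-typed test file is byte-for-byte valid before you conclude that the scanner missed it. The function names are illustrative, and the allowed trailing whitespace and the 128-byte limit are taken from EICAR's published definition of the test file rather than from this guide.

```python
import sys

# The standard 68-byte test string, kept as two halves so that an on-access
# scanner does not quarantine this script itself.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

TRAILING_OK = b" \t\r\n\x1a"   # space, tab, CR, LF, Ctrl-Z may follow the string
MAX_FILE_LEN = 128             # total file length allowed by the EICAR definition


def diagnose(data):
    """Return a list of problems with a test file; an empty list means valid."""
    # An editor that saves as Unicode puts a byte-order mark in front of the
    # string, so the file no longer starts with the expected bytes.
    if data.startswith((b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")):
        return ["byte-order mark found: re-save the file as plain ANSI text"]

    if data.startswith(EICAR):
        problems = []
        tail = data[len(EICAR):]
        if tail.strip(TRAILING_OK):
            problems.append("extra characters follow the test string")
        if len(data) > MAX_FILE_LEN:
            problems.append("file is %d bytes; the limit is %d"
                            % (len(data), MAX_FILE_LEN))
        return problems

    # The file does not start with the string: work out the likely typing slip.
    compact = b"".join(data.replace(b"\x1a", b"").split())
    if compact == EICAR:
        return ["spaces or line breaks inside or before the string"]
    if compact.replace(b"0", b"O") == EICAR:
        return ["digit 0 typed where the capital letter O belongs"]
    offset = next(
        (i for i, (got, want) in enumerate(zip(compact, EICAR)) if got != want),
        min(len(compact), len(EICAR)),
    )
    return ["typing error at character %d (got %d characters, expected %d)"
            % (offset + 1, len(compact), len(EICAR))]


def write_test_file(path):
    """Write the exact 68 bytes in binary mode, bypassing editor encodings."""
    with open(path, "wb") as handle:
        handle.write(EICAR)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_testfile.py <path-to-test-file>")
    with open(sys.argv[1], "rb") as handle:
        found = diagnose(handle.read())
    print("\n".join(found) or "valid test file")
    sys.exit(1 if found else 0)
```

Run it against a copy of the file made while on-access scanning is paused; once scanning is active, the scanner is expected to block reads of a valid test file.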
Setup will start and display the first Maintenance wizard panel.
4. Click Next> to continue. Setup displays the Program Maintenance wizard panel. Choose whether to modify VirusScan components or to remove VirusScan software from your system completely. Your choices are:
• Modify. Select this option to add or remove individual VirusScan components. Setup will display the Custom wizard panel. Start with Step 11 to choose the components you want to add or remove.
3 Removing Infections From Your System
If you suspect you have a virus...
First of all, don’t panic! Although far from harmless, most viruses that infect your machine will not destroy data, play pranks, or render your computer unusable. Even the comparatively rare viruses that do carry a destructive payload usually produce their nasty effects in response to a trigger event.
If VirusScan software found an infection during installation, follow these steps carefully:
1. Quit Setup immediately, then shut down your computer. Be sure to turn the power to your system off completely. Do not press CTRL+ALT+DEL or reset your computer to restart your system—some viruses can remain intact during this type of “warm” reboot.
2.
BOOTSCAN.EXE, the command-line scanner that comes with the Emergency Disk, will make four scanning passes to examine your hard disk boot sectors, your Master Boot Record (MBR), your system directories, program files, and other likely points of infection on all of your local computer’s hard disks.
NOTE: McAfee VirusScan Software strongly recommends that you do not interrupt the BOOTSCAN.EXE scanner as it runs its scan operation.
As your next step, locate and delete the infected file or files. You will need to restore any files that you delete from backup files. Be sure to check your backup files for infections also. Be sure also to use the VirusScan application at your earliest opportunity to scan your system completely in order to ensure that your system is virus-free.
Deciding when to scan for viruses
Maintaining a secure computing environment means scanning for viruses regularly.
Recognizing when you don’t have a virus
Personal computers have evolved, in their short life span, into highly complex machines that run ever-more-complicated software. Even the most farsighted of the early PC advocates could never have imagined the tasks for which workers, scientists and others have harnessed the modern PC’s speed, flexibility and power.
Understanding false detections
A false detection occurs when VirusScan software sends a virus alert message or makes a log file entry that identifies a virus where none actually exists. You are more likely to see false detections if you have anti-virus software from more than one vendor installed on your computer, because some anti-virus software stores the code signatures it uses for detection unprotected in memory.
Responding to viruses or malicious software
Because VirusScan software consists of several component programs, any one of which could be active at one time, your possible responses to a virus infection or to other malicious software will depend upon which program detected the harmful object, how you have that program configured to respond, and other circumstances. The following sections give an overview of the default responses available with each program component.
Figure 3-1. Initial System Scan response options
If your computer runs Windows 95 or Windows 98, you can choose to display a different virus alert message. If you select BIOS in the Prompt Type area in the System Scan module Action page, you’ll see instead a full-screen warning that offers you response options.
Figure 3-2. Full-screen Warning - System Scan response options
This alert message brings your system to a complete halt as it awaits your response.
To take one of the actions shown in an alert message, click a button in the Access to File Was Denied dialog box, or type the letter highlighted in yellow when you see the full-screen warning. If you want the same response to apply to all infected files that the System Scan module finds during this scan operation, select the Apply to all items checkbox in the dialog box. This option is not available in the full-screen alert message.
Responding when the E-mail Scan module detects a virus
NOTE: This feature only applies to Exchange server e-mails.
This module looks for viruses in e-mail messages you receive via corporate e-mail systems such as cc:Mail and Microsoft Exchange. In its initial configuration, the module will prompt you to choose a response from among five options whenever it detects a virus.
Figure 3-3.
• Exclude. Click this button to prevent the E-Mail Scan module from flagging this file as a virus in future scan operations. If you copy this file to your hard disk, this also prevents the System Scan module from detecting the file as a virus.
When you choose your action, the E-Mail Scan module will implement it immediately and add a notice to the top of the e-mail message that contained the infected attachment.
• Move. Click this to tell the Download Scan module to move the infected file to the quarantine directory you chose in the module’s Action property page.
When you choose your action, the Download Scan module will implement it immediately and add a notice to the top of the e-mail message that contained the infected attachment.
Figure 3-6. VirusScan response options
To respond to the infection, click one of the buttons shown. You can tell the VirusScan application to:
• Continue. Click this button to proceed with the scan operation and have the application list each infected file in the lower portion of its main window, record each detection in its log file, but take no other action to respond to the virus.
• Clean. Click this button to have the VirusScan application try to remove the virus code from the infected file. If it cannot clean the file—either because it has no remover or because the virus has damaged the file beyond repair—it will record the incident in its log file and suggest alternative responses.
Figure 3-8. E-Mail Scan response options
To respond to the infection, click one of the buttons shown. You can tell the E-Mail Scan extension to:
• Continue. Click this button to have the E-Mail Scan extension proceed with its scan operation, list each infected file it finds in the lower portion of its main window, and record each detection in its log file, but it will take no other action to respond to the virus.
Figure 3-9. E-Mail Scan extension window
• Clean. Click this button to remove the virus code from the infected file. If the E-Mail Scan extension cannot clean the file—either because it has no remover or because the virus has damaged the file beyond repair—it will record the incident in its log file and suggest alternative responses. In the example shown in, Clean is not an available response option.
Figure 3-10. McAfee Virus Information Library page
The Virus Information Library has a collection of documents that give you a detailed overview of each virus that VirusScan software can detect or clean, along with information about how the virus infects and alters files, and the sorts of payloads it deploys.
• Contact addresses and other information for submitting questions, virus samples, and other data
• Virus definition updates: this includes daily beta .DAT file updates, EXTRA.DAT files, updated Emergency .DAT files, current scan engine versions, regular weekly .DAT and SuperDAT updates, and new incremental virus definition files (.
Several methods exist for capturing virus samples and submitting them. The next sections discuss methods suited to particular conditions.
Using the SendVirus utility to submit a file sample
Because the majority of later-generation viruses tend to infect document and executable files, VirusScan software comes with SENDVIR.EXE, a utility that makes it easy to submit an infected file sample to McAfee VirusScan researchers for analysis.
Figure 3-13. Your Contact Information panel
5. If you want AVERT researchers to contact you about your submission, enter your name, e-mail address, and any message you would like to send along with your submission in the text boxes provided, then click Next> to continue.
NOTE: You may submit samples anonymously, if you prefer—simply leave the text boxes in this panel blank. You are under no obligation to supply any information at all here.
Choose as many files as you want to submit for analysis. To remove any of the files shown in the submission list, select it, then click Remove. When you have chosen all of the files you want to submit, click Next> to continue. The Choose Upload Options panel appears.
Figure 3-15.
7. Select the type of e-mail client application you have installed on your computer. Your choices are:
• Use outgoing Internet mail. Click this button to send your sample via a Simple Mail Transfer Protocol e-mail client, such as Eudora, Netscape Mail, or Microsoft Outlook Express. Next, enter the name of your outgoing mail server in the text box provided (mail.domain.com, for example).
• Use Microsoft Exchange.
2. Click Start in the Windows taskbar, point to Programs, then choose MS-DOS Prompt if your computer runs Windows 95 or Windows 98, or Command Prompt if your computer runs Windows NT Workstation v4.0 or Windows 2000 Professional.
3. Type this line at the command prompt:
    format a: /s
If your system hangs as it tries to format the disk, remove the disk from your floppy drive. Next, label the disk “Damaged during infected format as boot disk,” then set it aside.
4.
• If you suspect that a macro virus has infected your Microsoft Excel files, copy all files from C:\Program Files\Microsoft Office\Office\XLSTART to the disk. Include all files you have installed in alternative startup file locations.
• If you suspect that a macro virus has infected your PowerPoint files, copy the file BLANKPRESENTATION.POT from C:\Program Files\Microsoft Office\Templates to the disk.
4. Press CTRL+A to add files to the new archive. The Add dialog box appears.
5. Click Password to display the Password dialog box.
6. Type INFECTED in the Password text box, then click OK.
7. When prompted, retype your password to verify its accuracy, then click OK. The Add With Password dialog box appears.
8. Select your sample files, then click OK. WinZip applies the password you entered to all files that you add to or extract from your archive.
• Details about your system that might help to reproduce the environment in which you detected the virus
• Your name, company name, phone number, and e-mail address, if possible
• A list of all items contained in the package you are sending
Mailing infected floppy disks
You can also mail the actual disks you created directly to McAfee VirusScan anti-virus researchers.
NOTE: AVERT Labs does keep all submitted samples, but once you submit a sample, AVERT cannot return it to you. AVERT does not accept or process Iomega Ditto or Jaz cartridges, Iomega Zip disks, or other types of removable media.
4 Using VirusScan Software
Using the VShield scanner
The VShield scanner protects your system in the background, as you work with your files, in order to prevent infection from viruses that arrive via floppy disks, from your network, embedded in file attachments that come with e-mail messages, or from your computer’s memory. The scanner starts when you start your computer, and stays in memory until you shut down.
Scheduling scan tasks
The VirusScan Console runs scan operations and other tasks on the dates and at the times you choose, or at intervals you set. Use the Console to run a scan operation in your absence, when it causes the least disruption to your work, as part of a series of automated tasks, or in other ways that suit your needs. To learn how to configure VirusScan Console properties, see the Creating and Configuring Scheduled Tasks section in the McAfee VirusScan User’s Guide.
5 Sending Alert Messages
Using the Alert Manager Client Configuration utility
All McAfee anti-virus software includes a wide range of methods to alert you when it has detected a virus or other malicious software.
VirusScan software as an Alert Manager Client
VirusScan software works as a client program with respect to NetShield software and an Alert Manager server. It can send alert “events” whenever it detects a virus or malicious software to any Alert Manager server you specify. The Alert Manager server then relays those events—and any others it receives from other workstations—as alert messages, via the methods you or your system administrator defined for alert distribution.
This tells each VirusScan component to send an alert event to the Alert Manager client utility each time it detects a virus or malicious object. The client utility, in turn, passes the alert message to the Alert Manager server you designate. If you do not set your software to generate alert messages in the first place, the client utility will have nothing to pass to the Alert Manager server for distribution.

To start and configure the Alert Manager utility, follow these steps:

1.
3. Select the alerting method you want to use. Your choices are:

• Enable Alert Manager alerting. Click this button to send alert events to an Alert Manager server somewhere on your network. Choosing this option prevents you from sending alert events to a Centralized Alerting directory. To choose the destination server, click Configure to open the Select Alert Manager Server dialog box.

Figure 5-2.
When you’ve chosen a destination for your alert messages, click OK to close the dialog box.

• Enable Centralized alerting. Click this button to have VirusScan components send alert messages to a Centralized Alerting directory somewhere on your network. Choosing this option prevents you from sending alert events to an Alert Manager server. To choose a destination directory, click Configure to open the Central Alerting Configuration dialog box.

Figure 5-3.
• Additionally Enable DMI Alerts. Select this checkbox to supplement either of the other alerting methods. Next, click Configure to open the DMI Configuration dialog box, where you can enter the identifying number that your Desktop Management Interface (DMI) client application assigned to your VirusScan software when you installed it.

Figure 5-4.
A Using VirusScan Administrative Utilities

Understanding the VirusScan control panel

The VirusScan control panel serves as the graphical front end for the VirusScan management service, which initiates and controls all top-level component processes, including the VirusScan application, the Console, and the VShield scanner.
2. Locate and double-click the VirusScan control panel icon to open the control panel itself.

Figure A-1. VirusScan control panel - Service page

Choosing VirusScan control panel options

The control panel consists of two tabbed property pages that set out its options. To choose your options, follow these steps:

1. Open the control panel, then click the Service tab.
2. To stop all active VirusScan components, click Stop.
If your computer runs Windows NT Workstation v4.0 or Windows 2000 Professional, this service appears in the Services dialog box as AvSync Manager. If your computer runs Windows 95 or Windows 98, this service is not directly accessible.

NOTE: McAfee VirusScan Software strongly recommends that you set the VirusScan management service to load at startup.
By default, 100 items can appear in the list. You may not set the value here to fewer than five items.

7. Click or enter a figure in the Scan Items text box to specify how many targets the VirusScan application can examine at one time. This setting sets a maximum number of items that can appear as scan targets for any default scan task, or any task you configure, from within the VirusScan Console. By default, 100 items can appear in the list.
B Installed Files

What’s in this appendix?

The VirusScan installation procedure places essential program files on the VirusScan client workstation. This section provides an overview of the files installed. Some of the files are associated with a particular component while others are in common use, called by program functions as needed.
Table B-1. VShield scanner program files

File | Function | Location
CONFWIZ.EXE | VShield configuration wizard file | C:\Program Files\Network Associates\VirusScan
VSHWIN32.EXE | Communicates between VSSTAT.EXE and the VShield System Scan module | C:\Program Files\Network Associates\VirusScan
MCSHIELD.EXE | System Scan module. Runs as a Windows NT Service on Windows NT and Windows 2000 systems | C:\Program Files\Common Files\Network Associates\McShield
NAIEVENT.DLL | Event logging resource.
NTCLIENT.DLL | Support file for System Scan module. Runs only on Windows NT and Windows 2000 systems | C:\Program Files\Network Associates\VirusScan
SCANSERV.DLL | Support file for System Scan module. Runs only on Windows NT and Windows 2000 systems | C:\Program Files\Common Files\Network Associates\McShield
VSHIELD.VXD | VShield System Scan module.
CCM_SCAN.EXE | Scans e-mail you receive via Lotus cc:Mail v7.x and earlier cc:Mail systems | C:\Program Files\Network Associates\VirusScan
WEBSCANX.EXE | Provides functionality for VShield Download Scan and Internet Filter modules. Initializes WBHOOK32.DLL | C:\Program Files\Network Associates\VirusScan
WBHOOK32.DLL | Provides functionality for VShield Download Scan and Internet Filter modules.
Table B-2. VShield scanner dependent files

File | Function | Location
SYNCUTIL.DLL | Stores data shared between components | C:\Program Files\Network Associates\VirusScan
VSUTIL.DLL | Provides common utilities for components | C:\Program Files\Network Associates\VirusScan
AVSMCPA.CPL | VirusScan control panel applet | C:\Windows\System or C:\Winnt\System32
RESDLL.DLL | Resource file for all components | C:\Program Files\Common Files\Network Associates\McPal
MCSCAN32.
Table B-3. VShield scanner temporary files

File | Function | Location
DAV_SCAN.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
DEXCLDEF.MFF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
DSCANDEF.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
DVS_EXCL.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
VSCANGEN.MMF | Memory map file for SYNCUTIL.
Dependent and related files for the VirusScan application

The VirusScan application runs as a stand-alone executable file that you can start yourself, or that the VirusScan Scheduler can start according to a schedule you set. The application requires a number of support files to function, including some related to the McAfee VirusScan scan engine.
Table B-5. VirusScan application dependent files

File | Function | Location
AVSYNCH.DLL | Handles inter-component communication through shared memory | C:\Program Files\Network Associates\VirusScan
SYNCUTIL.DLL | Stores data shared between components | C:\Program Files\Network Associates\VirusScan
VSUTIL.DLL | Provides common utilities for components | C:\Program Files\Network Associates\VirusScan
AVSMCPA.CPL | VirusScan control panel applet | C:\Windows\System or C:\Winnt\System32
RESDLL.
Table B-6. VirusScan application temporary files

File | Function | Location
SYNC_MAP.MMF | Memory map file for AVSYNCH.DLL | C:\Program Files\Network Associates\VirusScan
AVCONSOLE.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
DAV_CONS.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
DAV_EXCL.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
DAV_SCAN.
Table B-7. Alert Manager files

File | Function | Location
ADSLOOKUP.DLL | Library file. Allows client utility to locate Alert Manager server through Microsoft Active Directory services | C:\Program Files\Common Files\Network Associates\McPal
AMG.MIF | Management Information File for use with Desktop Management Interface client application software | C:\Program Files\Common Files\Network Associates\McPal
NAARCHIV.
Table B-8. VirusScan control panel files

File | Function | Location
AVSYNMGR.EXE | The VirusScan management service. Initializes, starts and stops all VirusScan services and components. Must run to enable all VirusScan components. | C:\Program Files\Network Associates\VirusScan
AVSYNCH.DLL | Handles inter-component communication through shared memory | C:\Program Files\Network Associates\VirusScan
SYNCUTIL.
Table B-9. VirusScan control panel temporary files

File | Function | Location
DEXCLDEF.MFF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
DSCANDEF.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
DVS_EXCL.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
VSCANGEN.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
VSCANOAS.MMF | Memory map file for SYNCUTIL.
Dependent files

The ScreenScan utility requires these files to run at various points during its operation, but these are not ScreenScan program files, or are not dedicated solely to ScreenScan utility support.

Table B-11. ScreenScan dependent files

File | Function | Location
RESDLL.DLL | Resource file for all VirusScan components | C:\Program Files\Common Files\Network Associates\McPal
RWABS16.
Table B-12. VirusScan Emergency Disk files

File | Function | Location
AUTOEXEC.BAT | MS-DOS batch file. This file leads you through an immediate scan operation, as soon as the Emergency Disk finishes starting your computer | A:\
BIOS.SYS | System file | A:\
BOOTSCAN.EXE | McAfee VirusScan’s command-line scanner. This file conducts the scan operation on your hard disk | A:\
CLEAN.DAT | McAfee VirusScan’s virus definition file. This file is a smaller, specialized version of the CLEAN.
MESSAGES.DAT | McAfee VirusScan’s resource file. This file stores application messages for use during scan operations | A:\
NAMES.DAT | McAfee VirusScan’s virus definition file. This file is a smaller, specialized version of the NAMES.DAT file that other VirusScan components use. You may not use a NAMES.DAT file from the VirusScan program directory for the Emergency Disk | A:\
SCAN.DAT | McAfee VirusScan’s virus definition file.
Program files

Table B-13. E-Mail Scan program files

File | Function | Location
EMALSCAN.DLL | Scans e-mail on your Microsoft Exchange server or other Messaging Application Programming Interface (MAPI) e-mail system. This file runs as an Exchange or Outlook extension that loads into the e-mail client application. This same file provides scan services for the VShield E-Mail Scan module. | C:\Program Files\Network Associates\VirusScan
Table B-14. E-Mail Scan dependent files

File | Function | Location
VSUTIL.DLL | Provides common utilities for components. | C:\Program Files\Network Associates\VirusScan
AVSMCPA.CPL | VirusScan control panel applet. | C:\Windows\System or C:\Winnt\System32
RESDLL.DLL | Resource file for all VirusScan components. | C:\Program Files\Common Files\Network Associates\McPal
RWABS16.DLL | Support file for scan engine. | C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx
RWABS32.
Table B-15. E-Mail Scan temporary files

File | Function | Location
DSCANDEF.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
DVS_EXCL.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
VSCANGEN.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
VSCANOAS.MMF | Memory map file for SYNCUTIL.DLL | C:\Program Files\Network Associates\VirusScan
VSCANODS.MMF | Memory map file for SYNCUTIL.
C Using VirusScan Command-line Options

Adding advanced VirusScan engine options

The following table lists all of the command-line options that can be communicated directly to the scanning engine via the Advanced Scan Settings dialog box provided by most Detection property pages. These command-line options, which you specify in the Advanced Scan Settings dialog box, supplement, and can overwrite, the options selected in the VShield and VirusScan Detection property pages.
3. Type scan, followed by the scan options you want to use, at the command prompt. VirusScan Command Line will start immediately and begin scanning your system with the options you choose. When it has finished, it will display the results of its scan operation, then return to the command prompt.
4. To run another scan operation, repeat Step 3. To close the MS-DOS Prompt window, type exit at the command prompt.
The following table lists the options that can be added to the SCAN command.

Table C-1. VirusScan command-line scanner options

Command-line Option | Limitations | Description
/? or /HELP | None | Displays a list of VirusScan command-line options, each with a brief description.
/ADL | On-demand scanning only | Scan all local drives—including compressed drives and PC cards, but not disks—in addition to any other drive specified on the command line.
/APPEND | On-demand scanning only | Used with /REPORT to append report message text to the specified report file instead of overwriting it.
/BOOT | On-demand scanning only | Scan boot sector and master boot record only.
/BOOTACCESS | On-access scanning only | Scans a disk’s boot sector for viruses whenever the disk is accessed (including read/write operations).
/FREQUENCY | On-demand scanning only | Do not scan hours after the previous scan operation. In environments where the risk of viral infection is very low, use this option to prevent unnecessary scan operations. Note that the greater the scan frequency, the greater your protection against infection.
/HELP or /? | None | Displays a list of VirusScan scanner command-line options, each with a brief description.
/MOVE or *.??? | On-demand scanning only | /MOVE : Moves all infected files found during a scan to the specified directory, preserving drive letter and directory structure. This option has no effect if the Master Boot Record or boot sector is infected, since these are not actually files. /MOVE*.???: The scanner will change the extension of infected files, but not move them. For example, using the /MOVE*.
/NODDA | On-demand scanning only | No direct disk access. This prevents the scanner from examining the boot record. This feature has been added to allow the scanner to run under Windows NT. You might need to use this option on some device-driven drives. Using /NODDA with the /ADN or /ADL switches may generate errors when accessing empty CD-ROM drives or empty Zip drives.
/PAUSE | On-demand scanning only | Enables screen pause. The Press any key to continue prompt will appear when the scanner fills a screen with messages. Otherwise, by default, the scanner fills and scrolls a screen continuously without stopping, which allows it to run on PCs with multiple drives or that have severe infections, without needing your input.
/RPTALL | On-demand scanning only | Include all scanned files in the /REPORT file. When used with /REPORT, this option adds the names of corrupted files to the report file. McAfee VirusScan recommends omitting /PAUSE when using any report option.
/RPTERR | On-demand scanning only | Include errors in /REPORT file. When used with /REPORT, this option adds a list of system errors to the report file.
/VIRLIST | On-demand scanning only | Displays the name and a brief description of each virus that the scanner detects. You may use the /PAUSE option on the same command line as /VIRLIST to read the virus list one screen at a time. To redirect the /VIRLIST output to a text file: At the command prompt, type scan /VIRLIST .txt Because the scanner can detect many viruses, this file will be over 250 pages long.
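The notes in Table C-1 can be checked mechanically before a scan command goes into a scheduled task or the Advanced Scan Settings dialog box. The following Python sketch is an added example, not part of this guide or of the VirusScan software: it covers only the options visible in this excerpt of the table, and the function names, finding codes and sample command lines (including the form of the /REPORT argument) are assumptions made for illustration.

```python
import re

ON_DEMAND, ON_ACCESS, ANY = "on-demand", "on-access", "any"

# Rows visible in this excerpt of Table C-1 -> the table's "Limitations" column.
LIMITS = {
    "/?": ANY, "/HELP": ANY, "/ADL": ON_DEMAND, "/APPEND": ON_DEMAND,
    "/BOOT": ON_DEMAND, "/BOOTACCESS": ON_ACCESS, "/FREQUENCY": ON_DEMAND,
    "/MOVE": ON_DEMAND, "/NODDA": ON_DEMAND, "/PAUSE": ON_DEMAND,
    "/RPTALL": ON_DEMAND, "/RPTERR": ON_DEMAND, "/VIRLIST": ON_DEMAND,
}
# Named inside other rows, but their own rows are cut off in this excerpt.
REFERENCED_ONLY = {"/REPORT", "/ADN"}
REPORT_MODIFIERS = ("/APPEND", "/RPTALL", "/RPTERR")

OPTION_RE = re.compile(r"/(\?|[A-Za-z]+)")


def parse_options(cmdline):
    """Return the option names, upper-cased, in order. Arguments are ignored."""
    options = []
    for token in cmdline.split():
        match = OPTION_RE.match(token)
        if match:
            options.append("/" + match.group(1).upper())
    return options


def lint_scan_command(cmdline, mode=ON_DEMAND):
    """Check one command line against the notes in Table C-1.

    Returns a list of (code, option, note) tuples. An empty list means no
    documented conflict was found among the options this excerpt covers.
    """
    opts = parse_options(cmdline)
    present = set(opts)
    findings = []

    for opt in opts:
        limit = LIMITS.get(opt)
        if limit is None:
            if opt not in REFERENCED_ONLY:
                findings.append(("UNKNOWN", opt, "no row in this excerpt"))
        elif limit != ANY and limit != mode:
            findings.append(("WRONG_MODE", opt, f"{limit} scanning only"))

    # /APPEND, /RPTALL and /RPTERR are documented as used with /REPORT.
    for opt in REPORT_MODIFIERS:
        if opt in present and "/REPORT" not in present:
            findings.append(("NEEDS_REPORT", opt, "documented for use with /REPORT"))

    # The table recommends omitting /PAUSE when using any report option.
    reporting = present & ({"/REPORT"} | set(REPORT_MODIFIERS))
    if "/PAUSE" in present and reporting:
        findings.append(("PAUSE_WITH_REPORT", "/PAUSE",
                         "omit /PAUSE when using any report option"))

    if "/NODDA" in present:
        for opt in ("/ADN", "/ADL"):
            if opt in present:
                findings.append(("NODDA_ALL_DRIVES", opt,
                                 "may error on empty CD-ROM or Zip drives"))
        # Derived from two rows: /BOOT scans only the boot sector and master
        # boot record, while /NODDA prevents examining the boot record.
        if "/BOOT" in present:
            findings.append(("NO_BOOT_COVERAGE", "/BOOT",
                             "/NODDA prevents examining the boot record"))
    return findings


# Constructed sample command lines; the /REPORT argument form is an assumption.
SAMPLES = [
    "scan /ADL /REPORT scan.log /APPEND /RPTERR",
    "scan /ADL /NODDA /PAUSE /RPTALL",
    "scan /BOOT /NODDA /BOOTACCESS",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line)
        results = lint_scan_command(line) or [("OK", "-", "no documented conflict")]
        for code, opt, note in results:
            print(f"  {code:18} {opt:12} {note}")
```

Options reported as UNKNOWN are not necessarily invalid; they simply have no row in this excerpt of the table.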
D Using the SecureCast Service to Get New Data Files

Introducing the SecureCast service

The Network Associates SecureCast service provides a convenient method you can use to receive the latest virus definition (.DAT) file updates automatically, as they become available, without your having to download them.
Why should I update my data files?

Your software relies on information in its virus definition (.DAT) files to identify viruses. More than 200 new viruses appear each month, however, and older .DAT files might not recognize them. To meet this challenge, McAfee VirusScan’s Software releases new .DAT files each week. You are entitled to these free data file updates for use with your version of the software. If you do not use current .
Installing the BackWeb client and SecureCast service

Setting up SecureCast service and the BackWeb client is a two-phase process:

1. Download and install the BackWeb client
2. Register to receive SecureCast service InfoPaks

To get started with the SecureCast service, review the system requirements shown below, then follow the steps outlined in each section.
Figure D-1. BackWeb client welcome panel

3. Read the instructions and warnings on this panel, then click Next> to continue.
4. The BackWeb license agreement appears (Figure D-2).

Figure D-2. BackWeb Software License Agreement panel

5. Click Yes to continue.
6. The Choose Destination Location panel appears (Figure D-3).
Figure D-3. Choose Destination Location panel

7. Enter a new location for Setup to install the client software, if you wish, or click Browse to locate a suitable folder. Click Next> to continue. Setup will begin to copy BackWeb program files to your computer. As it does so, it displays its progress. When it has finished, Setup displays the Connection Type panel (Figure D-4).

Figure D-4.
8. Specify the type of connection your computer has to the Internet. Your choices are:

• Direct. Choose this option if you connect to the Internet through a local-area network or a high-bandwidth connection such as a cable modem or digital subscriber line (DSL) connection. Continue with Step 9.
• Modem. Choose this option if you dial up to connect to an Internet service provider, or into your corporate network. Skip to Step 13.
10. If you chose HTTP via proxy as your connection method, the HTTP Proxy Setup panel appears (Figure D-6).

Figure D-6. HTTP Proxy Setup panel

11. Enter the name of your proxy server in the Proxy text box, then enter the port the server uses for communication in the Port text box. When you have finished, click Next> to continue. The Proxy Authentication panel appears (Figure D-7).

Figure D-7. Proxy Authentication panel

12.
The Setup Complete panel appears (Figure D-8).

Figure D-8. Setup Complete panel

13. To start immediately, leave both checkboxes selected in this panel, then click Finish to complete your installation.

Phase 2: Register with the Enterprise SecureCast service

After you install the BackWeb client and start it, the SecureCast service immediately opens the client application and sends its first InfoPak: the SecureCast registration forms (Figure D-9).
The SecureCast service alerts you that an InfoPak has arrived with the Flash message shown at the bottom right corner of Figure D-9.

IMPORTANT: If you are a corporate user and have a high-speed Internet connection, the window may list Register Now as an already received InfoPak. Continue with Step 1.
4. Double-click the BW Register icon in the window that opens next. A registration information form appears (Figure D-12).

Figure D-12. SecureCast User Registration Information form

5. Enter your name, title and company contact information in the text boxes provided. Here you will also need to enter the grant number you received when you purchased your software, or that you received from Network Associates Customer Service.
Figure D-13. SecureCast Parent Company Information form

6. If your company is the subsidiary of another company, enter contact information for your parent company in the text boxes provided. When you have finished, click Next>. The Proxy Communication Configuration dialog box appears (Figure D-14).

Figure D-14. SecureCast Proxy Communication Configuration

7.
Figure D-15. SecureCast Online Activity Status panel

9. Click Finish after a check mark appears in all the boxes. The setup process is complete. At that point, your web browser will connect to the Network Associates SecureCast service electronic customer care page. If you are a corporate user, the window resembles the one shown in Figure D-16:

Figure D-16.
Troubleshooting the Enterprise SecureCast service

Registration problems

If you try to register during a busy time of day on the web, you may encounter a delay while the server tries to process your registration request. If you receive the error message “1105 Error” or “Database Error: Unable to connect to the data source,” this means that there is a database problem on the server. Try submitting the form again, or try to register later.
BackWeb client

• For a comprehensive guide to BackWeb, including additional troubleshooting advice, see the online BackWeb User’s Manual: http://www.backweb.
E Product Support

Updates

You will receive one free year of updates on new virus signature files. Updating the virus signature files for McAfee VirusScan on a regular schedule is essential in ensuring that all new viruses are detected for a completely protected system. To update your signature files, simply click on the UPDATE button in the McAfee VirusScan home page. Make sure that your PC is connected to the Internet as VirusScan will automatically update the files for you.
Customer service

To order products or obtain product information, contact the McAfee Customer Care department at (972) 308-9960 or write to the following address:

McAfee Software
3965 Freedom Circle
Santa Clara, CA 95054
U.S.A.

If you need further assistance or have specific questions about our products, send your questions via email to the appropriate address below:

• For general questions about ordering software: mcafeestore@beyond.
Telephone support numbers

30-Day Free Telephone Support | 972-308-9960
Per Minute Telephone Support | 1-900-225-5624
Per Incident Telephone Support ($35) | 1-800-950-1165

Disclaimer: Time and telephone numbers are subject to change without prior notice.
F Download Information (License ID #: VSF500R)

As a valued McAfee customer, we are committed to keeping your system FREE from virus infection. To protect against the newest virus threats, keep your VirusScan installation up to date! Per your McAfee Software License Agreement, you are eligible for one (1) FREE Upgrade within ninety (90) days of purchase. This document explains the different ways you can access your FREE VirusScan upgrade.
7. If previously registered, the thank you page is displayed. To begin downloading the product, click the download button.
8. If not previously registered, the McAfee Product Registration page is displayed. You will be asked to enter your Last Name, First Name, Postal Code, Country, State and a password that you make up. Press submit. Once submitted, a thank you page is displayed. An access URL will be emailed automatically to the email address that you have entered.