





















                           VirusScan Version 2.1.1
                       Copyright 1994 by McAfee, Inc.
                            All Rights Reserved.

              Documentation by Aryeh Goretsky and Logical Arts.



















            McAfee, Inc.                 (408) 988-3832 office
            2710 Walsh Avenue            (408) 970-9727 fax
            Santa Clara, CA  95051-0963  (408) 988-4004 BBS (25 lines)
            U.S.A.                       USR HST/v.32/v.42bis/MNP1-5
                                         CompuServe        GO MCAFEE
                                         InterNet support@mcafee.COM
                                         America Online       MCAFEE

           Using VirusScan (Version 2.1.1)                           
            
            TABLE OF CONTENTS

            Chapter 1: Welcome to VirusScan  / 1   
                       What VirusScan includes  / 3 
                       System requirements  / 5
                       License and registration  / 6
                       Technical support  / 6 
            Chapter 2: Don't skip this chapter  / 10 
                       Installing VirusScan  / 11 
                       Scanning your system  / 14 
                       If you detect a virus  / 16 
                       Activating VShield  / 19 
                       Making a clean start-up diskette  / 21 
                       Running the VirusScan programs  / 23 
                       When to rescan  / 25 
                       Updating VirusScan regularly  / 25 
            Chapter 3: VirusScan reference  / 28 
                       Technical overview  / 30 
                       Validating Scan  / 31 
                       Running Scan from the command line  / 31 
                       Scan command line option summary  / 33 
                       Scan option descriptions  / 35
                       Cleaning viruses  / 45 
                       Examples  / 49 
                       Error levels  / 50
                       Application note 1: Updating validation codes  / 52 
                       Application note 2: Reformatting infected 
                          diskettes with DOS 5.0 and later  / 52 
                       Technical note 1: Creating an exception 
                          list file for the /EXCLUDE option  / 53 
            Chapter 4: VShield reference  / 54 
                       Four levels of protection  / 57 
                       Running VShield  / 59 
                       VShield option summary  / 63 
                       VShield option descriptions  / 65 
                       Deciding which options are for you  / 72 
                       Examples  / 74 
                       Error levels  / 75 
                       Using VShieldCRC  / 76 
                       VShieldCRC option summary  / 77 
                       Using CheckVShield  / 78 
                       Technical note 1: Creating an exception list 
                          for the /EXCLUDE option  / 80 
                       Technical note 2: Sample NetWare login 
                          script and .BAT file  / 81 
            Chapter 5: Tips & troubleshooting  / 82 
            Appendix A: Retrieving McAfee programs with
                        communications software  / 90 
            Appendix B: Options comparison between VirusScan 
                        versions 1.5 and 2.1.1  / 92 
            Glossary  / 102
            
            
           Using VirusScan (Version 2.1.1)                           1

            CHAPTER 1: WELCOME TO VIRUSSCAN
            
            Thank you for purchasing McAfee(R)'s VirusScan(TM)
            software, a powerful and advanced system
            designed to detect, eradicate, and prevent
            computer viruses. VirusScan will help you
            protect one of your most important assets--the
            information on your personal computer or local
            area network.
            
            VirusScan includes two main programs:
            
            o The Scan program detects known viruses in your
              computer's memory or on disks. It can also
              detect new and unknown viruses. Once viruses
              are detected, it can remove them and restore
              your system to normal operation. The Scan
              program comes in two forms:

              o A graphical interface so that you can select
                commands and options using a mouse and
                keyboard, if you like. For instructions,
                see the on-line documentation.
              
              o A command line interface, so you can run the
                program and select options by typing from a
                command prompt or from batch or script files,
                if you prefer.

            o The VShield(TM) memory-resident program
              continuously monitors and protects your
              system from viruses that might be introduced.
            
            The VirusScan programs run on IBM-PC or 100%
            compatible personal computers (PCs) that use
            DOS, Windows, or OS/2.
            
            VirusScan is an important element of a
            comprehensive security program that includes a
            variety of safety measures, such as regular
            backups, meaningful password protection,
            training, and awareness. We urge you to set up
            and comply with such a security program in your
            organization. For tips on how to do this, see
            "Other sources of information" in this chapter.
            
            
            
            
            
            
            
            
           Using VirusScan (Version 2.1.1)                           2
            
            HOW TO USE THIS MANUAL
            
            This manual will help you get VirusScan running
            quickly and properly on DOS, Windows, and OS/2
            systems.
            
            All the key information is in Chapter 2, "Don't
            skip this chapter." Please don't install
            VirusScan before reading it, even if you are a
            PC power user or already familiar with Scan.
            Installing and using VirusScan is not like using
            other software.
            
            The rest of Chapter 1, "Welcome to VirusScan,"
            describes the programs and files on your
            VirusScan disk, system requirements, how to
            register, and how to get help.
            
            Chapter 3, "VirusScan reference," and Chapter 4,
            "VShield reference," contain reference
            information for Scan and VShield, respectively.
            Many users will not need to read these chapters,
            because basic operation of VirusScan, as
            described in Chapter 2, will detect and remove
            most viruses from your system. The options
            described in Chapters 3 and 4 offer additional
            power and control, and are most useful in
            vulnerable environments and to network
            administrators and information services staff.
            
            Chapter 5, "Tips & troubleshooting," explains
            how to get the most out of VirusScan, and how to
            cope with some common problems.
            
            Appendix A describes how to retrieve new
            versions of McAfee programs using your
            communications software.
            
            Appendix B describes differences in command line
            options between VirusScan version 1.5 and
            version 2.1.1.
            
            
            
            
            
            
            
            
            
            
            
            
           Using VirusScan (Version 2.1.1)                           3
            
            NOTATION

            In this manual, we use several conventions to distinguish
            particular kinds of text.

            CONVENTION       EXAMPLE       REPRESENTS
            
            Uppercase        C:\>          What your
                                           computer displays
                                           on your screen.
            
            Lowercase        scan c:       What you
                                           type, verbatim.
            
            Curly braces     {filename}    Required
                                           element; do not
                                           type braces { }.
            
            Square braces    [filename]    Optional
                                           element; do not
                                           type braces [ ].
            
            Upper-case in    <ENTER>       Key to press
            brackets                       on the
                                           keyboard.

            WHAT VIRUSSCAN INCLUDES
            
            In addition to Scan and VShield, your VirusScan
            diskette contains another program that will help
            you use VirusScan. The Validate program ensures
            that new versions of VirusScan software you've
            obtained are authentic and unmodified.
            
            Your VirusScan diskette also contains several
            useful text files, which you can view and print
            with a text editor, word processor, or print
            command. You'll find version-specific
            information in the README.1ST file.
            
            
            
            
            
            
            
            
            
            
            
            
            

           Using VirusScan (Version 2.1.1)                           4
            
            VIRUSSCAN FILES AFTER UNPACKING

            After unpacking VirusScan you should have appropriate
            program files on your system for the version you have
            obtained (DOS, Windows, or OS/2). Several useful text
            files are also included.

            VirusScan for DOS.
            AGENTS.TXT   - lists McAfee authorized agents.
            CLEAN.DAT    - virus removal data file required by SCAN.EXE
            COMPUSER.NOT - explains how to obtain CompuServe membership
            FILE_ID.DIZ  - description of VirusScan used by some BBS
                           software
            LICENSE.TXT  - explains how to license VirusScan
            NAMES.DAT    - virus name data file required by SCAN.EXE
            PACKING.LST  - contains a list of all files, including
                           validation information
            README.1ST   - late-breaking information and new
                           instructions not contained in this manual
            REGISTER.TXT - explains how to register VirusScan for
                           your use
            SCAN.DAT     - virus string data file required by SCAN.EXE
            SCAN.EXE     - the VirusScan program
            SCAN.TXT     - on-line manual for Scan
            VALIDATE.EXE - used to check VirusScan programs for
                           authenticity
            VALIDATE.TXT - explains how to run VALIDATE.EXE

            VShield
            AGENTS.TXT   - lists McAfee authorized agents.
            CHKVSHLD.EXE - checks for presence of VShield and VShieldCRC
                           in memory
            COMPUSER.NOT - explains how to obtain CompuServe membership
            FILE_ID.DIZ  - description of VShield used by some BBS
                           software
            LICENSE.TXT  - explains how to license VShield
            PACKING.LST  - contains a list of all files, including
                           validation information
            REGISTER.TXT - explains how to register VirusScan for 
                           your use
            VALIDATE.EXE - used to check VirusScan programs for
                           authenticity
            VALIDATE.TXT - explains how to run VALIDATE.EXE
            VSHIELD.DAT  - virus string data file required by
                           VSHIELD.EXE
            VSHIELD.EXE  - the VShield program
            VSHIELD.TXT  - on-line manual for VShield
            VSHLDCRC.EXE - the VShieldCRC program
            VSHLDWIN.EXE - used by VShield and VShieldCRC to display
                           messages within Windows



           Using VirusScan (Version 2.1.1)                           5

            VirusScan for OS/2
            AGENTS.TXT   - lists McAfee authorized agents.
            CLEAN.DAT    - virus removal data file required by
                           OS2SCAN.EXE
            COMPUSER.NOT - explains how to obtain CompuServe membership
            FILE_ID.ZIP  - description of VirusScan used by some BBS
                           software
            LICENSE.TXT  - explains how to license VirusScan
            NAMES.DAT    - virus name data file required by OS2SCAN.EXE
            PACKING.LST  - contains a list of all files, including
                           validation information
            README.1ST   - late-breaking information and new
                           instructions not contained in this manual
            REGISTER.DOC - explains how to register VirusScan for your
                           use
            OS2SCAN.EXE  - the VirusScan program
            SCAN.DAT     - virus string data file required by
                           OS2SCAN.EXE
            SO32DLL.DLL  - dynamic link library required by OS2SCAN.EXE
            TCP32DLL.DLL - dynamic link library required by OS2SCAN.EXE
            USR32DLL.DLL - dynamic link library required by OS2SCAN.EXE
            VALIDATE.EXE - used to check VirusScan programs for
                           authenticity
            VALIDATE.TXT - explains how to run VALIDATE.EXE
           
            SYSTEM REQUIREMENTS
            
            The VirusScan programs require an IBM-compatible
            personal computer and any of the following
            operating systems:
            
            o DOS 3.1 or later and at least 340Kb of free
              RAM for the command line programs and 530Kb
              of free RAM for the graphical programs.

            o Windows 3.1 or later and at least 4Mb of RAM.

            o IBM OS/2 2.1 or later and at least 8Mb of RAM.

            VShield is a terminate-and-stay-resident (TSR)
            program that requires 67Kb of free memory.
            VShield attempts to minimize the use of
            conventional memory by loading into expanded,
            extended, or upper memory. For more information,
            see "VShield reference" in Chapter 4.
            
            You'll need a high-density 3.5" diskette drive
            to use the VirusScan diskette in this package.
            Contact McAfee for other media, or download the
            software from the McAfee bulletin board system
            (BBS).
            
            
           Using VirusScan (Version 2.1.1)                           6
            
            LICENSE AND REGISTRATION
            
            The VirusScan software is provided under license
            from McAfee, Inc., a copy of which is provided
            with this manual. Please read it and comply with
            it.
            
            Also, please fill out and return the
            registration form in your VirusScan package.
            Registration entitles you to upgrades at no
            charge from McAfee's bulletin board system and
            other sources, as well as technical support, for
            one year from your date of purchase.
            
            TECHNICAL SUPPORT
            
            For help in using this product, we invite you to
            contact McAfee technical support. You can
            contact us:
            
            o On-line 24 hours a day, through our bulletin
              board system, CompuServe, or Internet (see
              "On-line access to updates and technical
              support" below);

            o By fax, at (408) 970-9727; or

            o By telephone at (408) 988-3832, Monday through
              Friday, 6:00 am to 5:00 pm Pacific Standard
              Time.

            For fast and accurate help, please have the
            following information ready when you contact
            McAfee:
            
            o Program name and version number.

            o Type and brand of computer, hard disk, and any
              peripherals.

            o Version of DOS, along with any TSRs or device
              drivers in use.

            o Printouts of your AUTOEXEC.BAT and CONFIG.SYS
              files.

            o A printout of the contents of memory, from the
              MEM command (provided in DOS 4.0 and later)
              or a similar utility.

            
            
            
           Using VirusScan (Version 2.1.1)                           7
            
            o A description of the exact problem you are
              having. Please be as specific as possible. If
              you can't be at your computer when you call,
              a printout of the screen will be helpful.

            If you are overseas, you can contact a McAfee
            authorized agent. Agents are located in more
            than 50 countries around the world and provide
            local sales and support for our software. Please
            refer to the AGENTS.TXT file for a complete list
            of McAfee agents.
            
            ON-LINE ACCESS TO UPDATES AND TECHNICAL SUPPORT
            
            McAfee updates VirusScan monthly to add new
            virus detectors, new options, and fix reported
            bugs. To distribute these new versions, we run a
            multi-line bulletin board system, a forum on
            CompuServe, and an Internet node.
            
            MCAFEE BULLETIN BOARD SYSTEM (BBS)
            
            Our multi-line BBS is accessible 24 hours a day,
            365 days a year, except for scheduled downtime
            and maintenance. All lines run high-performance
            modems operating from 1,200 bps to 14,400 bps
            with line settings of 8 data bits, no parity,
            and 1 stop bit. The McAfee BBS phone number is
            (408) 988-4004.
            
            Appendix A, "Retrieving McAfee programs with
            communications software" explains how to dial up
            the McAfee BBS. Both technical support and
            software updates are available on the bulletin
            board.
            
            MCAFEE FORUM ON COMPUSERVE
            
            We sponsor the McAfee Virus Help Forum on
            CompuServe. To reach it, type GO MCAFEE at any
            CompuServe prompt. A free introductory
            membership is available. For more information,
            please read the enclosed COMPUSER.TXT file.
            
            
            
            
            
            
            
            
            

           Using VirusScan (Version 2.1.1)                           8
            
            INTERNET ACCESS
            
            The latest versions of McAfee's anti-virus
            software are available by anonymous ftp (file
            transfer protocol) over the Internet from the
            site mcafee.com. If your domain resolver does
            not support names, use the IP address
            192.187.128.1. Enter anonymous or ftp as your
            user ID and your own e-mail address as the
            password. Programs are located in the
            pub/antivirus directory. If you have questions,
            please send e-mail to support@mcafee.com.
            
            You can also find McAfee's anti-virus software
            at the SimTel Software Repository at
            Oak.Oakland.EDU in the simtel/msdos/virus
            directory and its associated mirror sites:
            
            o wuarchive.wustl.edu (US).
            o ftp.switch.ch (Switzerland).
            o ftp.funet.fi (Finland).
            o src.doc.ic.ac (UK).
            o archie.au (Australia).

            MCAFEE PRODUCTS AND SERVICES
            
            Founded in 1989, McAfee, Inc. is the leading
            provider of tools for productive computing for
            the DOS, OS/2, and Windows environments. Our
            anti-virus products are used by more than 16,000
            corporations worldwide. Our utility products
            provide data security, automated version
            updating, and system inspection and editing.
            McAfee is also the pioneer and leading provider
            of electronically distributed software. All of
            McAfee's products can be purchased through
            dealers or downloaded from bulletin board
            systems and on-line services around the world.
            
            McAfee doesn't stop at developing the world's
            best anti-virus and utility products. We back
            them with the industry's best service and
            technical support. Product support is provided
            by a full-time staff of virus researchers,
            programmers, and support professionals, and
            delivered directly by McAfee or our network of
            more than 150 Authorized Agent offices in more
            than 50 countries worldwide.
            
            
            
            
            
           Using VirusScan (Version 2.1.1)                           9
            
            OTHER SOURCES OF INFORMATION
            
            The McAfee BBS and CompuServe Virus Help Forum
            are excellent sources of information on virus
            protection. Batch files and utilities to help
            you use VirusScan software are often available,
            along with helpful advice.
            
            Independent publishers, colleges, training
            centers, and vendors also offer information and
            training about virus protection and computer
            security.
            
            We especially recommend the following books:
            
            o Ferbrache, David. A Pathology of Computer
              Viruses. London: Springer-Verlag, 1992.
              (ISBN 0-387-19610-2)

            o Hoffman, Lance J. Rogue Programs: Viruses,
              Worms, and Trojan Horses. Van Nostrand
              Reinhold, 1990. (ISBN 0-442-00454-0)

            o Jacobson, Robert V. The PC Virus Control
              Handbook, 2nd Ed. San Francisco: Miller
              Freeman Publications, 1990. (ISBN 0-87930-194-0)

            o Jacobson, Robert V. Using McAfee Associates
              Software for Safe Computing. New York:
              International Security Technology, 1992.
              (ISBN 0-9627374-1-0)

            In addition, the following sources can provide
            useful information about viruses:
            
            o National Computer Security Association (NCSA)
              10 South Courthouse Avenue
              Carlisle, PA 17013

            o CompuServe VIRUSFORUM

            o Internet comp.virus newsgroup











           Using VirusScan (Version 2.1.1)                           10
            
            CHAPTER 2: DON'T SKIP THIS CHAPTER
            or, What You Really Need to Know About VirusScan
            
            We're serious about this. Installing and running
            the VirusScan(TM) programs is not like using
            other software. Even if you are a personal
            computer power user, use the VirusScan
            installation procedure and follow the tasks in
            this chapter.
            
            The reason is to avoid spreading a computer
            virus infection. Viruses spread when you start
            your computer (sometimes called booting) from an
            infected disk, or when you run an infected
            program. If your computer is infected,
            installing and running VirusScan on your hard
            disk may spread the infection, even to the
            VirusScan programs themselves. The tasks in this
            chapter will ensure that you have a clean
            environment to detect, eradicate, and prevent
            viruses.
            
            This is like a surgical team establishing a
            "sterile field" before performing surgery. Once
            it is established, they make sure that
            everything brought into the field has already
            been sterilized. In this procedure, you will
            create a clean anti-viral start-up diskette with
            which you can always re-establish the sterile
            field.
            
            Your VirusScan diskette is write-protected to
            ensure that no virus can alter the programs and
            information stored there. Under no circumstances
            should you remove the write protection.
            
            Here's a summary of the tasks you'll follow in
            this chapter:
            
            o Installing VirusScan
            o Scanning your system.
            o If you detect a virus.
            o Activating VShield(TM).
            o Making a clean start-up (boot) diskette.
            o Running the VirusScan programs.
            o When to scan for viruses.
            o Updating VirusScan regularly.

            
            
            
            

           Using VirusScan (Version 2.1.1)                           11
            
            NOTE: Because OS/2 programs run in a protected
            mode, OS/2 systems are not vulnerable to viruses
            as DOS and Windows systems are. Many OS/2 users
            run DOS and Win-OS/2 sessions, however, and they
            are still vulnerable. By using the VirusScan
            programs as described in this manual, you can
            protect the DOS and Win-OS/2 portions of your
            OS/2 system from infection.
            
            INSTALLING VIRUSSCAN

            This task explains how to check your system and install the
            VirusScan software under DOS, Windows, or OS/2. Don't use
            any other method to install VirusScan, or you risk spreading
            a virus.
            
            INSTALLATION STEPS

            Start from the system prompt (C:\> or [C:\]). If you are
            running Windows or an application program, exit from it to
            display the prompt. If you are running OS/2, close all DOS
            and Win-OS/2 sessions open the Command Prompts folder in the
            OS/2 System folder, and click on either the OS/2 Full Screen
            or OS/2 Window icons.

            After typing each entry on the command line, press <ENTER>.

            1. Create a directory to contain the VirusScan files, as
               in the following example:

                    C:\> mkdir c:\mcafee

               and press <ENTER>. 

               If you have an earlier version of VirusScan already
               installed, create a separate directory (such as 
               c:\newvscan) for the new version. (You should test 
               the new version before removing the earlier version.)

            2. Copy the VirusScan archived (.ZIP) file to this 
               directory, as in the following example:

                    C:\> copy c:\download\*.zip c:\mcafee

               and press <ENTER>.

            3. Change to the VirusScan directory you just created,
               as in the following example:

                    C:\> cd c:\mcafee

               and press <ENTER>.

           Using VirusScan (Version 2.1.1)                           12
            
            4. Unzip the file using PKUNZIP.EXE, as in the following
               example:

                    C:\mcafee> PKUNZIP *.ZIP

               and press <ENTER>.
            
            5. Run VirusScan to check your local hard disk(s) by
               typing:

                    c:\mcafee> scan /adl

               and pressing <ENTER>. It may take several minutes
               for the Scan program to check for viruses in memory,
               then on the system and user portions of your drives.
               Scan keeps you informed of its progress. Read the
               information carefully, and write down the name of any
               viruses Scan reports.

            6. If Scan reports no virus found, congratulations--
               most likely your system is currently virus-free. 
               Continue with "Making a Clean Start-Up Diskette" 
               in this chapter.

               If Scan finds one or more viruses, you'll see a message like:
               
                    Found the Jerusalem Virus

               and installation will stop. Don't panic, even if the
               virus has infected many files. At the same time, don't
               run any other programs, especially if the virus is
               found in memory. Go directly to "If you detect a virus"
               later in this chapter for further instructions.

            7. Create a directory on your hard disk to store the
               VirusScan files in by typing:

                    C:\> mkdir mcafee

               and pressing <ENTER>.

            8. Copy the VirusScan files from the 'VirusScan Program
               Diskette' in drive A: to your hard disk by typing:

                    C:\> copy a:\*.* c:\mcafee

               and pressing <ENTER>.  VirusScan has now been installed
               onto your hard disk.  Now your system's startup files
               must be modified to find VirusScan on your system.

               


           Using VirusScan (Version 2.1.1)                           13
            
            9. DOS and Windows users: Using a text editor program, 
               load your AUTOEXEC.BAT file.  Locate the path statement,
               which typically begins with a 'PATH' or 'SET PATH ='
               statement.  Place your cursor at the end of this line
               and type:

                    ;C:\MCAFEE

               and press <ENTER>.  Now save your AUTOEXEC.BAT file and
               exit the editor.

               NOTE: If a semi-colon ";" is already present at the end
                     of the line, do not add one to the path statement.

               OS/2 users: Make the same change listed above to the
                           'SET PATH=' and 'SET LIBPATH=' statements in
                           your CONFIG.SYS file. Now save your CONFIG.SYS
                           file and exit the editor.

            Congratulations! You've successfully installed VirusScan.
            Restart your computer now and continue with this chapter to
            see how you can use VirusScan to keep your computer virus-
            free. We recommend looking over the following sections in
            this chapter:

            o "Scanning Your System"
            o "If You Detect A Virus"
            o "Activating VShield"
            o "Making A Clean Start-Up Diskette"

            Continue with the remaining tasks in this chapter, beginning
            with "Running the VirusScan Programs" to find out how and
            when to run and update the VirusScan programs.
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            


           Using VirusScan (Version 2.1.1)                           14
           
            SCANNING YOUR SYSTEM
            
            VirusScan's Scan program examines your PC and
            disks to detect viruses there. The first time
            you run Scan, do so from the original, write-
            protected diskette so that the programs
            themselves cannot be infected.
            
            Start from the system prompt (C> or [C:\]). 
            If you are running Windows or an application
            program, exit from it to display the prompt. If
            you are running OS/2, close all DOS and Win-OS/2
            sessions; then open the Command Prompts folder
            in the OS/2 system folder, and click the OS/2
            Full Screen or OS/2 Window icon.
            
            After typing each entry on the command line,
            press [Enter]. If you include the /REPORT
            option, Scan saves a report of infected files
            and any system errors to a log file that you
            specify.

            1. Insert the VirusScan program diskette in drive A.

            2. Scan your C drive for known viruses by typing:

               DOS or Windows
                    C> a:scan c: /report c:\virus.log
               
               OS/2 
                    [C:\] a:os2scan c: /report c:\virus.log
            
               Or, if you have more than one hard drive, scan
               them in the same way. For example, if you have C
               and D drives:
            
               DOS or Windows
                    C> a:scan c: d: /report c:\virus.log
            
               OS/2
                    [C:\] a:os2scan c: d: /report c:\virus.log
            
               You can also scan all local drives using the
               /ADL option. For example:
            
               DOS or Windows
                    C> a:scan /adl /report c:\virus.log
            
               OS/2
                    [C:\] a:os2scan /adl /report c:\virus.log
            


           Using VirusScan (Version 2.1.1)                           15
               
               It may take several minutes for the Scan program
               to check for viruses in memory, then on the
               system and user portions of your drives. Scan
               keeps you informed of its progress. Read the
               information on the screen carefully. Below is a
               sample of what Scan reports when checking a
               drive for viruses.

               Ŀ
                 Virus data file V2.1.204 created Thu Jun 02     
                 12:17:53 1994                                   
                                                                 
                 No viruses found in memory.                     
                                                                 
                 Scanning C:                                     
                 Summary report on C:                            
                 File(s)                                         
                       Analyzed:.......         1500             
                       Scanned:........          750             
                       Possibly Infected:.......   0             
                       Master Boot Record(s):..    1             
                       Possibly Infected:.......   0             
                       Boot Sector(s):.........    1             
                       Possibly Infected:.......   0             
                                                                 
                 Time: 60.00 sec.                                
               
            
            3. If Scan reports No viruses found,
               congratulations--most likely your system is
               currently virus-free. Skip to "Activating
               VShield" later in this chapter.

               If Scan finds one or more viruses, you'll see a
               message like:

               Ŀ
                 Scanning C:                                     
                 Scanning file C:\DOS\ATTRIB.EXE                 
                 Found the Jerusalem Virus                       
               
          
               DON'T PANIC, even if the virus has infected many
               files. At the same time, don't run any other
               programs, especially if the virus is found in
               memory. Turn to "If you detect a virus" later 
               in this chapter, where VirusScan will help you 
               eradicate it.
            
            NOTE: Scan has many options to control and fine-
            tune the scope, validation, and operation of its
            scan. For details, see Chapter 3 and "Detecting
            new and unknown viruses" in Chapter 5.
           Using VirusScan (Version 2.1.1)                           16            
            
            IF YOU DETECT A VIRUS
            
            In this task, you will run Scan with the /CLEAN
            option to eradicate most known viruses from your
            disks.
            
            NOTE: If you are at all unsure about how to
            proceed once you've found a virus, contact
            McAfee for assistance (see "Technical support"
            in Chapter 1).
            
            We strongly recommend that you get experienced
            help in dealing with viruses if you are
            unfamiliar with anti-virus software and methods.
            This is especially true for "critical" viruses
            and master boot record (MBR or so-called
            "partition table")/boot sector infections,
            because improper removal of these viruses can
            result in the loss of all data and use of the
            infected disks.
            
            RESTART FROM A CLEAN ENVIRONMENT
            
            You must run Scan from a clean, virus-free
            environment. With DOS or Windows, restart from a
            clean diskette. With OS/2, simply close all DOS
            and Win-OS/2 sessions.
            
            DOS OR WINDOWS
            
            With DOS or Windows, the only way to ensure a
            clean environment is to turn your computer off
            to eliminate any viruses in memory, then restart
            from a virus-free diskette, preferably the
            original, write-protected DOS installation
            diskette that came with your computer. If you
            don't have one, borrow or buy one; don't use a
            diskette that might be infected. (See "Making a
            clean start-up diskette" later in this chapter
            for instructions. Create this diskette after you
            clean your system.)
            
            1. Turn off your computer. (Don't just reset or
               reboot, which may leave some viruses intact
               in the computer's memory.)








           Using VirusScan (Version 2.1.1)                           17            
            
            2. Make sure your clean boot (start-up) diskette
               is write-protected.

               o For a 3.5" diskette, slide its corner tab so
                 that the square hole is open.

               o For a 5.25" diskette, cover its corner notch
                 with a write-protect tab. Be sure to use the
                 write-protect stickers provided with your
                 diskettes, not tape.
            
            3. Insert your start-up diskette in drive A.

            4. Turn on your computer and wait until you see
               the system prompt (probably A>). Don't run
               any programs on your hard disk, or you may
               reactivate the virus.

            OS/2
            
            With OS/2, you can eliminate any viruses from
            memory by closing all DOS, Win-OS/2, and virtual
            DOS machine (VDM) sessions. Because OS/2
            programs run in protected mode, viruses cannot
            spread between them.
            
            BACK UP YOUR HARD DISK
            
            Some viruses may leave certain disks or files
            unusable when cleaned up. To increase your
            chance of recovery, boot from a clean copy of
            the operating system, then copy all the files on
            all of your hard disks onto fresh diskettes or a
            backup tape. You can use a commercial backup
            program, or the one included with DOS or OS/2.
            Scan the program disk first to make sure that
            the backup program itself is not infected. Do
            not run the backup program if it is infected.
            Instead, reload it from your original
            installation diskettes.
            
            Although some of the backed-up files may be
            infected, it is better to have current copies
            than not. However, don't overwrite previous
            backup disks or tapes, which may or may not be
            infected.
            
            





           Using VirusScan (Version 2.1.1)                           18
            
            RUN SCAN WITH THE /CLEAN OPTION
            
            Start from the system prompt (probably A> or
            [A:\]). If you are running OS/2, open the
            Command Prompts folder in the OS/2 system
            folder, and click the OS/2 Full Screen or OS/2
            Window icon.
            
            After typing each entry on the command line,
            press [Enter].

            1. Insert the VirusScan program diskette in drive A.
            
            2. Eliminate the first known virus on your hard
               drive(s) by typing:

               DOS or Windows
               A> a:scan /adl /clean
            
               OS/2
               [A:\] a:os2scan /adl /clean
            
            Scan keeps you informed of its progress and
            generally reports virus removed successfully. If
            Scan reports that the virus could not safely be
            removed, see the next section, "If viruses were
            not removed, contact technical support."
            
            NOTE: Scan has options to control and fine-tune
            the scope, validation, and operation of its
            disinfection. For details, see "Scan option
            descriptions" in Chapter 3.
            
            IF VIRUSES WERE NOT REMOVED, CONTACT TECHNICAL SUPPORT
            
            If Scan can't remove a virus, it will tell you:
            
                 Virus cannot be removed from this file.
            
            Make sure to take note of the filename, because
            you will need to restore it from backups. Run
            Scan again, this time using the /CLEAN and /DEL
            options to delete the remaining infected files,
            as described in Chapter 3. If you have any
            questions, contact McAfee (see "Technical
            support" in Chapter 1).
            
            





           Using VirusScan (Version 2.1.1)                           19
            
            IF VIRUSES WERE SAFELY REMOVED, RESCAN AND CHECK DISKETTES
            
            If Scan has successfully removed all the
            viruses, restart your computer. Restart
            installation as described in "Installing
            VirusScan" earlier in this chapter. Thereafter,
            you can proceed to "Making a clean start-up
            diskette" and "Running the VirusScan programs"
            later in this chapter.
            
            One common source of virus infection is floppy
            diskettes. Once you've finished installing
            VirusScan on your hard disk, use Scan again to
            examine and disinfect the diskettes you use, as
            described in "When to rescan" later in this
            chapter.
            
            FALSE ALARMS
            
            Due to the nature of anti-virus software, there
            is a possibility that Scan may report a virus in
            a file that is not infected. This can be more
            likely if you are using more than one brand of
            virus protection software, especially if the
            virus is reported in memory and not anywhere on
            the disk when you boot.
            
            If Scan reports a virus infection that you
            suspect may be in error, contact McAfee (see
            "Technical support" in Chapter 1). You can
            upload the file to our bulletin board system at
            (408) 988-4004, along with your name, address,
            daytime telephone number, and electronic mail
            address (if any).
            
            ACTIVATING VSHIELD
            
            VirusScan's VShield program can help prevent
            viruses from infecting your system. It runs as a
            "terminate-and-stay-resident" (TSR) program,
            remaining in memory and scanning and
            intercepting programs as they are executed.
            
            To activate VShield at any time:
            
            o DOS or Windows
              Restart your computer by pressing [Ctrl]+[Alt]+[Del], 
              or by turning it off and then on again, or any 
              other reset method.




           Using VirusScan (Version 2.1.1)                           20
            
            o OS/2
              Restart all DOS and Win-OS/2 windows. If you have 
              difficulties running VShield, it may be due to 
              conflicts with other TSR programs in your system, 
              or with other programs that monitor disk access. 
              See "VShield option summary" in Chapter 4 and 
              "Troubleshooting VShield" in Chapter 5 for more 
              information. Contact McAfee technical support if you
              need help (see "Technical support" in Chapter 1).
            
            VShield minimizes the use of conventional memory
            by attempting to load into extended, expanded,
            upper memory, or a combination of them, before
            using conventional memory. For extreme memory
            limitations, you can use VShield's /SWAP option
            to reduce memory requirements to 7Kb, although
            this decreases VShield's speed. For details, see
            Chapter 4.
            
            NOTE: VShield has options to control and fine-
            tune the scope, validation, and operation of its
            virus prevention. For details, see Chapter 4. 1
            When used in conjunction with some Scan options,
            VShield can help protect your system from new
            and unknown viruses. For details, see "Detecting
            new and unknown viruses" in Chapter 5. 1 In
            OS/2, VShield runs in DOS and Win-OS/2 sessions
            only, because viruses can operate only in those
            sessions. 1 In Windows, you can use the VShield
            icon to turn messages from VShield on and off.
            (VShield itself, however, remains active.) For
            details, see Chapter 4.
            




















           Using VirusScan (Version 2.1.1)                           21
            
            MAKING A CLEAN START-UP DISKETTE
            
            In DOS or Windows, create a clean anti-viral
            start-up (boot) diskette that you can use to
            regain your "sterile field" if your system
            becomes infected. This is not necessary in OS/2,
            although it will be helpful to make backup
            copies of your OS/2 installation diskettes.
            
            DOS OR WINDOWS
            
            In DOS, start from the system prompt (C>). In
            Windows, you may open a DOS window, or duplicate
            these steps with the Windows File Manager.
            
            1. Insert a blank or dispensable diskette in
               drive A. Make sure the diskette contains no
               important information, as this procedure will
               overwrite it.

            2. Format it as a start-up diskette with the
               system files by typing:

                    C> format a: /s/v/u
            
               NOTE: If you are using a version of DOS before
               DOS 5.0, do not type the /U option. The  /U
               option in recent DOS versions ensures that
               the system portions of the diskette are
               overwritten.

               When prompted for a volume label, enter
               virusfree01 or another name of up to 11
               characters.

            3. Copy the Scan program to the diskette. Here's
               one way to do this, assuming that your VirusScan 
               files are stored in C:\MCAFEE\VIRUSCAN:

                    C> copy c:\mcafee\viruscan\scan.exe a:
                    C> copy c:\mcafee\viruscan\scan.dat a:
                    C> copy c:\mcafee\viruscan\clean.dat a:
                    C> copy c:\mcafee\viruscan\names.dat a:

            
            
            
            
            
            
            
            

           Using VirusScan (Version 2.1.1)                           22
            
            4. Copy useful DOS programs to the diskette.
               Here's one way to do this, assuming that your
               DOS files are stored in C:\DOS:

                    C> copy c:\dos\chkdsk.* a:
                    C> copy c:\dos\debug.* a:
                    C> copy c:\dos\diskcopy.* a:
                    C> copy c:\dos\fdisk.* a:
                    C> copy c:\dos\format.* a:
                    C> copy c:\dos\label.* a:
                    C> copy c:\dos\mem.* a:
                    C> copy c:\dos\sys.* a:
                    C> copy c:\dos\unerase.* a:
                    C> copy c:\dos\xcopy.* a:

               In the same way, copy other DOS programs that
               you think might be useful.
            
               NOTE: If you use a disk compression utility, be
               sure to copy the drivers required to access
               the compressed disks onto the clean start-up
               diskette.

            5. Remove the diskette from the drive and write-
               protect it so that it cannot become infected.

               o For a 3.5" diskette, slide its corner tab so
                 that the square hole is open.

               o For a 5.25" diskette, cover its corner notch
                 with a write-protect tab. Be sure to use the
                 write-protect stickers provided with your
                 diskettes, not tape.

            6. Label the diskette "Virus-Free start-up" and
               put it away in a secure place in case you
               need to reestablish a virus-free environment
               in the future. You may want to note the date
               and versions of DOS and VirusScan on the label.
            
            OS/2
            
            With OS/2, you don't need a virus-free start-up
            disk. However, it will be helpful to keep a
            clean copy of important files. Copy the
            VirusScan OS/2 program and data files and your
            CONFIG.SYS, STARTUP.CMD and AUTOEXEC.BAT files
            onto a clean start-up diskette. Write-protect
            the diskette, label it, and put it away in a
            secure place.
            


           Using VirusScan (Version 2.1.1)                           23

            RUNNING THE VIRUSSCAN PROGRAMS
           
            DOS
            
            To run the VirusScan programs from the DOS
            command prompt, type the program name (SCAN or
            VSHIELD) on the command line. Follow the program
            name with the drive (if applicable to the
            program) and whatever options you want.
            
            NOTE: If you have not changed the path statement
            in your AUTOEXEC.BAT file, you will need to
            include its location (usually
            C:\MCAFEE\VIRUSCAN) in the command, or change to
            that directory.
            
            For example, to examine a diskette in drive A:
            
                 C> c:\mcafee\viruscan\scan a:
            
            EXCEPTION: If Scan detects a virus in memory or
            on your hard disk, don't run Scan with the
            /CLEAN option from C:\MCAFEE\VIRUSCAN. Instead,
            restart your computer and run Scan from your
            clean start-up diskette as described in "If you
            detect a virus" earlier in this chapter.
            
            VirusScan can list the viruses it detects. To
            view this list, run Scan with the /VIRLIST
            option, as described in Chapter 3.
            
            WINDOWS
            
            The Windows installation procedure installs
            icons for Scan for Windows and VShield in the
            McAfee group. To use them, open the folder and
            double-click the program icon. See Chapter 3 for
            instructions on using Scan for Windows.
            
            NOTE: If a virus is active in memory, do not use
            interactive Scan to remove it, because Windows
            or other system files might be infected and you
            risk spreading the virus.
            
            If you've detected such a virus, restart your
            computer and run Scan from your clean start-up
            diskette, as described in "If you detect a
            virus" earlier in this chapter.
            



            
           Using VirusScan (Version 2.1.1)                           24

            VSHIELD AND WINDOWS
            
            You can add a line to your AUTOEXEC.BAT file that 
            automatically activates VShield whenever you start 
            or restart your computer. In Windows, it also gives 
            you a VShield icon that you can click to turn VShield
            messages on or off.
            
            NOTE: You can change VShield options from the
            DOS command line by removing VShield from memory
            and rerunning it, by editing the VSHIELD command
            in your AUTOEXEC.BAT file, or by editing the default 
            configuration file. See Chapter 4 for details.
            
            OS/2
            
            To run Scan from OS/2, open the Command Prompts
            folder in the OS/2 system folder and click the
            OS/2 Full Screen or OS/2 Window icon. Next, type
            the program name (os2scan) on the command line.
            Follow the program name with the drive,
            directory, or file(s) you want to scan and the
            options you want to use.
            
            NOTE: If you have not changed the PATH and
            LIBPATH statements in your CONFIG.SYS file, you
            will need to include its location (usually
            C:\MCAFEE\VIRUSCAN) on the command line, or
            change to that directory.
            
            For example, to examine a diskette in drive A:
            
                 [C:\] c:\mcafee\viruscan\os2scan a:
            
            NOTE: VShield does not run in OS/2 sessions,
            only under DOS and Win-OS/2 sessions inside of
            OS/2. You can place the VShield command in your 
            AUTOEXEC.BAT file, where it will run automatically 
            when you start a DOS or Win-OS/2 session. You can 
            also run it from the DOS command line, as described 
            earlier in this section.
            
            
            
            
            
            
            
            
            
            
            
            
           Using VirusScan (Version 2.1.1)                           25
            
            WHEN TO RESCAN
            
            Although VShield will monitor your software for
            viruses, it's wise to scan your disks when you
            introduce new programs, or disks that may be
            infected. New programs and files are generally
            introduced in two ways: by inserting a diskette
            and booting from it, and by installing new
            programs. It is also possible to download a
            virus inadvertently via a modem, but this is
            very rare.
            
            You can use VShield with the /ANYACCESS option
            to scan diskettes automatically. For more
            information, see "/ANYACCESS" in "VShield option
            descriptions" in Chapter 4.
            
            For instructions on running VirusScan, see
            "Running the VirusScan programs" earlier in this
            chapter.
            
            WHEN YOU INSERT AN UNCHECKED DISKETTE
            
            Every time you insert a new diskette in your
            drive, run Scan on it before executing,
            installing, or copying its files. If you have
            several diskettes to scan, you can scan them
            consecutively using the /MANY option described
            in Chapter 3. In fact, we recommend doing this
            now with all the diskettes you normally use, as
            well as diskettes received from friends,
            coworkers, salespeople, and even your own
            diskettes if they have been in another PC.
            
            WHEN YOU INSTALL OR DOWNLOAD NEW FILES
            
            Every time you install new software on your hard
            drive, or download executable files from a
            network server, bulletin board, or on-line
            service, run Scan on the directory in which the
            files were placed before you execute the files.
            
            UPDATING VIRUSSCAN REGULARLY
            
            Unfortunately, new viruses (and variants of old
            ones) appear and circulate often in the personal
            computer community. Fortunately, McAfee updates
            the VirusScan programs regularly--usually
            monthly, but sooner if many new viruses have
            appeared. Each new version may detect and
            eradicate as many as 60-100 new viruses or more,
            and may add new features. To find out what's
            new, review the README.1ST text file.
           Using VirusScan (Version 2.1.1)                           26
            
            DOWNLOAD NEW VERSIONS
            
            As a VirusScan licensee, you may download new
            versions without charge for one year from your
            date of purchase. Use your communications
            software to download new versions from the
            McAfee bulletin board, CompuServe, or the
            Internet. See Chapter 1 and Appendix A for more
            information.
            
            New versions of McAfee software are stored in
            compressed form to reduce transmission time.
            
            NOTE: Always download and decompress the files
            in a separate directory from your current files.
            That way, if you discover a problem with the new
            files, you'll still have the old ones.
            
            VALIDATE VIRUSSCAN
            
            When you download a program file from any source
            other than the McAfee bulletin board or other
            McAfee service, it's important to verify that it
            is authentic, unaltered, and uninfected. McAfee
            anti-virus software includes a program called
            Validate that helps you do this. When you
            receive a new version of VirusScan, run Validate
            on all of the program files.
            
            To do this for Scan, start from the system prompt 
            (C> or [C:\]):

            1. Navigate to the directory to which you've
               downloaded the files. For example, if you've
               stored the files in C:\MCAFEE\DOWNLD\VIRUSCAN:

                  C> c:
                  C> cd \mcafee\downld\viruscan

            2. Type the command:

               DOS or Windows
                  C> validate scan.exe
            
               OS/2
                  [C:\] os2val os2scan.exe

            3. Compare the results with the information in
               the PACKING.LST file or other text file for
               the program you validated. If the validation
               results match what's in the file, it is
               highly unlikely that the program has been
               modified.
           Using VirusScan (Version 2.1.1)                           27
            
            UPDATE YOUR CLEAN START-UP DISKETTE
            
            Once you have validated the new version, copy it
            into your C:\MCAFEE\VIRUSCAN directory. In
            addition, copy the Scan program onto your clean
            start-up diskette. Below is one way to do this;
            you may also use the Windows File Manager or the
            OS/2 environment.
            
            Note any changes you've made to default options,
            because you may want to select and save them
            again. Start from the system prompt (C> or
            [C:\]).
            
            1. Navigate to the directory to which you've retrieved
               the files, such as C:\MCAFEE\DOWNLD\VIRUSCAN:
            
                     C> c:
                     C> cd \mcafee\downld\viruscan

            2. Copy the contents of the directory to 
               C:\MCAFEE\VIRUSCAN:

                    C> copy *.* c:\mcafee\viruscan

            3. Temporarily remove write-protection from your
               clean start-up diskette and insert it in
               drive A.

               o For a 3.5" diskette, slide its corner tab so
                 that the square hole is closed.

               o For a 5.25" diskette, remove the tab from its
                 corner notch.

            4. Copy the Scan program to the diskette.

               DOS or Windows
                  C> copy SCAN.EXE a:
           
               OS/2
                  [C:\] copy OS2SCAN.EXE a:
            
            5. Remove the diskette from the drive and write-
               protect it again.








           Using VirusScan (Version 2.1.1)                           28
            
            CHAPTER 3: VIRUSSCAN REFERENCE
            
            VirusScan's Scan program detects, identifies,
            and disinfects known DOS computer viruses. Scan
            checks memory and both the system and data areas
            of disks for virus infections. If Scan finds a
            known virus, in most cases it will eliminate the
            virus and fully restore infected programs or
            system areas to normal operation.
            
            To obtain a list of all the viruses that Scan
            detects, run Scan with the /VIRLIST option.
            
            In addition, Scan can also assign validation and
            recovery codes to files, and use those codes to
            detect and treat infection by new and unknown
            viruses. If Scan has stored validation or
            recovery data for files, it may detect file
            changes and warn that infection by an unknown
            virus may have occurred. Scan can also use the
            recovery codes to remove new or unknown viruses
            and restore infected files, master boot records
            (MBRs), and boot sectors.
            
            Scan runs on DOS, Windows, and OS/2. The program
            files are SCAN.EXE (DOS), WSCAN.EXE (Windows),
            MSCAN.EXE (Menu DOS), and OS2SCAN.EXE (OS/2),
            respectively. This chapter describes them all.
            
            NOTE: Because OS/2 operates in a protected mode
            environment, Scan for OS/2 does not check
            memory. To protect against viruses in OS/2 DOS
            and Win-OS/2 sessions, use the VShield (for DOS)
            virus prevention program.
            
            DO YOU NEED TO READ THIS CHAPTER?
            
            Many users will not need the Scan command line
            options described in this chapter. We have
            designed Scan so that basic operation, as
            described in "Scanning your system" and "When to
            rescan" in Chapter 2, will detect most viruses
            in your system. The command line options
            described here offer additional power and
            control over virus detection. They enable you to
            run Scan from batch or script files, and are
            most useful in vulnerable environments and to
            network administrators and information services
            staff.
            



           Using VirusScan (Version 2.1.1)                           29

            SYSTEM REQUIREMENTS AND SUPPORT
           
            Scan requires DOS 3.1 or later, Windows 3.1 or
            later, or IBM OS/2 Version 2.1 or later. Running
            Scan for DOS with command line options requires
            360Kb of free RAM. Running MScan with the
            graphical interface requires 530Kb of free RAM.
            
            Scan works with 3Com 3/Share and 3/Open,
            Artisoft LanTastic, AT&T StarLAN, Banyan VINES,
            DEC Pathworks, IBM LAN Server, Microsoft LAN
            Manager, Novell NetWare, and any other IBMNET-
            or NETBIOS-compatible network operating systems.
            Contact McAfee or your local authorized agent if
            you do not see your network listed (see
            "Technical support" in Chapter 1).
            
            Scan is designed to check for pre-existing
            infections of known and unknown viruses on
            floppy, hard, CD-ROM, and compressed (SuperStor,
            Stacker, DoubleSpace, and so on) disks on both
            stand-alone and networked personal computers, as
            well as network file servers. If you have a
            Novell NetWare/386 V3.1X or 4.01 file server,
            you may want to use the NETShield(TM) virus
            prevention NetWare Loadable Module (NLM) in
            conjunction with Scan.
            
            NOTE: To use Scan to clean up (disinfect) virus-
            infected files, the CLEAN.DAT file must be
            present in the same subdirectory as Scan. If you
            don't have the CLEAN.DAT file, first verify
            whether you should contact your system
            administrator or information systems staff
            directly for virus clean-up. Otherwise, you can
            contact McAfee (see "Technical support" in
            Chapter 1).
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            

           Using VirusScan (Version 2.1.1)                           30            
            
            TECHNICAL OVERVIEW
            
            KNOWN VIRUS DETECTION
            
            Scan detects known viruses by searching the
            system for known characteristics (sequences of
            code) unique to each computer virus and
            reporting their presence if found. For viruses
            that encrypt or cipher their code so that every
            infection is different, Scan uses detection
            algorithms that work by statistical analysis,
            heuristics, and code disassembly.
            
            NEW AND UNKNOWN VIRUS DETECTION
            
            Scan can also check for new or unknown viruses
            by comparing files against previously recorded
            validation data. If a file has been modified, it
            will no longer match the validation data, and
            Scan will report that the file may have become
            infected. With certain options, Scan /CLEAN can
            use the validation and recovery data to restore
            infected files, master boot records (MBRs), or
            boot sectors.
            
            NOTE TO NETWORK USERS
            
            To use Scan on a network drive (or directory),
            you must be connected to that drive and have
            read access to it. Some command line options
            described in this chapter attempt to create,
            change, and delete files. To use these options,
            you must have sufficient access rights. If you
            have questions about access rights, contact your
            network administrator.
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
           Using VirusScan (Version 2.1.1)                           31           
            
            VALIDATING SCAN
            
            The Scan program in your VirusScan package is
            supplied on a write-protected diskette that
            should be secure from infection. We recommend
            that you update your copy of the VirusScan
            programs regularly. You can obtain an upgrade
            from several sources, as described in "Updating
            VirusScan regularly" in Chapter 2.
            
            Before using a new version of Scan for the first
            time, verify that it has not been tampered with
            or infected by using the Validate program, as
            described in "Validate VirusScan" in Chapter 2.
            If your new copy of Scan differs from the
            validation data in the on-line documentation
            file, it may have been damaged. Don't use it,
            and obtain a clean copy of Scan from a known
            source.
            
            Scan performs an integrity test when run. This
            self-check allows Scan to determine if it has
            been modified. If Scan fails its integrity test,
            a warning message appears, and Scan refuses to
            run and returns to the command line prompt. You
            must obtain an undamaged copy before continuing.
            
            RUNNING SCAN FROM THE COMMAND LINE
            
            Scan checks files and other areas of the system
            that can contain computer viruses. When a virus
            is found, Scan identifies the virus and the
            system area or file where it was found.
            
            By default, Scan examines only executable files
            (.EXE, .COM, .SYS, .BIN, .OVL, and .DLL files).
            These are the files most likely to be infected
            with a virus. Once you've installed VirusScan
            and have established a "sterile field" (as
            described in Chapter 2), you might not need to
            scan every file on your system again. Use the
            /ALL option to scan all files on your system.
            See "Scan option descriptions" later in this
            chapter for more information about the /ALL option.
            
            NOTE: The list of extensions for standard
            executables has changed from previous versions
            of VirusScan.
            
            
            
            
            
           Using VirusScan (Version 2.1.1)                           32  

            From DOS or OS/2, you can run Scan from the
            system prompt. (From OS/2, open the Command
            Prompts folder in the OS/2 system folder, then
            click the OS/2 Full Screen or OS/2 Window icon
            to see the system prompt.) The syntax is:
            
            DOS
                 C> scan {drives} [options]
            
            OS/2
                 [C:\] os2scan {drives} [options]
            
            {drives} indicates one or more drives to be
            scanned. You must specify one or more drives to
            scan. If you list a drive like c:, all of its
            subdirectories will be scanned. If you list \,
            only the root directory and boot area of the
            current disk will be scanned. If you list \ or a
            directory, its subdirectories will not be
            scanned unless you use the /SUB option.
            
            [options] indicates one or more of the Scan
            options listed in the next section, "Scan
            command line option summary."
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
           Using VirusScan (Version 2.1.1)                           33            
            
            SCAN COMMAND LINE OPTION SUMMARY
            
            /? or /HELP
              Display help screen (not available in Windows, 
              use Help menu instead).
            
            /ADL
              Scan all local drives (except floppy drives).
            
            /ADN
              Scan all network drives.
            
            /AF {filename}
              Store validation/recovery codes in filename.
            
            /ALERT {servername}
              Alert the servername server about infected files.
            
            /ALL
              Scan all files, not just standard executables.
            
            /APPEND   
              Append to, rather than overwrite, the file (/REPORT).
            
            /AV
              Add validation/recovery data to program files.
            
            /BOOT
              Scan boot sector and master boot record only.
            
            /CF {filename}
              Check validation/recovery codes in filename.
            
            /CLEAN    
              Clean up infections in boot sector, master 
              boot record, and files when possible.
            
            /CV
              Check validation/recovery data in files.
            
            /DEL
              Overwrite and delete infected files.
            
            /EXCLUDE {filename}
              Exclude from scan any files listed in filename
              (with /AV).
            
            /FAST     
              Speed up VirusScan's scanning; may detect fewer viruses.
           
            /LISTEN {servername}     
              Load Scan and wait for a command from the 
              servername server.
           Using VirusScan (Version 2.1.1)                           34
            
            /LOAD {filename}    
              Use Scan settings stored in filename.
            
            /LOG
              Save date and time VirusScan was last run in SCAN.LOG.
            
            /MANY     
              Scan multiple diskettes.
            
            /MOVE {directory}   
              Move infected files to directory.
            
            /NOCOMP   
              Skip checking compressed executables created 
              with the LZEXE or PKLITE file compression programs.
            
            /NOMEM    
              Skip memory checking (not applicable to OS/2).
            
            /PAUSE    
              Enable screen pause.
            
            /PLAD     
              Preserve last access dates on Novell drives.
            
            /REPORT {filename}  
              Create report of infected files found during scan 
              in filename.
            
            /RF {filename}
              Remove validation/recovery codes in filename.
            
            /RPTCOR   
              Add list of corrupted files to the report file.
            
            /RPTERR   
              Add list of system errors to the report file.
            
            /RPTMOD   
              Add list of modified files to the report file.
            
            /RV  
              Remove validation/recovery data from files.
            
            /SHOWLOG  
              Display information in SCAN.LOG.
            
            /SUB 
              Scan subdirectories inside a directory.

            /VIRLIST  
              Display list of viruses detected by VirusScan.
            
           Using VirusScan (Version 2.1.1)                           35
            
            SCAN OPTION DESCRIPTIONS
            
            Here is a detailed description of Scan's options.
            
            /? or /HELP
            Display list of Scan options
            
            Does not scan. Instead, displays a list of Scan
            command line options with a brief description of
            each. No scanning is performed when these
            options are specified. Use either of these
            options alone on the command line.
            
            
            /ADL
            Scan all local drives (except floppy drives)
            
            Scans all local drives for viruses, in addition
            to those specified on the command line. In DOS,
            use /ADL to check all local drives, including
            compressed drives and CD-ROMs. To scan both
            local and network drives, use /ADL and /ADN
            together in the same command line.
            
            
            /ADN
            Scan all network drives
            
            Scans all network drives for viruses, in
            addition to those specified on the command line.
            To scan both local and network drives, use /ADL
            and /ADN together in the same command line.
            
            
            /AF {filename}
            Store validation/recovery codes in file
            
            Helps you detect and recover from new or unknown
            viruses. /AF logs validation and recovery data
            for executable files, boot sector, and master
            boot record (MBR) of a disk in the file you
            specify. The log file is about 95 bytes per file
            validated. You must specify a filename, which
            can include the target drive and directory (such
            as D:\VSVALID\VALCODES.VSC). If the target path
            is a network drive, you must have rights to
            create and delete files on that drive. If
            filename exists, Scan updates it. /AF adds about
            300% more time to scanning.
            
            
            
            
           Using VirusScan (Version 2.1.1)                           36            

            To exclude self-modifying or self-checking files
            that might cause false alarms, use the /EXCLUDE
            option. To recover from a virus using the /AF
            information, use the /CF and /CLEAN options
            together in the same command line. Using any of
            the /AF, /CF, or /RF options together in the
            same command line returns an error.
            
            NOTE: /AF performs the same function as /AV, but
            stores its data in a separate file rather than
            changing the executable files themselves. For
            more information, see "Detecting new and unknown
            viruses" in Chapter 5.
            
            
            /ALERT {servername}
            Alert the server about infected files (OS/2 only)
            
            Notifies the servername server if infected files
            are detected during the scan. Using /ALERT and
            /LISTEN in the same command line returns an
            error. See your Command & Control Server
            documentation for more information.
            
            
            /ALL
            Check all files, not just standard executable files.
            
            Increases system security by performing a more
            thorough scan. Otherwise, Scan checks only
            standard executable files (with .COM, .EXE,
            .SYS, .BIN, .OVL, and .DLL extensions), which
            are the files most likely to be infected by a
            virus. If /ALL is specified, Scan checks all
            files on the specified drive, which increases
            Scan's ability to detect viruses in overlay
            files but substantially increases the scanning
            time required. Use this option if you have found
            a virus or suspect one. (Note that the list of
            extensions for standard executables, above, has
            changed from previous releases of VirusScan.)
            
            
            /APPEND
            Append to the report file.
            
            Used in conjunction with /REPORT, appends the
            report message text to the specified report
            file, if it exists. Otherwise, the /REPORT
            option overwrites the specified report file, if
            it exists.
            
            
           Using VirusScan (Version 2.1.1)                           37            

            /AV
            Add validation/recovery data to files
            
            Helps you detect and recover from new or unknown
            viruses. /AV adds recovery and validation data
            to each standard executable file (.EXE, .COM,
            .SYS, .BIN, .OVL, and .DLL), increasing the size
            of each file by 98 bytes. To update files on a
            shared network drive, you must have update
            access rights. The /AV option adds about 100%
            more time to scanning.
            
            To exclude self-modifying or self-checking files
            that might cause false alarms, use the /EXCLUDE
            option. To recover from a virus using the /AF
            information, use the /CV and /CLEAN options
            together in the same command line. Using any of
            the /AV, /CV, or /RV options together in the
            same command line returns an error.
            
            NOTE: The /AV option does not store any
            information about the master boot record (MBR)
            or boot sector of the drive being scanned.
            
            
            /BOOT
            Scan boot sector and master boot record only
            
            Scans the boot sector and master boot record on
            the specified drive(s), but not files or
            directories on those drives.
            
            
            /CF {filename}
            Check validation/recovery codes in file
            
            Helps you detect new or unknown viruses. Checks
            validation data stored by the /AF option in
            filename. If a file or system area has changed,
            Scan reports that a viral infection may have
            occurred. The /CF option adds about 250% more
            time to scanning. For more information, see
            "Detecting new and unknown viruses" in Chapter
            5. You can use /CF and /CLEAN in the same
            command line to check validation/recovery codes
            and remove any viruses found. Using any of the
            /AF, /CF, or /RF options together in a command
            line returns an error.
            
            
            
            

           Using VirusScan (Version 2.1.1)                           38
            
            NOTE: Some older Hewlett-Packard and Zenith PCs
            modify the boot sector each time the system is
            booted. If you use /CF or /CV, Scan continuously
            reports that the boot sector has been modified
            even though no virus may be present. Check your
            system's reference manual to determine whether
            your PC has self-modifying boot code, or contact
            McAfee for help (see "Technical support" in
            Chapter 1)  1 OS/2 dual boot systems change the
            boot sector between DOS and OS/2 depending on
            which operating system is active. This causes
            Scan to report that the boot sector has been
            modified.
            
            
            /CLEAN
            Remove viruses from boot sector, master boot
            record, and infected files
            
            Attempts to restore the boot sector, if
            infected, and any infected files. Usually,
            between 10% and 20% of all viruses are not
            removable; they damage the file they infect
            beyond repair. If the infected file resides on a
            network drive, you must have rights to modify
            files on that drive to clean it. If it cannot
            restore a file, you'll see a message that
            identifies the name of the unrecoverable file.
            To use /CLEAN, the CLEAN.DAT file must reside in
            the Scan directory. For more information, see
            "Cleaning viruses" later in this chapter.
            
            Use /CLEAN instead of /DEL when you want to
            restore infected files, not just delete or
            overwrite them. The /CLEAN option can remove
            master boot record (MBR) and boot sector
            viruses, but the /DEL option cannot. If you use
            /CLEAN and /DEL in the same command line, Scan
            first attempts to disinfect an infected file,
            then deletes it only if it cannot be repaired.
            Similarly, if you use /CLEAN and /MOVE in the
            same command line, Scan first attempts to clean
            an infected file, then moves it to the specified
            subdirectory if the file is unrecoverable.
            
            You can use /CLEAN and /CF or /CV in the same
            command line to check validation/recovery codes
            and remove any viruses found. We strongly
            recommend that you get experienced help in
            dealing with viruses if you are unfamiliar with
            anti-virus software and methods. This is
            especially true for "critical" viruses and
            master boot record (MBR)/boot sector infections,
            because improper removal of these viruses can
            result in the loss of all data on the infected
            disks.
            
            NOTE: When scanning a network drive using
            /CLEAN, you must have sufficient rights to
            update files on that drive.
            
            
            
            
            
            
            
            
            
            
            
            

           Using VirusScan (Version 2.1.1)                           39            
            
            /CV
            Check validation/recovery data in files
            
            Helps you detect new or unknown viruses. Checks
            validation data added by the /AV option. If a
            file is modified, Scan reports that a viral
            infection may have occurred. The /CV option adds
            about 50% more time to scanning. You can use
            /CLEAN and /CF or /CV in the same command line
            to check validation/recovery codes and restore
            infected files. Using any of the /AV, /CV, or
            /RV options together in the same command line
            returns an error.
            
            For more information, see "Detecting new and
            unknown viruses" in Chapter 5. See also the note
            under /CF in this section.
            
            
            /DEL
            Overwrite and delete infected files
            
            Deletes and overwrites each infected file. Files
            erased by the /DEL option cannot be recovered
            (generate a report so that you can restore them
            from backups). Instead of /DEL alone, we
            recommend using it in combination with the
            /CLEAN option to attempt to disinfect an
            infected file first, then delete it only if the
            file is unrecoverable. The /CLEAN option can
            remove master boot record and boot sector
            viruses, but the /DEL option cannot.
            
           Using VirusScan (Version 2.1.1)                           40            

            NOTE: When scanning a network drive using /DEL,
            you must have sufficient access rights to delete
            files on that drive.
            
            
            /EXCLUDE {filename}
            Scan using exception list file
            
            Allows you to exclude files from /AF or /AV
            validation and /CF or /CV checking. Self-
            modifying or self-checking files can cause a
            false alarm during a scan. To create filename,
            see "Technical note 1: Creating an exception
            list file for the /EXCLUDE option" in this
            chapter.
            
            
            /FAST
            Speed up VirusScan's scanning
            
            Reduces Scan time by about 15%. Using the /FAST
            option, Scan examines a smaller portion of each
            file for viruses, although it examines more
            files overall. Using /FAST might miss some
            infections found in a more comprehensive (but
            slower) scan. Do not use this option if you have
            found a virus or suspect one.
            
            
            /LISTEN {servername}
            Load Scan and wait for a command from the server
            
            Using /LISTEN and /ALERT in the same command
            line returns an error. See your Command &
            Control Server documentation for more
            information.
            
            
            /LOAD {filename}
            Use Scan settings stored in {filename}.
            
            By default, Scan loads its internal default
            settings plus any options specified on the
            command line. You can store all custom settings
            in a separate ASCII text file, then use /LOAD to
            load those settings from that file.
            
            Use a text editor to create the file. You can
            put all options on the same command line or put
            each option (with its parameter) on its own
            line, separated by a hard carriage return and
            line feed, as shown in the following examples.
            
           Using VirusScan (Version 2.1.1)                           41            
            
            Sample load file with all options on the same
            command line:
            
                 m: /report a:infectn.rpt /rptcor /rpterr
            
            Sample load file with each option on a separate
            command line:
            
                 m:
                 /report a:infectn.rpt
                 /rptcor
                 /rpterr
            
            
            /LOG
            Save date and time of last scan
            
            Stores the time and date Scan is being run by
            updating or creating a file called SCAN.LOG in
            the current directory.
            
            
            /MANY
            Scan multiple floppies
            
            Scans multiple diskettes consecutively in a
            single drive. Scan will prompt you for each
            diskette. Once you have established a virus-free
            system, use this option to check multiple
            diskettes quickly.
            
            
            /MOVE {directory}
            Move infected files to directory
            
            Moves all infected files found during a scan to
            the specified directory. If you use /MOVE in
            conjunction with /CLEAN, Scan attempts to
            restore an infected file first, then moves it to
            the specified directory only if the file cannot
            be restored. Using /MOVE and /DEL in the same
            command line returns an error message.
            
            
            
            
            
            
            
            
            
            
            
           Using VirusScan (Version 2.1.1)                           42
            
            /NOCOMP
            Skip checking compressed executable files
            
            Reduces scanning time when a full scan is not
            needed. Otherwise, by default, Scan checks
            inside executable, or self-decompressing, files
            that have been created using the LZEXE or PKLITE
            file compression programs. Scan decompresses
            each file in memory and checks for virus
            signatures, which takes time but results in a
            more thorough scan. If you use /NOCOMP, Scan
            does not check inside compressed files for
            viruses, although it can check for modifications
            to those files if they have been validated using
            validation/recovery codes.
            
            
            /NOMEM
            Skip memory checking
            
            Reduces scan time by omitting all memory checks
            for viruses. Use /NOMEM only when you are
            absolutely certain that your system is virus-
            free.
            
            By default, Scan checks system memory for all
            for critical known computer viruses that can
            inhabit memory. In addition to main memory from
            0Kb to 640Kb, Scan checks system memory from
            640Kb to 1088Kb that can be used by computer
            viruses on 286 and later systems. Memory above
            1088Kb is not addressed directly by the
            processor and is not presently susceptible to
            viruses.
            
            NOTE: /NOMEM is not applicable to OS/2.
            
            
            /PAUSE
            Enable screen pause
            
            If you specify /PAUSE, the More? (H = Help)
            prompt appears when Scan fills up a screen with messages, 
            such as when using the /SHOWLOG or /VIRLIST options.
            Otherwise, by default, Scan fills and scrolls a
            screen continuously without stopping, which
            allows Scan to run on PCs with many drives or
            that have severe infections without requiring
            you to attend. We recommend that you omit /PAUSE
            when keeping a record of Scan's messages using
            the report options (/REPORT, /RPTCOR, /RPTMOD,
            and /RPTERR).
            
           Using VirusScan (Version 2.1.1)                           43            
            
            /PLAD
            Preserve last access dates (on NetWare drives
            only).
            
            Prevents changing the last access date attribute
            for files stored on a network drive in a Novell
            network. Normally, NetWare updates the last
            access date when Scan opens and examines a file.
            However, some tape backup systems use this last
            access date to decide whether to back up the
            file. Use /PLAD to ensure that the last access
            date does not change as the result of scanning.
            
            
            /REPORT {filename}
            Create report of infected files and system errors
            
            Saves the output of Scan to filename in ASCII
            text file format. If filename exists, /REPORT
            erases and replaces it. You can include the
            destination drive and directory (such as
            D:\VSREPRT\ALL.TXT), but if the destination is a
            network drive, you must have rights to create
            and delete files on that drive. You can also use
            /RPTCOR, /RPTMOD, and /RPTERR to add corrupted
            files, modified files, and system errors to the
            report.
            
            
            /RF {filename}
            Remove validation/recovery codes in file
            
            Removes recovery and validation data from
            filename created by the /AF option. If filename
            resides on a shared network drive, you must be
            able to delete files on that drive. Using any of
            the /AF, /CF, or /RF options together in the
            same command line returns an error.
            
            
            /RPTCOR
            Add corrupted files to Scan report
            
            Used in conjunction with /REPORT, adds the names
            of corrupted files to the report file. A
            corrupted file is a file that a virus has
            damaged beyond repair, which typically occurs in
            10% to 20% of all viral infections. You can use
            /RPTCOR with /RPTMOD and /RPTERR on the same
            command line.
            
            
            
           Using VirusScan (Version 2.1.1)                           44            
            
            /RPTERR
            Add errors to Scan report
            
            Used in conjunction with /REPORT, adds system
            errors to the report file.
            
            System errors include problems reading or
            writing to a diskette or hard disk, file system
            or network problems, problems creating reports,
            and other system-related problems. You can use
            /RPTERR with /RPTCOR and /RPTMOD on the same
            command line.
            
            
            /RPTMOD
            Add modified files to the Scan report
            
            Used in conjunction with /REPORT, adds the names
            of modified files to the report file. Scan
            identifies modified files when the
            validation/recovery codes do not match (using
            the /CF or /CV options). You can use /RPTMOD
            with /RPTCOR and /RPTERR on the same command
            line.
            
            
            /RV
            Remove validation/recovery from files
            
            Removes validation and recovery data from files
            validated with the /AV option, along with the
            SCAN.LOG file on the specified drive. To update
            files on a shared network drive, you must have
            access rights to update them. Using any of the
            /AV, /CV, or /RV options together in the same
            command line returns an error.
            
            
            /SHOWLOG
            Update and display the contents of SCAN.LOG
            
            Stores the time and date Scan is being run by
            updating or creating a file called SCAN.LOG in
            the current directory, and shows you the date
            and time of previous scans that have been
            recorded in the SCAN.LOG file using the /LOG
            switch. The SCAN.LOG file contains text and some
            special formatting.  To pause when the screen
            fills with messages, specify the /PAUSE option.
            
            
            
            
           Using VirusScan (Version 2.1.1)                           45

            /SUB
            Scan subdirectories
            
            By default, when you specify a directory to scan
            rather than a drive, Scan will examine only the
            files it contains, not its subdirectories. Use
            /SUB to scan all subdirectories inside any
            directories you've specified. Do not use /SUB if
            you are scanning an entire drive.
            
            
            /VIRLIST
            Display the contents of SCAN.DAT
            
            Shows you the name and a brief description of
            the viruses that VirusScan detects. To pause
            when the screen fills with messages, specify the
            /PAUSE option. Use /VIRLIST alone or with /PAUSE
            on the command line.
            
            You can save the list of virus names and
            descriptions to a file by redirecting the output
            of the command. For example, in DOS:
            
                 scan /virlist > filename.txt
            
            CLEANING VIRUSES
            
            Although /CLEAN removes many viruses and
            restores normal operation, viruses can be
            harmful and insidious, and no anti-virus program
            can undo all their damage. Usually, between 10%
            and 20% of all viruses corrupt the files they
            infect, making them unrecoverable. If the file
            is infected with an uncommon virus that /CLEAN
            can't remove, Scan notifies you and identifies
            the filename. Note this filename so that you
            know what to restore from a backup diskette or
            tape. If you use both the /CLEAN and the /DEL
            options, Scan will first attempt to repair an
            infected file and, if the file is damaged beyond
            repair, Scan will delete it. Deleted files are
            not recoverable except from backups.
            
            Some viruses damage or overwrite program (.EXE)
            files or overlay files. Removing the virus can
            truncate the file or otherwise render it
            inoperable. Others, like the common virus
            Stoned, infect the master boot record (MBR). On
            systems partitioned with programs other than DOS
            (such as Disk Manager and SpeedStor), removing
            the virus can cause loss of the master boot record 
            (MBR) and all data on the disk, if done improperly.
           Using VirusScan (Version 2.1.1)                           46

            BASIC PRINCIPLES TO MINIMIZE DAMAGE
            
            These considerations lead to the three important
            principles:
            
            NOTE: Before running Scan with the /CLEAN
            option, back up all of your programs and data.
            
            Of course, this works best if you back up your
            files regularly, so that you can restore your
            files from a backup made before your system was
            infected. But even a backup from an infected
            system can be useful for restoring data, because
            most viruses do not corrupt data. If a program
            no longer runs after being cleaned, replace it
            from the original disk or from a virus-free
            backup.
            
            1. When disinfecting an infected system, it is
               important to start from a "sterile field," as
               described in Chapter 2.

            2. Before running Scan with the /CLEAN option for
               DOS, restart your computer from a clean,
               write-protected diskette; before running it
               for OS/2, close all DOS and Win-OS/2
               sessions.

               Preferably, use the clean anti-virus start-up
               diskette you created in "Making a clean start-
               up diskette" in Chapter 2. And, because
               running any program can spread the infection:

            3. Do not run any programs, including Windows,
               before running Scan /CLEAN.
            
            Run Scan /CLEAN from DOS instead of Windows.
            Exit completely from Windows. Do not run Scan
            /CLEAN from within a DOS window.
            
            IMPORTANT: If you are at all unsure about how to
            proceed once you've found a virus, contact
            McAfee technical support, or your local
            authorized agent, for assistance (see "Technical
            support" in Chapter 1).
            
            We strongly recommend that you get experienced
            help in dealing with viruses if you are unfamiliar 
            with anti-virus software and methods. This is especially 
            true for "critical" viruses and master boot record (MBR)
            /boot sector infections, because improper removal of 
            these viruses can result in the loss of all data and
            use of the infected disks.
           Using VirusScan (Version 2.1.1)                           47
            
            RUNNING SCAN TO CLEAN UP INFECTIONS
            
            PREPARATION
            
            Before running Scan to clean up infections:

            1. Clear the virus from system memory and prevent
               reinfection:

               o With DOS or Windows, turn off your PC, then
                 restart from a clean start-up diskette,
                 preferably the anti-virus diskette you
                 prepared in "Making a clean start-up
                 diskette" in Chapter 2.

               o With OS/2, close all DOS and Win-OS/2 sessions.

               o With an OS/2 dual-boot system infected by a
                 boot sector virus (like Form, or others
                 identified by Scan), boot (start up) OS/2
                 first, delete the BOOT.DOS file from the \OS2
                 directory, and then boot DOS to create a new,
                 virus-free DOS boot sector file.

            2. Run the Scan program to locate and identify
               the infections.

            3. Back up the files on the infected disks (be
               sure not to overwrite any previous backups).

            4. Repeat Step 1.

            5. Run the Scan program with the /CLEAN option to
               remove infections.

            NOTE: Don't run any programs, including Windows,
            before running Scan /CLEAN.
            
            If you have Windows, run Scan /CLEAN from DOS.
            
            NOTE: When disinfecting a hard disk, always run
            Scan /CLEAN from a write-protected diskette to
            prevent infection of the Scan program. When
            disinfecting diskettes, make sure there is no
            active virus in memory before running Scan from
            your hard disk.
            
            SUCCESSFUL AND UNSUCCESSFUL RESULTS
            
            Scan /CLEAN reports the results of its attempt
            to remove the virus from each infected file. If
            a file has several infections, it will report on
            each.
           Using VirusScan (Version 2.1.1)                           48            
            
            IF VIRUSES WERE NOT REMOVED, CONTACT TECHNICAL SUPPORT
            
            If Scan can't remove a virus, you'll see a
            message like:
            
                 Virus cannot be safely removed from this file.
            
            Make sure to take note of the file name, because
            you will need to restore it from backups. If you
            have any questions about how to proceed, contact
            McAfee technical support or your local
            authorized agent (see "Technical support" in
            Chapter 1).
            
            IF VIRUSES WERE SAFELY REMOVED, RESCAN AND CHECK
            DISKETTES
            
            If Scan /CLEAN has successfully removed all the
            viruses, turn your computer off again and
            restart from the system disk. Scan your hard
            disks again to make sure they are virus-free. If
            you suspect that your system was infected from a
            diskette, run Scan from your hard disk to
            examine and disinfect the diskettes you use.
            




























           Using VirusScan (Version 2.1.1)                           49            
            
            EXAMPLES
            
            These examples show different option settings.
            In OS/2, remember to use OS2SCAN instead of SCAN.
            
                 scan c:
            
            Scan all executable files on drive C.
            
                 scan f:
            
            Scan all standard executable files on drive F, a
            network drive.
            
                 scan c: /adl /adn
            
            Scan all local and network drives (except floppy drives).
            
                 scan f: g: h: /del /all
            
            Scan all files on drives F, G, and H, and delete
            any infected files found.
            
                 scan c: d: e: /av /all
            
            Scan for viruses in all files and add validation
            codes to executable files on drives C, D, and E.
            
                 scan m: /report a:infectn.rpt /rptcor /rpterr /append
            
            Scan for viruses on network drive M: and create
            a log file of infections, corruptions, and
            errors in the file INFECTN.RPT on drive A. This
            will overwrite A:INFECTN.RPT, if it exists.
            
                 scan e:\user\jake e:\user\daisy e:\user\nick /sub
            
            Scan all subdirectories inside the directories
            USER\JAKE, USER\DAISY, and USER\NICK on drive E.
            
                 scan c: d: e: /fast /cv
            
            Quickly scan drives C, D, and E, and report any
            executable files that have associated validation
            codes and have been modified.
            
                 scan c:\command.com
            
            Scan a single file.
            
                 scan c: d: /clean
            
            Scan drives C and D and remove infections.
           Using VirusScan (Version 2.1.1)                           50            

            ERROR LEVELS
            
            After Scan has finished running, it sets the
            ERRORLEVEL. You can use the ERRORLEVEL in batch
            files to take different actions based on the
            results of the scan. See your DOS operating
            system documentation for more information. Scan
            returns the following ERRORLEVELs:
            
            ERRORLEVEL  Description
            
             0   No errors occurred and no viruses were found.
            
             1   Error occurred while accessing a file (reading
                 or writing).
            
             2   A VirusScan database (*.DAT) file is
                 corrupted.
            
             3   An error occurred while accessing a disk
                 (reading or writing).
            
             4   An error occurred while accessing the file created 
                 with the /AF option; the file has been damaged.
            
             5   Insufficient memory to load program or complete 
                 operation.
            
             6   An internal program error occurred.
              
             7   An error in accessing an international message
                 file (MCAFEE.MSG).
            
             8   A file required to run VirusScan, such as SCAN.DAT, 
                 is missing.
            
             9   Incompatible or unrecognized option(s) or option 
                 argument(s) were specified in the command line.
            
            10   A virus was found in memory.
             
            11   An internal program error occurred.
            
            12   An error occurred while attempting to remove
                 a virus, such as no CLEAN.DAT file found, or
                 VirusScan was unable to remove the virus.
            
            13   One or more viruses was found in the master
                 boot record, boot sector, or file(s).
            
            14   The SCAN.DAT file is out of date; upgrade
                 VirusScan data files.
            
           Using VirusScan (Version 2.1.1)                           51            
            15   VirusScan self-check failed. It may be
                 infected or damaged.
            
            16   An error occurred while accessing a specified
                 drive or file.
            
            17   No drive, directory or file was specified;
                 nothing to scan.
            
            18   A validated file has been modified (/CF or
                 /CV options).
            
            19-99 Reserved.
            
            100+ Operating system error; Scan adds 100 to
                 the original error number.
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            

           Using VirusScan (Version 2.1.1)                           52            
            
            APPLICATION NOTE 1  UPDATING VALIDATION CODES
            
            If you install any new software or programs on
            your system, including a new version of DOS, and
            are running Scan or VShield with the /CF
            (preferred) or /CV validation options, you need
            to install validation codes for the new files
            with Scan's /AF (preferred) or /AV options.
            
            The quickest way to update the validation codes
            is to remove all validation codes from the hard
            disk and then add them back. In other words,
            first run Scan with the /RF or /RV option, then
            run it again with the /AF or /AV option.
            
            APPLICATION NOTE 2  REFORMATTING INFECTED
            DISKETTES WITH DOS 5.0 AND LATER
            
            When reformatting infected diskettes using DOS
            5.0 and later versions, be sure to add the /U
            switch to the FORMAT command. This tells DOS to
            do an unconditional format of the diskette,
            without saving the original infected boot
            sector. This is necessary to erase certain
            infections, and will prevent reinfection by
            unformatting the diskette.
            
            
            
            
            
            





















           Using VirusScan (Version 2.1.1)                           53            
            
            TECHNICAL NOTE 1  CREATING AN EXCEPTION LIST
            FILE FOR THE /EXCLUDE OPTION
            
            If you set up validation codes using Scan's /AF
            or /AV options, subsequent scans using the /CF
            or /CV options will detect changes in executable
            files.
            
            This can generate false alarms if the executable
            files are self-modifying or self-checking (most
            programs that do this will tell you to turn off
            your anti-virus software before running them;
            some of these files are listed below).
            Therefore, use the /EXCLUDE option in
            conjunction with /AF or /AV to identify such
            files and exclude them from the validation.
            
            The exception list is an ASCII or DOS text file.
            If you use a word processor to create it, be
            sure to save the file as ASCII or DOS Text. Each
            line in the file contains the path and file name
            of one file that should not be validated. Here
            is an example:
            
                 c:\clipper\bin\clipper.exe
                 c:\123\123.com
                 c:\fox\foxprolx.exe
                 c:\dos\setver.exe
                 c:\pkware\pklite.exe
                 c:\pkware\pkzip.exe
                 c:\pkware\pkunzip.exe
                 c:\semware\q.exe
                 c:\swapvol.com
                 c:\wordstar\ws.exe
            


















           Using VirusScan (Version 2.1.1)                           54
            
            CHAPTER 4: VSHIELD REFERENCE

            VirusScan's VShield(TM) is a memory-resident
            program that helps to prevent virus infection.
            It complements the Scan virus detection program
            as part of your computer security plan. While
            Scan lets you check areas on disks for viruses,
            the VShield program checks these areas
            automatically as they load into your computer's
            memory. This ensures that you don't "catch" any
            new viruses while you're working on your computer.
            
            VShield does this by remaining in memory and:
            
            o Checking master boot records (MBRs), boot
              sectors, system files, and itself for viruses
              when you turn on or reset
              ([Ctrl]+[Alt]+[Del]) your machine.
            
            o Checking program files for viruses as your
              computer executes them.
            
            o Checking files for viruses as you copy them
              (optional).
            
            o Checking for viruses whenever your computer
              accesses a disk (optional).

            Follow the instructions in Chapter 2 to install
            VShield. You can modify your AUTOEXEC.BAT file so 
            that VShield loads into memory every time you turn 
            on your computer.
            
            If VShield finds a virus, you will hear three
            beeps and see a message like:
            
                 Found the Jerusalem Virus in memory
            
            If that happens, don't panic. Turn to Chapter 3
            to find out how to use the Scan program to get
            rid of the virus. If you need additional help,
            contact McAfee (see "Technical support" in
            Chapter 1).
            
            NOTE: There is one way to infect your computer
            that VShield cannot prevent--only you can. Never
            accidentally start your computer from an unknown
            diskette. That's how 80% of all viruses are
            passed! VShield checks diskettes if you warm
            boot, but cannot check them when you cold boot.
            Always make sure your diskette drives are empty
            before you turn your computer on.
            
           Using VirusScan (Version 2.1.1)                           55
            
            VShield runs under DOS, Windows, and OS/2
            Virtual DOS Machine and WIN-OS/2 sessions. The
            program file is VSHIELD.EXE. The file called
            VSHLDWIN.EXE allows VShield to display messages
            from within Windows, and is added to your
            WIN.INI file automatically when you install
            VShield. If you need to conserve memory on your
            system, you can use VShieldCRC, a version of
            VShield that offers fewer protection options but
            requires less memory. The program file is 
            VSHLDCRC.EXE.
            
            A companion program called CheckVShield checks
            whether either VShield or VShieldCRC is loaded
            in memory. The program file is CHKVSHLD.EXE.
            CheckVShield is especially useful for network
            administrators who want to ensure that everyone
            who logs on to the network is running VShield.
            All of these related programs are included in
            your VirusScan disk and described in this chapter.
            
            DO YOU NEED TO READ THIS CHAPTER?
            
            Many users will not need the VShield options
            described in this chapter. We have designed
            VShield so that basic operation--achieved by
            simply installing it in memory as described in
            Chapter 2--provides a high degree of protection
            for most users. The options here offer
            additional power and control for virus
            detection, and are most useful in vulnerable or
            memory-scarce environments and to network
            administrators and information systems staff.
            See "Four levels of protection" and the table
            "Deciding which options are for you" later in
            this chapter for help in deciding how to use VShield.
            
            SYSTEM REQUIREMENTS AND PERFORMANCE
            
            VShield is a terminate-and-stay-resident (TSR)
            program, which remains in memory while you run
            other programs. VShield tries to optimize memory
            usage and minimize conflicts with other TSRs. By
            default, VShield tries to conserve as much
            conventional memory as possible.
            
            If you have only 640Kb or less memory in your
            system, VShield requires about 67Kb of memory.
            By using the /SWAP option, you can reduce this
            to only 7Kb of conventional memory, although
            this will decrease VShield's speed.
            
            
           Using VirusScan (Version 2.1.1)                           56            

            If you have more than 640Kb, VShield tries to
            load as much of itself as possible above
            conventional memory: first into expanded memory
            (EMS), into extended memory (XMS), then into
            upper memory blocks (640Kb to 1024Kb, or UMB).
            If you have sufficient high memory available, 
            VShield or VShieldCRC use no conventional memory.
            
            After VShield loads, you'll see a message that
            describes where VShield loaded into memory and
            how much memory it uses. You can control how
            VShield loads by using the /NOUMB, /NOEMS, and
            /NOXMS options, as described later in this chapter.
            
            NOTE: VShield might require slightly more memory
            as the SCAN.DAT file grows to include more viruses.
            
            VShield adds a small amount of time to program
            loads and reboots. Performance will vary,
            depending on your system. The /SWAP option adds
            more time, because VShield must reload from disk
            to check files. VShieldCRC adds an average of
            one second to each program load.
            
            Once programs have been loaded, VShield does not
            degrade the performance of your system. Programs
            that load other files may run more slowly when
            you use the /FILEACCESS or /ANYACCESS options,
            because these options cause VShield to scan
            files whenever they are accessed, not just when
            they are executed.
            





















           Using VirusScan (Version 2.1.1)                           57            
            FOUR LEVELS OF PROTECTION
            
            You can think of VShield as providing four
            levels of protection. You can use VShield's
            options to customize it for the level of
            protection you need. Level II meets the
            protection needs of most systems.
            
            Level I protection is appropriate for users who
            have very little memory available on their
            systems. It provides only minimal protection.
            
            For Level I protection, first use Scan with the
            /AF or /AV option to add validation codes. Then,
            install VShieldCRC instead of VShield.
            VShieldCRC can inform you that a file has not
            been certified, a file has been modified, a file
            size has changed, or a file has not been added
            to the validation file. VShieldCRC will not
            prevent infection, nor will it tell you when you
            have a known virus. Use Scan instead to detect
            viruses, as described in Chapter 3. See "Using
            VShieldCRC" later in this chapter for
            instructions.
            
            Level II protection is appropriate for most
            users. It will protect you from most viruses
            whether you have run Scan or not.
            
            For Level II protection, install VShield
            according to "Running VShield" later in this
            chapter. When loading, VShield checks memory
            automatically for viruses. Once resident in
            memory, VShield checks master boot records
            (MBRs), boot sectors, and program files (when
            executed) for virus signatures.
            
            Level III protection is appropriate for
            computers that are used by many people, as in an
            open-use computer lab, or onto which you
            frequently load files from public sources. Level
            III protection checks for both validation codes
            and virus signatures, incorporating both Level I
            and Level II protection.
            
            For Level III protection, first use Scan with
            the /AF {filename} option, then use VShield with
            the /CF {filename} option. The /AF option logs
            recovery and validation data for program files,
            the boot sector, and the master boot record
            (MBR) to a file you specify. The /CF option
            tells VShield to check against that log. See
            "VirusScan reference" in Chapter 3 for
            instructions.
           Using VirusScan (Version 2.1.1)                           58            
            
            Level IV protection is for environments where
            security is extremely important and new software
            is seldom introduced. It combines Level III
            protection with access control, specifying that
            only programs known to be safe can be run.
            
            For Level IV protection, run VShield with the
            /CERTIFY option. See the "VShield option
            descriptions" later in this chapter for details
            about /CERTIFY.
            
            NOTE: VShield has many optional features that
            you might use at any protection level. See the
            table "VShield option summary" later in this
            chapter to see these options.
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
           Using VirusScan (Version 2.1.1)                           59            
            
            RUNNING VSHIELD
            
            VShield checks programs, the master boot record
            (MBR), boot sector, system files, and itself for
            virus signatures, the pattern of code unique to
            each virus. If VShield finds an infection, it
            prevents programs from running. It also prevents
            warm boots ([Ctrl]+[Alt]+[Del]) from infected disks.
            
            You can use options to control and fine-tune the
            scope, validation parameters, and operation of
            the VShield's checks. To use VShield with
            options, use the following syntax:
            
                 vshield [options]
            
            [options] indicates one or more options
            described in the table in the next section.
            
            NOTE: Don't enter the square braces, which
            indicate that what's within them is optional.
            
            Because systems and environments differ, VShield
            gives you a choice of options. Consider the
            mixture of safety, performance, and maintenance
            that meets your needs, then choose the
            combination of options that works best.
            
            When you run VShield for the first time, VShield
            uses the virus information contained in SCAN.DAT
            and NAMES.DAT to creates a new file,
            VSHIELD.DAT, in the program directory. The
            VSHIELD.DAT file contains virus information in a
            format that is optimized for VShield operation.
            Thereafter, when you install an updated version
            of SCAN.DAT, VShield updates VSHIELD.DAT
            automatically with any new virus information it
            finds in SCAN.DAT.
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
           Using VirusScan (Version 2.1.1)                           60            

            DOS
            
            You can add VShield to your AUTOEXEC.BAT file so 
            it is activated every time you turn on your computer.
            
            You can put VShield at the end of AUTOEXEC.BAT. 
            In most cases this is OK. However, using a text editor,
            
            1. Check the placement of the VShield command
               line in the AUTOEXEC.BAT file.

               o VShield must be run before any menu programs,
                 such as MS-DOS's DOSSHELL or Norton
                 Commander, or it will not be loaded.

               o If AUTOEXEC.BAT loads any network drivers,
                 keyboard drivers, disk caching programs,
                 drive compression programs, or custom disk
                 drivers, VShield must be run both before and
                 after them. These kinds of programs disable
                 VShield. The second time VShield is loaded,
                 use only the /RECONNECT option, as described
                 later in this chapter.

            2. If necessary, move the line that loads VShield.

            3. Add the VShield options of your choice to the
               command line.

            NOTE: On your VirusScan disk, you'll find
            AUTOEXEC.VSH, a sample AUTOEXEC.BAT that shows
            the correct placement of the VShield command
            line. If you are still not sure whether VShield
            is in the right place, contact McAfee (see
            "Technical support" in Chapter 1).
            
            WINDOWS
            
            When you install VShield, you can add the VShield
            command line to your AUTOEXEC.BAT file. It also
            modifies your WIN.INI file to include
            VSHLDWIN.EXE, which allows VShield to display
            messages under Windows.
            
            However, you may need to change your Windows
            configuration for VShield to run properly.
            
            To do so, follow these steps. If you need help
            with this procedure, see your Windows
            documentation, or you can contact McAfee (see
            "Technical support" in Chapter 1).
            

           Using VirusScan (Version 2.1.1)                           61            
            
            1. Follow the instructions for DOS users in the
               previous section.

            2. Start Windows.

            3. In the Control Panel, configure Windows to run
               in 386 enhanced mode.

            4. Load Windows. You will see the VShield icon on
               your desktop.

            If VShield finds or suspects a virus, you'll see
            a warning message. Choose OK to close the
            message dialog.
            
            Double-clicking the VShield icon only displays a
            message confirming whether VShield is loaded.
            
            OS/2
            
            Because OS/2 is a protected environment, you
            need VShield only during Virtual DOS Machine
            (VDM) and WIN-OS2 sessions. When you install it,
            you can add VShield to AUTOEXEC.BAT so it is 
            activated every time you start a VDM or WIN-OS/2 session.
            
            If your start-up batch file is not AUTOEXEC.BAT,
            edit your start-up batch file to include
            VShield. For example:
            
                 [C:\] vshield /fileaccess
            
            NOTE: See "/FILEACCESS," an option we recommend
            using with OS/2, later in this chapter.
            


















           Using VirusScan (Version 2.1.1)                           62

            SPECIAL INSTRUCTIONS FOR NETWORK ADMINISTRATORS
            
            You have many options for setting up VShield on
            a network. The table "Deciding which options are
            for you" later in this chapter lists options
            that apply in network environments. If you need
            assistance in choosing the best configuration
            for your network, contact McAfee (see "Technical
            support" in Chapter 1).
            
            If you run VShield from a network drive, flag
            VSHIELD.EXE as EXECUTE ONLY, READ ONLY, and
            SHAREABLE.
            
            If you run VShield from clients' local drives:
            
            o Edit all clients' AUTOEXEC.BAT files to load
              VShield, with the options that are
              appropriate for your environment, before any
              other drivers are loaded.

            o Add VShield with the /RECONNECT option to the
              AUTOEXEC.BAT or the network login script,
              after the network drivers are loaded. See
              /RECONNECT, later in this chapter, for more
              information.

            o Run CheckVShield from the login script.
              CheckVShield returns a

            DOS ERRORLEVEL that you can use in batch files
            to check and update VShield. For an example of
            using CheckVShield, see "Technical note 2:
            Sample NetWare login script and .BAT file" later
            in this chapter.
            
            
            















           Using VirusScan (Version 2.1.1)                           63            

            VSHIELD OPTION SUMMARY
            
            DOS-OS/2 option     Description
            
            /? or /HELP    
              Display a list of valid VShield command line options.
            
            /ANYACCESS     
              Scan the boot sector whenever a diskette is accessed 
              (read and write); scan executables; scan any newly 
              created files.
            
            /BOOTACCESS    
              Scan the boot sector for viruses whenever a diskette 
              is accessed (including read and write).
            
            /CERTIFY  
              Prevent files without validation codes from running.
            
            /CF {filename} 
              Check for viruses using recovery and validation data 
              stored by Scan /AF in the specified filename.
            
            /CONTACT {message}  
              Display specified message when a virus is found.
            
            /CONTACTFILE {filename}  
              Display message stored in filename when a virus is found.
            
            /CV  
              Check validation codes added to files by Scan.
            
            /EXCLUDE {filename} 
              Don't check files listed in filename for validation codes 
              (/CF and /CV options).
            
            /FILEACCESS    
              Scan executable files when they are accessed on a 
              diskette, but don't check the boot sector.
            
            /IGNORE {drive(s)}
              Don't check programs loaded from the specified drive(s).
            
            /LOCK     
              Halt the system when a file that is infected loads 
              and attempts to execute.
            
            /NOEMS    
              Prevent VShield from loading into expanded memory (EMS).
            
            /NOMEM    
              Don't check memory for viruses.
            
           Using VirusScan (Version 2.1.1)                           64            

            /NOREMOVE 
              Prevent VShield from being removed from memory with 
              the /REMOVE switch.
            
            /NOUMB    
              Prevent VShield from loading into upper memory blocks 
              (UMB).
            
            /NOWARMBOOT    
              Don't check the diskette boot sector for viruses 
              during warm boot ([Ctrl]+[Alt]+[Del]).
            
            /NOXMS    
              Prevent VShield from using extended memory (XMS) 
              when it loads.
            
            /ONLY {drive(s)}    
              Check programs loaded only from the specified drive(s).
            
            /POLY     
              Check for polymorphic viruses.

            /RECONNECT     
              Restore VShield after certain drivers or TSRs have 
              disabled it.
            
            /REMOVE   
              Unload VShield from memory.
            
            /SAVE     
              Save the command line options to the VSHIELD.INI file.
            
            /SWAP [pathname]    
              Load VShield kernel (7Kb) only; swap the rest to pathname.
            


















           Using VirusScan (Version 2.1.1)                           65            
            
            VSHIELD OPTION DESCRIPTIONS
            
            /? or /HELP
            
            Use this option to display a brief description
            of valid VShield command line options.
            

            /ANYACCESS
            
            Checks the diskette boot sector and all files
            for viruses whenever a diskette is accessed by a
            read or write operation, such as a DIR or COPY
            command, and when a program on the diskette is
            opened, read, updated, or executed.
            
            /ANYACCESS prevents execution if a program file
            is infected. It also checks any new files
            created, such as with a copy command, regardless
            of the file's extension.
            
            This is the highest level of protection against
            viruses that infect boot sectors. Using
            /ANYACCESS with either /BOOTACCESS or
            /FILEACCESS in the same command line returns an
            error message.
            
            NOTE: The /ANYACCESS switch is not recommended
            for use with DOS and WIN-OS/2 sessions under
            OS/2 due to certain low-level operating system
            incompatibilities between OS/2 and DOS. Use the
            /FILEACCESS switch instead.
            
            
            /BOOTACCESS
            
            Checks the boot sector of a diskette for viruses
            whenever a diskette is accessed by a read or
            write operation, such as the DIR or copy
            commands. By default, VShield checks programs
            when they execute, but does not check the boot
            sector of the diskette for viruses. Using
            /BOOTACCESS with /ANYACCESS in the same command
            line returns an error message.
            
            NOTE: This option does not work from within
            Windows File Manager. For virus-checking within
            Windows, use the /FILEACCESS or /ANYACCESS
            switch instead.
            



           Using VirusScan (Version 2.1.1)                           66            

            /CERTIFY
            
            Prevents programs from running if they do not
            have Scan validation codes. Use it in high-
            security environments to prevent clients from
            running programs that have not been scanned. To
            use /CERTIFY, first run Scan with the /AF or /AV
            option, as described in Chapter 3. Then, use
            VShield with the /CERTIFY option and either the
            /CF or /CV option (either is required), such as:
            
                 vshield /certify /cf c:\mcafee\recvalch.sav
            
            Some programs, such as Lotus 1-2-3, contain self-
            modifying code and do not work correctly with
            validation codes attached. You may create an
            exception list of files to exclude from
            validation. For instructions, refer to
            "Technical note 1: Creating an exception list
            for the /EXCLUDE option" later in this chapter.
            
            
            /CF {filename}
            
            Checks validation data stored by Scan's /AF
            {filename} option, where filename is the name of
            the validation data file created by Scan. If a
            file or system area has changed, VShield reports
            that a viral infection may have occurred. You
            can specify the /EXCLUDE option to exclude a
            list of files from validation checking.  In this
            example:
             
                 vshield /cf c:\mcafee\valcodes.dat /noems
            
            VShield looks in the VALCODES.DAT file for
            validation data. For instructions on using Scan
            /AF to add validation codes, see "Scan option
            descriptions" in Chapter 3, and "Detecting new
            and unknown viruses" in Chapter 5.
            
            
            
            
            
            
            
            
            
            
            
            

           Using VirusScan (Version 2.1.1)                           67            
            
            /CONTACT {message}
            
            Displays a custom message when a virus is found.
            This message is displayed in addition to all
            other VShield messages. Use /CONTACT to let
            network users know what to do if VShield finds a
            virus. The message can be up to 50 characters
            long, and can contain any character except a
            backslash " \ ". Place messages starting with a
            hyphen " - " or slash " / " in quotation marks.
            
            If your message is longer than 50 characters or
            you want to store the message text in a file,
            use /CONTACTFILE instead. Using /CONTACT and
            /CONTACTFILE in the same command line returns an
            error message.
           
            
            /CONTACTFILE {filename}
            
            An alternative to the /CONTACT option,
            /CONTACTFILE identifies a file that contains the
            message string to display when a virus is found.
            This option is especially useful in network
            environments, because you can easily maintain
            the message text in a central file rather than
            changing the command line in the AUTOEXEC.BAT
            file on each workstation.
            
            If your message is 50 characters or fewer, you
            can use /CONTACT instead. Using /CONTACT and
            /CONTACTFILE in the same command line returns an
            error message.
            
            
            /CV
            
            Checks validation codes added by Scan with the
            /AV option. If a file has changed, VShield
            reports that the file has been modified and a
            viral infection may have occurred. You can
            specify the /EXCLUDE option to exclude a list of
            files from validation checking. For instructions
            on using Scan to add validation codes, see "Scan
            option descriptions" in Chapter 3, and
            "Detecting new and unknown viruses" in Chapter 5.
             
            
            
            
            
            
            
           Using VirusScan (Version 2.1.1)                           68

            /EXCLUDE {filename}
            
            Excludes files listed in filename from
            validation when using /CF or /CV. For more
            information on this, see "Technical note 1:
            Creating an exception list for the /EXCLUDE
            option" later in this chapter.
            
            
            /FILEACCESS
            
            Checks standard executable files whenever the
            file is accessed or executed, and prevents
            execution of infected programs. Checks all files
            when accessed by a read or write operation.
            Using /ANYACCESS in the same command line with
            /FILEACCESS returns an error message.
            
            NOTE: We recommend always using /FILEACCESS with
            OS/2. 1 For VShieldCRC, /FILEACCESS checks files
            only if they have been validated with the /AF or
            /AV options.
            
            
            /IGNORE {drives}
            
            Omits checking program loads from the specified
            drives, as shown in the following example:
            
                 vshield /ignore t: y: w:
            
            Use /IGNORE or /ONLY to speed up VShield by
            excluding secure, virus-free network drives from
            virus checking. You can specify up to 26 drives.
            See also /ONLY, described later in this section.
            Using /IGNORE and /ONLY in the same command line
            returns an error message.
            
            
            /LOCK
            
            Halts the system to stop further infection if
            VShield finds a virus. /LOCK is appropriate in
            highly vulnerable network environments, such as
            open-use computer labs. If you use /LOCK, use
            /CONTACT or /CONTACTFILE to tell users what to
            do or whom to contact if a virus is found and
            the system locks up.
            
            
            
            

           Using VirusScan (Version 2.1.1)                           69            
            
            /NOEMS
            
            Prevents VShield from using expanded memory (LIM
            EMS 3.2) when it loads. This ensures that EMS is
            available exclusively to other programs.
            
            
            /NOMEM
            
            Skips the memory check for viruses when VShield
            loads. Using /NOMEM improves performance
            slightly, but use it only if you are absolutely
            sure that your system is virus-free.
            
            
            /NOREMOVE
            
            Prevents VShield from being removed from memory
            with the /REMOVE option in a subsequent VShield
            command. When you load VShield with the
            /NOREMOVE option, subsequent loads with the
            /REMOVE option will have not effect. Your
            network will be more secure if users cannot
            remove VShield, but this option may prevent
            users from solving memory limitations or
            conflicts.
            
            
            /NOUMB
            
            Prevents VShield from loading into the upper
            memory block (UMB, 640Kb to 1024Kb). This
            ensures that the UMB is available exclusively to
            other programs.
            
            
            /NOWARMBOOT
            
            Omits checking the diskette boot sector during a
            warm boot ([Ctrl]+[Alt]+[Del]).
            
            
            /NOXMS
            
            Prevents VShield from using extended memory when
            it loads. This ensures that XMS is available
            exclusively to other programs.
            
            
            
            
            

           Using VirusScan (Version 2.1.1)                           70            
            
            /ONLY {drive(s)}
            
            Checks program loads only from the specified
            drive(s), ignoring all other drives, as shown in
            the following example:
            
                 vshield /only c: f: k:
            
            Use /IGNORE or /ONLY to speed up VShield by
            excluding secure, virus-free network drives from
            virus checking. You can specify up to 26 drives.
            See also /IGNORE, earlier in this chapter. Using
            /ONLY and /IGNORE in the same command line
            returns an error message.
            
            
            /POLY
            
            Checks for polymorphic viruses, which are
            viruses that attempt to evade detection by
            changing their internal structure or encryption
            techniques. Otherwise, VShield does not check
            for polymorphic viruses. Using /POLY on the same
            command line as /FILEACCESS or /SWAP returns an
            error.
            
            
            /RECONNECT
            
            Restores VShield's links into DOS after another
            program has disabled it, such as a network
            driver, keyboard driver, custom disk driver,
            drive compression program, or disk caching
            program. These types of programs replace the
            normal DOS system interrupts so that VShield no
            longer recognizes program loads. After the lines
            in your AUTOEXEC.BAT file (or network login
            script) that load these programs, add this
            command line to restore VShield:
            
                 vshield /reconnect
            
            
            /REMOVE
            
            Unloads VShield from memory. You may want to do
            this temporarily if you are running out of
            memory for programs. For best results, try using
            VShield with the /SWAP option first. Use /REMOVE
            only as a last resort.
            
            

           Using VirusScan (Version 2.1.1)                           71            
            
            NOTE: /REMOVE will not work if other memory-
            resident programs were loaded after VShield, or
            if VShield was loaded previously with the
            /NOREMOVE option.
            
            
            /SAVE
            
            Stores the VShield options you specify as the
            defaults in VSHIELD.INI. In the following
            example, /SAVE saves the /CONTACTFILE N:\MSGFILE
            as the default setting:
            
                 vshield /contactfile n:\msgfile /save
            
            To remove custom options and return to VShield's
            original defaults, use the /SAVE option alone:
            
            vshield /save
            
            
            /SWAP [pathname]
            
            Installs a small (7Kb) kernel of VShield in
            memory that loads the rest of VShield from disk
            on demand. Specify a pathname only if you want
            VShield to swap to a path other than the
            directory where VShield resides.
            
            Use /SWAP only if you have very little memory
            available, but require a high assurance of
            safety. /SWAP will slow down your system and may
            cause conflicts with programs that fail to
            allocate memory properly. If you don't have
            enough memory to load VShield without swapping,
            consider using VShieldCRC instead. We do not
            recommend storing the swap file on a network
            path because, if the workstation disconnects
            from the network, the workstation will lock.
            













           Using VirusScan (Version 2.1.1)                           72            
            
            DECIDING WHICH OPTIONS ARE FOR YOU

            Because systems and environments differ, VShield gives you a
            choice of options. Consider the mixture of safety,
            performance, and maintenance that meets your needs, then
            choose the combination of options that works best.

            REQUIREMENT        OPTION        COMMENTS
            
            More complete      /ANYACCESS    Highest protection against
            protection, any                  infected diskettes; checks
            environment                      for viruses whenever a dis-
                                             kette or files are accessed.
                              
                               /FILEACCESS   Next highest protection
                                             against infected diskettes;
                                             checks for viruses whenever
                                             a standard file is accessed. 
                              
                               /BOOTACCESS   Of the three, lowest
                                             protection against infected
                                             diskettes; checks for
                                             viruses in boot sector when
                                             a diskette is accessed.
                              
                               /POLY         Used to check for
                                             polymorphic viruses.
            
            More complete      /CERTIFY      Use with /CF {filename} or
            protection,                      /CV and an exception list.
            stable software   
            environment        /CF           Use /CF or /CV. Of the two,
                                             /CF is recommended.
                              
                               /CV           Use /CF or /CV.
            
            Network or multi-  /CONTACT      Use this (or /CONTACTFILE)
            user environments                to tell users what to do
                                             when a virus is found.
                              
                               /CONTACTFILE  Use this (or /CONTACT) to
                                             tell users what to do when 
                                             a virus is found.
                              
                               /IGNORE       Use this (or /ONLY) to
                                             skip virus-free drives.
                              
                               /LOCK         Use with /CONTACT or
                                             /CONTACTFILE {filename}.
            



           Using VirusScan (Version 2.1.1)                            73

            
            For network        /NOREMOVE     Prevents VShield from
            environments                     being removed from memory.   
            (continued)       
                               /ONLY         Use this (or IGNORE) to check
                                             only vulnerable drives.
                              
                               /RECONNECT    Required if network drivers
                                             are loaded after VShield.
            
            Faster             /NOMEM        Only use on a virus-free
            performance                      computer.
            any environment   
                               /NOWARMBOOT   Omits checking the boot
                                             sector after a warm boot.
            
            Manage memory,     /NOEMS        Use when other programs need
            any environment                  exclusive use of EMS memory.
                              
                               /NOUMB        Use when other programs need
                                             exclusive use of UMB memory.
                              
                               /NOXMS        Use when other programs need
                                             exclusive use of XMS memory.
                              
                               /NOREMOVE     Use to ensure that VShield
                                             remains in memory.
                              
                               /REMOVE       May temporarily solve memory
                                             conflicts.
                              
                               /SWAP         Use in environments with very
                                             limited memory.
            
            


















           Using VirusScan (Version 2.1.1)                           74            
            
            EXAMPLES
            
            The following examples show different option
            settings:
            
                 vshield
            
            Activates VShield (Level II protection).
            
                 vshield /cv
            
            Activates VShield (Level III protection), if you
            have previously run SCAN /AV.
            
                 vshield /certify /cf c:\valcodes.dat
            
            Activates VShield (Level IV protection) and
            checks a recovery and validation data file
            created when running Scan with the /AF option.
            
                 vshield /swap
            
            Activates VShield kernel in memory and swaps
            from the directory in which VShield resides.
            
                 vshield /cv /exclude c:\excption.lst /contact
                 "Call the PC Help Desk!"
            
            Activates VShield (Level III protection),
            ignores checking files in the EXCPTION.LST
            files, and displays a message if a virus is
            found.
            
                 vshield /reconnect
            
            Re-enables VShield after it has been disconnected 
            by network device drivers.
            















           Using VirusScan (Version 2.1.1)                           75            
            
            ERROR LEVELS
            
            When VShield loads, it sets the DOS ERRORLEVEL.
            You can use the returned ERRORLEVEL in
            AUTOEXEC.BAT or other batch files to take
            different actions based on whether VShield has
            loaded in memory. See your DOS manual for more
            information.
            
            VShield returns these ERRORLEVELs:
            
            ERRORLEVEL/Description
            
            0   VShield successfully loaded in memory with all
                options operational.
            
            9   VShield not loaded correctly. Abnormal termination 
                (program error).
            
            VShield alerts you to problems by beeping once
            for system errors, twice for validation errors
            (/CF or /CF checking), or three times if a virus
            is found.
            





























           Using VirusScan (Version 2.1.1)                           76

            USING VSHIELDCRC
            
            For Level I protection on systems with limited
            memory, use VShieldCRC instead of VShield.
            VShieldCRC is a separate program that consumes
            little system overhead, but is not recommended
            for normal use because it provides only minimal
            protection. VShieldCRC can inform you that you
            have been infected with a virus, but it does not
            check for virus signatures nor does it prevent
            infection.
            
            To use VShieldCRC, first use Scan with the /AF
            or /AV option. VShieldCRC checks the validation
            codes added by Scan. It also checks the master
            boot record (MBR) and boot sector validation
            codes, if present. See Chapter 3 for
            instructions on using Scan.
            
            To load VShieldCRC with options, use the
            following syntax:
            
                 vshldcrc [options]
            
            [options] include the options listed in the
            table "VShieldCRC option summary" later in this
            chapter. For more information on all options
            except /LOGFILE, see "VShield option
            descriptions" earlier in this chapter.
            
            EXAMPLES
            
                 vshldcrc
            
            Activates VShieldCRC (Level I protection).
            
                 vshldcrc /cf valcodes.dat
            
            Activates VShieldCRC and checks validation data
            stored in VALCODES.DAT, a file that was created
            using Scan with the /AF option.
            











           Using VirusScan (Version 2.1.1)                           77

            VSHIELDCRC OPTION SUMMARY
            
            /? or /HELP    
              Display a list of valid VShieldCRC command line options.
            
            /CERTIFY  
              Prevent files without validation codes from running.
            
            /CF {filename} 
              Check for viruses using recovery and validation data 
              stored by Scan /AF in the specified filename.
            
            /CONTACT {message}  
              Display specified message when a virus is found.
            
            /CONTACTFILE {filename}  
              Display message stored in specified filename when virus found.
            
            /CV  
              Check validation codes added to files by Scan.
            
            /EXCLUDE {filename} 
              Don't check files listed in filename for validation 
              codes (used with /CF and /CV options).
            
            /FILEACCESS    
              Scan only validated executable files when accessed, but don't 
              check boot sector. Prevent infected programs from running.
            
            /IGNORE {drive(s)}  
              Don't check programs loaded from specified drive(s).
            
            /LOCK     
              Halt the system when a file that is not certified 
              attempts to load and execute.
            
            /LOGFILE {filename} 
              Write error information to filename.
            
            /NOREMOVE 
              Prevent VShieldCRC from being removed from memory 
              with a subsequent VShieldCRC command using /REMOVE.
            
            /NOUMB    
              Prevent VShieldCRC from using upper memory blocks (UMB) 
              when it loads.
            
            /ONLY {drive(s)}    
              Check programs loaded only from the specified drive(s).
            
            /REMOVE   
              Unload VShieldCRC from memory.
            
           Using VirusScan (Version 2.1.1)                           78            
            
            USING CHECKVSHIELD
            
            CheckVShield allows network administrators to
            make sure that workstations are running VShield
            or VShieldCRC before users can log onto a
            network. See "Technical note 2: Sample NetWare
            login script and .BAT file" later in this
            chapter for a sample Novell NetWare login script
            using CheckVShield.
            
            To load CheckVShield with options, use the
            following syntax:
            
                 chkvshld [option(s)]
            
            [option(s)] include:
            
            /? and /HELP 
              Display a list of valid CheckVShield command line 
              options.
            
            /DEBUG  
              Displays the version of VShield or VShieldCRC resident 
              in memory and the DOS ERRORLEVEL on the screen.
            
            /QUIET 
              Suppresses CheckVShield messages (quiet mode) so 
              users don't see the messages.
            
            /V "xxxxx" 
              Tells CheckVShield to look for a specific version 
              (2.00 or higher) of VShield or VShieldCRC in memory. 
              For example, /v "2.00" for VShield 2.00.
            
            EXAMPLE
            
                 chkvshld /quiet
            
            Checks for VShield or VShieldCRC in memory and
            suppresses messages.
            












           Using VirusScan (Version 2.1.1)                           79
            
            ERROR LEVELS
            
            When CheckVShield runs, it sets the DOS
            ERRORLEVEL. Use the ERRORLEVEL in batch files to
            take different actions based on the results of
            CheckVShield's check. The ERRORLEVELs returned
            by CheckVShield are:
            
            ERRORLEVEL/Description
            
            0   VShield or VShieldCRC is resident or, if /V is
                used, the version specified is resident in memory.
            
            1   VShield or VShieldCRC is resident but does not
                match the version specified in the /V option.
            
            2   VShield or VShieldCRC is not resident in
                memory.
            
            3   Abnormal termination (program error).
            










            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
           Using VirusScan (Version 2.1.1)                           80
            
            TECHNICAL NOTE 1:  
            CREATING AN EXCEPTION LIST FOR THE /EXCLUDE OPTION
            
            VShield /CERTIFY permits a file to load only if:
            
            o It has been validated by Scan, or

            o It appears in the exception list file
              specified with the /EXCLUDE option, used in
              conjunction with /CF or /CV.

            If you do not validate any files and do not use
            an exception list, /CERTIFY will disable all
            programs other than DOS internal commands.
            
            The exception list file is an ASCII or DOS text
            file containing up to 1,024 characters. If you
            use a word processor to create it, be sure to
            save the file as ASCII or DOS Text. Each line in
            the file contains the path and filename of one
            file that should not be validated. Here is an
            example:
            
                 c:\clipper\bin\clipper.exe
                 c:\123\123.com
                 c:\fox\foxprolx.exe
                 c:\dos\setver.exe
                 c:\pkware\pklite.exe
                 c:\pkware\pkzip.exe
                 c:\pkware\pkunzip.exe
                 c:\semware\q.exe
                 c:\swapvol.com
                 c:\norton\ncache.exe
                 c:\wordstar\ws.exe
            


















           Using VirusScan (Version 2.1.1)                           81

            TECHNICAL NOTE 2  
            SAMPLE NETWARE LOGIN SCRIPT AND .BAT FILE
            
            Here is a sample system login script for use by
            Novell NetWare system administrators. The login
            script gets the ERRORLEVEL from CheckVShield and
            displays messages on the user's screen. If
            VShield is not loaded correctly, there is an
            internal error with CheckVShield, either VShield
            or VShieldCRC is not installed, or an older
            version of VShield is present, the script exits
            the user to a NOLOGIN.BAT file that logs him or
            her out.
            
            #REM REPLACE "XXX" WITH CURRENT VERSION NUMBER
            CHKVSHLD /V "VXXX"
              IF ERROR_LEVEL = "3" THEN
               FIRE PHASERS 5 TIMES
               WRITE "A CHKVSHLD internal error has occurred."
               WRITE "Please contact the Help Desk."
               #COMMAND /C NOLOGIN.BAT
              EXIT
             ELSE
              IF ERROR_LEVEL = "2" THEN
               FIRE PHASERS 5 TIMES
               WRITE "VShield has not been installed on your PC."
               WRITE "Access Denied. Please contact the Help Desk."
               #COMMAND /C NOLOGIN.BAT
              EXIT
             ELSE
              IF ERROR_LEVEL = "1" THEN
               FIRE PHASERS 5 TIMES
               WRITE "An old version of VShield has been installed."
               WRITE "Access to the network has been denied. Please"
               WRITE "contact the Help Desk to have a new version"
               WRITE "installed."
               #COMMAND /C NOLOGIN.BAT
               EXIT
              END
             END
            END
            
            You can create more complex login scripts to
            send a message to the supervisor if an error has
            occurred, update the user's VSHIELD.EXE as he or
            she logs in to the network, and so forth.
            
            Here is a sample of the NOLOGIN.BAT file called
            by the login script.
            
            ECHO OFF
            REM Log the user off of the network
            LOGOUT
           Using VirusScan (Version 2.1.1)                           82            
            
            CHAPTER 5: TIPS & TROUBLESHOOTING
            
            The other chapters in this manual are meant to
            tell you clearly and concisely how to use the
            VirusScan software. Still, you may have
            questions or encounter confusing situations.
            This chapter contains two kinds of advice:
            
            o Tips for getting the most out of VirusScan.

            o Common problems and how to solve or avoid
              them.

            If this information doesn't help resolve your
            question or problem, contact McAfee (see
            "Technical support" in Chapter 1).
            
            TIPS
            
            DETECTING NEW AND UNKNOWN VIRUSES
            
            There are two ways of dealing with new and
            unknown viruses that may infect your system:
            
            o Update VirusScan regularly.

            o Store and check validation and recovery
              information about your files.

            UPDATE VIRUSSCAN REGULARLY
            
            Most likely, McAfee will see new viruses long
            before you do. We update the VirusScan programs
            often--usually monthly, but more often if many
            new viruses have appeared. Each new version may
            detect and eradicate as many as 60 to 100 new
            viruses or more, and may fix bugs that have been
            reported.
            
            Updating VirusScan regularly is probably all you
            need to do to protect against new viruses. See
            the instructions for obtaining new versions in
            "Updating VirusScan regularly" in Chapter 2.










           Using VirusScan (Version 2.1.1)                           83            
            
            USE THE VALIDATION AND RECOVERY OPTIONS
            
            If your environment is highly vulnerable to
            viruses, or you require unusual security against
            them, you can use VirusScan's validation and
            recovery options. Scan checks for new or unknown
            viruses by comparing files against previously
            recorded validation data. If a file has been
            modified, it no longer matches the validation
            data, and Scan reports that the file may have
            become infected. Scan has two levels of
            validation, which are stored in two separate
            ways:
            
            o It can store the enhanced code in a separate
              recovery file, which can be stored off-line
              (for example, on a diskette) for recovery
              purposes (/AF, /CF, and /RF switches). This
              is the preferred method because it stores the
              data for files, the boot sector, and the
              master boot record (MBR) of a disk in the
              recovery file.

            o It can append a simple 98-byte validation code
              to .COM and .EXE files (/AV, /CV, and /RV
              switches). This method applies to the files
              you specified only. It does not store data
              for the boot sector and master boot record (MBR).

            Once the validation codes are stored, both Scan
            and VShield can use the /CV and /CF options to
            detect changes to the files. More importantly,
            if you have stored the recovery information with
            /AF, Scan can use it to restore infected files,
            master boot records (MBR), and boot sectors.
            
            All of these options require continuing effort
            to store and maintain the codes. For example, if
            you install new programs or upgrade old ones,
            you should use the /RV or /RF options to remove
            all codes, then /AV or /AF to restore them.
            
            If you want to use one of these methods, which
            should you use? We recommend the "F"
            options--/AF, /CF, and /RF--over the "V" options.
            /AF stores the validation and recovery
            information in a separate file, instead of
            modifying the program files themselves. This has
            three advantages:
            
            
            
            
           Using VirusScan (Version 2.1.1)                           84
            
            o You can store the recovery file off-line (on
              your clean anti-viral startup diskette, for
              example, or on a network drive or tape drive)
              and access it on demand to check for, and
              recover from, infection by unknown viruses.
              Use the procedure below to create a recovery
              diskette.

            o This method keeps self-checking files (usually
              copy-protected programs) from reporting that
              they have been tampered with.

            o If you use this method, you don't need an
              exception list. However, it's important that
              you run Scan with the /RF option on
              individual self-modifying files, such as
              Lotus 1-2-3, to remove the validation codes
              for those programs from the validation file.

            The "V" options are primarily useful for
            companies that distribute software to their
            customers or employees, and want to incorporate
            an additional level of virus protection.
            
            Creating a recovery diskette To store the
            recovery file on the clean startup diskette you
            created in "Making a clean start-up diskette" in
            Chapter 2, temporarily remove write-protection
            from the diskette and insert it in drive A. Run
            Scan on your hard disks with the /AF option. For
            example:
            
                 scan /adl /af a:\scancrc.crc
            
            scans the local hard disk drives for known
            viruses and creates SCANCRC.CRC, a file
            containing recovery data and validation codes,
            on the diskette. After Scan finishes, write-
            protect the diskette.
            
            To check for virus infection, turn your computer
            off, insert the recovery diskette in drive A,
            and turn the power back on. The PC will now
            start from the diskette. At the DOS prompt,
            type:
            
                 scan /adl /cf a:\scancrc.crc
            
            to compare the local hard disk drives against
            the recovery data stored on the diskette in the
            SCANCRC.CRC file.
            
            
           Using VirusScan (Version 2.1.1)                           85            
            
            If you detect an unknown virus, to disinfect
            your system, turn your PC off, insert the
            recovery diskette, and turn the power back on.
            The PC will start from the floppy disk. At the
            DOS prompt, type:
            
                 scan /adl /cf a:\scancrc.crc /clean
            
            to restore local hard disk drives with the
            recovery data stored in SCANCRC.CRC on the
            diskette.
            
            If you install new software, or upgrade your DOS
            version, remember to update your recovery file.
            See "Application note 1: Updating validation
            codes" in Chapter 3.
            




































           Using VirusScan (Version 2.1.1)                           86
            
            INTERACTING WITH YOUR NETWORK
            
            Many personal computers are interconnected
            through a local area network (LAN). VirusScan is
            highly compatible with most networks. Here are
            some ways of using the VirusScan software with
            your network:
            
            o Run Scan on network drives Run from a
              workstation (PC) on the network, Scan checks
              network drives for viruses just as it does local
              drives. For convenience, the /ADN option scans
              all network drives to which the workstation is
              connected.
            
            o Use VShield and CheckVShield By activating
              VShield as part of every workstation's
              AUTOEXEC.BAT file, you can prevent the
              workstations from introducing viruses into the
              network. Network administrators can ensure that
              VShield is active on each workstation by running
              CheckVShield as part of the network login script, 
              before actual login.
            
            o Use NetShield provides continuous virus
              protection on a NetWare server. NetWare network
              administrators can use it to check for both
              known and unknown viruses and to monitor all
              network activities. On other kinds of networks,
              you can use Scan to check network servers.
            
            o Develop a network security program, as described
              in the next tip.
            



















           Using VirusScan (Version 2.1.1)                           87            
            
            DEVELOP A SECURITY PROGRAM
           
            VirusScan has been shown to be an effective
            virus-preventive measure when used in a
            conscientiously applied program of network
            security and regular professional care.
            
            VirusScan is one important element of a
            comprehensive computing security program that
            includes a variety of safety measures, such as
            regular backups, meaningful password protection,
            user training, and awareness. Even with
            VirusScan, some viruses--not to mention theft or
            fire--can render a disk unrecoverable without a
            recent backup. Although outlining such a
            security program is beyond the scope of this
            manual, see "Other sources of information" in
            Chapter 1 for suggestions.
            
            If you are a network administrator, we urge you
            to implement a security program to safeguard
            your organization's data and productivity. If
            you are a network user, please support and
            comply with such a program.
            
            TROUBLESHOOTING
            
            GENERAL ABNORMALITIES
            
            Using VirusScan with other anti-virus software
            
            When you run more than one anti-virus program,
            you risk strange results and false alarms. For
            example, some anti-virus programs store their
            "virus signature strings" unprotected in memory.
            Running VirusScan may "detect" them falsely as a
            virus.
            
            TSR CONFLICTS
            
            Some "terminate-and-stay-resident" (TSR)
            software may conflict with VirusScan programs,
            especially VShield (which is itself a TSR). To
            check whether this is the problem, "comment out"
            the other TSR files in your AUTOEXEC.BAT file
            and restart your system. If the errors
            disappear, the TSR conflict caused them.
            





           Using VirusScan (Version 2.1.1)                           88

            SLOW DISK ACCESS, PROGRAM LOCKS
            
            Running VShield will slow your system slightly
            as described in Chapter 4, especially if you use
            either the /ANYACCESS or /SWAP options. If you
            experience very slow disk access, or if programs
            lock or freeze while using Windows 3.1, you may
            be using a disk cache program that interferes
            with program operation, or you may need to
            increase the number of BUFFERS in your
            CONFIG.SYS file.
            









































           Using VirusScan (Version 2.1.1)                           89            
            
            TROUBLESHOOTING SCAN
            
            FALSE ALARMS
            
            Scan may incorrectly report viruses in the boot
            sector or master boot record (MBR) of certain
            copy-protected diskettes. Contact technical
            support if you're unsure (see "Technical
            support" in Chapter 1).
            
            TROUBLESHOOTING VSHIELD
            
            PROGRAM LOCKS WITH /SWAP
            
            When VShield is running with the /SWAP option,
            certain programs may lock up the computer. These
            programs may use memory without allocating it
            first, including older versions Lotus 1-2-3,
            pfs:Write and Professional Write, OfficeWrite,
            and DisplayWrite4. To correct, restart your
            computer and run VShield without the /SWAP
            option.
            
            UNABLE TO REMOVE VSHIELD
            
            If the /REMOVE option doesn't successfully
            remove VShield from memory, you have probably
            loaded other terminate-and-stay-resident (TSR)
            programs after VShield. VShield can't be removed
            until the other TSRs are removed. If you need to
            unload VShield often, load it last.
            





















           Using VirusScan (Version 2.1.1)                           90            
            
            APPENDIX A:  
            RETRIEVING MCAFEE PROGRAMS WITH COMMUNICATIONS SOFTWARE
            
            You can use your communications software to dial
            up the McAfee bulletin board system (BBS) and
            retrieve (download) McAfee software by following
            these steps.
            
            DIAL UP
            
            o The McAfee BBS phone number is (408) 988-4004.

            o The BBS operates at up to 14,400 bps (baud).
              Set your communications parameters to 8 data
              bits, 1 stop bit, no parity, and your
              terminal emulation to ANSI or TTY.

            o The BBS is Bell- and ITU- (formerly CCITT)
              compatible.

            LOG ON
            
            After receiving the CONNECT message from your
            modem, enter your name, geographic location, and
            password.
            
            To retrieve VirusScan programs, type
            
            guest   (for first name)
            user    (for last name)
            
            Or, if you want personal answers or feedback,
            create your own account by entering your first
            and last name and a password. Passwords should
            be 3-8 characters long and are case-sensitive.
            
            THE MAIN MENU
            
            Here are some of the important functions on the
            main menu:
            
            F  File transfer area (download McAfee updates)
            
            M  Message area (read and write messages in all
               sections and e-mail)
            
            G  Goodbye (hang up and leave the BBS)
            





           Using VirusScan (Version 2.1.1)                           91            
            
            DOWNLOADING MCAFEE PROGRAMS

            1. Select F from the Main Menu to go to the File
               transfer area. This is the area from which
               you can download McAfee programs.

            2. Select 1 for the McAfee Antivirus Files. A
               sorted directory listing of files available
               for download will be displayed.

            3. Type D for download, then type in the filename
               as found in the directory.

            4. The BBS will prompt you to select a protocol.
               If possible, use an error-correcting protocol
               such as ZMODEM, YMODEM or XMODEM.

            5. You'll see the message Awaiting start signal.
               Tell your software to receive files. With
               PROCOMM for DOS or TELIX, press the [Page
               Down] key, with BITCOM, press the [F2] key.
               For other communications programs, check your
               manual.

            6. Your software will prompt you to select a
               protocol and file name to receive the file.
               Select the same protocol and name.


























           Using VirusScan (Version 2.1.1)                           92            
            
            APPENDIX B:
            OPTIONS COMPARISON BETWEEN VIRUSSCAN VERSIONS 1.5 AND 2.1.1
            
            COMPARISON OF SCAN VERSIONS 1.5 and 2.1.1

               Scan         Scan         
               Version 1.5  Version 2.1.1  Option Description
                         
              /? /H or      /? or /HELP   Display help screen.
              /HELP                      
            
              /A            /ALL          Scan all files,
                                          including data files.
            
              /AD{x}        /AD{x}        Scan all drives
                                          {L=Local, N=Network}.
                                          Leave blank for both
                                          (version 1.5 only).
            
              /AF           /AF           Store
             {filename}     {filename}    validation/recovery
                                          codes in filename.
            
              /AG                         Add recovery/validation
              {filename}                  data to files except
                                          those listed in {filename}.
            
              /AV           /AV           Add validation/recovery
              {filename}                  data to program files.
                                          Exclude those listed in
                                          {filename} (version 1.5
                                          only); exclude those
                                          listed in /EXCLUDE
                                          option (version 2.1.1 only).
            
              /BELL         default       Beep whenever a virus
                                          is found.
            
              /BMP          default       Scan OS/2 Boot Manager
                                          partition only.
                         
                            /BOOT         Scan master boot record
                                          and boot sector only.
            
              /CERTIFY                    List files not having a
                                          validation code.
                                       
              /CF           /CF           Check
              {filename}    {filename}    validation/recovery
                                          codes in filename.
            
            
            
           Using VirusScan (Version 2.1.1)                           93            
            
            VERSION COMPARISON OF SCAN OPTIONS (continued)

               Scan         Scan         
               Version 1.5  Version 2.1.1  Option Description
                         
              /CG                         Check
                                          recovery/validation
                                          data in files.
            
              /CHKHI                      Check memory from 0Kb
                                          to 1,088Kb (not
                                          applicable to OS/2).
            
              (CLEAN.EXE)   /CLEAN        Clean up infections in
                                          master boot records,
                                          boot sectors, and files
                                          when possible.
            
              /CV           /CV           Check
                                          validation/recovery
                                          data in files.
            
              /D            /DEL          Overwrite and delete
                                          infected files.
                                          Save date and time
                                          VirusScan was last run
                                          in SCAN.LOG.
            
              /DATE         /LOG          Save date and time
                                          VirusScan was last run.
                                          Save in SCAN.LOG file
                                          (version 2.1.1 only).
                         
                            /EXCLUDE      Exclude from scan any
                            {filename}    files listed in
                                          filename. Typically
                                          used in conjunction
                                          with the /AV option.
            
              EXT                         Scan using external
              {filename}                  virus information from
                                          filename.
            
              /FAST         /FAST         Speed up VirusScan's
                                          scanning; may detect
                                          fewer viruses.
            
              /HISTORY      /APPEND       Append Scan report to
              filename                    filename (version 1.5).
                                          Append to, rather than
                                          overwrite, the report
                                          file (/REPORT, version 2.1.1)
            
           Using VirusScan (Version 2.1.1)                           94            
            
            VERSION COMPARISON OF SCAN OPTIONS (continued)

               Scan         Scan         
               Version 1.5  Version 2.1.1  Option Description
                         
              /M                          Scan memory for all
                                          viruses (not applicable
                                          to OS/2).
            
              /MANY         /MANY         Scan multiple floppy
                                          disks (diskettes).
                         
                            /MOVE         Move infected files to
                            {directory}   directory.
            
              /NLZ          /NOCOMP       Skip internal scan of
                                          LZEXE compressed files.
                                       
              /NOBREAK      /NOBREAK      Disable Ctrl-C and
                                          Ctrl-Break during scan.
            
              /NOEXPIRE                   Do not display
                                          expiration notice.
            
              /NOMEM        /NOMEM        Skip memory checking
                                          (not applicable to OS/2).
            
              /NOPAUSE      /PAUSE        Disable screen pause
                                          (version 1.5 only).
                                          Enable screen pause
                                          (version 2.1.1 only).
            
              /NPKL         /NOCOMP       Skip internal scan of
                                          PKLITE compressed files.
                         
                            /PLAD         Preserve Last-Access
                                          date of scanned files
                                          on Novell drives.
            
              /REPORT       /REPORT       Create report of
              {filename}    {filename}    infected files found
                                          during scan in filename.
            
              /RF           /RF           Remove
              {filename}    {filename}    validation/recovery
                                          codes in filename.
            
              /RG           /RG           Remove
                                          recovery/validation
                                          data from files.



           Using VirusScan (Version 2.1.1)                            95
             
            VERSION COMPARISON OF SCAN OPTIONS (continued)

               Scan         Scan         
               Version 1.5  Version 2.1.1  Option Description
                         
                            /RPTCOR       Add list of corrupted
                                          files to the report
                                          file (/REPORT).
                         
                            /RPTERR       Add list of system
                                          errors to the report
                                          file (/REPORT).
                         
                            /RPTMOD       Add list of modified
                                          files to the report
                                          file (/REPORT).
            
              /RV           /RV           Remove
                                          validation/recovery
                                          data from files.
            
              /SAVE         /SAVE         Save specified options
                                          as new defaults (not
                                          available in Windows).
            
              /SHOWDATE     /SHOWLOG      Show date and time of
                                          last scan (version 1.5
                                          only). Display
                                          information in SCAN.LOG
                                          (version 2.1.1 only)
            
              /SUB          /SUB          Scan subdirectories
                                          inside a directory.
                                       
                            /VIRLIST      Display list of viruses
                                           detected by VirusScan.
            
               @filename     /LOAD         Use Scan settings
                             {filename}    stored in filename.
                                         
           
        











           Using VirusScan (Version 2.1.1)                           96
            
            COMPARISON OF VSHIELD VERSIONS 1.5 and 2.1.1

               VShield      VShield      
               Version 1.5  Version 2.1.1  Option Description
                         
               /? or /HELP  /? or /HELP   Display a list of valid
                                          VShield command line
                                          options.
            
               /ACCESS                    Check for viruses when
                                          files are opened and
                                          diskettes are accessed.
                         
                            /ANYACCESS    Scan the diskette boot
                                          sector for viruses
                                          whenever a diskette is
                                          accessed (including any
                                          read and write
                                          operations); scan .EXE,
                                          .COM, .DLL, .OVL, .BIN,
                                          and .SYS files whenever
                                          the file is opened,
                                          read, or updated; scan
                                          .EXE and .COM files
                                          upon execution; scan
                                          any newly created file,
                                          regardless of extension.
            
              /BOOT         /BOOTACCESS   Scan the diskette boot
                                          sector for viruses
                                          whenever a diskette is
                                          accessed (including any
                                          read and write
                                          operations); individual
                                          files on a diskette are
                                          not scanned when a
                                          diskette is accessed.
            
              /CERTIFY      /CERTIFY      Prevent files without
              {filename}                  validation codes from
                                          running. {filename} is
                                          an optional exception
                                          list (version 1.5 only)
            
              /CF           /CF           Check for viruses using
              {filename}    {filename}    validation and recovery
                                          data stored by Scan /AF
                                          in the specified filename.
            
              /CG                         Check for viruses using
              {filename}                  validation and recovery
                                          data stored by Scan /AG
                                          
           Using VirusScan (Version 2.1.1)                           97 

            VERSION COMPARISON OF VSHIELD OPTIONS (continued)

               VShield      VShield      
               Version 1.5  Version 2.1.1  Option Description
                         
              /CHKHI        default       Check memory from 0Kb-
                                          1088Kb when VShield loads.
            
              /CONTACT      /CONTACT      Display specified
              {message}     {message}     message when a virus is
                                          found.
                                                     found.
                            /CONTACTFILE  Display message stored
                            {filename}    in filename when a
                                          virus is found.
            
              /CV           /CV           Check validation codes
                                          added to files by Scan.
                         
                            /EXCLUDE      Don't check files
                            {filename}    listed in filename for
                                          validation codes (/CF
                                          and /CV options).
            
              /F                          Use with /SWAP for DOS
             {pathname}                   2.0 systems ONLY.
                         
                            /FILEACCESS   Scan .EXE, .COM, .DLL,
                                          .OVL, .BIN, and .SYS
                                          files whenever the file
                                          is opened, read, or
                                          updated; scan .EXE and
                                          .COM files upon
                                          execution; the diskette
                                          boot sector is not
                                          checked when a diskette
                                          is accessed.
            
             /IGNORE        /IGNORE       Don't check programs
             {drive(s)}     {drive(s)}    loaded from the
                                          specified drive(s).
            
             /LH                          Load VShield into upper
                                          memory area.
            
             /LOCK          /LOCK         Halt the system when a
                                          file that is infected
                                          or not certified loads
                                          and attempts to execute.

            


           Using VirusScan (Version 2.1.1)                           98
            
            VERSION COMPARISON OF VSHIELD OPTIONS (continued)

               VShield      VShield      
               Version 1.5  Version 2.1.1  Option Description
                         
             /M                           Scan base memory for
                                          viruses when VShield loads.
            
             /NB            /NOWARMBOOT   Disable boot sector
                                          check during install
                                          and reboot.
            
             /NI6510                      Fixes Racal Datacomm
                                          NI6510 conflict.
            
             /NOBREAK                     Prevent [Ctrl]+[C] /
                                          [Ctrl]+[Break] from
                                          working during install.
            
             /NOCONT                      Prevent non-certified
                                          programs from running.
            
             /NODISK                      Turn off the boot
                                          sector check when
                                          VShield is loading.
            
             /NOEMS         /NOEMS        Prevent VShield from
                                          using expanded memory
                                          (EMS) when it loads.
            
             /NOFLOPPY                    Turn off the boot sector
                                          check for floppy drives.
            
             /NOMEM         /NOMEM        Do not check memory for
                                          viruses upon running.
            
             /NOREMOVE      /NOREMOVE     Prevent VShield from
                                          being removed from
                                          memory with the /REMOVE
                                          switch.
                         
                            /NOUMB        Prevent VShield from
                                          using upper memory
                                          blocks (UMB) when it
                                          loads.
                         
                            /NOXMS        Prevent VShield from
                                          using extended memory
                                          (XMS) when it loads.
            
            
            
            
           Using VirusScan (Version 2.1.1)                           99            

            VERSION COMPARISON OF VSHIELD OPTIONS (continued)

               VShield      VShield      
               Version 1.5  Version 2.1.1  Option Description
                         
               /ONLY        /ONLY         Check programs loaded
              {drive(s)}    {drive(s)}    only from the specified
                                          drive(s).
                          
                            /POLY         Check for polymorphic
                                          viruses.
                          
              /RECONNECT    /RECONNECT    Restore VShield after
                                          certain drivers or TSRs
                                          have disabled it.
            
              /REMOVE       /REMOVE       Unload VShield from
                                          memory.
            
              /SAVE         /SAVE         Save specified options
                                          as new defaults
                                          (version 1.5 only).
                                          Save the command line
                                          options to the VSHIELD.INI
                                          file (version 2.1.1 only).
            
              /SWAP         /SWAP         Load VShield kernel
              [pathname]    [pathname]    only (5Kb in version
                                          1.5; 7Kb in version
                                          2.1.1); swap the rest
                                          from pathname.
                            





















           Using VirusScan (Version 2.1.1)                           100
             
            VERSION COMPARISON OF VSHIELD1/VSHIELDCRC OPTIONS

               VShield1     VShieldCRC   
               Version 1.5  Version 2.1.1  Option Description
                         
                            /? or /HELP   Display a list of valid
                                          VShieldCRC command line
                                          options.
                         
                            /CERTIFY      Prevent files without
                                          validation codes from
                                          running.
                         
                            /CF           Check for viruses using
                            {filename}    validation and recovery
                                          data stored by Scan /AF
                                          in the specified filename.
                                       
                            /CONTACT      Display specified message
                            {message}     when a virus is found.
                        
                            /CONTACTFILE  Display message stored
                            {filename}    in specified filename
                                          when a virus is found.
                         
                            /CV           Check validation codes
                                          added to files by Scan.
                         
                            /EXCLUDE      Don't check files
                            {filename}    listed in filename for
                                          validation codes (used
                                          with /CF and /CV options).
                         
                            /FILEACCESS   Checks validated files
                                          whenever the file is
                                          accessed or executed.
                                          Whenever a validated
                                          .EXE, .COM, .DLL, .OVL,
                                          .BIN, or .SYS file is
                                          opened, read, or
                                          updated, Scan checks
                                          the accessed file.
                                          Whenever a validated
                                          .EXE or .COM file
                                          executes, Scan checks
                                          the file for viruses as
                                          it loads and prevents
                                          execution if the file
                                          is infected.




           Using VirusScan (Version 2.1.1)                           101
             
            VERSION COMPARISON OF VSHIELD1/VSHIELDCRC OPTIONS (continued)

               VShield1     VShieldCRC   
               Version 1.5  Version 2.1.1  Option Description
                         
                            /IGNORE       Don't check programs
                            {drive(s)}    loaded from specified
                                          drive(s).
                         
                            /LOCK         Halt the system when a
                                          file that is not
                                          certified attempts to
                                          load and execute.
                             
                            /LOGFILE      Write error information
                            {filename}    to filename.
            
                 /NB                      Disable boot sector
                                          checking during install
                                          and reboot.
                                                        and reboot.
                            /NOREMOVE     Prevent VShieldCRC from
                                          being removed from memory 
                                          with a subsequent VShieldCRC
                                          command using /REMOVE.
                         
                            /NOUMB        Prevent VShieldCRC from
                                          using upper memory
                                          blocks (UMB) when it loads.
                         
                            /ONLY         Check programs loaded
                            {drive(s)}    only from the specified
                                          drive(s).
            
                 /REMOVE    /REMOVE       Unload VShieldCRC from
                                          memory.
                                          
















           Using VirusScan (Version 2.1.1)                           102            
            VIRUSCAN GLOSSARY
            
            ARCHIVED FILE  A file that has been archived
            using either LZEXE or PKLITE, file compression
            utilities.
            
            BOOT  To start a computer. The first step is to
            load startup instructions from the boot ROM or
            boot sector of a disk.
            
            BIOS  A read-only memory chip that contains the
            coded instructions for the operating system to
            start the computer. Always present in portable
            computers, a BIOS (boot ROM) is not susceptible
            to infection (unlike the boot sector on a disk).
            However, it is harder to update.
            
            BOOT SECTOR  A portion of a disk that contains
            the coded instructions for the operating system
            to start the computer.
            
            BOOT SECTOR INFECTIONS  Contamination of the
            boot sector by a virus. Particularly serious
            because information in the boot sector is loaded
            into memory first, before virus protection code
            can be executed. The only certain way to
            eliminate boot sector infections is to restart
            from a disk known to be uninfected, then clean
            up the infection.
            
            CLEAN STARTUP DISKETTE  A diskette known to be
            uninfected, that contains the coded instructions
            from which the computer can be started. See
            Chapter 2 for instructions on preparing one.
            
            COLD BOOT  To start a computer from power-off
            state.
            
            COMPRESSED FILE  A file (usually with a .ZIP
            extension) that has been compressed using the
            PKZIP file compression utility.
            
            CONVENTIONAL MEMORY  Up to 640Kb of main memory
            in which DOS executes programs.
            
            CORRUPTED FILE  A file that has been damaged.
            About 10% to 20% of viral infections involve
            viruses that damage files beyond repair.
            
            DETECTION  Scanning memory and disks for
            telltale marks or changes indicating that a
            virus might be present.
            

           Using VirusScan (Version 2.1.1)                           103
            
            DISINFECT  To eradicate a virus so that it can
            no longer spread or cause damage to a system.
            
            EXCEPTION LIST  List of files to which
            validation codes should not be added because
            they are immunized against viruses or contain
            self-modifying code. Scans /AV option uses the
            list to avoid adding codes to inappropriate
            files; VShield's /CERTIFY option can use it to
            allow certain unvalidated files to be run.
            
            EXECUTABLE (FILE)  A file containing coded
            instructions to be executed by the computer.
            Executable files include programs and overlays.
            
            EXPANDED MEMORY  Memory above the DOS 640Kb
            limit of conventional memory that is accessed by
            memory paging. You need special software,
            conforming to an expanded memory specification,
            to take advantage of expanded memory.
            
            EXTENDED MEMORY  Linear memory above the DOS
            640Kb limit of conventional memory. Often used
            for RAM disks and print spoolers.
            
            FALSE ALARM  Detecting a virus when none is
            present.
            
            INFECTED FILE  A file contaminated by a virus.
            
            MASTER BOOT RECORD (MBR)  A portion of a hard
            disk that contains a partition table that
            divides the drive into chunks, some of which may
            be assigned to operating systems other than DOS.
            
            MEMORY  A storage medium where data or program
            code are kept temporarily while being used by
            the computer. DOS supports up to 640Kb of
            conventional memory. Beyond that limit may be
            accessed as expanded memory, extended memory, or
            an upper memory block (UMB).
            
            MEMORY INFECTION  Contamination of memory by a
            virus. The only certain way to eliminate memory
            infections is to restart from a disk known to be
            uninfected, then clean up the source of
            infection.
            
            MODIFIED FILE  A file that has changed after
            validation/recovery codes have been added.
            
            

           Using VirusScan (Version 2.1.1)                           104            
            
            OVERLAY INFECTION  Virus contamination of a file
            containing auxiliary program code that is loaded
            by the main program.
            
            PARTITION TABLE  See MASTER BOOT RECORD.
            
            POLYMORPHIC VIRUS  A virus that attempts to
            evade detection by changing its internal
            structure or its encryption techniques.
            
            PROGRAM  Software that performs a defined
            function on a computer. See executable.
            
            READ OPERATION  Any operation in which
            information is read from a disk. DOS commands
            that perform read operations include dir
            (directory listing), type (display contents of a
            file), and copy (copy files). See also write
            operation.
            
            RECOVERY CODES  Information that Scan records
            about an executable file in order to recover if
            it is infected by a virus. See also validation
            codes.
            
            SELF-MODIFYING PROGRAM  Software that
            deliberately changes its own program file, often
            to protect against viruses or illegal copying,
            and is therefore difficult to validate in
            conventional ways.
            
            STANDARD EXTENSIONS  Filename extensions
            (suffixes) that signify executable files--.EXE,
            .COM, .SYS, .DLL, .BIN, and .OVL--which Scan
            checks by default.
            
            SYSTEM ERRORS  Errors that can prevent Scan from
            completing its job successfully. System error
            conditions include disk format errors (such as
            unformatted disks), media errors (bad sectors),
            file system errors (unreadable files), network
            errors (unable to log in), file access errors
            (access permission denied), device access errors
            (printer out of paper), and report failures.
            
            TERMINATE-AND-STAY-RESIDENT (TSR)  A program,
            like VShield,  that remains active in memory
            while you run other programs.
            
            TURBO  A scanning option that is faster than
            normal but less comprehensive (because it checks
            a smaller portion of each file).
            
           Using VirusScan (Version 2.1.1)                           105            

            UNKNOWN VIRUS  A virus not yet identified and
            listed in SCAN.DAT. VirusScan can detect unknown
            viruses by observing changes in files that could
            result from infection.
            
            UPPER MEMORY BLOCK (UMB)  Memory in the range
            640-1024Kb, just above the DOS 640Kb limit of
            conventional memory.
            
            VALIDATE  To check that a file is authentic and
            has not been altered. Most validation methods
            rely on computing a statistic based on all the
            data in the file, which is unlikely to remain
            constant if the file itself is changed.
            
            VALIDATION CODES  Information that Scan records
            about an executable file in order to detect
            subsequent infection by a virus. See also
            recovery codes.
            
            VIRUS  A software program that attaches itself
            to another program in computer memory or on a
            disk, and spreads from one program to another.
            Viruses may damage data, cause the computer to
            crash, display messages, or lie dormant.
            
            WARM BOOT  To restart (reset) a running
            computer, in DOS by pressing [Ctrl]+[Alt]+[Del].
            
            WRITE OPERATION  Any operation in which
            information is recorded on a disk. Commands that
            perform write operations include those that
            save, move, and copy files. Most write
            operations are also read operations because the
            system verifies that the data have been written
            correctly. See also read operation.
            
            WRITE PROTECTION  A mechanism to protect files
            or disks from being changed. A 3.5" diskette may be 
            write-protected by sliding its corner tab so that 
            the square hole is open; a 5.25" diskette by covering 
            its corner notch with a write-protect tab. A file 
            may be write-protected by changing its system attributes.
            
            
            
