scan95b.doc | Text File | 1993-03-01 | 51KB | 1,113 lines
VIRUSCAN Version 8.7B95
Copyright (C) 1989 - 1992 by McAfee Associates
All rights reserved.
Documentation by Aryeh Goretsky.
McAfee Associates (408) 988-3832 office
3350 Scott Blvd, Bldg. 14 (408) 970-9727 fax
Santa Clara, CA 95054 (408) 988-4004 BBS (32 lines)
U.S.A. USR HST/v.32/v.42bis/MNP1-5
CompuServe GO VIRUSFORUM
InterNet mcafee@netcom.COM
TABLE OF CONTENTS:
SYNOPSIS
- What is VIRUSCAN?
- System requirements
AUTHENTICITY
- Verifying the integrity of VIRUSCAN
WHAT'S NEW
- New features and viruses in this release
OVERVIEW
- General description of VIRUSCAN
OPERATION and OPTIONS
- How to use VIRUSCAN, detailed explanation of switches
EXAMPLES
- Samples of frequently-used options
EXIT CODES
- For running VIRUSCAN from batch files
VIRUS REMOVAL
- How to manually remove a virus
REGISTRATION
- How to register VIRUSCAN
TECH SUPPORT
- Information you should have ready when calling
APPENDIX A
- Creating a virus string file with the /EXT option
APPENDIX B
- How to check only memory for viruses
- Validation codes: Tips and Tricks
- Reformatting infected floppies with DOS 5.00
- Creating a Recovery Disk
SYNOPSIS
VIRUSCAN (SCAN) is a virus detection and identification
program for IBM PC and compatible computers. SCAN will search a
PC for known computer viruses in memory, the partition table,
the boot sector and the files of a PC and disks. SCAN can
also detect the presence of unknown viruses.
SCAN works by searching the system for sequences of bytes
unique to each computer virus and then reporting their presence
when found. This method works for viruses recognized by SCAN.
SCAN also checks for new/unknown viruses by looking for virus-
like code patterns, plus comparisons against previously-stored
validation (checksum) data. When the enhanced validation mode
is used, CLEAN-UP can restore infected partition tables, boot
sectors, or files infected by unknown (new) viruses (See OPTIONS
for more information on enhanced validation). The data for the
enhanced validation mode can be stored off-line on disks as a
"Recovery Disk" in case of infection by an unknown virus.
SCAN can also check for new viruses from a user-created list of
virus search strings.
VIRUSCAN requires 320Kb of RAM and DOS 2.0 or above (some
features require DOS 3.1 or above).
AUTHENTICITY
VIRUSCAN performs a self-check when run. If SCAN has been
modified in any way, a warning will be displayed and the user
will be prompted to either continue or quit. SCAN can still
check for viruses; however, if SCAN reports that it has been
damaged, it is recommended that a clean copy be obtained.
SCAN versions 46 and above are packaged with the VALIDATE
program to ensure the integrity of the SCAN.EXE file. The
VALIDATE.DOC file tells how to use VALIDATE. VALIDATE can be
used to check subsequent versions of SCAN for tampering.
The validation results for Version 8.7B95 should be:
FILE NAME: SCAN.EXE
SIZE: 80,073
DATE: 08-19-1992
FILE AUTHENTICATION
Check Method 1: 3885
Check Method 2: 0813
If your copy of SCAN differs, it may have been damaged or have
options stored in it with the /SAVE switch. Run SCAN with only
the /SAVE option to remove any stored options and then re-run
VALIDATE. Always obtain your copy of VIRUSCAN from a known
source. The latest version of VIRUSCAN and validation data for
SCAN.EXE can be obtained from McAfee Associates' bulletin board
system at (408) 988-4004 or from the Computer Virus Help Forum
on CompuServe (GO VIRUSFORUM).
Beginning with Version 72, all of McAfee Associates'
VIRUSCAN series are archived with PKWare's PKZIP Authentic File
Verification. When you unzip the files, you should see "-AV"
after every file and receive the "Authentic Files Verified!
# NWN405 Zip Source: McAFEE ASSOCIATES" message. If you do not,
do not use the files. If your version of PKUNZIP does not have
verification ability, then this message may not be displayed.
Please contact us if you believe tampering has occurred to the
.ZIP file.
WHAT'S NEW
Version 95B replaces Version 95. This corrects a
reported false alarm, and a problem with the /save switch.
Version 95 replaces Version 93 of SCAN. While we did
start beta-testing with Version BETA94, we received a report
of a Trojan horse Version 94 from Mexico. In order to prevent
any confusion, we have skipped ahead to B95.
Version 8.7B95 adds detection of 99 new viruses, bringing
the total number of known viruses to 685, or counting variants,
1,401. For a complete description of known viruses please
refer to Patricia Hoffman's VSUM.
Viruses reported at multiple sites include the Cansu, a
floppy disk boot sector and hard disk partition table infector
that encrypts its own code. The virus keeps track of how many
diskettes it has infected and on every 64th infection displays
a "V" sign.
Beginning in Version 90, we have started optimizing our
virus search strings by grouping similar viruses together
into generic virus detection strings. This speeds up the
VIRUSCAN program by reducing the amount of virus strings it
has to look for and makes the program file smaller by reducing
the size of its virus string data.
A new companion program for SCAN has been released named
TARGET. A stand-alone file location and manipulation utility
for PC's and networks, TARGET, when used with SCAN, adds several
features for selecting which files are scanned. TARGET can,
for example, find all new files added within the past week,
scan them for viruses, and move them to a specific subdirectory
or drive, all with one command. Or it could locate all backed
up or duplicate files, delete the duplicates, and compress
them into an archive (with PKWare's PKZIP or a similar
utility). TARGET can be used in a virtually unlimited number
of ways to manipulate files. TARGET is available from the
McAfee Associates' bulletin board system, the Computer Virus
Help Forum on CompuServe, or any McAfee Associates' Authorized
Agent listed in the accompanying AGENTS.TXT file.
THE COMPUSERVE COMPUTER VIRUS HELP FORUM
We are now sponsoring the Computer Virus Help Forum on
CompuServe. Updates to the VIRUSCAN series, information about
computer viruses, and technical support may be obtained by
typing GO VIRUSFORUM at any CompuServe prompt. A free
introductory membership to CompuServe is also available. For
more information, please read the COMPUSER.NOT file.
OVERVIEW
VIRUSCAN is designed to work with stand-alone and networked
PCs. For file servers, use the NETSCAN program instead.
SCAN checks files, subdirectories, diskettes or entire
systems for pre-existing computer virus infections. It will
identify the virus infecting the system and the area where it
was found. Infected files can be removed either with the /D
overwrite-and-delete option in SCAN which will erase the file,
or with the CLEAN-UP universal virus disinfection program. The
CLEAN-UP program is recommended because in most cases it
eliminates the virus and fully restores the program or system
area.
VIRUSCAN Version 95 identifies all 685 known computer
viruses and their variants. Some viruses have been modified so
that more than one "strain" exists. Counting modifications,
there are 1,401 viruses. This includes the twenty most common
viruses which account for over 95% of all reported infections.
The accompanying VIRLIST.TXT file lists and describes all viruses
identified by SCAN.
All known viruses infect one or more of the following
areas: the hard disk partition table (alias Master Boot Record);
the DOS Boot Sector of disks; or one or more executable files on
the system. Executable files include operating system files,
.COM files, .EXE files, overlay files, or any other files
containing program code. A virus that infects more than one
area, such as a boot sector and an executable file, is called
a multipartite virus.
VIRUSCAN identifies every system area or file infected,
and gives the name of the virus and the I.D. code used with
CLEAN-UP to remove it.
VIRUSCAN can also check for unknown viruses with the Check
Validation options (/CV, /CG and /CF). This is done by
calculating a checksum for files and system areas, storing it,
and on later scans recalculating the checksum and comparing it
against the stored value. The checksum can be stored at
the end of .COM and .EXE files or saved to a user-specified file
which can then be stored offline (e.g., on floppies) for
recovery purposes. If the file has been modified, the checksum
will no longer match, indicating that viral infection may have
occurred. When run in the Enhanced Validation (/CG or /CF)
modes, information will be saved that can be used to restore
files or areas of the system that have been damaged by
unknown (new) viruses.
VIRUSCAN calculates checksums using two independently-
generated CRC's (Cyclic Redundancy Check). Files which are
self-checking (e.g., Lotus 1-2-3) should not be validated with
the /AV (Add Validation) or /AG (Add Generic) switches which
modify files. Instead, use the /AF (Add File) switch, which
stores its data in a separate file. See the entries for /AF,
/AG, and /AV under OPERATION and OPTIONS for more information.
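The separate-file approach described above, as an added example (not McAfee's code): a Python sketch that records two independently computed CRCs per file in a store kept apart from the files, then re-checks them without ever writing to the files themselves. The choice of CRC-32 and CRC-16/CCITT, the JSON store layout, and all file names and contents are assumptions constructed for illustration; the page does not say which CRCs SCAN uses.

```python
import binascii
import json
import os
import tempfile
import zlib


def fingerprint(path):
    """Size plus two independently computed CRCs of a file's contents."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "size": len(data),
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,    # CRC-32 (assumed choice)
        "crc16": binascii.crc_hqx(data, 0xFFFF),   # CRC-16/CCITT (assumed choice)
    }


def add_validation(paths, store_path):
    """Record a baseline for each path in a separate store file.

    The checked files are never written to, so self-checking programs keep
    working. The JSON layout is an assumption of this example.
    """
    store = {os.path.abspath(p): fingerprint(p) for p in paths}
    with open(store_path, "w", encoding="ascii") as fh:
        json.dump(store, fh, indent=1, sort_keys=True)
    return store


def check_validation(paths, store_path):
    """Compare current files against the store; return {path: status}."""
    with open(store_path, encoding="ascii") as fh:
        store = json.load(fh)
    report = {}
    for p in paths:
        baseline = store.get(os.path.abspath(p))
        if baseline is None:
            report[p] = "unvalidated"    # no baseline was ever recorded
        elif not os.path.exists(p):
            report[p] = "missing"
        elif fingerprint(p) != baseline:
            report[p] = "modified"       # size or either CRC differs
        else:
            report[p] = "ok"
    return report


def demo():
    """Constructed files: baseline three, then change two and add one."""
    with tempfile.TemporaryDirectory() as d:
        def make(name, data):
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(data)
            return path

        clean = make("CLEAN.COM", b"\xb4\x4c\xcd\x21" + b"\x00" * 60)
        grown = make("GROWN.COM", b"\xb4\x4c\xcd\x21" + b"\x00" * 60)
        patched = make("PATCHED.EXE", b"MZ" + b"\x90" * 62)
        store = os.path.join(d, "baseline.json")
        add_validation([clean, grown, patched], store)

        # Bytes appended after the baseline: the file size changes.
        with open(grown, "ab") as fh:
            fh.write(b"\xcc" * 32)
        # In-place overwrite: same size, different content.
        with open(patched, "r+b") as fh:
            fh.seek(10)
            fh.write(b"\xeb\xfe")
        added = make("ADDED.COM", b"\xc3")   # created after the baseline

        report = check_validation([clean, grown, patched, added], store)
        return {os.path.basename(p): s for p, s in report.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12} {status}")
```

A CRC detects accidental or naive modification but can be matched deliberately by someone who knows the algorithm, so the store is only as trustworthy as the place it is kept.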
When SCAN is run with the /AV or /AG switches it adds
validation codes to .COM and .EXE files only. The validation
codes for the partition table, boot sector, and system files are
kept in a hidden file called SCANVAL.VAL in the root directory.
VIRUSCAN can check for unknown (new) viruses in the boot
sector and partition table. When virus-like code is found in
either area SCAN indicates it has found a Generic Boot Sector
or MBR Virus, respectively.
VIRUSCAN can be updated to search for new viruses by an
External Virus Data File, which allows the user to input new
search strings for viruses.
After seven months have passed VIRUSCAN will display a
message that it may no longer be current. However, SCAN will
continue to function as normal. This message can be bypassed
by running SCAN with the /NOEXPIRE switch.
VIRUSCAN displays messages in English, French, or Spanish.
OPERATION and OPTIONS
IMPORTANT NOTE: WRITE PROTECT YOUR FLOPPY DISK BEFORE SCANNING
TO PREVENT INFECTION OF THE VIRUSCAN PROGRAM.
VIRUSCAN checks files and other areas of the system that
can contain a computer virus. When a virus is found, SCAN
identifies the virus and the file or system area where it was
found.
SCAN examines files based on their extension. The default
extensions supported by SCAN are .APP, .BIN, .COM, .EXE, .OV?,
.PGM, .PIF, .PRG, .SWP, .SYS, and .XTP. Additional extensions
can be added with the /EXT option, or use the /A to check all
files on the disk.
Valid options for VIRUSCAN are:
SCAN d1: ... d26: /? /A /AF filename /AG filename /AV filename
/BELL /CERTIFY /CF filename /CHKHI /CG /CV
/D /DATE /E .xxx .yyy .zzz /EXT filename
/FAST /FR /H /HELP /HISTORY filename /MAINT
/MANY /NLZ /NOBREAK /NOEXPIRE /NOMEM /NOPAUSE
/NPKL /REPORT filename /RF filename /RG /RV
/SAVE /SHOWDATE /SP /SUB /UNATTEND @filename
Options are:
\ - Scan root directory and boot area only
/? /H /HELP - Display help screen
/A - Scan all files, including data, for viruses
/AF filename - Store recovery data/validation codes to file
/AG filename - Add recovery data/validation codes to files
EXCEPT those listed in filename
/AV filename - Add validation codes to files EXCEPT those
listed in filename
/BELL - Beep whenever a virus is found
/CERTIFY - List files that do not have a validation code
/CF filename - Check for viruses using recovery data/
validation codes stored in filename
/CHKHI - Check memory from 0Kb to 1088Kb
/CG - Check recovery data/validation codes on files
/CV - Check validation codes on files
/D - Overwrite and delete infected file
/DATE - Save the date and time VIRUSCAN was last run
(use /SHOWDATE to display date and time)
/E .xxx .yyy - Scan overlay extensions .xxx .yyy .zzz
/EXT filename - Scan using external virus data file
/FAST - Speed up VIRUSCAN's output
(see below for specifics)
/FR - Display messages in French
/HISTORY filename - Create infection log, appending to old log
/M - Scan memory for all viruses
(see below for specifics)
/MAINT - Scan "invalid media" error (damaged) disk
/MANY - Scan multiple floppies
/NLZ - Skip internal scan of LZEXE-compressed files
/NOBREAK - Disable Ctrl-C and Ctrl-Brk during scanning
/NOEXPIRE - Do not display expiration notice
/NOMEM - Skip memory checking
/NOPAUSE - Disable screen pause when scanning
/NPKL - Skip internal scan of PKLITE-compressed files
/REPORT filename - Create infection log, deleting old log
/RF filename - Remove recovery data/validation codes stored
in filename
/RG - Remove recovery data/validation codes from
files
/RV - Remove validation codes from specified files
/SAVE - Save specified command line options as new
defaults
/SHOWDATE - Show date and time SCAN was last run
(use /DATE to save date and time)
/SP - Display messages in Spanish
/SUB - Scan subdirectories under a subdirectory
/UNATTEND - Scan using DOS critical error handler
@filename - Scan using options from configuration file
(d1: ... d26: indicate drives to be scanned)
The /A option checks all files on the drive scanned. This
substantially increases the time required to scan disks, so
it is recommended this switch only be used when installing new
software or if a file-infecting virus has been found. This
option takes priority over the /E option.
The /AF option logs recovery data and validation codes
for .COM and .EXE files, boot sector, and partition table of a
disk to a user-specified file that can be located on any drive.
The size of the file is about 20K per 1,000 files validated.
The syntax is /AF filename, where "filename" is the path and
file where recovery data and validation codes are stored.
The /AG option allows the user to store recovery data and
validation codes for .COM and .EXE files, boot sector, and
partition table of a disk. Recovery information adds fifty-two
(52) bytes to files. The recovery information for the partition
table, boot sector, COMMAND.COM and system files is stored
separately in a hidden file called SCANVAL.VAL in the root
directory of the drive being scanned. It is otherwise similar
to the /AV option below. Recovery requires the CLEAN-UP
(CLEAN.EXE) program.
The /AV option allows the user to add validation codes to
.COM and .EXE files being scanned. Validation adds ten (10)
bytes to files. If the whole drive is specified, SCAN will also
create validation data for the partition table, boot sector,
COMMAND.COM and system files and store them separately in a
hidden file called SCANVAL.VAL in the root directory of the
drive being scanned. Files which are immunized against viruses
or contain self-modifying code should not have validation codes
added to
them. To prevent SCAN from adding validation codes to these
files, a validation exception list must be created with the path
and filename of each file NOT to be validated listed on each
line. Only one file should be on a line. To put a comment in,
start a line with the asterisk "*" character. This sample file
contains a list of programs NOT to validate:
*This is Nantucket Corp's database program, Clipper
C:\CLIPPER\BIN\CLIPPER.EXE
*This is Lotus Development Corp's spreadsheet program, 1-2-3
C:\123\123.COM
*This is MS-DOS 5.00's self-modifying program, SETVER
C:\DOS\SETVER.EXE
*PKWare's data compression programs already perform a self-check
C:\PKWARE\PKLITE.EXE
C:\PKWARE\PKZIP.EXE
C:\PKWARE\PKUNZIP.EXE
*Stac Technologies hard disk swapping program
C:\SWAPVOL.COM
*Symantec's Norton Utilities V6.01 disk caching program
C:\NORTON\NCACHE.EXE
*WordStar Corp's word processor is self-modifying
C:\WORDSTAR\WS.EXE
The validation exception list should be an ASCII text file. If
a word processor is used to create the list, be sure to save
the file as ASCII.
The /BELL option will cause VIRUSCAN to beep each time a
computer virus is found.
The /CERTIFY option will audit a system for files that have
validation codes added to them with the /AG or /AV switches.
Files that have no validation code will be reported as being
uncertified by VIRUSCAN and an ERRORLEVEL of 3 will be returned
after SCAN is run.
The /CF option checks recovery data and validation codes
added by the /AF option. The syntax is /CF filename, where
"filename" is the path and file name where recovery data
and validation codes are stored.
The /CG option checks recovery data and validation codes
added by the /AG option. If a file or system area has changed,
SCAN will report that the file or system area has been modified
and a viral infection may have occurred. The /CG option takes
priority over the /CV option.
The /CHKHI option checks the memory above 640Kb that can be
used on AT (286) and 386 systems for computer viruses. This
includes the 384Kb Upper Memory Area from 640Kb to 1024Kb, and
the 64Kb High Memory Area from 1024Kb to 1088Kb. On XT systems
with extended memory cards installed, this will cause the first
64K of RAM to be scanned again. This option cannot be used
with the /NOMEM option.
The /CV option checks validation codes inserted by the /AV
option. If a file or system area has been changed, SCAN will
report that the file or system area has been modified and a
viral infection may have occurred. Using the /CV option adds
about 25% more time to scanning.
NOTE: Some older Hewlett Packard and Zenith PC's modify the
boot sector each time the system is booted. This will cause
SCAN to continually notify the user of boot sector modifications
if the /CV switch is selected. Check your system's manual to
determine if your system contains self-modifying boot code.
The /D option tells VIRUSCAN to prompt the user to
overwrite and delete an infected file when one is found. A file
erased by the /D option cannot be recovered. If the CLEAN-UP
program is available, it can be used to disinfect the file.
Boot sector and partition table infectors cannot be removed by
the /D option and require the CLEAN-UP virus removal program.
The /DATE option stores the time and date the VIRUSCAN
program was last run. This is done by changing the date on the
SCANVAL.VAL file. If no such file exists, SCAN will create a
0-byte long SCANVAL.VAL file in the currently-logged directory.
The /E option allows the user to specify an extension or
set of extensions to scan. Extensions should include a period
"." and should also be separated by a space after the /E. Up to
three extensions may be added with the /E. For more extensions,
use the /A option.
The /EXT option allows VIRUSCAN to search for viruses from
a text file containing user-defined search strings in addition
to the viruses that SCAN already identifies. The syntax for
using the external virus data file is /EXT d:filename, where d:
is the drive name and filename is the name of the external virus
data file. For instructions on how to create an external virus
data file, refer to Appendix A.
NOTE: The /EXT option provides users with the ability to add
strings for detection of viruses on an interim or
emergency basis. When used with the /D option, it will
overwrite-and-delete infected files. This option is not
for general use and should be used with caution.
The /FAST option will speed SCAN up by displaying fewer
messages on the screen, skipping checking inside of LZEXE- and
PKLITE-compressed files, and examining a smaller portion of
files during scanning. This may reduce the accuracy of SCAN.
The /FR option tells VIRUSCAN to output all messages in
French instead of English. The /FR option cannot be used with
the /SP (Spanish) option.
The /HISTORY option saves a list of infected files to
disk. The list is saved to disk as an ASCII text file. If a
list exists, then the results of the current scan will be added
to the end. The syntax is /HISTORY filename, where "filename"
is the path and name of the report file.
The /M option tells VIRUSCAN to check system memory for all
known computer viruses that can inhabit memory. SCAN by default
only checks memory for critical and "stealth" viruses, which are
viruses which can cause catastrophic damage or spread the virus
infection during the scanning process. By default, SCAN will
check memory for the following viruses:
1024 1253 1554 1963
1971 2560 337 3445-Stealth
4096 512 Anthrax Antitelefonica
Brain Caz CD Dark Avenger
Dir-2 Doom II Empire Fish
Flu-2 Form Greemlin Irish
Joshi Leech Lozinsky Microbes
Mirror Nomenklatura NOP No-Int (Stoned III)
P1R (Phoenix) Phantom Plastique Pogue
SBC Sentinel Stoned Sunday-2
SVC Taiwan3 Tequila Turbo (Polish-2)
Twin-351 V2100 V2P6 Whale
If one of these viruses is found in memory, SCAN will stop and
tell the user to power down, and reboot the system from a virus-
free system-bootable disk. The /M option adds 6 to 20 seconds.
NOTE: Using the /M option with another anti-viral software
package may result in false alarms if the other package
does not remove its virus search strings from memory.
The /MAINT option is used to scan hard disks partitioned
with DOS 4.0 or above that have been damaged by a boot sector
or partition table infecting virus. Attempts to access disks
damaged in such a manner result in an "invalid media" message
being displayed. The /MAINT option will only scan the partition
table and boot sector, not the files.
The /MANY option is used to scan multiple diskettes placed
in a given drive. If the user has more than one floppy disk to
check for viruses, the /MANY option allows the user to
check disks without having to re-run SCAN multiple times.
After the system has been disinfected, the /MANY and /NOMEM
options can be used together to speed up the scanning of disks.
The /NLZ option tells SCAN not to look inside files
compressed with LZEXE, a file compression program. SCAN will
still check the LZEXE-compressed files for viruses that have
infected after file compression.
The /NOBREAK option prevents Ctrl-C or Ctrl-Brk from
aborting the scanning process.
The /NOMEM option is used to turn off all memory checking
for viruses in order to speed up the scanning process. It
should only be used when a system is known to be virus-free.
The /NOMEM option can not be used with the /CHKHI or /M options.
The /NOEXPIRE option disables the message that SCAN
displays after seven months, warning that it may no longer
be current with respect to known computer viruses.
The /NOPAUSE option disables the "More? (H = Help )" prompt
that is displayed when SCAN fills up a screen with messages.
This allows SCAN to run on PC's with severe infections without
requiring operator assistance.
The /NPKL option tells SCAN not to look inside files
compressed with PKLITE, a file compression program. SCAN will
still check the PKLITE-compressed files for viruses that have
infected after file compression.
The /REPORT option saves a list of infected files to
disk. The list is saved to disk as an ASCII text file. If a
list exists, then it will be overwritten with the new list.
The syntax is /REPORT filename, where "filename" is the path
and name of the report file.
The /RF option will remove recovery data and validation
codes for files from the recovery data and validation code
file. The syntax is /RF filename, where "filename" is the path
and file where recovery data and validation codes are stored.
The /RG option will remove validation codes and recovery
information from files validated with the /AG option.
The /RV option is used to remove validation codes from a
file or files. It can be used to remove the validation code
from a diskette, subdirectory, or file(s). Using /RV on a disk
will remove the partition table, boot sector, and system file
validation. This option cannot be used with the /AV option.
The /SAVE option is used to store SCAN options for
subsequent executions of SCAN. Options are stored by modifying
the SCAN.EXE executable file. For example:
SCAN /NOMEM /REPORT FILE1 /NOPAUSE /SAVE
will set the default options to /NOMEM, /REPORT and /NOPAUSE.
If SCAN is run with just the /SAVE switch, then all options are
removed and SCAN executes with its original settings.
If you do not wish to modify the SCAN.EXE file, use the
@filename option instead, which allows you to store the SCAN
options in a separate text file.
NOTE: VALIDATE 0.4 must be used to validate SCAN version 89 or
above if /SAVE is used. /SAVE directly modifies SCAN.EXE
and the validate codes will no longer match if an older
version of VALIDATE is used. VALIDATE 0.4 will generate
the correct validation results even if the /SAVE option
has been used. Third party file-integrity check programs
may not produce the same results after the /SAVE option
is used. The /SAVE option should be added to SCAN by the
Systems Administrator prior to final installation on PC's
if other integrity checking programs are in use.
The /SHOWDATE option displays the time and date that SCAN
was last run. No virus checking is performed.
NOTE: When run with /SHOWDATE, SCAN only displays the last run
date. Viruses will *NOT* be checked for.
The /SP option tells VIRUSCAN to output all messages in
Spanish instead of English. This option can not be used with
the /FR (French) option.
The /SUB option scans all subdirectories inside a subdirectory.
Previously, SCAN would only recursively check subdirectories
if a logical device (e.g., C:) was scanned.
The /UNATTEND option tells VIRUSCAN to use the DOS critical
error handler when accessing files. If SCAN accesses a file
which is in use by another program, it will continue scanning
instead of displaying an error message. This option requires
DOS 3.10 or above.
NOTE: The /UNATTEND switch is required if you are running
SCAN from a DOS session inside Windows or OS/2.
The @FILENAME option allows the user to store a list of
options and/or system areas to be scanned in a configuration
file. Options need to be separated by a space, while system
areas (disks, subdirectories, or files) need to be on separate
lines. A sample file might look like this:
/A /BELL /CV /NOMEM /REPORT C:\VIRUSCAN\SCAN.LOG
C:
D:\BBS
E:\MCAFEE\CLEAN-UP\CLEAN.EXE
The first line contains the VIRUSCAN options while other lines
contain the names of disks, subdirectories, or files to scan.
The configuration file should be an ASCII text file. If a word
processor is used to create the list, be sure to save as ASCII.
EXAMPLES
The following examples show different option settings:
SCAN C:
To scan drive C:
SCAN A:R-HOOPER.EXE
Scans file "R-HOOPER.EXE" on drive A:
SCAN A: /A /CV
To scan all files and check validation codes for unknown
viruses on drive A:.
SCAN B: /D /A
Scans all files on drive B: and prompts for erasure of
any infected files, if found.
SCAN C: D: E: /AV /NOMEM
To add validation codes to files on drives C:, D:, and
E:, and skip memory checking.
SCAN C: D: /M /A /FR
Scan memory for all viruses, all files on drives C: and
D:, and output all messages in French.
SCAN C: D: /E .WPM .COD
Scans drives C: and D:, including .WPM and .COD files
SCAN C: /EXT A:SAMPLE.ASC /BELL
To scan drive C: for known computer viruses and also
for viruses added by the user via the external virus
data file option, and beep whenever a virus is found.
SCAN C: /M /NOPAUSE /REPORT A:INFECTN.RPT
To scan for all viruses in memory and drive C: without
stopping, and create a log file INFECTN.RPT on drive A:
SCAN C: D: /NOPAUSE /REPORT B:VIRUS.RPT
To scan drives C: and D: for viruses without stopping,
and create a log on drive B: called VIRUS.RPT
SCAN E:\DOWNLOADS /SUB
To scan all subdirectories under DOWNLOADS on drive E:
SCAN C: D: E: /FAST /CERTIFY
To perform a fast scan of drives C:, D:, and E: and
check for any files that do not have validation codes.
SCAN @C:\SCANOPTN.LST
To run VIRUSCAN using configuration file SCANOPTN.LST
in the root directory of drive C:.
EXIT CODES
After VIRUSCAN has finished running, it will set the DOS
ERRORLEVEL. ERRORLEVEL's are used in batch files to pass the
results of a program's actions. The ERRORLEVEL's returned by
SCAN are:
ERRORLEVEL │ DESCRIPTION
═══════════╪══════════════════════════════════════════════
0 │ No viruses found
1 │ One or more viruses found
2 │ Abnormal termination (program error)
3 │ One or more uncertified files found
4 │ Ctrl-C or Ctrl-Break aborted scan
If a user stops the scanning process, SCAN will set the
ERRORLEVEL to 3. The /NOBREAK option can be used to prevent
users from stopping SCAN.
VIRUS REMOVAL
What do you do if a virus is found? You can contact McAfee
Associates for help by BBS, FAX, telephone, Internet, or
CompuServe. There is no charge for support calls to McAfee
Associates.
The CLEAN-UP universal virus disinfection program can
disinfect virtually all reported computer viruses. It is
updated with each release of the SCAN program to remove new
viruses. CLEAN-UP can be downloaded from McAfee Associates'
BBS, the SIMTEL20 archives on the InterNet, the Computer Virus
Help Forum on CompuServe, or from any of the agents listed in
the enclosed AGENTS.TXT text file.
It is strongly recommended that you get experienced help in
dealing with viruses if you are unfamiliar with anti-virus
software and methods. This is especially true for 'critical'
viruses and partition table/boot sector infecting viruses as
improper removal of these viruses can result in the loss of
all data and the use of the infected disk(s). [For a listing of
critical viruses, see the /M switch listed under OPTIONS above.]
For qualified assistance in removing a virus, please
contact McAfee Associates directly or any of the Authorized
McAfee Associates Agents in your area. Agents may charge McAfee
Associates' normal support rates for their services.
If you wish to remove a file-infecting virus manually, you
can run SCAN with the /A and /D switches to erase all infected
files.
Before removing a boot sector or partition table-infecting
virus, it is recommended that you cold boot the infected PC from
a clean DOS disk and backup any critical data.
REGISTRATION
A registration fee of US$25.00 is required for the use of
VIRUSCAN by individual home users. Registration entitles the
holder to unlimited free upgrades from McAfee Associates' BBS
or the Computer Virus Help Forum on CompuServe and technical
support for one year. When registering, a diskette containing
the latest version may be requested for an additional US$9.00.
Only one diskette mailing will be made.
Registration is for home users only and does not apply to
businesses, corporations, organizations, government agencies, or
schools, which must obtain a license for use. Contact McAfee
Associates directly or an Authorized Agent for more information.
TECH SUPPORT
For fast and accurate help, please have the following
information ready when you contact McAfee Associates:
- Program name and version number.
- Type and brand of computer, hard disk, plus any
peripherals.
- Version of DOS plus any TSRs or device drivers in use.
- Printouts of your AUTOEXEC.BAT and CONFIG.SYS files.
- A printout of what is in memory from the MEM command
(DOS 4 and above users only) or a similar utility.
- The exact problem you are having. Please be as
specific as possible. Having a printout of the
screen and/or being at your computer will be helpful.
McAfee Associates can be contacted by BBS, CompuServe, FAX, or
InterNet 24 hours a day, or by telephone at (408) 988-3832,
Monday through Friday, 7:00AM to 5:30PM Pacific Time.
McAfee Associates (408) 988-3832 office
3350 Scott Blvd. Bldg. 14 (408) 970-9727 fax
Santa Clara, CA 95054-3107 (408) 988-4004 BBS (32 lines)
U.S.A USR HST/v.32/v.42bis/MNP 1-5
CompuServe GO VIRUSFORUM
Internet mcafee@netcom.com
If you are overseas, there may be an Authorized McAfee Associates
Agent in your area. Please refer to the AGENTS.TXT file for a
listing of McAfee Associates Agents for support or sales.
APPENDIX A: Creating a Virus String File with the /EXT Option
NOTE: The /EXT option is intended for emergency and research
use only. It is a temporary method for identifying new
viruses prior to the subsequent release of SCAN. A
thorough understanding of viruses and string-search
techniques is advised for using this option. A string
length of 10 to 15 bytes is recommended.
The External Virus Data file should be created with an
editor or a word processor and saved as an ASCII text file. Be
sure each line ends with a Carriage Return/Line Feed pair.
The virus string file uses the following format:
#Comment about Virus_1
"aabbccddeeff..." Virus_1_Name
#Comment about Virus_2
"gghhiijjkkll..." Virus_2_Name
.
.
"uuvvwwxxyyzz..." Virus_n_Name
Where aa, bb, cc, etc. are the hexadecimal bytes that you wish
to scan for. Each line in the file represents one virus. The
Virus Name for each virus is mandatory, and may be up to 25
characters in length. The double quotes (") are required at the
beginning and end of each hexadecimal string.
SCAN will use the string file to search memory, the
Partition Table, Boot Sector, System files, all .COM and .EXE
files, and overlay files with the extension .APP, .BIN, .COM,
.EXE, .OV?, .PGM, .PIF, .PRG, .SWP, .SYS, and .XTP.
Virus strings may contain wild cards. The two wildcard
options are:
FIXED POSITION WILDCARD
The question mark "?" may be used to represent a wildcard
in a fixed position within the string. For example, the string:
"E9 7C 00 10 ? 37 CB"
would match "E9 7C 00 10 27 37 CB", "E9 7C 00 10 9C 37 CB", or
any other similar string, regardless of the fifth byte.
RANGE WILDCARD
The asterisk "*", followed by a range number in parentheses
"(" and ")" is used to represent a variable number of adjoining
random bytes. For example, the string:
"E9 7C *(4) 37 CB"
would match "E9 7C 00 37 CB", "E9 7C 00 11 37 CB", and
"E9 7C 00 11 22 37 CB". The string "E9 7C 00 11 22 33 44 37 CB"
would not match since the distance between 7C and 37 is greater
than four bytes. You may specify a range of up to 99 bytes.
Up to 10 different wildcards of either kind may be used in one
virus string.
COMMENTS
A pound sign "#" at the beginning of a line will denote a
comment. Use this for adding notes to the external virus data
file. For example:
#New .COM virus found in file FRITZ.EXE from
#Schneiderland on 01-22-91
"53 48 45 45 50" Fritz-1 [F-1]
gives a description of the virus, name of the infected file,
where and when it was found, etc.
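The string-file format and both wildcards described in this appendix, worked through as an added Python example (not McAfee's code and not a description of how SCAN works internally). It parses a string file, enforces the limits stated above, and searches a buffer by translating each string to a regular expression. Assumptions: "*(n)" is taken to mean 0 to n bytes, and the names Fixed-Demo and Range-Demo are made up.

```python
import re

# One token: a hex byte, "?" (any one byte) or "*(n)" (a run of up to n bytes).
TOKEN = r'[0-9A-Fa-f]{2}|\?|\*\((\d{1,2})\)'
ENTRY = re.compile(r'"([^"]*)"\s+(\S.*)')  # "hex string" Virus_Name

def compile_signature(hex_string):
    """Compile one quoted virus string into a bytes regex."""
    compact = re.sub(r'\s+', '', hex_string)
    if not re.fullmatch(f'(?:{TOKEN})+', compact):
        raise ValueError(f'bad virus string: {hex_string!r}')
    parts, wildcards = [], 0
    for tok in re.finditer(TOKEN, compact):
        if tok[0] == '?':
            parts.append(b'.')
        elif tok[1]:  # "*(n)"; assumption: 0..n bytes, n <= 99 via \d{1,2}
            parts.append(b'.{0,%d}' % int(tok[1]))
        else:
            parts.append(re.escape(bytes.fromhex(tok[0])))
        wildcards += tok[0][0] in '?*'
    if wildcards > 10:
        raise ValueError('more than 10 wildcards in one virus string')
    return re.compile(b''.join(parts), re.DOTALL)

def parse_ext_file(text):
    """Return [(name, regex)] for every non-comment line of a string file."""
    sigs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        entry = ENTRY.fullmatch(line)
        if not entry or len(entry[2].strip()) > 25:
            raise ValueError(f'line {lineno}: need "hex string" Name (<= 25 chars)')
        sigs.append((entry[2].strip(), compile_signature(entry[1])))
    return sigs

def scan(data, sigs):
    """Return (name, offset of first match) for each signature found in data."""
    found = ((name, rx.search(data)) for name, rx in sigs)
    return [(name, m.start()) for name, m in found if m]

# Constructed file: the page's example strings; the two -Demo names are made up.
SAMPLE = '''"E9 7C 00 10 ? 37 CB" Fixed-Demo
"E9 7C *(4) 37 CB" Range-Demo
#New .COM virus found in file FRITZ.EXE from
"53 48 45 45 50" Fritz-1 [F-1]
'''

if __name__ == '__main__':
    print(scan(bytes.fromhex('90 90 E9 7C 00 10 9C 37 CB'), parse_ext_file(SAMPLE)))
```

Short strings such as the five-byte Fritz-1 example match ordinary data easily, which is why a length of 10 to 15 bytes is recommended above.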
APPENDIX B: Miscellaneous Application Notes
CHECKING MEMORY FOR VIRUSES ONLY
VIRUSCAN can perform a quick check for viruses in memory
only. In this mode, SCAN will not check the disk for viruses.
This option is useful for network administrators who need to
check workstations for viruses before allowing them to log on to
a LAN but cannot run the VSHIELD program due to memory
constraints. The command for this is:
SCAN NUL /M /CHKHI
By designating NUL as the drive to be scanned, SCAN will check
system memory for viruses (up to 1088Kb if the /CHKHI option is
used) and then return to DOS without scanning any disks. SCAN
returns the DOS ERRORLEVEL in the normal manner.
VIRUSCAN VALIDATION CODES
If you have installed any new software or programs on your
system, and are running VIRUSCAN or VSHIELD with the /CF, /CG,
or /CV validation codes options, you will need to reinstall
validation codes to the new files with the /AF, /AG, or /AV
add validation codes options of SCAN. In addition, the
SCANVAL.VAL hidden file containing validation codes for the
partition table, boot sector, COMMAND.COM, and system files may
have to be replaced (unhide the file with the DOS ATTRIB command
and then delete it).
The quickest way to update the validation codes is to
remove all validation codes from the hard disk and then add them
back by running SCAN with the /RV and then the /AV options.
NOTE: This applies to any new version of DOS, as well as any
programs which you install on your system.
REFORMATTING INFECTED FLOPPIES WITH DOS 5.00
When reformatting infected floppy disks under DOS 5.0, be
sure to add the /U switch to the FORMAT command. This tells DOS
to do an Unconditional Format of the disk, without saving the
original infected boot sector of the disk. This should be done
to prevent reinfection if the disk is later unformatted.
CREATING A RECOVERY DISK USING THE /AF OPTION
The /AF switch added in Version 90 of SCAN creates a
separate file to store recovery data and validation codes.
This file can be stored off-line (on a floppy disk, network
drive, tape drive, etc.) and accessed on-demand to check for,
and recover from, infection by unknown viruses.
To create a Recovery Disk, format a system-bootable floppy
and copy the VIRUSCAN (SCAN.EXE) and CLEAN-UP (CLEAN.EXE) files
to it. Then run SCAN against the hard disk with the /AF option.
For example:
SCAN C: D: /AF A:\SCANCRC.CRC
will scan the C: and D: drives for known viruses and create
a file named SCANCRC.CRC containing recovery data and validation
codes. After SCAN finishes, write-protect the disk.
To check for virus infection, turn the PC off, insert the
Recovery Disk, and turn the power back on. The PC will now boot
from the floppy disk. At the DOS prompt, type:
SCAN C: D: /CF A:\SCANCRC.CRC
to compare drives C: and D: against the recovery data stored
in the SCANCRC.CRC file on the A: drive.
To disinfect your system, turn your PC off, insert the
Recovery Disk, and turn the power back on. The PC will now
boot from the floppy disk. At the DOS prompt, type:
CLEAN C: D: /GF A:\SCANCRC.CRC
to restore drives C: and D: with the recovery data stored in the
SCANCRC.CRC file on the A: drive.