McAfee Dr Solomon’s Anti-Virus Administrator's Manual

Dr Solomon’s Anti-Virus
Administrator’s Guide
Version 8.5
COPYRIGHT
Copyright © 2000 Network Associates, Inc. and its Affiliated Companies. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Network Associates, Inc.
TRADEMARK ATTRIBUTIONS
* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, CNX, Compass 7, CyberCop, CyberMedia, Data Security Letter, Discover, Distributed Sniffer System, Dr Solomon’s, Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT, GroupShield, HelpDesk, Hunter, ISDN Tel/Scope, LM 1, LANGuru, Leading Help Desk Technology, Magic Solutions, MagicSpy, MagicTree, Magic University, MagicWin, MagicWord, McAfee, McAfee Associates, MoneyMagic, More Power To You, Multimedia Cloaking, NetCrypto, NetOctopus, NetRoom, Net Scan, Net Shield, NetShield, NetStalker, Net Tools, Network Associates, Network General, Network Uptime!, NetXRay, Nuts & Bolts, PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty Good Privacy, PrimeSupport, RecoverKey, Recover Key-International, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, Site Meter, Sniffer, SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR), SupportMagic, Switch PM, TeleSniffer, TIS, TMach, TMeg, Total Network Security, Total Network Visibility, Total Service Desk, Total Virus Defense, T-POD, Trusted Mach, Trusted Mail, Uninstaller, Virex, Virex-PC, Virus Forum, ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker, WebWall, and ZAC 2000
are registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
LICENSE AGREEMENT
NOTICE TO ALL USERS: CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT ("AGREEMENT"), FOR THE LICENSE OF SPECIFIED SOFTWARE ("SOFTWARE") BY NETWORK ASSOCIATES, INC. ("McAfee"). BY CLICKING THE ACCEPT BUTTON OR INSTALLING THE SOFTWARE, YOU (EITHER AN INDIVIDUAL OR A SINGLE ENTITY) CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE BUTTON THAT INDICATES THAT YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT AND DO NOT INSTALL THE SOFTWARE. (IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.)
1. License Grant. Subject to the payment of the applicable license fees, and subject to the terms and conditions of this Agreement, McAfee hereby grants to you a non-exclusive, non-transferable right to use one copy of the specified version of the Software and the accompanying documentation (the "Documentation"). You may install one copy of the Software on one computer, workstation, personal digital assistant, pager, "smart phone" or other electronic device for which the Software was designed (each, a "Client Device"). If the Software is licensed as a suite or bundle with more than one specified Software product, this license applies to all such specified Software products, subject to any restrictions or usage terms specified on the applicable price list or product packaging that apply to any of such Software products individually.
Issued May 2000/ Dr Solomon’s Anti-Virus v8.5
(i.e., the required number of licenses would equal the number of distinct inputs to the multiplexing or pooling software or hardware "front end"). If the number of Client Devices or seats that can connect to the Software can exceed the number of licenses you have obtained, then you must have a reasonable mechanism in place to ensure that your use of the Software does not exceed the use limits specified for the licenses you have obtained. This license authorizes you to make or download one copy of the Documentation for each Client Device or seat that is licensed, provided that each such copy contains all of the Documentation's proprietary notices.
c. Volume Licenses. If the Software is licensed with volume license terms specified in the applicable price list or product packaging for the Software, you may make, use and install as many additional copies of the Software on the number of Client Devices as the volume license authorizes. You must have a reasonable mechanism in place to ensure that the number of Client Devices on which the Software has been installed does not exceed the number of licenses you have obtained. This license authorizes you to make or download one copy of the Documentation for each additional copy authorized by the volume license, provided that each such copy contains all of the Documentation's proprietary notices.
2. Term. This Agreement is effective for an unlimited duration unless and until earlier terminated as set forth herein. This Agreement will terminate automatically if you fail to comply with any of the limitations or other requirements described herein. Upon any termination or expiration of this Agreement, you must destroy all copies of the Software and the Documentation. You may terminate this Agreement at any point by destroying all copies of the Software and the Documentation.
3. Updates. For the time period specified in the applicable price list or product packaging for the Software you are entitled to download revisions or updates to the Software when and as McAfee publishes them via its electronic bulletin board system, website or through other online services. For a period of ninety (90) days from the date of the original purchase of the Software, you are entitled to download one (1) revision or upgrade to the Software when and as McAfee publishes it via its electronic bulletin board system, website or through other online services. After the specified time period, you have no further rights to receive any revisions or upgrades without purchase of a new license or annual upgrade plan to the Software.
4. Ownership Rights. The Software is protected by United States copyright laws and international treaty provisions. McAfee and its suppliers own and retain all right, title and interest in and to the Software, including all copyrights, patents, trade secret rights, trademarks and other intellectual property rights therein. Your possession, installation, or use of the Software does not transfer to you any title to the intellectual property in the Software, and you will not acquire any rights to the Software except as expressly set forth in this Agreement. All copies of the Software and Documentation made hereunder must contain the same proprietary notices that appear on and in the Software and Documentation.
Administrator’s Guide iii
5. Restrictions. You may not rent, lease, loan or resell the Software. You may not permit third parties to benefit from the use or functionality of the Software via a timesharing, service bureau or other arrangement, except to the extent such use is specified in the applicable list price or product packaging for the Software. You may not transfer any of the rights granted to you under this Agreement. You may not reverse engineer, decompile, or disassemble the Software, except to the extent the foregoing restriction is expressly prohibited by applicable law. You may not modify, or create derivative works based upon, the Software in whole or in part. You may not copy the Software or Documentation except as expressly permitted in Section 1 above. You may not remove any proprietary notices or labels on the Software. All rights not expressly set forth hereunder are reserved by McAfee. McAfee reserves the right to periodically conduct audits upon advance written notice to verify compliance with the terms of this Agreement.
6. Warranty and Disclaimer
a. Limited Warranty. McAfee warrants that for sixty (60) days from the date of original purchase the media (e.g., diskettes) on which the Software is contained will be free from defects in materials and workmanship.
b. Customer Remedies. McAfee's and its suppliers' entire liability and your exclusive remedy for any breach of the foregoing warranty shall be, at McAfee's option, either (i) return of the purchase price paid for the license, if any, or (ii) replacement of the defective media in which the Software is contained. You must return the defective media to McAfee at your expense with a copy of your receipt. This limited warranty is void if the defect has resulted from accident, abuse, or misapplication. Any replacement media will be warranted for the remainder of the original warranty period. Outside the United States, this remedy is not available to the extent McAfee is subject to restrictions under United States export control laws and regulations.
c. Warranty Disclaimer. Except for the limited warranty set forth herein, THE SOFTWARE IS PROVIDED "AS IS." TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MCAFEE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT WITH RESPECT TO THE SOFTWARE AND THE ACCOMPANYING DOCUMENTATION. YOU ASSUME RESPONSIBILITY FOR SELECTING THE SOFTWARE TO ACHIEVE YOUR INTENDED RESULTS, AND FOR THE INSTALLATION OF, USE OF, AND RESULTS OBTAINED FROM THE SOFTWARE. WITHOUT LIMITING THE FOREGOING PROVISIONS, MCAFEE MAKES NO WARRANTY THAT THE SOFTWARE WILL BE ERROR-FREE OR FREE FROM INTERRUPTIONS OR OTHER FAILURES OR THAT THE SOFTWARE WILL MEET YOUR REQUIREMENTS. SOME STATES AND JURISDICTIONS DO NOT ALLOW LIMITATIONS ON IMPLIED WARRANTIES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU. The foregoing provisions shall be enforceable to the maximum extent permitted by applicable law.
iv Dr Solomon’s Anti-Virus
7. Limitation of Liability. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER IN TORT, CONTRACT, OR OTHERWISE, SHALL MCAFEE OR ITS SUPPLIERS BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR FOR ANY AND ALL OTHER DAMAGES OR LOSSES. IN NO EVENT WILL MCAFEE BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE LIST PRICE MCAFEE CHARGES FOR A LICENSE TO THE SOFTWARE, EVEN IF MCAFEE SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY TO THE EXTENT THAT APPLICABLE LAW PROHIBITS SUCH LIMITATION. FURTHERMORE, SOME STATES AND JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION AND EXCLUSION MAY NOT APPLY TO YOU. The foregoing provisions shall be enforceable to the maximum extent permitted by applicable law.
8. United States Government. The Software and accompanying Documentation are deemed to be "commercial computer software" and "commercial computer software documentation," respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction, release, performance, display or disclosure of the Software and accompanying Documentation by the United States Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.
9. Export Controls. Neither the Software nor the Documentation and underlying information or technology may be downloaded or otherwise exported or re-exported (i) into (or to a national or resident of) Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria or any other country to which the United States has embargoed goods; or (ii) to anyone on the United States Treasury Department's list of Specially Designated Nations or the United States Commerce Department's Table of Denial Orders. By downloading or using the Software you are agreeing to the foregoing and you are certifying that you are not located in, under the control of, or a national or resident of any such country or on any such list.
IN ADDITION, YOU SHOULD BE AWARE OF THE FOLLOWING: EXPORT OF THE SOFTWARE MAY BE SUBJECT TO COMPLIANCE WITH THE RULES AND REGULATIONS PROMULGATED FROM TIME TO TIME BY THE BUREAU OF EXPORT ADMINISTRATION, UNITED STATES DEPARTMENT OF COMMERCE, WHICH RESTRICT THE EXPORT AND RE-EXPORT OF CERTAIN PRODUCTS AND TECHNICAL DATA. IF THE EXPORT OF THE SOFTWARE IS CONTROLLED UNDER SUCH RULES AND REGULATIONS, THEN THE SOFTWARE SHALL NOT BE EXPORTED OR RE-EXPORTED, DIRECTLY OR INDIRECTLY, (A) WITHOUT ALL EXPORT OR RE-EXPORT LICENSES AND UNITED STATES OR OTHER GOVERNMENTAL APPROVALS REQUIRED BY ANY APPLICABLE LAWS, OR (B) IN VIOLATION OF ANY APPLICABLE PROHIBITION AGAINST THE EXPORT OR RE-EXPORT OF ANY PART OF THE SOFTWARE.
SOME COUNTRIES HAVE RESTRICTIONS ON THE USE OF ENCRYPTION WITHIN THEIR BORDERS, OR THE IMPORT OR EXPORT OF ENCRYPTION EVEN IF FOR ONLY TEMPORARY PERSONAL OR BUSINESS USE. YOU ACKNOWLEDGE THAT THE IMPLEMENTATION AND ENFORCEMENT OF THESE LAWS IS NOT ALWAYS CONSISTENT AS TO SPECIFIC COUNTRIES. ALTHOUGH THE FOLLOWING COUNTRIES ARE NOT AN EXHAUSTIVE LIST THERE MAY EXIST RESTRICTIONS ON THE EXPORTATION TO, OR IMPORTATION OF, ENCRYPTION BY: BELGIUM, CHINA (INCLUDING HONG KONG), FRANCE, INDIA, INDONESIA, ISRAEL, RUSSIA, SAUDI ARABIA, SINGAPORE, AND SOUTH KOREA. YOU ACKNOWLEDGE IT IS YOUR ULTIMATE RESPONSIBILITY TO COMPLY WITH ANY AND ALL GOVERNMENT EXPORT AND OTHER APPLICABLE LAWS AND THAT MCAFEE HAS NO FURTHER RESPONSIBILITY AFTER THE INITIAL SALE TO YOU WITHIN THE ORIGINAL COUNTRY OF SALE.
10. High Risk Activities. The Software is not fault-tolerant and is not designed or intended for use in hazardous environments requiring fail-safe performance, including without limitation, in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, weapons systems, direct life-support machines, or any other application in which the failure of the Software could lead directly to death, personal injury, or severe physical or property damage (collectively, "High Risk Activities"). McAfee expressly disclaims any express or implied warranty of fitness for High Risk Activities.
11. Miscellaneous. This Agreement is governed by the laws of the United States and the State of California, without reference to conflict of laws principles. The application of the United Nations Convention of Contracts for the International Sale of Goods is expressly excluded. This Agreement sets forth all rights for the user of the Software and is the entire agreement between the parties. This Agreement supersedes any other communications with respect to the Software and Documentation. This Agreement may not be modified except by a written addendum issued by a duly authorized representative of McAfee. No provision hereof shall be deemed waived unless such waiver shall be in writing and signed by McAfee or a duly authorized representative of McAfee. If any provision of this Agreement is held invalid, the remainder of this Agreement shall continue in full force and effect. The parties confirm that it is their wish that this Agreement has been written in the English language only.
12. McAfee Customer Contact. If you have any questions concerning these terms and conditions, or if you would like to contact McAfee for any other reason, please call (408) 988-3832, fax (408) 970-9727, or write: McAfee Software, 3965 Freedom Circle, Santa Clara, California 95054. http://www.mcafee.com.
Statements made to you in the course of this sale are subject to the Year 2000 Information and Readiness Disclosure Act (Public Law 105-271). In the case of a dispute, this Act may reduce your legal rights regarding the use of any statements regarding Year 2000 readiness, unless otherwise specified in your contract or tariff.
Table of Contents
Preface ..... xi
Anti-virus protection as information security ..... xi
Information security as a business necessity ..... xiv
Active Virus Defense security perimeters ..... xv
Dr Solomon’s anti-virus research ..... xvii
How to contact Network Associates ..... xviii
Customer service ..... xviii
Technical support ..... xix
Download support ..... xx
Network Associates training ..... xx
Comments and feedback ..... xx
Reporting new items for anti-virus data file updates ..... xx
International contact information ..... xxii
Chapter 1. About Dr Solomon’s Anti-Virus ..... 25
Introducing Dr Solomon’s Anti-Virus ..... 25
How does Dr Solomon’s Anti-Virus work? ..... 27
What comes with Dr Solomon’s Anti-Virus? ..... 29
What’s new in this release? ..... 33
Chapter 2. Installing Dr Solomon’s Anti-Virus ..... 37
Before you begin ..... 37
System requirements ..... 37
Installing Dr Solomon’s Anti-Virus software on a local computer ..... 38
Installation steps ..... 38
Using the Emergency Disk Creation utility ..... 53
Determining when you must restart your computer ..... 58
Testing your installation ..... 59
Modifying or removing your local Dr Solomon’s Anti-Virus installation ..... 61
Installing Dr Solomon’s Anti-Virus software on other computers ..... 63
Using Active Directory and Group Policies ..... 63
Installing Dr Solomon’s Anti-Virus software using command-line options ..... 64
Using Management Edition software ..... 72
Using ePolicy Orchestrator to deploy Dr Solomon’s Anti-Virus software ..... 73
Installing via System Management Server ..... 74
Installing via Tivoli IT Director ..... 74
Installing via ZENworks ..... 75
Exporting Dr Solomon’s Anti-Virus custom settings ..... 75
Chapter 3. Removing Infections From Your System ..... 79
If you suspect you have a virus... ..... 79
Deciding when to scan for viruses ..... 82
Recognizing when you don’t have a virus ..... 83
Understanding false detections ..... 84
Responding to viruses or malicious software ..... 85
Submitting a virus sample ..... 97
Using the SendVirus utility to submit a file sample ..... 97
Capturing boot sector, file-infecting, and macro viruses ..... 100
Chapter 4. Using Dr Solomon’s Anti-Virus ..... 105
Using the WinGuard scanner ..... 105
Using the Dr Solomon’s Anti-Virus application ..... 105
Scheduling scan tasks ..... 106
Using specialized scanning tools ..... 106
Chapter 5. Sending Alert Messages ..... 107
Using the Alert Manager Client Configuration utility ..... 107
Dr Solomon’s Anti-Virus as an Alert Manager Client ..... 108
Configuring the Alert Manager Client utility ..... 108
Chapter 6. Updating and Upgrading Dr Solomon’s Anti-Virus ..... 113
Developing an updating strategy ..... 113
Update and upgrade methods ..... 114
Understanding the AutoUpdate utility ..... 116
Configuring the AutoUpdate utility ..... 118
Understanding the AutoUpgrade utility ..... 127
Configuring the AutoUpgrade utility ..... 128
Using the AutoUpgrade and SuperDAT utilities together ..... 137
Deploying an EXTRA.DAT file ..... 139
Appendix A. Using Dr Solomon’s Anti-Virus Administrative Utilities ..... 141
Understanding the Dr Solomon’s Anti-Virus control panel ..... 141
Opening the Dr Solomon’s Anti-Virus control panel ..... 141
Choosing Dr Solomon’s Anti-Virus control panel options ..... 142
Appendix B. Installed Files ..... 147
What’s in this appendix? ..... 147
WinGuard scanner ..... 147
Dependent and related files for the Dr Solomon’s Anti-Virus application ..... 153
Alert Manager ..... 156
Dr Solomon’s Anti-Virus control panel files ..... 157
ScreenScan ..... 158
Dr Solomon’s Anti-Virus Emergency Disk files ..... 160
Dependent and related files for the E-Mail Scan extension ..... 162
Appendix C. Using Dr Solomon’s Anti-Virus Command-line Options ..... 167
Adding advanced Dr Solomon’s Anti-Virus engine options ..... 167
Running the Dr Solomon’s Anti-Virus Command Line program ..... 167
Running the on-demand scanner with command-line arguments ..... 177
Appendix D. Using the SecureCast Service to Get New Data Files ..... 185
Introducing the SecureCast service ..... 185
Why should I update my data files? ..... 186
Which data files does the SecureCast service deliver? ..... 186
Installing the BackWeb client and SecureCast service ..... 187
System requirements ..... 187
Troubleshooting the Enterprise SecureCast service ..... 197
Unsubscribing from the SecureCast service ..... 197
Support resources ..... 197
SecureCast service ..... 197
BackWeb client ..... 198
Appendix E. Network Associates Support Services ..... 199
Adding value to your Dr Solomon’s product ..... 199
PrimeSupport options for corporate customers ..... 199
Ordering a corporate PrimeSupport plan ..... 202
PrimeSupport options for home users ..... 204
How to reach international home user support ..... 206
Ordering a PrimeSupport plan for home users ..... 206
Network Associates consulting and training ..... 207
Professional Services ..... 207
Total Education Services ..... 208
Appendix F. Understanding iDAT Technology ..... 209
Understanding incremental .DAT files ..... 209
How does iDAT updating work? ..... 210
What does Dr Solomon’s post each week? ..... 211
Best practices ..... 212
Frequently asked questions ..... 213
Index ..... 217
Preface
Anti-virus protection as information security
“The world changed [on March 26, 1999]—does anyone doubt that? The world is different. Melissa proved that ... and we are very fortunate ... the world could have gone very close to meltdown.”
Padgett Peterson, Chief Info Security Architect, Lockheed Martin Corporation, on the 1999 “Melissa” virus epidemic
By the end of the 1990s, many information technology professionals had begun to recognize that they could not easily separate how they needed to respond to new virus threats from how they already dealt with deliberate network security breaches. Dorothy Denning, co-editor of the 1998 computer security handbook Internet Besieged: Countering Cyberspace Scofflaws, explicitly grouped anti-virus security measures in with other network security measures, classifying them as a defense against malicious “injected code.”
Denning justified her inclusive grouping on her definition of information security as “the effective use of safeguards to protect the confidentiality, integrity, authenticity, availability, and non-repudiation of information and information processing systems.” Virus payloads had always threatened or damaged data integrity, but by the time she wrote her survey article, newer viruses had already begun to mount sophisticated attacks that struck at the remaining underpinnings of information security. Denning’s classification recognized that newer viruses no longer merely annoyed system administrators or posed a relatively low-grade threat; they had in fact graduated to become a serious hazard.
Though not targeted with as much precision as an unauthorized network intrusion, virus attacks had begun to take on the color of deliberate information warfare. Consider these examples, many of which introduced quickly-copied innovations to the virus writer’s repertoire:
• W32/CIH.Spacefiller destroyed the flash BIOS in workstations it infected, effectively preventing them from booting. It also overwrote parts of the infected hard disk with garbage data.
• XM/Compat.A rewrote the data inside Microsoft Excel spreadsheet files. It used advanced polymorphic concealment techniques, which meant that with each infection it changed the signature bytes that indicated its presence and allowed anti-virus scanners to find it.
• W32/Ska, though technically a worm, replaced the infected computer’s WinSock file so that it could attach itself to outgoing Simple Mail Transfer Protocol (SMTP) messages and postings to USENET news groups. This strategy made it commonplace in many areas.
• Remote Explorer stole the security privileges of a Windows NT domain administrator and used them to install itself as a Windows NT Service. It also deposited copies of itself in the Windows NT driver directory and carried with it a supporting Dynamic Link Library (.DLL) file that allowed it to randomly encrypt data files. Because it appeared almost exclusively at one corporate site, security experts speculated that it was a deliberate, targeted attack on the unfortunate company’s network integrity.
• Back Orifice, the product of a group calling itself the Cult of the Dead Cow, purported to give the owner of the client portion of the Back Orifice application complete remote access to any Windows 95 or Windows 98 workstation that runs the concealed companion server. That access—from anywhere on the Internet—allowed the client to capture keystrokes; open, copy, delete, or run files; transmit screen captures; and restart, crash, or shut down the infected computer. To add insult to injury, early Back Orifice releases on CD-ROM carried a W32/CIH.Spacefiller infection.
Throughout much of 1999, virus and worm attacks suddenly stepped up in intensity and in the public eye. Part of the reason for this, of course, is that many of the more notorious viruses and worms took full advantage of the Internet, beginning a long-predicted assault by flooding e-mail transmissions, websites, newsgroups and other available channels at an almost exponential rate of growth. They now bullied their way into network environments, spreading quickly and leaving a costly trail of havoc behind them.
W97M/Melissa, the “Melissa” virus, jolted most corporate information technology departments out of whatever remaining complacency they had held onto in the face of the newer virus strains. Melissa brought corporate e-mail servers down across the United States and elsewhere when it struck in March 1999. Melissa instructed e-mail client programs to send out infected e-mail messages to the first 50 entries in each target computer’s address book. This transformed a simple macro virus infection with no real payload into an effective denial-of-service attack on mail servers.
Melissa’s other principal innovation was its direct attempt to play on end-user psychology: it forged an e-mail message from a sender the recipient knew, and sent it with a subject line that urged that recipient to open both the message and the attached file. In this way, Melissa almost made the need for viral code to spread itself obsolete—end users themselves cooperated in its propagation, and their own computers blindly participated.
A rash of Melissa variants and copycats appeared soon after. Some, such as W97M/Prilissa, included destructive payloads. Later the same year, a number of new viruses and worms either demonstrated novel or unexpected ways to get into networks and compromise information security, or actually perpetuated attacks. Examples included:
• W32/ExploreZip.worm and its variants, which used some of Melissa’s techniques to spread, initially through e-mail. After it successfully infected a host machine, ExploreZip searched for unsecured network shares and quietly copied itself throughout a network. It carried a destructive payload that erased various Windows system files and Microsoft Office documents, replacing them with unrecoverable zero-byte-length files.
• W32/Pretty.worm, which did Melissa one better by sending itself to every entry in the infected computer’s MAPI address book. It also connected to an Internet Relay Chat (IRC) server, joined a particular IRC channel, then opened a path to receive commands via the IRC connection. This potentially allowed those on the channel to siphon information from the infected computer, including the computer name and owner’s name, his or her dial-up networking user name and password, and the path to the system root directory.
• W32/FunLove.4099, which infected ActiveX .OCX files, among others. This meant that it could lurk on web pages with ActiveX content, and infect systems with low or nonexistent browser security settings as they downloaded pages to their hard disks. If a Windows NT computer user had logged into a system with administrative rights, the infecting virus would patch two critical system files that gave all users on the network—including the virus—administrative rights to all files on the target computer. It spread further within the network by attaching itself to files with the extensions .SCR, .OCX, and .EXE.
• VBS/Bubbleboy, a proof-of-concept demonstration that showed that a virus could infect target computers directly from e-mail messages themselves, without needing to propagate through message attachments. It effectively circumvented desktop anti-virus protection altogether, at least initially. Its combination of HTML and VBScript exploited existing vulnerabilities in Internet-enabled mail systems; its author played upon the same end-user psychology that made Melissa successful.
The other remarkable development in the year was the degree to which virus writers copied, fused, and extended each others’ techniques. This cross-pollination had always occurred previously, but the speed at which it took place and the increasing sophistication of the tools and techniques that became available during this period prepared very fertile ground for a nervously awaited bumper crop of intricate viruses.
Information security as a business necessity
Coincidentally or not, these darkly inventive new virus attacks and speedy propagation methods appeared as more businesses made the transition to Internet-based information systems and electronic commerce operations. The convenience and efficiency that the Internet brought to business saved money and increased profits. This probably also made these same businesses attractive targets for pranksters, the hacker underground, and those intent on striking at their favored targets.
Previously, the chief costs from a virus attack were the time and money it took to combat an infection and restore computer systems to working order. To those costs the new types of virus attacks now added the costs of lost productivity, network and server downtime, service denials for e-mail and other critical business tools, exposure—and perhaps widespread distribution—of confidential information, and other ills.
Ultimately, the qualifying differences between a hacker-directed security breach in a network and a security breach that results from a virus attack might become merely ones of intent and method, not results. Already new attacks have shaken the foundations of Net-enabled businesses, many of which require 24-hour availability for networks and e-mail, high data integrity, confidential customer lists, secure credit card data and purchase verification, reliable communications, and hundreds of other computer-aided transactional details. The costs from these virus attacks in the digital economy now cut directly into the bottom line.
Because they do, protecting that bottom line means implementing a total solution for information and network security—one that includes comprehensive anti-virus protection. It’s not enough to rely only on desktop-based anti-virus protection, or on haphazard or ad hoc security measures. The best defense requires sealing all potential points by which viruses can enter or attack your network, from the firewall and gateway down to the individual workstation, and keeping the anti-virus sentries at those points updated and current.
Part of the solution is deploying the Dr Solomon’s Active Virus Defense* software suite, which provides a comprehensive, multi-platform series of defensive perimeters for your network. You can also build on that security with the Dr Solomon’s Active Security suite, which allows you to monitor your network against intrusions, watch actual network packet traffic, and encrypt e-mail and network transmissions. But even with anti-virus and security software installed, new and previously unidentified viruses will inevitably find their way into your network. That’s where the other part of the equation comes in: a thorough, easy-to-follow anti-virus security policy and set of practices for your enterprise—in the last analysis, only that can help to stop a virus attack before it becomes a virus epidemic.
Active Virus Defense security perimeters
The Dr Solomon’s Active Virus Defense product suite exists for one simple reason: there is no such thing as too much anti-virus protection for the modern, automated enterprise. Although at first glance it might seem needlessly redundant to protect all of your desktop computers, file and network servers, gateways, e-mail servers and firewalls, each of these network nodes serves a different function in your network, and has different duties. An anti-virus scanner designed to keep a production workstation virus-free, for example, can’t intercept viruses that flood e-mail servers and effectively deny their services. Nor would you want to make a file server responsible for continuously scanning its client workstations—the cost in network bandwidth would be too high.
More to the point, each node’s specialized functions mean that viruses infect them in different ways that, in turn, call for optimized anti-virus solutions. Viruses and other malicious code can enter your network from a variety of sources—floppy disks and CD-ROMs, e-mail attachments, downloaded files, and Internet sites, for example. These unpredictable points of entry mean that infecting agents can slip through the chinks in incomplete anti-virus armor.
Desktop workstations, for example, can spread viruses by any of a variety of means—via floppy disks, by downloading them from the Internet, by mapping server shares or other workstations’ hard disks. E-mail servers, by contrast, rarely use floppy disks and tend not to use mapped drives—the Melissa virus showed, however, that they are quite vulnerable to e-mail–borne infections, even if they don’t execute the virus code themselves.
At the desktop: Dr Solomon’s Anti-Virus
The Dr Solomon’s Active Virus Defense product suite matches each point of vulnerability with a specialized, and optimized, anti-virus application. At the desktop level, the cornerstone of the suite is the Dr Solomon’s Anti-Virus anti-virus product. Dr Solomon’s Anti-Virus protects some of your most vulnerable virus entry points with an interlocking set of scanners, utilities, and support files that allow it to cover:
• Local hard disks, floppy disks, CD-ROMs, and other removable media. The WinGuard scanner resides in memory, waiting for local file access of any sort. As soon as one of your network users opens, runs, copies, saves, renames, or sets attributes for any file on their system—even from mapped network drives—the WinGuard scanner examines it for infections.
You can supplement this continuous protection with scan operations you configure and schedule for your own needs. Comprehensive security options let you protect individual options with a password, or run the entire application in secure mode to lock out all unauthorized access.
• System memory, boot sectors, and master boot records. You can configure regularly scheduled scan operations that examine these favorite virus hideouts, or set up periodic operations whenever a threat seems likely.
• Microsoft Exchange mailboxes. Dr Solomon’s Anti-Virus includes a specialized E-Mail Scan extension that assumes your network user’s Microsoft Exchange or Outlook identity to scan his or her mailbox directly—before viruses get downloaded to the local workstation. This can prevent some Melissa-style infections and avoid infections from the next generation of VBS/Bubbleboy descendants.
• Internet mail and file downloads. The WinGuard scanner includes two modules that specialize in intercepting SMTP and POP-3 e-mail messages, and that can examine files your network users download from Internet sites. The E-Mail Scan and Download Scan modules work together to scan the stream of file traffic that most workstations generate and receive daily.
• Hostile code. The Olympus scan engine at the heart of Dr Solomon’s Anti-Virus routinely looks for suspicious script code, macro code, known Trojan horse programs—even virus jokes or hoaxes. With the help of the WinGuard Internet Filter module, it also blocks hostile ActiveX and Java objects, many of which can lurk unnoticed on websites, waiting to deploy sophisticated virus-like payloads. The Internet Filter module can even block entire websites, preventing network users from visiting sites that pose a threat to network integrity.
Dr Solomon’s Anti-Virus ties these powerful scanning capabilities together with a powerful set of alerting, updating, and management tools. These include:
• Alert Manager client configuration. Dr Solomon’s Anti-Virus includes a client configuration utility you can use to have it pass alert messages directly to Alert Manager servers on your network, to a Centralized Alerting share, or to a Desktop Management Interface administrative application. Other alert methods include local custom messages and beeps, detection alerts and response options, and e-mail alert messages.
• Next-generation AutoUpdate and AutoUpgrade utilities. AutoUpdate v4.5 features complete and transparent support for new incremental .DAT file updates, which save you time and network bandwidth by adding only virus definitions you don’t already have installed on your system. The new AutoUpgrade version includes support for v1.2 of the Dr Solomon’s SuperDAT utility, which you can use to update the Olympus scan engine and its support files.
• Integration with Dr Solomon’s ePolicy Orchestrator management software. Centralized anti-virus management takes a quantum leap forward with this highly scalable management tool. Dr Solomon’s Anti-Virus ships with a plug-in library file that works with the ePolicy Orchestrator server to enforce enterprise-wide network security policies.
You can use ePolicy Orchestrator to configure, update, distribute and manage Dr Solomon’s Anti-Virus installations at the group, workstation or user level. Schedule and run scan tasks, change configurations, update .DAT and engine files—all from a central console.
Taken together, the Active Virus Defense suite forms a tight series of anti-virus security perimeters around your network that protect you against both external and internal sources of infection. Those perimeters, correctly configured and implemented in conjunction with a clear enterprise-wide anti-virus security policy, do indeed offer useful redundancy, but their chief benefit lies in their ability to stop viruses as they enter your network, without your having to await a tardy or accidental discovery. Early detection contains infections, saves on the costs of virus eradication, and in many cases can prevent a destructive virus payload from triggering.
Dr Solomon’s anti-virus research
Even the best anti-virus software is only as good as its latest update. Because as many as 200 to 300 viruses and variants appear each month, the .DAT files that enable Dr Solomon’s software to detect and remove viruses can get quickly outdated. If you have not updated the files that originally came with your software, you could risk infection from newly emerging viruses. Dr Solomon’s has, however, assembled the world’s largest and most experienced anti-virus research staff in its Anti-Virus Emergency Response Team (AVERT)*. This premier anti-virus research organization has a worldwide reach and a “follow the sun” coverage policy that ensures that you get the files you need to combat new viruses as soon as—and often before—you need them. You can take advantage of many of the direct products of this research by visiting the AVERT research site on the Network Associates website:
http://www.nai.com/asp_set/anti_virus/introduction/default.asp
Contact your Dr Solomon’s representative, or visit the Dr Solomon’s website, to find out how to enlist the power of the Active Virus Defense security solution on your side:
http://www.mcafeeb2b.com/
How to contact Network Associates
Customer service
On December 1, 1997, McAfee Associates merged with Network General Corporation, Pretty Good Privacy, Inc., and Helix Software, Inc. to form Network Associates, Inc. The combined Company subsequently acquired Dr Solomon's Software, Trusted Information Systems, Magic Solutions, and CyberMedia, Inc.
A January 2000 company reorganization formed four independent business units, each concerned with a particular product line. These are:
Magic Solutions. This division supplies the Total Service Desk product line and related products.
McAfee and Dr Solomon’s Software. These divisions provide the Active Virus Defense product suite and related anti-virus software solutions to corporate and retail customers.
PGP Security. This division provides award-winning encryption and security solutions, including the PGP data security and encryption product line, the Gauntlet firewall product line, the WebShield E-ppliance hardware line, and the CyberCop Scanner and Monitor product series.
Sniffer Technologies. This division supplies the industry-leading Sniffer network monitoring, reporting, and analysis utility and related software.
Network Associates continues to market and support the product lines from each of the new independent business units. You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to the Network Associates Customer Service department at the following address:
Network Associates Customer Service, 4099 McEwan, Suite 500, Dallas, Texas 75244, U.S.A.
The department’s hours of operation are 8:00 a.m. to 8:00 p.m. Central Time, Monday through Friday.
Other contact information for corporate-licensed customers:
Phone: (972) 308-9960
Fax: (972) 619-7485 (24-hour, Group III fax)
E-Mail: services_corporate_division@nai.com
Web: http://www.nai.com
Other contact information for retail-licensed customers:
Phone: (972) 308-9960
Fax: (972) 619-7485 (24-hour, Group III fax)
E-Mail: cust_care@nai.com
Web: http://www.mcafee.com/
Technical support
Dr Solomon’s and Network Associates are famous for their dedication to customer satisfaction. The companies have continued this tradition by making their sites on the World Wide Web valuable resources for answers to technical support issues. Dr Solomon’s encourages you to make this your first stop for answers to frequently asked questions, for updates to Dr Solomon’s and Network Associates software, and for access to news and virus information.
World Wide Web: http://www.nai.com/asp_set/services/technical_support/tech_intro.asp
If you do not find what you need or do not have web access, try one of our automated services.
Internet: techsupport@mcafee.com
CompuServe: GO NAI
America Online: keyword MCAFEE
If the automated services do not have the answers you need, contact Network Associates at one of the following numbers Monday through Friday between 8:00 A.M. and 8:00 P.M. Central time to find out about Network Associates technical support plans.
For corporate-licensed customers:
Phone (972) 308-9960 Fax (972) 619-7845
For retail-licensed customers:
Phone (972) 855-7044 Fax (972) 619-7845
This guide includes a summary of the PrimeSupport plans available to Dr Solomon’s customers. To learn more about plan features and other details, see Appendix E, “Network Associates Support Services.”
To provide the answers you need quickly and efficiently, the Network Associates technical support staff needs some information about your computer and your software. Please include this information in your correspondence:
• Product name and version number
• Computer brand and model
• Any additional hardware or peripherals connected to your computer
• Operating system type and version numbers
• Network type and version, if applicable
• Contents of your AUTOEXEC.BAT, CONFIG.SYS, and system LOGIN script
• Specific steps to reproduce the problem
Download support
To get help with navigating or downloading files from the Network Associates or Dr Solomon’s websites or FTP sites, call:
Corporate customers: (801) 492-2650
Retail customers: (801) 492-2600
Network Associates training
For information about scheduling on-site training for any Dr Solomon’s or Network Associates product, call Network Associates Customer Service at: (972) 308-9960.
Comments and feedback
Dr Solomon’s Software appreciates your comments and reserves the right to use any information you supply in any way it believes appropriate without incurring any obligation whatsoever.
Reporting new items for anti-virus data file updates
Dr Solomon’s anti-virus software offers you the best available detection and removal capabilities, including advanced heuristic scanning that can detect new and unnamed viruses as they emerge. Occasionally, however, an entirely new type of virus that is not a variation on an older type can appear on your system and escape detection.
Because Dr Solomon’s researchers are committed to providing you with effective and up-to-date tools you can use to protect your system, please tell them about any new Java classes, ActiveX controls, dangerous websites, or viruses that your software does not now detect. Note that Dr Solomon’s Software reserves the right to use any information you supply as it deems appropriate, without incurring any obligations whatsoever. Send your questions or virus samples to:
virus_research@nai.com: Use this address to send questions or virus samples to our North America and South America offices.
vsample@nai.com: Use this address to send questions or virus samples gathered with Dr Solomon’s Anti-Virus Toolkit* software to our offices in the United Kingdom.
To report items to the Dr Solomon’s European research office, use these e-mail addresses:
virus_research_europe@nai.com: Use this address to send questions or virus samples to our offices in Western Europe.
virus_research_de@nai.com: Use this address to send questions or virus samples gathered with Dr Solomon’s Anti-Virus Toolkit software to our offices in Germany.
To report items to the Dr Solomon’s Asia-Pacific research office, or the office in Japan, use one of these e-mail addresses:
virus_research_japan@nai.com: Use this address to send questions or virus samples to our offices in Japan and East Asia.
virus_research_apac@nai.com: Use this address to send questions or virus samples to our offices in Australia and South East Asia.
International contact information
To contact Network Associates outside the United States, use the addresses, phone numbers and fax numbers below.
Network Associates Australia
Level 1, 500 Pacific Highway St. Leonards, NSW Sydney, Australia 2065 Phone: 61-2-8425-4200 Fax: 61-2-9439-5166
Network Associates Austria
Pulvermuehlstrasse 17 Linz, Austria Postal Code A-4040 Phone: 43-732-757-244 Fax: 43-732-757-244-20
Network Associates Belgique
BDC Heyzel Esplanade, boîte 43 1020 Bruxelles Belgique Phone: 0032-2 478.10.29 Fax: 0032-2 478.66.21
Network Associates do Brasil
Rua Geraldo Flausino Gomez 78 Cj. - 51 Brooklin Novo - São Paulo SP - 04575-060 - Brasil Phone: (55 11) 5505 1009 Fax: (55 11) 5505 1006
Network Associates Canada
139 Main Street, Suite 201 Unionville, Ontario Canada L3R 2G6 Phone: (905) 479-4189 Fax: (905) 479-4540
Network Associates People’s Republic of China
New Century Office Tower, Room 1557 No. 6 Southern Road Capitol Gym Beijing People’s Republic of China 100044 Phone: 8610-6849-2650 Fax: 8610-6849-2069
Network Associates Denmark
Lautruphoej 1-3 2750 Ballerup Danmark Phone: 45 70 277 277 Fax: 45 44 209 910
NA Network Associates Oy
Mikonkatu 9, 5. krs. 00100 Helsinki Finland Phone: 358 9 5270 70 Fax: 358 9 5270 7100
Network Associates France S.A.
50 Rue de Londres 75008 Paris France Phone: 33 1 44 908 737 Fax: 33 1 45 22 75 54
Network Associates Hong Kong
19th Floor, Matheson Centre 3 Matheson Way Causeway Bay Hong Kong 63225 Phone: 852-2832-9525 Fax: 852-2832-9530
Network Associates Deutschland GmbH
Ohmstraße 1 D-85716 Unterschleißheim Deutschland Phone: 49 (0)89/3707-0 Fax: 49 (0)89/3707-1199
Network Associates Srl
Centro Direzionale Summit Palazzo D/1 Via Brescia, 28 20063 - Cernusco sul Naviglio (MI) Italy Phone: 39 02 92 65 01 Fax: 39 02 92 14 16 44
Network Associates Japan, Inc.
Toranomon 33 Mori Bldg. 3-8-21 Toranomon Minato-Ku Tokyo 105-0001 Japan Phone: 81 3 5408 0700 Fax: 81 3 5408 0780
Network Associates de Mexico
Andres Bello No. 10, 4 Piso 4th Floor Col. Polanco Mexico City, Mexico D.F. 11560 Phone: (525) 282-9180 Fax: (525) 282-9183
Network Associates Latin America
1200 S. Pine Island Road, Suite 375 Plantation, Florida 33324 United States Phone: (954) 452-1731 Fax: (954) 236-8031
Network Associates International B.V.
Gatwickstraat 25 1043 GL Amsterdam The Netherlands Phone: 31 20 586 6100 Fax: 31 20 586 6101
Network Associates Portugal
Av. da Liberdade, 114 1269-046 Lisboa Portugal Phone: 351 1 340 4543 Fax: 351 1 340 4575
Network Associates South East Asia
78 Shenton Way #29-02 Singapore 079120 Phone: 65-222-7555 Fax: 65-220-7255
Net Tools Network Associates South Africa
Bardev House, St. Andrews Meadowbrook Lane Epson Downs, P.O. Box 7062 Bryanston, Johannesburg South Africa 2021 Phone: 27 11 706-1629 Fax: 27 11 706-1569
Network Associates Spain
Orense 4, 4ª Planta. Edificio Trieste 28020 Madrid, Spain Phone: 34 9141 88 500 Fax: 34 9155 61 404
Network Associates Sweden
Datavägen 3A Box 596 S-17526 Järfälla Sweden Phone: 46 (0) 8 580 88 400 Fax: 46 (0) 8 580 88 405
Network Associates Taiwan
Suite 6, 11F, No. 188, Sec. 5 Nan King E. Rd. Taipei, Taiwan, Republic of China Phone: 886-2-27-474-8800 Fax: 886-2-27-635-5864
Network Associates AG
Baeulerwisenstrasse 3 8152 Glattbrugg Switzerland Phone: 0041 1 808 99 66 Fax: 0041 1 808 99 77
Network Associates International Ltd.
227 Bath Road Slough, Berkshire SL1 5PP United Kingdom Phone: 44 (0)1753 217 500 Fax: 44 (0)1753 217 520
1 About Dr Solomon’s Anti-Virus
Introducing Dr Solomon’s Anti-Virus
Eighty percent of the Fortune 100—and more than 50 million users worldwide—choose Dr Solomon’s Anti-Virus to protect their computers from the staggering range of viruses and other malicious agents that has emerged in the last decade to invade corporate networks and cause havoc for business users. They do so because Dr Solomon’s Anti-Virus offers the most comprehensive desktop anti-virus security solution available, with features that spot viruses, block hostile ActiveX and Java objects, identify dangerous websites, stop infectious e-mail messages—and even root out “zombie” agents that assist in large-scale denial-of-service attacks from across the Internet. They do so also because they recognize how much value Dr Solomon’s anti-virus research and development brings to their fight to maintain network integrity and service levels, ensure data security, and reduce ownership costs.
With more than 50,000 viruses and malicious agents now in circulation, the stakes in this battle have risen considerably. Viruses and worms now have capabilities that can cost an enterprise real money, not just in terms of lost productivity and cleanup costs, but in direct bottom-line reductions in revenue, as more businesses move into e-commerce and online sales, and as virus attacks proliferate.
Dr Solomon’s Anti-Virus first honed its technological edge as one of a handful of pioneering utilities developed to combat the earliest virus epidemics of the personal computer age. It has developed considerably in the intervening years to keep pace with each new subterfuge that virus writers have unleashed. As one of the first Internet-aware anti-virus applications, it maintains its value today as an indispensable business utility for the new electronic economy. Now, with this release, Dr Solomon’s Anti-Virus adds a whole new level of manageability and integration with other Dr Solomon’s anti-virus tools.
Architectural improvements mean that each Dr Solomon’s Anti-Virus component meshes closely with the others, sharing data and resources for better application response and fewer demands on your system. Full support for Network Associates ePolicy Orchestrator management software means that network administrators can handle the details of component and task configuration, leaving you free to concentrate on your own work. A new incremental updating technology, meanwhile, means speedier and less bandwidth-intensive virus definition and scan engine downloads—now the protection you need to deal with the blindingly quick distribution rates of new-generation viruses can arrive faster than ever before. To learn more about these features, see “What’s new in this release?” on page 33.
The new release also adds multiplatform support for Windows 95, Windows 98, Windows NT Workstation v4.0, and Windows 2000 Professional, all in a single package with a single installer, but optimized to take advantage of the benefits each platform offers. Windows NT Workstation v4.0 and Windows 2000 Professional users, for example, can run Dr Solomon’s Anti-Virus with differing security levels that provide a range of enforcement options for system administrators. That way, corporate anti-virus policy implementation can vary from the relatively casual—where an administrator might lock down a few critical settings, for example—to the very strict, with predefined settings that users cannot change or disable at all.
At the same time, as the cornerstone product in the Dr Solomon’s Active Virus Defense and Total Virus Defense security suites, Dr Solomon’s Anti-Virus retains the same core features that have made it the utility of choice for the corporate desktop. These include a virus detection rate second to none, powerful heuristic capabilities, Trojan horse program detection and removal, rapid-response updating with weekly virus definition (.DAT) file releases, daily beta .DAT releases, and EXTRA.DAT file support in crisis or outbreak situations. Because more than 300 new viruses or malicious software agents appear each month, Dr Solomon’s backs its software with a worldwide reach and 24-hour “follow the sun” coverage from its Anti-Virus Emergency Response Team (AVERT).
Even with the rise of viruses and worms that use e-mail to spread, that flood e-mail servers, or that infect groupware products and file servers directly, the individual desktop remains the single largest source of infections, and is often the most vulnerable point of entry. Dr Solomon’s Anti-Virus acts as a tireless desktop sentry, guarding your system against more venerable virus threats and against the latest threats that lurk on websites, often without the site owner’s knowledge, or spread via e-mail, whether solicited or not.
In this environment, taking precautions to protect yourself from malicious software is no longer a luxury, but a necessity. Consider the extent to which you rely on the data on your computer and the time, trouble and money it would take to replace that data if it became corrupted or unusable because of a virus infection. Corporate anti-virus cleanup costs, by some estimates, topped $16 billion in 1999 alone. Balance the probability of infection—and your company’s share of the resulting costs—against the time and effort it takes to put a few common sense security measures in place, and you can quickly see the utility in protecting yourself.
Even if your own data is relatively unimportant to you, neglecting to guard against viruses might mean that your computer could play unwitting host to a virus that could spread to computers that your co-workers and colleagues use. Checking your hard disk periodically with Dr Solomon’s Anti-Virus significantly reduces your system’s vulnerability to infection and keeps you from losing time, money and data unnecessarily.
How does Dr Solomon’s Anti-Virus work?
Dr Solomon’s Anti-Virus combines the anti-virus industry’s most capable scan engine with top-notch interface enhancements that give you complete access to that engine’s power. The Dr Solomon’s Anti-Virus graphical user interface unifies its specialized program components, but without sacrificing the flexibility you need to fit the software into your computing environment. The scan engine, meanwhile, combines the best features of technologies that McAfee and Dr Solomon researchers developed independently for more than a decade.
Fast, accurate virus detection
The foundation for that combination is the unique development environment that McAfee and Dr Solomon researchers constructed for the engine. That environment includes Virtran, a specialized programming language with a structure and “vocabulary” optimized for the particular requirements that virus detection and removal impose. Using specific library functions from this language, for instance, virus researchers can pinpoint those sections within a file, a boot sector, or a master boot record that viruses tend to infect, either because they can hide within them, or because they can hijack their execution routines. This way, the scanner avoids having to examine the entire file for virus code; it can instead sample the file at well-defined points to look for virus code signatures that indicate an infection.
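The entry-point sampling just described, as an added example that is not Dr Solomon’s or Virtran code: it follows the public PE/COFF header layout to find where a Windows executable starts executing, then checks only a window of bytes there against a signature. The signature pattern, the window size and the miniature PE image it builds are constructed for this illustration.

```python
"""Sampling a file at its entry point instead of scanning all of it.

Added example, not Dr Solomon's or Virtran code. A file-infecting virus has
to gain control when the host runs, so the program entry point is one of the
"well-defined points" a scanner can sample. The PE/COFF field offsets below
are the public format; the signature and the miniature PE image are made up.
"""
import struct

# Constructed signature database: name -> bytes expected near the entry
# point of an infected file. Not a real virus pattern.
SIGNATURES = {
    "Test/EntryHook": bytes.fromhex("60E800000000"),
}
ENTRY_WINDOW = 64  # how many bytes from the entry point are examined


def _field(fmt: str, data: bytes, off: int):
    """struct.unpack_from that reports a truncated header as ValueError."""
    if off < 0 or off + struct.calcsize(fmt) > len(data):
        raise ValueError("truncated or malformed header")
    return struct.unpack_from(fmt, data, off)


def pe_entry_point_file_offset(data: bytes) -> int:
    """Map AddressOfEntryPoint (a relative virtual address) to a file offset.

    Raises ValueError for anything that is not a well-formed PE image, so a
    caller can fall back to another scanning strategy for such files.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = _field("<I", data, 0x3C)[0]        # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                           # 20-byte COFF file header
    num_sections = _field("<H", data, coff + 2)[0]
    opt_size = _field("<H", data, coff + 16)[0]
    opt = coff + 20                               # optional header
    entry_rva = _field("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = opt + opt_size                     # 40-byte section headers
    for i in range(num_sections):
        hdr = sections + i * 40
        vsize, vaddr, raw_size, raw_ptr = _field("<IIII", data, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            offset = raw_ptr + (entry_rva - vaddr)
            if offset >= len(data):
                raise ValueError("entry point lies outside the file")
            return offset
    raise ValueError("entry point not mapped by any section")


def scan_entry_point(data: bytes):
    """Return the name of the matching signature, or None when clean."""
    offset = pe_entry_point_file_offset(data)
    window = data[offset:offset + ENTRY_WINDOW]
    for name, pattern in SIGNATURES.items():
        if pattern in window:
            return name
    return None


def build_test_pe(entry_code: bytes) -> bytes:
    """Construct a minimal PE32 image with one .text section whose entry
    point begins with entry_code. Only fields the parser reads are filled."""
    raw_ptr, vaddr, size = 0x200, 0x1000, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    # Machine=i386, 1 section, no timestamp/symbols, opt hdr 0xE0, EXE|32-bit
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, vaddr)                     # entry RVA
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # relocation/line-number fields (unused), Characteristics code|exec|read
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", size, vaddr, size,
                          raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(raw_ptr, b"\0") + entry_code.ljust(size, b"\x90")
```

A pattern placed anywhere else in the file is not seen, which is the trade-off the text describes between examining a whole file and sampling it at the points a file infector must touch.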
The development environment brings as much speed to .DAT file construction as it does to scan engine routines. The environment provides tools researchers can use to write “generic” definitions that identify entire virus families, and that can easily detect the tens or hundreds of variants that make up the bulk of new virus sightings. Continual refinements to this technique have moved most of the hand-tooled virus definitions that used to reside in .DAT file updates directly into the scan engine as bundles of generic routines. Researchers can even employ a Virtran architectural feature to plug in new engine “verbs” that, when combined with existing engine functions, can add functionality needed to deal with new infection techniques, new variants, or other problems that emerging viruses now pose.
This results in blazingly quick enhancements to the engine’s detection capabilities and removes the need for continuous updates that target virus variants.
Encrypted polymorphic virus detection
Along with generic virus variant detection, the scan engine now incorporates a generic decryption engine, a set of routines that enables Dr Solomon’s Anti-Virus to track viruses that try to conceal themselves by encrypting and mutating their code signatures. These “polymorphic” viruses are notoriously difficult to detect, since they change their code signature each time they replicate.
This meant that the simple pattern-matching method that earlier scan engine incarnations used to find many viruses simply no longer worked, since no constant sequence of bytes existed to detect. To respond to this threat, Dr Solomon’s researchers developed the PolyScan Decryption Engine, which locates and analyzes the algorithm that these types of viruses use to encrypt and decrypt themselves. It then runs this code through its paces in an emulated virtual machine in order to understand how the viruses mutate themselves. Once it does so, the engine can spot the “undisguised” nature of these viruses, and thereby detect them reliably no matter how they try to hide themselves.
Double heuristics analysis
As a further engine enhancement, Dr Solomon’s researchers have honed early heuristic scanning technologies—originally developed to detect the astonishing flood of macro virus variants that erupted after 1995—into a set of precision instruments. Heuristic scanning techniques rely on the engine’s experience with previous viruses to predict the likelihood that a suspicious file is an as-yet unidentified or unclassified new virus.
The scan engine now incorporates ViruLogic, a heuristic technique that can observe a program’s behavior and evaluate how closely it resembles either a macro virus or a file-infecting virus. ViruLogic looks for virus-like behaviors in program functions, such as covert file modifications, background calls or invocations of e-mail clients, and other methods that viruses can use to replicate themselves. When the number of these types of behaviors—or their inherent quality—reaches a predetermined threshold of tolerance, the engine fingers the program as a likely virus.
The engine also “triangulates” its evaluation by looking for program behavior that no virus would display—prompting for some types of user input, for example—in order to eliminate false positive detections. This double-heuristic combination of “positive” and “negative” techniques results in an unsurpassed detection rate with few, if any, costly misidentifications.
Wide-spectrum coverage
As malicious agents have evolved to take advantage of the instant communication and pervasive reach of the Internet, so Dr Solomon’s Anti-Virus has evolved to counter the threats they present. A computer “virus” once meant a specific type of agent—one designed to replicate on its own and cause a limited type of havoc on the unlucky recipient’s computer. In recent years, however, an astounding range of malicious agents has emerged to assault personal computer users from nearly every conceivable angle. Many of these agents—some of the fastest-spreading worms, for instance—use updated versions of vintage techniques to infect systems, but many others make full use of the new opportunities that web-based scripting and application hosting present.
Still others open “backdoors” into desktop systems or create security holes in a way that closely resembles a deliberate attempt at network penetration, rather than the more random mayhem that most viruses tend to leave in their wakes.
The latest Dr Solomon’s Anti-Virus releases, as a consequence, do not simply wait for viruses to appear on your system, they scan proactively at the source or work to deflect hostile agents away from your system. The WinGuard scanner that comes with Dr Solomon’s Anti-Virus has three modules that concentrate on agents that arrive from the Internet, that spread via e-mail, or that lurk on Internet sites. It can look for particular Java and ActiveX objects that pose a threat, or block access to dangerous Internet sites. Meanwhile, an E-Mail Scan extension to Microsoft Exchangee-mail clients, such as Microsoft Outlook, can “x-ray” your mailbox on the server, looking for malicious agents before they arrive on your desktop.
Dr Solomon’s Anti-Virus even protects itself against attempts to use its own functionality against your computer. Some virus writers embed their viruses inside documentsthat, inturn, theyembed inother filesinan attempt to evade detection. Still others take this technique to an absurd extreme, constructing highly recursive—and very large—compressed archive files in an attempt to tie up the scanner as it digs through the file looking for infections. Dr Solomon’s Anti-Virusaccurately scansthemajority of popularcompressed file and archive file formats, but it also includes logic that keeps it from getting trapped in an endless hunt for a virus chimera.
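As an added illustration of the safeguard described above (not the product’s own logic), the following recursive ZIP walker refuses to descend past a fixed nesting depth and charges every member’s declared uncompressed size against a shared budget before inflating it, so a deeply nested or oversized archive cannot trap the scan. The depth limit, byte budget and the marker string used as a stand-in for a detection signature are assumptions constructed for the example.

```python
import io
import zipfile

MAX_DEPTH = 4                # assumed nesting limit
MAX_TOTAL_BYTES = 1_000_000  # assumed cumulative decompression budget
MARKER = b"EXAMPLE-MARKER-NOT-A-REAL-VIRUS"  # constructed detection string


def scan_zip(data, depth=0, budget=None):
    """Walk a ZIP recursively; return {'status': clean|infected|aborted, 'reason': ...}.

    `budget` is a one-element list so that nested calls share one running total.
    """
    if budget is None:
        budget = [MAX_TOTAL_BYTES]
    if depth > MAX_DEPTH:
        return {"status": "aborted", "reason": f"nesting deeper than {MAX_DEPTH}"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Charge the declared uncompressed size before inflating, so a
                # member that claims to be huge is refused before any work is done.
                budget[0] -= info.file_size
                if budget[0] < 0:
                    return {"status": "aborted", "reason": "decompression budget exhausted"}
                member = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(member)):
                    inner = scan_zip(member, depth + 1, budget)  # shared budget
                    if inner["status"] != "clean":
                        return inner
                elif MARKER in member:
                    return {"status": "infected",
                            "reason": f"{info.filename} at depth {depth}"}
    except zipfile.BadZipFile as exc:
        return {"status": "aborted", "reason": f"malformed archive: {exc}"}
    return {"status": "clean", "reason": ""}


def nest(payload, name, levels):
    """Wrap payload in `levels` nested ZIP files (constructed test input)."""
    blob = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name if i == 0 else f"level{i}.zip", blob)
        blob = buf.getvalue()
    return blob


if __name__ == "__main__":
    print(scan_zip(nest(MARKER + b" payload", "doc.txt", 3)))  # infected at depth 2
    print(scan_zip(nest(b"harmless", "doc.txt", 8)))           # aborted: too deep
```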
What comes with Dr Solomon’s Anti-Virus?
Dr Solomon’s Anti-Virus consists of several components that combine one or more related programs, each of which plays a part in defending your computer against viruses and other malicious software. The components are:
• The Dr Solomon’s Anti-Virus application. This component gives you unmatched control over your scanning operations. You can configure and start a scan operation at any time—a feature known as “on-demand” scanning—specify local and network disks as scan targets, tell the application how to respond to any infections it finds, and see reports on its actions. You can start with the Dr Solomon’s Anti-Virus Classic window, a basic configuration mode, then move to the Dr Solomon’s Anti-Virus Advanced mode for maximum flexibility. A related Windows shell extension lets you right-click any object on your system to scan it.
• The Dr Solomon’s Anti-Virus Console. This component allows you to create, configure and run Dr Solomon’s Anti-Virus tasks at times you specify. A “task” can include anything from running a scan operation on a set of disks at a specific time or interval, to running an update or upgrade operation. You can also enable or disable the WinGuard scanner from the Console window.
The Console comes with a preset list of tasks that ensures a minimal level of protection for your system—you can, for example, immediately scan and clean your C: drive or all disks on your computer.
• The WinGuard scanner. This component gives you continuous anti-virus protection from viruses that arrive on floppy disks, from your network, or from various sources on the Internet. The WinGuard scanner starts when you start your computer, and stays in memory until you shut down. A flexible set of property pages lets you tell the scanner which parts of your system to examine, what to look for, which parts to leave alone, and how to respond to any infected files it finds. In addition, the scanner can alert you when it finds a virus, and can generate reports that summarize each of its actions.
The WinGuard scanner comes with three other specialized modules that guard against hostile Java applets and ActiveX controls, that scan e-mail messages and attachments that you receive from the Internet via Lotus cc:Mail, Microsoft Mail or other mail clients that comply with Microsoft’s Messaging Application Programming Interface (MAPI) standard, and that block access to dangerous Internet sites. Secure password protection for your configuration options prevents others from making unauthorized changes. The same convenient dialog box controls configuration options for all WinGuard modules.
• The E-Mail Scan extension. This component allows you to scan your Microsoft Exchange or Outlook mailbox, or public folders to which you have access, directly on the server. This invaluable “x-ray” peek into your mailbox means that Dr Solomon’s Anti-Virus can find potential infections before they make their way to your desktop, which can stop a Melissa-like virus in its tracks.