Mcafee DR SOLOMON S ANTI-VIRUS 8.5 User Manual

Download

Page 1

Dr Solomon’s Anti-Virus

User’s Guide

Version 8.5

Page 2

Copyright © 2000 Network Associates, Inc. and its Affiliated Companies. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Network Associates , Inc.

TRADEMARK ATTRIBUTIONS

* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, CNX, Compass 7, CyberCop, CyberMedia, Data Security Letter, Discover, Di stributed Sniffer System, Dr Solomon’s, Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT, GroupShield, HelpDesk, Hunter, ISDN Tel/Scope, LM 1, LA NGuru, Le ading Help Des k Technolo gy, Magic Solu tions, MagicSpy, MagicTree, Magic University, MagicWin, MagicWord, McAfee, McAfee Associates, MoneyMagic, More Power To You, Multimedia Cl oaking, NetCrypto, Net Octopus, NetRoom, NetScan, Net Shield, NetShield, NetStalker, Net Tools, Network Associates, Network General, Network Uptime!, NetXRay, Nuts & Bolts, PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty Good Privacy, PrimeSupport, RecoverKey, RecoverKey-Inter national, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, Site Meter, Sniffer, SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR), SupportMagic, Switch PM, TeleSniffer, TIS, TMach, TMeg, Total Network S ecurity, Total Network Visibility, Total Se rvice Desk, Total Virus Defense, T-P OD, Trus ted Mach, Trusted Ma il, Uninst aller, Virex, Virex- PC, Viru s Forum, ViruScan, VirusScan, VShield, WebScan, WebS hield, WebSniffer , WebSt alker WebW all, and ZAC 2000

are registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

LICENSE AGREEMENT

NOTICE TO ALL USERS: CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT ("AGREEMENT"), FOR THE LICENSE OF SPECIFIED SOFTWARE ("SOFTWARE") BY NETWORK ASSOCIATES, INC. ("McAfee"). BY CLICKING THE ACCEPT BUTTON OR INSTALLING THE SOFTWARE, YOU (EITHER AN INDIVIDUAL OR A SINGLE ENTITY) CONSENT TO BE BOUND BY AND B ECOME A PARTY TO THIS AGREEMENT. IF YO U DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE BUTTON THAT INDICATES THAT YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT AND DO NOT INSTALL THE SOFTWARE. (IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.)

1. License Grant. Subject to the payment of the applicable license fees, and subject to the terms and

conditions of this Agreement, McAfee hereby grants to you a non-exclusive, no n-transferable right to use one copy of the specified version of the Software and the accompanying d ocumentation (the "Documentation"). You may install one copy of the Software on one computer, workstation, personal digital assistant, pager, "smart phone" or other electronic device for which the Software was designed (each, a "Client Device"). If the Software is licensed as a suite or bundle with more than one specified Software product, this license applies to all such specified Software products, subject to any restrictions or usage terms specified on the applicable price list or p roduct packaging that apply to any of such Software products individually.

Issued May 2000/ Dr Solomon’s Anti-Virus v8.5

Page 3

(i.e., the required number of licenses would equal the number of distinct inputs to the multiplexing or pooling software or hardware "front end"). If the number of Client Devices or seats that can connect to the Software can exceed the nu mber of licens es you have obtained, then you must have a reasonable mechanism in place to en sure that you r use of the Software does not exceed the use limits specified for the licens es you h ave obtained . This licen se authorizes you to make or download one copy of the Documentation for each Client Device or seat that is licensed, provided that each such copy contains all of the Documentation's proprietary notices.

c. Volume Licenses. If the Software is licensed with volume license terms specified in the

applicable price list or product packaging for the Software, you may make, use and install as many additional copies of the Software on the number of Client Devices as the volume license authorizes. You must have a reasonable mechanism in place to ensure that the number of Client Devices on which the Software has been installed does not exceed the number of licenses you have obtained. This license authori zes you to make or downl oad one copy of the Document ation for each additional copy authorized by the volume license, provided that each such copy contains all of the Documentation's proprietary notices.

2. Term. This Agreement is effective for an unlimited duration unless and until earlier terminated as

set forth herein. This Agreement will terminate automatically if you fail to comply with any of the limitations or other requirements described herein. Upon any termination or expiration of this Agreement, you must destroy all copies of the Software and the Documentation. You may terminate this Agreement at any point by destroying all copies of the Software and the Documentation.

3. Updates. For the time period specified in the applicable price list or product packaging for the

Software you are entitled to download revisions or updates to the Software when and as McAfee publishes them via its electronic bulletin board system, website or through other online services. For a period of ninety (90) days from the date of the original purchase of the Software, you are entitled to download one (1) revision or upgrade to the Software when and as McAfee publishes it via its electronic bulletin board system, website or through other online services. After the specified time period, you have no further rights to receive any revisions or upgrades without purchase of a new license or annual upgrade plan to the Software.

4. Ownership Rights. The Software is protected by United States copyright laws and international

treaty provisions. McAfee and its suppliers own and retain all right, title an d interest in and to the Software, including all copyrights, patents, trade secret rights, trademarks and other intellectual property rights therein. Your possession, installation, or use of the Software does not transfer to you any title to the intellectual property in the Software, and you will not acquire any rights to the Software except as expressly set forth in this Agreement. All copies of the Software and Documentation made hereund er must contain the s ame proprietar y notices that appear o n and in the Software and Documentation.

User’s Guide iii

Page 4

5. Restrictions. You may not rent, lease, loan or resell the Software. You may not permit third parties

to benefit from the use or functionality of the Software via a timesharing, service bureau or other arrangement, except to the extent such use is specified in the applicable list price or product packaging for the Software. You may not transfer any of the rights granted to you under this Agreement. You may not reverse engineer, decompile, or disassemble the Software, except to the extent the foregoing restriction is expres s ly prohibited by applicabl e law . Y ou may n ot mo di fy, or create derivative works based upon, the Software in whole or in part. You may not copy the Software or Documentation except as expressly permitted in Section 1 above. You may not remove any proprietary notices or labels on the Software. All rights not expressly set forth hereunder are reserved by McAfee. McAfee reserves the right to periodically conduct audits upon advance written notice to verify compliance with the terms of this Agreement.

6. Warranty and Disclaimer a. Limited Warranty. McAfee warrants that for sixty (60) day s from the date of origi nal purchase

the media (e.g., diskettes) on which the Software is contained will be free from defects in materials and workmanship.

b. Customer Remedies. McAfee's and its suppliers' entire liability and your exclusive remedy for

any breach of the foregoing warranty shall be, at McAfee's option, either (i) return of the purchase price paid for the license, if any, or (ii) repl acement of the defective med ia in which the Software is contained. You must return the defective media to McAfee at your expense with a copy of your receipt. This limited warranty is void if the defect has resulted from accident, abuse, or misapplication. Any replacement media will be warranted for the remainder of the original warranty period. Outside the United St ates, this remedy is not av ailable to the extent McAfee is subject to restrictions under United States export control laws and regulations.

c. Warranty Disclaimer. Except for the limited warranty set forth herein, THE SOFTWARE IS

PROVIDED "AS IS." TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MCAFEE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT WITH RESPECT TO THE SOFTWARE AND THE ACCOMPANYING DOCUMENTATION. YOU ASSUME RESPONSIBILITY FOR SELECTING THE SOFTWARE TO ACHIEVE YOUR INTENDED RESULTS, AND FOR THE INSTALLATION OF, USE OF, AND RESULTS OBTAINED FROM THE SOFTWARE. WITHOUT LIMITING THE FOREGOING PROVISIONS, MCAFEE MAKES NO WARRANTY THAT THE SOFTWARE WILL BE ERROR-FREE OR FREE FROM INTERRUPTIONS OR OTHER FAILURES OR THAT THE SOFTWARE WILL MEET YOUR REQUIREMENTS. SOME STATES AND JURISDICTIONS DO NOT ALLOW LIMITATIONS ON IMPLIED WARRANTIES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU. The foregoing provisions shall be enforceable to the maximum extent permitted by applicable law.

iv Dr Solomon’s Anti-Virus

Page 5

7. Limitation of Liability. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER IN TORT, CONTRACT, OR OTHERWISE, SHALL MCAFEE OR ITS SUPPLIER S BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR FOR ANY AND ALL OTHER DAMAGES OR LOSSES. IN NO EVENT WILL MCAFEE BE L IABLE FOR ANY DAMAGES IN EXCESS OF THE LIST PRICE MCAFEE CHARGES FOR A LICE NSE TO THE SOFTW ARE, EVEN IF MCAFEE SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY TO THE EXTENT THAT APPLICABLE LAW PROHIBITS SUCH LIMITATION. FURTHERMORE, SOME STATES AND JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION AND EXCLUSION MAY NOT APPLY TO YOU. The foregoing provisions shall be enforceable to the maximum extent permitted by applicable law.

8. United States Government. The Software and accompanying Documentation are deemed to be "commercial computer software" and "commercial computer software documentation," respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction, release, performance, display or disclosure of the Software and accompanying Documentation by the United States Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.

9. Export Controls. Neither the Software nor the Documentation and underlying information or technology may be downloaded or otherwise exported or re-exported (i) into (or to a national or resident of ) Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria or any other country to which the United States has embargoed goods; or (ii) to anyone on the United States Treasury Department's list of Specially Designated Nations or the United States Commerce Department's Table of Denial Orders. By downloading or using the Software you are agreeing to the foregoing and you are certifying that you are not located in, under the control of, or a national or resident of any such country or on any such list.

IN ADDITION, YOU SHOULD BE AWARE OF THE FOLLOWING: EXPORT OF THE SOFTWARE MAY BE SUBJECT TO COMPLIANCE WITH THE RULES AND REGULATIONS PROMULGATED FROM TIME TO TIME BY THE BUREAU OF EXPOR T ADMINISTRATION, UNITED STATES DEPARTMENT OF COMMERCE, WHICH RESTRICT THE EXPORT AND RE-EXPORT OF CERTAIN PRODUCTS AND TECHNICAL DATA. IF THE EXPORT OF THE SOFTWARE IS CONTROLLED UNDER SUCH RULES AND REGULATIONS, THEN THE SOFTWARE SHALL NOT BE EXPORTED OR RE-EXPORTED, DIRECTLY OR INDIRECTLY, (A) WITHOUT ALL EXPORT OR RE-EXPORT LICENSES AND UNITED STATES OR OTHER GOVERNMENTAL APPROVALS REQUIRED BY ANY APPLICABLE LAWS, OR (B) IN V IOLATION OF ANY APPLICABLE PROHIBITION AGAINST THE EXPORT OR RE-EXPORT OF ANY PART OF THE SOFTWARE.

User’s Guide v

Page 6

SOME COUNTRIES HAVE RESTRICTIONS ON THE USE OF ENCRYPTION WITHIN THEIR BORDERS, OR THE IMPORT OR EXPORT OF ENCRYPTION EVEN IF FOR ONLY TEMPORARY PERSONAL OR BUSINESS USE. YOU ACKNOWLEDGE THAT THE IMPLEMENTATION AND ENFORCEMENT OF THESE LAWS IS NOT ALWAYS CONSISTENT AS TO SPECIFIC COUNTRIES. ALTHOUGH THE FOLLOWING COUNTRIES ARE NOT AN EXHAUSTIVE LIST THERE MAY EXIST RESTRICTIONS ON THE EXPORTATION TO, OR IMPORTATION OF, ENCRYPTION BY: BELGIUM, CHINA (INCLUDING HONG KONG), FRANCE, INDIA, INDONESIA, ISRAEL, RUSSIA, SAUDI ARABIA, SINGAPORE, AND SOUTH KOREA. YOU ACKNOWLEDGE IT IS YOUR ULTIMATE RESPONSIBILITY TO COMPLY WITH ANY AND ALL GOVERNMENT EXPORT AND OTHER APPLICABLE LAWS AND THAT MCAFEE HAS NO FURTHER RESPONSIBILITY AFTER THE INITIAL SALE TO YOU WITHIN THE ORIGINAL COUNTRY OF SALE.

10.High Risk Activities. The Software is not fault-tolerant and is not designed or intended for use in hazardous environments requiring fail-safe performance, including without limitation, in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, weapons systems, direct life-support machines, or any other application in which the failure of the Software could lead directly to death, personal injury, or severe physical or property damage (collectively, "High Risk Activities"). McAfee expressly disclaims any express or implied warranty of fitness for High Risk Activities.

11.Miscellaneous. This Agreement is governed by the laws of the United States and the State of California, without reference to conflict of laws principles. The application of the United Nations Convention of Contracts for the International Sale of Goods is expres sly excluded. This Agreement sets forth all rights for the user of the Software and is the entire agreement between the parties. This Agreement supersedes any other communications with respect to the Software and Docum entation. This Agreement may not be modified except by a written addendum issued by a duly authorized representative of McAfee. No provision hereof shall be deemed waived unless such waiver shall be in writing and signed by McAfee or a duly authorized representative of McAfee. If any provision of this Agreement is held invalid, the remainder of this Agreement shall contin ue in full force and effect. The parties confirm that it is their wish that this Agreement has been written in the English language only.

12.McAfee Customer Contact. If you have any questions concerning these terms and conditions, or if you would like to contact McAfee for any other reason, please call (408) 988-3832, fax (408) 970-9727, or write: McAfee Software, 3965 Freedom Circle, Santa Clara, California 95054. http://www.mcafee.com.

Statements made to you in the course of this sale are subject to the Year 2000 Information and Readiness Disclosure Act (Public Law 105-271). In the case of a dispute, this Act may reduce your legal rights regarding the use of any statements regarding Year 2000 readiness, unless otherwise specified in your contract or tariff.

vi Dr Solomon’s Anti-Virus

Page 7

Table of Contents

Preface....................................................xiii

Whathappened?................................................xiii

Whyworry?................................................xiii

Wheredovirusescomefrom? ....................................xiv

Virusprehistory ............................................xiv

VirusesandthePCrevolution .................................xv

Onthefrontier.................................................xviii

Wherenext? ................................................xx

Howtoprotectyourself ..........................................xxi

HowtocontactNetworkAssociates ................................xxii

Customerservice ...........................................xxii

Technical support .........................................xxiii

Downloadsupport .........................................xxiv

NetworkAssociatestraining.................................xxiv

Commentsandfeedback....................................xxiv

Reportingnewitemsforanti-virusdatafileupdates .............xxiv

Internationalcontactinformation .............................xxvi

Chapter 1. About Dr Solomon’sAnti-Virus .......................29

Introducing Dr Solomon’sAnti-Virus ................................29

How does Dr Solomon’sAnti-Viruswork?............................31

What comes with Dr Solomon’sAnti-Virus? ..........................33

What’snewinthisrelease? ........................................38

Chapter 2. Installing Dr Solomon’sAnti-Virus ....................41

Beforeyoubegin.................................................41

Systemrequirements.........................................41

Otherrecommendations ......................................42

Preparing t o install Dr Solomon’sAnti-Virus .....................42

Installationoptions ..........................................43

Installationsteps ............................................43

Using the Emergency Disk Creation utility . . . . . . . . . ..............57

User’s Guide vii

Page 8

Table of Contents

Determiningwhenyoumustrestartyourcomputer................62

Testingyourinstallation ..........................................63

Modifying or removing your Dr Solomon’s Anti-Virus installation . . . .64

Chapter 3. Removing Infections

FromYourSystem ....................................69

Ifyoususpectyouhaveavirus... ...................................69

Decidingwhentoscanforviruses ..................................72

Recognizing when you don’thaveavirus ............................73

Understandingfalsedetections ................................74

Responding to viruses or malicious software . . . . . . . . . . . ..............75

Submittingavirussample .........................................87

Using the SendVirus utility to submit a file sample . . ..............87

Capturing boot sector, file-infecting, and macro viruses . . . . . . . . . . . .90

Chapter4. UsingtheWinGuardScanner.........................95

WhatdoestheWinGuardscannerdo?...............................95

WhyusetheWinGuardscanner?...............................96

Browserande-mailclientsupport ..............................97

EnablingorstartingtheWinGuardscanner...........................98

UsingtheWinGuardconfigurationwizard ...........................103

SettingWinGuardscannerproperties ..............................109

UsingtheWinGuardshortcutmenu ................................165

DisablingorstoppingtheWinGuardscanner ........................165

TrackingWinGuardsoftwarestatusinformation......................172

Chapter 5. Using the Dr Solomon’sAnti-Virusapplication .........175

What is the Dr Solomon’sAnti-Virusapplication? ....................175

Why use the Dr Solomon’sAnti-Virusapplication? ...............176

Starting the Dr Solomon’sAnti-Virusapplication .....................177

Configuring the Dr Solomon’sAnti-VirusClassicinterface.............183

Configuring the Dr Solomon’sAnti-VirusAdvancedinterface ..........189

Chapter 6. Creating and Configuring Scheduled Tasks . . . . . . . . . . . . 209

What does Dr Solomon’sAnti-VirusConsoledo? ....................209

Whyschedulescanoperations?...................................209

viii Dr Solomon’sAnti-Virus

Page 9

Table of Contents

Starting the Dr Solomon’sAnti-VirusConsole .......................210

Using the Console window . . . . . . . . . . .............................212

Workingwithdefaulttasks ...................................215

WorkingwiththeVShieldtask ................................217

WorkingwiththeAutoUpgradeandAutoUpdatetasks ............218

Creatingnewtasks ..............................................219

Enablingtasks..................................................223

Checkingtaskstatus ........................................226

Configuring Dr Solomon’sAnti-Virusapplicationoptions..............228

Chapter 7. Updating and Upgrading Dr Solomon’sAnti-Virus ......249

Developinganupdatingstrategy ..................................249

Update and upgrade methods . . . . . . . . .............................250

Understanding the AutoUpdate utility . .............................252

ConfiguringtheAutoUpdateUtility.................................254

UnderstandingtheAutoUpgradeutility .............................263

Configuring the AutoUpgrade utility . . . .............................264

Using the AutoUpgrade and SuperDAT utilities together . . . . . . . . . . 273

DeployinganEXTRA.DATfile.................................275

Chapter 8. Using Specialized

Scanning Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277

ScanningMicrosoftExchangeandOutlookmail .....................277

When and why you should use the E-Mail Scan extension . . . . . . . . .277

UsingtheE-MailScanextension...................................278

ConfiguringtheE-MailScanextension .........................279

Scanningcc:Mail................................................294

UsingtheScreenScanutility ......................................294

Chapter 9. Using Dr Solomon’s Anti-Virus Utilities . . . . . . . . . . . . . . . 301

Understanding the Dr Solomon’sAnti-Viruscontrolpanel .............301

Opening the Dr Solomon’sAnti-Viruscontrolpanel...................301

Choosing Dr Solomon’sAnti-Viruscontrolpaneloptions ..............302

Using the Alert Manager Client Configuration utility . . . . . .............306

Dr Solomon’sAnti-VirusasanAlertManagerclient...................307

ConfiguringtheAlertManagerclientutility ..........................307

User’s Guide ix

Page 10

Table of Contents

Appendix A. Default Vulnerable and Compressed File Extensions . . 313

Addingfilenameextensionsforscanning...........................313

Currentlistofvulnerablefilenameextensions.......................314

Currentlistofcompressedfilesscanned ...........................318

Appendix B. Network Associates

Support Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321

Adding value to your Dr Solomon’sproduct .........................321

PrimeSupport options for corporate customers . . . . . .............321

Ordering a corporate PrimeSupport plan . . . . . . . . . . .............324

PrimeSupport options for home users . .............................326

How to reach international home user support . . . . . . .............328

Ordering a PrimeSupport plan for home users . . . . . . .............328

NetworkAssociatesconsultingandtraining.........................329

ProfessionalServices .......................................329

TotalEducationServices.....................................330

Appendix C. Using the SecureCast Service to Get New Data Files . . 331

Introducing the SecureCast service . . . .............................331

Why should I update my data files? . . . .............................332

Which data files does the SecureCast service deliver? . . . . . . . . . . . .332

Installing the BackWeb client and SecureCast service . . . . .............333

Systemrequirements........................................333

Troubleshooting the Enterprise SecureCast service . .............343

UnsubscribingfromtheSecureCastservice.....................343

Supportresources ..............................................343

SecureCastservice .........................................343

BackWebclient.............................................344

Appendix D. Understanding iDAT Technology . . . . . . . . . . . . . . . . . . .345

Understandingincremental.DATfiles ..............................345

How does iDAT updating work? . . . . . . .............................346

What does Dr Solomon’sSoftwareposteachweek?..............347

Bestpractices ..................................................348

Frequentlyaskedquestions ......................................349

x Dr Solomon’sAnti-Virus

Page 11

Table of Contents

Index......................................................353

User’s Guide xi

Page 12

Table of Contents

xii Dr Solomon’sAnti-Virus

Page 13

Preface

What happened?

If you’ve ever lost important files stored on your hard disk, watched in dismay

as your computer ground to a halt only to display a prankster’s juvenile

greeting on your monitor, or found yourself having to apologize for abusive

e-mail messages you never sent, you know first-hand how computer viruses

and other harmful programs can disrupt your productivity. If you haven’t yet

suffered from a virus “infection,” count yourself lucky. But with more than

50,000 known viruses in circulation capable of attacking Windows- and

DOS-based computer systems, it really is only a matter of time before you do.

The good news is that of those thousands of circulating viruses, only a small

proportion have the means to do real damage to your data. In fact, the term

“computer virus” identifies a broad array of programs that have only one

feature in common: they “reproduce” themselves automatically by attaching

themselves to host software or disk sectors on your computer, usually without

your knowledge. Most viruses cause relatively trivial problems, ranging from

the merely annoying to the downright insignificant. Often, the primary

consequence of a virus infection is the cost you incur in time and effort to track

down the source of the infection and eradicate all of its traces.

Why worry?

So why worry about virus infections, if most attacks do little harm? The

problem is twofold. First, although relatively few viruses have destructive

effects, that fact says nothing about how widespread the malicious viruses are.

In many cases, viruses with the most debilitating effects are the hardest to

detect—the virus writer bent on causing harm will take extra steps to avoid

discovery. Second, even “benign” viruses can interfere with the normal

operationofyourcomputerandcancauseunpredictablebehaviorinother

software. Some viruses contain bugs, poorly written code, or other problems

severe enough to cause crashes when they run. Other times, legitimate

software has problems running when a virus has, intentionally or otherwise,

altered system parameters or other aspects of the computing environment.

Tracking down the source of resulting system freezes or crashescan draintime

and money from more productive activities.

Beyond these problems lies a problem of perception: once infected, your

computer can serve as a source of infection for other computers. If you

regularly exchange data with colleagues or customers, you could unwittingly

pass on a virusthat could do more damage to your reputation or your dealings

with others than it does to your computer.

User’s Guide xiii

Page 14

Preface

The threat from viruses and other malicious software is real, and it is growing

worse. Some estimates have placed the total worldwide cost in time and lost

productivity for merely detecting and cleaning virus infections at more than

$10 billion per year, a figure that doesn’t include the costs of data loss and

recovery in the wake of attacks that destroyed data.

Where do viruses come from?

As you or one of your colleagues recovers from a virus attack or hears about

new forms of malicious software appearing in commonly used programs,

you’ve probably asked yourself a number of questions about how we as

computer users got to this point. Where do viruses and other malicious

programs come from? Who writes them? Wh y do those who write them seek

to interrupt workflows, destroy data, or cost people the time and money

necessary to eradicate them? What can stop them?

Why did this happen to me?

It probably doesn’t console you much to hear that the programmerwho wrote

the virus that erased your hard disk’s file allocation table didn’t target you or

your computer specifically. Nor will it cheer you up to learn that the virus

problem will probably always be with us. But knowing a bit about the history

of computer viruses and how they work can help you better protect yourself

against them.

Virus prehistory

Historianshave identified a number of programs that incorporated features

now associated with virus software. Canadian researcher and educator Robert

M. Slade traces virus lineage back to special-purpose utilities used to reclaim

unused file space and perform other useful tasks in the earliest networked

computers. Slade reports that computer scientists at a Xerox Corporation

research facility called programs like these “worms,” a term coined after the

scientists noticed “holes” in printouts from computer memory maps that

looked as though worms had eaten them. The term survives to this day to

describe programs that make copies of themselves, but without necessarily

using host software in the process.

A strong academic tradition of computer prank playing most likely

contributed to the shift away from utility programs and toward more

malicioususesoftheprogrammingtechniquesfoundinwormsoftware.

Computer science students, often to test their programming abilities, would

construct rogue worm programs and unleash them to “fight” against each

other, competing to see whose program could “survive” while shutting down

rivals. Those same students also found uses for worm programs in practical

jokes they played on unsuspecting colleagues.

xiv Dr Solomon’sAnti-Virus

Page 15

Some of these students soon discovered that they could use certain features of

the host computer’s operating system to give them unauthorized access to

computer resources. Others took advantage of users who had relatively little

computer knowledge to substitute their own programs—written for their own

purposes—in place of common or innocuous utilities. These unsophisticated

users would run what they thought was their usual software only to find their

files erased, to have their account passwords stolen, or to suffer other

unpleasant consequences. Such “Trojan horse” programs or “Trojans,” so

dubbed for their metaphorical resemblance to the ancient Greek gift t o the city

of Troy, remain a significant, and growing, threat to computer users today.

Viruses and the PC revolution

What we now think of as true computer viruses first appeared, according to

Robert Slade, soon after the first perso nal computers reached the mass market

in the early1980s. Other researchers date the advent of virus programs to 1986,

with the appearance of the “Brain” virus. Whichever date has the better claim,

the link between the virus threat and the personal computer is not

coincidental.

The new mass distribution of computers meant that viruses could spread to

many more hosts than before, when a comparatively few, closely guarded

mainframe systems dominated the computing world from their bastions in

large corporations and universities.Nor did the individual users who bought

PCs have much use for the sophisticated security measures needed to protect

sensitive data in those environments. As further catalyst, virus writers found

it relatively easy to exploit some PC technologies to serve their own ends.

Preface

Boot-sector viruses

Early PCs, for example, “booted” or loaded their operating systems from

floppy disks. The authors of the Brain virus discovered that they could

substitute their own program for the executable code present on the boot

sector of every floppy disk formatted with Microsoft’s MS-DOS, w hether or

not it included system files. Users thereby loaded the virus into memory every

time they started their computers with any formatted disk in their floppy

drives. Onc e in memory, a virus can copy itself to boot sectors on other floppy

or hard disks. Those who unintentionally loaded Brain from an infected

floppy found themselves reading an ersatz “advertisement” for a computer

consulting company in Pakistan.

With that advertisement, Brain pioneered another characteristic feature of

modern viruses: the payload. The payload is the prank or malicious behavior

that,iftriggered,causeseffectsthatrangefromannoyingmessagestodata

destruction. It’s the virus characteristic that draws the most attention—many

virus authors now write their viruses specifically to deliver their payloads to

as many computers as possible.

User’s Guide xv

Page 16

Preface

For a time,sophisticated descendants of this first boot-sector virus represented

themostseriousvirusthreattocomputerusers.Variantsofbootsectorviruses

also infect the Master Boot Record (MBR), which stores the partition

information your computer needs to figure out where to find each of your

hard disk partitions and the boot sector itself.

Realistically, nearly every step in the boot process, from reading the MBR to

loading the operating system, is vulnerable to virus sabotage. Some of the

most tenacious and destructive viruses still include the ability to infect your

computer’s boot sector or MBR among their repertoire of tricks. Among ot her

advantages, loading at boot time can give a virus a chance to do its work before

your anti-virus software has a chance to run. Many Dr Solomon’s anti-virus

products anticipate this possibility by allowing you to create an emergency

disk you can use to boot your computer and remove infections.

ButmostbootsectorandMBRviruseshadaparticularweakness:theyspread

by means of floppy disks or other removable media, riding concealed in that

first track of disk space. As fewer users exchanged floppy disks and as

software distribution came to rely on other media, such as CD-ROMs and

direct downloading from the Internet, other virus types eclipsed the boot

sector threat. But it’s far f rom gone—many later-generation viruses routinely

incorporate functions that infect your hard disk boot sector or MBR, even if

they use other methods as their primary means of transmission.

Those same v iruseshave also benefitted from several generations ofevolution,

andtherefore incorporate muchmore sophisticated infectionand concealment

techniques that make it far from simple to detect them, even when they hide

in relatively predictable places.

File infector viruses

At about the same time as the authors of the Brain virus found vulnerabilities

in the DOS boot sector, other virus writers found out how to use other

software to help replicate their creations. An early example of this type of virus

showed up in computers at Lehigh University in Pennsylvania. The virus

infected part of the DOS command interpreter COMMAND.COM, which it

used to load itself into memory. Once there, it spread to other uninfected

COMMAND.COM files each time a user entered any standard DOScommand

that involved disk access. This limited its spread to floppy disks that

contained, usually, a full operating system.

Later viruses quickly overcame this limitation, sometimes with fairly clever

programming. Virus writers might, for instance, have their virus add its code

to the beginning of an executable file, so that when users start a program, the

virus code executes immediately, then transfers control back to the legitimate

software, which runs as though nothing unusual has happened. Once it

activates, the virus “hooks” or “traps” requests thatlegitimate software makes

to the operating system and substitutes its own responses.

xvi Dr Solomon’sAnti-Virus

Page 17

Preface

Particularly clever viruses can even s ubvert attempts to clear them from

memory by trapping the CTRL+ALT+DEL keyboard sequence for a warm

reboot, then faking a restart. Sometimes the only outward indication that

anything on your system is amiss—before any payload detonates, that

is—might be a small change in the file size of infected legitimate software.

Stealth, mutation, encryption, and polymorphic techniques

Unobtrusive as they might be, changes in file size and other scant evidence of

a virus infection usually gives most anti-virus software enough of a scent to

locate and remove the offending code. One of the virus writer’s principal

challenges, therefore, is to find ways to hide his or her handiwork. The earliest

disguises were a mixture of innovative programming and obvious giveaways.

The Brain vi rus, for instance, redirected requests to see a disk’s boot sector

away from the actual location of the infected sector to the new location of the

boot files, which the virus had moved. This “stealth” capability enabled this

and other viruses to hide from conventional search techniques.

Because viruses needed to avoid continuously reinfecting host systems—

doing so would quickly balloon an infected file’s size to easily detectable

proportions or would consume enough system resources to point to an

obvious culprit—their authors also needed to tell them to leave certain files

alone. They addressed this problem by having the virus write a characteristic

byte sequence or, in 32-bit Windows operating systems, create a particular

registry key that would flag infected files with the software equivalent of a “do

not disturb” sign. Although that kept the virus from giving itself away

immediately, it opened the way for anti-virus software to use the “do not

disturb” sequence itself, along with other characteristic patterns that the virus

wrote into files it infected, to spot its “code signature.” Most anti-virus

vendors now compile and regularly update a database of virus “definitions”

that their products use to recognize those code signatures in the files they scan.

In response, virus writers found ways to conceal the code signatures. Some

viruses would “mutate” or transform their code signatures with each new

infection. Others encrypted themselves and, as a result, their code signatures,

leaving only a couple of bytes to use as a key for decryption. The most

sophisticated new viruses employed stealth, mutation and encryption to

appear in an almost undetectable variety of new forms. Finding these

“polymorphic” viruses required software engineers to develop very elaborate

programming techniques for anti-virus software.

User’s Guide xvii

Page 18

Preface

Macro viruses

By 1995 or so, the virus war had come to something ofa standstill. New viruses

appeared continuously, prompted in part by the availability of ready-made

virus “kits” that enabled even some non-programmers to whip up a new virus

in no time. But most existing anti-virus software easily kept pace with updates

that detected and disposed of the new virus variants, which consisted

primarily of minor tweaks to well-known templates.

But 1995 marked the emergence of the Concept virus, which added a new and

surprising twist to virus history. Before Concept, most virus researchers

thought of data files—the text, spreadsheet, or drawing documents created by

the software you use—as immune to infection. Viruses, after all, are programs

and, as such, needed to run in the same way executable software did in order

to do their damage. Data files, on the other hand, simply stored information

that you entered when you worked with your software.

That distinction melted away when Microsoft began adding macro

capabilities to Word and Excel, the flagship applications in its Office suite.

Using the stripped-down version of its Visual Basic language included with

the suite, users could create document templates that would automatically

format and a dd other features to documents created with Word and Excel.

Other vendors quickly followed suit with their products, either using a

variation of the same Microsoft macro language or incorporating one of their

own. Virus writers, in turn, seized the opportunity that this presented to

conceal and spread viruses in documents that you, the user, created yourself.

The exploding popularity of the Internet and of e-mail software that allowed

users to attach files to messages ensured that macroviruses would spread very

quickly and very widely. Within a year, macro viruses became the most potent

virus threat ever.

On the frontier

Even as viruses grew more sophisticated and continued to threaten the

integrity of computer systems we all had come to depend upon, still other

dangers began to emerge from an unexpected source: the World Wide Web.

Once a repository of research papers and academic treat ises, the web has

transformed itself into perhaps the most versatile and adaptable medium ever

invented for communication and commerce.

Because its potential seems so vast, the web has attracted the attention and the

developmental energies of nearly every computer-related company in the

industry.

xviii Dr Solomon’sAnti-Virus

Page 19

Convergences in the technologies that have resulted from this feverish pace of

invention have given website designers tools they can use to collect and

display information in ways never previously available. Websites soon sprang

up that could send and receive e-mail, formulate and execute queries to

databases using advanced s earch engines, send a nd receive live audio and

video, and distribute data and multimedia resources to a worldwide audience.

Much of the technology that made these features possible consisted of small,

easily downloaded programs that interact with your browser software and,

sometimes, with other software on your hard disk. This same avenue served

as an entry point into your computer system for other—less benign—

programs to use for their own purposes.

Java, ActiveX, and scripted objects

These programs, whether beneficial or harmful, come in a variety of forms.

Someare special-purpose miniature applications, or “applets,” writtenin Java,

a programming lang uage first developed by Sun Microsystems. Others are

developed using ActiveX, a Microsoft technology that programmers can use

for similar purposes.

Both Java and ActiveX make extensive use of prewritten software modules, or

“objects,” that programmers can write themselves or take from existing

sources and fashion into the plug-ins, applets, device drivers and other

software needed t o power the web. Java objects are called “classes,” while

ActiveX objects are called “controls.” The principle difference between them

lies in how they run on the host system. Java applets run in a Java “virtual

machine” designed to interpret Java programming and translate it into action

on the host machine, while ActiveX controls run as native Windows software

that links and passes data among other Windows programs.

Preface

The overwhelming majority of these objects are useful, even necessary, parts

of any interactive website. But despite the best efforts of Sun and Microsoft

engineers to design security measures into them, determined programmers

can use Java and ActiveX tools to plant harmful objects on websites, where

they can lurk until visitors unwittingly allow them access to vulnerable

computer systems.

Unlike viruses, harmful Java and ActiveX objects usually don’t seek to

replicate themselves. The web provi des them with plenty of opportunities to

spread to target computer systems, while their small size and innocuous

nature makes it easy for them to evade detection. In fact, unless you tell your

web browser specifically to block them, Java and ActiveX objects download to

your system automatically whenever you visit a website that hosts them.

User’s Guide xix

Page 20

Preface

Instead, harmful objects exist to deliver their equivalent of a virus payload.

Programmers have written objects, for example, that can read data from your

hard disk and send it back to the website you visited, that can “hijack” your

e-mail account and send out offensive messages in your name, or that can

watch data that passes between your computer and other computers.

Even more powerful agents have begun to appear in applications that run

directly from websites you visit. JavaScript, a scripting language with a name

similar to the unrelated Java language, first appeared in Netscape Navigator,

with its implementation of version 3.2 of the Hyper Text Markup Language

(HTML) standard. Since its introduction, JavaScript has grown tremendously

in capability and power, as have the host of other scripting technologies that

have followed it—including Microsoft VBScript and Active Server Pages,

Allaire Cold Fusion, and others. These technologies now allow software

designers to create fully realized applications that run on web servers, interact

with databases and other data sources, and directly manipulate features in the

web browser and e-mail client so f tware running on your computer.

As with Java and ActiveX objects, significant security measures exist to

prevent malicious actions, but vir us writers and security hackers have found

ways around these. Because the benefits these innovations bring to the web

generallyoutweighthe risks, however,mostusersfind themselvescalculating

the tradeoffs rather than shunning the technologies.

Where next?

Malicious software has even intruded into areas once thought completely out

of bounds. Users of the mIRC Internet Relay Chat client, for example, have

reported encountering viruses constructed from the mIRC scripting language.

The chat client sends script viruses as plain text, w hich would ordinarily

preclude them from infecting systems, but older versions of the mIRC client

software would interpret the instructions coded into the script and perform

unwanted actions on the recipient’s computer.

The vendors moved quickly to disable this capability in updated versions of

the software, but the mIRC incident illustrates the general rule that where a

way exists to exploit a software security hole, someone will find it and use it.

Late in 1999, another virus writer demonstrated this rule yet again with a

proof-of-concept virus called VBS/Bubbleboy that ran directly within the

Microsoft Outlook e-mail client by hijacking its built-in VBScript support. This

virus crossed the once-sharp line that divided plain-text e-mail messages from

the infectable attachments they carried. VBS/Bubbleboy didn’t even require

youto open the e-mailmessage—simplyviewingit from the Outlookpreview

window could infect your system.

xx Dr Solomon’sAnti-Virus

Page 21

How to prote ct yourself

Dr Solomon’s Anti-Virus already gives you an important bulwark against

infection and damage to your data, but anti-virus software is only one part of

the security measures you should take to protect yourself. Anti-virus software,

moreover,isonlyasgoodasitslatestupdate.Becauseasmanyas200to300

viruses and variants appear each month, the virus definition (.DAT) files that

enable Dr Solomon’s software to detect and remove viruses can get quickly

outdated. If you have not updated the files that originally came with your

software, you could risk infection from newly emerging viruses. Dr Solomon’s

Software has, however, assembled the world’s largest and most experienced

anti-virus research staff in its Anti-Virus Emergency Response Team

(AVERT)*. This means that the files you need to combat new viruses appear as

soon as—and often before—you need them.

Most other security measures are common sense—checking disks you receive

from unknown or questionable sources, either with anti-virus software or

some kind of verification utility, is always a good idea. Malicious

programmers have gone so far as to mimic the programs you trust to guard

your computer, pasting a familiar face on software with a less-than-friendly

purpose. Neither Dr Solomon’s nor any other anti-virus software, however,

can detect when someone substitutes an as-yet unidentified Trojan horse or

other malicious program for one of your favorite shareware or commercial

utilities—that is, until after the fact.

Preface

Web and Internet access poses its own risks. Dr Solomon’s Anti-Virus* gives

you the ability to block dangerous web sites so that users can’t inadvertently

download malicious software from known hazards; it also catches hostile

objects that get downloaded anyway. But having a top-notch firewall in place

to protect your network and implementing other network security measures

is a neces sity when unscrupulous attackers can penetrate your network from

nearly any point on the globe, whether to steal sensitive data or implant

malicious code. You should also make sure that your network is not accessible

to unauthorized users, and that you have an adequate training program in

place to teach and enforce security standards. To learn about the origin,

behavior and other characteristics of particular viruses, consult the Virus

Information Library maintained on the AVERT website.

Dr Solomon’s Software can provide you with other powerful software in the

Active Virus Defense* (AVD) and Total Virus Defense (TVD) suites, the most

comprehensive anti-virus solutions available. Related companies within the

Network Associates family provideother technologiesthat alsohelp to protect

your network, including the PGP Security CyberCop product line, and the

Sniffer Technologies network monitoring product suite. Contact your

Network Associates representative, or visit the Network Associates website,

to find out how to enlist the power of these security solutions on your side.

User’s Guide xxi

Page 22

Preface

How to contact Network Associates

Customer service

On December 1, 1997, McAfee Associates merged with Network General

Corporation, Pretty Good Privacy, Inc., and Helix Software, Inc. to form

Network Associates, Inc. The combined Company subsequently acquired Dr

Solomon's Software, Trusted Information Systems, Magic Solutions, and

CyberMedia, Inc.

A January 2000 company reorganization formed four independent business

units, each concerned with a particular product line. These are:

• MagicSolutions.This divisionsupplies the Total Servicedesk product line

and related products

• McAfee and Dr Solomon’s Software. These divisions provide the Active

Virus Defense product suite and related anti-virus software solutions to corporate and retail customers.

• PGP Security. This division provides award-winning encryption and

security solutions, including the PGP data security and encryption product line, the Gauntlet firewall product line, the WebShield E-ppliance hardware line, and the CyberCop Scanner and Monitor product series.

• Sniffer Technologies. This division supplies the industry-leading Sniffer

network monitoring, reporting, and analysis utility and related software.

Network Associates continues to market and support the product lines from

each of the new independent business units. You may direct all questions,

comments, or requests concerning the software you purchased, your

registration status, or similar issues to the Network Associates Customer

Servicedepartmentatthefollowingaddress:

Network Associates Customer Servi ce

4099 McEwan, Suite 500

Dallas, Texas 75244

U.S.A.

The department's hours of operation are 8:00 a.m. and 8:00 p.m. Central time,

Monday through Friday

Other contact information for corporate-licensed customers:

Phone: (972) 308-9960

Fax: (972) 619-7485 (24-hour, Group III fax)

E-Mail: services_corporate_division@nai.com

Web: http://www.nai.com

xxii Dr Solomon’sAnti-Virus

Page 23

Other contact information for retail-licensed customers:

Phone: (972) 308-9960

Fax: (972) 619-7485 (24-hour, Group III fax)

E-Mail: cust_care@nai.com

Web: http://www.drsolomon.com/

Technical support

Dr Solomon’s Software and Network Associates are famous for their

dedication to customer satisfaction. The companies have continued this

tradition by making their sites on the World Wide Web valuable resources for

answers to technical support iss ues. Dr Solomon’s Software encourages you to

make this your first stop for answers to frequently asked questions, for

updates to Dr Solomon’s and Network Associates software, and for access to

news and virus information

World Wide Web http://www.nai.com/asp_set/services/technical_support

Ifyoudonotfindwhatyouneedordonothavewebaccess,tryoneofour

automated services.

Preface

/tech_intro.asp

Internet techsupport@mcafee.com CompuServe GO NAI America Online keyword MCAFEE

If the automated services do not have the answers you need, contact Network

Associates at one of the following numbers Monday through Friday between

A.M.and8:00P.M. Central time to find out about Network Associates

8:00

technical support plans.

For corporate-licensed customers:

Phone (972) 308-9960 Fax (972) 619-7845

For retail-licensed customers:

Phone (972) 855-7044 Fax (972) 619-7845

This guide includes a summary of the PrimeSupport plans available to Dr

Solomon’s customers. To learn more about plan features and other details, see

Appendix B, “Network Associates Support Services.”

User’s Guide xxiii

Page 24

Preface

To provide the answers you need quickly and efficiently, the Network

Associates technical support staff needs some information about your

computer and your software. Please include this information in your

correspondence:

• Product name and version number

• Computer brand and model

• Any additional hardw are or peripherals connected to your computer

• Operating system type and version numbers

• Network type and version, if applicable

• Contents of your AUTOEXEC.BAT, CONFIG.SYS, and system LOGIN script

• Specific steps to reproduce the problem

Download support

Toget help with navigatingor downloading files from the NetworkAssociates or Dr Solomon’s websites or FTP sites, call:

Corporate customers (801) 492-2650 Retail customers (801) 492-2600

Network Associates training

For information about scheduling on-site training for any Dr Solomon’s or Network Associates product, call Network Associates Customer Service at: (972) 308-9960.

Comments and feedback

Dr Solomon’s Software appreciates your comments and reserves the right to use any information you supply in any way it believes appropriate without incurring any obligation whatsoever.

Reporting new items for anti-virus data file updates

Dr Solomon’s Anti-Virus offers you the best available detection and removal capabilities, including advanced heuristic scanning that can detect new and unnamed viruses as they emerge. Occasionally, however, an entirely new type of virus that is not a variationon an older type can appear on your system and escape detection.

xxiv Dr Solomon’sAnti-Virus

Page 25

Preface

Because Dr Solomon’s researchers are committed to providing you with effective and up-to-date tools you can use to protect your system, please tell them about any new Java classes, ActiveX controls, dangerous websites, or viruses that your software does not now detect. Note that Dr Solomon’s Software reserves the right to use any information you supply as it deems appropriate, without incurring any obligations whatsoever. Send your questions or virus samples to:

virus_research@nai.com Use this address to send questions or

virus samples to our North America and South America offices

vsample@nai.com Use this address to send questions or

virus samples gathered with Dr Solomon’s Anti-Virus Toolkit* software to our offices in the United Kingdom

To report items to the Dr Solomon’s Software European research office, use these e-mail addresses:

virus_research_europe@nai.com Use this address to send questions or

virus samples to our offices in Western Europe

virus_research_de@nai.com Use this address to send questions or

virus samples gathered with Dr Solomon’s Anti-Virus Toolkit software to our offices in Germany

To report items to the Dr Solomon’s Software Asia-Pacific research office, or theofficeinJapan,useoneofthesee-mailaddresses:

virus_research_japan@nai.com Use this address to send questions or

virus samples to our offices in Japan and East Asia

virus_research_apac@nai.com Use this address to send questions or

virus samples to our offices in Australia and Southeast Asia

User’s Guide xxv

Page 26

Preface

International contact information

To contact Network Associates outside the United States, use the addresses, phone numbers and fax numbers below.

Network Associates Australia

Level 1, 500 Pacific Highway St. Leonards, NSW Sydney, Australia 2065 Phone: 61-2-8425-4200 Fax: 61-2-9439-5166

Network Associates Belgique

BDC Heyzel Esplanade, boîte 43 1020 Bruxelles Belgique

Phone: 0032-2 478.10.29 Fax: 0032-2478.66.21

Network Associates Canada

139 Main Street, Suite 201 Unionville, Ontario Canada L3R 2G6 Phone: (905) 479-4189 Fax: (905)479-4540

Network Associates Austria

Pulvermuehlstrasse 17 Linz, Austria Postal Code A-4040 Phone: 43-732-757-244 Fax: 43-732-757-244-20

Network Associates do Brasil

Rua Geraldo Flausino Gomez 78 Cj. - 51 Brooklin Novo - São Paulo SP - 04575-060 - Brasil

Phone: (55 11) 5505 1009 Fax: (5511) 5505 1006

Network Associates People’s Republic of China

New Century Office Tower, Room 1557 No. 6 Southern Road Capitol Gym Beijing People’s Republic of China 100044 Phone: 8610-6849-2650 Fax: 8610-6849-2069

Network Associates Denmark

Lautruphoej 1-3 2750 Ballerup Danmark Phone: 45 70 277 277 Fax: 4544 209 910

xxvi Dr Solomon ’sAnti-Virus

NA Network Associates Oy

Mikonkatu 9, 5. krs. 00100 Helsinki Finland

Phone: 358 9 5270 70 Fax: 3589 5270 7100

Page 27

Preface

Network Associates France S.A.

50 Rue de Londres 75008 Paris France Phone: 33 1 44 908 737 Fax: 33145227554

Network Associates Hong Kong

19th Floor, Matheson Centre 3 Matheson Way Causeway Bay Hong Kong 63225 Phone: 852-2832-9525 Fax: 852-2832-9530

Network Associates Japan, Inc.

Toranomon 33 Mori Bldg. 3-8-21 Toranomon Minato-Ku Tokyo 105-0001 Japan Phone: 81 3 5408 0700 Fax: 813 5408 0780

Network Associates Deutschland GmbH

Ohmstraße1 D-85716 Unterschleißheim Deutschland Phone: 49 (0)89/3707-0 Fax: 49 (0)89/3707-1199

Network Associates Srl

Centro Direzionale Summit Palazzo D/1 Via Brescia, 28 20063 - Cernusco sul Naviglio (MI) Italy Phone: 39 02 92 65 01 Fax: 3902 92 14 16 44

Network Associates Latin America

1200S.PineIslandRoad,Suite375 Plantation, Florida 33324 United States Phone: (954) 452-1731 Fax: (954) 236-8031

Network Associates de Mexico

Andres Bello No. 10, 4 Piso 4th Floor Col. Polanco Mexico City, Mexico D.F. 11560 Phone: (525) 282-9180 Fax: (525)282-9183

Network Associates International B.V.

Gatwickstraat 25 1043 GL Amsterdam The Netherlands Phone: 31 20 586 6100 Fax: 3120 586 6101

User’s Guide xxvii

Page 28

Preface

Network Associates Portugal

Av. da Liberdade, 114 1269-046 Lisboa Portugal Phone: 351 1 340 4543 Fax: 3511 340 4575

Network Associates South East Asia

78 Shenton Way #29-02 Singapore 079120 Phone: 65-222-7555 Fax: 65-220-7255

Network Associates Sweden

Datavägen 3A Box 596 S-17526Järfälla Sweden Phone: 46 (0) 8 580 88 400 Fax: 46(0) 8 580 88 405

Net Tools Network Associates South Africa

Bardev House, St. Andrews Meadowbrook Lane Epson Downs, P.O. Box 7062 Bryanston, Johannesburg South Africa 2021 Phone: 27 11 706-1629 Fax: 2711 706-1569

Network Associates Spain

Orense 4, 4

Planta. Edificio Trieste 28020 Madrid, Spain Phone: 34 9141 88 500 Fax: 349155 61 404

Network Associates AG

Baeulerwisenstrasse 3 8152 Glattbrugg Switzerland Phone: 0041 1 808 99 66 Fax: 00411 808 99 77

Network Associates Taiwan

Suite6,11F,No.188,Sec.5 NanKingE.Rd. Taipei, Taiwan, Republic of China Phone: 886-2-27-474-8800 Fax: 886-2-27-635-5864

xxviii Dr Solomon’sAnti-Virus

Network Associates International Ltd.

227 Bath Road Slough, Berkshire SL1 5PP United Kingdom Phone: 44 (0)1753 217 500 Fax: 44(0)1753 217 520

Page 29

1About Dr Solomon’sAnti-Virus

Introducing Dr Solomon’sAnti-Virus

Eighty percent of the Fortune 100—and more than 50 million users worldwide—choose D r Solomon’s Anti-Virus to protect their computers from the staggering range of viruses and other malicious agents that has emerged in the last decade to invade corporate networks and cause havoc for business users. T hey do so because Dr Solomon’s Anti-Virus offers the most comprehensive desktop anti-virus security solution available, with features that spot viruses, block hostile ActiveX and Java objects, identify dangerous websites, stop infectious e-mail messages—and evenroot out “zombie” agents that assist in large-scale denial-of-service attacks from across the Internet. They do so also because they recognize how much value Dr Solomon’s anti-virus research and development brings to their fight to maintain network integrity and service levels, ensure data security, and reduce ownership costs.

With more than 50,000 viruses and malicious agents now in circulation, the stakes in this battle have risen considerably. Viruses and worms now have capabilities that can cost an enterprise real money, not just in terms of lost productivity and cleanup costs, but in direct bottom-line reductions in revenue, as more businesses move into e-commerce and online sales, and as virus attacks proliferate.

Dr Solomon’s Anti-Virusfirsthoned its technological edge as one of a handful of pioneering utilities developed to combat the earliest virus epidemics of the personal computer age. It has developed considerably in the intervening years to keep pace with each new subterfuge that virus writers have unleashed. As one of the first Internet-aware anti-virus applications, it maintains its value today as an indispensable business utility for the new electronic economy. Now, with this release, Dr Solomon’s Anti-Virus adds a whole new level of manageability and integration with other Dr Solomon’s anti-virus tools.

Architecturalimprovements mean that each Dr Solomon’s Anti-Virus component meshes closely with the others, sharing data and resources for better application response and fewer demands on your system. Full support for Network Associates ePolicy Orchestrator management software means that network administrators can handle the details of component and task configuration, leaving you free to concentrate on your own work. A new incremental updating technology, meanwhile, means speedier and less bandwidth-intensive virus definition and scan engine downloads—now the protection you need to deal with the blindingly quick distribution rates of new-generation viruses can arrive faster than ever before. To learn more about these features, see “What’s new in this release?” on page 38.

User’s Guide 29

Page 30

About Dr Solomon’sAnti-Virus

The new release also adds multiplatform support for Windows 95, Windows 98, Windows NT Workstation v4.0, and Windows 2000 Professional, all in a single package with a single installer, but optimized to take advantage of the benefits each platform offers. Windows NT Workstation v4.0 and Windows 2000 Professional users, for example, can run Dr Solomon’s Anti-Virus with differingsecurity levels that provide a range of enforcement options for system administrators. That way, corporate anti-virus policy implementation can vary from the relatively casual—where an administrator might lock down a few critical settings, for example—to the very strict, with predefined settings that users cannot change or disable at all.

At the same time, as the cornerstone product in the Dr Solomon’s Active Virus Defense and Total Virus Defense security suites, Dr Solomon’s Anti-Virus retains the same core features that have made it the utility of choice for the corporate desktop. These include a virus detection rate second to none, powerful heuristic capabilities, Trojan horse program detection and removal, rapid- response updating with weekly virus definition (.DAT) file releases, daily beta .DAT releases, and EXTRA.DAT file support in crisis or outbreak situations. Because more than 300 new viruses or malicious software agents appear each month Dr Solomon’s Software backs its software with a worldwide reach and 24-hour “follow the sun” coverage from its Anti-Virus Emergency Response Team (AVERT).

Evenwiththeriseofvirusesandwormsthatusee-mailtospread,thatflood e-mail servers, or that infect groupware products and file servers directly, the individual desktop remains the single largest source of infections, and is often the most vulnerable point of entry. Dr Solomon’s Anti-Virus acts as a tireless desktop sentry, guarding your system against more venerable virus threats and against the latest threats that lurk on websites, often without the site owner’s knowledge, or spread via e-mail, whether solicited or not.

In this environment, taking precautions to protect yourself from malicious software is no longer a luxury, but a necessity. Consider the extent to which you rely on the data on your computer and the time, trouble and money it would take to replace that data if it became corrupted or unusable because of a virus infection. Corporate anti-virus cleanup costs, by some estimates, topped $16 billion in 1999 alone. Balance the probability of infection—and your company’s share of the resulting costs—against the time and effort it takes to put a few common sense security measures in place, and you can quickly see the utility in protecting yourself.

Even if your own data is relatively unimportant to you, neglecting to guard against viruses might mean that your computer could play unwitting host to a virus that could spread to computers that your co-workers and colleagues use. Checking your hard disk periodically with Dr Solomon’s Anti-Virus significantly reduces your system’s vulnerability to infection and keeps you from losing time, money and data unnecessarily.

30 Dr Solomon’sAnti-Virus

Page 31

About Dr Solomon’sAnti-Virus

How does Dr Solomon’sAnti-Viruswork?

DrSolomon’sAnti-Viruscombinestheanti-virusindustry’smostcapablescan engine with top-notch interface enhancements that give you complete access to that engine’s power. The Dr Solomon’s Anti-Virus graphical user interface unifies its specialized program components, but without sacrificing the flexibility you need to fit the software into your computing environment. The scan engine, meanwhile, combines the best features of technologies that McAfee and Dr Solomon researchers developed independently for more than adecade.

Fast, accurate virus detection

The foundation for that combination is the unique development environment that McAfee and Dr Solomon researchers constructed for the engine. That environmentincludes Virtran, a specialized programming language with a structure and “vocabulary” optimized for the particular requirements that virus detection and removal impose. Using specific library functions from this language, for instance, virus researchers can pinpoint those sections within a file, a boot sector, or a master boot record that viruses tend to infect, either because they can hide within them, or because they can hijack their execution routines. This way, the scanner avoids having to examine the entire file for virus code; it can instead sample the file at well defined points to look for virus code signatures that indicate an infection.

Thedevelopment environmentbrings as much speed to .DAT file construction as it does to scan engine routines. The environment provides t ools researchers can use to write “generic” definitions that identify entire virus families, and that can easily detect the tens or hundreds of variants that make up the bulk of new virus sightings. Continual refinements to this technique have moved most of the hand-tooled virus definitions that used to reside in .DAT file updates directly into the scan engine as bundles of generic routines. Researchers can even employ a Virtran architectural feature to plug in new engine “verbs” that, when combined with existing engine functions, can add functionality needed to deal with new infection techniques, new variants, or other problems that emerging viruses now pose.

This results in blazingly quick enhancements the engine’s detection capabilities and removes the need for continuous updates that target virus variants.

User’s Guide 31

Page 32

About Dr Solomon’sAnti-Virus

Encrypted polymorphic virus detection

Along with generic virus variant detection, the scan engine now incorporates a generic decryption engine, a set of routines that enables Dr Solomon’s Anti-Virus to track viruses that try to conceal themselves by encrypting and mutating their code signatures. These “polymorphic” viruses are notoriously difficult to detect, since they change their code signature each time they replicate.

This meant that the simple pattern-matching method that earlier scan engine incarnations used to find many viruses simply no longer worked, since no constant sequence of bytes existed to detect. To respond to this threat, Dr Solomon’s researchers developed the PolyScan Decryption Engine, which locates and analyzes the algorithm that these types of viruses use to encrypt and decrypt th emselves. It then runs this code through its paces in an emulated virtual machine in order to understand how the virus es mutate themselves. Once it does so, the engine can spot the “undisguised” nature of these viruses, and thereby detect them reliably no matter how they try to hide themselves.

“Double heuristics” analysis

As a further engine enhancement, Dr Solomon’s researchers have honed early heuristic scanning technologies—originally developed to detect the astonishing flood of macro virus variants that erupted after 1995—into a set of precision instruments. Heuristic scanning techniques rely on the engine’s experiencewith previous viruses to predict the likelihood that a suspicious file is an as-yet unidentified or unclassified new virus.

The scan e ngine now incorporates ViruLogic, a heuristic technique that can observe a program’sbehavior and evaluate how closely it resembles either a macro virus or a file-infecting virus. ViruLogic looks for virus-like behaviors in program functions, such as covert file modifications, background calls or invocations of e-mail clients, and other methods that viruses can use to replicatethemselves.Whenthenumberofthesetypesofbehaviors—ortheir inherent quality—reaches a predetermined threshold of tolerance, the engine fingers the program as a likely virus.

The engine also “triangulates” its evaluation by looking for program behavior that no virus would display—prompting for some types of user input, for example—in order to eliminate false positive detections. This double-heuristic combination of “positive” and “negative” techniques results in an unsurpasseddetection rate with few, if any, costly misidentifications.

32 Dr Solomon’sAnti-Virus

Page 33

About Dr Solomon’sAnti-Virus

Wide-spectrum coverage

As malicious agents have evolved to take advantage of the instant communication and pervasive reach of the Internet, so Dr Solomon’s Anti-Virus has evolved to counter the threats they present. A computer “virus” once meant a specific type of agent—one designed to replicate on its own and cause a limited type of havoc on the unlucky recipient’s computer. In recent years, however, an astounding range of malicious agents has emerged to assault personal computerusers from nearly every conceivable angle. Many of these agents—some of the fastest-spreading worms, for instance—use updated versions of vintage techniques to infect systems, but many others make full use of the new opportunities that web-based scripting and application hosting present.

Stillothers open “backdoors” into desktopsystemsor create securityholes in a way th at closely resembles a deliberate a ttempt at network penetration, rather than the more random mayhem that most viruses tend to leave in their wakes.

The latest Dr Solomon’s Anti-Virus releases, as a consequence, do not simply wait for viruses to appear on your system, they scan proactively at the source or work to deflect hostile agents away from your system. The WinGuard scanner that comes with Dr Solomon’s Anti-Virus has three modules that concentrate on agents that arrive from the Internet, that spread via e-mail, or that lurk on Internet sites. It can look for particular Java and ActiveX objects that pose a threat, or block access to dangerous Internet sites. Meanwhile, an E-Mail Scan extension to Microsoft Exchange e-mail clients, such as Microsoft Outlook, can “x-ray” your mailbox on the server, looking for malicious agents before they arrive on your desktop.

Dr Solomon’s Anti-Virus even protects itself against attempts to use its own functionality against your computer. Some virus writers embed their viruses inside documents that, in turn, theyembed in other files in an attempt to evade detection. Still others take this technique to an absurd extreme, constructing highly recursive—and very large—compressed archive files in an attempt to tie up the scanner as it digs through the file looking for infections. Dr Solomon’s Anti-Virus accurately scans themajority of popular compressed file and archive file formats, but it also includes logic that keeps it from getting trapped in an endless hunt for a virus chimera.

What comes with Dr Solomon’sAnti-Virus?

Dr Solomon’s Anti-Virus consists of several components that combine one or more related programs, each of which play a part in defending your computer against viruses and other malicious software. The components are:

User’s Guide 33

Page 34

About Dr Solomon’sAnti-Virus

• The Dr Solomon’s Anti-Virus application. This component gives you

unmatched control over your scanning operations.You can configure and start a scan operation at any time—a feature known as “on-demand” scanning— specify local and network disks as scan targets, tell the application how to respond to any infections it finds, and see reports on its actions. You can start with the Dr Solomon’s Anti-Virus Classic window, a basic configuration mode, then move to the Dr Solomon’s Anti-Virus Advanced mode for maximum flexibility. A related Windows shell extension lets you right-click any object on your system to scan it. See

“Using the Dr Solomon’s Anti-Virus application” on page 175 for details.

• The Dr Solomon’s Anti-Virus Console. This component allows you to

create, configure and run Dr Solomon’s Anti-Virus tasks at times you specify. A “task” can include anything from running a scan operation on a set of disks at a specific time or interval, to running an update or upgrade operation. You can also enable or disable the WinGuard scanner from the Console window.

The Console comes with a preset list of tasks that ensures a minimal level ofprotectionfor your system—youcan,forexample,immediatelyscanand clean your C: drive or all disks on your computer. See “Creating and

Configuring Scheduled Tasks” on page 209 for details.

• The WinGuard scanner. This component gives you continuous anti-virus

protection from viruses that arrive on floppy disks, from your network, or from various sources on the Internet. The WinGuard scanner starts when you start your computer, and stays in memory until you shut down. A flexible set of property pages lets you tell the scanner which parts of your system to examine, what to look for, which parts to leave alone, and how to respond to any infected files it finds. In addition, the scanner can alert you when it finds a virus, and can generate reports that summarize each of its actions.

The WinGuard scanner comes with three other specialized modules that guard against hostile Java applets and ActiveX controls, that scan e-mail messages and attachments that you receive from the Internet via Lotus cc:Mail, Microsoft Mail or other mail clients that comply with Microsoft’s MessagingApplication Programming Interface (MAPI) standard, and that block access to dangerous Internet sites. Secure password protection for your configuration options prevents others from making unauthorized changes. The same convenient dialog box controls configuration options for all WinGuard modules. See “Using the WinGuard Scanner” on page 95 for details.

34 Dr Solomon’sAnti-Virus

Page 35

About Dr Solomon’sAnti-Virus

• The E-Mail Scan extension. This component allows you to scan your

Microsoft Exchange or Outlook mailbox, or public folders to which you have access, directly on the server. This invaluable “x-ray” peek into your mailbox means that Dr Solomon’s Anti-Virus can find potential infections before they make their way to your desktop, which can stop a Melissa-like virus in itstracks. See “Scanning Microsoft Exchange and Outlook mail” on

page 277 for details.

• A cc:Mail scanner. This component includes technology optimized for

scanning Lotus cc:Mail mailboxes that do not use the MAPI standard. Install and use this component if your workgroup or network uses cc:Mail v8.x or earlier. See “Choosing Detection options” on page 128 for details.

• The Alert Manager Client configuration utility. This component lets you

choose a destination for Alert Manager “events” that Dr S olomon’s Anti-Virus generates when it detects a virus or takes other noteworthy actions. You can also specify a destination directory for older-style CentralizedAlerting messages, or supplement either metho d with Desktop Management Interface (DMI) alerts sent via your DMI client software. See

“Using the Alert Manager Client Configuration utility” on page 306 for

details.

• The ScreenScan utility. This optional component scans your computer as

your screen saver runs during idle periods. See “Using the ScreenScan

utility” on page 294 for details.

• The SendVirus utility. This component gives you an easy and painless

way to submit files that you believe are infected directly to Dr Solomon’s anti-virus researchers. A simple wizard guides you as you choose files to submit, include contact details and, if you prefer, strip out any personal or confidential data from document files. See “Using the SendVirus utility to

submit a file sample” on page 87 for details.

• The Emergency Disk creation utility. This essential utility helps you to

create a floppy disk that you can use to boot your computer into a virus-free environment, then scan essential system areas to remove any viruses that could load at startup. See “Using the Emergency Disk Creation

utility” on page 57 for details.

• Command-line scanners. This component consists of a set of full-featured

scanners you can use to run targeted scan operations from the MS-DOS Prompt or Command Prompt windows, or from protected MS-DOS mode. The set includes:

– FINDVIRU.EXE, a scanner for 32-bit environments o nl y. T his is the

primary command-line interface. When you run this file, it first checks its environment to see whether it can run by itself. If your computer is running in 16-bit or protected mode, it will transfer control to one of the other scanners.

User’s Guide 35

Page 36

About Dr Solomon’sAnti-Virus

– SCANPM.EXE, a scanner for 16- and 32-bit environments. This

– SCAN86.EXE, a scanner for 16-bit environments only. This scanner

– BOOTSCAN.EXE, a smaller, specialized scanner for use primarily

scanner provides you with a full set of scanning options for 16- and 32-bit protected-mode DOS environments. It also includes support for extended memory and flexible memory allocations. FINDVIRU.EXE will transfer control to this scanner when its capabilities can enable your scan operation to run more efficiently.

includes a limited set of capabilities geared to 16-bit environments. FINDVIRU.EXE will transfer control to this scanner if your system runs in 16-bit mode, but without special memory configurations.

with the Emergency Disk utility. This scanner ordinarily runs from a floppy disk you create to provide you with a virus-free boot environment.

When you run the Emergency Disk creation wizard, Dr Solomon’s Anti-Virus copies BOOTSCAN.EXE, and a specialized set of .DAT files to a single floppy disk. BOOTSCAN.EXE will not detect or clean macro viruses, but it will detect or clean other viruses that can jeopardize your Dr Solomon’s Anti-Virus installation or infect files at system startup. Once you identify and respond to those viruses, you can safely run Dr Solomon’sAnti-Virusto clean the rest of your system.

All of the command-line scanners a llow you to initiate targeted scan operations from an MS-DOS Prompt or Command Prompt window, or from protected MS-DOS mode. Ordinarily, you'll use the Dr Solomon’s Anti-Virus application's graphical user interface (GUI) to perform most scanning operations, but if you have trouble starting Windows or if the Dr Solomon’s Anti-Virus GUI components will not run in your environment, you can use the command-line scanners as a backup.

• Documentation. Dr Solomon’s Anti-Virus documentation includes:

–AprintedGetting Started Guide, which introduces the product,

36 Dr Solomon’sAnti-Virus

provides installation instructions, outlines how to respond if you suspect your computer has a virus, and provides a brief product overview. The printed Getting Started Guide comes with the Dr Solomon’s Anti-Virus copies distributed on CD-ROM discs—you can also download it as VSC45WGS.PDF from Network Associates website or from other electronic services.

Page 37

About Dr Solomon’sAnti-Virus

– Thisuser’sguidesavedontheDrSolomon’sAnti-VirusCD-ROM

or installed on your hard disk in Adobe Acrobat .PDF format. You can also download it as VSC45WUG.PDF from Network Associates website or from other electronic services. The Dr Solomon’s Anti-Virus User’s Guide describes in detail how to use Dr Solomon’s Anti-Virus and includes other information useful as background or as advanced configuration options. Acrobat .PDF files are flexible online documents that contain hyperlinks, outlines and other aids for easy navigation and information retrieval.

– An administrator’s guide saved on the Dr Solomon’s Anti-Virus

CD-ROM or installedon your hard disk in Adobe Acrobat .PDF format. You can also download it as VSC45WAG.PDF from Network Associates website or from other electronic services. The Dr Solomon’s Anti-Virus Administrator’s Guide describes in detail how to manage and configure Dr Solomon’s Anti-Virus from a local or remote desktop.

– An online help file. This file gives you quick access to a full range of

topics that describe Dr Solomon’s Anti-Virus. You can open this file either by choosing Help Topics from the Help menu in the Dr Solomon’sAnti-Virus main window, or by clicking any of the Help buttons displayed in Dr Solomon’s Anti-Virus dialog boxes.

The help file also includes extensive context-sensitive—or “What's This”—help. To see these help topics, right-click buttons, lists, icons, some text boxes, and other elements that you see within dialog boxes. You canalso click the ? symbolatthetop-rightcornerinmost dialog boxes, then click the element you want to see described to display the relevant topic. The dialog boxes with Helpbuttons open the help file to the specific topic that describes the entire dialog box.

– A LICENSE.TXT file. This file outlines the terms of your license to

use Dr Solomon’s Anti-Virus. Read it carefully—by installing Dr Solomon’s Anti-Virus you agree to its terms.

– A README.TXT file. This file contains last-minute additions or

changes to the documentation, lists any known behavior or other issues with the product release, and often describes new product features incorporated into incremental product updates. You’ll find the README.TXT file at the root level of your Dr Solomon’s Anti-Virus CD-ROM or in the Dr Solomon’s Anti-Virus program folder—you can open and print it from Windows Notepad, or from nearly any word-processing software.

User’s Guide 37

Page 38

About Dr Solomon’sAnti-Virus

What’s new in this release?

This Dr Solomon’s Anti-Virus release introduces a number of innovative new features to the product’s core functionality, to its range of coverage, and to the details of its application architecture. A previous section, “How does Dr

Solomon’s Anti-Virus work?” on page 31, discusses many of these features.

Thesingle most significantchange betweenprevious DrSolomon’s Anti-Virus versions and this release, however, is the integration of two separate Dr Solomon’sAnti-VirusversionsoptimizedtorunonseparateWindows platforms into a single product that runs on both. This single product also takes full advantage of each platform’s strengths.

The next sections discuss other changes that this Dr Solomon’s Anti-Virus release introduces.

Installation and distribution features

Dr Solomon’s anti-virus products, including Dr Solomon’s Anti-Virus, now use the Microsoft Windows Ins taller (MSI), which comes with all Windows 2000 Professional systems. This Setup utility offers a wealth of custom installation and configuration features that make Dr Solomon’s Anti-Virus rollout across large organizations mu ch easier and more intuitive. To learn more about how to run custom Setup operations with MSI, see Chapter 2,

“Installing Dr Solomon’s Anti-Virus” in the Dr Solomon’s Anti-Virus

Administrator’s Guide. ThisDrSolomon’sAnti-Virusversionalsocomeswithcompletesupportfor

the Network Associates ePolicy Orchestrator software distribution tool. A specially packaged Dr Solomon’s Anti-Virus version ships with the ePolicy Orchestrator software, ready for enterprise-wide distribution. You can distribute DrSolomon’s Anti-Virus, configure it from the ePolicy Orchestrator console, update that configuration and any program or .DAT files at any time, and schedule scan operations, all for your entire network user base. To learn more about using ePolicy Orchestrator software for Dr Solomon’s Anti-Virus distribution and configuration, consult the ePolicy Orchestrator Administrator’s Guide.

This Dr Solomon’s Anti-Virus version also includes package description information for other distribution tools, including Microsoft System Management Server and Tivoli Systems software management products.

38 Dr Solomon’sAnti-Virus

Page 39

About Dr Solomon’sAnti-Virus

Interface enhancements

This release moves the Dr Solomon’s Anti-Virus interface for all supported platforms solidly into the territory Dr Solomon’s Anti-Virus for Windows 95 and Windows 98. This adds extensive WinGuard scanner configuration options for the Windows NT Workstation v4.0 and Windows 2000 Professional platforms, while reducing the complexity of some previous configuration options. Alert Manager server configuration, for example, moves entirely over to the NetShield product line—Dr Solomon’s Anti-Virus now acts strictly as a configurable client application.

This release also adds a new Dr Solomon’s Anti-Virus control panel, which functions as a central point from which you can enable and disable all Dr Solomon’s Anti-Virus components. This control panel also lets you set a ceiling for the number of items you can scan in or exclude from a single operation, and can set the WinGuard scanner and Dr Solomon’s Anti-Virus control panel to run at startup. Other changes include:

• New WinGuard system tray icon states tell you more about which WinGuard modules are active. These states are:

–AllWinGuardmodulesareactive – The System Scan module is active, but one or more of the other

WinGuardmodulesisinactive

– The System Scan module i s inactive, but one or more of the other

WinGuardmodulesisactive

– All WinGuard modules are inactive

• New interface settings for task configuration allow you to tell the Dr Solomon’s Anti-Virus application how you want it to appear as your scheduledtaskrunsandwhatyouwantittodowhenitfinishes.Youcan also set a password to protect individual task settings from changes, or to protect an entire task configuration at once.

• An updated randomization feature for scheduled tasks allows you to set a time for the task to run, then set a randomization “window.” The Dr Solomon’sAnti-VirusConsolethenpicksarandomtimewithinthe window to actually start the task.

• System Scan module action options now include a new Prompt Type configuration option for Windows 95 and Windows 98 systems. This option lets you determine how the Prompt for user action alert appears.

User’s Guide 39

Page 40

About Dr Solomon’sAnti-Virus

Changes in product functionality

• A new Alert Manager Client configuration utility allows you to choose an Alert Manager server installed on your network as an alert message destination, or to select a network share as a destination for Centralized Alerting messages. You can also supplement either of these alert methods with Desktop Management Interface alert messages.

• The Alert Manager server supports Intel Pentium III processor serial numbers to identify individual machines for virus notification. For more information about Intel processor serial numbers, consult the Intel FAQ at

http://support.intel.com/support/processors/pentiumiii/psqa.htm.

New update options for your Dr Solomon’sAnti-Virus

Even with the majority of the virus definitions it requires now incorporated directly into its engine in generic routines, Dr Solomon’s Anti-Virus still requires regular .DAT file updates to keep pace with the 200 to 300 new virusesthatappeareachmonth.Tomeetthisneed,DrSolomon’sSoftwarehas incorporated updatingtechnology in Dr Solomon’sAnti-Virus from its earliest incarnations. With this release,that technology takes a quantum leap forward with incremental .DAT file updating.

Incremental .DAT files are small packages of virus definition files that collect data from a certain range of .DAT file r eleases. The latest versions of the AutoUpdate and AutoUpgrade utilities come with transparentsupport forthe new updates, downloading and installing only those virus definitions you don’t already have installed on your system. This means a substantial reduction in download and rollout time, along with similar reductions in network bandwidth demand.

40 Dr Solomon’sAnti-Virus

Page 41

2Installing Dr Solomon’s

Anti-Virus

Before you begin

Dr Solomon’s Software distributes Dr Solomon’s Anti-Virus in two ways: 1) as an archived file that you can download from the Network Associates website; and 2) on CD-ROM. Although the method you use t o transfer Dr Solomon’s Anti-Virus files from an archive you download differs from the method you use to transfer files from a CD-ROM you place in your CD-ROM drive, the installation steps you follow after that are the same for both distribution types. Review the system requirements to verify that Dr Solomon’s Anti-Virus will run on your system, then move to “Preparing to install Dr Solomon’s

Anti-Virus” on page 42.

System requirements

Dr Solomon’s Anti-Virus will install and run on any IBM PC or PC-compatible computer equipped with:

• A processor equivalent to at least an Intel Pentium-class or compatible processor. Dr Solomon’s Software recommends an Intel Pentium processor or Celeron processor running at a minimum of 166 MHz.

• A CD-ROM drive. If you downloaded your copy of Dr Solomon’s Anti-Virus,thisisanoptionalitem.

• At least 40MB of free hard disk space for a full installation. Dr Solomon’s Software recommends 75MB.

• At least 16MB of free random-access memory (RAM). Dr Solomon’s Software recommends at l east 20MB.

• MicrosoftWindows 95, Windows 98, Windows NT Workstationv4.0 with Service Pack 4 or later, or Windows 2000 Professional. Dr Solomon’s Software recommends that you also have Microsoft Internet Explorer v4.0.1 or later installed, particularly if your system runs any Windows 95 version.

User’s Guide 41

Page 42

Installing Dr Solomon’sAnti-Virus

Other recommendations

To take full advantage of Dr Solomon’s Anti-Virus’s automatic update features, you should have an Internet connection, either through your local-area network, or via a high-speed modem and an Internet service provider.

Preparing to install Dr Solomon’sAnti-Virus

Note which type of Dr Solomon’s Anti-Virus distribution you have, then follow the corresponding steps to prepare your files for installation.

• If you downloaded your copy of Dr Solomon’s Anti-Virus from the Network Associates website, from a server on your local network, or from another electronic service, make a new, temporary folder on your hard disk, then use WinZip, PKZIP, or a similar utility to extract the Dr Solomon’s Anti-Virus installation files to that temporary folder. You can download the necessary utilities from most online services.

IMPORTANT: If you suspect that your computer has a virus, download the Dr Solomon’s Anti-Virus installation files onto a computer that is not infected. Install the copy onto the uninfected computer,thenusetheEmergencyDiskutilitytomakeadiskthat you can use to boot the infected computer and remove the virus. To learn more, see “If you suspect you have a virus...” on page 69.

• If your copy of Dr Solomon’s Anti-Virus came on a CD-ROM, insert that disc into your computer’s CD-ROM drive.

If you inserted a CD-ROM, you should see a Dr Solomon’s Anti-Virus welcome image appear automatically. To install Dr Solomon’s Anti-Virus immediately, click Install,thenskiptoStep 4 on page 45 to continue with Setup. If the welcome image does not appear, or if you are installing Dr Solomon’s Anti-Virus from files you downloaded, start with Step 2 on page 43.

IMPORTANT: Because Setup installs some Dr Solomon’s Anti-Virus files as services on Windows NT Workstation v4.0 and Windows 2000 Professional systems, you must log in to your system with Administrator rights to install this product. To run Setup on Windows 95 or Windows 98, you do not need to log in with any particular profile or rights.

42 Dr Solomon’sAnti-Virus

Page 43

Installation options

The “Installation steps”section describes how to install Dr Solomon’s Anti-Virus with its most common options on a single computer or workstation. You can choose to do a Typical setup—which installs commonly used Dr Solomon’s Anti-Virus components but leaves out some WinGuard modules and the ScreenScan utility—or you can choose to do a Custom setup, which gives you the option to install all Dr Solomon’s Anti-Virus components.

To learn how to install Dr Solomon’s Anti-Virus on more than one computer at a time, or to modify your installation to implement a corporate anti-virus policy, see the Dr Solomon’s Anti-Virus Administrator’sGuide,which describes how to install and configure Dr Solomon’s Anti-Virus to meet nearly any business contingency. You can also use Network Associates ePolicy Orchestrator software to distribute and configure Dr Solomon’s Anti-Virus on thousands of network desktop computers. See the ePolicy Orchestrator Administrator’s Guide for details.

Installation steps

Dr Solomon’s Software recommends that you first quit all other applications you have running on your system before you start Setup. Doing so reduces the possibility that software conflicts will interfere with your installation.

Installing Dr Solomon’sAnti-Virus

To install Dr Solomon’s Anti-Virus, follow these steps:

1. If your computer runs Windows NT Workstationv4.0 or Windows 2000 Professional, log on to your system as Administrator. You must have administrative rights to install Dr Solomon’s Anti-Virus on your system.

2. Choose Run from the Start menu in the Windows taskbar. The Run dialog box will appear (Figure 2-1).

Figure 2-1. Run dialog box

3. Type <X>:\SETUP.EXE in the text box provided, then click OK.

User’s Guide 43

Page 44

Installing Dr Solomon’sAnti-Virus

Here, <X> represents the drive letter for your CD-ROM drive or the path to the folder that contains your extracted Dr Solomon’s Anti-Virus files. To search for the correct files on your hard disk or CD-ROM, click Browse.

 NOTE: If your Dr Solomon’s Anti-Virus copy came on an Active

Virus Defense or a Total Virus Defense CD-ROM, you must also specify which folder contains the Dr Solomon’s Anti-Virus.

Before it continues with the installation, Setup first checks to see whether your computer already has version 1.1 of the Microsoft Windows Installer (MSI) utility running as part of your system software.

If your computer runs Windows 2000 Professional, this MSI version alreadyexists on your s ystem. If your computer runs an earlier Windows release, you might still have this MSI version on your system if you previously installed other software that uses MSI. In either of these cases, Setup will display its first wizard panel immediately. Skip to Step 4 to continue.

If Setup does not find MSI v1.1 on your computer, it installs files it needs to continue the installation, then prompts you to restart your computer. Click Restart System. For a list of circumstances in which Setup or system upgrades require you to reboot your system, see “Determining

when you must restart your computer” on page 62.

When your computer restarts, Setup will continue from where it left off. The Setup welcome panel will appear (Figure 2-2).

44 Dr Solomon’sAnti-Virus

Figure 2-2. Setup welcome panel

Page 45

Installing Dr Solomon’sAnti-Virus

4. This first panel tells you where to locate the README.TXT file, which describesproduct features, lists anyknown issues, andincludes the latest available product information for this Dr Solomon’s Anti-Virus version. When you have read the text, click Next> to continue.

5. The next wizard panel displays the Dr Solomon’s Anti-Virus end-user license agreement. Read this agreement carefully—if you install Dr Solomon’s Anti-Virus, you agree to abide by the terms of the license.

If you do not agree to the license terms, select I do not agree to the terms of the License Agreement, then click Cancel. Setup will quit immediately. Otherwise, click I agree to the terms of the License Agreement, then click Next> to continue.

SetupnextcheckstoseewhetherpreviousDrSolomon’sAnti-Virus versions or incompatible software exists on your computer. If you have no other anti-virus software or any previous Dr Solomon’s Anti-Virus versions on your system, it will display the Security Type or the Setup Type panel (see Step 2-5 on page 47 or Figure2-6 on page 48). Skip to Step

8onpage47to continue.

If Setup discovers an earlier Dr Solomon’s Anti-Virus version on your system, it will tell you that it must remove that earlier version. If your computer runs Windows 95 or Windows 98, Setup also gives you the option to preserve the WinGuardconfiguration settings you chose for the earlier version (Figure 2-3).

If your computer runs Windows NT Workstationv4.0 or Windows 2000 Professional, Setup will remove the previous Dr Solomon’s Anti-Virus version, but will not preserve any previous WinGuard scanner settings.

Figure 2-3. Previous Version Detected panel

User’s Guide 45

Page 46

Installing Dr Solomon’sAnti-Virus

6. Select Preserve On Access Settings, if the option is available, then click Next> to continue.

If Setup finds incompatible software, it will display a wizard panel that gives you the option to remove the conflicting software(see Figure 2-4 on

page 46).

Ifyouhavenoincompatiblesoftwareonyoursystemandyourcomputer runs Windows 95 or Windows 98, skip to Step 9 on page 48 to continue with the installation. If you have no incompatible software and your system runs Windows NT Workstation v4.0 or Windows 2000 Professional, skip to Step 8 on page 47 to continue. Otherwise, continue with Step 7.

7. Select the checkbox shown, then click Next>. Setup will start the uninstallation utility that the conflicting software normally uses, and allow it to remove the software. The uninstallation utility might tell you that you need to restart your computer to completely remove the other software.You do not need to do so to continue with your Dr Solomon’s Anti-Virus installation—so long as the other software is not active, Setup can continue without conflicts.

 NOTE: Dr Solomon’s Software strongly recommends that you

46 Dr Solomon’sAnti-Virus

Figure 2-4. Incompatible software panel

remove incompatible software. Because most anti-virus software operates at a very low level within your system, two anti-virus programs that compete for access to the same files or that perform critical operations can make your system very unstable.

Page 47

Installing Dr Solomon’sAnti-Virus

If your computer runs Windows NT Workstationv4.0 or Windows 2000 Professional, Setup next asks you which security mode you want to use to run Dr Solomon’s Anti-Virus on your system (see Figure 2-5 on page

47).

The options in this panel govern whetherotherswho use your computer can make changes to the configuration options you choose, can schedule and run tasks, or can enable and disable Dr Solomon’s Anti-Virus components. Dr Solomon’s Anti-Virus includes extensive security measures to ensure that unauthorized users cannot make any changes to software configurations in Maximum Security mode. The Standard Security mode allows all users to have access to all configuration options.

Either option you choose here will install the same Dr Solomon’s Anti-Virus version, with the same configuration options, and with the same scheduled tasks for all system users.

Figure 2-5. Security Type panel

8. Select the security mode you prefer. Your choices are:

• Use Maximum Security. Select this option to require users to h ave

Administrator rights to your computer in order to change any configuration options, to enable or disable any Dr Solomon’s Anti-Virus component, or to configure and run scheduled tasks.

User’s Guide 47

Page 48

Installing Dr Solomon’sAnti-Virus

Users who do not have administrative rights may still configure and run their own scan operations with the Dr Solomon’s Anti-Virus application and save settings for those operations in a .VSC file, but they cannot change default Dr Solomon’s Anti-Virus application settings. To learn more about how to configure and save Dr Solomon’s Anti-Virus application settings, see Chapter 5, “Using

the Dr Solomon’s Anti-Virus application.”

• UseStandard Security.Select this option to give any user who logs

into your computer the ability to change any configuration option, enable or disable and Dr Solomon’s Anti-Virus component, or schedule and run any task.

Setup next asks you to choose a Typical or a Custom setup for this computer (see Figure 2-6 on page 48).

9. Choose the Setup Type you prefer. Your choices are:

• Typical Installation. This option installs a basic component set that

48 Dr Solomon’sAnti-Virus

Figure 2-6. Setup Type panel

includes:

– the Dr Solomon’s Anti-Virus application, and application

extensions that allow you to right-click any object on your hard

disk to start a scan operation – the Dr Solomon’s Anti-Virus Console – the WinGuard System Scan module – the Alert Manager Client configuration utility

Page 49

Installing Dr Solomon’sAnti-Virus

– the Send Virus utility – the Emergency Disk utility – the Dr Solomon’s Anti-Virus Command Line scanner software

• Custom Installation.This option starts with the same components

as the Typical setup, but allows you to choose from among these additional items:

– The WinGuard E-Mail Scan, Download Scan, and Internet

Filter modules – The ScreenScan utility

To learn more about what each component does, see “What comes with

Dr Solomon’s Anti-Virus?” on page 33.

10. Choose the option you prefer, then click Next> to continue. If you chose Custom Setup, you’ll see the panel shown in Figure 2-7.

Otherwise, skip to Step 13 on page 51 to continue with your installation.

Figure 2-7. Custom Setup panel

11. Choose the Dr Solomon’s Anti-Virus components you want to install. You can:

User’s Guide 49

Page 50

Installing Dr Solomon’sAnti-Virus

• Add a component to the installation. Click beside a

componentname, then choose Thisfeature will be installedon local hard drive from the menu that appears. To add a component and any related modules within the component, choose

hard drive instead. You can choose this option only if a component has related modules.

• Remove a component from the installation. Click beside a

component name, then choose This feature will not be available from the menu that appears.

 NOTE: The Dr Solomon’s Anti-Virus Setup utility does not

You can also specify a different disk and destination directory for the installation. Click Change, then locate thedrive or directoryyou want to use in the dialog box that appears. To see a summary of Dr Solomon’s Anti-Virus disk usage requirements relative to your available hard disk space, click Disk Usage. The wizard will highlight disks that have insufficient space.

This feature, and all subfeatures, will be installed on local

support the other options shown in this menu. You may not install Dr Solomon’s Anti-Virus components to run from a network,and Dr Solomon’sAnti-Virushasno componentsthat you can install on an as-needed basis.

12. When you have chosen the components you want to install, click Next> to continue.

Setup will show you a wizard panel that confirms its readiness to begin installing files (Figure 2-8).

50 Dr Solomon’sAnti-Virus

Page 51

Installing Dr Solomon’sAnti-Virus

Figure 2-8. Ready to Install panel

13. Click Install to begin copying files to your hard drive. Otherwise, click <Back to change any of the Setup options you chose.

SetupfirstremovesanypreviousDrSolomon’sAnti-Virusversionsor incompatible software from your system, then copies Dr Solomon’s Anti-Virus program files to your hard disk. When it has finished, it displays a panel that asks if you want to configure the product you installed (Figure 2-9).

Figure 2-9. Completing Setup panel

14. At this point, you can:

User’s Guide 51

Page 52

Installing Dr Solomon’sAnti-Virus

• Finish your installation. Leave the Scan Memory for Viruses beforeConfiguring checkbox clear, then click Skip Configto finish

your installation. Setup will ask if you want to start the WinGuard scanner and the Dr Solomon’s Anti-Virus Console immediately.To do so, select the Start Dr Solomon’sAnti-Viruscheckbox, then click Finish. Your Dr Solomon’s Anti-Virus is ready for use.

 NOTE:If you had a previous Dr Solomon’s Anti-Virus version

• Choose configuration options for your installation. You can choose to scan your system, createan emergency disk, or update your virus definition files before you start the WinGuard scanner and the Dr Solomon’s Anti-Virus Console.

To do so, select the Scan Memory for Viruses before Configuring checkbox to have Setup start the Dr Solomon’s Anti-Virus application briefly to check your system memory. Next, click Configure.

installed on your computer, you must restart your system in order to start the WinGuard scanner. Setup will prompt you to restart your system.

Setup will start the Dr Solomon’s Anti-Virus application to examine your system memory for viruses before it continues. If it finds an infection, it will alert you and give you a chance to respond to the virus. To learn about your options, see Chapter 3, “Removing Infections From Your

System.” If it finds nothing, the application will flash briefly as it scans

your system, then Setup will display the first of two configuration panels (Figure 2-10).

52 Dr Solomon’sAnti-Virus

Page 53

Installing Dr Solomon’sAnti-Virus

Figure 2-10. Configuration panel

15. If your computer runs Windows 95 or Windows 98, you can choose any of the configuration options shown here. These are:

• Scan boot record a t startup. Select this checkbox to have Setup

write these lines to your Windows AUTOEXEC.BAT file:

C:\PROGRA~1\NETWOR~1\DRSOLO~1\FINDVIRU.EXE C:\ @IF ERRORLEVEL 1 PAUSE

This tells your system to start the Dr Solomon’s Anti-Virus Command Line scanner when your system starts. The scanner, in turn, will pause if it detects a virus on your system so that you can shutdown and use the Dr Solomon’sAnti-VirusEmergencyDiskto restart.

• Create Emergency Disk. This option is active by default. It tells

Setup to depart from its normal sequence to start the Emergency Disk creation utility. The creation utility formats and copies a scanner and support files onto a bootable floppy disk you can use to start your system in a virus-free environment. You can use this disk to scan portions of your hard disk for viruses. After the utility creates the disk, it returns to the regular Setup sequence. Clear this checkbox to skip the Emergency Disk creation. You can start the utility at any time after installation.

User’s Guide 53

Page 54

Installing Dr Solomon’sAnti-Virus

• Run Default Scan for Viruses after Installation.Thisoptionis

active by default. The option tells Setup to finish the installation, then to run the Dr Solomon’s Anti-Virus application immediately afterwards to scan your entire startuppartition. The application will alertyouifitfindsanyvirusesonthispartition,butotherwisewill quit without any further notice. Clear this checkbox to skip this scan operation.

 NOTE:If you told Setup to remove any previous Dr Solomon’s

If your computer runs Windows NT Workstation v4.0 or Windows 2000 Professional, you may not choose Scan boot record at startup,butyou may choose either of the other options. Neither Windows NT Workstation nor Windows 2000 permitsoftware to scan or make changes to hard disk boot sectors or master boot records. Also, these operating systems do not use an AUTOEXEC.BAT file for system startup.

16. When you have chosen the options you want, click Next> to continue.

Anti-Virus versions from your system, it will run the scan operation after it restarts your computer. The Dr Solomon’s Anti-Virus application will appear immediately after startup.

If you selected the Create Emergency Disk option, the Emergency Disk creation wizard starts immediately. To learn how to use this utility, see

“Using the Emergency Disk Creation utility” on page 57.

After the utility creates an Emergency Disk, it will return to this point in the Setup sequence. To bypass the Emergency Disk utility once it starts, click Cancel when you see its first screen.

Setup will display a second configuration panel that gives you the option to update your virus definition files or to configure the AutoUpdate utility for future update operations (see Figure 2-11 on page 55).

54 Dr Solomon’sAnti-Virus

Page 55

Installing Dr Solomon’sAnti-Virus

Figure 2-11. Update Virus Definition Files panel

17. Choose the update option you prefer. You can:

• Run AutoUpdate Now.ThisoptionusesdefaultAutoUpdate

configuration options to connect directly to the Network Associates website and download the latest incremental .DAT file updates. Select this option if your company has not designated a location on your network as an update site, and if you do not need to configure proxy server or firewall settings. Th is ensures that any scan operation you run uses current files.

• Configure AutoUpdate Now. This option opens the Automatic

Update dialog box, where you can add or configure an update site from which to download new files. Select this option if your company has designated a server for .DAT file updates somewhere on your network, or if you want to change some aspect of how your computer connects to the Network Associates website—firewall or proxyserversettings,forexample.

To learn more about how to configure the AutoUpdate utility, see

“Configuring update options” on page 258.

• Wait and Run AutoUpdate Later. This option skips the update

operation altogether. You can configure and schedule an AutoUpdate task to download new .DAT files at any later time. To learn how to schedule a task, see Chapter 6, “Creating and

Configuring Scheduled Tasks.”

18. When you have chosen the option you want, click Next>.

User’s Guide 55

Page 56

Installing Dr Solomon’sAnti-Virus

If you chose to run an AutoUpdate operation immediately, the utility will connect to the Network Associates website to download new incremental .DAT files. After it finishes, the Setup sequence will resume.

If you chose to configure the AutoUpdate utility, the Automatic Update dialog box will appear. Choose your configurationoptions, then click Update Now to start an immediate update operation, or click OK to save the options you chose.

Setup next displays its final panel and asks if you want to start the WinGuard scanner and the Dr Solomon’s Anti-Virus Console immediately (Figure 2-12).

19. To do so, select the Start Dr Solomon’sAnti-Viruscheckbox, then click Finish. The Dr Solomon’s Anti-Virus “splash screens” will appear, and the WinGuard scanner and Dr Solomon’s Anti-Virus Console icons will appear in the Windows system tray. Your software is ready for use.

 NOTE: If you had a previous Dr Solomon’s Anti-Virus version

56 Dr Solomon’sAnti-Virus

Figure 2-12. Successful Installation panel

installed on your computer, you must restart your system in order to start the WinGuard scanner. Setup will prompt you to restart your system.

Page 57

Installing Dr Solomon’sAnti-Virus

Using the Emergency Disk Creation utility

If you choose to create an Emergency Disk during installation, Setup will start the Emergency Disk wizard in the middle of the Dr Solomon’s Anti-Virus installation, then will return to the Setup sequence when it finishes. To learn how to create an Emergency Disk, begin with Step 1 on page 58.Youcanalso start the Emergency Disk wizard at any point after you install Dr Solomon’s Anti-Virus.

 NOTE: Network Associates strongly recommends that you create an

EmergencyDiskduringinstallation,butthatyoudosoafterDr Solomon’s Anti-Virus has scanned your system memory for viruses. If Dr Solomon’s Anti-Virus detects a virus on your system, do not create an EmergencyDiskontheinfectedcomputer.

The Emergency Disk you create includes BOOTSCAN.EXE, a specialized, small-footprint command-line scanner that can scan your hard disk boot sectors and Master Boot Record (MBR). BOOTSCAN.EXE works with a specialized set of .DAT files that focus on ferreting out boot-sector viruses. If you have already installed Dr Solomon’s Anti-Virus with default Setup options, you can find these .DAT files in this location on your hard disk:

C:\Program Files\Common Files\Network Associates\Dr Solomon’s Anti-Virus Engine\4.0.xx

The special .DAT files have these names:

• EMCLEAN.DAT

•EMNAMES.DAT

•EMSCAN.DAT Dr Solomon’s Software periodically updates these .DAT files to detect new

boot-sector viruses. You can download updated Emergency .DAT files from this location:

http://www.nai.com/asp_set/anti_virus/avert/tools.asp

 NOTE:Dr Solomon’s Software recommends that you download new

Emergency .DAT files directly to a newly formatted floppy disk in order to reduce the risk of infection.

Because the wizard renames the files and prepares them for use when it creates your floppy disk, you may not simply copy them directly to an Emergency Disk that you create yourself. Use the creation wizard to prepare your Emergency Disk.

User’s Guide 57

Page 58

Installing Dr Solomon’sAnti-Virus

To start the wizard after installation, click Start in the Windows taskbar, point to Programs,thentoNetwork Associates.Next,chooseCreate Emergency Disk.

The Emergency Disk wizard welcome panel will appear (Figure 2-13).

Figure 2-13. Emergency Disk welcome panel

1. Click Next> to continue. The next wizard panel appears (Figure 2-14).

Figure 2-14. Second Emergency Disk panel

58 Dr Solomon’sAnti-Virus

Page 59

Installing Dr Solomon’sAnti-Virus

If your computer runs Windows NT Workstation or Windows 2000 Professional, the wizard tells you that it will format your Emergency Disk with the NAI-OS.

You must use these proprietary operating system files to create your Emergency Disk, because Windows NT Workstation v4.0 and Windows 2000 Professional system files do not fit on a single floppy disk.

If your computer runs Windows 95 or Windows 98, the wizard will offer to format your Emergency Disk either with the NAI-OS or with Windows startup files.

2. Ifthewizardoffersyouachoice,choosewhich operatingsystemfilesyou want to use, then click Next> to continue. Depending on which operating system you choose, the wizard displays a different panel next:

• If you chose to format your disk with the NAI-OS, the wizard displays an informational panel (Figure 2-15).

Figure 2-15. Emergency Disk informational panel

Follow these substeps to continue:

a. Insertanunlockedandunformatted1.44MBfloppydiskinto

your floppy drive, then click Next>. The Emergency Disk wizard will copy its files from a disk

image stored in the Dr Solomon’s Anti-Virus program directory. As it does so, it will display its progress in a wizard panel.

b. Click Finish to quit the wizard when it has created your disk.

User’s Guide 59

Page 60

Installing Dr Solomon’sAnti-Virus

Next, remove the disk from your floppy drive, lock it, label it Dr Solomon’s Anti-Virus Emergency Boot Disk and store it in a safe place.

• If you chose to format your disk with Windows system files, the wizard displays a panel that lets you choose whether to format your floppy disk (see Figure 2-16 on page 60).

Figure 2-16. Third Emergency Disk panel

Your choices are:

•Ifyouhaveavirus-free, formatted floppy disk that contains only DOS or Windows system files, insert it into your floppy drive. Next, select the Don’t Format checkbox, then click Next> to continue.

This tells the Emergency Disk wizard to copy only the Dr Solomon’s Anti-Virus Command Line component the emergency .DAT files, and support files to the floppy disk. Skip to Step 3 on page 61 to continue.

•Ifyoudonot have a virus-free floppy disk formatted with DOS or Windows system files, you must create one in order to use the EmergencyDisktostartyourcomputer.Followthesesubsteps:

a. Insert an unlocked and unformatted floppy disk into your

floppydrive.DrSolomon’sSoftwarerecommendsthatyou use a completely new disk that you have never previously formatted to prevent the possibility of virus infections on your EmergencyDisk.

b. Verify that the Don’tformatcheckbox is clear. c. Click Next>.

60 Dr Solomon’sAnti-Virus

Page 61

Installing Dr Solomon’sAnti-Virus

The Windows disk format dialog box appears (see Figure 2-17

on page 61).

Figure 2-17. Windows Format dialog box

d. Verify that the Full checkbox in the Format Type area and the

Copy system files checkbox in the Other Options area are

both selected. Next, click Start. Windows will format your floppy disk and copy the system

files necessary to start your computer.

e. Click Close whenWindowshas finishedformattingyourdisk,

then click Close again to return to the Emergency Disk panel.

3. Click Next> to continue. Setup will scan your newly formatted disk for

viruses (Figure 2-18).

Figure 2-18. Scanning Emergency Disk for viruses

User’s Guide 61

Page 62

Installing Dr Solomon’sAnti-Virus

If Dr Solomon’s Anti-Virus does not detect any viruses during its scan operation, Setup will immediately copy BOOTSCAN.EXE and its support files to the floppy disk you created. If Dr Solomon’s Anti-Virus does detect a virus, quit Setup immediately. See “If you suspect you have

a virus...” on page 69 to learn what to do next.

4. When the wizard finishes copying the Emergency Disk files, it displays the final wizard panel (Figure 2-19).

Figure 2-19. Final Emergency Disk panel

5. Click Finish to quit the wizard. Next, remove the new Emergency Disk from your floppy drive, label it, write-protect it, and store it in a safe place.

 NOTE: A locked or write-protected floppy disk shows two holes

near the edge of the disk opposite the metal shutter. If you don’t see two holes, look for a plastic sliding tab at one of the disk corners, then slide the tab until it locks in an open position.

Determining when you must restart your computer

In many circumstances, you can install and use this Dr Solomon’s Anti-Virus release immediately, without needing to restart your computer. In some cases, however, the Microsoft Installer (MSI) will need to replace or initialize certain files, or previous Dr Solomon’s Software product installations might require you to remove files in order for Dr Solomon’s Anti-Virus to run correctly. These requirements can also vary for each supported Windows platform.

In these cases, you will need to restart your system during the installation—usually to install MSI files—or after the installation itself.

62 Dr Solomon’sAnti-Virus

Page 63

Installing Dr Solomon’sAnti-Virus

To learn which circumstances require you to restart your computer, see Table

2-1.

Table 2-1. Circumstances that require you to restart your system

Circumstance

Installationon computer with no previous Dr Solomon’s Anti-Virus version and no incompatible software

Installation on computer with previous Dr Solomon’s Anti-Virus version

Installation on computer with incompatible software

Installation on a computer with Microsoft Installer (MSI) v1.0

NOTE: Microsoft Office 2000 installs this MSI version

Installation on a computer with Microsoft Installer v1.1

Windows 95 and Windows 98

No restart required, unless you have Novell Client32 for NetWare installed, then restart required

Restart required Restart required

No restart required, but Setup will ask if youwishtorestart. You can safely click

No.

Restart required after MSI files installed and before Setup can continue

No restart required, except on Windows 98 Second Edition systems, or if some drivers or .DLL files used

Windows NT and Windows 2000

Restart required

No restart required, but Setup will ask if youwishtorestart. You can safely click

No.

Restart required after MSI files installed and before Setup can continue

No restart required

.DAT file update No restart required No restart required Scan engine update via

Network Associates SuperDAT utility

Testing your installation

Once you install it, Dr Solomon’s Anti-Virus is ready to scan your system for infected files. You can verify that it has installed correctly and that it can properly scan for viruses with a test developed by the European Institute of Computer Anti-virus Research (EICAR), a coalition of anti-virus vendors, as a method for their customers to test any anti-virus software installation.

No restart required No restart required

User’s Guide 63

Page 64

Installing Dr Solomon’sAnti-Virus

To test your installation, follow these steps:

1. Open a standard Windows text editor, such as Notepad, then type this character string as one line, with no spaces or carriage returns:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUSTEST-FILE!$H+H*

 NOTE: Thelineshownaboveshouldappearasone line in your text

editorwindow,sobesuretomaximizeyourtexteditorwindowand delete any carriage returns. Also, be sure to type the letter O, not the number 0, in the “X5O...” that begins the test message.

If you are reading this manual on your computer, you can copy the line directly from the Acrobat .PDF file and paste it into Notepad. You can also copy this text string directly from the “Testing your installation” section of the README.TXT file, which you can find in your Dr Solomon’s Anti-Virus p rogram directory. If you copy the line from either of these sources, be sure to delete any carriage returns or spaces.

2. Save the file with the name EICAR.COM. The file size will be 69 or 70 bytes.

3. Start your Dr Solomon’s Anti-Virus and allow it to scan the directory that contains EICAR.COM. WhenDr Solomon’s Anti-Virus examines this file, it will report finding the EICAR-STANDARD-AV-TEST-FILE virus.

IMPORTANT:

other files, or otherwise harm your system. Delete the file when you have finished testing your installation to avoid alarming other users.

This file is

not a virus—

it cannot spread or infect

Modifying or removing your Dr Solomon’sAnti-Virus installation

The Microsoft Windows Installer version that Dr Solomon’s Anti-Virus uses also includes a standard method to modify or remove your Dr Solomon’s Anti-Virus installation.

To modify, or remove Dr Solomon’s Anti-Virus, follow these steps:

1. Click Start in the Windows taskbar, point to Settings, then choose Control Panel.

64 Dr Solomon’sAnti-Virus

Page 65

Installing Dr Solomon’sAnti-Virus

2. Locate and double-click the Add/Remove Programs control panel.

3. In the Add/Remove Programs Properties dialog box, choose Dr

Solomon’s Dr Solomon’s Anti-Virus v8.5.0 in the list, then click Add/Remove.

Setup will start and display the first Maintenance wizard panel (Figure

2-20).

Figure 2-20. First maintenance panel

4. Click Next> to continue. Setup displays the Program Maintenance wizard panel.

User’s Guide 65

Page 66

Installing Dr Solomon’sAnti-Virus

Figure 2-21. Program Maintenance panel

66 Dr Solomon’sAnti-Virus

Page 67

Installing Dr Solomon’sAnti-Virus

5. Choose whether to modify Dr Solomon’s Anti-Virus components or to remove Dr Solomon’s Anti-Virus from your system completely. Your choices are:

• Modify.Select this option to add or remove individual Dr

Solomon’s Anti-Virus components. Setup will display the Custom wizard panel (see Figure 2-7 on page 49). Start with Step 11 on page

49 to choose the components you want to add or remove.

 NOTE: This panel differs from the one shown on page 49:It

will not allow you to change your Dr Solomon’s Anti-Virus program directory, nor will it display disk usage statistics. To install Dr Solomon’s Anti-Virus in a different directory or on a different drive, you must first remove, then reinstall the software.

• Remove. Select this option to remove Dr Solomon’s Anti-Virus

from your computer completely. Setup will ask you to confirm that you want to remove the software from your system (Figure 2-22).

Figure 2-22. Remove the Program panel

Click Remove. Setup will display progress information as it deletes Dr Solomon’s Anti-Virus from your system. When it has finished, click Finish to close the wizard panel.

User’s Guide 67

Page 68

Installing Dr Solomon’sAnti-Virus

68 Dr Solomon’sAnti-Virus

Page 69

3Removing Infections

From Your System

If you suspect you have a virus...

First of all, don’t panic! Although far from harmless, most viruses that infect your machine will not destroy data, play pranks, or render your computer unusable. Even the comparatively rare viruses that do carry a destructive payload usually produce their nasty effects in response to a trigger event. In most cases, unless you actually see evidence of a payload that has activated, you will have time to deal with the infection properly. The very presence of these small snippets of unwanted computer code can, however, interfere with your computer’s normal operation, consume system resources and have other undesirable effects, so you should take them seriously and be sure to remove them when you encounter them.

A second idea to keep in mind is that odd computer behavior, unexplained system crashes, or other unpredictable events might have causes other than virus infections. If you believe you have a virus on your computer because of occurrences such as these, scanning for viruses mig ht not produce the results you expect, but it will help eliminate one potential cause of your computer problems.

The safest course of action you can take is to install Dr Solomon’s Anti-Virus, then scan your system immediately and thoroughly.

When you install Dr Solomon’s Anti-Virus, Setup starts the Dr Solomon’s Anti-Virus application to examine your computer’s memory and your hard disk boot sectors in order to verify that it can safely copy its files to your hard disk without risking their infection. If the application does not detect any infections, continue with the installation, then scan your system thoroughly as soon as you restart your computer. File-infector viruses that don’t load into your computer’s memory or hide in your hard disk boot blocks might still be lurking somewhere on your system. See Chapter 2, “Installing Dr Solomon’s

Anti-Virus,”to learn about virus scanning during setup. See Chapter 5, “Using the Dr Solomon’s Anti-Virus application,” to learn how to scan your system.

If the Dr Solomon’s Anti-Virus application detects a virus during Setup, you’ll need to remove it from your system before you install the program. To learn howtodoso,followthestepsthatbeginonpage 70.

IMPORTANT: To ensure maximum security, you should also follow these same steps if a Dr Solomon’s Anti-Virus component detects a virus in your computer’s memory at some point after installation.

User’s Guide 69

Page 70

Removing Infections From Your System

If Dr Solomon’s Anti-Virus found an infection during installation, follow these steps carefully:

1. Quit Setup immediately, then shut down your computer. Be sure to turn the power to your system off completely. Do not press

CTRL+ALT+DEL or reset your computer to restart your system—some viruses can remain intact during this type of “warm” reboot.

2. If you created a Dr Solomon’s Anti-Virus Emergency Disk during installation, or if your Dr Solomon’s Anti-Virus copy came with one, lock the disk, then insert it into your floppy drive.

 NOTE:If your Dr Solomon’s Anti-Virus copy did not come with an

Emergency Disk, or if you could not create an Emergency Disk during Setup, you must create a disk on an uninfected computer. Locate a computer that you know is virus-free, then follow the steps outlinedin“Using the Emergency Disk Creation utility” on page 57.

3. Wait at least 15 seconds, then start your computer again.

 NOTE:If you have your computer's BIOS configured to look for its

boot code first on your C: drive, you should change your BIOS settings so that your computer looks first on your A: or B: drive. Consult your hardware documentation to learn how to configure your BIOS settings.

After it starts your computer, the Emergency Disk runs a batch file that leadsyouthroughanemergencyscanoperation.Thebatchfilefirstasks you whether you cycled the power on your computer.

4. Type y to continue, then skip to Step 7.Ifyoudidnot,typen,thenturn your computer completely off and begin again.

The batch file next tells you that it will start a scan operation.

5. Read the notice shown on your screen, then press any key on your keyboard to continue.

The Emergency Disk will load the files it needs to conduct the scan operation into memory. If you have extended memory on your computer, it will load its database files into that memory for faster execution.

70 Dr Solomon’sAnti-Virus

Page 71

Removing Infections From Your System

BOOTSCAN.EXE, the command-line scanner that comes with the Emergency Disk, will make four scanning passes to examine your hard disk boot sectors, your Master Boot Record (MBR), your system directories, program files, and other likely points of infection on all of your local computer's hard disks.

 NOTE: Dr Solomon’s Software strongly recommends that you do

not interrupt the BOOTSCAN.EXE scanner as it runs its scan operation. The Emergency Disk will not detect macro viruses, script viruses, or Trojan horse programs, but it will detect common file-infecting and boot-sector viruses.

If BOOTSCAN.EXE finds a virus, it will try to clean the infected file. If it fails, it will deny access to the file and continue the scan operation. After it finishes all of its scanning passes, it shows a summary report the actions it took for each hard disk on the screen. The report tells you:

• How many files the scanner examined

• How many files of that number are clean, or uninfected

• How many files contain potential infections

• How many files of that number the scanner cleaned

• How many boot sector and MBR files the scanner examined

• How many boot sector and MBR files contain potential infections

If the scanner detects a virus, it beeps and reports the name and location of the virus on the screen.

6. When the scanner finishes examining your hard disk, remove the Emergency Disk from your floppy drive, then shut your computer off again.

7. When BOOTSCAN.EXE finishes examining your system, you can either:

• Return to working with your computer. If BOOTSCAN.EXE did

not find a virus, or if it cleaned any infected files it did find, remove the Emergency Disk from your floppy drive, then restart your computer normally. If you had planned to install Dr Solomon’s Anti-Virus on your computer but stopped when Setup found an infection, you can now continue with your installation.

• Try to clean or delete infected files yourself. If BOOTSCAN.EXE

found a virus that it could not remove, it will identify the infected filesandtellyouthatitcouldnotcleanthem,orthatitdoesnothave a current remover for the infecting virus.

User’s Guide 71

Page 72

Removing Infections From Your System

As your next step, locate and delete the infected file or files. You will need to restore any files that you delete from backup files. Be sure to check your backup files for infections also. Be sure also to use the Dr Solomon’s Anti-Virus application at your earliest opportunity to scan your system completely in order to ensure that your system is virus-free.

Deciding when to scan for viruses

Maintaining a secure computing environment means scanning for viruses regularly. Depending on the degree to which you swap floppy disks with other users, share files over your local area network, or interact with other computers via the Internet, scanning “regularly” could mean scanning as little as once a month, or as often as several times a day. Other good habits to cultivate include scanning right before you back up your data, scanningbefore you install new or upgraded software—particularly software you download from other computers—and scanning when you start or shut down your computer each day. Use the WinGuard scanner to examine your computer’s memory and maintain a constant level of vigilance between scan operations. Under most circumstances this should protect your system’s integrity.

If you connect to the Internet frequently or download files often, you might want to supplement regular scan operations with tasks based on certain events.UsetheDrSolomon’sAnti-VirusConsoletoscheduleasetofscan tasks to monitor your system at likely points of virus entry, such as

• whenever you insert a floppy disk into your computer’s floppy drive

• whenever you start an application or open a file

• wheneveryouconnecttoormapanetworkdrivetoyoursystem Even the most diligent scan operation can miss new viruses, however, if your

virus definition (.DAT) files are not up to date. Your Dr Solomon’s Anti-Virus purchase entitles you to free virus updates for the life of your product, so you can update frequently to keep current. The Dr Solomon’s Anti-Virus Console includes AutoUpdate and AutoUpgrade tasks you can use to update your .DAT files and the Dr Solomon’s Anti-Virus engine. To learn how to update your software, see Chapter 7, “Updating and Upgrading Dr Solomon’s

Anti-Virus.”.

72 Dr Solomon’sAnti-Virus

Page 73

Removing Infections From Your System

Recognizing when you don’thaveavirus

Personal computers have evolved, in their short life span, into highly complex machines that run ever-more-complicated software. Even the most farsighted of the early PC advocates could never have imagined the tasks for which workers, scientists and others have harnessed the modern PC’s speed, flexibility and power. But that power comes with a price: hardware and software conflicts abound, applications and operating systems crash, and hundreds of other problems can crop up in unlikely places. In some cases, these failures can resemble the sorts of effects that you see when you have a virus infection with a destructive payload. Other computer failures seem to defy explanation or diagnosis, so frustrated users blame virus infections, perhaps as a last resort.

Because viruses do leave traces, however, you can usually eliminate a virus infection as a possible cause for computer failure relatively quickly and easily. Running a full Dr Solomon’s Anti-Virus scan operation will uncover all of the known virus variants that can infect your computer, and quite a few of those that have no knownname or defined behavior. Although that doesn’t give you much help when your problem really results from an interrupt conflict, it does allow you to eliminate one possible cause. With that knowledge, you can then go on to troubleshoot your system with a full-featured system diagnosis utility.

More serious is the confusion that results from virus-like programs, virus hoaxes, and real security breaches. Anti-virus software simply cannot detect or respond to such destructive agents as Trojan horse programs that have never appeared previously, or the perception that a virus exists where none in fact does.

The best way to determine whether your computer failure resulted from a virusattackistorunacompletescanoperation,thenpayattentiontothe results. If the Dr Solomon’s Anti-Virus application does not report a virus infection, the chances that your problem results from one are slight—look to other causes for the symptoms you see. Furthermore, in the very rare event that the Dr Solomon’s Anti-Virus application does miss a macro virus or another virus type that has in fact infected your system, the chances are relatively small that serious failures will follow in its wake. You can, however, rely on Dr Solomon’s researchers to identify and isolate the virus, then to update Dr Solomon’s Anti-Virus immediately so that you can detect and, if possible, remove the virus when you next encounter it. To learn how yo u can help the virus researchers help you, see “Reporting new items for anti-virus

data file updates” on page xxiv.

User’s Guide 73

Page 74

Removing Infections From Your System

Understanding false detections

A false detection occurs when Dr Solomon’s Anti-Virus sends a virus alert message or makes a log file entry that identifies a virus where none actually exists. You are more likely to see false detections if you have anti-virus software from more than one vendor installed on your computer, because some anti-virussoftware stores the code signatures it uses for detection unprotected in memory.

Thesafestcoursetotakewhenyouseeanalertmessageorlogentryistotreat it as a genuine virus threat, and to take the appropriate steps to remove the virus from y our system. If, however, you believe that a Dr Solomon’s Anti-Virus component has generated a false detection—it has, for example, flagged as infected a file that you have used safely for years—verify that you are not seeing one of these situations before you call Network Associates technical support:

• You have more than one anti-virus program running. If so, Dr Solomon’s

Anti-Virus components might detect unprotected code signatures that another program uses and report them as viruses. To avoid this problem, configure your computer to run only one anti-virus program, then shut the computer down and turn off the power. Wait a few seconds before you start the computer again so that the system can clear the other program’s code signature strings from memory.

• You have a BIOS chip with anti-virus features. Some BIOS chips provide

anti-virus features that can trigger false detections when Dr Solomon’s Anti-Virus runs. Consult the user’s guide for your computer to learn about how its anti-virus features work and how to disable them if necessary.

• You have an older Hewlett-Packard or Zenith PC. Some older models

from these manufacturers modify the boot sectors on their hard disks each time they start up. Dr Solomon’s Anti-Virus components might detect thesemodificationsas viruses, when theyare not. Consult the user’sguide foryourcomputertolearnwhetheritusesself-modifyingbootcode.To solve the problem, use the Dr Solomon’s Anti-Virus Command Line scanner to add validation information to the startup files themselves. This methoddoes not save informationaboutthe boot sector or the master boot record.

• You have copy-protected software. Depending on the type of copy

protectionused, Dr Solomon’s Anti-Viruscomponentsmight detecta virus inthebootsectororthemasterbootrecordonsomefloppydisksorother media.

If none of these situations apply, contact Network Associates technical support or send e-mail to virus_research@nai.com with a detailed explanation of the problem you encountered.

74 Dr Solomon’sAnti-Virus

Page 75

Removing Infections From Your System

Responding to viruses or malicious software

Because Dr Solomon’s Anti-Virus consists of several component programs, any one of which could be active at one time, yourpossible responses to avirus infection or to other malicious software will depend upon which program detected the harmful object, how you have that program configured to respond, and other circumstances. The following sections give an overview of the default responses available with each program component. To learn about other possible responses, see the chapter that discusses each component in detail.

Responding when the WinGuard scanner detects malicious software

The WinGuard scanner consists of four related modules that provide you with continuous background protection against viruses, harmful Java and ActiveX objects, and dangerous websites. A fifth module controls security settings for the other four. You can configure and activate each module separately, or use them together to provide maximum protection. See Chapter 4, “Using the

WinGuard Scanner,” to learn how to configure each module. Because each

module detects different objects or scans different virus entry points, each has a different set of default responses.

Responding when the System Scan module detects a virus

How this module reacts when it fin ds a virus depends on which operating system your computer runs and, on Windows 95 and Windows 98 systems, on which prompt option you chose in the module’s Action page. To learn more about these options, see “Choosing Action options” on page 117.

By default on Windows 95 and Windows 98 systems, this module looks for viruses each time you run, copy, create, or rename any file on your system, or whenever you r ead from a floppy disk. On Windows NT Workstation v4.0 and Windows 2000 Professional systems, the System Scan module looks for viruseswheneveryoursystemoranothercomputerreadsfilesfromorwrites files to your hard disk or a floppy disk.

Because it scans files this way, the System Scan module can serve as a backup in case any of the other WinGuard modulesdoes not detect a virus when it first enters your system. In its initial configuration, the module will deny access to any infected file it finds, whichever Windows version your computer runs. It will also display an alert message that asks you what you want to do about the virus (see Figure3-11onpage86). The response options you see in this dialog box come from default choices or choices you make in the System Scan module’s Action page.

User’s Guide 75

Page 76

Removing Infections From Your System

As this dialog box awaits your response, your computer will continue to process any other tasks it is running in the background.

Figure 3-1. Initial System Scan response options

If your computer runs Windows 95 or Windows 98, you can choose to display a different virus alert message. If you select BIOS in the Prompt Type area in the System Scan module Action page, you’ll see instead a full-screen warning that offers you response options (Figure 3-2).

Figure 3-2. Full-screen Warning - System Scan response options

This alert message brings your system to a complete halt as it awaits your response. No other programs or system operations run on your system until you choose one of the response options shown.

The BIOS prompt type also allows you to substitute a Continue option for the Move File option. To do so, select the Continue access checkbox in the module’s Action page.

76 Dr Solomon’sAnti-Virus

Page 77

Removing Infections From Your System

 NOTE:The Continue access checkbox is unavailable if your computer

runs Windows NT Workstation v4.0 or Windows 2000, or if you choose the GUI prompt type on Windows 95 and Windows 98 systems.

To take one of the actions shown in an alert message, click a button in the Access to File Was Denied dialog box, or type the letter highlighted in yellow when you see the full-screen warning. If you want the same response to apply to all infected files that the System Scan module finds during this scan operation,selectthe Apply to all items checkbox in the dialog box. This option is not available in the full-screen alert message.

Your response options are:

• Clean the file. Click Clean in the dialog box, or type C when you see the

full-screen warning, to tell the System Scan module to try to remove the virus code from the infected file. If the module succeeds, it will restore the file to its original state and record its success in its log file.

If the module cannot clean the file—either because it has no remover or because the virus has damaged the file beyond repair—it will note this result in its log file, but will take no other action. In most cases, you should delete such files and restore them from backups.

• Delete the file. Click Delete in the dialog box, or type D when you see the

full-screen warning, to tell the System Scan module to delete the infected file immediately. By default, the module notes the name of the infected file in its log file so that you have a record of which files it flagged as infected. You can then restore deleted files from backup copies.

• Move the file to a differentlocation. Click Move File to in the dialog box.

This opens a browse window you can use to locate your quarantine folder or another folder you want to use to isolate infectedfiles. Once you select a folder, the System Scan module moves the infected file to it immediately. This option does not appear in the full-screen warning.

• Continueworking. Type O when you see the full-screen warning to tell the

System Scan module to let you continue working with the file and not take any other action. Normally, you would use this option to bypass files that you know do not have viruses. If you have its reporting option enabled, the module will note each incident in its log file. This option is not available in the Access to File Was Denied dialog box.

• Stop the scan operation. Click Stop in the dialog box, or type S when you

see the full-screen warning, to tell the System Scan module to deny any access to the file but not to take any other action. Denying access to the file prevents anyone from opening, saving, copying or renaming it. To continue, you must click OK. If you have its reporting option enabled, the module will note each incident in its log file.

User’s Guide 77

Page 78

Removing Infections From Your System

• Exclude the file from scan operations. Click Exclude in the dialog box, or

type E when you see the full-screen warning, to tell the System Scan module to exclude this file from future scan operations. Normally, you would use this option to bypass files that you know do not have viruses.

Responding when the E-mail Scan module detects a virus

This module looks for viruses in e-mail messages you receive via corporate e-mail systems such as cc:Mail and Microsoft Exchange. In its initial configuration, the module will prompt you to choose a response from among five options whenever it detects a virus (Figure 3-3).

Figure 3-3. E-mail Scan module response options

Click the button that corresponds to the response you want. Your choices are:

• Stop.Click this button to stop the scan operation immediately.The E-Mail

Scan module will record each detection in its log file, but it will take no other action to respond to the virus.

• Clean. Click this button to have the E-Mail Scan module software try to

remove the virus code from the infected file. If it cannot clean the file—either because it has no remover or because the virus has damaged the file beyond repair—it will record the incident in its log file and suggest alternative responses. In the example shown in Figure 3-3,themodule failed to clean the EICAR test file—a mock “virus” written specifically to test whether your anti-virus software installed correctly.Here, Cleanis not an available response option. In most cases, you should delete such files and restore them from backups.

• Delete. Click this button to delete the file from your system immediately.

Bydefault,theE-MailScanmodulewillrecordthenameoftheinfectedfile in its log so that you can restore the file from a backup copy.

• Move file to. Click this button to open a dialog box that you can use to

locate your quarantine folder, or another suitable folder. Once you have located the correct folder, click OK to transfer the file to that location.

78 Dr Solomon’sAnti-Virus

Page 79

Removing Infections From Your System

• Exclude. Click this button to prevent the E-Mail Scan module from

flagging this file as a virus in future scan operations. If you copy this file to your hard disk, this also prevents the System Scan module from detecting the file as a virus.

When you choose your action, the E-Mail Scan module will implement it immediately and add a notice to the top of the e-mail message that contained theinfectedattachment.Thenoticegivesthefilenameoftheinfected attachment, identifies the name of the infecting virus, and describes the action thatthemoduletookinresponse.

To apply the response you chose to all infected files that the E-Mail Scan module finds during this scan operation, select the Apply to all items checkbox in the dialog box.

Responding when the Download Scan module detects a virus

This module looks for viruses in e-mail messages and other files you receive over the Internet via a web browser or such e-mail client programs as Eudora Light, Netscape Mail, Outlook Express, and others. It will not detect files you download with FTP client applications, terminal applications, or through similar channels. In its initial configuration, the module will prompt you to choose a respo nse from among three options whenever it detects a virus (Figure 3-4). A fourth option provides you with additional information.

Figure 3-4. Download Scan response options

Click the button that corresponds to the response you want. Your choices are:

• Continue. Click this to tell the Download Scan module to take no action

andtoresumescanning.Themodulewillcontinueuntilitfindsanother virus on your system or until it finishes the scan operation. Normally, you would use this option to bypass files that you know do not have viruses, or if you plan to leave your computer unattended as you download e-mail or other files. The module will note each incident in its log file.

• Delete. Click this to tell the Download Scan module to delete the infected

file or e-mail attachment you received. By default, the module notes the name of the infected file in its log file.

User’s Guide 79

Page 80

Removing Infections From Your System

• Move.Clickthis totell the Download Scan module to move the infected file

to the quarantine directory you chose in the module’s Action property page.

When you choose your action, the Download Scan module will implement it immediately and add a notice to the top of the e-mail message that contained theinfectedattachment.Thenoticegivesthefilenameoftheinfected attachment, identifies the name of the infecting virus, and describes the action thatthemoduletookinresponse.

Responding when Internet Filter detects a virus

This module looks for hostile Java classes or ActiveX controls whenever you visit a website or download files from the Internet. You can also use the module to block your browser from connecting to dangerous Internet sites. In its initial configuration, the module will ask you whenever it encounters a potentially harmful object whether youwant to Denythe object access to your system or you want to Continue and allow the object access. It will offer you the same choice when you try to connect to a potentially dangerous website (Figure 3-5).

Figure 3-5. Internet Filter response options

Respondingwhen the Dr Solomon’sAnti-Virus application detects avirus

When you first run a scan operation with the Dr Solomon’s Anti-Virus application, it will look at all files on your C: drive that are susceptible to virus infection. This provides you with a basic level of protection that you can extend by configuring Dr Solomon’s Anti-Virus to suit your own needs.

With this initial configuration, the program will prompt you for a response whenitfindsavirus(Figure 3-6).

80 Dr Solomon’sAnti-Virus

Page 81

Removing Infections From Your System

Figure 3-6. Dr Solomon’s Anti-Virus response options

To respond to the infection, click one of the buttons shown. You can tell the Dr Solomon’s Anti-Virus application to:

• Continue. Click this button to proceed with the scan operation and have

the application list each infected file in the lower portion of its main window (Figure 3-7), record each detection in its log file, but take no other action to respond to the virus. Once the application finishes examining your system, you can right-click each file listed in the main window, then choose an individual response from the shortcut menu that appears.

Figure 3-7. Dr Solomon’s Anti-Virus main window

• Stop. Click this button to stop the scan operation immediately. The Dr

Solomon’s Anti-Virus application will list the infected files it has already found in the lower portion of its main window (Figure 3-7) and record each detection in its log file, but it will take no other action to respond to the virus. Right-click each infected file listed in the main window, then choose an individual respo ns e from the shortcut menu that appears.

User’s Guide 81

Page 82

Removing Infections From Your System

• Clean. Click this button to have the Dr Solomon’s Anti-Virus application

try to remove the virus code from the infected file. If it cannot clean the file—either because it has no remover or because the virus has damaged the file beyond repair—it will record the incident in its log file and suggest alternative responses.

In the example shown in Figure 3-6 on page 81, the application failed to clean the EICAR Test Virus—a mock “virus” written specifically to test whether your anti-virus software installed correctly. Here, Clean is not an available response option. In most cases, you should delete such files and restore them from backups.

• Delete. Click this button to delete the file from your system immediately.

By default, the Dr Solomon’s Anti-Virus application will record the name of the infected file in its log so that you can restore the file from a backup copy.

• Move file to. Click this to open a dialog box that you can use to locate your

quarantine folder, or another suitable folder. Once you have located the correct folder, click OK to transfer the file to that location.

• Info. Click this to connect to the Network Associates Virus Information

Library. This choice does not take any action against the virus that the application detected. See “Viewing virus information”onpage84 for more details.

Responding when the E-Mail Scan extension detects a virus

TheE-MailScanextensionincludedwithDrSolomon’sAnti-Virusletsyou scan incoming Microsoft Exchange or Microsoft Outlook e-mail messages for virusesatyourinitiative.Youcanstartitfromwithineithere-mailclientand use it to supplement the continuous e-mail background scanning you get with theWinGuardE-MailScanmodule.TheE-MailScanmodulealsooffersthe ability to clean infected file attachments or stop the scan operation, a capability that complements the continuous monitoring that the E-Mail Scan module provides. In its initial configuration, E-Mail Scan extension will prompt you for a response when it finds a virus (Figure 3-8).

82 Dr Solomon’sAnti-Virus

Page 83

Removing Infections From Your System

Figure 3-8. E-Mail Scan response options

To respond to the infection, click one of the buttons shown. You can tell the E-Mail Scan extension to:

• Continue.Click this button to have the E-Mail Scanextension proceed with

its scan operation, list each infected file it finds in the lower portion of its main window (Figure 3-9), and record each detection in its log file, but it will take no other action to respond to the virus. The extension will continue until it finds another virus on your system or until it finishes the scan operation. Once it has finished examining your system, you can right-click each file listed in the main window, then choose an individual response from the shortcut menu that appears.

• Stop.Click this button to stop the scan operation immediately.The E-Mail

Scan extension will list the infected files it has already found in the lower portion of its main window (Figure 3-9) and record each detection in its log file, but it will take no other action to respond to the virus. Right-click each infected file listed in the main window, then choose an individual response fromtheshortcutmenuthatappears.

User’s Guide 83

Page 84

Removing Infections From Your System

Figure 3-9. E-Mail Scan extension window

• Clean. Click this button to remove the virus code from the infected file. If

the E-Mail Scan extension cannot clean the file—eithe r because it has no remover or because the virus has damaged the file beyond repair—it will record the incident in its log file and suggest alternative responses. In the example shown in Figure 3-8, Clean is not an available response option. In most cases, you should delete such files and restore them from backups.

• Delete.Click this button to delete the file from your system. By default, the

E-Mail Scan extension will record the name of the infected file in its log so that you can restore the file from a backup copy.

• Move.Click this button to open a dialog box that you can use to locate your

quarantine folder, or another suitable folder. Once you have located the correct folder, click OK to transfer the file to that location.

• Info. Click this to connect to the Network Associates Virus Information

Library. This choice does not cause the E-Mail Scan extension to take any action against the virus it detected. See “Viewing virus information” for more details.

Viewing virus information

Clicking Info in any of the virus response dialog boxes will connect you to the Network Associates online Virus Information Library, provided you have an Internet connection and web browsing software available on your computer (Figure 3-10).

84 Dr Solomon’sAnti-Virus

Page 85

Removing Infections From Your System

Figure 3-10. Network Associates Virus Information Library page

The Virus Information Library has a collection of documents that give you a detailed overview of each virus that Dr Solomon’s Anti-Virus can detect or clean, along with information about how the virus infects and alters files, and the sorts of payloads it deploys. The site lists the most prevalent or riskiest viruses, provides a search engine you can use to search for particular virus descriptions alphabetically or by virus name, displays prevalence tables, technical documents, and white papers, and gives you access to technical data you can use to remove viruses from your system.

To connect directly to the library, visit the site at:

http://vil.nai.com/villib/alpha.asp

You can also connect directly to the Library from the Dr Solomon’s Anti-Virus Console —choose Virus List from the View menu in the Console window. To learnmoreabouttheConsole,seeChapter 6, “Creating and Configuring

Scheduled Tasks.”

You’ll find the Library at Network Associates AVERT website:

http://www.nai.com/asp_set/anti_virus/avert/intro.asp

The AVERT website has a w ealth of virus-related data and software. Examples include:

• Current information an d risk assessments on emerging and active virus

threats

User’s Guide 85

Page 86

Removing Infections From Your System

• Software tools you can use to extend or supplement your Dr Solomon’s

anti-virus software

• Contact addresses and other information for submitting questions, virus

samples, and other data

• Virus definition updates-this includes daily beta .DAT file updates,

EXTRA.DAT files, updated Emergency .DAT files, current scan engine versions, regular weekly .DAT and SuperDAT updates, and new incremental virus definition files (.UPD)

• Beta and “first look” software

Viewing file information

If you right-click a file listed either in the Dr Solomon’s Anti-Virus main window or the E-Mail Scan window (see Figure 3-9 on page 84), then choose File Info from the shortcut menu that appears, Dr Solomon’s Anti-Virus will open an Infected Item Information dialog box that names the file, lists its type and size in bytes, gives its creation and modification dates, and describes its attributes (Figure 3-11).

86 Dr Solomon’sAnti-Virus

Figure 3-11. Infected File Information property page

Page 87

Removing Infections From Your System

Submitting a virus sample

If you have a suspicious file that you believe contains a virus, or experience a system condition that might result from an infection—but Dr Solomon’s Anti-Virushas not detected a virus—Dr Solomon’sSoftwarerecommendsthat you send a sample to its anti-virus research team for analysis. When you do so, be sure to start your system in the apparently infected state—don’t start your system from a clean floppy disk.

Several methods exist for capturing virus samples and submitting them. The next sections discuss methods suited to particular conditions.

Using the SendVirus utility to submit a file sample

Because the majority of later-generation viruses tend to infect document and executable files, Dr Solomon’s Anti-Virus comes w ith SENDVIR.EXE, a utility that makes it easy to submit an infected file sample to Dr Solomon’s researchers for analysis.

To submit a sample file, follow these steps:

1. If you must connect to your network or Internet Service Provider (ISP) to send e-mail, do so first. If you are continuouslyconnected to your network or ISP, skip this step and go to Step 2.

2. Locate the file SENDVIR.EXE in your Dr Solomon’s Anti-Virus program directory. If you installed your Dr Solomon’s Anti-Virus with default Setup options, you'll find the file here:

C:\Program Files\Network Associates\Dr Solomon’s Anti-Virus

3. Double-click the file to display the first AVERT Labs Response Center wizard panel (Figure 3-12).

Figure 3-12. First SENDVIR.EXE panel

User’s Guide 87

Page 88

Removing Infections From Your System

4. Read the welcome message, then click Next> to continue. The Contact Information wizard panel appears.

5. If you want AVERT researchers to contact you about your submission, enter your name, e-mail address, and any message you would like to send along with your submission in the text boxes provided, then click

Next> to continue.

Figure 3-13. Your Contact Information panel

 NOTE: You may submit samples anonymously, if you prefer—

The Choose Files to Submit panel appears (Figure 3-14).

88 Dr Solomon’sAnti-Virus

simply leave the text boxes in this panel blank. You are under no obligation to supply any information at all here.

Figure 3-14. Choose Files to Submit panel

Page 89

Removing Infections From Your System

6. Click Add to open a dialog box you can use to locate the files you believe are infected.

Choose as many files as you want to submit for analysis. To remove any of the files shown in the submission list, select it, then click Remove. When you have chosen all of the files you want to submit, click Next> to continue.

The Choose Upload Options panel appears (Figure 3-15).

Figure 3-15. Choose Upload options panel

If the file you want to submit is a Microsoft Office document or another file that contains information you want to keep confidential, select the Remove my personal data from file checkbox, then click Next> to continue. This tells the SENDVIR.EXE utility to strip everything out of the file except macros or executable code.

The Choose E-Mail Service panel appears (Figure 3-16).

Figure 3-16. Choose E-mail Service panel

User’s Guide 89

Page 90

Removing Infections From Your System

7. Select the type of e-mail client application you have installed on your computer. Your choices are:

• Use outgoing Internet mail. Click this button to send your sample

viaaSimpleMailTransferProtocole-mailclient,suchasEudora, NetScape Mail, or Microsoft Outlook Express. Next, enter the name of your outgoing mail server in the text box provided-mail.domain.com, for example.

• Use Microsoft Exchange. Click thisbutton to sendyour samplevia

your corporate e-mail system. To use this option, your e-mail system must support the Messaging Application Programming Interface (MAPI) standard. Examples of such systems include Microsoft Exchange, Microsoft Outlook, and Lot us cc:Mail v8.0 and later.

8. Click Finish to send your sample.

 NOTE: Although Dr Solomon’s researchers appreciate your

submission, their receipt of your message does not obligate them to take any action, provide any remedy, or respond in any way to you.

SENDVIR.EXE will use the e-mail client you specified to send your sample.You must have connectedto your networkor ISP in order for this process to succeed.

Capturing boot sector, file-infecting, and macro viruses

If you suspect you have a virus infection, you can collect a sample of the virus, then either create a floppy disk image to send via e-mail, or mail the floppy disk itself to Dr Solomon’s anti-virus researchers. The researchers would also benefit from having samples of your current system files on a separate floppy disk.

Capturing boot-sector infections

Boot-sector viruses frequently hide in areas of your hard disk or floppy disks that you ordinarily cannot see or read. You can, however, capture a sample of a boot-sector virus by deliberately infecting a floppy disk with it.

To do so, follow these steps:

1. Insert a new, unformatted floppy disk into your floppy drive.

2. Click Start in the Windows taskbar, point to Programs,thenchoose

MS-DOS Prompt if your computer runs Windows 95 or Windows 98, or Command Prompt if your computer runs Windows NT Workstation

v4.0 or Windows 2000 Professional.

90 Dr Solomon’sAnti-Virus

Page 91

Removing Infections From Your System

3. Type this line at the command prompt:

format a: /s

If your system hangs as it tries to format the disk, remove the disk from your floppy drive. Next, label the disk “Damaged during infected format as boot disk,” then set it aside.

4. Insert a new, formatted floppy disk into your floppy drive.

5. Copy your current system files to that disk. For most DOS versions, those files will include:

•IO.SYS

•MSDOS.SYS

•COMMAND.COM

For Windows systems, copy these files to the same preformatted disk:

•GDI.EXE

• KRNL286.EXE or KRNL386.EXE

•PROGMAN.EXE

6. Label the diskette “Contains infected files,” then set it aside.

Capturing file-infecting or macro viruses

If you suspect you have a file-infecting virus or a macro virus that has infected any of your Microsoft Word, Excel, or PowerPoint files, send these files to Dr Solomon’s anti-virus researchers, either with the SENDVIR.EXE utility, via e-mail as floppy disk images, or through the mail on floppy disk:

• If you suspect that a virus has infected executable files on your system, copy COMMAND.COM to a formatted floppy dis k, then change its file extension to a non-executable extension.

• If you suspected that a macro virus has infected your Microsoft Word files, copy NORMAL.DOT and all files from the Microsoft Office Startup folder to the floppy disk. You’ll find the Microsoft Office startup files here, if you installed Office to its default location:

C:\Program Files\Microsoft Office\Office\Startup

• If you suspect that a macro virus has infected your Microsoft Excel files, copy all files from C:\Program Files\Microsoft Office\Office\XLSTART to the disk. Include all files you have installed in alternative startup file locations.

User’s Guide 91

Page 92

Removing Infections From Your System

• If you suspect that a macro virus has infected your PowerPoint files, copy the file BLANKPRESENTATION.POT from C:\Program Files\Microsoft Office\Templates to the disk.

Making disk images

To send the files now stored on any floppy disks you created, you can use a Network Associates AVERT Labs tool called RWFLOPPY.EXE to make a floppy disk image that encapsulates the infection. The RWFLOPPY.EXE tool does not come with your Dr Solomon’s Anti-Virus, but you can download it from this location:

http://www.nai.com/asp_set/anti_virus/avert/tools.asp

The AVERT site stores the tool as a compressed .ZIP file. Download the file to your computer, then extract it to a temporary folder on your hard disk. The .ZIP package contains a brief text file that explains the syntax for using the RWFLOPPY.EXE utility.

NOTE: If you suspect you have a boot virus, you must use RWFLOPPY to send your samples electronically; otherwise, you must send your samples physically on a diskette. If you send them electronically without using RWFLOPPY, the samples will be incomplete or unusable, as boot viruses often hide beyond the last sectors of a diskette, and other diskette image creation programs cannot obtain this data.

Onceyoucreateimagesofthedisksyouwanttosend,youcansendthemas file attachments in an e-mail message to Dr Solomon’s anti-virus researchers.

Preparing file archives to send

Try to fit as many of file samples as you can on a single floppy disk. To do so, compress the samples that you captured on disk to a single .ZIP file with password protection. Here’s a suggested procedure that uses the WinZip utility:

1. Start WinZip.

2. Press CTRL+N to create a new archive.

The New Archive dialog box appears.

3. Enter a name for the new archive, then click OK.

4. Press CTRL+A to add files to the new archive.

The Add dialog box appears.

5. Click Password to display the Password dialog box.

92 Dr Solomon’sAnti-Virus

Page 93

Removing Infections From Your System

6. Type INFECTED in the Password text box, then click OK.

7. When prompted, retype your password to verify its accuracy, then click

OK. The Add With Password dialog box appears.

8. Select your sample files, then click OK.

WinZip applies the password you entered to all files that you add to or extract from your archive. Password-protected files appear in the archive list with a plus sign (+) after their names.

 NOTE: If you do not protect your samples with the password

INFECTED, Dr Solomon’s anti-virus scanners may detect and clean samples before they reach our researchers.

9. Attach the .ZIP file that you created to an e-mail message.

Sending samples via e-mail

Once you’ve made disk images or created a file archive for your samples, send them to Dr Solomon’s researchers at one of these e-mail addresses:

In the United States virus_research@nai.com In the United Kingdom vsample@nai.com In Germany virus_research_de@nai.com In Japan virus_research_japan@nai.com In Australia virus_research_apac@nai.com In the Netherlands virus_research_europe@nai.com

In your message, include this information:

• Which symptoms cause you to suspect that your machine is infected

• Which product and version number detected the virus, if any did, and what the results were

• Your Dr Solomon’s Anti-Virus and .DAT file version numbers

• Details about your system that might help to reproduce the environment in which you detected the virus

• Your name, company name, phone number, and e-mail address, if possible

• A list of all items contained in the package you are sending

User’s Guide 93

Page 94

Removing Infections From Your System

Mailing infected floppy disks

You can also mail the actual disks you created directly to Dr Solomon’s anti-virus researchers. Dr Solomon’s Software recommends that you create a text file or write a message to accompany the disks that includes the same information you would submit with an electronic disk image. Send your sample to only one research lab address so that you can receive the fastest possibleresponsetoyourissue.Usethesemailingaddresses:

In the United States:

Network Associates, Inc. Virus Research 20460 NW Von Neumann Drive Beaverton, OR 97006

In Germany:

Network Associates, Inc. Virus Research Luisenweg 40 20537 Hamburg Germany

In Australia:

Network Associates, Inc. Virus Research 500 Pacific Highway, Level 1 St. Leonards, NSW Sydney Australia 2065

In the United Kingdom:

Network Associates, Inc. Virus Research Gatehouse Way Aylesbury, Bucks HP19 3XU UK

In Japan:

Network Associates, Inc. Virus Research 9F Toranomon Mori-bldg. 33 3-8-21 Toranomon, Minato-Ku Tokyo Japan 105-0001

In Europe:

Network Associates, Inc. Virus Research Gatwickstraat 25 1043 GL Amsterdam Netherlands

 NOTE:Network Associates AVERT Labs does keep all submitted

samples, but once you submit a sample, AVERT cannot return it to you. AVERT does not accept or process Iomega Ditto or Jazz cartridges, Iomega Zip disks, or other types of removable media.

94 Dr Solomon’sAnti-Virus

Page 95

4Using the WinGuard Scanner

What does the WinGuard scanner do?

Dr Solomon’s desktop anti-virus products use two general methods to protect your system. The first method, background scanning, operates continuously, watching for viruses as you use your computer for everyday tasks. In the Dr Solomon’sAnti-Virusproduct,the WinGuard scanner performsthis function. A second method allows you to initiate your own scan operations. The Dr Solomon’s Anti-Virus application generally handles these tasks.To learn more about the application, see Chapter 5, “Using the Dr Solomon’s Anti-Virus

application.”

Depending on how you configure it, the WinGuard scanner can monitor any filethatarrivesonorleavesyoursystem,whetheronfloppydisk,overyour network, in file attachments that accompany e-mail messages, or from the Internet. The scanner looks for viruses as you open, save, copy, rename or otherwise modify your files, and it probes your computer's memory during any file activity. The scanner starts when you start your computer, and stays in memory until you shut it or your system down. The scanner also includes optional features that guard against hostile Java applets and ActiveX controls, and that keep your computer from connecting to dangerous Internet sites.

The WinGuard scanner consists of five related modules, each of which has a specialized function. You can configure settings for all of these modules in the WinGuard Properties dialog box. The WinGuard modules are:

• SystemScan. This module looks for viruses on your hard disk as you work with your computer. It tracks files as yo ur system or other computers read filesfromyourharddiskorwritefiles to it. Itcanalsoscanfloppydisksand network drives mapped to your system.

• E-MailScan. This module scans e-mail messages and message attachments that you receive via intraoffice e-mail systems, and vi a the Internet. It scans your Microsoft Exchange or Outlook mailbox on your Microsoft Exchange server, and older cc:Mail e-mail systems.

It works in conjunction with the Download Scan module to scan Internet mail that arrives via Simple Mail Transfer Protocol (SMTP) or Post Office Protocol (POP-3) sources.

User’s Guide 95

Page 96

Using the WinGuard Scanner

• Download Scan. This module scans files that you download to your system from the Internet. If you have enabled the Internet mail option in the E-Mail Scan module, this will include e-mail and file attachments that arrive via SMTP or POP-3 e-mail systems, which include such e-mail client programs as Eudora Pro, Microsoft Outlook Express, NetScape mail, and America Online mail.

• Internet Filter. This module looks for and blocks hostile Java classes and ActiveX controls from downloading to and executingfrom your system as you visit Internet sites. It can also block your browser from connecting to potentially dangerous Internet sites that harbor malicious software.

• Security.Thismoduleprovidespasswordprotectionfortheremaining WinGuard modules. You can protect any or all individual module property pages and set a password to prevent unauthorized changes.

 NOTE: Because the WinGuard scanner runs continuously, you

IMPORTANT: To use the E-Mail Scan, Download Scan or Internet Filter modules, you must install them from the Custom option in Setup. To learn how to do so, see C hapter 2, “InstallingDr

Solomon’s Anti-Virus.”

should not install or run more than one WinGuard scanner on the same workstation. Doing so can cause the scanners to interfere with each others' operations.

Why use the WinGuard scanner?

The WinGuard scanner has unique capabilities that make it an integral part of the Dr Solomon’s Anti-Virus comprehensive anti-virus software security package. These capabilities include:

• On-access scanning. This means that the scanner looks for viruses in files that you open, copy, save, or otherwise modify, and files that you read from or write to floppy disks and network drives. It therefore can detect and stop viruses as soon as they appear on your system, including those that arrive via e-mail or as downloads from the Internet. This means you can make the WinGuard scanner both your first line of anti-virus defense, and your backstop protection in between each scan operation that you perform. The WinGuard scanner detects viruses in memory and as they attempt to execute from within infected files.

96 Dr Solomon’sAnti-Virus

Page 97

Using the WinGuard Scanner

• Malicious object detection and blocking. T he WinGuard scanner can block harmful ActiveX and Java objectsfrom gaining access to your system, before they pose a threat. The scanner does this by scanning the hundreds ofobjectsyoudownloadas you connect to the web or tootherInternetsites, and the file attachments you receive with your e-mail. It compares these items against a current list of harmful objects that it maintains, and blocks those that could cause problems.

• Internet site filtering. The WinGuard scanner comes with a list of dangerous web- or Internet sites that pose a hazard to your system, usually intheformofdownloadablemalicioussoftware.Youcanaddanyother site that you want to keep your browser software from connecting to, either by listing its Internet Protocol (IP) address or its domain name.

• Automatic operation. The WinGuard scanner integrates with a range of browser software and e-mail client applications. This allows the scanner to log on to and scan your e-mail attachments for viruses before they ever reach your computer.

If you connect to the Internet or work on a network in any capacity, leaving this component running at all times can significantly improve your ability to detect and dispose of harmful software before i t has a chance to damage your system.

Browser and e-mail client suppor t

The WinGuard scanner works seamlessly with many of the most popular web browsers and e-mail client software available for the Windows platform. To work with your browser, the scannerrequires no setup beyond what you have alreadydone to connect your computer to the Internet. You must configure the scanner, however, to work correctly with your e-mail client software. See

“Using the WinGuard configuration wizard” on page 103 or “Setting WinGuard scanner properties” on page 109 to learn how to do the required

setup. Dr Solomon’s Software has tested these web browsers and verified that they

work correctly with the WinGuard scanner:

• Netscape Navigator v3.x

• Netscape Navigator v4.0.x (not including v4.0.6)

• Microsoft Internet Explorer v3.x

• Microsoft Internet Explorer v4.x

User’s Guide 97

Page 98

Using the WinGuard Scanner

Dr Solomon’s Software has also tested these e-mail clients and verified that they work with the WinGuard Download Scan module:

• Microsoft Outlook Express

• Qualcomm Eudora v3.x and v4.x

• Netscape Mail (incl uded with most versions of Netscape Navigator and Netscape Communicator)

• America Online mail v3.0 and v4.0

In order to work with the W inGuard E-mail Scan module, your corporate e-mail system must use Lotus cc:Mail, Microsoft Exchange, or Microsoft Outlook client. Dr Solomon’s Software has tested these clients and has verified that they work correctly with the E-mail Scan module:

• Microsoft Exchange v4.0, v5.0 and v5.5

• Microsoft Outlook 97 and Outlook 98

• Lotus cc:Mail v6.x, v7.x, and v8.x (not MAPI-compliant)

Dr Solomon’s Software does not certify WinGuard software compatibility with client software not listed above.

Enabling or starting the WinGuard scanner

At the end of the Dr Solomon’s Anti-Virus installation, Setup asks if you want to enable the WinGuard scanner at that time. If you agree, the WinGuard scanner should load into memory immediately and begin working with a default set of options that give you basic anti-virus protection. If you do not agree, the WinGuard scanner will load automatically the next time you restart your computer.

When the WinGuard scanner first starts, it displays an icon in the Windows system tray that indicates which of its modules are active. To learn what each iconstatemeans,see“Understanding the WinGuard system tray icon states”

on page 103.

At first, the scanner enables only its System Scan module, which scans viruses that arrive on your system from floppy disks and other removable media, from local-area network connections, and similar areas. The System Scan module also scans files that arrive via your e-mail system and from the Internet, but to do so, it requires the aid of the other WinGuard modules: E-Mail Scan, Download Scan, and Internet Filter.

IMPORTANT:To use the E-Mail Scan, Download Scan or Internet Filter modules, you must install them from the Custom option in Setup. To learn how to do so, see Chapter 2, “Installing Dr Solomon’s Anti-Virus.”

98 Dr Solomon’sAnti-Virus

Page 99

Using the WinGuard Scanner

If your computer runs Windows NT Workstation v4.0 or Windows 2000 Professional, the WinGuard scanner loads as a Windows NT service called McShield, which you can see in the Windows Services control panel.

 NOTE:Dr Solomon’s Software recommends that you do not start or stop

theMcShieldservicefromtheWindowscontrolpanel.Instead,youcan stop and restart the scanner from the provided Dr Solomon’s Anti-Virus control panel. To learn more about how to use the Dr Solomon’s Anti-Virus control panel, see “Understanding the Dr Solomon’s

Anti-Virus control panel” on page 301

Ifyour computer runs Windows 95or Windows 98,the scanner loads in a way that mimics a Windows service on that platform. This service is not visible in the Windows user interface.

Starting the scanner automatically

If the WinGuard scanner does not start automatically, you can set it to do so in the Dr Solomon’s Anti-Virus control panel.

Follow these steps:

1. Click Start in the Windows taskbar, point to Settings, then choose Control Panel.

2. Locate and double-click the Dr Solomon’s Anti-Virus control panel

to open it.

3. Click the Components tab (Figure 4-1).

Figure 4-1. Dr Solomon’s Anti-Virus control panel - Components

page

User’s Guide 99

Page 100

Using the WinGuard Scanner

4. Select the Load WinGuard on startup checkbox at the top of the Components property page.

5. Click OK to close the control panel.

Enabling the WinGuard scanner and its modules

Once you have all WinGuard components installed, you can use any of four methods to enable them, in various combinations.

 NOTE:Enabling a module means activating it and loading it into your

computer's memory for use. The WinGuard scanner can start and remain active in memory even with none of its modules enabled.

Method 1: Use the WinGuard shortcut menu

Follow these steps:

1. Right-click the WinGuard icon in the Windows system tray to display its shortcut menu.

2. Point to Quick Enable.

3. Choose one of the module names shown without a check mark. Module names that have a check mark beside them are active. Those without a checkmarkareinactive.Ifyouusethismethodtoenableamodule,it remains enabled until you restart your Dr Solomon’s Anti-Virus or your computer. At that point, its state will depend on whether you have enabled or disabled the module in the Dr Solomon’s Anti-Virus Properties dialog box.

Depending on which combination of modules you enable, the WinGuard icon will display a different state. To learn what the different icon states mean, see

“Understanding the WinGuard system tray icon states” on page 103.

Method 2: Use the System Scan Status dialog box

Follow these steps:

1. Double-clicktheWinGuard icon intheWindows system tray to open the System Scan Status dialog box (Figure 4-1).

100 Dr Solomon’sAnti-Virus

Mcafee DR SOLOMON S ANTI-VIRUS 8.5 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Preface

What happened?

Why worry?

Where do viruses come from?

Virus prehistory

Viruses and the PC revolution

Boot-sector viruses

File infector viruses

Stealth, mutation, encryption, and polymorphic techniques

Macro viruses

On the frontier

Java, ActiveX, and scripted objects

Where next?

How to prote ct yourself

How to contact Network Associates

Customer service

Technical support

Download support

Network Associates training

Comments and feedback

Reporting new items for anti-virus data file updates

International contact information

1About Dr Solomon’sAnti-Virus

Introducing Dr Solomon’sAnti-Virus

How does Dr Solomon’sAnti-Viruswork?

Fast, accurate virus detection

Encrypted polymorphic virus detection

“Double heuristics” analysis

Wide-spectrum coverage

What comes with Dr Solomon’sAnti-Virus?

What’s new in this release?

Installation and distribution features

Interface enhancements

Changes in product functionality

New update options for your Dr Solomon’sAnti-Virus

Before you begin

System requirements

Other recommendations

Preparing to install Dr Solomon’sAnti-Virus

Installation options

Installation steps

Using the Emergency Disk Creation utility

Determining when you must restart your computer

Testing your installation

Modifying or removing your Dr Solomon’sAnti-Virus installation

If you suspect you have a virus...

Deciding when to scan for viruses

Recognizing when you don’thaveavirus

Understanding false detections

Responding to viruses or malicious software

Responding when the WinGuard scanner detects malicious software

Responding when the System Scan module detects a virus

Responding when the E-mail Scan module detects a virus

Responding when the Download Scan module detects a virus

Responding when Internet Filter detects a virus

Respondingwhen the Dr Solomon’sAnti-Virus application detects avirus

Responding when the E-Mail Scan extension detects a virus

Viewing virus information

Viewing file information

Submitting a virus sample

Using the SendVirus utility to submit a file sample

Capturing boot sector, file-infecting, and macro viruses

Capturing boot-sector infections

Capturing file-infecting or macro viruses

Making disk images

Preparing file archives to send

Sending samples via e-mail

Mailing infected floppy disks

4Using the WinGuard Scanner

What does the WinGuard scanner do?

Why use the WinGuard scanner?

Browser and e-mail client suppor t

Enabling or starting the WinGuard scanner

Starting the scanner automatically

Enabling the WinGuard scanner and its modules

Method 1: Use the WinGuard shortcut menu