Mcafee DR SOLOMON S ANTI-VIRUS 8.5 ADMINISTRATOR GUIDE

Dr Solomon’s Anti-Virus

Administrator’s
Guide

Version 8.5

COPYRIGHT

Copyright © 2000 Network Associates, Inc. and its Affiliated Companies. All Rights Reserved. No part
of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated
into any language in any form or by any means without the written permission of Network Associates ,
Inc.

TRADEMARK ATTRIBUTIONS

* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, CNX,
Compass 7, CyberCop, CyberMedia, Data Security Letter, Discover, Di stributed Sniffer System, Dr
Solomon’s, Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT, GroupShield, HelpDesk,
Hunter, ISDN Tel/Scope, LM 1, LA NGuru, Le ading Help Des k Technolo gy, Magic Solu tions, MagicSpy,
MagicTree, Magic University, MagicWin, MagicWord, McAfee, McAfee Associates, MoneyMagic, More
Power To You, Multimedia Cl oaking, NetCrypto, Net Octopus, NetRoom, NetScan, Net Shield, NetShield,
NetStalker, Net Tools, Network Associates, Network General, Network Uptime!, NetXRay, Nuts & Bolts,
PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty
Good Privacy, PrimeSupport, RecoverKey, RecoverKey-Inter national, ReportMagic, RingFence, Router
PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, Site Meter, Sniffer,
SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR), SupportMagic, Switch PM,
TeleSniffer, TIS, TMach, TMeg, Total Network S ecurity, Total Network Visibility, Total Se rvice Desk,
Total Virus Defense, T-P OD, Trus ted Mach, Trusted Ma il, Uninst aller, Virex, Virex- PC, Viru s Forum,
ViruScan, VirusScan, VShield, WebScan, WebS hield, WebSniffer , WebSt alker WebW all, and ZAC 2000

are registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All
other registered and unregistered trademarks in this document are the sole property of their respective
owners.

LICENSE AGREEMENT

NOTICE TO ALL USERS: CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT
("AGREEMENT"), FOR THE LICENSE OF SPECIFIED SOFTWARE ("SOFTWARE") BY
NETWORK ASSOCIATES, INC. ("McAfee"). BY CLICKING THE ACCEPT BUTTON OR
INSTALLING THE SOFTWARE, YOU (EITHER AN INDIVIDUAL OR A SINGLE ENTITY)
CONSENT TO BE BOUND BY AND B ECOME A PARTY TO THIS AGREEMENT. IF YO U DO
NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE BUTTON THAT
INDICATES THAT YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT AND DO NOT
INSTALL THE SOFTWARE. (IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE
PLACE OF PURCHASE FOR A FULL REFUND.)

1. License Grant. Subject to the payment of the applicable license fees, and subject to the terms and

conditions of this Agreement, McAfee hereby grants to you a non-exclusive, no n-transferable right
to use one copy of the specified version of the Software and the accompanying d ocumentation (the
"Documentation"). You may install one copy of the Software on one computer, workstation,
personal digital assistant, pager, "smart phone" or other electronic device for which the Software
was designed (each, a "Client Device"). If the Software is licensed as a suite or bundle with more
than one specified Software product, this license applies to all such specified Software products,
subject to any restrictions or usage terms specified on the applicable price list or p roduct packaging
that apply to any of such Software products individually.

Issued May 2000/ Dr Solomon’s Anti-Virus v8.5

(i.e., the required number of licenses would equal the number of distinct inputs to the
multiplexing or pooling software or hardware "front end"). If the number of Client Devices or
seats that can connect to the Software can exceed the nu mber of licens es you have obtained, then
you must have a reasonable mechanism in place to en sure that you r use of the Software does not
exceed the use limits specified for the licens es you h ave obtained . This licen se authorizes you to
make or download one copy of the Documentation for each Client Device or seat that is licensed,
provided that each such copy contains all of the Documentation's proprietary notices.

c. Volume Licenses. If the Software is licensed with volume license terms specified in the

applicable price list or product packaging for the Software, you may make, use and install as
many additional copies of the Software on the number of Client Devices as the volume license
authorizes. You must have a reasonable mechanism in place to ensure that the number of Client
Devices on which the Software has been installed does not exceed the number of licenses you
have obtained. This license authori zes you to make or downl oad one copy of the Document ation
for each additional copy authorized by the volume license, provided that each such copy contains
all of the Documentation's proprietary notices.

2. Term. This Agreement is effective for an unlimited duration unless and until earlier terminated as

set forth herein. This Agreement will terminate automatically if you fail to comply with any of the
limitations or other requirements described herein. Upon any termination or expiration of this
Agreement, you must destroy all copies of the Software and the Documentation. You may
terminate this Agreement at any point by destroying all copies of the Software and the
Documentation.

3. Updates. For the time period specified in the applicable price list or product packaging for the

Software you are entitled to download revisions or updates to the Software when and as McAfee
publishes them via its electronic bulletin board system, website or through other online services.
For a period of ninety (90) days from the date of the original purchase of the Software, you are
entitled to download one (1) revision or upgrade to the Software when and as McAfee publishes it
via its electronic bulletin board system, website or through other online services. After the
specified time period, you have no further rights to receive any revisions or upgrades without
purchase of a new license or annual upgrade plan to the Software.

4. Ownership Rights. The Software is protected by United States copyright laws and international

treaty provisions. McAfee and its suppliers own and retain all right, title an d interest in and to the
Software, including all copyrights, patents, trade secret rights, trademarks and other intellectual
property rights therein. Your possession, installation, or use of the Software does not transfer to
you any title to the intellectual property in the Software, and you will not acquire any rights to the
Software except as expressly set forth in this Agreement. All copies of the Software and
Documentation made hereund er must contain the s ame proprietar y notices that appear o n and in the
Software and Documentation.

Administrator’s Guide iii

5. Restrictions. You may not rent, lease, loan or resell the Software. You may not permit third parties

to benefit from the use or functionality of the Software via a timesharing, service bureau or other
arrangement, except to the extent such use is specified in the applicable list price or product
packaging for the Software. You may not transfer any of the rights granted to you under this
Agreement. You may not reverse engineer, decompile, or disassemble the Software, except to the
extent the foregoing restriction is expres s ly prohibited by applicabl e law . Y ou may n ot mo di fy, or
create derivative works based upon, the Software in whole or in part. You may not copy the
Software or Documentation except as expressly permitted in Section 1 above. You may not remove
any proprietary notices or labels on the Software. All rights not expressly set forth hereunder are
reserved by McAfee. McAfee reserves the right to periodically conduct audits upon advance
written notice to verify compliance with the terms of this Agreement.

6. Warranty and Disclaimer
a. Limited Warranty. McAfee warrants that for sixty (60) day s from the date of origi nal purchase

the media (e.g., diskettes) on which the Software is contained will be free from defects in
materials and workmanship.

b. Customer Remedies. McAfee's and its suppliers' entire liability and your exclusive remedy for

any breach of the foregoing warranty shall be, at McAfee's option, either (i) return of the
purchase price paid for the license, if any, or (ii) repl acement of the defective med ia in which the
Software is contained. You must return the defective media to McAfee at your expense with a
copy of your receipt. This limited warranty is void if the defect has resulted from accident,
abuse, or misapplication. Any replacement media will be warranted for the remainder of the
original warranty period. Outside the United St ates, this remedy is not av ailable to the extent
McAfee is subject to restrictions under United States export control laws and regulations.

c. Warranty Disclaimer. Except for the limited warranty set forth herein, THE SOFTWARE IS

PROVIDED "AS IS." TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE
LAW, MCAFEE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
NONINFRINGEMENT WITH RESPECT TO THE SOFTWARE AND THE
ACCOMPANYING DOCUMENTATION. YOU ASSUME RESPONSIBILITY FOR
SELECTING THE SOFTWARE TO ACHIEVE YOUR INTENDED RESULTS, AND FOR
THE INSTALLATION OF, USE OF, AND RESULTS OBTAINED FROM THE SOFTWARE.
WITHOUT LIMITING THE FOREGOING PROVISIONS, MCAFEE MAKES NO
WARRANTY THAT THE SOFTWARE WILL BE ERROR-FREE OR FREE FROM
INTERRUPTIONS OR OTHER FAILURES OR THAT THE SOFTWARE WILL MEET
YOUR REQUIREMENTS. SOME STATES AND JURISDICTIONS DO NOT ALLOW
LIMITATIONS ON IMPLIED WARRANTIES, SO THE ABOVE LIMITATION MAY NOT
APPLY TO YOU. The foregoing provisions shall be enforceable to the maximum extent
permitted by applicable law.

iv Dr Solomon’s Anti-Virus

7. Limitation of Liability. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY,
WHETHER IN TORT, CONTRACT, OR OTHERWISE, SHALL MCAFEE OR ITS SUPPLIER S
BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL,
INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING,
WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE,
COMPUTER FAILURE OR MALFUNCTION, OR FOR ANY AND ALL OTHER DAMAGES
OR LOSSES. IN NO EVENT WILL MCAFEE BE L IABLE FOR ANY DAMAGES IN EXCESS
OF THE LIST PRICE MCAFEE CHARGES FOR A LICE NSE TO THE SOFTW ARE, EVEN IF
MCAFEE SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR
PERSONAL INJURY TO THE EXTENT THAT APPLICABLE LAW PROHIBITS SUCH
LIMITATION. FURTHERMORE, SOME STATES AND JURISDICTIONS DO NOT ALLOW
THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES,
SO THIS LIMITATION AND EXCLUSION MAY NOT APPLY TO YOU. The foregoing
provisions shall be enforceable to the maximum extent permitted by applicable law.

8. United States Government. The Software and accompanying Documentation are deemed to be
"commercial computer software" and "commercial computer software documentation,"
respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any
use, modification, reproduction, release, performance, display or disclosure of the Software and
accompanying Documentation by the United States Government shall be governed solely by the
terms of this Agreement and shall be prohibited except to the extent expressly permitted by the
terms of this Agreement.

9. Export Controls. Neither the Software nor the Documentation and underlying information or
technology may be downloaded or otherwise exported or re-exported (i) into (or to a national or
resident of ) Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria or any other country to which the
United States has embargoed goods; or (ii) to anyone on the United States Treasury Department's
list of Specially Designated Nations or the United States Commerce Department's Table of Denial
Orders. By downloading or using the Software you are agreeing to the foregoing and you are
certifying that you are not located in, under the control of, or a national or resident of any such
country or on any such list.

IN ADDITION, YOU SHOULD BE AWARE OF THE FOLLOWING: EXPORT OF THE
SOFTWARE MAY BE SUBJECT TO COMPLIANCE WITH THE RULES AND
REGULATIONS PROMULGATED FROM TIME TO TIME BY THE BUREAU OF EXPOR T
ADMINISTRATION, UNITED STATES DEPARTMENT OF COMMERCE, WHICH
RESTRICT THE EXPORT AND RE-EXPORT OF CERTAIN PRODUCTS AND TECHNICAL
DATA. IF THE EXPORT OF THE SOFTWARE IS CONTROLLED UNDER SUCH RULES
AND REGULATIONS, THEN THE SOFTWARE SHALL NOT BE EXPORTED OR
RE-EXPORTED, DIRECTLY OR INDIRECTLY, (A) WITHOUT ALL EXPORT OR
RE-EXPORT LICENSES AND UNITED STATES OR OTHER GOVERNMENTAL
APPROVALS REQUIRED BY ANY APPLICABLE LAWS, OR (B) IN V IOLATION OF ANY
APPLICABLE PROHIBITION AGAINST THE EXPORT OR RE-EXPORT OF ANY PART OF
THE SOFTWARE.

Administrator’s Guide v

SOME COUNTRIES HAVE RESTRICTIONS ON THE USE OF ENCRYPTION WITHIN
THEIR BORDERS, OR THE IMPORT OR EXPORT OF ENCRYPTION EVEN IF FOR ONLY
TEMPORARY PERSONAL OR BUSINESS USE. YOU ACKNOWLEDGE THAT THE
IMPLEMENTATION AND ENFORCEMENT OF THESE LAWS IS NOT ALWAYS
CONSISTENT AS TO SPECIFIC COUNTRIES. ALTHOUGH THE FOLLOWING
COUNTRIES ARE NOT AN EXHAUSTIVE LIST THERE MAY EXIST RESTRICTIONS ON
THE EXPORTATION TO, OR IMPORTATION OF, ENCRYPTION BY: BELGIUM, CHINA
(INCLUDING HONG KONG), FRANCE, INDIA, INDONESIA, ISRAEL, RUSSIA, SAUDI
ARABIA, SINGAPORE, AND SOUTH KOREA. YOU ACKNOWLEDGE IT IS YOUR
ULTIMATE RESPONSIBILITY TO COMPLY WITH ANY AND ALL GOVERNMENT
EXPORT AND OTHER APPLICABLE LAWS AND THAT MCAFEE HAS NO FURTHER
RESPONSIBILITY AFTER THE INITIAL SALE TO YOU WITHIN THE ORIGINAL
COUNTRY OF SALE.

10.High Risk Activities. The Software is not fault-tolerant and is not designed or intended for use in
hazardous environments requiring fail-safe performance, including without limitation, in the
operation of nuclear facilities, aircraft navigation or communication systems, air traffic control,
weapons systems, direct life-support machines, or any other application in which the failure of the
Software could lead directly to death, personal injury, or severe physical or property damage
(collectively, "High Risk Activities"). McAfee expressly disclaims any express or implied
warranty of fitness for High Risk Activities.

11.Miscellaneous. This Agreement is governed by the laws of the United States and the State of
California, without reference to conflict of laws principles. The application of the United Nations
Convention of Contracts for the International Sale of Goods is expres sly excluded. This Agreement
sets forth all rights for the user of the Software and is the entire agreement between the parties. This
Agreement supersedes any other communications with respect to the Software and Docum entation.
This Agreement may not be modified except by a written addendum issued by a duly authorized
representative of McAfee. No provision hereof shall be deemed waived unless such waiver shall
be in writing and signed by McAfee or a duly authorized representative of McAfee. If any
provision of this Agreement is held invalid, the remainder of this Agreement shall contin ue in full
force and effect. The parties confirm that it is their wish that this Agreement has been written in
the English language only.

12.McAfee Customer Contact. If you have any questions concerning these terms and conditions, or
if you would like to contact McAfee for any other reason, please call (408) 988-3832, fax (408)
970-9727, or write: McAfee Software, 3965 Freedom Circle, Santa Clara, California 95054.
http://www.mcafee.com.

Statements made to you in the course of this sale are subject to the Year 2000 Information and
Readiness Disclosure Act (Public Law 105-271). In the case of a dispute, this Act may reduce your
legal rights regarding the use of any statements regarding Year 2000 readiness, unless otherwise
specified in your contract or tariff.

vi Dr Solomon’s Anti-Virus

Table of Contents

Preface.....................................................xi

Anti-virusprotectionasinformationsecurity .........................xi

Informationsecurityasabusinessnecessity ........................xiv

ActiveVirusDefensesecurityperimeters ............................xv

Dr Solomon’s anti-virus research . . . . . .............................xvii

HowtocontactNetworkAssociates...............................xviii

Customerservice..........................................xviii

Technical support ..........................................xix

Downloadsupport ...........................................xx

NetworkAssociatestraining...................................xx

Commentsandfeedback......................................xx

Reportingnewitemsforanti-virusdatafileupdates ...............xx

Internationalcontactinformation ..............................xxii

Chapter 1. About Dr Solomon’sAnti-Virus .......................25

Introducing Dr Solomon’sAnti-Virus ................................25

How does Dr Solomon’sAnti-Viruswork?............................27

What comes with Dr Solomon’sAnti-Virus? ..........................29

What’snewinthisrelease?........................................33

Chapter 2. Installing Dr Solomon’sAnti-Virus ....................37

Beforeyoubegin.................................................37

Systemrequirements.........................................37

Installing Dr Solomon’sAnti-Virussoftwareonalocalcomputer.........38

Installationsteps ............................................38

Using the Emergency Disk Creation utility . . . . . . . . . ..............53

Determiningwhenyoumustrestartyourcomputer................58

Testingyourinstallation ..........................................59

Modifying or removing your local Dr Solomon’s Anti-Virus installation .

61

Installing Dr Solomon’s Anti-Virus software on other computers . . . . . . . . .63

UsingActiveDirectoryandGroupPolicies.......................63

Administrator’s Guide vii

Table of Contents

Installing Dr Solomon’s Anti-Virus softwareusing command-lineoptions

64

UsingManagementEditionsoftware ............................72

Using ePolicy Orchestrator to deploy Dr Solomon’sAnti-Virussoftware

73

Installing via System Management Server . . . . . . . . . . ..............74

Installing via Tivoli IT Director . . . ..............................74

Installing via ZENworks . . . . . . . . . ..............................75

Exporting Dr Solomon’sAnti-Viruscustomsettings ...............75

Chapter 3. Removing Infections

FromYourSystem ....................................79

Ifyoususpectyouhaveavirus... ...................................79

Decidingwhentoscanforviruses ..................................82

Recognizing when you don’thaveavirus ............................83

Understandingfalsedetections ................................84

Responding to viruses or malicious software . . . . . . . . . . . ..............85

Submittingavirussample.........................................97

Using the SendVirus utility to submit a file sample . . ..............97

Capturing boot sector, file-infecting, and macro viruses . . . . . . . . . . .100

Chapter 4. Using Dr Solomon’sAnti-Virus ......................105

UsingtheWinGuardscanner......................................105

Using the Dr Solomon’sAnti-Virusapplication .......................105

Schedulingscantasks...........................................106

Usingspecializedscanningtools ..................................106

Chapter5. SendingAlertMessages............................107

Using the Alert Manager Client Configuration utility . . . . . .............107

Dr Solomon’sAnti-VirusasanAlertManagerClient ..................108

ConfiguringtheAlertManagerClientutility..........................108

Chapter 6. Updating and Upgrading Dr Solomon’sAnti-Virus ......113

Developinganupdatingstrategy ..................................113

Update and upgrade methods . . . . . . . . .............................114

Understanding the AutoUpdate utility . .............................116

viii Dr Solomon’sAnti-Virus

Table of Contents

ConfiguringtheAutoUpdateUtility.................................118

UnderstandingtheAutoUpgradeutility .............................127

Configuring the AutoUpgrade utility . . . .............................128

Using the AutoUpgrade and SuperDAT utilities together . . . . . . . . . .137

DeployinganEXTRA.DATfile.................................139

Appendix A. Using Dr Solomon’s Anti-Virus Administrative Utilities 141

Understanding the Dr Solomon’sAnti-Viruscontrolpanel .............141

Opening the Dr Solomon’sAnti-Viruscontrolpanel...................141

Choosing Dr Solomon’sAnti-Viruscontrolpaneloptions ..............142

AppendixB. InstalledFiles ...................................147

What’sinthisappendix? .........................................147

WinGuardscanner ..........................................147

Dependent and related files for the Dr Solomon’s Anti-Virus application

153

AlertManager ..............................................156

Dr Solomon’sAnti-Viruscontrolpanelfiles .....................157

ScreenScan................................................158

Dr Solomon’sAnti-VirusEmergencyDiskfiles...................160

Dependent and related files for the E-Mail Scan extension . . . . . . . . .162

Appendix C. Using Dr Solomon’s Anti-Virus Command-line Options 167

Adding advanced Dr Solomon’sAnti-Virusengineoptions.............167

Running the Dr Solomon’s Anti-Virus Command Line program . . . . . . . . .167

Running the on-demand scanner with command-line arguments . . . . . . . .177

Appendix D. Using the SecureCast Service to Get New Data Files . .185

Introducing the SecureCast service . . . .............................185

Why should I update my da ta files? . . . .............................186

WhichdatafilesdoestheSecureCastservicedeliver? ............186

Installing the BackWeb client and SecureCast service . . . . .............187

Systemrequirements........................................187

Troubleshooting the Enterprise SecureCast service . .............197

UnsubscribingfromtheSecureCastservice.....................197

Supportresources ..............................................197

Administrator’s Guide ix

Table of Contents

SecureCastservice .........................................197

BackWebclient.............................................198

Appendix E. Network Associates

Support Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Adding value to your Dr Solomon’sproduct .........................199

PrimeSupport options for corporate customers . . . . . .............199

Ordering a corporate PrimeSupport plan . . . . . . . . . . .............202

PrimeSupport options for home users . .............................204

How to reach international home user support . . . . . . .............206

Ordering a PrimeSupport plan for home users . . . . . . .............206

NetworkAssociatesconsultingandtraining.........................207

ProfessionalServices .......................................207

TotalEducationServices.....................................208

Appendix F. Understanding iDAT Technology . . . . . . . . . . . . . . . . . . . 209

Understandingincremental.DATfiles ..............................209

How does iDAT updating work? . . . . . . .............................210

What does Dr Solomon’sposteachweek?......................211

Bestpractices ..................................................212

Frequentlyaskedquestions ......................................213

Index......................................................217

x Dr Solomon’sAnti-Virus

Preface

Anti-virus protection as information security

“Theworld changed[on March26, 1999]—doesanyone doubt that? The world

is different. Melissa proved that ... and we are very fortunate ... the world
could have gone very close to meltdown.”

—Padgett Peterson, Chief Info Security Architect, Lockheed Martin Corporation,

on the 1999 “Melissa” virus epidemic

Bytheendofthe1990s,manyinformationtechnologyprofessionalshad
begun to recognize that they could not easily separate how they needed to
respond to new virus threats from how they already dealt with deliberate
network security breaches. Dorothy Denning, co-editor of the 1998 computer
security handbook Internet Besieged: Countering Cyberspace Scofflaws, explicitly
grouped anti-virus security measures in with other network security
measures, classifying them as a defense against malicious “injected code.”

Denning justified her inclusive grouping on based on her definition of
information security as “the effective use of sa feg uards to protect the
confidentiality, integrity, authenticity, availability, and non-repudiation of
information andinformation processing systems.” Virus payloads had always
threatened or damaged data integrity, but by the time she wrote her survey
article, newer viruses had already begun to mount sophisticated attacks that
struck at the remaining underpinnings of information security. Denning’s
classification recognized that newer viruses no longer merely annoyed system
administrators or posed a relatively low-grade threat; they had in fact
graduated to become a serious hazard.

Though not targeted with as much precision as an unauthorized network
intrusion, virus attacks had begun to take on the color of deliberate
information warfare. Consider these examples, many of which introduced
quickly-copied innovations to the virus writer’s repertoire:

• W32/CIH.Spacefiller destroyed the flash BIOS in workstations it infected,

effectively preventing them from booting. It also overwrote parts of the
infected hard disk with garbage data.

• XM/Compat.ArewrotethedatainsideMicrosoftExcelspreadsheetfiles.It

used advanced polymorphic concealment techniques, which meant that
with each infection it changed the signature bytes that indicated its
presence and allowed anti-virus scanners to find it.

Administrator’s Guide xi

Preface

• W32/Ska, though technically a worm, replaced the infected computer’s

WinSock file so that it could attach itself to outgoing Simple Mail Transfer
Protocol (SMTP) messages and postings to USENET news groups. This
strategy made it commonplace in many areas.

• Remote Explorer stole the security privileges of a Windows NT domain

administrator and used them to install itself as a Windows NT Service. It
also deposited copies of itself in the Windows NT driver directory and
carried with it a supporting Dynamic Link Library (.DLL) file that allowed
it to randomly encrypt data files. Because it appeared almost exclusively at
one corporate site, security experts speculated that it was a deliberate,
targeted attack on the unfortunate company’s network integrity.

• Back Orifice, the product ofa group calling itself the Cult of the Dead Cow,

purported to give the owner of the client portion of the Back Orifice
application complete remote access to any Windows 95 or Windows 98
workstation thatruns t he concealed companion server. That access—from
anywhereon the Internet—allowedthe clientto capturekeystrokes; open,
copy, delete, or run files; transmit screen captures; and restart, crash, or
shut down the infected computer. To add insult to injury, early Back
Orifice releases on CD-ROM carried a W32/CIH.Spacefiller infection.

Throughout much of 1999, virus and worm attacks suddenly stepped up in
intensity and in the public eye. Part of the reason for this, of course, is that
many of the more notorious viruses and worms took full advantage of the
Internet, beginning a long-predicted assault by flooding e-mail transmissions,
websites, newsgroups and other available channels at an almost exponential
rate of growth. They now bullied their way into network environments,
spreading quickly and leaving a costly trail of havoc behind them.

W97M/Melissa, the “Melissa” virus, jolted most corporate information
technology departments out of whatever remaining complacency they had
held onto in the face of the newer virus strains. Melissa brought corporate
e-mail servers down across the United States and elsewhere when it struck in
March 1999. Melissa instructed e-mail client programs to send out infected
e-mail messages to the first 50 entries in each target computer’s address book.
This transformed a simple macro virus infection with no real payload into an
effective denial-of-service attack on mail servers.

Melissa’s other principle innovation was its direct attempt to play on end-user
psychology: it forged ane-mail message from asender the recipient knew, and
sent it with a subject line that urged that recipient to open both the message
and the attached file. In this way, Melissa almost made the need for viral code
to spread itself obsolete—end users themselves cooperated in its propagation,
and their own computers blindly participated.

xii Dr Solomon’sAnti-Virus

Preface

A rash of Melissa variants and copycats appeared soon after. Some, such as
W97M/Prilissa, included destructivepayloads. Later the same year, a number
of new viruses and worms either demonstrated novel or unexpected ways to
get into networks and compromise information security, or actually
perpetuated attacks. Examples included:

• W32/ExploreZip.worm and its variants, which used some of Melissa’s

techniques to spread, initially through e-mail. After it successfully infected
a host machine, ExploreZip searched for unsecured network shares and
quietly copied itself throughout anetwork. It carried a destructive payload
that erased variousWindows system filesand Microsoft Officedocuments,
replacing them with an unrecoverable zero-byte-length files.

• W32/Pretty.worm, which did Melissa one better by sending itself to every

entry in the infected computer’s MAPI address book. It also connected to
an Internet Relay Chat (IRC) server, joined a particular IRC channel, then
opened a path to receive commands via the IRC connection. This
potentially allowed those on the channel to siphon information from the
infectedcomputer,includingthe computernameand owner’s name, hisor
her dial-up networking user name and password, and the path to the
system root directory.

• W32/FunLove.4099, which infected ActiveX .OCX files, among others.

This meant that it couldlurk on web pages withActiveX content, and infect
systems with low or nonexistent browser security settings as they
downloaded pages to their hard disks. If a Windows NT computer user
had logged into a system with administrative rights, the infecting virus
would patch two critical system files that gave all users on the network
—includingthe virus—administrative rights to all files on the target
computer. It spread further within the network by attaching itself to files
with the extensions .SCR, .OCX, and .EXE.

• VBS/Bubbleboy, a proof-of-concept demonstration that showed that a

virus could infect target computers directly from e-mail messages
themselves, without needing to propagate through message attachments.
It effectively circumvented desktop anti-virus protection altogether, at
least initially. Its combination of HTML and VBScript exploited existing
vulnerabilities in Internet-enabledmail systems;its author playedupon the
same end-user psychology that made Melissa successful.

The other remarkable development in the year was the degree to which virus
writers copied, fused, and extended each others’ techniques. This cross­pollination had always occurred previously, but the speed at which it took
placeandtheincreasingsophisticationof thetools and techniquesthatbecame
available during this period prepared very fertile ground for a nervously
awaited bumper crop of intricate viruses.

Administrator’s Guide xiii

Preface

Information security as a business necessity

Coincidentally or not, these darkly inventive new virus attacks and speedy
propagation methods appeared as more businesses made the transition to
Internet-based information systems and electronic commerce operations. The
convenience and efficiency that the Internet brought to business saved money
and increased profits. This probably also made these same businesses
attractive targets for pranksters, the hacker underground, and those intent on
striking at their favored targets.

Previously, the chief costs from a virus attack were thetime and money it took
to combat an infection and restore computer systems to working order. To
those costs the new types of virus attacks now added the costs of lost
productivity, network and server downtime, service denials for e-mail and
other critical business tools, exposure—and perhaps widespread distribution
—of confidentialinformation, and other ills.

Ultimately, the qualifying differences between a hacker-directed security
breach in a network and a security breach that results from a virus attack
might become merely ones of intent and method, not results. Already new
attacks have shaken the foundations of Net-enabled businesses, many of
which require 24-hour availability for networks and e-mail, high data
integrity, confidential customer lists, secure credit card data and purchase
verification, reliable communications, and hundreds of other computer-aided
transactional details. The costs from these virus attacks in the digital economy
now cut directly into the bottom line.

Because they do, protecting that bottom line means implementing a total
solution for information and network security—one that includes
comprehensive anti-virus protection. It’s not enough to rely only on
desktop-basedanti-virusprotection,oronhaphazardoradhocsecurity
measures. The best defense requires sealing all potential points by which
viruses can enter or attack your network, from the firewall and gateway down
to the individual workstation, and keeping the anti-virus sentries at those
points updated and current.

Part of the solution is deploying the Dr Solomon’s Active Virus Defense*
software suite, which provides a comprehensive, multi-platform series of
defensive perimeters for your network. You can also build on that security
with the Dr Solomon’s Active Security suite, which allows you to monitor
your network against intrusions, watch actual network packet traffic, and
encrypt e-mail and network transmissions. But even with anti-virus and
security software installed, new and previously unidentified viruses will
inevitably find their way into your network. That’s where the other part of the
equation comes in: a thorough, easy-to-follow anti-virus security policy and
set of practices for your enterprise—in the last analysis, only that can help to
stop a virus attack before it becomes a virus epidemic.

xiv Dr Solomon’sAnti-Virus

Active Virus Defense security perimeters

The Dr Solomon’s Active Virus Defense product suite exists for one simple
reason: there is no such thing as too much anti-virus protection for the
modern, automated enterprise. Although at first glance it might seem
needlessly redundant to protect all of your desktop computers, file and
network servers, gateways,e-mail servers andfirewalls, each ofthese network
nodesservesa different function in yournetwork,andhas different duties. An
anti-virus scanner designed to keep a production workstation virus-free, for
example, can’t intercept viruses that flood e-mail servers and effectively deny
their services. Nor would you want to make a file server responsibl e for
continuously scanningits client workstations—the costin networkbandwidth
would be too high.

More to the point, each node’s specialized functions mean that viruses infect
them in different ways that, in turn, call for optimized anti-virus solutions.
Viruses and other malicious code can enter your network from a variety of
sources—floppy disks and CD-ROMs, e-mail attachments, downloaded files,
and Internet sites, for example. These unpredictable points of entry mean that
infecting agents can slip through the chinks in incomplete anti-virus armor.

Desktop workstations, for example, can spread viruses by any of a variety of
means—via floppy disks, by downloading them from the Internet, by
mapping server shares or other workstations’ hard disks. E-mail servers, by
contrast, rarely use floppy disks and tend not to use mapped drives—the
Melissa virus showed,however, thatthey are quitevulnerable toe-mail–borne
infections, even if they don’t execute the virus code themselves.

Preface

At the desktop: Dr Solomon’sAnti-Virus

The Dr Solomon’s Active Virus Defense product suite matches each point of
vulnerability with a specialized, and optimized, anti-virus application. At the
desktop level, the cornerstone of the suite is the Dr Solomon’s Anti-Virus
anti-virus product. Dr Solomon’s Anti-Virus protects some of your most
vulnerable virus entrypoints withan interlockingset of scanners, utilities, and
support files that allow it to cover:

• Localharddisks,floppy disks,CD-ROMs,andotherremovable media.The

WinGuard scanner resides in memory, waiting for local file access of any
sort. As soon as one of your network users opens, runs, copies,saves,
renames, or sets attributes for any file on their system—even from mapped
network drives—the WinGuard scanner examines it for infections.

You can supplement this continuous protection with scan operations you
configure and schedule for your own needs. Comprehensive security
options let you protect individual options with a password, or run the
entire application in secure mode to lock out all unauthorized access.

Administrator’s Guide xv

Preface

• System memory, boot sectors, and master boot records. You can configure

regularly scheduled scan operations that examine these favorite virus
hideouts, or set up periodic operations whenever a threat seems likely.

• Microsoft Exchange mailboxes. Dr Solomon’s Anti-Virus includes a

specialized E-Mail Scan extension that assumes your network user’s
Microsoft Exchange or Outlook identity to scan his or her mailbox
directly—before viruses get downloaded to the local workstation. This can
prevent some Melissa-style infections and avoid infections from the next
generation of VBS/Bubbleboy descendants.

• Internet mail and file downloads. The WinGuard scanner includes two

modules that specialize in intercepting SMTP and POP-3 e-mail messages,
and that can examine files your network users download from Internet
sites. The E-Mail Scan and Download Scan modules work together to scan
the stream of file traffic that most workstations generate and receive daily.

• Hostile code. The Olympus scan engine at the heart of Dr Solomon’s

Anti-Virus routinely looks for suspicious script code, macro code, known
Trojan horse programs—even virus jokes or hoaxes. With the help of the
WinGuard Internet Filter module, it also blocks hostile ActiveX and Java
objects, many of which can lurk unnoticed on websites, waiting to deploy
sophisticated virus-like payloads. The Internet Filter module can even
block entire websites, preventing network users from visiting sites that
pose a threat to network integrity.

Dr Solomon’s Anti-Virus ties these powerful scanning capabilities together
with a powerful set of alerting, updating, and management tools. These
include:

• Alert Manager client configuration. Dr Solomon’s Anti-Virus includes a

client configuration utility you can use to have it pass alert messages
directly to Alert Manager servers on your network, to a Centralized
Alerting share, or to a Desktop Management Interface administrative
application. Other alert methods include localcustom messages and beeps,
detection alerts and response options, and e-mail alert messages.

• Next-generation AutoUpdateand AutoUpgrade utilities.AutoUpdate v4.5

features complete and transparent support for new incremental .DAT file
updates, which save you time and network bandwidth by adding only
virus definitions you don’t already have installed on your system. The new
AutoUpgrade version includes support for v1.2 of the Dr Solomon’s
SuperDAT utility, which you can use to update the Olympus scan engine
and its support files.

xvi Dr Solomon’sAnti-Virus

• Integration withDrSolomon’s ePolicyOrchestrator management software.

Centralized anti-virus management takes a quantum leap forward with
this highly scalable management tool. Dr Solomon’s Anti-Virus ships with
a plug-in library file that works with the ePolicy Orchestrator server to
enforce enterprise-wide network security policies.

You can use ePolicy Orchestrator to configure, update, distribute and
manage DrSolomon’s Anti-Virus installations atthe group, workstation or
user level. Schedule and run scan tasks, change configurations, update
.DAT and engine files—all from a central console.

Taken together, theActive Virus Defensesuite forms atight series ofanti-virus
security perimeters around your network that protect you against both
external and internal sources of infection. Those perimeters, correctly
configured and implemented in conjunction with a clear enterprise-wide
anti-virus security policy, do indeed offer useful redundancy, but their chief
benefit lies in their ability to stop viruses as they enter your network, without
your having to await a tardy or accidental discovery. Early detection contains
infections, saves on the costs of virus eradication, and in many cases can
prevent a destructive virus payload from triggering.

Dr Solomon’s anti-virus research

Preface

Even the best anti-virus software is only as good as its latest update. Because
as many as 200 to 300 viruses and variants appear each month, the .DAT files
that enable Dr Solomon’s software to detect and remove viruses can get
quickly outdated. If you have not updated the files that originally came with
your software, you could risk infection from newly emerging viruses. Dr
Solomon’s has, however, assembled the world’slargest andmost experienced
anti-virus research staff in its Anti-Virus Emergency Response Team
(AVERT)*. This premier anti-virus research organization has a worldwide
reach and a“follow the sun” coverage policy, that ensures that youget thefiles
you need to combat new viruses as soon as—and often before—you need
them. You can take advantage of many of the direct products of this research
by visiting the AVERT research site on the Network Associates website:

http://www.nai.com/asp_set/anti_virus/introduction/default.asp

ContactyourDrSolomon’srepresentative,orvisittheDrSolomon’swebsite,
to find out how to enlist the power of th e Active Virus Defense security
solution on your side:

http://www.mcafeeb2b.com/

Administrator’s Guide xvii

Preface

How to contact Network Associates

Customer service

On December 1, 1997, McAfee Associates merged with Network General
Corporation, Pretty Good Privacy, Inc., and Helix Software, Inc. to form
Network Associates, Inc. The combined Company subsequently acquired Dr
Solomon's Software, Trusted Information Systems, Magic Solutions, and
CyberMedia, Inc.

A January 2000 company reorganization formed four independent business
units, each concerned with a particular product line. These are:

• Magic Solutions. This division supplies the Total Service desk product line

and related products

• McAfee and Dr Solomon’s Software. These divisions provide the Active

Virus Defense product suite and related anti-virus software solutions to
corporate and retail customers.

• PGP Security. This division provides award-winning encryption and

security solutions, including the PGP data security andencryption product
line, the Gauntlet firewall product line, the WebShield E-ppliance
hardware line, and the CyberCop Scanner and Monitor product series.

• Sniffer Technologies. This division supplies the industry-leading Sniffer

network monitoring, reporting, and analysis utility and related software.

Network Associates continues to market and support the product lines from
each of the new independent business units. You may direct all questions,
comments, or requests concerning the software you purchased, your
registration status, or similar issues to the Network Associates Customer
Servicedepartmentatthefollowingaddress:

Network Associates Customer Service
4099 McEwan, Suite 500
Dallas, Texas 75244
U.S.A.

The department's hours of operation are 8:00 a.m. and 8:00 p.m. Central Time,
Monday through Friday

Other contact information for corporate-licensed customers:
Phone: (972) 308-9960
Fax: (972) 619-7485 (24-hour, Group III fax)
E-Mail: services_corporate_division@nai.com
Web: http://www.nai.com

xviii Dr Solomon’sAnti-Virus

Other contact information for retail-licensed customers:
Phone: (972) 308-9960
Fax: (972) 619-7485 (24-hour, Group III fax)
E-Mail: cust_care@nai.com
Web: http://www.mcafee.com/

Technical support

Dr Solomon’s and Network Associates are famous for their dedication to
customer satisfaction. The companies have continued this tradition by making
their sites on the World Wide Web valuable resources for answers to technical
support issues. Dr Solomon’s encourages you to make this your first stop for
answers to frequently asked questions, for updates to Dr Solomon’s and
Network Associates software, and for access to news and virus information

World Wide Web http://www.nai.com/asp_set/services/technical_support

Ifyoudonotfindwhatyouneedordonothavewebaccess,tryoneofour
automated services.

Preface

.

/tech_intro.asp

Internet techsupport@mcafee.com
CompuServe GO NAI
America Online keyword MCAFEE

If the automated services do not have the answers you need, contact Network
Associates at one of the following numbers Monday through Friday between

A.M.and8:00P.M. Central time to find out about Network Associates

8:00
technical support plans.

For corporate-licensed customers:

Phone (972) 308-9960
Fax (972) 619-7845

For retail-licensed customers:

Phone (972) 855-7044
Fax (972) 619-7845

This guide includes a summary of the PrimeSupport plans available to Dr
Solomon’s customers. To learn more about plan features and other details, see

Appendix E, “Network Associates Support Services.”

Administrator’s Guide xix

Preface

To provide the answers you need quickly and efficiently, the Network
Associates technical support staff needs some information about your
computer and your software. Please include this information in your
correspondence:

• Product name and version number

• Computer brand and model

• Any additional hardware or peripherals connected to yo ur computer

• Operating system type and version numbers

• Network type and version, if applicable

• Contents of your AUTOEXEC.BAT, CONFIG.SYS, and system LOGIN

script

• Specific steps to reproduce the problem

Download support

Toget help withnavigating ordownloading filesfrom the NetworkAssociates
or Dr Solomon’s websites or FTP sites, call:

Corporate customers (801) 492-2650
Retail customers (801) 492-2600

Network Associates training

For information about scheduling on-site training for any Dr Solomon’s or
Network Associates product, call Network Associates Customer Service at:
(972) 308-9960.

Comments and feedback

Dr Solomon’s Software appreciates your comments and reserves the right to
use any information you supply in any way it believes appropriate without
incurring any obligation whatsoever.

Reporting new items for anti-virus data file updates

DrSolomon’santi-virussoftwareoffersyouthebestavailabledetectionand
removal capabilities, including advanced heuristic scanning that can detect
new and unnamed viruses as they emerge. Occasionally, however, an entirely
new type of virus that is not a variation on an older type can appear on your
system and escape detection.

xx Dr Solomon’sAnti-Virus

Preface

Because Dr Solomon’s researchers are committed to providing you with
effective and up-to-date tools you can use to protect your system, please tell
them about any new Java classes, ActiveX controls, dangerous websites, or
viruses that your software does not now detect. Note that Dr Solomon’s
Software reserves the right to use any information you supply as it deems
appropriate, without incurring any obligations whatsoever. Send your
questions or virus samples to:

virus_research@nai.com Use this address to send questions or

virus samples to our North America
and South America offices

vsample@nai.com Use this address to send questions or

virus samples gathered with Dr
Solomon’s Anti-Virus Toolkit* software
to our offices in the United Kingdom

To report items to the Dr Solomon’s European researchoffice, use these e-mail
addresses:

virus_research_europe@nai.com Use this address to send questions or

virus samplesto our officesin Western
Europe

virus_research_de@nai.com Use this address to send questions or

virus samples gathered with Dr
Solomon’s Anti-Virus Toolkit software
to our offices in Germany

To report items to the Dr Solomon’s Asia-Pacific research office, or the office
in Japan, use one of these e-mail addresses:

virus_research_japan@nai.com Use this address to send questions or

virus samples to our offices in Japan
and East Asia

virus_research_apac@nai.com Use this address to send questions or

virus samples toour officesin Australia
and South East Asia

Administrator’s Guide xxi

Preface

International contact information

To contact Network Associates outside the United States, use the addresses,
phone numbers and fax numbers below.

Network Associates
Australia

Level 1, 500 Pacific Highway
St. Leonards, NSW
Sydney, Australia 2065
Phone: 61-2-8425-4200
Fax: 61-2-9439-5166

Network Associates
Belgique

BDC Heyzel Esplanade,boîte 43
1020 Bruxelles
Belgique

Phone: 0032-2 478.10.29
Fax: 0032-2 478.66.21

Network Associates
Canada

139 Main Street, Suite 201
Unionville, Ontario
Canada L3R 2G6
Phone: (905) 479-4189
Fax: (905) 479-4540

Network Associates
Austria

Pulvermuehlstrasse 17
Linz, Austria
Postal Code A-4040
Phone: 43-732-757-244
Fax: 43-732-757-244-20

Network Associates
do Brasil

Rua Geraldo Flausino Gomez 78
Cj. - 51 Brooklin Novo - São Paulo
SP - 04575-060 - Brasil

Phone: (55 11) 5505 1009
Fax: (55 11) 5505 1006

Network Associates
People’s Republic of China

New Century Office Tower,Room 1557
No. 6 Southern Road Capitol Gym
Beijing
People’s Republicof China 100044
Phone: 8610-6849-2650
Fax: 8610-6849-2069

Network Associates Denmark

Lautruphoej 1-3
2750 Ballerup
Danmark
Phone: 45 70 277 277
Fax: 45 44 209 910

xxii Dr Solomon’sAnti-Virus

NA Network Associates Oy

Mikonkatu 9, 5. krs.
00100 Helsinki
Finland

Phone: 358 9 5270 70
Fax: 358 9 5270 7100

Preface

Network Associates
France S.A.

50 Rue de Londres
75008 Paris
France
Phone: 33 1 44 908 737
Fax: 33145227554

Network Associates Hong Kong

19th Floor, Matheson Centre
3 Matheson Way
Causeway Bay
Hong Kong 63225
Phone: 852-2832-9525
Fax: 852-2832-9530

Network Associates Japan, Inc.

Toranomon 33 Mori Bldg.
3-8-21 Toranomon Minato-Ku
Tokyo 105-0001 Japan
Phone: 81 3 5408 0700
Fax: 81 3 5408 0780

Network Associates
Deutschland GmbH

Ohmstraße1
D-85716 Unterschleißheim
Deutschland
Phone: 49 (0)89/3707-0
Fax: 49 (0)89/3707-1199

Network Associates Srl

Centro DirezionaleSummit
Palazzo D/1
Via Brescia, 28
20063 - Cernusco sul Naviglio (MI)
Italy
Phone: 39 02 92 65 01
Fax: 39 02 92 14 16 44

Network Associates Latin America

1200S.PineIslandRoad,Suite375
Plantation, Florida 33324
United States
Phone: (954) 452-1731
Fax: (954) 236-8031

Network Associates
de Mexico

Andres Bello No. 10, 4 Piso
4th Floor
Col. Polanco
Mexico City, Mexico D.F. 11560
Phone: (525) 282-9180
Fax: (525) 282-9183

Network Associates
International B.V.

Gatwickstraat 25
1043 GL Amsterdam
The Netherlands
Phone: 31 20 586 6100
Fax: 31 20 586 6101

Administrator’s Guide xxiii

Preface

Network Associates
Portugal

Av. da Liberdade, 114
1269-046 Lisboa
Portugal
Phone: 351 1 340 4543
Fax: 351 1 340 4575

Network Associates
South East Asia

78 Shenton Way
#29-02
Singapore 079120
Phone: 65-222-7555
Fax: 65-220-7255

Network Associates Sweden

Datavägen 3A
Box 596
S-17526Järfälla
Sweden
Phone: 46 (0) 8 580 88 400
Fax: 46 (0) 8 580 88 405

Net Tools Network Associates
South Africa

Bardev House, St. Andrews
Meadowbrook Lane
Epson Downs, P.O. Box 7062
Bryanston, Johannesburg
South Africa 2021
Phone: 27 11 706-1629
Fax: 27 11 706-1569

Network Associates
Spain

a

Orense 4, 4

Planta.
Edificio Trieste
28020 Madrid, Spain
Phone: 34 9141 88 500
Fax: 34 9155 61 404

Network Associates AG

Baeulerwisenstrasse 3
8152 Glattbrugg
Switzerland
Phone: 0041 1 808 99 66
Fax: 0041 1 808 99 77

Network Associates
Taiwan

Suite6,11F,No.188,Sec.5
NanKingE.Rd.
Taipei, Taiwan, Republic of China
Phone: 886-2-27-474-8800
Fax: 886-2-27-635-5864

xxiv Dr Solomon’sAnti-Virus

Network Associates
International Ltd.

227 Bath Road
Slough, Berkshire
SL1 5PP
United Kingdom
Phone: 44 (0)1753 217 500
Fax: 44 (0)1753 217 520

1About Dr Solomon’sAnti-Virus

Introducing Dr Solomon’sAnti-Virus

Eighty percent of the Fortune 100—and more than 50 million users
worldwide—choose D r Solomon’s Anti-Virus to protect their computers from
the staggering range of viruses and other malicious agents that has emerged
in the last decade to invade corporate networks and cause havoc for business
users. T hey do so because Dr Solomon’s Anti-Virus offers the most
comprehensive desktop anti-virus security solution available, with features
that spot viruses, block hostile ActiveX and Java objects, identify dangerous
websites, stop infectiouse-mail messages—and even rootout “zombie” agents
that assist in large-scale denial-of-service attacks from across the Internet.
They do so also because they recognize how much value Dr Solomon’s
anti-virus research and development brings to their fight to maintain network
integrity and service levels, ensure data se curity, and reduce ownership costs.

With more than 50,000 viruses and malicious agents now in circulation, the
stakes in this battle have risen considerably. Viruses and worms now have
capabilities that can cost an enterprise real money, not just in terms of lost
productivity and cleanup costs, but in direct bottom-line reductions in
revenue, as more businesses move into e-commerce and online sales, and as
virus attacks proliferate.

1

Dr Solomon’s Anti-Virusfirsthoned its technologicaledge as oneof a handful
of pioneering utilities developed to combat the earliest virus epidemics of the
personal computer age.It has developed considerably inthe intervening years
to keep pace with each new subterfuge that virus writers have unleashed. As
one of the first Internet-aware anti-virus applications, it maintains its value
today as an indispensable business utility for the new electronic economy.
Now, with this release, Dr Solomon’s Anti-Virus adds a whole new level of
manageability and integration with other Dr Solomon’s anti-virus tools.

Architecturalimprovements mean that each Dr Solomon’sAnti-Virus
component meshes closely with the others, sharing data and resources for
better application response and fewer demands on your system. Full support
for Network Associates ePolicy Orchestrator management software means
that network administrators can handle the details of component and task
configuration, leaving you free to concentrate on your own work. A new
incremental updating technology, meanwhile, means speedier and less
bandwidth-intensive virus definition and scan engine downloads—now the
protection you need to deal with the blindingly quick distribution rates of
new-generation viruses canarrive faster thanever before. Tolearn more about
these features, see “What’s new in this release?” on page 33.

Administrator’s Guide 25

About Dr Solomon’sAnti-Virus

The new release also adds multiplatform support for Windows 95, Windows
98, Windows NT Workstation v4.0, and Windows 2000 Professional, all in a
single package with a single installer, but optimized to take advantage of the
benefits each platform offers. Windows NT Workstation v4.0 and Windows
2000 Professional users, for example, can run Dr Solomon’s Anti-Virus with
differingsecurity levels that provide a range of enforcement options for
system administrators. That way, corporate anti-virus policy implementation
can vary from the relatively casual—where an administrator might lock down
a few critical settings, for example—to thevery strict,with predefined settings
that users cannot change or disable at all.

At the same time, as the cornerstone product inthe Dr Solomon’s Active Virus
Defense and Total Virus Defense security suites, Dr Solomon’s Anti-Virus
retains the same core features that have made it the utility of choice for the
corporate desktop. These include a virus detection rate second to none,
powerful heuristic capabilities, Trojan horse program detection and removal,
rapid- response updating with weekly virus definition (.DAT) file releases,
daily beta .DAT releases, and EXTRA.DAT file support in crisis or outbreak
situations. Because more than 300 new viruses or malicious software agents
appear each month Dr Solomon’s backs its software with a worldwide reach
and 24-hour “follow the sun” coverage from its Anti-Virus Emergency
Response Team (AVERT).

Evenwiththeriseofvirusesandwormsthatusee-mailtospread,thatflood
e-mail servers, or that infect groupware products and file servers directly, the
individual desktop remains the single largest source of infections, and is often
the most vulnerable point of entry. Dr Solomon’s Anti-Virus acts as a tireless
desktop sentry, guarding your system against more venerable virus threats
and against the latest threats that lurk on websites, often without the site
owner’s knowledge, or spread via e-mail, whether solicited or not.

In this environment, taking precautions to protect yourself from malicious
software is no longer a luxury, but a necessity. Consider the extent to which
you rely on the data on your computer and the time, trouble and money it
would take to replace that data if it became corrupted or unusable because of
a virus infection. Corporate anti-virus cleanup costs, by some estimates,
topped $16 billion in 1999 alone. Balance the probability of infection—and
your company’s share of the resulting costs—against the time and effort it
takes to put a few common sense security measures in place, and you can
quickly see the utility in protecting yourself.

Even if your own data is relatively unimportant to you, neglecting to guard
against viruses might mean that your computer could play unwitting host to
a virus that could spread to computers that your co-workers and colleagues
use. Checking your hard disk periodically with Dr Solomon’s Anti-Virus
significantly reduces your system’s vulnerability to infection and keeps you
from losing time, money and data unnecessarily.

26 Dr Solomon’sAnti-Virus

About Dr Solomon’sAnti-Virus

How does Dr Solomon’sAnti-Viruswork?

DrSolomon’sAnti-Viruscombinestheanti-virusindustry’smostcapablescan
engine with top-notch interface enhancements that give you complete access
to that engine’s power. The Dr Solomon’s Anti-Virus graphical user interface
unifies its specialized program components, but without sacrificing the
flexibility you need to fit the software into your computing environment. The
scan engine, meanwhile, combines the best features of technologies that
McAfee and Dr Solomon researchers developed independently for more than
adecade.

Fast, accurate virus detection

The foundation for that combination is the unique development environment
that McAfee and Dr Solomon researchers constructed for the engine. That
environmentincludes Virtran, a specialized programming language with a
structure and “vocabulary” optimized for the particular requirements that
virus detection and removal impose. Using specific library functions from this
language, for instance, virus researchers can pinpoint those sections within a
file, a boot sector, or a master boot record that viruses tend to infect, either
because they can hide within them, or because they can hijack their execution
routines. This way, the scanner avoids having to examine the entire file for
virus code; it can instead samplethe fileat welldefined points to look for virus
code signatures that indicate an infection.

Thedevelopment environmentbrings as muchspeed to .DAT fileconstruction
as it does to scan engineroutines. The environment provides tools researchers
can use to write “generic” definitions that identify entire virus families, and
that can easily detectthe tens or hundreds of variants that make up the bulk of
new virus sightings. Continual refinements to this technique have moved
most of the hand-tooled virus definitions that used to reside in .DAT file
updates directly into the scan engine as bundles of generic routines.
Researchers can even employ a Virtran architectural feature to plug in new
engine “verbs” that, when combined with existing engine functions, can add
functionality needed to deal with new infection techniques, new variants, or
other problems that emerging viruses now pose.

This results in blazingly quick enhancements the engine’s detection
capabilities and removes the need for continuous updates that target virus
variants.

Administrator’s Guide 27

About Dr Solomon’sAnti-Virus

Encrypted polymorphic virus detection

Along with generic virus variant detection, the scan engine now incorporates
a generic decryption engine, a set of routines that enables Dr Solomon’s
Anti-Virus to track viruses that try to conceal themselves by encrypting and
mutating their code signatures. These “polymorphic” viruses are notoriously
difficult to detect, since they change their code signature each time they
replicate.

This meant that the simple pattern-matching method that earlier scan engine
incarnations used to find many viruses simply no longer worked, since no
constant sequence of bytes existed to detect. To respond to this threat, Dr
Solomon’s researchers developedthe PolyScan Decryption Engine, which
locates and analyzes the algorithm that these types of viruses use to encrypt
and decrypt themselves. It then runs this code through its paces in an
emulated virtual machine in order to understand how the viruses mutate
themselves. Once it does so, the engine can spot the “undisguised” nature of
these viruses, and thereby detect them reliably no m atter how they try to hide
themselves.

“Double heuristics” analysis

As a further engine enhancement, Dr Solomon’s researchers have honed early
heuristic scanning technologies—originally developed to detect the
astonishing flood of macro virus variants that erupted after 1995—into a set of
precision instruments. Heuristic scanning techniques rely on the engine’s
experiencewith previousviruses to predictthe likelihoodthat asuspicious file
is an as-yet unidentified or unclassified new virus.

The scan engine now incorporates ViruLogic, a heuristic technique that can
observe a program’s behavior and evaluate how closely it resembles either a
macro virus or a file-infecting virus. ViruLogic looks for virus-like behaviors
in program functions, such as covert file modifications, background calls or
invocations of e-mail clients, and other methods that viruses can use to
replicatethemselves.Whenthenumberofthesetypesofbehaviors—ortheir
inherent quality—reaches a predetermined threshold of tolerance, the engine
fingers the program as a likely virus.

The engine also “triangulates” its evaluation by looking for program behavior
that no virus would display—prompting for some types of user input, for
example—in order to eliminate false positive detections. This double-heuristic
combination of “positive” and “negative” techniques results in an
unsurpasseddetection rate with few, if any, costly misidentifications.

28 Dr Solomon’sAnti-Virus

About Dr Solomon’sAnti-Virus

Wide-spectrum coverage

As malicious agents have evolved to take advantage of the instant
communication and pervasive reach of the Internet, so Dr Solomon’s
Anti-Virus has evolved to counter the threats they present. A computer
“virus” once meant a specific type of agent—one designed to replicate on its
own and cause alimited type of havoc on the unlucky recipient’s computer. In
recent years, however, an astounding range of malicious agents has emerged
to assault personal computer usersfrom nearlyevery conceivable angle. Many
of these agents—some of the fastest-spreading worms, for instance—use
updated versions of vintage techniques to infect systems, but many others
make full use of the new opportunities that web-based scripting and
application hosting present.

Stillothers open “backdoors”into desktop systems or create security holes in
a way that closely resembles a deliberate attempt at network penetration,
rather than the more random mayhem that most viruses tend to leave in their
wakes.

The latest Dr Solomon’s Anti-Virus releases, as a consequence, do not simply
wait for viruses to appear on your system, they scan proactively at the source
or work to deflect hostile agents away from your system. The WinGuard
scanner that comes with Dr Solomon’s Anti-Virus has three modules that
concentrate on agents that arrive from the Internet, that spread via e-mail, or
that lurk on Internet sites. It can look f or particular Java and ActiveX objects
that pose a threat, or block access to dangerous Internet sites. Meanwhile, an
E-Mail Scan extension to Microsoft Exchange e-mail clients, such as Microsoft
Outlook, can “x-ray” your mailbox on the server, looking for malicious agents
before they arrive on your desktop.

Dr Solomon’s Anti-Virus even protects itself against attempts to use its own
functionality against your computer. Some virus writers embed their viruses
inside documents that, in turn,they embed in other filesin an attemptto evade
detection. Still others take this technique to an absurd extreme, constructing
highly recursive—and very large—compressed archive files in an attempt to
tie up the scanner as it digs through the file looking for infections. Dr
Solomon’s Anti-Virus accuratelyscans the majorityof popular compressedfile
and archive file formats, but it also includes logic that keeps it from getting
trapped in an endless hunt for a virus chimera.

What comes with Dr Solomon’sAnti-Virus?

Dr Solomon’s Anti-Virus consists of several components that combine one or
more related programs, each of which play a part in defending your computer
against viruses and other malicious software. The components are:

Administrator’s Guide 29

About Dr Solomon’sAnti-Virus

• The Dr Solomon’s Anti-Virus application. This component gives you

unmatched control over your scanningoperations. You can configureand
start a scan operation at any time—a feature known as “on-demand”
scanning— specify local and network disks as scan targets, tell the
application how to respond to any infections it finds, and see reports on its
actions. You can start with the Dr Solomon’s Anti-Virus Classic window, a
basic configuration mode, then move to the Dr Solomon’s Anti-Virus
Advanced mode for maximum flexibility. A related Windows shell
extension lets you right-click any object on your system to scan it.

• The Dr Solomon’s Anti-Virus Console. This component allowsyou to

create, configure and run Dr Solomon’s Anti-Virus tasks at times you
specify. A “task” can include anything from running a scan operation on a
set of disks at a specific time or interval, to running an update or upgrade
operation. You can also enable or disable the WinGuard scanner from the
Console window.

the Console comes with a preset list of tasks that ensures a minimal level of
protection for your system—you can, for example, immediately scan and
clean your C: drive or all disks on your computer.

• The WinGuard scanner. This component gives you continuous anti-virus

protection from viruses that arrive on floppy disks, from your network, or
from various sources on the Internet. The WinGuard scanner starts when
you start your computer, and stays in memory until you shut down. A
flexible set of property pages lets you tell the scanner which parts of your
system to examine, what to look for, which parts to leave alone, and how
to respond to any infected files it finds. In addition, the scanner can alert
you when it finds avirus, and can generate reports that summarize each of
its actions.

The WinGuard scanner comes with three other specialized modules that
guard against hostile Java applets and ActiveX controls, that scan e-mail
messages and attachments that you receive from the Internet via Lotus
cc:Mail, Microsoft Mail or other mail clients that comply with Microsoft’s
MessagingApplication Programming Interface (MAPI) standard, and that
block access to dangerous Internet sites. Secure password protectio n for
your configuration options prevents others from making unauthorized
changes. The same convenient dialog box controls configuration options
for all WinGuard modules.

• The E-Mail Scan extension. This component allows you to scan your

Microsoft Exchange or Outlook mailbox, or public folders to which you
have access, directly on the server. This invaluable “x-ray” peek into your
mailbox means that Dr Solomon’s Anti-Virus can find potential infections
before they make their way to your desktop, which can stop a Melissa-like
virus in its tracks.

30 Dr Solomon’sAnti-Virus

About Dr Solomon’sAnti-Virus

• A cc:Mail scanner. This component includes technology optimized for

scanning Lotus cc:Mail mailboxes that do not use the MAPI standard.
Install and use this component if your workgroup or network uses cc:Mail
v7.x or earlier.

• The Alert Manager Client configuration utility. This component lets you

choose a destination for Alert Manager “events” that Dr Solomon’s
Anti-Virus generates when it detects a virus or takes other noteworthy
actions. You can also specify a destination directory for older-style
CentralizedAlerting messages, or supplementeither method w ith Desktop
Management Interface (DMI) alerts sent via your DMI client software.

• The ScreenScan utility. This optional component scans your computer as

your screen saver runs during idle periods.

• The SendVirus utility. This component gives you an easy and painless

way to submit files that you believe are infected directly to Dr Solomon’s
anti-virus researchers. A simple wizard guides you as you choose files to
submit, include contact details and, if you prefer, strip out any personal or
confidential data from document files.

• The Emergency Disk creation utility. This essential utility helps you to

create a floppy disk that you can use to boot your computer into a
virus-free environment, then scan essential system areas to remove any
viruses that could load at startup.

• Command-line scanners. This componentconsists of a set of full-featured

scanners you can use to run targeted scan operations from the MS-DOS
Prompt or Command Prompt windows, or from protected MS-DOS mode.
The set includes:

– SCAN.EXE, a scanner for 32-bit environments only. This is the

primary command-line interface. When you run this file, it first
checks its environment to see whether it can run by itself. If your
computer is running in 16-bit or protected mode, it will transfer
control to one of the other scanners.

– SCANPM.EXE, a s canner for 16- and 32-bit environments. This

scanner provides you with a full set of scanning options for 16- and
32-bit protected-mode DOS environments. It also includes support
for extended memory and flexible memory allocations. SCAN.EXE
will transfer control to this scanner when its specialized capabilities
canenableyourscanoperationtorunmoreefficiently.

– SCAN86.EXE, a scanner for 16-bit environments only. This scanner

includes a limited set of capabilities geared to 16-bit environments.
SCAN.EXE will transfer control to this scanner if your computer is
running in 16-bit mode, butwithout special memory configurations.

Administrator’s Guide 31

About Dr Solomon’sAnti-Virus

– BOOTSCAN.EXE, a smaller, specialized scanner for use primarily

All of the command-line scanners allow you to initiate targeted scan
operations from an MS-DOS Prompt or Command Prompt window, or
from protected MS-DOS mode. Ordinarily, you'll use the Dr Solomon’s
Anti-Virus application's graphical user interface (GUI) to perform most
scanning operations, but if you have trouble starting Windows or if the Dr
Solomon’s Anti-Virus GUI components will not run in your environment,
you can use the command-line scanners as a backup.

• Documentation.Dr Solomon’s Anti-Virus documentation includes:

with the Emergency Disk utility. This scanner ordinarily runs from
a floppy disk you create to provide you with a virus-free boot
environment.

When you run the Emergency Disk creation wizard, Dr Solomon’s
Anti-Virus copies BOOTSCAN.EXE, and a specialized set of .DAT
files to a single floppy disk. BOOTSCAN.EXE will not detect or
clean macro viruses, but it will detect or clean other viruses th at can
jeopardize your Dr Solomon’s Anti-Virus installation or infect files
at system startup. Once you identify and respond to those viruses,
you can safely run Dr Solomon’sAnti-Virusto clean therestof your
system.

–AprintedGetting Started Guide, which introduces the product,

provides installation instructions, outlines how to respond if you
suspect your computer has a virus, and provides a brief product
overview. The printed Getting Started Guide comes with the Dr
Solomon’s Anti-Virus copies distributed on CD-ROM discs—you
can also download it as VSC45WGS.PDF from Network Associates
website or from other electronic services.

– Thisuser’sguidesavedontheDrSolomon’sAnti-VirusCD-ROM

or installed on your hard disk in Adobe Acrobat .PDF format.You
can also download it as VSC45WUG.PDF from Network Associates
website or from other electronic services. The Dr Solomon’s
Anti-Virus User’s Guide describes in detail how to use Dr Solomon’s
Anti-Virus and includes other information useful as background or
as advanced configuration options. Acrobat .PDF files are flexible
online documents that contain hyperlinks, outlines and other aids
for easy navigation and information retrieval.

32 Dr Solomon’sAnti-Virus

About Dr Solomon’sAnti-Virus

– An administrator’s guide saved on the Dr Solomon’s Anti-Virus

CD-ROM or installed on your hard disk in Adobe Acrobat .PDF
format. You can also download it as VSC45WAG.PDF from
Network Associates website or from other electronic services. The
Dr Solomon’s Anti-Virus Administrator’s Guide describes in detail
how to manage and configure Dr Solomon’s Anti-Virus from a local
or remote desktop.

– An online help file. This file gives you quick access to a full range of

topics that describe Dr Solomon’s Anti-Virus. You can open this file
either by choosing Help Topics from the Help menu in the Dr
Solomon’sAnti-Virus main window, or by clicking any of the Help
buttons displayed in Dr Solomon’s Anti-Virus dialog boxes.

The help file also includes extensive context-sensitive—or “What's
This”—help. To seethese help topics,right-click buttons, lists, icons,
some text boxes, and other elements that you see within dialog
boxes. You canalso click the? symbol at the top-rightcorner in most
dialog boxes, then click the element you want to see described to
display the relevant topic. The dialog boxes with Help buttons open
the help file to the specific topic that describes the entire dialog box.

– A LICENSE.TXT file. This file outlines the terms of your license to

use Dr Solomon’s Anti-Virus. Read it carefully—by installing Dr
Solomon’s Anti-Virus you agree to its terms.

– A README.TXT file. This file contains last-minute additions or

changes to the documentation, lists any known behavior or other
issues with the product release, and often describes new product
features incorporated into incremental product updates. You’ll find
the README.TXT file at the root level of your Dr Solomon’s
Anti-Virus CD-ROM or in the D r Solomon’s Anti-Virus program
folder—you can open and print it from Windows Notepad, o r from
nearly any word-processing software.

What’s new in this release?

This Dr Solomon’s Anti-Virus release introduces a number of innovative new
features to the product’s core functionality, to its range of coverage, and to the
details of its application architecture. A previous section, “How does Dr

Solomon’s Anti-Virus work?” on page 27, discusses many of these features.

Thesingle mostsignificant changebetween previous DrSolomon’s Anti-Virus
versions and this release, however, is the integration of two separate Dr
Solomon’sAnti-VirusversionsoptimizedtorunonseparateWindows
platforms into a single product that runs on both. This single product also
takes full advantage of each platform’s strengths.

Administrator’s Guide 33

About Dr Solomon’sAnti-Virus

The next sections discuss other changes that this Dr Solomon’s Anti-Virus
release introduces.

Installation and distribution features

Dr Solomon’s anti-virus products, including Dr Solomon’s Anti-Virus, now
use the Microsoft Windows Installer (MSI), which comes with all Windows
2000 Professional systems. This Setup utility offers a wealth of custom
installation and configuration features that make Dr Solomon’s Anti-Virus
rollout across large organizations much easier and more intuitive. To learn
more about how to run custom Setup operations with MSI, see Chapter 2,

“Installing Dr Solomon’s Anti-Virus” in the Dr Solomon’s Anti-Virus

Administrator’s Guide.
ThisDrSolomon’sAnti-Virusversionalsocomeswithcompletesupportfor

the Network Associates ePolicy Orchestrator software distribution tool. A
specially packaged Dr Solomon’s Anti-Virus version ships with the ePolicy
Orchestrator software, ready for enterprise-wide distribution. You can
distribute DrSolomon’s Anti-Virus, configure it from the ePolicy Orchestrator
console, update that configuration and any program or .DAT files at any time,
and schedule scan operations, all for your entire network user base. To learn
more about using ePolicy Orchestrator software for Dr Solomon’s Anti-Virus
distribution and configuration, consult the ePolicy Orchestrator
Administrator’s Guide.

This Dr Solomon’s Anti-Virus version also includes package description
information for other distribution tools, including Microsoft System
Management Server and Tivoli Systems software management products.

Interface enhancements

This release moves the Dr Solomon’s Anti-Virus interface for all supported
platforms solidly into the territory Dr Solomon’s Anti-Virus for Windows 95
and Windows 98 pioneered with its v4.0.1 release. This adds extensive
WinGuard scanner configuration options for the Windows NT Workstation
v4.0 and Windows 2000 Professional platforms, while reducing the
complexity of some previous configuration options. Alert Manag er server
configuration, for example, moves entirely over to the NetShield product
line—Dr Solomon’s Anti-Virus now acts strictly as a configurable client
application.

This release also adds a new Dr Solomon’s Anti-Virus control panel, which
functions as a central point from which you can enable and disable all Dr
Solomon’s Anti-Virus components. This control panel also lets you set a
ceiling for the number of items you can scan in or exclude from a single
operation, and can set the WinGuard scanner and Dr Solomon’s Anti-Virus
control panel to run at startup. Other changes include:

34 Dr Solomon’sAnti-Virus

About Dr Solomon’sAnti-Virus

• New WinGuard system tray icon states tell you more about which
WinGuard modules are active. These states are:

–AllWinGuardmodulesareactive
– The System Scan module is active, but one or more of the other

WinGuardmodulesisinactive

– The System Scanmodule is inactive,but one or more ofthe other

WinGuardmodulesisactive

– All WinGuard modules are inactive

• New interface settings for task configuration allow you to tell the Dr
Solomon’s Anti-Virus application how you want it to appear as your
scheduledtaskrunsandwhatyouwantittodowhenitfinishes.Youcan
also set a password to protect individual task settings from changes, or to
protect an entire task configuration at once.

• An updated randomization feature for scheduled tasks allows you to set a
time for the task to run, then set a randomization “window.” The Dr
Solomon’sAnti-VirusConsolethenpicksarandomtimewithinthe
window to actually start the task.

• System Scan module action options now include a new Prompt Type
configuration option for Windows 95 and Windows 98 systems. This
option lets you determine how the Prompt for user action alert appears.

Changes in product functionality

• A new Alert Manager Client configuration utility allows you to choose an
Alert Manager server installed on your network as an alert message
destination, or to select a network share as a destination for Centralized
Alerting messages. You can also supplement either of these alert methods
with Desktop Management Interface alert messages.

• The Alert Manager server supports Intel Pentium III processor serial
numbers to identify individual machines for virus notification. For more
information about Intel processor serial numbers, consult the Intel FAQ at
http://support.intel.com/support/processors/pentiumiii/psqa.htm.

New update options for your Dr Solomon’sAnti-Virus

Even with the majority of the virus definitions it requires now incorporated
directly into its engine in generic routines, Dr Solomon’s Anti-Virus still
requires regular .DAT file updates to keep pace with the 200 to 300 new
viruses that appear each month. To meet this need, Dr Solomon’s has
incorporated updatingtechnology inDrSolomon’s Anti-Virusfrom its earliest
incarnations. With this release, that technologytakes a quantumleap forward
with incremental .DAT file updating.

Administrator’s Guide 35

About Dr Solomon’sAnti-Virus

Incremental .DAT files are small packages of virus definition files that collect
data from a certain range of .DAT file releases. The latest versions of the
AutoUpdate and AutoUpgrade utilities come with transparent support forthe
new updates, downloading and installing only those virus definitions you
don’t already have installed on your system. This means a substantial
reduction in download and rollout time, along with similar reductions in
network bandwidth demand.

36 Dr Solomon’sAnti-Virus

2Installing Dr Solomon’s

Anti-Virus

Before you begin

During Setup, you can choose to install Dr Solomon’s Anti-Virus software
either on your local computer,or on other computers elsewhereon the
network. The first option copies Dr Solomon’s Anti-Virus program files to
your computer’s hard disk. The second option copies selected components to
the target workstation.

Dr Solomon’s Software distributes Dr Solomon’s Anti-Virus software in two
ways: as an archived file that you can download from the Network Associates
website or from other electronic services, and on CD-ROM disc. Once you
have downloaded a Dr Solomon’s Anti-Virus archive or placed your Dr
Solomon’s Anti-Virus installation disc in your CD-ROM drive, the installation
steps are the same.

To install Dr Solomon’s Anti-Virus software, you must have Administrator
privileges for the workstation on which you plan to install the program.
Review the itemsshown in “System requirements” todetermine whether your
target workstations can run Dr Solomon’s Anti-Virus software.

System requirements

2

Dr Solomon’s Anti-Virus software installs and runs on any IBM PC or
PC-compatible computer equipped with:

• A processor equivalent to an Intel Pentium-class or compatible processor.
DrSolomon’sSoftware recommendsanIntelPentiumprocessoror Celeron
running a minimum of 166MH

• A CD-ROM drive. Not required if you download the Dr Solomon’s
Anti-Virus software.

•Atleast40
Software recommends 75

•Atleast16MB of free random-access memory (RAM). Dr Solomon’s
Software recommends 20

• MicrosoftWindows 95, Windows98, Windows NT 4.0 with ServicePack 4
or later, or Windows 2000 Professional. Dr Solomon’s Software
recommends that you also have Microsoft Internet Explorer v4.0.1 or later
installed, particularly if your system runs any Windows 95 version.

MB of free hard disk space for a full installation. Dr Solomon’s

Z.

MB.

MB.

Administrator’s Guide 37

Installing Dr Solomon ’sAnti-Virus

Installing Dr Solomon’sAnti-Virussoftwareona local computer

Note which type of Dr Solomon’s Anti-Virus software distribution you have,
then follow the corresponding steps to prepare your files for installation.

• If you downloadedyour copyof Dr Solomon’s Anti-Virus software from
the Network Associates website,from a server on your local network, or
from another electronic service, make a new, temporary folder on your
hard disk, then use WinZip, PKZIP, or a similar utility to extract the Dr
Solomon’s Anti-Virus installation files to that temporary folder. You can
download the necessary utilities from most online services.

IMPORTANT: If you suspect that your computer has a virus,
download the Dr Solomon’s Anti-Virus software installation files
onto a computer that is not infected. Install the copy onto the
uninfected computer, then use the Emergency Disk utility to make
a disk that you can use to boot the infected computer and remove
the virus. To learn more, see “If you suspect you have a virus...” on

page 69.

• If your copy of Dr Solomon’s Anti-Virus software came on a CD-ROM,
insert that disc into your computer’s CD-ROM drive.

If you inserted a CD-ROM, you should see a Dr Solomon’s Anti-Virus
welcome image appear automatically. To install Dr Solomon’s Anti-Virus
software immediately, click Install,thenskiptoStep 5 on page 41 to continue
with Setup. If the welcome image does not appear, or if you are installing Dr
Solomon’sAnti-Virussoftwarefromfilesyoudownloaded,startwithStep 2

on page 39.

IMPORTANT: Because Setup installs some Dr Solomon’s Anti-Virus
files as services on Windows NT Workstation v4.0 and Windows 2000
Professional systems, you mustlog in to yoursystem withAdministrator
rights to install this product. To run Setup on Windows 95 or
Windows 98, you do not need to log in with any particular profile or
rights.

Installation steps

Dr Solomon’s recommends that you first quit all other applications you have
running on your system before you start Setup. Doing so reduces the
possibility that software conflicts will interfere with your installation.

38 Dr Solomon’sAnti-Virus

Installing Dr Solomon’sAnti-Virus

To install Dr Solomon’s Anti-Virus software, follow these steps:

1. If your computer runsWindows NT Workstation v4.0 or Windows 2000
Professional, log on to your system as Administrator. You must have
administrative rights to install Dr Solomon’s Anti-Virus software on
your system.

2. Choose Run from the Start menu in the Windows taskbar.
The Run dialog box will appear (Figure 2-1).

Figure 2-1. Run dialog box

3. Type <X>:\SETUP.EXE in the text box provided, then click OK.
Here, <X> represents the drive letter for your CD-ROM drive or the path

to the folderthat contains your extracted Dr Solomon’s Anti-Virus files.
To search for the correct files on your hard disk or CD-ROM, click
Browse.

 NOTE: If your Dr Solomon’s Anti-Virus software copy came on an

Active Virus Defense or a Total Virus Defense CD-ROM, you must
also specify which folder contains the Dr Solomon’s Anti-Virus
software.

Before it continues with the installation, Setup first asks you whether it
should check to see whether you have previous Dr Solomon’s Anti-Virus
versions installed on your computer (Figure 2-2).

Figure 2-2. Previous versions dialog box

4. Click Yes to continue. If you click No, Setup quits immediately.

Administrator’s Guide 39

Installing Dr Solomon ’sAnti-Virus

If you have a previous Dr Solomon’s Anti-Virus version on your system,
Setup will find it immediately. It will then remove the previous version,
but will temporarily preserve the configuration options you set for that
version if your system is running Windows 95 or Windows 98. A later
step (see Step 7 onpage 42) will allow you to transfer those options to the
current Dr Solomon’s Anti-Virus installation.

After it removes any previous Dr Solomon’s Anti-Virus versions you
have on your system, Setup checks to see whether your computer
already has version 1.1 of the Microsoft Windows Installer (MSI) utility
running as part of your system software.

If your computer runs Windows 2000 Professional, the correct MSI
version already exists on your system. If your computer runs an earlier
Windows release, you might still have this MSI version on your system
if you previously installed other software that uses MSI.

If you have the correct MSI version on your computer and do not have
any previous DrSolomon’s Anti-Virusversions installed onyour system,
Setup will display its first wizard panel immediately. Skip to Step 5 to
continue.

If Setup does not find MSI v1.1 on your computer, it installs files that it
needs to continue the installation, then prompts you to restart your
computer. Click Restart System.If Setup removed a previous Dr
Solomon’s Anti-Virus version from your system, Setup will also ask you
to restart your computer.

For a list of circumstances in which Setup or system upgrades requ ire
you to rebootyour system, see “Determiningwhen you mustrestartyour

computer” on page 58.

When your computer restarts, Setup will continue from where it left off.
The Setup welcome panel will appear (Figure 2-3).

40 Dr Solomon’sAnti-Virus

Installing Dr Solomon’sAnti-Virus

Figure 2-3. Setup welcome panel

5. This first panel tells you where to locate the README.TXT file, which
describesproduct features, lists anyknownissues, and i ncludesthe latest
available product information for this Dr Solomon’s Anti-Virus version.
When you have read the text, click Next> to continue.

6. The next wizard panel displays the Dr Solomon’s Anti-Virus software
end-user license agreement.Read this agreementcarefully—if you install
Dr Solomon’s Anti-Virus software, you agree to abide by the terms of the
license.

If you do not agree to the license terms, select I do not agree to the
terms of the License Agreement, then click Cancel. Setup will quit
immediately. Otherwise, click I agree to the terms of the License
Agreement, then click Next> to continue.

Setup next checks to see whether incompatible software exists on your
computer. Ifyou have no other anti-virus software on your system, Setup
then moves to the Security Type panel for Windows NT Workstation or
Windows 2000 Professional systems. Otherwise, it will display the Setup
Type panel (see Figure 2-6 on page 44 or Figure 2-7 on page 45). Skip to

Step 9 on page 44 to continue.

If your computer runs Windows 95 or Windows 98, Setup also gives you
theoptiontopreservetheWinGuardconfigurationsettingsyouchosefor
the earlier version (Figure 2-4).

Administrator’s Guide 41

Installing Dr Solomon ’sAnti-Virus

 NOTE: If your computer runs Windows NT Workstation v4.0 or

Windows 2000 Professional, Setup will remove the previous Dr
Solomon’s Anti-Virus version in Step 4 on page 39, but will not
preserve any previous WinGuard scanner settings.

Figure 2-4. Previous Version Detected panel

7. Select Preserve OnAccess Settings, if theoption is available, then click
Next> to continue.

If Setup finds incompatible software, it will display a wizard panel that
gives you the option to remove the conflicting software (see Figure 2-5on

page 43).

Ifyouhavenoincompatiblesoftwareonyoursystemandyourcomputer
runs Windows 95 or Windows 98, skip to Step 10 on page 45 to continue
with the installation. If you have no incompatible software and your
system runs Windows NT Workstation v4.0 or Windows 2000
Professional, skip to Step 9 on page 44 to continue. Otherwise, continue
with Step 8.

42 Dr Solomon’sAnti-Virus

Installing Dr Solomon’sAnti-Virus

Figure 2-5. Incompatible software panel

8. Select the checkbox shown, then click Next>. Setup will start the
uninstallation utility that the conflicting software normally uses, and
allow it to remove the software. The uninstallation utility might tell you
that you need to restart your computer to completely remove the other
software. You do not need to do so to continue with your Dr Solomon’s
Anti-Virus installation—so long as the other software is not active, Setup
can continue without conflicts.

 NOTE: Dr Solomon’s Software strongly recommends that you

remove incompatible software. Because most anti-virus software
operates at a very low level within your system, two anti-virus
programs that compete for access to the same files or that perform
critical operations can make your system very unstable.

If your computerruns WindowsNT Workstation v4.0 or Windows 2000
Professional, Setup next asks you which security mode you want to use
to run Dr Solomon’s Anti-Virus software on your system (see Figure 2-6

on page 44).

The options in thispanel govern whether others who use your computer
can make changes to the configuration options you choose, can schedule
and run tasks, or can enable and disable Dr Solomon’s Anti-Virus
components. Dr Solomon’s Anti-Virus software includes extensive
security measures to ensure that unauthorized users cannot make any
changes to software configurations in Maximum Security mode. The
Standard Security mode allows all users to have access to all
configuration options.

Administrator’s Guide 43

Installing Dr Solomon ’sAnti-Virus

Either option you choose here will install the same Dr Solomon’s
Anti-Virus version, with the same configuration options, and with the
same scheduled tasks for all system users.

9. Select the security mode you prefer. Your choices are:

Figure 2-6. Security Type panel

• Use Maximum Security. Select this option to require users to have

• UseStandard Security.Selectthis option to give anyuser who logs

Setup next asks you to choose a Typical or a Custom setup for this
computer (Figure 2-7).

44 Dr Solomon’sAnti-Virus

Administrator rights to your computer in order to change any
configuration options, to enable or disable any Dr Solomon’s
Anti-Virus component, or to configure and run scheduled tasks.

Users who donot have administrative rights may stillconfigure and
run their own scan operations with the Dr Solomon’s Anti-Virus
application and save settings for those operations in a .VSC file, but
they cannot change default Dr Solomon’s Anti-Virus application
settings. To learn more about how to configure and save Dr
Solomon’s Anti-Virus application settings, see Chapter 5, “Using

the Dr Solomon’s Anti-Virus application,” in the User’s Guide.

into your computer the ability to change any configuration option,
enable or disable and Dr Solomon’s Anti-Virus component,or
schedule and run any task.

Installing Dr Solomon’sAnti-Virus

Figure 2-7. Setup Type panel

10.ChoosetheSetupTypeyouprefer.Yourchoicesare:

• Typical Installation. This option installs a basic component setthat

includes:

– the Dr Solomon’s Anti-Virus application, and application

extensions that allow you to right-click any object on your hard

disk to start a scan operation
– the Dr Solomon’sAnti-Virus Console
– the WinGuard System Scan module
– the Alert Manager Client configurationutility
– the Send Virus utility
– the Emergency Disk utility
– the Dr Solomon’s Anti-Virus Command Line scanner software

• Custom Installation.This option starts with the same components

as the Typical setup, but allows you to choose from among these
additional items:

– The WinGuard E-Mail Scan, Download Scan, and Internet

Filter modules
– The ScreenScan utility

Administrator’s Guide 45

Installing Dr Solomon ’sAnti-Virus

To learn more about what each component does, see “What comes with

Dr Solomon’s Anti-Virus?” on page 33 of the Dr Solomon’s Anti-Virus

User’s Guide.

11. Choose the option you prefer, then click Next> to continue.
If you chose Custom Setup, you’ll see the panel shown in Figure 2-8.

Otherwise, skip to Step 14 on page 47 to continue with your installation.

12. Choose the Dr Solomon’s Anti-Virus components you want to install.
You can:

• Add a component to the installation. Click beside a

• Remove a component from the installation. Click beside a

46 Dr Solomon’sAnti-Virus

Figure 2-8. Custom Setup panel

componentname, then choose This feature willbe installedon
local hard drive from the menu that appears. To add a component

and any related modules within the component, choose

This feature, and all subfeatures, will be installed on local

hard drive instead. You can choose this option only if a component

has related modules.

component name, then choose This feature w ill not be
available from the menu that appears.

 NOTE: The Dr Solomon’s Anti-Virus Setup utility does not

support the other options shown in this menu. You may not
install Dr Solomon’s Anti-Virus components to run from a
network, and Dr Solomon’s Anti-Virus software has no
components that you can install on an as-needed basis.

Installing Dr Solomon’sAnti-Virus

You can also specify a different disk and destination directory for the
installation. Click Change, then locate the drive or directory you wantto
use in the dialog box that appears. To see a summary of Dr Solomon’s
Anti-Virus disk usage requirements relative to y our available hard disk
space, click Disk Usage. The wizard will highlight disks that have
insufficient space.

13. When you have chosen the components you want to install, click Next>
to continue.

Setup will show you a wizard panel that confirms its readiness to begin
installing files (Figure 2-9).

Figure 2-9. Ready to Install panel

14. Click Install to begin copying files to your hard drive. Otherwise, click
<Back to change any of the Setup options you chose.

Setup first removes any incompatible software from your system. It then
copies Dr Solomon’s Anti-Virus program files toyour hard disk. When it
has finished, it displays a panel that asks if you want to configure the
product you installed (see Figure 2-10 on page 48).

Administrator’s Guide 47

Installing Dr Solomon ’sAnti-Virus

15. At this point, you can:

• Finish your installation. Leave the Scan Memory for Viruses
beforeConfiguring checkbox clear,then click SkipConfig to finish
your installation. Setup will ask if you want to start the WinGuard
scanner and the Dr Solomon’s Anti-Virus Consoleimmediately.To
do so, select the Start Dr Solomon’sAnti-Viruscheckbox, then
click Finish. Your Dr Solomon’s Anti-Virus software is ready for
use.

Figure 2-10. Completing Setup panel

• Choose configuration options for your installation. You can choose

48 Dr Solomon’sAnti-Virus

 NOTE:If you had a previous Dr Solomon’s Anti-Virus version

installed on your computer, you must restart your system once
again in order to start the WinGuard scanner. Setup will
prompt you to restart your system.

to scan your system, create an emergency disk, or update your virus
definition files before you start the WinGuard scanner and the Dr
Solomon’s Anti-Virus Console.

To do so, select the Scan Memory for Viruses before Configuring
checkbox to have Setup start the Dr Solomon’s Anti-Virus
application briefly to check your system memory. Next, click

Configure.

Installing Dr Solomon’sAnti-Virus

Setup will start the Dr Solomon’s Anti-Virus application to examine your
system memory for viruses before it continues. If it finds an infection, it
will alert you and give you a chance to respond to the virus. To learn
about your options, see Chapter 3, “Removing Infections From Your

System.” If it finds nothing, the application will flash briefly as it scans

your system, then Setup will display the first of two configuration panels
(see Figure2-11onpage49).

Figure 2-11. Configuration pa nel

16. If your computer runs Windows 95 or W indows 98, you can choose any
of the configuration options shown here. These are:

• Scan boot record at startup. Select this checkbox to have Setup

write these lines to your Windows AUTOEXEC.BAT file:

C:\PROGRA~1\NETWOR~1\DRSOLO~1\SCAN.EXE C:\
@IF ERRORLEVEL 1 PAUSE

This tells your system to start the Dr Solomon’s Anti-Virus
Command Line scanner when your system starts. The scanner, in
turn, will pause if it detects a virus on your system so that you can
shutdown and usethe Dr Solomon’sAnti-VirusEmergencyDisk to
restart.

Administrator’s Guide 49

Installing Dr Solomon ’sAnti-Virus

• Create Emergency Disk. This option is active by default. It tells

Setup to depart from its normal sequence to start the Emergency
Disk creation utility. The creation utility formats and copies a
scanner and support files onto a bootable floppy disk you can use to
start your system in a virus-free environment. You can use this disk
to scan portions of your hard disk for viruses. After the utility
creates the disk, it returns to the regular Setup sequence. Clear this
checkbox to skip the Emergency Disk creation. You can start the
utility at any time after installation.

• Run Default Scan for Viruses after Installation.Thisoptionis

active by default. The option tells Setup to finish the installation,
then to run the Dr Solomon’s Anti-Virus application immediately
afterwards to scanyour entirestartup partition. The application will
alertyouifitfindsanyvirusesonthispartition,butotherwisewill
quit without any further notice. Clear this checkbox to skip this scan
operation.

 NOTE:If you told Setup to remove any previous DrSolomon’s

Anti-Virus versions from your system, it will run the scan
operation after it restarts your computer. The Dr Solomon’s
Anti-Virus application will appear immediately after startup.

If your computerruns Windows NT Workstation v4.0 or Windows 2000
Professional, you may not choose Scan bootrecord at startup,butyou
may choose either of the other options. Neither Windows NT
Workstation nor Windows 2000 permit software to scanor make changes
to hard disk boot sectors or master boot records. Also, these operating
systems do not use an AUTOEXEC.BAT file for system startup.

17. When you have chosen the options you want, click Next> to continue.
If you selected the Create Emergency Disk option, the Emergency Dis k

creation wizard starts immediately. To learn how to use this utility, see

“Using the Emergency Disk Creation utility” on page 53.

After the utility creates an Emergency Disk, it will return to this point in
the Setup sequence. To bypass the Emergency Disk utility once it starts,
click Cancel when you see its first screen. Setup will display a second
configuration panel you can use to update your virus definition files or
to configure the AutoUpdate utility (Figure 2-12).

50 Dr Solomon’sAnti-Virus

Installing Dr Solomon’sAnti-Virus

Figure 2-12. Update Virus Definition Files panel

18. Choose the update option you prefer. You can:

• Run AutoUpdate Now.ThisoptionusesdefaultAutoUpdate

configuration options to connect directly to the Network Associates
website and download the latest incremental .DAT file updates.
Select this option if your company has not designated a location on
your network as an update site, and if you do not need to configure
proxy server or firewall settings. This ensures that any scan
operation you run uses current files.

• Configure AutoUpdate Now. This option opens the Automatic

Update dialog box, where you can add or configure an update site
from which to download new files. Select this option if your
company has designated a server for .DAT file updates somewhere
on your network, or if you want to change some aspect of how your
computer connects to the Network Associates website—firewall or
proxyserversettings,forexample.

To learn more about how to configure the AutoUpdate utility, see

“Configuring update options” on page 122.

• Wait and Run AutoUpdate Later. This option skips the update

operation altogether. You can configure and schedule an
AutoUpdate task to download new .DAT files at any later time. To
learn how to schedule a task, see Chapter 6, “Creating and

Configuring Scheduled Tasks,” in the Dr Solomon’s Anti-Virus User’s

Guide.

19. When you have chosen the option you want, click Next>.

Administrator’s Guide 51

Installing Dr Solomon ’sAnti-Virus

If you chose to run an AutoUpdate operation immediately, the utility
will connect to the Network Associates website to download new
incremental .DAT files. After it finishes, the Setup sequence will resume .

If you chose to configure the AutoUpdate utility, the Automatic Update
dialog box will appear. Choose your configuration options, then click
Update Nowto start an immediate update operation, or click OK to save
the options you chose.

Setup next displays its final panel and asks if you want to start the
WinGuard scanner and the Dr Solomon’s Anti-Virus Console
immediately (see Figure 2-13 on page 52).

20. To do so, select the Start Dr Solomon’sAnti-Viruscheckbox,then click
Finish. The Dr Solomon’s Anti-Virus software “splash screens” will
appear, and the WinGuard scanner and Dr Solomon’s Anti-Virus
ConsoleiconswillappearintheWindowssystemtray.Yoursoftwareis
ready for use.

 NOTE: If you had a previous Dr Solomon’s Anti-Virus version

52 Dr Solomon’sAnti-Virus

Figure 2-13. Successful Installation panel

installed on your computer, you must restart your system in order
to start the WinGuard scanner. Setup will prompt you to restart
your system.

Installing Dr Solomon’sAnti-Virus

Using the Emergency Disk Creation utility

If you choose to create an Emergency Disk during installation, Setup will start
the Emergency Disk wizardin the middle of the Dr Solomon’s Anti-Virus
software installation, then will return to the Setup sequence when it finishes.
To learn how to create an Emergency Disk, begin with Step 1 on page 54.You
can also start the Emergency Disk wizard at any point after you in stall Dr
Solomon’s Anti-Virus software.

 NOTE: Network Associates strongly recommends that you create an

EmergencyDiskduringinstallation,butthatyoudosoafterDr
Solomon’s Anti-Virus softwarehas scanned your system memory for
viruses. If Dr Solomon’s Anti-Virus software detects a virus on your
system, do not create an Emergency Disk on the infected computer.

The Emergency Disk you create includes BOOTSCAN.EXE, a specialized,
small-footprint command-line scanner that can scan your hard disk boot
sectors and Master Boot Record (MBR). BOOTSCAN.EXE works with a
specialized set of .DAT files that focus on ferreting out boot-sector viruses. If
you have already installed Dr Solomon’s Anti-Virus software with default
Setupoptions,youcanfindthese.DATfilesinthislocationonyourharddisk:

C:\Program Files\Common Files\Network Associates\Dr Solomon’s Anti-Virus
Engine\4.0.xx

The special .DAT files have these names:

• EMCLEAN.DAT

•EMNAMES.DAT

•EMSCAN.DAT
Dr Solomon’s Software periodically updates these .DAT files to detect new

boot-sector viruses. You can download new Emergency .DAT files here:

http://www.nai.com/asp_set/anti_virus/avert/tools.asp

 NOTE: Dr Solomon’s Software recommends that you download new

Emergency .DAT files directly to a newly formatted floppy disk in o rder
to reduce the risk of infection.

Because the wizard renames the files and prepares them for use when it
creates your floppy disk, you may not simply co py them directly to an
Emergency Disk that you create yourself. Use the creation wizard to prepare
your Emergency Disk.

Administrator’s Guide 53

Installing Dr Solomon ’sAnti-Virus

To start the wizard, click Start in the Windows taskbar, point to Programs,
then to Network Associates.Next,chooseCreate Emergency Disk.The
Emergency Disk wizard welcome panel will appear (Figure 2-14).

1. Click Next> to continue. The next wizard p anel appears (Figure 2-15).

Figure 2-14. Emergency Disk welcome panel

If your computer runs Windows NT Workstation or Windows 2000
Professional,thewizardtellsyouthatitwillformatyourEmergency
Disk with the NAI-OS. You must use these operating system files to
create your Emergency Disk, because Windows NT Workstation v4.0
and Windows 2000 Professional system files do not fit on a floppy disk.

If your computer runs Windows 95 or Windows 98, the wizard will offer
to format your Emergency Disk either with the NAI-OS or with
Windows startup files.

54 Dr Solomon’sAnti-Virus

Figure 2-15. Second Emergency Disk panel

Installing Dr Solomon’sAnti-Virus

2. If the wizard offersyou a choice,choosewhichoperatingsystemfilesyou
want to use,then click Next>to continue. Depending on which operating
system you choose, the wizard displays a different panel next.

Figure 2-16. Emergency Disk informational panel

• If you chose to format your disk with the NAI-OS, the wizard
displays an informational panel (see Figure2-16onpage55).

Follow these substeps to continue:

a. Insertanunlockedandunformatted1.44MBfloppydiskinto

your floppy drive, then click Next>.
The Emergency Disk wizard will copy its files from a disk

image stored in the Dr Solomon’s Anti-Virus program
directory. As it does so, it will display its progress in a wizard
panel.

b. Click Finish to quit the wizard when it has created your disk.

Next, remove the disk from your floppy drive, lock it, label it Dr
Solomon’sEmergency Boot Disk and store it in a safe place.

• If you chose to format your disk with Windows system files, the
wizard displays a panel that lets youchoose whether to format your
floppy disk (Figure 2-17).

Administrator’s Guide 55

Installing Dr Solomon ’sAnti-Virus

Your choices are:

•Ifyouhaveavirus-free, formatted floppy disk that contains only
DOS or Windows system files, insert it into your floppy drive. Next,
select the Don’t Format checkbox, then click Next> to continue.

This tells the Emergency Disk wizard to copy only the Dr Solomon’s
Anti-Virus software Command Line component the emergency
.DAT files, and support files to the floppy disk. Skip to Step 3 on

page 57 to continue.

Figure 2-17. Third Emergency Disk pane l

•Ifyoudonot have a virus-free floppy disk formatted with DOS or

56 Dr Solomon’sAnti-Virus

Windows system files, you must create one in order to use the
EmergencyDisktostartyourcomputer.Followthesesubsteps:

a. Insert an unlocked and unformatted floppy disk into your

floppydrive.DrSolomon’sSoftwarerecommendsthatyou use
a completely new disk that you have never previously
formatted to prevent the possibility of virus infections on your
EmergencyDisk.

b. Verify that the Don’tformatcheckbox is clear.
c. Click Next>.

The Windows disk format dialog box appears (Figure 2-18).

Installing Dr Solomon’sAnti-Virus

Figure 2-18. Windows Format dialog box

d. Verify that the Full checkbox in the Format Type area and the

Copy system files checkbox in the Other Options area are

both selected. Next, click Start.
Windows will format your floppy disk and copy the system

files necessary to start your computer.

e. Click Closewhen Windowshas finished formattingyourdisk,

then click Close again to return to the Emergency Disk panel.

3. Click Next> to continue. Setup will scan your newly formatted disk for

viruses (see Figure 2-19 on page 57).

Figure 2-19. Scanning Emergency Disk for viruses

Administrator’s Guide 57

Installing Dr Solomon ’sAnti-Virus

If Dr Solomon’s Anti-Virus software does not detect any viruses during
its scan operation, Setup will immediately copy BOOTSCAN.EXE and its
support files to the floppy disk you created. If Dr Solomon’s Anti-Virus
softwaredoes detect a virus, quit Setup immediately. See “If you suspect

you have a virus...” on page 69 tolearnwhattodonext.

4. When the wizard finishes copying the Emergency Disk files, it displays
the final wizard panel (Figure 2-20).

Figure 2-20. Final Emergency Disk panel

5. Click Finish to quit the wizard. Next, remove the new Emergency Disk
from your floppy drive, write-protect it, and store it in a safe place.

 NOTE: A locked or write-protected floppy disk shows two holes

near the edge of the disk opposite the metal shutter. If you don’t see
two holes, look for a plastic sliding tab at one of the disk corners,
then slide the tab until it locks in an open position.

Determining when you must restart your computer

In many circumstances, you can install and use this Dr Solomon’s Anti-Virus
release immediately, without needing to restart your computer. In some cases,
however, the Microsoft Installer (MSI) will need to replace or initialize certain
files, or previous Dr Solomon’s product installations might require you to
remove files in order for Dr Solomon’s Anti-Virus software to run correctly.
These requirements can also vary for each supported Windows platform.

In these cases, you will need to restart your system during the installation—
usually to install MSI files—or after the installation itself.

Tolearnwhenyoumustrestartyourcomputer,seeTable 2-1.

58 Dr Solomon’sAnti-Virus

Installing Dr Solomon’sAnti-Virus

Table 2-1. Circumstances that require you to restart your system

Circumstance

Installationon computer with no
previous Dr Solomon’s
Anti-Virus version and no
incompatible software

Installation on computer with
previous Dr Solomon’s
Anti-Virus version

Installation on computer with
incompatible software

Installation on a computer with
Microsoft Installer (MSI) v1.0

NOTE: Microsoft Office 2000
installs this MSI version

Installation on a computer with
Microsoft Installer v1.1

Windows 95 and
Windows 98

No restart required,
unless you have
Novell Client32 for
NetWare installed,
then restart required

Restart required Restart required

No restart required,
but Setup will ask if
youwishtorestart.
You can safely click

No.

Restart required
after MSI files
installed and before
Setup can continue

No restart required,
except on Windows
98 Second Edition
systems, or if some
drivers or .DLL files
used

Windows NT and
Windows 2000

Restart required

No restart required,
but Setup will ask if
youwishtorestart.
You can safely click

No.

Restart required
after MSI files
installed and before
Setup can continue

No restart required

.DAT file update No restart required No restart required
Scan engine update via Dr

Solomon’s SuperDAT utility

Testing your installation

Once you install it, Dr Solomon’s Anti-Virus software is ready to scan your
system for infected files. You can verify that it has installed correctly and that
it can properlyscan for viruseswith a testdeveloped by theEuropean Institute
ofComputer Anti-virusResearch (EICAR), acoalition of anti-virusvendors, as
a method for their customers to test any anti-virus software installation.

To test your installation, follow these steps:

1. Open a standard Wi ndows text editor, such as Notepad, then type this
character string as one line, with no spaces or carriage returns:

No restart required No restart required

Administrator’s Guide 59

Installing Dr Solomon ’sAnti-Virus

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS­TEST-FILE!$H+H*

 NOTE: Thelineshownaboveshouldappearasone line inyour text

editorwindow,sobesuretomaximizeyourtexteditorwindowand
delete any carriage returns. Also, be sure to type the letter O, not the
number 0, in the “X5O...” that begins the test message.

If you are reading this manual on your compu ter, you can copy the
line directly from the Acrobat .PDF file and paste it into Notepad.
You can also copy this text string directly from the “Testing your
installation” section of theREADME.TXT file, which you can findin
your Dr Solomon’s Anti-Virus program directory. If you copy the
line from either of these sources, be sure to delete any carriage
returns or spaces.

2. Save the file with the name EICAR.COM. The file size will be 69 or 70
bytes.

3. Start your Dr Solomon’s Anti-Virus software and allow it to scan the
directory that contains EICAR.COM. When Dr Solomon’s Anti-Virus
software examines this file, it will report finding the
EICAR-STANDARD-AV-TEST-FILE virus.

60 Dr Solomon’sAnti-Virus

IMPORTANT:

This file is

not a virus—

it cannot spread or infect
other files, or otherwise harm your system. Delete the file whenyou
have finished testing your installation to avoid alarming other users.

Installing Dr Solomon’sAnti-Virus

Modifying or removing your local Dr Solomon’sAnti-Virus installation

The Microsoft Windows Installer version that Dr Solomon’s Anti-Virus
software uses also includes a standard method to modify or remove a Dr
Solomon’s Anti-Virus installation from the local workstation.

To modify, or remove Dr Solomon’s Anti-Virus software, follow these steps:

1. Click Start in the Windows taskbar, point to Settings, then choose
Control Panel.

2. Locate and double-click the Add/Remove Programs control panel.

3. In the Add/Remove Programs Properties dialog box, choose Dr

Solomon’s Dr Solomon’s Anti-Virus v4.5.0 in the list, then click
Add/Remove.

Setup will start and display the first Maintenance wizard panel (Figure

2-21).

Figure 2-21. First maintenance panel

4. Click Next> to continue.
Setup displays the Program Maintenance wizard panel (see Figure 2-22

on page 62).

Administrator’s Guide 61

Installing Dr Solomon ’sAnti-Virus

5. Choose whether to modify Dr Solomon’s Anti-Virus components or to
remove Dr Solomon’sAnti-Virus software fromyour system completely.
Your choices are:

Figure 2-22. Program Ma intenance panel

• Modify.Select this option to add or remove individual Dr

Solomon’s Anti-Virus components. Setup will display the Custom
wizard panel (see Figure 2-8 on page 46). Startwith Step 12 on page

46 to choose the components you want to add or remove.

 NOTE: This panel differs from the one shown on page 46:It

will not allow you to change your Dr Solomon’s Anti-Virus
program directory, nor will it display disk usage statistics. To
install Dr Solomon’s Anti-Virus software in a different
directory or on a different drive, you m ust first remove, then
reinstall the software.

• Remove. Select this option to remove Dr Solomon’s Anti-Virus

software from your computer completely. Setup will ask you to
confirm that you want to remove the software from your system
(see Figure2-23onpage63).

62 Dr Solomon’sAnti-Virus

Installing Dr Solomon’sAnti-Virus

Figure 2-23. Remove the Program panel

6. Click Remove. Setup will display progress information as it deletes Dr
Solomon’s Anti-Virus software from your system. When it has finished,
click Finish to close the wizard panel.

Installing Dr Solomon’sAnti-Virussoftwareon other computers

The next sections describe how to install Dr Solomon’s Anti-Virus software
over your network, to many workstations at once, and with various custom
configurations. You can run Setup from a command prompt to choose many
of these configuration options.

Using Active Directory and Group Policies

If you use Active Directory services inWindows 2000, you must distribute the
software per machine, not per user. Set up the installation in the Microsoft
ManagementConsole;thereyoucanchoosethecomputerson whichyou want
to install the Dr Solomon’s Anti-Virus package. The installation takes place
when you restart these computers.

Administrator’s Guide 63

Installing Dr Solomon ’sAnti-Virus

 NOTE: The Dr Solomon’s Anti-Virus package contains two versions of

the Microsoft installer (MSI):one for Windows 95 and Windows 98, and
one for Windows NT Workstation v4.0 and Windows 2000 Professional.
You can remove these files from the package if your computers already
have the installer. This makes the Dr Solomon’s Anti-Virus file smaller
and more manageable when you send it remotely.

Installing Dr Solomon’sAnti-Virussoftwareusing command-line options

The Dr Solomon’s Anti-Virus Setup utility runs as a Microsoft Installer (MSI)
application, which allows a wide array of custom installation options. To
shape the installation so that it runs the way you want it to, and so that you
end up with exactly those product components you want, run Setup from the
command line.

 NOTE: You can run Setup from the command line only to install Dr

Solomon’s Anti-Virus software to a local computer. To install the
software over a network, you must use Management Edition or ePolicy
Orchestratorsoftware.

To do so, click Start in the Windows taskbar, then choose Run. Next, enter the
command line you want to use in the Run dialog box, then click OK.

The Setup command-line syntax looks like this:

setup PROPERTY=VALUE[,VALUE] [/option] /i

This syntax does not require any particular order in its elements, except that
you may notseparate a propertyand its value, and youmust terminate theline
with the /i option so that Setup knows to look for a particular .MSI file it
needs for installation. The syntax consists of:

• the name of the executable file: setup.exe.

• any options you choose to add,each precededby a / character. Optionsare
not case sensitive. The installation scenarios that appear later in this guide
discusssomeoftheavailableoptions.

• any properties you want to use to shape how the installation runs.

64 Dr Solomon’sAnti-Virus

Installing Dr Solomon’sAnti-Virus

Each property consists of a name, which must appear all in capitals, an =
sign, and one or more values, each separated by commas. Most property
values must appear in all capitals, too, but some—such as True and False,
must appear in capitals and lower case. The Microsoft Installer permits a
large variety of properties, all of which you can use to determine how your
installation runs. To learn about those properties, see the Microsoft
Installer documentation. To install Dr Solomon’s Anti-Virus software,
specifically, you can use these additional properties:

– ADDLOCAL. This property tells Setup to install particular

components to the local computer.

– INSTALLDIR. This property specifies which installation directory

you want to use. The value consists of the directory path you want
to use.

– PRESERVESETTINGS. This property tells Setup whether it should

retain the configuration options you used for previous WinGuard
scanner installations. By default, its value is True.

– REBOOT. This property tells Setup whether it should restart your

computer. You can eitherforce the computer to restart, or preventit
from restarting.

– REMOVE. Thisproperty tells Setup to remove one or more program

components. You can specify a particular component, or use the
value ALL to remove all components. If you combine this property
with the ADDLOCAL property, you can install all but one or two
specificcomponents.

– REMOVEINCOMPATIBLESOFTWARE. This property tells Setup

to remove previous Dr Solomon’s Anti-Virus versions or other
anti-virus software that could conflict with this Dr Solomon’s
Anti-Virus version. By default, its value is True.

– STARTONACCESSSCANNER. Thisproperty tells Setupto start the

WinGuard scanner after it finishes the installation. By default, its
value is True.

– USEADMINONLYSECURITY. This property tells Setup which

security mode you want this Dr Solomon’s Anti-Virus copy to use
when it runs. Possible values are 0, which runs the software with
standard security, and 1, which runs the software with maximum
security.

The following sections describe some common scenarios that use command­line options to run custom installations.

Administrator’s Guide 65

Installing Dr Solomon ’sAnti-Virus

Silent installation

Use command-line options to set up Dr Solomon’s Anti-Virus software on
each network node with little or no interaction from end users. During a silent
installation, Setupdoes not display any ofits usual wizard panelsor windows,
or offer the end user any configuration options. Instead, you pre-configure
these choices and run Setup in the background on each target workstation. If
you want, you can install Dr Solomon’s Anti-Virus software on any
unattended workstation with or without the end user’s knowledge, provided
you have all the necessary administrative privileges.

setup/q/i

Use /q to run a silent installation. The /i should always appear last on the
command line.It tellsSetup tolocate the .MSI file that controls the installation.

66 Dr Solomon’sAnti-Virus

Other semi-silent installation methods are:

/qb shows a small progress bar during installation, with a

/q+ shows a success/failure installationcomplete dialog box
/qb+ shows both the progress and completed dialog boxes
/qf shows the full progress bar screen from the regular

Logging the installation

To record installation progress in a log file, add this option and parameter to
the Setup command line:

/l*v “c:\temp\log.txt”

Here, c:\temp\log.txt canbeanydirectoryandanyfilenameyouwantto
use to createthe log file. Thisoption logsall installer activity, including all files
copied, all registry keys added, and all .INI file changes.

Replace the * shown in the command-line example with one or more of these
parameters to limit the type of data that the log file records:

Installing Dr Solomon’sAnti-Virus

cancel button

installation

i status messages
w non-fatal warnings
e all error messages
aactionstarts
r action-specific records
u user requests
c initial user interface parameters
m out-of-memory or fatal exit information
o out-of-disk space messages
p terminal properties
+ append to existing file
! flush each line to the log

Administrator’s Guide 67

Installing Dr Solomon ’sAnti-Virus

Installing to a custom directory

To install Dr Solomon’s Anti-Virus software to a custom directory, add the
INSTALLDIR property to the command line, then follow the property with a
value for the directory you want to use. To install Dr Solomon’s Anti-Virus
software to C:\My Anti-Virus Software, for example, type this line at the
command prompt:

setup INSTALLDIR= “c:\My Anti-Virus Software” /q/i

Use quotes only if the target directory name has spaces. You can add the /q
switch run the installation silently, if you prefer. The /i switch is not
optional—Setup needs it to locate the .MSI file that has current installation
data.

Selecting specific features to install

When you run Setup from the command line to install specific program
components, the utility installs those components according to a preexisting
hierarchy. This means that if you choose to install only the Dr Solomon’s
Anti-Virus shell extensions, for example, Setup knows that you must have
SCAN32.EXE, the Dr Solomon’s Anti-Virus application, installed in order to
use the extensions. It therefore will install both this file and any related files.

To specify the components you want to install, Setup requires you to add
particular component names as command-line parameters. The component
names you can specify from the command line are:

Component Name Description

AlertManager The Alert Manager Client configuration

utility

CMD The Dr Solomon’sAnti-Virus

Command Line scanners: SCAN.EXE,
SCANPM.EXE, SCAN86.EXE

EdiskUtil The Emergency Disk wizard and

archived files

EmailScan The WinGuard E-Mail Scan module

and the E-Mail Scan extension

InternetScan The WinGuard Download Scan and

Internet Filter modules
SystemScan The WinGuard System Scan module
Scan32 The Dr Solomon’sAnti-Virus

application, SCAN32.EXE

68 Dr Solomon’sAnti-Virus

Installing Dr Solomon’sAnti-Virus

Component Name Description

Scheduler The Dr Solomon’sAnti-VirusConsole
McUpdate The AutoUpdate and AutoUpgrade

utilities
ShellExtentions Extensions that add right-click

functionality that enables you to scan

individual files
ScreenScan The ScreenScan utility
SendVirus An applet that allows you to send virus

samples to AVERT Labs for analysis

To use these component names in acommand line, specify the destination and
the component name, exactly as it appears in the table.

For example, to add the Dr Solomon’s Anti-Virus application to the local
system, type this line at the command prompt:

setup.exe ADDLOCAL=Scan32/q/i

Use a comma to separate values in order to install more than one component.
To add Scan32 and SystemScan together, for example, type this line at the
command prompt:

setup.exe ADDLOCAL=SystemScan,Scan32/q/i

To do a complete installation, type this line at the command prompt:

setup.exe ADDLOCAL=ALL/q/i

To remove all Dr Solomon’s Anti-Virus components, type this line at the
command prompt:

setup.exe REMOVE=ALL/q/i

To install all components except for one—the SendVirus component,in this
example—type this line at the command prompt:

setup.exe ADDLOCAL=ALL REMOVE=SendVirus/q/i

You can also choose different components for an installation that you do not
run silently. If, for example, you leaveoff the /q option in any of the command
line examples shown above the Custom S etup wizard panel (see Figure 2-8 on

page 46) will show only the components you specify as those available for

installation. If you use these same examples to specify a component set for
installation, Setup will install only the components you specified during a
Typical installation.

Administrator’s Guide 69

Installing Dr Solomon ’sAnti-Virus

Setting reboot options

You can force or prevent the target computer from restarting during the
installation. To do this, add the REBOOT property to the command line.
REBOOT=F forces the restart, while REBOOT=R prevents the restart. If you
must first install the Windows Installer service on a target computer, Setup
will require you to restart whether you force or prevent a restart for other
reasons. Setup will resume after MSI forces a restart. It will then use the
options you set to determine whether to force or prevent a restart after the
installation.

setup REBOOT=R /q /i

This example runs a silent installation and prevents a system restart.

Setting security type for Windows NT

If you install Dr Solomon’s Anti-Virus software on Windows NT Workstation
v4.0 or Windows 2000 Professional systems, you can choose to run the
software with regular or maximum security. To set this value from the
command line, run Setup with the USEADMINONLYSECURITY property
and the value you want to use.

To run the software with standard security, give the property the value 0:

USEADMINONLYSECURITY=0

To run the software with maximum security, give the property the value 1:

USEADMINONLYSECURITY=1

To use the property from the command line, type a line similar to this:

setup USEADMINONLYSECURITY=1 /q /i

This runs a silent installation andsets thesecurity level so that only auser with
administrative rights can configure or stop the product.

Removing incompatible software

By default, Setup removes incompatible software during a silent installation.
To prevent Setup from removing incompatible software, add the property
REMOVEINCOMPATIBLESOFTWARE to the command line with the value
False:

setup REMOVEINCOMPATIBLESOFTWARE=False

70 Dr Solomon’sAnti-Virus

Scanning your system at startup

By default,Setup adds a line to the AUTOEXEC.BAT file for Windows 95 and
Windows 98 systems that tells the Dr Solomon’s Anti-Virus application to
scan the master boot record (MBR) when your computer starts. To prevent
Setup from doing so—during a silent installation, for example—add the
property SCANATSTARTUP to the command line with the value False:

setup SCANATSTARTUP=False

Starting the WinGuard scanner

By default, Setup starts the WinGuard System Scan module if the installation
does not require you to restart your computer—if you remove earlier Dr
Solomon’sAnti-Virusversionsduringinstallation,forexample.TokeepSetup
from starting the WinGuard scanner, add the STARTONACCESSSCANNER
property to the command line with the value False:

setup STARTONACCESSSCANNER=False

Preserving on access settings

By default, Setup preserves your WinGuard settings from previous Dr
Solomon’s Anti-Virus installations. To install the new Dr Solomon’s
Anti-Virus version without previous settings, add the PRESERVESETTINGS
property to the command line with the value False:

Installing Dr Solomon’sAnti-Virus

setup PRESERVESETTINGS = False

Running Setup from a login script

To install Dr Solomon’s Anti-Virus software at the time each of your target
computers starts, you can add a Setup command line to your login script and
include any logic you think necessary to ensure that the installation will run
once—checking for the Dr Solomon’s Anti-Virus default program directory,
for example. The command line should include all of the options and
properties you want to use to govern how Setup runs.

If you run the login script from a Windows 95 or Windows 98 workstation,
you must addthe option /LSCRIPT to thecommand lineif the targetcomputer
has any previous Dr Solomon’s Anti-Virus version installed, or if it might not
have Microsoft Installer (MSI) v1.1 installed. Unlike other options, the
/LSCRIPT option is case sensitive and must appear in the command line with
all capitals.

Withoutthe/LSCRIPToption,Setup will run and, ifyou do not haveMSI v1.1
installed or if you have a previous Dr Solomon’s Anti-Virus version on the
target computer, will require the target computer to restart. Before it does so,
however, it places a flag in the Windows RunOnce registry key.

Administrator’s Guide 71

Installing Dr Solomon ’sAnti-Virus

Because Windows 95 and Windows 98 execute the login script at the same
time they act on thecontents ofthe RunOnce key, however, they willtry to run
another instance of Setup while, at the same time, they try to resume the
previous Setup you started. MSI does not permit more than one instance of
Setup to run at the same time.

Adding the /LSCRIPT option to the command linecauses Setup toplace a flag
in the RunServicesOnce registry key, which Windows executes before it runs
the login script. If your login script checks for the presence of the default Dr
Solomon’s Anti-Virus program directory before it runs Setup, therefore,
Windows will not try to run Setup a second time.

In order to use a login script for this purpose, you must also copy or “push”
the Dr Solomon’s Anti-Virus installation packageto a local directory on the
target computer. You may not use a login script to install Dr Solomon’s
Anti-Virus software from elsewhere on your network. To install DrSolomon’s
Anti-Virussoftware from a remotelocation on the network,use Management
Edition or ePolicy Orchestrator management software.

 NOTE: If you plan to install Dr Solomon’s Anti-Virus software to a

Windows NT Workstation v4.0 or a Windows 2000 system via login
scripts, you do not need to include the /LSCRIPT option in your
command line.

Using Management Edition software

Management Edition distribution software allows you to distribute Dr
Solomon’s anti-virus software from a single console on your network. It
installs, configures, upgrades, and removes anti-virus software for remote
machines on a network. It installs anti-virus software to domains you create,
and from repositories that you create. You control activities from the
Management Edition Console, a drag-and-drop application that runs on
Microsoft Windows NT.

Once the Management Edition components are installed in the master
repository, you are ready to install anti-virus software into the Repository.

Follow these steps:

1. In the Management Console main menu, click Tools,thenchoose

Repository.

The Repository dialog box displays the Products page. It contains the
management components that are currently in the Repository.

2. Click Install.

72 Dr Solomon’sAnti-Virus

Installing Dr Solomon’sAnti-Virus

3. Click Product.

4. Insert the Dr Solomon’s Anti-Virus CD into your CD-ROM drive.

The Management Edition software copies Dr Solomon’s Anti-Virus files
into the Repository.Once it doesso, the componentsyou installed appear
in the Repository list.

5. Click Close to complete the installation.

You can now use Management Edition software to install and configure Dr
Solomon’sAnti-Virussoftware,oraddcomponentstoorremovethemfrom
anexistingDrSolomon’sAnti-Virusinstallation.To learnhow to do so, seethe
Management Edition Administrator’s Guide.

To install all Dr Solomon’s Anti-Virus components via Management Edition
software, you must modify the Management Edition scripts that come with
the Dr Solomon’sAnti-Virus product package.

Follow these steps:

1. UseWinZip, PKZipor a similarutility to extract thefiles VSC_9X.INIand

VSC_NT.INI from the Dr Solomon’s Anti-Virus package.

2. Locate this line in each file:

REGSETVAL LOCAL !VS_EXEC_KEY! “ExecCmdLine” SZ
“!I_CMD_LINE!”

Change the macro reference I_CMD_LINE so that it reads
I_CMD_LINE_ALL. When you have finished, the entire line in both the
VSC_9X.INI and the VSC_NT.INI files should read:

REGSETVAL LOCAL !VS_EXEC_KEY! “ExecCmdLine” SZ
“!I_CMD_LINE_ALL!”

3. Save both files, then return them to the Dr Solomon’s Anti-Virus product

package, overwriting the existing files in that package.

4. Deploy your modified Dr Solomon’s Anti-Virus package via

Management Edition software.

Using ePolicy Orchestrator to deploy Dr Solomon’s Anti-Virus software

ePolicy Orchestrator management software provides a single point of control
for all of your Dr Solomon’s anti-virus products. It is a scalable anti-virus
management tool that provides centralized policy management and
enforcement, software distribution, and extensive reporting features.

Administrator’s Guide 73

Installing Dr Solomon ’sAnti-Virus

With the ePolicy Orchestrator server, console, and agent you can manage a
single database and software repository from any location on your company’s
network. Once you have installed the ePolicy Orchestrator server and console,
and have loaded Dr Solomon’s Anti-Virus software is loaded into the
repository, you can use the console to push the agent onto the client machines.
Through the agent, you gather data on the virus protection currently residing
on the client machines. The server then responds by sending appropriate
installation software. The agentinstalls thesoftware using the instructions you
set up during configuration.

Follow these steps:

1. In the ePolicy Orchestrator Console’s main menu, place your cursor on

Software in the console tree.

2. Click the Action menu, and then click Install.

The Select a Software Package dialog box displays your network. Locate
the Dr Solomon’s Anti-Virus software packagethat you want to place in
the repository.

3. Click Dr Solomon’sAnti-Virus.

4. Click Open.

Dr Solomon’s Anti-Virus software is loaded in your repository. For more
information,see the ePolicy Orchestrator Administrator’s Guide.

Installing via System Management Server

Dr Solomon’s Anti-Virus software is Microsoft BackOffice compliant and
comes with a prewritten package definition file (.PDF) for use with System
Management Server (SMS). You can use SMS to install the software on
multiple workstations across your network. To learn how to use SMS to
deploy the Dr Solomon’s Anti-Virus installation package, consult your
Microsoft SMS documentation.

Installing via Tivoli IT Director

You can create a distributable custom installation package using the Tivoli IT
Director management console’s Software Distribution feature.

Follow these steps:

1. Open the Tivoli IT Director Management Console.

74 Dr Solomon’sAnti-Virus

Installing Dr Solomon’sAnti-Virus

2. Choose Open from the Software Distribution option, then choose

Custom Package. The Create Custom Package configuration pages

appear.

3. Click the General tab, then follow these substeps:

a. Enter a name for the package that you are about to create.
b. Select Stream package directly to managed system.
c. Enter a value of 32 in the Required Memory text box.
d. Entera value of 30 in the Disk Space text box.

4. To enable Tivoli to distribute Dr Solomon’s Anti-Virussoftware to

Windows 95 and Windows 98 systems, select the Windows 9x tab.Enter
the appropriate information in the panel.

5. To enable Tivoli to distribute Dr Solomon’s Anti-Virussoftware to

Windows NT systems, select the Windows NT tab. Enter theappropriate
informationinthepanel.

For more information, consult your Tivoli documentation.

Installing via ZENworks

ZENworks allows network administrators to deploy Dr Solomon’s Anti-Virus
software to users’ workstations. To learn how to use ZENworks to deploy the
Dr Solomon’s Anti-Virus installation package, consultyour NovellZENworks
documentation.

Exporting Dr Solomon’s Anti-Virus custom settings

Dr Solomon’s Software provides a small utility that you can use to put a Dr
Solomon’s Anti-Virus installation package together with all of the
configuration settings you want to use for eachtarget computer. Dr Solomon’s
Software releases this utility, the Custom Installation Creator, apart from the
Dr Solomon’s Anti-Virus product package. In order to use it to create the
package, you must import the configuration settings you want from an .INI
file. This means that you must first install the Dr Solomon’s Anti-Virus
software on your computer, choose the settings you want to use, then export
those settings to an .INI file.

The Dr Solomon’s Anti-Virus program package contains another utility,
MSI_INST.EXE, that allows you to import and export Dr Solomon’s
Anti-Virus configuration settings. You can use this utility to prepare an .INI
for use with the Custom Installation Creator, or you can use it to import
settings directly from an existing .INI file.

Administrator’s Guide 75

Installing Dr Solomon ’sAnti-Virus

The MSI_INST.EXE utility runs from the command line with this syntax:

msi_inst.exe /option [value]

Table 2-1 onpage 59 lists the options you can use with the utility. Tolearn how

to use the .INI file you create with MSI_INST.EXE to customize your
installation, see the documentation for the Custom Installation Creator.

Table 2-1. MSI_INST.EXE command-line switches

Option Purpose Usage

IMPORT Import settings into a Dr

Solomon’s Anti-Virus installation
from an .INI file you designate

EXPORT Export settings from a Dr

Solomon’s Anti-Virus installation
to an .INI file you designate

EXPOPTIONS Export certain settings from Dr

Solomon’s Anti-Virus. Use this
option in conjunction with the
/EXPORT option. If you do not
specify which components to
export, MSI_INST.EXE will export
all settings. You can export these
Dr Solomon’s Anti-Virus settings:

/IMPORT<path and filename>

/EXPORT<path and filename>

/EXPOPTIONS <decimal value>

76 Dr Solomon’sAnti-Virus

Installing Dr Solomon’sAnti-Virus

Table 2-1. MSI_INST.EXE command-line switches

Option Purpose Usage

Export nothing [generally unused] 0x00000000h
Export System Scan 0x00000001h
Export E-Mail Scan 0x00000002h
Export Internet Scan 0x00000004h
Export AvConsol.exe settings 0x00000008h
Export Scheduled Tasks 0x00000010h
Export Default On-Demand Scan 0x00000020h
Export All (default) 0x00000800h
The settings specifiers appear here in hexadecimal format. To

determinea valueto usewith the/EXPOPTIONS option, combineeach
of the settings you want to use together with a logical OR operation,
then pass the resulting value as a decimal.

Example: Suppose you want to export System Scan, AvConsol, and
Scheduled Tasks settings only. Combine the hexadecimal values for
these settings together in a logical OR operation:

0x00000001h | 0x00000008h | 0x00000010h = 0x00000019h

Next, take the resulting value and change the hexadecimal number to
a decimal number:

0x00000019h = 25

Add the decimal value to the command line:

msi_inst.exe /EXPOPTIONS 25

RESTART StartDr Solomon’sAnti-Virusafter

the MSI_INST.EXE utility finishes
importing or exporting settings.

PRESERVE Preserve existing paths. This tells

MSI_INST.EXE to set a switch in
the resulting .INI file that will
adjust paths when the Custom
Installation Creator or another Dr
Solomon’s Anti-Virus installation
imports a new .INI file. This will
update any paths that point to
executablesand log files to reflect
the current installation. You may
use this option only with the
/EXPORT option; it will not work
with the /IMPORT option.

/RESTART

/PRESERVE

Administrator’s Guide 77

Installing Dr Solomon ’sAnti-Virus

Table 2-1. MSI_INST.EXE command-line switches

Option Purpose Usage

PREVIOUS Preserves the settings from

previous WinGuard scanner
settings. This option tells
MSI_INST.EXE to read settings
from a previous .INI file and set
new installation settings
appropriately.

NOTE: You may use this option
only to preserve Dr Solomon’s
Anti-Virus v4.0.2 and v4.0.3
settings.

PREVIOUS_EXCLUDE Preserves the exclusion settings

from previous WinGuard scanner
installations. This option tells
MSI_INST.EXE to read the
exclusionsettings from a previous
.INI file and set new installation
appropriately. You must use this
option with the /PREVIOUS
option.

NOTE: You may use this option
only to preserve Dr Solomon’s
Anti-Virus v4.0.2 and v4.0.3
settings.

/PREVIOUS <path and filename>

/PREVIOUS_EXCLUDE <path
and filename>

78 Dr Solomon’sAnti-Virus

3Removing Infections

From Your System

If you suspect you have a virus...

First of all, don’t panic! Although far from harmless, most viruses that infect
your machine will not destroy data, play pranks, or render your computer
unusable. Even the comparatively rare viruses that do carry a destructive
payload usually produce their nasty effects in response to a trigger event. In
most cases, unless you actually see evidence of a payload that has activated,
you will have time to deal with the infection properly. The very presence of
these small snippets of unwanted computer code can, however, interfere with
your computer’s normal operation, consume system resources and have other
undesirable effects, so you should take them seriously and be sure to remove
them when you encounter them.

A second idea to keep in mind is that odd computer behavior, unexplained
system crashes, or other unpredictable events might have causes other than
virus infections. If you believe you have a virus on your computer because of
occurrences such as these, scanning for viruses might not produce the results
you expect, but it will help eliminate one potential cause of your computer
problems.

The safest course of action you can take is to install Dr Solomon’s Anti-Virus, then
scan your system immediately and thoroughly.

3

When you install Dr Solomon’s Anti-Virus, Setup starts the Dr Solomon’s
Anti-Virus application to examine your computer’s memory and your hard
disk boot sectors in order to verify that it can safely copy its files to your hard
disk without risking their infection. If the application does not detect any
infections, continue with the installation, then scan your system thoroughly as
soon as you restart your computer. File-infector viruses that don’t load into
your computer’s memory or hide in your hard disk boot blocks might still be
lurking somewhere on your system. See Chapter 2, “Installing Dr Solomon’s

Anti-Virus,”to learn aboutvirus scanning duringsetup. See Chapter4, “Using
Dr Solomon’s Anti-Virus,” to learn how to scan your system.

If the Dr Solomon’s Anti-Virus application detects a virusduring Setup, you’ll
need to remove it from your system before you install the program. To learn
howtodoso,followthestepsthatbeginonpage 80.

IMPORTANT: To ensure maximum security, you should also follow
these same steps if a Dr Solomon’s Anti-Virus component detects a virus
in your computer’s memory at some point after installation.

Administrator’s Guide 79

Removing Infections From Your System

If Dr Solomon’sAnti-Virus found an infection during installation, follow these
steps carefully:

1. Quit Setup immediately, then shut down your computer.

Be sure to turn the power to your system off completely. Do not press
CTRL+ALT+DEL or reset your computer to restart your system—some
viruses can remain intact during this type of “warm” reboot.

2. If you created a Dr Solomon’s Anti-Virus Emergency Disk during

installation, orif yourDr Solomon’s Anti-Virus copy came with one, lock
the disk, then insert it into your floppy drive.

 NOTE: If your Dr Solomon’s Anti-Virus copy did not come with an

Emergency Disk, or if you could not create an Emergency Disk
during Setup, you must create a disk on an uninfected computer.
Locate a computer that you know is virus-free, then follow the steps
outlinedin“Using the Emergency Disk Creation utility” on page 53.

3. Wait at least 15 seconds, then start your computer again.

 NOTE: If you have your computer's BIOS configured to look for its

boot code first on your C: drive, you should change your BIOS
settings so that your computer looks first on your A: or B: drive.
Consult your hardware documentation to learn how to configure
your BIOS settings.

After it starts your computer, the Emergency Disk runs a batch file that
leadsyouthroughanemergencyscanoperation.Thebatchfilefirstasks
you whether you cycled the power on your computer.

4. Type y to continue, then skip to Step 7.Ifyoudidnot,typen,thenturn

your computer completely off and begin again.
The batch file next tells you that it will start a scan operation.

5. Read the notice shown on your screen, then press any key on your

keyboard to continue.
The Emergency Disk will load the files it needs to conduct the scan

operation into memory. If you have extended memory on your
computer, it will load its database files into that memory for faster
execution.

80 Dr Solomon’sAnti-Virus

Removing Infections F rom Your System

BOOTSCAN.EXE, the command-line scanner that comes with the
Emergency Disk, will make four scanning passes to examine your hard
disk boot sectors, your Master Boot Record (MBR), your system
directories, program files, and other likely points of infection on all of
your local computer's hard disks.

 NOTE: Dr Solomon’s Software strongly recommends that you do

not interrupt the BOOTSCAN.EXE scanner as it runs its scan
operation. TheEmergency Disk will not detect macro viruses, script
viruses, or Trojan horse programs, but it will detect common
file-infecting and boot-sector viruses.

If BOOTSCAN.EXE finds a virus, it will try to clean the infected file. If it
fails, it will deny access to the file and continue the scan operation. After
it finishes all of its scanning passes, it shows a summary report the
actions it took for each hard disk on the screen. The report tells you:

• How many files the scanner examined

• How many files of that number are clean, or uninfected

• How many files contain potential infections

• How many files of that number the scanner cleaned

• How many boot sector and MBR files the scanner examined

• How many boot sector and MBR files contain potential infections

If the scanner detects a virus, it beeps and reports the name and location
of the virus on the screen.

6. When the scanner finishes examining your hard disk, remove the

Emergency Disk from your floppy drive, then shut your computer off
again.

7. When BOOTSCAN.EXE finishes examining your system, you can either:

• Return to working with your computer. If BOOTSCAN.EXE did

not find a virus, or if it cleaned any infected files it did find, remove
the Emergency Disk from your floppy drive, then restart your
computer normally. If you had planned to install Dr Solomon’s
Anti-Virus on your computer but stopped when Setup found an
infection, you can now continue with your installation.

• Try to clean or delete infected files yourself. If BOOTSCAN.EXE

found a virus that it could not remove, it will identify the infected
filesandtellyouthatitcouldnotcleanthem,orthatitdoesnothave
a current remover for the infecting virus.

Administrator’s Guide 81

Removing Infections From Your System

As your next step, locate and delete the infected file or files. You will
need to restore any files that you delete from backup files. Be sure to
check your backup files for infections also. Be sure also to use the Dr
Solomon’s Anti-Virus application at your earliest opportunity to scan
your system completely in order to ensure that your system is virus-free.

Deciding when to scan for viruses

Maintaining a secure computing environment means scanning for viruses
regularly. Depending on the degree to which you swap floppy disks with
other users, share files over your local area network, or interact with other
computers via the Internet, scanning “regularly” could mean scanning as little
as once a month, or as often as several times a day. Other good habits to
cultivate include scanning right beforeyou back upyour data, scanning before
you install new or upgraded software—particularly software you download
from other computers—and scanning when you start or shut down your
computer each day. Use the WinGuard scanner to examine your computer’s
memory and maintain a constant level of vigilance between scan operations.
Under most circumstances this should protect your system’s integrity.

If you connect to the Internet frequently or download files often, you might
want to supplement regular scan operations with tasks based on certain
events.UsetheDrSolomon’sAnti-VirusConsoletoscheduleasetofscan
tasks to monitor your system at likely points of virus entry, such as

• whenever you insert a floppy disk into your computer’s floppy drive

• whenever you start an application or open a file

• wheneveryouconnecttoormapanetworkdrivetoyoursystem
Even the most diligent scan operation can miss new viruses, however, if your

virus definition (.DAT) filesare notup to date. YourDr Solomon’s Anti-Virus
purchase entitles you to free virus updates for the life of your product, so you
can update frequently to keep current. The Dr Solomon’s Anti-Virus Console
includes AutoUpdate and AutoUpgrade tasks you can use to update your
.DAT files and the Dr Solomon’s Anti-Virus engine. To learn how to update
your software, see Chapter 6, “Updating and Upgrading Dr Solomon’s

Anti-Virus.”.

82 Dr Solomon’sAnti-Virus

Removing Infections F rom Your System

Recognizing when you don’thaveavirus

Personal computers have evolved, in their short life span, into highly complex
machines that run ever-more-complicated software. Even the most farsighted
of the early PC advocates could never have imagined the tasks for which
workers, scientists and others have harnessed the modern PC’s speed,
flexibility and power. But that power comes with a price: hardware and
software conflicts abound, applications and operating systems crash, and
hundreds of other problems can crop up in unlikely places. In some cases,
these failures can resemble the sorts of effects that you see when you have a
virus infection with a destructive payload. Other computer failures seem to
defy explanation or diagnosis, so frustrated users blame virus infections,
perhaps as a last resort.

Because viruses do leave traces, however, you can usually eliminate a virus
infection as a possible cause for computer failure relatively quickly and easily.
Running a full Dr Solomon’s Anti-Virus scan operation will uncover all of the
known virus variants that can infect your computer, and quite a few of those
that have noknown nameor defined behavior. Although that doesn’t give you
much help when your problem really results from an interrupt conflict, it does
allow you to eliminate one possible cause. With that knowledge, you can then
go on to troubleshoot your system with a full-featured system diagnosis
utility.

More serious is the confusion that results from virus-like programs, virus
hoaxes, and real security breaches. Anti-virus software simply cannot detect
or respond to such destructive agents as Trojan horse programs that have
never appeared previously, orthe perception that a virus exists where none in
fact does.

The best way to determine whether your computer failure resulted from a
virusattackistorunacompletescanoperation,thenpayattentiontothe
results. If the Dr Solomon’s Anti-Virus application does not report a virus
infection, the chances that your problem results from one are slight—look to
other causes for the symptoms you see. Furthermore, in the very rare event
that the Dr Solomon’s Anti-Virus application does miss a macro virus or
another virus type that has in fact infected your system, the chances are
relatively small that serious failures will follow in its wake. You can, however,
rely on Dr Solomon’s researchers to identify and isolate the virus, then to
update Dr Solomon’s Anti-Virus immediately so that you can detect and, if
possible, remove the virus when you next encounter it. To learn how you can
help the virus researchers help you, see “Reporting new items for anti-virus

data file updates” on page xx.

Administrator’s Guide 83

Removing Infections From Your System

Understanding false detections

A false detection occurs when Dr Solomon’s Anti-Virus sends a virus alert
message or makes a log file entry that identifies a virus where none actually
exists. You are more likely to see false detections if you have anti-virus
software from more than one vendor installed on your computer, because
some anti-virus software stores the code signatures it uses for detection
unprotected in memory.

Thesafestcoursetotakewhenyouseeanalertmessageorlogentryistotreat
it as a genuine virus threat, and to take the appropriate steps to remove the
virus from your system. If, however, you believe that a Dr Solomon’s
Anti-Virus component has generated a false detection—it has, for example,
flagged as infected a file that you have used safely for years—verify that you
are not seeing one of these situations before you call Network Associates
technical support:

• You have more than one anti-virus program running. If so, Dr Solomon’s

Anti-Virus components might detect unprotected code signatures that
another program uses and report them as viruses. To avoid this problem,
configure yourcomputer to run only one anti-virus program, then shutthe
computer down and turn off the power. Wait a few seconds before you
start the computer again so that the system can clear the other program’s
code signature strings from memory.

• You have a BIOS chip with anti-virus features. Some BIOS chips provide

anti-virus features that can trigger false detections when Dr Solomon’s
Anti-Virus runs. Consult theuser’s guide for your computer to learn about
how its anti-virus features work and how to disable them if necessary.

• You have an older Hewlett-Packard or Zenith PC. Some older models

from these manufacturers modify the boot sectors on their hard disks each
time they start up. Dr Solomon’s Anti-Virus components might detect
thesemodificationsas viruses,when they arenot. Consult the user’sguide
foryourcomputertolearnwhetheritusesself-modifyingbootcode.To
solve the problem, use the Dr Solomon’s Anti-Virus Command Line
scanner to add validation information to the startup files themselves. This
methoddoes notsave information about the boot sector or the master boot
record.

• You have copy-protected software. Depending on the type of copy

protectionused, Dr Solomon’s Anti-Viruscomponentsmight detecta virus
inthebootsectororthemasterbootrecordonsomefloppydisksorother
media.

If none of these situations apply, contact Network Associates technical
support or send e-mail to virus_research@nai.com with a detailed explanation
of the problem you encountered.

84 Dr Solomon’sAnti-Virus

Removing Infections F rom Your System

Responding to viruses or malicious software

Because Dr Solomon’s Anti-Virus consists of several component programs,
any one ofwhich could beactive at onetime, your possible responses toa virus
infection or to other malicious software will depend upon which program
detected the harmful object, how you have that program configured to
respond, and other circumstances. The following sections give an overview of
the default responsesavailable with eachprogram component.To learn about
other possible responses, see the chapter that discusses each component in
detail.

Responding when the WinGuard scanner detects malicious software

The WinGuard scanner consists of four related modules that provide you with
continuous background protection against viruses, harmful Java and ActiveX
objects, and dangerous websites. A fifth module controls security settings for
the other four. You can configure and activate each module s eparately, or use
them together to provide maximum protection. See Chapter 4, “Using Dr

Solomon’s Anti-Virus,” to learn how to configure each module. Because each

module detects different objects or scans differentvirus entry points, each has
a different set of default responses.

Responding when the System Scan module detects a virus

How this module reacts when it finds a virus depends on which operating
system your computer runs and, onWindows 95 and Windows 98 systems, on
which prompt option you chose in the module’s Action page.

By default on Windows 95 and Windows 98 systems, this module looks for
viruses each time you run, copy, create, or rename any file on your system, or
whenever you read from a floppy disk. On Windows NT Workstation v4.0
and Windows 2000 Professional systems, the System Scan module looks for
viruseswheneveryoursystemoranothercomputerreadsfilesfromorwrites
files to your hard disk or a floppy disk.

Because it scans files this way, the System Scan module can serve as a backup
in case anyof the otherWinGuard modules does notdetect a viruswhen it first
enters your system. In its initial configuration, the module will deny access to
any infected file it finds, whichever Windows version your computer runs. It
will also display an alert message that asks you what you want to do about the
virus (see Figure3-11onpage96). The response options you see in this dialog
box come from default choices or choices you make in the System Scan
module’s Action page.

As this dialog box awaits your response, your computer will continue to
process any other tasks it is running in the background.

Administrator’s Guide 85

Removing Infections From Your System

Figure 3-1. Initial System Scan response options

If your computer runs Windows 95 or Windows 98, you can choose to display
a different virus alert message. If you select BIOS in the Prompt Type area in
the System Scan module Action page, you’ll see instead a full-screen warning
that offers you response options (Figure 3-2).

Figure 3-2. Full-screen Warning - System Scan response options

This alert message brings your system to a complete halt as it awaits your
response. No other programs or system operationsrun on your system until
you choose one of the response options shown.

The BIOS prompt type also allows you to substitute a Continueoption for the
Move File option. To do so, select the Continue access checkbox in the
module’s Action page.

 NOTE: The Continue access checkbox is unavailable if your computer

runs Windows NT Workstation v4.0 or Windows 2000, or if you choose
the GUI prompt type on Windows 95 and Windows 98 systems.

86 Dr Solomon’sAnti-Virus

Removing Infections F rom Your System

To take one of the actions shown in an alert message, click a button in the
Access to File Was Denied dialog box, or type the letter highlighted in yellow
when you see the full-screen warning. If you want the same response to apply
to all infected files that the System Scan module finds during this scan
operation,selectthe Applyto allitems checkboxin the dialog box. Thisoption
is not available in the full-screen alert message.

Your responseoptions are:

• Clean the file. Click Clean in the dialog box, or type C when you see the

full-screen warning, to tell the System Scan module to try to remove the
virus code from the infected file. If the module succeeds, it will restore the
file to its original state and record its success in its log file.

If the module cannot clean the file—either because it has no remover or
because the virus has damaged the file beyond repair—it will note this
result in its log file, but will take no other action. In most cases, you should
delete such files and restore them from backups.

• Delete the file. Click Delete in the dialog box, or type D when you see the

full-screen warning, to tell the System Scan module to delete the infected
file immediately. By default, the module notes the name of the infected file
in its log file so that you have a record of which files it flagged as infected.
You can then restore deleted files from backup copies.

• Move the file to a different location. Click Move File to in the dialog box.

This opens a browse window you can use to locate your quarantine folder
or another folder youwant to use to isolateinfectedfiles.Once you selecta
folder, the System Scan module moves the infected file to it immediately.
This option does not appear in the full-screen warning.

• Continue working. TypeO whenyou see the full-screen warning to tellthe

System Scan module to let you continue working with the file and not take
any other action. Normally, you would use this option to bypass files that
you know do not haveviruses. Ifyou haveits reporting option enabled, the
module will note each incident in its log file. This option is not available in
the Access to File Was Denied dialog box.

• Stop the scan operation. Click Stop in the dialog box, or type S whenyou

see the full-screen warning, to tell the System Scan module to deny any
access to the file but not to take any other action. Denying access to the file
prevents anyone from opening, saving, copying or renaming it. To
continue, you must click OK. If you have its reporting option enabled, the
module will note each incident in its log file.

• Exclude the file from scanoperations. Click Exclude in the dialog box, or

type E when you see the full-screen warning, to tell the System Scan
module to exclude this file from future scan operations. Normally, you
would use this option to bypass files that you know do not have viruses.

Administrator’s Guide 87

Removing Infections From Your System

Responding when the E-mail Scan module detects a virus

This module looks for viruses in e-mail messages you receive via corporate
e-mail systems such as cc:Mail and Microsoft Exchange. In its initial
configuration, the module will prompt you to choose a response from among
five options whenever it detects a virus (Figure 3-3).

Figure 3-3. E-mail Scan module response options

Click the button that corresponds to the response you want. Your choices are:

• Stop. Clickthis button to stopthe scan operationimmediately.The E-Mail

Scan module will record each detection in its log file, but it will take no
other action to respond to the virus.

• Clean. Click this button to have the E-Mail Scan module software try to

remove the virus code from the infected file. If it cannot clean the
file—either because it has no remover or because the virus has damaged
the file beyond repair—it will record the incident in its log file and suggest
alternative responses. In the example shown in Figure 3-3,themodule
failed to clean the EICAR test file—a mock “virus” written specifically to
test whether your anti-virus softwareinstalled correctly.Here, Cleanis not
an available response option. In most cases, you should delete such files
and restore them from backups.

• Delete. Click this button to delete the file from your system immediately.

Bydefault,theE-MailScanmodulewillrecordthenameoftheinfectedfile
in its log so that you can restore the file from a backup copy.

• Move file to. Click this button to open a dialog box that you can use to

locate your quarantine folder, or another suitable folder. Once you have
located the correct folder, click OK to transfer the file to that location.

• Exclude. Click this button to prevent the E-Mail Scan module from

flagging this file as a virus in future scan operations. If you copy this file to
your hard disk, this also prevents the System Scan module from detecting
the file as a virus.

88 Dr Solomon’sAnti-Virus

Removing Infections F rom Your System

When you choose your action, the E-Mail Scan module will implement it
immediately and add a notice to the top of the e-mail message that contained
theinfectedattachment.Thenoticegivesthefilenameoftheinfected
attachment, identifies the name of the infecting virus, and describes the action
thatthemoduletookinresponse.

To apply the response you chose to all infected files that the E-Mail Scan
module finds during this scan operation, select the Apply to all items
checkbox in the dialog box.

Responding when the Download Scan module detects a virus

This module looks for viruses in e-mail messages and other files you receive
over the Internet via a web browser or such e-mail cli ent programs as Eudora
Light, Netscape Mail, Outlook Express, and others. It will not detect files you
download with FTP client applications, terminal applications, or through
similar channels. In its initial configuration, the module will prompt you to
choose a response from among three options whenever it detects a virus
(Figure 3-4). A fourth option provides you with additional information.

Figure 3-4. Download Scan response options

Click the button that corresponds to the response you want. Your choices are:

• Continue. Click this to tell the Download Scan module to take no action

andtoresumescanning.Themodulewillcontinueuntilitfindsanother
virus on your system or until it finishes the scan operation. Normally, you
would use this option to bypass files that you know do not have viruses, or
if you plan to leave your computer unattended as you download e-mail or
other files. The module will note each incident in its log file.

• Delete. Click this to tell the Download Scan module to delete the infected

file or e-mail attachment you received. By default, the module notes the
name of the infected file in its log file.

• Move.Click this totell the Download Scan module to movethe infectedfile

to the quarantine directory you chose in the module’s Action property
page.

Administrator’s Guide 89

Removing Infections From Your System

When you choose your action, the Download Scan module will implement it
immediately and add a notice to the top of the e-mail message that contained
theinfectedattachment.Thenoticegivesthefilenameoftheinfected
attachment, identifies the name of the infecting virus, and describes the action
thatthemoduletookinresponse.

Responding when Internet Filter detects a virus

This module looks for hostile Java classes or ActiveX controls whenever you
visit a website or download files from the Internet. You can also use the
module to block your browser from connecting to dangerous Internet sites. In
its initial configuration, the module will ask you whenever it encounters a
potentially harmful object whether youwantto Denythe object access to your
system or you want to Continue and allow the object access. It will offer you
the same choice when you try to connect to a potentially dangerouswebsite
(Figure 3-5).

Figure 3-5. Internet Filter response options

Respondingwhenthe Dr Solomon’sAnti-Virus application detects avirus

When you first run a scan operation with the Dr Solomon’s Anti-Virus
application, it will look at all files on your C: drive that are susceptible to virus
infection. This provides you with a basic level of protection that you can
extend by configuring Dr Solomon’s Anti-Virus to suit your own needs.

With this initial configuration, the program will prompt you for a response
whenitfindsavirus(Figure 3-6).

90 Dr Solomon’sAnti-Virus

Removing Infections F rom Your System

Figure 3-6. Dr Solomon’s Anti-Virus response options

To respond to the infection, click one of the buttons shown. You can tell the Dr
Solomon’s Anti-Virus application to:

• Continue. Click this button to proceed with the scan operation and have

the application list each infected file in the lower portion of its main
window (Figure 3-7), record each detection in its log file, but take no other
action to respond to the virus. Once the application finishes examining
your system, you can right-click each file listed in the main window, then
choose an individual response from the shortcut menu that appears.

Figure 3-7. Dr Solomon’s Anti-Virus main window

• Stop. Click this button to stop the scan operation immediately. The Dr

Solomon’s Anti-Virus application will list the infected files it has already
found in the lower portion of its main window (Figure 3-7) and record each
detection in its log file, but it will take no other action to respond to the
virus. Right-click each infected file listed in the main window, then choose
an individual response from the shortcut menu that appears.

Administrator’s Guide 91

Removing Infections From Your System

• Clean. Click this button to have the Dr Solomon’s Anti-Virus application

try to remove the virus code from the infected file. If it cannot clean the
file—either because it has no remover or because the virus has damaged
the file beyond repair—it will record the incident in its log file and suggest
alternative responses.

In the example shown in Figure 3-6 on page 91, the application failed to
clean the EICAR Test Virus—a mock “virus” written specifically to test
whether your anti -virus software installed correctly. Here, Clean is not an
available response option. In most cases, you should delete such files and
restore them from backups.

• Delete. Click this button to delete the file from your system immediately.

By default, the Dr Solomon’s Anti-Virus application will record the name
of the infected file in its log so that you can restore the file from a backup
copy.

• Move file to. Click this to open a dialog box that you can use to locate your

quarantine folder, or another suitable folder. Once you have located the
correct folder, click OK to transfer the file to that location.

• Info. Click this to connect to the Network Associates Virus Information

Library. This choice does not take any action against the virus that the
application detected. See “Viewing virus information”onpage94 for more
details.

Responding when the E-Mail Scan extension detects a virus

TheE-MailScanextensionincludedwithDrSolomon’sAnti-Virusletsyou
scan incoming Microsoft Exchange or Microsoft Outlook e-mail messages for
virusesatyourinitiative.Youcanstartitfromwithineithere-mailclientand
use it to supplement the continuous e-mail background scanning you get with
theWinGuardE-MailScanmodule.TheE-MailScanmodulealsooffersthe
ability to cleaninfected file attachmentsor stopthe scanoperation, a capability
that complements the continuous monitoring that the E-Mail Scan module
provides. In its initial configuration, E-Mail Scan extension will prompt you
for a response when it finds a virus (Figure 3-8).

92 Dr Solomon’sAnti-Virus

Removing Infections F rom Your System

Figure 3-8. E-Mail Scan response options

To respond to the infection, click one of the buttons shown. You can tell the
E-Mail Scan extension to:

• Continue.Click thisbutton to have theE-Mail Scan extensionproceed with

its scan operation, list each infected file it finds in the lower portion of its
main window (Figure 3-9), and record each detection in its log file, but it
will take no other action to respond to the virus. The extension will
continue until it finds another virus on your system or until it finishes the
scan operation. Once it has finished examining your system, you can
right-click each file listed in the main window, then choose an individual
response from the shortcut menu that appears.

• Stop. Clickthis button to stopthe scan operation immediately.The E-Mail

Scan extension will list the infected files it has already found in the lower
portion of its main window (Figure 3-9) andrecord eachdetection in its log
file, but it will take no other action to respond to the virus. Right-click each
infected file listed in the main window, then choose an individual response
fromtheshortcutmenuthatappears.

Administrator’s Guide 93

Removing Infections From Your System

• Clean. Click this button to remove the virus code from the infected file. If

the E-Mail Scan extension cannot clean the file—either because it has no
remover or because the virus has damaged the file beyond repair—it will
record the incident in its log file and suggest alternative responses. In the
example shown in Figure 3-8, Clean is not an available response option. In
most cases, you should delete such files and restore them from backups.

Figure 3-9. E-Mail Scan extension window

• Delete. Click this button to delete the file from your system. Bydefault, the

E-Mail Scan extension will record the name of the infected file in its log so
that you can restore the file from a backup copy.

• Move.Click this button to open a dialog box that you can useto locate your

quarantine folder, or another suitable folder. Once you have located the
correct folder, click OK to transfer the file to that location.

• Info. Click this to connect to the Network Associates Virus Information

Library. This choice does not cause the E-Mail Scan extension to take any
action against the virus it detected. See “Viewing virus information” for
more details.

Viewing virus information

Clicking Info in any of the virus response dialog boxes will connect you to the
Network Associates online Virus Information Library, provided you have an
Internet connection and web browsing software available on your computer
(Figure 3-10).

94 Dr Solomon’sAnti-Virus

Removing Infections F rom Your System

Figure 3-10. Network Associates Virus Information Library page

The Virus Information Library has a collection of documents that give you a
detailed overview of each virus that Dr Solomon’s Anti-Virus can detect or
clean, along with information about how the virus infects and alters files, and
the sorts of payloads it deploys. The site lists the most prevalent or riskiest
viruses, provides a search engine you can use to search for particular virus
descriptions alphabetically or by virus name, displays prevalence tables,
technical documents, and white papers, and gives you access to technical data
you can use to remove viruses from your system.

To connect directly to the library, visit the site at:

http://vil.nai.com/villib/alpha.asp

You can also connect directly to the Library from the Dr Solomon’s Anti-Virus
Console —choose Virus List from the View menu in the Console window. To
learnmoreabouttheConsole,seeChapter 6, “Creating and Configuring

Scheduled Tasks” in the Dr Solomon’s Anti-Virus User’s Guide.

The Library is part of the AVERT website, which you can visit at:

http://www.nai.com/asp_set/anti_virus/avert/intro.asp

The AVERT website has a wealth of virus-related data and software.
Examples include:

• Current information and risk assessments on emerging and active virus

threats

Administrator’s Guide 95

Removing Infections From Your System

• Software tools you can use to extend or supplement your Dr Solomon’s

anti-virus software

• Contact addresses and other information for submitting questions, virus

samples, and other data

• Virus definition updates-this includes daily beta .DAT file updates,

EXTRA.DAT files, updated Emergency .DAT files, current scan engine
versions, regular weekly .DAT and SuperDAT updates, and new
incremental virus definition files (.UPD)

• Beta and “first look” software

Viewing file information

If you right-click a file listed either in the Dr Solomon’s Anti-Virus main
window or the E-Mail Scan window (see Figure 3-9 on page 94), then choose
File Info from the shortcut menu that appears, Dr Solomon’s Anti-Virus will
open an Infected Item Information dialog box that names the file, lists its type
and size in bytes, gives its creation and modification dates, and describes its
attributes (Figure 3-11).

96 Dr Solomon’sAnti-Virus

Figure 3-11. Infected File Information property page

Removing Infections F rom Your System

Submitting a virus sample

If you have a suspicious file that you believe contains a virus, or experience a
system condition that might result from an infection—but Dr Solomon’s
Anti-Virushas not detected a virus—Dr Solomon’sSoftwarerecommendsthat
you send a sample toits anti-virus research team for analysis. When you do so,
be sure to start your system in the apparently infected state—don’t start your
system from a clean floppy disk.

Several methods exist for capturing virus samples and submitting them. The
next sections discuss methods suited to particular conditions.

Using the SendVirus utility to submit a file sample

Because the majority of later-generation viruses tend to infect document and
executable files, Dr Solomon’sAnti-Virus comes with SENDVIR.EXE, a utility
that makes it easy to submit an infected file sample to Dr Solomon’s
researchers for analysis.

To submit a sample file, follow these steps:

1. If you must connect to your network or Internet Service Provider (ISP) to
send e-mail, do so first. If you are continuously connected to your
network or ISP, skip this step and go to Step 2.

2. Locate the file SENDVIR.EXE in your Dr Solomon’s Anti-Virus program
directory. If you installed your Dr Solomon’s Anti-Virus with default
Setup options, you'll find the file here:

C:\Program Files\Network Associates\Dr Solomon’s Anti-Virus

3. Double-click the file to display the first AVERT Labs Response Center
wizard panel (Figure 3-12).

Figure 3-12. First S ENDVIR.EXE panel

Administrator’s Guide 97

Removing Infections From Your System

4. Read the welcome message, then click Next> to continue.
The Contact Information wizard panel appears.

5. If you want AVERT researchers to contact you about your submission,
enter your name, e-mail address, and any message you would like to
send along with your submission in the text boxes provided, then click

Next> to continue.

Figure 3-13. Your Contact Information panel

 NOTE: You may submit samples anonymously, if you prefer—

The Choose Files to Submit panel appears (Figure 3-14).

98 Dr Solomon’sAnti-Virus

simply leave the text boxes in this panel blank. You are under no
obligation to supply any information at all here.

Figure 3-14. Choose Files to Submit panel

Removing Infections F rom Your System

6. Click Add to open a dialog box you can use to locate the files you believe
are infected.

Choose as many files as you want to submit for analysis. To remove any
of the files shown in the submission list, select it, then click Remove.
When you have chosen all of the files you want to submit, click Next> to
continue.

The Choose Upload Options panel appears (Figure 3-15).

Figure 3-15. Choose Upload options panel

If the file you want to submit is a Microsoft Office document or another
file that contains information you want to keep confidential, select the
Remove my personal data from file checkbox, then click Ne xt> to
continue. This tells the SENDVIR.EXE utility to strip everything out of
the file except macros or executable code.

The Choose E-Mail Service panel appears (Figure 3-16).

Figure 3-16. Choose E-mail Service panel

Administrator’s Guide 99

Removing Infections From Your System

7. Select the type of e-mail client application you have installed on your
computer. Your choices are:

• Use outgoing Internet mail. Click this button to send your sample

viaaSimpleMailTransferProtocole-mailclient,suchasEudora,
NetScape Mail, or Microsoft Outlook Express. Next, enter the name
of your outgoing mail server in the text box
provided-mail.domain.com, for example.

• Use Microsoft Exchange. Click thisbutton to sendyoursample via

your corporate e-mail system. To use this option, your e-mail
system must support the Messaging Application Programming
Interface (MAPI) standard. Examples of such systems include
Microsoft Exchange, Microsoft Ou tlo ok, and Lotuscc:Mail v8.0 and
later.

8. Click Finish to send your sample.

 NOTE: Although Dr Solomon’s researchers appreciate your

submission, their receipt of your message does not obligate them to
take any action, provide any remedy, or respond in any way to you.

SENDVIR.EXE will use the e-mail client you specified to send your
sample.You must have connectedtoyournetworkorISPinorderforthis
process to succeed.

Capturing boot sector, file-infecting, and macro viruses

If you suspect you have a virus infection, you can collect a sample of the virus,
then either create a floppy disk image to send via e-mail, or mail the floppy
disk itself to Dr Solomon’s anti-virus researchers. The researchers would also
benefit from having samples of your system files on a separate floppy disk.

Capturing boot-sector infections

Boot-sector viruses frequently hide in areas of your hard disk or floppy disks
that you ordinarily cannot see or read. You can, however, capture a sample of
a boot-sector virus by deliberately infecting a floppy disk with it.

To do so, follow these steps:

1. Insert a new, unformatted floppy disk into your floppy drive.

2. Click Start in the Windows taskbar, point to Programs,thenchoose

MS-DOS Promptif your computer runs Windows 95 or Windows 98, or
Command Prompt if your computer runs Windows NT Workstation

v4.0 or Windows 2000 Professional.

100 Dr Solomon’sAnti-Virus