Mcafee VIRUSSCAN 4.5 ADMINISTRATOR GUIDE

Download

Page 1

McAfee VirusScan

Administrator’s Guide

Version 4.5

Page 2

Copyright © 1998-2000 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, CNX, Compass 7, CyberCop, CyberMedia, Data Security Letter, Discover, Distributed Sniffer System, Dr Solomon’s, Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT, GroupShield, HelpDesk, Hunter, ISDN Tel/Scope, LM 1, LANGuru, Leading Help Desk Technology, Magic Solutions, MagicSpy, MagicTree, Magic University, MagicWin, MagicWord, McAfee, McAfee Associates, MoneyMagic, More Power To You, Multimedia Cloaking, NetCrypto, NetOctopus, NetRoom, NetScan, Net Shield, NetShield, NetStalker, Net Tools, Network Associates, Network General, Network Uptime!, NetXRay, Nuts & Bolts, PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty Good Privacy, PrimeSupport, RecoverKey, RecoverKey-International, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, Site Meter, Sniffer, SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR), SupportMagic, Switch PM, TeleSniffer, TIS, TMach, TMeg, Total Network Security, Total Network Visibility, Total Service Desk, Total Virus Defense, T-POD, Trusted Mach, Trusted Mail, Uninstaller, Virex, Virex-PC, Virus Forum, ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker WebWall, and ZAC 2000 are registered

trademarks of Network Associates and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

LICENSE AGREEMENT

NOTICE TO ALL USERS: FOR THE SPECIFIC TERMS OF YOUR LICENSE TO USE THE SOFTWARE THAT THIS DOCUMENTATION DESCRIBES, CONSULT THE README.1ST, LICENSE.TXT, OR OTHER LICENSE DOCUMENT THAT ACCOMPANIES YOUR SOFTWARE, EITHER AS A TEXT FILE OR AS PART OF THE SOFTWARE PACKAGING. IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH THEREIN, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.

Issued March 2000/VirusScan v4.5 Anti-Virus Software

Page 3

Table of Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Anti-virus protection as information security . . . . . . . . . . . . . . . . . . . . . . . . .vii

Information security as a business necessity . . . . . . . . . . . . . . . . . . . . . . . . . .x

Active Virus Defense security perimeters . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

McAfee anti-virus research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

How to contact McAfee and Network Associates . . . . . . . . . . . . . . . . . . . . . xiv

Customer service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Technical support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xv

Download support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Network Associates training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Comments and feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Reporting new items for anti-virus data file updates . . . . . . . . . . . . . .xvii

International contact information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

Chapter 1. About VirusScan Software . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Introducing VirusScan anti-virus software . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

How does VirusScan software work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

What comes with VirusScan software? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

What’s new in this release? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

Chapter 2. Installing VirusScan Software . . . . . . . . . . . . . . . . . . . . . . . .33

Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33

System requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33

Installing VirusScan software on a local computer . . . . . . . . . . . . . . . . . . . . .34

Installation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34

Using the Emergency Disk Creation utility . . . . . . . . . . . . . . . . . . . . . . .47

Determining when you must restart your computer . . . . . . . . . . . . . . . .53

Testing your installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54

Modifying or removing your local VirusScan installation . . . . . . . . . . .55

Administrator’s Guide iii

Page 4

Table of Contents

Installing VirusScan software on other computers . . . . . . . . . . . . . . . . . . . . .57

Using Active Directory and Group Policies . . . . . . . . . . . . . . . . . . . . . . .57

Installing VirusScan software using command-line options . . . . . . . . .58

Using Management Edition software . . . . . . . . . . . . . . . . . . . . . . . . . . . .65

Using ePolicy Orchestrator to deploy VirusScan software . . . . . . . . . .66

Installing via System Management Server . . . . . . . . . . . . . . . . . . . . . . . .67

Installing via Tivoli IT Director . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67

Installing via ZENworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68

Exporting VirusScan custom settings . . . . . . . . . . . . . . . . . . . . . . . . . . .68

Chapter 3. Removing Infections From Your System . . . . . . . . . . . . . . .71

If you suspect you have a virus... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71

Deciding when to scan for viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74

Recognizing when you don’t have a virus . . . . . . . . . . . . . . . . . . . . . . . . . . . .75

Understanding false detections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76

Responding to viruses or malicious software . . . . . . . . . . . . . . . . . . . . . . . . .77

Submitting a virus sample . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88

Using the SendVirus utility to submit a file sample . . . . . . . . . . . . . . . .88

Capturing boot sector, file-infecting, and macro viruses . . . . . . . . . . . .91

Chapter 4. Using VirusScan Software . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Using the VShield scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

Using the VirusScan application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

Scheduling scan tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98

Using specialized scanning tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98

Chapter 5. Sending Alert Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Using the Alert Manager Client Configuration utility . . . . . . . . . . . . . . . . . . .99

VirusScan software as an Alert Manager Client . . . . . . . . . . . . . . . . . . . . . .100

Configuring the Alert Manager Client utility . . . . . . . . . . . . . . . . . . . . . . . . . .100

Chapter 6. Updating and Upgrading VirusScan Software . . . . . . . . . . 105

Developing an updating strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105

Update and upgrade methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106

Understanding the AutoUpdate utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108

Configuring the AutoUpdate Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109

iv McAfee VirusScan Anti-Virus Software

Page 5

Table of Contents

Understanding the AutoUpgrade utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118

Configuring the AutoUpgrade utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119

Using the AutoUpgrade and SuperDAT utilities together . . . . . . . . . .128

Deploying an EXTRA.DAT file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130

Appendix A. Using VirusScan Administrative Utilities . . . . . . . . . . . . 133

Understanding the VirusScan control panel . . . . . . . . . . . . . . . . . . . . . . . . .133

Opening the VirusScan control panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133

Choosing VirusScan control panel options . . . . . . . . . . . . . . . . . . . . . . . . . .134

Appendix B. Installed Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

What’s in this appendix? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137

VShield scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137

Dependent and related files for the VirusScan application . . . . . . . . .143

Alert Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146

VirusScan control panel files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147

ScreenScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148

VirusScan Emergency Disk files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150

Dependent and related files for the E-Mail Scan extension . . . . . . . . .152

Appendix C. Using VirusScan Command-line Options . . . . . . . . . . . . 155

Adding advanced VirusScan engine options . . . . . . . . . . . . . . . . . . . . . . . . .155

Running the VirusScan Command Line program . . . . . . . . . . . . . . . . . . . . .155

Running the on-demand scanner with command-line arguments . . . . . . . .164

Appendix D. Using the SecureCast Service to Get New Data Files . . 171

Introducing the SecureCast service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171

Why should I update my data files? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172

Which data files does the SecureCast service deliver? . . . . . . . . . . . .172

Installing the BackWeb client and SecureCast service . . . . . . . . . . . . . . . . .173

System requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173

Troubleshooting the Enterprise SecureCast service . . . . . . . . . . . . . .183

Unsubscribing from the SecureCast service . . . . . . . . . . . . . . . . . . . . .183

Support resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183

SecureCast service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183

BackWeb client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184

Administrator’s Guide v

Page 6

Table of Contents

Appendix E. Network Associates Support Services . . . . . . . . . . . . . . 185

Adding value to your McAfee product . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185

PrimeSupport options for corporate customers . . . . . . . . . . . . . . . . . .185

Ordering a corporate PrimeSupport plan . . . . . . . . . . . . . . . . . . . . . . .188

PrimeSupport options for home users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190

How to reach international home user support . . . . . . . . . . . . . . . . . . .192

Ordering a PrimeSupport plan for home users . . . . . . . . . . . . . . . . . . .192

Network Associates consulting and training . . . . . . . . . . . . . . . . . . . . . . . . .193

Professional Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193

Total Education Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194

Appendix F. Understanding iDAT Technology . . . . . . . . . . . . . . . . . . .195

Understanding incremental .DAT files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195

How does iDAT updating work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196

What does McAfee post each week? . . . . . . . . . . . . . . . . . . . . . . . . . . .197

Best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198

Frequently asked questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

vi McAfee VirusScan Anti-Virus Software

Page 7

Preface

Anti-virus protection as information security

“The world changed [on March 26, 1999]—does anyone doubt that? The world

is different. Melissa proved that ... and we are very fortunate ... the world could have gone very close to meltdown.”

—Padgett Peterson, Chief Info Security Architect, Lockheed Martin Corporation,

on the 1999 “Melissa” virus epidemic

By the end of the 1990s, many information technology professionals had begun to recognize that they could not easily separate how they needed to respond to new virus threats from how they already dealt with deliberate network security breaches. Dorothy Denning, co-editor of the 1998 computer security handbook Internet Besieged: Countering Cyberspace Scofflaws, explicitly grouped anti-virus security measures in with other network security

measures, classifying them as a defense against malicious “injected code.”

Denning justified her inclusive grouping on based on her definition of information security as “the effective use of safeguards to protect the confidentiality, integrity, authenticity, availability, and non-repudiation of information and information processing systems.” Virus payloads had always threatened or damaged data integrity, but by the time she wrote her survey article, newer viruses had already begun to mount sophisticated attacks that struck at the remaining underpinnings of information security. Denning’s classification recognized that newer viruses no longer merely annoyed system administrators or posed a relatively low-grade threat; they had in fact graduated to become a serious hazard.

Though not targeted with as much precision as an unauthorized network intrusion, virus attacks had begun to take on the color of deliberate information warfare. Consider these examples, many of which introduced quickly-copied innovations to the virus writer’s repertoire:

• W32/CIH.Spacefiller destroyed the flash BIOS in workstations it infected, effectively preventing them from booting. It also overwrote parts of the infected hard disk with garbage data.

• XM/Compat.A rewrote the data inside Microsoft Excel spreadsheet files. It used advanced polymorphic concealment techniques, which meant that with each infection it changed the signature bytes that indicated its presence and allowed anti-virus scanners to find it.

Administrator’s Guide vii

Page 8

Preface

• W32/Ska, though technically a worm, replaced the infected computer’s WinSock file so that it could attach itself to outgoing Simple Mail Transfer Protocol (SMTP) messages and postings to USENET news groups. This strategy made it commonplace in many areas.

• Remote Explorer stole the security privileges of a Windows NT domain administrator and used them to install itself as a Windows NT Service. It also deposited copies of itself in the Windows NT driver directory and carried with it a supporting Dynamic Link Library (.DLL) file that allowed it to randomly encrypt data files. Because it appeared almost exclusively at one corporate site, security experts speculated that it was a deliberate, targeted attack on the unfortunate company’s network integrity.

• Back Orifice, the product of a group calling itself the Cult of the Dead Cow, purported to give the owner of the client portion of the Back Orifice application complete remote access to any Windows 95 or Windows 98 workstation that runs the concealed companion server. That access—from anywhere on the Internet—allowed the client to capture keystrokes; open, copy, delete, or run files; transmit screen captures; and restart, crash, or shut down the infected computer. To add insult to injury, early Back Orifice releases on CD-ROM carried a W32/CIH.Spacefiller infection.

Throughout much of 1999, virus and worm attacks suddenly stepped up in intensity and in the public eye. Part of the reason for this, of course, is that many of the more notorious viruses and worms took full advantage of the Internet, beginning a long-predicted assault by flooding e-mail transmissions, websites, newsgroups and other available channels at an almost exponential rate of growth. They now bullied their way into network environments, spreading quickly and leaving a costly trail of havoc behind them.

W97M/Melissa, the “Melissa” virus, jolted most corporate information technology departments out of whatever remaining complacency they had held onto in the face of the newer virus strains. Melissa brought corporate e-mail servers down across the United States and elsewhere when it struck in March 1999. Melissa instructed e-mail client programs to send out infected e-mail messages to the first 50 entries in each target computer’s address book. This transformed a simple macro virus infection with no real payload into an effective denial-of-service attack on mail servers.

Melissa’s other principle innovation was its direct attempt to play on end-user psychology: it forged an e-mail message from a sender the recipient knew, and sent it with a subject line that urged that recipient to open both the message and the attached file. In this way, Melissa almost made the need for viral code to spread itself obsolete—end users themselves cooperated in its propagation, and their own computers blindly participated.

viii McAfee VirusScan Anti-Virus Software

Page 9

Preface

A rash of Melissa variants and copycats appeared soon after. Some, such as W97M/Prilissa, included destructive payloads. Later the same year, a number of new viruses and worms either demonstrated novel or unexpected ways to get into networks and compromise information security, or actually perpetuated attacks. Examples included:

• W32/ExploreZip.worm and its variants, which used some of Melissa’s techniques to spread, initially through e-mail. After it successfully infected a host machine, ExploreZip searched for unsecured network shares and quietly copied itself throughout a network. It carried a destructive payload that erased various Windows system files and Microsoft Office documents, replacing them with an unrecoverable zero-byte-length files.

• W32/Pretty.worm, which did Melissa one better by sending itself to every entry in the infected computer’s MAPI address book. It also connected to an Internet Relay Chat (IRC) server, joined a particular IRC channel, then opened a path to receive commands via the IRC connection. This potentially allowed those on the channel to siphon information from the infected computer, including the computer name and owner’s name, his or her dial-up networking user name and password, and the path to the system root directory.

• W32/FunLove.4099, which infected ActiveX .OCX files, among others. This meant that it could lurk on web pages with ActiveX content, and infect systems with low or nonexistent browser security settings as they downloaded pages to their hard disks. If a Windows NT computer user had logged into a system with administrative rights, the infecting virus would patch two critical system files that gave all users on the network —including the virus—administrative rights to all files on the target computer. It spread further within the network by attaching itself to files with the extensions .SCR, .OCX, and .EXE.

• VBS/Bubbleboy, a proof-of-concept demonstration that showed that a virus could infect target computers directly from e-mail messages themselves, without needing to propagate through message attachments. It effectively circumvented desktop anti-virus protection altogether, at least initially. Its combination of HTML and VBScript exploited existing vulnerabilities in Internet-enabled mail systems; its author played upon the same end-user psychology that made Melissa successful.

The other remarkable development in the year was the degree to which virus writers copied, fused, and extended each others’ techniques. This crosspollination had always occurred previously, but the speed at which it took place and the increasing sophistication of the tools and techniques that became available during this period prepared very fertile ground for a nervously awaited bumper crop of intricate viruses.

Administrator’s Guide ix

Page 10

Preface

Information security as a business necessity

Coincidentally or not, these darkly inventive new virus attacks and speedy propagation methods appeared as more businesses made the transition to Internet-based information systems and electronic commerce operations. The convenience and efficiency that the Internet brought to business saved money and increased profits. This probably also made these same businesses attractive targets for pranksters, the hacker underground, and those intent on striking at their favored targets.

Previously, the chief costs from a virus attack were the time and money it took to combat an infection and restore computer systems to working order. To those costs the new types of virus attacks now added the costs of lost productivity, network and server downtime, service denials for e-mail and other critical business tools, exposure—and perhaps widespread distribution —of confidential information, and other ills.

Ultimately, the qualifying differences between a hacker-directed security breach in a network and a security breach that results from a virus attack might become merely ones of intent and method, not results. Already new attacks have shaken the foundations of Net-enabled businesses, many of which require 24-hour availability for networks and e-mail, high data integrity, confidential customer lists, secure credit card data and purchase verification, reliable communications, and hundreds of other computer-aided transactional details. The costs from these virus attacks in the digital economy now cut directly into the bottom line.

Because they do, protecting that bottom line means implementing a total solution for information and network security—one that includes comprehensive anti-virus protection. It’s not enough to rely only on desktop-based anti-virus protection, or on haphazard or ad hoc security measures. The best defense requires sealing all potential points by which viruses can enter or attack your network, from the firewall and gateway down to the individual workstation, and keeping the anti-virus sentries at those points updated and current.

Part of the solution is deploying the McAfee Active Virus Defense* software suite, which provides a comprehensive, multi-platform series of defensive perimeters for your network. You can also build on that security with the McAfee Active Security suite, which allows you to monitor your network against intrusions, watch actual network packet traffic, and encrypt e-mail and network transmissions. But even with anti-virus and security software installed, new and previously unidentified viruses will inevitably find their way into your network. That’s where the other part of the equation comes in: a thorough, easy-to-follow anti-virus security policy and set of practices for your enterprise—in the last analysis, only that can help to stop a virus attack before it becomes a virus epidemic.

x McAfee VirusScan Anti-Virus Software

Page 11

Active Virus Defense security perimeters

The McAfee Active Virus Defense product suite exists for one simple reason: there is no such thing as too much anti-virus protection for the modern, automated enterprise. Although at first glance it might seem needlessly redundant to protect all of your desktop computers, file and network servers, gateways, e-mail servers and firewalls, each of these network nodes serves a different function in your network, and has different duties. An anti-virus scanner designed to keep a production workstation virus-free, for example, can’t intercept viruses that flood e-mail servers and effectively deny their services. Nor would you want to make a file server responsible for continuously scanning its client workstations—the cost in network bandwidth would be too high.

More to the point, each node’s specialized functions mean that viruses infect them in different ways that, in turn, call for optimized anti-virus solutions. Viruses and other malicious code can enter your network from a variety of sources—floppy disks and CD-ROMs, e-mail attachments, downloaded files, and Internet sites, for example. These unpredictable points of entry mean that infecting agents can slip through the chinks in incomplete anti-virus armor.

Desktop workstations, for example, can spread viruses by any of a variety of means—via floppy disks, by downloading them from the Internet, by mapping server shares or other workstations’ hard disks. E-mail servers, by contrast, rarely use floppy disks and tend not to use mapped drives—the Melissa virus showed, however, that they are quite vulnerable to e-mail–borne infections, even if they don’t execute the virus code themselves.

Preface

At the desktop: VirusScan software

The McAfee Active Virus Defense product suite matches each point of vulnerability with a specialized, and optimized, anti-virus application. At the desktop level, the cornerstone of the suite is the VirusScan anti-virus product. VirusScan software protects some of your most vulnerable virus entry points with an interlocking set of scanners, utilities, and support files that allow it to cover:

• Local hard disks, floppy disks, CD-ROMs, and other removable media. The VShield scanner resides in memory, waiting for local file access of any sort. As soon as one of your network users opens, runs, copies, saves, renames, or sets attributes for any file on their system—even from mapped network drives—the VShield scanner examines it for infections.

You can supplement this continuous protection with scan operations you configure and schedule for your own needs. Comprehensive security options let you protect individual options with a password, or run the entire application in secure mode to lock out all unauthorized access.

Administrator’s Guide xi

Page 12

Preface

• System memory, boot sectors, and master boot records. You can configure regularly scheduled scan operations that examine these favorite virus hideouts, or set up periodic operations whenever a threat seems likely.

• Microsoft Exchange mailboxes. VirusScan software includes a specialized E-Mail Scan extension that assumes your network user’s Microsoft Exchange or Outlook identity to scan his or her mailbox directly—before viruses get downloaded to the local workstation. This can prevent some Melissa-style infections and avoid infections from the next generation of VBS/Bubbleboy descendants.

• Internet mail and file downloads. The VShield scanner includes two modules that specialize in intercepting SMTP and POP-3 e-mail messages, and that can examine files your network users download from Internet sites. The E-Mail Scan and Download Scan modules work together to scan the stream of file traffic that most workstations generate and receive daily.

• Hostile code. The Olympus scan engine at the heart of VirusScan software routinely looks for suspicious script code, macro code, known Trojan horse programs—even virus jokes or hoaxes. With the help of the VShield Internet Filter module, it also blocks hostile ActiveX and Java objects, many of which can lurk unnoticed on websites, waiting to deploy sophisticated virus-like payloads. The Internet Filter module can even block entire websites, preventing network users from visiting sites that pose a threat to network integrity.

VirusScan software ties these powerful scanning capabilities together with a powerful set of alerting, updating, and management tools. These include:

• Alert Manager client configuration. VirusScan software includes a client configuration utility you can use to have it pass alert messages directly to Alert Manager servers on your network, to a Centralized Alerting share, or to a Desktop Management Interface administrative application. Other alert methods include local custom messages and beeps, detection alerts and response options, and e-mail alert messages.

• Next-generation AutoUpdate and AutoUpgrade utilities. AutoUpdate v4.5 features complete and transparent support for new incremental .DAT file updates, which save you time and network bandwidth by adding only virus definitions you don’t already have installed on your system. The new AutoUpgrade version includes support for v1.2 of the McAfee SuperDAT utility, which you can use to update the Olympus scan engine and its support files.

• Integration with McAfee ePolicy Orchestrator management software. Centralized anti-virus management takes a quantum leap forward with this highly scalable management tool. VirusScan software ships with a plug-in library file that works with the ePolicy Orchestrator server to enforce enterprise-wide network security policies.

xii McAfee VirusScan Anti-Virus Software

Page 13

You can use ePolicy Orchestrator to configure, update, distribute and manage VirusScan installations at the group, workstation or user level. Schedule and run scan tasks, change configurations, update .DAT and engine files—all from a central console.

Taken together, the Active Virus Defense suite forms a tight series of anti-virus security perimeters around your network that protect you against both external and internal sources of infection. Those perimeters, correctly configured and implemented in conjunction with a clear enterprise-wide anti-virus security policy, do indeed offer useful redundancy, but their chief benefit lies in their ability to stop viruses as they enter your network, without your having to await a tardy or accidental discovery. Early detection contains infections, saves on the costs of virus eradication, and in many cases can prevent a destructive virus payload from triggering.

McAfee anti-virus research

Even the best anti-virus software is only as good as its latest update. Because as many as 200 to 300 viruses and variants appear each month, the .DAT files that enable McAfee software to detect and remove viruses can get quickly outdated. If you have not updated the files that originally came with your software, you could risk infection from newly emerging viruses. McAfee has, however, assembled the world’s largest and most experienced anti-virus research staff in its Anti-Virus Emergency Response Team (AVERT)*. This premier anti-virus research organization has a worldwide reach and a “follow the sun” coverage policy, that ensures that you get the files you need to combat new viruses as soon as—and often before—you need them. You can take advantage of many of the direct products of this research by visiting the AVERT research site on the Network Associates website:

Preface

http://www.nai.com/asp_set/anti_virus/introduction/default.asp

Contact your McAfee representative, or visit the McAfee website, to find out how to enlist the power of the Active Virus Defense security solution on your side:

http://www.mcafeeb2b.com/

Administrator’s Guide xiii

Page 14

Preface

How to contact McAfee and Network Associates

Customer service

On December 1, 1997, McAfee Associates merged with Network General Corporation, Pretty Good Privacy, Inc., and Helix Software, Inc. to form Network Associates, Inc. The combined Company subsequently acquired Dr Solomon’s Software, Trusted Information Systems, Magic Solutions, and CyberMedia, Inc.

A January 2000 company reorganization formed four independent business units, each concerned with a particular product line. These are:

• Magic Solutions. This division supplies the Total Service desk product line and related products

• McAfee. This division provides the Active Virus Defense product suite and related anti-virus software solutions to corporate and retail customers.

• PGP Security. This division provides award-winning encryption and security solutions, including the PGP data security and encryption product line, the Gauntlet firewall product line, the WebShield E-ppliance hardware line, and the CyberCop Scanner and Monitor product series.

• Sniffer Technologies. This division supplies the industry-leading Sniffer network monitoring, reporting, and analysis utility and related software.

Network Associates continues to market and support the product lines from each of the new independent business units. You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to the Network Associates Customer Service department at the following address:

Network Associates Customer Service 4099 McEwan, Suite 500 Dallas, Texas 75244 U.S.A.

The department's hours of operation are 8:00 a.m. and 8:00 p.m. Central Time, Monday through Friday

Other contact information for corporate-licensed customers:

Phone: (972) 308-9960

Fax: (972) 619-7485 (24-hour, Group III fax)

E-Mail: services_corporate_division@nai.com

Web: http://www.nai.com

xiv McAfee VirusScan Anti-Virus Software

Page 15

Other contact information for retail-licensed customers:

Phone: (972) 308-9960

Fax: (972) 619-7485 (24-hour, Group III fax)

E-Mail: cust_care@nai.com

Web: http://www.mcafee.com/

Technical support

McAfee and Network Associates are famous for their dedication to customer satisfaction. The companies have continued this tradition by making their sites on the World Wide Web valuable resources for answers to technical support issues. McAfee encourages you to make this your first stop for answers to frequently asked questions, for updates to McAfee and Network Associates software, and for access to news and virus information

World Wide Web http://www.nai.com/asp_set/services/technical_support

If you do not find what you need or do not have web access, try one of our automated services.

Preface

/tech_intro.asp

Internet techsupport@mcafee.com

CompuServe GO NAI

America Online keyword MCAFEE

If the automated services do not have the answers you need, contact Network Associates at one of the following numbers Monday through Friday between 8:00

A.M. and 8:00 P.M. Central time to find out about Network Associates

technical support plans.

For corporate-licensed customers:

Phone (972) 308-9960

Fax (972) 619-7845

For retail-licensed customers:

Phone (972) 855-7044

Fax (972) 619-7845

This guide includes a summary of the PrimeSupport plans available to McAfee customers. To learn more about plan features and other details, see

Appendix E, “Network Associates Support Services.”

Administrator’s Guide xv

Page 16

Preface

To provide the answers you need quickly and efficiently, the Network Associates technical support staff needs some information about your computer and your software. Please include this information in your correspondence:

• Product name and version number

• Computer brand and model

• Any additional hardware or peripherals connected to your computer

• Operating system type and version numbers

• Network type and version, if applicable

• Contents of your AUTOEXEC.BAT, CONFIG.SYS, and system LOGIN

script

• Specific steps to reproduce the problem

Download support

To get help with navigating or downloading files from the Network Associates or McAfee websites or FTP sites, call:

Corporate customers (801) 492-2650

Retail customers (801) 492-2600

Network Associates training

For information about scheduling on-site training for any McAfee or Network Associates product, call Network Associates Customer Service at: (972) 308-9960.

Comments and feedback

McAfee appreciates your comments and reserves the right to use any information you supply in any way it believes appropriate without incurring any obligation whatsoever. Please address your comments about McAfee anti-virus product documentation to: McAfee, 20460 NW Von Neumann, Beaverton, OR 97006-6942, U.S.A. You can also send faxed comments to (503) 466-9671 or e-mail to tvd_documentation@nai.com.

xvi McAfee VirusScan Anti-Virus Software

Page 17

Reporting new items for anti-virus data file updates

McAfee anti-virus software offers you the best available detection and removal capabilities, including advanced heuristic scanning that can detect new and unnamed viruses as they emerge. Occasionally, however, an entirely new type of virus that is not a variation on an older type can appear on your system and escape detection.

Because McAfee researchers are committed to providing you with effective and up-to-date tools you can use to protect your system, please tell them about any new Java classes, ActiveX controls, dangerous websites, or viruses that your software does not now detect. Note that McAfee reserves the right to use any information you supply as it deems appropriate, without incurring any obligations whatsoever. Send your questions or virus samples to:

virus_research@nai.com Use this address to send questions or

virus samples to our North America and South America offices

vsample@nai.com Use this address to send questions or

virus samples gathered with Dr Solomon’s Anti-Virus Toolkit* software to our offices in the United Kingdom

Preface

To report items to the McAfee European research office, use these e-mail addresses:

virus_research_europe@nai.com Use this address to send questions or

virus samples to our offices in Western Europe

virus_research_de@nai.com Use this address to send questions or

virus samples gathered with Dr Solomon’s Anti-Virus Toolkit software to our offices in Germany

To report items to the McAfee Asia-Pacific research office, or the office in Japan, use one of these e-mail addresses:

virus_research_japan@nai.com Use this address to send questions or

virus samples to our offices in Japan and East Asia

virus_research_apac@nai.com Use this address to send questions or

virus samples to our offices in Australia and South East Asia

Administrator’s Guide xvii

Page 18

Preface

International contact information

To contact Network Associates outside the United States, use the addresses, phone numbers and fax numbers below.

Network Associates Australia

Level 1, 500 Pacific Highway

St. Leonards, NSW

Sydney, Australia 2065

Phone: 61-2-8425-4200

Fax: 61-2-9439-5166

Network Associates Belgique

BDC Heyzel Esplanade, boîte 43

1020 Bruxelles

Belgique

Phone: 0032-2 478.10.29

Fax: 0032-2 478.66.21

Network Associates Canada

139 Main Street, Suite 201

Unionville, Ontario

Canada L3R 2G6

Phone: (905) 479-4189

Fax: (905) 479-4540

Network Associates Austria

Pulvermuehlstrasse 17

Linz, Austria

Postal Code A-4040

Phone: 43-732-757-244

Fax: 43-732-757-244-20

Network Associates do Brasil

Rua Geraldo Flausino Gomez 78

Cj. - 51 Brooklin Novo - São Paulo

SP - 04575-060 - Brasil

Phone: (55 11) 5505 1009

Fax: (55 11) 5505 1006

Network Associates People’s Republic of China

New Century Office Tower, Room 1557

No. 6 Southern Road Capitol Gym

Beijing

People’s Republic of China 100044

Phone: 8610-6849-2650

Fax: 8610-6849-2069

Network Associates Denmark

Lautruphoej 1-3

2750 Ballerup

Danmark

Phone: 45 70 277 277

Fax: 45 44 209 910

xviii McAfee VirusScan Anti-Virus Software

NA Network Associates Oy

Mikonkatu 9, 5. krs.

00100 Helsinki

Finland

Phone: 358 9 5270 70

Fax: 358 9 5270 7100

Page 19

Preface

Network Associates France S.A.

50 Rue de Londres

75008 Paris

France

Phone: 33 1 44 908 737

Fax: 33 1 45 227 554

Network Associates Hong Kong

19th Floor, Matheson Centre

3 Matheson Way

Causeway Bay

Hong Kong 63225

Phone: 852-2832-9525

Fax: 852-2832-9530

Network Associates Japan, Inc.

Toranomon 33 Mori Bldg.

3-8-21 Toranomon Minato-Ku

Tokyo 105-0001 Japan

Phone: 81 3 5408 0700

Fax: 81 3 5408 0780

Network Associates Deutschland GmbH

Ohmstraße 1

D-85716 Unterschleißheim

Deutschland

Phone: 49 (0)89/3707-0

Fax: 49 (0)89/3707-1199

Network Associates Srl

Centro Direzionale Summit

Palazzo D/1

Via Brescia, 28

20063 - Cernusco sul Naviglio (MI)

Italy

Phone: 39 02 92 65 01

Fax: 39 02 92 14 16 44

Network Associates Latin America

1200 S. Pine Island Road, Suite 375

Plantation, Florida 33324

United States

Phone: (954) 452-1731

Fax: (954) 236-8031

Network Associates de Mexico

Andres Bello No. 10, 4 Piso

4th Floor

Col. Polanco

Mexico City, Mexico D.F. 11560

Phone: (525) 282-9180

Fax: (525) 282-9183

Network Associates International B.V.

Gatwickstraat 25

1043 GL Amsterdam

The Netherlands

Phone: 31 20 586 6100

Fax: 31 20 586 6101

Administrator’s Guide xix

Page 20

Preface

Network Associates Portugal

Av. da Liberdade, 114

1269-046 Lisboa

Portugal

Phone: 351 1 340 4543

Fax: 351 1 340 4575

Network Associates South East Asia

78 Shenton Way

#29-02

Singapore 079120

Phone: 65-222-7555

Fax: 65-220-7255

Network Associates Sweden

Datavägen 3A

Box 596

S-175 26 Järfälla

Sweden

Phone: 46 (0) 8 580 88 400

Fax: 46 (0) 8 580 88 405

Net Tools Network Associates South Africa

Bardev House, St. Andrews

Meadowbrook Lane

Epson Downs, P.O. Box 7062

Bryanston, Johannesburg

South Africa 2021

Phone: 27 11 706-1629

Fax: 27 11 706-1569

Network Associates Spain

Orense 4, 4

Planta.

Edificio Trieste

28020 Madrid, Spain

Phone: 34 9141 88 500

Fax: 34 9155 61 404

Network Associates AG

Baeulerwisenstrasse 3

8152 Glattbrugg

Switzerland

Phone: 0041 1 808 99 66

Fax: 0041 1 808 99 77

Network Associates Taiwan

Suite 6, 11F, No. 188, Sec. 5

Nan King E. Rd.

Taipei, Taiwan, Republic of China

Phone: 886-2-27-474-8800

Fax: 886-2-27-635-5864

xx McAfee VirusScan Anti-Virus Software

Network Associates International Ltd.

227 Bath Road

Slough, Berkshire

SL1 5PP

United Kingdom

Phone: 44 (0)1753 217 500

Fax: 44 (0)1753 217 520

Page 21

1About VirusScan Software

Introducing VirusScan anti-virus software

Eighty percent of the Fortune 100—and more than 50 million users worldwide—choose VirusScan anti-virus software to protect their computers from the staggering range of viruses and other malicious agents that has emerged in the last decade to invade corporate networks and cause havoc for business users. They do so because VirusScan software offers the most comprehensive desktop anti-virus security solution available, with features that spot viruses, block hostile ActiveX and Java objects, identify dangerous websites, stop infectious e-mail messages—and even root out “zombie” agents that assist in large-scale denial-of-service attacks from across the Internet. They do so also because they recognize how much value McAfee anti-virus research and development brings to their fight to maintain network integrity and service levels, ensure data security, and reduce ownership costs.

With more than 50,000 viruses and malicious agents now in circulation, the stakes in this battle have risen considerably. Viruses and worms now have capabilities that can cost an enterprise real money, not just in terms of lost productivity and cleanup costs, but in direct bottom-line reductions in revenue, as more businesses move into e-commerce and online sales, and as virus attacks proliferate.

VirusScan software first honed its technological edge as one of a handful of pioneering utilities developed to combat the earliest virus epidemics of the personal computer age. It has developed considerably in the intervening years to keep pace with each new subterfuge that virus writers have unleashed. As one of the first Internet-aware anti-virus applications, it maintains its value today as an indispensable business utility for the new electronic economy. Now, with this release, VirusScan software adds a whole new level of manageability and integration with other McAfee anti-virus tools.

Architectural improvements mean that each VirusScan component meshes closely with the others, sharing data and resources for better application response and fewer demands on your system. Full support for McAfee ePolicy Orchestrator management software means that network administrators can handle the details of component and task configuration, leaving you free to concentrate on your own work. A new incremental updating technology, meanwhile, means speedier and less bandwidth-intensive virus definition and scan engine downloads—now the protection you need to deal with the blindingly quick distribution rates of new-generation viruses can arrive faster than ever before. To learn more about these features, see “What’s new in this

release?” on page 29.

Administrator’s Guide 21

Page 22

About VirusScan Software

The new release also adds multiplatform support for Windows 95, Windows 98, Windows NT Workstation v4.0, and Windows 2000 Professional, all in a single package with a single installer, but optimized to take advantage of the benefits each platform offers. Windows NT Workstation v4.0 and Windows 2000 Professional users, for example, can run VirusScan software with differing security levels that provide a range of enforcement options for system administrators. That way, corporate anti-virus policy implementation can vary from the relatively casual—where an administrator might lock down a few critical settings, for example—to the very strict, with predefined settings that users cannot change or disable at all.

At the same time, as the cornerstone product in the McAfee Active Virus Defense and Total Virus Defense security suites, VirusScan software retains the same core features that have made it the utility of choice for the corporate desktop. These include a virus detection rate second to none, powerful heuristic capabilities, Trojan horse program detection and removal, rapidresponse updating with weekly virus definition (.DAT) file releases, daily beta .DAT releases, and EXTRA.DAT file support in crisis or outbreak situations. Because more than 300 new viruses or malicious software agents appear each month McAfee backs its software with a worldwide reach and 24-hour “follow the sun” coverage from its Anti-Virus Emergency Response Team (AVERT).

Even with the rise of viruses and worms that use e-mail to spread, that flood e-mail servers, or that infect groupware products and file servers directly, the individual desktop remains the single largest source of infections, and is often the most vulnerable point of entry. VirusScan software acts as a tireless desktop sentry, guarding your system against more venerable virus threats and against the latest threats that lurk on websites, often without the site owner’s knowledge, or spread via e-mail, whether solicited or not.

In this environment, taking precautions to protect yourself from malicious software is no longer a luxury, but a necessity. Consider the extent to which you rely on the data on your computer and the time, trouble and money it would take to replace that data if it became corrupted or unusable because of a virus infection. Corporate anti-virus cleanup costs, by some estimates, topped $16 billion in 1999 alone. Balance the probability of infection—and your company’s share of the resulting costs—against the time and effort it takes to put a few common sense security measures in place, and you can quickly see the utility in protecting yourself.

Even if your own data is relatively unimportant to you, neglecting to guard against viruses might mean that your computer could play unwitting host to a virus that could spread to computers that your co-workers and colleagues use. Checking your hard disk periodically with VirusScan software significantly reduces your system’s vulnerability to infection and keeps you from losing time, money and data unnecessarily.

22 McAfee VirusScan Anti-Virus Software

Page 23

How does VirusScan software work?

VirusScan software combines the anti-virus industry’s most capable scan engine with top-notch interface enhancements that give you complete access to that engine’s power. The VirusScan graphical user interface unifies its specialized program components, but without sacrificing the flexibility you need to fit the software into your computing environment. The scan engine, meanwhile, combines the best features of technologies that McAfee and Dr Solomon researchers developed independently for more than a decade.

Fast, accurate virus detection

The foundation for that combination is the unique development environment that McAfee and Dr Solomon researchers constructed for the engine. That environment includes Virtran, a specialized programming language with a structure and “vocabulary” optimized for the particular requirements that virus detection and removal impose. Using specific library functions from this language, for instance, virus researchers can pinpoint those sections within a file, a boot sector, or a master boot record that viruses tend to infect, either because they can hide within them, or because they can hijack their execution routines. This way, the scanner avoids having to examine the entire file for virus code; it can instead sample the file at well defined points to look for virus code signatures that indicate an infection.

About VirusScan Software

The development environment brings as much speed to .DAT file construction as it does to scan engine routines. The environment provides tools researchers can use to write “generic” definitions that identify entire virus families, and that can easily detect the tens or hundreds of variants that make up the bulk of new virus sightings. Continual refinements to this technique have moved most of the hand-tooled virus definitions that used to reside in .DAT file updates directly into the scan engine as bundles of generic routines. Researchers can even employ a Virtran architectural feature to plug in new engine “verbs” that, when combined with existing engine functions, can add functionality needed to deal with new infection techniques, new variants, or other problems that emerging viruses now pose.

This results in blazingly quick enhancements the engine’s detection capabilities and removes the need for continuous updates that target virus variants.

Encrypted polymorphic virus detection

Along with generic virus variant detection, the scan engine now incorporates a generic decryption engine, a set of routines that enables VirusScan software to track viruses that try to conceal themselves by encrypting and mutating their code signatures. These “polymorphic” viruses are notoriously difficult to detect, since they change their code signature each time they replicate.

Administrator’s Guide 23

Page 24

About VirusScan Software

This meant that the simple pattern-matching method that earlier scan engine incarnations used to find many viruses simply no longer worked, since no constant sequence of bytes existed to detect. To respond to this threat, McAfee researchers developed the PolyScan Decryption Engine, which locates and analyzes the algorithm that these types of viruses use to encrypt and decrypt themselves. It then runs this code through its paces in an emulated virtual machine in order to understand how the viruses mutate themselves. Once it does so, the engine can spot the “undisguised” nature of these viruses, and thereby detect them reliably no matter how they try to hide themselves.

“Double heuristics” analysis

As a further engine enhancement, McAfee researchers have honed early heuristic scanning technologies—originally developed to detect the astonishing flood of macro virus variants that erupted after 1995—into a set of precision instruments. Heuristic scanning techniques rely on the engine’s experience with previous viruses to predict the likelihood that a suspicious file is an as-yet unidentified or unclassified new virus.

The scan engine now incorporates ViruLogic, a heuristic technique that can observe a program’s behavior and evaluate how closely it resembles either a macro virus or a file-infecting virus. ViruLogic looks for virus-like behaviors in program functions, such as covert file modifications, background calls or invocations of e-mail clients, and other methods that viruses can use to replicate themselves. When the number of these types of behaviors—or their inherent quality—reaches a predetermined threshold of tolerance, the engine fingers the program as a likely virus.

The engine also “triangulates” its evaluation by looking for program behavior that no virus would display—prompting for some types of user input, for example—in order to eliminate false positive detections. This double-heuristic combination of “positive” and “negative” techniques results in an unsurpassed detection rate with few, if any, costly misidentifications.

Wide-spectrum coverage

As malicious agents have evolved to take advantage of the instant communication and pervasive reach of the Internet, so VirusScan software has evolved to counter the threats they present. A computer “virus” once meant a specific type of agent—one designed to replicate on its own and cause a limited type of havoc on the unlucky recipient’s computer. In recent years, however, an astounding range of malicious agents has emerged to assault personal computer users from nearly every conceivable angle. Many of these agents—some of the fastest-spreading worms, for instance—use updated versions of vintage techniques to infect systems, but many others make full use of the new opportunities that web-based scripting and application hosting present.

24 McAfee VirusScan Anti-Virus Software

Page 25

About VirusScan Software

Still others open “back doors” into desktop systems or create security holes in a way that closely resembles a deliberate attempt at network penetration, rather than the more random mayhem that most viruses tend to leave in their wakes.

The latest VirusScan software releases, as a consequence, do not simply wait for viruses to appear on your system, they scan proactively at the source or work to deflect hostile agents away from your system. The VShield scanner that comes with VirusScan software has three modules that concentrate on agents that arrive from the Internet, that spread via e-mail, or that lurk on Internet sites. It can look for particular Java and ActiveX objects that pose a threat, or block access to dangerous Internet sites. Meanwhile, an E-Mail Scan extension to Microsoft Exchange e-mail clients, such as Microsoft Outlook, can “x-ray” your mailbox on the server, looking for malicious agents before they arrive on your desktop.

VirusScan software even protects itself against attempts to use its own functionality against your computer. Some virus writers embed their viruses inside documents that, in turn, they embed in other files in an attempt to evade detection. Still others take this technique to an absurd extreme, constructing highly recursive—and very large—compressed archive files in an attempt to tie up the scanner as it digs through the file looking for infections. VirusScan software accurately scans the majority of popular compressed file and archive file formats, but it also includes logic that keeps it from getting trapped in an endless hunt for a virus chimera.

What comes with VirusScan software?

VirusScan software consists of several components that combine one or more related programs, each of which play a part in defending your computer against viruses and other malicious software. The components are:

• The VirusScan application. This component gives you unmatched control over your scanning operations. You can configure and start a scan operation at any time—a feature known as “on-demand” scanning— specify local and network disks as scan targets, tell the application how to respond to any infections it finds, and see reports on its actions. You can start with the VirusScan Classic window, a basic configuration mode, then move to the VirusScan Advanced mode for maximum flexibility. A related Windows shell extension lets you right-click any object on your system to scan it.

• The VirusScan Console. This component allows you to create, configure and run VirusScan tasks at times you specify. A “task” can include anything from running a scan operation on a set of disks at a specific time or interval, to running an update or upgrade operation. You can also enable or disable the VShield scanner from the Console window.

Administrator’s Guide 25

Page 26

About VirusScan Software

the Console comes with a preset list of tasks that ensures a minimal level of protection for your system—you can, for example, immediately scan and clean your C: drive or all disks on your computer.

• The VShield scanner. This component gives you continuous anti-virus protection from viruses that arrive on floppy disks, from your network, or from various sources on the Internet. The VShield scanner starts when you start your computer, and stays in memory until you shut down. A flexible set of property pages lets you tell the scanner which parts of your system to examine, what to look for, which parts to leave alone, and how to respond to any infected files it finds. In addition, the scanner can alert you when it finds a virus, and can generate reports that summarize each of its actions.

The VShield scanner comes with three other specialized modules that guard against hostile Java applets and ActiveX controls, that scan e-mail messages and attachments that you receive from the Internet via Lotus cc:Mail, Microsoft Mail or other mail clients that comply with Microsoft’s Messaging Application Programming Interface (MAPI) standard, and that block access to dangerous Internet sites. Secure password protection for your configuration options prevents others from making unauthorized changes. The same convenient dialog box controls configuration options for all VShield modules.

• The E-Mail Scan extension. This component allows you to scan your Microsoft Exchange or Outlook mailbox, or public folders to which you have access, directly on the server. This invaluable “x-ray” peek into your mailbox means that VirusScan software can find potential infections before they make their way to your desktop, which can stop a Melissa-like virus in its tracks.

• A cc:Mail scanner. This component includes technology optimized for scanning Lotus cc:Mail mailboxes that do not use the MAPI standard. Install and use this component if your workgroup or network uses cc:Mail v7.x or earlier.

• The Alert Manager Client configuration utility. This component lets you choose a destination for Alert Manager “events” that VirusScan software generates when it detects a virus or takes other noteworthy actions. You can also specify a destination directory for older-style Centralized Alerting messages, or supplement either method with Desktop Management Interface (DMI) alerts sent via your DMI client software.

• The ScreenScan utility. This optional component scans your computer as your screen saver runs during idle periods.

26 McAfee VirusScan Anti-Virus Software

Page 27

About VirusScan Software

• The SendVirus utility. This component gives you an easy and painless way to submit files that you believe are infected directly to McAfee anti-virus researchers. A simple wizard guides you as you choose files to submit, include contact details and, if you prefer, strip out any personal or confidential data from document files.

• The Emergency Disk creation utility. This essential utility helps you to create a floppy disk that you can use to boot your computer into a virus-free environment, then scan essential system areas to remove any viruses that could load at startup.

• Command-line scanners. This component consists of a set of full-featured scanners you can use to run targeted scan operations from the MS-DOS Prompt or Command Prompt windows, or from protected MS-DOS mode. The set includes:

– SCAN.EXE, a scanner for 32-bit environments only. This is the

primary command-line interface. When you run this file, it first checks its environment to see whether it can run by itself. If your computer is running in 16-bit or protected mode, it will transfer control to one of the other scanners.

– SCANPM.EXE, a scanner for 16- and 32-bit environments. This

scanner provides you with a full set of scanning options for 16- and 32-bit protected-mode DOS environments. It also includes support for extended memory and flexible memory allocations. SCAN.EXE will transfer control to this scanner when its specialized capabilities can enable your scan operation to run more efficiently.

– SCAN86.EXE, a scanner for 16-bit environments only. This scanner

includes a limited set of capabilities geared to 16-bit environments. SCAN.EXE will transfer control to this scanner if your computer is running in 16-bit mode, but without special memory configurations.

– BOOTSCAN.EXE, a smaller, specialized scanner for use primarily

with the Emergency Disk utility. This scanner ordinarily runs from a floppy disk you create to provide you with a virus-free boot environment.

When you run the Emergency Disk creation wizard, VirusScan software copies BOOTSCAN.EXE, and a specialized set of .DAT files to a single floppy disk. BOOTSCAN.EXE will not detect or clean macro viruses, but it will detect or clean other viruses that can jeopardize your VirusScan software installation or infect files at system startup. Once you identify and respond to those viruses, you can safely run VirusScan software to clean the rest of your system.

Administrator’s Guide 27

Page 28

About VirusScan Software

All of the command-line scanners allow you to initiate targeted scan operations from an MS-DOS Prompt or Command Prompt window, or from protected MS-DOS mode. Ordinarily, you’ll use the VirusScan application’s graphical user interface (GUI) to perform most scanning operations, but if you have trouble starting Windows or if the VirusScan GUI components will not run in your environment, you can use the command-line scanners as a backup.

• Documentation. VirusScan software documentation includes:

– A printed Getting Started Guide, which introduces the product,

provides installation instructions, outlines how to respond if you suspect your computer has a virus, and provides a brief product overview. The printed Getting Started Guide comes with the VirusScan software copies distributed on CD-ROM discs—you can also download it as VSC45WGS.PDF from Network Associates website or from other electronic services.

– This user’s guide saved on the VirusScan software CD-ROM or

installed on your hard disk in Adobe Acrobat .PDF format. You can also download it as VSC45WUG.PDF from Network Associates website or from other electronic services. The VirusScan User’s Guide describes in detail how to use VirusScan and includes other information useful as background or as advanced configuration options. Acrobat .PDF files are flexible online documents that contain hyperlinks, outlines and other aids for easy navigation and information retrieval.

– An administrator’s guide saved on the VirusScan software

CD-ROM or installed on your hard disk in Adobe Acrobat .PDF format. You can also download it as VSC45WAG.PDF from Network Associates website or from other electronic services. The VirusScan Administrator’s Guide describes in detail how to manage and configure VirusScan software from a local or remote desktop.

– An online help file. This file gives you quick access to a full range of

topics that describe VirusScan software. You can open this file either by choosing Help Topics from the Help menu in the VirusScan main window, or by clicking any of the Help buttons displayed in VirusScan dialog boxes.

The help file also includes extensive context-sensitive—or “What's This”—help. To see these help topics, right-click buttons, lists, icons, some text boxes, and other elements that you see within dialog boxes. You can also click the ? symbol at the top-right corner in most dialog boxes, then click the element you want to see described to display the relevant topic. The dialog boxes with Help buttons open the help file to the specific topic that describes the entire dialog box.

28 McAfee VirusScan Anti-Virus Software

Page 29

– A LICENSE.TXT file. This file outlines the terms of your license to

use VirusScan software. Read it carefully—by installing VirusScan software you agree to its terms.

– A README.TXT file. This file contains last-minute additions or

changes to the documentation, lists any known behavior or other issues with the product release, and often describes new product features incorporated into incremental product updates. You’ll find the README.TXT file at the root level of your VirusScan software CD-ROM or in the VirusScan software program folder—you can open and print it from Windows Notepad, or from nearly any word-processing software.

What’s new in this release?

This VirusScan release introduces a number of innovative new features to the product’s core functionality, to its range of coverage, and to the details of its application architecture. A previous section, “How does VirusScan software

work?” on page 23, discusses many of these features. The single most

significant change between previous VirusScan versions and this release, however, is the integration of two separate VirusScan versions optimized to run on separate Windows platforms into a single product that runs on both. This single product also takes full advantage of each platform’s strengths.

About VirusScan Software

The next sections discuss other changes that this VirusScan release introduces.

Installation and distribution features

McAfee anti-virus products, including VirusScan software, now use the Microsoft Windows Installer (MSI), which comes with all Windows 2000 Professional systems. This Setup utility offers a wealth of custom installation and configuration features that make VirusScan software rollout across large organizations much easier and more intuitive. To learn more about how to run custom Setup operations with MSI, see Chapter 2, “Installing VirusScan

Software” in the VirusScan Administrator’s Guide.

This VirusScan version also comes with complete support for the McAfee ePolicy Orchestrator software distribution tool. A specially packaged VirusScan version ships with the ePolicy Orchestrator software, ready for enterprise-wide distribution. You can distribute VirusScan software, configure it from the ePolicy Orchestrator console, update that configuration and any program or .DAT files at any time, and schedule scan operations, all for your entire network user base. To learn more about using ePolicy Orchestrator software for VirusScan distribution and configuration, consult the ePolicy Orchestrator Administrator’s Guide.

This VirusScan version also includes package description information for other distribution tools, including Microsoft System Management Server and Tivoli Systems software management products.

Administrator’s Guide 29

Page 30

About VirusScan Software

Interface enhancements

This release moves the VirusScan interface for all supported platforms solidly into the territory VirusScan for Windows 95 and Windows 98 pioneered with its v4.0.1 release. This adds extensive VShield scanner configuration options for the Windows NT Workstation v4.0 and Windows 2000 Professional platforms, while reducing the complexity of some previous configuration options. Alert Manager server configuration, for example, moves entirely over to the NetShield product line—VirusScan software now acts strictly as a configurable client application.

This release also adds a new VirusScan control panel, which functions as a central point from which you can enable and disable all VirusScan components. This control panel also lets you set a ceiling for the number of items you can scan in or exclude from a single operation, and can set the VShield scanner and VirusScan control panel to run at startup. Other changes include:

• New VShield system tray icon states tell you more about which VShield modules are active. These states are:

– All VShield modules are active

– The System Scan module is active, but one or more of the other

VShield modules is inactive

– The System Scan module is inactive, but one or more of the other

VShield modules is active

– All VShield modules are inactive

• New interface settings for task configuration allow you to tell the

VirusScan application how you want it to appear as your scheduled task runs and what you want it to do when it finishes. You can also set a password to protect individual task settings from changes, or to protect an entire task configuration at once.

• An updated randomization feature for scheduled tasks allows you to set a time for the task to run, then set a randomization “window.” The VirusScan Console then picks a random time within the window to actually start the task.

• System Scan module action options now include a new Prompt Type configuration option for Windows 95 and Windows 98 systems. This option lets you determine how the Prompt for user action alert appears.

30 McAfee VirusScan Anti-Virus Software

Page 31

About VirusScan Software

Changes in product functionality

• A new Alert Manager Client configuration utility allows you to choose an Alert Manager server installed on your network as an alert message destination, or to select a network share as a destination for Centralized Alerting messages. You can also supplement either of these alert methods with Desktop Management Interface alert messages.

• The Alert Manager server supports Intel Pentium III processor serial numbers to identify individual machines for virus notification. For more information about Intel processor serial numbers, consult the Intel FAQ at http://support.intel.com/support/processors/pentiumiii/psqa.htm.

New update options for your VirusScan software

Even with the majority of the virus definitions it requires now incorporated directly into its engine in generic routines, VirusScan software still requires regular .DAT file updates to keep pace with the 200 to 300 new viruses that appear each month. To meet this need, McAfee has incorporated updating technology in VirusScan software from its earliest incarnations. With this release, that technology takes a quantum leap forward with incremental .DAT file updating.

Incremental .DAT files are small packages of virus definition files that collect data from a certain range of .DAT file releases. The latest versions of the AutoUpdate and AutoUpgrade utilities come with transparent support for the new updates, downloading and installing only those virus definitions you don’t already have installed on your system. This means a substantial reduction in download and rollout time, along with similar reductions in network bandwidth demand.

Administrator’s Guide 31

Page 32

About VirusScan Software

32 McAfee VirusScan Anti-Virus Software

Page 33

2Installing VirusScan

Software

Before you begin

During Setup, you can choose to install VirusScan software either on your local computer, or on other computers elsewhere on the network. The first option copies VirusScan program files to your computer’s hard disk. The second option copies selected components to the target workstation.

McAfee distributes VirusScan software in two ways: as an archived file that you can download from the McAfee website or from other electronic services, and on CD-ROM disc. Once you have downloaded a VirusScan archive or placed your VirusScan installation disc in your CD-ROM drive, the installation steps are the same.

To install VirusScan software, you must have Administrator privileges for the workstation on which you plan to install the program. Review the items shown in “System requirements” to determine whether your target workstations can run VirusScan software.

System requirements

VirusScan software installs and runs on any IBM PC or PC-compatible computer equipped with:

• A processor equivalent to an Intel Pentium-class or compatible processor. McAfee recommends an Intel Pentium processor or Celeron running a minimum of 166MH

• A CD-ROM drive. Not required if you download the VirusScan software.

• At least 40

recommends 75

• At least 16 20

MB.

• Microsoft Windows 95, Windows 98, Windows NT 4.0 with Service Pack 4 or later, or Windows 2000 Professional. McAfee recommends that you also have Microsoft Internet Explorer v4.0.1 or later installed, particularly if your system runs any Windows 95 version.

MB of free hard disk space for a full installation. McAfee

MB of free random-access memory (RAM). McAfee recommends

MB.

Administrator’s Guide 33

Page 34

Installing VirusScan Software

Installing VirusScan software on a local computer

Note which type of VirusScan software distribution you have, then follow the corresponding steps to prepare your files for installation.

• If you downloaded your copy of VirusScan software from the Network Associates website, from a server on your local network, or from another electronic service, make a new, temporary folder on your hard disk, then use WinZip, PKZIP, or a similar utility to extract the VirusScan installation files to that temporary folder. You can download the necessary utilities from most online services.

IMPORTANT: If you suspect that your computer has a virus, download the VirusScan software installation files onto a computer that is not infected. Install the copy onto the uninfected computer, then use the Emergency Disk utility to make a disk that you can use to boot the infected computer and remove the virus. To learn more, see “If you suspect you have a virus...” on page 63.

• If your copy of VirusScan software came on a CD-ROM, insert that disc into your computer’s CD-ROM drive.

If you inserted a CD-ROM, you should see a VirusScan welcome image appear automatically. To install VirusScan software immediately, click Install, then skip to Step 5 on page 36 to continue with Setup. If the welcome image does not appear, or if you are installing VirusScan software from files you downloaded, start with Step 2 on page 35.

IMPORTANT: Because Setup installs some VirusScan files as services on Windows NT Workstation v4.0 and Windows 2000 Professional systems, you must log in to your system with Administrator rights to install this product. To run Setup on Windows 95 or Windows 98, you do not need to log in with any particular profile or rights.

Installation steps

McAfee recommends that you first quit all other applications you have running on your system before you start Setup. Doing so reduces the possibility that software conflicts will interfere with your installation.

To install VirusScan software, follow these steps:

1. If your computer runs Windows NT Workstation v4.0 or Windows 2000 Professional, log on to your system as Administrator. You must have administrative rights to install VirusScan software on your system.

34 McAfee VirusScan Anti-Virus Software

Page 35

Installing VirusScan Software

2. Choose Run from the Start menu in the Windows taskbar.

The Run dialog box will appear (Figure 2-1).

Figure 2-1. Run dialog box

3. Type <X>:\SETUP.EXE in the text box provided, then click OK.

Here, <X> represents the drive letter for your CD-ROM drive or the path to the folder that contains your extracted VirusScan files. To search for the correct files on your hard disk or CD-ROM, click Browse.



NOTE: If your VirusScan software copy came on an Active Virus Defense or a Total Virus Defense CD-ROM, you must also specify which folder contains the VirusScan software.

Before it continues with the installation, Setup first asks you whether it should check to see whether you have previous VirusScan versions installed on your computer (Figure 2-2).

Figure 2-2. Previous versions dialog box

4. Click Yes to continue. If you click No, Setup quits immediately.

If you have a previous VirusScan version on your system, Setup will find it immediately. It will then remove the previous version, but will temporarily preserve the configuration options you set for that version if your system is running Windows 95 or Windows 98. A later step (see

Step 7 on page 37) will allow you to transfer those options to the current

VirusScan installation.

After it removes any previous VirusScan versions you have on your system, Setup checks to see whether your computer already has version

1.1 of the Microsoft Windows Installer (MSI) utility running as part of your system software.

Administrator’s Guide 35

Page 36

Installing VirusScan Software

If your computer runs Windows 2000 Professional, the correct MSI version already exists on your system. If your computer runs an earlier Windows release, you might still have this MSI version on your system if you previously installed other software that uses MSI.

If you have the correct MSI version on your computer and do not have any previous VirusScan versions installed on your system, Setup will display its first wizard panel immediately. Skip to Step 5 to continue.

If Setup does not find MSI v1.1 on your computer, it installs files that it needs to continue the installation, then prompts you to restart your computer. Click Restart System. If Setup removed a previous VirusScan version from your system, Setup will also ask you to restart your computer.

For a list of circumstances in which Setup or system upgrades require you to reboot your system, see “Determining when you must restart your

computer” on page 53.

When your computer restarts, Setup will continue from where it left off. The Setup welcome panel will appear (Figure 2-3).

5. This first panel tells you where to locate the README.TXT file, which describes product features, lists any known issues, and includes the latest available product information for this VirusScan version. When you have read the text, click Next> to continue.

6. The next wizard panel displays the VirusScan software end-user license agreement. Read this agreement carefully—if you install VirusScan software, you agree to abide by the terms of the license.

36 McAfee VirusScan Anti-Virus Software

Figure 2-3. Setup welcome panel

Page 37

Installing VirusScan Software

If you do not agree to the license terms, select I do not agree to the terms of the License Agreement, then click Cancel. Setup will quit immediately. Otherwise, click I agree to the terms of the License Agreement, then click Next> to continue.

Setup next checks to see whether incompatible software exists on your computer. If you have no other anti-virus software on your system, Setup then moves to the Security Type panel for Windows NT Workstation or Windows 2000 Professional systems. Otherwise, it will display the Setup Type panel (see Figure 2-6 on page 39 or Figure 2-7 on page 40). Skip to

Step 9 on page 39 to continue.

If your computer runs Windows 95 or Windows 98, Setup also gives you the option to preserve the VShield configuration settings you chose for the earlier version (Figure 2-4).



NOTE: If your computer runs Windows NT Workstation v4.0 or Windows 2000 Professional, Setup will remove the previous VirusScan version in Step 4 on page 35, but will not preserve any previous VShield scanner settings.

Figure 2-4. Previous Version Detected panel

7. Select Preserve On Access Settings, if the option is available, then click Next> to continue.

If Setup finds incompatible software, it will display a wizard panel that gives you the option to remove the conflicting software (see Figure 2-5 on

page 38).

Administrator’s Guide 37

Page 38

Installing VirusScan Software

If you have no incompatible software on your system and your computer runs Windows 95 or Windows 98, skip to Step 10 on page 40 to continue with the installation. If you have no incompatible software and your system runs Windows NT Workstation v4.0 or Windows 2000 Professional, skip to Step 9 on page 39 to continue. Otherwise, continue with Step 8.

Figure 2-5. Incompatible software panel

8. Select the checkbox shown, then click Next>. Setup will start the uninstallation utility that the conflicting software normally uses, and allow it to remove the software. The uninstallation utility might tell you that you need to restart your computer to completely remove the other software. You do not need to do so to continue with your VirusScan installation—so long as the other software is not active, Setup can continue without conflicts.



NOTE: McAfee strongly recommends that you remove incompatible software. Because most anti-virus software operates at a very low level within your system, two anti-virus programs that compete for access to the same files or that perform critical operations can make your system very unstable.

If your computer runs Windows NT Workstation v4.0 or Windows 2000 Professional, Setup next asks you which security mode you want to use to run VirusScan software on your system (see Figure 2-6 on page 39).

38 McAfee VirusScan Anti-Virus Software

Page 39

Installing VirusScan Software

The options in this panel govern whether others who use your computer can make changes to the configuration options you choose, can schedule and run tasks, or can enable and disable VirusScan components. VirusScan software includes extensive security measures to ensure that unauthorized users cannot make any changes to software configurations in Maximum Security mode. The Standard Security mode allows all users to have access to all configuration options.

Either option you choose here will install the same VirusScan version, with the same configuration options, and with the same scheduled tasks for all system users.

Figure 2-6. Security Type panel

9. Select the security mode you prefer. Your choices are:

• Use Maximum Security. Select this option to require users to have

Administrator rights to your computer in order to change any configuration options, to enable or disable any VirusScan component, or to configure and run scheduled tasks.

Users who do not have administrative rights may still configure and run their own scan operations with the VirusScan application and save settings for those operations in a .VSC file, but they cannot change default VirusScan application settings. To learn more about how to configure and save VirusScan application settings, see

Chapter 5, “Using the VirusScan application,” in the User’s Guide.

• Use Standard Security. Select this option to give any user who logs

into your computer the ability to change any configuration option, enable or disable and VirusScan component, or schedule and run any task.

Administrator’s Guide 39

Page 40

Installing VirusScan Software

Setup next asks you to choose a Typical or a Custom setup for this computer (Figure 2-7).

10. Choose the Setup Type you prefer. Your choices are:

Figure 2-7. Setup Type panel

• Typical Installation. This option installs a basic component set that

includes:

– the VirusScan application, and application extensions that

allow you to right-click any object on your hard disk to start a scan operation

– the VirusScan Console

– the VShield System Scan module

– the Alert Manager Client configuration utility

– the Send Virus utility

– the Emergency Disk utility

– the VirusScan Command Line scanner software

• Custom Installation. This option starts with the same components

as the Typical setup, but allows you to choose from among these additional items:

– The VShield E-Mail Scan, Download Scan, and Internet Filter

modules

– The ScreenScan utility

40 McAfee VirusScan Anti-Virus Software

Page 41

Installing VirusScan Software

To learn more about what each component does, see “What comes with

VirusScan software?” on page 29 of the VirusScan User’s Guide.

11. Choose the option you prefer, then click Next> to continue.

If you chose Custom Setup, you’ll see the panel shown in Figure 2-8. Otherwise, skip to Step 14 on page 42 to continue with your installation.

Figure 2-8. Custom Setup panel

12. Choose the VirusScan components you want to install. You can:

• Add a component to the installation. Click beside a

component name, then choose This feature will be installed on local hard drive from the menu that appears. To add a component and any related modules within the component, choose This feature, and all subfeatures, will be installed on local hard drive instead. You can choose this option only if a component has related modules.

• Remove a component from the installation. Click beside a

component name, then choose This feature will not be available from the menu that appears.



NOTE: The VirusScan Setup utility does not support the other options shown in this menu. You may not install VirusScan components to run from a network, and VirusScan software has no components that you can install on an as-needed basis.

Administrator’s Guide 41

Page 42

Installing VirusScan Software

You can also specify a different disk and destination directory for the installation. Click Change, then locate the drive or directory you want to use in the dialog box that appears. To see a summary of VirusScan disk usage requirements relative to your available hard disk space, click Disk Usage. The wizard will highlight disks that have insufficient space.

13. When you have chosen the components you want to install, click Next> to continue.

Setup will show you a wizard panel that confirms its readiness to begin installing files (Figure 2-9).

14. Click Install to begin copying files to your hard drive. Otherwise, click <Back to change any of the Setup options you chose.

Setup first removes any incompatible software from your system. It then copies VirusScan program files to your hard disk. When it has finished, it displays a panel that asks if you want to configure the product you installed (see Figure 2-10 on page 43).

42 McAfee VirusScan Anti-Virus Software

Figure 2-9. Ready to Install panel

Page 43

Installing VirusScan Software

Figure 2-10. Completing Setup panel

15. At this point, you can:

• Finish your installation. Leave the Scan Memory for Viruses before Configuring checkbox clear, then click Skip Config to finish

your installation. Setup will ask if you want to start the VShield scanner and the VirusScan Console immediately. To do so, select the Start VirusScan checkbox, then click Finish. Your VirusScan software is ready for use.



NOTE: If you had a previous VirusScan version installed on your computer, you must restart your system once again in order to start the VShield scanner. Setup will prompt you to restart your system.

• Choose configuration options for your installation. You can choose to scan your system, create an emergency disk, or update your virus definition files before you start the VShield scanner and the VirusScan Console.

To do so, select the Scan Memory for Viruses before Configuring checkbox to have Setup start the VirusScan application briefly to check your system memory. Next, click Configure.

Setup will start the VirusScan application to examine your system memory for viruses before it continues. If it finds an infection, it will alert you and give you a chance to respond to the virus. To learn about your options, see Chapter 3, “Removing Infections From Your System.” If it finds nothing, the application will flash briefly as it scans your system, then Setup will display the first of two configuration panels (see Figure

2-11 on page 44).

Administrator’s Guide 43

Page 44

Installing VirusScan Software

16. If your computer runs Windows 95 or Windows 98, you can choose any of the configuration options shown here. These are:

• Scan boot record at startup. Select this checkbox to have Setup

Figure 2-11. Configuration panel

write these lines to your Windows AUTOEXEC.BAT file:

C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCAN.EXE C:\ @IF ERRORLEVEL 1 PAUSE

This tells your system to start the VirusScan Command Line scanner when your system starts. The scanner, in turn, will pause if it detects a virus on your system so that you can shut down and use the VirusScan Emergency Disk to restart.

• Create Emergency Disk. This option is active by default. It tells

Setup to depart from its normal sequence to start the Emergency Disk creation utility. The creation utility formats and copies a scanner and support files onto a bootable floppy disk you can use to start your system in a virus-free environment. You can use this disk to scan portions of your hard disk for viruses. After the utility creates the disk, it returns to the regular Setup sequence. Clear this checkbox to skip the Emergency Disk creation. You can start the utility at any time after installation.

44 McAfee VirusScan Anti-Virus Software

Page 45

Installing VirusScan Software

• Run Default Scan for Viruses after Installation. This option is

active by default. The option tells Setup to finish the installation, then to run the VirusScan application immediately afterwards to scan your entire startup partition. The application will alert you if it finds any viruses on this partition, but otherwise will quit without any further notice. Clear this checkbox to skip this scan operation.



NOTE: If you told Setup to remove any previous VirusScan versions from your system, it will run the scan operation after it restarts your computer. The VirusScan application will appear immediately after startup.

If your computer runs Windows NT Workstation v4.0 or Windows 2000 Professional, you may not choose Scan boot record at startup, but you may choose either of the other options. Neither Windows NT Workstation nor Windows 2000 permit software to scan or make changes to hard disk boot sectors or master boot records. Also, these operating systems do not use an AUTOEXEC.BAT file for system startup.

17. When you have chosen the options you want, click Next> to continue.

If you selected the Create Emergency Disk option, the Emergency Disk creation wizard starts immediately. To learn how to use this utility, see

“Using the Emergency Disk Creation utility” on page 47.

After the utility creates an Emergency Disk, it will return to this point in the Setup sequence. To bypass the Emergency Disk utility once it starts, click Cancel when you see its first screen. Setup will display a second configuration panel you can use to update your virus definition files or to configure the AutoUpdate utility (Figure 2-12).

Figure 2-12. Update Virus Definition Files panel

Administrator’s Guide 45

Page 46

Installing VirusScan Software

18. Choose the update option you prefer. You can:

• Run AutoUpdate Now. This option uses default AutoUpdate

• Configure AutoUpdate Now. This option opens the Automatic

• Wait and Run AutoUpdate Later. This option skips the update

configuration options to connect directly to the McAfee website and download the latest incremental .DAT file updates. Select this option if your company has not designated a location on your network as an update site, and if you do not need to configure proxy server or firewall settings. This ensures that any scan operation you run uses current files.

Update dialog box, where you can add or configure an update site from which to download new files. Select this option if your company has designated a server for .DAT file updates somewhere on your network, or if you want to change some aspect of how your computer connects to the McAfee website—firewall or proxy server settings, for example.

To learn more about how to configure the AutoUpdate utility, see

“Configuring update options” on page 113.

operation altogether. You can configure and schedule an AutoUpdate task to download new .DAT files at any later time. To learn how to schedule a task, see Chapter 6, “Creating and

Configuring Scheduled Tasks,” in the VirusScan User’s Guide.

19. When you have chosen the option you want, click Next>.

If you chose to run an AutoUpdate operation immediately, the utility will connect to the McAfee website to download new incremental .DAT files. After it finishes, the Setup sequence will resume.

If you chose to configure the AutoUpdate utility, the Automatic Update dialog box will appear. Choose your configuration options, then click Update Now to start an immediate update operation, or click OK to save the options you chose.

Setup next displays its final panel and asks if you want to start the VShield scanner and the VirusScan Console immediately (see Figure 2-13

on page 47).

46 McAfee VirusScan Anti-Virus Software

Page 47

Installing VirusScan Software

Figure 2-13. Successful Installation panel

20. To do so, select the Start VirusScan checkbox, then click Finish. The VirusScan software “splash screens” will appear, and the VShield scanner and VirusScan Console icons will appear in the Windows system tray. Your software is ready for use.



NOTE: If you had a previous VirusScan version installed on your computer, you must restart your system in order to start the VShield scanner. Setup will prompt you to restart your system.

Using the Emergency Disk Creation utility

If you choose to create an Emergency Disk during installation, Setup will start the Emergency Disk wizard in the middle of the VirusScan software installation, then will return to the Setup sequence when it finishes. To learn how to create an Emergency Disk, begin with Step 1 on page 49. You can also start the Emergency Disk wizard at any point after you install VirusScan software.



NOTE: Network Associates strongly recommends that you create an Emergency Disk during installation, but that you do so after VirusScan software has scanned your system memory for viruses. If VirusScan software detects a virus on your system, do not create an Emergency Disk on the infected computer.

Administrator’s Guide 47

Page 48

Installing VirusScan Software

The Emergency Disk you create includes BOOTSCAN.EXE, a specialized, small-footprint command-line scanner that can scan your hard disk boot sectors and Master Boot Record (MBR). BOOTSCAN.EXE works with a specialized set of .DAT files that focus on ferreting out boot-sector viruses. If you have already installed VirusScan software with default Setup options, you can find these .DAT files in this location on your hard disk:

C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx

The special .DAT files have these names:

• EMCLEAN.DAT

• EMNAMES.DAT

• EMSCAN.DAT

McAfee periodically updates these .DAT files to detect new boot-sector viruses. You can download new Emergency .DAT files from this location:



NOTE: McAfee recommends that you download new Emergency .DAT files directly to a newly formatted floppy disk in order to reduce the risk of infection.

http://www.nai.com/asp_set/anti_virus/avert/tools.asp

Because the wizard renames the files and prepares them for use when it creates your floppy disk, you may not simply copy them directly to an Emergency Disk that you create yourself. Use the creation wizard to prepare your Emergency Disk.

To start the wizard, click Start in the Windows taskbar, point to Programs, then to Network Associates. Next, choose Create Emergency Disk. The Emergency Disk wizard welcome panel will appear (Figure 2-14).

Figure 2-14. Emergency Disk welcome panel

48 McAfee VirusScan Anti-Virus Software

Page 49

Installing VirusScan Software

1. Click Next> to continue. The next wizard panel appears (Figure 2-15).

Figure 2-15. Second Emergency Disk panel

If your computer runs Windows NT Workstation or Windows 2000 Professional, the wizard tells you that it will format your Emergency Disk with the NAI-OS. You must use these operating system files to create your Emergency Disk, because Windows NT Workstation v4.0 and Windows 2000 Professional system files do not fit on a floppy disk.

If your computer runs Windows 95 or Windows 98, the wizard will offer to format your Emergency Disk either with the NAI-OS or with Windows startup files.

2. If the wizard offers you a choice, choose which operating system files you want to use, then click Next> to continue. Depending on which operating system you choose, the wizard displays a different panel next.

Figure 2-16. Emergency Disk informational panel

Administrator’s Guide 49

Page 50

Installing VirusScan Software

• If you chose to format your disk with the NAI-OS, the wizard

• If you chose to format your disk with Windows system files, the

displays an informational panel (see Figure 2-16 on page 49).

Follow these substeps to continue:

a. Insert an unlocked and unformatted 1.44MB floppy disk into

your floppy drive, then click Next>.

The Emergency Disk wizard will copy its files from a disk image stored in the VirusScan program directory. As it does so, it will display its progress in a wizard panel.

b. Click Finish to quit the wizard when it has created your disk.

Next, remove the disk from your floppy drive, lock it, label it McAfee Emergency Boot Disk and store it in a safe place.

wizard displays a panel that lets you choose whether to format your floppy disk (Figure 2-17).

Your choices are:

• If you have a virus-free, formatted floppy disk that contains only

DOS or Windows system files, insert it into your floppy drive. Next, select the Don’t Format checkbox, then click Next> to continue.

This tells the Emergency Disk wizard to copy only the VirusScan software Command Line component the emergency .DAT files, and support files to the floppy disk. Skip to Step 3 on page 51 to continue.

50 McAfee VirusScan Anti-Virus Software

Figure 2-17. Third Emergency Disk panel

Page 51

Installing VirusScan Software

• If you do not have a virus-free floppy disk formatted with DOS or

Windows system files, you must create one in order to use the Emergency Disk to start your computer. Follow these substeps:

a. Insert an unlocked and unformatted floppy disk into your

floppy drive. McAfee recommends that you use a completely new disk that you have never previously formatted to prevent the possibility of virus infections on your Emergency Disk.

b. Verify that the Don’t format checkbox is clear.

c. Click Next>.

The Windows disk format dialog box appears (Figure 2-18).

Figure 2-18. Windows Format dialog box

d. Verify that the Full checkbox in the Format Type area and the

Copy system files checkbox in the Other Options area are

both selected. Next, click Start.

Windows will format your floppy disk and copy the system files necessary to start your computer.

e. Click Close when Windows has finished formatting your disk,

then click Close again to return to the Emergency Disk panel.

3. Click Next> to continue. Setup will scan your newly formatted disk for viruses (see Figure 2-19 on page 52).

Administrator’s Guide 51

Page 52

Installing VirusScan Software

If VirusScan software does not detect any viruses during its scan operation, Setup will immediately copy BOOTSCAN.EXE and its support files to the floppy disk you created. If VirusScan software does detect a virus, quit Setup immediately. See “If you suspect you have a

virus...” on page 63 to learn what to do next.

4. When the wizard finishes copying the Emergency Disk files, it displays the final wizard panel (Figure 2-20).

Figure 2-19. Scanning Emergency Disk for viruses

5. Click Finish to quit the wizard. Next, remove the new Emergency Disk from your floppy drive, write-protect it, and store it in a safe place.



NOTE: A locked or write-protected floppy disk shows two holes near the edge of the disk opposite the metal shutter. If you don’t see two holes, look for a plastic sliding tab at one of the disk corners, then slide the tab until it locks in an open position.

52 McAfee VirusScan Anti-Virus Software

Figure 2-20. Final Emergency Disk panel

Page 53

Installing VirusScan Software

Determining when you must restart your computer

In many circumstances, you can install and use this VirusScan release immediately, without needing to restart your computer. In some cases, however, the Microsoft Installer (MSI) will need to replace or initialize certain files, or previous McAfee product installations might require you to remove files in order for VirusScan software to run correctly. These requirements can also vary for each supported Windows platform.

In these cases, you will need to restart your system during the installation— usually to install MSI files—or after the installation itself.

To learn when you must restart your computer, see Table 2-1.

Table 2-1. Circumstances that require you to restart your system

Circumstance

Installation on computer with no previous VirusScan version and no incompatible software

Installation on computer with previous VirusScan version

Installation on computer with incompatible software

Installation on a computer with Microsoft Installer (MSI) v1.0

NOTE: Microsoft Office 2000 installs this MSI version

Installation on a computer with Microsoft Installer v1.1

Windows 95 and Windows 98

No restart required, unless you have Novell Client32 for NetWare installed, then restart required

Restart required Restart required

No restart required, but Setup will ask if you wish to restart. You can safely click

No.

Restart required after MSI files installed and before Setup can continue

No restart required, except on Windows 98 Second Edition systems, or if some drivers or .DLL files used

Windows NT and Windows 2000

Restart required

No restart required, but Setup will ask if you wish to restart. You can safely click

No.

Restart required after MSI files installed and before Setup can continue

No restart required

.DAT file update No restart required No restart required

Scan engine update via McAfee SuperDAT utility

No restart required No restart required

Administrator’s Guide 53

Page 54

Installing VirusScan Software

Testing your installation

Once you install it, VirusScan software is ready to scan your system for infected files. You can verify that it has installed correctly and that it can properly scan for viruses with a test developed by the European Institute of Computer Anti-virus Research (EICAR), a coalition of anti-virus vendors, as a method for their customers to test any anti-virus software installation.

To test your installation, follow these steps:

1. Open a standard Windows text editor, such as Notepad, then type this character string as one line, with no spaces or carriage returns:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUSTEST-FILE!$H+H*



NOTE: The line shown above should appear as one line in your text editor window, so be sure to maximize your text editor window and delete any carriage returns. Also, be sure to type the letter O, not the number 0, in the “X5O...” that begins the test message.

If you are reading this manual on your computer, you can copy the line directly from the Acrobat .PDF file and paste it into Notepad. You can also copy this text string directly from the “Testing your installation” section of the README.TXT file, which you can find in your VirusScan program directory. If you copy the line from either of these sources, be sure to delete any carriage returns or spaces.

2. Save the file with the name EICAR.COM. The file size will be 69 or 70 bytes.

3. Start your VirusScan software and allow it to scan the directory that contains EICAR.COM. When VirusScan software examines this file, it will report finding the EICAR-STANDARD-AV-TEST-FILE virus.

IMPORTANT: other files, or otherwise harm your system. Delete the file when you have finished testing your installation to avoid alarming other users.

54 McAfee VirusScan Anti-Virus Software

This file is

not a virus—

it cannot spread or infect

Page 55

Installing VirusScan Software

Modifying or removing your local VirusScan installation

The Microsoft Windows Installer version that VirusScan software uses also includes a standard method to modify or remove a VirusScan installation from the local workstation.

To modify, or remove VirusScan software, follow these steps:

1. Click Start in the Windows taskbar, point to Settings, then choose Control Panel.

2. Locate and double-click the Add/Remove Programs control panel.

3. In the Add/Remove Programs Properties dialog box, choose McAfee VirusScan v4.5.0 in the list, then click Add/Remove.

Setup will start and display the first Maintenance wizard panel (Figure

2-21).

Figure 2-21. First maintenance panel

4. Click Next> to continue.

Setup displays the Program Maintenance wizard panel (see Figure 2-22

on page 56).

Administrator’s Guide 55

Page 56

Installing VirusScan Software

5. Choose whether to modify VirusScan components or to remove VirusScan software from your system completely. Your choices are:

• Modify. Select this option to add or remove individual VirusScan

Figure 2-22. Program Maintenance panel

components. Setup will display the Custom wizard panel (see

Figure 2-8 on page 41). Start with Step 12 on page 41 to choose the

components you want to add or remove.



NOTE: This panel differs from the one shown on page 41: It will not allow you to change your VirusScan program directory, nor will it display disk usage statistics. To install VirusScan software in a different directory or on a different drive, you must first remove, then reinstall the software.

• Remove. Select this option to remove VirusScan software from

your computer completely. Setup will ask you to confirm that you want to remove the software from your system (see Figure 2-23 on

page 57).

56 McAfee VirusScan Anti-Virus Software

Page 57

Installing VirusScan Software

Figure 2-23. Remove the Program panel

6. Click Remove. Setup will display progress information as it deletes VirusScan software from your system. When it has finished, click Finish to close the wizard panel.

Installing VirusScan software on other computers

The next sections describe how to install VirusScan software over your network, to many workstations at once, and with various custom configurations. You can run Setup from a command prompt to choose many of these configuration options.

Using Active Directory and Group Policies

If you use Active Directory services in Windows 2000, you must distribute the software per machine, not per user. Set up the installation in the Microsoft Management Console; there you can choose the computers on which you want to install the VirusScan package. The installation takes place when you restart these computers.



NOTE: The VirusScan package contains two versions of the Microsoft installer (MSI): one for Windows 95 and Windows 98, and one for Windows NT Workstation v4.0 and Windows 2000 Professional. You can remove these files from the package if your computers already have the installer. This makes the VirusScan file smaller and more manageable when you send it remotely.

Administrator’s Guide 57

Page 58

Installing VirusScan Software

Installing VirusScan software using command-line options

The VirusScan Setup utility runs as a Microsoft Installer (MSI) application, which allows a wide array of custom installation options. To shape the installation so that it runs the way you want it to, and so that you end up with exactly those product components you want, run Setup from the command line.



NOTE: You can run Setup from the command line only to install VirusScan software to a local computer. To install the software over a network, you must use McAfee Management Edition or ePolicy Orchestrator software.

To do so, click Start in the Windows taskbar, then choose Run. Next, enter the command line you want to use in the Run dialog box, then click OK.

The Setup command-line syntax looks like this:

setup PROPERTY=VALUE[,VALUE] [/option] /i

This syntax does not require any particular order in its elements, except that you may not separate a property and its value, and you must terminate the line with the /i option so that Setup knows to look for a particular .MSI file it needs for installation. The syntax consists of:

• the name of the executable file: setup.exe.

• any options you choose to add, each preceded by a / character. Options are

not case sensitive. The installation scenarios that appear later in this guide discuss some of the available options.

• any properties you want to use to shape how the installation runs.

Each property consists of a name, which must appear all in capitals, an = sign, and one or more values, each separated by commas. Most property values must appear in all capitals, too, but some—such as True and False, must appear in capitals and lower case. The Microsoft Installer permits a large variety of properties, all of which you can use to determine how your installation runs. To learn about those properties, see the Microsoft Installer documentation. To install VirusScan software, specifically, you can use these additional properties:

– ADDLOCAL. This property tells Setup to install particular

components to the local computer.

– INSTALLDIR. This property specifies which installation directory

you want to use. The value consists of the directory path you want to use.

58 McAfee VirusScan Anti-Virus Software

Page 59

Installing VirusScan Software

– PRESERVESETTINGS. This property tells Setup whether it should

retain the configuration options you used for previous VShield scanner installations. By default, its value is True.

– REBOOT. This property tells Setup whether it should restart your

computer. You can either force the computer to restart, or prevent it from restarting.

– REMOVE. This property tells Setup to remove one or more program

components. You can specify a particular component, or use the value ALL to remove all components. If you combine this property with the ADDLOCAL property, you can install all but one or two specific components.

– REMOVEINCOMPATIBLESOFTWARE. This property tells Setup

to remove previous VirusScan versions or other anti-virus software that could conflict with this VirusScan version. By default, its value is True.

– STARTONACCESSSCANNER. This property tells Setup to start the

VShield scanner after it finishes the installation. By default, its value is True.

– USEADMINONLYSECURITY. This property tells Setup which

security mode you want this VirusScan copy to use when it runs. Possible values are 0, which runs the software with standard security, and 1, which runs the software with maximum security.

The following sections describe some common scenarios that use commandline options to run custom installations.

Silent installation

Use command-line options to set up VirusScan software on each network node with little or no interaction from end users. During a silent installation, Setup does not display any of its usual wizard panels or windows, or offer the end user any configuration options. Instead, you pre-configure these choices and run Setup in the background on each target workstation. If you want, you can install VirusScan software on any unattended workstation with or without the end user’s knowledge, provided you have all the necessary administrative privileges.

setup/q/i

Use /q to run a silent installation. The /i should always appear last on the command line. It tells Setup to locate the .MSI file that controls the installation.

Administrator’s Guide 59

Page 60

Installing VirusScan Software

Other semi-silent installation methods are:

/qb shows a small progress bar during installation, with a

/q+ shows a success/failure installation complete dialog box

/qb+ shows both the progress and completed dialog boxes

/qf shows the full progress bar screen from the regular

Logging the installation

To record installation progress in a log file, add this option and parameter to the Setup command line:

/l*v “c:\temp\log.txt”

Here, c:\temp\log.txt can be any directory and any file name you want to use to create the log file. This option logs all installer activity, including all files copied, all registry keys added, and all .INI file changes.

Replace the * shown in the command-line example with one or more of these parameters to limit the type of data that the log file records:

cancel button

installation

i status messages

w non-fatal warnings

e all error messages

a action starts

r action-specific records

u user requests

c initial user interface parameters

m out-of-memory or fatal exit information

o out-of-disk space messages

p terminal properties

+ append to existing file

! flush each line to the log

60 McAfee VirusScan Anti-Virus Software

Page 61

Installing to a custom directory

To install VirusScan software to a custom directory, add the INSTALLDIR property to the command line, then follow the property with a value for the directory you want to use. To install VirusScan software to C:\My Anti-Virus Software, for example, type this line at the command prompt:

setup INSTALLDIR= “c:\My Anti-Virus Software” /q/i

Use quotes only if the target directory name has spaces. You can add the /q switch run the installation silently, if you prefer. The /i switch is not optional—Setup needs it to locate the .MSI file that has current installation data.

Selecting specific features to install

When you run Setup from the command line to install specific program components, the utility installs those components according to a preexisting hierarchy. This means that if you choose to install only the VirusScan shell extensions, for example, Setup knows that you must have SCAN32.EXE, the VirusScan application, installed in order to use the extensions. It therefore will install both this file and any related files.

Installing VirusScan Software

To specify the components you want to install, Setup requires you to add particular component names as command-line parameters. The component names you can specify from the command line are:

Component Name Description

AlertManager The Alert Manager Client configuration

utility

CMD The VirusScan Command Line

scanners: SCAN.EXE, SCANPM.EXE, SCAN86.EXE

EdiskUtil The Emergency Disk wizard and

archived files

EmailScan The VShield E-Mail Scan module and

the E-Mail Scan extension

InternetScan The VShield Download Scan and

Internet Filter modules

SystemScan The VShield System Scan module

Scan32 The VirusScan application,

SCAN32.EXE

Scheduler The VirusScan Console

Administrator’s Guide 61

Page 62

Installing VirusScan Software

Component Name Description

McUpdate The AutoUpdate and AutoUpgrade

ShellExtentions Extensions that add right-click

ScreenScan The ScreenScan utility

SendVirus An applet that allows you to send virus

To use these component names in a command line, specify the destination and the component name, exactly as it appears in the table.

For example, to add the VirusScan application to the local system, type this line at the command prompt:

setup.exe ADDLOCAL=Scan32/q/i

Use a comma to separate values in order to install more than one component. To add Scan32 and SystemScan together, for example, type this line at the command prompt:

utilities

functionality that enables you to scan individual files

samples to AVERT Labs for analysis

setup.exe ADDLOCAL=SystemScan,Scan32/q/i

To do a complete installation, type this line at the command prompt:

setup.exe ADDLOCAL=ALL/q/i

To remove all VirusScan components, type this line at the command prompt:

setup.exe REMOVE=ALL/q/i

To install all components except for one—the SendVirus component, in this example—type this line at the command prompt:

setup.exe ADDLOCAL=ALL REMOVE=SendVirus/q/i

You can also choose different components for an installation that you do not run silently. If, for example, you leave off the /q option in any of the command line examples shown above the Custom Setup wizard panel (see Figure 2-8 on

page 41) will show only the components you specify as those available for

installation. If you use these same examples to specify a component set for installation, Setup will install only the components you specified during a Typical installation.

62 McAfee VirusScan Anti-Virus Software

Page 63

Setting reboot options

You can force or prevent the target computer from restarting during the installation. To do this, add the REBOOT property to the command line. REBOOT=F forces the restart, while REBOOT=R prevents the restart. If you must first install the Windows Installer service on a target computer, Setup will require you to restart whether you force or prevent a restart for other reasons. Setup will resume after MSI forces a restart. It will then use the options you set to determine whether to force or prevent a restart after the installation.

setup REBOOT=R /q /i

This example runs a silent installation and prevents a system restart.

Setting security type for Windows NT

If you install VirusScan software on Windows NT Workstation v4.0 or Windows 2000 Professional systems, you can choose to run the software with regular or maximum security. To set this value from the command line, run Setup with the USEADMINONLYSECURITY property and the value you want to use.

Installing VirusScan Software

To run the software with standard security, give the property the value 0:

USEADMINONLYSECURITY=0

To run the software with maximum security, give the property the value 1:

USEADMINONLYSECURITY=1

To use the property from the command line, type a line similar to this:

setup USEADMINONLYSECURITY=1 /q /i

This runs a silent installation and sets the security level so that only a user with administrative rights can configure or stop the product.

Removing incompatible software

By default, Setup removes incompatible software during a silent installation. To prevent Setup from removing incompatible software, add the property REMOVEINCOMPATIBLESOFTWARE to the command line with the value False:

setup REMOVEINCOMPATIBLESOFTWARE=False

Administrator’s Guide 63

Page 64

Installing VirusScan Software

Scanning your system at startup

By default, Setup adds a line to the AUTOEXEC.BAT file for Windows 95 and Windows 98 systems that tells the VirusScan application to scan the master boot record (MBR) when your computer starts. To prevent Setup from doing so—during a silent installation, for example—add the property SCANATSTARTUP to the command line with the value False:

setup SCANATSTARTUP=False

Starting the VShield scanner

By default, Setup starts the VShield System Scan module if the installation does not require you to restart your computer—if you remove earlier VirusScan versions during installation, for example. To keep Setup from starting the VShield scanner, add the STARTONACCESSSCANNER property to the command line with the value False:

setup STARTONACCESSSCANNER=False

Preserving on access settings

By default, Setup preserves your VShield settings from previous VirusScan installations. To install the new VirusScan version without previous settings, add the PRESERVESETTINGS property to the command line with the value False:

setup PRESERVESETTINGS = False

Running Setup from a login script

To install VirusScan software at the time each of your target computers starts, you can add a Setup command line to your login script and include any logic you think necessary to ensure that the installation will run once—checking for the VirusScan default program directory, for example. The command line should include all of the options and properties you want to use to govern how Setup runs.

If you run the login script from a Windows 95 or Windows 98 workstation, you must add the option /LSCRIPT to the command line if the target computer has any previous VirusScan version installed, or if it might not have Microsoft Installer (MSI) v1.1 installed. Unlike other options, the /LSCRIPT option is case sensitive and must appear in the command line with all capitals.

Without the /LSCRIPT option, Setup will run and, if you do not have MSI v1.1 installed or if you have a previous VirusScan version on the target computer, will require the target computer to restart. Before it does so, however, it places a flag in the Windows RunOnce registry key.

64 McAfee VirusScan Anti-Virus Software

Page 65

Installing VirusScan Software

Because Windows 95 and Windows 98 execute the login script at the same time they act on the contents of the RunOnce key, however, they will try to run another instance of Setup while, at the same time, they try to resume the previous Setup you started. MSI does not permit more than one instance of Setup to run at the same time.

Adding the /LSCRIPT option to the command line causes Setup to place a flag in the RunServicesOnce registry key, which Windows executes before it runs the login script. If your login script checks for the presence of the default VirusScan program directory before it runs Setup, therefore, Windows will not try to run Setup a second time.

In order to use a login script for this purpose, you must also copy or “push” the VirusScan installation package to a local directory on the target computer. You may not use a login script to install VirusScan software from elsewhere on your network. To install VirusScan software from a remote location on the network, use McAfee Management Edition or McAfee ePolicy Orchestrator management software.



NOTE: If you plan to install VirusScan software to a Windows NT Workstation v4.0 or a Windows 2000 system via login scripts, you do not need to include the /LSCRIPT option in your command line.

Using Management Edition software

Management Edition distribution software allows you to distribute McAfee anti-virus software from a single console on your network. It installs, configures, upgrades, and removes anti-virus software for remote machines on a network. It installs anti-virus software to domains you create, and from repositories that you create. You control activities from the Management Edition Console, a drag-and-drop application that runs on Microsoft Windows NT.

Once the Management Edition components are installed in the master repository, you are ready to install anti-virus software into the Repository.

Follow these steps:

1. In the Management Console main menu, click Tools, then choose Repository.

The Repository dialog box displays the Products page. It contains the management components that are currently in the Repository.

2. Click Install.

Administrator’s Guide 65

Page 66

Installing VirusScan Software

3. Click Product.

4. Insert the VirusScan CD into your CD-ROM drive.

The Management Edition software copies VirusScan files into the Repository. Once it does so, the components you installed appear in the Repository list.

5. Click Close to complete the installation.

You can now use Management Edition software to install and configure VirusScan software, or add components to or remove them from an existing VirusScan installation. To learn how to do so, see the Management Edition Administrator’s Guide.

To install all VirusScan components via Management Edition software, you must modify the Management Edition scripts that come with the VirusScan product package.

Follow these steps:

1. Use WinZip, PKZip or a similar utility to extract the files VSC_9X.INI and VSC_NT.INI from the VirusScan package.

2. Locate this line in each file:

REGSETVAL LOCAL !VS_EXEC_KEY! “ExecCmdLine” SZ “!I_CMD_LINE!”

Change the macro reference I_CMD_LINE so that it reads I_CMD_LINE_ALL. When you have finished, the entire line in both the VSC_9X.INI and the VSC_NT.INI files should read:

REGSETVAL LOCAL !VS_EXEC_KEY! “ExecCmdLine” SZ “!I_CMD_LINE_ALL!”

3. Save both files, then return them to the VirusScan product package, overwriting the existing files in that package.

4. Deploy your modified VirusScan package via Management Edition software.

Using ePolicy Orchestrator to deploy VirusScan software

ePolicy Orchestrator management software provides a single point of control for all of your McAfee anti-virus products. It is a scalable anti-virus management tool that provides centralized policy management and enforcement, software distribution, and extensive reporting features.

66 McAfee VirusScan Anti-Virus Software

Page 67

Installing VirusScan Software

With the ePolicy Orchestrator server, console, and agent you can manage a single database and software repository from any location on your company’s network. Once you have installed the ePolicy Orchestrator server and console, and have loaded VirusScan software is loaded into the repository, you can use the console to push the agent onto the client machines. Through the agent, you gather data on the virus protection currently residing on the client machines. The server then responds by sending appropriate installation software. The agent installs the software using the instructions you set up during configuration.

Follow these steps:

1. In the ePolicy Orchestrator Console’s main menu, place your cursor on Software in the console tree.

2. Click the Action menu, and then click Install.

The Select a Software Package dialog box displays your network. Locate the VirusScan software package that you want to place in the repository.

3. Click VirusScan.

4. Click Open.

VirusScan software is loaded in your repository. For more information, see the ePolicy Orchestrator Administrator’s Guide.

Installing via System Management Server

VirusScan software is Microsoft BackOffice compliant and comes with a prewritten package definition file (.PDF) for use with System Management Server (SMS). You can use SMS to install the software on multiple workstations across your network. To learn how to use SMS to deploy the VirusScan installation package, consult your Microsoft SMS documentation.

Installing via Tivoli IT Director

You can create a distributable custom installation package using the Tivoli IT Director management console’s Software Distribution feature.

Follow these steps:

1. Open the Tivoli IT Director Management Console.

2. Choose Open from the Software Distribution option, then choose Custom Package. The Create Custom Package configuration pages appear.

Administrator’s Guide 67

Page 68

Installing VirusScan Software

3. Click the General tab, then follow these substeps:

a. Enter a name for the package that you are about to create.

b. Select Stream package directly to managed system.

c. Enter a value of 32 in the Required Memory text box.

d. Enter a value of 30 in the Disk Space text box.

4. To enable Tivoli to distribute VirusScan software to Windows 95 and Windows 98 systems, select the Windows 9x tab. Enter the appropriate information in the panel.

5. To enable Tivoli to distribute VirusScan software to Windows NT systems, select the Windows NT tab. Enter the appropriate information in the panel.

For more information, consult your Tivoli documentation.

Installing via ZENworks

ZENworks allows network administrators to deploy VirusScan software to users’ workstations. To learn how to use ZENworks to deploy the VirusScan installation package, consult your Novell ZENworks documentation.

Exporting VirusScan custom settings

McAfee provides a small utility that you can use to put a VirusScan installation package together with all of the configuration settings you want to use for each target computer. McAfee releases this utility, the Custom Installation Creator, apart from the VirusScan product package. In order to use it to create the package, you must import the configuration settings you want from an .INI file. This means that you must first install the VirusScan software on your computer, choose the settings you want to use, then export those settings to an .INI file.

The VirusScan program package contains another utility, MSI_INST.EXE, that allows you to import and export VirusScan configuration settings. You can use this utility to prepare an .INI for use with the Custom Installation Creator, or you can use it to import settings directly from an existing .INI file.

The MSI_INST.EXE utility runs from the command line with this syntax:

msi_inst.exe /option [value]

Table 2-1 on page 53 lists the options you can use with the utility. To learn how

to use the .INI file you create with MSI_INST.EXE to customize your installation, see the documentation for the Custom Installation Creator.

68 McAfee VirusScan Anti-Virus Software

Page 69

Table 2-1. MSI_INST.EXE command-line switches

Option Purpose Usage

Installing VirusScan Software

IMPORT Import settings into a VirusScan

installation from an .INI file you designate

EXPORT Export settings from a VirusScan

installation to an .INI file you designate

EXPOPTIONS Export certain settings from

VirusScan. Use this option in conjunction with the /EXPORT option. If you do not specify which components to export, MSI_INST.EXE will export all settings. You can export these VirusScan settings:

Export nothing [generally unused] 0x00000000h

Export System Scan 0x00000001h

Export E-Mail Scan 0x00000002h

Export Internet Scan 0x00000004h

Export AvConsol.exe settings 0x00000008h

Export Scheduled Tasks 0x00000010h

Export Default On-Demand Scan 0x00000020h

Export All (default) 0x00000800h

The settings specifiers appear here in hexadecimal format. To determine a value to use with the /EXPOPTIONS option, combine each of the settings you want to use together with a logical OR operation, then pass the resulting value as a decimal.

Example: Suppose you want to export System Scan, AvConsol, and Scheduled Tasks settings only. Combine the hexadecimal values for these settings together in a logical OR operation:

0x00000001h | 0x00000008h | 0x00000010h = 0x00000019h

Next, take the resulting value and change the hexadecimal number to a decimal number:

0x00000019h = 25

Add the decimal value to the command line:

msi_inst.exe /EXPOPTIONS 25

/IMPORT<path and filename>

/EXPORT<path and filename>

/EXPOPTIONS <decimal value>

Administrator’s Guide 69

Page 70

Installing VirusScan Software

Table 2-1. MSI_INST.EXE command-line switches

Option Purpose Usage

RESTART Start VirusScan after the

MSI_INST.EXE utility finishes importing or exporting settings.

PRESERVE Preserve existing paths. This tells

MSI_INST.EXE to set a switch in the resulting .INI file that will adjust paths when the Custom Installation Creator or another VirusScan installation imports a new .INI file. This will update any paths that point to executables and log files to reflect the current installation. You may use this option only with the /EXPORT option; it will not work with the /IMPORT option.

PREVIOUS Preserves the settings from

previous VShield scanner settings. This option tells MSI_INST.EXE to read settings from a previous .INI file and set new installation settings appropriately.

NOTE: You may use this option only to preserve VirusScan v4.0.2 and v4.0.3 settings.

/RESTART

/PRESERVE

/PREVIOUS <path and filename>

PREVIOUS_EXCLUDE Preserves the exclusion settings

from previous VShield scanner installations. This option tells MSI_INST.EXE to read the exclusion settings from a previous .INI file and set new installation appropriately. You must use this option with the /PREVIOUS option.

NOTE: You may use this option only to preserve VirusScan v4.0.2 and v4.0.3 settings.

70 McAfee VirusScan Anti-Virus Software

/PREVIOUS_EXCLUDE <path and filename>

Page 71

3Removing Infections

From Your System

If you suspect you have a virus...

First of all, don’t panic! Although far from harmless, most viruses that infect your machine will not destroy data, play pranks, or render your computer unusable. Even the comparatively rare viruses that do carry a destructive payload usually produce their nasty effects in response to a trigger event. In most cases, unless you actually see evidence of a payload that has activated, you will have time to deal with the infection properly. The very presence of these small snippets of unwanted computer code can, however, interfere with your computer’s normal operation, consume system resources and have other undesirable effects, so you should take them seriously and be sure to remove them when you encounter them.

A second idea to keep in mind is that odd computer behavior, unexplained system crashes, or other unpredictable events might have causes other than virus infections. If you believe you have a virus on your computer because of occurrences such as these, scanning for viruses might not produce the results you expect, but it will help eliminate one potential cause of your computer problems.

The safest course of action you can take is to install VirusScan software, then scan your system immediately and thoroughly.

When you install VirusScan software, Setup starts the VirusScan application to examine your computer’s memory and your hard disk boot sectors in order to verify that it can safely copy its files to your hard disk without risking their infection. If the application does not detect any infections, continue with the installation, then scan your system thoroughly as soon as you restart your computer. File-infector viruses that don’t load into your computer’s memory or hide in your hard disk boot blocks might still be lurking somewhere on your system. See Chapter 2, “Installing VirusScan Software,” to learn about virus scanning during setup. See Chapter 4, “Using VirusScan Software,” to learn how to scan your system.

If the VirusScan application detects a virus during Setup, you’ll need to remove it from your system before you install the program. To learn how to do so, follow the steps that begin on page 72.

IMPORTANT: To ensure maximum security, you should also follow these same steps if a VirusScan component detects a virus in your computer’s memory at some point after installation.

Administrator’s Guide 71

Page 72

Removing Infections From Your System

If VirusScan software found an infection during installation, follow these steps carefully:

1. Quit Setup immediately, then shut down your computer.

Be sure to turn the power to your system off completely. Do not press CTRL+ALT+DEL viruses can remain intact during this type of “warm” reboot.

2. If you created a VirusScan Emergency Disk during installation, or if your VirusScan copy came with one, lock the disk, then insert it into your floppy drive.



NOTE: If your VirusScan software copy did not come with an Emergency Disk, or if you could not create an Emergency Disk during Setup, you must create a disk on an uninfected computer. Locate a computer that you know is virus-free, then follow the steps outlined in “Using the Emergency Disk Creation utility” on page 47.

3. Wait at least 15 seconds, then start your computer again.



NOTE: If you have your computer's BIOS configured to look for its boot code first on your C: drive, you should change your BIOS settings so that your computer looks first on your A: or B: drive. Consult your hardware documentation to learn how to configure your BIOS settings.

or reset your computer to restart your system—some

After it starts your computer, the Emergency Disk runs a batch file that leads you through an emergency scan operation. The batch file first asks you whether you cycled the power on your computer.

4. Type y to continue, then skip to Step 7. If you did not, type n, then turn your computer completely off and begin again.

The batch file next tells you that it will start a scan operation.

5. Read the notice shown on your screen, then press any key on your keyboard to continue.

The Emergency Disk will load the files it needs to conduct the scan operation into memory. If you have extended memory on your computer, it will load its database files into that memory for faster execution.

72 McAfee VirusScan Anti-Virus Software

Page 73

Removing Infections From Your System

BOOTSCAN.EXE, the command-line scanner that comes with the Emergency Disk, will make four scanning passes to examine your hard disk boot sectors, your Master Boot Record (MBR), your system directories, program files, and other likely points of infection on all of your local computer’s hard disks.



NOTE: McAfee strongly recommends that you do not interrupt the BOOTSCAN.EXE scanner as it runs its scan operation. The Emergency Disk will not detect macro viruses, script viruses, or Trojan horse programs, but it will detect common file-infecting and boot-sector viruses.

If BOOTSCAN.EXE finds a virus, it will try to clean the infected file. If it fails, it will deny access to the file and continue the scan operation. After it finishes all of its scanning passes, it shows a summary report the actions it took for each hard disk on the screen. The report tells you:

• How many files the scanner examined

• How many files of that number are clean, or uninfected

• How many files contain potential infections

• How many files of that number the scanner cleaned

• How many boot sector and MBR files the scanner examined

• How many boot sector and MBR files contain potential infections

If the scanner detects a virus, it beeps and reports the name and location of the virus on the screen.

6. When the scanner finishes examining your hard disk, remove the Emergency Disk from your floppy drive, then shut your computer off again.

7. When BOOTSCAN.EXE finishes examining your system, you can either:

• Return to working with your computer. If BOOTSCAN.EXE did not find a virus, or if it cleaned any infected files it did find, remove the Emergency Disk from your floppy drive, then restart your computer normally. If you had planned to install VirusScan software on your computer but stopped when Setup found an infection, you can now continue with your installation.

• Try to clean or delete infected files yourself. If BOOTSCAN.EXE found a virus that it could not remove, it will identify the infected files and tell you that it could not clean them, or that it does not have a current remover for the infecting virus.

Administrator’s Guide 73

Page 74

Removing Infections From Your System

As your next step, locate and delete the infected file or files. You will need to restore any files that you delete from backup files. Be sure to check your backup files for infections also. Be sure also to use the VirusScan application at your earliest opportunity to scan your system completely in order to ensure that your system is virus-free.

Deciding when to scan for viruses

Maintaining a secure computing environment means scanning for viruses regularly. Depending on the degree to which you swap floppy disks with other users, share files over your local area network, or interact with other computers via the Internet, scanning “regularly” could mean scanning as little as once a month, or as often as several times a day. Other good habits to cultivate include scanning right before you back up your data, scanning before you install new or upgraded software—particularly software you download from other computers—and scanning when you start or shut down your computer each day. Use the VShield scanner to examine your computer’s memory and maintain a constant level of vigilance between scan operations. Under most circumstances this should protect your system’s integrity.

If you connect to the Internet frequently or download files often, you might want to supplement regular scan operations with tasks based on certain events. Use the VirusScan Console to schedule a set of scan tasks to monitor your system at likely points of virus entry, such as

• whenever you insert a floppy disk into your computer’s floppy drive

• whenever you start an application or open a file

• whenever you connect to or map a network drive to your system

Even the most diligent scan operation can miss new viruses, however, if your virus definition (.DAT) files are not up to date. Your VirusScan software purchase entitles you to free virus updates for the life of your product, so you can update frequently to keep current. The VirusScan Console includes AutoUpdate and AutoUpgrade tasks you can use to update your .DAT files and the VirusScan engine. To learn how to update your software, see Chapter

6, “Updating and Upgrading VirusScan Software.”.

74 McAfee VirusScan Anti-Virus Software

Page 75

Removing Infections From Your System

Recognizing when you don’t have a virus

Personal computers have evolved, in their short life span, into highly complex machines that run ever-more-complicated software. Even the most farsighted of the early PC advocates could never have imagined the tasks for which workers, scientists and others have harnessed the modern PC’s speed, flexibility and power. But that power comes with a price: hardware and software conflicts abound, applications and operating systems crash, and hundreds of other problems can crop up in unlikely places. In some cases, these failures can resemble the sorts of effects that you see when you have a virus infection with a destructive payload. Other computer failures seem to defy explanation or diagnosis, so frustrated users blame virus infections, perhaps as a last resort.

Because viruses do leave traces, however, you can usually eliminate a virus infection as a possible cause for computer failure relatively quickly and easily. Running a full VirusScan scan operation will uncover all of the known virus variants that can infect your computer, and quite a few of those that have no known name or defined behavior. Although that doesn’t give you much help when your problem really results from an interrupt conflict, it does allow you to eliminate one possible cause. With that knowledge, you can then go on to troubleshoot your system with a full-featured system diagnosis utility.

More serious is the confusion that results from virus-like programs, virus hoaxes, and real security breaches. Anti-virus software simply cannot detect or respond to such destructive agents as Trojan horse programs that have never appeared previously, or the perception that a virus exists where none in fact does.

The best way to determine whether your computer failure resulted from a virus attack is to run a complete scan operation, then pay attention to the results. If the VirusScan application does not report a virus infection, the chances that your problem results from one are slight—look to other causes for the symptoms you see. Furthermore, in the very rare event that the VirusScan application does miss a macro virus or another virus type that has in fact infected your system, the chances are relatively small that serious failures will follow in its wake. You can, however, rely on McAfee researchers to identify and isolate the virus, then to update VirusScan software immediately so that you can detect and, if possible, remove the virus when you next encounter it. To learn how you can help the virus researchers help you, see “Reporting new

items for anti-virus data file updates” on page xvii.

Administrator’s Guide 75

Page 76

Removing Infections From Your System

Understanding false detections

A false detection occurs when VirusScan software sends a virus alert message or makes a log file entry that identifies a virus where none actually exists. You are more likely to see false detections if you have anti-virus software from more than one vendor installed on your computer, because some anti-virus software stores the code signatures it uses for detection unprotected in memory.

The safest course to take when you see an alert message or log entry is to treat it as a genuine virus threat, and to take the appropriate steps to remove the virus from your system. If, however, you believe that a VirusScan component has generated a false detection—it has, for example, flagged as infected a file that you have used safely for years—verify that you are not seeing one of these situations before you call Network Associates technical support:

• You have more than one anti-virus program running. If so, VirusScan components might detect unprotected code signatures that another program uses and report them as viruses. To avoid this problem, configure your computer to run only one anti-virus program, then shut the computer down and turn off the power. Wait a few seconds before you start the computer again so that the system can clear the other program’s code signature strings from memory.

• You have a BIOS chip with anti-virus features. Some BIOS chips provide anti-virus features that can trigger false detections when VirusScan software runs. Consult the user’s guide for your computer to learn about how its anti-virus features work and how to disable them if necessary.

• You have an older Hewlett-Packard or Zenith PC. Some older models from these manufacturers modify the boot sectors on their hard disks each time they start up. VirusScan components might detect these modifications as viruses, when they are not. Consult the user’s guide for your computer to learn whether it uses self-modifying boot code. To solve the problem, use the VirusScan Command Line scanner to add validation information to the startup files themselves. This method does not save information about the boot sector or the master boot record.

• You have copy-protected software. Depending on the type of copy protection used, VirusScan components might detect a virus in the boot sector or the master boot record on some floppy disks or other media.

If none of these situations apply, contact Network Associates technical support or send e-mail to virus_research@nai.com with a detailed explanation of the problem you encountered.

76 McAfee VirusScan Anti-Virus Software

Page 77

Removing Infections From Your System

Responding to viruses or malicious software

Because VirusScan software consists of several component programs, any one of which could be active at one time, your possible responses to a virus infection or to other malicious software will depend upon which program detected the harmful object, how you have that program configured to respond, and other circumstances. The following sections give an overview of the default responses available with each program component. To learn about other possible responses, see the chapter that discusses each component in detail.

Responding when the VShield scanner detects malicious software

The VShield scanner consists of four related modules that provide you with continuous background protection against viruses, harmful Java and ActiveX objects, and dangerous websites. A fifth module controls security settings for the other four. You can configure and activate each module separately, or use them together to provide maximum protection. See Chapter 4, “Using

VirusScan Software,” to learn how to configure each module. Because each

module detects different objects or scans different virus entry points, each has a different set of default responses.

Responding when the System Scan module detects a virus

How this module reacts when it finds a virus depends on which operating system your computer runs and, on Windows 95 and Windows 98 systems, on which prompt option you chose in the module’s Action page.

By default on Windows 95 and Windows 98 systems, this module looks for viruses each time you run, copy, create, or rename any file on your system, or whenever you read from a floppy disk. On Windows NT Workstation v4.0 and Windows 2000 Professional systems, the System Scan module looks for viruses whenever your system or another computer reads files from or writes files to your hard disk or a floppy disk.

Because it scans files this way, the System Scan module can serve as a backup in case any of the other VShield modules does not detect a virus when it first enters your system. In its initial configuration, the module will deny access to any infected file it finds, whichever Windows version your computer runs. It will also display an alert message that asks you what you want to do about the virus (see Figure 3-11 on page 87). The response options you see in this dialog box come from default choices or choices you make in the System Scan module’s Action page.

As this dialog box awaits your response, your computer will continue to process any other tasks it is running in the background.

Administrator’s Guide 77

Page 78

Removing Infections From Your System

Figure 3-1. Initial System Scan response options

If your computer runs Windows 95 or Windows 98, you can choose to display a different virus alert message. If you select BIOS in the Prompt Type area in the System Scan module Action page, you’ll see instead a full-screen warning that offers you response options (Figure 3-2).

Figure 3-2. Full-screen Warning - System Scan response options

This alert message brings your system to a complete halt as it awaits your response. No other programs or system operations run on your system until you choose one of the response options shown.

The BIOS prompt type also allows you to substitute a Continue option for the Move File option. To do so, select the Continue access checkbox in the module’s Action page.



NOTE: The Continue access checkbox is unavailable if your computer runs Windows NT Workstation v4.0 or Windows 2000, or if you choose the GUI prompt type on Windows 95 and Windows 98 systems.

78 McAfee VirusScan Anti-Virus Software

Page 79

Removing Infections From Your System

To take one of the actions shown in an alert message, click a button in the Access to File Was Denied dialog box, or type the letter highlighted in yellow when you see the full-screen warning. If you want the same response to apply to all infected files that the System Scan module finds during this scan operation, select the Apply to all items checkbox in the dialog box. This option is not available in the full-screen alert message.

Your response options are:

• Clean the file. Click Clean in the dialog box, or type C when you see the full-screen warning, to tell the System Scan module to try to remove the virus code from the infected file. If the module succeeds, it will restore the file to its original state and record its success in its log file.

If the module cannot clean the file—either because it has no remover or because the virus has damaged the file beyond repair—it will note this result in its log file, but will take no other action. In most cases, you should delete such files and restore them from backups.

• Delete the file. Click Delete in the dialog box, or type D when you see the full-screen warning, to tell the System Scan module to delete the infected file immediately. By default, the module notes the name of the infected file in its log file so that you have a record of which files it flagged as infected. You can then restore deleted files from backup copies.

• Move the file to a different location. Click Move File to in the dialog box. This opens a browse window you can use to locate your quarantine folder or another folder you want to use to isolate infected files. Once you select a folder, the System Scan module moves the infected file to it immediately. This option does not appear in the full-screen warning.

• Continue working. Type O when you see the full-screen warning to tell the System Scan module to let you continue working with the file and not take any other action. Normally, you would use this option to bypass files that you know do not have viruses. If you have its reporting option enabled, the module will note each incident in its log file. This option is not available in the Access to File Was Denied dialog box.

• Stop the scan operation. Click Stop in the dialog box, or type S when you see the full-screen warning, to tell the System Scan module to deny any access to the file but not to take any other action. Denying access to the file prevents anyone from opening, saving, copying or renaming it. To continue, you must click OK. If you have its reporting option enabled, the module will note each incident in its log file.

• Exclude the file from scan operations. Click Exclude in the dialog box, or type E when you see the full-screen warning, to tell the System Scan module to exclude this file from future scan operations. Normally, you would use this option to bypass files that you know do not have viruses.

Administrator’s Guide 79

Page 80

Removing Infections From Your System

Responding when the E-mail Scan module detects a virus

This module looks for viruses in e-mail messages you receive via corporate e-mail systems such as cc:Mail and Microsoft Exchange. In its initial configuration, the module will prompt you to choose a response from among five options whenever it detects a virus (Figure 3-3).

Figure 3-3. E-mail Scan module response options

Click the button that corresponds to the response you want. Your choices are:

• Stop. Click this button to stop the scan operation immediately. The E-Mail Scan module will record each detection in its log file, but it will take no other action to respond to the virus.

• Clean. Click this button to have the E-Mail Scan module software try to remove the virus code from the infected file. If it cannot clean the file—either because it has no remover or because the virus has damaged the file beyond repair—it will record the incident in its log file and suggest alternative responses. In the example shown in Figure 3-3, the module failed to clean the EICAR test file—a mock “virus” written specifically to test whether your anti-virus software installed correctly. Here, Clean is not an available response option. In most cases, you should delete such files and restore them from backups.

• Delete. Click this button to delete the file from your system immediately. By default, the E-Mail Scan module will record the name of the infected file in its log so that you can restore the file from a backup copy.

• Move file to. Click this button to open a dialog box that you can use to locate your quarantine folder, or another suitable folder. Once you have located the correct folder, click OK to transfer the file to that location.

• Exclude. Click this button to prevent the E-Mail Scan module from flagging this file as a virus in future scan operations. If you copy this file to your hard disk, this also prevents the System Scan module from detecting the file as a virus.

80 McAfee VirusScan Anti-Virus Software

Page 81

Removing Infections From Your System

When you choose your action, the E-Mail Scan module will implement it immediately and add a notice to the top of the e-mail message that contained the infected attachment. The notice gives the file name of the infected attachment, identifies the name of the infecting virus, and describes the action that the module took in response.

To apply the response you chose to all infected files that the E-Mail Scan module finds during this scan operation, select the Apply to all items checkbox in the dialog box.

Responding when the Download Scan module detects a virus

This module looks for viruses in e-mail messages and other files you receive over the Internet via a web browser or such e-mail client programs as Eudora Light, Netscape Mail, Outlook Express, and others. It will not detect files you download with FTP client applications, terminal applications, or through similar channels. In its initial configuration, the module will prompt you to choose a response from among three options whenever it detects a virus (Figure 3-4). A fourth option provides you with additional information.

Figure 3-4. Download Scan response options

Click the button that corresponds to the response you want. Your choices are:

• Continue. Click this to tell the Download Scan module to take no action and to resume scanning. The module will continue until it finds another virus on your system or until it finishes the scan operation. Normally, you would use this option to bypass files that you know do not have viruses, or if you plan to leave your computer unattended as you download e-mail or other files. The module will note each incident in its log file.

• Delete. Click this to tell the Download Scan module to delete the infected file or e-mail attachment you received. By default, the module notes the name of the infected file in its log file.

• Move. Click this to tell the Download Scan module to move the infected file to the quarantine directory you chose in the module’s Action property page.

Administrator’s Guide 81

Page 82

Removing Infections From Your System

When you choose your action, the Download Scan module will implement it immediately and add a notice to the top of the e-mail message that contained the infected attachment. The notice gives the file name of the infected attachment, identifies the name of the infecting virus, and describes the action that the module took in response.

Responding when Internet Filter detects a virus

This module looks for hostile Java classes or ActiveX controls whenever you visit a website or download files from the Internet. You can also use the module to block your browser from connecting to dangerous Internet sites. In its initial configuration, the module will ask you whenever it encounters a potentially harmful object whether you want to Deny the object access to your system or you want to Continue and allow the object access. It will offer you the same choice when you try to connect to a potentially dangerous website (Figure 3-5).

Figure 3-5. Internet Filter response options

Responding when the VirusScan application detects a virus

When you first run a scan operation with the VirusScan application, it will look at all files on your C: drive that are susceptible to virus infection. This provides you with a basic level of protection that you can extend by configuring VirusScan software to suit your own needs.

With this initial configuration, the program will prompt you for a response when it finds a virus (Figure 3-6).

Figure 3-6. VirusScan response options

82 McAfee VirusScan Anti-Virus Software

Page 83

Removing Infections From Your System

To respond to the infection, click one of the buttons shown. You can tell the VirusScan application to:

• Continue. Click this button to proceed with the scan operation and have the application list each infected file in the lower portion of its main window (Figure 3-7), record each detection in its log file, but take no other action to respond to the virus. Once the application finishes examining your system, you can right-click each file listed in the main window, then choose an individual response from the shortcut menu that appears.

Figure 3-7. VirusScan main window

• Stop. Click this button to stop the scan operation immediately. The VirusScan application will list the infected files it has already found in the lower portion of its main window (Figure 3-7) and record each detection in its log file, but it will take no other action to respond to the virus. Right-click each infected file listed in the main window, then choose an individual response from the shortcut menu that appears.

• Clean. Click this button to have the VirusScan application try to remove the virus code from the infected file. If it cannot clean the file—either because it has no remover or because the virus has damaged the file beyond repair—it will record the incident in its log file and suggest alternative responses.

In the example shown in Figure 3-6 on page 82, the application failed to clean the EICAR Test Virus—a mock “virus” written specifically to test whether your anti-virus software installed correctly. Here, Clean is not an available response option. In most cases, you should delete such files and restore them from backups.

• Delete. Click this button to delete the file from your system immediately. By default, the VirusScan application will record the name of the infected file in its log so that you can restore the file from a backup copy.

Administrator’s Guide 83

Page 84

Removing Infections From Your System

• Move file to. Click this to open a dialog box that you can use to locate your quarantine folder, or another suitable folder. Once you have located the correct folder, click OK to transfer the file to that location.

• Info. Click this to connect to the Network Associates Virus Information Library. This choice does not take any action against the virus that the application detected. See “Viewing virus information” on page 86 for more details.

Responding when the E-Mail Scan extension detects a virus

The E-Mail Scan extension included with VirusScan software lets you scan incoming Microsoft Exchange or Microsoft Outlook e-mail messages for viruses at your initiative. You can start it from within either e-mail client and use it to supplement the continuous e-mail background scanning you get with the VShield E-Mail Scan module. The E-Mail Scan module also offers the ability to clean infected file attachments or stop the scan operation, a capability that complements the continuous monitoring that the E-Mail Scan module provides. In its initial configuration, E-Mail Scan extension will prompt you for a response when it finds a virus (Figure 3-8).

Figure 3-8. E-Mail Scan response options

To respond to the infection, click one of the buttons shown. You can tell the E-Mail Scan extension to:

• Continue. Click this button to have the E-Mail Scan extension proceed with its scan operation, list each infected file it finds in the lower portion of its main window (Figure 3-9), and record each detection in its log file, but it will take no other action to respond to the virus. The extension will continue until it finds another virus on your system or until it finishes the scan operation. Once it has finished examining your system, you can right-click each file listed in the main window, then choose an individual response from the shortcut menu that appears.

84 McAfee VirusScan Anti-Virus Software

Page 85

Removing Infections From Your System

• Stop. Click this button to stop the scan operation immediately. The E-Mail Scan extension will list the infected files it has already found in the lower portion of its main window (Figure 3-9) and record each detection in its log file, but it will take no other action to respond to the virus. Right-click each infected file listed in the main window, then choose an individual response from the shortcut menu that appears.

Figure 3-9. E-Mail Scan extension window

• Clean. Click this button to remove the virus code from the infected file. If the E-Mail Scan extension cannot clean the file—either because it has no remover or because the virus has damaged the file beyond repair—it will record the incident in its log file and suggest alternative responses. In the example shown in Figure 3-8, Clean is not an available response option. In most cases, you should delete such files and restore them from backups.

• Delete. Click this button to delete the file from your system. By default, the E-Mail Scan extension will record the name of the infected file in its log so that you can restore the file from a backup copy.

• Move. Click this button to open a dialog box that you can use to locate your quarantine folder, or another suitable folder. Once you have located the correct folder, click OK to transfer the file to that location.

• Info. Click this to connect to the Network Associates Virus Information Library. This choice does not cause the E-Mail Scan extension to take any action against the virus it detected. See “Viewing virus information” for more details.

Administrator’s Guide 85

Page 86

Removing Infections From Your System

Viewing virus information

Clicking Info in any of the virus response dialog boxes will connect you to the Network Associates online Virus Information Library, provided you have an Internet connection and web browsing software available on your computer (Figure 3-10).

Figure 3-10. Network Associates Virus Information Library page

The Virus Information Library has a collection of documents that give you a detailed overview of each virus that VirusScan software can detect or clean, along with information about how the virus infects and alters files, and the sorts of payloads it deploys. The site lists the most prevalent or riskiest viruses, provides a search engine you can use to search for particular virus descriptions alphabetically or by virus name, displays prevalence tables, technical documents, and white papers, and gives you access to technical data you can use to remove viruses from your system.

To connect directly to the library, visit the site at:

http://vil.nai.com/villib/alpha.asp

You can also connect directly to the Library from the VirusScan Console —choose Virus List from the View menu in the Console window. To learn more about the Console, see Chapter 6, “Creating and Configuring Scheduled

Tasks” in the VirusScan User’s Guide.

The Library is part of the McAfee AVERT website, which you can visit at:

http://www.nai.com/asp_set/anti_virus/avert/intro.asp

The AVERT website has a wealth of virus-related data and software.

86 McAfee VirusScan Anti-Virus Software

Page 87

Examples include:

• Current information and risk assessments on emerging and active virus threats

• Software tools you can use to extend or supplement your McAfee anti-virus software

• Contact addresses and other information for submitting questions, virus samples, and other data

• Virus definition updates-this includes daily beta .DAT file updates, EXTRA.DAT files, updated Emergency .DAT files, current scan engine versions, regular weekly .DAT and SuperDAT updates, and new incremental virus definition files (.UPD)

• Beta and “first look” software

Viewing file information

If you right-click a file listed either in the VirusScan main window or the E-Mail Scan window (see Figure 3-9 on page 85), then choose File Info from the shortcut menu that appears, VirusScan software will open an Infected Item Information dialog box that names the file, lists its type and size in bytes, gives its creation and modification dates, and describes its attributes (Figure 3-11).

Removing Infections From Your System

Figure 3-11. Infected File Information property page

Administrator’s Guide 87

Page 88

Removing Infections From Your System

Submitting a virus sample

If you have a suspicious file that you believe contains a virus, or experience a system condition that might result from an infection—but VirusScan software has not detected a virus—McAfee recommends that you send a sample to its anti-virus research team for analysis. When you do so, be sure to start your system in the apparently infected state—don’t start your system from a clean floppy disk.

Several methods exist for capturing virus samples and submitting them. The next sections discuss methods suited to particular conditions.

Using the SendVirus utility to submit a file sample

Because the majority of later-generation viruses tend to infect document and executable files, VirusScan software comes with SENDVIR.EXE, a utility that makes it easy to submit an infected file sample to McAfee researchers for analysis.

To submit a sample file, follow these steps:

1. If you must connect to your network or Internet Service Provider (ISP) to send e-mail, do so first. If you are continuously connected to your network or ISP, skip this step and go to Step 2.

2. Locate the file SENDVIR.EXE in your VirusScan program directory. If you installed your VirusScan software with default Setup options, you'll find the file here:

C:\Program Files\Network Associates\VirusScan

3. Double-click the file to display the first AVERT Labs Response Center wizard panel (Figure 3-12).

88 McAfee VirusScan Anti-Virus Software

Figure 3-12. First SENDVIR.EXE panel

Page 89

Removing Infections From Your System

4. Read the welcome message, then click Next> to continue.

The Contact Information wizard panel appears.

Figure 3-13. Your Contact Information panel

5. If you want AVERT researchers to contact you about your submission, enter your name, e-mail address, and any message you would like to send along with your submission in the text boxes provided, then click Next> to continue.



NOTE: You may submit samples anonymously, if you prefer— simply leave the text boxes in this panel blank. You are under no obligation to supply any information at all here.

The Choose Files to Submit panel appears (Figure 3-14).

Figure 3-14. Choose Files to Submit panel

Administrator’s Guide 89

Page 90

Removing Infections From Your System

6. Click Add to open a dialog box you can use to locate the files you believe are infected.

Choose as many files as you want to submit for analysis. To remove any of the files shown in the submission list, select it, then click Remove. When you have chosen all of the files you want to submit, click Next> to continue.

The Choose Upload Options panel appears (Figure 3-15).

Figure 3-15. Choose Upload options panel

If the file you want to submit is a Microsoft Office document or another file that contains information you want to keep confidential, select the Remove my personal data from file checkbox, then click Next> to continue. This tells the SENDVIR.EXE utility to strip everything out of the file except macros or executable code.

The Choose E-Mail Service panel appears (Figure 3-16).

Figure 3-16. Choose E-mail Service panel

90 McAfee VirusScan Anti-Virus Software

Page 91

Removing Infections From Your System

7. Select the type of e-mail client application you have installed on your computer. Your choices are:

• Use outgoing Internet mail. Click this button to send your sample

via a Simple Mail Transfer Protocol e-mail client, such as Eudora, NetScape Mail, or Microsoft Outlook Express. Next, enter the name of your outgoing mail server in the text box provided-mail.domain.com, for example.

• Use Microsoft Exchange. Click this button to send your sample via

your corporate e-mail system. To use this option, your e-mail system must support the Messaging Application Programming Interface (MAPI) standard. Examples of such systems include Microsoft Exchange, Microsoft Outlook, and Lotus cc:Mail v8.0 and later.

8. Click Finish to send your sample.



NOTE: Although McAfee researchers appreciate your submission, their receipt of your message does not obligate them to take any action, provide any remedy, or respond in any way to you.

SENDVIR.EXE will use the e-mail client you specified to send your sample. You must have connected to your network or ISP in order for this process to succeed.

Capturing boot sector, file-infecting, and macro viruses

If you suspect you have a virus infection, you can collect a sample of the virus, then either create a floppy disk image to send via e-mail, or mail the floppy disk itself to McAfee anti-virus researchers. The researchers would also benefit from having samples of your current system files on a separate floppy disk.

Capturing boot-sector infections

Boot-sector viruses frequently hide in areas of your hard disk or floppy disks that you ordinarily cannot see or read. You can, however, capture a sample of a boot-sector virus by deliberately infecting a floppy disk with it.

To do so, follow these steps:

1. Insert a new, unformatted floppy disk into your floppy drive.

2. Click Start in the Windows taskbar, point to Programs, then choose

MS-DOS Prompt if your computer runs Windows 95 or Windows 98, or Command Prompt if your computer runs Windows NT Workstation

v4.0 or Windows 2000 Professional.

Administrator’s Guide 91

Page 92

Removing Infections From Your System

3. Type this line at the command prompt:

format a: /s

If your system hangs as it tries to format the disk, remove the disk from your floppy drive. Next, label the disk “Damaged during infected format as boot disk,” then set it aside.

4. Insert a new, formatted floppy disk into your floppy drive.

5. Copy your current system files to that disk. For most DOS versions, those files will include:

• IO.SYS

• MSDOS.SYS

• COMMAND.COM

For Windows systems, copy these files to the same preformatted disk:

• GDI.EXE

• KRNL286.EXE or KRNL386.EXE

• PROGMAN.EXE

6. Label the diskette “Contains infected files,” then set it aside.

Capturing file-infecting or macro viruses

If you suspect you have a file-infecting virus or a macro virus that has infected any of your Microsoft Word, Excel, or PowerPoint files, send these files to McAfee anti-virus researchers, either with the SENDVIR.EXE utility, via e-mail as floppy disk images, or through the mail on floppy disk:

• If you suspect that a virus has infected executable files on your system, copy COMMAND.COM to a formatted floppy disk, then change its file extension to a non-executable extension.

• If you suspected that a macro virus has infected your Microsoft Word files, copy NORMAL.DOT and all files from the Microsoft Office Startup folder to the floppy disk. You’ll find the Microsoft Office startup files here, if you installed Office to its default location:

C:\Program Files\Microsoft Office\Office\Startup

• If you suspect that a macro virus has infected your Microsoft Excel files, copy all files from C:\Program Files\Microsoft Office\Office\XLSTART to the disk. Include all files you have installed in alternative startup file locations.

92 McAfee VirusScan Anti-Virus Software

Page 93

Removing Infections From Your System

• If you suspect that a macro virus has infected your PowerPoint files, copy the file BLANKPRESENTATION.POT from C:\Program Files\Microsoft Office\Templates to the disk.

Making disk images

To send the files now stored on any floppy disks you created, you can use a McAfee AVERT Labs tool called RWFLOPPY.EXE to make a floppy disk image that encapsulates the infection. The RWFLOPPY.EXE tool does not come with your VirusScan software, but you can download it from this location:

http://www.nai.com/asp_set/anti_virus/avert/tools.asp

The AVERT site stores the tool as a compressed .ZIP file. Download the file to your computer, then extract it to a temporary folder on your hard disk. The .ZIP package contains a brief text file that explains the syntax for using the RWFLOPPY.EXE utility.

NOTE: If you suspect you have a boot virus, you must use RWFLOPPY to send your samples electronically; otherwise, you must send your samples physically on a diskette. If you send them electronically without using RWFLOPPY, the samples will be incomplete or unusable, as boot viruses often hide beyond the last sectors of a diskette, and other diskette image creation programs cannot obtain this data.

Once you create images of the disks you want to send, you can send them as file attachments in an e-mail message to McAfee anti-virus researchers.

Preparing file archives to send

Try to fit as many of file samples as you can on a single floppy disk. To do so, compress the samples that you captured on disk to a single .ZIP file with password protection. Here’s a suggested procedure that uses the WinZip utility:

1. Start WinZip.

2. Press CTRL+N to create a new archive.

The New Archive dialog box appears.

3. Enter a name for the new archive, then click OK.

4. Press CTRL+A to add files to the new archive.

The Add dialog box appears.

5. Click Password to display the Password dialog box.

Administrator’s Guide 93

Page 94

Removing Infections From Your System

6. Type INFECTED in the Password text box, then click OK.

7. When prompted, retype your password to verify its accuracy, then click

OK.

The Add With Password dialog box appears.

8. Select your sample files, then click OK.

WinZip applies the password you entered to all files that you add to or extract from your archive. Password-protected files appear in the archive list with a plus sign (+) after their names.



NOTE: If you do not protect your samples with the password

INFECTED, McAfee anti-virus scanners may detect and clean samples before they reach our researchers.

9. Attach the .ZIP file that you created to an e-mail message.

Sending samples via e-mail

Once you’ve made disk images or created a file archive for your samples, send them to McAfee researchers at one of these e-mail addresses:

In the United States virus_research@nai.com

In the United Kingdom vsample@nai.com

In Germany virus_research_de@nai.com

In Japan virus_research_japan@nai.com

In Australia virus_research_apac@nai.com

In the Netherlands virus_research_europe@nai.com

In your message, include this information:

• Which symptoms cause you to suspect that your machine is infected

• Which product and version number detected the virus, if any did, and

what the results were

• Your VirusScan and .DAT file version numbers

• Details about your system that might help to reproduce the environment in

which you detected the virus

• Your name, company name, phone number, and e-mail address, if possible

• A list of all items contained in the package you are sending

94 McAfee VirusScan Anti-Virus Software

Page 95

Removing Infections From Your System

Mailing infected floppy disks

You can also mail the actual disks you created directly to McAfee anti-virus researchers. McAfee recommends that you create a text file or write a message to accompany the disks that includes the same information you would submit with an electronic disk image. Send your sample to only one research lab address so that you can receive the fastest possible response to your issue. Use these mailing addresses:

In the United States:

Network Associates, Inc.

Virus Research

20460 NW Von Neumann Drive

Beaverton, OR 97006

In Germany:

Network Associates, Inc.

Virus Research

Luisenweg 40

20537 Hamburg

Germany

In Australia:

Network Associates, Inc.

Virus Research

500 Pacific Highway, Level 1

St. Leonards, NSW

Sydney

Australia 2065

In the United Kingdom:

Network Associates, Inc.

Virus Research

Gatehouse Way

Aylesbury, Bucks HP19 3XU

In Japan:

Network Associates, Inc.

Virus Research

9F Toranomon Mori-bldg. 33

3-8-21 Toranomon, Minato-Ku

Tokyo

Japan 105-0001

In Europe:

Network Associates, Inc.

Virus Research

Gatwickstraat 25

1043 GL Amsterdam

Netherlands



NOTE: McAfee AVERT Labs does keep all submitted samples, but once you submit a sample, AVERT cannot return it to you. AVERT does not accept or process Iomega Ditto or Jazz cartridges, Iomega Zip disks, or other types of removable media.

Administrator’s Guide 95

Page 96

Removing Infections From Your System

96 McAfee VirusScan Anti-Virus Software

Page 97

4Using VirusScan Software

Using the VShield scanner

The VShield scanner protects your system in the background, as you work with your files, in order to prevent infection from viruses that arrive via floppy disks, from your network, embedded in file attachments that come with e-mail messages, or from your computer’s memory. The scanner starts when you start your computer, and stays in memory until you shut down. The VShield scanner also includes technology that guards against hostile Java applets and ActiveX controls, and that keeps your computer from connecting to dangerous Internet sites. Secure password protection for your configuration options prevents others from making unauthorized changes.



NOTE: In order for some VShield scanner features to become active, you must do a custom installation of these modules: Download Scan and Internet Filter.

To learn how to configure VShield properties and how to start and stop the VShield scanner, see Chapter 4, “Using the VShield Scanner,” in the VirusScan

User’s Guide.

Using the VirusScan application

The VirusScan name applies both to the entire set of desktop anti-virus program components described in the User’s Guide, and to a particular component of that set: SCAN32.EXE, or the VirusScan application, which allows you to run “on-demand” scan operations. “On demand” means that you as a user control when VirusScan software starts and ends a scan operation, which targets it examines, what it does when it finds a virus, or any other aspect of the program’s operation. Other VirusScan components, by contrast, operate automatically or according to a schedule you set. VirusScan software originally consisted solely of an on-demand scanner—features integrated into the program since then provide a cluster of anti-virus functions that give you maximum protection against virus infections and attacks from malicious software.

The VirusScan application operates in two modes: the VirusScan “Classic” interface gets you up and running quickly, with a minimum of configuration options, but with the full power of the VirusScan anti-virus scanning engine; the VirusScan Advanced mode adds flexibility to the program’s configuration options, including the ability to run more than one scan operation concurrently.

Administrator’s Guide 97

Page 98

Using VirusScan Software

To learn how to configure VirusScan properties and how to start and stop VirusScan software, see Chapter 5, “Using the VirusScan application,”in the VirusScan User’s Guide.

Scheduling scan tasks

The VirusScan Console runs scan operations and other tasks on the dates and at the times you choose, or at intervals you set. Use the Console to run a scan operation in your absence, when it causes the least disruption to your work, as part of a series of automated tasks, or in other ways that suit your needs.

To learn how to configure VirusScan Console properties, see Chapter 6,

“Creating and Configuring Scheduled Tasks,” in the VirusScan User’s Guide.

Using specialized scanning tools

In addition to the continuous background scanning that the VShield scanner provides you with through its E-Mail Scan module, VirusScan software includes a Microsoft Outlook client extension designed specifically to look for viruses in your Microsoft Exchange and Microsoft Outlook mailboxes. The E-Mail Scan extension gives you the ability to scan your mail servers at your own initiative, and at times convenient for you. An unobtrusive plug-in architecture gives you access to the scanner from directly within your Exchange or Outlook client application.

To learn how to configure the E-Mail Scan extension and other specialized scanners, see Chapter 8, “Using Specialized Scanning Tools,” in the VirusScan

User’s Guide.

98 McAfee VirusScan Anti-Virus Software

Page 99

5Sending Alert Messages

Using the Alert Manager Client Configuration utility

All McAfee anti-virus software includes wide range of methods to alert you when it has detected a virus or other malicious software. These methods include:

• graphical and full-screen warnings that appear on your local computer, often with response options

• system beeps and custom messages that you can compose

• e-mail messages sent as replies to those who send you infected items, or as

warnings to others that you've received an infected item

• log files that record VirusScan component actions, including virus detection and response events

• summary and real-time statistical displays that update detection and response events

Many of these methods alert you only if you are at your computer and watching as a scan operation runs. If you manage a network of workstations that you want to secure, however, you often need a method that will tell you about an infection if you are at any other workstation on your network, or even if you are not connected to the network at all. You also need a method to collect and manage alert messages from all over the network in a central repository so that you can respond whenever any workstation detects an infected file.

McAfee provides Alert Manager server software for just such a need. The software allows you to centralize alert message collection and processing, assign priority designations and custom messages to those messages, and designate any of up to 11 different methods to distribute them to you or to others. With the v4.5 anti-virus product series, the Alert Manager server now comes as an independent package bundled with McAfee NetShield anti-virus software. You can install this new Alert Manager server together with NetShield software, or by itself on a computer that you want to use as an alert collection point.

You can install multiple Alert Manager servers, one to a domain, perhaps, or one on each of the machines in a cluster server. If you do so, you can also forward alert messages among Alert Manager servers and, thereby, to other computers on your network or to centralized notification systems. This feature can allow MIS departments to keep close track of viruses and problem areas.

To learn how to install and configure the Alert Manager utility, see the NetShield Administrator’s Guide.

Administrator’s Guide 99

Page 100

Sending Alert Messages

VirusScan software as an Alert Manager Client

VirusScan software works as a client program with respect to NetShield software and an Alert Manager server. It can send alert “events” whenever it detects a virus or malicious software to any Alert Manager server you specify. The Alert Manager server then relays those events—and any others it receives from other workstations—as alert messages, via the methods you or your system administrator defined for alert distribution.

VirusScan software can instead send these same alert messages as text (.ALR) files to a Centralized Alerting directory visible to the Alert Manager server. The Alert Manager server checks the Centralized Alerting directory periodically, looking for any new .ALR files, and distributing the alert messages from any it finds.



NOTE: McAfee recommends that you send alert events directly to an Alert Manager server rather than via Centralized Alerting, unless your network configuration does not permit you to use Alert Manager servers. The Alert Manager server can work in conjunction with Network Associates Event Orchestrator software to tie alert messages into the Network Associates Magic HelpDesk application for trouble-ticket generation and other features.

Alert Manager messages also contain much richer data than do those sent via Centralized Alerting. Enabling SNMP traps for Alert Manager will collect a host of information about the computer that generates the alert message and its software configuration.

The VirusScan client can supplement either method with Desktop Management Interface (DMI) alerts for network management software, such as Hewlett-Packard OpenView, to process.

Configuring the Alert Manager Client utility

VirusScan software includes a simple client configuration utility that allows you to choose the Alert Manager server that you want to receive alert events, designate a Centralized Alerting directory to receive alert messages, and specify the numeric value of DMI alert messages you want to send.

Setting up a complete alert system is a two-part process: First, you must enable the Alert Manager Client Configuration utility and point it to the correct Alert Manager server or Centralized Alerting location. Next, you must verify that you have selected the Notify Alert Manager checkbox in the VirusScan Advanced Alert property page, in the Alert page for the E-Mail Scan extension and in the Alert pages for each VShield module you have enabled.

100 McAfee VirusScan Anti-Virus Software

Mcafee VIRUSSCAN 4.5 ADMINISTRATOR GUIDE

Specifications and Main Features

Frequently Asked Questions

User Manual

Preface

Anti-virus protection as information security

Information security as a business necessity

Active Virus Defense security perimeters

At the desktop: VirusScan software

McAfee anti-virus research

How to contact McAfee and Network Associates

Customer service

Technical support

Download support

Network Associates training

Comments and feedback

Reporting new items for anti-virus data file updates

International contact information

1About VirusScan Software

Introducing VirusScan anti-virus software

How does VirusScan software work?

Fast, accurate virus detection

Encrypted polymorphic virus detection

“Double heuristics” analysis

Wide-spectrum coverage

What comes with VirusScan software?

What’s new in this release?

Installation and distribution features

Interface enhancements

Changes in product functionality

New update options for your VirusScan software

Before you begin

System requirements

Installing VirusScan software on a local computer

Installation steps

Using the Emergency Disk Creation utility

Determining when you must restart your computer

Testing your installation

Modifying or removing your local VirusScan installation

Installing VirusScan software on other computers

Using Active Directory and Group Policies

Installing VirusScan software using command-line options

Silent installation

Logging the installation

Installing to a custom directory

Selecting specific features to install

Setting reboot options

Setting security type for Windows NT

Removing incompatible software

Scanning your system at startup

Starting the VShield scanner

Preserving on access settings

Running Setup from a login script

Using Management Edition software

Using ePolicy Orchestrator to deploy VirusScan software

Installing via System Management Server

Installing via Tivoli IT Director

Installing via ZENworks

Exporting VirusScan custom settings

If you suspect you have a virus...

Deciding when to scan for viruses

Recognizing when you don’t have a virus

Understanding false detections

Responding to viruses or malicious software

Responding when the VShield scanner detects malicious software

Responding when the System Scan module detects a virus

Responding when the E-mail Scan module detects a virus

Responding when the Download Scan module detects a virus

Responding when Internet Filter detects a virus

Responding when the VirusScan application detects a virus

Responding when the E-Mail Scan extension detects a virus

Viewing virus information

Viewing file information

Submitting a virus sample

Using the SendVirus utility to submit a file sample

Capturing boot sector, file-infecting, and macro viruses

Capturing boot-sector infections

Capturing file-infecting or macro viruses

Making disk images

Preparing file archives to send