McAfee VIRUSSCAN 4.5 ADMINISTRATOR GUIDE

McAfee VirusScan
Administrator’s Guide
Version 4.5
COPYRIGHT
Copyright © 1998-2000 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies.
* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, CNX, Compass 7, CyberCop, CyberMedia, Data Security Letter, Discover, Distributed Sniffer System, Dr Solomon’s, Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT, GroupShield, HelpDesk, Hunter, ISDN Tel/Scope, LM 1, LANGuru, Leading Help Desk Technology, Magic Solutions, MagicSpy, MagicTree, Magic University, MagicWin, MagicWord, McAfee, McAfee Associates, MoneyMagic, More Power To You, Multimedia Cloaking, NetCrypto, NetOctopus, NetRoom, NetScan, Net Shield, NetShield, NetStalker, Net Tools, Network Associates, Network General, Network Uptime!, NetXRay, Nuts & Bolts, PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty Good Privacy, PrimeSupport, RecoverKey, RecoverKey-International, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, Site Meter, Sniffer, SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR), SupportMagic, Switch PM, TeleSniffer, TIS, TMach, TMeg, Total Network Security, Total Network Visibility, Total Service Desk, Total Virus Defense, T-POD, Trusted Mach, Trusted Mail, Uninstaller, Virex, Virex-PC, Virus Forum, ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker WebWall, and ZAC 2000 are registered
trademarks of Network Associates and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
LICENSE AGREEMENT
NOTICE TO ALL USERS: FOR THE SPECIFIC TERMS OF YOUR LICENSE TO USE THE SOFTWARE THAT THIS DOCUMENTATION DESCRIBES, CONSULT THE README.1ST, LICENSE.TXT, OR OTHER LICENSE DOCUMENT THAT ACCOMPANIES YOUR SOFTWARE, EITHER AS A TEXT FILE OR AS PART OF THE SOFTWARE PACKAGING. IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH THEREIN, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.
Issued March 2000/VirusScan v4.5 Anti-Virus Software
Table of Contents
Preface
Anti-virus protection as information security
Information security as a business necessity
Active Virus Defense security perimeters
McAfee anti-virus research
How to contact McAfee and Network Associates
Customer service
Technical support
Download support
Network Associates training
Comments and feedback
Reporting new items for anti-virus data file updates
International contact information
Chapter 1. About VirusScan Software
Introducing VirusScan anti-virus software
How does VirusScan software work?
What comes with VirusScan software?
What’s new in this release?
Chapter 2. Installing VirusScan Software
Before you begin
System requirements
Installing VirusScan software on a local computer
Installation steps
Using the Emergency Disk Creation utility
Determining when you must restart your computer
Testing your installation
Modifying or removing your local VirusScan installation
Installing VirusScan software on other computers
Using Active Directory and Group Policies
Installing VirusScan software using command-line options
Using Management Edition software
Using ePolicy Orchestrator to deploy VirusScan software
Installing via System Management Server
Installing via Tivoli IT Director
Installing via ZENworks
Exporting VirusScan custom settings
Chapter 3. Removing Infections From Your System
If you suspect you have a virus...
Deciding when to scan for viruses
Recognizing when you don’t have a virus
Understanding false detections
Responding to viruses or malicious software
Submitting a virus sample
Using the SendVirus utility to submit a file sample
Capturing boot sector, file-infecting, and macro viruses
Chapter 4. Using VirusScan Software
Using the VShield scanner
Using the VirusScan application
Scheduling scan tasks
Using specialized scanning tools
Chapter 5. Sending Alert Messages
Using the Alert Manager Client Configuration utility
VirusScan software as an Alert Manager Client
Configuring the Alert Manager Client utility
Chapter 6. Updating and Upgrading VirusScan Software
Developing an updating strategy
Update and upgrade methods
Understanding the AutoUpdate utility
Configuring the AutoUpdate Utility
Understanding the AutoUpgrade utility
Configuring the AutoUpgrade utility
Using the AutoUpgrade and SuperDAT utilities together
Deploying an EXTRA.DAT file
Appendix A. Using VirusScan Administrative Utilities
Understanding the VirusScan control panel
Opening the VirusScan control panel
Choosing VirusScan control panel options
Appendix B. Installed Files
What’s in this appendix?
VShield scanner
Dependent and related files for the VirusScan application
Alert Manager
VirusScan control panel files
ScreenScan
VirusScan Emergency Disk files
Dependent and related files for the E-Mail Scan extension
Appendix C. Using VirusScan Command-line Options
Adding advanced VirusScan engine options
Running the VirusScan Command Line program
Running the on-demand scanner with command-line arguments
Appendix D. Using the SecureCast Service to Get New Data Files
Introducing the SecureCast service
Why should I update my data files?
Which data files does the SecureCast service deliver?
Installing the BackWeb client and SecureCast service
System requirements
Troubleshooting the Enterprise SecureCast service
Unsubscribing from the SecureCast service
Support resources
SecureCast service
BackWeb client
Appendix E. Network Associates Support Services
Adding value to your McAfee product
PrimeSupport options for corporate customers
Ordering a corporate PrimeSupport plan
PrimeSupport options for home users
How to reach international home user support
Ordering a PrimeSupport plan for home users
Network Associates consulting and training
Professional Services
Total Education Services
Appendix F. Understanding iDAT Technology
Understanding incremental .DAT files
How does iDAT updating work?
What does McAfee post each week?
Best practices
Frequently asked questions
Index

Preface

Anti-virus protection as information security

“The world changed [on March 26, 1999]—does anyone doubt that? The world is different. Melissa proved that ... and we are very fortunate ... the world could have gone very close to meltdown.”
Padgett Peterson, Chief Info Security Architect, Lockheed Martin Corporation, on the 1999 “Melissa” virus epidemic
By the end of the 1990s, many information technology professionals had begun to recognize that they could not easily separate how they needed to respond to new virus threats from how they already dealt with deliberate network security breaches. Dorothy Denning, co-editor of the 1998 computer security handbook Internet Besieged: Countering Cyberspace Scofflaws, explicitly grouped anti-virus security measures in with other network security measures, classifying them as a defense against malicious injected code.
Denning justified her inclusive grouping based on her definition of information security as the effective use of safeguards to protect the confidentiality, integrity, authenticity, availability, and non-repudiation of information and information processing systems. Virus payloads had always threatened or damaged data integrity, but by the time she wrote her survey article, newer viruses had already begun to mount sophisticated attacks that struck at the remaining underpinnings of information security. Denning’s classification recognized that newer viruses no longer merely annoyed system administrators or posed a relatively low-grade threat; they had in fact graduated to become a serious hazard.
Though not targeted with as much precision as an unauthorized network intrusion, virus attacks had begun to take on the color of deliberate information warfare. Consider these examples, many of which introduced quickly-copied innovations to the virus writers’ repertoire:
W32/CIH.Spacefiller destroyed the flash BIOS in workstations it infected, effectively preventing them from booting. It also overwrote parts of the infected hard disk with garbage data.
XM/Compat.A rewrote the data inside Microsoft Excel spreadsheet files. It used advanced polymorphic concealment techniques, which meant that with each infection it changed the signature bytes that indicated its presence and allowed anti-virus scanners to find it.
W32/Ska, though technically a worm, replaced the infected computer’s WinSock file so that it could attach itself to outgoing Simple Mail Transfer Protocol (SMTP) messages and postings to USENET news groups. This strategy made it commonplace in many areas.
Remote Explorer stole the security privileges of a Windows NT domain administrator and used them to install itself as a Windows NT Service. It also deposited copies of itself in the Windows NT driver directory and carried with it a supporting Dynamic Link Library (.DLL) file that allowed it to randomly encrypt data files. Because it appeared almost exclusively at one corporate site, security experts speculated that it was a deliberate, targeted attack on the unfortunate company’s network integrity.
Back Orifice, the product of a group calling itself the Cult of the Dead Cow, purported to give the owner of the client portion of the Back Orifice application complete remote access to any Windows 95 or Windows 98 workstation that runs the concealed companion server. That access—from anywhere on the Internet—allowed the client to capture keystrokes; open, copy, delete, or run files; transmit screen captures; and restart, crash, or shut down the infected computer. To add insult to injury, early Back Orifice releases on CD-ROM carried a W32/CIH.Spacefiller infection.
Throughout much of 1999, virus and worm attacks suddenly stepped up in intensity and in the public eye. Part of the reason for this, of course, is that many of the more notorious viruses and worms took full advantage of the Internet, beginning a long-predicted assault by flooding e-mail transmissions, websites, newsgroups and other available channels at an almost exponential rate of growth. They now bullied their way into network environments, spreading quickly and leaving a costly trail of havoc behind them.
W97M/Melissa, the “Melissa” virus, jolted most corporate information technology departments out of whatever remaining complacency they had held onto in the face of the newer virus strains. Melissa brought corporate e-mail servers down across the United States and elsewhere when it struck in March 1999. Melissa instructed e-mail client programs to send out infected e-mail messages to the first 50 entries in each target computer’s address book. This transformed a simple macro virus infection with no real payload into an effective denial-of-service attack on mail servers.
Melissa’s other principal innovation was its direct attempt to play on end-user psychology: it forged an e-mail message from a sender the recipient knew, and sent it with a subject line that urged that recipient to open both the message and the attached file. In this way, Melissa almost made the need for viral code to spread itself obsolete—end users themselves cooperated in its propagation, and their own computers blindly participated.
A rash of Melissa variants and copycats appeared soon after. Some, such as W97M/Prilissa, included destructive payloads. Later the same year, a number of new viruses and worms either demonstrated novel or unexpected ways to get into networks and compromise information security, or actually perpetrated attacks. Examples included:
W32/ExploreZip.worm and its variants, which used some of Melissa’s techniques to spread, initially through e-mail. After it successfully infected a host machine, ExploreZip searched for unsecured network shares and quietly copied itself throughout a network. It carried a destructive payload that erased various Windows system files and Microsoft Office documents, replacing them with unrecoverable zero-byte-length files.
W32/Pretty.worm, which did Melissa one better by sending itself to every entry in the infected computer’s MAPI address book. It also connected to an Internet Relay Chat (IRC) server, joined a particular IRC channel, then opened a path to receive commands via the IRC connection. This potentially allowed those on the channel to siphon information from the infected computer, including the computer name and owner’s name, his or her dial-up networking user name and password, and the path to the system root directory.
W32/FunLove.4099, which infected ActiveX .OCX files, among others. This meant that it could lurk on web pages with ActiveX content, and infect systems with low or nonexistent browser security settings as they downloaded pages to their hard disks. If a Windows NT computer user had logged into a system with administrative rights, the infecting virus would patch two critical system files that gave all users on the network—including the virus—administrative rights to all files on the target computer. It spread further within the network by attaching itself to files with the extensions .SCR, .OCX, and .EXE.
VBS/Bubbleboy, a proof-of-concept demonstration that showed that a virus could infect target computers directly from e-mail messages themselves, without needing to propagate through message attachments. It effectively circumvented desktop anti-virus protection altogether, at least initially. Its combination of HTML and VBScript exploited existing vulnerabilities in Internet-enabled mail systems; its author played upon the same end-user psychology that made Melissa successful.
The other remarkable development in the year was the degree to which virus writers copied, fused, and extended each other’s techniques. This cross-pollination had always occurred previously, but the speed at which it took place and the increasing sophistication of the tools and techniques that became available during this period prepared very fertile ground for a nervously awaited bumper crop of intricate viruses.

Information security as a business necessity

Coincidentally or not, these darkly inventive new virus attacks and speedy propagation methods appeared as more businesses made the transition to Internet-based information systems and electronic commerce operations. The convenience and efficiency that the Internet brought to business saved money and increased profits. This probably also made these same businesses attractive targets for pranksters, the hacker underground, and those intent on striking at their favored targets.
Previously, the chief costs from a virus attack were the time and money it took to combat an infection and restore computer systems to working order. To those costs the new types of virus attacks now added the costs of lost productivity, network and server downtime, service denials for e-mail and other critical business tools, exposure—and perhaps widespread distribution—of confidential information, and other ills.
Ultimately, the qualifying differences between a hacker-directed security breach in a network and a security breach that results from a virus attack might become merely ones of intent and method, not results. Already new attacks have shaken the foundations of Net-enabled businesses, many of which require 24-hour availability for networks and e-mail, high data integrity, confidential customer lists, secure credit card data and purchase verification, reliable communications, and hundreds of other computer-aided transactional details. The costs from these virus attacks in the digital economy now cut directly into the bottom line.
Because they do, protecting that bottom line means implementing a total solution for information and network security—one that includes comprehensive anti-virus protection. It’s not enough to rely only on desktop-based anti-virus protection, or on haphazard or ad hoc security measures. The best defense requires sealing all potential points by which viruses can enter or attack your network, from the firewall and gateway down to the individual workstation, and keeping the anti-virus sentries at those points updated and current.
Part of the solution is deploying the McAfee Active Virus Defense* software suite, which provides a comprehensive, multi-platform series of defensive perimeters for your network. You can also build on that security with the McAfee Active Security suite, which allows you to monitor your network against intrusions, watch actual network packet traffic, and encrypt e-mail and network transmissions. But even with anti-virus and security software installed, new and previously unidentified viruses will inevitably find their way into your network. That’s where the other part of the equation comes in: a thorough, easy-to-follow anti-virus security policy and set of practices for your enterprise—in the last analysis, only that can help to stop a virus attack before it becomes a virus epidemic.

Active Virus Defense security perimeters

The McAfee Active Virus Defense product suite exists for one simple reason: there is no such thing as too much anti-virus protection for the modern, automated enterprise. Although at first glance it might seem needlessly redundant to protect all of your desktop computers, file and network servers, gateways, e-mail servers and firewalls, each of these network nodes serves a different function in your network, and has different duties. An anti-virus scanner designed to keep a production workstation virus-free, for example, can’t intercept viruses that flood e-mail servers and effectively deny their services. Nor would you want to make a file server responsible for continuously scanning its client workstations—the cost in network bandwidth would be too high.
More to the point, each node’s specialized functions mean that viruses infect them in different ways that, in turn, call for optimized anti-virus solutions. Viruses and other malicious code can enter your network from a variety of sources—floppy disks and CD-ROMs, e-mail attachments, downloaded files, and Internet sites, for example. These unpredictable points of entry mean that infecting agents can slip through the chinks in incomplete anti-virus armor.
Desktop workstations, for example, can spread viruses by any of a variety of means—via floppy disks, by downloading them from the Internet, by mapping server shares or other workstations’ hard disks. E-mail servers, by contrast, rarely use floppy disks and tend not to use mapped drives—the Melissa virus showed, however, that they are quite vulnerable to e-mail–borne infections, even if they don’t execute the virus code themselves.

At the desktop: VirusScan software

The McAfee Active Virus Defense product suite matches each point of vulnerability with a specialized, and optimized, anti-virus application. At the desktop level, the cornerstone of the suite is the VirusScan anti-virus product. VirusScan software protects some of your most vulnerable virus entry points with an interlocking set of scanners, utilities, and support files that allow it to cover:
Local hard disks, floppy disks, CD-ROMs, and other removable media. The VShield scanner resides in memory, waiting for local file access of any sort. As soon as one of your network users opens, runs, copies, saves, renames, or sets attributes for any file on their system—even from mapped network drives—the VShield scanner examines it for infections.
You can supplement this continuous protection with scan operations you configure and schedule for your own needs. Comprehensive security options let you protect individual options with a password, or run the entire application in secure mode to lock out all unauthorized access.
System memory, boot sectors, and master boot records. You can configure regularly scheduled scan operations that examine these favorite virus hideouts, or set up periodic operations whenever a threat seems likely.
Microsoft Exchange mailboxes. VirusScan software includes a specialized E-Mail Scan extension that assumes your network user’s Microsoft Exchange or Outlook identity to scan his or her mailbox directly—before viruses get downloaded to the local workstation. This can prevent some Melissa-style infections and avoid infections from the next generation of VBS/Bubbleboy descendants.
Internet mail and file downloads. The VShield scanner includes two modules that specialize in intercepting SMTP and POP-3 e-mail messages, and that can examine files your network users download from Internet sites. The E-Mail Scan and Download Scan modules work together to scan the stream of file traffic that most workstations generate and receive daily.
Hostile code. The Olympus scan engine at the heart of VirusScan software routinely looks for suspicious script code, macro code, known Trojan horse programs—even virus jokes or hoaxes. With the help of the VShield Internet Filter module, it also blocks hostile ActiveX and Java objects, many of which can lurk unnoticed on websites, waiting to deploy sophisticated virus-like payloads. The Internet Filter module can even block entire websites, preventing network users from visiting sites that pose a threat to network integrity.
VirusScan software ties these powerful scanning capabilities together with a powerful set of alerting, updating, and management tools. These include:
Alert Manager client configuration. VirusScan software includes a client configuration utility you can use to have it pass alert messages directly to Alert Manager servers on your network, to a Centralized Alerting share, or to a Desktop Management Interface administrative application. Other alert methods include local custom messages and beeps, detection alerts and response options, and e-mail alert messages.
Next-generation AutoUpdate and AutoUpgrade utilities. AutoUpdate v4.5 features complete and transparent support for new incremental .DAT file updates, which save you time and network bandwidth by adding only virus definitions you don’t already have installed on your system. The new AutoUpgrade version includes support for v1.2 of the McAfee SuperDAT utility, which you can use to update the Olympus scan engine and its support files.
Integration with McAfee ePolicy Orchestrator management software. Centralized anti-virus management takes a quantum leap forward with this highly scalable management tool. VirusScan software ships with a plug-in library file that works with the ePolicy Orchestrator server to enforce enterprise-wide network security policies.
You can use ePolicy Orchestrator to configure, update, distribute and manage VirusScan installations at the group, workstation or user level. Schedule and run scan tasks, change configurations, update .DAT and engine files—all from a central console.
Taken together, the Active Virus Defense suite forms a tight series of anti-virus security perimeters around your network that protect you against both external and internal sources of infection. Those perimeters, correctly configured and implemented in conjunction with a clear enterprise-wide anti-virus security policy, do indeed offer useful redundancy, but their chief benefit lies in their ability to stop viruses as they enter your network, without your having to await a tardy or accidental discovery. Early detection contains infections, saves on the costs of virus eradication, and in many cases can prevent a destructive virus payload from triggering.

McAfee anti-virus research

Even the best anti-virus software is only as good as its latest update. Because as many as 200 to 300 viruses and variants appear each month, the .DAT files that enable McAfee software to detect and remove viruses can get quickly outdated. If you have not updated the files that originally came with your software, you could risk infection from newly emerging viruses. McAfee has, however, assembled the world’s largest and most experienced anti-virus research staff in its Anti-Virus Emergency Response Team (AVERT)*. This premier anti-virus research organization has a worldwide reach and a “follow the sun” coverage policy that ensures that you get the files you need to combat new viruses as soon as—and often before—you need them. You can take advantage of many of the direct products of this research by visiting the AVERT research site on the Network Associates website:
http://www.nai.com/asp_set/anti_virus/introduction/default.asp
Contact your McAfee representative, or visit the McAfee website, to find out how to enlist the power of the Active Virus Defense security solution on your side:
http://www.mcafeeb2b.com/

How to contact McAfee and Network Associates

Customer service

On December 1, 1997, McAfee Associates merged with Network General Corporation, Pretty Good Privacy, Inc., and Helix Software, Inc. to form Network Associates, Inc. The combined Company subsequently acquired Dr Solomon’s Software, Trusted Information Systems, Magic Solutions, and CyberMedia, Inc.
A January 2000 company reorganization formed four independent business units, each concerned with a particular product line. These are:
• Magic Solutions. This division supplies the Total Service Desk product line and related products.
• McAfee. This division provides the Active Virus Defense product suite and related anti-virus software solutions to corporate and retail customers.
• PGP Security. This division provides award-winning encryption and security solutions, including the PGP data security and encryption product line, the Gauntlet firewall product line, the WebShield E-ppliance hardware line, and the CyberCop Scanner and Monitor product series.
• Sniffer Technologies. This division supplies the industry-leading Sniffer network monitoring, reporting, and analysis utility and related software.
Network Associates continues to market and support the product lines from each of the new independent business units. You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to the Network Associates Customer Service department at the following address:
Network Associates Customer Service
4099 McEwan, Suite 500
Dallas, Texas 75244
U.S.A.
The department’s hours of operation are 8:00 a.m. to 8:00 p.m. Central Time, Monday through Friday.
Other contact information for corporate-licensed customers:
Phone: (972) 308-9960
Fax: (972) 619-7485 (24-hour, Group III fax)
E-Mail: services_corporate_division@nai.com
Web: http://www.nai.com
Other contact information for retail-licensed customers:
Phone: (972) 308-9960
Fax: (972) 619-7485 (24-hour, Group III fax)
E-Mail: cust_care@nai.com
Web: http://www.mcafee.com/

Technical support

McAfee and Network Associates are famous for their dedication to customer satisfaction. The companies have continued this tradition by making their sites on the World Wide Web valuable resources for answers to technical support issues. McAfee encourages you to make this your first stop for answers to frequently asked questions, for updates to McAfee and Network Associates software, and for access to news and virus information.
World Wide Web http://www.nai.com/asp_set/services/technical_support/tech_intro.asp
If you do not find what you need or do not have web access, try one of our automated services.
Internet techsupport@mcafee.com
CompuServe GO NAI
America Online keyword MCAFEE
If the automated services do not have the answers you need, contact Network Associates at one of the following numbers Monday through Friday between 8:00 A.M. and 8:00 P.M. Central time to find out about Network Associates technical support plans.
For corporate-licensed customers:
Phone (972) 308-9960
Fax (972) 619-7845
For retail-licensed customers:
Phone (972) 855-7044
Fax (972) 619-7845
This guide includes a summary of the PrimeSupport plans available to McAfee customers. To learn more about plan features and other details, see Appendix E, Network Associates Support Services.
To provide the answers you need quickly and efficiently, the Network Associates technical support staff needs some information about your computer and your software. Please include this information in your correspondence:
• Product name and version number
• Computer brand and model
• Any additional hardware or peripherals connected to your computer
• Operating system type and version numbers
• Network type and version, if applicable
• Contents of your AUTOEXEC.BAT, CONFIG.SYS, and system LOGIN script
• Specific steps to reproduce the problem

Download support

To get help with navigating or downloading files from the Network Associates or McAfee websites or FTP sites, call:
Corporate customers (801) 492-2650
Retail customers (801) 492-2600

Network Associates training

For information about scheduling on-site training for any McAfee or Network Associates product, call Network Associates Customer Service at: (972) 308-9960.

Comments and feedback

McAfee appreciates your comments and reserves the right to use any information you supply in any way it believes appropriate without incurring any obligation whatsoever. Please address your comments about McAfee anti-virus product documentation to: McAfee, 20460 NW Von Neumann, Beaverton, OR 97006-6942, U.S.A. You can also send faxed comments to (503) 466-9671 or e-mail to tvd_documentation@nai.com.

Reporting new items for anti-virus data file updates

McAfee anti-virus software offers you the best available detection and removal capabilities, including advanced heuristic scanning that can detect new and unnamed viruses as they emerge. Occasionally, however, an entirely new type of virus that is not a variation on an older type can appear on your system and escape detection.
Because McAfee researchers are committed to providing you with effective and up-to-date tools you can use to protect your system, please tell them about any new Java classes, ActiveX controls, dangerous websites, or viruses that your software does not now detect. Note that McAfee reserves the right to use any information you supply as it deems appropriate, without incurring any obligations whatsoever. Send your questions or virus samples to:
virus_research@nai.com  Use this address to send questions or virus samples to our North America and South America offices
vsample@nai.com  Use this address to send questions or virus samples gathered with Dr Solomon’s Anti-Virus Toolkit* software to our offices in the United Kingdom
To report items to the McAfee European research office, use these e-mail addresses:
virus_research_europe@nai.com  Use this address to send questions or virus samples to our offices in Western Europe
virus_research_de@nai.com  Use this address to send questions or virus samples gathered with Dr Solomon’s Anti-Virus Toolkit software to our offices in Germany
To report items to the McAfee Asia-Pacific research office, or the office in Japan, use one of these e-mail addresses:
virus_research_japan@nai.com  Use this address to send questions or virus samples to our offices in Japan and East Asia
virus_research_apac@nai.com  Use this address to send questions or virus samples to our offices in Australia and South East Asia

International contact information

To contact Network Associates outside the United States, use the addresses, phone numbers and fax numbers below.
Network Associates Australia
Level 1, 500 Pacific Highway
St. Leonards, NSW
Sydney, Australia 2065
Phone: 61-2-8425-4200
Fax: 61-2-9439-5166
Network Associates Belgique
BDC Heyzel Esplanade, boîte 43
1020 Bruxelles
Belgique
Phone: 0032-2 478.10.29
Fax: 0032-2 478.66.21
Network Associates Canada
139 Main Street, Suite 201
Unionville, Ontario
Canada L3R 2G6
Phone: (905) 479-4189
Fax: (905) 479-4540
Network Associates Austria
Pulvermuehlstrasse 17
Linz, Austria
Postal Code A-4040
Phone: 43-732-757-244
Fax: 43-732-757-244-20
Network Associates do Brasil
Rua Geraldo Flausino Gomez 78
Cj. - 51 Brooklin Novo - São Paulo
SP - 04575-060 - Brasil
Phone: (55 11) 5505 1009
Fax: (55 11) 5505 1006
Network Associates People’s Republic of China
New Century Office Tower, Room 1557
No. 6 Southern Road Capitol Gym
Beijing
People’s Republic of China 100044
Phone: 8610-6849-2650
Fax: 8610-6849-2069
Network Associates Denmark
Lautruphoej 1-3
2750 Ballerup
Danmark
Phone: 45 70 277 277
Fax: 45 44 209 910
NA Network Associates Oy
Mikonkatu 9, 5. krs.
00100 Helsinki
Finland
Phone: 358 9 5270 70
Fax: 358 9 5270 7100
Network Associates France S.A.
50 Rue de Londres
75008 Paris
France
Phone: 33 1 44 908 737
Fax: 33 1 45 227 554
Network Associates Hong Kong
19th Floor, Matheson Centre
3 Matheson Way
Causeway Bay
Hong Kong 63225
Phone: 852-2832-9525
Fax: 852-2832-9530
Network Associates Japan, Inc.
Toranomon 33 Mori Bldg.
3-8-21 Toranomon Minato-Ku
Tokyo 105-0001 Japan
Phone: 81 3 5408 0700
Fax: 81 3 5408 0780
Network Associates Deutschland GmbH
Ohmstraße 1
D-85716 Unterschleißheim
Deutschland
Phone: 49 (0)89/3707-0
Fax: 49 (0)89/3707-1199
Network Associates Srl
Centro Direzionale Summit
Palazzo D/1
Via Brescia, 28
20063 - Cernusco sul Naviglio (MI)
Italy
Phone: 39 02 92 65 01
Fax: 39 02 92 14 16 44
Network Associates Latin America
1200 S. Pine Island Road, Suite 375
Plantation, Florida 33324
United States
Phone: (954) 452-1731
Fax: (954) 236-8031
Network Associates de Mexico
Andres Bello No. 10, 4 Piso
4th Floor
Col. Polanco
Mexico City, Mexico D.F. 11560
Phone: (525) 282-9180
Fax: (525) 282-9183
Network Associates International B.V.
Gatwickstraat 25
1043 GL Amsterdam
The Netherlands
Phone: 31 20 586 6100
Fax: 31 20 586 6101
Network Associates Portugal
Av. da Liberdade, 114
1269-046 Lisboa
Portugal
Phone: 351 1 340 4543
Fax: 351 1 340 4575
Network Associates South East Asia
78 Shenton Way
#29-02
Singapore 079120
Phone: 65-222-7555
Fax: 65-220-7255
Network Associates Sweden
Datavägen 3A
Box 596
S-175 26 Järfälla
Sweden
Phone: 46 (0) 8 580 88 400
Fax: 46 (0) 8 580 88 405
Net Tools Network Associates South Africa
Bardev House, St. Andrews
Meadowbrook Lane
Epson Downs, P.O. Box 7062
Bryanston, Johannesburg
South Africa 2021
Phone: 27 11 706-1629
Fax: 27 11 706-1569
Network Associates Spain
Orense 4, 4ª Planta.
Edificio Trieste
28020 Madrid, Spain
Phone: 34 9141 88 500
Fax: 34 9155 61 404
Network Associates AG
Baeulerwisenstrasse 3
8152 Glattbrugg
Switzerland
Phone: 0041 1 808 99 66
Fax: 0041 1 808 99 77
Network Associates Taiwan
Suite 6, 11F, No. 188, Sec. 5
Nan King E. Rd.
Taipei, Taiwan, Republic of China
Phone: 886-2-27-474-8800
Fax: 886-2-27-635-5864
Network Associates International Ltd.
227 Bath Road
Slough, Berkshire
SL1 5PP
United Kingdom
Phone: 44 (0)1753 217 500
Fax: 44 (0)1753 217 520

1 About VirusScan Software

Introducing VirusScan anti-virus software

Eighty percent of the Fortune 100, and more than 50 million users worldwide, choose VirusScan anti-virus software to protect their computers from the staggering range of viruses and other malicious agents that has emerged in the last decade to invade corporate networks and cause havoc for business users. They do so because VirusScan software offers the most comprehensive desktop anti-virus security solution available, with features that spot viruses, block hostile ActiveX and Java objects, identify dangerous websites, stop infectious e-mail messages, and even root out “zombie” agents that assist in large-scale denial-of-service attacks from across the Internet. They do so also because they recognize how much value McAfee anti-virus research and development brings to their fight to maintain network integrity and service levels, ensure data security, and reduce ownership costs.
With more than 50,000 viruses and malicious agents now in circulation, the stakes in this battle have risen considerably. Viruses and worms now have capabilities that can cost an enterprise real money, not just in terms of lost productivity and cleanup costs, but in direct bottom-line reductions in revenue, as more businesses move into e-commerce and online sales, and as virus attacks proliferate.
VirusScan software first honed its technological edge as one of a handful of pioneering utilities developed to combat the earliest virus epidemics of the personal computer age. It has developed considerably in the intervening years to keep pace with each new subterfuge that virus writers have unleashed. As one of the first Internet-aware anti-virus applications, it maintains its value today as an indispensable business utility for the new electronic economy. Now, with this release, VirusScan software adds a whole new level of manageability and integration with other McAfee anti-virus tools.
Architectural improvements mean that each VirusScan component meshes closely with the others, sharing data and resources for better application response and fewer demands on your system. Full support for McAfee ePolicy Orchestrator management software means that network administrators can handle the details of component and task configuration, leaving you free to concentrate on your own work. A new incremental updating technology, meanwhile, means speedier and less bandwidth-intensive virus definition and scan engine downloads; now the protection you need to deal with the blindingly quick distribution rates of new-generation viruses can arrive faster than ever before. To learn more about these features, see “What’s new in this release?” on page 29.
The new release also adds multiplatform support for Windows 95, Windows 98, Windows NT Workstation v4.0, and Windows 2000 Professional, all in a single package with a single installer, but optimized to take advantage of the benefits each platform offers. Windows NT Workstation v4.0 and Windows 2000 Professional users, for example, can run VirusScan software with differing security levels that provide a range of enforcement options for system administrators. That way, corporate anti-virus policy implementation can vary from the relatively casual (where an administrator might lock down a few critical settings, for example) to the very strict, with predefined settings that users cannot change or disable at all.
At the same time, as the cornerstone product in the McAfee Active Virus Defense and Total Virus Defense security suites, VirusScan software retains the same core features that have made it the utility of choice for the corporate desktop. These include a virus detection rate second to none, powerful heuristic capabilities, Trojan horse program detection and removal, rapid-response updating with weekly virus definition (.DAT) file releases, daily beta .DAT releases, and EXTRA.DAT file support in crisis or outbreak situations. Because more than 300 new viruses or malicious software agents appear each month, McAfee backs its software with a worldwide reach and 24-hour “follow the sun” coverage from its Anti-Virus Emergency Response Team (AVERT).
Even with the rise of viruses and worms that use e-mail to spread, that flood e-mail servers, or that infect groupware products and file servers directly, the individual desktop remains the single largest source of infections, and is often the most vulnerable point of entry. VirusScan software acts as a tireless desktop sentry, guarding your system against more venerable virus threats and against the latest threats that lurk on websites, often without the site owner’s knowledge, or spread via e-mail, whether solicited or not.
In this environment, taking precautions to protect yourself from malicious software is no longer a luxury, but a necessity. Consider the extent to which you rely on the data on your computer and the time, trouble and money it would take to replace that data if it became corrupted or unusable because of a virus infection. Corporate anti-virus cleanup costs, by some estimates, topped $16 billion in 1999 alone. Balance the probability of infection—and your company’s share of the resulting costs—against the time and effort it takes to put a few common sense security measures in place, and you can quickly see the utility in protecting yourself.
Even if your own data is relatively unimportant to you, neglecting to guard against viruses might mean that your computer could play unwitting host to a virus that could spread to computers that your co-workers and colleagues use. Checking your hard disk periodically with VirusScan software significantly reduces your system’s vulnerability to infection and keeps you from losing time, money and data unnecessarily.

How does VirusScan software work?

VirusScan software combines the anti-virus industry’s most capable scan engine with top-notch interface enhancements that give you complete access to that engine’s power. The VirusScan graphical user interface unifies its specialized program components, but without sacrificing the flexibility you need to fit the software into your computing environment. The scan engine, meanwhile, combines the best features of technologies that McAfee and Dr Solomon researchers developed independently for more than a decade.

Fast, accurate virus detection

The foundation for that combination is the unique development environment that McAfee and Dr Solomon researchers constructed for the engine. That environment includes Virtran, a specialized programming language with a structure and “vocabulary” optimized for the particular requirements that virus detection and removal impose. Using specific library functions from this language, for instance, virus researchers can pinpoint those sections within a file, a boot sector, or a master boot record that viruses tend to infect, either because they can hide within them, or because they can hijack their execution routines. This way, the scanner avoids having to examine the entire file for virus code; it can instead sample the file at well-defined points to look for virus code signatures that indicate an infection.
The development environment brings as much speed to .DAT file construction as it does to scan engine routines. The environment provides tools researchers can use to write “generic” definitions that identify entire virus families, and that can easily detect the tens or hundreds of variants that make up the bulk of new virus sightings. Continual refinements to this technique have moved most of the hand-tooled virus definitions that used to reside in .DAT file updates directly into the scan engine as bundles of generic routines. Researchers can even employ a Virtran architectural feature to plug in new engine verbs that, when combined with existing engine functions, can add functionality needed to deal with new infection techniques, new variants, or other problems that emerging viruses now pose.
This results in blazingly quick enhancements to the engine’s detection capabilities and removes the need for continuous updates that target virus variants.

Encrypted polymorphic virus detection

Along with generic virus variant detection, the scan engine now incorporates a generic decryption engine, a set of routines that enables VirusScan software to track viruses that try to conceal themselves by encrypting and mutating their code signatures. These “polymorphic” viruses are notoriously difficult to detect, since they change their code signature each time they replicate.
This meant that the simple pattern-matching method that earlier scan engine incarnations used to find many viruses simply no longer worked, since no constant sequence of bytes existed to detect. To respond to this threat, McAfee researchers developed the PolyScan Decryption Engine, which locates and analyzes the algorithm that these types of viruses use to encrypt and decrypt themselves. It then runs this code through its paces in an emulated virtual machine in order to understand how the viruses mutate themselves. Once it does so, the engine can spot the “undisguised” nature of these viruses, and thereby detect them reliably no matter how they try to hide themselves.
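The decrypt-then-match idea described above, as an added Python example that is not McAfee code and does not reproduce the PolyScan engine: a toy scanner runs each sample's decryptor stub in a small interpreter with a step budget, then matches the signature against the decoded image. The three-operation instruction set, the sample layout, and the harmless marker string are all constructed assumptions.

```python
"""Toy model of signature scanning vs. emulate-then-scan (constructed data only)."""

# Constructed, harmless marker that stands in for a virus body's constant bytes.
SIGNATURE = b"HARMLESS-TEST-BODY-0001"

# Per-byte operations a toy decryptor stub may contain (hypothetical mini ISA).
OPS = {
    "xor": lambda b, k: b ^ k,
    "add": lambda b, k: (b + k) & 0xFF,
    "sub": lambda b, k: (b - k) & 0xFF,
}
INVERSE = {"xor": "xor", "add": "sub", "sub": "add"}


def make_variant(plain, stub):
    """Build a constructed test sample: the body is stored encoded so that
    running `stub` (a list of (op, key) pairs, in order) restores `plain`."""
    body = bytearray(plain)
    for op, key in reversed(stub):
        body = bytearray(OPS[INVERSE[op]](b, key) for b in body)
    return {"stub": list(stub), "body": bytes(body)}


def pattern_scan(sample):
    """Plain pattern matching on the bytes exactly as they are stored."""
    return SIGNATURE in sample["body"]


def emulate(sample, max_steps=100_000):
    """Run the sample's own stub over a private copy of its body.
    Returns the decoded memory image, or None if the stub uses an unknown
    operation or the step budget runs out (the scanner must never hang)."""
    memory = bytearray(sample["body"])
    steps = 0
    for op, key in sample["stub"]:
        if op not in OPS:
            return None
        for i, b in enumerate(memory):
            steps += 1
            if steps > max_steps:
                return None
            memory[i] = OPS[op](b, key)
    return bytes(memory)


def emulating_scan(sample, max_steps=100_000):
    """Match the signature against the emulated image, not the stored bytes."""
    image = emulate(sample, max_steps)
    return image is not None and SIGNATURE in image


# Three constructed "generations": same body, different decryptor each time.
BODY = SIGNATURE + b" payload"
VARIANTS = [
    make_variant(BODY, [("xor", 0x5A)]),
    make_variant(BODY, [("add", 0x11), ("xor", 0xC3)]),
    make_variant(BODY, [("sub", 0x7F), ("add", 0x02), ("xor", 0x3C)]),
]
CLEAN = make_variant(b"quarterly report, nothing to see", [("xor", 0x5A)])

if __name__ == "__main__":
    for n, v in enumerate(VARIANTS, 1):
        print(f"variant {n}: stored={v['body'][:8].hex()} "
              f"pattern={pattern_scan(v)} emulated={emulating_scan(v)}")
    print("clean sample flagged:", emulating_scan(CLEAN))
```
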

Double heuristics analysis

As a further engine enhancement, McAfee researchers have honed early heuristic scanning technologies, originally developed to detect the astonishing flood of macro virus variants that erupted after 1995, into a set of precision instruments. Heuristic scanning techniques rely on the engine’s experience with previous viruses to predict the likelihood that a suspicious file is an as-yet unidentified or unclassified new virus.
The scan engine now incorporates ViruLogic, a heuristic technique that can observe a program’s behavior and evaluate how closely it resembles either a macro virus or a file-infecting virus. ViruLogic looks for virus-like behaviors in program functions, such as covert file modifications, background calls or invocations of e-mail clients, and other methods that viruses can use to replicate themselves. When the number of these types of behaviors, or their inherent quality, reaches a predetermined threshold of tolerance, the engine fingers the program as a likely virus.
The engine also “triangulates” its evaluation by looking for program behavior that no virus would display (prompting for some types of user input, for example) in order to eliminate false positive detections. This double-heuristic combination of “positive” and “negative” techniques results in an unsurpassed detection rate with few, if any, costly misidentifications.
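A small model of the positive/negative scoring described above, added here as a Python example; it is not ViruLogic or any McAfee code. The behavior names, weights, threshold, and sample traces are constructed assumptions chosen to show how negative evidence removes false positives without losing detections.

```python
"""Toy double-heuristic scorer over constructed behavior traces."""
from collections import Counter

# Virus-like behaviors and their weight ("inherent quality"); all hypothetical.
POSITIVE = {
    "modifies_other_executables": 5,
    "writes_to_global_template": 4,
    "sends_mail_in_background": 3,
    "disables_macro_warning": 3,
    "hooks_auto_open": 2,
}
# Behaviors a self-replicating program would not normally show; hypothetical.
NEGATIVE = {
    "prompts_user_for_input": 4,
    "shows_file_dialog": 3,
}
THRESHOLD = 6    # score at or above this is reported as a likely virus
REPEAT_CAP = 2   # the same behavior counts at most twice


def score(trace, use_negative=True):
    """Weighted count of virus-like behaviors, minus evidence of normal use."""
    seen = Counter(trace)
    total = sum(w * min(seen[b], REPEAT_CAP) for b, w in POSITIVE.items())
    if use_negative:
        total -= sum(w * min(seen[b], REPEAT_CAP) for b, w in NEGATIVE.items())
    return total


def is_suspicious(trace, use_negative=True):
    return score(trace, use_negative) >= THRESHOLD


# Constructed corpus: (name, is_actually_malicious, observed behaviors).
CORPUS = [
    ("macro_virus", True,
     ["hooks_auto_open", "writes_to_global_template", "disables_macro_warning"]),
    ("mail_worm", True,
     ["sends_mail_in_background"] * 3 + ["modifies_other_executables"]),
    ("mail_merge_macro", False,
     ["hooks_auto_open", "prompts_user_for_input", "shows_file_dialog",
      "sends_mail_in_background", "sends_mail_in_background"]),
    ("patch_installer", False,
     ["prompts_user_for_input", "shows_file_dialog",
      "modifies_other_executables", "modifies_other_executables"]),
    ("template_editor", False,
     ["writes_to_global_template", "prompts_user_for_input"]),
]


def compare(corpus):
    """Detections and false positives with and without the negative pass."""
    report = {}
    for label, use_negative in (("positive_only", False), ("double", True)):
        report[label] = {
            "detected": sum(1 for _, bad, t in corpus
                            if bad and is_suspicious(t, use_negative)),
            "false_positives": [name for name, bad, t in corpus
                                if not bad and is_suspicious(t, use_negative)],
        }
    return report


if __name__ == "__main__":
    for name, _, trace in CORPUS:
        print(f"{name:18} positive-only={score(trace, False):3} double={score(trace):3}")
    print(compare(CORPUS))
```
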

Wide-spectrum coverage

As malicious agents have evolved to take advantage of the instant communication and pervasive reach of the Internet, so VirusScan software has evolved to counter the threats they present. A computer “virus” once meant a specific type of agent: one designed to replicate on its own and cause a limited type of havoc on the unlucky recipient’s computer. In recent years, however, an astounding range of malicious agents has emerged to assault personal computer users from nearly every conceivable angle. Many of these agents (some of the fastest-spreading worms, for instance) use updated versions of vintage techniques to infect systems, but many others make full use of the new opportunities that web-based scripting and application hosting present. Still others open back doors into desktop systems or create security holes in a way that closely resembles a deliberate attempt at network penetration, rather than the more random mayhem that most viruses tend to leave in their wakes.
The latest VirusScan software releases, as a consequence, do not simply wait for viruses to appear on your system; they scan proactively at the source or work to deflect hostile agents away from your system. The VShield scanner that comes with VirusScan software has three modules that concentrate on agents that arrive from the Internet, that spread via e-mail, or that lurk on Internet sites. It can look for particular Java and ActiveX objects that pose a threat, or block access to dangerous Internet sites. Meanwhile, an E-Mail Scan extension to Microsoft Exchange e-mail clients, such as Microsoft Outlook, can x-ray your mailbox on the server, looking for malicious agents before they arrive on your desktop.
VirusScan software even protects itself against attempts to use its own functionality against your computer. Some virus writers embed their viruses inside documents that, in turn, they embed in other files in an attempt to evade detection. Still others take this technique to an absurd extreme, constructing highly recursive (and very large) compressed archive files in an attempt to tie up the scanner as it digs through the file looking for infections. VirusScan software accurately scans the majority of popular compressed file and archive file formats, but it also includes logic that keeps it from getting trapped in an endless hunt for a virus chimera.
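One way a scanner can bound the work an archive is allowed to cost, added here as a Python example for ZIP files; it is not VirusScan's logic, which this guide does not describe. The limit values, function names, and the harmless marker string are assumptions, and the test archives are built in memory.

```python
"""Recursive ZIP scanning with depth, member-count and size budgets."""
import io
import zipfile

SIGNATURE = b"HARMLESS-TEST-BODY-0001"  # constructed, harmless marker


class LimitExceeded(Exception):
    """The archive would cost more than the scan budget allows."""


class Budget:
    def __init__(self, max_depth=4, max_members=200, max_total_bytes=1 << 20):
        self.max_depth = max_depth
        self.max_members = max_members
        self.max_total_bytes = max_total_bytes
        self.members_seen = 0
        self.bytes_used = 0

    def read_member(self, zf, info):
        """Inflate one member without trusting the size declared in its header."""
        self.members_seen += 1
        if self.members_seen > self.max_members:
            raise LimitExceeded("too many archive members")
        remaining = self.max_total_bytes - self.bytes_used
        with zf.open(info) as fh:
            data = fh.read(remaining + 1)  # stop one byte past the budget
        if len(data) > remaining:
            raise LimitExceeded("uncompressed size budget exhausted")
        self.bytes_used += len(data)
        return data


def _scan(data, depth, budget, path):
    if SIGNATURE in data:
        return path
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    if depth >= budget.max_depth:
        raise LimitExceeded(f"nesting deeper than {budget.max_depth} at {path}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            inner = budget.read_member(zf, info)
            hit = _scan(inner, depth + 1, budget, f"{path}/{info.filename}")
            if hit:
                return hit
    return None


def scan_archive(data, name="sample", **limits):
    """Return (status, detail). 'limit_exceeded' and 'unscannable' mean the
    file was not fully examined and must not be reported as clean."""
    budget = Budget(**limits)
    try:
        hit = _scan(data, 0, budget, name)
    except LimitExceeded as exc:
        return ("limit_exceeded", str(exc))
    except (zipfile.BadZipFile, RuntimeError) as exc:  # corrupt or encrypted
        return ("unscannable", str(exc))
    return ("infected", hit) if hit else ("clean", None)


def build_nested_zip(depth, payload):
    """Constructed test input: wrap `payload` in `depth` layers of ZIP."""
    data, name = payload, "doc.txt"
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


if __name__ == "__main__":
    marked = b"filler text " * 40 + SIGNATURE
    print(scan_archive(build_nested_zip(3, marked)))
    print(scan_archive(build_nested_zip(12, marked)))
    print(scan_archive(build_nested_zip(1, b"\0" * (5 << 20))))
```
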

What comes with VirusScan software?

VirusScan software consists of several components that combine one or more related programs, each of which plays a part in defending your computer against viruses and other malicious software. The components are:
• The VirusScan application. This component gives you unmatched control over your scanning operations. You can configure and start a scan operation at any time (a feature known as “on-demand” scanning), specify local and network disks as scan targets, tell the application how to respond to any infections it finds, and see reports on its actions. You can start with the VirusScan Classic window, a basic configuration mode, then move to the VirusScan Advanced mode for maximum flexibility. A related Windows shell extension lets you right-click any object on your system to scan it.
• The VirusScan Console. This component allows you to create, configure and run VirusScan tasks at times you specify. A “task” can include anything from running a scan operation on a set of disks at a specific time or interval, to running an update or upgrade operation. You can also enable or disable the VShield scanner from the Console window.
The Console comes with a preset list of tasks that ensures a minimal level of protection for your system. You can, for example, immediately scan and clean your C: drive or all disks on your computer.
• The VShield scanner. This component gives you continuous anti-virus protection from viruses that arrive on floppy disks, from your network, or from various sources on the Internet. The VShield scanner starts when you start your computer, and stays in memory until you shut down. A flexible set of property pages lets you tell the scanner which parts of your system to examine, what to look for, which parts to leave alone, and how to respond to any infected files it finds. In addition, the scanner can alert you when it finds a virus, and can generate reports that summarize each of its actions.
The VShield scanner comes with three other specialized modules that guard against hostile Java applets and ActiveX controls, that scan e-mail messages and attachments that you receive from the Internet via Lotus cc:Mail, Microsoft Mail or other mail clients that comply with Microsoft’s Messaging Application Programming Interface (MAPI) standard, and that block access to dangerous Internet sites. Secure password protection for your configuration options prevents others from making unauthorized changes. The same convenient dialog box controls configuration options for all VShield modules.
• The E-Mail Scan extension. This component allows you to scan your Microsoft Exchange or Outlook mailbox, or public folders to which you have access, directly on the server. This invaluable “x-ray” peek into your mailbox means that VirusScan software can find potential infections before they make their way to your desktop, which can stop a Melissa-like virus in its tracks.
• A cc:Mail scanner. This component includes technology optimized for scanning Lotus cc:Mail mailboxes that do not use the MAPI standard. Install and use this component if your workgroup or network uses cc:Mail v7.x or earlier.
• The Alert Manager Client configuration utility. This component lets you choose a destination for Alert Manager “events” that VirusScan software generates when it detects a virus or takes other noteworthy actions. You can also specify a destination directory for older-style Centralized Alerting messages, or supplement either method with Desktop Management Interface (DMI) alerts sent via your DMI client software.
• The ScreenScan utility. This optional component scans your computer as your screen saver runs during idle periods.
• The SendVirus utility. This component gives you an easy and painless way to submit files that you believe are infected directly to McAfee anti-virus researchers. A simple wizard guides you as you choose files to submit, include contact details and, if you prefer, strip out any personal or confidential data from document files.
• The Emergency Disk creation utility. This essential utility helps you to create a floppy disk that you can use to boot your computer into a virus-free environment, then scan essential system areas to remove any viruses that could load at startup.
• Command-line scanners. This component consists of a set of full-featured scanners you can use to run targeted scan operations from the MS-DOS Prompt or Command Prompt windows, or from protected MS-DOS mode. The set includes:
  • SCAN.EXE, a scanner for 32-bit environments only. This is the primary command-line interface. When you run this file, it first checks its environment to see whether it can run by itself. If your computer is running in 16-bit or protected mode, it will transfer control to one of the other scanners.
  • SCANPM.EXE, a scanner for 16- and 32-bit environments. This scanner provides you with a full set of scanning options for 16- and 32-bit protected-mode DOS environments. It also includes support for extended memory and flexible memory allocations. SCAN.EXE will transfer control to this scanner when its specialized capabilities can enable your scan operation to run more efficiently.
  • SCAN86.EXE, a scanner for 16-bit environments only. This scanner includes a limited set of capabilities geared to 16-bit environments. SCAN.EXE will transfer control to this scanner if your computer is running in 16-bit mode, but without special memory configurations.
  • BOOTSCAN.EXE, a smaller, specialized scanner for use primarily with the Emergency Disk utility. This scanner ordinarily runs from a floppy disk you create to provide you with a virus-free boot environment.
When you run the Emergency Disk creation wizard, VirusScan software copies BOOTSCAN.EXE, and a specialized set of .DAT files to a single floppy disk. BOOTSCAN.EXE will not detect or clean macro viruses, but it will detect or clean other viruses that can jeopardize your VirusScan software installation or infect files at system startup. Once you identify and respond to those viruses, you can safely run VirusScan software to clean the rest of your system.
All of the command-line scanners allow you to initiate targeted scan operations from an MS-DOS Prompt or Command Prompt window, or from protected MS-DOS mode. Ordinarily, you’ll use the VirusScan application’s graphical user interface (GUI) to perform most scanning operations, but if you have trouble starting Windows or if the VirusScan GUI components will not run in your environment, you can use the command-line scanners as a backup.
• Documentation. VirusScan software documentation includes:
  • A printed Getting Started Guide, which introduces the product, provides installation instructions, outlines how to respond if you suspect your computer has a virus, and provides a brief product overview. The printed Getting Started Guide comes with the VirusScan software copies distributed on CD-ROM discs. You can also download it as VSC45WGS.PDF from the Network Associates website or from other electronic services.
  • This user’s guide saved on the VirusScan software CD-ROM or installed on your hard disk in Adobe Acrobat .PDF format. You can also download it as VSC45WUG.PDF from the Network Associates website or from other electronic services. The VirusScan User’s Guide describes in detail how to use VirusScan and includes other information useful as background or as advanced configuration options. Acrobat .PDF files are flexible online documents that contain hyperlinks, outlines and other aids for easy navigation and information retrieval.
  • An administrator’s guide saved on the VirusScan software CD-ROM or installed on your hard disk in Adobe Acrobat .PDF format. You can also download it as VSC45WAG.PDF from the Network Associates website or from other electronic services. The VirusScan Administrator’s Guide describes in detail how to manage and configure VirusScan software from a local or remote desktop.
  • An online help file. This file gives you quick access to a full range of topics that describe VirusScan software. You can open this file either by choosing Help Topics from the Help menu in the VirusScan main window, or by clicking any of the Help buttons displayed in VirusScan dialog boxes.
The help file also includes extensive context-sensitive—or “What's This”—help. To see these help topics, right-click buttons, lists, icons, some text boxes, and other elements that you see within dialog boxes. You can also click the ? symbol at the top-right corner in most dialog boxes, then click the element you want to see described to display the relevant topic. The dialog boxes with Help buttons open the help file to the specific topic that describes the entire dialog box.
A LICENSE.TXT file. This file outlines the terms of your license to use VirusScan software. Read it carefully; by installing VirusScan software you agree to its terms.
A README.TXT file. This file contains last-minute additions or changes to the documentation, lists any known behavior or other issues with the product release, and often describes new product features incorporated into incremental product updates. You'll find the README.TXT file at the root level of your VirusScan software CD-ROM or in the VirusScan software program folder. You can open and print it from Windows Notepad, or from nearly any word-processing software.

What's new in this release?

This VirusScan release introduces a number of innovative new features to the product's core functionality, to its range of coverage, and to the details of its application architecture. A previous section, “How does VirusScan software work?” on page 23, discusses many of these features. The single most significant change between previous VirusScan versions and this release, however, is the integration of two separate VirusScan versions optimized to run on separate Windows platforms into a single product that runs on both. This single product also takes full advantage of each platform's strengths.
The next sections discuss other changes that this VirusScan release introduces.

Installation and distribution features

McAfee anti-virus products, including VirusScan software, now use the Microsoft Windows Installer (MSI), which comes with all Windows 2000 Professional systems. This Setup utility offers a wealth of custom installation and configuration features that make VirusScan software rollout across large organizations much easier and more intuitive. To learn more about how to run custom Setup operations with MSI, see Chapter 2, “Installing VirusScan Software,” in the VirusScan Administrator's Guide.
This VirusScan version also comes with complete support for the McAfee ePolicy Orchestrator software distribution tool. A specially packaged VirusScan version ships with the ePolicy Orchestrator software, ready for enterprise-wide distribution. You can distribute VirusScan software, configure it from the ePolicy Orchestrator console, update that configuration and any program or .DAT files at any time, and schedule scan operations, all for your entire network user base. To learn more about using ePolicy Orchestrator software for VirusScan distribution and configuration, consult the ePolicy Orchestrator Administrator's Guide.
This VirusScan version also includes package description information for other distribution tools, including Microsoft System Management Server and Tivoli Systems software management products.

Interface enhancements

This release moves the VirusScan interface for all supported platforms solidly into the territory VirusScan for Windows 95 and Windows 98 pioneered with its v4.0.1 release. This adds extensive VShield scanner configuration options for the Windows NT Workstation v4.0 and Windows 2000 Professional platforms, while reducing the complexity of some previous configuration options. Alert Manager server configuration, for example, moves entirely over to the NetShield product line—VirusScan software now acts strictly as a configurable client application.
This release also adds a new VirusScan control panel, which functions as a central point from which you can enable and disable all VirusScan components. This control panel also lets you set a ceiling for the number of items you can scan in or exclude from a single operation, and lets you set the VShield scanner and VirusScan control panel to run at startup. Other changes include:
New VShield system tray icon states tell you more about which VShield modules are active. These states are:
All VShield modules are active
The System Scan module is active, but one or more of the other VShield modules is inactive
The System Scan module is inactive, but one or more of the other VShield modules is active
All VShield modules are inactive
New interface settings for task configuration allow you to tell the VirusScan application how you want it to appear as your scheduled task runs and what you want it to do when it finishes. You can also set a password to protect individual task settings from changes, or to protect an entire task configuration at once.
An updated randomization feature for scheduled tasks allows you to set a time for the task to run, then set a randomization “window.” The VirusScan Console then picks a random time within the window to actually start the task.
System Scan module action options now include a new Prompt Type configuration option for Windows 95 and Windows 98 systems. This option lets you determine how the Prompt for user action alert appears.