* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, CNX,
Compass 7, CyberCop, CyberMedia, Data Security Letter, Discover, Distributed Sniffer System, Dr
Solomon’s, Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT, GroupShield, HelpDesk,
Hunter, ISDN Tel/Scope, LM 1, LANGuru, Leading Help Desk Technology, Magic Solutions, MagicSpy,
MagicTree, Magic University, MagicWin, MagicWord, McAfee, McAfee Associates, MoneyMagic, More
Power To You, Multimedia Cloaking, NetCrypto, NetOctopus, NetRoom, NetScan, Net Shield, NetShield,
NetStalker, Net Tools, Network Associates, Network General, Network Uptime!, NetXRay, Nuts & Bolts,
PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty
Good Privacy, PrimeSupport, RecoverKey, RecoverKey-International, ReportMagic, RingFence, Router
PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, Site Meter, Sniffer,
SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR), SupportMagic, Switch PM,
TeleSniffer, TIS, TMach, TMeg, Total Network Security, Total Network Visibility, Total Service Desk,
Total Virus Defense, T-POD, Trusted Mach, Trusted Mail, Uninstaller, Virex, Virex-PC, Virus Forum,
ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker, WebWall, and ZAC 2000
are registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All
other registered and unregistered trademarks in this document are the sole property of their respective
owners.
LICENSE AGREEMENT
NOTICE TO ALL USERS: CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT
("AGREEMENT"), FOR THE LICENSE OF SPECIFIED SOFTWARE ("SOFTWARE") BY
NETWORK ASSOCIATES, INC. ("McAfee"). BY CLICKING THE ACCEPT BUTTON OR
INSTALLING THE SOFTWARE, YOU (EITHER AN INDIVIDUAL OR A SINGLE ENTITY)
CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT. IF YOU DO
NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE BUTTON THAT
INDICATES THAT YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT AND DO NOT
INSTALL THE SOFTWARE. (IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE
PLACE OF PURCHASE FOR A FULL REFUND.)
1. License Grant. Subject to the payment of the applicable license fees, and subject to the terms and
conditions of this Agreement, McAfee hereby grants to you a non-exclusive, non-transferable right
to use one copy of the specified version of the Software and the accompanying documentation (the
"Documentation"). You may install one copy of the Software on one computer, workstation,
personal digital assistant, pager, "smart phone" or other electronic device for which the Software
was designed (each, a "Client Device"). If the Software is licensed as a suite or bundle with more
than one specified Software product, this license applies to all such specified Software products,
subject to any restrictions or usage terms specified on the applicable price list or product packaging
that apply to any of such Software products individually.
Issued July 2000/McAfee VirusScan v5.1 Anti-Virus Software
“The world changed [on March 26, 1999]— does anyone doubt that? The world
is different. Melissa proved that ... and we are very fortunate ... the world
could have gone very close to meltdown.”
—Padgett Peterson, Chief Info Security Architect, Lockheed Martin Corporation,
on the 1999 “Melissa” virus epidemic
By the end of the 1990s, many information technology professionals had
begun to recognize that they could not easily separate how they needed to
respond to new virus threats from how they already dealt with deliberate
network security breaches. Dorothy Denning, co-editor of the 1998 computer
security handbook Internet Besieged: Countering Cyberspace Scofflaws, explicitly
grouped anti-virus security measures in with other network security
measures, classifying them as a defense against malicious “injected code.”
Denning justified her inclusive grouping by appealing to her definition of
information security as “the effective use of safeguards to protect the
confidentiality, integrity, authenticity, availability, and non-repudiation of
information and information processing systems.” Virus payloads had always
threatened or damaged data integrity, but by the time she wrote her survey
article, newer viruses had already begun to mount sophisticated attacks that
struck at the remaining underpinnings of information security. Denning’s
classification recognized that newer viruses no longer merely annoyed system
administrators or posed a relatively low-grade threat; they had in fact
graduated to become a serious hazard.
Though not targeted with as much precision as an unauthorized network
intrusion, virus attacks had begun to take on the color of deliberate
information warfare. Consider these examples, many of which introduced
quickly-copied innovations to the virus writer’s repertoire:
• W32/CIH.Spacefiller destroyed the flash BIOS in workstations it infected,
effectively preventing them from booting. It also overwrote parts of the
infected hard disk with garbage data.
• XM/Compat.A rewrote the data inside Microsoft Excel spreadsheet files. It
used advanced polymorphic concealment techniques, which meant that
with each infection it changed the signature bytes that would otherwise
betray its presence to anti-virus scanners.
Administrator’s Guide
Preface
• W32/Ska, though technically a worm, replaced the infected computer’s
WinSock file so that it could attach itself to outgoing Simple Mail Transfer
Protocol (SMTP) messages and postings to USENET news groups. This
strategy made it commonplace in many areas.
• Remote Explorer stole the security privileges of a Windows NT domain
administrator and used them to install itself as a Windows NT Service. It
also deposited copies of itself in the Windows NT driver directory and
carried with it a supporting Dynamic Link Library (.DLL) file that allowed
it to randomly encrypt data files. Because it appeared almost exclusively at
one corporate site, security experts speculated that it was a deliberate,
targeted attack on the unfortunate company’s network integrity.
• Back Orifice, the product of a group calling itself the Cult of the Dead Cow,
purported to give the owner of the client portion of the Back Orifice
application complete remote access to any Windows 95 or Windows 98
workstation that runs the concealed companion server. That access—from
anywhere on the Internet—allowed the client to capture keystrokes; open,
copy, delete, or run files; transmit screen captures; and restart, crash, or
shut down the infected computer. To add insult to injury, early Back
Orifice releases on CD-ROM carried a W32/CIH.Spacefiller infection.
Throughout much of 1999, virus and worm attacks suddenly stepped up in
intensity and in the public eye. Part of the reason for this, of course, is that
many of the more notorious viruses and worms took full advantage of the
Internet, beginning a long-predicted assault by flooding e-mail transmissions,
websites, newsgroups and other available channels at an almost exponential
rate of growth. They now bullied their way into network environments,
spreading quickly and leaving a costly trail of havoc behind them.
W97M/Melissa, the “Melissa” virus, jolted most corporate information
technology departments out of whatever remaining complacency they had
held onto in the face of the newer virus strains. Melissa brought corporate
e-mail servers down across the United States and elsewhere when it struck in
March 1999. Melissa instructed e-mail client programs to send out infected
e-mail messages to the first 50 entries in each target computer’s address book.
This transformed a simple macro virus infection with no real payload into an
effective denial-of-service attack on mail servers.
Melissa’s other principal innovation was its direct attempt to play on end-user
psychology: it forged an e-mail message from a sender the recipient knew, and
sent it with a subject line that urged that recipient to open both the message
and the attached file. In this way, Melissa almost made the need for viral code
to spread itself obsolete—end users themselves cooperated in its propagation,
and their own computers blindly participated.
A rash of Melissa variants and copycats appeared soon after. Some, such as
W97M/Prilissa, included destructive payloads. Later the same year, a number
of new viruses and worms either demonstrated novel or unexpected ways to
get into networks and compromise information security, or actually
perpetrated attacks. Examples included:
• W32/ExploreZip.worm and its variants, which used some of Melissa’s
techniques to spread, initially through e-mail. After it successfully infected
a host machine, ExploreZip searched for unsecured network shares and
quietly copied itself throughout a network. It carried a destructive payload
that erased various Windows system files and Microsoft Office documents,
replacing them with unrecoverable zero-byte-length files.
• W32/Pretty.worm, which did Melissa one better by sending itself to every
entry in the infected computer’s MAPI address book. It also connected to
an Internet Relay Chat (IRC) server, joined a particular IRC channel, then
opened a path to receive commands via the IRC connection. This
potentially allowed those on the channel to siphon information from the
infected computer, including the computer name and owner’s name, his or
her dial-up networking user name and password, and the path to the
system root directory.
• W32/FunLove.4099, which infected ActiveX .OCX files, among others.
This meant that it could lurk on web pages with ActiveX content, and infect
systems with low or nonexistent browser security settings as they
downloaded pages to their hard disks. If a Windows NT computer user
had logged into a system with administrative rights, the infecting virus
would patch two critical system files that gave all users on the network
—including the virus—administrative rights to all files on the target
computer. It spread further within the network by attaching itself to files
with the extensions .SCR, .OCX, and .EXE.
• VBS/Bubbleboy, a proof-of-concept demonstration that showed that a
virus could infect target computers directly from e-mail messages
themselves, without needing to propagate through message attachments.
It effectively circumvented desktop anti-virus protection altogether, at
least initially. Its combination of HTML and VBScript exploited existing
vulnerabilities in Internet-enabled mail systems; its author played upon the
same end-user psychology that made Melissa successful.
The other remarkable development in the year was the degree to which virus
writers copied, fused, and extended each others’ techniques. This
cross-pollination had always occurred previously, but the speed at which it took
place and the increasing sophistication of the tools and techniques that became
available during this period prepared very fertile ground for a nervously
awaited bumper crop of intricate viruses.
Information security as a business necessity
Coincidentally or not, these darkly inventive new virus attacks and speedy
propagation methods appeared as more businesses made the transition to
Internet-based information systems and electronic commerce operations. The
convenience and efficiency that the Internet brought to business saved money
and increased profits. This probably also made these same businesses
attractive targets for pranksters, the hacker underground, and those intent on
striking at their favored targets.
Previously, the chief costs from a virus attack were the time and money it took
to combat an infection and restore computer systems to working order. To
those costs the new types of virus attacks now added the costs of lost
productivity, network and server downtime, service denials for e-mail and
other critical business tools, exposure—and perhaps widespread distribution
—of confidential information, and other ills.
Ultimately, the qualifying differences between a hacker-directed security
breach in a network and a security breach that results from a virus attack
might become merely ones of intent and method, not results. Already new
attacks have shaken the foundations of Net-enabled businesses, many of
which require 24-hour availability for networks and e-mail, high data
integrity, confidential customer lists, secure credit card data and purchase
verification, reliable communications, and hundreds of other computer-aided
transactional details. The costs from these virus attacks in the digital economy
now cut directly into the bottom line.
Because they do, protecting that bottom line means implementing a total
solution for information and network security—one that includes
comprehensive anti-virus protection. It’s not enough to rely only on
desktop-based anti-virus protection, or on haphazard or ad hoc security
measures. The best defense requires sealing all potential points by which
viruses can enter or attack your network, from the firewall and gateway down
to the individual workstation, and keeping the anti-virus sentries at those
points updated and current.
Part of the solution is deploying the McAfee Active Virus Defense* software
suite, which provides a comprehensive, multi-platform series of defensive
perimeters for your network. You can also build on that security with the
McAfee Active Security suite, which allows you to monitor your network
against intrusions, watch actual network packet traffic, and encrypt e-mail
and network transmissions. But even with anti-virus and security software
installed, new and previously unidentified viruses will inevitably find their
way into your network. That’s where the other part of the equation comes in:
a thorough, easy-to-follow anti-virus security policy and set of practices for
your enterprise—in the last analysis, only that can help to stop a virus attack
before it becomes a virus epidemic.
Active Virus Defense security perimeters
The McAfee Active Virus Defense product suite exists for one simple reason:
there is no such thing as too much anti-virus protection for the modern,
automated enterprise. Although at first glance it might seem needlessly
redundant to protect all of your desktop computers, file and network
servers, gateways, e-mail servers and firewalls, each of these network nodes
serves a different function in your network, and has different duties. An
anti-virus scanner designed to keep a production workstation virus-free, for
example, can’t intercept viruses that flood e-mail servers and effectively deny
their services. Nor would you want to make a file server responsible for
continuously scanning its client workstations—the cost in network bandwidth
would be too high.
More to the point, each node’s specialized functions mean that viruses infect
them in different ways that, in turn, call for optimized anti-virus solutions.
Viruses and other malicious code can enter your network from a variety of
sources—floppy disks and CD-ROMs, e-mail attachments, downloaded files,
and Internet sites, for example. These unpredictable points of entry mean that
infecting agents can slip through the chinks in incomplete anti-virus armor.
Desktop workstations, for example, can spread viruses by any of a variety of
means—via floppy disks, by downloading them from the Internet, by
mapping server shares or other workstations’ hard disks. E-mail servers, by
contrast, rarely use floppy disks and tend not to use mapped drives—the
Melissa virus showed, however, that they are quite vulnerable to e-mail–borne
infections, even if they don’t execute the virus code themselves.
At the desktop: VirusScan software
The McAfee Active Virus Defense product suite matches each
point of vulnerability with a specialized, and optimized, anti-virus
application. At the desktop level, the cornerstone of the suite is the VirusScan
anti-virus product. VirusScan software protects some of your most vulnerable
virus entry points with an interlocking set of scanners, utilities, and support
files that allow it to cover:
• Local hard disks, floppy disks, CD-ROMs, and other removable media. The
VShield scanner resides in memory, waiting for local file access of any sort.
As soon as one of your network users opens, runs, copies, saves, renames,
or sets attributes for any file on their system—even from mapped network
drives—the VShield scanner examines it for infections.
You can supplement this continuous protection with scan operations you
configure and schedule for your own needs. Comprehensive security
options let you protect individual settings with a password, or run the
entire application in secure mode to lock out all unauthorized access.
• System memory, boot sectors, and master boot records. You can configure
regularly scheduled scan operations that examine these favorite virus
hideouts, or set up periodic operations whenever a threat seems likely.
• Microsoft Exchange mailboxes. VirusScan software includes a specialized
E-Mail Scan extension that assumes your network user’s Microsoft
Exchange or Outlook identity to scan his or her mailbox directly—before
viruses get downloaded to the local workstation. This can prevent some
Melissa-style infections and avoid infections from the next generation of
VBS/Bubbleboy descendants.
• Internet mail and file downloads. The VShield scanner includes two
modules that specialize in intercepting SMTP and POP3 e-mail messages,
and that can examine files your network users download from Internet
sites. The E-Mail Scan and Download Scan modules work together to scan
the stream of file traffic that most workstations generate and receive daily.
• Hostile code. The Olympus scan engine at the heart of VirusScan software
routinely looks for suspicious script code, macro code, known Trojan horse
programs—even virus jokes or hoaxes. With the help of the VShield
Internet Filter module, it also blocks hostile ActiveX and Java objects, many
of which can lurk unnoticed on websites, waiting to deploy sophisticated
virus-like payloads. The Internet Filter module can even block entire
websites, preventing network users from visiting sites that pose a threat to
network integrity.
VirusScan software ties these powerful scanning capabilities together with a
set of alerting and management tools. These include:
• Alert Manager client configuration. VirusScan software includes a client
configuration utility you can use to have it pass alert messages directly to
Alert Manager servers on your network, to a Centralized Alerting share, or
to a Desktop Management Interface administrative application. Other alert
methods include local custom messages and beeps, detection alerts and
response options, and e-mail alert messages.
• Integration with McAfee ePolicy Orchestrator management software.
Centralized anti-virus management takes a quantum leap forward with this
highly scalable management tool. VirusScan software ships with a plug-in
library file that works with the ePolicy Orchestrator server to enforce
enterprise-wide network security policies.
You can use ePolicy Orchestrator to configure, update, distribute and
manage VirusScan installations at the group, workstation or user level.
Schedule and run scan tasks, change configurations, update .DAT and
engine files—all from a central console.
Taken together, the Active Virus Defense suite forms a tight series of anti-virus
security perimeters around your network that protect you against both
external and internal sources of infection. Those perimeters, correctly
configured and implemented in conjunction with a clear enterprise-wide
anti-virus security policy, do indeed offer useful redundancy, but their chief
benefit lies in their ability to stop viruses as they enter your network, without
your having to await a tardy or accidental discovery. Early detection contains
infections, saves on the costs of virus eradication, and in many cases can
prevent a destructive virus payload from triggering.
McAfee anti-virus research
Even the best anti-virus software is only as good as its latest update. Because
as many as 200 to 300 viruses and variants appear each month, the .DAT files
that enable McAfee software to detect and remove viruses can get
quickly outdated. If you have not updated the files that originally came with
your software, you could risk infection from newly emerging viruses. McAfee
has, however, assembled the world’s largest and most experienced anti-virus
research staff in its Anti-Virus Emergency Response Team (AVERT)*. This
premier anti-virus research organization has a worldwide reach and a
“follow the sun” coverage policy that ensures that you get the files you need
to combat new viruses as soon as—and often before—you need them. You can
take advantage of many of the direct products of this research by visiting the
AVERT research site on the Network Associates website:
Contact your McAfee representative, or visit the McAfee website, to find out
how to enlist the power of the Active Virus Defense security solution on your
side:
http://www.mcafeeb2b.com/
1 About VirusScan Software
Introducing VirusScan anti-virus software
Eighty percent of the Fortune 100—and more than 50 million users
worldwide—choose VirusScan anti-virus software to protect their computers
from the staggering range of viruses and other malicious agents that has
emerged in the last decade to invade corporate networks and cause havoc for
business users. They do so because VirusScan software offers the most
comprehensive desktop anti-virus security solution available, with features
that spot viruses, block hostile ActiveX and Java objects, identify dangerous
websites, stop infectious e-mail messages—and even root out “zombie” agents
that assist in large-scale denial-of-service attacks from across the Internet.
They do so also because they recognize how much value McAfee’s
anti-virus research and development brings to their fight to maintain network
integrity and service levels, ensure data security, and reduce ownership costs.
With more than 50,000 viruses and malicious agents now in circulation, the
stakes in this battle have risen considerably. Viruses and worms now have
capabilities that can cost an enterprise real money, not just in terms of lost
productivity and cleanup costs, but in direct bottom-line reductions in
revenue, as more businesses move into e-commerce and online sales, and as
virus attacks proliferate.
VirusScan software first honed its technological edge as one of a handful of
pioneering utilities developed to combat the earliest virus epidemics of the
personal computer age. It has developed considerably in the intervening years
to keep pace with each new subterfuge that virus writers have unleashed. As
one of the first Internet-aware anti-virus applications, it maintains its value
today as an indispensable business utility for the new electronic economy.
Now, with this release, VirusScan software adds a whole new level of
manageability and integration with other McAfee anti-virus tools.
Architectural improvements mean that each VirusScan component meshes
closely with the others, sharing data and resources for better application
response and fewer demands on your system. Full support for Network
Associates ePolicy Orchestrator management software means that network
administrators can handle the details of component and task configuration,
leaving you free to concentrate on your own work. A new incremental
updating technology, meanwhile, means speedier and less
bandwidth-intensive virus definition and scan engine downloads—now the
protection you need to deal with the blindingly quick distribution rates of
new-generation viruses can arrive faster than ever before. To learn more about
these features, see “What’s new in this release?” on page 24.
The new release also adds multiplatform support for Windows 95, Windows
98, Windows ME, Windows NT Workstation v4.0, and Windows 2000
Professional, all in a single package with a single installer, but optimized to
take advantage of the benefits each platform offers. Windows NT Workstation
v4.0 and Windows 2000 Professional users, for example, can run VirusScan
software with differing security levels that provide a range of enforcement
options for system administrators. That way, corporate anti-virus policy
implementation can vary from the relatively casual—where an administrator
might lock down a few critical settings, for example—to the very strict, with
predefined settings that users cannot change or disable at all.
At the same time, as the cornerstone product in the McAfee Active Virus
Defense and Total Virus Defense security suites, VirusScan software retains
the same core features that have made it the utility of choice for the
corporate desktop. These include a virus detection rate second to none,
powerful heuristic capabilities, Trojan horse program detection and removal,
rapid-response updating with weekly virus definition (.DAT) file releases,
daily beta .DAT releases, and EXTRA.DAT file support in crisis or outbreak
situations. Because more than 300 new viruses or malicious software agents
appear each month, McAfee backs its software with a worldwide reach and
24-hour “follow the sun” coverage from its Anti-Virus Emergency Response
Team (AVERT).
Even with the rise of viruses and worms that use e-mail to spread, that flood
e-mail servers, or that infect groupware products and file servers directly, the
individual desktop remains the single largest source of infections, and is often
the most vulnerable point of entry. VirusScan software acts as a tireless
desktop sentry, guarding your system against more venerable virus threats
and against the latest threats that lurk on websites, often without the site
owner’s knowledge, or spread via e-mail, whether solicited or not.
In this environment, taking precautions to protect yourself from malicious
software is no longer a luxury, but a necessity. Consider the extent to which
you rely on the data on your computer and the time, trouble and money it
would take to replace that data if it became corrupted or unusable because of
a virus infection. Corporate anti-virus cleanup costs, by some estimates,
topped $16 billion in 1999 alone. Balance the probability of infection—and
your company’s share of the resulting costs—against the time and effort it
takes to put a few common sense security measures in place, and you can
quickly see the utility in protecting yourself.
Even if your own data is relatively unimportant to you, neglecting to guard
against viruses might mean that your computer could play unwitting host to
a virus that could spread to computers that your co-workers and colleagues
use. Checking your hard disk periodically with VirusScan software
significantly reduces your system’s vulnerability to infection and keeps you
from losing time, money and data unnecessarily.
How does VirusScan software work?
VirusScan software combines the anti-virus industry’s most capable scan
engine with top-notch interface enhancements that give you complete access
to that engine’s power. The VirusScan graphical user interface unifies its
specialized program components, but without sacrificing the flexibility you
need to fit the software into your computing environment. The scan engine,
meanwhile, combines the best features of technologies that McAfee
researchers developed independently for more than a decade.
Fast, accurate virus detection
The foundation for that combination is the unique development environment
that McAfee researchers constructed for the engine. That
environment includes Virtran, a specialized programming language with a
structure and “vocabulary” optimized for the particular requirements that
virus detection and removal impose. Using specific library functions from this
language, for instance, virus researchers can pinpoint those sections within a
file, a boot sector, or a master boot record that viruses tend to infect, either
because they can hide within them, or because they can hijack their execution
routines. This way, the scanner avoids having to examine the entire file for
virus code; it can instead sample the file at well-defined points to look for virus
code signatures that indicate an infection.
The development environment brings as much speed to .DAT file construction
as it does to scan engine routines. The environment provides tools researchers
can use to write “generic” definitions that identify entire virus families, and
that can easily detect the tens or hundreds of variants that make up the bulk of
new virus sightings. Continual refinements to this technique have moved
most of the hand-tooled virus definitions that used to reside in .DAT file
updates directly into the scan engine as bundles of generic routines.
Researchers can even employ a Virtran architectural feature to plug in new
engine “verbs” that, when combined with existing engine functions, can add
functionality needed to deal with new infection techniques, new variants, or
other problems that emerging viruses now pose.
This results in blazingly quick enhancements to the engine’s detection
capabilities and removes the need for continuous updates that target virus
variants.
Encrypted polymorphic virus detection
Along with generic virus variant detection, the scan engine now incorporates
a generic decryption engine, a set of routines that enables VirusScan software
to track viruses that try to conceal themselves by encrypting and mutating
their code signatures. These “polymorphic” viruses are notoriously difficult to
detect, since they change their code signature each time they replicate.
This meant that the simple pattern-matching method that earlier scan engine
incarnations used to find many viruses simply no longer worked, since no
constant sequence of bytes existed to detect. To respond to this threat, McAfee
researchers developed the PolyScan Decryption Engine, which
locates and analyzes the algorithm that these types of viruses use to encrypt
and decrypt themselves. It then runs this code through its paces in an
emulated virtual machine in order to understand how the viruses mutate
themselves. Once it does so, the engine can spot the “undisguised” nature of
these viruses, and thereby detect them reliably no matter how they try to hide
themselves.
“Double heuristics” analysis
As a further engine enhancement, McAfee researchers have honed
early heuristic scanning technologies—originally developed to detect the
astonishing flood of macro virus variants that erupted after 1995—into a set of
precision instruments. Heuristic scanning techniques rely on the engine’s
experience with previous viruses to predict the likelihood that a suspicious file
is an as-yet unidentified or unclassified new virus.
The scan engine now incorporates ViruLogic, a heuristic technique that can
observe a program’s behavior and evaluate how closely it resembles either a
macro virus or a file-infecting virus. ViruLogic looks for virus-like behaviors
in program functions, such as covert file modifications, background calls or
invocations of e-mail clients, and other methods that viruses can use to
replicate themselves. When the number of these types of behaviors—or their
inherent quality—reaches a predetermined threshold of tolerance, the engine
fingers the program as a likely virus.
The engine also “triangulates” its evaluation by looking for program behavior
that no virus would display—prompting for some types of user input, for
example—in order to eliminate false positive detections. This double-heuristic
combination of “positive” and “negative” techniques results in an
unsurpassed detection rate with few, if any, costly misidentifications.
Wide-spectrum coverage
As malicious agents have evolved to take advantage of the instant
communication and pervasive reach of the Internet, so VirusScan software has
evolved to counter the threats they present. A computer “virus” once meant a
specific type of agent—one designed to replicate on its own and cause a
limited type of havoc on the unlucky recipient’s computer. In recent years,
however, an astounding range of malicious agents has emerged to assault
personal computer users from nearly every conceivable angle. Many of these
agents—some of the fastest-spreading worms, for instance—use updated
versions of vintage techniques to infect systems, but many others make full
use of the new opportunities that web-based scripting and application hosting
present.
Still others open “back doors” into desktop systems or create security holes in
a way that closely resembles a deliberate attempt at network penetration,
rather than the more random mayhem that most viruses tend to leave in their
wakes.
The latest VirusScan software releases, as a consequence, do not simply wait
for viruses to appear on your system, they scan proactively at the source or
work to deflect hostile agents away from your system. The VShield scanner
that comes with VirusScan software has three modules that concentrate on
agents that arrive from the Internet, that spread via e-mail, or that lurk on
Internet sites. It can look for particular Java and ActiveX objects that pose a
threat, or block access to dangerous Internet sites. Meanwhile, an E-Mail Scan
extension to Microsoft Exchange e-mail clients, such as Microsoft Outlook, can
“x-ray” your mailbox on the server, looking for malicious agents before they
arrive on your desktop.
VirusScan software even protects itself against attempts to use its own
functionality against your computer. Some virus writers embed their viruses
inside documents that, in turn, they embed in other files in an attempt to evade
detection. Still others take this technique to an absurd extreme, constructing
highly recursive—and very large—compressed archive files in an attempt to
tie up the scanner as it digs through the file looking for infections. VirusScan
software accurately scans the majority of popular compressed file and archive
file formats, but it also includes logic that keeps it from getting trapped in an
endless hunt for a virus chimera.
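The limits that keep a scanner out of an "endless hunt" can be shown with a small Python example, added here and not part of the product or this guide. It builds a deliberately nested ZIP file in memory (constructed test data, with a made-up byte pattern standing in for a virus signature), then scans it recursively while capping both the nesting depth and the total number of bytes expanded for one object, so a recursive or oversized archive aborts the scan instead of consuming it. The declared member size in a ZIP header is attacker-controlled, so the example checks it before reading and then reads with a bound rather than trusting it.

```python
"""Depth- and expansion-limited scanning of nested archives.

Added example, not McAfee code. The ZIP files are built here in memory
as constructed test data and SIGNATURE is a made-up byte pattern.
"""
import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

MAX_DEPTH = 4                        # archive-in-archive levels we will open
MAX_TOTAL_BYTES = 1_000_000          # cap on bytes expanded for one scanned object
SIGNATURE = b"TOY-SIGNATURE-BYTES"   # constructed stand-in for a real .DAT pattern


def make_nested_zip(payload: bytes, levels: int) -> bytes:
    """Wrap payload in `levels` ZIP archives, each inside the next (test data)."""
    data, name = payload, "payload.bin"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i}.zip"
    return data


@dataclass
class ScanResult:
    infected: List[str] = field(default_factory=list)
    depth_reached: int = 0
    bytes_expanded: int = 0
    aborted: Optional[str] = None    # set when a limit stopped the scan


def _scan(data: bytes, name: str, depth: int, result: ScanResult) -> None:
    result.depth_reached = max(result.depth_reached, depth)
    if SIGNATURE in data:
        result.infected.append(name)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    if depth >= MAX_DEPTH:
        result.aborted = f"nesting deeper than {MAX_DEPTH} at {name}"
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member_name = f"{name}/{info.filename}"
            remaining = MAX_TOTAL_BYTES - result.bytes_expanded
            # The declared size comes from the archive and can lie: reject an
            # honest oversize claim cheaply here, then read with a bound below.
            if info.file_size > remaining:
                result.aborted = f"expansion over {MAX_TOTAL_BYTES} bytes at {member_name}"
                return
            # Reading one byte past the budget proves the header lied without
            # inflating the whole member into memory.
            with zf.open(info) as fh:
                member = fh.read(remaining + 1)
            result.bytes_expanded += len(member)
            if len(member) > remaining:
                result.aborted = f"expansion over {MAX_TOTAL_BYTES} bytes at {member_name}"
                return
            _scan(member, member_name, depth + 1, result)
            if result.aborted:
                return


def scan(data: bytes, name: str = "sample") -> ScanResult:
    """Scan one object, descending into archives within the configured limits."""
    result = ScanResult()
    _scan(data, name, 0, result)
    return result


if __name__ == "__main__":
    infected = scan(make_nested_zip(b"text " + SIGNATURE + b" text", 2))
    print("two levels:", infected.infected, infected.aborted)
    deep = scan(make_nested_zip(b"x", 10))
    print("ten levels:", deep.depth_reached, deep.aborted)
    fat = scan(make_nested_zip(b"A" * 2_000_000, 1))
    print("oversized member:", fat.aborted)
```

The two-level archive is fully opened and the signature is reported with the full member path; the ten-level archive stops at MAX_DEPTH with no result claimed for the levels never opened; the archive whose single member would inflate past MAX_TOTAL_BYTES is refused before any inflation. Whether an aborted scan is treated as clean or suspicious is a policy decision, which is why the result records the reason rather than silently returning an empty list.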
What comes with VirusScan software?
VirusScan software consists of several components that combine one or more
related programs, each of which plays a part in defending your computer
against viruses and other malicious software. The components are:
• The VirusScan Central. This is your main entry point for using all of the
available components of McAfee VirusScan. This home screen (see Figure
1-1) shows you when a virus scan was last performed on your computer,
which VShield settings are enabled or disabled, and which .DAT files are
installed and when they were created.
Figure 1-1. McAfee VirusScan Central screen
• The VirusScan Console. This component allows you to create, configure
and run VirusScan tasks at times you specify. A “task” can include
anything from running a scan operation on a set of disks at a specific time
or interval, to running an update or upgrade operation. You can also enable
or disable the VShield scanner from the Console window.
The Console comes with a preset list of tasks that ensures a minimal level of
protection for your system—you can, for example, immediately scan and
clean your C: drive or all disks on your computer.
• The VShield scanner. This component gives you continuous anti-virus
protection from viruses that arrive on floppy disks, from your network, or
from various sources on the Internet. The VShield scanner starts when you
start your computer, and stays in memory until you shut down. A flexible
set of property pages lets you tell the scanner which parts of your system
to examine, what to look for, which parts to leave alone, and how to
respond to any infected files it finds. In addition, the scanner can alert you
when it finds a virus, and can generate reports that summarize each of its
actions.
The VShield scanner comes with three other specialized modules that
guard against hostile Java applets and ActiveX controls, that scan e-mail
messages and attachments that you receive from the Internet via Lotus
cc:Mail, Microsoft Mail or other mail clients that comply with Microsoft’s
Messaging Application Programming Interface (MAPI) standard, and that
block access to dangerous Internet sites. Secure password protection for
your configuration options prevents others from making unauthorized
changes. The same convenient dialog box controls configuration options
for all VShield modules.
• Safe & Sound. This component allows you to create backup sets in
protected volume files, which is the safest and preferred type of backup. A
protected volume file is a sectioned-off area of the drive, sometimes called a
logical drive.
NOTE: Safe & Sound is only available for Windows 95, 98 and
Windows ME. For more information, access the PDF formatted
file of the User’s Guide (i.e., vscan51_userguide.pdf) included
in the McAfee VirusScan CD-ROM and read “About Safe &
Sound”.
• Quarantine. This component allows you to move infected files to a
quarantine folder. This moves infected files from areas where they can be
accessed and enables you to clean or delete them at your convenience.
NOTE: For more information, access the PDF formatted file of
the User’s Guide (i.e., vscan51_userguide.pdf) included in the
McAfee VirusScan CD-ROM and read “About Quarantine”.
• The E-Mail Scan extension. This component allows you to scan your
Microsoft Exchange or Outlook mailbox, or public folders to which you
have access, directly on the server. This invaluable “x-ray” peek into your
mailbox means that VirusScan software can find potential infections before
they make their way to your desktop, which can stop a Melissa-like virus
in its tracks.
• A cc:Mail scanner. This component includes technology optimized for
scanning Lotus cc:Mail mailboxes that do not use the MAPI standard.
Install and use this component if your workgroup or network uses cc:Mail
v7.x or earlier.
• The Alert Manager Client configuration utility. This component lets you
choose a destination for Alert Manager “events” that VirusScan software
generates when it detects a virus or takes other noteworthy actions. You
can also specify a destination directory for older-style Centralized Alerting
messages, or supplement either method with Desktop Management
Interface (DMI) alerts sent via your DMI client software.
• The ScreenScan utility. This optional component scans your computer as
your screen saver runs during idle periods.
• The SendVirus utility. This component gives you an easy and painless
way to submit files that you believe are infected directly to McAfee
VirusScan’s anti-virus researchers. A simple wizard guides you as you
choose files to submit, include contact details and, if you prefer, strip out
any personal or confidential data from document files.
• The Emergency Disk creation utility. This essential utility helps you to
create a floppy disk that you can use to boot your computer into a
virus-free environment, then scan essential system areas to remove any
viruses that could load at startup.
• Command-line scanners. This component consists of a set of full-featured
scanners you can use to run targeted scan operations from the MS-DOS
Prompt or Command Prompt windows, or from protected MS-DOS mode.
The set includes:
–SCAN.EXE, a scanner for 32-bit environments only. This is the
primary command-line interface. When you run this file, it first
checks its environment to see whether it can run by itself. If your
computer is running in 16-bit or protected mode, it will transfer
control to one of the other scanners.
–SCANPM.EXE, a scanner for 16- and 32-bit environments. This
scanner provides you with a full set of scanning options for 16- and
32-bit protected-mode DOS environments. It also includes support
for extended memory and flexible memory allocations. SCAN.EXE
will transfer control to this scanner when its specialized capabilities
can enable your scan operation to run more efficiently.
–SCAN86.EXE, a scanner for 16-bit environments only. This scanner
includes a limited set of capabilities geared to 16-bit environments.
SCAN.EXE will transfer control to this scanner if your computer is
running in 16-bit mode, but without special memory configurations.
–BOOTSCAN.EXE, a smaller, specialized scanner for use primarily
with the Emergency Disk utility. This scanner ordinarily runs from
a floppy disk you create to provide you with a virus-free boot
environment.
When you run the Emergency Disk creation wizard, VirusScan
software copies BOOTSCAN.EXE, and a specialized set of .DAT
files to a single floppy disk. BOOTSCAN.EXE will not detect or
clean macro viruses, but it will detect or clean other viruses that can
jeopardize your VirusScan software installation or infect files at
system startup. Once you identify and respond to those viruses, you
can safely run VirusScan software to clean the rest of your system.
All of the command-line scanners allow you to initiate targeted scan
operations from an MS-DOS Prompt or Command Prompt window, or
from protected MS-DOS mode. Ordinarily, you’ll use the VirusScan
application’s graphical user interface (GUI) to perform most scanning
operations, but if you have trouble starting Windows or if the VirusScan
GUI components will not run in your environment, you can use the
command-line scanners as a backup.
• A printed Getting Started Guide, which introduces the product,
provides installation instructions, outlines how to respond if you
suspect your computer has a virus, and provides a brief product
overview. The printed Getting Started Guide comes with the
VirusScan software copies distributed on CD-ROM discs—you can
also download it as vs51_getstart.PDF from Network Associates
website or from other electronic services.
• A user’s guide saved on the VirusScan software CD-ROM or
installed on your hard disk in Adobe Acrobat .PDF format. You can
also download it as a vscan51_userguide.PDF file from Network
Associates website or from other electronic services. The VirusScan
User’s Guide describes in detail how to use VirusScan and includes
other information useful as background or as advanced
configuration options. Acrobat .PDF files are flexible online
documents that contain hyperlinks, outlines and other aids for easy
navigation and information retrieval.
• This administrator’s guide saved on the VirusScan software
CD-ROM or installed on your hard disk in Adobe Acrobat .PDF
format. You can also download it as vs51_admin.PDF from
Network Associates website or from other electronic services. The
VirusScan Administrator’s Guide describes in detail how to manage
and configure VirusScan software from a local or remote desktop.
• An online help file. This file gives you quick access to a full range of
topics that describe VirusScan software. You can open this file either
by choosing Help Topics from the Help menu in the VirusScan
main window, or by clicking any of the Help buttons displayed in
VirusScan dialog boxes.
The help file also includes extensive context-sensitive—or “What's
This”—help. To see these help topics, right-click buttons, lists, icons,
some text boxes, and other elements that you see within dialog
boxes. You can also click the ? symbol at the top-right corner in most
dialog boxes, then click the element you want to see described to
display the relevant topic. The dialog boxes with Help buttons open
the help file to the specific topic that describes the entire dialog box.
• A LICENSE.TXT file. This file outlines the terms of your license to
use VirusScan software. Read it carefully—by installing VirusScan
software you agree to its terms.
• A README.TXT file. This file contains last-minute additions or
changes to the documentation, lists any known behavior or other
issues with the product release, and often describes new product
features incorporated into incremental product updates. You’ll find
the README.TXT file at the root level of your VirusScan software
CD-ROM or in the VirusScan software program folder—you can
open and print it from Windows Notepad, or from nearly any
word-processing software.
What’s new in this release?
This VirusScan release introduces a number of innovative new features to the
product’s core functionality, to its range of coverage, and to the details of its
application architecture. A previous section, “How does VirusScan software
work?” on page 17, discusses many of these features. The single most
significant change between previous VirusScan versions and this release,
however, is the integration of two separate VirusScan versions optimized to
run on separate Windows platforms into a single product that runs on both.
This single product also takes full advantage of each platform’s strengths.
The next sections discuss other changes that this VirusScan release introduces.
Installation and distribution features
McAfee VirusScan’s anti-virus products, including VirusScan software, now
use the Microsoft Windows Installer (MSI), which comes with all Windows
2000 Professional systems. This Setup utility offers a wealth of custom
installation and configuration features that make VirusScan software rollout
across large organizations much easier and more intuitive. To learn more
about how to run custom Setup operations with MSI, see Chapter 2, “Installing
VirusScan Software” in the VirusScan Administrator’s Guide.
This VirusScan version also comes with complete support for the Network
Associates ePolicy Orchestrator software distribution tool. A specially
packaged VirusScan version ships with the ePolicy Orchestrator software,
ready for enterprise-wide distribution. You can distribute VirusScan software,
configure it from the ePolicy Orchestrator console, update that configuration
and any program or .DAT files at any time, and schedule scan operations, all
for your entire network user base. To learn more about using ePolicy
Orchestrator software for VirusScan distribution and configuration, consult
the ePolicy Orchestrator Administrator’s Guide.
Interface enhancements
This release moves the VirusScan interface for all supported platforms solidly
into the territory VirusScan for Windows 95 and Windows 98 pioneered with
its v4.0.1 release. This adds extensive VShield scanner configuration options
for the Windows NT Workstation v4.0 and Windows 2000 Professional
platforms, while reducing the complexity of some previous configuration
options. Alert Manager server configuration, for example, moves entirely over
to the NetShield product line—VirusScan software now acts strictly as a
configurable client application.
This release also adds a new VirusScan control panel, which functions as a
central point from which you can enable and disable all VirusScan
components. This control panel also lets you set a ceiling for the number of
items you can scan in or exclude from a single operation, and can set the
VShield scanner and VirusScan control panel to run at startup. Other changes
include:
• New VShield system tray icon states tell you more about which VShield
modules are active. These states are:
– All VShield modules are active
– The System Scan module is active, but one or more of the other
VShield modules is inactive
– The System Scan module is inactive, but one or more of the other
VShield modules is active
– All VShield modules are inactive
• New interface settings for task configuration allow you to tell the
VirusScan application how you want it to appear as your scheduled task
runs and what you want it to do when it finishes. You can also set a
password to protect individual task settings from changes, or to protect an
entire task configuration at once.
• An updated randomization feature for scheduled tasks allows you to set a
time for the task to run, then set a randomization “window.” The
VirusScan Console then picks a random time within the window to
actually start the task.
• System Scan module action options now include a new Prompt Type
configuration option for Windows 95 and Windows 98 systems. This
option lets you determine how the Prompt for user action alert appears.
Changes in product functionality
• A new Alert Manager Client configuration utility allows you to choose an
Alert Manager server installed on your network as an alert message
destination, or to select a network share as a destination for Centralized
Alerting messages. You can also supplement either of these alert methods
with Desktop Management Interface alert messages.
• The Alert Manager server supports Intel Pentium III processor serial
numbers to identify individual machines for virus notification. For more
information about Intel processor serial numbers, consult the Intel FAQ at
http://support.intel.com/support/processors/pentiumiii/psqa.htm.
New update options for your VirusScan software
Even with the majority of the virus definitions it requires now incorporated
directly into its engine in generic routines, VirusScan software still requires
regular .DAT file updates to keep pace with the 200 to 300 new viruses that
appear each month. To meet this need, McAfee VirusScan has incorporated
updating technology in VirusScan software from its earliest incarnations. With
this release, that technology takes a quantum leap forward with incremental
.DAT file updating.
The Network Associates SecureCast service provides a convenient method
you can use to receive the latest virus definition (.DAT) file updates
automatically, as they become available, without your having to download
them.
NOTE: For more information, access the PDF formatted file of the User’s
Guide (i.e., vscan51_userguide.pdf) included in the McAfee VirusScan
CD-ROM and read “Using the SecureCast Service to Get New Data
Files.”
2 Installing VirusScan Software
Before you begin
McAfee VirusScan Software distributes VirusScan software in two ways: 1) as
an archived file that you can download from the McAfee Web site; and 2) on
CD-ROM. Although the method you use to transfer VirusScan files from an
archive you download differs from the method you use to transfer files from
a CD-ROM you place in your CD-ROM drive, the installation steps you follow
after that are the same for both distribution types. Review the system
requirements to verify that VirusScan software will run on your system.
System requirements
VirusScan software will install and run on any IBM PC or PC-compatible
computer equipped with:
• A processor equivalent to at least an Intel Pentium-class or compatible
processor. McAfee VirusScan Software recommends an Intel Pentium
processor or Celeron processor running at a minimum of 166 MHz.
• A CD-ROM drive. If you downloaded your copy of VirusScan software,
this is an optional item.
• At least 16MB of free hard disk space.
• At least 16MB of free random-access memory (RAM). McAfee VirusScan
Software recommends at least 20MB.
• Microsoft Windows 95, Windows 98, Windows ME, Windows NT
Workstation v4.0 with Service Pack 4 or later, or Windows 2000
Professional. McAfee VirusScan Software recommends that you also have
Microsoft Internet Explorer v4.0.1 or later installed, particularly if your
system runs any Windows 95 version.
Other recommendations
To take full advantage of VirusScan software’s automatic update features, you
should have an Internet connection via a high-speed modem and an Internet
service provider.
User’s Guide27
Installing VirusScan Software
Preparing to install VirusScan software
After inserting the McAfee VirusScan CD-ROM in your CD-ROM drive, you should see
a VirusScan welcome image appear automatically. To install VirusScan
software immediately, click Install VirusScan, then skip to Step 4 to continue
with Setup. If the welcome image does not appear, or if you are installing
VirusScan software from files you downloaded, start with Step 2.
IMPORTANT: Because Setup installs some VirusScan files as services on
Windows NT Workstation v4.0 and Windows 2000 Professional systems,
you must log in to your system with Administrator rights to install this
product. To run Setup on Windows 95 or Windows 98, you do not need
to log in with any particular profile or rights.
Installation options
The Installation steps section describes how to install VirusScan software with
its most common options on a single computer or workstation. You can choose
to do a Typical setup—which installs commonly used VirusScan components
but leaves out some VShield modules and the ScreenScan utility—or you can
choose to do a Custom setup, which gives you the option to install all
VirusScan components.
Installation steps
McAfee VirusScan Software recommends that you first quit all other
applications you have running on your system before you start Setup. Doing
so reduces the possibility that software conflicts will interfere with your
installation.
To install VirusScan software, follow these steps:
1. If your computer runs Windows NT Workstation v4.0 or Windows 2000
Professional, log on to your system as Administrator. You must have
administrative rights to install VirusScan software on your system.
2. Choose Run from the Start menu in the Windows taskbar.
The Run dialog box will appear (Figure 2-1).
Figure 2-1. Run dialog box
3. Type <X>:\SETUP.EXE in the text box provided, then click OK.
Here, <X> represents the drive letter for your CD-ROM drive or the path
to the folder that contains your extracted VirusScan files. To search for
the correct files on your hard disk or CD-ROM, click Browse.
NOTE: If your VirusScan software copy came on an Active Virus
Defense or a Total Virus Defense CD-ROM, you must also specify
which folder contains the VirusScan software.
Before it continues with the installation, Setup first checks to see whether
your computer already has version 1.1 of the Microsoft Windows
Installer (MSI) utility running as part of your system software.
If your computer runs Windows 2000 Professional, this MSI version
already exists on your system. If your computer runs an earlier Windows
release, you might still have this MSI version on your system if you
previously installed other software that uses MSI. In either of these cases,
Setup will display its first wizard panel immediately. Skip to Step 4 to
continue.
If Setup does not find MSI v1.1 on your computer, it installs files it needs
to continue the installation, then prompts you to restart your computer.
Click Restart System.
When your computer restarts, Setup will continue from where it left off.
The Setup welcome panel will appear (Figure 2-2).
4. This first panel tells you where to locate the README.TXT file, which
describes product features, lists any known issues, and includes the latest
available product information for this VirusScan version. When you
have read the text, click Next> to continue.
Figure 2-2. Setup welcome panel
5. The next wizard panel displays the VirusScan software end-user license
agreement. Read this agreement carefully—if you install VirusScan
software, you agree to abide by the terms of the license.
If you do not agree to the license terms, select I do not agree to the terms of the License Agreement, then click Cancel. Setup will quit
immediately. Otherwise, click I agree to the terms of the License Agreement, then click Next> to continue.
Setup next checks to see whether previous VirusScan versions or
incompatible software exists on your computer. If you have no other
anti-virus software or any previous VirusScan versions on your system,
it will display the Security Type or the Setup Type panel. Skip to Step 8
to continue.
If Setup discovers an earlier VirusScan version on your system, it will tell
you that it must remove that earlier version. If your computer runs
Windows 95 or Windows 98, Setup also gives you the option to preserve
the VShield configuration settings you chose for the earlier version.
If your computer runs Windows NT Workstation v4.0 or Windows 2000
Professional, Setup will remove the previous VirusScan version, but will
not preserve any previous VShield scanner settings.