Mcafee VIRUSSCAN 5.1 ADMINISTRATOR GUIDE

McAfee VirusScan
Administrator’s Guide
Version 5.1
COPYRIGHT
Copyright © 2000 Network Associates, Inc. and its Affiliated Companies. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permissio n of Network A ssociates, Inc.
* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, CNX, Compass 7, CyberCop, CyberMedia, Data Security Letter, Discover, Distributed Sniffer System, Dr
Solomon’s, Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT, GroupShield, HelpDesk, Hunter, ISDN Tel/Scope, LM 1, LA NGuru, Leadin g Help Desk Technolo gy, Magic Solu tions, Magi cSpy, MagicTree, Magic University, MagicWin, MagicWord, McAfee, McAfee Associates, MoneyMagic, More Power To You, Multimedia Cloaking, NetCrypto, NetOctopus, NetRoom, NetSca n, Net Shield, NetShiel d, NetStalker, Net Tools, Network Associates, Network General, Network Uptime!, NetXRay, Nuts & Bolts, PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty Good Privacy, PrimeSupport, RecoverKey, RecoverKey-International, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, Site Meter, Sniffer, SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR), SupportMagic, Switch PM, TeleSniffer, TIS, TMach, TMeg, Tota l Network Security, Total Network Vis ibility, Total Service Desk, Total Virus Defense, T-POD, Trusted Ma ch, Trusted Ma il, Uninstall er, Virex, Vi rex-PC, Virus Fo rum, ViruScan, VirusScan, VShi eld, WebScan , Web Shield, W ebS niffer , WebSt alker W ebW all , and ZAC 2000
are registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
LICENSE AGREEMENT
NOTICE TO ALL USERS: CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT ("AGREEMENT"), FOR THE LICENSE OF SPECIFIED SOFTWARE ("SOFTWARE") BY NETWORK ASSOCIATES, INC. ("McAfee"). BY CLICKING THE ACCEPT BUTTON OR INSTALLING THE SOFTWARE, YOU (EITHER AN INDIVIDUAL OR A SINGLE ENTITY) CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE BUTTON THAT INDICATES THAT YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT AND DO NOT INSTALL THE SOFTWARE. (IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.)
1. License Grant. Subject to the payment of the applicable license fees, and subject to the terms and
conditions of this Agreement, McAfee hereby grants to you a non-exclusive, non-transferable right to use one copy of the specified version of the Software and the accompanying documentation (the "Documentation"). You may install one copy of the Software on one computer, workstation, personal digital assistant, pager, "smart phone" or other electronic device for which the Software was designed (each, a "Client Device"). If the Software is licensed as a suite or bundle with more than one specified Software product, this license applies to all such specified Software products, subject to any restrictions or usage terms specified on the applicable price list or product packaging that apply to any of such Software products individually.
Issued July 2000/McAfee VirusScan v5.1 Anti-Virus Software
Table of Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .vii
Anti-virus protection as information security . . . . . . . . . . . . . . . . . . . . . . . . .vii
Information security as a business necessity . . . . . . . . . . . . . . . . . . . . . . . . . .x
Active Virus Defense security perimeters . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
McAfee VirusScan’s anti-virus research . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Chapter 1. About VirusScan Software . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Introducing VirusScan anti-virus software . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
How does VirusScan software work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
What comes with VirusScan software? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
What’s new in this release? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Chapter 2. Installing VirusScan Software . . . . . . . . . . . . . . . . . . . . . . . .27
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
System requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Other recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Preparing to install VirusScan software . . . . . . . . . . . . . . . . . . . . . . . . .28
Installation options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Installation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Using the Emergency Disk Creation utility . . . . . . . . . . . . . . . . . . . . . . .39
Determining when you must restart your computer . . . . . . . . . . . . . . . .44
Testing your installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Modifying or removing your VirusScan installation . . . . . . . . . . . . . . . .46
Chapter 3. Removing Infections
From Your System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
If you suspect you have a virus... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Deciding when to scan for viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Recognizing when you don’t have a virus . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Understanding false detections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Responding to viruses or malicious software . . . . . . . . . . . . . . . . . . . . . . . . .55
Submitting a virus sample . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Administrator’s Guide iii
Table of Contents
Using the SendVirus utility to submit a file sample . . . . . . . . . . . . . . . .67
Capturing boot sector, file-infecting, and macro viruses . . . . . . . . . . . .70
Chapter 4. Using VirusScan Software . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Using the VShield scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Using the VirusScan application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Scheduling scan tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Using specialized scanning tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Chapter 5. Sending Alert Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Using the Alert Manager Client Configuration utility . . . . . . . . . . . . . . . . . . .79
VirusScan software as an Alert Manager Client . . . . . . . . . . . . . . . . . . . . . . .80
Configuring the Alert Manager Client utility . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Appendix A. Using VirusScan Administrative Utilities . . . . . . . . . . . . .85
Understanding the VirusScan control panel . . . . . . . . . . . . . . . . . . . . . . . . . .85
Opening the VirusScan control panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Choosing VirusScan control panel options . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Appendix B. Installed Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
What’s in this appendix? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
VShield scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Dependent and related files for the VirusScan application . . . . . . . . . .95
Alert Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
VirusScan control panel files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
ScreenScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
VirusScan Emergency Disk files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Dependent and related files for the E-Mail Scan extension . . . . . . . . .103
Appendix C. Using VirusScan Command-line Options . . . . . . . . . . . .107
Adding advanced VirusScan engine options . . . . . . . . . . . . . . . . . . . . . . . . .107
Running the VirusScan Command Line program . . . . . . . . . . . . . . . . . . . . .107
Appendix D. Using the SecureCast Service to Get New Data Files . . 117
Introducing the SecureCast service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Why should I update my data files? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
iv McAfee VirusScan
Table of Contents
Which data files does the SecureCast service deliver? . . . . . . . . . . . .118
Installing the BackWeb client and SecureCast service . . . . . . . . . . . . . . . . .119
System requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Troubleshooting the Enterprise SecureCast service . . . . . . . . . . . . . .129
Unsubscribing from the SecureCast service . . . . . . . . . . . . . . . . . . . . .129
Support resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
SecureCast service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
BackWeb client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Appendix E. Product Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
How to Contact McAfee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Customer service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Technical support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Appendix F. Download Information (License ID #: VSF500R) . . . . . . .135
SecureCast™ (For Windows 95/98 Retail Version): . . . . . . . . . . . . . . . . . . .135
Internet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Administrator’s Guide v
Table of Contents
vi McAfee VirusScan

Preface

Anti-virus protection as information security

“The world chang ed [on March 26, 1999]— does anyon e doubt that ? The world
is different. Melissa proved that ... and we are very fortunate ... the world could have gone very close to meltdown.”
Padgett Peterson, Chief Info Security Architect, Lockheed Martin Corporation,
on the 1999 “Melissa” virus epidemic
By the end of the 1990s, many information technology professionals had
begun to recognize that they could not easily separate how they needed to
respond to new virus threats from how they already dealt with deliberate
network security breaches. Dorothy Denning, co-editor of the 1998 computer
security handbook Internet Besieged: Countering Cyberspace Scofflaws, explicitly
grouped anti-virus security measures in with other network security
measures, classifying them as a defense against malicious “injected code.”
Denning justified her inclusive grouping on based on her definition of
information security as “the effective use of safeguards to protect the
confidentiality, integrity, authenticity, availability, and non-repudiation of
information and information processing systems.” Virus payloads had always
threatened or damaged data integrity, but by the time she wrote her survey
article, newer viruses had already begun to mount sophisticated attacks that
struck at the remaining underpinnings of information security. Denning’s
classification recognized that newer viruses no longer merely annoyed system
administrators or posed a relatively low-grade threat; they had in fact
graduated to become a serious hazard.
Though not targeted with as much precision as an unauthorized network
intrusion, virus attacks had begun to take on the color of deliberate
information warfare. Consider these examples, many of which introduced
quickly-copied innovations to the virus writer’s repertoire:
• W32/CIH.Spacefiller destroyed the flash BIOS in workstations it infected, effectively preventing them from booting. It also overwrote parts of the infected hard disk with garbage data.
• XM/Compat.A rewrote the data inside Microsoft Excel spreadsheet files. It used advanced polymorphic concealment techniques, which meant that with each infection it changed the signature bytes that indicated its presence and allowed anti-virus scanners to find it.
Administrator’s Guide vii
Preface
• W32/Ska, though technically a worm, replaced the infected computer’s WinSock file so that it could attach itself to outgoing Simple Mail Transfer Protocol (SMTP) messages and postings to U SENET news groups. This strategy made it commonplace in many areas.
• Remote Explorer stole the security privileges of a Windows NT domain administrator and used them to install itself as a Windows NT Service. It also deposited copies of itself in the Windows NT driver directory and carried with it a supporting Dynamic Link Library (.DLL) file that allowed it to randomly encrypt data files. Because it appeared almost exclusively at one corporate site, security experts speculated that it was a deliberate, targeted attack on the unfortunate company’s network integrity.
• Back Orifice, the product of a group calling itself the Cult of the Dead Cow, purported to give the owner of the client portion of the Back Orifice application complete remote access to any Windows 95 or Windows 98 workstation that runs the concealed companion server. That access—from anywhere on the Internet—allowed the client to capture keystrokes; open, copy, delete, or run files; transmit screen captures; and restart, crash, or shut down the infected computer. To add insult to injury, early Back Orifice releases on CD-ROM carried a W32/CIH.Spacefiller infection.
Throughout much of 1999, virus and worm attacks suddenly stepped up in intensity and in the public eye. Part of the reason for this, of course, is that many of the more notorious viruses and worms took full advantage of the Internet, beginning a long-predicted assault by flooding e-mail transmissions, websites, newsgroups and other available channels at an almost exponential rate of growth. They now bullied their way into network environments, spreading quickly and leaving a costly trail of havoc behind them.
W97M/Melissa, the “Melissa” virus, jolted most corporate information technology departments out of whatever remaining complacency they had held onto in the face of the newer virus strains. Melissa brought corporate e-mail servers down across the United States and elsewhere when it struck in March 1999. Melissa instructed e-mail client programs to send out infected e-mail messages to the first 50 entries in each target computer’s address book. This transformed a simple macro virus infection with no real payload into an effective denial-of-service attack on mail servers.
Melissa’s other principle innovation was its direct attempt to play on end-user psychology: it forged an e-mail message from a sender the recipient knew, and sent it with a subject line that urged that recipient to open both the message and the attached file. In this way, Melissa almost made the need for viral code to spread itself obsolete—end users themselves cooperated in its propagation, and their own computers blindly participated.
viii McAfee VirusScan
Preface
A rash of Melissa variants and copycats appeared soon after. Some, such as W97M/Prilissa, included destructive payloads. Later the same yea r, a number of new viruses and worms either demonstrated novel or unexpected ways to get into networks and compromise information security, or actually perpetuated attacks. Examples included:
• W32/ExploreZip.worm and its variants, which used some of Melissa’s techniques to spread, initially through e-mail. After it successfully infected a host machine, ExploreZip searched for unsecured network shares and quietly copied itself throughout a network. It carried a destructive payload that erased various Windows system files and Microsoft Office documents, replacing them with an unrecoverable zero-byte-length files.
• W32/Pretty.worm, which did Melissa one better by sending itself to every entry in the infected computer’s MAPI address book. It also connected to an Internet Relay Chat (IRC) server, joined a particular IRC channel, then opened a path to receive commands via the IRC connection. This potentially allowed those on the channel to siphon information from the infected computer, including the computer name and owner’s name, his or her dial-up networking user name and password, and the path to the system root directory.
• W32/FunLove.4099, which infected ActiveX .OCX files, among others. This meant that it could lurk on web pages with ActiveX content, and infect systems with low or nonexistent browser security settings as they downloaded pages to their hard disks. If a Windows NT computer user had logged into a system with administrative rights, the infecting virus would patch two critical system files that gave all users on the networkincluding the virus—administrative rights to all files on the target computer. It spread further within the network by attaching itself to files with the extensions .SCR, .OCX, and .EXE.
• VBS/Bubbleboy, a proof-of-concept demonstration that showed that a virus could infect target computers directly from e-mail messages themselves, without needing to propagate through message attachments. It effectively circumvented desktop anti-virus protection altogether, at least initially. Its combination of HTML and VBScript exploited existing vulnerabilities in Internet-enabled mail systems; its author played upon the same end-user psychology that made Melissa success fu l.
The other remarkable development in the year w as the degree to wh ich virus writers copied, fused, and extended each others’ techniques. This cross­pollination had always occurred previously, but the speed a t which it took place and the increasing sophistication of the tools and techniques that became available during this period prepared very fertile ground for a nervously awaited bumper crop of intricate viruses.
Administrator’s Guide ix
Preface

Information security as a business necessity

Coincidentally or not, these darkly inventive new virus attacks and speedy propagation methods appeared as more businesses made the transition to Internet-based information systems and electronic commerce operations. The convenience and efficiency that the Internet brought to business saved money and increased profits. This probably also made these same businesses attractive targets for pranksters, the hacker underground, and those intent on striking at their favored targets.
Previously, the chief costs from a virus attack were the time and money it took to combat an infection and restore computer systems to working order. To those costs the new types of virus attacks now added the costs of lost productivity, network and server downtime, service denials for e-mail and
other critical business tools, exposure—and perhaps widespread distribution —of confidential information, and other ills.
Ultimately, the qualifying differences between a hacker-directed security breach in a network and a security breach that results from a virus attack might become merely ones of intent and method, not results. Already new attacks have shaken the foundations of Net-enable d bu sinesses, many of which require 24-hour availability for networks and e-mail, high data integrity, confidential customer lists, secure credit card data and purchase verification, reliable communications, and hundreds of other computer-aided transactional details. The costs from these virus attacks in the digital economy now cut directly into the bottom line.
Because they do, protecting that bottom line means implementing a total solution for information and network security—one that includes comprehensive anti-virus protection. It’s not enough to rely only on desktop-based anti-virus protection, or on haphazard or ad hoc security measures. The best defense requires sealing all potential points by which viruses can enter or attack your network, from the firewall and gateway down to the individual workstation, and keeping the anti-virus sentries at those points updated and current.
Part of the solution is deploying the McAfee VirusScan’s Active Virus Defense* software suite, which provides a comprehensive, multi-platform series of defensive perimeters for your network. You can also build on that security with the McAfee VirusScan’s Active Security suite, which allows you to monitor your network against intrusions, watch actual network packet traffic, and encrypt e-mail and network transmissions. But even with anti-virus and security software installed, new and previously unidentified viruses will inevitably find their way into yo ur network. That’s where the other part of the equation comes in: a thorough, easy-to-follow anti-virus security policy and set of practices for your enterprise—in the last ana lysis, only that can help to stop a virus attack before it becomes a virus epidemic.
x McAfee VirusScan

Active Virus Defense security perimeters

The McAfee VirusScan’s Active Virus Defense product suite exists for one simple reason: there is no such thing as too much anti-virus protection for the modern, automated enterprise. Although at first glance it might seem needlessly redundant to protect all of your desktop computers, file and network servers, gateways, e-mail servers and firewalls, each of these network nodes serves a different function in your network, a nd has different duties. An anti-virus scanner designed to keep a production workstation virus-free, for example, can’t intercept viruses that flood e-mail servers and effectively deny their services. Nor would you want to make a file server responsible for continuously scanning its client workstations—the cost in network bandwidth would be too high.
More to the point, each node’s specialized functions mean that viruses infect them in different ways that, in turn, call for optimized anti-virus solutions. Viruses and other malicious code can enter your network from a variety of sources—floppy disks and CD-ROMs, e-mail attachments, downloaded files, and Internet sites, for example. These unpredictable points of entry mean that infecting agents can slip through the chinks in incomplete anti-virus armor.
Desktop workstations, for example, can spread viruses by any of a variety of means—via floppy disks, by downloading them from the Internet, by mapping server shares or other workstations’ hard disks. E-mail servers, by contrast, rarely use floppy disks and tend not to use mapped drives—the Melissa virus showed, however, that they are quite vulnerable to e-mail–borne infections, even if they don’t execute the virus code themselves.
Preface

At the desktop: VirusScan software

The McAfee VirusScan’s Active Virus Defense product suite matches each point of vulnerability with a specialized, and optimized, anti-virus application. At the desktop level, the cornerstone of the suite is the VirusScan anti-virus product. VirusScan software protects some of your most vulnerable virus entry points with an interlocking set of scanners, utilities, and support files that allow it to cover:
• Local hard disks, floppy disks, CD-ROMs, and other removable media. The VShield scanner resides in memory, waiting for local file access of any sort. As soon as one of your network users opens, runs, copies, saves, renames, or sets attributes for any file on their system—even from mapped network drives—the VShield scanner examines it for infections.
You can supplement this continuous protection with scan operations you configure and schedule for your own needs. Comprehensive security options let you protect individual options with a password, or run the entire application in secure mode to lock out all unauthorized access.
Administrator’s Guide xi
Preface
• System memory, boot sectors, and master boot records. You can configure regularly scheduled scan operations that examine these favorite virus hideouts, or set up periodic operations whenever a threat seems likely.
• Microsoft Exchange mailboxes. VirusScan software includes a specialized E-Mail Scan extension that assumes y our network user’s Microsoft Exchange or Outlook identity to scan his or her mailbox directly—before viruses get downloaded to the local workstation. This can prevent some Melissa-style infections and avoid infecti on s fro m th e next generation of VBS/Bubbleboy descendants.
• Internet mail and file downloads. The VShield scanner includes two modules that specialize in intercepting SMTP and POP-3 e-mail messages, and that can examine files your network users download from Internet sites. The E-Mail Scan and Download Scan modules work together to scan the stream of file traffic that most workstations generate and receive daily.
• Hostile code. The Olympus scan engine at the heart of VirusScan software routinely looks for suspicious script code, macro code, known Trojan horse programs—even virus jokes or hoaxes. With the help of the VShield Internet Filter module, it also blocks hostile ActiveX and Java objects, many of which can lurk unnoticed on websites, waitin g to deploy sophisticated virus-like payloads. The Internet Filter module can even block entire websites, preventing network users from visiting sites that pose a threat to network integrity.
VirusScan software ties these powerful scanning capabilities together with a powerful set of alerting, and management tools. These include:
• Alert Manager client configuration. VirusScan software includes a client
• Integration with McAfee VirusScan’s ePolicy Orchestrator management
xii McAfee VirusScan
configuration utility yo u can use to have it pass alert messages directly to Alert Manager servers on your network, to a Centralized Alerting share, or to a Desktop Management Interface administrative application. Other alert methods include local custom messages and beeps, detection alerts and response options, and e-mail alert messages.
software. Centralized anti-virus management takes a quantum leap forward with this highly scalable management tool. VirusScan software ships with a plug-in library file that works with the ePolicy Orchestrator server to enforce enterprise-wide network security policies.
You can use ePolicy Orchestrator to configure, update, distribute and manage VirusScan installations at the group, workstation or user level. Schedule and run scan tasks, change configurations, update .DAT and engine files—all from a central console.
Taken together, the Active Virus Defense suite forms a tight series of anti-virus security perimeters around your network that protect you against both external and internal sources of infection. Those perimeters, correctly configured and implemented in conjunction with a clear enterprise-wide anti-virus security policy, do indeed offer useful redundancy, but their chief benefit lies in their ability to stop viruses as they enter your network, without your having to await a tardy or accidental discovery. Early detection contains infections, saves on the costs of virus eradicatio n, and in many cases can prevent a destructive virus payload from triggering.

McAfee VirusScan’s anti-virus research

Even the best anti-virus software is only as good as its latest update. Because as many as 200 to 300 vi rus es an d varian t s a ppear each mo nth , the .D AT fi le s
that enable McAfee VirusScan’s software to detect and remove viruses can get quickly outdated. If you have not updated the files that originally came with your software, you could risk infection from newly emerging viruses. McAfee VirusScan’s has, however, assembled the world’s largest and most experienced anti-virus research staff in its Anti-Virus Emergency Response Team (AVERT)*. This premier anti-virus research organization has a worldwide reach and a “follow the sun” coverage policy, that ensures that you get the files you need to combat new viruses as soon as—and often before—you need them. You can take advantage of many of the direct products of this research by visiting the AVERT research site on the Network Associates website:
Preface
http://www.nai.com/asp_set/anti_virus/introduction/default.asp
Contact your McAfee VirusScan’s representative, or visit the McAfee VirusScan’s website, to find out how to enlist the power of the Active Virus Defense security solution on your side:
http://www.mcafeeb2b.com/
Administrator’s Guide xiii
Preface
xiv McAfee VirusScan

1About VirusScan Software

Introducing VirusScan anti-virus softw are

Eighty percent of the Fortune 100—and more than 50 million users worldwide—choose VirusScan anti-virus software to protect their computers from the staggering range of viruses and other malicious agents that has emerged in the last decade to invade co rpora te n etworks a nd cause havo c for business users. They do so because VirusScan software offers the most comprehensive desktop anti-virus security solution available, with features that spot viruses, block hostile ActiveX and Java objects, identify dangerous websites, stop infectious e-mail messages—and even root out “zombie” agents that assist in large-scale denial-of-service attacks from across the Internet. They do so also because they recognize h ow m uch value McAfe e VirusScan’s anti-virus research and development brings to their fight to maintain network integrity and service levels, ensure data security, and reduce ownership costs.
With more than 50,000 viruses and malicious agents now in circulation, the stakes in this battle have risen considerably. Viruses and worms now have capabilities that can cost an enterprise real money, not just in terms of lost productivity and cleanup costs, but in direct bottom-line reductions in revenue, as more businesses move into e-commerce and online sales, and as virus attacks proliferate.
1
VirusScan software first honed it s technological edge as one of a handful of pioneering utilities developed to combat the earliest virus epidemics of the personal computer age. It has developed considerably in the intervening years to keep pace with each new subterfuge that virus writers have unleashed. As one of the first Internet-aware anti-virus applications, it maintains its value today as an indispensable business utility for the new electronic economy. Now, with this release, VirusScan software adds a whole new level of manageability and integration with other McAfee VirusScan’s anti-virus tools.
Architectural improvements mean that each VirusScan component meshes closely with the others, sharing data and resources for better application response and fewer demands on your system. Full support for Network Associates ePolicy Orchestrator management software means that network administrators can handle the details of component and task configuration, leaving you free to concentrate on your own work. A new incremental updating technology, meanwhile, means speedier and less bandwidth-intensive virus definition and scan engine downloads—now the protection you need to deal with the blindingly quick distribution rates of new-generation viruses can arrive faster than ever before. To learn more about these features, see “What’s new in this release?” on page 24.
Administrator’s Guide 15
About VirusScan Software
The new release also adds multiplatform support for Windows 95, Windows 98, Windows ME, Windows NT Workstation v4.0, and Windows 2000 Professional, all in a single package with a sing le installer, but optimized to take advantage of the benefits each platform offers. Windows NT Workstation v4.0 and Windows 2000 Professional users, for example, can run VirusScan software with differing security levels that provide a range of enforcement options for system administrators. That way, corporate anti-virus policy
implementation can vary from the relatively casual—where an administrator might lock down a few critical settings, for example—to the very strict, with predefined settings that users cannot change or disable at all.
At the same time, as the cornerstone product in the McAfee VirusScan’s Active Virus Defense and Total Virus Defense security suites, VirusScan software retains the same core features that have made it the utility of choice for the corporate desktop. These include a virus detection rate second to none, powerful heuristic capabilities, Trojan horse program detection and removal, rapid- response updating with weekly virus definition (.DAT) file releases, daily beta .DAT releases, and EXTRA.DAT file support in crisis or outbreak situations. Because more than 300 new viruses or malicious software agents appear each month McAfee VirusScan backs its software with a worldwide reach and 24-hour “follow the sun” coverage from its Anti-Virus Emergency Response Team (AVERT).
Even with the rise of viruses and worms that use e-mail to spread, that flood e-mail servers, or that infect groupware products and file servers directly, the individual desktop remains the single largest source of infections, and is often the most vulnerable point of entry. VirusScan software acts as a tireless desktop sentry, guarding your system against more venerable virus threats and against the latest threats that lurk on websites, often without the site owner’s knowledge, or spread via e-mail, whether solicited or not.
In this environment, taking precautions to protect yourself from malicious software is no longer a luxury, but a necessity. Consider the extent to which you rely on the data on your computer and the time, trouble and money it would take to replace that data if it became corrupted or unusable because of a virus infection. Corporate anti-virus cleanup co sts, by some estimates, topped $16 billion in 1999 alon e. Bala nce the probability of infection—and your company’s share of the resulting costs—against the time and effort it takes to put a few common sense security measures in place, and you can quickly see the utility in protecting yourself.
Even if your own data is relatively unimportant to you, neglecting to guard against viruses might mean tha t your computer could play unwitting host to a virus that could spread to computers that your co-workers and colleagues use. Checking your hard disk periodically with VirusScan software significantly reduces your system’s vulnerability to infection and keeps you from losing time, money an d data unnecessarily.
16 McAfee VirusScan

How does VirusScan software work?

VirusScan software combines the anti-virus industry’s most capable scan engine with top-notch interface enhancements that give you complete access to that engine’s power. The VirusScan graphical user interface unifies its specialized program components, but without sacrificing the flexibility you need to fit the software into your computing environment. The scan engine, meanwhile, combines the best features of tech nologies thatMcA fee VirusScan researchers developed independently for more than a decade.

Fast, accurate virus de tection

The foundation for that combination is the unique development environmen t that McAfee VirusScan researchers constructed for the engine. That environment includes Virtran, a specialized programming language with a structure and “vocabulary” optimized for the particular requirements that virus detection and removal impose. Using specific library functions from this language, for instance, virus researchers can pinpoint those sections within a file, a boot sector, or a master boot record that viruses tend to infect, either because they can hide within them, or because they can hijack their execution routines. This way, the scanner avoids having to examine the entire file for virus code; it can instead sample the file at well defined poin ts to look for virus code signatures that indicate an infection.
About VirusScan Software
The development environment brings as much speed to .DAT file construction as it does to scan engine routines. The environment provides tools researchers can use to write “generic” definitions that identify entire virus families, and that can easily detect the tens or hundreds of variants that make up the bulk of new virus sightings. Continual refinements to this technique have moved most of the hand-tooled virus definitions that used to reside in .DAT file updates directly into the scan engine as bundles of generic routines. Researchers can even employ a Virtran architectural feature to plug in new engine “verbs” that, when combined with existing engine functions, can add functionality needed to deal with new infection techniques, new variants, or other problems that emerging viruses now pose.
This results in blazingly quick enhancements the engine’s detection capabilities and removes the need for continuous updates tha t target virus variants.

Encrypted polymorphic virus detection

Along with generic virus variant detection, the scan engine now incorpora te s a generic decryption engine, a set of ro utines that en ables VirusScan so ftware to track viruses that try to conceal themselves by encrypting and mutating their code signatures. These “polymorphic” viruses are notoriously difficult to detect, since they change their code signature each time they replicate.
Administrator’s Guide 17
About VirusScan Software
This meant that the simple pattern-matching method that earlier scan engine incarnations used to find many viruses simply no longer worked, since no constant sequence of bytes existed to detect. To respond to this threat, McAfee VirusScan researchers developed the PolyScan Decryption Engine, which locates and analyzes the algorithm that these types of viruses use to encrypt and decrypt themselves. It then runs this code through its paces in an emulated virtual machine in order to understand how the viruses mutate
themselves. Once it does so, the engine can spot the “undisguised” nature of these viruses, and thereby detect them reliably no matter how they try to hide themselve s.

“Double heuristics” analysis

As a further engine enhancement, McAfee VirusScan research ers h ave hon ed
early heuristic scanning technologies—originally developed to detect the astonishing flood of macro virus variants that erupted after 1995 —into a set of precision instruments. Heuristic scanning techniques rely on the engine’s experience with previous viruses to predict the likelihood that a suspicious file is an as-yet unidentified or unclassified new virus.
The scan engine now incorporates ViruLogic, a heuristic technique that can observe a program’s behavior and evaluate how closely it resembles either a macro virus or a file-infecting virus. ViruLogic looks for virus-like behaviors in program functions, such as covert file modifications, background calls or invocations of e-mail clients, and other methods that viruses can use to replicate themselves. When the number of these types of behaviors—or their inherent quality—reaches a predetermined threshold of tolerance, th e engine fingers the program as a likely virus.
The engine also “triangulates” its evaluation by looking for program behavior that no virus would display—prompting for some types of user input, for example—in order to eliminate false positive detections. This double-heuristic combination of “positive” and “negative” techniques results in an unsurpassed detection rate with few, if any, costly misidentifications.

Wide-spectrum coverage

As malicious agents have evolved to take advantage of the instant communication and pervasive reach of the Internet, so VirusScan software has evolved to counter the threats they present. A computer “virus” once meant a specific type of agent—one designed to replicate on its own and cause a limited type of havoc on the unlucky recipient’s computer. In recent years, however, an astounding range of malicious agents has emerged to assault personal computer users from nearly every conceivable angle. Many of these agents—some of the fastest-spreading worms, for instance—use updated versions of vintage techniques to infect systems, but many others make full use of the new opportunities that web-based scripting and application hosting present.
18 McAfee VirusScan
About VirusScan Software
Still others open “back doors” into desktop systems or create security holes in a way that closely resembles a deliberate attempt at network penetration, rather than the more random mayhem that most viruses tend to leave in their wakes.
The latest VirusScan software releases, as a consequence, do not simply wait for viruses to appear on your system, they scan proactively at the source or work to deflect hostile agents away from your system. The VShield scanner that comes with VirusScan software has three modules that concentrate on agents that arrive from the Internet, that spread via e-mail, or that lurk on Internet sites. It can look for particular Java and ActiveX objects that pose a threat, or block access to dangerous Internet sites. Meanwhile, an E-M ail Scan extension to Microsoft Exchange e-mail clients, such as Microsoft Outlook, can “x-ray” your mailbox on the server, looking for malicious agents before they arrive on your desktop.
VirusScan software even protects itself against attempts to use its own functionality against your computer. Some virus writers embed their viruses inside documents that, in turn, they embed in other files in an attempt to evade detection. Still others take this technique to an absurd extreme, constructing highly recursive—and very large—compressed a rchive f iles in an attempt to tie up the scanner as it digs through the file looking for infections. VirusScan software accurately scans the majority of popular compressed file and archive file formats, but it also includes logic that keeps it from getting trapped in an endless hunt for a virus chimera.

What comes with VirusSca n softwa re?

VirusScan software consists of several components that combine one or more related programs, each of which play a part in defending your computer against viruses and other malicious software. The components are:
The VirusScan Central. This is your main entry point in using all of the available components of McAfee VirusScan. This home screen (see Figure 1-2) provides relevant information such as the last time a virus scan was performed on your computer; what VShield settings are enabled or disabled and available DAT information and when it was created.
Administrator’s Guide 19
About VirusScan Software
Figure 1-1. McAfee VirusScan Central screen
The VirusScan Console. This component allows you to create, configure and run VirusScan tasks at times you specif y. A “task” can include anything from running a scan operation on a set of disks at a specific time or interval, to running an update o r upgrade operation. You can al so enable or disable the VShield scanner from the Console window.
the Console comes with a preset list of tasks that ensures a minimal level of protection for your system—you can, for example, immediately scan and clean your C: drive or all disks on your computer.
The VShield scanner. This component gives you continuous anti-virus protection from viruses that arrive on floppy disks, from your network, or from various sources on the Internet. The VShield scanner starts when you start your computer, and stays in memory until you shut down. A flexible set of property pages lets you tell the scanner which parts of yo ur system to examine, what to look for, which parts to leave alone, and how to respond to any infected files it finds. In addition, the scanner can alert you when it finds a virus, and can generate reports that summarize each of its actions.
20 McAfee VirusScan
About VirusScan Software
The VShield scanner comes with three other specialized modules that guard against hostile Java applets and ActiveX controls, that scan e-mail messages and attachments that you receive from the Internet via Lotus
cc:Mail, Microsoft Mail or other mail clients that comply with Microsoft’s Messaging Application Programming Interface (MAPI) standard, and that block access to dangerous Internet sites. Secure password protection for your configuration options prevents others from making unauthorized changes. The same convenient dialog bo x controls configuration options for all VShield modules.
• Safe & Sound. This component allows you to create backup sets in protected volume files, which is the safest and preferred type of backup. A protected volume file is a sectioned-off area of the drive, sometimes called a logical drive.
NOTE: Sa fe & Sound is on ly a vailabl e for Wi ndow s 95, 98 and Windows ME. For more information, access the PDF formatted
file of the User’s Guide (i.e., vscan51_userguide.pdf) included in the McAfee VirusScan CD-ROM and read “About Safe & Sound”.
• Quarantine. This component allows you to move infected files to a quarantine folder. This moves infected files from areas where they can be accessed and enables you to clean or delete them at your convenience.
NOTE: For more information, access the PDF formatted file of
the User’s Guide (i.e., vscan51_userguide.pdf) included in the McAfee VirusScan CD-ROM and read “About Quarantine”.
• The E-Mail Scan extension. This component allows you to scan your Microsoft Exchange or Outlook mailbox, or public folders to which you
have access, directly on the server. This invaluable “x-ray” peek into your mailbox means that VirusScan software can find potential infections before they make their way to your desktop, which can stop a Melissa-like virus in its tracks.
• A cc:Mail scanner. This component includes technology optimized for scanning Lotus cc:Mail mailboxes that do not use the MAPI standard. Install and use this component if your workgroup or network uses cc:Mail v7.x or earlier.
Administrator’s Guide 21
About VirusScan Software
The Alert Manager Client configuration uti lity. Thi s com pon ent le ts yo u choose a destination for Alert Manager “events” that VirusScan software generates when it detects a virus or takes other noteworthy actions. You can also specify a destination directory for older-style Centralized Alerting messages, or supplement either method with Desktop Management Interface (DMI) alerts sent via your DMI client software.
• The ScreenScan utility. This optional component scans your computer as your screen saver runs during idle periods.
• The SendVirus utility. This component gives you an easy and painless way to submit files that you believe are infected directly to McAfee
VirusScan’s anti-virus researchers. A simple wizard guides you as you choose files to submit, include contact details and, if you prefer, strip out any personal or confidential data from document files.
• The Emergency Disk creation utility. This essential utility helps you to create a floppy disk that you can use to boot your computer int o a virus-free environment, then scan essential system areas to remove any viruses that could load at startup.
Command-line scanners. This component consists of a set of full-featured scanners you can use to run targeted scan operations from the MS-DOS Prompt or Comma nd Prompt wi ndows, or fr om prot ected MS-DOS m ode. The set includes:
22 McAfee VirusScan
SCAN.EXE, a scanner for 32-bit environments only. This is the
primary command-line interface. When you run this file, it first checks its environment to see whether it can run by itself. If your computer is running in 16-bit or protected mode, it will transfer control to one of the other scanners.
SCANPM.EXE, a scanner for 16- and 32-bit environments. This
scanner provides you with a full set of scanning options for 16- and 32-bit protected-mode DOS environments. It also includes support for extended memory and flexible memory allocations. SCAN.EXE will transfer control to this scanner when its specialized capabilities can enable your scan operation to run more efficiently.
SCAN86.EXE, a scanner for 16-bit environments only. This scanner
includes a limited set of capabilities geared to 16-bit environments. SCAN.EXE will transfer control to this scanner if your computer is running in 16-bit mode, but without special memory configurations.
BOOTSCAN.EXE, a smaller, specialized scanner for use primarily
with the Emergency Disk utility. This scanner ordinarily runs from a floppy disk you create to provide you with a virus-free boot environment.
About VirusScan Software
When you run the Emergency Disk creation wizard, VirusScan software copies BOOTSCAN.EXE, and a specialized set of .DAT files to a single floppy disk. BOOTSCAN.EXE will not detect or clean macro viruses, but it will detect or clean other viruses that can jeopardize your VirusScan software installation or infect files at system startup. Once you identify and respond to those viruses, you can safely run VirusScan software to clean the rest of your system.
All of the command-line scanners allow you to initiate targeted scan operations from an MS-DOS Prompt or Command Prompt window, or from protected MS-DOS mode. Ordinarily, you’ll use the VirusScan application’s graphical user interface (GUI) to perform most scanning operations, but if you have trouble starting Windows or if the VirusScan GUI components will not run in your environment, yo u can use the command-line scanners as a backup.
Documentation. VirusScan software documentation includes:
–A printed Getting Started Guide, which introduces the product,
provides installation instructions, outlines how to respond if you suspect your computer has a virus, and provides a brief product overview. The printed Getting Started Guide comes with the VirusScan software copies distributed on CD-ROM discs—you can also download it as vs51_getstart.PDF from Network Associates website or from other electronic services.
A user’s guide saved on the VirusScan software CD-ROM or
installed on your hard disk in Adobe Acrobat .PDF format. You can also download it as a vscan51_userguide.PDF file from Network Associates website or from other electronic services. The VirusScan
User’s Guide describes in detail how to use VirusScan and includes other information useful as background or as advanced configuration options. Acrobat .PDF files are flexible online documents that contain hyperlinks, outlines and other aids for easy navigation and information retrieval.
This administrator’s guide saved on the VirusScan software
CD-ROM or installed on your hard disk in Adobe Acrobat .PDF format. You can also download it as vs51_admin.PDF from Network Associates website or from other electronic services. The
VirusScan Administrator’s Guide describes in detail how to manage and configure VirusScan software from a local or remote desktop.
An online help file. This file gives you quick access to a full range of
topics that describe VirusScan software. You can open this file either by choosing Help Topics from the Help menu in the VirusScan main window, or by c licking any of the Help buttons disp layed in VirusScan dialog boxes.
Administrator’s Guide 23
About VirusScan Software
The help file also includes extensive context-sensitive—or “What's This”—help. To see these help topics, right-click buttons, lists, icons, some text boxes, and other elements that you see within dialog boxes. You can also click the ? symbol at the top-right corner in most dialog boxes, then click the element you want to see described to display the relevant topic. The dialog boxes with Help buttons open the help file to the specific topic that describes the entire dialog box.
A LICENSE.TXT file. This file outlines the terms of your license to
use VirusScan software. Read it carefully—by in stalling VirusScan software you agree to its terms.
A README.TXT file. This file contains last-minute additions or
changes to the documentation, lists any known behavior or other issues with the product release, and often describes new product features incorporated into incremental product updates. You’ll find the README.TXT file at the root level of your VirusScan software CD-ROM or in the VirusScan software program folder—you can open and print it from Windows Notepad, or from nearly any word-processing software.

What’s new in this release?

This VirusScan release introduces a number of innovative new features to the
product’s core functionality, to its range of coverage, and to the details of its application architecture. A previous section, “How does VirusScan software
work?” on page 17, discusses many of these features. The single most
significant change between previous VirusScan versions and this release, however, is the integration of two separate VirusScan versions optimized to run on separate Windows platforms into a single product that runs on both. This single product also takes full advantage of each platform’s strengths.
The next sections discuss other changes that this VirusScan release introduces.

Installation and distribution features

McAfee VirusScan’s anti-virus products, including VirusScan software, now use the Microsoft Windows Installer (MSI), which comes with all Windows 2000 Professional systems. This Setup utility offers a wealth of custom installation and configuration features that make VirusScan software rollout across large organizations much easier and more intuitive. To learn more about how to run custom Setup operations with MSI, see Chapter 2, “Insta lling
VirusScan Software” in the VirusScan Administrator’s Guide.
24 McAfee VirusScan
About VirusScan Software
This VirusScan version also comes w ith complete support for the Network Associates ePolicy Orchestrator software distribution tool. A specially packaged VirusScan version ships with the ePolicy Orchestrator software, ready for enterprise-wide distribution. You can distribute VirusScan software, configure it from the ePolicy Orchestrator console, update that configuration and any program or .DAT files at any time, and schedule scan operations, all for your entire network user base. To learn more about using ePolicy Orchestrator software for VirusScan distribution and configuration, consult the ePolicy Orchestrator Administrator’s Guide.

Interface enhancements

This release moves the VirusScan interface for all supported platforms solidly into the territory VirusScan for Windows 95 and Windows 98 pioneered with its v4.0.1 release. This adds extensive VShield scanner configuration options for the Windows NT Workstation v4.0 and Windows 2000 Professional platforms, while reducing the complexity of some previous configuration options. Alert Manager server configuration, for example, moves entirely over
to the NetShield product line—VirusScan software now acts strictly as a configurable client application.
This release also adds a new VirusScan control panel, which functions as a central point from which you can enable and disable all VirusScan components. This control panel also lets you set a ceiling for the number of items you can scan in or exclude from a single operation, and can set the VShield scanner and VirusScan control panel to run at startup. Other changes include:
• New VShield system tray icon states tell you more about which VShield modules are active. These states are:
All VShield modules are active – The System Scan module is active, but one or more of the other
VShield modules is inactive
The System Scan module is inactive, but one or more of the other
VShield modules is active
All VShield modules are inactive
• New interface settings for task configuration allow you to tell the VirusScan application how you want it to appear as your scheduled task runs and what you want it to do when it finishes. You can also set a password to protect individual task settings from changes, or to protect an entire task configuration at once.
Administrator’s Guide 25
About VirusScan Software
• An updated randomization feature for schedule d ta sks allows you to set a time for the task to run, then set a randomization “window.” The VirusScan Console then picks a random time within the window to actually start the task.
• System Scan mo dule action options now include a new Prompt Type configuration option for Windows 95 and Windows 98 systems. This option lets you determine how the Prompt for user action alert appears.

Changes in product functionality

• A new Alert Manager Client configuration utility allows you to choose an Alert Manager server installed on your network as an alert message destination, or to select a network share as a destination for Centralized Alerting messages. You can also supplement either of these alert methods with Desktop Management Interface alert messages.
• The Alert Manager server supports Intel Pentium III processor serial numbers to identify individual machines for virus notification. For more information about Intel processor serial numbers, consult the Intel FAQ at http://support.intel.com/support/processors/pentiumiii/psqa.htm.

New update options for your VirusScan software

Even with the majority of the virus definitions it requires now incorporated directly into its engine in generic routines, VirusScan software still requires regular .DAT file updates to keep pace with the 200 to 300 new viruses that appear each month. To meet this need, McAfee VirusScan has incorporated updating technology in VirusScan software from its earliest incarnations. With this release, that technology takes a quantum leap forward with incremental .DAT file updating.
The Network Associates SecureCast service provides a convenient method you can use to receive the latest virus definition (.DAT) file updates automatically, as they become available, without your having to download them.
NOTE: For more information, access the PDF formatted file of the User’s Guide (i.e., vscan51_userguide.pdf) included in the McAfee VirusScan CD-ROM and read “Using the SecureCast Service to Get New Data Files.”
26 McAfee VirusScan
2Installing VirusScan
Software

Before you begin

McAfee VirusScan Software distributes VirusScan software in two ways: 1) as an archived file that you can download from the McAfee Web site; and 2) on CD-ROM. Although the method you use to transfer VirusScan files from an archive you download differs from the method you use to transfer files from a CD-ROM you place in your CD-ROM drive, the installation steps you follow after that are the same for both distribution types. Review the system requirements to verify that VirusScan software will run on your system.

System requirements

VirusScan software will install and run on any IBM PC or PC-compatible computer equipped with:
• A processor equivalent to at least an Intel Pentium-class or compatible processor. McAfee VirusScan Software recommends an Intel Pentium processor or Celeron processor running at a minimum of 166 MHz.
• A CD-ROM drive. If you downloaded your copy of VirusScan software, this is an optional item.
2
• At least 16MB of free hard disk space.
• At least 16MB of free random-access memory (RAM). McAfee VirusScan Software recommends at least 20MB.
• Microsoft Windows 95, Windows 98, Windows ME, Windows NT Workstation v4.0 with Service Pack 4 or later, or Windows 2000 Professional. McAfee VirusScan Software recommends that you also have Microsoft Internet Explorer v4.0.1 or later installed, particularly if your system runs any Windows 95 version.

Other recommendations

To take full advantage of VirusScan software’s automatic update features, you should have an Internet connection via a high-speed modem and an Internet service provider.
User’s Guide 27
Installing VirusScan Software

Preparing to install VirusScan software

After inserting the McAfee VirusScan on your CD-ROM drive , you should see a VirusScan welcome image appear automatically. To install VirusScan software immediately, click Install VirusScan, then skip to Step 4 to continue with Setup. If the welcome image does not appear, or if you are installing VirusScan software from files you downloaded, start with Step 2.
Ë IMPORTANT: Because Setup installs some VirusScan files as services on
Windows NT Workstation v4.0 and Windows 2000 Professional systems, you must log in to your system with Administrator rights to install this product. To run Setup on Windows 95 or Windows 98, you do not need to log in with any particular profile or rights.

Installation options

The Installation steps section describes how to install VirusScan software with its most common options on a single compu ter or workstati on. You can choo se
to do a Typical setup—which installs commonly used VirusScan components but leaves out some VShield modules and the ScreenScan utility—or you can choose to do a Custom setup, which gi ves you the option to install all VirusScan components.

Installation steps

McAfee VirusScan Software recommends that you first quit all other applications you have running on your system before you start Setup. Doing so reduces the possibility that software conflicts will interfere with your installation.
To install VirusScan sof tware, follo w these step s:
1. If your computer runs Windows NT Workstation v4.0 or Windows 2000 Professional, log on to your sys tem as Administrator. You must have administrative rights to install VirusScan software on your system.
28 McAfee VirusScan
Installing VirusScan Software
2. Choose Run from the Start menu in the Windows taskbar. The Run dialog box will appear (Figure 2-1).
Figure 2-1. Run dialog box
3. Type <X>:\SETUP.EXE in the text box provided, then click OK. Here, <X> represents the drive letter for your CD-ROM drive or the path
to the folder that contains your extracted VirusScan files. To search for the correct files on your hard disk or CD-ROM, click Browse.
NOTE: If your VirusScan software copy came on an Active Virus
Defense or a Total Virus Defense CD-ROM, you must also specify which folder contains the VirusScan software.
Before it continues with the installation, Setup first checks to see whether your computer already has version 1.1 of the Microsoft Windows Installer (MSI) utility running as part of your system software.
If your computer runs Windows 2000 Professional, this MSI version already exists on your system. If your computer runs an earlier Windows release, you might still have this MSI version on your system if you previously installed other software that uses MSI. In e ither of these cases, Setup will display its first wizard panel immedia tely. Skip to Step 4 to continue.
If Setup does not find MSI v1.1 on your computer, it installs files it needs to continue the installation, then prompts you to restart your computer. Click Restart System.
When your computer restarts, Setup will continue from where it left off. The Setup welcome panel will appear (Figure 2-2).
User’s Guide 29
Installing VirusScan Software
4. This first panel tells you where to locate the README.TXT file, which describes product features, lists any known issues, and includes the latest available product information for this VirusScan version. When you have read the text, click Next> to continue.
Figure 2-2. Setup welcome panel
5. The next wizard panel displays the VirusScan software end-user license
30 McAfee VirusScan
agreement. Read this agreement carefully—if you install VirusScan software, you agree to abide by the terms of the license.
If you do not agree to the license terms, select I do not agree to the terms of the License Agreement, then click Cancel. Setup will quit immediately. Otherwise, click I agree to the terms of the License Agreement, then click Next> to continue.
Setup next checks to see whether previous VirusScan versions or incompatible software exists on your computer. If you have no other anti-virus software or any previous VirusScan versions on your system, it will display the Security Type or the Setup Type panel. Skip to Step 8 to continue.
If Setup discovers an earlier VirusScan version on your system, it will tell you that it must remove that earlier version. If your computer runs Windows 95 or Windows 98, Setup also gives you the option to preserve the VShield configuration settings you chose for the earlier version.
If your computer runs Windows NT Workstation v4.0 or Windows 2000 Professional, Setup will remove the previous VirusScan version, but will not preserve any previous VShield scanner settings.
Loading...
+ 110 hidden pages