McAfee VCLCDE-AA-DA, VirusScan Command Line Product Manual

Download

Product Guide

VirusScan® Command Line

version 5.20.0

McAfee®

System Protection

Industry-leading intrusion prevention solutions

or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions

This product includes or may include:

• Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). • Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. • Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. • Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. • Software originally written by Robert Nordier, Copyright © 1996-7 Robert Nordier. • Software written by Douglas W. Sauder. • Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. • International Components for Unicode ("ICU") Copyright ©1995-2002 International Business Machines Corporation and others. • Software developed by CrystalClear Software, Inc., Copyright ©2000 CrystalClear Software, Inc. • FEAD

Optimizer

Outside In

HTML Export, © 2001 Stellent Chicago, Inc. • Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, © 1998, 1999, 2000. • Software copyrighted by Expat maintainers. • Software copyrighted by The Regents of the University of California, © 1996, 1989, 1998-2000. • Software copyrighted by Gunnar Ritter. • Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., © 2003. • Software copyrighted by Gisle Aas. © 1995-2003. • Software copyrighted by Michael A. Chase, © 1999-2000.

• Software copyrighted by Neil Winton, ©1995-1996. • Software copyrighted by RSA Data Security, Inc., © 1990-1992. • Software copyrighted by Sean M. Burke, © 1999, 2000. • Software copyrighted by Martijn Koster, © 1995. • Software copyrighted by Brad Appleton, © 1996-1999.

• Software copyrighted by Michael G. Schwern, ©2001. • Software copyrighted by Graham Barr, © 1998. • Software copyrighted by Larry Wall and Clark Cooper, © 1998-2000. • Software copyrighted by Frodo Looijaard, © 1997. • Software copyrighted by the Python Software Foundation, Copyright © 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. • Software copyrighted by Beman Dawes, © 1994-1999, 2002. • Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek © 1997-2000 University of Notre Dame. • Software copyrighted by Simone Bordet & Marco Cravero, © 2002. • Software copyrighted by Stephen Purcell, © 2001. • Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). • Software copyrighted by International Business Machines Corporation and others, © 1995-2003. • Software developed by the University of California, Berkeley and its contributors. • Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http:// www.modssl.org/). • Software copyrighted by Kevlin Henney, © 2000-2002. • Software copyrighted by Peter Dimov and Multi Media Ltd. © 2001, 2002. • Software copyrighted by David Abrahams, © 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. • Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, © 2000. • Software copyrighted by Boost.org, © 1999-2002. • Software copyrighted by Nicolai M. Josuttis, © 1999. • Software copyrighted by Jeremy Siek, © 1999-2001. • Software copyrighted by Daryle Walker, © 2001. • Software copyrighted by Chuck Allison and Jeremy Siek, © 2001, 2002. • Software copyrighted by Samuel Krempp, © 2001. See http://www.boost.org for updates, documentation, and revision history. • Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), © 2001, 2002. • Software copyrighted by Cadenza New Zealand Ltd., © 2000. • Software copyrighted by Jens Maurer, ©2000, 20 01. • Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), ©1999, 2000. • Software copyrighted by Ronald Garcia, © 2002. • Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, ©1999-2001. • Software copyrighted by Stephen Cleary (shammah@voyager.net), ©20 00. • Software copyrighted by Housemarque Oy <http://www.housemarque.com>, © 2001. • Software copyrighted by Paul Moore, © 1999. • Software copyrighted by Dr. John Maddock, © 1998-2002. • Software copyrighted by Greg Colvin and Beman Dawes, © 1998, 1999. • Software copyrighted by Peter Dimov, © 2001, 2002. • Software copyrighted by Jeremy Siek and John R. Bandela, © 2001. • Software copyrighted by Joerg Walter and Mathias Koch, © 200 0-2002. • Software copyrighted by Carnegie Mellon University © 1989, 1991, 1992. • Software copyrighted by Cambridge Broadband Ltd., © 2001-2003. • Software copyrighted by Sparta, Inc., © 2003-2004. • Software copyrighted by Cisco, Inc. and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. • Software copyrighted by Simon Josefsson, © 2003. • Software copyrighted by Thomas Jacob, © 2003-2004. • Software copyrighted by Advanced Software Engineering Limited, © 2004. • Software copyrighted by Todd C. Miller, © 1998. • Software copyrighted by The Regents of the University of California, © 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.

PATENT INFORMATION

Protected by US Patents 6,029,256; 6,496,875; 6,668,289.

Issued July 2007 / VirusScan® Command Line software version 5.20.0

DBN-004-EN

Contents

1 Introducing VirusScan® Command Line 5

Product features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

What’s new in this release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Using this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Getting product information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Contact information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2 Installing VirusScan® Command Line 10

Installation requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Installing the software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Validating your files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

Testing your installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

Removing the program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

3 Using the Command-Line Scanner 16

What can you scan? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Scanning diskettes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Scanning files in remote storage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18

Scanning NTFS streams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18

Scanning protected files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18

Using memory caches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

Scanning processes in memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Running an on-demand scan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Command-line conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

General hints and tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Configuring scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Creating a list of infected files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Using heuristic analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Producing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Choosing the options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Scanning options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Response and notification options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Report options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

General options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Options in alphabetic order. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Error levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Handling error messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

4 Removing Infections 38

If the scanner detects a virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Removing a virus found in a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Running additional virus-cleaning tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

5 Preventing Infections 42

Detecting new and unidentified viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Why do I need new DAT files? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

VirusScan® Command Line 5.20.0 Product Guide Contents

Updating your DAT files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Index 44

Introducing VirusScan® Command Line

The command-line scanner is a program that you can run from a command-line prompt. It provides an alternative to scanners that use a graphical user interface (GUI). Both types of scanner use the same scanning engine. This section describes:

 Product features

 What’s new in this release

 Using this guide

 Getting product information

 Contact information

Product features

When installed on your Microsoft Windows system, VirusScan® Command Line becomes an effective solution against viruses, Trojan-horse programs, and other types of potentially unwanted software.

The command-line scanner enables you to search for viruses in any directory or file in your computer on demand — in other words, at any time. The command-line scanner also features options that can alert you when the scanner detects a virus or that enable the scanner to take a variety of automatic actions.

When kept up-to-date with the latest virus definition (DAT) files, the scanner is an important part of your network security. We recommend that you set up a security policy for your network that incorporates as many protective measures as possible. The scanner acts as an interface to the powerful scanning engine — the engine common to all our security products.

VirusScan® Command Line 5.20.0 Product Guide Introducing VirusScan® Command Line

What’s new in this release

This release of VirusScan® Command Line includes the following new features or enhancements:

 More protection: Automatic identification and removal of viruses delivering the next

generation of best-of-breed anti-virus scanning engines. It offers improved protection against existing, new and potential threats and increases the depth and breadth of the protection we provide.

 It's faster than before: We've listened to our customers who asked for a faster

Engine and it delivers superior performance to current McAfee Anti-Virus products on all supported platforms.

 100% drop-in compatibility with existing McAfee Anti-Virus products and DAT files.

It's easy to upgrade; just replace your existing Engine with the new version and you're protected. No worrying about compatibility.

Using this guide

This guide provides information on installing, configuring and using your product. For system requirements, refer to the Release Notes. The following topics are included:

 Introducing VirusScan® Command Line on page 5.

An overview of the product, including a description of new or changed features; an overview of this guide; McAfee contact information.

 Installing VirusScan® Command Line on page 10.

 Using the Command-Line Scanner on page 16.

The command options organized as functions and in alphabetic order.

 Removing Infections on page 38.

 Preventing Infections on page 42.

Audience

This information is intended primarily for two audiences:

 Network administrators who are responsible for their company’s anti-virus and

security program.

 Users who are responsible for updating virus definition (DAT) files on their

workstations, or configuring the software’s detection options.

VirusScan® Command Line 5.20.0 Product Guide Introducing VirusScan® Command Line

Using this guide

Conventions

This guide uses the following conventions:

Bold Condensed

All words from the interface, including options, menus, buttons, and dialog box names.

Example:

Type the

User name and Password of the appropriate account.

Courier The path of a folder or program; text that represents something the user

types exactly (for example, a command at the system prompt).

Examples:

The default location for the program is:

C:\Program Files\McAfee\EPO\3.5.0

Run this command on the client computer:

scan --help

Italic For emphasis or when introducing a new term; for names of product

documentation and topics (headings) within the material.

Example: Refer to the VirusScan Enterprise Product Guide for more information.

Blue A web address (

URL) and/or a live link.

Example: Visit the McAfee web site at:

http://www.mcafee.com

<TERM> Angle brackets enclose a generic term.

Example: In the console tree, right-click <

SERVER>.

Note

Note: Supplemental information; for example, another method of

executing the same command.

Tip

Tip: Suggestions for best practices and recommendations from McAfee for

threat prevention, performance and efficiency.

Caution

Caution: Important advice to protect your computer system, enterprise,

software installation, or data.

Warning

Warning: Important advice to protect a user from bodily harm when using

a hardware product.

VirusScan® Command Line 5.20.0 Product Guide Introducing VirusScan® Command Line

Getting product information

Unless otherwise noted, product documentation comes as Adobe Acrobat .PDF files, available on the product CD or from the McAfee download site.

Product Guide — Product introduction and features, detailed instructions for installing

and configuring the software, information on deployment, recurring tasks, and operating procedures.

Help — Brief descriptions of the most common options, accessed from the software

application.

Release Notes — ReadMe. Product information, resolved issues, any known issues,

and last-minute additions or changes to the product or its documentation. A text file is included with the software application and on the product CD.

License Agreement — The McAfee License Agreement booklet that includes all of

the license types you can purchase for your product. The License Agreement presents general terms and conditions for use of the licensed product.

Contacts — Contact information for McAfee services and resources: technical

support, customer service, Security Headquarters (AVERT), beta program, and training. A text file is included with the software application and on the product CD.

VirusScan® Command Line 5.20.0 Product Guide Introducing VirusScan® Command Line

Contact information

Threat Center: McAfee Avert® Labs http://www.mcafee.com/us/threat_center/default.asp

Avert Labs Threat Library

http://vil.nai.com

Avert Labs WebImmune & Submit a Sample (Logon credentials required)

https://www.webimmune.net/default.asp

Avert Labs DAT Notification Service

http://vil.nai.com/vil/signup_DAT_notification.aspx

Download Site http://www.mcafee.com/us/downloads/

Product Upgrades (Valid grant number required)

Security Updates (DATs, engine)

HotFix and Patch Releases

 For Security Vulnerabilities (Available to the public)

 For Products (ServicePortal account and valid grant number required)

Product Evaluation

McAfee Beta Program

Technical Support http://www.mcafee.com/us/support/

KnowledgeBase Search

http://knowledge.mcafee.com/

McAfee Technical Support ServicePortal (Logon credentials required)

https://mysupport.mcafee.com/eservice_enu/start.swe

Customer Service

Web

http://www.mcafee.com/us/support/index.html http://www.mcafee.com/us/about/contact/index.html

Phone — US, Canada, and Latin America toll-free: +1-888-VIRUS NO or +1-888-847-8766 Monday – Friday, 8 a.m. – 8 p.m., Central Time

Professional Services

Enterprise: http://www.mcafee.com/us/enterprise/services/index.html

Small and Medium Business: http://www.mcafee.com/us/smb/services/index.html

Installing VirusScan® Command Line

We distribute the VirusScan® Command Line software in two ways — on a CD, and as an archived file that you can download from our web site or from other electronic services.

Review the Installation requirements to verify that the software will run on your system, then follow the installation steps.

Installation requirements

To install and run the software, you need the following:

 An IBM-compatible personal computer with a Pentium or equivalent processor.

 10 MB of free hard disk space for a full installation.

 For Microsoft Windows 98 systems, a minimum of 64 MB RAM is required, 128 MB

IS recommended.

 For Microsoft Windows NT and later systems, a minimum of 128 MB RAM is

required, 256

MB IS recommended.

 The 64-bit version requires an AMD64 processor, running a 64-bit Microsoft

Windows operating system.

 A CD drive, if you are not downloading the software from a web site.

Other recommendations

To take full advantage of the regular updates to DAT files from our web site, you need an Internet connection, either through your local area network, or via a high-speed modem and an Internet Service Provider.

VirusScan® Command Line 5.20.0 Product Guide Installing VirusScan® Command Line

Installing the software

If you suspect your computer is already infected, see Removing Infections on page 38 before you install the scanner software.

1 Create a directory for the software on your hard disk. If you are using DOS, you may

use

MKDIR.

2 Depending on the source of your command-line program files, do one of the

following:

 CD

Insert the CD into your CD drive, then copy the files from the CD to the directory that you created in Step 1.

 Files downloaded from a web site

Download the file to the directory that you created in Step 1, and decompress the zipped files into that directory.

3 If you are using DOS, add the directory you created in Step 1 to the

PATH statement

in your

AUTOEXEC.BAT file.

To run the scanner before a workstation logs on to a Novell NetWare server

To enable the scanner to run on a personal computer before it can logon to a Novell NetWare server, use the following steps immediately after installation

1 Rename

LOGIN1.EXE, then remove any references to the scanning software from the file.

2 Create a batch file named

3 At the first line of the batch file, add a call to the scanner, with the options you want

to include. For example:

SCAN /ADL /SECURE /NOBREAK

4 Add a call to the file LOGIN1.EXE to a subsequent line of the batch file. For example:

lOGIN1.EXE %1 %2 %3

The previous steps prevent LOGIN.EXE and SCAN.EXE from loading into memory at the same time. This allows the scanner to run before your computer tries to get access to the network.

Tip

We recommend that you use the -d option to extract command-line files and preserve their directory structure. Type CD to change to the directory to which you extracted the program files.

VirusScan® Command Line 5.20.0 Product Guide Installing VirusScan® Command Line

Installing the software

Sample batch file

The following code is provided only as a suggestion, for you to use and modify to suit your own purposes. It has not been thoroughly tested. This sample batch file assumes that

SCAN and the DAT files are in the current directory. It enables the login to the

Netware server only if the scan finds no viruses on the workstation. All local drives are scanned, and the user cannot press

CTRL BREAK to quit the scan.

@ECHO OFF

SCAN /ADL /SECURE /NOBREAK

IF ERRORLEVEL 102 GOTO ERR102 IF ERRORLEVEL 21 GOTO ERR21 IF ERRORLEVEL 20 GOTO ERR20 IF ERRORLEVEL 19 GOTO ERR19 IF ERRORLEVEL 15 GOTO ERR15 IF ERRORLEVEL 13 GOTO ERR13 IF ERRORLEVEL 10 GOTO ERR10 IF ERRORLEVEL 8 GOTO ERR8 IF ERRORLEVEL 6 GOTO ERR6 IF ERRORLEVEL 2 GOTO ERR2 IF ERRORLEVEL 0 GOTO ERR0

:ERR102

ECHO User exited. GOTO EXIT

:ERR21

ECHO Clean on reboot. Please restart this PC to complete cleaning. GOTO EXIT

:ERR20

ECHO Frequency error (Don't scan N hours after the previous scan). GOTO EXIT

:ERR19

ECHO All cleaned. GOTO EXIT

:ERR15

ECHO Self-integrity check failed GOTO EXIT

:ERR13

ECHO Virus found! GOTO EXIT

:ERR10

ECHO A virus was found in memory! GOTO EXIT

:ERR8

ECHO DAT file not found. GOTO EXIT

:ERR6

ECHO There has been a problem [not a virus] with scan. GOTO EXIT

:ERR2

ECHO DAT file integrity check failed. GOTO EXIT

:ERR0

ECHO Scan completed successfully. No viruses found. LOGIN1.EXE %1 %2 %3

:EXIT

VirusScan® Command Line 5.20.0 Product Guide Installing VirusScan® Command Line

Validating your files

When you download or copy files from any outside source, your computer is at risk of virus infection — even if the risk is small. Downloading our scanning software is no exception. It is important to verify that the software is authentic, unaltered, and not infected. Strict, extensive security measures ensure that the products you purchase and download from our web site and other electronic services are safe, reliable, and free from virus infections. However, scanning software attracts the attention of virus writers and Trojan-horse writers, and some find it amusing to post infected copies of commercial software, or use the same file names to camouflage their own work.

Download the software package from our web site. If you download a file from any other source, it is important to verify that it is authentic, unaltered, and not infected. The software package includes a utility program called

VALIDATE.EXE that you can use

to ensure that your version of the software is authentic. When you receive a new version of this software, you can run

VALIDATE.EXE on all of its program files and DAT

files.

To ensure that you have exactly the same files as the original software, you need to compare the validation codes that

VALIDATE.EXE generates against the packing list

supplied with your copy of the software. The packing list is a text file that contains the validation codes that were generated from a cyclical redundancy check (CRC) when the software was packaged for delivery.

To validate your files:

1 Install the software as described in page 11.

2 In the Microsoft Windows task bar, choose a Command Prompt.

3 In the window that appears, change directory to the directory that contains the

VirusScan

Command Line files. (In DOS, you can use the CD command.)

4 At the command prompt, type:

VALIDATE *.*

The program examines all of the files in the program directory, then generates a file list that includes the following information:

 The name of each file.

 The size of each file, in bytes.

 The creation date and time of each file.

 Two validation codes in separate columns for each file.

For example:

AVVSCAN DAT 242681 03-26-04 4:40a 35B2 4690 AVVSCAN.DAT

5 Print this output so that you can review it easily. Direct the output to a file, and print

the file directly from any text editor, such as Microsoft Notepad. At the command prompt, type:

VALIDATE *.* > FILENAME

6 Print the file, PACKING.LST directly from any text editor, such as Microsoft Notepad.

VirusScan® Command Line 5.20.0 Product Guide Installing VirusScan® Command Line

Testing your installation

7 Compare the output from VALIDATE.EXE and PACKING.LST.

The sizes, creation dates and times, and validation codes for each file name must match exactly. If they do not, delete the file immediately. Do not open the file or examine it with any other utility; this may cause virus infection.

Checking your installation with

VALIDATE.EXE does not guarantee that your copy is free

from defects, copying errors, virus infections or tampering, but the program’s security features make it extremely unlikely that anyone has tampered with files that have correct validation codes.

Testing your installation

After it is installed, the program is ready to scan your computer for infected files. You can run a test to determine that the program is installed correctly and can properly scan for viruses. The test was developed by the European Institute of Computer Anti-virus Research (EICAR), a coalition of anti-virus vendors, as a method of testing any anti-virus software installation.

To test your installation:

1 Open a standard MS-DOS or Windows text editor, then type the following character

string as one line, with no spaces or line breaks:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

2 Save the file with the name EICAR.COM. The file size will be 68 or 70 bytes.

3 Start your scanning software and allow it to scan the directory that contains

EICAR.COM. When the software examines this file, it reports Found EICAR test

file NOT a virus.

Caution

The line shown above should appear as one line in your text editor window, so be sure to maximize your text editor window and delete any line breaks. Also, be sure to type the letter O, not the number 0, in the “X5O...” that begins the test message.

If you are reading this manual on your computer, you can copy the line directly from the Acrobat PDF file and paste it into Notepad. You can also copy this text string directly from the “Testing your installation” section of the README.TXT file, which is in your scanner’s program directory. If you copy the line from either of these sources, be sure to delete any carriage returns or spaces.

Caution

This file is

not a virus —

it cannot spread or infect other files, or otherwise harm your computer. Delete the file when you have finished testing your installation to avoid alarming other users.

Please note that products that operate through a graphical user

interface do not return this same EICAR identification message.

VirusScan® Command Line 5.20.0 Product Guide Installing VirusScan® Command Line

Removing the program

To remove the product from your system:

1 Change your command prompt to point to the directory that contains the VirusScan®

Command Line files (as set up in Step 1 under Installing the software on page 11).

2 Delete all files in the directory.

Caution

Removing the software leaves your computer unprotected against virus attack. Remove the product only when you are sure that you can upgrade quickly to a new version.

If you are an administrator, ensure that your users cannot accidentally remove their VirusScan

Command Line software.

Using the Command-Line Scanner

The command-line scanner is a program that you can run from a command prompt. If the scanner has been added to

PATH or is in the current directory, you can run a scan

by typing

SCAN at the command prompt with the options you want. For a complete list

of options, see page 25.

You should scan any file that is new to your computer, especially any newly downloaded or installed files. If your computers are susceptible to infection, you should scan as often as once a day. The scanner operates with minimal use of system resources.

The following features offer optimum protection for your computer and network:

 On-demand scanning options let you start a scan immediately or schedule

automatic scans.

 Advanced heuristic analysis detects previously unknown macro viruses and

program viruses.

 Updates to virus definition files and upgrades to program components ensure that

the program has the most current scanning technology to deal with threats as they emerge.

Later sections in this guide describe each of these features in detail.

The command-line scanner also includes options for administrators that help to ensure that the scanner is being used most efficiently. For example, the

/FREQUENCY option (on

page 27) sets a mandatory period between scans, which helps to minimize resources

when the network is most busy.

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

What can you scan?

 File types scanned by default.

The following file types and many other common file types that are susceptible to infection are scanned by default: .BIN, .COM, .DLL, .DOC, .DOT, .EXE, .HTM, .INI, .OVL, .RTF, .SYS, .VBS, .VXD, .XLA, .XLS, and .XLT.

 Archived and compressed files recognized by the scanner.

You can scan compressed and archive file formats which include .ARC, .ARJ, .CAB, Diet, .GZIP, LZEXE, .LZH, PKLite, .RAR, .TAR, and .ZIP files.

The scanner detects and reports any infections found in any compressed or archive file. The scanner can also clean files in .ZIP archive format. If you have access to Windows, you can clean certain infections from compressed files using VirusScan for Windows software.

You can use the options

/UNZIP and /NOCOMP to configure the scanner to handle

compressed files. These and other scanning options are described in the tables from page 25 to page 30.

 Any potentially unwanted software, cookies and registry entries.

The scanner detects and reports these items, enabling you to remove them if necessary.

Scanning diskettes

Diskettes pose a threat because many viruses infect computers when a computer ‘boots’ from an infected disk, or when users copy, run, or install programs or files that are infected. If you scan all new disks before first use, you can prevent new viruses entering any computer system.

Always scan all disks you use. Do not assume that disks received from friends, co-workers, and others are virus-free. Disks can also pose a threat even if they are not bootable. Therefore, we recommend that you check that your disk drives are empty before you turn on your computer. Then your computer will not pick up a boot-sector virus from an infected disk that was inadvertently left in a disk drive.

1 Using the

CD command, change to the directory where the scanner was installed.

2 Type:

SCAN A: /MANY

3 Insert a disk into the A drive, and press E

NTER.

The program scans the disk and displays the names of any infected files.

4 Remove the scanned disk from the A drive.

Repeat Step 3 and Step 4 for all disks that you need to scan.

Note

If the scanner detects a virus on this disk, it runs the command-line option that you chose for dealing with the virus. See page 40 for details on removing viruses.

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Scanning files in remote storage

Under some Microsoft Windows systems, files that are not in frequent use can be stored in a remote storage system, such as the Hierarchical Storage Management (HSM) system. However, when the files are scanned using the

/DOHSM option, those

files become in use again. To prevent this effect, you can include the

/NORECALL option.

In combination, these options request the stored file for scanning, but the file continues to reside in remote storage. The file is not transported back to local storage.

Scanning NTFS streams

Some known methods of file infection add the virus body at the beginning or the end of a host file. However, a stream virus exploits the NTFS multiple data streams feature in Windows NT and more recent Windows operating systems. For example, a Windows 95 or Windows 98 FAT file has only one data stream — the program code or data itself. In NTFS, users can create any number of data streams within the file — independent executable program modules, as well as various service streams such as file access rights, encryption data, and processing time.

Unfortunately, some streams might contain viruses. The scanner can detect a stream virus in one of two ways; you can specify the full stream name, or you can include

/STREAMS and specify either no stream name, or a part of a stream name using the

wildcard characters

? and *.

The following table shows the effect of different commands on a stream called

FILE:STREAM that contains a virus.

Scanning protected files

The scanner normally scans files such as other users’ profiles and recycle bins. To prevent this type of scanning in Windows NT or later systems, use /NOBKSEM.

Table 3-1 Scanning streams

Command Action

SCAN /ALL /STREAMS FILE All streams were scanned.

The virus is detected.

SCAN /ALL FILE:STREAM The exact stream name was specified.

The virus is detected.

SCAN /ALL /STREAMS FILE:STREAM The exact stream name was specified.

The virus is detected.

SCAN /ALL FILE:STR* An exact stream name was not specified.

The virus is not detected.

SCAN /ALL /STREAMS FILE:STR* All streams beginning with “str” are

scanned.

The virus is detected.

SCAN /ALL FILE No streams were named.

The virus is not detected.

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Using memory caches

When scanning a file for viruses and other potentially unwanted software, the scanner reads the file into computer memory in amounts determined by the operating system. Although changes are not normally necessary, you can improve the scanning speed by increasing the amount of memory that the scanner uses. This can be controlled by the following options:

 /OCRS

 /OCMAX

 /AFC

Options /OCRS and /OCMAX are intended for use with offline or remote storage, such as Hierarchical Storage Management (HSM). The

/AFC option can improve scanning

performance in some cases.

OCRS

Typically the scanner reads only a few kilobytes of a file at a time, therefore a large number of reads might be required per file. The

/OCRS option causes the scanner to use

a larger internal “cache” for each file read instead. The size of reads for this cache is determined by a value in the range 0 through 4, as follows:

/OCRS=0 — 128KB /OCRS=1 — 256KB /OCRS=2 — 512KB /OCRS=3 — 1MB /OCRS=4 — 2MB

OCMAX

The /OCMAX option changes the maximum size of the internal cache for file reads. By default, the scanner typically caches up to eight reads per file and uses a cache read size of 128KB — and therefore a maximum cache size of 1

M, which is 128KB x 8).

When setting the maximum size explicitly, you must specify the value of

/OCMAX as a

number of Megabytes. See the following examples for

/OCRS and /OCMAX.

 Use 512KB read size. This implies a maximum cache size (OCMAX) of 4MB (8 x 512KB).

SCAN C:\ /OCRS=2

 Use 1MB read size. This implies a maximum cache size (OCMAX) of 8MB (8 x 1MB).

SCAN C:\ /OCRS=3

 Use a 1MB read size, but limit the cache size to 4MB.

SCAN C:\ /OCRS=3 /OCMAX=4

 Use a 2MB read size, but limit the cache size to 8MB.

SCAN C:\ /OCRS=4 /OCMAX=8

AFC

When scanning files, the scanner places the contents into computer memory (or file cache) before scanning them. This option allows you to vary the amount of cache that

the scanner uses.

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Scanning processes in memory

The cache is allocated “per file”, so the scanner uses a large amount of cache if there are many nested files. A larger cache size normally improves scanning speeds unless the computer has very low memory.

A range of cache sizes — 8

MB to 512MB — is permitted. If you specify a value outside

this range, the minimum or maximum value is assumed as appropriate. If you do not use this option, the scanner uses the default value of 12

MB.

Scanning processes in memory

Viruses such as CodeRed do not exist as files on disk but rather as executable code in the memory space of an infected process. To protect against this threat, you can include the

/WINMEM option. The process is scanned in memory together with any files

or DLLs associated with it.

Examples

Running an on-demand scan

You can scan any file or directory on your file system from the command line by adding options to the basic command. When executed without options, the program simply displays a brief summary of its options. When executed with only a directory name specified, the program scans every file in that directory only, and issues a message if any infected files are found. The options fall into the following main groups:

 Scanning options — determine how and where the scanner looks for infected

files. See page 25.

Note

When using the /WINMEM option, specify at least one file for scanning as well.

SCAN EXAMPLE.EXE /WINMEM

Scans the file EXAMPLE.EXE and all processes running on the computer.

SCAN *.EXE /WINMEM

Scans all files with a “.EXE” file name extension in the current directory, and all processes running on the computer.

SCAN *.* /WINMEM

Scans all files in the current directory and all processes running on the computer.

SCAN AA.EXE /WINMEM=1234

Scans the file, AA.EXE in the current directory and the specified process, 1234. The parameter is the process identifier or PID. If the process is not running, the scanner issues a message.

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Running an on-demand scan

 Response and notification options — determine how the scanner responds to

infected files. See page 30.

 Report options — determine how the scanner displays the results of the scan. See

page 32.

 General options — for such things as user help. See page 33.

Each group of options appears in its own table with a description of its function. See

Choosing the options on page 25 for details.

Command-line conventions

Use the following conventions to add options to the command line:

 Separate each option with spaces.

 Do not use any option more than once on the command line.

 Follow the syntax correctly.

 To start the program, at the command prompt, type:

SCAN

(This example assumes that the scanner is available in your search path.)

 To have the program examine a specific file or list of files, add the target directories

or files to the command line after

SCAN. You can limit your scan by excluding certain

files from scans with the

/EXCLUDE option. See page 26 for details.

General hints and tips

The following examples assume that the scanner is available in your search path.

 To display a list of all the options, each with a short description of their features, type

the command:

SCAN /HELP

 To display a list of all the viruses that the program detects, type the command:

SCAN /VIRLIST

 To display information about the version of the program, type the command:

SCAN /HELP

 To run a full scan on all drives, type the command:

SCAN /AD

 To run a full scan on the network drives, type the command:

SCAN /ADN

To ensure maximum protection from virus attack, you must regularly update your DAT files. See Preventing Infections on page 42 for details.

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Configuring scans

Instead of running each scan with all its options directly from the command line, you can keep the options in a separate text file, known as a task file. In the file, you can specify the actions that the scanner must take when a virus is detected. This allows you to run complete scans with ease, and at any time; you need only specify the files or directories that you want to scan.

To configure a scan:

1 Choose the command options that you want to use.

See Choosing the options on page 25 for a description of available options.

2 Type the command options into a text editor just as you might on the command line.

3 Save the text as a file.

4 Type the following at the command prompt:

SCAN /LOAD <FILENAME>

Here, <FILENAME> is the name of the text file you created in steps Step 2 and

Step 3, and <

TARGET>

is the file or directory you want to scan.

If the scanner detects no virus infections, it displays no output.

To learn how to specify the options, see Command-line conventions on page 21.

The following examples show how you can configure scans using task files. The examples assume the scanner is available in the search path.

Example 1

To scan files in the

C:\WINDOWS directory according to the settings you stored in the

task file

C:\TASKS\CONFIG1.TXT, type the command:

SCAN /LOAD C:\TASKS\CONFIG1.TXT C:\WINDOWS

The contents of the file C:\TASKS\CONFIG1.TXT are:

/MOVE C:\VIRUSES /NOCOMP /MAXFILESIZE 4

They instruct the scanner to move any infected files to

C:\VIRUSES, to ignore

compressed executables created with LZEXE or PkLite, and to examine only files smaller than 4

MB.

As an alternative, you can arrange the contents of the task file as single lines:

/MOVE C:\VIRUSES

/NOCOMP

/MAXFILESIZE 4

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Creating a list of infected files

Example 2

To scan only files smaller than 4

MB and to ignore compressed executables created with

LZEXE or PkLite in three separate directories, type the command:

SCAN /LOAD C:\TASKS\CONFIG2.TXT /CHECKLIST C:\CHECKS\CHECK1.TXT

The contents of the task file

C:\TASKS\CONFIG2.TXT are:

/NOCOMP

/MAXFILESIZE 4

The contents of the checklist file C:\CHECKS\CHECK1.TXT are:

C:\WINDOWS C:\BIN C:\PERL

Creating a list of infected files

Although a summary report can be useful, you can also create a simple list that contains only the names of the infected files. You can create and control this list using the options,

/BADLIST, /APPENDBAD, and /CHECKLIST.

For example, the following command scans the directory DIR1 and all its subdirectories, and produces information on-screen:

SCAN C:\DIR1\*.* /SUB

To produce a simple list of infected files, you can add the /BADLIST option:

SCAN C:\DIR1\*.* /SUB /BADLIST BAD1.TXT

The contents of BAD1.TXT might look like this list:

C:\DIR1\GAMES\HOTGAME.EXE ... Found Acid.674 virus!

C:\DIR1\SCANTEST\VTEST.COM ... Found: EICAR test file NOT a virus.

You can add to the list of infected files by using the /APPENDBAD option. For example, the following command scans the directory

DIR2, and any infected files found here are

added to the existing list:

SCAN C:\DIR2\*.* /SUB /BADLIST BAD1.TXT /APPENDBAD

Then, the contents of BAD1.TXT might look like this:

C:\DIR1\GAMES\HOTGAME.EXE ... Found Acid.674 virus!

C:\DIR1\SCANTEST\VTEST.COM ... Found: EICAR test file NOT a virus.

C:\DIR2\PRICES.DOC ... Found: virus or variant W97M/Concept!

C:\DIR2\COSTS\MAY2005.DOC ... Found the W97M/Ethan virus!

Using the /CHECKLIST option, you can refer to that list, and scan the same files again later:

SCAN /CHECKLIST BAD1.TXT

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Using heuristic analysis

A scanner uses two techniques to detect viruses — signature matching and heuristic analysis.

A virus signature is simply a binary pattern that is found in a virus-infected file. Using information in the DAT files, the scanner searches for those patterns. However, this approach cannot detect a new virus because its signature is not yet known, therefore the scanner uses another technique — heuristic analysis.

Programs, documents or e-mail messages that carry a virus often have distinctive features. They might attempt unprompted modification of files, invoke mail clients, or use other means to replicate themselves. The scanner analyzes the program code to detect these kinds of computer instructions. The scanner also searches for “legitimate,” non-virus-like behavior, such as prompting the user before taking action, and thereby avoids raising false alarms.

In an attempt to avoid detection, some viruses are encrypted. Each computer instruction is simply a binary number, but the computer does not use all the possible numbers. By searching for unexpected numbers inside a program file, the scanner can detect an encrypted virus. By using these techniques, the scanner can detect both known viruses and many new viruses and variants. Options that use heuristic analysis include

/ANALYZE, /MANALYZE, and /PANALYZE. See Table 3-2, Scanning options on

page 25.

Producing reports

The scanner can report its results in a log file that you create and name. In this example, the scanner creates its report in a log file called

WEEK40.TXT, which appears in your

current working directory.

To create a report:

1 If you do not already have the VirusScan program directory listed in your path

statement, change to the directory where you stored your VirusScan program files.

2 At the command prompt, type:

SCAN /ADN /REPORT WEEK40.TXT

The scanner scans all network drives and generates a text file of the results. The contents of the report are identical to the text you see on-screen as the scanner is running.

3 To create a running report of the scanner’s actions, use the

/APPEND option to add

any results of the scan to a file. At the command prompt, type:

SCAN /ADN /APPEND /REPORT WEEKLY.TXT

The scanner scans all network drives, and appends the results of the scan to the existing file,

WEEKLY.TXT.

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Choosing the options

The following sections describe the options that you can use to target your scans:

 Scanning options.

 Response and notification options on page 30.

 Report options on page 32.

 General options on page 33.

The options are also listed alphabetically with brief descriptions on page 34.

In the descriptions, variables such as file names or path appear in chevrons (< >). To learn how to add these to the command line, see Command-line conventions on

page 21.

Scanning options

Scanning options describe how and where each scan looks for infected files. You can use a combination of these options to customize the scan to suit your needs.

Caution

To configure a scan, you must specify a target location for the scan, such as C:\, A:\, /ADL, /ADN.

The /ALL option overrides the /NODOC option, such that all files are scanned, but Microsoft Office files are not scanned for macros.

Table 3-2 Scanning options

Option Limitations Description

/AD None. Same as /ALLDRIVES.

/ADL None. Scan all local drives, including compressed and PC drives, in

addition to any other drives specified on the command line. Do not scan removable media.

/ADN None. Scan all network drives, in addition to any other drives

specified on the command line.

/AFC=<SIZE> Specify the size of the file cache.

By default, the cache size is 12

MB. A larger cache size can

improve scanning performance in some cases, unless the computer has low memory. The range of sizes allowed is 8

MB to 512MB. Specify the size in megabytes. For example,

to specify a 64

MB cache, use /AFC=64.

See also Scanning diskettes on page 17.

/MAXFILESIZE <SIZE> None. Examine only those files that are smaller than the specified

size.

Specify the file size in megabytes. For example, /MAXFILESIZE 5 means scan only files that are smaller than 5

MB.

/MIME None. Scan MIME-encoded files.

This type of file is not scanned by default.

/NOBACKUP None. Do not prompt for backup of sectors before attempting to

clean.

/NOBKSEM Windows NT and

later versions only.

Prevent scanning of files that are normally protected.

Such files can normally be accessed by the operating system’s FILE_FLAG_BACKUP_SEMANTICS flag.

See Scanning protected files on page 18 for details.

/NOBOOT None. Do not scan the boot sector.

/NOBREAK None. Disable CTRL-C and CTRL-BREAK during scans.

Users cannot halt scans in progress if this option is set.

Table 3-2 Scanning options (continued)

Option Limitations Description

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Choosing the options

/NOCOMP None. Do not check compressed executables created with the

LZEXE or PkLite file-compression programs.

This reduces scanning time when a full scan is not needed. Otherwise, by default, the scanner checks inside executable, or self-decompressing files by decompressing each file in memory and checking for viruses.

/NOD Use with

/CLEAN.

Scan only the susceptible file types.

By default, /CLEAN scans and tries to clean viruses in all file types. When you include the /NOD option, the scanning and cleaning are limited to the susceptible file types only, as recognized by their file extensions. See File types scanned

by default. on page 17.

/NODDA Do not use

with /BOOT.

Do not access disk directly. This prevents the scanner from accessing the boot record.

You might need to use this option on some device- driven drives.

/NODECRYPT None. Do not decrypt Microsoft Office compound documents that

are password-protected.

By default, macros inside password-protected compound documents are scanned by employing “password cracking” techniques. If, for reasons of security, you do not require these techniques, use this option. Password cracking does not render the file readable.

/NODOC See note

on page 29.

Do not scan document files.

This includes Microsoft Office documents, OLE2, PowerPoint, CorelDraw, WordPerfect, RTF, Visio, Autodesk Autocad 2000, Adobe PDF 5, and Corel PhotoPaint 9 files.

/NOEXPIRE None. Disable the “expiration date” message if the scanner’s DAT

files are out of date.

For more details, see Preventing Infections on page 42.

/NOJOKES None. Do not report any joke programs.

/NOMEM None. Do not scan memory for viruses.

Use this option only when you are certain that your computer is virus-free.

/NOSCRIPT None. Do not scan files that contain HTML, JavaScript, Visual

Basic, or Script Component Type Libraries.

This type of file is normally scanned by default. Stand-alone JavaScript and Visual Basic Script files will still be scanned.

/OCMAX=<SIZE> Use with

Microsoft Windows only.

Specify the maximum size of the internal cache for file reads.

The size must be specified in megabytes. See also Using

memory caches on page 19.

/OCRS=<VALUE> Use with

Microsoft Windows only.

Specify a value that represents the size of the internal cache size for each file read.

The value may be specified as a digit that represents sizes between 128

KB and 2MB. See also Using memory caches

on page 19.

/PANALYZE

/PANALYSE

Use heuristic analysis to identify potential new program viruses.

By default, the program scans only for known viruses. This option is a subset of /ANALYZE. See alsoUsing heuristic

analysis on page 24.

Table 3-2 Scanning options (continued)

Option Limitations Description

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Choosing the options

/PROGRAM None. Scan for potentially unwanted applications.

Some widely available applications such as “password crackers” can be used maliciously or can pose a security threat.

/SECURE None. Examine all files, decompress archive files, and use

heuristic analysis.

This option activates the /ANALYZE, and /UNZIP options.

/SHOWCOMP None. Report any files that are packaged.

/STREAMS NTFS only, run

from within Windows NT and later versions.

Scan all streams within a file if it is in an NTFS partition.

See also Scanning NTFS streams on page 18.

/SUB None. Scan any subdirectories inside a directory.

By default, when you specify a directory to scan rather than a drive, the scanner examines only the files it contains, not its subdirectories.

Use this option to scan all subdirectories within the specified directories. This option is not necessary if you specify an entire drive as a target.

/TIMEOUT <SECONDS> None. Set the maximum time to scan any one file.

/UNZIP None.

Scan inside archive files, such as those saved in ZIP, LHA, PKarc, ARJ, WinACE, CAB, and CHM formats.

If used with /CLEAN, this option attempts to clean non-compressed files inside ZIP files only. No other archive formats can be cleaned.

The /CLEAN option does not delete or rename infected files within ZIP files. It does not rename the ZIP file itself.

The program cannot clean infected files found within any other archive format; you must first extract them manually from the archive file.

/WINMEM

/WINMEM=

<PID>

Specify at least one file for scanning.

Scan inside running processes.

Scan the specified process from its memory image. See also Scanning processes in memory on page 20.

Table 3-2 Scanning options (continued)

Option Limitations Description

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Choosing the options

Response and notification options

The response and notification options determine how the scanner responds to an infection. You can use a combination of these options to customize the scan. None of the options in the following table occur automatically. To activate each option, specify it in the command line.

Table 3-3 Response and notification options

Option Limitations Description

/CLEAN None. Automatically remove any infections.

By default, the program states only that infections were found but does not try to clean the infected files. If the program cannot clean the file, it displays a warning message. If you use this option, repeat the scan to ensure that there are no more infections. See If the scanner detects a virus on

page 40 for more information.

/CONTACTFILE <FILENAME> None. Display the contents of the specified file when a virus is

found.

This enables you to provide contact information and instructions to the user when a virus is encountered. We recommend using /LOCK with this option.

This option is especially useful for networks, because you can maintain the message text in a central file, rather than on each workstation.

Any character is valid in a contact message except a backslash (\). Messages beginning with a slash (/)or a hyphen (-) must be placed in quotation marks.

/DAM None. Delete all macros in a file if an infected macro is found.

If you suspect you have an infection in your file, you can choose to remove all macros from the file to prevent any exposure to a virus.

To pre-emptively delete all macros in a file, use this option with /FAM, although this should be used with caution. If you use these two options together, all found macros are deleted, regardless of the presence of an infection.

/DEL None.

Delete infected

.COM and .EXE files.

This option does not delete infected items within Microsoft Word documents or archives. If the scanner detects infected files within an archive, it does not delete the files within the archive, nor does it delete the archive itself.

We recommend that you use the /CLEAN option to protect against viruses that infect file types other than

.COM or .EXE.

See If the scanner detects a virus on page 40 for more information.

/EVLOG On

Windows NT and later versions.

Use Event Logging.

Any detections are recorded in the Application Log of the Event Viewer.

/LOCK In MS-DOS

systems only, not Windows NT or later.

Halt and lock the computer if a virus is found.

This option is appropriate in vulnerable network environments, such as open-use computer laboratories.

We recommend that you use this option with the /CONTACTFILE <FILENAME> option to tell users what to do or whom to contact if the scanner locks their computer.

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Choosing the options

/MOVE <DIR> None. Move any infected files to a quarantine location as specified.

When the program moves an infected file, it replicates the full directory path for the infected file inside the quarantine directory, so that you can determine the original location of the infected file.

This option has no effect if the Master Boot Record or boot sector is infected, because these are not files.

See If the scanner detects a virus on page 40 for more information.

/NOBEEP None. Do not issue a tone when the scan ends.

By default, a tone is issued at the end of a scan if an infection is found.

/NORENAME None. Do not rename an infected file that cannot be cleaned.

For information about renaming, see Table 4-1 on page 40.

See If the scanner detects a virus on page 40 for more information.

/PAUSE Do not use

with report options.

Enable a screen pause.

When the screen is full of messages, the prompt “Press any key to continue” appears. Otherwise, by default, the screen fills and scrolls continuously without stopping. This allows the scanner to run without stopping on computers with multiple drives or that have severe infections.

We recommend that you do not use this option with the report options, /REPORT, /RPTALL, /RPTCOR, and /RPTERR.

/PLAD On NetWare

volumes only.

Preserve the last-accessed time and date for files that are scanned.

Some software (such as used for creating backups or archives) relies on a file’s last-accessed time and date to work correctly. If you set this option, the scanner resets that time and date to their original values after scanning the file.

Table 3-3 Response and notification options (continued)

Option Limitations Description

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Choosing the options

Report options

By default, the results of a scan appear on-screen. The following table lists the options for displaying the results elsewhere. To capture a scanner report to a text file, use

/REPORT with any additional options as needed. For examples, see Producing reports

on page 24.

Table 3-4 Report options

Option Limitations Description

/APPEND Use this option

with /REPORT.

Append information to the specified report file instead of overwriting it.

/HTML <FILENAME> None. Create a file containing the results in HTML format.

/LOUD None Display a progress summary during the scan.

Note that this option can produce a large amount of information.

/REPORT <FILENAME> Do not use

with /PAUSE.

Create a report of infected files and system errors, and save the data to the specified file in ASCII text file format.

If that file already exists, /REPORT overwrites it. To avoid overwriting, use the /APPEND option with /REPORT. The scanner then adds report information to the end of the file, instead of overwriting it.

You can also use /RPTALL, /RPTCOR and /RPTERR to add more information to the report.

You can include the destination drive and directory (such as D:\VSREPRT\ALL.TXT), but if the destination is a network drive, you must have rights to create and delete files on that drive.

You may find it helpful to add a list of scanning options to the report files. To do this, type at the command prompt:

SCAN /HELP /APPEND /REPORT <FILENAME>

We recommend you do not use /PAUSE when using any report option.

/RPTALL Use with

/REPORT.

Include the names of all scanned files in the report file.

/RPTCOR Use with

/REPORT.

Include a list of corrupted files in the report file.

/RPTERR Use with

/REPORT.

Include system errors in the report file.

System errors can include problems reading or writing to a disk or hard disk, file system or network problems, problems creating reports, and other system-related problems.

/VIRLIST None. Display the name of each virus that the scanner can detect.

This option produces a long list, which is best viewed from a text file. To do this, type:

SCAN /VIRLIST /REPORT <FILENAME.TXT>

For full details about each virus, see the Virus Information Library (see Contact information on page 9).

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Choosing the options

General options

General options provide help or give extra information about the scan. You may use a combination of these options to customize the scan. None of the options in Table 3-5 occur automatically. To activate each option, specify it as part of the command line.

Table 3-5 General options

Option Limitations Description

/? None. Display a list of command-line options, each with a brief

description.

You can add a list of scanning options to a report file. To do this, type at the command prompt:

SCAN /? /REPORT <FILENAME>

The report is appended with the full set of options available for that task.

/BEEP None. Issue a tone when an infected file is found.

By default, a tone is only issued when the scan ends.

/EXTLIST None. Display names of file extensions that are scanned by

default.

/HELP None. See the /? option.

/NORECALL Use with /DOHSM Do not move files from remote storage into local storage

after scanning. See also Scanning files in remote storage on

page 18.

/SILENT None. Do not display any information on-screen.

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Choosing the options

Options in alphabetic order

For convenience, the options are repeated in this section alphabetically with a brief description. For full descriptions, see the previous sections.

Table 3-6 Alphabetic list of options

Option Description See ...

/? Display a list of command-line options, each with a brief

description.

page 33

/AD Same as /ALLDRIVES. page 25

/ADL Scan all local drives, including compressed and PC drives, in

addition to any other drives specified on the command line. Do not scan removable media.

page 25

/ADN Scan all network drives, in addition to any other drives specified

on the command line.

page 25

/AFC=<SIZE> Specify the size of the file cache. page 25

/ALL Scan all files regardless of extension. page 25

/ALLDRIVES Scan all drives. Scan all network drives and local drives, but not

removable drives; these include disk drives, CD drives, and Zip drives.

page 25

/ALLOLE Check every file for OLE objects. page 25

/ANALYSE Same as /ANALYZE. page 26

/ANALYZE Use heuristic analysis to find possible new viruses in “clean”

files.

page 26

/APPEND Append information to the specified report file instead of

overwriting it.

page 32

/APPENDBAD Append names of infected files to an existing file, as specified by

/BADLIST.

page 26

/BADLIST <FILENAME> Create a list of infected files. page 26

/BEEP Issue a tone when an infected file is found. page 33

/BOOT Scan boot sector and master boot record only. page 26

/BPRESTORE Restore sectors from backup after cleaning. page 26

/CHECKLIST <FILENAME> Scan the files listed in the specified file. page 26

/CLEAN Automatically remove any infections. page 30

/CONTACTFILE <FILENAME> Display the contents of the specified file when a virus is found. page 30

/DAM Delete all macros in a file if an infected macro is found. page 30

/DEL Delete infected .COM and .EXE files. page 30

/DOHSM Scan files that are offline. page 26

/DRIVER Specify the location of the DAT files: SCAN.DAT, NAMES.DAT,

and CLEAN.DAT.

page 26

/EVLOG Use Event Logging. page 30

/EXCLUDE <FILENAME> Exclude the directories or files from the scan as specified in

<FILENAME>.

page 26

/EXTLIST Display names of file extensions that are scanned by default. page 33

/EXTRA <FILENAME> Specify the location on any EXTRA.DAT file. page 26

/FAM Find all macros, not just macros suspected of being infected. page 26

/FREQUENCY <HOURS> Do not scan before the specified number of hours after the

previous scan.

page 27

/HELP See the /? option. page 33

/HTML <FILENAME> Create a file containing the results in HTML format. page 32

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Choosing the options

/LOAD <FILENAME> Load scanning options from the named file, or scanning profile. page 27

/LOCK Halt and lock the computer if a virus is found. page 30

/LOUD Display a progress summary during the scan. page 32

/MAILBOX Scan plain-text mailboxes. page 27

/MANALYSE Same as /MANALYZE. page 27

/MANALYZE Use heuristics analysis to identify potential macro viruses. page 27

/MANY Scan multiple disks consecutively in a single drive. page 27

/MAXFILESIZE <SIZE> Examine only those files that are smaller than the specified size. page 27

/MIME Scan MIME-encoded files. page 27

/MOVE <DIR> Move any infected files to a quarantine location as specified. page 31

/NOBACKUP Do not prompt for backup of sectors before attempting to clean. page 27

/NOBEEP Do not issue a tone when the scan ends. page 31

/NOBKSEM Prevent scanning of files that are normally protected. page 27

/NOBOOT Do not scan the boot sector. page 27

/NOBREAK Disable Ctrl-C and Ctrl-Break during scans. page 27

/NOCOMP Do not check compressed executables created with the LZEXE or

PkLite file-compression programs.

page 28

/NOD Scan only the susceptible file types. page 28

/NODDA Do not access disk directly. This prevents the scanner from

accessing the boot record.

page 28

/NODECRYPT Do not decrypt Microsoft Office compound documents that are

password-protected.

page 28

/NODOC Do not scan document files. page 28

/NOEXPIRE Disable the “expiration date” message if the scanner’s DAT files

are out of date.

page 28

/NOJOKES Do not report any joke programs. page 28

/NOMEM Do not scan memory for viruses. page 28

/NORECALL Do not move files from remote storage into local storage after

scanning. See also Scanning files in remote storage on page 18.

page 33

/NORENAME Do not rename an infected file that cannot be cleaned. page 31

/NOSCRIPT Do not scan files that contain HTML, JavaScript, Visual Basic, or

Script Component Type Libraries.

page 28

/OCMAX=<SIZE> Specify the maximum size of the internal cache for file reads. page 28

/OCRS=<VALUE> Specify a value that represents the size of the internal cache size

for each file read.

page 28

/PANALYSE Same as /PANALYZE. page 28

/PANALYZE Use heuristic analysis to identify potential new program viruses. page 28

/PAUSE Enable a screen pause. page 31

/PLAD Preserve the last-accessed time and date for files that are

scanned.

page 31

/PROGRAM Scan for potentially unwanted applications. page 29

/REPORT <FILENAME> Create a report of infected files and system errors, and save the

data to the specified file in ASCII text file format.

page 32

/RPTALL Include the names of all scanned files in the report file. page 32

/RPTCOR Include a list of corrupted files in the report file. page 32

/RPTERR Include system errors in the report file. page 32

Table 3-6 Alphabetic list of options (continued)

Option Description See ...

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Error levels

When you run the on-demand scanner in the MS-DOS environment, an error level is set. You can use the

ERRORLEVEL value in batch files to take actions based on the

results of the scan. See your MS-DOS operating-system documentation for more information.

The on-demand scanner can return the following error levels:

/SECURE Examine all files, decompress archive files, and use heuristic

analysis.

page 29

/SHOWCOMP Report any files that are packaged. page 29

/SILENT Do not display any information on-screen. page 33

/STREAMS Scan all streams within a file if it is in an NTFS partition. page 29

/SUB Scan any subdirectories inside a directory. page 29

/TIMEOUT <SECONDS> Set the maximum time to scan any one file. page 29

/UNZIP Scan inside archive files, such as those saved in ZIP, LHA, PKarc,

ARJ, WinACE, CAB, and CHM formats.

page 29

/WINMEM Scan inside running processes. page 29

/VIRLIST Display the name of each virus that the scanner can detect. page 32

Table 3-6 Alphabetic list of options (continued)

Option Description See ...

Table 3-7 Error Levels

Error Level

Description

0 The scanner found no viruses or other potentially unwanted software, and

returned no errors.

2 Integrity check on DAT file failed.

6 A general problem occurred.

8 The scanner was unable to find a DAT file.

10 A virus was found in memory.

12 The scanner tried to clean a file, the attempt failed, and the file is still infected.

13 The scanner found one or more viruses or hostile objects — such as a

Trojan-horse program, joke program, or test file.

15 The scanner’s self-check failed; the scanner may be infected or damaged.

19 The scanner succeeded in cleaning all infected files.

20 Scanning was prevented because of the /FREQUENCY option.

See page 27 for more information.

21 Computer requires a reboot to clean the infection.

102 The user quit via E

SC-X, ^C or EXIT button.

This feature can be disabled with the /NOBREAK option.

VirusScan® Command Line 5.20.0 Product Guide Using the Command-Line Scanner

Handling error messages

You can often correct the message, Invalid switch or incorrect usage by checking the form of the command in Options in alphabetic order on page 34.

Where an option has a parameter, insert only one space between them. For example, the following commands are intended to scan all directories on the C disk, and list any infected files in the file named

BADLIST.TXT. The first two commands are valid, but the

third command gives an error message because it has more than one space between the

/BADLIST option and its parameter, BADLIST.TXT.

SCAN C:\ /SUB /BADLIST BADLIST.TXT

Removing Infections

Although they are not harmless, most viruses that infect your computer do not destroy data, play pranks, or render your computer unusable. Even the rare viruses that carry a destructive payload usually produce their nasty effects in response to a trigger event. In most cases, unless you know that a payload has activated, you have time to deal with the infection properly. However, this unwanted computer code can interfere with your computer’s normal operation, consume system resources and have other undesirable effects, so take viruses seriously and remove them when you encounter them.

Unusual computer behavior, unexplained crashes, or other unpredictable events might not be caused by a virus. If you believe you have a virus on your computer because of occurrences such as these, a scan might not produce the results you expect, but it helps eliminate one potential cause of your computer problems.

To clean your computer

If your computer has a virus or you suspect it has, and you have not yet installed the on-demand scanner, follow these steps:

1 Isolate your infected computer from any network that it uses.

2 Download and unzip up-to-date anti-virus software and DAT files onto another

computer and create a CD.

3 Create a directory for the software on the hard disk of the infected computer.

4 Insert the CD into your CD drive, then copy the files from the CD to the directory

that you created in Step 3.

5 Add the directory to the

PATH statement in your AUTOEXEC.BAT file or use the System

Properties

window.

6 At the command prompt, type the following to thoroughly scan the computer:

SCAN /ADL /ALL /CLEAN /WINMEM /PROGRAM

7 Shut down your computer and boot it into Safe Mode.

8 Scan your disks again immediately after the boot. At the command prompt, type:

SCAN /ADL /ALL /CLEAN /WINMEM /PROGRAM

This step is necessary because some infections can affect other files but this will not be apparent until the computer has booted.

VirusScan® Command Line 5.20.0 Product Guide Removing Infections

9 If necessary, repeat Step 7 and Step 8 to ensure that all effects of the original

infection are removed.

10 If you cannot remove all effects of the original infection, refer to the Virus

Information Library for more information about manually removing an infection. For any further assistance, refer to the AVERT Home Page. See the addresses in

Contact information on page 9.

If the infections were removed:

Shut down your computer and remove the CD. Reconnect to the network, and begin the installation procedure described on page 10.

To find and remove the possible source of infection, scan your diskettes immediately after installation. For information, see Scanning diskettes on page 17.

If infections were not removed:

If the scanner cannot remove an infection, you see one of the following messages:

Virus could not be removed.

There is no remover currently available for the virus.

In this case, refer to the Virus Information Library. See Contact information on

page 9 for more information about manually removing an infection.

If the virus still cannot be removed, refer to the AVERT Home Page for information about manually removing infections. See Contact information on page 9.

VirusScan® Command Line 5.20.0 Product Guide Removing Infections

If the scanner detects a virus

Viruses attack computer systems by infecting files — usually executable program files or macros inside documents and templates. The scanner can safely remove most common viruses from infected files.

However, some viruses are designed to damage your files. The scanner can move these irreparably damaged or corrupted files to a quarantine directory or delete them permanently to prevent further infection.

If the scanner cannot clean an infected file, it renames the file to prevent its use. When a file is renamed, only the file extension (typically three letters) is changed. The following table shows the methods of renaming.

For example, if an infected file called

BAD.COM is found, the scanner attempts to

rename the file to

BAD.VOM. However, if a file of that name already exists in the

directory, the scanner attempts to rename the file to

BAD.VIR, BAD.V01, or BAD.V02,

and so on.

For file extensions with more than three letters, the name is usually not truncated. For example,

NOTEPAD.CLASS becomes NOTEPAD.VLASS. However, an infected file called

WATER.VAPOR

becomes WATER.VIR.

Removing a virus found in a file

If the scanner detects a virus in a file, it displays the path names of infected files and takes the action you specified. For example:

 If you selected /MOVE, the scanner automatically moves the infected files to the

specified quarantine directory.

 If you selected /CLEAN, the scanner attempts to clean the file.

 If you selected /DEL and this is an .EXE or .COM file, the scanner deletes the infected

file.

 If you selected /NORENAME, the scanner does not rename the infected file.

Table 4-1 Renaming infected files

Original Renamed Description

Not V?? V?? File extensions that do not start with v are renamed with v as

the initial letter of the file extension. For example,

MYFILE.DOC becomes MYFILE.VOC.

V?? VIR

File extensions that start with v are renamed as

.VIR. For

example, MYFILE.VBs becomes MYFILE.VIR.

VIR, V01-V99

These files are recognized as already infected, and are not renamed again.

<blank> VIR

Files with no extensions are given the extension,

.VIR.

VirusScan® Command Line 5.20.0 Product Guide Removing Infections

If the scanner detects a virus

Running additional virus-cleaning tasks

These tasks include:

 Cleaning macro viruses from password-protected files.

 Cleaning Windows NT hard disks.

Cleaning macro viruses from password-protected files

The scanner respects users’ passwords and usually leaves them intact. For example, in some password-protected Microsoft Excel files, the scanner removes macro viruses without disturbing users’ passwords.

However, macro viruses that infect Microsoft Word files sometimes plant their own passwords. Depending on the capabilities of the virus, the scanner takes one of the following actions when trying to clean a password-protected file:

 If the macro virus can plant its own password:

The scanner cleans the file, removes the planted password, and removes the virus.

 If the macro virus cannot plant its own password:

The scanner notes the infection but does not remove the password.

Cleaning Windows NT hard disks

To clean the Master Boot Record (MBR) on a hard disk formatted with the Microsoft Windows NT file system (NTFS):

1 Start the computer that has the NTFS file system partition from a virus-free MS-DOS

boot disk.

2 Run the scanner, using

SCAN /BOOT /CLEAN. Be sure to run the scanner from a disk

that you know is free from viruses.

This cleans the NTFS file system Master Boot Record, but the scanner cannot read the rest of the NTFS file system partition when you boot into a MS-DOS environment. To scan the rest of the NTFS file system partition, reboot into Windows NT, then run the scanner again.

Caution

Take care if you are using more than one of these options in combination. For example, if you specify /MOVE and /CLEAN together, the scanner creates a copy of an infected file in the specified quarantine directory before attempting to clean the file. If you want to keep an infected copy for investigation, this is useful, but if you intend only to remove any virus that might be present on the computer, it is more beneficial and more secure to use /CLEAN on its own. Generally speaking, simply specifying more command-line options does not necessarily increase the benefit of the scanning.

Preventing Infections

VirusScan® Command Line is an effective tool for preventing infections, and it is most effective when combined with regular backups, meaningful password protection, user training, and awareness of threats from viruses and other potentially unwanted software.

To create a secure system environment and minimize the chance of infection, we recommend that you do the following:

 Install VirusScan

Command Line software and other McAfee security software.

 Schedule scans — at system boot and/or at regular intervals.

 Make frequent backups of important files. Even if you have VirusScan

Command Line software to prevent attacks from viruses, damage from fire, theft, or vandalism can render your data unrecoverable without a recent backup.

Detecting new and unidentified viruses

To offer the best protection possible, we continually update the definition (DAT) files that the VirusScan

Command Line software uses to detect potentially unwanted

software. For maximum protection, you should regularly retrieve these files.

We offer free online DAT file updates for the life of your product, but cannot guarantee that they will be compatible with previous versions. By updating your software to the latest version of the product and updating regularly to the latest DAT files, you ensure complete protection for the term of your software subscription or maintenance plan.

Why do I need new DAT files?

Hundreds of new viruses and other potentially unwanted objects appear each month. Often, older DAT files cannot assist the VirusScan

Command Line software in detecting these new variations. For example, the DAT files with your original copy of VirusScan

Command Line might not detect a virus that was discovered after you

bought the product.

If you suspect you have found a new virus, use WebImmune. See Contact information

on page 9 for the address.

VirusScan® Command Line 5.20.0 Product Guide Preventing Infections

Detecting new and unidentified viruses

Updating your DAT files

The DAT files are contained in a single compressed file. Download the new file from either of the following sources:

 FTP server. Open a connection to the FTP site, ftp://ftp.mcafee.com.

Use anonymous as your user name and your e-mail address as your password to gain access. Look for a compressed file in the directory

pub/antivirus/datfiles/4.x. The file has the format dat-nnnn.zip, where nnnn is

the DAT version number. For example:

dat-5066.zip.

 Web Site. Start your browser, then go to the Downloads area for the latest file. See

the

Download Site under Contact information on page 9 for the address.

The number given to the file changes on a regular basis. A higher number indicates a later version of the DAT files. When you are selecting the latest version of DAT file, ignore any reference to SuperDAT (a self-installing DAT file). You cannot use this type of file with the command-line scanner.

To use the new DAT files:

1 Create a download directory.

2 Change to the download directory, and download the new compressed file from the

source you have chosen. The downloaded DAT file is in a compressed .ZIP format.

3 Locate the directory on your hard drive where the command-line scanner is currently

loaded (as set up in Step 1 on page 11).

4 Use a compression utility such as WinZip or PKZip to extract the files from the .ZIP

file into that directory. Be sure to extract all the files. If using WinZip, select the

Use

Folder Names

and the All Files options.

5 Allow the updated files to overwrite the existing DAT files.

Note

If other SupportingProductName software products are loaded on your computer, or if you chose custom installation options, some DAT files might be located in more than one directory. If so, save these updated DAT files to each directory.

Index

alarm (See beep) 31 /ALL option, warning with /NODOC

alphabetic options 34 ARC files 29 arguments (See options) 25 audience for this guide 6 Avert Labs Threat Center 9 Avert Labs Threat Library 9

BACKUP_SEMANTICS flag 27 beep, not wanted 31 beta program website 9

boot record, preventing scanner

from accessing

boot sector

limiting scan to

warning about /NODDA 26

cache 19 /CLEAN option 30, 40 clean, all infected files 30 CodeRed 20 colon, delimiter in stream naming

command-line options (See options)

compressed files

scanning inside

skipping during virus scans 28 types recognized by the scanner

computer problems, attributing to

viruses

configuration options 22 conventions, command line 21 corrupted files 32, 40 crashes attributed to viruses 38

CTRL+BREAK, disabling during

scans

CTRL+C, disabling during scans 27 customer service, contacting 9 cyclical redundancy check (CRC) 13

damaged files 40 DAT file 43

updates 42

DAT files

Avert Labs notification service

for updates

updates, website 9 date (expiration date message) 28 defaults, cache 20 /DEL option 30, 40

direct drive access, disabling with

scanner

directories, scanning 29 diskettes 27

disks

scanning

scanning multiple 27 DLL scanning 20 DOS 11 download website 9

drives

scanning local

scanning network 25

EICAR "virus" for testing installation

error levels 36 error messages 37 Eudora 27

evaluating McAfee products,

download website

event log 30

examples

batch file for NetWare login

cache, AFC 25

deleting all macros 26

list of infected files 23

/OCMAX 19

reporting 24

streams 18

/WINMEM 20 Excel 41 excluding files from scan 26

exit codes (error levels) 36 expiration date message, disabling

EXTRA.DAT 26

file types

list of scanned

scanning all 25

FILE_FLAG_BACKUP_SEMANTICS

flag

files

compressed

corrupted 32, 40 damaged 40 deleting infected files 30 do not scan compressed files 28 excluding from scan 26 joke programs 28 last -access date 31 moving infected files 31 scanning all 29 scanning ARC 29 scanning under specified size 27 setting cache size 20

floppy disks 27

frequency

error level for prevented

scanning

setting for scan 27

general options 25

help

displaying

online 21

heuristic analysis 29

enabling full capabilities 26 macro viruses only 27 program viruses only 28

Hierarchical Storage Management

(HSM)

HotFix and Patch releases (for

products and security vulnerabilities)

VirusScan® Command Line 5.20.0 Product Guide Index

IDE (See DAT files)

infected files

creating a list of

deleting permanently 30 do not rename 31 moving 31 not renaming 40

removing viruses from 38–?? installation requirements 10 installation, testing effectiveness of

installing VirusScan software 10

Invalid switch or incorrect usage,

message

joke programs 28

KnowledgeBase search 9

local drives, scanning 25

locking the computer, if a virus is

found

locking, on DOS systems only 30 LS120 media 27 LZEXE 28

macro 27

macro viruses

cleaning

heuristic analysis for 27

mailboxes

plain text

with /MIME 27

master boot record (MBR), how to

clean on NTFS

memory

cache

omitting from scans 28

virus infections in, error level for

messages

displaying when a virus is found

Invalid switch or incorrect usage

pausing when displaying 31

Microsoft Office

files not scanned for macros,

warning

omitting files from scans 28 MIME 27 /MOVE option 31, 40 moving infected files 31

Netscape 27

NetWare

last -access date

scanning before login 12 network drives, scanning 25 new features 6 /NODDA, do not use with BOOT 28 /NODOC option, warning with /ALL

/NORENAME option 31, 40

Novell NetWare, run scanner before

NTFS streams 18 NTFS, cleaning 41

Office, Microsoft 28 offline storage 19 on-demand scanning 20 options 25–33

alphabetic order 34

general 25

report 32

response and notification 30

password-protected files 41

pattern files (See DAT files)

/PAUSE

do not use with report options

not with /REPORT 32

pausing, when displaying scanner

messages

PID, process scanning 20 PINE 27 PKLITE 28 plain-text mailboxes 27 preventing infection 42 process identifier 20 process scanning 20 product information, where to find 8 product upgrades 9

professional services, McAfee

resources

protected files 18

quarantine 40

recycle bins 18 remote storage 19

/DOHSM and /NORECALL 33 report options 32

reports

adding names of scanned files to

adding system errors to 32 do not use options with /PAUSE

generating with scanner 32

with scanning options 32 resources, for product information 8 response and notification options

responses, default when infected

by viruses

38–??

SCAN.EXE 16

scanning

disks

full scan 21

on-demand 20

speed improvement 20 scanning options, added to report

script 28

Security Headquarters (See Avert

Labs)

security threat

security updates, DAT files and

engine

security vulnerabilities, releases for

self-check, error level if fails 36 ServicePortal, technical support 9

sound (See beep)

streams

subdirectories, scanning 29

submit a sample, Avert Labs

WebImmune

switches (See options) 25 system performance 16 system requirements 10

task file 22 technical support, contacting 9 testing your installation 14

Threat Center (See Avert Labs)

threat library

tone (See beep)

training, McAfee resources

trash can 18

upgrade website 9 user profiles 18 users halting scans, how to prevent

VirusScan® Command Line 5.20.0 Product Guide Index

using this guide 6

audience 6

typeface conventions and

symbols

version number 21

virus definitions (See DAT files)

Virus Information Library

Virus Information Library (See Avert

Labs Threat Library)

virus scanning

displaying message when virus

is found

preventing users from halting 27

viruses

detected, error level for

displaying list of detected 32 effects of 38–?? list of detected 21 locking the computer if found 30 removing from infected files

38–??

VirusScan software 36

WebImmune, Avert Labs Threat

Center

Windows NT File System (NTFS),

cleaning MBR

McAfee VCLCDE-AA-DA, VirusScan Command Line Product Manual

Specifications and Main Features

Frequently Asked Questions

User Manual