What's New in VirusScan for Windows NT v4.0.3a (4019) Copyright (c) 1994-99 by Network Associates, Inc., and its Affiliated Companies. All Rights Reserved. ***** IMPORTANT ***** This version of VirusScan includes the 4019 DAT Files for detection and cleaning of the W97M/Melissa virus. Thank you for using VirusScan for Windows NT. This What's New file contains important information regarding this release. Network Associates strongly recommends that you read the entire document. Network Associates welcomes your comments and suggestions. Please use the information provided in this file to contact Customer Care or technical support. **NOTE: Do not attempt to install this version of VirusScan on a Digital Equipment (DEC) Alpha system.** **IMPORTANT: This version of VirusScan for Windows NT DOES include support for Windows NT 3.51. Network Associates recommends that you install Windows NT Service Pack 5 in order to use VirusScan with this Windows NT version. Note also that running VirusScan for Windows NT with Windows NT v4.0 recommends that you have Windows NT v4.0 Service Pack 4 installed.** ___________________ WHAT'S IN THIS FILE - New Features - Known Issues - Installation - Performing a "Silent" Installation - Documentation - Frequently Asked Questions - Additional Information - Contacting Network Associates ____________ NEW FEATURES 1. A new Network Associates scanning engine is at the heart of VirusScan v4.0.3a. Created and backed by the combined efforts of the McAfee Labs and Dr Solomon anti-virus research teams, this engine delivers outstanding virus detection and cleaning rates. 2. VirusScan protection now extends to file system support for Microsoft's Distributed File System. 3. Alert Manager can now direct alert messages to McAfee Management Edition v2.0 for network-wide administrative convenience. 4. The new scanning engine incorporated in VirusScan for Windows NT comes with improved heuristic scanning capability that detects previously unidentified macro and file-infector viruses. The engine employs both positive heuristics, which allows it to look for "virus-like" characteristics in the files it scans, and negative heuristics, which allows it to look for file characteristics that indicate that questionable code does not result from a virus infection. As a result, the incidence of false virus identifications is very low. See "Additional Information" later in this file for more information. 5. VirusScan for Windows NT supports Windows NT 5.0 BETA 2. 6. You can now enable or disable the on-access scanning component in VirusScan for Windows NT both from the graphical user interface and from an NT Command Prompt window. To learn how to do so, see item 12 in "Additional Information" later in this file. 7. VirusScan's Setup utility will seamlessly remove from your target server or workstation all existing NetShield NT and VirusScan for Windows NT versions earlier than v3.1.4a. Setup will also allow you to remove any version later than v3.1.4a and, if you wish, to preserve the settings you chose for that earlier version. 8. VirusScan's Setup utility will remove all existing versions of Dr Solomon Anti-Virus Toolkit for Windows NT v7.74 and later. * NEW VIRUSES DETECTED * **** IMPORTANT NOTE **** This release of VirusScan for Windows NT functions ONLY with the 40XX .DAT file series. Network Associates recommends that you use this VirusScan release with the 4019 .DAT files included with the program package or series 40XX .DAT files released later. You CANNOT use VirusScan with .DAT file versions from the 30XX, the 97XX or the 98XX series, nor may you use the .DAT files included in this release with 2.x or 3.x versions of VirusScan for Windows NT. **** Because the previous VirusScan for Windows NT scanning engine and the new Network Associates scanning engine identify and classify viruses in different ways, the .DAT files included with this VirusScan release do not include a list of viruses cleaned. Future releases will incorporate this information, once McAfee Labs adopts a standard virus naming convention. With this .DAT file release, the new scanning engine detects a total of about 41,990 viruses and variants, Trojan horse files, and other malicious software. Of this number these 49 viruses are new: Alien.480 Anti-AV AWME.1206 Baloo.525 BugsBunny.ow Callgirl.ow Deadman.576 Elsa.857 Gluk HLL.cmp.Friends.4544 HLL.cmp.MF.4480 HLL.cmp.MF.4496 HLL.cmp.MF.4528 HLLP.Kobr.9488 HLLT.Zoom.5062 IOTM.1009 Jura.3242 Keypress.1266a Lazarus.2222 LittleDevil.2109 Loose Luce.3600 Luce.3756 Luce.4200 Lyceum.1832 Nympho QPrep.63 Radiation.GR Sahand.cmp.2382 SimpleMinded.ow Smgtest SOP.1364 Stoneheart.a Vacsina.dr VS W97M/Allen W97M/Ethan.f W97M/Melissa W97M/Remplace.a W97M/Remplace.b W97M/Twno.aw WM/Julho.a WM/Julho.b Xany.110a XM/Hidemod.a XM/Hidemod.b XM/Uedasan.a Zorm.1475 Zorm.1807 * NEW REMOVALS * With this .DAT file release, the new scanning engine removes the 18 new viruses listed below. Network Associates software removes a virus either by deleting the infecting virus code from files or by deleting the file from your computer. Anti-AV.GR Gluk.GR Loose.GR Nympho.GR Radiation.GR Smgtest.GR VS.GR1 W97M/Allen W97M/Ethan.f W97M/Melissa W97M/Remplace.a W97M/Remplace.b W97M/Twno.aw WM/Julho.a WM/Julho.b XM/Hidemod.a XM/Hidemod.b XM/Uedasan.a ____________ KNOWN ISSUES 1. You may not connect to another workstation on the network to run an AutoUpgrade session from that computer. You can, however, connect to another server, schedule an AutoUpgrade session, then disconnect to allow the remote server to run AutoUpgrade itself. 2. If you add the Simple Network Management Protocol service to your workstation setup after you have installed VirusScan, you must re-install VirusScan in order to use SNMP as an alerting option with Alert Manager. 3. If you have manually uninstalled a previous installation of VirusScan for Windows NT, and have not rebooted, a silent installation of VirusScan v4.0.3a will fail. 4. When installing using the default Windows NT SYSTEM account, some product functionality is not available. This includes: alert forwarding to other NT servers, sending alerts to printers, scheduled AutoUpdates from NT file shares, remote event logging, and scheduled scans of network drives. 5. To upgrade a component of VirusScan, you must perform the full installation. If a partial installation is performed, an error message will appear when the system is restarted. 6. The Network Associates McShield Service will not run when you start the server if you give it a custom account. You must run this service with a system account. During installation, however, Setup installs the McShield service to run with a system account, whether or not you specify a custom account for the rest of the installation. 7. VirusScan will send several alert messages if it finds a virus when it scans the boot sector on a floppy disk. Although ordinarily this might indicate that the disk has several separate infections, here the messages all result from the single infection. VirusScan generates several messages because it scans the floppy disk and detects the same virus each time Windows tries to mount the disk. If it cannot read a virus-infected boot sector on the floppy disk, Windows tries to mount the disk several times before it gives up. If you have VirusScan's on-access scanner set to clean or delete infected files, subsequent scanning passes should not generate alert messages. 8. If you create a scan task in VirusScan's Scan Wizard, then tell VirusScan to start the task immediately without saving its settings, VirusScan will start the task without creating a task entry in the AntiVirus Console window. This means that you cannot see task statistics if you close the Status window after the task starts, and it means that you cannot stop the scan operation once it's underway. To have more control over the scan operation, first save your settings, then start the scan operation from the AntiVirus Console window. When the task finishes, you can delete it from the task list. 9. If you disable the Network Associates Task Manager Service from the Windows NT Control Panel, VirusScan's on-access scanning component will not disable correctly. Although the system tray icon will indicate that the on-access scanner is not active, the scanner will continue to monitor your system. If you choose not to install the Task Manager Service component during a custom installation, you will not be able to enable or disable the on-access scanning component. 10. Setup will not install some VirusScan services correctly under these conditions: * If you have a folder or file named PROGRAM in your root directory--C:\PROGRAM, for example. * If you have a VIRUSSCAN directory where Setup expects to create the VirusScan program directory. If, for example, you create a VIRUSSCAN folder in the path C:\Program Files\Network Associates, Setup will not install some VirusScan services correctly. This same problem occurs during silent installations. To avoid this problem, delete any files or folders in the directories noted above, then run Setup and allow it to create the correct program directory structure during installation. 11. If you install VirusScan on a computer running a beta version of Windows NT 5.0, right-clicking the AntiVirus Console icon in the system tray, then choosing Console from the shortcut menu will open the AntiVirus Console. If you then close the Console, the system tray icon will disappear. If you restart your computer after you install VirusScan, this problem will not occur. 12. Stopping any of the VirusScan services in the Windows NT Services control panel can cause VirusScan to lose track of the status of its on-access scanning component. For example, if you stop the McTaskManager or the McShield services, the system tray icon for the VirusScan on-access scanner will indicate that the scanner is disabled. If you then right-click the icon, however, the shortcut menu will show Disable as a menu choice instead of Enable. Rather than stopping VirusScan services to disable the scanner, use the VirusScan interface to disable it. For more details, see item 12 in "Additional Information" later in this file. 13. This VirusScan version comes with its network scanning option disabled. You can enable this option by selecting a checkbox in the on-access scanning property page. 14. If you are running VirusScan on a computer using Cheyenne Agent for Open Files or St. Bernard's Open File Agent, file rename operation may not function correctly. 15. If you have Norton Utilities v2.0 installed, then you install VirusScan, your system will halt with a blue- screen error in the RDR.SYS module as you try to restart it. A conflict with the Norton Unerase version included with this Norton Utilities release causes this error. To resolve this problem, install the latest Norton Utilities version available. ____________ INSTALLATION * INSTALLING VIRUSSCAN FOR WINDOWS NT * VirusScan requires Windows NT 4.0 Service Pack 4 to run. Before you install VirusScan, verify that your system has Windows NT 4.0 and NT Service Pack 4 installed, then follow the steps below. If you plan to run VirusScan with Windows NT 3.51, verify that you have installed Windows NT v3.51 Service Pack 5. VirusScan for Windows NT functions best with, but does not require, Service Pack 5. 1. Make sure you have Administrator rights for the workstation on which you are installing VirusScan. 2. Run SETUP.EXE and follow the prompts. NOTE: If you uninstall VirusScan in order to install an upgrade, Network Associates recommends that you first reboot the system before you install the upgrade version. __________________________________ PERFORMING A "SILENT INSTALLATION" If you want to deploy VirusScan as your standard anti-virus security application, you can use the program’s "silent" installation feature to set up VirusScan on each network node with little or no interaction from end users or other administrators. During a silent installation, Setup does not display any of its usual wizard panels or windows, or offer the end user any configuration options. Instead, you preset these choices and run Setup in the background on each target workstation. If you wish, you can even install VirusScan on any unattended servers, provided you have all of the necessary administrative privileges. A silent installation consists of two major steps. First, you must install the same VirusScan components on your administrative computer that you want Setup to install on each target server. A special Setup mode records the choices you make during installation and preserves them in a configuration file called SETUP.ISS. Next, you must use a different Setup mode to install an identical VirusScan configuration on each target system. Setup will use the SETUP.ISS file you create in the first step to guide each subsequent installation you perform. NOTE: Silent installations use the system account for installation. This can mean that some VirusScan features will not function after installation. See Known Issue #3 earlier in this file for details. * RECORDING YOUR PREFERENCES * To record your installation preferences, follow these steps: 1. Look for an existing SETUP.ISS file inside the \WINDOWS, the \I386 or the \WINNT folder on your administrative computer. If you find a file with that name there, rename it or delete it. As you record your installation preferences, Setup will save them into a new SETUP.ISS file in the same location. 2. Choose Run from the Start menu in the Windows taskbar. The Run dialog box will appear. 3. Type :\SETUP.EXE -R in the text box provided, then click OK. Here, represents the drive letter for your CD-ROM drive or the path to the folder that contains your extracted VirusScan files. The -R tells Setup to run in its “record” mode. NOTE: If your VirusScan copy came on a VirusScan Security Suite or a Total Virus Defense CD-ROM disc, you must also specify which folder contains VirusScan for Windows NT. See the CONTENTS.TXT file included with either product suite for details. 4. Follow the instructions outlined in each wizard panel to choose the components and the settings you want each of the target workstations to have. Setup notes the choices you make at each step and records them as entries in SETUP.ISS. NOTE: Take particular care during this initial installation to respond to any questions that appear in the wizard panels and to follow the installation steps in the sequence presented, or the silent installation you run later will abort. You may not backtrack during the installation to change your settings. To specify different options, you will need to begin the installation again in order for Setup to record your choices correctly. If you plan to install VirusScan on unattended workstations, be sure to specify options that do not require user interaction. 5. Once you’ve completed the installation, click Finish to quit Setup. * EDITING THE SETUP.ISS FILE * If you want Setup to silently install VirusScan in a particular directory, or if you want Setup to silently uninstall previous VirusScan versions before it installs another version, you will need to edit the SETUP.ISS file you created when you installed VirusScan on your administrative computer or workstation. To make network administration easier, for example, you might want to install all of your VirusScan copies in the same directory on each network node. SETUP.ISS is simply a specially formatted text file similar to configuration files such as WIN.INI or SYSTEM.INI. You can open it in any text editor and change any of its entries to suit your needs. NOTE: Network Associates recommends that you make only limited changes to the SETUP.ISS file. If you want complete control over the installation process, or if you want to specify the configuration options for each copy of VirusScan in advance, you can use ISeamless, a powerful Network Associates scripting tool designed for this purpose. Contact Network Associates technical support for details. Specifying an Installation Directory SETUP.ISS specifies an installation directory as a value for the variable szDir, which you’ll find listed beneath the header [SdSetupType-x]. By default, this entry reads: [SdSetupType-0] szDir=C:\Program Files\Network Associates\NetShld\ Result=XXX Possible values for XXX will normally include 301, 302, or 303, depending on which options you chose when you recorded your initial installation. To specify a different installation directory, replace the path shown with the path you want. The installation directory you specify here will override the default installation directory on each target system. To tell Setup to determine where to install the program files on the target computer, add 100 to the value shown at XXX so that, for example, 301 becomes 401. This tells each target computer to disregard the szDir variable and to assign a directory for the files that reflects the organization of that computer's operating system. Uninstalling Previous VirusScan Versions To tell Setup to remove previous VirusScan versions before installing an updated version, open SETUP.ISS in a text editor, scroll to the bottom of the file, then add this line: Preserve=0 Next, save the file in text format, then quit your text editor. NOTE: Setup creates a unique SETUP.ISS file for each Network Associates product on each platform. You must use the file that corresponds to the operating system running on the target workstation. You may not, for example, use a SETUP.ISS file created during a VirusScan for Windows 95 installation to control a VirusScan for Windows NT installation. Network Associates recommends that you use the SETUP.ISS file you created to perform a test installation on a single workstation before you use it to deploy VirusScan across your network. * RUNNING A SILENT INSTALLATION * Once you have a SETUP.ISS file that lists all of the components and settings you want each workstation on your network to have, you can replicate these settings exactly for every VirusScan copy you install. You can run a silent installation in a variety of ways, and with different levels of interaction with network users. You can, for example, create a script for your users that runs a silent VirusScan installation as soon as they connect to an authentication server, with no further interaction beyond that needed to log in. You can also ask your users or other administrators to run the installation from a designated server. Still other options include deploying VirusScan through a network management application such as Zero Administration Client (ZAC) from Network Associates, System Management Server (SMS) from Microsoft, or similar packages. Whichever method you choose, you must first prepare the VirusScan package for installation, then run Setup in its silent mode. Follow these steps: 1. Copy the VirusScan installation files from the VirusScan CD-ROM disc or the folder on your administrative computer in which your store them to a VirusScan directory on a central server. Your users or your network management application will install VirusScan from this server. 2. Locate the SETUP.ISS file stored in the VirusScan directory on the central server. Rename or delete this file. 3. Copy the SETUP.ISS file you created when you ran the recorded installation on your administrative computer to the VirusScan directory on the central server. You’ll find the file you need to copy in the WINNT directory on your administrative computer. Once you finish this step, your users or your network management application can run Setup in its silent mode to replicate the installation you recorded. To run Setup in silent mode, include the line :\SETUP.EXE -S in any login script you write or any instructions to your users that describe how to run Setup. In this line, represents the path to the folder on the server that contains the VirusScan installation files and the SETUP.ISS file you created. The -S tells Setup to run in silent mode. By default, Setup restarts the workstation when it has finished installing files. If you do not want Setup to reboot each target workstation, you must edit the SETUP.ISS file you created during your recorded installation. Here, you would change the value in the BootOption entry beneath the heading [sdFinishReboot - 0] from its current value to zero (0). This tells Setup not to force the target workstation to reboot. As a further step toward enforcing a consistent anti-virus security policy across your network, you can also copy a configuration file with the options you want your users to have into the installation directory on each workstation. You can also use password protection to prevent unauthorized changes to the configuration settings you chose. To preset your configuration options so that VirusScan installs with them already in place, use the Network Associates ISeamless scripting utility. This utility gives you complete control over installation and configuration options. Contact your sales representative or Network Associates technical support for details. * COMPONENTS INSTALLED WITH VIRUSSCAN * Component Supported Systems --------- ----------------- 1. VirusScan Console Windows NT Workstation 2. VirusScan Task Manager Windows NT Workstation 3. McShield on-access Windows NT Workstation scanner 4. Alert Manager Windows NT Workstation * PRIMARY PROGRAM FILES FOR VIRUSSCAN * Files located in the Install directory: ======================================= 1. Installed for the Alert Manager/Console/Server: README.1ST = Network Associates information MCARCHIV.DLL = Archive library file MCCOMM.DLL = NetWare communications MCKRNL32.DLL = Cross-platform file MCRPC.DLL = RPC library MCRUTIL.DLL = NetWare utility library MCUTIL32.DLL = Multipurpose file SHUTIL.DLL = NT utility library AMGRCNFG.EXE = Alert Manager configuration program MCSEVSHL.EXE = Service installation SCNCFG32.EXE = Task configuration SCNSTAT.EXE = Task statistics SHCFG32.EXE = On-access scanning configuration SHSTAT.EXE = Shield status monitor program SVCPWD.EXE = Service account configuration program VALIDATE.EXE = Network Associates file validation program VIRNOTFY.EXE = Notification utility WCMDR.EXE = Uninstall helper MCCONSOL.HLP = Console help PKGDESC.INI = Update description file WCMDR.INI = Uninstall helper WCMDRSIL.INI = Silent uninstall helper DEISL1.ISU = Uninstall file PACKING.LST = Packing list NAIFILTR.SYS = System files RESELLER.TXT = Network Associates authorized resellers WHATSNEW.TXT = This document 2. Installed for Alert Manager: SAMPLE.CMD = Sample alert command file DMIALERT.DLL = DMI alerting library MCALSNMP.DLL = SNMP alerting MCSERVIC.DLL = Service installation library POWERP32.DLL = Alert manager paging AMGRSRVC.EXE = Alert manager service program ALRTMGR.HLP = Alert manager help file ANTIVIRI.MIB = SNMP trap template NAI.MIB = SNMP trap template MODEMS.TXT = List of modems and initialization strings OHNO.WAV = Alert message sound file WARNING.WAV = Default alert sound file CENTALRT.TXT = Centralized alerting file 3. Installed for the Console: SHIELD.CNT = Help link file BROWSENT.DLL = NT browser library INETWH16.DLL = Help file library INETWH32.DLL = Help file library REGEMUL.DLL = Registry emulator library IMPTASK.EXE = Import task file MCCONSOL.EXE = Console manager MCREGEDT.EXE = Network Associates registry editor MCUPDATE.EXE = AutoUpdate file SETBROWS.EXE = Sets default browser SHIELD.HLP = On-access scanning help 4. Installed for the VirusScan Task Manager: SCAN32.EXE = On-demand scanner VIRUSCAN.CNT = Help link file CLEAN.DAT = Virus clean definition data NAMES.DAT = Virus names definition data SCAN.DAT = Virus definition data LICENSE.DAT = Virus definition data MESSAGES.DAT = Virus definition data SHLDMSG.DAT = Virus definition data MCSCAN32.DLL = Scan32 main library MCSERVIC.DLL = Service installation library VSTSKMGR.EXE = VirusScan Task Manager service MCSHIELD.EXE = VirusScan on-access service NAIANN.DLL = Library file that handles communications between the McShield service and the Task Manager service VIRUSCAN.HLP = Scan 32 help VIRUSSCAN ACTIVITY LOG.TXT = VirusScan Activity Log DEFAULT.VSC = Default scan32 values Files located in %SYSTEMROOT%\SYSTEM32: ======================================= 1. Installed for the Console/Server/Alert Manager: CTL3D32.DLL = 32-bit 3D Windows controls library DSSDATA.DLL = on-access scanning library Files located in %SYSTEMROOT%\SYSTEM32\DRIVERS: =============================================== 1. Installed for the on-access scanner: NAIFSREC.SYS = System files * TESTING YOUR INSTALLATION * The Eicar Standard AntiVirus Test File is a combined effort by anti-virus vendors throughout the world to implement one standard by which customers can verify their anti-virus installations. To test your installation, copy the following line into its own file, then save the file with the name EICAR.COM. X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* The file size will be 69 or 70 bytes. Next, start your anti-virus software and allow it to scan the directory that contains EICAR.COM. When your software scans this file, it will report finding the EICAR virus. Note that this file is NOT A VIRUS. Delete the file when you have finished testing your installation to avoid alarming unsuspecting users. * UNINSTALLING VIRUSSCAN * To remove VirusScan from your workstation, run the uninstallation utility that comes with the program. You can run this utility in normal or "silent" mode. To do so, follow these steps: 1. Open a Command Prompt window in Windows NT. 2. Type either of these lines at the command line: a. To uninstall VirusScan with no special options, type X:\Progra~1\Networ~1\VirusS~1\wcmdr.exe followed by this argument: -iD:\PROGRA~1\NETWOR~1\VIRUSS~1\WCmdr.ini Here X: represents the drive on which you have VirusScan installed. If you have installed VirusScan to a different drive or directory, substitute the correct path at the command line. Both the command and its argument should appear on the same line. b. To uninstall VirusScan "silently," type: X:\Progra~1\Networ~1\VirusS~1\wcmdr.exe followed by this argument: -iD:\PROGRA~1\NETWOR~1\VIRUSS~1\Wcmdrsil.ini Again, X: represents the drive on which you have VirusScan installed. If you have installed VirusScan to a different drive or directory, substitute the correct path at the command line. Both the command and its argument should appear on the same line. * UNINSTALLING VIRUSSCAN WITHOUT THE UNINSTALLATION UTILITY * 1. Before starting, follow these two substeps: a. Run the Windows NT utility RDISK to create an emergency repair disk. b. Run the command UNLODCTR MCSHIELD from the Windows NT command line to stop the registry from recording performance counter information for the McShield service. 2. Open the Windows NT Services Control Panel, then stop the Network Associates Task Manager service, the Network Associates McShield service, and the Network Associates AlertManager service. 3. Stop the VirusScan console if running. 4. Using the NT Task Manager, end the SHSTAT process. 5. If you use SNMP, stop the SNMP service in Control Panel/Services. 6. Delete the VirusScan installation directory (the directory that contains the VirusScan executables). 7. Delete this device driver file from %SYSTEMROOT% \SYSTEM32\DRIVERS NAIFSREC.SYS Delete this file from %SYSTEMROOT%\SYSTEM32\ DSSDATA.DLL 8. If you are using Windows NT 4.0 and if VirusScan was set to load at startup, remove the following registry keys: HKLM\software\microsoft\windows\CurrentVersion\Run \Shstatexe HKLM\software\microsoft\windows\CurrentVersion \uninstall\VirusScan NT 9. Remove VirusScan installation registry keys: HKLM\software\mcafee\mcalsnmp HKLM\software\network associates\VirusScan for Windows NT HKLM\software\mcafee\virusscan HKLM\software\mcafee\alertmanager (Do not remove this key if you have other Network Associates products installed that use Alertmanager.) 10. Remove VirusScan device driver and service registry keys: HKLM\system\CurrentControlSet\Services\Alertmanager HKLM\system\CurrentControlSet\Services\NaiFilter HKLM\system\CurrentControlSet\Services\NaiFsrec HKLM\system\CurrentControlSet\Services\McShield HKLM\system\CurrentControlSet\Services\McTaskManager 11. If you are using Windows NT 4.0 and the context-sensitive scanning option was installed, remove the following registry keys: HKLM\software\classes\comfile\shell\virusscan HKLM\software\classes\directory\shell\virusscan HKLM\software\classes\drive\shell\virusscan HKLM\software\classes\exefile\shell\virusscan HKLM\software\classes\word.document.6\shell\virusscan HKLM\software\classes\word.document.8\shell\virusscan HKLM\software\classes\word.template\shell\virusscan 12. If you are using Windows NT 4.0 and you want to remove the Scan for Viruses right-click option, remove the following registry keys: HKCR\comfile\shell\VirusScan HKCR\Directory\shell\VirusScan HKCR\Drive\shell\VirusScan HKCR\exefile\shell\VirusScan HKCR\Excel.Addin\shell\VirusScan HKCR\Excel.Chart.5\shell\VirusScan HKCR\Excel.Macrosheet\shell\VirusScan HKCR\Excel.Sheet.5\shell\VirusScan HKCR\Excel.Template\shell\VirusScan HKCR\Excel.Workspace\shell\VirusScan HKCR\Excel.XLL\shell\VirusScan HKCR\exefile\shell\VirusScan HKCR\WinZip\shell\VirusScan HKCR\Word.Document.6\shell\VirusScan HKCR\Word.Template\shell\VirusScan 13. To remove SNMP extension agent, remove the following registry value: HKLM\system\CurrentControlSet\services\SNMP\parameters\ ExtensionAgent\McAlSNMP 14. Since entries in HkeyClassesRoot are not derived from a hive, it is unneccessary to delete these keys manually. When you reboot, VirusScan-specific keys under HkeyClassesRoot will be removed. 15. Reboot the system. * CREATING AN EMERGENCY DISK * This version of VirusScan for Windows NT includes a utility that allows you to create an emergency boot disk that can scan your workstation for boot-sector viruses. Use this disk to restart your workstation if VirusScan detects a boot-sector virus during installation, or to scan for boot-sector or memory-resident viruses any time thereafter. The emergency disk utility consists of a floppy disk image file (EDISK.IMG), a disk-copy program (NAIDSKIM.EXE), and a batch file (MAKEDISK.BAT) that starts the utility to copy the disk image. To create the emergency disk, follow these steps: 1. Click Start in the Windows taskbar, then choose Run. 2. Click Browse in the Run dialog box to open a dialog box you can use to locate the file MAKEDISK.BAT. You'll find this file in the \VirusScan\EDU directory. 3. Choose the file, then click OK in the Run dialog box to start the batch file. The batch file will open a Command Line Prompt window and will ask you to insert a write-capable floppy disk into your floppy drive. 4. Insert a blank, unlocked floppy disk into your floppy drive, then press any key on your keyboard to continue. MAKEDISK.BAT will copy these files onto the floppy disk: AUTOEXEC.BAT BIOS.SYS BOOTSCAN.EXE CLEAN.DAT COMMAND.COM GETREPLY.EXE KERNEL.SYS NAMES.DAT SCAN.DAT 5. When the batch file has finished, press any key on your keyboard to continue. 6. Click the close box in the upper right corner of the Command Prompt window to exit. 7. Copy to the disk you just created any other utilities you need to start your computer, debug your system software, manage any extended or expanded memory you have, or perform other tasks at startup. If you use a disk compression utility, be sure to copy the drivers you need to uncompress your files. 8. When you have finished copying files to the emergency disk, remove it from your floppy drive, label it, lock it, and store it in a safe place. NOTE: A locked floppy disk shows two holes near the edge of the disk opposite the metal shutter. If you don’t see two holes, look for a plastic sliding tab at one of the disk corners, then slide the tab until it locks in an open position. Because no software can save to a locked disk, viruses cannot infect files stored on one. __________________________ FREQUENTLY ASKED QUESTIONS Regularly updated lists of frequently asked questions about Network Associates products also are available on the Network Associates BBS and website, and on CompuServe and America Online. Q: How can I scan mapped Novell drives with scheduled on-demand scans? A: If you want to scan any Novell-server drives (mapped or via UNC) from scheduled tasks, you must create the same account/password on the Novell server as used by VirusScan services on your Windows NT workstation. Q: As an administrator, how can I scan private directories that are accessible only to individual users? A: On-demand (scheduled) scans are launched by the VirusScan Task Manager service. If you specify a user name and password for the service, then the scheduled scan will only scan directories for which the service name has privileges. If no user name was specified, then the service has SYSTEM privileges. To perform an on-demand, or scheduled, scan of private directories, the VirusScan Task Manager service must have access to these private areas. Following are two ways to address this issue: Solution A: 1. Create a custom user name to be used by the Service. 2. Give this user name privileges to access the private spaces. Considerations with Solution A: This account can be used to access the private directories. To prepare these directories with proper rights, open a DOS prompt and enter: CACLS /E /G (domain name)\(service account name) Enter CACLS at the DOS prompt to get a complete list of options. Solution B: 1. Do not associate a user name to the Service. 2. Give SYSTEM privileges to access the private spaces. Considerations with Solution B: Someone could create or use a Service to access your information. Network Associates recommends Solution B as a more secure solution. Q: VirusScan will not perform an on-demand (scheduled) scan of some network drives. Why? A: It is possible that the user name you are using for the VirusScan Task Manager service does not have sufficient rights to scan the drives in question. To verify whether this is the issue, connect to each drive using the user name and password utilized by the VirusScan Task Manager service from the workstation where the service is running. Confirm that this user name has rights on the device by manually running an on-demand scan. If you can scan the device while you're logged in, then the service should also be able to do it as a scheduled scan. When scanning remote locations, Network Associates recommends using the UNC path for scheduled tasks. Q: My scheduled tasks do not run when the VirusScan Task Manager service is stopped. Why? A: The VirusScan Task Manager service is responsible for starting scheduled on-demand tasks and AutoUpdate tasks. If the VirusScan Task Manager service is stopped, all of these tasks are disabled. Q: Can I update VirusScan's data files to detect new viruses? A: Yes, VirusScan now includes the Network Associates AutoUpdate and AutoUpgrade components, which offer powerful updating capabilities that ensure that you have the latest VirusScan files installed. AutoUpdate can automatically update the VirusScan data (.DAT) files the program uses to detect viruses. AutoUpgrade can automatically download new VirusScan program versions. If you need additional assistance with downloading, contact Network Associates Download Support at (408) 988-3832. Q: How do I disable VirusScan's on-access scanner? A: You can now enable or disable the on-access scanning component in VirusScan both from the graphical user interface and from an NT Command Prompt window. To learn how to do so, see item 12 in "Additional Information" later in this file. Q: Can I run a silent installation that removes previous VirusScan versions before Setup installs a new VirusScan version? A: Yes. To do so, however, you must edit the SETUP.ISS file you create when you record your initial installation. To learn how to do so, see "Editing the SETUP.ISS File" earlier in this file. ______________________ ADDITIONAL INFORMATION 1. After completing your installation or upgrade of VirusScan, Network Associates recommends that you reboot your computer before you use VirusScan. 2. VirusScan automatically excludes a Microsoft Exchange database directory if the following Windows NT Registry key exists: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \MSExchangeIS\ParametersSystem\DB Log This entry allows VirusScan Task Manager service to look for Microsoft Exchange Server each time it starts. This exclusion is needed to avoid potential mail database corruption in the event that VirusScan detects an infected file. Note: If Microsoft Exchange Server is installed, an entry will be visible in the VirusScan Properties Exclusions tab. 3. SVCPWD.EXE is a utility for setting or changing usernames and passwords that the Network Associates services use. SVCPWD requests one command-line parameter which is a filename (e.g., computers.txt). Use SVCPWD /? to get additional information about command-line options. This file (e.g., computers.txt) contains a list of all the computers that you want to modify the service accounts (username and password)for. Example: \\COMPUTER1 \\COMPUTER2 \\SERVER Start the SVCPWD utility by entering the file as command-line (i.e. SVCPWD computers.txt). This utility contacts all the computers via the network and changes the username and password originally given to the Network Associates service. The username and password are changed to the value that you set when you start the utility. All service accounts must be set to user "LocalSystem". If a domain\username is entered, then the SVCPWD utility will require a password for the domain\username. When this is completed, the utility contacts all the computers and changes the settings. Note 1: The domain\username that is used by the services needs to be an administrative account. Note 2: The person running this utility must have an administrative account for all the computers that require such changes. Note 3: Do not run this utility during an on-demand scan operation. 4. When using an ISeamless Install Script, and running setup in standard or silent mode without any parameters, setup requires that the custom installation file produced by ISeamless be named admin.sis or oem.sis. 5. If VirusScan finds an older version of the file WININET.DLL during installation, it upgrades the file to the current version. 6. If you are running any other anti-virus product on the system, please exclude that product's installation directory within the VirusScan Properties Exclusions tab. 7. When installing VirusScan to remote systems on your network, the destination systems must have a proper security relationship (i.e., they must reside on the same domain or share a trust relationship, and the account being used must have Administrator privileges on the machine being installed to) with the system you are performing the installation from. If the computers do not have a proper security relationship, the remote installation will not be performed properly. 8. If compressed file scanning is turned on, VirusScan temporarily uses additional harddrive space when scanning compressed files (i.e., ZIP, LZH/LHA, UUENCODE, etc.). 9. When performing a silent installation using the default SETUP.ISS file, via either AutoUpgrade or the command setup -s, your service user resets to the LocalSystem account and the workstation reboots if necessary when the installation is completed. If you wish to keep your settings, record your own SETUP.ISS file for use during silent installations (see the VirusScan User's Guide for detailed information on creating your own setup.iss file). 10. By default, VirusScan's on-access scanning component does not have heuristic scanning activated. You can activate this feature by entering the values shown for the REG_DWORD entries in these registry keys: HKEY_LOCAL_MACHINE\Software\McAfee\VirusScan\McShield\CurrentVersion dwMacroHeuristicsLevel:REG_DWORD:0 or 1 dwProgramHeuristicsLevel:REG_DWORD:0 or 1 11. The new NAI.MIB and ANTIVIRI.MIB files included with this release improve the data reporting capabilities of SNMP traps sent via Alert Manager. You can compile these files into your SNMP management utility so that the utility can decode traps sent from Alert Manager. Some SNMP managers also allow you to write scripts that will act on the information received via the SNMP traps. New alert items include: ALERT NAME WHAT IT REPORTS naiTrapAgent Names the agent that sent the trap naiTrapAgentVersion Gives the version of the agent naiTrapSeverity Gives the severity code the alert message naiTrapDescription Describes the trap naiTrapAlarmSourceAddress Gives the IP or IPX address of the computer that sends the trap naiTrapAlarmSourceDNSName Lists the fully qualified DNS name or computer name naiTrapGMTTime Lists the GMT time at which the alert generation occurred naiTrapLocalTime Lists the time local to the computer that generated the trap naiTrapURL Gives a URL link to an HTML or FTP file naiTrapPseudoID Lists the Pseudo Trap ID or Message ID for the generated trap naiAntiVirusTrapAgentUser Lists the name of the active user account that generated the trap naiAntiVirusTrapInfectedFile Names the infected file that caused the computer to generate a trap naiAntiVirusTrapVirusName Names the infecting virus naiAntiVirusTrapTaskName Names the active task that generated the trap naiAntiVirusTrapStatus Gives the status of the file that caused the computer to send a trap naiAntiVirusTrapOS Lists the active operating system on the computer that sent the trap naiAntiVirusTrapEngineVersion Lists the version number of the VirusScan scan engine naiAntiVirusTrapDATVersion Lists the version number of the current .DAT file 12. To enable or disable VirusScan's on-access scanning component, you can use one of these methods: - You can disable on-access scanning from the VirusScan graphical user interface. To do so, first verify that the VirusScan shield icon appears in your system tray to the left of the clock. If the icon appears there, right-click it to display a shortcut menu, then choose Disable. The icon will appear with a red line through it, which indicates that on-access scanning is disabled. To enable on-access scanning again, right-click the icon, then choose Enable from the shortcut menu. If the icon does not appear in your system tray, verify that you have installed the on-access component correctly. - You can also disable VirusScan on-access scanning from a Windows NT Command Prompt window. To do so, open a Command Prompt window, then type: SHSTAT.EXE -DISABLE To enable on-access scanning again, type SHSTAT.EXE -ENABLE at the prompt. - You can disable and enable on-access scanning from VirusScan's AntiVirus Console. To do so, open the Console, then select the VirusScan On-Access Monitor task in the task list. Next, click the Stop button in the Console toolbar, or choose Disable from the Console's Scan menu. To enable the on-access component again, select the On-Access Monitor task, then click the Play button in the Console toolbar, or choose Enable from the Console's Task menu. 13. If you schedule an AutoUpdate or AutoUpgrade session that downloads the installation package from a NetWare server to an NT system, you can use the optional File Copy Utility shipped with VirusScan. To install this component, you must choose it as a Custom installation option during Setup. To learn more about this component, contact your PrimeSupport representative. _____________ DOCUMENTATION For more information, refer to the users guides for each product included on the CD-ROM or available from Network Associates electronic services. Each product user's guide is saved in Adobe Acrobat Portable Document Format (.PDF). You can view and print this document with Adobe's Acrobat Reader. PDF files can include hypertext links and other navigation features to assist you in finding answers to questions about your Network Associates product. To download Adobe Acrobat Reader from the World Wide Web, visit Adobe's website at: http://www.adobe.com/prodindex/acrobat/readstep.html To download documentation for Network Associates anti-virus software, visit the Network Associates FTP site at: ftp://www.nai.com/pub/manuals/total_virus_defense Additional contact information appears in the following section. Documentation feedback is welcome. Send e-mail to tvd_documentation@nai.com. _____________________________ CONTACTING NETWORK ASSOCIATES On December 1, 1997, McAfee Associates merged with Network General Corporation, Pretty Good Privacy, Inc., and Helix Software, Inc. to form Network Associates, Inc. The combined Company subsequently acquired Dr Solomon's Software and CyberMedia, Inc. Network Associates continues to market and support the product lines from each of the former entities. You may direct all questions, comments and technical support requests to the Network Associates Customer Care department at any of the addresses or phone numbers listed below. Contact the Network Associates Customer Care department at: 1. Phone (408) 988-3832 Monday-Friday, 6:00 A.M. - 6:00 P.M. Pacific time 2. Fax (408) 970-9727 24-hour, Group III Fax 3. Fax-back automated response system (408) 346-3414 Send correspondence to any of the following Network Associates locations: Network Associates Corporate Headquarters 3965 Freedom Circle McCandless Towers Santa Clara, CA 95054 Phone numbers for corporate-licensed customers: Phone: (408) 988-3832 Fax: (408) 970-9727 Phone numbers for retail-licensed customers: Phone: (972) 278-6100 Fax: (408) 970-9727 Network Associates offices outside the United States: Network Associates Australia Level 1, 500 Pacific Highway St. Leonards, NSW Sydney, Australia 2065 Phone: 61-2-8425-4200 Fax: 61-2-9439-5166 Network Associates Austria Pulvermuehlstrasse 17 Linz, Austria Postal Code A-4040 Phone: 43-732-757-244 Fax: 43-732-757-244-20 Network Associates Belgium Bessenveldtstraat 25a Diegem, Belgium - 1831 Phone: 32-3-716-4070 Fax: 61-2-716-4770 Network Associates do Brasil Rua Geraldo Flausino Gomez 78 Cj. - 51 Brooklin Novo - São Paulo SP - 04575-060 - Brasil Phone: (55 11) 5505 1009 Fax: (55 11) 5505 1006 Network Associates Canada 139 Main Street, Suite 201 Unionville, Ontario Canada L3R 2G6 Phone: (905) 479-4189 Fax: (905) 479-4540 Network Associates People's Republic of China New Century Office Tower, Room 1557 No. 6 Southern Road Capitol Gym Beijing People's Republic of China 100044 Phone: 86 10 6849-2650 Fax: 86 10 6849-2069 NA Network Associates Oy Sinikalliontie 9, 3rd Floor 02630 Espoo Finland Phone: 358 9 5270 70 Fax: 358 9 5270 7100 Network Associates France S.A. 50 Rue de Londres 75008 Paris France Phone: 33 1 44 908 737 Fax: 33 1 45 227 554 Network Associates GmbH Ohmstraße 1 D-85716 Unterschleißheim Deutschland Phone: 49 (0)89/3707-0 Fax: 49 (0)89/3707-1199 Network Associates Hong Kong 19th Floor, Matheson Centre 3 Matheson Way Causeway Bay Hong Kong 63225 Phone: 852-2832-9525 Fax: 852-2832-9530 Network Associates Srl Centro Direzionale Summit Palazzo D/1 Via Brescia, 28 20063 - Cernusco sul Naviglio (MI) ITALY Phone: 39 (0)2 9214 1555 Fax: 39 (0)2 9214 1644 Network Associates Japan, Inc. Toranomon 33 Mori Bldg. 3-8-21 Toranomon Minato-ku Tokyo 105-0001 Japan Phone: 81 3 5408 0700 Fax: 81 3 5408 0780 Network Associates Latin America 150 South Pine Island Road, Suite 205 Plantation, Florida 33324 United States Phone: (954) 452-1731 Fax: (954) 236-8031 Network Associates de Mexico Andres Bello No. 10, 4 Piso 4th Floor Col. Polanco Mexico City, Mexico D.F. 11560 Phone: (525) 282-9180 Fax: (525) 282-9183 Network Associates International B.V. Gatwickstraat 25 1043 GL Amsterdam The Netherlands Phone: 31 20 586 6100 Fax: 31 20 586 6101 Network Associates Portugal Av. da Liberdade, 114 1269-046 Lisboa Portugal Phone: 351 1 340 4543 Fax: 351 1 340 4575 Net Tools Network Associates South Africa Bardev House, St. Andrews Meadowbrook Lane Epson Downs, P.O. Box 7062 Bryanston, Johannesburg South Africa 2021 Phone: 27 11 706-1629 Fax: 27 11 706-1569 Network Associates South East Asia 78 Shenton Way #29-02 Singapore 079120 Phone: 65 222-7555 Fax: 65 222-7555 Network Associates Spain Orense 4, 4a Planta. Edificio Trieste 28020 Madrid Spain Phone: 34 91 598 18 00 Fax: 34 91 556 14 04 Network Associates Sweden Datavägen 3A Box 596 S-175 26 Järfälla Sweden Phone: 46 (0) 8 580 88 400 Fax: 46 (0) 8 580 88 405 Network Associates AG Baeulerwisenstrasse 3 8152 Glattbrugg Switzerland Phone: 0041 1 808 99 66 Fax: 0041 1 808 99 77 Network Associates Taiwan Suite 6, 11F No. 188, Sec. 5 Nan King E. Rd. Taipei, Taiwan, Republic of China Phone: 886-2-27-474-8800 Fax: 886-2-27-635-5864 Network Associates International Ltd. Minton Place, Victoria Street Windsor, Berkshire SL4 1EG United Kingdom Phone: 44 (0)1753 827 500 Fax: 44 (0)1753 827 520 Or, you can receive online assistance through any of the following resources: 1. Internet E-mail: support@nai.com 2. Internet FTP: ftp.nai.com 3. World Wide Web: http://support.nai.com 4. America Online: keyword MCAFEE 5. CompuServe: GO NAI To provide the answers you need quickly and efficiently, the Network Associates technical support staff needs some information about your computer and your software. Please have this information ready when you call: - Program name and version number - Computer brand and model - Any additional hardware or peripherals connected to your computer - Operating system type and version numbers - Network name, operating system, and version - Network card installed, where applicable - Modem manufacturer, model, and baud, where applicable - Relevant browsers or applications and their version numbers, where applicable - How to reproduce your problem: when it occurs, whether you can reproduce it regularly, and under what conditions - Information needed to contact you by voice, fax, or e-mail We also seek and appreciate general feedback. * FOR PRODUCT UPGRADES * To make it easier for you to receive and use Network Associates products, we have established a reseller's program to provide service, sales, and support for our products worldwide. For a listing of resellers, see the resellers.txt file or contact Network Associates Customer Care for resellers near you. * FOR REPORTING PROBLEMS * Network Associates prides itself on delivering a high-quality product. If you find any problems, please take a moment to review the contents of this file. If the problem you've encountered is documented, there is no need to report the problem to Network Associates. If you find any feature that does not appear to function properly on your system, or if you believe an application would benefit greatly from enhancement, please contact Network Associates with your suggestions or concerns. * FOR ON-SITE TRAINING INFORMATION * Contact Network Associates Customer Service at (800) 338-8754. * NETWORK ASSOCIATES BETA SITE * Get pre-release software, including .DAT files, through http://www.avertlabs.com. You will have access to Public Beta and External Test Areas. Your feedback will make a difference.