Page 5
Table of Contents Understanding the AutoUpgrade utility ......118 Configuring the AutoUpgrade utility ....... .119 Using the AutoUpgrade and SuperDAT utilities together .
Page 6
Appendix E. Network Associates Support Services ....185 Adding value to your McAfee product ......185 PrimeSupport options for corporate customers .
Preface Anti-virus protection as information security “The world changed [on March 26, 1999]—does anyone doubt that? The world is different. Melissa proved that ... and we are very fortunate ... the world could have gone very close to meltdown.” —Padgett Peterson, Chief Info Security Architect, Lockheed Martin Corporation, on the 1999 “Melissa”...
Page 8
In this way, Melissa almost made the need for viral code to spread itself obsolete—end users themselves cooperated in its propagation, and their own computers blindly participated. viii McAfee VirusScan Anti-Virus Software...
Page 9
Preface A rash of Melissa variants and copycats appeared soon after. Some, such as W97M/Prilissa, included destructive payloads. Later the same year, a number of new viruses and worms either demonstrated novel or unexpected ways to get into networks and compromise information security, or actually perpetuated attacks.
Part of the solution is deploying the McAfee Active Virus Defense* software suite, which provides a comprehensive, multi-platform series of defensive perimeters for your network. You can also build on that security with the...
Preface Active Virus Defense security perimeters The McAfee Active Virus Defense product suite exists for one simple reason: there is no such thing as too much anti-virus protection for the modern, automated enterprise. Although at first glance it might seem needlessly...
Page 12
The new AutoUpgrade version includes support for v1.2 of the McAfee SuperDAT utility, which you can use to update the Olympus scan engine and its support files.
200 to 300 viruses and variants appear each month, the .DAT files that enable McAfee software to detect and remove viruses can get quickly outdated. If you have not updated the files that originally came with your software, you could risk infection from newly emerging viruses.
• Magic Solutions. This division supplies the Total Service desk product line and related products • McAfee. This division provides the Active Virus Defense product suite and related anti-virus software solutions to corporate and retail customers. • PGP Security. This division provides award-winning encryption and...
The companies have continued this tradition by making their sites on the World Wide Web valuable resources for answers to technical support issues. McAfee encourages you to make this your first stop for answers to frequently asked questions, for updates to McAfee and Network Associates...
(801) 492-2650 Retail customers (801) 492-2600 Network Associates training For information about scheduling on-site training for any McAfee or Network Associates product, call Network Associates Customer Service at: (972) 308-9960. Comments and feedback McAfee appreciates your comments and reserves the right to use any information you supply in any way it believes appropriate without incurring any obligation whatsoever.
Java classes, ActiveX controls, dangerous websites, or viruses that your software does not now detect. Note that McAfee reserves the right to use any information you supply as it deems appropriate, without incurring any obligations whatsoever.
NA Network Associates Oy Lautruphoej 1-3 Mikonkatu 9, 5. krs. 2750 Ballerup 00100 Helsinki Danmark Finland Phone: 45 70 277 277 Phone: 358 9 5270 70 Fax: 45 44 209 910 Fax: 358 9 5270 7100 xviii McAfee VirusScan Anti-Virus Software...
Page 19
Preface Network Associates Network Associates France S.A. Deutschland GmbH 50 Rue de Londres Ohmstraße 1 75008 Paris D-85716 Unterschleißheim France Deutschland Phone: 33 1 44 908 737 Phone: 49 (0)89/3707-0 Fax: 33 1 45 227 554 Fax: 49 (0)89/3707-1199 Network Associates Hong Kong Network Associates Srl 19th Floor, Matheson Centre Centro Direzionale Summit...
Page 20
Suite 6, 11F, No. 188, Sec. 5 227 Bath Road Nan King E. Rd. Slough, Berkshire Taipei, Taiwan, Republic of China SL1 5PP Phone: 886-2-27-474-8800 United Kingdom Fax: 886-2-27-635-5864 Phone: 44 (0)1753 217 500 Fax: 44 (0)1753 217 520 McAfee VirusScan Anti-Virus Software...
“zombie” agents that assist in large-scale denial-of-service attacks from across the Internet. They do so also because they recognize how much value McAfee anti-virus research and development brings to their fight to maintain network integrity and service levels, ensure data security, and reduce ownership costs.
Page 22
At the same time, as the cornerstone product in the McAfee Active Virus Defense and Total Virus Defense security suites, VirusScan software retains the same core features that have made it the utility of choice for the corporate desktop.
The scan engine, meanwhile, combines the best features of technologies that McAfee and Dr Solomon researchers developed independently for more than a decade.
Page 24
This meant that the simple pattern-matching method that earlier scan engine incarnations used to find many viruses simply no longer worked, since no constant sequence of bytes existed to detect. To respond to this threat, McAfee researchers developed the PolyScan Decryption Engine, which locates and analyzes the algorithm that these types of viruses use to encrypt and decrypt themselves.
About VirusScan Software Still others open “back doors” into desktop systems or create security holes in a way that closely resembles a deliberate attempt at network penetration, rather than the more random mayhem that most viruses tend to leave in their wakes.
Page 26
Centralized Alerting messages, or supplement either method with Desktop Management Interface (DMI) alerts sent via your DMI client software. • The ScreenScan utility. This optional component scans your computer as your screen saver runs during idle periods. McAfee VirusScan Anti-Virus Software...
Page 27
About VirusScan Software • The SendVirus utility. This component gives you an easy and painless way to submit files that you believe are infected directly to McAfee anti-virus researchers. A simple wizard guides you as you choose files to submit, include contact details and, if you prefer, strip out any personal or confidential data from document files.
Page 28
The dialog boxes with Help buttons open the help file to the specific topic that describes the entire dialog box. McAfee VirusScan Anti-Virus Software...
Chapter 2, “Installing VirusScan Software” in the VirusScan Administrator’s Guide. This VirusScan version also comes with complete support for the McAfee ePolicy Orchestrator software distribution tool. A specially packaged VirusScan version ships with the ePolicy Orchestrator software, ready for enterprise-wide distribution. You can distribute VirusScan software, configure it from the ePolicy Orchestrator console, update that configuration and any program or .DAT files at any time, and schedule scan operations, all...
Page 30
• System Scan module action options now include a new Prompt Type configuration option for Windows 95 and Windows 98 systems. This option lets you determine how the Prompt for user action alert appears. McAfee VirusScan Anti-Virus Software...
Page 31
VirusScan software still requires regular .DAT file updates to keep pace with the 200 to 300 new viruses that appear each month. To meet this need, McAfee has incorporated updating technology in VirusScan software from its earliest incarnations. With this release, that technology takes a quantum leap forward with incremental .DAT...
Page 32
About VirusScan Software McAfee VirusScan Anti-Virus Software...
VirusScan program files to your computer’s hard disk. The second option copies selected components to the target workstation. McAfee distributes VirusScan software in two ways: as an archived file that you can download from the McAfee website or from other electronic services, and on CD-ROM disc.
Installation steps McAfee recommends that you first quit all other applications you have running on your system before you start Setup. Doing so reduces the possibility that software conflicts will interfere with your installation.
Page 35
Installing VirusScan Software 2. Choose Run from the Start menu in the Windows taskbar. The Run dialog box will appear (Figure 2-1). Figure 2-1. Run dialog box 3. Type <X>:\SETUP.EXE in the text box provided, then click OK. Here, <X> represents the drive letter for your CD-ROM drive or the path to the folder that contains your extracted VirusScan files.
Page 36
Next> to continue. 6. The next wizard panel displays the VirusScan software end-user license agreement. Read this agreement carefully—if you install VirusScan software, you agree to abide by the terms of the license. McAfee VirusScan Anti-Virus Software...
Page 37
Installing VirusScan Software If you do not agree to the license terms, select I do not agree to the terms of the License Agreement, then click Cancel. Setup will quit immediately. Otherwise, click I agree to the terms of the License Agreement, then click Next>...
Page 38
Setup can continue without conflicts. NOTE: McAfee strongly recommends that you remove incompatible software. Because most anti-virus software operates at a very low level within your system, two anti-virus programs that compete for access to the same files or that perform critical operations can make your system very unstable.
Page 39
Installing VirusScan Software The options in this panel govern whether others who use your computer can make changes to the configuration options you choose, can schedule and run tasks, or can enable and disable VirusScan components. VirusScan software includes extensive security measures to ensure that unauthorized users cannot make any changes to software configurations in Maximum Security mode.
Page 40
Custom Installation. This option starts with the same components as the Typical setup, but allows you to choose from among these additional items: – The VShield E-Mail Scan, Download Scan, and Internet Filter modules – The ScreenScan utility McAfee VirusScan Anti-Virus Software...
Page 41
Installing VirusScan Software To learn more about what each component does, see “What comes with VirusScan software?” on page 29 of the VirusScan User’s Guide. 11. Choose the option you prefer, then click Next> to continue. If you chose Custom Setup, you’ll see the panel shown in Figure 2-8.
Page 42
Setup first removes any incompatible software from your system. It then copies VirusScan program files to your hard disk. When it has finished, it displays a panel that asks if you want to configure the product you installed (see Figure 2-10 on page 43). McAfee VirusScan Anti-Virus Software...
Page 43
Installing VirusScan Software Figure 2-10. Completing Setup panel 15. At this point, you can: • Finish your installation. Leave the Scan Memory for Viruses before Configuring checkbox clear, then click Skip Config to finish your installation. Setup will ask if you want to start the VShield scanner and the VirusScan Console immediately.
Page 44
After the utility creates the disk, it returns to the regular Setup sequence. Clear this checkbox to skip the Emergency Disk creation. You can start the utility at any time after installation. McAfee VirusScan Anti-Virus Software...
Page 45
Installing VirusScan Software • Run Default Scan for Viruses after Installation. This option is active by default. The option tells Setup to finish the installation, then to run the VirusScan application immediately afterwards to scan your entire startup partition. The application will alert you if it finds any viruses on this partition, but otherwise will quit without any further notice.
Page 46
19. When you have chosen the option you want, click Next>. If you chose to run an AutoUpdate operation immediately, the utility will connect to the McAfee website to download new incremental .DAT files. After it finishes, the Setup sequence will resume.
Installing VirusScan Software Figure 2-13. Successful Installation panel 20. To do so, select the Start VirusScan checkbox, then click Finish. The VirusScan software “splash screens” will appear, and the VShield scanner and VirusScan Console icons will appear in the Windows system tray.
Page 48
The special .DAT files have these names: • EMCLEAN.DAT • EMNAMES.DAT • EMSCAN.DAT McAfee periodically updates these .DAT files to detect new boot-sector viruses. You can download new Emergency .DAT files from this location: http://www.nai.com/asp_set/anti_virus/avert/tools.asp NOTE: McAfee recommends that you download new Emergency .DAT files directly to a newly formatted floppy disk in order to reduce the risk of infection.
Page 49
Installing VirusScan Software 1. Click Next> to continue. The next wizard panel appears (Figure 2-15). Figure 2-15. Second Emergency Disk panel If your computer runs Windows NT Workstation or Windows 2000 Professional, the wizard tells you that it will format your Emergency Disk with the NAI-OS.
Page 50
Click Finish to quit the wizard when it has created your disk. Next, remove the disk from your floppy drive, lock it, label it McAfee Emergency Boot Disk and store it in a safe place.
Page 51
Emergency Disk to start your computer. Follow these substeps: a. Insert an unlocked and unformatted floppy disk into your floppy drive. McAfee recommends that you use a completely new disk that you have never previously formatted to prevent the possibility of virus infections on your Emergency Disk.
Page 52
If you don’t see two holes, look for a plastic sliding tab at one of the disk corners, then slide the tab until it locks in an open position. McAfee VirusScan Anti-Virus Software...
In some cases, however, the Microsoft Installer (MSI) will need to replace or initialize certain files, or previous McAfee product installations might require you to remove files in order for VirusScan software to run correctly. These requirements can also vary for each supported Windows platform.
IMPORTANT: This file is n ot a virus— it cannot spread or infect other files, or otherw ise harm your system . D elete the file w hen you have finished testing your installation to avoid alarm ing other users. McAfee VirusScan Anti-Virus Software...
1. Click Start in the Windows taskbar, point to Settings, then choose Control Panel. 2. Locate and double-click the Add/Remove Programs control panel. 3. In the Add/Remove Programs Properties dialog box, choose McAfee VirusScan v4.5.0 in the list, then click Add/Remove. Setup will start and display the first Maintenance wizard panel (Figure 2-21).
Page 56
• Remove. Select this option to remove VirusScan software from your computer completely. Setup will ask you to confirm that you want to remove the software from your system (see Figure 2-23 on page 57). McAfee VirusScan Anti-Virus Software...
Installing VirusScan Software Figure 2-23. Remove the Program panel 6. Click Remove. Setup will display progress information as it deletes VirusScan software from your system. When it has finished, click Finish to close the wizard panel. Installing VirusScan software on other computers The next sections describe how to install VirusScan software over your network, to many workstations at once, and with various custom configurations.
NOTE: You can run Setup from the command line only to install VirusScan software to a local computer. To install the software over a network, you must use McAfee Management Edition or ePolicy Orchestrator software. To do so, click Start in the Windows taskbar, then choose Run. Next, enter the command line you want to use in the Run dialog box, then click OK.
Page 59
Installing VirusScan Software – PRESERVESETTINGS. This property tells Setup whether it should retain the configuration options you used for previous VShield scanner installations. By default, its value is True. – REBOOT. This property tells Setup whether it should restart your computer.
Page 61
Installing VirusScan Software Installing to a custom directory To install VirusScan software to a custom directory, add the INSTALLDIR property to the command line, then follow the property with a value for the directory you want to use. To install VirusScan software to C:\My Anti-Virus Software, for example, type this line at the command prompt: setup INSTALLDIR= “c:\My Anti-Virus Software”...
Page 62
41) will show only the components you specify as those available for installation. If you use these same examples to specify a component set for installation, Setup will install only the components you specified during a Typical installation. McAfee VirusScan Anti-Virus Software...
Page 63
Installing VirusScan Software Setting reboot options You can force or prevent the target computer from restarting during the installation. To do this, add the REBOOT property to the command line. REBOOT=F forces the restart, while REBOOT=R prevents the restart. If you must first install the Windows Installer service on a target computer, Setup will require you to restart whether you force or prevent a restart for other reasons.
Page 64
Without the /LSCRIPT option, Setup will run and, if you do not have MSI v1.1 installed or if you have a previous VirusScan version on the target computer, will require the target computer to restart. Before it does so, however, it places a flag in the Windows RunOnce registry key. McAfee VirusScan Anti-Virus Software...
VirusScan installation package to a local directory on the target computer. You may not use a login script to install VirusScan software from elsewhere on your network. To install VirusScan software from a remote location on the network, use McAfee Management Edition or McAfee ePolicy Orchestrator management software. ...
Using ePolicy Orchestrator to deploy VirusScan software ePolicy Orchestrator management software provides a single point of control for all of your McAfee anti-virus products. It is a scalable anti-virus management tool that provides centralized policy management and enforcement, software distribution, and extensive reporting features.
Installing VirusScan Software With the ePolicy Orchestrator server, console, and agent you can manage a single database and software repository from any location on your company’s network. Once you have installed the ePolicy Orchestrator server and console, and have loaded VirusScan software is loaded into the repository, you can use the console to push the agent onto the client machines.
Novell ZENworks documentation. Exporting VirusScan custom settings McAfee provides a small utility that you can use to put a VirusScan installation package together with all of the configuration settings you want to use for each target computer. McAfee releases this utility, the Custom Installation Creator, apart from the VirusScan product package.
Page 69
Installing VirusScan Software Table 2-1. MSI_INST.EXE command-line switches Option Purpose Usage IMPORT Import settings into a VirusScan /IMPORT<path and filename> installation from an .INI file you designate EXPORT Export settings from a VirusScan /EXPORT<path and filename> installation to an .INI file you designate EXPOPTIONS Export certain settings from...
Page 70
MSI_INST.EXE to read the exclusion settings from a previous .INI file and set new installation appropriately. You must use this option with the /PREVIOUS option. NOTE: You may use this option only to preserve VirusScan v4.0.2 and v4.0.3 settings. McAfee VirusScan Anti-Virus Software...
Removing Infections From Your System If you suspect you have a virus... First of all, don’t panic! Although far from harmless, most viruses that infect your machine will not destroy data, play pranks, or render your computer unusable. Even the comparatively rare viruses that do carry a destructive payload usually produce their nasty effects in response to a trigger event.
Page 72
The Emergency Disk will load the files it needs to conduct the scan operation into memory. If you have extended memory on your computer, it will load its database files into that memory for faster execution. McAfee VirusScan Anti-Virus Software...
Page 73
NOTE: McAfee strongly recommends that you do not interrupt the BOOTSCAN.EXE scanner as it runs its scan operation. The Emergency Disk will not detect macro viruses, script viruses, or Trojan horse programs, but it will detect common file-infecting and boot-sector viruses.
The VirusScan Console includes AutoUpdate and AutoUpgrade tasks you can use to update your .DAT files and the VirusScan engine. To learn how to update your software, see Chapter 6, “Updating and Upgrading VirusScan Software.”. McAfee VirusScan Anti-Virus Software...
You can, however, rely on McAfee researchers to identify and isolate the virus, then to update VirusScan software immediately so that you can detect and, if possible, remove the virus when you next encounter it.
If none of these situations apply, contact Network Associates technical support or send e-mail to virus_research@nai.com with a detailed explanation of the problem you encountered. McAfee VirusScan Anti-Virus Software...
Removing Infections From Your System Responding to viruses or malicious software Because VirusScan software consists of several component programs, any one of which could be active at one time, your possible responses to a virus infection or to other malicious software will depend upon which program detected the harmful object, how you have that program configured to respond, and other circumstances.
Page 78
Action page. NOTE: The Continue access checkbox is unavailable if your computer runs Windows NT Workstation v4.0 or Windows 2000, or if you choose the GUI prompt type on Windows 95 and Windows 98 systems. McAfee VirusScan Anti-Virus Software...
Page 79
Removing Infections From Your System To take one of the actions shown in an alert message, click a button in the Access to File Was Denied dialog box, or type the letter highlighted in yellow when you see the full-screen warning. If you want the same response to apply to all infected files that the System Scan module finds during this scan operation, select the Apply to all items checkbox in the dialog box.
Page 80
• Exclude. Click this button to prevent the E-Mail Scan module from flagging this file as a virus in future scan operations. If you copy this file to your hard disk, this also prevents the System Scan module from detecting the file as a virus. McAfee VirusScan Anti-Virus Software...
Page 81
Removing Infections From Your System When you choose your action, the E-Mail Scan module will implement it immediately and add a notice to the top of the e-mail message that contained the infected attachment. The notice gives the file name of the infected attachment, identifies the name of the infecting virus, and describes the action that the module took in response.
Page 82
VirusScan software to suit your own needs. With this initial configuration, the program will prompt you for a response when it finds a virus (Figure 3-6). Figure 3-6. VirusScan response options McAfee VirusScan Anti-Virus Software...
Page 83
Removing Infections From Your System To respond to the infection, click one of the buttons shown. You can tell the VirusScan application to: • Continue. Click this button to proceed with the scan operation and have the application list each infected file in the lower portion of its main window (Figure 3-7), record each detection in its log file, but take no other...
Page 84
Once it has finished examining your system, you can right-click each file listed in the main window, then choose an individual response from the shortcut menu that appears. McAfee VirusScan Anti-Virus Software...
Page 85
Removing Infections From Your System • Stop. Click this button to stop the scan operation immediately. The E-Mail Scan extension will list the infected files it has already found in the lower portion of its main window (Figure 3-9) and record each detection in its log file, but it will take no other action to respond to the virus.
Page 86
Chapter 6, “Creating and Configuring Scheduled Tasks” in the VirusScan User’s Guide. The Library is part of the McAfee AVERT website, which you can visit at: http://www.nai.com/asp_set/anti_virus/avert/intro.asp The AVERT website has a wealth of virus-related data and software. McAfee VirusScan Anti-Virus Software...
Page 87
Examples include: • Current information and risk assessments on emerging and active virus threats • Software tools you can use to extend or supplement your McAfee anti-virus software • Contact addresses and other information for submitting questions, virus samples, and other data •...
If you have a suspicious file that you believe contains a virus, or experience a system condition that might result from an infection—but VirusScan software has not detected a virus—McAfee recommends that you send a sample to its anti-virus research team for analysis. When you do so, be sure to start your system in the apparently infected state—don’t start your system from a clean...
Page 89
Removing Infections From Your System 4. Read the welcome message, then click Next> to continue. The Contact Information wizard panel appears. Figure 3-13. Your Contact Information panel 5. If you want AVERT researchers to contact you about your submission, enter your name, e-mail address, and any message you would like to send along with your submission in the text boxes provided, then click Next>...
Page 90
Remove my personal data from file checkbox, then click Next> to continue. This tells the SENDVIR.EXE utility to strip everything out of the file except macros or executable code. The Choose E-Mail Service panel appears (Figure 3-16). Figure 3-16. Choose E-mail Service panel McAfee VirusScan Anti-Virus Software...
If you suspect you have a virus infection, you can collect a sample of the virus, then either create a floppy disk image to send via e-mail, or mail the floppy disk itself to McAfee anti-virus researchers. The researchers would also benefit from having samples of your current system files on a separate floppy disk.
Page 92
If you suspect you have a file-infecting virus or a macro virus that has infected any of your Microsoft Word, Excel, or PowerPoint files, send these files to McAfee anti-virus researchers, either with the SENDVIR.EXE utility, via e-mail as floppy disk images, or through the mail on floppy disk: •...
Page 93
Making disk images To send the files now stored on any floppy disks you created, you can use a McAfee AVERT Labs tool called RWFLOPPY.EXE to make a floppy disk image that encapsulates the infection. The RWFLOPPY.EXE tool does not...
Page 94
9. Attach the .ZIP file that you created to an e-mail message. Sending samples via e-mail Once you’ve made disk images or created a file archive for your samples, send them to McAfee researchers at one of these e-mail addresses: In the United States virus_research@nai.com In the United Kingdom vsample@nai.com...
Page 95
Removing Infections From Your System Mailing infected floppy disks You can also mail the actual disks you created directly to McAfee anti-virus researchers. McAfee recommends that you create a text file or write a message to accompany the disks that includes the same information you would submit with an electronic disk image.
Page 96
Removing Infections From Your System McAfee VirusScan Anti-Virus Software...
Using VirusScan Software Using the VShield scanner The VShield scanner protects your system in the background, as you work with your files, in order to prevent infection from viruses that arrive via floppy disks, from your network, embedded in file attachments that come with e-mail messages, or from your computer’s memory.
Exchange or Outlook client application. To learn how to configure the E-Mail Scan extension and other specialized scanners, see Chapter 8, “Using Specialized Scanning Tools,” in the VirusScan User’s Guide. McAfee VirusScan Anti-Virus Software...
Sending Alert Messages Using the Alert Manager Client Configuration utility All McAfee anti-virus software includes wide range of methods to alert you when it has detected a virus or other malicious software. These methods include: • graphical and full-screen warnings that appear on your local computer, often with response options •...
.ALR files, and distributing the alert messages from any it finds. NOTE: McAfee recommends that you send alert events directly to an Alert Manager server rather than via Centralized Alerting, unless your network configuration does not permit you to use Alert Manager servers.
Page 101
Configuration utility not to pass alert messages from your anti-virus software to the Alert Manager server or to your Desktop Management Interface (DMI) administrative software. By default, this checkbox is clear. McAfee recommends that you leave it clear so that the client sends alert messages out. ...
Page 102
Alert Manager server if you have Active Directory Services installed on this computer and running on your network. To prevent the client utility from doing so, select the Disable Active Directory Lookup checkbox, when it appears. McAfee VirusScan Anti-Virus Software...
Page 103
Sending Alert Messages When you’ve chosen a destination for your alert messages, click OK to close the dialog box. • Enable Centralized alerting. Click this button to have VirusScan components send alert messages to a Centralized Alerting directory somewhere on your network. Choosing this option prevents you from sending alert events to an Alert Manager server.
Page 104
Consult your system administrator for specific details that apply to your DMI software. When you have entered a number, click OK to close the dialog box. 4. Click OK to save your changes and close the Alert Manager Client Configuration dialog box. McAfee VirusScan Anti-Virus Software...
“Understanding iDAT Technology.” What is the scan engine? The McAfee scan engine is at the heart of McAfee anti-virus software. The engine contains the program logic necessary to scan files at particular points, process and pattern-match virus definitions with data it finds in your files,...
Appendix F, “Understanding iDAT Technology.” • SuperDAT scan engine and .DAT file updates. McAfee releases a weekly SuperDAT package of current .DAT file updates and the current Olympus scan engine, together with a Setup feature that makes updating and upgrading a snap.
Page 107
128. In addition to the weekly SuperDAT package that contains both current .DAT files and a current scan engine, McAfee will make available a SuperDAT package that consists only of .DAT files. This executable file minimizes the need for you to closely manage your .DAT file updates. It...
“push-pull” arrangement. Once you install its client software on an administrative server, the SecureCast service can send, or “push,” updated files to you automatically, as soon as McAfee makes them available on its servers. To learn more about the SecureCast service, see Appendix D, “Using...
• Reduce the likelihood that you will need to wait to download new .DAT files. Traffic on McAfee servers increases dramatically on regular .DAT file publishing dates. Avoiding the competition for network bandwidth enables you to deploy your update with minimal interruptions.
Page 110
Disabled. A site is enabled if you have selected the Enabled checkbox in the Automatic Update Properties dialog box. A site is disabled if you clear this checkbox. This designation does not change whether or not the AutoUpdate utility can connect with the site. McAfee VirusScan Anti-Virus Software...
Page 111
Updating and Upgrading VirusScan Software Initially, the utility comes configured to connect only to the Network Associates FTP site. You can add as many different sites as you need, and alter the order in which AutoUpdate tries to connect to them, from this dialog box.
Page 112
By default, the AutoUpdate utility records what happens during update attempts and saves the record in the file UPDATE UPGRADE ACTIVITY LOG.TXT in the VirusScan program directory whenever you stop the task or when you shut your system down. McAfee VirusScan Anti-Virus Software...
Page 113
Updating and Upgrading VirusScan Software If you would prefer to log this data to a different text file, enter its path and filename in the text box provided, or click Browse to locate the file. The AutoUpdate utility will not generate a text file—it will write only to an existing file.
Page 114
If you click Update now, the AutoUpdate utility will use the same account you used to log on to your network to connect to the upgrade server. McAfee VirusScan Anti-Virus Software...
Page 115
Updating and Upgrading VirusScan Software To use a custom account, clear the Use Logged In Account checkbox, then click UNC login information to enter a user name and password for an account that has access rights to the target server. •...
Page 116
After a Successful Update area. To tell AutoUpdate where to save the .DAT file package, enter a path and folder name in the text box below this checkbox, or click Browse to locate a suitable folder. McAfee VirusScan Anti-Virus Software...
Page 117
WARNING: McAfee recommends that you use this option with extreme caution. If you have configured your AutoUpdate task to connect to a server that stores older .DAT...
OK. To close the dialog box without saving your changes, click Cancel. Understanding the AutoUpgrade utility McAfee revises VirusScan software and the Olympus scan engine regularly to add new detection and repair capabilities, new features for manageability and flexibility, and other enhancements that make it a better anti-virus security tool.
Updating and Upgrading VirusScan Software By default, the AutoUpgrade task included with VirusScan Console does not come configured with any default upgrade site. Instead, McAfee recommends that you use other mechanisms, such as the Enterprise SecureCast service, to receive new SuperDAT or program files, then place those files on a central server within your network.
Page 120
User’s Guide. To learn how to set a schedule for the task, see “Enabling tasks” on page 208 of the User’s Guide. 2. Click Configure. The Automatic Upgrade dialog box appears with the Upgrade Sites property page selected (see Figure 6-7 on page 121). McAfee VirusScan Anti-Virus Software...
Page 121
Updating and Upgrading VirusScan Software Figure 6-7. Automatic Upgrade dialog box - Upgrade Sites page Here, the AutoUpgrade utility lists the sites from which it will download new VirusScan program files. It also reports each site’s current status as Enabled or Disabled. A site is enabled if you have selected the Enabled checkbox in the Automatic Upgrade Properties dialog box.
Page 122
Move Down. • Update your files immediately from the sites listed in the update list, using default configuration options or the options you chose for this task. Click Upgrade now. McAfee VirusScan Anti-Virus Software...
Page 123
Updating and Upgrading VirusScan Software To use this function, you must have configured enough of the necessary options for the AutoUpgrade utility to locate the listed site and, if necessary, log on to it. See “Configuring upgrade options” on page 124 to learn how to specify the options you need.
Page 124
Figure 6-10. Automatic Upgrade Properties dialog box - Upgrade Options page Next, follow these steps: 1. Enter a descriptive name in the Site Name text box that clearly identifies the new site. An example might be Internal Program File Upgrade Site. McAfee VirusScan Anti-Virus Software...
Page 125
Updating and Upgrading VirusScan Software 2. Select the Enabled checkbox to approve this site for the AutoUpgrade utility’s use. Clearing this checkbox preserves the options you’ve chosen, but causes the utility to skip this site when it tries to download new .DAT files. The AutoUpgrade utility will make a maximum of three connection attempts for the site during each scheduled update operation.
Page 126
To have AutoUpgrade do additional pre- or post-processing on the files, or to have it take other actions, click the Advanced Upgrade Options tab to display the property page shown in Figure 6-5 on page 116. McAfee VirusScan Anti-Virus Software...
Page 127
Updating and Upgrading VirusScan Software Figure 6-11. Automatic Update Properties dialog box - Advanced Update Options page Next, follow these steps: 1. Tell the AutoUpgrade utility what you want it to do before or as it performs an update. Your options are: •...
Using the AutoUpgrade and SuperDAT utilities together For this release, you must modify the SuperDAT package you download from the McAfee website in order to use it with the AutoUpgrade utility. NOTE: VirusScan v4.5 and later releases require you to use the SuperDAT v1.2 or later utility.
Page 129
Updating and Upgrading VirusScan Software 3. If you want to, create and copy a SETUP.ISS file into the directory from which you tell AutoUpgrade to download new files. SETUP.ISS is a simple text file that governs how the AutoUpgrade utility upgrades your software.
• A virus presents a “medium on-watch” or “high” risk threat of infection. To learn about what constitutes a medium on-watch or high risk, or about McAfee AVERT risk assessment in general, visit the AVERT website at: http://www.mcafeeb2b.com/asp_set/anti_virus/alerts/ara.asp • A high-prevalence virus threatens an outbreak situation Ë...
Page 131
Updating and Upgrading VirusScan Software For VirusScan v4.5 and later releases, copy any EXTRA.DAT files you download to this directory: C:\Program Files\Common Files\Network Associates\VirusScan Engine \4.0.xx User’s Guide...
NOTE: McAfee strongly recommends that you set the VirusScan management service to load at startup. If you do not, you might not be able to start some VirusScan components, and you will lose the benefit of data sharing between components.
VirusScan management service (AVSYNMGR.EXE) as soon as you start your computer. The management service oversees all communications between VirusScan program components, determines which components must load to accomplish program tasks, and allows you to start or stop all program components at once. McAfee VirusScan Anti-Virus Software...
Page 135
Manager. If your computer runs Windows 95 or Windows 98, this service is not directly accessible. NOTE: McAfee strongly recommends that you set the VirusScan management service to load at startup. If you do not, you might not be able to start some VirusScan components, and you will lose the benefit of data sharing between components.
Page 136
Click OK to save your changes and close the control panel. Click Cancel to close the control panel without saving your changes. NOTE: The VirusScan management service must restart itself and all active VirusScan components in order to implement any changes you make. McAfee VirusScan Anti-Virus Software...
Installed Files What’s in this appendix? The VirusScan installation procedure places essential program files on the VirusScan client workstation. This section provides an overview of the files installed. Some of the files are associated with a particular component while others are in common use, called by program functions as needed.
Page 138
Filter driver for C:\Program Files\Common Files\Network System Scan module. Associates Runs only on \McShield Windows NT and Windows 2000 systems NAIFSREC.SYS File system redirector C:\Winnt\System32\drivers for System Scan module. Runs only on Windows NT and Windows 2000 systems McAfee VirusScan Anti-Virus Software...
Page 139
VShield support file. C:\Windows\System Initializes services for DOS protected-mode interface. Runs only on Windows 95 and Windows 98 systems MCSCAN32.VXD McAfee scan engine. C:\Windows\System Runs only on Windows 95 and Windows 98 systems MCUTIL.VXD Support file for C:\Windows\System System Scan module.
Page 140
Filter modules. Intercepts files downloaded through web browsers for scan engine to examine Dependent files VShield requires these files to run, but these are not VShield program files, or are not dedicated solely to VShield support. McAfee VirusScan Anti-Virus Software...
Page 141
VirusScan control C:\Windows\System or C:\Winnt\System 32 panel applet RESDLL.DLL Resource file for all C:\Program Files\Common Files\Network components Associates\McPal MCSCAN32.DLL McAfee Scan engine C:\Program Files\Common Files\Network file Associates\VirusScan Engine\4.0.xx RWABS16.DLL Support file for scan C:\Program Files\Common Files\Network engine Associates\VirusScan Engine\4.0.xx RWABS32.DLL...
VirusScan Scheduler can start according to a schedule you set. The application requires a number of support files to function, including some related to the McAfee scan engine. This table lists VirusScan application and related files: Program files...
Installed Files Table B-7. Alert Manager files NAKRNL32.DLL Library file for various C:\Program Files\Common Files\Network VirusScan utilities Associates\McPal NAUTIL32.DLL Library file for various C:\Program Files\Common Files\Network VirusScan utilities Associates\McPal VirusScan control panel files As the initial process for all VirusScan components, the VirusScan management service does not depend on other VirusScan components.
The ScreenScan utility runs as an executable file that starts whenever your screen saver runs. The utility requires a number of support files to function, including some related to the McAfee scan engine. This table lists ScreenScan utility and related files: Program files...
Page 149
Table B-11. ScreenScan dependent files File Function Location RESDLL.DLL Resource file for all C:\Program Files\Common Files\Network VirusScan Associates components \McPal MCSCAN32.DLL McAfee Scan engine C:\Program Files\Common Files\Network file Associates \VirusScan Engine\4.0.xx RWABS16.DLL Support file for scan C:\Program Files\Common Files\Network engine Associates \VirusScan Engine\4.0.xx RWABS32.DLL...
CLEAN.DAT file that other VirusScan components use. You may not use a CLEAN.DAT file from the VirusScan program directory for the Emergency Disk. COMMAND.COM Command interpreter. This file is a command shell that responds to command-line input McAfee VirusScan Anti-Virus Software...
Page 151
Table B-12. VirusScan Emergency Disk files GETREPLY.EXE Application file. This file processes output from the scan operation KERNEL.SYS System file LICENSE.DAT McAfee License file. The command-line scanner uses this to track use eligibility for this product MESSAGES.DAT McAfee resource file. This file stores...
Tools menu and as buttons in the application toolbar. You can use the extension to run scan operations whenever you wish. The extension requires a number of support files to function, including some related to the McAfee scan engine. This table lists extension and related files: Program files Table B-13.
Page 153
VirusScan control C:\Windows\System or C:\Winnt\System 32 panel applet. RESDLL.DLL Resource file for all C:\Program Files\Common Files\Network VirusScan Associates\McPal components. MCSCAN32.DLL McAfee Scan engine C:\Program Files\Common Files\Network file. Associates\VirusScan Engine\4.0.xx RWABS16.DLL Support file for scan C:\Program Files\Common Files\Network engine. Associates\VirusScan Engine\4.0.xx RWABS32.DLL...
Using VirusScan Command-line Options Adding advanced VirusScan engine options The following table lists all of the command-line options that can be communicated directly to the scanning engine via the Advanced Scan Settings dialog box provided by most Detection property pages. These command-line options (that you specify in the Advanced Scan Settings dialog box), will supplement, and can overwrite, the options selected in the VShield and VirusScan Detection property pages.
Page 156
To scan both local drives and network drives, use the /ADL and /ADN commands together in the same command line. /ALERTPATH <dir> On-demand Designates the directory <dir> as a network path scanning only for Centralized Alerting alert messages. McAfee VirusScan Anti-Virus Software...
Page 157
Using VirusScan Command-line Options Table C-1. VirusScan command-line scanner options /ALL On-demand Overrides the default scan setting by scanning all scanning only infectable files—regardless of extension. Using the /ALL option substantially increases the scanning time required. Use it only if you find a virus or suspect that you have one.
Page 158
Does not check any files loaded from the specified scanning only drive(s). /LOAD <filename> On-demand Load scanning options from the named file. scanning only Use this option to perform a scan you’ve already configured by loading custom settings saved in an ASCII-formatted file. McAfee VirusScan Anti-Virus Software...
Page 159
/LOCK is appropriate in highly vulnerable network environments environments, such as open-use computer labs. McAfee recommends using /LOCK with the /CONTACTFILE option to tell users what to do or whom to contact if VirusScan locks the system. /MANALYZE On-demand Sets the scanner’s heuristic scanning features to...
Page 160
Disables the “expiration date” message if the scanning only VirusScan data files are out of date. /NOMEM None Does not scan memory for viruses. This greatly reduces scan time. Use /NOMEM only when you are absolutely certain that your computer is virus-free. McAfee VirusScan Anti-Virus Software...
Page 161
PCs with multiple drives or that have severe infections, without needing your input. McAfee recommends omitting /PAUSE when using the report options (/REPORT, /RPTCOR, and /RPTERR) /PLAD...
Page 162
You can include the destination drive and directory (such as D:\VSREPRT\ALL.TXT), but if the destination is a network drive, you must have rights to create and delete files on that drive. McAfee recommends omitting /PAUSE when using any report option. /RPTALL On-demand Include all scanned files in the /REPORT file.
Page 163
/VIRLIST <filename>.txt Because the scanner can detect many viruses, this file will be over 250 pages long. This is too large for the MS-DOS Edit program to open; McAfee recommends using Notepad or another text editor to open the virus list.
Prompt window, type exit at the command prompt. If you restarted your computer in DOS mode, type win to start Windows, or restart your computer as you would normally. The following table lists the arguments that can be added to the SCAN32 command. McAfee VirusScan Anti-Virus Software...
Page 165
Using VirusScan Command-line Options Table C-2. SCAN32.EXE command-line options Option /SPLASH This option tells the VirusScan application to display its identity or “splash” screen when it starts. /NOSPLASH This option tells the VirusScan application to hide its identity or “splash” screen when it starts.
Page 166
This option tells the VirusScan application to scan files saved in compressed file archives. Examples of such archives include .ZIP, .CAB, .LZH, and .UUE files. This can slow down scan operations, but gives your system better protection. McAfee VirusScan Anti-Virus Software...
Page 167
Using VirusScan Command-line Options Table C-2. SCAN32.EXE command-line options /NOCOMP This option tells the VirusScan application not to scan any files in compressed file archives. This can speed up scan operations. /CONTINUE This option tells the VirusScan application to continue the scan operation automatically when it detects a virus.
Page 168
This option tells the VirusScan application to leave virus detection events out of the log file. /LOGCLEAN This option tells the VirusScan application to record an event in the log file each time it cleans, or fails to clean, an infected file. McAfee VirusScan Anti-Virus Software...
Page 169
Using VirusScan Command-line Options Table C-2. SCAN32.EXE command-line options /NOLOGCLEAN This option tells the VirusScan application not to record an event when it cleans or fails to clean an infected file. /LOGDELETE This option tells the VirusScan application to record an event in the log file each time it deletes an infected file.
Page 170
Using VirusScan Command-line Options McAfee VirusScan Anti-Virus Software...
Using the SecureCast Service to Get New Data Files Introducing the SecureCast service The Network Associates SecureCast service provides a convenient method you can use to receive the latest virus definition (.DAT) file updates automatically, as they become available, without your having to download them.
Your software relies on information in its virus definition files (.DAT) files to identify viruses. More than 200 new viruses appear each month, however, and older .DAT files might not recognize them. To meet this challenge, McAfee releases new .DAT files each week. You are entitled to these free data file updates for use with your version of the software.
Using the SecureCast Service to Get New Data Files Installing the BackWeb client and SecureCast service Setting up SecureCast service and the BackWeb client is a two-phase process: 1. Download and install the BackWeb client 2. Register to receive SecureCast service InfoPaks To get started with the SecureCast service, review the system requirements shown below, then follow the steps outlined in each section.
Page 174
3. Read the instructions and warnings on this panel, then click Next> to continue. 4. The BackWeb license agreement appears (Figure D-2). Figure D-2. BackWeb Software License Agreement panel 5. Click Yes to continue. 6. The Choose Destination Location panel appears (Figure D-3 on page 175). McAfee VirusScan Anti-Virus Software...
Page 175
Using the SecureCast Service to Get New Data Files Figure D-3. Choose Destination Location panel 7. Enter a new location for Setup to install the client software, if you wish, or click Browse to locate a suitable folder. Click Next> to continue. Setup will begin to copy BackWeb program files to your computer.
Page 176
This allows you to control how the BackWeb client behaves with respect to other applications you might have running when SecureCast InfoPaks arrive at your desktop. For more information, see the BackWeb online help at http://www.backweb.com/. Next, skip to Step McAfee VirusScan Anti-Virus Software...
Page 177
Using the SecureCast Service to Get New Data Files 10. If you chose HTTP via proxy as your connection method, the HTTP Proxy Setup panel appears (Figure D-6). Figure D-6. HTTP Proxy Setup panel 11. Enter the name of your proxy server in the Proxy text box, then enter the port the server uses for communication in the Port text box.
Page 178
SecureCast channels to which you InfoPaks subscribe downloaded appear here. to your system appear here. Choose which service information you want to SecureCast see in this Flash Banner area. Figure D-9. The Enterprise SecureCast client window McAfee VirusScan Anti-Virus Software...
Page 179
Using the SecureCast Service to Get New Data Files The SecureCast service alerts you that an InfoPak has arrived with the Flash message shown at the bottom right corner of Figure D-9. Ë IMPORTANT: If you are a corporate user and have a high-speed Internet connection, the window may list Register Now as an already received InfoPak.
Page 180
Parent Company Information dialog box appears (see Figure D-13 on page 181). Skip to Step 7 on page 181. • If you have cleared the Subsidiary of a Parent Company checkbox, continue with Step 6 on page 181. McAfee VirusScan Anti-Virus Software...
Page 181
Using the SecureCast Service to Get New Data Files Figure D-13. SecureCast Parent Company Information form 6. If your company is the subsidiary of another company, enter contact information for your parent company in the text boxes provided. When you have finished, click Next>. The Proxy Communication Configuration dialog box appears (Figure D-14).
Page 182
You can use this page to download product updates and upgrades, contact technical support, and get other information directly from Network Associates. The terms of your grant will determine what information you see here and what you can download. McAfee VirusScan Anti-Virus Software...
Using the SecureCast Service to Get New Data Files Troubleshooting the Enterprise SecureCast service Registration problems If you try to register during a busy time of day on the web, you may encounter a delay while the server tries to process your registration request. If you receive the error message “1105 Error”...
Using the SecureCast Service to Get New Data Files BackWeb client • For a comprehensive guide to BackWeb, including additional troubleshooting advice, see the online BackWeb User’s Manual: http://www.backweb.com/ McAfee VirusScan Anti-Virus Software...
Network Associates Support Services Adding value to your McAfee product Choosing McAfee anti-virus, Sniffer Technologies network management, and PGP security software helps to ensure that the critical technology you rely on functions smoothly and effectively. Taking advantage of a Network...
Page 186
Network Associates website • Electronic incident and query submission • Technical documents, including user’s guides, FAQ lists, and release notes • Data file updates and product upgrades via the Network Associates website McAfee VirusScan Anti-Virus Software...
Page 187
Network Associates Support Services The PrimeSupport Priority plan The PrimeSupport Priority plan gives you round-the-clock telephone access to essential product assistance from experienced Network Associates technical support staff members. You can purchase the PrimeSupport Priority plan on an annual basis when you purchase a Network Associates product, either with a subscription license or a one-year license.
Friday from 8:00 a.m. to 7:00 p.m. Central time. Press 3 on your telephone keypad for sales assistance. • In Europe, the Middle East, and Africa, contact your local Network Associates office. Contact information appears near the front of this guide. McAfee VirusScan Anti-Virus Software...
Page 189
Network Associates Support Services Table E-1. Corporate PrimeSupport Plans at a Glance Plan Knowledge Feature Center Connect Priority Enterprise Technical support via website Software updates Technical — Monday–Friday Monday–Friday, after Monday–Friday, after support via hours emergency hours emergency telephone access access North America: North America:...
– Visit the Network Associates CompuServe forum at GO NAI – Visit Network Associates on America Online: keyword MCAFEE • Free access to the PrimeSupport KnowledgeBase: online access to technical solutions from a searchable knowledge base, electronic incident submission, and technical documents such as user’s guides, FAQs, and release notes.
Page 191
Network Associates online or electronic services. • Quarterly Disk/CD Plan. This plan gives you automatic quarterly delivery of upgrade disks or CDs if you cannot obtain product upgrades online. This service is available for McAfee VirusScan and NetShield software only. Administrator’s Guide...
• In North America, call Network Associates Customer Service at (972) 855-7044 • In international locations, contact the Network Associates retail technical support center closest to your location for more information. Some support options may not be available in some locations. McAfee VirusScan Anti-Virus Software...
Network Associates Support Services Network Associates consulting and training The Network Associates Total Service Solutions program provides you with expert consulting and comprehensive education that can help you maximize the security and performance of your network investments. The Total Service Solutions program includes the Network Associates Professional Consulting arm and the Total Education Services program.
50,000 virus definitions. With this VirusScan release, McAfee introduced a new incremental virus definition (.DAT or iDAT) technology that consists of small parcels that contain only the virus definitions that have changed between weekly .DAT file...
AutoUpdate utility can look in the DELTA.INI file to learn that it needs to download the 10th, 11th, and 12th .UPD file releases to have all of the virus definitions that the current .DAT file release does. McAfee VirusScan Anti-Virus Software...
What does McAfee post each week? Each week McAfee posts a complete .DAT file update, along with a new weekly iDAT update, and a new DELTA.INI file that has updated Multiple Patch Table and Incremental Resolver entries. You can download these files...
2. From the baseline state, use a web browser or FTP client software each week to download new .UPD files directly from the McAfee FTP site to a central server on your network.
If you configure your computers to download iDAT files directly from the McAfee website, be sure to schedule your updates for a time after the regular weekly .DAT file postings.
Page 200
Scheduling issues Q: How often should I check for updates? A: Normally, McAfee posts updated .DAT files on a weekly basis. You may, however, check more or less often as your network security needs require. Be aware that your risk of virus infection grows as the period between updates to the virus data files grows.
FTP, use of to log on to update and upgrade sites anti-virus software Command line options consequences of running multiple vendor silent versions command line options reporting new viruses not detected by to McAfee xvii on access scanner autoexe.bat preserving settings AutoUpdate rebooting advanced options for, security...
Page 202
E-Mail Scan Force Update, use of to replace corrupted dependent files .DAT files program files FTP (File Transfer Protocol) temporary files use of to obtain VirusScan upgrades E-Mail Scan program component, default responses when virus found McAfee VirusScan Anti-Virus Software...
Page 203
America Online incremental DAT files via CompuServe use of DELTA.INI file for within the United States infected files McAfee Emergency Disk cleaning yourself when VirusScan creating cannot on uninfected computer removing viruses from use of to reboot system...
Page 204
Small Office/Home Office Annual training Plan website address for software updates and Professional Consulting Services upgrades description of new viruses, reporting to McAfee xvii program components, included with numbering conventions for .DAT files VirusScan programs running after successful updates Olympus scan engine...
Page 205
Sending restarting Setup with the McAfee Emergency Disk "silent" and "record" modes, using aborting if virus detected during SETUP.EXE, renaming SuperDAT packages scan engine for use with AutoUpgrade upgrading with AutoUpdate and the SETUP.ISS file, use of for SuperDAT utility...
Page 206
VirusScan PrimeSupport SecureCast for home users System Scan module ordering default response options for via electronic services testing your installation Tivoli installing VirusScan Total Education Services description of Total Service Solutions contacting McAfee VirusScan Anti-Virus Software...
Page 207
AutoUpdate steps for recommended method for downloading from infected files and distributing reporting new strains to McAfee xvii updates and upgrades viewing information about use of anonymous FTP to log into sites use of UNC notation to designate...
Page 208
VirusScan application website, Network Associates technical support via dependent files program files temporary files ZENworks VirusScan Command Line installing VirusScan use of when booting with Emergency Disk VirusScan control panel files options temporary files McAfee VirusScan Anti-Virus Software...
Need help?
Do you have a question about the VIRUSSCAN 4.5 and is the answer not in the manual?
Questions and answers