SYMANTEC CORPORATION - PETER NORTON GROUP
NORTON DESKTOP FOR WINDOWS - Norton AntiVirus Update


This file contains information about Norton Desktop Norton AntiVirus
Update that is not included in the Norton Desktop for Windows 
documentation (in the manual or in online help). Please read this file
thoroughly before you install or use the Norton Desktop Norton AntiVirus
update. To print this file from the DOS prompt, type:

     COPY NAVREAD.TXT PRN:


INSTALLING VIRUS INTERCEPT ON A BOOTABLE DISKETTE
=================================================
     If you want to make a bootable diskette that loads either the 2K
or the 7K Virus Intercept device driver, both the NAV&.SYS and the
NAV_.SYS files must be present on the diskette. In addition, the path
to the device driver must be explicitly specified in a CONFIG.SYS
file on the diskette. For example:

     DEVICE=A:\NAV&.SYS /B

or

     DEVICE=C:\NDW\NAV&.SYS /B


CHOOSING THE APPROPRIATE VIRUS INTERCEPT DRIVER
===============================================
     There are three device drivers in Norton Desktop Norton AntiVirus
Update, each designed to reside quietly on your system and watch for
viruses. Which device driver is right for you depends on your system's
requirements. Each of the device drivers operates and detects 
viruses in DOS and Windows and can take advantage of your high
memory when loaded high.

NAV&.SYS (2K device driver)
--------------------------- 
     If you have limited memory or if you have a large number of
TSRs loaded into high memory, use NAV&.SYS. This very small device
driver detects viruses when an infected program is run. But because
of its small size, it does not detect Boot Sector infections and does
not bring up visual Virus Intercept alerts while in Microsoft Windows.
     
NAV&.SYS /B (7K device driver)
------------------------------
     This small device driver performs the same operations as the 2K
device driver with the addition of Boot Sector virus detection. Virus
Intercept Alerts appear under Windows (when NAVPOPUP.EXE is loaded).
     If you run Windows in Standard mode and have 2M (megabyte) RAM
or less, you should use NAV&.SYS /B as the Norton Desktop Norton
AntiVirus Update device driver for best results.

NAV_.SYS (56K device driver, 22K with expanded memory)
------------------------------------------------------
     This device driver performs all of the operations of the 2K 
 and 7K versions and also scans files during a DOS copy operation. 
     Like the 2K and 7K device drivers, it will detect a virus in 
an infected program upon execution. Additionally, NAV_.SYS will prevent
you from copying an infected program from a diskette onto your computer.
Virus Intercept Alerts appear under Microsoft Windows (when NAVPOPUP.EXE
is loaded).     


VIRUS INTERCEPT AND GRAPHICS MODE
=================================
     When boot-sector viruses are detected by NAV&.SYS /B, the Virus
Alert message is displayed on the 25th line of the screen. If the
current display is in graphics mode an audible alarm will sound although
an alert message will not be displayed. The Microsoft Windows graphical
environment is fully supported and the popup is available.


VIRUS INTERCEPT WITHIN WINDOWS
==============================
     Each of the three Virus Intercept device drivers included in 
 Norton Desktop Norton AntiVirus Update operates with Microsoft Windows.
     If you are using the 7K (NAV&.SYS /B) or 56K (NAV_.SYS) Virus 
Intercept device drivers, the NAVPOPUP utility enables Virus Intercept
to display the alert boxes in Windows. Since these alert boxes are of
System Error type, the button labels are different from the DOS button
labels. However, the functionality of both the DOS and Windows alert
boxes is similar. The timeout feature, however, is not available in the
Windows type alert boxes. 
     If this utility is not run when in Windows and you execute an
application that displays in graphics mode, you will not see a 
Virus Alert message on the screen when a virus is detected. You will,
however, hear the audible alarm, regardless of whether the Special
Sound option is set on or off.


HIDING THE ICON
===============
     You can hide or show the Norton Desktop Norton AntiVirus Update
Popup application icon. (Application icons, remember, appear at the
bottom of your desktop when a running application is minimized.) The
Norton Desktop Norton AntiVirus Update Popup application icon is hidden
by default, but if you want to make it visible when Virus Intercept is
running, follow these steps:

     1. Start Norton AntiVirus. (Double-click the Norton AntiVirus
        tool icon or choose Norton AntiVirus from the Tools menu.)
     2. Choose Intercept... from the Norton AntiVirus Options menu.
     3. Check the Hide Popup Icon check box.
     4. Click OK.


VIRUS DEFINITIONS
=================
     Virus definitions are read into memory at boot time. If Virus
Intercept is active and you add or delete virus definitions, these
changes will take effect for Virus Intercept only AFTER you reboot.
They will, however, immediately take effect in Virus Clinic.


WARM BOOT TRAP
==============
     TSRs, device drivers or programs that trap for the Ctrl+Alt+Del
keyboard sequence may override Virus Intercept's ability to check
during reboot for any boot sector viruses on the floppy disks in
your drives.
     Likewise, programs that perform a warm boot without use of the 
Ctrl+Alt+Del keyboard sequence will bypass Virus Intercept's automatic
boot sector check.


INOCULATION FILES
=================
     When the Detect Unknown Viruses option is checked in the Options 
menu Global selection, an inoculation file named NAV_._NO is placed in
the root directory of each local hard drive and each floppy drive that
is not write-protected. The hidden and system attributes are set for this
file so it does not appear in normal directory listings. It contains
information that enables Norton Desktop Norton AntiVirus Update to
determine if your program files change in a manner that could indicate
virus activity.
     On networks, a single NAV_._NO file is created for each volume of
the network, and appears in the directory specified in the Options menu
Global selection.  The default directory is \NCDTREE. This directory is
automatically created for each volume provided the user has access
rights to the directory.  
     A suggested procedure for network administrators is to enable
inoculation and scan the network drives to create the inoculation data
for all system files during the initial installation of Norton Desktop
Norton AntiVirus Update.
     To delete this file from Norton Desktop Norton AntiVirus Update, go
to the Tools menu Uninoculate selection and specify the drives on which
you want to remove the file. If Detect Unknown Viruses is checked, the
file will be created again.


SPECIAL SOUND
=============
     The NAV&.SYS and NAV&.SYS /B Virus Intercept drivers will play
the Special Sound when detecting a boot sector virus, regardless of
whether or not the Special Sound option is enabled. This guarantees
that you are alerted when a boot sector virus is present.


INTERCEPT OPTIONS IN VIRUS CLINIC
=================================
     It is possible to configure Norton AntiVirus to protect the
system areas of your disks from within Virus Clinic. The Intercept
Options menu selection allows you to enable (and disable)
write-protection of the system areas of both Hard Disks and Floppy
Disks. These options are called "Write-Protect Hard Disk System
Areas" and "Write-Protect Floppy Disk System Areas." When one or both
of these options are enabled, Norton Desktop Norton AntiVirus Update
will alert you of any attempts to write to the partition table and boot
sector of the hard disk, and/or as the boot sector of any disks in the
local floppy disk drives. This adds a level of security against unknown
viruses by monitoring the disk areas that they infect, and alerting you
to attempts to change these areas.
     During normal operation, you should not get a Write Attempt 
warning unless you are formatting a floppy disk, or using a program
with the ability to edit the system areas, such as the DISKEDIT program
from Norton Utilities.
     If you get a Write Protect alert, you decide whether the write 
attempt proceeds or not.
     These two options together are equivalent to the /W switch used
with NAV_.SYS in version 2.0.  The /W switch will still function in
Norton AntiVirus 2.1.

     NOTE: This feature is not available with the NAV&.SYS and 
           NAV&.SYS /B Virus Intercept drivers.

     The Scan All Floppies on Reboot option will cause all floppy
drives to be scanned by NAV on a warm system boot. This is equivalent
to the /A switch used with NAV_.SYS and NAV&.SYS in version 2.0.
The /A switch will still function in Norton AntiVirus 2.1.


COMMAND-LINE SWITCHES
=====================

/ID=xxx
-------
     TSR ID switch for use on the device driver line in CONFIG.SYS, 
where xxx is any number between 192 and 255.  This switch can be
useful for eliminating conflicts with other TSRs which will attempt
to use the ID already reserved for NAV_.SYS. In case of a conflict,
try setting NAV's TSR ID to 200. For example:

           DEVICE=C:\NAV\NAV_.SYS /ID=200

/NE
---
     When NAV_.SYS loads from CONFIG.SYS, it will by default attempt
to load part of itself into expanded memory, if available. To disable
this feature, use the /NE switch on the device driver line in CONFIG.SYS.

/OVL=<path>
-----------
     This command line switch for the 2K and 7K Virus Intercepts 
(NAV&.SYS and NAV&.SYS /B) specifies the location of the NAV_.SYS
file. This is necessary if NAV&.SYS and NAV_.SYS are not in the same
directory. For example, if you are using a diskless workstation and
the A: drive is no longer accessible after booting, you can tell
NAV&.SYS to find NAV_.SYS in another location, other than A:

           DEVICE=NAV&.SYS /OVL=F:\NETDIR

/NR
---
     This command line switch for all versions of Virus Intercept 
allows automatic Network Redirector detection to be disabled. Normally,
Virus Intercept will automatically detect that a Network Redirector is
being installed, like NetWare's NETX program. This switch will enable
NAV.EXE to disable this automatic detection. After you've added this
switch to the Virus Intercept device driver, you can disable automatic 
Network Redirector detection by specifying the following command
before the Network Redirector is loaded: NAV /NR-
     After the Network Redirector is unloaded, you can reenable 
automatic Network Redirector detection by typing: NAV /NR+


/SAVE AND /RESTORE
------------------
     /SAVE    - Creates a Rescue Disk
     /RESTORE - Restores from Rescue Disk

     These functions are identical to those available from within 
Virus Clinic, under the Tools menu option ("Create Rescue Disk" and
"Restore from Rescue Disk").


UPGRADING EXISTING SOFTWARE
===========================
     If you are using Norton Desktop Norton AntiVirus Update with
Detect Unknown Viruses checked in the Global section of the Options
menu and you reinstall an existing piece of software in the original
directory, update the inoculation information with one of two procedures.
     Scan the directory that contains the upgraded software using
Virus Clinic and Reinoc the files that are reported containing an
unknown virus.
     Alternately, scan the directory from the DOS command line with
a command similar to this:

          NAV /REFRESH C:\123

Replace C:\123 with the directory name that contains your upgraded
software.


SMARTDRV.EXE
============
     If you have DEVICE=NAV&.SYS in your CONFIG.SYS file and encounter
problems attempting to load SMARTDRV.EXE from a batch file or from
the command line, you may force it to load low by including the /L
(load low) switch: SMARTDRV /L [your parameters]


MICROSOFT WINDOWS
=================
     If you check Detect Unknown Viruses in the Global selection 
of the Options menu, you MUST also check Auto Inoculate and scan your
Windows directories prior to executing Windows. Skipping this procedure
could result in a system hang as you attempt to enter Windows.  
     You may also use the command line to perform this operation. 
Simply type the following command:

           NAV /REFRESH C:\WINDOWS

Substitute the path for your Windows installation for "C:\WINDOWS."
      With SHARE.EXE loaded, a number of files will report "Access
denied" during a scan. This is because these files are exclusively
locked by Windows, and/or possibly some other application. These files
may be scanned by exiting from Windows and scanning with the DOS version
of clinic.


DESQVIEW AND MULTITASKING
=========================
     Use NAV_.SYS when using DESQview. NAV&.SYS does not detect 
program executions under a multitasking environment. In addition,
do not run Virus Clinic in the background under DESQview, as viruses
may not be properly identified.


QEMM & 386^MAX
==============
     When using the NAV&.SYS or NAV&.SYS /B Virus Intercept drivers
with QEMM or 386^MAX memory managers, you may experience a "Batch file
missing" error when calling a secondary batch file from within your
AUTOEXEC.BAT. This is the result of special actions that Virus Intercept
must take when a LOADHI command is executed.  
     To correctly check a program being loaded high, Virus Intercept
must temporarily reserve a block of memory. This memory block is not
released until a non-resident command other than LOADHI is executed. 
If this memory block is released within a secondary batch file, the
pointers back to the primary batch file are lost, resulting in the
"Batch file missing" message.
      This circumstance can be prevented by executing any program
or external DOS command (other than LOADHI) immediately prior to
calling the secondary batch file.


QEMM STEALTH MODE
=================
     Users who have enabled QEMM's STEALTH mode must ensure that
QEMM appears in their CONFIG.SYS file before any of the Norton
Desktop Norton AntiVirus Update device drivers.


386^MAX
=======
     Users of 386^MAX 6.0 who experience problems while using the
Windows version of Norton Desktop Norton AntiVirus Update, should
ensure that 386^MAX has not been configured to use an area of memory
already in use for ROM BIOS shadowing. Using the 386^MAX NOROM option
will disable 386^MAX's ROM BIOS caching feature.


IBM PS/1
========
     If you are using the PS/1 BUS mouse without a mouse driver, you
should disable the FAST MOUSE RESET selection, located in the Video and
Mouse Options of the Options menu.


STACKER, DISKREET, AND DEVICE-DRIVEN DRIVES
===========================================
     As far as your computer is concerned, device-driven drives do
not exist until their device drivers are loaded from your CONFIG.SYS
file. Device driven drives include those created by the SpeedStor or
Disk Manager partitioning programs, compressed drives such as those
created by Stacker and encrypted drives such as those created by the
Norton Utilities Diskreet program.
     If Norton Desktop Norton AntiVirus Update is loaded onto one of
these drives, the device driver statement(s) for the drive MUST appear
in your CONFIG.SYS file ABOVE the device driver statement that loads
Virus Intercept.
     Because of a Stacker limitation, if you are using Stacker on 
removable drives such as those made by Syquest or Bernoulli, you will
not be able to scan non-compressed files on the removable drive. Files
compressed under Stacker, however, will be scanned normally.


COMMUNICATIONS PROGRAMS
=======================
     For maximum protection, Virus Intercept alerts halt all other
system activity. Consequently, time-sensitive communications programs,
such as ProComm Plus or Crosstalk, may crash or lose data after an alert
is displayed. Because NAV_.SYS scans only reads from disk, this is likely
to happen only if you are multitasking or if you are uploading an
infected file to someone else.


BACKUP PROGRAMS
===============
     Virus Intercept is compatible with most popular backup programs,
including Norton Backup. However, there are several special considerations
that you should be aware of.

     1. You will not be able to back up the NAV_.SYS Virus Intercept
        driver if this driver is currently loaded in memory. Either:

        a) tell your backup program to exclude this file, or  
        b) reboot your machine, wait until the BIOS beep, then
           simultaneously hold down both Shift keys until you see
           the message "The Norton AntiVirus Not Loaded." You can
           then back up all files.

      2. Running a backup program while Virus Intercept is running
         in Detect Unknown Viruses mode with Auto-Inoculate OFF may
         cause an alert as you back up any non-inoculated files. The
         backup program will stop and wait for a response to the
         alert screen. Because some backup programs cannot tolerate
         an unexpected interruption, they may abort.


NORTON PCANYWHERE
=================
     If Virus Intercept is running on the host computer and an alert
appears, the alert is not heard at the remote location. However, if the
alert is displayed for longer than a few seconds, it will be displayed
at the remote location.


Q&A
===
     If you have difficulty running Norton Desktop Norton AntiVirus
Update from the Q&A main menu, create a batch file that executes
NAV.EXE and replace the NAV.EXE filename in the Q&A utilities menu
with the new batch filename. 


HERCULES GRAPHICS CARDS
=======================
     If you are using the NAV_.SYS Virus Intercept driver and a 
Hercules graphics card which does not contain a light pen port, you
may experience a system lockup if a Virus Intercept Alert appears while
your system is running a graphics-mode application (such as Windows).
To prevent this, turn off the visual alert feature of Virus Intercept
before running Windows or other graphics programs.


DOS ERROR LEVELS
================
     Norton Desktop Norton AntiVirus Update returns the following
DOS errorlevels after exiting from Virus Clinic or upon the completion
of a command-line function:

     ERRORLEVEL     MEANING

          1         Virus found in memory
          2         Virus Clinic may be infected
          3         Viruses detected during scan
          4         No viruses detected
          5         Device driver is not active in RAM
          6         Device driver is active in RAM
        255         Scan not completed


EXPANDING NORTON PRODUCT EXECUTABLES
====================================
     Many Peter Norton products including Norton Utilities save space
on your disk by storing the program files in a self-extracting, compressed
format.
     If you are using Norton Desktop Norton AntiVirus Update with
Detect Unknow Virueses checked in the Global section of the Options
menu, a Virus Intercept Alert may appear if the compressed programs are
expanded after they are inoculated. If this occurs, reinoculation is
recommended.
     You can use the command line to perform this operation. Simply type
the following command:

     NAV/ REFRESH C:\NU

--end of file--
