







                           VirusScan Version 2.0.1
                       Copyright 1994 by McAfee, Inc.
                            All Rights Reserved.







                             Brought to you by:

                      Igor Grebert    Project Leader
                    Jivko Koltchev    Lead Programmer
                         David Mai    TSR Programmer
                      Vadim Ivanov    Algorithms/Emulation Programmer
                 Tatyana Shishkina    Virus Librarian, Programmer
                    Bruce de Graaf    GUI Programmer
                      Dmitri Orlov    DOS UI Programmer
                 Geoff Brandenburg    GUI Artist
                     Spencer Clark    SQA Manager
                      David Pierce    Lead SQA Engineer
                        Sean Birch    SQA Engineer
                      John Zussman    Documentation Project Leader
                        Eric Ivory    Technical Writer
                    Aryeh Goretsky    Manager Technical Support

      With special thanks to Bob Chappelear, Rudite Emir, and Bill Larson










            McAfee, Inc.                 (408) 988-3832 office
            2710 Walsh Avenue            (408) 970-9727 fax
            Santa Clara, CA  95051-0963  (408) 988-4004 BBS (25 lines)
            U.S.A.                       USR HST/v.32/v.42bis/MNP1-5
                                         CompuServe        GO MCAFEE
                                         InterNet support@mcafee.COM
                                         America Online       MCAFEE

           Using VirusScan (Version 2.0)                            1

            CHAPTER 1: WELCOME TO VIRUSSCAN

            Thank you for evaluating McAfee, Inc.'s, VirusScan(TM)
            software Version 2.0, a powerful and advanced system
            designed to detect, eradicate, and prevent computer viruses.
            VirusScan will help you protect one of your most important
            assets--the information on your computer or local area network.

            VirusScan includes two main programs:

            o    The Scan program detects known viruses in your
                 computer's memory or on disks. See the README.1ST file
                 for the number of viruses that Scan detects. It can
                 also detect new and unknown viruses. Once viruses are
                 detected, it can remove them and restore your system to
                 normal operation.

            o    The VShield(TM) program continuously monitors and
                 protects your system from viruses that might be
                 introduced.

            The VirusScan programs run on IBM-PC or 100% compatible
            personal computers (PCs) that use DOS 3.0 and above, Windows
            3.1, or OS/2 2.0 and above.

            VirusScan is an important element of a comprehensive
            security program that includes a variety of safety measures,
            such as regular backups, meaningful password protection,
            training, and awareness. We urge you to set up and comply
            with such a security program in your organization. For tips
            on how to do this, see "Other Sources of Information" in
            this chapter.


            HOW TO USE THIS MANUAL

            This manual will help you get VirusScan running quickly and
            properly on DOS, Windows, and OS/2 systems.

            o    All the key information is in Chapter 2, "Don't Skip
                 this Chapter." Please don't install VirusScan before
                 reading it, even if you are already familiar with
                 Scan. Installing and using VirusScan is not like using
                 other software.

            The rest of Chapter 1, "Welcome to VirusScan," describes the
            programs and files on your VirusScan disk, system
            requirements, how to register, and how to get help.

            Chapter 3, "VirusScan Reference," in the Scan 
            documentation, and Chapter 3, "VShield Reference," 
            in this document contain reference information for 
            Scan and VShield, respectively.
           Using VirusScan (Version 2.0)                            2


            Many users will not need to read these chapters, because basic 
            operation of VirusScan, as described in Chapter 2, will detect 
            and remove most viruses from your system. The options described 
            in Chapter 3 in the Scan documentation and Chapter 3 in this 
            document offer additional power and control, and are most 
            useful in vulnerable environments and to network administrators 
            and information services staff.

            Chapter 4, "Tips & Troubleshooting," explains how to get the
            most out of VirusScan, and how to cope with some common
            problems.

            Appendix A, "Retrieving VirusScan Updates via the McAfee BBS,"
            provides instructions for using the McAfee Bulletin Board (BBS).

            Appendix B, "Options Comparison Between VirusScan Versions
            1.5 and 2.0," shows the differences between command line options
            in VShield 1.5 and 2.0, then between VShield1 1.5 and 
            VShieldCRC 2.0.

































           Using VirusScan (Version 2.0)                            3


            NOTATION

            In this manual, we use several conventions to distinguish
            particular kinds of text.

            CONVENTION       EXAMPLE       REPRESENTS
            
            Upper-case       C:\>          What your
                                           computer displays
                                           on your screen.
            
            Lower-case       scan c:       What you
                                           type, verbatim.
            
            Curly braces     {filename}    Required
                                           element; do not
                                           type braces { }.
            
            Square braces    [filename]    Optional
                                           element; do not
                                           type braces [ ].
            
            Upper-case in    <ENTER>       Key to press
            brackets                       on the
                                           keyboard.


            WHAT VIRUSSCAN INCLUDES

            In addition to Scan or VShield, the Validate program 
            ensures that new versions of VirusScan software 
            you've obtained are authentic.

            Finally, the VirusScan archive contains several useful text
            files, which you can view and print with a text editor, word
            processor, or DOS PRINT command. You'll find version-
            specific information in the README.1ST text file.















           Using VirusScan (Version 2.0)                            4

            VIRUSSCAN FILES AFTER UNPACKING

            After unpacking VirusScan you should have appropriate
            program files on your system for the version you have
            obtained (DOS, Windows, or OS/2). Several useful text
            files are also included.

            VirusScan for DOS.
            AGENTS.TXT   - list of McAfee authorized agents.
            CLEAN.DAT    - virus removal data file required by SCAN.EXE
            COMPUSER.NOT - explains how to obtain CompuServe membership
            FILE_ID.DIZ  - description of VirusScan used by some BBS
                           software
            FILENAME.TXT - explains new McAfee BBS file name conventions
            LICENSE.TXT  - explains how to license VirusScan
            NAMES.DAT    - virus name data file required by SCAN.EXE
            PACKING.LST  - contains a list of all files, including
                           validation information
            README.1ST   - late-breaking information and new
                           instructions not contained in this manual
            REGISTER.TXT - explains how to register VirusScan for
                           your use
            SCAN.DAT     - virus string data file required by SCAN.EXE
            SCAN.EXE     - the VirusScan program
            SCAN.TXT     - on-line manual for Scan
            VALIDATE.EXE - used to check VirusScan programs for
                           authenticity
            VALIDATE.TXT - explains how to run VALIDATE.EXE

            VShield
            AGENTS.TXT   - list of McAfee authorized agents.
            CHKVSHLD.EXE - checks for presence of VShield and VShieldCRC
                           in memory
            COMPUSER.NOT - explains how to obtain CompuServe membership
            FILE_ID.DIZ  - description of VShield used by some BBS
                           software
            FILENAME.TXT - explains new McAfee BBS file name conventions
            LICENSE.TXT  - explains how to license VShield
            PACKING.LST  - contains a list of all files, including
                           validation information
            REGISTER.TXT - explains how to register VirusScan for 
                           your use
            VALIDATE.EXE - used to check VirusScan programs for
                           authenticity
            VALIDATE.TXT - explains how to run VALIDATE.EXE
            VSHIELD.DAT  - virus string data file required by
                           VSHIELD.EXE
            VSHIELD.EXE  - the VShield program
            VSHIELD.TXT  - on-line manual for VShield
            VSHLDCRC.EXE - the VShieldCRC program
            VSHLDWIN.EXE - used by VShield and VShieldCRC to display
                           messages within Windows

           Using VirusScan (Version 2.0)                            5


            VirusScan for OS/2
            AGENTS.TXT   - list of McAfee authorized agents.
            CLEAN.DAT    - virus removal data file required by
                           OS2SCAN.EXE
            COMPUSER.NOT - explains how to obtain CompuServe membership
            FILE_ID.ZIP  - description of VirusScan used by some BBS
                           software
            FILENAME.TXT - explains new McAfee BBS file name conventions
            LICENSE.TXT  - explains how to license VirusScan
            NAMES.DAT    - virus name data file required by OS2SCAN.EXE
            PACKING.LST  - contains a list of all files, including
                           validation information
            README.1ST   - late-breaking information and new
                           instructions not contained in this manual
            REGISTER.DOC - explains how to register VirusScan for your
                           use
            OS2SCAN.EXE  - the VirusScan program
            SCAN.DAT     - virus string data file required by
                           OS2SCAN.EXE
            SCAN.TXT     - on-line manual for Scan
            VALIDATE.EXE - used to check VirusScan programs for
                           authenticity
            VALIDATE.TXT - explains how to run VALIDATE.EXE


























           Using VirusScan (Version 2.0)                            6


            SYSTEM AND MEMORY REQUIREMENTS

            The VirusScan programs require an IBM-compatible personal
            computer and any of the following operating systems:

            o    DOS 3.0 or later and at least 340Kb of free RAM for the
                 command line programs.

            o    Windows 3.1 or later and at least 4Mb of RAM.

            o    IBM OS/2 2.00(GA) or later and at least 8Mb of RAM.

            VirusScan for DOS requires 340Kb of available free memory in
            order to scan a system for viruses.

            VShield is a terminate-and-stay-resident (TSR) program that
            requires 67Kb of free memory. VShield will minimize the use
            of conventional memory by loading into expanded, extended,
            or upper memory, when available. For more information, see
            "System Requirements and Performance" in Chapter 3 in the
            Scan documentation.


            LICENSING VIRUSSCAN

            The VirusScan software is provided under license from
            McAfee, Inc., a copy of which is included in the file
            LICENSE.TXT. Please read it and comply with it.

            If you want to use VirusScan after the evaluation period,
            please register your copy of the software by filling out and
            returning the enclosed registration form, REGISTER.TXT.
            Registration entitles you to upgrades at no charge from
            McAfee's bulletin board system and other sources, as well as
            technical support, for one year from your date of purchase.

















           Using VirusScan (Version 2.0)                            7


            TECHNICAL SUPPORT

            For help in using this product, we invite you to contact
            McAfee technical support. You can contact us:

            o    On-line 24 hours a day, through our bulletin board
                 system, CompuServe, fax, or Internet (see "Online
                 Access to Updates and Technical Support" below); or

            o    By telephone at (408) 988-3832, Monday through Friday,
                 7:00 am to 5:30 pm Pacific Time.

            For fast and accurate help, please have the following
            information ready when you contact McAfee:

            o    Program name and version number.

            o    Type and brand of computer, hard disk, and any
                 peripherals.

            o    Version of DOS, along with any TSR's or device drivers
                 in use.

            o    Printouts of your AUTOEXEC.BAT and CONFIG.SYS files.

            o    A printout of the contents of memory, from the MEM
                 command (provided in DOS 4.0 and later) or a similar
                 utility.

            o    A description of the exact problem you are having.
                 Please be as specific as possible. If you can't be at
                 your computer when you call, a printout of the screen
                 will be helpful.

            If you are overseas, you can contact a McAfee authorized
            agent for support. Agents are located in more than 50
            countries around the world and provide local sales and
            support for our software. Please refer to the AGENTS.TXT
            file for a complete list of McAfee agents.


            ONLINE ACCESS TO UPDATES AND TECHNICAL SUPPORT

            McAfee updates VirusScan monthly to add new virus detectors,
            new options, and fix reported bugs. To distribute these new
            versions, we run a multi-line bulletin board system, a forum
            on CompuServe, and an Internet node.

            



           Using VirusScan (Version 2.0)                            8

            
            Bulletin board system (BBS) access
            Our multiline BBS is accessible 24 hours a day, 365 days a
            year, except for scheduled downtime and maintenance. All
            lines run high-performance modems operating from 1,200 bps
            to 14,400 bps with line settings of 8 data bits, no parity,
            and 1 stop bit. The McAfee BBS phone number is (408) 988-4004.

            CompuServe Access
            We sponsor the McAfee Virus Help Forum on CompuServe. To
            reach it, type GO MCAFEE at any CompuServe prompt. A free
            introductory membership is available. For more information,
            please read the enclosed COMPUSER.TXT file.

            Internet Access
            The latest versions of McAfee's anti-virus software are
            available by anonymous ftp (file transfer protocol) over the
            Internet from the site mcafee.com. If your domain resolver
            does not support names, use the IP# 192.187.128.1. Enter
            "anonymous" or "ftp" as your user ID (do not type the
            quotation marks) and your own e-mail address as the
            password. Programs are located in the pub/antivirus
            directory. If you have questions, please send e-mail to
            support@mcafee.com.

            You can also find McAfee's anti-virus software at the SimTel
            Software Repository at Oak.Oakland.EDU in the
            pub/msdos/virus directory and its associated mirror sites:

            o    WUARCHIVE.WUSTL.EDU (US).
            o    FTP.SWITCH.CH (Switzerland).
            o    FTP.FUNET.FI (Finland).
            o    SRC.DOC.IC.AC (UK).
            o    ARCHIE.AU (Australia).


















            
           Using VirusScan (Version 2.0)                            9

            
            OTHER SOURCES OF INFORMATION

            The McAfee BBS and CompuServe Virus Help Forum are excellent
            sources of information on virus protection. Batch files and
            utilities to help you use VirusScan software are often
            available, along with helpful advice.

            Independent publishers, colleges, training centers, and
            vendors also offer information and training about virus
            protection and computer security.

            We especially recommend the following books:

            o    Ferbrache, David. A Pathology of Computer Viruses.
                 London: Springer-Verlag, 1992. (ISBN 0-387-19610-2)

            o    Hoffman, Lance J. Rogue Programs: Viruses, Worms, and
                 Trojan Horses. Van Nostrand Reinhold, 1990. 
                 (ISBN 0-442-00454-0)

            o    Jacobson, Robert V. The PC Virus Control Handbook,
                 2nd Ed. San Francisco: Miller Freeman Publications, 1990.
                 (ISBN 0-87930-194-0)
            
            o    Jacobson, Robert V. Using McAfee, Inc. Software
                 for Safe Computing. New York: International Security
                 Technology, 1992. (ISBN 0-9627374-1-0)

            In addition, the following sources can provide useful
            information about viruses:

            o    National Computer Security Association (NCSA)
                 10 South Courthouse Avenue
                 Carlisle, PA 17013

            o    CompuServe McAfee Computer Virus Help Forum (GO
                 VIRUSFORUM)

            o    Internet comp.virus newsgroup













           Using VirusScan (Version 2.0)                            10


            CHAPTER 2: DON'T SKIP THIS CHAPTER
            (or, What you really need to know about VirusScan)

            We're serious about this. Installing and running the
            VirusScan(TM) programs is not like using other software.
            Even if you are a long-time user of McAfee's software,
            please take the time to read through and follow the tasks in
            this chapter.

            The reason is to avoid spreading a computer virus infection.
            Viruses spread when you start your computer (sometimes
            called booting) from an infected disk, or when you run an
            infected program. If your computer is infected, installing
            and running VirusScan on your hard disk may spread the
            infection, even to the VirusScan programs themselves. The
            tasks in this chapter will ensure that you have a clean
            environment to detect, eradicate, and prevent viruses.

            This is like a surgical team establishing a "sterile field"
            before performing surgery. Once it is established, they make
            sure that everything brought into the field has already been
            sterilized. In this procedure, you will create a clean anti-
            viral start-up diskette with which you can always re-
            establish the sterile field.

            Your VirusScan archive (.ZIP) file is created with
            authenticity checks and a serial number embedded in it to
            ensure that it has not been tampered with or modified.
            Additionally, VirusScan comes with Validate, a Cyclic
            Redundancy Check (CRC) program that computes a check-sum for
            VirusScan's files.  Once you have unpacked the VirusScan
            archive, you should copy all the files to a diskette in
            drive A: and write-protect it to ensure that no virus can
            alter the programs and information stored there. Under no
            circumstances should you remove the write protection.  Label
            this diskette as your 'VirusScan Program Diskette.'

            Here's a summary of the tasks you'll follow in this chapter:

            o    Installing VirusScan
            o    Scanning your system.
            o    If you detect a virus.
            o    Activating VShield(TM).
            o    Making a clean start-up (boot) diskette.
            o    Running the VirusScan programs.
            o    When to scan for viruses.
            o    Updating VirusScan regularly.


            NOTE: Because OS/2 programs run in a protected mode, OS/2
            systems are not vulnerable to viruses as DOS and Windows

           Using VirusScan (Version 2.0)                            11


            systems are. Many OS/2 users run DOS and Win-OS/2 sessions,
            however, and they are still vulnerable. By using the
            VirusScan programs as described in this manual, you can
            protect the DOS and Win-OS/2 portions of your OS/2 system
            from infection.















































           Using VirusScan (Version 2.0)                            12


            INSTALLING VIRUSSCAN

            This task explains how to check your system and install the
            VirusScan software under DOS, Windows, or OS/2. Don't use
            any other method to install VirusScan, or you risk spreading
            a virus.


            INSTALLATION STEPS

            Start from the system prompt (C:\> or [C:\]). If you are
            running Windows or an application program, exit from it to
            display the prompt. If you are running OS/2, close all DOS
            and Win-OS/2 sessions open the Command Prompts folder in the
            OS/2 System folder, and click on either the OS/2 Full Screen
            or OS/2 Window icons.

            After typing each entry on the command line, press <ENTER>.

            1.   Create a directory to contain the VirusScan files, as
                 in the following example:

                        C:\> mkdir c:\mcafee

                 and press <ENTER>. 

                 If you have an earlier version of VirusScan already
                 installed, create a separate directory (such as 
                 c:\newvscan) for the new version. (You should test 
                 the new version before removing the earlier version.)

            2.   Copy the VirusScan archived (.ZIP) file to this 
                 directory, as in the following example:

                        C:\> copy c:\download\*.zip c:\mcafee

                 and press <ENTER>.

            3.   Change to the VirusScan directory you just created,
                 as in the following example:

                        C:\> cd c:\mcafee

                 and press <ENTER>.
            
            4.   Unzip the file using PKUNZIP.EXE, as in the following
                 example:

                        C:\mcafee> PKUNZIP *.ZIP

                 and press <ENTER>.
            
           Using VirusScan (Version 2.0)                            13


            5.   Run VirusScan to check your local hard disk(s) by
                 typing:

                      c:\mcafee> scan /adl

                 and pressing <ENTER>. It may take several minutes
                 for the Scan program to check for viruses in memory,
                 then on the system and user portions of your drives.
                 Scan keeps you informed of its progress. Read the
                 information carefully, and write down the name of any
                 viruses Scan reports.

            6.   If Scan does not report any viruses, congratulations
                 --most likely your system is currently virus-free.
                 Continue with "Making a Clean Start-Up Diskette" in
                 this chapter.

                 If Scan finds one or more viruses you'll see a
                 message like:

                           Found the Jerusalem Virus

                 Stop the installation. Don't panic, even if the virus
                 has infected many files. At the same time, don't run
                 any other programs, especially if the virus is found
                 in memory. Go directly to "If You Detect a Virus"
                 later in this chapter for further instructions.

            7.   Create a directory on your hard disk to store the
                 VirusScan files in by typing:

                      C:\> mkdir mcafee

                 and pressing <ENTER>.

            8.   Copy the VirusScan files from the 'VirusScan Program
                 Diskette' in drive A: to your hard disk by typing:

                      C:\> copy a:\*.* c:\mcafee

                 and pressing <ENTER>.  VirusScan has now been installed
                 onto your hard disk.  Now your system's startup files
                 must be modified to find VirusScan on your system.

            9.   DOS and Windows users: Using a text editor program, 
                 load your AUTOEXEC.BAT file.  Locate the path statement,
                 which typically begins with a 'PATH' or 'SET PATH ='
                 statement.  Place your cursor at the end of this line
                 and type:

                      ;C:\MCAFEE
           Using VirusScan (Version 2.0)                            14


                 and press <ENTER>.  Now save your AUTOEXEC.BAT file and
                 exit the editor.

                 NOTE: If a semi-colon ";" is already present at the end
                       of the line, do not add one to the path statement.

                 OS/2 users: Make the same change listed above to the
                             'SET PATH='  statements in your CONFIG.SYS
                             file. Now save your CONFIG.SYS file and
                             exit the editor.

            Congratulations! You've successfully installed VirusScan.
            Restart your computer now and continue with this chapter to
            see how you can use VirusScan to keep your computer virus-
            free. We recommend looking over the following sections in
            this chapter:

                 "Scanning Your System"
                 "If You Detect A Virus"
                 "Activating VShield"
                 "Making A Clean Start-Up Diskette"

            so you'll know what took place during installation. Then
            continue with the remaining tasks in this chapter, beginning
            with "Running the VirusScan Programs" to find out how and
            when to run and update the VirusScan programs.


























           Using VirusScan (Version 2.0)                            15

            
            SCANNING YOUR SYSTEM

            VirusScan's Scan program examines your PC and disks to
            detect viruses there. The first time you run Scan, do so
            from the original, write-protected diskette so that the
            programs themselves cannot be infected.

            Start from the system prompt (C:\> or [C:\]). If you are
            running Windows or an application program, exit from it to
            display the prompt. If you are running OS/2, close all DOS
            and Win-OS/2 sessions. Next, open the Command Prompts folder
            in the OS/2 system folder, then click the OS/2 Full Screen or
            OS/2 Window icon.

            After typing each entry on the command line, press <ENTER>.
            If you include the /REPORT option, Scan saves a report of
            infected files and any system errors to a log file that you
            specify.

            o    Insert the 'VirusScan Program Diskette' in drive A:

            o    Scan your C: drive for known viruses by typing:

                      C:\> a:scan c: /report c:\virus.log

                 OS/2 Users: Be sure to replace "a:scan" with
                             "a:os2scan" in the above example.

                 Or, if you have more than one hard drive, scan them in
                 the same fashion. For example, if you have C and D
                 drives:

                      C:\> a:scan c: d: /report c:\virus.log

                 You can also scan all local drives using the /ADL
                 option. For example:

                      C:\> a:scan /adl /report c:\virus.log














           Using VirusScan (Version 2.0)                            16


                 It may take several minutes for the Scan program to
                 check for viruses in memory, then on the system and
                 user portions of your drives. Scan keeps you informed
                 of its progress. Read the information on the screen
                 carefully.  Below is a sample of what Scan reports
                 when checking a drive for viruses:

                 Ŀ
                  Database file V1.00 created Fri Apr 1 12:01:00 1994 
                  Finished scanning memory for viruses.               
                  Scanning C:                                         
                                                                      
                  Summary report on C:                                
                                                                      
                  File(s)                                             
                          Analyzed: ..............    1500            
                          Scanned: ...............     750            
                          Possibly Infected: .....       0            
                          Master Boot Record(s):..       1            
                          Possibly Infected:......       0            
                          Boot Sector(s):.........       1            
                          Possibly Infected:......       0            
                                                                      
                  Time: 60.00 sec.                                    
                 

            o    If Scan reports 0 viruses found, congratulations--most
                 likely your system is currently virus-free. Skip to
                 "Activating VShield" later in this chapter to continue.

                 If Scan finds one or more viruses, you'll see a message
                 like:

                 Ŀ
                   Scanning C:                                        
                   Scanning file C:\DOS\ATTRIB.EXE                    
                           Found the Jerusalem virus                  
                 

                 Don't panic, even if the virus has infected many files.
                 At the same time, don't run any other programs,
                 especially if the virus is found in memory. Turn to "If
                 You Detect a Virus" later in this chapter, where 
                 VirusScan will help you eradicate it.

            o    Scan has many options to control and fine-tune the
                 scope, validation, and operation of its scan. For
                 details, see Chapter 3 in the VirusScan documentation, 
                 and "Detecting new and unknown viruses" in Chapter 4.




           Using VirusScan (Version 2.0)                            17


            IF YOU DETECT A VIRUS

            In this task, you will run Scan with the /CLEAN option to
            eradicate most known viruses from your disks.

            o    If you are at all unsure about how to proceed once
                 you've found a virus, contact McAfee for assistance
                 (see "Technical Support" in Chapter 1).

            We strongly recommend that you get experienced help in
            dealing with viruses if you are unfamiliar with anti-virus
            software and methods. This is especially true for "critical"
            viruses and master boot record (MBR or so-called "partition
            table")/boot sector infections, because improper removal of
            these viruses can result in the loss of all data and use of
            the infected disks.


            RESTART FROM A CLEAN ENVIRONMENT

            You must run Scan from a clean, virus-free environment. With
            DOS or Windows, restart from a clean diskette. With OS/2,
            simply close all DOS and Win-OS/2 sessions.

            DOS or Windows
            With DOS or Windows, the only way to ensure a clean
            environment is to turn your computer off to eliminate any
            viruses in memory, then restart from a virus-free floppy
            diskette in drive A:, preferably the original, write-
            protected DOS installation diskette that came with your
            computer. If you don't have one, borrow or buy one; don't
            use a diskette that might be infected. (You will create a
            new anti-viral diskette in "Making a Clean Start-Up
            Diskette" later in this chapter to use in the future, 
            but you need a clean environment before you create one.)

            1.   Turn off your computer. (Don't just reset or reboot,
                 which may leave some viruses intact in the computer's
                 memory.)

            2.   Make sure your clean boot (start-up) diskette is write-
                 protected.

                 o    For a 3.5" diskette, slide its corner tab so that
                      the square hole is open.

                 o    For a 5.25" diskette, cover its corner notch with
                      a write-protect tab. Be sure to use the black or
                      silver write-protect stickers provided with your
                      diskettes, not transparent tape, which is ignored
                      by the floppy drive's infrared write-protection
                      mechanism.
           Using VirusScan (Version 2.0)                            18


            3.   Insert your start-up diskette in drive A:.

            4.   Turn on your computer and wait until you see the system
                 prompt (probably A>). Don't run any programs on your
                 hard disk, or you may reactivate the virus.

            OS/2
            With OS/2, you can eliminate most viruses from memory by
            closing all DOS, Win-OS/2, and virtual DOS machine (VDM)
            sessions. Because OS/2 programs run in protected mode,
            viruses cannot spread between them.


            BACK UP YOUR HARD DISK

            Some viruses may leave certain disks or files unusable when
            cleaned up. To increase your chance of recovery, copy all
            the files on all of your hard disks onto fresh diskettes or
            a backup tape after booting from a clean copy of the
            operating system. You can use a commercial backup program,
            or the one included with DOS or OS/2. Scan the program disk
            first to make sure that the backup program itself is not
            infected. Do not run the backup program if it is infected.
            Instead, reload it from your original installation
            diskettes.

            Although some of the backed-up files may be infected, it is
            better to have current copies than not. However, don't
            overwrite previous backup disks or tapes, which may or may
            not be infected.


            RUN SCAN WITH THE /CLEAN OPTION

            Start from the system prompt (probably A> or [A:\]). If you
            are running OS/2, open the Command Prompts folder in the
            OS/2 system folder, and click on the OS/2 Full Screen or
            OS/2 Window icons.

            After typing each entry on the command line, press [Enter].

            1.   Insert the 'VirusScan Program Diskette' in drive A:.

            2.   Eliminate the first known virus on your hard drive(s)
                 by typing:

                 DOS or Windows
                      A> a:scan /adl /clean

                 OS/2
                      [A:\] a:os2scan /adl /clean

           Using VirusScan (Version 2.0)                            19


                 Scan keeps you informed of its progress and generally 
                 reports that a virus was removed successfully. If Scan 
                 reports that the virus could not safely be removed, 
                 see the next section, "If Viruses Were Not Removed, 
                 Contact Technical Support."

            3.   Repeat step 2 for other viruses found by Scan, and for
                 other infected hard drives. For example:

                 DOS or Windows
                      A> a:scan /clean d:

                 OS/2
                      [A:\] a:os2scan /clean d:

                 o    Scan has options to control and fine-tune the
                      scope, validation, and operation of its
                      disinfection. For details, see Chapter 3
                      in the Scan documentation.

            If Viruses were NOT removed, contact Technical Support

            If Scan can't remove a virus, it will tell you:

            Virus cannot be safely removed from this file.

            Make sure to take note of the filename, because you will
            need to restore it from backups. Run Scan again, this time
            using the /CLEAN and /DEL options to delete the remaining
            infected files, as described in Chapter 3 in the Scan
            documentation. If you have any questions, contact McAfee
            (see "Technical Support" in Chapter 1).

            If viruses were safely removed, rescan and check diskettes

            If Scan has successfully removed all the viruses, restart
            your computer.

            Restart installation as described in "Installing VirusScan"
            earlier in this chapter. Assuming that your system is now 
            virus-free, installation will scan your system, activate 
            VShield, and make a clean start-up diskette as part of the
            installation procedure. Thereafter, you can proceed to
            "Running the VirusScan programs" later in this chapter.

            One common source of virus infection is floppy diskettes.
            Once you've finished installing VirusScan on your hard disk,
            use Scan again to examine and disinfect the diskettes you
            use, as described in "When to Rescan," in this chapter.













           Using VirusScan (Version 2.0)                            20


            FALSE ALARMS

            Due to the nature of anti-virus software, there is a small
            possibility that Scan may report a virus in a file that is
            not infected. This can be more likely if you are using more
            than one brand of virus protection software, especially if
            the virus is only reported in memory and not anywhere on the
            disk when you boot.

            If Scan reports a virus infection that you suspect may be in
            error, contact McAfee (see "Technical Support" in Chapter 1).
            You can upload the file to our bulletin board system at
            (408) 988-4004, along with your name, address, daytime
            telephone number, and electronic mail address (if any).


            ACTIVATING VSHIELD

            VirusScan's VShield program can help prevent viruses from
            infecting your system. It runs as a "terminate-and-stay-
            resident" (TSR) program, remaining in memory and scanning
            and intercepting programs as they are executed.

            To install VShield, use your editor to load your
            AUTOEXEC.BAT file. Insert the following as the first line:

                 C:\MCAFEE\VSHIELD

            If you load network drivers, disk-caching software, or 
            other memory-resident programs that changes the way 
            in which you access disks, insert a second VShield line 
            after the last invocation of such software:

                 C:\MCAFEE\VSHIELD /RECONNECT

            and press <ENTER>.  This reactivates VShield if it has been
            deactivated by another memory-resident program.  Now save
            your AUTOEXEC.BAT file.

            


           Using VirusScan (Version 2.0)                            21


            Windows
            VShield can display messages from within Windows in a
            message dialog. This is done through VShield's
            Windows Messager. If you choose not to install the
            Messager, VShield will still detect viruses, but will
            not be able to report them to you.

            1.   To activate the Messager, you must copy the
                 VSHLDWIN.EXE file from your VirusScan directory
                 (typically C:\MCAFEE) to your Windows directory
                 (typically C:\WINDOWS). You can do this by typing:

                      C:\> copy c:\mcafee\vshldwin.exe c:\windows

                 and pressing <ENTER>.

            2.   Go to your Windows directory, and using a text editor
                 program, load your WIN.INI file.  Go to the [Windows]
                 settings and insert the following line:

                      load=vshldwin.exe

                 NOTE: If you already have a "load=" line in your WIN.INI
                       file, go to the end of it and type:

                           ; vshldwin.exe

                 and press <ENTER>.  Now save your WIN.INI file and
                 exit the editor.

            VShield will now run whenever you start or restart your
            computer. To activate VShield at any time:

            DOS or Windows - Restart your computer by pressing the
            <CTRL>, <ALT>, and <DEL> keys simultaneously, or by turning
            it off and then on again (if Windows is running, exit out
            of it before doing restarting your computer).

            OS/2 - Restart all DOS and Win-OS/2 windows.

            o    If you have difficulties running VShield, it may be due
                 to conflicts with other TSR programs in your system, or
                 with other programs that monitor disk access. See
                 Chapter 3 for details, and Chapter 4, "Tips and 
                 Troubleshooting," for more information. Contact 
                 McAfee technical support if you need help (see 
                 "Technical Support" in Chapter 1).



           Using VirusScan (Version 2.0)                            22


            o    VShield normally occupies up to 67Kb of conventional
                 (base 640Kb) memory. VShield minimizes the use of
                 conventional memory by attempting to load into extended
                 (XMS) memory, expanded (EMS) memory, upper memory, or a
                 combination of them before using conventional memory.

                 For computers with extreme available memory
                 limitations, you can use VShield's /SWAP option to
                 reduce its memory requirements to 7Kb, although this
                 will decrease VShield's speed. For details, see
                 Chapter 3.

            o    VShield has options to control and fine-tune the scope,
                 validation, and operation of its virus prevention. For
                 details, see Chapter 3.

            o    When used in conjunction with some of Scan's options,
                 VShield can help protect your system from new and
                 unknown viruses. For details, see "Detecting New and
                 Unknown Viruses" in Chapter 4.

            o    Under OS/2, VShield runs in DOS and Win-OS/2 sessions
                 only, because current viruses can operate only in those
                 sessions.

            o    In Windows, you can use the VShield icon to turn
                 messages from VShield on and off (VShield itself,
                 however, remains active). For details, see Chapter 3.
























           Using VirusScan (Version 2.0)                            23


            MAKING A CLEAN START-UP DISKETTE

            In DOS or Windows, create a clean anti-viral start-up (boot)
            diskette that you can use to regain your "sterile field" if
            your system becomes infected. This is not necessary in OS/2,
            although it will be helpful to make backup copies of your
            OS/2 installation diskettes.

            DOS or Windows
            In DOS, start from the system prompt (C:\>). In Windows, you
            may open a DOS window, or duplicate these steps using
            Windows' File Manager.

            1.   Insert a blank or dispensable diskette into drive A.
                 Make sure the diskette contains no important
                 information, as this procedure will erase it.

            2.   Format the disk as a DOS-bootable diskette with the
                 system files on it by typing:

                      C:\> format a: /s /v /u

                 and pressing <ENTER>.  If you are using a version of
                 DOS before DOS 5.0, do not type the "/u" option.  The
                 /U option is used in recent versions of DOS to insure
                 that the floppy diskette is erased completely (earlier
                 versions of DOS automatically do this).

                 When prompted for a volume label, type:

                      virusfree01

                 and press <ENTER>, or use another name of up to 11
                 characters.

            3.   Copy the VirusScan program files onto the diskette.
                 Here's one way to do this, assuming that your VirusScan
                 files are stored in C:\MCAFEE:

                      C:\> copy c:\mcafee\scan.exe a:
                      C:\> copy c:\mcafee\scan.dat a:
                      C:\> copy c:\mcafee\clean.dat a:
                      C:\> copy c:\mcafee\names.dat a:

            4.   Copy useful DOS programs to the diskette. Here's one
                 way to do this, assuming that your DOS files are stored
                 in C:\DOS:

                      C:\> copy c:\dos\format.* a:
                      C:\> copy c:\dos\xcopy.* a:
                      C:\> copy c:\dos\diskcopy.* a:
                      C:\> copy c:\dos\sys.* a:
           Using VirusScan (Version 2.0)                            24


                      C:\> copy c:\dos\fdisk.* a:
                      C:\> copy c:\dos\debug.* a:
                      C:\> copy c:\dos\unerase.* a:
                      C:\> copy c:\dos\mem.* a:
                      C:\> copy c:\dos\chkdsk.* a:

                 In the same way, copy other DOS programs that you think
                 might be useful.

            5.   Remove the diskette from the drive and write-protect it
                 so that it cannot become infected.

                 o    For a 3.5" diskette, slide its corner tab so that
                      the square hole is open.

                 o    For a 5.25" diskette, cover its corner notch with
                      a write-protect tab. Be sure to use the opaque
                      write-protect stickers provided with your
                      diskettes, not transparent tape.

            6.   Label the diskette "Virus-Free Boot Disk" and put it
                 away in a secure place in case you need to reestablish
                 a virus-free environment in the future.  You may want
                 to include supplemental information on the disk label,
                 such as the date and versions of DOS and VirusScan.

            OS/2

            With OS/2, you don't need a virus-free start-up disk.
            However, it will be helpful to keep a clean copy of
            important files, such as your system configuration files.
            Copy your  CONFIG.SYS, STARTUP.CMD, and AUTOEXEC.BAT files
            onto an empty, formatted diskette. Write-protect the
            diskette, label it, and put it away in a secure place.


















           Using VirusScan (Version 2.0)                            25


            RUNNING THE VIRUSSCAN PROGRAMS

            VIRUSSCAN FOR DOS

            To run the VirusScan programs from the DOS command prompt,
            type the program name (SCAN) on the command line. Follow the
            program name with the drive, directory, or file(s) you want
            to scan for viruses and the options you want to use.

            Note:     If you have not changed the path statement in your
                      AUTOEXEC.BAT file, you will need to include its
                      location (usually C:\MCAFEE) in the command, or
                      change to that directory.

            For example, to examine a diskette in drive A: type:

                 C:\> c:\mcafee\scan a:

            and press <ENTER>.

            EXCEPTION:
                      If Scan detects a virus in memory or on your hard
                      disk, don't run Scan with the /CLEAN option from
                      C:\MCAFEE. Instead, restart your computer and run
                      Scan from your clean start-up diskette as described
                      in "If you detect a virus" in this chapter.

            VirusScan can list the viruses it detects.  To view this list,
            run Scan with the /VIRLIST option, described in Chapter 3
            in the Scan documentation.


            VSHIELD

            VShield loads automatically upon startup for DOS and Windows
            computers, or when a DOS or Win-OS/2 session is started
            within OS/2.

            o    You can change VShield options from the DOS command
                 line by removing VShield from memory and re-running it,
                 or by editing the VShield command line in your
                 AUTOEXEC.BAT file. See Chapter 3 for details.










           Using VirusScan (Version 2.0)                            26


            VIRUSSCAN FOR OS/2

            To run Scan from OS/2, open the Command Prompts folder in
            the OS/2 System folder and click on the OS/2 Full Screen or
            OS/2 Window icons. Next, type the program name (OS2SCAN) on
            the command line. Follow the program name with the drive,
            directory, or file(s) you want to scan for viruses and
            the options you want to use.

            Note: If you have not changed the PATH and LIBPATH
                  statements in your CONFIG.SYS file, you will need to
                  include its location (usually C:\MCAFEE) on the command
                  line, or change to that directory.

            For example, to examine a diskette in drive A: type:

                 [C:\] c:\mcafee\os2scan a:

            and press <ENTER>.

            o    VShield does not run in native OS/2 sessions, only
                 under DOS and Win-OS/2 sessions inside of OS/2. If you
                 have placed the VShield command in your AUTOEXEC.BAT
                 file, it will run automatically when you start a DOS or
                 Win-OS/2 session. You can also run it from the DOS
                 command line, as described earlier in this section.


























           Using VirusScan (Version 2.0)                            27


            WHEN TO RESCAN

            Although VShield will monitor your software for viruses,
            it's wise to scan your disks when you introduce new programs
            or disks that may be infected. New programs and files are
            generally introduced in two ways: by inserting a diskette,
            and by installing new programs.  It is also possible to
            download a computer virus using a modem, however, this is
            extremely rare.

            o    You can use VShield with the /ANYACCESS option to scan
                 diskettes automatically. For more information, see
                 the discussion of /ANYACCESS in Chapter 3.

            o    For instructions on running VirusScan, see "Running the
                 VirusScan programs" earlier in this chapter.

            WHEN YOU INSERT AN UNCHECKED DISKETTE
            Every time you insert a new diskette in your drive, run Scan
            on it before executing, installing, or copying its files. If
            you have several diskettes to scan, you can scan them
            consecutively. In fact, we recommend doing this now with all
            the diskettes you normally use, as well as diskettes
            received from friends, co-workers, salespeople, and even
            your own diskettes if they have been in another PC.

            WHEN YOU INSTALL OR DOWNLOAD NEW FILES
            Every time you install new software on your hard drive, or
            download executable files from a network server, bulletin
            board, or on-line service, run Scan on the directory the
            files were placed in before executing the files.





















           Using VirusScan (Version 2.0)                            28


            UPDATING VIRUSSCAN REGULARLY

            Unfortunately, new viruses (and variants of old ones) appear
            and circulate often in the personal computer community.
            Fortunately, McAfee updates the VirusScan programs
            regularly--usually every month, but sooner if many new
            viruses have appeared. Each new version may detect and
            eradicate as many as 60-100 new viruses or more, and may add
            new features. To find out what's new, review the README.1ST
            text file.


            DOWNLOADING NEW VERSIONS

            You may use your own communications software to download new
            versions from the McAfee bulletin board, CompuServe, or the
            Internet. See Chapter 1, "Welcome to VirusScan" for more
            information.

            Always download and decompress the files in a separate
            directory from your current files. That way, if you
            discover a problem with the new files, you'll still
            have the old ones intact.


            VALIDATING VIRUSSCAN

            When you download a program file from any source other than
            the McAfee bulletin board system or other direct-from-McAfee
            service, it's important to verify that it is authentic,
            unaltered, and uninfected.
            McAfee anti-virus software includes a program called
            Validate that helps you do this. When you receive a new
            version of VirusScan, run Validate on all of the program
            files.

            To do this for Scan, start from the system prompt (C:\> or
            [C:\]):

            1.   Change to the directory to which you've downloaded the
                 files. For example, if you've stored the files in
                 C:\DOWNLOAD, type:

                      C:\> cd \download

                 and press <ENTER>.

            2.   Type the command:

                      C:\DOWNLOAD> c:\mcafee\validate scan.exe

                 and press <ENTER>.
           Using VirusScan (Version 2.0)                            29


                 OS/2 Users: Be sure to replace SCAN.EXE with
                             OS2SCAN.EXE as the file to be validated.

            3.   Compare the results with the information in the
                 README.1ST file or other text file for the program you
                 have just validated. If the validation results match
                 what's in the file, it is highly unlikely that the
                 program has been modified.

            4.   Once you have validated the new version, copy it into
                 your C:\MCAFEE directory. In addition, create a new
                 "VirusScan Start-Up Diskette" containing the new
                 version.


            UPDATE YOUR CLEAN START-UP DISKETTE

            Once you have validated the new version, copy it into 
            your C:\MCAFEE directory. In addition, copy the Scan 
            program onto your clean start-up diskette. Below is one 
            way to do this; you may also use the Windows File Manager 
            or the OS/2 environment.

            Note any changes you've made to default options, because 
            you may want to select and save them again. Start from 
            the system prompt (C> or [C:\]).

            1. Navigate to the directory to which you've
               retrieved the files, such as C:\MCAFEE:

                 cd c:\mcafee

            2. Temporarily remove write-protection from your clean
               start-up diskette and insert it in drive A.

               o For a 3.5" diskette, slide its corner tab so that
                 the square hole is closed.
               o For a 5.25" diskette, remove the tab or tape from
                 its corner notch.

            3. Copy the Scan program, and its data files to the diskette.

               DOS or Windows       C> copy SCAN.EXE a:
                                    C> copy *.DAT a:
               OS/2              [C:\] copy OS2SCAN.EXE a:
                                 [C:\] copy *.DAT a:

            4. Remove the diskette from the drive and write-protect
               it again.


           Using VirusScan (Version 2.0)                            30


            Chapter 3: VSHIELD REFERENCE

            VirusScan(TM)'s VShield(TM) is a memory-resident program
            that helps to prevent virus infection. It complements the
            Scan virus detection program as part of your computer
            security plan. While Scan checks areas on disks for viruses,
            the VShield program checks programs as they load into your
            computer's memory. This ensures that you don't "catch" any
            new viruses while you're working on your computer.

            VShield does this by remaining in memory and:

            o    Checking master boot records (MBR's), boot sectors,
                 system files, and itself for viruses when you turn on
                 or soft-boot (press the <CTRL>, <ALT>, and <DEL> keys
                 together) your machine.

            o    Checking program files for viruses as your computer
                 executes them.

            o    Checking files for viruses as you copy them (optional).

            o    Checking for viruses whenever your computer accesses a
                 disk (optional).

            Follow the instructions in Chapter 2 to install VShield.
            Instructions are given on how to modify your AUTOEXEC.BAT
            file so that VShield loads into memory every time you turn
            on your computer.

            If VShield finds a virus, you will hear three beeps and see
            a message like:

                 Found the Jerusalem Virus

            If that happens, don't panic. Turn to Chapter 3 in the 
            Scan documentation to find out how to use the Scan 
            program to get rid of the virus. If you need additional help, 
            contact McAfee (see "Technical Support" in Chapter 1).

            Note:     There is one way to infect your computer that
                      VShield cannot prevent--only you can. Never
                      accidentally start your computer from an unknown
                      diskette. That's how 80% of all viruses are passed!
                      Always make sure your diskette drives are empty before
                      you turn your computer on.

            VShield runs under DOS, Windows, and OS/2 Virtual DOS
            Machine and WIN-OS/2 sessions. The filename for this program
            is VSHIELD.EXE.


           Using VirusScan (Version 2.0)                            31


            The file called VSHLDWIN.EXE allows VShield to display
            messages from within Windows, and is added to your WIN.INI
            file automatically when you install VShield.

            If you need to conserve memory on your system, you can use
            VShieldCRC, a version of VShield that offers fewer
            protection options but requires less memory. The filename
            of the program is VSHLDCRC.EXE.

            A companion program called CheckVShield checks whether either
            VShield or VShieldCRC is loaded in memory. The filename of the 
            program is CHKVSHLD.EXE. CheckVShield is especially useful 
            for network administrators who want to ensure that everyone 
            who logs on to the network is running VShield. All of these 
            related programs are included in your VirusScan disk and 
            described in this chapter.


            DO YOU NEED TO READ THIS CHAPTER?

            Many users will not need the VShield options described in
            this chapter. We have designed VShield so that basic
            operation--achieved by simply installing it in memory as
            described in Chapter 2--provides a high degree of
            protection for most users. The options here offer additional
            power and control for virus detection, and are most useful
            in vulnerable or memory-scarce environments, and to network
            administrators and information systems staff. See "Four
            Levels of Protection" and "Deciding Which Options Are for
            You" in this chapter for help in deciding how to use
            VShield.





















           Using VirusScan (Version 2.0)                            32


            SYSTEM REQUIREMENTS AND PERFORMANCE

            VShield is a terminate-and-stay-resident (TSR) program,
            which remains in memory while you run other programs.
            VShield tries to optimize memory usage and minimize
            conflicts with other TSRs. By default, VShield tries to
            conserve as much conventional memory as possible.

            If you have only 640Kb or less memory in your system,
            VShield requires about 67Kb of memory. By using the /SWAP
            option, you can reduce this to only 7Kb of conventional
            memory, although this will decrease VShield's speed.

            If you have more than 640Kb of memory in your system,
            VShield tries to load as much of itself as possible above
            your conventional memory: first, into expanded memory (EMS),
            into extended memory (XMS), then into upper memory blocks
            (640Kb to 1024Kb, or UMB). If you have sufficient high
            memory available, VShield or VShieldCRC use no conventional
            memory.

            After VShield loads you'll see a message that describes
            where VShield loaded into memory and how much memory it
            using. You can control how VShield loads by using the
            /NOUMB, /NOEMS, and /NOXMS options, as described later in
            this chapter.

            o    VShield might require slightly more memory as the
                 VSHIELD.DAT file grows to include more viruses.

            VShield adds a small amount of time to program loads and
            reboots. Performance will vary, depending on your system.
            The /SWAP option adds more time, because VShield must reload
            from disk to check files.

            VShieldCRC adds an average of one second to each program
            load.

            Once programs have been loaded, VShield does not degrade the
            performance of your system in any way. Programs that load
            other files may run more slowly when you use the /FILEACCESS
            or /ANYACCESS options, because these options cause VShield
            to scan files whenever they are accessed, not just when they
            are executed.








           Using VirusScan (Version 2.0)                            33


            FOUR LEVELS OF PROTECTION

            You can think of VShield as providing four levels of
            protection. You can use VShield's options to customize it
            for the level of protection you need. Level II meets the
            protection needs of most systems.

            LEVEL I PROTECTION
            This level is appropriate for users who have very little
            memory available on their systems. It provides only minimal
            protection.

            For Level I protection, first use Scan with the /AF or /AV
            option to add validation codes. Then, install VShieldCRC
            instead of VShield.

            VShieldCRC can inform you that a file has not been
            certified, a file has been modified, a file size has
            changed, or a file has not been added to the validation
            file. VShieldCRC will not prevent infection, nor will it
            tell you when you have a known virus. Use Scan instead to
            detect viruses, as described in Chapters 3 and 4. See "Using
            VShieldCRC" in this chapter for instructions.

            LEVEL II PROTECTION
            This level is appropriate for most users. It will protect
            you from most viruses whether you have run Scan or not.

            For Level II protection, just install VShield according to
            the instructions in "Activating VShield." When loading,
            VShield checks memory automatically for viruses. Once
            resident in memory, VShield checks master boot records
            (MBRs), boot sectors, and program files (when executed) for
            virus signatures.

            LEVEL III PROTECTION
            This level is appropriate for computers that are used by
            many people, as in an open-use computer lab, or onto which
            you frequently load files from public sources. Level III
            protection checks for both validation codes and virus
            signatures, incorporating both Level I and Level II
            protection.

            For Level III protection, first use Scan with the /AF
            {filename} option, then use VShield with the /CF {filename}
            option. The /AF option logs validation and recovery data for
            program files, the boot sector, and the master boot record
            (MBR) to a file you specify. The /CF option tells VShield to
            check against that log. See Chapter 3 in the Scan 
            documentation for instructions.


           Using VirusScan (Version 2.0)                            34


            LEVEL IV PROTECTION
            This level is for environments where security is extremely
            important and new software is seldom introduced. It combines
            Level III protection with access control, specifying that
            only programs known to be safe can be run.

            For Level IV protection, run VShield with the /CERTIFY
            option. See the "VShield Option Descriptions" later in this
            chapter for details about /CERTIFY.

            o    VShield has many optional features that you might use
                 at any protection level. See the table "VShield Option
                 Summary" later in this chapter to see these options at
                 a glance.






































           Using VirusScan (Version 2.0)                            35


            RUNNING VSHIELD

            VShield checks programs, master boot records (MBR), boot
            sectors, system files, and itself for virus strings, the
            patterns of code unique to each computer virus. If VShield
            finds an infection, it prevents programs from running. It
            also prevents soft boots (also known as "warm boots")
            performed by pressing the <CTRL>, <ALT>, and <DEL> keys
            together from an infected floppy diskette in the A: drive.

            You can use options to control and fine-tune the scope,
            validation parameters, and operation of the VShield's
            checks. To use VShield with options, use the following
            syntax:

                 vshield [options]

            [options] indicates one or more options described in the
            table in the next section.

            o    Don't enter the square braces, which indicate that
                 what's within them is optional.

            Because systems and environments differ, VShield gives you
            a choice of options. Consider the mixture of safety,
            performance, and maintenance that meets your needs, then
            choose the combination of options that works best.

            When you run VShield for the first time, VShield uses the
            virus information contained in SCAN.DAT to creates a new
            file, VSHIELD.DAT, in the program directory. The VSHIELD.DAT
            file contains virus information in a format that is
            optimized for VShield operation. Thereafter, when you
            install an updated version of SCAN.DAT, VShield updates
            VSHIELD.DAT automatically with any new virus information it
            finds in SCAN.DAT.

            DOS
            If you followed the installation instructions in Chapter 2,
            VShield begins working for you as soon as you install it,
            protecting the "sterile field" that the installation
            procedure creates. VShield should be run from your
            AUTOEXEC.BAT file, so it is activated every time you turn on
            your computer.

            o    Check the placement of the VShield command line in the
                 AUTOEXEC.BAT file.

            o    VShield must be run before Microsoft Windows or any
                 menu programs, such as MS-DOS's DOSSHELL or Norton
                 Commander, or it will not be loaded.

           Using VirusScan (Version 2.0)                            36


                 1.   If your AUTOEXEC.BAT loads any network drivers,
                      keyboard drivers, disk caching programs, drive
                      compression programs, or custom disk drivers,
                      VShield must be run both before and after them.
                      These kinds of programs disable VShield. The
                      second time VShield is loaded, use only the
                      /RECONNECT option, as described later in this
                      chapter.

                 2.   If necessary, move the line that loads VShield.

                 3.   Add the VShield options of your choice to the
                      command line.

            Windows
            When you installed VShield, you should have added the
            VShield command line to your AUTOEXEC.BAT file and modified
            your WIN.INI file to include VSHLDWIN.EXE, which allows
            VShield to display messages under Windows. However, you may
            need to change your Windows configuration for VShield to run
            properly. To do so, follow these steps. If you need help
            with this procedure, see your Windows documentation, or
            contact McAfee (see "Technical Support" in Chapter 1).

            1.   Follow the instructions for DOS users in the previous
                 section.

            2.   Start Windows.

            3.   Make Program Manager the default shell. Use no other
                 Windows shell during installation.

            4.   In the Control Panel, configure Windows to run in 386
                 Enhanced mode.

            5.   Load Windows. You will see the VShield icon on your
                 desktop. If VShield finds or suspects a virus, you'll
                 see a warning message. Choose OK to close the message
                 dialog.

                 Note: Double-clicking the VShield icon only displays a
                      message that VShield is loaded.

            OS/2
            
            Because OS/2 is a protected environment, you need VShield
            only during Virtual DOS Machine (VDM) and WIN-OS2 sessions.
            When loaded through your AUTOEXEC.BAT file, VShield is
            automatically activated every time you start a DOS VDM or
            WIN-OS/2 session.


           Using VirusScan (Version 2.0)                            37


            If your DOS and WIN-OS/2 start-up batch file is not named
            AUTOEXEC.BAT, edit it so that it includes VShield. For
            example, add the following line:

                 c:\mcafee\vshield

            to your start-up batch file.













































           Using VirusScan (Version 2.0)                            38


            SPECIAL INSTRUCTIONS FOR NETWORK ADMINISTRATORS

            You have many options for setting up VShield on a network.
            The table "Deciding Which Options Are For You" later in
            this chapter lists options that most apply in network
            environments. If you need assistance in choosing the best
            configuration for your network, contact McAfee (see
            "Technical Support" in Chapter 1).

            If you run VShield from a network drive, flag VSHIELD.EXE as
            EXECUTE-ONLY, READ-ONLY, and SHAREABLE.

            If you run VShield from clients' local drives:
            
            o    Edit all clients' AUTOEXEC.BAT files to load VShield
                 with the options that are appropriate for your
                 environment before any other drivers are loaded.

            o    Add VShield with the /RECONNECT option to the
                 AUTOEXEC.BAT file or the network login script, after 
                 the network drivers are loaded. See /RECONNECT, 
                 later in this chapter, for more information.

            o    Run CheckVShield from the login script. CheckVShield
                 returns a DOS ERRORLEVEL that you can use in batch
                 files to check and update VShield. For an example of
                 using CheckVShield, see "Technical Note 2: Sample
                 NetWare Login Script and .BAT File" later in this 
                 chapter.
                 






















           Using VirusScan (Version 2.0)                            39


            VSHIELD OPTION SUMMARY

            Option and Description

            /? or /HELP
                 Display a list of valid VShield command line options.

            /ANYACCESS
                 Scan the diskette boot sector for viruses whenever a
                 diskette is accessed (including any read and write
                 operations); scan .EXE, .COM, .DLL, .OVL, .BIN, and 
                 .SYS files whenever the file is opened, read, or updated; 
                 scan .EXE and .COM files upon execution; scan any
                 newly created file, regardless of extension.

            /BOOTACCESS
                 Scan the diskette boot sector for viruses whenever a
                 diskette is accessed (including any read and write
                 operations); individual files on a diskette are not
                 scanned when a diskette is accessed.

            /CERTIFY
                 Prevent files without validation codes from running.

            /CF {filename}
                 Check for viruses using validation and recovery data
                 stored by Scan /AF in the specified filename.

            /CONTACT {message}
                 Display specified message when a virus is found.

            /CONTACTFILE {filename}
                 Display message stored in filename when a virus is
                 found.

            /CV
                 Check validation codes added to files by Scan.

            /EXCLUDE {filename}
                 Don't check files listed in filename for validation
                 codes (/CF and /CV options).

            /FILEACCESS
                 Scan .EXE, .COM, .DLL, .OVL, .BIN, and .SYS files
                 whenever the file is opened, read, or updated; 
                 scan .EXE and .COM files upon execution; the 
                 diskette boot sector is not checked when a diskette 
                 is accessed.

            /IGNORE {drive(s)}
                 Don't check programs loaded from the specified
                 drive(s).
           Using VirusScan (Version 2.0)                            40
            
            
            /LOCK
                 Halt the system when a file that is infected or not
                 certified loads and attempts to execute.

            /NOEMS
                 Prevent VShield from using expanded memory (EMS) when
            it loads.

            /NOMEM
                 Do not check memory for viruses upon running.

            /NOREMOVE
                 Prevent VShield from being removed from memory with the
                 /REMOVE switch.

            /NOUMB
                 Prevent VShield from using upper memory blocks (UMB)
                 when it loads.

            /NOWARMBOOT
                 Don't check the diskette boot sector for viruses during
                 a warm boot.

            /NOXMS
                 Prevent VShield from using extended memory (XMS) when
                 it loads.

            /ONLY {drive(s)}
                 Check programs loaded only from the specified drive(s).

            /RECONNECT
                 Restore VShield after certain drivers or TSRs have
                 disabled it.

            /REMOVE
                 Unload VShield from memory.

            /SAVE
                 Save the command line options to the VSHIELD.INI file.

            /SWAP [pathname]
                 Load VShield kernel (7Kb) only; swap the rest from
                 pathname.
            


            





           Using VirusScan (Version 2.0)                            41          
            
            
            VSHIELD OPTION DESCRIPTIONS

            /? or /HELP
            Use this option to display a brief description of valid
            VShield command line options.

            /ANYACCESS
            Checks the boot sector and files during read and write 
            operations. Whenever a diskette is accessed (including 
            any read and write operations such as a DIR or COPY 
            command), VShield checks the boot sector for viruses. 
            Whenever an .EXE, .COM, .DLL, .OVL, .BIN, or .SYS file is
            opened, read, or updated, VShield checks the accessed file. 
            Whenever an .EXE or .COM file executes, VShield checks the 
            file for viruses as it loads and prevents execution if 
            the file is infected. Whenever a new file is created, such 
            as with a COPY command, VShield checks the file (regardless 
            of its extension).

            This is the highest level of protection against viruses 
            that infect boot sectors and standard executable files. 
            Using /ANYACCESS with either /BOOTACCESS or /FILEACCESS in 
            the same command line returns an error message.

            Note:     The /ANYACCESS switch is not recommended for use
                      with DOS and WIN-OS/2 sessions under OS/2 due to
                      certain low-level operating system incompatibilities
                      between OS/2 and DOS.  Use the /FILEACCESS switch
                      instead.
            
            /BOOTACCESS
            Checks the diskette boot sector for viruses whenever a
            diskette is accessed (including any read and write operations 
            such as a DIR or COPY command). Unlike /ANYACCESS, 
            /BOOTACCESS does not check individual files on the diskette, 
            only the boot sector. Using /BOOTACCESS with /ANYACCESS on 
            the same command line returns an error message.

            Note:     This option does not work from within Windows File
                      Manager. For virus-checking within Windows, use the
                      /ANYACCESS or /FILEACCESS switch instead.
            
            









           Using VirusScan (Version 2.0)                            42          
            
            
            /CERTIFY
            Prevents programs from running if they do not have Scan
            validation codes. Use it in high-security environments to
            prevent clients from running programs that have not been
            scanned. To use /CERTIFY, first run Scan with the /AF or /AV
            option, as described in Chapter 3 in the Scan 
            documentation. Then, use VShield with the /CERTIFY option 
            and either the /CF or /CV option (either is required), 
            such as:

                 vshield /certify /cf c:\mcafee\valcodes.val

            Some programs, such as Lotus 1-2-3, contain self-modifying
            code and do not work correctly with validation codes
            attached. You may create an exception list of files to
            exclude from validation. For instructions, refer to
            "Technical Note 1: Creating an exception list for /EXCLUDE"
            in Chapter 3 of the Scan documentation.

            /CF {filename}
            Checks validation data stored by Scan's /AF {filename}
            option, where filename is the name of the validation data
            file created by Scan. If a file or system area has changed,
            VShield reports that a viral infection may have occurred.
            You can specify the /EXCLUDE option to exclude a list of
            files from validation checking. In this example:

                 vshield /cf c:\mcafee\valcodes.dat /noems

            VShield looks in the VALCODES.DAT file for validation data.
            For instructions on using Scan /AF to add validation codes,
            see "/AF {filename} Store recovery/validation codes in file"
            in Chapter 3 in the Scan documentation, and "Detecting 
            New and Unknown Viruses" in Chapter 4.

            /CONTACT {message}
            Displays a custom message when a virus is found. This
            message is displayed in addition to all other VShield
            messages. Use /CONTACT to let network users know what to
            do if VShield finds a virus. The message can be up to 50
            characters long, and can contain any character except a
            backslash "\" character.  Place messages starting with a
            hyphen "-" or a slash "/" in quotation marks.

            If your message is longer than 50 characters or you want to
            store the message text in a file, use /CONTACTFILE instead.
            Using /CONTACT and /CONTACTFILE in the same command line
            returns an error message.




           Using VirusScan (Version 2.0)                            43


            /CONTACTFILE {filename}
            An alternative to the /CONTACT option, /CONTACTFILE
            identifies a file that contains the message string to
            display when a virus is found. This option is especially
            useful in network environments, because you can easily
            maintain the message text in a central file rather than
            changing the command line in the AUTOEXEC.BAT file on each
            workstation.

            If your message is 50 characters or fewer, you can use
            /CONTACT instead. Using /CONTACT and /CONTACTFILE in the
            same command line returns an error message.

            /CV
            Checks validation codes added by Scan with the /AV option.
            If a file has changed, VShield reports that the file has
            been modified and a viral infection may have occurred. You
            can specify the /EXCLUDE option to exclude a list of files
            from validation checking. For instructions on using Scan to
            add validation codes, see "/AV Add recovery/validation data
            to files" in Chapter 3 in the Scan documentation, and 
            "Detecting new and unknown viruses" in Chapter 4.

            /EXCLUDE {filename}
            Excludes files listed in filename from validation when using
            /CF or /CV.  For more information, see "Technical Note 1:
            Creating an Exception List for /EXCLUDE" later in this chapter.

            /FILEACCESS
            Checks standard executable files whenever the file is
            accessed or executed.  Whenever an .EXE, .COM, .DLL, .OVL,
            .BIN, or .SYS file is opened, read, or updated, VShield checks 
            the accessed file. Whenever an .EXE or .COM file executes, 
            VShield checks the file for viruses as it loads and prevents 
            execution if the file is infected. VShield checks all files 
            when accessed by a read or write operation. Using /ANYACCESS 
            on the same command line with /FILEACCESS returns an error 
            message.

            o    We recommend always using /FILEACCESS with OS/2.

            For VShieldCRC, /FILEACCESS checks files only if they have
            been validated with the /AF or /AV options.
            
            
            
            





           Using VirusScan (Version 2.0)                            44          

            /IGNORE {drives}
            Omits checking program loads from the specified drives, as
            shown in the following example:

                 vshield /ignore t: y: w:

            Use /IGNORE or /ONLY to speed up VShield by excluding
            secure, virus-free drives such as network drives from virus
            checking. You can specify up to 26 drives. See also /ONLY,
            described later in this section. Using /IGNORE and /ONLY in
            the same command line returns an error message.

            /LOCK
            Halts the system to stop further infection if VShield finds
            a virus. /LOCK is appropriate in highly vulnerable network
            environments, such as open-use computer labs. If you use
            /LOCK, be sure to use /CONTACT or /CONTACTFILE  to tell
            users what to do or whom to contact if a virus is found and
            the system locks up.

            /NOEMS
            Prevents VShield from using expanded memory (LIM EMS 3.2)
            when it loads. This ensures that EMS is available
            exclusively for other programs.

            /NOMEM
            Skips the memory check for viruses when VShield loads. Using
            /NOMEM allows VShield to load more quickly, but use it only 
            if you are absolutely sure that your system is virus-free.

            /NOREMOVE
            Prevents VShield from being removed from memory with the
            /REMOVE option in a subsequent VShield command. When you
            load VShield with the /NOREMOVE option, subsequent loads
            with the /REMOVE option will have not effect. Your network
            will be more secure if users cannot remove VShield, but this
            option may prevent users from solving memory limitations or
            conflicts.

            /NOUMB
            Prevents VShield from using the upper memory block (UMB,
            640Kb to 1024Kb) when it loads. This ensures that the UMB
            is available exclusively for other programs.

            /NOWARMBOOT
            Omits checking the diskette boot sector during a warm boot
            of the system.

            /NOXMS
            Prevents VShield from using extended memory (XMS) when it
            loads. This ensures that XMS is available exclusively for
            other programs.

           Using VirusScan (Version 2.0)                            45


            /ONLY {drive(s)}
            Checks program loads only from the specified drive(s),
            ignoring all other drives, as shown in the following
            example:

                 vshield /only c: f: k:

            Use /IGNORE or /ONLY to speed up VShield by excluding
            secure, virus-free network drives from virus checking. You
            can specify up to 26 drives. See also /IGNORE earlier in
            this section. Using /ONLY and /IGNORE in the same 
            command line returns an error message.

            /RECONNECT
            Restores VShield's links into DOS after another program has
            disabled it, such as a network driver, keyboard driver,
            custom disk driver, drive compression program, or disk
            caching program. These types of programs replace the normal
            DOS system interrupts so that VShield no longer recognizes
            program loads. After the lines in your AUTOEXEC.BAT file (or
            network login script) that load these programs, add this
            command line to restore VShield:

                 vshield /reconnect

            /REMOVE
            Unloads VShield from memory. You may want to do this
            temporarily if you are running out of memory for programs.
            For best results, try using VShield with the /SWAP option
            first. Use /REMOVE only as a last resort.

            Note:     /REMOVE will not work if other memory-resident
                      programs were loaded after VShield, or if VShield was
                      loaded previously with the /NOREMOVE option.

            /SAVE
            Stores the VShield options you specify as the defaults in
            the VSHIELD.INI file. In the following example, /SAVE saves
            "/CONTACTFILE N:\USR\DAVEM\MSGFILE" as the default setting:

                 vshield /contactfile n:\usr\davem\msgfile /save

            To remove custom options and return to VShield's original
            defaults, use the /SAVE option alone:

                 vshield /save

            /SWAP [pathname]
            Installs a small (7Kb) kernel of VShield in memory that
            loads the rest of VShield from disk on demand. Specify a
            pathname only if you want VShield to swap to a path other
            than the directory where VShield resides.
           Using VirusScan (Version 2.0)                            46
            
            Use /SWAP only if you have very little memory available, but
            require a high assurance of safety. /SWAP will slow down
            your system and may cause conflicts with programs that fail
            to allocate memory properly. If you don't have enough memory
            to load VShield without swapping, consider using VShieldCRC
            instead. We do not recommend storing the swap file on a
            network path because, if the workstation disconnects from
            the network, the workstation will lock.













































           Using VirusScan (Version 2.0)                            47


            DECIDING WHICH OPTIONS ARE FOR YOU

            Because systems and environments differ, VShield gives you a
            choice of options. Consider the mixture of safety,
            performance, and maintenance that meets your needs, then
            choose the combination of options that works best.


            REQUIREMENT          OPTION        COMMENTS
            
            More complete        /ANYACCESS    Highest protection against
            protection, any                    infected diskettes; checks
            environment                        for viruses whenever a dis-
                                               kette or files are accessed.
                                
                                 /FILEACCESS   Next highest protection
                                               against infected diskettes;
                                               checks for viruses whenever
                                               a standard file is accessed. 
                                
                                 /BOOTACCESS   Of the three, lowest
                                               protection against infected
                                               diskettes; checks for
                                               viruses in boot sector when
                                               a diskette is accessed.
            
            More complete        /CERTIFY      Use with /CF {filename} or
            protection,                        /CV and an exception list.
            stable software     
            environment          /CF           Use /CF or /CV. Of the two,
                                               /CF is recommended.
                                
                                 /CV           Use /CF or /CV.
            
            Network or multi-    /CONTACT      Use this (or /CONTACTFILE)
            user environments                  to tell users what to do
                                               when a virus is found.
                                
                                 /CONTACTFILE  Use this (or /CONTACT) to
                                               tell users what to do when 
                                               a virus is found.
                                
                                 /IGNORE       Use this (or /ONLY) to
                                               skip virus-free drives.
                                
                                 /LOCK         Use with /CONTACT or
                                               /CONTACTFILE {filename}.
            




           Using VirusScan (Version 2.0)                            48


            
            For network          /NOREMOVE     Prevents VShield from
            environments                       being removed from memory.
            (continued)         
                                 /ONLY         Use this (or IGNORE) to check
                                               only vulnerable drives.
                                
                                 /RECONNECT    Required if network drivers
                                               are loaded after VShield.
            
            Faster performance,  /NOMEM        Only use on a virus-free
            any environment                    computer.
                                
                                 /NOWARMBOOT   Omits checking the boot
                                               sector after a warm boot.
            
            Manage memory, any   /NOEMS        Use when other programs need
            environment                        exclusive use of EMS memory.
                                
                                 /NOUMB        Use when other programs need
                                               exclusive use of UMB memory.
                                
                                 /NOXMS        Use when other programs need
                                               exclusive use of XMS memory.
                                
                                 /NOREMOVE     Use to ensure that VShield
                                               remains in memory.
                                
                                 /REMOVE       May temporarily solve memory
                                               conflicts.
                                
                                 /SWAP         Use in environments with very
                                               limited memory.
            


















           Using VirusScan (Version 2.0)                            49


            EXAMPLES

            The following examples show different option settings:

            vshield
                 Activates VShield (Level II protection).

            vshield /cv
                 Activates VShield (Level III protection), if you have
                 previously run SCAN /AV.

            vshield /certify /cf c:\valcodes.dat
                 Activates VShield (Level IV protection) and checks a
                 validation and recovery data file created when running
                 Scan with the /AF option.

            vshield /swap
                 Activates VShield kernel in memory and swaps from the
                 directory in which VShield resides.

            vshield /cv /exclude c:\excption.lst /contact "Call the Help Desk!"
                 Activates VShield (Level III protection), ignores
                 checking files in the EXCPTION.LST files, and displays
                 a message if a virus is found.

            vshield /reconnect
                 Re-activates VShield after it has been disabled by
                 network device drivers.
























           Using VirusScan (Version 2.0)                            50


            ERROR LEVELS

            When VShield loads, it sets the DOS ERRORLEVEL. You can use
            the returned ERRORLEVEL in AUTOEXEC.BAT or other batch files
            to take different actions based on whether VShield has
            loaded in memory. See your DOS manual for more information
            on using ERRORLEVEL's.

            VShield returns these ERRORLEVELs:

            ERRORLEVEL          DESCRIPTION

                 0              VShield successfully loaded in memory
                                with all options operational.

                 9              VShield not loaded correctly. Abnormal
                                termination (program error).

            VShield alerts you to problems by beeping once for system
            errors, twice for validation errors (/CF or /CF checking),
            or three times if a virus is found.


            USING VSHIELDCRC

            For Level I protection on systems with limited memory, use
            VShieldCRC instead of VShield. VShieldCRC is a separate
            program that consumes little system overhead, but is not
            recommended for normal use because it provides only minimal
            protection. VShieldCRC can inform you that you have been
            infected with a virus, but it does not check for virus
            signatures nor does it prevent infection.

            To use VShieldCRC, first use Scan with the /AF or /AV
            option. VShieldCRC checks the validation codes added by
            Scan. It also checks the master boot record (MBR) and boot
            sector validation codes, if present. See Chapter 3 in the 
            Scan documentation for instructions on using Scan.

            To load VShieldCRC with options, use the following syntax:

                 vshldcrc [options]

            [options] include the options listed in the table
            "VShieldCRC Option Summary" which follows. For more
            information on all options except /LOGFILE, see "VShield
            Option Descriptions" earlier in this chapter.





           Using VirusScan (Version 2.0)                            51


            EXAMPLES

            vshldcrc
                 Activates VShieldCRC (Level I protection).

            vshldcrc /cf valcodes.crc
                 Activates VShieldCRC and checks validation data stored
                 in VALCODES.CRC, a file that was created using Scan
                 with the /AF option.











































           Using VirusScan (Version 2.0)                            52


            VSHIELDCRC OPTION SUMMARY

            Option and Description

            /? or /HELP
                 Display a list of valid VShieldCRC command line
                 options.

            /CERTIFY
                 Prevent files without validation codes from running.

            /CF {filename}
                 Check for viruses using validation and recovery data
                 stored by Scan /AF in the specified filename.

            /CONTACT {message}
                 Display specified message when a virus is found.

            /CONTACTFILE {filename}
                 Display message stored in specified filename when a
                 virus is found.

            /CV
                 Check validation codes added to files by Scan.

            /EXCLUDE {filename}
                 Don't check files listed in filename for validation
                 codes (used with /CF and /CV options).

            /FILEACCESS
                 Checks validated files whenever the file is accessed or 
                 executed.  Whenever a validated .EXE, .COM, .DLL, .OVL, 
                 .BIN, or .SYS file is opened, read, or updated, VShieldCRC 
                 checks the accessed file. Whenever a validated .EXE or
                 .COM file executes, VShieldCRC checks the file for viruses 
                 as it loads and prevents execution if the file is infected.  

            /IGNORE {drive(s)}
                 Don't check programs loaded from specified drive(s).

            /LOCK
                 Halt the system when a file that is not certified
                 attempts to load and execute.

            /LOGFILE {filename}
                 Write error information to filename.

            /NOREMOVE
                 Prevent VShieldCRC from being removed from memory with
                 a subsequent VShieldCRC command using /REMOVE.

            
           Using VirusScan (Version 2.0)                            53          


            /NOUMB
                 Prevent VShieldCRC from using upper memory blocks (UMB)
                 when it loads.

            /ONLY {drive(s)}
                 Check programs loaded only from the specified drive(s).

            /REMOVE
                 Unload VShieldCRC from memory.











































           Using VirusScan (Version 2.0)                            54


            USING CHECKVSHIELD

            CheckVShield allows network administrators to make sure that
            workstations are running VShield or VShieldCRC before users
            can log onto a network. See "Technical Note 2: Sample
            NetWare login script and .BAT file" later in this chapter for
            a sample Novell NetWare login script using CheckVShield.

            To load CheckVShield with options, use the following syntax:

                 chkvshld [option(s)]

            [option(s)] include:

            /? and /HELP
                 Display a list of valid CheckVShield command line
                 options.

            /DEBUG
                 Displays the version of VShield or VShieldCRC resident
                 in memory and the DOS ERRORLEVEL on the screen.

            /Q
                 Suppresses CheckVShield messages (quiet mode) so users
                 don't see the messages.

            /V xxxxx
                 Tells CheckVShield to look for a specific version (2.00
                 or higher) of VShield or VShieldCRC in memory. For
                 example, /v 2.00 for VShield 2.00.






















           Using VirusScan (Version 2.0)                            55


            EXAMPLES

            chkvshld /q
                 Checks for VShield or VShieldCRC in memory and
                 suppresses messages.


            ERROR LEVELS

            When CheckVShield runs, it sets the DOS ERRORLEVEL. Use the
            ERRORLEVEL in batch files to take different actions based on
            the results of CheckVShield's check. The ERRORLEVELs returned
            by CheckVShield are:

            ERRORLEVEL                    DESCRIPTION

                 0                        VShield or VShieldCRC is
                                          resident or, if /V is used,
                                          the version specified is
                                          resident in memory.

                 1                        VShield or VShieldCRC is
                                          resident but does not match
                                          the version specified in the
                                          /V option.

                 2                        VShield or VShieldCRC is not
                                          resident in memory.

                 3                        Abnormal termination (program
                                          error).





















           Using VirusScan (Version 2.0)                            56


            TECHNICAL NOTE 1: CREATING AN EXCEPTION LIST FOR /EXCLUDE

            VShield /CERTIFY permits a file to load only if:

            o    It has been validated by Scan, or

            o    It appears in the exception list file specified with
                 the /EXCLUDE option, used in conjunction with /CF or
                 /CV.

            If you do not validate any files and do not use an exception
            list, /CERTIFY will disable all programs other than DOS
            internal commands.

            The exception list file is an ASCII or DOS text file
            containing up to 1,024 characters. If you use a word
            processor to create it, be sure to save the file as ASCII
            or DOS Text. Here is an example:

                 C:\CLIPPER\BIN\CLIPPER.EXE
                 C:\123\123.COM
                 C:\FOX\FOXPROLX.EXE
                 C:\DOS\SETVER.EXE
                 C:\PKWARE\PKLITE.EXE
                 C:\PKWARE\PKZIP.EXE
                 C:\PKWARE\PKUNZIP.EXE
                 C:\SEMWARE\Q.EXE
                 C:\SWAPVOL.COM
                 C:\NORTON\NCACHE.EXE
                 C:\WORDSTAR\WS.EXE






















           Using VirusScan (Version 2.0)                            57


            TECHNICAL NOTE 2: SAMPLE NETWARE LOGIN SCRIPT AND .BAT FILE

            Here is a sample system login script for use by Novell
            NetWare system administrators. The login script gets the
            ERRORLEVEL from CheckVShield and displays messages on the
            user's screen. If VShield is not loaded correctly, there is
            an internal error with CheckVShield, either VShield or
            VShieldCRC is not installed, or an older version of VShield
            is present, the script exits the user to a NOLOGIN.BAT file
            that logs him or her out.

            #REM REPLACE "XXX" WITH CURRENT VERSION NUMBER
            CHKVSHLD /V "XXX"
                 IF ERROR_LEVEL = "3" THEN
                      FIRE PHASERS 5 TIMES
                      WRITE "A CHKVSHLD internal error has occurred."
                      WRITE "Please contact the Help Desk."
                      #COMMAND /C NOLOGIN.BAT
                 EXIT
            ELSE
                 IF ERROR_LEVEL = "2" THEN
                      FIRE PHASERS 5 TIMES
                      WRITE "VShield has not been installed on your PC."
                      WRITE "Access Denied. Please contact the Help Desk."
                      #COMMAND /C NOLOGIN.BAT
                 EXIT
            ELSE
                 IF ERROR_LEVEL = "1" THEN
                      FIRE PHASERS 5 TIMES
                      WRITE "An old version of VShield has been installed."
                      WRITE "Access to the network has been denied.  Please"
                      WRITE "contact the Help Desk to have a new version."
                      WRITE "installed."
                      #COMMAND /C NOLOGIN.BAT
                 EXIT
            END
            END
            END

            You can create more complex login scripts to send a message
            to the supervisor if an error has occurred, update the
            user's VSHIELD.EXE as he or she logs in to the network, and
            so forth.

            Here is a sample of the NOLOGIN.BAT file called by the login
            script.

                 ECHO OFF
                 REM Log the user off of the network
                 LOGOUT


           Using VirusScan (Version 2.0)                            58


            Chapter 4: TIPS & TROUBLESHOOTING

            The other chapters in this manual are meant to tell you
            clearly and concisely how to use the VirusScan(TM) software.
            Still, you may have questions or encounter confusing
            situations. This chapter contains two kinds of advice:

            o    Tips for getting the most out of VirusScan.

            o    Common problems and how to solve or avoid them.

            If this information doesn't help resolve your question or
            problem, contact McAfee (see "Technical Support" in 
            Chapter 1).


            DETECTING NEW AND UNKNOWN VIRUSES

            There are two ways of dealing with new and unknown viruses
            that may infect your system:

            o    Update VirusScan regularly.
            o    Store and check validation and recovery information
                 about your files.


            UPDATE VIRUSSCAN REGULARLY

            Most likely, McAfee will see new viruses long before you do.
            We update the VirusScan programs often--usually montly, but 
            more often if many new viruses have appeared. Each new 
            version may detect and eradicate as many as 60 to 100 new 
            viruses or more, and may fix bugs that have been reported.

            Updating VirusScan regularly is probably all you need to do
            to protect against new viruses. See the instructions for
            obtaining new versions in "Updating VirusScan Regularly" in
            Chapter 2.


            USE THE VALIDATION AND RECOVERY OPTIONS

            If your environment is highly vulnerable to viruses, or you
            require unusual security against them, you can use
            VirusScan's validation and recovery options. Scan checks for
            new or unknown viruses by comparing files against previously
            recorded validation data. If a file has been modified, it no
            longer matches the validation data, and Scan reports that
            the file may have become infected. Scan has two levels of
            validation, which are stored in two separate ways:


           Using VirusScan (Version 2.0)                            59


            o    It can store the enhanced code in a separate recovery
                 file, which can be stored off-line (for example, on a
                 diskette) for recovery purposes (/AF, /CF, and /RF
                 switches). This is the preferred method because it
                 stores the data for files, the boot sector, and the
                 master boot record (MBR) of a disk in the recovery
                 file.

            o    It can append a 98-byte validation code to .COM and
                 .EXE files (/AV, /CV, and /RV switches). This method
                 applies to the files you specified only. It does not
                 store data for the boot sector and master boot record
                 (MBR).

            Once the validation codes are stored, both Scan and VShield
            can use the /CV and /CF options to detect changes to the
            files. More importantly, if you have stored the recovery
            information with /AF, Scan can use it to restore infected
            files, master boot record (MBRs), and boot sectors.

            All of these options require continuing effort to store and
            maintain the codes. For example, if you install new programs
            or upgrade old ones, you should use the /RV or /RF options
            to remove all codes, then /AV or /AF to restore them.

            If you want to use one of these methods, which should you
            use? We recommend the "F" options--/AF, /CF, and /RF--over
            the "V" options. /AF stores the validation and recovery
            information in a separate file, instead of modifying the
            program files themselves. This has three advantages:

            o    You can store the recovery file off-line (on your clean
                 anti-viral startup diskette, for example, or on a
                 network drive or tape drive) and access it on demand to
                 check for, and recover from, infection by unknown
                 viruses. Use the procedure below to create a recovery
                 diskette.

            o    This method keeps self-checking files (usually copy-
                 protected programs) from reporting that they have been
                 tampered with.

            o    If you use this method, you don't need an exception
                 list. However, it's important that you run Scan with
                 the /RF option on individual self-modifying files, such
                 as Lotus 1-2-3, to remove the validation codes for
                 those programs from the validation file.

            The "V" options are primarily useful for companies that
            distribute software to their customers or employees, and
            want to incorporate an additional level of virus protection.

           Using VirusScan (Version 2.0)                            60


            CREATING A RECOVERY DISKETTE

            To store the recovery file, create a new "VirusScan Startup
            Diskette" and then run Scan to create a validation code and
            recovery data file by typing:

                 scan /adl /af a:\scancrc.crc

            and pressing <ENTER>.  The above command scans the local
            hard disk drive(s) for known viruses and creates
            "SCANCRC.CRC," a file containing validation codes and
            recovery data, on the diskette. After Scan finishes,
            write-protect the diskette, label it as your "VirusScan
            Recovery Diskette," and store in a safe location.

            To check for virus infection, turn your computer off, insert
            your "VirusScan Recovery Diskette" in drive A:, and turn
            the power back on. The PC will now start from the diskette.
            At the DOS prompt, type:

                 scan /adl /cf a:\scancrc.crc

            and press <ENTER>.  This will compare the local hard disk
            drive(s) against the recovery data stored on the diskette
            in the SCANCRC.CRC file.

            If you detect an unknown virus, to disinfect your system,
            turn your PC off, insert the recovery diskette, and turn the
            power back on. The PC will start from the floppy disk. At
            the DOS prompt, type:

                 scan /adl /cf a:\scancrc.crc /clean

            to restore drives C and D with the recovery data stored in
            SCANCRC.CRC on the diskette.

            If you install new software, or upgrade your DOS version,
            remember to update your recovery file. See Application 
            note 1, "Updating Validation Codes," in Chapter 3 in 
            the Scan documentation.












           Using VirusScan (Version 2.0)                            61


            INTERACTING WITH YOUR NETWORK

            Many personal computers are interconnected through a local
            area network (LAN). VirusScan is highly compatible with most
            networks. Here are some ways of using the VirusScan software
            with your network:

            Run Scan on network drives
            Run from a workstation (PC) on the network, Scan checks
            network drives for viruses just as it does local drives. For
            convenience, the /ADN option scans all network drives to
            which the workstation is connected.

            Use VShield and CheckVShield
            By activating VShield as part of every workstation's
            AUTOEXEC.BAT file, you can prevent the workstations from
            introducing viruses into the network. Network administrators
            can ensure that VShield is active on each workstation by
            running CheckVShield as part of the network login script,
            before actual login.

            Use NETShield
            NETShield provides continuous virus protection on a NetWare
            server. NetWare network administrators can use it to check
            for both known and unknown viruses and to monitor all
            network activities. On other kinds of networks, you can use
            Scan to check network servers.

            Develop a network security program, as described in the next
            tip.

            Develop a security program
            VirusScan has been shown to be an effective virus-preventive
            measure when used in a conscientiously applied program of
            network security and regular professional care.

            VirusScan is one important element of a comprehensive
            computing security program that includes a variety of safety
            measures, such as regular backups, meaningful password
            protection, user training, and awareness. Even with
            VirusScan, some viruses--not to mention theft or fire--an
            render a disk unrecoverable without a recent backup to
            reload information. Although outlining such a security
            program is beyond the scope of this manual, see "Other
            Sources of Information" in Chapter 1 for suggestions.

            If you are a network administrator, we urge you to implement
            a security program to safeguard your organization's data and
            productivity. If you are a network user, please support and
            comply with such a program.


           Using VirusScan (Version 2.0)                            62


            TROUBLESHOOTING

            Using VirusScan with other anti-virus software
            When you run more than one anti-virus program from different
            vendors, you risk strange results and false alarms. For
            example, some anti-virus programs store their "virus
            signature strings" unprotected in memory. Running VirusScan
            may "detect" them falsely as a virus.

            False alarms
            Scan may incorrectly report a virus in the boot sector or
            master boot record (MBR) of a disk if the diskette using a
            special copy-protection or encryption mechanism. Contact
            technical support if you're unsure (see "Technical Support"
            in Chapter 1).

            TSR conflicts
            Some "terminate-and-stay-resident" (TSR) software may
            conflict with VirusScan programs, especially VShield (which
            is itself a TSR). To check whether this is the problem,
            "comment out" the other TSR files in your AUTOEXEC.BAT file
            and restart your system. If the errors disappear, the TSR
            conflict caused them.

            Slow disk access, program locks
            Running VShield will slow your system slightly as described
            in Chapter 3, especially if you use either the /ANYACCESS 
            or /SWAP options. If you experience very slow disk access, 
            or if programs lock or freeze while using Windows 3.1, 
            you may be using a disk cache program that interferes with 
            program operation, or you may need to increase the number 
            of BUFFERS in your CONFIG.SYS file.

            Program locks with VShield's /SWAP option
            When VShield is running with the /SWAP option, certain
            programs may lock up the computer. These programs may use
            memory without allocating it first, including older versions
            of Lotus 1-2-3, pfs:Write and Professional Write,
            OfficeWrite, and DisplayWrite4. To correct, restart your
            computer and run VShield without the /SWAP option.

            Unable to remove VShield
            If the /REMOVE option doesn't successfully remove VShield
            from memory, you have probably loaded other terminate-and-
            stay-resident (TSR) programs after VShield. VShield can't be
            removed until the other TSRs are removed. If you need to
            unload VShield often, load it last.





           Using VirusScan (Version 2.0)                            63


            APPENDIX A: RETRIEVING VIRUSSCAN UPDATES VIA THE McAFEE BBS

            McAfee runs a multiple line bulletin board system (BBS) for
            you to download program updates, receive technical support,
            and interact with other McAfee users.

            DIAL UP

            o    The McAfee BBS phone number is (408) 988-4004.

            o    The BBS operates at up to 14,400 bps (baud). Set your
                 communications parameters to 8 data bits, 1 stop bit,
                 no parity, and your terminal emulation to ANSI or TTY.

            o    The BBS is Bell- and ITU- (formerly CCITT) compatible.


            LOG ON

            After receiving the CONNECT message from your communications
            package:

            o    Enter your name, geographic location, and password.

                 To retrieve the VirusScan programs, type "GUEST" for
                 first name, and "USER" for last name.

                 Or, if you want personal answers or feedback, create
                 your own account by entering your first and last name
                 and a password. Passwords should be 3-8 characters long
                 and are case-sensitive.


            THE MAIN MENU

            Here are some of the important functions on the main menu:

            <F>    File transfer area (download McAfee updates)
            <M>    Message area (read and write messages in all sections
                   and e-mail)
            <G>    Goodbye (hang up and leave the BBS)

            Downloading McAfee programs
            
            1.   Select <F> from the Main Menu to go to the File
                 transfer area.  This is the area from which you can
                 download McAfee programs.

            2.   Select <1> for the McAfee Antivirus Files.  A sorted
                 directory listing of files available for download will
                 be displayed.

           Using VirusScan (Version 2.0)                            64


            3.   Type <D> for download, then type in the filename as
                 found in the directory.

            4.   The BBS will prompt you to select a protocol. We
                 recommend error-correcting protocol such as ZMODEM,
                 YMODEM or XMODEM.

            5.   You'll see the message Awaiting start signal. Tell your
                 software to receive files.  With PROCOMM for DOS or
                 TELIX, press the <PAGE DOWN> key, with BITCOM, press
                 the <F2> key.  For other communications programs, check
                 your manual.

            7.   Your software will prompt you to select a protocol and
                 file name to receive the file. Select the same protocol
                 and name.




































           Using VirusScan (Version 2.0)                            65

            APPENDIX B: OPTIONS COMPARISON BETWEEN
            VIRUSCAN VERSIONS 1.5 AND 2.0

            VERSION COMPARISON OF VSHIELD OPTIONS

               VShield      VShield      
               Version 1.5  Version 2.0   Option Description
                         
               /? or /HELP  /? or /HELP   Display a list of valid
                                          VShield command line
                                          options.
            
               /ACCESS                    Check for viruses when
                                          files are opened and
                                          diskettes are accessed.
                         
                            /ANYACCESS    Scan the diskette boot
                                          sector for viruses
                                          whenever a diskette is
                                          accessed (including any
                                          read and write
                                          operations); scan .EXE,
                                          .COM, .DLL, .OVL, .BIN,
                                          and .SYS files whenever
                                          the file is opened,
                                          read, or updated; scan
                                          .EXE and .COM files
                                          upon execution; scan
                                          any newly created file,
                                          regardless of extension.
            
              /BOOT         /BOOTACCESS   Scan the diskette boot
                                          sector for viruses
                                          whenever a diskette is
                                          accessed (including any
                                          read and write
                                          operations); individual
                                          files on a diskette are
                                          not scanned when a
                                          diskette is accessed.
            
              /CERTIFY      /CERTIFY      Prevent files without
              {filename}                  validation codes from
                                          running. {filename} is
                                          an optional exception
                                          list (version 1.5 only)
            
              /CF           /CF           Check for viruses using
              {filename}    {filename}    validation and recovery
                                          data stored by Scan /AF
                                          in the specified filename.


           Using VirusScan (Version 2.0)                            66
              

            VERSION COMPARISON OF VSHIELD OPTIONS (continued)

               VShield      VShield      
               Version 1.5  Version 2.0   Option Description
                         
              /CG           /CV           Check recovery and
                                          validation codes added
                                          to files by Scan.
            
              /CHKHI        (default)     Check memory from 0-
                                          1088Kb when VShield loads.
            
              /CONTACT      /CONTACT      Display specified
              {message}     {message}     message when a virus is
                                          found.
            
                            /CONTACTFILE  Display message stored
                            {filename}    in filename when a
                                          virus is found.
            
              /CV                         Check validation codes
                                          added to files by Scan.
                         
            /CV [filename]  /EXCLUDE      Don't check files
               or           {filename}    listed in filename for
            /CG [filename]                validation codes (/CF
                                          and /CV options).
            
              /F                          Use with /SWAP for DOS
             {pathname}                   2.0 systems ONLY.
                         
              /COPY         /FILEACCESS   Scan .EXE, .COM, .DLL,
                                          .OVL, .BIN, and .SYS
                                          files whenever the file
                                          is opened, read, or
                                          updated; scan .EXE and
                                          .COM files upon
                                          execution; the diskette
                                          boot sector is not
                                          checked when a diskette
                                          is accessed.
            
             /IGNORE        /IGNORE       Don't check programs
             {drive(s)}     {drive(s)}    loaded from the
                                          specified drive(s).
            
             /LH            (default)     Load VShield into upper
                                          memory area.
            
             /LOCK          /LOCK         Halt the system when a
                                          file that is infected
                                          or not certified loads
                                          and attempts to execute.
           Using VirusScan (Version 2.0)                            67
              

            VERSION COMPARISON OF VSHIELD OPTIONS (continued)

               VShield      VShield      
               Version 1.5  Version 2.0   Option Description
                         
             /M             (default)     Scan base memory for
                                          viruses when VShield loads.
            
             /NB            /NOWARMBOOT   Disable boot sector
                                          check during install
                                          and reboot.
            
             /NI6510                      Fixes Racal Datacomm
                                          NI6510 conflict.
            
             /NOBREAK                     Prevent [Ctrl]+[C] /
                                          [Ctrl]+[Brk] from
                                          working during install.
            
             /NOCONT                      Prevent non-certified
                                          programs from running.
            
             /NODISK                      Turn off the boot
                                          sector check when
                                          VShield is loading.
            
             /NOEMS         /NOEMS        Prevent VShield from
                                          using expanded memory
                                          (EMS) when it loads.
            
             /NOFLOPPY                    Turn off the boot sector
                                          check for floppy drives.
            
             /NOMEM         /NOMEM        Do not check memory for
                                          viruses upon running.
            
             /NOREMOVE      /NOREMOVE     Prevent VShield from
                                          being removed from
                                          memory with the /REMOVE
                                          switch.
                         
                            /NOUMB        Prevent VShield from
                                          using upper memory
                                          blocks (UMB) when it
                                          loads.
                         
                            /NOXMS        Prevent VShield from
                                          using extended memory
                                          (XMS) when it loads.



           Using VirusScan (Version 2.0)                            68
              

            VERSION COMPARISON OF VSHIELD OPTIONS (continued)

               VShield      VShield      
               Version 1.5  Version 2.0   Option Description
                         
               /ONLY        /ONLY         Check programs loaded
              {drive(s)}    {drive(s)}    only from the specified
                                          drive(s).
                          
              /RECONNECT    /RECONNECT    Restore VShield after
                                          certain drivers or TSRs
                                          have disabled it.
            
              /REMOVE       /REMOVE       Unload VShield from
                                          memory.
            
              /SAVE         /SAVE         Save specified options
                                          as new defaults
                                          (version 1.5 only).
                                          Save the command line
                                          options to the VSHIELD.INI
                                          file (version 2.0 only).
            
              /SWAP         /SWAP         Load VShield kernel
              [pathname]    [pathname]    only (5Kb in version
                                          1.5; 7Kb in version
                                          2.0); swap the rest
                                          from pathname.
                            
                           
                           





















           Using VirusScan (Version 2.0)                            69
              

            VERSION COMPARISON OF VSHIELD1/VSHIELDCRC OPTIONS

               VShield1     VShieldCRC   
               Version 1.5  Version 2.0   Option Description
                         
                            /? or /HELP   Display a list of valid
                                          VShieldCRC command line
                                          options.
                         
                            /CERTIFY      Prevent files without
                                          validation codes from
                                          running.
                         
                            /CF           Check for viruses using
                            {filename}    validation and recovery
                                          data stored by Scan /AF
                                          in the specified filename.
                                       
                            /CONTACT      Display specified message
                            {message}     when a virus is found.
                        
                            /CONTACTFILE  Display message stored
                            {filename}    in specified filename
                                          when a virus is found.
                         
                            /CV           Check validation codes
                                          added to files by Scan.
                         
                            /EXCLUDE      Don't check files
                            {filename}    listed in filename for
                                          validation codes (used
                                          with /CF and /CV options).
                         
                            /FILEACCESS   Checks validated files
                                          whenever the file is
                                          accessed or executed.
                                          Whenever a validated
                                          .EXE, .COM, .DLL, .OVL,
                                          .BIN, or .SYS file is
                                          opened, read, or
                                          updated, Scan checks
                                          the accessed file.
                                          Whenever a validated
                                          .EXE or .COM file
                                          executes, Scan checks
                                          the file for viruses as
                                          it loads and prevents
                                          execution if the file
                                          is infected.



           Using VirusScan (Version 2.0)                            70
              

            VERSION COMPARISON OF VSHIELD1/VSHIELDCRC OPTIONS (continued)

               VShield1     VShieldCRC   
               Version 1.5  Version 2.0   Option Description
                         
                            /IGNORE       Don't check programs
                            {drive(s)}    loaded from specified
                                          drive(s).
                         
                            /LOCK         Halt the system when a
                                          file that is not
                                          certified attempts to
                                          load and execute.
                             
                            /LOGFILE      Write error information
                            {filename}    to filename.
            
                 /NB                      Disable boot sector
                                          checking during install
                                          and reboot.
            
                                         
                            /NOREMOVE     Prevent VShieldCRC from
                                          being removed from memory 
                                          with a subsequent VShieldCRC
                                          command using /REMOVE.
                         
                            /NOUMB        Prevent VShieldCRC from
                                          using upper memory
                                          blocks (UMB) when it loads.
                         
                            /ONLY         Check programs loaded
                            {drive(s)}    only from the specified
                                          drive(s).
            
                 /REMOVE    /REMOVE       Unload VShieldCRC from
                                          memory.
                                          


