====================================================================
Norton DiskLock for PCs    Version 3.5             January 18, 1994
====================================================================
Please refer to this document BEFORE installing and using the
product. This file contains the latest details regarding the current 
release of Norton DiskLock. The goal of this document is to ensure 
a safe installation, inform  you of the latest changes, and help you avoid 
known problem areas.

===========================
To ensure a proper install:
===========================

1)   Set the number of available file handles to at least 20. This
     is accomplished by adding a FILES=20 statement to the
     CONFIG.SYS file.

2)   Remove any other security products, including previous versions
     of DiskLock, from your machine (both hardware cards and software).

3)   Install Norton DiskLock only on a primary bootable hard disk drive,
     not on a non-bootable or removable drive.

4)   Run CHKDSK /F or Norton Disk Doctor and correct any errors detected.

5)   Run a hard disk optimizer such as Norton Speed Disk to defragment
     the hard disk, because it will increase DiskLock's performance.

6)   Run a virus scanner such as Norton Anti Virus to verify that no
     virus can interfere with the installation.

================
Memory Managers:
================
Quarterdeck's QEMM386 version 6.xx:

    Add EXCLUDE=8000-9FFF to your command line options.

Quarterdeck's QEMM386 version 7.xx:

   - Using LOADHI with the /SQF option with Norton DiskLock loaded in EMS 
     may cause the program being loaded to hang. If you experience problems
     remove the /SQF switch.

   - Using LOADHI, from QEMM versions from 7.00 through 7.02, on 
     COMMAND.COM will cause unexpected results.  Quarterdeck has 
     fixed this in version 7.03

Qualitas' 386MAX:

   - When loading Windows if you receive the error "386MAX VxD
     Error V1014: Disk Cache or Other File I/O Software Using
     EMS Memory" add the following line to your AUTOEXEC.BAT file:

	  SET EMSCACHE=OK

   - When loading Windows if you receive the error "386MAX VxD
     Error V1018: NOLOW Option Required" add the following line
     to your AUTOEXEC.BAT file:

	  SET NOLOW=IGNORE

     The first version of 386MAX to support SET NOLOW=IGNORE was
     6.02.  There are patches available through Qualitas to update
     6.xx to 6.02.

   - Using 386LOAD with the FLEXFRAME option with Norton DiskLock
     loaded in EMS may cause the program being loaded to hang.

   - If you choose the XMS memory option in DiskLock, do not use
     the EMS=O parameter; this may cause system instability.  Instead,
     use the NOFRAME parameter. Consult your Qualitas 386MAX manual for
     additional information on using these parameters.
	       
EMM386 with Novell DOS7:

    Do not use the /frame-AUTO option. This option causes DiskLock to reboot.

All Memory Managers:

    - After changing the memory option for Norton DiskLock you
      should always reoptimize your memory configuration.

==============================
SCSI Adapters and DiskLock PC:
==============================
Make sure that your hard disk has been FDISKed and formatted on
the current disk controller BEFORE you install DiskLock.  This ensures 
that DiskLock obtains the correct disk parameters.

If a drive has been FDISKed and formatted on one controller, and it
it is used with another controller brand without being reformatted, 
problems can arise. Everything may seem to work fine in this situation
because the SCSI adapter reads the information that was set up on the disk 
originally. When DiskLock is installed, it creates a map of disk
information based on the original disk parameters.  The partition table is 
zeroed (to make the C: drive disappear when the machine is booted
from a floppy drive), and a DiskLock program is placed in the master boot 
record to take control of the workstation when it is rebooted. 

The machine reboots and the SCSI adapter goes to the partition table
to get the drive parameters. Because the partition table has been zeroed, 
the adapter cannot get the drive parameters in this manner. It then
calculates new parameters using an algorithm. The current controller is now   
using new disk parameters that may be incorrect, and, as a result, DiskLock
may be unable to load. This causes the following message to appear: 
"Error loading Norton DiskLock."

To correct this problem after you have installed DiskLock:
1)  Do an Emergency Remove to remove DiskLock from your workstation.  See
    the Norton DiskLock User's Guide for information on this procedure.
2)  Back up your hard drive to make sure you don't lose data.
3)  Reformat your hard drive on the new controller using FDISK or FORMAT.
4)  Restore your data.
5)  Install DiskLock.

=============================
New Features (DiskLock 3.5):  
=============================
1)   XMS support
2)   Screen saver logo
3)   Primary user encryption keys
4)   Distributed remove
5)   Using a setup file for a standalone installation

===========
XMS Support  
===========
DiskLock now provides 32-bit extended memory support (XMS) for 386 or greater 
machines. XMS is a memory area that provides RAM beyond 1 MB running in 
protected mode. When you use XMS, you save conventional memory for other DOS
applications that require it.

If XMS memory is available at installation, DiskLock uses it. DiskLock 
checks for available memory in the following order:  XMS, UMB, EMS, and 
conventional. If XMS is not usable, DiskLock continues checking the other 
memory areas until it finds one to use.

To change to the XMS memory option after installation:

1)  Add the following line to the end of your CONFIG.SYS file:
	  DEVICE=d:\DISKLOCK\CLOAKING.EXE
    Substitute the correct path if you did not use the DiskLock
    default.
2)  Start DISKLOCK.
3)  Select Setup from the Norton DiskLock main screen.
4)  Select Extended (XMS) from the Memory Options dialog box.
5)  Select Save to save changes.
The Extended memory option activates when you reboot the workstation.
The cloaking statement in CONFIG.SYS is required for XMS support.  If the
statement is removed, the DiskLock security kernel will not load into XMS
and will, as a result, use more conventional memory.  Otherwise, removing the
statement should have no effect.

=================
Screen Saver Logo  
=================
DiskLock now provides a screen saver logo in Windows that floats over the 
screen when it is locked.  The logo is displayed by default. 

This feature is optional; you can still have the screen blank. 
The blank screen provides better performance
when running background tasks.

To display the logo on a locked screen:
1)  Select Lock Screen from the Norton DiskLock main screen.
    The Lock System Now? dialog box appears.
2)  Select the Display DiskLock Logo check box.

The feature must already be selected if you use 
hotkeys to lock the screen.

============================
Primary User Encryption Keys
============================
Normally, the primary user can use the default encryption key or select a
unique encryption key when encrypting files. A new right has been added to 
Norton Console's Super User dialog box. The right grants (or denies) the
primary user the right to specify a unique encryption key. Denying primary 
users this right prevents them from encrypting files with unknown keys, 
making the files not decryptable by other users.
To select an encryption key option:
1)  From the program Manager in Windows, select Norton Administrator or
    Norton Console.
2)  Choose DiskLock from the Norton Console toolbar or pulldown menus.
3)  Select Super User from the category list on the left side of the 
    dialog box.
4)  Select Specify an Encryption Key to allow primary users to define their 
    own encryption keys. Leave the option unchecked to use default keys.
5)  Select Save or Save As to save the job for distribution.

============================
Distributed Remove
============================
This section describes how to use a distribution job to remove DiskLock 
PC from network workstations. Removing DiskLock in this way requires 
setting up an installation distribution job and modifying it to run the 
Remove program.

To create the distribution job:
1)  Select DiskLock from the toolbar to open the default setup file. 
2)  Type in your DiskLock Net console password (determined during the 
    installation process) and click OK.  The Configuration dialog 
    box appears.
3)  Select Save As to create a setup (.DLS) file. Name the distribution 
    file and select OK. 
    NOTE: After the distribution job is created, you can delete the setup 
    (.DLS) file created here.
4)  Select Add Install Job.  This creates an installation job to run for 
    the recipients that you select.  The Select Recipients dialog box appears.
5)  Select the recipients to receive the distribution.  The Object Type 
    drop down box contains lists of recipient types.  Select an object type 
    to display a list of potential recipients in the Available list box. 
6)  Highlight the recipients to be included in the Available list box and 
    select Add.  The selected recipients are included in the Selected list 
    box and are included in the distribution. 
7)  Select OK when all recipients are selected.
8)  Select Exit to return to the Norton Console screen.

To modify the distribution job for Remove:
1)  Select Distribute from the toolbar.
2)  Highlight the distribution job you created and select Modify.
3)  Highlight line 5 in the Actions to Perform group box and select Modify. 
    A line of instructions similar to the following appears:
    ...\AGENTS\DISKLOCK\INSTALL  \\DEV_1\SYS3\NANLITE\DATA\TEST.DLS
4)  Delete text, starting with the INSTALL directory.  Replace with 
    REMOVE followed by -R and any other applicable parameters. 
    See the list below for parameters.
    EXAMPLE: ...\AGENTS\DISKLOCK\REMOVE -S -R
5)  Select OK when editing is complete.
6)  Highlight line 4 in the Actions to Perform group box and select 
    Modify or Delete. Modify the message to make it applicable for 
    Remove or delete it.
    NOTE:  If you keep the message, it is displayed to the workstation user 
    before DiskLock is removed.  The user can refuse the job if Allow 
    Users to Refuse Job is selected. To display a message and prevent 
    the user from refusing the job, select Settings from the 
    Distribution Job dialog box. Deselect Allow Users to Refuse Job 
    and click OK (You may need to temporarily select the Show Progress
    messages option to enable this).
7)  Click OK when editing is complete.
8)  Click OK to save the job and return to the Norton Console screen.  
    As designated users log in, DiskLock is removed from their workstations.

Remove parameters:
S   Do not stop for user input. The user is not informed of problems 
    or allowed to make alterations. This should be the first option 
    on the command line.  Errors occurring in command line options 
    prior to this option may cause the user to be queried for a response.  
    Default: Stop for user input.

R   Do not reboot on completion.  Do not reboot after the final 
    completion of the remove process.  This allows the distribution 
    job to reboot the machine and register the job as successful.  
    Default: Reboot after completion of the remove.

D   Specify DiskLock directory.  The entry should be a full path 
    including the drive.  Default:  DiskLock directory found by scanning 
    the path or C:\DISKLOCK. Use this option when DiskLock programs are in 
    a directory not in the path or in C:\DISKLOCK.

X   Do not delete DiskLock directory.  This option prevents the removal 
    of the DiskLock directory and its files.  Default: Delete the 
    DiskLock directory.

A   Do not remove DiskLock from AUTOEXEC path.  This option disables 
    the process of removing the path from the path statement in the 
    AUTOEXEC.BAT file.  Default: Remove the DiskLock directory from the path.

I   Do not remove Windows icons. This option prevents the removal of the 
    DiskLock icon from windows.  Default: Remove the Windows icons. 
    (See below)

W   Windows directory.  This option allows for the specification of the 
    Windows directory.  The entry should be a full path including the drive.  
    Default: Windows directory found by scanning the path or C:\WINDOWS. Use 
    this option when DiskLock programs are in a directory not in the path or 
    in C:\WINDOWS.
    NOTE: If no -W option is specified and the Windows directory cannot 
    be found by scanning the PATH the -I option is set by default.

================================================
Using a Setup File for a Standalone Installation
================================================
The administrator can create a setup file that contains all of the
configuration parameters for a workstation or a group of workstations and
distribute it on a floppy. This procedure will allow the control of
DiskLock configuration for standalone workstations.

To create a setup file on a floppy disk:
1)  Create the setup (.DLS) file that contains the configuration you want.
    NOTE: If you create the setup file without defining a primary user,
    DiskLock accepts the user logged in at the time of installation as the
    primary user.  If the workstation is not logged into the network at 
    the time of installation, the installation program prompts for a DiskLock
    user ID and password.
2)  On a newly formatted floppy disk (#1) , create the following directories:
	      \NADMIN\AGENTS\DISKLOCK
	      \NADMIN\DATA
3)  Copy the Norton DiskLock for PCs Disk 1 to the \NADMIN\AGENTS\DISKLOCK
    directory.
4)  Copy the setup file created in Step 1 into the \NADMIN\DATA directory.
5)  On a second newly formatted floppy disk (#2), create the following 
    directory:
	      \NADMIN\AGENTS\DISKLOCK
6)  Copy the Norton DiskLock for PCs Disk 2 to the directory created in
    Step 5.
7)  Install the configuration on a workstation by inserting disk 1 that you
    created and typing:
	  A:\ADMIN\AGENTS\INSTALL A:\NADMIN\DATA\???.DLS
	  where ??? represents the name of the setup file you created in 
	  Step 1.
    NOTE: You must provide the drive and full path of the setup file.

=============================
New Features (DiskLock 3.01):  
=============================
1)   National Language Support
2)   Unattended remote installation
3)   Auditing enhancements
4)   International support 

=========================
National Language Support
=========================
If National Language Support (NLS) is required for your computer, 
this feature (located on the Setup screen) must be enabled for DiskLock.  
When this feature is enabled, DiskLock moves the NLS drivers to CONFIG.SYS.  
Instead of prompting for the user ID and password at system boot, 
DiskLock prompts for these after CONFIG.SYS is processed and before 
AUTOEXEC.BAT executes.  If the drivers are not loaded properly in 
CONFIG.SYS, you may not be able to type the characters for your user ID 
and password. For additional information on NLS, consult your DOS manual 
or DOS Help.

NOTES: If you are using DOS MEMMAKER, insert the line *COMLOAD into the 
MEMMAKER.INF file.  MEMMAKER will not attempt to load COMLOAD high, 
ensuring that you can continue NLS support.

The following examples show the changes that DiskLock makes to CONFIG.SYS 
and AUTOEXEC.BAT.  Before and after examples of each file are provided.

CONFIG.SYS --------------------------------------------

BEFORE:

device=c:\dos\display.sys con:=(EGA,850, 3)
country=033,850,c:\dos\country.sys


AFTER:

device=c:\dos\display.sys con:=(EGA,850, 3)
country=033,850,c:\dos\country.sys


rem - The following command(s) have been added to the CONFIG.SYS file in order
rem - to implement Norton DiskLock's National Language Support.  They must
rem - remain here to insure proper keyboard translation during login.

device=\COMLOAD.SYS C:\DOS\MODE.COM CON CODEPAGE PREPARE = ((437 850 865)
C:\DOS\EGA.CPI)
device=\COMLOAD.SYS C:\DOS\MODE.COM CON CODEPAGE SELECT = 850
device=\COMLOAD.SYS C:\DOS\KEYB.COM  FR,850,C:\DOS\KEYBOARD.SYS

rem - End of changes for Norton DiskLock.


AUTOEXEC.BAT -------------------------------------------


BEFORE:


mode con cp prep = ((437 850 865) c:\dos\ega.cpi)
mode con cp select = 850

keyb fr

AFTER:


rem - The execution of KEYB.COM has been moved from the AUTOEXEC.BAT
rem - file into the CONFIG.SYS file in order to support Norton DiskLock's
rem - National Language Support.

REM mode con cp prep = ((437 850 865) c:\dos\ega.cpi)
REM mode con cp select = 850

REM keyb fr

NOTE: Make a copy of the changed files on a floppy disk and save them 
in a safe place. If complications occur as a result of later changes to 
your NLS setup, these files may be necessary to help you login and 
access your computer.

A disruption in the NLS setup or a change in language can cause login 
failure to occur. Every time you make a change to the DOS NLS set, make 
sure the characters you use in your user IDs and passwords will be 
available in the new NLS scheme.

If you are unable to login due to NLS changes:

1)  Create a boot disk using the command  FORMAT A: /S.

2)  Copy a CONFIG.SYS file to the disk and add the following line to it:
    DEVICE=\COMLOAD.SYS A:KEYB.COM <COUNTRY>, CODE PAGE, A:KEYBOARD.SYS

3)  Copy the following files to the boot disk:
    COMLOAD.SYS (located on the DiskLock Installation diskettes)
    TSPDRV.SYS (located on the DiskLock Installation diskettes)
    KEYB.COM
    KEYBOARD.SYS

4)  Reboot the computer.

5)  When you see "Activating Security---------------------," press 
    and hold F10.

6)  Insert the boot disk into drive A and press Enter.

7)  Log in as you normally would.  
    The A: prompt appears.

8)  Change to the C drive and make the necessary changes to your NLS setup.

==============================
Unattended Remote Installation
==============================
Once the workstation user logs on to the network,  unattended remote 
installation allows DiskLock to be installed without further user input. 
To allow a completely unattended installation, two options have been 
added to Norton DiskLock Administrator's Setup/Install Paths screen. 
These options, together with the Enforce Use of Product Directory check 
box, allow the administrator to determine how much interaction is required 
from the user during installation. The options are:

Allow User to Respond to Installation Exceptions  - If this box is checked, 
the user is prompted to handle error conditions that may occur during 
install. If this box is not checked, the user is not prompted and the install 
fails. (Failed installations are reported in the DiskLock audit log.) 
Possible errors include:

  - The defined product directory is invalid.

  - The user ID conflicts with the pre-defined Superuser ID.

  - The National Language Support option is not selected but IDs or 
    passwords contain extended characters.

  - The required information to set up KEYB.COM cannot be found.

Display User's ID - If this box is checked, the user ID is displayed
on the login screen during the first log in after installation. If the
box is not checked, the user ID is not displayed and must be typed in 
by the user.

Enforce Use of Directory  - If this box is checked, the installation 
program does not ask the user to enter or verify the DiskLock program 
directory. The programs are installed in the directory specified by 
the administrator.  If this box is not selected, the user is prompted 
to verify or change the DiskLock program directory. (If a Windows 
directory is found, the product is installed for Windows.)

=====================
Auditing Enhancements
=====================
Auditing now provides additional detail about:

  - The remote distribution and management process

  - Workstations where the product has been removed.

New codes have also been added for the new configuration options.

Remote distribution and management  - The auditing log database now 
records information on installation jobs each time they run. If an 
error occurs, the variable data lists the specific cause  - for example, 
insufficient memory or not enough disk space. Each workstation that 
successfully installs has the successful installation recorded in the 
audit log database.

Auditing for workstations where the product has been removed - 
Attempts to remove the product, whether successful or not, 
are now audited. The Remove process audits the remove, and 
flushes the audit buffer to disk before disabling the kernel. 
The audit log file is left even after product files are deleted.

Audit collection has been enhanced to run even though the product 
has been removed, or if auditing has been turned off. In addition 
to issuing an error record, if the local audit log file is found, 
it is uploaded to the central database.

If the product has been removed and the local log file does not 
contain a Logon or Lock Return record, the audit collection agent 
cannot tell what the user ID was and uses "Unknown."

New codes for the new configuration options - audit codes have been 
added for the following configuration options: 

  - Case Sensitive Ids and Passwords

  - Prevent Direct Disk Access

  - NLS

  - Changing the Login Message 

  - Turning Enable Audit off.

======================
International Support:
======================
The default lock hot keys have been changed from Ctrl/Left Shift/L to
Ctrl/Left Shift/Spacebar. This key combination can be used on
all keyboards.

==============================
DOS and Windows Character Sets
==============================
DOS and Windows have different character sets.  Verify that any 
characters used for user IDs or passwords are acceptable in both.

======================
Windows for Workgroups
======================
If you are using the ODI network drivers and have 32-bit file 
access turned on, MSODISUP.386 expects IOS.386 to be loaded.  If, 
for some reason, IOS.386 does not load, erratic behavior may occur.  
Because DiskLock interacts with the file system, 32-bit file access 
will not load.  To resolve this problem, turn off 32-bit file access.

=======
PC-KWIK
=======
If you are running Super PC-KWIK, you must load PCKWIK.SYS in CONFIG.SYS.
System instability may occur without it.

============================
New Features (DiskLock 3.0):
============================
1)   With Norton Administrator or Norton Console, Norton DiskLock can
     be distributed to workstations on a network.
  
2)   The ability to turn off monitoring of Direct Disk Access for
     secondary users. 
     If the Prevent Direct Disk Access option is not selected, files 
     that are locked will be visible to secondary users.

3)   The option to set passwords to be case sensitive.
  
==============
Screen Locking
==============
When returning from screen locking in DOS, the screen is redisplayed
as it was when you first locked, even though processing continued in the
background.

When using the Norton Screen Saver and the Norton DiskLock Autolock
feature the timeout period for DiskLock's autolock should be set to a
smaller value than that for Screen Saver.  Otherwise DiskLock will
not lock the screen.

======================
Compression utilities:
======================
When installing DoubleSpace after DiskLock, DoubleSpace will prompt you
that you may be running software that is incompatible with the 
DoubleSpace install procedure.  DoubleSpace will install without
errors.  

====================
Other Items of Note:
====================
DISKLOCK -M will invoke Norton DiskLock in a monochrome mode.
This may be useful on laptops and other monochrome environments.

Norton DiskLock captures CTRL-C sequences issued in DOS and DOS 
sessions under Windows to insure operating integrity.

With MS/PC DOS 6.x multiboot AUTOEXEC.BAT, install adds the DiskLock
program directory to all path statements found.  

If using NAVTSR on a Banyan Vines network with Norton DiskLock you must
load NAVTSR with the /NR- option before the network drivers are loaded.
After the network drivers are successfully loaded run NAVTSR again with
the /NR+ option.

The Novell Netware shell, NETX, has a known conflict with NDOS that may
be more evident after installing Norton DiskLock.  A temporary work around
for this is to run COMMAND.COM as the primary shell with NDOS as a
secondary shell.

If you are using a disk cache program that loads from AUTOEXEC.BAT, 
we recommend placing it at the end of the file.  If you're using 
Norton Cache or Norton Speed Drive, this may also improve memory usage.
     
If you install DiskLock and add Windows later,  you can add DiskLock  
to your Windows desktop.  To add DiskLock to the desktop:

1)   Choose RUN from the File menu.

2)   Type WININST.EXE in the Command Line text box.

DiskLock for Windows is installed.
  
