
Norman Virus Control for Workstations
"Armour" version 3.46
Copyright (c) 1993 - 95 Norman Data Defense Systems

This text file contains recent information that has not yet been added to
the manual. Please read this first and make notes in your manual before
installing.

*** Evaluation copies of Armour will not scan network drives. If you
        have an evaluation copy and are attempting to scan a network
        drive through ScanMenu, it will display a blank screen. Press
        [Esc] to exit and return to ScanMenu. ***

Corrections to Section 1.5.1.1 "NVC.SYS"

        The "installation" paragraph should read:

                "By default, NVC.SYS is copied to the C:\NORMAN directory.
                NVC.SYS is loaded as the last line of CONFIG.SYS.

                If you are using configuration blocks in CONFIG.SYS (a
                feature of MS-DOS 6.00+), then NVC.SYS is loaded as the
                last line of each block except for [menu] and [common].

                NVCINST attempts to load NVC.SYS high except when QEMM
                is found in CONFIG.SYS.

                If QEMM is found in CONFIG.SYS, and there is at least one
                line referencing LOADHI, then NVCINST loads NVC.SYS as
                follows:

                        [path]\loadhi /h [installation drive:\dir]\nvc.sys

                If QEMM is being used with the /ST parameter, then NVC.SYS
                is loaded with the /A parameter.

                        See section 5.1.4.1.4 for more details on /A.

                If 386Max is being used, then NVC.SYS is loaded with the
                /T parameter.

                        See section 5.1.4.1.3 for more details on /T.

                Note: if you are manually loading NVC.SYS into CONFIG.SYS,
                then NVC.SYS must be loaded after HIMEM only if DOS is
                being loaded high.

                In addition, if CONFIG.SYS contains a line with the device
                driver IFSHLP.SYS, NVC.SYS must be loaded after this line.

                ** Please apply all these changes to section 3.1.1. 
                   See below for more corrections to section 3.1.1. **
                                                                     
Addition: Section 1.5.5 "TCP/IP Extension Modules"

        Through version 3.42 of Armour, our messaging features were 
        handled through IPX communications. In Armour v3.46, however,
        you have the option of receiving Armour components which can 
        generate SNMP traps for use in messaging throughout PC-NFS and Lan
        Workplace environments.

        SNMP is a protocol which controls and monitors TCP/IP-based
        networks. An SNMP management station may poll an SNMP agent
        to obtain information about the agent system. The management
        station uses UDP (User Datagram Protocol) on port 161 to send
        a PDU (Protocol Data Unit) containing such a request.
        A system does not have to be polled to transmit information to
        the management station. Another SNMP mechanism is called
        "traps". An SNMP agent may send a trap message to the management
        station without being polled. This is typically done when something
        extraordinary has occurred. In this case, a trap message is sent
        when a virus is detected. UDP port 162 is used for SNMP traps.

        Contents of the installation disk:

       The Armour installation disks for PC-NFS and Lan
       Workplace environments contain the same filenames. However,
       the programs are unique for each TCP/IP environment.

       Following is a list of files included on each disk:

       readme.txt:         This file contains any last-minute
                           changes to the user manual.
       install.bat:        A simple installation routine which
                           copies the files from the disk to
                           a target directory.
       systems.txt:        An ASCII configuration file which
                           contains a user-defined message
                           (to be displayed when a virus is
                           detected) and the names of the servers
                           that are to be notified by the agent.
                           This file is an example only. Users
                           must modify this file according
                           to their own needs. 
       setup.exe:          A configuration program that compiles
                           the file "systems.txt" into "tcp_ip.cfg",
                           which is the configuration file used
                           by the agents.
       nvc.exe:            A replacement for the DOS command-line
                           virus scanner.
       nvcw.exe:           A replacement for the Windows
                           virus scanner.
       nvs.exe:            A replacement for the Windows scanner
                           scheduler.
       nvcsys.exe:         A replacement for the Windows agent
                           that communicates with NVC.SYS.
       ip_test.exe:        This program sends a dummy trap to the
                           list of management stations specified in
                           the configuration file "tcp_ip.cfg".
                           It may be helpful when troubleshooting
                           an installation. 

       System Requirements:

       The only requirement to make the Armour TCP/IP extension work on 
       a system is that a matching TCP/IP protocol stack and environment 
       is installed on the system. Before installing the extension, make 
       sure that TCP/IP is up and running by issuing a "ping" command or
       something similar. 

       Installation:

       IMPORTANT: you must first install the original (non-TCP/IP)
       Armour components and then install the TCP/IP extension.

       The TCP/IP installation disk contains replacement modules for the
       original Armour programs.

       Therefore, it is very important that the TCP/IP extension disk
       you are using has the same version number as the Armour programs
       that are already installed.

       For example: If you have Armour v3.46 installed on your system,
       and you wish to install the TCP/IP extension for Lan Workplace, then
       you need to install version 3.46 of the TCP/IP extension.

              In the future, ensure that you receive both the original
              Armour components and the TCP/IP extensions as upgrades.

       When using NVC.SYS with the TCP/IP extension for PC-NFS, it is
       important that you use the /T parameter on NVC.SYS. NVC.SYS will
       not co-exist with PC-NFS without this parameter. Failure to include
       the /T parameter may cause the PC to hang. Inclusion of the /T
       parameter will not impair the ability of NVC.SYS to detect
       unknown viruses. The difference lies in when the virus is detected.
       When the /T parameter is used, the virus will be detected as it
       tries to infect, and not when it goes resident in memory.

       Copy all the files from the disk into the directory where your 
       Armour programs reside. You may also use INSTALL.BAT by typing 
       
                install c:\norman

        where "c:\norman" is the directory where Armour resides.

        Configuring the installation:

        After copying the files from the TCP/IP extension disk into the 
        Armour directory, you are ready to configure the system. This is 
        done by editing the file "systems.txt". Use DOS EDIT, Windows 
        Notepad, or any other ASCII editor for this task. "systems.txt" 
        contains a list of the machines in the network where SNMP traps 
        are to be sent. You may also enter a text string that will be
        included with the trap. An example of "systems.txt" is shown below:

        ; Norman Data Defense Systems TCP/IP server name file
        ;
        ; This file lists the names of the servers that are to
        ; be notified in case of a virus incident. Lines starting
        ; with ';' are ignored and can be used for comments. Up
        ; to 150 server names may be given in this file.
        ; A system name cannot exceed 8 characters in length.
        ; A system may only occur once in the file.
        ; A custom-designed message of 70 characters (max.) may be 
        ; included on any separate line, starting with the character '@'.
        ; This brief message may be used to identify the sending system
        ; and its location, etc.
        ;
        norman
        einstein
        ;
        @This is a custom message line.
        ;

        As you can see in the example, comments may be included on any 
        line by starting the line with a semi-colon. You can include a 
        custom message by starting a line with the character "@".

        In this example, SNMP traps will be sent to the machines "norman" 
        and "einstein". It is necessary that these machines are available 
        in the "hosts" table on the workstation or its name server, so 
        that valid IP-addresses can be resolved from the names.
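
        The rules stated in the "systems.txt" comments can be checked
        before running "setup.exe". The following Python lint is an added
        example, not part of Armour or of this README; it reuses the
        message wording listed under "Configuration program error messages".
        Assumptions: the legal character set, case-insensitive duplicate
        detection, whitespace trimming and the wording of the 150-name
        message are not documented here and are chosen for illustration.

```python
import re

MAX_SYSTEMS = 150    # "Up to 150 server names may be given in this file."
MAX_NAME = 8         # "A system name cannot exceed 8 characters in length."
MAX_MESSAGE = 70     # "A custom-designed message of 70 characters (max.)"
# Assumption: the README does not say which characters setup.exe rejects;
# letters, digits, '-' and '_' are treated as legal here.
LEGAL = re.compile(r"[A-Za-z0-9_-]")

def check_systems(text):
    """Lint the text of a systems.txt; return (names, message, problems)."""
    names, message, problems = [], None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank line or comment
        if line.startswith("@"):                      # custom message line
            if len(line) - 1 > MAX_MESSAGE:
                problems.append(f"Error in line {lineno}: "
                                "Customized message is too long. Line ignored.")
            else:
                message = line[1:]
            continue
        # 1-based position of the first character outside the assumed legal set
        bad = next((i for i, ch in enumerate(line, 1) if not LEGAL.match(ch)), None)
        if len(line) > MAX_NAME:
            problems.append(f"Error in line {lineno}: Server name is too long: {line}.")
        elif bad is not None:
            problems.append(f"Error in line {lineno}: "
                            f"Illegal character in position {bad} of name: {line}.")
        elif line.lower() in {n.lower() for n in names}:   # assumption: case-insensitive
            problems.append(f"Error in line {lineno}: Duplicate name: {line}.")
        else:
            names.append(line)
    if len(names) > MAX_SYSTEMS:      # wording below is not a documented message
        problems.append(f"Error: more than {MAX_SYSTEMS} system names given.")
    if not names:
        problems.append("Warning: No system names given!")
    return names, message, problems

# Constructed sample: the README's two hosts plus three deliberate mistakes.
SAMPLE = """\
; constructed sample, based on the README's example
norman
einstein
norman
mainframe01
bad name
@This is a custom message line.
"""

if __name__ == "__main__":
    for problem in check_systems(SAMPLE)[2]:
        print(problem)
```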

        After you have edited the "systems.txt" file, you must compile it
        and create the file "tcp_ip.cfg". "tcp_ip.cfg" is created by running
        "setup.exe".

        Testing:

        A test program called "ip_test.exe" is included on the TCP/IP 
        extension disk. This program will send a test-trap to the systems 
        specified in "tcp_ip.cfg". "ip_test" will return a variety of
        messages, depending on whether or not the operation ended 
        successfully. The MIB id for the test-trap is "Internet.1007.1.7".

        There are 3 command-line parameters for ip_test.exe:

        Parameter       Meaning

        /F<text>        Send alternate file location string
        /T<number>      Send alternate enterprise trap number
        /V<text>        Send alternate virus name string

        Using these parameters, it is possible to send any file location 
        string, enterprise trap number and virus name string to the systems. 
        Using this feature makes it easy to customize the service routines
        at the receiving end. 
        
        Remember that the specific trap number indicates whether a virus 
        is normal (1) or dangerous (2).

        Troubleshooting:

        The following are explanations of some of the error messages that 
        may be displayed by the configuration program (setup.exe) and the 
        test program (ip_test.exe). 

        Configuration program error messages:

        The configuration program (setup.exe) uses the data contained in 
        the file "systems.txt" in order to generate a configuration file. 
        This is a short overview of some of the error messages that may
        be encountered when running "setup.exe":

        Error in line x: Server name is too long: <name>.
        Error in line x: Illegal character in position y of name: <name>.
        Error in line x: Duplicate name: <name>.
        Error in line x: Customized message is too long. Line ignored.

                The messages above all refer to errors with the system 
                names and custom message in "systems.txt".
                
                To correct an error, edit the file again. The error 
                messages should tell you on which line the error is located. 

        Error: Cannot find systems name file.
        Error: Cannot open systems name file.

                These two messages appear if there is a problem with the 
                file "systems.txt". Make sure that this file exists in 
                the directory from which you ran "setup.exe".

        Error: Cannot open configuration file.
        Error: Could not write to configuration file!

                These two messages appear when, for some reason, the setup
                program is unable to create the file "tcp_ip.cfg". Make 
                sure that there are enough file handles available and 
                that there is room enough on your disk.

        Warning: No system names given!
                                       
                This message appears if there are no system names in 
                "systems.txt". "setup.exe" will still generate a 
                configuration file, but no traps will be generated 
                by the applications.

        Test program error messages:

        The test program, "ip_test.exe", will normally terminate with the 
        following message:

                Trap PDU sent, Result OK!

        This means that a trap was successfully generated and sent to the 
        systems specified in "systems.txt". The program will list the 
        systems to which it is sending traps. If the list does not match 
        the systems that you specified in "systems.txt", you will have to 
        run "setup.exe" again in order to generate a new configuration file.

        If you enter an illegal command-line parameter for "ip_test.exe", 
        the following will appear:

                Illegal option: <option>
                
        The following are brief descriptions of other error messages that 
        may be produced by "ip_test.exe":

        Cannot open configuration file.
        
                The configuration file "tcp_ip.cfg" is not available in 
                the Armour directory.

        The client is not installed.

                The local TCP/IP environment is not installed and/or is
                not running.

        Configuration file checksum error!

                The configuration file "tcp_ip.cfg" is defective.
                Generate a new one using "setup.exe".

        Unable to generate PDU!
        Could not allocate buffer!
        Out of memory error, xxx.

                All three of these messages are a result of a lack of 
                free memory on the local system.

        Could not read configuration file.

                There is a problem reading "tcp_ip.cfg". This is most 
                likely because of a problem in the DOS environment.

        Could not open endpoint!

                There are problems with the port at the receiving end of 
                the connection.

        Version verification failure!

                This error occurs if your configuration file (tcp_ip.cfg) 
                was generated in a format not compatible with the current 
                version of the TCP/IP agent. Run "setup.exe" from your latest
                version of the TCP/IP extension package.

        Configuration file is empty!

                This message means that your configuration file does not 
                contain any systems to send traps to. Edit "systems.txt".

        Could not send to system name no.x!

                This means that the program was unable to establish a 
                connection with the specified system. Usually this is 
                because the receiving system is down. If many systems 
                are not responding, only the last one will show in the 
                error message.

        System name no.x is not valid!

                This means that the specified system does not resolve to 
                a valid IP-address. Check that the system appears in
                your hosts-file or at your name server.

        Technical issues:

        Detailed description of Norman SNMP traps:

        Products from Norman Data Defense Systems have their own place in 
        the SNMP MIB tree. The following illustration (Figure 1) shows the 
        structure of this tree.

        When a trap is sent from any of the anti-virus applications, the 
        trap number is 6, which means that the enterprise-specific trap 
        number is set. The enterprise-specific trap from Norman anti-virus 
        programs indicates whether the virus that has been discovered is 
        dangerous or not.

        Specific trap number 1 indicates regular viruses, while number 2 
        indicates dangerous viruses.

        Figure 1: Norman in the MIB tree

                  .
                  .
                Internet (1)
                  .
                  .
                Private (4)
                  .
                  .
                Enterprises (1)
                  .
                  .
                Norman (1007)
                  .
                  .
                Anti-Virus (1)
                  |
                  +-- NVC.SYS  (1)
                  +-- NVC.EXE  (2)
                  +-- NVCW.EXE (3)
                  +-- TEST     (7)
                  +-- more to be added in the future

        Therefore, traps that are sent from Norman applications have 
        the following ID's:

        nvc.sys         .1.3.6.1.4.1.1007.1.1
        nvc.exe         .1.3.6.1.4.1.1007.1.2
        nvcw.exe        .1.3.6.1.4.1.1007.1.3
        ip_test.exe     .1.3.6.1.4.1.1007.1.7

        There is a variable bindings list included in Norman virus-traps. 
        It consists of four octet strings containing information about the 
        virus attack.

        Octet-string no.1:      This string contains the origin of the 
                                message (user login and machine name).
        
        Octet-string no.2:      If possible, this string indicates the 
                                name of the virus that has been detected.

        Octet-string no.3:      This string indicates the location (filename) 
                                of the virus.

        Octet-string no.4:      Contains the user-defined message included 
                                in the local "tcp_ip.cfg" configuration file.
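
        For the service routines at the receiving end, the following
        Python decoder is an added example (not Norman code) that parses a
        trap laid out as described above and maps it to an alert record.
        Assumptions: the trap is an SNMPv1 Trap-PDU whose enterprise field
        carries the IDs listed above; the community string, agent address,
        varbind names and strings in the sample datagram are constructed.

```python
NORMAN_AV = ".1.3.6.1.4.1.1007.1"                    # Anti-Virus node (Figure 1)
SOURCES = {"1": "nvc.sys", "2": "nvc.exe", "3": "nvcw.exe", "7": "ip_test.exe"}
SEVERITY = {1: "regular", 2: "dangerous"}            # specific trap numbers
FIELDS = ("origin", "virus", "location", "message")  # octet strings no.1 to no.4

def tlv(tag, payload):
    """Encode one BER element; used only to build the constructed sample."""
    n = len(payload)
    size = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + size + payload

def read(buf, pos=0):
    """Decode one BER element at pos; return (tag, payload, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                     # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("length runs past end of data")
    return tag, buf[pos:pos + n], pos + n

def oid(data):
    """Decode an OBJECT IDENTIFIER payload into dotted form."""
    arcs, val = [x for b in data[:1] for x in divmod(b, 40)], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                             # last byte of this arc
            arcs.append(val)
            val = 0
    return "." + ".".join(map(str, arcs))

def parse_trap(datagram):
    """Return an alert dict for a Norman virus trap, or None for other traps."""
    tag, msg, _ = read(datagram)
    _, version, p = read(msg)
    _, _community, p = read(msg, p)
    ptag, pdu, _ = read(msg, p)
    if tag != 0x30 or version != b"\x00" or ptag != 0xA4:
        raise ValueError("not an SNMPv1 Trap-PDU")
    fields, p = [], 0
    for _ in range(6):  # enterprise, agent-addr, generic, specific, time, varbinds
        _, value, p = read(pdu, p)
        fields.append(value)
    enterprise = oid(fields[0])
    generic, specific = (int.from_bytes(f, "big") for f in fields[2:4])
    if generic != 6 or not enterprise.startswith(NORMAN_AV + "."):
        return None                                  # not enterprise-specific/Norman
    strings, p = [], 0
    while p < len(fields[5]):
        _, bind, p = read(fields[5], p)
        _, _name, q = read(bind)                     # varbind name is not used
        vtag, value, _ = read(bind, q)
        if vtag == 0x04:                             # OCTET STRING
            strings.append(value.decode("ascii", "replace"))
    return dict(zip(FIELDS, strings), severity=SEVERITY.get(specific, "unknown"),
                source=SOURCES.get(enterprise[len(NORMAN_AV) + 1:], "unknown"))

def sample_trap(specific=2):
    """Constructed datagram: community, address, names and strings are made up."""
    ent = bytes.fromhex("2b06010401876f01")          # 1.3.6.1.4.1.1007.1
    texts = [b"jdoe on PC42", b"Example.Virus", b"C:\\TEMP\\SAMPLE.COM", b"Lab, room 14"]
    binds = b"".join(tlv(0x30, tlv(0x06, ent + bytes([2, i])) + tlv(0x04, t))
                     for i, t in enumerate(texts, 1))
    pdu = (tlv(0x06, ent + b"\x02") + tlv(0x40, bytes([192, 0, 2, 10]))
           + tlv(0x02, b"\x06") + tlv(0x02, bytes([specific]))
           + tlv(0x43, b"\x00") + tlv(0x30, binds))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"public") + tlv(0xA4, pdu))
```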

Corrections to Section 3.1.1 "What happens during installation from Disk 1"

        INSTALL.BAT on Disk 1 does *not* run the command NVCINST DEFAULTS.
        Instead, it asks whether or not you plan to install the Windows
        components today. Then based on your answer, NVCINST either runs
        NVCINST CLEAN ASKBIND or NVCINST CLEAN NOBIND. The reason for this
        is Binder. We recommend that after installation, you run Binder and
        create new FileLogs. If you only wish to install the DOS components,
        you should run Binder at the end of Disk 1 installation. But if
        you wish to install the Windows components from Disk 2 also, then
        you should run Binder at the end of Disk 2 installation.

                See section 3.2 for more information on the parameters
                CLEAN, ASKBIND, and NOBIND.

        Regarding BootGuard (BG.EXE) and the bullet on page 31. The bullet
        should read:

                If BG.EXE is not present, add the line "c:\norman\bg.exe".
                This line will be placed as the first line of AUTOEXEC.BAT.

                        BG cannot be called from....

                NVCINST removes any call to BG.EXE in AUTOEXEC.BAT which
                does not originate from C:\NORMAN (the default) or the
                user-specified installation directory.

        ** Please apply all changes from the above "Corrections to Section
                1.5.1.1" **
            
Correction to Section 3.1.2 "What happens during installation from Disk 2"

        All references to the file VBASE.PIF should be ignored. This file
        is not present on the Armour diskettes.

        All references to VBASE.ICO should be changed to V-BASE.ICO.

        All references to NVCW.ICO should be ignored.

Addition to Section 3.2.1 "Parameters Specific to NVC.SYS"

        We have added another parameter to use for customizing the
        installation of NVC.SYS:

        LOADLOW         Loads NVC.SYS into conventional memory

        NOZAP           Doesn't change the configuration of previous
                        instances of NVC.SYS in CONFIG.SYS.

                When to use: if you have configured NVC.SYS in a special
                way for your environment, then the next time you upgrade
                Armour, you want to retain that configuration. Use
                the NOZAP parameter with NVCINST to keep your NVC.SYS
                configuration intact.

        ** If NVCINST detects a DOS other than MS-DOS, then NVCINST
        will try to load NVC.SYS high with a statement like this:

        devicehigh = c:\norman\nvc.sys


Note on Section 5.1.6 "Help Menu"

        You may access our context-sensitive help from any of the
        Windows scanner's dialog boxes. The Windows help file that 
        accompanies this version of Armour, however, is currently
        being revised, so you will experience some disparity in
        the text. We apologize in advance for the inconvenience.

Addition to Section 9.0 "Troubleshooting"

        9.4 NVC.SYS and Downloading from CompuServe

        When using WINCIM to download programs, NVC.SYS warns. This is a
        result of the way WINCIM handles downloads. 
        
        For example, if you wish to download ABC.EXE, then WINCIM creates
        a file called ABC.000 of the same size. Then just before the
        file transfer happens, WINCIM renames ABC.000 to ABC.EXE and
        overwrites the first few bytes. This overwriting behavior is what
        causes NVC.SYS to warn.

        Until we can revise NVC.SYS to address this issue, we recommend
        the following for downloading from CompuServe using WINCIM:

                if you wish to download ABC.EXE, save it as ABC.E
                if you wish to download ABC.COM, save it as ABC.C

                then download using WINCIM and afterwards, rename
                *.E to *.EXE and *.C to *.COM.

*** End ***
