          VShield Reference   Copyright 1994 McAfee Inc.     Page 1

          VSHIELD REFERENCE
          
          VirusScan's VShield is a memory-resident program
          that helps to prevent virus infection. It
          complements the Scan virus detection program as
          part of your computer security plan. While Scan
          checks areas on disks for viruses, the VShield
          program checks programs as they load into your
          computer's memory. This ensures that you don't
          "catch" any new viruses while you're working on
          your computer.
          
          VShield does this by remaining in memory and:
          
          * Checking master boot records (MBRs), boot
          sectors, system files, and itself for viruses when
          you turn on or reset ([Ctrl]+[Alt]+[Del]) your
          machine.
          
          * Checking program files for viruses as your
          computer executes them.
          
          * Checking files for viruses as you copy them
          (optional).
          
          * Checking for viruses whenever your computer
          accesses a disk (optional).
          
          The installation program automatically modifies
          your AUTOEXEC.BAT file so that VShield loads into
          memory every time you turn on your computer.
          
          If VShield finds a virus, you will see a message
          like:
          
             Found the Jerusalem Virus
          
          If that happens, don't panic. Turn to Chapter 4 to
          find out how to use the Scan program to get rid of
          the virus. If you need additional help, contact
          McAfee.
          
          There is one way to infect your computer that
          VShield cannot prevent; only you can. Never
          accidentally start your computer from an unknown
          diskette. That's how 80% of all viruses are
          passed! Always make sure your diskette drives are
          empty before you turn your computer on.
          
          VShield runs under DOS, Windows, and OS/2 Virtual
          DOS Machine and WIN-OS/2 sessions. The program
          file is VSHIELD.EXE. The file called VSHWIN.EXE
          allows VShield to display messages under Windows,
          and is added to your WIN.INI file automatically
          when you install VShield. If you need to conserve
          memory on your system, you can use VshieldCRC, a
          version of VShield that offers fewer protection
          options but requires less memory. The program file
          is VSHLDCRC.EXE.
          
          A companion program called CheckVshield checks whether
          either VShield or VshieldCRC is loaded in memory.
          The program file is CHKVSHLD.EXE. CheckVshield is
          especially useful for network administrators who
          want to ensure that everyone who logs on to the
          network is running VShield. All of these related
          programs are included in your VirusScan disk and
          described in this chapter.
          
          DO YOU NEED TO READ THIS DOCUMENT?
          
          Many users will not need the VShield options
          described in this chapter. We have designed
          VShield so that basic operation, achieved by simply
          installing it in memory as described in Chapter
          2, provides a high degree of protection for most
          users. The options here offer additional power and
          control for virus detection, and are most useful
          in vulnerable or memory-scarce environments, and
          to network administrators and information systems
          staff.
          
          SYSTEM REQUIREMENTS AND PERFORMANCE
          
          VShield is a terminate-and-stay-resident (TSR)
          program, which remains in memory while you run
          other programs. VShield tries to optimize memory
          usage and minimize conflicts with other TSRs. By
          default, VShield tries to conserve as much
          conventional memory as possible.
          
          If you have only 640Kb or less memory in your
          system, VShield requires about 67Kb of memory. By
          using the /SWAP option, you can reduce this to
          only 7Kb of conventional memory, although this
          will decrease VShield's speed.
          
          If you have more than 640Kb, VShield tries to load
          as much as possible into upper memory: first into
          expanded memory (EMS), into extended memory (XMS),
          then into upper memory blocks (640Kb to 1024Kb, or
          UMB). If you have sufficient high memory
          available, VShield or VshieldCRC uses no conventional
          memory. You'll see a message after loading that
          describes where VShield loaded into memory and how
          much memory it uses. You can control how VShield
          loads by using the /NOUMB, /NOEMS, and /NOXMS
          options, as described later in this chapter.
          
          VShield might require slightly more memory as the
          SCAN.DAT file grows to include more viruses.
          
          VShield adds a small amount of time to program
          loads and reboots. Performance will vary,
          depending on your system. The /SWAP option adds
          more time, because VShield must reload from disk
          to check files. VshieldCRC adds an average of one
          second to each program load.
          
          Once programs have been loaded, VShield does not
          degrade the performance of your system. Programs
          that load other files may run more slowly when you
          use the /FILEACCESS or /BOOTACCESS options,
          because these options cause VShield to scan files
          whenever they are accessed, not just when they are
          executed.
          
          FOUR LEVELS OF PROTECTION
          
          You can think of VShield as providing four levels
          of protection. You can use VShield's options to
          customize it for the level of protection you need.
          Level II meets the protection needs of most
          systems.
          
          Level I protection is appropriate for users who
          have very little memory available on their
          systems. It provides only minimal protection.
          
          For Level I protection, first use Scan with the
          /AF or /AV option to add validation codes. Then,
          install VshieldCRC instead of VShield. VshieldCRC can
          inform you that a file has not been certified, a
          file has been modified, a file size has changed,
          or a file has not been added to the validation
          file. VshieldCRC will not prevent infection, nor
          will it tell you when you have a known virus, but
          it allows you to prevent modified files from
          running. Use Scan instead to detect viruses, as
          described in Chapters 3 and 4. See "Using
          VShield."
          
          Level II protection is appropriate for most users.
          It will protect you from most viruses whether you
          have run Scan or not.
          
          For Level II protection, just install VShield
          according to the installation instructions. When
          loading, VShield checks memory automatically for
          viruses. Once resident in memory, VShield checks
          master boot records (MBRs), boot sectors, and
          program files (when executed) for virus
          signatures.
          
          Level III protection is appropriate for computers
          that are used by many people, as in an open-use
          computer lab, or onto which you frequently load
          files from public sources. Level III protection
          checks for both validation codes and virus
          signatures, incorporating both Level I and Level
          II protection.
          
          For Level III protection, first use Scan with the
          /AF {filename} option, then use VShield with the
          /CF {filename} option. The /AF option logs
          recovery and validation data for program files,
          the boot sector, and the master boot record (MBR)
          to a file you specify. The /CF option tells
          VShield to check against that log. See Chapter 4,
          "VirusScan reference," for instructions on using
          Scan.
          
          Level IV protection is for environments where
          security is extremely important and new software
          is seldom introduced. It combines Level III
          protection with access control, specifying that
          only programs known to be safe can be run.
          
          For Level IV protection, run VShield with the
          /CERTIFY option.
          
          VShield has many optional features that you might
          use at any protection level.
          
          RUNNING VSHIELD
          
          VShield checks programs, the master boot record
          (MBR), boot sector, system files, and itself for
          virus signatures, the pattern of code unique to
          each virus. If VShield finds an infection, it
          prevents programs from running. It also prevents
          warm restarts ([Ctrl]+[Alt]+[Del]) from infected
          disks.
          
          You can use options to control and fine-tune the
          scope, validation parameters, and operation of
          VShield's checks. To use VShield with options, use
          the following syntax:
          
          vshield [options]
          
          [options] indicates one or more options described
          in the table in the next section.
          
          Don't enter the square brackets, which indicate that
          what's within them is optional.
          
          Because systems and environments differ, VShield
          gives you a choice of options. Consider the
          mixture of safety, performance, and maintenance
          that meets your needs, then choose the combination
          of options that works best.
          
          DOS
          
          If you followed the installation instructions in
          Chapter 2, VShield begins working for you as soon
          as you install it, protecting the "sterile field"
          that the installation procedure creates. VShield
          is automatically added to your AUTOEXEC.BAT file,
          so it is activated every time you turn on your
          computer.
          
          The install program places VShield at the end of
          AUTOEXEC.BAT. In most cases this is OK. However,
          you should verify this by inspecting your
          AUTOEXEC.BAT file after you install VShield.
          
          To do so, use a text editor to examine your
          AUTOEXEC.BAT and follow these steps. If you need
          help with this procedure, see your DOS
          documentation or contact McAfee.
          
          1 Check the placement of the VShield command line
          in the AUTOEXEC.BAT file.
          
          * VShield must be run before any menu programs,
          such as MS-DOS's DOSSHELL or Norton Commander, or
          it will not be loaded.
          
          * If AUTOEXEC.BAT loads any network drivers,
          keyboard drivers, disk caching programs, drive
          compression programs, or custom disk drivers,
          VShield must be run both before and after them.
          These kinds of programs disable VShield. The
          second time VShield is loaded, use only the
          /RECONNECT option, as described later in this
          chapter.
          
          2 If necessary, move the line that loads VShield.
          
          3 Add the VShield options of your choice to the
          command line.
          
          On your VirusScan disk, you'll find AUTOEXEC.VSH, a
          sample AUTOEXEC.BAT that shows the correct
          placement of the VShield command line. If you are
          still not sure whether VShield is in the right
          place, contact McAfee.
          
          WINDOWS
          
          When you install VShield, it adds the VShield
          command line to your AUTOEXEC.BAT file. It also
          modifies your WIN.INI file to include VSHWIN.EXE,
          which allows VShield to display messages under
          Windows. However, you may need to change your
          Windows configuration for VShield to run properly.
          
          To do so, follow these steps. If you need help
          with this procedure, see your Windows
          documentation, or contact McAfee.
          
          1 Follow the instructions for DOS users in the
          previous section.
          
          2 Start Windows.
          
          3 Make Program Manager the default shell. Use no
          other Windows shell.
          
          4 In the Control Panel, configure Windows to run
          in 386 enhanced mode.
          
          5 Load Windows. You will see the VShield icon on
          your desktop.
          
          If VShield finds or suspects a virus, you'll see a
          warning message. Choose OK to close the message
          dialog.
          
          Double-clicking the VShield icon only displays a
          message that VShield is loaded.
          
          OS/2
          
          Because OS/2 is a protected environment, you need
          VShield only during Virtual DOS Machine (VDM) and
          WIN-OS/2 sessions. When you install it, VShield is
          automatically added to AUTOEXEC.BAT, so it is
          activated every time you start a VDM or WIN-OS/2
          session.
          
          If your start-up batch file is not AUTOEXEC.BAT,
          edit your start-up batch file to include VShield.
          For example:
          
             C:\vshield /fileaccess
          
          See /FILEACCESS, an option we recommend using with
          OS/2, in this chapter.
          
          SPECIAL INSTRUCTIONS FOR NETWORK ADMINISTRATORS
          
          You have many options for setting up VShield on a
          network. The table "Deciding which options are for
          you" lists options that most apply in network
          environments. If you need assistance in choosing
          the best configuration for your network, contact
          McAfee.
          
          If you run VShield from a network drive, flag
          VSHIELD.EXE as EXECUTE ONLY, READ ONLY, and
          SHAREABLE.
          
          If you run VShield from clients' local drives:
          
          * Edit all clients' AUTOEXEC.BAT files to load
          VShield with the options that are appropriate for
          your environment before any other drivers are
          loaded.
          
          * Add VShield with the /RECONNECT option to the
          AUTOEXEC.BAT or the network login script, after
          the network drivers are loaded. See /RECONNECT,
          later in this chapter, for more information.
          
          * Run CheckVshield from the login script. CheckVshield
          returns a DOS ERRORLEVEL that you can use in batch
          files to check and update VShield. For an example
          of using CheckVshield, see Technical note 2, "Sample
          NetWare login script and .BAT file," in this
          chapter.
          
          VSHIELD OPTION SUMMARY
          
          /? or /HELP
          
          Display a list of valid VShield command line
          options.
          
          /BOOT
          
          Check boot sectors for viruses when a program on a
          diskette executes.
          
          /BOOTACCESS
          
          Scan the diskette boot sector for viruses whenever
          a diskette is accessed, including any read and
          write operations.
          
          /CERTIFY
          
          Prevent files without validation codes from
          running.
          
          /CF {filename}
          
          Check for viruses using recovery and validation
          data stored by Scan /AF in the specified filename.
          
          /CONTACT message
          
          Display specified message when a virus is found.
          
          /CONTACTFILE {filename}
          
          Display message stored in filename when a virus is
          found.
          
          /CV [filename]
          
          Check validation codes added to files by Scan;
          ignore files listed in filename.
          
          /EX {filename}
          
          Don't check files listed in filename for
          validation codes (/CF and /CV options).
          
          /FILEACCESS
          
          Scan files when they are accessed on a diskette,
          but don't check the boot sector.
          
          /IGNORE {drive(s)}
          
          Don't check programs loaded from the specified
          drive(s).
          
          /LOCK
          
          Halt the system when a file that is infected or
          not certified loads and attempts to execute.
          
          /NOEMS
          
          Prevent VShield from using expanded memory (EMS)
          when it loads.
          
          /NOMEM
          
          Don't check memory for viruses.
          
          /NOREMOVE
          
          Prevent VShield from being removed from memory
          with the /REMOVE switch.
          
          /NOUMB
          
          Prevent VShield from using upper memory blocks
          (UMB) when it loads.
          
          /NOWARMBOOT
          
          Don't check the diskette boot sector for viruses
          during warm boot ([Ctrl]+[Alt]+[Del]).
          
          /NOXMS
          
          Prevent VShield from using extended memory (XMS)
          when it loads.
          
          /ONLY {drive(s)}
          
          Check programs loaded only from the specified
          drive(s).
          
          /RECONNECT
          
          Restore VShield after certain drivers or TSRs
          might have disabled it.
          
          /REMOVE
          
          Unload VShield from memory.
          
          /SAVE
          
          Save the command line options to the VSHIELD.INI
          file.
          
          /SWAP [pathname]
          
          Load VShield kernel (7Kb) only; swap the rest to
          pathname.
          
          VSHIELD OPTION DESCRIPTIONS

          /? or /HELP
          
          Use this option to display a brief description of
          valid VShield command line options.
          
          /BOOT
          
          Checks the boot sector of a diskette for viruses
          whenever a program that resides on the diskette
          executes. By default, VShield checks programs when
          they execute, but does not check the boot sector
          of the diskette for viruses. The /BOOT option is
          faster, but less thorough, than /BOOTACCESS. Using
          /BOOT with either /BOOTACCESS or /FILEACCESS in
          the same command line returns an error message.
          
          This option does not work from within Windows File
          Manager. For virus-checking within Windows, use
          the /FILEACCESS or /BOOTACCESS switch
          instead.
          
          /BOOTACCESS
          
          Checks the diskette boot sector for viruses
          whenever a diskette is accessed by a read or write
          operation, such as a DIR or COPY command, and when
          a program on the diskette executes. This is the
          highest level of protection against viruses that
          infect boot sectors. Using /BOOTACCESS with either
          /BOOT or /FILEACCESS in the same command line
          returns an error message.
          
          /CERTIFY
          
          Prevents programs from running if they do not have
          Scan validation codes. Use it in high-security
          environments to prevent clients from running
          programs that have not been scanned. To use
          /CERTIFY, first run Scan with the /AF or /AV
          option, as described in Chapter 3. Then, use
          VShield with the /CERTIFY option and either the
          /CF or /CV option (either is required), such as:
          
             vshield /certify /cf c:\mcafee\recvalch.sav
          
          Some programs, such as Lotus 1-2-3, contain self-
          modifying code and do not work correctly with
          validation codes attached. You may create an
          exception list of files to exclude from
          validation. For instructions, refer to technical
          note 1, "Creating an exception list for /CERTIFY."
          
          /CF {filename}

          Checks validation data stored by Scan's /AF
          {filename} option, where {filename} is the name of
          the validation data file created by Scan. If a
          file or system area has changed, VShield reports
          that a viral infection may have occurred. In this
          example:
          
             vshield /cf c:\mcafee\recvalch.sav /noems
          
          VShield looks in the RECVALCH.SAV file for
          validation data.
          
          /CONTACT message
          
          Displays a custom message when a virus is found.
          This message is displayed in addition to all other
          VShield messages. Use /CONTACT to let network
          users know what to do if VShield finds a virus.
          The message can be up to 50 characters long, and
          can contain any character except a backslash
          ("\"). Place messages starting with a hyphen ("-")
          or slash ("/") in quotation marks.
          
          If your message is longer than 50 characters or
          you want to store the message text in a
          file, use /CONTACTFILE instead. Using /CONTACT and
          /CONTACTFILE in the same command line returns an
          error message.
          
          /CONTACTFILE {filename}
          
          An alternative to the /CONTACT option,
          /CONTACTFILE identifies a file that contains the
          message string to display when a virus is found.
          This option is especially useful in network
          environments, because you can easily maintain the
          message text in a central file rather than
          changing the command line in the AUTOEXEC.BAT file
          on each workstation.
          
          If your message is 50 characters or fewer, you can
          use /CONTACT instead. Using /CONTACT and
          /CONTACTFILE in the same command line returns an
          error message.
          
          /CV
          
          Checks validation codes added by Scan with the /AV
          option. If a file has changed, VShield reports
          that the file has been modified and a viral
          infection may have occurred. You can specify the
          /EXCLUDE option to exclude a list of files from
          validation checking.
          
          /EXCLUDE {filename}
          
          Excludes files listed in filename from validation
          code checking when using /CF or /CV.
          
          /FILEACCESS
          
          Checks all files when accessed by a read or write
          operation. Using /FILEACCESS with either /BOOT or
          /BOOTACCESS in the same command line returns an
          error message.
          
          We recommend always using /FILEACCESS with
          OS/2.
          
          /IGNORE {drives}
          
          Omits checking program loads from the specified
          drives, as shown in the following example:
          
             vshield /ignore t: y: w:
          
          Use /IGNORE or /ONLY to speed up VShield by
          excluding secure, virus-free network drives from
          virus checking. You can specify up to 26 drives.
          See also /ONLY, described later in this section.
          Using /IGNORE and /ONLY in the same command line
          returns an error message.
          
          /LOCK
          
          Halts the system to stop further infection if
          VShield finds a virus. /LOCK is appropriate in
          highly vulnerable network environments, such as
          open-use computer labs. If you use /LOCK, be sure
          to use /CONTACT or /CONTACTFILE to tell users what
          to do or whom to contact if a virus is found and
          the system locks up.
          
          /NOEMS
          
          Prevents VShield from using expanded memory (LIM
          EMS 3.2) when it loads. This ensures that EMS is
          available exclusively to other programs.
          
          /NOMEM
          
          Skips the memory check for viruses when VShield
          loads. Using /NOMEM improves performance slightly,
          but use it only if you are absolutely sure that
          your system is virus-free.
          
          /NOREMOVE

          Prevents VShield from being removed from memory
          with the /REMOVE option in a subsequent VShield
          command. When you load VShield with the /NOREMOVE
          option, subsequent loads with the /REMOVE option
          will have no effect. Your network will be more
          secure if users cannot remove VShield, but this
          option may prevent users from solving memory
          limitations or conflicts.
          
          /NOUMB
          
          Prevents VShield from using the upper memory block
          (UMB, 640Kb to 1024Kb) when it loads. This ensures
          that UMB is available exclusively to other
          programs.
          
          /NOWARMBOOT
          
          Omits checking the diskette boot sector during a
          warm boot ([Ctrl]+[Alt]+[Del]) of the system.
          
          /NOXMS
          
          Prevents VShield from using extended memory when
          it loads. This ensures that XMS is available
          exclusively to other programs.
          
          /ONLY {drive(s)}
          
          Checks program loads only from the specified
          drive(s), ignoring all other drives, as shown in
          the following example:
          
            vshield /only c: f: k:
          
          Use /IGNORE or /ONLY to speed up VShield by
          excluding secure, virus-free network drives from
          virus checking. You can specify up to 26 drives.
          See also /IGNORE in this chapter. Using /ONLY and
          /IGNORE in the same command line returns an error
          message.
          
          /RECONNECT
          
          Restores VShield's links into DOS after another
          program has disabled it, such as a network driver,
          keyboard driver, custom disk driver, drive
          compression program, or disk caching program.
          These types of programs replace the normal DOS
          system interrupts so that VShield no longer
          recognizes program loads. After the lines in your
          AUTOEXEC.BAT file (or network login script) that
          load these programs, add this command line to
          restore VShield:
          
             vshield /reconnect
          
          /REMOVE
          
          Unloads VShield from memory. You may want to do
          this temporarily if you are running out of memory
          for programs. For best results, try using VShield
          with the /SWAP option first. Use /REMOVE only as a
          last resort.
          
          /REMOVE will not work if other memory-resident
          programs were loaded after VShield, or if VShield
          was loaded previously with the /NOREMOVE option.
          
          /SAVE
          
          Stores the VShield options you specify as the
          defaults in VSHIELD.INI. In the following example,
          /SAVE saves the /CONTACTFILE N:\MSGFILE as the
          default setting:
          
             vshield /contactfile n:\personal\msgfile /save
          
          To remove custom options and return to VShield's
          original defaults, use the /SAVE option alone:
          
             vshield /save
          
          /SWAP [pathname]
          
          Installs a small (7Kb) kernel of VShield in memory
          that loads the rest of VShield from disk on
          demand. Specify a pathname only if you want
          VShield to swap to a path other than the directory
          where VShield resides.
          
          Use /SWAP only if you have very little memory
          available, but require a high assurance of safety.
          /SWAP will slow down your system and may cause
          conflicts with programs that fail to allocate
          memory properly. If you don't have enough memory
          to load VShield without swapping, consider using
          VshieldCRC instead. We do not recommend storing the
          swap file on a network path because, if the
          workstation disconnects from the network, the
          workstation will lock.
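
          The AUTOEXEC.BAT placement rules and the option
          rules described above can be checked across many
          workstations with a short script. The Python below
          is an added example, not part of the McAfee
          documentation or software; the driver and menu
          program names and both sample AUTOEXEC.BAT files
          are constructed assumptions.

```python
import re

# Option names taken from the VShield option summary on this page.
KNOWN = {"/?", "/HELP", "/BOOT", "/BOOTACCESS", "/CERTIFY", "/CF", "/CONTACT",
         "/CONTACTFILE", "/CV", "/EX", "/EXCLUDE", "/FILEACCESS", "/IGNORE",
         "/LOCK", "/NOEMS", "/NOMEM", "/NOREMOVE", "/NOUMB", "/NOWARMBOOT",
         "/NOXMS", "/ONLY", "/RECONNECT", "/REMOVE", "/SAVE", "/SWAP"}
# Combinations the option descriptions say return an error message.
EXCLUSIVE = [{"/BOOT", "/BOOTACCESS", "/FILEACCESS"},
             {"/CONTACT", "/CONTACTFILE"}, {"/IGNORE", "/ONLY"}]
# ASSUMED names (not from the page): a disk cache and NetWare client drivers
# standing in for "programs that disable VShield", plus two menu programs.
HOOKING = {"SMARTDRV", "LSL", "IPXODI", "NETX"}
MENUS = {"DOSSHELL", "NC"}

# Constructed sample: VShield loaded too late, bad options, no /RECONNECT.
BAD = r"""@ECHO OFF
PATH C:\DOS;C:\MCAFEE
C:\DOS\SMARTDRV.EXE
C:\MCAFEE\VSHIELD.EXE /BOOT /FILEACCESS /CERTIFY /LOCK
LSL
IPXODI
NETX
DOSSHELL
"""
# Constructed sample that follows the placement rules in this chapter.
GOOD = r"""@ECHO OFF
C:\MCAFEE\VSHIELD.EXE /BOOTACCESS /LOCK /CONTACT Call the help desk
C:\DOS\SMARTDRV.EXE
LSL
IPXODI
NETX
C:\MCAFEE\VSHIELD.EXE /RECONNECT
DOSSHELL
"""

def program_name(line):
    """Upper-case base name of the program a batch line runs, or None."""
    words = line.strip().lstrip("@").split()
    if words and words[0].upper() in ("LH", "LOADHIGH"):
        words = words[1:]
    if not words or words[0].upper() in ("REM", "ECHO", "PATH", "SET"):
        return None
    return re.split(r"[\\:]", words[0])[-1].upper().split(".")[0]

def parse_options(line):
    """Map each /OPTION on a vshield command line to its argument tokens."""
    opts, current = {}, None
    for tok in re.findall(r'"[^"]*"|\S+', line):
        if tok.startswith("/"):
            current = tok.upper()
            opts[current] = []
        elif current:
            opts[current].append(tok.strip('"'))
    return opts

def check_options(opts):
    """Return the documented rules that one set of options breaks."""
    used, problems = set(opts), []
    problems += [f"unknown option {o}" for o in sorted(used - KNOWN)]
    for group in EXCLUSIVE:
        if len(group & used) > 1:
            problems.append(" and ".join(sorted(group & used)) + " cannot be combined")
    if "/CERTIFY" in used and not used & {"/CF", "/CV"}:
        problems.append("/CERTIFY requires /CF or /CV")
    message = " ".join(opts.get("/CONTACT", []))
    if len(message) > 50 or "\\" in message:
        problems.append("/CONTACT message exceeds 50 characters or has a backslash")
    if "/LOCK" in used and not used & {"/CONTACT", "/CONTACTFILE"}:
        problems.append("/LOCK without /CONTACT or /CONTACTFILE")
    if any(len(opts.get(o, [])) > 26 for o in ("/IGNORE", "/ONLY")):
        problems.append("more than 26 drives specified")
    return problems

def audit_autoexec(text):
    """Return sorted (line_number, finding) pairs for an AUTOEXEC.BAT text."""
    findings, loads, hooks, menus = [], [], [], []
    for num, line in enumerate(text.splitlines(), 1):
        name = program_name(line)
        if name == "VSHIELD":
            loads.append((num, parse_options(line)))
            findings += [(num, p) for p in check_options(loads[-1][1])]
        elif name in HOOKING:
            hooks.append((num, name))
        elif name in MENUS:
            menus.append((num, name))
    if not loads:
        return [(0, "VShield is never loaded")]
    first = loads[0][0]
    findings += [(n, f"{p} runs before VShield, so VShield will not load")
                 for n, p in menus if n < first]
    findings += [(n, f"{p} loads before the first VShield load")
                 for n, p in hooks if n < first]
    if hooks and not any("/RECONNECT" in o and n > hooks[-1][0] for n, o in loads):
        findings.append((hooks[-1][0], "no 'vshield /reconnect' after the last driver"))
    findings += [(n, "use only /RECONNECT on the second load")
                 for n, o in loads if "/RECONNECT" in o and len(o) > 1]
    return sorted(findings)

if __name__ == "__main__":
    for label, sample in (("BAD", BAD), ("GOOD", GOOD)):
        print(label)
        for num, msg in audit_autoexec(sample) or [(0, "no findings")]:
            print(f"  line {num}: {msg}")
```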
          
          Deciding which options are for you

          Because systems and environments differ, VShield
          gives you a choice of options. Consider the
          mixture of safety, performance, and maintenance
          that meets your needs, then choose the combination
          of options that works best.
          
          COMMENTS
          
        MORE COMPLETE PROTECTION, ANY ENVIRONMENT
          
          /BOOTACCESS
          
          Highest protection against infected diskettes;
          checks for viruses whenever a diskette is
          accessed.
          
          /FILEACCESS
          
          Next highest protection against infected
          diskettes; checks for viruses whenever a file on a
          diskette is accessed.
          
          /BOOT
          
          Of the three, lowest protection against infected
          diskettes; checks for viruses whenever a program
          on a diskette executes.
          
        MORE COMPLETE PROTECTION, STABLE SOFTWARE
        ENVIRONMENT
          
          /CERTIFY
          
          Use with /CF {filename} or /CV [filename] and an
          exception list.
          
          /CF
          
          Use /CF or /CV. Of the two, /CF is recommended.
          
          /CV
          
          Use /CF or /CV.
          
        NETWORK ENVIRONMENTS
          
          /CONTACT
          
          Use this (or /CONTACTFILE) to tell users what to do
          when a virus is found.
          
          /CONTACTFILE
          
          Use this (or /CONTACT) to tell users what to do
          when a virus is found.
          
          /IGNORE
          
          Use this (or /ONLY) to skip virus-free drives.
          
          /LOCK
          
          Use with /CONTACT or /CONTACTFILE {filename}. For
          high-risk environments.
          
          /NOREMOVE
          
          Prevents VShield from being removed from memory.
          
          /ONLY
          
          Use this (or /IGNORE) to check only vulnerable
          drives.
          
          /RECONNECT
          
          Required if drivers are loaded after VShield.
          
        FASTER PERFORMANCE, ANY ENVIRONMENT
          
          /NOMEM
          
          Only use on a virus-free computer.
          
          /NOWARMBOOT
          
          Omits checking the boot sector after a warm boot.
          
        MANAGE MEMORY, ANY ENVIRONMENT
          
          /NOEMS
          
          Use when other programs need exclusive use of EMS
          memory.
          
          /NOUMB

          Use when other programs need exclusive use of UMB
          memory.
          
          /REMOVE
          
          May temporarily solve memory conflicts.
          
          /NOREMOVE
          
          Use to ensure that VShield remains in memory.
          
          /NOXMS
          
          Use when other programs need exclusive use of XMS
          memory.
          
          /SWAP
          
          Use in environments with very limited memory.
          
        EXAMPLES
          
          The following examples show different option
          settings:
          
          vshield
          
             Activates VShield (Level II protection).
          
          vshield /cv
          
             Activates VShield (Level III protection), if you
             have previously run SCAN /AV.
          
          vshield /certify /cf c:\valcodes.dat
          
             Activates VShield (Level IV protection) and checks
             a recovery and validation data file created when
             running Scan with the /AF option.
          
          vshield /swap
          
             Activates VShield kernel in memory and swaps from
             the directory in which VShield resides.
          
          vshield /cv c:\excption.lst /contact "Please Contact the PC Help Desk"
          
             Activates VShield (Level III protection), skips
             checking the files listed in EXCPTION.LST, and
             displays a message if a virus is found.
          
          vshield /reconnect

             Re-enables VShield after it has been disconnected
             by network device drivers.
          
          ERRORLEVELS
          
          When VShield loads, it sets the DOS ERRORLEVEL.
          You can use the returned ERRORLEVEL in
          AUTOEXEC.BAT or other batch files to take
          different actions based on whether VShield has
          loaded in memory. See your DOS manual for more
          information.
          
          VShield returns these ERRORLEVELs:
          
          0 - VShield successfully loaded in memory with
          all options operational.
          
          9 - VShield not loaded correctly. Abnormal
          termination (program error).
          
          USING VSHLDCRC
          
          For Level I protection on systems with limited
          memory, use VshieldCRC instead of VShield. VshieldCRC
          is a separate program that consumes little system
          overhead, but is not recommended for normal use
          because it provides only minimal protection.
          VshieldCRC can inform you that you have been
          infected with a virus, but it does not check for
          virus signatures nor does it prevent infection.
          
          To use VshieldCRC, first use Scan with the /AF or
          /AV option. VshieldCRC checks the validation codes
          added by Scan. It also checks the master boot
          record (MBR) and boot sector validation codes, if
          present. See Chapter 4, "VirusScan reference," for
          instructions on using Scan.
          
          To load VshieldCRC with options, use the following
          syntax:
          
             VshieldCRC [options]
          
          [options] include the options listed in the table
          "VShield option summary." For more information on
          all options except /LOGFILE, see "VShield option
          descriptions" in this chapter.
          


          EXAMPLES
          
          Activates VshieldCRC (Level I protection).
          
             VshieldCRC /cf valcodes.dat
          
          Activates VshieldCRC and checks validation data
          stored in VALCODES.DAT, a file that was created
          using Scan with the /AF option.
          
          VSHLDCRC OPTION SUMMARY
          
          /? or /HELP
          
          Display a list of valid VshieldCRC command line
          options.
          
          /CERTIFY
          
          Prevent files without validation codes from
          running.
          
          /CF {filename}
          
          Check for viruses using recovery and validation
          data stored by Scan /AF in the specified filename.
          
          /CONTACT message
          
          Display specified message when a virus is found.
          
          /CONTACTFILE {filename}
          
          Display message stored in specified filename when
          a virus is found.
          
          /CV
          
          Check validation codes added to files by Scan.
          
          /EX {filename}
          
          Don't check files listed in filename for
          validation codes (used with /CF and /CV options).
          
          
          /FILEACCESS
          
          Don't check the diskette boot sector for viruses
          when a file on the diskette is accessed, including
          read and write operations; still checks files for
          validation codes.
          
          /IGNORE {drive(s)}
          
          Don't check programs loaded from specified
          drive(s).
          
          /LOCK
          
          Halt the system when a file that is not certified
          attempts to load and execute.
          
          /LOGFILE {filename}
          
          Write error information to filename.
          
          /NOREMOVE
          
          Prevent VshieldCRC from being removed from memory
          with a subsequent VshieldCRC command using /REMOVE.
          
          /NOUMB
          
          /ONLY {drive(s)}
          
          Check programs loaded only from the specified
          drive(s).
          
          /REMOVE
          
          Unload VshldCRC from memory.
          
          USING CHKVSHLD
          
          CheckVshield allows network administrators to make sure
          that workstations are running VShield or VshieldCRC
          before users can log onto a network. See technical
          note 2 in this chapter for a sample Novell NetWare
          login script using CheckVshield.
          
          To load CheckVshield with options, use the following
          syntax:
          
          chkvshld [option(s)]
          
          [option(s)] include:
          
          /? and /HELP Display a list of valid CheckVshield
          command line options.
          
          /DEBUG  Displays the version of VShield or
          VshieldCRC resident in memory and the DOS ERRORLEVEL
          on the screen.
          
          /Q Suppresses CheckVshield messages (quiet mode) so
          users don't see the messages.
          
          /V xxxxx Tells CheckVshield to look for a specific
          version (2.00 or higher) of VShield or VshieldCRC in
          memory. For example, /v 2.00 for VShield 2.00.
          
          EXAMPLES
          
             chkvshld /q
          
          Checks for VShield or VshieldCRC in memory and
          suppresses messages.
          
          ERRORLEVELS
          
          When CheckVshield runs, it sets the DOS ERRORLEVEL.
          Use the ERRORLEVEL in batch files to take
          different actions based on the results of
          CheckVshield's check. The ERRORLEVELs returned by
          CheckVshield are:
          
          0 - VShield or VshieldCRC is resident or, if /V is
          used, the version specified is resident in memory.
          
          1 - VShield or VshieldCRC is resident but does not
          match the version specified in the /V option.
          
          2 - VShield or VshieldCRC is not resident in memory.
          
          3 - Abnormal termination (program error).
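
          The batch file below is an added example, not part of the
          original manual. It shows how the VShield load ERRORLEVELs
          (0 and 9) and the CheckVshield ERRORLEVELs (0 to 3) listed in
          this chapter can be tested from DOS. It assumes VSHIELD.EXE
          and CHKVSHLD.EXE are on the PATH; the labels and messages are
          made up for illustration.

```bat
@ECHO OFF
REM Added example, not from the VShield manual.
REM Assumes VSHIELD.EXE and CHKVSHLD.EXE are on the PATH.
REM
REM IF ERRORLEVEL n is true when the exit code is n OR HIGHER,
REM so always test the highest value first and work downward.

VSHIELD /CONTACT "Please Contact the PC Help Desk"
IF ERRORLEVEL 9 GOTO LOADFAIL

REM VShield returned 0. Confirm that version 2.00 is resident.
CHKVSHLD /Q /V 2.00
IF ERRORLEVEL 3 GOTO CHKERR
IF ERRORLEVEL 2 GOTO NOTRES
IF ERRORLEVEL 1 GOTO OLDVER

ECHO VShield is resident. Continuing startup.
REM Network drivers and login go here. If drivers load after
REM VShield, follow them with: VSHIELD /RECONNECT
GOTO END

:LOADFAIL
ECHO VShield did not load correctly (ERRORLEVEL 9).
GOTO STOP
:CHKERR
ECHO CHKVSHLD internal error (ERRORLEVEL 3).
GOTO STOP
:NOTRES
ECHO VShield is not resident in memory (ERRORLEVEL 2).
GOTO STOP
:OLDVER
ECHO The resident VShield is not version 2.00 (ERRORLEVEL 1).
:STOP
ECHO Network startup skipped. Please contact the Help Desk.
PAUSE
:END
```

          Testing the values in ascending order would send every
          failure to the ERRORLEVEL 1 branch, because a result of 2
          or 3 also satisfies IF ERRORLEVEL 1.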
          
          TECHNICAL NOTE 1
          
          CREATING AN EXCEPTION LIST FOR /CERTIFY AND /CV
          
          VShield /CERTIFY permits a file to load only if:
          
          * It has been validated by Scan, or
          
          * It appears in the exception list file specified
          with the /CV option.
          
          If you do not validate any files and do not use an
          exception list, /CERTIFY will disable all programs
          other than DOS internal commands.
          
          The exception list file is an ASCII or DOS text
          file containing up to 1,024 characters. If you use
          a word processor to create it, be sure to save the
          file as ASCII or DOS Text. Each uncommented line
          in the file contains the path and filename of one
          file that should not be validated. To enter a
          comment, start the line with an asterisk (*). Here
          is an example:
          
          *
          *LIST OF FILES TO EXCLUDE FROM /CV VALIDATION
          *
          *Nantucket Corp's database program, Clipper
          C:\CLIPPER\BIN\CLIPPER.EXE
          *Lotus Development Corp's spreadsheet program, 1-2-3
          C:\123\123.COM
          *Microsoft's database program, FoxPro
          C:\FOX\FOXPROLX.EXE
          *MS-DOS 5.0 and above self-modifying program, SETVER
          C:\DOS\SETVER.EXE
          *PKWare's data compression programs already perform
          *a self-check
          C:\PKWARE\PKLITE.EXE
          C:\PKWARE\PKZIP.EXE
          C:\PKWARE\PKUNZIP.EXE
          *SemWare's QEdit text editor
          C:\SEMWARE\Q.EXE
          *Stac Technologies hard disk swapping program
          C:\SWAPVOL.COM
          *Symantec's Norton Utilities V6.01 disk caching program
          C:\NORTON\NCACHE.EXE
          *WordStar Corp's word processor is self-modifying
          C:\WORDSTAR\WS.EXE

          TECHNICAL NOTE 2
          
          SAMPLE NETWARE LOGIN SCRIPT AND .BAT FILE
          
          Here is a sample system login script for use by
          Novell NetWare system administrators. The login
          script gets the ERRORLEVEL from CheckVshield and
          displays messages on the user's screen. If VShield
          is not loaded correctly, if there is an internal
          error with CHKVSHLD, if either VShield or
          VshieldCRC is not installed, or if an older
          version of VShield is present, the script exits
          the user to a NOLOGIN.BAT file that logs him or
          her out.
          
          REM REPLACE "XXX" WITH CURRENT VERSION NUMBER
          #CHKVSHLD /V "5.4VXXX"
          IF ERROR_LEVEL = "3" THEN
            FIRE PHASERS 5 TIMES
            WRITE "A CHKVSHLD internal error has occurred."
            WRITE "Please contact the Help Desk."
            #COMMAND /C NOLOGIN.BAT
            EXIT
          ELSE
            IF ERROR_LEVEL = "2" THEN
              FIRE PHASERS 5 TIMES
              WRITE "VShield has not been installed on your PC."
              WRITE "Access Denied. Please contact the Help Desk."
              #COMMAND /C NOLOGIN.BAT
              EXIT
            ELSE
              IF ERROR_LEVEL = "1" THEN
                FIRE PHASERS 5 TIMES
                WRITE "An old version of VShield has been installed."
                WRITE "Access to the network has been denied. Please"
                WRITE "contact the Help Desk to have a new version"
                WRITE "installed."
                #COMMAND /C NOLOGIN.BAT
                EXIT
              END
            END
          END
          
          You can create more complex login scripts to send
          a message to the supervisor if an error has
          occurred, update the user's VSHIELD.EXE as he or
          she logs in to the network, and so forth.
          
          Here is a sample of the NOLOGIN.BAT file called by
          the login script.
          
          ECHO OFF
          REM Log the user off of the network
          LOGOUT
          