          SCAN Reference      Copyright 1994 McAfee Inc.          Page 1
          
          VirusScan REFERENCE
          
          VirusScan's Scan program detects, identifies, and
          disinfects more than 2,600 known DOS computer
          viruses. Scan checks memory and both the system
          and data areas of disks for virus infections. If
          Scan finds a known virus, in most cases it will
          eliminate the virus and fully restore infected
          programs or system areas to normal operation.
          
          The SCAN.DAT file that accompanies Scan lists all
          viruses that Scan identifies and removes. Use Scan
          with the /VIRLIST option to see a list of these
          viruses.
          
          In addition, Scan can also assign validation and
          recovery codes to files, and use those codes to
          detect and treat infection by new and unknown
          viruses. If Scan has stored validation or recovery
          data for files, it may detect file changes and
          warn that infection by an unknown virus may have
          occurred. Scan can also use the recovery codes to
          remove new or unknown viruses and restore infected
          files, master boot record (MBRs), and boot
          sectors.
          
          Scan runs on DOS, Windows, and OS/2. The program
          files are SCAN.EXE, WSCAN.EXE, and OS2SCAN.EXE,
          respectively.
          
          Because OS/2 operates in a protected mode
          environment, Scan for OS/2 does not check memory.
          To protect against viruses in OS/2 DOS and Win-
          OS/2 sessions, use the VShield (for DOS) virus
          prevention program.
          
          DO YOU NEED TO READ THIS DOCUMENT?
          
          Many users will not need the Scan command line
          options described in details here. We have
          designed Scan so that basic operations will detect
          most viruses in your system. The command line
          options described here offer additional power and
          control over virus detection. They enable you to
          run Scan from batch or script files, and are most
          useful in vulnerable environments and to network
          administrators and information services staff.
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 2

          SYSTEM REQUIREMENTS AND SUPPORT
          
          Scan requires DOS 3.0 or later, Windows 3.1 or
          later, or IBM OS/2 Version 2.0 or later. Running
          Scan for DOS with command line options requires
          360Kb of free RAM.
          
          Scan works with 3Com 3/Share and 3/Open, Artisoft
          LanTastic, AT&T StarLAN, Banyan VINES, DEC
          Pathworks, IBM LAN Server, Microsoft LAN Manager,
          Novell NetWare, and any other IBMNET- or NETBIOS-
          compatible network operating systems. Contact
          McAfee or your local authorized agent if you do
          not see your network listed.
          
          Scan is designed to check for pre-existing
          infections of known and unknown viruses on floppy,
          hard, CD-ROM, and compressed (SuperStor, Stacker,
          Doublespace, and so on) disks on both stand-alone
          and networked personal computers, as well as
          network file servers. If you have a Novell
          NetWare/386 V3.1X or 4.01 file server, you may
          want to use the NETShield virus prevention
          NetWare Loadable Module in conjunction with Scan.
          
          To use Scan to clean up (disinfect) virus-infected
          files, the CLEAN.DAT file must be present in the
          same subdirectory as Scan. If you don't have the
          CLEAN.DAT file, first verify whether you should
          contact your system administrator or information
          systems staff directly for virus clean-up.
          Otherwise, you can contact McAfee.
          
          TECHNICAL OVERVIEW
          
          KNOWN VIRUS DETECTION
          
          Scan detects known viruses by searching the system
          for known characteristics (sequences of code)
          unique to each computer virus and reporting their
          presence if found. For viruses that encrypt or
          cipher their code so that every infection is
          different, Scan uses detection algorithms that
          work by statistical analysis, heuristics, and code
          disassembly.
          
          NEW AND UNKNOWN VIRUS DETECTION
          
          Scan can also check for new or unknown viruses by
          comparing files against previously recorded
          validation data. If a file has been modified, it
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 3
          
          will no longer match the validation data, and Scan
          will report that the file may have become
          infected. With certain options, Scan /CLEAN can
          use the validation and recovery data to restore
          infected files, master boot records (MBRs), or
          boot sectors.
          
          NOTE TO NETWORK USERS
          
          To use Scan on a network drive (or directory), you
          must be connected to that drive and have read
          access to it. Some command line options attempt to
          create, change, and delete files. To use these
          options, you must have sufficient access rights.
          If you have questions about access rights, contact
          your network administrator.
          
          VALIDATING SCAN
          
          The Scan program in your VirusScan package is
          supplied on a write-protected diskette (notchless)
          that should be secure from infection. We recommend
          that you update your copy of the VirusScan
          programs regularly. You can obtain an upgrade from
          several sources.
          
          Before using a new version of Scan for the first
          time, verify that it has not been tampered with or
          infected by using the Validate program. If your
          new copy of Scan differs from the validation data
          in the on-line documentation file, it may have
          been damaged. Don't use it, and obtain a clean
          copy of Scan from a known source.
          
          Scan performs a self-check when it runs. If Scan
          has been modified in any way, a warning appears
          and asks you whether to continue or quit. Scan may
          be infected. If you choose to continue, Scan can
          still check for viruses but may spread the
          infection. Therefore, if Scan reports that it has
          been damaged, we recommend that you quit, and then
          obtain a clean copy before continuing.
          
          Running Scan from the command line
          
          Scan checks files and other areas of the system
          that can contain computer viruses. When a virus is
          found, Scan identifies the virus and the system
          area or file where it was found.
          
          By default, Scan examines all files on a system.
          Once you've installed VirusScan and have
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 4
          
          established a "sterile field", you might not need
          to scan every file on your system again, just the
          executable files (.EXE, .COM, .SYS, .BIN, .OVL,
          and .DLL files). Use the /STD option to scan
          executable files only. (Note that the list of
          extensions for standard executables has changed
          from previous versions of Scan.)
          
          From DOS or OS/2, you can run Scan from the system
          prompt. (From OS/2, open the Command Prompts
          folder in the OS/2 system folder, then choose OS/2
          Full Screen or OS/2 Window to see the system
          prompt.) The syntax is:
          
               DOS  C> scan {drives} [options]
          
               OS/2 [C:\] os2scan {drives} [options]
          
          * {drives} indicates one or more drives to be
          scanned. You must specify one or more drives to
          scan. If you list a drive like c:, all of its
          subdirectories will be scanned. If you list \,
          only the root directory and boot area of the
          current disk will be scanned. If you list \ or a
          directory, its subdirectories will not be scanned
          unless you use the /SUB option.
          
          * [options] indicates one or more of the Scan
          options listed in "Scan command line option
          summary."
          
          SCAN COMMAND LINE OPTION SUMMARY (DOS-OS/2)
          
          /? or /HELP
          
          Display help screen (not available in Windows, use
          Help menu instead).
          
          /ADL
          
          Scan all local drives.
          
          /ADN
          
          Scan all network drives.
          
          /AF {filename}
          
          Store validation/recovery codes in filename.
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 5
          
          /AV
          
          Add validation/recovery data to program files.
          
          /BOOT
          
          Scan boot sector and master boot record only.
          
          /CF {filename}
          
          Check validation/recovery codes in filename.
          
          /CLEAN
          
          Clean up infections in boot sector, master boot
          record, and files when possible.
          
          /CV
          
          Check validation/recovery data in files.
          
          /DEL
          
          Overwrite and delete infected files.
          
          /EXCLUDE {filename}
          
          Exclude from scan any files listed in filename.
          (with /AV).
          
          /FAST
          
          Speed up VirusScan's scanning; may detect fewer
          viruses.
          
          /HISTORY
          
          Append, rather than overwrite, the report file
          (/REPORT).
          
          /LOAD {filename}
          
          Use Scan settings stored in filename.
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 6
          
          /LOG
          
          Save date and time VirusScan was last run in
          SCAN.LOG.
          
          /MOVE {directory}
          
          Move infected files to directory.
          
          /NOMEM
          
          Skip memory checking (not applicable to OS/2).
          
          /PAUSE
          
          Enable screen pause.
          
          /PLAD
          
          Preserve last access dates on network drives in a
          Novell network.
          
          /REPORT {filename}
          
          Create report of infected files found during scan
          in filename.
          
          /RF filename
          
          Remove validation/recovery codes in filename.
          
          /RPTCOR
          
          Add list of corrupted files to the report file
          (/REPORT).
          
          /RPTERR
          
          Add list of system errors to the report file
          (/REPORT).
          
          /RPTMOD
          
          Add list of modified files to the report file
          (/REPORT).
          
          /RV
          
          Remove validation/recovery data from files.
          
          /SHOWLOG
          
          Display information in SCAN.LOG.
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 7

          /STD
          
          Scan executable files only (COM, EXE, SYS, BIN,
          OVL, DLL)
          
          /SUB
          
          Scan subdirectories inside a directory.
          
          /VIRLIST
          
          Display list of viruses stored in SCAN.DAT
          
          SCAN OPTION DESCRIPTIONS
          
          Here is a detailed description of Scan's options.
          
          /? or /HELP
          
          Display list of Scan options
          
          Does not scan. Instead, displays a list of Scan
          command line options with a brief description of
          each. Use these options alone on the command line.
          
          /ADL
          
          Scan all local drives
          
          Scans all local drives for viruses, in addition to
          those specified on the command line. In DOS, use
          /ADL to check all local drives, including
          compressed drives and CD-ROMs. To scan both local
          and network drives, use /ADL and /ADN together in
          the same command line.
          
          /ADN
          
          Scan all network drives
          
          Scans all network drives for viruses, in addition
          to those specified on the command line. To scan
          both local and network drives, use /ADL and /ADN
          together in the same command line.
          
          /AF filename
          
          Store validation/recovery codes in file
          
          Helps you detect and recover from new or unknown
          viruses. /AF logs validation and recovery data for
          executable files, boot sector, and master boot
          record (MBR) of a disk in the file you specify.
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 8

          The log file is about 95 bytes per file validated.
          You must specify a filename, which can include the
          target drive and directory (such as
          D:\VSVALID\VALCODES.VSC). If the target path is a
          network drive, you must be able to create and
          delete files in that drive. If filename exists,
          Scan updates it. The /AF option adds about 300%
          more time to scanning.
          
          To exclude self-modifying or self-checking files
          that might cause false alarms, use the /EXCLUDE
          option. To recover from a virus using the /AF
          information, use the /CF and /CLEAN options
          together in the same command line. Using any of
          the /AF, /CF, or /RF options together in the same
          command line returns an error.
          
          /AF performs the same function as /AV, but stores
          its data in a separate file rather than changing
          the executable files themselves.
          
          /AV
          
          Add validation/recovery data to files
          
          Helps you detect and recover from new or unknown
          viruses. /AV adds recovery and validation data to
          each standard executable file (.EXE, .COM, .SYS,
          .BIN, .OVL. and .DLL), increasing the size of each
          file by 98 bytes. To update files on a shared
          network drive, you must have update access rights.
          The /AV option adds about 100% more time to
          scanning.
          
          To exclude self-modifying or self-checking files
          that might cause false alarms, use the /EXCLUDE
          option. To recover from a virus using the /AF
          information, use the /CV and /CLEAN options
          together in the same command line. Using any of
          the /AV, /CV, or /RV options together in the same
          command line returns an error.
          
          /BOOT
          
          Scan boot sector and master boot record only
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 9

          Scans the boot sector and master boot record on
          the specified drive(s), but not files or
          directories on those drives.
          
          /CF filename
          
          Check validation/recovery codes in file
          
          Helps you detect new or unknown viruses. Checks
          validation data stored by
          
          the /AF option in filename. If a file or system
          area has changed, Scan reports that a viral
          infection may have occurred. The /CF option adds
          about 250% more time to scanning. You can use /CF
          and /CLEAN in the same command line to check
          validation/recovery codes and remove any viruses
          found. Using any of the /AF, /CF, or /RF options
          together in the same command line returns an
          error.
          
          Some older Hewlett-Packard and Zenith PCs modify
          the boot sector each time the system is booted. If
          you use /CF or /CV, Scan will continuously report
          that the boot sector has been modified even though
          no virus may be present. Check your system's
          technical reference manual to determine whether
          your PC has self-modifying boot code, or contact
          McAfee for help.
          
          OS/2 dual boot systems change the boot sector
          between DOS and OS/2 depending on which operating
          system is active. This causes Scan to report that
          the boot sector has been modified.
          
          /CLEAN
          
          Remove viruses from boot sector, master boot
          record, and infected files
          
          Attempts to restore the boot sector, if infected,
          and any infected files. Usually, between 10% and
          20% of all viruses are not removable; they damage
          the file they infect beyond repair. If the
          infected file resides on a network drive, you must
          be able to modify files on that drive to clean it.
          If it cannot restore a file, you'll see a message
          that identifies the name of the unrecoverable
          file. To use /CLEAN, the CLEAN.DAT file must
          reside in the Scan directory.
          
          Use /CLEAN instead of /DEL when you want to
          restore infected files, not just delete or
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 10

          overwrite them. The /CLEAN option can remove
          master boot record (MBR) and boot sector viruses,
          but the /DEL option cannot. If you use /CLEAN and
          /DEL in the same command line, Scan first attempts
          to disinfect an infected file, then deletes it
          only if it cannot be repaired. Similarly, if you
          use /CLEAN and /MOVE in the same command line,
          Scan attempts first to clean an infected file,
          then moves it automatically if the file is
          unrecoverable.
          
          You can use /CLEAN and /CF or /CV in the same
          command line to check validation/recovery codes
          and remove any viruses found. We strongly
          recommend that you get experienced help in dealing
          with viruses if you are unfamiliar with anti-virus
          software and methods. This is especially true for
          "critical" viruses and master boot record
          (MBR)/boot sector infections, because improper
          removal of these viruses can result in the loss of
          all data on the infected disks.
          
          When scanning a network drive using /CLEAN, you
          must have sufficient rights to update files on
          that drive.
          
          /CV
          
          Check validation/recovery data in files
          
          Helps you detect new or unknown viruses. Checks
          validation data added by the /AV option. If a file
          is modified, Scan reports that a viral infection
          may have occurred. The /CV option adds about 50%
          more time to scanning. You can use /CLEAN and /CV
          or /CF in the same command line to check
          validation/recovery codes and restore infected
          files. Using any of the /AV, /CV, or /RV options
          together in the same command line returns an
          error.
          
          /DEL
          
          Overwrite and delete infected files
          
          Deletes and overwrites each infected file. Files
          erased by the /DEL option cannot be recovered
          (generate a report so that you can restore them
          from backups). Instead of /DEL alone, we recommend
          using it in combination with the /CLEAN option to
          attempt to disinfect an infected file first, then
          delete it only if the file is unrecoverable. The
          /CLEAN option can remove master boot record and
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 11

          boot sector viruses, but the /DEL option cannot.
          
          When scanning a network drive using /DEL, you must
          have sufficient access rights to delete files on
          that drive.
          
          /EXCLUDE filename
          
          Scan using exception list file
          
          Allows you to exclude files from /AF or /AV
          validation. Self-modifying or self-checking files
          can cause a false alarm during a scan. To create
          filename, see "Creating an exception list"
          
          /FAST
          
          Speed up VirusScan's scanning
          
          Reduces Scan time by about 15%. Using the /FAST
          option, Scan examines a smaller portion of each
          file for viruses, although it examines more files
          overall. Using /FAST might miss some infections
          found in a more comprehensive (but slower) scan.
          Do not use this option if you have found a virus
          or suspect one.
          
          /HISTORY
          
          Append to the report file.
          
          Used in conjunction with /REPORT, appends the
          report message text to the specified report file,
          if it exists. Otherwise, the /REPORT option
          overwrites the specified report file, if it
          exists.
          
          /LOAD {filename}
          
          Use Scan settings stored in filename.
          
          By default, Scan loads its internal default
          settings plus any options specified on the command
          line. You can store all custom settings in a
          separate ASCII text file, then use /LOAD to load
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 12

          those settings from that file.
          
          /LOG
          
          Save date and time of last scan
          
          Stores the time and date Scan is being run by
          updating or creating a file called SCAN.LOG in the
          current directory.
          
          /MOVE {directory}
          
          Move infected files to directory
          
          Moves all infected files found during a scan to
          the specified directory. If you use /MOVE in
          conjunction with /CLEAN, Scan attempts to restore
          an infected file first, then moves it to the
          specified directory only if the file cannot be
          restored. Using /MOVE and /DEL in the same
          command line returns an error message.
          
          /NOMEM
          
          Skip memory checking
          
          Reduces scan time by omitting all memory checks
          for viruses. Use /NOMEM only when you are
          absolutely certain that your system is virus-free.
          
          By default, Scan checks system memory for critical
          known computer viruses that can inhabit memory. In
          addition to main memory from 0Kb to 640Kb, Scan
          checks system memory from 640Kb to 1088Kb that can
          be used by computer viruses on 286 and later
          systems. Memory above 1088Kb is not addressed
          directly by the processor and is not presently
          susceptible to viruses.
          
          /NOMEM is not applicable to OS/2.
          
          /PAUSE
          
          Enable screen pause
          
          If you specify /PAUSE, the More? (H = Help) prompt
          appears when Scan fills up a screen with messages.
          Otherwise, by default, Scan fills and scrolls a
          screen continuously without stopping, which allows
          Scan to run on PCs with severe infections without
          requiring you to attend. We recommend that you
          omit /PAUSE when keeping a record of Scan's
          messages using the report options (/REPORT,
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 13

          /RPTCOR, /RPTMOD, and /RPTERR), or when using the
          /SHOWLOG or /VIRLIST options.
          
          /PLAD
          
          Preserve last access dates (on NetWare drives only).
          
          Prevents changing the last access date attribute
          for files stored on a network drive in a Novell
          network. Normally, NetWare updates the last access
          date when Scan opens and examines a file. However,
          some tape backup systems use this last access date
          to decide whether to back up the file. Use /PLAD
          to ensure that the last access date does not
          change as the result of scanning.
          
          /REPORT {filename}
          
          Create report of infected files and system errors
          
          Saves the output of Scan to filename in ASCII text
          file format. If filename exists, /REPORT erases
          and replaces it. You can include the destination
          drive and directory (such as D:\VSREPRT\ALL.TXT),
          but if the destination is a network drive, you
          must be able to create and delete files on that
          drive. You can also use /RPTCOR, /RPTMOD, and
          /RPTERR to add corrupted files, modified files,
          and system errors to the report.
          
          /RF filename
          
          Remove validation/recovery codes in file
          
          Removes recovery and validation data from filename
          created by the /AF option. If filename resides on
          a shared network drive, you must be able to delete
          files on that drive. Using any of the /AF, /CF, or
          /RF options together in the same command line
          returns an error.
          
          /RPTCOR
          
          Add corrupted files to Scan report
          
          Used in conjunction with /REPORT, adds the names
          of corrupted files to the report file. A corrupted
          file is a file that a virus has damaged beyond
          repair, which typically occurs in 10% to 20% of
          all viral infections. You can use /RPTCOR with
          /RPTMOD and /RPTERR on the same command line.
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 14
          
          /RPTERR

          Add errors to Scan report
          
          Used in conjunction with /REPORT, adds system
          errors to the report file. System errors include
          problems reading or writing to a diskette or hard
          disk, file system or network problems, problems
          creating reports, and other system-related
          problems. You can use /RPTERR with /RPTCOR and
          /RPTMOD on the same command line.
          
          /RPTMOD
          
          Add modified files to the Scan report
          
          Used in conjunction with /REPORT, adds the names
          of modified files to the report file. Scan
          identifies modified files when the
          validation/recovery codes do not match (using the
          /CF or /CV options). You can use /RPTMOD with
          /RPTCOR and /RPTERR on the same command line.
          
          /RV
          
          Remove validation/recovery from files
          
          Removes validation and recovery data from files
          validated with the /AV option, along with the
          SCAN.LOG file on the specified drive. To update
          files on a shared network drive, you must have
          access rights to update them. Using any of the
          /AV, /CV, or /RV options together in the same
          command line returns an error.
          
          /SHOWLOG
          
          Display the contents of SCAN.LOG
          
          Shows you the date and time of previous scans that
          have been recorded in the SCAN.LOG file using the
          /LOG switch. The SCAN.LOG file contains text and
          some special formatting.
          
          /STD
          
          Scan executable files only (COM, EXE, SYS, BIN,
          OVL, and DLL)
          
          Reduces scan time when a full scan is not needed.
          Otherwise, Scan checks all files on the drive
          scanned and examines files in greater detail,
          which increases Scan's ability to detect viruses
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 15

          in overlay files but substantially increases the
          scanning time required. Do not use this option if
          you have found a virus or suspect one. (The list
          of extensions for standard executables has changed
          from previous releases of VirusScan.)
          
          /SUB
          
          Scan subdirectories
          
          By default, when you specify a directory to scan
          rather than a drive, Scan will examine only the
          files it contains, not its subdirectories. Use
          /SUB to scan all subdirectories inside any
          directories you've specified. Do not use /SUB if
          you are scanning an entire drive.
          
          /VIRLIST
          
          Display the contents of SCAN.DAT
          
          Shows you the name and a brief description of the
          viruses that VirusScan detects.
          
          EXAMPLES
          
          These examples show different option settings. In
          OS/2, remember to use OS2SCAN instead of SCAN.
          
          scan c:
          
             Scan all executable files on drive C.
          
          scan f:
          
             Scan drive F, a network drive.
          
          scan c: /adl /adn
          
             Scan all local and network drives.
          
          scan f: g: h: /del
          
             Scan all files on drives F, G, and H, and delete
             any infected files found.
          
          scan c: d: e: /av
          
             Scan for viruses in all files and add
             validation codes to executable files on drives C,
             D, and E.
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 16
          
          scan m: /report a:infectn.rpt /rptcor /rpterr

             Scan for viruses on network drive M: and
             create a log file of infections, corruptions, and
             errors in the file INFECTN.RPT on drive A.
          
          scan e:\user\jake e:\user\daisy e:\user\nick /sub
          
             Scan all subdirectories inside the directories
             USER\JAKE, USER\DAISY, and USER\NICK on drive E.
          
          scan c: d: e: /fast /cv
          
             Quickly scan drives C, D, and E, and report any
             executable files that do not have validation
             codes.
          
          scan c:\command.com
          
             Scan a single file.
          
          
          ERRORLEVELS
          
          This section is primarily for network
          administrators and information systems staff.
          
          After Scan has finished running, it sets the DOS
          ERRORLEVEL. You can use the ERRORLEVEL in
          AUTOEXEC.BAT to take different actions based on
          the results of the scan. See your DOS
          documentation for more information.
          
          Scan returns the following DOS ERRORLEVELs:
          
          <<Error levels to come>>
          
          APPLICATION NOTE 1
          
          UPDATING VALIDATION CODES
          
          If you install any new software or programs on
          your system, including a new version of DOS, and
          are running Scan or VShield with the /CF
          (preferred) or /CV -validation options, you need
          to install validation codes for the new files with
          Scan's /AF (preferred) or /AV options.
          
          The quickest way to update the validation codes is
          to remove all validation codes from the hard disk
          and then add them back. In other words, first run
          Scan with the /RF or /RV option, then run it again
          with the /AF or /AV option.
          
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 17

          APPLICATION NOTE 2
          
          REFORMATTING INFECTED DISKETTES WITH DOS 5.0 AND
          LATER
          
          When reformatting infected diskettes using DOS 5.0
          and later versions, be sure to add the /U switch
          to the FORMAT command. This tells DOS to do an
          unconditional format of the diskette, without
          saving the original infected boot sector. This is
          necessary to erase certain infections, and will
          prevent reinfection by unformatting the diskette.
          
          TECHNICAL NOTE 1
          
          CREATING AN EXCEPTION LIST FILE FOR THE /EXCLUDE
          OPTION
          
          If you set up validation codes using Scan's /AF or
          /AV options, subsequent scans using the /CF or /CV
          options will detect changes in executable files.
          This can generate false alarms if the executable
          files are self-modifying or self-checking (most
          programs that do this will tell you to turn off
          your anti-virus software before running them; some
          of these files are listed below). Therefore, use
          the /EXCLUDE option in conjunction with /AF or /AV
          to identify such files and exclude them from the
          validation.
          
          The exception list is an ASCII or DOS text file.
          If you use a word processor to create it, be sure
          to save the file as ASCII or DOS Text. Each
          uncommented line in the file contains the path and
          file name of one file that should not be
          validated. Here is an example:
          
          C:\CLIPPER\BIN\CLIPPER.EXE
          
          C:\123\123.COM
          
          C:\FOX\FOXPROLX.EXE
          
          C:\DOS\SETVER.EXE
          
          C:\PKWARE\PKLITE.EXE
          
          C:\PKWARE\PKZIP.EXE
          
          C:\PKWARE\PKUNZIP.EXE
          
          C:\SEMWARE\Q.EXE
          
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 18
          
          C:\SWAPVOL.COM
          
          C:\WORDSTAR\WS.EXE
          
          CLEANING VIRUSES
          
          Although /CLEAN removes many viruses and restores
          normal operation, viruses can be harmful and
          insidious, and no anti-virus program can undo all
          their damage. Usually, between 10% and 20% of all
          viruses corrupt the files they infect, making them
          unrecoverable. If the file is infected with an
          uncommon virus that /CLEAN can't remove, Scan
          notifies you and identifies the filename. Write
          down this filename so that you can restore it from
          a backup diskette or tape. If you use both the
          /CLEAN and the /DEL options, Scan will first
          attempt to repair an infected file and, if the
          file is damaged beyond repair, Scan will delete
          it. Deleted files are not recoverable except from
          backups.
          
          Some viruses damage or overwrite program (.EXE)
          files or overlay files. Removing the virus can
          truncate the file or otherwise render it
          inoperable. Others, like the common virus Stoned,
          infect the master boot record (MBR). On systems
          partitioned with programs other than DOS (such as
          Disk Manager and SpeedStor), removing the virus
          can cause loss of the master boot record (MBR) and
          all data on the disk if done improperly.
          
          BASIC PRINCIPLES TO MINIMIZE DAMAGE
          
          These considerations lead to the three important
          principles:
          
          1 Before running Scan with the /CLEAN option, back
          up all of your programs and data.
          
          Of course, this works best if you back up
          regularly, so that you can restore from a backup
          made before your system was infected. But even a
          backup from an infected system can be useful for
          restoring data, because most viruses do not
          corrupt data. If a program no longer runs after
          being cleaned, replace it from the original disk
          or from a virus-free backup.
          
          When disinfecting an infected system, it is
          important to start from a "sterile field."
          
          2 Before running Scan with the /CLEAN option for
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 19

          DOS, restart your computer from a clean, write-
          protected diskette.
          
          Before running Scan with the /CLEAN option for
          OS/2, close all DOS and Win-OS/2 sessions.
          
          Preferably, use a clean anti-virus start-up
          diskette. And, because running any program can
          spread the infection:
          
          3 Do not run any programs, including Windows,
          before running Scan /CLEAN.
          
          Run Scan /CLEAN from DOS instead of Windows. Exit
          completely from DOS. Do not run Scan /CLEAN from
          within a DOS window.
          
          Important: If you are at all unsure about how to
          proceed once you've found a virus, contact McAfee
          technical support, or your local authorized agent,
          for assistance.
          
          We strongly recommend that you get experienced
          help in dealing with viruses if you are unfamiliar
          with anti-virus software and methods. This is
          especially true for "critical" viruses and master
          boot record (MBR)/boot sector infections, because
          improper removal of these viruses can result in
          the loss of all data and use of the infected
          disks.
          
          RUNNING SCAN TO CLEAN UP INFECTIONS
          
          PREPARATION
          
          Before running Scan to clean up infections:
          
          1 Clear the virus from system memory and prevent
          reinfection:
          
          * With DOS, turn off your PC, then restart from a
          clean start-up diskette, preferably the anti-virus
          diskette you prepared during installation.
          
          * With OS/2, close all DOS and Win-OS/2 sessions.
          
          * With an OS/2 dual-boot system infected by a boot
          sector virus (like Form, or others identified by
          Scan), boot (start up) OS/2 first, delete the
          BOOT.DOS file from the \OS2 directory, and then
          boot DOS to create a new, virus-free DOS boot
          sector file.
          
          SCAN Reference      Copyright 1994 McAfee Inc.          Page 20

          2 Run the Scan program to locate and identify the
          infections.
          
          3 Back up the files on the infected disks (be sure
          not to overwrite any previous backups).
          
          4 Repeat Step 1.
          
          5 Don't run any programs, including Windows,
          before running Scan /CLEAN. If you have Windows,
          run Scan /CLEAN from DOS.
          
          6 When disinfecting a hard disk, always run Scan
          /CLEAN from a write-protected diskette to prevent
          infection of the Scan program. When disinfecting
          diskettes, make sure there is no active virus in
          memory before running Scan from your hard disk.
          
          SUCCESSFUL AND UNSUCCESSFUL RESULTS
          
          Scan /CLEAN reports the results of its attempt to
          remove the virus from each infected file. If a
          file has several infections, it will report on
          each.
          
          If viruses were not removed, contact technical
          support
          
          If Scan can't remove a virus, you'll see a message
          like:
          
          Virus cannot be safely removed from this file.
          
          Make sure to take note of the file name, because
          you will need to restore it from backups. If you
          have any questions about how to proceed, contact
          McAfee technical support or your local authorized
          agent.
          
          If viruses were safely removed, rescan and check
          diskettes
          
          If Scan /CLEAN has successfully removed all the
          viruses, turn your computer off again and restart
          from the system disk. Scan your hard disks again
          to make sure they are virus-free. If you suspect
          that your system was infected from a diskette, run
          Scan from your hard disk to examine and disinfect
          the diskettes you use.
          
          CREATING A CUSTOM SETTINGS FILE
          
          When you run the Scan program, Scan uses its own
          internal default settings plus any options listed
          in the command line. You can create an ASCII text
          file to contain the settings you want to run with
          Scan, then load the settings using the /LOAD
          option.
          
          Your VirusScan package includes sample settings
          files that you can copy and change, using a DOS
          text editor, to suit your needs. The <<filename>>
          file contains the following text: <<sample to come>>
          
          <<end of text file>>
          






