







                           VirusScan Version 2.0.2
                       Copyright 1994 by McAfee, Inc.
                            All Rights Reserved.







                             Brought to you by:

                      Igor Grebert    Project Leader
                    Jivko Koltchev    Lead Programmer
                         David Mai    TSR Programmer
                      Vadim Ivanov    Algorithms/Emulation Programmer
                 Tatyana Shishkina    Virus Librarian, Programmer
                    Bruce de Graaf    GUI Programmer
                      Dmitri Orlov    DOS UI Programmer
                 Geoff Brandenburg    GUI Artist
                     Spencer Clark    SQA Manager
                      David Pierce    Lead SQA Engineer
                        Sean Birch    SQA Engineer
                      John Zussman    Documentation Project Leader
                        Eric Ivory    Technical Writer
                    Aryeh Goretsky    Manager Technical Support

      With special thanks to Bob Chappelear, Rudite Emir, and Bill Larson










            McAfee, Inc.                 (408) 988-3832 office
            2710 Walsh Avenue            (408) 970-9727 fax
            Santa Clara, CA  95051-0963  (408) 988-4004 BBS (25 lines)
            U.S.A.                       USR HST/v.32/v.42bis/MNP1-5
                                         CompuServe        GO MCAFEE
                                         InterNet support@mcafee.COM
                                         America Online       MCAFEE

           Using VirusScan (Version 2.0)                            1

            CHAPTER 1: WELCOME TO VIRUSSCAN

            Thank you for evaluating McAfee, Inc.'s VirusScan(TM)
            software Version 2.0, a powerful and advanced system
            designed to detect, eradicate, and prevent computer viruses.
            VirusScan will help you protect one of your most important
            assets--the information on your computer or local area network.

            VirusScan includes two main programs:

            o    The Scan program detects known viruses in your
                 computer's memory or on disks. See the README.1ST file
                 for the number of viruses that Scan detects. It can
                 also detect new and unknown viruses. Once viruses are
                 detected, it can remove them and restore your system to
                 normal operation.

            o    The VShield(TM) program continuously monitors and
                 protects your system from viruses that might be
                 introduced.

            The VirusScan programs run on IBM-PC or 100% compatible
            personal computers (PCs) that use DOS 3.0 and above, Windows
            3.1, or OS/2 2.0 and above.

            VirusScan is an important element of a comprehensive
            security program that includes a variety of safety measures,
            such as regular backups, meaningful password protection,
            training, and awareness. We urge you to set up and comply
            with such a security program in your organization. For tips
            on how to do this, see "Other Sources of Information" in
            this chapter.


            HOW TO USE THIS MANUAL

            This manual will help you get VirusScan running quickly and
            properly on DOS, Windows, and OS/2 systems.

            o    All the key information is in Chapter 2, "Don't Skip
                 this Chapter." Please don't install VirusScan before
                 reading it, even if you are already familiar with
                 Scan. Installing and using VirusScan is not like using
                 other software.

            The rest of Chapter 1, "Welcome to VirusScan," describes the
            programs and files on your VirusScan disk, system
            requirements, how to register, and how to get help.

            Chapter 3, "Scan Reference," in this document and Chapter 3, 
            "VShield Reference," in the VShield documentation contain 
            reference information for Scan and VShield, respectively.

            Many users will not need to read these chapters, because basic 
            operation of VirusScan, as described in Chapter 2, will detect 
            and remove most viruses from your system. The options described 
            in Chapter 3 in this document and Chapter 3 in the VShield 
            documentation offer additional power and control, and are most 
            useful in vulnerable environments and to network administrators 
            and information services staff.

            Chapter 4, "Tips & Troubleshooting," explains how to get the
            most out of VirusScan, and how to cope with some common
            problems.

            Appendix A, "Retrieving VirusScan Updates via the McAfee BBS,"
            provides instructions for using the McAfee Bulletin Board (BBS).

            Appendix B, "Options Comparison Between VirusScan Versions
            1.5 and 2.0," shows the differences between command line options
            in Scan 1.5 and 2.0.


            NOTATION

            In this manual, we use several conventions to distinguish
            particular kinds of text.

            CONVENTION       EXAMPLE       REPRESENTS
            
            Upper-case       C:\>          What your
                                           computer displays
                                           on your screen.
            
            Lower-case       scan c:       What you
                                           type, verbatim.
            
            Curly braces     {filename}    Required
                                           element; do not
                                           type braces { }.
            
            Square braces    [filename]    Optional
                                           element; do not
                                           type braces [ ].
            
            Upper-case in    <ENTER>       Key to press
            brackets                       on the
                                           keyboard.


            WHAT VIRUSSCAN INCLUDES

            In addition to Scan or VShield, VirusScan includes the
            Validate program, which ensures that new versions of
            VirusScan software you've obtained are authentic.

            Finally, the VirusScan archive contains several useful text
            files, which you can view and print with a text editor, word
            processor, or DOS PRINT command. You'll find version-
            specific information in the README.1ST text file.

            VIRUSSCAN FILES AFTER UNPACKING

            After unpacking VirusScan you should have appropriate
            program files on your system for the version you have
            obtained (DOS, Windows, or OS/2). Several useful text
            files are also included.

            VirusScan for DOS.
            AGENTS.TXT   - list of McAfee authorized agents.
            CLEAN.DAT    - virus removal data file required by SCAN.EXE
            COMPUSER.NOT - explains how to obtain CompuServe membership
            FILE_ID.DIZ  - description of VirusScan used by some BBS
                           software
            FILENAME.TXT - explains new McAfee BBS file name conventions
            LICENSE.TXT  - explains how to license VirusScan
            NAMES.DAT    - virus name data file required by SCAN.EXE
            PACKING.LST  - contains a list of all files, including
                           validation information
            README.1ST   - late-breaking information and new
                           instructions not contained in this manual
            REGISTER.TXT - explains how to register VirusScan for
                           your use
            SCAN.DAT     - virus string data file required by SCAN.EXE
            SCAN.EXE     - the VirusScan program
            SCAN.TXT     - on-line manual for Scan
            VALIDATE.EXE - used to check VirusScan programs for
                           authenticity
            VALIDATE.TXT - explains how to run VALIDATE.EXE

            VShield
            AGENTS.TXT   - list of McAfee authorized agents.
            CHKVSHLD.EXE - checks for presence of VShield and VShieldCRC
                           in memory
            COMPUSER.NOT - explains how to obtain CompuServe membership
            FILE_ID.DIZ  - description of VShield used by some BBS
                           software
            FILENAME.TXT - explains new McAfee BBS file name conventions
            LICENSE.TXT  - explains how to license VShield
            PACKING.LST  - contains a list of all files, including
                           validation information
            REGISTER.TXT - explains how to register VirusScan for 
                           your use
            VALIDATE.EXE - used to check VirusScan programs for
                           authenticity
            VALIDATE.TXT - explains how to run VALIDATE.EXE
            VSHIELD.DAT  - virus string data file required by
                           VSHIELD.EXE
            VSHIELD.EXE  - the VShield program
            VSHIELD.TXT  - on-line manual for VShield
            VSHLDCRC.EXE - the VShieldCRC program
            VSHLDWIN.EXE - used by VShield and VShieldCRC to display
                           messages within Windows

            VirusScan for OS/2
            AGENTS.TXT   - list of McAfee authorized agents.
            CLEAN.DAT    - virus removal data file required by
                           OS2SCAN.EXE
            COMPUSER.NOT - explains how to obtain CompuServe membership
            FILE_ID.ZIP  - description of VirusScan used by some BBS
                           software
            FILENAME.TXT - explains new McAfee BBS file name conventions
            LICENSE.TXT  - explains how to license VirusScan
            NAMES.DAT    - virus name data file required by OS2SCAN.EXE
            PACKING.LST  - contains a list of all files, including
                           validation information
            README.1ST   - late-breaking information and new
                           instructions not contained in this manual
            REGISTER.DOC - explains how to register VirusScan for your
                           use
            OS2SCAN.EXE  - the VirusScan program
            SCAN.DAT     - virus string data file required by
                           OS2SCAN.EXE
            SCAN.TXT     - on-line manual for Scan
            VALIDATE.EXE - used to check VirusScan programs for
                           authenticity
            VALIDATE.TXT - explains how to run VALIDATE.EXE


            SYSTEM AND MEMORY REQUIREMENTS

            The VirusScan programs require an IBM-compatible personal
            computer and any of the following operating systems:

            o    DOS 3.0 or later and at least 340Kb of free RAM for the
                 command line programs.

            o    Windows 3.1 or later and at least 4Mb of RAM.

            o    IBM OS/2 2.00(GA) or later and at least 8Mb of RAM.

            VirusScan for DOS requires 340Kb of available free memory in
            order to scan a system for viruses.

            VShield is a terminate-and-stay-resident (TSR) program that
            requires 67Kb of free memory. VShield will minimize the use
            of conventional memory by loading into expanded, extended,
            or upper memory, when available. For more information, see
            "System Requirements and Performance" in Chapter 3.


            LICENSING VIRUSSCAN

            The VirusScan software is provided under license from
            McAfee, Inc., a copy of which is included in the file
            LICENSE.TXT. Please read it and comply with it.

            If you want to use VirusScan after the evaluation period,
            please register your copy of the software by filling out and
            returning the enclosed registration form, REGISTER.TXT.
            Registration entitles you to upgrades at no charge from
            McAfee's bulletin board system and other sources, as well as
            technical support, for one year from your date of purchase.


            TECHNICAL SUPPORT

            For help in using this product, we invite you to contact
            McAfee technical support. You can contact us:

            o    On-line 24 hours a day, through our bulletin board
                 system, CompuServe, fax, or Internet (see "Online
                 Access to Updates and Technical Support" below); or

            o    By telephone at (408) 988-3832, Monday through Friday,
                 7:00 am to 5:30 pm Pacific Time.

            For fast and accurate help, please have the following
            information ready when you contact McAfee:

            o    Program name and version number.

            o    Type and brand of computer, hard disk, and any
                 peripherals.

            o    Version of DOS, along with any TSRs or device drivers
                 in use.

            o    Printouts of your AUTOEXEC.BAT and CONFIG.SYS files.

            o    A printout of the contents of memory, from the MEM
                 command (provided in DOS 4.0 and later) or a similar
                 utility.

            o    A description of the exact problem you are having.
                 Please be as specific as possible. If you can't be at
                 your computer when you call, a printout of the screen
                 will be helpful.

            If you are overseas, you can contact a McAfee authorized
            agent for support. Agents are located in more than 50
            countries around the world and provide local sales and
            support for our software. Please refer to the AGENTS.TXT
            file for a complete list of McAfee agents.


            ONLINE ACCESS TO UPDATES AND TECHNICAL SUPPORT

            McAfee updates VirusScan monthly to add new virus detectors
            and new options and to fix reported bugs. To distribute these new
            versions, we run a multi-line bulletin board system, a forum
            on CompuServe, and an Internet node.

            
            Bulletin board system (BBS) access
            Our multiline BBS is accessible 24 hours a day, 365 days a
            year, except for scheduled downtime and maintenance. All
            lines run high-performance modems operating from 1,200 bps
            to 14,400 bps with line settings of 8 data bits, no parity,
            and 1 stop bit. The McAfee BBS phone number is (408) 988-4004.

            CompuServe Access
            We sponsor the McAfee Virus Help Forum on CompuServe. To
            reach it, type GO MCAFEE at any CompuServe prompt. A free
            introductory membership is available. For more information,
            please read the enclosed COMPUSER.TXT file.

            Internet Access
            The latest versions of McAfee's anti-virus software are
            available by anonymous ftp (file transfer protocol) over the
            Internet from the site mcafee.com. If your domain resolver
            does not support names, use the IP# 192.187.128.1. Enter
            "anonymous" or "ftp" as your user ID (do not type the
            quotation marks) and your own e-mail address as the
            password. Programs are located in the pub/antivirus
            directory. If you have questions, please send e-mail to
            support@mcafee.com.

            You can also find McAfee's anti-virus software at the SimTel
            Software Repository at Oak.Oakland.EDU in the
            pub/msdos/virus directory and its associated mirror sites:

            o    WUARCHIVE.WUSTL.EDU (US).
            o    FTP.SWITCH.CH (Switzerland).
            o    FTP.FUNET.FI (Finland).
            o    SRC.DOC.IC.AC (UK).
            o    ARCHIE.AU (Australia).

            
            OTHER SOURCES OF INFORMATION

            The McAfee BBS and CompuServe Virus Help Forum are excellent
            sources of information on virus protection. Batch files and
            utilities to help you use VirusScan software are often
            available, along with helpful advice.

            Independent publishers, colleges, training centers, and
            vendors also offer information and training about virus
            protection and computer security.

            We especially recommend the following books:

            o    Ferbrache, David. A Pathology of Computer Viruses.
                 London: Springer-Verlag, 1992. (ISBN 0-387-19610-2)

            o    Hoffman, Lance J. Rogue Programs: Viruses, Worms, and
                 Trojan Horses. Van Nostrand Reinhold, 1990. 
                 (ISBN 0-442-00454-0)

            o    Jacobson, Robert V. The PC Virus Control Handbook,
                 2nd Ed. San Francisco: Miller Freeman Publications, 1990.
                 (ISBN 0-87930-194-0)
            
            o    Jacobson, Robert V. Using McAfee, Inc. Software
                 for Safe Computing. New York: International Security
                 Technology, 1992. (ISBN 0-9627374-1-0)

            In addition, the following sources can provide useful
            information about viruses:

            o    National Computer Security Association (NCSA)
                 10 South Courthouse Avenue
                 Carlisle, PA 17013

            o    CompuServe McAfee Computer Virus Help Forum (GO
                 VIRUSFORUM)

            o    Internet comp.virus newsgroup


            CHAPTER 2: DON'T SKIP THIS CHAPTER
            (or, What you really need to know about VirusScan)

            We're serious about this. Installing and running the
            VirusScan(TM) programs is not like using other software.
            Even if you are a long-time user of McAfee's software,
            please take the time to read through and follow the tasks in
            this chapter.

            The reason is to avoid spreading a computer virus infection.
            Viruses spread when you start your computer (sometimes
            called booting) from an infected disk, or when you run an
            infected program. If your computer is infected, installing
            and running VirusScan on your hard disk may spread the
            infection, even to the VirusScan programs themselves. The
            tasks in this chapter will ensure that you have a clean
            environment to detect, eradicate, and prevent viruses.

            This is like a surgical team establishing a "sterile field"
            before performing surgery. Once it is established, they make
            sure that everything brought into the field has already been
            sterilized. In this procedure, you will create a clean anti-
            viral start-up diskette with which you can always re-
            establish the sterile field.

            Your VirusScan archive (.ZIP) file is created with
            authenticity checks and a serial number embedded in it to
            ensure that it has not been tampered with or modified.
            Additionally, VirusScan comes with Validate, a Cyclic
            Redundancy Check (CRC) program that computes a check-sum for
            VirusScan's files.  Once you have unpacked the VirusScan
            archive, you should copy all the files to a diskette in
            drive A: and write-protect it to ensure that no virus can
            alter the programs and information stored there. Under no
            circumstances should you remove the write protection.  Label
            this diskette as your 'VirusScan Program Diskette.'
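
            The kind of check a checksum program such as Validate
            performs, as an added example (not McAfee's code): each
            unpacked file is checksummed and compared with a reference
            list obtained from a trusted source. CRC-32 from Python's
            zlib stands in for Validate's own algorithm, and the
            manifest layout and file contents are constructed, since
            this manual describes neither.

```python
import os
import tempfile
import zlib


def crc32_of(path, chunk_size=65536):
    """CRC-32 of a file, read in chunks so large files are not loaded whole."""
    crc = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def parse_manifest(text):
    """Constructed format: 'NAME SIZE CRC32HEX' per line, ';' starts a comment."""
    entries = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, size, crc = line.split()
        entries[name.upper()] = (int(size), int(crc, 16))
    return entries


def verify(directory, manifest):
    """Return {file name: status} for every manifest entry and every stray file."""
    results = {}
    on_disk = {name.upper(): name for name in os.listdir(directory)}
    for name, (size, crc) in manifest.items():
        actual = on_disk.get(name)
        if actual is None:
            results[name] = "MISSING"
            continue
        path = os.path.join(directory, actual)
        if os.path.getsize(path) != size:
            results[name] = "SIZE MISMATCH"
        elif crc32_of(path) != crc:
            results[name] = "CRC MISMATCH"
        else:
            results[name] = "OK"
    # Files the reference list does not know about deserve a look as well.
    for name in on_disk.keys() - manifest.keys():
        results[name] = "NOT IN MANIFEST"
    return results


def demo():
    """Build a constructed file set, verify it, change it, verify again."""
    files = {
        "SCAN.EXE": b"constructed program bytes",
        "SCAN.DAT": b"constructed data bytes",
        "CLEAN.DAT": b"constructed removal data",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        # The reference list is built while the files are known to be good.
        manifest_text = "; name size crc32\n" + "".join(
            f"{name} {len(data)} {zlib.crc32(data):08X}\n"
            for name, data in files.items()
        )
        manifest = parse_manifest(manifest_text)
        before = verify(d, manifest)

        # Changes a later check should report:
        with open(os.path.join(d, "SCAN.EXE"), "r+b") as fh:
            fh.write(b"X")                      # one byte altered, same length
        os.remove(os.path.join(d, "CLEAN.DAT"))  # file removed
        with open(os.path.join(d, "EXTRA.COM"), "wb") as fh:
            fh.write(b"?")                      # file not on the list
        after = verify(d, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for label, results in (("before", before), ("after", after)):
        for name in sorted(results):
            print(f"{label:6} {name:12} {results[name]}")
```

            The same comparison works unchanged with hashlib.sha256 in
            place of zlib.crc32, which is the better choice where
            deliberate modification rather than accidental damage is
            the concern.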

            Here's a summary of the tasks you'll follow in this chapter:

            o    Installing VirusScan.
            o    Scanning your system.
            o    If you detect a virus.
            o    Activating VShield(TM).
            o    Making a clean start-up (boot) diskette.
            o    Running the VirusScan programs.
            o    When to scan for viruses.
            o    Updating VirusScan regularly.


            NOTE: Because OS/2 programs run in a protected mode, OS/2
            systems are not vulnerable to viruses as DOS and Windows
            systems are. Many OS/2 users run DOS and Win-OS/2 sessions,
            however, and they are still vulnerable. By using the
            VirusScan programs as described in this manual, you can
            protect the DOS and Win-OS/2 portions of your OS/2 system
            from infection.


            INSTALLING VIRUSSCAN

            This task explains how to check your system and install the
            VirusScan software under DOS, Windows, or OS/2. Don't use
            any other method to install VirusScan, or you risk spreading
            a virus.


            INSTALLATION STEPS

            Start from the system prompt (C:\> or [C:\]). If you are
            running Windows or an application program, exit from it to
            display the prompt. If you are running OS/2, close all DOS
            and Win-OS/2 sessions, open the Command Prompts folder in the
            OS/2 System folder, and click on either the OS/2 Full Screen
            or OS/2 Window icon.

            After typing each entry on the command line, press <ENTER>.

            1.   Create a directory to contain the VirusScan files, as
                 in the following example:

                        C:\> mkdir c:\mcafee

                 and press <ENTER>. 

                 If you have an earlier version of VirusScan already
                 installed, create a separate directory (such as 
                 c:\newvscan) for the new version. (You should test 
                 the new version before removing the earlier version.)

            2.   Copy the VirusScan archived (.ZIP) file to this 
                 directory, as in the following example:

                        C:\> copy c:\download\*.zip c:\mcafee

                 and press <ENTER>.

            3.   Change to the VirusScan directory you just created,
                 as in the following example:

                        C:\> cd c:\mcafee

                 and press <ENTER>.
            
            4.   Unzip the file using PKUNZIP.EXE, as in the following
                 example:

                        C:\mcafee> PKUNZIP *.ZIP

                 and press <ENTER>.
            
            5.   Run VirusScan to check your local hard disk(s) by
                 typing:

                      c:\mcafee> scan /adl

                 and pressing <ENTER>. It may take several minutes
                 for the Scan program to check for viruses in memory,
                 then on the system and user portions of your drives.
                 Scan keeps you informed of its progress. Read the
                 information carefully, and write down the name of any
                 viruses Scan reports.

            6.   If Scan does not report any viruses, congratulations
                 --most likely your system is currently virus-free.
                 Continue with "Making a Clean Start-Up Diskette" in
                 this chapter.

                 If Scan finds one or more viruses, you'll see a
                 message like:

                           Found the Jerusalem Virus

                 Stop the installation. Don't panic, even if the virus
                 has infected many files. At the same time, don't run
                 any other programs, especially if the virus is found
                 in memory. Go directly to "If You Detect a Virus"
                 later in this chapter for further instructions.

            7.   Create a directory on your hard disk to store the
                 VirusScan files in by typing:

                      C:\> mkdir mcafee

                 and pressing <ENTER>.

            8.   Copy the VirusScan files from the 'VirusScan Program
                 Diskette' in drive A: to your hard disk by typing:

                      C:\> copy a:\*.* c:\mcafee

                 and pressing <ENTER>.  VirusScan has now been installed
                 onto your hard disk.  Now your system's startup files
                 must be modified to find VirusScan on your system.

            9.   DOS and Windows users: Using a text editor program, 
                 load your AUTOEXEC.BAT file.  Locate the path statement,
                 which typically begins with a 'PATH' or 'SET PATH ='
                 statement.  Place your cursor at the end of this line
                 and type:

                      ;C:\MCAFEE

                 and press <ENTER>.  Now save your AUTOEXEC.BAT file and
                 exit the editor.

                 NOTE: If a semi-colon ";" is already present at the end
                       of the line, do not add one to the path statement.

                 OS/2 users: Make the same change listed above to the
                             'SET PATH='  statements in your CONFIG.SYS
                             file. Now save your CONFIG.SYS file and
                             exit the editor.

            Congratulations! You've successfully installed VirusScan.
            Restart your computer now and continue with this chapter to
            see how you can use VirusScan to keep your computer virus-
            free. We recommend looking over the following sections in
            this chapter:

                 "Scanning Your System"
                 "If You Detect A Virus"
                 "Activating VShield"
                 "Making A Clean Start-Up Diskette"

            so you'll know what took place during installation. Then
            continue with the remaining tasks in this chapter, beginning
            with "Running the VirusScan Programs" to find out how and
            when to run and update the VirusScan programs.

            
            SCANNING YOUR SYSTEM

            VirusScan's Scan program examines your PC and disks to
            detect viruses there. The first time you run Scan, do so
            from the original, write-protected diskette so that the
            programs themselves cannot be infected.

            Start from the system prompt (C:\> or [C:\]). If you are
            running Windows or an application program, exit from it to
            display the prompt. If you are running OS/2, close all DOS
            and Win-OS/2 sessions. Next, open the Command Prompts folder
            in the OS/2 system folder, then click the OS/2 Full Screen or
            OS/2 Window icon.

            After typing each entry on the command line, press <ENTER>.
            If you include the /REPORT option, Scan saves a report of
            infected files and any system errors to a log file that you
            specify.

            o    Insert the 'VirusScan Program Diskette' in drive A:

            o    Scan your C: drive for known viruses by typing:

                      C:\> a:scan c: /report c:\virus.log

                 OS/2 Users: Be sure to replace "a:scan" with
                             "a:os2scan" in the above example.

                 Or, if you have more than one hard drive, scan them in
                 the same fashion. For example, if you have C and D
                 drives:

                      C:\> a:scan c: d: /report c:\virus.log

                 You can also scan all local drives using the /ADL
                 option. For example:

                      C:\> a:scan /adl /report c:\virus.log

                 It may take several minutes for the Scan program to
                 check for viruses in memory, then on the system and
                 user portions of your drives. Scan keeps you informed
                 of its progress. Read the information on the screen
                 carefully.  Below is a sample of what Scan reports
                 when checking a drive for viruses:

                  Database file V1.00 created Fri Apr 1 12:01:00 1994
                  Finished scanning memory for viruses.
                  Scanning C:

                  Summary report on C:

                  File(s)
                          Analyzed: ..............    1500
                          Scanned: ...............     750
                          Possibly Infected: .....       0
                          Master Boot Record(s):..       1
                          Possibly Infected:......       0
                          Boot Sector(s):.........       1
                          Possibly Infected:......       0

                  Time: 60.00 sec.

            o    If Scan reports 0 viruses found, congratulations--most
                 likely your system is currently virus-free. Skip to
                 "Activating VShield" later in this chapter to continue.

                 If Scan finds one or more viruses, you'll see a message
                 like:

                   Scanning C:
                   Scanning file C:\DOS\ATTRIB.EXE
                           Found the Jerusalem virus

                 Don't panic, even if the virus has infected many files.
                 At the same time, don't run any other programs,
                 especially if the virus is found in memory. Turn to "If
                 You Detect a Virus" later in this chapter, where 
                 VirusScan will help you eradicate it.

            o    Scan has many options to control and fine-tune the
                 scope, validation, and operation of its scan. For
                 details, see Chapter 3 and "Detecting new 
                 and unknown viruses" in Chapter 4.
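
            The two sample screens above can also be read mechanically.
            The following added example (not McAfee's code) parses a
            report, ties each "Possibly Infected" counter to the group
            it belongs to, and pairs each "Found the ... virus" line
            with the file being scanned. The report text is constructed
            from the samples above; that the /REPORT log file uses the
            same line layout as the screen is an assumption.

```python
import re

# Constructed sample: the two screen samples from this chapter joined into
# one report. Assumption: a /REPORT log uses the same line layout.
SAMPLE_REPORT = """\
Database file V1.00 created Fri Apr 1 12:01:00 1994
Finished scanning memory for viruses.
Scanning C:
Scanning file C:\\DOS\\ATTRIB.EXE
        Found the Jerusalem virus

Summary report on C:

File(s)
        Analyzed: ..............    1500
        Scanned: ...............     750
        Possibly Infected: .....       1
        Master Boot Record(s):..       1
        Possibly Infected:......       0
        Boot Sector(s):.........       1
        Possibly Infected:......       0

Time: 60.00 sec.
"""

# "Label: ......   123" counter lines; the dot leader is optional.
COUNTER = re.compile(r"^(?P<label>[A-Za-z][A-Za-z() ]*?)\s*:\s*\.*\s*(?P<value>\d+)$")
# The manual prints both "Virus" and "virus", so match case-insensitively.
FOUND = re.compile(r"^Found the (?P<name>.+?) virus$", re.IGNORECASE)
SCAN_FILE = re.compile(r"^Scanning file (?P<path>.+)$")
SUMMARY = re.compile(r"^Summary report on (?P<drive>[A-Za-z]:)$")

# Lines that open a new group of counters inside a summary block.
SECTIONS = {"File(s)": "files", "Master Boot Record(s)": "mbr", "Boot Sector(s)": "boot"}


def parse_report(text):
    """Return {'findings': [(file or None, virus)], 'summary': {drive: {...}}}."""
    findings, summary = [], {}
    current_file = drive = section = None
    for raw in text.splitlines():
        line = raw.strip(" \t│|")          # tolerate box borders around the text
        if not line:
            continue
        if m := SCAN_FILE.match(line):
            current_file = m.group("path")
        elif m := FOUND.match(line):
            # current_file is None when no file line preceded the finding.
            findings.append((current_file, m.group("name")))
        elif m := SUMMARY.match(line):
            drive, section = m.group("drive"), None
            summary[drive] = {}
        elif drive is None:
            continue                       # banner lines before any summary
        elif line in SECTIONS:             # "File(s)" stands on a line of its own
            section = SECTIONS[line]
            summary[drive][section] = {}
        elif m := COUNTER.match(line):
            label, value = m.group("label"), int(m.group("value"))
            if label in SECTIONS:          # "Boot Sector(s): 1" opens a group too
                section = SECTIONS[label]
                summary[drive][section] = {"total": value}
            elif section is not None:
                summary[drive][section][label.lower().replace(" ", "_")] = value
    return {"findings": findings, "summary": summary}


def needs_cleaning(report):
    """True if a virus was named or any 'Possibly Infected' counter is non-zero."""
    if report["findings"]:
        return True
    return any(
        counters.get("possibly_infected", 0) > 0
        for sections in report["summary"].values()
        for counters in sections.values()
    )


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for location, virus in report["findings"]:
        print(f"{virus} in {location or 'unknown location'}")
    for drive, sections in report["summary"].items():
        print(drive, sections)
    print("needs cleaning:", needs_cleaning(report))
```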




            IF YOU DETECT A VIRUS

            In this task, you will run Scan with the /CLEAN option to
            eradicate most known viruses from your disks.

            o    If you are at all unsure about how to proceed once
                 you've found a virus, contact McAfee for assistance
                 (see "Technical Support" in Chapter 1).

            We strongly recommend that you get experienced help in
            dealing with viruses if you are unfamiliar with anti-virus
            software and methods. This is especially true for "critical"
            viruses and master boot record (MBR or so-called "partition
            table")/boot sector infections, because improper removal of
            these viruses can result in the loss of all data and use of
            the infected disks.


            RESTART FROM A CLEAN ENVIRONMENT

            You must run Scan from a clean, virus-free environment. With
            DOS or Windows, restart from a clean diskette. With OS/2,
            simply close all DOS and Win-OS/2 sessions.

            DOS or Windows
            With DOS or Windows, the only way to ensure a clean
            environment is to turn your computer off to eliminate any
            viruses in memory, then restart from a virus-free floppy
            diskette in drive A:, preferably the original, write-
            protected DOS installation diskette that came with your
            computer. If you don't have one, borrow or buy one; don't
            use a diskette that might be infected. (You will create a
            new anti-viral diskette in "Making a Clean Start-Up
            Diskette" later in this chapter to use in the future, 
            but you need a clean environment before you create one.)

            1.   Turn off your computer. (Don't just reset or reboot,
                 which may leave some viruses intact in the computer's
                 memory.)

            2.   Make sure your clean boot (start-up) diskette is write-
                 protected.

                 o    For a 3.5" diskette, slide its corner tab so that
                      the square hole is open.

                 o    For a 5.25" diskette, cover its corner notch with
                      a write-protect tab. Be sure to use the black or
                      silver write-protect stickers provided with your
                      diskettes, not transparent tape, which is ignored
                      by the floppy drive's infrared write-protection
                      mechanism.

            3.   Insert your start-up diskette in drive A:.

            4.   Turn on your computer and wait until you see the system
                 prompt (probably A>). Don't run any programs on your
                 hard disk, or you may reactivate the virus.

            OS/2
            With OS/2, you can eliminate most viruses from memory by
            closing all DOS, Win-OS/2, and virtual DOS machine (VDM)
            sessions. Because OS/2 programs run in protected mode,
            viruses cannot spread between them.


            BACK UP YOUR HARD DISK

            Some viruses may leave certain disks or files unusable when
            cleaned up. To increase your chance of recovery, copy all
            the files on all of your hard disks onto fresh diskettes or
            a backup tape after booting from a clean copy of the
            operating system. You can use a commercial backup program,
            or the one included with DOS or OS/2. Scan the program disk
            first to make sure that the backup program itself is not
            infected. Do not run the backup program if it is infected.
            Instead, reload it from your original installation
            diskettes.

            Although some of the backed-up files may be infected, it is
            better to have current copies than not. However, don't
            overwrite previous backup disks or tapes, which may or may
            not be infected.


            RUN SCAN WITH THE /CLEAN OPTION

            Start from the system prompt (probably A> or [A:\]). If you
            are running OS/2, open the Command Prompts folder in the
            OS/2 system folder, and click on the OS/2 Full Screen or
            OS/2 Window icons.

            After typing each entry on the command line, press [Enter].

            1.   Insert the 'VirusScan Program Diskette' in drive A:.

            2.   Eliminate the first known virus on your hard drive(s)
                 by typing:

                 DOS or Windows
                      A> a:scan /adl /clean

                 OS/2
                      [A:\] a:os2scan /adl /clean

                 Scan keeps you informed of its progress and generally 
                 reports that a virus was removed successfully. If Scan 
                 reports that the virus could not safely be removed, 
                 see the next section, "If Viruses Were Not Removed, 
                 Contact Technical Support."

            3.   Repeat step 2 for other viruses found by Scan, and for
                 other infected hard drives. For example:

                 DOS or Windows
                      A> a:scan /clean d:

                 OS/2
                      [A:\] a:os2scan /clean d:

                 o    Scan has options to control and fine-tune the
                      scope, validation, and operation of its
                      disinfection. For details, see Chapter 3.

            If Viruses were NOT removed, contact Technical Support

            If Scan can't remove a virus, it will tell you:

            Virus cannot be safely removed from this file.

            Make sure to take note of the filename, because you will
            need to restore it from backups. Run Scan again, this time
            using the /CLEAN and /DEL options to delete the remaining
            infected files, as described in Chapter 3. If you have 
            any questions, contact McAfee (see "Technical Support" 
            in Chapter 1).

            If viruses were safely removed, rescan and check diskettes

            If Scan has successfully removed all the viruses, restart
            your computer.

            Restart installation as described in "Installing VirusScan"
            earlier in this chapter. Assuming that your system is now 
            virus-free, installation will scan your system, activate 
            VShield, and make a clean start-up diskette as part of the
            installation procedure. Thereafter, you can proceed to
            "Running the VirusScan programs" later in this chapter.

            One common source of virus infection is floppy diskettes.
            Once you've finished installing VirusScan on your hard disk,
            use Scan again to examine and disinfect the diskettes you
            use, as described in "When to Rescan," in this chapter.














            FALSE ALARMS

            Due to the nature of anti-virus software, there is a small
            possibility that Scan may report a virus in a file that is
            not infected. This can be more likely if you are using more
            than one brand of virus protection software, especially if
            the virus is only reported in memory and not anywhere on the
            disk when you boot.

            If Scan reports a virus infection that you suspect may be in
            error, contact McAfee (see "Technical Support" in Chapter 1).
            You can upload the file to our bulletin board system at
            (408) 988-4004, along with your name, address, daytime
            telephone number, and electronic mail address (if any).


            ACTIVATING VSHIELD

            VirusScan's VShield program can help prevent viruses from
            infecting your system. It runs as a "terminate-and-stay-
            resident" (TSR) program, remaining in memory and scanning
            and intercepting programs as they are executed.

            To install VShield, use your editor to load your
            AUTOEXEC.BAT file. Insert the following as the first line:

                 C:\MCAFEE\VSHIELD

            If you load network drivers, disk-caching software, or
            other memory-resident programs that change the way
            in which you access disks, insert a second VShield line
            after the last invocation of such software:

                 C:\MCAFEE\VSHIELD /RECONNECT

            and press <ENTER>.  This reactivates VShield if it has been
            deactivated by another memory-resident program.  Now save
            your AUTOEXEC.BAT file.

            


            Windows
            VShield can display messages from within Windows in a
            message dialog. This is done through VShield's
            Windows Messager. If you choose not to install the
            Messager, VShield will still detect viruses, but will
            not be able to report them to you.

            1.   To activate the Messager, you must copy the
                 VSHLDWIN.EXE file from your VirusScan directory
                 (typically C:\MCAFEE) to your Windows directory
                 (typically C:\WINDOWS). You can do this by typing:

                      C:\> copy c:\mcafee\vshldwin.exe c:\windows

                 and pressing <ENTER>.

            2.   Go to your Windows directory, and using a text editor
                 program, load your WIN.INI file.  Go to the [Windows]
                 settings and insert the following line:

                      load=vshldwin.exe

                 NOTE: If you already have a "load=" line in your WIN.INI
                       file, go to the end of it and type:

                           ; vshldwin.exe

                 and press <ENTER>.  Now save your WIN.INI file and
                 exit the editor.

            VShield will now run whenever you start or restart your
            computer. To activate VShield at any time:

            DOS or Windows - Restart your computer by pressing the
            <CTRL>, <ALT>, and <DEL> keys simultaneously, or by turning
            it off and then on again (if Windows is running, exit
            it before restarting your computer).

            OS/2 - Restart all DOS and Win-OS/2 windows.

            o    If you have difficulties running VShield, it may be due
                 to conflicts with other TSR programs in your system, or
                 with other programs that monitor disk access. See
                 Chapter 3 in the VShield documentation for details, and
                 Chapter 4, "Tips and Troubleshooting," in this document
                 for more information. Contact McAfee technical support 
                 if you need help (see "Technical Support" in Chapter 1).





            o    VShield normally occupies up to 67Kb of conventional
                 (base 640Kb) memory. VShield minimizes the use of
                 conventional memory by attempting to load into extended
                 (XMS) memory, expanded (EMS) memory, upper memory, or a
                 combination of them before using conventional memory.

                 For computers with extremely limited available
                 memory, you can use VShield's /SWAP option to
                 reduce its memory requirements to 7Kb, although this
                 will decrease VShield's speed. For details, see
                 Chapter 3 in the VShield documentation.

            o    VShield has options to control and fine-tune the scope,
                 validation, and operation of its virus prevention. For
                 details, see Chapter 3 in the VShield documentation.

            o    When used in conjunction with some of Scan's options,
                 VShield can help protect your system from new and
                 unknown viruses. For details, see "Detecting New and
                 Unknown Viruses" in Chapter 4.

            o    Under OS/2, VShield runs in DOS and Win-OS/2 sessions
                 only, because current viruses can operate only in those
                 sessions.

            o    In Windows, you can use the VShield icon to turn
                 messages from VShield on and off (VShield itself,
                 however, remains active). For details, see Chapter 3
                 in the VShield documentation.























            MAKING A CLEAN START-UP DISKETTE

            In DOS or Windows, create a clean anti-viral start-up (boot)
            diskette that you can use to regain your "sterile field" if
            your system becomes infected. This is not necessary in OS/2,
            although it will be helpful to make backup copies of your
            OS/2 installation diskettes.

            DOS or Windows
            In DOS, start from the system prompt (C:\>). In Windows, you
            may open a DOS window, or duplicate these steps using
            Windows' File Manager.

            1.   Insert a blank or dispensable diskette into drive A.
                 Make sure the diskette contains no important
                 information, as this procedure will erase it.

            2.   Format the disk as a DOS-bootable diskette with the
                 system files on it by typing:

                      C:\> format a: /s /v /u

                 and pressing <ENTER>.  If you are using a version of
                 DOS before DOS 5.0, do not type the "/u" option.  The
                 /U option is used in recent versions of DOS to ensure
                 that the floppy diskette is erased completely (earlier
                 versions of DOS automatically do this).

                 When prompted for a volume label, type:

                      virusfree01

                 and press <ENTER>, or use another name of up to 11
                 characters.

            3.   Copy the VirusScan program files onto the diskette.
                 Here's one way to do this, assuming that your VirusScan
                 files are stored in C:\MCAFEE:

                      C:\> copy c:\mcafee\scan.exe a:
                      C:\> copy c:\mcafee\scan.dat a:
                      C:\> copy c:\mcafee\clean.dat a:
                      C:\> copy c:\mcafee\names.dat a:

            4.   Copy useful DOS programs to the diskette. Here's one
                 way to do this, assuming that your DOS files are stored
                 in C:\DOS:

                      C:\> copy c:\dos\format.* a:
                      C:\> copy c:\dos\xcopy.* a:
                      C:\> copy c:\dos\diskcopy.* a:
                      C:\> copy c:\dos\sys.* a:
                      C:\> copy c:\dos\fdisk.* a:
                      C:\> copy c:\dos\debug.* a:
                      C:\> copy c:\dos\unerase.* a:
                      C:\> copy c:\dos\mem.* a:
                      C:\> copy c:\dos\chkdsk.* a:

                 In the same way, copy other DOS programs that you think
                 might be useful.

            5.   Remove the diskette from the drive and write-protect it
                 so that it cannot become infected.

                 o    For a 3.5" diskette, slide its corner tab so that
                      the square hole is open.

                 o    For a 5.25" diskette, cover its corner notch with
                      a write-protect tab. Be sure to use the opaque
                      write-protect stickers provided with your
                      diskettes, not transparent tape.

            6.   Label the diskette "Virus-Free Boot Disk" and put it
                 away in a secure place in case you need to reestablish
                 a virus-free environment in the future.  You may want
                 to include supplemental information on the disk label,
                 such as the date and versions of DOS and VirusScan.

            OS/2
            With OS/2, you don't need a virus-free start-up disk.
            However, it will be helpful to keep a clean copy of
            important files, such as your system configuration files.
            Copy your CONFIG.SYS, STARTUP.CMD, and AUTOEXEC.BAT files
            onto an empty, formatted diskette. Write-protect the
            diskette, label it, and put it away in a secure place.



















            RUNNING THE VIRUSSCAN PROGRAMS

            VIRUSSCAN FOR DOS

            To run the VirusScan programs from the DOS command prompt,
            type the program name (SCAN) on the command line. Follow the
            program name with the drive, directory, or file(s) you want
            to scan for viruses and the options you want to use.

            Note:     If you have not changed the path statement in your
                      AUTOEXEC.BAT file, you will need to include Scan's
                      location (usually C:\MCAFEE) in the command, or
                      change to that directory.

            For example, to examine a diskette in drive A: type:

                 C:\> c:\mcafee\scan a:

            and press <ENTER>.

            EXCEPTION:
                      If Scan detects a virus in memory or on your hard
                      disk, don't run Scan with the /CLEAN option from
                      C:\MCAFEE. Instead, restart your computer and run
                      Scan from your clean start-up diskette as described
                      in "If you detect a virus" in this chapter.

            VirusScan can list the viruses it detects.  To view this list,
            run Scan with the /VIRLIST option, described in Chapter 3.
            

            VSHIELD

            VShield loads automatically upon startup for DOS and Windows
            computers, or when a DOS or Win-OS/2 session is started
            within OS/2.

            o    You can change VShield options from the DOS command
                 line by removing VShield from memory and re-running it,
                 or by editing the VShield command line in your
                 AUTOEXEC.BAT file. See Chapter 3 in the VShield 
                 documentation for details.










            VIRUSSCAN FOR OS/2

            To run Scan from OS/2, open the Command Prompts folder in
            the OS/2 System folder and click on the OS/2 Full Screen or
            OS/2 Window icons. Next, type the program name (OS2SCAN) on
            the command line. Follow the program name with the drive,
            directory, or file(s) you want to scan for viruses and
            the options you want to use.

            Note: If you have not changed the PATH and LIBPATH
                  statements in your CONFIG.SYS file, you will need to
                  include Scan's location (usually C:\MCAFEE) on the
                  command line, or change to that directory.

            For example, to examine a diskette in drive A: type:

                 [C:\] c:\mcafee\os2scan a:

            and press <ENTER>.

            o    VShield does not run in native OS/2 sessions, only
                 under DOS and Win-OS/2 sessions inside of OS/2. If you
                 have placed the VShield command in your AUTOEXEC.BAT
                 file, it will run automatically when you start a DOS or
                 Win-OS/2 session. You can also run it from the DOS
                 command line, as described earlier in this section.


























            WHEN TO RESCAN

            Although VShield will monitor your software for viruses,
            it's wise to scan your disks when you introduce new programs
            or disks that may be infected. New programs and files are
            generally introduced in two ways: by inserting a diskette,
            and by installing new programs.  It is also possible to
            download a computer virus using a modem; however, this is
            extremely rare.

            o    You can use VShield with the /ANYACCESS option to scan
                 diskettes automatically. For more information, see
                 the discussion of /ANYACCESS in Chapter 3 in the VShield
                 documentation.

            o    For instructions on running VirusScan, see "Running the
                 VirusScan programs" earlier in this chapter.

            WHEN YOU INSERT AN UNCHECKED DISKETTE
            Every time you insert a new diskette in your drive, run Scan
            on it before executing, installing, or copying its files. If
            you have several diskettes to scan, you can scan them
            consecutively. In fact, we recommend doing this now with all
            the diskettes you normally use, as well as diskettes
            received from friends, co-workers, salespeople, and even
            your own diskettes if they have been in another PC.

            WHEN YOU INSTALL OR DOWNLOAD NEW FILES
            Every time you install new software on your hard drive, or
            download executable files from a network server, bulletin
            board, or on-line service, run Scan on the directory the
            files were placed in before executing the files.




















            UPDATING VIRUSSCAN REGULARLY

            Unfortunately, new viruses (and variants of old ones) appear
            and circulate often in the personal computer community.
            Fortunately, McAfee updates the VirusScan programs
            regularly--usually every month, but sooner if many new
            viruses have appeared. Each new version may detect and
            eradicate as many as 60-100 new viruses or more, and may add
            new features. To find out what's new, review the README.1ST
            text file.


            DOWNLOADING NEW VERSIONS

            You may use your own communications software to download new
            versions from the McAfee bulletin board, CompuServe, or the
            Internet. See Chapter 1, "Welcome to VirusScan" for more
            information.

            Always download and decompress the files in a separate
            directory from your current files. That way, if you
            discover a problem with the new files, you'll still
            have the old ones intact.


            VALIDATING VIRUSSCAN

            When you download a program file from any source other than
            the McAfee bulletin board system or other direct-from-McAfee
            service, it's important to verify that it is authentic,
            unaltered, and uninfected.
            McAfee anti-virus software includes a program called
            Validate that helps you do this. When you receive a new
            version of VirusScan, run Validate on all of the program
            files.

            To do this for Scan, start from the system prompt (C:\> or
            [C:\]):

            1.   Change to the directory to which you've downloaded the
                 files. For example, if you've stored the files in
                 C:\DOWNLOAD, type:

                      C:\> cd \download

                 and press <ENTER>.

            2.   Type the command:

                      C:\DOWNLOAD> c:\mcafee\validate scan.exe

                 and press <ENTER>.

                 OS/2 Users: Be sure to replace SCAN.EXE with
                             OS2SCAN.EXE as the file to be validated.

            3.   Compare the results with the information in the
                 README.1ST file or other text file for the program you
                 have just validated. If the validation results match
                 what's in the file, it is highly unlikely that the
                 program has been modified.

            4.   Once you have validated the new version, copy it into
                 your C:\MCAFEE directory. In addition, create a new
                 "VirusScan Start-Up Diskette" containing the new
                 version.


            UPDATE YOUR CLEAN START-UP DISKETTE

            Once you have validated the new version, copy it into 
            your C:\MCAFEE directory. In addition, copy the Scan 
            program onto your clean start-up diskette. Below is one 
            way to do this; you may also use the Windows File Manager 
            or the OS/2 environment.

            Note any changes you've made to default options, because 
            you may want to select and save them again. Start from 
            the system prompt (C> or [C:\]).

            1. Navigate to the directory to which you've 
               retrieved the files, such as C:\MCAFEE:

                 cd c:\mcafee

            2. Temporarily remove write-protection from your clean
               start-up diskette and insert it in drive A.

               o For a 3.5" diskette, slide its corner tab so that 
                 the square hole is closed.
               o For a 5.25" diskette, remove the tab or tape from 
                 its corner notch.

            3. Copy the Scan program and its data files to the diskette.

               DOS or Windows       C> copy SCAN.EXE a:
                                    C> copy *.DAT a:
               OS/2              [C:\] copy OS2SCAN.EXE a:
                                 [C:\] copy *.DAT a:

            4. Remove the diskette from the drive and write-protect
               it again. 


            CHAPTER 3: VIRUSSCAN REFERENCE

            VirusScan(TM)'s Scan program detects, identifies, and
            disinfects known DOS computer viruses. Scan checks memory
            and both the system and data areas of disks for virus
            infections. If Scan finds a known virus, in most cases it
            will eliminate the virus and fully restore infected programs
            or system areas to normal operation. To obtain a list of all
            the viruses that Scan detects, run SCAN with the /VIRLIST
            option.

            In addition, Scan can also assign validation and recovery
            codes to files, and then use those codes to detect and treat
            infection by new and unknown viruses. If Scan has stored
            validation or recovery data for files, it may detect file
            changes and warn that infection by an unknown virus may have
            occurred. Scan can also use the recovery codes to remove new
            or unknown viruses and restore infected files, master boot
            records (MBRs), and boot sectors.

            This chapter describes how to use Scan from the DOS or OS/2
            command prompt.

            The command-line versions of VirusScan run under DOS and
            OS/2. The program files are SCAN.EXE and OS2SCAN.EXE,
            respectively. This chapter describes them both.

            Note:     Because OS/2 operates in a protected mode
                 environment, Scan for OS/2 does not check memory. To
                 protect against viruses in OS/2 DOS and Win-OS/2
                 sessions, use the VShield(TM) virus prevention program.


            DO YOU NEED TO READ THIS CHAPTER?

            Many users will not need the Scan command line options
            described in this chapter. We have designed Scan so that
            basic operation, as described in "Scanning Your System" and
            "When to Rescan" in Chapter 2, will detect most viruses in
            your system. The command line options described here offer
            additional power and control over virus detection. They
            enable you to run Scan from batch or script files, and are
            most useful in vulnerable environments and to network
            administrators and information services staff.








            SYSTEM REQUIREMENTS AND SUPPORT

            Scan requires DOS 3.0 or later, Windows 3.1 or later, or IBM
            OS/2 Version 2.0 or later. Running Scan for DOS requires
            340Kb of free RAM.

            Scan works with 3Com 3/Share and 3/Open, Artisoft LanTastic,
            AT&T StarLAN, Banyan VINES, DEC Pathworks, IBM LAN Server,
            Microsoft LAN Manager, Novell NetWare, and any other IBMNET-
            or NETBIOS-compatible network operating systems. Contact
            McAfee or your local authorized agent if you do not see your
            network listed (see "Technical Support" in Chapter 1).

            Scan is designed to check for pre-existing infections of
            known and unknown viruses on floppy, hard, CD-ROM, and
            compressed (SuperStor, Stacker, DoubleSpace, and so on)
            disks on both stand-alone and networked personal computers,
            as well as network file servers. If you have a Novell
            NetWare/386 V3.1X or 4.01 file server, you may want to use
            the NETShield(TM) virus prevention NetWare Loadable Module
            in conjunction with Scan.

            o    To use Scan to clean up (disinfect) virus-infected
                 files, the CLEAN.DAT file must be present in the same
                 subdirectory as Scan. If you don't have the CLEAN.DAT
                 file, first verify whether you should contact your
                 system administrator or information systems staff
                 directly for virus clean-up. Otherwise, you can contact
                 McAfee (see "Technical Support" in Chapter 1).


            TECHNICAL OVERVIEW

            KNOWN VIRUS DETECTION
            Scan detects known viruses by searching the system for known
            characteristics (sequences of code) unique to each computer
            virus and reporting their presence if found. For viruses
            that encrypt or cipher their code so that every infection is
            different, Scan uses detection algorithms that work by
            statistical analysis, heuristic analysis, and code
            disassembly.
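
            The sequence search described above, as an added example
            that is not McAfee's code: it matches byte signatures (with
            wildcard bytes) against a buffer and shows that a copy whose
            bytes are enciphered no longer matches, which is why a fixed
            sequence alone is not enough for such viruses. The signature
            names, byte patterns, and sample buffers are all constructed
            for the illustration.

```python
"""Byte-signature scanning (added example; every pattern here is constructed)."""
from typing import Dict, List, NamedTuple, Optional, Sequence, Tuple


class Signature(NamedTuple):
    name: str
    pattern: Tuple[Optional[int], ...]  # byte values; None is a wildcard byte


def parse_signature(name: str, text: str) -> Signature:
    """Parse hex text such as 'C0 FF ?? 42'; '??' matches any single byte."""
    pattern = []
    for token in text.split():
        if token == "??":
            pattern.append(None)
            continue
        value = int(token, 16)
        if not 0 <= value <= 255:
            raise ValueError(f"not a byte: {token}")
        pattern.append(value)
    if not pattern or pattern[0] is None:
        raise ValueError("a signature must start with a fixed byte")
    return Signature(name, tuple(pattern))


def find_signature(data: bytes, sig: Signature) -> List[int]:
    """Return every offset in data at which the signature matches."""
    hits = []
    anchor = bytes([sig.pattern[0]])
    size = len(sig.pattern)
    start = data.find(anchor)
    while start != -1:
        window = data[start:start + size]
        # A window cut short by the end of the buffer can never match.
        if len(window) == size and all(
            want is None or want == got
            for want, got in zip(sig.pattern, window)
        ):
            hits.append(start)
        start = data.find(anchor, start + 1)
    return hits


def scan(data: bytes, signatures: Sequence[Signature]) -> Dict[str, List[int]]:
    """Return {signature name: [offsets]} for the signatures that were found."""
    report = {}
    for sig in signatures:
        offsets = find_signature(data, sig)
        if offsets:
            report[sig.name] = offsets
    return report


# Constructed signatures and buffers; none of these bytes come from real malware.
SIGNATURES = [
    parse_signature("Constructed-Marker-A", "C0 FF EE ?? 13 37 42"),
    parse_signature("Constructed-Marker-B", "0B AD F0 0D"),
]
CLEAN = bytes(range(32)) * 4
MARKER = bytes.fromhex("C0FFEE99133742")
MARKED = CLEAN[:40] + MARKER + CLEAN[40:]
# Same marker with every byte XORed with one key byte: the fixed sequence is gone.
ENCIPHERED = CLEAN[:40] + bytes(b ^ 0x5A for b in MARKER) + CLEAN[40:]

if __name__ == "__main__":
    for label, buf in (("clean", CLEAN), ("marked", MARKED), ("enciphered", ENCIPHERED)):
        print(label, scan(buf, SIGNATURES))
```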

            NEW AND UNKNOWN VIRUS DETECTION
            Scan can also check for new or unknown viruses by comparing
            files against previously recorded validation data. If a file
            has been modified, it will no longer match the validation
            data, and Scan will report that the file may have become
            infected. With certain options, Scan /CLEAN can use the
            validation and recovery data to restore infected files,
            master boot records (MBRs), or boot sectors.
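
            The record-then-compare check described above (and the
            Validate comparison in "Validating VirusScan"), as an added
            example that is not McAfee's code. File size and SHA-256
            stand in for Scan's validation codes, whose format this
            document does not give; the function names and sample files
            are constructed for the illustration.

```python
"""Record and check file validation data (added example, not Scan's algorithm)."""
import hashlib
import os
import tempfile

# Executable extensions this manual lists for Scan's /STD option.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".sys", ".bin", ".ovl", ".dll"}


def digest(path):
    """SHA-256 of a file, read in chunks so large files are not held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_validation_data(root, extensions=EXECUTABLE_EXTENSIONS):
    """Return {relative path: (size, sha256)} for matching files under root."""
    data = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            data[rel] = (os.path.getsize(full), digest(full))
    return data


def check_against(root, recorded, extensions=EXECUTABLE_EXTENSIONS):
    """Compare the files under root with previously recorded validation data."""
    current = record_validation_data(root, extensions)
    report = {"modified": [], "missing": [], "new": []}
    for rel, entry in recorded.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != entry:
            report["modified"].append(rel)   # size or content no longer matches
    report["new"] = [rel for rel in current if rel not in recorded]
    return {kind: sorted(paths) for kind, paths in report.items()}


def demo():
    """Build a constructed directory, record it, change it, and check it."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, content):
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)

        write("SCAN.EXE", b"constructed program image A")
        write("TOOL.COM", b"constructed program image B")
        write("NOTES.TXT", b"not an executable")
        recorded = record_validation_data(root)

        # Same length, different bytes: a size check alone would miss this.
        write("SCAN.EXE", b"constructed program image Z")
        os.remove(os.path.join(root, "TOOL.COM"))
        write("NEW.EXE", b"arrived after the baseline")
        write("NOTES.TXT", b"text files are outside the executable list")
        return check_against(root, recorded)


if __name__ == "__main__":
    print(demo())
```

            A mismatch only shows that a file changed since the data was
            recorded, so the recorded data must be kept where an
            infection cannot rewrite it, such as the write-protected
            start-up diskette.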


            NOTE TO NETWORK USERS

            To use Scan on a network drive (or directory), you must be
            connected to that drive and have read access to it. Some
            command line options described in this chapter attempt to
            create, change, and delete files. To use these options, you
            must have sufficient access rights. If you have questions
            about access rights, contact your network administrator.












































            VALIDATING SCAN

            The VirusScan program has several safeguards to ensure that
            it remains free of viruses.  See "Validating VirusScan" in
            Chapter 2 for more information.

            We recommend that you update your copy of the VirusScan
            programs regularly. You can obtain an upgrade from several
            sources, as described in "Updating VirusScan Regularly" in
            Chapter 2.

            Before using a new version of Scan for the first time,
            verify that it has not been tampered with or infected by
            using the Validate program, as described in "Validating
            VirusScan" in Chapter 2. If your new copy of Scan differs
            from the validation data in the on-line documentation file,
            it may have been damaged. Don't use it, and obtain a clean
            copy of Scan from a known source.

            Scan performs an integrity test when run. This self-check
            allows Scan to determine if it has been modified.  If Scan
            fails its integrity test, a warning message will appear, and
            Scan will refuse to run and return to the command line
            prompt.  If Scan reports that it failed its integrity check,
            you must then obtain an undamaged copy before continuing.


            RUNNING SCAN FROM THE COMMAND LINE

            Scan checks files and other areas of the system that can
            contain computer viruses. When a virus is found, Scan
            identifies it and the system area or file where it was found.

            By default, Scan examines all files on a system. Once you've
            installed VirusScan and have established a "sterile field"
            (as described in Chapter 2), you might not need to scan
            every file on your system again, just the executable files
            (.EXE, .COM, .SYS, .BIN, .OVL, and .DLL files). Use the /STD
            option to scan executable files only. (Note that the list of
            extensions for standard executables has changed from
            previous versions of Scan.)

            From DOS or OS/2, you can run Scan from the command line
            prompt. (From OS/2, open the Command Prompts folder in the
            OS/2 system folder, then choose the OS/2 Full Screen or OS/2
            Window icons to see the command line prompt.) The syntax is:

                 DOS  C:\> scan {drives} [options]
                 OS/2 [C:\] os2scan {drives} [options]

            {drives} indicates one or more drives to be scanned. You
            must specify one or more drives to scan. If you list a drive
            like C:, all of its subdirectories will be scanned. If you
            list \, only the root directory and boot area of the current
            disk will be scanned. If you list a directory or \, its
            subdirectories will not be scanned unless you use the /SUB
            option.

            [options] indicates one or more of the Scan options listed
            in the "Scan Command Line Option Summary" that follows.

            SCAN COMMAND LINE OPTION SUMMARY

            /? or /HELP
                 Display help screen.

            /ADL
                 Scan all local drives (except floppy drives).

            /ADN
                 Scan all network drives.

            /AF {filename}
                 Store validation/recovery codes in filename.

            /APPEND
                 Append to, rather than overwrite, the report file
                 (/REPORT).

            /AV
                 Add validation/recovery data to program files.

            /BOOT
                 Scan master boot record and boot sector only.

            /CF {filename}
                 Check validation/recovery codes in filename.

            /CLEAN
                 Clean up infections in master boot records, boot
                 sectors, and files when possible.

            /CV
                 Check validation/recovery data in files.

            /DEL
                 Overwrite and delete infected files.

            /EXCLUDE {filename}
                 Exclude from scan any files listed in filename.
                 Typically used in conjunction with the /AV option.

            /FAST
                 Speed up VirusScan's scanning; may detect fewer
                 viruses.

            /LOAD {filename}
                 Use Scan settings stored in filename.

            /LOG
                 Save date and time VirusScan was last run in SCAN.LOG.


            /MOVE {directory}
                 Move infected files to directory.

            /NOMEM
                 Skip memory checking (not applicable to OS/2).

            /PAUSE
                 Enable screen pause at end of display page.

            /PLAD
                 Preserve Last-Access date of scanned files on Novell
                 drives.

            /REPORT {filename}
                 Create report of infected files found during scan in
                 filename.

            /RF {filename}
                 Remove validation/recovery codes in filename.

            /RPTCOR
                 Add list of corrupted files to the report file
                 (/REPORT).

            /RPTERR
                 Add list of system errors to the report file (/REPORT).

            /RPTMOD
                 Add list of modified files to the report file
                 (/REPORT).

            /RV
                 Remove validation/recovery data from files.

            /SHOWLOG
                 Display information in SCAN.LOG.

            /STD
                 Scan executable files only (.COM, .EXE, .SYS, .BIN,
                 .OVL, and .DLL).

            /SUB
                 Scan subdirectories inside a directory.

            /VIRLIST
                 Display list of viruses detected by VirusScan.

            SCAN OPTION DESCRIPTIONS

            Here is a detailed description of Scan's options.

            /? or /HELP
            Display list of Scan options
            Displays a list of Scan command line options with a brief
            description of each. No virus scanning will be performed
            when these options are specified. Use either of these
            options alone on the command line.

            /ADL
            Scan all local drives (except floppy drives)
            Scans all local drives for viruses, in addition to those
            specified on the command line. In DOS, use /ADL to check all
            local drives, including compressed drives and CD-ROMs. To
            scan both local and network drives, use /ADL and /ADN
            together in the same command line.

            /ADN
            Scan all network drives
            Scans all network drives for viruses, in addition to those
            specified on the command line. To scan both local and
            network drives, use /ADL and /ADN together in the same
            command line.

            /AF {filename}
            Store validation/recovery codes in file
            Helps you detect and recover from new or unknown viruses.
            /AF logs validation and recovery data for the executable
            files, boot sector, and master boot record (MBR) of a disk
            in the file you specify. The log file is about 95 bytes per
            file validated. You must specify a filename, which can
            include the target drive and directory (such as
            D:\VAL\DRIVES.VAL). If the target path is a network drive,
            you must be able to create and delete files in that drive.
            If filename exists, Scan updates it. The /AF option adds
            about 300% more time to scanning.

            To exclude self-modifying or self-checking files that might
            cause false alarms, use the /EXCLUDE option. To recover from
            a virus using the /AF information, use the /CF and /CLEAN
            options together in the same command line. Using any of the
            /AF, /CF, or /RF options together in the same command line
            returns an error.

            o    /AF performs the same function as /AV, but stores its
                 data in a separate file rather than changing the
                 executable files themselves. For more information, see
                 "Detecting new and unknown viruses" in Chapter 4.


            /APPEND
            Append to the report file.
            Used in conjunction with /REPORT, appends the report message
            text to the specified report file, if it exists. Otherwise,
            the /REPORT option overwrites the specified report file, if
            it exists.
            
            /AV
            Add validation/recovery data to files
            Helps you detect and recover from new or unknown viruses.
            /AV adds recovery and validation data to each standard
            executable file (.EXE, .COM, .SYS, .BIN, .OVL, and .DLL),
            increasing the size of each file by 98 bytes. To update
            files on a shared network drive, you must have update access
            rights. The /AV option adds about 100% more time to
            scanning.

            To exclude self-modifying or self-checking files that might
            cause false alarms, use the /EXCLUDE option. To recover from
            a virus using the /AV information, use the /CV and /CLEAN
            options together in the same command line. Using any of the
            /AV, /CV, or /RV options together in the same command line
            returns an error.

            o    The /AV option does not store any information about the
                 master boot record (MBR) or boot sector of the drive
                 being scanned.

            /BOOT
            Scan boot sector and master boot record only
            Scans the boot sector and master boot record on the
            specified drive(s), but not the files or directories on
            those drives.

            /CF {filename}
            Check validation/recovery codes in file
            Helps you detect new or unknown viruses. Checks validation
            data stored by the /AF option in filename. If a file or
            system area has changed, Scan reports that a viral infection
            may have occurred. The /CF option adds about 250% more time
            to scanning. For more information, see "Detecting New And
            Unknown Viruses" in Chapter 4. You can use /CF and /CLEAN in
            the same command line to check validation/recovery codes and
            remove any viruses found. Using any of the /AF, /CF, or /RF
            options together in a command line returns an error.

            o    Some older Hewlett-Packard and Zenith PCs modify the
                 boot sector each time the system is booted. If you use
                 /CF or /CV, Scan will continuously report that the boot
                 sector has been modified even though no virus may be
                 present. Check your system's technical reference manual
                 to determine whether your PC has self-modifying boot
                 code, or contact McAfee for help (see "Technical
                 Support" in Chapter 1).

            o    OS/2 dual boot systems change the boot sector between
                 DOS and OS/2 depending on which operating system is
                 active. This causes Scan to report that the boot sector
                 has been modified.

            /CLEAN
            Remove viruses from boot sector, master boot record (MBR),
            and infected files
            Attempts to restore the boot sector, if infected, and any
            infected files. Usually, between 10% and 20% of all viruses
            are not removable; they damage the file they infect beyond
            repair. If the infected file resides on a network drive, you
            must be able to modify files on that drive to clean it. If
            it cannot restore a file, you'll see a message that
            identifies the name of the unrecoverable file. To use
            /CLEAN, the CLEAN.DAT file must reside in the Scan
            directory.

            Use /CLEAN instead of /DEL when you want to restore infected
            files, not just delete or overwrite them. The /CLEAN option
            can remove master boot record and boot sector viruses,
            but the /DEL option cannot. If you use /CLEAN and /DEL in
            the same command line, Scan first attempts to disinfect an
            infected file, then deletes it only if it cannot be
            repaired. Similarly, if you use /CLEAN and /MOVE in the same
            command line, Scan attempts first to clean an infected file,
            then moves it automatically if the file is unrecoverable.

            You can use /CLEAN and /CF or /CV in the same command line
            to check validation/recovery codes and remove any viruses
            found. We strongly recommend that you get experienced help
            in dealing with viruses if you are unfamiliar with anti-
            virus software and methods. This is especially true for
            "critical" viruses and master boot record/boot sector
            infections, because improper removal of these viruses can
            result in the loss of all data on the infected disks.

            o    When scanning a network drive using /CLEAN, you must
                 have sufficient rights to update files on that drive.

            /CV
            Check validation/recovery data in files
            Helps you detect new or unknown viruses. Checks validation
            data added by the /AV option. If a file is modified, Scan
            reports that a viral infection may have occurred. The /CV
            option adds about 50% more time to scanning. You can use
            /CLEAN and /CF or /CV in the same command line to check
            validation/recovery codes and restore infected files. Using
            any of the /AV, /CV, or /RV options together in the same
            command line returns an error.

            /DEL
            Overwrite and delete infected files
            Deletes and overwrites each infected file. Files erased by
            the /DEL option cannot be recovered (generate a report so
            that you can restore them from backups). Instead of /DEL
            alone, we recommend using it in combination with the /CLEAN
            option to attempt to disinfect an infected file first, then
            delete it only if the file is unrecoverable. The /CLEAN
            option can remove master boot record and boot sector
            viruses, but the /DEL option cannot.

            o    When scanning a network drive using /DEL, you must have
                 sufficient access rights to delete files on that drive.

            /EXCLUDE {filename}
            Scan using exception list file
            Allows you to exclude files from /AF or /AV validation.
            Self-modifying or self-checking files can cause a false
            alarm during a scan. To create filename, see "Technical Note
            1: Creating an Exception List File for the /EXCLUDE Option"
            in this chapter.

            /FAST
            Speed up VirusScan's scanning
            Reduces Scan time by about 15%. Using the /FAST option, Scan
            examines a smaller portion of each file for viruses,
            although it examines more files overall. Using /FAST might
            miss some infections found in a more comprehensive (but
            slower) scan. Do not use this option if you have found a
            virus or suspect one.

            /LOAD {filename}
            Use Scan settings stored in {filename}.
            By default, Scan loads its internal default settings plus
            any options specified on the command line. You can store all
            custom settings in a separate ASCII text file, then use
            /LOAD to load those settings from that file.

            Use a text editor to create the file. You can put all
            options on the same line separated by a space or put each
            option (with its parameter) on its own line, separated by a
            hard carriage return and line feed, as shown in the
            following examples:

            Sample load file with all options on the same command line:

                 m: /report a:infectn.rpt /rptcor /rpterr

            Sample load file with each option on a separate command
            line:

                 m:
                 /report a:infectn.rpt
                 /rptcor
                 /rpterr

            /LOG
            Save date and time of last scan
            Stores the time and date Scan is being run by updating or
            creating a file called SCAN.LOG in the current directory.

            /MOVE {directory}
            Move infected files to directory
            Moves all infected files found during a scan to the
            specified directory. If you use /MOVE in conjunction with
            /CLEAN, Scan attempts to restore an infected file first,
            then moves it to the specified directory only if the file
            cannot be restored. Using /MOVE and /DEL in the same command
            line returns an error message.

            /NOMEM
            Skip memory checking
            Reduces scan time by omitting all memory checks for viruses.
            Use /NOMEM only when you are absolutely certain that your
            system is virus-free.
            By default, Scan checks system memory for all critical
            known computer viruses that can inhabit memory. In addition
            to main memory from 0Kb to 640Kb, Scan checks upper memory
            from 640Kb to 1,024Kb and the high memory area from 1,024Kb
            to 1,088Kb that can be used by computer viruses on 286 and
            later systems. Memory above 1,088Kb is not addressed
            directly by the processor and is not presently susceptible
            to viruses.

            o    /NOMEM is not applicable to OS/2.

            /PAUSE
            Enable screen pausing.
            If you specify /PAUSE, a "More? (H = Help)" prompt will
            appear when Scan fills up a screen with messages, such as
            when using the /SHOWLOG or /VIRLIST options. Otherwise,
            Scan will, by default, fill the screen with messages and
            scroll the screen continuously without stopping.  This
            allows Scan to be run against PCs with many drives or on
            PCs with severe infections without requiring user
            intervention. We recommend that you omit /PAUSE when
            keeping a record of Scan's messages using the report options
            (/REPORT, /RPTCOR, /RPTMOD, and /RPTERR).

            /PLAD
            Preserve Last-Access date on NetWare drives.
            Prevents changing the Last-Access date attribute for files
            stored on a network drive of a Novell network. Normally,
            NetWare updates the Last-Access date when files are
            accessed on network drives. However, some tape backup
            systems use the Last-Access date to decide whether to back
            up the file. Use /PLAD to ensure that the last access date
            does not change as the result of scanning.

            /REPORT {filename}
            Create report of infected files and system errors
            Saves the output of Scan to filename in ASCII text file
            format. If filename exists, /REPORT erases and replaces it.
            You can include the destination drive and directory (such as
            D:\VSREPRT\ALL.TXT), but if the destination is a network
            drive, you must be able to create and delete files on that
            drive. You can also use /RPTCOR, /RPTMOD, and /RPTERR to add
            corrupted files, modified files, and system errors to the
            report.

            /RF {filename}
            Remove validation/recovery codes in file
            Removes validation and recovery data from filename created
            by the /AF option. If filename resides on a shared network
            drive, you must be able to delete files on that drive. Using
            any of the /AF, /CF, or /RF options together in the same
            command line returns an error.

            /RPTCOR
            Add corrupted files to Scan report
            Used in conjunction with /REPORT, adds the names of
            corrupted files to the report file. A corrupted file is a
            file that a virus has damaged beyond repair, which typically
            occurs in 10% to 20% of all viral infections. You can use
            /RPTCOR with /RPTMOD and /RPTERR on the same command line.



            /RPTERR
            Add errors to Scan report
            Used in conjunction with /REPORT, adds system errors to the
            report file.
            System errors include problems reading or writing to a
            diskette or hard disk, file system or network problems,
            problems creating reports, and other system-related
            problems. You can use /RPTERR with /RPTCOR and /RPTMOD on
            the same command line.

            /RPTMOD
            Add modified files to the Scan report
            Used in conjunction with /REPORT, adds the names of modified
            files to the report file. Scan identifies modified files
            when the validation/recovery codes do not match (using the
            /CF or /CV options). You can use /RPTMOD with /RPTCOR and
            /RPTERR on the same command line.

            /RV
            Remove validation/recovery from files
            Removes validation and recovery data from files validated
            with the /AV option, along with the SCAN.LOG file on the
            specified drive. To update files on a shared network drive,
            you must have access rights to update them. Using any of the
            /AV, /CV, or /RV options together in the same command line
            returns an error.

            /SHOWLOG
            Update and display the contents of SCAN.LOG
            Stores the time and date Scan is being run by updating or
            creating a file called SCAN.LOG in the current directory,
            and shows you the date and time of previous scans that have
            been recorded in the SCAN.LOG file using the /LOG switch.
            The SCAN.LOG file contains text and some special formatting.
            To pause when the screen fills with messages, specify the
            /PAUSE option.

            /STD
            Scan executable files only (.COM, .EXE, .SYS, .BIN, .OVL, .DLL)
            Reduces scan time when a full scan is not needed. Otherwise,
            Scan checks all files on the drive scanned and examines
            files in greater detail, which increases Scan's ability to
            detect viruses in overlay files but substantially increases
            the scanning time required. Do not use this option if you
            have found a virus or suspect one. (The list of extensions
            for standard executables has changed from previous releases
            of VirusScan.)

            /SUB
            Scan subdirectories
            By default, when you specify a directory to scan rather than
            a drive, Scan will examine only the files it contains, not
            its subdirectories. Use /SUB to scan all subdirectories
            inside any directories you've specified. Do not use /SUB if
            you are scanning an entire drive.

            /VIRLIST
            Display list of viruses detected by VirusScan
            Shows the name of the viruses that VirusScan detects. To
            pause when the screen fills with messages, specify the
            /PAUSE option. Use /VIRLIST alone on the command line.
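
            An added example (not part of VirusScan or of this manual's
            own material): a Python check that reads a /LOAD settings
            file in either layout shown above and flags the option
            combinations these descriptions say return an error, belong
            with /REPORT, or should be used alone. Function names and
            message wording are hypothetical; the rules are only those
            stated in this chapter.

```python
import re

# Rules transcribed from the option summary and descriptions in this chapter.
KNOWN = set("/? /HELP /ADL /ADN /AF /APPEND /AV /BOOT /CF /CLEAN /CV /DEL "
            "/EXCLUDE /FAST /LOAD /LOG /MOVE /NOMEM /PAUSE /PLAD /REPORT /RF "
            "/RPTCOR /RPTERR /RPTMOD /RV /SHOWLOG /STD /SUB /VIRLIST".split())
TAKES_VALUE = {"/AF", "/CF", "/RF", "/EXCLUDE", "/LOAD", "/MOVE", "/REPORT"}
ERROR_IF_COMBINED = [{"/AF", "/CF", "/RF"}, {"/AV", "/CV", "/RV"}, {"/MOVE", "/DEL"}]
NEEDS_REPORT = {"/APPEND", "/RPTCOR", "/RPTERR", "/RPTMOD"}
USE_ALONE = {"/?", "/HELP", "/VIRLIST"}
WHOLE_DRIVE = re.compile(r"^[A-Za-z]:$")


def parse_load_file(text):
    """Split load-file text into (targets, {OPTION: value or None}).

    The one-line layout and the one-option-per-line layout both reduce to
    the same whitespace-separated token stream.
    """
    targets, options = [], {}
    tokens = text.split()
    i = 0
    while i < len(tokens):
        token = tokens[i]
        if token.startswith("/"):
            name, value = token.upper(), None
            has_next = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            if name in TAKES_VALUE and has_next:
                value = tokens[i + 1]
                i += 1
            options[name] = value
        else:
            targets.append(token)  # drive, directory, or file to scan
        i += 1
    return targets, options


def lint(targets, options):
    """Return a list of findings for one parsed set of Scan settings."""
    names, findings = set(options), []
    for name in sorted(names - KNOWN):
        findings.append(f"{name}: not in the option summary")
    for name in sorted(names & TAKES_VALUE):
        if options[name] is None:
            findings.append(f"{name}: missing its filename or directory argument")
    for group in ERROR_IF_COMBINED:
        clash = sorted(names & group)
        if len(clash) > 1:
            findings.append(" ".join(clash) + ": documented to return an error together")
    if "/REPORT" not in names:
        for name in sorted(names & NEEDS_REPORT):
            findings.append(f"{name}: documented for use in conjunction with /REPORT")
    for name in sorted(names & USE_ALONE):
        # The /VIRLIST description itself suggests adding /PAUSE, so allow that pair.
        allowed = {name, "/PAUSE"} if name == "/VIRLIST" else {name}
        if targets or names - allowed:
            findings.append(f"{name}: documented for use alone on the command line")
    if "/SUB" in names and any(WHOLE_DRIVE.match(t) for t in targets):
        findings.append("/SUB: not to be used when scanning an entire drive")
    if "/DEL" in names and "/REPORT" not in names:
        findings.append("/DEL: no /REPORT, so erased files are not listed for restore")
    return findings


def lint_text(text):
    """Parse and lint load-file text in one step."""
    return lint(*parse_load_file(text))


if __name__ == "__main__":
    # Constructed input that breaks several of the documented rules.
    for finding in lint_text("c: /af drives.val /cf drives.val /del /move /rptmod /sub"):
        print(finding)
```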

            CLEANING VIRUSES

            Although /CLEAN removes many viruses and restores normal
            operation, viruses can be harmful and insidious, and no
            anti-virus program can undo all their damage. Usually,
            between 10% and 20% of all viruses corrupt the files they
            infect, making them unrecoverable. If the file is infected
            with an uncommon virus that /CLEAN can't remove, Scan
            notifies you and identifies the filename. Write down this
            filename so that you can restore it from a backup diskette
            or tape. If you use both the /CLEAN and the /DEL options,
            Scan will first attempt to repair an infected file and, if
            the file is damaged beyond repair, Scan will delete it.
            Deleted files are not recoverable except from backups.

            Some viruses damage or overwrite program (.EXE) files or
            overlay files. Removing the virus can truncate the file or
            otherwise render it inoperable. Others, like the common
            virus Stoned, infect the master boot record (MBR). On
            systems partitioned with programs other than DOS (such as
            Disk Manager and SpeedStor), removing the virus can cause
            loss of the master boot record (MBR) and all data on the
            disk if done improperly.

            BASIC PRINCIPLES TO MINIMIZE DAMAGE
            These considerations lead to three important principles:

            1.   Before running Scan with the /CLEAN option, back up all
                 of your programs and data.

                 Of course, this works best if you back up your files
                 regularly, so that you can restore your files from a
                 backup made before your system was infected. But even a
                 backup from an infected system can be useful for
                 restoring data, because most viruses do not corrupt
                 data. If a program no longer runs after being cleaned,
                 replace it from the original disk or from a virus-free
                 backup.

                 When disinfecting an infected system, it is important
                 to start from a "sterile field," as described in 
                 Chapter 2.

            2.   Before running Scan with the /CLEAN option for DOS,
                 restart your computer from a clean, write-protected
                 diskette; before running it for OS/2, close all DOS and
                 Win-OS/2 sessions.

                 Preferably, use the clean anti-virus start-up diskette
                 you created in "Making a clean start-up diskette" in
                 Chapter 2. And, because running any program can spread
                 the infection:

            3.   Do not run any programs, including Windows, before
                 running Scan /CLEAN.

                 Run Scan /CLEAN from DOS instead of from Windows. 
                 Exit completely from Windows. Do not run Scan /CLEAN 
                 from within a DOS window.

                 IMPORTANT: If you are at all unsure about how to
                            proceed once you've found a virus, contact
                            McAfee technical support, or your local
                            authorized agent, for assistance (see
                            "Technical support" in Chapter 1).

            RUNNING SCAN TO CLEAN UP INFECTIONS

            Preparation

            1.   Before running Scan to clean up infections, clear the
                 virus from system memory and prevent reinfection:

                 o    With DOS, turn off your PC, then restart from a
                      clean start-up diskette, preferably the anti-virus
                      diskette you prepared in "Making a clean start-up
                      diskette" in Chapter 2.

                 o    With OS/2, close all DOS and Win-OS/2 sessions.

                 o    With an OS/2 dual-boot system infected by a boot
                      sector virus (like FORM, Disk Killer, or others
                      identified by Scan), boot (start up) OS/2 first,
                      delete the BOOT.DOS file from the \OS2 directory,
                      and then boot DOS to create a new, virus-free DOS
                      boot sector file.

            2.   Run the Scan program to locate and identify the
                 infections.

            3.   Back up the files on the infected disks (be sure not to
                 overwrite any previous backups).

            4.   Repeat Step 1.

            5.   Don't run any programs, including Windows, before
                 running Scan /CLEAN. If you have Windows, run Scan
                 /CLEAN from DOS.

            6.   When disinfecting a hard disk, always run Scan /CLEAN
                 from your write-protected VirusScan diskette to prevent
                 infection of the Scan program. When disinfecting
                 diskettes, make sure there is no active virus in memory
                 before running Scan from your hard disk.

            SUCCESSFUL AND UNSUCCESSFUL RESULTS

            Scan /CLEAN reports the results of its attempt to remove the
            virus from each infected file. If a file has several
            infections, it will report on each.  If viruses were not
            removed, contact technical support.

            If Scan can't remove a virus, you'll see a message like:

                 Virus cannot be safely removed from this file.

            Make sure to take note of the file name, because you will
            need to restore it from backups. If you have any questions
            about how to proceed, contact McAfee technical support or
            your local authorized agent (see "Technical Support" in
            Chapter 1).


            IF VIRUSES WERE SAFELY REMOVED, RESCAN AND CHECK DISKETTES

            If Scan /CLEAN has successfully removed all the viruses,
            turn your computer off again and restart from the system
            disk. Scan your hard disks again to make sure they are
            virus-free. If you suspect that your system was infected
            from a diskette, run Scan from your hard disk to examine
            and disinfect the diskettes you use.

            EXAMPLES

            These examples show different option settings. In OS/2,
            remember to use OS2SCAN instead of SCAN.

            scan c:
                 Scan all executable files on drive C.

            scan f:
                 Scan drive F:, a network drive.

            scan c: /adl /adn
                 Scan all local and network drives (except floppy drives).

            scan f: g: h: /del
                 Scan all files on drives F:, G:, and H:, and delete any
                 infected files found.

            scan c: d: e: /av
                 Scan for viruses in all files and add validation codes
                 to executable files on drives C:, D:, and E:.

            scan m: /report a:infectn.rpt /rptcor /rpterr
                 Scan for viruses on network drive M: and create a log
                 file of infections, corruptions, and errors in the file
                 INFECTN.RPT on drive A:.

            scan e:\user\mike e:\user\chris e:\user\cindy /sub
                 Scan all subdirectories inside the directories
                 USER\MIKE, USER\CHRIS, and USER\CINDY on drive E:.

            scan c: d: e: /fast /cv
                 Quickly scan drives C:, D:, and E:, and also report any
                 executable files that do not have validation codes.

            scan c:\command.com
                 Scan a single file.
















            ERROR LEVELS

            o    This section is primarily for network administrators,
                 information systems staff, and other people who may
                 want to run VirusScan from DOS batch files, network
                 login scripts, or OS/2 REXX scripts.

            After Scan has finished running, it sets the ERRORLEVEL. You
            can use the ERRORLEVEL in batch or script files to take
            different actions based on the results of the scan. See your
            operating system documentation for information on creating
            these types of files.

            Scan returns the following ERRORLEVELs:

            ERRORLEVEL          DESCRIPTION

                 0         No errors occurred and no viruses were found.

                 1         An error occurred while accessing a file
                           (either reading or writing).

                 2         A VirusScan database (*.DAT) file is
                           corrupted.

                 3         An error occurred while accessing a disk
                           (either reading or writing).

                 4         An error occurred with the file created with
                           the /AF option; the file has been damaged.

                 5         Insufficient memory to load program or
                           complete an operation.

                 6         An internal program error occurred.

                 7         An error occurred while accessing or
                           processing an international message file
                           (MCAFEE.MSG).

                 8         A file required to run VirusScan, such as
                           SCAN.DAT or NAMES.DAT, is missing.

                 9         Incompatible or unrecognized option(s) or
                           argument(s) for an option were specified on
                           the command line.

                 10        A computer virus was found in memory.

                 11        An internal program error occurred.


                 12        An error occurred while attempting to remove
                           a virus, such as no CLEAN.DAT file found
                           or VirusScan was unable to remove the virus.

                 13        One or more viruses was found in the master
                           boot record, boot sector, or file(s).

                 14        The SCAN.DAT file is out-of-date; please
                           upgrade VirusScan data files.

                 15        VirusScan failed its self-check.  It may be
                           infected with a virus, tampered with, or
                           damaged.

                 16        An error occurred while accessing or
                           attempting to access a specified drive,
                           directory, or file.

                 17        No drive, directory or file was specified for
                           scanning.

                 18        A validated file has been modified and no
                           longer matches its CRC check-sum (/CF or /CV
                           options).

                 19 - 99   Reserved.

                 100+      An error within the operating system.
                           VirusScan adds 100 to original error number.
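
            The batch file below is an added example, not part of the
            VirusScan distribution. It shows one way a login script or
            AUTOEXEC.BAT might branch on the ERRORLEVELs listed above;
            the file name CHKSCAN.BAT, the report file C:\SCAN.RPT, and
            the label names are assumptions made for the example.

```bat
@ECHO OFF
REM CHKSCAN.BAT: added example, not part of the VirusScan distribution.
REM Scans all local drives and branches on the ERRORLEVEL that Scan sets.
REM Assumptions: SCAN.EXE is on the PATH; the report file C:\SCAN.RPT
REM and all label names are made up for this example.

SCAN /ADL /REPORT C:\SCAN.RPT /RPTCOR /RPTERR

REM IF ERRORLEVEL n is true when the exit code is n OR HIGHER, so the
REM tests must run from the highest value down. Testing 1 first would
REM send a virus report (13) down the same path as a read error (1).
REM This example treats every nonzero value as "not clean".
IF ERRORLEVEL 100 GOTO OSERR
IF ERRORLEVEL 19 GOTO TROUBLE
IF ERRORLEVEL 18 GOTO MODIFIED
IF ERRORLEVEL 16 GOTO TROUBLE
IF ERRORLEVEL 15 GOTO TAMPER
IF ERRORLEVEL 14 GOTO STALE
IF ERRORLEVEL 13 GOTO VIRUS
IF ERRORLEVEL 12 GOTO NOCLEAN
IF ERRORLEVEL 11 GOTO TROUBLE
IF ERRORLEVEL 10 GOTO MEMVIRUS
IF ERRORLEVEL 1 GOTO TROUBLE
GOTO CLEAN

:MEMVIRUS
ECHO ERRORLEVEL 10: a virus was found in memory.
ECHO Turn the computer off and restart from a clean system diskette.
GOTO HALT

:VIRUS
ECHO ERRORLEVEL 13: virus found in the MBR, boot sector, or file(s).
ECHO See C:\SCAN.RPT for the infected items.
GOTO HALT

:NOCLEAN
REM Only reached when the SCAN command line includes /CLEAN.
ECHO ERRORLEVEL 12: a virus could not be removed.
ECHO Note the file names and restore them from backups.
GOTO HALT

:TAMPER
ECHO ERRORLEVEL 15: VirusScan failed its self-check.
ECHO Replace this copy of Scan from a clean, write-protected copy.
GOTO HALT

:MODIFIED
REM Only reached when the SCAN command line includes /CF or /CV.
ECHO ERRORLEVEL 18: a validated file no longer matches its check-sum.
GOTO HALT

:STALE
ECHO ERRORLEVEL 14: SCAN.DAT is out-of-date. Upgrade the data files.
GOTO HALT

:OSERR
ECHO ERRORLEVEL 100 or higher: operating system error.
ECHO Subtract 100 to get the original error number.
GOTO HALT

:TROUBLE
ECHO Scan did not complete normally (ERRORLEVEL 1-9, 11, 16-17, or 19-99).
ECHO The result cannot be trusted; treat the system as unchecked.
GOTO HALT

:HALT
ECHO.
ECHO Scan did not report a clean system. Contact your administrator.
PAUSE
GOTO END

:CLEAN
ECHO ERRORLEVEL 0: no errors occurred and no viruses were found.

:END
```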
























            APPLICATION NOTE 1: UPDATING VALIDATION CODES

            If you install any new software or programs on your system,
            including a new version of DOS, and are running Scan or
            VShield with the /CF (preferred) or /CV validation options,
            you need to install validation codes for the new files with
            Scan's /AF (preferred) or /AV options.

            The quickest way to update the validation codes is to remove
            all validation codes from the hard disk and then add them
            back. To do this, first run Scan with the /RF or /RV option, 
            then run it again with the /AF or /AV option.









































            APPLICATION NOTE 2: REFORMATTING INFECTED DISKETTES WITH DOS
                                5.0 AND LATER

            When reformatting infected diskettes using DOS 5.0 and later
            versions, be sure to add the /U switch to the FORMAT
            command. This tells DOS to do an unconditional format of the
            diskette, without saving the original infected boot sector.
            This is necessary to erase certain infections, and will
            prevent reinfection by unformatting the diskette.












































            TECHNICAL NOTE 1: CREATING AN EXCEPTION LIST FILE
                              FOR THE /EXCLUDE OPTION

            If you set up validation codes using Scan's /AF or /AV
            options, subsequent scans using the /CF or /CV options will
            detect changes in executable files. This can generate false
            alarms if the executable files are self-modifying or self-
            checking (most programs that do this will tell you to turn
            off your anti-virus software before running them; some of
            these files are listed below). Therefore, use the /EXCLUDE
            option in conjunction with /AF or /AV to identify such files
            and exclude them from the validation.

            The exception list is an ASCII (or DOS) text file. If you
            use a word processor to create it, be sure to save the file
            as ASCII or DOS Text. Each line in the file contains the path 
            and file name of one file that should not be validated. 
            Here is an example:

                 C:\CLIPPER\BIN\CLIPPER.EXE
                 C:\123\123.COM
                 C:\FOX\FOXPROLX.EXE
                 C:\DOS\SETVER.EXE
                 C:\PKWARE\PKLITE.EXE
                 C:\PKWARE\PKZIP.EXE
                 C:\PKWARE\PKUNZIP.EXE
                 C:\SEMWARE\Q.EXE
                 C:\SWAPVOL.COM
                 C:\WORDSTAR\WS.EXE
























            Chapter 4: TIPS & TROUBLESHOOTING

            The other chapters in this manual are meant to tell you
            clearly and concisely how to use the VirusScan(TM) software.
            Still, you may have questions or encounter confusing
            situations. This chapter contains two kinds of advice:

            o    Tips for getting the most out of VirusScan.

            o    Common problems and how to solve or avoid them.

            If this information doesn't help resolve your question or
            problem, contact McAfee (see "Technical Support" in 
            Chapter 1).


            DETECTING NEW AND UNKNOWN VIRUSES

            There are two ways of dealing with new and unknown viruses
            that may infect your system:

            o    Update VirusScan regularly.
            o    Store and check validation and recovery information
                 about your files.


            UPDATE VIRUSSCAN REGULARLY

            Most likely, McAfee will see new viruses long before you do.
            We update the VirusScan programs often--usually monthly, but 
            more often if many new viruses have appeared. Each new 
            version may detect and eradicate as many as 60 to 100 new 
            viruses or more, and may fix bugs that have been reported.

            Updating VirusScan regularly is probably all you need to do
            to protect against new viruses. See the instructions for
            obtaining new versions in "Updating VirusScan Regularly" in
            Chapter 2.


            USE THE VALIDATION AND RECOVERY OPTIONS

            If your environment is highly vulnerable to viruses, or you
            require unusual security against them, you can use
            VirusScan's validation and recovery options. Scan checks for
            new or unknown viruses by comparing files against previously
            recorded validation data. If a file has been modified, it no
            longer matches the validation data, and Scan reports that
            the file may have become infected. Scan has two levels of
            validation, which are stored in two separate ways:


            o    It can store the enhanced code in a separate recovery
                 file, which can be stored off-line (for example, on a
                 diskette) for recovery purposes (/AF, /CF, and /RF
                 switches). This is the preferred method because it
                 stores the data for files, the boot sector, and the
                 master boot record (MBR) of a disk in the recovery
                 file.

            o    It can append a 98-byte validation code to .COM and
                 .EXE files (/AV, /CV, and /RV switches). This method
                 applies to the files you specified only. It does not
                 store data for the boot sector and master boot record
                 (MBR).

            Once the validation codes are stored, both Scan and VShield
            can use the /CV and /CF options to detect changes to the
            files. More importantly, if you have stored the recovery
            information with /AF, Scan can use it to restore infected
            files, master boot records (MBRs), and boot sectors.

            All of these options require continuing effort to store and
            maintain the codes. For example, if you install new programs
            or upgrade old ones, you should use the /RV or /RF options
            to remove all codes, then /AV or /AF to restore them.

            If you want to use one of these methods, which should you
            use? We recommend the "F" options--/AF, /CF, and /RF--over
            the "V" options. /AF stores the validation and recovery
            information in a separate file, instead of modifying the
            program files themselves. This has three advantages:

            o    You can store the recovery file off-line (on your clean
                 anti-viral startup diskette, for example, or on a
                 network drive or tape drive) and access it on demand to
                 check for, and recover from, infection by unknown
                 viruses. Use the procedure below to create a recovery
                 diskette.

            o    This method keeps self-checking files (usually copy-
                 protected programs) from reporting that they have been
                 tampered with.

            o    If you use this method, you don't need an exception
                 list. However, it's important that you run Scan with
                 the /RF option on individual self-modifying files, such
                 as Lotus 1-2-3, to remove the validation codes for
                 those programs from the validation file.

            The "V" options are primarily useful for companies that
            distribute software to their customers or employees, and
            want to incorporate an additional level of virus protection.


            CREATING A RECOVERY DISKETTE

            To store the recovery file, create a new "VirusScan Startup
            Diskette" and then run Scan to create a validation code and
            recovery data file by typing:

                 scan /adl /af a:\scancrc.crc

            and pressing <ENTER>.  The above command scans the local
            hard disk drive(s) for known viruses and creates
            "SCANCRC.CRC," a file containing validation codes and
            recovery data, on the diskette. After Scan finishes,
            write-protect the diskette, label it as your "VirusScan
            Recovery Diskette," and store it in a safe location.

            To check for virus infection, turn your computer off, insert
            your "VirusScan Recovery Diskette" in drive A:, and turn
            the power back on. The PC will now start from the diskette.
            At the DOS prompt, type:

                 scan /adl /cf a:\scancrc.crc

            and press <ENTER>.  This will compare the local hard disk
            drive(s) against the recovery data stored on the diskette
            in the SCANCRC.CRC file.

            If you detect an unknown virus, to disinfect your system,
            turn your PC off, insert the recovery diskette, and turn the
            power back on. The PC will start from the floppy disk. At
            the DOS prompt, type:

                 scan /adl /cf a:\scancrc.crc /clean

            to restore drives C and D with the recovery data stored in
            SCANCRC.CRC on the diskette.

            If you install new software, or upgrade your DOS version,
            remember to update your recovery file. See Application 
            Note 1, "Updating Validation Codes," in Chapter 3.














            INTERACTING WITH YOUR NETWORK

            Many personal computers are interconnected through a local
            area network (LAN). VirusScan is highly compatible with most
            networks. Here are some ways of using the VirusScan software
            with your network:

            Run Scan on network drives
            Run from a workstation (PC) on the network, Scan checks
            network drives for viruses just as it does local drives. For
            convenience, the /ADN option scans all network drives to
            which the workstation is connected.

            Use VShield and CheckVShield
            By activating VShield as part of every workstation's
            AUTOEXEC.BAT file, you can prevent the workstations from
            introducing viruses into the network. Network administrators
            can ensure that VShield is active on each workstation by
            running CheckVShield as part of the network login script,
            before actual login.

            Use NETShield
            NETShield provides continuous virus protection on a NetWare
            server. NetWare network administrators can use it to check
            for both known and unknown viruses and to monitor all
            network activities. On other kinds of networks, you can use
            Scan to check network servers.

            Develop a network security program, as described in the next
            tip.

            Develop a security program
            VirusScan has been shown to be an effective virus-preventive
            measure when used in a conscientiously applied program of
            network security and regular professional care.

            VirusScan is one important element of a comprehensive
            computing security program that includes a variety of safety
            measures, such as regular backups, meaningful password
            protection, user training, and awareness. Even with
            VirusScan, some viruses--not to mention theft or fire--can
            render a disk unrecoverable without a recent backup to
            reload information. Although outlining such a security
            program is beyond the scope of this manual, see "Other
            Sources of Information" in Chapter 1 for suggestions.

            If you are a network administrator, we urge you to implement
            a security program to safeguard your organization's data and
            productivity. If you are a network user, please support and
            comply with such a program.



            TROUBLESHOOTING

            Using VirusScan with other anti-virus software
            When you run more than one anti-virus program from different
            vendors, you risk strange results and false alarms. For
            example, some anti-virus programs store their "virus
            signature strings" unprotected in memory. Running VirusScan
            may "detect" them falsely as a virus.

            False alarms
            Scan may incorrectly report a virus in the boot sector or
            master boot record (MBR) of a disk if the diskette uses a
            special copy-protection or encryption mechanism. Contact
            technical support if you're unsure (see "Technical Support"
            in Chapter 1).

            TSR conflicts
            Some "terminate-and-stay-resident" (TSR) software may
            conflict with VirusScan programs, especially VShield (which
            is itself a TSR). To check whether this is the problem,
            "comment out" the other TSR files in your AUTOEXEC.BAT file
            and restart your system. If the errors disappear, the TSR
            conflict caused them.

            Slow disk access, program locks
            Running VShield will slow your system slightly as described
            in Chapter 3 in the VShield documentation, especially if you 
            use either the /ANYACCESS or /SWAP options. If you experience 
            very slow disk access, or if programs lock or freeze while 
            using Windows 3.1, you may be using a disk cache program that 
            interferes with program operation, or you may need to increase 
            the number of BUFFERS in your CONFIG.SYS file.

            Program locks with VShield's /SWAP option
            When VShield is running with the /SWAP option, certain
            programs may lock up the computer. These programs may use
            memory without allocating it first, including older versions
            of Lotus 1-2-3, pfs:Write and Professional Write,
            OfficeWrite, and DisplayWrite4. To correct this, restart your
            computer and run VShield without the /SWAP option.

            Unable to remove VShield
            If the /REMOVE option doesn't successfully remove VShield
            from memory, you have probably loaded other terminate-and-
            stay-resident (TSR) programs after VShield. VShield can't be
            removed until the other TSRs are removed. If you need to
            unload VShield often, load it last.






            APPENDIX A: RETRIEVING VIRUSSCAN UPDATES VIA THE McAFEE BBS

            McAfee runs a multiple line bulletin board system (BBS) for
            you to download program updates, receive technical support,
            and interact with other McAfee users.

            DIAL UP

            o    The McAfee BBS phone number is (408) 988-4004.

            o    The BBS operates at up to 14,400 bps (baud). Set your
                 communications parameters to 8 data bits, 1 stop bit,
                 no parity, and your terminal emulation to ANSI or TTY.

            o    The BBS is Bell- and ITU- (formerly CCITT) compatible.


            LOG ON

            After receiving the CONNECT message from your communications
            package:

            o    Enter your name, geographic location, and password.

                 To retrieve the VirusScan programs, type "GUEST" for
                 first name, and "USER" for last name.

                 Or, if you want personal answers or feedback, create
                 your own account by entering your first and last name
                 and a password. Passwords should be 3-8 characters long
                 and are case-sensitive.


            THE MAIN MENU

            Here are some of the important functions on the main menu:

            F    File transfer area (download McAfee updates)
            M    Message area (read and write messages in all sections
                 and e-mail)
            G    Goodbye (hang up and leave the BBS)

            Downloading McAfee programs
            
            1.   Select <F> from the Main Menu to go to the File
                 transfer area.  This is the area from which you can
                 download McAfee programs.

            2.   Select <1> for the McAfee Antivirus Files.  A sorted
                 directory listing of files available for download will
                 be displayed.

            3.   Type <D> for download, then type in the filename as
                 found in the directory.

            4.   The BBS will prompt you to select a protocol. We
                 recommend an error-correcting protocol such as ZMODEM,
                 YMODEM or XMODEM.

            5.   You'll see the message "Awaiting start signal." Tell
                 your software to receive files.  With PROCOMM for DOS
                 or TELIX, press the <PAGE DOWN> key; with BITCOM, press
                 the <F2> key.  For other communications programs, check
                 your manual.

            7.   Your software will prompt you to select a protocol and
                 file name to receive the file. Select the same protocol
                 and name.





































            APPENDIX B: OPTIONS COMPARISON BETWEEN
            VIRUSSCAN VERSIONS 1.5 AND 2.0


            VERSION COMPARISON OF SCAN OPTIONS

               Scan         Scan         
               Version 1.5  Version 2.0   Option Description
                         
              /? /H or      /? or /HELP   Display help screen.
              /HELP                      
            
              /A                          Scan all files,
                                          including data files.
            
              /AD{x}        /AD{x}        Scan all drives
                                          {L=Local, N=Network}.
                                          Leave blank for both
                                          (version 1.5 only).
            
              /AF           /AF           Store
              {filename}    {filename}    validation/recovery
                                          codes in filename.
            
              /AG                         Add recovery/validation
              {filename}                  data to files except
                                          those listed in {filename}.
            
              /AV           /AV           Add validation/recovery
              {filename}                  data to program files.
                                          Exclude those listed in
                                          {filename} (version 1.5
                                          only); exclude those
                                          listed in /EXCLUDE
                                          option (version 2.0 only).
            
              /BELL                       Beep whenever a virus
                                          is found.
            
              /BMP                        Scan OS/2 Boot Manager
                                          partition only.
                         
                            /BOOT         Scan master boot record
                                          and boot sector only.
            
              /CERTIFY                    List files not having a
                                          validation code.
                                       
              /CF           /CF           Check
              {filename}    {filename}    validation/recovery
                                          codes in filename.
            
              
              /CG                         Check
                                          recovery/validation
                                          data in files.
            
              /CHKHI                      Check memory from 0Kb
                                          to 1,088Kb (not
                                          applicable to OS/2).
            
              (CLEAN.EXE)   /CLEAN        Clean up infections in
                                          master boot records,
                                          boot sectors, and files
                                          when possible.
            
              /CV           /CV           Check
                                          validation/recovery
                                          data in files.
            
              /D            /DEL          Overwrite and delete
                                          infected files.
                                          Save date and time
                                          VirusScan was last run
                                          in SCAN.LOG.
            
              /DATE         /LOG          Save date and time
                                          VirusScan was last run.
                                          Save in SCAN.LOG file
                                          (version 2.0 only).
                         
                            /EXCLUDE      Exclude from scan any
                            {filename}    files listed in
                                          filename. Typically
                                          used in conjunction
                                          with the /AV option.
            
              /EXT                        Scan using external
              {filename}                  virus information from
                                          filename.
            
              /FAST         /FAST         Speed up VirusScan's
                                          scanning; may detect
                                          fewer viruses.
            
              /HISTORY      /APPEND       Append Scan report to
              filename                    filename (version 1.5).
                                          Append to, rather than
                                          overwrite, the report
                                          file (/REPORT, version 2.0).
                         
              /M                          Scan memory for all
                                          viruses (not applicable
                                          to OS/2).
            
              /MANY                       Scan multiple floppy
                                          disks (diskettes).
                         
                            /MOVE         Move infected files to
                            {directory}   directory.
            
              /NLZ                        Skip internal scan of
                                          LZEXE compressed files.
                                       
              /NOBREAK                    Disable Ctrl-C and Ctrl-
                                          Brk during scan.
            
              /NOEXPIRE                   Do not display
                                          expiration notice.
            
              /NOMEM        /NOMEM        Skip memory checking
                                          (not applicable to OS/2).
            
              /NOPAUSE      /PAUSE        Disable screen pause
                                          (version 1.5 only).
                                          Enable screen pause
                                          (version 2.0 only).
            
              /NPKL                       Skip internal scan of
                                          PKLITE compressed files.
                         
                            /PLAD         Preserve Last-Access
                                          date of scanned files
                                          on Novell drives.
            
              /REPORT       /REPORT       Create report of
              {filename}    {filename}    infected files found
                                          during scan in filename.
            
              /RF           /RF           Remove
              {filename}    {filename}    validation/recovery
                                          codes in filename.
            
              /RG           /RG           Remove
                                          recovery/validation
                                          data from files.


                            /RPTCOR       Add list of corrupted
                                          files to the report
                                          file (/REPORT).
                         
                            /RPTERR       Add list of system
                                          errors to the report
                                          file (/REPORT).
                         
                            /RPTMOD       Add list of modified
                                          files to the report
                                          file (/REPORT).
            
              /RV           /RV           Remove
                                          validation/recovery
                                          data from files.
            
              /SAVE         /SAVE         Save specified options
                                          as new defaults (not
                                          available in Windows).
            
              /SHOWDATE     /SHOWLOG      Show date and time of
                                          last scan (version 1.5
                                          only). Display
                                          information in SCAN.LOG
                                          (version 2.0 only)
                         
                            /STD          Scan executable files
                                          only (.COM, .EXE, .SYS,
                                          .BIN, .OVL, and .DLL)
            
              /SUB          /SUB          Scan subdirectories
                                          inside a directory.
                                       
                            /VIRLIST      Display list of viruses
                                          detected by VirusScan.
            
              @filename     /LOAD         Use Scan settings
                            {filename}    stored in filename.
                                         
                           




