Category : System Diagnostics for your computer
Archive   : NETSC97.ZIP
Filename : NETSCN97.DOC

 
Output of file : NETSCN97.DOC contained in archive : NETSC97.ZIP


















NETSCAN Version V97
Copyright (C) 1989 - 1992 by McAfee Associates
All rights reserved.

Documentation by Aryeh Goretsky.

























McAfee Associates               (408) 988-3832 office
3350 Scott Blvd, Bldg. 14       (408) 970-9727 fax
Santa Clara, CA 95054           (408) 988-4004 BBS (25 lines)
U.S.A.                          USR HST/v.32/v.42bis/MNP1-5
                                CompuServe GO MCAFEE
                                InterNet [email protected]



TABLE OF CONTENTS:


SYNOPSIS
- What is NETSCAN?
- System requirements

AUTHENTICITY
- Verifying the integrity of NETSCAN

WHAT'S NEW
- New features and viruses in this release

OVERVIEW
- General description of NETSCAN

OPERATION and OPTIONS
- How to use NETSCAN, detailed explanation of switches

EXAMPLES
- Samples of frequently-used options

EXIT CODES
- ERRORLEVELS for running NETSCAN from batch files

VIRUS REMOVAL
- How to manually remove a virus

LICENSE
- How to license NETSCAN

TECH SUPPORT
- Information you should have ready when calling

APPENDIX A
- Creating a virus string file with the /EXT option
















SYNOPSIS

NETSCAN is a virus detection and identification program
for local and wide area networks. NETSCAN will search any
networked drive accessible as a DOS device for known viruses.
NETSCAN works by searching the system for sequences of
bytes unique to each computer virus and then reporting their
presence if found.
NETSCAN Version V97, when used in conjunction with the
VIRUSCAN program on workstations, can identify all known
computer virus strains. (For a complete list of viruses
detected, please refer to the accompanying VIRLIST.TXT file.)
In order for NETSCAN to check all areas of the server for
computer viruses, NETSCAN should be run under an account with
global read and filescan rights.
NETSCAN requires 320Kb of RAM and DOS 2.0 or above (some
features require DOS 3.1 or above) and works with 3Com 3/Share
and 3/Open, Artisoft LANTastic, AT&T StarLAN, Banyan VINES,
DEC Pathworks, Microsoft LAN Manager, Novell NetWare, and any
other IBMNET or NETBIOS compatible network operating system.
If you do not see your NOS listed, contact McAfee Associates.


AUTHENTICITY

NETSCAN performs a self-check when run. If NETSCAN has
been modified in any way, a warning will be displayed and the
user prompted to either continue or quit. NETSCAN can still
check for viruses; however, if NETSCAN reports it has been
damaged, it is recommended that a clean copy be obtained.
NETSCAN versions 46 and above are packaged with VALIDATE,
a program to ensure the integrity of the NETSCAN.EXE file. The
VALIDATE.DOC file tells how to use VALIDATE. VALIDATE can be
used to check subsequent versions of NETSCAN for tampering.

The validation results for Version V97 should be:

FILE NAME: NETSCAN.EXE
SIZE: 81,527
DATE: 10-15-1992
FILE AUTHENTICATION
Check Method 1: E21B
Check Method 2: 1904

If your copy of NETSCAN differs, it may have been damaged or
have options stored in it with the /SAVE switch. Run NETSCAN
with only the /SAVE option to remove any stored options and
then re-run VALIDATE. Always obtain your copy of NETSCAN from a
known source. The latest version of NETSCAN and validation data
for NETSCAN.EXE can be obtained from McAfee Associates' BBS at
(408) 988-4004 or from the Computer Virus Help Forum on CompuServe
(GO VIRUSFORUM).


Beginning with Version 72, all of McAfee Associates'
VIRUSCAN series are archived with PKWare's PKZIP Authentic File
Verification. If you do not see "-AV" after each file as it is
unzipped and do not receive the "Authentic Files Verified! # NWN405
Zip Source: McAFEE ASSOCIATES" message when you unzip the files,
then do not use them. If your version of PKUNZIP does not have
verification ability, then this message may not be displayed.
Please contact us if you believe tampering has occurred to the
.ZIP file.












































WHAT'S NEW

NETSCAN version V97 has been updated to detect all the
new viruses added to version 8.9V97 of VIRUSCAN.

Beginning in Version 90, we have started optimizing our
virus search strings by grouping similar viruses together
into generic virus detection strings. This speeds up the
VIRUSCAN program by reducing the number of virus strings it
has to look for and makes the program file smaller by reducing
the size of its virus string data.


THE COMPUTER VIRUS HELP FORUM ON COMPUSERVE

We are now sponsoring the Computer Virus Help Forum on
CompuServe. Updates to the NETSCAN series, information about
computer viruses, and technical support may be obtained by
typing GO VIRUSFORUM at any CompuServe prompt. A free
introductory membership to CompuServe is also available. For
more information, please read the COMPUSER.NOT file.


INTERNET ACCESS TO McAFEE ASSOCIATES SOFTWARE

The latest versions of McAfee Associates' anti-viral
software are now available by anonymous ftp (file transfer
protocol) over the Internet from the site mcafee.COM. If
your domain resolver does not support names, use the IP#
192.187.128.1.
























OVERVIEW

NETSCAN is designed to work with file servers on local
and wide area networks. For stand-alone and networked PC's, use
the VIRUSCAN program instead.
NETSCAN checks files, subdirectories, or entire volumes
on a file server for pre-existing computer virus infections. It
will identify the virus infecting the system and the area where
it was found.
Infected files can be removed either with the /D overwrite-
and-delete option in NETSCAN which will erase the file, or with
the CLEAN-UP universal virus disinfection program. CLEAN-UP is
recommended because in most cases it eliminates the virus and
fully restores the program or system area.

NETSCAN can be updated to search for new viruses by an
External Virus Data File, which allows the user to input new
search strings for viruses.
After seven months have passed NETSCAN will display a
message that it may no longer be current. However, NETSCAN will
continue to function as normal. This message can be bypassed
by running NETSCAN with the /NOEXPIRE switch.
NETSCAN displays messages in English, French, or Spanish.































OPERATION and OPTIONS

IMPORTANT NOTE: WRITE PROTECT YOUR FLOPPY DISK BEFORE SCANNING
TO PREVENT INFECTION OF THE NETSCAN PROGRAM.

NETSCAN checks files and other areas of the system that
can contain a computer virus. When a virus is found, NETSCAN
identifies the virus and the file or system area where it was
found.
NETSCAN examines files based on their extension. The default
extensions supported by NETSCAN are .APP, .BIN, .COM, .EXE, .OV?,
.PGM, .PIF, .PRG, .SWP, .SYS, and .XTP. Additional extensions
can be added with the /EXT option, or use the /A option to check
all files on the disk.


Valid options for NETSCAN are:

NETSCAN d1: ... d26: /? /A /AF filename /BELL /CF filename /CHKHI
/D /E .xxx .yyy .zzz /EXT filename /FAST
/FR /H /HELP /HISTORY filename /M /NLZ
/NOBREAK /NOEXPIRE /NOMEM /NOPAUSE /NPKL
/REPORT filename /RF filename /SAVE
/SP /SUB /UNATTEND @filename

Options are:

/? /H /HELP       - Display help screen
/A                - Scan all files, including data, for viruses
/AF filename      - Store recovery data/validation codes to file
/BELL             - Beep whenever a virus is found
/CF filename      - Check for viruses using recovery data/
                    validation codes stored in filename
/CHKHI            - Check memory from 0Kb to 1088Kb
                    (on workstation NETSCAN is run from)
/D                - Overwrite and delete infected file
/E .xxx .yyy      - Scan overlay extensions .xxx .yyy .zzz
/EXT filename     - Scan using external virus data file
/FAST             - Speed up NETSCAN's output
                    (see below for specifics)
/FR               - Display messages in French
/HISTORY filename - Create infection log, appending to old log
/M                - Scan memory for all viruses
                    (see below for specifics)
/NLZ              - Skip internal scan of LZEXE-compressed files
/NOBREAK          - Disable Ctrl-C and Ctrl-Brk during scanning
/NOEXPIRE         - Do not display expiration notice
/NOMEM            - Skip memory checking
/NOPAUSE          - Disable screen pause when scanning
/NPKL             - Skip internal scan of PKLITE-compressed files
/REPORT filename  - Create infection log, deleting old log
/RF filename      - Remove recovery data/validation codes stored
                    in filename
/SAVE             - Save specified command line options as new
                    defaults
/SP               - Display messages in Spanish
/SUB              - Scan subdirectories under a subdirectory
/UNATTEND         - Scan using DOS critical error handler
@filename         - Scan using options from configuration file

(d1: ... d26: indicate drives to be scanned)


The /A option checks all files on the drive scanned. This
substantially increases the time required to scan disks, so
it is recommended this switch only be used when installing new
software or if a file-infecting virus has been found. This
option takes priority over the /E option.

The /AF option logs recovery data and validation codes
for .COM and .EXE files on the network drive to a user-
specified file that can be located on any drive. The size of
the log file will be about 20Kb for every 1,000 files validated.
The syntax is /AF filename, where "filename" is the path and
file where recovery data and validation codes are stored.

The /BELL option will cause NETSCAN to beep each time a
computer virus is found.

The /CF option checks recovery data and validation codes
added by the /AF option. The syntax is /CF filename, where
"filename" is the path and file name where recovery data
and validation codes are stored.

The /CHKHI option checks for computer viruses in the memory
between 640Kb and 1,088Kb on the workstation running NETSCAN,
a region that can be used on AT (286) and 386 systems. On XT
systems with extended memory cards installed, this will cause the
first 64K of RAM to be scanned again. This option cannot be used
with the /NOMEM option.

The /D option tells NETSCAN to prompt the user to
overwrite and delete an infected file when one is found. A file
erased by the /D option cannot be recovered. If the CLEAN-UP
program is available, it can be used to disinfect the file.

The /E option allows the user to specify an extension or
set of extensions to scan. Extensions should include a period
"." and should also be separated by a space after the /E. Up to
three extensions may be added with the /E. For more extensions,
use the /A option.




The /EXT option allows NETSCAN to search for viruses from
a text file containing user-defined search strings in addition
to the viruses that NETSCAN already identifies. The syntax for
using the external virus data file is /EXT d:filename, where d:
is the drive name and filename is the name of the external virus
data file. For instructions on how to create an external virus
data file, refer to Appendix A.

NOTE: The /EXT option provides users with the ability to add
strings for detection of viruses on an interim or
emergency basis. When used with the /D option, it will
overwrite-and-delete infected files. This option is not
for general use and should be used with caution.

The /FAST option will speed NETSCAN up by displaying fewer
messages on the screen, skipping checking inside of LZEXE- and
PKLITE-compressed files, and examining a smaller portion of
files during scanning. This may reduce the accuracy of NETSCAN.

The /FR option tells NETSCAN to output all messages in
French instead of English. The /FR option cannot be used with
the /SP (Spanish) option.

The /HISTORY option saves a list of infected files to
disk. The list is saved to disk as an ASCII text file. If a
list exists, then the results of the current scan will be added
to the end. The syntax is /HISTORY filename, where "filename"
is the path and name of the report file.

The /M option tells NETSCAN to check system memory on the
workstation for all known computer viruses that can inhabit
memory. NETSCAN by default only checks memory for critical and
"stealth" viruses, that is, viruses that can cause catastrophic
damage or spread the virus infection during the scanning process.
By default, NETSCAN will check memory for the following viruses:

1024            1253            1554            1963
1971            2560            337             3445-Stealth
4096            512             Anthrax         Antitelefonica
Brain           Caz             CD              Dark Avenger
Dir-2           Doom II         Empire          Fish
Flu-2           Form            Greemlin        Irish
Joshi           Leech           Lozinsky        Microbes
Mirror          Nomenklatura    NOP             No-Int (Stoned III)
P1R (Phoenix)   Phantom         Plastique       Pogue
SBC             Sentinel        Stoned          Sunday-2
SVC             Taiwan3         Tequila         Turbo (Polish-2)
Twin-351        V2100           V2P6            Whale

If one of these viruses is found in memory, NETSCAN will stop and
tell the user to power down, and reboot the system from a virus-
free system-bootable disk.


NOTE: Using the /M option with another anti-viral software
package may result in false alarms if the other package
does not remove its virus search strings from memory.

The /NLZ option tells NETSCAN not to look inside files
compressed with LZEXE, a file compression program. NETSCAN will
still check the LZEXE-compressed files for viruses that have
infected after file compression.

The /NOBREAK option prevents Ctrl-C or Ctrl-Brk from
aborting the scanning process.

The /NOMEM option is used to turn off all memory checking
for viruses in order to speed up the scanning process. It
should only be used when a system is known to be virus-free.
The /NOMEM option can not be used with the /CHKHI or /M options.

The /NOEXPIRE option disables the message that NETSCAN
displays after seven months warning that it may no longer
be current with respect to known computer viruses.

The /NOPAUSE option disables the "More? (H = Help )" prompt
that is displayed when NETSCAN fills up a screen with messages.
This allows NETSCAN to check networks with multiple infections without
requiring operator assistance.

The /NPKL option tells NETSCAN not to look inside files
compressed with PKLITE, a file compression program. NETSCAN will
still check the PKLITE-compressed files for viruses that have
infected after file compression.

The /REPORT option saves a list of infected files to
disk. The list is saved to disk as an ASCII text file. If a
list exists, then it will be overwritten with the new list.
The syntax is /REPORT filename, where "filename" is the path
and name of the report file.

The /RF option will remove recovery data and validation
codes for files from the recovery data and validation code
file. The syntax is /RF filename, where "filename" is the path
and file where recovery data and validation codes are stored.













The /SAVE option is used to store NETSCAN options for
subsequent executions of NETSCAN. Options are stored by
modifying the NETSCAN.EXE executable file. For example:

NETSCAN F: /HISTORY C:VIRUS.LOG /NOMEM /UNATTEND /SAVE

will set the default options to scanning the F: drive with the
/HISTORY, /NOMEM, and /UNATTEND switches. If NETSCAN is run
with just the /SAVE switch, then all options are removed and
NETSCAN will run with its original settings.

If you do not wish to modify the NETSCAN.EXE file, use the
@filename option instead, which allows you to store the NETSCAN
options in a separate text file.

NOTE: VALIDATE 0.4 must be used to validate NETSCAN version 94 or
above if /SAVE is used. /SAVE directly modifies NETSCAN.EXE
and the validate codes will no longer match if an older
version of VALIDATE is used. VALIDATE 0.4 will generate
the correct validation results even if the /SAVE option
has been used. Third party file-integrity check programs
may not produce the same results after the /SAVE option
is used. The /SAVE option should be added to NETSCAN by the
Systems Administrator prior to final installation on PC's
if other integrity checking programs are in use.

The /SP option tells NETSCAN to output all messages in
Spanish instead of English. This option can not be used with
the /FR (French) option.

The /SUB option scans all subdirectories inside a subdirectory.
Previously, NETSCAN would only recursively check subdirectories
if a logical device (e.g., C:) was scanned.

The /UNATTEND option tells NETSCAN to use the DOS critical
error handler when accessing files. If NETSCAN accesses an open
or non-shareable file, it will continue scanning instead of
displaying an error message. This option requires DOS 3.10 or above.

NOTE: The /UNATTEND switch is required if you are running
NETSCAN against a Novell NetWare file server.

The @FILENAME option allows the user to store a list of
options and/or system areas to be scanned in a configuration
file. Options need to be separated by a space, while system
areas (disks, subdirectories, or files) need to be on separate
lines. A sample file might look like this:

/HISTORY C:\VIRUS.LOG /NOMEM /UNATTEND
F:
X:\PROGRAMS\UTILS

The first line contains the NETSCAN options while other lines
contain the names of disks, subdirectories, or files to scan.
The configuration file should be an ASCII text file. If a word
processor is used to create the list, be sure to save as ASCII.









































EXAMPLES

The following examples show different option settings:

NETSCAN F:
    To scan drive F:

NETSCAN F: G: H:
    To scan drives F:, G:, and H:

NETSCAN F: /CF C:\NETSCAN.CRC
    To scan files on drive F: and check for unknown
    viruses with recovery/validation data file NETSCAN.CRC.

NETSCAN Y: /D /A
    Scans all files on drive Y: and prompts for erasure of
    any infected files, if found.

NETSCAN F: /UNATTEND
    To scan drive F: on a Novell NetWare network.

NETSCAN F: G: H: /E .WPM
    Scans drives F:, G:, and H: including .WPM files.

NETSCAN Z: /EXT A:SAMPLE.ASC /BELL
    To scan drive Z: for known computer viruses and also
    for viruses added by the user via the external virus
    data file option, and beep whenever a virus is found.


























EXIT CODES

After NETSCAN has finished running, it will set the DOS
ERRORLEVEL. ERRORLEVELs are used in batch files to pass the
results of a program's actions. The ERRORLEVELs returned by
NETSCAN are:

ERRORLEVEL | DESCRIPTION
-----------+----------------------------------------------
     0     | No viruses found
     1     | One or more viruses found
     2     | Abnormal termination (program error)
     3     | One or more uncertified files found
     4     | Ctrl-C or Ctrl-Break aborted scan

If a user stops the scanning process, NETSCAN will set the
ERRORLEVEL to 3. The /NOBREAK option can be used to prevent
users from stopping NETSCAN.


VIRUS REMOVAL

What do you do if a virus is found? You can contact McAfee
Associates for help by BBS, FAX, telephone, Internet, or
CompuServe. There is no charge for support calls to McAfee
Associates.
The CLEAN-UP universal virus disinfection program can
disinfect virtually all reported computer viruses. It is
updated with each release of the NETSCAN program to remove new
viruses. CLEAN-UP can be downloaded from McAfee Associates'
BBS, the mcafee.COM site on the InterNet, the Computer Virus
Help Forum on CompuServe, or from any of the agents listed in
the enclosed AGENTS.TXT text file.
It is strongly recommended that you get experienced help in
dealing with viruses if you are unfamiliar with anti-virus
software and methods. This is especially true for 'critical'
viruses and partition table/boot sector infecting viruses, as
improper removal of these viruses can result in the loss of
all data and the use of the infected disk(s). [For a listing of
critical viruses, see the /M switch listed under OPTIONS above.]
For qualified assistance in removing a virus, please
contact McAfee Associates directly or any of the Authorized
McAfee Associates Agents in your area. Agents may charge McAfee
Associates' normal support rates for their services.
If you wish to remove a file-infecting virus manually, you
can run NETSCAN with the /A and /D switches to erase all infected
files.
Before removing a boot sector or partition table-infecting
virus, it is recommended that you cold boot the infected PC from
a clean DOS disk and backup any critical data.




LICENSE

NETSCAN may be copied and distributed for testing and
evaluation purposes on a trial period of five (5) days. If you
wish to use NETSCAN after the trial period, a license is
required. Licenses are available for internal use within
businesses, organizations, government agencies, and external
use by repair centers and other service organizations. License
fees are based on the size of the network or number of copies
required. Information on licensing can be obtained from McAfee
Associates or any of its Authorized Agents listed in the
accompanying AGENTS.TXT file.


TECH SUPPORT

For fast and accurate help, please have the following
information ready when you contact McAfee Associates:

- Program name and version number.

- Type of network and workstations

- Version of DOS plus any TSRs or device drivers in use
on workstation.

- Printouts of your CONFIG.SYS, AUTOEXEC.BAT and network
login files.

- A printout of what is in memory from the MEM command
(DOS 4 and above users only) or a similar utility.

- The exact problem you are having. Please be as
specific as possible. Having a printout of the
screen and/or being at your computer will be helpful.

McAfee Associates can be contacted by BBS, CompuServe, FAX, or
InterNet 24 hours a day, or by telephone at (408) 988-3832,
Monday through Friday, 7:00AM to 5:30PM Pacific Time.

McAfee Associates               (408) 988-3832 office
3350 Scott Blvd. Bldg. 14       (408) 970-9727 fax
Santa Clara, CA 95054-3107      (408) 988-4004 BBS (25 lines)
U.S.A                           USR HST/v.32/v.42bis/MNP1-5
                                CompuServe GO MCAFEE
                                Internet [email protected]

If you are overseas, there may be an Authorized McAfee Associates
Agent in your area. Please refer to the AGENTS.TXT file for a
listing of McAfee Associates Agents for support or sales.




APPENDIX A: Creating a Virus String File with the /EXT Option

NOTE: The /EXT option is intended for emergency and research
use only. It is a temporary method for identifying new
viruses prior to the subsequent release of NETSCAN. A
thorough understanding of viruses and string-search
techniques is advised for using this option. A string
length of 10 to 15 bytes is recommended.

The External Virus Data file should be created with an
editor or a word processor and saved as an ASCII text file. Be
sure each line ends with a Carriage Return/Line Feed pair.


The virus string file uses the following format:

#Comment about Virus_1
"aabbccddeeff..." Virus_1_Name
#Comment about Virus_2
"gghhiijjkkll..." Virus_2_Name
.
.
"uuvvwwxxyyzz..." Virus_n_Name


Where aa, bb, cc, etc. are the hexadecimal bytes that you wish
to scan for. Each line in the file represents one virus. The
Virus Name for each virus is mandatory, and may be up to 25
characters in length. The double quotes (") are required at the
beginning and end of each hexadecimal string.
NETSCAN will use the string file to search memory on the
workstation and all .COM and .EXE files, and overlay files with
the extensions .APP, .BIN, .COM, .EXE, .OV?, .PGM, .PIF, .PRG,
.SWP, .SYS, and .XTP.
Virus strings may contain wild cards. The two wildcard
options are:

FIXED POSITION WILDCARD
The question mark "?" may be used to represent a wildcard
in a fixed position within the string. For example, the string:

"E9 7C 00 10 ? 37 CB"

would match "E9 7C 00 10 27 37 CB", "E9 7C 00 10 9C 37 CB", or
any other similar string, regardless of the fifth byte.









RANGE WILDCARD

The asterisk "*", followed by a range number in parentheses
"(" and ")", is used to represent a variable number of adjoining
random bytes. For example, the string:

"E9 7C *(4) 37 CB"

would match "E9 7C 00 37 CB", "E9 7C 00 11 37 CB", and
"E9 7C 00 11 22 37 CB". The string "E9 7C 00 11 22 33 44 37 CB"
would not match since the distance between 7C and 37 is greater
than four bytes. You may specify a range of up to 99 bytes.
Up to 10 different wildcards of either kind may be used in one
virus string.


COMMENTS
A pound sign "#" at the beginning of a line will denote a
comment. Use this for adding notes to the external virus data
file. For example:

#New .COM virus found in file FRITZ.EXE from
#Schneiderland on 01-22-91
"53 48 45 45 50" Fritz-1 [F-1]

gives a description of the virus, name of the infected file,
where and when it was found, etc.
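
The file format, limits, and both wildcard types described in this appendix, as an added Python example (not part of NETSCAN or of the original documentation): a checker that parses an external virus data file, rejects entries that break the stated limits, and tries the strings against sample bytes before the file is used together with /D. It assumes that *(n) spans 0 to n bytes, since the text only shows gaps of 1 to 3 bytes matching; the function names and the sample file are constructed for this example.

```python
import re
from typing import NamedTuple

# Limits stated in Appendix A: name length, range size, wildcards per string.
MAX_NAME, MAX_RANGE, MAX_WILDCARDS = 25, 99, 10

ENTRY_RE = re.compile(r'^"([^"]*)"\s+(\S.*?)\s*$')   # "hex string" Virus_Name
TOKEN_RE = re.compile(r'\s*(?:\*\((\d+)\)|(\?)|([0-9A-Fa-f]{2}))')


class Signature(NamedTuple):
    name: str
    pattern: re.Pattern
    literal_bytes: int   # Appendix A recommends strings of 10 to 15 bytes


def compile_string(name, hex_string):
    """Translate one search string into a bytes regex, enforcing the limits."""
    parts, wildcards, literal, pos = [], 0, 0, 0
    text = hex_string.rstrip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unrecognised token at column {pos + 1}")
        rng, single, hexbyte = m.groups()
        if hexbyte:
            parts.append(re.escape(bytes.fromhex(hexbyte)))
            literal += 1
        elif single:
            parts.append(b".")                 # "?": exactly one byte, any value
            wildcards += 1
        else:
            n = int(rng)
            if not 1 <= n <= MAX_RANGE:
                raise ValueError(f"range *({n}) is outside 1..{MAX_RANGE}")
            parts.append(b".{0,%d}" % n)       # assumption: 0..n bytes of any value
            wildcards += 1
        pos = m.end()
    if literal == 0:
        raise ValueError("string contains no literal bytes")
    if wildcards > MAX_WILDCARDS:
        raise ValueError(f"{wildcards} wildcards, limit is {MAX_WILDCARDS}")
    if len(name) > MAX_NAME:
        raise ValueError(f"name is longer than {MAX_NAME} characters")
    # DOTALL is required: without it a wildcard would not match the byte 0x0A.
    return Signature(name, re.compile(b"".join(parts), re.DOTALL), literal)


def load_signatures(text):
    """Return (signatures, errors); errors are (line number, message) pairs."""
    sigs, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):   # blank line or comment
            continue
        m = ENTRY_RE.match(line)
        try:
            if not m:
                raise ValueError('expected "hex string" Virus_Name')
            sigs.append(compile_string(m.group(2), m.group(1)))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return sigs, errors


def scan(data, sigs):
    """Names of all signatures whose string occurs anywhere in data."""
    return [s.name for s in sigs if s.pattern.search(data)]


# Constructed sample file: the three strings quoted in Appendix A plus two
# deliberately invalid entries (range above 99, non-hexadecimal digit).
SAMPLE = (
    "#Constructed sample file for this example\r\n"
    '"E9 7C 00 10 ? 37 CB" Fixed_Wildcard_Demo\r\n'
    '"E9 7C *(4) 37 CB" Range_Wildcard_Demo\r\n'
    '"53 48 45 45 50" Fritz-1 [F-1]\r\n'
    '"E9 7C *(120) 37 CB" Range_Too_Large\r\n'
    '"E9 7G 00" Bad_Hex\r\n'
)

if __name__ == "__main__":
    sigs, errors = load_signatures(SAMPLE)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
    for s in sigs:
        print(f"{s.name}: {s.literal_bytes} literal bytes")
    print(scan(bytes.fromhex("E97C00109C37CB"), sigs))
```

All three strings quoted in the appendix carry fewer literal bytes than the recommended 10 to 15, which is the figure to look at before pairing a new string with /D.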




























  3 Responses to “Category : System Diagnostics for your computer, Archive : NETSC97.ZIP, Filename : NETSCN97.DOC”

  1. Very nice! Thank you for this wonderful archive. I wonder why I found it only now. Long live the BBS file archives!

  2. This is so awesome! 😀 It’d be cool if you could download an entire archive of this at once, though.

  3. But one thing that puzzles me is the “mtswslnkmcjklsdlsbdmMICROSOFT” string. There is an article about it here. It is definitely worth a read: http://www.os2museum.com/wp/mtswslnk/