What's New in NetShield NT v4.0.3a (4019)

Copyright (c) 1994-99 by Network Associates, Inc., and its Affiliated Companies. All Rights Reserved.

***** IMPORTANT *****

This version of NetShield NT includes the 4019 DAT Files for detection and cleaning of the W97M/Melissa virus.

Thank you for using NetShield NT. This What's New file contains important information regarding this release. Network Associates strongly recommends that you read the entire document.

Network Associates welcomes your comments and suggestions. Please use the information provided in this file to contact Customer Care or technical support.

**WARNING: Do not attempt to install this version of NetShield on a Digital Equipment (DEC) Alpha system.**

**IMPORTANT: This version of NetShield NT DOES include support for Windows NT 3.51. Network Associates recommends that you install Windows NT Service Pack 5 in order to use NetShield with this Windows NT version. Note also that to run NetShield NT with Windows NT v4.0, Network Associates recommends that you have Windows NT v4.0 Service Pack 4 installed.**

___________________
WHAT'S IN THIS FILE

- New Features
- Known Issues
- Installation
- Performing a "Silent" Installation
- Documentation
- Frequently Asked Questions
- Additional Information
- Contacting Network Associates

____________
NEW FEATURES

1. A new Network Associates scanning engine is at the heart of NetShield NT v4.0.3a. Created and backed by the combined efforts of the McAfee Labs and Dr Solomon anti-virus research teams, this engine delivers outstanding virus detection and cleaning rates.

2. NetShield now provides anti-virus protection for key Microsoft BackOffice server components, including Microsoft Clustering Server and Microsoft Terminal Server. NetShield is Cluster Server compatible, but not cluster aware. NetShield protection also extends to file system support for Microsoft's Distributed File System.

3. Alert Manager can now direct alert messages to McAfee Management Edition v2.0 for network-wide administrative convenience.

4. The new scanning engine incorporated in NetShield NT comes with improved heuristic scanning capability that detects previously unidentified macro and file-infector viruses. The engine employs both positive heuristics, which allow it to look for "virus-like" characteristics in the files it scans, and negative heuristics, which allow it to look for file characteristics that indicate that questionable code does not result from a virus infection. As a result, the incidence of false virus identifications is very low. See "Additional Information" later in this file for more information.

5. You can use the NetShield Console to centrally configure, monitor, and initiate scan operations on Windows NT and NetWare servers where you have NetShield installed. You can run the Intel-based version of the console on both Windows NT, and Windows 95 or Windows 98, to perform remote administration.

6. This NetShield version features enhanced SNMP alerting capability for such SNMP management applications as HP OpenView.

7. NetShield includes support for the Banyan Vines network operating system. See "Additional Information" later in this file for more information.

8. NetShield NT supports Windows NT 5.0 BETA 2.

9. You can now enable or disable NetShield NT's on-access scanner both from the graphical user interface and from an NT Command Prompt window. To learn how to do so, see item 12 in "Additional Information" later in this file.

10. NetShield's Setup utility will seamlessly remove from your target server or workstation all existing NetShield NT and VirusScan for Windows NT versions earlier than v3.1.4a. Setup will also allow you to remove any version later than v3.1.4a and, if you wish, to preserve the settings you chose for that earlier version.

11. NetShield's Setup utility will remove all existing versions of Dr Solomon Anti-Virus Toolkit for Windows NT v7.74 and later.

* NEW VIRUSES DETECTED *

**** IMPORTANT NOTE ****
This release of NetShield NT functions ONLY with the 40XX .DAT file series. Network Associates recommends that you use this NetShield NT release with the 4014 .DAT files included with the program package or series 40XX .DAT files released later. You CANNOT use NetShield NT with .DAT file versions from the 30XX, the 97XX or the 98XX series, nor may you use the .DAT files included in this release with 2.x or 3.x versions of NetShield NT.
****

Because the previous NetShield scanning engine and the new Network Associates scanning engine identify and classify viruses in different ways, the .DAT files included with this NetShield release do not include a list of viruses cleaned. Future releases will incorporate this information, once McAfee Labs adopts a standard virus naming convention.

With this .DAT file release, the new scanning engine detects a total of about 41,990 viruses and variants, Trojan horse files, and other malicious software. Of this number these 49 viruses are new:

    Alien.480               Anti-AV                 AWME.1206
    Baloo.525               BugsBunny.ow            Callgirl.ow
    Deadman.576             Elsa.857                Gluk
    HLL.cmp.Friends.4544    HLL.cmp.MF.4480         HLL.cmp.MF.4496
    HLL.cmp.MF.4528         HLLP.Kobr.9488          HLLT.Zoom.5062
    IOTM.1009               Jura.3242               Keypress.1266a
    Lazarus.2222            LittleDevil.2109        Loose
    Luce.3600               Luce.3756               Luce.4200
    Lyceum.1832             Nympho                  QPrep.63
    Radiation.GR            Sahand.cmp.2382         SimpleMinded.ow
    Smgtest                 SOP.1364                Stoneheart.a
    Vacsina.dr              VS                      W97M/Allen
    W97M/Ethan.f            W97M/Melissa            W97M/Remplace.a
    W97M/Remplace.b         W97M/Twno.aw            WM/Julho.a
    WM/Julho.b              Xany.110a               XM/Hidemod.a
    XM/Hidemod.b            XM/Uedasan.a            Zorm.1475
    Zorm.1807

* NEW REMOVALS *

With this .DAT file release, the new scanning engine removes the 18 new viruses listed below. Network Associates software removes a virus either by deleting the infecting virus code from files or by deleting the file from your computer.

    Anti-AV.GR              Gluk.GR                 Loose.GR
    Nympho.GR               Radiation.GR            Smgtest.GR
    VS.GR1                  W97M/Allen              W97M/Ethan.f
    W97M/Melissa            W97M/Remplace.a         W97M/Remplace.b
    W97M/Twno.aw            WM/Julho.a              WM/Julho.b
    XM/Hidemod.a            XM/Hidemod.b            XM/Uedasan.a

____________
KNOWN ISSUES

1. You may not connect to another server on the network to run an AutoUpgrade session from that computer. You can, however, connect to another server, schedule an AutoUpgrade session, then disconnect to allow the remote server to run AutoUpgrade itself.

2. If you add the Simple Network Management Protocol service to your server setup after you have installed VirusScan, you must re-install VirusScan in order to use SNMP as an alerting option with Alert Manager.

2. If you have manually uninstalled a previous installation of NetShield for Windows NT, and have not rebooted, a silent installation of NetShield v4.0.3a will fail.

3. When installing using the default Windows NT SYSTEM account, some product functionality is not available. This includes: alert forwarding to other NT servers, sending alerts to printers, scheduled AutoUpdates from NT file shares, remote event logging, and scheduled scans of network drives.

4. To upgrade a component of NetShield, you must perform a full installation. If you perform only a partial installation, an error message will appear when you restart the system.

5. The Network Associates McShield Service will not run when you start the server if you give it a custom account. You must run this service with a system account. During installation, however, Setup installs the McShield service to run with a system account, whether or not you specify a custom account for the rest of the installation.

6. If you install NetShield NT on a Lotus Notes server, you must exclude the Lotus Notes SMTP working directory from NetShield NT on-access scan operations. To learn how to exclude directories, see the NetShield NT User's Guide.

7. NetShield will send several alert messages if it finds a virus when it scans the boot sector on a floppy disk. Although ordinarily this might indicate that the disk has several separate infections, here the messages all result from the single infection. NetShield generates several messages because it scans the floppy disk and detects the same virus each time Windows tries to mount the disk. If it cannot read a virus-infected boot sector on the floppy disk, Windows tries to mount the disk several times before it gives up. If you have NetShield's on-access scanner set to clean or delete infected files, subsequent scanning passes should not generate alert messages.

8. If you create a scan task in NetShield's Scan Wizard, then tell NetShield to start the task immediately without saving its settings, NetShield will start the task without creating a task entry in the AntiVirus Console window. This means that you cannot see task statistics if you close the Status window after the task starts, and it means that you cannot stop the scan operation once it's underway. To have more control over the scan operation, first save your settings, then start the scan operation from the AntiVirus Console window. When the task finishes, you can delete it from the task list.

9. If you disable the Network Associates Task Manager Service from the Windows NT Control Panel, NetShield's on-access scanning component will not disable correctly. Although the system tray icon will indicate that the on-access scanner is not active, the scanner will continue to monitor your system. If you choose not to install the Task Manager Service component during a custom installation, you will not be able to enable or disable the on-access scanning component.

10. Setup will not install some NetShield services correctly under these conditions:

    * If you have a folder or file named PROGRAM in your root directory--C:\PROGRAM, for example.

    * If you have a NETSHIELD directory where Setup expects to create the NetShield NT program directory. If, for example, you create a NETSHIELD folder in the path C:\Program Files\Network Associates, Setup will not install some NetShield services correctly.

    This same problem occurs during silent installations. To avoid this problem, delete any files or folders in the directories noted above, then run Setup and allow it to create the correct program directory structure during installation.

11. If you run an intensive series of scan operations on a Dell quad-processor system, NetShield will fail after a couple of hours of activity with a blue screen error. Installing Windows NT Service Pack 4 remedies this error. For more information about the issues surrounding this condition, see Document Q180648 in the Microsoft Knowledge Base.

12. Do not install NetShield NT to a shared drive on a cluster server. The program will not function correctly if the shared drive is part of a passive server within the cluster.

13. Do not install NetShield NT to a virtual server within a server cluster. Installing NetShield to a virtual server causes it to install only to the active server within the cluster. NetShield functions properly when you install it to a physical server instead.

14. Stopping any of the NetShield services in the Windows NT Services control panel can cause NetShield to lose track of the status of its on-access scanning component. For example, if you stop the McTaskManager or the McShield services, the system tray icon for the NetShield on-access scanner will indicate that the scanner is disabled. If you then right-click the icon, however, the shortcut menu will show Disable as a menu choice instead of Enable. Rather than stopping NetShield services to disable the scanner, use the NetShield interface to disable it. For more details, see item 12 in "Additional Information" later in this file.

15. NetShield no longer supports network scanning as a feature available through the user interface. You can enable this feature by changing a registry setting. To learn how to do this, see item 13 in "Additional Information" later in this file. Network Associates recommends that you leave this feature disabled and that you use NetShield to scan its host server for incoming and outgoing network traffic.

16. If you are running NetShield NT on a computer using Cheyenne Agent for Open Files or St. Bernard's Open File Agent, file rename operations may not function correctly.

17. If you click the Browse button during installation to choose a directory for NetShield's program files, you will see a Network button. Network Associates recommends that you do not install NetShield anywhere except to the local server. This button is a default feature of the Setup utility and does not function correctly in this version.

18. If you have Norton Utilities v2.0 installed, then you install NetShield, your system will halt with a blue-screen error in the RDR.SYS module as you try to restart it. A conflict with the Norton Unerase version included with this Norton Utilities release causes this error. To resolve this problem, install the latest Norton Utilities version available.

____________
INSTALLATION

* SYSTEM REQUIREMENTS *

NetShield requires Windows NT 4.0 Service Pack 4 to run. Before you install NetShield, verify that your system has Windows NT 4.0 and NT Service Pack 4 installed, then follow the steps below.

If you plan to run NetShield NT with Windows NT 3.51, verify that you have installed Windows NT v3.51 Service Pack 5. NetShield NT functions best with, but does not require, Service Pack 5.

* INSTALLATION STEPS *

1. Make sure you have Administrator rights for the server on which you are installing NetShield.

2. Run SETUP.EXE, then follow the prompts.

NOTE: If you uninstall NetShield in order to install an upgrade, Network Associates recommends that you first reboot the system before you install the upgrade version.

__________________________________
PERFORMING A "SILENT INSTALLATION"

If you want to deploy NetShield as your standard anti-virus security application, you can use the program’s "silent" installation feature to set up NetShield on each network node with little or no interaction from end users or other administrators. During a silent installation, Setup does not display any of its usual wizard panels or windows, or offer the end user any configuration options. Instead, you preset these choices and run Setup in the background on each target server. If you wish, you can even install NetShield on any unattended servers, provided you have all of the necessary administrative privileges.

A silent installation consists of two major steps. First, you must install the same NetShield components on your administrative computer or server that you want Setup to install on each target server. A special Setup mode records the choices you make during installation and preserves them in a configuration file called SETUP.ISS.

Next, you must use a different Setup mode to install an identical NetShield configuration on each target system. Setup will use the SETUP.ISS file you create in the first step to guide each subsequent installation you perform.

NOTE: Silent installations use the system account for installation. This can mean that some NetShield features will not function after installation. See Known Issue #3 earlier in this file for details.

* RECORDING YOUR PREFERENCES *

To record your installation preferences, follow these steps:

1. Look for an existing SETUP.ISS file inside the \WINDOWS, the \I386 or the \WINNT folder on your administrative computer or server. If you find a file with that name there, rename it or delete it. As you record your installation preferences, Setup will save them into a new SETUP.ISS file in the same location.

2. Choose Run from the Start menu in the Windows taskbar. The Run dialog box will appear.

3. Type

       :\SETUP.EXE -R

   in the text box provided, then click OK. Here, represents the drive letter for your CD-ROM drive or the path to the folder that contains your extracted NetShield files. The -R tells Setup to run in its “record” mode.

   NOTE: If your NetShield copy came on a NetShield Security Suite or a Total Virus Defense CD-ROM disc, you must also specify which folder contains NetShield NT. See the CONTENTS.TXT file included with either product suite for details.

4. Follow the instructions outlined in each wizard panel to choose the components and the settings you want each of the target servers to have. Setup notes the choices you make at each step and records them as entries in SETUP.ISS.

   NOTE: Take particular care during this initial installation to respond to any questions that appear in the wizard panels and to follow the installation steps in the sequence presented, or the silent installation you run later will abort. You may not backtrack during the installation to change your settings. To specify different options, you will need to begin the installation again in order for Setup to record your choices correctly. If you plan to install NetShield on unattended workstations, be sure to specify options that do not require user interaction.

5. Once you’ve completed the installation, click Finish to quit Setup.

* EDITING THE SETUP.ISS FILE *

If you want Setup to silently install NetShield in a particular directory, or if you want Setup to silently uninstall previous NetShield versions before it installs another version, you will need to edit the SETUP.ISS file you created when you installed NetShield on your administrative computer or server.
To make network administration easier, for example, you might want to install all of your NetShield copies in the same directory on each network node.

SETUP.ISS is simply a specially formatted text file similar to configuration files such as WIN.INI or SYSTEM.INI. You can open it in any text editor and change any of its entries to suit your needs.

NOTE: Network Associates recommends that you make only limited changes to the SETUP.ISS file. If you want complete control over the installation process, or if you want to specify the configuration options for each copy of NetShield in advance, you can use ISeamless, a powerful Network Associates scripting tool designed for this purpose. Contact Network Associates technical support for details.

Specifying an Installation Directory

SETUP.ISS specifies an installation directory as a value for the variable szDir, which you’ll find listed beneath the header [SdSetupType-x]. By default, this entry reads:

    [SdSetupType-0]
    szDir=C:\Program Files\Network Associates\NetShield NT\
    Result=XXX

Possible values for XXX will normally include 301, 302, or 303, depending on which options you chose when you recorded your initial installation.

To specify a different installation directory, replace the path shown with the path you want. The installation directory you specify here will override the default installation directory on each target system.

To tell Setup to determine where to install the program files on the target computer, add 100 to the value shown at XXX so that, for example, 301 becomes 401. This tells each target computer to disregard the szDir variable and to assign a directory for the files that reflects the organization of that computer's operating system.

Uninstalling Previous NetShield Versions

To tell Setup to remove previous NetShield versions before installing an updated version, open SETUP.ISS in a text editor, scroll to the bottom of the file, then add this line:

    Preserve=0

Next, save the file in text format, then quit your text editor.

NOTE: Setup creates a unique SETUP.ISS file for each Network Associates product on each platform. You must use the file that corresponds to the operating system running on the target workstation. You may not, for example, use a SETUP.ISS file created during a VirusScan for Windows 95 installation to control a VirusScan for Windows NT installation.

Network Associates recommends that you use the SETUP.ISS file you created to perform a test installation on a single workstation before you use it to deploy NetShield across your network.

* RUNNING A SILENT INSTALLATION *

Once you have a SETUP.ISS file that lists all of the components and settings you want each server on your network to have, you can replicate these settings exactly for every NetShield copy you install.

You can run a silent installation in a variety of ways, and with different levels of interaction with network users. You can, for example, create a script for your users that runs a silent NetShield installation as soon as they connect to an authentication server, with no further interaction beyond that needed to log in. You can also ask your users or other administrators to run the installation from a designated server. Still other options include deploying NetShield through a network management application such as Zero Administration Client (ZAC) from Network Associates, System Management Server (SMS) from Microsoft, or similar packages.

Whichever method you choose, you must first prepare the NetShield package for installation, then run Setup in its silent mode. Follow these steps:

1. Copy the NetShield installation files from the NetShield CD-ROM disc or the folder on your administrative computer in which you store them to a NetShield directory on a central server. Your users or your network management application will install NetShield from this server.

2. Locate the SETUP.ISS file stored in the NetShield directory on the central server. Rename or delete this file.

3. Copy the SETUP.ISS file you created when you ran the recorded installation on your administrative computer to the NetShield directory on the central server. You’ll find the file you need to copy in the WINDOWS directory on your administrative computer.

Once you finish this step, your users or your network management application can run Setup in its silent mode to replicate the installation you recorded.

To run Setup in silent mode, include the line

    :\SETUP.EXE -S

in any login script you write or any instructions to your users that describe how to run Setup. In this line, represents the path to the folder on the server that contains the NetShield installation files and the SETUP.ISS file you created. The -S tells Setup to run in silent mode.

By default, Setup restarts the workstation when it has finished installing files. If you do not want Setup to reboot each target workstation, you must edit the SETUP.ISS file you created during your recorded installation. Here, you would change the value in the BootOption entry beneath the heading [sdFinishReboot - 0] from its current value to zero (0). This tells Setup not to force the target workstation to reboot.

As a further step toward enforcing a consistent anti-virus security policy across your network, you can also copy a configuration file with the options you want your users to have into the installation directory on each server. You can also use password protection to prevent unauthorized changes to the configuration settings you chose.
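
The SETUP.ISS edits described above (szDir, Result plus 100, Preserve=0 and BootOption=0) can be applied by script before the file is copied to the central server. The following is an added example, not part of the NetShield package or any Network Associates tool; the function name, its parameters and the sample file contents are constructed for illustration. It goes one step beyond the text by refusing to return a file in which a requested edit did not land.

```python
import re

SECTION_RE = re.compile(r"^\s*\[(.+)\]\s*$")
ENTRY_RE = re.compile(r"^\s*([A-Za-z]\w*)\s*=(.*)$")

# Constructed sample holding only the sections and entries named in the text.
# BootOption=3 is a made-up starting value, not taken from a real recording.
SAMPLE_ISS = (
    "[SdSetupType-0]\r\n"
    "szDir=C:\\Program Files\\Network Associates\\NetShield NT\\\r\n"
    "Result=301\r\n"
    "[sdFinishReboot - 0]\r\n"
    "BootOption=3\r\n"
)


def _base_name(header):
    """Map '[sdFinishReboot - 0]' or '[SdSetupType-1]' to a comparable name."""
    compact = re.sub(r"\s+", "", header).lower()
    return re.sub(r"-\d+$", "", compact)


def prepare_iss(text, install_dir=None, target_picks_dir=False,
                no_reboot=False, remove_previous=False):
    """Apply the documented SETUP.ISS edits and return the new file text.

    Raises ValueError instead of returning a file in which a requested edit
    did not land, so a broken response file is never deployed silently.
    """
    if install_dir is not None and target_picks_dir:
        raise ValueError("Result+100 tells Setup to ignore szDir; pick one")
    wanted = set()
    if install_dir is not None:
        wanted.add("szDir")
    if target_picks_dir:
        wanted.add("Result")
    if no_reboot:
        wanted.add("BootOption")

    newline = "\r\n" if "\r\n" in text else "\n"   # keep the file's line endings
    done, out, section = set(), [], None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        entry = ENTRY_RE.match(line)
        if header:
            section = _base_name(header.group(1))
        elif entry:
            key, value = entry.group(1), entry.group(2).strip()
            low = key.lower()
            if section == "sdsetuptype" and low == "szdir" and install_dir is not None:
                line = f"{key}={install_dir}"
                done.add("szDir")
            elif section == "sdsetuptype" and low == "result" and target_picks_dir:
                if value in ("301", "302", "303"):
                    line = f"{key}={int(value) + 100}"      # 301 -> 401
                elif value not in ("401", "402", "403"):    # already shifted is fine
                    raise ValueError(f"unexpected Result value {value!r}")
                done.add("Result")
            elif section == "sdfinishreboot" and low == "bootoption" and no_reboot:
                line = f"{key}=0"
                done.add("BootOption")
            elif low == "preserve" and remove_previous:
                continue        # drop any old entry; one is re-added at the bottom
        out.append(line)

    missing = wanted - done
    if missing:
        raise ValueError("entries not found: " + ", ".join(sorted(missing)))
    if remove_previous:
        out.append("Preserve=0")    # the text says to add this at the bottom
    return newline.join(out) + newline


if __name__ == "__main__":
    print(prepare_iss(SAMPLE_ISS, install_dir="D:\\AV\\NetShield NT\\",
                      no_reboot=True, remove_previous=True))
```

Run the edited file through a test installation on a single machine, as the text recommends, before placing it on the central server.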

To preset your configuration options so that NetShield installs with them already in place, use the Network Associates ISeamless scripting utility. This utility gives you complete control over installation and configuration options. Contact your sales representative or Network Associates technical support for details.

* COMPONENTS INSTALLED WITH NETSHIELD *

Component                        Supported Systems
---------                        -----------------
1. NetShield Console             Windows NT Servers
                                 Windows NT Workstations
                                 Windows 95 and Windows 98
2. NetShield Task Manager        Windows NT Servers only
3. McShield on-access scanner    Windows NT Servers only
4. Alert Manager                 Windows NT Servers only

* PRIMARY PROGRAM FILES FOR NETSHIELD *

Files located in the Install directory:
=======================================

1. Installed for the Alert Manager/Console/Server:

   README.1ST    = Network Associates information
   MCARCHIV.DLL  = Archive library file
   MCCOMM.DLL    = NetWare communications
   MCKRNL32.DLL  = Cross-platform file
   MCRPC.DLL     = RPC library
   MCRUTIL.DLL   = NetWare utility library
   MCUTIL32.DLL  = Multipurpose file
   SHUTIL.DLL    = NT utility library
   AMGRCNFG.EXE  = Alert Manager configuration program
   MCSEVSHL.EXE  = Service installation
   SCNCFG32.EXE  = Task configuration
   SCNSTAT.EXE   = Task statistics
   SHCFG32.EXE   = On-access scanning configuration
   SHSTAT.EXE    = Shield status monitor program
   SVCPWD.EXE    = Service account configuration program
   VALIDATE.EXE  = McAfee file validation program
   VIRNOTFY.EXE  = Notification utility
   WCMDR.EXE     = Uninstall helper
   MCCONSOL.HLP  = Console help
   PKGDESC.INI   = Update description file
   WCMDR.INI     = Uninstall helper
   WCMDRSIL.INI  = Silent uninstall helper
   DEISL1.ISU    = Uninstall file
   PACKING.LST   = Packing list
   NAIFILTR.SYS  = System files
   RESELLER.TXT  = Network Associates authorized resellers
   WHATSNEW.TXT  = This document

2. Installed for Alert Manager:

   SAMPLE.CMD    = Sample alert command file
   DMIALERT.DLL  = DMI alerting library
   MCALSNMP.DLL  = SNMP alerting
   MCSERVIC.DLL  = Service installation library
   POWERP32.DLL  = Alert manager paging
   AMGRSRVC.EXE  = Alert manager service program
   ALRTMGR.HLP   = Alert manager help file
   ANTIVIRI.MIB  = SNMP trap template
   NAI.MIB       = SNMP trap template
   MODEMS.TXT    = List of modems and initialization strings
   OHNO.WAV      = Alert message sound file
   WARNING.WAV   = Default alert sound file
   CENTALRT.TXT  = Centralized alerting file

3. Installed for the Console:

   SHIELD.CNT    = Help link file
   BROWSENT.DLL  = NT browser library
   INETWH16.DLL  = Help file library
   INETWH32.DLL  = Help file library
   REGEMUL.DLL   = Registry emulator library
   IMPTASK.EXE   = Import task file
   MCCONSOL.EXE  = Console manager
   MCREGEDT.EXE  = McAfee registry editor
   MCUPDATE.EXE  = AutoUpdate file
   SETBROWS.EXE  = Sets default browser
   SHIELD.HLP    = On-access scanning help

4. Installed for the NetShield Task Manager:

   SCAN32.EXE    = On-demand scanner
   VIRUSCAN.CNT  = Help link file
   CLEAN.DAT     = Virus clean definition data
   NAMES.DAT     = Virus names definition data
   SCAN.DAT      = Virus definition data
   LICENSE.DAT   = Virus definition data
   MESSAGES.DAT  = Virus definition data
   SHLDMSG.DAT   = Virus definition data
   MCSCAN32.DLL  = Scan32 main library
   MCSERVIC.DLL  = Service installation library
   VSTSKMGR.EXE  = NetShield Task Manager service
   MCSHIELD.EXE  = NetShield on-access service
   NAIANN.DLL    = Library file that handles communications between the McShield service and the Task Manager service
   VIRUSCAN.HLP  = Scan 32 help
   NETSHIELD ACTIVITY LOG.TXT = NetShield Activity Log
   DEFAULT.VSC   = Default scan32 values

Files located in %SYSTEMROOT%\SYSTEM32:
=======================================

1. Installed for the Console/Server/Alert Manager:

   CTL3D32.DLL   = 32-bit 3D Windows controls library
   DSSDATA.DLL   = on-access scanning library

Files located in %SYSTEMROOT%\SYSTEM32\DRIVERS:
===============================================

1. Installed for the on-access scanner:

   NAIFSREC.SYS  = System files

* TESTING YOUR INSTALLATION *

The Eicar Standard AntiVirus Test File is a combined effort by anti-virus vendors throughout the world to implement one standard by which customers can verify their anti-virus installations. To test your installation, copy the following line into its own file, then save the file with the name EICAR.COM.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The file size will be 69 or 70 bytes.

Next, start your anti-virus software and allow it to scan the directory that contains EICAR.COM. When your software scans this file, it will report finding the EICAR virus.

Note that this file is NOT A VIRUS. Delete the file when you have finished testing your installation to avoid alarming unsuspecting users.

* UNINSTALLING NETSHIELD *

To remove NetShield from your server, run the uninstallation utility that comes with the program. You can run this utility in normal or "silent" mode. To do so, follow these steps:

1. Open a Command Prompt window in Windows NT.

2. Type either of these lines at the command line:

   a. To uninstall NetShield with no special options, type

          X:\Progra~1\Networ~1\NetShi~1\wcmdr.exe

      followed by this argument:

          -iD:\PROGRA~1\NETWOR~1\NETSHI~1\wcmdr.ini

      Here X: represents the drive on which you have NetShield installed. If you have installed NetShield to a different drive or directory, substitute the correct path at the command line. Both the command and its argument should appear on the same line.

   b. To uninstall NetShield "silently," type:

          X:\Program Files\Network Associates\NetShield NT\wcmdr.exe

      followed by this argument:

          -iD:\PROGRA~1\NETWOR~1\NETSHI~1\wcmdrsil.ini

      Again, X: represents the drive on which you have NetShield installed. If you have installed NetShield to a different drive or directory, substitute the correct path at the command line. Both the command and its argument should appear on the same line.

* UNINSTALLING NETSHIELD WITHOUT THE UNINSTALLATION UTILITY *

1. Before starting, follow these two substeps:

   a. Run the Windows NT utility RDISK to create an emergency repair disk.

   b. Run the command UNLODCTR MCSHIELD from the Windows NT command line to stop the registry from recording performance counter information for the McShield service.

2. Open the Windows NT Services Control Panel, then stop the Network Associates Task Manager service, the Network Associates McShield service, and the Network Associates AlertManager service.

3. Stop the NetShield console if it is running.

4. Use the NT Task Manager to end the SHSTAT process.

5. If you use SNMP, stop the SNMP service in Control Panel/Services.

6. Delete the NetShield installation directory (the directory that contains the NetShield executables).

7. Delete this device driver file from %SYSTEMROOT%\SYSTEM32\DRIVERS:

       NAIFSREC.SYS

   Delete this file from %SYSTEMROOT%\SYSTEM32\:

       DSSDATA.DLL

8. If you are using Windows NT 4.0 and if NetShield was set to load at startup, remove the following registry keys:

       HKLM\software\microsoft\windows\CurrentVersion\Run\Shstatexe
       HKLM\software\microsoft\windows\CurrentVersion\uninstall\NetShield NT

9. Remove NetShield installation registry keys:

       HKLM\software\mcafee\mcalsnmp
       HKLM\software\network associates\Netshield NT
       HKLM\software\mcafee\virusscan
       HKLM\software\mcafee\alertmanager

   (Do not remove the alertmanager key if you have other Network Associates products installed that use Alertmanager.)

10. Remove NetShield device driver and service registry keys:

       HKLM\system\CurrentControlSet\Services\Alertmanager
       HKLM\system\CurrentControlSet\Services\NaiFilter
       HKLM\system\CurrentControlSet\Services\NaiFsrec
       HKLM\system\CurrentControlSet\Services\McShield
       HKLM\system\CurrentControlSet\Services\McTaskManager

11. If you are using Windows NT 4.0 and the context-sensitive scanning option was installed, remove the following registry keys:

       HKLM\software\classes\comfile\shell\virusscan
       HKLM\software\classes\directory\shell\virusscan
       HKLM\software\classes\drive\shell\virusscan
       HKLM\software\classes\exefile\shell\virusscan
       HKLM\software\classes\word.document.6\shell\virusscan
       HKLM\software\classes\word.document.8\shell\virusscan
       HKLM\software\classes\word.template\shell\virusscan

12. If you are using Windows NT 4.0 and you want to remove the Scan for Viruses right-click option, remove the following registry keys:

       HKCR\comfile\shell\VirusScan
       HKCR\Directory\shell\VirusScan
       HKCR\Drive\shell\VirusScan
       HKCR\exefile\shell\VirusScan
       HKCR\Excel.Addin\shell\VirusScan
       HKCR\Excel.Chart.5\shell\VirusScan
       HKCR\Excel.Macrosheet\shell\VirusScan
       HKCR\Excel.Sheet.5\shell\VirusScan
       HKCR\Excel.Template\shell\VirusScan
       HKCR\Excel.Workspace\shell\VirusScan
       HKCR\Excel.XLL\shell\VirusScan
       HKCR\exefile\shell\VirusScan
       HKCR\WinZip\shell\VirusScan
       HKCR\Word.Document.6\shell\VirusScan
       HKCR\Word.Template\shell\VirusScan

13. To remove SNMP extension agent, remove the following registry value:

       HKLM\system\CurrentControlSet\services\SNMP\parameters\ExtensionAgent\McAlSNMP

14. Since entries in HkeyClassesRoot are not derived from a hive, it is unnecessary to delete these keys manually. When you reboot, NetShield-specific keys under HkeyClassesRoot will be removed.

15. Reboot the system.

* CREATING AN EMERGENCY DISK *

This version of NetShield NT includes a utility that allows you to create an emergency boot disk that can scan your NetShield server for boot-sector viruses. Use this disk to restart your server if NetShield detects a boot-sector virus during installation, or to scan for boot-sector or memory-resident viruses any time thereafter.
The emergency disk utility consists of a floppy disk image file (EDISK.IMG), a disk-copy program (NAIDSKIM.EXE), and a batch file (MAKEDISK.BAT) that starts the utility to copy the disk image. To create the emergency disk, follow these steps: 1. Click Start in the Windows taskbar, then choose Run. 2. Click Browse in the Run dialog box to open a dialog box you can use to locate the file MAKEDISK.BAT. You'll find this file in the \NetShield\EDU directory. 3. Choose the file, then click OK in the Run dialog box to start the batch file. The batch file will open a Command Line Prompt window and will ask you to insert a write-capable floppy disk into your floppy drive. 4. Insert a blank, unlocked floppy disk into your floppy drive, then press any key on your keyboard to continue. MAKEDISK.BAT will copy these files onto the floppy disk: AUTOEXEC.BAT BIOS.SYS BOOTSCAN.EXE CLEAN.DAT COMMAND.COM GETREPLY.EXE KERNEL.SYS NAMES.DAT SCAN.DAT 5. When the batch file has finished, press any key on your keyboard to continue. 6. Click the close box in the upper right corner of the Command Prompt window to exit. 7. Copy to the disk you just created any other utilities you need to start your computer, debug your system software, manage any extended or expanded memory you have, or perform other tasks at startup. If you use a disk compression utility, be sure to copy the drivers you need to uncompress your files. 8. When you have finished copying files to the emergency disk, remove it from your floppy drive, label it, lock it, and store it in a safe place. NOTE: A locked floppy disk shows two holes near the edge of the disk opposite the metal shutter. If you don’t see two holes, look for a plastic sliding tab at one of the disk corners, then slide the tab until it locks in an open position. Because no software can save to a locked disk, viruses cannot infect files stored on one. 
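After the manual uninstall procedure above, a registry export can be checked to confirm that the keys named in steps 8 through 12 are really gone. The Python below is an added example, not part of the NetShield distribution: it treats HKCR as an alias of HKLM\SOFTWARE\Classes, accepts a target either as a key or as a value under its parent key (Run entries are values), and generalizes steps 11 and 12 to any class that carries a shell\VirusScan verb. The sample export, the path inside it, and all function names are constructed for illustration.

```python
import re

# Keys named in steps 8-10 of the manual uninstall procedure (copied from the page).
# The alertmanager key may legitimately remain if other Network Associates
# products use Alert Manager (see step 9).
TARGETS = [t for t in r"""
HKLM\software\microsoft\windows\CurrentVersion\Run\Shstatexe
HKLM\software\microsoft\windows\CurrentVersion\uninstall\NetShield NT
HKLM\software\mcafee\mcalsnmp
HKLM\software\network associates\Netshield NT
HKLM\software\mcafee\virusscan
HKLM\software\mcafee\alertmanager
HKLM\system\CurrentControlSet\Services\Alertmanager
HKLM\system\CurrentControlSet\Services\NaiFilter
HKLM\system\CurrentControlSet\Services\NaiFsrec
HKLM\system\CurrentControlSet\Services\McShield
HKLM\system\CurrentControlSet\Services\McTaskManager
""".splitlines() if t]

# Steps 11-12, generalized: any <class>\shell\VirusScan context-menu verb.
CONTEXT_MENU = re.compile(r"(hklm\\software\\classes\\[^\\]+\\shell\\virusscan)(\\.*)?")

ALIASES = {
    "hkey_local_machine": "hklm",
    "hkey_classes_root": r"hklm\software\classes",
    "hkcr": r"hklm\software\classes",
}

def normalize(path):
    """Lower-case a registry path and fold root aliases onto HKLM."""
    root, _, rest = path.strip().lower().partition("\\")
    root = ALIASES.get(root, root)
    return root + ("\\" + rest if rest else "")

def parse_export(text):
    """Return {normalized key: set of lower-cased value names} from a REGEDIT4 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = keys.setdefault(normalize(section.group(1)), set())
        elif current is not None and line.startswith('"'):
            name = re.match(r'"((?:[^"\\]|\\.)*)"=', line)
            if name:
                current.add(name.group(1).lower())
    return keys

def find_residue(export_text):
    """List the uninstall targets that are still present in the export."""
    hits = set()
    targets = [normalize(t) for t in TARGETS]
    for key, values in parse_export(export_text).items():
        for target in targets:
            parent, _, leaf = target.rpartition("\\")
            if key == target or key.startswith(target + "\\"):
                hits.add(target)      # present as a key, or through a subkey
            elif key == parent and leaf in values:
                hits.add(target)      # present as a value under its parent key
        verb = CONTEXT_MENU.fullmatch(key)
        if verb:
            hits.add(verb.group(1))
    return sorted(hits)

# Constructed sample export; the SHSTAT.EXE path is made up for the example.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\\NetShield\\SHSTAT.EXE"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield\Parameters]
"Start"=dword:00000002

[HKEY_CLASSES_ROOT\exefile\shell\VirusScan\command]
@="placeholder"

[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD]
"Other"="unrelated product key"
"""

if __name__ == "__main__":
    for hit in find_residue(SAMPLE_EXPORT):
        print("still present:", hit)
```

The SNMP extension agent value from step 13 is not covered by this check.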
__________________________
FREQUENTLY ASKED QUESTIONS

Regularly updated lists of frequently asked questions about
Network Associates products also are available on the Network
Associates BBS and website, and on CompuServe and America Online.

Q:  How can I scan mapped Novell drives with scheduled on-demand
    scans?

A:  If you want to scan any Novell-server drives (mapped or via
    UNC) from scheduled tasks, you must create the same
    account/password on the Novell server as used by NetShield
    services on your Windows NT server.

Q:  As an administrator, how can I scan private directories that
    are accessible only to individual users?

A:  On-demand (scheduled) scans are launched by the NetShield Task
    Manager service. If you specify a user name and password for
    the service, then the scheduled scan will only scan
    directories for which the service name has privileges. If no
    user name was specified, then the service has SYSTEM
    privileges.

    To perform an on-demand, or scheduled, scan of private
    directories, the NetShield Task Manager service must have
    access to these private areas. Following are two ways to
    address this issue:

    Solution A:

    1. Create a custom user name to be used by the Service.
    2. Give this user name privileges to access the private
       spaces.

    Considerations with Solution A: This account can be used to
    access the private directories. To prepare these directories
    with proper rights, open a DOS prompt and enter:

        CACLS /E /G (domain name)\(service account name)

    Enter CACLS at the DOS prompt to get a complete list of
    options.

    Solution B:

    1. Do not associate a user name to the Service.
    2. Give SYSTEM privileges to access the private spaces.

    Considerations with Solution B: Someone could create or use a
    Service to access your information.

    Network Associates recommends Solution B as a more secure
    solution.

Q:  NetShield will not perform an on-demand (scheduled) scan of
    some network drives. Why?

A:  It is possible that the user name you are using for the
    NetShield Task Manager service does not have sufficient rights
    to scan the drives in question. To verify whether this is the
    issue, connect to each drive using the user name and password
    utilized by the NetShield Task Manager service from the server
    where the service is running. Confirm that this user name has
    rights on the device by manually running an on-demand scan. If
    you can scan the device while you're logged in, then the
    service should also be able to do it as a scheduled scan. When
    scanning remote locations, Network Associates recommends using
    the UNC path for scheduled tasks.

Q:  My scheduled tasks do not run when the NetShield Task Manager
    service is stopped. Why?

A:  The NetShield Task Manager service is responsible for starting
    scheduled on-demand tasks and AutoUpdate tasks. If the
    NetShield Task Manager service is stopped, all of these tasks
    are disabled.

Q:  Can I update NetShield's data files to detect new viruses?

A:  Yes, NetShield now includes the Network Associates AutoUpdate
    and AutoUpgrade components, which offer powerful updating
    capabilities that ensure that you have the latest NetShield
    files installed. AutoUpdate can automatically update the
    NetShield data (.DAT) files the program uses to detect
    viruses. AutoUpgrade can automatically download new NetShield
    program versions. If you need additional assistance with
    downloading, contact Network Associates Download Support at
    (408) 988-3832.

Q:  Does NetShield protect users accessing files on my web server
    or FTP server on this system?

A:  Yes, NetShield detects infections in files transferred with
    Microsoft Internet Information Server (IIS). This protects
    remote users accessing files via HTTP or FTP.

Q:  How do I disable NetShield's on-access scanner?

A:  You can now enable or disable the on-access scanning component
    in NetShield NT both from the graphical user interface and
    from an NT Command Prompt window. To learn how to do so, see
    item 12 in "Additional Information" later in this file.

Q:  Can I run a silent installation that removes previous
    NetShield versions before Setup installs a new NetShield
    version?

A:  Yes. To do so, however, you must edit the SETUP.ISS file you
    create when you record your initial installation. To learn how
    to do so, see "Editing the SETUP.ISS File" earlier in this
    file.

______________________
ADDITIONAL INFORMATION

1.  After completing your installation or upgrade of NetShield,
    Network Associates recommends that you reboot your computer
    before you start NetShield.

2.  NetShield automatically excludes a Microsoft Exchange database
    directory if the following Windows NT Registry key exists:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem\DB Log

    This entry allows NetShield Task Manager service to look for
    Microsoft Exchange Server each time it starts. This exclusion
    is needed to avoid potential mail database corruption in the
    event that NetShield detects an infected file.

    Note: If Microsoft Exchange Server is installed, an entry will
          be visible in the NetShield Properties Exclusions tab.

3.  SVCPWD.EXE is a utility for setting or changing usernames and
    passwords that the Network Associates services use. SVCPWD
    requests one command-line parameter, which is a filename
    (e.g., computers.txt). Use SVCPWD /? to get additional
    information about command-line options.

    This file (e.g., computers.txt) contains a list of all the
    computers whose service accounts (username and password) you
    want to modify. Example:

        \\COMPUTER1
        \\COMPUTER2
        \\SERVER

    Start the SVCPWD utility by entering the file name on the
    command line (i.e., SVCPWD computers.txt). This utility
    contacts all the computers via the network and changes the
    username and password originally given to the Network
    Associates service. The username and password are changed to
    the value that you set when you start the utility.
    All service accounts must be set to user "LocalSystem". If a
    domain\username is entered, then the SVCPWD utility will
    require a password for the domain\username. When this is
    completed, the utility contacts all the computers and changes
    the settings.

    Note 1: The domain\username that is used by the services needs
            to be an administrative account.
    Note 2: The person running this utility must have an
            administrative account for all the computers that
            require such changes.
    Note 3: Do not run this utility during an on-demand scan
            operation.

4.  When using an ISeamless Install Script, and running setup in
    standard or silent mode without any parameters, setup requires
    that the custom installation file produced by ISeamless be
    named admin.sis or oem.sis.

5.  If NetShield finds an older version of the file WININET.DLL
    during installation, it upgrades the file to the current
    version.

6.  If you are running any other anti-virus product on the system,
    please exclude that product's installation directory within
    the NetShield Properties Exclusions tab.

7.  When installing NetShield to remote systems on your network,
    the destination systems must have a proper security
    relationship (i.e., they must reside on the same domain or
    share a trust relationship, and the account being used must
    have Administrator privileges on the machine being installed
    to) with the system you are performing the installation from.
    If the computers do not have a proper security relationship,
    the remote installation will not be performed properly.

8.  If compressed file scanning is turned on, NetShield
    temporarily uses additional hard disk space when scanning
    compressed files (i.e., ZIP, LZH/LHA, UUENCODE, etc.).

9.  When performing a silent installation using the default
    SETUP.ISS file, via either AutoUpgrade or the command
    setup -s, your service user resets to the LocalSystem account
    and the server reboots if necessary when the installation is
    completed. If you wish to keep your settings, record your own
    SETUP.ISS file for use during silent installations (see the
    NetShield User's Guide for detailed information on creating
    your own setup.iss file).

10. By default, NetShield's on-access scanning component does not
    have heuristic scanning activated. You can activate this
    feature by entering the values shown for the REG_DWORD entries
    in these registry keys:

        HKLM\McAfee\VirusScan\McShield\CurrentVersion

        dwMacroHeuristicsLevel:REG_DWORD:0 or 1
        dwProgramHeuristicsLevel:REG_DWORD:0 or 1

11. The new NAI.MIB and ANTIVIRI.MIB files included with this
    release improve the data reporting capabilities of SNMP traps
    sent via Alert Manager. You can compile these files into your
    SNMP management utility so that the utility can decode traps
    sent from Alert Manager. Some SNMP managers also allow you to
    write scripts that will act on the information received via
    the SNMP traps. New alert items include:

    ALERT NAME                     WHAT IT REPORTS

    naiTrapAgent                   Names the agent that sent the
                                   trap
    naiTrapAgentVersion            Gives the version of the agent
    naiTrapSeverity                Gives the severity code of the
                                   alert message
    naiTrapDescription             Describes the trap
    naiTrapAlarmSourceAddress      Gives the IP or IPX address of
                                   the computer that sends the
                                   trap
    naiTrapAlarmSourceDNSName      Lists the fully qualified DNS
                                   name or computer name
    naiTrapGMTTime                 Lists the GMT time at which the
                                   alert generation occurred
    naiTrapLocalTime               Lists the time local to the
                                   computer that generated the
                                   trap
    naiTrapURL                     Gives a URL link to an HTML or
                                   FTP file
    naiTrapPseudoID                Lists the Pseudo Trap ID or
                                   Message ID for the generated
                                   trap
    naiAntiVirusTrapAgentUser      Lists the name of the active
                                   user account that generated the
                                   trap
    naiAntiVirusTrapInfectedFile   Names the infected file that
                                   caused the computer to generate
                                   a trap
    naiAntiVirusTrapVirusName      Names the infecting virus
    naiAntiVirusTrapTaskName       Names the active task that
                                   generated the trap
    naiAntiVirusTrapStatus         Gives the status of the file
                                   that caused the computer to
                                   send a trap
    naiAntiVirusTrapOS             Lists the active operating
                                   system on the computer that
                                   sent the trap
    naiAntiVirusTrapEngineVersion  Lists the version number of the
                                   NetShield scan engine
    naiAntiVirusTrapDATVersion     Lists the version number of the
                                   current .DAT file

12. To enable or disable NetShield NT's on-access scanning
    component, you can use one of these methods:

    - If you have installed NetShield on your local NT server, you
      can disable on-access scanning from the NetShield graphical
      user interface. You cannot use this method if you have
      installed NetShield on a remote server.

      To disable on-access scanning, first verify that the
      NetShield NT shield icon appears in your system tray to the
      left of the clock. If the icon appears there, right-click it
      to display a shortcut menu, then choose Disable. The icon
      will appear with a red line through it, which indicates that
      on-access scanning is disabled. To enable on-access scanning
      again, right-click the icon, then choose Enable from the
      shortcut menu.

      If the icon does not appear in your system tray, verify that
      you have installed the on-access component correctly.

    - If you have installed NetShield on your local NT server, you
      can also disable on-access scanning from a Windows NT
      Command Prompt window. You cannot use this method if you
      have installed NetShield on a remote server.

      To disable on-access scanning, open a Command Prompt window,
      then type:

          SHSTAT.EXE -DISABLE

      To enable on-access scanning again, type

          SHSTAT.EXE -ENABLE

      at the prompt.

    - If you have installed NetShield NT on your local NT server
      OR on a remote server, you can disable and enable on-access
      scanning from NetShield's AntiVirus Console.

      To do so, open the Console, then log on, if necessary, to
      the NetShield NT server with the active on-access scanning
      component you want to disable. Next, select the NetShield
      On-Access Monitor task in the task list, then click the Stop
      button in the Console toolbar, or choose Disable from the
      Console's Scan menu.

      To enable the on-access component again, select the
      On-Access Monitor task, then click the Play button in the
      Console toolbar, or choose Enable from the Console's Task
      menu.

13. To enable NetShield to scan network drives, start the Windows
    registry editor, then locate this key:

        HKLM\SOFTWARE\McAfee\VirusScan\McShield\CurrentVersion

    Change the value for the bNetworkScanEnabled key from 0 to 1
    to enable this feature. To disable the feature, change the
    value back to 0.

    NOTE: Network Associates recommends that you leave this
          feature disabled, and that you use NetShield to scan
          incoming and outgoing network traffic for the host
          server.

14. If you schedule an AutoUpdate or AutoUpgrade session that
    downloads the installation package from a NetWare server to an
    NT system, you can use the optional File Copy Utility shipped
    with NetShield. To install this component, you must choose it
    as a Custom installation option during Setup. To learn more
    about this component, contact your PrimeSupport
    representative.

_____________
DOCUMENTATION

For more information, refer to the user's guides for each product
included on the CD-ROM or available from Network Associates
electronic services. Each product user's guide is saved in Adobe
Acrobat Portable Document Format (.PDF). You can view and print
this document with Adobe's Acrobat Reader. PDF files can include
hypertext links and other navigation features to assist you in
finding answers to questions about your Network Associates
product.
To download Adobe Acrobat Reader from the World Wide Web, visit
Adobe's website at:

    http://www.adobe.com/prodindex/acrobat/readstep.html

To download documentation for Network Associates anti-virus
software, visit the Network Associates FTP site at:

    ftp://www.nai.com/pub/manuals/total_virus_defense

Additional contact information appears in the following section.

Documentation feedback is welcome. Send e-mail to
tvd_documentation@nai.com.

_____________________________
CONTACTING NETWORK ASSOCIATES

On December 1, 1997, McAfee Associates merged with Network General
Corporation, Pretty Good Privacy, Inc., and Helix Software, Inc.
to form Network Associates, Inc. The combined Company subsequently
acquired Dr Solomon's Software and CyberMedia, Inc.

Network Associates continues to market and support the product
lines from each of the former entities. You may direct all
questions, comments and technical support requests to the Network
Associates Customer Care department at any of the addresses or
phone numbers listed below.

Contact the Network Associates Customer Care department at:

1.  Phone (408) 988-3832
    Monday-Friday, 6:00 A.M. - 6:00 P.M. Pacific time

2.  Fax (408) 970-9727
    24-hour, Group III Fax

3.  Fax-back automated response system (408) 346-3414

Send correspondence to any of the following Network Associates
locations:

    Network Associates Corporate Headquarters
    3965 Freedom Circle
    McCandless Towers
    Santa Clara, CA 95054

    Phone numbers for corporate-licensed customers:
    Phone: (408) 988-3832
    Fax:   (408) 970-9727

    Phone numbers for retail-licensed customers:
    Phone: (972) 278-6100
    Fax:   (408) 970-9727

Network Associates offices outside the United States:

    Network Associates Australia
    Level 1, 500 Pacific Highway
    St. Leonards, NSW
    Sydney, Australia 2065
    Phone: 61-2-8425-4200
    Fax:   61-2-9439-5166

    Network Associates Austria
    Pulvermuehlstrasse 17
    Linz, Austria
    Postal Code A-4040
    Phone: 43-732-757-244
    Fax:   43-732-757-244-20

    Network Associates Belgium
    Bessenveldtstraat 25a
    Diegem, Belgium - 1831
    Phone: 32-3-716-4070
    Fax:   61-2-716-4770

    Network Associates do Brasil
    Rua Geraldo Flausino Gomez 78
    Cj. - 51 Brooklin Novo - São Paulo
    SP - 04575-060 - Brasil
    Phone: (55 11) 5505 1009
    Fax:   (55 11) 5505 1006

    Network Associates Canada
    139 Main Street, Suite 201
    Unionville, Ontario
    Canada L3R 2G6
    Phone: (905) 479-4189
    Fax:   (905) 479-4540

    Network Associates People's Republic of China
    New Century Office Tower, Room 1557
    No. 6 Southern Road Capitol Gym
    Beijing
    People's Republic of China 100044
    Phone: 86 10 6849-2650
    Fax:   86 10 6849-2069

    NA Network Associates Oy
    Sinikalliontie 9, 3rd Floor
    02630 Espoo
    Finland
    Phone: 358 9 5270 70
    Fax:   358 9 5270 7100

    Network Associates France S.A.
    50 Rue de Londres
    75008 Paris
    France
    Phone: 33 1 44 908 737
    Fax:   33 1 45 227 554

    Network Associates GmbH
    Ohmstraße 1
    D-85716 Unterschleißheim
    Deutschland
    Phone: 49 (0)89/3707-0
    Fax:   49 (0)89/3707-1199

    Network Associates Hong Kong
    19th Floor, Matheson Centre
    3 Matheson Way
    Causeway Bay
    Hong Kong 63225
    Phone: 852-2832-9525
    Fax:   852-2832-9530

    Network Associates Srl
    Centro Direzionale Summit
    Palazzo D/1
    Via Brescia, 28
    20063 - Cernusco sul Naviglio (MI)
    ITALY
    Phone: 39 (0)2 9214 1555
    Fax:   39 (0)2 9214 1644

    Network Associates Japan, Inc.
    Toranomon 33 Mori Bldg.
    3-8-21 Toranomon
    Minato-ku
    Tokyo 105-0001
    Japan
    Phone: 81 3 5408 0700
    Fax:   81 3 5408 0780

    Network Associates Latin America
    150 South Pine Island Road, Suite 205
    Plantation, Florida 33324
    United States
    Phone: (954) 452-1731
    Fax:   (954) 236-8031

    Network Associates de Mexico
    Andres Bello No. 10, 4 Piso
    4th Floor
    Col. Polanco
    Mexico City, Mexico D.F. 11560
    Phone: (525) 282-9180
    Fax:   (525) 282-9183

    Network Associates International B.V.
    Gatwickstraat 25
    1043 GL Amsterdam
    The Netherlands
    Phone: 31 20 586 6100
    Fax:   31 20 586 6101

    Network Associates Portugal
    Av. da Liberdade, 114
    1269-046 Lisboa
    Portugal
    Phone: 351 1 340 4543
    Fax:   351 1 340 4575

    Net Tools Network Associates South Africa
    Bardev House, St. Andrews
    Meadowbrook Lane
    Epson Downs, P.O. Box 7062
    Bryanston, Johannesburg
    South Africa 2021
    Phone: 27 11 706-1629
    Fax:   27 11 706-1569

    Network Associates South East Asia
    78 Shenton Way
    #29-02
    Singapore 079120
    Phone: 65 222-7555
    Fax:   65 222-7555

    Network Associates Spain
    Orense 4, 4a Planta.
    Edificio Trieste
    28020 Madrid
    Spain
    Phone: 34 91 598 18 00
    Fax:   34 91 556 14 04

    Network Associates Sweden
    Datavägen 3A
    Box 596
    S-175 26 Järfälla
    Sweden
    Phone: 46 (0) 8 580 88 400
    Fax:   46 (0) 8 580 88 405

    Network Associates AG
    Baeulerwisenstrasse 3
    8152 Glattbrugg
    Switzerland
    Phone: 0041 1 808 99 66
    Fax:   0041 1 808 99 77

    Network Associates Taiwan
    Suite 6, 11F
    No. 188, Sec. 5
    Nan King E. Rd.
    Taipei, Taiwan, Republic of China
    Phone: 886-2-27-474-8800
    Fax:   886-2-27-635-5864

    Network Associates International Ltd.
    Minton Place, Victoria Street
    Windsor, Berkshire
    SL4 1EG
    United Kingdom
    Phone: 44 (0)1753 827 500
    Fax:   44 (0)1753 827 520

Or, you can receive online assistance through any of the following
resources:

1.  Internet E-mail: support@nai.com
2.  Internet FTP: ftp.nai.com
3.  World Wide Web: http://support.nai.com
4.  America Online: keyword MCAFEE
5.  CompuServe: GO NAI

To provide the answers you need quickly and efficiently, the
Network Associates technical support staff needs some information
about your computer and your software. Please have this
information ready when you call:

- Program name and version number
- Computer brand and model
- Any additional hardware or peripherals connected to your
  computer
- Operating system type and version numbers
- Network name, operating system, and version
- Network card installed, where applicable
- Modem manufacturer, model, and baud, where applicable
- Relevant browsers or applications and their version numbers,
  where applicable
- How to reproduce your problem: when it occurs, whether you can
  reproduce it regularly, and under what conditions
- Information needed to contact you by voice, fax, or e-mail

We also seek and appreciate general feedback.

* FOR PRODUCT UPGRADES *

To make it easier for you to receive and use Network Associates
products, we have established a reseller's program to provide
service, sales, and support for our products worldwide. For a
listing of resellers, see the resellers.txt file or contact
Network Associates Customer Care for resellers near you.

* FOR REPORTING PROBLEMS *

Network Associates prides itself on delivering a high-quality
product. If you find any problems, please take a moment to review
the contents of this file. If the problem you've encountered is
documented, there is no need to report the problem to Network
Associates. If you find any feature that does not appear to
function properly on your system, or if you believe an application
would benefit greatly from enhancement, please contact Network
Associates with your suggestions or concerns.

* FOR ON-SITE TRAINING INFORMATION *

Contact Network Associates Customer Service at (800) 338-8754.

* NETWORK ASSOCIATES BETA SITE *

Get pre-release software, including .DAT files, through
http://www.avertlabs.com. You will have access to Public Beta and
External Test Areas. Your feedback will make a difference.