SCAN Reference Copyright 1994 McAfee Inc.

VirusScan REFERENCE

VirusScan's Scan program detects, identifies, and disinfects more than 2,600 known DOS computer viruses. Scan checks memory and both the system and data areas of disks for virus infections. If Scan finds a known virus, in most cases it will eliminate the virus and fully restore infected programs or system areas to normal operation.

The SCAN.DAT file that accompanies Scan lists all viruses that Scan identifies and removes. Use Scan with the /VIRLIST option to see a list of these viruses.

In addition, Scan can assign validation and recovery codes to files, and use those codes to detect and treat infection by new and unknown viruses. If Scan has stored validation or recovery data for files, it may detect file changes and warn that infection by an unknown virus may have occurred. Scan can also use the recovery codes to remove new or unknown viruses and restore infected files, master boot records (MBRs), and boot sectors.

Scan runs on DOS, Windows, and OS/2. The program files are SCAN.EXE, WSCAN.EXE, and OS2SCAN.EXE, respectively. Because OS/2 operates in a protected mode environment, Scan for OS/2 does not check memory. To protect against viruses in OS/2 DOS and Win-OS/2 sessions, use the VShield (for DOS) virus prevention program.

DO YOU NEED TO READ THIS DOCUMENT?

Many users will not need the Scan command line options described in detail here. We have designed Scan so that basic operations will detect most viruses in your system. The command line options described here offer additional power and control over virus detection. They enable you to run Scan from batch or script files, and are most useful in vulnerable environments and to network administrators and information services staff.

SYSTEM REQUIREMENTS AND SUPPORT

Scan requires DOS 3.0 or later, Windows 3.1 or later, or IBM OS/2 Version 2.0 or later.
Running Scan for DOS with command line options requires 360Kb of free RAM.

Scan works with 3Com 3/Share and 3/Open, Artisoft LanTastic, AT&T StarLAN, Banyan VINES, DEC Pathworks, IBM LAN Server, Microsoft LAN Manager, Novell NetWare, and any other IBMNET- or NETBIOS-compatible network operating systems. Contact McAfee or your local authorized agent if you do not see your network listed.

Scan is designed to check for pre-existing infections of known and unknown viruses on floppy, hard, CD-ROM, and compressed (SuperStor, Stacker, Doublespace, and so on) disks on both stand-alone and networked personal computers, as well as network file servers. If you have a Novell NetWare/386 V3.1X or 4.01 file server, you may want to use the NETShield virus prevention NetWare Loadable Module in conjunction with Scan.

To use Scan to clean up (disinfect) virus-infected files, the CLEAN.DAT file must be present in the same subdirectory as Scan. If you don't have the CLEAN.DAT file, first verify whether you should contact your system administrator or information systems staff directly for virus clean-up. Otherwise, you can contact McAfee.

TECHNICAL OVERVIEW

KNOWN VIRUS DETECTION

Scan detects known viruses by searching the system for known characteristics (sequences of code) unique to each computer virus and reporting their presence if found. For viruses that encrypt or cipher their code so that every infection is different, Scan uses detection algorithms that work by statistical analysis, heuristics, and code disassembly.

NEW AND UNKNOWN VIRUS DETECTION

Scan can also check for new or unknown viruses by comparing files against previously recorded validation data. If a file has been modified, it will no longer match the validation data, and Scan will report that the file may have become infected.
With certain options, Scan /CLEAN can use the validation and recovery data to restore infected files, master boot records (MBRs), or boot sectors.

NOTE TO NETWORK USERS

To use Scan on a network drive (or directory), you must be connected to that drive and have read access to it. Some command line options attempt to create, change, and delete files. To use these options, you must have sufficient access rights. If you have questions about access rights, contact your network administrator.

VALIDATING SCAN

The Scan program in your VirusScan package is supplied on a write-protected diskette (notchless) that should be secure from infection. We recommend that you update your copy of the VirusScan programs regularly. You can obtain an upgrade from several sources.

Before using a new version of Scan for the first time, verify that it has not been tampered with or infected by using the Validate program. If your new copy of Scan differs from the validation data in the on-line documentation file, it may have been damaged. Don't use it, and obtain a clean copy of Scan from a known source.

Scan performs a self-check when it runs. If Scan has been modified in any way, a warning appears and asks you whether to continue or quit. Scan may be infected. If you choose to continue, Scan can still check for viruses but may spread the infection. Therefore, if Scan reports that it has been damaged, we recommend that you quit, and then obtain a clean copy before continuing.

Running Scan from the command line

Scan checks files and other areas of the system that can contain computer viruses. When a virus is found, Scan identifies the virus and the system area or file where it was found.

By default, Scan examines all files on a system. Once you've installed VirusScan and have established a "sterile field", you might not need to scan every file on your system again, just the executable files (.EXE, .COM, .SYS, .BIN, .OVL, and .DLL files).
Use the /STD option to scan executable files only. (Note that the list of extensions for standard executables has changed from previous versions of Scan.)

From DOS or OS/2, you can run Scan from the system prompt. (From OS/2, open the Command Prompts folder in the OS/2 system folder, then choose OS/2 Full Screen or OS/2 Window to see the system prompt.) The syntax is:

    DOS     C> scan {drives} [options]
    OS/2    [C:\] os2scan {drives} [options]

* {drives} indicates one or more drives to be scanned. You must specify one or more drives to scan. If you list a drive like c:, all of its subdirectories will be scanned. If you list \, only the root directory and boot area of the current disk will be scanned. If you list \ or a directory, its subdirectories will not be scanned unless you use the /SUB option.

* [options] indicates one or more of the Scan options listed in "Scan command line option summary."

SCAN COMMAND LINE OPTION SUMMARY (DOS-OS/2)

/? or /HELP             Display help screen (not available in Windows, use Help menu instead).
/ADL                    Scan all local drives.
/ADN                    Scan all network drives.
/AF {filename}          Store validation/recovery codes in filename.
/AV                     Add validation/recovery data to program files.
/BOOT                   Scan boot sector and master boot record only.
/CF {filename}          Check validation/recovery codes in filename.
/CLEAN                  Clean up infections in boot sector, master boot record, and files when possible.
/CV                     Check validation/recovery data in files.
/DEL                    Overwrite and delete infected files.
/EXCLUDE {filename}     Exclude from scan any files listed in filename. (with /AV).
/FAST                   Speed up VirusScan's scanning; may detect fewer viruses.
/HISTORY                Append, rather than overwrite, the report file (/REPORT).
/LOAD {filename}        Use Scan settings stored in filename.
/LOG                    Save date and time VirusScan was last run in SCAN.LOG.
/MOVE {directory}       Move infected files to directory.
/NOMEM                  Skip memory checking (not applicable to OS/2).
/PAUSE                  Enable screen pause.
/PLAD                   Preserve last access dates on network drives in a Novell network.
/REPORT {filename}      Create report of infected files found during scan in filename.
/RF filename            Remove validation/recovery codes in filename.
/RPTCOR                 Add list of corrupted files to the report file (/REPORT).
/RPTERR                 Add list of system errors to the report file (/REPORT).
/RPTMOD                 Add list of modified files to the report file (/REPORT).
/RV                     Remove validation/recovery data from files.
/SHOWLOG                Display information in SCAN.LOG.
/STD                    Scan executable files only (COM, EXE, SYS, BIN, OVL, DLL)
/SUB                    Scan subdirectories inside a directory.
/VIRLIST                Display list of viruses stored in SCAN.DAT

SCAN OPTION DESCRIPTIONS

Here is a detailed description of Scan's options.

/? or /HELP    Display list of Scan options

Does not scan. Instead, displays a list of Scan command line options with a brief description of each. Use these options alone on the command line.

/ADL    Scan all local drives

Scans all local drives for viruses, in addition to those specified on the command line. In DOS, use /ADL to check all local drives, including compressed drives and CD-ROMs. To scan both local and network drives, use /ADL and /ADN together in the same command line.

/ADN    Scan all network drives

Scans all network drives for viruses, in addition to those specified on the command line. To scan both local and network drives, use /ADL and /ADN together in the same command line.

/AF filename    Store validation/recovery codes in file

Helps you detect and recover from new or unknown viruses. /AF logs validation and recovery data for executable files, boot sector, and master boot record (MBR) of a disk in the file you specify. The log file is about 95 bytes per file validated.
You must specify a filename, which can include the target drive and directory (such as D:\VSVALID\VALCODES.VSC). If the target path is a network drive, you must be able to create and delete files in that drive. If filename exists, Scan updates it. The /AF option adds about 300% more time to scanning.

To exclude self-modifying or self-checking files that might cause false alarms, use the /EXCLUDE option. To recover from a virus using the /AF information, use the /CF and /CLEAN options together in the same command line. Using any of the /AF, /CF, or /RF options together in the same command line returns an error.

/AF performs the same function as /AV, but stores its data in a separate file rather than changing the executable files themselves.

/AV    Add validation/recovery data to files

Helps you detect and recover from new or unknown viruses. /AV adds recovery and validation data to each standard executable file (.EXE, .COM, .SYS, .BIN, .OVL, and .DLL), increasing the size of each file by 98 bytes. To update files on a shared network drive, you must have update access rights. The /AV option adds about 100% more time to scanning.

To exclude self-modifying or self-checking files that might cause false alarms, use the /EXCLUDE option. To recover from a virus using the /AF information, use the /CV and /CLEAN options together in the same command line. Using any of the /AV, /CV, or /RV options together in the same command line returns an error.

/BOOT    Scan boot sector and master boot record only

Scans the boot sector and master boot record on the specified drive(s), but not files or directories on those drives.

/CF filename    Check validation/recovery codes in file

Helps you detect new or unknown viruses. Checks validation data stored by the /AF option in filename. If a file or system area has changed, Scan reports that a viral infection may have occurred. The /CF option adds about 250% more time to scanning.
You can use /CF and /CLEAN in the same command line to check validation/recovery codes and remove any viruses found. Using any of the /AF, /CF, or /RF options together in the same command line returns an error.

Some older Hewlett-Packard and Zenith PCs modify the boot sector each time the system is booted. If you use /CF or /CV, Scan will continuously report that the boot sector has been modified even though no virus may be present. Check your system's technical reference manual to determine whether your PC has self-modifying boot code, or contact McAfee for help.

OS/2 dual boot systems change the boot sector between DOS and OS/2 depending on which operating system is active. This causes Scan to report that the boot sector has been modified.

/CLEAN    Remove viruses from boot sector, master boot record, and infected files

Attempts to restore the boot sector, if infected, and any infected files. Usually, between 10% and 20% of all viruses are not removable; they damage the file they infect beyond repair. If the infected file resides on a network drive, you must be able to modify files on that drive to clean it. If it cannot restore a file, you'll see a message that identifies the name of the unrecoverable file.

To use /CLEAN, the CLEAN.DAT file must reside in the Scan directory.

Use /CLEAN instead of /DEL when you want to restore infected files, not just delete or overwrite them. The /CLEAN option can remove master boot record (MBR) and boot sector viruses, but the /DEL option cannot.

If you use /CLEAN and /DEL in the same command line, Scan first attempts to disinfect an infected file, then deletes it only if it cannot be repaired. Similarly, if you use /CLEAN and /MOVE in the same command line, Scan attempts first to clean an infected file, then moves it automatically if the file is unrecoverable.
You can use /CLEAN and /CF or /CV in the same command line to check validation/recovery codes and remove any viruses found.

We strongly recommend that you get experienced help in dealing with viruses if you are unfamiliar with anti-virus software and methods. This is especially true for "critical" viruses and master boot record (MBR)/boot sector infections, because improper removal of these viruses can result in the loss of all data on the infected disks.

When scanning a network drive using /CLEAN, you must have sufficient rights to update files on that drive.

/CV    Check validation/recovery data in files

Helps you detect new or unknown viruses. Checks validation data added by the /AV option. If a file is modified, Scan reports that a viral infection may have occurred. The /CV option adds about 50% more time to scanning.

You can use /CLEAN and /CV or /CF in the same command line to check validation/recovery codes and restore infected files. Using any of the /AV, /CV, or /RV options together in the same command line returns an error.

/DEL    Overwrite and delete infected files

Deletes and overwrites each infected file. Files erased by the /DEL option cannot be recovered (generate a report so that you can restore them from backups). Instead of /DEL alone, we recommend using it in combination with the /CLEAN option to attempt to disinfect an infected file first, then delete it only if the file is unrecoverable. The /CLEAN option can remove master boot record and boot sector viruses, but the /DEL option cannot.

When scanning a network drive using /DEL, you must have sufficient access rights to delete files on that drive.

/EXCLUDE filename    Scan using exception list file

Allows you to exclude files from /AF or /AV validation. Self-modifying or self-checking files can cause a false alarm during a scan. To create filename, see "Creating an exception list."

/FAST    Speed up VirusScan's scanning

Reduces Scan time by about 15%.
Using the /FAST option, Scan examines a smaller portion of each file for viruses, although it examines more files overall. Using /FAST might miss some infections found in a more comprehensive (but slower) scan. Do not use this option if you have found a virus or suspect one.

/HISTORY    Append to the report file

Used in conjunction with /REPORT, appends the report message text to the specified report file, if it exists. Otherwise, the /REPORT option overwrites the specified report file, if it exists.

/LOAD {filename}    Use Scan settings stored in filename

By default, Scan loads its internal default settings plus any options specified on the command line. You can store all custom settings in a separate ASCII text file, then use /LOAD to load those settings from that file.

/LOG    Save date and time of last scan

Stores the time and date Scan is being run by updating or creating a file called SCAN.LOG in the current directory.

/MOVE {directory}    Move infected files to directory

Moves all infected files found during a scan to the specified directory. If you use /MOVE in conjunction with /CLEAN, Scan attempts to restore an infected file first, then moves it to the specified directory only if the file cannot be restored. Using /MOVE and /DEL in the same command line returns an error message.

/NOMEM    Skip memory checking

Reduces scan time by omitting all memory checks for viruses. Use /NOMEM only when you are absolutely certain that your system is virus-free.

By default, Scan checks system memory for critical known computer viruses that can inhabit memory. In addition to main memory from 0Kb to 640Kb, Scan checks system memory from 640Kb to 1088Kb that can be used by computer viruses on 286 and later systems. Memory above 1088Kb is not addressed directly by the processor and is not presently susceptible to viruses.

/NOMEM is not applicable to OS/2.

/PAUSE    Enable screen pause

If you specify /PAUSE, the More?
(H = Help) prompt appears when Scan fills up a screen with messages. Otherwise, by default, Scan fills and scrolls a screen continuously without stopping, which allows Scan to run on PCs with severe infections without requiring you to attend.

We recommend that you omit /PAUSE when keeping a record of Scan's messages using the report options (/REPORT, /RPTCOR, /RPTMOD, and /RPTERR), or when using the /SHOWLOG or /VIRLIST options.

/PLAD    Preserve last access dates (on NetWare drives only)

Prevents changing the last access date attribute for files stored on a network drive in a Novell network. Normally, NetWare updates the last access date when Scan opens and examines a file. However, some tape backup systems use this last access date to decide whether to back up the file. Use /PLAD to ensure that the last access date does not change as the result of scanning.

/REPORT {filename}    Create report of infected files and system errors

Saves the output of Scan to filename in ASCII text file format. If filename exists, /REPORT erases and replaces it. You can include the destination drive and directory (such as D:\VSREPRT\ALL.TXT), but if the destination is a network drive, you must be able to create and delete files on that drive.

You can also use /RPTCOR, /RPTMOD, and /RPTERR to add corrupted files, modified files, and system errors to the report.

/RF filename    Remove validation/recovery codes in file

Removes recovery and validation data from filename created by the /AF option. If filename resides on a shared network drive, you must be able to delete files on that drive. Using any of the /AF, /CF, or /RF options together in the same command line returns an error.

/RPTCOR    Add corrupted files to Scan report

Used in conjunction with /REPORT, adds the names of corrupted files to the report file. A corrupted file is a file that a virus has damaged beyond repair, which typically occurs in 10% to 20% of all viral infections.
You can use /RPTCOR with /RPTMOD and /RPTERR on the same command line.

/RPTERR    Add errors to Scan report

Used in conjunction with /REPORT, adds system errors to the report file. System errors include problems reading or writing to a diskette or hard disk, file system or network problems, problems creating reports, and other system-related problems. You can use /RPTERR with /RPTCOR and /RPTMOD on the same command line.

/RPTMOD    Add modified files to the Scan report

Used in conjunction with /REPORT, adds the names of modified files to the report file. Scan identifies modified files when the validation/recovery codes do not match (using the /CF or /CV options). You can use /RPTMOD with /RPTCOR and /RPTERR on the same command line.

/RV    Remove validation/recovery from files

Removes validation and recovery data from files validated with the /AV option, along with the SCAN.LOG file on the specified drive. To update files on a shared network drive, you must have access rights to update them. Using any of the /AV, /CV, or /RV options together in the same command line returns an error.

/SHOWLOG    Display the contents of SCAN.LOG

Shows you the date and time of previous scans that have been recorded in the SCAN.LOG file using the /LOG switch. The SCAN.LOG file contains text and some special formatting.

/STD    Scan executable files only (COM, EXE, SYS, BIN, OVL, and DLL)

Reduces scan time when a full scan is not needed. Otherwise, Scan checks all files on the drive scanned and examines files in greater detail, which increases Scan's ability to detect viruses in overlay files but substantially increases the scanning time required. Do not use this option if you have found a virus or suspect one. (The list of extensions for standard executables has changed from previous releases of VirusScan.)
/SUB    Scan subdirectories

By default, when you specify a directory to scan rather than a drive, Scan will examine only the files it contains, not its subdirectories. Use /SUB to scan all subdirectories inside any directories you've specified. Do not use /SUB if you are scanning an entire drive.

/VIRLIST    Display the contents of SCAN.DAT

Shows you the name and a brief description of the viruses that VirusScan detects.

EXAMPLES

These examples show different option settings. In OS/2, remember to use OS2SCAN instead of SCAN.

scan c:
    Scan all executable files on drive C.

scan f:
    Scan drive F, a network drive.

scan c: /adl /adn
    Scan all local and network drives.

scan f: g: h: /del
    Scan all files on drives F, G, and H, and delete any infected files found.

scan c: d: e: /av
    Scan for viruses in all files and add validation codes to executable files on drives C, D, and E.

scan m: /report a:infectn.rpt /rptcor /rpterr
    Scan for viruses on network drive M: and create a log file of infections, corruptions, and errors in the file INFECTN.RPT on drive A.

scan e:\user\jake e:\user\daisy e:\user\nick /sub
    Scan all subdirectories inside the directories USER\JAKE, USER\DAISY, and USER\NICK on drive E.

scan c: d: e: /fast /cv
    Quickly scan drives C, D, and E, and report any executable files that do not have validation codes.

scan c:\command.com
    Scan a single file.

ERRORLEVELS

This section is primarily for network administrators and information systems staff.

After Scan has finished running, it sets the DOS ERRORLEVEL. You can use the ERRORLEVEL in AUTOEXEC.BAT to take different actions based on the results of the scan. See your DOS documentation for more information.
Scan returns the following DOS ERRORLEVELs: <>

APPLICATION NOTE 1
UPDATING VALIDATION CODES

If you install any new software or programs on your system, including a new version of DOS, and are running Scan or VShield with the /CF (preferred) or /CV validation options, you need to install validation codes for the new files with Scan's /AF (preferred) or /AV options.

The quickest way to update the validation codes is to remove all validation codes from the hard disk and then add them back. In other words, first run Scan with the /RF or /RV option, then run it again with the /AF or /AV option.

APPLICATION NOTE 2
REFORMATTING INFECTED DISKETTES WITH DOS 5.0 AND LATER

When reformatting infected diskettes using DOS 5.0 and later versions, be sure to add the /U switch to the FORMAT command. This tells DOS to do an unconditional format of the diskette, without saving the original infected boot sector. This is necessary to erase certain infections, and will prevent reinfection by unformatting the diskette.

TECHNICAL NOTE 1
CREATING AN EXCEPTION LIST FILE FOR THE /EXCLUDE OPTION

If you set up validation codes using Scan's /AF or /AV options, subsequent scans using the /CF or /CV options will detect changes in executable files. This can generate false alarms if the executable files are self-modifying or self-checking (most programs that do this will tell you to turn off your anti-virus software before running them; some of these files are listed below). Therefore, use the /EXCLUDE option in conjunction with /AF or /AV to identify such files and exclude them from the validation.

The exception list is an ASCII or DOS text file. If you use a word processor to create it, be sure to save the file as ASCII or DOS Text. Each uncommented line in the file contains the path and file name of one file that should not be validated.
Here is an example:

    C:\CLIPPER\BIN\CLIPPER.EXE
    C:\123\123.COM
    C:\FOX\FOXPROLX.EXE
    C:\DOS\SETVER.EXE
    C:\PKWARE\PKLITE.EXE
    C:\PKWARE\PKZIP.EXE
    C:\PKWARE\PKUNZIP.EXE
    C:\SEMWARE\Q.EXE
    C:\SWAPVOL.COM
    C:\WORDSTAR\WS.EXE

CLEANING VIRUSES

Although /CLEAN removes many viruses and restores normal operation, viruses can be harmful and insidious, and no anti-virus program can undo all their damage. Usually, between 10% and 20% of all viruses corrupt the files they infect, making them unrecoverable.

If the file is infected with an uncommon virus that /CLEAN can't remove, Scan notifies you and identifies the filename. Write down this filename so that you can restore it from a backup diskette or tape. If you use both the /CLEAN and the /DEL options, Scan will first attempt to repair an infected file and, if the file is damaged beyond repair, Scan will delete it. Deleted files are not recoverable except from backups.

Some viruses damage or overwrite program (.EXE) files or overlay files. Removing the virus can truncate the file or otherwise render it inoperable. Others, like the common virus Stoned, infect the master boot record (MBR). On systems partitioned with programs other than DOS (such as Disk Manager and SpeedStor), removing the virus can cause loss of the master boot record (MBR) and all data on the disk if done improperly.

BASIC PRINCIPLES TO MINIMIZE DAMAGE

These considerations lead to three important principles:

1  Before running Scan with the /CLEAN option, back up all of your programs and data.

Of course, this works best if you back up regularly, so that you can restore from a backup made before your system was infected. But even a backup from an infected system can be useful for restoring data, because most viruses do not corrupt data. If a program no longer runs after being cleaned, replace it from the original disk or from a virus-free backup.
When disinfecting an infected system, it is important to start from a "sterile field."

2  Before running Scan with the /CLEAN option for DOS, restart your computer from a clean, write-protected diskette. Before running Scan with the /CLEAN option for OS/2, close all DOS and Win-OS/2 sessions.

Preferably, use a clean anti-virus start-up diskette. And, because running any program can spread the infection:

3  Do not run any programs, including Windows, before running Scan /CLEAN. Run Scan /CLEAN from DOS instead of Windows. Exit completely from DOS. Do not run Scan /CLEAN from within a DOS window.

Important: If you are at all unsure about how to proceed once you've found a virus, contact McAfee technical support, or your local authorized agent, for assistance.

We strongly recommend that you get experienced help in dealing with viruses if you are unfamiliar with anti-virus software and methods. This is especially true for "critical" viruses and master boot record (MBR)/boot sector infections, because improper removal of these viruses can result in the loss of all data and use of the infected disks.

RUNNING SCAN TO CLEAN UP INFECTIONS

PREPARATION

Before running Scan to clean up infections:

1  Clear the virus from system memory and prevent reinfection:

   * With DOS, turn off your PC, then restart from a clean start-up diskette, preferably the anti-virus diskette you prepared during installation.

   * With OS/2, close all DOS and Win-OS/2 sessions.

   * With an OS/2 dual-boot system infected by a boot sector virus (like Form, or others identified by Scan), boot (start up) OS/2 first, delete the BOOT.DOS file from the \OS2 directory, and then boot DOS to create a new, virus-free DOS boot sector file.

2  Run the Scan program to locate and identify the infections.

3  Back up the files on the infected disks (be sure not to overwrite any previous backups).

4  Repeat Step 1.
5  Don't run any programs, including Windows, before running Scan /CLEAN. If you have Windows, run Scan /CLEAN from DOS.

6  When disinfecting a hard disk, always run Scan /CLEAN from a write-protected diskette to prevent infection of the Scan program. When disinfecting diskettes, make sure there is no active virus in memory before running Scan from your hard disk.

SUCCESSFUL AND UNSUCCESSFUL RESULTS

Scan /CLEAN reports the results of its attempt to remove the virus from each infected file. If a file has several infections, it will report on each.

If viruses were not removed, contact technical support

If Scan can't remove a virus, you'll see a message like:

    Virus cannot be safely removed from this file.

Make sure to take note of the file name, because you will need to restore it from backups. If you have any questions about how to proceed, contact McAfee technical support or your local authorized agent.

If viruses were safely removed, rescan and check diskettes

If Scan /CLEAN has successfully removed all the viruses, turn your computer off again and restart from the system disk. Scan your hard disks again to make sure they are virus-free. If you suspect that your system was infected from a diskette, run Scan from your hard disk to examine and disinfect the diskettes you use.

CREATING A CUSTOM SETTINGS FILE

When you run the Scan program, Scan uses its own internal default settings plus any options listed in the command line. You can create an ASCII text file to contain the settings you want to run with Scan, then load the settings using the /LOAD option.

Your VirusScan package includes sample settings files that you can copy and change, using a DOS text editor, to suit your needs. The <> file contains the following text: <> <>
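
Added example, not McAfee code: a Python illustration of the separate-file validation workflow that the /AF, /CF and /EXCLUDE descriptions and Technical Note 1 explain, showing how an exception list keeps a self-modifying file out of the modified-file report. It substitutes SHA-256 digests for Scan's validation codes, whose format this reference does not describe; the JSON store, the `drive` parameter, the `;`/`#` comment characters and the sample file tree are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

# Extensions the page lists as standard executables (/STD, /AV).
STD_EXTENSIONS = {".exe", ".com", ".sys", ".bin", ".ovl", ".dll"}


def load_exceptions(text):
    """Parse an exception list: one path per uncommented line.

    Assumption: ';' or '#' starts a comment line (the page does not name
    the comment character). DOS paths compare case-insensitively.
    """
    paths = set()
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in ";#":
            paths.add(line.lower())
    return paths


def _digest(path):
    """SHA-256 of a file; a stand-in for Scan's validation code."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _executables(root, drive):
    """Yield (DOS-style key, real path) for each standard executable."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in STD_EXTENSIONS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "\\")
                yield (drive + "\\" + rel).lower(), full


def add_validation(root, store, exceptions=frozenset(), drive="c:"):
    """Like /AF with /EXCLUDE: write codes to a separate file."""
    codes = {key: _digest(full)
             for key, full in _executables(root, drive)
             if key not in exceptions}
    with open(store, "w") as fh:
        json.dump(codes, fh, indent=1, sort_keys=True)
    return len(codes)


def check_validation(root, store, drive="c:"):
    """Like /CF: compare the current files with the stored codes."""
    with open(store) as fh:
        codes = json.load(fh)
    current = dict(_executables(root, drive))
    return {
        # Code mismatch: the files /RPTMOD would add to the report.
        "modified": sorted(k for k, p in current.items()
                           if k in codes and codes[k] != _digest(p)),
        # Validated earlier but no longer on disk.
        "missing": sorted(set(codes) - set(current)),
        # No stored code: new since the baseline, or excluded.
        "unvalidated": sorted(set(current) - set(codes)),
    }


def demo():
    """Baseline a constructed tree, change it, and check it again."""
    exceptions = load_exceptions("; constructed sample list\nC:\\DOS\\SETVER.EXE\n")
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "disk")  # stands in for drive C:
        os.makedirs(os.path.join(disk, "DOS"))

        def write(rel, data, mode="wb"):
            with open(os.path.join(disk, *rel.split("/")), mode) as fh:
                fh.write(data)

        write("COMMAND.COM", b"shell")
        write("DOS/FORMAT.COM", b"format")
        write("DOS/SETVER.EXE", b"table v1")
        write("README.TXT", b"not an executable")
        store = os.path.join(tmp, "VALCODES.VSC")
        stored = add_validation(disk, store, exceptions)

        write("DOS/FORMAT.COM", b" appended bytes", "ab")  # unexpected change
        write("DOS/SETVER.EXE", b"table v2")               # excluded self-modifier
        write("NEW.EXE", b"installed later")               # no code stored yet
        return stored, check_validation(disk, store)


if __name__ == "__main__":
    print(demo())
```

The excluded SETVER.EXE changes without appearing under "modified", while newly installed NEW.EXE shows up as unvalidated, which is the situation Application Note 1 resolves by removing and re-adding the codes.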