VShield Reference Copyright 1994 McAfee Inc. Page 1 VSHIELD REFERENCE VirusScan's VShield is a memory-resident program that helps to prevent virus infection. It complements the Scan virus detection program as part of your computer security plan. While Scan checks areas on disks for viruses, the VShield program checks programs as they load into your computer's memory. This ensures that you don't "catch" any new viruses while you're working on your computer. VShield does this by remaining in memory and: * Checking master boot records (MBRs), boot sectors, system files, and itself for viruses when you turn on or reset ([Ctrl]+[Alt]+[Del]) your machine. * Checking program files for viruses as your computer executes them. * Checking files for viruses as you copy them (optional). * Checking for viruses whenever your computer accesses a disk (optional). The installation program automatically modifies your AUTOEXEC.BAT file so that VShield loads into memory every time you turn on your computer. If VShield finds a virus, you will see a message like: Found the Jerusalem Virus If that happens, don't panic. Turn to Chapter 4 to find out how to use the Scan program to get rid of the virus. If you need additional help, contact McAfee. There is one way to infect your computer that VShield cannot prevent only you can. Never accidentally start your computer from an unknown diskette. That's how 80% of all viruses are passed! Always make sure your diskette drives are empty before you turn your computer on. VShield runs under DOS, Windows, and OS/2 Virtual DOS Machine and WIN-OS/2 sessions. The program file is VSHIELD.EXE. The file called VSHWIN.EXE VShield Reference Copyright 1994 McAfee Inc. Page 2 allows VShield to display messages under Windows, and is added to your WIN.INI file automatically when you install VShield. If you need to conserve memory on your system, you can use VshieldCRC, a version of VShield that offers fewer protection options but requires less memory. The program file is VSHLDCRC.EXE. A companion program called CheckVshield checks whether either VShield or VshieldCRC is loaded in memory. The program file is CHKVSHLD.EXE. CheckVshield is especially useful for network administrators who want to ensure that everyone who logs on to the network is running VShield. All of these related programs are included in your VirusScan disk and described in this chapter. DO YOU NEED TO READ THIS DOCUMENT? Many users will not need the VShield options described in this chapter. We have designed VShield so that basic operation achieved by simply installing it in memory as described in Chapter 2 provides a high degree of protection for most users. The options here offer additional power and control for virus detection, and are most useful in vulnerable or memory-scarce environments, and to network administrators and information systems staff. SYSTEM REQUIREMENTS AND PERFORMANCE VShield is a terminate-and-stay-resident (TSR) program, which remains in memory while you run other programs. VShield tries to optimize memory usage and minimize conflicts with other TSRs. By default, VShield tries to conserve as much conventional memory as possible. If you have only 640Kb or less memory in your system, VShield requires about 67Kb of memory. By using the /SWAP option, you can reduce this to only 7Kb of conventional memory, although this will decrease VShield's speed. If you have more than 640Kb, VShield tries to load as much as possible into upper memory: first into expanded memory (EMS), into extended memory (XMS), then into upper memory blocks (640Kb to 1024Kb, or UMB). If you have sufficient high memory available, VShield or VshieldCRC use no conventional memory. You'll see a message after loading that describes where VShield loaded into memory and how VShield Reference Copyright 1994 McAfee Inc. Page 3 much memory it uses. You can control how VShield loads by using the /NOUMB, /NOEMS, and /NOXMS options, as described later in this chapter. VShield might require slightly more memory as the SCAN.DAT file grows to include more viruses. VShield adds a small amount of time to program loads and reboots. Performance will vary, depending on your system. The /SWAP option adds more time, because VShield must reload from disk to check files. VshieldCRC adds an average of one second to each program load. Once programs have been loaded, VShield does not degrade the performance of your system. Programs that load other files may run more slowly when you use the /FILEACCESS or /BOOTACCESS options, because these options cause VShield to scan files whenever they are accessed, not just when they are executed. FOUR LEVELS OF PROTECTION You can think of VShield as providing four levels of protection. You can use VShield's options to customize it for the level of protection you need. Level II meets the protection needs of most systems. Level I protection is appropriate for users who have very little memory available on their systems. It provides only minimal protection. For Level I protection, first use Scan with the /AF or /AV option to add validation codes. Then, install VshieldCRC instead of VShield. VshieldCRC can inform you that a file has not been certified, a file has been modified, a file size has changed, or a file has not been added to the validation file. VshieldCRC will not prevent infection, nor will it tell you when you have a known virus, but it allows you to prevent modified files from running. Use Scan instead to detect viruses, as described in Chapters 3 and 4. See "Using VShield." Level II protection is appropriate for most users. It will protect you from most viruses whether you have run Scan or not. For Level II protection, just install VShield according to the installation instructions. When VShield Reference Copyright 1994 McAfee Inc. Page 4 loading, VShield checks memory automatically for viruses. Once resident in memory, VShield checks master boot records (MBRs), boot sectors, and program files (when executed) for virus signatures. Level III protection is appropriate for computers that are used by many people, as in an open-use computer lab, or onto which you frequently load files from public sources. Level III protection checks for both validation codes and virus signatures, incorporating both Level I and Level II protection. For Level III protection, first use Scan with the /AF {filename} option, then use VShield with the /CF {filename} option. The /AF option logs recovery and validation data for program files, the boot sector, and the master boot record (MBR) to a file you specify. The /CF option tells VShield to check against that log. See Chapter 4, "VirusScan reference," for instructions on using Scan. Level IV protection is for environments where security is extremely important and new software is seldom introduced. It combines Level III protection with access control, specifying that only programs known to be safe can be run. For Level IV protection, run VShield with the /CERTIFY option. VShield has many optional features that you might use at any protection level. RUNNING VSHIELD VShield checks programs, the master boot record (MBR), boot sector, system files, and itself for virus signatures, the pattern of code unique to each virus. If VShield finds an infection, it prevents programs from running. It also prevents warm restarts ([Ctrl]+[Alt]+[Del]) from infected disks. You can use options to control and fine-tune the scope, validation parameters, and operation of the VShield's checks. To use VShield with options, use the following syntax: vshield [options] VShield Reference Copyright 1994 McAfee Inc. Page 5 [options] indicates one or more options described in the table in the next section. Don't enter the square braces, which indicate that what's within them is optional. Because systems and environments differ, VShield gives you a choice of options. Consider the mixture of safety, performance, and maintenance that meets your needs, then choose the combination of options that works best. DOS If you followed the installation instructions in Chapter 2, VShield begins working for you as soon as you install it, protecting the "sterile field" that the installation procedure creates. VShield is automatically added to your AUTOEXEC.BAT file, so it is activated every time you turn on your computer. The install program places VShield at the end of AUTOEXEC.BAT. In most cases this is OK. However, you should verify this by inspecting your AUTOEXEC.BAT file after you install VShield. To do so, use a text editor to examine your AUTOEXEC.BAT and follow these steps. If you need help with this procedure, see your DOS documentation or contact McAfee. 1 Check the placement of the VShield command line in the AUTOEXEC.BAT file. * VShield must be run before any menu programs, such as MS-DOS's DOSSHELL or Norton Commander, or it will not be loaded. * If AUTOEXEC.BAT loads any network drivers, keyboard drivers, disk caching programs, drive compression programs, or custom disk drivers, VShield must be run both before and after them. These kinds of programs disable VShield. The second time VShield is loaded, use only the /RECONNECT option, as described later in this chapter. 2 If necessary, move the line that loads VShield. 3 Add the VShield options of your choice to the command line. VShield Reference Copyright 1994 McAfee Inc. Page 6 On your VirusScan disk, you'll findAUTOEXEC.VSH, a sample AUTOEXEC.BAT that shows the correct placement of the VShield command line. If you are still not sure whether VShield is in the right place, contact McAfee. WINDOWS When you install VShield, it adds the VShield command line to your AUTOEXEC.BAT file. It also modifies your WIN.INI file to include VSHWIN.EXE, which allows VShield to display messages under Windows. However, you may need to change your Windows configuration for VShield to run properly. To do so, follow these steps. If you need help with this procedure, see your Windows documentation, or contact McAfee. 1 Follow the instructions for DOS users in the previous section. 2 Start Windows. 3 Make Program Manager the default shell. Use no other Windows shell. 4 In the Control Panel, configure Windows to run in 386 enhanced mode. 5 Load Windows. You will see the VShield icon on your desktop. If VShield finds or suspects a virus, you'll see a warning message. Choose OK to close the message dialog. Double-clicking the VShield icon only displays a message that VShield is loaded. OS/2 Because OS/2 is a protected environment, you need VShield only during Virtual DOS Machine (VDM) and WIN-OS/2 sessions. When you install it, VShield is automatically added to AUTOEXEC.BAT, so it is activated every time you start a VDM or WIN-OS/2 session. If your start-up batch file is not AUTOEXEC.BAT, edit your start-up batch file to include VShield. For example: VShield Reference Copyright 1994 McAfee Inc. Page 7 C:\vshield /fileaccess See /FILEACCESS, an option we recommend using with OS/2, in this chapter. SPECIAL INSTRUCTIONS FOR NETWORK ADMINISTRATORS You have many options for setting up VShield on a network. The table "Deciding which options are for you" lists options that most apply in network environments. If you need assistance in choosing the best configuration for your network, contact McAfee. If you run VShield from a network drive, flag VSHIELD.EXE as EXECUTE ONLY, READ ONLY, and SHAREABLE. If you run VShield from clients' local drives: * Edit all clients' AUTOEXEC.BAT files to load VShield with the options that are appropriate for your environment before any other drivers are loaded. * Add VShield with the /RECONNECT option to the AUTOEXEC.BAT or the network login script, after the network drivers are loaded. See /RECONNECT, later in this chapter, for more information. * Run CheckVshield from the login script. CheckVshield returns a DOS ERRORLEVEL that you can use in batch files to check and update VShield. For an example of using CheckVshield, see Technical note 2, "Sample NetWare login script and.BAT file," in this chapter. VSHIELD OPTION SUMMARY /? or /HELP Display a list of valid VShield command line options. /BOOT Check boot sectors for viruses when a program on a diskette executes. VShield Reference Copyright 1994 McAfee Inc. Page 8 /BOOTACCESS Scan the diskette boot sector for viruses whenever a diskette is accessed, including any read and write operations. /CERTIFY Prevent files without validation codes from running. /CF {filename} Check for viruses using recovery and validation data stored by Scan /AF in the specified filename. /CONTACT message Display specified message when a virus is found. /CONTACTFILE {filename} Display message stored in filename when a virus is found. /CV [filename] Check validation codes added to files by Scan; ignore files listed in filename. /EX {filename} Don't check files listed in filename for validation codes (/CF and /CV options). /FILEACCESS Scan files when they are accessed on a diskette, but don't check the boot sector. /IGNORE {drive(s)} Don't check programs loaded from the specified drive(s). /LOCK Halt the system when a file that is infected or not certified loads and attempts to execute. /NOEMS Prevent VShield from using expanded memory (EMS) VShield Reference Copyright 1994 McAfee Inc. Page 9 when it loads. /NOMEM Don't check memory for viruses. /NOREMOVE Prevent VShield from being removed from memory with the /REMOVE switch. /NOUMB Prevent VShield from using upper memory blocks (UMB) when it loads. /NOWARMBOOT Don't check the diskette boot sector for viruses during warm boot ([Ctrl]+[Alt]+[Del]). /NOXMS Prevent VShield from using extended memory (XMS) when it loads. /ONLY {drive(s)} Check programs loaded only from the specified drive(s). /RECONNECT Restore VShield after certain drivers or TSRs might have disabled it. /REMOVE Unload VShield from memory. /SAVE Save the command line options to the VSHIELD.INI file. /SWAP [pathname] Load VShield kernel (7Kb) only; swap the rest to pathname. VShield Reference Copyright 1994 McAfee Inc. Page 10 VSHIELD OPTION DESCRIPTIONS /? or /HELP Use this option to display a brief description of valid VShield command line options. /BOOT Checks the boot sector of a diskette for viruses whenever a program that resides on the diskette executes. By default, VShield checks programs when they execute, but does not check the boot sector of the diskette for viruses. The /BOOT option is faster, but less thorough, than /BOOTACCESS. Using /BOOT with either /BOOTACCESS or /FILEACCESS in the same command line returns an error message. This option does not work from within Windows File Manager. For virus-checking within Windows, use the /FILEACCESS or /BOOTACCESS switch instead. /BOOTACCESS Checks the diskette boot sector for viruses whenever a diskette is accessed by a read or write operation, such as a DIR or COPY command, and when a program on the diskette executes. This is the highest level of protection against viruses that infect boot sectors. Using /BOOTACCESS with either /BOOT or /FILEACCESS in the same command line returns an error message. /CERTIFY Prevents programs from running if they do not have Scan validation codes. Use it in high-security environments to prevent clients from running programs that have not been scanned. To use /CERTIFY, first run Scan with the /AF or /AV option, as described in Chapter 3. Then, use VShield with the /CERTIFY option and either the /CF or /CV option (either is required), such as: vshield /certify /cf c:\mcafee\recvalch.sav Some programs, such as Lotus 1-2-3, contain self- modifying code and do not work correctly with validation codes attached. You may create an exception list of files to exclude from validation. For instructions, refer to technical note 1, "Creating an exception list for /CERTIFY." VShield Reference Copyright 1994 McAfee Inc. Page 11 /CF {filename} Checks validation data stored by Scan's /AF {filename} option, where {filename} is the name of the validation data file created by Scan. If a file or system area has changed, VShield reports that a viral infection may have occurred. In this example: vshield /cf c:\mcafee\recvalch.sav /noems VShield looks in the RECVALCH.SAV file for validation data. /CONTACT message Displays a custom message when a virus is found. This message is displayed in addition to all other VShield messages. Use /CONTACT to let network users know what to do if VShield finds a virus. The message can be up to 50 characters long, and can contain any character except a backslash " \ ". Place messages starting with a hyphen " - " or slash " / " in quotation marks. If your message is longer than 50 characters or you want to store the message text in a file, use /CONTACTFILE instead. Using /CONTACT and /CONTACTFILE in the same command line returns an error message. /CONTACTFILE {filename} An alternative to the /CONTACT option, /CONTACTFILE identifies a file that contains the message string to display when a virus is found. This option is especially useful in network environments, because you can easily maintain the message text in a central file rather than changing the command line in the AUTOEXEC.BAT file on each workstation. If your message is 50 characters or fewer, you can use /CONTACT instead. Using /CONTACT and /CONTACTFILE in the same command line returns an error message. /CV Checks validation codes added by Scan with the /AV option. If a file has changed, VShield reports that the file has been modified and a viral infection may have occurred. You can specify the VShield Reference Copyright 1994 McAfee Inc. Page 12 /EXCLUDE option to exclude a list of files from validation checking. /EXCLUDE {filename} Excludes files listed in filename from validation code checking when using /CF or /CV. /FILEACCESS Checks all files when accessed by a read or write operation. Using /FILEACCESS with either /BOOT or /BOOTACCESS in the same command line returns an error message. We recommend always using /FILEACCESS with OS/2. /IGNORE {drives} Omits checking program loads from the specified drives, as shown in the following example: vshield /ignore t: y: w: Use /IGNORE or /ONLY to speed up VShield by excluding secure, virus-free network drives from virus checking. You can specify up to 26 drives. See also /ONLY, described later in this section. Using /IGNORE and /ONLY in the same command line returns an error message. /LOCK Halts the system to stop further infection if VShield finds a virus. /LOCK is appropriate in highly vulnerable network environments, such as open-use computer labs. If you use /LOCK, be sure to use /CONTACT or /CONTACTFILE to tell users what to do or whom to contact if a virus is found and the system locks up. /NOEMS Prevents VShield from using expanded memory (LIM EMS 3.2) when it loads. This ensures that EMS is available exclusively to other programs. /NOMEM Skips the memory check for viruses when VShield loads. Using /NOMEM improves performance slightly, but use it only if you are absolutely sure that your system is virus-free. VShield Reference Copyright 1994 McAfee Inc. Page 13 /NOREMOVE Prevents VShield from being removed from memory with the /REMOVE option in a subsequent VShield command. When you load VShield with the /NOREMOVE option, subsequent loads with the /REMOVE option will have not effect. Your network will be more secure if users cannot remove VShield, but this option may prevent users from solving memory limitations or conflicts. /NOUMB Prevents VShield from using the upper memory block (UMB, 640Kb to 1024Kb) when it loads. This ensures that UMB is available exclusively to other programs. /NOWARMBOOT Omits checking the diskette boot sector during a warm boot (Ctrl-Alt-Del) of the system. /NOXMS Prevents VShield from using extended memory when it loads. This ensures that XMS is available exclusively to other programs. /ONLY {drive(s)} Checks program loads only from the specified drive(s), ignoring all other drives, as shown in the following example: vshield /only c: f: k: Use /IGNORE or /ONLY to speed up VShield by excluding secure, virus-free network drives from virus checking. You can specify up to 26 drives. See also /IGNORE in this chapter. Using /ONLY and /IGNORE in the same command line returns an error message. /RECONNECT Restores VShield's links into DOS after another program has disabled it, such as a network driver, keyboard driver, custom disk driver, drive compression program, or disk caching program. These types of programs replace the normal DOS system interrupts so that VShield no longer recognizes program loads. After the lines in your VShield Reference Copyright 1994 McAfee Inc. Page 14 AUTOEXEC.BAT file (or network login script) that load these programs, add this command line to restore VShield: vshield /reconnect /REMOVE Unloads VShield from memory. You may want to do this temporarily if you are running out of memory for programs. For best results, try using VShield with the /SWAP option first. Use /REMOVE only as a last resort. /REMOVE will not work if other memory-resident programs were loaded after VShield, or if VShield was loaded previously with the /NOREMOVE option. /SAVE Stores the VShield options you specify as the defaults in VSHIELD.INI. In the following example, /SAVE saves the /CONTACTFILE N:\MSGFILE as the default setting: vshield /contactfile n:\personal\msgfile /save To remove custom options and return to VShield's original defaults, use the /SAVE option alone: vshield /save /SWAP [pathname] Installs a small (7Kb) kernel of VShield in memory that loads the rest of VShield from disk on demand. Specify a pathname only if you want VShield to swap to a path other than the directory where VShield resides. Use /SWAP only if you have very little memory available, but require a high assurance of safety. /SWAP will slow down your system and may cause conflicts with programs that fail to allocate memory properly. If you don't have enough memory to load VShield without swapping, consider using VshieldCRC instead. We do not recommend storing the swap file on a network path because, if the workstation disconnects from the network, the workstation will lock. Deciding which options are for you VShield Reference Copyright 1994 McAfee Inc. Page 15 Because systems and environments differ, VShield gives you a choice of options. Consider the mixture of safety, performance, and maintenance that meets your needs, then choose the combination of options that works best. COMMENTS MORE COMPLETE PROTECTION, ANY ENVIRONMENT /BOOTACCESS Highest protection against infected diskettes; checks for viruses whenever a diskette is accessed. /FILEACCESS Next highest protection against infected diskettes; checks for viruses whenever a file on a diskette is accessed. /BOOT Of the three, lowest protection against infected diskettes; checks for viruses whenever a program on a diskette executes. MORE COMPLETE PROTECTION, STABLE SOFTWARE ENVIRONMENT /CERTIFY Use with /CF {filename} or /CV [filename] and an exception list. /CF Use /CF or /CV. Of the two, /CF is recommended. /CV Use /CF or /CV. NETWORK ENVIRONMENTS /CONTACT Use this (or CONTACTFILE) to tell users what to do VShield Reference Copyright 1994 McAfee Inc. Page 16 when virus is found. /CONTACTFILE Use this (or CONTACT) to tell users what to do when virus is found. /IGNORE Use this (or /ONLY) to skip virus-free drives. /LOCK Use with /CONTACT or /CONTACTFILE {filename}. For high-risk -environments. /NOREMOVE Prevents VShield from being removed from memory. /ONLY Use this (or IGNORE) to check only vulnerable drives. /RECONNECT Required if drivers are loaded after VShield. FASTER PERFORMANCE, ANY ENVIRONMENT /NOMEM Only use on a virus-free computer. /NOWARMBOOT Omits checking the boot sector after a warm boot. Manage memory, any environment /NOEMS Use when other programs need exclusive use of EMS memory. /NOUMB VShield Reference Copyright 1994 McAfee Inc. Page 17 Use when other programs need exclusive use of UMB memory. /REMOVE May temporarily solve memory conflicts. /NOREMOVE Use to ensure that VShield remains in memory. /NOXMS Use when other programs need exclusive use of XMS memory. /SWAP Use in environments with very limited memory. EXAMPLES The following examples show different option settings: vshield Activates VShield (Level II protection). vshield /cv Activates VShield (Level III protection), if you have previously run SCAN /AV. vshield /certify /cf c:\valcodes.dat Activates VShield (Level IV protection) and checks a recovery and validation data file created when running Scan with the /AF option. vshield /swap Activates VShield kernel in memory and swaps from the directory in which VShield resides. vshield /cv c:\excption.lst /contact "Please Contact the PC Help Desk" Activates VShield (Level III protection), ignores checking files in the EXCPTION.LST files, and displays a message if a virus is found. VShield Reference Copyright 1994 McAfee Inc. Page 18 vshield /reconnect Re-enables VShield after it has been disconnected by network device drivers. ERRORLEVELS When VShield loads, it sets the DOS ERRORLEVEL. You can use the returned ERRORLEVEL in AUTOEXEC.BAT or other batch files to take different actions based on whether VShield has loaded in memory. See your DOS manual for more information. VShield returns these ERRORLEVELs: 0 - VShield successfully loaded in memory with all options operational. 9 - VShield not loaded correctly. Abnormal termination (program error). USING VSHLDCRC For Level I protection on systems with limited memory, use VshieldCRC instead of VShield. VshieldCRC is a separate program that consumes little system overhead, but is not recommended for normal use because it provides only minimal protection. VshieldCRC can inform you that you have been infected with a virus, but it does not check for virus signatures nor does it prevent infection. To use VshieldCRC, first use Scan with the /AF or /AV option. VshieldCRC checks the validation codes added by Scan. It also checks the master boot record (MBR) and boot sector validation codes, if present. See Chapter 4, "VirusScan reference," for instructions on using Scan. To load VshieldCRC with options, use the following syntax: VshieldCRC [options] [options] include the options listed in the table "VShield option summary." For more information on all options except /LOGFILE, see "VShield option descriptions" in this chapter. VShield Reference Copyright 1994 McAfee Inc. Page 19 EXAMPLES Activates VshieldCRC (Level I protection). VshieldCRC /cf valcodes.dat Activates VshieldCRC and checks validation data stored in VALCODES.DAT, a file that was created using Scan with the /AF option. VSHLDCRC OPTION SUMMARY /? or /HELP Display a list of valid VshieldCRC command line options. /CERTIFY Prevent files without validation codes from running. /CF {filename} Check for viruses using recovery and validation data stored by Scan /AF in the specified filename. /CONTACT message Display specified message when a virus is found. /CONTACTFILE {filename} Display message stored in specified filename when a virus is found. /CV Check validation codes added to files by Scan. /EX {filename} Don't check files listed in filename for validation codes (used with /CF and /CV options). VShield Reference Copyright 1994 McAfee Inc. Page 20 /FILEACCESS Don't check the diskette boot sector for viruses when a file on the diskette is accessed, including read and write operations; still checks files for validation codes. /IGNORE {drive(s)} Don't check programs loaded from specified drive(s). /LOCK Halt the system when a file that is not certified attempts to load and execute. /LOGFILE {filename} Write error information to filename. /NOREMOVE Prevent VshieldCRC from being removed from memory with a subsequent VshieldCRC command using /REMOVE. /NOUMB /ONLY {drive(s)} Check programs loaded only from the specified drive(s). /REMOVE Unload VshldCRC From memory. USING CHKVSHLD CheckVshield allows network administrators to make sure that workstations are running VShield or VshieldCRC before users can log onto a network. See technical note 2 in this chapter for a sample Novell NetWare login script using CheckVshield. To load CheckVshield with options, use the following syntax: chkvshld [option(s)] [option(s)] include: /? and /HELP Display a list of valid CheckVshield VShield Reference Copyright 1994 McAfee Inc. Page 21 command line options. /DEBUG Displays the version of VShield or VshieldCRC resident in memory and the DOS ERRORLEVEL on the screen. /Q Suppresses CheckVshield messages (quiet mode) so users don't see the messages. /V xxxxx Tells CheckVshield to look for a specific version (2.00 or higher) of VShield or VshieldCRC in memory. For example, /v 2.00 for VShield 2.00. Examples chkvshld /q Checks for VShield or VshieldCRC in memory and suppresses messages. ERRORLEVELS When CheckVshield runs, it sets the DOS ERRORLEVEL. Use the ERRORLEVEL in batch files to take different actions based on the results of CheckVshield's check. The ERRORLEVELs returned by CheckVshield are: 0 - VShield or VshieldCRC is resident or, if /V is used, the version specified is resident in memory. 1 - VShield or VshieldCRC is resident but does not match the version specified in the /V option. 2 - VShield or VshieldCRC is not resident in memory. 3 - Abnormal termination (program error). TECHNICAL NOTE 1 CREATING AN EXCEPTION LIST FOR /CERTIFY AND /CV VShield /CERTIFY permits a file to load only if: * It has been validated by Scan, or * It appears in the exception list file specified with the /CV option. VShield Reference Copyright 1994 McAfee Inc. Page 22 If you do not validate any files and do not use an exception list, /CERTIFY will disable all programs other than DOS internal commands. The exception list file is an ASCII or DOS text file containing up to 1,024 characters. If you use a word processor to create it, be sure to save the file as ASCII or DOS Text. Each uncommented line in the file contains the path and filename of one file that should not be validated. To enter a comment, start the line with an asterisk (*). Here is an example: * *LIST OF FILES TO EXCLUDE FROM /CV VALIDATION * *Nantucket Corp's database program, Clipper C:\CLIPPER\BIN\CLIPPER.EXE *Lotus Development Corp's spreadsheet program, 1-2-3 C:\123\123.COM *Microsoft's database program, FoxPro C:\FOX\FOXPROLX.EXE *MS-DOS 5.0 and above self-modifying program, SETVER C:\DOS\SETVER.EXE *PKWare's data compression programs already perform *a self-check C:\PKWARE\PKLITE.EXE C:\PKWARE\PKZIP.EXE C:\PKWARE\PKUNZIP.EXE *SemWare's QEdit text editor C:\SEMWARE\Q.EXE *Stac Technologies hard disk swapping program C:\SWAPVOL.COM *Symantec's Norton Utilities V6.01 disk caching program C:\NORTON\NCACHE.EXE *WordStar Corp's word processor is self-modifying C:\WORDSTAR\WS.EXE VShield Reference Copyright 1994 McAfee Inc. Page 23 TECHNICAL NOTE 2 SAMPLE NETWARE LOGIN SCRIPT AND .BAT FILE Here is a sample system login script for use by Novell NetWare system administrators. The login script gets the ERRORLEVEL from CheckVshield and displays messages on the user's screen. If VShield is not loaded correctly, there is an internal error with CHKVSHLD, either VShield or VshieldCRC is not installed, or an older version of VShield is present, the script exits the user to a NOLOGIN.BAT file that logs him or her out. #REM REPLACE "XXX" WITH CURRENT VERSION NUMBER CHKVSHLD /V "5.4VXXX" IF ERROR_LEVEL = "3" THEN FIRE PHASERS 5 TIMES WRITE "A CHKVSHLD internal error has occurred." WRITE "Please contact the Help Desk." #COMMAND /C NOLOGIN.BAT EXIT ELSE IF ERROR_LEVEL = "2" THEN FIRE PHASERS 5 TIMES WRITE "VShield has not been installed on your PC." WRITE "Access Denied. Please contact the Help Desk." #COMMAND /C NOLOGIN.BAT EXIT ELSE IF ERROR_LEVEL = "1" THEN FIRE PHASERS 5 TIMES WRITE "An old version of VShield has been installed." WRITE "Access to the network has been denied. Please" WRITE "contact the Help Desk to have a new version." WRITE "installed." #COMMAND /C NOLOGIN.BAT EXIT END END END VShield Reference Copyright 1994 McAfee Inc. Page 24 You can create more complex login scripts to send a message to the supervisor if an error has occurred, update the user's VSHIELD.EXE as he or she logs in to the network, and so forth. Here is a sample of the NOLOGIN.BAT file called by the login script. ECHO OFF REM Log the user off of the network LOGOUT <>