McAfee Dr Solomon’s Anti-Virus Administrator's Manual

Dr Solomon’s Anti-Virus Administrator’s Guide
Version 8.5
COPYRIGHT
Copyright © 2000 Network Associates, Inc. and its Affiliated Companies. All Rights Reserved. No part
of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated
into any language in any form or by any means without the written permission of Network Associates,
Inc.
TRADEMARK ATTRIBUTIONS
* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, CNX,
Compass 7, CyberCop, CyberMedia, Data Security Letter, Discover, Distributed Sniffer System, Dr
Solomon’s, Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT, GroupShield, HelpDesk,
Hunter, ISDN Tel/Scope, LM 1, LANGuru, Leading Help Desk Technology, Magic Solutions, MagicSpy,
MagicTree, Magic University, MagicWin, MagicWord, McAfee, McAfee Associates, MoneyMagic, More
Power To You, Multimedia Cloaking, NetCrypto, NetOctopus, NetRoom, NetScan, Net Shield, NetShield,
NetStalker, Net Tools, Network Associates, Network General, Network Uptime!, NetXRay, Nuts & Bolts,
PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty
Good Privacy, PrimeSupport, RecoverKey, RecoverKey-International, ReportMagic, RingFence, Router
PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, Site Meter, Sniffer,
SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR), SupportMagic, Switch PM,
TeleSniffer, TIS, TMach, TMeg, Total Network Security, Total Network Visibility, Total Service Desk,
Total Virus Defense, T-POD, Trusted Mach, Trusted Mail, Uninstaller, Virex, Virex-PC, Virus Forum,
ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker WebWall, and ZAC 2000
are registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All
other registered and unregistered trademarks in this document are the sole property of their respective
owners.
LICENSE AGREEMENT
NOTICE TO ALL USERS: CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT
("AGREEMENT"), FOR THE LICENSE OF SPECIFIED SOFTWARE ("SOFTWARE") BY
NETWORK ASSOCIATES, INC. ("McAfee"). BY CLICKING THE ACCEPT BUTTON OR
INSTALLING THE SOFTWARE, YOU (EITHER AN INDIVIDUAL OR A SINGLE ENTITY)
CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT. IF YOU DO
NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE BUTTON THAT
INDICATES THAT YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT AND DO NOT
INSTALL THE SOFTWARE. (IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE
PLACE OF PURCHASE FOR A FULL REFUND.)
1. License Grant. Subject to the payment of the applicable license fees, and subject to the terms and
conditions of this Agreement, McAfee hereby grants to you a non-exclusive, non-transferable right
to use one copy of the specified version of the Software and the accompanying documentation (the
"Documentation"). You may install one copy of the Software on one computer, workstation,
personal digital assistant, pager, "smart phone" or other electronic device for which the Software
was designed (each, a "Client Device"). If the Software is licensed as a suite or bundle with more
than one specified Software product, this license applies to all such specified Software products,
subject to any restrictions or usage terms specified on the applicable price list or product packaging
that apply to any of such Software products individually.
Issued May 2000/ Dr Solomon’s Anti-Virus v8.5
(i.e., the required number of licenses would equal the number of distinct inputs to the
multiplexing or pooling software or hardware "front end"). If the number of Client Devices or
seats that can connect to the Software can exceed the number of licenses you have obtained, then
you must have a reasonable mechanism in place to ensure that your use of the Software does not
exceed the use limits specified for the licenses you have obtained. This license authorizes you to
make or download one copy of the Documentation for each Client Device or seat that is licensed,
provided that each such copy contains all of the Documentation's proprietary notices.
c. Volume Licenses. If the Software is licensed with volume license terms specified in the
applicable price list or product packaging for the Software, you may make, use and install as
many additional copies of the Software on the number of Client Devices as the volume license
authorizes. You must have a reasonable mechanism in place to ensure that the number of Client
Devices on which the Software has been installed does not exceed the number of licenses you
have obtained. This license authorizes you to make or download one copy of the Documentation
for each additional copy authorized by the volume license, provided that each such copy contains
all of the Documentation's proprietary notices.
2. Term. This Agreement is effective for an unlimited duration unless and until earlier terminated as
set forth herein. This Agreement will terminate automatically if you fail to comply with any of the
limitations or other requirements described herein. Upon any termination or expiration of this
Agreement, you must destroy all copies of the Software and the Documentation. You may
terminate this Agreement at any point by destroying all copies of the Software and the
Documentation.
3. Updates. For the time period specified in the applicable price list or product packaging for the
Software you are entitled to download revisions or updates to the Software when and as McAfee
publishes them via its electronic bulletin board system, website or through other online services.
For a period of ninety (90) days from the date of the original purchase of the Software, you are
entitled to download one (1) revision or upgrade to the Software when and as McAfee publishes it
via its electronic bulletin board system, website or through other online services. After the
specified time period, you have no further rights to receive any revisions or upgrades without
purchase of a new license or annual upgrade plan to the Software.
4. Ownership Rights. The Software is protected by United States copyright laws and international
treaty provisions. McAfee and its suppliers own and retain all right, title and interest in and to the
Software, including all copyrights, patents, trade secret rights, trademarks and other intellectual
property rights therein. Your possession, installation, or use of the Software does not transfer to
you any title to the intellectual property in the Software, and you will not acquire any rights to the
Software except as expressly set forth in this Agreement. All copies of the Software and
Documentation made hereunder must contain the same proprietary notices that appear on and in the
Software and Documentation.
Administrator’s Guide iii
5. Restrictions. You may not rent, lease, loan or resell the Software. You may not permit third parties
to benefit from the use or functionality of the Software via a timesharing, service bureau or other
arrangement, except to the extent such use is specified in the applicable list price or product
packaging for the Software. You may not transfer any of the rights granted to you under this
Agreement. You may not reverse engineer, decompile, or disassemble the Software, except to the
extent the foregoing restriction is expressly prohibited by applicable law. You may not modify, or
create derivative works based upon, the Software in whole or in part. You may not copy the
Software or Documentation except as expressly permitted in Section 1 above. You may not remove
any proprietary notices or labels on the Software. All rights not expressly set forth hereunder are
reserved by McAfee. McAfee reserves the right to periodically conduct audits upon advance
written notice to verify compliance with the terms of this Agreement.
6. Warranty and Disclaimer
a. Limited Warranty. McAfee warrants that for sixty (60) days from the date of original purchase
the media (e.g., diskettes) on which the Software is contained will be free from defects in
materials and workmanship.
b. Customer Remedies. McAfee's and its suppliers' entire liability and your exclusive remedy for
any breach of the foregoing warranty shall be, at McAfee's option, either (i) return of the
purchase price paid for the license, if any, or (ii) replacement of the defective media in which the
Software is contained. You must return the defective media to McAfee at your expense with a
copy of your receipt. This limited warranty is void if the defect has resulted from accident,
abuse, or misapplication. Any replacement media will be warranted for the remainder of the
original warranty period. Outside the United States, this remedy is not available to the extent
McAfee is subject to restrictions under United States export control laws and regulations.
c. Warranty Disclaimer. Except for the limited warranty set forth herein, THE SOFTWARE IS
PROVIDED "AS IS." TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE
LAW, MCAFEE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
NONINFRINGEMENT WITH RESPECT TO THE SOFTWARE AND THE
ACCOMPANYING DOCUMENTATION. YOU ASSUME RESPONSIBILITY FOR
SELECTING THE SOFTWARE TO ACHIEVE YOUR INTENDED RESULTS, AND FOR
THE INSTALLATION OF, USE OF, AND RESULTS OBTAINED FROM THE SOFTWARE.
WITHOUT LIMITING THE FOREGOING PROVISIONS, MCAFEE MAKES NO
WARRANTY THAT THE SOFTWARE WILL BE ERROR-FREE OR FREE FROM
INTERRUPTIONS OR OTHER FAILURES OR THAT THE SOFTWARE WILL MEET
YOUR REQUIREMENTS. SOME STATES AND JURISDICTIONS DO NOT ALLOW
LIMITATIONS ON IMPLIED WARRANTIES, SO THE ABOVE LIMITATION MAY NOT
APPLY TO YOU. The foregoing provisions shall be enforceable to the maximum extent
permitted by applicable law.
7. Limitation of Liability. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY,
WHETHER IN TORT, CONTRACT, OR OTHERWISE, SHALL MCAFEE OR ITS SUPPLIERS
BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL,
INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING,
WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE,
COMPUTER FAILURE OR MALFUNCTION, OR FOR ANY AND ALL OTHER DAMAGES
OR LOSSES. IN NO EVENT WILL MCAFEE BE LIABLE FOR ANY DAMAGES IN EXCESS
OF THE LIST PRICE MCAFEE CHARGES FOR A LICENSE TO THE SOFTWARE, EVEN IF
MCAFEE SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR
PERSONAL INJURY TO THE EXTENT THAT APPLICABLE LAW PROHIBITS SUCH
LIMITATION. FURTHERMORE, SOME STATES AND JURISDICTIONS DO NOT ALLOW
THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES,
SO THIS LIMITATION AND EXCLUSION MAY NOT APPLY TO YOU. The foregoing
provisions shall be enforceable to the maximum extent permitted by applicable law.
8. United States Government. The Software and accompanying Documentation are deemed to be
"commercial computer software" and "commercial computer software documentation,"
respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any
use, modification, reproduction, release, performance, display or disclosure of the Software and
accompanying Documentation by the United States Government shall be governed solely by the
terms of this Agreement and shall be prohibited except to the extent expressly permitted by the
terms of this Agreement.
9. Export Controls. Neither the Software nor the Documentation and underlying information or
technology may be downloaded or otherwise exported or re-exported (i) into (or to a national or
resident of ) Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria or any other country to which the
United States has embargoed goods; or (ii) to anyone on the United States Treasury Department's
list of Specially Designated Nations or the United States Commerce Department's Table of Denial
Orders. By downloading or using the Software you are agreeing to the foregoing and you are
certifying that you are not located in, under the control of, or a national or resident of any such
country or on any such list.
IN ADDITION, YOU SHOULD BE AWARE OF THE FOLLOWING: EXPORT OF THE
SOFTWARE MAY BE SUBJECT TO COMPLIANCE WITH THE RULES AND
REGULATIONS PROMULGATED FROM TIME TO TIME BY THE BUREAU OF EXPORT
ADMINISTRATION, UNITED STATES DEPARTMENT OF COMMERCE, WHICH
RESTRICT THE EXPORT AND RE-EXPORT OF CERTAIN PRODUCTS AND TECHNICAL
DATA. IF THE EXPORT OF THE SOFTWARE IS CONTROLLED UNDER SUCH RULES
AND REGULATIONS, THEN THE SOFTWARE SHALL NOT BE EXPORTED OR
RE-EXPORTED, DIRECTLY OR INDIRECTLY, (A) WITHOUT ALL EXPORT OR
RE-EXPORT LICENSES AND UNITED STATES OR OTHER GOVERNMENTAL
APPROVALS REQUIRED BY ANY APPLICABLE LAWS, OR (B) IN VIOLATION OF ANY
APPLICABLE PROHIBITION AGAINST THE EXPORT OR RE-EXPORT OF ANY PART OF
THE SOFTWARE.
SOME COUNTRIES HAVE RESTRICTIONS ON THE USE OF ENCRYPTION WITHIN
THEIR BORDERS, OR THE IMPORT OR EXPORT OF ENCRYPTION EVEN IF FOR ONLY
TEMPORARY PERSONAL OR BUSINESS USE. YOU ACKNOWLEDGE THAT THE
IMPLEMENTATION AND ENFORCEMENT OF THESE LAWS IS NOT ALWAYS
CONSISTENT AS TO SPECIFIC COUNTRIES. ALTHOUGH THE FOLLOWING
COUNTRIES ARE NOT AN EXHAUSTIVE LIST THERE MAY EXIST RESTRICTIONS ON
THE EXPORTATION TO, OR IMPORTATION OF, ENCRYPTION BY: BELGIUM, CHINA
(INCLUDING HONG KONG), FRANCE, INDIA, INDONESIA, ISRAEL, RUSSIA, SAUDI
ARABIA, SINGAPORE, AND SOUTH KOREA. YOU ACKNOWLEDGE IT IS YOUR
ULTIMATE RESPONSIBILITY TO COMPLY WITH ANY AND ALL GOVERNMENT
EXPORT AND OTHER APPLICABLE LAWS AND THAT MCAFEE HAS NO FURTHER
RESPONSIBILITY AFTER THE INITIAL SALE TO YOU WITHIN THE ORIGINAL
COUNTRY OF SALE.
10. High Risk Activities. The Software is not fault-tolerant and is not designed or intended for use in
hazardous environments requiring fail-safe performance, including without limitation, in the
operation of nuclear facilities, aircraft navigation or communication systems, air traffic control,
weapons systems, direct life-support machines, or any other application in which the failure of the
Software could lead directly to death, personal injury, or severe physical or property damage
(collectively, "High Risk Activities"). McAfee expressly disclaims any express or implied
warranty of fitness for High Risk Activities.
11. Miscellaneous. This Agreement is governed by the laws of the United States and the State of
California, without reference to conflict of laws principles. The application of the United Nations
Convention of Contracts for the International Sale of Goods is expressly excluded. This Agreement
sets forth all rights for the user of the Software and is the entire agreement between the parties. This
Agreement supersedes any other communications with respect to the Software and Documentation.
This Agreement may not be modified except by a written addendum issued by a duly authorized
representative of McAfee. No provision hereof shall be deemed waived unless such waiver shall
be in writing and signed by McAfee or a duly authorized representative of McAfee. If any
provision of this Agreement is held invalid, the remainder of this Agreement shall continue in full
force and effect. The parties confirm that it is their wish that this Agreement has been written in
the English language only.
12. McAfee Customer Contact. If you have any questions concerning these terms and conditions, or
if you would like to contact McAfee for any other reason, please call (408) 988-3832, fax (408)
970-9727, or write: McAfee Software, 3965 Freedom Circle, Santa Clara, California 95054.
http://www.mcafee.com.
Statements made to you in the course of this sale are subject to the Year 2000 Information and
Readiness Disclosure Act (Public Law 105-271). In the case of a dispute, this Act may reduce your
legal rights regarding the use of any statements regarding Year 2000 readiness, unless otherwise
specified in your contract or tariff.
Table of Contents

Preface ..... xi
  Anti-virus protection as information security ..... xi
  Information security as a business necessity ..... xiv
  Active Virus Defense security perimeters ..... xv
  Dr Solomon’s anti-virus research ..... xvii
  How to contact Network Associates ..... xviii
    Customer service ..... xviii
    Technical support ..... xix
    Download support ..... xx
    Network Associates training ..... xx
    Comments and feedback ..... xx
    Reporting new items for anti-virus data file updates ..... xx
    International contact information ..... xxii

Chapter 1. About Dr Solomon’s Anti-Virus ..... 25
  Introducing Dr Solomon’s Anti-Virus ..... 25
  How does Dr Solomon’s Anti-Virus work? ..... 27
  What comes with Dr Solomon’s Anti-Virus? ..... 29
  What’s new in this release? ..... 33

Chapter 2. Installing Dr Solomon’s Anti-Virus ..... 37
  Before you begin ..... 37
    System requirements ..... 37
  Installing Dr Solomon’s Anti-Virus software on a local computer ..... 38
    Installation steps ..... 38
    Using the Emergency Disk Creation utility ..... 53
    Determining when you must restart your computer ..... 58
  Testing your installation ..... 59
  Modifying or removing your local Dr Solomon’s Anti-Virus installation ..... 61
  Installing Dr Solomon’s Anti-Virus software on other computers ..... 63
    Using Active Directory and Group Policies ..... 63
    Installing Dr Solomon’s Anti-Virus software using command-line options ..... 64
    Using Management Edition software ..... 72
    Using ePolicy Orchestrator to deploy Dr Solomon’s Anti-Virus software ..... 73
    Installing via System Management Server ..... 74
    Installing via Tivoli IT Director ..... 74
    Installing via ZENworks ..... 75
    Exporting Dr Solomon’s Anti-Virus custom settings ..... 75

Chapter 3. Removing Infections From Your System ..... 79
  If you suspect you have a virus... ..... 79
  Deciding when to scan for viruses ..... 82
  Recognizing when you don’t have a virus ..... 83
    Understanding false detections ..... 84
  Responding to viruses or malicious software ..... 85
  Submitting a virus sample ..... 97
    Using the SendVirus utility to submit a file sample ..... 97
    Capturing boot sector, file-infecting, and macro viruses ..... 100

Chapter 4. Using Dr Solomon’s Anti-Virus ..... 105
  Using the WinGuard scanner ..... 105
  Using the Dr Solomon’s Anti-Virus application ..... 105
  Scheduling scan tasks ..... 106
  Using specialized scanning tools ..... 106

Chapter 5. Sending Alert Messages ..... 107
  Using the Alert Manager Client Configuration utility ..... 107
  Dr Solomon’s Anti-Virus as an Alert Manager Client ..... 108
  Configuring the Alert Manager Client utility ..... 108

Chapter 6. Updating and Upgrading Dr Solomon’s Anti-Virus ..... 113
  Developing an updating strategy ..... 113
  Update and upgrade methods ..... 114
  Understanding the AutoUpdate utility ..... 116
  Configuring the AutoUpdate utility ..... 118
  Understanding the AutoUpgrade utility ..... 127
  Configuring the AutoUpgrade utility ..... 128
    Using the AutoUpgrade and SuperDAT utilities together ..... 137
    Deploying an EXTRA.DAT file ..... 139

Appendix A. Using Dr Solomon’s Anti-Virus Administrative Utilities ..... 141
  Understanding the Dr Solomon’s Anti-Virus control panel ..... 141
  Opening the Dr Solomon’s Anti-Virus control panel ..... 141
  Choosing Dr Solomon’s Anti-Virus control panel options ..... 142

Appendix B. Installed Files ..... 147
  What’s in this appendix? ..... 147
    WinGuard scanner ..... 147
    Dependent and related files for the Dr Solomon’s Anti-Virus application ..... 153
    Alert Manager ..... 156
    Dr Solomon’s Anti-Virus control panel files ..... 157
    ScreenScan ..... 158
    Dr Solomon’s Anti-Virus Emergency Disk files ..... 160
    Dependent and related files for the E-Mail Scan extension ..... 162

Appendix C. Using Dr Solomon’s Anti-Virus Command-line Options ..... 167
  Adding advanced Dr Solomon’s Anti-Virus engine options ..... 167
  Running the Dr Solomon’s Anti-Virus Command Line program ..... 167
  Running the on-demand scanner with command-line arguments ..... 177

Appendix D. Using the SecureCast Service to Get New Data Files ..... 185
  Introducing the SecureCast service ..... 185
  Why should I update my data files? ..... 186
    Which data files does the SecureCast service deliver? ..... 186
  Installing the BackWeb client and SecureCast service ..... 187
    System requirements ..... 187
    Troubleshooting the Enterprise SecureCast service ..... 197
    Unsubscribing from the SecureCast service ..... 197
  Support resources ..... 197
    SecureCast service ..... 197
    BackWeb client ..... 198

Appendix E. Network Associates Support Services ..... 199
  Adding value to your Dr Solomon’s product ..... 199
    PrimeSupport options for corporate customers ..... 199
    Ordering a corporate PrimeSupport plan ..... 202
  PrimeSupport options for home users ..... 204
    How to reach international home user support ..... 206
    Ordering a PrimeSupport plan for home users ..... 206
  Network Associates consulting and training ..... 207
    Professional Services ..... 207
    Total Education Services ..... 208

Appendix F. Understanding iDAT Technology ..... 209
  Understanding incremental .DAT files ..... 209
  How does iDAT updating work? ..... 210
    What does Dr Solomon’s post each week? ..... 211
  Best practices ..... 212
  Frequently asked questions ..... 213

Index ..... 217
Preface
Anti-virus protection as information security
“The world changed [on March 26, 1999]—does anyone doubt that? The world
is different. Melissa proved that ... and we are very fortunate ... the world
could have gone very close to meltdown.”
—Padgett Peterson, Chief Info Security Architect, Lockheed Martin Corporation,
on the 1999 “Melissa” virus epidemic
By the end of the 1990s, many information technology professionals had
begun to recognize that they could not easily separate how they needed to
respond to new virus threats from how they already dealt with deliberate
network security breaches. Dorothy Denning, co-editor of the 1998 computer
security handbook Internet Besieged: Countering Cyberspace Scofflaws, explicitly
grouped anti-virus security measures in with other network security
measures, classifying them as a defense against malicious “injected code.”
Denning justified her inclusive grouping based on her definition of
information security as “the effective use of safeguards to protect the
confidentiality, integrity, authenticity, availability, and non-repudiation of
information and information processing systems.” Virus payloads had always
threatened or damaged data integrity, but by the time she wrote her survey
article, newer viruses had already begun to mount sophisticated attacks that
struck at the remaining underpinnings of information security. Denning’s
classification recognized that newer viruses no longer merely annoyed system
administrators or posed a relatively low-grade threat; they had in fact
graduated to become a serious hazard.
Though not targeted with as much precision as an unauthorized network
intrusion, virus attacks had begun to take on the color of deliberate
information warfare. Consider these examples, many of which introduced
quickly-copied innovations to the virus writer’s repertoire:
• W32/CIH.Spacefiller destroyed the flash BIOS in workstations it infected,
effectively preventing them from booting. It also overwrote parts of the
infected hard disk with garbage data.
• XM/Compat.A rewrote the data inside Microsoft Excel spreadsheet files. It
used advanced polymorphic concealment techniques, which meant that
with each infection it changed the signature bytes that indicated its
presence and allowed anti-virus scanners to find it.
• W32/Ska, though technically a worm, replaced the infected computer’s
WinSock file so that it could attach itself to outgoing Simple Mail Transfer
Protocol (SMTP) messages and postings to USENET news groups. This
strategy made it commonplace in many areas.
• Remote Explorer stole the security privileges of a Windows NT domain
administrator and used them to install itself as a Windows NT Service. It
also deposited copies of itself in the Windows NT driver directory and
carried with it a supporting Dynamic Link Library (.DLL) file that allowed
it to randomly encrypt data files. Because it appeared almost exclusively at
one corporate site, security experts speculated that it was a deliberate,
targeted attack on the unfortunate company’s network integrity.
• Back Orifice, the product of a group calling itself the Cult of the Dead Cow,
purported to give the owner of the client portion of the Back Orifice
application complete remote access to any Windows 95 or Windows 98
workstation that runs the concealed companion server. That access—from
anywhere on the Internet—allowed the client to capture keystrokes; open,
copy, delete, or run files; transmit screen captures; and restart, crash, or
shut down the infected computer. To add insult to injury, early Back
Orifice releases on CD-ROM carried a W32/CIH.Spacefiller infection.
Throughout much of 1999, virus and worm attacks suddenly stepped up in
intensity and in the public eye. Part of the reason for this, of course, is that
many of the more notorious viruses and worms took full advantage of the
Internet, beginning a long-predicted assault by flooding e-mail transmissions,
websites, newsgroups and other available channels at an almost exponential
rate of growth. They now bullied their way into network environments,
spreading quickly and leaving a costly trail of havoc behind them.
W97M/Melissa, the “Melissa” virus, jolted most corporate information
technology departments out of whatever remaining complacency they had
held onto in the face of the newer virus strains. Melissa brought corporate
e-mail servers down across the United States and elsewhere when it struck in
March 1999. Melissa instructed e-mail client programs to send out infected
e-mail messages to the first 50 entries in each target computer’s address book.
This transformed a simple macro virus infection with no real payload into an
effective denial-of-service attack on mail servers.
Melissa’s other principal innovation was its direct attempt to play on end-user
psychology: it forged an e-mail message from a sender the recipient knew, and
sent it with a subject line that urged that recipient to open both the message
and the attached file. In this way, Melissa almost made the need for viral code
to spread itself obsolete—end users themselves cooperated in its propagation,
and their own computers blindly participated.
A rash of Melissa variants and copycats appeared soon after. Some, such as
W97M/Prilissa, included destructive payloads. Later the same year, a number
of new viruses and worms either demonstrated novel or unexpected ways to
get into networks and compromise information security, or actually
perpetrated attacks. Examples included:
• W32/ExploreZip.worm and its variants, which used some of Melissa’s
techniques to spread, initially through e-mail. After it successfully infected
a host machine, ExploreZip searched for unsecured network shares and
quietly copied itself throughout a network. It carried a destructive payload
that erased various Windows system files and Microsoft Office documents,
replacing them with unrecoverable zero-byte-length files.
• W32/Pretty.worm, which did Melissa one better by sending itself to every
entry in the infected computer’s MAPI address book. It also connected to
an Internet Relay Chat (IRC) server, joined a particular IRC channel, then
opened a path to receive commands via the IRC connection. This
potentially allowed those on the channel to siphon information from the
infected computer, including the computer name and owner’s name, his or
her dial-up networking user name and password, and the path to the
system root directory.
• W32/FunLove.4099, which infected ActiveX .OCX files, among others.
This meant that it could lurk on webpages with ActiveX content, and infect
systems with low or nonexistent browser security settings as they
downloaded pages to their hard disks. If a Windows NT computer user
had logged into a system with administrative rights, the infecting virus
would patch two critical system files that gave all users on the network
—including the virus—administrative rights to all files on the target
computer. It spread further within the network by attaching itself to files
with the extensions .SCR, .OCX, and .EXE.
• VBS/Bubbleboy, a proof-of-concept demonstration that showed that a
virus could infect target computers directly from e-mail messages
themselves, without needing to propagate through message attachments.
It effectively circumvented desktop anti-virus protection altogether, at
least initially. Its combination of HTML and VBScript exploited existing
vulnerabilities in Internet-enabled mail systems; its author played upon the
same end-user psychology that made Melissa successful.
The other remarkable development in the year was the degree to which virus
writers copied, fused, and extended each other’s techniques. This
cross-pollination had always occurred previously, but the speed at which it took
place and the increasing sophistication of the tools and techniques that became
available during this period prepared very fertile ground for a nervously
awaited bumper crop of intricate viruses.
Information security as a business necessity
Coincidentally or not, these darkly inventive new virus attacks and speedy
propagation methods appeared as more businesses made the transition to
Internet-based information systems and electronic commerce operations. The
convenience and efficiency that the Internet brought to business saved money
and increased profits. This probably also made these same businesses
attractive targets for pranksters, the hacker underground, and those intent on
striking at their favored targets.
Previously, the chief costs from a virus attack were the time and money it took
to combat an infection and restore computer systems to working order. To
those costs the new types of virus attacks now added the costs of lost
productivity, network and server downtime, service denials for e-mail and
other critical business tools, exposure—and perhaps widespread distribution
—of confidential information, and other ills.
Ultimately, the qualifying differences between a hacker-directed security
breach in a network and a security breach that results from a virus attack
might become merely ones of intent and method, not results. Already new
attacks have shaken the foundations of Net-enabled businesses, many of
which require 24-hour availability for networks and e-mail, high data
integrity, confidential customer lists, secure credit card data and purchase
verification, reliable communications, and hundreds of other computer-aided
transactional details. The costs from these virus attacks in the digital economy
now cut directly into the bottom line.
Because they do, protecting that bottom line means implementing a total
solution for information and network security—one that includes
comprehensive anti-virus protection. It’s not enough to rely only on
desktop-based anti-virus protection, or on haphazard or ad hoc security
measures. The best defense requires sealing all potential points by which
viruses can enter or attack your network, from the firewall and gateway down
to the individual workstation, and keeping the anti-virus sentries at those
points updated and current.
Part of the solution is deploying the Dr Solomon’s Active Virus Defense*
software suite, which provides a comprehensive, multi-platform series of
defensive perimeters for your network. You can also build on that security
with the Dr Solomon’s Active Security suite, which allows you to monitor
your network against intrusions, watch actual network packet traffic, and
encrypt e-mail and network transmissions. But even with anti-virus and
security software installed, new and previously unidentified viruses will
inevitably find their way into your network. That’s where the other part of the
equation comes in: a thorough, easy-to-follow anti-virus security policy and
set of practices for your enterprise—in the last analysis, only that can help to
stop a virus attack before it becomes a virus epidemic.
Active Virus Defense security perimeters
The Dr Solomon’s Active Virus Defense product suite exists for one simple
reason: there is no such thing as too much anti-virus protection for the
modern, automated enterprise. Although at first glance it might seem
needlessly redundant to protect all of your desktop computers, file and
network servers, gateways, e-mail servers and firewalls, each of these network
nodes serves a different function in your network, and has different duties. An
anti-virus scanner designed to keep a production workstation virus-free, for
example, can’t intercept viruses that flood e-mail servers and effectively deny
their services. Nor would you want to make a file server responsible for
continuously scanning its client workstations—the cost in network bandwidth
would be too high.
More to the point, each node’s specialized functions mean that viruses infect
them in different ways that, in turn, call for optimized anti-virus solutions.
Viruses and other malicious code can enter your network from a variety of
sources—floppy disks and CD-ROMs, e-mail attachments, downloaded files,
and Internet sites, for example. These unpredictable points of entry mean that
infecting agents can slip through the chinks in incomplete anti-virus armor.
Desktop workstations, for example, can spread viruses by any of a variety of
means—via floppy disks, by downloading them from the Internet, by
mapping server shares or other workstations’ hard disks. E-mail servers, by
contrast, rarely use floppy disks and tend not to use mapped drives—the
Melissa virus showed, however, that they are quite vulnerable to e-mail–borne
infections, even if they don’t execute the virus code themselves.
At the desktop: Dr Solomon’s Anti-Virus
The Dr Solomon’s Active Virus Defense product suite matches each point of
vulnerability with a specialized, and optimized, anti-virus application. At the
desktop level, the cornerstone of the suite is the Dr Solomon’s Anti-Virus
anti-virus product. Dr Solomon’s Anti-Virus protects some of your most
vulnerable virus entry points with an interlocking set of scanners, utilities, and
support files that allow it to cover:
• Local hard disks, floppy disks, CD-ROMs, and other removable media. The
WinGuard scanner resides in memory, waiting for local file access of any
sort. As soon as one of your network users opens, runs, copies, saves,
renames, or sets attributes for any file on their system—even from mapped
network drives—the WinGuard scanner examines it for infections.
You can supplement this continuous protection with scan operations you
configure and schedule for your own needs. Comprehensive security
options let you protect individual options with a password, or run the
entire application in secure mode to lock out all unauthorized access.
• System memory, boot sectors, and master boot records. You can configure
regularly scheduled scan operations that examine these favorite virus
hideouts, or set up periodic operations whenever a threat seems likely.
• Microsoft Exchange mailboxes. Dr Solomon’s Anti-Virus includes a
specialized E-Mail Scan extension that assumes your network user’s
Microsoft Exchange or Outlook identity to scan his or her mailbox
directly—before viruses get downloaded to the local workstation. This can
prevent some Melissa-style infections and avoid infections from the next
generation of VBS/Bubbleboy descendants.
• Internet mail and file downloads. The WinGuard scanner includes two
modules that specialize in intercepting SMTP and POP-3 e-mail messages,
and that can examine files your network users download from Internet
sites. The E-Mail Scan and Download Scan modules work together to scan
the stream of file traffic that most workstations generate and receive daily.
• Hostile code. The Olympus scan engine at the heart of Dr Solomon’s
Anti-Virus routinely looks for suspicious script code, macro code, known
Trojan horse programs—even virus jokes or hoaxes. With the help of the
WinGuard Internet Filter module, it also blocks hostile ActiveX and Java
objects, many of which can lurk unnoticed on websites, waiting to deploy
sophisticated virus-like payloads. The Internet Filter module can even
block entire websites, preventing network users from visiting sites that
pose a threat to network integrity.
Dr Solomon’s Anti-Virus ties these powerful scanning capabilities together
with a powerful set of alerting, updating, and management tools. These
include:
• Alert Manager client configuration. Dr Solomon’s Anti-Virus includes a
client configuration utility you can use to have it pass alert messages
directly to Alert Manager servers on your network, to a Centralized
Alerting share, or to a Desktop Management Interface administrative
application. Other alert methods include local custom messages and beeps,
detection alerts and response options, and e-mail alert messages.
• Next-generation AutoUpdate and AutoUpgrade utilities. AutoUpdate v4.5
features complete and transparent support for new incremental .DAT file
updates, which save you time and network bandwidth by adding only
virus definitions you don’t already have installed on your system. The new
AutoUpgrade version includes support for v1.2 of the Dr Solomon’s
SuperDAT utility, which you can use to update the Olympus scan engine
and its support files.
• Integration with Dr Solomon’s ePolicy Orchestrator management software.
Centralized anti-virus management takes a quantum leap forward with
this highly scalable management tool. Dr Solomon’s Anti-Virus ships with
a plug-in library file that works with the ePolicy Orchestrator server to
enforce enterprise-wide network security policies.
You can use ePolicy Orchestrator to configure, update, distribute and
manage Dr Solomon’s Anti-Virus installations at the group, workstation or
user level. Schedule and run scan tasks, change configurations, update
.DAT and engine files—all from a central console.
Taken together, the Active Virus Defense suite forms a tight series of anti-virus
security perimeters around your network that protect you against both
external and internal sources of infection. Those perimeters, correctly
configured and implemented in conjunction with a clear enterprise-wide
anti-virus security policy, do indeed offer useful redundancy, but their chief
benefit lies in their ability to stop viruses as they enter your network, without
your having to await a tardy or accidental discovery. Early detection contains
infections, saves on the costs of virus eradication, and in many cases can
prevent a destructive virus payload from triggering.
Dr Solomon’s anti-virus research
Even the best anti-virus software is only as good as its latest update. Because
as many as 200 to 300 viruses and variants appear each month, the .DAT files
that enable Dr Solomon’s software to detect and remove viruses can get
quickly outdated. If you have not updated the files that originally came with
your software, you could risk infection from newly emerging viruses. Dr
Solomon’s has, however, assembled the world’s largest and most experienced
anti-virus research staff in its Anti-Virus Emergency Response Team
(AVERT)*. This premier anti-virus research organization has a worldwide
reach and a “follow the sun” coverage policy that ensures that you get the files
you need to combat new viruses as soon as—and often before—you need
them. You can take advantage of many of the direct products of this research
by visiting the AVERT research site on the Network Associates website:
http://www.nai.com/asp_set/anti_virus/introduction/default.asp
Contact your Dr Solomon’s representative, or visit the Dr Solomon’s website,
to find out how to enlist the power of the Active Virus Defense security
solution on your side:
http://www.mcafeeb2b.com/
How to contact Network Associates
Customer service
On December 1, 1997, McAfee Associates merged with Network General
Corporation, Pretty Good Privacy, Inc., and Helix Software, Inc. to form
Network Associates, Inc. The combined Company subsequently acquired Dr
Solomon's Software, Trusted Information Systems, Magic Solutions, and
CyberMedia, Inc.
A January 2000 company reorganization formed four independent business
units, each concerned with a particular product line. These are:
• Magic Solutions. This division supplies the Total Service Desk product line
and related products.
• McAfee and Dr Solomon’s Software. These divisions provide the Active
Virus Defense product suite and related anti-virus software solutions to
corporate and retail customers.
• PGP Security. This division provides award-winning encryption and
security solutions, including the PGP data security and encryption product
line, the Gauntlet firewall product line, the WebShield E-ppliance
hardware line, and the CyberCop Scanner and Monitor product series.
• Sniffer Technologies. This division supplies the industry-leading Sniffer
network monitoring, reporting, and analysis utility and related software.
Network Associates continues to market and support the product lines from
each of the new independent business units. You may direct all questions,
comments, or requests concerning the software you purchased, your
registration status, or similar issues to the Network Associates Customer
Service department at the following address:
Network Associates Customer Service
4099 McEwan, Suite 500
Dallas, Texas 75244
U.S.A.
The department's hours of operation are 8:00 a.m. to 8:00 p.m. Central Time,
Monday through Friday.
Other contact information for corporate-licensed customers:
Phone: (972) 308-9960
Fax: (972) 619-7485 (24-hour, Group III fax)
E-Mail: services_corporate_division@nai.com
Web: http://www.nai.com
Other contact information for retail-licensed customers:
Phone: (972) 308-9960
Fax: (972) 619-7485 (24-hour, Group III fax)
E-Mail: cust_care@nai.com
Web: http://www.mcafee.com/
Technical support
Dr Solomon’s and Network Associates are famous for their dedication to
customer satisfaction. The companies have continued this tradition by making
their sites on the World Wide Web valuable resources for answers to technical
support issues. Dr Solomon’s encourages you to make this your first stop for
answers to frequently asked questions, for updates to Dr Solomon’s and
Network Associates software, and for access to news and virus information.
If you do not find what you need or do not have web access, try one of our
automated services:
World Wide Web http://www.nai.com/asp_set/services/technical_support/tech_intro.asp
Internet techsupport@mcafee.com
CompuServe GO NAI
America Online keyword MCAFEE
If the automated services do not have the answers you need, contact Network
Associates at one of the following numbers Monday through Friday between
8:00 A.M. and 8:00 P.M. Central time to find out about Network Associates
technical support plans.
For corporate-licensed customers:
Phone (972) 308-9960
Fax (972) 619-7845
For retail-licensed customers:
Phone (972) 855-7044
Fax (972) 619-7845
This guide includes a summary of the PrimeSupport plans available to Dr
Solomon’s customers. To learn more about plan features and other details, see
Appendix E, “Network Associates Support Services.”
To provide the answers you need quickly and efficiently, the Network
Associates technical support staff needs some information about your
computer and your software. Please include this information in your
correspondence:
• Product name and version number
• Computer brand and model
• Any additional hardware or peripherals connected to your computer
• Operating system type and version numbers
• Network type and version, if applicable
• Contents of your AUTOEXEC.BAT, CONFIG.SYS, and system LOGIN
script
• Specific steps to reproduce the problem
Download support
To get help with navigating or downloading files from the Network Associates
or Dr Solomon’s websites or FTP sites, call:
Corporate customers (801) 492-2650
Retail customers (801) 492-2600
Network Associates training
For information about scheduling on-site training for any Dr Solomon’s or
Network Associates product, call Network Associates Customer Service at:
(972) 308-9960.
Comments and feedback
Dr Solomon’s Software appreciates your comments and reserves the right to
use any information you supply in any way it believes appropriate without
incurring any obligation whatsoever.
Reporting new items for anti-virus data file updates
Dr Solomon’s anti-virus software offers you the best available detection and
removal capabilities, including advanced heuristic scanning that can detect
new and unnamed viruses as they emerge. Occasionally, however, an entirely
new type of virus that is not a variation on an older type can appear on your
system and escape detection.