McAfee Dr Solomon’s Anti-Virus Administrator's Manual

Brand: McAfee

Model: Dr Solomon’s Anti-Virus

Category: Antivirus security software

Type: Administrator's Manual

This manual is also suitable for

DR SOLOMON S ANTI-VIRUS 8.5

Dr Solomon’s Anti-Virus

Administrator’s

Guide

Version 8.5

of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated

into any language in any form or by any means without the written permission of Network Associates,

Inc.

TRADEMARK ATTRIBUTIONS

* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, CNX,

Compass 7, CyberCop, CyberMedia, Data Security Letter, Discover, Distributed Sniffer System, Dr

Solomon’s, Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT, GroupShield, HelpDesk,

Hunter, ISDN Tel/Scope, LM 1, LANGuru, Leading Help Desk Technology, Magic Solutions, MagicSpy,

MagicTree, Magic University, MagicWin, MagicWord, McAfee, McAfee Associates, MoneyMagic, More

Power To You, Multimedia Cloaking, NetCrypto, NetOctopus, NetRoom, NetScan, Net Shield, NetShield,

NetStalker, Net Tools, Network Associates, Network General, Network Uptime!, NetXRay, Nuts & Bolts,

PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty

Good Privacy, PrimeSupport, RecoverKey, RecoverKey-International, ReportMagic, RingFence, Router

PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, Site Meter, Sniffer,

SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR), SupportMagic, Switch PM,

TeleSniffer, TIS, TMach, TMeg, Total Network Security, Total Network Visibility, Total Service Desk,

Total Virus Defense, T-POD, Trusted Mach, Trusted Mail, Uninstaller, Virex, Virex-PC, Virus Forum,

ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker WebWall, and ZAC 2000

are registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All

other registered and unregistered trademarks in this document are the sole property of their respective

owners.

LICENSE AGREEMENT

NOTICE TO ALL USERS: CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT

("AGREEMENT"), FOR THE LICENSE OF SPECIFIED SOFTWARE ("SOFTWARE") BY

NETWORK ASSOCIATES, INC. ("McAfee"). BY CLICKING THE ACCEPT BUTTON OR

INSTALLING THE SOFTWARE, YOU (EITHER AN INDIVIDUAL OR A SINGLE ENTITY)

CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT. IF YOU DO

NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE BUTTON THAT

INDICATES THAT YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT AND DO NOT

INSTALL THE SOFTWARE. (IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE

PLACE OF PURCHASE FOR A FULL REFUND.)

1. License Grant. Subject to the payment of the applicable license fees, and subject to the terms and

conditions of this Agreement, McAfee hereby grants to you a non-exclusive, non-transferable right

to use one copy of the specified version of the Software and the accompanying documentation (the

"Documentation"). You may install one copy of the Software on one computer, workstation,

personal digital assistant, pager, "smart phone" or other electronic device for which the Software

was designed (each, a "Client Device"). If the Software is licensed as a suite or bundle with more

than one specified Software product, this license applies to all such specified Software products,

subject to any restrictions or usage terms specified on the applicable price list or product packaging

that apply to any of such Software products individually.

Issued May 2000/ Dr Solomon’s Anti-Virus v8.5

(i.e., the required number of licenses would equal the number of distinct inputs to the

multiplexing or pooling software or hardware "front end"). If the number of Client Devices or

seats that can connect to the Software can exceed the number of licenses you have obtained, then

you must have a reasonable mechanism in place to ensure that your use of the Software does not

exceed the use limits specified for the licenses you have obtained. This license authorizes you to

make or download one copy of the Documentation for each Client Device or seat that is licensed,

provided that each such copy contains all of the Documentation's proprietary notices.

c. Volume Licenses. If the Software is licensed with volume license terms specified in the

applicable price list or product packaging for the Software, you may make, use and install as

many additional copies of the Software on the number of Client Devices as the volume license

authorizes. You must have a reasonable mechanism in place to ensure that the number of Client

Devices on which the Software has been installed does not exceed the number of licenses you

have obtained. This license authorizes you to make or download one copy of the Documentation

for each additional copy authorized by the volume license, provided that each such copy contains

all of the Documentation's proprietary notices.

2. Term. This Agreement is effective for an unlimited duration unless and until earlier terminated as

set forth herein. This Agreement will terminate automatically if you fail to comply with any of the

limitations or other requirements described herein. Upon any termination or expiration of this

Agreement, you must destroy all copies of the Software and the Documentation. You may

terminate this Agreement at any point by destroying all copies of the Software and the

Documentation.

3. Updates. For the time period specified in the applicable price list or product packaging for the

Software you are entitled to download revisions or updates to the Software when and as McAfee

publishes them via its electronic bulletin board system, website or through other online services.

For a period of ninety (90) days from the date of the original purchase of the Software, you are

entitled to download one (1) revision or upgrade to the Software when and as McAfee publishes it

via its electronic bulletin board system, website or through other online services. After the

specified time period, you have no further rights to receive any revisions or upgrades without

purchase of a new license or annual upgrade plan to the Software.

4. Ownership Rights. The Software is protected by United States copyright laws and international

treaty provisions. McAfee and its suppliers own and retain all right, title and interest in and to the

Software, including all copyrights, patents, trade secret rights, trademarks and other intellectual

property rights therein. Your possession, installation, or use of the Software does not transfer to

you any title to the intellectual property in the Software, and you will not acquire any rights to the

Software except as expressly set forth in this Agreement. All copies of the Software and

Documentation made hereunder must contain the same proprietary notices that appear on and in the

Software and Documentation.

Administrator’s Guide iii

5. Restrictions. You may not rent, lease, loan or resell the Software. You may not permit third parties

to benefit from the use or functionality of the Software via a timesharing, service bureau or other

arrangement, except to the extent such use is specified in the applicable list price or product

packaging for the Software. You may not transfer any of the rights granted to you under this

Agreement. You may not reverse engineer, decompile, or disassemble the Software, except to the

extent the foregoing restriction is expressly prohibited by applicable law. You may not modify, or

create derivative works based upon, the Software in whole or in part. You may not copy the

Software or Documentation except as expressly permitted in Section 1 above. You may not remove

any proprietary notices or labels on the Software. All rights not expressly set forth hereunder are

reserved by McAfee. McAfee reserves the right to periodically conduct audits upon advance

written notice to verify compliance with the terms of this Agreement.

6. Warranty and Disclaimer

a. Limited Warranty. McAfee warrants that for sixty (60) days from the date of original purchase

the media (e.g., diskettes) on which the Software is contained will be free from defects in

materials and workmanship.

b. Customer Remedies. McAfee's and its suppliers' entire liability and your exclusive remedy for

any breach of the foregoing warranty shall be, at McAfee's option, either (i) return of the

purchase price paid for the license, if any, or (ii) replacement of the defective media in which the

Software is contained. You must return the defective media to McAfee at your expense with a

copy of your receipt. This limited warranty is void if the defect has resulted from accident,

abuse, or misapplication. Any replacement media will be warranted for the remainder of the

original warranty period. Outside the United States, this remedy is not available to the extent

McAfee is subject to restrictions under United States export control laws and regulations.

c. Warranty Disclaimer. Except for the limited warranty set forth herein, THE SOFTWARE IS

PROVIDED "AS IS." TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE

LAW, MCAFEE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,

INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND

NONINFRINGEMENT WITH RESPECT TO THE SOFTWARE AND THE

ACCOMPANYING DOCUMENTATION. YOU ASSUME RESPONSIBILITY FOR

SELECTING THE SOFTWARE TO ACHIEVE YOUR INTENDED RESULTS, AND FOR

THE INSTALLATION OF, USE OF, AND RESULTS OBTAINED FROM THE SOFTWARE.

WITHOUT LIMITING THE FOREGOING PROVISIONS, MCAFEE MAKES NO

WARRANTY THAT THE SOFTWARE WILL BE ERROR-FREE OR FREE FROM

INTERRUPTIONS OR OTHER FAILURES OR THAT THE SOFTWARE WILL MEET

YOUR REQUIREMENTS. SOME STATES AND JURISDICTIONS DO NOT ALLOW

LIMITATIONS ON IMPLIED WARRANTIES, SO THE ABOVE LIMITATION MAY NOT

APPLY TO YOU. The foregoing provisions shall be enforceable to the maximum extent

permitted by applicable law.

iv Dr Solomon’s Anti-Virus

7. Limitation of Liability. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY,

WHETHER IN TORT, CONTRACT, OR OTHERWISE, SHALL MCAFEE OR ITS SUPPLIERS

BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL,

INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING,

WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE,

COMPUTER FAILURE OR MALFUNCTION, OR FOR ANY AND ALL OTHER DAMAGES

OR LOSSES. IN NO EVENT WILL MCAFEE BE LIABLE FOR ANY DAMAGES IN EXCESS

OF THE LIST PRICE MCAFEE CHARGES FOR A LICENSE TO THE SOFTWARE, EVEN IF

MCAFEE SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR

PERSONAL INJURY TO THE EXTENT THAT APPLICABLE LAW PROHIBITS SUCH

LIMITATION. FURTHERMORE, SOME STATES AND JURISDICTIONS DO NOT ALLOW

THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES,

SO THIS LIMITATION AND EXCLUSION MAY NOT APPLY TO YOU. The foregoing

provisions shall be enforceable to the maximum extent permitted by applicable law.

8. United States Government. The Software and accompanying Documentation are deemed to be

"commercial computer software" and "commercial computer software documentation,"

respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any

use, modification, reproduction, release, performance, display or disclosure of the Software and

accompanying Documentation by the United States Government shall be governed solely by the

terms of this Agreement and shall be prohibited except to the extent expressly permitted by the

terms of this Agreement.

9. Export Controls. Neither the Software nor the Documentation and underlying information or

technology may be downloaded or otherwise exported or re-exported (i) into (or to a national or

resident of ) Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria or any other country to which the

United States has embargoed goods; or (ii) to anyone on the United States Treasury Department's

list of Specially Designated Nations or the United States Commerce Department's Table of Denial

Orders. By downloading or using the Software you are agreeing to the foregoing and you are

certifying that you are not located in, under the control of, or a national or resident of any such

country or on any such list.

IN ADDITION, YOU SHOULD BE AWARE OF THE FOLLOWING: EXPORT OF THE

SOFTWARE MAY BE SUBJECT TO COMPLIANCE WITH THE RULES AND

REGULATIONS PROMULGATED FROM TIME TO TIME BY THE BUREAU OF EXPORT

ADMINISTRATION, UNITED STATES DEPARTMENT OF COMMERCE, WHICH

RESTRICT THE EXPORT AND RE-EXPORT OF CERTAIN PRODUCTS AND TECHNICAL

DATA. IF THE EXPORT OF THE SOFTWARE IS CONTROLLED UNDER SUCH RULES

AND REGULATIONS, THEN THE SOFTWARE SHALL NOT BE EXPORTED OR

RE-EXPORTED, DIRECTLY OR INDIRECTLY, (A) WITHOUT ALL EXPORT OR

RE-EXPORT LICENSES AND UNITED STATES OR OTHER GOVERNMENTAL

APPROVALS REQUIRED BY ANY APPLICABLE LAWS, OR (B) IN VIOLATION OF ANY

APPLICABLE PROHIBITION AGAINST THE EXPORT OR RE-EXPORT OF ANY PART OF

THE SOFTWARE.

Administrator’s Guide v

SOME COUNTRIES HAVE RESTRICTIONS ON THE USE OF ENCRYPTION WITHIN

THEIR BORDERS, OR THE IMPORT OR EXPORT OF ENCRYPTION EVEN IF FOR ONLY

TEMPORARY PERSONAL OR BUSINESS USE. YOU ACKNOWLEDGE THAT THE

IMPLEMENTATION AND ENFORCEMENT OF THESE LAWS IS NOT ALWAYS

CONSISTENT AS TO SPECIFIC COUNTRIES. ALTHOUGH THE FOLLOWING

COUNTRIES ARE NOT AN EXHAUSTIVE LIST THERE MAY EXIST RESTRICTIONS ON

THE EXPORTATION TO, OR IMPORTATION OF, ENCRYPTION BY: BELGIUM, CHINA

(INCLUDING HONG KONG), FRANCE, INDIA, INDONESIA, ISRAEL, RUSSIA, SAUDI

ARABIA, SINGAPORE, AND SOUTH KOREA. YOU ACKNOWLEDGE IT IS YOUR

ULTIMATE RESPONSIBILITY TO COMPLY WITH ANY AND ALL GOVERNMENT

EXPORT AND OTHER APPLICABLE LAWS AND THAT MCAFEE HAS NO FURTHER

RESPONSIBILITY AFTER THE INITIAL SALE TO YOU WITHIN THE ORIGINAL

COUNTRY OF SALE.

10.High Risk Activities. The Software is not fault-tolerant and is not designed or intended for use in

hazardous environments requiring fail-safe performance, including without limitation, in the

operation of nuclear facilities, aircraft navigation or communication systems, air traffic control,

weapons systems, direct life-support machines, or any other application in which the failure of the

Software could lead directly to death, personal injury, or severe physical or property damage

(collectively, "High Risk Activities"). McAfee expressly disclaims any express or implied

warranty of fitness for High Risk Activities.

11.Miscellaneous. This Agreement is governed by the laws of the United States and the State of

California, without reference to conflict of laws principles. The application of the United Nations

Convention of Contracts for the International Sale of Goods is expressly excluded. This Agreement

sets forth all rights for the user of the Software and is the entire agreement between the parties. This

Agreement supersedes any other communications with respect to the Software and Documentation.

This Agreement may not be modified except by a written addendum issued by a duly authorized

representative of McAfee. No provision hereof shall be deemed waived unless such waiver shall

be in writing and signed by McAfee or a duly authorized representative of McAfee. If any

provision of this Agreement is held invalid, the remainder of this Agreement shall continue in full

force and effect. The parties confirm that it is their wish that this Agreement has been written in

the English language only.

12.McAfee Customer Contact. If you have any questions concerning these terms and conditions, or

if you would like to contact McAfee for any other reason, please call (408) 988-3832, fax (408)

970-9727, or write: McAfee Software, 3965 Freedom Circle, Santa Clara, California 95054.

http://www.mcafee.com.

Statements made to you in the course of this sale are subject to the Year 2000 Information and

Readiness Disclosure Act (Public Law 105-271). In the case of a dispute, this Act may reduce your

legal rights regarding the use of any statements regarding Year 2000 readiness, unless otherwise

specified in your contract or tariff.

vi Dr Solomon’s Anti-Virus

Administrator’s Guide vii

Table of Contents

Preface.....................................................xi

Anti-virusprotectionasinformationsecurity .........................xi

Informationsecurityasabusinessnecessity ........................xiv

ActiveVirusDefensesecurityperimeters ............................xv

Dr Solomon’s anti-virus research . . . . . .............................xvii

HowtocontactNetworkAssociates...............................xviii

Customerservice..........................................xviii

Technical support ..........................................xix

Downloadsupport ...........................................xx

NetworkAssociatestraining...................................xx

Commentsandfeedback......................................xx

Reportingnewitemsforanti-virusdatafileupdates ...............xx

Internationalcontactinformation..............................xxii

Chapter 1. About Dr Solomon’sAnti-Virus .......................25

Introducing Dr Solomon’sAnti-Virus ................................25

How does Dr Solomon’sAnti-Viruswork?............................27

What comes with Dr Solomon’sAnti-Virus? ..........................29

What’snewinthisrelease?........................................33

Chapter 2. Installing Dr Solomon’sAnti-Virus ....................37

Beforeyoubegin.................................................37

Systemrequirements.........................................37

Installing Dr Solomon’sAnti-Virussoftwareonalocalcomputer.........38

Installationsteps ............................................38

Using the Emergency Disk Creation utility . . . . . . . . . ..............53

Determiningwhenyoumustrestartyourcomputer................58

Testingyourinstallation ..........................................59

Modifying or removing your local Dr Solomon’s Anti-Virus installation .

Installing Dr Solomon’s Anti-Virus software on other computers . . . . . . . . .63

UsingActiveDirectoryandGroupPolicies.......................63

Table of Contents

viii Dr Solomon’sAnti-Virus

Installing Dr Solomon’s Anti-Virussoftwareusing command-line options

UsingManagementEditionsoftware ............................72

Using ePolicy Orchestrator to deploy Dr Solomon’sAnti-Virussoftware

Installing via System Management Server . . . . . . . . . . ..............74

Installing via Tivoli IT Director . . . ..............................74

Installing via ZENworks . . . . . . . . . ..............................75

Exporting Dr Solomon’sAnti-Viruscustomsettings ...............75

Chapter 3. Removing Infections

FromYourSystem ....................................79

Ifyoususpectyouhaveavirus... ...................................79

Decidingwhentoscanforviruses ..................................82

Recognizing when you don’thaveavirus ............................83

Understandingfalsedetections ................................84

Responding to viruses or malicious software . . . . . . . . . . . ..............85

Submittingavirussample.........................................97

Using the SendVirus utility to submit a file sample . . ..............97

Capturing boot sector, file-infecting, and macro viruses . . . . . . . . . . .100

Chapter 4. Using Dr Solomon’sAnti-Virus ......................105

UsingtheWinGuardscanner......................................105

Using the Dr Solomon’sAnti-Virusapplication.......................105

Schedulingscantasks...........................................106

Usingspecializedscanningtools ..................................106

Chapter5. SendingAlertMessages............................107

Using the Alert Manager Client Configuration utility . . . . . .............107

Dr Solomon’sAnti-VirusasanAlertManagerClient ..................108

ConfiguringtheAlertManagerClientutility..........................108

Chapter 6. Updating and Upgrading Dr Solomon’sAnti-Virus ......113

Developinganupdatingstrategy ..................................113

Update and upgrade methods . . . . . . . . .............................114

Understanding the AutoUpdate utility . .............................116

Administrator’s Guide ix

Table of Contents

ConfiguringtheAutoUpdateUtility.................................118

UnderstandingtheAutoUpgradeutility .............................127

Configuring the AutoUpgrade utility . . . .............................128

Using the AutoUpgrade and SuperDAT utilities together . . . . . . . . . .137

DeployinganEXTRA.DATfile.................................139

Appendix A. Using Dr Solomon’s Anti-Virus Administrative Utilities 141

Understanding the Dr Solomon’sAnti-Viruscontrolpanel .............141

Opening the Dr Solomon’sAnti-Viruscontrolpanel...................141

Choosing Dr Solomon’sAnti-Viruscontrolpaneloptions ..............142

AppendixB. InstalledFiles...................................147

What’sinthisappendix? .........................................147

WinGuardscanner ..........................................147

Dependent and related files for the Dr Solomon’s Anti-Virus application

153

AlertManager ..............................................156

Dr Solomon’sAnti-Viruscontrolpanelfiles .....................157

ScreenScan................................................158

Dr Solomon’sAnti-VirusEmergencyDiskfiles...................160

Dependent and related files for the E-Mail Scan extension . . . . . . . . .162

Appendix C. Using Dr Solomon’s Anti-Virus Command-line Options 167

Adding advanced Dr Solomon’sAnti-Virusengineoptions.............167

Running the Dr Solomon’s Anti-Virus Command Line program . . . . . . . . .167

Running the on-demand scanner with command-line arguments . . . . . . . .177

Appendix D. Using the SecureCast Service to Get New Data Files . .185

Introducing the SecureCast service . . . .............................185

Why should I update my data files? . . . .............................186

WhichdatafilesdoestheSecureCastservicedeliver? ............186

Installing the BackWeb client and SecureCast service . . . . .............187

Systemrequirements........................................187

Troubleshooting the Enterprise SecureCast service . .............197

UnsubscribingfromtheSecureCastservice.....................197

Supportresources ..............................................197

Table of Contents

x Dr Solomon’sAnti-Virus

SecureCastservice .........................................197

BackWebclient.............................................198

Appendix E. Network Associates

Support Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199

Adding value to your Dr Solomon’sproduct .........................199

PrimeSupport options for corporate customers . . . . . .............199

Ordering a corporate PrimeSupport plan . . . . . . . . . . .............202

PrimeSupport options for home users . .............................204

How to reach international home user support . . . . . . .............206

Ordering a PrimeSupport plan for home users . . . . . . .............206

NetworkAssociatesconsultingandtraining.........................207

ProfessionalServices .......................................207

TotalEducationServices.....................................208

Appendix F. Understanding iDAT Technology . . . . . . . . . . . . . . . . . . .209

Understandingincremental.DATfiles ..............................209

How does iDAT updating work? . . . . . . .............................210

What does Dr Solomon’sposteachweek?......................211

Bestpractices ..................................................212

Frequentlyaskedquestions ......................................213

Index......................................................217

Administrator’s Guide xi

Preface

Anti-virus protection as information security

“Theworld changed [onMarch26,1999]—does anyonedoubtthat?The world

is different. Melissa proved that ... and we are very fortunate ... the world

could have gone very close to meltdown.”

—Padgett Peterson, Chief Info Security Architect, Lockheed Martin Corporation,

on the 1999 “Melissa” virus epidemic

Bytheendofthe1990s,manyinformationtechnologyprofessionalshad

begun to recognize that they could not easily separate how they needed to

respond to new virus threats from how they already dealt with deliberate

network security breaches. Dorothy Denning, co-editor of the 1998 computer

security handbook Internet Besieged: Countering Cyberspace Scofflaws, explicitly

grouped anti-virus security measures in with other network security

measures, classifying them as a defense against malicious “injected code.”

Denning justified her inclusive grouping on based on her definition of

information security as “the effective use of safeguards to protect the

confidentiality, integrity, authenticity, availability, and non-repudiation of

information and information processing systems.” Virus payloads had always

threatened or damaged data integrity, but by the time she wrote her survey

article, newer viruses had already begun to mount sophisticated attacks that

struck at the remaining underpinnings of information security. Denning’s

classification recognized that newer viruses no longer merely annoyed system

administrators or posed a relatively low-grade threat; they had in fact

graduated to become a serious hazard.

Though not targeted with as much precision as an unauthorized network

intrusion, virus attacks had begun to take on the color of deliberate

information warfare. Consider these examples, many of which introduced

quickly-copied innovations to the virus writer’s repertoire:

• W32/CIH.Spacefiller destroyed the flash BIOS in workstations it infected,

effectively preventing them from booting. It also overwrote parts of the

infected hard disk with garbage data.

• XM/Compat.Arewrotethe datainsideMicrosoftExcelspreadsheetfiles.It

used advanced polymorphic concealment techniques, which meant that

with each infection it changed the signature bytes that indicated its

presence and allowed anti-virus scanners to find it.

Preface

xii Dr Solomon’sAnti-Virus

• W32/Ska, though technically a worm, replaced the infected computer’s

WinSock file so that it could attach itself to outgoing Simple Mail Transfer

Protocol (SMTP) messages and postings to USENET news groups. This

strategy made it commonplace in many areas.

• Remote Explorer stole the security privileges of a Windows NT domain

administrator and used them to install itself as a Windows NT Service. It

also deposited copies of itself in the Windows NT driver directory and

carried with it a supporting Dynamic Link Library (.DLL) file that allowed

it to randomly encrypt data files. Because it appeared almost exclusively at

one corporate site, security experts speculated that it was a deliberate,

targeted attack on the unfortunate company’s network integrity.

• Back Orifice, the product of a group calling itself the Cult of the Dead Cow,

purported to give the owner of the client portion of the Back Orifice

application complete remote access to any Windows 95 or Windows 98

workstation that runs the concealed companion server. That access—from

anywhere on the Internet—allowed the client to capture keystrokes; open,

copy, delete, or run files; transmit screen captures; and restart, crash, or

shut down the infected computer. To add insult to injury, early Back

Orifice releases on CD-ROM carried a W32/CIH.Spacefiller infection.

Throughout much of 1999, virus and worm attacks suddenly stepped up in

intensity and in the public eye. Part of the reason for this, of course, is that

many of the more notorious viruses and worms took full advantage of the

Internet, beginning a long-predicted assault by flooding e-mail transmissions,

websites, newsgroups and other available channels at an almost exponential

rate of growth. They now bullied their way into network environments,

spreading quickly and leaving a costly trail of havoc behind them.

W97M/Melissa, the “Melissa” virus, jolted most corporate information

technology departments out of whatever remaining complacency they had

held onto in the face of the newer virus strains. Melissa brought corporate

e-mail servers down across the United States and elsewhere when it struck in

March 1999. Melissa instructed e-mail client programs to send out infected

e-mail messages to the first 50 entries in each target computer’s address book.

This transformed a simple macro virus infection with no real payload into an

effective denial-of-service attack on mail servers.

Melissa’s other principle innovation was its direct attempt to play on end-user

psychology: it forged an e-mail message from a sender the recipient knew, and

sent it with a subject line that urged that recipient to open both the message

and the attached file. In this way, Melissa almost made the need for viral code

to spread itself obsolete—end users themselves cooperated in its propagation,

and their own computers blindly participated.

Administrator’s Guide xiii

Preface

A rash of Melissa variants and copycats appeared soon after. Some, such as

W97M/Prilissa, included destructive payloads. Later the same year, a number

of new viruses and worms either demonstrated novel or unexpected ways to

get into networks and compromise information security, or actually

perpetuated attacks. Examples included:

• W32/ExploreZip.worm and its variants, which used some of Melissa’s

techniques to spread, initially through e-mail. After it successfully infected

a host machine, ExploreZip searched for unsecured network shares and

quietly copied itself throughout a network. It carried a destructive payload

that erased various Windows system filesand Microsoft Office documents,

replacing them with an unrecoverable zero-byte-length files.

• W32/Pretty.worm, which did Melissa one better by sending itself to every

entry in the infected computer’s MAPI address book. It also connected to

an Internet Relay Chat (IRC) server, joined a particular IRC channel, then

opened a path to receive commands via the IRC connection. This

potentially allowed those on the channel to siphon information from the

infectedcomputer, includingthe computername and owner’s name,hisor

her dial-up networking user name and password, and the path to the

system root directory.

• W32/FunLove.4099, which infected ActiveX .OCX files, among others.

This meant that it could lurk on webpages with ActiveX content, and infect

systems with low or nonexistent browser security settings as they

downloaded pages to their hard disks. If a Windows NT computer user

had logged into a system with administrative rights, the infecting virus

would patch two critical system files that gave all users on the network

—including the virus—administrative rights to all files on the target

computer. It spread further within the network by attaching itself to files

with the extensions .SCR, .OCX, and .EXE.

• VBS/Bubbleboy, a proof-of-concept demonstration that showed that a

virus could infect target computers directly from e-mail messages

themselves, without needing to propagate through message attachments.

It effectively circumvented desktop anti-virus protection altogether, at

least initially. Its combination of HTML and VBScript exploited existing

vulnerabilitiesinInternet-enabledmail systems;itsauthorplayedupon the

same end-user psychology that made Melissa successful.

The other remarkable development in the year was the degree to which virus

writers copied, fused, and extended each others’ techniques. This cross-

pollination had always occurred previously, but the speed at which it took

placeandtheincreasingsophisticationof thetoolsandtechniquesthatbecame

available during this period prepared very fertile ground for a nervously

awaited bumper crop of intricate viruses.

Preface

xiv Dr Solomon’sAnti-Virus

Information security as a business necessity

Coincidentally or not, these darkly inventive new virus attacks and speedy

propagation methods appeared as more businesses made the transition to

Internet-based information systems and electronic commerce operations. The

convenience and efficiency that the Internet brought to business saved money

and increased profits. This probably also made these same businesses

attractive targets for pranksters, the hacker underground, and those intent on

striking at their favored targets.

Previously, the chief costs from a virus attack were the time and money it took

to combat an infection and restore computer systems to working order. To

those costs the new types of virus attacks now added the costs of lost

productivity, network and server downtime, service denials for e-mail and

other critical business tools, exposure—and perhaps widespread distribution

—of confidential information, and other ills.

Ultimately, the qualifying differences between a hacker-directed security

breach in a network and a security breach that results from a virus attack

might become merely ones of intent and method, not results. Already new

attacks have shaken the foundations of Net-enabled businesses, many of

which require 24-hour availability for networks and e-mail, high data

integrity, confidential customer lists, secure credit card data and purchase

verification, reliable communications, and hundreds of other computer-aided

transactional details. The costs from these virus attacks in the digital economy

now cut directly into the bottom line.

Because they do, protecting that bottom line means implementing a total

solution for information and network security—one that includes

comprehensive anti-virus protection. It’s not enough to rely only on

desktop-basedanti-virusprotection,oronhaphazardoradhocsecurity

measures. The best defense requires sealing all potential points by which

viruses can enter or attack your network, from the firewall and gateway down

to the individual workstation, and keeping the anti-virus sentries at those

points updated and current.

Part of the solution is deploying the Dr Solomon’s Active Virus Defense*

software suite, which provides a comprehensive, multi-platform series of

defensive perimeters for your network. You can also build on that security

with the Dr Solomon’s Active Security suite, which allows you to monitor

your network against intrusions, watch actual network packet traffic, and

encrypt e-mail and network transmissions. But even with anti-virus and

security software installed, new and previously unidentified viruses will

inevitably find their way into your network. That’s where the other part of the

equation comes in: a thorough, easy-to-follow anti-virus security policy and

set of practices for your enterprise—in the last analysis, only that can help to

stop a virus attack before it becomes a virus epidemic.

Administrator’s Guide xv

Preface

Active Virus Defense security perimeters

The Dr Solomon’s Active Virus Defense product suite exists for one simple

reason: there is no such thing as too much anti-virus protection for the

modern, automated enterprise. Although at first glance it might seem

needlessly redundant to protect all of your desktop computers, file and

network servers, gateways,e-mail servers and firewalls, each of these network

nodesservesadifferentfunctionin yournetwork,andhas different duties.An

anti-virus scanner designed to keep a production workstation virus-free, for

example, can’t intercept viruses that flood e-mail servers and effectively deny

their services. Nor would you want to make a file server responsible for

continuously scanning itsclient workstations—the cost in network bandwidth

would be too high.

More to the point, each node’s specialized functions mean that viruses infect

them in different ways that, in turn, call for optimized anti-virus solutions.

Viruses and other malicious code can enter your network from a variety of

sources—floppy disks and CD-ROMs, e-mail attachments, downloaded files,

and Internet sites, for example. These unpredictable points of entry mean that

infecting agents can slip through the chinks in incomplete anti-virus armor.

Desktop workstations, for example, can spread viruses by any of a variety of

means—via floppy disks, by downloading them from the Internet, by

mapping server shares or other workstations’ hard disks. E-mail servers, by

contrast, rarely use floppy disks and tend not to use mapped drives—the

Melissa virus showed, however, that they arequite vulnerable to e-mail–borne

infections, even if they don’t execute the virus code themselves.

At the desktop: Dr Solomon’sAnti-Virus

The Dr Solomon’s Active Virus Defense product suite matches each point of

vulnerability with a specialized, and optimized, anti-virus application. At the

desktop level, the cornerstone of the suite is the Dr Solomon’s Anti-Virus

anti-virus product. Dr Solomon’s Anti-Virus protects some of your most

vulnerable virusentry points withan interlocking set ofscanners, utilities, and

support files that allow it to cover:

• Localharddisks,floppydisks,CD-ROMs,andotherremovablemedia.The

WinGuard scanner resides in memory, waiting for local file access of any

sort. As soon as one of your network users opens, runs, copies, saves,

renames, or sets attributes for any file on their system—even from mapped

network drives—the WinGuard scanner examines it for infections.

You can supplement this continuous protection with scan operations you

configure and schedule for your own needs. Comprehensive security

options let you protect individual options with a password, or run the

entire application in secure mode to lock out all unauthorized access.

Preface

xvi Dr Solomon’sAnti-Virus

• System memory, boot sectors, and master boot records. You can configure

regularly scheduled scan operations that examine these favorite virus

hideouts, or set up periodic operations whenever a threat seems likely.

• Microsoft Exchange mailboxes. Dr Solomon’s Anti-Virus includes a

specialized E-Mail Scan extension that assumes your network user’s

Microsoft Exchange or Outlook identity to scan his or her mailbox

directly—before viruses get downloaded to the local workstation. This can

prevent some Melissa-style infections and avoid infections from the next

generation of VBS/Bubbleboy descendants.

• Internet mail and file downloads. The WinGuard scanner includes two

modules that specialize in intercepting SMTP and POP-3 e-mail messages,

and that can examine files your network users download from Internet

sites. The E-Mail Scan and Download Scan modules work together to scan

the stream of file traffic that most workstations generate and receive daily.

• Hostile code. The Olympus scan engine at the heart of Dr Solomon’s

Anti-Virus routinely looks for suspicious script code, macro code, known

Trojan horse programs—even virus jokes or hoaxes. With the help of the

WinGuard Internet Filter module, it also blocks hostile ActiveX and Java

objects, many of which can lurk unnoticed on websites, waiting to deploy

sophisticated virus-like payloads. The Internet Filter module can even

block entire websites, preventing network users from visiting sites that

pose a threat to network integrity.

Dr Solomon’s Anti-Virus ties these powerful scanning capabilities together

with a powerful set of alerting, updating, and management tools. These

include:

• Alert Manager client configuration. Dr Solomon’s Anti-Virus includes a

client configuration utility you can use to have it pass alert messages

directly to Alert Manager servers on your network, to a Centralized

Alerting share, or to a Desktop Management Interface administrative

application. Other alert methods include local custom messages and beeps,

detection alerts and response options, and e-mail alert messages.

• Next-generation AutoUpdateandAutoUpgradeutilities.AutoUpdate v4.5

features complete and transparent support for new incremental .DAT file

updates, which save you time and network bandwidth by adding only

virus definitions you don’t already have installed on your system. The new

AutoUpgrade version includes support for v1.2 of the Dr Solomon’s

SuperDAT utility, which you can use to update the Olympus scan engine

and its support files.

Administrator’s Guide xvii

Preface

• Integration with DrSolomon’sePolicy Orchestrator management software.

Centralized anti-virus management takes a quantum leap forward with

this highly scalable management tool. Dr Solomon’s Anti-Virus ships with

a plug-in library file that works with the ePolicy Orchestrator server to

enforce enterprise-wide network security policies.

You can use ePolicy Orchestrator to configure, update, distribute and

manage Dr Solomon’s Anti-Virus installations at the group, workstation or

user level. Schedule and run scan tasks, change configurations, update

.DAT and engine files—all from a central console.

Taken together, the ActiveVirus Defense suite forms a tightseriesofanti-virus

security perimeters around your network that protect you against both

external and internal sources of infection. Those perimeters, correctly

configured and implemented in conjunction with a clear enterprise-wide

anti-virus security policy, do indeed offer useful redundancy, but their chief

benefit lies in their ability to stop viruses as they enter your network, without

your having to await a tardy or accidental discovery. Early detection contains

infections, saves on the costs of virus eradication, and in many cases can

prevent a destructive virus payload from triggering.

Dr Solomon’s anti-virus research

Even the best anti-virus software is only as good as its latest update. Because

as many as 200 to 300 viruses and variants appear each month, the .DAT files

that enable Dr Solomon’s software to detect and remove viruses can get

quickly outdated. If you have not updated the files that originally came with

your software, you could risk infection from newly emerging viruses. Dr

Solomon’s has, however, assembled the world’s largest and most experienced

anti-virus research staff in its Anti-Virus Emergency Response Team

(AVERT)*. This premier anti-virus research organization has a worldwide

reach and a “follow the sun” coverage policy, that ensures that you get the files

you need to combat new viruses as soon as—and often before—you need

them. You can take advantage of many of the direct products of this research

by visiting the AVERT research site on the Network Associates website:

http://www.nai.com/asp_set/anti_virus/introduction/default.asp

ContactyourDrSolomon’srepresentative,orvisittheDrSolomon’swebsite,

to find out how to enlist the power of the Active Virus Defense security

solution on your side:

http://www.mcafeeb2b.com/

Preface

xviii Dr Solomon’sAnti-Virus

How to contact Network Associates

Customer service

On December 1, 1997, McAfee Associates merged with Network General

Corporation, Pretty Good Privacy, Inc., and Helix Software, Inc. to form

Network Associates, Inc. The combined Company subsequently acquired Dr

Solomon's Software, Trusted Information Systems, Magic Solutions, and

CyberMedia, Inc.

A January 2000 company reorganization formed four independent business

units, each concerned with a particular product line. These are:

• Magic Solutions.This divisionsupplies the TotalService desk product line

and related products

• McAfee and Dr Solomon’s Software. These divisions provide the Active

Virus Defense product suite and related anti-virus software solutions to

corporate and retail customers.

• PGP Security. This division provides award-winning encryption and

security solutions, including the PGP data security and encryption product

line, the Gauntlet firewall product line, the WebShield E-ppliance

hardware line, and the CyberCop Scanner and Monitor product series.

• Sniffer Technologies. This division supplies the industry-leading Sniffer

network monitoring, reporting, and analysis utility and related software.

Network Associates continues to market and support the product lines from

each of the new independent business units. You may direct all questions,

comments, or requests concerning the software you purchased, your

registration status, or similar issues to the Network Associates Customer

Servicedepartmentatthefollowingaddress:

Network Associates Customer Service

4099 McEwan, Suite 500

Dallas, Texas 75244

U.S.A.

The department's hours of operation are 8:00 a.m. and 8:00 p.m. Central Time,

Monday through Friday

Other contact information for corporate-licensed customers:

Phone: (972) 308-9960

Fax: (972) 619-7485 (24-hour, Group III fax)

E-Mail: services_corporate_division@nai.com

Web: http://www.nai.com

Administrator’s Guide xix

Preface

Other contact information for retail-licensed customers:

Phone: (972) 308-9960

Fax: (972) 619-7485 (24-hour, Group III fax)

E-Mail: cust_care@nai.com

Web: http://www.mcafee.com/

Technical support

Dr Solomon’s and Network Associates are famous for their dedication to

customer satisfaction. The companies have continued this tradition bymaking

their sites on the World Wide Web valuable resources for answers to technical

support issues. Dr Solomon’s encourages you to make this your first stop for

answers to frequently asked questions, for updates to Dr Solomon’s and

Network Associates software, and for access to news and virus information

Ifyoudonotfindwhatyouneedordonothavewebaccess,tryoneofour

automated services.

If the automated services do not have the answers you need, contact Network

Associates at one of the following numbers Monday through Friday between

8:00

A.M.and8:00P.M. Central time to find out about Network Associates

technical support plans.

For corporate-licensed customers:

For retail-licensed customers:

This guide includes a summary of the PrimeSupport plans available to Dr

Solomon’s customers. To learn more about plan features and other details, see

Appendix E, “Network Associates Support Services.”

World Wide Web http://www.nai.com/asp_set/services/technical_support

/tech_intro.asp

Internet techsupport@mcafee.com

CompuServe GO NAI

America Online keyword MCAFEE

Phone (972) 308-9960

Fax (972) 619-7845

Phone (972) 855-7044

Fax (972) 619-7845

Preface

xx Dr Solomon’sAnti-Virus

To provide the answers you need quickly and efficiently, the Network

Associates technical support staff needs some information about your

computer and your software. Please include this information in your

correspondence:

• Product name and version number

• Computer brand and model

• Any additional hardware or peripherals connected to your computer

• Operating system type and version numbers

• Network type and version, if applicable

• Contents of your AUTOEXEC.BAT, CONFIG.SYS, and system LOGIN

script

• Specific steps to reproduce the problem

Download support

Togethelpwith navigating ordownloadingfiles from theNetwork Associates

or Dr Solomon’s websites or FTP sites, call:

Network Associates training

For information about scheduling on-site training for any Dr Solomon’s or

Network Associates product, call Network Associates Customer Service at:

(972) 308-9960.

Comments and feedback

Dr Solomon’s Software appreciates your comments and reserves the right to

use any information you supply in any way it believes appropriate without

incurring any obligation whatsoever.

Reporting new items for anti-virus data file updates

DrSolomon’santi-virussoftwareoffersyouthebestavailabledetectionand

removal capabilities, including advanced heuristic scanning that can detect

new and unnamed viruses as they emerge. Occasionally, however, an entirely

new type of virus that is not a variation on an older type can appear on your

system and escape detection.

Corporate customers (801) 492-2650

Retail customers (801) 492-2600

Page is loading ...

McAfee Dr Solomon’s Anti-Virus Administrator's Manual

Brand: McAfee

Model: Dr Solomon’s Anti-Virus

Category: Antivirus security software

Type: Administrator's Manual

This manual is also suitable for

DR SOLOMON S ANTI-VIRUS 8.5

Download PDF

report

McAfee Dr Solomon’s Anti-Virus Administrator's Manual

This manual is also suitable for

McAfee Dr Solomon’s Anti-Virus Administrator's Manual

Related papers

Other documents