Central Point Anti-Virus
Version 1.3

This file contains information that is not in the manual or has
changed since the manual was printed. Please take a moment to read it.

The Virus Dictionary in the manual covers the most common viruses. See
the Virus List in the program for new viruses that Central Point
Anti-Virus now detects.

CONTENTS OF THIS FILE
=====================

This file is organized in the following order:

* Change Summary
* Signature Updates
* Configuring the Screen Display
* Windows Issues
* Installation
* Using VSafe
* Using Bootsafe
* Memory Usage
* Using CPAV
* Network Administrators
* Command-Line Options
* Using Batch Files
* Troubleshooting
* Documentation Changes

CHANGE SUMMARY
==============

* CPAV: Central Point Anti-Virus now detects, cleans, and immunizes
  polymorphic viruses created from the Dark Avenger mutation engine.
  A recent development, polymorphic viruses mutate and change their
  signatures with each infection. These viruses contain code that can
  be incorporated into any existing or future virus, allowing it to
  create an infinite variety of original encryption methods each time.

* You can interrupt the memory scan when CPAV starts by pressing ESC.

* INSTALL: Install no longer contains the Interface Options command;
  instead, use PC Config to change colors, mouse, keyboard, and
  display options. See the "Configuring the Screen Display" section
  for details.

* When a virus is found on your computer, you now have the option to
  delete the infected files directly from the Virus Found dialog box.

* BOOTSAFE: The /A command-line option added to Bootsafe allows you to
  use DOS error codes on exit. See the "Command-Line Options" section
  for details.

* VSAFE/VWATCH: If VSafe or VWatch is resident in memory when you
  reboot your computer, and a disk is in drive A, the disk's boot
  sector is checked before rebooting. If that disk has a virus, a
  message informs you that the computer will not be rebooted.
  This protects you from infecting your system from the floppy disk.
  If this disk is found free of boot sector viruses, the boot process
  takes place from drive A.

SIGNATURE UPDATES
=================

Anti-virus programs use signatures to identify known viruses.
Signatures are series of codes that are unique to individual viruses.
If you install a new signature file and try to use it with another
manufacturer's anti-virus program, you may receive a false alarm that
a virus is present. In reality, the program sees the signature for a
virus, not the actual virus. Use only the signatures for Central Point
Anti-Virus with this program to avoid receiving false alarms.

Please note that signatures added to the program update the virus
detection capabilities of Central Point Anti-Virus and VSafe. VWatch
does not use the external signature file. To receive virus-cleaning
and immunizing capabilities and to update VWatch, you must upgrade the
program or subscribe to the Continuous Anti-Virus Protection Service
(CAP).

You can update virus signatures monthly by downloading files from
Central Point Software's BBS or CompuServe. If you enrolled in the
subscription service, disks are mailed quarterly.

CONFIGURING THE SCREEN DISPLAY
==============================

Install no longer has the Interface Options button; instead, to change
screen colors, specify mouse and keyboard options, and change the text
display, use PC Config.

To start PC Config from DOS, type

     PCCONFIG

The PC Config window displays the following options:

* Color
* Display
* Mouse
* Keyboard

The procedures for these options appear in the "Configuring the Screen
Display" chapter. The first step of the procedures should be "Start PC
Config," instead of "Choose Interface Options."

WINDOWS ISSUES
==============

* Central Point Anti-Virus is fully compatible with Windows 3.x,
  running in 386 enhanced mode.

* During installation, the program modifies the WIN.INI file so that
  WNTSRMAN.EXE (the TSR Manager) loads when you start Windows. This
  application manages communication between VSafe and VWatch, and
  Windows.

* When you start the Program Manager in Windows after installing
  Central Point Anti-Virus, you see two icons: CPAV and VSafe/VWatch.
  The CPAV icon opens the program. The VSafe/VWatch icon opens a
  control window where you can configure the program for that session
  in Windows, depending on the utility you loaded.

* If VSafe or VWatch detects a virus or suspicious activity when you
  run an application from Windows, the TSR Manager sounds an alarm and
  issues a warning message.

  NOTE: If you run a DOS-based graphics application from Windows or
  the DOS prompt, you will not see a warning dialog when a virus is
  detected. Instead, an alarm sounds and the action stops.

  IMPORTANT: Because Windows uses the disk for memory swapping, turn
  off VSafe's Write Protect option when running Windows. If you turn
  on this option while in Windows, VSafe displays a message advising
  you to turn it off.

INSTALLATION
============

* If your computer boots from a drive other than drive C, the Install
  program prompts you to choose the drive where the AUTOEXEC.BAT and
  CONFIG.SYS files are stored.

* During installation, the Install program automatically creates
  backups of AUTOEXEC.BAT and CONFIG.SYS before making any
  modifications to them. The backup files are named AUTOEXEC.SAV and
  CONFIG.SAV.

* To reconfigure options, you can run the Install program from the
  original Central Point Anti-Virus disk or from the directory where
  you installed Central Point Anti-Virus.

Uninstall
---------

When you remove Central Point Anti-Virus by choosing Uninstall from
the Install program window, it deletes the files in the C:\CPAV
directory (or the directory you specified during installation) and
removes modifications the program made to the AUTOEXEC.BAT and
CONFIG.SYS files.
Any checklist files (CHKLIST.CPS) created in directories on your hard
disk are not deleted.

Emergency Diskette
------------------

Choosing Emergency Diskette in the Install program creates an image of
the boot sector, partition table, and CMOS of the boot drive of your
computer. When you complete installation, use the BOOTSAFE command to
save a copy of the partition table of each physical drive attached to
your computer. See the "Ongoing Virus Protection" chapter of the
manual for instructions.

Upgrade Version
---------------

To upgrade from an earlier version of Central Point Anti-Virus, choose
Upgrade Version. The program copies new files to the drive and
directory you specify while the two configuration files, CPAV.INI and
CPSCOLOR.DAT, remain unchanged. This allows you to continue using the
option settings, screen colors, keyboard controls, and mouse controls
you are familiar with while updating your computer with the latest
version of Central Point Anti-Virus software.

Customize Install
-----------------

Choose Customize Install to create a set of installation disks
customized with default memory-resident program choices and option
settings you specify. Once the installation set is customized, you can
quickly install the programs and option settings on other computers by
typing

     INSTALL C:     (substitute any drive letter for C)

When you install Central Point Anti-Virus, the software automatically
installs in a directory called \CPAV on the drive specified, with the
default memory-resident programs and option settings you specified in
the installation set.

You can create sets of 360K, 720K, 1.2MB, 1.44MB, or 2.88MB disks.

Password
--------

If you forget the password you created for Central Point Anti-Virus,
reinstall the software to create a new one.

Installing VSafe and VWatch
---------------------------

* VSafe, VWatch, and VDefend (part of the PC Tools package) are
  mutually exclusive; install the one that best suits your system's
  configuration.
  Use VSafe to provide the highest level of ongoing virus protection
  for your computer. If you choose to install VSafe, a dialog box asks
  you to enter the directory where Windows files are located. If you
  do not use Windows, choose Cancel to continue with the installation.

* Selecting the option to install VSafe as a Driver adds the line

     DEVICE=C:\CPAV\VSAFE.SYS

  to the CONFIG.SYS file. Selecting the option to install VWatch as a
  Driver adds the line

     DEVICE=C:\CPAV\VWATCH.SYS

  to the CONFIG.SYS file. If you specify a drive and directory
  location other than C:\CPAV, the DEVICE= line reflects that drive
  and directory.

* VWatch must be installed after any network drivers. If you are using
  a network, modify your AUTOEXEC.BAT or CONFIG.SYS file after
  installation to make sure network drivers are loaded before VWatch.
  The suggested loading order is

     Net driver (IPX)
     Net driver (NETX)
     VWATCH
     Login

USING VSAFE
===========

* If the ALT-V hotkey combination to display the VSafe control window
  conflicts with key codes used by other memory-resident programs or
  within other applications, change the VSafe hotkey combination.

  To change to another ALT-key combination, from DOS type:

     VSAFE /Ax

  where x represents the new hotkey you want to assign.

  To change to a CTRL-key combination, from DOS type:

     VSAFE /Cx

  where x represents the new hotkey you want to assign.

* To have virus protection on networks with VSafe, load VSafe with the
  /N parameter before the network drivers.

  NOTE: You may not be able to remove some TSR programs from memory
  after using this option.

* If VSafe detects that a file no longer matches its checksum, the
  resulting dialog box now gives the user the option of directly
  updating the checksum without having to run the CPAV program. If you
  selected the Disable Update option in CPAV, VSafe's warning dialog
  box has a Reboot button in place of Update.

USING BOOTSAFE
==============

* If you receive the following message from Bootsafe, use the
  suggestions below to remedy the situation:

     WARNING: BOOT SECTOR/PARTITION TABLE WAS MODIFIED

  Bootsafe issues this message when the partition table information is
  changed in any way. When you install new operating system software
  (like an upgrade to DOS 5), the software modifies your partition
  table. If you install disk compression software (like Stacker), your
  original drive C files are compressed and the software reassigns the
  drive designator.

  If you can rule out either of those possibilities, then the cause of
  this message may be that you have a boot sector virus. If this is
  the case, use your emergency disk to boot from and repair the
  partition table.

  If you are using a Stacker swap file, this message appears each time
  Bootsafe scans your system. To remedy this:

  1. Press C to continue when you see the message.

  2. Then edit your AUTOEXEC.BAT file to change the following line
     from:

        C:\CPAV\BOOTSAFE

     to

        C:\CPAV\BOOTSAFE D:

     (where D is the drive designator of your swapped drive).

  3. Reboot your computer.

  4. Press U to update the information in the image file the first
     time. Hereafter, you probably won't see this message unless you
     have a boot sector virus.

* The first step in the manual for restoring a partition table image
  with Bootsafe is incorrect. Insert the floppy disk containing the
  image of the partition table.

  To restore the partition table image to drive C, from DOS, type:

     A:BOOTSAFE C: /R

  To restore the image to drive D, from DOS, type:

     A:BOOTSAFE D: /R

  If the CMOS information, partition table, or boot sector of your
  hard disk is damaged for any reason, you can use the image saved
  with Bootsafe to restore the disk to working condition.

* Some older Hewlett Packard and Zenith computers modify the boot
  sector or drive partition table each time the system is started.
  If Bootsafe is installed, Central Point Anti-Virus will continually
  display warnings that it is modifying the boot sector, partition
  table, or both. Check your computer's documentation to determine if
  the system automatically modifies the boot sector or partition table
  during startup. If it does, remove Bootsafe from your AUTOEXEC.BAT
  file.

MEMORY USAGE
============

* VSafe and VWatch now support expanded and extended memory. The
  programs look first for available expanded memory, then extended
  memory when loading. The amount of conventional memory occupied
  depends on the use of available expanded or extended memory, as
  shown below:

  When VSafe Uses                          Conventional Memory Usage Is
  ----------------------------------------------------------------------
  Expanded memory                          6K
  Extended memory                          20K
  Conventional memory                      41K

  When VWatch Uses                         Conventional Memory Usage Is
  ----------------------------------------------------------------------
  Expanded memory                          1K
  Extended memory                          6K
  Conventional memory                      25K
  Conventional memory with disk swapping   8K

  (See the next item for more information on disk swapping.)

  You can force the type of memory used by adding the following
  command-line options:

     /NE    disables use of expanded memory.
     /NX    disables use of extended memory.

  For example, if you have both expanded and extended memory and want
  to force VSafe or VWatch to use extended memory, from DOS type:

     VSAFE /NE
  or
     VWATCH /NE

  To force use of conventional memory when both expanded and extended
  memory are present, from DOS type:

     VSAFE /NE /NX
  or
     VWATCH /NE /NX

* If your computer is equipped with conventional memory only and you
  are running VWatch, you can minimize memory use with disk swapping.
  To tell VWatch to use disk swapping, from DOS type:

     VWATCH /D

  A portion of the program loads into conventional memory, occupying
  7K. When other parts of the program are needed, VWatch reads the
  information from disk. Because VWatch scans files only when they are
  executed, use of disk swapping only minimally affects system
  response time.

USING CPAV
==========

The following sections describe additions to the CPAV program.

CPAV.INI File
-------------

The CPAV.INI file controls all option settings for both the INSTALL
and CPAV programs. You can change an option's setting by editing the
CPAV.INI file. A "0" indicates the option is off; a "1" indicates the
option is on.

Using CPAV with a Menu Program
------------------------------

If you are using a menu program, you can add selections to "Scan a
Floppy Disk" (CPAV A: /S) and "Scan Local Hard Drives" (CPAV /L).
Then, when you want to scan a new floppy disk or periodically scan the
hard drive to check for viruses, you can do so quickly from the menu
program.

Verifications Exceptions List
-----------------------------

To avoid verification alerts for files that change often, CPAV
provides a verification exceptions list. For example, if you change
your CONFIG.SYS file frequently, you can add it to the Verifications
Exceptions list so that it is ignored when checksums are verified.
Files in the Verifications Exceptions list are still checked for the
presence of known viruses. VSafe will also use the Verifications
Exceptions list.

To add a file to the Verifications Exceptions list:

1. Choose Verification Exceptions from the Configure menu.
2. Choose Add.
3. Type the name of the file you want to add to the list.
4. Choose OK.

To remove a file from the Verifications Exceptions list:

1. Choose Verification Exceptions from the Configure menu.
2. Select the file you want to remove from the list.
3. Choose Remove.

Search Capabilities in the Virus List
-------------------------------------

The Virus List dialog box now contains search capabilities. A text box
at the bottom of the dialog box allows you to type the name of a
specific virus and quickly locate it in the Virus List. As you type
each character, the first virus or alias containing that letter is
highlighted in the list. Choose Find Next to find the next match for
the specified search text.

Change Alert Message
--------------------

Access to the Change Alert Message option in the Configure menu is now
password-protected.

Create Report Option
--------------------

Choose Report from the Scan menu to view, print, or clear the reports
created when the Create Report option is on.

Anti-Stealth Option
-------------------

When you select this option along with the Verify Integrity option,
Central Point Anti-Virus uses a special, low-level checking routine to
enhance the detection of the Stealth family of viruses. The default
for this option is off.

Stealth viruses are particularly tricky in their attempts to infect
the computer's COMMAND.COM file and then spread to other executable
files. For maximum protection against Stealth viruses, leave both the
Anti-Stealth and Verify Integrity options on.

Create Infection Report Option
------------------------------

When you select this option, Central Point Anti-Virus creates a
\REPORTS subdirectory under the directory from which you ran the CPAV
program. Detailed information about any virus found and action taken
during a scan is stored in a file named REPORT.###, where ###
represents 000 for the first report file, 001 for the second, and so
forth. The default for this option is off.

When you view the Activity Log in the CPAV program, the log entry for
any scan in which a virus was detected appears in a contrasting color.
Highlighting such an entry and choosing Info displays the appropriate
Infection Report, allowing you to see the viruses, the infected files,
and the action taken.

If you run the CPAV program from a network drive, the Activity Report
shows NET: and the user name of the person who ran the program in
place of the drive ID and volume name.

Disable Update Option
---------------------

If CPAV finds a modified file during a scan, it displays the Verify
Error dialog box, allowing you to Update the file's checksum
information, Delete the file, Continue the scan and ignore the change,
or Stop the scan.
When you select the Disable Update option, you disable the Update
button in this dialog box.

When VSafe is memory-resident and you run an executable file that does
not match its checksum information, VSafe displays a dialog box with
options to Stop the execution of the file, Continue and ignore the
changes, or Update the file's checksum information. If you install
VSafe memory-resident after selecting the Disable Update option in
CPAV, the Update button in the VSafe warning dialog changes to Boot.
The default for this option is off.

Disable Continue Option
-----------------------

If CPAV finds an infected file, it displays the Virus Found dialog
box, allowing you to Delete the infected file, Clean, Continue or
Stop. However, if you select the Disable Continue option, the Continue
button is disabled. This option also disables the Continue button in
all VSafe alert dialogs. The default for this option is off.

Disable Scan Stop Option
------------------------

When you select this option, you disable the usual means of stopping a
scan -- pressing F3 or ESC. The default for this option is off.

Disable VSafe Hotkey Option
---------------------------

When you select this option, you cannot access the VSafe control menu,
you cannot remove VSafe from memory, and VSafe command-line options
are ignored. Use this option to prevent users from bypassing the use
of VSafe. This option is password-protected and the default is off.

NETWORK ADMINISTRATORS
======================

* If the CPAV program detects a virus and the user is logged on to a
  network server, a message indicating the user's name and the drive
  containing the virus appears on the server's system console.

* Novell Network users can configure CPAV to notify the network
  administrator or any other network user when there is a virus on the
  user's computer.

  To specify the user to be notified when there is a virus:

  1. Choose Send Network Messages To from the Configure menu.

  2. Type a valid network user name in the Network Messages dialog
     box. By default, no user name is specified.

  3. Choose OK.

  If the CPAV program finds a virus on your machine, it displays a
  message on the screen of the user you specified.

* If you install the CPAV program on a network drive for access by
  multiple users, you can set different option configurations for each
  user and specify an environment variable that allows the program to
  find the local configuration settings.

  To create an individual configuration and set the environment
  variable:

  1. Install Central Point Anti-Virus on the network drive or an
     individual computer.

  2. Run the CPAV program.

  3. Select the configuration options you want.

  4. Choose Exit from the File menu.

  5. Select Save Configuration and choose OK.

     The configuration options you selected are saved in the CPAV
     directory in a file named CPAV.INI.

  6. Copy the CPAV.INI file to a floppy disk and go to the user's
     computer you want to set up.

  7. Copy the CPAV.INI file to a directory on the user's computer.

  8. Edit the AUTOEXEC.BAT file to include the line SET CPAV=,
     substituting the path for the CPAV.INI file for . For example, if
     you copied the CPAV.INI file to the CPAV directory on drive C:,
     type

        SET CPAV=C:\CPAV\CPAV.INI

  When the user runs the CPAV program from the network drive, it uses
  the configuration options in the local CPAV.INI file.

* If you select the Create Infection Report option in CPAV, it creates
  a REPORTS subdirectory under the directory from which the CPAV
  program was executed. Detailed information about any virus found is
  stored in files in this directory. When you run CPAV from a network
  drive, the Activity Report shows NET: and the user name of the
  person who ran the program.

  To use this feature, assign read and write access rights to the
  \CPAV\REPORTS directory for all users. Also, assign read and write
  access rights to the file \CPAV\ACTIVITY.CPS for all users.

Scripts for Network Users
-------------------------

If you want to make sure that all users accessing the network are
using VSafe or VWatch, copy the file ISCPSTSR.EXE from the Central
Point Anti-Virus distribution disk to the system login directory and
add the following lines to the END of the system login script:

     #ISCPSTSR
     IF "%ERRORLEVEL"<>"99" THEN #LOGOUT

When a user attempts to log in to the network, ISCPSTSR checks the
system to see if either VSafe or VWatch has been installed
memory-resident. If VSafe or VWatch is not resident, the user will not
be allowed to log in.

You can use any Novell NetWare command in place of LOGOUT. For
example, you can use the EXIT command to exit to a batch file that
will automatically install VSafe or VWatch on the user's computer and
then restart the computer.

COMMAND-LINE OPTIONS
====================

The following command-line options have been added to CPAV.

     /E       Enters the Express Menu directly.
     /R       Turns on the Create Report option.
     /A       Scans all drives except A and B (including network
              drives).
     /L       Scans all local drives except A and B.
     /N       Suppresses interface information. Displays text in the
              CPAV.TXT file, if one exists.
     /P       Displays command-line interface instead of the graphic
              interface.
     /F       Suppresses names of files scanned. Valid only with /N
              or /P.
     /60      Sets the screen to display 60 lines.
     /VIDEO   Displays the video and mouse command-line options.

The following command-line options have been added to VSafe.

     /N       Allows recognition of network drivers and files on
              networks loaded after VSafe.
     /NE      Disables use of Expanded memory.
     /NX      Disables use of Extended memory.
     /Cx      Sets the VSAFE hotkey to CTRL-x.

The following VWATCH command-line options have been added:

     /NE      Disables use of Expanded memory.
     /NX      Disables use of Extended memory.
     /D       Allows use of disk swapping to conserve conventional
              memory.

The following command-line option was added to Bootsafe:

     /A       Exits the program without prompting, issuing an error
              code (either 86 or 2).
              This parameter works only with /T. Both of these
              parameters are useful in batch files and in network
              environments. See the "Using Batch Files" section next
              for ways to implement this parameter.

USING BATCH FILES
=================

Bootsafe (with the /A parameter) and CPAV can return DOS error codes
under certain circumstances. (These are sometimes called exit codes.)
This is useful when using the IF ERRORLEVEL statement in batch files.
The following examples are given to demonstrate how you can use these.

If CPAV or Bootsafe finds a virus, they return an error code of 86.
They return an error code of 0 if no virus is found. If you want to
run CPAV from a batch file, the following example shows you how to
insert a message when this situation arises:

     ECHO OFF
     CPAV /L /S
     IF NOT ERRORLEVEL 86 GOTO END
     ECHO VIRUS FOUND! CONTACT ADMINISTRATOR IMMEDIATELY!
     :END
     ECHO SCAN COMPLETE

Any legal DOS commands, program calls, or batch file calls may be
substituted for the message. When this batch file is executed, it runs
CPAV and scans all local drives except A and B. When the scan is
complete, if there is a virus, the message "VIRUS FOUND! CONTACT
ADMINISTRATOR IMMEDIATELY! SCAN COMPLETE" appears.

Bootsafe returns an error code of 2 when it is time to run a scan as
indicated by the /T parameter. The error code of 0 is returned if it
is not time to run a scan. For example, if a network administrator
specifies that users scan their local drives only once a day, each
user's AUTOEXEC.BAT file can have the following lines added:

     BOOTSAFE C: /T1 /A
     IF ERRORLEVEL 2 CPAV /L /S

When the batch file containing these statements is executed, CPAV runs
and it scans all local drives except A and B one time per day. Even if
the user reboots several times, CPAV won't scan the disk again.

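The two batch fragments above combined into one AUTOEXEC.BAT section, as an added example that is not part of the original README. It relies on the DOS rule that IF ERRORLEVEL n is true for any exit code of n or higher, so code 86 is tested before code 2; the C:\CPAV path is the default install directory, and the labels and messages are assumptions.

```bat
ECHO OFF
REM Added example (not from the original README).
REM Exit codes documented above:
REM   BOOTSAFE /T /A :  0 = not time to scan, 2 = time to scan, 86 = virus
REM   CPAV           :  0 = no virus found,   86 = virus found
REM
REM IF ERRORLEVEL n matches exit code n OR ANY HIGHER CODE.
REM "IF ERRORLEVEL 2" alone is therefore also true when Bootsafe
REM returns 86, so the higher code must be tested first to tell a
REM boot sector alarm apart from the once-a-day scan trigger.

C:\CPAV\BOOTSAFE C: /T1 /A
IF ERRORLEVEL 86 GOTO BOOTV
IF ERRORLEVEL 2 GOTO SCAN
REM Exit code 0 or 1: no alarm and not yet time for the daily scan.
GOTO DONE

:SCAN
C:\CPAV\CPAV /L /S
REM Any CPAV exit code of 86 or above lands on the alarm branch.
IF ERRORLEVEL 86 GOTO FILEV
ECHO DAILY SCAN COMPLETE - NO VIRUS FOUND
GOTO DONE

:BOOTV
ECHO BOOTSAFE REPORTED A VIRUS! CONTACT ADMINISTRATOR IMMEDIATELY!
REM PAUSE keeps the message on screen until a key is pressed.
PAUSE
GOTO DONE

:FILEV
ECHO CPAV FOUND A VIRUS! CONTACT ADMINISTRATOR IMMEDIATELY!
PAUSE

:DONE
```

Labels are kept to eight characters or fewer because DOS compares only the first eight characters of a batch label.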
TROUBLESHOOTING
===============

If you receive the message "Out of environment space," consult your
DOS manual for information on modifying the CONFIG.SYS file using the
SHELL command to increase your system's environment space.

DOCUMENTATION CHANGES
=====================

Page 12:  The checklist file created when the Create New Checksums
          option is selected is CHKLIST.CPS, not CHECKLIST.CPS.

Page 15:  The manual suggests using PC Tools PC Format as an
          alternative to the DOS FORMAT A: /S command. The correct
          command for using PC Format is PCFORMAT A: /S.

Page 20:  The procedure for returning to a recent Help topic should
          read:

          "To return to a recent topic, select F5-Go Back. The most
          recent help topic appears. You can go back through all the
          topics you've seen since opening Help, continue selecting
          F5-Go Back."

Page 49:  The manual describes switching from Full Menus to the
          Express Menu. Reference to "Advanced" should read "Full
          Menus."

Page 51:  The manual directs you to the Additional Features chapter
          for more information on the Allow Network Access and
          Detection Only options. Explanations of these options can
          actually be found earlier in the same chapter's "Scanning
          Options" section.

Page 55:  The first step for restoring a partition table image with
          Bootsafe is incorrect. Insert the disk containing the image
          of the partition table.

          To restore the partition table image to drive C, from DOS,
          type:

             A:BOOTSAFE C: /R

          To restore the image to drive D, from DOS, type:

             A:BOOTSAFE D: /R