Release Notes for Anti-Virus Scanning Engine 4160
OS/2
Copyright (c) 1992-2001 Networks Associates
Technology, Inc. All Rights Reserved.

================================================
Product Release: December 4, 2001
- DAT Version: 4171
- Engine Version: 4160
================================================

Thank you for using this software. This file contains
important information regarding this release. We strongly
recommend that you read the entire document.

We welcome your comments and suggestions.

________________________________________________
IMPORTANT NOTE

The 16-bit scanner (OS2SCAN.EXE) included in this package
remains at the 4140 release. The additional architecture
available in the 32-bit engine (PMSCAN.EXE) is necessary to
detect and clean newer viruses. This is not possible using a
16-bit architecture. This will be the last engine release to
include a 16-bit scanning engine and we strongly recommend
the use of the 32-bit engine.

________________________________________________
WHAT'S IN THIS FILE

- What are .DAT files?
- What is the Scanning Engine?
- New Features
- System Requirements
- Installation
  - Installing the Update Files
    (without the on-access scanner)
  - Installing the Update Files
    (with the on-access scanner)
  - Files Installed on Your Computer
  - Testing Your Installation
- Known Issues
- Documentation
- Contacting Network Associates
- Copyright and Trademark Attributions
  - Trademarks
  - License Agreement

________________________________________________
WHAT ARE .DAT FILES?

McAfee virus definition (.DAT) files contain up-to-date
virus signature and other information that McAfee anti-virus
products use to protect your computer against the thousands
of computer viruses in circulation. McAfee releases new .DAT
files regularly to provide protection against the
approximately 500 new viruses that appear each month.
To ensure that your anti-virus software can protect your
system or network against the latest threats, download and
install the latest .DAT files.

________________________________________________
WHAT IS THE SCANNING ENGINE?

The scanning engine included with this update package is the
component of the software that actually detects viruses and
repairs infected files. The engine is a self-contained
program that you can 'drop in' to later generations of
McAfee anti-virus software to provide that software with
enhanced scanning and cleaning capabilities, much like you
might replace parts of, or your entire, car engine. The rest
of the anti-virus software framework allows you to direct
and manage the scanning and cleaning capabilities built in
to the engine.

________________________________________________
NEW FEATURES

The anti-virus scanning engine has these enhancements and
new features.

New Features for 4160 engine:

- Support for ACE (WinACE) Archiver
  The engine can now detect virus infections within files
  compressed by WinACE.

- Support for additional packers
  The engine can now detect virus infections within files
  packed by PKLITE32, ELiTeWrap, Joiner, PEBundle, PEBundle
  Write-To-Disk, and tElock.

- Support for newer versions of packers
  The engine can now detect virus infections within files
  packed by newer versions of Petite, ASPack, UPX, NeoLite,
  and PECompact.

- Support for BZIP compression format
  The engine can now detect virus infections within files
  compressed by BZIP.

- Support for additional LHA compression formats, LH6 and LH7
  The engine can now detect virus infections within files
  compressed by LH6 and LH7 variants of LHA.

- Support for zcompress compression format
  The engine can now detect virus infections within files
  compressed by zcompress.

- Support for PDF 5.0 files
  The engine can now detect virus infections in embedded
  objects within Adobe Acrobat PDF 5.0 files.

- Improved scanning for MIME formats
  The engine can now detect virus infections within e-mail
  messages with non-standard MIME formats. The engine now
  scans all attachments and also any content that is not
  plain text.

- Support for Unicode and Unicode big-endian saved scripts
  The engine can now detect virus infections within VBS and
  Java scripts saved in Unicode or Unicode big-endian format.
  (This format is found in Macintosh and UNIX files).

- Support for Compiled Help files
  The engine can now detect virus infections within compiled
  HTML help files (Microsoft's .CHM files). This compressed
  format requires that the /UNZIP switch is used.

- Support for Microsoft Exchange internal data-transfer format
  The engine can now detect virus infections within Microsoft
  Exchange e-mail files that use Transport-Neutral
  Encapsulation Format (TNEF).

- Support for Internet Message Connector (IMC) Archive format.
  The engine can now detect virus infections within IMC mail
  archives.

- Support for uncompressed VBA in Visio files
  The engine can now detect virus infections within
  uncompressed Visual Basic for Applications scripts in Visio
  files.

- Improved heuristic analysis for 32-bit Windows applications
  The engine uses improved heuristic analysis within
  Microsoft Windows 32-bit executables enabling it to detect
  unknown virus infections.

- Support for compressed RTF and HTML in Microsoft Outlook
  messages
  The engine can now detect virus infections within
  compressed data in Microsoft Outlook and Exchange e-mail
  messages.

- Support for Script Component Type Libraries
  The engine can now detect virus infections within Script
  Component Type Libraries (.HTA files).

- Improved performance when scanning Windows 32 applications
  A new technology has been created for virus analysis within
  Windows 32 applications written in high-level languages.

New Features for 4140 engine:

- Improved performance for Microsoft Visio file scanning
  The scanning engine scanning speed for Visio files has been
  improved.

- Fix to Corel Paint scanning
  In some cases it is possible for the scanning engine to
  crash when scanning Corel Paint version 9 files which
  contain empty VBA projects. This has been fixed in this
  release.

- Additional support for Microsoft Office 2001 for Macintosh

New Features for 4130 engine:

- Improved performance for Microsoft Visio file scanning
  The scanning engine scanning speed for Visio files has been
  improved.

- Additional support for Microsoft Office 2001 for Macintosh

- Heuristic detection inside Visual Basic Scripts.
  The engine can now detect unknown viruses within Visual
  Basic Scripts. Some viruses can conceal Visual Basic
  Scripts within the body of an e-mail message. Some Windows
  and Internet Explorer configurations allow the embedded
  script to run when the e-mail message is opened in
  Microsoft Outlook.

- Reporting of Windows Word 98 and Windows 2000
  password-protected documents.
  The scanner reports password-protected files as it scans
  them. Previously, the scanner reported "The file could not
  be renamed - compound or archive".

- Support for new unpacker formats, Windows executable
  compressors and encryptors
  The engine can now detect virus infections within files
  packed by several versions of NeoLite, PE-Crypt, PECompact,
  PE-PaCK, and .BJFnt.

- Support for new versions of unpacker formats.
  The engine can now detect virus infections within files
  packed by new versions of UPX, ASPack, WWPack32, and
  Petite.

- Support for Autodesk AutoCAD 2000
  The engine can now detect virus infections within Autodesk
  AutoCAD 2000 drawing format files - file extensions, .DWG,
  and .D?B

- Support for Corel Photo-Paint 9
  The engine can now detect virus infections within Corel
  Photo-Paint 9 files - file extension .CPT.

- Improvements in corrupt file handling.
  The software now provides better handling and reporting of
  corrupted files.

- Reporting of 'Trojan horse' variants.
  Although the engine already detects Trojan horse files, it
  now states whether it has detected an original file or a
  variant.

- Improved renaming of infected files
  Previously, files with a file extension of .V?? were not
  renamed. Extensions are now renamed as described in the
  following table.

  Extn     Renamed  Description
  ----     -------  --------------------------------------
  ???      v??      File extensions that do not start
                    with v are renamed with v as the
                    initial letter of the file extension.
                    Example: myfile.doc becomes
                    myfile.voc.
  v??      vir      File extensions that start with v are
                    renamed as .vir. Example: file.vbs
                    becomes file.vir.
  vir,              These files are recognised as already
  v01-v99           infected, and are not renamed again.
           vir      Files with no extensions are renamed
                    with .vir.

  For file extensions with more than three letters, the name
  is not truncated. For example, notepad.class becomes
  notepad.vlass.

________________________________________________
SYSTEM REQUIREMENTS

OS/2 Warp 3 and 4
SES (Security Enabling Services)

________________________________________________
INSTALLATION

The current version of VirusScan for OS/2 has two possible
methods for updating.

INSTALLING THE UPDATE FILES (WITHOUT ON-ACCESS SCANNER)

If you are NOT running the Vshield 'On-Access' scanner, you
can copy the new DAT and executable files into the VirusScan
folder on your computer and overwrite the old DAT files.

INSTALLING THE UPDATE FILES (WITH ON-ACCESS SCANNER)

If your computer is running the Vshield 'On-Access' scanner,
you cannot overwrite the old DAT and executable files
because the files will be in use. Therefore, you will need
to disable or uninstall ALL components associated with
Vshield in order to update the Engine or DATs.

Briefly, the method is to uninstall the whole VirusScan for
OS/2 product using its Uninstaller program, reboot the
computer, then re-install the whole product again - but do
not reboot after re-installing. You can then overwrite the
files because they will not yet be in use.

The method is next described in detail:

1.  Locate and open the "NETA\VSCANOS2" folder on your
    Desktop. By default, the VirusScan installation utility
    places this folder on the OS/2 desktop.

2.  Double-click the "Uninstaller Utility" program icon to
    open it. The Installation and Maintenance window appears.

3.  Choose Delete from the Action menu. A dialog box appears,
    where you can choose the components you want to remove.

4.  Click Select All to choose all VirusScan components.

5.  Click Delete to remove all VirusScan components from the
    install directory. The uninstaller should remove the
    VirusScan components and delete the VirusScan folder from
    your OS/2 desktop. Click the OK button and close the
    Uninstall Utility.

6.  Restart your computer to complete the uninstallation
    process.

7.  You are now ready to re-install VirusScan for OS/2 from
    the CD to the default location on your computer and then
    update the Engine / DAT files.

8.  Locate the INSTALL.EXE file in the Vscan/OS2 folder on
    the VirusScan CD, then double-click it to begin your
    re-installation.

9.  Follow the instructions shown in the installation panels
    to continue. Select the components that you wish to
    install and click the Install button.

    NOTE: If you choose to install the VShield on-access
    scanner, you MUST have SES installed on your computer for
    it to work properly. If you have SES installed on your
    system, but not enabled, you should choose to enable SES
    through the VirusScan installation utility.

    WARNING: If you choose to enable SES but do not have it
    already installed on your computer, the installation
    utility will prevent Presentation Manager from running
    and your system from completing its startup.
    The installation utility CANNOT check for the presence of
    SES software on your computer. Be sure you have followed
    all of the steps shown in the previous sections before
    you continue with your installation.

10. Click OK when installation is complete.
    DO NOT RESTART YOUR COMPUTER YET.

11. Unzip the VirusScan for OS/2 DAT / Engine update file to
    a Temp folder and then copy all the newly unzipped files
    in to the VirusScan directory on the hard disk. You will
    need to select the "Replace existing object:" button
    followed by the OK button for some of the files in order
    to overwrite them.

12. When complete, you may restart your computer.

13. All installed VirusScan components should now display
    updated version information.

FILES INSTALLED ON YOUR COMPUTER

The following files are used to update VirusScan for OS/2.

  OS2SCAN.EXE    VirusScan for OS/2 command-line program file
  PMSCAN.EXE     OS/2 GUI scanner
  CLEAN.DAT      Virus definition file
  LICENSE.DAT    License compliance checker
  MESSAGES.DAT   Localization file
  NAMES.DAT      Virus names list
  SCAN.DAT       Virus definitions file
  PACKING.LST    Packing list for validation
  LICENSE.TXT    License document
  CONTACT.TXT    Contact information
  README.TXT     This document
  APIO32.DLL     32-bit scanning engine
  NOV16.DLL      Utility DLL for network messaging
  NOV32.DLL      Utility DLL

TESTING YOUR INSTALLATION

The EICAR Standard AntiVirus Test File is a combined effort
by anti-virus vendors throughout the world to implement one
standard by which customers can verify their anti-virus
installations.

To test your installation, copy the following line into its
own file, then save the file with the name EICAR.COM.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The file size will be 68 or 70 bytes.

Next, start your anti-virus software and allow it to scan
the directory that contains EICAR.COM. When your software
scans this file, it will report finding the EICAR test file.

Note that this file is NOT A VIRUS.
Delete the file when you have finished testing your
installation to avoid alarming unsuspecting users.

________________________________________________
KNOWN ISSUES

1. The report generated by the OS2SCAN.EXE scanner may
   occasionally show truncated directory names.

________________________________________________
DOCUMENTATION

This product includes a documentation set that may consist
of manuals saved in Adobe Acrobat Portable Document Format
(.PDF) and an online Help system.

Electronic copies of all product manuals are included on the
product CD, or are available with a valid grant number on
the McAfee download site:

  www.mcafeeb2b.com/naicommon/download/upgrade/login.asp

A free copy of the latest version of the Acrobat Reader also
comes with the product CD, or you can download any version
from the Adobe web site:

  www.adobe.com/prodindex/acrobat/readstep.html

This product includes the following documentation set:

- Product Guide. This guide introduces the product,
  documents product features, provides detailed instructions
  for configuring the software, and includes information on
  deployment as well as recurring tasks and operating
  procedures. It also provides a roadmap for getting
  additional information or help.

- Online Help system. Online Help, accessed from within the
  software application, gives you quick access to hints and
  tips about using your software.

- A LICENSE file. This file outlines the terms under which
  you may use the product. Read it carefully. If you install
  the product, you agree to the license terms.

- This README file.

- A CONTACT file. This file provides a list of phone
  numbers, street addresses, web addresses, and fax numbers
  for Network Associates offices in the United States and
  around the world. It also includes contact information for
  services, such as technical support, customer service,
  onsite training, the beta program, and AVERT Anti-Virus
  Research Site.

________________________________________________
CONTACTING MCAFEE AND NETWORK ASSOCIATES

Technical Support
  http://knowledge.nai.com

Product Documentation Issues
  tvd_documentation@nai.com

McAfee Beta Program
  Beta Web Site   www.mcafeeb2b.com/beta/
  E-mail          avbeta@nai.com

AVERT Anti-Virus Research Site
  www.mcafeeb2b.com/avert

Download Site
  www.mcafeeb2b.com/naicommon/download/

DAT File Updates
  www.mcafeeb2b.com/naicommon/download/dats/find.asp

Product Upgrades
  www.mcafeeb2b.com/naicommon/download/upgrade/login.asp
  Valid grant number required.
  Contact Network Associates Customer Service

On-Site Training Information
  www.mcafeeb2b.com/services/mcafee-training/default.asp

Finding a Reseller
  www.mcafeeb2b.com/naicommon/partners/tsp-seek/intro.asp

Network Associates Customer Service
  US, Canada, and Latin America toll-free:
  Phone:   +1-888-VIRUS NO or +1-888-847-8766
           Monday - Friday, 8 a.m. - 8 p.m., Central Time
  E-mail:  services_corporate_division@nai.com
  Web:     www.nai.com
           www.mcafeeb2b.com

For additional information on contacting Network Associates
and McAfee -- including toll-free numbers for other
geographic areas -- see the CONTACT file that accompanied
your original product release.

________________________________________________
COPYRIGHT AND TRADEMARK ATTRIBUTIONS

(c) 2001 Networks Associates Technology, Inc. All Rights
Reserved. No part of this publication may be reproduced,
transmitted, transcribed, stored in a retrieval system, or
translated into any language in any form or by any means
without the written permission of Networks Associates
Technology, Inc., or its suppliers or affiliate companies.
To obtain this permission, write to the attention of the
Network Associates legal department at: 3965 Freedom Circle,
Santa Clara, California 95054, or call +1-972-308-9960.

TRADEMARKS

Active Security, ActiveHelp, ActiveShield, AntiVirus Anyware
and design, Bomb Shelter, Building a World of Trust,
Certified Network Expert, Clean-Up, CleanUp Wizard, Cloaking,
CNX, CNX Certification Certified Network Expert and design,
CyberCop, CyberMedia, CyberMedia UnInstaller, Data Security
Letter and design, Design (logo), Design (Rabbit with hat),
design (stylized N), Disk Minder, Distributed Sniffer System,
Distributed Sniffer System (in Katakana), Dr Solomon's,
Dr Solomon's label, Enterprise SecureCast, EZ SetUp,
First Aid, ForceField, Gauntlet, GMT, GroupShield, Guard Dog,
HelpDesk, HomeGuard, Hunter, I C Expert, ISDN TEL/SCOPE,
LAN Administration Architecture and design, LANGuru,
LANGuru (in Katakana), LANWords, Leading Help Desk
Technology, LM1, M and design, Magic Solutions,
Magic University, MagicSpy, MagicTree, MagicWord,
McAfee Associates, McAfee, McAfee (in Katakana), McAfee and
design, NetStalker, MoneyMagic, More Power To You,
MultiMedia Cloaking, myCIO.com, myCIO.com design (CIO
design), myCIO.com Your Chief Internet Officer & design,
NAI & design, Net Tools, Net Tools (in Katakana), NetCrypto,
NetOctopus, NetRoom, NetScan, NetShield, NetStalker,
Network Associates, Network General, Network Uptime!,
NetXray, NotesGuard, Nuts & Bolts, Oil Change, PC Medic,
PC Medic 97, PCNotary, PGP, PGP (Pretty Good Privacy),
PocketScope, PowerLogin, PowerTelNet, Pretty Good Privacy,
PrimeSupport, Recoverkey, Recoverkey - International,
Registry Wizard, ReportMagic, RingFence, Router PM,
SalesMagic, SecureCast, Service Level Manager, ServiceMagic,
SmartDesk, Sniffer, Sniffer (in Hangul), SniffMaster,
SniffMaster (in Hangul), SniffMaster (in Katakana), SniffNet,
Stalker, Stalker (stylized), Statistical Information
Retrieval (SIR), SupportMagic, TeleSniffer, TIS, TMACH, TMEG,
TNV, TVD, TNS, TSD, Total Network Security, Total Network
Visibility, Total Service Desk, Total Virus Defense,
Trusted MACH, Trusted Mail, UnInstaller, Virex, Virus Forum,
ViruScan,
VirusScan, VShield, WebScan, WebShield, WebSniffer,
WebStalker, WebWall, Who's Watching Your Network, WinGauge,
Your E-Business Defender, ZAC 2000, Zip Manager are
registered trademarks of Network Associates, Inc. and/or its
affiliates in the US and/or other countries. All other
registered and unregistered trademarks in this document are
the sole property of their respective owners.

LICENSE AGREEMENT

NOTICE TO ALL USERS: FOR THE SPECIFIC TERMS OF YOUR LICENSE
TO USE THE SOFTWARE THAT THIS DOCUMENTATION DESCRIBES,
CONSULT THE LICENSE.TXT OR OTHER LICENSE DOCUMENT THAT
ACCOMPANIES YOUR SOFTWARE, EITHER AS A TEXT FILE OR AS PART
OF THE SOFTWARE PACKAGING. IF YOU DO NOT AGREE TO ALL OF THE
TERMS SET FORTH THEREIN, DO NOT INSTALL THE SOFTWARE. IF
APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF
PURCHASE FOR A FULL REFUND.
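
________________________________________________
ADDED EXAMPLE: INFECTED-FILE RENAMING RULES

The renaming table under "Improved renaming of infected
files" in NEW FEATURES, written out as Python. This is an
added example, not part of the original release notes and
not Network Associates code. The function names, the case
handling and the sample file names are assumptions; the
README does not say what the scanner does when two files map
to the same new name, so the example only reports those cases.

```python
import ntpath
import re
from collections import Counter

# Extensions the table treats as already infected: vir and v01 through v99.
ALREADY_RENAMED = re.compile(r"(vir|v0[1-9]|v[1-9][0-9])", re.IGNORECASE)

# Constructed sample names, not taken from any real scan report.
SAMPLE = ["myfile.doc", "file.vbs", "file.vir", "notepad.class",
          "README", "macro.vba", "macro.vbs", "old.v07"]


def quarantine_name(path):
    """Return the post-rename path, or None if the table leaves it alone."""
    folder, name = ntpath.split(path)        # OS/2 paths use backslashes
    stem, dot, ext = name.rpartition(".")
    if not dot:                              # no "." at all
        stem, ext = name, ""
    if ALREADY_RENAMED.fullmatch(ext):
        return None                          # vir, v01-v99: not renamed again
    upper = name.isupper()                   # assumption: follow the name's case
    if ext == "" or ext[0].lower() == "v":
        new_ext = "VIR" if upper else "vir"  # no extension, or v?? -> vir
    else:
        # ??? -> v??; longer extensions keep their full length
        new_ext = ("V" if upper else "v") + ext[1:]
    return ntpath.join(folder, stem + "." + new_ext)


def plan_renames(paths):
    """Return ({path: new name or None}, [final names claimed more than once])."""
    plan = {p: quarantine_name(p) for p in paths}
    # Names are compared case-insensitively, as on FAT and HPFS volumes.
    claimed = Counter((new or old).lower() for old, new in plan.items())
    collisions = sorted(n for n, count in claimed.items() if count > 1)
    return plan, collisions


if __name__ == "__main__":
    plan, collisions = plan_renames(SAMPLE)
    for old, new in plan.items():
        print(f"{old:15} -> {new or '(not renamed)'}")
    print("collisions:", collisions)
```

In the sample, file.vbs maps onto the existing file.vir, and
macro.vba and macro.vbs both map to macro.vir.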