Main Menu Screen
This chapter will explain the Command AntiVirus command-line and menu options that can be used in the DOS environment. In an emergency, you can boot either from the Command AntiVirus rescue disk or from a Windows 95 startup disk and use these tools.
F-PROT.EXE and FIXDISK.EXE (described in Chapter 4) can be used to disinfect a hard drive. They are located on the installation diskettes of Command AntiVirus for Windows 95, and are also on the Command AntiVirus rescue disk you created during installation.
F-PROT.EXE can be run from DOS in both menu-driven and command-line modes. A list of the command line switches can be found in this chapter in the section on Command-Line Mode. In the F-PROT.EXE Menu Options section, you will find the selections which are available from the Command AntiVirus menus. If you simply type F-PROT from a DOS prompt, you will begin the menu driven version of Command AntiVirus for DOS.
The following example shows how to run Command AntiVirus from the command-line. Since the main reason you would be running the DOS version of Command AntiVirus for a Windows 95 system is concern over a virus, we suggest you run it from your floppy drive. Once you have booted with a write-protected Command AntiVirus rescue disk, be sure you are at the A: prompt, and type:
F-PROT /HARD /DISINF [ENTER]
If you are booting with a Windows 95 startup disk, you must insert a disk containing the following files: F-PROT.EXE, ENGLISH.TX0, SIGN.DEF before typing the above command. These files are on the Command AntiVirus installation diskettes.When F-PROT.EXE is run with /HARD, it scans the boot records and executable files on all local logical drives. The /DISINF switch tells F-PROT to identify a virus, and asks if you want to disinfect it.
F-PROTEach time you run F-PROT.EXE it scans for viruses in memory. When the memory check is complete the following menu with the items Scan, Configure, Viruses, Program and Quit appears.
Main Menu Screen
You may select a command from the menu in one of two ways:
- Press the highlighted letter from the keyboard. For example, the letter Q in QUIT is highlighted.
- With the arrow keys, move the highlight bar to the command and press [ENTER]
When you select "Scan" from the main menu, the scanning menu appears. From this menu, you can scan for viruses on both local and network drives. You may configure how Command AntiVirus scans by selecting the other options that appear on this menu. Press [ESC] at anytime to abort a scan in progress.
Begin Scan Screen
The following sections discuss the commands and options available from this initial menu.
Select this item and press [ENTER] to begin scanning. The F10 key will also start this process.
Scan Method Screen
When you choose this menu item and press [ENTER], a submenu appears from which you select the type of scan to perform. Two types of scanning are available and each offers advantages. Use the arrow keys to highlight the type of scan you want to perform and press [ENTER]. Remember, the scan does not start until you select "Begin Scan".
Secure Scan
"Secure Scan" uses two different signatures when scanning for a virus and reports the variant of virus found. Secure Scan also checks for Trojan Horses and polymorphic viruses.
Heuristic Scan
| This method of scanning does not rely on specific virus signatures. It uses behavioral patterns as well as a set of rules to identify the type of code that viruses use. This is not a recommended option for inexperienced users as it can return false positives. |
This command displays a submenu that lists where Command AntiVirus should search for viruses. You may select only one option at a time.
Hard Disk
Select this option to search your local hard disks. By default, Command AntiVirus searches all logical and physical drives automatically.
Diskette Drive
Use this option to select a diskette drive for scanning. A submenu appears from which you can select the drive.
Network
Select this option to search all of your network drives.
User-specified
Select this option to specify the drive/path to search. This is particularly useful when you want to scan newly created directories after installing a new program.
| This command displays a window from which you can select the type of action to take when a virus is found. The default is "Report Only". If you choose to disinfect a file, make sure you can run Command AntiVirus after booting the system from a clean write-protected system diskette. Should a virus remain active in memory, it can interfere with the disinfection process. |
Scan Action Screen
This option displays the results of the scan in a window. You may scroll through this window. This report may be sent to the printer or to a disk file.
Select this option to have Command AntiVirus prompt you before disinfecting a file. Command AntiVirus is capable of disinfecting most non-overwriting viruses.
| Select this to automatically disinfect a file when Command AntiVirus finds a virus. No prompt appears with this option. |
Select this option to prompt you before deleting an infected file.
| Command AntiVirus will delete infected files automatically with this option. This is not recommended since some viruses encrypt portions of the hard disk. The encrypted portions would be lost when the virus is removed. |
| Select this option to rename infected files to .VOM or .VXE. Use this if you want to study the infected file or compare it to a clean backup copy. Files with these extensions are not executable and, therefore pose no threat to your system. |
This option is the same as the Rename/Query option described above except that Command AntiVirus automatically renames an infected file.
This menu item displays a window from which you can select the search criteria for Command AntiVirus. Use the space bar to toggle a YES or NO option.
TARGET SELECTION
Type of File . . Boot Sector Viruses YES NO File Viruses, Including Trojan and Joke Programs YES NO Packed Files YES NO User-defined Strings YES NO
Select this option to choose which files to search.
Standard Executables
Select this to have Command AntiVirus search files that end in .APP, .COM, .EXE, .OV?, .PGM and .SYS. Users may specify up to ten extensions to scan.
All Files
| Use this to search every file. This is not a recommended option for an inexperienced user. Searching all files on a disk will generate a lengthy report, some of which could be inaccurate. Use this if you are concerned that an improperly named file may contain a virus that could later be activated by renaming the file. |
User-Specified
Select this to specify a list of custom file name extensions to search. Simply move the highlight bar to an empty line and enter a three-character file name extension. DOS wildcards are acceptable.
| Keep in mind the fact that only an executable file will allow a virus to activate and infect other programs. Further information on virus terminology and behavior can be found in the Glossary. |
Packed Files
Select this to examine executable files that have been compressed with PKLite, Diet or similar programs.
When you Select "Configure" from the main menu, the options "Language" and "Setup" appear. These options provide language selection and virus list formatting.
Where available, this is for multiple language support in Command AntiVirus.
Select this option to sort the list of viruses Command AntiVirus scans for, by row or column. When sorted by row, viruses appear left to right in alphabetical order. This is the default.
Select this option to display a window that lists the most common viruses in the virus signature database. This screen helps you find out more about a specific virus, such as the type of damage it causes and how it spreads.
Virus Information Screen
To view information on a virus, simply move the highlight bar to the name of the virus and press [ENTER]. The up and down arrows and the page up and page down keys allow you to scroll through the virus list. You can also type the first few letters of the virus name. A second window provides specific information about the virus. Press [ESC] to close the information window.
The virus names shown in yellow designate the root of a family of viruses. Virus names in white are variants.
Select this option to display a menu from which you can add, delete or list your user-defined signatures. These options are useful when a new virus is discovered and you have not obtained a virus signature update.
| Be sure to set
"Targets to Scan" to check user-defined
strings. Should you choose "New Search Strings", Command AntiVirus will ask you a series of questions concerning the virus. These are: |
- What is the name of the virus?
- Does it infect .COM files?
- Does it infect .EXE files?
- Does it infect the boot sector?
- Search String: ?
You must provide a hexadecimal series of characters for the search string. Command AntiVirus will add this to a list and will use that information to detect the viruses denoted by the search string.
When you select "Program" from the main menu, another menu appears with the following options:
- Licensing Command AntiVirus
- Obtaining Updates
- Performance
- About the Program
Each provides specific information that may prove useful.
Select "Quit" to exit F-PROT.EXE. A prompt appears to let you save changes that you may have made to F-PROT.EXE's settings.
Setup information is stored by default in a file named SETUP.F2.
COMMAND LINE SWITCHES
| Switch | Description |
| /640 | Scan only the first 640K of memory. Some video drivers require this. |
| /ACCESS | Prevents the last access date from changing on a Novell file server. This maintains compatibility with archival software that relies on access dates. Additionally, Command AntiVirus will automatically skip compressed or migrated files. |
| /ALL | Search all files, not just executables. This approach may cause false positives and should be used with care. |
| /ANALYZE | Perform a heuristic analysis instead of a signature-based scan. This approach may cause false positives and should be used with care. |
| /APPEND | Append a new report to an existing one. Use this with the /REPORT switch. |
| /ARCHIVE | Search within .ZIP files. Note that PKUNZIP.EXE must be within a pathed directory. |
| /AUTO | Use with /DELETE or /DISINF switch so that Command AntiVirus will not prompt you before deleting or disinfecting a file. By default, /DELETE and /DISINF ask if the file should be affected. |
| /BEEP | Sound an alarm when a virus is found. |
| /BOOT [default] | Scan for MBR and boot sector viruses. |
| /DELETE | Delete all infected files instead of listing them. This is not recommended since some viruses encrypt portions of the drive. |
| /DISINF | Disinfect whenever possible. This option does delete some first-generation virus samples. A first-generation virus is the "starter" program that begins the infection process. It is very rare to encounter one. This option will never delete a file that can be disinfected. |
| /EXT= |
Specify additional file name extensions to scan. Separate each file name extension with a period (.). For example: /EXT=EXE.COM.PRG.DBL |
| /FILE [default] | Scan for file viruses. |
| /FREEZE | Halt the computer when a virus is found. |
| /HARD | Scan all the physical hard drives in the system. |
| /HELP or /? | Display a list of available options. |
| /LIST | Produce a list of all files checked, not just infected files. |
| /MONO | Forces monochrome screen mode. |
| /MULTI | Prompts for multiple diskettes to scan. |
| /NET | Scans all network drives. See "Restricting Users". |
| /NOBOOT | Do NOT scan for MBR and boot sector viruses. |
| /NOBREAK | Do NOT allow users to abort a scan with the [ESC] key. See Restricting Users". |
| /NODOC | Do NOT scan document files. |
| /NOFILE | Do NOT scan for file viruses. |
| /NOMEM | Do NOT scan memory. |
| /NOPACKED | Do NOT search inside packed files. |
| /NOSUB | Do NOT scan subdirectories. |
| /NOUSER [default] | Do NOT search for user-defined virus patterns. |
| /NOWRAP | Do NOT wrap text in reports. |
| /OLD | Do NOT display out-of-date messages. |
| /PACKED [default] | Scan inside packed files. |
| /PAGE | Pauses after every screen while displaying report. |
| /RENAME | Rename infected files. You may use this switch with /AUTO. |
| /REPORT | Sends the output to the specified file. |
| /SILENT | Generates no screen outpput at all. This is useful when running Command AntiVirus from a batch file where you will check for the return codes. |
| /TODAY | The date of the last scan is stored in an F-PROT.DAT file. If the next scan finds the same date, Command AntiVirus will not repeat the scan. |
| /USER | Search for user-defined virus patterns. This option should only be used if absolutely necessary, as it can result in a considerable speed decrease. |
F-PROT.EXE RETURN CODES
| Return Codes | Descriptions |
| 0 | Normal exit. No viruses found. |
| 1 | Abnormal termination-unrecoverable error. This is usually the result of a missing system file |
| 2 | Self test failed, Command AntiVirus has been modified. |
| 3 | A Boot/File virus infection has been found. |
| 4 | Virus signatures found in memory |
| 5 | Program terminated with ESC. |
| 6 | At least one virus was removed. This code is only meaningful when used to scan a single virus |
| 7 | Insufficient memory. Additional available RAM is required. |
| 8 | Invalid program files. Usually indicates corrupt files. |
| 90 | A macro virus has been found. This return code can combine with the other codes. For example, a 93 return code indicates that a Boot/File virus infection was found as well as a macro virus. |
