This chapter describes Command's F-PROT Professional menu options and command line parameters and menu options that can be used in the DOS environment. In an emergency, you can boot from Command's F-PROT Professional rescue disk or a Windows NT startup disk and use these tools.F-PROT.EXE and FIXDISK.EXE (described in Chapter 4) can be used to disinfect a hard drive. They are located on the installation diskettes of Command's F-PROT Professional for Windows NT and they are also on the rescue disk created during installation.
F-PROT.EXE can be run from DOS in both menu-driven and command-line modes. A list of the command line switches can be found in this chapter in the section on Command-Line Mode. In F-PROT.EXE Menu Options, you will find the selections that are available from Command's F-PROT Professional menus. If you simply type F-PROT rom a DOS prompt, you will begin the menu-driven version of Command's F-PROT Professional for DOS.
The following example shows how to run Command's F-PROT Professional from the command line. As concern over a virus is the main reason you would be running the DOS version of Command's F-PROT Professional for a Windows NT system, we suggest you run it from your floppy drive. Once you have booted with your write-protected rescue disk, be sure you are at the A: prompt, and type:
When Command's F-PROT Professional for DOS is run with /HARD, it scans the boot records and executable files on all local, logical drives. The /DISINF switch tells Command's F-PROT Professional to identify a virus and asks if you wish to disinfect it.F-PROT /HARD /DISINF [ENTER]
| You can run Command's F-PROT Professional from DOS only if your primary partition for Windows is FAT, not NTFS. |
Run F-PROT.EXE by typing the following from the DOS command line. Make sure you press the [ENTER]after each command.Each time you run F-PROT.EXE, it scans for viruses in memory. When the memory check is complete, the following menu with the items Scan, Configure, Viruses, Program and Quit appears.F-PROT
Main Menu Screen
You can select a command from the menu in one of two ways:
When you select Scan from the main menu, the scanning menu appears. From this menu, you can scan for viruses on both local and network drives. You can configure how Command's F-PROT Professional scans by selecting the other options that appear on this menu. Press [ESC] at anytime to abort a scan in progress.
Scan Menu Screen
The following sections discuss the commands and options available from this initial menu.
Select this item and press [ENTER] to begin scanning. The F10 key will also start this process.
Scan Method Screen
Method
When you choose this menu item and press [ENTER], a sub-menu appears from which you select the type of scan to perform. Two types of scanning are available and each offers advantages. Use the arrow keys to highlight the type of scan you wish to perform and press [ENTER]. Remember, the scan does not start until you select Begin Scan.
Secure scan
Secure Scan uses two different signatures when scanning for a virus and reports the variant of virus found. Secure Scan also checks for Trojan Horses and polymorphic viruses.
Heuristic scan
This method of scanning does not rely on specific virus signatures. It uses behavioral patterns as well as a set of rules to identify the type of code that viruses use. This is not a recommended option for inexperienced users as it can return false positives.
Search
This command displays a sub-menu that lists where Command's F-PROT Professional should search for viruses. You can select only one option at a time.
Hard Disk
Select this option to search your local hard disks. By default, Command's F-PROT Professional searches all logical and physical drives automatically.
Diskette Drive
Use this option to select a diskette drive for scanning. A sub-menu appears from which you can select the drive.
Network
Select this option to search all of your network drives.
User-specified
Select this option to specify the drive/path to search. This is particularly useful when you want to scan newly created directories after installing a new program.
| This command displays a window from which you can select the type of action to take when a virus is found. The default is Report Only. If you choose to disinfect a file, make sure you can run Command's F-PROT Professional after booting the system from a clean write-protected system diskette. Should a virus remain active in memory, it can interfere with the disinfection process. |
Scan Action Screen
Report Only
This option displays the results of the scan in a window. You can scroll through this window. This report can be sent to the printer or to a disk file.
Disinfect/Query
Select this option to have Command's F-PROT Professional prompt you before disinfecting a file. Command's F-PROT Professional is capable of disinfecting most non-overwriting viruses.
Automatic Disinfection
Select this to automatically disinfect a file when Command's F-PROT Professional finds a virus. No prompt appears with this option. There are some viruses that cannot be disinfected.
Delete / Query
Select this option to prompt you before deleting an infected file.
Automatic Deletion
Command's F-PROT Professional will delete infected files automatically with this option. This is not recommended as some viruses encrypt portions of the hard disk. The encrypted portions would be lost when the virus is removed.
Rename/Query
Select this option to prompt you before renaming an infected file. Infected files are then renamed using a V in place of the first letter of the original name, such as .VOT, .VOC, .VOM or .VXE. Use this if you wish to study the infected file or compare it to a clean backup copy. Files with these extensions are not executable and, therefore, pose no threat to your system.
Automatic Renaming
This option is the same as the Rename/Query option described above except that Command's F-PROT automatically renames an infected file.
Targets
This menu item displays a window from which you can select the search criteria for Command's F-PROT Professional. Use the space bar to toggle a YES or NO option.TARGET SELECTION
| Type of File | ||
| Boot Sector Viruses | YES | NO |
| File Viruses, Including Trojan and Joke Programs | YES | NO |
| Packed Files | YES | NO |
| User-defined Strings | YES | NO |
Files
Select this option to choose which files to search.
Standard Executables
Select this to have Command's F-PROT Professional search files that end in .APP, .COM, .EXE, .OV?, .PGM and .SYS. Users may specify up to ten extensions to scan.
All Files
Use this to search every file. This is not a recommended option for an inexperienced user. Searching all files on a disk will generate a lengthy report, some of which could be inaccurate. Use this if you are concerned that an improperly named file may contain a virus that could later be activated by renaming the file.
User-Specified
Select this to specify a list of custom filename extensions to search. Simply move the highlight bar to an empty line and enter a three-character filename extension. DOS wildcards are acceptable. Keep in mind that only executable files and documents that use macros can allow a virus to activate and infect other programs. Further information on virus terminology and behavior can be found in the Glossary.
Packed Files
Select this to examine executable files that have been compressed with PKLite, DIET or similar programs.
When you select Configure from the main menu, the options Language and Setup appear. These options provide language selection and virus list formatting.
Where available, this is for multiple language support in Command's F-PROT Professional.
Selecting this option will sort, by row or column, the list of viruses scanned by Command's F-PROT Professional. When sorted by row, viruses appear left-to-right in alphabetical order. This is the default setting.
When you select Viruses from the main menu, the options Information and New Viruses appear. Use these to view information about a specific virus or add a new signature.
Select this option to display a window that lists the most common viruses in the virus signature database. This screen helps you find out more about a specific virus, such as the type of damage it causes and how it spreads.
To view information on a virus, simply move the highlight bar to the name of the virus and press [ENTER]. The up and down arrows and the page up and page down keys allow you to scroll through the virus list. You can also type the first few letters of the virus name. A second window provides specific information about the virus. Press[ESC] to close the information window.The virus names shown in yellow designate the root of a family of viruses. Virus names in white are variants.
Select this option to display a menu from which you can add, delete or list your user-defined signatures. These options are useful when a new virus is discovered and you have not obtained a virus signature update.
| Be sure to set Targets to Scan to check user-defined strings. Should you choose New Search Strings, Command's F-PROT Professional will ask you a series of questions concerning the virus. These are: |
You must provide a hexadecimal series of characters for the search string. Command's F-PROT Professional will add this to a list and can use this information.
When you select Program from the main menu, another menu appears with the following options:
Each provides specific information that may prove useful.
Select Quit to exit F-PROT.EXE. A prompt appears to let you save changes. Setup information is stored, by default, in a file named SETUP.F2 .
Use command line switches when you wish to run Command's F-PROT Professional for DOS in a noninteractive mode. The order of the switches is not critical.COMMAND LINE SWITCHES
| Switch | Description |
| /640 | Scan only the first 640K of memory. Some video drivers require this. |
| /ACCESS | Prevents the last access date from changing on a Novell file server. This maintains compatibility with archival software that relies on access dates. Additionally, F-PROT will automatically skip compressed or migrated files. |
| /ALL | Search all files, not just executables. This approach may cause false positives and should be used with care. |
| /ANALYZE | Perform a heuristic analysis instead of a signature-based scan. This approach may cause false positives and should be used with care. |
| /APPEND | Append a new report to an existing one. Use this with the /REPORT switch. |
| /ARCHIVE | Search within .ZIP files. Note that PKUNZIP.EXE must be within a pathed directory. |
| /AUTO | Use with /DELETE or /DISINF seitch so that F-PROT will not prompt you before deleting or disinfecting a file. By default, /DELETE and /DISINF ask if the file should be affected. |
| /BEEP | Sound an alarm when a virus is found. |
| /BOOT [default] | Scan for MBR and boot sector viruses. |
| /DELETE | Delete all infected files instead of listing them. This is not recommended since some viruses encrypt portions of the drive. |
| /DISINF | Disinfect whenever possible. This option does delete some first-generation virus samples. A first-generation virus is the "starter" program that begins the infection process. It is very rare to encounter one. This option will never delete a file that can be disinfected. |
| /EXT= | Specify additional filename extensions to scan. Separate each filename extension with a period (.). For example:/EXT=EXE.COM.PRG.DBL |
| /FILE [default] | Scan for file viruses. |
| /FREEZE | Halt the computer when a virus is found. |
| /HARD | Scan all the physical hard drives in the system. |
| /HELP or /? | Display a list of available options. |
| /LIST | Produce a list of all files checked, not just infected files. |
| /MONO | Forces monochrome screen mode. |
| /MULTI | Prompts for multiple diskettes to scan. |
| /NET | Scans all network drives. |
| /NOBOOT | Do NOT scan for MBR and boot sector viruses. |
| /NOBREAK | Do NOT allow users to abort a scan with the [ESC] key. |
| /NODOC | Do NOT scan document files. |
| /NOFILE | Do NOT scan for file viruses. |
| /NOMEM | Do NOT scan memory. |
| /NOPACKED | Do NOT search inside packed files. |
| /NOSUB | Do NOT scan sub-directories. |
| /NOUSER [default] | Do NOT search for user-defined virus patterns. |
| /NOWRAP | Do NOT wrap text in reports. |
| /OLD | Do NOT display out-of-date messages. |
| /PACKED [default] | Scan inside packed files. |
| /PAGE | Pauses after every screen while displaying report. |
| /RENAME | Rename infected files. You may use this switch with/AUTO. |
| /REPORT | Sends the output to the specified file. |
| /SILENT | Generates no screen outpput at all. This is useful when running F-PROT from a batch file where you will check for the return codes. |
| /TODAY | The date of the last scan is stored in an F-PROT.DAT file. If the next scan finds the same date, F-PROT will not repeat the scan. |
| /USER | Search for user-defined virus patterns. This option should only be used if absolutely necessary, as it can result in a considerable speed decrease. |
For example, if you wanted to scan and disinfect the hard drive you would type the following:F-PROT /HARD /DISINF