
3. USING COMMAND ANTIVIRUS

Command AntiVirus for Windows NT provides a truly effective, easy and intuitive way to scan for viruses.

One of the many benefits of Windows NT is its powerful administration capabilities. Command AntiVirus for Windows NT provides administrators with the ability to create customized virus scanning tasks that can be modified only by someone with administrative rights. Users without administrative rights can create their own scan tasks to suit their particular needs.

In addition, Command AntiVirus for Windows NT includes the CSS AV Scheduler service that runs scheduled and inactivity scans in the background. With this feature, the user's work flow is not interrupted while Command AntiVirus' protection operates invisibly behind the scenes.


Main View

In the following pages, all of the items that are accessible from this screen are discussed. You will discover the many ways that you can execute, customize and schedule virus scans. If you prefer, you can accomplish most scan tasks directly from the toolbar. Similarly, executing one of the existing scans from the task list is as easy as highlighting and clicking the stoplight icon or the Execute Task button. We also have quick scan methods available, such as clicking the right mouse button on a file name or using our drag and drop capability for instant virus scans. And, of course, you can access any of the options by using the drop down menus and a mouse or simple keystrokes.

TASK LIST

The task list appears in the main window of the Command AntiVirus interface and shows the scan tasks which are currently available to protect your computer from viruses. The many ways that you can work with this list are described in the following pages. These include accessing tasks via a drop-down menu, a shortcut menu, buttons and a toolbar. Command AntiVirus for Windows NT comes with several pre-configured tasks that are available upon installation. Command AntiVirus includes the most commonly needed tasks, which are: Scan Drive A, Scan Drive B, Scan Hard Drives, Scan CD-ROM, and Scan Network Drives. By default, all tasks are set to "Report only" if a virus is found. Once you become familiar with Command AntiVirus, you may want to modify the properties of these tasks (modifying allows you to change the default setting to disinfect), set up a scheduled scan or create your own new tasks.

ABOUT THE TASK WINDOW

Command AntiVirus for Windows NT lets you control the visual display of available scanning tasks. This section covers the different ways of viewing the scan tasks. For instance, you can change the view by resizing the column headers, sorting the display order, and changing icon sizes and task names. You can also show a list or detail view of the available scanning tasks. Scans can be selected and either launched or modified from this window. To initiate a scan, highlight the task name and click the Execute button or simply double-click the task.


Task List in Details View

Controlling and Identifying Scans

In Command AntiVirus for Windows NT, two types of scans can be created. Scans created by someone with administrator rights are called Administrator Tasks and scans created by a user without administrator rights are called User Tasks. Note that a user with administrator rights may create either type of task. Having two kinds of tasks allows administrators to create system-wide scanning tasks that cannot be modified or renamed by users without administrator rights. A task created by an administrator is easily identified by the computer icon to the left of its name.

Individual users, those without administrator rights, can create their own tasks that are specific to their own needs. An individual user can scan another user's files only if those files allow read access. User tasks are identified by the icon showing the profile of a person's head.

Note: If multiple users create customized User tasks, those tasks are visible only to the user who is currently logged in. This is because they are stored in the user's profile directory.

Sizing the Columns

The column headers, which can be seen in Details view, can be resized by dragging the split bar to the left or right.

Sort Order of Scan Tasks

The order in which the task names are displayed can be changed by clicking on a column header. Clicking on the Last results header will group all scans that detected a virus. Clicking on the Next scan on header performs a sort based on the next scheduled scans.

Icon Size of Scan Tasks

Tasks can also be displayed in the task list as large icons with the name below them. Choosing Small Icons displays the task name alongside each icon. Select View from the Menu Bar or use the Toolbar buttons to switch between large and small icons.

Neither the large icon view nor the small icon view displays the column headers, but each maximizes the use of the area for visibility of tasks as shown below. Also, the results of the last scan and the next scheduled scan are not shown in either Large Icons or Small Icons view.


Large Icons View

List or Details View of Scan Tasks

Tasks can be listed or shown with details. Select View from the Menu Bar or use the toolbar buttons to switch between List and Details.

Select List to display the tasks using small icons and task names in a column. Column headers are not shown.

Details displays your task list using small icons, task names, results of the last scan (if a virus was found) and the time of the next scheduled scan. This is the only option that shows column headers.

Changing Task Names

If you have administrator rights, you can rename any of the tasks by highlighting, clicking once, pausing and clicking again, or by clicking the right mouse button and selecting Rename. This action opens a text box around the existing name so that you can then modify the task name. If you make an error while typing, simply press the escape key and the entry will revert to its original form. Task names must contain only those characters that are legal for Windows NT long file names. For example, a task name cannot contain a \ (backslash) character.

If you do not have administrator rights, you may change the name of tasks that you created (User Tasks), but not those that were created by an administrator.

OPERATION OPTIONS

There are many ways to open Command AntiVirus' main program (or the GUI as it is sometimes called). There is, of course, the standard way from the Start menu. You can also open Command AntiVirus by moving your mouse pointer over the yellow C icon (located in the tray at the bottom right of your screen) and then either double-clicking or clicking the right mouse button, then selecting Launch Command AntiVirus.

There are multiple ways to launch a Command AntiVirus scanning task or, for that matter, any of the other operation options. For example, if you like using the command buttons or the toolbar, they are available from the main screen. You can also point and click on one of the menu titles and use the pointer to select one of the available commands. In addition, a command can be accessed by pressing the ALT key plus the underlined letter for that command. To execute one of the existing scan tasks from the task list, just highlight the task name and click Execute, or double-click the task name.

For a quick scan of a specific file or folder, use either the right-click shortcut feature or the drag and drop feature. Both can be used with files on the desktop or in Explorer. For details, see the section in this chapter called Quick Scanning.

The task operations are covered in the Using the Task Menu section.


Main View with Shortcut Menu

COMMAND BUTTONS

You can use the command buttons on the right to Execute the highlighted task, modify the Properties of the highlighted task or add a New Task. These buttons also provide quick access to virus descriptions.

SHORTCUT MENU

You can quickly access a shortcut menu by clicking the right mouse button. This menu allows you to execute the task, create a new task, rename an existing task, modify the properties of the selected task or delete the task entirely.

MENU BAR

You can access the Task, View, Preferences and Help menus with the mouse or keyboard. They contain commands that let you perform any of the operations available for creating, modifying, deleting or executing tasks.

TOOLBAR BUTTONS

The toolbar, shown below, is accessed using a mouse. We have included buttons for creating, modifying, deleting and executing tasks. You can also get help and change the way your screen looks with the simple click of a button.

If you move the mouse cursor over any toolbar button you can see a "tool tip" that identifies the function of that particular button.

Help

Choosing this toolbar button changes your mouse pointer to an arrow with a question mark. Pointing and clicking on an object produces a help screen containing information relevant to the object you clicked.

QUICK SCANNING

Using the Shortcut Menu

Within Command AntiVirus for Windows NT, you can activate a shortcut menu that allows you to perform fast and efficient virus scans of selected folders or files. The files or folders to be scanned can be located in Windows NT's Explorer, on the desktop or within program groups.

To perform a scan from the shortcut menu, highlight one or more file names or folders that you wish to scan and click the right mouse button. A Windows NT shortcut menu containing the Command AntiVirus Scan option will appear. Select that option by using either a right or left mouse click. The scan will begin immediately.


Shortcut Menu Scan

The shortcut or right-click scan properties are based on the Command AntiVirus' default scan. Administrators, however, can create a custom scan task as follows:
  1. Select the New Task button and name the task R-Mouse. It is necessary to use this task name only. The name is not case sensitive, but you cannot include spaces.
  2. Select the desired Action to take from the available options.
  3. Anything entered in the Drive/paths to scan box will be ignored and the selected file(s) or folders are scanned instead. Options in the Files box can be modified as usual.
  4. When complete, simply right-click on the folder/file (either on the desktop or in Explorer) that you want scanned. The file created is named R-Mouse.FPT.
Customized right-click scanning is available only under NT 4.0 and above.

Using Drag and Drop

Another way to scan files quickly is to use the drag and drop feature in Command AntiVirus for Windows NT. To use this feature, you need to have the Command AntiVirus interface open on your desktop. From Explorer or the desktop, click on the object you want scanned and, while holding the mouse button down, drag the files or folders anywhere over the Command AntiVirus task window and then release the button. When the mouse button is released, the scan starts immediately and a report window appears when the scan is complete.

The drag and drop properties are based on the Command AntiVirus default scan. Thus, if a virus is found, you receive notification only. You must then scan the file with a task that allows disinfection or whatever action you use for viruses. Administrators, however, can create a custom task as follows:
  1. Select the New Task button and name the task DragDrop. It is necessary to use this task name only. The name is not case sensitive, but you cannot include spaces.
  2. Select the desired Action to take from the available options.
  3. Anything entered in the Drive/paths to scan box will be ignored and the selected file(s) are scanned instead. Options in the Files box can be modified as usual.
  4. When complete, click on the folder/file (either on the desktop or in Explorer) that you want scanned and drag it into the open Command AntiVirus window. The file created is named DragDrop.FPT.

SCANNING FROM THE COMMAND LINE

There are times when it is useful to run a scan directly from the command line. For example, command-line entries allow an administrator who is logging in remotely to immediately launch a scan.

Command AntiVirus for Windows NT utilizes CSS AV Scheduler (CSS-AVS.EXE) to run scheduled and inactivity scans in the background. CSS AV Scheduler can also be used to run scans manually. To use this feature, type the executable filename (CSS-AVS.EXE) and then add one or more of the available command-line parameters. They can be added in any order except for /FILE, /PATH and /TASK which must be placed last on the command line and are mutually exclusive. An example follows:

CSS-AVS /MEM /HARD /DISINF

The example shown above starts a scan that checks memory, scans all logical hard drives, and disinfects if a virus is found. If viruses are detected, they are logged into the Windows NT Event Viewer application log. We also have a log file named VIRUS.LOG that we create in the F-PROTNT directory.

COMMAND-LINE PARAMETERS FOR CSS AV SCHEDULER

Switch           Description
/DELETE          Delete all infected files instead of listing them. This is not recommended as some viruses encrypt portions of the drive.
/DENY            Deny access to files containing a virus.
/DIR             Scan subdirectories.
/DISINF          Disinfect whenever possible. This option does delete some first-generation virus samples. A first-generation virus is the "starter" program that begins the infection process. It is very rare to encounter one. This option will never delete a file that can be disinfected.
/FILE=filename   Scan for file viruses. This switch must be last on the command line.
/FLOPPY          Scan floppy drives.
/HARD            Scan all the physical hard drives in the system.
/INSTALL         Install the CSS AV Scheduler service into the Service Control Manager.
                 *This must be run from the directory to which the service was installed (by default, Winnt/System32).
/MEM             Scan memory.
/MBR             Scan for MBR and boot sector viruses.
/NET             Scan network drives.
/PATH=pathname   Scan the specific path for viruses. This switch must be last on the command line.
/QUAR            Quarantine files containing a virus.
/RENAME          Rename infected files.
/REPORT          Sends the output to the specified file.
/TASK=taskname   Runs a specific scanning task. For instance, "/TASK=c:\test.fpt /quar" runs the task called Test.fpt using the /QUAR switch. Note: you must include the .fpt extension in the task name. This switch must be last on the command line.
/UNINSTALL       Uninstall the CSS AV Scheduler service from the Service Control Manager.

If you use the /FILE=, the /PATH= or the /TASK= switch, please keep in mind that they are mutually exclusive and must be the last switch entered on the command line.

LOCATING SCAN RESULTS IN EVENT VIEWER

If Command AntiVirus finds a virus during a scheduled scan or in real time (using DVP), it logs the occurrence to the Windows NT Event Viewer. Viruses found by DVP are logged to Event Viewer's System log, and viruses found during scheduled scans are logged to the Application log. To locate the event:

  1. Open Windows NT's Event Viewer.
  2. For a virus reported by a scheduled scan, select Log and then choose Application. In the source column of the Event Log, look for CSS AV Scheduler.
  3. For a virus reported by DVP, select Log and then choose System. In the source column of the Event Log, look for CSS DVP.
  4. Double click on the event to view the Event Detail dialog box.


Event Detail Dialog Box

There are a number of easy ways to access NT's Event Viewer from Command AntiVirus. One way is by clicking on the Event Viewer button on the toolbar. Also, you can click the right mouse button on the yellow C icon at the bottom of the screen and select Launch Event Viewer. Finally, there is even a menu item available from the View menu called Event Viewer. So, to view Event Viewer, you never need to leave Command AntiVirus!

The Event Details dialog box provides specific information regarding detected viruses. For more information regarding Command AntiVirus Event Viewer messages, see the Appendix in this manual.

USING THE QUARANTINE FEATURE

The quarantine feature moves infected files to a separate folder so that they can be evaluated and disinfected or deleted at a later time. When a file is moved, it is renamed. This is necessary as there can be files with the same names residing in different folders. If so, they would overwrite each other when they were moved to the quarantine folder. The new name that is created is alpha-numeric, using up to 8 characters but minus an extension. When a file is moved to the quarantine folder, a corresponding entry is made to a log file named HISTORY.LOG.

During a standard installation, the quarantine directory is created on the root directory of the system drive, where Windows NT was installed. This folder is then used to hold infected files. If an administrator wants to change the location of the quarantine directory, this can be done by choosing Advanced from the Preferences menu. The quarantine option is available for files that are scanned using specific tasks (scheduled and manual) and for files scanned in real-time.

Entries in the quarantine file look like this:


Quarantine folder

If you use this feature, there are some important considerations of which you need to be aware:

  1. If the quarantine directory does not exist, Command AntiVirus will create it. If, for any reason, a quarantine directory cannot be created or if there is an error in moving the infected file (for example, if the hard disk is full), the Action on infection becomes Report only.
  2. If the scan setting for Action to take is Quarantine or Quarantine/Query you cannot use the Include quarantine directory selection located in the Command AntiVirus Properties dialog box.
  3. There are some items that you cannot quarantine. They are the MBR (Master Boot Record) and the boot sector. The action taken by Command AntiVirus in that case is Report only.
  4. If a floppy disk is write-protected and has an infected file, that file cannot be moved from the diskette. However, Command AntiVirus makes a copy of the file and places it in the quarantine directory.
  5. If a ZIP file with multiple infections is quarantined, the number of reported infected files and the number of quarantined files will not be the same. This is because the entire Zip file is quarantined.

The VIRUS.LOG File

In addition to being entered into Event Viewer, information on viruses detected by CSS AV Scheduler is also recorded in a special log file, VIRUS.LOG. That file contains details regarding viruses that were found during scheduled scans, inactivity scans or during the command line usage of CSS-AVS.EXE.

If you are running Command AntiVirus from your local machine, then VIRUS.LOG will be located in the directory containing Command AntiVirus program files. However, if your workstation is running Command AntiVirus from a network server, VIRUS.LOG will be located in the root directory of your computer. The contents of VIRUS.LOG can be viewed with most ASCII or DOS editors.

The HISTORY.LOG File

The HISTORY.LOG file is an ASCII text file located in the quarantine folder. You can open it with any text editor. Once a file is moved to the quarantine folder, you need either to disinfect or delete it. To do this, you need to check the HISTORY.LOG file so that you know where the file originated and what it was called before its name was changed. The HISTORY.LOG file is created when necessary. To clear the log file completely, delete it: it is recreated the next time files are quarantined.

The format of HISTORY.LOG is shown in the following screen:


History Log

The first column in the history log file describes what action was performed on the infected file. The second column shows the name of the computer that contained the infected file(s). The third column provides the name of the user who was logged onto the computer when Command AntiVirus detected the infection. If no one is logged in when the file is quarantined, the user name will contain "System." The fourth and fifth columns, respectively, display the date and time of day that the infection was found. The sixth column shows the name that was assigned to the infected file when it was moved to the quarantine folder. The next column contains the infected file's original name; that is, the name it had prior to its being moved to the quarantine folder. The last column displays a brief message generated by Command AntiVirus describing why the file was moved to the quarantine directory.

The HISTORY.LOG file provides all the information you need to locate infected files and return them to their original location after disinfection.

The HISTORY.LOG file is formatted this way so that you can easily import its contents into most of today's popular spreadsheet programs.
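
The eight columns described above are enough to turn HISTORY.LOG into a restore plan that maps each renamed file in the quarantine folder back to where it came from. The following is an added example, not code from Command AntiVirus or its vendor. The comma delimiter, the date and time layout, the sample log lines and the C:\QUARANTINE_DIR placeholder are assumptions, because the screenshot of the file is not reproduced on this page.

```python
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Column order taken from the manual's description of HISTORY.LOG.
FIELDS = ("action", "computer", "user", "date", "time",
          "quarantine_name", "original_name", "message")

# The manual says quarantine names are alphanumeric, up to 8 characters, no extension.
QUARANTINE_NAME = re.compile(r"[A-Za-z0-9]{1,8}")

# Constructed sample input (not real product output). The comma delimiter,
# the date/time layout and the action/message wording are assumptions.
SAMPLE_LOG = r"""Quarantined,WKSTN01,jsmith,03/14/1999,09:12:44,A1B2C3D4,C:\DOCS\REPORT.DOC,constructed sample message
Quarantined,WKSTN01,System,03/15/1999,02:00:10,E5F6G7H8,D:\SHARE\SETUP.EXE,constructed sample message
Quarantined,WKSTN01,jsmith,03/16/1999,10:30:00,I9J0K1L2,c:\docs\report.doc,constructed sample message
truncated line
Quarantined,WKSTN01,jsmith,03/16/1999,10:31:00,TOOLONGNAME.EXE,C:\TEMP\X.COM,constructed sample message
"""


@dataclass(frozen=True)
class QuarantineEntry:
    action: str
    computer: str
    user: str
    date: str
    time: str
    quarantine_name: str
    original_name: str
    message: str


def parse_history(text, delimiter=","):
    """Return (entries, rejected); rejected holds (line_number, reason) pairs."""
    entries, rejected = [], []
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    for row in reader:
        lineno = reader.line_num
        row = [cell.strip() for cell in row]
        if not any(row):
            continue  # blank line
        if len(row) != len(FIELDS):
            rejected.append((lineno, f"expected {len(FIELDS)} columns, got {len(row)}"))
            continue
        entry = QuarantineEntry(*row)
        if not QUARANTINE_NAME.fullmatch(entry.quarantine_name):
            rejected.append((lineno, "quarantine name is not 1-8 alphanumeric characters"))
            continue
        entries.append(entry)
    return entries, rejected


def restore_plan(entries, quarantine_dir):
    """Map each quarantined copy back to its original location.

    A step is flagged as a conflict when several quarantined copies came from
    the same original path (compared case-insensitively, as Windows does), so
    restoring all of them would overwrite one another.
    """
    def key(entry):
        return str(PureWindowsPath(entry.original_name)).lower()

    seen = Counter(key(e) for e in entries)
    return [
        {
            "source": str(PureWindowsPath(quarantine_dir) / e.quarantine_name),
            "destination": e.original_name,
            "logged_on_user": e.user,
            "conflict": seen[key(e)] > 1,
        }
        for e in entries
    ]


if __name__ == "__main__":
    # QUARANTINE_DIR is a placeholder; the manual does not give the folder name.
    parsed, bad = parse_history(SAMPLE_LOG)
    for step in restore_plan(parsed, r"C:\QUARANTINE_DIR"):
        print(step)
    for lineno, reason in bad:
        print(f"line {lineno} rejected: {reason}")
```

Steps flagged as conflicts need a manual decision about which disinfected copy goes back to the original location, and rejected lines should be checked by hand in the log rather than skipped.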

Disinfecting quarantined files

The best way to disinfect a quarantined file is to create a special task for that purpose. Here are the things to keep in mind:
  1. The new task must be an Administrator task.
  2. In the Properties dialog box the Allow scanning of quarantined files check box needs to be selected.
  3. Once the file has been disinfected, you need to restore the original name to the file and move it back to its original location. Consult the HISTORY.LOG section for details on this.
  4. A user, who does not have administrator rights, can use this task as long as it was created as an Administrator task and access to the quarantine directory is permitted.

If DVP is active, you will be stopped if you try to copy or move an infected file.

Setting the Action to take to Delete in Command AntiVirus erases infected files completely. If you simply delete files from the quarantine directory in Windows NT 4.0, they will go to the Recycle Bin and could still be available to reinfect. So, if you want to delete, it is better to use the Delete option in Command AntiVirus.

OTHER WAYS TO ACCESS COMMAND ANTIVIRUS

Once you become familiar with Command AntiVirus, you will enjoy using the different shortcuts that are built in. When you install the program you will notice that there is a yellow C icon (the F-AGENT icon) located in the tray at the bottom of your screen.


F-Agent icon

By double-clicking on this icon, you can open Command AntiVirus. You can also right click on the icon to open the small menu shown next.


F-Agent shortcut menu

As you can see, this menu lets you start Command AntiVirus, NT's Event Viewer, view or reset the statistics dialog box, and close F-Agent. To restart F-Agent without rebooting, go to the Start menu and select Programs then StartUp and choose F-AGENT NT.

If you close F-Agent, its icon will no longer be visible, inactivity scans will not work and DVP will not be able to display any user notification messages. However, scheduled scans (although you won't see the little clock running) and DVP continue to function.

Viewing Scanning Statistics

The Real-time and Scheduled Scan Statistics dialog box lets you see the results and the number of files scanned during scheduled scans and real-time (DVP) scans. Statistics for manual scans, scan tasks initiated directly from the Command AntiVirus window, do not show in this dialog box. Instead, they are recorded in the Scan Results window that appears when the scan completes.

If you would like to view scanning statistics, position your cursor over the F-Agent icon in the Windows NT task tray and click the right mouse button. When a shortcut menu appears, choose Get Statistics and the statistics box shown next will open.


Scan Statistics

While a scheduled scan is running, results are updated in the statistics box. If you have this box open, you can watch the number of files increment. Scan statistics accumulate until you reset them. All files that are accessed in real time and are in the Include list add to the number of files scanned. To reset the totals in the statistics box, click the right mouse button on the F-Agent icon in the task tray and choose Reset Statistics.

For real-time and scheduled scan statistics to function properly, Dynamic Virus Protection (DVP) must be enabled. Otherwise, when you view the statistics function, the counters do not change.

USING THE TASK MENU

The Task Menu offers the ability to Execute a pre-defined task, create a New task, Delete a task or Edit an existing task. Further, the Task menu provides access to Properties in order to review or modify an existing task or Exit from the program.

You can access the Task drop-down menu by either clicking on Task or by pressing ALT + T.

When a task starts, a Scan Results window like the one shown next appears. An indicator bar shows the scan's progress. When the scan completes, the Scan Results window provides details concerning the scan.


Scan Results View

EXECUTING SCANS

You select a task by first clicking and highlighting it. The task begins when you choose the Execute command. You can also execute a task by simply double-clicking on a task name in the task list or by highlighting the task and clicking on the stoplight icon in the toolbar.

Use the vertical scroll bar on the right side of the Command AntiVirus Report Window to view the entire report. You can use the File menu to save a copy of the report, print the report or send a copy of it through your e-mail system. You can use the Edit menu to copy the report to the clipboard for pasting into another document.

If a virus is found during the scan and the Action to take setting is Report only, the Attention message box, shown next, will alert you. Press OK to continue so you can manually disinfect.


Virus Found

The default setting for Action to take in Command AntiVirus is Report only. To prompt for disinfection, change the Action to take setting to Disinfect or Disinfect/Query and allow Command AntiVirus to disinfect the virus.

CREATING NEW TASKS

Selecting the New command from the Task menu allows you to create a new custom task. This can also be accomplished by selecting the New Task button on the main screen. A small dialog box appears and you must provide the name for your new task. If you are an administrator, the dialog box for selecting the type of task (User or Administrator) appears. Next, the Properties menu opens with the default settings in place. You can either accept them or establish your own task parameters. See the following section Scanning Properties for details.

As an alternative to choosing New from the Task menu, you can choose the New button from the toolbar. The New button provides a shortcut to creating a new custom task.

DELETING TASKS

Selecting the Delete command from the Task menu allows you to remove a predefined task. Tasks can also be deleted by selecting the task and then either clicking the right mouse button and choosing Delete or pressing the Delete key on your keyboard.

EDITING TASKS

The Edit option allows you to Cut, Copy or Paste a task. For example, if you highlight Scan Hard Drives, select Copy and click on Paste, it will create a new task entitled Copy of Scan Hard Drives. You can then rename it or change the properties.

Instead of choosing the Cut command from the Edit menu, you can use the Cut button located on the toolbar. That button allows you to delete a task and save it to the clipboard. From the clipboard, a subsequent Paste will return it to the task list.
As an alternative to using the Copy function on the Edit menu, you can choose the Copy button from the toolbar. The Copy button allows you to create a copy of the task in the clipboard. A subsequent Paste adds it to the task list.
You can use the Paste button from the toolbar as an alternative to choosing the Paste command on the Edit menu. This button allows you to place a task in the task list. After a task has been either cut or copied, it can be pasted to that list. The name of the task will start with the phrase "Copy of". You can then modify and rename the task using the other available options.

If you do not have administrator rights, you cannot cut an Administrator Task. However, the Copy and Paste process yields a slightly different result. If you have administrator rights and you use copy and paste on an Administrator Task, the task will remain an Administrator Task. On the other hand, if you have user rights when you copy and paste an Administrator Task, it is converted to a User Task. It is then subject to the same restrictions that are associated with the assigned permissions.