

The Properties dialog box allows you to modify an existing task and to configure a new task. In this dialog box you can select the Action to take, Drive/paths to scan, Files to scan and Schedule when the scan will take place. There are a number of ways to access the Properties dialog box. One way is from the Task menu. A quicker way is to select an existing task from the task list, and then either click on the Properties button located on the main menu or click the right mouse button and, then, click Properties.

In addition to choosing the Properties command from the Task menu, you can also use that command by selecting a task and, then, clicking on the Properties button in the toolbar.

Properties Dialog Box

Scan method

Secure scan

This is the default scanning method that searches for thousands of viruses and variants.

Action to take on infection

Click on the Action to take drop-down menu to see a list of the available methods for dealing with viruses. The choices contained in this list let you select how you want Command AntiVirus for Windows NT to react if a virus is found.

Report only

This informs you when a virus is detected; however, no other action will be taken. You may choose Report only in order to verify the type of virus before disinfection.

This is the default setting for all new scans and for all of the preset scans provided by Command AntiVirus. You will probably want to change this setting after becoming more acquainted with the software.

Disinfecting files automatically causes the least disruption to the user. If disinfection is not possible, Command AntiVirus asks if you wish to delete the file.


The Disinfect/Query option identifies a virus and asks if you wish to disinfect it.

This automatically deletes any file found to contain a virus.

With Delete, the potential exists for data loss. Some rare viruses are able to perform encryption on the hard drive, making file recovery difficult.


Choosing Delete/Query identifies a virus and asks if you wish to delete the infected file.


Selecting Rename automatically provides a new name for an infected file by putting a "V" in place of the first letter of the extension. For example, .COM becomes .VOM and .EXE becomes .VXE.


This identifies a virus-infected file and asks if you want to rename it. If you choose Yes, it renames the file as previously described. If you choose No, you then either need to disinfect or delete the file.


The Quarantine option places an infected file in an isolated directory where it cannot spread. This is helpful for examination or disinfection by the administrator at a later time.


The Quarantine/Query option prompts you before quarantining a file.

The Quarantine and Quarantine/Query options are available only to Administrators.

Query is not available in scheduled or inactivity scans, as these scans usually need to occur unattended. Thus, if the Action to take for a scan task was set to Disinfect/Query, the action would change to Disinfect; Quarantine/Query would change to Quarantine and so on. A warning message displays to remind you of this.

Remove all macros if a variant is found

If this option is selected, all macros are removed from any file containing a new or modified variant of a macro virus. If this option is not selected and the Action to take is Disinfect or Disinfect/Query, files are renamed if they contain remnants or are variants of macro viruses.

This option is available only when the Action to take is Disinfect or Disinfect/Query.

Selecting Drives/paths to scan

You can provide a specific drive or a UNC (Universal Naming Convention) path to scan. For example, you could establish a task that would perform a scheduled scan on the directory used to store files that are downloaded from other computers.


The browse button opens a dialog box allowing you to select the folder you wish to scan.

Include sub-folders

When you enter a path in the Drive/Paths To Scan text field, this option is activated. If enabled, it searches all sub-folders below the path specified.

Select all floppy drives

This searches all floppy drives.

Select all hard drives

This searches all logical hard drives on the local workstation, including compressed drives.

Select all network drives

This searches all network drives to which you have access rights and to which you have been mapped. This is not available for scheduled or inactivity scans.

Select all drives

This searches every drive where you have access rights. This option is not available for scheduled or inactivity scans.

Files to scan

The available options for the types of files to scan are described below. The recommended choice is Standard executables. You can select All Files instead, but the two options are mutually exclusive. The compressed file options may be checked individually depending on your needs. Choose the documents option only if you have Microsoft Word 6.0 or later.

Standard executables

These are the files that would normally be attacked by a virus. Command AntiVirus ships ready to scan the following file extensions: .APP, .BIN, .COM, .DLL, .DO?, .EXE, .OV?, .PGM, .SYS, and .XL?. You may enter up to 20 filename extensions through the Preferences Files to Include/Exclude dialog box.

All files

This will scan all files. We do not recommend this option as it increases the probability of getting a false positive from a random string of characters in an otherwise harmless data file. Further, All Files takes much longer than the other scanning options and is unlikely to find additional viruses.

However, this option should be used if you want to scan documents that do not have a filename extension or to scan files with extensions longer than 3 characters.

Packed files

These are executable programs that have been compressed with PKLITE, DIET or similar programs.

ZIP files

These are files that have been archived using PKWare's ZIP compression utility.

Documents (.DOC)

This checks for macro viruses that can infect Microsoft Word documents and templates. Enabling this option also causes Command AntiVirus to check for macro viruses that could infect Microsoft Excel worksheets and templates.

Boot Sectors

Many common viruses infect the boot sectors and master boot records of hard drives. Checking this option results in the scanning of those areas.

User-defined Virus Strings

On rare occasions, a new virus spreads before we can release an update to Command AntiVirus. You can enter a string of characters, in hexadecimal, that provides your current version with the ability to detect the new virus. In general, it is best to select this option only when instructed by Technical Support. It is rare to have to enter a virus definition string. For more information, see the Using the Preferences Menu section.

Allow scanning of quarantined files

Selecting this option allows an administrator to scan the quarantine directory. If the option is not selected, the quarantine directory will not be scanned, even if the quarantine directory is in the path. A quarantine directory exists only if the Action to take selection in Command AntiVirus or DVP is set to Quarantine. Generally, suspect and infected files are placed in the quarantine directory to allow the administrator the opportunity to examine and disinfect them without disrupting the workflow of users. During a standard installation, the quarantine directory is created on the root directory of the system drive, where Windows NT was installed.

This option is available only if you have administrator rights.

If the Action to take is Quarantine then Allow scanning of quarantined files is unavailable since you cannot quarantine files that are already in the quarantine directory.

Using the Schedule option

Scheduled execution of a selected task can be a very useful anti-virus tool. Administrators can create scheduled scans that are installed on each user's computer. Scheduling a daily scan guarantees that a user's workstation is consistently checked for viruses. Additionally, scheduled scans will run as long as the computer is on, even if no one is logged onto the computer.

After you have defined a scan, you can select the Schedule button to assign a time for the scan to occur.

Command AntiVirus for Windows NT does not need to be opened for a scheduled scan to occur. Administrator-defined scheduled scans will take place even when no one is logged onto the machine. When a scheduled scan begins, a small clock with moving hands appears over the F-Agent icon in the tray. If the computer is not on when a scan is scheduled to run, the scan is skipped.

Scheduling is controlled by a service named CSS AV Scheduler (CSS-AVS.EXE) that runs in the background and is activated on startup. It is necessary to have both this service and the kernel-mode driver (DVP) started for scheduled scans to occur.

Schedule Menu

Enable scheduling

Checking this box turns on scheduled scanning. If the box is not checked, scheduled scanning will not occur.

Activity performed by CSS AV Scheduler can be seen in the Windows NT Event Viewer. The Event Viewer is located in the Windows NT start menu inside the Programs/Administrative Tools (Common) program group. You may also view the Event Viewer from the View menu of Command AntiVirus or by right-clicking on the F-Agent icon.

The Windows NT Event Log may become filled if Command AntiVirus encounters a large number of infected files. If that happens frequently, you might consider increasing the Maximum Log File size in Windows NT's Event Viewer. Consult your Microsoft Windows NT manual for further information.

Choosing Scheduled Scan frequency

After enabling scheduled scans, you need to select how often a scheduled scan should occur. You may select only one option. Once this is completed, enter the time you want the scan to occur using a 24-hour format. Optionally, you can have the scan occur after a specified period of inactivity. If the computer is not on when a scan is scheduled to occur, the scan will be skipped.

If the inactivity scan time is too short, you could run into a perpetual scan situation.

Select the Daily option if you want a scan to take place each day.


When you select the Weekly option, you can then select the day or days on which you want a scan to occur.


If you select the Monthly option, you then have access to the drop-down dialog box that allows you to select the day of the month you want the scan to occur.

Time to scan

Specify time of day in 24-hour format with "00:00" indicating midnight. For instance, if you want to scan at 1:30 p.m., enter 13:30. Scheduled scans are skipped if the computer is not on during the time you have entered for the scan. If you would like to schedule an immediate scheduled scan for testing purposes, the scan should be scheduled at least five minutes ahead of the current time.

Scan after inactivity

You can choose to scan after a specified period of keyboard or mouse inactivity. A user must be logged in and F-Agent needs to be running for this scan to occur.

Stopping a scheduled scan

If a scheduled scan is running and you want to stop it, follow these steps:

  1. Open the Control Panel.
  2. Click on Services.
  3. Highlight CSS Scheduler.
  4. Click on STOP.

To start the service so that scheduled scans are active again, repeat the above procedure but, in step 4, click on START. To stop a scheduled scan, you must have administrator rights.


This is a standard Windows NT menu that allows you to change the way you view the tasks shown in the task list. The available options are described briefly. Further information can be found in your Microsoft Windows NT manual.

View Menu


The tasks are displayed in the task list as large icons with the task name located beneath each icon.

In addition to choosing the Large Icons command from the View menu, you can also access this command by selecting this button from the toolbar.


The tasks are displayed in the task list as several columns of small icons with the task name alongside each icon.

As an alternative to using the Small Icons command in the View menu, you can access that command by selecting this button from the toolbar.


The tasks are displayed in the task list as a single column of small icons with the task name alongside each icon.

In addition to using the List item on the View menu, you can also access it by selecting this List button from the toolbar.


The tasks are displayed in the task list as a single column of small icons with the name alongside each icon. Two additional columns also appear for each task: one for the results of the last scan and another showing the time of the next scheduled scan.

Selecting the Details button from the toolbar will display the task list as small icons with scan result and scheduled scan information next to it. The Details menu command can also be accessed by choosing it directly from the View menu.


Selecting the Refresh command updates the task window to reflect the Command AntiVirus task information stored on the disk. This is useful when copying task files from the network.


This menu item provides convenient access to Windows NT's Event Viewer.

You can also gain access to Event Viewer from a button (shown here) on the toolbar. For more information on Event Viewer, please see the section called Locating Scan Results in Event Viewer.


The Preferences menu is one of the key areas for customizing Command AntiVirus. You can access this menu either by highlighting and clicking on the menu title or by pressing ALT + P. Each menu option is explained in the following pages.

Preferences Menu

Through the Network menu command, you are able to set up messaging via your e-mail system and central event logging if you are running Command AntiVirus for NetWare.

The Reporting selection allows you to decide on available options for virus notification.

Active Protection opens a dialog box where you can enable, disable or configure real-time protection. From this dialog box, you can change the areas of memory that are scanned when the operating system is loaded.

There is also a menu command for Files to Include/Exclude that can be very helpful for specific scans.

Should you ever need to add User-Defined Virus Strings, the dialog box for that purpose is accessed from the Preferences Menu.

The Advanced selection allows you to set a directory into which viruses can be quarantined as well as modify service account information. This selection is available only if you have administrator rights.

All of the above-mentioned features are described in detail in the following sections.


The Network options allow you to set up messaging to your network. If you are running NetWare, there is a special section for configuring scan options that are designed to work with Command AntiVirus for NetWare (CSAV).

Network Dialog Box


When the NetWare tab is selected, a dialog box appears that allows you to configure the following items.

This option is not visible if F-NET.EXE is not running. F-NET.EXE allows the workstation to communicate to a server that is running Command AntiVirus for NetWare and record any virus incidents to the Command AntiVirus log. F-NET.EXE also preserves the last access date and allows compressed and migrated files to be skipped during a network scan.

F-NET is installed to the F-PROT directory only if a modification is made to the SETUP.INI file prior to installation. Details on modifying SETUP.INI can be found in the Network Administration chapter. If you are not running NetWare or Command AntiVirus for NetWare, it is not necessary or advisable to have F-NET.EXE.

Preserve last access date

Checking this box prevents modification of the last access date on the file. Many archive systems reference the last access date to determine if the file is eligible for archiving. If this option is disabled, the last access date will be updated to show the last time Command AntiVirus scanned the file. Use this option with caution as disabling it could prevent archival software from functioning properly.

Skip compressed files

Compressed files are files that have not been accessed for a period of time, perhaps weeks or months. If the file was compressed after an initial scan with Command AntiVirus, it is unlikely that it contains a virus. You can shorten scan times by checking this box. We advise that you check compressed files once when Command AntiVirus is first installed and then again with every major scan update.

Skip migrated files

As migrated files are not in use (by definition), you can shorten scan times by checking this box. Migrated files should be scanned once when Command AntiVirus is first installed and again before using them.

Log infection

If you are running Command AntiVirus for NetWare (CSAV), you can select this box. CSAV maintains a log file on each server. From within this box, choose a valid server name from the drop-down list box. Afterward, if a virus is discovered, it is added to that server's Command AntiVirus log file. Use a text editor or the View option in Command AntiVirus Administrator to view the log.


The Messaging dialog box allows you to modify the message shown to users when a virus is encountered.

Messaging Dialog Box

Message to display

You can enter a text message of your choice up to 80 characters in length. This is very useful for Network administrators and can include phone numbers or other helpful messages.


This area controls notification using your existing MAPI e-mail system. MAPI support includes Microsoft Mail, Microsoft Exchange, and Eudora Pro among others.


Choose Addresses to select who receives the messages.

Mail report

Check this box to have a virus report mailed to the person(s) selected in Addresses.

Mail infected files

Check this box to have the infected file mailed to the address(es) selected in Addresses.


The Reporting screen controls how the scan results for a manual scan are displayed for reporting purposes. It also allows you to choose an audible warning.

Reporting Menu

Beep When A Virus Is Found

If this item is selected, the PC speaker emits a short beep when a virus is found during any scan.

List All Files Scanned

You may wish to avoid lengthy reports by not selecting this box. However, this provides the ability to verify that the appropriate files are being scanned.

Wrap Text In Report Window

It may be easier to read short reports if you select this option. In longer reports, you may find it easier to find individual file listings without wrapping the text.


This section details how to configure real-time virus protection as provided by DVP for Windows NT. DVP actually consists of three kernel-mode drivers. One driver is CSS-REC.SYS, the "CSS Recognizer" for file systems and media changes. Another driver is CSS-FLTR.SYS, the CSS Filter. This component filters events such as opens, closes, and renames that Command AntiVirus needs to check. A third driver, CSS-DVP.SYS, contains the actual real-time anti-virus protection scan engine.

You can verify that these drivers are running by opening NT's Control Panel and choosing Devices. However, DO NOT try to disable DVP this way. If you want to disable DVP, open the Active Protection dialog box (shown below) and clear the check box that says Enable DVP. If DVP is disabled, real-time and scheduled scanning will no longer function. Also note that regardless of your user rights, you may not stop either CSS-REC.SYS or CSS-FLTR.SYS.

If DVP is disabled through Devices, you cannot perform scheduled scans, and manual scans will produce an error that says "Command AntiVirus is unable to read the boot sector".

Dynamic Virus Protection

This dialog box allows modification of the Dynamic Virus Protection (DVP) program. DVP provides real-time protection against viruses by scanning the boot sector every time a floppy is read. Further, DVP's real-time protection can be configured to scan qualifying files as they are opened, closed, renamed, copied or deleted.

Active Protection Menu

Enable DVP

This box must be selected for real-time protection to work. If selected, DVP automatically scans floppy drives, CD-ROMS, local hard drives and/or network drives when files are accessed. This is highly recommended for the security of your system.

What to scan

If you have enabled DVP, you can then determine which drives are scanned by selecting any of the choices listed.

Action on infection

You may select any one of the options listed below. Some networks may not allow certain actions. If this should be the case, then a notification will be sent indicating the constraint.

Report only

This informs you when a virus is detected; however, no other action is taken other than to deny access to the file. Choose the Report Only option if you want to verify the type of virus before disinfection.


This automatically deletes virus-infected files.

While this is a powerful option, the potential exists for data loss. Some rare viruses perform encryption on the hard drive making file recovery difficult.

The Rename option gives a new name to virus-infected files. It changes the file name extensions to a non-executable form.


This automatically disinfects virus-infected files. Please note the caution for Delete.


This moves an infected file to a separate directory so that the files may be disinfected and/or evaluated at a later time. If, for some reason, the Quarantine directory does not have enough room to store the infected file, the file will not be moved into that directory. Instead, the file will only be reported by Command AntiVirus.

Remove all macros if variant is found

If this option is selected, all macros are removed from any file containing a new or modified variant of a macro virus. If this option is not selected and the Action to take is Disinfect, files that contain remnants or are variants of macro infections are renamed. This option is available only when the selected Action to take is Disinfect.

Memory Scanning

We recommend scanning memory whenever you boot your system. Some systems have video problems when Upper Memory Blocks or High Memory is scanned. So, we provide various scan options. Memory scanning can be disabled, but this is not recommended.

Memory Scanning Menu

Complete 1MB memory scan + High Memory Area

Choosing this option provides the most comprehensive memory scan and includes the first 64 KB above 1 MB. Some viruses take advantage of this area and, if you scan only the first 640 KB or 1 MB, you run the risk of infection. Command AntiVirus has this option selected by default. If you experience lockups, try the Complete 1MB memory scan option.

Complete 1MB memory scan

Choosing this option provides a thorough scan of the first 1MB of memory, which includes the video area above 640KB. If you experience lockups, use the 640KB + High Memory option.

Scan first 640KB + High Memory Area

This option scans conventional memory plus the High Memory Area, which is the first 64KB above 1MB. This avoids scanning areas that may have conflicts with some high-resolution video drivers and some Micro Channel network cards.

Scan first 640KB

This option scans only conventional memory.

Skip memory scan

This is the fastest way to boot. Remember, this could allow a virus to remain active in memory if you have disabled some of the other detection features.


These two dialog boxes allow you to add or delete file extensions that you want scanned (included) or specific files that you do not want scanned (excluded). Extensions entered here apply to all scanning tasks.

Files to Include

If you want to add a specific file type to your scans, type the three-letter extension in the New extension text field and select Add. To remove a particular file type from your scans, locate the three-letter extension in the Filename Extensions list box. Highlight the extension you want to remove and then select Delete.

File Extensions Menu

Files to Exclude

To exclude a specific file from a scan, use the Browse button to locate the file or type its full name and extension in the New exclusion text field and then choose Add. To remove a file, highlight it in the Filenames list box and select Delete.

Files to Exclude Menu

The exclusion ability is helpful when you want to scan files with the same extension but you wish to exclude one or more specific files.

Wildcards are not accepted. If only an extension is entered in the New Exclusion text field and that extension is also in the Files to Include list, then files of that type will be scanned. To prevent all files of a specific type (all .DOC files for example) from being scanned, you must remove that extension from the Files to Include list.
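The selection rules from the Files to scan and Files to Include/Exclude sections can be modelled to audit which files a Standard executables task would leave unscanned. This is an added example, not code from Command AntiVirus: the function names, the sample listing, the '.DOC' notation for an extension-only exclusion, matching exclusions on file name, and applying exclusions under All files are assumptions, and the Packed, ZIP, Documents and Boot Sectors options are not modelled.

```python
import fnmatch
import ntpath

# Default "Standard executables" extensions from the manual; '?' is any one character.
STANDARD_EXTENSIONS = ["APP", "BIN", "COM", "DLL", "DO?", "EXE", "OV?", "PGM", "SYS", "XL?"]
MAX_EXTENSIONS = 20  # limit the manual gives for the include list
MAX_EXT_LEN = 3      # include entries are three-letter extensions


def extension_of(path):
    """Upper-cased extension without the dot, or '' when the name has none."""
    return ntpath.splitext(ntpath.basename(path))[1].lstrip(".").upper()


def check_include_list(extensions):
    """Normalise an include list and enforce the limits stated in the manual."""
    cleaned = [e.lstrip(".").upper() for e in extensions]
    if len(cleaned) > MAX_EXTENSIONS:
        raise ValueError("more than 20 filename extensions")
    for ext in cleaned:
        if not 1 <= len(ext) <= MAX_EXT_LEN:
            raise ValueError(f"extension {ext!r} must be 1 to 3 characters")
    return cleaned


def check_exclusions(entries):
    """Split exclusion entries into usable file names and warnings.
    Extension-only entries are assumed to be written like '.DOC'."""
    names, warnings = set(), []
    for entry in entries:
        if "*" in entry or "?" in entry:
            warnings.append(f"{entry}: wildcards are not accepted")
        elif entry.startswith(".") and "." not in entry[1:]:
            warnings.append(f"{entry}: extension only, edit Files to Include instead")
        else:
            names.add(ntpath.basename(entry).upper())
    return names, warnings


def classify(path, include, excluded_names=frozenset(), all_files=False):
    """Return (scanned, reason) for one path under the rules described above."""
    if ntpath.basename(path).upper() in excluded_names:
        return False, "excluded by name"
    if all_files:
        return True, "All files"
    ext = extension_of(path)
    if not ext:
        return False, "no extension"
    if len(ext) > MAX_EXT_LEN:
        return False, "extension longer than 3 characters"
    if any(fnmatch.fnmatchcase(ext, pattern) for pattern in include):
        return True, "extension on include list"
    return False, "extension not on include list"


def coverage_gaps(paths, include, exclusions=(), all_files=False):
    """List (path, reason) for every file the task would skip, plus warnings."""
    include = check_include_list(include)
    names, warnings = check_exclusions(exclusions)
    gaps = []
    for path in paths:
        scanned, reason = classify(path, include, names, all_files)
        if not scanned:
            gaps.append((path, reason))
    return gaps, warnings


# Constructed sample listing of a download directory (not from the manual).
SAMPLE_PATHS = [
    r"D:\INCOMING\SETUP.EXE",
    r"D:\INCOMING\REPORT.DOC",
    r"D:\INCOMING\NOTES.DOCX",
    r"D:\INCOMING\README",
    r"D:\INCOMING\DATA.TXT",
    r"D:\INCOMING\TEMPLATE.DOT",
]

if __name__ == "__main__":
    found, notes = coverage_gaps(SAMPLE_PATHS, STANDARD_EXTENSIONS,
                                 [".DOC", "TEMPLATE.DOT", "*.XLS"])
    for line in [f"not scanned: {p} ({r})" for p, r in found] + notes:
        print(line)
```

In the sample run, REPORT.DOC is still scanned despite the '.DOC' exclusion entry, while NOTES.DOCX and README are reached only when All files is selected.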


This dialog box allows you to add, change or delete specific search strings that will become a part of the search criteria during a scan. In general, it is best to enter information in this dialog box only when instructed by Technical Support.

This option is useful when a new virus warning is posted and you have not yet had time to obtain a virus signature update. Should you ever need to use a user-defined search string, be sure you have a check in the User-Defined virus strings check box located in the Properties window.

When Command AntiVirus locates a file containing a user-defined virus string, it reports that the search string was found: it does not report that the file is infected. Other than notifying the user, no action will be taken on the file.

User-defined virus strings are not supported by either DVP or in scheduled scans.

User-Defined Virus Strings Dialog Box

The example shown above demonstrates how this capability could be used to detect a macro virus.

If you select the Add button, a dialog box opens so that you can enter the name of the virus, the virus string and the type of file that it infects. The options available in the Infects section allow you to select COM files, EXE files and Boot Sectors. Multipartite viruses could infect all three types of files.


The Advanced menu contains two tabbed pages. One of those pages, the Advanced Options, allows you to choose a quarantine folder to which infected files will be sent. The other tabbed page, Service Account, allows for the modification of service accounts.

Advanced Options Tabbed Page

Choosing the Advanced Options page prompts you for a path to the quarantine folder. By default, Command AntiVirus for Windows NT creates a quarantine folder off the root directory. In the Advanced Options page, entering a path to a different quarantine folder routes infected files to that folder rather than to the default folder. You must have Administrator rights to use this feature.

Service Account Tabbed Page

The Service Account page provides an administrator the ability to modify an existing account that is used as the service account for scanning network drives. This is the account that would have been set up or specified during installation. One of the modifications that can be made here is the changing of a password.

This dialog box is not used for creating a service account. It merely provides information that Command AntiVirus uses to reference the service account.


General help for Command AntiVirus for Windows NT can be found on this menu.

Help Menu


The Index is an alphabetical list of help topics.


This gives basic instructions for effectively using the help system.


This provides phone numbers and electronic methods to obtain technical support.


This provides information regarding the number of viruses detected by Command AntiVirus for Windows NT.


The Virus Information screen provides detailed information on several hundred common virus families and variants.


The product version number/scan engine version and copyright information can be found by selecting this menu item or by clicking the question mark button on the toolbar.