(This chapter is split into two pages for easier viewing. Click here for part 2 of "Using Command's F-PROT".)
Command's F-PROT Professional for Windows NT provides a truly effective, easy and intuitive way to scan for viruses.
One of the many benefits of Windows NT is its powerful administration capabilities. Command's F-PROT Professional for Windows NT provides administrators with the ability to create customized virus scanning tasks that can be modified only by someone with administrative rights. Users without administrative rights can create their own scan tasks to suit their particular needs.
In addition, Command's F-PROT Professional for Windows NT includes the CSS AV Scheduler service that runs scheduled and inactivity scans in the background. With this feature, the user's work flow is not interrupted while Command's F-PROT Professional's anti-virus protection operates invisibly behind the scenes.
In the following pages, all of the items that are accessible from this screen are discussed. You will discover the many ways that you can execute, customize and schedule virus scans. If you prefer, you can accomplish most scan tasks directly from the toolbar. Similarly, executing one of the existing scans from the task list is as easy as highlighting and clicking the stoplight icon or the Execute Task button. We also have quick scan methods available, such as clicking the right mouse button on a file name or using our drag and drop capability for instant virus scans. And, of course, you can access any of the options by using the drop down menus and a mouse or simple keystrokes.
The task list appears in the main window of Command's F-PROT Professional interface and shows the scan tasks which are currently available to protect your computer from viruses. The many ways that you can work with this list are described in the following pages. These include accessing tasks via a drop-down menu, a shortcut menu, buttons and a toolbar. Command's F-PROT Professional for Windows NT comes with several pre-configured tasks that are available upon installation. Command's F-PROT includes the most commonly needed tasks, which are: Scan Drive A, Scan Drive B, Scan Hard Drives, Scan CD-ROM, and Scan Network Drives. By default, all tasks are set to "Report only" if a virus is found. Once you become familiar with Command's F-PROT Professional, you may want to modify the properties of these tasks (modifying allows you to change the default setting to disinfect), set up a scheduled scan or create your own new tasks.
Command's F-PROT Professional for Windows NT lets you control the visual display of available scanning tasks. This section covers the different ways of viewing the scan tasks by sizing the column headers, sorting the display order, icon size, list or detail and changing the task names. Scans can be selected and either launched or modified from this window. To initiate a scan, highlight the task name and click the Execute button or simply double-click the task.
Task List in Details View
In Command's F-PROT Professional for Windows NT, two types of scans can be created. Scans created by someone with administrator rights are called Administrator Tasks and scans created by a user without administrator rights are called User Tasks. Note that a user with administrator rights may create either type of task. This differentiation between tasks allows administrators to create system-wide scanning tasks that cannot be modified or renamed by users without administrator rights. A task created by an administrator is easily identified by the computer icon to the left of its name.
Individual users, those without administrator rights, can create their own tasks that are specific to their own needs. An individual user can scan another user's files only if those files allow read access. User tasks are identified by the icon showing the profile of a person's head.
Note: If multiple users create customized User tasks, those tasks are visible only to the user who is currently logged in. This is because they are stored in the user's profile directory.
The column headers, which can be seen in Details view, can be re-sized by dragging the split bar to the left or right.
The order in which the task names are displayed can be changed by clicking on a column header. Clicking on the Last results header will group all scans that detected a virus. Clicking on the Next scan on header performs a sort based on next scheduled scans.
Tasks can also be displayed in the task list as large icons with the name below them. Choosing Small Icons displays the task name alongside each icon. Select View from the Menu Bar or use the Toolbar buttons to switch between large and small icons.
Neither the large icon view nor the small icon view displays the column headers, but each maximizes the use of the area for visibility of tasks as shown below. Also, the results of the last scan and the next scheduled scan are not shown in either Large Icons or Small Icons view.
Large Icons View
Tasks can be listed or shown with details. Select View from the Menu Bar or use the toolbar buttons to switch between List and Details.
Select List to display the tasks using small icons and task names in a column. Column headers are not shown.
Details displays your task list using small icons, task names, results of the last scan (if a virus was found) and the time of the next scheduled scan. This is the only option that shows column headers.
If you have administrator rights, you can rename any of the tasks by highlighting, clicking once, pausing and clicking again, or by clicking the right mouse button and selecting Rename. This action opens a text box around the existing name so that you can then modify the task name. If you make an error while typing, simply press the escape key and the entry will revert to its original form. Task names must contain only those characters that are legal for Windows NT long filenames. For example, a task name cannot contain a \ (backslash) character.
If you do not have administrator rights, you may change the name of tasks that you created (User Tasks), but not those that were created by an administrator.
There are many ways to open Command's F-PROT Professional's main program (or the GUI as it is sometimes called). There is, of course, the standard way from the Start menu. You can also open Command's F-PROT Professional by moving your mouse pointer over the blue F icon (located in the tray on the bottom right of your screen) and then either double-clicking or clicking the right mouse button, then selecting Launch F-PROT.
There are multiple ways to launch a Command's F-PROT Professional scanning task or, for that matter, any of the other operation options. For example, if you like using the command buttons or the toolbar, they are available from the main screen. You can also point and click on one of the menu titles and use the pointer to select one of the available commands. In addition, a command can be accessed by pressing the ALT key plus the underlined letter for that command. To execute one of the existing scan tasks from the task list, just highlight the task name and click Execute, or double-click the task name.
For a quick scan of a specific file or folder, use either the right-click shortcut feature or the drag and drop feature. Both can be used with files on the desktop or in Explorer. For details, see the section in this chapter called Quick Scanning.
The task operations are covered in the Using the Task Menu section.
Main View with Shortcut Menu
You can use the command buttons on the right to Execute the highlighted task, modify the Properties of the highlighted task or add a New Task. These buttons also provide quick access to virus descriptions.
When any task is highlighted, you can quickly access a shortcut menu by clicking the right mouse button. This menu allows you to execute the task, create a new task, rename an existing task, modify the properties of the selected task or delete the task entirely.
You can access the Task, View, Preferences and Help menus with the mouse or keyboard. They contain commands that let you perform any of the operations available for creating, modifying, deleting or executing tasks.
The toolbar, shown below, is accessed using a mouse. We have included buttons for creating, modifying, deleting and executing tasks. You can also get help and change the way your screen looks with the simple click of a button.
If you move the mouse cursor over any toolbar button you can see a "tool tip" that identifies the function of that particular button.
|Choosing this toolbar button changes your mouse pointer to an arrow with a question mark. Pointing and clicking on an object produces a help screen containing information relevant to the object you clicked.|
Within Command's F-PROT Professional for Windows NT, you can activate a shortcut menu that allows you to perform fast and efficient virus scans of selected folders or files. The files or folders to be scanned can be located in Windows NT's Explorer, on the desktop or within program groups.
To perform a scan from the shortcut menu, highlight one or more filenames or folders that you wish to scan and click the right mouse button. A Windows NT shortcut menu containing the F-PROT Virus Scan option will appear. Select that option by using either a right or left mouse click. The scan will begin immediately.
Shortcut Menu Scan
|The shortcut or right-click scan properties are based on Command's F-PROT Professional's default scan. Administrators, however, can create a custom scan task as follows:|
|Customized right-click scanning is available only under NT 4.0 and above.|
Another way to scan files quickly is to use the drag and drop feature in Command's F-PROT Professional for Windows NT. To use this feature, you need to have Command's F-PROT Professional's interface open on your desktop. From Explorer or the desktop, click on the object you want scanned and, while holding the mouse button down, drag the files or folders anywhere over the Command's F-PROT task window and then release the button. When the mouse button is released, the scan starts immediately and a report window appears when the scan is complete.
|The drag and drop properties are based on Command's F-PROT Professional's default scan. Thus, if a virus is found, you receive notification only. You must then scan the file with a task that allows disinfection or whatever action you use for viruses. Administrators, however, can create a custom task as follows:|
There are times when it is useful to run a scan directly from the commandline. For example, command-line entries allow an administrator who is logging in remotely to immediately launch a scan.
Command's F-PROT Professional for Windows NT utilizes CSS AV Scheduler (CSS-AVS.EXE) to run scheduled and inactivity scans in the background. CSS AV Scheduler can also be used to run scans manually. To use this feature, type the executable filename (CSS-AVS.EXE) and then add one or more of the available command-line parameters. They can be added in any order except for /FILE, /PATH and /TASK which must be placed last on the command line and are mutually exclusive. An example follows:
CSS-AVS /MEM /HARD /DISINF
The example shown above starts a scan that checks memory, scans all logical hard drives, and disinfects if a virus is found. If viruses are detected, they are logged into the Windows NT Event Viewer application log. We also have a log file named VIRUS.LOG that we create in the F-PROTNT directory.COMMAND-LINE PARAMETERS FOR CSS AV SCHEDULER
|/DELETE||Delete all infected files instead of listing them. This is not recommended as some viruses encrypt portions of the drive.|
|/DENY||Deny access to files containing a virus.|
|/DISINF||Disinfect whenever possible. This option does delete some first-generation virus samples. A first-generation virus is the "starter" program that begins the infection process. It is very rare to encounter one. This option will never delete a file that can be disinfected.|
|/FILE=filename||Scan for file viruses. This switch must be last on the command line.|
|/FLOPPY||Scan floppy drives.|
|/HARD||Scan all the physical hard drives in the system.|
|/INSTALL||Install the CSS AV Scheduler service into the Service Control Manager.
*This must be run from the directory to which the service was installed (by default, Winnt/System32).
|/MBR||Scan for MBR and boot sector viruses.|
|/NET||Scan network drives.|
|/PATH=pathname||Scan the specific path for viruses. This switch must be last on the command line.|
|/QUAR||Quarantine files containing a virus.|
|/RENAME||Rename infected files.|
|/REPORT||Sends the output to the specified file.|
|/TASK=taskname||Runs a specific scanning task. For instance, "/TASK=c:\test.fpt /quar" runs the task called Test.fpt using the /QUAR switch. Note: you must include the .fpt extension in the task name. This switch must be last on the command line.|
|/UNINSTALL||Uninstall the CSS AV Scheduler service from the Service Control Manager.|
|If you use the /FILE= , the /PATH= or the /TASK= switch, please keep in mind that they are mutually exclusive and must be the last switch entered on the command line.|
If Command's F-PROT Professional finds a virus during a scheduled scan or in real-time, using DVP, it logs the occurrence to the Windows NT Event Viewer. Viruses found by DVP are logged to Event Viewer's System log and viruses found during scheduled scans are logged to the Application log.To locate the event:
Event Detail Dialog Box
|There are a number of easy ways to access NT's Event Viewer from Command's F-PROT Professional. One way is by clicking on the Event Viewer button on the toolbar. You can click the right mouse button on the blue F icon at the bottom of the screen and select Launch Event Viewer and there is even a menu item available from the View menu called Event Viewer. So, you never have to leave Command's F-PROT Professional!|
The Event Details dialog box provides specific information regarding detected viruses. For more information regarding Command's FPROT Professional Event Viewer messages, see the Appendix in this manual.
The quarantine feature moves infected files to a separate folder so that they can be evaluated and disinfected or deleted at a later time. When a file is moved, it is renamed. This is necessary as there can be files with the same names residing in different folders. If so, they would overwrite each other when they were moved to the quarantine folder. The new name that is created is alpha-numeric, using up to 8 characters but minus an extension. When a file is moved to the quarantine folder, a corresponding entry is made to a log file named HISTORY.LOG.
During a standard installation, the quarantine directory is created on the root directory of the system drive, where Windows NT was installed. This folder is then used to hold infected files. If an administrator wants to change the location of the quarantine directory, this can be done by choosing Advanced from the Preferences menu. The quarantine option is available for files that are scanned using specific tasks (scheduled and manual) and for files scanned in real-time.
Entries in the quarantine file look like this:
If you use this feature, there are some important considerations that you need to be aware of.
In addition to being entered into Event Viewer, information on viruses detected by CSS AV Scheduler is also recorded in a special log file, VIRUS.LOG. That file contains details regarding viruses that were found during scheduled scans, inactivity scans or during the command line usage of CSS-AVS.EXE.
If you are running Command's F-PROT from your local machine, then VIRUS.LOG will be located in the directory containing Command's FPROT Professional program files. However, if your workstation is running Command's FPROT from a network server, VIRUS.LOG will be located in the root directory of your computer. The contents of VIRUS.LOG can be viewed with most ASCII or DOS editors.
The HISTORY.LOG file is an ASCII text file located in the quarantine folder. You can open it with any text editor. Once a file is moved to the quarantine folder, you need either to disinfect or delete it. To do this, you need to check the HISTORY.LOG file so that you know where the file originated and what it was called before its name was changed. The HISTORY.LOG file is created when necessary. To clear the log file completely, delete it: it is recreated the next time files are quarantined.
The format of HISTORY.LOG is shown in the following screen:
The first column in the history log file describes what action was performed on the infected file. The second column shows the name of the computer that contained the infected file(s). The third column provides the name of the user who was logged onto the computer when Command's F-PROT Professional detected the infection. If no one is logged in when the file is quarantined, the user name will contain "System." The fourth and fifth columns, respectively, display the date and time of day that the infection was found. The sixth column shows the name that was assigned to the infected file when it was moved to the quarantine folder. The next column contains the infected file's original name; that is, the name it had prior to its being moved to the quarantine folder. The last column displays a brief message generated by Command's F-PROT Professional describing why the file was moved to quarantine directory.
|The HISTORY.LOG file provides all the information you need to locate infected files and return them to their original location after disinfection.
The HISTORY.LOG is formatted this way so that you could easily import its contents into most popular spreadsheet programs.
|The best way to disinfect a quarantined file is to create a special task for that purpose. Here are the things to keep in mind:|
If DVP is active, you will be stopped if you try to copy or move an infected file.
|Setting the Action to take to Delete in Command's F-PROT Professional erases infected files completely. If you simply delete files from the quarantine directory in Windows NT 4.0, they will go to the recycled bin and could be available to re-infect. So, if you want to delete, its better to use the Delete option from Command's F-PROT Professional's program.|
Once you become familiar with Command's F-PROT Professional, you will enjoy using the different shortcuts that are built in. When you install the program you will notice that there is a blue F icon (the F-AGENT icon) located in the tray at the bottom of your screen.
By double clicking on this icon, you can open Command's F-PROT Professional. You can also right click on the icon to open the small menu shown next.
F-Agent shortcut menu
As you can see, this menu lets you start Command's F-PROT Professional, NT's Event Viewer, view or reset the statistics dialog box and close F-Agent. To restart FAgent without rebooting, go to the Start menu and select Programs then StartUp and choose F-AGENT NT.
|If you close FAgent, its icon will no longer be visible, inactivity scans will not work and DVP will not be able to display any user notification messages. However, scheduled scans (although you won't see the little clock running) and DVP continue to function.|
|The Real-time and Scheduled Scan Statistics dialog box lets you see the results and number of files scanned during scheduled scans and real-time (DVP) scans. Statistics for manual scans, scan tasks initiated directly from the Command's F-PROT Professional window, do not show in this dialog box. Instead, they are recorded in the Scan Results window that appears when the scan completes.|
If you would like to view scanning statistics, position your cursor over the FAgent icon in the Windows NT task tray and click the right mouse button click. When a shortcut menu appears, choose Get Statistics and the statistics box shown next will open.
While a scheduled scan is running, results are updated in the statistics box. If you have this box open, you can watch the number of files increment. Scan statistics accumulate until you reset them. All files that are accessed in real-time and are in the Include list add to the number of files scanned. To reset the totals in the statistics box, click the right mouse button on the FAgent icon in the task tray and then choose Reset Statistics.
|For real-time and scheduled scan statistics to function properly, Dynamic Virus Protection (DVP) must be enabled. Otherwise, when you view the statistics function, the counters do not change.|
The Task Menu offers the ability to Execute a pre-defined task, create a New task, Delete a task or Edit an existing task. Further, the Task menu provides access to Properties in order to review or modify an existing task or Exit from the program.
You can access the Task drop-down menu by either clicking on Task or by pressing ALT + T.
When a task starts, a Scan Results window like the one shown next, appears. An indicator bar shows the scan's progress. When the scan completes, the Scan Results window provides details concerning the scan.
Scan Results View
You select a task by first clicking and highlighting it. The task begins when you choose the Execute command. You can also execute a task by simply double-clicking on a task name in the task list or by highlighting the task and clicking on the stoplight icon in the toolbar.
Use the vertical scroll bar on the right side of the F-PROT Report Window to view the entire report. You can use the File menu to save a copy of the report, print the report or send a copy of it through your e-mail system. You can use the Edit menu to copy the report to the clipboard for pasting into another document.
If a virus is found during the scan and the Action to take setting is Report only, the Attention dialog box shown next will alert you. Press OK to continue so you can manually disinfect.
|The default setting for Action to take in Command's F-PROT Professional is Report only. To prompt for disinfection, change the Action to take setting to Disinfect or Disinfect/Query and allow Command's F-PROT Professional to disinfect the virus.|
Selecting the New command from the Task menu allows you to create a new custom task. This can also be accomplished by selecting the New Task button on the main screen. A small dialog box appears and you must provide the name for your new task. If you are an administrator, the dialog box for selecting the type of task (User or Administrator) appears. Next, the Properties menu opens with the default settings in place. You can either accept them or establish your own task parameters. See the following section Scanning Properties for details.
|As an alternative to choosing New from the Task menu, you can choose the New button from the toolbar. The New button provides a shortcut to creating a new custom task.|
Selecting the Delete command from the Task menu allows you to remove a pre-defined task. Tasks can also be deleted by selecting then clicking the right mouse button and choosing Delete or by just pressing the delete key on your keyboard.
The Edit option allows you to Cut, Copy or Paste a task. For example, if you highlight Scan Hard Drives, then select Copy and click on Paste, it will create a new task entitled Copy of Scan Hard Drives. You can then rename it or change the properties.
|Instead of choosing the Cut command from Edit menu, you can use the Cut button located on the toolbar. That button allows you to delete a task and save it to the clipboard. From the clipboard, a subsequent Paste will return it to the task list.0|
|As an alternative to using the Copy function on the Edit menu, you can choose the Copy button from the toolbar. The Copy button allows you to create a copy of the task in the clipboard. A subsequent Paste adds it to the task list.|
|You can use the Paste button from the toolbar as an alternative to choosing the Paste command on the Edit menu. This button allows you to place a task in the task list. After a task has been either cut or copied, it can be pasted to that list. The name of the task will start with the phrase "Copy of". You can then modify and rename the task using the other available options.|
If you do not have administrator rights, you cannot cut an Administrator Task. However, the Copy and Paste process yields a slightly different result. If you have administrator rights and you use copy and paste on an Administrator Task, the task will remain an Administrator Task. On the other hand, if you have user rights when you copy and paste an Administrator Task, it is converted to a User Task and it is then subject to the same restrictions that are associated with the assigned permissions.