The Properties dialog box allows you to modify an existing task and to configure a new task. In this dialog box you can select the Action to take, Drive/paths to scan, Files to scan and Schedule when the scan will take place. There are a number of ways to access the Properties dialog box. One way is from the Task menu. A quicker way is to select an existing task from the task list, then click on the Properties button located on the main menu or click the right mouse button and then click Properties.
||In addition to choosing the Properties command from the Task menu, you can also use that command by selecting a task and then clicking on the Properties button in the toolbar. |
Properties Dialog Box
This is the default scanning method that searches for over 10,000+
viruses and variants.
Action to take on infection
Click on the Action to take drop-down menu to see a list of the available methods for dealing with viruses. The choices contained in this list let you select how you want Command's F-PROT Professional for Windows NT to react if a virus is found.
This informs you when a virus is detected; however, no other action will be taken. You may choose Report only in order to verify the type of virus before disinfection.
||This is the default setting for all new scans and for all of the preset scans provided by Command's F-PROT Professional. You will probably want to change this setting after becoming more acquainted with the software.|
Disinfecting files automatically causes the least disruption to the user. If
disinfection is not possible, Command's F-PROT Professional asks if you wish to delete the file.
The Disinfect/Query option identifies a virus and asks if you wish to disinfect it.
||This automatically deletes any file found to contain a virus.
With Delete, the potential exists for data loss. Some rare viruses are able to perform encryption on the hard drive, making file recovery difficult.
Choosing Delete/Query identifies a virus and asks if you wish to
delete the infected file.
Selecting Rename automatically provides a new name for an infected file by putting a "V" in place of the first letter of the extension. For example, .COM becomes .VOM and .EXE becomes .VXE.
This identifies a virus-infected file and asks if you want to rename it. If you choose Yes, it renames the file as previously described. If you choose No, you then either need to disinfect or delete the file.
The Quarantine option places an infected file in an isolated directory where it cannot spread. This is helpful for examination or disinfection by the administrator at a later time.
The Quarantine/Query option prompts you before quarantining a file.
||The Quarantine and Quarantine/Query options are available only to Administrators.|
||Queryis not available in scheduled or inactivity scans, as these scans
usually need to occur unattended. Thus, if the Action to take for a scan task was set to Disinfect/Query, the action would change to Disinfect; Quarantine/Query would change to Quarantine and so on. A warning message displays to remind you of this.|
Remove all macros if a variant is found
If this option is selected, all macros are removed from any file containing a new or modified variant of a macro virus. If this option is not selected and the Action to take is Disinfect or Disinfect/Query, files are renamed if they contain remnants
or are variants of macro viruses.
This option is available only when the Action to take is Disinfect or Disinfect/Query.
Selecting Drives/paths to scan
You can provide a specific drive or a UNC (Universal Naming Convention) path to scan. For example, you could establish a task that would perform a scheduled scan on the directory used to store files that are downloaded from other computers.
The browse button opens a dialog box allowing you to select the folder you wish to scan.
When you enter a path in the Drive/Paths To Scan text field, this option is activated. If enabled, it searches all sub-folders below the path specified.
Select all floppy drives
This searches all floppy drives.
Select all hard drives
This searches all logical hard drives on the local workstation, including
Select all network drives
||This searches all network drives to which you have access rights and to which you have been mapped. This is not available for scheduled or inactivity scans.|
Select all drives
This searches every drive where you have access rights. This option is not available for scheduled or inactivity scans.
Files to scan
The available options for the types of files to scan are described below. The
recommended choice is Standard executables. You also have the option of selecting All Files but they are mutually exclusive. The compressed file options may be checked individually depending on your needs. Choose the documents option only if you have Microsoft Word 6.0 or later.
These are the files that would normally be attacked by a virus. Command's
F-PROT Professional ships ready to scan the following file extensions: .APP, .BIN, .COM, .DLL, .DO?, .EXE, .OV?, .PGM, .SYS, .XL?. You may enter up to 20 filename extensions through the Preferences Files to Include/Exclude dialog box.
||This will scan all files. We do not recommended this option as it increases the probability of getting a false positive from a random string of characters in an otherwise harmless data file. Further, All Files takes much longerthan using the other scanning options and it is unlikely to find additional viruses. |
However, this option should be used if you want to scan documents that do not have a filename extension or to scan files with extensions longer than 3 characters.
These are executable programs that have been compressed with PKLITE, DIET or similar programs.
These are files that have been archived using PKWare's ZIP compression utility.
This checks for macro viruses that can infect Microsoft Word documents and templates. Enabling this option also cause Command's F-PROT to check for macro viruses that could infect Microsoft Excel worksheets and templates.
Many common viruses infect the boot sectors and master boot records of hard
drives. Checking this option causes those areas to be scanned.
User-defined Virus Strings
On rare occasions, a new virus spreads before we can release an update to Command's F-PROT Professional. You can enter a string of characters, in hexadecimal, that provide your current version with the ability to detect the new virus. In general, it is best to select this option only when instructed by Technical Support. It is rare to have to enter a virus definition string. For more information, see the
Using the Preferences Menu section.
Allow scanning of quarantined files
Selecting this option allows an administrator to scan the quarantine directory.
If the option is not selected, the quarantine directory will not be scanned, even if the quarantine directory is in the path. A quarantine directory exists only if the Action to take selection in Command's F-PROT or DVP is set to Quarantine. Generally, suspect and infected files are placed in the quarantine directory to allow the administrator the opportunity to examine and disinfect them without disrupting the workflow of users. During a standard installation, the quarantine directory is created on the root directory of the system drive, where Windows NT was installed.
||This option is available only if you have administrator rights.
If the Action to take is Quarantine then Allow scanning of quarantined files is unavailable since you cannot quarantine files that are already in the quarantine
Using the Schedule option
Scheduled execution of a selected task can be a very useful anti-virus tool.
Administrators can create scheduled scans that are installed on each user's computer. Scheduling a daily scan guarantees that a user's workstation is consistently checked for viruses. Additionally, scheduled scans will run as long as the computer is on, even if
no one is logged onto the computer.
After you have defined a scan, you can select the Schedule button to assign a time for the scan to occur.
Command's F-PROT Professional for Windows NT does not need to be opened for a scheduled scan to occur. Administrator-defined scheduled scans will take place even when no one is logged onto the machine. When a scheduled scan begins, a small clock with moving hands appears over the FAgent icon in the tray. If the computer is not on when a scan is scheduled to run, the scan is skipped.
Scheduling is controlled by a service named CSS AV Scheduler (CSSAVS.EXE) that runs in the background and is activated on startup. It is necessary to have both this service and the
kernel-mode driver (DVP) started for scheduled scans to occur.
Checking this box turns on scheduled scanning. If the box is not checked,
scheduled scanning will not occur.
||Activity performed by CSS AV Scheduler can be seen in the Windows NT Event Viewer. The Event Viewer is located in the Windows NT start menu inside the Programs/Administrative Tools (Common) program group. You may also view the Event
Viewer from the View menu of Command's FPROT Professional or by right clicking on the F-Agent icon.|
||The Windows NT Event Log may become filled if Command's F-PROT Professional encounters a large number of infected files. If that happens frequently, you might consider increasing the Maximum Log File size in Windows NT's Event Viewer. Consult your Microsoft Windows NT manual for further information.|
Choosing Scheduled Scan frequency
After enabling scheduled scans, you need to select how often a scheduled scan should occur. You may select only one option. Once this is completed, enter the time you want the scan to occur using a 24-hour format. Optionally, you can have the scan occur after a specified period of inactivity. If the computer is not on when a scan is scheduled to occur, the scan will be skipped.
||If the inactivity scan time is too small, you could run into a perpetual scan situation.|
Select the Daily option if you want a scan to take place each day.
When you select the Weekly option, you can then select the day or days on which you want a scan to occur.
If you select the Monthly option, you then have access to the drop-down dialog box that allows you to select the day of the month you want the scan to occur.
Time to scan
Specify time of day in 24-hour format with "00:00" indicating midnight. For instance, if you want to scan at 1:30 p.m., enter 13:30. Scheduled scans are skipped if the computer is not on during the time you have entered for the scan. If you would like
to schedule an immediate scheduled scan for testing purposes, the scan should be scheduled at least five minutes ahead of the current time.
Scan after inactivity
You can choose to scan after a specified period of keyboard or mouse inactivity. A user must be logged in and F-Agent needs to be running for this scan to occur.
Stopping a scheduled scan
If a scheduled scan is running and you want to stop it, follow these steps:
- Open the Control Panel.
- Click on Services.
- Highlight CSS Scheduler.
- Click on STOP.
To start the service so that scheduled scans are active again, repeat the above procedure but, in step 4, click on START. To stop a scheduled scan, you must have administrator rights.
USING THE VIEW MENU
This is a standard Windows NT menu that allows you to change the way you view the tasks shown in the task list. The available options are described briefly. Further information can be found in your Microsoft Windows NT manual.
||The tasks are displayed in the task list as large icons with the task name located beneath each icon.
In addition to choosing the Large Icons command from the View menu, you can also access this command by selecting this button from the toolbar.
||The tasks are displayed in the task list as several columns of small icons with the task name alongside each icon.
As an alternative to using the Small Icons command in the View menu, you can access that command by selecting this button from the toolbar.
||The tasks are displayed in the task list as a single column of small
icons with the task name alongside each icon.
In addition to using the List item on the View menu, you can also access it by selecting this List button from the toolbar.
||The tasks are displayed in the task list as a single column of small icons with the name alongside each icon. Two additional columns also appear for each task: one for the results of the last scan and another showing the time of the next scheduled scan.
Selecting the Details button from the toolbar will display the task list as small icons with scan result and scheduled scan information next to it. The Details menu
command can also be accessed by choosing it directly from theView menu.
Selecting the Refresh command updates the task window to reflect
the Command's F-PROT task information stored on the disk. This is useful when copying task files from the network.
||This menu item provides convenient access to Windows NT's Event Viewer.
You can also gain access to Event Viewer from a button (shown here) on the toolbar. For more information on Event Viewer, please see the section called Locating Scan Results in Event Viewer.
USING THE PREFERENCES MENU
The Preferences menu is one of the key areas for customizing Command's
F-PROT Professional. You can access this menu either by highlighting and clicking on the menu title or by pressing ALT + P. Each menu option is explained in the following pages.
Through the Network menu command, you are able to set up messaging
via your e-mail system and central event logging if you are running Command's F-PROT Professional for NetWare.
The Reporting selection allows you to decide on available options for virus notification.
Active Protection opens a dialog box where you can enable, disable or configure real-time protection. From this dialog box, you can change the areas of memory that are scanned when the operating system is loaded.
There is also a menu command for Files to Include/Exclude that can be very helpful for specific scans.
Should you ever need to add User-Defined Virus Strings, the dialog box for that purpose is accessed from the Preferences Menu.
||The Advanced selection allows you to set a directory into which viruses can be quarantined as well as modify service account information. This selection is available only if you have administrator rights.|
All of the above-mentioned features are described in detail in the following sections.
The Network options allow you to set up messaging to your network. If you are running NetWare, there is a special section for configuring scan options that are designed to work with Command's F-PROT Professional for NetWare (FPN).
When the NetWare tab is selected, a dialog box appears that allows you to configure the following items.
||This option is not visible if F-NET.EXE is not running. F-NET.EXE allows the workstation to communicate to a server that is running Command's F-PROT Professional
for NetWare and record any virus incidents to the F-PROT log. F-NET.EXE also preserves the last access date and allows compressed and migrated files to be skipped during a network
F-NET is installed to the F-PROT directory only if a modification is made to the SETUP.INI file prior to installation. Details on modifying SETUP.INI can be found in the Network Administration chapter. If you are not running NetWare or Command's F-PROT Professional for NetWare, it is not necessary or advisable to have F-NET.EXE.
Preserve last access date
Checking this box prevents modification of the last access date on the file. Many archive systems reference the last access date to determine if the file is eligible for archiving. If this option is disabled, the last access date will be updated to show the last time Command's F-PROT scanned the file. Use this option with caution as disabling it could prevent archival software from functioning properly.
Skip compressed files
Compressed files are files that have not been accessed for a period of time,
perhaps weeks or months. If the file was compressed after an initial scan with Command's F-PROT Professional, it is unlikely that it contains a virus. You can shorten scan times by checking this box. We advise that you check compressed files once when Command's F-PROT Professional is first installed and then again with every major scan update.
Skip migrated files
As migrated files are not in use (by definition), you can shorten scan times by checking this box. Migrated files should be scanned once when Command's F-PROT Professional is first installed and again before using them.
If you are running Command's F-PROT Professional for NetWare (FPN), you can select this box. FPN maintains a log file on each server. From within this box, choose a valid server name from the drop-down list box. Afterward, if a virus is discovered, it is added to that server's Command's FPROT Professional log file. Use a text editor or the View option in FPN Admin to view the log.
The Messaging menu allows you to modify the message shown to users when a virus is encountered.
Message to display
You can enter a text message of your choice up to 80 characters in length. This is very useful for Network administrators and can include phone numbers or other helpful messages.
This area controls notification using your existing MAPI e-mail system. MAPI support includes Microsoft Mail, Microsoft Exchange, and Eudora Pro among others.
Choose Addresses to select who receives the messages.
Check this box to have a virus report mailed to the person(s) selected in Addresses.
Mail infected files
Check this box to have the infected file mailed to the address(es) selected in Addresses.
The Reporting screen controls how the scan results for a manual scan are displayed for reporting purposes. It also allows you to choose an audible warning.
Beep When A Virus Is Found
The PC speaker emits a short beep when a virus is found, during any scan, if this item is selected.
List All Files Scanned
You may wish to avoid lengthy reports by not selecting this box. However, this provides the ability to verify that the appropriate files are being scanned.
Wrap Text In Report Window
It may be easier to read short reports if you select this option. In longer reports, you may find it easier to find individual file listings without wrapping the text.
This section details how to configure real-time virus protection as provided by DVP for Windows NT. DVP actually consists of three kernel-mode drivers. One driver is CSS-REC.SYS, the "CSS Recognizer" for file systems and media changes. Another driver is CSS-FLTR.SYS, the CSS Filter. This component filters events such as opens, closes, and renames that Command's F-PROT Professional needs to check. A third driver, CSS-DVP.SYS, contains the actual real-time anti-virus protection scan engine.
||You can verify that these drivers are running by opening NT's Control Panel and choosing Devices. However, DO NOT try to disable DVP this way. If you want to disable DVP, open the Active Protection dialog box (shown below) and clear the checkbox that says Enable DVP. If DVP is disabled, real-time and scheduled scanning will no longer function. Also note that, regardless of your user rights, you may not stop
either CSS-REC.SYS or CSS-FLTR.SYS.|
If DVP is disabled through Devices, you cannot perform scheduled scans and manual scans will produce an error that says "F-PROT is unable to read the boot sector".
Dynamic Virus Protection
This dialog box allows modification of the Dynamic Virus Protection
(DVP) program. DVP provides real-time protection against viruses by scanning the boot sector every time a floppy is read. Further, DVP's real-time protection can be configured to scan
qualify files as they are opened, closed, renamed, copied or deleted.
Active Protection Menu
This box must be selected for real-time protection to work. If selected, DVP automatically scans floppy drives, CD-ROMS, local hard drives and/or network drives when files are accessed. This is highly recommended for the security of your system.
What to scan
If you have enabled DVP, you can then determine which drives are scanned by selecting any of the choices listed.
Action on infection
You may select any one of the options listed below. Some networks may not allow certain actions. If this should be the case, then a notification will be sent indicating the constraint.
This informs you when a virus is detected; however, no other action
is taken other than to deny access to the file. Choose the Report Only option if you want to verify the type of virus before disinfection.
This automatically deletes virus-infected files.
||While this is a powerful option, the potential exists for data loss. Some rare viruses perform encryption on the hard drive making file recovery difficult.|
The Rename option give a new name to virus-infected files. It changes
the file name extensions to a non-executable form.
This automatically disinfects virus-infected files. Please note the
caution for Delete.
This moves an infected file to a separate directory so that the files
may be disinfected and/or evaluated at a later time. If, for some reason, the Quarantine directory does not have enough room to store the infected file, the file will not be moved into that directory. Instead, the file will only be reported by Command's F-PROT Professional.
Remove all macros if variant is found
If this option is selected, all macros are removed from any file
containing a new or modified variant of a macro virus. If this option is not selected and the Action to take is Disinfect, files that contain remnants or are variants of macro infections are renamed.This option is available only when the selected Action to take is Disinfect.
We recommend scanning memory whenever you boot your system. Some systems have video problems when Upper Memory Blocks or High Memory is scanned. So, we provide various scan options. Memory scanning can be disabled, but this is not recommended.
Memory Scanning Menu
Complete 1MB memory scan + High Memory Area
Choosing this provides the most comprehensive memory scan and includes the first 64 KB above 1 MB. Some viruses take advantage of this area and, if you scan only the first 640 KB or 1 MB, you run the risk of infection. Command's F-PROT Professional has this option
selected by default. If you experience lockups, try the Complete 1MB memory scan option.
Complete 1MB memory scan
Choosing this provides a thorough scan of the first 1MB of memory, which
includes the video area above 640KB. If you experience lockups, use the 640KB + High Memory option.
Scan first 640KB + High Memory Area
Scan conventional memory plus the High Memory Area, which is the first 64KB above 1MB. This avoids scanning areas that may have conflicts with some high-resolution video drivers and some Micro Channel network cards.
Scan first 640KB
This option scans only conventional memory.
Skip memory scan
||This is the fastest way to boot. Remember, this could allow a virus to remain active in memory if you have disabled some of the other detection features.|
FILES TO INCLUDE/EXCLUDE
These two dialog boxes allow you to add or delete file extensions that you want scanned (included) or specific files that you do not want scanned (excluded). Extensions entered here apply to all scanning tasks.
Files to Include
If you want to add a specific file type to your scans, type the three-letter
extension in the New extension text field and select Add. To remove a particular file type from your scans, locate the three-letter extension in the Filename Extensions list box. Highlight the extension you want to remove and then select Delete.
File Extensions Menu
Files to Exclude
To exclude a specific file from a scan, use the Browse button to locate the file or type its full name and extension in the New exclusion text field and then choose Add. To remove a file, highlight it in the Filenames list box and
Files to Exclude Menu
The exclusion ability is helpful when you want to scan files with the same extension but you wish to exclude one or more specific files.
Wildcards are not accepted. If only an extension is entered in the New Exclusion text field and that extension is also in the Files to Include list, then files of that type will be scanned. To prevent all files of a specific type (all .DOC files for example) from being scanned, you must remove that extension from the Files to Include list.
USER-DEFINED VIRUS STRINGS
This dialog box allows you to add, change or delete specific search strings that will become a part of the search criteria during a scan. In general, it is best to enter information in this dialog box only when instructed by Technical Support.
||This option is useful when a new virus warning is posted and you have not yet had time to obtain a virus signature update. Should you ever need to use a User-Defined search string, be sure you have a check in the User-Defined virus strings check box, located in the Properties window.|
When Command's F-PROT Professional locates a file containing a user-defined virus string, it reports that the search string was found: it does not report that the file is infected. Other than notifying the user, no action will be taken on the file.
||User-defined virus strings are not supported by either DVP or in scheduled scans.|
User-Defined Virus Strings Menu
The example shown above demonstrates how this capability could be used to detect a macro virus.
If you select the Add button, a dialog box opens so that you can enter the name of the virus, the virus string and the type of file that it infects. The options
available in the Infects section allow you to select COM files, EXE files and Boot Sectors. Multipartite viruses could infect all three types of files.
The Advanced menu contains two tabbed pages. One of those pages, the Advanced Options, allows you to choose a quarantine folder to which infected files will be sent. The other tabbed page, Service Account, allows for the modification of service accounts.
Advanced Options Tabbed Page
||Choosing the Advanced Options page prompts you for a path to the quarantine folder. By default, Command's F-PROT Professional for Windows NT creates a quarantine folder off the root directory. In the Advanced Options page, entering a path
to a different quarantine folder routes infected files to that folder rather than to the default folder. You must have Administrator rights to use this feature.|
||If you set a path to a different quarantine folder, infected files will be routed to that folder only if the quarantine option has been enabled in Active Protection and/or Properties dialog boxes. Files that were located in a previously defined quarantine directory will not be moved or modified.|
Service Account Tabbed Page
The Service Account page provides an administrator the ability to modify an existing account that is used as the service account for scanning network drives. This is the account that would have been set up or specified during installation. One of the modifications that can be made here is the changing of a password.
This dialog box is not used for creating a service account. It merely provides information that Command's F-PROT Professional uses to reference the service account.
General help for Command's F-PROT Professional for Windows NT can be found on this menu.
The Index is an alphabetical list of help topics.
This gives basic instructions for effectively using the help system.
This provides phone numbers and electronic methods to obtain technical support.
This provides information regarding the number of viruses detected by Command's F-PROT Professional for Windows NT.
The Virus Information screen provides detailed information on several hundred common virus families and variants.
ABOUT COMMAND'S F-PROT PROFESSIONAL FOR WINDOWS NT
||The product version number/scan engine version and copyright information
can be found by selecting this menu item or by clicking the question mark button on the toolbar.|