Table of Contents Chapter 1 - Introduction Chapter 2 - Installation Chapter 3A+B - Using F-PROT Chapter 4 - Boot Record Support Chapter 5 - DOS Recovery Chapter 6 - Network Administration Appendix Home Technical Support

SCANNING PROPERTIES

The Properties dialog box allows you to modify an existing task and to configure a new task. In this dialog box you can select the Action to take, Drive/paths to scan, Files to scan and Schedule when the scan will take place. There are a number of ways to access the Properties dialog box. One way is from the Task menu. A quicker way is to select an existing task from the task list, then click on the Properties button located on the main menu or click the right mouse button and then click Properties.
In addition to choosing the Properties command from the Task menu, you can also use that command by selecting a task and then clicking on the Properties button in the toolbar.

Properties Dialog Box

Scan method

Secure scan
This is the default scanning method that searches for over 10,000+ viruses and variants.

Action to take on infection

Click on the Action to take drop-down menu to see a list of the available methods for dealing with viruses. The choices contained in this list let you select how you want Command's F-PROT Professional for Windows NT to react if a virus is found.
Report only
This informs you when a virus is detected; however, no other action will be taken. You may choose Report only in order to verify the type of virus before disinfection.
This is the default setting for all new scans and for all of the preset scans provided by Command's F-PROT Professional. You will probably want to change this setting after becoming more acquainted with the software.
Disinfect
Disinfecting files automatically causes the least disruption to the user. If disinfection is not possible, Command's F-PROT Professional asks if you wish to delete the file.
Disinfect/Query
The Disinfect/Query option identifies a virus and asks if you wish to disinfect it.
Delete
This automatically deletes any file found to contain a virus.

With Delete, the potential exists for data loss. Some rare viruses are able to perform encryption on the hard drive, making file recovery difficult.

Delete/Query
Choosing Delete/Query identifies a virus and asks if you wish to delete the infected file.
Rename
Selecting Rename automatically provides a new name for an infected file by putting a "V" in place of the first letter of the extension. For example, .COM becomes .VOM and .EXE becomes .VXE.
Rename/Query
This identifies a virus-infected file and asks if you want to rename it. If you choose Yes, it renames the file as previously described. If you choose No, you then either need to disinfect or delete the file.
Quarantine
The Quarantine option places an infected file in an isolated directory where it cannot spread. This is helpful for examination or disinfection by the administrator at a later time.
Quarantine/Query
The Quarantine/Query option prompts you before quarantining a file.
The Quarantine and Quarantine/Query options are available only to Administrators.

Queryis not available in scheduled or inactivity scans, as these scans usually need to occur unattended. Thus, if the Action to take for a scan task was set to Disinfect/Query, the action would change to Disinfect; Quarantine/Query would change to Quarantine and so on. A warning message displays to remind you of this.

Remove all macros if a variant is found
If this option is selected, all macros are removed from any file containing a new or modified variant of a macro virus. If this option is not selected and the Action to take is Disinfect or Disinfect/Query, files are renamed if they contain remnants or are variants of macro viruses.

This option is available only when the Action to take is Disinfect or Disinfect/Query.

Selecting Drives/paths to scan
You can provide a specific drive or a UNC (Universal Naming Convention) path to scan. For example, you could establish a task that would perform a scheduled scan on the directory used to store files that are downloaded from other computers.
Browse
The browse button opens a dialog box allowing you to select the folder you wish to scan.
Include sub-folders
When you enter a path in the Drive/Paths To Scan text field, this option is activated. If enabled, it searches all sub-folders below the path specified.
Select all floppy drives
This searches all floppy drives.
Select all hard drives
This searches all logical hard drives on the local workstation, including compressed drives.
Select all network drives
This searches all network drives to which you have access rights and to which you have been mapped. This is not available for scheduled or inactivity scans.
Select all drives
This searches every drive where you have access rights. This option is not available for scheduled or inactivity scans.

Files to scan

The available options for the types of files to scan are described below. The recommended choice is Standard executables. You also have the option of selecting All Files but they are mutually exclusive. The compressed file options may be checked individually depending on your needs. Choose the documents option only if you have Microsoft Word 6.0 or later.
Standard executables
These are the files that would normally be attacked by a virus. Command's F-PROT Professional ships ready to scan the following file extensions: .APP, .BIN, .COM, .DLL, .DO?, .EXE, .OV?, .PGM, .SYS, .XL?. You may enter up to 20 filename extensions through the Preferences Files to Include/Exclude dialog box.
All files
This will scan all files. We do not recommended this option as it increases the probability of getting a false positive from a random string of characters in an otherwise harmless data file. Further, All Files takes much longerthan using the other scanning options and it is unlikely to find additional viruses.
However, this option should be used if you want to scan documents that do not have a filename extension or to scan files with extensions longer than 3 characters.
Packed files
These are executable programs that have been compressed with PKLITE, DIET or similar programs.
ZIP files
These are files that have been archived using PKWare's ZIP compression utility.
Documents (.DOC)
This checks for macro viruses that can infect Microsoft Word documents and templates. Enabling this option also cause Command's F-PROT to check for macro viruses that could infect Microsoft Excel worksheets and templates.

Boot Sectors

Many common viruses infect the boot sectors and master boot records of hard drives. Checking this option causes those areas to be scanned.

User-defined Virus Strings

On rare occasions, a new virus spreads before we can release an update to Command's F-PROT Professional. You can enter a string of characters, in hexadecimal, that provide your current version with the ability to detect the new virus. In general, it is best to select this option only when instructed by Technical Support. It is rare to have to enter a virus definition string. For more information, see the Using the Preferences Menu section.

Allow scanning of quarantined files

Selecting this option allows an administrator to scan the quarantine directory. If the option is not selected, the quarantine directory will not be scanned, even if the quarantine directory is in the path. A quarantine directory exists only if the Action to take selection in Command's F-PROT or DVP is set to Quarantine. Generally, suspect and infected files are placed in the quarantine directory to allow the administrator the opportunity to examine and disinfect them without disrupting the workflow of users. During a standard installation, the quarantine directory is created on the root directory of the system drive, where Windows NT was installed.
This option is available only if you have administrator rights.

If the Action to take is Quarantine then Allow scanning of quarantined files is unavailable since you cannot quarantine files that are already in the quarantine directory.

Using the Schedule option

Scheduled execution of a selected task can be a very useful anti-virus tool. Administrators can create scheduled scans that are installed on each user's computer. Scheduling a daily scan guarantees that a user's workstation is consistently checked for viruses. Additionally, scheduled scans will run as long as the computer is on, even if no one is logged onto the computer.

After you have defined a scan, you can select the Schedule button to assign a time for the scan to occur.

Command's F-PROT Professional for Windows NT does not need to be opened for a scheduled scan to occur. Administrator-defined scheduled scans will take place even when no one is logged onto the machine. When a scheduled scan begins, a small clock with moving hands appears over the F­Agent icon in the tray. If the computer is not on when a scan is scheduled to run, the scan is skipped.

Scheduling is controlled by a service named CSS AV Scheduler (CSS­AVS.EXE) that runs in the background and is activated on startup. It is necessary to have both this service and the kernel-mode driver (DVP) started for scheduled scans to occur.


Schedule Menu
Enable scheduling
Checking this box turns on scheduled scanning. If the box is not checked, scheduled scanning will not occur.
Activity performed by CSS AV Scheduler can be seen in the Windows NT Event Viewer. The Event Viewer is located in the Windows NT start menu inside the Programs/Administrative Tools (Common) program group. You may also view the Event Viewer from the View menu of Command's F­PROT Professional or by right clicking on the F-Agent icon.
The Windows NT Event Log may become filled if Command's F-PROT Professional encounters a large number of infected files. If that happens frequently, you might consider increasing the Maximum Log File size in Windows NT's Event Viewer. Consult your Microsoft Windows NT manual for further information.
Choosing Scheduled Scan frequency
After enabling scheduled scans, you need to select how often a scheduled scan should occur. You may select only one option. Once this is completed, enter the time you want the scan to occur using a 24-hour format. Optionally, you can have the scan occur after a specified period of inactivity. If the computer is not on when a scan is scheduled to occur, the scan will be skipped.
If the inactivity scan time is too small, you could run into a perpetual scan situation.
Daily
Select the Daily option if you want a scan to take place each day.
Weekly
When you select the Weekly option, you can then select the day or days on which you want a scan to occur.
Monthly
If you select the Monthly option, you then have access to the drop-down dialog box that allows you to select the day of the month you want the scan to occur.
Time to scan
Specify time of day in 24-hour format with "00:00" indicating midnight. For instance, if you want to scan at 1:30 p.m., enter 13:30. Scheduled scans are skipped if the computer is not on during the time you have entered for the scan. If you would like to schedule an immediate scheduled scan for testing purposes, the scan should be scheduled at least five minutes ahead of the current time.
Scan after inactivity
You can choose to scan after a specified period of keyboard or mouse inactivity. A user must be logged in and F-Agent needs to be running for this scan to occur.

Stopping a scheduled scan

If a scheduled scan is running and you want to stop it, follow these steps:
  1. Open the Control Panel.

  2. Click on Services.

  3. Highlight CSS Scheduler.

  4. Click on STOP.
To start the service so that scheduled scans are active again, repeat the above procedure but, in step 4, click on START. To stop a scheduled scan, you must have administrator rights.

USING THE VIEW MENU

This is a standard Windows NT menu that allows you to change the way you view the tasks shown in the task list. The available options are described briefly. Further information can be found in your Microsoft Windows NT manual.

View Menu

LARGE ICONS

The tasks are displayed in the task list as large icons with the task name located beneath each icon.

In addition to choosing the Large Icons command from the View menu, you can also access this command by selecting this button from the toolbar.

SMALL ICONS

The tasks are displayed in the task list as several columns of small icons with the task name alongside each icon.

As an alternative to using the Small Icons command in the View menu, you can access that command by selecting this button from the toolbar.

LIST

The tasks are displayed in the task list as a single column of small icons with the task name alongside each icon.

In addition to using the List item on the View menu, you can also access it by selecting this List button from the toolbar.

DETAILS

The tasks are displayed in the task list as a single column of small icons with the name alongside each icon. Two additional columns also appear for each task: one for the results of the last scan and another showing the time of the next scheduled scan.

Selecting the Details button from the toolbar will display the task list as small icons with scan result and scheduled scan information next to it. The Details menu command can also be accessed by choosing it directly from theView menu.

REFRESH

Selecting the Refresh command updates the task window to reflect the Command's F-PROT task information stored on the disk. This is useful when copying task files from the network.

EVENT VIEWER

This menu item provides convenient access to Windows NT's Event Viewer.

You can also gain access to Event Viewer from a button (shown here) on the toolbar. For more information on Event Viewer, please see the section called Locating Scan Results in Event Viewer.

USING THE PREFERENCES MENU

The Preferences menu is one of the key areas for customizing Command's F-PROT Professional. You can access this menu either by highlighting and clicking on the menu title or by pressing ALT + P. Each menu option is explained in the following pages.

Preference Menu
Through the Network menu command, you are able to set up messaging via your e-mail system and central event logging if you are running Command's F-PROT Professional for NetWare.

The Reporting selection allows you to decide on available options for virus notification.

Active Protection opens a dialog box where you can enable, disable or configure real-time protection. From this dialog box, you can change the areas of memory that are scanned when the operating system is loaded.

There is also a menu command for Files to Include/Exclude that can be very helpful for specific scans.

Should you ever need to add User-Defined Virus Strings, the dialog box for that purpose is accessed from the Preferences Menu.

The Advanced selection allows you to set a directory into which viruses can be quarantined as well as modify service account information. This selection is available only if you have administrator rights.
All of the above-mentioned features are described in detail in the following sections.

NETWORK

The Network options allow you to set up messaging to your network. If you are running NetWare, there is a special section for configuring scan options that are designed to work with Command's F-PROT Professional for NetWare (FPN).

Network Menu

NetWare

When the NetWare tab is selected, a dialog box appears that allows you to configure the following items.
This option is not visible if F-NET.EXE is not running. F-NET.EXE allows the workstation to communicate to a server that is running Command's F-PROT Professional for NetWare and record any virus incidents to the F-PROT log. F-NET.EXE also preserves the last access date and allows compressed and migrated files to be skipped during a network scan.
F-NET is installed to the F-PROT directory only if a modification is made to the SETUP.INI file prior to installation. Details on modifying SETUP.INI can be found in the Network Administration chapter. If you are not running NetWare or Command's F-PROT Professional for NetWare, it is not necessary or advisable to have F-NET.EXE.
Preserve last access date
Checking this box prevents modification of the last access date on the file. Many archive systems reference the last access date to determine if the file is eligible for archiving. If this option is disabled, the last access date will be updated to show the last time Command's F-PROT scanned the file. Use this option with caution as disabling it could prevent archival software from functioning properly.
Skip compressed files
Compressed files are files that have not been accessed for a period of time, perhaps weeks or months. If the file was compressed after an initial scan with Command's F-PROT Professional, it is unlikely that it contains a virus. You can shorten scan times by checking this box. We advise that you check compressed files once when Command's F-PROT Professional is first installed and then again with every major scan update.
Skip migrated files
As migrated files are not in use (by definition), you can shorten scan times by checking this box. Migrated files should be scanned once when Command's F-PROT Professional is first installed and again before using them.
Log infection
If you are running Command's F-PROT Professional for NetWare (FPN), you can select this box. FPN maintains a log file on each server. From within this box, choose a valid server name from the drop-down list box. Afterward, if a virus is discovered, it is added to that server's Command's F­PROT Professional log file. Use a text editor or the View option in FPN Admin to view the log.

Messaging

The Messaging menu allows you to modify the message shown to users when a virus is encountered.

Messaging Menu
Message to display
You can enter a text message of your choice up to 80 characters in length. This is very useful for Network administrators and can include phone numbers or other helpful messages.
E-Mail
This area controls notification using your existing MAPI e-mail system. MAPI support includes Microsoft Mail, Microsoft Exchange, and Eudora Pro among others.
Addresses
Choose Addresses to select who receives the messages.
Mail report
Check this box to have a virus report mailed to the person(s) selected in Addresses.
Mail infected files
Check this box to have the infected file mailed to the address(es) selected in Addresses.

REPORTING

The Reporting screen controls how the scan results for a manual scan are displayed for reporting purposes. It also allows you to choose an audible warning.

Reporting Menu

Beep When A Virus Is Found

The PC speaker emits a short beep when a virus is found, during any scan, if this item is selected.

List All Files Scanned

You may wish to avoid lengthy reports by not selecting this box. However, this provides the ability to verify that the appropriate files are being scanned.

Wrap Text In Report Window

It may be easier to read short reports if you select this option. In longer reports, you may find it easier to find individual file listings without wrapping the text.

ACTIVE PROTECTION

This section details how to configure real-time virus protection as provided by DVP for Windows NT. DVP actually consists of three kernel-mode drivers. One driver is CSS-REC.SYS, the "CSS Recognizer" for file systems and media changes. Another driver is CSS-FLTR.SYS, the CSS Filter. This component filters events such as opens, closes, and renames that Command's F-PROT Professional needs to check. A third driver, CSS-DVP.SYS, contains the actual real-time anti-virus protection scan engine.
You can verify that these drivers are running by opening NT's Control Panel and choosing Devices. However, DO NOT try to disable DVP this way. If you want to disable DVP, open the Active Protection dialog box (shown below) and clear the checkbox that says Enable DVP. If DVP is disabled, real-time and scheduled scanning will no longer function. Also note that, regardless of your user rights, you may not stop either CSS-REC.SYS or CSS-FLTR.SYS.
If DVP is disabled through Devices, you cannot perform scheduled scans and manual scans will produce an error that says "F-PROT is unable to read the boot sector".

Dynamic Virus Protection

This dialog box allows modification of the Dynamic Virus Protection (DVP) program. DVP provides real-time protection against viruses by scanning the boot sector every time a floppy is read. Further, DVP's real-time protection can be configured to scan qualify files as they are opened, closed, renamed, copied or deleted.

Active Protection Menu
Enable DVP
This box must be selected for real-time protection to work. If selected, DVP automatically scans floppy drives, CD-ROMS, local hard drives and/or network drives when files are accessed. This is highly recommended for the security of your system.
What to scan
If you have enabled DVP, you can then determine which drives are scanned by selecting any of the choices listed.
Action on infection
You may select any one of the options listed below. Some networks may not allow certain actions. If this should be the case, then a notification will be sent indicating the constraint.
Report only
This informs you when a virus is detected; however, no other action is taken other than to deny access to the file. Choose the Report Only option if you want to verify the type of virus before disinfection.
Delete
This automatically deletes virus-infected files.
While this is a powerful option, the potential exists for data loss. Some rare viruses perform encryption on the hard drive making file recovery difficult.
Rename
The Rename option give a new name to virus-infected files. It changes the file name extensions to a non-executable form.
Disinfect
This automatically disinfects virus-infected files. Please note the caution for Delete.
Quarantine
This moves an infected file to a separate directory so that the files may be disinfected and/or evaluated at a later time. If, for some reason, the Quarantine directory does not have enough room to store the infected file, the file will not be moved into that directory. Instead, the file will only be reported by Command's F-PROT Professional.
Remove all macros if variant is found
If this option is selected, all macros are removed from any file containing a new or modified variant of a macro virus. If this option is not selected and the Action to take is Disinfect, files that contain remnants or are variants of macro infections are renamed.This option is available only when the selected Action to take is Disinfect.

Memory Scanning
We recommend scanning memory whenever you boot your system. Some systems have video problems when Upper Memory Blocks or High Memory is scanned. So, we provide various scan options. Memory scanning can be disabled, but this is not recommended.

Memory Scanning Menu
Complete 1MB memory scan + High Memory Area
Choosing this provides the most comprehensive memory scan and includes the first 64 KB above 1 MB. Some viruses take advantage of this area and, if you scan only the first 640 KB or 1 MB, you run the risk of infection. Command's F-PROT Professional has this option selected by default. If you experience lockups, try the Complete 1MB memory scan option.
Complete 1MB memory scan
Choosing this provides a thorough scan of the first 1MB of memory, which includes the video area above 640KB. If you experience lockups, use the 640KB + High Memory option.
Scan first 640KB + High Memory Area
Scan conventional memory plus the High Memory Area, which is the first 64KB above 1MB. This avoids scanning areas that may have conflicts with some high-resolution video drivers and some Micro Channel network cards.
Scan first 640KB
This option scans only conventional memory.
Skip memory scan
This is the fastest way to boot. Remember, this could allow a virus to remain active in memory if you have disabled some of the other detection features.

FILES TO INCLUDE/EXCLUDE

These two dialog boxes allow you to add or delete file extensions that you want scanned (included) or specific files that you do not want scanned (excluded). Extensions entered here apply to all scanning tasks.

Files to Include

If you want to add a specific file type to your scans, type the three-letter extension in the New extension text field and select Add. To remove a particular file type from your scans, locate the three-letter extension in the Filename Extensions list box. Highlight the extension you want to remove and then select Delete.

File Extensions Menu

Files to Exclude

To exclude a specific file from a scan, use the Browse button to locate the file or type its full name and extension in the New exclusion text field and then choose Add. To remove a file, highlight it in the Filenames list box and select Delete.

Files to Exclude Menu
The exclusion ability is helpful when you want to scan files with the same extension but you wish to exclude one or more specific files.

Wildcards are not accepted. If only an extension is entered in the New Exclusion text field and that extension is also in the Files to Include list, then files of that type will be scanned. To prevent all files of a specific type (all .DOC files for example) from being scanned, you must remove that extension from the Files to Include list.

USER-DEFINED VIRUS STRINGS

This dialog box allows you to add, change or delete specific search strings that will become a part of the search criteria during a scan. In general, it is best to enter information in this dialog box only when instructed by Technical Support.
This option is useful when a new virus warning is posted and you have not yet had time to obtain a virus signature update. Should you ever need to use a User-Defined search string, be sure you have a check in the User-Defined virus strings check box, located in the Properties window.
When Command's F-PROT Professional locates a file containing a user-defined virus string, it reports that the search string was found: it does not report that the file is infected. Other than notifying the user, no action will be taken on the file.
User-defined virus strings are not supported by either DVP or in scheduled scans.

User-Defined Virus Strings Menu
The example shown above demonstrates how this capability could be used to detect a macro virus.

If you select the Add button, a dialog box opens so that you can enter the name of the virus, the virus string and the type of file that it infects. The options available in the Infects section allow you to select COM files, EXE files and Boot Sectors. Multipartite viruses could infect all three types of files.

ADVANCED

The Advanced menu contains two tabbed pages. One of those pages, the Advanced Options, allows you to choose a quarantine folder to which infected files will be sent. The other tabbed page, Service Account, allows for the modification of service accounts.

Advanced Options Tabbed Page

Choosing the Advanced Options page prompts you for a path to the quarantine folder. By default, Command's F-PROT Professional for Windows NT creates a quarantine folder off the root directory. In the Advanced Options page, entering a path to a different quarantine folder routes infected files to that folder rather than to the default folder. You must have Administrator rights to use this feature.

If you set a path to a different quarantine folder, infected files will be routed to that folder only if the quarantine option has been enabled in Active Protection and/or Properties dialog boxes. Files that were located in a previously defined quarantine directory will not be moved or modified.

Service Account Tabbed Page

The Service Account page provides an administrator the ability to modify an existing account that is used as the service account for scanning network drives. This is the account that would have been set up or specified during installation. One of the modifications that can be made here is the changing of a password.

This dialog box is not used for creating a service account. It merely provides information that Command's F-PROT Professional uses to reference the service account.

HELP MENU

General help for Command's F-PROT Professional for Windows NT can be found on this menu.

Help Menu

INDEX

The Index is an alphabetical list of help topics.

USING HELP

This gives basic instructions for effectively using the help system.

TECHNICAL SUPPORT

This provides phone numbers and electronic methods to obtain technical support.

PERFORMANCE

This provides information regarding the number of viruses detected by Command's F-PROT Professional for Windows NT.

VIRUS INFORMATION

The Virus Information screen provides detailed information on several hundred common virus families and variants.

ABOUT COMMAND'S F-PROT PROFESSIONAL FOR WINDOWS NT

The product version number/scan engine version and copyright information can be found by selecting this menu item or by clicking the question mark button on the toolbar.