README FIRST!: F-Macro

F-MACRO - Scanner and disinfector for MS Word and Excel document macro viruses
Version 2.10, 2.27
Copyright (c) 1997 Command Software Systems, Inc.
Copyright (c) 1997 Data Fellows Ltd.
7/9/97
*********************
PLEASE READ THE NOTES SECTION OF THIS DOCUMENT FOR IMPORTANT INFORMATION
ON THIS VERSION OF F-MACRO. THERE IS A NEW FILE, MACRO.DEF, THAT MUST
BE INSTALLED.
*********************
OVERVIEW
F-MACRO is a DOS program which searches Word 6.x and 7.x document files
for known Word macro viruses and disinfects them by disabling and
overwriting the viral macros. F-MACRO is able to parse the complex OLE2
file structure of Word document files making it very fast and accurate.
F-MACRO also searches Excel, version 5.0 and above, .XL? files for the
Laroux virus.
TECHNOLOGY
This scanning and disinfection technology was developed by Data Fellows
Ltd and Command Software Systems, Inc. for the commercial F-PROT
Professional package. F-PROT Professional for Windows, Windows 95,
Windows NT and OS/2 as well as the realtime Windows VxD scanners have
these macro scanning features built into their normal scanners.
If you are running VxD-based background protection from the F-PROT
Professional suite, you will be notified of infected document files as
soon as you try to open or copy them, or when you receive such a
document as an e-mail attachment or download it from the WWW.
Disinfection can also be done in realtime for users of the Windows 95
product. A VxD-based solution provides significantly better protection
than anti-virus systems relying on the Word macro language.
For more information on the F-PROT Professional suite, see the web site
of Command Software Systems at http://www.commandcom.com, or the web
site of our development partner, DataFellows Ltd., at
http://www.datafellows.com.
USAGE
The list of parameters is available from a help screen in F-MACRO. In
the directory where F-MACRO.EXE is located, type F-MACRO and press
[ENTER].
Give the scan path or drive as the first parameter.
Pressing the ESC key during a scan gives you the option (yes/no)
of aborting the scan.
Options:
        /IDENTIFICATION  List the macro viruses we detect/disinfect
        /DISINF          Disinfect infected documents
        /AUTO            Automatic disinfection, no prompting
        /ALL             Scan files with any extension
        /REPORT=         Send the output to a file
        /APPEND          Used with /REPORT - append to existing report
        /NOSUB           Do not recurse sub-directories
        /LIST            List all scanned filenames
        /BACKUP          Make a copy of the file before disinfecting it
        /REMOVEALL       Deletes all macros in a document (Word only)
        /REMNANTS        Use with the /DISINF switch. Removes any new or
                         modified macro virus variants when found
                         (Word only)
        /RERENAME        Renames filenames changed by an F-PROTW.EXE
                         scan back to their original filenames.
Examples:
     F-MACRO C:
     F-MACRO C:\DOCS /ALL /AUTO
     F-MACRO Z:\USER\INFECTED.DOC /BACKUP /DISINF
F-MACRO.EXE Return Codes
F-MACRO returns the following codes, which you can check with the
ERRORLEVEL command from a batch file. Use this return code in your
AUTOEXEC.BAT file to alert the user if F-MACRO.EXE finds a problem.
       RETURN CODE        DESCRIPTION
           0              Normal exit. No viruses were found.
           1              Abnormal termination - unrecoverable error.
                          This is usually the result of a missing system
                          file.
           3              A macro virus infection has been found.
           6              At least one virus was removed. This code is
                          only meaningful when used to scan a single file.
           8              Found something suspicious. Invalid program
                          files. Usually indicates corrupt files.
           9              Had a problem with at least one file.
F-MACRO.EXE provides return codes in the following priority:
                              1   (error)
                              6   (disinfect)
                              3   (virus found)
                              8   (suspicious)
                              9   (problem)
                              0   (nothing)
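An added example (not part of the original F-MACRO documentation) of the
ERRORLEVEL check described above, as a batch fragment that could be called
from AUTOEXEC.BAT. The install directory C:\F-MACRO and the scan path
C:\DOCS are assumptions. The DOS test IF ERRORLEVEL n is true for any
return code of n or higher, so the codes are tested from highest to lowest.

```batch
@ECHO OFF
REM Added example, not shipped with F-MACRO.
REM Assumed locations: F-MACRO.EXE and MACRO.DEF in C:\F-MACRO,
REM documents to scan in C:\DOCS.
C:\F-MACRO\F-MACRO.EXE C:\DOCS

REM IF ERRORLEVEL n matches n OR HIGHER, so test in descending order.
REM A return code not listed in the table falls into the next lower branch.
IF ERRORLEVEL 9 GOTO PROBLEM
IF ERRORLEVEL 8 GOTO SUSPECT
IF ERRORLEVEL 6 GOTO REMOVED
IF ERRORLEVEL 3 GOTO VIRUS
IF ERRORLEVEL 1 GOTO FATAL
ECHO F-MACRO: no macro viruses found.
GOTO END

:PROBLEM
ECHO F-MACRO had a problem with at least one file (code 9).
GOTO ALERT

:SUSPECT
ECHO F-MACRO found something suspicious, possibly corrupt files (code 8).
GOTO ALERT

:REMOVED
ECHO F-MACRO removed at least one virus (code 6).
GOTO ALERT

:VIRUS
ECHO F-MACRO found a macro virus infection (code 3).
ECHO Close Word and Excel, then run F-MACRO with /BACKUP /DISINF.
GOTO ALERT

:FATAL
ECHO F-MACRO terminated abnormally (code 1). Check that MACRO.DEF
ECHO is in the same directory as F-MACRO.EXE.

:ALERT
REM Stop the boot sequence so the user sees the message.
PAUSE

:END
```

Because of the priority order listed above, a code of 3 from a multi-file
scan does not rule out suspicious or problem files in the same run.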
NOTES:
5/27/96
Product Enhancements:
We added detection for Laroux D in this release.
Fixes: 
In some cases F-Macro would lock up if a corrupt file was encountered.
This is now fixed.
4/9/97
There is now a new file named MACRO.DEF included with the F-MACRO
program. This file contains the macro virus signatures. It must be
in the same directory as F-MACRO.EXE. When virus signature updates 
are made available you will now be able to simply replace the 
MACRO.DEF file. In addition to creating a directory for F-MACRO on
your hard drive, we suggest placing the three files of F-MACRO on a
floppy disk. You will need F-MACRO.EXE, F-MACRO.DEF, and F-MACRO.TXT.
We recommend you make a backup copy of important document files before
disinfecting them.
There were reports of the /BACKUP switch not functioning properly.
This has been fixed for the 1.79c release.
The /REMOVEALL switch can now be used with the /DISINF switch. This
will remove macros only from infected documents. 
Two new switches have been added to F-MACRO for 1.70. These are
/REMOVEALL and /REMNANTS. Note that these two switches apply only to
Word documents.
The /REMOVEALL switch should be used with caution as it will remove ALL
macros from a document, regardless of infection.
The /REMNANTS switch is used in conjunction with the /DISINF switch.
When F-MACRO reports that a document contains a new or modified variant
of a macro virus, or that it contains remnants of a macro virus, this
switch causes F-MACRO to remove ALL the macros in the document. Since
this can adversely affect your NORMAL.DOT files, you need to be
particularly careful when disinfecting your global document templates.
However, whenever F-MACRO finds an exact identification for a macro
virus, it will only remove those macros responsible for the infection.
The /RERENAME switch is used in conjunction with the /DISINF switch.
The function of /RERENAME is to return altered filenames to their
original filenames.  For instance, when F-PROTW.EXE is configured to
rename infected files, it changes the first letter of the file's
extension to a "V".  Thus, an infected file called "DESKTAB.EXE" would be
renamed to "DESKTAB.VXE".  Running F-MACRO with the /RERENAME switch
would revert the filename to DESKTAB.EXE.  Use the /RERENAME switch
with the following syntax:
	F-MACRO /ext=[file extension] /RERENAME /DISINF
For example, to revert files with a "VOC" extension back to their 
original Microsoft "DOC" extensions, you would use the following 
command:
	F-MACRO /ext=voc /RERENAME /DISINF
In order to be able to scan all document files, Word and Excel should
be closed before running F-MACRO; otherwise they will keep NORMAL.DOT
and possibly other files locked. F-MACRO will display a warning message
on such files.
If you have document files with non-standard extensions (something
other than DOC, DOT, XLS, or XLT), use the /ALL parameter to check all
files.
F-MACRO will turn infected documents back to normal document type,
removing the template attribute added by the viruses.
SUPPORT
For general info on macro viruses, see the macro section at
http://www.commandcom.com. For technical support, contact
[email protected].
UPDATES
Updates, when available, can be downloaded from the Command Software
WWW and ftp site.
KNOWN MACRO VIRUSES
For a current list of macro viruses detected by F-MACRO, type:
      F-MACRO /IDENTIFICATION
The Command Software web site has up-to-date descriptions on the
operation and effects of these macro viruses.
LEGAL
F-MACRO is protected by international copyright laws. F-MACRO is (c)
1997 Command Software Systems Inc. and (c) 1997 DataFellows Ltd.; it
is not in public domain or freeware, but you are free to use and share
this software with no charges in non-commercial private use. Use of this
software in other environments is not allowed in the United States of
America, Europe, Asia and Africa,  without a license to F-PROT
Professional or a current license from Frisk Software International.
Please redistribute F-MACRO only with this documentation. You
are not allowed to resell this software for your own profit (normal
copying costs excluded) or claim to hold rights to this software.
Although you may have the right to use F-MACRO, it will remain the
exclusive property of Command Software Systems, Inc., and DataFellows Ltd.
Command Software Systems Inc. and DataFellows Ltd. do not warrant that
the software is error free and we will not cover any costs created by
function or malfunction of this program. Command Software Systems Inc. and
DataFellows Ltd. also disclaim liability for possible consequential
damages. If you cannot agree to these restrictions, you should not use
F-MACRO.
Copyright (c) 1997 Command Software Systems, Inc.
Copyright (c) 1997 DataFellows Ltd.
This documentation adapted from documentation (c) DataFellows Ltd.