Home Page
Site Contents


F-MACRO - Scanner and disinfector for MS Word and Excel document macro viruses
Version 2.10, 2.27
Copyright (c) 1997 Command Software Systems, Inc.
Copyright (c) 1997 Data Fellows Ltd.
F-MACRO is a DOS program which searches Word 6.x and 7.x document files
for known Word macro viruses and disinfects them by disabling and
overwriting the viral macros. F-MACRO is able to parse the complex OLE2
file structure of Word document files making it very fast and accurate.
F-MACRO also searches Excel, version 5.0 and above, .XL? files for the
Laroux virus.
This scanning and disinfection technology was developed by Data Fellows
Ltd and Command Software Systems, Inc. for the commercial F-PROT
Professional package. F-PROT Professional for Windows, Windows 95,
Windows NT and OS/2 as well as the realtime Windows VxD scanners have
these macro scanning features built into their normal scanners.
If you are running a VxD-based background protection from the F-PROT
Professional suite, you will be notified on infected document files as
soon as you try to open or copy them or when you are receiving such a
document as an e-mail attachment or downloading it from www.
Disinfection can also be done in realtime for users of the Windows 95
product. A VxD-based solution provides significantly better protection
than anti-virus systems relying on the Word macro language.
For more information on the F-PROT Professional suite, see the web site
of Command Software Systems at http://www.commandcom.com, or the web
site of our development partner, DataFellows Ltd., at
The list of parameters is available from a help screen in F-MACRO. In
the directory where F-MACRO.EXE is located type: F-MACRO and press
Give scan path or drive as the first parameter.
Pressing the ESC key during a scan will provide you the option (yes/no)
of aborting the scan. 
        /IDENTIFICATION  List the macro viruses we detect/disinfect
        /DISINF          Disinfect infected documents
        /AUTO            Automatic disinfection, no prompting
        /ALL             Scan files with any extension
        /REPORT=         Send the output to a file
        /APPEND          Used with /REPORT - append to existing report
        /NOSUB           Do not recurse sub-directories
        /LIST            List all scanned filenames
        /BACKUP          Make a copy of the file before disinfecting it
        /REMOVEALL       Deletes all macros in a document (Word only)
        /REMNANTS        Use with the /DISINF switch. Removes any new or
                         modified macro virus variants when found 
			 (Word only)
	/RERENAME	 Renames filenames changed by an F-PROTW.EXE 
			 back to their original filenames.
     F-MACRO C:
F-MACRO.EXE Return Codes
F-MACRO returns the following codes, which you can check with the
ERRORLEVEL command from a batch file. Use this return code in your
AUTOEXEC.BAT file to alert the user if F-MACRO.EXE finds a problem.
           0              Normal exit. No viruses were found.
           1              Abnormal termination-unrecoverable error. 
			  This is usually the result of a missing system 
           3              A macro virus infection has been found.
           6              At least one virus was removed. This code is 
                          meaningful when used to scan a single file.
           8              Found something suspicious. Invalid program 
			  files. Usually indicates corrupt files.
           9              Had a problem with at least one file.
F-MACRO.EXE provides return codes in the following priority:
                              1   (error)
                              6   (disinfect)
                              3   (virus found)
                              8   (suspicious)
                              9   (problem)
                              0   (nothing)
Product Enchancements:
We added detection for Laroux D in this release.
In some cases F-Macro would lock up if a corrupt file was encountered.
This is now fixed.
There is now a new file named MACRO.DEF included with the F-MACRO
program. This file contains the macro virus signatures. It must be
in the same directory as F-MACRO.EXE. When virus signature updates 
are made available you will now be able to simply replace the 
MACRO.DEF file. In addition to creating a directory for F-MACRO on
your hard drive, we suggest placing the three files of F-MACRO on a
floppy disk. You will need F-MACRO.EXE, F-MACRO.DEF, and F-MACRO.TXT.
We recommend you make a backup copy of important document files before
disinfecting them.
There were reports of the /BACKUP switch not functioning properly.
This has been fixed for the 1.79c release.
The /REMOVEALL switch can now be used with the /DISINF switch. This
will remove macros only from infected documents. 
Two new switches have been added to F-MACRO for 1.70. These are
/REMOVEALL and /REMNANTS. Note that these two switches apply only to
Word documents.
The /REMOVEALL switch should be used with caution as it will remove ALL
macros from a document, regardless of infection.
The /REMNANTS switch is used in conjunction with the /DISINF switch. 
When F-MACRO reports that a document contains a new or modified variant
of a macro virus, or that it contains remnants of a macro virus, this 
switch causes F-MACRO to remove ALL the macros in the document. Since 
this can adversely affects your NORMAL.DOT's, you need to be particularly
careful when disinfecting your global document templates.
However, whenever F-MACRO finds an exact identification for a macro
virus, it will only remove those macros responsible for the infection.
The /RERENAME switch is used in conjunction with the /DISINF switch.
The function of /RERENAME is to return altered filenames to their 
original filenames.  For instance, when a F-PROTW.EXE is configured to 
rename an infected files, it changes the first letter of the file's 
extension to a "V".  Thus, a infected file called "DESKTAB.EXE" would be 
renamed to "DESKTAB.VXE".  Running F-Macro with the /RERENAME switch 
would revert the filename to DESKTAB.EXE.  To use the /RERENAME switch, 
use it with the following syntax:
	F-MACRO /ext=[file extension] /RERENAME /DISINF
For example, to revert files with a "VOC" extension back to their 
original Microsoft "DOC" extensions, you would use the following 
In order to be able to scan all document files, Word and Excel should 
be closed before running F-MACRO: otherwise it will keep NORMAL.DOT 
and possibly other files locked. F-MACRO will display a warning message
on such files.
If you have document files with non-standard extensions (something
other than DOC, DOT, XLS,or XLT), use the /ALL parameter to check all
F-MACRO will turn infected documents back to normal document type,
removing the template attribute added by the viruses.
For general info on macro viruses, see the macro section at
http://www.commandcom.com. For technical support, contact
[email protected].
Updates, when available, can be downloaded from the Command Software
WWW and ftp site.
For a current list of macro viruses detected by F-MACRO, type:
The Command Software web site has up-to-date descriptions on the
operation and effects of these macro viruses.
F-MACRO is protected by international copyright laws. F-MACRO is (c)
1997 Command Software Systems Inc. and (c) 1997 DataFellows Ltd.; it
is not in public domain or freeware, but you are free to use and share
this software with no charges in non-commercial private use. Use of this
software in other environments is not allowed in the United States of
America, Europe, Asia and Africa,  without a license to F-PROT
Professional or a current license from Frisk Software International.
Please redistribute F-MACRO only with this documentation. You
are not allowed to resell this software for your own profit (normal
copying costs excluded) or claim to hold rights to this software.
Although you may have the right to use F-MACRO, it will remain the
exclusive property of Command Software Systems, Inc., and DataFellows Ltd.
Command Software Systems Inc. and DataFellows Ltd. do not warrant that
the software is error free and we will not cover any costs created by
function or malfunction of this program. Command Software Systems Inc. and
DataFelows Ltd. also disclaim liability for possible consequential
damages. If you cannot agree to these restrictions, you should not use
Copyright (c) 1997 Command Software Systems, Inc.
Copyright (c) 1997 DataFellows Ltd.
This documentation adapted from documentation (c) DataFellows Ltd.