README FIRST!: F-PROT Professional for DOS and 16-bit Windows
README FIRST!

Before installing or running F-PROT Professional for the first time, please verify that your F-PROT Professional disks are write-protected. If you suspect your computer has a virus, boot from a floppy disk that is write-protected and then scan for viruses.

If you are a Windows 95 user, please obtain F-PROT Professional for Windows 95 for complete protection. See additional reference to this later in this file.

For a list of International Distributors of F-PROT Professional, see the DISTRIB.TXT file which is located on the installation diskettes.

There is now a file included on the first installation diskette, called FILEINFO.TXT. It is a list of file descriptions and files that have changed since the previous release.

___

Notes on F-PROT Professional DOS/Windows v.2.27A 8/15/97

PRODUCT ENHANCEMENTS

New virus signatures have been added for this release.

Notes on F-PROT Professional DOS/Windows v.2.27.2 7/14/97

PRODUCT ENHANCEMENTS

There are no new features for this release.

FIXES

There were some reports of GPF's if Microsoft Word was opened twice, or if Word and Excel were opened sequentially. This is now fixed.

There were some reports of a problem disinfecting read-only macro documents. This is now fixed.

We have fixed a problem with a warning message that caused confusion regarding the number of infected macros in a document. The error message and the file name were out of sequence and this made it appear that incorrect information was reported.

SPECIAL NOTES

Notes on F-PROT Professional DOS/Windows v.2.27.1 6/19/97

PRODUCT ENHANCEMENTS

A new virus signature that detects the Plagiarist.5120 virus has been added.

There is a new F-PROT loader program, FP.EXE. This program loads F-PROT.EXE and F-MACRO.EXE in succession making certain that file and macro viruses are found. FP.EXE accepts the same command line parameters as F-PROT.EXE and F-MACRO.EXE, sending the correct switches to each application.
Thus, the user needs to enter only one command line as both applications will run accordingly. FP.EXE is located in the SE_FMAC.EXE self-extracting file.

Notes on F-PROT Professional DOS/Windows v.2.27 6/9/97

PRODUCT ENHANCEMENTS

New virus signatures have been added for this release.

There is a new option, "Remove all macros if variant found", now available for scans. If this option is selected, all macros are removed from any file containing a new or modified variant of a macro virus. The "Remove all..." option is located in the Advanced Options dialog box (Options|Advanced...), in the first section. This new option is only available when the Action to take is "Auto Disinfect" or "Disinfect/Query". If this option is not selected, and the Action to take is "Auto Disinfect" or "Disinfect/Query", files that contain remnants or are variants of macro infections are renamed. This option works the same way as the /REMNANTS switch in F-MACRO.EXE.

Notes on F-PROT Professional DOS/Windows v.2.26 4/9/97

PRODUCT ENHANCEMENTS

New virus signatures have been added for this release.

A new version of F-MACRO is now included in all versions of F-PROT Professional. F-MACRO is a DOS utility that is used to scan for macro viruses in Microsoft Word and Excel files. This can be used from DOS and from a diskette.

As of this release, F-MACRO has an additional file associated with it. That file is named MACRO.DEF. MACRO.DEF contains the virus signatures and must be located in the same directory as F-MACRO.EXE.

The installation of F-MACRO requires that you copy the SE_FMAC.EXE (a self executing zipped file located on the installation diskettes) file to a unique directory. You can then extract it by executing the file. Once SE_FMAC is run, there will be three files, MACRO.DEF, F-MACRO.EXE and F-MACRO.TXT. We recommend that you copy these files to a floppy diskette in addition to leaving them on the hard drive.
BUG FIXES

We received a report of DVP not detecting a macro virus, although detected by the main scanner, when running MSOFFICE and Word from the network. This is now fixed.

We have fixed a problem in DVP concerning the ability to open an .XLS file that was set as read-only.

SPECIAL NOTES

Notes on F-PROT Professional 2.25 DOS/Windows 3.X 2/4/97

PRODUCT ENHANCEMENTS

New virus signatures have been added for this release.

For FPN and AlertTrack users: A new menu item, called "Network", has been added to the "Options" menu in F-PROT Professional for DOS & Windows. If you use F-PROT Professional for NetWare you may use this option to select an FPN server to receive notice of virus infections. Version 2.25 of FPN needs to be loaded to enable this feature, and FPN Administration must be configured to use AlertTrack. If both AlertTrack and FPN are loaded, the message will be sent by the method configured in AlertTrack.

To use this capability, simply select the "Log infections" checkbox. Once you have an "X" in the checkbox, you will be able to select an FPN server from the drop-down list box. Do this for every workstation you want to send an alert from FPN. Alerts will indicate that an infection has been found and will show the SERVER NAME/USER NAME/ADDRESS.

The report file will now display "Scanning inside ZIP files" if they are included as a target to scan.

We have added the ability to disinfect macro viruses in files which have the read-only attribute set.

We have added a new message to inform you if a file cannot be deleted or disinfected because the disk is write protected.

FIXES

A cosmetic problem with F-PROT Professional for DOS macro virus identification has been fixed. If F-PROT Professional for DOS detects a macro virus, a screen displays warning you that you must use either F-MACRO or one of the Windows products to disinfect. The problem was that the display contained extraneous text characters.
SPECIAL NOTES

We have included a beta copy of a new version of the F-PROT for DOS scanner which includes the ability to disinfect macro viruses. This scanner eliminates the need to run an additional scan with F-MACRO, since it contains the same identification and disinfection for macro viruses as F-MACRO, F-PROTW, F-PROT32 and DVP. However, there is no support for the /REMOVEALL and the /REMNANTS switches which are available in F-MACRO.

The beta F-PROT for DOS file is a self extracting file called SE_FPROT.EXE. When it is extracted it will be called F-PROTM.EXE. When it is ready for final release it will be called F-PROT.EXE.

If you are running this beta version of F-PROT for DOS from a floppy disk we recommend a memory manager (such as QEMM, 386^MAX, or HIMEM.SYS (DEVICE=HIMEM.SYS) in CONFIG.SYS) be present to increase the speed of the task. F-PROTM.EXE requires 460 KB of disk space and 444 KB of RAM. The current release version of F-PROT.EXE requires 150 KB of disk space and 412 KB of RAM.

Notes on F-PROT Professional 2.24c DOS/Windows 3.X 9/24/96

Detection and disinfection for both Hare and Laroux (the Excel macro virus) are included with this version of F-PROT Professional for Windows (all platforms). Therefore, it is no longer necessary to scan with F-HARE or F-XL.EXE. We have also added many other new virus signatures.

If you are installing F-PROT Professional for the first time, then the .XL? extension will automatically be in the default list of "Files to scan". If you are upgrading an existing version, and you wish to have files with the .XL? extension scanned, it will be necessary to add this extension to each of the existing scans. To do this, access File/Open from the main menu, then choose the .FPW task you wish to add the XL? extension to. The FPW task you selected will show at the top of the dialog box. Next choose Options/Filename Extensions and type XL? in the blank box for New, select Add and click OK. Choose any additional FPW tasks to change.
You will be prompted to change each task when a new one is selected.

F-MACRO.EXE is now shipped with all F-PROT products. It is a self extracting file called SE_FMAC.EXE. F-MACRO is the DOS utility which can be used to disinfect macro viruses for Word and Excel. Please note that 2 new switches "REMOVEALL", and "REMNANTS" have been added. These new switches are for MS WORD documents only. After exploding the self extracting file, check the F-MACRO.DOC file (a text file) for a full description.

In previous versions of F-PROT Professional for Windows, access to the DVP settings was, by default, denied. The default now is to allow access. If you wish to make them unavailable to a user you must type DVPSET from a DOS prompt. If you want access available again, type DVPSET ADMIN from a DOS prompt.

In order to run the FPWCFG.EXE program, you must have CTL3D.DLL in the current working directory with FPWCFG.EXE or the DLL must be in the Windows\System directory. CTL3D.DLL is installed to the F-PROT directory upon installation.

The Windows real-time protection defaults are set by the AUTOINST.INI file. In this file under the preferences section, there is a new entry which is ScanOnCreateRename. The default setting is OFF. If set to ON, the real-time protection will scan files when they are created or renamed as well as when they are opened or executed. This is recommended if you save e-mail attachments. If you want it set to ON it should look as follows:

set=F-PROTW.CFG|Protection|ScanOnCreateRename|1

In this release we have changed the default method DVP uses when scanning for macro viruses. There are two methods DVP can use. By default we now search for macro viruses with a signature search. The main advantage of this "safe" method is there is less chance of compatibility issues with corrupted documents or other software.
The other method uses OLE technology, provides better identification and is much faster; however, some people have reported compatibility issues, which we are investigating. If you prefer to use the OLE type of scan (which is what was used in release v.2.23a) you will need to have the following entry in your FPROTW.INI file, which is located in the Windows directory.

[Scan]
DocScanSafeModeGK=0

(For the "safe" mode DocScanSafeModeGK=1 is used)

F-PROT PROFESSIONAL for DOS

We have added some new return codes for F-PROT.EXE. RETURN CODE 90 indicates that a macro virus may have been found. The return codes (0-8) which currently exist will function as usual. However, if there is a macro virus detected, the second digit following the 9 will indicate the return code. For example, 3 indicates a boot/file virus has been found. If the return code is 93 it means that a macro virus was also found.

If you will be scanning Excel files for Laroux with the DOS version of F-PROT, please be advised that detection but not disinfection is offered. Be sure to add the XL? extension to any existing scans. The /DOC switch will also scan all XL? files plus DOC files, in this version.

Notes on F-PROT Professional 2.23a DOS/Windows 3.X 8/16/96

There have been limited reports worldwide of the Hare virus. We encourage you to use our utility, F-HARE, which detects and disinfects the three variants of the virus. While we do not anticipate a high volume of Hare incidence, we want our customers to avail themselves of the F-HARE utility. The F-HARE utility is contained in the self-extracting file SE_FHARE. It can be executed without installation and distributed via e-mail, throughout your enterprise. When the F-HARE utility is executed memory will be scanned.
To scan drives the usage is:

F-HARE Drive [/DISINF] [/NOMEM] [/MULTI]

The following is to inform you about the virus: Hare (also known as HDEuthanasia and Krsna) is a polymorphic, stealth, multi-partite virus that was initially distributed via the Internet. It overwrites the contents of hard disks and floppy disks and is Windows 95 aware. The Hare virus will trigger on August 22nd and September 22nd. Please report any virus incidents to [email protected]

We have added new virus signatures.

There is a new macro virus which is designed to work in spreadsheets created by Excel 5.0 or greater. This virus is named Laroux. At present it does not do any damage to files, but simply attaches and spreads. If you have a concern you will need to include the following hex string in your User-defined Virus strings dialogue box, located under the Options menu. You must also select "Targets to Scan" from the Options menu and select the "User-Defined Virus String" check box.

0021 0060 0027 206A 0020 206A 00AD 0001 005C 0011

(DO NOT use the spaces shown; they are only for ease of reading)

Disinfection is not available in our scan engine at this time. However, there is a file called F-XL.EXE located on our FTP and BBS, which will disinfect. If you discover this string in an Excel file please call Technical Support at 1-800-423-9147.

We no longer rely on STORAGE.DLL and COMPOBJ.DLL. This was changed because scanning a corrupt .DOC file would cause the scanner to crash.

***NOTE: If you are using Microsoft Word 6.0c, and previously installed F-PROT 2.22.2 you may get GPF's. This is because we replaced the old STORAGE.DLL and COMPOBJ.DLL with newer versions which are not compatible with Word 6.0c. Replace STORAGE.DLL and COMPOBJ.DLL with the .DLL's from a system that does not have the F-PROT 2.22.2 update. We are supplying a file available from both our FTP and BBS, located in the F-PROT library, which will replace these files. This file is available as WORDDLL.EXE or WORDDLL.ZIP.
After macro virus disinfection, if a document was originally created with "Allow Fast Saves" enabled, F-PROT will compress it. There have been rare cases when this causes a document to become corrupt. To prevent this from occurring we will now check the file first, and you will see an error message which says "This document could not be safely compressed, though it has been disinfected. Please send a copy of this document to Command Software Systems for analysis."

Should you see this message, you may get a false positive if scanning with F-PROT for DOS or F-PROT for NetWare. The file is disinfected. To eliminate the false positive, you may wish to do the compression manually as follows: Turn off the "Allow Fast Saves" check box (Tools/Options/Save tab) and resave the document. This will remove the fragments which are left in a document when "Allow Fast Saves" is used.

We have fixed a bug which was preventing .DO? files, which were located in zip files, from being scanned for macro viruses.

We have also fixed a bug so that .DO? files will automatically be included when a new scan is created.

NOTES ON DVP-Dynamic Virus Protection

1. F-PROT's DVP Settings dialog box (accessed by double clicking on F-Agent icon) now has a "More" button. When you click it, the program brings up another dialog box. In this box, scans can be set to run on files that were created or renamed. This dialog box also allows you to search for macro viruses, and adjust the visual display options. These settings were previously stored in F-PROTW.INI as undocumented options; they are now stored in F-PROTW.CFG.

2. A setting called LoadDelay= has been added to the F-PROTW.INI [Gatekeeper] section. The setting is used to delay the loading of DVP. This feature can be useful when many applications are loaded at Windows startup, and there is not enough conventional memory available. DVP's loading can be delayed until more memory becomes available.
For example, adding:

[Gatekeeper]
LoadDelay=5

would allow 5 seconds before DVP loads. By default this setting is 0.

3. After a boot sector infection has been detected and the user clicks "OK" in the message box, the boot sector is scanned again to make sure that the user has removed the infected diskette. The user will not be allowed to continue using the computer until the diskette has either been removed or replaced by a clean diskette.

Note for F-PROT for DOS users: F-PROT for DOS provides macro virus identification only. Disinfection must be accomplished using the Windows program or F-MACRO. This is due to memory requirements needed for macro disinfection. In order to keep F-PROT.EXE smaller in size, we have not included the disinfection capability. For disinfection you may download F-MACxxx.EXE from our BBS (main file library) or FTP (pub directory) site, or use the Windows program.

We have fixed the following: If VIRSTOP.EXE was run prior to running Windows, pressing Ctrl+Alt+Del with a floppy in the drive, could produce a false positive report which indicated a boot sector infection.

Notes on F-PROT Professional 2.22.2 DOS/Windows 3.X 5/14/96

F-PROT now provides Microsoft Word Macro virus disinfection and improved macro virus identification. F-PROT (F-PROTW.EXE) will defragment or compress disinfected documents. This prevents any remnants of the original virus from remaining in the file for other anti-virus products to incorrectly detect. DVP (the real-time protection) will provide macro identification, but you will need to use the F-PROT program to disinfect.

Known problem: A false positive could cause us to corrupt a document during disinfection. There has only been one occurrence of this, but please make backups before disinfecting. Please make us aware if you encounter this.
Please note: If you have disinfected a .DOC file using another anti-virus product or WVFIX and the "Allow Fast Saves" check box was enabled in Word, then scanning with F-PROT for DOS may give you a false positive. If F-PROT for Windows does not report an infection then the file has been disinfected. Turn off the "Allow Fast Saves" check box (Tools/Options/Save tab) and resave the document. This will remove the fragments which are left in a document when "Allow Fast Saves" is used.

AS400 USERS: If you experience problems connecting with AS400, please do the following: There is a file named F-PROTW2.386 which can be renamed to F-PROTW.386. Just replace the existing F-PROTW.386 which is in the F-PROT directory.

F-PROT for DOS has a new environment variable.

SET FP-ACCESS=1

If this is set, F-PROT will preserve the last access date (which is used by backup software) and compressed or migrated files will be skipped. This works the same as the /ACCESS switch. Either may be used. If both the /ACCESS switch and the environment variable are used, then the last access date is preserved. If neither is used, the last access date will not be preserved.

Notes on F-PROT Professional 2.22 March 22, 1996

Virus descriptions may contain offensive language which is a reflection of the actual text contained within the viruses and not our description of the viruses.

The files that have the prefix SE_ are self extracting zip files. This has replaced compressed files. Some helpful files are: se_eicar.exe (a test virus to demonstrate how F-PROT reacts to real viruses), se_wvfix.exe (a Word document designed by Command Software as a counter measure against the WinWord.Concept and WinWord.Nuclear macro viruses), se_vers.exe (checks product versions), and se_util.exe (for Multi-platform users. This file contains its own readthis.bat file for viewing and instructions.) These files are located on the third diskette.

The extension DO?
has been added to the F-PROT for Windows FPW files for checking for macro viruses. If F-PROT is being upgraded, the install FPW files will not be copied to the hard drive, so you must add the DO? extension to the FPW files. This is done by opening an FPW file and adding DO? in File Extensions under the Options menu.

Additional virus signatures have been added.

A beta version of VIRSTOP, called VIRSTOP2 is now available. This version uses a different scheme for scanning files, so memory swapping no longer occurs. If you've been experiencing lockup problems with the current VIRSTOP, try this version. Note that since this is beta, it does not offer the same functionality as the regular VIRSTOP. If a virus is found in Windows, both DVP and VIRSTOP will report it. The options are hard-coded and can be viewed by running VIRSTOP2.

If you're using VIRSTOP with the /AUTOHOOK switch and experience a lockup when Windows loads, make sure you execute a program after NETX.EXE and prior to running WIN.COM. If this is a problem, then don't use /AUTOHOOK, but instead use VIRSTOP /REHOOK prior to loading Windows.

___

Notes on F-PROT Professional 2.21b February 28, 1996

Virus detection has been increased on the OneHalf virus.

The DVPSET file has been corrected so that when it is executed it no longer places the extra spaces in the WIN.INI.

There are currently incompatibilities with VIRSTOP and RPRINTER. If VIRSTOP is executed after RPRINTER, RPRINTER will not work and vice versa.

If you wish to NOT scan document files in the command line mode, one must use the /NODOC switch with F-PROT.

DVP scans for document macro viruses by default. The feature can be disabled by writing in F-PROTW.INI:

[Gatekeeper]
SearchForDocumentMacroViruses=0

___

Notes on F-PROT Professional 2.21a January 30, 1996

Addition of new virus signatures to the scan engine. The list of new signatures that F-PROT now detects includes the new Word macro virus called HOT.
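
The settings described in the notes above (LoadDelay and SearchForDocumentMacroViruses under [Gatekeeper], DocScanSafeModeGK under [Scan], and the ScanOnCreateRename line in AUTOINST.INI) can be checked across workstations with a small script. This is an added example, not part of the original README or of F-PROT; the "[Preferences]" header name, the general "set=FILE|Section|Key|Value" layout (taken from the single line shown above) and the sample file contents are assumptions.

```python
# Added example: report F-PROT settings that turn a scan off or differ from
# the defaults/recommendations stated in these release notes.
# SAMPLE_* contents are constructed for illustration, not real configuration.

SAMPLE_FPROTW_INI = """\
[Gatekeeper]
LoadDelay=5
SearchForDocumentMacroViruses=0

[Scan]
DocScanSafeModeGK=1
"""

# "[Preferences]" is an assumed header name for the preferences section.
SAMPLE_AUTOINST = """\
[Preferences]
set=F-PROTW.CFG|Protection|ScanOnCreateRename|0
"""


def parse_ini(text):
    """Parse Windows 3.x style INI text into {section: {key: value}} (lower-cased names)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def parse_autoinst_sets(text):
    """Collect 'set=FILE|Section|Key|Value' lines into {(file, section, key): value}.
    The layout is assumed from the one example line in the notes."""
    out = {}
    for raw in text.splitlines():
        name, _, rest = raw.strip().partition("=")
        if name.strip().lower() != "set":
            continue
        parts = rest.split("|", 3)  # the value may itself contain '|'
        if len(parts) == 4:
            f, s, k, v = (p.strip() for p in parts)
            out[(f.lower(), s.lower(), k.lower())] = v
    return out


def audit(fprotw_ini_text, autoinst_text):
    """Return a list of findings for the settings named in the release notes."""
    findings = []
    ini = parse_ini(fprotw_ini_text)
    gatekeeper = ini.get("gatekeeper", {})
    scan = ini.get("scan", {})
    if gatekeeper.get("searchfordocumentmacroviruses") == "0":
        findings.append("DVP macro virus scanning is disabled")
    delay = gatekeeper.get("loaddelay", "0")
    if delay.isdigit() and int(delay) > 0:
        findings.append(f"DVP loading is delayed by {int(delay)} s")
    if scan.get("docscansafemodegk") == "0":
        findings.append("DVP uses the OLE macro scan instead of the safe signature search")
    sets = parse_autoinst_sets(autoinst_text)
    if sets.get(("f-protw.cfg", "protection", "scanoncreaterename"), "0") != "1":
        findings.append("files are not scanned on create/rename")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FPROTW_INI, SAMPLE_AUTOINST):
        print(finding)
```
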
___

Notes on F-PROT Professional 2.21.3 January 12, 1996

Some reported false positives were addressed in this release.

___

Notes on F-PROT Professional 2.21.2 January 9, 1996

A correction in the DUNZIP.DLL for windows has been added. A problem that occurred when a person tried to install F-PROT from DOS after using ONEDISK.BAT has been resolved. A minor adjustment to FIXDISK has also been made.

In addition, the DVP can now accept a custom message to display after an infection has been found. This message can be set prior to installation by changing the AUTOINST.INI file found on the first diskette or after installation by modifying the AUTOINST.INI file in the F-PROT directory and then running DVPSET.BAT. In the latter case, DVP must be disabled then enabled before the message will be displayed. This can be done by restarting Windows or through F-AGENT.

The area in the AUTOINST.INI to be changed is in the Preferences section of the INI file. The last two settings affect the messaging. Change the setting F-PROTW.CFG|F-PROTW.CFG|Scanning|ShowMsg|0 to F-PROTW.CFG|Scanning|ShowMsg|1 to turn on the messaging. Place the message that you want to appear in the setting F-PROTW.CFG|Scanning|Msg|Message Text Here. If you wanted to display "Please call the help desk at 1-800-INF-ECTD" the line would read

F-PROTW.CFG|Scanning|Msg|Please call the help desk at 1-800-INF-ECTD

___

Notes on F-PROT Professional 2.21.1

Corrected a false positive with VIRSTOP. It reports a boot sector virus on floppy disks. There is a new VIRSTOP located on our BBS and FTP in the standard F-PROT directory for people who have already downloaded the 2.21.

___

Notes on F-PROT Professional 2.21

Corrected a problem occurring with DVP and WVFIX.

The WINWORD.COLORS virus is detected. If your configuration is already setup, please remember to add DO? to the executable extensions so F-PROT will scan the DOC and DOT files for the WinWord macro files.
Also, if the [Gatekeeper] "HighPriorityLoad=1" parameter is set in F-PROTW.INI, DVP will load without yielding in memory scan and splash screen. This feature is useful when systems are low on conventional memory during Windows startup, or if some application started at Windows startup is in conflict with DVP. If enabled, A-PROT.EXE will load DVP's DLLs, then start memory scan, and then show the splash: other applications can not be started until the memory scan and splash screen are finished.

New options have been added to the DVP real-time protection:

(1) Scans for document macro viruses by default. The feature can be disabled by writing in F-PROTW.INI:

[Gatekeeper]
SearchForDocumentMacroViruses=0

(2) A-PROT.EXE accepts the /nomem switch to disable memory scan.

(3) A-PROT.EXE accepts the @0 switch to disable the splash screen.

(4) Fixed bug which caused the "SIGN.DEF checksum 1 errors".

Note: DVP is currently called from the WIN.INI and the WIN.INI does not allow programs to accept command line switches. To get DVP to use command line switches, create an icon for DVP in the STARTUP group with the options added to the command line.

___

If a user starts having memory problems in Windows, go into the F-AGENT icon and turn off