F-Secure Anti-Virus for Windows Servers Administrator's Guide
"F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure product names and symbols/logos are either trademarks or registered trademarks of F-Secure Corporation. All product names referenced herein are trademarks or registered trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of others. Although F-Secure Corporation makes every effort to ensure that this information is accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in this document without prior notice. Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of F-Secure Corporation. Copyright 1996-2004 F-Secure Corporation. All rights reserved. #12000071-3F08
Contents

1. Welcome ... 1
   Today's Challenges ... 1
   The Solution ... 1
   1.1 F-Secure Anti-Virus ... 1
       Administration ... 2
       Local Interface ... 2
2. Installation ... 3
   2.1 System Requirements ... 3
   2.2 Remote Installation ... 4
       F-Secure Policy Manager ... 4
   2.3 Installation ... 5
       Remote Installation ... 5
       Local Installation ... 6
3. Centrally Managing F-Secure Anti-Virus ... 9
   3.1 F-Secure Policy Manager Console Features ... 9
       Configuring Settings ... 9
       Operations ... 10
   3.2 Settings ... 11
       Operations ... 20
       Statistics ... 22
4. Using F-Secure Anti-Virus ... 30
   4.1 Real-Time Protection ... 30
   4.2 Scanning for Viruses Manually ... 31
       Shortcut Menu ... 32
       Status Indicator ... 33
       Windows Start Menu ... 34
   4.3 How Disinfection Wizard Removes a Virus ... 35
   4.4 F-Secure Anti-Virus Local Settings ... 40
       Statistics ... 40
       Real-Time Protection ... 41
       Manual Scanning ... 45
       Updates ... 48
5. Updating Virus Definition Databases ... 49
   5.1 Update Methods ... 49
Appendix A. Parameters & Return Codes ... 54
   Using Command-Line Scanner ... 54
   Command-Line Scanner Parameters ... 56
   Command-Line Scanner Return Codes ... 57
Appendix B. F-Secure Anti-Virus for DOS ... 61
   Installation ... 62
   Scanning for Viruses ... 62
   Updating ... 62
   Command-Line Options ... 63
   Error Codes ... 64
Technical Support ... 67
   Web Club ... 67
   Virus Descriptions on the Web ... 68
   Electronic Mail Support ... 68
About F-Secure Corporation ... 71
The F-Secure Product Family ... 72
1. Welcome

Today's Challenges

Seven to ten new viruses are found each day, some of them with the ability to spread globally within hours. If a virus enters the corporate network, fighting against it can be very costly, difficult and time consuming. Virus infections often cause big financial losses due to network disruptions, decreased productivity, corrupted data and leaks of confidential data. Also, the company reputation can be in danger if it spreads viruses to its business associates.

The Solution

F-Secure Anti-Virus for Windows Servers ensures that users who connect with infected machines to the corporate file servers do not spread viruses to others on the network. With F-Secure, antivirus protection is fast, efficient and easy. Antivirus installations and management can be done remotely from one central location.

1.1 F-Secure Anti-Virus

F-Secure Anti-Virus has an easily accessible user interface, which not only provides important update information, but also makes it possible for users to perform manual scans. You do not have to worry about updating the virus definition databases manually; F-Secure Anti-Virus together with F-Secure BackWeb makes sure that the databases are kept up-to-date.

F-Secure Anti-Virus provides the network administrator with comprehensive security management features and a three-tier architecture that will scale from a small LAN with only a few workstations, all the
way up to a large WAN with hundreds of thousands of nodes distributed around the globe. Every major function of F-Secure Anti-Virus is transparent to the user, which reduces maintenance costs.

Software distribution and alerting functions are based on a three-tier system that uses the HTTP protocol to work in any TCP/IP network. The HTTP protocol will work easily with your existing routers, firewalls, and other components of your network infrastructure.

Administration

The F-Secure Policy Manager Console utility provides central administration under a three-tier management architecture. The administration tasks include software distribution, updating, alerting, and configuration management.

- F-Secure Anti-Virus is scalable to enterprise-wide networks through distributed F-Secure Policy Manager Servers and the HTTP protocol.
- F-Secure Management Agent provides statistics from each workstation and sends alerts when a virus is found.
- The administrator can create and distribute policies that specify different settings for manual scans and real-time protection.
- Alerts, reports, and messages are viewed in F-Secure Policy Manager Console.
- Improved support for the industry-standard SNMP protocol.
- Installation and updates are supported under the Microsoft Systems Management Server (SMS) on Windows networks.

Local Interface

- A new and simple user interface makes the most common functions available from a shortcut menu.
- A new Disinfection Wizard guides the user through the removal of viruses from the system.
- The new and easy-to-use virus information database on the F-Secure Web site can be conveniently accessed.
- All F-Secure Anti-Virus settings can be centrally managed by the administrator. The administrator can determine what is visible in the user interface, thus controlling the level of transparency to the user.
2. Installation

This chapter describes the different installation methods for system administrators who need to install F-Secure Anti-Virus with centrally managed features.

2.1 System Requirements

Operating System:
- MS Windows NT Server 4.0 with Service Pack 6 or later
- MS Windows 2000 Server with Service Pack 3 or later
- MS Windows 2000 Advanced Server with Service Pack 3 or later
- MS Windows Server 2003, Standard Edition with latest service pack
- MS Windows Server 2003, Enterprise Edition with latest service pack

Processor: Intel Pentium processor

Memory:
- 64 MB for Windows NT Server 4.0
- 128 MB for Windows 2000 Server, Windows Server 2003

Free Hard Disk space: Approximately 30 MB; 60 MB during installation
2.2 Remote Installation

Remote installation is recommended for network environments with more than 50 hosts. This installation method uses F-Secure Policy Manager to push F-Secure Anti-Virus to the hosts. This section describes what F-Secure Policy Manager is and how it works, and what the installation order is. Please read the F-Secure Policy Manager manual on the F-Secure CD if you are not familiar with F-Secure Policy Manager.

F-Secure Policy Manager

F-Secure Policy Manager provides a scalable way to manage the security of multiple applications on multiple operating systems from one central location. F-Secure Policy Manager can be used to keep security software up-to-date, manage configurations, oversee enterprise compliance and be scaled to handle even the largest, most mobile workforce. F-Secure Policy Manager provides a tightly integrated infrastructure for defining security policies, deploying both policies and application software to local and remote systems, and monitoring the activities of all systems in the enterprise to ensure compliance with corporate policies and centralized control.

F-Secure Policy Manager consists of the following architectural components:
- F-Secure Policy Manager Server
- F-Secure Policy Manager Console

F-Secure Policy Manager Console can be run on several different platforms. It can be used to remotely deploy F-Secure Management Agent on other hosts with no need for local login scripts, rebooting, or any actions by the end user.

F-Secure Management Agent handles all management functions on local hosts. It provides a common interface for all F-Secure applications, and operates within the policy-based management infrastructure to enforce the policies set by the administrator.

Policy-Based Management

F-Secure Policy Manager uses a concept known as policy-based management.
A security policy is a set of well-defined rules that regulate how sensitive information and other resources are managed, protected, and distributed. F-Secure Policy Manager uses policies that are configured by the administrator centrally.
This enables the most effective control over security in a corporate environment. Policy-based management implements many functions, including:
- Remotely controlling and monitoring the behavior of the products.
- Monitoring statistics provided by the products and F-Secure Management Agent.
- Remotely starting predefined operations.
- Transmitting alerts and notifications from the products to the system administrator.

Information between F-Secure Policy Manager Console and the hosts is exchanged through the transfer of policy files.

NOTE: The management architecture is covered in detail in the F-Secure Policy Manager Administrator's Guide available on the F-Secure CD. Please refer to the manual if you are not familiar with the F-Secure Policy Manager product.

2.3 Installation

F-Secure Anti-Virus for Windows Servers provides real-time protection for the entire corporate network by protecting information stored on your server. It protects the server by automatically searching for viruses in every file that is being accessed from any host connected to the server. If a virus is found in a file, access to that file is blocked. F-Secure Anti-Virus provides extensive logging, communication and administration features, making the administrator's job easier, simpler, and safer. F-Secure Anti-Virus supports all Windows-compatible networks and integrates with F-Secure Policy Manager.

Remote Installation

You need to have F-Secure Policy Manager already installed before you can install F-Secure Anti-Virus. If F-Secure Policy Manager is not installed, install the components in the following order:

Step 1: Install F-Secure Policy Manager Server.
Step 2: Install F-Secure Policy Manager Console.
Step 3: Install F-Secure Management Agent.
Step 4: Install F-Secure Anti-Virus.

The following list describes which components are installed on the network computers:
1. Administrator's machine: F-Secure Policy Manager Console controls all the hosts remotely.
2. Policy Manager Server: The Web server that enables communication between hosts and the administrator's machine.
3. File Servers: Servers running Windows NT 4.0 or Windows 2000/2003 operating systems. F-Secure Management Agent must be remotely installed on the hosts before F-Secure Anti-Virus can be installed remotely.

Local Installation

To install the software from the F-Secure CD directly, do the following:

Step 1: Insert the F-Secure CD in the CD-ROM drive.
Step 2: Choose Corporate Use and click Next to continue.
Step 3: Click on Anti-Virus Solutions listed under Install Security Software.
Step 4: Enter the keycode you received with your software and click Next to continue.
Step 5: Click on the product name to start the installation.
Step 6: When prompted for the Administration Method, choose Centralized Administration Through Network.
Step 7: Under Choose Products to Install, be sure to select the F-Secure Management Agent checkbox. F-Secure Management Agent handles communication between the administrator and the host.
Step 8: If you have had F-Secure Anti-Virus previously installed on the server, you are now given an opportunity to add components or to re-install all components.
Step 9: When installing F-Secure Anti-Virus, sometimes it may be necessary to change public-key settings and communication settings. You can keep the existing settings or you can define new settings. If you decide to keep the existing settings, the next screen will display the list of changes to the system and the installation will be complete. Otherwise, proceed to Step 10.
Step 10: Enter the path to the public Management Key that you created during the F-Secure Policy Manager Console setup. Click the Browse button to search for this key. You can transfer the key to the host by using any of the following methods:
   1. Use a shared folder on the file server, or
   2. Use a floppy disk, or
   3. Send the key as an attachment to an e-mail message.
Step 11: If you are using F-Secure Policy Manager Server with the HTTP protocol, you only need to enter the Web address of the server to complete the installation. If you are using the shared Communication Directory to administer the hosts, you have to enter the user name and password for the domain user account that you created for accessing the Communication Directory on the file server. See the F-Secure Policy Manager Administrator's Guide for more information.
Step 12: After you have entered all the information, the changes to your system will be displayed, and you can finish the installation by clicking Finish.
3. Centrally Managing F-Secure Anti-Virus

This chapter describes the F-Secure Policy Manager Console settings and operations. For detailed information on the F-Secure Anti-Virus settings, operations and statistics, see Settings on page 11.

In order to distribute F-Secure Anti-Virus and policies to hosts, F-Secure Policy Manager must be installed on an administrator's machine, and F-Secure Management Agent must be installed on the hosts. For more information on installing F-Secure Policy Manager, see F-Secure Policy Manager on page 4.

3.1 F-Secure Policy Manager Console Features

Configuring Settings

The behavior of F-Secure Anti-Virus is determined by settings stored in policy files. All of the settings can be configured centrally using F-Secure Policy Manager Console. Most of the settings can be viewed at the host using F-Secure Settings and Statistics, which can be launched by double-clicking the F icon in the system tray, or by double-clicking the Status Indicator icon. For more information on the settings that can be configured, see Settings on page 11. For information on using F-Secure Policy Manager Console to change settings, see the F-Secure Policy Manager Administrator's Guide.
Operations

Operations are tasks that the administrator can launch on hosts through F-Secure Policy Manager Console. To display a list of available operations for F-Secure Anti-Virus, select a domain or host in the Domain pane of F-Secure Policy Manager Console, and open the Operations folder in the Product pane. This will display a list of available operations for F-Secure Anti-Virus. When you have selected an operation, click Start to start it. An operation is not actually started until you have distributed the policy and the hosts have received it. You can undo an operation before you have distributed the policy to the hosts.

Launching a Manual Scan

To launch a manual scan of all the hard disks on any host or logical domain, do the following in F-Secure Policy Manager Console:
1. In the Domain pane, select the domain.
2. In the Product pane, browse to Operations and choose Launch Manual Scanning.
3. Click Start. This will force the host to perform a manual scan on all hard disks, according to the manual scanning settings on each host.

NOTE: Using this feature will force the host to scan all the local hard drives. Scanning all the local hard drives usually takes a long time, so this feature should not be used carelessly.

Distributing Virus Database Updates

You can force a host to get new updates of the virus definition databases. To do this, follow this procedure using F-Secure Policy Manager Console:
1. In the Domain pane, select the domain that will receive the update.
2. In the Product pane, browse to Operations, and choose Get Virus Database Update.
3. Click Start. The hosts will retrieve the latest virus signature database files from the F-Secure Policy Manager Server.
4. Distribute the policy.

To automatically update the virus database files on the F-Secure Policy Manager Server, go to http://www.f-secure.com/download-purchase/updates.html and download the F-Secure Anti-Virus Update utility. In order to use the automatic database updates, hosts must have both read and write rights to the folder Program Files\F-Secure Anti-Virus and the directory Program Files\F-Secure\Common\commdir and their subdirectories.

NOTE: Distributing virus definition databases is not usually needed, since the default setting for centrally managed hosts is to get the updates automatically; the administrator only has to make sure that the updates are downloaded to the F-Secure Policy Manager Server regularly.

3.2 Settings

F-Secure Anti-Virus settings can be modified in F-Secure Policy Manager Console through the Policy tab of the Properties pane. New settings will take effect only after the modified policy has been distributed to the hosts. The settings listed below are for Language, Plug-Ins, Virus Definition Database Updates, Real-Time Protection, Manual Scanning and Scheduler.

Language

Language used in the user interface of F-Secure Anti-Virus.

Plug-Ins

Opens a table of plug-ins you have installed for F-Secure Anti-Virus. Plug-ins can include third-party scanning engines. The table below describes settings that can be made for each plug-in. Settings followed by an asterisk (*) should not be changed.
To disable a scan engine, change its "Status" value to "Disabled" and distribute the policy. The given scan engine will be disabled on the hosts and it will cease to consume CPU and memory resources.

NOTE: Virus protection will be effectively removed if all scan engines are disabled.

Virus Definition Database Updates

The polling interval is specified in F-Secure Management Agent Settings, under Communications > Protocols > Incoming Packages Polling Interval. For more information about F-Secure Management Agent, see the F-Secure Policy Manager Administrator's Guide.

Setting / Definition:
- Poll Automatically: (Default = Enabled).
- Launch Scan After Update: (Default = Disabled). The host will be scanned immediately after being updated with a new virus database.
- Information Site: The URL path to an ISP (Internet Service Provider) defined information site, where users are directed after pressing the More Information button in the Update page of the F-Secure Anti-Virus Properties pane.

Update Reminder

Setting / Definition:
- Reminder Status: (Default = Disabled). Enables the automatic virus definition database update reminders. If this status has been disabled, the user cannot access the "Remind me about updates every X days" check box in the Updates page of the Properties pane.
- Reminder Interval: (Default = 7 days). Specifies how often an update dialog appears. If the above Reminder Status is disabled, this setting is also disabled.
- Allow Manual Updates: (Default = Disabled). Specifies whether manual updates are available to the user or not. If this feature is not available, the Update Reminders dialog and the Update Now button in the Update page of the F-Secure Anti-Virus Properties pane cannot be used.
- Force URL: URL for virus signature database downloads.

Alert Administrator When Databases Are Old

Setting / Definition:
- Send a Trap When Databases Are Old: (Default = Enabled). Specifies whether a trap is sent to the administrator when the virus definition databases have become old.
- Number of Days for Databases to Become Old: (Default = 30 days). This value (number of days) specifies when the virus definition databases are considered old. An alert will be sent to the administrator when the latest database has become older than the specified number of days.

Visual

Setting / Definition:
- Status Indicator: (Default = Enabled). The Status Indicator is an icon in the System Tray that shows the state of real-time protection to the user.

Settings for Real-Time Protection

Setting / Definition:
- Scanning Enabled: Activates real-time scanning for viruses.
- Memory Scan: Specifies whether system memory will be scanned for viruses at start-up.
- Boot Sector Scanning: Allows you to set the following options:
   - Action on Infection. Specifies the action taken when an infection is detected. Set by default to Disinfect Automatically.
   - Scan Floppy Disk Boot Sectors.
   - Scan Floppy Boot Sectors on Shutdown. This is done to prevent boot sector viruses from spreading.
- File Scanning: Allows you to set the following options:
   - Scan Files. Specifies which files to scan. This can be all files, or only files with extensions that are listed under Inclusions and Exclusions (see below).
   - Action on Infection. The action taken when a virus is detected. The action value "Default" means that the action as defined here under this setting will be applied. Set by default to Disinfect Automatically.
   - Scan Network Drives. When enabled, F-Secure Anti-Virus real-time protection scans files accessed over the network (Default = Enabled).
   - Scan when Created or Modified. (Default = Enabled).
   - Scan Inside Archives (Default = Disabled). Scan inside archived files, such as ZIP, ARJ, LZH, TAR, TGZ, GZ, CAB, RAR, BZ2, MSI, Z and JAR. This depends on the setting Included Extensions for Compressed Files.
- Inclusions and Exclusions: Specifies files to be scanned or excluded from scanning. If this option is enabled, objects or file extensions can be specified to determine which files will be scanned or excluded from scanning. Options:
   - Included Extensions = list of extensions included
   - Included Extensions for Compressed Files (Default = ZIP ARJ LZH TAR TGZ GZ CAB RAR BZ2, MSI, Z and JAR)
   - Add Extensions Defined in Database Updates (Default = Enabled)
   - Excluded Extensions Enabled (Default = Disabled)
   - Excluded Extensions
   - Excluded Objects Enabled (Default = Disabled)

Actions, Advanced

These advanced settings specify the behavior of the software when detecting infected files with real-time scanning. Under normal conditions, it is not necessary to change the default settings under this branch.

Actions Entry / Definition:
- Index: The index column.
- Action Description: Verbal description of the action. This does not affect the operation of the software in any way.
- Primary Action: Primary action to be carried out if the specified conditions are met. If the primary actions are set to something other than "Default", the action as specified by the "Action on Infection" setting has no effect. This means that any action the user selects from the F-Secure Anti-Virus user interface will be overridden by the action specified in this table. In case the primary actions in this table are set to something other than "Default", it is recommended to change the "Action on Infection" setting to match the selected primary action in this table, and to set the access restriction of the "Action on Infection" setting to "Final".
- Secondary Action: The secondary action is carried out in case the primary action fails.
- File State: Condition specifying the file state. Can be Undefined, Existing or Created.
- User State: Condition specifying the user state. Can be Undefined, Logged On or Not Logged On.
- File Type: Condition specifying the file type. Can be Undefined, OLE or Mailbox.

Actions, Advanced; User Input Timeouts

User Input Timeout Setting / Definition:
- Ask After Scan Timeout: (Default = 5). Specifies a timeout value in minutes; the setting will be used if the action to be carried out on an infected file has been specified as "Ask After Scan". A value of zero means that the action prompt will never time out.
- Ask After Scan Timeout for New Infected Files: Same as Ask After Scan Timeout, but applies to infections found in new files created on the system.

Settings for Manual Scanning

Setting / Definition:
- Memory Scan: Specifies whether the system memory will be scanned for viruses once a manual scan has been launched. The Excluded Segment setting specifies the memory segments to be excluded from scanning.
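The following is an added example, not code from F-Secure or from this guide. It models how the real-time protection settings described above (Scan Network Drives, Scan Inside Archives, Inclusions and Exclusions, and the Actions, Advanced table with its Undefined conditions and "Default" primary action) combine for a single file access, so an administrator can reason about what a policy will do before distributing it. The setting names follow the tables; the dataclass fields, the decision strings, the order in which exclusions are checked, and the action names other than "Disinfect Automatically" and "Default" are assumptions made for this illustration.

```python
# Added example, not F-Secure code: a model of how the real-time protection
# settings combine for one file access.  Field names, decision strings and
# most action names are assumptions made for this illustration.
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

UNDEFINED = "Undefined"  # an Undefined condition in the Actions table matches anything

# Default for "Included Extensions for Compressed Files" as listed in the guide.
DEFAULT_COMPRESSED = {"zip", "arj", "lzh", "tar", "tgz", "gz", "cab", "rar",
                      "bz2", "msi", "z", "jar"}


@dataclass
class FileScanSettings:
    scan_files: str = "All"                      # "All" or "Included" (Scan Files)
    action_on_infection: str = "Disinfect Automatically"
    scan_network_drives: bool = True
    scan_inside_archives: bool = False
    included_extensions: set = field(default_factory=lambda: {"exe", "com", "dll", "doc"})
    compressed_extensions: set = field(default_factory=lambda: set(DEFAULT_COMPRESSED))
    excluded_extensions_enabled: bool = False
    excluded_extensions: set = field(default_factory=set)
    excluded_objects_enabled: bool = False
    excluded_objects: set = field(default_factory=set)  # paths of files or folders


@dataclass
class ActionEntry:
    """One row of the Actions, Advanced table."""
    description: str
    primary: str                 # "Default" defers to Action on Infection
    secondary: str               # used if the primary action fails
    file_state: str = UNDEFINED  # Undefined / Existing / Created
    user_state: str = UNDEFINED  # Undefined / Logged On / Not Logged On
    file_type: str = UNDEFINED   # Undefined / OLE / Mailbox


def scan_decision(path: str, s: FileScanSettings, on_network_drive: bool = False) -> str:
    """Return why a file is scanned or skipped.  Exclusions are checked before
    inclusions so an excluded object is never scanned (assumed ordering)."""
    if on_network_drive and not s.scan_network_drives:
        return "skip-network-drive"
    p = PureWindowsPath(path)
    if s.excluded_objects_enabled:
        for obj in s.excluded_objects:
            o = PureWindowsPath(obj)
            if p == o or o in p.parents:  # Windows paths compare case-insensitively
                return "skip-excluded-object"
    ext = p.suffix[1:].lower()
    if s.excluded_extensions_enabled and ext in s.excluded_extensions:
        return "skip-excluded-extension"
    if s.scan_inside_archives and ext in s.compressed_extensions:
        return "scan-inside-archive"
    if s.scan_files == "All" or ext in s.included_extensions:
        return "scan"
    return "skip-not-included"


def resolve_action(entries, s: FileScanSettings, file_state: str, user_state: str,
                   file_type: str):
    """First entry whose conditions all match wins.  A primary of "Default"
    means the Action on Infection setting applies; any other primary overrides
    whatever the user chose in the local interface, as the table states."""
    for e in entries:
        conditions = ((e.file_state, file_state), (e.user_state, user_state),
                      (e.file_type, file_type))
        if all(want in (UNDEFINED, have) for want, have in conditions):
            primary = s.action_on_infection if e.primary == "Default" else e.primary
            return primary, e.secondary
    return s.action_on_infection, None


# Constructed policy and action table used by the usage below.
POLICY = FileScanSettings(scan_inside_archives=True, excluded_objects_enabled=True,
                          excluded_objects={r"C:\Backups"})
ACTIONS = [
    ActionEntry("new files with nobody logged on", "Delete Automatically", "Rename",
                file_state="Created", user_state="Not Logged On"),
    ActionEntry("everything else", "Default", "Rename"),
]

if __name__ == "__main__":
    for f in (r"C:\Users\alice\report.doc", r"C:\Backups\old.exe", r"D:\share\tools.zip"):
        print(f, "->", scan_decision(f, POLICY))
    print(resolve_action(ACTIONS, POLICY, "Created", "Not Logged On", UNDEFINED))
```

The second entry in the constructed ACTIONS table keeps "Default" as its primary action, so the user-visible Action on Infection still applies there; the first entry shows why the guide recommends locking Action on Infection to "Final" when a table row overrides it, since the local choice would otherwise silently stop mattering for matching files.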
- Boot Sector Scanning: Allows you to set the following options:
   - Action on Infection. The action taken when an infection is detected. Set by default to Disinfect Automatically.
   - Scan Floppy Disk Boot Sectors.
- File Scanning: Allows you to set the following options:
   - Scan Files. Specifies which files to scan. This can be all files, or only files with extensions that are listed under Inclusions and Exclusions (see below).
   - Action on Infection. The action taken when a virus is detected. This is set by default to Disinfect Automatically.
   - Scan Inside Archives. Scan inside archived files, such as ARJ, ZIP, and LZH files. This depends on the setting Included Extensions for Compressed Files.
- Inclusions and Exclusions: Specifies files to be scanned or excluded from scanning. If this option is enabled, objects or file extensions can be specified to determine which files will be scanned or excluded from scanning. Options:
   - Included Extensions = list of extensions included
   - Included Extensions for Compressed Files (Default = ZIP ARJ LZH TAR TGZ GZ CAB RAR BZ2, MSI, Z and JAR)
   - Add Extensions Defined in Database Updates (Default = Enabled)
   - Excluded Extensions Enabled (Default = Disabled)
   - Excluded Extensions
   - Excluded Objects Enabled (Default = Disabled)

Actions, Advanced

Actions Entry / Definition:
- Index: The index column.
- Action Description: Verbal description of the action. This does not affect the operation of the software in any way.
- Primary Action: Primary action to be carried out if the specified conditions are met. If the primary actions are set to something other than "Default", the action as specified by the "Action on Infection" setting has no effect. This means that any action the user selects from the F-Secure Anti-Virus user interface will be overridden by the action specified in this table. In case the primary actions in this table are set to something other than "Default", it is recommended to change the "Action on Infection" setting to match the selected primary action in this table, and to set the access restriction of the "Action on Infection" setting to "Final".
- Secondary Action: The secondary action is carried out in case the primary action fails.
- User State: Condition specifying the user state. Can be Undefined, Logged On or Not Logged On.
- File Type: Condition specifying the file type. Can be Undefined, OLE or Mailbox.

Scheduler

You can set specific scanning, database update and generic tasks with the scheduler. The table below explains the settings for the scheduled tasks.

Task Entry / Description:
- Name: Name of the scheduled task. The name will be visible in the user interface for the scheduled tasks on the user's computer. Note: each task must have a unique name.
- Scheduling Parameters: A command-line type of setting consisting of parameters that determine when the scheduled task is to be executed. The following parameters are supported:
   - Execution time (required): "/thh:mm", where HH:MM specifies the start time (local time) of the task execution.
   - Execution time, alternative format for "system idle" tasks: "/timinutes", where MINUTES specifies the number of minutes the system must remain idle for the task to start. The "/t" and "/ti" parameters are mutually exclusive.
   - Begin date (optional): "/byyyy-mm-dd", where YYYY-MM-DD specifies the first date to which the scheduled task execution applies. The year value must have four digits; if the parameter is not specified, the task's scheduling will apply as soon as the policy with the scheduled task is retrieved by the user's computer.
   - End date (optional): "/eyyyy-mm-dd", where YYYY-MM-DD specifies the last date to which the scheduled task execution applies. The year value must have four digits.
   - Repeat mode (optional): "/rrepeat_mode", where REPEAT_MODE has one of the following values: "once" (task will be executed once only), "daily", "weekly", "monthly" (task will be executed once per day, week or month respectively); if the parameter is not specified, the task will be executed daily.
   Examples:
   - "/t18:00 /b2001-10-15 /rweekly": execute a task weekly starting on Oct 15, 2001 (Monday), at 18:00.
   - "/ti30": execute a task daily after the computer has been idle for 30 minutes.
- Task Type: Specifies one of the following task types: Scan Local Drives, Poll for Updates or Generic.
- Task Type Specific Parameters: Parameters specific to the task type. Generic tasks: the command line for the task (name of the executable and command-line parameters). Scan Local Drives and Poll for Updates tasks: this parameter is not used.

Operations

The operations settings are in the Policy tab of the Properties pane. These settings let you start a remote operation on a host from the administrator's machine. Operations settings also show the status of operations reported through the incremental policy. Operations are not triggered immediately. Operations are triggered on a host only after the policy has been distributed to the host and read by the host.

Reset Statistics

Reset: Contains a Start button for starting the operation.

Variables to Reset: Allow you to select which variables you want to have reset during the operation.

Setting / Definition:
- Realtime / Object Counters / Scanned Files: Total number of files scanned.
- ... / Object Counters / Scanned Boot Sectors: Total number of boot sectors scanned.
- ... / Object Counters / Infected Files: Total number of files infected.
- ... / Object Counters / Infected Boot Sectors: Total number of boot sectors infected.
- ... / Object Counters / Disinfected Files: Total number of files disinfected.
- ... / Disinfected Boot Sectors: Total number of boot sectors disinfected.
- ... / Renamed Files: Total number of files renamed.
- ... / Deleted Files: Total number of files deleted.
- ... / Viruses Found in Memory: Total number of infections found in memory.
- ... / Suspected Files: Total number of suspected files found.
- ... / Suspected Boot Sectors: Total number of suspected boot sectors found.
- ... / Remotely Accessed Files: Total number of remotely accessed files found infected.

Get Virus Database Update: Contains a Start button for forcing the host to poll for updates.

Launch Manual Scanning: Contains a Start button for launching a manual scan on the host. The scanning task will run only after the policy has been distributed to the host.
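The Scheduling Parameters string described in the Scheduler table above is compact enough to get wrong quietly (a two-digit year, both "/t" and "/ti" given, a misspelt repeat mode), and a task that never fires is a scan that never happens. The parser below is an added example, not code from F-Secure or from this guide: it applies the rules the table states (the "/t" and "/ti" forms are mutually exclusive, dates need a four-digit year, the repeat mode defaults to daily, and without "/b" the schedule applies from the day the policy reaches the host) and then answers whether a task is due on a given day. The Schedule class, the function names, and the way "once" and "monthly" choose their day are assumptions made for this illustration.

```python
# Added example, not F-Secure code: parse and validate a Scheduling Parameters
# string as described in the Scheduler table, then decide whether the task is
# due on a given day.  The class, function names and the interpretation of
# "once" (first applicable day) and "monthly" (same day-of-month) are assumptions.
import re
from dataclasses import dataclass
from datetime import date, time
from typing import Optional, Union

REPEAT_MODES = ("once", "daily", "weekly", "monthly")
_DATE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")  # four-digit year, as the table requires
_TIME = re.compile(r"(\d{1,2}):(\d{2})")


@dataclass
class Schedule:
    start_time: Optional[time] = None   # /tHH:MM
    idle_minutes: Optional[int] = None  # /tiMINUTES
    begin: Optional[date] = None        # /bYYYY-MM-DD
    end: Optional[date] = None          # /eYYYY-MM-DD
    repeat: str = "daily"               # /rREPEAT_MODE, daily when absent


def _parse_date(value: str, flag: str) -> date:
    m = _DATE.fullmatch(value)
    if not m:
        raise ValueError(f"{flag} needs YYYY-MM-DD with a four-digit year, got {value!r}")
    return date(int(m[1]), int(m[2]), int(m[3]))  # date() rejects impossible dates too


def parse_schedule(params: str) -> Schedule:
    """Parse e.g. "/t18:00 /b2001-10-15 /rweekly"; raise ValueError on bad input."""
    sched = Schedule()
    seen = set()
    for token in params.split():
        if not token.startswith("/") or len(token) < 2:
            raise ValueError(f"unexpected token {token!r}")
        if token.startswith("/ti"):
            key, value = "ti", token[3:]
        else:
            key, value = token[1], token[2:]
        if key in seen:
            raise ValueError(f"/{key} given more than once")
        seen.add(key)
        if key == "t":
            m = _TIME.fullmatch(value)
            if not m:
                raise ValueError(f"/t needs HH:MM, got {value!r}")
            sched.start_time = time(int(m[1]), int(m[2]))  # time() rejects 25:00 etc.
        elif key == "ti":
            if not value.isdigit() or int(value) == 0:
                raise ValueError(f"/ti needs a positive number of minutes, got {value!r}")
            sched.idle_minutes = int(value)
        elif key == "b":
            sched.begin = _parse_date(value, "/b")
        elif key == "e":
            sched.end = _parse_date(value, "/e")
        elif key == "r":
            if value not in REPEAT_MODES:
                raise ValueError(f"/r must be one of {REPEAT_MODES}, got {value!r}")
            sched.repeat = value
        else:
            raise ValueError(f"unknown parameter /{key}")
    if (sched.start_time is None) == (sched.idle_minutes is None):
        raise ValueError("exactly one of /t and /ti is required")
    if sched.begin and sched.end and sched.end < sched.begin:
        raise ValueError("/e date is before /b date")
    return sched


def schedule_error(params: str) -> Optional[str]:
    """Validation helper: the error message for a bad string, None if it parses."""
    try:
        parse_schedule(params)
        return None
    except ValueError as exc:
        return str(exc)


def is_due(sched: Schedule, day: Union[date, str], policy_received: Union[date, str]) -> bool:
    """Whether the schedule covers `day` (ISO strings accepted for convenience).
    Without /b the schedule applies from the day the policy reached the host."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    if isinstance(policy_received, str):
        policy_received = date.fromisoformat(policy_received)
    first = sched.begin or policy_received
    if day < first or (sched.end and day > sched.end):
        return False
    delta = (day - first).days
    if sched.repeat == "once":
        return delta == 0
    if sched.repeat == "daily":
        return True
    if sched.repeat == "weekly":
        return delta % 7 == 0
    return day.day == first.day  # monthly


if __name__ == "__main__":
    weekly = parse_schedule("/t18:00 /b2001-10-15 /rweekly")
    print(weekly, is_due(weekly, "2001-10-22", "2001-10-01"))
    print(schedule_error("/t18:00 /ti30"))
```

Running schedule_error over every scheduled task in a policy before it is distributed catches the mistakes that the guide's rules forbid but that a text field will happily accept.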
Statistics

The F-Secure Anti-Virus statistics can be viewed in the Status tab in F-Secure Policy Manager Console's Properties pane.

Setting / Definition:
- Previous Reset of Statistics: Timestamp of the previous reset of statistics. The value is the number of seconds elapsed since 1.1.1970 0:00 UTC. If a reset has never been done, the value is zero.
- MIB Version: The running version number of the product MIB.
- Installation Directory: Complete directory path where the product is installed on the host.
- Common/Product Name/Hotfixes: HotfixesEntry:
   - Index: For indexing hotfix applications.
   - ID: Hotfix package identifier as assigned by F-Secure Corporation.
   - Description: Short description indicating the content or purpose of the hotfix.
   - Release Timestamp: Hotfix manufacture or release timestamp.
   - Product Version: Product version on top of which the hotfix was applied.
   - Product Build: Product build on top of which the hotfix was applied.
   - Application Timestamp: Timestamp of the hotfix application.
- Plug-Ins: Information and status of the plug-ins installed on the host; displayed as a table. Plug-in statuses:
   - 0 = Not loaded
   - 1 = Loaded but disabled
   - 2 = Loaded and enabled
Virus Database Updates

Last Remind Date: When the virus signature database update reminder was shown the last time.
Number of Database Updates Received: Number of virus definition database updates received since the first-time installation of the product.
Current Detection Rate: Measures the detection rate of the product. It is the sum of the virus definition database record counts of all scan engines used by the product. This value should not be interpreted as the count of different viruses detected by the product.

Real-Time Statistics

Real-Time Statistics / Object Counters

Realtime/Object Counters/Scanned Files: Total number of files scanned.
.../Object Counters/Scanned Boot Sectors: Total number of boot sectors scanned.
.../Object Counters/Infected Files: Total number of files infected.
.../Object Counters/Infected Boot Sectors: Total number of boot sectors infected.
.../Object Counters/Disinfected Files: Total number of files disinfected.
.../Disinfected Boot Sectors: Total number of boot sectors disinfected.
.../Renamed Files: Total number of files renamed.
.../Deleted Files: Total number of files deleted.
.../Viruses Found in Memory: Total number of infections found in memory.
.../Suspected Files: Total number of suspected files found.
.../Suspected Boot Sectors: Total number of suspected boot sectors found.
.../Remotely Accessed Files: An estimate of the number of remotely accessed files found infected.
.../Last Time Infected Object Was Detected: The last time an infection was found (elapsed seconds since 1.1.1970 0:00 UTC).
Real-Time Statistics / Object Counters, Since First-Time Installation

Object counters that will not be reset at reboot.

Scanned Files: Number of files scanned.
Scanned Boot Sectors: Number of boot sectors scanned.
Infected Files: Number of infected files detected.
Infected Boot Sectors: Number of infected boot sectors detected.
Disinfected Files: Number of files disinfected.
Disinfected Boot Sectors: Number of boot sectors disinfected.
Renamed Files: Number of files renamed.
Deleted Files: Number of files deleted.
Real-Time Protection Deactivations: Shows the number of times real-time protection has been deactivated on the computer since first-time installation.

Real-Time Statistics / File Scanning

Inclusions and Exclusions: Included Extensions: List of file name extensions included for scanning. The list is a combination of extensions defined in the policy and in database updates, unless adding of extensions defined in database updates has been disabled.
Manual Scanning Statistics

Manual Scanning Statistics / Object Counters

Realtime/Object Counters/Scanned Files: Total number of files scanned.
.../Object Counters/Scanned Boot Sectors: Total number of boot sectors scanned.
.../Object Counters/Infected Files: Total number of files infected.
.../Object Counters/Infected Boot Sectors: Total number of boot sectors infected.
.../Object Counters/Disinfected Files: Total number of files disinfected.
.../Disinfected Boot Sectors: Total number of boot sectors disinfected.
.../Renamed Files: Total number of files renamed.
.../Deleted Files: Total number of files deleted.
.../Viruses found in Memory: Total number of infections found in memory.
.../Suspected Files: Total number of files found with a suspected virus.
.../Suspected Boot Sectors: Total number of boot sectors found with a suspected virus.
.../Last Time Infected Object Was Detected: The last time an infection was found (elapsed seconds since 1.1.1970 0:00 UTC).
Database Date: Tells the current virus signature database date (elapsed seconds since 1.1.1970 0:00 UTC).

Manual Scanning Statistics / Object Counters, Since First-Time Installation

Scanned Files: Number of files scanned.
Scanned Boot Sectors: Number of boot sectors scanned.
Infected Files: Number of infected files detected.
Infected Boot Sectors: Number of infected boot sectors detected.
Disinfected Files: Number of files disinfected.
Disinfected Boot Sectors: Number of boot sectors disinfected.
Renamed Files: Number of files renamed.
Deleted Files: Number of files deleted.
Manual Scanning Statistics / File Scanning

Inclusions and Exclusions: Included Extensions: List of file name extensions included for scanning. The list is a combination of extensions defined in the policy and in database updates, unless adding of extensions defined in database updates has been disabled.

Common Scanning Statistics

Statistics common to both real-time scanning and manual scanning.

Last Infection Information: Information about the last infection detected on the computer.
.../Timestamp: Time of encountering the infection (as seconds since 1.1.1970 0:00 UTC).
.../Virus Name: Name of the virus, trojan or worm.
.../Infected Object Name: Name of the infected object.
.../Action Taken: Information about the action taken on the infected object.
Scheduler

Statistics for scheduled tasks.

Scheduled TasksEntry/Name = Scheduled task: Name of the scheduled task. The name will be visible in the user interface for scheduled tasks on the user's computer. Note: each task must have a unique name.
.../Last Execution Time: Date and time of the last execution of the task, in the format "YYYY-MM-DD hh:mm" (local time). If empty, the task has not been executed yet.
.../Last Exit Code = 0: Exit code of the last execution of the task.
.../System Scheduler Error Code = 0: Error code from the Windows System Task Scheduler (the component of the operating system that is responsible for executing the scheduled tasks).
4. Using F-Secure Anti-Virus

This chapter covers the following topics:
- What Real-Time Protection is, and how it functions
- How to run manual scans on disks, folders and diskettes
- How the F-Secure Anti-Virus Disinfection Wizard works when a virus is detected
- What the F-Secure Anti-Virus user settings are, and how to use them.

4.1 Real-Time Protection

To see if Real-Time Protection is active, check the Status Indicator icon in the System Tray in the lower right corner of the screen. Alternatively, you can double-click the (F-Secure) icon in the System tray to open F-Secure Settings and Statistics. If the status of F-Secure Anti-Virus is Enabled, Real-time Protection is active and providing continuous protection.

The Status Indicator icon shows one of the following states:
- Real-Time Protection is enabled.
- Real-Time Protection is disabled.
- Real-Time Protection is malfunctioning. This may mean that some components are not working. You can test the virus protection with the EICAR Standard Anti-Virus Test File.
- Virus definition databases are old. To update them, right-click the Status Indicator icon and select Update Virus Definition Databases.

For information on the Status Indicator features, go to the section Status Indicator on page 33.

4.2 Scanning for Viruses Manually

The real-time detection features of F-Secure Anti-Virus ensure the strongest protection against viruses automatically. The information in this section is for reference in case you want to run a manual scan.

During manual scanning the Manual Scan Statistics dialog box displays a progress indicator and statistics for the scan. The scan can be interrupted by clicking Stop. A report is generated after the scan is completed. You can view the report in your Web browser by clicking Show Report.
You can start a manual scan from one of the following:
- Shortcut menu (right-click on a file, folder or disk)
- Status Indicator (right-click on the icon to select one of the scan actions)
- Windows Start menu (right-click on the menu)

Shortcut Menu

To scan a file, folder, or disk for viruses, right-click its icon, and choose Scan Folders for Viruses from the shortcut menu. Any file, folder, or drive can be scanned this way, regardless of extension.
Status Indicator

The Status Indicator icon is next to the F-Secure icon in the system tray. Right-click the Status Indicator to open the pop-up menu. The pop-up menu has the following actions:
- Scan All Hard Disks
- Scan Diskette
- Scan Target
- Properties
- Update Virus Definition Databases
Scan Options

To start a manual scan, right-click the Status Indicator, and choose one of the scan actions listed in the pop-up menu: Scan All Hard Disks, Scan Diskette or Scan Target. If you choose Scan All Hard Disks, all of the hard disks will be scanned. If you choose Scan Diskette, the diskette you inserted will be scanned. If you choose Scan Target, the folder or disk that you selected will be scanned. The Manual Scan Statistics dialog box displays a progress indicator and statistics during all of the scan actions described above.

Properties

If you select Properties from the Status Indicator pop-up menu, you can view the F-Secure Anti-Virus status and user settings information. The status is Enabled if real-time protection is active, and Disabled if it is not active. Click the Properties button to access the user settings information. For more details on user settings, go to F-Secure Anti-Virus Local Settings on page 40. You can also open the Properties dialog directly by double-clicking the Status Indicator icon in the system tray.

Update Virus Definition Databases

For information on virus definition databases, go to Updating Virus Definition Databases on page 49.

Windows Start Menu

You can scan hard disks, diskettes, and folders from the Windows Start menu. To start a manual scan, select one of the following scan commands on the menu: Scan all local hard disks, Scan diskette or Scan folder. If you select Scan folder, you will need to select a folder or disk to scan.
4.3 How Disinfection Wizard Removes a Virus

When F-Secure Anti-Virus detects a virus, it starts Disinfection Wizard by default. Administrators can change this in the security policy.

NOTE: The default is disinfect automatically.
Step 1 Virus Detected

Disinfection Wizard opens a dialog with the name of the detected virus displayed. Disinfection Wizard will disinfect the object by default within the time set. You can stop the timer by clicking the Stop Timer button, or by clicking Next. If you are a corporate user, you can view the timer settings in Settings on page 11.

For information about the virus, click on its name, and then click the Virus Info button. The Virus Information page will display information about the virus detected. If the virus is new, it may not yet be described here. Check the Virus Information Database at our Web site for the latest information.

To proceed with the virus disinfection, click Next.
Step 2 Action Taken

A list of infected objects will be displayed. An object can, for example, be a document file that a virus has used to spread. In the Action to Take box, choose the action to be taken on the infected objects. Disinfect and Rename are the recommended actions, as these actions do not destroy the objects the virus is attached to.

WARNING: Please remember that if you select Delete as the action to be taken, the object that is infected will also be deleted.

After you have chosen the action to be taken, click Next, and Disinfection Wizard will perform the action automatically on all of the selected objects.
Step 3 Action Results

The results of the action will be displayed after the action has been taken. Click Next to exit Disinfection Wizard.
Step 4 Closing Disinfection Wizard

Click Finish to close the dialog.

NOTE: A report is generated in manual scanning only. In real-time scanning the Finish button does not contain the option to generate a report.

The scan report is sent to the administrator if the program is centrally managed. The administrator can view the report in F-Secure Policy Manager Console (in the Reports page of the Properties pane). The report contains links to the corresponding virus descriptions in the Web Club's virus database.

The administrator can configure F-Secure Anti-Virus to automatically remove viruses from the computer without prompting for any action. In this case, Disinfection Wizard does not run.
4.4 F-Secure Anti-Virus Local Settings

You can view and modify the F-Secure Anti-Virus local settings by double-clicking the Status Indicator icon in the system tray. The F-Secure Anti-Virus user settings dialog will open directly. You can also open the user settings by double-clicking the F-Secure icon in the system tray. The F-Secure Settings and Statistics dialog will open and display a list of installed F-Secure products. You can either double-click the F-Secure Anti-Virus application, or click Properties to open the F-Secure Anti-Virus Properties dialog box.

In the F-Secure Anti-Virus Properties dialog box, you can specify different settings for Real-time Protection, Manual Scanning and Updates. The F-Secure Anti-Virus Properties dialog box also has information on scan statistics since the initial start-up of the computer.

Statistics: Displays results of the real-time scan.
Real-Time Protection: Settings for transparent, continuous protection provided by F-Secure Anti-Virus while it runs in the background, scanning files as they are accessed.
Manual Scanning: Settings for the scanning tasks that are started manually.
Updates: Settings for virus definition database update reminders for manual updates. The Update Now button starts immediate definition database updates.

Real-time scans should be restricted so that they do not use a large amount of system resources, which can occur when scanning compressed files and other special files. One way to save system resources is to avoid scanning archives. Because manual scans are only performed when desired, they can be set to scan larger groups of files, which will consume more system resources.

Statistics

The Statistics dialog of the F-Secure Anti-Virus Properties dialog box displays results of the real-time scan for the current session.
Real-Time Protection

In the Real-Time Protection dialog of the F-Secure Anti-Virus Properties dialog box, you can set what action is taken when an infected file is found, and which files are scanned during real-time scanning. To enable Real-Time Protection, tick the Enable Protection check box. To disable Real-Time Protection, clear the Enable Protection check box.

Action to Take on Infected Files

In the Action to Take on Infected Files box, you can choose what action F-Secure Anti-Virus will take when an infected file is detected. Choose one of the following actions:

Ask after scan: Starts the Disinfection Wizard when an infected file is detected.
Disinfect automatically: Disinfects the file automatically when a virus is detected (by default).
Rename automatically: Renames the file automatically when a virus is found.
Delete automatically: Deletes the file automatically when a virus is found. Note that this option also deletes the object the virus is attached to, so this option is not recommended.
Report only: Indicates that a virus is found, and does not let you open the infected object. This option only reports; it does not take any action against the virus.

Scanning Options

Under Scanning Options, you can choose which files will be scanned in real time.
The following options are available:

All files: All files will be scanned, regardless of their file extension. This option is not recommended because it might slow down system performance considerably.
Files with these extensions: Files with the specified extensions will be scanned. To specify files that have no extension, type ".". You can use the wildcard "?". Enter each file extension separated by a space. This option is recommended for real-time protection.
Exclude files with these extensions: You can specify files that will not be scanned.

NOTE: Invalid characters are not accepted in these fields. They are replaced with the underscore ( _ ) symbol if copied from the clipboard.

Exclude objects: You can specify individual files or folders that will not be scanned. To do so, click the Select button to open the Exclude from scanning dialog box (see screenshot below). In the dialog box, select the files or folders you want to exclude from scanning and click the Add button. To remove any files or folders from the Excluded objects list, select the files or folders, and click the Remove button. The files or folders will then be included in the scans again.
Scan inside compressed files: Select this check box to scan inside compressed ZIP, ARJ, LZH, RAR, CAB, TAR, BZ2, GZ, JAR, MSI, Z and TGZ files. Scanning inside large compressed files might use a lot of system resources and slow down the system; therefore it is not recommended with real-time protection.
Manual Scanning

The settings for manual scan operations can be specified in the Manual Scanning dialog of the F-Secure Anti-Virus Properties dialog box. You can set what action is taken when an infected file is found, and which files are scanned during manual scanning.

Action to Take on Infected Files

In the Action to Take on Infected Files box, you can choose what action F-Secure Anti-Virus will take when an infected file is detected. You can choose Ask after Scan, Disinfect automatically, Rename automatically, Delete automatically or Report Only:

Ask after Scan: Starts the Disinfection Wizard when an infected file is detected.
Disinfect automatically: Disinfects the file automatically when a virus is detected (by default).
Rename automatically: Renames the file automatically when a virus is found.
Delete automatically: Deletes the file automatically when a virus is found. Note that this option also deletes the object the virus is attached to, so this option is not recommended.
Report only: Generates an HTML report regardless of whether infections were found or not.

Scanning Options

Under Scanning Options, you can choose which files will be scanned during the manual scanning operation.
The following options are available:

All files: All files will be scanned, regardless of their file extension. This option is not recommended because it may slow down system performance considerably.
Files with these extensions: Files with the specified extensions will be scanned. Enter each file extension separated by a space. To specify files that have no extension, type ".". You may use the wildcard "?".
Exclude files with these extensions: You may specify files that will not be scanned.

NOTE: Invalid characters are not accepted in these fields. They are replaced with the underscore ( _ ) symbol if copied from the clipboard.

Exclude objects: You can specify individual files or folders that will not be scanned. To do so, click the Select button to open the Exclude from scanning dialog box (see screenshot below). In the dialog box, select the files or folders you want to exclude from scanning and click the Add button. To remove any files or folders from the Excluded objects list, select the file or folder, and click the Remove button. The file or folder will then be included in the scan again.
Scan inside compressed files: Select this check box to scan inside compressed ZIP, ARJ, LZH, RAR, CAB, TAR, GZ, BZ2, JAR, MSI, Z and TGZ files.

The Scan Now button can be used to scan a folder for viruses at any time.
Updates

The Updates page has information on installed scanning engines and virus database updates. It also has a direct link from the More Information button to the F-Secure web site.

Installed Scanning Engines

In the Installed Scanning Engines box you can find information on the currently installed scanning engine names, the individual database dates and the scanning engine revision numbers. The scanning engines used are F-Secure Libra, F-Secure AVP and F-Secure Orion.

Virus Definition Database Updates

The Virus Definition Database Updates section informs you about the current status of the virus definition databases. It will, for example, inform you of any immediate updates that should be made if the virus definition databases are old.

Remind me about updates

With the Remind me about updates check box you can enable the automatic virus definition database update reminders. You can determine how often an update dialog appears by inserting a number in the days box.
5. Updating Virus Definition Databases

F-Secure Anti-Virus uses special databases, virus definition databases, to detect viruses. Whenever a new virus is found, the databases need to be updated for F-Secure Anti-Virus to be able to detect it. This is why it is of the utmost importance that you regularly update the virus definition databases. This chapter describes the different methods you can use to update virus definition databases.

5.1 Update Methods

You can choose between the different update methods listed below.

Automatic Update

Automatic updates with F-Secure Automatic Update Agent (may be referred to as F-Secure Backweb) are the best way to keep the virus definition databases up to date. F-Secure Automatic Update Agent updates the virus definition databases automatically when your network connection is open. The update may take several minutes, so make sure your network connection is open long enough. F-Secure Automatic Update Agent is usually installed with F-Secure Anti-Virus.

Semi-Automatic Update

Download the package from the F-Secure Web site, automatic distribution to hosts

The virus definition database package can be downloaded from http://www.f-secure.com/download-purchase/updates.html or from the European mirror site. Only one virus definition database is required. The database file is named Latest.zip.

After downloading the package to a local disk, it needs to be imported into F-Secure Policy Manager Console. F-Secure Policy Manager Console places the package in the F-Secure Policy Manager Server or the Communication Directory. The F-Secure Management Agent on each host polls for the package according to its polling policy, and takes the package into use.

To import the package to F-Secure Policy Manager Console, do the following:
1. Choose Import Virus Signatures Database from the Tools menu.
2. Choose Open from the File menu. In the File Open dialog box, select the database package from the directory it was stored in.

To distribute the database to the hosts, do the following:
1. Enable automatic polling for the virus definition databases on the hosts where you want to automatically receive the database. Enable the Poll Automatically setting in F-Secure Anti-Virus / Settings / Virus Database Updates / Poll Automatically.
2. Distribute the policy to the hosts by choosing Distribute from the File menu.
3. The hosts will download the database package from the F-Secure Policy Manager Server or from the Communication Directory the next time they poll for new database versions.

Manual Update

You can use the Update Now button in the F-Secure Anti-Virus user settings, or the Status Indicator icon in the system tray, to manually update the virus definition databases. If you want to use the Update Now button, go to Updates on page 48 to view the settings. If you want to use the Status Indicator to update the databases, select Update Virus Definition Databases from the Status Indicator pop-up menu described in Status Indicator on page 33.

During manual updates, a dialog is shown during the download process, and you can cancel the update by clicking the Cancel Update button. Remember that the databases should be updated at least once a week.
Automatic Update Agent to F-Secure Policy Manager Server, automatic distribution to hosts (recommended method)

This is the best way to update the virus definition database. Updated databases will be automatically delivered by F-Secure Corporation to F-Secure Policy Manager Server or F-Secure Policy Manager Console when they become available. The F-Secure Management Agent on each host polls for the package according to its polling policy, and takes the package into use. Follow these steps:
1. Download F-Secure Automatic Update Agent Client (may be referred to as F-Secure Backweb Client) from the CD-ROM or from http://www.f-secure.com/download-purchase/updates.html
2. Install it on the computer running F-Secure Policy Manager Server or F-Secure Policy Manager Console. Automatic polling for the Virus Definition Database on the hosts that will automatically receive the Virus Definition Database should be enabled by default. Verify that the Poll Automatically setting in F-Secure Anti-Virus / Settings / Virus Database Updates / Poll Automatically is enabled.
3. Distribute the policy to the hosts by choosing Distribute from the File menu.
4. The hosts will download the database package from the F-Secure Policy Manager Server or from the Communication Directory the next time they poll for new database versions.

Automatic Update Agent to F-Secure Policy Manager Server, distribution to hosts is triggered by the network administrator

Updated databases are automatically delivered by F-Secure Corporation to your network's F-Secure Policy Manager Server or F-Secure Policy Manager. However, the virus definition database is not automatically distributed to the hosts from the Policy Manager Server or the Communication Directory. The administrator initiates the distribution to the hosts with the following steps:
1. Select the Get Virus Database Update setting in the F-Secure Anti-Virus / Operations / Get Virus Database Update tree. Then click the Start button.
2. Choose Distribute from the File menu. This will distribute the policy to the hosts.
3. When a host next polls the Policy Manager Server or the Communication Directory according to its policy polling interval, it will fetch the new database.

Download the package from the F-Secure Web site, distribution to hosts is triggered by the network administrator

The virus definition database is downloaded from the F-Secure Web site at http://www.f-secure.com/download-purchase/updates.html or the European mirror site. However, the database is not automatically distributed to the hosts.

To import the package to F-Secure Policy Manager Console, do the following:
1. Choose Import Virus Signatures Database from the Tools menu.
2. Choose Open from the File menu. In the File Open dialog box, select the database package from the directory it was stored in.

To distribute the virus definition databases to the hosts, do the following:
1. Select the Get Virus Database Update setting in the F-Secure Anti-Virus / Operations / Get Virus Database Update tree. Then click the Start button.
2. Choose Distribute from the File menu. This will distribute the policy to the hosts.
3. When a host next polls the Policy Manager Server or the Communication Directory according to its policy polling interval, it will fetch the new database.

Using the FSUPDATE.exe Tool

FSUPDATE.exe is a tool for updating F-Secure Anti-Virus virus definition databases. To update the virus definition database, go to http://www.f-secure.com/download-purchase/updates.html
1. Click Download the latest update from USA or Download the latest update from Europe depending on your location. Save the fsupdate.exe file to a local disk.
2. Run fsupdate.exe on the host which has F-Secure Anti-Virus installed. After approximately 1 minute, the virus definition databases are updated. You can check the update from the Updates tab in the F-Secure Anti-Virus Properties pane.
F-Secure Anti-Virus Proxy

F-Secure Anti-Virus Proxy retrieves virus definition database updates from a local update repository instead of from the F-Secure Policy Manager Server, and distributes the updates locally to the hosts. F-Secure Anti-Virus Proxy resides in the remote network and runs specially configured Policy Manager Server software. Hosts in remote offices communicate with the Master Policy Manager Server in the main office, but this communication is restricted to remote management and alerting.

You can install F-Secure Anti-Virus Proxy when you install F-Secure Policy Manager. For installation instructions and more detailed information about F-Secure Anti-Virus Proxy, read the F-Secure Policy Manager Administrator's Guide available on the F-Secure CD.
Appendix A. Parameters & Return Codes

The F-Secure Anti-Virus command-line scanner, its parameters and return codes are described in this Appendix. The F-Secure Anti-Virus command-line scanner is a tool you can use to easily access the virus scanner through the command prompt. The F-Secure Anti-Virus command-line scanner (command-line scanner) is part of the standard F-Secure Anti-Virus product; you do not need to install it separately.

A-1 Using Command-Line Scanner

You can use the command-line scanner in situations where, for example, scripted F-Secure Anti-Virus runs are needed. The command-line scanner is located in the F-Secure Anti-Virus directory. The default location is C:\Program Files\F-Secure\Anti-Virus\fsav.exe. Running fsav.exe without any parameters outputs the available parameters. The command-line scanner parameters and return codes are listed in this Appendix.

The command-line format is:

    FSAV [targets] [options]

All options start with "/". Any argument not starting with this character is considered a target. The command line can include multiple targets. The target defaults to '*.*' if no targets are defined. Target names that contain spaces or other special characters must be enclosed in double quotes.
Boot sectors are included in the scan if the drive letter of a local hard disk is specified in a target path, for example:

    FSAV "C:\Program Files"

This can be overridden using the /NOBOOT option. For example:

    FSAV C:\*.* /NOBOOT /DISINF

only scans files on the hard disk. But if you type:

    FSAV C:\*.* /DISINF

both files and boot sectors on the hard disk are scanned. In both cases any viruses found will be disinfected.

To scan all the hard disk drives, type:

    FSAV /HARD

To abort a scan, press CTRL + C.

Main Report File

The main report file can be created using the /REPORT=file command-line switch. This is a plain text file that lists the fully qualified names of all infected objects.

HTML Report File

The HTML report file is created if the /REPORT=file command-line switch is specified. If you type /NOHTML the report is not generated. Note that if the /REPORT switch is not used, no report file of any kind is created.

NOTE: The HTML report file will also be transferred to F-Secure Policy Manager.

AT Command

You can also use the command-line scanner with the AT command. For example:

    at 07.30 am /next:friday FSAV /HARD /DISINF

would scan all hard drives and disinfect viruses on Friday at 07.30 am. For more information about the scheduling service, consult your Microsoft Windows manual.
A-2 Command-Line Scanner Parameters

/ALL: Scan all files regardless of extension.
/APPEND: Append to an existing report. Default is to overwrite.
/ARCHIVE: Include archives in the scan.
/BEEP: Beep when a virus is found.
/DELETE: Attempt to delete infected objects.
/DISINFECT: Attempt to disinfect infected objects.
/EXCLUDEPATH=list: Skip files/paths matching entries on the list. The excluded objects list is read from the policy. This switch will override the values in the policy.
/EXCLUDEEXT=list: Skip files with these extensions. The excluded extensions are read from the policy. This switch will override the values in the policy (not supported in 1.0/F-Secure Anti-Virus 5.30).
/EXT: Valid abbreviation for /EXTENSIONS.
/HARD: Scans all files on all hard disks in the computer.
/HELP: Displays the list of command-line options.
/LIST: Write a list of scanned objects (fully qualified names).
/NOBOOT: Do not scan boot sectors, scan only files.
/NOBREAK: Scan cannot be interrupted by the user.
/NOHTML: The report file is created if the /REPORT=file command-line switch is specified, and Network Request Broker (NRB) is enabled. If /NOHTML is given, the report generation is skipped. If the /REPORT switch is not used, no report file is created.
/RENAME              Attempt to rename infected objects.
/REPORT=file         Write the report in TXT format to file. The report and all extended characters are printed in ANSI, so they will not be printed correctly when the report is viewed with a DOS-based editor.
/SCANNER=<s>         Specify one scanner plug-in that will be used in the scan, instead of all enabled scanners. The default value is all scanners. s can be one of the following strings: Libra, AVP, Orion. The scanner name parameter is not case sensitive.
/SCANNER             Given without a value, /SCANNER includes the scanner name in the error/infection messages: when an object is reported as infected or erroneous, the name of the scanner plug-in that reported the infection or error is listed. Sample output with the parameter given:
                     C:\foo\bar.exe Infected Worm [F-Secure Anti-Virus AVP Plug-in]
/SILENT              No screen output.
/VERSION             Show scanner version information.
/ZIP                 Valid acronym for /ARCHIVES.
/?                   Displays the list of command-line options (same as /HELP).

A-3 Command-Line Scanner Return Codes

The following return codes are produced by the program:
Exit code   Explanation
0           Scan completed successfully; no viruses or suspicious files found.
1           Command-line scan is not allowed in the policy.
2           Scan was aborted by the user.
3           Error loading F-Secure Anti-Virus or one of its program files.
4           Error when connecting to the scanning engines (Gatekeeper).
5           Self-test failed.
6           Command-line syntax error, or unknown parameter.
7           Execution failed; out of memory.
8           Scan path not valid.
10          Failed to open one of the report files, scan successful.
11          Encountered encrypted files that cannot be scanned; these objects may still be infected.
12          Failed to open some objects; these objects may still be infected.
20          Suspicious code found, may be a virus.
21          One or more viruses found, actions successful. No viruses remaining.
22          One or more viruses found, actions successful. Renamed viruses remaining on disk.
23          One or more viruses found, actions unsuccessful or not attempted. System still infected.
24          Virus found in memory. Scan aborted.
25          Virus(es) found and disinfected. System reboot is needed to complete the disinfection.
Appendix B. F-Secure Anti-Virus for DOS

F-Secure Anti-Virus for DOS is provided with your F-Secure Anti-Virus license for the following purposes:

- Recovery from viruses when the computer will not boot up with Windows. You can boot up from a DOS system disk, and run F-Secure Anti-Virus for DOS to remove viruses from the hard disk.
- Automation of virus scanning for processes like scheduled file transfers. F-Secure Anti-Virus for DOS supports command-line use from batch files and provides you with result codes through the Errorlevel value.

F-Secure Anti-Virus for DOS includes the following features:

- AVP scanning engine.
- Detection and removal of DOS viruses, Windows viruses, macro viruses, Trojan horses, e-mail worms, and other malicious code. The virus detection rate is generally the same as with the Windows versions.
- Command-line support for automation using batch files.
- Scanning inside compressed packages (including ZIP, LHZ, and ARJ formats).
- Scanning inside executable programs compressed with Diet, ExePack, LzExe, PkLite, and similar tools.

NOTE: If you are running F-Secure Anti-Virus for DOS under Windows or OS/2, F-Secure Anti-Virus may attempt to read the boot sector or special files that the operating system keeps open (such as the swap file). This may trigger a warning. To continue scanning, click the Ignore button.
Installation

To install F-Secure Anti-Virus for DOS on your computer, do the following:

Step 1. Open the command prompt, and enter the following command:

    xcopy r:\dos\fsavp\3.0

(Replace r: with the letter assigned to your CD-ROM drive.)

Step 2. Open Windows Explorer and locate the fsav.exe file in the installation directory.

Step 3. Drag the fsav.exe file to your Start menu. This will create a menu item for starting the program.

Scanning for Viruses

To run the program, click the F-Secure Anti-Virus for DOS menu item on the Start menu, or execute fsav.exe from the command prompt. Follow the instructions on the screen to scan your system for viruses. F-Secure Anti-Virus for DOS can also be run directly from the CD-ROM or a floppy disk.

When F-Secure Anti-Virus for DOS starts up, it loads its antivirus database and tests memory for the presence of resident viruses.

Updating

To combat new viruses, which appear almost daily, the F-Secure Anti-Virus Research Team at F-Secure Corporation works continuously to create effective measures against them. To update your current version of F-Secure Anti-Virus for DOS, just copy the latest anti-virus databases (called virus definitions) into the F-Secure Anti-Virus for DOS directory. Then replace your old F-Secure Anti-Virus for DOS avp.set file with
the new avp.set file that you get with your updated virus definitions. The new virus definitions and a new avp.set file can be downloaded from the F-Secure Web site.

Command-Line Options

When you start F-Secure Anti-Virus for DOS from the command line, you can use the following parameters. Below are examples of the F-Secure Anti-Virus command with parameters and options:

    FSAV path:\name /option(s)

Scan floppy disk in drive A and disinfect viruses:

    FSAV A: /- /Y

Scan all local hard drives and disinfect viruses:

    FSAV *: /- /Y

Scan all local hard drives, disinfect viruses, disable aborting, and return to DOS:

    FSAV *: /- /Y /Z /Q

path = any DOS path (* and *: = all hard disks)
name = the wildcards * or ? can be used. The default is executable files.

Options:
/-                 Disinfect
/E                 Delete infected files
/M                 Skip memory test
/P                 Skip Master Boot Record test
/B                 Skip DOS Boot Sector test
/T=path            Swapping directory
/W[A][=filename]   Save report
/WA                Append to existing file
/O                 Display OK messages
/Y                 Skip all dialog boxes
/S                 Sound off
/X                 Do not use XMS memory
/?                 Help screen
/I                 Initiate scan immediately
/Q                 Quit to DOS after test
/*                 Check all files
/N                 Check remote disks (used with *:)
/1                 Check only one floppy disk
/R                 Do not scan subdirectories
/U                 Disable Unpack (Unpacking Engine)
/A                 Disable Extract (Extracting Engine)
/H                 Disable heuristic analysis (Code Analyzer)
/@[!]=listfile.txt Scan by list file. The list file is a text file with file names or directory names written out line by line. Wildcards are not allowed. If the optional [!] is present, the list file will be deleted after processing. If the /@... switch is present, F-Secure Anti-Virus for DOS starts scanning after loading. Location control is not in the action.
/D                 Daily scanning. If this switch is used, F-Secure Anti-Virus for DOS will not start if it successfully finished scanning on this day.
/V                 Redundant scanning
/Z                 Disable aborting
/F=profile.prf     F-Secure Anti-Virus for DOS starts with the parameters defined in the profile.prf file.

Error Codes

When F-Secure Anti-Virus is run in command-line mode, it will return an exit code, which can be checked with the DOS Errorlevel command.
Code   Definition
0      No viruses detected
1      Scanning is not completed
3      A suspicious object was detected
4      A virus was detected
5      All detected viruses were deleted
7      FSAV.EXE has been corrupted
10     Internal error in F-Secure Anti-Virus for DOS
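The Windows command-line scanner return codes in Appendix A and the DOS Errorlevel values above are what a scheduled job or batch file has to act on. As an added example (not F-Secure's code), the following Python wrapper groups both code tables into a status an unattended job can act on; the status labels, the FSAV argument vector and the report path are this example's own assumptions.

```python
import subprocess

# Windows command-line scanner (Appendix A) exit codes, grouped into a status
# an unattended job can act on. The status labels are this example's own.
WINDOWS_CODES = {
    0: ("clean", "scan completed, no viruses or suspicious files found"),
    1: ("error", "command-line scan is not allowed in the policy"),
    2: ("error", "scan was aborted by the user"),
    3: ("error", "error loading F-Secure Anti-Virus or a program file"),
    4: ("error", "cannot connect to the scanning engines (Gatekeeper)"),
    5: ("error", "self-test failed"),
    6: ("error", "command-line syntax error or unknown parameter"),
    7: ("error", "execution failed, out of memory"),
    8: ("error", "scan path not valid"),
    10: ("partial", "scan successful, but a report file could not be opened"),
    11: ("partial", "encrypted files could not be scanned, may still be infected"),
    12: ("partial", "some objects could not be opened, may still be infected"),
    20: ("suspicious", "suspicious code found, may be a virus"),
    21: ("cleaned", "viruses found and removed, none remaining"),
    22: ("renamed", "viruses found, renamed copies remain on disk"),
    23: ("infected", "viruses found, actions failed, system still infected"),
    24: ("infected", "virus found in memory, scan aborted"),
    25: ("reboot", "viruses disinfected, reboot needed to complete"),
}
# F-Secure Anti-Virus for DOS (Appendix B) Errorlevel values, same grouping.
DOS_CODES = {
    0: ("clean", "no viruses detected"),
    1: ("error", "scanning is not completed"),
    3: ("suspicious", "a suspicious object was detected"),
    4: ("infected", "a virus was detected"),
    5: ("cleaned", "all detected viruses were deleted"),
    7: ("error", "FSAV.EXE has been corrupted"),
    10: ("error", "internal error in F-Secure Anti-Virus for DOS"),
}

def interpret(code, table=WINDOWS_CODES):
    """Map an exit code to (status, explanation); unknown codes count as errors."""
    return table.get(code, ("error", "undocumented exit code %d" % code))

def needs_operator(status):
    """Only a clean result or a complete clean-up may pass unattended."""
    return status not in ("clean", "cleaned")

def run_scan(argv, table=WINDOWS_CODES):
    """Run the scanner, e.g. ["FSAV", "/HARD", "/DISINF", "/NOBREAK",
    "/REPORT=C:\\scan.txt"] (/NOBREAK stops a user aborting a scheduled job),
    and return (exit code, status, explanation)."""
    code = subprocess.call(argv)
    return (code,) + interpret(code, table)
```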
Technical Support

F-Secure Technical Support is available by e-mail and from our Web site. You can access our Web site from within F-Secure Anti-Virus or from your Web browser.

Web Club

The F-Secure Anti-Virus Web Club provides assistance to F-Secure Anti-Virus users. To enter, choose the Web Club command from the Help menu. The first time you use this option, enter the path and name of your Web browser, and your location.
To connect to the Web Club directly from within your Web browser, go to: http://www.f-secure.com/webclub/

For advanced support, the F-Secure Anti-Virus Support Center is available at: http://www.f-secure.com/support/

Virus Descriptions on the Web

F-Secure Corporation maintains a comprehensive collection of virus-related information on its Web site. You can access the Virus Information Database from: http://www.f-secure.com/virus-info/

Electronic Mail Support

If you have questions about F-Secure Anti-Virus not covered in the manual or online services at http://www.f-secure.com/, you can contact your local F-Secure distributor or F-Secure Corporation directly.
For basic technical assistance, please contact your local F-Secure Business Partner. Send your e-mail to Anti-Virus-<country>@F-Secure.com, for example: Anti-Virus-Norway@F-Secure.com

If there is no authorized F-Secure Anti-Virus Business Partner in your country, you can request basic technical assistance from: Anti-Virus-Support@F-Secure.com

Before contacting support, please run the F-Secure Diagnostic utility on the host running F-Secure Anti-Virus. This utility gathers basic information about hardware, operating system, network configuration and installed F-Secure and third-party software. You can find and run the FSDiag.exe utility under the F-Secure\Common folder.

Please include the following information with your support request:

- Version number of F-Secure Anti-Virus (including the build number).
- Name and version number of your operating system (DOS, Windows). Include the build number.
- A detailed description of the problem, including any error messages displayed by the program, and any other details which could help us replicate the problem.

Then send the F-Secure Diagnostic report file (fsdiag.tar.gz) and the additional information to your local F-Secure business partner, or enter this information in the Problem Report form at http://www.f-secure.com/support/.

When contacting F-Secure support by telephone, please do the following to save time:

- Be at your computer so you can follow instructions given by the support technician, or be prepared to write down instructions.
- Have your computer turned on, and (if possible) in the state it was in when the problem occurred; or be ready to replicate the problem on the computer with minimum effort.
- If you have a virus infection, make sure that you have run the latest fsupdate. The fsupdate can be downloaded from the Web Club.
About F-Secure Corporation

F-Secure is a leading strategic provider of powerful data security solutions. The Company's products help enterprises protect corporate information and conduct electronic commerce securely. Customers in nearly every industry (Government, Manufacturing, Retail, Telecommunications, Finance, Energy, Transportation, High Tech and more) rely on F-Secure products to make information secure, reliable and accessible. F-Secure supports businesses with a broad range of centrally managed and widely distributed best-of-breed data security applications built on a highly scalable management infrastructure. Both internal corporate IT departments and external service providers use the F-Secure approach to effectively deliver Security as a Service to millions of users. With F-Secure, security is centrally managed, widely distributed, seamlessly integrated, totally automated and transparent to the user.

Founded in 1988, F-Secure has been listed on the Helsinki Stock Exchange since November 1999. The company is headquartered in Helsinki, Finland with North American headquarters in San Jose, California, as well as offices in Canada, Germany, Sweden, Japan and the United Kingdom. F-Secure is supported by a network of VARs and Distributors in over 80 countries around the globe. Through strategic OEM agreements the company's security applications are integrated into the services and products of leading telecommunications equipment manufacturers, such as Cisco Systems, Ericsson, Nokia and Sonera.

F-Secure has tens of thousands of customers. These include many of the world's largest industrial corporations and best-known telecommunications companies; major international airlines; European governments, post offices and defense forces; and some of the world's largest banks.
Well-known customers include NASA, the US Air Force, Yahoo, US Department of Defense Medical Branch, the US Naval Warfare Center, the San Diego Supercomputer Center, Lawrence-Livermore National Laboratory, IBM, Unisys, Siemens AG, EDS, Cisco, Nokia, Sonera, UUNet Technologies, Boeing, Bell Atlantic and MCI.

F-Secure software products have received numerous international awards, prizes and citations. The company was named one of the Top 100 Technology companies in the world by Red Herring magazine in its September 1998 issue. The Company was named one of the 25 Hottest Startups in the world 1998 and its products have consistently won awards including the West Coast Labs Anti-Virus Checkmark 1999, the Virus Bulletin 100% award 1999, the Editor's Choice from the German PC Professional magazine (member of Ziff-Davis group) 1999, Hot Product of the Year 1997 from Data Communications Magazine for F-Secure VPN; and the 1996 European Information Technology Prize.
The F-Secure Product Family

F-Secure Anti-Virus automatically and transparently delivers the most powerful and up-to-date protection against computer viruses and malicious code to your workstations, servers, firewalls, gateways, mobile devices, and e-mail/groupware servers under one common management framework.

F-Secure Policy Manager provides a flexible and scalable way to manage the security of multiple applications on multiple operating systems, from one central location. With a unique distributed architecture, the F-Secure Policy Manager keeps security software up-to-date, manages configurations, oversees enterprise compliance, and scales to handle large and mobile enterprises.

F-Secure SSH enables remote systems administrators to access corporate network resources securely by protecting the transmission of sensitive data. F-Secure SSH provides numerous features to make secure administration and remote access connections easy to use, in a user-friendly, terminal-based application running on a wide variety of platforms.