-----------------------------------------------------------------------
NOVVIRUS.DOC -- 19980302 -- Email thread on NetWare Anti-Virus Products
-----------------------------------------------------------------------

Feel free to add or edit this document and then email it back to
faq@jelyon.com

Date: Mon, 7 Aug 1995 14:00:42 -0600
From: Rebecca Ramirez
Subject: F-Prot experiences (fwd)

Thank you to everyone who sent me recommendations for an anti-virus
product for our office. Here is a summary:

F-Prot: 9 recommendations
  $1.00/machine for shareware product or $10.00/machine for F-Prot
  Professional commercial product. These prices are for 150 PC's.
  They also have an NLM for the server and offer an educational
  institution discount.
  800-423-9147 (f-prot professional)
  ftp://ftp.coast.net/SimTel/msdos/virus/fp-218a.zip (shareware)

McAfee: 1 recommendation
  $3,210 for 101-200 machines or $5,100 for any combo of
  Scan/WScan+CleanUp, Vshield.
  800-866-6585

Dr. Solomon: 1 recommendation

ThunderByte: 1 recommendation
  800-968-9527
  $4810 / up to 250 PC's.

IBM Antivirus: 1 rec.

Central Point AntiVirus: 1 rec.

------------------------------

Date: Tue, 5 Dec 1995 09:07:50 -0800
From: "Aaron D. Turner"
Subject: Re: Virus Protection

We use Norton's AV package. Nice central management and autoinstalling
via the net. The workstation and NLM really work together and I've been
happy with how it handles viruses. We've experienced a few
compatibility problems (certain highperf. video cards and the like).
But it is very configurable so we've always found a work around. Our
environment has a broad range of systems, and we're able to put users
into different AV "groups" to give us an optimum performance to
detection trade-off on each system -- slower systems have their HD &
RAM scanned, while faster systems with more RAM load the TSR.

------------------------------

Symantec Norton AntiVirus (800) 441-7234
McAfee VirusScan (800) 338-8754
Dr. Solomon's Anti-Virus Toolkits (800) 701-9648

Each of these vendors also has NLM packages to further protect the
network. There is also a package called F-PROT which has wide
net-acceptance, but it appears to be right in the middle of a major
upgrade and is currently unavailable as a commercial package.

Hope this helps,
Sean Dickman

------------------------------

Date: Thu, 16 Jan 1997 13:39:00 +1100 (EST)
From: Creative Computing
Subject: AV programs

I have discovered that McAfee will not -always- scan every possible
sub-directory when using /sub option. This particularly happens when
using unix mounting programs which allow dos to mount unix hard drives,
such as "samba". Actually McAfee only scans about 1/8 of all the
directories on our networked drives. I am not entirely sure if it is
caused by our mounting program or otherwise.

Andrew Murphy

------------------------------

Date: Wed, 17 Jan 1996 06:55:42 -0800
From: Floyd Maxwell
Subject: Anti-Virus NLMs

Joe D. wrote:
>of time if nothing else). We know that some third party NLMs cause big
>problems in servers too; virus scanners and tape backup programs come
>to mind.
---------
What Anti-Virus NLMs are being used by everyone? I am aware of NAV,
CPAV, McAfee, Intel's VirusProtect and F-Prot.

--------
How satisfied are you? Have there been server crashes because of it?

--------
What client programs are also being used?

------------------------------

Date: Wed, 17 Jan 96 15:01:27 CST
From: "Rick C Nelson"
Subject: Anti-Virus

Have been using Cheyenne's Inoculan v3.0 on netware 311 for 1.5 years
and have never had a problem. I know it's hard to believe Cheyenne, but
proof is in the puddin'.

-----------------------------

From: "Roger Bell"
Date: Wed, 17 Jan 1996 11:33:12 EST
Subject: Re: Anti-Virus NLMs

Intel Virus Protect V2.13
No problems with NLM or Client

-----------------------------

From: "Yair Wellner"
Organization: MIGAL
Date: Thu, 18 Jan 1996 06:39:54 GMT+0200
Subject: virus

If you have diskless workstations DO NOT USE the Intel Anti-virus V3.00
Some of the workstations will not boot and Intel gives bad support

Yair

------------------------------

From: "Rob Waterlander"
Date: Thu, 18 Jan 1996 08:53:00 +0100
Subject: Re: Anti-Virus NLMs

>What Anti-Virus NLMs are being used by everyone? I am aware of NAV,
>CPAV, McAfee, Intel's VirusProtect and F-Prot.
>
>--------

We are using Dr Solomon's Toolkit for NetWare. It comes with a DOS,
Windows and NetWare solution. Each workstation loads the guard driver
that traces viruses on the workstation. On the server there is a NLM
running which checks each connection if it is running the guard driver.
If so you are granted access to the network, if not you're being logged
out of the network. A second NLM runs at night to check the fileserver
volumes for viruses. (check out http://www.solomon.com)

>How satisfied are you? Have there been server crashes because of it?
>
>--------

We are very satisfied. We have also a subscription for an update every
three months. So far (we are using it for 15 months) we have had no
crashes related to the virusscanner.

>What client programs are also being used?
>
>--------

The client part is guard. There is also the toolkit part, which enables
me to quickly scan the network or local drives. The client toolkit part
is also capable of cleaning viruses.

------------------------

From: Phil Randal
Subject: Re: Anti-Virus NLMs
Date: Thu, 18 Jan 96 10:05:56 GMT

>What Anti-Virus NLMs are being used by everyone? I am aware of NAV,
>CPAV, McAfee, Intel's VirusProtect and F-Prot.

Check out Dr Solomon's at www.drsolomon.com.
It has had very good reviews in the UK press and we use it here quite
happily.

--------------------------

Date: Thu, 18 Jan 1996 13:49:51 +0200 (GMT+0200)
From: Bennie Venter
Subject: antivirus NLM's

Over here we're using Dr Solomon's AV in NLM format. The workstations
are running VGUARD which, if used with the NLM can report viruses
found. The clients available that can talk to the NLM include Win95 &
DOS/Win, The clients for Win-NT & OS/2 do not run like that but will
supposedly soon. The security for server NLM includes refusing login if
vguard is not loaded, etc. It contains netware send message facilities
etc.

Works nicely on a netware 3.12 25 user which runs oracle for netware
workgroup server & all fits nicely into 64 Meg of mem with 6G of disk
space mounted in 2 drives 1 volume per drive of which one is 64k block
size & the other is 16k.

Soon we will load it onto all the other servers. Hope it keeps up the
good behaviour.

---------------------------

Subject: Re: Anti-Virus NLMs
Date: Thu, 18 Jan 1996 17:06:12 +0000 (GMT)
From: Richard Letts

>What Anti-Virus NLMs are being used by everyone? I am aware of NAV,
>CPAV, McAfee, Intel's VirusProtect and F-Prot.

we use McAfee NLM on the server

>How satisfied are you? Have there been server crashes because of it?

Very satisfied: it has caught several viruses, indeed we can see the
ripple-effect as the virus spreads from the source across campus. It's
never crashed our server. In periodic-scan mode it consumes no system
resources during the working day. We don't scan files in and out of the
server as this would have a performance penalty.

>What client programs are also being used?

F-Prot -- it has a nice user-interface which is useful for
panic-stricken users.

---------------------------

From: Chien-Li Chung
Date: Thu, 18 Jan 1996 17:37:50 +0000
Subject: virus protection

We're using Intel's VirusProtect 2.1

------------------------------

Date: Sat, 20 Jan 1996 14:01:02 -0800 (PST)
From: "Aaron D. Turner"
Subject: Re: Anti-Virus NLMs

We're running NAV on a 3.12 and 3.11 server. Overall I'd say we are
very happy with it and its integration with the NAV workstation TSR.
We've been running it for a few months now, and haven't had any abends,
though like all AV packages we do notice a slight lag in loading
programs off the server as the NLM scans them. It does a nice job of
reporting viruses on the WORKSTATIONS when used with the NAV TSR, so
that we track who's bringing them in.

HTH.

------------------------------

Date: Sun, 21 Jan 96 21:08 MET
From: arthur-b@ZeelandNet.nl (Arthur B.)
Subject: Re: Anti-Virus NLMs

>What Anti-Virus NLMs are being used by everyone? I am aware of NAV,
>CPAV, McAfee, Intel's VirusProtect and F-Prot.

I know of sites with:
  nothing
  Intel LANDesk VirusProtect version 2.x
  Intel LANDesk VirusProtect version 3.x
  McAfee

>How satisfied are you? Have there been server crashes because of it?

The site with no virusprotection run pretty fast. The others run a
little slower to a lot slower.

Intel LANDesk gives me trouble sometimes. Intel views on a good product
are not entirely as I see it (deletion of any directory by users is
prohibited for example, even the ones they created themselves).
However, Intel is the one that has given me the best support in years.
I find that a big plus.

McAfee just runs, but I haven't tested it yet. So I have not much to
say about it.

>What client programs are also being used?

The ones that come with the package. Or F-Prot which is very very good.

------------------------------

Date: Tue, 23 Jan 1996 21:51:17 -0500
From: Jerry White
Subject: Anti-Virus NLMs -Reply

>What Anti-Virus NLMs are being used by everyone? I am aware
>of NAV, CPAV, McAfee, Intel's VirusProtect and F-Prot.

CPAV, Netware 3.12 on 8 servers. It conflicts with DHANDFX patch, so we
don't run the patch.

>How satisfied are you? Have there been server crashes because of it?

moderately satisfied. The CPAV Master server crashed once. No big deal.
The DOS scan program is really slow. It doesn't hold a special place in
my heart. We're going to a management suite (Managewise, Mcafee,
Symantec.) Whichever one we go to, we'll replace CPAV with theirs.

>What client programs are also being used?

A few vertical-market DOS programs. Standard Windows OA apps. No c/s
apps or databases. Windows locally.

--------------------------

Date: Tue, 23 Jan 1996 09:45:46 +0100
From: "David W. Hanson"
Subject: Re: Again :Wizard Behaviour on Netware 3.12

>Have you run a good virus scanner on your clients and the exe/com
>files on your server lately?
>
>McAfee LanScan/ NetShield is tops and it will save you a job the one
>and only time it works!

Excuse me while I gag! McAfee is -not- tops. It is somewhere in the
middle of the crowd. However, your advice to scan is good advice. I
would recommend F-PROT, AVP, or Dr. Solomon's, all three of which have
higher detection rates than McAfee.

------------------------------

Date: Tue, 30 Jan 1996 16:42:56 -0600
From: labuser@depaul.edu (Lab User)
Subject: Re: Anti-Virus NLMs

>What Anti-Virus NLMs are being used by everyone? I am aware of NAV,
>CPAV, McAfee, Intel's VirusProtect and F-Prot.

We are using Net-Prot. It's working fine but in the beginning we were
getting a lot of NCP errors at the console but Command Software finally
got that straightened out.

>How satisfied are you? Have there been server crashes because of it?

Never had the server crash because of error from net-prot or from
Viruses.

>What client programs are also being used?

We are using F-Prot on the workstations (Novell recommended not using
NLM's and only using workstation protection) and it has been doing a
great job. We used to use McAfee and before that another company that
disappeared.

------------------------------

Date: Mon, 5 Feb 1996 09:11:49 EDT
From: ctl@BRONZE.COIL.COM (Bill Vanderhoof)
Subject: Re: 312PT6.EXE warning!

>>We applied most of the patches in 312PT6.EXE (also included the Patch
>>Manager from CDUPD2.EXE) (except for a few which seemed irrelevant to
>>our environment) and rebooted the (3.12) File Server.
>>
>>Everything came up fine except Intel Landesk Virus Protect. It came up
>>with the following messages:
>>
>>"PSCAN: Could Not Attach Pre-Scan Drivers
>>PSCAN: Be Sure This is a Netware 3.12 Server
>>Module PSCAN.NLM is being referenced
>> You must unload LPROTECT.NLM before you can unload PSCAN.NLM
>>1/22/96 9:38:06 am: 1.1.91 Error unloading killed loadable module
>>LANDesk Virus Protect:Could not attach to Pre-Scan Protocol Stack".
>:
>>We REM'd out all of the patches and brought them back in one at a time
>>on a test server and discovered that DHANDFX.NLM causes the problem.
>>We've kept it REM'd out as it appears to relate particularly to sites
>>running Mac Name Space, NFS and GroupWare - none of which we run.
>
>Check out Intel's web site, you'll need a new PSCAN to work with the new
>CLIB with new hooks to attach the pscan driver. Same thing happened when
>I applied LIBUP5...

Follow Tim's response. I have Novell Managewise 2.0 on a Netware 3.12
server and I got the same PSCAN errors. Get the new PSCAN from Intel
and it will work like a charm. I don't think it has anything to do with
the patches.

------------------------------

Date: Wed, 7 Feb 1996 17:41:26 -0500
From: Daniel Tran
Subject: LIBUP6.EXE and Intel Virus Protect

Here's the story on libup6.exe and Intel Virus Protect 3.0D.

I previously mentioned the D patch of Virus Protect works fine with the
new clib.nlm included in libup6.exe. My server crashed yesterday with
the following message:

ABEND: Invalid semaphore number passed to kernel
Running Process: LDVPAction Process
Stack:

Just talked with Intel. They are aware of the problem. They mentioned
if you have PSCAN.NLM with date 08-15-95 and size 17,527 bytes, it will
probably work fine with CLIB version 3.12J.
They did stress that this is not OFFICIAL Yet. I do have the correct
PSCAN.NLM so the bottom line is that "your server may crash too". Based
on my info, Intel will check again with Novell.

Best thing to do now is go back to libup5.exe. I believe it's 3.12h.
Another weird thing, why did Novell skip the "i" revision and jump to
"j".

------------------------------

Date: Tue, 13 Feb 1996 21:23:13 -0800
From: Bill Willcutt
Subject: FAQ info on Anti-Virus NLM's

First, let me thank you for maintaining the Novell FAQ. I as a young
administrator without as much experience as most of the contributors
have benefitted from your FAQ many times.

Now, I thought I would share with you my experience with Anti-Virus
software. I am using F-Prot on all of my users as well as Net-Prot on
our server. Net-Prot can be configured to scan in different ways.
Currently, we are scanning on all file activity on the server, with a
full scan of all volumes at midnight each day. I haven't seen hardly
any difference in overhead and I have cut down the number of viruses
around our LAN tremendously. I might add, that on workstations, each
user does a full scan once a day (on bootup) and keeps resident
protection (f-prot's virstop) that even detects if an infected diskette
is inserted in a drive.

The F-prot - Net-Prot combination has kept our server virus free for
quite some time. I get regular updates from f-prot when they release
new versions. I then load them on the server and have a batch file in
system login script that checks the version on the workstation and
updates it if necessary.

I would recommend these products to anyone.

------------------------------

Date: Wed, 28 Feb 1996 08:01:01 -0600
From: Joe Doupnik
Subject: Re: ...latest patches & upgrades...

>Good morning ....recently I addressed this group with the question, is
>Netware v3.12 a "patched" v3.11 and what are the reasons for upgrading from
>v3.11 to v3.12. In the interim I loaded the latest v3.12 patch kit. With
>this patch kit 52 NLMs are loaded from Startup.ncf.......if my system need
>them or not!.....I must unload two of these patches in the Autoexec.ncf to
>make Inoculan run correctly.

Apparently the whole virus detector NLM industry has many problems in
servers as the server software evolves. It's difficult to know where
the finger should be pointed; probably at everyone involved.

> Does Novell believe that v3.12 needs all of
>these patches to run correctly? This seems a "shotgun" approach at best
>and a case of bad engineering at the least. I also believe all of these
>NLMs are using quite a bit of memory that should be best used to serve
>files and print requests.

Cool reason rather than emotion will be more productive here. There is
very little memory consumption, as can be verified by looking at
Monitor. And of course Novell did all this just to annoy you
personally. On the other hand MS products never have bugs, by fiat of
Mr Gates; instead they have version number increases and Service Packs
and "buy it again" messages from users. (GPFs are free and unlimited).

Joe D.

------------------------------

Date: Mon, 4 Mar 1996 05:56:00 EST
From: SUMBILC
Subject: Intel Virus Protect and Novell 32 Client

>Has anyone figured out how to make the Intel Virus Protect workstation
>scan (VSCAND.EXE) work with the Novell Client 32 on a Windows 95 client?
>The server is 3.11 soon to be 4.1. When the VSCAND.EXE TSR runs, the DOS
>box pops up with the error "Loader error (0000): unrecognized error".
>I can press CTRL-C to continue, but the scan doesn't run.

I have experienced the same problem here but I was able to work around
it. Be sure you have the following files when you try to execute
VSCAND :

  husdll.dll
  dpmi16bi.ovl
  scanutil.dll
  lpt$vpn.### (signature file)
  pkutil.dll
  vscand.exe
  rtm.exe
  vscando.exe
  vscand.com

Del C. Sumbillo

------------------------------

Date: Sat, 20 Apr 1996 11:39:00 BST
From: Stephen Knight
Subject: RE : Netware antivirus systems

>I would be interested in what my options are for protecting a 3.12
>server and its Win 3.1 clients. Ease of use, implementation and it
>should not cause conflicts are major concerns, cost, while always a
>consideration would be secondary.

Here we use Sophos Sweep NLM running on a 3.11 server with Intercheck
loaded from the system login script which performs a full scan of local
drives each time a new workstation is added or the scanner is updated.

I would highly recommend this system as long as your clients are mainly
static PC's logging into the network all the time....

When you are on-site you receive immediate (SEND) messages, a log of
all problems, and the Intercheck program stops the workstation being
able to load the program / word doc. concerned.

Once a file has been checked okay it isn't scanned again -- as far as
the user is concerned there is just a short pause the first time they
use a program and a helpful dialog box tells them what's going on....

The "scan files as they are copied to/from server" bit only works on NW
4.x but with Intercheck that is a bit overkill anyway....

Only problem is where you have a lot of servers and login/out
frequently as logging out means it can't connect to the server to scan
-- and it only remembers the version of login.exe on the server you
last used....

------------------------------

Date: Tue, 23 Apr 1996 00:38:52 +0800
From: Samuel Chan
Subject: Re: Netware antivirus systems

I've used Cheyenne's Inoculan for two years. I was told that LDVP works
better as a whole. However, the newer release of Inoculan (4.0) runs on
NDS and more importantly, it works perfectly with Cheyenne's ARCserve!

------------------------------

Date: Sat, 25 May 1996 11:18:33 CST
From: TJ Siwinski
Subject: [none]

>We are running a 3.12 server (ProSignia 500 with 83 meg of
>memory; 4 gig disk space), which is newly installed, but has
>been running seamlessly for about a month -- no problems.
>We loaded Command Software's NET-PROT NLM (anti-virus
>software). Several hours after that, the server stopped
>accepting logins -- in fact, you couldn't do anything at the
>console -- including Exit from Monitor. The only solution was
>to power off the server.
>We think that it stopped in the middle of a backup session

I had a similar problem with F-Prot...I had to check ALL of my NLMs and
make sure I had the very latest from Novell... that solved the problem.

------------------------------

Date: Mon, 3 Jun 1996 23:15:26 +0200
From: "Arthur B."
Subject: Re: NLM-based virus scanner

>We're in the process of connecting our NetWare network to the
>Internet. Before we go "live", my boss insists that we get full-time
>virus protection installed on all servers (three NetWare 3.12; one
>Citrix Winframe). I know that opinion is divided on whether
>NLM-based virus scanners are even a good idea, but my hands
>are tied on that score. Does anyone have a favorite among the
>majors: F-Prot, McAfee Netshield, Cheyenne Inoculan?

Question: Why install a real-time anti-virus product now? Do you not
need one from day 1?

- F-Prot seems to be good.
- McAfee seems to have a small problem with a NLM for Netware 4.x.
  The problem being that it doesn't exist (info from a Dutch McAfee
  BBS).
- Have you ever heard of Thunderbyte anti-virus?
- Others I don't know that much about.

Would recommend that you install an anti-virus product on an absolute
virus free fileserver/PC(s)...in case one of the PCs already has one.

Some people seem to forget that killing a virus means more than running
a program from harddisc or loading a NLM.
For example: Installing a NLM based anti-virus product can make you
believe that you are home free. That is not the case if one of your PCs
already was infected by some bootsector or partition virus before you
installed the NLM.

The list can go on and on.
- Like not checking every diskette or forget to look inside PKLite
  files (or files of the same nature), ZIP archives, etc.
- Cleaning up a virus by trying to install an anti-virus product on the
  hard disc and run it against the virus.
- Restoring backups and not checking them.
- Forgetting to check laptops, remote sides and/or PCs at home.

General rule: most infections come from the inside not the outside.
Meaning that you check more on what your users bring in than what your
modems bring in.

Question: Do you think that installing an anti-virus product alone will
give you good enough protection? I would recommend at least reading
about a firewall.

Reminder: I'm not trying to worry you. Just show some things to think
about. Most of the above will happen only to a few of us. However, when
it does the damage can be very great (a trojan running under an admin
account is about the worst). It is up to you to measure up the risk
against the workload.

------------------------------

Date: Mon, 3 Jun 1996 18:52:26 EST
From: Jayson Agagnier
Subject: Re: NLM-based virus scanner

We have McAfee NetShield loaded on our 3.1x servers, no problems at
all, with a general scan run daily at 03:00.

Our 4.1 server uses another product called ViruSafe from EliaShim
Microcomputers. The EliaShim product is controlled via client
workstation, not the server console, and has very good reporting.

We evaluated the Norton product vs. the McAfee, and found Norton to be
more expensive for our site, and found their updates not frequent
enough.
The Eliashim product was priced well, uses less server memory and
resources than the other two mentioned above, and we are looking at
placing them on our 3.1x server when the McAfee and Norton licenses run
out.

------------------------------

Date: Tue, 4 Jun 1996 14:21:18 +0100
From: Peter Scherrer
Subject: Re: NLM-based virus scanner

>We're in the process of connecting our NetWare network to the
>Internet. Before we go "live", my boss insists that we get full-time
>virus protection installed on all servers (three NetWare 3.12; one
>Citrix Winframe). I know that opinion is divided on whether
>NLM-based virus scanners are even a good idea, but my hands
>are tied on that score. Does anyone have a favorite among the
>majors: F-Prot, McAfee Netshield, Cheyenne Inoculan?

IMHO there is just F-Prot worth mentioning. The two other ones belong
to the also runs.

For good indepth information and reviews, have a look at:
www.drsolomon.com

------------------------------

Date: Tue, 4 Jun 1996 21:15:18 -0500
From: Erwin Goodwin
Subject: Re: Virus Scanner NLMs

We use Norman Data Defense on our 100 pc site. It has done a better job
than McAfee or f-Prot which are being run on sister sites on our
campus. Norman works well under 3.11, 3.12, 4.1 and WIN95. We have
never had a problem. They have a collection of software including the
virus firewall for the server and PC along with alert notification to
the admin/super/or group.

We went from over 100 virus hits a week (student labs) to less than 5 a
week because we received the message and could go right to the student
and get their disk cleaned. Our students really appreciated getting all
of their disks cleaned. BTW, it really worked well on RIPPER (one of
our students tried to force an infection).

For more info, see http://www.norman.com or write to norman@norman.com

Prices are very close especially with educ. discount.

------------------------------

Date: Wed, 5 Jun 1996 05:29:57 +0000
From: Scott Doniger
Subject: NLM-based virus scanner

>We're in the process of connecting our NetWare
>network to the Internet. Before we go "live", my
>boss insists that we get full-time virus protection
>installed on all servers (three NetWare 3.12; one
>Citrix Winframe). I know that opinion is divided
>on whether NLM-based virus scanners are even a good
>idea, but my hands are tied on that score. Does
>anyone have a favorite among the majors: F-Prot,
>McAfee Netshield, Cheyenne Inoculan?

I have been working with FProt for years. I think it is the best NLM on
the market. Unfortunately, they don't get much press. It is the fastest
and lowest overhead.. I can prove it... Also they have a 24hr HUMAN
virus response team at no charge. Email me for more info...

------------------------------

Date: Thu, 13 Jun 1996 12:32:10 -0400
From: Rick Troha
Subject: Re: Anti-Virus products

Invircible. It can be found at ftp.invircible.com

------------------------------

Date: Thu, 20 Jun 1996 11:57:05 -0600
From: Joe Doupnik
Subject: Re: CCDSetFileSize Abend

>If this question was answered before, excuse me.

Not answered before, and it's a tough one.

>I have a Pentium90 w/64Megs, NW 4.1 50-user, 540 Meg IDE drive containing
>a 250 Meg SYS: vol, a 4 Gig SCSI-2 Seagate containing 1 1.5 Gig OFFICE:
>volume and a 2.5 Gig SASI: volume. Both of the volumes are used as file
>and data servers.
>All current patches and upgrades for 4.1 that I have found on the Novell
>FTP have been loaded (even the ones I don't need now, but you never know).

Good move, generally. I do the same.

>One of the users created a file on the SASI volume (34K), that now,
>whenever accessed causes a CCDSetFileSize abend.
>
>At the same time this was happening, a file that contains just indexed
>ASCII data suddenly became 4.5 Gigs big. The virus scan has detected no
>problems, but when it scanned the one 34K file----ABEND.

Uh oh.
How about removing as many "helpful" NLMs as you can and try again.
Virus scanning software is often the cause of file operation troubles
these days.

Reboot the server to have the file system checked as it comes up. You
can run VREPAIR manually too. (Load VREPAIR from the system console,
toggle round to the colon prompt to dismount the volume of interest,
toggle round again to start Vrepair.)

You may need to thoroughly inspect the SCSI system to ensure it is in
good shape. Be sure the Seagate drive has its cache turned OFF (contact
their ftp site, ftp.seagate.com as I recall, and get the tiny program
which does that job). Keep the drive and motherboard cool, nice and
cool.

>Is there a utility out there for Novell file/data servers that operates
>along the lines of Norton's?

Nope, alas, other than VREPAIR noted above.

>Is there anything I can do, besides wipe/reload?

See above before giving up hope. We can't let computers win all the
battles.

Joe D.

------------------------------

Date: Mon, 1 Jul 1996 19:11:26 -0400
From: "Brian K. Voorhes"
Subject: 4.1 Server Crash - Solution

Thanks for the suggestions folks. As it turns out, the error appears to
have been a little bit less esoteric. The server crashed again today
with another weird error, stating that it had attempted to Move a file
into an invalid directory entry. I pulled the server apart with the
debugger and found that it had stopped with a cr2=00000000. Of course,
I was just as unable to restart the server but this gave me the clue I
needed.

According to Novell, two things commonly cause a server error with a
cr2 set at 0. The first is a buggy piece of software that dereferences
a null pointer. The other is an invalid access at the DOS level. The
latter is what was going on. The client's server had Anti-Exe.A
infecting the DOS partition of the server.
Best bet anyone has got is that in the process of trying to infect
files, the virus corrupted little bits of system RAM here and there,
leading to these weird errors.

With any kind of luck, this will clear up the abends. The stern lecture
about viruses has already been given to the on-site support engineer,
and we plan on disseminating that info to the general network users.

------------------------------

Date: Wed, 18 Sep 1996 13:31:46 -0800
From: Charles Middlet
Subject: Re: Warning LIBUP9

>This is a warning to be careful when upgrading to LIBUP9. If you are
>running PSERVER.NLM - DON'T DO IT.
>
>Pserver abends when attaching to the network. I've tried various things,
>but the only one that works is going back to LIBUP8.

Here are the notes that I got from INTEL about the problem.

Welcome to the Intel(r) LANDesk(r) Virus Protect automated mailing
list.
*****************************************************************
Novell has released a new patch kit for NetWare 3.x, 312PT8.EXE. In
this patch kit is a Mac fix called MACNMFX.NLM. This patch conflicts
with LANDesk Virus Protect's PSCAN.NLM and will cause a SERVER ABEND
whenever a mac file is accessed.

Intel engineers have written a very simple NLM which demonstrates the
problem and sent it off to Novell in hopes that they can correct this
problem. LANDesk Virus Protect code is not the cause of the problem.

Until the problem is resolved, this part of the Netware 312PT8,
MACNMFX.NLM, should NOT BE RUN. This will not only abend the server
with our NLM, but with ANY other NLM which intercepts file-opens (which
is common in auditing, metering, and anti-virus software)

Watch for an updated file from Novell to resolve this issue.
****************************************************************
End Issue #6 5 SEP 1996

********* FOLLOWUP *******
Issue #6A
*****************************************************************
It has come to our attention that Novell has released an updated patch
file that resolves the ABEND situation described in the previous
message. The new file is called 312PT9.EXE, and contains a new
MACNMFX.NLM dated August 12, 1996. The file is not on the 'Top-20' list
yet, but the file can be located using the search function.
****************************************************************
End Issue #6A

---------

Date: Wed, 18 Sep 1996 20:32:46 -0600
From: Mark Barton
Subject: Re: Warning LIBUP9

While [the above] is good information for people who use LANDesk and
have patched their file servers with 312pt8 (and who should be
installing the 312pt9 patch as we speak), it has nothing to do with
LIBUP9.EXE

------------------------------

Date: Thu, 27 Mar 1997 16:34:40 +0000
From: Joop van Buuren
Subject: Novell Client32 prevents detection of viruses (WIN95)

FORWARDED MESSAGE
-----------------
>>>>>
We have discovered that if you install Novell's Client32 on a PC
running Windows 95, many antiviral products fail to detect infected
files when they are stored on a NetWare server. These products fail
because they monitor file I/O by registering a file system API hook
with the Windows 95 IFS Manager. Client32 intercepts I/O requests
before they are sent to IFSMgr. Requests directed to a NetWare server
never reach IFSMgr at all, and are therefore invisible to file system
hooks. Of course, this does not just affect antiviral products, but
these are probably the most widely installed products that use Windows
95 file system hooks.

Novell technical support has informed me that Client32 cannot be
modified to pass I/O requests along to IFSMgr without making major
changes in its design. They currently have no plans to do this.
In an earlier posting, I promised to try to find out how many commercial products are affected by this problem. I decided to concentrate on antivirus products, because it's easy to get copies of them for testing. I downloaded evaluation copies of a number of these and installed each one on a PC running Client32. After installing each product, I tried to run a copy of the Eicar Standard AntiVirus Test File stored on a NetWare server.

To try this with your own favorite antivirus product, copy the following line into a file stored on a NetWare server and name it EICAR.COM:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Of course, you'll also need a copy of Client32, which you can get from Novell's "NetWare Client 32 for Windows 95 Home Page" at

http://support.novell.com/home/client/c3295

If an antiviral package is working properly and detects the Eicar test virus, it shouldn't be possible to run EICAR.COM.

If I couldn't find a free evaluation copy of an antiviral product on the network, I called technical support for that company, described the problem, and asked whether or not they are affected. The following table summarizes my findings:

PRODUCT                          AFFECTED?
Cheyenne AntiVirus for Win95     Yes
Dr. Solomon's AntiVirus          No*
F-Prot                           No
McAfee VirusScan                 Yes
Norton AntiVirus                 No
PC-cillin2                       Yes
ThunderByte AntiVirus            Yes
IBM AntiVirus                    Unknown**

* I wasn't able to test this product personally, but the company told me that they are not affected. If anyone can confirm this, I'd like to hear about it.

** IBM technical support has been trying for several weeks to find out from their engineering group whether or not they register a file system hook. No answer yet.

As you can see from this list, there appears to be a significant security risk to many Novell customers. Because some products do work properly with Client32, it is clearly possible to monitor file I/O without relying upon a file system API hook.
Is anyone out there willing to describe their method for accomplishing this? My own company sells a file encryption product that uses a file system hook, and I'd like to find out about alternatives that work properly with Client32 and don't disable 32-bit file access.

Craig Richardson
AXENT Technologies, Inc.
Nashua, New Hampshire
<<<<<

------------------------------

Date: Sun, 20 Apr 1997 02:30:35 +0200
From: "Arthur B."
Subject: Re: Any virus breaking Netware security

>Is there any virus which can break netware security.
>
>What I mean to ask is that if a particular directory has only "Read" and
>"file scan" rights , can a virus active in memory infect the files in this
>directory when the files in this directory are executed.
>
>I tried with Die-Hard virus , it does not infect files in such directory.

Yes and no.

No, because as long as the user in question has RF rights the virus doesn't have enough rights to mess up the executables.

Yes, because when someone with enough rights (like the admin responding to the user's cry for help because his virus infected PC behaves strangely) logs in the virus can play along. And infect other PC's from the network drive from there on.

This is a good reason (amongst others) to never login with S rights on a user workstation. Only login with S rights on known trusted PC's (or a laptop for on the spot jobs). Same rule goes for M and/or C and/or W rights in directories with executables in them.

------------------------------

Date: Thu, 19 Jun 1997 08:03:01 -0700
From: Johnny Stephens
Subject: Re: Virus Protection Netware 4.1

>I have a Netware 4.1 Server that is heavily infected by Concept and
>APPDER.A...Does anyone have any good recommendations for a Server
>Virus Application that will run on Netware 4.X

I use Dr. Solomon for NetWare on my 4.11 server. It has done a good job blocking the Concept virus (it alerts me when a workstation is trying to save an infected file). I also have it scan the entire volume nightly.
In combination with their Winguard on the workstations, we've been able to avoid losing *any* data to viruses.

------------------------------

Date: Wed, 16 Jul 1997 12:09:59 -0700
From: Tim Madden
Subject: Re: Virus scanning and volume compression

>>Don't schedule virus scanning and tape backup at the same time, especially if
>>you're using volume compression (and I suppose you are).
>
>Don't enable volume compression on a volume that is going to contain
>very many files that need to be scanned for virus infections. Virus
>scanning opens the files to scan them, so the files get decompressed
>every time you scan them. Unless compression is set to immediately
>re-compress the files, you lose the 'benefit' of compression. If
>there is enough room to hold all of the decompressed files, there was
>no need for compression in the first place, and compression/decompression
>just adds unnecessary overhead.

I was just checking some settings on my McAfee Netshield console, and noticed that I have "scan compressed files" disabled. In light of your points above, it's a good thing.

My theory is,
- I scan all uncompressed files every day.
- If a file is compressed, it hasn't been accessed for x number of days.
- If the file hasn't been accessed in x number of days, then it couldn't have been infected (right?)
- It's therefore unnecessary to scan compressed files for viruses.

This avoids the compress-decompress to scan-recompress loop you correctly warn about.

------------------------------

Date: Thu, 17 Jul 1997 08:02:17 -0400
From: Marcelle McGhee
Subject: Novell FAQ update

For the past month we have been experiencing the following problem with Windows 95 version b and Client32: After logging into any Netware 4.1 server, the user would have no drive mappings except for F: mapped to sys and Z: mapped to sys also. It seems that this problem began with the new version b of Windows 95. We upgraded our client to ver 2.12 but the same problem kept occurring.
After eliminating as many facts as possible, on the pc, we have determined that Norton Anti-Virus was at the root of the problem. It seems that Norton Anti-virus auto-protect feature was interfering with Client32's ability to map drives. A phone call to Symantec confirmed this and they gave us a solution.

Basically turn off auto-protect at startup option and instead place a shortcut to the auto-protect exe in the windows95 startup folder. This means that Norton Anti-virus auto protect does not kick in until Windows 95 is at the desktop and all Client32 activity is completed. This solution seems to be working for us.

------------------------------

Date: Fri, 14 Nov 1997 13:57:24 -0500
From: "Brien K. Meehan"
Subject: Virus Scanning (was Compression)

>This never happens on our setup. I run our nightly tape backup at 11pm
>and it always finishes by 1am. I've set compression to run between 2-6am
>when nobody's here. I don't understand why you'd need to run a full
>server virus scan if it's already scanning on-the-fly.

I used the full virus scan to cause high utilization due to compression. I thought it was clear that this was a test platform.

That notwithstanding, I do perform regular full virus scans on the servers I support, in addition to real-time scanning. Why? Because I like to be careful! In fact, we require all incoming media to be scanned for viruses at a stand-alone workstation before being used on the network, in addition to real-time scanning at the workstation.

I've supported 1500 workstations for 3 years at this site, and have NEVER had a known virus infect a workstation. (We had a little problem with that dumb-ass Macro virus, before it was "known", but that's another story. Suffice to say, a weekend of free pizza from the boss isn't all bad. And even then, only 2 machines were found to be infected.) And most of the computer users are those pesky, know-it-all engineer types, so that's a real accomplishment.
I'm not blowing my own horn, this policy was in place when I arrived. Adhering to it has made the time we spend repairing virus damage nearly zero. Plus, we gladly spend 10 minutes here and there manually checking someone's machine any time they suspect a virus, to make them feel better about it.

Am I being too careful? My results say "no." I'm sure I'm not the only one who is this militant about virus scanning.

------------------------------

Date: Tue, 16 Dec 1997 12:32:51 -0700
From: Tim Madden
Subject: Re: Workstation Updates with NAL

>I would be interested to know exactly how you update later versions
>of McAfee DAT files onto the local hard disk. Do you run a batch
>file from within NAL to copy in new data files?
>
>What if the workstation has the dat files open with virus shield??

Here's how I've got the Application Object, called UP-DAT, set up:

Page             Settings
-------          ------------
ID               Install only (no executable needed) - checked
                 Prompt for reboot - never
                 Run Once - checked
                 Version Stamp - year/month of DAT file (ie 9711)
                 GUID -
Associations     ARG;GWS.ARG (my O and an OU)
Applicatn Files  Clean.dat
                 Names.dat
                 scan.dat
                 mcalyze.dat

and the O and OU the application object is associated with:

Applications     UP-DAT - Force run (and that's it)

Since I don't have NAL provide an icon anywhere, the users never see the app. object. The combination of "force run" and the "Version Stamp", cause NAL to compare the ver stamp in the NDS to the ver stamp in the client's registry. If the NDS ver stamp is higher, then the app copies the "application files" to the client's . Pretty slick.
Since I upgraded from NAL 1.x to 2.x, the client stores the ver stamp in the HKEY current_user\software\netware\nal\1.0\distribute\\ \version

------------------------------

Date: Mon, 2 Mar 1998 09:01:59 +0100
From: Alfred JILKA
Subject: Re: Password-protected macro viruses

>For a macro virus to have an effect in a password-protected document,
>the password owner would have to knowingly infect the document with a
>macro virus -- true?
                ^^^^ false...

Assume a user who has his docs password-protected. The same user opens an infected document he was given by some other person. Now normal.dot is infected. In fact, every document our user will open in the future will be infected, as the virus resides within normal.dot. So it does not matter, whether he has password protected his docs or not.

It only matters for a scanner. As far as I know (as I used these) F-Protect's macroscanner and Dr. Solomon's _can_ scan password-protected documents.

------------------------------
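
Added example (not part of the original thread and not any vendor's code): a Python check in the spirit of the Client32 test in the forwarded message from Craig Richardson earlier in this thread. It writes the EICAR string quoted there into a local directory and into a directory on a NetWare-mapped drive and reports whether the on-access scanner intercepted each one. It writes and reads the file back rather than running it as the post does; the function names, verdict labels and the control.txt file are assumptions made for this example.

```python
import os
import time

# EICAR test string quoted in the thread, split in two so that this script
# is not itself flagged by a scanner that matches the string anywhere.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         r"ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

def classify(write_error, readback):
    """Turn what happened to the test file into a verdict."""
    if write_error is not None:
        return "BLOCKED_ON_WRITE"
    if readback is None:
        return "BLOCKED_ON_READ"   # open denied, or file already removed
    if readback != EICAR:
        return "MODIFIED"          # scanner truncated or cleaned the file
    return "NOT_INTERCEPTED"       # I/O on this path never reached a scanner

def probe(directory, name="EICAR.COM", settle=0.0):
    """Write the test file into `directory`, read it back, clean up."""
    control = os.path.join(directory, "control.txt")
    try:
        # Harmless control file: separates "scanner blocked the write"
        # from "directory is missing or read-only".
        with open(control, "wb") as fh:
            fh.write(b"control")
        os.remove(control)
    except OSError:
        return "PATH_UNUSABLE"
    path = os.path.join(directory, name)
    write_error = readback = None
    try:
        with open(path, "wb") as fh:
            fh.write(EICAR)
    except OSError as exc:
        write_error = exc
    else:
        time.sleep(settle)         # allow for a scanner that acts after close
        try:
            with open(path, "rb") as fh:
                readback = fh.read()
        except OSError:
            pass
    try:
        os.remove(path)            # never leave the test file behind
    except OSError:
        pass
    return classify(write_error, readback)

def compare(local_dir, network_dir):
    """Flag the symptom described above: caught locally, missed on the server."""
    local, remote = probe(local_dir), probe(network_dir)
    gap = (local not in ("NOT_INTERCEPTED", "PATH_UNUSABLE")
           and remote == "NOT_INTERCEPTED")
    return {"local": local, "network": remote, "coverage_gap": gap}
```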