Doctor Web for Windows 95/98/Me/NT/2000/XP

Dr.Web(R) for Windows 95-XP Version 4.29
Copyright (c) 1992-2002, Igor Daniloff
Anti-virus laboratory of Igor Daniloff, DialogueScience, Inc.

This program is a representative of the 32-bit family of antivirus
programs Doctor Web (or, briefly, Dr.Web). This family includes programs
for Windows 95/98/Me/NT/2000/XP, DOS/386, OS/2, Novell NetWare, Linux,
FreeBSD, and Solaris (Intel).

The program is designed for 32-bit Windows (i.e. Windows 95/98/Me,
Windows NT 4.0, Windows 2000, and Windows XP).


INSTALLATION NOTES

The full Dr.Web for Windows 95/98/Me/NT/2000/XP distribution package
includes the following programs:

  DrWeb32W - graphical version of scanner Dr.Web for Windows 95-XP;
  SpIDer   - memory-resident guard for Windows 95-XP;
  DrWebWCL - console version of scanner Dr.Web for Windows 95-XP
             (no graphical interface);
  DrWeb386 - console version of scanner Dr.Web for DOS/386;
  DrWebScd - Dr.Web Scheduler.

These components are briefly described below. Since they are mutually
independent, you can install them in any combination.

ATTENTION! Dr.Web for Windows distribution package for Home User (Home
Edition) does not include the console versions of scanner Dr.Web and
Scheduler.

To install Dr.Web, run the SETUP program included in the distribution
package and follow the on-screen instructions. If the distribution package
is delivered as an EXE file, run this file.

Note that all Dr.Web programs are installed in the same directory. The
distribution packages of all family members include two common files,
DRWEB32.DLL (Dr.Web's engine) and DRWEBASE.VDB (main virus database). All
new virus base add-ons should also be placed in the same directory.

The configuration file DRWEB32.INI is also common to all family members
and can be placed in the same directory (for instance, DRWEB32). However,
each product uses its own section in the INI-file, except for DrWeb32W and
DrWebWCL that share the same section.
Log files are created in the same directory, separately for each product,
and are given, by default, the filename .LOG.

Additionally, the Dr.Web distribution kit may include language resource
files named .DWL (for instance, RUSSIAN.DWL, GERMAN.DWL, etc.) that
contain program messages written in the respective language. The language
resource files are common to all programs of the Dr.Web family. In the
program with graphical interface (DrWeb32W), the language can be changed
from a special menu in the main window. Or, in any version, the language
can be changed by the /LNG command line option.

Updating the program via the Internet requires WININET.DLL. This library
is usually installed by Windows standard setup, but it may be missing in
earlier versions of Windows 95 and NT. If the "Library not found" error
occurs when you try to update DrWeb32W, obtain the library (it's available
from the same source as Dr.Web) and place it in Dr.Web's directory.
However, if the library already exists in your system, we do not recommend
its replacement since it might result in the library's version
incompatibility.


DR.WEB FOR WINDOWS 95-XP

This version of scanner offers two variants, graphical (DrWeb32W) and
command line, console (DrWebWCL). Both programs support the same command
line options given below. However, DrWeb32W can be configured via dialog
panels, which is usually more convenient. On the other hand, DrWebWCL
requires less system resources.

ATTENTION! Dr.Web for Windows distribution package for Home User (Home
Edition) does not include the console version of scanner.

Both programs use the same configuration file and the same option group
in it. You can alternatively use both variants, whichever is more
convenient at a given time.

Dr.Web for Windows 95-XP can work with ADinf32 and ADinf for DOS, but
would refuse to communicate with 16-bit ADinf for Windows.


RUNNING DR.WEB

All console versions of Dr.Web (i.e. non-graphical DrWebWCL, DrWeb386,
DrWeb2CL) can be launched by using the command line as described below in
"Using the Command Line for the Dr.Web family programs".

The graphical version of Dr.Web for Windows 95-XP (DrWeb32W) can also be
started with a command line, although you would normally use the
program's icon on the Windows desktop.

In addition to this traditional technique, the graphical interface
supports a higher level of integration with the system GUI. Now, when you
right-click on individual or selected objects of the file system (such as
files, folders, and disks), you will see a new item, "Check by Dr.Web", in
the context menu. This method is also available in Explorer.

WARNING! This feature appears in the context menu only if Dr.Web was
installed by using the distribution kit. If Dr.Web was updated via the
Internet, the system is not reconfigured to enable the feature.

Whenever you request Dr.Web to perform an antivirus check, your request
is sent to an active copy of Dr.Web, if any. This makes the check process
faster, since no time is required to launch unnecessary instances of the
program. If your request is sent to an active copy of Dr.Web, the check
process uses the settings configured for this copy. If there is no active
copy of Dr.Web running in memory, Dr.Web is launched with the following
options:

  - all files are checked regardless of the file extension;
  - archives and packed files are checked;
  - recursive scan of subfolders is enabled;
  - heuristic analyzer is enabled.

After processing the request, Dr.Web remains in memory. This lets you
easily examine the check results.

Note that you can send multiple requests to Dr.Web simultaneously, even
if it's processing another request at that moment. All requests are
queued and served sequentially.

Besides, Dr.Web for Windows 95-XP can process requests posted by using
the drag'n'drop operation.
To check a file or folder (or a group of selected objects), just drag and
drop it onto the main menu of Dr.Web active copy, or, if Dr.Web is not
running at the moment, drop it onto the Dr.Web icon on the Windows
desktop.


SPIDER FOR WINDOWS 95-XP

Now, the Dr.Web for Windows 95-XP distribution kit includes a
memory-resident anti-virus program called SpIDer Guard for Windows 95-XP,
or briefly SpIDer.

SpIDer intercepts all attempts to access files and disk system areas and
checks them for viruses "on-the-fly". Having detected a virus, SpIDer
removes or locks it, granting access to the infected file only if it has
been successfully cured.

SpIDer can operate in a special mode when it's able to detect and block a
virus-like activity (i.e. attempts to infect files and other objects on
your hard disk) of any (even unknown) virus.

SpIDer uses the same virus database and program kernel as Dr.Web for
Windows 95-XP does.

SpIDer is included in the Dr.Web for Windows 95-XP Distribution Kit and
is installed with the same Setup program. On installation the Setup
program configures SpIDer for automatic startup in subsequent Windows
sessions.

At startup, SpIDer checks the computer memory. After that, SpIDer's icon
appears on the Windows System tray. Right click this icon to invoke
SpIDer's menu, or double click the icon to open the Options dialog where
you can reconfigure SpIDer.


CONFIGURING SPIDER

WARNING! Any changes to SpIDer's settings will take effect only after you
restart Windows. Once started, SpIDer cannot be manually terminated.
Uncheck the "Load at startup" box in the Options dialog to prevent SpIDer
from auto-loading at Windows startup.

There are several options used to configure SpIDer.

File operations to be hooked by SpIDer are determined by the "Scan
on-access mode" checkbox group.
You can activate the following modes:

  "Run and Open" - check files when they are opened or executed;

  "Create and Write" - check new files when they are created, check
      existing files when they are changed;

  "Smart" - (1) on local hard disks, check files only when they are
      changed (thus, files aren't checked when they are launched. This
      mode assumes that you've already scanned newly created and modified
      files. Nevertheless, we recommend that you regularly scan your
      system, particularly after updating Dr.Web or virus base add-ons);
      (2) on removable and network drives, files are checked whenever
      they are opened Read-Only or Read-Write (this mode combines the
      functionality of "Run and Open" and "Create and Write").

Note: This version of SpIDer can intercept an attempt to access network
drives provided it's installed over a standard Microsoft Network Client
only. This feature may not work with other network clients, for example,
a Novell client.

If the "Virus activity control" box is checked, SpIDer can detect and
block virus-like attempts to infect files, even if such attempts are made
by unknown infectors and viruses that can't be recognized by the
heuristic analyzer.

WARNING! Certain viruses may corrupt a file when their infectious
attempts are blocked by SpIDer.


OTHER FEATURES OF SPIDER

If you are trying to shut down MS Windows 95/98/Me with a floppy disk
inserted in drive A:, SpIDer will scan the diskette to make sure it's not
infected. This technique protects you against unintentional booting from
an infected diskette.

Please note that if SpIDer is configured to check files when they are
opened, scanning your system with Dr.Web may take a considerably longer
time since each object will be checked twice - by guard and scanner. If
you are going to use both programs concurrently, you should carefully
configure each of them to avoid duplicate checking.
SPECIFIC NOTES: SPIDER FOR WINDOWS NT/2000/XP

SpIDer Guard for Windows NT/2000/XP includes two interacting modules: the
file system driver/monitor (SPIDER.SYS), and the system service
(SPIDERNT.EXE). The SPIDERNT service can be administered by using a
special Control Panel applet, SpIDer Guard. Details are given below.

System Requirements

SpIDer Guard for Windows NT/2000/XP (or, briefly, SpIDerNT) is a
memory-resident activity monitor designed to run under Windows NT 4.0
WorkStation, Windows 2000 Professional, and Windows XP. This edition of
SpIDerNT is not intended for a server, primarily, due to the fact that a
server and workstation require an essentially different functionality
from the activity monitor. We are planning to release a special edition
of SpIDer Guard for the server platforms of Windows NT/2000.

Hardware Requirements

  - CPU: Intel Pentium 166 (Intel Celeron 266 or faster recommended);
    Alpha-based systems are not supported;
  - RAM: 32 MB (64 MB or more recommended);
  - 5 MB of free disk space for the installation of the kit with SpIDerNT.

Administration and Configuration Notes

Administration and configuration functions are distributed between two
components: the SpIDer Guard Control Panel applet and the SpIDer Agent.

The SpIDer Guard Control Panel applet is responsible for three basic
functions: administration, special options, and notification subsystem
setup, as detailed below.

Administration functions allow you:

  - to activate/deactivate the SPIDERNT service. Use the Load/Unload
    buttons for this purpose;
  - to configure SpIDer's startup mode. You can choose between an
    automatic and manual mode. In the automatic mode, SpIDer autoruns
    after Windows startup. In the manual mode, you can run SpIDer as
    described above;
  - to install/uninstall SpIDer Guard (i.e. register/unregister the
    antivirus service and driver). Use the Install/Remove buttons for
    this purpose.

Special options

  - Performance: size of "recent files" list. This setting affects
    SpIDer's performance, when the "Run and Open" or "Smart" on-access
    guard mode is enabled (in the Smart mode, the setting has an effect
    only for network and removable drives). A higher value increases
    SpIDer's performance but requires more memory. The default setting is
    100 (which requires approx. 25K of memory per each logical drive). If
    you have enough memory, you can vary this setting between 500 and
    1000.
  - Troubleshooting: ignore network operations. This setting disables
    scan of network drives. This feature might be useful, if you
    experience network problems when SpIDer Guard is active.

Notifications subsystem setup

Use this setting to configure e-mail or LAN alerts that are sent to users
in case of a virus attack.

Generic Features

  - Files can be scanned in the following modes: Run and Open, Create and
    Write, and Smart (files on local hard disks are checked for the write
    operation only; files on removable and network drives are checked for
    both the write and open/run operations).
  - Infected files can be cured.
  - Additional features: preventing access, renaming, and moving infected
    files to a designated folder.
  - Actions can be performed in automatic or interactive mode.
  - Interception of file operations for all file systems. When a new file
    system is added, SpIDer will automatically support it.
  - Interception of file operations for all mounted volumes, even if a
    volume is not associated with a drive letter.
  - Network support. SpIDer intercepts attempts to access network files
    using the drive letter or resource name (UNC).
  - Support for removable media. SpIDer automatically detects when
    volumes are mounted or dismounted.

Limitations of this version

  - Boot device is not checked at system shutdown.
  - When a virus is detected, an immediate shutdown cannot be performed.
  - SpIDer Netting is disabled (this technology is used to monitor
    virus-like operations and to detect both known and unknown viruses).
DR.WEB FOR DOS/386

Functionally, scanner DrWeb386 and the traditional Dr.Web for DOS are
very much alike. In certain aspects, however, DrWeb386 is substantially
different from Dr.Web for DOS. It runs in the "command line" mode only
and requires a 386 (or higher) processor. However, the new program's
strong points are:

  - minimum requirements to the conventional memory. The program can
    operate in the environment with less than 200K of main memory;
  - support of the latest (memory-consuming) archive methods, employed by
    RAR 2.00, etc.;
  - faster scan process. As compared with the 16-bit version, DrWeb32 may
    show an increase in performance by 15-20% (if DrWeb16 is optimally
    configured) up to 300% (if DrWeb16 runs in a particularly unfriendly
    environment).

DrWeb386 can be recommended for antivirus checking under DOS, just before
the Windows environment is loaded.

To install DrWeb386, run the setup program included in the Dr.Web for
Windows 95-XP distribution package.

ATTENTION! Dr.Web for Windows distribution package for Home User (Home
Edition) does not include scanner DOS/386.


UPDATE SUBSYSTEM OF DR.WEB

The update subsystem enables an automatic delivery and installation of
updates for Dr.Web for Windows 95-XP via the Internet or local network.
The subsystem is used to update all components of the package, including
program modules, virus databases, help files, and documentation.

ATTENTION! If you have Dr.Web for Windows distribution package for Home
User (Home Edition), you may use the update subsystem only from free area
(see below).

On the client's side, i.e. on the workstation where Dr.Web for Windows
95-XP is installed, the update process is supported by the special
program module, DRWEBUPW.EXE.

As a rule, the update module, DrWebUpW, is called from the main menu of
the antivirus scanner, DrWeb32W. In this case, the update subsystem can
conveniently be configured from the setup panel of DrWeb32W.
Sometimes (for instance, if you didn't install all components of the
Dr.Web for Windows 95-XP package) you might have to run the update module
directly. You can start the update module with the /GO, /QU, /INI, and
/LNG options (they have the same meaning as described in the Command Line
Options section).

Reports of update sessions are written to the DRWEBUPW.LOG file.

The main option of the update subsystem is configured with the following
line:

  UpdateURL = "network or local resource"

where the resource is one of the following:

  1) Directory on a local or network drive, e.g. "F:\DRWEB\UPDATE";
  2) Network (UNC) directory, e.g. "\\UPDATE_SERVER\DRWEB\UPDATE";
  3) HTTP URL. Updating via Internet supports the HTTP protocol only.

By default, the update subsystem is pre-configured to connect to the
non-commercial area of DialogueScience www-server:
"HTTP://WWW.DIALS.RU/DRWEB/FREE". At this URL, the update is available to
any user. Not only virus databases but also corrected program modules
reside in the free update area. These modules are available only if the
user has the last (current) version of Dr.Web.

For commercial update, change URL to "HTTP://WWW.DIALS.RU/DRWEB/UPDATE"
and specify your user name and password:

  UserName = "user name"
  Password = "password"

If you update from the DialogueScience server, the user name and password
are given to you by DialogueScience Registration Service (reg@dials.ru).
Otherwise, ask your Internet administrator for the user name and
password.

ATTENTION: system administrators. If you wish to enable your users to
update Dr.Web from your own www-server or via your local network, create
a special folder and place there all files obtained by the update
subsystem from the respective area (free or commercial) of our server. In
addition, place DRWEB32.LST (package description) in the same folder.
If the package does not include this file, you may download it from:

  HTTP://WWW.DIALS.RU/DRWEB//DRWEB32.LST

For commercial areas, an administrator must be registered by
DialogueScience as a customer entitled to update via the Internet.


DR.WEB SCHEDULER

The Dr.Web for Windows 95-XP distribution kit includes a special
component, DrWebScd. This program is a simple scheduler that allows you
to manage an automatic launch of applications, in particular, the
antivirus scanner or the update subsystem of Dr.Web.

ATTENTION! Dr.Web for Windows distribution package for Home User (Home
Edition) does not include Scheduler.

By using Dr.Web Scheduler, you manage the so called "tasks". Each task
describes when, how, and what application to run. Scheduler runs the
application in accordance with this description and also allows you to
view the task list, create and delete tasks. You can also edit task
descriptions and enable/disable tasks.

When Scheduler is active (running), its icon appears on the System Tray.
Double-clicking (or right-clicking) this icon opens a window that shows
Scheduler's main menu and task list.

Normally, Scheduler is configured to run automatically at Windows
startup. If you want to disable this feature for the next Windows
session, click Options on the main menu bar and uncheck the Load at
Startup item.

Each task has the following attributes:

  - Title: an arbitrary name of the task;
  - Path: full path to the scheduled application;
  - Parameters: command line options, if any, for the application;
  - Schedule: the program supports the following types of schedule:
      - Once. You must specify exact date and time to run the
        application;
      - Hourly. You must specify the minute of each hour to run the
        application;
      - Weekly. You must specify the day of week and time to run the
        application;
      - Monthly. You must specify the day of month and time to run the
        application;
      - Yearly. You must specify the day, month and time to run the
        application;
      - Daily. Unlike the Weekly schedule, here you can specify several
        days of week and time to run the application.

You can temporarily disable a task (without actually deleting the task
from the schedule). To do so, in the task settings you should clear the
Enable checkbox.

Note. If a task has not been launched on time (say, because the computer
was turned off), Scheduler will run the application as scheduled for the
next time. The current version does not support running "past due"
applications.

Examples of typical tasks are given below.

  1) Update - automatic update of Dr.Web, scheduled weekly for Monday at
     10:15, launches DrWebUpW (update program) from the Dr.Web home
     directory.
     Command-line parameters: /GO.
     It is assumed that the update program is properly configured for
     updates via the Internet or your local network.

  2) Daily_Scan - launches the antivirus scanner DrWebWCL daily at 10:30
     to scan the G:\INCOMING folder which is used as a container for new
     files.
     Command-line parameters: G:\INCOMING /GO /WA /HA /FM /TM- /TB-

  3) Full_Scan - launches the antivirus scanner DrWebWCL periodically, on
     Wednesday and Friday at 13:00, for full scan of memory and all fixed
     drives.
     Command-line parameters: * /GO /WA /HA /AL

If you choose to install the Scheduler component when installing Dr.Web,
the SETUP program will activate Scheduler and create several typical
tasks. However, all tasks will be disabled (the Enable checkbox is not
selected). Thus, you will have a ready-to-use schedule that you can edit
to suit your specific needs. Select the Enable checkbox for the task you
want to run.


REGISTRATION KEYS FOR THE DRWEB32 FAMILY

For the Dr.Web programs, there is an important file, a registration user
key.
Without a registration key, all Dr.Web members offer a limited
functionality only, as described below:

  - at each startup, the evaluation version displays a warning (saying
    that it's an evaluation version);
  - archives aren't checked;
  - e-mail message files aren't checked;
  - packed executable files aren't checked;
  - heuristic analyzer is disabled;
  - infected and suspicious files cannot be cured, deleted, removed or
    renamed.

Without a registration key, the Dr.Web family members may be
redistributed without any restriction.

To enable an enhanced preview of Dr.Web features, DialogueScience freely
distributes a special evaluation registration key, the DRWEVAL.KEY file,
that removes some of the restrictions mentioned above. However, this key
only works with the one version of Dr.Web (that is attached to the key).
With the evaluation key, Dr.Web will have the following restrictions:

  - at each startup, the evaluation version displays a warning (saying
    that it's an evaluation version);
  - archives aren't checked;
  - e-mail message files aren't checked;
  - infected files cannot be cured.

In some cases DialogueScience and its dealers can also distribute other
evaluation registration keys, with other sets of restrictions.

To use all features of Dr.Web, a user must purchase a commercial
registration key. This key, as well as an evaluation key, is a special
file generated by UserKey. When placed in the Dr.Web home directory, the
key enables the full-featured commercial operation of Dr.Web. The key
contains a user name, duration and some other information, and is
protected against fraud with a digital signature.

The Dr.Web programs may be distributed in various forms, for instance, as
an installation package or just as an archive.

The installation package may include images of 3.5" (1.44 MB) floppy
disks. Disk #1 contains the installation program, SETUP.EXE. The
registration key can be placed on this disk, too. In this case the key is
automatically copied to the Dr.Web directory.
The distribution kit may be contained in a single EXE-file that performs
the installation. In this case (or, if the key is shipped to the user
separately from Dr.Web), the key must be placed in the Dr.Web directory
after the installation.

If you tried an evaluation copy of Dr.Web and have received a commercial
registration key, please copy it to the Dr.Web directory.


KNOWN PROBLEMS OF DR.WEB FOR WINDOWS 95-XP

1) Incompatibility with the installed version of COMCTL32.DLL

   Manifestation: an attempt to open the Setup dialog results in a system
   error, "Division error in USER.EXE"

   Reason: outdated version of COMCTL32.DLL

   Recommendation: update COMCTL32.DLL. The update package for
   COMCTL32.DLL (some 500 Kb) is available:

     - from Microsoft:
       FTP://FTP.MICROSOFT.COM/SOFTLIB/MSLFILES/40COMUPD.EXE
     - from DialogueScience:
       FTP://FTP.DIALS.RU/PUB/40COMUPD.EXE

   If you obtained the DialogueScience distribution kit on a CD-ROM,
   check the CD-ROM first. You may find the update package, 40COMUPD.EXE,
   in the PUB subdirectory.


COMMAND LINE OPTIONS FOR DRWEB32 FAMILY PROGRAM

To start Dr.Web, use the following command line:

  [disk:][path] [options]

where

  program - executable module name (DrWeb32W for the graphical
            Windows-version, DrWebWCL for the command line
            Windows-version, or DrWeb386 for DOS/386-version);
  disk:   - logical drive of a hard disk, floppy drive, network drive,
            CD-ROM, or * (all local logical drives);
  path    - location of files to be checked; it may contain path to the
            directory on local/network drive (or network directory) and,
            optionally, filename (or filename mask).

The command line may contain several [disk:][path] parameters delimited
with blanks. In this case, the program will sequentially scan the
specified objects.

When scan is finished, DrWebWCL and DrWeb386 terminate. DrWeb32W (if
started without /QU) opens its main window where the user can specify new
objects to scan, view the scan results, customize the settings, update or
terminate the program.
If started without the [disk:][path] parameter, DrWeb32W immediately
opens its main window.

Command line options (delimited with blanks)

  /@[+] - check objects listed in . Each object must be identified on a
        separate line containing a full pathname (to check file) or the
        "?boot" keyword (to check boot sectors). The list file can be
        created with any text editor. When scan is completed, Dr.Web
        deletes the list file, unless "+" is included in the option.
        A list file can also be generated by ADinf. In this case, the
        integrity checker will include in the file modified objects only.
        Then, this list can be used by Dr.Web to limit the scan scope,
        which can substantially reduce overall scan time. If ADinf32 is
        configured to launch Dr.Web, the integrity checker inserts the /@
        option in the command line and starts the scanner automatically
        (see ADinf32 Manual for details);

  /AL - scans all files on a given drive or directory;

  /AR[D|M|R][P][N] - checks all files inside archives (ARJ, CAB, GZIP,
        TAR, RAR, ZIP,...). Use the optional parameters to specify how
        archives with infected (or suspicious) objects should be treated
        as a whole: D - delete, M - move (by default, to the INFECTED.!!!
        directory), R - rename (by default, the extension's first
        character is changed to "#"); P - prompt before action; the N
        option suppresses the archive type after the name of the archive
        file;

  /CN[D|M|R][P][N] - specifies how containers (HTML, RTF, PowerPoint,..)
        with infected (or suspicious) objects should be treated as a
        whole: D - delete, M - move (by default, to the INFECTED.!!!
        directory), R - rename (by default, the extension's first
        character is changed to "#"); P - prompt before action; the N
        option suppresses the container type after the name of the
        container file;

  /CU[D|M|R][P] - cures infected objects and deletes incurable files. Or
        use the optional parameters to specify how infected files should
        be treated: D - delete, M - move (by default, to the INFECTED.!!!
        directory), R - rename (by default, the extension's first
        character is changed to "#"); P - prompt before action;

  /DA - runs Dr.Web only once in a day. For this option, the
        configuration file (INI-file) containing the date of the next
        scanning session must be present. This option is useful for
        starting DrWeb386 automatically from the AUTOEXEC.BAT file only
        once in a day on booting the computer;

  /EX - scans files that have extensions associated with executable
        modules and MS Office documents (COM, EXE, SYS, BAT, CMD, DRV,
        BIN, DLL, OV?, BOO, PRG, VXD, 386, SCR, FON, DO?, XL?, WIZ, RTF,
        CL*, HT*, VBS, JS*, INF, A??, ZIP, R??, PP?, HLP, OBJ, LIB, MD?,
        INI, MBR, IMG, CSC, CPL, MBP, SH, SHB, SHS, SHT*, MSG, CHM, XML,
        PRC, ASP, LSP, MSO, OBD, THE*, EML, NWS, TBB);

  /FM - scans files (regardless of the extension) whose internal format
        is that of an executable module or MS Office document with macros
        (such as MS Word or Excel files);

  /GO - goes without asking you what to do next (in such situations as
        not enough disk space for unpack operation, invalid parameters in
        the command line, Dr.Web infected by unknown virus, etc.). This
        option might be useful, say, for automatic check of incoming
        e-mail;

  /HA - enables the heuristic analyzer that can detect unknown viruses;

  /IC[D|M|R][P] - specifies how to treat incurable files: D - delete,
        M - move (by default, to the INFECTED.!!! directory), R - rename
        (by default, the extension's first character is changed to "#");
        P - prompt before action;

  /INI: - uses an alternative configuration file (INI-file);

  /LNG[:] - uses an alternative language file (DWL-file), or built-in
        (English) language;

  /ML[D|M|R][P][N] - checks files of mail format (UUENCODE, XXENCODE,
        BINHEX, MIME,...). Use the optional parameters to specify how
        mail files with infected (or suspicious) objects should be
        treated as a whole: D - delete, M - move (by default, to the
        INFECTED.!!! directory), R - rename (by default, the extension's
        first character is changed to "#"); P - prompt before action; the
        N option suppresses the mail type after the name of the mail
        file;

  /NI - ignores the settings in the configuration file (DRWEB32.INI);

  /NR - does not create report file;

  /NS - runs non-stop (no interruption by pressing ESC);

  /OK - writes a full list of scanned objects and displays "OK" next to
        clean objects;

  /PF - displays the "Scan another diskette?" prompt after checking a
        floppy disk;

  /PR - prompts to confirm an action on an infected or suspicious file;

  /QU - quits the program when scan is finished (DrWeb32W only);

  /RP[+] - writes the scan results to a file (by default, .LOG), is the
        full pathname of a report file. If the plus sign is included, the
        recent report will be appended to the report file; otherwise the
        report file will be overwritten;

  /SD - scans subdirectories;

  /SO - plays sounds;

  /SP[D|M|R][P] - specifies how to treat suspicious files: D - delete,
        M - move (by default, to the INFECTED.!!! directory), R - rename
        (by default, the extension's first character is changed to "#");
        P - prompt before action;

  /SS - saves current settings when the program terminates;

  /TB - scans boot sectors and master boot record;

  /TM - scans memory for viruses (including Windows system memory for
        DrWeb32W and DrWebWCL);

  /UP[N] - checks executable files packed by ASPACK, COMPACK, DIET,
        EXEPACK, LZEXE, OPTLINK, PECOMPACT, PEPACK, PGMPAK, PKLITE,
        WWPACK, WWPACK32, UCEXE, UPX; files converted by BJFNT, COM2EXE,
        CONVERT, CRYPTCOM, CRYPTEXE, PECRYPT, PESHIELD, PROTECT,
        TINYPROG; and files immunized by CPAV, F-XLOCK, PGPROT, VACCINE.
        N - suppresses the compression utility name after the name of the
        archived file;

  /WA - waits after scan is finished if viruses or suspicious objects
        were found (DrWebWCL and DrWeb386 only);

  /? - displays help.
If INI-file is not present or not used, the default options are:

  /AR /FM /HA /ML /PR /SD /TB /TM /UP

Some options can be postfixed with the "-" character. This "negation"
form disables the respective function or mode. It might be useful if the
mode is enabled by default or via settings in the INI-file. The negation
form can be applied to the following command-line options:

  /AR /CU /FN /HA /IC /ML /OK /PF /PR /SD /SO /SP /SS /TB /TM /UP /WA

Note that the negation form of /CU, /IC and /SP cancels all actions
enabled by these options. It means that information about infected and
suspicious objects will appear in the report file only.

/AL, /EX and /FM cannot be used in the negation form. However, any of
these options disables the other two.


RETURN CODES FOR DRWEBWCL AND DRWEB386

The values of the return code and corresponding events are as follows:

    0 - OK, no virus found
    1 - known virus detected
    2 - modification of known virus detected
    4 - suspicious object found
    8 - known virus detected in archive
   16 - modification of known virus detected in archive
   32 - suspicious file found in archive
   64 - at least one virus successfully cured
  128 - at least one infected or suspicious file deleted/renamed/moved

The actual value returned by the program is equal to the sum of codes for
the events that occurred during scanning. Obviously, the sum can be
easily decomposed into separate event codes.

For example, return code 9 = 1 + 8 means that known viruses were
detected, including viruses in archives; curing and other actions were
not executed; no other "virus" events occurred during scanning.


CONFIGURATION FILE, SETTINGS

The configuration settings are contained in DRWEB32.INI. This file is
located in the same directory as DrWeb32W and SpIDer programs. If the
configuration file is missing, the program will use default settings.

Most settings can be configured via the menu system. However, certain
settings can be changed only by editing the INI-file. Some of them are
described below.
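The default options, the "-" negation form and the summed return codes described above can be checked mechanically. The following is an added example, not part of the Dr.Web package or its documentation: it resolves which modes a Scheduler task's parameter string leaves enabled and interprets the scanner's return code. The function names are hypothetical, and the starting state assumes no INI-file is in use.

```python
# Added example, not Dr.Web code. Option lists and code values come from
# this README; function names and the "no INI-file" start are assumptions.
DEFAULTS = {"AR", "FM", "HA", "ML", "PR", "SD", "TB", "TM", "UP"}
# Options the README lists as accepting the trailing "-" negation form
# (FN is in that list although the option table does not describe it).
NEGATABLE = {"AR", "CU", "FN", "HA", "IC", "ML", "OK", "PF", "PR", "SD",
             "SO", "SP", "SS", "TB", "TM", "UP", "WA"}
# File-selection modes: enabling one disables the other two.
SELECTORS = {"AL", "EX", "FM"}

RETURN_EVENTS = {
    1: "known virus detected",
    2: "modification of known virus detected",
    4: "suspicious object found",
    8: "known virus detected in archive",
    16: "modification of known virus detected in archive",
    32: "suspicious file found in archive",
    64: "at least one virus successfully cured",
    128: "at least one infected or suspicious file deleted/renamed/moved",
}
DETECTION_BITS = 1 | 2 | 4 | 8 | 16 | 32
ACTION_BITS = 64 | 128


def resolve_options(params):
    """Return (targets, modes, passthrough) for a blank-delimited string.

    modes maps each enabled two-letter option to its modifier text, so
    /CUD yields {"CU": "D"}. /@, /INI:, /LNG and /? are not mode switches
    and are returned unchanged in passthrough.
    """
    targets, passthrough = [], []
    modes = {name: "" for name in DEFAULTS}
    for token in params.split():
        if not token.startswith("/"):
            targets.append(token)            # [disk:][path] or "*"
            continue
        body = token[1:]
        if body.upper().startswith(("@", "INI:", "LNG", "?")):
            passthrough.append(token)
            continue
        name, rest = body[:2].upper(), body[2:]
        if len(name) != 2 or not name.isalpha():
            raise ValueError(f"unrecognised option {token!r}")
        if rest == "-":                      # negation form, e.g. /TM-
            if name not in NEGATABLE:
                raise ValueError(f"/{name} has no negation form")
            modes.pop(name, None)
            continue
        if name in SELECTORS:                # /AL, /EX, /FM exclude each other
            for other in SELECTORS - {name}:
                modes.pop(other, None)
        modes[name] = rest
    return targets, modes, passthrough


def decode_return_code(code):
    """Split a DrWebWCL/DrWeb386 return code into its event descriptions."""
    if code not in range(256):
        raise ValueError(f"return code {code} is not a sum of the listed codes")
    return [text for bit, text in RETURN_EVENTS.items() if code & bit]


def triage(code):
    """Classify a return code for an unattended (scheduled) scan."""
    decode_return_code(code)                 # range check only
    if code == 0:
        return "clean"
    if code & DETECTION_BITS and not code & ACTION_BITS:
        return "detected-no-action"          # findings are only in the report
    return "action-taken"                    # "at least one" object was handled


if __name__ == "__main__":
    # Parameter strings of the Daily_Scan and Full_Scan tasks in this README.
    for params in (r"G:\INCOMING /GO /WA /HA /FM /TM- /TB-", "* /GO /WA /HA /AL"):
        targets, modes, _ = resolve_options(params)
        print(targets, sorted(modes))
    print(triage(9), decode_return_code(9))
```

Because codes 64 and 128 only say that at least one object was handled, an "action-taken" result still calls for reading the report file.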
The INI-file is just a text file that can be edited by any text editor.
This file is shared by all members of the Dr.Web family. And settings
used by Dr.Web programs are grouped in several separate sections.

WARNING! You must terminate Dr.Web and SpIDer before editing the
corresponding section of INI-file.

[SpiderGuard98] section (it is for SpIDer 95/98/Me)
[SpiderGuardNT] section (it is for SpIDer NT/2000/XP)

  - UpdateFlags - list of files whose modification requires that virus
    bases be automatically reloaded.
  - UpdatePeriod - interval (in minutes) at which the files listed in
    UpdateFlags are repeatedly checked for modification. UpdatePeriod=0
    disables automatic bases reloading.

SpIDer can automatically reload virus bases without reloading the SpIDer
program itself. This feature works as follows. By using the UpdateFlags
option, you declare one or several files as "flags". These files are then
checked for changes regularly, at the interval specified with the
UpdatePeriod option. If any of the flag files has been updated, all virus
bases are reloaded. For instance, it is convenient to use drwtoday.vdb (a
"hot" add-on to the virus base) as a flag.

======================

Below is Igor Daniloff's PGP public key. Please use it to encode virus
specimens when you wish to e-mail them to us.

Type Bits/KeyID    Date       User ID
pub  1024/1B87196D 1994/05/12 Igor A. Daniloff
                              Igor A.
Daniloff

======================

Please send your comments to:

DialogueScience, Inc.
40 Vavilova St., office 103
Moscow, 119991, RUSSIA
Tel.: +7 (095) 135-6253, 137-0150
Tel./fax: +7 (095) 938-2970, 938-2855
FidoNet: 2:5020/69
E-mail: Antivir@dials.ru
WWW: http://www.dials.ru
FTP: ftp.dials.ru, ftp2.dials.ru, ftp3.dials.ru

The author of Dr. Web is available at:
E-mail: Igor.Daniloff@dials.ru, id@drweb.ru
FidoNet: 2:5020/69.14, 2:5030/87.57