What's New in NetShield for Windows NT v2.5.3 (9611)
         Copyright 1994-1996 by McAfee, Inc.
                 All Rights Reserved.


Thank you for using McAfee's NetShield for Windows NT.
This What's New file contains important information
regarding the current version of this product. It is
highly recommended that you read the entire document.

McAfee welcomes your comments and suggestions. Please 
use the information provided in this file to 
contact us.

___________________
WHAT'S IN THIS FILE

- New Features
- Known Issues
- Installation             
- Documentation            
- Frequently Asked Questions
- Additional Information
- Contact McAfee

____________
NEW FEATURES              

    Centralized Alerting is now enabled in NetShield NT.
    McAfee anti-virus products for the workstation can now
    send alerts to the NetShield server.

    Centralized Alerting and Reporting is configurable
    through the anti-virus console from the TOOLS|ALERTS
    menu. To enable this feature, workstation users must
    have WRITE access to the NETSHLD\ALERTS directory.
    Centralized Alerting can be disabled by denying access
    to this directory or deleting it altogether.

    For more information on using this feature, please
    refer to the Frequently Asked Questions listed below.


* ENHANCEMENTS *

1. 'Disconnect User' and 'Alert Client Connection' in the
    Shield configuration have been separated and the per-
    formance enhanced.
2.  MCALERT.MIB file included to interpret SMNP traps.


* ISSUES ADDRESSED IN THIS RELEASE *

1.  McFSREC errors in the event log have been resolved.
2.  Error message with DrWatson TASKMGR.EXE, when
    attempting to disconnect users while sending them a
    network message, has been resolved.


* NEW VIRUSES DETECTED *

This DAT file (9611) detects the following 129
new viruses. Locations that have experienced
particular problems with specific viruses are also
identified.

_922				Germany
_1000				US
_2673                           Philippines
APOCALIPSE.1685 		Portugal
APRIL1A.798
APRIL1B.797
AREQUIPA.1994			Peru
ASBV
ASH.302
ASMODEOUS.1437
ASSIGN.653
ATOM
BANDUNG.A			US/Indonesia
BANDUNG.B
BARAN.2978
BARAN.3001
BNB.498
BR.1180
BW.790
CACO.3310			Peru
CHANDI				US
CHAPA.447
CHAPA.448
CHERRY.2266
COMP.180
CONCEPT.I
CONCEPT.L
CONCEPT.M
CONCEPT.N
CONCEPT.P
COOL.929
COREA.926
COUP.2062
CRAWLER.545
CRIM_WW
CYBERTECH.668
DAN.1784
DELTREE TROJAN
DEMON3B.4313
DINA.271
DINA.283
DIR-II.1536.G
DIR-II.AS
DREAMER.8869
DST.330
DST.347
DST.396
DSTAR.223
EASY				Internet
EDOL.832
EXEHEADER.VLAD.337
EXTRACTJPG.TROJAN
FATHER_MAC.1382
FAULT.9209
FORMATC:TROJAN                  
FSN.1279
GANGSTERZ			Internet
H-ANDROMED.594
HELGA.666.B
HELPER				US
HIDER.2143
INCH
INFERNO.781
JASON.626
JOVIAL.503
JUICE.305
KALO.1464
KOSKON.313
LATER.981.B
LD93.1217			Australia
LUNCH.783
MACGYVER.4112 (MBR)		Taiwan
MAIDEN.891
MARKUS.5415
MBRK.714
MDMA.C				US
MINZ.470
MIXTURA.1000
MOSCA.1278
MURCIA.4651
NPOX.1186
OKTUBRE.1784
OUTLAW				Internet
PELIGRO.1206			Peru
PHARDERA			Internet
PIRANIA.1617
PROTOVIRUS.720
PS-MPC.504			Peru
RESCUE 911.3774 		Saudi Arabia
ROTATOR.864
SALAMANDER.888
SANLORENO.1025
SAVER:DE			Internet
SCROLL.600
SHOWOFXX			Australia
SIERRA.D			US
SILLY.745
SMILEY:DE			Germany
SPEC.907
SPOOKY:DE			Internet
STEATODA.1623			Israel
STRYX:DE			Internet
SUPERF.1175
SVC.3103			South America
SYSKLL.290
T555.556
TAURUS.1852
THEATRE:TW  (*)                 Taiwan
THEATRE.A:TW  (*)               Taiwan
TREBUJENA.1094
TRIVIAL.44.F
TRIVIAL.45.H
TRIVIAL.52
TRIVIAL.53.A
TRIVIAL.119
TRIVIAL.284
TROOPER.2259                    
TWNO:TW  (*)                    Taiwan
TWNO.B:TW  (*)                  Taiwan
TWNO.C:TW  (*)                  Taiwan
UNHAPPY.763.A
UNHAPPY.763.B
VCC.620
VCS.799
WAZZU.J
WAZZU.O
WAZZU.P 			US
WAZZU.Q 			US
ZGENRAT.785			US
(*)  Infects double-byte (omnicode) versions of Word,
     which include Japanese, Korean, Chinese, and
     simplified Chinese.     
                          
____________
KNOWN ISSUES

1.  Files with the "-" (dash) character in the filename
    that are compressed in zipped files will not be
    scanned by the on-demand scanner.

2.  NetShield continues to scan after clicking STOP.
    If this occurs, move the Netshield window to
    reveal the DynaZip UnZip Error window. Then click
    OK and respond appropriately to the dialog box.

3.  On-access exclusions only apply to local devices.

____________
INSTALLATION

* INSTALLING THE PRODUCT *

Prior to installation, take the following steps:

1.  Uninstall any previous version of NetShield NT.
2.  Reboot the NT system.
3.  Make sure you have Administrator rights for the server
    on which you are installing NetShield.
4.  Run SETUP.EXE and follow the prompts. If the NT server
    is a BDC, make sure to check the appropriate box when
    prompted.

If you would like to perform a "silent" installation
of NetShield NT, requiring minimal user interaction and
using all default or "Typical" installation settings, add
-s (i.e. SETUP.EXE -s) to the setup command when you
install the product.

NOTE: If you would like to perform a silent installation
      on machines running NT 4.0, you must first rename
      SETUP40.ISS to SETUP.ISS. 

Network Administrators can customize the silent
installation by following the steps below.

1.  Check in the Windows directory to ensure that a
    file named SETUP.ISS does not already exist. If it
    does, rename it, back it up, or delete it.

2.  Run SETUP.EXE with the -r switch, (i.e. SETUP.EXE -r).

3.  Select the components you would like to be installed
    during the silent installation.  All responses will
    be recorded.

4.  Finish the installation, and locate the file SETUP.ISS
    in the Windows directory.

5.  Open the file using any ASCII editor (e.g., NOTEPAD.EXE)
    and delete the section titled  APPLICATION.

6.  Locate the section [SdSetupType-0] in the SETUP.ISS
    file and go to the line:

        Result=x

        where x is equal to
        301 (Typical installation)
        302 (Compact installation)
        303 (Custom installation)

7.  Add 100 to the above value, so that the Result
    variable is equal to 401, 402, or 403. Modifying
    this file will allow the installation to copy the
    NetShield files to the drive where the operating
    system resides instead of defaulting to the C:
    drive.

8.  Rename, back up, or delete SETUP.ISS on the first
    installation disk (floppies only). For CD-ROM versions
    of the product, you must copy the installation files
    onto the hard drive before taking this step.

9.  Copy the new SETUP.ISS from the Windows directory
    to the location of the installation files.

10. Run SETUP.EXE with the -s switch (i.e. SETUP.EXE -s).

11. When the silent installation is complete, you should
    reboot the machine manually.

    NOTE: If you do not specify a "recorded" answer for
    all dialog boxes during the initial installation, the
    silent installation will fail. Also, the file used
    for the silent installation, SETUP.ISS, may not work
    properly across different operating systems. For
    example, if the silent install is generated for
    Windows 95, it may not work properly in Windows 3.1x
    or Windows NT.

* PRIMARY PROGRAM FILES FOR NETSHIELD NT *

Files located in the Install directory:
=======================================

1.  Installed for the Alert Manager/Console/Server:

                  MCKRNLNT.DLL = Library files
                  MCSCAN32.DLL = Library files
                  MCUTILNT.DLL = Library files
                    SHUTIL.DLL = Library files
                    README.1ST = McAfee information
                  WHATSNEW.TXT = What's New document
                   PACKING.LST = Packing list
                    AGENTS.TXT = McAfee authorized agents
                  VALIDATE.EXE = McAfee file validation
                                 program
                    UPDATE.MSG = Update message file
                    SHIELD.HLP = On-access scanner help
                    SHIELD.CNT = On-access context-sensitive
                                 help
                  MCCONSOL.HLP = Console help
                  VIRUSCAN.HLP = On-demand scanner help
                  VIRUSCAN.CNT = On-demand context-sensitive
                                 help
                     NAMES.DAT = Virus names definition data
                      SCAN.DAT = Virus scan definition data
                     CLEAN.DAT = Virus clean definition data
    Netshield Activity Log.TXT = NetShield activity log
         Scan Activity Log.TXT = Scan activity log
                    MODEMS.TXT = Modem initialization
                                 strings
                    SAMPLE.CMD = Sample alert file
                  MCUPDATE.EXE = Update module
                  AMGRCNFG.EXE = Alert manager configuration
                                 program
                    FTPGET.CMD = Automatic updating script
                    DEISL1.ISU = Uninstall file
                  MCSRVSHL.EXE = Uninstall application
                  MCSERVIC.DLL = Install/uninstall library file
                   MCALERT.MIB = Interpret SMNP traps

2.  Installed for Alert Manager:

                     WCMDR.EXE = Uninstall program
                     WCMDR.INI = Uninstall initialization file
                   DEFAULT.VSC = On-demand scanner default
                                 configuration settings
                   NETSHLD.MIF = MIF file
                   IMPTASK.EXE = Task import tool
                   IMPTASK.TXT = Task import text file
                  AMGRSRVC.EXE = Alert manager service
                                 program
                  MCALSNMP.DLL = Alert manager SNMP
                  POWERP32.DLL = Alert manager support
                                 module
                  VIRNOTFY.EXE = Notification utility

3.  Installed for the Console:

                  MCCONSOL.EXE = Console manager 
                    SHSTAT.EXE = Shield status monitor
                                 program
                   SCNSTAT.EXE = Scan status monitor
                                 program
                  SCNCFG32.EXE = Console configuration
                                 module
                   VIRLIST.EXE = Virus list
                   SHCFG32.EXE = Console configuration
                                 module
                    DPMI16.DLL = 16-bit DOS protected
                                 mode interface library
                    DPMI32.DLL = 32-bit DOS protected
                                 mode interface library
                  MCKRNL95.DLL = Library files      
                  MCUTIL95.DLL = Library files

4.  Installed for the Server:

                  DUNZIP32.DLL = File decompression
                                 library
                    DZIP32.DLL = File decompression
                                 library
                   TASKMRG.EXE = Task managing service
                    SCAN32.EXE = On-demand scanner


Files located in WINNT35\SYSTEM32:
==================================

1.  Installed for the Console/Server/Alert Manager:

                   CTL3D32.DLL = 32-bit 3D Windows
                                 controls library (*)

(*) File will be installed upon installation of
    NetShield if the file does not already exist,
    or if an older version is found.  


Files located in WINNT35\SYSTEM32\DRIVERS:
========================================== 

1.  Installed for the Server:

                  MCFILTER.SYS = System files
                   MCFSREC.SYS = System files
                    MCKRNL.SYS = System files
                    MCSCAN.SYS = System files
                    MCUTIL.SYS = System files
                  MCSHIELD.SYS = System files


* TESTING YOUR INSTALLATION *
                              
The Eicar Standard AntiVirus Test File is a combined effort
by anti-virus vendors throughout the world to come up with
one standard by which customers can verify their anti-virus
installation.
To test your installation, copy the following line
into its own file and name it EICAR.COM.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

When done, you will have a 69- or 70-byte file.

When NetShield for Windows NT is applied to this file,
Scan will report finding the EICAR-STANDARD-AV-TEST-FILE
virus.

It is important to know that THIS IS NOT A VIRUS. However,
users often have the need to test that their installations
function correctly. The anti-virus industry, through the
European Institute for Computer Antivirus Research, has 
adopted this standard to facilitate this need.

Please delete the file when installation testing is
completed so unsuspecting users are not unnecessarily
alarmed.

_____________
DOCUMENTATION

For more information, refer to the NetShield User's
Guide, included on the CD-ROM versions of this program
or available from McAfee's BBS and FTP site. This file
is in Adobe Acrobat Portable Document Format (.PDF)
and can be viewed using Adobe Acrobat Reader. This form
of electronic documentation includes hypertext links
and easy navigation to assist you in finding answers
to questions about your McAfee product.

Adobe Acrobat Reader is available on CD-ROM in the
ACROREAD subdirectory. Adobe Acrobat Reader also can be
downloaded from the World Wide Web at:

http://www.adobe.com/Acrobat/readstep.html

NetShield documentation can be downloaded from McAfee's
BBS or the World Wide Web at:

http://www.McAfee.com or http://205.227.129.97

For more information on viruses and virus prevention,
see the McAfee Virus Information Library, MCAFEE.HLP,
included on the CD-ROM version of this product or
available from McAfee's BBS or FTP site. 

__________________________
FREQUENTLY ASKED QUESTIONS

Regularly updated lists of frequently asked questions 
about McAfee products also are available on McAfee's 
BBS, website, and CompuServe and AOL forums.
 
Q:  How do I enable McAfee's Centralized Alerting and
    Reporting?

A:  McAfee's VirusScan now supports Centralized Alerting
    and Reporting to a remote NetWare or Windows NT server
    running NetShield for Windows NT v2.5.3 or NetShield
    for NetWare v2.3.3.

    Centralized Alerting and Reporting and be configured
    by an administrator through the anti-virus console.
    To set up this option, check the Enable Central
    Alerting checkbox on the Tools|Alerts menu. Set up a
    directory for Central Alerting and point your
    workstations to this directory.
     
    To set up this option on your VirusScan client, modify
    VirusScan NT's DEFAULT.VSH and DEFAULT.VSC, and/or your
    custom settings file to read the following:

    Note: Administrators will need to configure both the
    .VSH and .VSC files for complete Centralized Alerting
    & Reporting.

           szNetworkAlertPath=<directory name>
           bNetworkAlert=1
   
    Where the <directory name> is the path (can use UNC
    format where supported)to the remote NT directory.
    From this directory, NetShield can broadcast or
    compile the alerts and reports according to its
    established configuration.

    NOTE: The client must have write access to this
    <directory> location and the directory must contain
    the NetShield-supplied CENTALRT.TXT file.
   
    To send a complete alerting file identifying the
    system user, establish the following environment
    variables or add them to the AUTOEXEC.BAT file.

           Set COMPUTERNAME=<name of computer>
           Set USERNAME=<user name>

    The alert file sent to the server is an .alr text
    file. Upon receipt of the alert file, NetShield NT 
    sends an alert message to an administrator and/or
    appropriate personnel.


Q:  How do I manually uninstall NetShield for Windows NT?

A:  To uninstall, take the following steps:

    1.  Close all product dialog windows.
    2.  Delete the installation directory.
    3.  Delete the HKLM\SOFTWARE\MCAFEE key in the
        registry.
    4.  Delete the six McAfee device drivers (MC*.*)
        in %SYSTEMROOT%\SYSTEM32\DRIVERS.
    5.  Reboot.                  

Q:  Why do I get an error in MCINST32.DLL when I
    attempt to install NetShield for Windows NT?

A:  NetShield for Windows NT was designed for an i386
    processor only. This error is usually caused by an
    attempt to install to a non i386-based machine.
  

Q:  Is there a conflict with the Novell written client
    for NT?

A:  No. However, there are some timing issues that
    arise when NetShield for Windows NT is installed.
    If it is necessary for you to use the Novell client,
    then change the account that both the McAfee Task
    Manager and the Alert Manager use to a "System"
    account.


Q:  Why do I get errors in my event viewer after
    installing Service Pack 3 or Service Pack 4?

A:  Service Pack 3 and Service Pack 4 involved a
    change to the HAL.DLL file that is used by McAfee's
    device drivers. If you are using NetShield for
    Windows NT Version 2.5.0, uninstall, then install
    Version 2.5.3 or higher.
                     

Q:  As an administrator, how can I scan private
    directories that are accessible only to 
    individual users?

A:  The on-access scanner will detect infected files 
    as they are copied into the users' private spaces. 

    On-demand (scheduled) scans are launched by the 
    McTaskManager Service. If you specify a user name 
    and password for the Service, then the scheduled 
    scan will only scan directories for which the user 
    name has privileges. If no user name was specified, 
    then the Service has SYSTEM privileges. 
    
    To perform an on-demand, or scheduled, scan of 
    private directories, the McTaskManager Service must 
    have access to these private areas. Following are 
    two ways to address this issue:

    Solution A:
    1. Create a custom user name to be used by the Service.  
    2. Give this user name privileges to access the private 
       spaces.

       Considerations with Solution A:
       The administrator will need to know the user names 
       and passwords.  

    Solution B:
    1. Do not associate a user name to the Service.
    2. Give SYSTEM privileges to access the private spaces.

       Considerations with Solution B:
       Someone could create or use a Service to access your 
       information.

    McAfee recommends Solution B as a more secure solution. 


Q:  NetShield will not perform an on-demand (scheduled)
    scan of some networked devices. Why?
  
A:  It is possible that the user name you are using for
    the Taskmanager Service does not have sufficient
    rights to scan the devices in question. To verify
    whether this is the issue, log in to each device using
    the user name and password used by the Taskmanager
    Service. Confirm that this user name has rights on
    the device by manually running an on-demand scan. If
    you can scan the device while you're logged in, then
    the Service should also be able to do it as a scheduled
    scan.


Q:  When performing an on-demand (scheduled) scan of a
    networked device, the system locks up. How can I
    solve this problem?

A:  Log on to the device in question and manually run
    an on-demand scan with the Compressed Files option
    turned off. If the scanner locks up, note where it
    locks. Attempt to determine which file NetShield locks
    on and send the information to McAfee. If the scan
    succeeds, select the Compressed Files option and scan
    the device again. If it locks this time, chances are
    you have a ZIP file that is corrupted or large, and
    it takes time to scan. If scanning works in both
    scenarios, then give the Taskmanager Service the same
    user name and password currently logged in as and try
    a scheduled scan again. If this now works, then the
    old user name didn't have sufficient rights to scan
    the device in question.


Q:  I have an on-demand (scheduled) scan that doesn't
    seem to run. What am I doing wrong?

A:  Scheduled scans should not overlap one another. If
    you have more than one drive, folder, or item that
    you would like to have scanned, add additional items
    for scanning to the Detections page of the Task's
    properties. After making the changes, restart the
    computer and scheduled scans should function as
    designed.

Q:  Can I update NetShield's data files to detect
    new viruses?

A:  Yes. If you have Internet access, you can download
    updated McAfee data files from the McAfee Web 
    Site, BBS, or other online resources. To download 
    from the McAfee Web Site, follow these steps:
    
    1.  Go to the McAfee Web Site (http://www.mcafee.com
        or http://205.227.129.97).

    2.  Click on the Download McAfee button in the upper
        left hand column or frame.

    3.  Click on Update Your DAT Files to update DAT files.

    4.  View the information provided on new DAT files
        and downloading.

    5.  Click on Download This Month's DAT.
   
    6.  Data file updates are stored in a compressed form 
        to reduce transmission time. Unzip the files into
        a temporary directory, then copy the files to the
        appropriate directory, replacing your old files.    

    7.  Before performing any scans, shut down your
        computer, wait a few seconds, and turn it on again.

    If you need additional assistance with downloading, 
    contact McAfee Download Support at (408) 988-3832.

______________________
ADDITIONAL INFORMATION

1.  NetShield NT includes an external utility,
    VIRNOTFY.EXE, that will notify you in the event that
    McAfee's Alertmanager is not installed. To use this
    utility, open McConsole, and select Tools/Alerts. Add
    the path and utility to the Program To Execute line.

2.  NetShield NT is Microsoft BackOffice certified. For
    details on how to install NetShield using SMS, refer
    to your BackOffice documentation.

______________
CONTACT McAFEE

* FOR QUESTIONS, ORDERS, PROBLEMS, OR COMMENTS *

Contact McAfee's Customer Care department: 
1.  Call (408) 988-3832
    Monday-Friday, 6:00 A.M. - 6:00 P.M. Pacific time

2.  Fax: (408) 970-9727
    24-hour, Group III Fax 
		
3.  Fax-back automated response system: (408) 988-3034
    24-hour fax

Send correspondence to any of the following McAfee 
locations:
	
    McAfee Corporate Headquarters		
    2710 Walsh Avenue			
    Santa Clara, CA 95051-0963		
	
    McAfee East Coast Office					
    Jerral West Center
    766 Shrewsbury Avenue
    Tinton Falls, NJ 07724-3298

    McAfee Central Office			
    5944 Luther Lane, Suite 117		
    Dallas, TX 75225				
						
    McAfee Canada
    178 Main Street
    Unionville, Ontario
    Canada L2R 2G9

    McAfee Europe B.V.			
    Orlyplein 81 - Busitel 1		
    1043 DS Amsterdam				
    The Netherlands	 		

    McAfee (UK) Ltd.
    Hayley House, London Road
    Bracknell, Berkshire  RG12 2TH
    United Kingdom  

    McAfee France S.A.			
    50 rue de Londres				
    75008 Paris					
    France					
				
    McAfee Deutschland GmbH
    Industriestrasse 1
    D-82110 Germering
    Germany

Or, you can receive online assistance through any of the 
following resources:

1.  Bulletin Board System: (408) 988-4004
    24-hour US Robotics HST DS

2.  Internet e-mail: support@mcafee.com

3.  Internet FTP: ftp.mcafee.com or 205.227.129.134

4.  World Wide Web: http://www.mcafee.com
    or http://205.227.129.97

5.  America Online: keyword MCAFEE

6.  CompuServe: GO MCAFEE

7.  The Microsoft Network: GO MCAFEE
                               
Before contacting McAfee, please make note of the
following information. When sending correspondence,
please include the same details.

- Program name and version number
- Type and brand of your computer, hard drive, and any 
  peripherals
- Operating system type and version
- Network name, operating system, and version
- Contents of your AUTOEXEC.BAT, CONFIG.SYS, and 
  system LOGIN script
- Microsoft service pack, where applicable
- Network card installed, where applicable
- Modem manufacturer, model, and baud, where 
  applicable
- Relevant browsers/applications and version number,
  where applicable

- Problem
- Specific scenario where problem occurs
- Conditions required to reproduce problem
- Statement of whether problem is reproducible on demand

- Your contact information: voice, fax, and e-mail

Other general feedback is also appreciated.


* FOR ON-SITE TRAINING INFORMATION *
 
Contact McAfee Customer Service at (800) 338-8754.


* FOR PRODUCT UPGRADES *

To make it easier for you to receive and use McAfee's
products, we have established an Agents program to 
provide service, sales, and support for our products 
worldwide. For a listing of agents, see the file 
AGENTS.TXT, where applicable, or contact McAfee
Customer Service for agents near you.


