allanswers.org - Viruses and the Mac FAQ

  SAM application Minimum and Preferred memory allocations must be 
  increased from their shipping defaults to 5000K or greater. The 
  (May 1998) SAM definitions files included a Read Me with 
  instructions. More information may be available from Symantec SAM 
  support on the Web.] 

  Symantec issued a Norton AntiVirus 5.x->5.0.3 patch for Mac OS 8.5, 
  fixing the problem with copying files on AppleShare networks. 
   

  Virex offers very fast scanning, is easy to update, and includes 
  checksumming for the detection of unknown viruses. It's also 
  possible to buy an administration package. The basic package 
  includes a control panel for scanning on file or diskette access 
  which can be locked independently of the administration package. 
  Installation and interface are easy and efficient. Virex 5.8 scans 
  ZIP archives and has a contextual menu plug-in module and interface 
  enhancements. 

  Virex 5.9.1 was released on 18-Jan-99, for compatibility with 
  Mac OS 8.5 and Virex Administrator 1.4, and can be downloaded. 
  Registered users who bought McAfee VirusScan during the past six 
  months or so, and registered users of Virex 5.8 and 5.9 could 
  still upgrade. 
  Virex Administrator version 1.4 was released by NAI on 23-Dec-98. 
  Virex and Virex Administrator had these home pages: 
   
   
++Current Virex release is 6.0. Licensed 5.9x users can obtain an 
  upgrade. OS 9 users will need the beta control panel available from 
  www.nai.com, to overcome compatibility problems. 

  Dr Solomon's Software acquired Virex and netOctopus from Datawatch 
  Corp. on 10-Oct-97. Network Associates (NAI) acquired Dr Solomon's 
  on 13-Aug-98. Netopia, Inc., acquired what is now named Timbuktu 
  netOctopus in late '98 or early '99. 

++VirusScan 3.0.1 is the final version for Macintosh, and may be 
  updated for macro viruses into 1999, but will never have AutoStart 
  worm definitions or definitions for the new System viruses like 
  SevenDust E. VirusScan customers need to take advantage of a free 
  upgrade to Virex as soon as possible. 

  Dr. Solomon's for Macintosh went through various stages of neglect 
  through late 1998 and support appears to have vanished altogether in 
  1999, when customers started to receive Virex disks instead of Dr. 
  Solly's updates. 

++Rival 3.0.4 is available from Intego. [Probably obsolete info.] 
   

++F-Secure for Macintosh is one of the best-kept secrets in anti-virus. 
  The last time I saw it, it detected macro viruses only. You might be 
  lucky and find some reference to it at: 
   
  It features on datafellows evaluation CDs.

8.6  Contact Details 
-------------------- 
  Network Associates 
  (for Virex, Dr Solomon's Anti-Virus Toolkit, and VirusScan) 

  Network Associates Corporate Headquarters 
  3965 Freedom Circle 
  McCandless Towers 
  Santa Clara, CA 95054 
  United States 
  Customer Care: 
  Voice +1 408 988 3832 
  Fax   +1 408 970 9727 
  Fax-back automated response system 
  +1 408 988 3034 
  BBS   +1 408 988 4004 
  America Online keyword: MCAFEE 
  CompuServe: GO NAI 
  support@nai.com 
  ftp://ftp.nai.com/pub/antivirus/mac/ 
  http://www.nai.com/ 

  Dr. Solomon's Software Ltd. 
  (for Dr. Solomon's Anti-Virus Toolkit) 

  Alton House 
  Gatehouse Way 
  Aylesbury 
  Buckinghamshire HP19 3XU 
  United Kingdom 
  UK Support: support@uk.drsolomon.com 
  US Support: support@us.drsolomon.com 
  UK Tel: +44 (0)1296 318700 
  USA Tel: +1 781-273-7400, 1-888-DRSOLOMON 
  CompuServe: GO DRSOLOMON 
  Web: http://www.drsolomon.com 
  FTP: ftp://ftp.drsolomon.com 

  Symantec Corporation (for NAV and SAM) 

  10201 Torre Avenue 
  Cupertino CA 95014 
  United States 
  +1 408 725 2762 
  Fax: +1 408 253 4992 
  US Support:  541-465-8420 
  AOL:  SYMANTEC 
  European Support:  31-71-353-111 
  Australian Support:  61-2-879-6577 
  http://www.symantec.com/ 
  ftp://ftp.symantec.com/ 

  Intego (for Rival) 

  10, rue Say 
  75009 Paris 
  France 
  +33 1 49 95 07 80 
  Fax: +33 1 49 95 07 83 
  Email: rival@intego.com 
  http://www.intego.com/ 

  Sophos Plc (for Sophos Anti-Virus) 

  The Pentagon 
  Abingdon 
  Oxon 
  England OX14 3YP 
  US Support: +1-888-SOPHOS-9 
  UK Support: +44-1235-559933 
  http://www.sophos.com/ 

++Details on DataFellows will be included when I've determined the current 
  status of F-Secure for Macintosh. [Sorry: next time round, guys....] 
  

9.0  Welcome Datacomp 
===================== 

  From time to time there are reports from Mac users that the message 
  'Welcome Datacomp' appears in their documents without having been 
  typed. This is the result of using a Trojanised 3rd-party 
  Mac-compatible keyboard with this 'joke' hard-coded into the 
  keyboard ROM. It's not a virus - it cannot infect anything. The 
  only cure is to replace the keyboard (be polite but firm with the 
  dealer if you were sold this as a new keyboard!). 
  

10.0  Hoaxes and myths 
====================== 

  Some of these are PC-specific, rather than Mac-specific, while some 
  have no basis in reality on any system. [I look forward to hearing 
  about the first Turing machine infector....] They are included here 
  (a) because Mac support staff are accustomed to being asked about 
  them (b) because anything that -might- work on a real PC -might- 
  also work with DOS emulation, in principle. 
++This section may vanish in the near future, or at least contract. 
  The hoax business has changed a lot since this FAQ began. 

10.1  Good Times virus 
---------------------- 
  There is *no* Good Times virus that trashes your hard disk and 
  launches your CPU into an nth-complexity binary loop when you read 
  mail with "Good Times" in the Subject: field. 

  You can get a copy of the latest version of Les Jones' FAQ on the 
  Good Times Hoax on the World Wide Web: 
   

  There's a Mini-FAQ available as: 
   

10.2  Modems and Hardware viruses 
--------------------------------- 
  There is no modem virus that spreads via an undocumented subcarrier 
  - whatever that means.... There is no virus that causes damage to 
  hardware. 

10.3  Email viruses 
------------------- 
  Any file virus can be transmitted as an E-mail attachment. However, 
  the virus code has to be executed before it actually infects. 
  Sensibly configured mailers and browsers don't allow this: check 
  yours. In particular, check that your Web browser doesn't 
  automatically pass Word documents to Word 6 to open, since this may 
  result in embedded macros being launched. 

10.4  JPEG/GIF viruses 
---------------------- 
  There is no known way in which a virus could sensibly be spread by 
  a graphics file such as a JPEG or .GIF file, which does not contain 
  executable code. Macro viruses work because the files to which they 
  are attached are not 'pure' data files. 

10.5  Hoaxes Help 
----------------- 
  If you should receive a virus warning, look at these sites before 
  forwarding it along (in fact, it's probably never justified to pass 
  on a virus alert indiscriminately, and reputable antivirus 
  companies don't do this). In fact, the information that such and 
  such a virus exists is not, in itself, useful to the average 
  computer user, even if it does. A statement like "Please forward 
  to everyone!" is one mark of a hoax. 

  Computer Virus Myths home page 
   

  Data Fellows 
   

  Scams and Hoaxes FAQ: Messages you DON'T want to post 
   

  Corporates who haven't sorted out their hoax management strategy 
  might get some mileage out of my mini-paper on "Dealing with 
  Internet Hoaxes", though it's getting a bit long in the tooth. It 
  is, however, one of the few papers on the subject which deals with 
  it from an administrator's/manager's point of view as well as from 
  an everyday user/victim's. [DH] 
++ 
  I'm slightly surprised to find that I'm managing an EICAR project 
  in this area: watch this space. 
  

11.0  Glossary 
============== 

  * Change Detectors/Checksummers/Integrity Checkers - programs that 
    keep a database of the characteristics of all executable files on a 
    system and check for changes which might signify an attack by an 
    unknown virus. 
  * Cryptographic Checksummers use an encryption algorithm to lessen 
    the risk of being fooled by a virus that targets that particular 
    checksummer. 
  * Dropper - a program that installs a virus or Trojan, often 
    covertly. 
  * Generic - catch-all name for antivirus software that doesn't know 
    about individual viruses, but attempts to detect viruses by 
    detecting virus-like code, behaviour, or changes in files 
    containing executable code. 
  * Heuristic scanners - scanners that inspect executable files for 
    code using operations that might denote an unknown virus. 
  * Monitor/Behaviour Blocker - a TSR that monitors programs while 
    they are running for behaviour which might denote a virus. 
  * Scanner (conventional scanner, command-line scanner, on-demand 
    scanner) - a program that looks for known viruses by checking for 
    recognisable patterns ('scan strings', 'search strings', 
    'signatures') or using a more flexible algorithmic approach for 
    detection of polymorphic viruses, which can't be found by a search 
    for a simple scan string. These are not usually associated with the 
    Macintosh platform, but there are Word Macro viruses which exhibit 
    mutation. 
  * Trojan (Trojan Horse) - a program intended to perform some covert 
    and usually malicious act that the victim did not expect or want. 
    It differs from a destructive virus in that it doesn't reproduce 
    (though this distinction is by no means universally accepted). 
  * Virus - a program (a block of executable code) that attaches 
    itself to, overwrites or otherwise replaces another program in 
    order to reproduce itself without the knowledge of the computer 
    user. Most viruses are comparatively harmless, and may be present 
    for years with no noticeable effect: some, however, may cause 
    random damage to data files (sometimes insidiously, over a long 
    period) or attempt to destroy files and disks. Others cause 
    unintended damage. Even benign viruses (apparently non-destructive 
    viruses) cause significant damage by occupying disk space and/or 
    main memory, by using up CPU processing time, by introducing the 
    risk of incompatibilities and conflicts, and by the time and 
    expense wasted in detecting and removing them. 
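
  An added example (not part of the original FAQ or of any product it
  describes) illustrating the change detector and cryptographic
  checksummer entries above: a baseline database is compared against the
  current files, and a keyed digest catches a change that a plain byte-sum
  checksum misses. HMAC-SHA256 is an assumption standing in for the
  "encryption algorithm" the glossary mentions; the key, file names and
  contents are constructed sample data.

```python
import hashlib
import hmac

def simple_checksum(data: bytes) -> int:
    """Non-cryptographic checksum: 16-bit sum of bytes (ignores byte order)."""
    return sum(data) & 0xFFFF

def keyed_digest(key: bytes, data: bytes) -> str:
    """Cryptographic checksum: HMAC-SHA256 under a key only the checker holds."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_baseline(key, files):
    """Database of characteristics: name -> (simple checksum, keyed digest)."""
    return {name: (simple_checksum(body), keyed_digest(key, body))
            for name, body in files.items()}

def compare(key, baseline, files):
    """Return name -> 'ok' | 'new' | 'missing' | 'changed' |
    'changed (simple checksum fooled)' for every known or present file."""
    report = {}
    for name in sorted(set(baseline) | set(files)):
        if name not in baseline:
            report[name] = "new"
        elif name not in files:
            report[name] = "missing"
        else:
            old_sum, old_mac = baseline[name]
            body = files[name]
            if hmac.compare_digest(old_mac, keyed_digest(key, body)):
                report[name] = "ok"
            elif old_sum == simple_checksum(body):
                report[name] = "changed (simple checksum fooled)"
            else:
                report[name] = "changed"
    return report

# Constructed sample data: file names, contents and key are made up.
KEY = b"constructed-demo-key"
CLEAN = {"Finder": b"\x01\x02\x03\x04", "SimpleText": b"\x10\x20\x30",
         "Calculator": b"\x05\x06", "StuffIt": b"\xaa\xbb"}
BASELINE = build_baseline(KEY, CLEAN)
LATER = {"Finder": b"\x01\x02\x03\x04",   # untouched
         "SimpleText": b"\x30\x20\x10",   # same bytes reordered: sum unchanged
         "StuffIt": b"\xaa\xbb\xcc",      # bytes appended
         "NewApp": b"\x00"}               # not in the baseline

if __name__ == "__main__":
    for name, status in compare(KEY, BASELINE, LATER).items():
        print(f"{name:12} {status}")
```

  The baseline and the key need to be stored where code running on the
  checked system cannot rewrite them, otherwise the comparison proves
  nothing.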
  

12.0  General Reference Section 
=============================== 

12.1  Mac Newsgroups 
-------------------- 
  comp.sys.mac.apps 
  comp.sys.mac.comm 
  comp.sys.mac.misc 
  comp.sys.mac.system 

  comp.virus 
  alt.comp.virus 

  The focus of these two groups tends to be IBM-compatible, but Mac 
  issues are certainly aired. Alt.comp.virus is unmoderated, and the 
  quality of the advice and opinions aired there is very variable - 
  there are many reputable and expert posters, and many mischievous 
  and misleading contributions. Caveat lector.... comp.virus lies 
  dormant for years at a time, but is well worth watching when there's 
  anything there. 

12.2  References and Publications 
--------------------------------- 
  Sensei Consulting Macintosh WAIS Archives 
   

  "Inside the Apple Macintosh" - Peter Norton & Jim Heid (Brady) (The 
  2nd Edition is pre-PowerMac, and I haven't seen a later one, but 
  there's some surprisingly useful stuff in there). 

  "Inside Macintosh" (Addison Wesley). Essential reading for Mac 
  programmers. (Umpteen volumes of fairly low-level info. Expensive 
  (in the UK, at any rate), and whenever you get near some useful 
  info, it refers you to one of the volumes you haven't got. However, 
  the series has been re-vamped since I acquired my copies, and this 
  may be less than just. It's possible to download them in Acrobat 
  and in some cases other formats from: 
   
  where you can also order hardcopy and CD versions. Lots of other 
  useful files. 

  "Power Macintosh Emergency Handbook" (Apple Computer) 
   

  MacFixIt "Troubleshooting for the Macintosh" 
   

  "Sad Macs, Bombs and other Disasters" 
  Ted Landau (Addison Wesley) 
   

  MacInTouch home page (info and services) 
   

  MacWEEK.com (Have run MacInTouch columns about the AutoStart worms.) 
   
  Macworld magazine 
   
  TidBITS (Have done many good articles on Mac/macro virus issues.) 
   
  

13.0  Mac troubleshooting 
========================= 

  Since the initial release of this document, a number of people have 
  E-mailed me asking for help with a possibly virus-related problem. 
  While I'll always help if I can, I should point out (1) I'm an 
  experienced Mac user and an IT support professional, but I don't 
  claim to be a Mac expert (2) pressure of work and other commitments 
  and a huge E-mail turnover means that I can't promise a quick or 
  in-depth response [DH]. Whether you mail direct or post to a 
  relevant newsgroup, it's helpful if you can supply a few details, 
  such as: 

  * Which model of Macintosh you're using. It may be useful to know 
    how much RAM it has, the size of the hard disk, and any peripherals 
    you're using. 
  * Which version of MacOS you're using. 
  * Which applications you're using, and which version. If you're 
    using Word, it may be critical to know whether you're using version 
    6 or later, or an earlier version. 
  * Which, if any, antivirus packages you use, and what version 
    number. If you're using NAV, for instance, what version? 
  * List any error messages or alerts that have appeared. 
  * List any recent changes in configuration, additional hardware 
    etc. 
  * List any diagnostic/repair packages you've tried, and the 
    results. 
  * List any other steps you've taken towards determining the cause 
    of the problem and/or trying to fix it, e.g. rebuilding the 
    desktop, booting without extensions, zapping PRAM etc. 

  Here are a few steps that it might be appropriate to try if virus 
  scanning with an up-to-date scanner finds nothing. This section 
  will be improved when and if I have time. 

  Rebuilding the desktop is by no means a cure-all, but rarely does 
  any harm. It may be worth disabling extensions when you do this, 
  especially if the operation doesn't seem to be completed 
  successfully. 

  To disable extensions, restart the machine with the shift key held 
  down until you see an Extensions Off message. If you're rebuilding 
  the desktop, release the shift key and hold down Command (the key 
  with the Apple outline icon) & Option (alt) until requested to 
  confirm that you want to rebuild. 

  Disabling extensions is also a good starting point for tracking 
  down an extensions conflict. If booting without extensions appears 
  to bypass the problem, try removing extensions with Extensions 
  Manager (System 7.5) - remove one at a time, and replace it before 
  removing the next one and booting with that one removed. Remember 
  that if removing one stops the problem, it's still worth putting it 
  back and trying all the others to see if you can find one it's 
  conflicting with. Extensions Manager also lets you disable control 
  panels. If you don't have Extensions Manager, try Now Utilities or 
  Conflict Catcher. 

  Parameter RAM (PRAM) contains system information, notably the 
  settings for a number of system control panels. 'Zapping' PRAM 
  returns possibly corrupt PRAM data to default values. A likely 
  symptom of corrupted PRAM is a problem with date and time (but 
  this could also be a symptom of a corrupted system file). With 
  System 7, hold down Command-Option-P-R at bootup until the Mac 
  beeps and restarts. You may have to restore changes to some control 
  panels before your system works properly. If the reset values 
  aren't retained, the battery may need replacing. 
  

-- 
End "Viruses and the Macintosh" version 1.6a by David Harley 
  
