Instructions for using EXTRA.DAT in Emergency Outbreak Mode
or supplemental detection and removal

Instructions for using the extra dat with NAI AV Products.

 

GroupShield Notes 4.02 and 4.5.

 

1.         At the Domino Server Console unload the following task:

                                GSScan

                        GSDScan

                        GSTmgr

 

            By typing in the following:          tell gsscan quit

                                                            tell gsdscan quit

                                                            tell gstmgr quit

 

2.         Copy the extra.dat into the location where GroupShield is installed

            The default location is: C:\Program Files\Network Associates\Groupshield

                       

3.         Restart the GroupShield Tasks by typing in the following order at the Server Console:

 

                        Load gstmgr

                        Load gsscan

                        Load gsdscan

 

 

Groupshield Exchange 4.5

 

With Groupshield Exchange 4.5, it is possible to stop viruses by keying off the subject line or attachment file name. Below are example instructions for blocking VBS/Loveletter.worm.a by using Groupshield's new attachment blocking feature:

 

Load Exchange Admin and double-click on the Groupshield Exchange object under the Server.

 

On the 'On-Access' tab, select 'Specified attachments' from the 'Attachment blocking' box and then click on 'Select...'

 

In the 'Name Based Options' box, click on 'Block Filenames' and then 'Change'

 

Click on Add and enter the filename: 'LOVE-LETTER-FOR-YOU.TXT.vbs'. Click OK, OK again and OK one more time to return to the Groupshield menu.

 

Groupshield Exchange will now block the vbs attachment and so prevent further infections. This will work without the extra.dat.

 

 

Groupshield Exchange 4.0.4

 

 

Ensure that you are using the latest dat files available.

 

Place the extra.dat in the \Program files\Network Associates\Groupshield Exchange\i386 folder if Groupshield is running on an Intel machine

 

Place the extra.dat in \Program files\Network Associates\Groupshield Exchange\Alpha if Groupshield is running on an Alpha machine.

 

Stop and restart the Groupshield Exchange service from the Control Panel.

 

Groupshield Exchange will now detect this virus and so prevent further infections.

 

 

WebShield SMTP

 

If you use WebShield SMTP version 4.5 you can also use content filtering and blocking to disable access to viruses. Below are instructions on how to filter based on VBS/Loveletter.worm.a :

 

In WebShield SMTP, you have the possibility of content filtering and blocking. You can scan on the subject header, which in the case of this virus is always identical ( 'I love you')

 

Procedure in WebShield SMTP 4.5 is as follows:

 

Open configurations console - go to content filter and enable content filtering.  Add description: loveletter and check subject line.  Filter on word/phrase, enter 'I love you' without the brackets and select block message when found.

 

 

VirusScan NT 4.0.x

 

Open the control panel

Double click services

STOP Network Associates McShield

Copy the EXTRA.DAT File in the following location

 

<drive>:\Program Files\Network Associates\VirusScan NT\

 

Alternatively search the computer for the following files:

 

Scan.Dat

Clean.Dat

Names.Dat

 

Copy the Extra.Dat into this location.

 

Start the McShield service again.

 

 

VirusScan Win 9x 4.0.x

Copy the extra.dat file into the VirusScan installation folder and reboot the computer.

 

 

VirusScan Win 9x 4.5

Copy the extra.dat file into the following folder:

<drive>:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx\

 

Alternatively search the computer for the following files:

 

Scan.Dat

Clean.Dat

Names.Dat

 

Copy the Extra.Dat into this location.  

 

 

VirusScan NT 4.5

 

Open the control panel

Double click services

STOP Network Associates McShield service

Copy the EXTRA.DAT File in the following location:

<drive>:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx\

 

Alternatively search the computer for the following files:

 

Scan.Dat

Clean.Dat

Names.Dat

 

Copy the Extra.Dat into this location.  

 

 

NetShield NT 4.0.x

 

Open the control panel

Double click services

STOP Network Associates McShield

Copy the EXTRA.DAT File in the following location

 

<drive>:\Program Files\Network Associates\VirusScan NT\

 

Alternatively search the computer for the following files:

 

Scan.Dat

Clean.Dat

Names.Dat

 

Copy the Extra.Dat into this location.

 

Start the McShield service again.

 

NetShield NT 4.5

 

Open the control panel

Double click services

STOP Network Associates McShield service

Copy the EXTRA.DAT File in the following location:

<drive>:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx\

 

Alternatively search the computer for the following files:

 

Scan.Dat

Clean.Dat

Names.Dat

 

Copy the Extra.Dat into this location.