U-M Virus Busters - F-PROT FAQ

[last update 10/03/96]

by Bruce P. Burrell
bpb@umich.edu
virus.busters@umich.edu

Here's a list of some Frequently Asked Questions pertaining to F-PROT for DOS.

Q1. What does it mean when F-PROT.EXE detects a Word/Macro virus, but F-MacroW.exe doesn't?

A1. F-MacroW understands the OLE2 structure of Word documents; F-PROT.EXE just uses a brute force approach. Therefore, sometimes F-PROT.EXE will think there is a virus when in fact there is not. Here's the pertinent quote, taken from the F-MACROW.DOC file in the 2.24c release:

"Please use F-MACROW to scan and disinfect macro viruses - *NOT* F-PROT. If F-PROT and F-MACROW disagree on whether a document is infected or not - trust F-MACROW, not F-PROT."

Q2. If I have such a document that seems infected with F-PROT, but that F-MacroW says is ok, how do I get rid of the "ghost positive"?

A2. The following will often work:

   1. Save a copy of the document to a floppy disk, and remove the diskette.
      This is just a backup, in case something goes wrong.

   2. Use File Save As to save to a new Word document.

   3. Scan the new document to see if F-PROT still thinks it's infected.

   4. If not, delete the original and rename the new one.  If, however, you
      still get a false positive... 

   5. Use File Save As in to save in RTF format, then open the RTF doc and
      Save As a Word doc.

Note that if the RTF method is used, ALL macros will be deleted. Don't use this method if you have your own macros; U-M members may contact virus.busters@umich.edu for assistance.

Q3. How do I use F-PROT under Windows 95?

A3. F-PROT isn't designed for Graphical User Interface (GUI) performance. Read Using F-PROT for DOS under Win95 to see how to use it as best as possible under Win95.

Q4. What special considerations are there for Windows NT?

A4. The main consideration here is non-DOS file systems (HPFS and NTFS). See F-PROT under Windows NT, and have a peek at Using F-PROT for DOS under Win95 also.

Q5. When I boot from a clean floppy disk, I can't access my C: drive. How can I use F-PROT to scan my hard drive?

A5. Some viruses "disguise" the existence of the hard drive when booting from floppy, probably to try to prevent disinfection. One of the most common viruses at U-M, the Monkey virus, behaves in this fashion. Fortunately, as long as one can get to the A:\> prompt, F-PROT is usually up to the task. To remove these viruses, clean boot from floppy and use the command:

F-PROT /HARD /DISINF

Don't be concerned if, after disinfection, the message "Error: Hard drive not found" appears; just reboot and rerun the above command.

If F-PROT is unable to remove the virus, contact virus.busters@umich.edu

Last updated: Friday, 11-Apr-1997 11:04:24 EDT.
University of Michigan Virus Busters - virus.busters@umich.edu