U-M Virus Busters: U-M Preconfigured VirusScan 8.5 Installer FAQ

Download Antivirus Software

What to Do If You Have a Virus

Virus Filtering

Viruses Seen at U-M

Hoaxes, Hooey, and Hogwash

Urban Legends

U-M Resources

Other Resources

U-M Preconfigured VirusScan 8.5 Installer FAQ

Installation Issues

IBM ThinkPad/HP Computer Drivers

"RunAs" fails with a "Header corrupt" error

Installer Says VirusScan7_or_8 Installed

Installer Says VirusScan85 Installed

Installer says VirusScan_451 Installed

Installer Says VirusScan_9x Installed

Unable to Determine System Drive

Usage Issues

No Automatic Updates

E-Mail Doesn't Work

IRC Doesn't Work

Why are there red bars around my VirusScan icon?

Why can't I disable the on-access scanner?

General Information

What are the major new features in VirusScan 8.5?

Installation Issues

IBM ThinkPad/HP Computer Drivers
I have an IBM ThinkPad or a Hewlet-Packard computer. Anything special I need to know?
We are not sure: There were issues with VirusScan 8.0, but we hope they have been resolved in VirusScan 8.5. Nonetheless, to be safe: These computers may need to have updated drivers in order to accomodate VirusScan installs. Newer IBMs and HPs may well have updated software already, but it is prudent to make sure that the machines have the latest versions of these software packages. See these web sites for details:
- MIT's VirusScan Pre-Installation Instructions Although this page provides VirusScan 7 pre-installation instructions, the instructions also apply to VirusScan 8.5.
- McAfee's Knowledgebase Type nai21684 in the search box to find this article: "Drive Letter Access (DLA) issues with McAfee VirusScan and NetShield."
- McAfee's Knowledgebase Type nai35124 in the search box to find this article: "Windows Installer hangs on systems running DLA software and VirusScan Enterprise."

"RunAs" fails with a "Header corrupt" error
When I try to launch vs85um.exe with RunAs vs85um.exe, I get this error:
WinZip Self-Extractor
WinZip Self-Extractor header corrupt. Possible cause: bad disk or file transfer error.

The cause is that you are not running as a user with Adminstrator rights; be sure to click on "The following user" button, then select a user with admin rights.
Installer Says VirusScan7_or_8 Installed
I've uninstalled all my anti-virus software, but the U-M VirusScan Installer says that I still have VirusScan7_or_8 installed.
(Note: The same steps below apply with the VirusScan 7 installers, when VirusScan7 is reported.)
First, make sure that you have tried to uninstall "McAfee VirusScan" via Start/Settings/Control Panel/Add and Remove Software. Then find and delete the file mcshield.exe. Here is the path to where you are likely to find it:
%SystemDrive%\Program Files\Network Associates\VirusScan\mcshield.exe
If it is not there, try this path:
%SystemDrive%\Program Files\Common Files\Network Associates\McShield\mcshield.exe
Usually %SystemDrive% is your C: drive.

Installer Says VirusScan85 Installed
I've uninstalled all my anti-virus software, but the U-M VirusScan Installer says that I still have VirusScan85 installed.

First, make sure that you have tried to uninstall "McAfee VirusScan" via Start/Settings/Control Panel/Add and Remove Software. Then find and delete the file mcshield.exe. Here is the path to where you are likely to find it:
"%SystemDrive%\Program Files\McAfee\VirusScan Enterprise\mcshield.exe"
but with 64-bit Windows, it lives here:
"%SystemDrive%\Program Files (x86)\McAfee\VirusScan Enterprise\mcshield.exe"
Usually %SystemDrive% is your C: drive.
NOTE: Depending on the current "state of the installation", you may need to do one of the following first to be able to delete this file:
- Open the VirusScan Console and disable the [Access Protection] task.
- Delete the file while booted in Safe Mode.

Installer says VirusScan_451 Installed
I've uninstalled all my anti-virus software, but the U-M VirusScan Installer says that I still have VirusScan_451 installed.
First, make sure that you have tried to uninstall "McAfee VirusScan" via Start/Settings/Control Panel/Add and Remove Software before you try this procedure. Then find and delete the file mcshield.exe.
Here is the path to where you are likely to find it:
%SystemDrive%\Program Files\Common Files\Network Associates\McShield\mcshield.exe
Usually %SystemDrive% is your C: drive.

Installer Says VirusScan_9x Installed
I've uninstalled all my anti-virus software, but the U-M VirusScan Installer says that I still have VirusScan_9x installed.
First, make sure that you have tried to uninstall VirusScan via Start/Settings/Control Panel/Add and Remove Software. Then search for and delete any copies of these files that you find:
- VSHIELD.VXD
- MCSCAN32.VXD
Usually, these files will be in the C:\Windows\System folder. Then re-run the VirusScan installer.
Note: It is a good idea to make sure that you are including hidden files and folders in your search, because different versions of Windows behave differently. In brief:
1. Open any folder.
2. Select Folder Options from the View menu (Win9x/NT) or Tools menu (WinME/2000/XP).
3. Click the View tab, and make sure that all options that hide files are disabled. [You may want to change this back afterwards.]
More detailed instructions are available on the Xtra web site's instructions for showing hidden system files.

Unable to Determine System Drive
The installer says "Unable to determine system drive. Contact virus.busters@umich.edu for assistance."
(Note: This should not occur with installers released after 26 October, 2003.)
First, try restarting Windows and running the installer again.
If the problem persists, then something (or someone) has messed with the SystemDrive environment variable. The following should help resolve this problem.
1. First determine on which drive Windows is installed. This is usually C:, but might be different in some cases. If you don't know where Windows is installed, it is possible to determine the drive from the WINDIR environment variable:
  1. Click Start and choose Run.
  2. In the text box, type command, then click OK. (Alternately, open a DOS window.)
  3. At the DOS prompt, type echo %windir% and press the Enter key.
  4. The first two characters of the output (e.g., C: or D:) is the name of the drive where Windows is installed.
  5. Type exit and press the Enter key to close the command prompt window.
  Otherwise, contact your system vendor, whoever set up your computer for you, or the ITCS consultants at 764-HELP for assistance in figuring out its location.
2. Right-click My Computer (it will be either on the desktop or in the Start menu) and choose Properties.
3. Click the Advanced tab, and then click the Environment Variables button.
4. In the System variables section (at the bottom), click the New button.
5. In the Enter System Variable dialog box, do the following:
  - In the Variable name box, type SystemDrive.
  - In the Variable value box, type the name of the drive Windows is installed on (e.g., C: or D:). Be sure to include the colon (:) as part of the name; it is important.
  - Click OK.
6. Click OK to close the System Properties window.
7. Restart Windows and attempt the installation again.

Usage Issues

No Automatic Updates
Autoupdates do not occur on my computer.
If you have a firewall, be sure to allow Frameworkservice.exe access to the Net.
If that doesn't work, try this:
1. Right-click the VirusScan shield icon in the System Tray (by your clock).
2. Select VirusScan Console.
3. From the Tools menu, select Edit AutoUpdate Repository List.
4. Click the Proxy settings tab.
5. Click the Use Internet Explorer proxy settings radio button. Perhaps this will help.
6. Click OK.
7. Close the VirusScan Console window.
One last try: If all else fails, try booting in Safe Mode with Networking mode and see if you can autoupdate. If you can, then you know that the problem is not on the network, but on your machine (when you boot in Normal mode).
If the problem is on your machine, you may find it helpful to use the System Configuration Utility to troubleshoot the problem, assuming you have a technical bent and use Windows XP. Here's how:
1. Log on to your Windows computer as Administrator (or as any user with admin rights).
2. From the Start menu, select Run.
3. In the text box, type msconfig and click OK.
4. View the various tabs to find anything amiss—in particular, the Services tab may show some anomaly (e.g., a fragment of an uninstalled firewall).
5. Fix whatever anamolies you find (this is where you'll need that technical ability/agility!).
Under Windows 2000, you may get similar results via Start/Settings/Control Panel/Administrative Tools/Services.
E-Mail Doesn't Work
My e-mail program worked before I installed VirusScan 8.5, but now it does not.
VirusScan blocks viruses that send e-mail directly from infected computers. But it has a list of e-mailers that it should allow to send email. Perhaps your e-mail application is not on the list of allowed applications? Here's how to check for and fix that:
1. Right-click the VirusScan shield icon in the System Tray (by your clock)
2. Select VirusScan Console.
3. In the list of tasks, double-click the Access Protection task.
4. In the Access Protection Properties window, in the list of rules, double-click Prevent mass mailing worms from sending mail.
5. In the Excluded Processes list, add the filename of your e-mail application if it is not already listed. You do not need to specify the folder where this application is installed—just use its name.
6. Click OK.
7. Close the Access Protection Properties window.
8. Close the VirusScan Console window.
Note: The name(s) of the process(es) being blocked are listed in the AccessProtectionLog.txt file. To see the(se) name(s), right-click the Access Protection task in the VirusScan Console and select View Log.
IRC Doesn't Work
My IRC client doesn't work after installing VirusScan 8.5
VirusScan prevents rogue software from abusing IRC. If your IRC application is not on the list of allowed exceptions to this policy, here's how to permit it:
1. Right-click the VirusScan shield icon in the System Tray (by your clock)
2. Select VirusScan Console.
3. In the list of tasks, double-click the Access Protection task.
4. In the list of rules, double-click the first Prevent IRC communication rule (there are two).
5. In the Excluded processes section (at the bottom), add the filename of your IRC application if it is not already listed. You do not need to specify the folder where this application is installed—just use its name. Then click OK.
6. Repeat with the second Prevent IRC communication task.
7. Close the Access Protection Properties window.
8. Close the VirusScan Console window.
Why are there red bars around my VirusScan icon in the System Tray?

Whenever a VirusScan Access protection rule is violated, VirusScan prevents the action and notifies you by putting the red outline around the VirusScan shield. You may see what triggered the event by right-clicking the VirusScan icon, then selecting the VirusScan Console. When the Console opens, right-click the Access Protection task and select View log.
Unfortunately, VirusScan sometimes reports false alarms on the SiteList.xml file. You may safely ignore any alerts in the Access Protection log that looks similar to this:

2/19/2007 2:38:42 PM Blocked by Access Protection rule NT AUTHORITY\SYSTEM
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\SiteList.xml
Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings
Action blocked : Delete

The key issues of the false alarm are these:
- The process being blocked is vstskmgr.exe.
- The file that was to be deleted is SiteList.xml.
- The rule invoked is Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings.
If all those are satisfied, then rest assured that it is a false alarm.
Why can't I disable the on-access scanner?

The short answer is, "Because if *you* can, so can malicious software that VirusScan does not yet recognize." So VirusScan 8.5 is a lot better at protecting itself than older VirusScan versions. Moreover, there hasn't been a good reason to disable the on-access scanners of antivirus products since 1992 or thereabouts—false claims of software installers to the contrary. Trust us when we say that you almost surely do not want to disable the on-access scanner, unless you want to uninstall anti-virus protection totally. But if you have what you think is a really good reason, tell us ... and we'll see if we can help.
General Information
What are the major new features in VirusScan 8.5?
- VirusScan has been strengthened so that its processes are much more difficult to subvert.
- VirusScan 8.5 supports Vista and fully supports 64-bit versions of Windows.
- VirusScan 8.5 uses the new "V2" virus definition format—this means faster downloads, more flexibility, and elimination of some spurious error messages when updating.
- VirusScan 8.5 has a Quarantine Manager. This means that should VirusScan have virus definitions that cause it to change something in error, the change can be undone.

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)

virus.busters@umich.edu

visits since this page was created 12 March 2007

This page last updated 16 March 2007