
                      Doctor Web for DOS/386

                         Version 4.21
              Copyright (c) 1992-2000, Igor Daniloff

     Anti-virus laboratory of Igor Daniloff, DialogueScience, Inc.


This program is a representative of the new 32-bit generation of antivirus
scanner Doctor Web (or DrWeb). This new generation (DrWeb32) includes
programs for Windows 95/98/ME/NT/2000, DOS/386, OS/2, and Novell NetWare.

Functionally, Doctor Web for DOS/386 (or, briefly, DrWeb386) and the
traditional DrWeb for DOS are very much alike. In certain aspects DrWeb386
is substantially different from DrWeb for DOS. It runs in the "command line"
mode only and requires and 386 (or higher) processor. However, the new
program's strong points are:

- no practical limitation on the conventional memory. The program can
operate in the environment with less than 200K of main memory;

- support of the latest (memory-consuming) archive methods, employed by RAR
2.00, etc.;

- faster scan process. As compared with the 16-bit version, DrWeb32 may
show increase in performance by 15-20% (if DrWeb16 was optimally
configured) up to as much as 300% (if DrWeb16 had to run in a particularly
unfriendly environment).

Using of DrWeb386 are recommended for virus checking under DOS, before
Windows starts.


INSTALLATION NOTES

There is no install shield in this distribution package of DrWeb386. To
install the program, create a directory, say, DRWEB32, and unzip DRWEB386.ZIP
into it. Then run DRWEB386.EXE.

Note that all DrWeb32 programs are installed in the same directory. The
distribution packages of all family members include two common files,
DRWEB32.DLL (DrWeb32's engine) and DRWEBASE.VDB (main virus database).
All new virus base adds-on should also be placed in the same directory.

The configuration file DRWEB32.INI is also common to all family members and
can be placed in the same directory (for instance, DRWEB32). However, each
product uses its own section in the INI-file, except for DrWeb32W and
DrWebWCL that share the same section.

Log files are created in the same directory, separately for each product,
and are given, by default, the filename <program>.LOG.

Additionally, the DrWeb32 distribution kit may include language resource files
named <language>.DWL (for instance, RUSSIAN.DWL, GERMAN.DWL, etc.) that
contain program messages written in the respective language. The language
resource files are common to all programs of the DrWeb32 family. Language
can be changed by the /LNG command line option.


REGISTRATION KEYS FOR THE DRWEB32 FAMILY

Without a registration key (the DRWEB32.KEY file), all DrWeb32 members
offer a limited functionality only, as described below:

- at each startup, the evaluation version displays a warning (saying that
  it's an evaluation version);
- archives aren't checked;
- packed executable files aren't checked;
- heuristic analyzer is disabled;
- infected and suspicious files cannot be cured, deleted, removed or renamed.
 
Without the registration key, the DrWeb32 family members may be
redistributed without any restriction.
 
To enable an enhanced preview of Doctor Web features, DialogueScience
freely distributes a special evaluation registration key that removes
some of the restrictions mentioned above. However, this key only works
with the one version of DrWeb (that is attached to the key). With
the evaluation key, DrWeb32 will have the following restrictions:
 
- at each startup, the evaluation version displays a warning (saying that
  it's an evaluation version);
- archives are not checked;
- infected files cannot be cured.

In some cases DialogueScience and its dealers can also distribute other
evaluation registration keys, with other set of restrictions.

To use all features of DrWeb32, a user must purchase a commercial
registration key. This key, as well as an evaluation key, is a special
file generated by UserKey. When placed in the DrWeb32 home directory,
the key enables the full-featured commercial operation of DrWeb32. The key
contains a user name, duration and some other information, and is protected
against fraud with a digital signature.

The DrWeb32 programs may be distributed in various forms, for instance,
as an installation package or just as an archive. The installation package
may include images of 3.5" (1.44 B) floppy disks. Disk #1 contains
the installation program, SETUP.EXE. The registration key can be placed
on this disk, too. In this case the key is automatically copied to
the DrWeb32 directory.

The distribution kit may be contained in a single EXE-file that performs
the installation. In this case (or, if the key is shipped to the user
separately from DrWeb), the key must be placed to the DrWeb directory
after the installation.

If you tried an evaluation copy of DrWeb32 and have received a commercial
registration key, please copy it to the DrWeb32 directory.

WARNING! Please note that all registration keys for DrWeb32 have the same
filename, DRWEB32.KEY. Thus, the newer key might replace the old one
(for example, the evaluation or commercial key).


COMMAND LINE OPTIONS

To start Doctor Web, use the following command line:

        <program> [disk:][path] [options]

where
program - executable module name (DrWeb386),
disk:   - logical drive of a hard disk, floppy drive, network drive, CD-ROM,
          or * (all local logical drives);
path    - location of files to be checked; it may contain path to the
          directory on local/network drive (or network directory) and,
          optionally, filename (or filename mask).

The command line may contain several [disk:][path] parameters delimited with
blanks. In this case, the program will sequentially scan the specified objects.

Command line options (delimited with blanks)

/@[+]<file> - check objects listed in <file>.
      Each object must be identified on a separate line containing
      a full pathname (to check file) or the "?boot" keyword (to check
      boot sectors). The list file can be created with any text editor.
      When scan is completed, Doctor Web deletes the list file, unless
      "+" is included in the option.
      A list file can also be generated by ADinf. In this case, the
      integrity checker will include in the file modified objects only.
      Then, this list can be used by Doctor Web to limit the scan scope,
      which can substantially reduce overall scan time. If ADinf32 is
      configured to launch Doctor Web, the integrity checker inserts 
      the /@ option in the command line and starts the scanner
      automatically (see ADinf32 Manual for details);
/AL - scans all files on a given drive or directory;
/AR[N] - scans all files inside archives created by ARJ, PKZIP, RAR, without
      curing. The N option suppresses the name of the archive utility after
      the name of the archived file;
/CU[RDM][P] - cures infected files and disk system areas. Use the optional
      parameters to specify how infected filed should be treated:
      R - rename (by default, the extension's first character is changed to
      "#"), D - delete, M - move (by default, to the INFECTED.!!! directory);
      P - prompt before action;
/SP[RDM][P] - specifies how to treat suspicious files: R - rename, D - delete,
      M - move; P - prompt before action;
/IC[RDM][P] - specifies how to treat incurable files: R - rename, D - delete,
      M - move; P - prompt before action;
/DA - runs Dr.Web only once in a day. For this option, the configuration file,
      (INI-file) containing the date of the next scanning session must be
      present. This option is useful for starting Dr.Web automatically from
      the AUTOEXEC.BAT file only once in a day on booting the computer;
/EX - scans files that have extensions associated with executable modules
      and MS Office documents (COM, EXE, SYS, BAT, CMD, DRV, BIN, DLL, OV?,
      BOO, PRG, VXD, 386, SCR, FON, DO?, XL?, WIZ, RTF, CL*, HT*, VBS, JS*,
      INF, A??, ZIP, R??, PP?, HLP, OBJ, LIB, MD?, INI, MBR, IMG, CSC, CPL,
      MBP);
/FM - scans files (regardless of the extension) whose internal format is
      that of an executable module or MS Office document with macros (such
      as MS Word or Excel files);
/GO - goes without asking you what to do next (in such situations as not
      enough disk space for unpack operation, invalid parameters in the
      command line, DrWeb infected by unknown virus, etc.). This option
      might be useful, say, for automatic check of incoming e-mail;
/HA - enables the heuristic analyzer that can detect unknown viruses;
/INI:<path> - uses an alternative configuration file (INI-file);
/NI - ignores the settings in the configuration file (DRWEB32.INI);
/LNG[:<path>] - uses an alternative language file (DWL-file), or built-in
      (english) language;
/ML - check e-mail files encoded by UUENCODE and MIME utilities;
/NS - runs non-stop (no interruption by pressing ESC);
/OK - writes a full list of scanned objects and displays "OK" next to clean
      objects;
/PF - displays the "Scan another diskette?" prompt after checking a floppy
      disk;
/PR - prompts to confirm an action on an infected or suspicious file;
/RP[+]<file> - writes the scan results to a file (by default,
      <program>.LOG), <file> is the full pathname of a report file. If the
      plus sign is included, the recent report will be appended to the
      report file; otherwise the report file will be overwritten;
/NR - does not create report file;
/SD - scans subdirectories;
/SO - plays sounds;
/SS - saves current settings when the program terminates;
/TB - scans boot sectors and master boot record;
/TM - scans memory for viruses;
/UP[N] - checks executable files packed by ASPACK, COMPACK, DIET, EXEPACK,
      LZEXE, OPTLINK, PECOMPACT, PEPACK, PGMPAK, PKLITE, WWPACK, WWPACK32,
      UCEXE, UPX; files converted by BJFNT, COM2EXE, CONVERT, CRYPTCOM,
      CRYPTEXE, PECRYPT, PESHIELD, PROTECT, TINYPROG; and files immunized by
      CPAV, F-XLOCK, PGPROT, VACCINE. 
      N - suppresses the compression utility name after the name of the
      archived file;
/WA - waits after scan is finished if viruses or suspicious objects were found;
/?  - displays help.

If DBWEB32.INI is not present or not used, the default options are:
/AR /FM /HA /ML /PR /SD /TB /TM /UP

Some options can be postfixed with the "-" character. This "negation" form 
disables the respective function or mode. It might be useful if the mode is
enabled by default or via settings in the INI-file.

The negation form can be applied to the following command-line options:
/AR /CU /FN /HA /IC /ML /OK /PF /PR /SD /SO /SP /TB /TM /UP /WA

Note that the negation form of /CU, /IC and /SP cancels all actions enabled
by these options. It means that information about infected and suspicious
objects will appear in the report file only.

/AL, /EX and /FM cannot be used in the negation form. However, any of these
options disables the other two.


RETURN CODES

The values of the return code and corresponding events are as follows:

  0 - OK, no virus found
  1 - known virus detected
  2 - modification of known virus detected
  4 - suspicious object found
  8 - known virus detected in archive
 16 - modification of known virus detected in archive
 32 - suspicious file found in archive
 64 - at least one virus successfully cured
128 - at least one infected or suspicious file deleted/renamed/moved

The actual value returned by the program is equal to the sum of codes for
the events that occured during scanning. Obviously, the sum can be easily
decomposed into separate event codes.

For example, return code 9 = 1 + 8 means that known viruses were detected,
including viruses in archives; curing and others actions were not executed;
no other "virus" events occured during scanning.


LIMITATIONS IN THIS VERSION OF PROGRAM

- Virus check in archives is supported only for ZIP, ARJ and RAR.


======================
Below is Igor Daniloff's PGP public key. Please use it to encode virus
specimens when you wish to e-mail them to us.

Type Bits/KeyID    Date       User ID
pub  1024/1B87196D 1994/05/12 Igor A. Daniloff <ID@DrWeb.Ru>
                              Igor A. Daniloff <id@sald.spb.su>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQCNAi3R1+AAAAEEAMeH97dViOlTOwWjd6iLsRnEvDuNMnfQor+7NtuxV0v7Dgig
Kd4cE8dcSdfINr89mmIcPVCgI+uSDoDdgGK0WAl2pkJUigmJtidMpjFgyPoUTU6T
cqmss4CyDFH9UoM74RUEqSG0cwsnt+rz46yELf+v6kS9QZC3r53C6gEbhxltAAUR
tB5JZ29yIEEuIERhbmlsb2ZmIDxJREBEcldlYi5SdT6JAJUDBRA3P7dHncLqARuH
GW0BAQDTBACeJaSAdFMINa6G4xChVPHKUWy/jqdze94UtBRymBZFdmrtup+3bL6D
IB148AkFjH6zZyQLPCgXr4RqxURtA5H1SsFJR1Iqj2eTjQZOqfgL2IAR3M79qBqD
nhGzeQMOr7gP3hXnb2hQZtZJFgw6IneSHM5gXRVGm7y29yR0y6+RT7QhSWdvciBB
LiBEYW5pbG9mZiA8aWRAc2FsZC5zcGIuc3U+iQCVAwUQL7d6qTCAIMQGDNzxAQFN
jQP7BS+D1P68oNZjqHSGbxqqzrvasK5WjFJBefJ14ALeJbn4X3BcTFqfckYNYG6w
ZqTMWt9aZZKAWOA5rKfPp9LflJzJvZSSwYZz1Su5hJ3G0RM6z7JDVCQyV90yelDq
X1ehBEHAqMV2gvkhE5YKxvoH+uOG+TPq1FzUz4hQB/W4srCJAJUDBRAugG2cOpoV
rn3diFEBAeD3A/9jGJRp5TqD2FBrwkIaJd6SqJVvSbYQnE39th/u4csghFYEYcdS
GqPnVjxl0Sri1N5OqYB2uTRn0d0kqsrD24fuWFbZwvKlcZQO2C6W1zZSmwqAfw2p
jAD+tTvRZDSx2z0+zgRZ/EhDIaH/louf8zcL3UlrW2YPNRODzJW6VUiouIkAlQMF
EC8n2IANOmycNvS2swEBvqYEAJgRxQjfQhJI+iTMMUhWS8whvgitjzDeD+5u2tKz
KwqSa4TaOfgf2000rN2SbqyTg5gDirLsVF8x80PusKFRxedwBzBNLl9ar78HB/x4
lOEO+/obRUH4wT+bH6KfUkDuqVvYsTRZ3mDoLfyJw9pCtkDiFQdCrWcGh+UNr8nJ
oNBx
=VFhp
-----END PGP PUBLIC KEY BLOCK-----

======================
Please send your comments to:

DialogueScience, Inc.
40 Vavilova St., office 103
Moscow, 117786, RUSSIA

Tel.:     +7 (095) 135-6253, 137-0150
Tel./fax: +7 (095) 938-2970, 938-2855

FidoNet: 2:5020/69

E-mail:   Antivir@dials.ru
WWW:      http://www.dials.ru
FTP:      ftp.dials.ru, ftp2.dials.ru, ftp3.dials.ru

The author of Doctor Web is available by

E-mail: Igor.Daniloff@dials.ru , id@drweb.ru
FidoNet: 2:5020/69.14 , 2:5030/87.57
