
                 Dr.Web(R) Antivirus for DOS/386

                         Version 4.44


This program is a representative of the 32-bit family of the antivirus program
Dr.Web. This family includes programs for Windows 95/98/Me/NT/2000/XP/Vista,
DOS/386, OS/2, Novell NetWare, as well as Linux, FreeBSD, and other Unix-like
systems.


INSTALLATION NOTES

There is no install shield in this distribution package of Dr.Web for DOS/386
(or briefly, DrWeb386). To install the program, create a directory, say,
DRWEB, and unzip distribution archive into it. Then run DRWEB386.EXE.

Note that all Dr.Web programs are installed in the same directory. The
distribution packages of all family members include two common files,
DRWEB32.DLL (Dr.Web's engine) and DRWEBASE.VDB (main virus database).
All new virus base adds-on should also be placed in the same directory.

The configuration file DRWEB32.INI is also common to all family members and
can be placed in the same directory (for instance, DRWEB). However, each
product uses its own section in the INI-file.

Additionally, the Dr.Web distribution package may include language resource
files named <lan>-DRWEB.DWL (for instance, RU-DRWEB.DWL, DE-DRWEB.DWL, etc.)
that contain program messages written in the respective language. The language
resource files are common to all programs of the Dr.Web family. Language
can be changed by the /LNG command line option.


LICENSE KEY FILE

User's rights to use the antivirus are specified in the key file. The
following information is contained in the key file:
- list of antivirus components licensed to the user;
- license period for the product;
- virus definitions updates period (also called "subscription period"
  and may not be equal to the license period);
- other restrictions (e.i. the number of protected PCs etc.).

The key file has the key extension and must be located by default in the
installation directory.

ATTENTION! The key file has a write-protected format and therefore can
not be edited. Editing such file makes it invalid. This is why it is
not recommended to open your key file with a text editor which may
occasionally corrupt it.

Users who have purchased the antivirus from Dr.Web's certified
partners obtain a license key file. The parameters of the key file are
specified according to the license the user has paid for. The license
key file contains the name of the user (or a company name) and the name
of the selling company.

For evaluation purposes users may also obtain demo key files. Demo key
files allow to use the full functionality of the program and virus
definitions updates but have a limited term of use and do not imply
a user support.

A key file may be supplied with a key extension or as a zip archive
containing the key file.

The key file may be obtained by one of the following ways:
- Supplied as zip archive containing a file with key extension. Usually
  it emailed after user registration at the vendor's web site (see below). 
  The user should extract the key file using the respective archiving tool
  (WinZip or Pkunzip) into the Dr.Web installation directory.
- Included into the distribution package.
- Supplied on a media as file with key extension. The user should copy it
  into the Dr.Web installation directory manually.

The license key file is usually emailed to users once they complete
the registration procedure at the vendor's web site (the exact page
location is indicated in the registration card accompanying the product).
Visit the indicated web site, fill in the form and enter the registration
serial number into the appropriate field (you can find the serial number
in the registration card). The key file will be sent to the address
indicated by you.


COMMAND LINE OPTIONS

To start Dr.Web, use the following command line:

        <program> [disk:][path] [options]

where
program - executable module name (DrWeb386),
disk:   - logical drive of a hard disk, floppy drive, network drive, CD-ROM,
          or * (all local logical drives);
path    - location of files to be checked; it may contain path to the
          directory on local/network drive (or network directory) and,
          optionally, filename (or filename mask).

The command line may contain several [disk:][path] parameters delimited with
blanks. In this case, the program will sequentially scan the specified objects.

Command line options (delimited with blanks)

/@[+]<file> - check objects listed in <file>.
      Each object must be identified on a separate line containing
      a full pathname (to check file) or the "?boot" keyword (to check
      boot sectors). The list file can be created with any text editor.
      When scan is completed, Dr.Web deletes the list file, unless
      "+" is included in the option;
/ADW[I|D|M|R] - determine the actions for detected adware: I - ignore;
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#");
/AL - scan all files on a given drive or directory;
/AR[D|M|R][N] - check all files inside archives (ARJ, CAB, GZIP, LZH, RAR,
      TAR, ZIP...). Use the optional parameters to specify how archives with
      infected (or suspicious) objects should be treated as a whole:
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#"); the N option suppresses the archive type after the name of the
      archive file;
/CN[D|M|R][N] - determine how containers (HTML, RTF, PowerPoint,..) with
      infected (or suspicious) objects should be treated as a whole:
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#"); the N option suppresses the container type after the name of the
      container file;
/CU[D|M|R] - cure infected objects and delete incurable files. Or use the
      optional parameters to specify how infected filed should be treated:
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#");
/DA - run Dr.Web only once in a day. For this option, the configuration file,
      (INI-file) containing the date of the next scanning session must be
      present;
/DLS[I|D|M|R] - determine the actions for detected dialers: I - ignore;
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#");
/EX - scan files that have extensions associated with executable modules
      and MS Office documents (COM, EXE, SYS, BAT, CMD, DRV, BIN, DLL, OV?,
      BOO, PRG, VXD, 386, SCR, FON, DO?, XL?, WIZ, RTF, CL*, HT*, VBS, JS*,
      INF, A??, ZIP, R??, PP?, HLP, OBJ, LIB, MD?, INI, MBR, IMG, CSC, CPL,
      MBP, SH,  SHB, SHS, SHT*,MSG, CHM, XML, PRC, ASP, LSP, MSO, OBD, THE*,
      EML, NWS, TBB);
/GO - run without asking you what to do next (in such situations as not
      enough disk space for unpack operation, invalid parameters in the
      command line, Dr.Web infected by unknown virus, etc.). This option
      might be useful, say, for automatic check of incoming e-mail;
/HA - enable the heuristic analyzer that can detect unknown viruses;
/HCK[I|D|M|R] - determine the actions for detected hack tools: I - ignore;
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#");
/IC[D|M|R] - determine how to treat incurable files: D - delete, M - move
      (by default, to the INFECTED.!!! directory), R - rename (by default,
      the extension's first character is changed to "#");
/INI:<path> - use an alternative configuration file (INI-file);
/JOK[I|D|M|R] - determine the actions for detected joke programs: I - ignore;
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#");
/LNG[:<path>] - use an alternative language file (DWL-file), or built-in
      (english) language;
/ML[D|M|R][N] - check files of mail format (UUENCODE, XXENCODE, BINHEX,
      MIME,...). Use the optional parameters to specify how mail files with
      infected (or suspicious) objects should be treated as a whole:
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#"); the N option suppresses the mail type after the name of the mail
      file;
/MW[I|D|M|R] - determine the actions for all types of malware programs (i.e.
      adware, dialers, hack tools, jokes, riskware): I - ignore; D - delete,
      M - move (by default, to the INFECTED.!!! directory), R - rename (by
      default, the extension's first character is changed to "#");
/NI - ignore the settings in the configuration file (DRWEB32.INI);
/NM - skip memory test;
/NS - run non-stop (no interruption by pressing ESC);
/OK - write a full list of scanned objects and display "OK" next to clean
      objects;
/PF - display the "Scan another diskette?" prompt after checking a floppy
      disk;
/PR - prompt to confirm an action on an infected or suspicious file;
/RP[+]<file> - write the scan results to a file (by default,
      <program>.LOG), <file> is the full pathname of a report file. If the
      plus sign is included, the recent report will be appended to the
      report file; otherwise the report file will be overwritten;
/RSK[I|D|M|R] - determine the actions for detected riskware: I - ignore;
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#");
/SCP:<n> - specify the priority of the scanning process over other processes
      in the system (n - number from 1 to 50; default value is 25);
/SD - scan subdirectories;
/SO - play sounds;
/SP[D|M|R] - determine how to treat suspicious files: D - delete, M - move
      (by default, to the INFECTED.!!! directory), R - rename (by default,
      the extension's first character is changed to "#");
/SS - save current settings when the program terminates;
/TB - scan boot sectors and master boot record;
/TM - scan memory for viruses (including Windows system memory);
/TS - scan startup files;
/UPN - disable the output of names of file packers used for packing the
      scanned executable files to the log file;
/WA - wait after scan is finished if viruses or suspicious objects were found;
/?  - display help.

If DBWEB32.INI is not present or not used, the default options are:
/AL /AR /HA /ML /PR /SD /TB /TM /TS

Some options can be postfixed with the "-" character. This "negation" form 
disables the respective function or mode. It might be useful if the mode is
enabled by default or via settings in the INI-file.

The negation form can be applied to the following command-line options:
/ADW /AR /CU /DLS /FN /HCK /JOK /HA /IC /ML /MW /OK /PF /PR /RSK /SD /SO /SP
/TB /TM /TS /UP /WA

Note that the negation form of /CU, /IC and /SP cancels all actions enabled
by these options. It means that information about infected and suspicious
objects will appear in the report file only.

/AL, /EX and /FM cannot be used in the negation form. However, any of these
options disables the other two.


RETURN CODES

The values of the return code and corresponding events are as follows:

  0 - OK, no virus found
  1 - known virus detected
  2 - modification of known virus detected
  4 - suspicious object found
  8 - known virus detected in archive (container, mail file)
 16 - modification of known virus detected in archive (container, mail file)
 32 - suspicious file found in archive (container, mail file)
 64 - at least one infected object successfully cured
128 - at least one infected or suspicious file deleted/renamed/moved

The actual value returned by the program is equal to the sum of codes for
the events that occured during scanning. Obviously, the sum can be easily
decomposed into separate event codes.

For example, return code 9 = 1 + 8 means that known viruses were detected,
including viruses in archives; curing and others actions were not executed;
no other "virus" events occured during scanning.


======================

Copyright (C) Doctor Web, Ltd.
Russia, Moscow - Saint Petersburg

WWW: http://www.drweb.com
E-mail: welcome@drweb.com
        newvirus@drweb.com (to send new viruses)
