Softpanorama
May the source be with you, but remember the KISS principle ;-)
To run F-macro, two files need to be present in a directory that is available via PATH: F-MACRO.EXE and the signature file MACRO.DEF.
I generally prefer command-line tools, and thus F-macro is a very useful tool for me despite all its shortcomings. I can say that GUI-based versions are often as bad as F-macro and much more clumsy to use ;-)
Let me stress it again. Success with F-macro depends very much on whether you have the latest version. So if you have a macro virus problem, please download and use the latest version of F-macro. Never use an old version, because for new viruses it could produce strange or incorrect diagnostic messages or even corrupt files during disinfection. Again, please use the latest version available from ftp://ftp.datafellows.com/f-prot/tools/.
First download the ZIP archive FMAC<.ZIP, for example: FMAC208.ZIP.
Then copy it to the temporary directory (C:\TEMP) and unzip the file with PKUNZIP or a similar utility, for example:
PKUNZIP FMAC308.ZIP
After that, copy the files MACRO.EXE and MACRO.DEF to the C:\UTILS\FPROT directory if you have a local version of the AV package installed, or ask your LAN support person to copy these files to the Y:\DOS\UTILS\FPROT directory. In this case the new version will be available to all users and all batch files, for example FMACRO.BAT (see below).
As of late 1998 F-macro is still a better detection tool for macro viruses than F-prot.exe. F-prot reports a lot of so-called false positives.
False positives are files that the AV program considers to be infected, but that in reality are not. Usually they just contain the search string, so if the signature for the macro virus is pretty primitive, the AV "believes" that it has found a virus, but in reality this is an error in its recognition engine.
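The false-positive mechanism described above, as an added illustration (this is not F-prot's or F-macro's code, and the signature and sample files are constructed placeholders). It compares a primitive string search with a check that first asks whether the file is a binary Word (OLE2) container at all.

```python
# Header bytes of an OLE2 compound file, the container of binary Word documents.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
RTF_MAGIC = b"{\\rtf"
# Constructed placeholder, not taken from any real virus or from MACRO.DEF.
SIGNATURE = b"EXAMPLE_MACRO_SIGNATURE"

def naive_scan(data: bytes) -> bool:
    """Primitive engine: any file containing the search string is 'infected'."""
    return SIGNATURE in data

def container_kind(data: bytes) -> str:
    """Classify by leading bytes, not by file extension."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "other"

def triage(data: bytes) -> str:
    """Return 'clean', 'false positive' or 'suspicious' for one file's bytes."""
    if not naive_scan(data):
        return "clean"
    # Plain text and RTF do not carry Word macros, so a string hit there
    # only means that the file mentions the search string.
    if container_kind(data) != "ole2":
        return "false positive"
    # Still only a candidate: a Word document whose body text quotes the
    # string lands here too, which is why a scanner has to parse the macros.
    return "suspicious"

# Constructed sample inputs.
SAMPLES = {
    "REPORT.DOC": OLE2_MAGIC + b"\x00" * 32 + SIGNATURE + b"\x00" * 8,
    "ADVISORY.TXT": b"The scanner looks for " + SIGNATURE + b" in documents.",
    "CLEANED.RTF": b"{\\rtf1\\ansi Notes on " + SIGNATURE + b"}",
    "MEMO.DOC": OLE2_MAGIC + b"\x00" * 32 + b"quarterly figures",
}

def scan_all(samples=SAMPLES):
    """Map each sample name to its triage verdict."""
    return {name: triage(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:14} naive={naive_scan(SAMPLES[name])!s:5} triage={verdict}")
```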
F-macro is a rather simple macro scanner/disinfector that is able to detect and in most cases correctly disinfect macro viruses. Its disinfection capabilities are not impressive but adequate. For example, if a virus is slightly modified, it will refuse to disinfect it automatically. In cases where F-macro has problems, one can often delete the virus macros directly in MS Word (this is actually the safest method of dealing with a macro virus that has visible macros) or convert the document into RTF and back for disinfection. The current version does not provide options for deleting one or several macros with given names, so to a certain extent it is a weaker disinfection tool than the MS Word Tools/Macro Delete button ;-)
F-macro is useful for disinfection of macro viruses on the whole hard drive; it is quicker than scanning with MS Word and is more or less reliable (earlier versions sometimes were not able to scan the whole hard drive, aborting with code 4000, but such cases are now quite rare).
There are some problems with wildcards in F-macro, and the current version works incorrectly if you try to specify a pattern like *.RTF on the command line.
Again, old versions of F-macro could corrupt documents when disinfecting a document infected with a new macro virus.
F-MACRO c:\ /DISINF /AUTO
You can also type this command from the DOS prompt. FMACRO.BAT will call the F-macro utility, which will then scan the user's hard drive and disinfect all infected documents.
Fmacro <name of the directory or file>
For example:
fmacro C:
Attention: if the user is using MS Word 6.0, then after F-macro disinfects the files the user needs to install the SCANPROT macro package (see below) and protect the NORMAL.DOT template with the READ_ONLY attribute.
If a macro virus is only detected and cannot be disinfected with the available version of F-macro, it is still possible to remove the macros by using the option /REMOVEALL (see below).
The option /REMOVEALL makes it possible to remove even unknown macro viruses, but basically it is equivalent to conversion to RTF, so the latter is much safer and is the way to go if the document does not contain pictures.
Y:\DOS\UTILS\FPROT\F-MACRO /REMOVEALL
That will remove all macros from the document, so you had better back up the original copy of the file before disinfection.
Sometimes one needs to protect files in subdirectories from having their macros removed. In such cases one can use the command
F-MACRO . /REMOVEALL /NOSUB /BACKUP
In this case F-macro will remove macros from all files in the current directory only (without subdirectories).
It should be stressed that the option /REMOVEALL will remove all macros, not only virus macros. Usually this should not be a problem, as most MS Word documents do not normally contain any macros. But if it is, you can always restore the original (infected) document from the backup (a file with the same name as the original, but with the extension .BAK).
If a virus was found and disinfected on one drive, for example the C: drive, one needs to check all other drives that contain documents; for example, if you use a network drive and it is mapped as Z, then you need to check the Z: drive.
Important: if the user backs up documents on removable media (floppy, ZIP disks, etc.), he/she needs to scan all those disks as well in order to eliminate the possibility of reinfection from stored documents.
Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: February 28, 2008