==================================================================
F-PROT ANTIVIRUS 3.16 for Windows 98/ME/NT/2000/XP RELEASE NOTES
==================================================================

This document describes the changes in the software since F-Prot Antivirus 3.15b.

MAJOR ENHANCEMENTS
------------------

Version 3.16 contains a major overhaul of the virus scanning engine (new engine version 3.16.1). These changes improve its detection of known malware, and of unknown malware by means of heuristics. The engine can now better detect and handle executable packers, which malware authors often use to conceal their malicious code.

This version includes more generic detection of the JPEG GDI+ exploit (Microsoft Security Bulletin MS04-028) than the previous version. It also includes detection of EMF/WMF image format exploits (Microsoft Security Bulletin MS04-032).

The single-user and trial product packages perform an Internet update of the virus signature files during the install process, so the install should be done while on-line. For the multi-user product package, system administrators should be aware that the virus signature files need to be updated after post-install configuration.

The DOS scanner is no longer installed on NT/2000/XP/2003. If version 3.16 is installed as an upgrade, the previous DOS version is removed. The DOS scanner is not suitable for use on the NTFS file system, which has become more common with the increased use of Windows XP. The Command-Line Scanner (fpcmd.exe) should be used instead of the DOS scanner.

The install now always integrates F-Prot Antivirus with Explorer. This can be turned off with the /NOHOOKSHELL option for the setup.

Executables that are encrypted inside ZIP archives are now reported as "could be a suspicious file (encrypted program in archive)"; previously they were reported as "could be a security risk".

Archive handling has been improved and is now more consistent.
Version 3.16 also includes detection of so-called "archive bombs": archives constructed in such a way that a seemingly innocent file expands tremendously, consuming all available memory and CPU on the computer. As part of this change the scanners now only descend into nested archives to a certain number of levels. Of particular note, the Command-Line Scanner (fpcmd.exe) scans to a depth of 5 levels by default. This can be changed with the command-line switch /ARCHIVE=N, where N can be 1 through 99, or 0 for infinite. If the limit is exceeded, the scanner exits with the new exit code 10 (some files were not scanned; in this case because the maximum archive level was reached). The OnDemand Scanner scans an infinite number of levels by default, but this behaviour can be changed with the same command-line switch. The RealTime Protector scans to a depth of one level by default.

Another new exit code, 9, has been added to the OnDemand Scanner and the Command-Line Scanner. It indicates that some files were not scanned, e.g. encrypted files, files using unsupported/unknown compression methods, files in unsupported/unknown formats, or corrupted or invalid files.

Both exit code 9 and exit code 10 indicate that some files were not scanned and therefore cannot be guaranteed to be clean. The difference is that after exit code 10 a setting can be changed (e.g. the maximum allowed archive depth increased) and the scanner might then be able to scan the file, whereas after exit code 9 the scanner is not able to scan the file at all.

A complete list of the exit codes can be found at http://www.f-prot.com/support/windows/fpwin_faq/65.html

MINOR ENHANCEMENTS AND BUGFIXES
-------------------------------

In some cases, scanning files that were compressed with unsupported/unknown compression methods resulted in an IO error. This has now been fixed.
An IO error also sometimes occurred when scanning one part of an archive that had been split into multiple parts. The scanner now reports this as an invalid file.

When scanning Java class files (normally found inside JAR archives), the previous version reported "Not scanned (unknown file format)" for class files in an unsupported/unknown format even with the default scanning options. In version 3.16 this is only reported when the /LIST command-line switch is used.

RAR archive formats 1.5, 2.0 and 2.6 are supported, and format 2.9 is partially supported: only when the archive is not solid and neither the RAR Virtual Machine nor the PPM model is used.

2004-11-17
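To make the archive-depth limit and the difference between exit codes 9 and 10 under MAJOR ENHANCEMENTS concrete, here is an added Python example written for these notes. It is not F-Prot code and does not reproduce the engine: it walks nested ZIP archives to a configurable depth (default 5, 0 = infinite, mirroring /ARCHIVE=N), refuses encrypted, corrupted and unsupported members, and maps the outcome to an exit code the way the notes describe. The thresholds MAX_RATIO and MAX_NESTED_BYTES, the "archive bomb suspected" statuses, the rule that exit code 10 takes precedence over 9, and the member names are assumptions; all sample archives are constructed in memory (mark_encrypted only flips a header flag, nothing is actually encrypted).

```python
import io
import zipfile

# Exit codes as documented for fpcmd.exe. The notes do not say which wins when
# both occur; here 10 wins because it is the one an operator can act on (assumed).
EXIT_CLEAN = 0
EXIT_NOT_SCANNED = 9        # encrypted/unsupported/corrupted: retrying will not help
EXIT_DEPTH_EXCEEDED = 10    # nesting limit hit: re-run with a larger /ARCHIVE=N

DEFAULT_MAX_DEPTH = 5       # fpcmd.exe default; 0 = infinite, like /ARCHIVE=0
MAX_RATIO = 100             # declared expansion ratio treated as a bomb (assumed)
MAX_NESTED_BYTES = 1 << 20  # inflate budget for one nested archive (assumed)


def read_bounded(zf, info, budget):
    """Inflate one member, giving up once more than `budget` bytes come out.
    Header sizes are attacker-controlled, so the cap is on actual output."""
    out = bytearray()
    with zf.open(info) as fh:
        while chunk := fh.read(64 * 1024):
            out += chunk
            if len(out) > budget:
                return None
    return bytes(out)


def scan_zip(data, max_depth=DEFAULT_MAX_DEPTH, depth=1, path="<top>", findings=None):
    """Walk a ZIP and the ZIPs inside it; `depth` is this archive's level
    (1 = outermost). Returns a list of (member path, status) pairs."""
    findings = [] if findings is None else findings
    if max_depth and depth > max_depth:
        findings.append((path, "max archive level reached"))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((path, "invalid file"))
        return findings
    with zf:
        for info in zf.infolist():
            member = f"{path}->{info.filename}"
            if info.flag_bits & 0x1:        # general-purpose flag bit 0 = encrypted
                findings.append((member, "not scanned (encrypted)"))
            elif info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append((member, "archive bomb suspected (declared ratio)"))
            elif not info.filename.lower().endswith(".zip"):
                findings.append((member, "clean"))   # signature engine would run here
            else:
                try:
                    inner = read_bounded(zf, info, MAX_NESTED_BYTES)
                except (NotImplementedError, zipfile.BadZipFile):
                    findings.append((member, "not scanned (unsupported or corrupted)"))
                    continue
                if inner is None:
                    findings.append((member, "archive bomb suspected (inflate budget)"))
                else:
                    scan_zip(inner, max_depth, depth + 1, member, findings)
    return findings


def exit_code(findings):
    """Map findings to the fpcmd.exe-style exit code."""
    statuses = {s for _, s in findings}
    if "max archive level reached" in statuses:
        return EXIT_DEPTH_EXCEEDED
    return EXIT_NOT_SCANNED if statuses - {"clean"} else EXIT_CLEAN


# --- constructed fixtures, not real samples ---------------------------------
def make_zip(entries, compression=zipfile.ZIP_STORED):
    """Build an in-memory ZIP from a {name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def nest(levels):
    """A ZIP nested `levels` deep (level 1 = outermost) around one clean file."""
    data = make_zip({"readme.txt": b"clean"})
    for _ in range(levels - 1):
        data = make_zip({"inner.zip": data})
    return data


def deflate_bomb(size=4 << 20):
    """Highly compressible member whose declared ratio is far above MAX_RATIO."""
    return make_zip({"zeros.bin": b"\0" * size}, zipfile.ZIP_DEFLATED)


def mark_encrypted(one_entry_zip):
    """Set the 'encrypted' flag in the local and central headers of a one-entry
    ZIP. The data is not encrypted; the entry merely looks unopenable."""
    buf = bytearray(one_entry_zip)
    buf[6] |= 1                                    # local header: flags at +6
    eocd = buf.rfind(b"PK\x05\x06")                # end-of-central-directory record
    cd = int.from_bytes(buf[eocd + 16:eocd + 20], "little")
    buf[cd + 8] |= 1                               # central header: flags at +8
    return bytes(buf)


if __name__ == "__main__":
    for label, blob, limit in [("6 levels, /ARCHIVE=5", nest(6), 5),
                               ("6 levels, /ARCHIVE=0", nest(6), 0),
                               ("encrypted exe", mark_encrypted(make_zip({"tool.exe": b"MZ"})), 5),
                               ("deflate bomb", deflate_bomb(), 5)]:
        found = scan_zip(blob, max_depth=limit)
        print(f"{label}: exit {exit_code(found)} {[s for _, s in found]}")
```

Two points worth noting. The declared-ratio test alone is not enough, because the sizes in a ZIP header are written by whoever built the archive; the budget in read_bounded is what actually caps memory when a header lies. And a self-reproducing ZIP (one whose only member is a copy of itself) makes the infinite setting recurse until the process runs out of memory, which is exactly the case a bounded default depth exists for; exit code 10 tells the operator that the limit, not the file, stopped the scan.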