==================================================================
F-PROT ANTIVIRUS 3.16f for Windows 98/ME/NT/2000/XP
RELEASE NOTES
==================================================================

This document describes the changes in the software since F-Prot Antivirus 3.15b.

MAJOR ENHANCEMENTS
------------------

3.16f:
Fixed an endless loop encountered in a corrupted WMF sample.

3.16e:
Version 3.16e scans Windows Metafile images (WMF) to detect exploits that use the CVE-2005-4560 vulnerability in WMF.

3.16d:
Version 3.16d will now try to scan zip files which falsely claim to use 64-bit compression methods. 64-bit compression is not supported, but the scanner will now try to scan those files using 32-bit methods. There is improved handling of some types of corrupt files, which were previously skipped with an I/O error.

3.16c:
Version 3.16c contains a fix for a bug in the RealTime Protector that in some cases might have caused a crash during or shortly after a virus signature update. In addition there are a few enhancements to the Updater that are related to that fix.

3.16b:
This new version 3.16b contains a number of bug fixes. Deletion of UPX-packed mass-mailing worms has been fixed. Blocking of certain non-executable EML files has been fixed. A memory corruption that was causing crashes has been fixed. GZIP files that were incorrectly reported as possible archive bombs are now handled correctly. When installing on 64-bit platforms, all components except the RealTime Protector are now installed. Windows XP Professional x64 Edition and Windows Server 2003 x64 Edition, which are now in beta, will be fully supported in later releases. Improvements have been made to the Updater to further verify the authenticity of new virus signature files and to make sure they are not corrupt after they are installed.

3.16a:
This new version 3.16a is released to fix a critical bug in the "archive bomb" detection and handling that surfaced in version 3.16.

3.16:
Version 3.16 contains a major overhaul of the virus scanning engine (new engine version 3.16.1). These changes improve its detection capabilities of known malware as well as unknown malware by means of heuristics. The engine can now better detect and handle executable packers that are often used by malware authors to conceal their malicious code.

This version includes a more generic JPEG GDI+ exploit detection (Microsoft Security Bulletin MS04-028) than the previous version. It also includes EMF/WMF image format exploit detection (Microsoft Security Bulletin MS04-032).

The single-user and trial product packages perform an Internet update of the virus signature files during the install process. It is therefore important to do the install while on-line. For the multi-user product package, system administrators should be aware of the need to update the virus signature files after post-install configuration.

The DOS scanner is now no longer installed on NT/2000/XP/2003. If version 3.16 is installed as an upgrade then the previous DOS version is removed. The DOS scanner is not suitable for use on the NTFS file system, now more popular as the result of increased use of Windows XP. The Command-Line Scanner (fpcmd.exe) should be used instead of the DOS scanner.

The install now always integrates F-Prot Antivirus with Explorer. This can be turned off by using the /NOHOOKSHELL option for the setup.

All executables that are encrypted in ZIP archives are now reported as "could be a suspicious file (encrypted program in archive)"; they were previously reported as "could be a security risk".

Archive handling has been improved and is now more consistent. Version 3.16 also includes detection against so-called "archive bombs", archives that are constructed in such a way that a seemingly innocent file will expand tremendously, consuming all available memory and CPU on the computer. As part of this change, the scanners now only scan to a certain number of nesting levels.

Of particular note is that the Command-Line Scanner (fpcmd.exe) only scans by default to a depth of 5 levels. This can be changed by using the command-line switch /ARCHIVE=N, where N can be 1 through 99, or 0 for infinite. If the limit is exceeded then it will exit with a new exit code 10 (some files were not scanned; in this case because the maximum archive level was reached). The OnDemand Scanner scans an infinite number of levels by default, but this behaviour can be changed using the same command-line switch. The RealTime Protector scans to a depth of one level by default.

Another new exit code has been added to the OnDemand Scanner and the Command-Line Scanner, exit code 9. This exit code indicates that some files were not scanned, e.g., encrypted files, files using unsupported/unknown compression methods, files in unsupported/unknown file formats, or corrupted or invalid files.

Both exit code 9 and exit code 10 indicate that some files were not scanned and, therefore, they cannot be guaranteed to be clean. The difference between them is that if exit code 10 occurs then some settings can be changed (e.g., increase the maximum allowed archive depth) and the scanner might be able to scan the file. If, however, exit code 9 occurs then the scanner is not able to scan the file regardless of settings.

A complete list of the exit codes can be found at http://www.f-prot.com/support/windows/fpwin_faq/65.html

MINOR ENHANCEMENTS AND BUGFIXES
-------------------------------

In some cases scanning files that were compressed using unsupported/unknown compression methods resulted in an I/O error. This has now been fixed. An I/O error sometimes also occurred when scanning one part of an archive that had been split into multiple parts. The scanner now reports this as an invalid file.

When scanning Java class files (normally found inside JAR archives), the previous version reported "Not scanned (unknown file format)" when scanning an unsupported/unknown format class file with default scanning options.
In version 3.16 this is only reported when the /LIST command-line switch is used.

RAR archive formats 1.5, 2.0 and 2.6 are supported, and format 2.9 is partially supported. Format 2.9 is only supported when the archive is not solid and when the RAR Virtual Machine and the PPM model are not used.

2006-01-06
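The exit-code handling described under version 3.16 above, as an added example that is not part of the original release notes: a Python wrapper that re-runs fpcmd.exe with a deeper /ARCHIVE=N limit whenever it returns exit code 10 and marks exit code 9 as unverifiable. It assumes fpcmd.exe is on PATH; only exit codes 9 and 10 are taken from the notes, and every other code is passed through as a conclusive result without interpreting it.

```python
import subprocess

# Exit codes documented in the 3.16 release notes.
EXIT_NOT_SCANNED_UNSUPPORTED = 9     # encrypted, unknown format/compression, corrupt
EXIT_NOT_SCANNED_ARCHIVE_DEPTH = 10  # maximum archive nesting level was reached

# Verdicts returned by scan_with_retry().
CONCLUSIVE = "conclusive"
INCONCLUSIVE_DEPTH = "inconclusive: archive depth limit still exceeded"
INCONCLUSIVE_CONTENT = "inconclusive: unsupported, encrypted or corrupt content"


def run_fpcmd(path, archive_depth):
    """Run fpcmd.exe on `path` with /ARCHIVE=N and return its exit code.
    Assumes fpcmd.exe is on PATH (an assumption, not stated in the notes)."""
    proc = subprocess.run(["fpcmd.exe", f"/ARCHIVE={archive_depth}", path])
    return proc.returncode


def scan_with_retry(path, depths=(5, 20, 99), runner=run_fpcmd):
    """Scan `path`, re-running with a deeper /ARCHIVE limit each time the
    scanner returns exit code 10.  The default ladder starts at the fpcmd.exe
    default of 5 and stops at 99 rather than 0 (infinite), so the nesting cap
    that 3.16 introduced against archive bombs stays in force.
    Returns (verdict, final_exit_code, depth_used)."""
    code = depth = None
    for depth in depths:
        code = runner(path, depth)
        if code != EXIT_NOT_SCANNED_ARCHIVE_DEPTH:
            break  # conclusive, or a condition that retrying cannot fix
    if code == EXIT_NOT_SCANNED_ARCHIVE_DEPTH:
        return (INCONCLUSIVE_DEPTH, code, depth)
    if code == EXIT_NOT_SCANNED_UNSUPPORTED:
        # Exit code 9: no setting change will let the scanner read the file,
        # so treat it as unverified rather than clean.
        return (INCONCLUSIVE_CONTENT, code, depth)
    return (CONCLUSIVE, code, depth)


if __name__ == "__main__":
    import sys
    verdict, code, depth = scan_with_retry(sys.argv[1])
    print(f"{verdict} (fpcmd exit code {code}, /ARCHIVE={depth})")
```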