                   Frequently Asked Questions about F/WIN
                   ======================================


I ALREADY HAVE A VIRUS SCANNER.  WHY USE F/WIN?

     a.   F/WIN uses heuristic detection for macro viruses that
          infect Microsoft Word documents.  That means it can
          find known and UNKNOWN macro viruses and trojans, as
          well as deliberate acts of sabotage in Word macros.

     b.   F/WIN can remove known and unknown macro viruses. A lot
          of the regular antivirus programs can only detect macro
          viruses and of course they only can remove KNOWN
          viruses.

     c.   F/WIN is a passive scanner.  That means you don't have
          to use Word templates to defend yourself against macro
          viruses.  These templates are no real safe protection,
          and of course, you will need Winword for using them.
          F/WIN is a DOS based virus scanner and doesn't stay
          resident in memory.

     d.   F/WIN can detect and remove the only known PE-EXE
          (Windows 95 viruses).

     e.   F/WIN can detect known and unknown viruses that infect
          Windows EXE files which use the <Winsurfer> or <Ph33r>
          infection scheme.

     f.   F/WIN is inexpensive, especially when considering the
          protection that it provides.

     g.   F/WIN offers two method of cleaning.  'Clean' and
          'Wipe'.  The macros that make up the virus are stored
          inside a Word template in a couple of ways.  First,
          there are pointers near the beginning of the file that
          tells Word where to find the macros.  Then there are
          the actual macro's themselves.  The 'CLEAN' function
          overwrites both areas, leaving no trace whatsoever of
          the virus.  The 'WIPE' function overwrites only the
          pointers.  Use WIPE when F/WIN tells you that it can't
          remove the virus using the CLEAN function.

          The advantage to WIPE is that it almost always works.
          It is very rare when F/WIN can't clean a file using
          WIPE.  The disadvantage is that since it leaves behind
          the macros themselves, other anti-virus scanners may
          flag the files as still being infected.  If this
          happens, there are two solutions.

          1.   Scan the files again with F/WIN.  F/WIN will
               produce a message saying that the macros have been
               disabled.  This means that while F/WIN still finds
               them too, it also tells you that they're harmless.

          2.   The next time you save the files in Word, Word
               will not keep the 'dead' macros.  Other virus
               scanners will no longer get false alarms on them.

     h.   Some other scanners use a process similar to F/WIN's
          WIPE.  They only overwrite the pointers, not the macro
          bodies.  F/WIN should tell you that the macros have
          been disabled.  Therefore, F/WIN should not false alarm
          on these files like many other scanners will.



SHOULD I REPLACE MY EXISTING SCANNER WITH F/WIN?

     No.  F/WIN is a specialized scanner that is intended to
     supplement the one you currently have. By now, there are
     more than 9000 known viruses for DOS, but only about
     40 Windows specific Macro and EXE viruses.  You will need
     a normal DOS antivirus program, of course.  However, it's
     likely that the number of Windows viruses will increase
     in the future.



DOES F/WIN DETECT MACRO VIRUSES IN OTHER SOFTWARE LIKE AMIPRO,
WORD PERFECT, ETC.?

     At this time it does not.  That is a feature we hope to add
     to it at a future date.  So far, F/WIN only detects macro
     viruses in Microsoft Word 6.0 and 7.0 documents.  The only
     known non-Winword macro virus AmiPro.Green_Stripe isn't
     reported in the wild.  Starting with the 3.12 release, F/WIN
     can also detect and remove Word 6.0 and 7.0 viruses/trojans
     that are imbedded inside Microsoft Excel spreadsheets.



HOW OFTEN WILL F/WIN BE UPDATED?

     Because of it's heuristic nature, F/WIN doesn't need regular
     updates like normal virus scanners.  Normally, updates will
     be released to provide bug fixes or add new features, and
     will appear at least every two months.  Of course customers
     will be provided with a new version if they detect a virus
     which F/WIN missed.



HOW WILL I RECEIVE UPDATES?

     Because the FWIN.KEY is valid for every new version, you
     just need to download the shareware version from your local
     BBS or FTP/WWW site and replace the FWIN.EXE file!  The
     latest shareware version of F/WIN is available at:

     http://www.gen.com/fwin
     http://www.valleynet.com/~joe
     http://www.cyberbox.north.de (German site)

     The program is released as a ZIP archive and will have a
     file name like FWIN312E.ZIP (English version) and
     FWIN312G.ZIP (German version).



HOW SAFE IS F/WIN?  CAN IT DESTROY MY DOCUMENTS?

     The cleaning process has proven to be safe in our tests.
     But if for some reason it would damage your document, it
     makes a backup of it before attempting to remove the virus.

     The backup allows you to try a different method for cleaning
     or to recover the file if the cleaning process failed.
     Because F/WIN can't decode OLE2 objects like Microsoft Word
     documents with 100% accuracy, it's possible that it could
     destroy infected documents sometimes. If you encounter
     problems cleaning macro viruses, you could send us the files
     and we will clean them manually.  Also, F/WIN has two
     options to clean documents.  Both remove the virus reliably,
     but the second approach (Wipe macro names) makes fewer
     modifications to the document, and will work most likely in
     every case.  There should never be a situation in which
     F/WIN causes you to lose your document during the cleaning
     process.  It should always be recoverable through the
     backup.  To recap, here's what we suggest to do:

     1.  Disinfect with the CLEAN option first.
     2.  Check the backup directory you specified with the /MOVE=
         parameter.  There should be a sub-directory called
         /DAMAGE under it.  If there are any files there, scan
         them TWICE with F/WIN using the WIPE feature.
     3.  Check the backup directory you specified with the /MOVE=
         parameter again (specify a different directory name than
         the first time).  Look again in the /DAMAGE
         sub-directory.  If there are any files there (most times
         there won't be), send them to us if you like to have the
         virus manually removed.



HOW QUICKLY WILL I GET A REPLY TO QUESTIONS?

     As we both aren't full-time virus researchers, we can't
     always respond at once.  We will check our accounts at
     least one time a day, so you will get answers within one or
     two days. We will do our best to get to you as quickly as
     possible.  If you are e-mailing us about a current virus
     emergency, please put "VIRUS EMERGENCY" in the SUBJECT line
     of your e-mail message.  Those messages will be given first
     priority.


WHY SHOULD I CHOOSE F/WIN OVER OTHER AV PRODUCTS TO PROTECT
AGAINST WORD MACRO VIRUSES?

     F/WIN was designed from the beginning by its author (Stefan
     Kurtzhals) to be able to detect and remove known and unknown
     viruses and trojans, while at the same time allowing Word
     users to go on using WordBasic macros they wanted to use.
     While most Word users don't use WordBasic macros, many do.
     And those that do, often find these macros to be real
     time-savers because they automate repetitive, tedious
     processes that would normally have to be done manually.

     F/WIN Anti-virus has built into it profiles of how viruses
     and trojans "behave".  If it finds macros that fit the
     pattern, it warns the user so that they can choose whether
     or not to remove the macros.  These build-in behavior
     profiles offer several advantages to F/WIN users:

     1.   Users can go on using most, if not all of the macros
          they currently use without having to deal with endless
          false alarms.  If a product produces too many false
          alarms, users will simply quit using it and leave
          themselves with little or no defenses.

     2.   F/WIN distinguishes between a trojan and a virus.  This
          can be important for a user to know for damage
          assessment purposes, because viruses spread themselves
          to other files.  Trojans don't.

     3.   F/WIN doesn't just say it's found potentially dangerous
          macros like some products do.  It goes a step further
          and tells the user exactly what suspicious behavior it
          has found.  Users can then look up each warning message
          F/WIN produced in the FWIN.TXT file and get a more
          in-depth explanation of what the message means.  This
          allows users to make more intelligent decisions about
          whether or not to delete the macros, or whether to
          investigate them further.  It also may help to explain
          damage that may already have been done by the virus or
          trojan.

     4.   F/WIN has 3 levels of detection.  Each lower level
          offers a more thorough search than the level above it.
          This allows users to have more control about how
          sensitive F/WIN is in it's detection of viruses and
          trojans.


F/WIN IS A DOS PROGRAM.  WILL IT HANDLE THE LONG FILE NAMES
WINDOWS 95 USES?

     Yes it will.  We have tested F/WIN in the following
     environments:

     PC DOS
     MS DOS
     Windows 3.x
     Windows 95 (DOS 7.0)
     OS/2 Warp (from a DOS window)

     There is an advantage to using a DOS version in Windows 95
     and Windows 3.x.  If a virus or trojan deletes or damages
     critical files that Windows 3.x or Windows 95 uses, you
     can't get into those environments to run your virus scanner.
     In the case of either Widows 3.x or Windows 95, you could
     boot from a floppy (or not), and still be able to run F/WIN
     to find the culprit.  Most anti-virus programs offer a DOS
     versions for situation like this, but there are some that
     don't.  Remember, if a virus manages to infect your system,
     Windows will most likely not start up and you can't use your
     Windows based antivirus program.  It is strongly recommended
     to boot from a DOS boot disk before trying to remove a
     virus.


I DON'T HAVE A VIRUS COLLECTION I CAN TEST F/WIN AGAINST.  IS
THERE SOME WAY I CAN SEE ACTUAL FULL-COLOR SCREEN PRINTS OF F/WIN
FINDING REAL VIRUSES?

     Because the typical person trying out F/WIN doesn't happen
     to have a Word macro virus/trojan collection at his/her
     disposal, we've added something new to our web page that
     will allow you to see what kinds of messages F/WIN produces
     for some of the viruses and trojans that have been discussed
     on various virus forums.  What we've done is to create a
     file called FWINSCRN.ZIP that can be downloaded from our web
     site.  It contains screen prints of F/WIN actually finding
     real viruses and trojans.  You can then download a shareware
     copy of F/WIN, and look up the warning messages in the
     FWIN.TXT file for yourself.  All the screen prints are in
     .GIF format.  A text file is also included to explain what's
     on each screen.


