MSAV

Microsoft Anti-Virus (MSAV) is a discontinued antivirus software program designed for the MS-DOS operating system, providing basic scanning and removal of computer viruses on early personal computers.^[1] Introduced in 1993 with the release of MS-DOS 6.0, MSAV was bundled as a standard utility to offer users essential protection against emerging malware threats during the early 1990s.^[2] It originated from technology licensed by Microsoft from Central Point Software, Inc., whose Central Point Anti-Virus (CPAV) formed the core engine of the product.^[3] CPAV itself evolved from Turbo Anti-Virus, developed by Israel's Carmel Software Engineering Ltd. in the late 1980s, and was enhanced for broader DOS compatibility by Central Point starting in 1992.^[3] Key features of MSAV included command-line scanning of local or all drives, automatic cleaning of infected files, and generation of detailed reports in files like MSAV.RPT for tracking detections.^[1] Users could customize scans with switches such as /S for scanning, /C for cleaning, /A to scan all drives except A: and B:, and /N to display help text, making it suitable for both interactive and scripted use in DOS environments.^[1] While effective for its time against known viruses, evaluations in the mid-1990s highlighted limitations in detection rates and support as virus sophistication increased.^[2] MSAV's development ended following Symantec Corporation's acquisition of Central Point Software in 1994, after which the antivirus technology was merged into Norton's product line, and Microsoft shifted focus away from standalone DOS antivirus tools.^[3] It was not recommended for use with Windows 95 or later systems due to compatibility issues, marking the transition toward more integrated security solutions in subsequent Microsoft operating systems.^[1]

Overview

Introduction

Microsoft Anti-Virus (MSAV) is an antivirus software program developed by Microsoft specifically for the MS-DOS operating system, released as an integrated component of MS-DOS 6.0 in 1993.^[4] Designed to address the growing threat of computer viruses in personal computing during the early 1990s, MSAV provided users with tools to scan and protect MS-DOS-based systems against malicious software.^[2] The primary goal of MSAV was to detect and remove known viruses targeting MS-DOS environments, focusing on common threats such as boot sector and file infectors prevalent at the time.^[4] It operates on MS-DOS 6.0 and later versions, utilizing signature-based detection methods to identify infections by comparing files against a database of virus patterns. At launch, MSAV could detect over 150 known viruses, as demonstrated in contemporary independent tests evaluating its performance against sets of 250 samples.^[4] Historically, MSAV represented one of Microsoft's initial ventures into consumer security software, marking a brief period of direct involvement in antivirus protection before the company pivoted toward enterprise-oriented solutions in later decades.^[5] Evolving from technology licensed from Central Point Software, it underscored Microsoft's early recognition of security needs in its core operating system ecosystem.^[4]

Purpose and Functionality

Microsoft Anti-Virus (MSAV) was developed as a manual scanning tool to detect and remove known computer viruses from MS-DOS systems, focusing on protecting user data and maintaining system integrity against prevalent threats of the era. Its core purposes include performing on-demand scans of memory, boot sectors, and disk drives to identify infections, as well as providing basic remediation through automatic cleaning of affected files and sectors. The program employs a "Detect and Clean" strategy, allowing users to either identify viruses for manual review or directly remove them, thereby addressing issues like corrupted executables and boot records.^[6]^[7] A key functionality is file integrity verification, achieved by generating CHKLIST.MS files during scans that store checksums of executable programs in each directory. These checksums enable subsequent scans to detect unauthorized changes to files, flagging potential infections without requiring full re-scans of unchanged data. MSAV targets primarily file infectors, which append malicious code to DOS executables, and boot-sector viruses such as Michelangelo and Stoned, which embed in the master boot record to propagate via floppy disks and disrupt system startup. For remediation, it restores infected boot sectors and removes viral code from files, though success depends on the virus being in its signature database of over 800 known threats.^[6]^[7]^[8] Despite its utility, MSAV has notable limitations inherent to DOS-era antivirus software. The base version provides no real-time monitoring, leaving systems vulnerable between manual scans; this gap was partially addressed by the optional VSafe TSR component of MSAV, a memory-resident program that watches for suspicious file access and boot sector writes. Virus definition updates were entirely manual, obtained by downloading signature files (.DAT or .DEF) from a Microsoft BBS at 503-531-8100 or through physical media like floppy disks, often requiring users to install them via command-line tools—a process prone to delays and user error in an era without internet connectivity.^[6]^[9] Furthermore, as a signature-based scanner, MSAV could not detect unknown or zero-day viruses, limiting its effectiveness to threats already cataloged in its database.^[1] In terms of operational scope, MSAV functions as a standalone executable (MSAV.EXE) invoked via the command line with switches for customized scans, such as /A for all non-floppy drives or /C for cleaning. It integrates into MS-DOS environments by supporting startup automation through AUTOEXEC.BAT and compatibility with memory managers, allowing seamless use alongside other system utilities for routine maintenance.^[6]^[1]

Development and History

Origins and Licensing

In the early 1990s, the increasing prevalence of computer viruses targeting MS-DOS systems motivated Microsoft to incorporate antivirus protection into its operating system offerings, as boot sector viruses spread rapidly through floppy disks and file-sharing practices.^[10] By late 1990, the number of known viruses had grown to nearly 300, heightening concerns among users and prompting software vendors to address these threats more directly.^[10] Microsoft, traditionally focused on core OS development, opted not to build an antivirus solution from scratch but instead pursued external partnerships to integrate proven technology. To enable this entry into the antivirus space, Microsoft licensed scanning engine technology from Central Point Software (CPS) in the early 1990s, adapting it into Microsoft Antivirus (MSAV).^[4] MSAV was essentially a subset of CPS's established Central Point Anti-Virus (CPAV) product, which provided the core detection and removal capabilities.^[4] In turn, CPAV originated from a licensing agreement CPS secured in 1991 with Israel's Carmel Software Engineering Ltd. for their Turbo Anti-Virus utility, a DOS-based scanner that formed the foundational engine.^[11] Development of MSAV involved collaboration between CPS engineers, who handled engine adaptations, and Microsoft teams, who incorporated DOS-specific integration features such as hooks for seamless operation within the MS-DOS environment.^[11] This rebranding and customization occurred ahead of MSAV's inclusion in MS-DOS 6.0.

Release Timeline and Versions

Microsoft Anti-Virus (MSAV) was initially released in March 1993 as part of MS-DOS 6.0, bundled on the installation disks and provided free of charge to users with a licensed copy of the operating system.^[12] The software was included to address growing concerns over boot sector viruses and other DOS-era threats, serving as a basic scanning tool integrated into the OS distribution.^[13] A significant update accompanied the MS-DOS 6.2 release in November 1993, which expanded the virus signature database to enhance detection rates for newly emerging malware.^[14] This version improved upon the initial implementation by incorporating additional patterns derived from ongoing threat research, though it retained the core engine licensed from Central Point Software.^[13] Beginning in 1994, Microsoft offered standalone updates to the MSAV virus signature database through its download services, including the emerging Microsoft Download Center and BBS systems, allowing users to refresh definitions without requiring a full OS upgrade.^[13] These updates were distributed as separate files, such as definition sets, to maintain compatibility with earlier MS-DOS installations.^[3] The final bundled iteration of MSAV appeared with MS-DOS 6.22 in June 1994, supporting the latest DOS version at the time and featuring an expanded signature database that covered a broader range of known viruses. While no major engine overhauls followed, signature updates continued to be available as free downloads until June 1996, reflecting Microsoft's initial foray into antivirus distribution before shifting focus to Windows-based solutions.^[15]^[16]

Technical Features

Core Scanning Engine

The core scanning engine of MSAV relies on signature-based detection to identify known viruses by comparing byte patterns and checksums in files against entries in its virus database, stored in the VDB.DAT file. This approach allows the engine to target executable files and other common infection vectors, such as .COM, .EXE, .SYS, and boot sectors, while using checksum verification to flag alterations indicative of infection. The database, when bundled with MS-DOS 6.0 in 1993, contained signatures for prevalent threats of the era, enabling detection of boot sector viruses like STONED and file infectors through pattern matching.^[17]^[18] Scanning modes in the core engine include full system scans covering all non-floppy drives, selective directory or file scans for targeted areas, and dedicated boot sector checks to inspect the master boot record and DOS boot sector for infections. To optimize efficiency, the engine maintains a CHKLIST.MS file in scanned directories, recording original checksums to quickly identify modified files during subsequent runs without re-examining unchanged ones; this heuristic-like integrity check helps detect minor variants of known viruses by spotting unexpected changes. In a 1994 Virus Bulletin test on a 386/16 MHz system with a 42 MB drive, a full hard drive scan took 3 minutes 37 seconds, demonstrating reasonable performance for on-demand use on 386-era systems.^[19]^[20]^[17] Upon detection, the engine supports automated removal through cleaning options, which restore infected files to their original state where possible or prompt for deletion/renaming; for boot sectors, it attempts repair by overwriting viral code with a clean version from the DOS system files, though this could fail on compressed volumes like DoubleSpace. Infected files are not formally quarantined in a dedicated structure like QUARANT.INI but handled directly via user-confirmed actions during the scan. Virus definitions in VDB.DAT required manual updates via replacement files provided by Microsoft, with free upgrades available periodically to address emerging threats. Command-line options, such as /S for boot sectors and /C for cleaning, allow integration with scripts for automated invocation.^[8]^[19]^[17]

VSafe Real-Time Protection

VSafe serves as the terminate-and-stay-resident (TSR) module within Microsoft Anti-Virus (MSAV), providing proactive, real-time monitoring to detect potential virus activity on MS-DOS systems. As a background program, it intercepts system operations such as file access, boot sector interactions, and executable launches, alerting users to suspicious behavior without performing virus removal itself. This component complements MSAV's scanning engine by focusing on prevention rather than retrospective detection, requiring the main MSAV program for any necessary cleanup actions.^[6] Upon activation, VSafe loads into conventional memory, occupying approximately 44 KB to remain resident and continuously oversee system activity. It monitors key areas including executable file executions for known virus signatures, boot sector accesses on hard drives and floppy disks, and attempts to modify system memory or perform low-level formatting on the hard drive. Users can configure these protections through options such as enabling general write protection (disabled by default), checking executable files (enabled by default), and warning about resident program loads after VSafe initialization (disabled by default). For instance, it blocks or flags unauthorized writes to critical areas like boot sectors, helping to prevent boot sector viruses from establishing footholds during disk operations or program runs.^[6] To invoke VSafe, users execute the VSAFE.COM file at the command prompt or include it in startup files like AUTOEXEC.BAT (e.g., vsafe) for automatic loading on boot. Advanced setup allows loading it high into upper memory blocks using commands like loadhigh vsafe in CONFIG.SYS to optimize conventional memory usage, often with assistance from the MemMaker utility. Alerts are delivered via on-screen messages, such as "Virus Found" or notifications of memory modification attempts, with hotkeys like ALT+V to access options or unload the module temporarily with vsafe /u. These notifications can include prompts for user intervention, ensuring immediate awareness without disrupting normal operations.^[6] Despite its effectiveness against file and boot sector threats common in the MS-DOS era, VSafe has notable limitations inherent to its TSR design and the era's technology. It does not support virus removal, relying entirely on MSAV for that function, and requires periodic updates to MSAV's signature files for accurate detection. Compatibility issues arise with certain software, including conflicts with other TSR programs, network drivers (which may trigger false positives), and applications needing the top of conventional memory; it is also incompatible with Windows environments and must be unloaded before running setup programs. Furthermore, as a DOS-specific tool, VSafe offers no protection against emerging threats like macro viruses in office applications or network-based infections, focusing solely on local file I/O and floppy interactions.^[6]

Command-Line and Integration Options

Microsoft Anti-Virus (MSAV) supports command-line invocation through MSAV.EXE, allowing users to perform virus scans directly from the MS-DOS prompt without launching the graphical interface.^[7] The basic syntax is MSAV [drive:] [/S | /C] [/R] [/A | /L] [/N] [/P] [/F] [/VIDEO], where the optional drive parameter specifies the target drive (defaulting to the current drive if omitted).^[1] The /S switch initiates a scan of the specified drive without removing detected viruses, while /C performs both scanning and automatic removal of viruses.^[21] Additional options include /R to generate a report file named MSAV.RPT in the root directory detailing the number of files scanned and viruses found, /A to scan all drives except A: and B:, and /L to limit scanning to local drives excluding network volumes.^[7] For automated and non-interactive use, MSAV provides switches like /N, which displays the contents of MSAV.TXT (if present) before scanning in command-line mode and returns an exit code of 86 if viruses are detected, enabling error handling in scripts.^[1] The /P switch enforces a command-line interface for the scan process, and /F suppresses the display of scanned filenames when combined with /N or /P, facilitating quieter operation in batch environments.^[21] The /VIDEO switch lists or applies display options, such as screen line counts (/25, /43) or color schemes (/BW for black-and-white), to adapt to different hardware configurations.^[7] MSAV integrates seamlessly with MS-DOS batch files for scheduled or boot-time execution, such as adding MSAV /P /R to AUTOEXEC.BAT to run an automated scan and log results upon system startup.^[22] This allows for programmatic control, including conditional execution based on exit codes to alert users or halt further operations if threats are identified. Compatibility extends to DOS 6.0 and later utilities, enabling MSAV to run alongside tools like DEFRAG without conflicts in standard environments.^[1] Scan results and configuration changes are logged to MSAV.RPT, providing a verifiable record for post-scan review.^[21] Customization of scan behavior, such as default paths and alert thresholds, is managed through the MSAV.INI file in the DOS directory, which stores user modifications made via the program's interface or command-line sessions.^[21] For real-time protection integration, MSAV can be paired with VSafe by invoking both in batch scripts, though detailed VSafe loading is handled separately.^[22] These features make MSAV suitable for scripted antivirus routines in enterprise or automated MS-DOS setups.

Usage and Operation

User Interface Elements

Microsoft Anti-Virus for MS-DOS (MSAV) features a text-based, menu-driven user interface designed for the constraints of DOS environments. Upon launching the program via the MSAV command at the DOS prompt, users are presented with a main menu offering options such as Detect, Detect & Clean, Select New Drive, Options, and Exit, allowing selection of scanning modes and configurations through keyboard input.^[6] Online help is accessible by pressing F1, providing explanations for commands, procedures, and dialog boxes within the interface.^[6] Navigation relies entirely on keyboard controls, with arrow keys used to highlight and select menu options, the Enter key to confirm choices, and the Spacebar to toggle selections in lists such as drive options.^[6] The interface lacks mouse support, aligning with standard DOS text-mode limitations, though command-line alternatives are available for scripted or non-interactive use.^[7] Output during scans is displayed in real-time on the status screen, showing details such as the total number of files scanned, detected infections, and elapsed time, for example, "Total Files 3408 0 0 Scan Time 00:02:48."^[6] Virus alerts appear prominently with the affected file path and prompt users for actions like Clean, Continue, Stop, or Delete, ensuring immediate visibility of threats.^[6] Post-scan summary reports are generated as text files, such as MSAV.RPT, detailing overall results including any viruses found.^[7] The interface supports multiple display modes for compatibility with various hardware, including default color, black-and-white via the /BW switch, monochromatic via /MONO, and LCD-optimized via /LCD, with /IN forcing color output even on non-color adapters.^[7] Screen resolution adapts to the display adapter, supporting 25, 28, 43, 50, or 60 lines for monitors like VGA or EGA.^[7]

Scanning Procedures

To initiate a scan with Microsoft Anti-Virus (MSAV) in MS-DOS 6.2 or later, users boot the system to the command prompt and execute the MSAV.EXE program by typing msav and pressing Enter.^[6] Upon launch, the interface presents a Drives box where users select specific drives for scanning, enabling a custom scan targeted at particular volumes, or opt for a broader full scan by choosing all available local drives.^[22] For automated initiation, MSAV can be added to the AUTOEXEC.BAT file with parameters like /P for a command-line mode or /L to restrict scanning to local drives excluding network ones.^[1] During the scan, MSAV monitors progress through a status screen that displays real-time counts of files checked, infections detected, and items cleaned, allowing users to track the operation's advancement across selected drives.^[6] If a potential virus is identified, the program pauses and prompts the user for input via a "Virus Found" dialog, offering options such as Clean (to remove the threat), Continue (to proceed without action), Stop (to halt the scan), or Delete (to erase the file).^[22] Interruptions can be handled by pressing Ctrl+C to terminate the process gracefully, or in cases of system hangs, by using Ctrl+Alt+Del to reboot and restart the scan.^[6] Upon completion, MSAV interprets results by summarizing totals for checked files, detected infections, and cleaned items on the status screen, providing a clear overview of the system's health.^[22] A log file named MSAV.RPT is generated in the root directory if the /R parameter is specified during invocation, capturing detailed scan outcomes for later review.^[1] Users can manually verify results by examining the status summary and log, cross-checking suspect files against known virus signatures before proceeding with further actions.^[6] Best practices for effective scanning include performing the operation from a clean boot using a startup disk formatted with FORMAT A: /S and containing MSAV files, which bypasses potentially infected CONFIG.SYS and AUTOEXEC.BAT files to ensure a secure environment.^[22] Prior to scanning, users should update the DAT virus signature files by downloading new definitions from Microsoft's Bulletin Board Service (BBS) at (503) 531-8100 or via a provided update coupon, as MSAV supports detection of over 800 viruses but requires current signatures for accuracy.^[6]

Virus Handling and Quarantine

Upon detection of a virus during scanning, MSAV prompts the user with options to delete the infected file, clean it by removing the virus, continue without action, or stop the scan.^[22] MSAV provides dedicated repair tools for recovery efforts. The boot sector repair function cleans the infected area, restoring standard boot operations. For file-based infections, disinfection involves removing viral code and attempting to reconstruct the original executable content, though this may fail if the virus has corrupted the host file beyond repair.^[23] Error handling emphasizes user involvement to reduce false positives, with confirmation prompts required prior to any irreversible actions like deletion. MSAV lacks support for polymorphic viruses, as its signature-based approach cannot adapt to self-mutating code variations.^[23]

Discontinuation and Legacy

End of Support

Microsoft ended support for MS-DOS 6.x, which included the bundled Microsoft Anti-Virus (MSAV), on December 31, 2001. This marked the official phase-out of the legacy DOS platform, with no further phone support, hotfixes, or updates provided thereafter.^[24] The discontinuation aligned with Microsoft's strategic pivot from MS-DOS to the Windows operating system family, particularly the NT kernel-based versions like Windows 2000 and XP, which offered enhanced security architectures and rendered DOS-specific tools obsolete. Additionally, the evolving threat landscape shifted focus from DOS boot sector viruses to more sophisticated Windows-targeted malware, diminishing the relevance of MSAV.^[25] Virus definitions for MSAV were last updated in June 1996, when Symantec released the final patch adding polymorphic virus detection capabilities. By the early 2000s, official downloads of MSAV and related MS-DOS components were phased out from Microsoft's website as part of the broader legacy software cleanup. Users faced significant challenges post-support, including vulnerability to post-Y2K date-related bugs in MS-DOS without patches, and exposure to emerging threats without updates. Users were encouraged to migrate to antivirus solutions compatible with Windows environments.^[25]

Impact on Antivirus Evolution

Microsoft Anti-Virus (MSAV) played a pivotal role in the early evolution of antivirus software by introducing one of the first instances of bundled antivirus protection within a major operating system distribution. Released in 1993 and integrated into MS-DOS 6.0 and subsequent versions, MSAV popularized the concept of including antivirus tools directly in OS packages, making basic virus scanning accessible to a broad user base without requiring separate purchases.^[5] This bundling approach influenced later strategies, such as the incorporation of signature-based detection and periodic update mechanisms, where users could download virus definition files to maintain efficacy against emerging threats like boot sector and file infectors prevalent in the DOS era.^[1] In the 1990s market landscape, MSAV contributed to heightened awareness of DOS viruses among mainstream users, coinciding with the rise of notable threats such as the Jerusalem and Cascade viruses, and it positioned Microsoft as a direct competitor to established players like McAfee and Norton. By leveraging the popularity of Central Point Anti-Virus (CPAV), on which it was based, MSAV helped CPAV/Norton dominate the U.S. antivirus market, driving competition that emphasized detection rates and ease of integration with DOS environments.^[26] Initial independent tests praised its effectiveness, but later evaluations revealed declining performance, particularly against polymorphic viruses, underscoring the limitations of early signature-only models.^[5] MSAV's legacy extended to shaping Microsoft's long-term security strategy, laying groundwork for successors like Microsoft Security Essentials in 2009 and the evolution into Windows Defender, which adopted and refined real-time protection concepts first explored in MSAV's VSafe component. Its discontinuation highlighted the need for more versatile, multi-platform solutions capable of addressing GUI-based systems and diverse malware types beyond DOS. Today, MSAV is preserved in archives for retro computing emulation, serving as a historical benchmark for understanding the transition from command-line scanners to integrated, always-on defenses.