User's Guide for Beta 1.0

Table of Contents

Introduction

Polaris (Principle of Least Authority for Real Internet Security) protects you from viruses that you run, either from email attachments you open, macro viruses contained in files you edit, programs you launch, scripts on web pages you visit, or in email you read. This User's Guide describes the Beta 1.0 release of Polaris. Because it is not a fully developed product, there are several places where things can be improved. These future improvements will be noted where appropriate.

Back to Table of Contents

Why Polaris

Every program you launch in Windows has the authority to do anything you can do, even if you don't want it done. That's what viruses do. They run in programs you launch and do things that you don't want done. These things include installing spyware, adware, backdoors, and Trojan horses; modifying the system registry; and mailing themselves to email addresses found on your machine.

Why is this so? All operating systems in common use today, not just Windows, decide on what a program can do by looking up the identity of the person who launched it. This approach makes sense if we can be sure that the program is operating in that person's best interest, but viruses show that this assumption is not valid. It is this fundamental flaw in existing systems that makes it impossible to protect them from viruses.

Polaris takes a different approach to launching programs. Each program is launched as if by a user with the minimum set of authorities the program needs to run. Hence, a virus running in this program can do very little damage. By adhering to the Principle of Least Authority, Polaris reduces your vulnerability to viruses.

Back to Table of Contents

How Polaris works

You don't need to read this section, but knowing how Polaris works may help you build a mental model of what's going on. That mental model may help you identify the cause of a problem and discover your own workaround.

Polaris protects you by giving each program you launch only the permissions it needs to do its job. Since it works in a Microsoft environment, it can't rely on changes to the application or the operating system. Instead, Polaris changes the way programs are launched.

How Polaris Works

When you Polarize an application, you are telling the system to launch the program with a program called powercmd.exe. This program uses a variant of the Windows RunAs function that lets you start a program under a different user account. We call the polarized application a Pet, and each Pet has a separate user account. For example, a pet you call Excel may have an account named polass7sAaJDp708. The strange name is picked to be unique among all users on your machine, which allows different users to assign the same petname to a given application.

Suppose you have Polarized Excel. When you double click on a file with an extension of xls, powercmd makes a copy of the file and starts a program that keeps the copy and the original synchronized. If your file is c:\temp\data.xls, the copy will be created with the file name c:\Documents and Settings\polass7sAaJDp708\Application Data\Hewlett-Packard\Polaris\editables\c\temp\data.xls. Powercmd then starts Excel running as if it were launched by the user polass7sAaJDp708.

Of course, applications need access to more than just the file you're working on. They also need to be able to read their libraries, fonts, etc. So, the Pet accounts have an installation endowment, the permissions they get every time they start. This endowment includes permission to read your c:\Program Files and c:\Windows directories. The Pet also has read and write permission to its own account's folders, c:\Documents and Settings\polass7sAaJDp708 in our example, and its subdirectories. In addition, due to the way the Microsoft Office Suite operates, in this Beta release all Pets have permission to see the name of every file your file system. The result of this installation endowment is that malicious code running in a Pet can read directory and file names, but it can only read the files in its installation endowment and any files you've opened with the Pet. Nevertheless, you may want to be circumspect in the names you choose for files. For example, ATMpin1234 is probably not a good file name.

Back to Table of Contents

Installation

This Beta release of Polaris does not use a standard installer. Instead, you run a set up script that creates some registry entries and two folders. If your userid is alice, these folders are under c:\Documents and Settings\alice\Application Data\Hewlett-Packard\Polaris\ and are named requests and editables. You are not given the option of changing the location of these directories. If you already have directories with these names that you are using for some other purpose, you must rename them before installing Polaris.

Polaris was developed and tested on Microsoft Windows XP Service Pack 2. We don't guarantee that it will work with this or any other configuration. Some machines are configured in a way that interferes with Polaris. We will try to help you identify the cause of the problem, but we may not succeed.

To install Polaris, run setup.bat from your installation CD or shared drive. This script copies the Polaris software to c:\Program Files\Hewlett-Packard\Polaris, adds the shortcul powerwindow.lnk to your startup folder, and starts the PowerWindow. You are now ready to start Polarizing applications. The script also configures your file system so that Office applications can find the files they need. This step can take 10 to 30 minutes depending on how many files you have. Don't panic. Just start the installation when you're ready to leave for lunch.

The most common vector for computer viruses is email attachments. Polaris provides a means to launch attachments that will limit the damage that a virus can do. In this Beta release, you must run setupOutlook.bat to add special buttons to your Outlook windows. You may have to restart Outlook to see them. When you open Outlook, even unpolarized Outlook, you'll see a button that looks like a floppy disk with an arrow coming out of its top. If you mouse over this button, you'll see a tool tip PolarisLaunch. A similar button will appear on each email you open.

Endowments

When you want to open an attachment, select the message containing the attachment, and click on the PolarisLaunch button on the Outlook tool bar. If there is only one attachment, it will open. If there is more than one, you will be given the option to select the one you want to open.

If you have created a Pet for the type of attachment, such as Excel for an xls attachment, Polaris will use that Pet. If not, Polaris will launch the attachment in the IceBox, a special account with very few permissions. Many applications won't run in the IceBox, but those that do won't be able to do much harm. If you don't have a Pet for the application, and the attachment won't open in the IceBox, and if you really, Really, REALLY need to open the attachment and you are really, Really, REALLY sure that it's safe, you can double click on the attachment or right click on the attachment and select Open. That's dangerous. A better approach is to save the attachment to disk and open it from there. Be sure to virus scan the file first, but that won't protect you if there's an unrecognized virus in the file.

Back to Table of Contents

Uninstalling

This Beta release of Polaris does not use a standard uninstaller, nor can you uninstall Polaris from the Control Panel using Add/Remove Programs. If you believe that Polaris is causing you problems, you may want to uninstall it. However, that may not be necessary, since Polaris doesn't interfere with your normal use of appilications.

If you have information, such as browser bookmarks, that you want to save, you should move them to a folder in your user account. That's not strictly necessary for the first option below, but you'll quickly forget where you left things if you don't. You can find the account name for the pet by looking at the user User Name in the Processes tab on the Windows Task Manager. If you have more than one Pet for the program, make sure the one you want is the only one that is running.

BEWARE. Malicious code may have corrupted those files. Be very careful before moving them out of the Pet account.

There are three things you can do.

  1. Reset the default launch.
    • From Tools on File Explorer, select Folder Options
    • Select File Types
    • Find the file type you'd like to reset, say XLS
    • Click Advanced
    • Select Open and click Set Default and OK
    • Repeat as needed for other file types
  2. Depolarize the applications
    • Open the Polarizer
    • Select a Pet from the list of Existing Pets
    • Click De-Polarize
    • Repeat as needed for other pets
    • The corresponding accounts will disappear the next time you reboot.
  3. Uninstall Polaris
    • Depolarize all pets listed in Existing Pets
      • Open the Polarizer.
      • Select a pet from the list of Existing Pets.
      • Click De-Polarize.
      • Repeat as needed for other pets.
    • Remove the PowerWindow from your StartUp folder (substitute your account name for alice in the following)
      • Navigate to c:\Documents and Settings\alice\Start Menu\Programs\Startup
      • Delete the shortcut powerwindow.lnk
    • Reboot the computer.
    • If any of the Pet accounts show up in c:\Documents and Settings, delete them.
    • Run regedit
      • From Start select Run ... and type regedit.
      • Remove My Computer\HKEY_CURRENT_USER\SOFTWARE\HEWLETT-PACKARD\POLARIS.
    • Delete the folder c:\Program Files\Hewlett-Packard\Polaris
    • Delete the folder c:\Documents and Settings\alice\Application Data\Hewlett-Packard\Polaris
  4. Congratulate yourself on completing the uninstall, but be extra careful because you're no longer protected.

Back to Table of Contents

Polarizing applications

After installing Polaris, you will have an icon on your desktop labeled Polarizer. Launching this program brings up a window that lets you set up applications to be safe from viruses. Each instance of such a safely tamed application is called a Pet.

Polarizer Window

There are two lists in the Polarizer window, Existing Pets and Pet Templates for Known Applications. Initially, the list of Existing Pets is empty. You may start by selecting one of the known applications or by typing in the information yourself. The Petname can be anything you like as long as it doesn't contain white space. The Polarizer will create a shortcut for this pet after adding the string Safe to the end of the name you chose.

Say that you want to be able to use Excel macros safely. Select Excel from the list of Known Apps. You will see that the Default File Extensions contains xls and xlt. If you don't change this setting, you will be able to launch this Pet by double clicking on the icon for files with either of these extensions. The Path to Executable has been set to point to a likely place to find the program the Pet will run. Simply type over this value or use the Browse button to find the executable.

The Configure and Configure Network Authentication buttons let you change some settings that are described later. You may ignore them for most Windows applications. The Update Existing Pet Endowments button lets you easily correct any mistakes. So, if you decide that you don't want the Excel Pet to launch for files of type xlt, simply select Excel from the list of Exisiting Pets, remove xlt from the list of File extensions, and click this button. You may also use this button to change the any of the options on the Endowments window without repolarizing the application.

If the application you want to Polarize isn't on the list of Known Apps, you can still Polarize it. Just fill in the File Extensions and the Path to Executable. If you don't know the path, then you can browse for it. You'll have to think up your own Petname without any hint from the Polarizer.

When the information is to your liking, click the Polarize button. It should take less than 30 seconds to set up your Pet. Be patient. In this Beta release, the icon won't change to an hour glass, but progress is being made.

The polarizer will put an icon on your Desktop with a label ExcelSafe if Excel is the name you've chosen for the Pet. It will also create a user account with a name made up of three parts.

Warning!!! Warning!!! Warning!!! Geek talk. Take Precautions!!!

  • The first part will always be pola. That way all Pets will appear close to each other in a sorted list of user accounts.
  • The second part is seven characters that should be unique to the user who created the Pet. That way all the Pets created by a given user will appear close to each other in a sorted list of user accounts.
  • The third part is an integer that is incremented each time you create a Pet. These numbers are never reused unless you uninstall and reinstall Polaris. That assures that there will be no confusion between an existing Pet and one that you deleted.

End geek talk. You may now return to your regularly scheduled reading.

You will get a folder in c:\Documents and Settings with this name, as well. When Polarization is complete, you'll be asked if you want to Polarize another application.

Verifying Installation and Polarization

You are now ready to test the installation. Polarize Excel by selecting it from the Pet Templates for Known Applications on the Polarizer window. Select Excel. If you're using a different version, you'll have to use the Browse button to find the executable. It will probably be in c:\Program Files\Microsoft Office\Officexx\excel.exe, where xx is the version you are using. Next, click Polarize. When the polarization is complete, you should exit the Polarizer.

You can now check that your installation succeeded by running the Polaris demo. The installation procedure for Polaris added a file named killer.xls to your My Documents folder. This spreadsheet uses some time travel technology to calculate, not predict, the value of a stock portfolio 10 years in the future. A lot of people would be very interested in running such a spreadsheet, but it contains a virus that we wrote.

Before you can run the demo, you need to configure your macro security settings.

  • Open unpolarized Excel from the Start Menu under All Programs.
  • If it is running unpolarized, you will not see <<>> in the title bar of the Excel window.
  • Select Tools-Macro-Security.
  • Set the Security Level to Medium.
  • Close Excel
  • Open your Excel Pet using the shortcut the Polarizer put on your desktop.
  • Verify that Excel is running polarized by looking for <<Excel>> in the title bar of the Excel window. If you used a different petname, then that name will appear between the angle brackets.
  • Select Tools-Macro-Security.
  • Set the Security Level to Low. The text next to that selection recommends against using this setting, but that warning is for Excel not running under Polaris.
  • Close your Excel Pet.
  • Make sure you have some shortcuts on your desktop. If you don't have any, then
    • Open File Explorer.
    • Right click on any file and select Create Shortcut.
    • Drag the shortcut to your Desktop.
    • Repeat as necessary.

Now that the one-time setup is complete, you're ready to amaze your friends and neighbors. First, you'll show them what a virus can do if you don't use Polaris.

  1. Right click on the icon for killer.xls and select Open.
  2. Point out the annoying dialog box and click Enable.
  3. Verify that Excel is not running in a Pet by pointing out the absence of <<>> in the title bar.
  4. Enter a value representing your current investment in HP and click Compute HP 10-year value.
  5. Enter a value representing your current investment in Microsoft and click Compute Microsoft 10-year value.
  6. A very scary window will appear, but don't worry. Just click Destroy.
  7. The virus we wrote appears to delete all the shortcuts on your Desktop. If this had been a real virus, you'd be in a lot of trouble. In fact, the virus only moved your shortcuts to c:\trash. You can copy them back to your Desktop.
    • In File Explorer, navigate to c:\trash.
    • Click on one of the files in the right pane and type CTL-A to select all files.
    • Drag the selected items to your Desktop
  8. Close Excel, and click No when asked if you want to save your changes.

Here's what happened. When you told Windows to open killer.xls, it started Excel and sent the running program the string "killer.xls". Excel then used that string to open the file. Since the process running Excel could have been given any string, it needed permission to open any file you could open, including all the shortcuts on your Desktop.

Now do the same thing with Polaris.

  1. Open killer.xls. You can double click on the icon for the file, drag the icon to the shortcut labelled ExcelSafe, or right click on the icon and select OpenSafe.
  2. Point out that you didn't have to deal with an annoying dialog box.
  3. Verify that Excel is running in a Pet by looking for <<Excel>> in the title bar.
  4. Enter a value representing your current investment in HP and click Compute HP 10-year value.
  5. Enter a value representing your current investment in Microsoft and click Compute Microsoft 10-year value.
  6. That very scary window will appear, but this time it won't be so scary. The list of files to be destroyed is empty. Click Destroy.
  7. The virus is happy, and so are you.

You just saw something pretty amazing. Under Polaris, Excel is more functional, because you can safely use macros, easier to use, because you're not bothered with security dialog boxes, and more secure, because the virus didn't hurt you. Many people would have you believe that you'd have to pick two out of three.

The reason you get all three is that Polaris enforces the Principle of Least Authority at the granularity of individual applications. When Polaris starts the Pet, it starts it with permission to edit none of your files and adds the ability to edit the one file you just selected. That's why the virus didn't eat up your Desktop. Excel didn't need permission to delete your shortcuts, so Polaris didn't give it that permission.

Multiple Pets for One Application

In this Beta release, each Pet has permission to read and write any files opened by that Pet. So, if you've opened one spreadsheet received as spam and another spreadsheet containing critical information, a virus running in the spam spreadsheet could destroy the information in the critical file. You have two ways to prevent this attack,

  1. Close all running instances of the Pet.
    • Verfify that you didn't miss any.
      • Right click on the Polabear icon in your system tray.
      • Select Kill.
      • Click on the name of your Pet if it appears in the list.
  2. Create more than one Pet for the applicaton.
    • Polarize the application with one Petname, say ExcelforSecrets.
    • Polarize the application with another Petname, say ExcelforSpam.
Only one of them can be set to launch automatically when double clicking on the icon for a file with an extension of xls, but you can always drag the icon for a file to the shortcut for the Pet you want to use.

Another application you might want several Pets for is your browser. You can have one Pet for browsing sites you trust, such as your bank and your stock broker. This Pet can safely remember your passwords, and you can save files you'd like to keep private in the browser's directory. You can have a second Pet for browsing sites you don't trust as much. This Pet won't have access to anything you've put into the first Pet. You'll probably want a third browser Pet if you use your browser to read files. Simply configure this one to launch when you open an HTML file. This way you can use your browser to read files, but scripts on web pages you visit won't have access to them.

There's one thing you need to be aware of if you have more than one Pet for an application. Some applications lock a file when they open it. If you try to open it again, you get a read only version. Polaris doesn't lock the file. However, if you open it outside a Pet, a Save of that file in the Pet fails. You'll have to do a SaveAs to save the Pet's copy. The problem is that two Pets that open the same file can both do a Save. That might be a problem, so be careful. At any rate, it's no worse than using an application that doesn't lock the file.

Re-Polarization

There may be times when you want to re-polarize an application. The simplest thing to do is start over from scratch, but that loses any customizations, such as tool bars you added and menus you moved around, that differ from what's on the version of the application that runs in your account. The most common problem is losing your browser Favorites/Bookmarks when you re-polarize. When you click the Polarize button with a Petname that appears in the list of Existing Pets, you'll see the following window.

Polarizer Window

If you didn't mean to use that name, click Cancel, and try again. If you haven't done a lot of customization, you should select Polarize from Scratch. This option is the safest because it creates a brand new user account. That means that any detritus left lying around by malicious code in the Pet account will be deleted. It also means that any settings, such as browser Favorites/Bookmarks or toolbar settings that are specific to the Pet will be lost. You can keep them by clicking Re-Polarize. You'll get a new Pet account, but your settings will be copied from the old one. Now you'll have your configuration, but you may also have settings made by potentially malicious code, such as a home page that you'd rather your children didn't see. How long re-polarizing takes depends on how much customization you've done. It shouldn't take more than a minute or so.

Network Authentication

Some sites on the network need to know who you are before you can use them. Windows passes your login information, but not your password, to these programs, so you don't have to type your password over and over. That information is also used when you use a printer on the network that is controlled by an authenticating print server.

Your Pets don't run with your identity, so that doesn't work for polarized applications that access these sites. You can tell Polaris to provide this authentication by clicking Configure Network Authentication on the main Polarizer window, which will bring up the following window.

Polarizer Window

You have three options. If you select No Authentication, any password Polaris has remembered for you will be forgotten. (NB: The following option isn't working right now. We'll remove this warning once it is.) Selecting Request Password At Boot means that you will have to provide your login password every time the PowerWindow starts. Normally, that will only happen when you login, so it shouldn't be too much of a burden. The password you provide will be stored in an encrypted file if you select Store Password.

You don't have to worry about your password being stolen. Polaris uses EFS, the Windows Encrypted File System, which computes an encryption key based on your login password. Only someone who knows your login password or is running a program as you can decrypt this file. To protect you further, your password is encrypted with itself as the encryption key. Hence, a scan of your disk won't reveal your password. On the other hand, a virus running in your account will be able to get your password. Of course, such a virus has lots of other ways to capture your password and do lots of other nasty stuff.

You will have to return to this window if you change your login password. Of course you don't have to worry about forgetting. All your network authentications will fail until you do. In this Beta release, you will need to restart the PowerWindow after changing your password. Right click on the PowerWindow icon in your system tray and select Exit to close all running Pets and the PowerWindow. Your new password will be in effect when you restart the PowerWindow.

Additional Authorities

The Polarizer does a pretty good job setting up the permissions for a Pet. However, there will be times when a Pet will need additional authority. That's what the Endowments are for. Click the Configure button to see what you can do.

Endowments

We'll start at the top of the Endowments window and explain the items one by one.

Server Sites to Automatically Authenticate: Every program running in a Window's process has an authentication token. That's how Windows knows what permissions the process has. This token is also passed to network sites so they can know what permissions to grant. If you use a network shared drive, your token tells the machine what files you can read and/or write. Web sites on the Intranet also use the token so you don't have to keep logging in.

When you run a Pet, the process doesn't have your token. Instead, it has a token for the Pet account, which isn't known to other machines. Hence, the Pet doesn't have permission to access any resources on these machines. That's a GOOD THING. It means that a virus running in a Pet can't damage resources on other machines. It can also be inconvenient if you have to keep logging into a few sites over and over.

Fortunately, it's possible to attach the part of your token used for network access to the Pet's token. This section of the Endowments window allows you to specify those servers you want to recognize your pets as you. Doing so can be dangerous because a virus running in the Pet will have all of your authority on these servers and will be able to do anything you can do. However, the convenience may outweigh the risk, particularly if you only have read access to the data on these servers. Just fill in the domain names for each such site in the form server.company.com. NB: We are having inconsistent results with this feature. We think our corporate servers are doing a hand-off to servers we don't know about. Please let us know how well it works for you.

You will also need to provide your network authentication so that Polaris can add your network token to the Pet. You do that by clicking on the Configure Network Authentication button on the main Polarizer window.

Additional Applications to run in this Pet: There are times you want to run applications together. A common case is when you want to include a spreadsheet in a document. You can run Microsoft Word in the Excel Pet account. Simply provide the path to the executables you want to run in that account. There's no Browse option in this Beta release, so you'll just have to find the executable and enter the path directly.

When you polarize the application, you'll get a shortcut for the Pet, say ExcelSafe, and one for each application that will run in the pet, say Excel-WordSafe. This convention was chosen to put Pets that run in the same account close to each other in a sorted list of shortcuts.

Note that you may not need to use this option very often. If you are running Excel in a Pet and cause it to open Microsoft Word, Word will open in the Excel Pet account. However, you may find times when that doesn't work. For example, if you polarize your email client, you'll want the program that runs the synchronizer for your PDA to run in that pet.

Read-Only: Some applications use collections of files. The most common case is the browser, but it's special, so there's a separate check box elsewhere. A less common case is when you have a document that uses figures stored in some folder. If you open the document in a Pet, it won't have access to those files. Simply fill in the paths to the folders you want the Pet to have read access to. Be careful. The Pet will be able to read any file in the folder and subfolders.

Read-Write: Some applications need to be able to modify a collection of files. The most common case is a spreadsheet with links to other files. If you open the spreadsheet in a Pet, it won't have access to those files. Simply fill in the paths to the folders you want the pet to have read/write access to. Be careful. The Pet will be able to modify any file in the folder and subfolders.

Command Line Arguments: Some programs allow you to specify runtime parameters in addition to the name of a file. Specify them exactly as you would on a command line.

Check Boxes: There are five check boxes on the Endowments window. Each of them deals with a different, commonly occuring special case.

  • Set as Default Web Browser: When you click on a web link in an email or in a document, Windows launches your default browser. You want that browser to be a Pet, so you check this box when polarizing your browser. Some software installations reset the default to be unpolarized Internet Explorer. You can undo this change by polarizing your browser again. Be sure to save your bookmarks before re-polarizing unless you use the medium risk option explained at Re-Polarization
  • Set as Default Mail Client: (NB: This option is not yet working. We'll remove this warning once it is.) Many people depend on their email and don't want to risk losing productivity by polarizing their mail client. That's a wise policy, but it can be dangerous. There have been several attacks that get launched when you open or even preview a message. We've found that Outlook can be used effectively in a Pet. However, some functions, such as sending an email from your browser or Microsoft Word won't work unless you check this box.
  • Allow Read/Write of Windows Temp folders: Some applications make changes in the Windows temp folder, which is usually c:\tmp or c:\temp. You can tell which name to use for sure by opening a command window and typing echo %TEMP%. Such programs violate Microsoft recommendations, but they are not rare. Clicking this box gives the Pet write permission to your temp folder and all its subfolders. Granting this permission may be dangerous if you store install programs in this folder. Malicious software running in a pet with this permission could replace one of those programs with a Trojan Horse that could end up running with administrator privileges.
  • Allow editing the application execution folder: Some applications make changes in the folder containing the executable of the program being run, which is usually in c:\Program Files. Such programs violate Microsoft recommendations, but they are the primary reason you need to run with administrator privileges to get your job done. Clicking this box gives the Pet write permission to the folder containing the executable program and all its subfolders. This folder is the one in the path name you specified in the main Polarizer window. Granting this permission is dangerous, albeit far less dangerous than granting write permission to all of c:\Program Files, but it's the best you can do if you want to run the program.
  • Read Only With Links: Some programs need access to other files in the folder of the file being used and files in its subfolders. We say these files are linked to the file you open. The primary example is a browser Pet used to display files stored on your disk. The graphics for the web page are often stored in a subdirectory with a name related to the name of your file. So, if your file is named c:\My Documents\myPage.htm, its graphics are most likely in c:\My Documents\myPage_files. If you simply open a browser Pet to read the file, you won't see the graphics because the Pet won't have permission to read files in the subdirectory. Normally, Polaris makes a copy of a file when it is being edited by a Pet. That would require copying an entire folder hierarchy for a web page to be viewed properly. However, a browser doesn't modify the file, so Polaris avoids this overhead by granting the Pet read permission to folder containing the file and its subfolders. Of course, if the person opening the file doesn't have authority to grant this permission, such as when the file is on a network share, then Polaris does make a copy.
  • Grant Full Network Credentials: Selecting this option is equivalent to granting this Pet access to everything you can do on the network. A virus running in this Pet's account won't be able to do much harm to your machine, but it might be able to do a lot of damage to other machines you access. Be very careful which Pets get this endowment.
  • Do Not Shut Down App When Windows All Closed: Normally, Polaris cleans up the Pet account when last visible window running in the Pet is closed. Polaris kills all processes running in that Pet, which prevents a virus from staring a long running program. Polaris also shuts down the file synchronizers and deletes the Pet's copies of any files you opened. That relieves you of worrying what data a virus running in the Pet might see. Unfortunately, this cleanup closes service routines that you may want to leave running. Check this box to bypass the cleanup. If you do need to force a clean up, you can right click on the PowerWindow icon in your system tray, mouse over Kill, and select the Pet you want closed.

Back to Table of Contents

Using Polarized applications

You use Polarized applications exactly as you would any other program (except you can't drag/drop between Pets). Either launch the program from the shortcut, drag a document onto the shortcut, or double click on the icon for a file with the appropriate extension.

Your Pet will take a few additional secconds to start the first time you use a Pet after a reboot or when the Pet hasn't been used for a long time. Don't panic. Windows has to load the Pet's account information into the registry. Microsoft didn't optimize that path because they assumed it would only be needed at login. Most applications start in 10 seconds or less. However, we have seen delays as long as 30 seconds if a disk intensive program, such as a virus scanner, is running. Once the registry information is loaded, subsequent launches of the application will not incur any additional delay.

Polaris doesn't interact with your program in any way once it is running except for accessing other files. Any time you need to designate a file, such as with Open or SaveAs, you will see a file dialog box presented by Polaris. Because of the way this Beta release operates, you may see another dialog box flash momentarily on your screen before the Polaris file dialog opens and just after it closes. Also, in this Beta release the Polaris file dialog box may sometimes be under another window. Often, clicking the icon for the Pet in the task bar will make the dialog visible. If that doesn't work, hitting ESC cancels the request and returns control to the application.

There will also be times when you see two dialog boxes. The one labeled <<petname>> Open, where petname is the name of the Pet requesting access to the file, is running with the Pet's permissions. The one labeled Open for <<petname>> is the one you want to use since it has all your permissions. This label is very important. A file dialog box from an unpolarized application has a title Open, which gives you no indication of what application is requesting access. With Polaris, you know exactly which Pet will be getting access to the file.

Sometimes a failure occurs that might cause a loss of data, such as when you close the PowerWindow while a Pet is open. In such cases, Polaris saves the version from the Pet account area in a folder on your Desktop named PolarisRecover. You'll have to figure out if the version in that folder is the one you want.

You may encounter situations where you can't get your work done, apparently because of some strange behavior you think may be due to Polaris. Since you're using the Beta release, you may well be right. You may also be wrong. It could be a problem with Windows, or it could be that a virus has attacked the application and is struggling to get out to attack you, which has happened in our existing pilot program with the Alpha release. A virus not detected by Symantec AntiVirus corrupted a Pet, but could not corrupt the system.

It is possible to open the application the unsafe way, but before you go to this extreme, start the Polarizer and Polarize the application again under a new Petname. If the new Pet has the same behavior on a different file, it is probably not a virus. (The virus should be trapped in the original Pet). If the new Pet doesn't work either, you can see if it is a Polaris problem by opening the program the unsafe way. If you're opening the program directly, simply double click on the shortcut for the unsafe application (Found under All Programs under the Start button). If you're opening the program by double clicking on the icon for a file, then right click the document icon and select Open instead of the OpenSafe default. At this point you'll be as vulnerable as you were before you installed Polaris. When you find out that the problem isn't related to Polaris, you can go back to using the Pet.

Back to Table of Contents

Differences from an Unsafe Desktop

We have worked hard to make using Polaris identical to using an unsafe Windows XP environment. We haven't completely succeeded, but we've come close. There are no differences for non-Polarized applications. The differences for Polarized applications are:

  • Some Windows applications lock a file when you edit it. That means that you can only open it for reading while it is locked. Polaris does not lock the original file when you open it in a Pet. That means you can open it for writing outside the Pet. Don't worry. You won't be able to clobber your data. If you try to save a file that's been opened twice, the Pet will tell you to do a SaveAs. There is one exception. If the file is opened simultaneously in more than one Pet, you can get in trouble even if the application normally locks the file.
  • Drag and drop to running Pets doesn't work. However, you can drag and drop onto the shortcut for a Pet or between windows running in a Pet.
  • File dialog boxes have buttons along the left side and a pulldown menu at the top. The Desktop entry at the top of the pulldown points to the Pet account, not yours.
  • Some extra logins are required when running from a Polarized browser unless you've configured your network authentication for those sites.
  • Polaris doesn't detect non-standard file dialog boxes, such as those produced by some Java applications. You may not want to polarize these programs.
  • Some extra steps are needed for editable, linked files. For example, you may need to grant read only or read/write permission using the Endowments window.
  • Some classes of applications, mostly games using advanced graphics, won't run Polarized.
  • Some ActiveX controls, in particular the one that launches MacroMedia Flash, don't work in polarized Internet Explorer. We are actively investigating this problem. In the interim, if you need Flash, say to watch a baseball game on MLB.com, use Firefox or your unpolarized Internet Explorer.
  • You won't be able to open files using the application's list of recently used files, either from the File menu or from the task pane. That's because Polaris can't tell if it's you asking or a virus running in the Pet. Instead, use My Recent Documents from the Start menu. NB: We have a partial solution to this problem. Let us know if this feature is very important to you.

Other that this relatively short list, everything should work the way it always has, except that you don't have to worry about viruses. In fact, in some ways Polaris makes your machine easier to use.

  • You can configure your settings to reduce the number of security related dialog boxes presented to you.
  • You can safely use functions that are too dangerous in a non-Polaris machine, such as macros, web scripting, and launching email attachments.
  • You can move or rename a file while you are editing it.

Back to Table of Contents

Identifying Polarized applications

When the PowerWindow is running, it labels each window with the name of the Pet associated with it. So, windows running in your Excel Pet will have the label <<Excel>>. If the application is not running Polarized, the <<>> is absent. If you don't see this prefix on your Pets, it means you have to restart your PowerWindow. Since the PowerWindow doesn't reconnect to Pets that were running when it crashed, you should close any running Pets first. Note that we have not observed any crashes of the PowerWindow in our internal testing of this version.

You can make a more visibly striking but less reliable indication by using a poorly understood feature of Windows. Most applications use the new XP windows style with rounded corners. Polarized applications run with the old style windows that have sharp corners. If you change the color of the title bar, the change will apply only to old style windows. To make this change

  • Right click on the desktop and select Properties.
  • Select Appearance.
  • Click Advanced.
  • Click on Active Window in the upper area.
  • Select Color 1 and Color 2 to your liking.
  • Click OK
  • Repeat for the Inactive Window and Message Box.
  • Click OK when you are done.

Setting Appearance

Back to Table of Contents

Special instructions for specific applications

This section contains instructions that are specific to individual applications.

Adobe Reader:

By default, all PDF documents open in the same running instance of the Reader, even if they're opened by different users. That's pretty bizarre, but most personal computers only have one user, so you never notice it. Even more surprising is the behavior when you have previously read a PDF in your browser. Adobe Reader uses that instance even if you open the file from your Desktop.

The bad part is that this behavior can prevent you from using your Acrobat Pet. Say that you've opened a PDF document that you wrote. You know that's safe, so you opened it in your account. Next you open a PDF email attachment. That might not be safe. Since you're a savvy Polaris user, you'd like that document to open in a Pet. Adobe Reader doesn't want to do that. The Pet process starts, sees that there is a process running Reader, and sends a Windows message to that process to open the file. That message doesn't get through. That's a GOOD THING. Allowing such Windows messages from the Pet to your account would let a virus do anything you can do. Too bad for you. The document never opens.

Fortunately, there's an undocumented flag for Adobe Reader, /n, that tells the launcher to use a new instance each time Reader is run. To change this behavior,

  • Select Folder Options from the Control Panel.
  • Select File Types and highlight PDF.
  • Select Advanced and highlight Open.
  • Change the "Application used to perform action:" by replacing "%1" with /n "%1".
  • Click OK twice.
These arguments are inserted automatically if you use the entry in the Known Pets list. Adding this option to the Open command lets you run an unsafe Reader even if you have a safe Pet running.

This behavior also causes problems if you open PDFs by clicking on links in your browser. By default, Adobe Reader runs in the browser process, and the file is rendered in the browser window. We haven't figured out how to attach the /n option to the command, so bad things happen. Fortunately, you can configure Adobe Reader to open in a separate process.

  • Open Adobe Reader from the Start menu.
  • Select Edit and Preferences.
  • Select Internet from the list of Categories.
  • Uncheck the box labeled Open PDF in browser window.
  • Click OK and close Adobe Reader.
Now, when you click on a link in your browser to open a PDF, you'll get a new window containing the document. If the document doesn't open, and you're using Firefox, then you probably have Adobe Reader running. If there are no visible windows for Reader, you may have to kill the process AcroRd32.exe from the Task Manager.

Blowfish:

Blowfish is an open source implementation of Bruce Schneier's Blowfish encryption algorithm. Unlike many applications, Blowfish needs read/write access to the folder containing its executable. Check the appropriate box under the Endowments options.

Browsers:

Should your browser Pet get corrupted by a malicious web site, you can recover by simply repolarizing. Sometimes you can only recover by repolarizing from scratch. That means you'll lose any bookmarks you've set only in the browser Pet.

The simple answer would seem to be sharing the bookmarks with your unpolarized browser. That's not wise. Surprisingly, there are dangerous bookmarks. Some malicious sites install them in your list of bookmarks. That means it isn't safe to share bookmarks between polarized and unpolarized versions of your browser. Instead, we recommend setting bookmarks in your unpolarized browser for only trusted sites.

One upshot of not sharing bookmarks is that you'll need to save the bookmarks in your Pet. When updating your bookmarks, you should export them to a convenient place, such as your Desktop. Then, should you have to repolarize from scratch, you can just import them. You should do virus and spyware scans on the file first, though, in case it has one of those bad bookmarks. You should NEVER copy your Pet's bookmarks to your unpolarized browser. Copy individual bookmarks, instead.

Internet Explorer (and perhaps other browsers):

Your browser can use your digital certificates. Unfortunately, this Beta release does not copy them for you when you polarize Internet Explorer. You will need to open the unsafe browser, export your certificates and import them to each browser Pet. NB: We are unable to add certificates to your personal set. We believe that happens because the browser is not running with the identity in your certificate, but we're not sure.

Microsoft Office Suite:

Microsoft invested considerable time and money developing an extremely powerful macro language. Unfortunately, attackers can use the power of these macros to damage your machine or steal your secrets. Many installations protect you by setting the security level to keep macros from running. Since you're using Polaris, you're far less vulnerable. In order to run macros, open the polarized version of the application, select Tools/Macro/Security and click the radio button for Low. The accompanying text says that this setting isn't recommended, but that warning doesn't apply to Polarized applications.

Outlook:

If you're like most users, you can't do your job without reliable access to your email. That's why most users don't Polarize Outlook. However, if you're brave and paranoid, you may want to. It's not a bad idea. Some viruses launch even if you preview an email. Since your email is so important, you'll probably want to be able to switch back to the unpolarized version if something goes wrong. So, before you polarize Outlook you should record the Outlook settings you are using. Unfortunately, you can only have one instance of Outlook running at a time. That means you'll have to copy your settings manually in order to set up your Outlook Pet.

Select E-mail Accounts from the Tools menu in Outlook. Under E-mail in the window that pops up, click View or change existing e-mail accounts, and click Next. Select the email account marked Default, and click Change.... Write down the name of your exchange server and user name. Note if the Use Cached Exchange Mode button is clicked. It's probably a good idea to click it, since it makes switching between the Polarized and unpolarized Outlooks easier. Finally, click on More Settings ... and make a note of everything you see on all the tabs and menus.

Polarize Outlook. Make sure that you've selected it as your default mail client in the Endowments window. If you don't want to have to type your login password every time you start your Outlook Pet, add the Exchange server to the list of server sites to automatically authenticate. The first time you open the Outlook Pet, you'll be taken to the E-mail Accounts window. Simply step through the various windows and tabs making sure your settings match those of your unpolarized Outlook. The most important one is the Offline Folder File Settings ... under the Advanced tab. You'll see the path to the cache file. Replace the Pet's user name in that path with yours. If you do, there will be no delay needed to refresh the cache when you switch between unpolarized Outlook and your Outlook Pet.

Back to Table of Contents

Troubleshooting

This section lists some common problems and what to do about them.

Slow Start-up

Your Pet will take a few additional secconds to start the first time you use a Pet after a reboot or when the Pet hasn't been used for a long time. Don't panic. Windows has to load the Pet's account information into the registry. Microsoft didn't optimize that path because they assumed it would only be needed at login. Once the registry information is loaded, your application will start without any additional delay. We have seen cases where the start-up takes 30 seconds or so. Usually that's because a disk intensive application, such as a virus scan, is running. Be patient. After the first time, your Pet will launch normally.

Failure to start

Nothing may happen when you try to launch a pet. The most common cause is that the PowerWindow isn't running. If it is running, try again. That sometimes works. If trying again doesn't work, the PowerWindow may be stuck. Close all Pets, restart the PowerWindow, and try again.

Firefox and Adobe Reader may fail to start for a different reason. They try to use a running instance, even if that instance is running in a different user account. Your Firefox Pet won't open if you have Firefox running in your account. Firefox won't open in your account if you have a Firefox Pet running. If Adobe Reader is running in your account, it won't open a PDF from Firefox. There will also be problems opening PDFs from your browser unless you've configured Adobe Reader properly.

Polaris Not Responding

If you can't launch a new Pet, or if Polaris functions, such as the PowerWindow file dialog box or the Pet names on title bars, don't seem to be working, the PowerWindow may have died or be stuck. You can verify the problem using the Windows task manager.

  • Start the task manager: CTL-ALT-DEL followed by T.
  • Select the Processes tab.
  • If you don't see powerwindow.exe, you have the problem. If you do see it, continue.
  • There should be a column labeled CPU. If this column doesn't appear, then
    • On the View menu, click on Select Columns.
    • Check the box next to CPU.
    • Click OK
  • The program powerwindow.exe should be using a few percent of the CPU. If it is using 0%, you have the problem.

If you have the problem,

  • Kill the process running powerwindow.exe if necessary.
  • Close all Pets.
  • Restart the PowerWindow.

Application doesn't respond after file operation

There are times when your application will stop responding after a file operation, such as Open or Save As. It may be that your file dialog box is under some other window or that it's on an alternate screen if you use more than one monitor. Sometimes clicking on the icon for your pet in the task bar makes the dialog box visible. If that doesn't work, you can minimize windows to see if the dialog box is under one of them. If that doesn't work, simply hitting ESC will clear up the problem. You can then try opening the file dialog box again.

Lost Changes to a File

If something goes wrong, the updates you're making in the Pet may not appear in the file you opened. The most common reason is that you closed the PowerWindow while a Pet was open. If you suspect that may have happened, look in the folder PolarisRecover on your Desktop. Any changes you made up to the last Save or SaveAs will be in the file in that folder. If there's no file, then the all the changes up to your last Save or SaveAs are reflected in the orginal file. Perhaps you should consider saving more frequently.

Blue Screen of Death

The only reports we have of this behavior is when coming out of Suspend mode on a machine with VMWare installed. The problem occurs even when no virtual machine is running. Uninstalling VMWare appears to fix the problem. An alternative is to avoid suspending your machine by hibernating or shutting down.

Pets Disappear

One user reported that Pets disappeared seemingly at random times. We identified the problem as being due to the desktop management software being used. The tool gives the user multiple virtual desktops. However, since the tool runs on early versions of Windows, it doesn't use the Windows Desktop introduced in Windows 2000. Instead, it opens and closes windows to give the appearance of separate desktops. The problem is that Polaris assumes a process running in a Pet that has no visible windows has been started by a virus and kills it. The solution is to configure your desktop management software so that your Pets appear on all virtual desktops. Alternatively, you can tell Polaris not to close the Pet when no windows are visible by setting the endowment when you Polarize. Don't forget that every file you open is available to the Pet until you tell Polaris to close it.

File Dialog Box Pulldown Points to Wrong Place

File dialog boxes have buttons along the left side and a pulldown menu at the top. The Desktop entry at the top of the pulldown points to the Pet account, not yours. You can navigate to your own area by using the pulldown to navigate to c:\Documents and Settings\alice, if your userid is alice. You'll see entries for Desktop and alice's Documents. Alternatively, you can use the buttons on the left. They point to your folders, not the Pet's.

Text in File Dialog Box is Offset

If you can't see the all fields in the PowerWindow's file dialog box, or the window is all gray, you can simply type the fully qualified pathname of the file. Otherwise, just close the dialog box and try again. The offset occurs rarely, so you should be fine after one more try.

Application Doesn't Use Standard File Dialog

Some applications, particularly those ported from Unix or that you've written yourself, don't use standard file dialog boxes. A common example is Java applications written with the Swing library, those with the funny looking flat buttons. You won't be able to open any files other than at launch time because the Pet won't have the permission to read them. If you do need access, you can manually copy the file or files to the Pet account's area. However, you won't have synchronizers for these files. Also, these files will be deleted shortly after the last instance of the Pet is closed.

Failure to open file

The file you designated doesn't open. Trying again almost always works.

Inability to print

Some enterprises use authenticating network print servers, which don't recognize your Pets. The solution is to either set up Network Authentication on the Polarizer or bypass the print server. To set up a network printer for direct printing

  • Look at the printer to find its manufacturer and model number.
  • Look at the network, or speak to a network administrator, to learn the printer's name or IP address or domain name. An example in HP Labs is vega04.hpl.hp.com.
  • Select ControlPanel/Printers and Faxes/ and Add Printer.
  • Select Local Printer. Do not select Network Printer, even though, technically, the printer is on the network.
  • Select Create New Port. Set the Type of Port to Standard TCP/IP Port.
  • Type in the printer name or IP address.
  • Specify the printer model number. Allow the printer wizard to complete construction of the new printer.
Once your printer is installed, you need to configure a separator page. The generic separator pages will use the account name of your Pet. You can customize your page to use your account name, your full name, or anything else you like, as long as you can print it in a family newspaper.
  • Copy c:/windows/system32/sysprint.sep to a safe location, such as c:/myseparator.sep.
  • About 15 lines down, there is a line containing the string (@N@L).
  • Replace the text between the parentheses with whatever you'd like to appear on the separator page, but don't make the line too long.
  • Further down the page, you'll see a line referring to the server name and another with the string PSCRIPT Page Separator. You may replace the text between the parentheses on these lines. Ours say Polabears do it in place of the first and with least authority in place of the second. It's important to keep the line shorter than 72 characters.
Now configure your printer to use your separator page.
  • Open Printers and Faxes and highlight your printer.
  • Select Set printer properties.
  • Select Advanced and click Separator Page....
  • Select a .sep file and click Open.
  • Click OK twice.

"Uncaught Exception" dialog  box

If you get an uncaught exception, click the Continue button. Often you will be able to continue operations unimpaired. If instead of clicking the Continue button you click the Break button, the Polaris PowerWindow will be shut down, and files that you are currently editing will no longer be properly saved. Simply restarting the PowerWindow will not fix the problem. Shut down all the polarized applications, restart the PowerWindow using the shortcut in your Start Up folder, and reload the documents.

Pet headers no longer appear

If new windows no longer have a <<xxx>> notation as the prefix on the title bar, your PowerWindow has shut down or is stuck. Close the PowerWindow and all running Pets, and relaunch the PowerWindow using the shortcut in your Start Up folder.

WinZip in a Pet

By default, WinZip tries to open in a currently open WinZip window. If WinZip was opened in a Pet, opening another zip file with your permissions will fail. The problem is that the unconfined WinZip sees the existing window and tries to use it. Unbeknownst to WinZip, that window is running in a Pet and doesn't have permission to read the zip file. To fix this problem,

  • Close any instances of WinZip running in Pets.
  • Open WinZip from the Start button to ensure that it is running with your permissions.
  • Under Options uncheck Reuse WinZip windows.
You don't need to repeat this process for your Pets. Polaris protects you from the Shatter Attack by restricting the access a Pet has to windows not associated with that Pet. That protection also means that WinZip running in a Pet can't see windows opened by WinZip not running in that Pet.

There's another problem if WinZip opens in a Pet. Since WinZip uses non-standard dialog boxes, you won't be able to extract files to a location outside the Pet account with this Beta release. You should open the zip file with WinZip running with your permissions. Alternatively, you can extract the files to a folder in the Pet account, which you can find under c:\Documents and Settings\xxx\, where xxx is the account name used for your Pet.

Back to Table of Contents

Limitations

The most important limitation of Polaris is that it only works with Windows XP Professional with Service Pack 2. There is no theoretical reason it should not work with Service Pack 1, Home Edition, or even Windows 2000. However, there are minor differences that cause problems. Try Polaris at your own risk on other versions of Windows.

There are a number of applications that you should not Polarize because they don't work when confined. These are the ones we know of.

  • Direct 3D applications: Direct 3D is incompatible with the security machinery inside Polaris. Hence, over half of all game software is incompatible.
  • Cygwin: The Cygwin command shell, which attempts to emulate a Unix bash shell on Windows, modifies access control lists in a manner that is incompatible with Polaris. Not only should Cygwin not be Polarized, we recommend against running Cygwin on a Polarized machine. In particular, using the Cygwin cp command leads to conflict with Polaris operations.
  • PGP: PGP will not run Polarized.
There are a number of issues that we have not attempted to address in this Beta release.
  • Polaris does not block Pets from accessing the network.
  • If a virus directly attacks Outlook rather than simply being an email attachment, e.g., a malicious ActiveX control in an HTML mail, the contacts list is available to the virus.
  • You can not use drag/drop to a Pet. There are many places where Windows ignores the distinction of user accounts; this one it observes.
  • If the server for your network drives does not authenticate, Polaris will not be able to limit your Pets' access to them.

    Back to Table of Contents

    Upgrading from the Alpha

    The Alpha version of Polaris has proven to be surprisingly stable and effective at blocking the current crop of viruses. Unfortunately, the Alpha version is vulnerable to a very simple attack that isn't necessary if people aren't using Polaris. Once Polaris is in widespread use, we can expect to see this attack appear. Moving to the Polaris Beta will protect you.

    On Windows, any process can send a Windows message to any other window on the desktop. These messages tell the recipient process to do such things as type characters, open files, and run commands. Microsoft states that all programs running on a desktop are assumed to have the same privileges. That's true on a standard desktop, but not with Polaris. Hence, a virus running in a program on a standard desktop can do anything the user can do, up to and including erasing all the user's files. A virus running in a Pet can't. However, it can send a Windows message to the Start button telling it to select Run and execute erase *.*.

    The Polaris Beta adds an additional restriction to programs running in Pets. They can only send Windows messages to other windows associated with that same Pet. A virus running in a Pet can't even find out that the Start button exists.

    Unfortunately, upgrading to the Beta isn't simple because the Alpha doesn't have an Uninstall utility. That means a lot of manual work is required. If you're about to get a new machine, you might want to keep the Alpha release on your current machine and install the Beta on the new one. On the other hand, having the Alpha version on your machine won't interfere with your use of the Beta. After glancing through the instructions for removing the Alpha, you might just decide to leave it installed.

    If you want to leave the Alpha on your machine, then follow the first five steps. If you want to remove all vestiges of the Alpha, then do all of them. Read the instructions carefully. Because of the way the browser wraps text at the end of the line, some filenames end up split between two lines. Make sure you don't delete a folder when you should have deleted a single file.

    1. Record the names of all your Pets.
    2. Kill the powerbox.exe process.
      • Select the Processes tab in the Task Manager.
      • Find powerbox.exe and click End Process.
      • Click Yes in the dialog box that opens.
    3. Delete c:\Documents and Settings\alice\Start Menu\Programs\Start Menu\powerbox.exe, after substituting your userid for alice.
    4. Remove the Polarizer shortcut from your desktop.
    5. Delete any Pet shortcuts.
    6. Reboot. Sorry about that, but some folders can't be deleted unless you do.
    7. Unpolarize all existing Pets using the De-polarize button on the Polarizer.
    8. Verify that the Pets have been removed by typing net users in a command window. You'll remove any that are left in the next step.
    9. Delete the boxedAcct account and any accounts missed by the de-polarizer.
      • From Start select Control Panel.
      • Double click on User Accounts.
      • Highlight the entry boxedAcct and click Remove.
      • Repeat for any other Pet accounts you see. Their account names end with the string Acct. Just be sure you don't inadvertently delete an account unrelated to Polaris.
    10. Remove the OpenSafe option.
      • From the file explorer select Tools and Folder Options.
      • Click on the File Types tab.
      • For each filetype you associated with a Pet,
        • Highlight the filetype, and click Advanced. If the Advanced button doesn't show up, you don't have to do anything for this filetype.
        • Highlight OpenSafe, and click Remove.
        • Highlight Open, and click Set Default.
    11. Remove two registry entries.
      • Select Start, Run, enter regedit, and click OK.
      • In the registry editor, navigate to My Computer\HKEY_CLASSES_ROOT\*\shell\Polaris Send To Pet.
      • In the left panel, right click on this entry and select Delete.
      • Click OK.
      • Navigate to My Computer\HKEY_LOCAL_MACHINE\software\Hewlett-Packard\polaris.
      • In the left panel, right click on this entry and select Delete.
      • Click OK.
    12. Delete the following folders
      • c:\confinedrequests
      • c:\Documents and Settings\alice\appdirs, after substituting your userid for alice. Do NOT remove Application Data.
      • c:\Documents and Settings\xxxAcct, where xxx is the name of a former Pet. You may get a scary message about deleting a system or read-only file. If you do, click Yes to All.
      • c:\print
      • c:\runsafe
    13. You are now ready to install the Beta.

    Back to Table of Contents