Good command line scanner


Oliver Betz

Hello All,

which virus scanner combines these properties as well as possible:

- detect/report ZIP bombs (e.g. by limiting the processing time or
nesting level),
- unpacks (also malformed) email attachments,
- Win32 command line application supporting long file names,
- simple signature update e.g. by downloading by FTP/HTTP,
- preferably no temp disk files (staying there in case of a crash),
- not too expensive for some 10 computers?

I do _not_ like some bloated windows app for the update job, since it
has to run on a mail/file server and it must also interact with the
mail server software (stop it during the update). The best thing would
be to have signature files accessible via ftp, with reliable time
stamps. In this case, the updates can be done with a simple script and
wget (downloading only if there is a newer file).

Regarding decompression bombs: a signature based system is IMHO
useless. The best would be a processing time limit. In addition, the
used memory (RAM, disk) must be limited.


At the moment, we have a 20 computer F-Prot/DOS license. It works very
well, a nightly job looks for new signatures, mail server integration
is simple and transparent. For some workstations, I have single file
checking in the context menu. On-demand scanning of workstations via
logon script or manually.

But F-Prot
- can be knocked out by a ZIP bomb (e.g. 42.ZIP),
- doesn't support long file names and long directory paths, therefore
doesn't scan "on demand" systems with deep directory structures
(usually NT4, W2K, XP).

fpcmd.exe doesn't seem to be the "perfect" solution:

Still vulnerable.

You have to pay and download the full Windows version. In our case no
noticeable difference, but for more computers more than twice the
money (e.g. 71EUR instead of 23EUR for 20 computers).

Updating the engine is much more complicated, no simple download and
extract.

There is no interactive mode, so you have to set up batch files (not
so important).

No "scan all local hard disks" option.

No "beep" - although this didn't work very well with F-Prot and >=NT4.

Needs some output filtering (e.g. through a simple perl script) since
it puts tons of "unsupported compression method", "in use by another
application", "unknown file format", "in use by another application"
and maybe "encrypted" messages in the log file.

Thanks in advance,

Oliver
 

David H. Lipman

McAfee's Command Line Scanner. It is a mixed mode DOS/Win32 executable that fully scans
nested ZIP files, scans MIME and has no problems w/long file names.

/AD Scan all drives (not removable media).
/ADL Scan all local drives (not removable media).
/ADN Scan all network drives.
/AFC=<cache size> Set the Size of the Internal Cache Used When Decompressing Archive Files.
/ALL Scan all files regardless of filename extension.
/ALLOLE Treat all files as compound/OLE regardless of extension

/ANALYZE Turn on heuristic analysis for programs and macros.
/APPEND Append to report file rather than overwriting.
/BOOT Scan boot sector and master boot record only.
/CHECKLIST <filename> Scan list of files contained in <filename>.
/CLEAN Clean viruses from infected files and system areas.
/CONTACTFILE <filename> Display contents of <filename> when a virus is found.
/DAM Remove all macros from infected MS Office files.
/DEL Delete infected files.
/DOHSM Scan migrated files (hierarchical storage management).
/EXCLUDE <filename> Do not scan files listed in <filename>.
/EXTLIST List file extensions scanned by default.
/EXTRA <filename> Scan using an extra DAT file.
/FAM Find all macros - not just infected macros.
Used with /DAM will remove all macros.
/FREQUENCY <hours> Do not scan <hours> after the previous scan.
/HELP Display this help screen.
/HTML <filename> Create an HTML report file.
/LOAD <filename> Load options from <filename>.
/MAILBOX Scan inside plain text mailboxes.
/MANALYZE Turn on macro heuristics.
/MANY Scan many floppy diskettes.
/MIME Scan inside MIME, UUE, XXE and BinHex files.
/MOVE <dir> Move infected files into directory <dir>, preserving path.
/NOBACKUP Do not prompt for a backup diskette during a sector repair.
/NOBOOT Do not scan boot sectors.
/NOBREAK Disable Ctrl-C / Ctrl-Break during scanning.
/NOCOMP Do not scan self extracting executables by default.
/NOD Don't switch into /ALL mode when repairing.
/NODDA No direct disk access.
/NODOC Do not scan MS Office files.
/NOEXPIRE Disable data files expiration date notice.
/NOMEM Do not scan memory for viruses.
/NODECRYPT Don't scan password-protected MS Office documents.
/NOJOKES Do not alert on joke files.
/NORENAME Do not rename infected files that cannot be cleaned.
/PANALYZE Turn on program heuristics.
/PAUSE Pause at end of each screen page.
/PLAD Preserve Last Access Dates on Novell NetWare drives.
/PROGRAM Scan for potentially unwanted applications.
/REPORT <filename> Report names of viruses found into <filename>.
/RPTALL Include all scanned files in the /REPORT file.
/RPTCOR Include corrupted files in /REPORT file.
/RPTERR Include errors in /REPORT file.
/SILENT Disable all screen output.
/STREAMS Scan inside NTFS streams (NT only).
/SUB Scan subdirectories.
/TIMEOUT <seconds> Set the maximum time to spend scanning any one file.
/UNZIP Scan inside archive files.
/VIRLIST Display virus list.
/WINMEM Scan all Running Windows Processes.
/WINMEM=<pid> Scan the Running Windows Process With Process ID <pid>.

~ ~ ~

Dave
 

Zebulon Blah

| But F-Prot
| - doesn't support long file names and long directory paths, therefore
| doesn't scan "on demand" systems with deep directory structures
| (usually NT4, W2K, XP).
|
Interesting. My version of F-PROT for DOS can detect the Eicar Test File with an artificially
long file name (about 60 characters), buried five directories deep. This is with Win2000,
using FAT32.

Z
 

me

Zebulon said:
Interesting. My version of F-PROT for DOS can detect the Eicar Test File with an artificially
long file name (about 60 characters), buried five directories deep. This is with Win2000,
using FAT32.

Z

Some paths may be longer than DOS can handle (over 127?).

J
 

Zvi Netiv

> Interesting. My version of F-PROT for DOS can detect the Eicar Test File with an artificially
> long file name (about 60 characters),

DOS scanners refer to the 8.3 DOS name.

> buried five directories deep. This is with Win2000,
> using FAT32.

Nothing to do with the DOS limitation of the path string to 64 characters max.
Under Windows, there is no limitation on the allowed path string length from the
DOS shell, independently of the file system, be it FAT, FAT32 or NTFS.

Secondly, the deepest that DOS can reach isn't limited by the number of
subdirectory levels but to the length of the path string! For example, if you
use a single character for directory names then you can go 31 levels down (64
divided by two, minus one, for the drive designation) until the limit is
reached, for example: "C:\A\B\C\D ..."

Regards, Zvi
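As an added example (not code from Zvi or anyone else in this thread): a Python check that applies the 64-character path-string limit he describes to candidate paths, so an administrator running F-Prot/DOS on demand can list which files in a deep NT4/W2K/XP tree would be skipped silently. The limit, the 12-character bound used for a generated 8.3 alias (the real alias, e.g. PROGRA~1, may be shorter) and the sample paths are assumptions or constructed values.

```python
import re

DOS_PATH_LIMIT = 64    # path-string limit quoted in the thread (assumed to cover the whole string)
ALIAS_MAX = 12         # a generated 8.3 alias such as LONGNA~1.TXT is at most 8 + 1 + 3 characters
EIGHT_DOT_THREE = re.compile(r'^[^\\/:*?"<>|. ]{1,8}(\.[^\\/:*?"<>|. ]{1,3})?$')

def max_levels(name_len=1, drive="C:", limit=DOS_PATH_LIMIT):
    """How many levels of `name_len`-character directory names fit; reproduces Zvi's figure of 31."""
    return (limit - len(drive)) // (name_len + 1)

def classify(path):
    """Say whether a DOS scanner can reach `path`: 'reachable', 'at risk' or 'unreachable'."""
    drive, _, rest = path.partition("\\")
    comps = [c for c in rest.split("\\") if c]
    exact = all(EIGHT_DOT_THREE.match(c) for c in comps)
    # worst-case length of the 8.3 form: valid 8.3 names keep their length, others become an alias
    worst = len(drive) + sum(1 + (len(c) if EIGHT_DOT_THREE.match(c) else ALIAS_MAX) for c in comps)
    if worst <= DOS_PATH_LIMIT:
        return "reachable"
    return "unreachable" if exact else "at risk"   # an alias may be shorter, so only a risk

def report(paths):
    """Group paths by verdict, for a coverage check of an on-demand DOS scan."""
    out = {"reachable": [], "at risk": [], "unreachable": []}
    for p in paths:
        out[classify(p)].append(p)
    return out

# constructed sample paths
SAMPLE_PATHS = [
    "C:\\WINNT\\SYSTEM32\\NTOSKRNL.EXE",
    "C:" + "\\A" * 31,                           # 64 characters: the last level DOS still reaches
    "C:" + "\\A" * 32,                           # one level too deep with exact 8.3 names: skipped
    "C:\\WINNT\\Driver Cache\\i386\\Printer Drivers\\Third Party\\Model Twelve\\driver.sys",
]
```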
 

Oliver Betz

David H. Lipman said:
McAfee's Command Line Scanner. It is a mixed mode DOS/Win32 executable that fully scans
nested ZIP files, scan MIME and has no problems w/long file names.

Looks good, but it seems that it's hard to get "VirusScan Command
Line" as a single product. NAI's web site and shop is a nightmare...

I was not able to find quickly any dealer or pricing information for
10 computers.

Is "VirusScan Command Line" sold only through special channels?

Oliver
 

David H. Lipman

Nope it is part of the McAfee ENGINE.

Dave



 

Oliver Betz

David H. Lipman said:
/TIMEOUT <seconds> Set the maximum time to spend scanning any one file.

Although this prevents the scan from running too long, the return code is still
zero if the operation timed out, and there is no entry in the badlist,
so one has to create and check a log file to find ZIP
bombs.

IMO, a time out should cause a nonzero return code.

And the log file contains the names of all remaining files in the ZIP
file - not so nice: the Java runtime creates some 6000 lines in the
log file, the WIN NT driver cache another 3000 lines.

Maybe for scanning mails, a short timeout is appropriate, and for "on
demand" scanning a very long timeout. Or exclude jre and driver
cache...

Oliver
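As an added example (not code from any post in this thread), here is a Python check that does what the first post asks for and what the /TIMEOUT switch discussed above does not deliver: it inspects an attachment's ZIP data in memory, refuses it on a nesting depth, a declared compression ratio or an inflated-byte budget, and returns a distinct verdict string so a mail-server wrapper can exit nonzero. The three limits and the sample archives (a zip-in-zip chain, a highly compressible one and a deliberately truncated one) are assumed or constructed, not taken from any scanner.

```python
import io, zipfile, zlib
MAX_DEPTH, MAX_RATIO, MAX_TOTAL, CHUNK = 3, 100, 50 * 1024 * 1024, 64 * 1024   # assumed limits

class Suspicious(Exception): pass   # raised as soon as a limit is hit, before anything large is inflated

def inspect_zip(data, depth=0, budget=None):
    """Inspect an in-memory archive; return the number of members checked."""
    budget = [MAX_TOTAL] if budget is None else budget   # one budget shared across nesting levels
    if depth >= MAX_DEPTH:
        raise Suspicious("nesting deeper than %d levels" % MAX_DEPTH)
    members = 0
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        for info in zf.infolist():
            # header sizes are attacker-controlled: use them only to refuse early, then count real output
            if info.compress_size and info.file_size > MAX_RATIO * info.compress_size:
                raise Suspicious("%s: ratio %d:1" % (info.filename, info.file_size // info.compress_size))
            inflated = bytearray()
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(CHUNK), b""):
                    budget[0] -= len(chunk)
                    if budget[0] < 0:
                        raise Suspicious("inflated data exceeds %d bytes" % MAX_TOTAL)
                    inflated += chunk
            members += 1
            if inflated.startswith(b"PK\x03\x04"):   # nested archive, detected by magic, not by name
                members += inspect_zip(bytes(inflated), depth + 1, budget)
    except (zipfile.BadZipFile, zlib.error) as exc:
        raise Suspicious("malformed archive: %s" % exc)
    return members

def verdict(data):   # one string per attachment; a wrapper exits nonzero on "SUSPICIOUS"
    try:
        return "ok (%d members)" % inspect_zip(data)
    except Suspicious as exc:
        return "SUSPICIOUS: %s" % exc

def make_zip(entries):   # builds the constructed samples below from (name, bytes) pairs
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()

BENIGN = make_zip([("readme.txt", b"hello"), ("inner.zip", make_zip([("a.txt", b"x")]))])
BOMB = make_zip([("zeros.bin", b"\0" * (2 * 1024 * 1024))])   # about 1000:1, like one layer of 42.zip
NESTED = b"x"
for _ in range(4): NESTED = make_zip([("inner.zip", NESTED)])   # four levels of zip-in-zip
BROKEN = b"PK\x03\x04truncated"                                 # a malformed attachment
```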
 

Oliver Betz

[Is "VirusScan Command Line" sold only through special channels?]
> Nope it is part of the McAfee ENGINE.

I'm not sure what you mean. NAI writes about a product "VirusScan
Command Line", but it's not in their shop. Most software resellers
don't sell it either.

Now I will check two large German distributors.

All this is much harder than ordering a 10 computer license of F-Prot.

Oliver
 

Frans Meijer

Oliver said:
> [Is "VirusScan Command Line" sold only through special channels?]
> > Nope it is part of the McAfee ENGINE.
>
> I'm not sure what you mean. NAI writes about a product "VirusScan
> Command Line", but it's not in their shop. Most software resellers
> don't sell it either.

It is probably distributed together with the 'regular' windows based scanner.
It used to be anyway. Much the same as F-Prot and Norton, except that f-prot
makes their DOS commandline scanner available for free (the 32bit commandline
scanner comes only with the full Windows package).
 

Oliver Betz

[Is "VirusScan Command Line" sold only through special channels?]
> It is probably distributed together with the 'regular' windows based scanner.

It is also sold as a separate product, but dealers are hard to find.
After all, those dealers have so many NAI Antivirus products and
volume programs that it's hard to find and/or understand what to buy.
That's inefficient and annoying.

> It used to be anyway. Much the same as F-Prot and Norton, except that f-prot
> makes their DOS commandline scanner available for free (the 32bit commandline

Only for non-commercial use. But I have no problem paying 23EUR for a
20 computer license (although we don't have 20 computers...), especially
because ordering is _simple_ at https://secure.f-prot.com/cgi-bin/buy

> scanner comes only with the full Windows package).

Paying 39EUR for a 10 computer F-Prot/Windows license is one
disadvantage, but I need to _install_ the Package (with rather useless
GUI stuff) to get fpcmd.exe on each engine update. And it lacks some
features of the DOS version (see the "F-Prot for Windows development
stoped?" thread).

I wish that the next F-Prot version combines the features of the DOS
and the Win32 version, and adds things like timeout. And it would be
great to have a F-Prot/Commandline (with fpcmd) instead of (or in
addition to) F-Prot/DOS.

Oliver
 
