nathangjones
Level 7

Command line scanner V6 doesn't scan all files

Hi

We were using an older version of the command line scanner with Bart PE and its McAfee plugin. Just tested and it scanned over 65,000 files on our PC.

Since the new SDATs mean we had to upgrade, I downloaded Command Line Scanner V6 and used its scan.exe with Bart PE.

Now when I run the scan, with the exact same options on the exact same PC, only 22,000 files are scanned.

Any ideas why this is?

thanks

0 Kudos
12 Replies
rackroyd
Level 16

Re: Command line scanner V6 doesn't scan all files

Hi,

More detail is needed to be able to comment on this.

Please provide what information you can for each scenario.

Rgds,

Rob,

0 Kudos
nathangjones
Level 7

Re: Command line scanner V6 doesn't scan all files

Hi. I've included more info:

We used to create Bart PE boot CDs and use the available SDAT files. This was when V1 & V2 DATs were both supported. The last boot CD I created used Command Line Scanner V5.40.0 (which was included with the SDAT). I guess the AV Engine then was 5.3.00.

On a reference PC, I boot from this CD, scan all files and subdirectories. The report shows a total of 64,768 files were scanned.

Now I need to update/recreate these boot CDs. I read the following McAfee articles:

KB67088 (How to create a Windows XP boot CD including McAfee Command Line Scanner).

KB66741 (Important info about the 5400 AV Scanning Engine)

I was instructed to download Command Line Scanner V6, since the V2 SDATs now only support the latest scanning engine V5.400. I now create the boot CD with the latest SDAT, extract scan.exe from Command Line Scanner V6 and insert it into the McAfee plugin files that Bart PE uses.

I now boot from this CD. As per KB68314, I use the /nc switch, since the scanning engine uses a digitally signed certificate; otherwise I get a mcscan32.dll failed integrity check error. Using the same reference PC, I scan all files and subdirectories. However the report shows only 22,574 files were scanned.

Is there a reason why so many fewer files are being scanned?

Thanks

0 Kudos
rackroyd
Level 16

Re: Command line scanner V6 doesn't scan all files

Thanks,

Actually the 5.40.0 Command Line Scanner uses the 5400 Engine, and so does the V6.0 command line scanner.

What switches (apart from /nc) are you using, and do you have any scan reports from both 5.40.0 and 6.0 you can share?

Rgds,

Rob.

0 Kudos
nathangjones
Level 7

Re: Command line scanner V6 doesn't scan all files

Hi.

I have attached reports from the scan using the old boot CD we had when scan.exe was part of the SDAT (scanv54.txt), and the one I just created using scan.exe from command line scanner V6 (scanv6.txt).

The switches were all automatically created, using the check boxes provided with the Bart PE McAfee Virus Scan Wrapper GUI. They are detailed in the reports, and as you can see they are the same with the exception of the /nc switch I included.

Thanks

0 Kudos
rackroyd
Level 16

Re: Command line scanner V6 doesn't scan all files

Thanks,

The Bart PE wrapper is not something we would have control over, but as you say the switches do look the same.

It looks like the only way you are likely to account for the difference is by including the /RPTALL switch so every scan is listed verbosely.

Then it would be a matter of working out the differences from the (now much larger) logs in both instances.

That would take some time, and may be something for a support call.

We would need you to be able to reproduce similar results outside of the Bart PE framework though, as we don't support 3rd party integrations of the Command Line Scanner directly, just the scanner itself.

It sounds like you should get the same (or similar) results scanning from the root of C:\ with the same switches and the machine booted normally.

If the problem can't be reproduced outside of the Bart PE framework though, you will need to take it up with NU2 Productions.

Something to bear in mind, which I think you've already realised: we no longer post the command line scanner in the daily superdat. There is a file with that name in the sdat, but it's just a stub for sdat compatibility.

Use of the command line scanner falls under licensing and is only available for download with a grant id.

Rgds,

Rob.

0 Kudos
nathangjones
Level 7

Re: Command line scanner V6 doesn't scan all files

Hi Rob

I have tested this again on the reference PC, but ran from within Windows, not via the Bart PE boot disk. Again there is a huge difference between the number of files scanned using the two versions of command line scanner.

I have attached the reports from both.

Thanks

0 Kudos
rackroyd
Level 16

Re: Command line scanner V6 doesn't scan all files

Hi,

As I mentioned before the only way you are likely to account for the difference is by including the /RPTALL switch so every scan is listed verbosely.

Then it would be a matter of working out the differences from the (now much larger) logs in both instances.

As an aside - what exactly is the full command line being used at the prompt to run the scan for both cases?

This isn't included in the summary.

Rgds,

Rob.

0 Kudos
nathangjones
Level 7

Re: Command line scanner V6 doesn't scan all files

The commands were

c:\vscl54> SCAN /ADL /MIME /SUB /UNZIP /ALL /RPTCOR /RPTERR /STREAMS /REPORT E:\SCANV54.TXT

and

c:\vscl6> SCAN /ADL /MIME /SUB /UNZIP /ALL /RPTCOR /RPTERR /STREAMS /REPORT E:\SCANV6.TXT /NC

Strangely, from the cmd prompt I ran dir /s c:\ and it listed total files of 22228 on this PC, which is very near what the V6 scanner totalled from within Windows and Bart PE.

Therefore the issue may be with the older version overstating what it's scanning, and not an issue with V6 after all.

I will include the RPTALL switch with both, and compare to see what's going on.

thanks

0 Kudos
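Added example, not part of the original thread: an independent baseline for the `dir /s` comparison in the post above, counting both the files on disk and the members inside ZIP archives (which `/UNZIP` asks the scanner to open), so a reported "files scanned" total can be checked against each figure. The function names and the sample tree are hypothetical and constructed; only ZIP archives are handled, and whether either scanner version counts archive members in its total is not stated on the page.

```python
import os
import tempfile
import zipfile
from collections import Counter

def baseline_counts(root):
    """Count files under root, and members of ZIP archives, without any scanner."""
    counts = Counter(files_on_disk=0, zip_archives=0, zip_members=0, unreadable=0)
    # onerror fires for directories that cannot be listed (e.g. access denied).
    for dirpath, _dirs, names in os.walk(root, onerror=lambda _e: counts.update(unreadable=1)):
        for name in names:
            path = os.path.join(dirpath, name)
            # os.walk also returns hidden/system files, which plain `dir /s` omits.
            counts["files_on_disk"] += 1
            try:
                if zipfile.is_zipfile(path):
                    with zipfile.ZipFile(path) as zf:
                        members = [m for m in zf.infolist() if not m.is_dir()]
                    counts["zip_archives"] += 1
                    counts["zip_members"] += len(members)
            except (OSError, zipfile.BadZipFile):
                counts["unreadable"] += 1
    return counts

def gap_report(counts, reported_total):
    """Difference between a scanner's reported total and each baseline."""
    on_disk = counts["files_on_disk"]
    return {"vs_files_on_disk": reported_total - on_disk,
            "vs_files_plus_zip_members": reported_total - on_disk - counts["zip_members"]}

def build_sample_tree(root):
    """Constructed sample: 3 plain files plus one ZIP holding 4 members."""
    os.makedirs(os.path.join(root, "sub"))
    for rel in ("a.txt", "b.exe", os.path.join("sub", "c.dll")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    with zipfile.ZipFile(os.path.join(root, "sub", "docs.zip"), "w") as zf:
        for i in range(4):
            zf.writestr(f"doc{i}.txt", "constructed member\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        counts = baseline_counts(tmp)
        print(dict(counts), gap_report(counts, reported_total=8))
```

A gap near zero against one baseline and large against the other indicates which kind of object the reported total is counting.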
rackroyd
Level 16

Re: Command line scanner V6 doesn't scan all files

Personally I suspect the lack of a defined scan path in the command line may have an effect on the behaviour between versions.

Try something like this instead:

c:\vscl6> SCAN /ADL /MIME /SUB /UNZIP /ALL /RPTCOR /RPTERR /STREAMS /REPORT E:\SCANV6.TXT /NC c:\*.*

or

c:\vscl6> SCAN /MIME /SUB /UNZIP /ALL /RPTCOR /RPTERR /STREAMS /REPORT E:\SCANV6.TXT /NC c:\*.*

I know this is contrary to the /ADL switch (All Drives Local), and perhaps the /SUB switch too, and maybe that's a behavioural issue which can be looked at through a support call if you wish to open one.

This might not be exactly the right combination on the command line, but I think you're on the right path now (no pun intended).

I'd take a look at that before breaking down the verbose scan report.

Hth,

Rob.

0 Kudos