Had a strange situation at a customer that was infected with a variant of W32/xirtem@mm that I hope someone in here can give an answer to.
What happened was that this customer had several .EXE Win32 Cabinet Self-Extractor files on several different shares that were the virus file - when opened, a DOCUMENT.EXE lay behind and was the real virus file.
What I did was copy one of the EXE files to a workstation that had not been infected and use the 18.104.22.1686 command-line scanner to scan the EXE file, first with DAT 6185 (released on 2 Dec.) and then with the Beta DATs - both ended with no detection.
Then I installed VSE 8.7 on this workstation, updated the DAT files to 6185 and scanned this sample, and now I got a detection of a W32/xirtem@mm worm - the question is why there is a difference in the result when scanning with VSE 8.7i and with the command-line scanner when using the same DAT files.
The syntax I used in the command-line scanner was: Scan /adl /all /Program /Analyze /report c:\virrep.txt
Since cab is an archive format, you may need to include either /unzip or /secure with the command line scanner.
You are absolutely right on - adding /unzip to the syntax I used gave the result that I was looking for. This would trick the command-line scanner into scanning inside the Cabinet file and finding the virus.
So thanks for your feedback
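The thread above turns on one point: the malicious DOCUMENT.EXE was wrapped in a Win32 Cabinet self-extractor, and a scanner that does not open archives only sees the outer stub. The following Python triage helper, added here as an example and not part of the original thread or of any McAfee tool, shows what "looking inside" means: it locates the MSCF cabinet header that a self-extractor appends after its PE stub and walks the CFFILE records to list the embedded file names. The sample blob it parses is constructed inline (a fake 64-byte stub plus a minimal cabinet carrying one entry named DOCUMENT.EXE); no real malware is involved.

```python
import struct

# Structures from the Microsoft Cabinet (MSCF) format, little-endian.
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36 bytes
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")            # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA = struct.Struct("<IHH")               # csum, cbData, cbUncomp

def find_cabinets(data):
    """Return every offset of an MSCF signature; a self-extractor's CAB sits after its stub."""
    offs, i = [], data.find(b"MSCF")
    while i != -1:
        offs.append(i)
        i = data.find(b"MSCF", i + 4)
    return offs

def list_cab_files(data, start):
    """Parse the CFHEADER at `start` and return [(name, uncompressed_size), ...]."""
    sig, _, _, _, coff_files, _, _, _, _, n_files, _, _, _ = CFHEADER.unpack_from(data, start)
    if sig != b"MSCF":
        raise ValueError("no cabinet header at offset %d" % start)
    pos = start + coff_files            # coffFiles is relative to the cabinet start
    entries = []
    for _ in range(n_files):
        size, _, _, _, _, _ = CFFILE.unpack_from(data, pos)
        pos += CFFILE.size
        end = data.index(b"\x00", pos)  # szName is NUL-terminated
        entries.append((data[pos:end].decode("latin-1"), size))
        pos = end + 1
    return entries

def build_sample():
    """Constructed test blob: a stand-in PE stub followed by a one-file, uncompressed cabinet."""
    name = b"DOCUMENT.EXE\x00"
    payload = b"MZ" + b"\x00" * 30          # constructed inner file bytes, not a real PE
    cab_start = CFHEADER.size + CFFOLDER.size + CFFILE.size + len(name)
    folder = CFFOLDER.pack(cab_start, 1, 0)  # one CFDATA block, no compression
    cffile = CFFILE.pack(len(payload), 0, 0, 0, 0, 0x20) + name
    cfdata = CFDATA.pack(0, len(payload), len(payload)) + payload
    total = CFHEADER.size + len(folder) + len(cffile) + len(cfdata)
    header = CFHEADER.pack(b"MSCF", 0, total, 0, CFHEADER.size + CFFOLDER.size,
                           0, 3, 1, 1, 1, 0, 0, 0)
    stub = b"MZ" + b"\x90" * 62               # 64-byte stand-in for the self-extractor stub
    return stub + header + folder + cffile + cfdata

if __name__ == "__main__":
    blob = build_sample()
    for off in find_cabinets(blob):
        print("cabinet at offset %d contains: %s" % (off, list_cab_files(blob, off)))
```

On a real self-extractor the outer file is what a non-unpacking scan sees; the names returned here are the objects an archive-aware scan (the /unzip switch in the thread) actually gets to inspect.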