Remrem
Level 7

VirusScan Command Line Scanner not scanning in Win32 Cabinet files

Hi All

Had a strange situation at a customer that was infected with a variant of W32/xirtem@mm that I hope someone in here can give an answer to.

What happened was that this customer had several .EXE Win32 Cabinet Self-Extractor files on several different shares that were the virus file - When opening, a DOCUMENT.EXE lay behind and was the real virus file.

What I did was copy one of the EXE files to a workstation that had not been infected and used the 6.0.3.356 command-line scanner and scanned the EXE file with first DAT 6185 (released per 2. Dec.) and then with the Beta DATs - Both ended with no detection.

Then I installed the VSE 8.7 to this workstation and updated the DAT files to 6185, and then scanned this sample, and now I got a detection on a W32/xirtem@mm worm - Question is why is there a difference in the result when scanning with the VSE 8.7i and the command-line scanner when using the same DAT files.

The syntax I used in the command-line scanner was: Scan /adl /all /Program /Analyze /report c:\virrep.txt

Please advise

Best Regards

RemRem

0 Kudos
2 Replies
rackroyd
Level 16

Re: VirusScan Command Line Scanner not scanning in Win32 Cabinet files

Hi,

Since cab is an archive format, you may need to include either /unzip or /secure with the command line scanner.

Rgds,

Rob

0 Kudos
TONI_N
Level 7

Re: VirusScan Command Line Scanner not scanning in Win32 Cabinet files

Hi Rob

You are absolutely right on - Adding the /unzip to the syntax I used gave the result that I was looking for. This would trick the command-line scanner into scanning inside the Cabinet file and find the virus.

So thanks for your feedback

0 Kudos
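For triage of files like the ones discussed in this thread, the following added example (not part of the original posts and not McAfee code) locates a cabinet embedded in an executable image by its `MSCF` header and lists the member names, so an analyst can see that a payload such as DOCUMENT.EXE sits inside an archive layer. The function names and the sample bytes are constructed for illustration; the header checks are heuristics.

```python
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # fixed 36-byte cabinet header
CFFILE = struct.Struct("<IIHHHH")            # 16 bytes, then NUL-terminated name

def parse_cab(data, base):
    """Return member names if a plausible cabinet starts at base, else None."""
    if base + CFHEADER.size > len(data):
        return None
    (_sig, r1, cb_cab, r2, coff_files, r3, vminor, vmajor,
     _folders, n_files, _flags, _set_id, _i_cab) = CFHEADER.unpack_from(data, base)
    # Heuristic: reserved fields zero, version 1.3, sizes inside the file.
    if r1 or r2 or r3 or (vmajor, vminor) != (1, 3):
        return None
    end_cab = base + cb_cab
    if not CFHEADER.size <= coff_files < cb_cab or end_cab > len(data):
        return None
    names, off = [], base + coff_files
    for _ in range(n_files):
        off += CFFILE.size
        nul = data.find(b"\0", off, end_cab) if off < end_cab else -1
        if nul == -1:
            return None
        names.append(data[off:nul].decode("latin-1"))
        off = nul + 1
    return names

def find_embedded_cabinets(data):
    """Scan a whole file image for MSCF headers; return [(offset, names)]."""
    found, pos = [], data.find(b"MSCF")
    while pos != -1:
        names = parse_cab(data, pos)
        if names is not None:
            found.append((pos, names))
        pos = data.find(b"MSCF", pos + 1)
    return found

def build_sample():
    """Constructed stand-in for a self-extractor: stub bytes plus a tiny cabinet."""
    name = b"DOCUMENT.EXE\0"
    cb = CFHEADER.size + 8 + CFFILE.size + len(name)
    cab = CFHEADER.pack(b"MSCF", 0, cb, 0, CFHEADER.size + 8, 0, 3, 1, 1, 1, 0, 0, 0)
    cab += struct.pack("<IHH", cb, 0, 0)           # one CFFOLDER, no data blocks
    cab += CFFILE.pack(0, 0, 0, 0, 0, 0) + name    # one CFFILE entry
    stub = b"MZ" + b"\x90" * 62 + b"MSCF-decoy-string" + b"\0" * 15
    return stub + cab

if __name__ == "__main__":
    for offset, names in find_embedded_cabinets(build_sample()):
        print(f"cabinet at offset {offset}: {names}")
```

Listing member names does not inspect their contents: the members are normally stored compressed, which is why the scanner has to be told to decompress the archive before signatures can match.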