Reliable Contributor rmetzger
Message 1 of 7

Command Line Scanning, McAfee CLS, Batch

Periodically, the VirusScan Enterprise forum receives requests for a Command Line Scanner or API for .Net or other languages.

Usually, this is done to scan files 'Uploaded' to a server or such.

A couple of points:

1) If VirusScan Enterprise (VSE) is installed and running, this should not be necessary. However, VSE can be left in a configuration that allows more than the Security Administrator might like for an Internet facing  server. To augment VSE, a programmed method of scanning can use McAfee's Command Line Scanner (CLS).

2) VSE has Scan32.exe (and Scan64.exe for x64 systems) but I have found limited documentation on their use from the Command Line interface. Also, VirusScan Command Line Scanner can run independently of VSE as a second line of defense. As such, it can be configured as needed without compromising the primary defense using VSE.

Also, McAfee CLS has logging and exit error codes relevant to the programmer or systems/security administrator.

3) I am sure McAfee has an API, but whether they will disclose this is up to McAfee. Disclosure might open up security holes they would prefer not to open. Contact McAfee directly to see if this API is available. Alternatively, I would suggest the Command Line Scanner instead.

I have compiled some of my thoughts on using McAfee's Command Line Scanner. Some content is directly from McAfee documentation.

Feel free to use the examples, but you must assume all responsibility for any actions, losses, or problems encountered.

I may add to another discussion to document my thoughts with Stinger Command Line at a later time.

Anyway, here is my mind dump.

-     -     -     -     -     -     -     -     -

Download VirusScan Command Line Scanners

Enter your valid Grant Number here:

http://www.mcafee.com/us/downloads/downloads.aspx

Click on the 'Endpoint Protection Suite' (or your licensed product)

    Endpoint Security

        VirusScan Command Line Scanners

Download the product and integrate it within your application.

-    -    -    -    -    -    -    -    -    -

VirusScan Command Line Scanner, Command Line Options:

McAfee VirusScan Command Line for Win32 Version: 6.0.4.564

Copyright (C) 2013 McAfee, Inc.

(408) 988-3832 LICENSED COPY - June 24 2013

Usage: scan [object1] [object2...] [option1] [option2...]

   /?                                   : Display this help screen.

   /AD                                : Scan all drives (not removable media).

   /ADL                              : Scan all local drives (not removable media).

   /ADN                             : Scan all network drives.

   /AFC=<cache size>      : Set the Size(in MB) of the Internal Cache Used When Decompressing Archive Files.

   /ALL                              : Scan all files regardless of filename extension.

   /ALLOLE                       : Treat all files as compound/OLE regardless of extension.

   /ANALYZE                    : Turn on heuristic analysis for programs and macros.

   /APPEND                       : Append to report file rather than overwriting.

   /APPENDBAD                : Append to bad file rather than overwriting.

   /ASCII                            : Display filenames as ASCII text.

   /BADLIST=<filename>   : Filename and path for bad list log file.

   /BOOT                           : Scan boot sector and master boot record Only.

   /CHECKLIST=<filename>   : Scan list of files contained in <filename>.

   /CLEAN                         : Attempt to clean infected files.

   /CONTACTFILE=<filename> : Display contents of <filename> when a virus is found.

   /DAM                             : Remove all macros from infected MS Office files.

   /DECOMPRESS             : Converts avv*.dat files and creates runtime.dat file

                                        : Must be done by itself

   /DEL                              : Delete infected files except archive files.

   /DOHSM                        : Scan migrated files(hierarchical storage management).

   /DRIVER=<dir>              : Directory specifying location of DAT files.

   /EXCLUDE=<filename>  : Do not scan files/directories listed in <filename>.

   /EXTENSIONS               : Scan defaults & user extension list.

   /EXTLIST                       : List file-extensions scanned by default.

   /EXTRA=<filename>     : Specify the full path and file name of any extra.dat file.

   /FAM                             : Find all macros - not just infected macros. Used with /DAM will remove all macros.

   /FDC                             : Force digital signature check.

   /FREQUENCY=<hours>  : Do not scan <hours> after the previous scan.

   /HELP                           : Displays this help

   /HTML=<filename>       : Create and specify a HTML report file.

   /LOAD=<filename>      : Load options from <filename>.

   /LOUD                          : Include all scanned files in the /REPORT file.

   /MAILBOX                    : Scan inside plain text mailboxes.

   /MANALYZE                : Turn on macro heuristics.

   /MANY                         : Scan many floppy diskettes.

   /MAXFILESIZE=<size> : Examine Only those files smaller than the specified size(in MB).

   /MEMSIZE=<size>        : File size(in KB) to load into memory for scanning limited by a maximum file size defaulting to 1MB.

   /MIME                           : Scan inside MIME, UUE, XXE and BinHex files.

   /MOVE=<dir>               : Move infected file into directory <dir>, preserving path.

   /NC                              : No Integrity Check; Use without Internet connection. see KB68314

                                       : The program performs a standard digital signing check of the engine binary prior

                                       : to execution. If the computer is not connected to the Internet, this check can fail

                                       : unexpectedly. The scan will still continue. Without a connection to the Internet,

                                       : files like mcscan32.dll will fail the digital signature check. /NC skips the check.

   /NOBKSEM                  : Prevent scanning of files that are normally protected.

   /NOBOOT                    : Do not scan boot sectors.

   /NOBREAK                  : Disable Ctrl-C / Ctrl-Break during scanning.

   /NOCOMP                    : Do not scan self extracting executables by default.

   /NOD                           : Don't switch into /ALL mode when repairing.

   /NODDA                      : Do not scan boot sectors.

   /NODECRYPT              : Don't scan password-protected MS Office documents.

   /NODOC                      : Do not scan MS Office files.

   /NOEXPIRE                  : Disable data files expiration date notice.

   /NOJOKES                  : Do not alert on joke files.

   /NOMEM                      : Do not scan memory for viruses.

   /NORECALL                : Do not move files from remote storage into local storage after scanning.

   /NORENAME               : Do not rename infected files that cannot be cleaned.

   /NOSCRIPT                 : Do not scan files that contain HTML, JavaScript, Visual Basic, or Script Component Type Libraries.

   /PANALYZE                : Turn on program heuristics.

   /PAUSE                       : Pause at end of each screen page.

   /PLAD                         : Preserve the last-accessed time and date for files that are scanned.

   /PROGRAM                 : Scan for potentially unwanted applications.

   /RECURSIVE               : Examine any subdirectories in addition to the specified target directory.

   /REPORT=<filename> : Report names of viruses found into <filename>.

   /RPTALL                     : Include all scanned files in the /REPORT file.

   /RPTCOR                    : Include corrupted files in /REPORT file.

   /RPTERR                     : Include errors in /REPORT file.

   /RPTOBJECTS            : Reports number of objects at all levels scanned in summary.

   /SECURE                    : Equivalent to Analyse, doall, unzip.

   /SHOWCOMP             : Report any files that are packaged.

   /SILENT                      : Disable all screen output.

   /STREAMS                 : Scan inside NTFS streams (NT & DATAPOL Only).

   /SUB                          : Examine any subdirectories in addition to the specified target directory.

   /THREADS=<nn>       : Set scan thread count.

   /TIMEOUT=<seconds> : Set the maximum time to spend scanning any one file.

   /UNZIP                       : Scan inside archive files, such as those saved in ZIP, LHA, PKarc, ARJ, TAR, CHM, and RAR.

   /VERSION                  : Display the scanner's version number.

   /VIRLIST                    : Display virus list.

   /WINMEM[=<pid>]      : If pid given scans the Windows Process with Process ID <pid> otherwise scans all Windows Processes.

   /XMLPATH=<filename> : Filename and path for XML log file.

   * Mandatory

I included a couple of 'semi-undocumented' options.

Consider using the /DECOMPRESS function after updating VSE Dat files. This improves scan performance.

The /NC option may be needed if your server or PC doing the scan is not connected to the Internet.

-    -    -    -    -    -    -    -    -    -

Options with parameters.

Where an option has a parameter, insert only one space between them. For example, the following commands are intended to scan all directories on the C disk, and list any infected files in the file named BADLIST.TXT. The first command is valid, but the second command gives an error message because it has more than one space between the /BADLIST option and its parameter, BADLIST.TXT.

SCAN C:\ /SUB  /BADLIST BADLIST.TXT     &:: works

SCAN C:\ /SUB /BADLIST  BADLIST.TXT    &:: fails

SCAN C:\ /SUB  /BADLIST=BADLIST.TXT     &:: works

In the second line, /BADLIST has 2 spaces before BADLIST.TXT and errors out.

Instead of a space, use the = character, which seems to work and is more clear.

-    -    -    -    -    -    -    -    -    -

Improve Performance by creating Runtime.dat (cache) file.

Scan32.exe, Scan64.exe, and Scan.exe use the signature files (avvscan.dat, avvclean.dat, and avvnames.dat) to scan files. As part of the process, the scan engine combines these files (in RAM) to scan the file. Scan32 and Scan64, when signatures are updated, create the combined file Runtime{date}.dat (cache) to improve performance, storing the combined file on disk. Scan.exe can do the same with the /DECOMPRESS switch. This improves performance dramatically between each scan, as it no longer needs to recombine the signature files.

To create faster scanning:

1) cd to the directory containing Scan.exe and associated files.

2) Delete existing avv*.dat and runtime.dat files:

    avvscan.dat avvclean.dat avvnames.dat runtime.dat

3a) Download today's ????xdat.exe to the directory containing Scan.exe

    Extract the contents (using today's version):

     7523xdat.exe /E

    This will extract today's avv*.dat (avvscan.dat avvclean.dat avvnames.dat)

      or

3b)  copy the latest avv*.dat to the directory containing Scan.exe

4) Construct a new Runtime.dat cache file

    Scan /DECOMPRESS

Now, when running Scan.exe, Scan.exe sees Runtime.dat and simply loads this instead of rebuilding it each time, in RAM.

Batch code snippet:

@echo off

rem  Please use with caution, add error checking, assume responsibility

rem  for the following code segment. I will assume no responsibility for

rem  any actions or losses that may occur based on your use of this code.

rem  Use at your own risk.

rem 1. Modify this directory to your liking.

    cd McAfee\Scanner

rem 2. Delete the old DAT and cache files, then use your preferred method

rem    to download ????xdat.exe to this directory.

    for %%F in (avvscan avvclean avvnames runtime) do if exist "%%~F.dat" del "%%~F.dat"

    for %%F in (GSDSuper.dll Sdatpack.lst NaiScrip.nsc) do if exist "%%~F" del "%%~F"

rem 3a. Once downloaded, extract the contents

    7523xdat.exe /E .

rem 3b. Alternatively, copy current avvscan.dat avvclean.dat avvnames.dat

rem     from the latest updated VSE to this directory

rem if exist "%CommonProgramFiles%\McAfee\Engine\avv*.dat"    copy "%CommonProgramFiles%\McAfee\Engine\avv*.dat"

rem if exist "%CommonProgramFiles(x86)%\McAfee\Engine\avv*.dat"    copy "%CommonProgramFiles(x86)%\McAfee\Engine\avv*.dat"

rem 4. Create runtime.dat, delete existing if it exists.

rem del runtime.dat

    Scan /DECOMPRESS

-    -    -    -    -    -    -    -    -    -

Scan.exe Exit Codes / ErrorLevel

ErrorLevel  Description

      0     The scanner found no viruses or other potentially unwanted software, and returned no errors.

      2     Integrity check on DAT file failed.

      6     A general problem occurred.

      8     The scanner was unable to find a DAT file.

     10     A virus was found in memory.

     12     The scanner tried to clean a file, the attempt failed, and the file is still infected.

     13     The scanner found one or more viruses or hostile objects such as a Trojan-horse program, joke program, or test file.

     15     The scanner's self-check failed; the scanner may be infected or damaged.

     19     The scanner succeeded in cleaning all infected files.

     20     Scanning was prevented because of the /FREQUENCY option.

     21     Computer requires a reboot to clean the infection.

-    -    -    -    -    -    -    -    -    -

Command Line Example(s):

Assume name=ScanIT.bat

@echo off

rem  Please use with caution, add error checking, assume responsibility

rem  for the following code segment. I will assume no responsibility for

rem  any actions or losses that may occur based on your use of this code.

rem  Use at your own risk.

rem Pass a parameter of the file or directory you wish to scan.

rem 1. Modify this directory to your liking.

    cd McAfee\Scanner

rem 2. Scan All files (or files in subdirectories) specified at batch file start.

rem    Make sure a parameter is specified, such as C:\Upload\ or C:\Upload\AFile.exe

rem    Note: Directories must be specified with an ending \

rem    /APPEND takes no parameter (see the option list); the log file is named with /REPORT.

  Scan %* /ANALYZE /ALL /CLEAN /DAM /NC /NOEXPIRE /PLAD /PROGRAM /SUB /STREAMS /UNZIP /THREADS=4 /TIMEOUT=15 /REPORT=C:\McAfee\Logs\Scan.log /APPEND /EXCLUDE=Exclude.lst

rem Save the exit code right away so that no later command can overwrite it.
set RC=%ERRORLEVEL%

if %RC% NEQ 0 echo  ?? The scanner found a problem. Here is the result:
if %RC% EQU 2 echo  Integrity check on DAT Failed.
if %RC% EQU 6 echo  A general problem occurred.
if %RC% EQU 8 echo  The scanner was unable to find a DAT file.
if %RC% EQU 10 echo  A virus was found in memory.
if %RC% EQU 12 echo  The scanner tried to clean a file, the attempt failed and the file is still infected.
if %RC% EQU 13 echo  The scanner found one or more viruses or hostile objects such as a Trojan-horse program, joke program, or test file.
if %RC% EQU 15 echo  The scanner's self-check failed; the scanner may be infected or damaged.
if %RC% EQU 19 echo  The scanner succeeded in cleaning all infected files.
if %RC% EQU 20 echo  Scanning was prevented because of the /FREQUENCY option.
if %RC% EQU 21 echo  Computer requires a reboot to clean the infection.

rem Hand the scanner's exit code back to whatever called this batch file.
exit /b %RC%

-    -    -    -    -    -    -    -    -    -

Exclusions to scan.

Please limit use of exclusions.

From the ScanIT.bat example above, create an Exclude.lst file, in the same directory as Scan.exe (as the example specifies). This list of exclusions are examples only, use only what you MUST exclude. Review the list for Corporate Compliance and try not to exclude any file if at all possible.

PsExec.*

PSEXESVC.*

**\VNChooks*.*

**\VNCviewer*.*

**\UltraVNC*.*

**\TightVNC*.*

**\bin\Temp\

**\GSDData\

**\Temp\mfe\

**\NOTES*\**

**\Common Framework\

**\ePO Agent\

**\McAfee\Temp\

**\McAfee\Spam*\

**\GroupShield*\Scan\

**\Backup Exec\

**\Backup Exec\**

**\SharePoint Portal Server\**

**\Microsoft Shared\Web StorageSystem\

**\McAfee\McAfee PortalShield\**

-     -     -     -     -     -     -     -     -     -     -

Constructive criticism welcome.

Thanks,

Ron Metzger


Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
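For the upload-scanning case the post opens with, the sketch below is an added example, not code from the post or from McAfee: a wrapper that calls Scan.exe once for a whole batch of staged files and turns the exit codes from the table above into a fail-closed accept/reject/error decision. The install path, the staging-directory check, the option selection (no /CLEAN, so uploads are never modified) and the choice to reject on code 19 are assumptions of this example.

```python
import subprocess
from pathlib import Path

# Assumed install location; the post only says "cd McAfee\Scanner".
SCANNER = r"C:\McAfee\Scanner\scan.exe"

# Exit codes copied from the "Scan.exe Exit Codes / ErrorLevel" table in the post.
EXIT_CODES = {
    0: "no detections, no errors",
    2: "integrity check on DAT file failed",
    6: "general problem",
    8: "DAT file not found",
    10: "virus found in memory",
    12: "clean attempted and failed, file still infected",
    13: "one or more viruses or hostile objects found",
    15: "scanner self-check failed",
    19: "all infected files cleaned",
    20: "scan skipped because of /FREQUENCY",
    21: "reboot required to clean the infection",
}
INFECTED = {10, 12, 13, 19, 21}


def verdict(code):
    """Map an exit code to 'accept', 'reject' or 'error' (fail closed)."""
    if code == 0:
        return "accept"
    if code in INFECTED:
        # 19 means something was cleaned; for an upload that is still content
        # that arrived infected, so this policy rejects it (assumption).
        return "reject"
    # 2, 6, 8, 15, 20 and any code missing from the table: nothing proves the
    # batch was scanned, so it must not be treated as clean.
    return "error"


def build_command(targets, root, report, scanner=SCANNER):
    """Build argv in the documented order: scan [objects...] [options...]."""
    root = Path(root).resolve()
    objects = []
    for target in targets:
        path = Path(target).resolve()
        # Only absolute paths inside the staging directory are passed on, so an
        # attacker-chosen name such as "/DEL" can never be read as an option.
        if root not in path.parents:
            raise ValueError(f"target outside staging directory: {target}")
        objects.append(str(path))
    if not objects:
        raise ValueError("nothing to scan")
    # Options taken from the list in the post; the '=' form is used for every
    # parameter, and /APPEND is paired with /REPORT.
    options = ["/ALL", "/ANALYZE", "/UNZIP", "/PROGRAM", "/STREAMS",
               "/TIMEOUT=15", f"/REPORT={report}", "/APPEND", "/RPTERR"]
    return [scanner, *objects, *options]


def scan_batch(targets, root, report, runner=subprocess.run, timeout=300):
    """Scan all targets in one invocation; return (verdict, description)."""
    cmd = build_command(targets, root, report)
    try:
        # argv list and no shell: file names are never parsed by cmd.exe.
        done = runner(cmd, capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return "error", f"scanner did not run to completion: {exc}"
    code = done.returncode
    return verdict(code), EXIT_CODES.get(code, f"unlisted exit code {code}")
```

The `runner` parameter exists so the decision logic can be exercised without the scanner installed; in production it stays at `subprocess.run`.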
6 Replies
susja
Level 10
Message 2 of 7

Re: Command Line Scanning, McAfee CLS, Batch

Hi Ron Metzger,

could you please clarify for me: is scan32.exe that in my case I found in c:\Program Files (x86)\McAfee\VirusScan Enterprise\ directory different from VSE command line scanner?

I have VSE 8.7i. Should I download additional component (VSE command line scanner) or I should just re-configure existing VSE 8.7i that I have?

I have 20 PC's ... hence I'll have to install it on all of it ...

Could you please clarify for me?

Thanks in advance

P.S. I used scan32.exe but someone from the forum said it's not supported scenario and I should use VSE command line scanner ...

Reliable Contributor rmetzger
Message 3 of 7

Re: Command Line Scanning, McAfee CLS, Batch


susja wrote:



Hi Ron Metzger,


could you please clarify for me: is scan32.exe that in my case I found in c:\Program Files (x86)\McAfee\VirusScan Enterprise\ directory different from VSE command line scanner?


I have VSE 8.7i. Should I download additional component (VSE command line scanner) or I should just re-configure existing VSE 8.7i that I have?


I have 20 PC's ... hence I'll have to install it on all of it ...


Could you please clarify for me?


Thanks in advance


P.S. I used scan32.exe but someone from the forum said it's not supported scenario and I should use VSE command line scanner ...




VSE (Scan32.exe) and VirusScan Command Line Scanner (Scan.exe) are completely separate products. (There is no VSE command line scanner, only VirusScan Enterprise commonly called VSE or VirusScan Command Line Scanner, I will call it CLS to avoid naming confusion.)

CLS does Not need to be installed on your PCs. In fact, you can create a version of CLS on a flash drive, network share, or CD and run it from there if you wish. CLS has different operating systems versions in which you may run. So, if a Windows system is currently infected and unable to boot, say, you could boot under a version of Linux from a CD or flash drive and run the CLS version for Linux against the Windows partitions. Of course you could create a Windows PE boot disk and run the Windows version of VirusScan CLS as well.

You can download VirusScan Command Line Scanner with a valid Grant Number here:

Download My Products Login | McAfee Downloads

Products > McAfee Endpoint Protection Suite (or whatever product you are licensed for)

    Endpoint Security

        VirusScan Command Line Scanners

Agree to the licensing terms,

    select the download of choice, such as vscl-w32-605-l.zip for McAfee VirusScan Command Line for Windows.

(v6.0.5L now uses the 5700 engine.)

I hope this clarifies things for you.

Ron Metzger

susja
Level 10
Message 4 of 7

Re: Command Line Scanning, McAfee CLS, Batch

thanks a lot for explanation

Re: Command Line Scanning, McAfee CLS, Batch

How can I test documents doc, docx, xls, and xlsx etc using CLS? It seems docx and xlsx are not supported. Please clarify.

Also where can I get infected docx and xlsx file for testing?


Re: Command Line Scanning, McAfee CLS, Batch

I'd strongly suggest anyone planning to use VSCL in this way review: https://kc.mcafee.com/corporate/index?page=content&id=KB52944

Especially the PM statement section later in the article:

To quote:

VirusScan Command Line Scanner 6 integration with email or gateway scanning

McAfee VirusScan software Command Line Scanner: An option to integrate McAfee anti-malware protection.

The McAfee VCLS is one option to integrate leading McAfee anti-malware protection into server environments where other, more optimized, integrations may not apply.

For optimal performance and protection, McAfee recommends installing and running McAfee server or gateway products that closely fit the desired integration wherever possible. These products are designed especially for gateway use cases, such as email scanning, while the VirusScan software CLS has very different design intentions and capabilities. Please contact your McAfee Sales representative to find the most appropriate solution for your needs.

The VirusScan software CLS was not designed with the intent of handling the high transaction rate and concurrent file operations that are seen in a typical server environment. For those environments, McAfee recommends only the McAfee Server or Gateway family of products. If, however, you still wish to utilize the VirusScan software CLS in a server environment, McAfee recommends that this should be done only for scanning larger collections of static data wherever possible, rather than invoking it for single file scanning on a repeated basis. This will improve the overall performance experience with the VirusScan software CLS by reducing the DAT initialization overheads.

On the subject of asking for infected samples - you won't find them in this forum, please don't ask here. Thx.

You can discuss it further with McAfee Labs directly if you need advice.

VSCL (i.e. CLS) scans the same file types as VirusScan, as it uses the same AV-engine. (not literally, but it's the same dll).

VSCL doesn't use Artemis though.

Reliable Contributor rmetzger
Message 7 of 7

Re: Command Line Scanning, McAfee CLS, Batch


jdhingra wrote:



How can I test documents doc, docx, xls, and xlsx etc using CLS? It seems docx and xlsx are not supported. Please clarify.


Also where can I get infected docx and xlsx file for testing?


Take statements to heart. VSCL (CLS) is meant to be used as a secondary or out-of-band scanner when other active Real-Time scanners are not possible.

That said, VSCL does scan .docX and .xlsX files unless you issue the /NODOC command line option. This should work fine as long as the documents/spreadsheets are not password protected (as far as I know).

I do not know of any sources of test (infected) .docx or .xlsx files.

However, you could use the 68 byte EICAR string (see eicar.org) inserted into a pure ascii string, zip it up and give it a .docx extension. (While you are at it, you should construct a password protected .zip version as well, so that you will not need to reconstruct the eicar test file over and over with each successful test.) You will probably need to disable any real-time scanner to construct this/these file(s). See if that helps. This won't test detecting a macro virus, but at least you may find whether VSE or VSCL is able to detect in your environment.

What can you disclose about what you are doing, that VSCL is the only option?

Ron Metzger
