12 Replies Latest reply on May 26, 2010 10:56 AM by nathangjones

    Command line scanner V6 doesn't scan all files

      Hi

       

      We were using an older version of command line scanner with Bart PE and its McAfee plugin.  Just tested and it scanned over 65,000 files on our PC.

       

      Since the new SDATs mean we had to upgrade, I downloaded Command Line Scanner V6 and used its scan.exe with Bart PE.

       

      Now when I run the scan, with the exact same options on the exact same PC, only 22,000 files are scanned.

       

      Any ideas why this is?

      thanks

        • 1. Re: Command line scanner V6 doesn't scan all files
          rackroyd

          Hi,

           

          More detail is needed to be able to comment on this.

          Please provide what information you can for each scenario.

           

          Rgds,

           

          Rob,

          • 2. Re: Command line scanner V6 doesn't scan all files

            Hi.  I've included more info:

             

            We used to create Bart PE boot CDs and use the available SDAT files.  This was when V1 & V2 DAT were both supported.  The last boot CD I created used Command Line Scanner V5.40.0 (which was included with the SDAT).  I guess the AV Engine then was 5.3.00.

             

            On a reference PC, I boot from this CD, scan all files and subdirectories.  The report shows a total of 64,768 files were scanned.

             

            Now I need to update/recreate these boot CDs.  I read the following McAfee articles:

             

            KB67088 (How to create a Windows XP boot CD including McAfee Command Line Scanner).

            KB66741 (Important info about the 5400 AV Scanning Engine)

             

            I was instructed to download Command Line Scanner V6, since the V2 SDATs now only support the latest scanning engine V5.400.  I now create the boot CD with the latest SDAT, extract scan.exe from Command Line Scanner V6 and insert it into the McAfee plugin files that Bart PE uses.

             

            I now boot from this CD.  As per KB68314, I use the /nc switch, since the scanning engine uses a digitally signed certificate; otherwise I get a mcscan32.dll failed integrity check error.  Using the same reference PC, I scan all files and subdirectories.  However the report shows only 22,574 files were scanned.

             

            Is there a reason why so many fewer files are being scanned?

             

            Thanks

            • 3. Re: Command line scanner V6 doesn't scan all files
              rackroyd

              Thanks,

               

              Actually the 5.40.0 Command Line Scanner uses the 5400 Engine, and so does the V6.0 command line scanner.

              What switches (apart from /nc) are you using, and do you have any scan reports from both 5.40.0 and 6.0 you can share?

               

              Rgds,

               

              Rob.

              • 4. Re: Command line scanner V6 doesn't scan all files

                Hi.

                 

                I have attached reports from the scan using the old boot CD we had when scan.exe was part of the SDAT (scanv54.txt), and the one I just created using scan.exe from command line scanner V6 (scanv6.txt).

                 

                The switches were all automatically created, using the check boxes provided with the Bart PE McAfee Virus Scan Wrapper GUI.  They are detailed in the reports, and as you can see they are the same with the exception of the /nc switch I included.

                 

                Thanks

                • 5. Re: Command line scanner V6 doesn't scan all files
                  rackroyd

                  Thanks,

                   

                  The Bart PE wrapper is not something we would have control over, but as you say the switches do look the same.

                  It looks like the only way you are likely to account for the difference is by including the /RPTALL switch so every scan is listed verbosely.

                  Then it would be a matter of working out the differences from the (now much larger) logs in both instances.

                   

                  That would take some time, and may be something for a support call.

                  We would need you to be able to reproduce similar results outside of the Bart PE framework though, as we don't support 3rd party integrations of the Command Line Scanner directly, just the scanner itself.

                  It sounds like you should get the same (or similar) results scanning from the root of C:\ with the same switches and the machine booted normally.

                   

                  If the problem can't be reproduced outside of the Bart PE framework though, you will need to take it up with NU2 Productions.

                   

                  Something to bear in mind which I think you've already realised: we no longer post the command line scanner in the daily superdat. There is a file with that name in the sdat, but it's just a stub for sdat compatibility.

                  Use of the command line scanner falls under licensing and is only available for download with a grant id.

                   

                  Rgds,

                   

                  Rob.

                  1 of 1 people found this helpful
                  • 6. Re: Command line scanner V6 doesn't scan all files

                    Hi Rob

                     

                    I have tested this again on the reference PC, but ran from within Windows, not via the Bart PE boot disk.  Again there is a huge difference between the number of files scanned using the two versions of command line scanner.

                     

                    I have attached the reports from both.

                     

                    Thanks

                    • 7. Re: Command line scanner V6 doesn't scan all files
                      rackroyd

                      Hi,

                       

                      As I mentioned before, the only way you are likely to account for the difference is by including the /RPTALL switch so every scan is listed verbosely.

                      Then it would be a matter of working out the differences from the (now much larger) logs in both instances.

                       

                      As an aside - what exactly is the full command line being used at the prompt to run the scan for both cases?

                      This isn't included in the summary.

                       

                      Rgds,

                       

                      Rob.

                      • 8. Re: Command line scanner V6 doesn't scan all files

                        The commands were

                         

                        c:\vscl54> SCAN /ADL /MIME /SUB /UNZIP /ALL /RPTCOR /RPTERR /STREAMS /REPORT E:\SCANV54.TXT

                        and

                        c:\vscl6> SCAN /ADL /MIME /SUB /UNZIP /ALL /RPTCOR /RPTERR /STREAMS /REPORT E:\SCANV6.TXT /NC

                         

                        Strangely, from the cmd prompt I ran dir /s c:\ and it listed total files of 22228 on this PC, which is very near what the V6 scanner totalled from within Windows and Bart PE.

                         

                        Therefore the issue may be with the older version overstating what it's scanning, and not an issue with V6 after all.

                         

                        I will include the RPTALL switch with both, and compare to see what's going on.

                         

                        thanks

                        • 9. Re: Command line scanner V6 doesn't scan all files
                          rackroyd

                          Personally I suspect the lack of a defined scan path in the command line may have an effect on the behaviour between versions.

                          Try something like this instead:

                           

                          c:\vscl6> SCAN /ADL /MIME /SUB /UNZIP /ALL /RPTCOR /RPTERR /STREAMS /REPORT E:\SCANV6.TXT /NC c:\*.*

                          or

                          c:\vscl6> SCAN /MIME /SUB /UNZIP /ALL /RPTCOR /RPTERR /STREAMS /REPORT E:\SCANV6.TXT /NC c:\*.*

                           

                          I know this is contrary to the /ADL switch (All Drives Local), and perhaps the /SUB switch too, and maybe that's a behavioural issue which can be looked at through a support call if you wish to open one.

                           

                          This might not be exactly the right combination on the command line, but I think you're on the right path now (no pun intended).

                          I'd take a look at that before breaking down the verbose scan report.

                           

                          Hth,

                           

                          Rob.

                          1 of 1 people found this helpful
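
The /RPTALL comparison suggested in replies 5 and 7, sketched as an added example (not from the thread or from any McAfee tool): it diffs the object lists of two verbose reports and buckets the objects found in only one of them, so the totals can be set against a `dir /s` file count. Assumptions: each report line reads `<full path> ... <status>`, items inside archives or MIME containers (/UNZIP, /MIME) appear as `container\member`, and alternate data streams (/STREAMS) as `file:stream`; the two sample reports are constructed.

```python
import re
from collections import Counter

# ASSUMPTION: each /RPTALL line reads "<full path> ... <status>"; adjust the
# pattern to the layout of your own reports.
LINE_RE = re.compile(r"^\s*([A-Za-z]:\\.+?)\s+\.\.\.\s")

def scanned_paths(report_text):
    """Set of scanned object paths, lower-cased (Windows paths ignore case)."""
    found = (LINE_RE.match(line) for line in report_text.splitlines())
    return {m.group(1).lower() for m in found if m}

def classify(path, all_paths):
    """Bucket one object: plain file, alternate data stream, or container member."""
    if ":" in path[2:]:                      # a colon after the drive letter
        return "stream"
    parts = path.split("\\")
    for i in range(len(parts) - 1, 1, -1):   # is a parent path itself a scanned file?
        if "\\".join(parts[:i]) in all_paths:
            return "inside-container"
    return "file"

def compare(report_a, report_b):
    """Totals per report, plus a per-bucket count of objects unique to each."""
    a, b = scanned_paths(report_a), scanned_paths(report_b)
    return {
        "a_total": len(a),
        "b_total": len(b),
        "only_a": Counter(classify(p, a) for p in a - b),
        "only_b": Counter(classify(p, b) for p in b - a),
    }

# Constructed sample reports, not real scanner output.
REPORT_A = r"""
C:\boot.ini ... is OK.
C:\data\a.zip ... is OK.
C:\data\a.zip\inner1.exe ... is OK.
C:\data\a.zip\inner2.dll ... is OK.
C:\docs\note.txt ... is OK.
C:\docs\note.txt:hidden ... is OK.
"""
REPORT_B = r"""
C:\boot.ini ... is OK.
C:\data\a.zip ... is OK.
C:\docs\note.txt ... is OK.
C:\pagefile.sys ... is OK.
"""

if __name__ == "__main__":
    for key, value in compare(REPORT_A, REPORT_B).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Objects in the "file" bucket are the ones that indicate a real coverage gap between the two runs; the other buckets are objects a directory listing would not count as separate files.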