6 Replies Latest reply on Feb 27, 2015 9:50 AM by rmetzger

    Command Line Scanning, McAfee CLS, Batch

    rmetzger

Periodically, the VirusScan Enterprise forum receives requests for a Command Line Scanner or API for .Net or other languages.

      Usually, this is done to scan files 'Uploaded' to a server or such.

       

      A couple of points:

       

1) If VirusScan Enterprise (VSE) is installed and running, this should not be necessary. However, VSE can be left in a configuration that allows more than the Security Administrator might like for an Internet-facing server. To augment VSE, a programmed method of scanning can use McAfee's Command Line Scanner (CLS).

       

      2) VSE has Scan32.exe (and Scan64.exe for x64 systems) but I have found limited documentation on their use from the Command Line interface. Also, VirusScan Command Line Scanner can run independently of VSE as a second line of defense. As such, it can be configured as needed without compromising the primary defense using VSE.

       

      Also, McAfee CLS has logging and exit error codes relevant to the programmer or systems/security administrator.

       

      3) I am sure McAfee has an API, but whether they will disclose this is up to McAfee. Disclosure might open up security holes they would prefer not to open. Contact McAfee directly to see if this API is available. Alternatively, I would suggest the Command Line Scanner instead.

       

      I have compiled some of my thoughts on using McAfee's Command Line Scanner. Some content is directly from McAfee documentation.

      Feel free to use the examples, but you must assume all responsibility for any actions, losses, or problems encountered.

       

      I may add to another discussion to document my thoughts with Stinger Command Line at a later time.

       

      Anyway, here is my mind dump.

       

      -     -     -     -     -     -     -     -     -

       

      Download VirusScan Command Line Scanners

       

      Enter your valid Grant Number here:

      http://www.mcafee.com/us/downloads/downloads.aspx

       

      Click on the 'Endpoint Protection Suite' (or your licensed product)

          Endpoint Security

              VirusScan Command Line Scanners

       

      Download the product and integrate it within your application.

       

      -    -    -    -    -    -    -    -    -    -

       

      VirusScan Command Line Scanner, Command Line Options:

       

      McAfee VirusScan Command Line for Win32 Version: 6.0.4.564

      Copyright (C) 2013 McAfee, Inc.

      (408) 988-3832 LICENSED COPY - June 24 2013

       

Usage: scan [object1] [object2...] [option1] [option2...]
   /?                       : Display this help screen.
   /AD                      : Scan all drives (not removable media).
   /ADL                     : Scan all local drives (not removable media).
   /ADN                     : Scan all network drives.
   /AFC=<cache size>        : Set the Size(in MB) of the Internal Cache Used When Decompressing Archive Files.
   /ALL                     : Scan all files regardless of filename extension.
   /ALLOLE                  : Treat all files as compound/OLE regardless of extension.
   /ANALYZE                 : Turn on heuristic analysis for programs and macros.
   /APPEND                  : Append to report file rather than overwriting.
   /APPENDBAD               : Append to bad file rather than overwriting.
   /ASCII                   : Display filenames as ASCII text.
   /BADLIST=<filename>      : Filename and path for bad list log file.
   /BOOT                    : Scan boot sector and master boot record Only.
   /CHECKLIST=<filename>    : Scan list of files contained in <filename>.
   /CLEAN                   : Attempt to clean infected files.
   /CONTACTFILE=<filename>  : Display contents of <filename> when a virus is found.
   /DAM                     : Remove all macros from infected MS Office files.

   /DECOMPRESS              : Converts avv*.dat files and creates runtime.dat file
                            : Must be done by itself

   /DEL                     : Delete infected files except archive files.
   /DOHSM                   : Scan migrated files(hierarchical storage management).
   /DRIVER=<dir>            : Directory specifying location of DAT files.
   /EXCLUDE=<filename>      : Do not scan files/directories listed in <filename>.
   /EXTENSIONS              : Scan defaults & user extension list.
   /EXTLIST                 : List file-extensions scanned by default.
   /EXTRA=<filename>        : Specify the full path and file name of any extra.dat file.
   /FAM                     : Find all macros - not just infected macros. Used with /DAM will remove all macros.
   /FDC                     : Force digital signature check.
   /FREQUENCY=<hours>       : Do not scan <hours> after the previous scan.
   /HELP                    : Displays this help
   /HTML=<filename>         : Create and specify a HTML report file.
   /LOAD=<filename>         : Load options from <filename>.
   /LOUD                    : Include all scanned files in the /REPORT file.
   /MAILBOX                 : Scan inside plain text mailboxes.
   /MANALYZE                : Turn on macro heuristics.
   /MANY                    : Scan many floppy diskettes.
   /MAXFILESIZE=<size>      : Examine Only those files smaller than the specified size(in MB).
   /MEMSIZE=<size>          : File size(in KB) to load into memory for scanning limited by a maximum file size defaulting to 1MB.
   /MIME                    : Scan inside MIME, UUE, XXE and BinHex files.
   /MOVE=<dir>              : Move infected file into directory <dir>, preserving path.

   /NC                      : No Integrity Check; Use without Internet connection. see KB68314
                            : The program performs a standard digital signing check of the engine binary prior
                            : to execution. If the computer is not connected to the Internet, this check can fail
                            : unexpectedly. The scan will still continue. Without a connection to the Internet,
                            : files like mcscan32.dll will fail the digital signature check. /NC skips the check.

   /NOBKSEM                 : Prevent scanning of files that are normally protected.
   /NOBOOT                  : Do not scan boot sectors.
   /NOBREAK                 : Disable Ctrl-C / Ctrl-Break during scanning.
   /NOCOMP                  : Do not scan self extracting executables by default.
   /NOD                     : Don't switch into /ALL mode when repairing.
   /NODDA                   : Do not scan boot sectors.
   /NODECRYPT               : Don't scan password-protected MS Office documents.
   /NODOC                   : Do not scan MS Office files.
   /NOEXPIRE                : Disable data files expiration date notice.
   /NOJOKES                 : Do not alert on joke files.
   /NOMEM                   : Do not scan memory for viruses.
   /NORECALL                : Do not move files from remote storage into local storage after scanning.
   /NORENAME                : Do not rename infected files that cannot be cleaned.
   /NOSCRIPT                : Do not scan files that contain HTML, JavaScript, Visual Basic, or Script Component Type Libraries.
   /PANALYZE                : Turn on program heuristics.
   /PAUSE                   : Pause at end of each screen page.
   /PLAD                    : Preserve the last-accessed time and date for files that are scanned.
   /PROGRAM                 : Scan for potentially unwanted applications.
   /RECURSIVE               : Examine any subdirectories in addition to the specified target directory.
   /REPORT=<filename>       : Report names of viruses found into <filename>.
   /RPTALL                  : Include all scanned files in the /REPORT file.
   /RPTCOR                  : Include corrupted files in /REPORT file.
   /RPTERR                  : Include errors in /REPORT file.
   /RPTOBJECTS              : Reports number of objects at all levels scanned in summary.
   /SECURE                  : Equivalent to Analyse, doall, unzip.
   /SHOWCOMP                : Report any files that are packaged.
   /SILENT                  : Disable all screen output.
   /STREAMS                 : Scan inside NTFS streams (NT & DATAPOL Only).
   /SUB                     : Examine any subdirectories in addition to the specified target directory.
   /THREADS=<nn>            : Set scan thread count.
   /TIMEOUT=<seconds>       : Set the maximum time to spend scanning any one file.
   /UNZIP                   : Scan inside archive files, such as those saved in ZIP, LHA, PKarc, ARJ, TAR, CHM, and RAR.
   /VERSION                 : Display the scanner's version number.
   /VIRLIST                 : Display virus list.
   /WINMEM[=<pid>]          : If pid given scans the Windows Process with Process ID <pid> otherwise scans all Windows Processes.
   /XMLPATH=<filename>      : Filename and path for XML log file.

   * Mandatory

       

      I included a couple of 'semi-undocumented' options.

      Consider using the /DECOMPRESS function after updating VSE Dat files. This improves scan performance.

      The /NC option may be needed if your server or PC doing the scan is not connected to the Internet.

       

      -    -    -    -    -    -    -    -    -    -

       

      Options with parameters.

       

Where an option has a parameter, insert only one space between them. For example, the following commands are intended to scan all directories on the C disk, and list any infected files in the file named BADLIST.TXT. The first command is valid, but the second command gives an error message because it has more than one space between the /BADLIST option and its parameter, BADLIST.TXT.

SCAN C:\ /SUB /BADLIST BADLIST.TXT     &:: works
SCAN C:\ /SUB /BADLIST  BADLIST.TXT    &:: fails
SCAN C:\ /SUB /BADLIST=BADLIST.TXT     &:: works

In the second line, /BADLIST has 2 spaces before BADLIST.TXT and errors out.
Instead of a space, use the = character, which seems to work and is more clear.

       

      -    -    -    -    -    -    -    -    -    -

       

      Improve Performance by creating Runtime.dat (cache) file.

       

Scan32.exe, Scan64.exe, and Scan.exe use the signature files (avvscan.dat, avvclean.dat, and avvnames.dat) to scan files. As part of the process, the scan engine combines these files (in RAM) to scan the file. Scan32 and Scan64, when signatures are updated, create the combined file Runtime{date}.dat (cache) to improve performance, storing the combined file on disk. Scan.exe can do the same with the /DECOMPRESS switch. This improves performance dramatically between each scan, as it no longer needs to recombine the signature files.

To create faster scanning:
1) cd to the directory containing Scan.exe and associated files.
2) Delete existing avv*.dat and runtime.dat files:
    avvscan.dat avvclean.dat avvnames.dat runtime.dat
3a) Download today's ????xdat.exe to the directory containing Scan.exe
    Extract the contents (using today's version):
     7523xdat.exe /E
    This will extract today's avv*.dat (avvscan.dat avvclean.dat avvnames.dat)
      or
3b) Copy the latest avv*.dat to the directory containing Scan.exe
4) Construct a new Runtime.dat cache file
    Scan /DECOMPRESS

Now, when running Scan.exe, Scan.exe sees Runtime.dat and simply loads this instead of rebuilding it each time, in RAM.

       

      Batch code snippet:

       

@echo off
rem  Please use with caution, add error checking, assume responsibility
rem  for the following code segment. I will assume no responsibility for
rem  any actions or losses that may occur based on your use of this code.
rem  Use at your own risk.

rem 1. Modify this directory to your liking.
    cd McAfee\Scanner

rem 2. Use your preferred method of download to this directory, ????xdat.exe
rem    Remove the old signature files and the stale runtime.dat cache first.
    for %%F in (avvscan avvclean avvnames runtime) do if exist "%%~F.dat" del "%%~F.dat"
    for %%F in (GSDSuper.dll Sdatpack.lst NaiScrip.nsc) do if exist "%%~F" del "%%~F"

rem 3a. Once downloaded, extract the contents (using today's version)
    7523xdat.exe /E .

rem 3b. Alternatively, copy current avvscan.dat avvclean.dat avvnames.dat
rem     from the latest updated VSE to this directory (the . is the destination)
rem if exist "%CommonProgramFiles%\McAfee\Engine\avv*.dat"    copy "%CommonProgramFiles%\McAfee\Engine\avv*.dat" .
rem if exist "%CommonProgramFiles(x86)%\McAfee\Engine\avv*.dat"    copy "%CommonProgramFiles(x86)%\McAfee\Engine\avv*.dat" .

rem 4. Create runtime.dat (any existing copy was already deleted in step 2).
rem del runtime.dat
    Scan /DECOMPRESS
    if ERRORLEVEL 1 echo  ?? Scan /DECOMPRESS returned ErrorLevel %ERRORLEVEL%

       

      -    -    -    -    -    -    -    -    -    -

       

      Scan.exe Exit Codes / ErrorLevel

       

ErrorLevel  Description
    0       The scanner found no viruses or other potentially unwanted software,
            and returned no errors.
    2       Integrity check on DAT file failed.
    6       A general problem occurred.
    8       The scanner was unable to find a DAT file.
   10       A virus was found in memory.
   12       The scanner tried to clean a file, the attempt failed, and the file
            is still infected.
   13       The scanner found one or more viruses or hostile objects such as a
            Trojan horse program, joke program, or test file.
   15       The scanner's self-check failed; the scanner may be infected or
            damaged.
   19       The scanner succeeded in cleaning all infected files.
   20       Scanning was prevented because of the /FREQUENCY option.
   21       Computer requires a reboot to clean the infection.

       

      -    -    -    -    -    -    -    -    -    -

       

      Command Line Example(s):

       

      Assume name=ScanIT.bat

       

@echo off
rem  Please use with caution, add error checking, assume responsibility
rem  for the following code segment. I will assume no responsibility for
rem  any actions or losses that may occur based on your use of this code.
rem  Use at your own risk.

rem Pass a parameter of the file or directory you wish to scan.
if "%~1"=="" (
    echo Usage: %~nx0 C:\Upload\ or C:\Upload\AFile.exe
    exit /b 1
)

rem 1. Modify this directory to your liking.
    cd McAfee\Scanner

rem 2. Scan all files (or files in subdirectories) specified at batch file start.
rem    Make sure a parameter is specified, such as C:\Upload\ or C:\Upload\AFile.exe
rem    Note: Directories must be specified with an ending \
rem    Options are separated by single spaces; /APPEND adds to the /REPORT file
rem    instead of overwriting it.
    Scan %* /ANALYZE /ALL /CLEAN /DAM /NC /NOEXPIRE /PLAD /PROGRAM /SUB /STREAMS /UNZIP /THREADS=4 /TIMEOUT=15 /REPORT=C:\McAfee\Logs\Scan.log /APPEND /EXCLUDE=Exclude.lst

rem 3. Capture the exit code before any other command can change it.
set SCANRC=%ERRORLEVEL%
if %SCANRC% GEQ 1 echo  ?? The scanner found a problem. Here is the result:
if %SCANRC% EQU 2 echo  Integrity check on DAT Failed.
if %SCANRC% EQU 6 echo  A general problem occurred.
if %SCANRC% EQU 8 echo  The scanner was unable to find a DAT file.
if %SCANRC% EQU 10 echo  A virus was found in memory.
if %SCANRC% EQU 12 echo  The scanner tried to clean a file, the attempt failed and the file is still infected.
if %SCANRC% EQU 13 echo  The scanner found one or more viruses or hostile objects such as a Trojan horse program, joke program, or test file.
if %SCANRC% EQU 15 echo  The scanner's self-check failed; the scanner may be infected or damaged.
if %SCANRC% EQU 19 echo  The scanner succeeded in cleaning all infected files.
if %SCANRC% EQU 20 echo  Scanning was prevented because of the /FREQUENCY option.
if %SCANRC% EQU 21 echo  Computer requires a reboot to clean the infection.

rem 4. Hand the scanner's exit code back to whatever called this batch file.
exit /b %SCANRC%

       

       

      -    -    -    -    -    -    -    -    -    -

       

Exclusions to scan.
Please limit use of exclusions.

From the ScanIT.bat example above, create an Exclude.lst file in the same directory as Scan.exe (as the example specifies).

This list of exclusions is an example only; use only what you MUST exclude. Review the list for Corporate Compliance and try not to exclude any file if at all possible.

       

      PsExec.*

      PSEXESVC.*

       

      **\VNChooks*.*

      **\VNCviewer*.*

      **\UltraVNC*.*

      **\TightVNC*.*

       

      **\bin\Temp\

      **\GSDData\

      **\Temp\mfe\

      **\NOTES*\**

      **\Common Framework\

      **\ePO Agent\

      **\McAfee\Temp\

      **\McAfee\Spam*\

      **\GroupShield*\Scan\

       

      **\Backup Exec\

      **\Backup Exec\**

       

      **\SharePoint Portal Server\**

      **\Microsoft Shared\Web StorageSystem\

      **\McAfee\McAfee PortalShield\**

       

      -     -     -     -     -     -     -     -     -     -     -

       

      Constructive criticism welcome.

       

      Thanks,

      Ron Metzger
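The ScanIT.bat idea written as a Python wrapper, since the thread opened with requests for calling the scanner from another language. This is an added example, not McAfee's code and not from the post above; it assumes Scan.exe lives at the SCAN_EXE path and that the caller picks the /REPORT file. It scans a whole upload file or directory in one invocation, separates every option with its own argument (the /BADLIST double-space failure cannot happen), and maps the documented exit codes to a verdict that fails closed on scanner errors.

```python
"""Python wrapper for McAfee VirusScan Command Line (Scan.exe).

Added example, not McAfee's code and not from the post above. Assumptions:
SCAN_EXE is where Scan.exe lives; the /REPORT file location is yours to pick.
"""
import subprocess
from enum import Enum
from pathlib import Path

SCAN_EXE = r"C:\McAfee\Scanner\Scan.exe"  # assumption: adjust to your install

# Exit codes (ErrorLevel) as listed in the Scan.exe table in this thread.
EXIT_CODES = {
    0: "No viruses or other potentially unwanted software found, no errors",
    2: "Integrity check on DAT file failed",
    6: "A general problem occurred",
    8: "The scanner was unable to find a DAT file",
    10: "A virus was found in memory",
    12: "Clean attempt failed; the file is still infected",
    13: "One or more viruses or hostile objects found",
    15: "Scanner self-check failed; the scanner may be infected or damaged",
    19: "All infected files were cleaned",
    20: "Scanning was prevented because of the /FREQUENCY option",
    21: "Computer requires a reboot to clean the infection",
}


class Verdict(Enum):
    CLEAN = "clean"        # nothing found: the upload may be released
    INFECTED = "infected"  # detection: reject or quarantine the upload
    CLEANED = "cleaned"    # malware was present and removed: still hostile
    SKIPPED = "skipped"    # scanner did not run (/FREQUENCY): scan again later
    ERROR = "error"        # scanner could not do its job: never treat as clean


def interpret(returncode):
    """Map a Scan.exe exit code to a verdict; unknown codes fail closed."""
    if returncode == 0:
        return Verdict.CLEAN
    if returncode in (10, 12, 13, 21):
        return Verdict.INFECTED
    if returncode == 19:
        return Verdict.CLEANED
    if returncode == 20:
        return Verdict.SKIPPED
    return Verdict.ERROR  # 2, 6, 8, 15, None (scanner never ran) or undocumented


def build_command(target, report, exe=SCAN_EXE, threads=4, timeout=15,
                  offline=False, exclude=None):
    """Assemble argv for Scan.exe: one option per element, '=' for parameters,
    and the trailing backslash that the batch example requires for directories."""
    target = str(target)
    if Path(target).is_dir() and not target.endswith("\\"):
        target += "\\"
    cmd = [exe, target,
           "/ANALYZE", "/ALL", "/NOEXPIRE", "/PLAD", "/PROGRAM", "/SUB",
           "/STREAMS", "/UNZIP", "/RPTERR",
           f"/THREADS={threads}", f"/TIMEOUT={timeout}",
           f"/REPORT={report}", "/APPEND"]
    if offline:
        cmd.append("/NC")  # skip the engine signature check (see KB68314)
    if exclude:
        cmd.append(f"/EXCLUDE={exclude}")
    return cmd


def scan(target, report, overall_timeout=600, **opts):
    """Run one scan and return (verdict, exit code, description).
    No /CLEAN or /DAM: an upload that needed repair is rejected, not altered.
    A missing scanner or an overall timeout is an ERROR, never CLEAN."""
    try:
        proc = subprocess.run(build_command(target, report, **opts),
                              timeout=overall_timeout)
        code = proc.returncode
    except (FileNotFoundError, subprocess.TimeoutExpired):
        code = None
    return interpret(code), code, EXIT_CODES.get(code, "Scanner did not complete")
```

Findings go to the /REPORT file as in ScanIT.bat; the verdict is what the upload handler should branch on, and only Verdict.CLEAN should release a file.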

        • 1. Re: Command Line Scanning, McAfee CLS, Batch
          susja

          Hi Ron Metzger,

could you please clarify for me: is the scan32.exe that I found in the c:\Program Files (x86)\McAfee\VirusScan Enterprise\ directory different from the VSE command line scanner?

I have VSE 8.7i. Should I download an additional component (VSE command line scanner), or should I just re-configure the existing VSE 8.7i that I have?

I have 20 PCs ... hence I'll have to install it on all of them ...

          Could you please clarify for me?

          Thanks in advance

          P.S. I used scan32.exe but someone from the forum said it's not supported scenario and I should use VSE command line scanner ...

          • 2. Re: Command Line Scanning, McAfee CLS, Batch
            rmetzger

            susja wrote:

             

            Hi Ron Metzger,

could you please clarify for me: is the scan32.exe that I found in the c:\Program Files (x86)\McAfee\VirusScan Enterprise\ directory different from the VSE command line scanner?

I have VSE 8.7i. Should I download an additional component (VSE command line scanner), or should I just re-configure the existing VSE 8.7i that I have?

I have 20 PCs ... hence I'll have to install it on all of them ...

            Could you please clarify for me?

            Thanks in advance

            P.S. I used scan32.exe but someone from the forum said it's not supported scenario and I should use VSE command line scanner ...

VSE (Scan32.exe) and VirusScan Command Line Scanner (Scan.exe) are completely separate products. (There is no VSE command line scanner, only VirusScan Enterprise, commonly called VSE, or VirusScan Command Line Scanner, which I will call CLS to avoid naming confusion.)

             

CLS does not need to be installed on your PCs. In fact, you can create a version of CLS on a flash drive, network share, or CD and run it from there if you wish. CLS has versions for different operating systems. So, if a Windows system is currently infected and unable to boot, say, you could boot under a version of Linux from a CD or flash drive and run the CLS version for Linux against the Windows partitions. Of course you could create a Windows PE boot disk and run the Windows version of VirusScan CLS as well.

             

            You can download VirusScan Command Line Scanner with a valid Grant Number here:

            Download My Products Login | McAfee Downloads

             

            Products > McAfee Endpoint Protection Suite (or whatever product you are licensed for)

                Endpoint Security

                    VirusScan Command Line Scanners

             

            Agree to the licensing terms,

                select the download of choice, such as vscl-w32-605-l.zip for McAfee VirusScan Command Line for Windows.

            (v6.0.5L now uses the 5700 engine.)

             

            I hope this clarifies things for you.

            Ron Metzger

            • 3. Re: Command Line Scanning, McAfee CLS, Batch
              susja

Thanks a lot for the explanation.

              • 4. Re: Command Line Scanning, McAfee CLS, Batch
                jdhingra

                How can I test documents doc, docx, xls, and xlsx etc using CLS? It seems docx and xlsx are not supported. Please clarify.

                Also where can I get infected docx and xlsx file for testing?

                • 5. Re: Command Line Scanning, McAfee CLS, Batch
                  rackroyd

                  I'd strongly suggest anyone planning to use VSCL in this way review: https://kc.mcafee.com/corporate/index?page=content&id=KB52944

                  Especially the PM statement section later in the article:

                   

                  To quote:

                   

                  VirusScan Command Line Scanner 6 integration with email or gateway scanning

                  McAfee VirusScan software Command Line Scanner: An option to integrate McAfee anti-malware protection.

                   

                  The McAfee VCLS is one option to integrate leading McAfee anti-malware protection into server environments where other, more optimized, integrations may not apply.

                   

                  For optimal performance and protection, McAfee recommends installing and running McAfee server or gateway products that closely fit the desired integration wherever possible. These products are designed especially for gateway use cases, such as email scanning, while the VirusScan software CLS has very different design intentions and capabilities. Please contact your McAfee Sales representative to find the most appropriate solution for your needs.

                   

                  The VirusScan software CLS was not designed with the intent of handling the high transaction rate and concurrent file operations that are seen in a typical server environment. For those environments, McAfee recommends only the McAfee Server or Gateway family of products. If, however, you still wish to utilize the VirusScan software CLS in a server environment, McAfee recommends that this should be done only for scanning larger collections of static data wherever possible, rather than invoking it for single file scanning on a repeated basis. This will improve the overall performance experience with the VirusScan software CLS by reducing the DAT initialization overheads.

                   

                   

                  On the subject of asking for infected samples - you won't find them in this forum, please don't ask here. Thx.

                  You can discuss it further with McAfee Labs directly if you need for advice.

                   

                  VSCL (i.e. CLS) scans the same file types as VirusScan, as it uses the same AV-engine. (not literally, but it's the same dll).

                  VSCL doesn't use Artemis though.

                  • 6. Re: Command Line Scanning, McAfee CLS, Batch
                    rmetzger

                    jdhingra wrote:

                     

                    How can I test documents doc, docx, xls, and xlsx etc using CLS? It seems docx and xlsx are not supported. Please clarify.

                    Also where can I get infected docx and xlsx file for testing?

Take rackroyd's statements to heart. VSCL (CLS) is meant to be used as a secondary or out-of-band scanner when other active Real-Time scanners are not possible.

                     

                    That said, VSCL does scan .docX and .xlsX files unless you issue the /NODOC command line option. This should work fine as long as the documents/spreadsheets are not password protected (as far as I know).

                     

                    I do not know of any sources of test (infected) .docx or .xlsx files.

However, you could use the 68-byte EICAR string (see eicar.org) inserted into a pure ASCII string, zip it up and give it a .docx extension. (While you are at it, you should construct a password-protected .zip version as well, so that you will not need to reconstruct the EICAR test file over and over with each successful test.) You will probably need to disable any real-time scanner to construct this/these file(s). See if that helps. This won't test detecting a macro virus, but at least you may find whether VSE or VSCL is able to detect it in your environment.

                     

                    What can you disclose about what you are doing, that VSCL is the only option?

                     

                    Ron Metzger