Author Topic: Command-line scanner  (Read 5275 times)

dj02

  • Guest
Command-line scanner
« on: November 15, 2007, 11:34:00 PM »
The beta has now been updated to 4.7.1085.
There's a couple of improvements in the engine as well as the updater itself.

Please feel free to update to it by simply invoking the program update.


Cheers
Vlk

I'm using a mail server: hMailServer 4.4.2.275.
OS: Windows Vista Ultimate x64 (Finnish) with all latest updates installed.

I'm using command: ""C:\Program Files\Alwil Software\Avast4\ashCmd.exe" /A /C /D /F=PW /T=A /P=1"
to detect viruses. My problem is: when I sent the eicar test file to my mailbox, it didn't detect it as a virus in the mail server.

Avast should return value "1" when it finds a virus, but it returned "0".

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11873
    • AVAST Software
Command-line scanner
« Reply #1 on: November 16, 2007, 12:05:16 AM »
Is this new for the build 1085? I'm not aware of any changes in the command-line scanner.
I tried it and it works without any problems here (btw, /F=PW doesn't make much sense - it's the same as /F=W).

So, are you sure you pass the right file to the scanner? Wasn't the eicar test string simply embedded in the e-mail body (as text)?

dj02

  • Guest
Command-line scanner
« Reply #2 on: November 16, 2007, 12:44:29 AM »
Is this new for the build 1085? I'm not aware of any changes in the command-line scanner.
I tried it and it works without any problems here (btw, /F=PW doesn't make much sense - it's the same as /F=W).

So, are you sure you pass the right file to the scanner? Wasn't the eicar test string simply embedded in the e-mail body (as text)?


hMailServer still returns (I tried to send eicar as text, txt and zip):

"DEBUG"   3560   "2007-11-16 01:40:10.523"   "CustomVirusScanner::Scan()"
"DEBUG"   3560   "2007-11-16 01:40:10.685"   "CustomVirusScanner::Scan() - C:\Program Files\Alwil Software\Avast4\ashCmd.exe C:\Program Files (x86)\hMailServer\Data\{AC0212AC-87DF-40CC-B2F1-86EA3C8B722D}.eml - Returned 0"
"DEBUG"   3560   "2007-11-16 01:40:10.686"   "CustomVirusScanner::~Scan()"
------------------------------------------------------------------------------------
tried these commands:
"C:\Program Files\Alwil Software\Avast4\ashCmd.exe" /A /C /D /F=W /T=A /P=1
"C:\Program Files\Alwil Software\Avast4\ashCmd.exe" /A /C /D /F=W /T=A /P=4
"C:\Program Files\Alwil Software\Avast4\ashCmd.exe" /A /C /T=A
C:\Program Files\Alwil Software\Avast4\ashCmd.exe

It just returns "0" :S

Offline igor

Command-line scanner
« Reply #3 on: November 16, 2007, 12:49:27 AM »
The arguments were OK (I mean, I pasted your command-line into ashCmd, ran it from a batch and it worked correctly - errorlevel was 1).
If you pass this .eml file into ashCmd directly (from a command-line) - does it find the virus? Or, you can add the report-file-creation argument to the command line (/r=*c:\ashcmd.log) - is the virus detected?

dj02

  • Guest
Command-line scanner
« Reply #4 on: November 16, 2007, 01:18:39 AM »
The arguments were OK (I mean, I pasted your command-line into ashCmd, ran it from a batch and it worked correctly - errorlevel was 1).
If you pass this .eml file into ashCmd directly (from a command-line) - does it find the virus? Or, you can add the report-file-creation argument to the command line (/r=*c:\ashcmd.log) - is the virus detected?

Just saying from commandline no viruses found. :( ClamWin works fine with mailserver.

Offline igor

Command-line scanner
« Reply #5 on: November 16, 2007, 01:26:15 AM »
Can you attach the .eml file (with eicar inside) here?

dj02

  • Guest
Command-line scanner
« Reply #6 on: November 16, 2007, 01:08:00 PM »
Can you attach the .eml file (with eicar inside) here?


Here you are.

The forum didn't allow me to send an .eml attachment, so I put it as text.
------------------------------------------------------------------------------------------
filename: {4D8FEC9F-7FC2-4800-AD2F-23C59D867864}.eml (doesn't include eicar as .txt and .zip)
------------------------------------------------------------------------------------------
Return-Path: <hidden@finetworks.fi>
Received: from [192.168.0.10] ([127.0.0.1])
   by mail.finetworks.fi
   with hMailServer ; Fri, 16 Nov 2007 14:02:12 +0200
Message-ID: <473D86C4.2030002@finetworks.fi>
Date: Fri, 16 Nov 2007 14:02:12 +0200
From: Mika <hidden@finetworks.fi>
Reply-To: hidden@finetworks.fi
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: hidden@hidden.com
Subject: test
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

------------------------------------------------------------------------------------------
filename: {25868286-77B6-4CD6-BC3A-EC7F8C88C2B6}.eml (Includes eicar as .txt and .zip)
------------------------------------------------------------------------------------------
Return-Path: <hidden@finetworks.fi>
Received: from [192.168.0.10] ([127.0.0.1])
   by mail.finetworks.fi
   with hMailServer ; Fri, 16 Nov 2007 14:15:32 +0200
Message-ID: <473D89E4.4070800@finetworks.fi>
Date: Fri, 16 Nov 2007 14:15:32 +0200
From: Mika <hidden@finetworks.fi>
Reply-To: hidden@finetworks.fi
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: hidden@hidden.com
Subject: test
Content-Type: multipart/mixed;
 boundary="------------070105030606080309000007"

This is a multi-part message in MIME format.
--------------070105030606080309000007
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

--------------070105030606080309000007
Content-Type: application/x-zip-compressed;
 name="test.zip"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
 filename="test.zip"

UEsDBAoAAAAAAMFxcDc8z1FoRAAAAEQAAAAIAAAAdGVzdC50eHRYNU8hUCVAQVBbNFxQWlg1
NChQXik3Q0MpN30kRUlDQVItU1RBTkRBUkQtQU5USVZJUlVTLVRFU1QtRklMRSEkSCtIKlBL
AQIUAAoAAAAAAMFxcDc8z1FoRAAAAEQAAAAIAAAAAAAAAAAAIAAAAAAAAAB0ZXN0LnR4dFBL
BQYAAAAAAQABADYAAABqAAAAAAA=
--------------070105030606080309000007
Content-Type: text/plain;
 name="test.txt"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
 filename="test.txt"

WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1U
RVNULUZJTEUhJEgrSCo=
--------------070105030606080309000007--
« Last Edit: November 16, 2007, 01:19:00 PM by dj02 »
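
Added example (not part of the original posts, and not Avast or hMailServer code): a Python sketch that walks a message shaped like the second .eml above and lists every place the EICAR string sits, together with the decoding layers (base64, zip) a scanner has to unpack to see it. The sample message is constructed in the code, and `build_sample` and `find_eicar` are hypothetical names.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# EICAR test string, written in two pieces so this source file is not flagged.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         r"ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def build_sample() -> bytes:
    """Constructed message: EICAR as body text, as test.zip and as test.txt."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("test.txt", EICAR)
    msg = EmailMessage()
    msg["Subject"] = "test"
    msg.set_content(EICAR.decode("ascii") + "\n")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="x-zip-compressed", filename="test.zip")
    msg.add_attachment(EICAR, maintype="text", subtype="plain",
                       filename="test.txt")
    return msg.as_bytes()


def find_eicar(raw: bytes) -> list:
    """Return (location, layers to decode) for each occurrence of EICAR."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        label = part.get_filename() or "body"
        cte = (part.get("Content-Transfer-Encoding") or "7bit").lower()
        layers = [] if cte in ("7bit", "8bit", "binary") else [cte]
        data = part.get_payload(decode=True) or b""  # undoes base64 / QP
        if zipfile.is_zipfile(io.BytesIO(data)):
            # Archive attachment: look inside each member.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    if EICAR in zf.read(name):
                        hits.append((f"{label}/{name}", layers + ["zip"]))
        elif EICAR in data:
            hits.append((label, layers))
    return hits


if __name__ == "__main__":
    for location, layers in find_eicar(build_sample()):
        print(f"{location}: decode via {' -> '.join(layers) or 'nothing'}")
```
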

Offline igor

Re: Command-line scanner
« Reply #7 on: November 16, 2007, 02:14:10 PM »
I've split these posts from the beta announcement thread, since it doesn't seem to be related.

So, if you copy&paste this content into a .eml file and run ashCmd on it, it doesn't report anything? It detects the eicar without any problems here... (in both files, actually)

I used the same command-line as you posted originally (except for the location change):
d:\avast4\ashCmd.exe f:\test\1.eml /A /C /D /F=PW /T=A /P=1

Result: virus was detected, .eml file deleted, %errorlevel% = 1
« Last Edit: November 16, 2007, 02:17:41 PM by igor »

Offline igor

Re: Command-line scanner
« Reply #8 on: November 16, 2007, 02:23:07 PM »
To make sure the CLSID in the filename doesn't get incorrectly resolved somewhere, I also tried with your filenames (and with other CLSIDs)... no difference.

Can you redirect the output from ashCmd to a file (e.g. with the /_ argument) to see what was really scanned?