AntivirusMulti - scanning folders with several console AVs

  • Fil  Male
  • Legendary citizen
  • Joined: 11 Jun 2009
  • Posts: 16586

[0] PROLOGUE:


Knowledge level: intermediate/advanced.


This article concerns standalone console antiviruses, which can be downloaded as such from the Internet (so it will not cover the commercial GUI antivirus versions where CLI functionality comes only as an incidental option).

I first tried these solutions on a Win7 x64 machine, but gave up further testing there because some of them refused to work properly (for example Virus Buster, whereas Emsisoft worked excellently). Most of the solutions were tested on x86 machines.

Along with the article I attach the following INF files, which make it easier to open a command prompt on a directory. For Windows XP download [attachment, login required] and for Windows Vista/7 [attachment, login required].

(explanation: right-click the INF file and choose Install. Then right-click a folder and choose the "Command Prompt here" option, or similar.)


I suggest that you read the article in full before any experimenting, because I believe that many things, and the common mistakes in setting parameters, will then be much clearer.





[1] INTRODUCTION:





AntivirusMulti is an application that acts as a graphical front-end for several console antiviruses. The logic and basic idea guiding this application is as follows:
--> this solution is not meant to replace the antivirus on the computer, but to complement it with the scanners of several console antiviruses, which will scan "high-traffic folders" and thereby additionally protect the system.

The concept behind the phrase "additional protection" is this: antiviruses do not share virus definitions or heuristics among themselves. By using AntivirusMulti and combining console antiviruses you get a synergistic effect of different antivirus solutions (with different definition databases and heuristics), which significantly increases the probability that malicious programs are detected.

High-traffic folders are those folders that can be a breeding ground for infection. For example, the download folder of your favourite browser or download manager. With such folders, through which "all sorts of things" pass, one needs to be considerably more careful. In AntivirusMulti that care takes the form of monitoring changes, i.e. the appearance of files, in a given folder. For every file that arrives, the predefined console scanners are activated and run sequentially (one by one).

The possibilities for combining these antiviruses are numerous. We can, for example, leave real-time protection to the main antivirus, assign additional heuristic scanning (see the Emsisoft screenshot with heuristics and worm detection enabled) to a second console antivirus, assign archive scanning to a third, and so on (it all depends on which parameters we pass to these console antiviruses).

It is not recommended to put a whole disk (i.e. partition) under monitoring! Since every change is watched (and by several antiviruses at that), the operating system will become significantly congested.

It should also be mentioned that VirusTotal and Jotti use console antiviruses to scan uploaded files.





[2] MAIN PART:





Download:
AntivirusMulti v2.2, its source code and documentation can be downloaded from this link: LINK


Requirements:
When setup.exe is run, the application will download the necessary files:
- Windows Installer 3.1
- .NET Framework 3.5 SP1

However, even though it has downloaded "everything" it needs, it will not start without .NET Framework 4.0 (it keeps reporting an error... Bizarre, isn't it?).


The following image shows the main window of the AntivirusMulti application:



Image 1: AntivirusMulti with the Emsisoft scanner as the example


The graphical interface will be explained using the Emsisoft scanner as an example, because configuring it requires using all the fields of the application (depending on a scanner's syntax, some field may remain empty, as we will see later in the examples).

Before I start explaining, you should know that AntivirusMulti assumes that the syntax of every antivirus entered can be expressed in its generic syntax, which has the form:

Quote:[ antivirus_path ] + [ /pre_parameter ] + [file/folder_path] + [ /post_parameter ]


Practical example:

Quote:c:\emsisoft\a2cmd.exe /f= c:\download /m /n /quick /h /l="c:\logs\A2scan.log" /q="c:\quarant"

(I colour-coded which parts of the generic syntax correspond to the practical example: c:\emsisoft\a2cmd.exe is the antivirus path, /f= the pre-parameter, c:\download the folder path and the remaining switches the post-parameters)


Now it is easy to guess what the fields of the AntivirusMulti main window represent:


I) First we set the Antivirus working directory (since this parameter changes less often). This is the folder whose changes we monitor (it corresponds to [file/folder_path] in the generic syntax).


II) Then we fill in the "Antivirus addition" section

- clicking the Path button, we choose the path of the antivirus.

- Pre Commands - the parameters that come before the file/folder selection

- Post Commands - the parameters that come after the file/folder selection

- The Test current antivirus button did not really serve its purpose of testing. The best way to test an antivirus is to add it to the database and let it scan "in real time".

- Add Current Antivirus adds all the previously configured data to the database (Configured antivirus List).


III) The Antivirus monitoring section contains:

- the Start antivirus monitoring button: clicking it starts the process of tracking changes inside the monitored folder (defined in the Antivirus working directory section).

- the Stop antivirus monitoring button: clicking it ends the process of tracking changes inside the Antivirus working directory folder.

- a text box with a highlighted display of the monitoring status (Status: monitor started and monitor stopped).


IV) Clicking the Force Manually an Immediate scan button runs all the antiviruses in the database (sequentially) and scans the entire content of the monitored folder.


V) The "Black area" section (it has no name, but it is black and is referred to that way in the documentation too) contains:

- Messages - various messages related to the application and the antiviruses are printed here. If the option below it is ticked, this window can (depending on the program's functionality and licence) show the console scanner's output (scanned objects, viruses found and so on; see the screenshots).

- enable/disable trace antivirus option - depending on the licence you hold for the console antivirus, this functionality will be supported. As mentioned, the output that would be shown in the console is relayed here. This is practical because it accumulates the reports of the different antiviruses (instead of showing each one separately).

- Open trace file - opens the report from the messages box in a text editor.

- Delete trace file - clears the contents of the messages box.

* Once you have set up the console antiviruses, the configuration parameters can be saved. The Configuration menu contains Load and Save entries.


The following programs are covered in the article:

Quote:1. Panda Antivirus Command-Line Scanner
2. Avira AntiVir Command Line Scanner
3. VIPRE Rescue
4. Emsisoft CLI Scanner
5. VirusBuster CLI Scanner
6. Ikarus T3 Command Line Scanner
7. Sophos Command Line Tool
8. Trend Micro SysClean
9. ClamWin Portable Scanner






[ a ] Panda Antivirus Command-Line Scanner





Download: LINK

Freeware: YES

Size: ~43 MB

Update method: there is no automatic updating. Manual updating is possible if a licence has been paid for.


Syntax: pavcl [directory] [parameter]

Example: pavcl E:\Downloads -aex


Possible parameters:

Quote: -auto Scan without user intervention.
-nob Do not scan boot sectors.
-lis Show virus list
-del Delete infected files.
-cmp Search for viruses into compressed files.
-clv Disinfect the viruses found.
-exc: Use exclusion list
-ext: Use valid extension list
-help Show help
-heu Activate heuristic detection method.
-heu: Activate heuristic detection method with level (1-3).
-onlype Use only PE Heuristic during analysis
-nbr Does not allow interrupting the program with Ctrl-C.
-nomalw Do not detect Malware
-nojoke Do not detect Jokes
-nodial Do not detect Dialers
-nohackt Do not detect Hacking Tools
-nospyw Do not detect Spyware
-nof Do not analyze files
-nocookies Do not detect Tracking Cookies.
-nor Do not generate result files.
-noscr Do not output to console.
-nos Deactivate sounds.
-nsub Do not scan nested subdirectories.
-path Scan the directories specified in the path environment variable.
-sig: Alternate location for signature files
-ren Rename infected files.
-rto Restore original name for renamed files
-rpt: Report file
-save Saves the parameters to a file for its use the next time it is run.
-esp Change language to SPANISH.
-eng Change language to ENGLISH.
-aex Scan all files, independently of their extension.
-info Show configuration status information.
-no2 Do not perform the second action
-loc Analyze local drives
-all Analyze all drives


When you drop a file into the monitored folder, the antivirus will activate and scan that file. In the following image I underlined the file I dropped into the monitored folder and the scan report.



Image 2: result of scanning a file dropped into the download folder with the Panda CLI





[ b ] Avira AntiVir Command Line Scanner





Download:

1) Command line scanner - "antivir_avcls_en.zip" ~300 kB extracted LINK
2) You also need to download the updated definitions ~40 MB LINK
Freeware: NO (in the examples I had a key)
//note: the scanner, definitions and key must be in the same folder.

Size: ~40 MB

Update method: manual updating by downloading the fusebundle.


Syntax: AVCLS [path[\*.ext]] [*.ext][parameters]

Example: AVCLS C:\* -s scans all files on partition C


Parameters:
Quote: -? / -h ......... display the help text
-allfiles ....... scan all files
-defext ......... use the default extension list for scanning
-allboot ........ scan all boot records
-alldrives ...... scan all drives
-allhard ........ scan all hard disks
-allremote ...... scan all network drives
-wub ............ save unknown boot records to file '.\UKB.SAV'
-s .............. scan subdirectories
-z .............. files in archives will be extracted and scanned
-noboot ......... do not check any boot records
-nombr .......... do not check any master boot records
-nobreak ........ disable Ctl-C and Ctrl-Break
-v .............. verbose scan mode
-nopack ......... do not scan inside packed files
-e [-del | -ren] repair detected files if possible
[-del] non-repairable files will be deleted
[-ren] non-repairable files will be renamed
-ren ............ rename detected files (*.COM->*.VOM,...)
-del ............ delete detected files
-dmnoheur ....... disable macro heuristic
-dmdel .......... delete documents containing suspicious macros
-dmdas .......... delete all macros if one appears to be suspicious
-dmse ........... set exit code to 101 if any macro was found
-heuristic(: |=)1 heuristic detection rate low
-heuristic(: |=)2 heuristic detection rate medium
-heuristic(: |=)3 heuristic detection rate high
-r1 ............. just log infections and warnings
-r2 ............. log all scanned paths in addition
-r3 ............. log all scanned files
-r4 ............. select verbose log mode
-rs ............. select single-line log messages
-rf<filename> ... name of log file
?d = day, ?m = month, ?y = year (two digits each)
-ra ............. append new log data to existing file
-ro ............. overwrite existing log file
-q .............. quiet mode
-lang(: |=)DE .... use German texts
-lang(: |=)EN .... use English texts
-once ........... run AVCLS only once a day
-tmp<dir> ....... specify the directory for temporary files
-x<dir> ......... AVCLS looks for its files e.g. 'antivir3.vdf' in <dir>
-if<filename> ... AVCLS uses the given ini file
-kf<filename> ... AVCLS uses the given license file
-with-<type> .... detect unwanted programs,
like "dial", "joke", "game", "bdc"
"heur-dblext", "pck", "spr", "adspy", "appl"
the following types are enabled by default:
"dial", "bdc", "heur-dblext", "adspy"
-without-<type>.. like --with-<type>, but disables this type
-alltypes ....... combination of all known -with-<type> options
-qua-<type> <dir> the quarantine function enables detected files
to be isolate in special
directory by specifying:
"qua-move <dir>", "qua-copy <dir>"
or rather "-qua-restore <dir>", "-qua-delete <dir>
to restore or delete files
@<rspfile> ...... read parameters from the file <rspfile>
with each option in a separate line

list of return codes:
0: Normal program termination, no malware, no error
1: Detection pattern was found in a file or boot sector
2: A detection pattern was found in memory
3: Suspicious file found
100: AVCLS only has displayed this help text
101: A macro was found in a document file
102: The parameter -once was given and AVCLS already ran today
200: Program aborted, not enough memory available
201: The given response file could not be found
202: Within a response file another @<rsp> directive was found
203: Invalid parameter
204: Invalid (non-existent) directory given at command line
205: The log file could not be created
210: AVCLS could not find a necessary dll file
211: Programm aborted, because the self check failed
212: Virus definition file could not be found or read error
213: An error occured during initialisation




I started monitoring the download folder and dropped in a log from Avenger.



Image 3: the reaction of Avira's scanner to the file being dropped in.


I decided to spice things up a bit. I put malware into the download folder, added the Panda and Avira scanners with their parameters to the database and ran a manual immediate scan:



Image 4: malware detection during a manual scan.





[ c ] VIPRE Rescue





Download: LINK

Freeware: YES

Size: ~87 MB

Update method: manual updating


Syntax: VIPRERescueScanner.exe [parameters]

Example: E:\VIPRERESCUE>viprerescuescanner.exe /quick /path e:\downloads

Parameters:
Quote:

/quick - Perform a quick scan (default is deep scan)
/nolog - Disable logging (default is enabled)
/norootkit - Disable rootkit engine (default is enabled)
/path - Scan a specific path
/qlist - List quarantined items
/restore - Restore quarantined items



To update the definitions of this scanner we will do a bit of tweaking.
VIPRE definitions are actually RAR archives. They can be downloaded from this link (download the version with the highest number). They need to be extracted into the definitions folder.

How to set the parameters and perform a scan can be seen in the following image:



Image 5: output of the VIPRE scanner





[ d ] Emsisoft CLI Scanner





Download: LINK

Freeware: YES

Size: ~94 MB

Update method: automatic updating


Syntax: a2cmd.exe [path] /[parameters]

Example: a2cmd /f="c:\windows\" /m /t /c /h /r /a /n /q


Parameters:

Quote:/f=[], /files=[path] Scan files
/quick Scans all active programs, Malware Traces and TrackingCookies
/smart Good and fast result, but only important folders will be scanned
/deep Slowest scan. All files on all hard disks will be scanned deeply
/m, /memory Scan Memory for active Malware
/t, /traces Scan for Malware Traces
/c, /cookies Scan for Tracking Cookies
/fh=[handle] /pid=[PID] Scan file by handle. Process ID of the handle is required
/b=[pointer] /bs=[size] /pid=[PID] Scan buffer. Buffer size and process ID are required

/h, /heuristic Heuristic scan for unknown Malware
/r, /riskware Alert Riskware that is often used by Malware
/a, /archive Scan in compressed archives (zip, rar, cab)
/n, /ntfs Scan in NTFS Alternate Data Streams
/l=[], /log=[filepath] Save a logfile in UNICODE format
/la=[], /logansi=[filepath] Save a logfile in ANSI format
/x=[], /ext=[list] Scan only specified file extensions, comma delimited
/xe=[], /extexclude=[list] Scan all except the specified file extensions
/wl=[], /whitelist=[file] Load whitelist items from the file
/d, /delete Delete found objects including references
/dq, /deletequick Delete found objects quickly
/q=[], /quarantine=[folder] Put found Malware into Quarantine

/ql, /quarantinelist List all quarantined items
/qr=[], /quarantinerestore=[n] Restore the item number n of the quarantine
/qd=[], /quarantinedelete=[n] Delete the item number n of the quarantine

/s /service Run scanner with support of the windows service to keep the signatures in RAM and avoid long loading time on batch scan jobs.
a2service.exe /uninstall a2cmd To uninstall the service
/u, /update Update software and signatures. Proxy is not supported.
/?, /help Show help message





Before using this program, it is a good idea to update the definitions:



Image 6: Emsisoft CLI Update


Testing the program's heuristics:



Image 7: detection from a full scan with only heuristics enabled



Emsisoft Commandline Scanner supports return values (useful when writing batch scripts that process scan results)

Codes:
0 --> no malicious programs found
1 --> suspicious files found during the scan

Example:
Quote:
echo off
a2cmd c:\windows\
if not errorlevel 1 goto end
echo sumnjive datoteke su nadjene tokom skeniranja
:end
echo Kraj batch programa
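As an added example (not AntivirusMulti's own code and not from the original post), the following Python script models what the application does with the generic syntax from section [2] and with the return codes quoted above: it composes [antivirus_path] + [pre_parameter] + [file/folder_path] + [post_parameter] for each configured scanner, runs the scanners one after another on every file that appears in a watched folder, and maps each exit code to the meaning documented for Emsisoft and Avira. The scanner binaries are constructed stand-ins (small Python scripts) so it runs offline; the scanner names, marker string and folder layout are assumptions.

```python
import os
import subprocess
import sys
import tempfile
from typing import Dict, List, Set


class Scanner:
    """One configured console scanner, mirroring the AntivirusMulti fields."""

    def __init__(self, name: str, path: str, pre=(), post=(), verdicts=None):
        self.name = name
        self.path = path                       # "Path": the scanner executable
        self.pre = list(pre)                   # "Pre Commands"
        self.post = list(post)                 # "Post Commands"
        self.verdicts: Dict[int, str] = dict(verdicts or {})  # documented exit codes

    def command(self, target: str) -> List[str]:
        # Generic syntax: [antivirus_path] [pre_parameter] [file/folder_path] [post_parameter]
        return [self.path, *self.pre, target, *self.post]

    def verdict(self, code: int) -> str:
        return self.verdicts.get(code, "undocumented exit code %d" % code)


# Return codes as documented in the scanners' own help text quoted in the article.
EMSISOFT_CODES = {0: "clean", 1: "suspicious files found"}
AVIRA_CODES = {0: "clean", 1: "detection in file or boot sector",
               2: "detection in memory", 3: "suspicious file",
               203: "invalid parameter", 204: "invalid directory"}


def scan_sequentially(scanners: List[Scanner], target: str) -> List[dict]:
    """Run every configured scanner one after another on the same target,
    the way 'Force Manually an Immediate scan' does."""
    results = []
    for s in scanners:
        proc = subprocess.run(s.command(target), capture_output=True, text=True)
        results.append({"scanner": s.name, "target": target,
                        "code": proc.returncode,
                        "verdict": s.verdict(proc.returncode),
                        "output": proc.stdout.strip()})
    return results


def new_files(folder: str, seen: Set[str]) -> List[str]:
    """Polling stand-in for the folder monitor: files not seen on the last call."""
    current = {os.path.join(folder, f) for f in os.listdir(folder)
               if os.path.isfile(os.path.join(folder, f))}
    fresh = sorted(current - seen)
    seen.update(current)
    return fresh


# Constructed stand-in scanner (a small Python script) so the example runs
# offline: it exits with its "hit" code if any scanned file contains the
# marker string, and with 0 otherwise.  Unknown switches are ignored.
FAKE_SCANNER_SRC = r'''
import os, sys
hit = int(sys.argv[1])                       # exit code to use on detection
target = next(a for a in sys.argv[2:] if os.path.exists(a))
paths = [target] if os.path.isfile(target) else [
    os.path.join(d, f) for d, _, fs in os.walk(target) for f in fs]
found = [p for p in paths if b"CONSTRUCTED-MALWARE-MARKER" in open(p, "rb").read()]
for p in found:
    print("detected:", p)
sys.exit(hit if found else 0)
'''


def make_fake_scanner(workdir: str, name: str, hit_code: int,
                      verdicts: Dict[int, str], pre=(), post=()) -> Scanner:
    script = os.path.join(workdir, "fake_%s.py" % name.lower())
    with open(script, "w") as fh:
        fh.write(FAKE_SCANNER_SRC)
    # The interpreter plays the role of the scanner binary; the script and the
    # hit code are simply the first "Pre Commands".
    return Scanner(name, sys.executable, [script, str(hit_code), *pre], post, verdicts)


def demo() -> List[dict]:
    """Constructed run: a monitored 'download' folder receives a harmless file
    and a file carrying the marker; every new file triggers all scanners."""
    work = tempfile.mkdtemp()
    watched = os.path.join(work, "download")
    os.mkdir(watched)
    scanners = [
        make_fake_scanner(work, "Emsisoft", 1, EMSISOFT_CODES, pre=["/f="], post=["/h"]),
        make_fake_scanner(work, "Avira", 1, AVIRA_CODES, post=["-s"]),
    ]
    seen: Set[str] = set()
    new_files(watched, seen)                     # baseline: the folder is empty
    with open(os.path.join(watched, "notes.txt"), "w") as fh:
        fh.write("harmless text")
    with open(os.path.join(watched, "sample.bin"), "wb") as fh:
        fh.write(b"xx CONSTRUCTED-MALWARE-MARKER xx")
    results = []
    for path in new_files(watched, seen):
        results.extend(scan_sequentially(scanners, path))
    return results


if __name__ == "__main__":
    for r in demo():
        print("%-9s %-12s exit=%d -> %s" % (r["scanner"], os.path.basename(r["target"]),
                                           r["code"], r["verdict"]))
```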






[ e ] VirusBuster CLI Scanner





Download: LINK

Freeware: NO

Size: ~300 KB

Update method: automatic updating

Syntax: since there are quite a lot of parameters for this console antivirus, I attach a PDF with the syntax, parameters and examples [attachment, login required]

Before use, open a console and update the antivirus with the following command:



Image 8: Virus Buster update


Since the version is shareware, you have to wait 30 seconds before scanning (the countdown can be seen in the following image).



Image 9: VirusBuster's scanner in action





[ f ] Ikarus T3 Command Line Scanner





Download: LINK (scanner: t3scan, definitions: t3sigs.vdb)

Freeware: YES

Size: ~50 MB

Update method: manual, by downloading the file t3sigs.vdb

Syntax: t3scan [options] <samples>
t3scan [options] <path>

Parameters:

Quote: -help | -h | -? This help
-filelist | -F <filename> Read input files from newline-separated file <filename>
-logfile | -l <filename> Create log file
-maxfilesize | -m <n> Max. filesize in MB (default 64MB)
-n No simulation
-nosubdirs | -d Do not scan sub directories
-r <n> Max. recursive scans (default 8 )
-vdbpath | -vp <directory> Path to signature database

Special options:
-noarchives | -na Do not scan archive content
-rtimeout <seconds> Stop recursively scanning files in an archive after <seconds>
-sa Summarize archives: only the final result for the archive is reported
-timeout <seconds> Stop scanning a single file after <seconds>
-version | -ver Display the program, engine and VDB version
-vdbver Display VDB version
-verbose | -v Increase the output level








Image 10: Ikarus console scanner, parameters and report




[ g ] Sophos Command Line Tool (SAV32CLI Tool)





Download: scanner and definitions

Freeware: YES

Size: ~60 MB

Update method: manual, by downloading the IDE file
//of course, here too the rule applies that the contents of all archives are extracted into the same folder.


Syntax: sav32cli.exe [folder_path] -[parameters]

Examples: SAV32CLI C:\*.HLP , sav32cli.exe E:\downloads -f

Parameters:
Quote: -exclude - excludes folder from scanning
(SAV32CLI \fred -exclude \fred\games --> scans all of the fred directory, but excludes the directory games (and all directories and files under it).
-idedir=[path] - Specify an alternative directory for virus definitions
-include - Include items in scanning
-p=[path] - Write to log file in default encoding
-putf8 - Write to UTF-8 log file
-putf16 - Write to UTF-16LE log file
--stop-scan - Abort scanning of "zip bombs"

The following options may be prefixed with 'n' to invert their meaning
(for example, '-nsc' is the inverse of '-sc'). [*] indicates the option
is the default:

-sc [*] : Scan inside dynamically compressed executables
-f [ ] : Full scan
-di [ ] : Disinfect infected items
-s [*] : Run silently (do not list files swept)
-c [*] : Ask for confirmation before disinfection/deletion
-b [*] : Sound bell on virus detection
-all [ ] : Scan all files
-rec [*] : Do recursive scan
-remove [ ] : Remove infected objects
-move [ ] Move infected files to a quarantine directory
-rename [ ] : Append extension "infected" to filenames of infected files
-dn [ ] : Display names of files as they are scanned
-ss [ ] : Don't display anything except on error or virus
-eec [ ] : Use extended error codes
-ext=XXX, .. : Specify additional extensions to scan
-v : Display complete version information
-vv : Display complete version and IDE information
-h : Display this help and exit
-mbr [ ] : Scan master boot records on all hard disks
-bs=X,. [ ] : Scan boot sector of each drive listed
-mac [ ] : Scan for Macintosh viruses
-cdr=X, .[ ] : Scan boot sector in bootable image of each CD drive listed

-zip [ ] : Scan inside ZIP archives
-gzip [ ] : Scan inside GZIP compressed files
-arj [ ] : Scan inside ARJ archives
-cmz [ ] : Scan inside Unix-compressed files
-tar [ ] : Scan inside TAR archives
-rar [ ] : Scan inside RAR archives
-cab [ ] : Scan inside Microsoft Cabinet files
-archive [ ] : All of the above (see below for a full list)
-loopback [ ] : Scan inside loopback-type files
-mime [ ] : Scan files encoded in MIME format
-oe [ ] : Scan Microsoft Outlook Express mailbox files (you must also
use the -mime option with this option)
-tnef [ ] : Scan inside TNEF files


Error codes
-----------

SAV32CLI returns the following error codes:

0 If no errors are encountered and no viruses are found.
1 If the user interrupts the execution by pressing Esc.
2 If some error preventing further execution is discovered.
3 If viruses or virus fragments are discovered.

Extended error codes

A different set of error codes will be returned if SAV32CLI is run with the
-EEC command-line option:

0 If no errors are encountered and no viruses are found.
8 If survivable errors have occurred.
16 If password-protected files have been found and not decrypted.
20 If viruses have been found and disinfected.
24 If viruses have been found and not disinfected.
28 If viruses have been found in memory.
32 If there has been an integrity check failure.
36 If unsurvivable errors have occurred.
40 If execution has been interrupted.



The following image shows the parameters used for the scan. Without the -f parameter it will do a quick scan. Without the -all parameter it will scan only the given folder, without subfolders.



Image 11: Sophos report during a manual scan, and the parameters.





[ h ] Trend Micro SysClean





Download: scanner and definitions

Freeware: YES

Size: ~121 MB (all together)

Update method: manual, by downloading the so-called consumer pattern
('cause 'virus signature' sounds too lame)


Syntax: sysclean.com /NOGUI folder_path

Example: sysclean.com /NOGUI E:\downloads


Parameters:


The parameters are shown in the following image. Without the NOGUI switch, an "interactive mode" starts in which the user can choose options via the keyboard. That mode is of no interest here (even though it is console-based) because it does not support automation.



Image 12: Trend Micro scanner, parameters and application output.





[ i ] ClamWin Portable Scanner





Download: scanner and definitions

Freeware: YES

Size: ~37 MB

Update method: manual, by downloading the signatures, or automatic through the GUI.

Note: you will download the scanner's EXE file, which should be extracted into the desired folder. After starting the application you will have to configure some basic paths (to the scanner, to the folder containing the definitions, etc., all through the GUI, so I trust you will manage).



Syntax: [scanner_path] --database=[signature_folder_path] [parameters]

Example from my computer: E:\ClamWinPortable\App\clamwin\bin\clamscan.exe --database="e:\ClamWinPortable" --recursive E:\downloads


Parameters:


Quote: --help -h Print this help screen
--version -V Print version number
--verbose -v Be verbose
--debug Enable libclamav's debug messages
--quiet Only output error messages
--stdout Write to stdout instead of stderr
--no-summary Disable summary at end of scanning
--infected -i Only print infected files
--bell Sound bell on virus detection
--show-progress Print progress indicator for each file

--tempdir=DIRECTORY Create temporary files in DIRECTORY
--leave-temps[=yes/no(*)] Do not remove temporary files
--database=FILE/DIR -d FILE/DIR Load virus database from FILE or load all supported db files from DIR
--official-db-only[=yes/no(*)] Only load official signatures
--log=FILE -l FILE Save scan report to FILE
--recursive[=yes/no(*)] -r Scan subdirectories recursively
--cross-fs[=yes(*)/no] Scan files and directories on other filesystems
--follow-dir-symlinks[=0/1(*)/2] Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2] Follow file symlinks (0 = never, 1 = direct, 2 = always)
--file-list=FILE -f FILE Scan files from FILE
--remove[=yes/no(*)] Remove infected files. Be careful!
--move=DIRECTORY Move infected files into DIRECTORY
--copy=DIRECTORY Copy infected files into DIRECTORY
--exclude=REGEX Don't scan file names matching REGEX
--exclude-dir=REGEX Don't scan directories matching REGEX
--include=REGEX Only scan file names matching REGEX
--include-dir=REGEX Only scan directories matching REGEX
--memory Scan loaded executable modules
--kill -k Kill/Unload infected loaded modules
--unload -u Unload infected modules from processes

--bytecode[=yes(*)/no] Load bytecode from the database
--bytecode-trust-all[=yes/no(*)] Trust all loaded bytecode
--bytecode-timeout=N Set bytecode timeout (in milliseconds)
--detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications
--exclude-pua=CAT Skip PUA sigs of category CAT
--include-pua=CAT Load PUA sigs of category CAT
--detect-structured[=yes/no(*)] Detect structured data (SSN, Credit Card)
--structured-ssn-format=X SSN format (0=normal,1=stripped,2=both)

--structured-ssn-count=N Min SSN count to generate a detect
--structured-cc-count=N Min CC count to generate a detect
--scan-mail[=yes(*)/no] Scan mail files
--phishing-sigs[=yes(*)/no] Signature-based phishing detection
--phishing-scan-urls[=yes(*)/no] URL-based phishing detection
--heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
--phishing-ssl[=yes/no(*)] Always block SSL mismatches in URLs (phishing module)
--phishing-cloak[=yes/no(*)] Always block cloaked URLs (phishing module)
--algorithmic-detection[=yes(*)/no] Algorithmic detection
--scan-pe[=yes(*)/no] Scan PE files
--scan-elf[=yes(*)/no] Scan ELF files
--scan-ole2[=yes(*)/no] Scan OLE2 containers
--scan-pdf[=yes(*)/no] Scan PDF files
--scan-html[=yes(*)/no] Scan HTML files
--scan-archive[=yes(*)/no] Scan archive files (supported by libclamav)
--detect-broken[=yes/no(*)] Try to detect broken executable files
--block-encrypted[=yes/no(*)] Block encrypted archives

--max-filesize=#n Files larger than this will be skipped and assumed clean
--max-scansize=#n The maximum amount of data to scan for each container file (**)
--max-files=#n The maximum number of files to scan for each container file (**)
--max-recursion=#n Maximum archive recursion level for container file (**)
--max-dir-recursion=#n Maximum directory recursion level

(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain other
files inside. The above options ensure safe processing of this kind of data.






Image 13: automatic signature update through the GUI




Image 14: signatures (3 files) and console output




Image 15: finally - integration with AntivirusMulti and completion of the scan






[3] BONUS:



Console antivirus tools, antimalware tools, and any other programs that can be run in a console or have a separate CLI component can be put into AntivirusMulti. With a bit of hacking (which will not be described here) it is possible to make commercial applications portable and get their CLI module to work with AntivirusMulti. The parameters for working with Bitdefender's CLI module can be seen in the following image:



Image 16: Bitdefender as a CLI scanner during a scan


MalwareBytes Antimalware can also be run this way (tested).


Someone will ask: "That's all fine, but who is going to download all those definitions...".

--> A possible solution can be built with batch scripting.

Here are a few ideas:

- Download the wget application: LINK (attachment, login required)

Copy the following code into a text file and save it as "preuzmisophos.cmd" (the stray second argument after the first URL has been dropped; wget would have treated it as another URL to fetch)

wget.exe -c http://www.sophos.com/tools/sav32sfx.exe
wget.exe -c http://www.sophos.com/downloads/ide/web_ides.exe


As far as I know, wget does not support downloading links to a specific location (it downloads the file into the folder it is in). The idea would be to call wget in each definitions folder, "aiming" at the specific links.
Since definitions are usually in compressed archives, a console archiver can also be used for decompression.

The easiest solution is with console antiviruses that support automatic updating, so you only need to pass the antivirus the appropriate update parameter and, in that form, put it into the batch script.





[4] CONCLUSION:



Another way of protecting your Windows operating system has been presented: scanning a predefined folder, but also checking files in a "one time scan" fashion simply by dropping them into that folder. This approach may be able to replace services like VirusTotal or Jotti, where instead of uploading the desired files to their servers you would simply drop them into the monitored folder.

What is good here is that you have control over the choice of antivirus/antimalware/other programs and over the operating modes of those programs.





[5] EPILOGUE:




Don't let me catch you in Ambulanta if you get infected by some keygen from the net.

I must thank user higuy for good ideas, suggestions and screenshots for some of the applications.

Until the next article, cheers



  • Joined: 05 Feb 2008
  • Posts: 2134

Once again, deep respect, I devour every article you write



  • mcrule  Male
  • Legendary citizen
  • Michael
  • Spy[Covert OPS], Gathering Intel/Info & The Ultimate Like Master[@ MyCity]
  • Joined: 21 Feb 2010
  • Posts: 16934
  • Location: 43.6426°N 79.3871°W

Personally I don't like writing a message that contains only short praise like:
"Bravo!" or "Well done!" "Hats off" etc. etc.
And I noticed that many people used to do that earlier (if we go back in time to somewhere around 2004-2008)...

But your articles are simply so good that I have to join in and praise you too.

I've noticed that lately you've been writing quite a lot of articles.
Now, I don't know, maybe you wrote them earlier too, when I wasn't around, but one thing I do know: lately you've been writing them frequently.
Which one is this, the 4th, 5th? (off to count)



Let me ask you, roughly how much time did you set aside for something like this, i.e. how long did it take you to do this? :-)


And of course, well done for the effort, we eagerly await future articles! Cheers



P.S.
The way you've started, I'm telling you seriously, you'll catch up with Bobby and Peca.
I've seen those old threads Bobby wrote, so I reckon you're on the right track.
Just some of Bobby's outstanding threads:
http://www.mycity.rs/Zastita/Sandbox.html
http://www.mycity.rs/Zastita/Da-bi-se-postavilo-pametno-pitanje.html
http://www.mycity.rs/Zastita/Lov-na-vestice.html
http://www.mycity.rs/Zastita/Lov-na-vestice-II.html
http://www.mycity.rs/Zastita/Exe-packeri-i-desavanja-vezana-za-njih.html
http://www.mycity.rs/Zastita/Kada-ne-vazi-1-1.html
http://www.mycity.rs/Zastita/Kako-ljudi-kompromituju-sami-sebe.html



I also noticed that you liked and read all those threads; I reckon Bobby is something of a role model for you.

higuy wrote:

The solutions for downloading with WGET are as follows:

1. You can copy wget.exe into the Windows PATH, e.g. into the "C:\Windows\System32\" folder. Then it no longer needs to be present in the folder containing the BAT/CMD script. The same applies to the console decompressor.

2. You can download the definitions into a specific folder by using the "--directory-prefix=PREFIX" parameter. PREFIX is the location of the download folder. Example:

wget.exe --directory-prefix=c:\Downloads\ http://www.sophos.com/downloads/ide/web_ides.exe

This will download the file web_ides.exe into the folder c:\Downloads\.

3. You can also automate definition updates by running the download scripts from Task Scheduler. In that case the required console applications must be in the Windows PATH. Although even the PATH requirement can be avoided if you are handy with writing scripts.


Reply (user joined 26 Aug 2010):

Written: 22 Mar 2012 20:25

VirusBlokAda VBA32 CLI Scanner

DOWNLOAD

FREEWARE: NO*

* The VBA32Check package contains, alongside the VBA32 CLI Scanner, the key file required for this scanner to function fully.

Update method: Manually, with the batch program that is part of the package (update.bat)

Parameters:

VBA32{W|X}.EXE [path] ... [path] [/switch] ... [/switch],
where path - drive:\directory\...\directory\ or
*: - local drives, **: - network drives;
@filename - process files from filelist
SWITCH - specifies program options:

/?[+|-] - show help screen;
/H[+|-] - show help screen;
/HELP[+|-] - show help screen;
/M=1 - fast scanning mode;
/M=2 - optimal scanning mode (/AF+);
/M=3 - thorough scanning mode (/AF+ /PM+);
/AF[+|-] - all files;
/PM[+|-] - thorough scanning mode (VERY slow);
/RW[+|-] - detect Spyware, Adware, Riskware;
/CH[+|-] - switch on cache while scanning objects;
/FC[+|-] - cure infected files;
/FD[+|-] - delete infected files;
/FR[+|-] - rename infected files;
/FM+[directory]- move infected files to selected directory (by default C:\Virus);
/SD[+|-] - delete suspicious files;
/SR[+|-] - rename suspicious files;
/SM+[directory]- move suspicious files to selected directory (by default C:\Virus);
/BC[+|-] - cure boot sectors;
/NA[+|-] - disable detection for the signed file (only Windows);
/HA=[0|1|2|3] - heuristic analysis level (0 - disabled, 2 - maximum);
/MR=[0|1|2] - memory scanning (0 - disabled, 2 - full,
full is enabled by default);
/AS=[0|1|2] - scan files launched at system startup
(0 - disabled, 2 - full,
full is enabled by default, only Windows);
/BT[+|-] - boot sectors scanning (enabled by default);
/QI[+[directory]|-] - copy infected object to Quarantine;
/QS[+[directory]|-] - copy suspicious object to Quarantine;
/D=[N,][filename] - run program once in N days (by default 1);
/R=[filename] - save report to file (VBA32.RPT by default);
/R+[filename] - append report to file (VBA32.RPT by default);
/UL[+|-] - show report in UTF-8;
/L=[filename] - save list of infected files to file (VBA32.LST);
/L+[filename] - append list of infected files to file (VBA32.LST);
/QU[+|-] - allow the program to be interrupted (by default);
/DB=directory - search virus definitions update in
selected directory on startup;
/SS[+|-] - enable virus detection sound warning;
/OK[+|-] - include "clean" filenames in report;
/AR[+|-] - enable archives scanning;
/AL=[file_size,kB] - don't scan archives larger than the specified value;
/AD[+|-] - delete archives containing infected files;
/SFX[+|-] - detect installers of malware;
/ML[+|-] - mail scanning;
/MD[+|-] - delete messages containing infected files;
/VL[+|-] - view list of viruses known to program;
/VM[+|-] - show macros information in documents;
/SI[+|-] - additional information about program support;
/LNG=suffix - select language file VBA32<suffix>.LNG;
/KF={directory|path} - specify path to key file;
/EXT= - specify list of file extensions to be checked;
/EXT+ - add user defined file extensions to default list;
/EXT- - remove file extensions from default list;
/WK[+|-] - wait for any key when finished;
/SP[+|-] - show overall check progress;
/J[+|-|=thread_count] - multithreaded mode, count of simultaneously
processed files can be set to default value (-J, -J+,
preferred) or explicitly (-J=count);
The following switches are active by default: /QU /MR /BT /AS /RW


Addendum: 05 May 2012 1:31

Dr.Web console scanner for Windows

DOWNLOAD

FREEWARE: NO

Update method:
Manually, with drwebupw.exe, which is part of the package

Parameters:

COMMAND LINE OPTIONS

To start the program, use the following command line:

        <program> [disk:][path] [options]

where
program - executable module name (DrWebWCL);
disk:   - logical drive of a hard disk, floppy drive, network drive, CD-ROM,
          or * (all local logical drives);
path    - location of files to be checked; it may contain path to the
          directory on local/network drive (or network directory) and,
          optionally, filename (or filename mask).

The command line may contain several [disk:][path] parameters delimited with
blanks. In this case, the program will sequentially scan the specified objects.

Command line options (delimited with blanks)

/@[+]<file> - check objects listed in <file>.
      Each object must be identified on a separate line containing
      a full pathname (to check file) or the "?boot" keyword (to check
      boot sectors). The list file can be created with any text editor.
      When scan is completed, Dr.Web deletes the list file, unless
      "+" is included in the option;
/ADW[I|D|M|R] - determine the actions for detected adware: I - ignore;
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#");
/AL - scan all files on a given drive or directory;
/AR[D|M|R][N] - check all files inside archives (ARJ, CAB, GZIP, LZH, RAR,
      TAR, ZIP...). Use the optional parameters to specify how archives with
      infected (or suspicious) objects should be treated as a whole:
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#"); the N option suppresses the archive type after the name of the
      archive file;
/CN[D|M|R][N] - determine how containers (HTML, RTF, PowerPoint,..) with
      infected (or suspicious) objects should be treated as a whole:
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#"); the N option suppresses the container type after the name of the
      container file;
/CU[D|M|R] - cure infected objects and delete incurable files. Or use the
      optional parameters to specify how infected files should be treated:
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#");
/DA - run Dr.Web only once in a day. For this option, the configuration file,
      (INI-file) containing the date of the next scanning session must be
      present;
/DLS[I|D|M|R] - determine the actions for detected dialers: I - ignore;
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#");
/EX - scan files that have extensions associated with executable modules
      and MS Office documents (COM, EXE, SYS, BAT, CMD, DRV, BIN, DLL, OV?,
      BOO, PRG, VXD, 386, SCR, FON, DO?, XL?, WIZ, RTF, CL*, HT*, VBS, JS*,
      INF, A??, ZIP, R??, PP?, HLP, OBJ, LIB, MD?, INI, MBR, IMG, CSC, CPL,
      MBP, SH,  SHB, SHS, SHT*,MSG, CHM, XML, PRC, ASP, LSP, MSO, OBD, THE*,
      EML, NWS, TBB);
/GO - run without asking you what to do next (in such situations as not
      enough disk space for unpack operation, invalid parameters in the
      command line, Dr.Web infected by unknown virus, etc.). This option
      might be useful, say, for automatic check of incoming e-mail;
/HA - enable the heuristic analyzer that can detect unknown viruses;
/HCK[I|D|M|R] - determine the actions for detected hack tools: I - ignore;
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#");
/IC[D|M|R] - determine how to treat incurable files: D - delete, M - move
      (by default, to the INFECTED.!!! directory), R - rename (by default,
      the extension's first character is changed to "#");
/INI:<path> - use an alternative configuration file (INI-file);
/JOK[I|D|M|R] - determine the actions for detected joke programs: I - ignore;
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#");
/LNG[:<path>] - use an alternative language file (DWL-file), or built-in
      (english) language;
/ML[D|M|R][N] - check files of mail format (UUENCODE, XXENCODE, BINHEX,
      MIME,...). Use the optional parameters to specify how mail files with
      infected (or suspicious) objects should be treated as a whole:
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#"); the N option suppresses the mail type after the name of the mail
      file;
/MW[I|D|M|R] - determine the actions for all types of malware programs (i.e.
      adware, dialers, hack tools, jokes, riskware): I - ignore; D - delete,
      M - move (by default, to the INFECTED.!!! directory), R - rename (by
      default, the extension's first character is changed to "#");
/NI - ignore the settings in the configuration file (DRWEB32.INI);
/NM - skip memory test;
/NS - run non-stop (no interruption by pressing ESC);
/OK - write a full list of scanned objects and display "OK" next to clean
      objects;
/PF - display the "Scan another diskette?" prompt after checking a floppy
      disk;
/PR - prompt to confirm an action on an infected or suspicious file;
/RP[+]<file> - write the scan results to a file (by default,
      <program>.LOG), <file> is the full pathname of a report file. If the
      plus sign is included, the recent report will be appended to the
      report file; otherwise the report file will be overwritten;
/RSK[I|D|M|R] - determine the actions for detected riskware: I - ignore;
      D - delete, M - move (by default, to the INFECTED.!!! directory),
      R - rename (by default, the extension's first character is changed to
      "#");
/SCP:<n> - specify the priority of the scanning process over other processes
      in the system (n - number from 1 to 50; default value is 25);
/SD - scan subdirectories;
/SL - scan symlinks;
/SO - play sounds;
/SP[D|M|R] - determine how to treat suspicious files: D - delete, M - move
      (by default, to the INFECTED.!!! directory), R - rename (by default,
      the extension's first character is changed to "#");
/SS - save current settings when the program terminates;
/TB - scan boot sectors and master boot record;
/TM - scan memory for viruses (including Windows system memory);
/TS - scan startup files;
/UPN - disable the output of names of file packers used for packing the
      scanned executable files to the log file;
/WA - wait after scan is finished if viruses or suspicious objects were found;
/?  - display help.

If DRWEB32.INI is not present or not used, the default options are:
/AL /AR /HA /ML /PR /SD /SL /TB /TM /TS

Some options can be postfixed with the "-" character. This "negation" form
disables the respective function or mode. It might be useful if the mode is
enabled by default or via settings in the INI-file.

The negation form can be applied to the following command-line options:
/ADW /AR /CU /DLS /FN /HCK /JOK /HA /IC /ML /MW /OK /PF /PR /RSK /SD /SL /SO
/SP /TB /TM /TS /UP /WA

Note that the negation form of /CU, /IC and /SP cancels all actions enabled
by these options. It means that information about infected and suspicious
objects will appear in the report file only.

/AL, /EX and /FM cannot be used in the negation form. However, any of these
options disables the other two.



RETURN CODES

The values of the return code and corresponding events are as follows:

  0 - OK, no virus found
  1 - known virus detected
  2 - modification of known virus detected
  4 - suspicious object found
  8 - known virus detected in archive (container, mail file)
 16 - modification of known virus detected in archive (container, mail file)
 32 - suspicious file found in archive (container, mail file)
 64 - at least one infected object successfully cured
128 - at least one infected or suspicious file deleted/renamed/moved

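For a front-end that runs this scanner unattended, as the AntivirusMulti idea in the article calls for, two details of the help text above matter: the return code is a bitmask (several events can be reported in one value), and /PR (prompt before acting on a file) is on by default, so it must be negated. The following is an added example written for this page, not code from the post or from Dr.Web. It assumes the executable is named drwebwcl.exe (the help text only names the module DrWebWCL) and uses only the options and return-code bits quoted above.

```python
"""Drive the Dr.Web console scanner (DrWebWCL) unattended and decode its exit code.

Added example, not code from the original post or from Dr.Web. Assumptions:
the scanner executable is 'drwebwcl.exe' (the help text only names the module
DrWebWCL); option rules and return-code bits are those quoted in the post.
"""
import re
import subprocess

# Return-code bits from the RETURN CODES section. The code is a bitmask, so
# several events may be reported at once (e.g. 9 = 1 + 8).
RC_BITS = {
    1: "known virus detected",
    2: "modification of known virus detected",
    4: "suspicious object found",
    8: "known virus detected in archive (container, mail file)",
    16: "modification of known virus detected in archive (container, mail file)",
    32: "suspicious file found in archive (container, mail file)",
    64: "at least one infected object successfully cured",
    128: "at least one infected or suspicious file deleted/renamed/moved",
}
DETECTION_BITS = 1 | 2 | 8 | 16
SUSPICIOUS_BITS = 4 | 32
ACTION_BITS = 64 | 128

# Options that accept the "-" negation suffix (list from the help text).
NEGATABLE = {
    "/ADW", "/AR", "/CU", "/DLS", "/FN", "/HCK", "/JOK", "/HA", "/IC", "/ML", "/MW",
    "/OK", "/PF", "/PR", "/RSK", "/SD", "/SL", "/SO", "/SP", "/TB", "/TM", "/TS", "/UP", "/WA",
}
# /AL, /EX and /FM cannot be negated, and each one disables the other two.
SCOPE_OPTIONS = {"/AL", "/EX", "/FM"}


def decode_return_code(rc):
    """Return the list of events encoded in the scanner's exit code (empty for 0)."""
    if not 0 <= rc <= 255:
        raise ValueError(f"not a Dr.Web return code: {rc}")
    return [text for bit, text in RC_BITS.items() if rc & bit]


def verdict(rc):
    """Collapse the bitmask into the outcome a multi-scanner front-end needs."""
    if rc & DETECTION_BITS:
        return "infected"
    if rc & SUSPICIOUS_BITS:
        return "suspicious"
    if rc & ACTION_BITS:
        return "action-only"  # an action bit without a detection bit: flag for review
    return "clean"


def check_options(options):
    """Return a list of problems with the option set (empty list = valid).

    Catches negation of non-negatable options and contradictory /AL /EX /FM
    combinations, so a typo cannot silently widen or narrow the scan scope.
    """
    problems, scope_seen = [], set()
    for opt in options:
        # Option names are letters after "/"; "@" and "?" are the two symbolic ones.
        m = re.match(r"^/([A-Z@?]+)", opt.upper())
        if not m:
            problems.append(f"malformed option: {opt}")
            continue
        name = "/" + m.group(1)
        if opt.endswith("-") and name not in NEGATABLE:
            problems.append(f"{name} cannot be used in the negation form")
        if name in SCOPE_OPTIONS:
            scope_seen.add(name)
    if len(scope_seen) > 1:
        problems.append(f"{sorted(scope_seen)} disable each other; pick one")
    return problems


def build_command(scanner, targets, options):
    """Validate the options and assemble argv: <program> [path ...] [options]."""
    problems = check_options(options)
    if problems:
        raise ValueError("; ".join(problems))
    return [scanner, *targets, *options]


def run_scan(scanner, targets, report="drweb_scan.log"):
    """Scan `targets` non-interactively and return (verdict, events).

    /GO answers the scanner's own prompts, /NS disables ESC interruption, /PR-
    removes the per-file confirmation that is on by default, /RP+ appends to
    the report; /SD /AR /HA are defaults restated so an INI file cannot
    silently change them.
    """
    options = ["/GO", "/NS", "/PR-", "/SD", "/AR", "/HA", f"/RP+{report}"]
    argv = build_command(scanner, targets, options)
    proc = subprocess.run(argv, check=False)  # non-zero codes are results, not errors
    return verdict(proc.returncode), decode_return_code(proc.returncode)


if __name__ == "__main__":
    import sys
    # Example target folder only; pass real paths on the command line.
    print(run_scan("drwebwcl.exe", sys.argv[1:] or ["C:\\Downloads"]))
```

Two practical notes follow from the help text: a non-zero exit code is a finding, not a failure, so the wrapper must not treat it as an error; and if the front-end hands the scanner a list file with /@, it should use /@+, otherwise the scanner deletes the list file when it finishes.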
Reply (user joined 26 Aug 2010):

Instead of ClamWin you can use the official ClamAV port for Windows, which can be downloaded from here:

http://sourceforge.net/projects/clamav/files/clamav/win32/

The current versions are in the folder named after the current version. At the moment that is 0.97.6:

http://sourceforge.net/projects/clamav/files/clamav/win32/0.97.6/

32-bit and 64-bit versions are available. Although it is installed, the scanner is fully portable.
So that you do not have to struggle with configuring freshclam, I am posting my freshclam.conf file and the switches for it.

(attachment: freshclam.conf, visible to logged-in users only)

freshclam.exe --config-file=freshclam.conf


The switches for ClamAV are mostly the same as for ClamWin.


Quote: Clam AntiVirus Scanner 0.97.6
By The ClamAV Team: http://www.clamav.net/team
(C) 2007-2009 Sourcefire, Inc.

--help -h Print this help screen
--version -V Print version number
--verbose -v Be verbose
--debug Enable libclamav's debug messages
--quiet Only output error messages
--stdout Write to stdout instead of stderr
--no-summary Disable summary at end of scanning
--infected -i Only print infected files
--bell Sound bell on virus detection

--tempdir=DIRECTORY Create temporary files in DIRECTORY
--leave-temps[=yes/no(*)] Do not remove temporary files
--database=FILE/DIR -d FILE/DIR Load virus database from FILE or load
all supported db files from DIR
--official-db-only[=yes/no(*)] Only load official signatures
--log=FILE -l FILE Save scan report to FILE
--recursive[=yes/no(*)] -r Scan subdirectories recursively
--cross-fs[=yes(*)/no] Scan files and directories on other filesystems
--follow-dir-symlinks[=0/1(*)/2] Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2] Follow file symlinks (0 = never, 1 = direct, 2 = always)
--file-list=FILE -f FILE Scan files from FILE
--remove[=yes/no(*)] Remove infected files. Be careful!
--move=DIRECTORY Move infected files into DIRECTORY
--copy=DIRECTORY Copy infected files into DIRECTORY
--exclude=REGEX Don't scan file names matching REGEX
--exclude-dir=REGEX Don't scan directories matching REGEX
--include=REGEX Only scan file names matching REGEX
--include-dir=REGEX Only scan directories matching REGEX

--bytecode[=yes(*)/no] Load bytecode from the database
--bytecode-unsigned[=yes/no(*)] Load unsigned bytecode
--bytecode-timeout=N Set bytecode timeout (in milliseconds)
--detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications
--exclude-pua=CAT Skip PUA sigs of category CAT
--include-pua=CAT Load PUA sigs of category CAT
--detect-structured[=yes/no(*)] Detect structured data (SSN, Credit Card)
--structured-ssn-format=X SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N Min SSN count to generate a detect
--structured-cc-count=N Min CC count to generate a detect
--scan-mail[=yes(*)/no] Scan mail files
--phishing-sigs[=yes(*)/no] Signature-based phishing detection
--phishing-scan-urls[=yes(*)/no] URL-based phishing detection
--heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
--phishing-ssl[=yes/no(*)] Always block SSL mismatches in URLs (phishing module)
--phishing-cloak[=yes/no(*)] Always block cloaked URLs (phishing module)
--algorithmic-detection[=yes(*)/no] Algorithmic detection
--scan-pe[=yes(*)/no] Scan PE files
--scan-elf[=yes(*)/no] Scan ELF files
--scan-ole2[=yes(*)/no] Scan OLE2 containers
--scan-pdf[=yes(*)/no] Scan PDF files
--scan-html[=yes(*)/no] Scan HTML files
--scan-archive[=yes(*)/no] Scan archive files (supported by libclamav)
--detect-broken[=yes/no(*)] Try to detect broken executable files
--block-encrypted[=yes/no(*)] Block encrypted archives

--max-filesize=#n Files larger than this will be skipped and assumed clean
--max-scansize=#n The maximum amount of data to scan for each container file (**)
--max-files=#n The maximum number of files to scan for each container file (**)
--max-recursion=#n Maximum archive recursion level for container file (**)
--max-dir-recursion=#n Maximum directory recursion level

(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain other
files inside. The above options ensure safe processing of this kind of data.
