On-Demand scanning

On-Demand scanning refers to the process of explicitly scanning a file or directory for viruses. An on-demand scan is typically initiated at a scheduled time. When an on-demand scan is initiated, Powertech Antivirus processes all of the files in the specified directories for viruses and provides a report of scanning activities.

To scan the file system for viruses and malicious code, use the avscan command.

NOTE: To use on-access scanning, use the avsvc command. See On-Access scanning.

On-Access and On-Demand scanning can be run simultaneously. Any user can use the avscan command, but you must have *RX authority to files in order to scan or otherwise see them. You can clean or quarantine files without *RWX authority, but will not be able to view the folder including the files. For this reason, it is recommended that full system scans be run by a root user.

WARNING: Prior to scanning, ensure you have acquired the latest virus definitions from McAfee (see Updating Virus Definitions). If you attempt to scan without updating to the latest virus definitions, Powertech Antivirus will perform the scan, but without the code required to identify the latest threats.

avscan command

Syntax

avscan [ -r ] [ --ignorelinks ] [ --noheuristics ] [ --nomacros ] [ --pup ] [ --mime ] [ --noarc ] [ --exeonly ] [ --exclude file(s):directory(ies) ] [ --maxwait seconds ] [ --timeout seconds ] [ --delay microseconds ] [ --clean ] [ --quar ] [ --cmd <"command-string"> ] [ --notify <"notifiers"> ] [ --loglevel level ] [ --quiet ] [ --version ] [ --help ] file1:file2:dir1:dir2 ...

Description

The avscan command scans the specified file or directory for viruses and malicious code.

When an infection is encountered and you have not specified the --clean or --quar flags, the avscan command prints the infections to the output stream and the infected file remains unchanged. To have the command clean or quarantine infections, specify either the --clean or the --quar option (or both). Note that if a file cannot be cleaned it is deleted unless the --quar option is specified.

If you specify the -r flag, the avscan command descends the specified directories recursively. If no file or directory is specified, the avscan command scans the current directory without descending subdirectories. For example:

./avscan

Will simply scan the current directory. To scan a specific file or directory recursively, use the following:

./avscan -r /home/testuser

You can use wildcards in file names:

./avscan /home/usr*

To send the output stream to a log file, use the redirection symbol:

./avscan > mylog.txt

Options

-r

Descends the specified directories recursively, as given by the File...|Directory... arguments.

--ignorelinks

Ignore all symbolic links. By default, the command follows symbolic links during the scan; this option instructs it to skip any symbolic link it finds.

--noheuristics

Do not use heuristic analysis when scanning files. The scanning engine normally employs heuristic technology to detect new viruses in executable files in addition to its normal signature scanning. Without heuristics, the engine can only find viruses that are already known. Heuristic analysis slows scanning and makes detection more aggressive, so more suspicious files are flagged. Heuristics are on by default; --noheuristics turns the feature off.

--nomacros

Do not scan compound documents for macro viruses. This option is the counterpart of heuristic analysis for compound document formats, for example Microsoft OLE formats such as Word documents, where it looks for new macro viruses. By default the avscan command scans for macro viruses. Use the --nomacros option to turn this feature off.

--pup

Scan for potentially unwanted programs. Some widely available applications, such as password crackers or remote-access utilities can be used maliciously or can pose a security threat. If you set this parameter, the product scans for such files.

--mime

Scan for viruses in MIME-encoded files, UU-encoded files, XX-encoded files and BinHex files, and files in TNEF and IMC formats. By default, the product does not scan these types of files. This parameter reduces scanning performance.

--noarc

Do not scan within archives (.zip, .jar, .rar, etc). Default is to scan archives.

--quiet

Prints minimal information to the output stream, useful for parsing the output file.

--exeonly

Do not scan non-executable files (.txt, etc). Default is to scan all files (recommended), so --exeonly will scan executable files only.

--exclude <file1:file2:directory1:directory2:...>

Excludes the specified files and/or directories from scanning. For example:

avscan --exclude /home/usr1:/home/usr2 will exclude the /home/usr1 and /home/usr2 directories. You can specify a maximum of 100 files and directories to exclude using this parameter.

NOTE: If your exclude string contains wildcard characters, surround the string in quotes (e.g. --exclude "/excluded-file*").

--maxwait <seconds>

Specifies the maximum number of seconds to spend scanning any one file. After the number of seconds has elapsed the product assumes the file is OK and proceeds with the next file. There is no default for this parameter (files are scanned completely). Use this option cautiously.

--timeout <seconds>

Specifies the maximum number of seconds the avscan command will execute in total. After the number of seconds has elapsed, the command will end without scanning any remaining files. The return code will indicate a timeout has occurred.

--delay <microseconds>

The amount of time in microseconds the scanner should pause with each progress beat from a scanning operation. This can be used as a simple CPU limiting technique. It can be an integer value between 0 and 999999. The default value of 0 disables the feature.

--clean

Clean infected files by repairing the infection. Please note most infections cannot be cleaned.

WARNING: If the file cannot be cleaned it will be deleted (unless the --quar option is specified).

--quar

Quarantine the infected files by moving them to the /Quarantined directory. When --quar and --clean are both specified, the product attempts to clean the file first, and if unsuccessful moves the file to the quarantine directory. If neither --clean nor --quar is specified, no action is taken on infected files.

--cmd <"command string">

Runs the specified command string when an infection is found, passing the file name as a parameter. This allows a user-written script to perform actions such as alerting an administrator. Note that the file is a live infected file and the script must not attempt to read it; the intention is only to let you process the file name, for example to notify an administrator. Scripts must have execute permission in order to be run.
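As an added example (not Powertech's or HelpSystems' code) of a --cmd handler: avscan hands it the infected file's path as its first argument, and the script records only the path and the directory entry's metadata before passing the path to a placeholder alert step. The log path, the administrator address and the script's install location are assumptions.

```shell
#!/bin/sh
# Added example of an avscan --cmd handler (not the product's own code).
# avscan calls it as: handler.sh /path/to/infected/file
# The file is live malware: this script never opens it. It only records the
# path and what ls(1) reports from the directory entry, then raises an alert.
# Assumptions: log path and administrator address below are placeholders.

ALERT_LOG="${ALERT_LOG:-/opt/sgav/log/infections.log}"
ADMIN_MAIL="${ADMIN_MAIL:-admin@example.invalid}"   # placeholder address

# Build one tab-separated record: timestamp, host, path, directory-entry metadata.
format_record() {
    ts="$1"; host="$2"; path="$3"
    if [ -e "$path" ]; then
        meta=$(ls -ld "$path")   # owner, mode, size, mtime; file contents are never read
    else
        meta="gone"              # avscan already cleaned, deleted or quarantined it
    fi
    printf '%s\t%s\t%s\t%s' "$ts" "$host" "$path" "$meta"
}

handle_infection() {
    path="$1"
    rec=$(format_record "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname)" "$path")
    printf '%s\n' "$rec" >> "$ALERT_LOG"
    logger -p user.crit -t avscan-cmd "infection reported: $path"
    # Placeholder alert: swap for your mail, ticketing or SIEM forwarding command.
    printf 'Powertech Antivirus reported an infection:\n%s\n' "$rec" \
        | mail -s "avscan infection on $(hostname)" "$ADMIN_MAIL" 2>/dev/null || true
}

# Only act when avscan actually passed a file name.
if [ $# -ge 1 ]; then
    handle_infection "$1"
fi
```

Install it with execute permission and point avscan at it with --cmd "/opt/sgav/handler.sh".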

--notify <"notifiers">

Notifies the notifiers in the comma-separated list; each must be defined in the [notify] section of config.ini. This list overrides the list defined by the config.ini avscan:notify parameter. See Notification Support.

--loglevel <level>

Specifies the number of directory levels that will be printed in the output listing. The default is 99.

--version

Prints the program version and build information, then exits.

Examples

avscan

Scans all files in the current directory.

avscan -r

Scans all files in the current directory and all sub-directories.

avscan -r / --clean --quar 

Scans all files on the system and if an infection is found, the file is cleaned. If cleaning fails, the file is moved to the /Quarantine directory.

avscan -r / --clean --quar > avscan.out

Scans all files on the system and if an infection is found, the file is cleaned. If cleaning fails, the file is moved to the /Quarantine directory. Sends all output to the avscan.out file in the home or current directory.

If the output file cannot be found, try the default path name: /opt/sgav/avscan.log.

Notes

If the avscan command cannot be found, try the default path name: /opt/sgav/avscan.

To schedule a scan using cron, run command crontab -e to edit the crontab file using the vi editor. Position the cursor to the end and type i to insert a line. Type the following line to schedule the job to run every day at 1am. This example will scan the home directories and time out after 4 hours:

# every day at 01:00: scan the home directories, 4-hour (14400 s) timeout
0 1 * * * /opt/sgav/avscan -r /home --timeout 14400 --clean --quar > /opt/sgav/log/avscan.out

To see the cron log, run tail /var/adm/cron/log on AIX or tail /var/log/syslog on Linux. For more information about scheduling using cron, run man crontab.

Exit status

This command returns the following exit values:

0 Process completed successfully. No virus(es) detected.

1 Process completed, but one or more files were not scanned due to an error.

2 Timeout reached (--timeout parameter).

3 One or more virus infections were found.
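An added example, not part of the product, of a cron wrapper that uses the exit values above: it runs the full scan with the exclusions and low priority recommended on this page and a four-hour timeout, then maps the return code to an alert severity. The /opt/sgav paths, the wrapper file name and the alert step are assumptions.

```shell
#!/bin/sh
# Added example, not Powertech's own code: a cron wrapper that runs a full scan
# and acts on the documented avscan exit status.
# Assumptions: avscan lives at /opt/sgav/avscan (override with AVSCAN),
# /opt/sgav/log exists, and the alert step is a placeholder for your own command.

AVSCAN="${AVSCAN:-/opt/sgav/avscan}"
LOGDIR="${LOGDIR:-/opt/sgav/log}"

# Map the documented exit values to a status word.
avscan_status() {
    case "$1" in
        0) echo "clean" ;;        # no virus detected
        1) echo "incomplete" ;;   # one or more files not scanned due to an error
        2) echo "timeout" ;;      # --timeout reached before the scan finished
        3) echo "infected" ;;     # one or more infections found
        *) echo "unknown" ;;
    esac
}

# Severity for alerting: 0 = nothing to do, 1 = warn (coverage gap), 2 = infection.
avscan_severity() {
    case "$(avscan_status "$1")" in
        clean) echo 0 ;;
        incomplete|timeout) echo 1 ;;
        infected) echo 2 ;;
        *) echo 1 ;;
    esac
}

# Full scan at lowest priority, skipping pseudo file systems, 4-hour limit, CPU yield.
run_full_scan() {
    log="$LOGDIR/avscan-$(date +%Y%m%d).out"
    rc=0
    nice -n 19 "$AVSCAN" -r / --exclude /proc:/dev:/sys --timeout 14400 \
        --delay 1000 --clean --quar --quiet > "$log" || rc=$?
    status=$(avscan_status "$rc")
    logger -t avscan "scan finished rc=$rc status=$status log=$log"
    if [ "$(avscan_severity "$rc")" -ge 1 ]; then
        # Placeholder: replace with your mail, ticketing or SIEM forwarding command.
        logger -p user.crit -t avscan "ATTENTION: status=$status, review $log"
    fi
    return "$rc"
}

# Run from cron as: 0 1 * * * /opt/sgav/avscan-wrapper.sh run
if [ "${1:-}" = "run" ]; then
    run_full_scan
fi
```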

Performance Considerations

On-Demand scanning of the entire file system can be a very long running, CPU-intensive process. The time required to complete a full scan depends upon several factors, including the speed of the processor, the contention of CPU resources with other jobs, and the number and types of files to scan.

At the expense of scanning time, the impact of the on-demand scan on other jobs in the system can be lessened by the following:

  • Use of nice(1) to downgrade the scheduling priority of the task
  • Use of the --delay option to yield CPU time at regular intervals

Troubleshooting

If a virus was not detected in a particular file, verify your virus definitions ‘know’ about the suspected virus. Check the McAfee virus information library at https://home.mcafee.com/virusinfo.

Recommendations

  • Schedule scan tasks to run during off-peak hours.
  • If you are not using on-access scanning, then run a full scan once per day if possible.
  • Virus definitions are released daily. Be sure to keep the database up to date using the avupdate tool.
  • Exclude /proc, /dev, /sys and optical media mount paths from your scan using the --exclude option.
  • Enable on-access scanning to reduce or eliminate the need for on-demand scanning.
  • Review the scan reports to understand the length of time to scan specific directories.

Copyright © HelpSystems, LLC.
All trademarks and registered trademarks are the property of their respective owners.