avscan command

Syntax

avscan [ -r ] [ --ignorelinks | --noignorelinks ] [ --noheuristics ] [ --nomacros ] [ --pup ] [ --mime ] [ --arc | --noarc ] [ --exeonly ] [ --exclude file(s):directory(ies) ] [ --maxwait seconds ] [ --timeout seconds ] [ --delay microseconds ] [ --clean ] [ --quar ] [ --cmd "command-string" ] [ --notify "notifiers" ] [ --loglevel level ] [ --quiet ] [ --version ] [ --help ] file1:file2:dir1:dir2 ...

Description

The avscan command scans the specified files and/or directories for viruses and malicious code.

When an infection is found, avscan prints a message to the output stream and leaves the infected file unchanged. To have the command clean or quarantine infected files, specify --clean, --quar, or both. Note that with --clean alone, a file that cannot be cleaned is deleted; add --quar to have such files moved to the quarantine directory instead.

If you specify the -r flag, the avscan command descends the specified directories recursively. If no file or directory is specified, the avscan command scans the current directory without descending subdirectories. For example:

./avscan

scans only the current directory. To scan a specific file or directory recursively, use the following:

./avscan -r /home/testuser

You can use shell wildcards in file names; the shell expands them before avscan runs:

./avscan /home/usr*

To send the output stream to a log file, use the redirection symbol:

./avscan > mylog.txt

Options

-r

Descends directories recursively.

--ignorelinks

Ignore all symbolic links that are found during the scan. This is the default behavior. This option is here for reasons of backwards compatibility.

--noignorelinks

Follow all symbolic links found during the scan. Note that following links can take the scan outside the specified tree (for example into /proc or /dev, which are normally excluded) and can revisit the same files through link loops, so use this option only when the target tree is trusted.

--noheuristics

Do not use heuristic analysis when scanning files. The scanning engine normally employs heuristic technology to detect new viruses in executable files in addition to its normal signature scanning. Without heuristics, the engine can only find viruses that are already known. Heuristic analysis slows scanning and makes the engine more aggressive, so suspicious but legitimate files are more likely to be flagged. The default is to use heuristics, so --noheuristics turns this feature off.

--nomacros

Do not scan compound documents for macro viruses. This analysis is similar to heuristics but looks for new viruses in compound document formats; for example Microsoft OLE formats such as Word documents. The default is to scan for macro viruses, so --nomacros turns this feature off.

--pup

Detect potentially unwanted programs. Some widely available applications, such as password crackers or remote-access utilities can be used maliciously or can pose a security threat. If you set this parameter, the product scans for such files.

Default is to *not* scan for Potentially Unwanted Programs, so --pup will turn this feature on.

--mime

Scan for viruses in MIME-encoded files, UU-encoded files, XX-encoded files and BinHex files, and files in TNEF and IMC formats. This parameter reduces scanning performance. Default is to not scan these types of files so --mime will turn this feature on.

--arc

Scan within archives (.zip, .jar, .rar, etc). Many archive files (especially jar files) can drastically increase scanning time. You may want to scan archives on a weekly basis, for example. The default is not to scan within archives.

--noarc

Do not scan within archives (.zip, .jar, .rar, etc). This is the default behaviour. This option is here for reasons of backwards compatibility.

--exeonly

Do not scan non-executable files (.txt, etc). Default is to scan all files (recommended), so --exeonly will scan executable files only.

--exclude <file1:file2:directory1:directory2:...>

Excludes the specified files and/or directories from scanning. If your exclude string contains wildcard characters you need to surround the string in quotes (i.e. --exclude "/excluded-file*")

EXAMPLE:

avscan --exclude /home/usr1:/home/usr2

will exclude both the /home/usr1 and /home/usr2 directories.

--maxwait <seconds>

Specifies the maximum number of seconds to spend scanning any one file. When the limit is reached, the product assumes the file is OK and proceeds to the next file; such a file has not been fully examined, so a low value trades coverage for speed. It can be an integer value between 0 and 99999. The default is 300 seconds. A value of 0 disables the feature (files are scanned completely).

--timeout <seconds>

Specifies the maximum number of seconds the avscan command will execute before returning. After the number of seconds has elapsed, the command will end without scanning any remaining file(s). The return code will indicate a timeout has occurred.

It can be an integer value between 0 and 999999. The default value of 0 disables the timeout.

--delay <microseconds>

The amount of time in microseconds the scanner should pause with each progress beat from a scanning operation. This can be used as a simple CPU limiting technique. It can be an integer value between 0 and 999999. The default value of 0 disables the feature.

--clean

Clean infected files by repairing the infection. Please note most infections cannot be cleaned.

WARNING: If the file cannot be cleaned it will be deleted (unless the --quar option is specified).

--quar

Quarantine the infected files by moving them to the /Quarantined directory. When --quar and --clean are both specified, the product attempts to clean the file first, and if unsuccessful moves the file to the quarantine directory. If neither --clean nor --quar is specified, no action is taken on infected files. This is the default.

--cmd <"command string">

Runs the specified command string when an infection is found, passing the infected file's name as a parameter. This allows a user-written script to perform actions such as alerting an administrator. Please note that the file is a live infected file and the script should in no way attempt to read it; the intention is to let you process the file name, for example to notify an administrator. If the file still exists after the command returns, it is deleted.
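As an added example (not part of the avscan documentation or the product), the following POSIX shell script is a hypothetical --cmd handler. The script name /opt/sgav/bin/on-infection.sh, the log location /opt/sgav/log/infections.log (overridable through ALERT_LOG) and the use of logger(1) for syslog are all assumptions. It records the path it was handed without ever opening the file, and strips CR/LF from the name so that a crafted filename cannot forge an extra log record.

```shell
#!/bin/sh
# on-infection.sh (hypothetical name): handler for
#   avscan --cmd "/opt/sgav/bin/on-infection.sh"
# avscan runs it as:  on-infection.sh <infected-file>
# The argument is a live infected file. Never cat, copy, hash, or execute it
# here; only its path and inode metadata are handled.

ALERT_LOG="${ALERT_LOG:-/opt/sgav/log/infections.log}"   # assumed location

# record_infection PATH
# Appends one timestamped line to ALERT_LOG. CR/LF are removed from the path
# so a hostile filename cannot inject a second, fake record into the log.
record_infection() {
    f=$1
    # metadata only (mode, owner, size, mtime); ls -ld does not read the content
    meta=$(ls -ld -- "$f" 2>/dev/null | tr -d '\n')
    safe=$(printf '%s' "$f" | tr -d '\n\r')
    printf '%s host=%s file="%s" meta="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$safe" "$meta" >> "$ALERT_LOG"
}

# notify_admin PATH
# Raises a syslog alert at auth.crit so a SIEM or pager can pick it up.
# Always returns 0 so a missing logger does not disturb the avscan run.
notify_admin() {
    if command -v logger >/dev/null 2>&1; then
        logger -t avscan -p auth.crit "infected file on $(uname -n): $1" || true
    fi
    return 0
}

# avscan passes exactly one argument: the infected file's path.
if [ "$#" -ge 1 ]; then
    record_infection "$1"
    notify_admin "$1"
    exit 0
fi
```

A typical invocation would be avscan -r /home --quar --cmd "/opt/sgav/bin/on-infection.sh". Pair --cmd with --quar when the file must be preserved as evidence: without it the file is deleted as soon as the handler returns, and the log line above is all that remains.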

--notify <"notifiers">

Notify those notifiers in the comma separated list which are defined in the [notify] section of config.ini. This list will override the list defined by the config.ini avscan:notify parameter. Note that notify names should be lowercase.

See Notification Support.

--loglevel <level>

Specifies the number of directory levels that will be printed in the output listing. The default is 99.

--quiet

Prints minimal information to the output stream, useful for parsing the output file.

--version

Prints the program version and build information, then exits.

--help

Prints a usage summary, then exits.

Examples

avscan

Scans all files in the current directory.

avscan -r / 

Scans all files on the system, starting at the root directory and descending into all sub-directories.

avscan -r / --clean --quar 

Scans all files on the system and if an infection is found, the file is cleaned. If cleaning fails, the file is moved to the /Quarantine directory.

avscan -r / --clean --quar > avscan.out

Scans all files on the system and if an infection is found, the file is cleaned. If cleaning fails, the file is moved to the /Quarantine directory. Sends all output to the avscan.out file in the current directory (append 2>&1 to capture error messages in the same file).

Notes

If the avscan command is not found on your PATH, use the full path name: /opt/sgav/avscan.

To schedule a scan using cron, run crontab -e to edit the crontab file with the vi editor. Move the cursor to the end of the file and type o to open a new line. Enter the following line to schedule the job to run every day at 1am. This example scans the home directories and times out after 4 hours (14400 seconds):

0 1 * * * /opt/sgav/avscan -r /home --timeout 14400 --clean --quar > /opt/sgav/log/avscan.out

To see the cron log, run tail /var/adm/cron/log or tail /var/log/syslog, depending on your system. For more information about scheduling using cron, run man crontab.

exit status

This command returns the following exit values:

0 Process completed successfully. No virus(es) detected.

1 Process completed, but one or more files were not scanned due to an error.

2 Timeout reached (--timeout parameter).

3 One or more virus infections were found.

Performance Considerations

On-demand scanning of the entire file system can be a very long running, CPU-intensive process. The time required to complete a full scan depends upon several factors, including the speed of the processor, the contention of CPU resources with other jobs, and the number and types of files to scan.

At the expense of scanning time, the impact of the on-demand scan on other jobs in the system can be lessened by the following:

  • Use of nice(1) to downgrade the scheduling priority of the task
  • Use of the delay option to yield CPU time at regular intervals

Troubleshooting

If a virus was not detected in a particular file, verify your virus definitions ‘know’ about the suspected virus. Check the McAfee virus information library at https://home.mcafee.com/virusinfo.

Recommendations

  • Schedule scan tasks to run during off-peak hours.
  • If you are not using on-access scanning, then run a full scan once per day if possible.
  • Virus definitions are released daily. Be sure to keep the database up to date using the avupdate tool.
  • Exclude /proc, /dev, /sys and optical media mount paths from your scan using the --exclude option.
  • Enable on-access scanning to reduce or eliminate the need for on-demand scanning.
  • Review the scan reports to understand the length of time to scan specific directories.
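The following wrapper is an added example, not a script shipped with avscan. It ties together the exit status table, the cron scheduling note, and the performance and exclusion recommendations above: the scan runs under nice(1) with --delay, skips the pseudo-filesystems listed in the recommendations, and translates avscan's exit code into a state that cron or a monitoring agent can act on. The script name /opt/sgav/bin/nightly-scan.sh, the log directory /opt/sgav/log, the 4-hour timeout and the optical media path /media/cdrom are assumptions.

```shell
#!/bin/sh
# nightly-scan.sh (hypothetical name): cron wrapper around a full recursive avscan.
# Assumptions, not avscan defaults: the binary lives at /opt/sgav/avscan, logs go
# to /opt/sgav/log, and optical media is mounted under /media/cdrom.

AVSCAN="${AVSCAN:-/opt/sgav/avscan}"
LOGDIR="${LOGDIR:-/opt/sgav/log}"
TIMEOUT="${TIMEOUT:-14400}"                 # 4 hours, in seconds (--timeout)
EXCLUDES="/proc:/dev:/sys:/media/cdrom"     # pseudo-filesystems and optical media

# classify_exit CODE
# Maps avscan's documented exit status (0-3) to a word that the rest of the
# script, or a monitoring agent reading the log, can act on.
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo incomplete ;;   # some files were not scanned because of errors
        2) echo timeout ;;      # --timeout expired; remaining files were skipped
        3) echo infected ;;
        *) echo unknown ;;      # killed by a signal, binary missing, etc.
    esac
}

# run_scan ROOT
# Recursive, CPU-throttled scan of ROOT: nice(1) lowers the priority, --delay
# yields the CPU on every progress beat, and EXCLUDES are skipped. stdout and
# stderr both land in a timestamped log. Returns avscan's exit code unchanged.
run_scan() {
    root=$1
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    nice -n 19 "$AVSCAN" -r "$root" \
        --exclude "$EXCLUDES" \
        --delay 1000 \
        --timeout "$TIMEOUT" \
        --clean --quar \
        > "$LOGDIR/avscan-$ts.out" 2>&1
}

# Run only when a scan root is given, so the functions can be sourced or tested alone.
if [ "$#" -ge 1 ]; then
    if run_scan "$1"; then rc=0; else rc=$?; fi
    state=$(classify_exit "$rc")
    if [ "$state" != clean ] && command -v logger >/dev/null 2>&1; then
        logger -t avscan -p auth.warning "scan of $1 finished: $state (exit $rc)"
    fi
    exit "$rc"      # cron/monitoring sees the original code: 3 means infections found
fi
```

A crontab line such as 0 1 * * * /opt/sgav/bin/nightly-scan.sh / runs it every day at 1am. Treat a timeout (exit 2) as a coverage failure rather than a clean result, since the files after the cut-off were never examined, and investigate exit 1 runs, because an unreadable file is exactly where an attacker would hide.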