AMS 2.61 and AV scanning detects scanning failure

[Pugglewuggle]

Hi,

I just upgraded a test installation of our email server to ESET NOD32 Antivirus 3.0 today from 2.7.

When I click test antivirus scanner, I get a message that says it failed. I know it worked because of the return code of the AV app.

I basically converted the command line options for 2.7 to the new CLI commands for 3.0 using information found in the whitepapers.

Here is what was previously used in 2.7:

nod32.exe "%s" /selfcheck- /sound- /quit+ /scanmbr- /scanmem- /scanboot- /arch+ /pack+ /sfx+ /mailbox+ /all

Here is what I'm now using in 3.0

ecls.exe "%s" /files /no-boots /arch /rtp /sfx /mail /pattern /heur /adv-heur

Please note that NOD32 v. 3.0 has different executables - one for the GUI and one designed solely for CLI interaction. ECLS.exe is the command line version.


If you can test this and see what exactly is going on, that would be great.


Here are the command line instructions for version 3.0:

Options

/base-dir=directory path to load modules from
/quar-dir=directory path to use for quarantining files
/exclude=directory path to exclude from being scanned
/subdir scan subdirectories (default)
/no-subdir do not scan subdirectories
/max-subdir-level=number maximum number of subdirectories to scan recursively (by default, 0, which is unlimited)
/symlink follow symbolic links (default)
/no-symlink skip symbolic links
/log-file=file log output to file
/log-rewrite overwrite output file (default - append)
/log-all also log clean files
/no-log-all do not log clean files (default)
/aind show activity indicator
/auto scan and automatically clean all local disks
Scanner options
/files scan files (default)
/no-files do not scan files
/boots scan boot sectors (default)
/no-boots do not scan boot sectors
/arch scan archives (default)
/no-arch do not scan archives
/max-archive-level=number maximum number of archives to scan recursively (by default, 0, which is unlimited)
/scan-timeout=number maximum amount of time in seconds to scan an archive file
/max-arch-size=number maximum number of bytes to scan inside an archive file(by default, 0, which is unlimited)
/mail scan email files
/no-mail do not scan email files
/sfx scan self-extracting archive files
/no-sfx do not scan self-extracting archive files
/rtp scan runtime packed files
/no-rtp do not scan runtime packed files
/adware scan for Adware/Spyware/Riskware
/no-adware do not scan for Adware/Spyware/Riskware
/unsafe scan for potentially unsafe applications
/no-unsafe do not scan for potentially unsafe applications
/unwanted scan for potentially unwanted applications
/no-unwanted do not scan for potentially unwanted applications
/pattern use signatures
/no-pattern do not use signatures
/heur enable heuristics
/no-heur disable heuristics
/adv-heur enable Advanced heuristics
/no-adv-heur disable Advanced heuristics
/ext=extension scan only files ending in extension (use a colon character (":") to separate extensions)
/ext-exclude=extension do not scan any files ending in extension (use a colon character (":") to separate extensions)
/action=action performs the specified actions when an infected object is detected. Available actions are none, clean and prompt
/quarantine copy infected files to Quarantine (supplements action)
/no-quarantine do not copy infected files to Quarantine

General options
/help show help and quit
/version show version information and quit
Exit codes:
0 no threat found
1 threat found but not cleaned
10 some infected files were not cleaned
101 archive error
102 access error
103 internal error
Exit codes greater than 100 mean that the file was not scanned and thus can be infected.

Here are the command line instructions for version 2.7:

The parameters and their effects:
Many parameters are enabled or disabled with a plus(+) or minus (-) sign. For example, to enable the scanner self-check use “/selfcheck+” , to disable it, use “/selfcheck-”.

General
• /help Display the list of program switches
• /selfcheck+ (-) Self-test enable (disable)
• /expire+ (-) Enable (disable) the program expiration notice
• /subdir+ (-) Enable (disable) the sub-directories scanning
• /sound+ (-) Sound warning enable (disable)
• /list+ Create the list of all tested objects in the Log
• /list- Include in the Log only the objects infected
• /break+ (-) Enable (disable) testing intermission
• /scroll+ (-) Enable (disable) Log scrolling
• /quit+ (-) Quit/do not quit the program after scanning
Detection
• /pattern+ (-) Enable (disable) testing using virus signatures
• /heur+ (-) Enable (disable) heuristic analysis
• /scanfile+ (-) Enable (disable) scanning of files
• /scanboot+ (-) Enable (disable) boot sector scanning
• /scanmbr+ (-) Enable (disable) master boot record (MBR) scanning
• /scanmem+ (-) Enable (disable) scanning memory
• /arch+ (-) Enable (disable) scanning archives (ZIP, ARJ, RAR, etc.)
• /sfx + (-) Enable (disable) scanning self-extracting archives
• /pack+ (-) Enable (disable) scanning runtime-packed files internally
• /mailbox+ (-) Enable (disable) scanning mailboxes
• /ntfs+ (-) Enable (disable) scanning NTFS streams
• /adware Enable detection of adware, spyware and riskware
• /unsafe Enable detection of potentially unsafe applications
• /unwanted Enable detection of potentially unwanted applications
• /local Scan all local non-removable media
• /network Scan all network disks
• /ext=<LIST> Add a new extension to the list of scanned files. (multiple entries are permitted, e.g., /ext=EXT1,EXT2)
• /all Scan all files
• /antistealth+ (-) Enable the Anti-Stealth technology against active rootkits
Heuristic analysis
• /ah Enable advanced heuristics
• /heur+ (-) Enable (disable) standard heuristics
Log
• /log+ (-) Enable (disable) log file creation
• /wrap+ (-) Enable (disable) wrapping text in log
• /logappend Enable (disable) appending to log file
• /logrewrite Enable rewriting of the Log file
• /logsize=N Set Log file to a maximum size of N KB)
• /log=<FILENAME> Set the Log file name (e.g.: /log=NOD.LOG)
Cleaning
• /cleanmode Enables cleaning mode (the actions taken will depend on the action settings)
• /clean Clean infected objects (if applicable)
• /prompt Prompt for an action when a virus is detected
• /rename Rename infected files
• /delete Delete infected files
• /quarantine Copy infected file to quarantine before taking further action (clean/delete)
Note: If the switches: /prompt, /rename, /delete/ or /replace are used concurrently with the /clean switch, the corresponding action will be carried out only if the threat cannot be cleaned. The further a parameter is listed, the higher priority it has. For instance, using the "/clean /delete /prompt " parameters will result in that the "/prompt " parameter will supersede the "/clean /delete" parameters.

[Pugglewuggle]

Okay, after a few hours, I figured it out!

The executable has to be the ecls.exe (and it's path) as before mentioned.

But (here's the trick) the parameters have to have the correct path where the NOD32 modules reside specified, like this (note the base-dir switch):

"%s" /base-dir="C:\Program Files\ESET\ESET NOD32 Antivirus" /files /no-boots /arch /rtp /sfx /mail /adware /unsafe /unwanted /pattern /heur /adv-heur /action=clean

on an x64 system, the bas-dir switch path might have to be adjusted... it really depends on how your Windows installation is and how it's configured.

Although I'm a big fan of ESET, whoever's idea it was to NOT automatically load the modules should be fired. TERRIBLE design.

At any rate, there it is! All fixed!

***NOTE*** : depending on which action is required, the /action=x switch might need to be adjusted for your server.

[Code Crafters]

Thanks for the information on this. Obviously, antivirus software have new versions released all the time and the parameters can change which is why we warn that our settings are only a guide to what worked and what we recommend as appropriate options for the version we used. I have made a note for the latest version to be downloaded and these parameters updated in a future update. I have referred to your forum post here for when that is updated.