vfind(1) CyberSoft VFind Security Toolkit vfind(1)

NAME

vfind - Heterogeneous Antivirus Tool

SYNOPSIS

vfind [-c, --copyright] [-h, -?, --help] [-v, --version]
vfind [-d, --dup-check] [-e, --exit-on-error] [--emu=options]
      [--emu-config=file] [--end] [-i, --ignore-eof] [--jadevdl=file]
      [--liboff=library] [--libon=library] [--noload=virus]
      [--noloads=file] [--notell=virus] [--notells=file] [-p, --per-file]
      [--pid] [--quiet=num] [--quit] [--rcf=file] [--speed=num]
      [-ssr, --smartscan-read] [-sst, --smartscan-types] [--stdin]
      [-u, --unbuf] [--vdl=file] [--vdl0=file] [--vdlc=file]
      [--vdle=file] [--vdlE=file] [--vexit] [--vlist] [--#=num]
      [--] [filenames...]
lvfind [--lock=file] [lcount_max] [vfind options...]
Lvfind [--lock=file] [lcount_max [Lsleep]]

DESCRIPTION

VFind is a heterogeneous virus scanner that simultaneously scans for UNIX, Amiga, Macintosh, Windows 95/98/Me/NT/2000 and XP, and DOS viruses, including Denial of Service attacks, Back Door attacks, hostile Java Applications and Applets, OLE/VB5 Macro viruses, and common hacks.

OPTIONS

-c, --copyright
Display copyright information and then exit. All other options will be ignored.

-h, -?, --help
Display usage message and then exit. All other options will be ignored.

-v, --version
Display version information and then exit. All other options will be ignored.

-d, --dup-check
Tells vfind to check for duplicate VDL names and definitions, and other potential problems. With this option enabled, duplicates will be reported as parser errors. Also, any VDL segment which starts with an offset range or .* operator will be reported as a parser error. An offset at the beginning of a VDL segment is allowed by the CVDL syntax, but does not make sense to use, and may cause the VDL to run very slow.

-e, --exit-on-error
Tells vfind to exit immediately after encountering any kind of error or warning condition. Normally, vfind prints a warning message and attempts to continue processing after encountering a non-fatal error, such as a syntax error in a VDL description.

--emu=options
Set options for polymorphic virus emulation. This option is still under development and its usage will be documented further in a future release.

--emu-config=file
Specify emulation configuration file. This option is still under development and its usage will be documented further in a future release.

--end
Used to exit vfind while in Interactive mode.

-i, --ignore-eof
Tells vfind to ignore end-of-file and keep trying to read input files names or SmartScan input. --end and --quit may still be used to exit Interactive mode.

--jadevdl=file
Tells vfind to load additional virus signatures from file. File contains VDL models for hostile java applets and applications.

--libon=library, --liboff=library
Turn the named library on or off. vfind will list the available libraries upon startup. The Amiga and eicar libraries are turned off by default. Use --libon='*' to turn on all libraries.

--noload=virus
This option provides a way to disable loading of individual VDLs. This may be useful if your site gets a lot of false positives for some particular virus due to the type of data you have. Virus is the name of the virus as it appears in the VDL file, for example: --noload="W95/Sircam.Worm"

--noloads=file
This provides a way to specify multiple noload parameters in a file. File is a file that contains valid virus parameters as described in the noload option. For each line of the file, leading and trailing whitespace is stripped, then lines which are empty or start with '#' (i.e. comments) are skipped.

--notell=virus
This option provides a way to turn off reporting of individual viruses. This may be useful if your site gets a lot of false positives for some particular virus due to the type of data you have. Virus is the name of the virus as it appears after `VIRUS ID: ' in vfind's output, for example: --notell="CVDL W95/Sircam.Worm"

--notells=file
This provides a way to specify multiple notell parameters in a file. File is a file that contains valid virus parameters as described in the notell option.

-p, --per-file
Per-file: display the count of possible virus infections for each file scanned.

--pid
Print process id to stderr.

--quiet=num
This option provides a way of suppressing some of vfind's verbosity.
--quiet=0
The default behavior.
--quiet=1
Suppresses the "Enter the name of the file to be checked:" prompt and its two trailing newlines.
--quiet=2
Suppresses the "Checking file: filename" line and its two trailing newlines.
Thus, with --quiet=2, you can pipe a list of file names to vfind and there will be no per-file output unless a possible virus is found. There will always, however, be the final report of the number of files scanned and the number of possible infections found.

--quit
Used to exit vfind while in Interactive mode.

--rcf=file
Run Control File. Tells vfind to read additional command-line arguments from file.

--speed=num
This option allows you to control the priority vfind gives to running fast over conflicting concerns.
--speed=0
The minimum speed. Shortest start-up time. Slowest scan speed.
--speed=1
The medium speed. Slightly longer start-up time. Middle scan speed.
--speed=2
The maximum speed. Currently the default speed. Longest start-up time. Fastest scan speed.

-ssr, --smartscan-read
This option will tell vfind to read a SmartScan input stream. There must be a process writing a SmartScan stream to vfind's stdin.

-sst, --smartscan-types
SmartScan Types: Displays file types and any VDL's skipped due to file type restrictions.

--stdin
Use the data on standard input as the file to scan. This will be treated as a file called stdin.

-u, --unbuf
Make SmartScan Read unbuffered. Use of this option may cause a performance penalty, so it should not be used unless your application requires it.

--vdl=file
Tells vfind to read additional virus description codes from file.

--vdl0=file
Tells vfind to read additional speed=0 virus descriptions from file.

With speed>0, most VDL rules are compiled into a parallel search engine, which provides fast scanning but no control over the order in which the VDL patterns are applied. With speed=0, VDL rules are placed in a first-in-last-out queue, so the last rule specified is the first one executed, and speed=0 rules are always executed before the parallel search engine. So the --vdl0 option is useful when you have some set of VDL rules which you want executed in a guaranteed order; this would usually be used in conjunction with the --#=1 option to stop scanning after finding one match.

--vdlc=file
Tells vfind to read additional case-insensitive virus descriptions from file.

Case-insensitive VDL constructs (i.e. ~"..." strings) are not compiled into the regular parallel search engine. But VDL files specified using the --vdlc option are compiled into a separate case-insensitive parallel search engine for faster processing.

--vdle=file
Tells vfind to read additional decrypted polymorphic virus descriptions from file. Used in conjunction with the --emu option. This option is still under development and its usage will be documented further in a future release.

--vdlE=file
Tells vfind to read additional Entry point virus descriptions from file. Used in conjunction with the --emu option. This option is still under development and its usage will be documented further in a future release.

--vexit
This option causes vfind to return a known value on exit. With this option vfind will return 0 if no viruses were detected. In the event that a virus has been detected, vfind will return 23. This functionality is useful when integrating vfind in a script or other program. The return values cannot be changed from the defaults (23 and 0).

--vlist
This option causes vfind to print to stdout a list of all viruses for which it currently scans.

--#=num
Stop scanning a file after finding num viruses, e.g. --#=1 will stop after finding 1 virus. Note that # starts a comment in the Unix Bourne shell, so you may have to specify this option in quotes: '--#=1'

--
End of Options: Signals to vfind that all remaining arguments are to be treated as filenames, even if they start with '-'.

USAGE

LICENSES

VFind requires a LICENSE file to run. This LICENSE file is host specific, therefore vfind will only run on the licensed machine. Additional licenses may be purchased by contacting:
CyberSoft, Inc.
1508 Butler Pike
Conshohocken, PA 19428.
Phone: +1.610.825.4748
Fax: +1.610.825.6785
At start-up, vfind searches for the LICENSE file in these locations:
  • /LICENSE
  • /etc/LICENSE
  • The current working directory.
  • The VSTK library directory configured during installation.

INPUT

VFind can be run in three ways.
  1. Interactive mode: Running vfind without any file arguments (or other input such as SmartScan and stdin) will result in a prompt asking what file to scan. Example:
      vfind
    
  2. Batch mode: vfind can be invoked with a list of files (or other input such as SmartScan or stdin). In this mode, vfind will scan all of the targets and write a report to stdout. This mode is useful when scanning many files or directories. Example:
      vfind *.doc *.exe
    
  3. Automated mode: vfind can be run from a script, batch file, or other application and be scheduled using UNIX cron or a similar program. To run in this mode simply create your vfind command and place it in the appropriate place in your script, batch file, or application. When this mode is invoked, vfind will run un-attended and generate a report to stdout. This report can be redirected to a file, emailed, or otherwise processed. This mode of operation is useful when scanning a large amount of data on a regular basis.

OUTPUT

VFind's output can be very verbose at times. In order to cut down the output we recommend using the choke method.

The choke method is as simple as piping the output from vfind into grep, or a similar tool.

Each line of output from vfind starts with a chevron as follows:

Chevron     Meaning
##==>       Informational Message
##==>>      vfind Warning
##==>>>     Serious vfind Condition
##==>>>>    Possible Virus Detection

Example:
  find / -type f | vfind | grep '##==>>>' > REPORT

The above example would only show serious vfind conditions (three chevrons) and virus detection messages (four chevrons), since the three-chevron pattern also matches the longer prefix.
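The choke method above and the --vexit exit codes from the OPTIONS section are the two things a script needs when it drives vfind. The following is an added example, not part of this man page or of CyberSoft's toolkit: it classifies output lines by chevron, keeps a per-severity count (which a plain grep loses), and maps the --vexit status (0 clean, 23 infected, anything else an error) to a verdict. The chevron prefixes and the two exit codes come from this page; the function names, the sample output lines and the stub scanner process are constructed for illustration.

```python
import subprocess
import sys

# Chevron prefixes documented in the OUTPUT section, longest first so that
# "##==>>>>" is matched before its shorter prefixes.
LEVELS = (
    ("##==>>>>", "detection"),
    ("##==>>>", "serious"),
    ("##==>>", "warning"),
    ("##==>", "info"),
)

# Exit statuses of vfind --vexit; the man page states they cannot be changed.
EXIT_CLEAN = 0
EXIT_INFECTED = 23


def classify_line(line):
    """Return the severity of one vfind output line, or None for lines that
    carry no chevron (prompts, 'Checking file:' chatter, the final report)."""
    for prefix, name in LEVELS:
        if line.startswith(prefix):
            return name
    return None


def summarize(lines):
    """Count output lines per severity and keep the detection lines. This is
    the grep choke with the counts retained, so a script can decide what to
    escalate instead of relying on the three-chevron match alone."""
    counts = {name: 0 for _, name in LEVELS}
    detections = []
    for raw in lines:
        line = raw.rstrip("\n")
        level = classify_line(line)
        if level is None:
            continue
        counts[level] += 1
        if level == "detection":
            detections.append(line)
    return counts, detections


def run_scan(argv):
    """Run a scanner command given as an argv list (in practice
    ['vfind', '--vexit', '--quiet=2', ...]) and map its exit status to a
    verdict. Any status other than 0 or 23 is reported as an error so that
    a scanner that failed to run is never mistaken for a clean result."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode == EXIT_CLEAN:
        verdict = "clean"
    elif proc.returncode == EXIT_INFECTED:
        verdict = "infected"
    else:
        verdict = "error"
    return verdict, proc.stdout.splitlines()


def stub_scanner(exit_code, output=""):
    """Argv for a stand-in process that prints `output` and exits with
    `exit_code`; lets the wrapper be exercised where vfind is not installed."""
    code = f"import sys; sys.stdout.write({output!r}); raise SystemExit({exit_code})"
    return [sys.executable, "-c", code]


if __name__ == "__main__":
    # Constructed sample output in the documented chevron format; not a
    # capture from a real vfind run. The virus name is the one the man page
    # uses in its --notell example.
    sample = (
        "##==> VFind: loading VDL files\n"
        "Checking file: /srv/mail/incoming/msg-001\n"
        "##==>>>> VIRUS ID: CVDL W95/Sircam.Worm\n"
        "##==>> Warning: unreadable file /srv/mail/incoming/msg-002\n"
    )
    verdict, lines = run_scan(stub_scanner(EXIT_INFECTED, sample))
    counts, detections = summarize(lines)
    print(verdict, counts)
    for line in detections:
        print(line)
```

To use it against a real installation, replace the stub argv with the vfind command line, for example run_scan(['vfind', '--vexit', '--quiet=2', '--', path]); the verdict and the detection lines can then be written to the REPORT file or handed to a mail filter.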

SMARTSCAN

VFind is a SmartScan compliant tool. Specifying the -ssr option to vfind will cause vfind to read a SmartScan stream from stdin. For example:

  find /export/home -type f -print | uad -s -ssw | \
    vfind -ssr > REPORT

SPEED

Why would you ever want to use less than the maximum speed? Most users will never have to worry about this; however, here are a couple of reasons someone might.

One reason is that there is a space/speed trade-off. With --speed=2, vfind typically takes about 8 Megabytes of dynamic space to run. If this is prohibitive on your machine (i.e., vfind can't run or there is excessive paging), try --speed=1.

Another reason involves the trade-off between start-up time and marginal scan time. With --speed=2 there is a substantial start-up time as vfind initializes various internal structures. This might be on the order of, e.g., a second. When scanning a single small file, this might be a waste of time.

On the other hand, --speed=2 provides the fastest marginal scan time, that is, the time needed to scan each extra byte of data. Thus, when scanning large amounts of data with a single invocation of vfind (such as when handling SmartScan data from uad(1) or handling a large number of file names piped in via standard input), --speed=2 (if you have the space for it) is a good idea despite the start-up time.

LOCKING

VFind includes an internal locking mechanism to facilitate VDL updates. This is useful for systems where vfind processes are started continuously, for example a mail server which runs vfind automatically to process one or more newly arrived mail messages. If updated VDL files were installed at the same time that a vfind process was started, the VDL data read by vfind could be wrong or missing. This problem is avoided by using lvfind and Lvfind links to vfind which use internal locking. A dummy file, $VSTK_HOME/data/LOCK by default, is used for the fcntl() locking. There is also a --lock= command-line option to specify an alternate lock file.

If vfind is invoked using a name starting with 'l', (e.g. an lvfind symlink to vfind), then it attempts to acquire a shared (read-only) lock on the LOCK file. If invoked using a name starting with 'L' (e.g. Lvfind), then it attempts to acquire an exclusive (read-write) lock on the LOCK file.

Shared locks do not interfere with other shared locks, but will fail if there is an existing exclusive lock. An exclusive lock will fail if there are any other locks of either type. Shared locks require only read access to the LOCK file, but an exclusive lock requires read-write access.

lvfind will release the lock only after reading all VDL files, including those from the data/vfind/vdl.list VDL list file plus any others specified using --vdl=, --vdlc=, etc. command-line options.

Lvfind simply waits up to 60 seconds (Lsleep option) and then exits; it does not read any VDL files or scan any input data. It prints the process id to stderr (as though --pid was specified) to facilitate killing it.

The default values for command-line options are equivalent to specifying:

  lvfind 60
  Lvfind 60 60

If locking fails due to interfering locks, it is retried up to 59 more times (lcount_max option), with a 1 second delay between attempts. The locking could fail, for example, if a VDL update process is started while an lvfind process holds a shared lock. If the locking fails due to some reason other than interfering locks, that is a fatal locking error; lvfind will set the vfind error flag, give up on the locking, and continue; Lvfind will just exit.

After 60 failed locking attempts (lcount_max option), lvfind will set the vfind error flag and give up, continuing with the rest of the program; but Lvfind will just exit.
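The shared/exclusive handshake described in this section, as an added Python example (not CyberSoft's code): acquire_lock takes a shared or exclusive fcntl() lock on a dummy LOCK file with the lvfind-style retry loop (lcount_max attempts, a fixed delay between them, a fatal error for anything other than an interfering lock), and hold_exclusive_lock_in_child stands in for the process holding the exclusive side during a VDL update so the refusal can be observed locally. The 60-attempt default, the read versus read-write access requirements and the fatal-error distinction are from this page; the file path, function names and the shortened delays are assumptions.

```python
import errno
import fcntl
import subprocess
import sys
import tempfile
import time


def try_lock(lockfile, exclusive):
    """One non-blocking fcntl() lock attempt on an open file. Returns True
    when the lock is now held, False when another process holds an
    interfering lock, and raises OSError for any other failure (a 'fatal
    locking error' in the man page's terms, e.g. requesting an exclusive
    lock on a file opened read-only)."""
    mode = fcntl.LOCK_EX if exclusive else fcntl.LOCK_SH
    try:
        fcntl.lockf(lockfile, mode | fcntl.LOCK_NB)
        return True
    except OSError as exc:
        if exc.errno in (errno.EAGAIN, errno.EACCES):
            return False
        raise


def acquire_lock(path, exclusive=False, lcount_max=60, delay=1.0):
    """lvfind-style acquisition: a shared lock needs read access, an
    exclusive lock needs read-write access; retry up to lcount_max times
    with `delay` seconds between attempts. Returns the open file that holds
    the lock (close it to release), or None if every attempt was blocked."""
    lockfile = open(path, "r+" if exclusive else "r")
    try:
        for attempt in range(1, lcount_max + 1):
            if try_lock(lockfile, exclusive):
                return lockfile
            if attempt < lcount_max:
                time.sleep(delay)
    except BaseException:
        lockfile.close()
        raise
    lockfile.close()
    return None


# Body of the child process that plays the VDL-update side: take the
# exclusive lock, announce it on stdout, hold it for a while, then exit
# (the kernel drops fcntl() locks when the process exits).
_HOLDER = (
    "import fcntl, sys, time\n"
    "f = open(sys.argv[1], 'r+')\n"
    "fcntl.lockf(f, fcntl.LOCK_EX)\n"
    "print('locked', flush=True)\n"
    "time.sleep(float(sys.argv[2]))\n"
)


def hold_exclusive_lock_in_child(path, seconds):
    """Start a child holding an exclusive lock on `path` for `seconds`.
    Blocks until the child reports that the lock is held, then returns the
    Popen so the caller can wait() for the release."""
    child = subprocess.Popen(
        [sys.executable, "-c", _HOLDER, path, str(seconds)],
        stdout=subprocess.PIPE, text=True,
    )
    child.stdout.readline()
    return child


def make_lock_file():
    """Create an empty dummy lock file (stand-in for $VSTK_HOME/data/LOCK,
    an assumed location for this example) and return its path."""
    with tempfile.NamedTemporaryFile(prefix="LOCK-", delete=False) as tmp:
        return tmp.name


if __name__ == "__main__":
    path = make_lock_file()
    updater = hold_exclusive_lock_in_child(path, 2.0)
    # A scanner starting now must not read the VDLs: its shared lock is refused.
    held = acquire_lock(path, exclusive=False, lcount_max=3, delay=0.1)
    print("shared lock while update runs:", "acquired" if held else "blocked")
    updater.wait()
    held = acquire_lock(path, exclusive=False, lcount_max=3, delay=0.1)
    print("shared lock after update:", "acquired" if held else "blocked")
    if held:
        held.close()
```

The distinction in try_lock matters for the installer side as well as the scanner side: a blocked attempt is a normal condition to retry, whereas EBADF or a permissions failure on the LOCK file means the locking is not protecting anything and should be treated as an error rather than silently retried.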

FILES

LICENSE

SEE ALSO

uad(1), cit(1), thd(1), bhead(1), jdis(1), find(1), dd(1), grep(1)

BUGS

Please report all bugs to support@cyber.com. Make sure to include the version of vfind, the platform and OS, the script or command used, the complete output showing the bug, a short description of the problem, and contact information.

COPYRIGHT

© 1991-2003 by CyberSoft, Inc. All rights reserved.
