OPTIONS

-c, --copyright

Display copyright information and then exit. All other options will be ignored.

-h, -?, --help

Display usage message and then exit. All other options will be ignored.

-v, --version

Display version information and then exit. All other options will be ignored.

--end

Used to exit VFind while in Interactive mode.

--jadevdl=file

Tells VFind to load additional virus signatures from file. File contains vdl models for hostile Java applets and applications.

--lang=langfile

This is used to provide an alternative message catalog file for VFind's output messages and is used for internationalization purposes. Message catalogs for different locales are provided by CyberSoft.

--libon=library, --liboff=library

Turn on/off library. VFind will list the available libraries upon startup. Amiga and eicar libraries are turned off by default.

--notell=virus

This option provides a way to turn off reporting of individual viruses. This may be useful if your site gets a lot of false positives for some particular virus due to the type of data you have. Virus is the name of the virus as it appears after `VIRUS ID: ' in VFind's output.

--notells=file

This provides a way to specify multiple notell parameters in a file. File is a file that contains valid virus parameters as described in the notell option.

-p, --per-file

Per-file: count of number of possible virus infections displayed for each file.

--quiet=num

This command provides a way of suppressing some of VFind's verbosity.

--quiet=0

The default behavior.

--quiet=1

Suppresses the "Enter the name of the file to be checked:" prompt and its two trailing newlines.

--quiet=2

Suppresses the "Checking file: filename" and its two trailing newlines.

Thus, with --quiet=2, you can pipe a list of file names to VFind and there will be no per-file output unless a possible virus is found. There will always, however, be the final report of the number of files scanned and the number of possible infections found.

--quit

Used to exit VFind while in Interactive mode.

--speed=num

This option allows you to control the priority VFind gives to running fast over conflicting concerns.

--speed=0

The minimum speed. Shortest start-up time. Slowest scan speed.

--speed=1

The medium speed. Slightly longer start-up time. Middle scan speed.

--speed=2

The maximum speed. Currently the default speed. Longest start-up time. Fastest scan speed

--stdin

Use the data on standard input as the file to scan. This will be treated as a file called stdin.

-ssr, --smartscan-read

This option will tell VFind to read a SmartScan there must be a process writing a SmartScan stream to VFind's stdin.

-sst, --smartscan-types

SmartScan Types: Displays file types and any VDL's skipped due to file type restrictions.

--sieve=file

Tells VFind to load additional virus signatures from file. File contains virus signatures in the sieve format.

--vexit

This option causes VFind to return a known value on exit. With this option VFind will return 0 if no viruses were detected. In the event that a virus has been detected, VFind will return 23. This functionality is useful when integrating VFind in a script or other program. The return values cannot be changed from the defaults (23 and 0).

-e, --exit-on-error

Tells VFind to exit immediately after encountering any kind of error or warning condition. Normally, VFind prints a warning message and attempts to continue processing after encountering a non-fatal error, such as a syntax error in a VDL description.

--vlist

This option causes VFind to print to stdout a list of all viruses for which it currently scans.

--vdl=file

Tells VFind to read additional virus description codes from file.

--vdl0=file

Tells VFind to read additional speed=0 virus descriptions from file.

With speed>0, most VDL rules are compiled into a parallel search engine, which provides fast scanning but no control over the order in which the VDL patterns are applied. With speed=0, VDL rules are placed in a first-in-last-out queue, so the last rule specified is the first one executed, and speed=0 rules are always executed before the parallel search engine. So the --vdl0 option is useful when you have some set of VDL rules which you want executed in a guaranteed order, and this would usually be used in conjunction with the -#=1 option to stop scanning after finding one match.

--vdlc=file

Tells VFind to read additional case-insensitive virus descriptions from file.

Case-insensitive VDL constructs (i.e. ~"..." strings) are not compiled into the regular parallel search engine. But VDL files specified using the --vdlc option are compiled into a separate case-insensitive parallel search engine for faster processing.

--#=num

Stop scanning a file after finding n viruses, e.g. --#=1 will stop after finding 1 virus. Note that # starts a comment in the Unix Bourne shell, so you may have to specify this option in quotes: '--#=1'

--rcf=file

Run Control File. Tells VFind to read additional command-line arguments from file.

LICENSES

CyberSoft, Inc.
1508 Butler Pike
Conshohocken, PA 19428.
Phone: +1.610.825.4748
Fax: +1.610.825.6785

• /LICENSE
• /etc/LICENSE
• The current working directory.
• The VSTK library directory configured during installation.

INPUT

1. Interactive mode: Running VFind without any file arguments (or other input such as SmartScan and stdin) will result in a prompt asking what file to scan. Example:

     vfind
   

2. Batch mode: VFind can be invoked with a list of files (or other input such as SmartScan or stdin). In this mode, VFind will scan all of the targets and write a report to stdout. This mode is useful when scanning many files or directories. Example:

     vfind *.doc *.exe
   

3. Automated mode: VFind can be run from a script, batch file, or other application and be scheduled using UNIX cron or a similar program. To run in this mode simply create your VFind command and place it in the appropriate place in your script, batch file, or application. When this mode is invoked, VFind will run unattended and generate a report to stdout. This report can be redirected to a file, E-mailed, or otherwise processed. This mode of operation is useful when scanning a large amount of data on a regular basis.

OUTPUT

The choke method is as simple as piping the output from VFind into grep, or a similar tool.

Each line of output from VFind starts with a chevron as follows:

Chevron	Meaning
##==>	Informational Message
##==>>	VFind Warning
##==>>>	Serious VFind Condition
##==>>>>	Possible Virus Detection

Example:

  find / -type f | vfind | grep '##==>>>' > REPORT

The above example would only show errors and virus detection messages.

SMARTSCAN

VFind is a SmartScan compliant tool. Specifying the -ssr option to VFind will cause VFind to read a SmartScan stream from stdin. For example:

  find /export/home -type f -print | uad -s -ssw | \
    vfind -ssr > REPORT

SPEED

One reason is that there is a space/speed trade-off. With --speed=2, VFind typically takes about 8 Megabytes of dynamic space to run. If this is prohibitive on your machine (i.e., VFind can't run or there is excessive paging), try --speed=1.

Another reason involves the trade-off between start-up time and marginal scan time. With --speed=2 there is a substantial start-up time as VFind initializes various internal structures. This might be on the order of, e.g., a second. When scanning a single small file, this might be a waste of time.

On the other hand, --speed=2 provides the fastest marginal scan time, that is, the time needed to scan each extra byte of data. Thus, when scanning large amounts of data with a single invocation of VFind (such as when handling SmartScan data from uad(1) or handling a large number of file names piped in via standard input), --speed=2" (if you have the space for it) is a good idea despite the start-up time.