Manual Reference Pages  - vfindc (1)

NAME

vfindc - Heterogeneous Antivirus Client

CONTENT

Synopsis
Description
     Options
Usage
     Licenses
     Input
     Output
     Custom Messages
     Smartscan
Locking
Restarting
Files
See Also
Bugs
Copyright

SYNOPSIS

vfindc [-c, --copyright]
[-h, --help]
[-v, --version]
[--vlist]
vfindc [-e, --exit-on-error]
[--end]
[--notell=virus]
[--notells=file]
[--noscan=filename]
[--noscans=file]
[--force-scan]
[--recursion-limit=number]
[--follow-symlinks]
[--ignore-symlinks]
[-l, --localhost]
[-p, --per-file]
[--pid]
[--quiet=num]
[--quit]
[--rcf=file]
[--pidfile=file]
[--savepid=file]
[--stdin]
[--uad=opts]
[--server=host[:port]]
[-4, --IPv4]
[-6, --IPv6]
[--vexit]
[--#=num]
[--]
[filenames...]

DESCRIPTION

VFindc is a client that attaches to VFindd and scans for UNIX, Amiga, Macintosh, Windows 95/NT, and DOS viruses, including Denial of Service attacks, Back Door attacks, hostile Java Applications and Applets, OLE/VB5 Macro viruses, and common hacks.

    OPTIONS

-c, --copyright
  Display copyright information and then exit. All other options will be ignored.
-h, --help
  Display usage message and then exit. All other options will be ignored.
-v, --version
  Display version information and then exit. All other options will be ignored.
-e, --exit-on-error
  Tells VFindc to exit immediately after encountering any kind of error or warning condition. Normally, VFindc prints a warning message and attempts to continue processing after encountering a non-fatal error, such as a syntax error in a VDL description.
--end
  Used to exit VFindc while in Interactive mode.
--noscan=filename
  This option provides a way to turn off scanning of particular files or directories. This may be useful when scanning disks containing e.g. quarantined viruses or virus scanner configuration files. If the name contains a '/' (slash) character, it is matched against the full name of the scanning target; otherwise, it is matched only against the final component, after the final slash.
--noscans=file
  This option provides a way to specify multiple noscan parameters in a file. File is a file that contains file or directory names as described in the noscan option.
--notell=virus
  This option provides a way to turn off reporting of individual viruses. This may be useful if your site gets a lot of false positives for some particular virus due to the type of data you have. Virus is the name of the virus as it appears after "VIRUS ID: " in vfindc’s output, for example: --notell="CVDL W32/Sircam.a"
--notells=file
  This option provides a way to specify multiple notell parameters in a file. File is a file that contains valid virus parameters as described in the notell option.
--force-scan
  Force scanning of the compiled VDL data file. This file is normally not scanned, as it would be very slow and produce a large number of false hits. The file is instead protected by a cryptographic checksum; any modifications to the file are reported as hits on the "Forgery.1" virus id.
--recursion-limit=number
  Maximum depth to recursively scan directories, negative for unlimited (the default), or zero to not scan directories at all.
--follow-symlinks
  If this flag is given, VFindc will follow symbolic links pointing to directories; otherwise, such links are ignored. This option should be used with caution, as loops in the directory structure can make VFindc unable to scan all files.
--ignore-symlinks
  If this flag is given, VFindc will not follow symbolic links pointing to regular files; otherwise, such links are followed and the file scanned as usual. Setting this may be useful e.g. to limit scanning to a locally mounted file system.
-l, --localhost
  Assume that the VFind Daemon has access to the same file system as the client. This allows the client to pass files by name to the daemon, rather than copying them over the network, which may affect performance somewhat.
-p, --per-file
  Display the number of possible virus infections for each file.
--pid
  Print process id to stderr. See also --pidfile.
--quiet=num
  This option provides a way of suppressing some of vfindc’s verbosity.

--quiet=0
  The default behavior.

--quiet=1
  Suppresses the "Enter the name of the file to be checked:" prompt and its two trailing newlines.

--quiet=2
  Suppresses the "Checking file: filename" message and its two trailing newlines.

--quiet=3
  Suppresses all per-file output, including virus detections. Available only for applications linked with vfindc as a library using callback functions to handle detections.

Thus, with --quiet=2, you can pipe a list of file names to vfindc and there will be no per-file output unless a possible virus is found. There will always, however, be the final report of the number of files scanned and the number of possible infections found.

--quit
  Used to exit vfindc while in Interactive mode.
--rcf=file
  Run Control File. Tells VFindc to read additional command-line arguments from file.
--pidfile=file
  Save process id to file.
--savepid=file
  This option is available for backwards compatibility only, and is scheduled to be removed in a future release.
--stdin
  Use the data on standard input as the file to scan. This will be treated as a file called "-".
--uad=opts
  Instructs VFindd to run uad as a subprocess with the specified command-line opts which will be passed to uad in addition to -ssw and -s. Thus, uad will read file names from standard input and write smartscan output to VFindd.

Note: uad runs on the server with VFindd, not with the client.

--server=host[:port]
  Connect to the VFind Daemon on the specified host and port. It is possible to use this option more than once, to spread the scanning load over multiple hosts. By default, VFindc connects to the local host on port 8081.
-4, --IPv4
  Connect to the server using internet protocol version 4. If not specified, the client will use both IPv4 and IPv6, if available.
-6, --IPv6
  Connect to the server using internet protocol version 6. If not specified, the client will use both IPv4 and IPv6, if available.
--vexit
  This option causes vfindc to return a known value on exit. With this option vfindc will return 0 if no viruses were detected. In the event that a virus has been detected, vfindc will return 23. This functionality is useful when integrating vfindc in a script or other program. The return values cannot be changed from the defaults (23 and 0).
--vlist
  This option causes vfindc to print to stdout a list of all viruses for which it currently scans.
--#=num
  Stop scanning a file after finding num viruses, e.g. --#=1 will stop after finding 1 virus.

Note that # starts a comment in the Unix Bourne shell, so you may have to specify this option in quotes: '--#=1'

--
  End of Options: Signals to VFindc that all remaining arguments are to be treated as filenames, even if they start with '-'.

USAGE

    LICENSES

VFindc requires a LICENSE file to run. This LICENSE file is host specific, therefore vfindc will only run on the licensed machine. Additional licenses may be purchased by contacting:

CyberSoft, Inc.
1508 Butler Pike
Conshohocken, PA 19428.
Phone: +1.610.825.4748
Fax: +1.610.825.6785

At start-up, vfindc searches for the LICENSE file in these locations:

* /LICENSE
* /etc/LICENSE
* The current working directory.
* The VSTK library directory set at installation.

    INPUT

VFindc can be run in three ways.

1. Interactive mode:
  Running vfindc without any file arguments (or other input such as SmartScan and stdin) will result in a prompt asking what file to scan. Example:

vfindc

2. Batch mode:
  VFindc can be invoked with a list of files (or other input such as SmartScan or stdin). In this mode, vfindc will scan all of the targets and write a report to stdout. This mode is useful when scanning many files or directories. Example:

vfindc *.doc *.exe

3. Automated mode:
  VFindc can be run from a script, batch file, or other application and be scheduled using UNIX cron or a similar program. To run in this mode, create your vfindc command and place it at the appropriate point in your script, batch file, or application. When invoked this way, vfindc runs unattended and writes a report to stdout. This report can be redirected to a file, emailed, or otherwise processed. This mode of operation is useful when scanning a large amount of data on a regular basis.
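
For automated mode, a script can act on the --vexit status described under OPTIONS. The following is an added example, not part of the vfindc distribution; scan_gate, fake_vfindc and SCAN_REPORT are hypothetical names, and treating any status other than 0 or 23 as a failed scan is an assumption of the example.

```sh
#!/bin/sh
# Added example: gate a script on the --vexit status documented above.
# Per the page, --vexit yields 0 (no virus detected) or 23 (virus detected).
# ASSUMPTION: any other status means the scan did not complete, so the
# gate fails closed instead of treating the files as clean.

# scan_gate SCANNER FILE...
# Prints a verdict; returns 0 = clean, 1 = infected, 2 = scan error.
scan_gate() {
    scanner=$1
    shift
    st=0
    # --quiet=2 drops the per-file "Checking file" lines; "--" protects
    # file names that begin with "-". The report is appended to
    # $SCAN_REPORT (hypothetical variable) when it is set.
    "$scanner" --vexit --quiet=2 -- "$@" >>"${SCAN_REPORT:-/dev/null}" 2>&1 || st=$?
    case $st in
        0)  echo clean;    return 0 ;;
        23) echo infected; return 1 ;;
        *)  echo "error (status $st)"; return 2 ;;
    esac
}

# Constructed stand-in for vfindc so the example runs without a daemon:
# it reports a detection when any argument contains the word "infected".
fake_vfindc() {
    for arg in "$@"; do
        case $arg in *infected*) return 23 ;; esac
    done
    return 0
}

# Demo with the stand-in; a real cron job would pass "vfindc" instead.
scan_gate fake_vfindc /tmp/report.doc || true
```

A missing or crashing scanner yields a status other than 0 or 23, so the gate reports an error rather than a clean result.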

    OUTPUT

VFindc’s output can be very verbose at times. In order to cut down the output we recommend using the choke method.

The choke method is as simple as piping the output from vfindc into grep, or a similar tool.

Each line of output from vfindc starts with a chevron as follows:

   Chevron         Meaning
  --------------------------------------
  ##==>       Informational Message
  ##==>>      VFindc Warning
  ##==>>>     Serious VFindc Condition
  ##==>>>>    Possible Virus Detection

Example:
  find / -type f | vfindc | grep '##==>>>' > REPORT

The above example shows only errors and virus detection messages, because the pattern ##==>>> also matches the longer ##==>>>> chevron.
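
Because each chevron is a prefix of the next longer one, a substring grep selects a level and everything above it. The following added example (not part of the vfindc distribution) classifies report lines by exact severity; the function names are hypothetical and the sample report is constructed, with invented message wording.

```sh
#!/bin/sh
# Added example: classify vfindc report lines by chevron severity.

# Constructed sample report; the wording after each chevron is invented
# for illustration and is not real vfindc output.
sample_output() {
    cat <<'EOF'
##==> constructed informational message
##==>> constructed warning message
##==>>> constructed serious condition
##==>>>> VIRUS ID: CVDL W32/Sircam.a
##==>>>> VIRUS ID: Forgery.1
EOF
}

# classify LINE: map a line to its severity. The longest chevron is
# tested first because each shorter chevron is a prefix of the longer ones.
classify() {
    case $1 in
        '##==>>>>'*) echo detection ;;
        '##==>>>'*)  echo serious ;;
        '##==>>'*)   echo warning ;;
        '##==>'*)    echo info ;;
        *)           echo other ;;
    esac
}

# summarize: read a report on stdin and print one count per severity.
summarize() {
    info=0 warning=0 serious=0 detection=0 other=0
    while IFS= read -r line; do
        case $(classify "$line") in
            info)      info=$((info + 1)) ;;
            warning)   warning=$((warning + 1)) ;;
            serious)   serious=$((serious + 1)) ;;
            detection) detection=$((detection + 1)) ;;
            *)         other=$((other + 1)) ;;
        esac
    done
    echo "info=$info warning=$warning serious=$serious detection=$detection other=$other"
}

# only_level N: keep lines whose chevron has exactly N '>' characters,
# which a plain substring grep cannot do.
only_level() {
    grep -E "^##==>{$1}([^>]|\$)"
}

sample_output | summarize
```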

    CUSTOM MESSAGES

The current version of VFindc does not support Custom Messages (see vfind(1)); VFindc output is worded for virus scanning only. Support for custom messages in VFindc may be added in a future release.

    SMARTSCAN

The current version of VFindc does not support SmartScan streams; file typing and extraction using UAD can instead be achieved using the --uad= flag. SmartScan support is planned to be added to VFindc in a future release.

LOCKING

VFindc does not provide any locks against multiple access. To update files while VFindd is scanning them, the files should be copied/untarred first with a different name, and then renamed to their correct name. This will ensure that VFindc cannot read a file before it’s complete.

RESTARTING

VFindc does not support restarting using SIGHUP.

FILES

$VSTK_HOME/LICENSE

SEE ALSO

vfind(1), vfindd(1), uad(1)

BUGS

Please report all bugs to support@cyber.com. Make sure to include the version of vfindc, the platform and OS, the script or command used, the complete output showing the bug, a short description of the problem, and contact information.

COPYRIGHT

Copyright 1991-2005 by CyberSoft, Inc. All rights reserved.


CyberSoft, Inc. vfindc (1) December 2005