Hi MartynK and Mail Enable
Here are the standard settings:
Code:
C:\Program Files\McAfee\scan.exe
"[AGENT]" "[FILENAME]" /ALL /ANALYSE /NOBOOT /NOMEM /UNZIP /SILENT
Which are different from the settings I have to use in order to get anything deleted:
Code:
C:\Program Files\Network Associates\VirusScan\csscan.exe
"[AGENT]" /target "[FILENAME]" /analyse /multiext /allapps /unzip /archive /mime /primary delete
I know that one is not to let the virus scanner do the deleting "on the scene", but instead let it return a code, which the MTA responds to (and does the deleting). But in order to delete any virus files (because the scanner isn't returning any codes other than "0"), I have inserted the "/primary delete" parameter.
The different parameters in McAfee Enterprise 8.0i are:
Code:
C:\Program Files\Network Associates\VirusScan>csscan
Required switches
=================
/TARGET <target> object to scan
target can be
a file or directory name : scan file or directory
MEMORY : scan memory
A, B etc. : scan a bootsector
0, 1 etc. : scan an MBR
EXTLIST : don't scan anything. Print extension lists from DATS.
VIRLIST : don't scan anything. Print viruslist including application catagories.
APPLIST : don't scan anything. Print list of only application detections
Optional switches (Misc)
=========================
/? /HELP Show this text.
/ENGDATS <dir> Directory to find engine & DATS (default : read location from registry)
/PID <productid> Product ID to pass to engine (default : 12013)
Optional switches (Detection)
==============================
/JUSTLISTSTREAMS No scanning, just print names of streams that file contains.
/MANALYSE Turn on macro heuristics (default : OFF)
/PANALYSE Turn on program heuristics (default : OFF)
/ANALYSE Turn on both heuristics (default : OFF)
/MULTIEXT Turn on multiple extension heuristic (default : OFF)
/SERVER Turn on the server switch (default : OFF)
/DEFAULTFILES Scan extensions from the DATS (default : scan all files)
/SPYWARE Detect spyware (default : OFF)
/ADWARE Detect adware (default : OFF)
/REMADMIN Detect remote administration tools (default : OFF)
/DIALERS Detect dialers (default : OFF)
/PWCRACK Detect password crackers (default : OFF)
/JOKES Detect jokes (default : OFF)
/PUA Detect potentially unwanted apps (default : OFF)
/ALLAPPS All the spyware, adware, etc. (default : OFF)
/NEXCLUDE <name,name> Exclude virusnames from detection (default : None)
/DETECT <name,name> Treat filenames as detections (default : None)
"detected as" will be the filename
/APPLYNVP Apply Non-Virus Policy. (default : OFF)
This can be used to read the NVP policy from the registry
instead of specifing /SPYWARE etc, /NEXCLUDE and /DETECT
/UNZIP Scan in archives (default : OFF)
/ARCHIVE Scan in archives (default : OFF)
/NOUNPACK Don't scan in compressed files (default : Scan compressed files)
/MIME Scan in mime files (default : OFF)
/SUB Scan in subdirectories (default : OFF)
/SECURE /ANALYSE /UNZIP /ALLAPPS /SUB
Optional switches (Actions)
============================
/PRIMARY <action> Sets the primary action for viruses (default : CONTINUE)
/SECONDARY <action> Sets the primary action for viruses (default : CONTINUE)
/PRIMARYAPP <action> Sets the primary action for apps (default : CONTINUE)
/SECONDARYAPP <action> Sets the primary action for apps (default : CONTINUE)
<Action> can be CONTINUE
CLEAN (not for secondary)
DELETE
MOVE
PROMPT (for testing, see the /PROMPT switch)
/PROMPT <string> Sets the order in which the
prompt code will return actions (default : "")
Actions are C=Clean, D=Delete, M=Move.
When end of the end of the string or an unrecognised character is reached then continue will be returned
So to simulate a user pressing Clean then, if necessary, Move then Continue do
/ACTION PROMPT /PROMPT CM
/MOVEDIR <dir> Sets the move directory (default : none)
/CLEAN Shortcut for /PRIMARY CLEAN /SECONDARY CONTINUE /PRIMARYAPP CLEAN /SECONDARYAPP CONTINUE
/DELETE Shortcut for /PRIMARY DELETE /SECONDARY CONTINUE /PRIMARYAPP DELETE /SECONDARYAPP CONTINUE
/MOVE Shortcut for /PRIMARY MOVE /SECONDARY CONTINUE /PRIMARYAPP MOVE /SECONDARYAPP CONTINUE
(Still need to do /MOVEDIR)
Optional switches (Output)
===========================
/LOG <filename> Name of file to log to (default : no logging)
/LOUD Show all scan results (default : OFF)
/QUIET No progress display (default : OFF)
/ALERT Alert to ePO and AM (default : OFF)
/EPODIR <dir> For testing : Force creation of
event files to specified directory
even if ePO agent isn't installed (default : none)
/TIMES <filename> Log of time to scan each file/dir (default : none)
C:\Program Files\Network Associates\VirusScan>
I have no folder called "Engine". Take a look:
Code:
C:\Program Files\Network Associates\VirusScan>dir *.
Volume in drive C has no label.
Volume Serial Number is 6408-4AB4
Directory of C:\Program Files\Network Associates\VirusScan
24-05-2005 08:30 <DIR> .
24-05-2005 08:30 <DIR> ..
24-05-2005 08:29 <DIR> MID
24-05-2005 08:30 <DIR> RepairCache
24-05-2005 08:29 <DIR> Res09
0 File(s) 0 bytes
5 Dir(s) 118.897.074.176 bytes free
C:\Program Files\Network Associates\VirusScan>
I just downloaded: "McAfee VirusScan Enterprise 8.0i" at:
Code:
http://www.mcafeesecurity.com/us/downloads/evals/
The MTA is saying the following when I use:
Code:
"[AGENT]" /target "[FILENAME]" /analyse /multiext /allapps /unzip /archive /mime
Debug:
Code:
C:\Program Files\Mail Enable\bin>memta -debug
Debugging MailEnable Mail Transfer Agent.
****************************************************************************
* *
* MailEnable Mail Transfer Agent (Version 1.0.02) *
* Copyright (C) Andrew Sproul, Peter Fregon 2001-2004. *
* *
****************************************************************************
Loaded 5 Filters
Bayesian Filter Loading Library..
Bayesian Filter - Loading Dictionary..
Bayesian Filter - Loading Complete.
Loading Dictionary...
Dictionary Load Status:
Time Taken: 156 milliseconds
Dictionary Size: 31666 tokens
Dictionary Loaded.
Antivirus Loading Library..
05/24/05 09:31:36 Loaded Plug-In Filter [MTAFILTER]
Reading settings for: LS
Reading settings for: POP
Reading settings for: SF
Reading settings for: SMTP
Service Starting
Service Loading Agents
Cleaning Inbound Directory for List Server Connector
Resetting Inbound Messages for List Server Connector
No outgoing message files in queue!
Cleaning Inbound Directory for POP Connector
Initalised MTA Connector Collector Thread for List Server Connector
Resetting Inbound Messages for POP Connector
No outgoing message files in queue!
Cleaning Inbound Directory for SF Connector
Resetting Inbound Messages for SF Connector
No outgoing message files in queue!
Cleaning Inbound Directory for SMTP Connector
Resetting Inbound Messages for SMTP Connector
Initalised MTA Connector Collector Thread for POP Connector
Initalised MTA Connector Collector Thread for SF Connector
No outgoing message files in queue!
Initalised MTA Connector Collector Thread for SMTP Connector
Processing file EA4303918BFB470D97DEF0AA5DCEE1.MAI from queue SMTP
05/24/05 09:31:59 [EA4303918BFB470D97DEF0AA5DCEE1.MAI] from (SMTP) [SMTP:xxxxx@xxxxxx.xxx]->[SF:xxxxx.xxx/xxxx] Mapped Literal
Allocating 5 Results
Processing Message...
Message Size detected as 1858
Attachment (1) Found - Processing
Attachment Processing Completed
Attachment (2) Found - Processing
Attachment Processing Completed
Attachment (3) Found - Processing
Attachment Processing Completed
CommonShell Command Line Scanner
Engine Version : 4400
DAT Version : 4497
Summary :-
FilesFound : 1
FilesScanned : 1
FilesNotScanned : 0
ObjectsFound : 1
ObjectsInfected : 0
ObjectsCleaned : 0
FilesInfected : 0
FilesCleaned : 0
FilesMoved : 0
FilesDeleted : 0
Started at : 09:32:03 24. maj 2005
Ended at : 09:32:04 24. maj 2005
Duration : 0 minutes 0 seconds
Returned 0
CommonShell Command Line Scanner
Engine Version : 4400
DAT Version : 4497
C:\PROGRA~1\MAILEN~1\Scratch\EA4303~1.MAI\2.ATT : contains "Test" called "EICAR test file" (No Action Taken )
C:\PROGRA~1\MAILEN~1\Scratch\EA4303~1.MAI\2.ATT : No action taken
Summary :-
FilesFound : 1
FilesScanned : 1
FilesNotScanned : 0
ObjectsFound : 1
ObjectsInfected : 1
ObjectsCleaned : 0
FilesInfected : 1
FilesCleaned : 0
FilesMoved : 0
FilesDeleted : 0
Started at : 09:32:04 24. maj 2005
Ended at : 09:32:04 24. maj 2005
Duration : 0 minutes 0 seconds
Returned 0
Processing Message Content...
From Found:From: "TESTVIRUS.org" <tester@testvirus.org>
To Found:To: <xxxxxx@xxxxxxxx>
Processing Recipient List of 1 delimiters
Mime Encapsulatation detected
Attachment Found:Content-Type: application/octet-stream; name="eicar.com"
Skipping encoded attachment
Attachment Found:Content-Disposition: attachment; filename="eicar.com"
ProcessFilter:
Releasing 5 Results
ME-MTA-ROUTE [EA4303918BFB470D97DEF0AA5DCEE1.MAI] from [SMTP] Connector queued
to [SF] Connector as [7BD97C4C4F3548DCA5E7529B1B4239.MAI]
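Added example, not part of the original post and not MailEnable or McAfee code: a wrapper that derives an exit code from the scanner's summary counters, since the debug log above shows "Returned 0" even when ObjectsInfected is 1. The exit code values and the idea of registering the wrapper as the scanner command are assumptions; the scanner path and switches are the ones from the post.

```python
import re
import subprocess
import sys

# Scanner path and switches as given in the post (without "/primary delete").
SCANNER = r"C:\Program Files\Network Associates\VirusScan\csscan.exe"
SWITCHES = ["/analyse", "/multiext", "/allapps", "/unzip", "/archive", "/mime"]

# Hypothetical exit codes; map them to whatever the MTA is configured to act on.
CLEAN, INFECTED, SCAN_ERROR = 0, 1, 2

# Excerpt of the scanner summary from the debug log in the post.
SAMPLE_INFECTED = """CommonShell Command Line Scanner
Summary :-
FilesFound : 1
FilesScanned : 1
FilesNotScanned : 0
ObjectsInfected : 1
FilesInfected : 1
"""

COUNTER = re.compile(r"^\s*(\w+)\s*:\s*(\d+)\s*$", re.MULTILINE)

def parse_summary(output):
    """Return the 'Name : number' counters of the scanner summary as a dict."""
    return {name: int(value) for name, value in COUNTER.findall(output)}

def verdict(output):
    """Derive an exit code from the summary, since csscan itself returned 0."""
    counters = parse_summary(output)
    if "ObjectsInfected" not in counters or "FilesInfected" not in counters:
        return SCAN_ERROR  # no summary: fail closed instead of reporting clean
    if counters["ObjectsInfected"] or counters["FilesInfected"]:
        return INFECTED
    if counters.get("FilesNotScanned", 0) or counters.get("FilesScanned", 0) == 0:
        return SCAN_ERROR  # nothing was actually scanned
    return CLEAN

def scan(path):
    """Run the scanner on one file and return the derived exit code."""
    try:
        result = subprocess.run([SCANNER, "/target", path, *SWITCHES],
                                capture_output=True, text=True, timeout=120)
    except (OSError, subprocess.TimeoutExpired):
        return SCAN_ERROR
    return verdict(result.stdout)

if __name__ == "__main__":
    sys.exit(scan(sys.argv[1]) if len(sys.argv) == 2 else SCAN_ERROR)
```

Missing or unparsable scanner output is reported as an error rather than as clean, so a broken scanner path does not silently let attachments through.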