[ Next Article | Previous Article | Book Contents | Library Home | Legal | Search ]
Commands Reference, Volume 6

virscan Command

Purpose

Scans files for viruses.

Syntax

virscan [ -a ] [ -m ] [ -nmut ] [ -q ] [ -qq ] [-sFile ] [ -v ] [ -w"String" ] [ -p [ File ] ] [ -lFile | -tFile | Directory ]

Description

The virscan command is used to detect the presence of computer viruses in a file system. The virscan command scans the directory (and all of its subdirectories) indicated by the Directory variable, if specified.

The virscan command does not attempt to remove viral infections from a system. If the command discovers a virus, seek competent technical assistance to clean up the infection safely and prevent it from spreading to other systems.

The virscan command cannot find virus signatures in files that are compressed or encrypted. This includes files that have been compressed by archiving programs. To scan such files, unpack them first and then scan their constituent files.

On systems with damaged directory trees, the virscan command terminates with an error. Though not caused by the virscan command, this condition will prevent the virscan command from scanning the disk correctly. Run the fsck command to diagnose any error conditions.

The virscan command was originally developed to detect the presence of known computer viruses in MS-DOS or PC-DOS systems. It was adapted for use in an AIX environment, but at this time contains no known AIX virus signatures. The virus signature file contains only known DOS-based virus signatures.

Flags

-a Scans all files on the indicated path. This is useful for cleaning up after a virus infection because absolutely every file on a file system is checked for the presence of viruses. By default, the virscan command only scans executable files.
-h Displays a brief summary of command-line options.
-hh Displays usage examples.
-lFile Scans all files listed in the specified File for viral signatures. The file should contain one file name per line. The files to be scanned may be specified relative to the current directory or may be given full path names.
-m Attempts to detect mutant viruses. With this flag, the virscan command tries to detect larger variations on the viruses listed in the signature files. Virus signatures are broken into random fragments, and the virscan command scans for the fragments as well as for the original signatures. With this flag, the virscan command need not match an entire signature. The number of mismatched bytes allowed is a function of the signature length; the longer the signature, the more mismatched bytes are allowed. There is a small possibility of false alarms if this option is used, since short fragments may be found in files that do not contain viruses. Be prepared to investigate in more detail any reports of signatures found. By default, the virscan command scans for the entire signature string.
-nmut Disables the default mutant detection. This option is useful should you encounter false virus warnings.
-pFile Creates a list of files that tested positive. This is useful if you want to have a list of infected files for use in a cleanup process. If the File variable is not specified, the positive.vir default output file will be created in the current directory. However, the file will not be created unless a virus signature is found.
-q Enables the display of only those messages that are indications that a viral signature has been found, error messages, and warnings that troublesome viruses have been found.
-qq Disables the display of all messages except fatal error messages and warnings that troublesome viruses have been found. The only indication that viral signatures have been found is the error level returned by the virscan command.
-sFile Uses a non-default signature file for this scan. By default, the virscan command uses the signatures in the /usr/lib/security/scan/virsig.lst file and the /usr/lib/security/scan/addenda.lst file (if present) for its scan. However, this flag disables the use of these default signature files and causes the virscan command to use the signature file specified by the File variable. To use a default signature file as well as a user-defined signature file, the default signature file must be separately and explicitly specified with the -s flag.
-tFile Scans only the specified file for viral signatures.
-v Causes the virscan command to display both a list of files as they are scanned and a hexadecimal display of any virus signatures found. If a scan terminates early due to an error, this flag can be used to help diagnose the problem.
-w"String" Causes the virscan command to scan files that match the specified String wildcard file name. By default, the virscan command only scans executable files. This flag is used to force scanning of arbitrary files.
? Displays a brief summary of command-line options.
?? Displays usage examples.

Error Codes

The virscan command sets the error level upon exit to one of the following:

0 No virus signatures were found and no other fatal errors occurred.
1 No virus signatures were found, but the program terminated with an error before the scan was complete.
2 One or more virus signatures were found.

Examples

  1. To scan all files in the /usr file system, enter:
    virscan -a /usr
    To scan all files in the /usr file system and put the names of any infected files into the file positive.vir in the current directory, enter:
    virscan -a -p /usr
  2. To scan the files listed in the files.dat file for viral signatures, enter:
    virscan -lfiles.dat
  3. To scan the /usr file system using the signatures in both the mysig.dat and virsig.lst files, enter:
    virscan -s/usr/lib/security/scan/virsig.lst -smysig.dat /usr
  4. To scan the /usr file system for files matching the *.o wildcard specification, enter:
    virscan /usr -w"*.o"
  5. To scan an entire system, enter:
    virscan /

Files

positive.vir Contains a list of files that tested positive. This file is created in the current directory.
/usr/bin/virscan Contains the virscan command.
/usr/lib/security/scan/virsig.lst Contains signatures of known computer viruses. These are the viruses known about when this version of the program was distributed. The file currently includes only known PC-DOS based virus signatures.
/usr/lib/security/scan/addenda.lst A user-created file containing signatures of additional viruses.

Related Information

The fsck command.

Testing Files for Viruses (virscan Command) in AIX Version 4.3 System User's Guide: Operating System and Devices.

Security Administration in AIX Version 4.3 System Management Guide: Operating System and Devices.


[ Next Article | Previous Article | Book Contents | Library Home | Legal | Search ]