avscan command
Syntax
avscan [ -r ] [ --[no]ignorelinks ] [ --noheuristics ] [ --nomacros ] [ --pup ] [ --mime ] [ --[no]arc ] [ --exeonly ] [ --exclude { file(s):directory(ies) } ] [ --maxwait seconds ] [ --timeout seconds ] [ --delay microseconds ] [ --scanthreads threads ] [ --clean ] [ --quar ] [ --cmd <"command-string"> ] [ --notify <"notifiers"> ] [ --loglevel level ] [ --quiet ] [ --notscanned ] [ --version ] [ --help ] file1:file2:dir1:dir2 ...
Description
The avscan command scans the specified files or directories for viruses and malicious code.
When an infection is found, avscan prints a message to the output stream and leaves the infected file unchanged. To have the command clean or quarantine infected files you must specify the --clean or --quar option (or both). With --clean alone, a file that cannot be cleaned is deleted; specify --quar as well to have such files moved to quarantine instead of deleted.
If you specify the -r flag, the avscan command descends the specified directories recursively. If no file or directory is specified, the avscan command scans the current directory without descending into subdirectories. For example:
./avscan
scans only the current directory. To scan a specific file or directory recursively, use:
./avscan -r /home/testuser
You can use shell wildcards in path names (the shell expands them before avscan runs):
./avscan /home/usr*
To send the output stream to a log file, use the redirection symbol:
./avscan > mylog.txt
Options
-r
Descends directories recursively.
--ignorelinks
Ignore all symbolic links that are found during the scan. This is the default behavior. This option is here for reasons of backwards compatibility.
--noignorelinks
Follow all symbolic links found during the scan.
--noheuristics
Do not use heuristic analysis when scanning files. The scanning engine normally employs heuristic technology to detect new viruses in executable files in addition to its normal signature scanning. Without heuristics, the engine can only find viruses that are already known. Heuristics slows scanning and makes detection more aggressive, so false positives become more likely. The default is to use heuristics; --noheuristics turns this feature off.
--nomacros
Do not scan compound documents for macro viruses. This parameter is similar to heuristics but looks for new viruses in compound document formats, for example Microsoft OLE formats such as Word documents. The default is to scan for macro viruses; --nomacros turns this feature off.
--pup
Detect potentially unwanted programs. Some widely available applications, such as password crackers or remote-access utilities can be used maliciously or can pose a security threat. If you set this parameter, the product scans for such files.
Default is to *not* scan for Potentially Unwanted Programs, so --pup will turn this feature on.
--mime
Scan for viruses in MIME-encoded files, UU-encoded files, XX-encoded files and BinHex files, and files in TNEF and IMC formats. This parameter reduces scanning performance.
Default is to not scan these types of files so --mime will turn this feature on.
--arc
Scan within archives (.zip, .jar, .rar, etc). The term "archive" also refers to disk images, installers built on archive formats, MIME attachments and other complex files that include embedded elements. Many archive files (especially jar files) can drastically increase scanning time, so you may prefer to scan archives on a weekly basis, for example.
The default is not to scan within archives.
--noarc
Do not scan within archives (.zip, .jar, .rar, etc). This is the default behavior. This option is here for reasons of backwards compatibility.
--exeonly
Do not scan non-executable files (.txt, etc). Default is to scan all files (recommended), so --exeonly
will scan executable files only.
--exclude <file1:file2:directory1:directory2:...>
Excludes the specified files and/or directories from scanning.
avscan --exclude /home/usr1:/home/usr2
will exclude both the /home/usr1 and /home/usr2 directories.
--maxwait <seconds>
Specifies the maximum number of seconds to spend scanning any one file. After that many seconds have elapsed the product stops scanning the file, reports it as skipped with reason "timeout", and proceeds with the next file; a file that timed out has not been verified as clean. It can be an integer value between 0 and 99999. The default is 300 seconds. A value of 0 disables the feature (files are scanned completely).
--timeout <seconds>
Specifies the maximum number of seconds the avscan command will execute before returning. After the number of seconds has elapsed, the command will end without scanning any remaining file(s). The return code will indicate a timeout has occurred.
It can be an integer value between 0 and 999999. The default value of 0 disables the timeout.
--delay <microseconds>
The amount of time in microseconds the scanner should pause with each progress beat from a scanning operation. This can be used as a simple CPU limiting technique. It can be an integer value between 0 and 999999. The default value of 0 disables the feature.
--scanthreads <threads>
The number of scanning threads to allocate for concurrent scanning of files. This can reduce overall scanning time when scanning many files on systems with multiple CPUs. It can be an integer value between 1 and 16. The default value is 1 thread.
--clean
Clean infected files by repairing the infection. Most infections cannot be cleaned.
--quar
Quarantine infected files by moving them to the /Quarantined directory. When --quar and --clean are both specified, the product attempts to clean the file first and, if unsuccessful, moves the file to the quarantine directory. If neither --clean nor --quar is specified, no action is taken on infected files. This is the default.
--cmd <"command string">
Runs the specified command string when an infection is found, passing the file name as a parameter. This allows a user-written script to perform actions such as alerting an administrator. The file is a live infected file, and the script must in no way attempt to read or execute it; the intention is to let you process the file name only, for example to notify an administrator. If the file still exists after the command returns, it will be deleted.
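A handler script for --cmd, added here as an example (it is not part of the avscan documentation or product). It assumes avscan appends the infected file's path as the single argument, as the text above describes, and it records only the path and inode metadata (via test(1) and ls -ld) without ever opening the file. AVSCAN_ALERT_LOG is an assumed environment variable for this script, not an avscan setting.

```shell
#!/bin/sh
# Added example: handler for  avscan -r /home --cmd "/opt/sgav/bin/infected-handler.sh"
# Assumption: avscan invokes this script with the infected file's path as $1.
# The file is live malware: we never read, copy, hash or execute it, and we do
# not delete or move it either (avscan itself removes it if it remains).
# AVSCAN_ALERT_LOG is an assumed variable, not an avscan option.

record_infection() {
    path=$1
    log=${AVSCAN_ALERT_LOG:-/var/log/avscan-alerts.log}
    host=$(hostname 2>/dev/null || echo unknown)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # Classify from the inode only; none of these tests open the file.
    if [ -L "$path" ]; then
        kind=symlink
    elif [ -f "$path" ]; then
        kind=file
    else
        kind=other
    fi
    # ls -ld reports mode, owner, group and size from the inode, not the contents.
    meta=$(ls -ld "$path" 2>/dev/null | awk '{print $1, $3, $4, $5}')

    # One line per event so the alert log is easy to ship to a SIEM.
    printf '%s host=%s kind=%s path=%s meta=%s\n' \
        "$stamp" "$host" "$kind" "$path" "$meta" >> "$log"
    echo "$kind"
}

# When invoked by avscan the single argument is the infected file.
if [ $# -eq 1 ]; then
    record_infection "$1" >/dev/null
fi
```

The path is logged verbatim; a file name chosen by an attacker may contain newlines or control characters, so the consumer of the alert log should treat the path field as untrusted data rather than splitting the file on line breaks blindly.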
--notify <"notifiers">
Notify those notifiers in the comma separated list which are defined in the [notify] section of config.ini. This list will override the list defined by the config.ini avscan:notify parameter. Note that notify names should be lowercase.
See Notification Support in avconfig command.
--loglevel <level>
Specifies the number of directory levels that will be printed in the output listing. The default is 99.
--quiet
Prints minimal information to the output stream, useful for parsing the output file.
--notscanned
When used in conjunction with the quiet option, this enables the additional reporting of errors, timeouts and skipped files.
--version
Prints the program version and build information, then exits.
Skipped Files
Files may be skipped (i.e. not scanned, or only partially scanned) for the following reasons:
aborted
Scanning of the file was aborted, typically due to a timeout or resource issue.
archive
The archive file was not scanned because archive scanning is disabled.
broken link
The file is a link that points to nowhere.
circular link
The file is a link that would create a loop in the scanning tree.
corrupted
The file, or one or more of the files inside an archive file, is corrupt and was not scanned.
encrypted
The file, or one or more of the files inside an archive file, is encrypted and could not be scanned.
link
The file is a link and was not followed because the option to follow links is not enabled.
nesting limit reached
Nesting refers to an archive file containing an archive file that contains a further archive file and so on. One or more archive files inside the top-level archive had too many levels of nesting and was not fully scanned.
not executable
The file, or one or more of the files inside an archive, is not considered executable and was not scanned. This can occur when the exeonly option is used, or when the engine scans a container expecting to find an executable file - and one does not exist.
not accessible
The scanner could not access the file for reading or writing.
not readable
The scanner could not open the file for reading.
non-regular file
The file is a special file that cannot be scanned, i.e. a Unix domain socket, pipe, FIFO, block or character device file.
settings
The file was not scanned due to the scanning options employed. Note that it is not currently possible to determine whether the pup, mime, macro or heuristics options would produce a different scan result, so those options are unlikely to trigger this skip code.
timeout
The file was not completely scanned due to the time allowed via the maxwait setting.
unsupported object type
The file, or one or more of the files inside an archive, is of an unexpected type and cannot be scanned. An example of this would be a path name, that was originally determined to be a file, has been changed to a directory in the interval between the scanner finding it and attempting to scan it.
Scan Summary
At the end of a scan, a set of statistics are presented. These statistics include file counts, infection activity, error counts and a summary of file skip reasons.
Scan Statistics
files scanned
The number of files inspected fully. This does not include skipped files, archives containing skipped files, or files that encountered errors during scanning.
infected
The number of files that were determined to be infected.
skipped
The number of files that were reported as skipped during scanning. This count includes archives that contained skipped files.
errors
The number of errors encountered during scanning files, resulting in the files not being scanned, removed or quarantined.
cleaned
The number of infections that were successfully cleaned.
deleted
The number of files that were deleted because cleaning attempts failed.
quarantined
The number of files that were successfully moved to quarantine.
Skip Statistics
link(s)
The number of links, cyclic links and broken links that were skipped.
archives
The number of archive files or other containers that were skipped, due to archive scanning being disabled.
settings
The number of files skipped due to settings other than archive scanning. This count includes the files skipped as not executable (e.g. when the exeonly option is in use).
no-access
The number of files skipped because they were not readable or writable.
encrypted
The number of files skipped because they were determined to be encrypted. If archive scanning is enabled, this includes the number of archives containing encrypted files.
corrupt
The number of files skipped because they were determined to be corrupted. If archive scanning is enabled, this includes the number of archives containing corrupt files.
timeout(s)
The number of files that encountered a timeout during scanning, through the maxwait configuration option.
other
The number of files skipped for any other reason. This includes nesting limits, special files, and unsupported file types.
Examples
Scans all files in the current directory.
Scans all files in the current directory and all sub-directories.
Scans all files on the system and if an infection is found, the file is cleaned. If cleaning fails, the file is moved to the /Quarantined directory.
Scans all files on the system and if an infection is found, the file is cleaned. If cleaning fails, the file is moved to the /Quarantined directory. Sends all output to the avscan.log file in the home or current directory.
If the log file cannot be found, try the default path name: /opt/sgav/avscan.log.
Scans all files on the system, using up to 4 threads to improve throughput and reduce the time for the complete scan.
Scans all files on the system, reporting only files that are infected, skipped, or encountered errors during scanning.
Notes
If the avscan command is not on your PATH, use the full default path name: /opt/sgav/avscan.
To schedule a scan using cron, run crontab -e to edit the crontab file using the vi editor. Position the cursor at the end and type i to insert a line. Type the following line to schedule the job to run every day at 1am. This example scans the home directories and times out after 4 hours (--timeout takes seconds, so 4 hours is 14400); stderr is redirected along with stdout so that errors end up in the same file:
0 1 * * * /opt/sgav/avscan -r /home --timeout 14400 --clean --quar > /opt/sgav/log/avscan.out 2>&1
To see the cron log, run tail on the cron log for your platform, for example tail /var/adm/cron/log or tail /var/log/syslog. For more information about scheduling using cron, run man crontab.
Exit status
The four exit status values that can be returned are:
0
Process completed successfully. No virus(es) detected.
1
Process completed, but one or more files were not scanned due to an error.
2
Timeout reached (--timeout parameter) or scan interrupted.
3
One or more virus infections were found.
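A wrapper that acts on these exit codes, added here as an example; it is not part of the avscan documentation or product. It runs a low-priority recursive scan (nice plus --delay, as the Performance Considerations describe) and maps the documented exit status to a status word for cron or a job scheduler. AVSCAN and SCAN_LOG are assumed environment variables of this script, and the excluded mount path /mnt/cdrom is an assumed location for optical media.

```shell
#!/bin/sh
# Added example: run a system scan and act on avscan's documented exit status.
# AVSCAN and SCAN_LOG are assumed variables for this script, not avscan options.
AVSCAN=${AVSCAN:-/opt/sgav/avscan}
SCAN_LOG=${SCAN_LOG:-/opt/sgav/log/avscan.out}

# Map the exit codes listed above to a short status word.
describe_exit() {
    case $1 in
        0) echo clean ;;                   # completed, nothing detected
        1) echo scan-errors ;;             # completed, some files not scanned
        2) echo timeout-or-interrupted ;;  # --timeout hit or scan interrupted
        3) echo infected ;;                # one or more infections found
        *) echo unknown ;;
    esac
}

# Run the scan; the second argument is --timeout in seconds (4 hours = 14400).
# Returns avscan's own exit status so the caller can decide what to do.
run_scan() {
    target=$1
    timeout_s=${2:-14400}
    # nice(1) lowers scheduling priority; --delay yields CPU on each progress
    # beat; /dev and the (assumed) optical mount point are excluded as the
    # Recommendations advise. The if/else keeps a non-zero status from aborting
    # a caller that runs with set -e.
    if nice -n 19 "$AVSCAN" -r "$target" --timeout "$timeout_s" --delay 500 \
        --exclude /dev:/mnt/cdrom --clean --quar > "$SCAN_LOG" 2>&1
    then
        rc=0
    else
        rc=$?
    fi
    echo "avscan exit=$rc status=$(describe_exit "$rc") target=$target" >> "$SCAN_LOG"
    return "$rc"
}

# Usage: scan-wrapper.sh /  [timeout-seconds]
if [ $# -ge 1 ]; then
    run_scan "$1" "${2:-14400}"
fi
```

Exit status 1 deserves attention in a scheduled job: the scan "completed", but files that were not scanned have not been checked, so treat anything other than 0 as something to review rather than only reacting to 3.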
Performance Considerations
On-demand scanning of the entire file system can be a very long running, CPU-intensive process. The time required to complete a full scan depends upon several factors, including the speed of the processor, the contention of CPU resources with other jobs, and the number and types of files to scan.
At the expense of scanning time, the impact of the on-demand scan on other jobs in the system can be lessened by the following:
- Use of nice(1) to downgrade the scheduling priority of the task
- Use of the delay option to yield CPU time at regular intervals
Recommendations
- Schedule scan tasks to run during off-peak hours.
- If you are not using on-access scanning, then run a full scan once per day if possible.
- Virus definitions are released daily. Be sure to keep the database up to date using the avupdate tool.
- Exclude /dev and optical media mount paths from your scan using the exclude path option. It is no longer necessary to exclude /proc and /sys as these paths are automatically excluded for recursive scans.
- Enable on-access scanning to reduce or eliminate the need for on-demand scanning.
- Review the scan reports to understand the length of time to scan specific directories.