
virusscan

Section: (8)
Updated: build 366
 

NAME

virusscan - scan and attempt to disinfect your local drives from viri  

SYNOPSIS

virusscan -a [AV ENGINE(S)] -c -g -d [DESTINATION] -h -n -l [LOGFILE FOLDER] -r -p -s

DESCRIPTION

Virusscan is a bash wrapper script for several free antivirus engines. It automatically downloads the engines and their updates over the Internet, so your computer must have a working internet connection. It can also be used offline; this is discussed later in this document.
It can also record md5sums and datestamps of all of your files for later reference.

 

SCAN ENGINES

Currently, 5 AV engines and md5 file checksumming are implemented.

-ClamAV

This is the basic engine provided and is already preinstalled on TRK. It is very effective on mailservers but is quite slow and tends to crash when used as a commandline scanner. It also focuses more on mailworms and, from experience, is less effective against local viri. ClamAV is the only GPL licensed AV engine implemented. All others have some sort of free-for-non-commercial-use license and are closed source. The pros of ClamAV are:
* very quick on new virus outbreaks
* included in TRK
* GPL licensed, so free for everyone
The cons:
* slow and very CPU and memory intensive
* detects the least viri of the 5 scanners in virusscan. Because it is in fact a mailserver scanner, it focuses more on worms than on filth that comes from malicious websites and such.
* cannot disinfect inside files on its own. In this case the infected files are quarantined into a tar.gz archive in <scandestination>/TRK-INFECTED/. Should a file be removed by mistake, you can recover it from the archive afterwards and rescan it with another antivirus tool.

-F-Prot

This antivirus tool and all the others are not included in TRK but are downloaded from the Internet as soon as you select them. They disappear after a reboot of TRK. If you want them to remain available after a reboot, you have to run updatetrk. This will be explained later in this documentation. The pros of F-Prot:
* lightweight, not a big download
* pretty fast, low cpu usage
* good disinfection method
The cons:
* does not detect everything
* their website sometimes fails and the download of F-Prot is aborted

-BitDefender Scanner

It strikes a good balance between file size, CPU/memory load and virus detection. It can detect many different types of malware. From what has been experienced so far, it may detect viri and malware that the other 4 engines miss. It is recommended to sweep with this engine after another one has already run.
Pros of BitDefender Scanner:
* detects quite a few viri
* pretty fast
* detects alternate malware
Cons:
* sometimes doesn't detect very common viri
* slow update process

-Vexira

This AV engine hasn't been tested so much, but it looks like a good average AV engine.

-Avast

Avast is the latest addition to virusscan (it replaces Grisoft AVG, because AVG lacks cleaning support in its new version). Avast is a great AV on Windows, very lightweight, but has not yet been tested in depth on Linux/TRK.
For this particular AV engine you need a registered, free license key, which is sent to you by e-mail.
Get it at http://www.avast.com/registration-free-antivirus.php
If you want to avoid entering the license key each time, it is recommended to run updatetrk.

-MD5

This is not an antivirus engine; it just reads all of your files and computes md5sums of them. It writes the result to a logfile in the same way as it does for an AV engine. Each logfile line has the format: modification time in seconds since 1-1-1970 <space> md5sum <space> filepath.
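The md5 log becomes useful when a later run is compared against an earlier one. The following script is an added example, not part of virusscan or TRK; it only assumes the logfile format stated above (mtime, md5sum, path separated by spaces) and uses constructed sample logs. Files whose checksum changed while the modification time stayed the same are flagged separately, since that combination is what a defender most wants to look at.

```shell
#!/bin/sh
# Added example (not part of virusscan/TRK): diff two "virusscan -a md5" logs.
# Each log line is "mtime md5sum filepath" (mtime = seconds since 1-1-1970).
compare_md5_logs() {
  # $1 = baseline log, $2 = later log. Output: "STATUS<TAB>path", sorted.
  awk '
    {
      mtime = $1; sum = $2; path = $3
      for (i = 4; i <= NF; i++) path = path " " $i   # rejoin paths containing spaces
      if (FILENAME == ARGV[1]) { bm[path] = mtime; bs[path] = sum; next }
      seen[path] = 1
      if (!(path in bs)) { print "NEW\t" path; next }
      # content changed but mtime identical: timestamp preserved on purpose?
      if (bs[path] != sum && bm[path] == mtime) { print "SUSPICIOUS\t" path; next }
      if (bs[path] != sum) { print "MODIFIED\t" path; next }
      if (bm[path] != mtime) { print "TOUCHED\t" path }   # same content, new mtime
    }
    END { for (p in bs) if (!(p in seen)) print "REMOVED\t" p }
  ' "$1" "$2" | sort
}

demo() {
  base=$(mktemp) || return 1
  cur=$(mktemp) || return 1
  # Constructed sample logs: hashes and paths are made up for this example.
  cat >"$base" <<'EOF'
1280000000 d41d8cd98f00b204e9800998ecf8427e /hda1/WINDOWS/system32/calc.exe
1280000100 0cc175b9c0f1b6a831c399e269772661 /hda1/Program Files/app/run.exe
1280000200 92eb5ffee6ae2fec3ad71c777531578f /hda1/WINDOWS/notepad.exe
1280000300 4a8a08f09d37b73795649038408b5f33 /hda1/old.dll
1280000400 8277e0910d750195b448797616e091ad /hda1/boot.ini
EOF
  cat >"$cur" <<'EOF'
1280000000 d41d8cd98f00b204e9800998ecf8427e /hda1/WINDOWS/system32/calc.exe
1280000100 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa /hda1/Program Files/app/run.exe
1280009999 92eb5ffee6ae2fec3ad71c777531578f /hda1/WINDOWS/notepad.exe
1280005000 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb /hda1/WINDOWS/dropper.exe
1280007000 cccccccccccccccccccccccccccccccc /hda1/boot.ini
EOF
  compare_md5_logs "$base" "$cur"
  rm -f "$base" "$cur"
}

demo
```

Paths with runs of multiple spaces are collapsed to single spaces by awk's default field splitting; MD5 itself is no longer collision resistant, so treat the result as a change detector, not as proof of integrity.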

 

USAGE

Usage is fairly simple and doesn't require in-depth knowledge of Linux. Here are the combinable options:
-a avs,bde,clam,fprot,va,md5
Specify which AV engine you want to use for scanning. If this parameter is omitted, ClamAV is used. In older versions, you could list more than one engine behind the -a parameter, separated by commas without spaces, and the scans would run consecutively. The problem with this approach is that when a fatal error occurs, virusscan quits completely. It is still possible, but you cannot be sure virusscan will not exit after just 1 engine run has had a problem.
However, you can get the same functionality (without the risk of breaking off on 1 error) by launching multiple virusscans on the same line separated by semicolons (this is standard bash). bash will run each command regardless of the exit status of the previous one. An example makes this clearer:

virusscan -a clam; virusscan -a fprot; virusscan -a bde; virusscan -a va; virusscan -a avs

Possible engines are: avs for Avast, bde for BitDefender, clam for ClamAV, fprot for F-Prot, va for Vexira and md5 for checksumming.

-c
Scan only files with common extensions (.exe, .com, .doc, ...). ClamAV only; speeds up the scan a little.
-g
Get only: just download the AV engine and its updates, no scanning. For use with updatetrk.
-d
Destination folder to scan. If no destination is given, virusscan will scan all local filesystems it can find (by calling mountallfs). You can specify multiple destinations by separating them with commas, without any spaces in between.
-n
No update. Don't check for new AV signatures. Use this option if the AV engine is already installed and up to date. Useful on computers without an internet connection, where TRK has been updated with updatetrk.
-r
Run in read-only mode. No disinfection will occur; only a logfile will be written on the scan destination or in the optional logfolder.
-l /path/to/logfolder
When specified, logs are written to the given directory. Logfile names are generated from the engine used and the scan destinations. If the log directory does not exist, it will be created. This way, one can keep a logfolder for each computer scanned. If you do not have write access to the folder, virusscan will exit.
-p
Get the update URL in non-secured mode. For security reasons virusscan now fetches URLs from Trinityhome.org over https, verified against a certificate located on your TRK. Should there be any problem with the certificate, virusscan will exit. Use this parameter to override that check ONLY IF YOU'RE REALLY REALLY SURE! Check that the URLs do not look suspicious by executing 'cat /etc/*url.txt'.
-s
Skip activating swap. Normally, virusscan tries to activate swap memory to gain more temporary space. This option disables that. Also implied in read-only mode.
-h
Displays a short help message.

Since virusscan relies heavily on an internet connection, proxy support has been incorporated for use with the AV engines. If you're behind a proxy server, run '. setproxy' first.

 

EXAMPLES

virusscan -a avs -d /mnt0,/hda1/WINDOWS,/hda1/Program\ Files

This downloads, installs and updates Avast if it is not available yet, and scans the locations /mnt0, /hda1/WINDOWS and /hda1/Program\ Files.
Note the escape (backslash space) for directory names that contain spaces.

BUGS

-AV engines might break because vendors upgrade their versions and completely change the command syntax and install paths. If they haven't changed their syntax and merely changed their download location, virusscan is able to adapt by fetching the new download URL from the trinityhome site. This is what happened to AVG and why it has been thrown out: the new version (>8.x) has no more cleaning capabilities.
-ClamAV becomes slow and unresponsive and tends to crash after a lot of scanning.
-Avast seems to have a similar problem in a different form: it looks as if it is hogging your computer and your keyboard no longer responds, but in fact it continues scanning. As long as you see/hear disk activity you can let it run. More feedback from users on this is desirable.
-No uniform logfiles. Unifying the logs from the different AV engines should be part of the rewrite one day.

REFERENCES

http://www.avast.com/
http://www.bitdefender.com/
http://www.clamav.net/
http://www.f-prot.com/
http://www.centralcommand.com/ (Vexira)



This document was created by man2html, using the manual pages.
Time: 00:35:42 GMT, August 11, 2010