McAfee VirusScan Command Line Q's

  • Thread starter: Guy
Thanx for trying. Needless to say, I'm disappointed. Is this McAfee's support? If so,
they should know, and not have to test.

Dave





| Sorry, tech too busy to experiment, I tried.
|
| | > Strangely our tech has never tried removing any of those files
| > he is thinking on it
| >
| > | > > I only scan irregularly here as too occupied in the mcafeehelp.com forums.
| > >
| > > I will get back with our techs thoughts tomorrow
| > >
| > > Peace(aussie)
| > >
| > > | > > > Thanx PeaceKeeper!
| > > >
| > > > I'm glad to see you monitoring.
| > > > Too bad Wrangler (UK) monitors very intermittently. He is EXTREMELY knowledgeable on McAfee
| > > > ENGINES and the like.
| > > >
| > > > Dave
| > > >
| > > >
| > > >
| > > >
| > > >
| > > > | > > > | David I will find out if you want,
| > > > |
| > > > | Peace
| > > > | | > > > | > Art wrote:
| > > > | >
| > > > | > > Guy wrote:
| > > > | > >
| > > > | > >> David wrote:
| > > > | > >>
| > > > | > >>> To run both the GUI and the Command Line scanner -
| > > > | > >>> yes, all are required.
| > > > | > >>>
| > > > | > >>> To JUST run the Command Line Scanner you need... SCAN.EXE
| > > > | > >>> SCANPM.EXE all DAT files.
| > > > | > >
| > > > | > > SCANPM.EXE works ok with just all the DAT files. SCAN.EXE requires
| > > > | > > all the DAT files plus the three DLL files:
| > > > | > >
| > > > | > > MCSCAN32.DLL
| > > > | > > RWABS16.DLL
| > > > | > > RWABS32.DLL
| > > > | > >
| > > > | > >> Can I write my own DAT file, like Sophos PATTERN files, for
| > > > | > >> undetected malware?
| > > > | > >
| > > > | > > You can do this with Sophos???
| > > > | > >
| > > > | >
| > > > | > Yes, when "Arnold" HackArmy came out last week(?) Sophos would not
| > > > | > detect so I wrote a PATTERN file to match it.
| > > > | >
| > > > | > Contents SWEEP.PAT file:
| > > > | >
| > > > | > Arnold_Virus BF04F4F655764B43 ; Backdoor.Hackarmy.gen
| > > > | >
| > > > | > I opened the malware in a hex editor and found what appeared to be a
| > > > | > unique string. Sophos running with the pattern picked up the file with
| > > > | > no false positives. This is a good feature that allows screening of
| > > > | > those suspicious files during otherwise undetectable outbreaks.
| > > > | >
| > > > | > > McAfee will send you an Extra DAT to take care of some new malware
| > > > | > > when you submit the suspect file to them and they add detection.
| > > > | > >
| > > > | >
| > > > | > Thank you for the information, you have been helpful.
| > > > | >
| > > > | > --
| > > > | > Regards,
| > > > | > Guy
| > > > |
| > > > |
| > > >
| > > >
| > >
| > >
| >
| >
|
|
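
The hex-string screening Guy describes in the quoted text above, as an added example that is not part of the original thread and not Sophos code: the `Name HEXBYTES ; comment` layout is assumed from the single SWEEP.PAT line he quotes, and the sample buffer is constructed. The scan carries an overlap between chunks so a signature that straddles a read boundary is still found.

```python
import io

PATTERN_LINE = "Arnold_Virus BF04F4F655764B43 ; Backdoor.Hackarmy.gen"  # from the thread
# Constructed sample: filler, the 8 signature bytes at offset 10, more filler.
SAMPLE = b"\x00" * 10 + bytes.fromhex("BF04F4F655764B43") + b"\xff" * 10

def parse_pattern_line(line):
    """Split 'Name HEXBYTES ; comment' (layout assumed from the single quoted line)."""
    body, _, comment = line.partition(";")
    fields = body.split()
    if len(fields) != 2:
        raise ValueError(f"expected 'name hexbytes', got {line!r}")
    return fields[0], bytes.fromhex(fields[1]), comment.strip()

def scan_stream(stream, signatures, chunk_size=65536):
    """Return sorted (name, absolute_offset) hits; signatures is {name: bytes}."""
    keep = max(map(len, signatures.values())) - 1  # overlap carried between chunks
    tail, base, hits = b"", 0, set()               # base = file offset of window[0]
    while chunk := stream.read(chunk_size):
        window = tail + chunk
        for name, sig in signatures.items():
            pos = window.find(sig)
            while pos != -1:
                hits.add((name, base + pos))
                pos = window.find(sig, pos + 1)
        tail = window[-keep:] if keep else b""
        base += len(window) - len(tail)
    return sorted(hits)

def scan_sample(chunk_size):
    """Scan the constructed sample with the thread's pattern line."""
    name, sig, _ = parse_pattern_line(PATTERN_LINE)
    return scan_stream(io.BytesIO(SAMPLE), {name: sig}, chunk_size)
```

With a 12-byte chunk size the signature at offset 10 spans two reads, which is the case the overlap exists for.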
 
David, if you can elaborate as to why you need to know I may be able to get
them interested.

Scanpm is a 16-bit version, scan the 32-bit, I remember. The daily DAT files do
not have scanpm included, so the DLLs may be required by 32 scan.exe. Just a
wild guess.

If you are interested in continuing this discussion, you or Art can email me
(remove stop) and use mcafee as subject line, anything else is liable to be
vaporised :)
Peace
 
David said:
Art:

I believe we have discussed this before...

RWABS16.DLL
RWABS32.DLL

Are not required by the Command Line Scanner. I use it on "this"
PC and neither DLL exist on the PC at all.

You are most likely correct about MCSCAN32.DLL when running
SCAN.DLL under a WinNT Command Prompt but not in DOS.

SCAN.EXE wants these MCSCAN32.DLL, RWABS16.DLL, RWABS32.DLL plus DATs.
SCANPM.EXE seems to just want DATs.


More info:


00:00:00.640: LoadLibraryA("D:\MCAFEE\MCSCAN32.DLL")
called from "d:\mcafee\SCAN.EXE" at address
0x004163FA by thread 1.
00:00:00.773: LoadLibraryA("rwabs32")
called from "d:\mcafee\MCSCAN32.DLL" at address
0x12008454 by thread 1.
00:00:02.354: LoadLibraryA("rwabs32")
called from "d:\mcafee\SCAN.EXE" at address
0x0041FED4 by thread 1.
00:00:02.357: LoadLibraryA("rwabs32")
returned 0x10000000 by thread 1.
00:00:02.363: GetProcAddress(0x10000000 [d:\mcafee\RWABS32.DLL],
"_Basil_1_32") called from "d:\mcafee\SCAN.EXE" at address
0x0041FEF5 and returned 0x10001200 by thread 1.
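
One way to turn the API trace posted above into a list of run-time DLL loads, as an added example that is not part of the original post: the function names are illustrative, and the record layout is inferred only from the lines in the trace. It re-joins the wrapped records and marks loads requested by bare name (`rwabs32`), which Windows resolves through the DLL search order rather than a fixed path.

```python
import re

# Trace excerpt exactly as posted above; each record wraps over several lines.
TRACE = r'''00:00:00.640: LoadLibraryA("D:\MCAFEE\MCSCAN32.DLL")
called from "d:\mcafee\SCAN.EXE" at address
0x004163FA by thread 1.
00:00:00.773: LoadLibraryA("rwabs32")
called from "d:\mcafee\MCSCAN32.DLL" at address
0x12008454 by thread 1.
00:00:02.354: LoadLibraryA("rwabs32")
called from "d:\mcafee\SCAN.EXE" at address
0x0041FED4 by thread 1.
00:00:02.357: LoadLibraryA("rwabs32")
returned 0x10000000 by thread 1.
00:00:02.363: GetProcAddress(0x10000000 [d:\mcafee\RWABS32.DLL],
"_Basil_1_32") called from "d:\mcafee\SCAN.EXE" at address
0x0041FEF5 and returned 0x10001200 by thread 1.'''

STAMP = re.compile(r'^\d\d:\d\d:\d\d\.\d{3}: ')
LOAD = re.compile(r'LoadLibraryA\("([^"]+)"\) called from "([^"]+)"')
PROC = re.compile(r'GetProcAddress\(\S+ \[([^\]]+)\], "([^"]+)"\) called from "([^"]+)"')

def records(text):
    """Re-join wrapped lines: a new record starts at each timestamp."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def module(path):
    """File name in upper case; LoadLibrary appends .DLL to extension-less names."""
    name = path.rsplit("\\", 1)[-1].upper()
    return name if "." in name else name + ".DLL"

def runtime_loads(text):
    """Set of (caller, library, by_bare_name) for every LoadLibraryA call."""
    hits = (LOAD.search(r) for r in records(text))
    return {(module(m[2]), module(m[1]), "\\" not in m[1]) for m in hits if m}

def resolved_symbols(text):
    """List of (caller, library, symbol) for every GetProcAddress call."""
    hits = (PROC.search(r) for r in records(text))
    return [(module(m[3]), module(m[1]), m[2]) for m in hits if m]
```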
 
David H. Lipman said:
Thanx PeaceKeeper!
I'm glad to see you monitoring.
Too bad Wrangler (UK) monitors very intermittently. He is EXTREMELY knowledgeable on McAfee
ENGINES and the like.

High praise indeed from Mr Lipman... Sorry for the delay... I check a.c.v
every few days...

I am around, but more lurquing these days as I am no longer where I was, but
doing fine thanks very much :)

This also means my memory is somewhat faded by several (well, nine!) months,
so, please don't take this as Gospel and if you are planning on doing
anything exciting, talk to support again !!

As I remember it, Scan.Exe checks the environment and makes the call about
which files are needed - the basic files, or with the support files (DLL's
etc) depending on if Windows OS support is required. I think you will find
this is where the difference of needing or not needing the support files
comes from.

It's been a few months, so I may be a bit rusty... I have other things I have
to stuff and retain in my cranium now...

Don't think badly of support, as this is not a question that they would be
expected to answer - people generally run the engines using contents of the
installed package / SuperDATs / Engine Updates and don't tend to chop 'em up
into their constituent parts very often.

BTW, you going to VB in Chicago?

Cheers,

\/\/
 
Hi Wrangler:

It's great to see you're still around. You know that if you're not around then you are a square
:-)

While this is no burning question, I'm still interested in an answer, even qualified, and I
think I understand there is an OS dependency. The knowledge helps me to support and use
McAfee AV software better.

I'm sorry to say, I won't be going to Chicago :-(

Dave
PS All the best to you and yours and I hope your new situation brings you the pleasures you
so rightly deserve.



 