Command Line Parameters

You can run Dr.Web Scanner with the following command:

$ %bin_dir/drweb <path> [parameters]

where <path> is either the path (or paths) to the directories to scan or a mask for the files to check. If a path is specified with the prefix disk://<path to device file> (device files are located in the /dev directory), Dr.Web Scanner checks the boot sector of the corresponding device and cures it, if necessary. The path can be preceded by the optional -path parameter.

When Dr.Web Scanner is started only with the <path> argument, without any parameters specified, it scans the specified directory using the default set of parameters (for details, see below).

The following example shows a command to check the user home directory:

$ %bin_dir/drweb ~

Once scanning completes, Dr.Web Scanner displays all detected threats (infected and suspicious files) in the following format:

/path/file infected [virus] VIRUS_NAME

After that, Dr.Web Scanner outputs a summary report in the following format:

Report for "/opt/drweb/tmp":
Scanned       : 34/32    Cured      : 0
Infected      : 5/5      Removed    : 0
Modifications : 0/0      Renamed    : 0
Suspicious    : 0/0      Moved      : 0
Scan time     : 00:00:02 Scan speed : 5233 KB/s

In values separated by a slash ("/"), the first number is the total number of files and the second is the number of files in archives.
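The detection lines and summary report shown above can be checked by a script, for example in a scheduled scan. The following is an added example, not part of the Dr.Web documentation or distribution: the function names are hypothetical, the sample output is constructed from the formats on this page, and only the " infected " line format shown here is matched.

```shell
#!/bin/sh
# Added example: post-process Dr.Web Scanner console output (read on stdin).
# SAMPLE_OUTPUT is constructed from the formats shown on this page.
SAMPLE_OUTPUT='/opt/drweb/tmp/a.exe infected [virus] VIRUS_NAME
/opt/drweb/tmp/mail dir/b.com infected [virus] VIRUS_NAME
Report for "/opt/drweb/tmp":
Scanned       : 34/32    Cured      : 0
Infected      : 2/1      Removed    : 0
Modifications : 0/0      Renamed    : 0
Suspicious    : 0/0      Moved      : 0
Scan time     : 00:00:02 Scan speed : 5233 KB/s'

# Print the value of one summary counter. Left-column counters (Scanned,
# Infected, Modifications, Suspicious) print "<total> <in_archives>";
# right-column counters (Cured, Removed, Renamed, Moved) print one number.
# Exits non-zero when the counter is not found in the report.
drweb_counter() {
    awk -v label="$1" '
        /^Report for "/ { in_report = 1; next }
        in_report {
            for (i = 1; i + 2 <= NF; i++)
                if ($i == label && $(i + 1) == ":") {
                    v = $(i + 2); gsub("/", " ", v); print v
                    found = 1; exit
                }
        }
        END { exit !found }'
}

# Print "<path><TAB><verdict>" for each detection line before the report.
# Splits at the first " infected ", so paths containing spaces stay intact.
drweb_detections() {
    awk '
        /^Report for "/ { exit }
        { p = index($0, " infected ")
          if (p > 1) printf "%s\t%s\n", substr($0, 1, p - 1), substr($0, p + 10) }'
}

# Gate for cron jobs: 0 = nothing infected or suspicious, 1 = detections,
# 2 = no parsable report (treated as a failure, not as a clean scan).
drweb_scan_is_clean() {
    out=$(cat)
    inf=$(printf '%s\n' "$out" | drweb_counter Infected) || return 2
    sus=$(printf '%s\n' "$out" | drweb_counter Suspicious) || return 2
    [ "${inf%% *}" -eq 0 ] && [ "${sus%% *}" -eq 0 ]
}
```

Returning 2 when no report is found keeps a crashed or misconfigured scan from being recorded as a clean one.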

You can use the readme.eicar file, included in the distribution package, to test Dr.Web Scanner. Open this file in any text editor and follow the instructions in it to transform it into the eicar.com program.

When you check the program with Dr.Web Scanner, it must output the following message:

%bin_dir/doc/eicar.com infected by Eicar Test File (Not a Virus!)

This program is not a virus and is used only for testing anti-virus software.

Dr.Web Scanner has numerous command-line parameters. In accordance with UNIX conventions, the parameters are separated from a path by a space character and start with a hyphen ("-"). To get a full list of parameters, run Dr.Web Scanner with the -?, -h, or -help parameter.

The Console Scanner basic parameters can be divided into the following groups:

Scan area parameters

Diagnostic parameters

Action parameters

Interface parameters

Scan Area Parameters

These parameters determine where to perform a virus scan:

Parameter

Description

-path [=] <path>

Sets the path to be scanned.

The '=' symbol can be omitted; in this case, the path to scan is separated from the -path parameter by a space. You can specify several paths in one -path parameter (the paths are combined into one list). You can also specify paths without the -path parameter.

If the <path> parameter is specified in the startup options with the following prefix:

disk://<path to device file>,

the boot sector (MBR) of the corresponding device is checked and cured, if necessary.

A device file is a special file located in the /dev directory and named sdX or hdX, where X is a letter of the Latin alphabet (a, b, c, ...). For example: hda, sda.

Thus, to check the MBR of the sda disk, specify the following:

disk:///dev/sda

-@[+]<file>

Instructs to scan objects listed in the specified file. Add a plus '+' if you do not want the file with the list of objects to be deleted when scanning completes. The file can contain paths to directories that must be scanned periodically or a list of files to be checked regularly.

--

Instructs to read the list of objects for scanning from the standard input stream (stdin).

-sd

Sets recursive search for files to scan in subfolders.

-fl

Instructs to follow symbolic links to both files and folders. Links that cause loops are ignored.

-mask

Instructs to ignore filename masks.

Diagnostic Parameters

These parameters determine object types to be scanned for viruses:

Parameter

Description

-al

Instructs to scan all objects defined by scan paths regardless of their file extension and structure.

This parameter is opposite to the -ex parameter.

-ex

Instructs to scan only files of certain types in the specified paths. The list of file types must be specified in the FileTypes variable of the configuration file. The configuration file is defined by the -ini parameter. By default, objects with the following file extensions are scanned: EXE, COM, DLL, SYS, VXD, OV?, BAT, BIN, DRV, PRG, BOO, SCR, CMD, 386, FON, DO?, XL?, WIZ, RTF, CL*, HT*, VB*, JS*, INF, PP?, OBJ, LIB, PIF, HLP, MD?, INI, MBR, IMG, CSC, CPL, MBP, SH, SHB, SHS, SHT*, CHM, REG, XML, PRC, ASP, LSP, MSO, OBD, THE*, NWS, SWF, MPP, OCX, VS*, DVB, CPY, BMP, RPM, ISO, DEB, AR?, ZIP, R??, GZ, Z, TGZ, TAR, TAZ, CAB, LHA, LZH, BZ2, MSG, EML, 7Z, CPIO.

This parameter is opposite to the -al parameter.

-ar[d|m|r][n]

Instructs to scan files within archives (ARJ, CAB, GZIP, RAR, TAR, ZIP, etc.). An archive is understood to be a tar archive (*.tar) or compressed archive (*.tar.bz2, *.tbz).

If additional modifiers (d, m or r) are not specified, Dr.Web Scanner only informs the user about detected malicious or suspicious files in archives. Otherwise, it applies the specified actions to detected threats.

-cn[d|m|r][n]

Instructs to scan files within containers (HTML, RTF, PowerPoint).

If additional modifiers (d, m or r) are not specified, Dr.Web Scanner only informs the user about detected malicious or suspicious files in containers. Otherwise, it applies the specified actions to detected threats.

-ml[d|m|r][n]

Instructs to scan contents of mail files.

If additional modifiers (d, m or r) are not specified, Dr.Web Scanner only informs the user about detected malicious or suspicious objects. Otherwise, it applies the specified actions to detected threats.

-upn

Scan executable files packed with LZEXE, DIET, PKLITE, EXEPACK without output of the compression type.

-ha

Enables heuristic analysis to detect unknown threats.

For some parameters, you can use the following additional modifiers:

Add d to delete objects to avert the threat

Add m to move objects to Quarantine to avert the threat

Add r to rename objects to avert the threat (that is, replace the first character of the file extension with '#')

Add n to disable logging of the archive, container, mail file or packer type

If malicious objects are detected within complex objects such as archives, containers, packed or mail files, the reaction is applied to the whole complex object, and not to the included malicious object only.

Action Parameters

These parameters determine which actions are applied to infected (or suspicious) objects:

Parameter

Description

-cu[d|m|r]

Defines an action applied to infected files and boot sectors.

If an additional modifier is not specified, Dr.Web Scanner cures infected objects and deletes incurable files (unless another action is specified in the -ic parameter). Additional modifiers allow you to set another action instead of curing, but the new action can be applied only to infected files. In this case, the action for incurable files must be set with the -ic parameter.

-ic[d|m|r]

Defines an action applied to incurable files.

If an additional modifier is not specified, Dr.Web Scanner only informs the user about the threat.

-sp[d|m|r]

Defines an action applied to suspicious files.

If an additional modifier is not specified, Dr.Web Scanner only informs the user about the threat.

-adw[d|m|r|i]

Defines an action applied to adware.

If an additional modifier is not specified, Dr.Web Scanner only informs the user about the threat.

-dls[d|m|r|i]

Defines an action applied to dialers.

If an additional modifier is not specified, Dr.Web Scanner only informs the user about the threat.

-jok[d|m|r|i]

Defines an action applied to joke programs.

If an additional modifier is not specified, Dr.Web Scanner only informs the user about the threat.

-rsk[d|m|r|i]

Defines an action applied to potentially dangerous programs.

If an additional modifier is not specified, Dr.Web Scanner only informs the user about the threat.

-hck[d|m|r|i]

Defines an action applied to hacktools.

If an additional modifier is not specified, Dr.Web Scanner only informs the user about the threat.

Additional modifiers indicate actions that are applied in order to avert threats:

Add d to delete objects.

Add m to move objects to Quarantine.

Add r to rename objects, that is, replace the first character of extension with '#'.

Add i to ignore threats (available only for minor threats such as adware), that is, apply no action and do not list such threats in the report.

If malicious objects are detected within complex objects such as archives, containers, packed or mail files, the action is applied to the whole complex object, and not to the included malicious object only.

Interface Parameters

These parameters configure Dr.Web Scanner output:

Parameter

Description

-v, -version,
--version

Instructs to output information on the product and engine versions and exit Dr.Web Scanner.

-ki

Instructs to output information about the license and its owner (in UTF8 encoding only).

-go

Instructs to run Dr.Web Scanner in batch mode when all questions implying answers from a user are skipped and all decisions implying a choice are taken automatically. This mode is useful for automatic scanning of files, for example, during a daily (or weekly) check of the hard drive.

-ot

Instructs to use the standard output (stdout).

-oq

Disables information output.

-ok

Instructs to list all scanned objects in the report and mark "clean" objects with Ok.

-log=[+]<path to file>

Instructs to log Dr.Web Scanner operations in the specified file. The file name is required for enabling logging. Add a plus '+' if you want to append to the log file instead of overwriting it.

-ini=<path to file>

Instructs to use the specified configuration file. By default, Dr.Web Scanner uses drweb32.ini (this configuration file is shared by Dr.Web Daemon, Dr.Web Scanner and Dr.Web Updater). Dr.Web Scanner uses parameters specified in the [Scanner] section of this file. The list of the scanner parameters and available values is similar to those specified in the [Daemon] section.

-lng=<path to file>

Instructs to use the specified language file. The default language is English.

-a = <Control Agent address>

Runs Dr.Web Scanner in the central protection mode.

-ni

Disables the use of the configuration file for adjusting scanner settings. Dr.Web Scanner is configured via command line parameters.

-ns

Disables interruption of scanning process even upon receipt of interruption signals (SIGINT).

--only-key

On startup, only the key file is received from Dr.Web Agent.

You can use the hyphen «-» postfix (no space) to disable the following parameters:

-ar -cu -ha -ic -fl -ml -ok -sd -sp

For example, if you start Dr.Web Scanner with the following command:

$ drweb <path> -ha-

heuristic analysis (enabled by default) will be disabled.

For the -cu, -ic and -sp parameters, the "negative" form disables any action specified with additional modifiers, that is, information on detection of infected or suspicious object is logged, but no action is performed to avert threats.

The -al and -ex parameters have no "negative" form, but specifying one of them cancels actions of the other.

By default (if Dr.Web Scanner configuration is not customized and no parameters are specified), Dr.Web Scanner is started with the following parameters:

-ar -ha -fl- -ml -sd -al -ok

Default Dr.Web Scanner parameters (including scan of archives, packed files, files of email programs, recursive search, heuristic analysis and others) are sufficient for everyday diagnostics and can be used in most typical cases. You can also use the hyphen «-» postfix to disable parameters as required (as shown above with the example of heuristic analysis).

Disabling scanning of archives and packed files significantly decreases anti-virus protection level, because viruses are often distributed as archives (especially, self-extracting ones) attached to an email message. Office documents are potentially susceptible to infection with macro viruses (e.g., Word, Excel) and can also be dispatched via email within archives and containers.

When you run Dr.Web Scanner with default parameters, no cure actions and no actions for incurable and suspicious files are performed. To enable these actions, specify the corresponding command line parameters explicitly.