vfind

"June 2001" "CyberSoft, Inc." "VFind Security Toolkit"

NAME

vfind - Heterogeneous Antivirus Tool

SYNOPSIS

VFind [ -c, --copyright ] [ -h, -?, --help ] [ -v, --version ]

VFind [ --jadevdl=file ] [ --vdl=file ] [ --vdl0=file ] [ --vdlc=file ] [ --sieve=file ] [ --libon=library ] [ --liboff=library ] [ --rcf=file ] [ --stdin ] [ --notell=virus ] [ --notells=file ] [ -p, --per-file ] [ --quiet=num ] [ --quit ] [ --end ] [ --speed=num ] [ -ssr, --smartscan-read ] [ -sst, --smartscan-types ] [ --lang=langfile ] [ --vexit ] [ -e, --exit-on-error ] [ --vlist ] [ --#=num ] [ filenames... ]

DESCRIPTION

VFind is a heterogeneous virus scanner that simultaneously scans for UNIX, Amiga, Macintosh, Windows 95/NT, and DOS viruses, including Denial of Service attacks, Back Door attacks, hostile Java applications and applets, OLE/VB5 macro viruses, and common hacks.

OPTIONS


"-c" ", " "--copyright" Display copyright information and then exit. All other options will be ignored.


"-h" ", " "-?" ", " "--help" Display usage message and then exit. All other options will be ignored.


"-v" ", " "--version" Display version information and then exit. All other options will be ignored.

--end Used to exit VFind while in Interactive mode.

--jadevdl=file Tells VFind to load additional virus signatures from file. The file contains VDL models for hostile Java applets and applications.

--lang=langfile This is used to provide an alternative message catalog file for VFind's output messages and is used for internationalization purposes. Message catalogs for different locales are provided by CyberSoft.

--libon=library, --liboff=library Turn on/off library. VFind will list the available libraries upon startup. The Amiga and eicar libraries are turned off by default.

--notell=virus This option provides a way to turn off reporting of individual viruses. This may be useful if your site gets a lot of false positives for some particular virus due to the type of data you have. virus is the name of the virus as it appears after "VIRUS ID: " in vfind's output.

--notells=file This provides a way to specify multiple notell parameters in a file. file is a file that contains valid virus parameters as described in the --notell option.

-p, --per-file Per-file: the count of possible virus infections is displayed for each file.

--quiet=num This option provides a way of suppressing some of vfind's verbosity.

--quiet=0
The default behavior.

--quiet=1
Suppresses the "Enter the name of the file to be checked:" prompt and its two trailing newlines.

--quiet=2
Suppresses the "Checking file: filename" message and its two trailing newlines.

Thus, with --quiet=2, you can pipe a list of file names to vfind and there will be no per-file output unless a possible virus is found. There will always, however, be the final report of the number of files scanned and the number of possible infections found.

--quit Used to exit vfind while in Interactive mode.

--speed=num This option allows you to control the priority vfind gives to running fast over conflicting concerns.

--speed=0
The minimum speed. Shortest start-up time. Slowest scan speed.

--speed=1
The medium speed. Slightly longer start-up time. Middle scan speed.

--speed=2
The maximum speed. Currently the default speed. Longest start-up time. Fastest scan speed.

--stdin Use the data on standard input as the file to scan. This will be treated as a file called stdin.

-ssr, --smartscan-read This option tells vfind to read a SmartScan stream; there must be a process writing a SmartScan stream to vfind's stdin.

-sst, --smartscan-types SmartScan Types: displays file types and any VDLs skipped due to file type restrictions.

--sieve=file Tells vfind to load additional virus signatures from file. The file contains virus signatures in the sieve format.

\--vexit\ This option causes vfind to return a known value on exit. With this option vfind will return 0 if no viruses were detected. In the event that a virus has been detected, vfind will return 23. This functionality is useful when integrating vfind in a script or other program. The return values cannot be changed from the defaults (23 and 0).

\-e\, \--exit-on-error\ Tells VFind to exit immediately after encountering any kind of error or warning condition. Normally, VFind prints a warning message and attempts to continue processing after encountering a non-fatal error, such as a syntax error in a VDL description.

--vlist This option causes vfind to print to stdout a list of all viruses for which it currently scans.

--vdl=file Tells vfind to read additional virus description codes from file.

--vdl0=file Tells VFind to read additional speed=0 virus descriptions from file. With speed>0, most VDL rules are compiled into a parallel search engine, which provides fast scanning but no control over the order in which the VDL patterns are applied. With speed=0, VDL rules are placed in a first-in-last-out queue, so the last rule specified is the first one executed, and speed=0 rules are always executed before the parallel search engine. So the --vdl0 option is useful when you have some set of VDL rules which you want executed in a guaranteed order, and this would usually be used in conjunction with the --#=1 option to stop scanning after finding one match.

--vdlc=file Tells VFind to read additional case-insensitive virus descriptions from file. Case-insensitive VDL constructs (i.e. ~"..." strings) are not compiled into the regular parallel search engine, but VDL files specified using the --vdlc option are compiled into a separate case-insensitive parallel search engine for faster processing.

--#=num Stop scanning a file after finding num viruses, e.g. --#=1 will stop after finding 1 virus. Note that # starts a comment in the Unix Bourne shell, so you may have to specify this option in quotes: '--#=1'

--rcf=file Run Control File. Tells VFind to read additional command-line arguments from file.

USAGE

LICENSES

"VFind" " requires a " ` "LICENSE" " file to run. This " "LICENSE" " file is host specific," therefore vfind will only run on the licensed machine. Additional licenses may be purchased by contacting:
CyberSoft, Inc.
1508 Butler Pike
Conshohocken, PA 19428.
Phone: +1.610.825.4748
Fax: +1.610.825.6785
At start-up, \vfind\ searches for the \LICENSE\ file in these locations:
* /LICENSE
* /etc/LICENSE
* The current working directory.
* The VSTK library directory set at installation.

INPUT

"VFind" " can be run in three ways."

1. Interactive mode: Running vfind without any file arguments (or other input such as SmartScan and stdin) will result in a prompt asking what file to scan. Example: vfind

2. Batch mode: VFind can be invoked with a list of files (or other input such as SmartScan or stdin). In this mode, vfind will scan all of the targets and write a report to stdout. This mode is useful when scanning many files or directories. Example: vfind *.doc *.exe

3. Automated mode: VFind can be run from a script, batch file, or other application and be scheduled using UNIX cron or a similar program. To run in this mode, simply create your vfind command and place it in the appropriate place in your script, batch file, or application. When this mode is invoked, vfind will run unattended and generate a report to stdout. This report can be redirected to a file, emailed, or otherwise processed. This mode of operation is useful when scanning a large amount of data on a regular basis.
OUTPUT

VFind's output can be very verbose at times. In order to cut down the output we recommend using the choke method. The choke method is as simple as piping the output from vfind into grep, or a similar tool. Each line of output from vfind starts with a chevron as follows:

Chevron     Meaning
--------------------------------------
##==>       Informational Message
##==>>      VFind Warning
##==>>>     Serious VFind Condition
##==>>>>    Possible Virus Detection

Example:

find / -type f | vfind | grep '##==>>>' > REPORT

The above example would only show errors and virus detection messages.
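The following shell script is added here as an example; it is not part of the VFind man page or of CyberSoft's software. It shows how a wrapper script for automated mode would post-process a report by the chevron prefixes listed above (with an exact severity threshold rather than grep's substring match) and interpret the exit status that --vexit documents under OPTIONS (0 for clean, 23 for a detection). The functions vfind_severity, vfind_choke, vfind_verdict and count_detections are the example's own names, and the sample report lines are constructed: their message wording is invented and is not real VFind output.

```shell
#!/bin/sh
# Added example, not part of the VFind man page. Post-processes a vfind
# report by chevron severity and maps a --vexit status to a verdict.

# Map one output line to a numeric severity by its chevron prefix:
#   ##==>     1  informational message
#   ##==>>    2  VFind warning
#   ##==>>>   3  serious VFind condition
#   ##==>>>>  4  possible virus detection
# Lines without a chevron (e.g. the interactive prompt) map to 0.
vfind_severity() {
    case "$1" in
        '##==>>>>'*) echo 4 ;;
        '##==>>>'*)  echo 3 ;;
        '##==>>'*)   echo 2 ;;
        '##==>'*)    echo 1 ;;
        *)           echo 0 ;;
    esac
}

# The "choke" filter: pass through only lines whose severity is at least $1.
# Unlike grep '##==>>>', a threshold of 3 cannot accidentally match a
# chevron that appears later in a line.
vfind_choke() {
    min="$1"
    while IFS= read -r line; do
        if [ "$(vfind_severity "$line")" -ge "$min" ]; then
            printf '%s\n' "$line"
        fi
    done
}

# Interpret the exit status produced by --vexit. The man page fixes the
# values at 0 (no virus) and 23 (virus detected); anything else means the
# scanner itself failed, which a job scheduler should treat as an error,
# not as a clean result.
vfind_verdict() {
    case "$1" in
        0)  echo clean ;;
        23) echo infected ;;
        *)  echo error ;;
    esac
}

# Constructed sample report (invented wording, not real vfind output).
SAMPLE_REPORT='##==> scanner started (constructed line)
##==> Checking file: /tmp/sample.doc (constructed line)
##==>> could not open /tmp/locked.bin (constructed line)
##==>>>> Possible Virus Detection: VIRUS ID: EXAMPLE-NAME in /tmp/sample.doc (constructed line)
##==> Number of files scanned: 2 (constructed line)'

# Count detection lines in the sample report.
count_detections() {
    printf '%s\n' "$SAMPLE_REPORT" | vfind_choke 4 | grep -c 'VIRUS ID:'
}

# Real use would look like this (commented out; requires vfind and a list
# of files, see the --quiet=2 and --vexit options):
#   find /home -type f | vfind --quiet=2 --vexit | vfind_choke 2 > REPORT
#   vfind_verdict "$?"
printf '%s\n' "$SAMPLE_REPORT" | vfind_choke 2
echo "Detections in sample report: $(count_detections)"
echo "Verdict for --vexit status 23: $(vfind_verdict 23)"
```

Because vfind_choke keys on the prefix only, it can be placed after `--quiet=2` in a cron job without losing the final summary line, which is informational (severity 1) and survives a threshold of 1 but not of 2.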

SMARTSCAN

VFind is a SmartScan compliant tool. Specifying the -ssr option to vfind will cause vfind to read a SmartScan stream from stdin. For example:

find /export/home -type f -print | uad -s -ssw | \
    vfind -ssr > REPORT

SPEED

Why would you ever want to use less than the maximum speed? Most users will never have to worry about this; however, here are a couple of reasons someone might. One reason is that there is a space/speed trade-off. With --speed=2, vfind typically takes about 8 Megabytes of dynamic space to run. If this is prohibitive on your machine (i.e., vfind can't run or there is excessive paging), try --speed=1. Another reason involves the trade-off between start-up time and marginal scan time. With --speed=2 there is a substantial start-up time as vfind initializes various internal structures. This might be on the order of, e.g., a second. When scanning a single small file, this might be a waste of time. On the other hand, --speed=2 provides the fastest marginal scan time, that is, the time needed to scan each extra byte of data. Thus, when scanning large amounts of data with a single invocation of vfind (such as when handling SmartScan data from uad(1) or handling a large number of file names piped in via standard input), --speed=2 (if you have the space for it) is a good idea despite the start-up time.

FILES

LICENSE

SEE ALSO
"uad" "(1), " "cit" "(1), " "thd" "(1), " "bhead" "(1), "
"jdis" "(1), " "find" "(1), " "dd" "(1), " "grep" "(1)"

BUGS

Please report all bugs to support@cyber.com. Make sure to include the version of vfind, the platform and OS, the script or command used, the complete output showing the bug, a short description of the problem, and contact information.

COPYRIGHT

Copyright 1991-2001 by CyberSoft, Inc. All rights reserved.