uad(1)

CyberSoft VFind Security Toolkit

uad(1)

uad - Universal Atomic Disintegrator

For each file argument, uad (Universal Atomic Disintegrator) attempts to identify the file type. If the file is a composite file of a type uad knows how to expand, uad attempts to expand the file and recursively process the subfiles.

Currently, uad expands BinHex, TNEF, tar'd, ziped, zip2exe, compressed and gziped files as well as extracting MIME and uuencoded enclosures in text files. Support for other archive and compression formats is available using external programs and the --external option.

OPTIONS

-c, --copyright

Display copyright information and then exit. All other options will be ignored.

-h, -?, --help

Display usage message and then exit. All other options will be ignored.

-v, --version

Display version information.

-e prog, --external prog

Use external expander for unknown archive types. You must provide the external expander program. An example uad-helper Unix sh script is provided to handle cpio, RAR, bzip2, and StuffIt formats.

-k, --keep-tmpfiles

The temporary files containing constituent files created during expansion are retained (normally they are deleted). These files are announced as each input file is scanned when this option is specified.

-l, --follow-links

Symbolic links are followed. First, the link file is described, then the file it points to is scanned.

-L, --transparent-links

Symbolic links are followed transparently. The data in the file linked to is used to describe the link file.

-m, --malformed

Keep malformed files. Normally uad does not keep any partial output or extracted components if an archive or encoding is malformed. This option will cause uad to keep such files, e.g. they will appear on SmartScan output.

For use in conjunction with SmartScan output piped into vfind, you should also specify the uad -p option when using -m, otherwise trailing content in a malformed archive may not be processed.

-n, --no-expansion

Do not expand composite files.

--no-recursion

Do not expand files recursively.

-p, --provide-all

Provide All Files: Normally uad does not provide output files for archives which have been expanded into component files. This option will cause uad to also provide the archive files.

-p0, --provide-top

Provide Top Files: Normally uad does not provide output files which are simply copies of input file archives which have been expanded into component files. This option will cause uad to also provide the top-level input archive files.

-pid, --pid

Print process id to stderr.

-q string, --quote string

Quote: This option causes uad to write the specified literal string on SmartScan output.

-s, --stdin-file-list

Read the names of files to scan from standard input, one per line.

-S, --stdin

Use the data on standard input as the file to scan.

-ssr, --smartscan-read

This option causes uad to read files from a SmartScan stream on standard input.

-ssw, --smartscan-write

Write a SmartScan Stream to the standard output. This option is useful when interfacing with other SmartScan Compliant tools such as vfind(1).

-t dir, --tmpdir dir

Set the directory uad uses for its temporary files to dir. Without this option, uad will use the default temp directory appropriate to the operating system.

-T, --Text

Set Text mode. This option forces uad to treat input files as text.

-w, --write-files

Constituent files for which meaningful names are available (from, e.g., an archive or MIME message) are saved with those names in the current directory. Subdirectories are created as needed.

-z, --zeroing-off

Don't zero out the temporary files before unlinking them. This speeds things up a little, but introduces a potential security hole.

--

End of Options: Signals to uad that all remaining arguments are to be treated as filenames, even if they start with '-'.

LICENSES

uad requires a LICENSE file to run. This LICENSE file is host specific, therefore uad will only run on the licensed machine. Additional licenses may be purchased by contacting:

CyberSoft, Inc.
1508 Butler Pike
Conshohocken, PA 19428.
Phone: +1.610.825.4748
Fax: +1.610.825.6785

At start-up, uad searches for the LICENSE file in these locations:

• /LICENSE
• /etc/LICENSE
• The current working directory.
• The VSTK library directory configured during installation.

INPUT

uad can take input in three ways.

1. uad with a filename or list of filenames as arguments.
   Example:

     uad --write-files jdk1.1.tar.gz strerror.c
   

2. uad reading a data stream from the standard input.
   Example:

     dd -bs=20 -if=/dev/rmt/0mn | uad -S
   

3. uad reading a list of filenames from the standard input.
   Example:

     find /usr/local/bin -type f -print | uad -s
   

OUTPUT

Each input file is described with at least two lines written to standard output. Each line begins with a zero- based number indicating how many levels of expansion were needed to access the file. The first line reports the name, and the second reports the type. For example:

  uad /bin/ls

might produce the following output:

  0: Name: /bin/ls
  0: Type: sticky 80386 COFF executable

If the file has sub-components, there will be a third line announcing the fact, followed by the components with a level number one greater than that of the file. For example:

  uad archive.tar

might produce:

  0: Name: archive.tar
  0: Type: tar archive
  0: Components...
  1: Name: foo
  1: Type: unknown
  1: Name: bar
  1: Type: unknown

Such expansion can proceed to any number of levels. For example:

  uad mbox.tgz

might produce:

  0: Name: mbox.tgz
  0: Type: gzip compressed data
  0: Components...
  1: Name: unknown
  1: Type: tar archive
  1: Components...
  2: Name: mbox
  2: Type: text
  2: Components...
  3: Type: text fragment
  3: Unnamed
  3: Type: text (no enclosures found)
  3: Unnamed
  3: Type: text fragment
  3: Unnamed
  3: Type: text (8-bit)
  3: Unnamed
  3: Type: text fragment
  3: Name: medal.gif
  3: Type: GIF picture - version 87a 125 x 125,
       interlaced, 256 colors

In this case, uad has extracted attachments from email messages. The components of type 'text fragment' are typically mail messages and/or MIME headers that delimit the other components. These are put in mini-files of their own. Attachments that are themselves text files are, of course, recursively scanned. If nothing is found in them, this is announced as type 'text (no enclosures found)'. If, in the above example, uad had been invoked with the -w option (see above), it would have also announced:

  uad: Wrote file `medal.gif'

SMARTSCAN

uad is a SmartScan compliant tool. Specifying the -ssw option to uad will cause uad to produce a SmartScan stream as output. This stream can then be redirected to another SmartScan compliant tool, such as vfind(1), and processed further. For example:

  find /export/home -type f -print | \
    uad -s -ssw | vfind -ssr > REPORT

LICENSE

Please report all bugs to support@cyber.com Make sure to include the version of uad, the platform and OS, the script or command used, the complete output showing the bug, a short description of the problem, and contact information.

© 1996-2002 by CyberSoft, Inc. All rights reserved. Portions of this software are covered by the following copyrights:

The Universal Atomic Disintegrator incorporates (de)compression code by the Info-ZIP groups. There are no extra charges or costs due to the use of this code, and the original (de)compression sources are freely available from CyberSoft, Inc.

uad(1)

CyberSoft VFind Security Toolkit

uad(1)