ryerman

AdAwareCommandLineScanner --quarantine fails for infected archive

Question
AdAwareCommandLine.exe (provided with Ad-Aware 11.10.767.8917 in compatible mode) will quarantine an archive.
However, that requires user interaction if a threat is discovered.
Also, AdAwareCommandLine will not scan again, until the user deals with the threat.
I want an infected archive to be quarantined if the scan is unattended and for the scanner to be immediately available for another scan.

So I tested the stand-alone AdAwareCommandLineScanner, using EICAR test files. (NOT AdAwareCommandLine.exe, included with the GUI application)
I hoped that the AdAwareCommandLineScanner would quarantine an infected archive automatically, without user intervention.

The --quarantine switch works for a non-archive file (eicar.com) and the file is quarantined.
In the XML results file, ScanStatus="Moved"

However, a ZIP file containing a virus (eicar_com.zip) is not quarantined.
In the XML results file, ScanStatus="ScanFailed"

In both cases, a threat was detected: ThreatType="Virus" in the results files.

Is this desired behaviour or a bug?
If a virus is detected in an archive, shouldn't the --quarantine switch cause the archive to be quarantined?

AdAwareCommandLineScanner - Command Session.zip
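Since the scanner reports the threat in the XML results but leaves the archive in place with ScanStatus="ScanFailed", an unattended job can do the quarantine step itself after the scan. The script below is an added example written for this thread, not Lavasoft's code: it parses a results file, lists every entry with a ThreatType that was not "Moved", and moves any such archive into a quarantine folder. Only the ScanStatus and ThreatType attribute names come from the thread; the surrounding element names (ScanResult, File, Path) and the sample results are assumed and constructed for the example.

```python
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path, PureWindowsPath

# Constructed sample results file. ScanStatus and ThreatType are the attributes
# quoted in the thread; the ScanResult/File/Path names are assumed.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<ScanResult>
  <File Path="C:\\samples\\eicar.com" ThreatType="Virus" ScanStatus="Moved"/>
  <File Path="C:\\samples\\eicar_com.zip" ThreatType="Virus" ScanStatus="ScanFailed"/>
  <File Path="C:\\samples\\readme.txt" ThreatType="" ScanStatus="Clean"/>
</ScanResult>
"""

# Container formats we treat as archives (assumed list, extend as needed).
ARCHIVE_SUFFIXES = {".zip", ".7z", ".rar", ".tar", ".gz", ".cab"}


def find_unhandled_threats(xml_text):
    """Return (path, threat_type, status) for every detection the scanner did not move."""
    root = ET.fromstring(xml_text)
    unhandled = []
    for entry in root.iter("File"):
        threat = entry.get("ThreatType") or ""
        status = entry.get("ScanStatus") or ""
        if threat and status != "Moved":
            unhandled.append((entry.get("Path"), threat, status))
    return unhandled


def is_archive(path):
    # PureWindowsPath understands both "\\" and "/" separators, so this works
    # on the scanning host and on a POSIX box reviewing the results.
    return PureWindowsPath(path).suffix.lower() in ARCHIVE_SUFFIXES


def quarantine_file(path, quarantine_dir):
    """Move a file into quarantine_dir with a .quarantined suffix so it cannot be opened by double-click."""
    src = Path(path)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / (src.name + ".quarantined")
    shutil.move(str(src), str(dest))
    return dest


def process_results(xml_text, quarantine_dir):
    """Quarantine flagged archives that still exist on disk; report everything else."""
    actions = []
    for path, threat, status in find_unhandled_threats(xml_text):
        if is_archive(path) and Path(path).is_file():
            actions.append((path, threat, str(quarantine_file(path, quarantine_dir))))
        else:
            actions.append((path, threat, None))  # reported, nothing moved
    return actions


def demo():
    """Round trip on a constructed dummy archive in a temp dir (not a real sample)."""
    workdir = Path(tempfile.mkdtemp())
    fake_archive = workdir / "flagged.zip"
    fake_archive.write_bytes(b"PK\x03\x04 placeholder, not a real archive")
    results = (
        '<ScanResult><File Path="%s" ThreatType="Virus" ScanStatus="ScanFailed"/></ScanResult>'
        % fake_archive
    )
    actions = process_results(results, workdir / "quarantine")
    moved_away = not fake_archive.exists()
    landed = actions[0][2] is not None and Path(actions[0][2]).is_file()
    shutil.rmtree(workdir, ignore_errors=True)
    return moved_away and landed


if __name__ == "__main__":
    for item in find_unhandled_threats(SAMPLE_RESULTS):
        print("not quarantined:", item)
    print("demo round trip ok:", demo())
```

Run it right after the scanner exits, pointing it at the XML results path and a quarantine folder the scanner itself will not rescan; the returned action list is what an unattended job should log so a human can see what was moved.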

9 answers to this question

Hi ryerman,

 

I haven't received a reply from Lavasoft yet.

But there are always users, like you, that want a whole zip file to be quarantined when only one of its internal files is malicious and others, like me, that only want to know and then be able to repack the zip file without the malicious file.

Hi CeciliaB,
Thanks for the quick reply.

I guess the developers of the CommandLineScanner were users like you, not me.
I won't hold my breath waiting for Lavasoft to change the --quarantine switch. ;)

Did you know that the --delete switch will remove a malicious internal file from an archive?
It seems inconsistent that the --quarantine switch would not move a malicious internal file, at least.
Maybe that would make restoration for such files too difficult to provide.

Hi ryerman,

 

CommandLineScanner isn't designed to handle archives. Lavasoft developed it since Virustotal.com needs such a function and they don't use it for archive files.

 

I'm sorry that the two scanners can't do what you want.

 

I guess that you have read the manuals for the scanners.

Hi CeciliaB,

 

I've been using the manual found here:
http://lavasoft.com/mylavasoft/support/supportcenter/download-and-install-the-command-line-scanner
I was pleasantly surprised at how clear and well-organized it was.
It does not describe how archives are treated: in fact archives or any other file type are not mentioned.

But your remarks make me wonder about scanning archives.
Are you saying that the Command Line Scanner does not scan archives?

My testing showed that the EICAR test virus was identified when it was in an archive.
Was that merely some "faked" positive to satisfy Virustotal.com?
Would some other non-test threat be ignored, even if it was defined?
Is a legitimate, normal, accurate scan made in archives without passwords, one that identifies threats as if they were not in the archive?

The missing ability to quarantine an infected archive can be managed, as you indicated earlier.
But it would be very bad if we thought an archive was being scanned when it was not.

 

And just to be clear, I'm asking about Command Line Scanner, not AdAwareCommandLine.exe provided with the full installation.

Sorry, I meant that it doesn't have any special actions, such as delete or quarantine, for archives or their internal files.

Thanks for the clarification.
I can happily use the scanner without the quarantine action.
However, my testing shows that internal, malicious files will be deleted from an archive when using --delete.

Ok, I might have misunderstood the information I got from Lavasoft.

Maybe.
Or maybe you understood correctly but the Lavasoft representative didn't know what they were talking about.
Now, it's difficult to rely on the accuracy of the information provided here.

The manual and other documentation (including the --help switch) should be upgraded to correctly explain how/if archives are treated differently than other files and folders.
Hopefully, Lavasoft cares enough to look at this thread and understands why that is necessary.

Neither my contact person nor I have English as our first language, so it's easy to misunderstand something and my contact person isn't the developer of the tool, but works in QA.

 

I'll forward your suggestion for the documentation.

 

There is another person that has posted about these tools; you can try to send him/her a PM if you want: http://www.lavasoftsupport.com/index.php?/topic/33796-ad-aware-command-line-scanner
