Command-line scanner

I’m using a mail server: hMailServer 4.4.2.275.
OS: Windows Vista Ultimate x64 (Finnish) with all latest updates installed.

I’m using this command to detect viruses:
“C:\Program Files\Alwil Software\Avast4\ashCmd.exe” /A /C /D /F=PW /T=A /P=1
My problem is: when I sent the EICAR test file to my mailbox, it didn’t detect it as a virus in the mail server.

Avast should return the value “1” when it finds a virus, but it returned “0”.

Is this new for the build 1085? I’m not aware of any changes in the command-line scanner.
I tried it and it works without any problems here (btw, /F=PW doesn’t make much sense - it’s the same as /F=W).

So, are you sure you pass the right file to the scanner? Wasn’t the eicar test string simply embedded in the e-mail body (as text)?

hMailServer still returns (I tried to send eicar as text, txt and zip):

“DEBUG” 3560 “2007-11-16 01:40:10.523” “CustomVirusScanner::Scan()”
“DEBUG” 3560 “2007-11-16 01:40:10.685” “CustomVirusScanner::Scan() - C:\Program Files\Alwil Software\Avast4\ashCmd.exe C:\Program Files (x86)\hMailServer\Data{AC0212AC-87DF-40CC-B2F1-86EA3C8B722D}.eml - Returned 0”
“DEBUG” 3560 “2007-11-16 01:40:10.686” “CustomVirusScanner::~Scan()”

Tried these commands:
“C:\Program Files\Alwil Software\Avast4\ashCmd.exe” /A /C /D /F=W /T=A /P=1
“C:\Program Files\Alwil Software\Avast4\ashCmd.exe” /A /C /D /F=W /T=A /P=4
“C:\Program Files\Alwil Software\Avast4\ashCmd.exe” /A /C /T=A
C:\Program Files\Alwil Software\Avast4\ashCmd.exe

It just returns “0” :S

The arguments were OK (I mean, I pasted your command-line into ashCmd, ran it from a batch and it worked correctly - errorlevel was 1).
If you pass this .eml file into ashCmd directly (from a command-line) - does it find the virus? Or, you can add the report-file-creation argument to the command line (/r=*c:\ashcmd.log) - is the virus detected?

From the command line it just says no viruses found. :( ClamWin works fine with the mail server.

Can you attach the .eml file (with eicar inside) here?

Here you are.

The forum didn’t allow me to send an .eml attachment, so I put it in as text.

filename: {4D8FEC9F-7FC2-4800-AD2F-23C59D867864}.eml (doesn’t include eicar as .txt and .zip)

Return-Path: hidden@finetworks.fi
Received: from [192.168.0.10] ([127.0.0.1])
by mail.finetworks.fi
with hMailServer ; Fri, 16 Nov 2007 14:02:12 +0200
Message-ID: 473D86C4.2030002@finetworks.fi
Date: Fri, 16 Nov 2007 14:02:12 +0200
From: Mika hidden@finetworks.fi
Reply-To: hidden@finetworks.fi
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: hidden@hidden.com
Subject: test
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


filename: {25868286-77B6-4CD6-BC3A-EC7F8C88C2B6}.eml (Includes eicar as .txt and .zip)

Return-Path: hidden@finetworks.fi
Received: from [192.168.0.10] ([127.0.0.1])
by mail.finetworks.fi
with hMailServer ; Fri, 16 Nov 2007 14:15:32 +0200
Message-ID: 473D89E4.4070800@finetworks.fi
Date: Fri, 16 Nov 2007 14:15:32 +0200
From: Mika hidden@finetworks.fi
Reply-To: hidden@finetworks.fi
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: hidden@hidden.com
Subject: test
Content-Type: multipart/mixed;
boundary=“------------070105030606080309000007”

This is a multi-part message in MIME format.
--------------070105030606080309000007
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

--------------070105030606080309000007
Content-Type: application/x-zip-compressed;
name=“test.zip”
Content-Transfer-Encoding: base64
Content-Disposition: inline;
filename=“test.zip”

UEsDBAoAAAAAAMFxcDc8z1FoRAAAAEQAAAAIAAAAdGVzdC50eHRYNU8hUCVAQVBbNFxQWlg1
NChQXik3Q0MpN30kRUlDQVItU1RBTkRBUkQtQU5USVZJUlVTLVRFU1QtRklMRSEkSCtIKlBL
AQIUAAoAAAAAAMFxcDc8z1FoRAAAAEQAAAAIAAAAAAAAAAAAIAAAAAAAAAB0ZXN0LnR4dFBL
BQYAAAAAAQABADYAAABqAAAAAAA=
--------------070105030606080309000007
Content-Type: text/plain;
name=“test.txt”
Content-Transfer-Encoding: base64
Content-Disposition: inline;
filename=“test.txt”

WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1U
RVNULUZJTEUhJEgrSCo=
--------------070105030606080309000007--

I’ve split these posts from the beta announcement thread, since it doesn’t seem to be related.

So, if you copy&paste this content into a .eml file and run ashCmd on it, it doesn’t report anything? It detects the eicar without any problems here… (in both files, actually)

I used the same command-line as you posted originally (except for the location change):
d:\avast4\ashCmd.exe f:\test\1.eml /A /C /D /F=PW /T=A /P=1

Result: virus was detected, .eml file deleted, %errorlevel% = 1

To make sure the CLSID in the filename doesn’t get incorrectly resolved somewhere, I also tried with your filenames (and with other CLSIDs)… no difference.

Can you redirect the output from ashCmd to a file (e.g. with the /_ argument) to see what was really scanned?
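Added example (not part of the thread, and not avast or hMailServer code): a Python self-check that builds a constructed .eml like the second sample above, shows which MIME parts a scanner must decode to reach the EICAR string, and optionally runs a scanner command on it to confirm the exit code is 1, as the thread expects. The function names and example addresses are assumptions made for illustration.

```python
import io, subprocess, sys, tempfile, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# EICAR test string exactly as quoted in the thread.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def build_sample() -> bytes:
    """Constructed sample: EICAR as body text, as test.txt and inside test.zip."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "a@example.invalid", "b@example.invalid"
    msg["Subject"] = "test"
    msg.set_content(EICAR.decode("ascii"))
    msg.add_attachment(EICAR, maintype="text", subtype="plain", filename="test.txt")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("test.txt", EICAR)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="x-zip-compressed", filename="test.zip")
    return msg.as_bytes()

def locate_eicar(raw: bytes) -> dict:
    """Map each leaf MIME part (and each zip member) to True if it holds EICAR."""
    found = {}
    msg = message_from_bytes(raw, policy=policy.default)
    for i, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""  # undoes base64
        name = part.get_filename() or f"part{i}:{part.get_content_type()}"
        found[name] = EICAR in data
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    found[f"{name}!{member}"] = EICAR in zf.read(member)
    return found

def scanner_flags(cmd: list, raw: bytes) -> bool:
    """Write raw to a temp .eml, append its path to cmd, True if exit code is 1."""
    with tempfile.NamedTemporaryFile(suffix=".eml", delete=False) as f:
        f.write(raw)
    return subprocess.run(cmd + [f.name]).returncode == 1

if __name__ == "__main__":
    raw = build_sample()
    # Only the 7bit body is literal in the file; attachments are base64.
    print("literal EICAR occurrences in raw .eml:", raw.count(EICAR))
    print(locate_eicar(raw))
    if sys.argv[1:]:  # optional: scanner command line to verify
        print("scanner returned 1:", scanner_flags(sys.argv[1:], raw))
```

If the scanner returns 0 on this file while the body part is reported as containing EICAR, the problem is in the scanner or its invocation rather than in how the message was encoded.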