
How to scan Windows7/Server2008 file system from command-line?

This should be a simple problem to solve but it seems not to be...

  • I have a hard disk containing a full Server 2008 file system which I want to fully scan using Sophos Anti-Virus for Windows
  • The drive is mounted as a normal disk, not as a system drive; its drive letter is usually something like e:\
  • I want to be able to scan it from the command-line (I'm using sav32cli.exe)

The flags I'm passing to sav32cli are:

-sc -dn -no-stop-scan -f -rec -all -eec -cab -loopback -oe -b -tnef -suspicious -include -archive

So an example command might be:

c:\Program Files\...\sav32cli.exe -sc -dn -no-stop-scan -f -rec -all -eec -cab -loopback -oe -b -tnef -suspicious -include -archive e:\

The problem I encounter when doing this is:

  • A Windows7 / Server2008 file system contains junction points (e.g. c:\Documents and Settings) which point to other folders on the disk. (As far as I can tell junction points are the Windows equivalent of Unix symlinks.) When Sophos sav32cli is asked to scan this disk using the flags above it follows these junction points and ends up scanning many files more than once, and also follows some symlinks to start scanning the c:\ drive.
Using this page I tried the following to fix this problem:

  • To prevent the scanner following symlinks I added the --no-follow-symlinks flag; this is not one of the flags listed when I run the scanner with --help. This flag has no effect.

  • To prevent the scanner scanning files more than once I added the --backtrack-protection flag; this is not one of the flags listed when I run the scanner with --help. This flag causes the scanner to only scan the pagefile.sys file.
My questions:
  1. Are these additional two flags only supported on the Linux versions of the AV client but haven't been disabled from the Windows version?
  2. Am I using the flags incorrectly?
  3. How does the backtrack-protection flag work? Does it cause the scanner to think it's scanned the file system once already so it doesn't need to scan it again? How can I reset its 'backtrack state'?
Thanks in advance,
Tom
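To make the two behaviours asked about above concrete (not following junctions/symlinks, and not scanning the same directory twice), here is an added Python model of a loop-safe file-system walk. It is example code written for this page, not sav32cli's code and not a description of how Sophos actually implements backtrack protection; the directory tree it builds (a fake "Documents and Settings" link and a link from AppData back to the root, mirroring the loop Christian observed) is constructed sample data. On Windows, junctions are detected through the REPARSE_POINT file attribute that os.lstat exposes; on Unix the same check catches symlinks.

```python
"""Loop-safe walk: skip reparse points/symlinks and never revisit a directory.
Added example for this thread; a model of the behaviour under discussion,
not the Sophos implementation."""
import os
import stat
import tempfile


def is_reparse_point(path: str) -> bool:
    """True for a symlink (any OS) or a Windows junction / other reparse point."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    # On Windows os.lstat exposes the NTFS attributes; a junction carries
    # FILE_ATTRIBUTE_REPARSE_POINT even though it is not a symlink.
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def scan_tree(root: str):
    """Walk *root* without following links and without scanning a directory
    twice. Returns (files_found, links_skipped), each a list of paths."""
    files = []
    skipped = []
    seen_dirs = set()          # (st_dev, st_ino) of every directory visited
    stack = [root]
    while stack:
        current = stack.pop()
        st = os.stat(current)
        key = (st.st_dev, st.st_ino)
        if key in seen_dirs:   # "backtrack protection": already scanned
            continue
        seen_dirs.add(key)
        with os.scandir(current) as it:
            for entry in sorted(it, key=lambda e: e.name):
                if is_reparse_point(entry.path):
                    skipped.append(entry.path)   # record it, never descend
                    continue
                if entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
                elif entry.is_file(follow_symlinks=False):
                    files.append(entry.path)
    return files, skipped


def build_demo_tree(root: str) -> None:
    """Constructed sample tree containing a link cycle like the one in the thread."""
    os.makedirs(os.path.join(root, "Users", "Admin", "AppData"))
    for parts in (("Users", "Admin", "a.txt"),
                  ("Users", "Admin", "AppData", "b.log"),
                  ("pagefile.sys",)):
        with open(os.path.join(root, *parts), "w") as fh:
            fh.write("sample\n")
    # 'Documents and Settings' -> 'Users': a naive scanner sees every file twice.
    os.symlink(os.path.join(root, "Users"),
               os.path.join(root, "Documents and Settings"))
    # AppData\Local -> root: a naive link-following scanner builds an
    # ever-longer path and loops, as observed in the thread.
    os.symlink(root, os.path.join(root, "Users", "Admin", "AppData", "Local"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        found, links = scan_tree(tmp)
        print(f"{len(found)} files scanned once each, {len(links)} links skipped")
        for p in links:
            print("skipped link:", p)
```

Tracking directories by (device, inode) rather than by path is what makes the walk immune to revisiting the same folder through two different names; skipping reparse points before the directory check is what stops the path from growing without bound. Running the script prints 3 files scanned and 2 links skipped for the sample tree.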


  • I've found this article which raises a similar issue.

    I'm going to check I'm running the scanner as Administrator, but surely this is not such an uncommon scenario for this issue to have only been seen by me and the author of the linked post?

    As an aside...

    As pointed out by 'sjwk' this problem is not seen on Windows XP because the junction points that are causing the problem are only present in later versions of Windows. Their purpose I guess was to allow Microsoft to change the layout of the Windows folders while maintaining compatibility with applications originally developed for WinXP.

  • Hello Tom,

    I mapped a W2k8R2 server's disk (as Z: ) on a Win7 machine and running sav32cli Z: resulted (after a few minutes) in a pop up telling me that the program stopped working. Using Process Monitor I could see that it looped on the \Administrator\AppData\Local\ folder building an ever longer path (the first time I tried I didn't stop sav32cli or the Process Monitor in time and it just froze the machine). Just for fun I "loopback" mapped the Win7 C$ to Z (so it accessed its own C: as Z: ) with almost identical results - only it took less time until the pop up, well, popped up :). Guess it would be the same when scanning an attached Win7/W2k8 disk as the symlinks will also point to C:.

    As I didn't find a helpful undocumented switch I submitted this to Support [Edit: case #2723878, under investigation].

    Christian

  • Support called back with the results the other day and confirmed that a scan on a mapped drive (whether the disk is local or on a remote computer) containing Win7/W2k8 loops.

    Scanning a local disk works (should work) even though it follows the symlinks for "some time" and thus repeatedly scans the same area. I have done a few tests and it always finished within reasonable time. The -dn (display names) flag doesn't really help in determining whether it jumps to C: - it doesn't look like it. To make sure one would have to use the -ns (non-silent) switch, but this causes trouble as it is building very long paths while it "loops". For the same reason monitoring the file system requests can lead to crashes.

    There are (currently) no switches to control either behaviour - but, as I said, a scan on a local drive should finish. Thus you should be "able" to scan it with SAV32CLI without major problems.

    Christian
