RE: [Declude.Virus] F-Prot Switches
I just wanted to say thanks to everyone that shared their F-prot config and for the explanation of the switches. It was very helpful!! Mark ReimerIT Project ManagerAmerican CareSource214-596-2464 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of MattSent: Wednesday, March 29, 2006 2:45 PMTo: Declude.Virus@declude.comSubject: Re: [Declude.Virus] F-Prot SwitchesI think that in the context of scanning E-mail, where executables are normally banned, this switch has far less risk of a false positive. Generally, virus scanners in Declude are only run on executables and _javascript_, and most executables are in fact viruses. On a desktop or server, there are far more executables that could be legitimate and the extra heuristics might be unwanted.Mattmarc wrote: really rare information about the /AI Switch... just found this about "Neural network": http://www.f-prot.com/support/windows/fpwin_faq/17.html We will not use it, because increases the risk of false alarms. marc At 03:55 29.03.2006, you wrote: What is the value of the "AI" switch? I see it (and others related) explained on the F-Prot web site, but I don't understand why one would use it or not use it. Nor does it tell you what the default is. /HEUR - Uses heuristic scanning of files. /NOHEUR - Doesn't use heuristic scanning of files. /AI - Uses Neural network heuristic scanning of files. /NOAI - Doesn't use Neural network heuristic scanning of files. Original Message From: "Colbeck, Andrew" [EMAIL PROTECTED] Sent: Tuesday, March 28, 2006 11:53 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] F-Prot Switches #Dec-10-2004 AC Note that I've added 'ai' and 'packed' to the switches suggested in the manual. The noboot and nomem options # are not listed when you ask fpcmd.exe for help, but they are definitely in the logs. SCANFILED:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed /dumb /noboot /nomem /silent /report=report.txt Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer Sent: Tuesday, March 28, 2006 8:46 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot Switches After seeing Matt's response I'm curious what other users are using for their F-prot switches. Some of the switches Matt uses seem like they should be used but Declude does not include them in the config shown in their EVA manual. What do the majority of you all use? Mark Reimer IT Project Manager American CareSource 214-596-2464 --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. [Scanned for viruses by Declude] [Scanned for viruses by Declude] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] F-Prot Switches
really rare information about the /AI Switch... just found this about Neural network: http://www.f-prot.com/support/windows/fpwin_faq/17.html We will not use it, because increases the risk of false alarms. marc At 03:55 29.03.2006, you wrote: What is the value of the AI switch? I see it (and others related) explained on the F-Prot web site, but I don't understand why one would use it or not use it. Nor does it tell you what the default is. /HEUR - Uses heuristic scanning of files. /NOHEUR - Doesn't use heuristic scanning of files. /AI - Uses Neural network heuristic scanning of files. /NOAI - Doesn't use Neural network heuristic scanning of files. Original Message From: Colbeck, Andrew [EMAIL PROTECTED] Sent: Tuesday, March 28, 2006 11:53 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] F-Prot Switches #Dec-10-2004 AC Note that I've added 'ai' and 'packed' to the switches suggested in the manual. The noboot and nomem options # are not listed when you ask fpcmd.exe for help, but they are definitely in the logs. SCANFILED:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed /dumb /noboot /nomem /silent /report=report.txt Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer Sent: Tuesday, March 28, 2006 8:46 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot Switches After seeing Matt's response I'm curious what other users are using for their F-prot switches. Some of the switches Matt uses seem like they should be used but Declude does not include them in the config shown in their EVA manual. What do the majority of you all use? Mark Reimer IT Project Manager American CareSource 214-596-2464 --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. [Scanned for viruses by Declude] [Scanned for viruses by Declude] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot Switches
I think that in the context of scanning E-mail, where executables are normally banned, this switch has far less risk of a false positive. Generally, virus scanners in Declude are only run on executables and _javascript_, and most executables are in fact viruses. On a desktop or server, there are far more executables that could be legitimate and the extra heuristics might be unwanted. Matt marc wrote: really rare information about the /AI Switch... just found this about "Neural network": http://www.f-prot.com/support/windows/fpwin_faq/17.html We will not use it, because increases the risk of false alarms. marc At 03:55 29.03.2006, you wrote: What is the value of the "AI" switch? I see it (and others related) explained on the F-Prot web site, but I don't understand why one would use it or not use it. Nor does it tell you what the default is. /HEUR - Uses heuristic scanning of files. /NOHEUR - Doesn't use heuristic scanning of files. /AI - Uses Neural network heuristic scanning of files. /NOAI - Doesn't use Neural network heuristic scanning of files. Original Message From: "Colbeck, Andrew" [EMAIL PROTECTED] Sent: Tuesday, March 28, 2006 11:53 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] F-Prot Switches #Dec-10-2004 AC Note that I've added 'ai' and 'packed' to the switches suggested in the manual. The noboot and nomem options # are not listed when you ask fpcmd.exe for help, but they are definitely in the logs. SCANFILED:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed /dumb /noboot /nomem /silent /report=report.txt Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer Sent: Tuesday, March 28, 2006 8:46 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot Switches After seeing Matt's response I'm curious what other users are using for their F-prot switches. Some of the switches Matt uses seem like they should be used but Declude does not include them in the config shown in their EVA manual. What do the majority of you all use? Mark Reimer IT Project Manager American CareSource 214-596-2464 --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. [Scanned for viruses by Declude] [Scanned for viruses by Declude] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] F-Prot Switches
#Dec-10-2004 AC Note that I've added 'ai' and 'packed' to the switches suggested in the manual. The noboot and nomem options # are not listed when you ask fpcmd.exe for help, but they are definitely in the logs. SCANFILED:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed /dumb /noboot /nomem /silent /report=report.txt Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer Sent: Tuesday, March 28, 2006 8:46 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot Switches After seeing Matt's response I'm curious what other users are using for their F-prot switches. Some of the switches Matt uses seem like they should be used but Declude does not include them in the config shown in their EVA manual. What do the majority of you all use? Mark Reimer IT Project Manager American CareSource 214-596-2464 --- [This E-mail has been scanned for viruses] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot Switches
Hi Mark, Mark Reimer wrote: After seeing Matt's response I'm curious what other users are using for their F-prot switches. here are mine: SCANFILE1e:\Progra~1\FSI\F-Prot\fpcmd.exe /ARCHIVE=5 /DUMB /NOBOOT /NOMEM /PACKED /SERVER /SILENT /TYPE /REPORT=report.txt VIRUSCODE13 VIRUSCODE16 VIRUSCODE18 VIRUSCODE19 VIRUSCODE110 REPORT1Infection: #2 SCANFILE2e:\mcafee\scan.exe /ALL /ANALYZE /MAILBOX /MIME /NOBEEP /NOBOOT /NOBREAK /NODDA /NOMEM /PROGRAM /SILENT /UNZIP /REPORT report.txt VIRUSCODE213 REPORT2Found #3 SCANFILE3c:\clamav-devel\bin\clamdscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt VIRUSCODE31 -Nick --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot Switches
SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /PACKED /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt marc At 18:46 28.03.2006, you wrote: After seeing Matt's response I'm curious what other users are using for their F-prot switches. Some of the switches Matt uses seem like they should be used but Declude does not include them in the config shown in their EVA manual. What do the majority of you all use? Mark Reimer IT Project Manager American CareSource 214-596-2464 --- [This E-mail has been scanned for viruses] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. [Scanned for viruses by Declude] [Scanned for viruses by Declude] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot Switches
SCANFILE C:\f-prot_windows\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /PACKED /NOBOOT /DUMB /REPORT=report.txt Regards Mario Antonio - Original Message - From: Mark Reimer [EMAIL PROTECTED] To: Declude.Virus@declude.com Sent: Tuesday, March 28, 2006 11:46 AM Subject: [Declude.Virus] F-Prot Switches After seeing Matt's response I'm curious what other users are using for their F-prot switches. Some of the switches Matt uses seem like they should be used but Declude does not include them in the config shown in their EVA manual. What do the majority of you all use? Mark Reimer IT Project Manager American CareSource 214-596-2464 --- [This E-mail has been scanned for viruses] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com. --- [This e-mail was scanned for viruses by our AntiVirus Protection System] --- [This e-mail was scanned for viruses by our AntiVirus Protection System] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] F-Prot Switches
If you take a look at the DOS version of F-Prot ftp://ftp.f-prot.com/pub/dos/fp-316b.zip you will find that it contains a file called COMMAND.TXT that seems to explain everything. I've attached it below: The command-line options F-PROT.EXE is usually run without any parameters and will then enter interactive mode, but if the /HARD option is used, or a drive, file or directory is specified, it will enter command-line mode. Syntax for command-line mode: F-PROT [drive, file or directory] [options] The available command-line options are /APPEND Appends the report to an existing file (Only used with /REPORT). /ARCHIVE=n Scans inside .ARJ, .CAB, .LZH and .ZIP archives. F-PROT currently supports only RAR archives created by RAR 2.5 and older - support for RAR 3.0 will be added soon. The parameter n specifies how many levels (archives inside archives) to scan. /AUTO May be specified with /DISINF, /DELETE or /RENAME so F-PROT will not request permission before rremoving each virus. /BEEP Produces an annoying beep when a virus is found. NOT recommended when scanning a virus collection. /COLLECT Assumes what is being scanned is a virus collection, where viruses might be found in abnormal locations. In particular, selecting this option will enable detection of file images of boot sector viruses. This switch also provides the same features as the old /GURU option. Note that using /COLLECT will slow down the scan. /DELETE Deletes infected files. /DISINF Disinfects whenever possible. It is possible to specify the following combinations of switches: /DISINF /DELETE Disinfects when possible, otherwise deletes infected files. /DISINF /RENAME Disinfects when possible, otherwise attempts to rename infected COM/EXE files to VOM/VXE. /DISINF /RENAME /DELETE Disinfects when possible, otherwise attempts to rename infected COM/EXE files to VOM/VXE, but if that fails the files are deleted. /DUMB Does a dumb scan of all files. This option is often not necessary, and /TYPE can be used instead. The only cases where it might be needed are the following: If you are scanning a virus collection, where infected files have non-standard extensions, such as .VOM instead of .COM, they will not be scanned for viruses, unless this switch is specified. If you are cleaning up a virus infection you should use this switch. /EXT By default F-PROT will open every file and try to determine its type, so it will for example scan Word files, even if they do not use a DOC/DOT extension. By using /EXT the scanning can be speeded up slightly as F-PROT will then only scan files with default extensions. /FREEZE Freezes the program if a virus is found anywhere. /HARD Scans all files on all hard disks in the computer. /HELP Displays the list of command-line options. /INTER Forces the program to enter interactive mode, even when a path, directory or file name is given on the command line. /LIST Lists all files that are scanned. /LOADDEF Load the DEF files into memory. /NOBOOT Does not scan boot sectors. /NOBREAK Disables ESC and ^C during scanning. /NOFILE Does not scan files. Only useful if you cleaning up a boot sector infection and do not want to spend unnecessary time scanning files. /NOFLOPPY For use on systems without floppy drives. /NOHEUR Version 3 has a smaller, more reliable set of heuristics than version 2, but they are enabled by default, unlike version 2. This option allows you to turn the heuristics off. /NOMEM Does not scan memory for viruses. Not recommended, unless you are absolutely certain that no viruses are present in memory. /NOSUB Does not scan subdirectories. /PACKED Scans inside various types of compressed executables (PKLITE for example), by emulating the execution of the decompressor. As this option can slow the scan down significantly, we only recommend using it when scanning new software before installation. /PAGE Pauses after each page (command-line mode only). /REMOVEALL Removes all macros from all documents. Useful if you encounter a new macro virus, and you know that the document did not contain any macros before it got infected. /REMOVENEW If a new variant of a macro virus is found in a document, all macros are removed from that particular document. /RENAME Renames infected COM/EXE files to VOM/VXE. If files with those extensions already exist, .VVV is used instead. Infected document files are not renamed, as that would be pointless - they would be equally infectious afterwards. /REPORT=file Sends the output to a file, in addition to displaying it on the screen. /SAFEREMOVE Removes all macros from documents, if a known virus is found. /SERVER Enable mail-server heuristics. Will for example complain about encrypted executables inside archives. /SILENT Does not generate any screen output (command-line mode only). /TYPE Scan every file, but skip those which do not seem
RE: [Declude.Virus] F-Prot Switches
What is the value of the AI switch? I see it (and others related) explained on the F-Prot web site, but I don't understand why one would use it or not use it. Nor does it tell you what the default is. /HEUR - Uses heuristic scanning of files. /NOHEUR - Doesn't use heuristic scanning of files. /AI - Uses Neural network heuristic scanning of files. /NOAI - Doesn't use Neural network heuristic scanning of files. Original Message From: Colbeck, Andrew [EMAIL PROTECTED] Sent: Tuesday, March 28, 2006 11:53 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] F-Prot Switches #Dec-10-2004 AC Note that I've added 'ai' and 'packed' to the switches suggested in the manual. The noboot and nomem options # are not listed when you ask fpcmd.exe for help, but they are definitely in the logs. SCANFILED:\F-Prot\fpcmd.exe /ai /server /archive=5 /packed /dumb /noboot /nomem /silent /report=report.txt Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer Sent: Tuesday, March 28, 2006 8:46 AM To: Declude.Virus@declude.com Subject: [Declude.Virus] F-Prot Switches After seeing Matt's response I'm curious what other users are using for their F-prot switches. Some of the switches Matt uses seem like they should be used but Declude does not include them in the config shown in their EVA manual. What do the majority of you all use? Mark Reimer IT Project Manager American CareSource 214-596-2464 --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
