
API into virus programs


John Callicotte

Jan 13, 2000, 3:00:00 AM
I am trying to find out if it is possible to use a virus program's engine
with a third party executable. For example, in my C++ program I want to
"call" VirusScan or AntiVirus, give it a file name and find out if it has a
virus or not. Is this possible? I know that McAfee has a DOS program
called SCAN.EXE which will allow you to do this, but there seems to be some
confusion (coming from McAfee) whether or not this uses the extra.dat file.
I would prefer to use the Symantec product since they have better technical
support, but McAfee will work as well.

Thanks in advance.

John Callicotte
Saillant Consulting Group

Arthur Kopp

Jan 13, 2000, 3:00:00 AM

Based upon my experience evaluating DOS scanners, I suggest that you
consider SCANPM.EXE rather than SCAN.EXE. SCANPM requires six .DAT
files including CLEAN, MESSAGES, NAMES, INTERNET, LICENSE and SCAN.

Art

Arthur Kopp

Jan 13, 2000, 3:00:00 AM
On Thu, 13 Jan 2000 16:55:40 GMT, "John Callicotte"
<john.ca...@saillant.com> wrote:

>I am trying to find out if it is possible to use a virus program's engine
>with a third party executable.

BTW, I got curious about this and just tried out my old QB4.5 with its
Shell command (invoking a child process) and it worked fine using
SCANPM from v. 4.X NAI. There is no doubt that what you are trying to
do is quite feasible.

Art

Me

Jan 13, 2000, 3:00:00 AM
So, what is the behavior associated with SCANPM when it finds a file that has a
virus? I don't happen to have any virus-infected files on me at the moment....

Thanks for your reply. I'll look into it.

John

In article <387e10f7...@news.mindspring.com>, art...@mindpring.com
says...

Randy Abrams

Jan 13, 2000, 3:00:00 AM

Me <y...@somehost.somedomain> wrote in message
news:TBpf4.1661$uI1....@typhoon2.kc.rr.com...

> So, what is the behavior associated with SCANPM when it finds a file that
> has a virus? I don't happen to have any virus-infected files on me at the
> moment....
>
> Thanks for your reply. I'll look into it.
>
> John
>

The eicar test file will do quite nicely for you. You can discover the
behavior and don't need to mess around with a live virus.

Just copy the text below and paste it into a plain text file. Conventionally
it is named eicar.com, but you can name it anything you wish.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Regards,

Randy

--
The opinions expressed in this message are my own personal views
and do not reflect the official views of the Microsoft Corporation.

Arthur Kopp

Jan 13, 2000, 3:00:00 AM
On Thu, 13 Jan 2000 19:22:27 GMT, y...@somehost.somedomain (Me) wrote:

>So, what is the behavior associated with SCANPM when it finds a file that has a
>virus? I don't happen to have any virus-infected files on me at the moment....

Well, Randy has made a good suggestion of using the eicar test file.
Execute SCANPM /? to get a list of normal options including the
command to generate a text file. The program will output info to the
console (screen) in any event. I don't know off hand if Scanpm also
produces codes which can be used by batch files as some av scanners
do. Never played with that aspect.

>Thanks for your reply. I'll look into it.

Seems like a fun project :)

Art
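As an added example, not code from anyone in the thread: a small C++ wrapper in the spirit of what the original poster asked for. It writes the EICAR test string quoted above to a file, hands the path to a command-line scanner run as a child process (the same idea as Art's QB4.5 Shell experiment), and reads back the exit status and console output. The scanner command and the exit code that means "virus found" are placeholders, since the thread does not state SCANPM's codes.

```cpp
#include <cstdio>     // popen, pclose, fgets, printf
#include <cstdlib>    // atoi
#include <fstream>
#include <string>
#ifndef _WIN32
#include <sys/wait.h> // WIFEXITED, WEXITSTATUS
#endif

// The EICAR test string from the thread. Its only "payload" is this text,
// so it stands in for an infected file while the wrapper is being tested.
const std::string kEicar =
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

struct ScanResult {
    int exit_code;       // child's exit status, or -1 if it could not be run
    std::string output;  // everything the scanner printed to its console
};

enum class Verdict { Clean, Infected, Error };

// Write `data` to `path` as a binary file (no trailing newline added).
bool write_file(const std::string& path, const std::string& data) {
    std::ofstream f(path, std::ios::binary);
    if (!f) return false;
    f.write(data.data(), static_cast<std::streamsize>(data.size()));
    return static_cast<bool>(f);
}

// Run `scanner` as a child process with `path` as its argument and capture
// what it prints (stderr folded into stdout). Assumes `path` contains no
// single quotes; on Windows the calls are _popen/_pclose instead.
ScanResult run_scanner(const std::string& scanner, const std::string& path) {
    ScanResult r{-1, ""};
    std::string cmd = scanner + " '" + path + "' 2>&1";
    FILE* pipe = popen(cmd.c_str(), "r");
    if (!pipe) return r;
    char buf[256];
    while (fgets(buf, sizeof buf, pipe)) r.output += buf;
    int status = pclose(pipe);
#ifdef _WIN32
    r.exit_code = status;
#else
    r.exit_code = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
#endif
    return r;
}

// Translate the exit status into a verdict. `infected_code` is whatever the
// vendor documents for "virus found" (placeholder: the thread does not give
// SCANPM's value; check `SCANPM /?` or the manual). 0 is taken as clean and
// anything else as a scanner error, so an unknown code is never read as clean.
Verdict interpret(const ScanResult& r, int infected_code) {
    if (r.exit_code == infected_code) return Verdict::Infected;
    if (r.exit_code == 0) return Verdict::Clean;
    return Verdict::Error;
}

// Stand-alone use: ./scanwrap '<scanner command>' <infected exit code>
int main(int argc, char** argv) {
    if (argc < 3) {
        std::fprintf(stderr, "usage: %s '<scanner command>' <infected-code>\n", argv[0]);
        return 2;
    }
    const std::string path = "eicar.com";  // conventional name from the thread
    if (!write_file(path, kEicar)) return 2;
    ScanResult r = run_scanner(argv[1], path);
    std::printf("%s", r.output.c_str());
    switch (interpret(r, std::atoi(argv[2]))) {
        case Verdict::Infected: std::puts("verdict: infected"); return 1;
        case Verdict::Clean:    std::puts("verdict: clean");    return 0;
        default:                std::puts("verdict: scanner error"); return 2;
    }
}
```

The wrapper reads only the exit status and console text; whether the scanner renamed or removed the file (the .vom rename reported later in the thread) is something the caller checks by inspecting the path afterwards.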

Nick FitzGerald

Jan 14, 2000, 3:00:00 AM
John Callicotte <john.ca...@saillant.com> wrote:

> I am trying to find out if it is possible to use a virus program's engine
> with a third party executable. For example, in my C++ program I want to
> "call" VirusScan or AntiVirus, give it a file name and find out if it has
> a virus or not. Is this possible? I know that McAfee has a DOS program
> called SCAN.EXE which will allow you to do this, but there seems to be
> some confusion (coming from McAfee) whether or not this uses the extra.dat
> file. I would prefer to use the Symantec product since they have better
> technical support, but McAfee will work as well.

Does performance matter?

Does cost?

What platforms does it have to run on?

Several vendors have DLL versions of their scanners and/or
SDKs. If looking for a solely Win32-hosted solution, you
should find that both these offer lower overhead and
(probably) better long-term stability.


--
Nick FitzGerald

Me

Jan 14, 2000, 3:00:00 AM
Well, I am using McAfee now since that is what the client has decided to use.
When I run SCAN.EXE on the eicar.com file it renames it to eicar.vom. Is the
behavior that I can expect on every infected file or is this just a special
case with eicar.com? Sorry to be so dense, but without a real virus-infected
file it's hard to predict behavior.

John

In article <387e2f01...@news.mindspring.com>, art...@mindpring.com
says...

sop...@cix.compulink.co.uk

Jan 14, 2000, 3:00:00 AM
In article <gsnf4.1649$uI1....@typhoon2.kc.rr.com>,
john.ca...@saillant.com (John Callicotte) wrote:

> I am trying to find out if it is possible to use a virus program's
> engine with a third party executable.

Sophos produce an API called SAVI (Sophos Anti-Virus Interface). This
has proven very popular with companies who want to integrate anti-virus
into their products and services, yet still be easy to keep up to date for
the very latest virus protection.

If you're a single user it probably is not appropriate but if you want to
know more you could do worse than call one of the Sophos offices
(telephone numbers below).

--
Graham Cluley, Senior Technology Consultant, Sophos Anti-Virus
email: gcl...@sophos.com http://www.sophos.com
US Support: +1 888 SOPHOS 9 UK Support: +44 1235 559933

Arthur Kopp

Jan 14, 2000, 3:00:00 AM
On Fri, 14 Jan 2000 13:46:59 GMT, y...@somehost.somedomain (Me) wrote:

>Well, I am using McAfee now since that is what the client has decided to use.
>When I run SCAN.EXE on the eicar.com file it renames it to eicar.vom. Is the
>behavior that I can expect on every infected file or is this just a special
>case with eicar.com? Sorry to be so dense, but without a real virus-infected
>file it's hard to predict behavior.

I think the whole idea of the Eicar test file is to negate the need
for actual viruses in many or most such testing situations. If you are
itching and determined you will find actual viruses but I follow the
lead of some regulars here who discourage the spread and dissemination
of the damn things.

Art

Randy Abrams

Jan 14, 2000, 3:00:00 AM

Me <y...@somehost.somedomain> wrote in message
news:nNFf4.3046$Mp2....@typhoon2.kc.rr.com...

> Well, I am using McAfee now since that is what the client has decided to
> use. When I run SCAN.EXE on the eicar.com file it renames it to eicar.vom.
> Is the behavior that I can expect on every infected file or is this just a
> special case with eicar.com? Sorry to be so dense, but without a real
> virus-infected file it's hard to predict behavior.
>

It's not dense, it's called learning. This is the behavior you can expect
for all infected files that can not be cleaned. There are some viruses that
can not be restored with anti-virus software because they have altered the
file in addition to adding their code to it, or they have written their code
over the file's code. If a virus only adds code to a file then it usually
can be restored (cleaned or disinfected) with AV software. Try naming
eicar.com to eicar.exe, eicar.doc, eicar.xls, and eicar.dll and you can
observe how the scanners treat these extensions. You have already learned
that it will take a com file and rename it to vom.

What the scanner does with a file that can be cleaned will depend upon your
settings. If you choose "Clean" or "Disinfect" then the scanner will do so
without renaming the file when it can handle the virus in question. If you
choose "delete", it will toast it!

One final note. If testing with the eicar file is still challenging for you,
might I submit that you are not yet ready to use a live virus in your
testing. You should learn a lot more about viruses and the behaviors of
virus scanners before you begin testing with the live ones. If or when you
do use live viruses, please make sure that you have an isolated machine. If
you are going to test with boot sector viruses then make sure you know how
to handle ones that survive fdisk and format before you start.

One final test. Try putting eicar.com into a zip file and see what your
scanner does. Try different configurations for your scanner. You have a lot
to learn about your scanner with the eicar file before you'll ever require a
live virus. Note, that naming an eicar test file eicar.zip is not the same
as putting one into a zip file.

Regards,

Randy

Raid Slam

Jan 14, 2000, 3:00:00 AM
In article <85na4d$5ki$1...@plutonium.compulink.co.uk>,
sop...@cix.compulink.co.uk wrote:

> (telephone numbers below).
> --
> Graham Cluley, Senior Technology Consultant, Sophos Anti-Virus
> email: gcl...@sophos.com http://www.sophos.com
> US Support: +1 888 SOPHOS 9 UK Support: +44 1235 559933

You might not want to take this person's advice however.
I was browsing the web the other day when I ran across two articles
(which I've kept local copies of) where Mr Cluley lies to a reporter,
and as a result, to the general public as well. All under the guise of
"antivirus expert".

http://www.coderz.net/Raid/article1.htm and article2.htm respectively.
In numerous instances, Graham misleads the reporter by claiming that I
had spread the virus known as Toadie. I've maintained from the very
beginning that I didn't spread it, and no one has come up with proof to
the contrary...

Graham went on to say how I had been deleting msgs from deja.com.
Again, a lie. I've never deleted ANY msgs from ANY newsgroups. Only
repeat msgs when my newsclient messed up, and sent 10-20 copies of the
SAME msg.

To take Graham's misleading advice on anything is a foolhardy thing to
do. Sophos is a fool for hiring such a misleading bastard.

Graham is truly more qualified to flip burgers. Expert my ass.

Regards,
Raid [SLAM]



sop...@cix.compulink.co.uk

Jan 14, 2000, 3:00:00 AM
In article <2750ac20...@usw-ex0102-015.remarq.com>,
soho20N...@hotmail.com.invalid (Raid Slam) wrote:

> You might not want to take this person's advice however.
> I was browsing the web the other day when I ran across two articles
> (which I've kept local copies of) where Mr Cluley lies to a reporter,

Hi Raid

Did you know I wrote to that particular reporter (and his editor, Richard
Barry) complaining about those articles at the time? I also complained
that they had made up some stuff that I never said. The complaints went
on for some time, and despite promises from the reporter and his editor,
they never corrected the story to my satisfaction. Maybe they liked their
version of the story more because it was more sensational.

Fortunately for me my colleague Paul Ducklin (and other staff from Sophos)
were in the same room as me when I spoke to the reporter, and they
recalled what I really said.

For the record though, I do disapprove of your virus distribution.

Randy Abrams

Jan 14, 2000, 3:00:00 AM
Quoted post below.

You may wish to consider Raid's motive in giving you advice not to take Graham
Cluley's advice.

Raid claims to intend to cause people harm. Raid claims that his virus
writing serves to cause harm.

Here's a juicy quote from ol' Raid: "Most people really aren't too offly
bright, so whats the harm if I exploit them for what they are? Useless
imbreeds."

So what do you think the point of his advice is?? Perhaps exploiting you???
So, when you read the post below, be sure to take into account the motives
of the author.

Regards,

Randy
--
The opinions expressed in this message are my own personal views
and do not reflect the official views of the Microsoft Corporation.


Raid Slam <soho20N...@hotmail.com.invalid> wrote in message
news:2750ac20...@usw-ex0102-015.remarq.com...


> In article <85na4d$5ki$1...@plutonium.compulink.co.uk>,
> sop...@cix.compulink.co.uk wrote:
>
> > (telephone numbers below).

> > --
> > Graham Cluley, Senior Technology Consultant, Sophos Anti-Virus
> > email: gcl...@sophos.com http://www.sophos.com
> > US Support: +1 888 SOPHOS 9 UK Support: +44 1235 559933
>

> You might not want to take this person's advice however.
> I was browsing the web the other day when I ran across two articles
> (which I've kept local copies of) where Mr Cluley lies to a reporter,

kurt wismer

Jan 14, 2000, 3:00:00 AM
On Thu, 13 Jan 2000, Me wrote:

> So, what is the behavior associated with SCANPM when it finds a file that has a
> virus? I don't happen to have any virus-infected files on me at the moment....

that depends on what command line arguments you give it...

--
"bottom lip quivers, rage is so apparent
don't know whether to kill or cry
don't know whether to rebuild or to burn it
you don't know how just to say goodbye"


Me

Jan 14, 2000, 3:00:00 AM
Wow! What a generous response. Thanks a lot.

I understand (somewhat) how viruses are kicked off, so I'm not going to start
spreading them around on my machine. I appreciate the warning, anyway.

I think I have enough info now to do my job. Thanks again.

John

In article <u54du2qX$GA.229@cpmsnbbsa04>, ran...@microsoft.com says...

Raid Slam

Jan 14, 2000, 3:00:00 AM
In article <#nz51SrX$GA.276@cpmsnbbsa04>, "Randy Abrams"

<ran...@microsoft.com> wrote:
> Quoted post below.
> You may wish to consider Raid's motive in giving you advice not to
> take Graham Cluley's advice.

Nice try Randy.

I had no motive, no hidden agenda. I've emailed graham weeks ago asking
the same question regarding other news articles. He never responded to
them, so I decided to make it a public inquiry.

I didn't write the articles, and I didn't speak to the reporters. The
reports show graham in a bad light because those are his words, not
mine.

> Raid claims to intend to cause people harm. Raid claims that his
> virus writing serves to cause harm.

Which has nothing whatsoever to do with the post I made on this thread.

How am I causing graham harm by asking him why he bullshitted a
reporter? I have a right to ask those who accuse me, Don't I?

> So what do you think the point of his advice is?? Perhaps
> exploiting you???

Oh, that's a hell of a stretch. Just what am I going to exploit Randy?

> So, when you read the post below, be sure to take into account the
> motives of the author.

What motives Randy? I didn't write the news articles... So just what
motives do I have for wanting to know why he lied about me?

Raid Slam

Jan 14, 2000, 3:00:00 AM
In article
<AF29BEB7D832B7DD.24E637A4...@lp.airnews.net>,
TINLC#15...@utdallas.edu (Paul Schmehl) wrote:

> Which merely makes it an unproven statement, not a lie.

Uhm, no.

When you claim somebody has done something, and you have no proof to
verify this, you are lying. You may play word games and call it
"unproven" if you like. But what if I published that you were a child
molester or something in your news paper? Of course, we both know you
aren't, but would I then be lying about you? or simply making an
unproven statement?


> So......you *have* deleted messages, which makes his statement
> factual.

LoL. I went over this with Kurt once. I deleted COPIES of msgs, not
originals. Kurt was bent out of shape one evening over this, so when my
client crashed and sent 10-12 repeat posts, I left them all on here.
People whined about the wasted bandwidth, repeat msgs n all. But I
think it proved my point. :)


> Honesty and qualification have no correlation whatsoever. You, of
> all people, should understand that.


If you're in the spotlight so to speak, and you represent the "good
guys", then your qualification does come into question when you're
dishonest with your customers.

Raid Slam

Jan 14, 2000, 3:00:00 AM
In article <85nm3o$ene$1...@plutonium.compulink.co.uk>,
sop...@cix.compulink.co.uk wrote:

> Hi Raid

Hi Graham.

> Did you know I wrote to that particular reporter (and his editor,
> Richard Barry) complaining about those articles at the time? I also
> complained that they had made up some stuff that I never said.

Oh? How odd, that they would twist your words on you. I suppose the
other articles I've collected are all not your own words, but it's a
conspiracy to make you look bad right Graham? You'll excuse me if I
think you're full of shit.

Want copies of the other news reports Graham? I'd be happy to forward
them to anybody who's curious.

> The complaints went on for some time, and despite promises from the
> reporter and his editor, they never corrected the story to my
> satisfaction.

I find it odd that he wouldn't report the story as his "antivirus
expert" had told it. He emailed me several times as well. I did the
right thing, and told him to go fuck himself. But, I'll forward a copy
of your reply to him, I'd like to see what the reporter has to say
about it.


> Maybe they liked their version of the story more because it was more
> sensational.

Yea, sensation sells software, Antivirus software. Scare the users,
profits go up. Funny tho, weren't you bitching recently about NAI and
norton pulling the same shit? :)


> Fortunately for me my colleague Paul Ducklin (and other staff from
> Sophos) were in the same room as me when I spoke to the reporter, and
> they recalled what I really said.

And you really said what now?

Remember, I've got other news articles not written by zdnet or that
reporter which say the same thing, your words.

> For the record though, I do disapprove of your virus distribution.

For the record Graham,
I don't give a fuck what you think. I just "disapprove" of your bs
tactics.

ham...@cix.compulink.co.uk

Jan 14, 2000, 3:00:00 AM
soho20N...@hotmail.com.invalid (Raid Slam) wrote:

> I find it odd that he wouldn't report the story as his "antivirus
> expert" had told it. He emailed me several times as well. I did the
> right thing, and told him to go fuck himself. But, I'll forward a copy
> of your reply to him, I'd like to see what the reporter has to say
> about it.

Feel free to contact him. I know what I said to him, I had colleagues in
the same room as me when I spoke to him - who heard what I said and were
as disgruntled as I was about what the guy reported, and I have copies of
the emails I sent him and his editor moaning about it.

But this was several months ago (long before you ever moaned about the
reports) and I've certainly got no interest in moaning any more to the
journalist in question. Maybe we'd have been more successful if we'd
both moaned about his reporting?

ham...@cix.compulink.co.uk

Jan 14, 2000, 3:00:00 AM
soho20N...@hotmail.com.invalid (Raid Slam) wrote:

> How am I causing graham harm by asking him why he bullshitted a
> reporter?

When did I "bullshit" a reporter? Can you be specific? Clearly you're
upset - so let's try and get to the bottom of precisely what you're upset
about.

ham...@cix.compulink.co.uk

Jan 14, 2000, 3:00:00 AM
soho20N...@hotmail.com.invalid (Raid Slam) wrote:

> I find it odd that he wouldn't report the story as his
> "antivirus expert" had told it.

It's a long time ago now, but sometimes journalists don't report things
entirely accurately. For instance, I spoke to loads of journalists prior
to Y2K and told them there was no Y2K virus problem. Many of them chose
not to quote me, and just quote the people who said there was impending
doom (makes for a better story, see).

Then you get one better. I was quoted on the front page of the Financial
Times just before Y2K. But what's curious is that that journalist who
wrote the Financial Times story had *never* spoken to me. Which is a
shame because I could have given her a much more interesting story if she
had bothered. Instead she took one sentence out of my "Is there a Y2K
virus problem?" white paper out of complete and utter context. To give
her credit it must have taken her hours to choose such a juicy quote from
my paper!

Later, other newspapers and magazines (who had obviously read the
Financial Times) also quoted me without speaking to me!! They just used
the same quote the FT had lifted out of context from my Y2K white paper.

Maybe you don't have much experience of the media, Raid. I do. And I'm
afraid that on some occasions something goes wrong and what the journalist
writes isn't always the real story. In the case you're moaning about I
immediately complained to the journalist and his editor - but they chose
not to correct the story to my satisfaction. Well, that's their choice
and I made a mental note for the future.

I emailed the woman who wrote the story on the front page of the Financial
Times quoting me, suggesting that it was a shame she hadn't actually found
the time to speak to me as I would have given her a far more interesting
story. Guess what? No reply from her either. Maybe she felt bad about
it.

Welcome to the wonderful world of media relations. Normally it goes
smoothly - but sometimes something goes a bit skewiff. And it's not
always the quoted person's fault.

Randy Abrams

Jan 14, 2000, 3:00:00 AM

Raid Slam <soho20N...@hotmail.com.invalid> wrote in message
news:09920fb9...@usw-ex0102-015.remarq.com...

> In article <#nz51SrX$GA.276@cpmsnbbsa04>, "Randy Abrams"
> <ran...@microsoft.com> wrote:
> > Quoted post below.
> > You may wish to consider Raid's motive in giving you advice not to
> > take Graham Cluley's advice.
>
> Nice try Randy.
>
> I had no motive, no hidden agenda. I've emailed graham weeks ago asking
> the same question regarding other news articles. He never responded to
> them, so I decided to make it a public inquiry.

Telling people not to trust Graham and a public inquiry are two entirely
different things. I've re-read your entire post. Not one inquiry.

<snip>


> > Raid claims to intend to cause people harm. Raid claims that his
> > virus writing serves to cause harm.
>
> Which has nothing whatsoever to do with the post I made on this thread.

It most certainly does. You are advising people. When someone who claims to
want to harm me offers me advice I certainly will not accept it as the
gospel truth. Would you???

> How am I causing graham harm by asking him why he bullshitted a

> reporter? I have a right to ask those who accuse me, Don't I?

I didn't say you were trying to cause Graham harm. I merely advised that the
advice in your post comes from someone who wishes to do people harm.
Wouldn't you want to know right up front if someone who had it in for you
was offering you advice?

> > So what do you think the point of his advice is?? Perhaps
> > exploiting you???
>
> Oh, that's a hell of a stretch. Just what am I going to exploit Randy?

Trust.

> > So, when you read the post below, be sure to take into account the
> > motives of the author.
>
> What motives Randy? I didn't write the news articles... So just what
> motives do I have for wanting to know why he lied about me?
>

If you want to know why he "lied" about you, then I would suggest asking.
The post you made does not ask Graham why he "lied" to you. The post you
made advises people that a person who claims to wish to harm them thinks
they shouldn't trust Graham.

Regards,

Randy
--

Dalton

Jan 14, 2000, 3:00:00 AM
>>>>>Feel free to contact him. I know what I said to him, I had colleagues
in the same room as me when I spoke to him - who heard what I said and were
as disgruntled as I was about what the guy reported, and I have copies of
the emails I sent him and his editor moaning about it.
<<<<<<<<<<<<<

That's the press all over, they're not fussy, they will shaft VX and AV alike
if it sells papers.. =]

Dalt

Raid Slam

Jan 15, 2000, 3:00:00 AM
In article
<D76C4D219ACCA95A.56620402...@lp.airnews.net>,
TINLC#15...@utdallas.edu (Paul Schmehl) wrote:

> You obviously have never dealt with the press......

No? Try finding a copy of the Sept 16th, 1999 issue of Rolling Stones
magazine.

Or try reading any number of media reports about me. I hate the media,
yet I still get contacted by them when "virus breakouts" occur.

kurt wismer

Jan 16, 2000, 3:00:00 AM
On Fri, 14 Jan 2000, Raid Slam wrote:

> In article
> <AF29BEB7D832B7DD.24E637A4...@lp.airnews.net>,


> TINLC#15...@utdallas.edu (Paul Schmehl) wrote:
>
> > Which merely makes it an unproven statement, not a lie.
>
> Uhm, no.
>
> When you claim somebody has done something, and you have no proof to
> verify this, you are lieing.

no, if you claim something is a fact when you know it is a falsehood, then
you are lying... he would have to know for a fact that you didn't spread
them and there's really no way for him to know that... otherwise it's just
conjecture...

> You may play word games and call it
> "unproven" if you like. But what if I published that you were a child
> molester or something in your news paper?

that would be libelous and if he could prove what you were saying was
untrue he might be able to get most of your worldly possessions in a court
battle...

you could try the same thing with graham, but first you'd have to prove he
actually said those things (and he's already claimed he didn't and has
witnesses, and it's not like the media has the greatest track record in
this area)... you'd also have to expose your identity...
