Malformed containers are deleted although the action in Command Line Scanner is set to ‘-onerror leave’

Article:TECH150023  |  Created: 2011-01-23  |  Updated: 2011-01-27  |  Article URL http://www.symantec.com/docs/TECH150023
Article Type
Technical Solution

Subject

Issue



You are using Command Line Scanner (a command-driven tool to scan files) and notice that files are deleted even though you are using the parameter -onerror with a value of 'leave'.
 


Environment



Command Line Scanner (ssecls.exe) is installed when you install Symantec Scan Engine (SSE).
Command Line Scanner is an API that lets you use the Symantec Scan Engine service (symcscan.exe) for scanning files.
 


Cause



This is caused by the default action for the antivirus scanning mode.
If you do not specify a scanning mode (using the parameter '-mode' and a value), the scan policy defaults to scanrepairdelete.
Command Line Scanner tries to repair infected (violating) files, but if files cannot be repaired they are deleted by the Command Line Scanner.

The parameter ‘-onerror’ does not relate to an action for a scan error but to what should happen if the Command Line Scanner has a problem attempting to replace an infected file. 

The parameter ‘-onerror’ is applied later in the scanning process.
If a scan error occurs, the configured action for antivirus scanning is applied.
If that action is delete, there is no longer a file to which to apply the ‘-onerror’ setting (should that be necessary).

 

 


Solution



The solution is to set the antivirus scanning parameter to

-mode scan

or

-mode scanrepair

 

In the first case the file is scanned but no repair is attempted.
In the second case the file is not deleted if the repair fails.


Supplemental Materials

Description

More about the -mode and the -onerror parameters:

-mode
Optionally override the default antivirus scanning mode. The scanning modes that you can select are as follows:
• scanrepairdelete: If you do not specify a scanning mode, the scan policy defaults to scanrepairdelete. Symantec Scan Engine tries to repair infected files. Files that cannot be repaired are deleted. This is the recommended setting.
• scan: Files are scanned, but no repair is attempted. Infected files are not deleted.
• scanrepair: Symantec Scan Engine tries to repair infected files. Files that cannot be repaired are not deleted.

-onerror
Specify the disposition of a file that has been modified (repaired) by Symantec Scan Engine when an error occurs in replacing the file.
The default setting is to delete the file. You can specify one of the following:
• leave: The original (infected, violating) file is left in place.
• delete: The original (infected, violating) file is deleted, even though the replacement data is unavailable.
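To find existing scan scripts affected by this behavior, the following added example (not Symantec code) audits ssecls command lines for '-onerror leave' combined with a mode that can still delete files. The sample command lines, the paths in them, and the function names are constructed for illustration; only the option names, values, and defaults come from this article.

```python
import shlex

# Defaults documented in this article: no -mode means scanrepairdelete,
# no -onerror means delete.
DEFAULT_MODE = "scanrepairdelete"
DEFAULT_ONERROR = "delete"
NON_DELETING_MODES = {"scan", "scanrepair"}


def effective_options(command_line):
    """Return (mode, onerror) for one command line, applying the defaults."""
    # posix=False keeps Windows backslashes in paths intact.
    tokens = shlex.split(command_line, posix=False)
    opts = {"-mode": DEFAULT_MODE, "-onerror": DEFAULT_ONERROR}
    for i, tok in enumerate(tokens[:-1]):
        key = tok.lower()  # case folded for matching only (assumption)
        if key in opts:
            opts[key] = tokens[i + 1].strip("\"'").lower()
    return opts["-mode"], opts["-onerror"]


def audit(command_lines):
    """List (line number, effective mode) for invocations that request
    '-onerror leave' but run in a mode that is not scan or scanrepair."""
    findings = []
    for n, line in enumerate(command_lines, start=1):
        if "ssecls" not in line.lower():
            continue
        mode, onerror = effective_options(line)
        # Unrecognised mode values are flagged too, to be conservative.
        if onerror == "leave" and mode not in NON_DELETING_MODES:
            findings.append((n, mode))
    return findings


# Constructed sample script lines (hypothetical paths).
SAMPLE_SCRIPT = [
    r'ssecls.exe -onerror leave "C:\incoming\upload.zip"',
    r"ssecls.exe -mode scanrepair -onerror leave C:\incoming",
    r"ssecls.exe -mode scanrepairdelete -onerror leave C:\incoming",
    r"ssecls.exe -mode scan C:\incoming",
    r"echo scan finished",
]

if __name__ == "__main__":
    for line_no, mode in audit(SAMPLE_SCRIPT):
        print(f"line {line_no}: '-onerror leave' with mode {mode}; "
              "files that cannot be repaired are still deleted")
```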
 

 

 



