Malformed containers are deleted although the action in Command Line Scanner is set to ‘-onerror leave’
|Article:TECH150023|||||Created: 2011-01-23|||||Updated: 2011-01-27|||||Article URL http://www.symantec.com/docs/TECH150023|
You are using Command Line Scanner (a command driven tool to scan files) and notice that files are deleted even though you are using the parameter –onerror with a value of 'leave'.
Command Line Scanner (ssecls.exe) is installed when you install Symantec Scan Engine (SSE).
Command Line Scanner is an API that lets you use the Symantec Scan Engine service (symcscan.exe) for scanning files.
This is caused by the default action for the antivirus scanning mode.
If you do not specify a scanning mode (using the parameter '-mode' and a value), the scan policy defaults to scanrepairdelete.
Command Line Scanner tries to repair infected (violating) files, but if files cannot be repaired they are deleted by the Command Line Scanner.
The parameter ‘-onerror’ does not relate to an action for a scan error but to what should happen if the Command Line Scanner has a problem attempting to replace an infected file.
The parameter ‘-onerror’ is applied later in the scanning process.
If a scan error occurs, the configured action for antivirus scanning is applied.
If that action is delete there is no longer a file to which to apply the ‘-onerror’ setting (should that be necessary).
The solution is to set the antivirus scanning parameter to
In the first case the file is scanned but no repair is attempted.
In the second case the file is not deleted if the repair fails.
More about the -mode and the -onerror parameters:
Article URL http://www.symantec.com/docs/TECH150023