Run complete anti virus scanning programmatically

  • Question

  •  

    I need to run programmatically a complete OneCare virus scanning. Is there a script or some function or method I can use to accomplish this?

    I am programming a win32 console application that will wake up my Vista PC during the night and perform some tasks and I want to add a OneCare complete scanning to the other tasks. To be more clear I want to run programmatically the same complete anti virus scanning I can launch manually through the OneCare main interface dialogue.

    Thank you for helping me.

    Best regards

    Michele

    P.S: I don't want to use the internal OneCare anti-virus scheduling

    Saturday, June 21, 2008 1:57 PM

Answers

  • I believe that the following will work:

    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\mpcmdrun.exe scan -2

    If you open a command prompt and type mpcmdrun with no options, it lists the available options. In the above example, Scan is one option and "-2" means a full scan, while "-1" means a quick scan only.

    -steve

    Monday, June 23, 2008 5:56 PM
    Moderator

All replies

  • Thanks a lot Steve.

    You gave me exactly what I was looking for.

    Thanks a lot for your time, you are very kind.

    Best regards

    Michele

     

    Monday, June 23, 2008 6:17 PM
  • You're welcome.

    I had never used the command line scan before, but it did appear to work. I think that you may need to execute it at the root of the drive you wish to scan, but I can't be sure. You may want to run your own tests as this command line interface is not documented anywhere that I can find.

    When I ran it in a command window, the scan completed fairly quickly, so I suspect it may have scanned only the directory within which I started it. There doesn't appear to be a facility to specify the target for a scan. If I can find some more information about this, I'll update the thread.

    -steve

     

    Monday, June 23, 2008 7:00 PM
    Moderator
  •  

    Hallo Steve.

    I had time to check the command utility you indicated me. Unfortunately, even running it directly from c:\, the task ended very quickly so, just like you, I think that this utility is not the same as the manual complete scanning you can run from the main OneCare interface. Consequently I am still searching for a way to programmatically run a full system OneCare anti virus scanning. Every antivirus software I used before OneCare had this functionality so it would seem very strange to me that it hasn't been implemented in OneCare.

    Looking further for your help and anyone else's help.

    Anyway I thank you again for your help and your time.

    Ciao

    Michele

    Tuesday, June 24, 2008 5:57 PM
  • That exe is a recent addition to OneCare, so I wasn't quite sure what it actually did, though it does seem to scan something. Perhaps it scans the current directory and there are no switches to tell it to scan everything. It does take longer than the Quick Scan option, though. Previously, only the Safe Mode scan was available from the command line. So, unless I can find out more about this exe, it would seem that there isn't yet a way to programmatically execute the full scan. I'll let you know if I learn anything else.

    -steve

     

    Tuesday, June 24, 2008 6:44 PM
    Moderator
  • This command line is provided for a full scan in Forefront:

    C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware>mpcmdrun Scan -RestrictPrivileges -ScanType 2

     

    In this local thread:

    http://forums.technet.microsoft.com/en-US/Forefrontclientsetup/thread/97feb378-2279-4fcc-8e2d-edc95bc7bf81/

     

    I would guess that the syntax (excluding the path) might be the same in OneCare or Defender.

     

    GreginMich

     

    Tuesday, June 24, 2008 7:36 PM
  •  

    Hi Gregin.

    First of all thank you.

    I used your combination and the task had a much longer duration. So, apparently, it has done something deeper.

    But I have some questions:

    1) Why doesn't the main interface of OneCare update the date of the last virus scanning?

    2) Is this utility performing exactly the same operations that OneCare performs when it does a full system scanning?

     

    Talking more clearly I have some doubts this command line utility performs exactly the same things that OneCare does in a full system scanning, in specific:

    1) If OneCare manual or automatic anti virus scanning finds any malware it tries to fix it, does the command line utility do the same?

    2) OneCare has a detailed report of the scanning, does this command utility generate the same detailed report and if so where is it stored?

     

    What I am searching for is some utility that gives me at least exactly the same functionalities (eventually more) the main OneCare interface anti virus scanning gives me.

     

    If, differently from my doubts, you or anyone else can confirm me that this command line utility performs exactly the same operations that OneCare scanning does then you gave me the solution.

    In any case, i really thank you.

    Ciao

    Michele

    P.S: I tried to add references to OneCare dlls or exes, hoping to find some OneCare classes library that could let me recall some method to run the scanning but I wasn't lucky. (I am using VC++) Any help about using OneCare classes/objects would be very appreciated.

    Tuesday, June 24, 2008 8:45 PM
  • I have not used this interface, and was unable to find any documentation for it, so I’m pretty much in the dark as to its overall operation. From what I can gather, this is an invisible automation interface with no graphical presentation of its progress, detections, etc., so your question is a good one – how then do we know that it’s doing what we want it to do? I think that if you persist in your investigation you will probably discover that the scan is functionally equivalent to a visible scan in terms of reacting to a threat, since that would be its only raison d’être. While this interface may not be capable of logging events back to the main interface, I did find many references to “C:\Windows\Temp\MpCmdRun.log” files, so you might want to check to see if it is logging to a file at that location. Because this tool has already been provided for the purpose of automation, and also for security reasons, it may well be that OneCare does not expose any automation library that could be used as an alternative. Hopefully someone out there will be able to come up with the documentation for this interface and enlighten all of us.

     

    GreginMich

     

    Wednesday, June 25, 2008 1:08 AM
  • Thanks, Greg.

    Michele, I'm looking into your questions for you.

    I suspect that I can answer one of the questions - it won't update the last scan time since the scan engine is being called outside of the OneCare UI and apart from the control of the scheduler, so it won't update the OneCare database. I can guess on two other questions - I think it will address any threats found during the scan and I doubt that there is any reporting.

    Keep in mind that this utility is provided with OneCare for support purposes per the text that appears when you run the command with the "/?" switch.

    As soon as I learn more, I'll get the answer(s) here.

    -steve

     

    Wednesday, June 25, 2008 1:12 AM
    Moderator
  • Using the command syntax from my first post in this thread, I ran a Complete Scan and a Quick Scan from the command prompt. I was surprised to see that the scan results were both duly filed, by type, in OneCare Protection\Scans\History\Results, where it appears that OneCare does indeed keep a record of command line scans. Unfortunately these results are not included when a support log is created, and I am not aware of any other way to view them.

     

    In my last post I recommended looking for the MpCmdRun.log file that appears in the Windows\Temp folder for a log of scan results. This was incorrect, since this file is owned by Windows Defender rather than OneCare. However, MpCmdRun.exe does log some basic information to an MpCmdRun.log file that appears (in Windows XP) in Documents and Settings\<account name>\Local Settings\Temp. This log only includes start and end times, confirmation of completion, and the number of threats detected. Maybe not the detail we were hoping for, but overall these results seem encouraging. According to this log, each time the original command syntax was run, a network service error was reported and the original command syntax was appended with “-Reinvoke” and rerun, whereupon it completed successfully. I’m not sure whether this indicates a syntax error or some kind of configuration problem.

     

    GreginMich

    Wednesday, June 25, 2008 5:39 PM
  • I am guessing that the network service error (“Error running as network service”) reported in the log was probably being generated by the fact that MpCmdRun.exe was being asked to restrict network privileges on a system that is not logged on to a network. With Forefront the system would always be logged on, but not so with OneCare. In any case, by omitting the “-RestrictPrivileges” option from the command line, the scan completed with no error reported in the log. With that corrected, I promise to stop hogging this thread, and to wait patiently for the results of Steve’s investigation into what exactly is being scanned, how this scan will deal with threats when it encounters them, and whether it will log the threat responses, since these are really the relevant questions here.

     

    GreginMich

     

    Thursday, June 26, 2008 6:38 PM
  • You're not hogging it, you're being most helpful. I haven't received a response from my query to the OneCare team on this exe yet. :-)

    -steve

     

    Thursday, June 26, 2008 7:10 PM
    Moderator
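
The command line the thread arrived at, launched from a Win32 console program as the original question asks. This is an added example, not code from any poster or from OneCare. It assumes the install path and the `Scan -ScanType 2` arguments quoted in the thread (with 1 assumed to be the quick scan), omits `-RestrictPrivileges` as the thread found necessary, and quotes the executable path because an unquoted path containing spaces lets CreateProcess resolve `C:\Program.exe` first.

```cpp
#include <cstdio>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// Install directory exactly as posted in the thread.
static const char kOneCareDir[] =
    "C:\\Program Files\\Microsoft Windows OneCare Live\\Antivirus";

// Builds the command line. The executable path contains spaces, so it is
// quoted. scanType 2 = full scan (from the thread); 1 = quick scan (assumed).
// -RestrictPrivileges is omitted because the thread found it logged
// "Error running as network service" under OneCare.
std::string BuildScanCommand(const std::string& dir, int scanType) {
    if (dir.empty() || (scanType != 1 && scanType != 2)) return "";
    std::string exe = dir;
    if (exe.back() != '\\') exe += '\\';
    exe += "mpcmdrun.exe";
    return "\"" + exe + "\" Scan -ScanType " + std::to_string(scanType);
}

#ifdef _WIN32
// Runs the scan and blocks until it ends. Returns the process exit code,
// or -1 if the process could not be started.
long long RunScan(const std::string& dir, int scanType) {
    std::string cmd = BuildScanCommand(dir, scanType);
    if (cmd.empty()) return -1;
    STARTUPINFOA si = { sizeof(si) };
    PROCESS_INFORMATION pi = {};
    // CreateProcess may write to the command-line buffer: pass a mutable copy.
    if (!CreateProcessA(NULL, &cmd[0], NULL, NULL, FALSE, CREATE_NO_WINDOW,
                        NULL, NULL, &si, &pi))
        return -1;
    WaitForSingleObject(pi.hProcess, INFINITE);
    DWORD code = 0;
    GetExitCodeProcess(pi.hProcess, &code);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return static_cast<long long>(code);
}
#endif

int main() {
    std::printf("%s\n", BuildScanCommand(kOneCareDir, 2).c_str());
#ifdef _WIN32
    return RunScan(kOneCareDir, 2) < 0 ? 1 : 0;
#endif
    return 0;
}
```

The thread does not document the exit codes, so treat the returned value as diagnostic only and check the MpCmdRun.log in the account's Temp folder, which the thread says records completion and the number of threats detected.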