Home > Uncategorized > Anti-virus scanning for “offline clients” with TrendMicro command line scanner

Anti-virus scanning for “offline clients” with TrendMicro command line scanner

Note that the lpt$vpn.xxx files are located for download on the trend site as well.


We have some file servers that are highly utilized for I/O. All of our clients have filter drivers routing files to a malware scanner. We also have packet inspection at our perimeter scanning incoming (detected) files for known viruses.

I have been looking for a way to scan the files that are at rest on these highly utilized servers for a while. I am interested in using Trend Micro, since we are licensed, but kept putting off working something out until today when I watched the Mandiant “webinar” the Fresh Prints of Mal-ware: The Nutts and Boltz of M-Trends. Mandiant reviews some of the findings of their annual Mtrends report, where they covered the idea of malicious webapps and other things just chillin’ on web servers. One of their bullet points? Use a virus scanner. Duh… but Mandiant stated that they found many people exclude production related files from scanning because of performance impact.

Granted these files at rest will be scanned the moment they are accessed, virus scanning is just such a trivial, rudimentary but important thing to put in place for security that I’m embarassed it’s taken me this long to implement this strategy.

I had worked on figuring out a stand alone, self-contained method, but obtaining the definition files was proving to take too much time.

So, to keep it legal anyway… you must have a TrendMicro server (in this case is “tsserver”) who has the definition files accessible via their Office Scan share.

Grant access to the scanner executable:

vscanwin32.com is available on any TrendMicro OfficeScan client in the security agent directory.

Create a shared folder on a server called tmscan$ on a server and copy the following files:

  • vscanwin32.com
  • BPMNT.DLL
  • VSAPI32.DLL

On the machine you wish to scan files, RAM and boot sector on, schedule the following batch:

pushd \\tsserver\ofcscan\
ls -t | grep lpt$vpn | head -1 > %temp%\lastdef
set /p lptdef= < "%temp%\lastdef"
del %temp%\lastdef
if exist "%temp%\lpt$vpn*" (del /f /q "%temp%\lpt$vpn*")
copy /y /b /v "\\tsserver\ofcscan\%lptdef%" %temp%\%lptdef%
"\\tsserver\tmscan$\vscanwin32.com" /S /c /d /p="\\tsserver\ofcscan\%lptdef%" %1

This batch locates the latest definition file from the Trend server, the last lpt$vpn.* that was modified.

The script will work as the first argument would be the path you wish to scan.

You can produce a log by redirecting stdout (using > ) of vscanwin32.com to a file. You could then use sendemail.vbs to send the results. Otherwise, you could further parse the log, record it to a DB, etc.

"\\tsserver\tmscan$\vscanwin32.com" /S /c /d /p="\\tsserver\ofcscan\%lptdef%" %1 > %temp%\trendscan.log
"cat.exe" %temp%\trendscan.log | "sed.exe" s/\r/\r\n/g > %temp%\trendscandos.log
"cat.exe" %temp%\trendscandos.log | "grep.exe" "Reading virus pattern" >> %temp%\trend_final.log
echo. >> %temp%\trend_final.log
"cat.exe" %temp%\trendscandos.log | "grep.exe" "Scanning Memory" >> %temp%\trend_final.log
echo. >> %temp%\trend_final.log
"cat.exe" %temp%\trendscandos.log | "grep.exe" "Scanning partition" >> %temp%\trend_final.log
echo. >> %temp%\trend_final.log
"cat.exe" %temp%\trendscandos.log | "grep.exe" "Scanning boot sector" >> %temp%\trend_final.log
echo. >> %temp%\trend_final.log
"cat.exe" %temp%\trendscandos.log | "grep.exe" "Found Virus" >> %temp%\trend_final.log
echo. >> %temp%\trend_final.log
"cat.exe" %temp%\trendscandos.log | "grep.exe" "files have been checked" >> %temp%\trend_final.log
echo. >> %temp%\trend_final.log
"cat.exe" %temp%\trendscandos.log | "grep.exe" "files containing viruses" >> %temp%\trend_final.log
echo. >> %temp%\trend_final.log
"cat.exe" %temp%\trendscandos.log | "grep.exe" "file-type viruses found" >> %temp%\trend_final.log
cscript "sendmail.VBS" /from:robot@externaldomain /subject:"Virus scan results for %hostname%" /body:stdin < %temp%\trend_final.log
del /f /q %temp%\trendscan.log %temp%\trendscandos.log %temp%\trend_final.log
Advertisements
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: