Virusdie.Server

Virusdie.Server is a stand-alone web-antivirus for Hosters, VPS/DS, server admins and for developers. It’s designed to find and remove web-malware (shells, backdoors, spambots, redirectors, trojans etc.) in HTML, PHP, JS and other files (including tar archives) automatically on servers.

Virusdie.Server is compatible with: CentOS 6, CentOS 7, Debian 7, Debian 8, Debian 9, Ubuntu


Quick start guide

Using scanner

Run /usr/local/vdserver/scan (or just vdscan, if the symlink was created) without parameters to print the instructions on how to use the scanner.

Scanner command line options

vdscan [-flags] < files... | @listfile | @ >

-h, --help:     Print help text and exit
-v, --version:  Print program version and exit
-c, --config:   Print config file contents and exit
-r, --remove:   Cleanup files automatically (if supported by this build)
-d, --nodelete: Do not delete files if they should be deleted with -r
-j, --json:     Print detailed JSON scan results on STDOUT
-z, --unpack:   Unpack and scan archived/packed files (tar/gzip/bzip2/xz/lzma)
-a, --allfiles: Scan all types of files, do not filter file names by extension
-t, --nobin:    Auto detect and skip binary files, scan only text files
-e, --echo:     Print response to STDERR for every item in the list (see below)
-x, --exclude <filename>
  Exclude files/folders listed in file <filename>.
  The file should contain absolute path names, folders should end with '/'.
--dump <dumpfile>
  Create a scan report including copies of malicious files in '<dumpfile>.tar.gz'.
  Available patterns in <dumpfile>:
    {N} - Base name of the first scanned directory/file
    {T} - Current UNIX timestamp
    {D} - Current date in YYYY-MM-DD-hh-mm-ss form
--noemptydump
  Do not store the report if there are no threats found (used with --dump)
--domain <hostname>
  The domain name the scanned files belong to.
  Required to detect external redirects.
--reloadvdb, --updatevdb
  Force virus database update
--homepath <path>
  Set alternative path to home directory
--configfile <file>
  Load alternative configuration from file <file>
--threads, --limitcpu <number of parallel scanner threads / CPU cores>
  Set the number of parallel scanner threads and the number of CPU cores to use.
  All available CPU cores will be used by default (when --threads < 1).
  See also 'threads' config option.
--vdbid <N>
  Use alternative virus database. The default database ID is '0' (zero).
  See also 'vdbID' config option.
--maxage <age>
  Scan only files that are newer than the specified age.
  (Scanner started at - File mod time < age).
  Modifiers are required in <age> (h, m, s): 8h, 2h30m, 1h == 60m == 3600s.
--maxsize <size>
  Limit the size of scanned files. Ignore files larger than <size> bytes.
  Modifiers are allowed in <size> (k, m, g): 50k, 2m512k, 2k512, etc.
  Note there is 1 MB hard limit on the maximum file size.
--update <channel>
  Check for updates and exit, lookup the specified update <channel>:
    stable: Stable versions, production use
    latest: Latest versions, pre-production testing
  The list of channels is available on downloads page.
  If there is no update available then exit with non-zero exit status code:
  vdscan --update stable && ./update_script.sh
--sendfile <file>
  Send suspicious file for analysis and exit.
  If failed then exit with non-zero exit status code.

files:     Scanned directories, files (glob patterns allowed)
@listfile: Scan files listed in the file <listfile>
@:         Read file list to scan from STDIN (pipe or keyboard (interactive mode))

Any file name passed as an argument may be given in "B64:..." form (base64 encoded).
This also applies to names in list files (e.g. vdscan B64:YWJjZGU= file2.js).

About list files ("@listfile" or "@"), interactive mode:

  A file name prefixed with '@' is treated as a list file only when it is the
  single element in the list of files on the command line.
  List files cannot contain directories, only files; directories are ignored.
  If the --echo (-e) flag is set, a result in the form ":message:filepath" is
  printed on STDERR after every file from the list is scanned, where "message" is
  one of: ignored, excluded, error, scanned. Try "echo file|vdscan @ -e".
  File names listed in list files cannot start with a colon (':xxx'); such names
  are treated as commands. They are mainly used in interactive mode to change
  options, control the scan process and retrieve information during the scan.
  Unknown or empty commands are silently ignored (like comments). The result of
  a command is printed on STDERR in the form ":command:result".

The list of currently supported interactive commands:

  :echo     [1|0] # Change the --echo (-e) switch
  :remove   [1|0] # Change the --remove (-r) switch
  :nodelete [1|0] # Change the --nodelete (-d) switch
  :unpack   [1|0] # Change the --unpack (-z) switch
  :nobin    [1|0] # Change the --nobin (-t) switch
  :maxage   [age] # Set the --maxage value
  :maxsize [size] # Set the --maxsize value
  :stats          # Show the current scan statistics
  :help or :?     # Print the list of commands
  :exit or :q     # Close all scan threads and exit

About flags:

  Several short flags can be combined into one:
    '-rjx file' is equal to '-r -j -x file'
  The value of a flag may also be given with an equal sign (=):
    '-rx=file --dump=www' is equal to '-r -x file --dump www'
  Add '--' to stop parsing the remaining flags. Useful if some positional arguments
  start with a dash (vdscan -r -- -file).

Examples:

  vdscan -rx ignored.txt www/ --dump /tmp/vdscan.{N}.{D}
  vdscan -a *.js *.php dir1/ dir2/ -j --maxsize 150k --maxage 2h30m
  # Use list file:
  vdscan -rj -d @list.txt
  # Read file names to scan from STDIN:
  echo file.js | vdscan @ -r
  cat list.txt | vdscan @ -az
  vdscan @ < list.txt
  # Read file names directly from the keyboard (interactive mode):
  vdscan @ --echo
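
Driving `vdscan @ -e` from a script, as an added Python example that is not part of Virusdie.Server: it builds the STDIN list entries (falling back to the documented "B64:..." form for names that would otherwise be read as ':' commands or cannot be sent on one line) and parses the ":message:filepath" and ":command:result" lines the scanner prints on STDERR. The sample STDERR and the text after ":stats:" are constructed, since the manual does not specify the format of command results.

```python
import base64
from collections import Counter
from typing import Dict, Optional, Tuple

# Messages vdscan prints per file on STDERR when --echo (-e) is set.
ECHO_MESSAGES = {"ignored", "excluded", "error", "scanned"}

def list_entry(path: str) -> str:
    """Return the line to feed `vdscan @` for this path.

    A name starting with ':' would be parsed as an interactive command, and a
    name containing a line break cannot be sent as one line, so both go in the
    documented 'B64:<base64>' form; all other names are passed through as-is.
    """
    if path.startswith(":") or "\n" in path or "\r" in path:
        raw = path.encode("utf-8", "surrogateescape")
        return "B64:" + base64.b64encode(raw).decode("ascii")
    return path

def parse_echo_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one STDERR line into (kind, key, value), or None if it is not one.

    kind is 'file' for ':message:filepath' echo lines and 'command' for
    ':command:result' lines. Splitting stops after the second colon, so
    colons inside file paths are preserved.
    """
    if not line.startswith(":"):
        return None
    parts = line.rstrip("\r\n").split(":", 2)
    if len(parts) != 3:
        return None
    _, key, value = parts
    return ("file" if key in ECHO_MESSAGES else "command", key, value)

def tally_stderr(stderr_text: str) -> Dict[str, int]:
    """Count per-file outcomes so a wrapper can alert on read errors."""
    counts: Counter = Counter()
    for line in stderr_text.splitlines():
        parsed = parse_echo_line(line)
        if parsed and parsed[0] == "file":
            counts[parsed[1]] += 1
    return dict(counts)

# Constructed STDERR sample in the shape `vdscan @ -e` produces; the ':stats:' result
# text is made up, since the manual does not specify the format of command results.
SAMPLE_STDERR = """:scanned:/var/www/site/index.php
:ignored:/var/www/site/logo.png
:error:/var/www/site/odd:name.php
:stats:files=3
:scanned:/var/www/site/wp-config.php
"""
```

Pipe the output of list_entry() for each path into the scanner's STDIN and pass its STDERR to tally_stderr(); a non-zero "error" count means files the scanner could not read and that the scan log should be checked for.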

Example output (Plain text format, default):

  www/
  www/sub/path/to/file1 : 123 : Trojan  : I : D : -
  www/sub/path/to/file2 : 456 : Spambot :   :   : R
  www/sub/path/to/file2 :     :         :   :   : EW

Example output (JSON format, -j, --json):

  [
   ["www/sub/path/to/file1", "123", "Trojan",  1, 1,  0, "B64="]
  ,["www/sub/path/to/file2", "456", "Spambot", 0, 0,  1, "B64="]
  ,["www/sub/path/to/file2", "",    "",        0, 0, -2, null]
  ]

Scan results

Scan results (the list of files with detected malware information) are printed on STDOUT. You can output either detailed information (JSON, if you want to parse or otherwise process it) or a short text form.

By default (without -j flag) the result is a text as shown below:

Path to a file : Malware ID : Name of malware : Is it curable automatically : Malware type : Cleanup result
...

Detailed format (with -j flag). The result is a JSON array as shown below:

[
["Path to a file", "Malware ID", "Name of malware", Is it curable automatically, Malware type, Cleanup result, "Code fragment"]
, ...
]
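
Consuming the JSON format above from a script, as an added Python example that is not part of Virusdie.Server: each row is mapped onto the documented columns, the base64 "Code fragment" is decoded, and rows with an empty malware ID (such as the third row of the manual's example, which carries only a cleanup code) are separated from real detections before counting. The sample input is constructed in the shape of the manual's example; its code fragments are harmless placeholders.

```python
import base64
import json
from typing import List, NamedTuple, Optional

class ScanRow(NamedTuple):
    """One row of `vdscan -j` output, columns in the documented order."""
    path: str
    malware_id: str
    name: str
    curable: int
    malware_type: int
    cleanup: int
    fragment: Optional[bytes]  # decoded "Code fragment"; None when the row has none

    @property
    def is_detection(self) -> bool:
        # A row with an empty malware ID carries only a cleanup/status code, no threat.
        return self.malware_id != ""

def parse_scan_json(text: str) -> List[ScanRow]:
    """Parse the JSON array printed on STDOUT with -j into typed rows."""
    rows = []
    for raw in json.loads(text):
        if len(raw) != len(ScanRow._fields):
            raise ValueError(f"unexpected row shape: {raw!r}")
        *head, frag = raw
        rows.append(ScanRow(*head, base64.b64decode(frag) if frag else None))
    return rows

def summarize(rows: List[ScanRow]) -> dict:
    """Counts a monitoring job would alert on; a file with two threats counts once."""
    detections = [r for r in rows if r.is_detection]
    return {
        "files_infected": len({r.path for r in detections}),
        "threats": len(detections),
        "curable": sum(1 for r in detections if r.curable == 1),
        "status_rows": len(rows) - len(detections),
    }

# Constructed sample in the shape of the manual's JSON example; the fragments are
# harmless placeholders, not real malware.
SAMPLE = json.dumps([
    ["www/sub/path/to/file1", "123", "Trojan", 1, 1, 0, base64.b64encode(b"<?php /* sample */").decode()],
    ["www/sub/path/to/file2", "456", "Spambot", 0, 0, 1, base64.b64encode(b"// sample").decode()],
    ["www/sub/path/to/file2", "", "", 0, 0, -2, None],
])
```

Feed parse_scan_json() the captured STDOUT of `vdscan -j`; the process exit code (zero on a normal run, non-zero on errors, see Process exit codes) is checked separately by the caller, since an empty array with a non-zero exit code is a failed scan, not a clean one.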

Scanner reports

You can set the --dump parameter to create an archive with copies of the malicious files and a detailed scan log when you run the antivirus. The archive contains the data shown below:

File/Folder  Description
files/       Malicious files (before cleanup) with their real paths.
cmd          Folder and full list of parameters the scan process was started with.
target       The list of objects to scan from the command line.
scan.json    A full scan log in JSON format. It contains the malicious code fragments found in each file.
scan.log     Short scan log.
stats.json   Scan statistics (start time, duration, number of files checked, infected, treated, number of read errors, number of threats found, number of curable threats, number of threats removed).

The logs contain the data described in the section Scan results.

Running in the background

You can use any usual scheduler, e.g. cron, and adjust the scan schedule in any convenient way.

Process exit codes

The scanner process sets the exit status code on exit. On normal exit the exit status is zero; on errors it is non-zero.

The term main command/operation here means one of: a normal scan; running with the --help switch; the --version switch; --config; --update; --sendfile.

Codes 4 and 5 are returned in case of errors that occurred when creating, reading or writing the log files, dump file, list file, exclusions file or home directory. The scanner does not exit on I/O errors that occur while scanning user files; such errors are reflected in the log files.

Code 7 is returned in case of errors that occurred when interacting with remote services (updating the virus database, checking for software updates with --update, sending files with --sendfile, etc.).
