Virusdie.Server is a stand-alone web antivirus for hosters, VPS/DS, server admins and developers. It is designed to automatically find and remove web malware (shells, backdoors, spambots, redirectors, trojans etc.) in HTML, PHP, JS and other files (including tar archives) on servers.
Virusdie.Server is compatible with: CentOS 6, CentOS 7, Debian 7, Debian 8, Debian 9, Ubuntu
/usr/local/vdserver/
config.json (field vdbApiKey)
chmod a+x /usr/local/vdserver/scan
ln -s /usr/local/vdserver/scan /usr/local/bin/vdscan
Execute the command /usr/local/vdserver/scan (or just vdscan, if the symlink was created) without parameters to see the instructions on how to use the scanner.
vdscan [-flags] < files... | @listfile | @ >
-h, --help: Print help text and exit
-v, --version: Print program version and exit
-c, --config: Print config file contents and exit
-r, --remove: Cleanup files automatically (if supported by this build)
-d, --nodelete: Do not delete files if they should be deleted with -r
-j, --json: Print detailed JSON scan results on STDOUT
-z, --unpack: Unpack and scan archived/packed files (tar/gzip/bzip2/xz/lzma)
-a, --allfiles: Scan all types of files, do not filter file names by extension
-t, --nobin: Auto detect and skip binary files, scan only text files
-e, --echo: Print response to STDERR for every item in the list (see below)
-x, --exclude <filename>
Exclude files/folders listed in file <filename>.
The file should contain absolute path names, folders should end with '/'.
--dump <dumpfile>
Create a scan report including copies of malicious files in '<dumpfile>.tar.gz'.
Available patterns in <dumpfile>:
{N} - Base name of the first scanned directory/file
{T} - Current UNIX timestamp
{D} - Current date in YYYY-MM-DD-hh-mm-ss form
--noemptydump
Do not store the report if there are no threats found (used with --dump)
--domain <hostname>
The domain name the scanned files belongs to.
Required to detect external redirects.
--reloadvdb, --updatevdb
Force virus database update
--homepath <path>
Set alternative path to home directory
--configfile <file>
Load alternative configuration from file <file>
--threads, --limitcpu <number of parallel scanner threads / CPU cores>
Set the number of parallel scanner threads and the number of CPU cores to use.
All available CPU cores will be used by default (when --threads < 1).
See also 'threads' config option.
--vdbid <N>
Use alternative virus database. The default databse ID is '0' (zero).
See also 'vdbID' config option.
--maxage <age>
Scan only files that are newer than the specified age.
(Scanner started at - File mod time < age).
Modifiers are required in <age> (h, m, s): 8h, 2h30m, 1h == 60m == 3600s.
--maxsize <size>
Limit the size of scanned files. Ignore files larger than <size> bytes.
Modifiers are allowed in <size> (k, m, g): 50k, 2m512k, 2k512, etc.
Note there is 1 MB hard limit on the maximum file size.
--update <channel>
Check for updates and exit, lookup the specified update <channel>:
stable: Stable versions, production use
latest: Latest versions, pre-production testing
The list of channels is available on downloads page.
If there is no update available then exit with non-zero exit status code:
vdscan --update stable && ./update_script.sh
--sendfile <file>
Send suspicious file for analysis and exit.
If failed then exit with non-zero exit status code.
files: Scanned directories, files (glob patterns allowed)
@listfile: Scan files listed in the file <listfile>
@: Read file list to scan from STDIN (pipe or keyboard (interactive mode))
Any file name passed as argument can appear in "B64:..." form (base64 encoded).
This also applied to names in the list files. (vdscan B64:YWJjZGU= file2.js).
About list files ("@listfile" or "@"), interactive mode:
The file name prefixed with '@' will be treated as list file only in case it
is a single element in the list of files in the command line.
List files can not contain directories, only files. Directories will be ignored.
If --echo (-e) flag is set then results in form ":message:filepath" will be
printed on STDERR after scanning of every file from the list. There "message" is
the one of: ignored, excluded, error, scanned. Try "echo file|vdscan @ -e".
File names listed in list files can not start with a colon (':xxx'). Such names
are treated as commands. They are especially used in interactive mode to change
the options, control scan process state, retrieve information during scan.
Unknown/empty commands are silently ignored (like a comments). The result of
the command will be printed on STDERR in form ":command:result".
The list of currently supported interactive commands:
:echo [1|0] # Change the --echo (-e) switch
:remove [1|0] # Change the --remove (-r) switch
:nodelete [1|0] # Change the --nodelete (-d) switch
:unpack [1|0] # Change the --unpack (-z) switch
:nobin [1|0] # Change the --nobin (-t) switch
:maxage [age] # Set the --maxage value
:maxsize [size] # Set the --maxsize value
:stats # Show the current scan statistics
:help or :? # Print the list of commands
:exit or :q # Close all scan threads and exit
About flags:
It is possible to combine several short flags into one:
'-rjx file' is equal to '-r -j -x file'
To specify the value for the flag the equal sign (=) may also be used:
'-rx=file --dump=www' is equal to '-r -x file --dump www'
Add '--' to skip parsing of remaining flags. Useful if some positional arguments
are started with a dash (vdscan -r -- -file).
Examples:
vdscan -rx ignored.txt www/ --dump /tmp/vdscan.{N}.{D}
vdscan -a *.js *.php dir1/ dir2/ -j --maxsize 150k --maxage 2h30m
# Use list file:
vdscan -rj -d @list.txt
# Read file names to scan from STDIN:
echo file.js | vdscan @ -r
cat list.txt | vdscan @ -az
vdscan @ < list.txt
# Read file names directly from the keyboard (interactive mode):
vdscan @ --echo
Example output (Plain text format, default):
www/
www/sub/path/to/file1 : 123 : Trojan : I : D : -
www/sub/path/to/file2 : 456 : Spambot : : : R
www/sub/path/to/file2 : : : : : EW
Example output (JSON format, -j, --json):
[
["www/sub/path/to/file1", "123", "Trojan", 1, 1, 0, "B64="]
,["www/sub/path/to/file2", "456", "Spambot", 0, 0, 1, "B64="]
,["www/sub/path/to/file2", "", "", 0, 0, -2, null]
]
Scan results (the list of files with detected malware information) are printed on STDOUT. You can choose detailed output (JSON, if you want to parse or process it in some way) or a short plain-text form.
Plain text format (default, without the -j flag): the result is text as shown below:
Path to a file : Malware ID : Name of malware : Is it curable automatically : Malware type : Cleanup result
...
Is it curable automatically:
I shows if malware is incurable and can’t be removed automatically
Malware type:
D shows if it is a suspicion (Doubt)
Cleanup result:
R - malware removed from the file.
D - malicious file deleted.
ND - the file was not deleted in accordance with the -d flag.
E - file read error.
EW - file write error.
ED - file delete error.
- - cleanup is impossible or file wasn’t cleaned.
JSON format (-j flag). The result is a JSON array as shown below:
[
["Path to a file", "Malware ID", "Name of malware", Is it curable automatically, Malware type, Cleanup result, "Code fragment"]
, ...
]
Is it curable automatically:
1 shows if malware is incurable and can’t be removed automatically, else 0
Malware type:
1 shows if it is a suspicion, else 0
Cleanup result:
1 - malware removed from the file.
2 - malicious file deleted.
3 - the file was not deleted in accordance with the -d flag.
-1 - file read error.
-2 - file write error.
-3 - file delete error.
0 - cleanup is impossible or file wasn’t cleaned.
You can set the --dump parameter to create an archive with copies of the malicious files and a detailed scan log when you run the antivirus.
The archive will contain the data shown below:
File/Folder | Description |
---|---|
files/ | Malicious files (before cleanup) with real paths. |
cmd | Folder and full list of parameters the scan process was started with. |
target | The list of objects to scan from the command line. |
scan.json | A full scan log in JSON format. It contains the malicious code fragments found in each file. |
scan.log | Short scan log. |
stats.json | Scan statistics (start time, duration, number of files checked, infected, treated, number of read errors, number of threats found, number of curable threats, number of threats removed). |
The logs contain the data described in the Scan results section.
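The JSON result rows described above can be triaged mechanically, for example to alert only on files that are still unresolved after a -r run. The following is an added example, not Virusdie's own code: the function name `triage` is hypothetical, and treating a row with an empty malware ID as a file-level status row is an assumption based on the example output on this page.

```python
import json
from collections import defaultdict

# Cleanup result codes as listed for the JSON format on this page.
CLEANUP = {1: "removed", 2: "deleted", 3: "kept by -d", 0: "not cleaned",
           -1: "read error", -2: "write error", -3: "delete error"}
RESOLVED = {1, 2}  # malware removed from the file, or file deleted


def triage(scan_json):
    """Group `vdscan -j` rows by file; return {path: [reason, ...]}
    for files that still need attention (hypothetical helper)."""
    reasons = defaultdict(list)
    seen = set()
    for row in json.loads(scan_json):
        if len(row) != 7:
            raise ValueError(f"unexpected row shape: {row!r}")
        path, mal_id, name, incurable, suspicion, cleanup, _fragment = row
        seen.add(path)
        status = CLEANUP.get(cleanup, f"unknown code {cleanup}")
        if mal_id == "":
            # Assumption: an empty malware ID marks a file-level status row
            # (the page's example shows one carrying a write error).
            if cleanup not in RESOLVED:
                reasons[path].append(f"file status: {status}")
            continue
        if cleanup in RESOLVED:
            continue
        kind = "suspicion" if suspicion else "threat"
        note = ", incurable" if incurable else ""
        reasons[path].append(f"{kind} {mal_id} {name}: {status}{note}")
    return {p: reasons[p] for p in sorted(seen) if reasons[p]}


# Sample input: the JSON example output shown on this page.
SAMPLE = '''[
 ["www/sub/path/to/file1", "123", "Trojan", 1, 1, 0, "B64="]
,["www/sub/path/to/file2", "456", "Spambot", 0, 0, 1, "B64="]
,["www/sub/path/to/file2", "", "", 0, 0, -2, null]
]'''

if __name__ == "__main__":
    for path, why in triage(SAMPLE).items():
        print(path, "->", "; ".join(why))
```

In the sample, file2 has a "removed" row followed by a write error row, so it is still reported: the cleaned content never reached the disk.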
You can use any common scheduler, e.g. cron, and adjust the scan schedule in any convenient way.
The scanner process sets the exit status code on exit. On normal exit the exit status will be zero. On errors it will be non-zero.
0 - Normal exit, the main command/operation completed successfully
1 - Program crashed, abnormal program termination
2 - Invalid/unknown/incompatible command line options
3 - Incorrect configuration files
4 - Failed to create/open/close files, directories
5 - Some I/O operation failed
6 - The main command/operation failed
7 - Error in external (remote) service/application/API (database, WEB-server)
The term main command/operation here means one of: normal scan; running with the --help switch; --version switch; --config; --update; --sendfile.
Codes 4 and 5 are returned when errors occur while creating/reading/writing the log files / dump file / list file / exclusions file / home directory. The scanner will not exit on I/O errors that occur while scanning user files; such errors are reflected in the log files.
Code 7 is returned when errors occur while interacting with remote services (updating the virus database, checking for software updates with --update, sending files with --sendfile, etc.).