http://hd.competentsolutions.net/helpdesk/index.php?

_m=knowledgebase&_a=viewarticle&kbarticleid=34

McAfee SuperDAT Performing a command-line scan in Windo...

Author:
Competent Solutions
Created On: 11 Sep 2009 09:16 AM

Corporate KnowledgeBase
Performing a command-line scan in Windows Vista, XP, 2003 or 2000

Corporate KnowledgeBase ID: KB51141

Version: 5.0
Status: Published
Published: August 28, 2008
Updated: July 01, 2009

Environment
McAfee SuperDAT
McAfee DATs/Beta DATs

Microsoft Windows Vista

Microsoft Windows XP
Microsoft Windows 2003
Microsoft Windows 2000
Summary
Usually, all On-Demand Scans are done through the GUI. However, sometines it might be
necessary to run a scan without loading the GUI and loading strictly required programs only.
Scenarios which require this include, but are not limited to, the following:
•Scanning a computer before installing VirusScan to ensure it is clean of viruses.
•When a workstation has been infected with a virus and this hampers running VirusScan
Enterprise in the GUI.
•When VirusScan Enterprise (VSE) does not install.
Video Tutorial
NOTE: Adobe Flash Player is required. For further details, go to:
http://www.adobe.com/products/flashplayer/

To view a list of tutorials, go to the McAfee ServicePortal at

http://mysupport.mcafee.com/Eservice/Default.aspx and click View Tutorials.

To view this tutorial, see:

Performing a command-line scan in Microsoft Windows
Solution 1
The safest way to run a command-line scan is to download the latest SuperDAT from the McAfee
website and restart your computer in Safe Mode.

Page 1/6
Powered By Kayako SupportSuite
 http://hd.competentsolutions.net/helpdesk/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=34

Step 1 - Create a temporary scan folder on the root drive and assign a Read-Only attribute:
1.Create a folder named SCAN on the root of the system drive (typically C:).
2.Assign a Read-Only attribute on the SCAN folder. Right-click the C:SCAN folder and select
Properties.
3.Select Read-only and click OK.

NOTE: McAfee recommends deleting all temporary files from your system prior to running any
scan. This includes files in the temp folder, temporary Internet files as well as Internet usage history
and cookies.

Step 2 - Download the latest sdat####/exe (where #### is the version number) to the SCAN folder:
1.Start your web browser and access the McAfee Security Updates page:

http://www.mcafee.com/apps/downloads/security_updates/superdat.asp?region=us&segment=enter
prise

2.Click the SuperDATs tab.

3.Click sdat####.exe (Windows) to download the file. Example: sdat5371.exe.
4.Click Save.
5.Browse to the C:SCAN folder and click Save.

Step 3 - Extract the SuperDAT files in the C:SCAN folder:

1.Click Start, Run, type: CMD then click OK to open a command prompt.
2.Type cd c:scan and press ENTER.
3.Type SDAT####.EXE /e

NOTE: Where ##### is the version of the current SuperDAT file).

Step 4 - Download the Beta DATs (Optional)

Obtain the latest Beta DAT:

1.Launch Internet Explorer and browse to: http://vil.nai.com/vil/virus-4d.aspx
2.Double-click win_betaengdat.zip and click Save.
3.Navigate to the c:scan folder and click Save.
Decompress the downloaded .ZIP file
1.Double-click win_betaengdat.zip (in the scan folder).
2.Select Extract.
3.Use the Extract to location option.
4.Click Extract.

Step 5 - Run the scan in Windows Safe Mode:

For restarting in Safe Mode in other operating systems, refer to the Related Information section in
this article.
1.Press F8 immediately after the Power On Self-Test diagnostics and memory count.
2.Select: Safe Mode with command prompt.
3.Type the following command, then press ENTER:

Page 2/6
Powered By Kayako SupportSuite
 http://hd.competentsolutions.net/helpdesk/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=34

c:scanscan.exe /clean /all /adl /program /unzip /report c:scanscan-rpt.txt /rptall

IMPORTANT: You may see an error stating that an application is attempting to directly access the
hard disk. Click IGNORE to continue scanning.

4.After the scan has finished, restart your computer.

5.Using Windows explorer, open c:scanscan-rpt.txt and identify errors or infected files.
6.Manually delete any files identified as not cleaned, deleted, or renamed.
Solution 2
EXAMPLE Scan output that would be contained in the REPORT.TXT
McAfee VirusScan for Win32 v5.20.0
Copyright (c) 1992-2006 McAfee, Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - May 26 2006

Scan engine v5.1.00 for Win32.

Virus data file v4939 created Jan 15 2007
Scanning for 222817 viruses, trojans and variants.

01/22/2007 17:00:05

Options:
/CLEAN /WINMEM /ALL /ADL /PROGRAM /UNZIP /REPORT REPORT.TXT

Scanning C: []
Scanning C:*.*
C:Program FilesJavlayernpf.sys ... Found the NTRootKit-R.gen trojan !!!
The file or process has been deleted.
C:WINDOWSDownloaded Program FilesUDC6_0001_D19M1908NetInstaller.exe ... Found
potentially unwanted program DriveCleaner.
The file or process has been deleted.
C:WINDOWSsystem32drivershttnpfs.sys ... Found the NTRootKit-R.gen trojan !!!
The file or process has been deleted.

Summary report on C:*.*

File(s)
Total files: ..........104919
Clean: ................104802
Possibly Infected: .....2
Cleaned: ..............0
Deleted: ..............3

Non-critical Error(s):2
Master Boot Record(s): ......2
Possibly Infected: ....0
Boot Sector(s): ...............1
Possibly Infected: ....0
Related Information

Page 3/6
Powered By Kayako SupportSuite
 http://hd.competentsolutions.net/helpdesk/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=34

Related articles:
•KB55986 - Daily DAT files explained
•KB53094 - Troubleshooting procedure for finding possible infected files (when virus not
detected)

Refer to the following relevant Microsoft Operating System article to start in Safe Mode:

Microsoft documentation

F8 Method

Windows Vista
http://windowshelp.microsoft.com/Windows/en-US/Help/323ef48f-7b93-4079-a48a-5c58eec904a110
33.mspx

Windows XP
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.ms
px?mfr=true

Windows 2003
http://technet2.microsoft.com/windowsserver/en/library/e14bf84d-d2f7-42c3-9fae-2af3db3f806c1033
.mspx?mfr=true

Windows 2000
http://www.microsoft.com/windows/windows2000/en/advanced/help/boot_failsafe.htm

System Configuration Tool (msconfig.exe)

Windows Vista http://support.microsoft.com/kb/929135/

Windows XP http://support.microsoft.com/kb/310560/

Windows 2003 http://support.microsoft.com/kb/325375

Windows 2000No documentation located

Information displayed when using SCAN32 /HELP or SCAN32 /?

McAfee VirusScan for Win32 v5.10.0

Page 4/6
Powered By Kayako SupportSuite
 http://hd.competentsolutions.net/helpdesk/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=34

Scan engine v5.2.00 for Win32

Syntax: Usage: Scan [object1] [object2...] [option1] [option2...]

SwitchDescription
/?Display the help screen.
/ADScan all drives (not removable media).
/ADLScan all local drives (not removable media).
/ADNScan all network drives.
/AFC=Set the Size of the Internal Cache Used When Decompressing Archive Files.
/ALLScan all files regardless of filename extension.
/ALLOLETreat all files as compound/OLE regardless of extension.
/ANALYZETurn on heuristic analysis for programs and macros.
/APPENDAppend to report file rather than overwriting.
/BOOTScan boot sector and master boot record only.
/CHECKLIST Scan list of files contained in .
/CLEANClean viruses from infected files and system areas.
/CONTACTFILE Display contents of when a virus is found.
/DAMRemove all macros from infected MS-Office files.
/DELDelete infected files.
/DOHSMScan migrated files (hierarchical storage management).
/EXCLUDE Do not scan files listed in .
/EXTLISTList file extensions scanned by default.
/EXTRA Scan using an extra DAT file.
/FAMFind all macros - not just infected macros. Used with /DAM will remove all macros.
/FREQUENCY Do not scan after the previous scan.
/HELPDisplay the help screen.
/HTML Create an HTML report file.
/LOAD Load options from .
/MAILBOXScan inside plain text mailboxes.
/MANALYZETurn on macro heuristics.
/MANYScan many floppy diskettes.
/MIMEScan inside MIME, UUE, XXE and BinHex files.
/MOVE Move infected files into directory, preserving path.
/NOBACKUPDo not prompt for a backup diskette during a sector repair.
/NOBOOTDo not scan boot sectors.
/NOBREAKDisable Ctrl-C / Ctrl-Break during scanning.
/NOCOMPDo not scan self extracting executables by default.
/NODDon't switch into /ALL mode when repairing.
/NODDANo direct disk access.
/NODOCDo not scan MS Office files.
/NOEXPIREDisable data files expiration date notice.
/NOMEMDo not scan memory for viruses.
/NODECRYPTDon't scan password-protected MS Office documents.
/NOJOKESDo not alert on joke files.
/NORENAMEDo not rename infected files that cannot be cleaned.
/PANALYZETurn on program heuristics.
/PAUSEPause at end of each screen page.

Page 5/6
Powered By Kayako SupportSuite
 http://hd.competentsolutions.net/helpdesk/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=34

/PLADPreserve Last Access Dates on Novell NetWare drives.

/PROGRAMScan for potentially unwanted applications.
/REPORT Report names of viruses found into .
/RPTALLInclude all scanned files in the /REPORT file.
/RPTCORInclude corrupted files in /REPORT file.
/RPTERRInclude errors in /REPORT file.
/SILENTDisable all screen output.
/STREAMSScan inside NTFS streams (NT only).
/SUBScan subdirectories.
/TIMEOUT Set the maximum time to spend scanning any one file.
/UNZIPScan inside archive files.
/VIRLISTDisplay virus list.
/WINMEMScan all Running Windows Processes.
/WINMEM=Scan the Running Windows Process With Process ID .

Previous Document ID
613469
Inquira Information Center Copyright ©2009, Inquira Inc., All Rights Reserved Release 8.1.2.1

Page 6/6
Powered By Kayako SupportSuite