
Sav32cli, Windows 7/Vista and NTFS junctions

Morning all,

I'm testing the use of Sav32CLI from a PE boot image created from the Windows 7 Automated Installation kit so that it can be run from a known clean boot source, for when there are things that the installed copy of Sophos can't pick up/clean.

This has worked fine with XP machines, but today I have had a Vista PC brought in.  Sav32cli appears to be delving into a loop caused by Vista/W7 having a junction (symlink) within the user profile that points to the parent directory for legacy reasons

(c:\Users\<user>\AppData\Local contains 'Application Data' that points back to ...\AppData\Local).

Is there any option that needs to be set to get Sav32CLI to not descend into junctions and skip them instead?  Or could that lead to viruses getting missed?  It's been running for an hour so far and has been giving me pages of the same pair of viruses in the same order contained within

c:\Users\<user>\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\... (repeats for several lines until it gets truncated so I can't see where it has really found these files).

On the plus side it does look as though it is finally starting to unwind the recursion so it will eventually find the original files and hopefully deal with them, but it would speed things up if it didn't spend an hour for each user profile on the computer scanning the same files over and over!

Ta,

Steve.

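The loop Steve describes is a scanner following a directory reparse point that points back at its own parent. The walker below is an added example, not Sophos code and not a Sav32CLI option: it refuses to enter any reparse point (symlinks, and on Windows NTFS junctions via FILE_ATTRIBUTE_REPARSE_POINT), records what it skipped for the report, and additionally keys each directory by (device, inode) so a directory reached by two different paths is scanned once. It builds a constructed profile tree in a temporary directory with an "Application Data" link back to AppData\Local; a symlink stands in for the junction because creating a real junction needs mklink /J on NTFS, and the walker treats both the same way. The depth-limited naive_walk shows the symptom from the post: the same file reported once per nesting level.

```python
"""Added example (not Sophos/Sav32CLI code): a directory walker that does not
descend into NTFS junctions / symlinks and guards against directory cycles."""
import os
import stat
import tempfile

# Windows-only constant; on other platforms it is absent, so default to 0 (never matches).
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0)


def is_reparse_point(entry: os.DirEntry) -> bool:
    """True for symlinks and, on Windows, NTFS junctions (both are reparse points).
    DirEntry.is_symlink() is False for junctions, so the raw attribute is checked too."""
    if entry.is_symlink():
        return True
    st = entry.stat(follow_symlinks=False)
    return bool(getattr(st, "st_file_attributes", 0) & REPARSE)


def safe_walk(root):
    """Return (files, skipped): regular files under root, and reparse points not entered.
    Directories are keyed by (st_dev, st_ino) so one reachable twice is scanned once."""
    files, skipped, seen = [], [], set()
    stack = [root]
    while stack:
        d = stack.pop()
        st = os.stat(d)
        key = (st.st_dev, st.st_ino)
        if key in seen:          # cycle or hard-linked directory already covered
            continue
        seen.add(key)
        with os.scandir(d) as it:
            for e in sorted(it, key=lambda x: x.name):
                if is_reparse_point(e):
                    skipped.append(e.path)      # do not follow; keep for the report
                elif e.is_dir(follow_symlinks=False):
                    stack.append(e.path)
                elif e.is_file(follow_symlinks=False):
                    files.append(e.path)
    return files, skipped


def naive_walk(root, max_depth):
    """A walker that follows links without checking reparse points, depth-limited so the
    demo terminates. Returns how many times each file name was reported."""
    counts = {}

    def rec(d, depth):
        if depth > max_depth:
            return
        with os.scandir(d) as it:
            for e in it:
                if e.is_dir():                    # follows symlinks/junctions
                    rec(e.path, depth + 1)
                elif e.is_file():
                    counts[e.name] = counts.get(e.name, 0) + 1

    rec(root, 0)
    return counts


def build_profile_tree(base):
    """Constructed sample: Users/alice/AppData/Local/real.txt plus a link
    'Application Data' -> Local, mirroring the Vista/7 compatibility junction."""
    local = os.path.join(base, "Users", "alice", "AppData", "Local")
    os.makedirs(local)
    with open(os.path.join(local, "real.txt"), "w") as f:
        f.write("sample\n")
    os.symlink(local, os.path.join(local, "Application Data"), target_is_directory=True)
    return local


def demo():
    """Build the tree, walk it both ways, and return relative results for checking."""
    with tempfile.TemporaryDirectory() as base:
        build_profile_tree(base)

        def rel(p):
            return os.path.relpath(p, base).replace(os.sep, "/")

        files, skipped = safe_walk(base)
        loop_hits = naive_walk(base, max_depth=10)["real.txt"]
        return [rel(f) for f in files], [rel(s) for s in skipped], loop_hits


if __name__ == "__main__":
    files, skipped, hits = demo()
    print("scanned:", files)
    print("skipped reparse points:", skipped)
    print("naive walker reported real.txt", hits, "times")
```

With max_depth=10 the naive walker reports real.txt seven times (once at AppData\Local and once at each of the six nested "Application Data" levels it reaches), which is the "pages of the same pair of viruses" pattern; the safe walker reports it once and lists the junction it did not enter. On a live Vista/7 system the compatibility junctions also carry a deny-list ACE for Everyone, which is what keeps most tools out of them; a walker running from an offline boot environment should not rely on that and should check the reparse attribute itself.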


  • Hello Steve,

    which version of SAV32CLI do you use? Regarding symlinks I'm only aware of this article. But it doesn't say that the scan is looping - and I've seen this neither on XP (client has several junctions mainly for testing) nor on Win7. Make sure you run it as administrator (and that UAC doesn't interfere). AFAIK there is no applicable option - but that's gleaned from the help.

    Christian 

  • Steve,

    Did you (or anyone) ever happen to find a workaround for this issue?  I'm experiencing the same problem with the April build of SAV32CLI.  I used the -ns switch in order to see what files were being scanned and it just seems to loop between the Application Data junctions.  I also tried building exclusions in but I have been unable to get it to work so far.

    Thanks,

    Tim

  • Hi all,

    I found a way to deal with those junctions. Unfortunately, you have to add exclusions for each of the locations into the SAV32CLI command.  I've had some luck when adding these exclusions to the scan. Turns out I was configuring the previous exclusions wrong, haha.

    -exclude "C:\Users\%username%\Application Data" "C:\Users\%username%\Cookies" "C:\Users\%username%\Local Settings" "C:\Users\%username%\My Documents" "C:\Users\%username%\NetHood" "C:\Users\%username%\PrintHood" "C:\Users\%username%\Recent" "C:\Users\%username%\SendTo" "C:\Users\%username%\Start Menu" "C:\Users\%username%\Templates" "C:\Users\%username%\AppData\Local\Application Data" "C:\Users\%username%\AppData\Local\History" "C:\Users\%username%\AppData\Local\Temporary Internet Files" "C:\ProgramData\Application Data" "C:\ProgramData\Desktop" "C:\ProgramData\Documents" "C:\ProgramData\Favorites" "C:\ProgramData\Start Menu" "C:\ProgramData\Templates"

    Good luck!

    Tim

  • Hello Tim,

    thanks for sharing your findings. As I said here it always completed within reasonable time. Did you scan the whole C: drive and did you ever wait for it to finish? Guess you used the -ns switch only after you've found that it takes overly long. Wonder why excluding just the logged on user helped though. Were you logged on as Administrator or did you use another admin user? What about UAC?

    Christian

  • Christian,

    Sorry about the lack of a response, I thought I subscribed to this as a feed but I guess not! haha.  We never were scanning the C: drive with the command listed above, mainly because this was a small segment of our users who constantly got FakeAV infections and also ran with Admin rights (a situation we have been in the process of fixing, haha).  Essentially we used this tool for a quick cleaning purpose and then made sure their Sophos client was updated and started a full scan.  After a little bit of tinkering with wildcards I was able to set up this:


    "C:\Users\*\Application Data" "C:\Users\*\Cookies" "C:\Users\*\Local Settings" "C:\Users\*\My Documents" "C:\Users\*\NetHood" "C:\Users\*\PrintHood" "C:\Users\*\Recent" "C:\Users\*\SendTo" "C:\Users\*\Start Menu" "C:\Users\*\Templates" "C:\Users\*\AppData\Local\Application Data" "C:\Users\*\AppData\Local\History" "C:\Users\*\AppData\Local\Temporary Internet Files" "C:\ProgramData\Application Data" "C:\ProgramData\Desktop" "C:\ProgramData\Documents" "C:\ProgramData\Favorites" "C:\ProgramData\Start Menu" "C:\ProgramData\Templates"

    Entering that in the exceptions portion of the script will ignore the junctions for all the users if you want to perform a full scan on the entire C: drive.  Also you're correct, I did use the -ns switch combined with exporting it to a logfile. That's when I realized something was wrong with the scanner.

    Hope this helps!

    Tim

  • I forgot some Junctions that you will probably want to add to the tail end of that previous list:

    "C:\Documents and Settings" "C:\Users\All Users" "C:\Users\Default User\"

    These additions have been quite effective for our organization when using the tool, hopefully they'll help all of you out as well!

    Tim
