Sav32cli, Windows 7/Vista and NTFS junctions

Morning all,

I'm testing the use of Sav32CLI from a PE boot image created from the Windows 7 Automated Installation kit so that it can be run from a known clean boot source, for when there are things that the installed copy of Sophos can't pick up/clean.

This has worked fine with XP machines, but today I have had a Vista PC brought in.  Sav32cli appears to be delving into a loop caused by Vista/W7 having a junction (symlink) within the user profile that points to the parent directory for legacy reasons.

(c:\Users\<user>\AppData\Local contains 'Application Data' that points back to ...\AppData\Local).

Is there any option that needs to be set to get Sav32CLI to not descend into junctions and skip them instead?  Or could that lead to viruses getting missed?  It's been running for an hour so far and has been giving me pages of the same pair of viruses in the same order contained within

c:\Users\<user>\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\... (repeats for several lines until it gets truncated so I can't see where it has really found these files).

On the plus side it does look as though it is finally starting to unwind the recursion so it will eventually find the original files and hopefully deal with them, but it would speed things up if it didn't spend an hour for each user profile on the computer scanning the same files over and over!

Ta,

Steve.



  • Christian,

    Sorry about the lack of a response, I thought I subscribed to this as a feed but I guess not! haha.  We never were scanning the C: drive with the command listed above mainly because this was a small segment of our users who constantly got FakeAV infections and also ran with Admin rights (a situation we have been in the process of fixing, haha).  Essentially we used this tool for a quick cleaning purpose and then made sure their Sophos client was updated and started a full scan.  After a little bit of tinkering with wildcards I was able to set up this:


    "C:\Users\*\Application Data" "C:\Users\*\Cookies" "C:\Users\*\Local Settings" "C:\Users\*\My Documents" "C:\Users\*\NetHood" "C:\Users\*\PrintHood" "C:\Users\*\Recent" "C:\Users\*\SendTo" "C:\Users\*\Start Menu" "C:\Users\*\Templates" "C:\Users\*\AppData\Local\Application Data" "C:\Users\*\AppData\Local\History" "C:\Users\*\AppData\Local\Temporary Internet Files" "C:\ProgramData\Application Data" "C:\ProgramData\Desktop" "C:\ProgramData\Documents" "C:\ProgramData\Favorites" "C:\ProgramData\Start Menu" "C:\ProgramData\Templates"

    Entering that in the exceptions portion of the script will ignore the junctions for all the users if you want to perform a full scan on the entire C: drive.  Also you're correct, I did use the ns switch combined with exporting it to a logfile. That's when I realized something was wrong with the scanner.

    Hope this helps!

    Tim

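An added example, not from the thread and not Sophos' own code: a PowerShell script that walks the profile roots on the offline disk without descending into reparse points, flags the junctions that resolve back to their own ancestor (the `Application Data` loop Steve describes) and writes the exclusion list in the same quoted, space-separated form as Tim's. It assumes Windows PowerShell 5.1 or later (for the `LinkType` and `Target` properties on directory items), that the Windows volume being cleaned is mounted as C: inside the PE environment (change the roots otherwise), and that a wrapper script feeds the output file to sav32cli the way Tim's does; the function names are my own. Because it enumerates the real junctions rather than relying on `C:\Users\*` wildcards, it also catches profiles stored outside the default locations.

```powershell
# Added example: find NTFS junctions/symlinked directories under the profile
# roots, detect self-referencing ones, and emit a sav32cli-style exclusion list.
# Assumes Windows PowerShell 5.1+ and an offline Windows volume mounted as C:.

function Test-JunctionLoop {
    param([string]$Junction, [string]$Target)
    if (-not $Target) { return $false }
    $t = $Target -replace '^\\\\\?\\', ''          # strip the \\?\ prefix some targets carry
    $t = $t.TrimEnd('\') + '\'
    $parent = (Split-Path -Path $Junction -Parent).TrimEnd('\') + '\'
    # A junction loops if its target is its own parent directory or any
    # ancestor of it: 'AppData\Local\Application Data' -> 'AppData\Local'.
    return $parent.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)
}

function Find-JunctionPoints {
    param(
        [Parameter(Mandatory)][string[]]$Root,
        [int]$MaxDepth = 6                        # bounds the walk even if something odd is on disk
    )
    $found = New-Object System.Collections.Generic.List[object]

    function Walk([string]$Path, [int]$Depth) {
        if ($Depth -gt $MaxDepth) { return }
        # -Force is required: the legacy junctions are hidden+system.
        $children = Get-ChildItem -LiteralPath $Path -Directory -Force -ErrorAction SilentlyContinue
        foreach ($d in $children) {
            if (($d.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
                # Record the reparse point but do NOT recurse into it; descending
                # here is exactly what produces the endless 'Application Data' chain.
                $target = @($d.Target)[0]
                $found.Add([pscustomobject]@{
                    Path     = $d.FullName
                    LinkType = $d.LinkType
                    Target   = $target
                    Loops    = Test-JunctionLoop -Junction $d.FullName -Target $target
                })
            } else {
                Walk -Path $d.FullName -Depth ($Depth + 1)
            }
        }
    }

    foreach ($r in $Root) {
        if (Test-Path -LiteralPath $r) { Walk -Path $r -Depth 0 }
    }
    return $found
}

function Format-SavExclusions {
    param([object[]]$Junctions)
    # Same quoted, space-separated form as the list in Tim's reply; how the
    # wrapper script hands it to sav32cli is that script's concern.
    return ($Junctions | ForEach-Object { '"{0}"' -f $_.Path }) -join ' '
}

# Roots are an assumption for the PE case: adjust if the offline volume has a different letter.
$junctions = Find-JunctionPoints -Root 'C:\Users', 'C:\ProgramData'
$junctions | Format-Table Path, LinkType, Target, Loops -AutoSize
$junctions | Where-Object Loops | ForEach-Object {
    Write-Warning "self-referencing junction (would loop a naive scanner): $($_.Path)"
}
Format-SavExclusions -Junctions $junctions | Set-Content -Path .\sav32cli-exclusions.txt
```

The walk deliberately does its own recursion instead of `Get-ChildItem -Recurse`, because Windows PowerShell 5.1 follows junctions when recursing and would hit the same loop the scanner does. Excluding every reparse point is safe for a scan of the whole C: drive: each junction's target is a real directory that is still scanned by its real path, so nothing is skipped, it is only visited once. Review the `Loops` column before trusting the list; a junction that points somewhere outside the profile roots is still excluded, but its target directory would then need to be in the scan scope by its own path.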