How to scan a file with the Symantec Protection Engine 7.9.1 Command Line Scanner (ssecls.jar) utility?
The command line scanner is intended for testing purposes ONLY. It is not intended to be used on a regular basis in a production environment. Use of the command line scanner in production is not supported.
Now, ssecls.jar supports multiple modes.
1) Mode 0:
Use value 0 to run ssecls in legacy mode, i.e. scan the single file specified with the -f switch.
For example, java -jar ssecls.jar -mode 0 -b -p 2 -s <server IP>:<port> -f "<filename>"
2) Mode 1 (Multiple files):
Use value 1 to have ssecls scan multiple files passed with the -fl switch (-fl, the file list, is mandatory in this mode).
For example, java -jar ssecls.jar -mode 1 -b -p 2 -s <server IP>:<port> -fl "<filename>";"<filename>"
3) Mode 2:
Use value 2 to run ssecls in multithreaded mode (passing the config file with the -cfg switch is mandatory in this mode).
For example, java -jar ssecls.jar -mode 2 -cfg <absolute path of SSECLS-Configuration.xml>
Note: See the ssecls-configuration.xml file attached to this KB; it contains the parameters required for mode 2 and their help text.
java -jar ssecls.jar -mode <ssecls operating mode> [options] -f <file to scan> | --help
Options:
-s,--server
    <server>:<port>:<keep-alive connection count>;[<server2>:<port2>:<keep-alive connection count 2>...]. Defaults to 127.0.0.1:1344. If multiple servers are supplied, the server string should be enclosed in a pair of double quotes. For example, "<server>:<port>;<server2>:<port2>".

-a,--action
    SCAN|SCANREPAIR|SCANREPAIRDELETE|DEFAULT

-c,--clobber
    Always overwrite the scanned file with the server response.

-b,--verbose
    Print the scan result on standard output.

-d,--disableinsight
    Disable insight scanning for file.

-l,--aggressionlevel
    <1|2|3> Insight aggression level to be used for scanning.

-md5,--md5hash
    <MD5 hash value of file.>

-sha,--sha256
    <SHA256 hash value of file.>

-i,--sourceip
    <Source IP of the file.>

-u,--sourceurl
    <Source URL of the file.>

-n,--digitallysigned
    <0|1> <File is not signed.>

-r,--reportinsightinfo
    <0|1> 0 to disable insight result, 1 to enable insight result.

-p,--api
    <0|1|2>
    Use 2 to scan file with new Insight APIs, which allow file context (SHA256, MD5, digital signing status, source URL, source IP, etc.) to be provided along with the file scan request. The scan result provides more information about the threat detected and file details.
    Use value 1 to scan file with new APIs; the scan result provides more information about the threat detected.
    Use value 0 to scan file with legacy APIs.
    Defaults to 0.

-fl,--filelist
    Absolute filepaths delimited with ';' (This option is honoured only in -mode=1)

-cfg,--cfg
    Absolute filepath for config file (This option is honoured only in -mode=2)

-mode,--mode
    <0|1|2>
    Use 2 to run ssecls in multithreaded mode. ('-cfg'-> Config file (switch) passing is mandatory for this mode)
    Use value 1 to request ssecls scan multiple files passed using -fl switch ('-fl'-> File list is mandatory in this case)
    Use value 0 to request ssecls run in legacy mode, i.e. scan single file requested using -f switch. If user wants to use older (SDK) codebase/logic, system property <ssecls.older> needs to be 'true'; only this mode honours this property.

-log,--log
    Absolute filepath for SSECLS log file (This option is honoured only in -mode=2)

-loglevel,--loglevel
    SSECLS logging level (This option is honoured only in -mode=2 along with -log option)
    0 - OFF
    1 - ERROR & WARNING
    2 - INFO
    3 - DETAIL
    4 - ALL
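
When mode 1 is run from a POSIX shell, the ';' that delimits the -fl value is also the shell's command separator, so the whole list has to reach ssecls.jar as one quoted argument. The wrapper below is an added example, not part of this KB or the product: the function names, the SSECLS_DRY_RUN variable and the sample paths are made up here, and it assumes -fl accepts bare absolute paths joined with ';' as the option help describes.

```shell
#!/bin/sh
# Added example, not part of the KB article or the product.
# Assumption: -fl accepts bare absolute paths joined with ';' (per the
# option help) when the whole list is passed as a single argument.

# Join the given paths into the ';'-delimited value for -fl.
# Rejects relative paths and paths that contain the delimiter itself.
build_filelist() {
    [ "$#" -gt 0 ] || { echo "no files given" >&2; return 1; }
    _list=""
    for _path in "$@"; do
        case "$_path" in
            *";"*) echo "path contains ';': $_path" >&2; return 1 ;;
            /*)    ;;
            *)     echo "not an absolute path: $_path" >&2; return 1 ;;
        esac
        _list="${_list:+$_list;}$_path"
    done
    printf '%s' "$_list"
}

# scan_files <server:port> <file>...
# Runs a mode 1 scan. With SSECLS_DRY_RUN=1 the argument vector is printed
# one argument per line instead, so the quoting can be inspected.
scan_files() {
    [ "$#" -ge 2 ] || { echo "usage: scan_files <server:port> <file>..." >&2; return 2; }
    _server=$1; shift
    _fl=$(build_filelist "$@") || return 1
    # "$_fl" is quoted so the shell does not treat ';' as a command
    # separator and so paths with spaces stay inside one argument.
    set -- -jar ssecls.jar -mode 1 -b -p 2 -s "$_server" -fl "$_fl"
    if [ "${SSECLS_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' java "$@"
    else
        java "$@"
    fi
}
```

Setting SSECLS_DRY_RUN=1 before calling scan_files shows exactly which arguments would be handed to java without contacting the server.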