Symantec Protection Engine 7.9.1 Command Line Scanner (ssecls.jar)

Article ID: 170922

Products

Protection Engine for Cloud Services

Protection Engine for NAS

Issue/Introduction

How to scan a file with the Symantec Protection Engine 7.9.1 Command Line Scanner (ssecls.jar) utility?

Resolution

The command line scanner is intended for testing purposes ONLY. It is not intended to be used on a regular basis in a production environment. Using the command line scanner in production is not supported.

ssecls.jar now supports multiple modes.

1) Mode 0:

Use value 0 to run ssecls in legacy mode, i.e. to scan the single file passed with the -f switch.

For example: java -jar ssecls.jar -mode 0 -b -p 2 -s <server IP>:<port> -f "<filename>"

 

2) Mode 1 (Multiple files):

Use value 1 to have ssecls scan multiple files passed with the -fl switch ('-fl' -> the file list is mandatory in this case).

For example: java -jar ssecls.jar -mode 1 -b -p 2 -s <server IP>:<port> -fl "<filename>;<filename>"

 

3) Mode 2:

Use value 2 to run ssecls in multithreaded mode ('-cfg' -> passing the config file switch is mandatory for this mode).

For example: java -jar ssecls.jar -mode 2 -cfg <absolute path of SSECLS-Configuration.xml>

Note: The SSECLS-Configuration.xml file attached to this KB contains the parameters required for mode 2, together with help text for each of them.
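An added example, not part of the KB article or of Symantec's tooling: a POSIX shell wrapper that builds the mode 1 -fl value from a set of paths and passes it to ssecls.jar as a single quoted argument. The function names and the SSECLS_* environment variables are hypothetical, and the check assumes POSIX-style absolute paths.

```shell
#!/bin/sh
# Added example (not Symantec code): wrapper around "ssecls.jar -mode 1".
# Function names and the SSECLS_* variables are hypothetical.
# Assumes POSIX-style absolute paths (leading '/').

# Build the -fl value: absolute paths joined with ';'.
# A path that is relative or itself contains ';' is rejected, because ';'
# is the list delimiter and would split one name into two entries.
ssecls_filelist() {
    list=""
    for f in "$@"; do
        case "$f" in
            *\;*) echo "rejected (contains ';'): $f" >&2; return 1 ;;
            /*)   ;;
            *)    echo "rejected (not absolute): $f" >&2; return 1 ;;
        esac
        list="${list:+$list;}$f"
    done
    [ -n "$list" ] || { echo "no files given" >&2; return 1; }
    printf '%s\n' "$list"
}

# Scan all given files in one mode 1 request, using the same -b -p 2
# switches as the article's example. The list is passed as ONE quoted
# argument: an unquoted ';' is a command separator in POSIX shells.
# SSECLS_DRY_RUN=1 prints the argument vector, one argument per line.
ssecls_scan_files() {
    server="${SSECLS_SERVER:-127.0.0.1:1344}"   # documented default
    fl=$(ssecls_filelist "$@") || return 1
    set -- java -jar "${SSECLS_JAR:-ssecls.jar}" -mode 1 -b -p 2 \
        -s "$server" -fl "$fl"
    if [ "${SSECLS_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        "$@"
    fi
}

# Dry run on constructed sample paths; nothing is executed.
( SSECLS_DRY_RUN=1
  ssecls_scan_files "/srv/incoming/invoice 01.pdf" "/srv/incoming/setup.exe" )
```

Because the arguments are passed as a vector and never re-parsed with eval, file names containing spaces or shell metacharacters reach the scanner unchanged.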

 

Usage: 

java -jar ssecls.jar -mode <ssecls operating mode> [options] -f <file to scan> | --help

Options: 

-s,--server

<server>:<port>:<keep-alive connection count>;[<server2>:<port2>:<keep-alive connection count 2>...]. Defaults to 127.0.0.1:1344.

If multiple servers are supplied, the server string should be enclosed in a pair of double quotes.

For example, "<server>:<port>;<server2>:<port2>".

 

-a,--action    

SCAN|SCANREPAIR|SCANREPAIRDELETE|DEFAULT

 

-c,--clobber

always overwrite the scanned file with server response.

 

-b,--verbose   

print the scan result on standard output.

 

-d,--disableinsight 

Disable insight scanning for file.

 

-l,--aggressionlevel

<1|2|3>

Insight aggression level to be used for scanning.

 

-md5,--md5hash 

<MD5 hash value of file.>

 

-sha,--sha256  

<SHA256 hash value of file.>

 

-i,--sourceip  

<Source IP of the file.>

 

-u,--sourceurl 

<Source URL of the file.>

 

-n,--digitallysigned

<0|1>

<File is not signed.>

 

-r,--reportinsightinfo    

<0|1>

                0              to disable insight result

                1              to enable insight result

 

-p,--api

<0|1|2>

Use value 2 to scan the file with the new Insight APIs, which allow file context (SHA256, MD5, digital signing status, source URL, source IP, etc.) to be provided along with the file scan request. The scan result provides more information about the threat detected and file details.

Use value 1 to scan the file with the new APIs, which provide more information about the threat detected.

Use value 0 to scan the file with the legacy APIs. Defaults to 0.

 

-fl,--filelist 

Absolute filepaths delimited with ';' (This option is honoured only in -mode=1)

 

-cfg,--cfg

Absolute filepath for config file (This option is honoured only in -mode=2)

 

-mode,--mode

<0|1|2>

Use 2 to run ssecls in multithreaded mode. ('-cfg'-> Config file (switch) passing is mandatory for this mode)

Use value 1 to request ssecls scan multiple files passed using -fl switch ('-fl'-> File list is mandatory in this case)

Use value 0 to request ssecls run in legacy mode, i.e. scan the single file requested using the -f switch.

To use the older (SDK) codebase/logic, the system property <ssecls.older> needs to be 'true'; only this mode honours this property.

 

-log,--log

Absolute filepath for SSECLS log file (This option is honoured only in -mode=2)

 

-loglevel,--loglevel

SSECLS logging level (This option is honoured only in -mode=2 along with -log option)

                0 - OFF

                1 - ERROR & WARNING

                2 - INFO

                3 - DETAIL

                4 - ALL

 

Attachments

SSECLS-Configuration.xml