Using the Symantec Protection Engine Command Line Scanner
search cancel

Using the Symantec Protection Engine Command Line Scanner


Article ID: 177105


Updated On:


Protection Engine for Cloud Services Protection Engine for NAS


You want to use the Symantec Protection Engine Command Line Scanner (SSECLS).




NOTE: This tool is only for testing and is not supported for use in production.


Use SSECLS from a command line. The following is the basic command line syntax.

ssecls [options] <file|directory> [file|directory]


Notes: In the line above there is a single space between each part. For example there is a space between ssecls and [options]. When inserting an option, replace [options] with the command. For example: ssecls -verbose

You can use several options with SSECLS. The following lists each option and associated defaults:

-server <IP1>:[port1]
Defaults to server
Multiple servers can be specified for load balancing.

In the option above, insert the IP address for <IP1> followed by a colon. For example: -server
You can add multiple IP addresses and ports using the syntax -server <IP1>:[port1];<IP2>:[port2]
An example: -server;

-mode <scan|scanrepair>
Defaults to the Protection Engine's scan policy.

Display file name and infection status for every file scanned.

Display detailed infection information for infected files.

Display the total time required to scan the file.

Recurse through directories.

-onerror leave|delete
Defaults to delete infected file when error occurs replacing the file.

Additional notes for Symantec Protection Engine Command Line Scanner included with Symantec Protection Engine Engine 7.0 and up:
The command-line scanner has been enhanced with new options to exclude certain files from scanning, and with the ability to redirect console output to a log file. Three command line arguments control these new capabilities.

Enhanced Logging

-log path

To redirect console output to a log file, use the argument '-log _path_' where _path_ is a full or partial path to a file. The file will be created if it does not exist, or overwritten if it does exist. When running in this mode, most output is sent to the log file instead of the screen; instead, savsecls writes a series of dots to the screen as it scans files so that you can 'see' progress.


-exclude *.ext | path/to/file | /path/to/dir
To exclude files by name, a rule file must be created. The format of the file is one string per line, where the string may contain:

  • A simple filename (such as "memo.doc") which causes files matching that name to be skipped regardless of the folder in which they are found. To skip all files with a given extension, use the syntax "*.ext". This is the only supported use of a wildcard.
  • A full pathname to a specific file in which case that specific file will be skipped.
  • A full pathname to a directory, in which case every file in that directory will be skipped.

Once a rule file has been created, run savsecls with the argument '-exclude _path_' where _path_ is the path to the rule file created above.

-maxsize size in bytes
To exclude files above a certain size from being scanned, use the argument '-maxsize _bytes_' where any file _bytes_ size or greater will be skipped by savsecls (e.g. such files are never sent to the scan engine.)



  • SSECLS will ignore symbolic links. (Unix file systems only)
  • SSECLS is an inclusive scanner, it will scan all files that it is directed to scan. The ability to exclude files was added to the 4.3.6 version of the product.