For research purposes we are releasing our command-line scanners and signature updates for those who wish to implement malware scanning in a not-for-profit project. Organizations such as VirusTotal, Jotti, CastleCops MIRT, ShadowServer and others use these scanners already on a daily basis to provide a valuable service for the community.
The scanner works under Windows (NT/Me/2000/2003/XP/Vista) and under Linux (rpm and tgz). Non-regular signature updates can be found here. If you are working on a project which needs regular updates please contact me directly.
Panda has announced on their research blog that they have chosen to release their command-line antivirus scanner for free use, including signature updates.
The scanner is intended for advanced users who want to scan on demand themselves via cmd or for b..
How do I contact you? I can’t find any contact details. I made a website like VT and Jotti; I use pavcl on my site (http://virscan.org) and send samples to Panda. I have written many emails to Panda, but got no reply. Please contact me; my email address is flowerpig@gmail.com. Thank you:)
Hello, I’m from VirSCAN.org. I have sent about 2500 samples to virussamples@pandasoftware.com; please check it. I hope to get permission to use pavcl in VirSCAN, like VT or Jotti. VirSCAN’s samples mostly come from China, so they are not the same as those of VT or Jotti. If Panda does not permit VirSCAN to use pavcl, please tell me and I will close the Panda engine. Please reply to me. Thank you.
Hi,
I have created a bootable BartPE (CD and flash drive) that can access XP, 2000, 2003, and probably Vista (not tested), and wish to use your command line. I have been successfully cleaning viruses from machines that can no longer boot with this method. Thanks for your command line. I hope you will continue to provide your virus signatures openly, which allows me to update my bootable BartPE.
Sure, but remember it’s a signature that’s not regularly updated. You can get it from here:
http://research.pandasecurity.com/blogs/images/pav.zip
Sure would be nice if there was a parm like retcc which would allow me to request the total number of virii found via a return code so as to assist automation.
Can you explain the difference between pav.zip (non-regular signature updates can be found there) and pavcl.zip?
Pavcl uses 24 bits numeric return values. The values from bit 8 to bit 23 contain a numeric value that indicates the number of infected files it finds. Bit 24 indicates virus overflow. If it’s active it means it has detected more than 65535 infected files. If you’re interested in the remaining return codes (bit 1 to bit 7) which deal with scan events and detection/disinfection actions, contact me offline.
PAVCL is the command-line (CLI) scanner. It supports Windows and Linux. PAV.SIG (included in pav.zip) is the signature database which includes the detection and disinfection routines and is updated at least once daily.
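The return-code layout described in the reply above is easy to get wrong when scripting the scanner, so here is an added Python example (mine, not Panda's code) that decodes it, plus a small wrapper that runs the scanner and decodes the result. It assumes the bit numbers in the reply are 1-based with bit 1 the least significant, and the default flags in the wrapper are the ones Pedro quotes later in this thread. One caveat that comes from the operating system rather than from the page: a POSIX kernel truncates a child's exit status to 8 bits, so the full 24-bit value is only observable on Windows; on Linux the wrapper flags the count as unreliable.

```python
"""Decode the 24-bit return value of the pavcl command-line scanner.

Added example, not Panda's own code. Bit layout follows the blog reply:
bits 8-23 carry the infected-file count, bit 24 flags overflow (more than
65535 infected files), bits 1-7 carry scan-event/action codes. The bit
numbers are read as 1-based (bit 1 = least significant); that is an
assumption, so the positions are kept in named constants.
"""
import os
import subprocess
from dataclasses import dataclass

EVENT_MASK = 0x7F         # bits 1-7 (1-based) -> low 7 bits
COUNT_SHIFT = 7           # bits 8-23 (1-based) start at 0-based position 7
COUNT_MASK = 0xFFFF       # 16 bits -> at most 65535 infected files
OVERFLOW_BIT = 1 << 23    # bit 24 (1-based) -> 0-based position 23
MAX_CODE = (1 << 24) - 1  # the scanner uses 24 bits in total

# Flags quoted elsewhere in this thread; -exc:sys skips locked system files.
DEFAULT_FLAGS = ("-cmp", "-nob", "-aex", "-nomem", "-exc:sys")


@dataclass(frozen=True)
class ScanResult:
    raw: int          # the undecoded return value
    infected: int     # number of infected files (0..65535)
    overflow: bool    # True when more than 65535 infected files were found
    events: int       # the 7 event/action bits, left undecoded
    reliable: bool    # False when the OS could not deliver all 24 bits


def decode_return_code(rc: int, reliable: bool = True) -> ScanResult:
    """Split a raw pavcl return value into its documented fields."""
    if rc < 0 or rc > MAX_CODE:
        raise ValueError(f"return code {rc} does not fit in 24 bits")
    return ScanResult(
        raw=rc,
        infected=(rc >> COUNT_SHIFT) & COUNT_MASK,
        overflow=bool(rc & OVERFLOW_BIT),
        events=rc & EVENT_MASK,
        reliable=reliable,
    )


def encode_return_code(infected: int, overflow: bool = False, events: int = 0) -> int:
    """Inverse of decode_return_code; used here to build constructed sample codes."""
    if not 0 <= infected <= COUNT_MASK or not 0 <= events <= EVENT_MASK:
        raise ValueError("field out of range")
    return (infected << COUNT_SHIFT) | (OVERFLOW_BIT if overflow else 0) | events


def run_pavcl(pavcl_path: str, target: str, flags=DEFAULT_FLAGS) -> ScanResult:
    """Run the scanner on `target` and decode its return value.

    `pavcl_path` is wherever pavcl is installed (hypothetical path supplied
    by the caller). On POSIX the kernel keeps only the low 8 bits of the
    exit status, so the decoded count is marked unreliable there.
    """
    cmd = [pavcl_path, *flags, target]
    proc = subprocess.run(cmd, check=False)
    return decode_return_code(proc.returncode & MAX_CODE, reliable=(os.name == "nt"))


if __name__ == "__main__":
    # Constructed sample: 3 infected files, no overflow, event bits 0b101.
    sample = encode_return_code(3, overflow=False, events=0b101)
    print(decode_return_code(sample))
```

For automation on Windows, check `overflow` before trusting `infected`: when the scanner has hit the 65535 ceiling the count field is saturated and the real number is unknown.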
Why does the command line scanner have massive temp files and pause for a long time when scanning the files in the root of the drive being scanned?
These temp files can grow as large as 1.8 GB in size and scroll up very quickly. What is the program doing when it is creating these files? Is there a way to keep it from doing this?
It drastically slows down the scan times and, if interrupted, leaves these temp files on the drive.
This is a known issue of the command-line scanner which occurs when we try to open in read/write mode the pagefile and hibernation file. As these OS files are locked, the scanner creates a temporary copy which it uses for scanning.
This is not an error as the scanner is trying to scan all files as it's supposed to (even though it takes longer), but it will be fixed with our engine version 9.5 which is due out in 2008.
In the meantime you may also use the '-exc' switch, such as:
pavcl -cmp -nob -aex -nomem -exc:sys c:
Hello,
I saw that the highest heuristic sensitivity cannot detect some malware that is detected by the medium heuristic sensitivity.
How do I make it the most powerful?
Thanks.
The high heuristic setting is -heu:1, medium is -heu:2 and low is -heu:3. Make sure you are using -heu:1 as the setting for high heuristic and not -heu:3.
Thanks for your help.
But I know “heu:1” is the highest heuristic sensitivity.
Some files detected by “heu:2” also cannot be detected by “heu:1”.
Please see the picture.
http://xs222.xs.to/xs222/07501/pavcl_heur.PNG
Modor, please send me the file to pedro.bustamante-at-pandasecurity.com.
Hi,
First, I would like to thank you and Panda for making this tool available to the public. I love command-line based antimalware tools (so I can run them in safe mode with command prompt only from my USB thumb drive on my family’s computers).
I ran this tool last night on a system to test it out using the following command line arguments:
pavcl.exe -loc -cmp -heu:1 -nos -aex -nob
I think it may have a few false positives; here is the log result. I will be happy to email you some of these files if you do not think there will be any copyright concerns with Ubisoft, Obsidian Entertainment, Microsoft, or other companies whose files were detected.
The reason I think they are false positives is that I made a pass on that machine with Symantec’s Antivirus, Trend Micro’s sysclean package, A-Squared, Mcafee, and ClamWin, but these files were not detected by any of those programs (which were all updated and had heuristics enabled and were in safe mode).
They are labeled as suspect, so I am guessing if I just turn the heuristics down, it will lessen the (possible) false positives significantly? Here is the log and again, let me know if you want me to send the files to you (if you do not think that there will be any legal / copyright concerns, as mentioned above).
Log:
http://home.comcast.net/~quako33/MISC/pavcl.log
Thanks again Mr. Bustamante for your hard work in putting all of this stuff together for the community!
-Quentin
Thanks for your comments Quentin. Please update the signature database and run the scan again. If you’re still encountering these detections send me the files so we can analyze them.
Pav.sig update:
http://research.pandasecurity.com/blogs/images/pav.zip
The “-exc:” switch does not work with Linux.
If I write:
./pavcl -aex -cmp -clv -aex -exc:/opt /
the “/opt” folder is not excluded and is scanned anyway.
Is it the right way to use the “-exc:” option?
Thanx.
Pedro,
In the opening text on this blog you state:
>> If you are working on a project which needs
>> regular updates please contact me directly.
We will need regular updates, before too long. We are paying customers of a Panda GUI-based tool. Is there a way to take the updates that are regularly issued for that and use them with pavcl?
Thanks!
Barry, it depends on the product you have licensed. If it’s the stand-alone product then it doesn’t include license to the command-line scanner. If you own a corporate license then it does include the cmd scanner license as well. Optionally I think you can purchase a separate license to the command-line scanner. Contact your local Panda office for this.
Regarding the URL to use for downloading the updates once you have a registered username/password, it’s the following:
http://username:password@acs.pandasoftware.com/member/pavsig3/pav.zip
I just recently tested the command-line scanner on a Vista platform, inside of a VMware workstation. I used an offline boot utility called VistaPE for Vista, which is similar to BartPE in its functionality. While calling my local Panda sales rep, I found out that they do sell licenses to Panda command-line. The rub here is that you have to buy a minimum of 5 licenses. However, I should point out that my 5 licenses only cost $41.83. I find this well worth the price.
I used to use McAfee command line, but recently I found out that you have to have some super-expensive enterprise license to use it. Not to mention that they did something screwy with their engine updates. Although, I understand that from time to time you have to make updates to the AV engine to keep up.
The pav.zip file that I download from here is more than double the size of the files that my friend downloads for his group. (They have names such as 2008-03-26.pav.zip)
Are these files compatible? I wouldn’t think that they are interchangeable since they differ so much in size!
The pav.zip I have here for research purposes is the complete output signatures from our Collective Intelligence (http://research.pandasecurity.com/archive/Technology-Paper_3A00_-From-AV-to-Collective-Intelligence.aspx).
Our traditional products have a smaller signature which is more optimized to what’s truly circulating and infecting users in-the-wild.
You can safely use one or the other with the command-line scanner. However the one found here is not recommended to be used in our regular desktop products, only with the command-line scanner.
I’m using Debian GNU/Linux.
I converted the rpm with alien and installed it.
It works, but in some cases it returns a “Segmentation fault” error,
e.g. /opt/pavcl/usr/bin/pavcl -info
or /opt/pavcl/usr/bin/pavcl -lis
What does it mean?
First, as others have mentioned, _thanks for this_. You are doing a great service to those of us who have to try to help those less technical with their malware issues. Second, which would YOU use to help friends/family/etc, the PAV.Sig I can access because I’m a licensed owner of the command line version or the one you provide freely here? It seems like you are saying that the one available to licensed owners is just more streamlined (i.e. may work faster) but I wonder if the freely available one is more inclusive.
Either way, THANKS AGAIN!
Brett, if you have Internet connectivity I'd recommend scanning with ActiveScan 2.0 (www.activescan.com) as it has the largest detection capacity by using Collective Intelligence (cloud-scanning).
However I'd also have Panda Anti-Rootkit handy to uncover any possible hidden components. If this turns out to be the case, then use the latest command-line scanner (PAVCL) to deactivate the rootkit and do a complete clean-up (http://research.pandasecurity.com/archive/New-Panda-Antivirus-Command-Line-9.5.1.aspx)
Regarding which pav.sig to use with the PAVCL, the one I post on the blog here is for people who do not have a paying license but still want to use Panda to detect and disinfect computers. It is more inclusive but unfortunately I update it manually whenever I have some time to do that (I'll do it now btw). But if you have an active license then use your daily pav.sig as this will be the most representative of current threats in the wild.