Appendix A. Command-Line Switches for Dr.Web Scanner NT4


In this section, command-line switches for Dr.Web Scanner NT4 are given.

Switches for Dr.Web Scanner are given in Dr.Web Antivirus for Windows Manual, The Scanner and Console Scanner Switches subsection of Appendix A.

 

When a scanning task is launched, it is performed by Dr.Web Scanner. If necessary, you can specify additional parameters of the checkup. You can enter the following switches (separated by spaces) in the Arguments entry field:

/@<file_name> or /@+<file_name> – instructs the scanner to scan objects listed in the specified file. Each object is specified on a separate line of the list-file. It can be either a full path with the file name or the ?boot string, which means that boot sectors should be scanned. For the GUI version of the scanner the file names with mask and directory names should be specified there. The list-file can be prepared manually in any text editor; this can also be done automatically by applications that use the scanner to check certain files. After the scanning is completed, the scanner deletes the list-file if the switch is used without the + character.

/AL – to scan all files on the given device or in the given folder, regardless of their extensions or internal format.

/AR – to scan files inside archives. At present, the scanning of archives (without curing) created by the ARJ, PKZIP, ALZIP, AL RAR, LHA, GZIP, TAR, BZIP2, 7-ZIP, ACE, etc. archivers, as well as of MS CAB-archives – Windows Cabinet Files (QUANTUM packing is not supported yet) and ISO-images of optical disks (CD and DVD) is available. Specified on its own (/AR), the switch instructs the scanner to inform the user when an archive with infected or suspicious files is detected. If the switch is supplemented with the D, M or R modifier, other actions are taken:

/ARD – delete;

/ARM – move (by default, to the Quarantine folder);

/ARR – rename (by default, the first symbol of the extension is replaced by the # character).

The switch may end with the N modifier, and in this case the name of the archiver after the name of the archived file will not be printed.

/CU – actions with infected files and boot sectors of drives. Without the additional D, M or R modifiers, curable objects are cured and incurable files are deleted (unless a different action is specified by the /IC switch). Other actions taken towards infected files:

/CUD – delete;

/CUM – move (by default, to the Quarantine folder);

/CUR – rename (by default, the first symbol of extension is replaced by the # character).

/DA – to scan the computer once a day. The next check date is logged into the configuration file and that is why it should be accessible for writing and subsequent rewriting.

/EX – to scan files with extensions listed in the configuration file by default, or, if unavailable, these are EXE, COM, DLL, SYS, VXD, OV?, BAT, BIN, DRV, PRG, BOO, SCR, CMD, 386, FON, DO?, XL?, WIZ, RTF, CL*, HT*, VB*, JS*, INF, PP?, OBJ, LIB, PIF, AR?, ZIP, R??, GZ, Z, TGZ, TAR, TAZ, CAB, HLP, MD?, INI, MBR, IMG, CSC, CPL, MBP, SH, SHB, SHS, SHT*, MSG, CHM, XML, PRC, ASP, LSP, MSO, OBD, THE*, EML, NWS, SWF, MPP, TBB.

 

If an element of the list of scanned objects contains the explicit file extension, and it is used with special characters * and ?, all files specified in this element of the list will be scanned and not only those matching this list of extensions.

 

/FN – to load Russian letters to the video display decoder (for Dr.Web for DOS only).

/GO – batch mode of the program. All questions implying answers from a user are skipped; solutions implying a choice are taken automatically. This mode is useful for automatic scanning of files, for example, during a daily or weekly check of the hard disk.

/HA – to perform heuristic scanning of files and search for unknown viruses in them.

/ICR, /ICD or /ICM – actions with infected files which cannot be cured:

/ICR – rename;

/ICD – delete;

/ICM – move.

/INI:<path> – use alternative configuration file with specified name or path.

/LNG:<file_name> or /LNG – use alternative language resources file (DWL-file) with specified name or path, and if the path is not specified – the inbuilt (English) language.

/ML – scan files of e-mail format (UUENCODE, XXENCODE, BINHEX and MIME). Specified on its own (/ML), the switch instructs the scanner to inform the user if an infected or suspicious object is detected in a mail archive. If the switch is supplemented with the D, M or R modifier, other actions are taken:

/MLD – delete;

/MLM – move (by default, to the Quarantine folder);

/MLR – rename (by default, the first symbol of extension is replaced by the # character).

In addition, the switch may be supplemented by an extra modifier N (the basic modifiers may be set at the same time). In this case information output about mail archive messages is disabled.

/MW – actions with all types of unsolicited programs. Specified on its own (/MW), the switch instructs the scanner to inform the user. If the switch is supplemented with the D, M, R or I modifier, other actions are taken:

/MWD – delete;

/MWM – move (by default, to the Quarantine folder);

/MWR – rename (by default, the first symbol of extension is replaced by the # character);

/MWI – ignore. Actions with certain types of unsolicited programs are specified by the /ADW, /DLS, /JOK, /RSK, /HCK switches.

/NI – do not use parameters specified in drweb32.ini configuration file.

/NR – do not create a log file.

/NS – disable interrupting of computer scanning. With this switch specified, a user will not be able to interrupt scanning by pressing Esc.

/OK – display full list of scanned objects and mark the uninfected ones with Ok.

/PF – prompt on, if multiple floppies are scanned.

/PR – prompt for confirmation before action.

/QU – the scanner checks the objects specified in the command line (files, disks, folders) and then automatically terminates (for the GUI version of the scanner only).

/RP<file_name> or /RP+<file_name> – log to the file specified in the switch. If no name is specified, log to a default file. If the + character is present, the log is appended to the file. If the + character is absent, a new file is created.

/SCP:<n> – sets the priority of the scanning process, where <n> is a number ranging from 1 to 50.

/SD – scan subfolders.

/SHELL – for the GUI version of the scanner. The switch disables the splash screen display and the scanning of memory and autorun files. The earlier saved lists of paths to files and folders scanned by default are not loaded for scanning. This mode allows the GUI version of the scanner to be used instead of the console version to scan only those objects which are listed in the command line switches.

/SO – enable sounds.

/SPR, /SPD or /SPM – actions with suspicious files:

/SPR – rename;

/SPD – delete;

/SPM – move.

/SS – when the program terminates, save the mode specified during the current program launch in the configuration file.

/ST – sets stealth mode of the GUI version of the scanner. The program operates without any windows opened and self-terminates. However, if virus objects were detected during scanning, the scanner window will be opened after the scanning is completed. This scanner mode presupposes that the list of the scanned objects is specified in the command line.

/TB – scan boot sectors and master boot records (MBR) of the hard drive.

/TM – search for viruses in main memory (including Windows OS system area). Available for scanners for Windows OS only.

/TS – search for viruses in autorun files (in Autorun directory, system INI-files, Windows OS registry). Used only in scanners for Windows OS.

/UP or /UPN – disable the output of the names of the programs used for packing, conversion or vaccination of the scanned executable files to the log file by the scanners.

/WA – do not terminate the program until any key is pressed, if viruses or suspicious objects are found (for console scanners only).

/? – display short help on the program.

Certain switches allow the "-" character to be used at the end. In such "negative" form the switch means cancellation of the mode. This option can be useful if a certain mode is enabled by default, or by settings specified earlier in the configuration file. Here is the list of the command line switches allowing the "negative" form:
/ADW /AR /CU /DLS /FN /HCK /JOK /HA /IC /ML /MW /OK /PF /PR /RSK /SD /SO /SP /SS /TB /TM /TS /UP /WA

For /CU, /IC and /SP switches the "negative" form cancels any actions specified in the description of these switches. This means that infected and suspicious objects will be reported but no actions will be applied.

For /INI and /RP switches the "negative" form is written as /NI and /NR accordingly.

For /AL and /EX switches the "negative" form is not allowed. However, specifying one of them cancels the other.

If several alternative parameters are found in the command line, the last of them takes effect.

The DWScancl Console Scanner parameters

/AR – test archive files. Option is enabled by default.

/AC – test containers. Option is enabled by default.

/AFS – use forward slash to separate paths in archive. Option is disabled by default.

/ARC:<ratio> – maximum archive object compression. If the compression rate of the archive exceeds the limit, Console Scanner neither unpacks nor scans the archive. Unlimited by default.

/ARL:<level> – maximum archive level. Unlimited by default.

/ARS:<size> – maximum archive size in KB. If the archive size exceeds the limit, Scanner neither unpacks nor scans the archive. Unlimited by default.

/ART:<size> – minimum archive object matched by /ARC: the minimum size of a file inside an archive, in KB, beginning from which the compression ratio check will be performed. Unlimited by default.

/ARX:<size> – maximum archive object size in KB. Unlimited by default.

/BI – show virus bases info. Option is enabled by default.

/DR – recursive scan directory. Option is enabled by default.

/E:<engines> – maximum Dr.Web engines to use.

/FL:<path> – scan files listed in the specified file.

/FM:<masks> – scan files matching the masks. By default all files are scanned.

/FR:<regexpr> – scan files matching the expression. By default all files are scanned.

/H or /? – show help message.

/HA – use heuristic analysis. Option is enabled by default.

/KEY:<keyfile> – set the path to the licence key file. This parameter is needed if the key file does not reside in the directory with Console Scanner. By default a key file from the Antivirus installation folder is used.

/LN – resolve shell links. Option is disabled by default.

/LS – use LocalSystem account rights. Option is disabled by default.

/MA – test e-mail like files. Option is enabled by default.

/MC:<limit> – set maximum cure attempts number to limit. Unlimited by default.

/NB – don't backup curing/deleting files. Option is disabled by default.

/NI[:X] – nice mode 0-100, low resource usage in %. Unlimited by default.

/NT – test NTFS streams. Option is enabled by default.

/OK – show OK for clean files. Option is disabled by default.

/P:<prio> – test priority:

0 – the lowest,

L – low,

N – general. Priority by default,

H – the highest,

M – maximal.

/PAL:<level> – maximum pack level. Value is 1000 by default.

/RA:<file.log> – add report into file.log. No report by default.

/RP:<file.log> – write report into file.log. No report by default.

/RPC:<secs> – Dr.Web Scanning Engine connection timeout. Timeout is 30 seconds by default.

/RPCD – use dynamic RPC identification.

/RPCE – use dynamic RPC endpoint.

/RPCE:<name> – use specified RPC endpoint.

/RPCH:<name> – use specified host name for remote call.

/RPCP:<name> – use specified RPC protocol. Possible protocols: lpc, np, tcp.

/QL – list quarantined files on all disks.

/QL:<drive> – list quarantined files on specified drive (letter).

/QR[:[d][:p]] – delete quarantined files on drive <d> (letter) older than <p> days (number). Unspecified <d> – all drives, unspecified <p> – 0 days.

/QNA – double quote file names always.

/REP – follow reparse points. Option is disabled by default.

/SCC – show content of compound objects. Option is disabled by default.

/SCN – show container name. Option is disabled by default.

/SPN – show packer name. Option is disabled by default.

/SLS – show log on screen. Option is enabled by default.

/SPS – show progress on screen. Option is enabled by default.

/SST – show file scan time. Option is disabled by default.

/TB – test boot sectors. Option is disabled by default.

/TM – test processes in memory. Option is disabled by default.

/TS – test system startup processes. Option is disabled by default.

/TR – test system restore points directories. Option is disabled by default.

/W:<sec> – maximum time to scan in seconds. Unlimited by default.

/WCL – drwebwcl compatible output.

/X:S[:R] – set power state shutDown/Reboot/Suspend/Hibernate with reason R (for shutdown/reboot).

Action for different objects (C - cure, Q - move to quarantine, D - delete, I - ignore, R - inform. R is set by default for all objects):

/AAD:X – action for adware (R, possible DQIR).

/AAR:X – action for infected archive files (R, possible DQIR).

/ACN:X – action for infected container files (R, possible DQIR).

/ADL:X – action for dialers (R, possible DQIR).

/AHT:X – action for hacktools (R, possible DQIR).

/AIC:X – action for incurable files (R, possible DQR).

/AIN:X – action for infected files (R, possible CDQR).

/AJK:X – action for jokes (R, possible DQIR).

/AML:X – action for infected e-mail files (R, possible QIR).

/ARW:X – action for riskware (R, possible DQIR).

/ASU:X – action for suspicious files (R, possible DQIR).

Several parameters can have modifiers that explicitly enable or disable the options specified by these keys. For example:

/AC-     option is explicitly disabled,
/AC,  /AC+    option is explicitly enabled.

These modifiers can be useful if an option was enabled or disabled by default or was set in the configuration file earlier. Keys with modifiers are listed below:

/AR,  /AC,  /AFS,  /BI,  /DR,  /HA,  /LN,  /LS,  /MA,  /NB,  /NT,  /OK,  /QNA,  /REP,  /SCC,  /SCN,  /SPN,  /SLS,  /SPS,  /SST,  /TB,  /TM,  /TS,  /TR,  /WCL.

For the /FL parameter, the "-" modifier directs the scanner to scan the paths listed in the specified file and then delete this file.

For /ARC,  /ARL,  /ARS,  /ART,  /ARX,  /NI[:X],  /PAL,  /RPC and /W parameters "0" value means that there is no limit.

Example of using command line parameters with DWScancl Console Scanner:

[<path_to_file>]dwscancl /AR- /AIN:C /AIC:Q C:\

scan all files on disk C:, excluding those in archives; cure the infected files and move to quarantine those that cannot be cured.
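
Added example (not part of the Dr.Web documentation): a Python sketch that resolves a DWScancl argument list into its effective settings, using the defaults, permitted action letters and +/- modifiers listed above, so that the arguments of a scan task can be reviewed before it runs. The function name resolve and the layout of its result are assumptions; a repeated switch simply overwrites the earlier one here, and switches outside the three tables are collected without interpretation.

```python
import re

# Tables transcribed from the DWScancl section of this page.
TOGGLES = {  # switch -> default state (None where the page states no default)
    "AR": True, "AC": True, "AFS": False, "BI": True, "DR": True, "HA": True,
    "LN": False, "LS": False, "MA": True, "NB": False, "NT": True, "OK": False,
    "QNA": None, "REP": False, "SCC": False, "SCN": False, "SPN": False,
    "SLS": True, "SPS": True, "SST": False, "TB": False, "TM": False,
    "TS": False, "TR": False, "WCL": None}
ACTIONS = {  # switch -> permitted action letters; R (inform) is the default
    "AAD": "DQIR", "AAR": "DQIR", "ACN": "DQIR", "ADL": "DQIR", "AHT": "DQIR",
    "AIC": "DQR", "AIN": "CDQR", "AJK": "DQIR", "AML": "QIR", "ARW": "DQIR",
    "ASU": "DQIR"}
LIMITS = {  # switch -> default value; None means unlimited
    "ARC": None, "ARL": None, "ARS": None, "ART": None, "ARX": None,
    "NI": None, "PAL": 1000, "RPC": 30, "W": None}
SWITCH = re.compile(r"^/([A-Za-z?]+)([+-])?(?::(.*))?$")

def resolve(argv):
    """Return the effective DWScancl settings for a list of arguments."""
    out = {"toggles": dict(TOGGLES), "actions": dict.fromkeys(ACTIONS, "R"),
           "limits": dict(LIMITS), "targets": [], "other": [], "errors": []}
    for arg in argv:
        m = SWITCH.match(arg)
        if not m:
            out["targets"].append(arg)  # not switch-shaped: a path or drive
            continue
        name, sign, value = m.group(1).upper(), m.group(2), m.group(3)
        if name in TOGGLES and value is None:
            # /AC and /AC+ enable the option, /AC- disables it
            out["toggles"][name] = sign != "-"
        elif name in ACTIONS and sign is None and value is not None:
            letter = value.upper()
            if len(letter) == 1 and letter in ACTIONS[name]:
                out["actions"][name] = letter
            else:
                out["errors"].append(
                    f"/{name}: action {value!r} not in {ACTIONS[name]}")
        elif name in LIMITS and sign is None and (value or "").isdigit():
            out["limits"][name] = int(value) or None  # "0" means no limit
        else:
            out["other"].append(arg)  # switch not modelled by this sketch
    return out

if __name__ == "__main__":
    # The example command line from this page.
    print(resolve(["/AR-", "/AIN:C", "/AIC:Q", "C:\\"]))
```

For the example command line above, the result shows archive testing off, cure for infected files, quarantine for incurable files, and every other object type left at R (inform).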