
Ecls.exe command line scanner


estas


Situation: we are using hmailserver for our mail server. This server stores all incoming mails temporarily as a file so external antivirus software (with a command line scanner) has the opportunity to scan this .tmp or .eml file. After the scan the mail server looks at the return code and acts on it by deleting the attachment or the mail if a threat is found.
To do this we use a bat file like this:
"C:\Program Files\ESET\ESET Endpoint Antivirus\ecls.exe" /no-log-console /log-file=C:\hmailserver\logs\eset.log /no-log-all /no-quarantine /clean-mode=none /no-boots %1
exit %errorlevel%

The problem is that all viruses are passed even when a threat should be found:

This is what a log looked like:
ECLS Command-line scanner, version 5.0.2229.0, (C) 1992-2014 ESET, spol. s r.o.
Module loader, version 1060 (20150617), build 1092
Module perseus, version 1472 (20150930), build 1713
Module scanner, version 12488 (20151030), build 26481
Module archiver, version 1238 (20150921), build 1250
Module advheur, version 1162 (20150923), build 1128
Module cleaner, version 1114 (20151004), build 1145

Command line: /no-log-console /log-file=C:\hmailserver\logs\eset.log /no-log-all /no-quarantine /clean-mode=none /no-boots C:\Program Files (x86)\hMailServer\Data\{9B097597-F2B3-488D-AECC-B9BE156D5BE1}.eml 

Scan started at:   10/30/15 10:13:07

Scan completed at: 10/30/15 10:13:07
Scan time:         0 sec (0:00:00)
Total:             files - 1, objects 2
Infected:          files - 0, objects 0
Cleaned:           files - 0, objects 0

What are we doing wrong with the parameters? We need the scanner to scan the file, and only the file (no memory or boot sectors), and then return a value if a threat is found. The file may NOT be cleaned or quarantined. We have the exit codes set to 50.

We are using Eset Endpoint antivirus 5.0.2229.1
This should be our first line of defense but for some odd reason we cannot seem to get it working.
All help is welcome
 
PS: this is the 3rd try. All other tries did not get posted.

  • Administrators

When a threat is found, exit code 50 is returned. I'd suggest testing it with the eicar test file to make sure that you don't test a fresh malware that may not be detected by ecls before an update of the signature database.


Thanks Marcos for your reply.

Did that already, but the strangest thing is, if I do it manually then the test returns exit code 50.

If I do the same by mail then the exit code returned is 100 (added log functionality to the bat file)

*** Date: ma 02-11-2015 and Time: 9-32-03,07 *** File:"C:\Program Files (x86)\hMailServer\Data\{5E655CBB-75DA-4B67-B209-50644DA4ED44}.eml"  errorlevel:100

What can cause the exit code 100 to appear?


  • Administrators

Exit code 100 means an error loading a module. Make sure to use the "/base-dir=" parameter that will point to the ESET install folder with modules. Not sure how it works with long paths so you'd better use a shortened form "/base-dir=C:\PROGRA~1\ESET\ESETEN~1\".


Tried the /base-dir parameter, but result is the same - error 100 still exists. Some scans return code 0, others still error 100. The mails returning error 100 are just regular html mails from customers, nothing special about the mails. Could this be a Windows security issue? (Windows 7 pro)


Just sent you one file where we had the error 100. If I use the same bat file (manually) with this file, then the return code is 0. Tried this by putting the file in a c:\temp folder and in the program files folder as well, with the same result.

  • 4 weeks later...

Just sent you one file where we had the error 100. If I use the same bat file (manually) with this file, then the return code is 0. Tried this by putting the file in a c:\temp folder and in the program files folder as well, with the same result.

Did you get this all sorted? I'm looking to set up hmailserver and have Eset File Security 4.5 on Windows 2012; do you know if they will work together? Would you mind sending an overview of the installation with the bat file and how you trigger that?

 

Any help/reference appreciated.

 

Regards.


Hello Zugzwang, we never got the error 100 solved, but everything is working and (some) viruses are getting fetched by ECLS.

We are using Eset Endpoint Antivirus 6 with following setup:

  • Excluded folders for Realtime protection:  C:\Program Files (x86)\hMailServer\Temp\*.* and C:\Program Files (x86)\hMailServer\Data\*.*
  • In hmailserver use external scanner C:\hmailserver\esetscan.bat "%FILE%" with return value 50

esetscan.bat

"C:\Program Files\ESET\ESET Endpoint Antivirus\ecls.exe" /log-file=C:\hmailserver\logs\eset.log /no-log-console /log-all /no-quarantine /clean-mode=none /no-boots %1
exit %errorlevel%

 

Some viruses are getting through, probably where the error 100 is reported, but our client (also using Eset) are fetching these viruses.

 

Hope this will help you and others.

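As an added example (not part of the posts above, and not ESET's or hMailServer's own code): in the setup described in this thread, only return value 50 marks a message as infected, so a scan that ends in error 100 is handled like a clean result. The wrapper below retries once and then fails closed; it reuses the paths and ecls.exe switches posted in the thread, while the wrapper log name, the single retry and the mapping of error codes to 50 are assumptions of this example.

```bat
@echo off
setlocal
rem Added example: fail-closed wrapper for hMailServer's external scanner hook.
rem ecls.exe path and switches are the ones posted in this thread.
rem WRAPLOG, the single retry and the mapping to 50 are assumptions.

set "ECLS=C:\Program Files\ESET\ESET Endpoint Antivirus\ecls.exe"
set "ESETLOG=C:\hmailserver\logs\eset.log"
set "WRAPLOG=C:\hmailserver\logs\esetscan-wrapper.log"

rem %~1 strips the quotes hMailServer puts around "%FILE%"; the path is
rem re-quoted when used so "Program Files (x86)" stays a single argument.
set "TARGET=%~1"

call :scan
if %RC%==0 goto done
if %RC%==50 goto done

rem Any other code is a scanner error, not a verdict (this thread reports
rem 100 = error loading a module, 10 = some items could not be scanned).
rem The same file scanned again returned 0 in the thread, so retry once.
call :scan
if %RC%==0 goto done
if %RC%==50 goto done

rem Still no verdict: report 50 so the message is not delivered unscanned.
>>"%WRAPLOG%" echo %DATE% %TIME% fail-closed after rc=%RC% file="%TARGET%"
set "RC=50"

:done
exit %RC%

:scan
"%ECLS%" /log-file=%ESETLOG% /no-log-console /log-all /no-quarantine /clean-mode=none /no-boots "%TARGET%"
set "RC=%ERRORLEVEL%"
>>"%WRAPLOG%" echo %DATE% %TIME% rc=%RC% file="%TARGET%"
goto :eof
```

Failing closed means a persistent scanner error makes hMailServer handle a legitimate message as infected, so the wrapper log should be reviewed for `fail-closed` entries.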

  • 2 weeks later...
I want to scan using command line scanner.

We tried the following command but it's not working, so please help me with this issue.

 

"C:\Program Files\ESET\ESET Endpoint Security\ecls.exe" C:\Program Files\hMailServer\Data /files /no-boots /arch /mail /mailbox /sfx /rtp /adware /unsafe /unwanted /pattern /heur /adv-heur /clean-mode=Strict /log-file=c:\eset1.txt /aind "%FILE%"


 

I want to scan using command line scanner.
We tried the following command but it's not working, so please help me with this issue.
 
"C:\Program Files\ESET\ESET Endpoint Security\ecls.exe" C:\Program Files\hMailServer\Data /files /no-boots /arch /mail /mailbox /sfx /rtp /adware /unsafe /unwanted /pattern /heur /adv-heur /clean-mode=Strict /log-file=c:\eset1.txt /aind "%FILE%"

 

 

 

We use a similar command with Trustwave SEG (Mail Marshal) but it returns a code of 10 on every item. 10 means it couldn't scan some items, if I remember correctly. ESET support and Trustwave both don't seem to know why ecls.exe is not scanning properly.

  • Administrators

Ecls has never been supported by ESET as a command-line scanner for scanning email. In fact, it's a violation of the EULA, which says:
4. License. Provided that you have agreed to this Agreement and you pay the License Fee under Article 17 when due and payable, the Provider grants you a non-exclusive and non-transferable right to install the Software on the hard disk of a computer or on a similar medium for permanent storing of data, to install and store the Software to the memory of a computer system and to implement, store and display the Software on computer systems, however, provided that the maximum number of such computer systems is the number which the End User specified in an order and for which the End User paid the relevant fee (the “License”). One user shall mean: (i) installation of the Software on one computer system, or (ii) if the extent of a license is bound to the number of mail boxes, then one user shall mean a computer user who accepts electronic mail through a Mail User Agent (the “MUA”). If the MUA accepts electronic mail and subsequently distributes it automatically to several users, then the number of users shall be determined according to the actual number of users for whom the electronic mail is distributed. If a mail server performs the function of a mail gate, the number of users shall equal the number of mail servers for which such gate provides services. If any number of addresses of electronic mail (e.g., through alias) are directed to one user and one user accepts them, and mails are not automatically distributed on the side of the client for more users, the License is required for only one computer. To use the Software in corporate environment (on workstations, file servers, mail servers, mail relays, mail gateways or internet gateways) Business Edition of the Software is required.


This topic is now closed to further replies.