The virscan command is designed to detect many common computer viruses. It scans executable files, looking for signatures of viruses known when this version of the program was made available. A signature is a bit-pattern that is found in a particular virus. Virus signatures are obtained by performing "reverse engineering" on virus samples. To find virus signatures, the files that are scanned by the virscan program must be in their native executable form (not encrypted and not packed).
Note: The virscan command does not remove viruses, inhibit virus propagation, or recover any damage caused by viruses to programs or data. If you suspect that your computer system may be infected by a computer virus, contact the appropriate help desk, system administrator, or area information coordinator.
The virscan command scans files looking for bit-patterns matching the virus signatures. There may be viruses that currently exist, or that will exist in the future, that this program will not detect. There is no available, guaranteed solution to the computer virus problem. Therefore, it is recommended that data be backed up regularly and that caution be exercised in acquiring and using software.
For example, to scan for viruses in the /usr file system, enter:
virscan /usr
For further information on virscan and to view the online help, enter virscan without any arguments. To display a complete list of the available command-line options, enter:
virscan -h
See the virscan command in the AIX Version 4.3 Commands Reference for the exact syntax.
The virscan command uses the virus signatures found in the virsig.lst and the addenda.lst files, if present, to scan for viruses.
In both files, comment lines begin with an asterisk (*). The virscan command does not use these lines in its virus scan. Comment lines are used to give additional, human-readable comments about the information in the signature files.
The body of the file consists of entries that tell the virscan command what to do for each virus. Each entry is made up of three lines:
To indicate that a specified byte position in the signature string can have any value, use two question mark characters (??) in place of the pair of hexadecimal characters that would represent that signature byte. Do not count the ?? bytes when following the signature length guidelines. If a signature string contains any ?? substrings, no scan for variations on the signature is performed, even if the -m flag is used, and any FF values in that signature string are also treated as ?? bytes.
For example, suppose that a new virus, called Purple Virus, is discovered. This virus is found to infect executables, and you have determined that the following string appears in every copy of the virus:
EA6061626364786566676869716A6B6C6D6E516FC0C1C8C958D6F1
The following lines could be added to the addenda.lst file to scan for this virus:
*
* Entry for the nonexistent Purple Virus (just an example)
*
EA6061626364786566676869716A6B6C6D6E516FC0C1C8C958D6F1
A file on this disk may have the Purple Virus.
(EXE)
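The following is an added example, not code from AIX or the virscan program, showing how a signature list in this format can be parsed and matched against file contents. It applies the rules described above: comment lines begin with an asterisk, ?? marks a byte of any value, wildcard bytes are not counted toward the signature length, and once a signature contains ?? its FF bytes are treated as wildcards too. The three-line entry layout (hex string, message, file type) is inferred from the Purple Virus entry; the second entry in the sample list and both byte buffers are constructed for this example.

```python
# Added example, not code from AIX or the virscan program. It assumes the
# entry layout shown in the Purple Virus example: comment lines start with
# '*', and each entry is three lines (hex signature, message, file type in
# parentheses). All sample data below is constructed for this example.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Signature:
    pattern: List[Optional[int]]  # byte values; None marks a wildcard position
    message: str                  # message to report when the pattern is found
    file_type: str                # file type named on the third line, e.g. EXE
    has_wildcard: bool            # True when the hex string contained '??'


def parse_hex_signature(hexstr: str) -> List[Optional[int]]:
    """Turn a virscan-style hex string into a byte pattern.

    '??' becomes a wildcard. As the text describes, once a signature
    contains '??', literal FF bytes are treated as wildcards as well.
    """
    if len(hexstr) % 2 or not re.fullmatch(r"(?:[0-9A-Fa-f]{2}|\?\?)+", hexstr):
        raise ValueError(f"malformed signature string: {hexstr!r}")
    pairs = [hexstr[i:i + 2] for i in range(0, len(hexstr), 2)]
    has_wildcard = "??" in pairs
    pattern: List[Optional[int]] = []
    for pair in pairs:
        if pair == "??":
            pattern.append(None)
            continue
        value = int(pair, 16)
        pattern.append(None if (has_wildcard and value == 0xFF) else value)
    return pattern


def parse_signature_list(text: str) -> List[Signature]:
    """Parse virsig.lst / addenda.lst style text into Signature records."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("*")]  # drop comments and blanks
    if len(body) % 3:
        raise ValueError("each entry must be exactly three lines")
    sigs = []
    for i in range(0, len(body), 3):
        hexstr, message, ftype = body[i], body[i + 1], body[i + 2]
        sigs.append(Signature(parse_hex_signature(hexstr), message,
                              ftype.strip("()"), "??" in hexstr))
    return sigs


def counted_length(pattern: List[Optional[int]]) -> int:
    """Length for the signature length guidelines: wildcard bytes are not counted."""
    return sum(1 for b in pattern if b is not None)


def find_signature(data: bytes, pattern: List[Optional[int]]) -> int:
    """Return the offset of the first match of pattern in data, or -1."""
    n = len(pattern)
    for off in range(len(data) - n + 1):
        if all(b is None or data[off + k] == b for k, b in enumerate(pattern)):
            return off
    return -1


def scan_bytes(data: bytes, sigs: List[Signature]) -> List[Tuple[str, str, int]]:
    """Report (message, file_type, offset) for every signature found in data."""
    hits = []
    for sig in sigs:
        off = find_signature(data, sig.pattern)
        if off >= 0:
            hits.append((sig.message, sig.file_type, off))
    return hits


# Constructed signature list: the Purple Virus entry from the text plus a
# hypothetical wildcard entry to exercise the '??' and FF rules.
SAMPLE_LIST = """\
*
* Entry for the nonexistent Purple Virus (just an example)
*
EA6061626364786566676869716A6B6C6D6E516FC0C1C8C958D6F1
A file on this disk may have the Purple Virus.
(EXE)
*
* Constructed wildcard entry (hypothetical)
*
DEAD??BEEFFF
A file on this disk may have the constructed wildcard pattern.
(COM)
"""

# Constructed file contents: the Purple signature at offset 4, and a buffer
# where the '??' position holds 0x42 and the FF position holds 0x00.
SAMPLE_EXE = (b"\x00" * 4
              + bytes.fromhex("EA6061626364786566676869716A6B6C6D6E516FC0C1C8C958D6F1")
              + b"\x00" * 3)
SAMPLE_COM = bytes.fromhex("0000DEAD42BEEF00")

if __name__ == "__main__":
    signatures = parse_signature_list(SAMPLE_LIST)
    for name, blob in (("exe", SAMPLE_EXE), ("com", SAMPLE_COM)):
        for message, ftype, off in scan_bytes(blob, signatures):
            print(f"{name}: {message} [{ftype}] at offset {off}")
```

The matcher is a plain byte-by-byte comparison; it does not model the -m variation scan, which the text says is skipped for wildcard signatures anyway. Note that the FF rule only applies when a signature actually contains ??; a signature without wildcards keeps its FF bytes as literal values.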
To scan for signatures other than those in the virsig.lst file, perform the following:
The addenda.lst file follows the same format as the virsig.lst file.
Backup Files and Storage Media