Free Antivirus Scanner for SureBackup & SecureRestore

[Novox]

I have McAfee Endpoint Security, which is McAfee's current flagship enterprise antivirus scanning product. Unfortunately, McAfee decided to remove on-demand scanning from the ENS CLI. Now, you have to run a custom job, and then query the job asynchronously for a disposition.

This obviously won't work with Veeam's Antivirus interface which expects the scanner to run synchronously and provide a simple error/return code...

Therefore, I am trying to find a free antivirus scanner that would work with Veeam. I assume it will need to be "portable" so it can run in conjunction with McAfee ENS already installed on my mount server. Also, I'll need a way to trigger updates via the CLI (maybe in a scheduled task or similar) so AV definitions will be up to date before Veeam runs files through the scanner.

Thank you!

[Novox]

Made some progress with ClamAV portable, however, their on-demand CLI scanner seems to need to load the DB every run, which takes ~30 seconds. If I work this into the Veeam AV config XML, every file scan will take at least 30 seconds...

Still researching :/

[Egor Yakovlev]

Hi Novox.

I seen they removed it from End-User version, but did they really remove CLI from an Enterprise one?
Latest version of McAfee Endpoint Security documentation states it is possible to run CLI scans on demand.

/Thanks!

[Novox]

Yes, I was basing the Veeam config on this link as well (https://docs.mcafee.com/bundle/endpoint ... A34AD.html).

McAfee ENS can scan individual files, however:

• You must define a "Custom Scan" in McAfee on the Mount Server

• You can run this "Custom Scan" from the CLI, and override what locations it scans (the individual files), effectively scanning from the CLI, HOWEVER...

• The scan runs asynchronously and you must query the overridden custom-scan task job to get the status

Veeam AntiVirus implementation does not seem to support CLI asynchronous scans... it seems to need to call a CLI scanner synchronously, which will block until the scan is complete, then return the exit code to Veeam for continuance...

Possibly making some headway with ClamAV, will report back soon.

[Novox]

For those interested, I've had some success with ClamAV. (I make no representation about how good ClamAV is, but it's free and portable).

The ClamD Daemon is not required because Veeam does not scan files one by one, but instead mountpoint by mountpoint. Therefore, the extra ~30 seconds database load for the synchronous "clamscan" is negligible when it only happens once per volume.

My Clam AV XML (AntivirusInfos.xml) configuration looks like this and I've confirmed the regex, error codes, etc are all correct:

Code: Select all

<AntivirusInfo Name='ClamAV Portable' IsPortableSoftware='true' ExecutableFilePath='C:\Utilities\ClamAV\clamscan.exe' CommandLineParameters='--infected --no-summary -r "%Path%"' RegPath='' ServiceName='' ThreatExistsRegEx='FOUND' IsParallelScanAvailable='false'>
     <ExitCodes>
        <ExitCode Type='Success' Description='No virus found'>0</ExitCode>
        <ExitCode Type='Infected' Description='Virus(es) found'>1</ExitCode>
        <ExitCode Type='Error' Description='Some error(s) occured'>2</ExitCode>
     </ExitCodes>
  </AntivirusInfo>

(Don't forget to change "ExecutableFilePath" to suit your environment).

Command line parameters (I will toy with these to continue troubleshooting, i.e. removing the first two to see where/if the scan is crashing):

• --infected: "Only print infected files"

• --no-summary: "Disable summary at end of scanning"

• -r: "Scan subdirectories recursively"

As I recall, ClamAV properly found EICAR, and indicated an infection was found in the SureBackup statistics, but then a long while later, the statistics indicated that the AntiVirus program had thrown an error (then hours passed and nothing and I had to stop the job). After I stopped the job and was able to view the scan log, I saw that the error thrown was a reference to a file within "System Volume Information" that was inaccessible.

Not sure if the scan process crashed OR if I simply didn't give it enough time to complete, I'll be trying again.

Also, don't forget to update your AV definitions with "freshclam" either by script, scheduled task, or other; before running.

[stuart_little1874]

Can you confirm what version of McAfee you are using? We have McAfee Endpoint Security 10.7.

Just about to head down the path of (attempting) to configure our XML file (but found this thread)...

[Dima P.]

Hello Stuart,

Can you please confirm that McAfee Endpoint Security 10.7 supports on demand scan via command line utility? I was not able to find any confirmation at McAfee help center (looks like the needed article is no longer active). Cheers!

[stuart_little1874]

Hi Dima, I will have our support guys contact McAfee and get back to you

[fuzzykoala120]

We are also looking at using McAfee with SureBackup. Looks like v10.7 introduced on demand scanning via CLI.

https://kc.mcafee.com/corporate/index?p ... cale=en_US

[Dima P.]

Hello Chris,

Interesting - we will review it with RnD folks, thanks for sharing!