ECLS not cleaning or honoring exclusions?

Discussion in 'ESET NOD32 Antivirus' started by vertexcg, Jun 5, 2011.

Thread Status:
Not open for further replies.
  1. vertexcg

    vertexcg Registered Member

    Joined:
    Jun 5, 2011
    Posts:
    1
    First of all thanks to this forum - I am converting all my managed AV nodes to ESET due in large part to the quality of information here.

    I have quite a few nodes deployed and am executing a scan via ecls every night. This is done through a third party tool that integrates with my ticketing software. What I am finding is that ecls is not honoring the exclusions I have set in my "default" config xml file, nor does it seem to be cleaning anything.

    Here are the contents of a log file generated with ecls:

    Infected PC: XXXXXXX

    Results:
    ECLS Command-line scanner, version 4.2.71.2, (C) 1992-2010 ESET, spol. s r.o.
    Module loader, version 1031 (20091029), build 1035
    Module perseus, version 1300 (20110517), build 1390
    Module scanner, version 6182 (20110605), build 9376
    Module archiver, version 1128 (20110315), build 1086
    Module advheur, version 1118 (20110419), build 1076
    Command line: /auto /clean-mode=strict /unsafe /unwanted /log-file=C:\ESET\ecls.txt
    Scan started at: 06/05/11 19:03:10
    <SNIP FOR BREVITY>
    name="C:\WINDOWS\LTSvc\ProduKey.exe", threat="Win32/PSWTool.ProductKey.126 potentially unsafe application", action="action selection postponed until scan completion", info=""
    name="C:\WINDOWS\LTSvc\scripts\ProduKey.exe", threat="a variant of Win32/PSWTool.ProductKey potentially unsafe application", action="action selection postponed until scan completion", info=""
    name="C:\WINDOWS\Temp\LTCache\transfertoolsprodukeyexe.exe", threat="a variant of Win32/PSWTool.ProductKey potentially unsafe application", action="action selection postponed until scan completion", info=""
    name="D:\Home\dkennedy\ServUSetup.exe » INNO » file0000.bin", threat="probably a variant of Win32/ServU-Daemon potentially unsafe application", action="", info=""
    name="D:\Home\dkennedy\ServUSetup.exe » INNO » file0002.bin", threat="a variant of Win32/ServU-Daemon.AA potentially unsafe application", action="", info=""
    name="D:\Home\dkennedy\Documents from 98\Tony\My Documents\tpe.zip", threat="a variant of Win32/Tool.TPE.A potentially unsafe application", action="action selection postponed until scan completion", info=""
    name="D:\Home\dkennedy\Documents from 98\Tony\My Documents\tpe.zip » ZIP » Tola's Patching Engine.exe", threat="a variant of Win32/Tool.TPE.A potentially unsafe application", action="", info=""
    Scan completed at: 06/05/11 19:42:24
    Scan time: 2354 sec (0:39:14)
    Total: files - 59847, objects 289802

    Infected: files - 6, objects 7
    Cleaned: files - 0, objects 0

    As you can see nothing was actually cleaned.

    I also have C:\WINDOWS\LTSvc\*.* added as an exclusion and it's alerting on things in this folder.

    Any suggestions?

    On a side note - is there a way to have all the "error opening", "password protected", etc ... noise not get written to the log file?

    Thanks All!
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Ecls is a stand-alone scanner, it's completely different than the one accessible via gui. If you want to exclude certain files from scanning, use the /exclude= parameter.
    As for error logging, it's not currently possible to prevent certain error messages from being logged. However, it's an easy task to do it during post-processing using grep or your own script for instance.
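
One way to do the post-processing suggested above, as an added example that is not part of the original thread and is not ESET code. It assumes the "error opening" and "password protected" entries use the same name/threat/action/info record layout as the detections in the posted log, with an empty threat field; the sample lines other than the ProduKey.exe detection are constructed.

```python
import re

# Record lines in the ecls log look like:
#   name="<path>", threat="<detection>", action="<action>", info="<note>"
RECORD = re.compile(
    r'^\s*name="(?P<name>.*)", threat="(?P<threat>.*)", '
    r'action="(?P<action>.*)", info="(?P<info>.*)"\s*$'
)

def filter_log(lines):
    """Return (kept_lines, detections).

    Records with an empty threat field (assumed to be the scan-error
    noise) are dropped; banner and summary lines pass through unchanged.
    """
    kept, detections = [], []
    for line in lines:
        m = RECORD.match(line)
        if m is None:
            kept.append(line)              # banner, timestamps, totals
        elif m.group("threat"):
            kept.append(line)              # real detection, keep it
            detections.append(m.groupdict())
        # else: record without a threat, i.e. noise, dropped
    return kept, detections

def uncleaned(detections):
    """Detections with no action, or whose action was only postponed."""
    return [d for d in detections
            if not d["action"] or "postponed" in d["action"]]

# Sample input: line 4 is from the posted log, the rest is constructed.
SAMPLE = r'''Scan started at: 06/05/11 19:03:10
name="C:\pagefile.sys", threat="", action="", info="error opening [4]"
name="D:\Data\archive.zip", threat="", action="", info="password protected"
name="C:\WINDOWS\LTSvc\ProduKey.exe", threat="Win32/PSWTool.ProductKey.126 potentially unsafe application", action="action selection postponed until scan completion", info=""
name="C:\Temp\sample.exe", threat="Constructed/Test.A", action="cleaned by deleting", info=""
Infected: files - 2, objects 2
'''.splitlines()

if __name__ == "__main__":
    kept, found = filter_log(SAMPLE)
    print("\n".join(kept))
    for d in uncleaned(found):
        print("NOT CLEANED:", d["name"], "->", d["threat"])
```

Filtering the log only hides entries after the fact; it does not stop ecls from scanning or flagging a path, which is what the /exclude= parameter is for.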
     