Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition MP2 (builds 6.0.2. [551-555])

 
Command prompt parameters to manage Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition
 ID Article: 1522    Last modified on 2009 Aug 20 15:39

Applies to Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition

Warning: To manage the Anti-Virus from the command prompt, the Shell component must be installed on the protected server.


KAVSHELL [ HELP | START | STOP | SCAN | FULLSCAN | TASK | RTP | UPDATE | ROLLBACK | LICENSE | FBRESET | TRACE | DUMP | IMPORT | EXPORT ]

 

START - this command starts Kaspersky Anti-Virus (Kaspersky Anti-Virus service)

STOP - this command stops Kaspersky Anti-Virus (Kaspersky Anti-Virus service)

SCAN - this command scans the specified areas, detects and disinfects/deletes infected objects

FULLSCAN - this command performs a full computer scan, detects and disinfects/deletes infected objects (it starts the predefined task Scan my computer with the parameters set in the Anti-Virus Console)

TASK - this command starts/pauses/resumes/stops the specified task; returns the current task status/task execution statistics

RTP - this command starts/stops all real-time protection

UPDATE - this command updates the anti-virus databases

ROLLBACK - this command rolls back the anti-virus databases to the previous version

LICENSE - this command manages the license keys

FBRESET - this command resets the iSwift database (file fidbox.dat); available beginning from application version 6.0 MP2

TRACE - this command enables or disables the tracking log of the whole application and manages the tracking log parameters (tracing of specific components can be enabled via the Anti-Virus Console only)

DUMP - this command enables or disables creation of a process memory dump in case of abnormal termination of the process

IMPORT - this command imports Anti-Virus settings and tasks from a file

EXPORT - this command exports Anti-Virus settings and tasks to a file

To see the command syntax and reference, run:

KAVSHELL HELP command

KAVSHELL command /?

KAVSHELL [ /? | HELP ]

Warning: If a Kaspersky Administration Kit policy is applied to the server, the policy also applies to tasks run from the command prompt. For example, if the policy sets Disinfect, delete if disinfection fails as the action for the on-demand scan task, and you start a scan from the command prompt (by running the command KAVSHELL SCAN) with Skip as the action to be performed on infected objects, the Skip action is ignored and the task runs with the policy setting: Disinfect, delete if disinfection fails.

 

Anti-Virus startup

KAVSHELL START

 

Anti-Virus shutdown

KAVSHELL STOP


 

Scanning selected areas:

KAVSHELL SCAN <scan_scope> [/MEMORY | /SHARED | /STARTUP | /REMDRIVES | /FIXDRIVES | /MYCOMP]
[/L:<path_to_file_with_the_list_of_scan_scopes>] [/F<A|E|C>] [/AI:<DISINFECT | DISINFDEL | DELETE | REPORT | AUTO>]
[/AS:<QUARANTINE | DELETE | REPORT | AUTO>] [/E:<ABMSPO>] [/EM:<"masks">] [/ES:<size>] [/ET:<number_of_seconds>] [/NOICHECKER] [/NOISWIFT] [/W:<path_to_report_file>] [/ALIAS:<task_name_alias>]

Scan_scope is a mandatory modifier. It specifies the scan scope - the list of files, folders, network paths and pre-defined areas. Specify network paths in the UNC format. You can use path masks or variables. Predefined areas include: 

    • /MEMORY: Scan objects in RAM 
    • /SHARED: Scan shared folders 
    • /STARTUP: Scan startup objects 
    • /REMDRIVES: Scan removable drives 
    • /FIXDRIVES: Scan hard drives 
    • /MYCOMP: Scan all areas of protected server

/L:<path_to_file_with_the_list_of_scan_scopes> - Full path to the file with the list of scan scopes. Delimit scan areas in the file using line breaks. You can specify pre-defined scan areas.

Notes:

- if the file/folder name contains a space, it should be enclosed in quotation marks

- masks can be used to set the scan scope

- if a directory is defined as a scan scope, all files and folders in the directory will be scanned

/F<A|E|C> - Detectable objects (File types). If you do not specify values for this modifier, Anti-Virus will scan objects by their format: 

    • /FA: Scan all objects 
    • /FC: Scan objects by format (the Anti-Virus analyzes the internal format of the file and scans only the files which can be infected)  
    • /FE: Scan objects by extension (the Anti-Virus will scan files with the specified extensions in-depth for viruses)

/AI:<DISINFECT | DISINFDEL | DELETE | REPORT | AUTO> - Actions to be performed with infected objects. If you do not specify values for this modifier, Anti-Virus will perform action Report only and will skip infected files. 

    • DISINFECT: Disinfect, skip if disinfection is not possible 
    • DISINFDEL: Disinfect, delete if disinfection is not possible 
    • DELETE: delete an infected object 
    • REPORT: report only 
    • AUTO: Perform the recommended action

/AS:<QUARANTINE | DELETE | REPORT | AUTO> - Actions to be performed with suspicious objects. If you do not specify values for this modifier, Anti-Virus will perform action Report only.

    • QUARANTINE: Quarantine 
    • DELETE: delete 
    • REPORT: report only 
    • AUTO: Perform the recommended action

/E:<ABMSPO> - Excludes composite objects of the following types:

    • A – archives;
    • B – e-mail bases;
    • M – mail format types;
    • S – self-extracting archives;
    • P – packed objects;
    • O – embedded OLE objects.

/EM:<"masks"> - Exclude files by mask. You can specify several masks separated by semicolons without spaces, for example, /EM:"*.txt;*.png;C:\Videos\*.avi".

/ES:<size> - Exclude composite objects whose size exceeds the value <size> from the scan. By default the Anti-Virus scans objects of any size.

/ET:<number_of_seconds> - Stop processing an object if processing takes longer than the number of seconds specified by the value <number_of_seconds>. By default there is no time restriction.

 

/NOICHECKER - Disable the use of iChecker

 

/NOISWIFT - Disable the use of iSwift.

 

/ALIAS:<task_alias> - Allows assigning an on-demand scan task a temporary name by which the task can be accessed during its execution, for example in order to view its statistics using TASK command. The default temporary name scan_<kavshell_pid> is used, for example scan_1256. The task name is also assigned automatically as Scan objects (<date and time>) for example Scan objects (11_11_11_21_10_2006).

 

/W:<path_to_report_file> - enables writing the report to a specific file. If the full path is not specified, the file will be created in the folder from which the KAVSHELL command is run. Re-starting the command with the same parameters overwrites the existing file. If the report file cannot be created, the Anti-Virus does not stop the scan and does not report an error.

Examples:

Run scan of the following folders and files: 

  • Folder4 – subfolder of the directory in which the KAVSHELL utility of the command prompt resides 
  • D:\Folder1\Folder2\Folder3\ 
  • C:\Folder5\ 
  • \\server1\Shared Folder\ 
  • F:\123\*.fgb – all files with the extension fgb in the folder F:\123\ 
  • /SHARED – all shared folders on the server

with the parameters: 

  • action to be performed on infected objects – disinfect, delete if disinfection fails 
  • action to be performed on suspicious objects - quarantine 
  • scan all files 
  • exclusions – archives, mail databases, plain mail, files by masks *.xtx;*.ff?;*.ggg;*.bbb;*.info 
  • do not use iChecker and iSwift 
  • write the report into the file report.log, in the folder from which the KAVSHELL

 

KAVSHELL SCAN Folder4 D:\Folder1\Folder2\Folder3\ C:\Folder5\ C:\Folder6\3.exe F:\123\*.fgb
"\\server1\Shared Folder\" /SHARED /AI:DISINFDEL /AS:QUARANTINE /FA /E:ABM
/EM:"*.xtx;*.ff?;*.ggg;*.bbb;*.info" /NOICHECKER /NOISWIFT /W:report.log

 

Run scan of objects listed in the file scan_objects.lst (the file resides in the same folder where the KAVSHELL utility of the command prompt resides), log scan results into the file report.log.

KAVSHELL SCAN /L:scan_objects.lst /W:report.log
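The /W behaviour described above has a practical consequence: because a rerun overwrites the report and a failure to create it is silent, an old report.log can be mistaken for the result of the latest scan. The following Python wrapper is an added example, not part of the original article; it assumes KAVSHELL is on PATH and accepts standard Windows argument quoting, and the function names are hypothetical.

```python
import os
import subprocess

# Action values are the ones listed in the article for /AI and /AS.
# If an Administration Kit policy applies, the policy's actions win over these.
AI_ACTIONS = ("DISINFECT", "DISINFDEL", "DELETE", "REPORT", "AUTO")
AS_ACTIONS = ("QUARANTINE", "DELETE", "REPORT", "AUTO")


def build_scan_argv(scopes, report_file, infected="REPORT", suspicious="REPORT"):
    """Return the argv for KAVSHELL SCAN with an absolute /W: report path."""
    if not scopes:
        raise ValueError("scan_scope is mandatory")
    if infected not in AI_ACTIONS or suspicious not in AS_ACTIONS:
        raise ValueError("unknown /AI or /AS value")
    # An absolute path removes the dependency on the folder the command is run from.
    report = os.path.abspath(report_file)
    return ["KAVSHELL", "SCAN", *scopes,
            "/AI:" + infected, "/AS:" + suspicious, "/W:" + report]


def run_scan(scopes, report_file, runner=subprocess.run, **actions):
    """Run the scan and fail loudly if no report was produced."""
    argv = build_scan_argv(scopes, report_file, **actions)
    report = argv[-1][len("/W:"):]
    if not os.path.isdir(os.path.dirname(report)):
        raise FileNotFoundError("report folder does not exist: " + report)
    # Remove the previous report first: a rerun overwrites it anyway, and a
    # leftover file would hide the silent "report could not be created" case.
    if os.path.exists(report):
        os.remove(report)
    runner(argv)
    if not os.path.isfile(report):
        raise RuntimeError("scan ran but no report was written to " + report)
    return report


if __name__ == "__main__":
    # Constructed usage: report-only scan of shared folders.
    print(run_scan(["/SHARED"], "report.log"))
```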


 

Scan My Computer task

KAVSHELL FULLSCAN [/W:<path_to_report_file>] – starts the system task Scan my computer

/W:<path_to_report_file> - enables writing the report to a specific file. If the full path is not specified, the file will be created in the folder from which the KAVSHELL command is run. Re-starting the command with the same parameters overwrites the existing file. If the report file cannot be created, the Anti-Virus does not stop the scan and does not report an error.


 

Managing tasks:

KAVSHELL TASK [<task_name_alias> { /START | /STOP | /PAUSE | /RESUME | /STATE | /STATISTICS} ]

If the command is run without modifiers it returns the list of all existing Anti-Virus tasks. The list contains the following fields: alias, task type (system, user-defined or group) and the current task status.

<task_alias> - Instead of the task name use its task alias in the TASK command. Task alias is an additional, short name which the Anti-Virus gives to tasks. In order to view task aliases enter KAVSHELL TASK without modifiers.

/START: starts the specified task

/STOP: stops the specified task

/PAUSE: pauses the specified task

/RESUME: resumes the specified task

/STATE: returns the current task status (started, not started, paused)

/STATISTICS: returns the statistics of the task execution - the number of objects processed since the task was started until the current moment.

Examples:

KAVSHELL TASK

KAVSHELL TASK on-access /START

KAVSHELL TASK user-task_1 /STOP

KAVSHELL TASK scan-computer /STATE

 


 

Starting or stopping Real-time protection

KAVSHELL RTP { /START | /STOP} - starts or stops all real-time protection tasks.

/START: starts all real-time protection tasks.

/STOP: stops all real-time protection tasks.

Examples:

KAVSHELL RTP /STOP

 


 

Updating anti-virus databases and application modules – starts temporary update task

 

KAVSHELL UPDATE <update_source | /AK | /KL> [/NOUSEKL] [/PROXY:<address>:<port>] [/AUTHTYPE:<0-2>] [/PROXYUSER:<user_name>] [/PROXYPWD:<password>] [/NOPROXYFORKL] [/USEPROXYFORCUSTOM] [/USEPROXYFORLOCAL] [/NOFTPPASSIVE] [/TIMEOUT:<number_of_seconds>] [/REG:<code_iso3166>] [/W:<name_of_report_file>] [/ALIAS:<task_alias>]

Update_source is a mandatory modifier. You can specify one or several sources. Anti-Virus will contact the sources in the order they are listed. Delimit the sources with a space. The following modifiers can be specified as an update source:

  • <path_to_shared_folder_in_the_format_UNC>
  • <URL> 
  • <local_folder>
  • /AK – Administration Server to which the Administration Agent installed on the protected server is connected 
  • /KL – Kaspersky Lab’s update servers

 

/NOUSEKL – do not use Kaspersky Lab’s update servers if other update sources are not available (if an error occurred when updating from other update source). By default Kaspersky Lab’s update servers are used.

 

 /PROXY:<address>:<port> - Network or IP address of the proxy server and its port. If you do not specify this modifier, Anti-Virus will automatically detect parameters of the proxy server used in the local area network.

 

/NOPROXYFORKL - Do not use proxy server parameters for connecting with Kaspersky Lab's update servers (by default they are used). 

 

/USEPROXYFORCUSTOM - this modifier is used only if <path_to_shared_folder_in_format_UNC>, <URL> or <local_folder> is specified as an update source. It enables the use of the proxy server settings when connecting to these sources. If such sources are specified but the /USEPROXYFORCUSTOM modifier is not defined, the proxy server settings are not used!

 

/USEPROXYFORLOCAL - use the proxy server settings when connecting to an update source in the local network. If you specified a local address as an update source but have not defined the /USEPROXYFORLOCAL modifier in the task, the proxy server settings will not be used when connecting to this source!

 

/AUTHTYPE:<0-2> - This modifier specifies the authentication method for access to the proxy server: 

  • 0 – built-in Windows NTLM authentication; Anti-Virus will contact the proxy server under the Local system (SYSTEM) account; 
  • 1 – built-in Windows NTLM authentication; Anti-Virus will contact the proxy server under the account with the login name and password specified by modifiers /PROXYUSER and /PROXYPWD;
  • 2 – authentication by the login name and password specified by modifiers /PROXYUSER and /PROXYPWD (basic authentication).

 

/PROXYUSER:<user_name> - Username that will be used for accessing proxy server. If you specify the value of modifier /AUTHTYPE:0, then the /PROXYUSER modifier is ignored.

 

/PROXYPWD:<password> - Password that will be used for accessing the proxy server. If you specify the value of modifier /AUTHTYPE:0, then the /PROXYPWD modifier is ignored. If you specify modifier /PROXYUSER and omit modifier /PROXYPWD, the password will be considered to be blank.

 

/NOFTPPASSIVE - If you specify this modifier, Anti-Virus will use the active FTP server mode to connect to the protected server. If you do not specify this modifier, Anti-Virus will use the passive FTP server mode (if possible).

 

/TIMEOUT:<number_of_seconds> - FTP or HTTP server connection timeout. If you do not specify this modifier, Anti-Virus will use the default value: 10 sec. You can only use integers as the value for this modifier.

 

/REG:<code_iso3166> - Anti-Virus optimizes the downloading of updates to the protected server by selecting the update server closest to it (only if /KL- Kaspersky Labs update servers are selected as update source).

As the value of this modifier, specify the letter code of the country where the protected server is located, in accordance with standard ISO 3166-1, for example /REG:gr or /REG:RU.

If you omit this code or specify the code of a country that does not exist, Anti-Virus will detect the location of the protected server based on the regional settings of the computer on which Anti-Virus console is installed (for Microsoft Windows 2003 Server and above - by the value of variable Location).

 

/ALIAS:<task_alias> - This modifier allows assigning the task a temporary name by which you could access it during its execution. By default the temporary name update_<kavshell_pid> is used, for example update_1234. The task will be automatically assigned the name Anti-Virus bases update (<date_time>), for example, Anti-Virus bases update 13_10_50_20_09_2007.

 

/W:<path_to_report_file> - enables writing the report to a specific file. If the full path is not specified, the file will be created in the folder from which the KAVSHELL command is run. Re-starting the command with the same parameters overwrites the existing file. If the report file cannot be created, the Anti-Virus does not stop scan and does not generate an error.

 


 

Rollback of the latest anti-virus database update:

KAVSHELL ROLLBACK

 


 

Adding or deleting a license key

 

KAVSHELL LICENSE [/ADD <path_to_key_file> [/R] | /DEL <serial_number>] 

without modifiers - Command returns the list of installed keys. It contains the following information about the key: 

  • serial number of the key; 
  • key type (for example, commercial or trial); 
  • key expiration date (not specified for backup keys); 
  • whether the key is a backup key.

If the value specified is * the key is installed as the backup key.

 

/ADD – installs a key file. Specify the full path to the key which is being installed.

 

/R - specifies that the key being installed is the backup key. This modifier does not function without the /ADD modifier.

 

 /DEL <serial_number> - deletes the key with serial number specified by the value of /DEL.


 

Resetting the database of iSwift

KAVSHELL FBRESET

Warning This command has been added to the application beginning from version 6.0 MP2.

The iSwift technology allows excluding a file from the scan if the file has not been modified since the previous scan. The file fidbox.dat, which Kaspersky Anti-Virus creates in the system folder %windir%\system32\drivers, contains information about non-infected objects already scanned by Kaspersky Anti-Virus. That is, the more files Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition has scanned, the larger the file fidbox.dat becomes. The file stores only current information about files that actually exist in the system: if a file is deleted, the information about this file is deleted from fidbox.dat too.

KAVSHELL FBRESET.

Important: 

    • When resetting the file fidbox.dat by the command KAVSHELL FBRESET the anti-virus protection should NOT be stopped (unlike when resetting the file manually);
    • Once the file fidbox.dat is reset the load on the server from Kaspersky Anti-Virus may increase as all files accessed for the first time since fidbox.dat reset will be scanned by the anti-virus application. After the scan information about the scanned objects will be added again to the file fidbox.dat and if you access this file a second time, the iSwift technology will skip it during the scan if the file has not been modified.


 

Enabling/ disabling the tracking log

KAVSHELL TRACE </ON /F:<path_to_log_file_folder> [/S:<maximum_log_size_in_megabytes>] [/LVL:<DEBUG | INFO | WARNING | ERROR | CRITICAL>] | /OFF>

Note: Using the KAVSHELL TRACE command you can enable the tracking log for all of the application's components simultaneously. A per-component tracking log can be enabled via the Anti-Virus Console only.

/ON – enables the tracking log

/F:<path_to_log_file_folder> - this modifier specifies full path to the folder in which the tracking log files will be saved. Pay attention, the folder should be created before the tracking log is enabled! An individual file is created for each component. This is a mandatory parameter.

/S:<maximum_log_size_in_megabytes> - this modifier sets the maximum size of a single tracking log file. As soon as the log file reaches the maximum size, Anti-Virus will start recording information into a new file; the previous log file will be saved. If you do not specify the value of this modifier, the maximum log file size will be 50 MB.

/LVL:<DEBUG | INFO | WARNING | ERROR | CRITICAL> - this modifier sets the detail level of the log from the maximum (debug information) which records all events into the log to the minimum (CRITICAL) which records only critical events. If you do not specify this modifier, then events with the DEBUG information detail level will be recorded into the log.

/OFF - disables the tracking log

To change settings of the enabled tracking log run the command KAVSHELL TRACE with the modifier /ON and set the detail level of the log using the modifiers /S and /LVL.

 

Examples:

In order to enable the tracking log with the DEBUG detail level and maximum log size 200 MB and to save tracking results in the folder C:\Trace Folder, run the command:

KAVSHELL TRACE /ON /F:"C:\Trace Folder" /S:200

 

In order to enable the tracking log with the INFO detail level and to save tracking results in the folder C:\Trace Folder, run the command:

KAVSHELL TRACE /ON /F:"C:\Trace Folder" /LVL:info

 

Warning: To enable the tracking log of a remote Console, add a new key to the system registry of the computer on which the Console is installed and restart the Console: 

[HKEY_LOCAL_MACHINE\Software\KasperskyLab\KAVFSEE\6.0\Trace\] Configuration=sub-system=gui;level=info;sink=folder(<full_path_to_log_file_folder>);roll=50000;layout=basic;logging=on 

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\KasperskyLab\KAVFSEE\6.0\Trace\] Configuration=sub-system=gui;level=info;sink=folder(<full_path_to_log_file_folder>);roll=50000;layout=basic;logging=on

If the tracking log is enabled with the ready reg-files, in this case the logs are saved into the folder C:\Temp.

 


 

Enabling and disabling dump creation

KAVSHELL DUMP <</ON /F:<folder_with_dump_files> | /OFF> | </SNAPSHOT /F:<folder_with_dump_files> /P:<pid>> 

 /ON - enables creation of the process memory dump in case of its abnormal termination. The dump is saved into the folder specified by the /F modifier.

/SNAPSHOT - takes a snapshot of the memory of the specified Anti-Virus process in progress.

/F:<folder_with_dump_files> - this is a mandatory modifier. It specifies the path to the folder in which the dump file will be saved. If you specify a path to a non-existent folder, no dump files will be created.

/P:<pid> - the identifier (PID) of the process whose memory snapshot should be taken. The PID is displayed in the Windows Task Manager.

/OFF - disables creation of the process memory dump in case of its abnormal termination.

 

Examples:

In order to enable dump creation and to save dump files into the folder C:\Dump Folder, run the command:

KAVSHELL DUMP /ON /F:"C:\Dump Folder"

 

To take a snapshot of the memory of the process with ID 1234 into the folder C:\Dumps, run the command:

KAVSHELL DUMP /SNAPSHOT /F:C:\Dumps /P:1234

 


 

Importing settings

KAVSHELL IMPORT <full_path_and_configuration_file_name>

Examples:

KAVSHELL IMPORT Server.xml


 

Exporting settings

KAVSHELL EXPORT <full_path_and_configuration_file_name>

A configuration file can have any extension.

Examples:

KAVSHELL EXPORT Server.xml


 

Warning: You may enter either an absolute or a relative path when a task launch setting specifies a file with the list of objects or requests that the task results be written to a file. A path containing a space should be enclosed in quotation marks.
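Several of the commands above reduce protection or change its configuration (STOP, RTP /STOP, TASK with /STOP or /PAUSE, ROLLBACK, LICENSE /DEL, IMPORT), and UPDATE with /PROXYPWD places a proxy password on the command line. As an added example that is not part of the original article, the following Python code flags such invocations in process-creation log lines and redacts the password before reporting; the tab-separated log format, host and account names, labels and the kavshell.exe path are constructed for illustration.

```python
import re

# A token is a run of unquoted text and "quoted parts", so /F:"C:\Trace Folder" stays whole.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
_PWD = re.compile(r'(?i)(/PROXYPWD:)(?:"[^"]*"|[^\s"])+')

# (command, triggering modifiers; empty = always reportable, label).
# Commands and modifiers come from the article; the labels are made up here.
RULES = [
    ("STOP", (), "service-stop"),
    ("RTP", ("/STOP",), "rtp-stop"),
    ("TASK", ("/STOP", "/PAUSE"), "task-stop-or-pause"),
    ("ROLLBACK", (), "db-rollback"),
    ("LICENSE", ("/DEL",), "license-delete"),
    ("IMPORT", (), "settings-import"),
    ("UPDATE", ("/PROXYPWD:",), "proxy-password-on-cmdline"),
]

def tokenize(cmdline):
    """Split a Windows command line into arguments, dropping the quotes."""
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]

def classify(cmdline):
    """Return a label for a reportable KAVSHELL invocation, else None."""
    tok = tokenize(cmdline)
    if len(tok) < 2:
        return None
    exe = tok[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in ("kavshell", "kavshell.exe"):
        return None
    cmd, mods = tok[1].upper(), [t.upper() for t in tok[2:]]
    for name, triggers, label in RULES:
        if cmd != name:
            continue
        if not triggers or any(
            m == t or (t.endswith(":") and m.startswith(t))
            for m in mods for t in triggers
        ):
            return label
    return None

def redact(cmdline):
    """Mask the /PROXYPWD value so the alert does not repeat the secret."""
    return _PWD.sub(r"\1***", cmdline)

def scan_log(lines):
    """Lines are 'timestamp<TAB>host<TAB>user<TAB>command line' (constructed format)."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) != 4:
            continue
        ts, host, user, cmdline = parts
        label = classify(cmdline)
        if label:
            hits.append((ts, host, user, label, redact(cmdline)))
    return hits

# Constructed sample records, not taken from a real system.
SAMPLE = [
    "2024-01-10T10:01:07\tSRV01\tCORP\\opsadmin\tKAVSHELL TASK scan-computer /STATE",
    "2024-01-10T10:02:11\tSRV01\tCORP\\opsadmin\tkavshell rtp /stop",
    '2024-01-10T10:03:40\tSRV02\tCORP\\svc_upd\t"C:\\AV\\kavshell.exe" UPDATE /KL '
    '/PROXY:proxy.example:8080 /AUTHTYPE:2 /PROXYUSER:upd /PROXYPWD:"s3cret pw"',
    "2024-01-10T10:05:02\tSRV02\tCORP\\opsadmin\tKAVSHELL TASK on-access /PAUSE",
    "2024-01-10T10:06:30\tSRV03\tCORP\\opsadmin\tKAVSHELL SCAN /MEMORY /W:report.log",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE):
        print(*hit, sep=" | ")
```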



Kaspersky Lab

Copyright © 1997 - 2009 Kaspersky Lab