Difference between revisions of "File"
(→Usage: added var types) |
m |
||
| (3 intermediate revisions by one other user not shown) | |||
| Line 12: | Line 12: | ||
==Usage== | ==Usage== | ||
| + | |||
| + | ====for .sbi==== | ||
File:<description(string)>,<filename(string)>[,advanced file parameters] | File:<description(string)>,<filename(string)>[,advanced file parameters] | ||
| + | |||
| + | ===for scripts=== | ||
| + | sbiFile(<description(string)>,<filename(string)>[,advanced file parameters]); | ||
===Examples=== | ===Examples=== | ||
| + | |||
| + | ====for .sbi==== | ||
File:"<$FILE_DATA>","<$WINDIR>\Malware.txt","filesize=182,md5=83C36C493D7A254F9DE2ED63B3F92548" | File:"<$FILE_DATA>","<$WINDIR>\Malware.txt","filesize=182,md5=83C36C493D7A254F9DE2ED63B3F92548" | ||
File:"<$FILE_DATA>","<wc>C:\Temp\Malware.*","filesize>=180,md5=83C36C493D7A254F9DE2ED63B3F92548" | File:"<$FILE_DATA>","<wc>C:\Temp\Malware.*","filesize>=180,md5=83C36C493D7A254F9DE2ED63B3F92548" | ||
File:"<$FILE_DATA>","<regexpr>C:\Temp\Mal[a-z]{4}.*","filesize<=190,md5=83C36C493D7A254F9DE2ED63B3F92548" | File:"<$FILE_DATA>","<regexpr>C:\Temp\Mal[a-z]{4}.*","filesize<=190,md5=83C36C493D7A254F9DE2ED63B3F92548" | ||
| + | File:"<$FILE_DATA>","<regexpr>C:\Windows\System[^\t]*\Mal[a-z]{4}.*","filesize<=190,md5=83C36C493D7A254F9DE2ED63B3F92548" | ||
| + | |||
| + | ====for scripts==== | ||
| + | sbiFile('<$FILE_DATA>','<$WINDIR>\Malware.txt','filesize=182,md5=83C36C493D7A254F9DE2ED63B3F92548'); | ||
===Description=== | ===Description=== | ||
| Line 23: | Line 34: | ||
# The first parameter is a simple description, used for the GUI to display to the user only. Instead of using plain text, it is recommended to use [[Description templates|description templates]], which are displayed in a localized version by the scanner GUI. | # The first parameter is a simple description, used for the GUI to display to the user only. Instead of using plain text, it is recommended to use [[Description templates|description templates]], which are displayed in a localized version by the scanner GUI. | ||
| − | # The second parameter defines the file name and path. In the standard form, it supports wildcards and [[Path templates|path templates]], but you can also use [[AlgoPrefix|Algo-Prefixes]] to vary the filename matching algorithm, e.g. to use regular expressions. | + | # The second parameter defines the file name and path. In the standard form, it supports wildcards and [[Path templates|path templates]], but you can also use [[AlgoPrefix|Algo-Prefixes]] to vary the filename matching algorithm, e.g. to use regular expressions. Starting with [[Spybot - Search & Destroy]] 1.6, you may use wildcards or regular expressions in any part of the path, on a by level base. {{AlgoPrefix}} {{PathTemplates}} |
# The third parameter allows you to define more criteria to look for in a file, since the file name itself is rarely unique (just think about all those misleading malware files that attempt to use standard Windows filenames). There is a huge range of [[Advanced file parameters|advanced file parameters]], with different costs, some cached, some not. Using less costly parameters like [[filesize]] first is quite recommended to filter the amount of files that are left for the later parameters. | # The third parameter allows you to define more criteria to look for in a file, since the file name itself is rarely unique (just think about all those misleading malware files that attempt to use standard Windows filenames). There is a huge range of [[Advanced file parameters|advanced file parameters]], with different costs, some cached, some not. Using less costly parameters like [[filesize]] first is quite recommended to filter the amount of files that are left for the later parameters. | ||
Latest revision as of 09:42, 21 April 2011
| File | |
| Group | Files |
| Main Application | Version 1.3 |
| Required Update | n/a |
| File Parameters | yes (third) |
| Registry Parameters | no |
| Build Parameters | yes (third) |
| Special Parameters | no |
File is the regular command to detect any files on your system.
Contents
Usage
for .sbi
File:<description(string)>,<filename(string)>[,advanced file parameters]
for scripts
sbiFile(<description(string)>,<filename(string)>[,advanced file parameters]);
Examples
for .sbi
File:"<$FILE_DATA>","<$WINDIR>\Malware.txt","filesize=182,md5=83C36C493D7A254F9DE2ED63B3F92548"
File:"<$FILE_DATA>","<wc>C:\Temp\Malware.*","filesize>=180,md5=83C36C493D7A254F9DE2ED63B3F92548"
File:"<$FILE_DATA>","<regexpr>C:\Temp\Mal[a-z]{4}.*","filesize<=190,md5=83C36C493D7A254F9DE2ED63B3F92548"
File:"<$FILE_DATA>","<regexpr>C:\Windows\System[^\t]*\Mal[a-z]{4}.*","filesize<=190,md5=83C36C493D7A254F9DE2ED63B3F92548"
for scripts
sbiFile('<$FILE_DATA>','<$WINDIR>\Malware.txt','filesize=182,md5=83C36C493D7A254F9DE2ED63B3F92548');
Description
This command defines where to look for files. It accepts three parameters:
- The first parameter is a simple description, used for the GUI to display to the user only. Instead of using plain text, it is recommended to use description templates, which are displayed in a localized version by the scanner GUI.
- The second parameter defines the file name and path. In the standard form, it supports wildcards and path templates, but you can also use Algo-Prefixes to vary the filename matching algorithm, e.g. to use regular expressions. Starting with Spybot - Search & Destroy 1.6, you may use wildcards or regular expressions in any part of the path, on a by level base. AP PT
- The third parameter allows you to define more criteria to look for in a file, since the file name itself is rarely unique (just think about all those misleading malware files that attempt to use standard Windows filenames). There is a huge range of advanced file parameters, with different costs, some cached, some not. Using less costly parameters like filesize first is quite recommended to filter the amount of files that are left for the later parameters.
If you are dealing with Rootkits, you also need to take a look at NTFile, a brother of this command that uses deeper rooted functions to locate a file and is able to detect files hidden to the standard Win32 API.
Scan Results
- The file identified by the parameters.
