Difference between revisions of "NTFile"
(→Examples: added some from File)
(typo in syntax in box)
(One intermediate revision by the same user not shown)
Line 1: | Line 1: | ||
{{SbiCmdInfo | {{SbiCmdInfo | ||
− | |SYNTAX = | + | |SYNTAX = NTFile |
|PENAME = Plugins | |PENAME = Plugins | ||
|PEVERSION = 1.4 | |PEVERSION = 1.4 | ||
Line 12: | Line 12: | ||
==Usage== | ==Usage== | ||
− | NTFile:<description>,<filename>[,advanced file parameters] | + | NTFile:<description(string)>,<filename(string)>[,advanced file parameters] |
===Examples=== | ===Examples=== |
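Review bot: the new usage line types the first two parameters as (string) but leaves the optional third as the untyped `[,advanced file parameters]`; for consistency, annotate it the same way, or state that it is a comma-separated list of criteria as the Description section below explains.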
Latest revision as of 13:59, 23 February 2008
NTFile
Group | Files |
Main Application | Version 1.4 |
Required Update | 2008-03-05 (Plugins) |
File Parameters | yes (third) |
Registry Parameters | no |
Build Parameters | yes (third) |
Special Parameters | no |
Identifies files using the Windows NT native mode rather than the Win32 mode, so that files a rootkit hides from Win32 file access can still be found.
Usage
NTFile:<description(string)>,<filename(string)>[,advanced file parameters]
Examples
Identical to File:
NTFile:"<$FILE_DATA>","<$WINDIR>\Malware.txt","filesize=182,md5=83C36C493D7A254F9DE2ED63B3F92548"
NTFile:"<$FILE_DATA>","<wc>C:\Temp\Malware.*","filesize>=180,md5=83C36C493D7A254F9DE2ED63B3F92548"
NTFile:"<$FILE_DATA>","<regexpr>C:\Temp\Mal[a-z]{4}.*","filesize<=190,md5=83C36C493D7A254F9DE2ED63B3F92548"
Description
This command defines where to look for files. It accepts three parameters:
- The first parameter is a simple description, used only by the GUI to display to the user. Instead of plain text, it is recommended to use description templates, which the scanner GUI displays in a localized version.
- The second parameter defines the file name and path. In the standard form it supports wildcards and path templates, but you can also use Algo-Prefixes to vary the filename matching algorithm, e.g. to use regular expressions. Please note that any pattern applies to the file name only! The file path cannot be varied, but if you specify advanced parameters, the On-Access scanner will simply ignore the path.
- The third parameter allows you to define further criteria to look for in a file, since the file name itself is rarely unique (just think of all the misleading malware files that use standard Windows filenames). There is a huge range of advanced file parameters, with different costs, some cached, some not. It is recommended to put less costly parameters such as filesize first, so that fewer files are left for the later, more expensive parameters.
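As an added illustration of the three parameters and the cheap-before-costly ordering described above (example code, not Spybot's own parser): a small evaluator that parses NTFile lines in the form of the examples, applies the `<wc>` and `<regexpr>` Algo-Prefixes to the file name only, and checks `filesize` before computing `md5`. The `<$WINDIR>` expansion and the `WINDIR` constant are assumptions; only the advanced parameters that appear in the examples are supported.

```python
import fnmatch
import hashlib
import re

# Constructed example, not Spybot's own parser: evaluates NTFile-style lines
# against in-memory file records, using the field grammar of the examples above.
WINDIR = r"C:\Windows"  # assumed expansion of the <$WINDIR> path template
_LINE = re.compile(r'NTFile:"([^"]*)","([^"]*)"(?:,"([^"]*)")?')
_OPS = {"=": lambda a, b: a == b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def parse_ntfile(line):
    # Returns (description, filename pattern, {param: (op, value)}).
    m = _LINE.fullmatch(line.strip())
    if not m:
        raise ValueError("not a well-formed NTFile line")
    desc, name, extra = m.groups()
    params = {}
    for item in (extra.split(",") if extra else []):
        p = re.fullmatch(r"(\w+)(>=|<=|=)(.+)", item)
        if not p:
            raise ValueError("unsupported advanced parameter: " + item)
        params[p.group(1)] = (p.group(2), p.group(3))
    return desc, name, params

def name_matches(pattern, path):
    # An Algo-Prefix varies only the file name; the directory must match exactly.
    pattern = pattern.replace("<$WINDIR>", WINDIR)
    algo = next((t for t in ("<wc>", "<regexpr>") if pattern.startswith(t)), "")
    pdir, _, pname = pattern[len(algo):].rpartition("\\")
    fdir, _, fname = path.rpartition("\\")
    if pdir.lower() != fdir.lower():
        return False
    if algo == "<wc>":
        return fnmatch.fnmatchcase(fname.lower(), pname.lower())
    if algo == "<regexpr>":
        return re.fullmatch(pname, fname, re.IGNORECASE) is not None
    return fname.lower() == pname.lower()

def file_matches(line, path, content):
    # Cheap checks first (name, then size); the content is hashed only if needed.
    _, name, params = parse_ntfile(line)
    if not name_matches(name, path):
        return False
    if "filesize" in params:
        op, val = params["filesize"]
        if not _OPS[op](len(content), int(val)):
            return False
    if "md5" in params and params["md5"][1].lower() != hashlib.md5(content).hexdigest():
        return False  # md5 is an equality test, so its operator is always "="
    return True
```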
Scan Results
- The file identified by the parameters.
See also
- Advanced file parameters; especially exists(file)