Difference between revisions of "File"

From SpybotWiki
Jump to: navigation, search
m
 
(10 intermediate revisions by one other user not shown)
Line 1: Line 1:
''File'' is the regular command to detect any files on your system.
+
{{SbiCmdInfo
 +
|SYNTAX = File
 +
|PENAME = SpybotSD.exe
 +
|PEVERSION = 1.3
 +
|GROUP = Files
 +
|MINUPDATE = n/a
 +
|ADVFILEPARAMS = yes (third)
 +
|ADVREGPARAMS = no
 +
|ADVBUILDPARAMS = yes (third)
 +
|ADVSPECIALPARAMS = no
 +
}}''File'' is the regular command to detect any files on your system.
  
 
==Usage==
 
==Usage==
  File:[Description],[Filepath & Filename],<advanced file parameters>
+
 
 +
====for .sbi====
 +
  File:<description(string)>,<filename(string)>[,advanced file parameters]
 +
 
 +
===for scripts===
 +
sbiFile(<description(string)>,<filename(string)>[,advanced file parameters]);
  
 
===Examples===
 
===Examples===
 +
 +
====for .sbi====
 
  File:"<$FILE_DATA>","<$WINDIR>\Malware.txt","filesize=182,md5=83C36C493D7A254F9DE2ED63B3F92548"
 
  File:"<$FILE_DATA>","<$WINDIR>\Malware.txt","filesize=182,md5=83C36C493D7A254F9DE2ED63B3F92548"
 
  File:"<$FILE_DATA>","<wc>C:\Temp\Malware.*","filesize>=180,md5=83C36C493D7A254F9DE2ED63B3F92548"
 
  File:"<$FILE_DATA>","<wc>C:\Temp\Malware.*","filesize>=180,md5=83C36C493D7A254F9DE2ED63B3F92548"
 
  File:"<$FILE_DATA>","<regexpr>C:\Temp\Mal[a-z]{4}.*","filesize<=190,md5=83C36C493D7A254F9DE2ED63B3F92548"
 
  File:"<$FILE_DATA>","<regexpr>C:\Temp\Mal[a-z]{4}.*","filesize<=190,md5=83C36C493D7A254F9DE2ED63B3F92548"
 +
File:"<$FILE_DATA>","<regexpr>C:\Windows\System[^\t]*\Mal[a-z]{4}.*","filesize<=190,md5=83C36C493D7A254F9DE2ED63B3F92548"
 +
 +
====for scripts====
 +
sbiFile('<$FILE_DATA>','<$WINDIR>\Malware.txt','filesize=182,md5=83C36C493D7A254F9DE2ED63B3F92548');
  
 
===Description===
 
===Description===
 
This command defines where to look for files. It accepts three parameters:  
 
This command defines where to look for files. It accepts three parameters:  
 +
 
# The first parameter is a simple description, used for the GUI to display to the user only. Instead of using plain text, it is recommended to use [[Description templates|description templates]], which are displayed in a localized version by the scanner GUI.
 
# The first parameter is a simple description, used for the GUI to display to the user only. Instead of using plain text, it is recommended to use [[Description templates|description templates]], which are displayed in a localized version by the scanner GUI.
# The second parameter defines the file name and path. In the standard form, it supports wildcards and [[Path templates|path templates]], but you can also use [[AlgoPrefix|Algo-Prefixes]] to vary the filename matching algorithm, e.g. to use regular expressions. Please note that any pattern apply to the file name only! The file path cannot be varied, but if you specify advanced parameters, the On-Access scanner will simply ignore the path.
+
# The second parameter defines the file name and path. In the standard form, it supports wildcards and [[Path templates|path templates]], but you can also use [[AlgoPrefix|Algo-Prefixes]] to vary the filename matching algorithm, e.g. to use regular expressions. Starting with [[Spybot - Search & Destroy]] 1.6, you may use wildcards or regular expressions in any part of the path, on a by level base. {{AlgoPrefix}} {{PathTemplates}}
 
# The third parameter allows you to define more criteria to look for in a file, since the file name itself is rarely unique (just think about all those misleading malware files that attempt to use standard Windows filenames). There is a huge range of [[Advanced file parameters|advanced file parameters]], with different costs, some cached, some not. Using less costly parameters like [[filesize]] first is quite recommended to filter the amount of files that are left for the later parameters.
 
# The third parameter allows you to define more criteria to look for in a file, since the file name itself is rarely unique (just think about all those misleading malware files that attempt to use standard Windows filenames). There is a huge range of [[Advanced file parameters|advanced file parameters]], with different costs, some cached, some not. Using less costly parameters like [[filesize]] first is quite recommended to filter the amount of files that are left for the later parameters.
  
 
If you are dealing with [[Rootkits]], you also need to take a look at [[NTFile]], a brother of this command that uses deeper rooted functions to locate a file and is able to detect files hidden to the standard Win32 API.
 
If you are dealing with [[Rootkits]], you also need to take a look at [[NTFile]], a brother of this command that uses deeper rooted functions to locate a file and is able to detect files hidden to the standard Win32 API.
 +
 +
===Scan Results===
 +
* The file identified by the parameters.
  
 
==See also==
 
==See also==
Line 33: Line 58:
  
 
[[Category:SBI Commands]]
 
[[Category:SBI Commands]]
[[Category:SBI Commands (current)]]
 
[[Category:SBI Commands supporting AlgoPrefix]]
 

Latest revision as of 09:42, 21 April 2011

File
Group Files
Main Application Version 1.3
Required Update n/a
File Parameters yes (third)
Registry Parameters no
Build Parameters yes (third)
Special Parameters no

File is the regular command to detect any files on your system.

Usage

for .sbi

File:<description(string)>,<filename(string)>[,advanced file parameters]

for scripts

sbiFile(<description(string)>,<filename(string)>[,advanced file parameters]);

Examples

for .sbi

File:"<$FILE_DATA>","<$WINDIR>\Malware.txt","filesize=182,md5=83C36C493D7A254F9DE2ED63B3F92548"
File:"<$FILE_DATA>","<wc>C:\Temp\Malware.*","filesize>=180,md5=83C36C493D7A254F9DE2ED63B3F92548"
File:"<$FILE_DATA>","<regexpr>C:\Temp\Mal[a-z]{4}.*","filesize<=190,md5=83C36C493D7A254F9DE2ED63B3F92548"
File:"<$FILE_DATA>","<regexpr>C:\Windows\System[^\t]*\Mal[a-z]{4}.*","filesize<=190,md5=83C36C493D7A254F9DE2ED63B3F92548"

for scripts

sbiFile('<$FILE_DATA>','<$WINDIR>\Malware.txt','filesize=182,md5=83C36C493D7A254F9DE2ED63B3F92548');

Description

This command defines where to look for files. It accepts three parameters:

  1. The first parameter is a simple description, used for the GUI to display to the user only. Instead of using plain text, it is recommended to use description templates, which are displayed in a localized version by the scanner GUI.
  2. The second parameter defines the file name and path. In the standard form, it supports wildcards and path templates, but you can also use Algo-Prefixes to vary the filename matching algorithm, e.g. to use regular expressions. Starting with Spybot - Search & Destroy 1.6, you may use wildcards or regular expressions in any part of the path, on a by level base. AP PT
  3. The third parameter allows you to define more criteria to look for in a file, since the file name itself is rarely unique (just think about all those misleading malware files that attempt to use standard Windows filenames). There is a huge range of advanced file parameters, with different costs, some cached, some not. Using less costly parameters like filesize first is quite recommended to filter the amount of files that are left for the later parameters.

If you are dealing with Rootkits, you also need to take a look at NTFile, a brother of this command that uses deeper rooted functions to locate a file and is able to detect files hidden to the standard Win32 API.

Scan Results

  • The file identified by the parameters.

See also

Similar commands