Difference between revisions of "File"

From SpybotWiki
Jump to: navigation, search
(Usage: added var types)
m (Description: added 1.6 improvement)
Line 23: Line 23:
  
 
# The first parameter is a simple description, used for the GUI to display to the user only. Instead of using plain text, it is recommended to use [[Description templates|description templates]], which are displayed in a localized version by the scanner GUI.
 
# The first parameter is a simple description, used for the GUI to display to the user only. Instead of using plain text, it is recommended to use [[Description templates|description templates]], which are displayed in a localized version by the scanner GUI.
# The second parameter defines the file name and path. In the standard form, it supports wildcards and [[Path templates|path templates]], but you can also use [[AlgoPrefix|Algo-Prefixes]] to vary the filename matching algorithm, e.g. to use regular expressions. Please note that any pattern apply to the file name only! The file path cannot be varied, but if you specify advanced parameters, the On-Access scanner will simply ignore the path. {{AlgoPrefix}} {{PathTemplates}}
+
# The second parameter defines the file name and path. In the standard form, it supports wildcards and [[Path templates|path templates]], but you can also use [[AlgoPrefix|Algo-Prefixes]] to vary the filename matching algorithm, e.g. to use regular expressions. Starting with [[Spybot - Search & Destroy]] 1.6, you may use wildcards or regular expressions in any part of the path, on a by level base. {{AlgoPrefix}} {{PathTemplates}}
 
# The third parameter allows you to define more criteria to look for in a file, since the file name itself is rarely unique (just think about all those misleading malware files that attempt to use standard Windows filenames). There is a huge range of [[Advanced file parameters|advanced file parameters]], with different costs, some cached, some not. Using less costly parameters like [[filesize]] first is quite recommended to filter the amount of files that are left for the later parameters.
 
# The third parameter allows you to define more criteria to look for in a file, since the file name itself is rarely unique (just think about all those misleading malware files that attempt to use standard Windows filenames). There is a huge range of [[Advanced file parameters|advanced file parameters]], with different costs, some cached, some not. Using less costly parameters like [[filesize]] first is quite recommended to filter the amount of files that are left for the later parameters.
  

Revision as of 16:44, 27 May 2008

File
Group Files
Main Application Version 1.3
Required Update n/a
File Parameters yes (third)
Registry Parameters no
Build Parameters yes (third)
Special Parameters no

File is the regular command to detect any files on your system.

Usage

File:<description(string)>,<filename(string)>[,advanced file parameters]

Examples

File:"<$FILE_DATA>","<$WINDIR>\Malware.txt","filesize=182,md5=83C36C493D7A254F9DE2ED63B3F92548"
File:"<$FILE_DATA>","<wc>C:\Temp\Malware.*","filesize>=180,md5=83C36C493D7A254F9DE2ED63B3F92548"
File:"<$FILE_DATA>","<regexpr>C:\Temp\Mal[a-z]{4}.*","filesize<=190,md5=83C36C493D7A254F9DE2ED63B3F92548"

Description

This command defines where to look for files. It accepts three parameters:

  1. The first parameter is a simple description, used for the GUI to display to the user only. Instead of using plain text, it is recommended to use description templates, which are displayed in a localized version by the scanner GUI.
  2. The second parameter defines the file name and path. In the standard form, it supports wildcards and path templates, but you can also use Algo-Prefixes to vary the filename matching algorithm, e.g. to use regular expressions. Starting with Spybot - Search & Destroy 1.6, you may use wildcards or regular expressions in any part of the path, on a by level base. AP PT
  3. The third parameter allows you to define more criteria to look for in a file, since the file name itself is rarely unique (just think about all those misleading malware files that attempt to use standard Windows filenames). There is a huge range of advanced file parameters, with different costs, some cached, some not. Using less costly parameters like filesize first is quite recommended to filter the amount of files that are left for the later parameters.

If you are dealing with Rootkits, you also need to take a look at NTFile, a brother of this command that uses deeper rooted functions to locate a file and is able to detect files hidden to the standard Win32 API.

Scan Results

  • The file identified by the parameters.

See also

Similar commands