How to format White List file?

[HurlingMalware]

I' using anti-malware (v 5.1.0.10) command line scanner on a Win XP Pro SP3 box.

I've setup a white list text file to exclude certain directories.

The location is: /whitelist="E:\My Documents\a-squared\WhiteList.txt"

WhiteList.txt has the following entries:

"C:\Documents and Settings\Administrator"

"C:\Documents and Settings\All Users"

"C:\Documents and Settings\Default User"

"C:\Documents and Settings\Local Service"

"C:\Documents and Settings\NetworkService"

However, folder "C:\Documents and Settings\Administrator" is scanned.

The scan parameters are:

/memory /traces /cookies /smart /riskware /ntfs /quarantinelist

Is my white list text file formatted incorrectly or is one of the scan parameters overriding what is in WhiteList.txt? If the file is formatted incorrectly, what is the correct format?

Thanks much!!!

[Lynx]

Hi HurlingMalware, welcome to the forum

1st, please search the forum using keywords like "White List"/ "Whitelist" or alike

You will find many discussions including using the feature with Command Line Scanner (CLS) or "a2cmd"

e.g.: '>this one and some subsequent links inside

Then the set of the parameters you've posted

/memory /traces /cookies /smart /riskware /ntfs /quarantinelist

does not include /WL=FoldersToIgnore.txt (the name of WhiteList is just a generic example)

Finally, I have to refresh my memory , but I am not sure that "C:\Documents and Settings\..." are included into the Smart Scan

The common report header of the latter says:

Scan type: Smart Scan
Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Program Files
Scan archives: Off
Heuristics: Off
ADS Scan: On

If I am wrong - I'll be corrected

I'll try to run the latest version of CLS again and see what's going on

Meanwhile you can fix the parameters and in addition produce a report , so the developers can see that the folders were scanned despite being present in the WhiteList. The easiest way is to place some files inside those folders that are definitely flagged by EAM like Eicar or TrojanSimulator

In order to save report you can use redirection "> D:\AnyFolder\CLSreport.txt" at the end of the parameters set (where D is just any drive letter of your choice)

My regards

[Lynx]

In addition to the above

Sure the "C:\Documents and Settings\" folders were not scanned

I copied few files that must be flagged by EAM/CLS into the C:\Documents and Settings\Administrator\ folder

the Smart Scan finished

The extract from the report:

Emsisoft Commandline Scanner v. 5.1.0.2

© 2003-2010 Emsi Software GmbH - www.emsisoft.com

Emsisoft Commandline Scanner - Version 5.1

Last update: 28/04/2011 10:04:07 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\PROGRAM FILES

Scan archives: Off

Heuristics: Off

ADS Scan: On

Scan start: 29/04/2011 10:35:45 AM

[664] C:\WINDOWS\system32\ntdll.dll

........

........

Scanned

Files: 114226

Traces: 457444

Cookies: 26

Processes: 41

Found

Files: 0

Traces: 19

Cookies: 0

Processes: 0

Scan end: 29/04/2011 11:36:44 AM

Scan time: 1:00:58

What you may have in your report are records like this

... [3820] C:\Documents and Settings\.....\Application Data\Mozilla\Firefox\Profiles\........\libs\cooliris.dll

But those are the processes, since /M parameter was used

or

records related to the Registry where Traces were scanned , like

HKEY_LOCAL_MACHINE\SOFTWARE\....
... c:\documents and settings\all users\... Menu.lnk...

, since /T was used

I can attach whole report, if you want

but basically, the WhiteList file you've created would better fit and to be tested with the Deep Scan, since the set of folders as in you post are not included into the Smart Scan type

I hope that users and the developers will add some info (and/or correct me)

My regards