
salt win8 grains.item osfullname

win8:
    ----------
    osfullname:
        Microsoft Windows 8.1 Enterprise Evaluation

salt win8 cmd.run shell='powershell' '& "C:\\Program Files\\ClamAV-x64\clamdscan.exe" -V'

win8:
    ClamAV 0.98.7/21375/Tue Feb 16 05:36:54 2016

clamd is running on an Ubuntu VM. Here's the configuration on a Windows client (network mode):

TCPAddr <clamd.server.ip.address>
TCPSocket 3310
User Administrator

and I would like to scan only the files from the last 24 hours by using something like this:

salt win8 cmd.run shell='powershell' 'Get-ChildItem "C:\\Program Files\\ClamAV-x64" -Recurse | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } | % { $_.FullName }'

win8:
    C:\Program Files\ClamAV-x64\eicar.com.txt
    C:\Program Files\ClamAV-x64\file_to_scan.txt
    C:\Program Files\ClamAV-x64\report.txt
    C:\Program Files\ClamAV-x64\scan.ps1
    C:\Program Files\ClamAV-x64\sendmail.ps1

then write that list to a file:

| Out-File "C:\Program Files\ClamAV-x64\file_to_scan.txt"

and use the -f option:

salt win8 cmd.run shell='powershell' '& "C:\\Program Files\\ClamAV-x64\clamdscan.exe" -h'

win8:

                           ClamAV Daemon Client 0.99
               By The ClamAV Team: http://www.clamav.net/about.html#credits
               (C) 2007-2015 Cisco Systems, Inc.

        --file-list=FILE    -f FILE        Scan files from FILE

but I got this error when scanning:

salt win8 cmd.run shell='powershell' '& "C:\\Program Files\\ClamAV-x64\clamdscan.exe" -f "C:\\Program Files\\ClamAV-x64\file_to_scan.txt"'

win8:

    ----------- SCAN SUMMARY -----------
    Infected files: 0
    Total errors: 1
    Time: 0.000 sec (0 m 0 s)
    ERROR: Can't access file C:\Windows\system32\config\systemprofile\ÿþC

It always said that it cannot access a weird file named ÿþC in the current working directory:

salt win8 cmd.run shell='powershell' 'cd \; & "C:\\Program Files\\ClamAV-x64\clamdscan.exe" -f "C:\\Program Files\\ClamAV-x64\file_to_scan.txt"'

win8:

    ----------- SCAN SUMMARY -----------
    Infected files: 0
    Total errors: 1
    Time: 0.000 sec (0 m 0 s)
    ERROR: Can't access file C:\\ÿþC

What is ÿþC? And why did it say that?

PS: OS X client worked fine:

clamdscan -f file_to_scan

    /Users/quanta/Downloads/eicar.com.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 4.359 sec (0 m 4 s)

Tue Feb 16 22:54:26 ICT 2016

Got another weird filename if running directly on the Windows VM:

PS C:\Windows\system32> & 'C:\Program Files\ClamAV-x64\clamdscan.exe' -f 'C:\Program Files\ClamAV-x64\file_to_scan.txt'
ERROR: Can't access file C:\Windows\system32\ ■C

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)
quanta

1 Answer

What is ÿþC?

ÿþ is a representation of the BOM (byte order mark) in UTF-16 (LE) encoding.

And why did it say that?

Because Out-File uses the encoding of the system's current ANSI code page by default:

-Encoding

Specifies the type of character encoding used in the file. Valid values are "Unicode", "UTF7", "UTF8", "UTF32", "ASCII", "BigEndianUnicode", "Default", and "OEM". "Unicode" is the default. "Default" uses the encoding of the system's current ANSI code page.

The solution is to use -Encoding ASCII to get rid of the garbled characters:

salt win8 cmd.run shell='powershell' 'Get-ChildItem "C:\\Program Files\\ClamAV-x64" -Recurse | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } | % { $_.FullName } | Out-File "C:\Program Files\ClamAV-x64\file_to_scan.txt" -Encoding ASCII'

Files\\ClamAV-x64'; & 'C:\\Program Files\\ClamAV-x64\clamdscan.exe' -f .\file_to_scan.txt"

win8:
    C:\Program Files\ClamAV-x64\eicar.com.txt: Eicar-Test-Signature FOUND
    C:\Program Files\ClamAV-x64\file_to_scan.txt: OK
    C:\Program Files\ClamAV-x64\report.txt: OK
    C:\Program Files\ClamAV-x64\scan.ps1: OK
    C:\Program Files\ClamAV-x64\sendmail.ps1: OK

    ----------- SCAN SUMMARY -----------
    Infected files: 1
    Time: 5.845 sec (0 m 5 s)
    ERROR: Minions returned with non-zero exit code

Source: https://social.technet.microsoft.com/Forums/office/en-US/ab1beb83-9174-413c-b1a6-882cef213980/getting-garbled-text-with-outfile-?forum=winserverpowershell

quanta
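A byte-level view of the two garbled names in the question (ÿþC through Salt, ■C in the local console), as an added example that is not part of the original posts. It assumes clamdscan reads the list as narrow, NUL-terminated strings; `out_file_bytes`, `first_name_seen` and `normalize_list` are hypothetical helper names, and the sample path is constructed from the listing above.

```python
import codecs

# Constructed sample: one path taken from the listing in the question.
SAMPLE_PATHS = [r"C:\Program Files\ClamAV-x64\eicar.com.txt"]

# UTF-32 LE starts with FF FE as well, so it is tested before UTF-16 LE.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32"),
    (codecs.BOM_UTF32_BE, "utf-32"),
    (codecs.BOM_UTF8, "utf-8-sig"),
    (codecs.BOM_UTF16_LE, "utf-16"),
    (codecs.BOM_UTF16_BE, "utf-16"),
]


def out_file_bytes(paths, encoding="utf-16"):
    """Bytes of a list file: "utf-16" models Out-File's "Unicode" default
    (FF FE BOM + UTF-16 LE); any other codec name is written without a BOM."""
    text = "".join(p + "\r\n" for p in paths)
    if encoding == "utf-16":
        return codecs.BOM_UTF16_LE + text.encode("utf-16-le")
    return text.encode(encoding)


def first_name_seen(raw, codepage):
    """Assumed reader model: the first line, cut at the first NUL byte like a
    narrow C string, rendered in the given code page."""
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    return line.split(b"\x00", 1)[0].decode(codepage)


def normalize_list(raw, target="ascii"):
    """Re-encode a BOM-prefixed list to BOM-less `target`; a path that does not
    fit `target` raises UnicodeEncodeError instead of being silently altered."""
    for bom, enc in BOMS:
        if raw.startswith(bom):
            return raw.decode(enc).encode(target)
    return raw  # no BOM: already a plain byte-oriented list


if __name__ == "__main__":
    raw = out_file_bytes(SAMPLE_PATHS)
    print(raw[:4].hex(" "))                       # BOM followed by 'C' and a NUL
    print(repr(first_name_seen(raw, "cp1252")))   # ANSI view of the bytes
    print(repr(first_name_seen(raw, "cp437")))    # OEM console view
    print(first_name_seen(normalize_list(raw), "cp1252"))
```

Running `normalize_list` over a list file before handing it to `clamdscan -f` makes an encoding problem fail loudly at list-build time rather than show up as a scan that reports 0 infected files and 1 error.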