Command line utility to update McAfee VirusScan

I recently had to create a utility whose aim is to update McAfee's VirusScan and that had to be launched from the command line.

I thought I’d share my experience with you.

Why is it useful to be able to update an Antivirus from the command line?
Because it lets you control the schedule of this process.
For instance, you can decide that you want to try to update each time the computer is booted. Or when a user logs in. Or when the computer has been idling for a certain amount of time. Or even at fixed times.

It is also very handy when the normal/automated update does not work. This was my primary reason for developing this utility: some of the users I had to support were not connecting often enough to their corporate intranet, and their “anti-virus update servers” are on said intranet. The IT/Security team for their corporate network had specified McAfee’s public update servers at the end of the list of update servers, but for some reason it was not working as expected. Since I was in a hurry and could not spend too much time debugging McAfee’s product, I decided to create a simple script and to make sure it was launched often enough.

I came across several sources on the web, but the one that was really helpful was:
https://community.mcafee.com/message/113439


So I created a script that should be usable on most Windows systems that run McAfee VirusScan. You need wget for this to work:
http://gnuwin32.sourceforge.net/packages/wget.htm

Wget is used to get the SuperDAT utility that McAfee provides for free on its update servers. SuperDAT is a single .exe file, which can run silently and which updates McAfee’s antivirus systems (virus definitions AND engines).

 
rem Work in a dedicated folder under the temp directory (/d also switches drive)
cd /d "%temp%"
if not exist McAfee\nul md McAfee
cd McAfee
if exist gdeltaavv.ini del gdeltaavv.ini
rem Fetch the .ini file that holds the newest DAT version
wget http://update.nai.com/products/commonupdater/gdeltaavv.ini
if not exist gdeltaavv.ini goto error1
rem Extract the newest version level into %Curr%
for /F "usebackq skip=2 delims== tokens=1,2*" %%m in (`Find /I  "CurrentVersion" gdeltaavv.ini`) do set Curr=%%n
rem Stop if this SuperDAT was already downloaded by an earlier run
if exist sdat%Curr%.exe goto fin
del *.exe
wget http://download.nai.com/products/licensed/superdat/english/intel/sdat%Curr%.exe
if not exist sdat%Curr%.exe goto error2
sdat%Curr%.exe /silent
goto fin
:error1
echo Cannot retrieve gdeltaavv.ini
goto fin
:error2
echo Cannot retrieve sdat%Curr%.exe
goto fin
:fin



As you can see, this script is very simple. Too simple, even: it will download SuperDAT even if the current virus signature is already installed on the computer running the script.

So I decided that it was better to check for the current version level of the virus signature (that McAfee calls DAT files) and to compare it with the “newer” one that McAfee provides on its site.

Retrieving the current version level of the DAT file is quite easy, with some registry mining.
In my case (VirusScan 8.7 I think), this is the binary value stored here:
HKLM\SOFTWARE\McAfee\AVEngine\AVDatVersion

Note that this may not be the actual value for YOUR version of VirusScan…

This is a DWord value that reg.exe displays as a hexadecimal number. But I had to compare it to a decimal value, and both are held in environment variables, which are character strings. At first, I created a VB script on the fly (using echo commands) and then invoked it, just to convert a hex value to decimal. I’ll let you have it if you want, but it’s a little too complex for such a simple task, which can be done in a simpler way: I remembered that SET /A MyEnvVar = 0xFFFF (for instance) stores the decimal equivalent of 0xFFFF in the environment variable “MyEnvVar”. So this is what I did.

And now I have a smarter command line script that fetches the latest and greatest McAfee SuperDAT utility only if there is actually something to update (and never if you are already up to date), and runs it silently.

Here is the latest version of the script I deployed:

 
rem Work in a dedicated folder under the temp directory (/d also switches drive)
cd /d "%temp%"
if not exist McAfee\nul md McAfee
cd McAfee
if exist gdeltaavv.ini del gdeltaavv.ini

rem We get the .ini file where the newest version of DAT file is stored

wget http://update.nai.com/products/commonupdater/gdeltaavv.ini
if not exist gdeltaavv.ini goto error1

rem We extract the newest version level from that file, as a decimal number
for /F "usebackq skip=2 delims== tokens=1,2*" %%m in (`Find /I  "CurrentVersion" gdeltaavv.ini`) do set Curr=%%n
echo Newest DAT level on McAfee's site is %Curr%

rem We get the current version of DAT file on the local computer (from its registry)
reg query HKLM\SOFTWARE\McAfee\AVEngine /v AVDatVersion > "%temp%\McAfee\regqvv.txt"

rem We extract the actual version as a decimal number and store it in "LocCurrDec" environment variable
rem (skip=4 matches the header lines reg.exe printed on the system this was written for; adjust if yours differ)
for /F "skip=4 delims=x tokens=2,*" %%m in (regqvv.txt) do set /A LocCurrDec = 0x%%m

rem Quoted so that an empty value does not cause a syntax error
if "%LocCurrDec%" == "%Curr%" goto fin

if exist sdat%Curr%.exe goto fin
del *.exe

wget http://download.nai.com/products/licensed/superdat/english/intel/sdat%Curr%.exe
if not exist sdat%Curr%.exe goto error2
sdat%Curr%.exe /silent

goto fin

:error1
echo Cannot retrieve gdeltaavv.ini
goto fin
:error2
echo Cannot retrieve sdat%Curr%.exe
goto fin


:fin
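
The same update flow with one extra check, as an added example that is not part of the original article: the script above fetches an executable over plain HTTP and runs it silently, so this PowerShell version verifies the file's Authenticode signature before launching it. The URLs, registry value and /silent switch come from the article; the signer pattern, the exact "CurrentVersion=" line format and AVDatVersion being a REG_DWORD are assumptions to adjust for your environment.

```powershell
# Added example, not the article's script. Assumptions are marked below.
$ErrorActionPreference = 'Stop'

$IniUrl   = 'http://update.nai.com/products/commonupdater/gdeltaavv.ini'        # from the article
$SdatBase = 'http://download.nai.com/products/licensed/superdat/english/intel'  # from the article
$RegKey   = 'HKLM:\SOFTWARE\McAfee\AVEngine'                                    # from the article
# ASSUMPTION: wildcard matched against the signer subject; pinning the exact
# subject or certificate thumbprint used in your environment is stricter.
$ExpectedSigner = '*McAfee*'

$work = Join-Path $env:TEMP 'McAfee'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Newest DAT level published on the update server.
$ini = Join-Path $work 'gdeltaavv.ini'
Invoke-WebRequest -Uri $IniUrl -OutFile $ini -UseBasicParsing
# ASSUMPTION: the file holds a line of the form "CurrentVersion=<digits>".
$m = Select-String -Path $ini -Pattern '^\s*CurrentVersion\s*=\s*(\d+)\s*$' |
     Select-Object -First 1
if (-not $m) { throw 'CurrentVersion not found in gdeltaavv.ini' }
$remote = [int]$m.Matches[0].Groups[1].Value

# 2. Installed DAT level. The registry provider returns a DWORD as an integer,
#    so no hex-to-decimal conversion is needed (ASSUMPTION: value is REG_DWORD).
$local = [int](Get-ItemProperty -Path $RegKey -Name AVDatVersion).AVDatVersion

# 3. Numeric comparison: also stops when the local DAT is newer than the server's,
#    a case the equality test in the batch script does not cover.
if ($local -ge $remote) { "Up to date (local $local, server $remote)"; return }

# 4. Download, then refuse to run anything that is unsigned, modified,
#    or signed by an unexpected publisher.
$sdat = Join-Path $work "sdat${remote}.exe"
Invoke-WebRequest -Uri "$SdatBase/sdat${remote}.exe" -OutFile $sdat -UseBasicParsing
$sig = Get-AuthenticodeSignature -FilePath $sdat
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike $ExpectedSigner) {
    Remove-Item $sdat -Force
    throw "Signature check failed for $sdat (status: $($sig.Status))"
}

# 5. Same silent switch as in the article.
$p = Start-Process -FilePath $sdat -ArgumentList '/silent' -Wait -PassThru
"SuperDAT exited with code $($p.ExitCode)"
```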


