[KB3417] ESET Command Line Scanner Parameters (ecls.exe) (5.x and later)

Issue

Solution

The ESET Security On-demand scanner can be initiated from both the graphical user interface and command line. Command line scanning is useful if your computer is currently operational only in Safe Mode or if you are a network administrator and want to initiate scanning from an external application.

Location of ECLS scanner

The scanner (filename: ecls.exe) is located in C:\Program Files\ESET\ESET Security.

To use the scanner, open a Command Prompt, reference the full directory path to the scanner followed by the list of objects to scan. Additional parameters (see Scanner options) can be appended to the command line to further modify your scan.

Command line examples

Exampe 1

The example 1 below commands your ESET Smart Security product to run a scan with automatic scan settings, show the status bar of the scan while running and create a scan log file:

"C:\Program Files\ESET\ESET Security\ecls.exe" /base-dir="C:\Program Files\ESET\ESET Security\Modules" /auto /log-file=c:\ecls.txt /aind

NOTE:

When performing an On-demand computer scan,  you may see multiple blue “error” notifications in the Scan log. Visit the following ESET Knowledgebase article for more information: Blue error opening notifications in On-demand Scanner Log

Exampe 2

In the example below you create a batch file that commands ESET Endpoint (version 5) product to shutdown when a scan finishes:

@echo off
“C:\Program Files\ESET\ESET Security\ecls.exe” /base-dir=”C:\Program Files\ESET\ESET Security\Modules” /auto /aind /quarantine /memory /log-file=c:\ESET_scanlog.txt
shutdown /f /s /t 00

Command line parameters

Basic options Description
/base-dir=FOLDER load modules from FOLDER
/quar-dir=FOLDER quarantine FOLDER
/exclude=MASK exclude files matching MASK from scanning
/subdir scan subfolders (default)
/no-subdir do not scan subfolders
/max-subdir-level=LEVEL maximum sub-level of folders within folders to scan
/symlink follow symbolic links (default)
/no-symlink skip symbolic links
/ads scan Alternate Data Streams (ADS) (default)
/no-ads do not scan ADS
/log-file=FILE log output to FILE
/log-rewrite overwrite output file (default - append)
/log-console log output to console (default)
/no-log-console do not log output to console
/log-all also log clean files
/no-log-all do not log clean files (default)
/aind show activity indicator
/auto scan and automatically clean all local disks
Scanner options Description
/files scan files (default)
/no-files do not scan files
/memory scan memory
/boots scan boot sectors
/no-boots do not scan boot sectors (default)
/arch scan archives (default)
/no-arch do not scan archives
/max-obj-size=SIZE only scan files smaller than SIZE megabytes (default 0 = unlimited)
/max-archive-level=LEVEL maximum number of archives within archives (nested archives) to scan
/scan-timeout=LIMIT scan archives for LIMIT seconds at maximum
/max-arch-size=SIZE only scan the files in an archive if they are smaller than SIZE megabytes (default 0= unlimited)
/max-sfx-size=SIZE only scan the files in a self-extracting archive if they are smaller than SIZE megabytes (default 0 = unlimited)
/mail scan email files (default0
/no-mail do not scan email files
/mailbox scan mailboxes (default)
/no-mailbox do not scan mailboxes
/sfx scan self-extracting archive files (default)
/no-sfx do not scan self-extracting archive files
/rtp scan runtime packers (default)
/no-rtp do not scan runtime packers
/adware scan for Adware/Spyware/Riskware
/no-adware do not scan for Adware/Spyware/Riskware
/unsafe scan for potentially unsafe applications
/no-unsafe do not scan for potentially unsafe applications (default)
/unwanted scan for potentially unwanted applications
/no-unwanted do not scan for potentially unwanted applications (default)
/suspicious scan for suspicious applications (default)
/no-suspicious do not scan for suspicious applications
/pattern use signatures (default)
/no-pattern do not use signatures
/heur enable heuristics (default)
/no-heur disable heuristics
/adv-heur enable Advanced heuristics (default)
/no-adv-heur disable Advanced heuristics
/ext=EXTENSIONS scan only EXTENSIONS delimited by a colon
/ext-exclude=EXTENSIONS exclude EXTENSIONS delimited by a colon from scanning
/clean-mode=MODE

use cleaning MODE for infected objects. The following options are available:

None— No automatic cleaning will occur.

Standard (default)— ECLS.exe will attempt to automatically clean or delete infected files.

Strict— ECLS.exe will attempt to automatically clean or delete infected files without user intervention (you will not be prompted before files are deleted).

Rigorous— ECLS.exe will delete files without attempting to clean regardless of what the file is.

Delete— ECLS.exe will delete files without attempting to clean, but will refrain from deleting sensitive files such as Windows system files.

/quarantine copy infected files to Quarantine (supplements the action carried out during cleaning)
/no-quarantine do not copy infected files to Quarantine
General options Description
/help show help and quit
/version show version information and quit
/preserve-time preserve last access timestamp
Exit codes* Description
0 no threat found
1 threat found and cleaned
10 some files could not be scanned (may be threats)
50 threat found
100 error

*If you receive an error message with an exit code greater than 100, the file was not scanned and thus could be infected.