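::BAV_:[email protected]:anic17/Batch-Antivirus.git
@echo off
setlocal EnableDelayedExpansion
title Batch Antivirus Scanner
:: Entry point. Syntax: BAV [[folder] or --reg-scan or --help] [--skip-update]
:: State shared with the subroutines below: admin, scanned_files, threats,
:: filescan (set by :scan) and hash (set by :hashed).
if /i "%~1"=="--help" goto help
call "%~dp0BAVStatus.bat" --skip || exit /b
:: External tools (sha256.exe, findstr, icacls, reg, net, powershell) are run
:: by bare name while the current directory is the folder being scanned.
:: cmd.exe looks in the current directory before PATH, so a file named like one
:: of those tools inside the scanned folder would be executed by the scanner.
:: NoDefaultCurrentDirectoryInExePath turns that lookup off for this process;
:: the script's own folder is put first on PATH so sha256.exe is still found
:: when it ships next to BAV.bat.
set NoDefaultCurrentDirectoryInExePath=1
set "PATH=%~dp0;%PATH%"
set admin=1
set scanned_files=0
set threats=0
if /i "%~1"=="--reg-scan" goto reg_scan
:: --skip-update is accepted as the first argument (as the help text documents
:: it) or as the second one, after the folder to scan.
set "scan_target=%~1"
set skip_update=0
if /i "%~1"=="--skip-update" (
set "scan_target="
set skip_update=1
)
if /i "%~2"=="--skip-update" set skip_update=1
if !skip_update!==1 goto skipupdate
net session > nul 2>&1 || set admin=0
if !admin!==0 (
echo Looks like you are running Batch Antivirus without administrator permissions...
echo.
echo This can make difficult to remove some malware.
echo It is recommended to run the scan as administrator.
echo.
echo.Would you like to run scan as administrator? ^(y/n^)
choice /c:YN /n
if !errorlevel!==1 goto runas
)
call "%~dp0BAVUpdate.bat"
:skipupdate
:: An empty target means the root of the current drive. A folder that cannot
:: be entered is an error: silently scanning whatever the current directory
:: happened to be would report a result for the wrong folder.
if "!scan_target!"=="" (
cd \
) else (
cd /d "!scan_target!" > nul 2>&1 || (
echo Cannot access folder '!scan_target!'
exit /b 1
)
)
echo.
echo Scanning '%CD%' for threats...
echo.
call :reg_scan
:: stderr of each :scan call is discarded, so unreadable files produce no
:: message but are still counted as scanned.
for /r %%A in (*) do call :scan "%%~A" 2>nul
:finished
echo Scan finished.
echo.
call :settitle
echo Result: !scanned_files! files scanned and !threats! threat(s) found
echo.
echo Press any key to quit...
pause>nul
:: The exit status is whatever the last command left behind; it does not
:: reflect the number of threats found.
exit /B %errorlevel%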
:scan
:: Stores the file named by the first argument in filescan, refreshes the
:: console title and hands the first token of every line printed by
:: sha256.exe to :hashed. The file counter is bumped whether or not the
:: hashing step produced any output.
set "filescan=%~1"
call :settitle
for /f "tokens=1" %%H in ('sha256.exe "!filescan!" 2^>nul') do call :hashed %%H
set /a "scanned_files=scanned_files+1"
exit /b
:hashed
:: Called by :scan with one token of the sha256.exe output. Looks the token
:: up in VirusDataBaseHash.bav next to the script; every matching line is
:: split at the first ':' into hash and threat name and passed to :detection,
:: which performs the exact comparison (findstr /c: is a substring search).
set "hash=%~1"
:: Backslashes are removed from the token. NOTE(review): presumably because
:: sha256.exe prefixes the hash with one for some file names - confirm.
set "hash=!hash:\=!"
findstr /c:"!hash!" "%~dp0VirusDataBaseHash.bav" > nul || goto :EOF
for /f "tokens=1* delims=:" %%a in ('findstr /c:"!hash!" "%~dp0VirusDataBaseHash.bav"') do (call :detection "%%~a" "%%~b")
goto :EOF
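:detection
:: Called by :hashed for each database line: the first argument is the line's
:: hash field, the second its threat name. Moves filescan into
:: Data\Quarantine\hash\hash under the script folder and denies the current
:: user access to the quarantined copy.
if "%~1" neq "!hash!" goto :EOF
:: The threat name comes from the downloaded database. It is passed to
:: PowerShell through the environment and echoed via delayed expansion instead
:: of being spliced into command text, so a crafted database entry cannot
:: inject PowerShell or cmd commands.
set "threat_name=%~2"
start /b powershell [Reflection.Assembly]::LoadWithPartialName("""System.Windows.Forms""");$obj=New-Object Windows.Forms.NotifyIcon;$obj.Icon = [drawing.icon]::ExtractAssociatedIcon($PSHOME + """\powershell.exe""");$obj.Visible = $True;$obj.ShowBalloonTip(100000, """Batch Antivirus""","""Threats found: $env:threat_name""",2)>nul
echo Malware found: !filescan! ^| !threat_name!
md "%~dp0Data\Quarantine\!hash!" > nul 2>&1
:: Ownership and full control are taken before the move, presumably so that
:: files the malware has locked down can still be relocated. The user name is
:: quoted because it may contain spaces.
icacls "!filescan!" /setowner "%username%" > nul 2>&1
icacls "!filescan!" /grant "%username%:(F,MA,WA,RA,WEA,REA,WDAC,DE)" > nul 2>&1
move "!filescan!" "%~dp0Data\Quarantine\!hash!\!hash!" /y > nul 2>&1
icacls "%~dp0Data\Quarantine\!hash!\!hash!" /deny "%username%:(RX,W,R,M,RD,WEA,REA,X,RA,WA)" > nul 2>&1
set /a threats+=1
if not exist "!filescan!" (echo Malware successfully quarantined) else call :delete
goto :EOF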
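:delete
:: Fallback used by :detection when the move left the file in place: offers
:: to delete filescan instead.
echo.
echo Failed to quarantine malware^^!
:: set /p keeps the previous value on empty input, so the answer is cleared
:: first; otherwise a 'y' typed for an earlier file would carry over.
set "delmalware="
set /p "delmalware=Delete malware? (y/n): "
icacls "!filescan!" /setowner "%username%" > nul 2>&1
icacls "!filescan!" /grant "%username%:(F,MA,WA,RA,WEA,REA,WDAC,DE)" > nul 2>&1
:: The path is quoted so a folder name containing spaces is not split into
:: several del targets, one of which could be an existing directory whose
:: files would then all be removed. /s is dropped because it would also delete
:: same-named files in subfolders.
if /i "!delmalware!"=="y" del /f /q "!filescan!" > nul
echo.
goto :EOF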
:help
:: Prints the usage text and exits with status 0. endlocal runs first because
:: this label is reached by goto from the top level, not by call.
echo(
echo Batch Antivirus - Scanner
echo(
echo Syntax:
echo(
echo BAV [[folder] ^| --reg-scan ^| --help] [--skip-update]
echo(
echo Examples:
echo(
echo BAV
echo Will scan all the current drive. This may take some a lot of time depending
echo on the number of files and the computer performance.
echo(
echo BAV "%USERPROFILE%"
echo Will scan the folder "%USERPROFILE%" and all its subdirectories
echo It is recommended for a more precise and faster scan.
echo(
echo BAV --reg-scan
echo Only scan the autorun registry keys.
echo(
echo BAV --skip-update
echo Skip update checking and directly run scan.
echo(
echo BAV --help
echo Displays this help message.
echo(
echo Batch Antivirus will check at every startup new database updates to ensure you
echo have always the latest database.
echo You can also manually check for updates by running 'BAVUpdate.bat' file.
echo(
echo Official GitHub repository:
echo https://github.com/anic17/Batch-Antivirus
echo(
echo If you accidentally downloaded some malware or PUP, contact [email protected]
echo and send the potentially malicious file via Mega, Dropbox, Google Drive, Mediafire or OneDrive.
echo(
echo Copyright (c) 2022 anic17 Software
endlocal
exit /b 0
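:runas
:: Relaunches this script elevated. The full script path is used so this also
:: works when the script was started by bare name through PATH, and the
:: original arguments are forwarded through the environment so the elevated
:: instance scans the folder the user asked for instead of the whole drive.
:: When no arguments were given, -ArgumentList is left out because
:: Start-Process rejects an empty one.
set "bav_args=%*"
set "ps_args="
if defined bav_args set "ps_args=-ArgumentList $env:bav_args"
powershell -ExecutionPolicy Bypass -Command Start-Process -FilePath """%~f0""" %ps_args% -verb RunAs
exit /b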
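:reg_scan
:: Scans the autorun registry locations (Run, RunOnce and the Winlogon
:: Userinit value) and hands each value's program path to :scan.
:: Limitation (unchanged): reg query output is split on spaces and only the
:: first word of the value data is taken, so an unquoted path containing
:: spaces is truncated to its first word.
:: A key that does not exist (RunOnce is often absent) makes reg query print
:: an error on stderr, which is discarded.
for %%R in (HKEY_LOCAL_MACHINE HKEY_CURRENT_USER) do (
rem Run and RunOnce. The outer loop has its own variable, R, so the inner
rem loops do not reuse and shadow it.
for /f "tokens=3* delims= " %%A in ('reg query "%%R\Software\Microsoft\Windows\CurrentVersion\Run" 2^>nul') do call :scan "%%~A"
for /f "tokens=3* delims= " %%A in ('reg query "%%R\Software\Microsoft\Windows\CurrentVersion\RunOnce" 2^>nul') do call :scan "%%~A"
)
:: Run and RunOnce in the 32-bit view of HKLM
for /f "tokens=3* delims= " %%A in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" 2^>nul') do call :scan "%%~A"
for /f "tokens=3* delims= " %%A in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce" 2^>nul') do call :scan "%%~A"
:: Winlogon Userinit: the value is a comma-separated list, only the first
:: entry is scanned.
for /f "tokens=3* delims= " %%A in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit 2^>nul') do (
for /f "tokens=1 delims=," %%X in ("%%~A") do call :scan "%%~X"
)
for /f "tokens=3* delims= " %%A in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit 2^>nul') do (
for /f "tokens=1 delims=," %%X in ("%%~A") do call :scan "%%~X"
)
goto :EOF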
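:settitle
:: Shows scan progress in the console title. Reads the globals filescan,
:: scanned_files and threats. Returns explicitly instead of relying on
:: reaching the end of the file, so code can be appended after this label.
title Scanning now: !filescan! ; !scanned_files! scanned, !threats! threat(s) found
goto :EOF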