Vipre Scanner Description
#overview of the Vipre Rescue Scanner re-write


Vipre Rescue Scanner is a product produced by Sunbelt Software. It is comparable in overall effectiveness to the Combofix program written by the enigmatic sUBs and hosted here. Essentially, it is a command-line virus scanner with rootkit-removal abilities and the ability to run at system start-up to remove items that can't be deleted normally in Windows.

Unfortunately, Sunbelt released the product without an easy-to-use interface. That's where our GUI re-write comes in. We have essentially added the interface that Sunbelt forgot to write. All the same functionality is there (along with a few extra steps that enhance the program) but in a much easier to use format.


Vipre Scanner "Redux" works in the following way:

Download the VIPRERescueXXXX.exe from
extract the files from the downloaded file
remove unnecessary files, replace or rename some files and add some other files
re-compress the archive with 7-zip for a smaller executable


Our Vipre Scanner works differently from Sunbelt's in the following ways:
  • In-Program updates possible (although very slow) thanks to wget for Windows
  • Permission and ACL repair on target machine through Microsoft's subinacl.exe and secedit.exe
  • removing some temporary files to speed up scan times (this is arguably a bad thing, but viruses typically spawn from temp folders and it makes sense to delete them)
  • process killing during program execution (Processes listed in the processlist.ini file are killed as they are spawned during execution of Vipre Rescue)

How To Build It

One of the major points of the rebuilt Vipre Scanner that a user needs to understand is the creation process. It was explained briefly above, but going into a little more detail is appropriate.

To start with, here is an example of a Windows .cmd file that creates our rebuilt Vipre Scanner:


IF EXIST .\7zip.conf DEL /Q 7zip.conf
.\files\wget.exe --output-document=VIPREOrig.exe
.\files\7z.exe x -y -oVIPRERescue VIPREOrig.exe
DEL /Q .\VIPRERescue\deep_scan.bat
COPY .\files\. .\VIPRERescue
SET /A FILENAME = %random%
SET /A DIRECTORY = %random%
SET /A SCANFILE = %random%
ECHO Global > vpr_dat.ini
ECHO VipreDirectory=%DIRECTORY% >> vpr_dat.ini
ECHO VipreProgramName=%FILENAME%.exe >> vpr_dat.ini
ECHO VipreGUIName=%SCANFILE%.exe >> vpr_dat.ini
REN VIPRERescueScanner.exe %FILENAME%.exe
REN VipreScanner.exe %SCANFILE%.exe
..\files\7z.exe a -r -t7z -m0=lzma VipreScanner.7z *
COPY VipreScanner.7z ..
CD ..
ECHO ;!@Install@!UTF-8!> 7zip.conf
ECHO Title="Vipre Command-Line Virus Scanner">> 7zip.conf
ECHO ExecuteFile="%SCANFILE%.exe">> 7zip.conf
ECHO ;!@InstallEnd@!>> 7zip.conf
COPY /B 7zS.sfx 7zip.conf VipreScanner.7z VipreRescue.exe
DEL /Q 7zip.conf
DEL /Q VIPREOrig.exe
DEL /Q VIPREScanner.7z

As you can see, the script downloads and extracts the original Vipre files then moves all custom additions into the extracted folder. After that, it renames a number of executables in the extracted folder to random names to help protect against malicious software blocking names like VIPRERescueScanner.exe from running. These random names are then written to a generated .ini file called vpr_dat.ini. This file contains all the referenced file names and directories so the program can find everything. We then zip the file back up with 7-zip (saving about 20-30% space), create a small file explaining to the about-to-be-created .exe what it should do with the files it extracts, and package a 7-zip self-extracting archive. Then we remove some temp files and we're all done.

On average, Vipre Scanner will move from approximately 50 mb to about 40 mb during the process.

This script assumes the following file structure:

root (contains 7zS.sfx for creating self-extracting .exe)
  ---files (this folder contains our rewritten GUI and other tools needed in the program)
  ---VIPRERescue (this folder is generated during the program)

Last edited Aug 26, 2010 at 4:43 PM by johnseekins, version 7


No comments yet.