Virus Scan A Windows Machine
How often do we all hear the phrase, “Could you take a look at it for me?” Whether you are checking out a machine for a friend or colleague or looking after one of your own machines, it's handy to have the ability to virus check a Windows setup from the safety of a Linux boot CD or USB stick. This short guide shows you how to scan for infected files by booting into SystemRescueCD and running ClamAV, a virus checker.
We recently covered SystemRescueCD, a bootable disc that constitutes a Swiss army knife of Linux based tools for system recovery. ClamAV is one of the useful tools that it includes in a preconfigured, ready to run state. It is possible to boot from SystemRescueCD, mount a Windows partition and then scan it for virus infected files. As you don't have to boot the infected system, this approach offers some advantages over that of running a Windows-based tool.
Boot into the SystemRescueCD desktop in the normal way by accepting the default options and then typing “wizard” when prompted. Once you're at the desktop, open a command line terminal.
The first thing to do is to start the ClamAV daemon by typing
clamd
After a few moments, control of the command line should return to the user. The next thing we need to do is to update the ClamAV virus database. Use this command:
freshclam
The next stage is to mount the NTFS partition that contains the suspect files. Before we can do that though, we have to figure out how Linux has named the Windows partition. Do this by running GParted via the application launcher. GParted will display all of the partitions on all of the disks fitted to the system. Make a note of the device name of the partition that you're interested in.
Once you know the name of the partition, mount it so that we can access it. Do this by typing:
ntfs-3g /dev/sda1 /mnt/windows
adjusting the “sda1” part for the actual name of the partition that you're interested in.
Change the current directory to the root of the windows partition:
cd /mnt/windows
Invoke the virus checker itself and select recursive operation:
clamscan -r
The virus checker will now run and tell you if it finds an infected file. By and large, the simplest procedure is to move any such file to an unused directory. Note that, in cases where you have an idea of where the problem might be, you can add a directory name to the clamscan command.
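The steps above, gathered into one script as an added example (not the article's own code). It assumes ntfs-3g and clamscan are available, as they are on SystemRescueCD, and that WINDOWS_DEV is the partition name noted in GParted; the mount is read-only so the scan cannot alter the suspect disk, hits are copied out with clamscan's --copy rather than moved, and a log is kept for review.

```shell
#!/bin/sh
# Added example: offline ClamAV scan of a Windows partition from SystemRescueCD.
# Assumes ntfs-3g and clamscan exist and WINDOWS_DEV names the NTFS partition.
# clamscan reads the signature database itself, so clamd is not started here.
set -u

MOUNT_POINT="${MOUNT_POINT:-/mnt/windows}"
LOG_FILE="${LOG_FILE:-/root/clamscan.log}"
QUARANTINE="${QUARANTINE:-/root/quarantine}"

# Print the path from every clamscan result line of the form "<path>: <sig> FOUND".
# Reads the log on stdin; "OK" lines and the scan summary are ignored.
infected_paths() {
    sed -n 's/^\(.*\): [^:]* FOUND$/\1/p'
}

# Count FOUND lines in a clamscan log passed as a single string argument.
count_infected() {
    printf '%s\n' "$1" | awk '/: [^:]* FOUND$/ { n++ } END { print n + 0 }'
}

# Full procedure: mount read-only, refresh signatures, scan recursively listing
# only infected files (-i), write a log (-l), copy hits to QUARANTINE (--copy).
scan_windows_partition() {
    dev="$1"
    mkdir -p "$MOUNT_POINT" "$QUARANTINE"
    ntfs-3g -o ro "$dev" "$MOUNT_POINT" || return 1
    freshclam || echo "warning: signature update failed, using current database" >&2
    clamscan -i -r -l "$LOG_FILE" --copy="$QUARANTINE" "$MOUNT_POINT"
    rc=$?   # clamscan exit codes: 0 clean, 1 infected files found, 2 error
    umount "$MOUNT_POINT"
    echo "$(count_infected "$(cat "$LOG_FILE")") infected file(s); log in $LOG_FILE"
    return "$rc"
}

# Constructed sample of clamscan output (signature names are illustrative only).
SAMPLE_LOG='/mnt/windows/Users/alice/Downloads/setup.exe: Win.Trojan.Agent-12345 FOUND
/mnt/windows/Windows/notepad.exe: OK
/mnt/windows/Users/alice/mail.pst: Email.Trojan.GZC FOUND

----------- SCAN SUMMARY -----------
Infected files: 2'

# Only run the real scan when a partition is named, e.g. WINDOWS_DEV=/dev/sda1 sh scan.sh
if [ -n "${WINDOWS_DEV:-}" ]; then
    scan_windows_partition "$WINDOWS_DEV"
fi
```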
Remember, if you are sorting out a friend's box, play up the advantages of a Linux system to them. The actual scan takes quite a while, and the person you're helping won't be able to tell you to get lost until you've got it working again for them.
ClamAV website
UK based freelance writer Michael Reed writes about technology, retro computing, geek culture and gender politics.
Comments
Why need for virusscanners
Why the need for virus scanners and spyware cleaners when the only thing you need is http://www.sandboxie.com/ (not my program though)
Very easy for the noobs with no brains. Or the lazy admins who don't want any unwanted shit on their computer farms :)
What about the registry?
Unless any of these tools can attach to, and scan, the Windows registry, only half of the problem is being fixed. I think Linux is great, but you can also do these types of virus scans using WinPE, which is now free. Although not free, Winternals will allow you to attach to a Windows installation and scan the registry, but they were bought out by Microsoft. Now, to get the same functionality, you have to buy Microsoft DaRT :< Anyone know of a solution that will allow you to do the same for free? Linux based or otherwise?
Linux registry tools (for a Windows registry)
I think the "caine" distro has a few registry tools, not scanners specifically, but they can load/dump the registry and manipulate it.
A quick apt-cache search here came up with
reglookup and registry-tools
Better tip
It is better to use something more efficient and also free, by the way.
Dr. Web has a wonderful Linux live CD which is generated every day from the current signature bases.
I like ClamAV, but Dr. Web does its work better.
http://www.freedrweb.com/livecd/?lng=en
http://www.freedrweb.com/cureit/
The live CD is a small LXDE-based distribution with a virus scanner and Midnight Commander.
Additional CLI option
Use:
clamscan -i -r
The -i setting will only display infected files.
Without it, you'll get a list of every file on the target, and there's no logfile created for review.
This is why Linux is the BEST!
Many people have approached me with "my computer does this" and when they bring it to me, the first thing I do is insert a livecd. A livecd will let me know if they have a hardware issue or a software related issue. Most times, it's software related and then I virus scan and clean their computer and in a few hours (after far too many re-starts) they have a clean functional computer again. System Rescue CD is my choice for cleaning and testing. All I need is a lan wire that includes internet access and I am good to fix most anything.
ClamAV
Guys... ClamAV has already been ported to Windows. No need to boot up from CD unless your PC is really messed up.
Question: Is there a maximum size of HD one can scan?
I tried to scan a 2TB USB (NTFS) hard drive using a live CD. The L*nux O/S could not mount the hard drive. Is there a maximum size of NTFS-formatted USB hard drive that a Linux O/S running in RAM can mount?
thank you
jockeyshortz
Great, but...
I love what ClamAV is doing, but the project isn't really quite there yet. The scanning engine is dog slow compared to its proprietary competitors. That's not to say I don't use it, but I still find myself dependent on non-free software to get the job done right.
So easy... just get Trinity Rescue Kit ...
If you have a network connection available, pop in a TRK 3.4 or higher and follow the simple (aka Windows user) menus to scan with not 1, but 4 different antivirus programs. When the scans are done, the programs will write a log file to the disk you've just scanned.
This thing is totally amazing and of course comes with the guru option of switching to a command line to do other "magic" to a system like recover files from a USB stick, hard drive or even a CD using the most awesome tool testdisk.
I've been using System Rescue CD for years, and have tried Trinity as it has progressed, but the latest version of Trinity is truly awesome!!!
Yes. I know this sounds like an advert, but give it a try.
http://trinityhome.org
Cheers!
nomasteryoda
Good for VMs also
This is a good idea for VMs also. Just attach your Windows virtual disk to a Linux VM, boot the VM and run ClamAV on the Windows disk. I just tried this with both a CentOS 5.5 VM and a Fedora 13 VM. I attached my XP virtual disks to the VMs, installed clamav and clamav-update, and then added a mount point for Windows, added an /etc/fstab entry, mounted the Windows disk and scanned it.
yum -y install clamav
yum -y install clamav-update
KAV Rescue
http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/
KAV Rescue boots, downloads the virus definitions and scans without you having to type any commands. Great for when you can't boot up in Windows.
Nice
Good article, Michael. I'd been meaning to try out ClamAV for a while; your article gave me the nudge to finally do so. I'm running it now on about 5.3 GB of archived work directories and it has already found one Trojan in an email file: Email.Trojan.GZC FOUND
BTW, I'm sure everybody has their favorite bootable rescue environment. Mine is Ubuntu Network Edition 10.04 on a USB stick. I've installed ClamAV on mine now.
--Doug
Awesome
Great article. Thank you.
P.S. Your url for 'SystemRescueCD Website' is not going to the right page, try http://www.sysresccd.org/Main_Page instead of http://www.sysresccd.org/Main_PageSystemRescueCD.
corrected
Thanks. Now corrected.
Don't forget F-Prot
I have done this with F-Prot antivirus too.