Virus Scan A Windows Machine

How often do we all hear the phrase, “Could you take a look at it for me?” Whether you are checking out a machine for a friend or colleague or looking after one of your own machines, it's handy to have the ability to virus check a Windows setup from the safety of a Linux boot CD or USB stick. This short guide shows you how to scan for infected files by booting into SystemRescueCD and running ClamAV, a virus checker.

We recently covered SystemRescueCD, a bootable disc that constitutes a Swiss army knife of Linux based tools for system recovery. ClamAV is one of the useful tools that it includes in a preconfigured, ready to run state. It is possible to boot from SystemRescueCD, mount a Windows partition and then scan it for virus infected files. As you don't have to boot the infected system, this approach offers some advantages over that of running a Windows-based tool.

Boot into the SystemRescueCD desktop in the normal way by accepting the default options and then typing “wizard” when prompted. Once you're at the desktop, open a command line terminal.

The first thing to do is to start the ClamAV daemon by typing:

clamd

After a few moments, control of the command line should return to the user. The next thing we need to do is to update the ClamAV virus database. Use this command:

freshclam

The next stage is to mount the NTFS partition that contains the suspect files. Before we can do that though, we have to figure out how Linux has named the Windows partition. Do this by running GParted via the application launcher. GParted will display all of the partitions on all of the disks fitted to the system. Make a note of the device name of the partition that you're interested in.

Once you know the name of the partition, mount it so that we can access it. Do this by typing:

ntfs-3g /dev/sda1 /mnt/windows

adjusting the “sda1” part for the actual name of the partition that you're interested in.

Change the current directory to the root of the Windows partition:

cd /mnt/windows

Invoke the virus checker itself and select recursive operation:

clamscan -r

The virus checker will now run and tell you if it finds an infected file. By and large, the simplest procedure is to move any such file to an unused directory. Note that, in cases where you have an idea of where the problem might be, you can add a directory name to the clamscan command.
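The steps above, collected into one script as an added example (not code from the article or from the SystemRescueCD project): it assumes a root shell on SystemRescueCD with clamd, freshclam, ntfs-3g and clamscan on the PATH, takes the device name as its argument, and uses placeholder paths for the mount point, quarantine directory and log file.

```shell
#!/bin/sh
# Added example, not from the article: automate the SystemRescueCD/ClamAV procedure.
# Assumptions: run as root from the SystemRescueCD shell with clamd, freshclam, ntfs-3g
# and clamscan on PATH; the device comes in as $1 (the article uses /dev/sda1).
# MNT, QUAR and LOG are placeholder paths.
MNT=/mnt/windows
QUAR=/mnt/windows/_quarantine   # the "unused directory" the article suggests moving hits into
LOG=/root/clamscan.log

# clamscan prints one line per hit in the form "<path>: <signature> FOUND".
# Print the path for such a line; return non-zero for anything else (OK lines, summary).
infected_path() {
    case "$1" in
        *" FOUND") printf '%s\n' "${1%: * FOUND}" ;;
        *)         return 1 ;;
    esac
}

# Read clamscan output on stdin and print only the infected paths, one per line.
list_infected() {
    while IFS= read -r line; do
        infected_path "$line" || true
    done
}

# Move each flagged file (paths on stdin) into the quarantine directory, keeping its
# path relative to the mount point so it can be restored if it was a false positive.
quarantine_files() {
    mnt="$1"; quar="$2"
    while IFS= read -r f; do
        rel="${f#"$mnt"/}"
        mkdir -p "$quar/$(dirname "$rel")"
        mv -- "$f" "$quar/$rel"
    done
}

main() {
    dev="$1"
    clamd                              # step 1: start the daemon
    freshclam                          # step 2: refresh the signature database
    mkdir -p "$MNT" "$QUAR"
    ntfs-3g "$dev" "$MNT"              # step 3: mount the NTFS partition
    # -r recurse, -i list infected files only; tee keeps a log for later review and
    # --exclude-dir keeps the scanner out of the quarantine directory itself.
    clamscan -r -i --exclude-dir="^$QUAR" "$MNT" | tee "$LOG" \
        | list_infected | quarantine_files "$MNT" "$QUAR"
    echo "scan log saved to $LOG; quarantined files are under $QUAR"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh scan.sh /dev/sda1`, substituting the device name GParted showed for the Windows partition.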

Remember, if you are sorting out a friend's box, play up the advantages of a Linux system to them. The actual scan takes quite a while, and the person you're helping won't be able to tell you to get lost until you've got it working again for them.

SystemRescueCD website

ClamAV website

______________________

UK based freelance writer Michael Reed writes about technology, retro computing, geek culture and gender politics.

Comments


Why need for virusscanners

Posted by Sebas

Why need for virusscanners and spyware cleaners when only thing u need is http://www.sandboxie.com/ (not my program though)

Very easy for the noobs with no brains. Or the lazy admins who don't want any unwanted shit on their computer farms :)

What about the registry?

Posted by Anonymous

Unless any of these tools can attach to, and scan the Windows registry, only half of the problem is being fixed. I think Linux is great, but you can also do these types of virus scans using WinPE; which is now free. Although not free, Winternals will allow you to attach to a Windows installation and scan the registry, but they were bought out by Microsoft. Now, to get the same functionally, you have to buy Microsoft DaRT :< Anyone know of a solution that will allow you to do the same for free? Linux based or otherwise?

linux registry tools (for a windows registry)

Posted by Anonymous

I think the "caine" distro has a few registry tools, not scanners specifically, but they can load/dump the registry and manipulate it.
A quick apt-cache search here came up with reglookup and registry-tools.

better tip

Posted by Anonymous

It is better to use something more efficient and also free, by the way.
Dr. Web has a wonderful Linux live CD which is generated every day from current bases.

I like ClamAV, but Dr. Web does its work better.

http://www.freedrweb.com/livecd/?lng=en
http://www.freedrweb.com/cureit/

The live CD is a small LXDE-based distribution with a virus scanner and Midnight Commander.

Additional CLI option

Posted by fla.spots

Use:

clamscan -i -r

The -i setting will only display infected files.

Without it, you'll get a list of every file on the target, and there's no logfile created for review.

This is why Linux is the BEST!

Posted by bobwdn

Many people have approached me with "my computer does this" and when they bring it to me, the first thing I do is insert a livecd. A livecd will let me know if they have a hardware issue or a software related issue. Most times, it's software related and then I virus scan and clean their computer and in a few hours (after far too many re-starts) they have a clean functional computer again. System Rescue CD is my choice for cleaning and testing. All I need is a lan wire that includes internet access and I am good to fix most anything.

ClamAV

Posted by Anonymous

Guys... ClamAV has been already ported to Windows. No need to bootup from CD unless your pc is really messed up.

Question: Is there a maximum size of HD one can scan?

Posted by jockeyshortz

I tried to scan a 2TB USB (NTFS) hard drive using a livecd. The L*nux O/S could not mount the hard drive. Is there a maximum size of USB hard drive, NTFS formatted, that a Linux O/S running in RAM can mount?

thank you
jockeyshortz

Great, but...

Posted by Matthew Stinar

I love what ClamAV is doing, but the project isn't really quite there yet. The scanning engine is dog slow compared to its proprietary competitors. That's not to say I don't use it, but I still find myself dependent on non-free software to get the job done right.

So easy... just get Trinity Rescue Kit ...

Posted by nomasteryoda

If you have a network connection available, pop in a TRK 3.4 or higher and follow the simple (aka Windows user) menus to scan with not 1, but 4 different AntiVirus programs. When the scans are done the programs will write a log file to the disk you've just scanned.

This thing is totally amazing and of course comes with the guru option of switching to a command line to do other "magic" to a system like recover files from a USB stick, hard drive or even a CD using the most awesome tool testdisk.

I've been using System Rescue CD for years, and have tried Trinity as it has progressed, but the latest version of Trinity is truly awesome!!!

Yes. I know this sounds like an advert, but give it a try.
http://trinityhome.org

Cheers!

nomasteryoda

Good for VMs also

Posted by bjr

This is a good idea for VMs also. Just attach your Windows virtual disk to a Linux VM, boot the VM and run Clamav on the Windows disk. I just tried this with both a CentOS 5.5 VM and a Fedora 13 VM. I attached my XP virtual disks to the VMs, installed clamav and clamav-update, and then added a mount point for Windows, added an /etc/fstab entry, mounted the windows disk and scanned it.

yum -y install clamav
yum -y install clamav-update

KAV Rescue

Posted by Ronald Gibson

http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

KAV Rescue boots, downloads the virus definitions and scans without doing commands. Great for when you can't boot up in Windows.

Nice

Posted by Doug.Roberts

Good article, Michael. I'd been meaning to try out ClamAV for a while; your article gave me the nudge to finally do so. I'm running it now on about 5.3 GB of archived work directories and it has already found one Trojan in an email file: Email.Trojan.GZC FOUND

BTW, I'm sure everybody has their favorite bootable rescue environment. Mine is Ubuntu Network Edition 10.04 on a USB stick. I've installed ClamAV on mine now.

--Doug

Awesome

Posted by Anonymous

Great article. Thank you.

P.S. Your url for 'SystemRescueCD Website' is not going to the right page, try http://www.sysresccd.org/Main_Page instead of http://www.sysresccd.org/Main_PageSystemRescueCD.

corrected

Posted by Michael Reed

Thanks. Now corrected.


don't forget f-prot

Posted by Prussian7

I have done this with F-Prot Antivirus too.
