Virus Scan A Windows Machine

How often do we all hear the phrase, “Could you take a look at it for me?” Whether you are checking out a machine for a friend or colleague or looking after one of your own machines, it's handy to have the ability to virus check a Windows setup from the safety of a Linux boot CD or USB stick. This short guide shows you how to scan for infected files by booting into SystemRescueCD and running ClamAV, a virus checker.

We recently covered SystemRescueCD, a bootable disc that constitutes a Swiss army knife of Linux-based tools for system recovery. ClamAV is one of the useful tools that it includes in a preconfigured, ready-to-run state. It is possible to boot from SystemRescueCD, mount a Windows partition and then scan it for virus-infected files. As you don't have to boot the infected system, this approach offers some advantages over running a Windows-based tool.

Boot into the SystemRescueCD desktop in the normal way by accepting the default options and then typing “wizard” when prompted. Once you're at the desktop, open a command line terminal.

The first thing to do is to start the ClamAV daemon by typing


After a few moments, control of the command line should return to the user. The next thing we need to do is to update the ClamAV virus database. Use this command:


The next stage is to mount the NTFS partition that contains the suspect files. Before we can do that though, we have to figure out how Linux has named the Windows partition. Do this by running GParted via the application launcher. GParted will display all of the partitions on all of the disks fitted to the system. Make a note of the device name of the partition that you're interested in.

Once you know the name of the partition, mount it so that we can access it. Do this by typing:

ntfs-3g /dev/sda1 /mnt/windows

adjusting the “sda1” part for the actual name of the partition that you're interested in.

Change the current directory to the root of the Windows partition:

cd /mnt/windows

Invoke the virus checker itself and select recursive operation:

clamscan -r

The virus checker will now run and tell you if it finds an infected file. By and large, the simplest procedure is to move any such file to an unused directory. Note that, in cases where you have an idea of where the problem might be, you can add a directory name to the clamscan command.
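The procedure above as one script, added here as an example (not the author's or the SystemRescueCD project's code): it mounts the partition read-only, keeps a log of the scan, and extracts the hits from that log. The default paths, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Paths and function names are assumptions.

# Mount read-only, refresh signatures, scan recursively and keep a log.
scan_partition() {
    device=$1 mountpoint=$2 log=$3
    mkdir -p "$mountpoint"
    ntfs-3g -o ro "$device" "$mountpoint" || return 2
    freshclam || echo "warning: signature update failed" >&2
    # -r recurse, -i report only infected files, --log writes a reviewable record
    clamscan -r -i --log="$log" "$mountpoint"
    rc=$?   # clamscan exit status: 0 clean, 1 infected file(s) found, 2 error
    umount "$mountpoint"
    return "$rc"
}

# Print "signature<TAB>path" for each "<path>: <signature> FOUND" log line.
infected_from_log() {
    grep ' FOUND$' "$1" | while IFS= read -r line; do
        line=${line% FOUND}
        # Split on the last ": " so a path that contains ": " stays intact.
        printf '%s\t%s\n' "${line##*: }" "${line%: *}"
    done
}

if [ -n "${1:-}" ]; then
    # Real run, e.g.: sh scan.sh /dev/sda1 /mnt/windows /root/clamscan.log
    log=${3:-/root/clamscan.log}
    status=0
    scan_partition "$1" "${2:-/mnt/windows}" "$log" || status=$?
    echo "clamscan exit status: $status"
    infected_from_log "$log"
else
    # No device given: parse a constructed sample log instead.
    sample=$(mktemp)
    printf '%s\n' \
        '/mnt/windows/Users/a/inbox.eml: Email.Trojan.GZC FOUND' \
        '/mnt/windows/Temp/a: b.exe: Eicar-Test-Signature FOUND' \
        'Infected files: 2' > "$sample"
    infected_from_log "$sample"
    rm -f "$sample"
fi
```

Keep the log outside the mounted partition, since the mount is read-only. Moving flagged files to an unused directory afterwards requires remounting the partition read-write.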

Remember, if you are sorting out a friend's box, play up the advantages of a Linux system to them. The actual scan takes quite a while, and the person you're helping won't be able to tell you to get lost until you've got it working again for them.

SystemRescueCD website

ClamAV website


UK based freelance writer Michael Reed writes about technology, retro computing, geek culture and gender politics.



Why need for virusscanners

Sebas's picture

Why need for virusscanners and spyware cleaners when only thing u need is (not my program though)

Very easy for the noobs with no brains. Or the lazy admins who don't want any unwanted shit on their computer farms :)

What about the registry?

Anonymous's picture

Unless any of these tools can attach to, and scan the Windows registry, only half of the problem is being fixed. I think Linux is great, but you can also do these types of virus scans using WinPE, which is now free. Although not free, Winternals will allow you to attach to a Windows installation and scan the registry, but they were bought out by Microsoft. Now, to get the same functionality, you have to buy Microsoft DaRT :< Anyone know of a solution that will allow you to do the same for free? Linux based or otherwise?

linux registry tools (for a windows registry)

Anonymous's picture

I think the "caine" distro has a few registry tools, not scanners specifically, but they can load/dump the registry and manipulate it.
A quick apt-cache search here came up with
reglookup , and registry-tools

better tip

Anonymous's picture

it is better to use something more efficient and also free by the way.
dr. web has a wonderful linux live cd which is generated everyday from current bases.

i like clamAV, but dr. web does its work better.

the live cd is small lxde based distribution with virus scanner and midnight commander.

Additional CLI option

fla.spots's picture


clamscan -i -r

The -i setting will only display infected files.

Without it, you'll get a list of every file on the target, and there's no logfile created for review.

This is why Linux is the BEST!

bobwdn's picture

Many people have approached me with "my computer does this" and when they bring it to me, the first thing I do is insert a livecd. A livecd will let me know if they have a hardware issue or a software related issue. Most times, it's software related and then I virus scan and clean their computer and in a few hours (after far too many re-starts) they have a clean functional computer again. System Rescue CD is my choice for cleaning and testing. All I need is a lan wire that includes internet access and I am good to fix most anything.


Anonymous's picture

Guys... ClamAV has been already ported to Windows. No need to bootup from CD unless your pc is really messed up.

Question: Is there a maximum size of HD one can scan?

jockeyshortz's picture

I tried to scan a 2TB USB(NTFS) hard drive using a livecd. The L*nux O/S
could not mount the Hard Drive. Is there a maximum size of USB Hard Drive NTFS formatted that Linux O/S running in RAM can mount?

thank you

Great, but...

Matthew Stinar's picture

I love what ClamAV is doing, but the project isn't really quite there yet. The scanning engine is dog slow compared to its proprietary competitors. That's not to say I don't use it, but I still find myself dependent on non-free software to get the job done right.

So easy... just get Trinity Rescue Kit ...

nomasteryoda's picture

If you have a network connection available, pop in a TRK 3.4 or higher and follow the simple (aka Windows user) menus to scan with not 1, but 4 different AntiVirus programs. When the scans are done the programs will write a log file to the disk you've just scanned.

This thing is totally amazing and of course comes with the guru option of switching to a command line to do other "magic" to a system like recover files from a USB stick, hard drive or even a CD using the most awesome tool testdisk.

I've been using System Rescue CD for years, and have tried Trinity as it has progressed, but the latest version of Trinity is truly awesome!!!

Yes. I know this sounds like an advert, but give it a try.



Good for VMs also

bjr's picture

This is a good idea for VMs also. Just attach your Windows virtual disk to a Linux VM, boot the VM and run Clamav on the Windows disk. I just tried this with both a CentOS 5.5 VM and a Fedora 13 VM. I attached my XP virtual disks to the VMs, installed clamav and clamav-update, and then added a mount point for Windows, added an /etc/fstab entry, mounted the windows disk and scanned it.

yum -y install clamav
yum -y install clamav-update

KAV Rescue

Ronald Gibson's picture

KAV Rescue boots, downloads the virus definitions and scans without doing commands. Great for when you can't boot up in Windows.


Doug.Roberts's picture

Good article, Michael. I'd been meaning to try out ClamAV for a while; your article gave me the nudge to finally do so. I'm running it now on about 5.3 GB of archived work directories and it has already found one Trojan in an email file: Email.Trojan.GZC FOUND

BTW, I'm sure everybody has their favorite bootable rescue environment. Mine is Ubuntu Network Edition 10.04 on a usb stick. I've installed ClamAV on mine now.



Anonymous's picture

Great article. Thank you.

P.S. Your url for 'SystemRescueCD Website' is not going to the right page, try instead of


Michael Reed's picture

Thanks. Now corrected.


don't forget f-prot

Prussian7's picture

I have done this with f-prot anti virus too.