[K12OSN] Scanning WinXP for Malware from Linux

David L. Willson DLWillson at TheGeek.NU
Thu Oct 23 13:47:50 UTC 2008


I find it best to keep an arsenal of anti-malware tools on my laptop.  I remove the infected hard drive from the Windows system and attach it to my Linux system with a USB2 adapter like this one:

http://www.microcenter.com/single_product_results.phtml?product_id=0263627

or this one:

http://www.microcenter.com/single_product_results.phtml?product_id=0287567

Once it's attached, I update my copy of Avira Antivir and scan the drive with the highest suspiciousness settings.  These are my command-lines for that:

sudo antivir --update

avscan /media/sdd1 <- or wherever it mounted

avscan is a little script I wrote so I could forget the switches I always use.  It looks like this:

#!/bin/sh
# avscan: wrapper around antivir with the switches I always use.
# Usage: avscan MOUNTPOINT   (e.g. avscan /media/sdd1)
[ $# -eq 1 ] || { echo "usage: $0 MOUNTPOINT" >&2; exit 1; }
myDate=$(date +%F-%s)
myLog=/data/AntiVirLOG-$myDate
myQuarantine=/data/AntiVirINFECTED-$myDate
echo "antivir -s --scan-in-archive -rf$myLog --moveto=$myQuarantine --heur-macro --heur-level=3 --with-alltypes --allfiles $1"
# Paths are passed as quoted arguments (no eval) so a mount point with spaces still works.
touch "$myLog" && mkdir "$myQuarantine" && \
  antivir -s --scan-in-archive "-rf$myLog" "--moveto=$myQuarantine" --heur-macro --heur-level=3 --with-alltypes --allfiles "$1"

Usually, I will get some bleeps that don't quarantine.  I upload those files one by one to www.virustotal.com.  VT scans the uploaded file with some 25 anti-virus engines, and returns a pretty report of the results.  If I think they're wrong about a particular file, I take a snapshot of my Windows XP VMware virtual machine and run that file to see what it does.  If it turns out to be bad stuff, I revert my VM, and go kill off the infection manually, but that's a whole 'nother chapter, and this is pretty long a'ready, eh.

I've got quite the collection of Windows virii going here.  Want some?

--David
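A hardened rewrite of the avscan wrapper above, as an added example (not David's script or anything from the K12OSN list). It keeps his antivir switches but drops eval, passes every path as a quoted argument, refuses a target that is not a directory, and checks /proc/mounts: when the suspect NTFS volume is mounted read-only it runs report-only, because --moveto cannot remove the originals from a read-only filesystem. The AVSCAN_BASE and AVSCAN_DRY_RUN variables, the read-only check and the dry-run mode are this example's own assumptions, and the sample /proc/mounts line in the comments is constructed.

```shell
#!/bin/sh
# avscan.sh: hardened rewrite of the avscan wrapper posted above (added example,
# not the poster's script). The antivir switches are his; everything else is assumed.
# Usage: avscan.sh MOUNTPOINT     e.g.  avscan.sh /media/sdd1
set -eu

: "${AVSCAN_BASE:=/data}"      # where logs and quarantine dirs go (assumed name)
: "${AVSCAN_DRY_RUN:=0}"       # 1 = print the command instead of running it (assumed name)

# stamp: YYYY-MM-DD-epoch, used to name the log and the quarantine directory.
stamp() { date +%F-%s; }

# mount_opts MOUNTPOINT [MOUNTS_FILE]
# Prints the mount options recorded for MOUNTPOINT in MOUNTS_FILE (default
# /proc/mounts, whose lines look like the constructed sample
# "/dev/sdd1 /media/sdd1 fuseblk ro,nosuid 0 0"); prints nothing if it is not a mount point.
mount_opts() {
  mounts=${2:-/proc/mounts}
  [ -r "$mounts" ] || return 0
  awk -v m="$1" '$2 == m { print $4 }' "$mounts"
}

# mount_is_ro MOUNTPOINT [MOUNTS_FILE]: succeeds only if the volume is mounted read-only.
mount_is_ro() {
  opts=$(mount_opts "$@")
  [ -n "$opts" ] || return 1
  case ",$opts," in
    *,ro,*) return 0 ;;
    *)      return 1 ;;
  esac
}

# scan_cmd RUNNER TARGET LOG QUARANTINE RO
# Runs RUNNER with the antivir switches, each path as one quoted argument (no eval).
# RUNNER is "antivir" for a real scan or show_cmd for a dry run. RO=1 drops
# --moveto: antivir cannot remove originals from a read-only volume, so that run
# only reports. The -rf switch takes the log path with no space, as in the original.
scan_cmd() {
  runner=$1 target=$2 log=$3 quarantine=$4 ro=$5
  if [ "$ro" = 1 ]; then set --; else set -- "--moveto=$quarantine"; fi
  "$runner" -s --scan-in-archive "-rf$log" "$@" \
    --heur-macro --heur-level=3 --with-alltypes --allfiles "$target"
}

# show_cmd: dry-run RUNNER that prints its arguments on one line.
show_cmd() { printf '%s\n' "$*"; }

# scan_volume MOUNTPOINT: create the log and quarantine dir, then scan.
# Falls back to a dry run when antivir is not installed or AVSCAN_DRY_RUN=1.
scan_volume() {
  target=$1
  [ -d "$target" ] || { echo "not a directory: $target" >&2; return 2; }
  ts=$(stamp)
  log="$AVSCAN_BASE/AntiVirLOG-$ts"
  quarantine="$AVSCAN_BASE/AntiVirINFECTED-$ts"
  ro=0
  if mount_is_ro "$target"; then
    ro=1
    echo "note: $target is mounted read-only, reporting only (no --moveto)" >&2
  fi
  if [ "$AVSCAN_DRY_RUN" = 1 ] || ! command -v antivir >/dev/null 2>&1; then
    printf 'would run: antivir %s\n' "$(scan_cmd show_cmd "$target" "$log" "$quarantine" "$ro")"
    return 0
  fi
  mkdir -p "$AVSCAN_BASE" && touch "$log"
  [ "$ro" = 1 ] || mkdir -p "$quarantine"
  scan_cmd antivir "$target" "$log" "$quarantine" "$ro"
}

# With no argument only the functions are defined (so the file can be sourced).
case $# in
  0) ;;
  1) scan_volume "$1" ;;
  *) echo "usage: $0 MOUNTPOINT" >&2; exit 64 ;;
esac
```

Mount the suspect volume read-only first (mount -o ro) when the goal is to find out what is on it without altering it; the script then reports only, and a second run after a read-write remount does the quarantine.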

----- Original Message -----
From: "Nils Breunese" <nils at breun.nl>
To: "Support list for open source software in schools." <k12osn at redhat.com>
Sent: Thursday, October 23, 2008 7:09:54 AM GMT -07:00 US/Canada Mountain
Subject: Re: [K12OSN] Scanning WinXP for Malware from Linux

Henry Hartley wrote:

> This isn't strictly speaking on topic for this list but this is the sort
> of thing one or more of you might know. Is there anything available that
> will allow me to scan a WinXP hard drive for malware under linux? That is
> to say, boot to linux (e.g. on USB drive), mount the NTFS drive, and scan.
> I have a WinXP machine that I suspect is infected. The registry became
> corrupted and I was able to roll back to a prior, good registry so I can
> boot but the system is neither stable nor usable. This seems like a good
> approach if the software exists.

This seems to have some info on using Knoppix to do this:
http://njlinux.blogspot.com/2008/01/virus-scan-windows-using-linux-live-cd.html
I don't have any experience with this, I just googled it.

Nils Breunese.

_______________________________________________
K12OSN mailing list
K12OSN at redhat.com
https://www.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>
