[K12OSN] Scanning WinXP for Malware from Linux
David L. Willson
DLWillson at TheGeek.NU
Thu Oct 23 13:47:50 UTC 2008
I find it best to keep an arsenal of anti-malware tools on my laptop. I remove the infected hard drive from the Windows system and attach it to my Linux system with a USB2 adapter like this one:
http://www.microcenter.com/single_product_results.phtml?product_id=0263627
or this one:
http://www.microcenter.com/single_product_results.phtml?product_id=0287567
Once it's attached, I update my copy of Avira Antivir and scan the drive with the highest suspiciousness settings. These are my command-lines for that:
sudo antivir --update
avscan /media/sdd1 <- or wherever it mounted
avscan is a little script I wrote so I could forget the switches I always use. It looks like this:
#!/bin/sh
# One log file and one quarantine directory per run, named by date and epoch seconds
myDate=$(date +%F-%s)
myLog=/data/AntiVirLOG-$myDate
myQuarantine=/data/AntiVirINFECTED-$myDate
# -s recurse into subdirectories, -rf<file> write the report to a file, --moveto quarantine
# every detection, --heur-level=3 is the most aggressive heuristic setting; $1 is the mount point
myCommand="antivir -s --scan-in-archive -rf$myLog --moveto=$myQuarantine --heur-macro --heur-level=3 --with-alltypes --allfiles $1"
echo "$myCommand"
touch "$myLog" && mkdir "$myQuarantine" && eval "$myCommand"
Usually, I will get some bleeps that don't quarantine. I upload those files one by one to www.virustotal.com. VT scans the uploaded file with some 25 anti-virus engines, and returns a pretty report of the results. If I think they're wrong about a particular file, I take a snapshot of my Windows XP VMware virtual machine and run that file to see what it does. If it turns out to be bad stuff, I revert my VM, and go kill off the infection manually, but that's a whole 'nother chapter, and this is pretty long a'ready, eh.
I've got quite the collection of Windows virii going here. Want some?
--David
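The workflow in David's message (attach the suspect disk, mount it, scan with a timestamped log and quarantine directory, then check the flagged files against VirusTotal) as an added example script; this is not David's avscan script and not Avira's own code. It assumes the Avira command-line scanner is installed as `antivir` with the switches quoted in the message, that the disk is an NTFS partition mounted with `ntfs-3g`, and that the script is run as root. The `sha256sum` manifest step is added so that each quarantined file can be looked up on VirusTotal by hash before anything is uploaded; the base directory and mount point are assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's avscan script.
set -eu

# Mount the suspect NTFS partition with noexec/nosuid/nodev so nothing on it can
# run on the scanning host. It stays writable because --moveto has to move
# detections off the disk; use -o ro instead if a report is all you want
# (then --moveto cannot move anything).
mount_suspect_disk() {
    dev=$1; mnt=$2                       # e.g. /dev/sdd1 /mnt/suspect
    mkdir -p "$mnt"
    mount -t ntfs-3g -o noexec,nosuid,nodev "$dev" "$mnt"
}

# Print "<log> <quarantine>" for BASE and an optional timestamp (default: now),
# following the AntiVirLOG-/AntiVirINFECTED- naming from the message.
scan_paths() {
    base=$1; stamp=${2:-$(date +%F-%s)}
    printf '%s/AntiVirLOG-%s %s/AntiVirINFECTED-%s\n' "$base" "$stamp" "$base" "$stamp"
}

# Run the scanner with the switches from the message. Assumes `antivir` is on PATH.
run_scan() {
    mnt=$1; log=$2; quarantine=$3
    touch "$log"
    mkdir -p "$quarantine"
    antivir -s --scan-in-archive "-rf$log" --moveto="$quarantine" \
        --heur-macro --heur-level=3 --with-alltypes --allfiles "$mnt"
}

# Write "<sha256> <size> <path>" for every file under DIR to OUT, sorted by
# path, and print the number of entries. The hashes are what you search for
# on VirusTotal before deciding whether a sample needs to be uploaded at all.
write_manifest() {
    dir=$1; out=$2
    : > "$out"
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$hash" "$size" "$f" >> "$out"
    done
    wc -l < "$out" | tr -d ' '
}

# Full run: update signatures, mount, scan, hash the quarantine, unmount.
main() {
    dev=$1; mnt=${2:-/mnt/suspect}; base=${3:-/data}   # assumed defaults
    antivir --update
    mount_suspect_disk "$dev" "$mnt"
    set -- $(scan_paths "$base")
    log=$1; quarantine=$2
    run_scan "$mnt" "$log" "$quarantine" || true   # non-zero exit just means detections
    n=$(write_manifest "$quarantine" "$quarantine.sha256")
    umount "$mnt"
    echo "$n quarantined file(s); hashes in $quarantine.sha256, report in $log"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Invoke it as `./scan-suspect.sh /dev/sdd1`. Looking the hashes up first avoids pushing files that are already known (good or bad) to a third party, and the manifest doubles as the record of what was taken off the machine and when.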
----- Original Message -----
From: "Nils Breunese" <nils at breun.nl>
To: "Support list for open source software in schools." <k12osn at redhat.com>
Sent: Thursday, October 23, 2008 7:09:54 AM GMT -07:00 US/Canada Mountain
Subject: Re: [K12OSN] Scanning WinXP for Malware from Linux
Henry Hartley wrote:
> This isn't strictly speaking on topic for this list but this is the sort
> of thing one or more of you might know. Is there anything available that
> will allow me to scan a WinXP hard drive for malware under linux? That is
> to say, boot to linux (e.g. on USB drive), mount the NTFS drive, and scan.
> I have a WinXP machine that I suspect is infected. The registry became
> corrupted and I was able to roll back to a prior, good registry so I can
> boot but the system is neither stable nor usable. This seems like a good
> approach if the software exists.
This seems to have some info on using Knoppix to do this:
http://njlinux.blogspot.com/2008/01/virus-scan-windows-using-linux-live-cd.html
I don't have any experience with this, I just googled it.
Nils Breunese.
_______________________________________________
K12OSN mailing list
K12OSN at redhat.com
https://www.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>