Friday, January 18, 2008

Virus scan Windows using a Linux live CD

[There's been quite a bit of interest in this post and I've expanded on it quite a bit. Please post any comments or questions to help me improve this guide. - Neil]

Keith and I have both run into situations where we want to recover a Windows computer by cleaning it up with a Linux Live (bootable) CD distro. This offers several advantages over cleaning up an infected or compromised computer by booting into Windows:
  • The infected Windows installation is never booted, so the malware, if it exists, never runs: it can't jump from the infected computer or partition we are trying to fix to the repair partition or boot medium, and it can't hide itself from the scanner.
  • If we boot from a CD, there's actually no way to alter the boot medium, since it's read-only.
Naturally, we started with Knoppix -- download it here. Installing and scanning with F-Prot is covered in this Knoppix.net discussion thread, Virus Scan from LiveCD, which describes how to install F-Prot from the command line using apt-get. Also, in Knoppix 5.1, you can boot from the Knoppix CD and install F-Prot with the Synaptic Package Manager:
  1. Run Synaptic Package Manager: K > KNOPPIX > Manage Software in KNOPPIX (kpackage)
  2. Click Search.
  3. Type f-prot in the Search: field and click [Search]
  4. Check f-prot-installer
  5. Click [Apply Changes]
  6. Open Details on the Applying Changes dialog box by clicking on the little triangle.
  7. The F-Prot installer prompts you in the Details box. Select Download and install and select [OK] (use the Tab key and Return to make selections).
I had trouble with both of these methods because some repositories were not available, particularly the one that provided f-prot! I went straight to the source, from F-Prot: Download F-PROT Antivirus for Linux Workstations. I downloaded the Perl-based installer, which also happens to have the largest version number (6.01, today), to my Knoppix Home directory. To install F-Prot:
  1. Right-click on the downloaded tgz file and select Extract Here. This should create a directory in your home directory called f-prot.
  2. cd f-prot/
  3. sudo ./install-f-prot.pl
  4. Just accept the default choices during the installation, unless you have a reason not to. The installer will download the latest definition files.
Then, mount the volumes you want to scan by opening the icons on the Knoppix desktop. Go back to your command prompt and type fpscan /media/hda1, replacing "/media/hda1" with the path to the drive you want to scan. Enter fpscan by itself at the command prompt to see a list of options. The f-prot directory also contains documentation (f-prot/doc/html if you want to use a browser).

Remember, everything disappears when you reboot, so if you don't want to have to download the F-Prot installer every time, copy the compressed (tgz) file to a USB drive. Then, when it's time to install it again, just boot from Knoppix, copy the tgz file to the Knoppix home directory, and follow the steps above. Note you still need a live Internet connection to get the latest definition files.

We explored using ClamAV, which is included in Knoppix 5.1 but is not up to date with the latest definitions. To update ClamAV (sudo freshclam) it turns out you need to update the libc6 libraries first, which is such a pain and so time-consuming that I ended up just using F-Prot, following the steps above (although Keith and I were able to scan a laptop with ClamAV after running through an incredibly complex update procedure). Thanks to Paul for the comment on the ClamAV issue, below. If you have any more comments or questions about this procedure, let me know.
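The procedure above scans one volume by hand. The script below is an added example (not code from the original post, and not from F-Prot) that generalizes it: it finds every NTFS/FAT volume Knoppix has mounted, remounts each one read-only with noexec/nosuid/nodev so nothing on the suspect disk can execute while it is read, runs fpscan on it, and keeps a per-volume log on a USB stick so the results survive the reboot. It assumes that fpscan is on the PATH after install-f-prot.pl has run, that a writable USB stick is mounted at /media/usb (override with LOG_DIR), and that the remount options are accepted by the ntfs-3g/vfat mounts Knoppix creates; the sample mount listing inside the script is constructed for the offline dry run, not real output.

```shell
#!/bin/sh
# Added example, not code from the original post or from F-Prot.
# Scans every NTFS/FAT volume that Knoppix has mounted with fpscan, after
# remounting each volume read-only with noexec/nosuid/nodev so nothing on
# the suspect disk can run while it is being read.
# Assumptions: fpscan is on PATH after install-f-prot.pl; a writable USB
# stick is mounted at /media/usb for the logs (override with LOG_DIR=...).
set -u

LOG_DIR="${LOG_DIR:-/media/usb/fprot-logs}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# Filter `mount` output (stdin) down to Windows-style filesystems and print
# "device mountpoint" for each. Field layout: "<dev> on <mp> type <fs> (opts)".
windows_mounts() {
    awk '$5 ~ /^(ntfs|ntfs-3g|fuseblk|vfat|msdos)$/ { print $1, $3 }'
}

# Remount one volume read-only and scan it, writing fpscan's output and its
# exit status to a per-volume log file.
scan_volume() {
    dev="$1"; mp="$2"
    log="$LOG_DIR/$(basename "$mp").log"
    if [ "$DRY_RUN" = 1 ]; then
        echo "mount -o remount,ro,noexec,nosuid,nodev $dev $mp"
        echo "fpscan $mp > $log"
        return 0
    fi
    mkdir -p "$LOG_DIR"
    sudo mount -o remount,ro,noexec,nosuid,nodev "$dev" "$mp" || return 1
    fpscan "$mp" > "$log" 2>&1
    status=$?
    echo "fpscan exit status: $status" >> "$log"
    echo "scanned $mp -> $log"
}

# Scan every volume listed on stdin (one `mount` line each).
scan_listed() {
    windows_mounts | while read -r dev mp; do
        scan_volume "$dev" "$mp"
    done
}

# Scan every Windows-style volume currently mounted.
scan_all() {
    mount | scan_listed
}

# Constructed sample of `mount` output for an offline dry run (not real output).
SAMPLE_MOUNTS='/dev/sda1 on /media/sda1 type ntfs (ro,noatime)
/dev/sda2 on /media/sda2 type vfat (ro,noatime)
/dev/cloop0 on /KNOPPIX type iso9660 (ro)'

# Usage: ./scan-windows-volumes.sh --demo   (dry run over the sample above)
#        ./scan-windows-volumes.sh          (does nothing; call scan_all from
#                                            an interactive shell after sourcing)
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1
    printf '%s\n' "$SAMPLE_MOUNTS" | scan_listed
fi
```

Run it with DRY_RUN=1 first to see exactly which devices it will touch; the Knoppix CD image (iso9660) and the RAM-backed root are filtered out by the awk pattern, so only the Windows partitions are remounted and scanned.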

20 comments:

Paul said...

good advice, except clamav requires a newer version of libc6 than is available on knoppix (usually). If freshclam doesn't work, you're pretty much done. On to f-prot then.

Neil Johnson said...

Paul,

After going through the process of updating libc6, just to get freshclam to work, I've decided it's much easier just to go with F-Prot. I've updated the original post to describe a reliable way to run the latest F-Prot from a Knoppix 5.1 boot CD.

Thanks!

Anonymous said...

Instead of using ./install-f-prot.pl, new linux users should be instructed to use:

sudo ./install-f-prot.pl

Anonymous said...

Just wondering how you're able to install fprot when using/booting from knoppix live. When you boot from the cd, you have no space for storage if you're working on a windows pc (it's NTFS).

Neil Johnson said...

Good catch: I've updated the body of this post to use sudo ./install-f-prot.pl. Thanks!

Neil

Neil Johnson said...

Earlier, Anonymous asked how are we able to "install fprot when using/booting from knoppix live" since the Knoppix CD is obviously read only, and all of the file systems are mounted by default in read only mode as well. The answer is this: the updates and changes to the Knoppix installation are made in RAM, and do not persist after you reboot.

In the original post, I suggest using a USB "thumb" drive to keep the F-prot installation files handy, so you don't have to download the installer again, but you still need to check for the latest definitions once f-prot is installed.

If you want to update your actual Knoppix CD with the latest f-prot & virus definitions, so the updated code persists after you reboot, you will have to remaster your Knoppix CD, which is, as they say, non-trivial. Perhaps a topic for another post...

Also, unless you are checking many, many computers at the same time, the chances are that you will need to update the latest definitions the next time you use the Knoppix CD to do a virus scan, and if that's the case, you might as well use the latest f-prot code as well. Again, follow the steps in the main post to update the latest version of f-prot and the accompanying definitions -- but the update only lasts until you shut down.

Wellu Mäkinen said...

No need to do any kind of installing here. Just extract the tar.gz somewhere (e.g. /tmp/ will do) and you get an f-prot subdirectory. From there do sudo cp f-prot.conf.default /etc/f-prot.conf and then ./fpupdate as a normal user. This will get the latest virus definitions. After that you can run ./fpscan from the temporary directory. After updating one can remove /etc/f-prot.conf. Ok, there's no harm in installing if using a live cd but I'll use this trick on my normal desktop too just to make sure nothing is left behind after I'm done with scanning. IMHO these installation scripts suck and running those as root sucks even more!

Anonymous said...

Maybe I'm doing something wrong, but I couldn't seem to find the f-prot package on Knoppix's DVD (or should I be using the CD instead?) I tried 5.3 and 5.1, and neither of them had the f-prot package when I did a search. I tried to download it over the Internet, but for some reason I wasn't able to install it. I'm not as fluent in Linux as Microspeak, so maybe I just need a couple more tries...

Neil Johnson said...

Please note that, as I mentioned in the original post above, you need to download F-prot from their web site: http://www.f-prot.com/download/home_user/download_fplinux.html. Also, see Wellu's comment above for suggestions on how to install F-prot to a temporary directory.

Robert Carnegie said...

I notice that Knoppix 5.3.1 (apparently DVD only, not CD?) changelog includes "Updated ntfs-3g with 'visible alternate data streams' extension (to discover files in other files, mount option streams_interface=visible)". I seem to recall that alternate data streams (a file with more than one stream of bytes in it, I forget what for originally, not the same as journalling, hasn't caught on) has been proposed, perhaps used, as a method to hide a virus. It's a bit like Macintosh files since the old days with data fork, resource fork (icons and such? - not part of the file data body). So I guess I'm wondering whether F-prot for Linux will detect viruses in these circumstances. (Probably not if you use Knoppix pre 5.3 and it can't even see that part of files - or can it?) Indeed we're assuming that it will detect Windows viruses as well as Linux ones...? And also assuming that using the free F-prot Linux download on a PC that runs Windows the other 364 days of the year is actually within licence terms - it can't be what they had it in mind for you to do. You may as well buy it for Windows anyway: by most accounts it's good stuff and it covers several home PCs. But the catch is to virus scan a modern Windows PC so that a clever virus can't get into the operating system first and pretend to the scanner that it isn't there, and I presume that's why we want to boot from a read-only disc.

One other thing to check on is, if you're mostly a Windows person and you run Knoppix or Linux without networking for this exercise (there is wireless in there), can you do all the downloading on a separate Windows PC including current F-prot virus information? Is the download of F-prot itself initially up to date, or do you need to get new virus data to do a proper check? The instructions describe getting virus definitions using the Linux tool. I think F-prot -used- to update their download packages once a week or maybe better, so that you always got a fairly fresh copy.

I'm pursuing this because I've just bought a Vista laptop second-hand and I don't know where it's been.

I know of one deliberately specified non-virus string which has been agreed to test virus scanners safely - here: http://www.eicar.org/anti_virus_test_file.htm But it won't tell you "This virus scanner detects Windows viruses" or Linux viruses or whatever. You probably don't -want- one that discriminates, unless there are only 3 viruses for your model of cell phone and it doesn't have enough RAM to run F-prot's copyright message. But... well, this is already way too long.

Neil Johnson said...

Robert,

You raise some interesting issues about F-prot in your post, above. I can't say I have tested each of the Linux-compatible anti-virus programs to the extent you suggest. My interest in running an anti-virus scan from a Linux boot CD is, as you suggest, to ensure that the virus scan executes in a "known-good" environment; specifically, an operating system and file system that has not been potentially compromised by a virus attack. I recommend F-prot because it's a solid product and well maintained across platforms. There may be other superior products out there -- please post your suggestions here if they also run on Linux.

You asked if F-prot downloads the latest definitions when you install it. It certainly should be current, but it doesn't hurt to double check, so I'd recommend running the f-prot updater after you've installed it, to be sure -- or carefully read the output from the installer to see if you received the latest definition file during the install.

Good luck with your Vista laptop! If you have lots of work to do on that computer to ensure it's reliable, you might also consider setting up a dual-boot configuration with Ubuntu, or a similar easy-to-use Linux variant, to help repair Vista to your satisfaction. With a dual-boot setup, the Linux partitions will be invisible to Windows when you boot into Vista (i.e. safe from viral infection), but you can work with the Windows partitions if you boot into Linux, and use a number of Linux-based tools to maintain or repair the Windows volumes -- a setup that is useful in many circumstances, if Windows ever gets hosed on your laptop, for any reason.

Keith Salustro said...

Robert,

Neil provided good info... I would also recommend the dual-install.

Also, reinstalling Vista would be the best choice, but maybe you don't have the license key, or the media, or you want to preserve some of the apps that are on there?

If you need the key, use KeyFinder to find your key, although you have to be careful since it might be a key for an OEM distribution and may not work with the Vista CD you reinstall with.

In any case, it's helpful that Ubuntu will be able to resize your Windows partition for you, to create space so it has room to install.

Tatiane said...

Great article. Helped me a lot!

Ryan said...

I tried installing f-prot to scan my Windows PC via an Ubuntu (9.04) LiveCD, but it seems f-prot doesn't exist anymore in the Debian repositories, so this procedure didn't work. Does this method require Knoppix? Or is there a new name for f-prot?

Regardless, I'm trying ClamAV (using KlamAV as a frontend). So far it's picking up a lot of security threats on the computer. And updating the virus database was a matter of clicking a button.

I have my fingers crossed that it'll work good :)

Luggage said...

Hey, I'm using this method to clean up a system some family friends brought me.

F-Prot is great but it's not everything, it found 4 backdoors (backdoor2 family) of which the files I deleted, not being anything critical.

So then I wanted to boot into windows to see if anything else was wrong, needed tweaking or fixing (full service when I fix friends' systems) but on boot I found out F-Prot by far doesn't get everything, as soon as I booted into windows I got bombarded with those fake anti virus tools (now I know how they got the backdoor though) trying to install trojans and backdoors again.

So while F-Prot will find strictly viruses and such it's not as able to find the software responsible for keeping the system infected.

Still thanks for the guide, this will be a standard tool in my repair kit from now on, just hope to find a scanner that will sniff out the crap that keeps downloading and installing these things as soon as you plug in the utp cable / connect to wifi.

creativesumant said...

If you boot from the CD how can you have an internet connection to update the virus software?

Don't forget to check out "Linux Tips and Tricks"

Anonymous said...

Just curious, I read the f-prot's website and they didn't indicate f-prot for linux can scan for windows based malware/virus/etc.

According to the website, f-prot for linux scans for and detects malware developed for the *nix platform.

I only ask because, I'm running a linux file server (for downloads) and want to implement some malware detection prior to moving the files into production (i.e. my media server). My main concern is windows users who might access the files.

Any ideas?

Neil Johnson said...

A quick check on the F-PROT Antivirus latest product versions and virus signature files indicates that they use the same signature file for all of their products, which makes sense: it's easier to maintain one single signature file than to try to fork a signature file for each OS.

Note that you could set up a cron job for the command line version to automatically update the definition file and also automatically scan a directory on regular intervals -- a good option for a file server.
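The scheduled "update, scan, then promote" job suggested in the comment above, written out as an added example (not code from the comment, the post, or F-Prot): it refreshes the definitions, scans each incoming file individually, moves clean files into the production directory and anything flagged into a quarantine directory for a person to look at. It assumes F-Prot lives under /opt/f-prot (an assumption; adjust FPROT_DIR to wherever install-f-prot.pl put it), that fpscan accepts a single file path just as the post passes it a directory, and that fpscan exits 0 for a clean file and non-zero otherwise (also an assumption; treating non-zero as "do not promote" is the safe reading either way). The directory names are placeholders.

```shell
#!/bin/sh
# Added example, not from the comment, the post, or F-Prot: a cron-driven
# "scan before promoting" job for a Linux file server.
# Assumptions: F-Prot is installed under /opt/f-prot (adjust FPROT_DIR);
# fpscan accepts a file path; fpscan exits 0 for a clean file, non-zero
# otherwise, and non-zero means "do not promote".
# Suggested crontab line (nightly at 03:00; path is a placeholder):
#   0 3 * * * /usr/local/sbin/scan-and-promote.sh >> /var/log/scan-and-promote.log 2>&1
set -u

FPROT_DIR="${FPROT_DIR:-/opt/f-prot}"
INCOMING="${INCOMING:-/srv/incoming}"      # placeholder directories
PRODUCTION="${PRODUCTION:-/srv/media}"
QUARANTINE="${QUARANTINE:-/srv/quarantine}"
DRY_RUN="${DRY_RUN:-0}"                    # DRY_RUN=1 prints commands only

# Decide where one file goes from the scanner's exit status:
# 0 -> production, anything else -> quarantine for a human to review.
destination_for() {
    # $1 = scanner exit status, $2 = file name
    if [ "$1" -eq 0 ]; then
        echo "$PRODUCTION/$2"
    else
        echo "$QUARANTINE/$2"
    fi
}

# Update definitions first, then scan each incoming file on its own so that
# one flagged file does not hold back the rest of the batch.
scan_and_promote() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$FPROT_DIR/fpupdate"
    else
        "$FPROT_DIR/fpupdate" \
            || echo "warning: definition update failed; scanning with existing definitions" >&2
        mkdir -p "$PRODUCTION" "$QUARANTINE"
    fi
    for f in "$INCOMING"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ "$DRY_RUN" = 1 ]; then
            echo "fpscan $f"
            continue
        fi
        "$FPROT_DIR/fpscan" "$f" > /dev/null 2>&1
        status=$?
        dest=$(destination_for "$status" "$name")
        mv -- "$f" "$dest" \
            && echo "$(date '+%F %T') $name -> $dest (fpscan exit $status)"
    done
}

# Usage: run directly from cron; or DRY_RUN=1 ./scan-and-promote.sh --demo
# to see what would happen without calling F-Prot or moving files.
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1
    scan_and_promote
fi
```

Quarantined files keep their names, so the cron log line is enough to trace a file back; nothing in the quarantine directory should be served to the Windows clients the commenter is worried about.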

Danny D. Clark said...

Can we use F-Prot antivirus together with one other antivirus software? I heard from a friend that F-Prot works well and I want to give it a try myself as well. However I am a bit hesitant because I have a current antivirus installed in my PC. Any advice you can give please?

Neil Johnson said...

@Danny: There's really no conflict in running two different antivirus scans on the same storage device. Note that I wouldn't recommend running them at the same time, and I'm also not talking about using two anti-virus products simultaneously that both run monitoring services. But just running a disk scan? Use as many different programs as you like.