[There's been quite a bit of interest in this post and I've expanded on it quite a bit. Please post any comments or questions to help me improve this guide.
- Neil]
Keith and I have both run into situations where we want to recover a Windows computer by cleaning it up with a Linux Live (bootable) CD distro. This offers several advantages over cleaning up an infected or compromised computer by booting into Windows:
- It prevents the malware, if it exists, from jumping from the infected computer or partition we are trying to fix to the repair partition or boot medium.
- If we boot from a CD, there's actually no way to alter the boot medium, since it's read-only.
In Knoppix 5.1, you can also boot from the Knoppix CD and install F-Prot with the Synaptic Package Manager:
- Run Synaptic Package Manager: K > KNOPPIX > Manage Software in KNOPPIX (kpackage)
- Click Search.
- Type f-prot in the Search: field and click [Search]
- Check f-prot-installer
- Click [Apply Changes]
- Open Details on the Applying Changes dialog box by clicking on the little triangle.
- The F-Prot installer prompts you in the Details box. Select Download and install, then select [OK] (use the Tab key and Return to make selections).
I went straight to the source, F-Prot's own site: Download F-PROT Antivirus for Linux Workstations.
I downloaded the Perl-based installer, which also happens to have the largest version number (6.01, today), to my Knoppix Home directory. To install F-Prot:
- Right-click on the downloaded tgz file and select Extract Here. This should create a directory in your home directory called f-prot.
- cd f-prot/
- ./install-f-prot.pl
- Just accept the default choices during the installation, unless you have a reason not to. The installer will download the latest definition files.
- To scan a drive, run fpscan /media/hda1, replacing "/media/hda1" with the path to the drive you want to scan. Enter fpscan by itself at the command prompt to see a list of options. The f-prot directory also contains documentation (f-prot/doc/html if you want to use a browser).
Remember, everything disappears when you reboot, so if you don't want to have to download the F-Prot installer, copy the compressed (tgz) file to a USB drive. Then, when it's time to install it again, just boot from Knoppix, copy the tgz file to the Knoppix home directory, and then follow the steps above. Note you still need a live Internet connection to get the latest definition files.
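The steps above (copy the tgz from the USB drive, extract it, run the installer, scan the Windows partition) can be wrapped in a small POSIX shell script. This is an added example, not a script from the original post or from F-Prot; it assumes the USB drive is mounted at /media/sdb1 (override with USB=...), that the downloaded archive is named f-prot*.tgz, and that the scanner binary is called fpscan as described above. It also writes the scan report back to the USB drive, since the Knoppix home directory is gone after a reboot, and refuses to scan a directory that does not contain a Windows folder, so a mistyped path does not silently scan the live CD's own filesystem instead of the Windows disk (set FORCE=1 for a data-only partition).

```shell
#!/bin/sh
# Added example (not from the original post): stage the F-Prot installer from a
# USB drive, install it into the Knoppix home directory, and scan a Windows
# partition, keeping the report on the USB drive so it survives a reboot.
# Assumed names (not from the post): USB mount point, archive name pattern,
# and the FPSCAN override used for dry runs.
set -eu

USB="${USB:-/media/sdb1}"          # assumed mount point of the USB drive
TARGET="${TARGET:-/media/hda1}"    # partition to scan, as in the post
FPSCAN="${FPSCAN:-fpscan}"         # scanner command; overridable for testing

# Print the path of the F-Prot archive found in a directory, or fail.
find_installer() {
    dir="$1"
    for f in "$dir"/f-prot*.tgz "$dir"/f-prot*.tar.gz; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    echo "no F-Prot archive found in $dir" >&2
    return 1
}

# Copy the archive into the home directory, extract it and run the Perl
# installer (the manual steps from the post).  The installer still needs a
# live Internet connection to fetch the latest definition files.
install_fprot() {
    archive="$1"
    cp "$archive" "$HOME/"
    ( cd "$HOME" && tar xzf "$(basename "$archive")" \
        && cd f-prot && ./install-f-prot.pl )
}

# Sanity check: the mount point should look like a Windows partition
# (a Windows/WINDOWS directory at its top level), unless FORCE=1 is set.
looks_like_windows() {
    mp="$1"
    [ -d "$mp" ] || { echo "$mp is not a directory" >&2; return 1; }
    if ls -1 "$mp" | grep -qi '^windows$'; then
        return 0
    fi
    echo "$mp has no Windows directory; set FORCE=1 to scan it anyway" >&2
    return 1
}

# Run the scanner over the target and keep a copy of its output in $report.
scan_target() {
    target="$1"
    report="$2"
    if [ "${FORCE:-0}" != 1 ]; then
        looks_like_windows "$target" || return 1
    fi
    "$FPSCAN" "$target" 2>&1 | tee "$report"
}

# Subcommands: "install" stages and installs F-Prot, "scan" scans $TARGET.
# Without a subcommand the script only defines the functions above.
case "${1:-}" in
    install) install_fprot "$(find_installer "$USB")" ;;
    scan)    scan_target "$TARGET" "$USB/fpscan-$(date +%Y%m%d).log" ;;
    "")      ;;
    *)       echo "usage: $0 install|scan" >&2; exit 2 ;;
esac
```

Usage on the live CD would be sh fprot-knoppix.sh install followed by sh fprot-knoppix.sh scan; the report ends up as fpscan-YYYYMMDD.log on the USB drive, which is the only thing you keep once Knoppix is shut down.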
We explored using ClamAV, which is included in Knoppix 5.1 but is not up-to-date with the latest definitions. To update ClamAV (sudo freshclam), it turns out you need to update the libc6 libraries first, which is such a pain and so time-consuming that I ended up just using F-Prot, following the steps above (although Keith and I were able to scan a laptop with ClamAV after running through an incredibly complex update procedure). Thanks to Paul for the comment on the ClamAV issue, below. If you have any more comments or questions about this procedure, let me know.
2 comments:
Good advice, except ClamAV requires a newer version of libc6 than is available on Knoppix (usually). If freshclam doesn't work, you're pretty much done. On to F-Prot then.
Paul,
After going through the process of updating libc6, just to get freshclam to work, I've decided it's much easier just to go with F-Prot. I've updated the original post to describe a reliable way to run the latest F-Prot from a Knoppix 5.1 boot CD.
Thanks!