Saturday, June 26, 2004

LINUX: Scanning for viruses with Knoppix

O'Reilly Network: Scanning for viruses with Knoppix [Jun. 25, 2004]: "Recently, I have had a few machines suffer from weird behavior, and while the machines run virus scanners, some of the users don't have it set to automatically download new definitions. I wanted to make sure that no viruses were hiding in the background or trying to evade detection. This is where Knoppix comes in.

First, with the Knoppix disc, the OS that might possibly be infected is completely powered down, so anything that might have been running in memory is gone. Second, I'm booting into a completely different OS, so I don't have to worry about the infection somehow running accidentally under Linux. Third, Knoppix and the virus scanner in it are free, so I can burn many copies of it and scan multiple machines at once.

So, how to scan them? Knoppix does not include the virus scanner as part of its CD by default, but it is an option in the live software installer. So, I run the live software installer from the Knoppix menu, and install f-prot. Once f-prot is installed, a new icon appears on the desktop for your newly installed programs. I run the front-end to f-prot and check the option to download the latest definitions.

Once the definitions are updated, clicking another option will let me choose drives that Knoppix has detected for f-prot to scan. This process does take some time, but hey, Knoppix has web browsers and tons of games to help me pass the time while the scan is finishing. Once it's done, I get a nice long report of each file it scanned and which ones are infected with a virus; then I can decide to go through and delete those manually, or move them somewhere safe, or whatever I want to do. You could also run f-prot from the command line and tell it to attempt to repair or delete the infection itself.

Since Knoppix can share directories over the network with samba, you could also have other virus scanners on known clean machines scan the share if you were really paranoid.

One handy thing about using Knoppix for this is that you can also go to that relative's/friend's computer that doesn't have any virus protection and seems to always get infected with the latest viruses (you know the one), and you can safely clean the system up.

Kyle Rankin is a systems administrator for The Green Sheet, Inc. and has been using Linux in one form or another since early 1998."


