Scanning for viruses with Knoppix

by Kyle Rankin

Recently, I have had a few machines suffer from weird behavior, and while the machines run virus scanners, some of the users don't have it set to automatically download new definitions. I wanted to make sure that no viruses were hiding in the background or trying to evade detection. This is where Knoppix comes in.

First, with the Knoppix disc, the OS that might possibly be infected is completely powered down, so anything that might have been running in memory is gone. Second I'm booting into a completely different OS, so I don't have to worry about the infection somehow running accidentally under Linux. Third, Knoppix and the virus scanner in it is free, so I can burn many copies of it and scan multiple machines at once.

So, how to scan them? Knoppix does not include the virus scanner as part of its CD by default, but it is an option in the live software installer. So, I run the live software installer from the Knoppix menu, and install f-prot. Once f-prot is installed, a new icon appears on the desktop for your newly installed programs. I run the front-end to f-prot and check the option to download the latest definitions.

Once the definitions are updated, clicking another option will let me choose drives that Knoppix has detected for f-prot to scan. This process does take some time, but hey, Knoppix has web browsers and tons of games to help me pass the time while the scan is finishing. Once it's done, I get a nice long report of each file it scanned and which ones are infected with a virus, then I can decide to go through and delete those manually, or move them somewhere safe, or whatever I want to do. You could also run f-prot from the command line and tell it to attempt to repair or delete the infection itself.

Since Knoppix can share directories over the network with samba, you could also have other virus scanners on known clean machines scan the share if you were really paranoid.

One handy thing about using Knoppix for this, is that you can also go to that relative's/friend's computer that doesn't have any virus protection and seems to always get infected with the latest viruses (you know the one), and you can safely clean the system up.

11 Comments

Simoncu
2004-06-27 23:17:42
Scanning for viruses with Knoppix
Hi, fisrt I'm not a linux/unix/whatever-ix or -ux guru. So could you explain to me how and where you install and update the f-prot ? Afaik, Knoppix comes on a CD, so do you dload and install the antivirus on the local hard drive ?
Thats a point I didnt get


Thanks


Simon

greenfly
2004-06-28 09:04:19
Scanning for viruses with Knoppix
Knoppix and most other livecds create a ramdisk--a hard drive of sorts out of part of your RAM. It uses this to store temporary files, such as this live install of f-prot and its virus definitions. Once you shut down Knoppix, everything in the ramdisk goes away.


However, you can save to disk (and even use a disk as your home directory) if you want, or even use a usb key drive or something along those lines, but in this case it isn't necessary.

ekwok
2004-06-29 01:31:50
May I ask you how to do it?
I am new to linux, I only know how to install software with rpm but not f-prot.


Can you show me the step of how to do it?

greenfly
2004-06-29 08:19:45
May I ask you how to do it?
Really, installing f-prot on your distribution is going to depend heavily on which distribution of Linux you are using (and whether your distribution already has it packaged). Because of that, it would be somewhat difficult to explain the best way to install it (plus I don't know that this comments section is the best way to go about it anyway).


Under Knoppix it's just a matter of clicking Kmenu->KNOPPIX->Utilities->Live Software Installer and then choosing f-prot to install, but under Debian unstable you would run apt-get install f-prot. Under other distributions it would be different.

jjjrrr3
2004-06-29 09:43:56
May I ask you how to do it?
For those unfamiliar with Knoppix, it's very easy. In Knoppix 3.4, one can go to the Knoppix menu -> Utilities -> Install software -> F-prot. Simple as that!
kojo
2004-06-30 09:42:38
Can you scan Windows partitions?
So, can I use this methood to check a windows machine for virii? Will the program running from Knoppix be able to scan a Windows 2K/XP partion properly?
greenfly
2004-06-30 09:47:15
Can you scan Windows partitions? --Yes
Yes, Knoppix can read and write to FAT, FAT32, and NTFS partitions. To write to NTFS partitions you have to take advantage of the captive-ntfs package (Kmenu->Knoppix->Utilities->Captive NTFS) but otherwise with FAT or FAT32 partitions you can just click on hard drives icons to browse the filesystem.


Really, if you are just scanning for viruses, that just requires read access, so you don't have to bother with captive-ntfs just to scan for viruses on NTFS either, you would only need to worry about it if you wanted to go in and delete files.

kojo
2004-06-30 12:54:04
Can you scan Windows partitions? --Yes
Thanks GreenFly!!
helpdeskdan
2004-09-21 22:15:00
Broken
This seems to be broken in the latest version I downloaded, dated 8/16/04. (perhaps only broken in 3.6?) I found a way to make it work, but it takes a few commands. I posted a writeup at cs.svsu.edu/~dgschmid/knoppix.html. It's important to note that captive is still a little flakey - it is important to know that you MUST unmount the partition before shutting down to commit changes. (see known bugs) Nonetheless, it is a good article.
CAPkix
2004-10-25 09:21:47
Excellent Resource!
Unfortunately, since I'm only a casual linux user, linux isn't the first thing that pops into my mind when trying to solve a problem.


I spent the past day fixing a machine for a friend that had about 2 years of unprotected internet use. My friend likes adult sites. He REALLY likes adult sites. And the adult sites liked him because they could install everything on his unprotected and unpatched XP machine. I tried to get Norton and Grisoft AV products to clean things up. I tried to install from windows update. In the end, I did what any smart person would do to windows, I formated the hell out of it.


Had I known that I could use Knoppix to at least kill the viruses, I would have saved myself about 8 hours finaggling and reinstalling.


Thanks for the article!


-NCP

dk
2006-02-28 08:59:48
Thanks for the captiventfs tip :D