Virus Scanning Windows from Knoppix

Why worry about scanning Windows for viruses from inside Windows, where malware that is already running can hide from or disable the scanner? Use Knoppix to scan for viruses from the safety of a Linux-based, read-only OS.

If you don’t already have it, get Knoppix with your favorite BitTorrent client (I use Azureus 2.5) and this tracker. I use the DVD, but the CD version should work the same for this.

You can find downloading, burning, and booting help here. Boot to Knoppix.

In order to update virus definitions, a working internet connection is needed. In my case (a DHCP-enabled Linksys Cable/DSL router) things “just worked” with Knoppix’s magic boot configuration. If you run into problems, I suggest starting with the FAQ Pages then trying Google.

Naturally, the disks I want to scan need to be available, that is, they need to be recognized by the kernel and mounted. For me this just works again thanks to Knoppix boot config magic. If you run into bad magic, consult the above sources, or whatever divine ones you have access to.

I check to see if they’re already there. Since I have SATA drives in this box, they should appear as /dev/sd*. IDE drives would appear as /dev/hd*.

# df
Filesystem ... Mounted on
/dev/root ... /
/ramdisk ... /ramdisk
...
/dev/shm ... /dev/shm

No harddisks are mounted, so I check /etc/fstab to see if Knoppix recognized them.

# cat /etc/fstab
/proc /proc proc rw,nosuid,nodev,noexec 0 0
...
# Added by KNOPPIX
/dev/sdc1 /media/sdc1 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0
# Added by KNOPPIX
/dev/sdc2 /media/sdc2 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0

The “Added by KNOPPIX” entries are the two partitions on my SATA drive. Since Knoppix recognized them, I can simply mount them.

# mount /dev/sdc1
# mount /dev/sdc2
# df -k
Filesystem ... Mounted on
/dev/root ... /
/ramdisk ... /ramdisk
...
/dev/shm ... /dev/shm
/dev/sdc1 ... /media/sdc1
/dev/sdc2 ... /media/sdc2
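The mount step above takes the Knoppix fstab entries as they are, and those entries carry exec and umask=000, so anything on the Windows partitions is executable and writable from the live system. The following sh script is an added example, not part of the original post: it reads fstab text, picks out the partitions Knoppix auto-detected, and emits mount commands that override those defaults with ro,noexec so the scan can neither change the disk nor run anything from it. The fstab text embedded here is a constructed sample modelled on the entries shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example: list the partitions Knoppix auto-detected and emit read-only,
# no-exec mount commands for them. Not code from the original post.

# Constructed sample of an /etc/fstab in the form Knoppix writes it.
SAMPLE_FSTAB='/proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/cdrom /media/cdrom iso9660 ro,noauto,users 0 0
# Added by KNOPPIX
/dev/sdc1 /media/sdc1 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0
# Added by KNOPPIX
/dev/sdc2 /media/sdc2 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0'

# knoppix_partitions: read fstab text on stdin and print "device mountpoint fstype"
# for every entry that immediately follows a "# Added by KNOPPIX" comment.
knoppix_partitions() {
    awk '
        /^# Added by KNOPPIX/ { want = 1; next }
        want == 1 && $1 ~ /^\/dev\// { print $1, $2, $3 }
        { want = 0 }
    '
}

# mount_commands: turn that list into mount invocations. The explicit -o ro,noexec
# replaces the rw/exec defaults Knoppix put in fstab. Commands are printed, not
# executed, so they can be reviewed first; pipe the output to sh to run them.
mount_commands() {
    knoppix_partitions | while read -r dev mnt fstype; do
        printf 'mount -t %s -o ro,noexec %s %s\n' "$fstype" "$dev" "$mnt"
    done
}

# partition_count: how many auto-detected partitions the sample contains.
partition_count() {
    printf '%s\n' "$SAMPLE_FSTAB" | knoppix_partitions | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_FSTAB" | mount_commands
```

On a real Knoppix session the same functions read the live file: `knoppix_partitions < /etc/fstab` lists what was detected, and `mount_commands < /etc/fstab | sh` mounts it read-only. A read-only mount also means the scanner cannot be used to alter evidence on a machine you may later want to examine more closely.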

Just like any OS, Knoppix gets patched regularly. Since I want to have the latest, greatest virus scan, I’ll get (some of) the updates with the bundled Debian package manager.

# apt-get update

That command refreshes the Debian package manager’s list of available packages and prints a lot of output while doing so. All it means is that the installer now knows about the latest versions.

I use ClamAV to scan for viruses. So, I’ll check that it’s up-to-date per the package installer.

# apt-get install clamav
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed: libclamav2
Suggested packages: unrar
The following packages will be upgraded: clamav
...
Do you want to continue [Y/n]? Y

The changelogs are presented (press ‘q’ to exit) and there are more prompts to follow, but the install should work without any errors.

I also want to update the ClamAV utility that fetches the current virus definitions.

# apt-get install clamav-freshclam

This time, the install wants to replace a conf file that has been locally modified. I choose to install the package maintainer’s versions, after I compare them side-by-side.

When that’s done, I update the virus definitions.

# freshclam

Finally, scan.

# cd /media
# clamscan -r -l /var/clamlog

The options -r and -l [filename] mean recursively scan directories and log the scan output to the named file, respectively. Note that this will only identify viruses; it does not touch the files it flags. If I wanted to take action when an infection is found, I’d have to say what to do with other options.

As I write this up, I’m scanning my squeaky-clean new computer. I don’t expect any problems there. Once it’s done, I’ll scan my older Windows machine, and that might be more interesting.