Virus Scanning Windows from Knoppix

Why worry about scanning Windows for viruses from inside Windows? Use Knoppix to scan for viruses from the safety of a linux-based, read-only OS.

If you don’t already have it, get Knoppix with your favorite BitTorrent client (I use Azureus 2.5) and this tracker. I use the DVD, but the CD version should work the same for this.

You can find downloading, burning, and booting help here. Boot to Knoppix.

In order to update virus definitions, a working internet connection is needed. In my case (a DHCP-enabled Linksys Cable/DSL router) things “just worked” with Knoppix’s magic boot configuration. If you run into problems, I suggest starting with the FAQ Pages then trying Google.

Naturally, the disks I want to scan need to be available–that is, they need to be recognized by the kernel and mounted. For me this just works again thanks to Knoppix boot config magic. If you run into bad magic, consult the above sources, or whatever divine ones you have access to.

I check to see if they’re already there. Since I have SATA drives in this box, they should appear as /dev/sd*. IDE drives would appear as /dev/hd*.

# df
Filesystem ... Mounted on
/dev/root ... /
/ramdisk ... /ramdisk
...
/dev/shm ... /dev/shm

No harddisks are mounted, so I check /etc/fstab to see if Knoppix recognized them.

# cat /etc/fstab
/proc /proc proc rw,nosuid,nodev,noexec 0 0
...
# Added by KNOPPIX
/dev/sdc1 /media/sdc1 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0
# Added by KNOPPIX
/dev/sdc2 /media/sdc2 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0

The Added by KNOPPIX entries are the two partitions on my SATA drive. Since Knoppix recognized them, I can simply mount them.

# mount /dev/sdc1
# mount /dev/sdc2
# df -k
Filesystem ... Mounted on
/dev/root ... /
/ramdisk ... /ramdisk
...
/dev/shm ... /dev/shm
/dev/sdc1 ... /media/sdc1
/dev/sdc2 ... /media/sdc2

Just like any OS, Knoppix gets patched regularly. Since I want to have the latest, greatest virus scan, I’ll get (some of) the updates with the bundled Debian package manager.

#apt-get update

There’s a lot of output from that command to update the Debian package manager’s package list. It just means the installer knows about the latest stuff now.

I use ClamAV to scan for viruses. So, I’ll check that it’s up-to-date per the package installer.

#apt-get install clamav
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed: libclamav2
Suggested packages: unrar
The following packages will be upgraded: clamav
...
Do you want to continue [Y/n]? Y

The changelogs are presented (press ‘q’ to exit) and there are more prompts to follow, but the install should work without any errors.

I also want to update the ClamAV utility that fetches the current virus definitions.

#apt-get install clamav-freshclam

This time, the install wants to replace a conf file that has been locally modified. I choose to install the package maintainer’s versions, after I compare them side-by-side.

When that’s done, I update the virus definitions.

# freshclam

Finally, scan.

# cd /media
# clamscan -r -l /var/clamlog

The options -r and -l [filename] are for recursively scan directories and log scan output, respectfully. Note that this will only identify viruses. If I wanted to take action when an infection is found, I’d have to specify what to do in different options.

As I write this up, I’m scanning my squeeky-clean new computer. I don’t expect any problems there. Once it’s done, I’ll scan my older Windows machine and that might be more interesting.

Advertisements
This entry was posted in antivirus, clamav, howto, knoppix, linux, security, windows. Bookmark the permalink.

23 Responses to Virus Scanning Windows from Knoppix

  1. mghicks says:

    Seems like a lot of people are looking at these instructions and that’s great! Please leave a comment and let me know how they work for you.

    • Bob Hicks says:

      I found this very helpful as I had used Knoppix several times to be able to get to work on dead Windows machines using NTFS but had known nothing about the ability to download additional packages like ClamAV. I am using that now to try and find a virus that
      infected my daughter’s Vista laptop from facebook and rendered her McAfee non-operational among other nasty effects. Some examples of how to deal with found viruses would be nice.

    • Bob Hicks says:

      Once again thanks for providing this very useful page. Since running ClamAV on a machine with a large number of files produces a log with many thousands of lines 99.9% of which just say OK, an example of the text used by ClamAV to identify a virus found would be useful when searching the log.

      • mghicks says:

        Check the options for clamscan. I’m pretty sure one of them suppresses the clean file notifications, so you’ll see only the problems.

        ClamAV doesn’t have a mechanism to “clean” infected files for you. So, what should you do when you have a virus?

        At the risk of a cop-out, that’s a tricky question and way beyond the scope of my intent. I’m neither a security nor a virus expert. My personal responses have gone from deleting the contaminated file to wiping and rebuilding the whole system. The biggest threat is anything the virus did that’s gone undetected–installing a rootkit, for example.

    • Devinder Sethi says:

      Very helpful article. Thanks for sharing with us.

  2. Amodef says:

    Thanks a lot for this ! It’s working pretty well !
    I’ve tested it with my little XP partition, without any problem. Now I’ll try to help a friend that’s very infected and can’t even install an AV X) .

  3. Joshua Yost says:

    I used this to help me scan computer and find a free solution to offline virus scans

  4. Paul Bethe says:

    I tried using the CD, and it does not work for me. It hangs up on libc6 and tells me that I have to manually stop and start some services. I think one of them is the window manager, so I tried booting as Knoppix 2. The result is the same.

    • mghicks says:

      Hi Paul,

      Sorry that you ran into trouble. This tutorial is a bit old now. I’ll try to post an updated version over the weekend!

      Weekend update: For starters I think you want to find Knoppix version 5.x. The current release I found for the CD is 5.1.1 and for the DVD is 5.3.1. In both cases, the steps above should work. I’m downloading the .iso files for both now. Once I’ve tested, if there are any changes to the procedures, I’ll post them.

      –Matt

  5. Paul Bethe says:

    OK, I now have the DVD 5.3.1, and it is working on this machine. My older PC does not read DVD, and that is the one that I had tried earlier.

  6. mghicks says:

    Well, the 5.1.1 CD should work the same, but I’ll admit I’ve had better luck with the Knoppix DVDs. I just successfully used the 5.3.1 DVD with the exact instructions above. It took 6.5 hours to scan close to 1TB. (And that’s why I didn’t confirm these instructions until now.) 😉

  7. Paul B. says:

    If you have the time, give the CD another try. Today I noticed that the CD has a kernel that ends in 19. That is pretty old.

  8. Vm says:

    hello sir does this support for NTFS too…….:)

    Thanks
    Vm

  9. Paul Bethe says:

    Just for fun, I tried this out using an Ubuntu live CD. It worked with a few modifications. But wait; what’s this I see? Knoppix 6.0…. I have to try this out. The Knoppix CD I have is just so old: it gets in trouble when I do the apt-get update.

  10. Paul Bethe says:

    OK, now I have tried the new CD. It is a beta release, and it does not work very well for me. These instructions still hold pretty true. One difference was that apt-get install clamav installed freshclam as part of the process. I ran freshclam, and it seemed to work, but when I ran clamscan, it complained that the engine was out-of-date and the signatures were more than a week out!

  11. mghicks says:

    Interesting, Paul. I noticed freshclam installed with clamav, too, when I did this in December and had no problems updating. Didn’t see the same problem you had running it, though. What version of the CD are you using? I’ll look at it this weekend.

  12. Paul B. says:

    The version is 6.0.1, from last month. It is an interesting work. The motivation for this release to to introduce ADRIANE for the blind and people with low vision. If you don’t boot up with the right options, your computer will speak to you in German even if you have the English language version.

  13. Amazing Larry says:

    I followed these instructions to the letter using Knoppix CD 6.0.1 (the non-ADRIANE version), and now my Windows machine is virus-free and all my dreams have come true. Thank you!

  14. pkrn says:

    Hello Mghicks.

    I search all day about saving a ClamAv scanlog.

    The option -l (you said) works perfect.

    Thanks

  15. LinuxNewbie says:

    I was able to run “apt-get install clamav-freshclam” and when I check the version I am told I have latest version. I found your post very helpful however I still get the “this version of the clamav is out of date” when I start a scan by running “freshclam”. I know I am so close to run a scan from the Ubuntu LiveCD and yet so far. Any help will be appreciated.

  16. phal says:

    Very nice detailed instructions, thanks a lot for taking the time to do this. Now I’m off to see how it works for me!

  17. Jimbo says:

    Perfect.
    I just purchased a used Windows machine, loaded up a Kopix distro and discovered ClamAV. With your clear instructions, the signatures were brought up-to-date and I’m happily scanning the disk. … and isn’t it cool to have this post providing value 7 years later.
    Thanks!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s