Virus Scanning Windows from Knoppix

Why worry about scanning Windows for viruses from inside Windows? Use Knoppix to scan for viruses from the safety of a Linux-based, read-only OS.

If you don’t already have it, get Knoppix with your favorite BitTorrent client (I use Azureus 2.5) and this tracker. I use the DVD, but the CD version should work the same for this.

You can find downloading, burning, and booting help here. Boot to Knoppix.

In order to update virus definitions, a working internet connection is needed. In my case (a DHCP-enabled Linksys Cable/DSL router) things “just worked” with Knoppix’s magic boot configuration. If you run into problems, I suggest starting with the FAQ Pages then trying Google.

Naturally, the disks I want to scan need to be available–that is, they need to be recognized by the kernel and mounted. For me this just works again thanks to Knoppix boot config magic. If you run into bad magic, consult the above sources, or whatever divine ones you have access to.

I check to see if they’re already there. Since I have SATA drives in this box, they should appear as /dev/sd*. IDE drives would appear as /dev/hd*.

# df
Filesystem ... Mounted on
/dev/root ... /
/ramdisk ... /ramdisk
...
/dev/shm ... /dev/shm

No harddisks are mounted, so I check /etc/fstab to see if Knoppix recognized them.

# cat /etc/fstab
/proc /proc proc rw,nosuid,nodev,noexec 0 0
...
# Added by KNOPPIX
/dev/sdc1 /media/sdc1 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0
# Added by KNOPPIX
/dev/sdc2 /media/sdc2 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0

The Added by KNOPPIX entries are the two partitions on my SATA drive. Since Knoppix recognized them, I can simply mount them.

# mount /dev/sdc1
# mount /dev/sdc2
# df -k
Filesystem ... Mounted on
/dev/root ... /
/ramdisk ... /ramdisk
...
/dev/shm ... /dev/shm
/dev/sdc1 ... /media/sdc1
/dev/sdc2 ... /media/sdc2

Just like any OS, Knoppix gets patched regularly. Since I want to have the latest, greatest virus scan, I’ll get (some of) the updates with the bundled Debian package manager.

# apt-get update

There’s a lot of output from that command to update the Debian package manager’s package list. It just means the installer knows about the latest stuff now.

I use ClamAV to scan for viruses. So, I’ll check that it’s up-to-date per the package installer.

# apt-get install clamav
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed: libclamav2
Suggested packages: unrar
The following packages will be upgraded: clamav
...
Do you want to continue [Y/n]? Y

The changelogs are presented (press ‘q’ to exit) and there are more prompts to follow, but the install should work without any errors.

I also want to update the ClamAV utility that fetches the current virus definitions.

# apt-get install clamav-freshclam

This time, the install wants to replace a conf file that has been locally modified. I choose to install the package maintainer’s versions, after I compare them side-by-side.

When that’s done, I update the virus definitions.

# freshclam

Finally, scan.

# cd /media
# clamscan -r -l /var/clamlog

The options -r and -l [filename] recursively scan directories and log scan output, respectively. Note that this will only identify viruses. If I wanted to take action when an infection is found, I’d have to specify what to do with different options.
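Added example (not part of the original post): the log written by -l records every file scanned, so this sketch pulls out only the detections. It assumes clamscan's usual log layout, "<path>: <signature> FOUND" for a hit; the sample log, paths and signature names are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in clamscan's log layout (paths and signature names are
# made up): "<path>: OK" when clean, "<path>: <signature> FOUND" for a hit.
sample_log() {
cat <<'EOF'
/media/sdc1/boot.ini: OK
/media/sdc1/Documents and Settings/kid/setup.exe: Win.Trojan.Example-1 FOUND
/media/sdc1/WINDOWS/notepad.exe: OK
/media/sdc2/backup: old/eicar.com: Eicar-Test-Signature FOUND
/media/sdc2/notes FOUND.txt: OK

----------- SCAN SUMMARY -----------
Scanned files: 5
Infected files: 2
EOF
}

# Print "signature<TAB>path" for every hit in log file $1.
# Only lines ending in " FOUND" count; the signature is the last
# space-free token after ": ", so paths with spaces or ": " survive.
infected_entries() {
    awk '/ FOUND$/ {
        line = $0
        sub(/ FOUND$/, "", line)
        if (!match(line, /: [^ ]+$/)) next
        printf "%s\t%s\n", substr(line, RSTART + 2), substr(line, 1, RSTART - 1)
    }' "$1"
}

# Count hits from the lines themselves, so a log cut short before the
# summary block is written still gives an answer.
infected_count() {
    infected_entries "$1" | wc -l | tr -d ' '
}

# Succeed only if the log's own "Infected files:" line agrees with the count.
summary_matches() {
    reported=$(awk -F': ' '/^Infected files: /{print $2}' "$1")
    [ "$reported" = "$(infected_count "$1")" ]
}

log=$(mktemp)
sample_log > "$log"
infected_entries "$log"
echo "hits: $(infected_count "$log")"
```

On a live scan, clamscan's -i (--infected) option prints only infected files, which keeps the clean-file lines out of the way from the start.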

As I write this up, I’m scanning my squeaky-clean new computer. I don’t expect any problems there. Once it’s done, I’ll scan my older Windows machine and that might be more interesting.

24 thoughts on “Virus Scanning Windows from Knoppix”

  1. Seems like a lot of people are looking at these instructions and that’s great! Please leave a comment and let me know how they work for you.

    1. I found this very helpful as I had used Knoppix several times to be able to get to work on dead Windows machines using NTFS but had known nothing about the ability to download additional packages like ClamAV. I am using that now to try and find a virus that infected my daughter’s Vista laptop from facebook and rendered her McAfee non-operational among other nasty effects. Some examples of how to deal with found viruses would be nice.

    2. Once again thanks for providing this very useful page. Since running ClamAV on a machine with a large number of files produces a log with many thousands of lines 99.9% of which just say OK, an example of the text used by ClamAV to identify a virus found would be useful when searching the log.

      1. Check the options for clamscan. I’m pretty sure one of them suppresses the clean file notifications, so you’ll see only the problems.

        ClamAV doesn’t have a mechanism to “clean” infected files for you. So, what should you do when you have a virus?

        At the risk of a cop-out, that’s a tricky question and way beyond the scope of my intent. I’m neither a security nor a virus expert. My personal responses have gone from deleting the contaminated file to wiping and rebuilding the whole system. The biggest threat is anything the virus did that’s gone undetected–installing a rootkit, for example.

  2. Thanks a lot for this! It’s working pretty well!
    I’ve tested it with my little XP partition, without any problem. Now I’ll try to help a friend that’s very infected and can’t even install an AV X).

  3. I tried using the CD, and it does not work for me. It hangs up on libc6 and tells me that I have to manually stop and start some services. I think one of them is the window manager, so I tried booting as Knoppix 2. The result is the same.

    1. Hi Paul,

      Sorry that you ran into trouble. This tutorial is a bit old now. I’ll try to post an updated version over the weekend!

      Weekend update: For starters I think you want to find Knoppix version 5.x. The current release I found for the CD is 5.1.1 and for the DVD is 5.3.1. In both cases, the steps above should work. I’m downloading the .iso files for both now. Once I’ve tested, if there are any changes to the procedures, I’ll post them.

      –Matt

  4. OK, I now have the DVD 5.3.1, and it is working on this machine. My older PC does not read DVD, and that is the one that I had tried earlier.

  5. Well, the 5.1.1 CD should work the same, but I’ll admit I’ve had better luck with the Knoppix DVDs. I just successfully used the 5.3.1 DVD with the exact instructions above. It took 6.5 hours to scan close to 1TB. (And that’s why I didn’t confirm these instructions until now.) 😉

  6. If you have the time, give the CD another try. Today I noticed that the CD has a kernel that ends in 19. That is pretty old.

  7. Just for fun, I tried this out using an Ubuntu live CD. It worked with a few modifications. But wait; what’s this I see? Knoppix 6.0…. I have to try this out. The Knoppix CD I have is just so old: it gets in trouble when I do the apt-get update.

  8. OK, now I have tried the new CD. It is a beta release, and it does not work very well for me. These instructions still hold pretty true. One difference was that apt-get install clamav installed freshclam as part of the process. I ran freshclam, and it seemed to work, but when I ran clamscan, it complained that the engine was out-of-date and the signatures were more than a week out!

  9. Interesting, Paul. I noticed freshclam installed with clamav, too, when I did this in December and had no problems updating. Didn’t see the same problem you had running it, though. What version of the CD are you using? I’ll look at it this weekend.

  10. The version is 6.0.1, from last month. It is an interesting work. The motivation for this release is to introduce ADRIANE for the blind and people with low vision. If you don’t boot up with the right options, your computer will speak to you in German even if you have the English language version.

  11. I followed these instructions to the letter using Knoppix CD 6.0.1 (the non-ADRIANE version), and now my Windows machine is virus-free and all my dreams have come true. Thank you!

  12. I was able to run “apt-get install clamav-freshclam” and when I check the version I am told I have the latest version. I found your post very helpful; however, I still get the “this version of the clamav is out of date” when I start a scan by running “freshclam”. I know I am so close to run a scan from the Ubuntu LiveCD and yet so far. Any help will be appreciated.

  13. Very nice detailed instructions, thanks a lot for taking the time to do this. Now I’m off to see how it works for me!

  14. Perfect.
    I just purchased a used Windows machine, loaded up a Knoppix distro and discovered ClamAV. With your clear instructions, the signatures were brought up-to-date and I’m happily scanning the disk. … and isn’t it cool to have this post providing value 7 years later.
    Thanks!
