Scanning Windows from Ubuntu 10.10 LiveCD (ClamAV)
Recently I was working with someone who suspected that their laptop had a virus, and so wanted to do a virus scan. Needless to say, I recommended to them a couple of freely available virus scanners for Windows, but I also recommended that they boot up a LiveCD and run a virus scan from there. Being able to run off a LiveCD for a virus scan ensures that no techniques that the virus can employ on the host operating system to hide itself (such as a rootkit might do) will work.
However, they had never used Linux before, and rather struggled with some of the basics, like installing a piece of software. As a result, I decided to write a well illustrated guide to scanning a Windows system from Ubuntu LiveCD (10.10), starting with the installation of the scanner, and then the actual scan. This guide is for the absolute beginner, and strives to be completely step by step. Please comment if you feel a step is missing.
Ubuntu LiveCD
To start off, you need to get a LiveCD (or make a LiveUSB) of Ubuntu, a completely free operating system.
To download and find instructions for creating the media, and running Ubuntu, go to Ubuntu.com.
Install ClamAV
First, open the Synaptic Package Manager by going to System, then Administration, then Synaptic Package Manager.
Once this is open, go to the
Now select the Community-maintained Open Source software (universe).
Now you need to reload the repositories, so that you can download the new indexes for the repositories you have just selected. To do this select the blue, circular arrow in the left corner.
Once you’ve clicked the reload button, a small window should pop up, titled Downloading Package Information.
Wait for this process to finish; the window will close itself.
Now it’s time to find clamav, in order to install it. In the box underneath the words Quick search, type in clamav and hit enter. ClamAV is an open-source antivirus scanner.
Once clamav comes up as a result (if it doesn’t, close and reopen Synaptic, and then search again), click the box next to clamav, and select the Mark for Installation option.
A window should come up, asking if you wish to “Mark additional required changes”. Select the Mark option.
Now select the Apply button, which is on the upper center of Synaptic, as shown below.
This should launch a new window. Select the Apply option in this window.
A new window should come up now. Let this process complete; once it is done the window will close automatically.
ClamAV is now installed. Now close Synaptic.
Mounting the Drive
Now go to Places > Home to open the Home directory (folder).
In the window that opens up, there should be a side pane with a simple image of a hard drive. Beside this image, there should be a number with the characters “GB” beside it. This is probably your Windows drive. Click on it (or on one of them) to mount it.
If it’s the Windows drive, it should have folders with titles like Boot, Documents and Settings, and Windows, and look like the below.
If you have more than one drive listed, you should mount them all, so that you can scan them later. Take note of the title of each drive (it should be in the titlebar of the window). The title is probably a mix of numbers and letters that make no obvious sense.
Working With ClamAV
First, open a terminal. Go to Applications > Accessories > Terminal.
A new window (the terminal) will pop up. In this terminal type sudo freshclam, and press enter. (This updates the virus signatures that the scanner looks for.)
Now you need to make a logfile for ClamAV to write to. Type the command
touch /home/ubuntu/Desktop/clam_log
and hit enter to make this file on your desktop. The file will be named clam_log. Verify this by minimising all windows and looking on your desktop to see if the file has appeared.
Now it is time for you to begin the scan.
Bring the terminal back up. Enter clamscan --bell -r --log=/home/ubuntu/Desktop/clam_log -i /media/52DBFDE43B3EAE59/
Replace 52DBFDE43B3EAE59 with the title of the drive that you mounted earlier. (The -r option scans recursively, -i prints only infected files, and --log writes the same output to the logfile you created.) Hit enter and wait for it to run.
Once the scan is complete, it will show a section labelled “SCAN SUMMARY”. This section tells you whether any infected files were found. If it says that there are 0 infected files, you are most likely fine.
On mine, I downloaded a test file from eicar.org. ClamAV tells me that the infected file is /media/52DBFDE43B3EAE59/ProgramData/eicar.com. At this point, there are two choices to deal with the infected file. One is to delete it - which I recommend doing only if you downloaded the file and know what you are doing.
The better option is to take the information that it provides about the file, and search for removal options. The relevant information for this search is the part after the colon but before the word FOUND. In my case, I would search for “Eicar-Test-Signature”.
If you want to be able to transfer this information to a different computer or operating system, you can copy the log file, clam_log, from the Desktop to your desired destination.
Repeat the scan itself and the following steps for all the drives you mounted. Once you are through, shut down Ubuntu with the power button symbol in the upper right corner, and make sure to remove the media when it tells you to. You’ve now completed a virus scan from Ubuntu.
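As an added example (not part of the original post), the shell helpers below wrap the steps above: one builds the same clamscan command for any mounted drive, one scans every drive under /media/ in turn, and two pull the signature names and the infected-file count out of the logfile so you know what to search for. The sample log is constructed to match the EICAR case described above; the log path is the one used in the post.

```shell
#!/bin/sh
# Added example: helpers around the clamscan log written by the command in the post.
# Assumes the same --log path and that mounted drives appear under /media/.

LOG="${LOG:-/home/ubuntu/Desktop/clam_log}"

# Print the clamscan command for one mount point, exactly as the post uses it.
scan_cmd() {
    printf 'clamscan --bell -r --log=%s -i %s\n' "$LOG" "$1"
}

# Scan every drive mounted under /media (the post says to repeat per drive).
# Not invoked below; run it on the LiveCD after freshclam and mounting.
scan_all_mounted() {
    for d in /media/*/; do
        [ -d "$d" ] || continue
        echo "Scanning $d"
        clamscan --bell -r --log="$LOG" -i "$d"
    done
}

# List the signature names to research: the text after the colon and
# before FOUND on each detection line of the log.
found_signatures() {
    sed -n 's/^.*: \(.*\) FOUND$/\1/p' "$1" | sort -u
}

# Pull the "Infected files" count out of the SCAN SUMMARY.
infected_count() {
    sed -n 's/^Infected files: \([0-9]*\)$/\1/p' "$1"
}

# Constructed sample log in the format clamscan writes with -i (only
# infected files are listed), mirroring the EICAR test file case.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
/media/52DBFDE43B3EAE59/ProgramData/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1000000
Scanned files: 2
Infected files: 1
EOF

scan_cmd /media/52DBFDE43B3EAE59/
found_signatures "$SAMPLE_LOG"
infected_count "$SAMPLE_LOG"
```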