malware scanners for linux

velvetpants

Member
Aug 29, 2009
72
0
0
Say I have a virus infested windows PC, and instead of risking getting my thumbdrive or other PCs on the network infected, I would just rip out the hard drive and plug it into my linux box.
What tools would I use to scan the drive?

Google hasn't gotten me anything except kaspersky, but I could never get it to work on ubuntu 10.10, either due to incompatibility or my own ignorance.
 

ModestGamer

Banned
Jun 30, 2010
1,140
0
0
Format and reinstall. Make sure to use a utility that will write all zeros or FFFF to the whole drive. Viruses can do some strange file system tricks and you wouldn't want something to stay in the boot sector.
 

velvetpants

Member
Aug 29, 2009
72
0
0
> Format and reinstall. Make sure to use a utility that will write all zeros or FFFF to the whole drive. Viruses can do some strange file system tricks and you wouldn't want something to stay in the boot sector.
really not at all what I was asking about...
I only format if nothing else works
 

ModestGamer

Banned
Jun 30, 2010
1,140
0
0
That's your best option. Now if you want to remove data from the drive, boot into a linux live CD and transfer those files to a quarantinable thumbdrive.
 

Net

Golden Member
Aug 30, 2003
1,592
2
81
first off why not unplug it from the network, burn a CD of a virus update from another pc and load it on the infected one, then do a scan?

other option:

BartPE is a windows XP Live CD. Do a virus scan from it. You need a copy of Windows XP http://www.nu2.nu/pebuilder/
 

velvetpants

Member
Aug 29, 2009
72
0
0
> first off why not unplug it from the network, burn a CD of a virus update from another pc and load it on the infected one, then do a scan?
That's what I've been doing, except with a flash drive that I format after each session. But it's not exactly easy to work on a 5 year old, malware infested XP installation.
I'll have to sit in front of the computer for 40 minutes just to start a virus scan.

> BartPE is a windows XP Live CD. Do a virus scan from it. You need a copy of Windows XP http://www.nu2.nu/pebuilder/
That could work though. Thanks.
The Windows permissions are something I'd like to bypass though. It takes forever to take ownership and change the permissions of every file on the hard drive.
 

Net

Golden Member
Aug 30, 2003
1,592
2
81
> That could work though. Thanks.
> The Windows permissions are something I'd like to bypass though. It takes forever to take ownership and change the permissions of every file on the hard drive.

http://www.windowsitpro.com/article/administration-tools2/bartpe/2.aspx

how to for virus and malware scan with BartPE
http://skyjuiceiswater.blogspot.com/2008/01/how-to-use-bartpe-to-scan-computers.html

you should ask the moderators to move this thread to security. you'll get more responses.
 

Khyron320

Senior member
Aug 26, 2002
306
0
0
www.khyrolabs.com
I do this exact thing.
For 1 main reason: most people bring me dogshit slow pcs. This is faster on my 3.0ghz 8400
Free:
Clamav - horrible detection
Fprot - can be installed to a folder with no annoying services in the background
Avg - requires annoying service running to update/scan
Just google u will find them.
Another trick is to build up a good md5sum library of commonly infected files and run a diff on them

Paid:
Many; some are very expensive because only server versions are available
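
The "md5sum library" trick from the post above, sketched as an added example (not code from the thread): build a baseline on a clean reference copy, then check the suspect drive, mounted read-only, against it. The function names, the `/mnt/suspect` mount point and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: hash comparison against a known-good MD5 baseline.
# Assumes the suspect disk is already mounted read-only, for example
#   mount -o ro /dev/sdX1 /mnt/suspect     (sdX1 is a placeholder)

# build_baseline ROOT
# Run on a clean reference copy; prints "md5  ./relative/path" lines.
build_baseline() {
    ( cd "$1" && find . -type f -exec md5sum {} + | sort -k 2 )
}

# compare_baseline BASELINE ROOT
# Prints CHANGED or MISSING for every baseline entry that deviates under
# ROOT and returns 1 if there was any deviation, 0 otherwise.
compare_baseline() {
    baseline=$1; root=$2; status=0
    while read -r want path; do
        path=${path#\*}                      # drop md5sum's binary-mode marker
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; status=1
        else
            got=$(md5sum < "$root/$path" | cut -d ' ' -f 1)
            [ "$got" = "$want" ] || { echo "CHANGED $path"; status=1; }
        fi
    done < "$baseline"
    return "$status"
}

# demo: constructed stand-ins for a clean reference and a suspect volume.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/clean/system32"
    printf 'reference userinit\n' > "$work/clean/system32/userinit.exe"
    printf 'reference explorer\n' > "$work/clean/system32/explorer.exe"
    cp -R "$work/clean" "$work/suspect"
    printf 'appended\n' >> "$work/suspect/system32/userinit.exe"  # altered file
    rm "$work/suspect/system32/explorer.exe"                      # removed file
    build_baseline "$work/clean" > "$work/baseline.md5"
    report=$(compare_baseline "$work/baseline.md5" "$work/suspect" || true)
    rm -rf "$work"
    printf '%s\n' "$report"
}

demo
```

The baseline has to come from a clean install of the same Windows version and patch level, otherwise every updated system file shows up as CHANGED. `sha256sum` writes the same line format and can be swapped in for `md5sum`.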
 

jae

Golden Member
Jul 31, 2001
1,034
0
76
www.facebook.com
If it's a 5-year old malware infested XP install, why wouldn't you want to start fresh?

But if you really want to just clean it, Bitdefender is on Linux. And I believe it's a deb package if I remember correctly.
 

velvetpants

Member
Aug 29, 2009
72
0
0
> If it's a 5-year old malware infested XP install, why wouldn't you want to start fresh?
>
> But if you really want to just clean it, Bitdefender is on Linux. And I believe it's a deb package if I remember correctly.
If it was my PC, I would format it without thinking twice.

But when you're dealing with the computer illiterate then you have to be more careful.

Here is how it usually goes:

1. I call up the customer and tell them that their OS is completely messed up and that it needs to be reinstalled. I always try to carefully explain to them that this means all their data and any installed program will be gone forever.

2. I format it, the customer picks it up, all good.

3. Customer comes back the next day, furious. He can't connect to the wifi, his printer doesn't work and his MS office 2000 is missing and it's all my fault "and I never told him that would happen".

4. Then I have to explain to him again what happens when you format a hard drive, what a driver is, what an SSID and wep key is and that MS office is a separate product from Windows and is not included in the operating system and that I can't install it without having the goddamn product key.
(this is like describing the color green to a blind person)

I'd rather spend more time cleaning up a messed up windows install than deal with that shit.
 

VinDSL

Diamond Member
Apr 11, 2006
4,869
1
81
www.lenon.com
> I'd rather spend more time cleaning up a messed up windows install than deal with that shit.
Been there; done it!

I only clean-up machines for close friends and coworkers (ppl that I care about).

It's a tedious process. Usually takes me 2-3 days to repair/restore/optimize an infested machine.

LoL! There's no way I would do this for a living. It's a labor of love, for me...
 

VinDSL

Diamond Member
Apr 11, 2006
4,869
1
81
www.lenon.com
> Free:
> Clamav - horrible detection
> Fprot - can be installed to a folder with no annoying services in the background
> Avg - requires annoying service running to update/scan
Clamav - agreed!

Fprot - I love Fprot! PITA to setup on Ubu (with a GUI). Not worth the effort IMO.

I have recommended Fprot (not free) to Winders users for years, and they want to lay down and have sex with me.

Detecting malware is easy. Removing it is a different matter. Nothing beats Fprot for removing viruses, in my experience!

Avg - Can't stand it. Sorry! And, I don't know why. Just the *thought* of it makes me want to ralph...

Sooo... what do I use on Linux machines, you may ask? :awe:

I think Avast! is hard to beat.

Avast! - Easy to use GUI interface - decent detection - doesn't work worth jack for removing viruses (like most av software) but does a good job of moving/renaming/deleting/quarantining them - *FREE*.
 

lxskllr

No Lifer
Nov 30, 2004
59,319
9,841
126
Where are you guys getting your data for poor ClamAV performance? I'm not doubting it, but I've looked all over for decent benches of that app. What I always heard was it does well at new viruses at the expense of old ones, but I've never seen anything one way or the other. I had a commercial use for it once for a broke company, but I couldn't justify removing an expired AVG package, for an unknown quantity.
 

VinDSL

Diamond Member
Apr 11, 2006
4,869
1
81
www.lenon.com
> Where are you guys getting your data for poor ClamAV performance? I'm not doubting it, but I've looked all over for decent benches of that app. [...]
I don't know what you think of Wikipedia, but...

SOURCE

Effectiveness

ClamAV sometimes suffers from poor detection rates and its scans are slow and less effective than some other antivirus programs (such as Avast or AVG). For example, ClamAV failed to detect almost half of the Trojan horse, password stealers, and other malware in AV-Test.org's "zoo" of malware samples.[7]

ClamAV is occasionally included in comparative tests against other antivirus products. In the 2008 AV-Test it rated: on-demand: very poor, false positives: poor, on-access: poor, response time: very good, rootkits: very poor[8]

In 2007 Untangle ranked Clam 2nd out of 10, ahead of Symantec, F-Prot, Sophos, McAfee, GlobalHauri, Fortinet and SonicWall.[9]

In the 1–21 June 2008 test performed by Virus.gr, ClamWin version 0.93 detected 54.68% of all threats and ranked 37th out of 49 products tested; the best scored over 99%.[10]

In the 10 August-5 September 2009 test performed by Virus.gr, ClamWin version 0.95.2 detected 52.48% of all threats and ranked 43 out of 55 products tested; the best scored 98.89%.[11]

Personally, I've found Clam to be slow and kludgey.

I can't speak for the effectiveness, as I've never tested it against known threats...
 

lxskllr

No Lifer
Nov 30, 2004
59,319
9,841
126
Thanks Vin. Ya know, I never thought to look at Wikipedia :^D

Pretty bad detection rates. It looks like it was a good choice staying with expired AVG.
 

MrColin

Platinum Member
May 21, 2003
2,403
3
81
Some packages I have used in ubuntu to scan windows partitions/disks
bitdefender for unices - works ok
avast - works well
clamav - about half of windows binaries falsely identified as virus or infected
 

laserhawk64

Member
Sep 1, 2009
72
0
0
Used AVG for years. Then I heard about Avast!... I'm running it now. It's better. Lots better.

Note that even the /free/ version has to be registered, though... otherwise it dies in 30 days.

BUT... what you need is probably more like Trinity Rescue Kit (aka TRK) --
TRK homepage here.

It's powerful and it's awesome, BUT you gotta have your bash commands down pat. (bash = Bourne Again SHell... it's the Linux command line. It's like DOS only with better font rendering and case sensitivity -- and it's just as rude when you do something wrong)
 

VinDSL

Diamond Member
Apr 11, 2006
4,869
1
81
www.lenon.com
> [...] I heard about Avast!... I'm running it now. It's better. Lots better.
>
> Note that even the /free/ version has to be registered, though... otherwise it dies in 30 days.
For clarification...

Avast! registration is totally painless. A single key is good for multiple installs, on different machines, and it expires in 1 year (365.25 days).

Heh! I didn't want ppl to think they had to re-register Avast! every 30 days...
 