
Cleaning Windows with Linux and ClamAV

by Robert Spotswood, Version 1.01

Introduction
Once a computer is infected with malware, you need special ways to clean it. Just installing some antivirus (AV) software and telling it to clean will get some products, but not all. Malware increasingly employs rootkit technology, such as hooking into the Explorer process, and thereby becomes completely invisible to Windows and to the programs that run on top of Windows, such as AV software. Another trick is to have two processes which watch each other and restore one if the other is killed, or restore files if they are deleted.

There is a need to be able to scan a Windows machine while being absolutely sure no malware is active. One method is to pull the hard drive, put it into a known clean machine with AV software, and then scan the hard drive. It works, but it is time consuming, and you have to have a clean machine handy.

There has to be a better way, and there is. It involves using a Live Linux CD and a flash drive with ClamAV.

Preparation
Thanks to Stephen Gran for the static compilation instructions. You need static compilation to reduce library version conflicts.

1. ./configure --enable-static --disable-shared --without-curl --prefix=/mnt/usbdisk
2. make LDFLAGS='-all-static'
3. Copy the binaries freshclam and clamscan to your flash drive.
4. Make an etc directory on the flash disk. This and steps 5-7 only have to be done once.
5. Copy clamd.conf and freshclam.conf to the etc directory on the flash disk.
6. For freshclam.conf:
   a. Comment out the Example line.
   b. Change the DatabaseDirectory option to /mnt/usbdisk.
   c. Change DatabaseMirror to db.us.clamav.net for those in the US. See the docs for the correct value for other countries.
7. For clamd.conf:
   a. Comment out the Example line.
   b. Change the DatabaseDirectory option to /mnt/usbdisk.
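The conf edits in steps 6 and 7 are easy to get wrong by hand, especially when a flash drive is rebuilt. The script below is an added example, not from the paper or the ClamAV project: it applies the same three edits with sed and reads the result back so it can be checked. It assumes the layout from steps 4 and 5 (drive mounted at /mnt/usbdisk, stock conf files copied to /mnt/usbdisk/etc); the USBDISK, MIRROR and APPLY_CONF variables are this script's own.

```shell
#!/bin/sh
# Added example, not part of the original paper: applies the freshclam.conf and
# clamd.conf edits of steps 6 and 7 with sed. Assumed layout (steps 4 and 5): the
# flash drive is mounted at /mnt/usbdisk and the stock conf files live in
# /mnt/usbdisk/etc. Nothing is modified unless APPLY_CONF=1 is set.
set -eu

USBDISK="${USBDISK:-/mnt/usbdisk}"

# Rewrite one "Key value" setting in a ClamAV conf file. Every line for that key,
# commented out or not, becomes the new setting; if the key is absent it is appended.
set_conf_key() {   # $1 conf file, $2 key, $3 value
    conf="$1"; key="$2"; value="$3"; tmp="$conf.tmp"
    if grep -q "^#*$key[[:space:]]" "$conf"; then
        sed "s|^#*$key[[:space:]].*|$key $value|" "$conf" > "$tmp"
    else
        { cat "$conf"; printf '%s %s\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Steps 6a and 7a: comment out the "Example" line. The stock files ship with it
# on purpose so that an unedited copy is refused by freshclam and clamd.
comment_example_line() {   # $1 conf file
    sed 's/^Example$/#Example/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Read back the value of a setting (first active line), to verify the result.
conf_value() {   # $1 conf file, $2 key
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Step 6: freshclam.conf gets the database directory and the mirror.
patch_freshclam_conf() {   # $1 conf file, $2 database dir, $3 mirror
    comment_example_line "$1"
    set_conf_key "$1" DatabaseDirectory "$2"
    set_conf_key "$1" DatabaseMirror "$3"
}

# Step 7: clamd.conf only needs the database directory.
patch_clamd_conf() {   # $1 conf file, $2 database dir
    comment_example_line "$1"
    set_conf_key "$1" DatabaseDirectory "$2"
}

# Usage (as root, flash drive mounted):  APPLY_CONF=1 MIRROR=db.us.clamav.net sh prepare-conf.sh
if [ "${APPLY_CONF:-0}" = 1 ]; then
    patch_freshclam_conf "$USBDISK/etc/freshclam.conf" "$USBDISK" "${MIRROR:-db.us.clamav.net}"
    patch_clamd_conf "$USBDISK/etc/clamd.conf" "$USBDISK"
    printf 'freshclam DatabaseDirectory: %s\n' "$(conf_value "$USBDISK/etc/freshclam.conf" DatabaseDirectory)"
    printf 'freshclam DatabaseMirror:    %s\n' "$(conf_value "$USBDISK/etc/freshclam.conf" DatabaseMirror)"
fi
```

Because the stock freshclam.conf carries two DatabaseMirror lines (one commented, one active), both end up pointing at the chosen mirror; freshclam simply tries it twice, so this is harmless but worth knowing when reading the file afterwards.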

Usage instructions
Optional, but recommended:
1. Have a good backup. It's possible the malware can sabotage your computer so that removing it causes damage.
2. Do a disk cleanup. Every file you delete is one you don't have to scan. That means the scan takes less time, and deleting is quicker than scanning.
3. Clear your Internet caches. This includes IE, Firefox, and Opera. Again, every file you delete is one you don't have to scan.
4. Disable System Restore. Viruses are often backed up here, and there can be a significant number of files to scan. However, this does limit your ability to repair some types of damage, so use this recommendation with caution.

Doing the Scan


1. Boot off a modern live CD. The CD must have NTFS-3G drivers. Tested CDs so far:
   a. Knoppix 5.1.1
   b. Insert 1.3.9b
   c. Xubuntu 7.10 Desktop (right now this is my preferred CD)
2. Open up two root prompt terminals.
3. You must have a clamav user. Use the following command to create one if it doesn't exist:
       useradd clamav
   Ignore any errors, if any, that the user already exists.
4. Get the uid and gid of the clamav user. Check by using the following command:
       grep clamav /etc/passwd
   For example:
       clamav:x:119:129::/var/lib/clamav:/bin/false
   Here the uid is 119 and the gid is 129. Often the numbers are the same.
5. Now plug in the flash drive. Do not plug it in while booting. A few computers have problems booting off a live CD if a flash drive is inserted. I have seen this with Sony computers especially.
6. Ignore any automount operations. Cancel them. They will cause problems later.
7. Find out where the flash drive is, and where the hard drive to be scanned is. Run the following command as root:
       fdisk -l
   Usually it is /dev/sd?1 where the ? is often an "a". This command also tells you where the hard drive is.
8. Make the mount points for the flash drive and hard drive (if necessary). At the very least, you need to run the following command:
       mkdir -p /mnt/usbdisk
9. Mount the flash drive with clamav as the owner. This is particularly important if the flash drive is formatted as FAT or FAT32. Clam will not run unless the binaries are owned by clamav, and with the FATs, the mount options are the only way to make this happen. You will need the uid and gid noted above in step 4. Using step 4 as an example and assuming the flash drive is at /dev/sda1, the mount command would be:
       mount -t auto -o uid=119,gid=129 /dev/sda1 /mnt/usbdisk
10. Now, assuming you have internet connectivity, run the following command:
       cd /mnt/usbdisk
   Next run freshclam:
       /mnt/usbdisk/freshclam
   If you get errors about /mnt/usbdisk not locked, it means that the flash drive is also mounted somewhere else. Unmount all instances of it and rerun the mount command in step 9. As the definitions are stored on the flash drive, this step can be done ahead of time if you know, or suspect, there will be internet connectivity issues. Just do it as close to the actual scan as possible.
11. While step 10 is running, in the other root prompt window, mount the hard drive partition(s). Usually, but not always, it is /dev/hda1 or /dev/sda1. If it is NTFS, a very common occurrence, you need to issue the following command:
       mount -t ntfs-3g /dev/hda1 /mnt/hda1
   This command assumes you want to mount it at /mnt/hda1 and that the mount point exists.
12. Delete or rename any old log.txt files on the flash drive.
13. Once step 10 is finished, run the clamscan. See the clamscan man page for all the options, but here are the options I use. This assumes the hard drive is mounted on /mnt/hda1:
       /mnt/usbdisk/clamscan -l log.txt -r -i --database=/mnt/usbdisk/ /mnt/hda1
14. Generally you should just delete infected files. The paranoid can rename them and move them to another directory instead of deleting them. However, you need to use common sense as there may be false positives. If the computer has AV software, there will likely be false positives in the AV directory. If in doubt, and you have web access, you can try uploading the file to http://www.virustotal.com or http://virusscan.jotti.org/ to see what other virus scanners think of the file. Use sparingly though. They are slow. Also, even if the file comes back squeaky clean, there are still no guarantees.
15. In case you notice a difference in the number of sigs reported by freshclam and clamscan, they are PUA (Potentially Unwanted Applications) sigs and they're not loaded by default. You can enable them by passing --detect-pua to clamscan or activating DetectPUA in clamd.conf, but beware the high false positive rates!
16. Now if you reboot into Windows, you might want to reinstall your AV software and do a full scan. ClamAV does not clean up the registry, although with the program files gone, the malware should be non-functional at this point.
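Steps 3 through 13 above are a fixed sequence that is worth scripting once the live CD is up, both to avoid typing mistakes at a root prompt and to catch the "not locked" condition from step 10 before freshclam hits it. The script below is an added example, not part of the paper: it turns the uid/gid lookup, the owner-setting mount, the double-mount check, freshclam, the NTFS mount and the clamscan invocation into small functions. The device names /dev/sda1 and /dev/hda1 and the mount points are the paper's assumptions, to be confirmed with fdisk -l (step 7); the RUN_SCAN, USB_DEV and WIN_DEV variables are this script's own. Unlike the two-terminal procedure in the paper, it runs freshclam and the NTFS mount one after the other.

```shell
#!/bin/sh
# Added example, not part of the original paper: scripts steps 3, 4, 6, 8-13 of the
# scan procedure. Device names (/dev/sda1 for the flash drive, /dev/hda1 for the
# Windows partition) and mount points are the paper's assumptions; confirm them with
# `fdisk -l` (step 7) and override with USB_DEV / WIN_DEV. Nothing is executed unless
# RUN_SCAN=1 is set, so the helper functions can be checked without root.
set -eu

USBDISK="${USBDISK:-/mnt/usbdisk}"
WINDOWS_MNT="${WINDOWS_MNT:-/mnt/hda1}"

# Step 4: print "uid gid" of the clamav user from passwd text on stdin; exit status
# is non-zero when there is no such user (step 3 must be done first).
clamav_ids() {
    awk -F: '$1 == "clamav" { print $3, $4; found = 1 } END { exit !found }'
}

# Step 9: the mount command that makes clamav own every file on the flash drive.
# On FAT/FAT32 there is no ownership on disk, so the uid/gid mount options are the
# only way to satisfy clamscan's owner check.
mount_usbdisk_cmd() {   # $1 uid, $2 gid, $3 device, $4 mount point
    printf 'mount -t auto -o uid=%s,gid=%s %s %s' "$1" "$2" "$3" "$4"
}

# Steps 6 and 10: freshclam's "/mnt/usbdisk not locked" error means the flash device
# is mounted somewhere else as well (typically by the desktop's automounter). Reads
# /proc/mounts-format text on stdin and prints every other mount point of the device.
extra_mounts() {        # $1 device, $2 the intended mount point
    awk -v dev="$1" -v want="$2" '$1 == dev && $2 != want { print $2 }'
}

# Step 13: the clamscan invocation the paper uses. log.txt lands on the flash drive,
# which is why step 12 removes any old copy. PUA signatures stay off by default
# (step 15); pass --detect-pua as $3 to load them, accepting more false positives.
clamscan_cmd() {        # $1 flash drive mount point, $2 target, $3 extra option
    extra="${3:-}"
    printf '%s/clamscan -l log.txt -r -i --database=%s/ %s%s' \
        "$1" "$1" "${extra:+$extra }" "$2"
}

# Usage (as root on the live CD):  RUN_SCAN=1 USB_DEV=/dev/sdb1 WIN_DEV=/dev/sda1 sh scan.sh
if [ "${RUN_SCAN:-0}" = 1 ]; then
    usb_dev="${USB_DEV:-/dev/sda1}"
    win_dev="${WIN_DEV:-/dev/hda1}"

    # Step 3 + 4: make sure the clamav user exists, then read its uid and gid.
    ids=$(clamav_ids < /etc/passwd) || { useradd clamav; ids=$(clamav_ids < /etc/passwd); }
    uid=${ids% *}; gid=${ids#* }

    # Step 6: undo any automount of the flash drive before mounting it ourselves.
    for m in $(extra_mounts "$usb_dev" "$USBDISK" < /proc/mounts); do umount "$m"; done

    # Step 8 + 9: mount points, then the owner-setting mount.
    mkdir -p "$USBDISK" "$WINDOWS_MNT"
    eval "$(mount_usbdisk_cmd "$uid" "$gid" "$usb_dev" "$USBDISK")"

    # Step 10: refresh the signatures stored on the flash drive.
    (cd "$USBDISK" && ./freshclam)

    # Step 11 + 12: mount the NTFS partition read-write, clear the old log.
    mount -t ntfs-3g "$win_dev" "$WINDOWS_MNT"
    rm -f "$USBDISK/log.txt"

    # Step 13: scan; the infected-file list is in $USBDISK/log.txt afterwards.
    eval "$(clamscan_cmd "$USBDISK" "$WINDOWS_MNT")"
fi
```

The command-building functions return strings instead of running mount and clamscan directly so that the exact commands can be inspected (or printed with a quick `sh -c`) before anything touches the drive; the paper's advice in steps 9 and 10 about ownership and double mounts is where most first attempts fail.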
