Knoppix for Virus Scanning



SolarCat
05-04-2004, 12:05 AM
My roommate's computer has been running slowly ever since she brought it into class to run PowerPoint for an oral presentation. We believe it may have contracted a virus, especially since it refuses to run the Virus Scan (you click on it and nothing happens). I was looking around for a CD like Knoppix that had a Virus Scanner on it (one of my friends was convinced he'd seen one before) and while I didn't find the CD he was talking about I did find a link to an old program to install a Virus Scanner while running the LiveEval CD.

http://www.cs.bsu.edu/homepages/gjjones/administrivia/stories/2003/06/24/fprotVirusScanningWithAModifiedKnoppixCd.html

After updating for the newer version of f-prot (and making a guess about the new location/name of the check-updates file), we came up with the following code:

#
# Install f-prot - useful in combination with persistent home
#
# Edited version
#

# Fetch and unpack f-prot into the (persistent) home directory
mkdir -p $HOME/software/
cd $HOME/software/
wget ftp://www.f-prot.com/pub/linux/fp-linux-ws-4.4.1.tar.gz
tar xzf fp-linux-ws-4.4.1.tar.gz

mkdir -p $HOME/man/man8
mkdir -p $HOME/bin

# Symlink the wrapper scripts and man pages into ~/bin and ~/man
ln -fs $(pwd)/f-prot/f-prot.sh $HOME/bin/f-prot
ln -fs $(pwd)/f-prot/check-updates.sh $HOME/bin/check-updates.sh
ln -fs $(pwd)/f-prot/man8/f-prot.8 $HOME/man/man8/
ln -fs $(pwd)/f-prot/man8/check-updates.sh.8 $HOME/man/man8/

# Setting up Manpath & PATH for f-prot
# (drop any earlier copies of the two export lines before re-adding them)

cp $HOME/.bashrc $HOME/.bashrc.templ
grep -v "export MANPATH=\$HOME/man" $HOME/.bashrc.templ | grep -v "export PATH=\$HOME/bin/" > $HOME/.bashrc
echo "export MANPATH=\$HOME/man/:\$MANPATH" >> $HOME/.bashrc
echo "export PATH=\$HOME/bin/:\$PATH" >> $HOME/.bashrc
rm -f $HOME/.bashrc.templ

# Fix paths: the scripts assume /usr/local/f-prot/, which lives on the
# read-only CD, so point them at the copy under $HOME instead.
# cp -f avoids the "overwrite?" prompt when cp is aliased to "cp -i",
# since the same temp file is reused for the second script.

cp -f f-prot/f-prot.sh /tmp/f-prot.$$
sed "s%/usr/local/f-prot/%$(pwd)/f-prot/%g" /tmp/f-prot.$$ > f-prot/f-prot.sh

cp -f f-prot/tools/check-updates.pl /tmp/f-prot.$$
sed "s%/usr/local/f-prot/%$(pwd)/f-prot/%g" /tmp/f-prot.$$ > f-prot/tools/check-updates.pl
rm -f /tmp/f-prot.$$

# cleanup: remove the tarball that was actually downloaded above

rm -f fp-linux-ws-4.4.1.tar.gz

Unfortunately, it still won't run. Or rather, we can run through the code without a problem (except at "cp f-prot/tools/check-updates.pl /tmp/f-prot.$$" it asks if we want to overwrite "/tmp/f-prot.988"), but the virus scanner won't run. We can click on the icon in the /home/knoppix/software/f-prot folder, but it doesn't do anything. And typing "exec f-prot" while in the f-prot folder results in the sound of the CD spinning, and the Console suddenly shutting down without further ado.
So I am wondering if anyone can help. Is this just her computer refusing to run a Virus Scan yet again? Or is the Virus Scanner just too new to install onto the RAM disk in a LiveEval CD? Any help would be appreciated.

softwaretester
05-04-2004, 12:57 PM
I think knoppix comes with clamscan.
type
clamscan
at a command prompt, and it'll scan a directory.

There's also BitDefender linux, which is a knoppix variant with a BitDefender virus scanner.

Cuddles
05-04-2004, 01:17 PM
SolarCat,

Not sure if I understand your post, it appears you are saying two things here, if I hear you correctly, this is what I am reading...

(1) Is your friend's system running Knoppix, Linux, or a version of Windows? ( I get the feeling they are running Windows)

(2) Are you just trying to get the Knoppix CD to run, so you can run a virus scanner on your friend's computer, which is a Windows OS? (this is what I am thinking)

Depending on the version of Windows (your friend) has, Knoppix may not help you. If the version of Windows uses a NTFS on the hard drives, Knoppix may be able to detect something, but may not be able to do anything about it.

Having been a Customer Support Representative for the "roll out" of Win98, I can tell you, if you called M$ Support, they would want you to run a virus scanner "native" to the OS, a virus scanner "knowledgeable" of the file system, and able to clean that file system, and the OS.

Most of the "main" virus programs, have a "trial" period, so you don't have to buy them before you have had a chance to try them first. As a CSR for Windows98, we were unable to "strictly" suggest one virus program, we had to suggest three, or more, so we didn't sound like we were biased, or had ulterior motives on the choice of virus programs.

McAfee, F-Prot, and Norton, were my "usual" suggestions - of these, now I don't work for M$, I can "push" my preferences, I would go with F-Prot first, McAfee second, and lastly, Norton ( I have only had bad luck with Norton )...

I got severely tired of the games McAfee played with having to "constantly" upgrade pay for new "engines" they kept creating in McAfee - and I actually found a FREE virus scanner - can't remember the name now, but they gave you a FREE virus program, unlimited signature downloads, and the upgrades were also free. Sorry, can't remember the name...

All of the downloadable virus programs (for Windows), will check for viri BEFORE they install, or at least check that the viri program isn't infected first.

Another thought, you said your friend's computer is running slow now, where is it running slow? On the internet, or just starting programs? If it's starting programs, and particular ones, or just all of them?

If your friends computer is running slowly on the internet, I would suggest a "free" program for scanning "nasties" within internet explorer, "SpyBot - Search and Destroy" - it runs through your internet files, and detects (and removes, if you tell it to) advertisement cookies, security invading cookies, rogue dialers, and even registry entries that are from adult sites that "hide" but run when Internet Explorer starts up - some of, or all of, these things can slow down internet explorer, by causing more things to run in the "background" without you even knowing about it.

Other ideas from being a CSR for Windows support - how long has it been since they ran a defrag on their hard drive? If it has been recently, have they, since then, removed, or moved, or added a lot of large files to their system recently? (this can deteriorate system performance as well)

How long have they been running their hard drive? Have you recently run ScanDisk - with the "thorough" setting? You might be having bad spots on the hard drive, i.e. the drive might be going out.

If your friend doesn't run around on the internet, and go to "unknown" sites, or install "strange" programs from these "unknown" sites, I would think a virus is not the answer. I NEVER had a virus in Windows. I kept to "known" sites, like M$, MSN, my home site, etc... and never opened any email that "I didn't know who it came from", and never downloaded any program I didn't trust the site it was coming from, and I ran Win98 for more than 7 years without a virus attack.

What I would suggest (personal preference here):

Run ScanDisk - in the "thorough" setting - if it finds a problem, fix, and run again - if it finds one again - consider your drive going bye-bye - back up your data, and maybe get a backup hard drive just in case.

Run Defrag - if it is "severely" fragmented, this could easily be the problem.

Get a "native" virus scanner for your Operating System - still trying to remember that name of the free virus program, something like "avscan" or something, OMG, the company name was AVast - I just remembered that... Was a great virus program, they have a "purchase" option to unlock "all" the features, but the "free" version works good as it is though.

Get SpyBot and scan your system for problems, this and a virus scanner are "excellent" programs to have in a Windows Utilities arsenal - IMHO

NOTE: all these suggestions are for a Windows OS - I have "never" heard of a virus in Linux, and yes, I run no virus program in Knoppix, I do have a firewall though.

I hope this helps,
Cuddles
[ps - if your Win OS is out of warranty, this kind of information would have cost you (probably, knowing M$'s costs) around $30 for a one-time charge, and for a yearly subscription, I think it's around $200 or something -=- I expect payment in the mail [giggle] ]

softwaretester
05-04-2004, 01:36 PM
Actually, not to dis the above poster, clamscan and bitdefender are effective at finding windows viruses.

www.bitdefender.com has a linux distro, and I think they had NTFS write support (through captive NTFS) since 4 months ago.

I find clamscan to run a bit slow, but it has an online update so you can scan with the latest patterns.
You can also find clamscan on Inside Security's INSERT and knoppix-std.

Cuddles
05-04-2004, 01:54 PM
SoftwareTester,

No dis intended, nor implied, my knowledge is "behind" the times, as far as Linux is concerned. I "knew" they were working on "native" read and write NTFS support, but never heard any updates to that information. So, my posting was based on my "previous" information of this. I will need to remember that "they" have gotten NTFS support on both read and write now, thank you for the information news :D

Also, IMO, I would still think a "native" OS virus scanner would be better though. I think of this as the same way, I have heard, numerous times, to format a Linux file system, use Linux, to format a Windows file system, use Windows -=- kind of thing. Would think this holds true for any "problems" in those systems. :?:

But, not to dis the power of Linux, I think it has the "upper hand" in all of this, it can get into a broken system better, and can "fix" things that Windows might not even see, or allow you to fix.

Just my thoughts,
Cuddles

softwaretester
05-04-2004, 02:37 PM
Hi Cuddles,

I just downloaded Knoppix 3.4 today, and one of the menu items (penguin menu)
is.. 'install extra software'
and at the top of the list is... FProt.
So, knoppix goes and downloads Fprot from Fsecure, allows you to grab an update, and scan your system.


Fprot is quite fast. I scanned 5 gigs in 12 minutes, which is many times faster than clamscan.
Wonder how long the Fprot guys will put up with linux users dl'ing FProt each time they feel like scanning for viruses.

SolarCat
05-04-2004, 02:49 PM
She is running Windows XP on a FAT32 partition. McAfee Virus Scanner is already installed on her computer, and we get free virus updates through that because of a deal our University has with the software company. But it won't do the autoupdate anymore, and it won't even run. As my roommate put it, "When I tell it to run it makes a sound like the computer is going to run it, and then it just doesn't run and hopes you won't notice." We also have another University program called "Stinger" that they recommend to find different worms and things. She ran that, and that one actually opened, but it didn't find anything. So we figured we'd see if Knoppix or any other Live CDs had a Virus Scanner we could use.

She is planning on taking it to the University help desk on Thursday. If they couldn't fix it, she wanted to just install Knoppix instead of Windows, or a dual partition of Knoppix, so I'm just going to burn her a copy of 3.4 so she can play with it over the Summer and see if that's what she really wants...

aay
05-04-2004, 07:26 PM
>>Hi Cuddles,
>>
>>I just downloaded Knoppix 3.4 today, and one of the menu items (penguin menu)
>>is.. 'install extra software'
>>and at the top of the list is... FProt.
>>So, knoppix goes and downloads Fprot from Fsecure, allows you to grab an update, and scan your system.
>>
>>Fprot is quite fast. I scanned 5 gigs in 12 minutes, which is many times faster than clamscan.
>>Wonder how long the Fprot guys will put up with linux users dl'ing FProt each time they feel like scanning for viruses.

Can you get an up-to-date definition list with fprot as you can with clamav? Maybe the script downloads the latest defs when it runs, but I haven't used it and don't know.

Cuddles
05-05-2004, 12:17 PM
Well, as it appears, I am "seriously" out-of-date with "current" things... sheesh, been only a month or two.... things do change quickly on Linux...

SolarCat, sounds like a good plan, considering that, as SoftwareTester said, v3.4 comes "standard" with a "mainstream" virus program.

SoftwareTester, COOL, I am way out of date with current versions, I am still running v3.3 :( As for the "update" FProt is doing, I know for a fact that even McAfee "checks" when you are connected to the internet to see if "updates" are available. Maybe this is what it is doing, and it may have, like McAfee, a setting for disabling this checking upon start-up? I can't imagine a virus program that "always" loads its virus sigs from online, way too much data, and excess communication, to "keep" doing this. Far better to store a sig file on the system, and "update" as needed, or when requested. I've used FProt, in fact, M$ used it on all of their "internal" systems. Good program, for virus detection. (and it was fast) -=- As for Norton, I think of it more on a system repair/hard drive repair software, but had numerous problems when I went and used their virus program, seriously a "security" issue - it wanted to keep in constant communication with its "mother site", and transferred lots of data back and forth, when I was connected, what, I don't know, but "scary" none the less.

Aay, you thinking the way I am? This "communication" could just be an "updater" to keep the program, or virus defs updated, as much as possible?

I can't imagine, considering how many viruses are created, and virus sigs added, on a daily basis, that a virus program is going to "keep" downloading a "complete list" every time you run it, that would be insane. Unless... (as the mainstream virus programs have done), "they" are looking to the future, when "they" may start to "charge" to get those virus sigs, in the future. If that's the case, it is quite easy to "add" a locking mechanism on the download side on their site. Norton has gone to this scheme, where you pay for virus updates on a monthly/yearly basis. McAfee does about the same thing, not on the virus sigs though, but their program, and engine. McAfee changes the "format" of their virus sig files, so that only the "current" version of their program can read it. Thus, forcing someone to have to pay for an "update" virus program to use the sigs. They don't charge for the sigs though, but in essence, they are.

I still hold true to my original thinking: I think viruses were created by the virus program developers, and continue to "help" development of new viruses. Thus, keeping them in business. I can't prove, nor disprove, this, but it sure seems like it.

Just my thoughts,
Cuddles

SolarCat
05-05-2004, 04:22 PM
Well, McAfee decided to do the Auto-update thing, but it still won't open to scan for viruses. Haven't tried the f-prot download with v3.4 yet (it's Finals week, that's on the list for tomorrow when we're both done and have a little more time... :? ). So that's the plan I suppose, we'll see how it goes. Thanks a lot for your help. I love all the friendly, helpful people in this forum. :D Thanks especially to softwaretester, I wouldn't have found that myself without hunting for it for several hours...

softwaretester
05-06-2004, 09:44 AM
Cuddles,

you're not out of date. 3.4 only came out a few days ago.

knopp
05-08-2004, 04:41 AM
The f-prot live-install on Knoppix 3.4 downloads f-prot and its complete, up-to-date virus definitions each time it is run. It works beautifully with a high-speed internet connection, but I haven't tried installing it over a dialup connection.

It has to download all the virus definitions, not just the new ones, each time you boot up and run the live-install. There just isn't room on the Knoppix cd for the f-prot program and a basic set of virus definitions, and apparently Klaus Knopper has concerns about it not being Free-as-in-freedom.

If anyone knows of a good way to carry f-prot and a basic set of virus definitions around on a USB thumbdrive, with incremental updates downloaded quickly over the 'net, please post it here.

The BitDefender cd, LinuxDefender_Live!_v1.5.6_CeBIT.iso, was based on the c't Knoppix 3.4 iso. It had a built-in Windows virus scanner with the definition database updated over the net, and support for Captive ntfs read-write access. I haven't actually tried it, though, and it doesn't seem to be available on the BitDefender site anymore. Try http://gddistrowatch.tuwien.ac.at/?newsid=01481#0

For "native" MS-Windows antivirus, PCWorld.com has a review ( http://www.pcworld.com/howto/article/0,aid,113462,00.asp ) of four free-as-in-beer programs that are quite good, with scheduled scans and definition updates. They recommend Alwil's Avast ( http://www.asw.cz/i_idt_1016.html ) as the best of the bunch. Make sure all your MS-Windows using friends are running it, and you'll have less work to do helping them recover from virus infections.

softwaretester
05-09-2004, 06:57 AM
>>Thanks especially to softwaretester, I

You're welcome.

zenchi
05-14-2004, 10:33 AM
I now have knoppix v3.4 too, and I've used f-prot, but I wonder, is it really only capable of scanning and reporting by showing a logfile, or can you order it to disinfect/delete too? Because else this is useless to me...

zentu
05-16-2004, 04:04 AM
You can also (if you have the time to read documentation) use BartPE (a bootable Windows XP system), but it is sort of a pain to get it to work properly. I have used f-prot before, but I have never gotten to see how well it works since I haven't gotten a virus on my box for a while, not to mention that my brother has to use my Windows XP box to get his Palm to sync up (he won't even look at any of the damnable configuration files, or ask for help, so "it doesn't work". He won't even dual boot his computer, so he has to inconvenience me).

roger_girardin
05-20-2004, 07:14 AM
hi all

some additional info

cloaking:
hide a file from windows file listing
can hide a process from windows taskmon

injection:
there are several ways to "inject a process into another", spoofing the real process commander

autostart keys:
several ways to load a process on windows start up (some are not detected by av (antivirus))

the last generation of viruses joins these technologies:
you can delete the file, but often the virii have already messed up the win system and often will download and execute a new one

free av won't protect you, nor will norton av
a new critical security hole in outlook express allows the mail html code content to simulate a browser, breaking all the web security features (script blocking & iframe blocking)

for me the best av is kaspersky av, but the best thing to do with an infected win os is
take an image (norton ghost)
format the hd
reinstall win os
backup your important files from the image
take a new image

btw: the av don't have all the signatures for all the existing malware
it's easy to discover which strings they use to detect it
by changing one bit or by adding a space inside the string, the malware becomes undetected

sorry for the bad news

knopp
06-12-2004, 02:47 AM
Hmmm. I've tried f-prot again, on an NTFS partition I know has infected files, and I'm less impressed. It scans it all, lists the full pathnames of all 26273 files, and then says how many are infected (finding a couple more than AVG under WinXP). But it won't disinfect them (no surprise), and it won't even seem to list the infected files so I can delete or replace them manually with captive-ntfs (big surprise). So that's not much use, really.

I'm sympathetic to the recommendation to run a "native" MS-Windows virus scanner, or just backup user files and reinstall everything, but there are times when it would be helpful to find and fix a minor infection without worrying that a running virus will prevent a Windows virus-scanner from doing its job.

If anyone has any suggestions as to what I'm missing here, please post them.
________________________________________
Results of virus scanning:
Files: 26273
MBRs: 0
Boot sectors: 0
Objects scanned: 60691
Infected: 29
Suspicious: 2
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 21:18
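The step both softwaretester's clamscan suggestion and knopp's complaint about f-prot's report point at, as an added example that is not code from the thread or from ClamAV: mount the Windows partition read-only from the CD, scan it with clamscan, and turn the log into the plain list of infected files that f-prot's GUI would not give. The device, mount point and log path are assumed placeholders, and the sample log content is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or ClamAV): scan a Windows partition from
# the Knoppix CD with clamscan and pull out just the infected files afterwards.
# Assumptions: /dev/hda1 -> /mnt/hda1 are placeholders for the Windows disk,
# and clamscan is available on the CD as softwaretester says.

MOUNTPOINT=/mnt/hda1               # assumed mount point
LOG=/home/knoppix/clamscan.log     # assumed log location (RAM disk or persistent home)

# Mount read-only so the scanner cannot alter the Windows disk, then scan
# recursively and log only the hits (-i).  clamscan exits 0 = clean,
# 1 = infections found, 2 = error.
scan_partition() {
    mount -o ro "$1" "$MOUNTPOINT" || return 2
    clamscan -r -i --log="$LOG" "$MOUNTPOINT"
    status=$?
    umount "$MOUNTPOINT"
    return "$status"
}

# clamscan writes one line per hit, "<path>: <signature> FOUND", followed by a
# SCAN SUMMARY.  Keep only the hit lines and strip the signature so the result
# is a plain path list for manual review, copy-out or deletion.
infected_paths() {
    grep ' FOUND$' "$1" | sed 's/: [^:]* FOUND$//'
}

infected_count() {
    grep -c ' FOUND$' "$1" || true   # grep -c exits 1 when the count is 0
}

# Constructed sample log in clamscan's format, so the parsing can be tried
# without a real scan (two hits on the standard EICAR test file).
write_sample_log() {
    cat > "$1" <<'EOF'
/mnt/hda1/WINDOWS/Temp/sample-a.exe: Eicar-Test-Signature FOUND
/mnt/hda1/Documents and Settings/user/sample-b.scr: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Scanned files: 26273
Infected files: 2
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
echo "infected files: $(infected_count "$sample")"
infected_paths "$sample"
rm -f "$sample"
```

For a real scan call scan_partition /dev/hda1 as root and then infected_paths "$LOG"; the paths come out under the read-only mount point, so nothing on the Windows side is touched until you decide to act on the list.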

knopp
07-02-2004, 09:10 PM
Apparently f-prot liveinstall will disinfect automatically if you run it from the command line with the right options; the GUI just scans, and doesn't even report properly for me. I haven't tested it yet, but see http://www.oreillynet.com/pub/wlg/5118 for an article on virus scanning with f-prot under Knoppix.