Linux

Saving PCs from viruses the Linux way

If you're an IT consultant, and you're looking for a fresh way to rid hard drives of viruses, take a look at the method Jack Wallen outlines using Linux and ClamTK.

This past week we were inundated by PCs with viruses. Either people were bringing their infected machines to the office or calling us to come and get them. It was a madhouse. What was really crazy was to see how many machines had either zero protection or just standard free versions of antivirus tools (or, gasp, Norton or McAfee). Now, I will admit that even free antivirus is better than none. But recently, the infected PCs have become trickier to disinfect. I came across a nice little boot sector virus last week that laughed at Combofix, CCleaner, AVG, and Avast. It wasn't until I pulled out all the stops, with the help of my good old friend Linux, that I was able to finally say goodbye to those infections. But how? Let me explain this simple method.

What you will need:
  • You will need a Linux machine with ClamAV (and all the trimmings - including ClamTK if you want a GUI).
  • An adapter that will allow you to connect the removed hard drive to your Linux machine.
  • A little patience.

ClamAV/ClamTK

If you've never worked with ClamAV, you should know it is a very easy-to-use virus scanner. The only downfall to this scanner is that it isn't quite as real-time as most people are used to. That is fine, since we are using it on a Linux machine that isn't going to be used as a mail server, so no big deal. And by adding the ClamTK interface, we make the scans quite simple. Make sure you download the latest ClamTK version from the ClamTK site. If you use the version from your distro's repositories instead, you will most likely be using an out-of-date version. The latest version includes Preferences and Scheduling that you do not want to be without.

Once you have ClamAV and ClamTK installed (and have run freshclam to update the virus signatures), you are ready to go. Here's the "how-to":

  1. Remove the hard drive from the infected machine.
  2. Plug the infected hard drive into the Linux box.
  3. Mount the infected hard drive so that ClamAV can see it. (If you are using a distro like Ubuntu, the icon will most likely appear on your desktop; just double-click that icon and the drive will be ready for you.)
  4. Open up ClamTK.
  5. Configure ClamTK to scan recursively and do a thorough scan on the mounted drive.
  6. Run ClamTK.

Because you are doing a thorough scan, it will take some time. But you can just let it go unattended. By the time the scan is done, ClamTK should have found your virus and quarantined it.
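The same procedure from the command line, as an added example that is not part of the original article: it mounts the pulled drive read-only (and noexec, nosuid, nodev, so nothing on it can be run or modified by the scanning machine), runs a recursive clamscan, copies hits to a quarantine directory, and turns clamscan's exit status into a verdict. The device name in SUSPECT_DEV (for instance /dev/sdb1), the mount point, the quarantine and log paths are assumed placeholders; clamscan and freshclam must be installed and the script run as root.

```shell
#!/bin/sh
# Added example (not from the original article): scan a pulled drive from Linux.
# Placeholders/assumptions: SUSPECT_DEV, MOUNT_POINT, QUARANTINE, LOG; clamscan
# and freshclam are installed; run as root.

MOUNT_POINT="${MOUNT_POINT:-/mnt/suspect}"
QUARANTINE="${QUARANTINE:-/var/quarantine}"
LOG="${LOG:-/var/log/suspect-scan.log}"

# Mount options for a suspect drive: read-only so the scan cannot alter it,
# noexec/nosuid/nodev so nothing on it can ever be executed on this machine.
mount_opts() {
    printf 'ro,noexec,nosuid,nodev'
}

# Build the clamscan command line for a mounted drive (returned as a string so
# it can be reviewed before running). --copy rather than --move keeps the
# suspect drive untouched; --infected prints only hits; --log keeps a record.
scan_cmd() {
    printf 'clamscan --recursive --infected --log=%s --copy=%s %s' \
        "$LOG" "$QUARANTINE" "$1"
}

# Translate clamscan's documented exit status into a verdict:
# 0 = clean, 1 = infected file(s) found, anything else = scan error
# (an error is never a clean result; rerun before trusting the drive).
interpret_exit() {
    case "$1" in
        0) printf 'clean' ;;
        1) printf 'infected files found' ;;
        *) printf 'scan error' ;;
    esac
}

# Full procedure: refresh signatures, mount read-only, scan, unmount, report.
run_scan() {
    dev="$1"
    mkdir -p "$MOUNT_POINT" "$QUARANTINE"
    freshclam
    mount -o "$(mount_opts)" "$dev" "$MOUNT_POINT" || return 2
    clamscan --recursive --infected --log="$LOG" --copy="$QUARANTINE" "$MOUNT_POINT"
    status=$?
    umount "$MOUNT_POINT"
    echo "verdict for $dev: $(interpret_exit "$status") (details in $LOG)"
    return "$status"
}

# Only runs when a device is named, e.g.:
#   SUSPECT_DEV=/dev/sdb1 sh scan_pulled_drive.sh
if [ -n "${SUSPECT_DEV:-}" ]; then
    run_scan "$SUSPECT_DEV"
fi
```

Mounting with `ro,noexec,nosuid,nodev` is the part worth keeping even when you use the ClamTK GUI instead: double-clicking the drive icon on a desktop typically mounts it read-write, which means a scan that "moves" files is writing to the evidence, and a stray double-click on the mounted drive could run something off it.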

Why use this method?

The reasons for using such a method should be obvious. There are cases when just booting the infected drive can cause further damage (or even replicate a thought-to-be-removed virus). Because of this you want to avoid actually using the drive for anything other than a target for a scan. And why Linux? If there is a virus on that drive, you don't want to take any chances of that virus infecting your work machine. If said work machine is a Linux machine - you can rest assured that the virus will struggle to cause any damage.

Final thoughts

I am one to say quickly that Linux has its place in just about every environment. The PC engineer would be remiss if they didn't include Linux in their toolkit for one task or another. Using Linux as an external virus scanner is a great way to get rid of nasty viruses that cripple Windows machines - without doing further harm and without having to go through one virus scanner after another.

Will ClamAV catch everything? Probably not. Is this setup perfect? Nothing is. But this method will most likely succeed when that drive is threatening to no longer function if it boots one more time. Give this method a go. I think you'll find more success than not.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

83 comments
esarhaddon

There is no perfect AV and they all eventually catch up. I have found through the years that a little practice in searching and investigation will provide the needed tools to remove a virus. This is why we have a job is it not? Having to have a completely separate machine to make a physical change to the device I want to run the AV on is ridiculous. Try doing that on 1,000 HD's, get it?

olegvf

The method described in the article assumes taking the infected HDD out of the CPU-box. A much more practical way is to install Linux (I personally use a full install of Ubuntu) onto an external USB HDD. 2.5" drives are the best choice for portability. For installation, make sure to use a modern PC, or at least update the BIOS first. Disconnect the internal HDD(s), plug in your empty USB drive and boot from the Ubuntu CD. When installing, partition the USB drive the way you like. I usually create at least one primary partition. EXT4 works fine for me. Its size depends on what you would want to use this HDD for. If you think of later installing some additional Linux distro(s), you may, at this point, create up to two more primary partitions. Format them the way you like, or leave them unformatted for now. On the rest of the space create an extended partition, inside of which put a Linux_Swap one (I usually do 2GB). On the rest of the remaining space I put at least one big NTFS partition and create a mount point for it (I do '/media/DATANTFS' and label it 'USB_DATA'). This NTFS partition will be automatically mounted upon booting into this USB Linux drive, and it will also be accessible when you use this USB HDD, like any other external one, plugged into any working Windows computer. Continue and finish with the installation. After rebooting and booting into this USB HDD (I assume you know how to do it), you will be presented with the GRUB menu. Do nothing and this will start your Ubuntu session. Do not install any proprietary drivers, for this setup to remain portable across multiple platforms. Update Ubuntu, install any additional applications. In other words, use it the same way as you would with the internal HDD. A number of free antivirus programs are available for Linux. I usually install AVAST free edition. This installation of Ubuntu will not automatically mount anything from the internal HDDs, and I leave it that way. To scan a partition on an internal HDD, mount it first.
An important thing to remember: when you have booted from this HDD, before unplugging it from the computer you are using, always shut down the OS first. If you are going to install some additional OS(es) onto this USB HDD, always unplug the internal HDD(s) first, otherwise it will put some additional boot options into the USB HDD's GRUB menu (and they will be relevant for that particular CPU-box only), something that is not that difficult to fix, but why bother in the first place. Keep in mind when updating your Ubuntu on this USB drive that kernel updates automatically edit the GRUB menu as well. So you will be better off skipping those kernel updates when you do it on a CPU-box with the internal HDDs connected. Good luck!

Uncle Stoat

Clam isn't very good at finding viruses as it's geared towards mail-borne infections. Without pulling drives out, using the Trinity Rescue Kit (http://trinityhome.org/trk/) will give a CD-boot linux environment which will pull in various antivirus programs and updates across a network connection into local ramdisk and then scan the disk. TRK is geared towards using multiple scanners (including clam). Even that's not 100% foolproof. Some of the newer malware is NASTY, complete with encrypted dropper files in multiple locations.

aalirashid

I'm thinking this solution is worthy, but removing the HD and plugging it into Linux is a bit difficult. Although what you have suggested is 100% logical, can you explain any other method of removing a virus without pulling out the HD? If you could help me out (aalirashid@gmail.com). Regards, Asim Ali Rashid

venerable Architect

I'd like to see your view on disk (possibly partition) separation? I mean a separate System disk, a separate Program Disk and at least one separate Data disk as a basic way to structure a system so that recovery from problems is simplified. If Microsoft did this then wouldn't we all have a much easier life in recovering from infections ?

benwal91

That sounds really cool. Just to be clear here, all I do is plug the infected drive into the Linux machine, turn it on, then run the scanner? (By the way, do I use the Ubuntu Server, or Desktop?)

braunmax

My preferred antivirus products are AVIRA (first) with AVG (second). The reason is that AVIRA reports when it has failed to open a file for scanning, whereas AVG (when I had it for several years) did not. I could not clear a rootkit that was protecting itself from being opened for scanning [by AVG] as a result [in fact I cleared it by booting into LINUX, as described here - but with an outside USB linked drive]. Both are excellent products regarding both the updating frequency (2 hourly in the case of AVIRA/settable) and the huge range of viruses they catch. And AVIRA is also very cost effective.

Dr. Fowler

Zut. Why move the drive? Just install Puppy or D**n Small Linux as an alternate boot and install ClamAV from repository? Consumes maybe a Gb or so on a how big HD? Then when the user corrupts his W partition, boot to Linux and scrub. Or is that too antithetical to modern IT Nannyism?

hakim_al

This article is not serious and is so subjective.

peterharding

I agree. Remove the drive and attach to a Linux machine to scan or use a live CD (e.g. Puppy Linux). Then, after the drive is replaced in the Windows PC, run Vipre Rescue in safe mode followed by MBAM and then SuperAntiSpyware. After that all viruses and malware/spyware seem to have been eradicated, as I have not had any old infections reappear.

Jitse Klomp

Back in the days when I was still using Windows, I trusted on Kaspersky Anti-virus. I have never had any infections whatsoever...

bus66vw

Would not that do the same thing as the Linux live CD scan?

mikep

The only downside of using ESET NOD32 on a Linux machine to scan a guest NTFS-formatted hard disk is the process of navigating to the mounted drive or partition, but this is offset by its superior scanning speed, so it's worth it; but even that depends on your chosen Linux distribution as to how easy it is to find/mount the drive, so it's really a moot point. Another benefit is that NOD32 for Linux has a real-time scanner, great for those sharing folders with Windows machines. You can never ever trust a Windows machine. The only other downside of using Linux to scan an NTFS-formatted drive is if the drive has a dirty flag due to being shut down uncleanly; that will have to be cleared first too, but any Linux tech worth his/her salt can do that easily anyway. ESET NOD32 is no newcomer to Linux; they have had commercial products for both file and mail servers for many years now and they have a beta test under way right now, free while it lasts. ESET NOD32's detection rates are superior to Norton, McAfee and all the free AVs out there. If you find a virus and want to test which AV is best, upload it to virustotal.com, where it will be scanned by multiple AVs and a report will be generated for you and displayed in your browser. Typically, ClamAV does not do so well with the viruses I have sent for testing. Mike P

thegreenwizard1

Microsoft Security Essentials and Windows Live OneCare safety scanner. How is your experience with them?

pgit

running on Linux anyway. On Windows it's usually AVG free.

rmerchberger

I've found that ClamAV is good for viruses but not so thorough for other spyware/malware which can still cause heartburn in a live Windows environment, and I've had a couple of viruses that ClamAV couldn't clean well, so this is what I do:
1) Set up the drive on the Linux PC and scan with ClamAV (just like your process...) But...
2) Boot Windows in VirtualBox, which has MBAM and Avast AV, make sure the latest updates are applied, and use the "virtual network share" to share the infected drive into the already running Windows environment so no files are locked on the target drive.
3) Scan said directory with Avast and MBAM - this is a little slower due to the virtual environment, but both programs tend to find & clean more than ClamAV alone.
4) Once those scans are complete, reinstall the drive into the PC, boot to safe mode (with networking), install good AV software & MBAM, update & scan to catch registry errors, cookies, etc.
In the last 2 years, I've only had one piece of malware that couldn't be eradicated this way (a rootkit attached to the atapi.sys driver - I think it was called 'google.go' -- and I had to boot to the Windows recovery console & extract that file from the cabs manually - it was a PITA to track down!) and I've resurrected many PCs for which the only other option was "slick & reinstall." I always tell people "Your PC will be gone for at least a couple of days, probably more" and when people balk about the time it takes, I just tell them "I can have this done in a couple of hours, but you'll lose everything. Your choice." People let me take the time to fix it right. Just like I tell the wife - I'd rather be thorough than fast. ;-) "Merch"

LYAK

Personally I use Antivir Antivirus, but when working on other people's computers I do pull the hard drive and hook it to one of my machines that is solely for the purpose of diagnosing and fixing others' hard drives.

azbat

I have been using this method for years to either scan hard drives to clear viruses or, if the drive supports it, to DBAN the drive clean before drive disposal. I have also actively encouraged others, both in business and at home, that if they have more than 2 or 3 PCs to buy one of the adapters and use a 'clean' computer to scan the infected computer's drive. It saves time and money for home users, as people I know had been told it would take a week or so and might cost them up to $600 to get the drives scanned, when the adapter is only $25 online and might just take a few hours to scan. Can you guess which option they picked .......

Reginald937

This is a very old way of doing things; even before persistent USB installs were available you could have used a live CD (I've only ever used Ubuntu for this) to boot into the infected PC directly, no need to take the machine apart, and manufacturers won't complain about invalidating the warranty.

tgueth

While I find your setup interesting, it is not clear why a computer running an Antivirus program (for me, Symantec) would not work as well. I basically use the same approach by attaching the hard drive via a USB external box to the computer, well after boot has completed. Autorun is disabled so nothing can run automatically from the infected hard drive. Have never had a virus jump across, and I have removed some really nasty viruses with this approach. However, I will say that it is good to find alternatives. I will have to give your approach a try in the near future.

guising

In answer to the poll, my preferred anti-virus is simply to wipe Windows from the new machine and install Linux. Much easier than after-the-fact intervention.

Greenknight_z

I answered "other" in the poll, though for real-time protection I use Avast free. For serious malware, I have Ultimate Boot CD for Windows. It's a Bart's PE-based boot disc, as you mentioned in one of your replies, which comes with a nice selection of tools. http://www.ubcd4win.com/index.htm You have to have a Win XP SP1 or later installation disc to build the .iso from, but I think the next version will support Win 7. Too many tool options to list them all here; scanners on mine are Avira free, Kaspersky Virus Removal Tool, A-squared Free, Malwarebyte's Anti-Malware free, SUPERAntiSpyware free, McAfee Stinger, Avast Virus Cleaner; plus SD Fix and ComboFix, which you have to boot into the installed OS to run. I think I'm ready for almost anything. I also have a Puppy Linux CD, though I don't envision using it for malware scans. It would be good for that, though - it has ClamAV and Xfprot; for those who can't build or don't want to bother with UBCD4Win, it would be a viable choice.

Drakaran

I use Avira. In comparisons of anti-virus programs, it has consistently shown at the top with a couple of others, like Kaspersky, etc. It had the highest detection of viruses, and decent detection of rootkits etc. I'm surprised Kaspersky didn't make your list. AVG has always had terrible detection, not much better than using nothing at all.

matkordell

I use Microsoft Security Essentials. It is the most user-friendly and does not bug my users with all kinds of options and questions that they don't understand. When it does pop up, if you take no action, it will take its recommended actions automatically. It is free for desktops and is allowed for commercial use, saving my company thousands of dollars and headaches that others cause. I do realize that it may not be quite as advanced as some virus scanners, but truthfully there is no virus scanner that will really keep you protected. MSE seems to do an alright job at detecting and preventing viruses and the benefits far outweigh the detriments. MSE has got to be one of the best and most simple products from Microsoft. It looks really bad when you convince the CEO to spend $5000+ on anti-virus software and then you have a virus outbreak... not so bad when you get the job done for free using a product from a reputable name like Microsoft and there happens to be a virus outbreak.

dcolbert

I've seen a recent outbreak, and all of them were quickly resolved by booting into safe mode and running Malwarebytes in addition to having regular scanning and protection apps running in the taskbar. The most difficult virus right now is a quickly evolving class of virus that requires an application called "rkill.exe". Rkill is very aggressive about finding and killing protected processes that help these infections prevent traditional scanning apps from even running. I'd only use this method as a last resort or on a *very* important machine. The truth is that once a machine has been infected, the only 100% secure way to know the machine is clean is to low-level format the drive and reinstall a clean OS and apps.

Craig_B

I believe you need a toolkit to remove malware; some methods work great on one type of malware but not on others. I have used a Linux boot disk (of course with Windows 7 and BitLocker that will not work) with Avira, Trinity Rescue and BitDefender Rescue with limited success (again depending on the malware). I have also used Sysinternals tools and registry hacking. MBAM has been useful. You can also take the drive out of the infected machine and mount it as a 2nd drive on a Windows machine and do the same type of scans. There are cloud-based scans that use multiple engines to scan the files. Of course, there is the reimage method, which does great at work, since in 20 minutes I can have a new machine up and running. The old saying, an ounce of prevention is worth a pound of cure, is true here as well. If you keep up on patches, have a firewall, an anti-malware scanner and a little user education, you will not see very many, if any, viruses.

yawningdogge

Here's how I do it. I boot the infected machine with a live CD (Backtrack is my favorite) and mount the infected drive. Then share out the drive with Samba. Then you can just go to another computer on the network, map the Samba share, and scan the network drive. There is a lot missing here though. First of all, most A/V apps also scan the registry and hosts file for rogue entries. Scanning from the outside will only look for files. You also need to reset IE or whatever browser is used back to factory defaults, or it can still be hijacked.

Neon Samurai

Sure, repeatedly cleaning up the same issue on the same machine means billable repeat visits but it's ultimately a parasitic existence. We simply return to treat the symptom rather than fix the problem. What value does it add to the information systems we manage?

ticthak

Takes me about 3-5 minutes (at most) to pull the HDD out of a machine, another couple of seconds to plug it into the external adapter, virtually no configuration, and seconds to launch scans - maybe I could script all of the above to run basically unattended, but how long would it take just to get to the point of starting the scan (after you plug the HDD back in, and not even all SATA drives will really hotplug, so maybe a power cycle too?)...

kmdennis

Why do you think the article is not serious? Could you also expand on the subjectivity of the article?

glieberg

Another benefit of Nod32 is that the blind community can access the program with screen readers. Norton and McAfee are useless to begin with and less than useless for blind users. One other observation is that since we have used Nod32 on our Windows machines, we have had no virus problems, period. That said, I love Jack's solution for fixing an infected drive.

mikep

MS Security Essentials and any other live over-the-net scanner require the infected PC to be running and transmitting data over the net, most likely attacking other PCs and wreaking yet more havoc, or giving the malicious software time to do more damage on the host machine, further risking the user's data. They are better than nothing, but if there's a gaping hole in your boat, you don't put it into the water, do you?

kingttx

I had my wife's friend bring me her laptop with the Security Tool virus/trojan/etc., where it wouldn't let Windows run MBAM, Norton scan, Spybot S&D, Ad-Aware, or even task manager. I downloaded the ClamAV live CD (forgot the official current name) and it found a single infected file. Rebooting into Windows, Security Tool was still running, but at least I could now run MBAM, Spybot S&D, Ad-Aware, and the whole rest of the scanners piled onto her computer. Sometimes it's enough to get your foot in the door so you can effectively run the whole gamut of file scanners. Crap, I hate Windows!

DKeith45

I have one of those USB/IDE/SATA adapters and while it is a useful tool, it simply doesn't work with all drives. Most recently the tool would not detect a WD 120 gig IDE drive, but another tool I use, a USB mobile rack, did. Sometimes even that doesn't do the trick and I have to do the old Master/Slave combo to get the drive to show... that ALWAYS works.

Chi-7

At this point I only have 16 clients left using Windows in their business. I have spent the last two years swapping my clients to SuSE and have enjoyed a very high degree of success; everybody has been pleased with the outcome. It has been a "Win-Win" (no pun intended) situation for me, to the point that when support for XP is gone I'm done with MS.

r_widell

A current UBCD4Win CD is one of the most valuable tools in my arsenal. However, most of the really good tools expect to be running under the infected OS so they scan the registry of the BartPE OS and not the one of the infected OS. This can lead to a number of issues wherein the cleaning is incomplete. It will sometimes help to mount the remote registry prior to starting the scan, but I've seen numerous situations where my results are better by running these tools from under the infected OS. As always, your mileage may vary. ron

jdaughtry

I too use UBCD4Win and supplement it with ClamWin or AVG on a flash drive which can be kept up to date.

lefty.crupps

I agree that no-cost tools work well (Spybot, MBAM), as do Free (FLOSS) tools (ClamAV, good old GNU/Linux CLI for file removal), but this has me laughing:
> using a product from a reputable name like Microsoft
No A/V scanner is perfect, but why would I trust a scanner from the same company that forgot to lock the doors on their OS, and still cannot get it right after years of updates and two OS releases later? All of these solutions are nice, but they're all after-the-infection methods. I don't know if I can fully trust a system after compromise, yet MS keeps making it legally more difficult to reinstall the OS. What a crock.

r_widell

I haven't had the need nor desire to low-level format a drive since the advent of RLL-encoding and ZBR. The only purpose for low-level formatting is to augment the manufacturer's bad-block map (there are better ways of doing this) or change the sector size from the 512-bit default to some other preferred size. I realize that there are a few enterprise-class SCSI drives that permit low-level formatting to change sector size, and there are some apps out there that claim to do low-level formatting of standard drives (and I'll confess that I haven't tried them) but I've never found it necessary. In all cases I've seen, a high-level format (format, from the command line or right-click->format from the storage MMC) to reinitialize the file system is all that's required. For the truly paranoid, that can be preceded by zeroing out user-accessible areas of the drive and reinitializing the partition map. BTW, thanks for the rkill link. How do you rank it vs. GMER? ron

bobp

Thanks for the rkill recommendation. It looks like a great, easy-to-use tool. There are times I wish I had it. I eventually got rid of the malware on a customer's machine, but it took a lot longer than it would have with this tool paired with Malwarebytes, etc. The new Bart's PE-based Ultimate Boot CD is usually helpful, but rkill looks the best.

Neon Samurai

There may be a risk of increasing the infection if you are sharing the infected drive to a Windows environment on a second machine. The bridging OS may be virus hostile but the files are still being opened into a virus friendly environment.

Uncle Stoat

If the same machine is showing up with the same issue, it's time to allow management to initiate disciplinary procedures. Of course, if it's billable hours, then that has its own lesson. In a previous existence as a mom-and-pop ISP we'd give one free virus cleanup and then charge for subsequent ones. Very few people would repeat more than twice after being billed.

olegvf

My last job was at a private merchant bank/hedge fund. This was more than three years ago, and back then I was not using Linux as extensively as I do now, though I wish I had been. A good half of all workstations were under/inside the trading desks. Up to 5 CPU-boxes per trader/analyst slot/cubicle. In those extremely cramped, confined spaces, taking a box out could sometimes take a little longer than 3-5 minutes. Sometimes risking accidentally pulling a wire or two out of some other box(es). God have mercy on you if you do! A mistake, or even a short delay, may cost millions in losses if a sale/buy is not done in time. If one has ever worked in environments like that, then he/she should know that calm and good karma are not present there. The floor is saturated with lightning and thunder. And then, when finished, you have to put the box back, and again, under the same pressure. In some cases that box can be replaced with a preconfigured workstation, assuming that its particular setup allows for this, but even then, sometimes a user cannot give you those 6-10 minutes that you may need to accomplish the swap. I agree, there are other environments where +/- 2-3 minutes (to/from those 3-5 that you mentioned) are not that big of a deal. Still, I believe that taking the CPU-box out and carrying it into 'the shop' is not practical (unless there is a hardware failure). First, at that moment you may not have room available for taking things apart. Second, the computer which mostly sits idle, just waiting for some HDD to be hooked up to it, may be extremely busy as well. Let's say in case of a mass malware infection on your hands. With the 'install Linux onto an external USB HDD' solution:
1. Hook up the Linux USB HDD to the CPU-box in question - 3-5 seconds.
2. Shut down the computer - time varies depending on how long it takes for that particular box (but this one will be the same as for the case outlined in the article).
3. Boot it into your USB HDD - time depends on the muscle of that CPU-box and on how lean your USB HDD Linux setup is (in my experience, about 0.5-3 minutes).
4. Go to your own workstation, as the rest can be done by remote control into that box (if you know from previous experience that Linux will boot on that particular machine smoothly, this step #4 can start right when step #3 starts).
5. When finished with the Linux part of troubleshooting, reboot (again, remotely) and, if the box's BIOS has been set up to boot from the primary HDD, remotely watch it booting into Windows (if Windows is what that box is running).
6. Make sure that everything works, disconnect (software eject) your USB HDD (still remotely).
7. Call the user to take over his/her own workstation, and accept his/her happy verbal gratitude.
8. Terminate your remote session and go about your other tasks. You can even pick up your USB HDD at a later, more convenient moment.
All this time, the user was at his/her desk, doing whatever could be accomplished without that particular CPU-box. Although, there is a thing to be cautious about: the NTFS partition which I suggested creating on that Linux USB HDD. I find having it extremely useful. One can keep there application installation sources, drivers, service packs, whatever one may need, even the images of your servers and workstations to re-image boxes, all without bogging down the network. The re-imaging part can be done from the Linux session, with the right tools. But in step #5 (above) it may change the Windows drive letters (beyond C:), if your configuration does not account for this scenario. Once again, this is only if your USB HDD has a partition formatted as NTFS or FAT, or any other that your Windows may read automatically. If this is a thing of concern, have that partition formatted as a native Linux one (EXT2/3/4, reiserfs, ...). By default, Windows cannot see inside of them, cannot mount them and cannot give them a drive letter. You will still be able to store in there anything you want, but it will be accessible from Linux only. The described solution is perfect for an IT consultant servicing a small company or an individual. The portable USB HDD can complement or even replace a consultant's notebook. In a big corporation IT shop, where, by the way, security policy may put restrictions on IT consultants carrying and using their own gadgets, I would suggest a modified scenario, leaving the solution outlined above as a viable auxiliary one. Linux with all the necessary tools can be installed into a separate partition on all workstations for a dual-boot setup (this can be quite easily accomplished via imaging). A boot manager that can be installed into the MBR would be a better choice to use. I personally like the GAG boot manager (as of now, the current version is 4.10). I usually set it to automatically boot into the OS of choice after a 10-20 second time-out period. In this case - Windows. To boot into another OS, in our case - Linux, a particular number has to be pressed on the keyboard. In this scenario you won't even have to go to a workstation, if a user can be trusted with the task of pressing, let's say, #2 on the keyboard at the moment the boot manager starts, before the time-out. All the rest is the same (starting from step #4 above). Not too bad when you have a number of remote offices to take care of. I hope you will find this post helpful.

kmdennis

Always great, plus it has additional features that will keep you protected and prevent viruses from being launched on the computer. I use MBAM, SuperAntiSpyware (USB version) for malware. I found HijackThis to be quite helpful also. But I think the key to this issue is using the free product from MS called SteadyState!!! I don't know why it is not promoted and used in corporate environments and also in home environments. It would require a little bit of time to configure it, but I think you can save the config and reuse it. That way you will never get infected and you will still have the AV products to scan while you work and save files to a specific drive or section of the HD. That is a win-win and a potential to render viruses useless.

justagallopin

I do slave to a Clam and Linux PC if having trouble beyond the norm. Usually start with MBAM in safe mode w/ntwkng and it will install that way, then scan. Clam seems to find too many false positives by marking every compressed file as bad. I usually look through and only remove what I think is an actual virus, then continue in Windows with the drive re-installed. It does help, and sometimes is about the only way to make progress.

Chi-7

I have been using Linux for a scanner for about three years: ClamAV, ClamTK, freshclam and Avast Pro for Linux. Nothing is perfect, but this has been an effective solution. I remember a screen in Vista, "Windows, Life Without Walls" - what an accurate description, security that could only be compared to throwing your teenage daughter out of the vehicle nude at College Hill in Tampa at 11:00PM on a Friday night.

Neon Samurai

The NT kernel actually has a very robust security model, I'm told. The problem is that the user-land developers ignored the potential security offered by the kernel. An example is true user privilege separation, which is available in the kernel but not fully implemented in the user-land. Similarly, the MS AV program is developed by the AV team, not the userland team. Granted, this is somewhat speculation and optimistic opinion, so I also consider the following:
- MS market share does not equate directly to a better OS, but there is a much stronger basis for equating it directly to a more effective AV solution. My understanding is that MSE reports malware-related data back to Microsoft. With their market share, that makes for a potentially huge AV database to draw on. With MSE free and targeting home users, they are hitting the most highly infected user segment.
- MSE seems to behave well alongside other active scanners (test your setup, obviously). That means that you can use MSE and your preferred software for a double scan, or until you're comfortable that MSE is catching anything that comes through.
- It shows a pleasantly small resource footprint. AV on Windows is not optional, but the amount of resources wasted/dedicated to it is negotiable, thankfully.
- MSE has not yet proven to be a slacker among the third-party AV reviews. If its effectiveness ranks alongside the top AV brands by third-party verification, who cares what vendor delivers it?
- Who, besides Microsoft, has complete intimate knowledge of the inner workings of Windows? Nothing works with Microsoft products the way Microsoft products do.

yawningdogge

The second machine need not necessarily be a Windows platform, but that's just the most convenient route if that's all there is. (It usually is.) True, virus files are exposed to the Windows environment over the network, but they are not read into memory and they are not running on the host. I've done this many times and I've never contaminated the machine running the scan.

rkuhn040172

And I have never once had a virus on an external drive jump from the external to the host in a Windows environment. Being an external drive, nothing is loaded into memory. Just a bunch of files. I scan it as an external then return it to the original and rescan in order to catch registry files, hosts, etc. Works great.

Neon Samurai

1r. I hadn't considered that a remote mount would be loading the entire file system into memory. My thinking is that the AV still has to read each of those remote files, so you get a streaming process versus a block process; the malicious file still flows through local memory as the scanner moves through the remote file list.

2r. Mounting a file system as non-executable is absolutely the way to go, be it a remote share or a slaved drive. If Windows provided the possibility, I'd have my user home directories on a partition mounted non-executable in a heartbeat. How the AV reads the file is somewhat independent of it being local or remote, though; either way, the AV is still going to have to read it in that same safe way. I remember years ago one could test AV programs by opening virus source code. It would hit the memory in a non-executable state. The AV would still respond without having to muck with a binary that could accidentally execute. If this is the modern-day equivalent, then I'm just looking for the technical understanding of why rather than taking it on faith.

Neon Samurai

If there is a technical reason why an infected remote file read through local memory can't jump hosts, that would add confidence to another option for dealing with virus hits.

r_widell

1) Can you show me ANY network file sharing technology that automatically loads all remote files when mounting the remote file system? My network isn't fast enough and my memory isn't large enough to automatically load multiple hundreds of gigabytes just by mounting a remote shared filesystem. Yes, elements of the remote directory structure will get loaded (in order to show you what files and subdirectories are there), but the files themselves are just sitting there until some action by the local machine causes them to get transferred over the network and loaded into memory. Note that I'm not negating the possibility that there's some autorun/autoplay "feature" in that remote filesystem that might cause the local machine to automatically execute a remote file, but it depends upon support from the local machine to implement that "feature".

2) The ability of a remote suspicious file to do damage depends greatly upon the manner in which it was loaded into memory. You obviously don't want it loaded as an executable file whereby program control gets passed to whatever code may be in the file. Loading it as data so that another program (e.g. an anti-malware scanner) can analyze it is much less problematic (assuming, of course, that the actual executable doesn't have problems which can lead to the inadvertent interpretation of data as code).

ron
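A check of the kind these two posts argue for (mount the slaved or remote drive read-only and non-executable, then let the scanner read it purely as data), written as an added example that is not from the article or any commenter; the mount points and the /proc/mounts sample inside it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or any commenter): before pointing clamscan at a
# slaved or remote drive, confirm the mount carries the options that keep its contents
# from ever being run or honoured as devices/setuid binaries by the scanning host.

# Constructed stand-in for /proc/mounts: one slaved drive mounted the safe way, one
# mounted with defaults (exec allowed), and one CIFS share mounted read-only only.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/slave fuseblk ro,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /mnt/lazy fuseblk rw,relatime 0 0
//fileserver/share /mnt/share cifs ro,relatime,vers=3.0 0 0'

# mount_opts MOUNTS_TEXT MOUNTPOINT -> prints the option field for that mount point
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }'
}

# has_opt OPTS NAME -> succeeds if NAME is one of the comma-separated mount options
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_scan_mount MOUNTS_TEXT MOUNTPOINT -> prints "ok" when the mount is read-only and
# non-executable (ro, noexec, nosuid, nodev); otherwise lists the options still missing.
check_scan_mount() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || { echo "not mounted"; return 1; }
    missing=""
    for want in ro noexec nosuid nodev; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -z "$missing" ]; then
        echo "ok"
    else
        echo "missing:$missing"
        return 1
    fi
}

# Typical use on a live system, after attaching the slaved drive:
#   mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/slave
#   check_scan_mount "$(cat /proc/mounts)" /mnt/slave && clamscan -r -i /mnt/slave
for mp in /mnt/slave /mnt/lazy /mnt/share; do
    printf '%s: %s\n' "$mp" "$(check_scan_mount "$SAMPLE_MOUNTS" "$mp")"
done
```

Note that noexec only stops the kernel from executing binaries directly from that mount; the scanner (or any other program) can still open and read every file as data, which is exactly the access the scan needs.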

rkuhn040172

I'm not sure about that behavior from a technical point of view, I'm just saying that A) I've never had a virus jump from an external drive to the local system drive from memory and B) I have to admit that I always use a local PC that I know is quite solid from an updates/security point of view. The local PC I always use gets scanned in real time and daily using Symantec Enterprise Edition and I also use a host of programs like Malwarebytes, Spybot, SpywareBlaster, CCleaner, Ad-Aware, Secunia, HijackThis, etc. I'm sure if you have enough time on your hands this weekend :) you can figure this out, I'm just expressing my experience. Unfortunately, while I'd love to find an answer to your question, I have serious other issues at the moment: http://techrepublic.com.com/5208-6230-0.html?forumID=101&threadID=327257&messageID=3258273&tag=content;leftCol

Neon Samurai

No further response from Rick, though this was going to be my question, as I forgot it in the original response to both of you. Can you provide a summary of the technical basis for SMB/CIFS not reading remote files into local memory? I'll do my own web searches also, but even a suggested link would be welcome. (I find it hard to trust a technology without understanding how the bits flow through it.)

Neon Samurai

I'd have thought that accessing the file through programs running in local memory would be more volatile. I expected CIFS mounts to behave more like removable media, based on shared CD-ROM drives loading the autorun when mounted over the network. Is it a matter of treating remote drives differently based on how they present themselves, or is it something else in the CIFS/SMB protocol that enables accessing a file without it touching local memory?