Saving PCs from viruses the Linux way

If you're an IT consultant, and you're looking for a fresh way to rid hard drives of viruses, take a look at the method Jack Wallen outlines using Linux and ClamTK.

This past week we were inundated by PCs with viruses. Either people were bringing their infected machines to the office or calling us to come and get them. It was a madhouse. What was really crazy was to see how many machines had either zero protection or just standard free versions of antivirus tools (or, gasp, Norton or McAfee). Now, I will admit that even free antivirus is better than none. But recently, the infected PCs have become trickier to disinfect. I came across a nice little boot sector virus last week that laughed at Combofix, CCleaner, AVG, and Avast. It wasn't until I pulled out all the stops, with the help of my good old friend Linux, that I was able to finally say goodbye to those infections. But how? Let me explain this simple method.

What you will need:
  • You will need a Linux machine with ClamAV (and all the trimmings - including ClamTK if you want a GUI).
  • An adapter that will allow you to connect the removed hard drive to your Linux machine.
  • A little patience.

If you've never worked with ClamAV, you should know it is a very easy-to-use virus scanner. Its only drawback is that it isn't as real-time as most people are used to. That is fine, since we are using it on a Linux machine that isn't going to be used as a mail server, so no big deal. And by adding the ClamTK interface, we make the scans quite simple. Make sure you download the latest ClamTK version from the ClamTK site. If you do not, and you use the version from your distro's repositories, you will most likely be using an out-of-date version. The latest version includes Preferences and Scheduling that you do not want to be without.

Once you have ClamAV and ClamTK installed (and have run freshclam to update the virus signatures), you are ready to go. Here's the "how-to":

  1. Remove the hard drive from the infected machine.
  2. Plug the infected hard drive into the Linux box.
  3. Mount the infected hard drive so that ClamAV can see it. (If you are using a distro like Ubuntu, the icon will most likely appear on your desktop; just double-click on that icon and the drive will be ready for you.)
  4. Open up ClamTK.
  5. Configure ClamTK to scan recursively and do a thorough scan on the mounted drive.
  6. Run ClamTK.

Because you are doing a thorough scan, it will take some time. But you can just let it go unattended. By the time the scan is done, ClamTK should have found your virus and quarantined it.
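As an added example that is not part of the original article, here is the same procedure driven from a shell with clamscan instead of the ClamTK GUI, plus a small parser for the log clamscan writes. The device node /dev/sdb1, the mount point /mnt/suspect, the log path and the contents of the sample log are assumptions and placeholders; clamscan, freshclam and the options used are real. The mount options are the part worth noting: the drive is mounted read-only so the scan cannot change anything on it, and noexec/nosuid/nodev so nothing stored on it can run on the Linux host.

```shell
#!/bin/sh
# Added example (not the article's own commands): mount a drive pulled from an
# infected PC, scan it recursively with clamscan, and summarise the log.
# Assumptions: the suspect partition is /dev/sdb1 (placeholder; check with lsblk),
# it is mounted at /mnt/suspect, and clamscan/freshclam are installed.

DEVICE="${DEVICE:-/dev/sdb1}"           # placeholder device node
MOUNTPOINT="${MOUNTPOINT:-/mnt/suspect}"
LOGFILE="${LOGFILE:-/tmp/clamscan.log}"

# Mount options for a suspect drive: read-only so the scan cannot alter it,
# and noexec/nosuid/nodev so nothing on it can be executed on this machine.
mount_opts() {
    printf '%s\n' "ro,noexec,nosuid,nodev"
}

# Recursive scan, reporting only infected files (-i), logged to a file.
# The size limits are raised because installers and archives on a Windows
# drive routinely exceed clamscan's defaults and would otherwise be skipped.
scan_cmd() {
    printf 'clamscan -r -i --max-filesize=200M --max-scansize=400M --log=%s %s\n' \
        "$LOGFILE" "$MOUNTPOINT"
}

# Number of detections: one "<path>: <signature> FOUND" line per infected file.
# grep -c exits 1 when the count is 0, hence the "|| true".
infected_count() {
    grep -c ' FOUND$' "$1" || true
}

# Unique signature names that were hit, one per line.
detected_names() {
    sed -n 's/^.*: \(.*\) FOUND$/\1/p' "$1" | sort -u
}

# The "Infected files:" figure from clamscan's scan summary, or "unknown" if
# the scan never reached the summary (for example, it was interrupted).
summary_count() {
    n=$(sed -n 's/^Infected files: //p' "$1")
    printf '%s\n' "${n:-unknown}"
}

# Constructed sample log in clamscan's output format so the parsers can be
# tried without a real scan. Paths, counts and the first signature are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
/mnt/suspect/Windows/Temp/setup.exe: Win.Trojan.Example-1 FOUND
/mnt/suspect/Users/bob/Downloads/eicar.com: Eicar-Test-Signature FOUND
/mnt/suspect/Users/bob/Downloads/eicar(1).com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8000000
Scanned directories: 300
Scanned files: 1200
Infected files: 3
EOF
}

# Full run: update signatures, mount read-only, scan, summarise, unmount.
run_scan() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -b "$DEVICE" ] || { echo "no block device at $DEVICE" >&2; return 1; }
    mkdir -p "$MOUNTPOINT"
    mount -o "$(mount_opts)" "$DEVICE" "$MOUNTPOINT"   # filesystem type auto-detected
    freshclam
    sh -c "$(scan_cmd)" || true                         # clamscan exits 1 when it finds something
    echo "detections: $(infected_count "$LOGFILE") (summary: $(summary_count "$LOGFILE"))"
    detected_names "$LOGFILE"
    umount "$MOUNTPOINT"
}

# Only perform the real mount and scan when invoked as: sh scan-drive.sh --run
if [ "${1:-}" = "--run" ]; then
    run_scan
fi
```

Because the drive is mounted read-only, neither clamscan's --move or --remove options nor ClamTK's quarantine can act on it; review the detections first, then remount read-write (mount -o remount,rw on the mount point) only for the cleanup pass. Note that the desktop double-click in step 3 mounts the drive read-write by default, so mounting it by hand is the safer route for the scan itself.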

Why use this method?

The reasons for using such a method should be obvious. There are cases when just booting the infected drive can cause further damage (or even replicate a thought-to-be-removed virus). Because of this you want to avoid actually using the drive for anything other than a target for a scan. And why Linux? If there is a virus on that drive, you don't want to take any chances of that virus infecting your work machine. If said work machine is a Linux machine - you can rest assured that the virus will struggle to cause any damage.

Final thoughts

I am quick to say that Linux has its place in just about every environment. A PC engineer would be remiss not to include Linux in their toolkit for one task or another. Using Linux as an external virus scanner is a great way to get rid of nasty viruses that cripple Windows machines, without doing further harm and without having to go through one virus scanner after another.

Will ClamAV catch everything? Probably not. Is this setup perfect? Nothing is. But this method will most likely succeed when that drive is threatening to no longer function if it boots one more time. Give this method a go. I think you'll find more success than not.