Virus Scanning Windows from Knoppix

Why scan Windows for viruses from inside the very OS you suspect is infected? Use Knoppix to scan it from the safety of a Linux-based, read-only live OS.

If you don’t already have it, get Knoppix with your favorite BitTorrent client (I use Azureus 2.5) and this tracker. I use the DVD, but the CD version should work the same for this.

You can find downloading, burning, and booting help here. Boot to Knoppix.

In order to update virus definitions, a working internet connection is needed. In my case (a DHCP-enabled Linksys Cable/DSL router) things “just worked” with Knoppix’s magic boot configuration. If you run into problems, I suggest starting with the FAQ Pages then trying Google.

Naturally, the disks I want to scan need to be available; that is, they need to be recognized by the kernel and mounted. For me this just works, again thanks to Knoppix boot config magic. If you run into bad magic, consult the above sources, or whatever divine ones you have access to.

I check whether they’re already mounted. Since I have SATA drives in this box, they should appear as /dev/sd*. IDE drives would appear as /dev/hd*.

# df
Filesystem ... Mounted on
/dev/root ... /
/ramdisk ... /ramdisk
/dev/shm ... /dev/shm

No hard disks are mounted, so I check /etc/fstab to see if Knoppix recognized them.

# cat /etc/fstab
/proc /proc proc rw,nosuid,nodev,noexec 0 0
# Added by KNOPPIX
/dev/sdc1 /media/sdc1 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0
# Added by KNOPPIX
/dev/sdc2 /media/sdc2 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0

The “Added by KNOPPIX” entries are the two partitions on my SATA drive. Since Knoppix recognized them, I can simply mount them.

# mount /dev/sdc1
# mount /dev/sdc2
# df -k
Filesystem ... Mounted on
/dev/root ... /
/ramdisk ... /ramdisk
/dev/shm ... /dev/shm
/dev/sdc1 ... /media/sdc1
/dev/sdc2 ... /media/sdc2

Just like any OS, Knoppix gets patched regularly. Since I want to have the latest, greatest virus scan, I’ll get (some of) the updates with the bundled Debian package manager.

# apt-get update

There’s a lot of output from that command, which refreshes the Debian package manager’s package list. It just means the installer now knows about the latest packages.

I use ClamAV to scan for viruses. So I’ll make sure it’s up to date via the package manager.

# apt-get install clamav
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed: libclamav2
Suggested packages: unrar
The following packages will be upgraded: clamav
Do you want to continue [Y/n]? Y

The changelogs are presented (press ‘q’ to exit) and more prompts follow, but the install should complete without any errors.

I also want to update the ClamAV utility that fetches the current virus definitions.

# apt-get install clamav-freshclam

This time, the install wants to replace a conf file that has been locally modified. I choose to install the package maintainer’s version, after comparing the two side by side.

When that’s done, I update the virus definitions.

# freshclam

Finally, scan.

# cd /media
# clamscan -r -l /var/clamlog

The options -r and -l [filename] mean recursively scan directories and log scan output to the named file, respectively. Note that this will only identify viruses. If I wanted to take action when an infection is found, I’d have to say what to do with additional options.
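The whole procedure above (find the partitions Knoppix added to /etc/fstab, mount them, refresh signatures, scan with a log) as one script. This is an added example, not code from the original post; it assumes the Knoppix fstab layout shown above and the clamscan/freshclam packages installed as described, and it mounts read-only and uses --copy rather than --move so the scan cannot alter the Windows disk.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a Knoppix-style fstab
# ("# Added by KNOPPIX" before each detected partition) and that clamscan
# and freshclam are installed as described in the post.

# Constructed sample fstab, in the same layout as the one shown in the post.
SAMPLE_FSTAB='/proc /proc proc rw,nosuid,nodev,noexec 0 0
# Added by KNOPPIX
/dev/sdc1 /media/sdc1 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0
# Added by KNOPPIX
/dev/sdc2 /media/sdc2 ntfs noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0'

# Print one mount point per line for each entry preceded by "# Added by KNOPPIX".
knoppix_mountpoints() {
    want=0
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            '# Added by KNOPPIX'*) want=1; continue ;;
        esac
        if [ "$want" = 1 ]; then
            set -- $line                    # split fstab fields on whitespace
            case $1 in /dev/*) printf '%s\n' "$2" ;; esac
        fi
        want=0
    done
}

# Build the clamscan command line: recursive (-r), list only hits (-i),
# log to a file (-l) and copy detections to a quarantine dir (--copy=).
# Copying instead of --move/--remove works on a read-only mount and keeps
# the original file in place for later analysis.
clamscan_cmd() {
    log=$1; quarantine=$2; shift 2
    printf 'clamscan -r -i -l %s --copy=%s' "$log" "$quarantine"
    for dir in "$@"; do printf ' %s' "$dir"; done
    printf '\n'
}

# Real run on Knoppix (as root): mount each detected partition read-only so
# the scan cannot alter the disk, update signatures, then scan into /var/clamlog.
run_scan() {
    mps=$(knoppix_mountpoints "$(cat /etc/fstab)")
    for mp in $mps; do mount -o ro "$mp" || return 1; done
    mkdir -p /ramdisk/quarantine && freshclam || return 1
    eval "$(clamscan_cmd /var/clamlog /ramdisk/quarantine $mps)"
}

if [ "${1:-}" = run ]; then run_scan; fi
```

Invoke it as `sh scan.sh run` on the booted Knoppix system; without the argument it only defines the functions.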

As I write this up, I’m scanning my squeaky-clean new computer. I don’t expect any problems there. Once it’s done, I’ll scan my older Windows machine, and that might be more interesting.

Firefox and plugins

I prefer Firefox as my web browser on Windows. There are three add-ons I consider absolutely necessary: NoScript, Adblock, and the Adblock Filterset updater. Some that I find nice to have: All-in-one Sidebar, Web Developer, DownThemAll, Tab Mix Plus, and Greasemonkey. And the theme I prefer, Littlefox. I’ll probably want some plugins, too.

It’s easy enough to perform these steps manually, but I’d like to at least consider my options for automation.

The standard installer doesn’t seem to support much, just an ini file. To be fair, I didn’t pursue that thread very far because I found this long discussion which details the community’s MSI efforts.

FrontMotion provides an MSI file. They also provide a roll-your-own installer system for a subscription fee. I’m sure there are corporate admins who can really benefit from that, but for my personal use, I’m not only lazy, I’m also cheap.

There used to be a nifty extension called Mass Installer that would install all the other extensions you listed in a text file. This has been discontinued, but clever folks outlined a similar method that would work later in the same thread. That seems to fit my need well enough.

The html file is a script to read the text file and launch installs. The text file contains URLs for the extension installs. Save them in the same directory, with the same basenames, extensions .html and .txt, and view the .html in Firefox. Simple, yes?

The only problem I see is that the install URLs contain version information. So, at some point, the file may “roll off” when enough later versions are released. I’m not concerned about out-of-date extensions, since it’s one click to update all extensions. (Or is this part of All-in-one Sidebar?)

Ideally, the script would take the extension homepage URL and discover the xpi link on it. This could be perilous to script if separate extensions exist for major Firefox releases. Whether or not I try that, I’ll eventually put these files where I can hit them directly via HTTP (but this requires changing the code, too.)

System backups and restores

One big reason I want to be efficient with work tasks is to have time for play. I’m a computer gamer. Unfortunately, this means Windows directly on the hardware (as opposed to emulation or virtualization from a different host OS). This also means I should be prepared to rebuild it regularly.

Enter the free-for-home-users DriveImage XML from Runtime Software.

It only supports Windows XP and later, but I don’t see this as a serious drawback, since Knoppix can be used to recover from the Linux problems I’ll encounter (generally my own stupid mistakes). DriveImage XML fits the bill for an easy way to get back to a clean Windows XP without going through the install, pre-SP2 patches, SP2, and finally post-SP2 patches.