can you do a malware scan of windows machine with linux CD ?

Capt'n Midnight

just wondering out loud.

you can use ubuntu or other linux cd's to run clamav to do a virus scan of a windows machine, can you do something similar for malware ?

Martyr

i've never used linux for this purpose(thought about BartPE), but i tried ultimate bootdisk a couple of times, and found it ok for some malware.
the free scanners.. f-prot did pick up some viruses alright, but not everything.

one thing i think would be cool, and very useful to have.. is a signature verification program, like the verification feature of sysinternals autoruns/process explorer.

possibly build on top of offline registry editor, which is open source.
include something like PEiD which recognises loads of PE compressors/encrypters used to protect malware from disassembly.

Have a fresh clean set of catalog files from microsoft on cdrom, which would be used to verify all startup points..drivers,services,plugins..etc

start with anti-virus scan, or some software that takes a checksum and compares to database of known malware, just to weed out the suckers.

after most files pass virus test, verify the publisher of each file, see if its trusted, if that doesn't pass, flag as suspicious...if its compressed/encrypted, flag highly suspicious and inspect closer, or just disable it for reboot and another virus scan using full scanner..possibly search online for any relevant information about the unrecognised file.

..not that time consuming, unless the system is completely overrun with malware that cannot be detected by av-scanner.

certainly rootkit revealer does read the registry hives/and low disk reads already, but sometimes rootkits block these programs from executing at all, and RKR won't run in safe mode..

does anyone know any software which runs off linux to carry out advanced malware detection?

would be nice software.
i'd say it would be no problem to use clamav off linux, just guessing

Capt'n Midnight

Average Joe wrote:

but sometimes rootkits block these programs from executing at all, and RKR won't run in safe mode.
...
i'd say it would be no problem to use clamav off linux, just guessing

yeah the idea is to bypass anything running

and yes clamav can be run from a linux boot disk

would be nice to have a CD that boots up , downloads the latest signature files from the interweb and cleans the whole thing, one problem is the number of patches means it would be very difficult to generate a white list of windows system files so that you could end up with a relatively clean system that could be booted with all non-microsoft stuff off.

SouperComputer

maybe instead of it downloading a rake of updates everytime you boot the CD, it could mount a USB drive and store update and definition-specific data there.

Capt'n Midnight

SouperComputer wrote:

maybe instead of it downloading a rake of updates everytime you boot the CD, it could mount a USB drive and store update and definition-specific data there.

That's a plan

actually a 1GB USB key would hold a bootable image and some space

another idea is to use a CD/DVD RW and merge them in to the unused space, puppylinux can do something like that IIRC

mcloughl

you should have a look at backtrack http://www.remote-exploit.org/backtrack.html This distro is the best all in 1 security toolkit. It comes with stuff like chkrootkit etc. It will also allow you to mount read only the local disk partitions.

SouperComputer

mcloughl wrote:

you should have a look at backtrack http://www.remote-exploit.org/backtrack.html This distro is the best all in 1 security toolkit. It comes with stuff like chkrootkit etc. It will also allow you to mount read only the local disk partitions.

I'm familiar with Backtrack and its predecessors, however I'm curious as to how it can scan for malware on a Windows machine