Anti-virus on a stick: SLAX + F-Prot

If you are careful and knowledgeable when it comes to computers, you do not need to have an anti-virus program clogging up your system. But for most people this is a bad decision, because people do get viruses. And once you do, perhaps because you failed to update your anti-virus program, chances are high that you’re fucked. No matter what anti-virus program you use, the virus won’t go away, and won’t let itself be deleted. So what do you do?

What you need is to start up your computer without Windows (and thus the viruses) being loaded into memory. There are various ways you can do this, among them a Windows Live CD with anti-virus (which I would like to write about later), but my solution to the problem is Linux and Frisk’s mailserver/workstation package, F-PROT Antivirus.


Why not any other virus scanner, like AVG for Linux, Avira, Avast!, or Clam-AV? Because all they do is scan. They don’t disinfect anything at the time of this writing.

At the time being, the only graphical user interface (GUI) for F-PROT’s Linux version is for the old version 4. Version 6 finds almost twice the amount of viruses compared to version 4, and is therefore what I use. I therefore assume you know your way around the command line and have used some form of Unix before. I might make a GUI myself in the future (let me know if you have a need for this!), in which case I will make an updated posting.

Anyway, diversions aside, what you need is a Linux distribution. For our purposes no hard drive install is necessary (as would be the case with Ubuntu, for instance), and thus you could download one of the many Linux distributions that are installable on a USB stick. Search around for either PuppyLinux, Damn Small Linux, Knoppix (big!), or my personal favorite, SLAX. Go to their respective sites to learn how to install these. In SLAX’s case you should be able to simply download and uncompress to your USB stick, and then run the script \boot\bootinst.bat as someone with Administrator rights. Your mileage may vary, so try asking around for help in the forums for the different distros if things don’t work as planned, whether it comes to installation, configuration, or something else.

After rebooting, starting up Linux from the USB stick, and configuring your internet connection, go to the download page for F-Prot. Download the Linux version and unpack it to your home directory. Using SLAX, this would mean the /root directory.


Using the command line, go into the f-prot directory, run the ./ script, register (for this you need to be online, or otherwise the install will fail), and answer the questions.

If all is good, the anti-virus daemon program (fpscand) should be running, and you can now try scanning for viruses using the fpscan command. fpscan --help will bring up an array of options you can use. I assume you just want to scan and disinfect (that means deleting!) all infected files on your local drives. I then issue the following command from the console:

fpscan --disinfect --adware --applications --all

If you want a little more control of what you are deleting, leaving out the «--disinfect» option will prompt you in each case. You can then choose to delete (Y), keep (N), delete all (A), or quit (Q).

fpscan --adware --applications --all

The output will be something like this:

root@slax:~/f-prot# fpscan --report  --adware --applications --local

F-PROT Antivirus version (built: 2008-04-28T16-44-10)
FRISK Software International (C) Copyright 1989-2007

Engine version:
Virus signatures: 200805081637f6efa427cfaf0a586fa821a351621cde

[Unscannable]  /mnt/sda1/D2D/PATCH/FINGER/INSTALL/DRIVERS/SETUP.EXE->(CAB)->WindowsInstaller-KB893803-v2-x86.exe->(CAB)
Scanning: /
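
An added example, not part of the original post or of F-PROT: a small shell function that groups the bracketed result lines of a saved report by outer file, so items the scanner could not inspect (such as the nested CAB above) stand out for a second look. The line shape is assumed from the single sample line on this page; the function names and all sample lines except the first are constructed.

```shell
#!/bin/sh
# Added example: summarise bracketed result lines from a saved fpscan report.
# Assumed line shape (taken from the one sample line on this page):
#   [Tag]  /outer/file->(CAB)->inner.exe->(CAB)
# Output, one line per (tag, outer file):
#   count<TAB>max-nesting-depth<TAB>tag<TAB>outer file
summarize_report() {
    awk '
        /^\[[^]]+\][ \t]+/ {
            tag = $0; sub(/\].*/, "", tag); sub(/^\[/, "", tag)
            rest = $0; sub(/^\[[^]]+\][ \t]+/, "", rest)
            depth = split(rest, parts, "->") - 1   # containers below the outer file
            key = tag "\t" parts[1]
            count[key]++
            if (depth > maxdepth[key]) maxdepth[key] = depth
        }
        END {
            for (key in count)
                printf "%d\t%d\t%s\n", count[key], maxdepth[key], key
        }
    ' "$1" | sort -t "$(printf '\t')" -k1,1nr -k4
}

# Constructed sample report: the first result line is the one shown above,
# the other two result lines are made up for illustration.
write_sample_report() {
    cat > "$1" <<'EOF'
[Unscannable]  /mnt/sda1/D2D/PATCH/FINGER/INSTALL/DRIVERS/SETUP.EXE->(CAB)->WindowsInstaller-KB893803-v2-x86.exe->(CAB)
[Unscannable]  /mnt/sda1/D2D/PATCH/FINGER/INSTALL/DRIVERS/SETUP.EXE->(CAB)
[Unscannable]  /mnt/sda1/Documents and Settings/user/backup.zip
Scanning: /
EOF
}
```

To use it on a real run, redirect the scanner's output to a file on the stick and pass that file to summarize_report.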

Happy hunting 🙂



9 Responses to Anti-virus on a stick: SLAX + F-Prot

  1. Carl-Erik says:

    I had run some proof of concept tests on my own machine using the EICAR «virus». This weekend the first real world test was tried on a friend’s computer, and I have to say it wasn’t 100% successful, though I thought so at first.

    F-PROT found 7 viruses, trojans, and backdoors, of which all were deleted, and also found some program that it meant was a security risk; a program that let other people see what is going on through your webcam – without you being there. Now why would anyone want that?

    Anyway, after the scanning and disinfection was done (took about 2 hours on her 30 gigs of data) we started the machine up. First thing that comes up is Avast! Anti-virus saying it has found some virus (some dll file). Great – just the problem she had earlier …

    So although f-prot found a bunch of viruses, it didn’t catch them all. Maybe upping the heuristics option, or perhaps running AVG to dig some extra, would have helped, but we ended up just wiping the whole disk and reinstalling XP and SP3. Lots of work for nothing, one might say …

    Will try running it on another fucked up computer on Friday. Maybe that will be more successful.

  2. Carl-Erik says:

    On second thought, packing some of the other virus scanners might not be such a bad idea. If you let F-PROT take out the worst, and then run clam-av, AVG, and/or Avast! you will probably be able to find the last remaining buggers, which you can then manually delete. There probably won’t be too many remaining, so deleting by hand should be doable.

  3. Carl-Erik says:

    I just found out about KlamAV – a KDE front-end to clam-av. It makes clam-av a lot more useful by actually implementing quarantine and deletion measures. You can get it for SLAX by googling «klamav slax». One click and it is installed. Works great, and when it comes to virus scanners: the more the merrier 🙂

    Found a SLAX package here, but it might not be valid by the time you read this …

  4. «F-Secure’s mailserver/workstation package» ???

    Please…. F-Secure has nothing to do with F-Prot today.

  5. Carl-Erik says:

    OK, taken care of now. Although I am not the first to make this mistake (run a google search for «f-secure f-prot») … Thanks for the comment, though.

  6. Alarm says:

    I have tried to follow the instructions for installing f-prot for linux 6.0.2, but when it came to updating the virus definitions, it failed. The error msg shows:

    Warning: Network – Operation timeout
    Warning: Network – Operation timeout
    Warning: Network – Operation timeout

    I know what the problem is. It is because of the proxy. But how do I set up the proxy in this case?

  7. Carl-Erik says:

    Sorry, but this is a different thing. Try asking in the Slax forums.

  8. Eric says:

    I’ve been attempting to get your system to work, but I’m lost. I think I got the program installed correctly, but when I attempt to run the scanner it says «Command cannot be found».

    If I do an ls in the f-prot directory I noticed that fpscan is in red w/ an @ on the end. Does this mean it was not installed correctly?

    Please help.

  9. Carl-Erik says:

    That usually means that a symbolic link is pointing to a wrong (non-existing) file. I am guessing you removed/moved the directory containing the files after you ran the install command, which would explain why the symbolic link (in /usr/local/bin?) is pointing to a file that doesn’t exist. I just tried doing the same on an Ubuntu install in my Virtualbox install and it went completely smoothly. No problems. Remember that the ./ command basically just creates some symbolic links pointing to the directory where you unpacked the files. So remember this when choosing where to unpack the files and do not move the directory afterwards, as this will mess things up.

    This posting of mine is a bit old; why not check out some of the live CDs mentioned in this post regarding anti-virus on live CDs? In one response in that thread (from 2010) you can see there is a Clam AV module available for SLAX. It is a different program, but it comes with a KDE front-end which will give you all the options you need (to disinfect, etc). Try that.
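
The diagnosis in the last reply, as an added example that is not part of the original thread: a shell check that tells a command that is absent from PATH apart from one whose symlink points at a moved or deleted directory. The function names are hypothetical; pass the directory where the installer placed its links, which the reply only guesses at.

```shell
#!/bin/sh
# Added example: explain a "command not found" that is really a dangling symlink.
# Assumption: the installer left a symlink named after the command in a PATH dir.

# check_cmd_link NAME [DIR:DIR...]   (the directory list defaults to $PATH)
# Prints one line; returns 0 = runnable, 1 = only a dangling symlink, 2 = absent.
check_cmd_link() {
    name=$1
    path_list=${2:-$PATH}
    dangling=
    old_ifs=$IFS
    IFS=:
    for dir in $path_list; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.
        candidate=$dir/$name
        if [ -L "$candidate" ] && [ ! -e "$candidate" ]; then
            # -L: it is a symlink; ! -e: the file it points to does not exist
            [ -n "$dangling" ] || dangling="$candidate -> $(readlink "$candidate")"
        elif [ -f "$candidate" ] && [ -x "$candidate" ]; then
            echo "ok: $candidate"
            return 0
        fi
    done
    IFS=$old_ifs
    if [ -n "$dangling" ]; then
        echo "dangling: $dangling"
        return 1
    fi
    echo "missing: no $name in the searched directories"
    return 2
}

# list_dangling DIR: print every broken symlink directly inside DIR,
# with the target it still points to (the old unpack location).
list_dangling() {
    for entry in "$1"/*; do
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            echo "$entry -> $(readlink "$entry")"
        fi
    done
}
```

Source the file and run `check_cmd_link fpscan`; a "dangling" result shows the path the link still expects, which is where the unpacked directory has to be (or the install script rerun from the new location).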
