Skip to main content

Linux Antivirus

Linux doesn't *need* Antivirus... blah.. blah... whatever...  I wear seatbelts not because I *will* be in an accident today... I wear them as I *might* be in an accident.  I don't actually run AV on my Linux systems...

My Windows 8.1 host was p0wned when I attempted to download/install a Matrix Screensaver from CNET.  I thought that site was safe.. but there is definitely many reasons why I don't generally run Windows.  Stupid stuff like this... ranks pretty high on that list.

Anyhow - since the host in question is a dual-boot system with Windows and either Fedora or RHEL - I figured I should clean-up the Malware on my Windows partition while running it from Linux.

This is the procedure for Linux:

### Install ClamAV and mount Windows partition
yum -y install clamav clamav-data  clamav-filesystem clamav-lib clamav-lib clamav-scanner-systemd clamav-server-sysvinit clamav-update clamav-unofficial-sigs

mkdir -p /windows/C
mount /dev/sda4 /windows/C

### Update the virus definitions
sed -i -e 's/^Example/#Example/' /etc/freshclam.conf
sed -i -e 's/db.XY/db.US/' /etc/freshclam.conf

mkdir /var/log/clamav
chown clamupdate:clamupdate /var/log/clamav
 
cat <(crontab -l) <(echo "30 0 * * 0 /bin/freshclam --quiet -l /var/log/clamav/freshclam.log") | crontab -

### Run a scan
clamscan --quiet --recursive=yes / --log=/var/log/clamav/clamscan-`date +%F`.out
# In another terminal run...
tail -f /var/log/clamav/clamscan-`date +%F`.out | egrep -v 'Symbolic|OK|Empty'

# A more optimal scan command
/bin/clamscan --infected --recursive --quiet --exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc --log=/var/log/clamav/clamscan-`date +%F`.out /


Labels:

Comments

Post a Comment

Popular posts from this blog

P2V using dd for KVM-QEMU guest

Preface: I have certainly not exhaustively tested this process.  I had a specific need and found a specific solution that worked. Situation:  I was issued a shiny new laptop running Red Hat Enterprise Linux 7 (with Corp VPN, certs, Authentication configuration, etc...)  The image was great, but I needed more flexibility on my bare metal.  So, my goal was to P2V the corporate image so I could just run it as a VM. * Remove corporate drive and install new SSD * install corp drive in external USB-3 case * Install RHEL 7 on new SSD * dd old drive to a disk-image file in a temp location which will be an image which is the same size as your actual drive (unless you have enough space in your destination to contain a temp and converted image) * convert the raw disk-image to a qcow file while pushing it to the final location - this step should reduce the disk size - however, I believe it will only reduce/collapse zero-byte blocks (not just free space - i.e. if you de...
1 comment
Read more

Sun USS 7100 foo

TIP: put ALL of your LUNs into a designated TARGET and INITIATOR group when you create them.  If you leave them in the "default" group, then everything that does an discovery against the array will find them :-( I'm struggling to recognize a reason that a default should even be present on the array. Also - who, exactly, is Sun trying to kid.  The USS is simply a box.. running Solaris .. with IPMP and ZFS.  Great.  If you have ever attempted to "break-in" or "p0wn" your IBM HMC, you know that there are people out there that can harden a box - then.. there's Sun.  After a recent meltdown at the office I had to get quite intimate with my USS 7110 and learned quite a bit.  Namely: there's a shell ;-) My current irritation is how they attempt to "warn you" away from using the shell (my coverage expired a long time ago to worry about that) and then how they try to hide things, poorly. I was curious as to what version of SunOS it ...
1 comment
Read more

"Error getting authority: Error initializing authority: Could not connect: No such file or directory (g-io-error-quark, 1)"

"Error getting authority: Error initializing authority: Could not connect: No such file or directory (g-io-error-quark, 1)" One issue that may cause this to arise is if you managed to break your /etc/fstab We had an engineer add a line with the intended options of "nfsvers=3" but instead added "-onfsvers=3" and it broke the system fairly catastrophically.
Post a Comment
Read more