Slashdot Mirror


CDROM-Based Virus Scanners?

cheros asks: "Pretty much every virus checker I've seen requires installation of a couple of MB worth of data on the HD. However, in a controlled or accredited environment (say, a hospital) installation of external software can invalidate the build, and the checking process can adversely affect timing (in, say, plant control systems), so I'm looking for a virus checker that works from a CD. This obviously means the CD needs updating when new signatures come out, but at least it's a 'hands off' sweep of the system that can be done during maintenance down-time (and assures me that the virus software itself can't be compromised). The only workaround I have at the moment is that critical system files can be checksummed to prove integrity (MD5 is your friend ;] ). That's OK for the systems that are fairly static (no, not blue screened, less data changes on the disk =] ), but systems where config data changes (say, a DDNS) are less easy to check. It's mostly a Windows problem (with &^$$& locked files being a pain), but the same situation can arise on any platform. Got any ideas?"
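The checksum workaround described in the question, as an added example that is not part of the original post: a baseline of file digests is compared with a fresh snapshot, with changing config paths excluded and unreadable (locked) files reported rather than skipped. It uses SHA-256 in place of MD5; the `volatile` glob list, the file names and the sample tree built in `demo()` are constructed assumptions.

```python
import fnmatch
import hashlib
import os
import tempfile

UNREADABLE = "UNREADABLE"  # marker for files the OS would not let us open (e.g. locked)

def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def snapshot(root, volatile=()):
    """Map relative path -> digest for every file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # Skip config that legitimately changes between sweeps.
            if any(fnmatch.fnmatch(rel, pattern) for pattern in volatile):
                continue
            try:
                result[rel] = hash_file(full)
            except OSError:
                result[rel] = UNREADABLE  # record it, never drop it silently
    return result

def compare(baseline, current):
    """Classify differences between a trusted baseline and a fresh snapshot."""
    report = {"modified": [], "missing": [], "added": [], "unreadable": []}
    for rel, digest in sorted(current.items()):
        if digest == UNREADABLE:
            report["unreadable"].append(rel)
        elif rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
    report["missing"] = sorted(set(baseline) - set(current))
    return report

def demo():
    """Constructed sample tree: baseline it, change it, then re-check."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)

        put("system/kernel.bin", b"trusted build")
        put("system/driver.sys", b"trusted driver")
        put("config/ddns.cache", b"lease 1")
        volatile = ["config/*"]              # assumption: DDNS state lives here
        baseline = snapshot(root, volatile)  # taken once, kept on read-only media

        put("system/kernel.bin", b"trusted build + appended code")  # altered file
        put("system/dropper.exe", b"new file")                      # unexpected file
        put("config/ddns.cache", b"lease 2")                        # normal churn
        os.remove(os.path.join(root, "system/driver.sys"))          # deleted file
        return compare(baseline, snapshot(root, volatile))
```

Keeping the baseline on the same read-only media as the scanner means a compromised host cannot rewrite it, and running the check from a boot CD avoids the locked-file problem because the installed OS is not running.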

48 comments

  1. Try a usb or firewire harddisk by Stigmata669 · · Score: 3, Insightful

    Although I am unfamiliar with any CD based anti-virus software, you could always install the software onto a removable usb harddisk, even a keychain drive and run the software from the drive, leaving the primary disk more or less untouched (hopefully less).

    --
    Yawn.
    1. Re:Try a usb or firewire harddisk by Anonymous Coward · · Score: 0

      Brownie points for the OSDN sister site plug.

  2. Openantivirus by ChiefArcher · · Score: 2

    try http://www.openantivirus.org .. It's free.. it's open source.. it's in java.. Stick it on the cd with a (windows/linux/mac) jvm.. and you're set to go. I have openantivirus running on my mail server right now... catches almost everything.. I believe there's a "C" version called clamscan out there.... not sure if it'll compile under anything but linux.. but you can always try. ChiefArcher

    1. Re:Openantivirus by Anonymous Coward · · Score: 0

      Nick Fitzgerald puts it best

      You're joking, right?

      It is research only/very early beta and (currently) based on a
      chronically flawed view of how virus scanning works (or, perhaps more
      accurately, a chronically flawed view of how virus scanning can be
      done "well enough").

    2. Re:Openantivirus by Anonymous Coward · · Score: 0

      Did he even try to fix it? It IS open source. No, he just likes to whine like a typical spoiled American.

  3. Norton Systemworks 2001 by karnal · · Score: 3, Informative

    I've got a copy of Norton Systemworks 2001 at work that states on install, that you should boot to the cd-rom and have it do a virus check before you install the software (Norton Antivirus is included in this suite...)

    I've not used it yet; the only risk I would say you'd run is if you have a virus that is not detected with the CD build of the virusscan... Pretty hard to do updates to read-only media.... but for a general sweep of the machine, you'd be good to go.

    Maybe there's a way to "repackage" the bootable portion of the cd / virus definitions, and go that route? I'm sure Norton has had requests for this before, and it wouldn't take much time talking with their support (never had to contact them myself) to see if this is the case...

    We're in the same boat, though... Validated systems; since I work in Network Architecture, one of the problems we run into is we can't put ANYTHING on servers that isn't validated (i.e. packet sniffing/analyzing agents, etc.) I see their point, so in the end we just mirror ports :) (slightly ot, I know)

    --
    Karnal
  4. F-PROT by reynaert · · Score: 3, Informative

    You could probably use the DOS or Linux version of F-Prot. It doesn't need to write anything, and it has some nice command-line options for automated scanning etc.

    With a little effort, you can even fit the DOS version on a single floppy. You'll need to store it compressed, and uncompress it to a ramdisk when booting.

    1. Re:F-PROT by halibut007 · · Score: 1

      This is the program I use for scanning. Built a boot cd with a cdrw and floppy emulation using the dos version of f-prot. With the right drivers you could probably even get it to scan NTFS partitions. Update the definitions when needed. Works great. Just requires to boot from the CD.

    2. Re:F-PROT by Anonymous Coward · · Score: 0

      Yup -- I've done just that. I used the NTFSDOS util from Sysinternals to scan NT machines with F-Prot on a floppy. I've used F-Prot for years and it's my personal favorite scanner.

    3. Re:F-PROT by tow · · Score: 1

      Great scanning program, and I use it as well, but from time to time I'm using it on old computers, that can't read CDRW. The program does not have an option to take the definitions from another dir. I think that this could be the best solution to this prob.

    4. Re:F-PROT by Tux2000 · · Score: 2, Informative

      The guys and girls of the German c't magazine combined toms rescue boot disk with F-Prot for Linux and pressed it onto a CDROM shipped with the issue 13/2002. You can order this issue for 3 EUR + shipping (1 EUR is round about 1 US $).

      If you can get internet access with that CDROM, you can even update the scanner and the data files. (And as a nice bonus, you get 600 MBytes Freeware and Shareware.)

      Tux2000

      --
      Denken hilft.
    5. Re:F-PROT by Wanker · · Score: 2

      This sounds like an excellent suggestion-- build a bootable CD-ROM which auto-scans all the local drives. In addition to not requiring any installed software, booting off known virus-free media guarantees that you'll find all those nasty stealth viruses that like to hide in memory.

  5. What about a remote system? by thecampbeln · · Score: 1

    I've used a laptop with Norton AntiVirus installed to check the hard disks/files of other systems, maybe something simple-n-stupid like this would help?

    --
    "1984" was meant to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
  6. A bit of research first ... by Blkdeath · · Score: 1, Informative
    Would have led to Symantec who ship their Norton Antivirus CDROMs as bootable CDs that can automatically check the filesystem(s) of the hard drive(s) with as little as one or two carriage returns.

    Since the scanner can also be run manually, you could install updated definitions on a floppy disk with the tab set.

    That's just off the top of my head; I'm sure The Best Friend Of The WWW could render gallons more assistance.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

    1. Re:A bit of research first ... by tow · · Score: 1

      But the definitions are way too big for a floppy

    2. Re:A bit of research first ... by Anonymous Coward · · Score: 0


      But the parent didn't really care.

      He didn't care enough to think thru his
      "solution" that would work for about a week.

      The original question was for an AV soln that
      could run from RO media AND BE UPDATED.

      Writing def files to a floppy that (A) will
      not be used and (B) will not fit anyway is
      not a solution.

      But that brings me back to the fact that
      the parent is an idiot and was not offering
      a solution...

  7. What are you using?!? by shyster · · Score: 2

    Every Windows based virus scanner I've known has an option for this. Norton AntiVirus can boot to the CD or make floppy disks, I think the newer versions can use a floppy disk for later virus definitions. Mcafee can do the same, I believe. I know it can run off floppies. So can F-Prot.

  8. DUH by moosesocks · · Score: 2

    This is quite obvious. Every virus scanner in my memory has had an option to boot off of the CD or create a boot floppy (which can be write protected in the same fashion as all floppies). The CD boots, can do a scan (automatically if you configure autoexec.bat to do so). You can re-burn the cd by placing new definitions on the cd, or tell the program to go get the definitions from another source (ls-120 drive, hard disk, etc.). This has all been possible with Norton AntiVirus since version 2000 (probably earlier. I just never checked)

    --
    -- If you try to fail and succeed, which have you done? - Uli's moose
  9. Norton A/V comes as a bootable cdrom, and you can make a set of rescue disks that you can use. I suppose you could also make a bootable cdrom (Nero does that) with the vdefs on it, and use some autoexec file to do a batch scan of the system using the latest defs from the CD. So simple even a janitor could do it!!!

    -D

  10. Control Systems by LWolenczak · · Score: 4, Insightful

    I used to work for a company in the SouthEastern United States, currently called Avid Solutions, Formerally called Carolina Instermentation Corp/Electrical Maintence Overflow Comp. (cic/emoc). Every Control System that I have ever seen them put together was setup a perticular way.

    1. Locked down OS. In NT, this involved Policies, in most cases, Auto logins, and quite a bit of registery editing.
    2. Seperated Network. The control networks were allways on their own network. In many cases, a main network, and a backup network.
    3. No internet access.
    4. No access to the floppy/cdrom unless your an administrator, hell, explorer dosen't even load, only the control application.

    Perhaps you need to look at your setup and make some changes if your worried about viruses.

    1. Re:Control Systems by Anonymous Coward · · Score: 0

      It came to our attention that you are a jew. The only purpose of your post was to advertise your company. Please remove that penis out of your butt crack.

    2. Re:Control Systems by Blkdeath · · Score: 1
      3. No internet access.
      Would you care to accompany me on a routine run of some of our customers' networks today and inform them that in the interest of virus protection, we will be removing their Internet routers?

      It's said that the safest way to protect your computer from [viruses/cracking/information theft/etc.] is to unplug it, but how practical is that here in the real world?

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    3. Re:Control Systems by Anonymous Coward · · Score: 0
      your - belongs to you
      you're - you are

      It's (note: that is short for it is) not that fucking hard.

    4. Re:Control Systems by phorm · · Score: 2

      In agreement with the other responders, this sounds like crap to me. Installing a complete lockdown on machines tends to p*ss off employees, and just generally cause problems. Locking down an existing open network is a pain in the butt to admins too, every time new software has to be installed the admin has to be called in.

      I'm currently working in a local school district, and this is the only situation I've found lockdowns useful, since kids intentionally tend to cause crap or download porn etc. In a business with reasonable adults, you can at least hope/expect that they won't be causing deliberate damage to the machines.

      This shameful plug should be used to plug um... nevermind - phorm

    5. Re:Control Systems by LWolenczak · · Score: 2

      In cases such as schools, you can't unplug it. In the case I'm talking about, The computer is only used to run a piece of machinery, or a set of chemical reactors. The system for all intensive purposes is unplugged because it does not need to be plugged in.

    6. Re:Control Systems by Anonymous Coward · · Score: 0

      So, you mean to tell me that your entire fucking post was useless because you were talking about a computer that is virus free from all of those OS lock down shit, and you unplug it. Why did you bother to post?

  11. damn i cant spell today by LWolenczak · · Score: 1, Offtopic

    damn i cant spell today... I guess i need sleep

  12. You have not seen Vexira Antivirus Rescue Disk CD? by VexAdmin · · Score: 2, Informative
    I work for Central Command, the company that produces Vexira Antivirus, so be careful, you might find a few biased statements here :-) We have Vexira Antivirus Rescue Disk (VARD) which is a bootable CD-ROM and diskette virus scanner that runs entirely in RAM. It's based on a debian micro kernel and includes an easy to follow menu. It can update the latest virus database and virus scanning engine also! Yes, even if you are using the CD-ROM version. You just need to download updates onto a floppy and select the update option on the main menu. VARD will pull them into RAM.

    It will boot and mount most any file system: Microsoft FAT 16, FAT 32, VFAT, NTFS, Linux ext2, ReiserFS and UMSDOS, IBM OS/2 HPFS, FreeBSD, OpenBSD, Solaris, and Unix UFS, CD-ROM ISO9660, Minix, FreeVxFS, Veritas VxFS, System V, Xenix, V7, and UDF.

    Vexira Antivirus Rescue Disk

    The VARD is free BTW.

  13. Re:You have not seen Vexira Antivirus Rescue Disk by VexAdmin · · Score: 1

    I forgot to add that VARD can be downloaded as a .ISO image or a 4 diskette set. You'll need to run the SFX diskette tool on a Windows box to create the diskettes because we use WinZip to create the SFX application but after that it will act just like the CD-ROM version. I prefer the CD-ROM version myself and give my friends a wallet size "card disk" for their field trouble shooting. It fits nicely in shirt pockets :-)

  14. Re:You have not seen Vexira Antivirus Rescue Disk by bobv-pillars-net · · Score: 1
    --
    The Web is like Usenet, but
    the elephants are untrained.
  15. Why??? by OneFix · · Score: 5, Insightful

    I know that similar posts have been made, but I don't think this can be expressed enough!!!

    You shouldn't need AV software in the systems you describe. These should not require direct access to an untrusted network...there is no reason why someone should be installing their own software on the system...and the systems should be designed as such (no direct access...a locked cabinet is a good idea here, and secondary/tertiary networks for workstation access to data)...if you really must have mission critical systems open to viruses, and you are using standard peecee hardware, you could always try an Antivirus PCI Card.

    I guess this might be another advantage of using Linux for mission critical apps...chances are the employees don't have access to software...

    1. Re:Why??? by Anonymous Coward · · Score: 0

      The problem with such an environment is that if somehow, someone violates the integrity and gets a virus on the systems they would then have free-range without recourse until such time as they caused significant problems and the problems were investigated.

      In theory you're right, but then, in theory it should be possible to secure such systems 100%. It isn't.

    2. Re:Why??? by Anonymous Coward · · Score: 0

      Take ONE (1) ignorant or malicious user with an infected laptop and you've got a problem. Yes, he shouldn't. And neither should the guy who just burgled your house. Security is based on the principle of failing safe - and NEVER assume safety as a given.

    3. Re:Why??? by OneFix · · Score: 2

      This certainly doesn't assume that safety is a given. First, if you don't trust your employees that have access to mission critical systems/networks, you've got serious problems that a virus scanner isn't gonna fix.

      The system I explained makes this very easy. The first way is to simply bury the connections for your mission critical network behind locked boxes. And if you're using a cabinet for the box, this is already done for you. Not to mention that many of the locations with similar set ups already have a strict "no laptops" policy. Another easy way to keep ppl from connecting to the network is to use non-standard connectors. This makes it so only the computer side of the connection has to be hidden.

      The other way of securing the network (I know you'd like to suggest they are sticking control systems in their lobby) is to require MAC authentication. I've even seen systems that use a rolling MAC address based on a standard time.

    4. Re:Why??? by corey_lawson · · Score: 1

      ...all it takes is someone with a boot sector virus on a floppy to insert it into the otherwise-locked down system and cycle the power, to infect the machine. While systems for some time have been able to have a different boot order than FD0->HD0->HD1, there are older systems that don't allow this...

    5. Re:Why??? by RocketJeff · · Score: 1
      ...all it takes is someone with a boot sector virus on a floppy to insert it into the otherwise-locked down system and cycle the power, to infect the machine.
      Then remove the floppy drives. If someone needs access to a floppy, they can take it to an administrator who can move files as needed (after virus checking). Remember, this is a hospital production system - people shouldn't need routine access to a floppy drive.
    6. Re:Why??? by tomhudson · · Score: 2

      Removing both floppy and cdroms is SOP with me. Since I did that to everyone's boxes, I've got more time for other stuff.

    7. Re:Why??? by OneFix · · Score: 2

      How can they insert a floppy through a locked cabinet?

  16. F-prot by dasunt · · Score: 2

    F-prot antivirus can fit on 3 write-protected floppies or a bootable CD-ROM. It's free for personal use, and easy enough to update by downloading new definitions from its website. It's available for both DOS and Linux.

  17. Symantec by e8johan · · Score: 1

    If you have a virus threat problem, I assume that you are connected to an external (out of your control) network. If this network happens to be the internet (most likely), just try Symantec's Security Check. It scans for viruses over the net (with a bit of ActiveX magic... It seems that M$ security misses can be useful sometimes ;-P)

  18. *grumble* You can already do this by Anonymous Coward · · Score: 0

    Any enterprise virus protection product can do this w/o installing files on remote boxes. Failing that, scan the admin shares (C$/D$/etc) from a central server manually. The only files you won't be able to access are those that are exclusive locked by the OS and they can't be infected by any virus anyway.

    It still amazes me to this day the level of ignorance expressed by people who are responsible for admin duties on Windows machines.

  19. Re:*grumble* You can already do this by leuk_he · · Score: 1

    But this affects the timings he was talking about.

    "However, in a controlled or accredited environment (say, a hospital) installation of external software can invalidate the build, and the checking process can adversely affect timing (in, say, plant control systems), so I'm looking for a virus checker that works from a CD."

    The logic behind his requirement is flawed:
    Any non-accredited software can affect the build, even anti-virus software that is not installed on that build. I.e. many antivirus programs write checksums somewhere on the HD. If people can run such software you have a problem anyway in such an environment.

    You can install most antivirus software in a non-interfering mode, only scan when you press the scan button. So why not put it on HD or a (read only) central server?

    Opening up C$ & D$ would be a bad idea, but it is possible.

    The only files you won't be able to access are those that are exclusive locked by the OS and they can't be infected by any virus anyway.

    Since they can be updated by update software, virus software can update those files as well.

    In the end I think he is a (l)user that cannot install software, but wants to virus check his PC anyway. (read between the lines!)

  20. Re:*grumble* You can already do this by Anonymous Coward · · Score: 0

    Not sure I agree with your assumption, the poster might be more familiar with Unix/Linux where vcheck problems are different to manage (though not absent). Sort of the reverse of Windows sysadmins asked to switch to Linux :-).

    Booting from CD has the added advantage that the target drive/array to check can be mounted read-only (to prevent writes and thus invalidate accreditation - and check those locked system files), but that needs a little bit of messing around.
    It's IMO not a bad idea to check integrity occasionally, it only takes one idiot with an infected laptop to jack into the network to make a complete mess - after all, accreditation tends to slow down the update process considerably, so you're always behind with security patches.

    Of course you ought to hang such an idiot by the private parts, but that assumes

    a) you catch he/she/it doing it (or have IDS data to identify the culprit)
    b) he/she/it still has private parts to be hung by and
    c) the damage was indeed accidental (think that one over for a minute).

    Don't tell me that it should never happen. I've seen enough over the years not to assume anything.
    Process and education help, but won't cure stupidity.

    --
    Users. Can't live with them, .. err, that's it ;-).

  21. Really slow site, but here you go: by Mustang+Matt · · Score: 2

    http://www.free-av.com/ave.htm

    Of course this only works for Fat/Fat32.

    I don't know of any that would scan NTFS. You'd have to have some munged version of NT/Win2k boot off a CD and then run a virus scanner.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  22. Re:*grumble* You can already do this by Anonymous Coward · · Score: 0

    Opening up C$ & D$ would be a bad idea, but it is possible.

    Why exactly do you think those shares exist to begin with? How do you think domain wide backups are performed? Those shares are exactly the ones used by enterprise anti-virus packages for scanning individual machines.

    Since they can be updated by update software, virus software can update those files as well.

    If the OS has the files locked for exclusive access nothing can update them except for the process that has them opened - period (or else it would be called pseudo-exclusive access). :)

    Files opened in this manner are typically data files (registry hives, database files, etc) and aren't subject to conventional virus infection anyway.

    In the end I think he is a (l)user that cannot install software, but wants to virus check his PC anyway. (read between the lines!)

    You are probably correct and I was a bit harsh. Still, he should be taking this up with his IT department and not trying to go it alone.

  23. You need two things... by mgibbs · · Score: 1
    1. A Norton AntiVirus 2002 CD
    2. A floppy disk with the latest virus definitions on it.

    The Norton AntiVirus CD automatically checks the floppy drive for the latest virus definitions when you boot from it, otherwise it uses the outdated ones on the CD.

  24. Caution: MAJOR conflict of interest. by Futurepower(R) · · Score: 2


    Caution: MAJOR conflict of interest. The writer is an anti-virus consultant who will lose money if there is an open source alternative.

  25. You're right. You can't spell today. by Anonymous Coward · · Score: 0

    In cases such as schools, you can't unplug it. In the case I'm talking about, the computer is only used to run a piece of machinery, or a set of chemical reactors. The system for all intents and purposes is unplugged because it does not need to be plugged in.

    I imagine that a "system for all intensive purposes" would be a gamer's box... but I digress.

    The other posters are missing the point that if a system doesn't need access, then don't grant it access.