Slashdot Mirror


Seek And Destroy Malware With An Antiviral Live CD

Yx writes "CHRONOMIUM Virus Live is a GPL automatic decontamination LiveCD. It can, without installing anything on your computer, seek and destroy viruses found on it. It is very useful when viruses have taken over a computer, and made it unable to work correctly. In its new 0.9 version, the GPL flavour is fully functional. So if you're doomed by those petty viruses, just try it, it may help you much! Download it here."

31 comments

  1. fonctional? by Dr.+Bent · · Score: 0


    Maybe the next version should seek and destroy bad grammar and spelling.

    1. Re:fonctional? by Atzanteol · · Score: 1

      Or you could realize the maintainer is French, and speaks English as a second language?

      --
      "Ignorance more frequently begets confidence than does knowledge"

      - Charles Darwin
  2. Such an obvious idea... by Spudley · · Score: 1

    It's such an obvious idea, I can't believe it's taken this long for someone to produce it.

    I've been wondering for ages why the anti-virus companies haven't been producing this sort of thing.

    The only difficulty with the format is that it's harder to update for new viruses than a traditional virus checker, but even then it's still a good idea, and I'm sure it's a problem they could find a way around.

    --
    (Spudley Strikes Again!)
    1. Re:Such an obvious idea... by tdemark · · Score: 2

      Evidently, the CD can read updates to the Virus DB and the application off of a USB drive.

      - Tony

    2. Re:Such an obvious idea... by tdemark · · Score: 2, Interesting

      Yeah, I'm responding twice to the same post... sorry.

      In terms of "an obvious idea", what I've always wanted to see is a LiveCD/Knoppix offering that could read a FAT/NTFS partition on boot and run equivalents to the following software:

      - Norton AV / ClamAV
      - AdAware
      - Spybot S&D

      By the title of the story, I thought we might have actually gotten something close ("Seek and Destroy" vs "Search and Destroy").

      - Tony

    3. Re:Such an obvious idea... by Nimey · · Score: 1

      It's been a feature for years with Norton Antivirus, at least since the 2000 release. NAV's only limitation was that it could only read and write FAT partitions -- this was so until at least 2003, I've not tried '04.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    4. Re:Such an obvious idea... by milkman_matt · · Score: 1

      The only difficulty with the format is that it's harder to update for new viruses than a traditional virus checker, but even then it's still a good idea, and I'm sure it's a problem they could find a way around.

      Couldn't they set up a small RAMDisk to store the definitions file on? Assuming it can find a valid network connection and maybe DHCP an address from it the way most of the LiveCDs I've seen do? Of course you would store the most 'current' definitions possible on the disc, in case the disc can't find your NIC or establish a connection or anything.. but I think that would be a viable solution right?

  3. Can it update? by twiztidlojik · · Score: 1

    I'd like to see this use virus definition files that are recent. Can this CD automatically download them and use them? I'd rather see this than some schmuck running around with a six month old liveCD with old virus defs.

    By the way, a USB memory stick won't cut it.

    --
    I will now redundantly add my name to the end of my post. You know, in case you forgot me or something.
    1. Re:Can it update? by StillDocked · · Score: 1

      Why won't a USB Memory stick work for you?

      I am testing the software right now, and I like what I see.

    2. Re:Can it update? by Godeke · · Score: 0

      So you would prefer a malware infested machine to be hooked to a network than to use a USB stick??? I'm not following how that is a good idea.

      --
      Sig under construction since 1998.
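
Added example, not part of the thread or of the CHRONOMIUM project: a report-only ClamAV scan of a mounted Windows volume that takes its signature databases from a USB stick, as discussed above, and refuses to run when those databases are stale. The mount points, the 7-day threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example: report-only ClamAV scan of an already-mounted Windows volume,
# using signature databases carried on a USB stick (no network needed).
# All paths and the 7-day threshold are assumptions, not CHRONOMIUM settings.

MAX_DEF_AGE_DAYS=${MAX_DEF_AGE_DAYS:-7}

# Succeeds if DIR holds a daily ClamAV database (daily.cvd or daily.cld)
# modified less than MAX_DAYS days ago. Returns 2 if DIR does not exist.
defs_are_fresh() {
    dir=$1 max_days=$2
    [ -d "$dir" ] || return 2
    newest=$(find "$dir" -maxdepth 1 -type f \
        \( -name daily.cvd -o -name daily.cld \) -mtime "-$max_days" | head -n 1)
    [ -n "$newest" ]
}

# offline_scan DEFS_DIR TARGET_DIR LOG_FILE
# Returns 3 without scanning when the definitions are missing or stale;
# otherwise returns clamscan's status (0 clean, 1 infected files found, 2 error).
offline_scan() {
    defs=$1 target=$2 log=$3
    if ! defs_are_fresh "$defs" "$MAX_DEF_AGE_DAYS"; then
        echo "refusing to scan: no daily database newer than" \
             "$MAX_DEF_AGE_DAYS days in $defs" >&2
        return 3
    fi
    # --infected prints only detections; nothing on TARGET_DIR is modified.
    clamscan --database="$defs" --recursive --infected --log="$log" "$target"
}

# Example: sh offline_scan.sh /mnt/usb/clamav /mnt/windows /tmp/scan.log
if [ "$#" -eq 3 ]; then
    offline_scan "$@"
fi
```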
  4. Write to NTFS volumes? by rhild · · Score: 2, Interesting

    Anyone know if this thing can write to NTFS volumes? I couldn't tell from the English part of their website and my French ain't so good.

    If it can't write to NTFS volumes it wouldn't do me any good.

    1. Re:Write to NTFS volumes? by Beatbyte · · Score: 1

      it's experimental but yes.

    2. Re:Write to NTFS volumes? by Anonymous Coward · · Score: 1, Informative

      The NTFS partitions are borne through the use of captive-ntfs and the antivirus engaged is CLAM.

      If it uses captive-ntfs it *should* be able to write to NTFS but there's no more detail than that.

    3. Re:Write to NTFS volumes? by Sepper · · Score: 4, Informative

      Yes it can.

      But there seem to be 3 versions of the ISO... (6 if you count the fact that each comes in En and Fr)

      As far as I can tell, these are the editions (I can read French but the info is a bit spread across the site):

      GPL Edition (Which uses ClamAV)
      Fr: ftp://telechargement.antesis.org/download/CHRONOMIUM-0.9.0-GPL-fr.iso
      En: ftp://telechargement.antesis.org/download/CHRONOMIUM-0.9.0-GPL-en.iso

      Community Edition (using F-prot)
      Fr: ftp://telechargement.antesis.org/download/CHRONOMIUM-0.9.0-COMMUNITY-fr.iso
      En: ftp://telechargement.antesis.org/download/CHRONOMIUM-0.9.0-COMMUNITY-en.iso

      Community Edition With NTFS drivers (using F-prot)
      Fr: ftp://telechargement.antesis.org/download/CHRONOMIUM-0.9.0-COMMUNITY_FULL-fr.iso
      En: ftp://telechargement.antesis.org/download/CHRONOMIUM-0.9.0-COMMUNITY_FULL-en.iso

      The latest definitions for F-Prot have to be downloaded from: http://www.f-prot.com/download/
      (but they can be stored in a USB key)

      Voilà!
      Hope it clarifies things a bit...

      --
      I live in Soviet Canuckistan you insensitive clod!
    4. Re:Write to NTFS volumes? by Sepper · · Score: 1

      I looked in the forums, and they say they use a Non-GPL driver for NTFS... I don't know which one they are talking about, but that's the reason why the GPL edition of the LiveCD won't write (read?) NTFS.

      --
      I live in Soviet Canuckistan you insensitive clod!
    5. Re:Write to NTFS volumes? by Bravo_Two_Zero · · Score: 1

      This:

      "The NTFS partitions are borne through the use of captive-ntfs and the antivirus engaged is CLAM." ...would suggest yes, but clarification from one of our French-speaking compadres would be better.

      --


      Amateurs discuss tactics. Professionals discuss logistics.

    6. Re:Write to NTFS volumes? by rhild · · Score: 1

      Thanks for the translation/clarification

    7. Re:Write to NTFS volumes? by Firehawke · · Score: 1

      Captive NTFS works by providing a WINE-style interface between the real NTFS drivers from Microsoft and Linux. That would definitely explain why they're avoiding trying to tag that version as GPL, with 'tainted' filesystem drivers.

    8. Re:Write to NTFS volumes? by fm6 · · Score: 2, Informative
      "Non-GPL"? That's an interesting way to put it. The problem with writing a driver for NTFS is that Microsoft keeps making undocumented changes in the system. (Sabotaging third-party driver vendors, or just their usual compulsive bit-twiddling? Only The Shadow Knows.) Captive-NTFS's workaround is to provide hooks for Microsoft's NTFS.sys. Which they can't distribute, for obvious reasons. But there's nothing to prevent you from copying the file from an XP installation.

      Though it is possible that "Non-GPL" refers to something else.

    9. Re:Write to NTFS volumes? by Geoffreyerffoeg · · Score: 1

      Les partitions NTFS sont supportées à travers l'utilisation de captive-ntfs

      In other words, oui. NTFS is supported through Captive (which, I might add, works well from personal experience on Knoppix). Captive requires using NTFS drivers on an existing Windows installation, but does anyone have an NTFS drive without Windows installed on it? (Even if your install is b0rked, the drivers are still there.)

    10. Re:Write to NTFS volumes? by advocate_one · · Score: 1

      "Non-GPL" refers to the antivirus software... Clam AV is fully redistributable, but the other one, F-prot, is only free for personal use.

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  5. Torrent link? by Darkness+Productions · · Score: 1

    Anyone with a torrent link? I highly expect the server to not last too horribly long, but it's still up as of right now.

  6. Work with a windows system? by Dibson · · Score: 1

    Call me foolish for asking-

    I'm looking to clean up a friend's Windows machine in a few weeks: would this do the trick? If not, how does one go about removing all the software that's crippled a computer?

    It's pretty bad, my current suggestion is to format the drive... maybe there's a better way.

    --
    -- Why keep us waiting? We are not made of time.
    1. Re:Work with a windows system? by jayfehr · · Score: 2, Informative

      Ad Aware should remove most of the spyware, but there's a lot of stuff that digs itself so far into the system that it's nearly impossible to clean. I also recommend "Hijack This"; although it will not remove anything, it will give you a list of all running processes, then with the help of Google, you can disable anything that shouldn't be running. Also be sure to use "msconfig" to disable any processes that try to start at boot time that may be malware (again Google is your friend).

      Of course when this is all done run a complete virus scan, I use the free version of AVG and haven't had any problems. And also be sure to get all the Windows updates.

      Last thing to be aware of is that some of this malware will corrupt system files and whatnot and a full reinstall may have to be done anyway, but I always recommend that as a last resort when fixing someone else's machine because there is always something that they forgot to back up and it's you they're going to call to try and find it.

      Ad Aware: http://www.lavasoftusa.com/software/adaware/
      Hijack This: http://www.spywareinfo.com/~merijn/

    2. Re:Work with a windows system? by advocate_one · · Score: 1

      is it possible to run adaware from this live cd using wine and get it to scan the windows disk registry rather than the wine registry?

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    3. Re:Work with a windows system? by tchuladdiass · · Score: 1

      If it's mostly just adware and not viruses, then boot up into single user (I mean "safe") mode (hit F8 on initial bootup, and select "safe mode with network support"), and log in as administrator. This will at least keep the adware startup scripts from running.
      Then, run ad-aware and spybot. Finally, take a manual look at the startup fields in the registry -- run regedit and look at the key "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run".
      Also, there's a bunch of startup fields that are kicked off by IE. The best way to find them all is to grab CWShredder (which is designed to specifically handle Cool Web Search, a particularly nasty bit of malware). It has a "report" option, run it and it will display all your startup registry keys, both under the ...windows/currentversion/run and the various IE startup / helper objects / toolbars -- kill anything that looks like it doesn't belong.
      Then, open a command window (cmd.exe), cd to /"Program Files", and do a "dir /od" (order directory listing by date). This will group the most recent program installs towards the bottom, to make it a bit easier to identify possible bad ones. Look at the exe files in there, and do a Google search using unrecognized program names as keywords (along with the keywords "windows" and "spyware").
      Once things are cleaned up, reboot normally, pull up the tasklist and again look up any program that you don't recognize.
      This process has worked for me every time so far (takes about an hour or so once you get into the swing of it).
      Good luck.

    4. Re:Work with a windows system? by bhtooefr · · Score: 1

      Actually, THAT inspired an idea here... USB Live Windows 98, but it copies the registry straight from the HDD (rather than using a real Win98 registry - could be a bit dicey, though), and then runs AdAware and Spybot on it...