AVG GNU/Linux Rescue CD

AVG Rescue GNU/Linux (ARL) CD is a "rescue CD", i.e., a bootable CD that allows you to scan a Microsoft Windows system for malware, such as viruses, spyware, trojans, worms, etc. without starting Windows on the system. You boot the system from the rescue CD and then commence an virus scan from the CD. A rescue CD can be very useful when a system can't even be booted into Windows or if it runs abysmally slowly when booted into Microsoft Windows because it is badly infected by malware.

AVG Rescue CD GNU/Linux is a free product of AVG Technologies and there is no explicit support for it. Fortunately you can use a free forum provided by AVG Technologies for their free products. You can report your bugs, problems and questions there. There is no guarantee for a quick reply or bug fix from AVG's side, but, hopefully the community of free users will be able to provide you with a quick and an accurate response. The forum for the rescue CD is accessible here.

After booting from the CD, you will be asked to accept the End User License Agreement (EULA).

Note: you can run the entire process remotely, if you wish, using Secure Shell (SSH) from another system, if you follow the steps further down in this document for resetting the root password and starting the process from a shell prompt using the arl command.


After you accede to the license agreement, the Microsoft Windows partitions on the hard drive in the system will be mounted.

Mounting Windows partitions

After the Windows partitions are mounted, you will be asked whether you want to update the software. Accept the default option of "yes" by hitting Enter, which will get you the latest antivirus definitions.

AVG Rescue CD update recommended

Note: you can maneuver through options you will see presented to you by using the cursor keys on the keyboard.

You will then be prompted as to the type of update to perform. You have the following choices:

OnlineUpdate from the Internet.
OfflineUpdate from directory.
DownloadDownload update files from the Internet.

AVG Rescue CD update type

You can just hit Enter to get the latest updates, if the system has an active Internet connection.

You will next be prompted as to whether you want a "Virus database update", "Program update", or "Optional update." The default option is "Virus database update", which will include the other updates, so you can just hit Enter to accept the default option.

AVG Rescue CD update priority

When the update is completed, you will be prompted to hit Enter to continue.

AVG Rescue CD update completed

You will then be presented with the AVG Rescue CD main menu. You can just hit Enter, if you wish to start scanning the system.

AVG Rescue CD main menu

If you wish to see the version of ARL, you can select "About".

AVG Rescue CD About version information

The "Utilities" option shows the following utitlities list.

File ManagerMidnight Commander.
Registry EditorWindows registry editor.
PingPing utility.
TestDiskDisk data recovery utility.
PhotoRecRecover deleted files.
LinksText WWW browser.

AVG Rescue CD utilities menu

When you are ready to scan the system and have selected the "Scan" option, you will be asked whether you wish to scan volumes or a directory. If you wish to scan the entire hard drive where Microsoft Windows is located, just hit Enter with the default selection of "Volumes".

AVG Rescue CD scan type

You will then see a "Scan Volumes" menu with all volumes selected. The hard drive partitions will be in the form /mnt/sda1, mnt/sda2, /mnt/hda1, etc. depending on how many partitions are on the hard drive and the type of drive. I would suggest deselecting the one that has "iso9660" in the description as that is the CD itself, which you normally should not have to concern yourself about. You can deslect it by using the downard pointing arrow key on the keyboard to navigate to it and then hit the space bar to deselect it. You can then hit Enter to proceed.

AVG Rescue CD scan volumes

You will then be able to select various scan options.

AVG Rescue CD scan options

The following options are available with those marked with an asterisk chosen by default.

[*]arcScan inside archives.
[ ]pdwReport password protected files. Use with --arc
[ ]arcbombswReport archive bombs. Use with --arc.
[*]heurUse heuristics for scanning.
[*]pupScan for potentially unwanted programs.
[*]pup2Scan for enhanced set of Potentially Undwanted Programs.
[ ]cooScan cookies.
[ ]hidextRecognize hidden extensions.
[ ]macrowReport documents with macros.

The scanner will not be able to scan password protected files, such as password protected zip files. You can check the pdw option, if you want a list of such password protected files included in the scan results. You can select and deselect options using the space bar.

Hit Enter to start the scan when you have selected the options you want or to accept the default options.

When the scan is completed, you will see a list of the infections found, similar to the following.

AVG Rescue CD scan completed

When you hit Enter, you will see a scan result menu. You can choose to display the report file, handle each infected file separately, hangle single or group of infected files, rename all infected files, or delete all infected files.

AVG Rescue CD scan result menu

If you choose the "Individual" option, you will be prompted file by file as to whether you wish to skip, rename, or delete the file.

AVG Rescue CD infected file action

If you choose "Select", instead of "Individual", you will see all infected files selected by default. You can deselect ones you don't want to rename or delete with the "rename all infected files" or "deleted all selected files" options. You can deselect a file by moving to it with the cursor key then deselecting it with the space bar.

AVG Rescue CD select files

If you wish to see details on the infected file, navigate to the "Detail" option with the cursor keys.

AVG Rescue CD file details

Select the "Action" option to proceed, when you are finished deselecting files.

AVG Rescue CD action proceed

If you have any problems deleting all of the selected files as a group, go back to the individual option and delete them one by one.

When you wish to reboot, you can do it via the menu or you can type reboot at a shell prompt.

You can get other shell prompts at any time by hitting the Alt key and a function key, such as F2 simultaneously, i.e. Alt-F2. You can return to the primary shell at any time by hitting Alt-F1. If you do so you will see the following:

Welcome to AVG Rescue GNU/Linux
arl login:

You can use root for the userid; there is no password prompt. When the scan is completed, you can get another shell prompt and make the working directory /opt/avg/arl (AVG stores its files in the /opt/avg directory) and examine the log file containing the scan results, which is scan_report.txt

Welcome to AVG Rescue GNU/Linux
arl login: root
[root@arl ~]# cd /opt/avg/arl
[root@arl ~]# more scan_report.txt

The rescue CD runs a Secure Shell server. To log into the system running the AVG rescue CD software using SSH, you will need to change the root password to one of your choosing. You will be warned that a password is too weak or too short, if you don't select a strong password.

[root@arl ~]# passwd root
Changing password for root
New password:
Retype password:
Password for root changed by root

You can determine what IP address was assigned to the system by an Dynamic Host Configuration Protocol (DHCP) server on your network by using the ifconfig command.

[root@arl ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:07:E9:87:30:B0  
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::207:e9ff:fe87:30b0/64 Scope:Link
          RX packets:15169 errors:0 dropped:0 overruns:0 frame:0
          TX packets:720 errors:0 dropped:0 overruns:0 carrier:0
          collisions:1 txqueuelen:1000 
          RX bytes:2371388 (2.2 MiB)  TX bytes:61516 (60.0 KiB)

lo        Link encap:Local Loopback  
          inet addr:  Mask:
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Look for the inet addr. The relevant IP address will normally be the one associated with eth0. You can then use that address to establish an SSH connection to the system from another system.

$ ssh root@
root@'s password: 
[root@arl ~]#

You can use scp from a remote system to copy the log file from the scanned system to the remote system.

$ scp root@ .
root@'s password: 
scan_report.txt                               100% 5443     5.3KB/s   00:00

If you wish to determine which version of ARL Linux the rescue CD uses, you can find that in /etc/arl-version

[root@arl ~]# cat /etc/arl-version

You can access the ARL menu by typing arl at a shell prompt. That will put you at the point where you are asked to accept the End User License Agreement (EULA).

[root@arl ~]# arl

I sometimes wish to copy all of the infected files to another location for analysis by other antivirus tools or to upload them to sites such as Virustotal, which will scan files for free with multiple antivirus programs. I put all of the files in a .gz file and then transfer the file to another system. To do so, you can copy scan_report.txt to another file and then edit that file, so that it contains only the file names for the infected files. I.e., remove the "virus identified", "Trojan horse", etc. comments from the end of each line listing an infected file and remove the comment lines from the beginning and end of the file. The vi editor is provided on the CD, so you can use it to edit the file. Once you have removed the extraneous information from the file, leaving only the file names, put double quotes at the beginning and end of each line, since the path and/or filename for some files may contain spaces. You can do so in vi or you can use the following sed commands at the shell prompt to put a double quote at the beginning and end of each line.

# sed -i 's/^/"/' infected_filenames.txt
# sed -i 's/$/"/' infected_filenames.txt

I then use tar to create an archive file of the infected files.

[root@arl arl]# cat infected_filenames.txt | xargs tar -cvf infected-files.tar

I then compress the file with gzip before transferring it to another system with scp.

[root@arl arl]# ls -lh *.tar
-rw-------    1 root     root       32.7M Nov 11 06:36 infected-files.tar
[root@arl arl]# gzip infected-files.tar 
[root@arl arl]# ls -lh *.gz
-rw-------    1 root     root       69.6K Nov 11 06:42 infected-files.tar.gz


  1. AVG Rescue CD
    AVG - Antivirus and Internet Security
  2. ARL Linux Info
    Date: March 30, 2010
    AVG Forum
  3. AVG Rescue CD GNU/Linux

Valid HTML 4.01 Transitional

Created: November 11, 2011