|
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
[ More Info ]
In this instance I used the F-Secure Rescue CD 3.11 on a Compaq Presario SR1900NX system running WIndows XP to perform an initial malware scan of the system.
[ More Info ]
/tmp, which exists only in the system's memory
when the system is booted from the F-Secure Rescue CD, I also wanted
the output log files produced by the scanning process to be stored
somewhere where I could access them after the reboot.
When a scan is started, the following is displayed:
Scanning Scanning all filesystems mounted under /mnt/scan/ directory. The results of the scan will be saved in /tmp/scan_results.txt Alt-F1 This screen. Alt-F5 To see details of files being scanned. Alt-F6 To see any malware found. Ctrl-C TO cancel scanning.
You can also use Alt-F2, Alt-F3, or Alt-F4 to get a shell prompt. I used Alt-F2 to obtain a shell prompt.
When a system is booted from the rescue CD, the hard drive on the system
is mounted under /mnt/scan. In this case, the hard drive is an
IDE
drive designated as hda2 by Linux, which is the operating system
used on the F-Secure Rescue CD. So I could store the log files, which are as
follows, somewhere under /mnt/scan/hda2.
scan_error.txt
scan_log.txt
scan_results.txtOn this system there was a C:\TEMP directory, so I decided
to store them there. You can see the directories on the hard drive using
the ls command, e.g. ls /mnt/scan/hda2/.
Using the pico editor on the CD, I created a script,
which I named rebootwin in the
/tmp directory to automatically reboot the system after 9 hours,
presuming that the scan of the system should certainly be completed within
that time (it took about 3 hours).
root@tty2[/]# cd /tmp root@tty2[tmp]# pico rebootwin
I put the following commands in the script:
#!/bin/bash
date
sleep 9h
cp scan*.txt /mnt/scan/hda2/TEMP/.
reboot
The script prints the date and time and then "sleeps" for 9h. When that
amount of time has elapsed, it copies the log files from the scanning
process from the /tmp directory to the C:\TEMP
directory on the system's hard drive. The system is then rebooted. If
the system is set to boot from the hard drive first, rather than a CD-ROM
drive, it will boot into Windows from the hard drive. If the system's BIOS
is set to attempt to boot the system first from a CD in a CD-ROM drive, it will
reboot from the F-Secure Rescue CD, but, unless a key is hit within a few
seconds, it will not continue with a reboot into the antivirus scanning
software, but will instead boot from the system's hard drive.
I saved the script with Ctrl-X and then made the script executable
with the chmod command. I then started the script with
./rebootwin.
root@tty2[tmp]# chmod 755 test root@tty2[tmp]# ./rebootwin Sat Sep 13 23:52:46 UTC 2008
The next morning, I was able to check the results of the scanning process by examing the log files on the system's hard drive.
[ More Info ]
Searching for other rescue CD's, I also found one from F-Secure, which uses a Knoppix LiveCD to boot a system to perform an antivirus scan of the system. You can use it to boot a Windows system to check the system for viruses without booting into a possibly infected copy of the Windows operating system. F-Secure Rescue CD 2.00 is free and can update itself over the network, if a DHCP server is available on the network to provide it with IP configuration information. You don't need to understand Linux to use the software; you are presented with prompts to walk you through the process of scanning a system.
[ More Info ]
[ More Info ]
