Note: a newer version of the rescue CD is available, F-Secure Rescue CD 3.16.
F-Secure provides a rescue CD, Rescue-CD 2.00, from which you can boot a system and scan it for viruses. This is very useful when a system is so infected it won't boot, runs extremely slowly under Windows, crashes unexpectedly under Windows, or is so badly infected that you don't want to boot into Windows to try and install software to disinfect the system. The F-Secure Rescue-CD allows you to boot into an alternate operating system. In this case the boot CD is a Knoppix Linux LiveCD.
You can find further information on F-Secure Rescue-CD 2.00 at F-Secure Linux Blog >> Rescue-CD 2.00.
To use the software, download the ISO file and create a bootable CD from it using Nero or whatever other CD-burning software you may use that can create bootable CDs from .iso files. Then boot the system from the F-Secure Rescue CD. You will need to hit Enter at the initial Rescue CD screen or the system will boot into Microsoft Windows within 15 seconds.
< Next > <Restart>
If you select "Next", which you can do by using the arrow keys or by Alt-N, the software will attempt to update its virus definition database over the network. If the system is connected to a network when you boot it, it will attempt to obtain IP address information from a DHCP server, which will allow the rescue CD software to update its virus definitions.
You may see the following at the point where it is updating the definitions:
Updating virus defintion database.
This could take some time, depending you your Internet connection
You will then be prompted to agree to the End User License Agreement. When you select "Next" at that screen, you are asked to confirm that you have read the License Terms and accept them. You are then prompted to select the drives you want to scan. You can toggle the selection of drives/partitions on/off by using the arrow keys to move to a drive/partition and then using the spacebar to select or deselect an entry.
You can then select whether to "Proceed to Scan" or "Quit and restart". When you opt to "Proceed to Scan", a scan of the selected drives/partitions will commence.
Scanning
Scanning all filesystems mounted under /mnt/scan/ directory.
The results of the scan will be saved in /tmp/scan_results.txt
Alt-F1 This screen.
Alt-F5 To see details of files being scanned.
Alt-F6 To see any malware found.
Ctrl-C TO cancel scanning.
Scan started at Sat Mar 1 21:54:51 UTC 2008.
Scanned   Malware   Progress
100       0         ooooooooooooooooooooooooooooooooooooooo.........
The scan report will show which files F-Secure antivirus has determined were infected and renamed. When the files are renamed, .virus is appended to the end of the filename. E.g., hda1/WINDOWS/Temp/DWHD117.tmp would be renamed to hda1/WINDOWS/Temp/DWHD117.tmp.virus if the antivirus software deemed it to be infected.
< Next >
When you go to the next screen, you will see the following:
< Scan again > < Restart >
You can get to a shell prompt for the root account at any time by hitting Ctrl-Alt-F2, Ctrl-Alt-F3, or Ctrl-Alt-F4 (each will open a separate shell prompt). You can get back to the F-Secure Rescue CD selections by hitting Ctrl-Alt-F1.
If you wish to copy the file in which the results of the scan are stored, you can do so by hitting Ctrl-Alt-F2 to get a shell prompt. You can then type cd /tmp to change the working directory to the directory where the F-Secure antivirus software stores its results. In that directory you will find the following files:
mount_errors.txt
scan_errors.txt
scan_log.txt
scan_results.txt
The results of the scan are stored in scan_results.txt. You can use pico scan_results.txt or nano scan_results.txt to view the contents of that file. This can be useful if, as in the case above, the full path for the infected file was so long that the filename and the particular virus found aren't displayed. E.g., in the screen display above, hda1/Documents and Settings/All Users/Application Data/Symantec/Norton is displayed. In that case, I know that the F-Secure program is identifying something it found in a Symantec AntiVirus quarantine directory, but, if I wanted to know what virus F-Secure identified associated with that file, I could look in /tmp/scan_results.txt to check, since I could see the full text for each entry there.
You can see the results for every file checked by viewing scan_log.txt. Those that were deemed uninfected will have clean after their entries in the log files. If any problems were encountered scanning particular files, you can find information on the reason within scan_errors.txt.
For hard drive partitions that were scanned, look under /mnt/scan with ls /mnt/scan. You should see something like /mnt/scan/hda1 for an IDE disk drive.
So, if you want to copy the scan files created during the scan of the system to the system's hard disk, you could create a directory on the system's hard drive and copy them there. E.g., suppose I want to put the files in the C:\TEMP directory on the hard drive in a subdirectory called F-Secure. I could create the subdirectory with mkdir /mnt/scan/hda1/TEMP/F-Secure. Note: since the rescue CD is a Knoppix Linux LiveCD, you need to be mindful that directory names are case-sensitive. Temp is not the same as TEMP. You can use the Linux ls command to view directory contents, e.g. ls /mnt/scan/hda1. After creating the directory for the scan files, I could copy scan_errors.txt, scan_log.txt, and scan_results.txt to it with the command cp scan*.txt /mnt/scan/hda1/TEMP/F-Secure/. That allows me to retain that information after rebooting the system.
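As an added example (not part of the original page and not code shipped with the Rescue CD), the following POSIX shell script does the copy described above from a Ctrl-Alt-F2 shell: it looks for an existing TEMP folder on the scanned partition ignoring case, so that "Temp" and "TEMP" don't end up as two separate folders, creates the F-Secure subdirectory, and copies the scan*.txt reports into it. The function names find_dir_ci and save_scan_results and the SKIP_RESCUE_COPY variable are my own.

```shell
#!/bin/sh
# Added example: save the F-Secure Rescue CD scan reports from /tmp onto the
# scanned Windows partition so they survive a reboot. Assumes the layout the
# page describes: reports in /tmp, partitions mounted under /mnt/scan/<device>.

# find_dir_ci <parent> <name>: print the path of a subdirectory of <parent>
# whose name matches <name> ignoring case (Knoppix is case-sensitive, so an
# existing "Temp" must be reused rather than creating a second "TEMP").
# Returns 1 if no such directory exists.
find_dir_ci() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        if [ "$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')" = "$want" ]; then
            printf '%s\n' "$1/$name"
            return 0
        fi
    done
    return 1
}

# save_scan_results <results dir> <partition mount>: copy scan*.txt
# (scan_errors.txt, scan_log.txt, scan_results.txt; mount_errors.txt is
# deliberately left out, matching the page's cp scan*.txt) into
# <partition>/TEMP/F-Secure and print the destination. Returns 1 if
# nothing was copied.
save_scan_results() {
    src=$1; part=$2
    tmpdir=$(find_dir_ci "$part" TEMP) || { tmpdir="$part/TEMP"; mkdir -p "$tmpdir"; }
    dest="$tmpdir/F-Secure"
    mkdir -p "$dest"
    copied=0
    for f in "$src"/scan*.txt; do
        [ -f "$f" ] || continue
        cp "$f" "$dest/" && copied=$((copied + 1))
    done
    [ "$copied" -gt 0 ] || return 1
    printf '%s\n' "$dest"
}

# On the Rescue CD itself: copy the reports to the first partition that
# accepts them. Set SKIP_RESCUE_COPY=1 to only load the functions.
if [ -d /mnt/scan ] && [ -z "$SKIP_RESCUE_COPY" ]; then
    for p in /mnt/scan/*/; do
        save_scan_results /tmp "${p%/}" && break
    done
fi
```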
You can return to the Scan report screen with Alt-F1.
Like many antivirus vendors, F-Secure doesn't do a good job of providing information on the viruses it detects, so you are left wondering exactly what the malware may do. For instance, in the example above, files were identified as infected with JS/Bankfraud.B@troj [Libra], yet I could find no information on this malware in the F-Secure Virus Description Database. It wasn't listed under "J", nor "B" for "Bankfraud", nor even "T" for "Troj", nor did anything relevant appear when I searched the Virus Description Database for "Bankfraud". F-Secure suggests searching for information at the Project VGrep home page on the Virus Bulletin web site. That site provides cross-reference names for viruses. When I searched for js/bankfraud.b there, I did find it listed under other names for other vendors. There was no reference for F-Secure there.
Note: I scanned a Windows Small Business Server (SBS) 2003 system with F-Secure Rescue CD without a problem, but when I scanned a Windows Vista laptop, the scan hung after scanning 100 files. I rebooted the system and tried again. The second time, 300 files were scanned before the system hung again. In both cases, the system wouldn't respond to any keyboard input. I let the second scan run overnight, thinking that it might be taking a long time to scan a particularly large file, but the system was at the same point the next morning and was not responding to any keyboard input.
Created: Sunday March 2, 2008