Linux, Wine, windows virus question. - Ubuntu



  1. Linux, Wine, windows virus question.

    Thanks to my router SNAFU this week I am seriously paranoid about
    leaving windows on long enough to perform a total disk scan
    virus/spyware/malware check on about 40GB of stuff on the drive.
    So here is the question...
    Has anybody ever tried to install XP anti-virus scanners in wine and
    then scan a real windows installation?
    Same for VMware, virtual box, xen, etc.
    I have them all but haven't had time to play with them as much as I want
    due to summer outdoors stuff and my trying to deal with various
    government agencies regarding projects I am working on. I am pulling a
    'Thomas Edison' this year and have found many things that can stand to
    be re-invented for better energy use and 'green' projects.
    My plan was to install AVG, Norton/Symantec/whoever's software and try
    to clean up windows without actually running it, since a virus could
    still be sending out spam during the time of the test.
    The 'possibly' obvious answer would be to just unplug my Internet during
    the scan but I do need to update all my programs first and that seems a
    bit risky at this point.
    I am not doing this with the intent of being a 'win-droid' but it is a
    windows world with the government agencies like the patent office and
    many that I am dealing with. This year is a non 'work for someone else'
    year for me, since I do have that option, and I am trying to do
    something for the planet and not just some dip wad employer.
    Since I am up to my eyeballs with trying to develop these ideas I don't
    have a ton of time to play with all this right now, um, this year.
    Thanks in advance,
    Bill Baka

  2. Re: Linux, Wine, windows virus question.

    > Has anybody ever tried to install XP anti-virus scanners in wine and
    > then scan a real windows installation?


    There's nothing stopping you downloading a raft of stuff to enable you
    to scan the potentially infected machine while keeping it offline.

    I've got a bunch of links to assorted AV / rootkit / spyware linked on
    my site here:

    http://coreutilities.co.uk/useful.html (it redirects to vndv.com)

    You can also download the latest Spybot S&D and the majority of the
    updates (you still get some others available once online, like
    descriptions, but the main update "includes" is a good start), and
    transfer them via memory stick / CD.

    Blacklight is really friendly to use, not at all like Mark
    Russinovich's Rootkit Revealer - it's click and run and wait.

    Smitfraudfix is best run from Safe Mode, and I'd suggest a couple of
    things - do a scan, then reboot back to Safe Mode and do the DNS fix
    (just in case it has been hacked)

    Sysclean also scans for spyware as well as using the full AV
    signatures of its paid-for big brother, but is a "one-off" rather
    than resident checker. Download the program itself, the signatures,
    and the .DA5 (spyware sigs), stick them all in the same directory, and
    unpack the AV and spyware sigs before running the Sysclean executable
    itself.

    I'd also strongly recommend running Vundofix, as it's on a lot of
    machines I check ! (this can be done via a normal boot)

    Avast is pretty good (and free), but if you want to be absolutely
    paranoid, get Avira (http://www.free-av.com) - you can check out the
    relative performances of Windows AV programs at:

    http://www.av-comparatives.org

    (comparatives section / online report) - the retrospective test is
    interesting as it does a test on an un-updated machine using old
    signatures to see how it copes with new stuff.

  3. Re: Linux, Wine, windows virus question.

    Colin Wilson wrote:
    >> Has anybody ever tried to install XP anti-virus scanners in wine and
    >> then scan a real windows installation?
    >>

    >
    > There's nothing stopping you downloading a raft of stuff to enable you
    > to scan the potentially infected machine while keeping it offline.
    >
    > I've got a bunch of links to assorted AV / rootkit / spyware linked on
    > my site here:
    >
    > http://coreutilities.co.uk/useful.html (it redirects to vndv.com)
    >
    > You can also download the latest Spybot S&D and the majority of the
    > updates (you still get some others available once online, like
    > descriptions, but the main update "includes" is a good start), and
    > transfer them via memory stick / CD.
    >
    > Blacklight is really friendly to use, not at all like Mark
    > Russinovich's Rootkit Revealer - it's click and run and wait.
    >
    > Smitfraudfix is best run from Safe Mode, and I'd suggest a couple of
    > things - do a scan, then reboot back to Safe Mode and do the DNS fix
    > (just in case it has been hacked)
    >
    > Sysclean also scans for spyware as well as using the full AV
    > signatures of its paid-for big brother, but is a "one-off" rather
    > than resident checker. Download the program itself, the signatures,
    > and the .DA5 (spyware sigs), stick them all in the same directory, and
    > unpack the AV and spyware sigs before running the Sysclean executable
    > itself.
    >
    > I'd also strongly recommend running Vundofix, as it's on a lot of
    > machines I check ! (this can be done via a normal boot)
    >
    > Avast is pretty good (and free), but if you want to be absolutely
    > paranoid, get Avira (http://www.free-av.com) - you can check out the
    > relative performances of Windows AV programs at:
    >
    > http://www.av-comparatives.org
    >
    > (comparatives section / online report) - the retrospective test is
    > interesting as it does a test on an un-updated machine using old
    > signatures to see how it copes with new stuff.
    >

    Thanks,
    I just went there quickly and book marked them (in Ubuntu) so I can
    download them here and write the files to my XP transfer directory. Then
    I can unplug my Ethernet cable, boot XP, and install all of them and run
    them, no memory stick needed. Even if a virus tries to disable an
    anti-virus program, the theory is that it can't get them all.
    It is sooo nice that Linux, Ubuntu at least, will read and write to an
    NTFS drive partition.
    Again, thanks for the idea input.
    Bill Baka

  4. Re: Linux, Wine, windows virus question.

    Bill Baka wrote:
    > Thanks to my router SNAFU this week I am seriously paranoid about
    > leaving windows on long enough to perform a total disk scan
    > virus/spyware/malware check on about 40GB of stuff on the drive.
    > So here is the question...
    > Has anybody ever tried to install XP anti-virus scanners in wine and
    > then scan a real windows installation?
    > Same for VMware, virtual box, xen, etc.
    > I have them all but haven't had time to play with them as much as I want
    > due to summer outdoors stuff and my trying to deal with various
    > government agencies regarding projects I am working on. I am pulling a
    > 'Thomas Edison' this year and have found many things that can stand to
    > be re-invented for better energy use and 'green' projects.
    > My plan was to install AVG, Norton/Symantec/whoever's software and try
    > to clean up windows without actually running it, since a virus could
    > still be sending out spam during the time of the test.
    > The 'possibly' obvious answer would be to just unplug my Internet during
    > the scan but I do need to update all my programs first and that seems a
    > bit risky at this point.
    > I am not doing this with the intent of being a 'win-droid' but it is a
    > windows world with the government agencies like the patent office and
    > many that I am dealing with. This year is a non 'work for someone else'
    > year for me, since I do have that option, and I am trying to do
    > something for the planet and not just some dip wad employer.
    > Since I am up to my eyeballs with trying to develop these ideas I don't
    > have a ton of time to play with all this right now, um, this year.
    > Thanks in advance,
    > Bill Baka



    Several years ago I ran Norton Anti-Virus on a Windows XP Pro box, and
    had it scan my Thunderbird (maybe it was Mozilla back then) e-mail
    directory on a Lindows box, over the LAN.

    NAV discovered four infected e-mail messages, but couldn't do anything
    about removing the virus, quarantining, or other "protective" measures.

    AFAIK, those four infected messages are still in the mail store on this
    Ubuntu 6.06 box.

    If you want to scan your Windows box, and don't want it to possibly send
    out spam, simply disconnect the network while you scan.


    --
    John

    No Microsoft, Apple, AT&T, Intel, Novell, Trend Micro, nor Ford products were used in the preparation or transmission of this message.

    The EULA sounds like it was written by a team of lawyers who want to tell me what I can't do. The GPL sounds like it was written by a human being, who wants me to know what I can do.

  5. Re: Linux, Wine, windows virus question.

    John F. Morse wrote:
    > Bill Baka wrote:
    >> Thanks to my router SNAFU this week I am seriously paranoid about
    >> leaving windows on long enough to perform a total disk scan
    >> virus/spyware/malware check on about 40GB of stuff on the drive.
    >> So here is the question...
    >> Has anybody ever tried to install XP anti-virus scanners in wine and
    >> then scan a real windows installation?
    >> Same for VMware, virtual box, xen, etc.
    >> I have them all but haven't had time to play with them as much as I want
    >> due to summer outdoors stuff and my trying to deal with various
    >> government agencies regarding projects I am working on. I am pulling a
    >> 'Thomas Edison' this year and have found many things that can stand to
    >> be re-invented for better energy use and 'green' projects.
    >> My plan was to install AVG, Norton/Symantec/whoever's software and try
    >> to clean up windows without actually running it, since a virus could
    >> still be sending out spam during the time of the test.
    >> The 'possibly' obvious answer would be to just unplug my Internet during
    >> the scan but I do need to update all my programs first and that seems a
    >> bit risky at this point.
    >> I am not doing this with the intent of being a 'win-droid' but it is a
    >> windows world with the government agencies like the patent office and
    >> many that I am dealing with. This year is a non 'work for someone else'
    >> year for me, since I do have that option, and I am trying to do
    >> something for the planet and not just some dip wad employer.
    >> Since I am up to my eyeballs with trying to develop these ideas I don't
    >> have a ton of time to play with all this right now, um, this year.
    >> Thanks in advance,
    >> Bill Baka

    >
    >
    > Several years ago I ran Norton Anti-Virus on a Windows XP Pro box, and
    > had it scan my Thunderbird (maybe it was Mozilla back then) e-mail
    > directory on a Lindows box, over the LAN.
    >
    > NAV discovered four infected e-mail messages, but couldn't do anything
    > about removing the virus, quarantining, or other "protective" measures.
    >
    > AFAIK, those four infected messages are still in the mail store on
    > this Ubuntu 6.06 box.
    >
    > If you want to scan your Windows box, and don't want it to possibly
    > send out spam, simply disconnect the network while you scan.
    >
    >

    NAV sounds kind of useless if it wouldn't remove the bad files. It may
    be the storage of Mozilla, rolling all the email into one big file that
    only Thunderbird can read, that caused the problem. Killing bad cookies
    is no problem since they are individual files. A previous poster today
    jogged me into thinking about downloading all possibly useful files in
    Ubuntu then saving the installations to an NTFS transfer directory, then
    disconnecting and booting windows.
    All good input.
    Thanks to all,
    Bill Baka

  6. Re: Linux, Wine, windows virus question.

    Bill Baka wrote:

    > Thanks to my router SNAFU this week I am seriously paranoid about
    > leaving windows on long enough to perform a total disk scan
    > virus/spyware/malware check on about 40GB of stuff on the drive.
    > So here is the question...
    > Has anybody ever tried to install XP anti-virus scanners in wine and
    > then scan a real windows installation?


    Not that. But for disinfecting laptops and other PCs I boot them with a
    rescuecd (linux), share the windows partitions with ntfs-3g from that one,
    and scan from another linux machine with clamav, f-prot and avg.
    Usually with a switch to remove suspicious files altogether, even if that
    makes a repair install necessary afterwards.
    Of course, before scanning, I get rid of temp folders, recycler and the
    system_volume_information as well.


  7. Re: Linux, Wine, windows virus question.

    Bill Baka schreef:
    > Thanks to my router SNAFU this week I am seriously paranoid about
    > leaving windows on long enough to perform a total disk scan
    > virus/spyware/malware check on about 40GB of stuff on the drive.
    > So here is the question...
    > Has anybody ever tried to install XP anti-virus scanners in wine and
    > then scan a real windows installation?
    > Same for VMware, virtual box, xen, etc.
    > I have them all but haven't had time to play with them as much as I want
    > due to summer outdoors stuff and my trying to deal with various
    > government agencies regarding projects I am working on. I am pulling a
    > 'Thomas Edison' this year and have found many things that can stand to
    > be re-invented for better energy use and 'green' projects.
    > My plan was to install AVG, Norton/Symantec/whoever's software and try
    > to clean up windows without actually running it, since a virus could
    > still be sending out spam during the time of the test.
    > The 'possibly' obvious answer would be to just unplug my Internet during
    > the scan but I do need to update all my programs first and that seems a
    > bit risky at this point.
    > I am not doing this with the intent of being a 'win-droid' but it is a
    > windows world with the government agencies like the patent office and
    > many that I am dealing with. This year is a non 'work for someone else'
    > year for me, since I do have that option, and I am trying to do
    > something for the planet and not just some dip wad employer.
    > Since I am up to my eyeballs with trying to develop these ideas I don't
    > have a ton of time to play with all this right now, um, this year.
    > Thanks in advance,
    > Bill Baka


    As others have suggested you'd be served well disconnecting the network
    while running XP.

    In recent months I have had very good results running the Trend Micro
    offline virus scanner.
    "http://www.freecomputerconsultant.com/sysclean.html"

  8. Re: Linux, Wine, windows virus question.

    Dirk T. Verbeek wrote:
    >
    > As others have suggested you'd be served well disconnecting the
    > network while running XP.

    Yes, I am already planning that.
    >
    >
    > In recent months I have had very good results running the Trend Micro
    > offline virus scanner.
    > "http://www.freecomputerconsultant.com/sysclean.html"

    I went there just now and it is bookmarked.
    Thanks for the reply.
    URLs are probably the most helpful thing, but it is also very good
    sense to be off the network.

    Thanks for the note.
    Bill Baka

    I hope at least one other person can make use of that URL.

  9. Re: Linux, Wine, windows virus question.

    Bill Baka wrote:
    > Thanks to my router SNAFU this week I am seriously paranoid about
    > leaving windows on long enough to perform a total disk scan
    > virus/spyware/malware check on about 40GB of stuff on the drive.
    > [...]


    http://technet.microsoft.com/en-gb/l.../cc700813.aspx
    "The only way to clean a compromised system is to flatten and
    rebuild."

    I think this also holds for Linux.

    --
    Niklaus

  10. Re: Linux, Wine, windows virus question.

    Niklaus Kuehnis wrote:
    > Bill Baka wrote:
    >
    >> Thanks to my router SNAFU this week I am seriously paranoid about
    >> leaving windows on long enough to perform a total disk scan
    >> virus/spyware/malware check on about 40GB of stuff on the drive.
    >> [...]
    >>

    >
    > http://technet.microsoft.com/en-gb/l.../cc700813.aspx
    > "The only way to clean a compromised system is to flatten and
    > rebuild."
    >
    > I think this also holds for Linux.
    >
    >

    It does hold true for Windows since once it gets to a certain point it
    is hopeless. A badly fragged drive can kill most recovery programs. I
    managed to re-install a Linux once without wiping the old settings out,
    but I totally forgot how I pulled it off.
    Bill Baka

  11. Re: Linux, Wine, windows virus question.

    wisdomkiller & pain wrote:
    > Bill Baka wrote:
    >
    >
    >> Thanks to my router SNAFU this week I am seriously paranoid about
    >> leaving windows on long enough to perform a total disk scan
    >> virus/spyware/malware check on about 40GB of stuff on the drive.
    >> So here is the question...
    >> Has anybody ever tried to install XP anti-virus scanners in wine and
    >> then scan a real windows installation?
    >>

    >
    > Not that. But for disinfecting laptops and other PCs I boot them with a
    > rescuecd (linux), share the windows partitions with ntfs-3g from that one,
    > and scan from another linux machine with clamav, f-prot and avg.
    > Usually with a switch to remove suspicious files altogether, even if that
    > makes a repair install necessary afterwards.
    > Of course, before scanning, I get rid of temp folders, recycler and the
    > system_volume_information as well.
    >
    >

    It sounds plausible but since Linux does not use things like .exe
    executables and dll's like windows how does clam or another linux based
    program handle them? My plan is to not have to re-install XP since that
    is an all day job to do it from scratch, but to unplug my Ethernet
    connection and transfer my pdf and jpg files to a non-bootable storage
    only disk, then defrag because it is a mess right now, then scan about 5
    times, each with a different scanner, AVG included, then Avira, Avast,
    and whatever other free or trial ones there are. I bought Zonealarm pro
    with AV and anti-spyware, so scanning 40GB or so will take me a few
    days. I can pop in here between tests and reboots to check and report to
    anyone interested. It may not be Ubuntu specific or it might have some
    direct Ubuntu relevance, since Ubuntu is capable of reading NTFS but not
    the other way around.
    Thanks,
    Bill

  12. Re: Linux, Wine, windows virus question.

    Bill Baka wrote:

    > wisdomkiller & pain wrote:

    .....
    >> Not that. But for disinfecting laptops and other PCs I boot them with a
    >> rescuecd (linux), share the windows partitions with ntfs-3g from that
    >> one, and scan from another linux machine with clamav, f-prot and avg.
    >> Usually with a switch to remove suspicious files altogether, even if that
    >> makes a repair install necessary afterwards.
    >> Of course, before scanning, I get rid of temp folders, recycler and the
    >> system_volume_information as well.
    >>
    >>

    > It sounds plausible but since Linux does not use things like .exe
    > executables and dll's like windows how does clam or another linux based
    > program handle them? My plan is to not have to re-install XP since that


    Clamav and avg workstation for linux and others do mostly find windows
    viruses and malware. Only a minuscule percentage/promillage *g* of the
    patterns is for *nix malware.

    > is an all day job to do it from scratch, but to unplug my Ethernet
    > connection and transfer my pdf and jpg files to a non-bootable storage
    > only disk, then defrag because it is a mess right now, then scan about 5
    > times, each with a different scanner, AVG included, then Avira, Avast,


    As long as you scan from inside the running windows system, you risk
    rootkits hiding away malware from sight of scanners. Or at least
    undeleteable malware due to "file in use"-issues.
    That does not happen when you use an independent OS to boot your pc and just
    mount the partitions about to scan.

    > and whatever other free or trial ones there are. I bought Zonealarm pro
    > with AV and anti-spyware, so scanning 40GB or so will take me a few
    > days. I can pop in here between tests and reboots to check and report to
    > anyone interested. It may not be Ubuntu specific or it might have some
    > direct Ubuntu relevance, since Ubuntu is capable of reading NTFS but not
    > the other way around.


    You are about to waste a lot of your time, stress your harddisk, lose your
    patience and finally ... well, everything that takes you to install linux
    on that infested 'puter can only make things better.


  13. Re: Linux, Wine, windows virus question.

    wisdomkiller & pain wrote:
    > Bill Baka wrote:
    >
    >
    >> wisdomkiller & pain wrote:
    >>

    > ....
    >
    >>> Not that. But for disinfecting laptops and other PCs I boot them with a
    >>> rescuecd (linux), share the windows partitions with ntfs-3g from that
    >>> one, and scan from another linux machine with clamav, f-prot and avg.
    >>> Usually with a switch to remove suspicious files altogether, even if that
    >>> makes a repair install necessary afterwards.
    >>> Of course, before scanning, I get rid of temp folders, recycler and the
    >>> system_volume_information as well.
    >>>
    >>>
    >>>

    >> It sounds plausible but since Linux does not use things like .exe
    >> executables and dll's like windows how does clam or another linux based
    >> program handle them? My plan is to not have to re-install XP since that
    >>

    >
    > Clamav and avg workstation for linux and others do mostly find windows
    > viruses and malware. Only a minuscule percentage/promillage *g* of the
    > patterns is for *nix malware.
    >

    So far, so good.
    >
    >> is an all day job to do it from scratch, but to unplug my Ethernet
    >> connection and transfer my pdf and jpg files to a non-bootable storage
    >> only disk, then defrag because it is a mess right now, then scan about 5
    >> times, each with a different scanner, AVG included, then Avira, Avast,
    >>

    >
    > As long as you scan from inside the running windows system, you risk
    > rootkits hiding away malware from sight of scanners. Or at least
    > undeleteable malware due to "file in use"-issues.
    > That does not happen when you use an independent OS to boot your pc and just
    > mount the partitions about to scan.
    >

    That was my initial question about wine since booting an infected XP
    will not always work.
    >
    >> and whatever other free or trial ones there are. I bought Zonealarm pro
    >> with AV and anti-spyware, so scanning 40GB or so will take me a few
    >> days. I can pop in here between tests and reboots to check and report to
    >> anyone interested. It may not be Ubuntu specific or it might have some
    >> direct Ubuntu relevance, since Ubuntu is capable of reading NTFS but not
    >> the other way around.
    >>

    >
    > You are about to waste a lot of your time, stress your harddisk, lose your
    > patience and finally ... well, everything that takes you to install linux
    > on that infested 'puter can only make things better.
    >
    >

    I'm there already.
    Thanks,
    Bill Baka

  14. Re: Linux, Wine, windows virus question.

    > As long as you scan from inside the running windows system, you risk
    > rootkits hiding away malware from sight of scanners. Or at least
    > undeleteable malware due to "file in use"-issues.


    I pointed the OP towards a rootkit finder... the "file in use" errors
    are typically taken care of by the other apps I referred to as well,
    with some running during a reboot, some in safe mode, and some prompt
    you to re-run following a reboot if components were detected.

    > That does not happen when you use an independent OS to boot your pc and just
    > mount the partitions about to scan.


    Without booting into Windows, many apps are not able to scan a system
    as though it was booted "properly" i.e. not able to re-target the code
    to scan the "remote" registry properly etc.

  15. Re: Linux, Wine, windows virus question.

    I'm the OP, so here goes..

    Colin Wilson wrote:
    >> As long as you scan from inside the running windows system, you risk
    >> rootkits hiding away malware from sight of scanners. Or at least
    >> undeleteable malware due to "file in use"-issues.
    >>

    I have had that happen so I can confirm that.
    >
    > I pointed the OP towards a rootkit finder... the "file in use" errors
    > are typically taken care of by the other apps I referred to as well,
    > with some running during a reboot, some in safe mode, and some prompt
    > you to re-run following a reboot if components were detected.
    >

    Still checking, and have found a few rootkit finders.
    >
    >> That does not happen when you use an independent OS to boot your pc and just
    >> mount the partitions about to scan.
    >>

    >
    > Without booting into Windows, many apps are not able to scan a system
    > as though it was booted "properly" i.e. not able to re-target the code
    > to scan the "remote" registry properly etc.
    >

    Confirmed that one also. Checking from another windows installation will
    not check the registry on the installation you want to check. A pre-scan
    seems to be the logical thing then boot the suspect system and make sure
    the registry gets thoroughly checked and cleaned. Using multiple
    scanners is also about the only way to go since I have had Symantec,
    McAfee and others miss some things that shareware types like AVG or
    Adaware have found.
    Tip-toeing through a mine field.
    Bill Baka

  16. Re: Linux, Wine, windows virus question.

    Bill Baka wrote:

    > I'm the OP, so here goes..

    .....
    >> Without booting into Windows, many apps are not able to scan a system
    >> as though it was booted "properly" i.e. not able to re-target the code
    >> to scan the "remote" registry properly etc.
    >>

    > Confirmed that one also. Checking from another windows installation will
    > not check the registry on the installation you want to check. A pre-scan
    > seems to be the logical thing then boot the suspect system and make sure
    > the registry gets thoroughly checked and cleaned. Using multiple
    > scanners is also about the only way to go since I have had Symantec,
    > McAfee and others miss some things that shareware types like AVG or
    > Adaware have found.
    > Tip-toeing through a mine field.


    Yes, scanning from a bootcd does not address the registry changes.
    However, files not present anymore 'cause the scanner killed them, that are
    addressed in the registry, just produce messages at startup. You can later
    on remove the corresponding registry entries, or run a regcleaner.
    Sometimes even default associations to exe or others got remapped by
    viruses, which makes a registry repair necessary.


  17. Re: Linux, Wine, windows virus question.

    > McAfee and others miss some things that shareware types like AVG or
    > Adaware have found.


    From personal experience, although AVG might have improved in the last
    12 months, every machine I was called in to look at that had AVG
    installed had at least two live viruses in memory...

    I use Avast myself as a freebie, but another machine I use (my wife's)
    has Avira installed. It's _very_ effective.

    > Tip-toeing through a mine field.


    ....and Windows is a pair of size 12 clodhopper boots to do it in.

  18. Re: Linux, Wine, windows virus question.

    > Yes, scanning from a bootcd does not address the registry changes.
    > However, files not present anymore 'cause the scanner killed them, that are
    > addressed in the registry, just produce messages at startup. You can later
    > on remove the corresponding registry entries, or run a regcleaner.


    Infected system files that are deleted can cause problems :-}

    It's not a quick or sure fix either way, look to the machine being
    offline for at least 12 hours until you can be relatively "happy" that
    it's had a good going over... :-}
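    A worked example, added here and not part of any post in this thread, that pulls together the offline-scan approach of posts 6 and 12 (boot an independent Linux, mount the Windows partition with ntfs-3g, scan from outside the suspect OS) and the caveat from posts 16 and 18 (a deleted system file the registry still references can break the next boot, so hits are moved into a restorable quarantine with a manifest instead of being removed). It assumes the partition is already mounted read-write at a path such as /mnt/win (placeholder; the device name is likewise a placeholder), that clamscan is installed on the rescue system, and that the SAMPLE_OUTPUT lines are constructed test data rather than a real scan.

```python
"""Offline scan of a Windows partition from a Linux rescue system.

Assumes the NTFS partition is already mounted read-write with ntfs-3g, e.g.
    ntfs-3g /dev/sdXN /mnt/win      (/dev/sdXN is a placeholder)
and that clamscan is installed. Scanning from outside the suspect OS avoids
rootkit hiding and "file in use" errors but cannot repair registry entries.
"""
import re
import shutil
import subprocess
import sys
from pathlib import Path

# Directories post 6 clears before scanning; excluded here so nothing under them
# is touched and the scan is shorter. clamscan matches these regexes on dir paths.
SKIP_DIR_PATTERNS = [
    r"/System Volume Information(/|$)",
    r"/RECYCLER(/|$)",
    r"/\$Recycle\.Bin(/|$)",
    r"/Temp(/|$)",
    r"/Temporary Internet Files(/|$)",
]

# clamscan --infected prints one "<path>: <signature> FOUND" line per hit and a
# summary block that ends with "Infected files: N".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^Infected files: (\d+)$")

# Constructed sample of clamscan output (not from a real scan), for demo and tests.
SAMPLE_OUTPUT = """\
/mnt/win/WINDOWS/system32/drivers/evil.sys: Win.Trojan.Example-1 FOUND
/mnt/win/Documents and Settings/bill/Local Settings/setup.exe: Win.Adware.Example-2 FOUND

----------- SCAN SUMMARY -----------
Scanned files: 300
Infected files: 2
"""

def build_clamscan_cmd(mount_point, log_file):
    """Argument list for a recursive scan that reports only infected files and
    skips SKIP_DIR_PATTERNS. --remove and --move are deliberately not used."""
    cmd = ["clamscan", "--recursive", "--infected", f"--log={log_file}"]
    cmd += [f"--exclude-dir={p}" for p in SKIP_DIR_PATTERNS]
    cmd.append(str(mount_point))
    return cmd

def parse_clamscan_output(text):
    """Return ([(path, signature), ...], infected_count) from clamscan stdout."""
    hits, count = [], 0
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("sig")))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            count = int(m.group(1))
    return hits, count

def quarantine(hits, mount_point, qdir):
    """Move each hit into qdir (which must exist), keeping its path relative to
    the mount point, and append a manifest line so a file the registry still
    references can be put back if Windows will not boot. Returns files moved."""
    mount_point, qdir = Path(mount_point), Path(qdir)
    moved = 0
    with open(qdir / "MANIFEST.tsv", "a", encoding="utf-8") as manifest:
        for path, sig in hits:
            src = Path(path)
            try:
                rel = src.relative_to(mount_point)
            except ValueError:
                continue  # outside the scanned partition; leave it alone
            dst = qdir / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dst))
            manifest.write(f"{sig}\t{src}\t{dst}\n")
            moved += 1
    return moved

def main(mount_point, qdir):
    Path(qdir).mkdir(parents=True, exist_ok=True)
    cmd = build_clamscan_cmd(mount_point, Path(qdir) / "clamscan.log")
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode == 2:  # clamscan exit codes: 0 clean, 1 hits, 2 error
        sys.exit(f"clamscan failed: {proc.stderr.strip()}")
    hits, count = parse_clamscan_output(proc.stdout)
    print(f"clamscan reported {count} hit(s); quarantined "
          f"{quarantine(hits, mount_point, qdir)} file(s) into {qdir}")

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: offline_scan.py /mnt/win /root/quarantine")
    main(sys.argv[1], sys.argv[2])
```

After Windows boots again, the registry still needs its own pass (post 16); the MANIFEST.tsv lists what was moved and where, so a file that turns out to be needed can be restored.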
