Windows Forum / Security / Viruses / July 2008

Anti Virus Solutions That Use Their Own Boot CD?

Will - 02 Jul 2008 18:47 GMT
Can someone recommend an anti-virus solution that lets you build a boot CD
that will inspect the NTFS file system for trojans or viruses without any
need to boot the OS on the file system you are inspecting?

Signature

Will

Doug McIntyre - 02 Jul 2008 20:38 GMT
>Can someone recommend an anti-virus solution that lets you build a boot CD
>that will inspect the NTFS file system for trojans or viruses without any
>need to boot the OS on the file system you are inspecting?

That's not going to be too common, because it's not a very effective
model for ongoing A/V protection.

You could probably do something like this by combining together
something like BartPE or WindowsPE boot disks with Clamwin so that
you can boot (or even PXE boot) off CD and run Clamwin to scan files
on the mounted hard drive.
FromTheRafters - 02 Jul 2008 21:32 GMT
Has Clamwin now gone beyond the mostly email scanning
database? I recall that Clam's original purpose had been to
look for the types of malware that you would expect to find
in the email environment and misused as an all around scanner
by many of the open source proponents.

It shouldn't be any problem inspecting the files, but affecting
them is another matter.

>>Can someone recommend an anti-virus solution that lets you build a boot CD
>>that will inspect the NTFS file system for trojans or viruses without any
[quoted text clipped - 7 lines]
> you can boot (or even PXE boot) off CD and run Clamwin to scan files
> on the mounted hard drive.
Will - 03 Jul 2008 07:59 GMT
>>Can someone recommend an anti-virus solution that lets you build a boot CD
>>that will inspect the NTFS file system for trojans or viruses without any
>>need to boot the OS on the file system you are inspecting?
>
> That's not going to be too common, because it's not a very effective
> model for ongoing A/V protection.

Day-to-day protection has to balance many different issues like
intrusiveness and performance on a system under use. It's very easy to
subvert modern virus checking programs with root kit viruses. The rootkit
simply rewrites kernel functions and reports back to the virus checker only
the data it wants the checker to see.

Booting from a standalone CD is the only approach that guarantees that all
files on the file system can be inspected by an OS and application that is
not under control of a trojan or rootkit. It would be an extremely good
way of checking for hidden files or folders that would otherwise be hidden
from view if the rootkit were active.

It's a shame if no anti-virus vendor has seen fit to create such a bootable CD.

Signature

Will

David H. Lipman - 03 Jul 2008 11:21 GMT
From: "Will" <westes-usc@noemail.nospam>

>>>Can someone recommend an anti-virus solution that lets you build a boot CD
>>>that will inspect the NTFS file system for trojans or viruses without any
>>>need to boot the OS on the file system you are inspecting?

>> That's not going to be too common, because it's not a very effective
>> model for ongoing A/V protection.

| Day-to-day protection has to balance many different issues like
| intrusiveness and performance on a system under use.   It's very easy to
| subvert modern virus checking programs with root kit viruses.   The rootkit
| simply rewrites kernel functions and reports back to the virus checker only
| the data it wants the checker to see.

| Booting from a standalone CD is the only approach that guarantees that all
| files on the file system can be inspected by an OS and application that is
| not under control of a trojan or rootkit.     It would be an extremely good
| way of checking for hidden files or folders that would otherwise be hidden
| from view if the rootkit were active.

| It's a shame if no anti-virus vendor has seen fit to create such a bootable CD.

The problem is by nature a CDROM is Read-Only and thus can't be updated easily.  Thus, its
signature would go out of date rather rapidly.

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Will - 03 Jul 2008 21:06 GMT
A well-made product of the kind I am describing contains a program to create
that boot CD on demand, from the latest updates.

It's the same model that ERD Commander uses to build new recovery boot CDs,
installing different sets of device drivers on each build.

If you have a suspect computer, you would go to the "safe" computer,
download the latest virus files, then build a new boot CD and use it the
same day to do your inspection of the infected computer.

Signature

Will

> From: "Will" <westes-usc@noemail.nospam>
>
[quoted text clipped - 21 lines]
> The problem is by nature a CDROM is Read-Only and thus can't be updated easily.  Thus, its
> signature would go out of date rather rapidly.
David H. Lipman - 03 Jul 2008 22:04 GMT
From: "Will" <westes-usc@noemail.nospam>

| A well-made product of the kind I am describing contains a program to create
| that boot CD on demand, from the latest updates.

| It's the same model that ERD Commander uses to build new recovery boot CDs,
| installing different sets of device drivers on each build.

| If you have a suspect computer, you would go to the "safe" computer,
| download the latest virus files, then build a new boot CD and use it the
| same day to do your inspection of the infected computer.

That's true.  I explain such a concept in using a surrogate PC to download updates for my
Multi AV Scanning tool and transferring the Multi AV to a thumb drive (or media,
preferably Read/Write media) and then to an infected PC and boot from a DOS Disk or a DOS
disk with NTFS4DOS.

Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

http://www.pctipp.ch/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/


Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Will - 03 Jul 2008 23:50 GMT
> From: "Will" <westes-usc@noemail.nospam>
>
[quoted text clipped - 25 lines]
> English:
> http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

The idea of combining multiple anti-virus programs to one integrated
environment is nice.   You would think someone would have figured out how to
sell that as a subscription service and then send out a new CD every two
weeks and charge for it?    I would gladly pay and do not have the time to
put these kinds of packages together and then constantly update them.

Signature

Will

David H. Lipman - 04 Jul 2008 00:02 GMT
From: "Will" <westes-usc@noemail.nospam>

| The idea of combining multiple anti-virus programs to one integrated
| environment is nice.   You would think someone would have figured out how to
| sell that as a subscription service and then send out a new CD every two
| weeks and charge for it?    I would gladly pay and do not have the time to
| put these kinds of packages together and then constantly update them.

I provide the Multi AV Scanning Tool as CareWare.

If you find the tool useful and it has helped you -- Don't donate to me, donate to
charity.  :-)

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Twayne - 05 Jul 2008 00:56 GMT
>>> Can someone recommend an anti-virus solution that lets you build a
>>> boot CD that will inspect the NTFS file system for trojans or
[quoted text clipped - 18 lines]
> It's a shame if no anti-virus vendor has seen fit to create such a
> bootable CD.

Norton and, I think, McAfee both allow that, actually.  The only gotcha
is that only PART of the inspection can be done that way.  Since virus
profiles are constantly changing, it will still have to access the drive
to get those signatures.  But, it's still a very reliable way of
handling infections on PCs.  A CD, once written and its session closed,
is not going to be affected by any virus or malware of any kind.  So,
yes, they do it with the exception of using the signature files on the
hard drive.
  I can't understand why everyone is saying no one does it; I just
pulled out my CD to make sure I'm right, and, well, I'm right!  <g>.
Toss it in the drive, boot from it, the AV process automagically starts,
and off we go.  It's not new; been this way for a long, long time.
Will - 05 Jul 2008 01:35 GMT
> >>> Can someone recommend an anti-virus solution that lets you build a
> >>> boot CD that will inspect the NTFS file system for trojans or
[quoted text clipped - 31 lines]
> Toss it in the drive, boot from it, the AV process automagically starts,
> and off we go.  It's not new; been this way for a long, long time.

What you are describing is a way to run a virus checker from a CD after
booting the OS on the affected system.    The problem with that approach is
that a rootkit virus can alter the operating system calls to disguise what
is on the disk.

The c:\windows folder might contain a subdirectory named evilvirustoolkit,
but as long as you boot your OS under the control of the rootkit that folder
stays invisible to every application on the system, including your virus
checker.

What I was asking for was a virus checker that boots from *its own operating
system embedded on a CD*.   That way there is no involvement with infected
OS code on the system being inspected.

Signature

Will
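
The point made in the post above (a folder hidden by a rootkit in the running OS is visible from a clean boot CD) can be turned into a cross-view check; this is an added example, not part of the original thread. It compares a recursive file listing captured inside the running Windows install (for instance `dir /s /b /a C:\`) with one captured after booting the CD with the volume mounted read-only (for instance `find /mnt/suspect`). The mount point `/mnt/suspect`, the function names and the sample listings are assumptions constructed for illustration.

```python
from pathlib import PurePosixPath, PureWindowsPath

def normalize_live(line, drive="C:"):
    """Path from the listing taken inside the running (suspect) OS."""
    p = PureWindowsPath(line.strip())
    if p.drive.upper() != drive.upper():
        return None
    # Drop the drive root; NTFS names are compared case-insensitively.
    return "/".join(p.parts[1:]).casefold()

def normalize_offline(line, mount="/mnt/suspect"):
    """Path from the listing taken after booting the CD."""
    try:
        rel = PurePosixPath(line.strip()).relative_to(mount)
    except ValueError:
        return None  # line is not under the mounted volume
    return "/".join(rel.parts).casefold()

def cross_view(live_lines, offline_lines, drive="C:", mount="/mnt/suspect"):
    """Return (hidden_roots, live_only).

    hidden_roots: topmost paths present offline but absent from the live view,
    i.e. what the running OS did not report. live_only: paths seen only in the
    live view, usually files changed between the two captures.
    """
    live = {n for l in live_lines if (n := normalize_live(l, drive))}
    offline = {n for l in offline_lines if (n := normalize_offline(l, mount))}
    hidden = sorted(offline - live)
    # Report a hidden directory once instead of every file beneath it.
    roots = [p for p in hidden
             if not any(p.startswith(q + "/") for q in hidden if q != p)]
    return roots, sorted(live - offline)

# Constructed sample listings (not real captures).
LIVE = r"""
C:\Windows
C:\Windows\explorer.exe
C:\Windows\System32
C:\Windows\System32\kernel32.dll
"""
OFFLINE = """
/mnt/suspect/WINDOWS
/mnt/suspect/WINDOWS/explorer.exe
/mnt/suspect/WINDOWS/system32
/mnt/suspect/WINDOWS/system32/kernel32.dll
/mnt/suspect/WINDOWS/evilvirustoolkit
/mnt/suspect/WINDOWS/evilvirustoolkit/loader.sys
"""

if __name__ == "__main__":
    print(cross_view(LIVE.splitlines(), OFFLINE.splitlines()))
```

Entries in the first list deserve a closer look from the clean environment; files that legitimately changed between the two captures will also show up in either list.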

Al Dunbar - 05 Jul 2008 05:53 GMT
>> >>> Can someone recommend an anti-virus solution that lets you build a
>> >>> boot CD that will inspect the NTFS file system for trojans or
[quoted text clipped - 34 lines]
> What you are describing is a way to run a virus checker from a CD after
> booting the OS on the affected system.

Re-read what Twayne wrote: "Toss it in the drive, boot from it, the AV
process automagically starts". To me that means booting from the CD, not
booting the OS installed on the machine.

/Al

>    The problem with that approach is
> that a rootkit virus can alter the operating system calls to disguise what
[quoted text clipped - 10 lines]
> system embedded on a CD*.   That way there is no involvement with infected
> OS code on the system being inspected.
Will - 05 Jul 2008 07:24 GMT
>>> >>> Can someone recommend an anti-virus solution that lets you build a
>>> >>> boot CD that will inspect the NTFS file system for trojans or
[quoted text clipped - 38 lines]
> process automagically starts". to me that means booting from the CD, not
> booting the OS installed on the machine.

I guess I can go buy one and find out.   I did read what he wrote, but
somehow thought he didn't mean it as he literally said it.

Signature

Will

>>    The problem with that approach is
>> that a rootkit virus can alter the operating system calls to disguise
[quoted text clipped - 13 lines]
>> infected
>> OS code on the system being inspected.
David B. - 03 Jul 2008 14:05 GMT
Both Avira and Kaspersky have a free boot CD scanner available.

http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
http://ftp.kaspersky.com/devbuilds/RescueDisk/

Signature

----
Crosspost, do not multipost http://www.blakjak.demon.co.uk/mul_crss.htm
How to ask a question http://support.microsoft.com/kb/555375

> Can someone recommend an anti-virus solution that lets you build a boot CD
> that will inspect the NTFS file system for trojans or viruses without any
> need to boot the OS on the file system you are inspecting?
Will - 03 Jul 2008 23:54 GMT
That's great stuff.    We have a winner.    Thanks!

Signature

Will

> Both Avira and Kaspersky have a free boot CD scanner available.
>
[quoted text clipped - 5 lines]
>> that will inspect the NTFS file system for trojans or viruses without any
>> need to boot the OS on the file system you are inspecting?
Will - 04 Jul 2008 23:52 GMT
The Kaspersky boot CD simply shuts down the computer when it gets to the
graphics display.    It has a "safe" mode that looks like a simple bash
shell, and I have no idea what to do there.   Clearly an experimental
project for them....

The Avira boots, but it looks like a very simple tool.

Signature

Will

> Both Avira and Kaspersky have a free boot CD scanner available.
>
[quoted text clipped - 4 lines]
> > that will inspect the NTFS file system for trojans or viruses without any
> > need to boot the OS on the file system you are inspecting?
David B. - 07 Jul 2008 14:12 GMT
Haven't seen that behavior on any machines I've run it on.
Simple means nothing, as long as it accomplishes the task it's designed to
do, which is scan for nasties.

Signature

----
Crosspost, do not multipost http://www.blakjak.demon.co.uk/mul_crss.htm
How to ask a question http://support.microsoft.com/kb/555375

> The Kaspersky boot CD simply shuts down the computer when it gets to the
> graphics display.    It has a "safe" mode that looks like a simple bash
[quoted text clipped - 13 lines]
> any
>> > need to boot the OS on the file system you are inspecting?
 