Scan a Windows drive for viruses using Linux
Recently I came across a client who had a Windows XP machine that contained a nasty little virus that rendered the machine nearly unusable. When the machine booted, the CPU was pegged at 100%, leaving the GUI nearly unresponsive.
I attempted to run AVG, Avast, Malwarebytes - but all for naught. The machine was so slow that installing a simple anti-virus tool looked like it would take an entire 40 hour work week. So I opted for a different approach. Instead of allowing Windows to boot, I decided it was time to take advantage of my good old friend, Linux! That's right, Linux can scan a Windows machine for viruses, and it does it quite well. In this article I am going to show you a quick way to achieve this.
What you need
For all the simplicity you will enjoy with the Linux scan, there are a few things you will need. First you need to remove the drive from the Windows machine. That's right, we're going to attach it to the Linux machine and scan this now "external" drive. I prefer a USB adapter or dock, so that the drive is attached to the Linux machine as an external USB device.
You will also want to have a modern instance of Linux up and running. The machine can already be on. In fact, it's better if it is.
You will also need to install an anti-virus on Linux. F-Prot (http://www.f-prot.com/download/home_user/) is an outstanding choice.
The "how to"
The first thing you need to do is connect the infected drive to the Linux machine. Depending upon your distribution, an icon should appear on your desktop. If it does, double click that icon to ensure the drive mounts. Now check where that drive mounted (most likely somewhere under /media). You will then point your Linux scanning tool at that mount point, not at the raw device.
Let's say you are using F-Prot. To run this scan you would issue the command:
fpscan --disinfect /media/DISK
Where DISK is the mount point of your disk.
This will scan that drive and disinfect it. Understand that if one scanner doesn't locate the infected files you might want to run a different scanner. You can use ClamAV for email-based viruses (check out my article "Scan your Linux machine for viruses with ClamTK" for a GUI front end for ClamAV). NOTE: I will be doing an article on installing and using Avira Antivir on Linux this week.
Hopefully one of your anti-virus tools will have caught the culprit and either quarantined or removed the virus. Once you are done with the scan, make sure you unmount the "external" drive before you remove the hardware.
After the hard drive is off the Linux machine, re-install it to the Windows machine, and boot up. Hopefully you are good to go.
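As an added example (not part of the original article), the procedure above wrapped in a small POSIX sh script: it looks up the mount point of the attached device in /proc/mounts, refuses to run if the drive is not mounted, scans the mount point with F-Prot, and unmounts the drive afterwards. The device name and mount point are assumptions; fpscan must be installed and the script run as root so --disinfect can write to the drive.

```shell
#!/bin/sh
# Added example, not the article's own code. Usage: sudo sh scan-drive.sh /dev/sdb1
# Scans a mounted Windows drive with F-Prot and unmounts it when done.

# Resolve a block device to its mount point. Reads a mount table in
# /proc/mounts format from stdin so it can be tested on sample text.
# Returns 1 if the device is not present in the table.
# (Note: /proc/mounts escapes spaces in paths as \040.)
mountpoint_of() {
    awk -v dev="$1" '$1 == dev { print $2; found = 1 } END { exit !found }'
}

# Scan the drive at $1 (e.g. /dev/sdb1) via its mount point, then unmount it.
scan_drive() {
    dev="$1"
    mp=$(mountpoint_of "$dev" < /proc/mounts) || {
        echo "$dev is not mounted; mount it (e.g. via the desktop icon) first" >&2
        return 2
    }
    echo "Scanning $dev mounted at $mp"
    fpscan --disinfect "$mp"
    rc=$?
    # Flush any disinfected files to disk before the drive is detached.
    sync
    umount "$mp" || echo "could not unmount $mp; unmount it manually" >&2
    return $rc
}

if [ $# -eq 1 ]; then
    scan_drive "$1"
fi
```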
Final thoughts
You probably never thought you would need any anti-virus on a Linux machine. Well, if your Windows machine has become unusable you have found the perfect use for such a combination. And remember, if you are using Linux for your mail server, you should certainly have anti-virus installed.
Scanning a Windows drive for viruses using Linux is not a task that would be rare. Windows PCs are constantly infected with viruses. Why on earth then is there no simple to use Linux LiveCD/USB chock full of freeware antivirus programs? The last time I looked there were some 300+ flavors of Linux; Linux versions for web developers, programmers, musicians, etc. However, for years I have yet to find a Linux LiveCD/USB dedicated to scanning Windows for viruses. Am I missing something?
A dual boot system relieves the necessity of removing the drive. Partitioning your hard drive is an easy step when installing many flavours of Linux.
I easily removed 10 viruses from a friend’s machine running XP that way.
I’m doing just that as we speak. Correction, am trying to. Can’t seem to get the command right to scan my Vista part. Using the aforementioned F-prot. Any idea on the command? Tried several variations of /media/sda1, etc. Any pointers would be appreciated.
Thank u ..!
I use the Dr. Web Live CD for all systems. Have written an article on it but it’s not out yet. Of course you can update signatures, they will stay in RAM until reboot. You can turn it into a USB flash as well for persistency.
Every couple of months I get a new version of the Live CD so it isn’t so far behind when updating.
I posted to the forum topic Where Linux can help Windows user ;)
If you, guys, are into it, you can add more to my experience :)
Most live CD distributions do indeed support updating sigs and the like, just run the update for the AV. Then scan the system using the updated sigs.
FAR easier than tearing apart a system and moving a HD.
Gojes
Yes, I know 2 distros which load to RAM completely, leaving the drive or port free – Puppy and Parted Magic. Using both. But Puppy, it seems, can have troubles with non-English file and folder names, so I had to use Ubuntu as well.
3 CDs/distros not too much anyway.
@Roman
That’s because you made a Live installer, not a live full system… make one from installed system via its own distro tools, Fedora can do this and so do many other distro which currently slipped my mind… ;)
Even if it is not using Linux… it can save the day.
Use a bartPE made disc and add the clamwin to a usb.
There are 2 scenarios:
1. you have a bartPE disc with a decent browser on and a machine with mem on board (1G will work). Download the clamwin and latest db and install… it will be installed in ramdisk.
2. you have a spare winpc (or even the ‘bad’ one if it is still live and kicking). Download clamwin and db and install it. Copy the clamwin+db on a usb stick (the db is in the doc&setting folder !!!). Boot from bartPE disk and access the usb clam version.
Gojes
1) I saw Ubuntu LiveUSB, made by Unetbootin from .iso and after boot from it mounted as CD anyway.
2) If you have access to any of the system HDDs, you can work with them, even with NTFS ones. I have used that many times.
Live CD would make it hard to update virus definition, Live USB ftw!
DanTe, it’s good when you have another Win machine around. But sometimes you may not, and to bring a few Linux CD’s in your pocket may be easier than to bring one more PC :)
If I’m going to remove a Windows drive in order to scan it, I wouldn’t plug it into a Linux machine. I would plug it into a Windows machine via a USB or eSATA dock, and scan it with anti-virus software designed for Windows running on Windows.
Just make a specialized Linux with antivirus on a spare USB drive.
Don’t connect an IDE drive (via IDE cable) with the power on, unless you are SURE the drive AND the controller support hot-swap! USB and Firewire external drive cases, and SATA drives (with or without a “dock” or case) are, however, hot-swap by design.
Why not just use a live cd with built in AV, you could even roll your own with F-prot