Security

CDROM-Based Virus Scanners? 48

cheros asks: "Pretty much every virus checker I've seen requires installation of a couple of MB worth of data on the HD. However, in a controlled or accredited environment (say, a hospital) installation of external software can invalidate the build, and the checking process can adversely affect timing (in, say, plant control systems), so I'm looking for a virus checker that works from a CD. This obviously means the CD needs updating when new signatures come out, but at least it's a 'hands off' sweep of the system that can be done during maintenance down-time (and assures me that the virus software itself can't be compromised). The only workaround I have at the moment is that critical system files can be checksummed to prove integrity (MD5 is your friend ;] ). That's OK for the systems that are fairly static (no, not blue screened, less data changes on the disk =] ), but systems where config data changes (say, a DDNS) are less easy to check. It's mostly a Windows problem (with &^$$& locked files being a pain), but the same situation can arise on any platform. Got any ideas?"
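The checksum workaround from the question, as an added example that is not part of the original post: a baseline manifest is built once, kept on read-only media, and compared during maintenance, with glob patterns excluding data that legitimately changes. SHA-256 replaces the MD5 the poster mentions; the paths, patterns and file contents are constructed for illustration.

```python
import fnmatch
import hashlib
import os
import tempfile

def file_digest(path, chunk=1 << 16):
    h = hashlib.sha256()  # the post names MD5; SHA-256 is swapped in here
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root, volatile=()):
    """Map relative path -> digest under root, skipping globs for data that changes."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, pat) for pat in volatile):
                continue
            try:
                manifest[rel] = file_digest(full)
            except OSError:  # e.g. a file locked by the running OS
                manifest[rel] = "UNREADABLE"  # recorded with a marker, not skipped
    return manifest

def compare(baseline, current):
    """Report files whose digest changed, that vanished, or that are new."""
    both = baseline.keys() & current.keys()
    return {"changed": sorted(p for p in both if baseline[p] != current[p]),
            "missing": sorted(baseline.keys() - current.keys()),
            "added": sorted(current.keys() - baseline.keys())}

def write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed tree: a static control binary plus a DDNS zone file that changes."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "system/ctl.exe", b"original")
        write(root, "dns/zone.db", b"serial 1")
        baseline = build_manifest(root, volatile=["dns/*"])  # keep on read-only media
        write(root, "system/ctl.exe", b"patched")     # modified binary
        write(root, "dns/zone.db", b"serial 2")       # legitimate config churn
        write(root, "system/new.dll", b"unexpected")  # file absent from the baseline
        return compare(baseline, build_manifest(root, volatile=["dns/*"]))
```

Running the comparison from boot media rather than the live OS avoids the locked-file case entirely; the `UNREADABLE` marker only covers scans made while the system is up.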
  • by Stigmata669 ( 517894 ) on Thursday September 19, 2002 @09:36PM (#4294354)
    Although I am unfamiliar with any CD-based anti-virus software, you could always install the software onto a removable USB hard disk, even a keychain drive [thinkgeek.com], and run the software from the drive, leaving the primary disk more or less untouched (hopefully less).
  • Try http://www.openantivirus.org [openantivirus.org] .. It's free.. it's open source.. it's in Java.. Stick it on the CD with a (Windows/Linux/Mac) JVM.. and you're set to go. I have openantivirus running on my mail server right now... catches almost everything.. I believe there's a "C" version called clamscan out there.... not sure if it'll compile under anything but Linux.. but you can always try. ChiefArcher
  • by karnal ( 22275 ) on Thursday September 19, 2002 @09:49PM (#4294415)
    I've got a copy of Norton Systemworks 2001 at work that states on install, that you should boot to the cd-rom and have it do a virus check before you install the software (Norton Antivirus is included in this suite...)

    I've not used it yet; the only risk I would say you'd run is if you have a virus that is not detected with the CD build of the virusscan... Pretty hard to do updates to read-only media.... but for a general sweep of the machine, you'd be good to go.

    Maybe there's a way to "repackage" the bootable portion of the cd / virus definitions, and go that route? I'm sure Norton has had requests for this before, and it wouldn't take much time talking with their support (never had to contact them myself) to see if this is the case...

    We're in the same boat, though... Validated systems; since I work in Network Architecture, one of the problems we run into is we can't put ANYTHING on servers that isn't validated (i.e. packet sniffing/analyzing agents, etc.) I see their point, so in the end we just mirror ports :) (slightly ot, I know)
  • F-PROT (Score:3, Informative)

    by reynaert ( 264437 ) on Thursday September 19, 2002 @09:54PM (#4294448)

    You could probably use the DOS or Linux version of F-Prot [f-prot.com]. It doesn't need to write anything, and it has some nice command-line options for automated scanning etc.

    With a little effort, you can even fit the DOS version on a single floppy. You'll need to store it compressed, and uncompress it to a ramdisk when booting.

    • This is the program I use for scanning. Built a boot CD with a CD-RW and floppy emulation using the DOS version of F-Prot. With the right drivers you could probably even get it to scan NTFS partitions. Update the definitions when needed. Works great. It just requires booting from the CD.
      • Great scanning program, and I use it as well, but from time to time I'm using it on old computers that can't read CD-RW. The program does not have an option to take the definitions from another dir. I think that this could be the best solution to this prob.
    • Re:F-PROT (Score:2, Informative)

      by Tux2000 ( 523259 )

      The guys and girls of the German c't magazine [heise.de] combined toms rescue boot disk [toms.net] with F-Prot for Linux and pressed it onto a CDROM shipped with the issue 13/2002 [heise.de]. You can order this issue for 3 EUR + shipping (1 EUR is round about 1 US $).

      If you can get internet access with that CDROM, you can even update the scanner and the data files. (And as a nice bonus, you get 600 MBytes Freeware and Shareware.)

      Tux2000

    • This sounds like an excellent suggestion-- build a bootable CD-ROM which auto-scans all the local drives. In addition to not requiring any installed software, booting off known virus-free media guarantees that you'll find all those nasty stealth viruses that like to hide in memory.
  • I've used a laptop with Norton AntiVirus installed to check the hard disks/files of other systems, maybe something simple-n-stupid like this would help?
  • Would have led to Symantec [symantec.com] who ship their Norton Antivirus CDROMs as bootable CDs that can automatically check the filesystem(s) of the hard drive(s) with as little as one or two carriage returns.

    Since the scanner can also be run manually, you could install updated definitions on a floppy disk with the tab set.

    That's just off the top of my head; I'm sure The Best Friend Of The WWW [google.com] could render gallons more assistance.

  • Every Windows-based virus scanner I've known has an option for this. Norton AntiVirus can boot to the CD or make floppy disks; I think the newer versions can use a floppy disk for later virus definitions. McAfee can do the same, I believe. I know it can run off floppies. So can F-Prot.
  • This is quite obvious. Every virus scanner in my memory has had an option to boot off of the CD or create a boot floppy (which can be write protected in the same fashion as all floppies). The CD boots, can do a scan (automatically if you configure autoexec.bat to do so). You can re-burn the CD by placing new definitions on the CD, or tell the program to go get the definitions from another source (LS-120 drive, hard disk, etc.). This has all been possible with Norton AntiVirus since version 2000 (probably earlier. I just never checked)
  • Norton A/V comes as a bootable cdrom, and you can make a set of rescue disks that you can use. I suppose you could also make a bootable cdrom [cdrfaq.org] (Nero [nero.com] does that) with the vdefs on it, and use some autoexec file to do a batch scan of the system using the latest defs from the CD. So simple even a janitor could do it!!!

    -D
  • Control Systems (Score:4, Insightful)

    by LWolenczak ( 10527 ) <julia@evilcow.org> on Thursday September 19, 2002 @10:32PM (#4294616) Homepage Journal
    I used to work for a company in the Southeastern United States, currently called Avid Solutions, formerly called Carolina Instermentation Corp/Electrical Maintence Overflow Comp. (cic/emoc). Every Control System that I have ever seen them put together was set up a particular way.

    1. Locked down OS. In NT, this involved Policies, in most cases, Auto logins, and quite a bit of registry editing.
    2. Separated Network. The control networks were always on their own network. In many cases, a main network, and a backup network.
    3. No internet access.
    4. No access to the floppy/cdrom unless you're an administrator, hell, explorer doesn't even load, only the control application.

    Perhaps you need to look at your setup and make some changes if you're worried about viruses.
    • Damn, I can't spell today... I guess I need sleep
    • 3. No internet access.
      Would you care to accompany me on a routine run of some of our customers' networks today and inform them that in the interest of virus protection, we will be removing their Internet routers?

      It's said that the safest way to protect your computer from [viruses/cracking/information theft/etc.] is to unplug it, but how practical is that here in the real world?

    • In agreement with the other responders, this sounds like crap to me. Installing a complete lockdown on machines tends to p*ss off employees, and just generally cause problems. Locking down an existing open network is a pain in the butt to admins too, every time new software has to be installed the admin has to be called in.

      I'm currently working in a local school district, and this is the only situation I've found lockdowns useful, since kids intentionally tend to cause crap or download porn etc. In a business with reasonable adults, you can at least hope/expect that they won't be causing deliberate damage to the machines.

      This shameful plug should be used to plug um... nevermind - phorm
      • In cases such as schools, you can't unplug it. In the case I'm talking about, the computer is only used to run a piece of machinery, or a set of chemical reactors. The system for all intents and purposes is unplugged because it does not need to be plugged in.
  • I work for Central Command, the company that produces Vexira Antivirus, so be careful, you might find a few biased statements here :-) We have Vexira Antivirus Rescue Disk (VARD), which is a bootable CD-ROM and diskette virus scanner that runs entirely in RAM. It's based on a Debian micro kernel and includes an easy-to-follow menu. It can update the latest virus database and virus scanning engine also! Yes, even if you are using the CD-ROM version. You just need to download updates onto a floppy and select the update option on the main menu. VARD will pull them into RAM.

    It will boot and mount most any file system: Microsoft FAT 16, FAT 32, VFAT, NTFS, Linux ext2, ReiserFS and UMSDOS, IBM OS/2 HPFS, FreeBSD, OpenBSD, Solaris, and Unix UFS, CD-ROM ISO9660, Minix, FreeVxFS, Veritas VxFS, System V, Xenix, V7, and UDF.

    Vexira Antivirus Rescue Disk [centralcommand.com]

    The VARD is free BTW.

  • Why??? (Score:5, Insightful)

    by OneFix ( 18661 ) on Thursday September 19, 2002 @11:23PM (#4294851)
    I know that similar posts have been made, but I don't think this can be expressed enough!!!

    You shouldn't need AV software in the systems you describe. These should not require direct access to an untrusted network...there is no reason why someone should be installing their own software on the system...and the systems should be designed as such (no direct access...a locked cabinet is a good idea here, and secondary/tertiary networks for workstation access to data)...if you really must have mission critical systems open to viruses, and you are using standard peecee hardware, you could always try an Antivirus PCI Card [rd-comp.com].

    I guess this might be another advantage of using Linux for mission critical apps...chances are the employees don't have access to software...
    • ...all it takes is someone with a boot sector virus on a floppy to insert it into the otherwise-locked down system and cycle the power, to infect the machine. While systems for some time have been able to have a different boot order than FD0->HD0->HD1, there are older systems that don't allow this...
      • ...all it takes is someone with a boot sector virus on a floppy to insert it into the otherwise-locked down system and cycle the power, to infect the machine.
        Then remove the floppy drives. If someone needs access to a floppy, they can take it to an administrator who can move files as needed (after virus checking). Remember, this is a hospital production system - people shouldn't need routine access to a floppy drive.
        • Removing both floppy and cdroms is SOP with me. Since I did that to everyone's boxes, I've got more time for other stuff.
      • How can they insert a floppy through a locked cabinet?
  • F-Prot antivirus can fit on 3 write-protected floppies or a bootable CD-ROM. It's free for personal use, and easy enough to update by downloading new definitions from its website. It's available for both DOS and Linux.

  • If you have a virus threat problem, I assume that you are connected to an external (out of your control) network. If this network happens to be the internet (most likely), just try Symantec's [symantec.com] Security Check. It scans for viruses over the net (with a bit of ActiveX magic... It seems that M$ security misses can be useful sometimes ;-P)
  • http://www.free-av.com/ave.htm

    Of course this only works for FAT/FAT32.

    I don't know of any that would scan NTFS. You'd have to have some munged version of NT/Win2k boot off a CD and then run a virus scanner.
  • 1. A Norton AntiVirus 2002 CD
    2. A floppy disk with the latest virus definitions on it.

    The Norton AntiVirus CD automatically checks the floppy drive for the latest virus definitions when you boot from it, otherwise it uses the outdated ones on the CD.
