Clamav-portable

Antivirus, forensics, intrusion detection, cryptography, etc.
shinobar
Posts: 2672
Joined: Thu 28 May 2009, 09:26
Location: Japan

Clamav-portable

#1 Post by shinobar »

Note that Puppy itself does not need any virus scanner. In other words, any virus scanner does nothing for the Linux system.
These virus scanners are for protecting Windows. They are effective when you are sharing data with Windows on your PC, or exchanging data with other PCs using email, USB, samba, etc. Also when you are running wine on Linux.

Note 2: Clamav may over-detect sane files as viruses. Removing these files may harm the Windows system. I recommend scanning only data files with this clamav. The Windows system files are better protected by a proper security program or by a free online scan on Windows itself.

1. Get clamav-portable-0.2.tar.gz:
http://shino.pos.to/party/bridge.cgi?puppy/opt/
2. Extract the tarball somewhere under a mounted HDD or USB medium, /mnt/home, /mnt/sdb1, etc.
3. Click on the folder, or the AppRun in the folder.
4. Step 1-->3-->4 on the GUI menu.

May work on any Puppy 431 and later.

In general, virus scanners have a large database, so the Puppy space (pupsave) easily fills up. Clamav-portable places everything in one directory. When you place it under some mount point, it does not consume Puppy space.

Compiled clamav-0.98.3 on Puppy-431JP. Combined with clamvtk-1.2 made by vicmz and fellows:
http://www.murga-linux.com/puppy/viewtopic.php?t=88656

DetectBrokenExecutables is disabled because it seems to over-detect.
You can change the option by editing the clamscan.conf in the folder.
Last edited by shinobar on Wed 18 Jun 2014, 10:29, edited 2 times in total.
Downloads for Puppy Linux [url]http://shino.pos.to/linux/downloads.html[/url]

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#2 Post by Sylvander »

1. Followed your instructions to download and extract the tarball to /mnt/home/Clamav-portable.

2. Ran /mnt/home/Clamav-portable/clamav-portable-0.2/AppRun.
Told it to scan sda1 holding installation of WinXP that I almost never use.
I've never done any significant work on it, no internet banking; I use a multi-session Puppy DVD-RW for that and nothing else.
It found 1 infected file.
Examined /mnt/home/Clamav-portable/clamav-portable-0.2/clamav/virus/clamscan-FOUND.log
It had 1 entry = "/mnt/sda1/Program Files/Common Files/Microsoft Shared/MSInfo/msinfo32.exe: Win.Trojan.7400369 FOUND"
Looks BAD! :(
I have clicked "Quarantine files".
The file is now in "/mnt/home/Clamav-portable/clamav-portable-0.2/clamav/virus" folder.
What effect will that have on WinXP?
Can XP work OK without the use of this file?

3. Scanned 2 other partitions [sda2, sda3] used by XP.
Both are clean [no infected files found].

4. I have a Puppy->Xfe backup of the folder/file content of sda1 holding WinXP made 2013-Jan-16.
The MSInfo folder on this has 10 files [rather than 3].
I'm now scanning that backup of sda1 [oops, scanned all sda partitions in error].
It found 4 infected files.
Here are the additional infected files found:
/mnt/sdb1/backups/ASRock-H61M-S/Xfe/sda,Partitions,2013Jan16/sda5,EXT3/Mail/jwgteb8g.default/Mail/pop3.blueyonder.co-2.uk/Inbox: Heuristics.Phishing.Email.SpoofedDomain FOUND [sda5 is Puppy Home, Mail folder holds TB files]
/mnt/sdb1/backups/ASRock-H61M-S/Xfe/sda,Partitions,2013Jan16/sda3,FAT32/Windows/Run External Programs/Media Players/WMP11/portablewindowsmediaplayer11.exe: W32.Adware.Downloader.Mediaget-4 FOUND [sda3 holds Windows portables, scanned & clean previously]
/mnt/sdb1/backups/ASRock-H61M-S/Xfe/sda,Partitions,2013Jan16/sda3,FAT32/Windows/Run External Programs/Image Editing,Viewing/GIMPPortable/v2,2,17,0/App/gimp/lib/gimp/2.0/plug-ins/MapObject.exe: Win.Trojan.Agent-296317 FOUND
/mnt/sdb1/backups/ASRock-H61M-S/Xfe/sda,Partitions,2013Jan16/sda3,FAT32/Windows/Run External Programs/Anti-Spyware/1-2-3 Spyware Free/asc4.dll: Trojan.FakeAV-344 FOUND
I'm puzzled by these finds...these partitions have been scanned many times previously with no infections found.
Might these be false positives?

5. Rescanning the backup of sda1 only.
No infection found in the backup. :D
Would it be a good idea to delete all XP folders/files from sda1 and replace them with clean backup copies?
Last edited by Sylvander on Tue 17 Jun 2014, 06:31, edited 5 times in total.
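A small parser for the clamscan-FOUND.log format quoted in this post, with a triage step that follows shinobar's note 2 (hits under Windows system directories are checked elsewhere before anything is removed; heuristic hits are reviewed first). This is an added example, not part of the thread or of Clamav-portable; the sample log lines are constructed from shortened versions of the paths above, and the triage classes are an assumed policy.

```python
import re
from collections import Counter

# clamscan-FOUND.log lines have the form "<path>: <signature> FOUND".
# Paths may contain spaces and commas, so anchor on the trailing " FOUND".
LINE_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

# Directories holding Windows system/program files (assumed list); removing
# an over-detected file there can break Windows, so they get extra checks.
SYSTEM_MARKERS = ("/windows/", "/program files/")


def parse_found_log(text):
    """Return a list of (path, signature) pairs; non-matching lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def triage(path, sig):
    """Assumed handling policy for one hit (not ClamAV's own behaviour)."""
    if sig.startswith("Heuristics."):
        return "review"  # heuristic match, no exact signature: verify first
    if any(marker in path.lower() for marker in SYSTEM_MARKERS):
        return "verify-before-removing"  # Windows system file: check elsewhere
    return "quarantine"  # data file: safe to move aside


def summarize(text):
    """Parse a FOUND log and attach a triage class and per-signature counts."""
    hits = parse_found_log(text)
    actions = {path: triage(path, sig) for path, sig in hits}
    # The same signature on several copies (live disk plus backup) points to
    # an infection present since early on rather than a one-off false positive.
    by_signature = dict(Counter(sig for _, sig in hits))
    return {"hits": hits, "actions": actions, "by_signature": by_signature}


# Constructed sample log, with paths shortened from the ones in this thread.
SAMPLE_LOG = """\
/mnt/sda1/Program Files/Common Files/Microsoft Shared/MSInfo/msinfo32.exe: Win.Trojan.7400369 FOUND
/mnt/sdc1/backups/WinXP/Program Files/Common Files/Microsoft Shared/MSInfo/msinfo32.exe: Win.Trojan.7400369 FOUND
/mnt/sdb1/backups/Mail/Inbox: Heuristics.Phishing.Email.SpoofedDomain FOUND
/mnt/sdb1/backups/Media Players/WMP11/portablewindowsmediaplayer11.exe: W32.Adware.Downloader.Mediaget-4 FOUND
"""

if __name__ == "__main__":
    for path, action in summarize(SAMPLE_LOG)["actions"].items():
        print(f"{action:24s} {path}")
```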

vicmz
Posts: 1262
Joined: Sun 15 Jan 2012, 22:47

Re: Clamav-portable

#3 Post by vicmz »

shinobar wrote: Combined with clamvtk-1.2 made by vicmz and fellow:
http://www.murga-linux.com/puppy/viewtopic.php?t=88656
Actually it was all made by nilsonmorales, josep2424 and mama21mama. I only posted on their behalf because they aren't fluent in English. Thank you for updating it, Shinobar. :D
[url=http://murga-linux.com/puppy/viewtopic.php?t=76948]Puppy Linux en español[/url]

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#4 Post by Sylvander »

Discovered that when I was scanning the backups as per my previous post above, those partition backups were made when I had Win2000Pro on sda1.
So I found the correct backup made just after I'd replaced Win2000Pro with WinXP.
So...

1. Scanned "/mnt/sdc1/backups/ASRock-H61M-S/Xfe/WinXP,on,NTFS/131209_firstbackup,newly,installed".
An infected file was found:
/mnt/sdc1/backups/ASRock-H61M-S/Xfe/WinXP,on,NTFS/131209_firstbackup,newly,installed/Program Files/Common Files/Microsoft Shared/MSInfo/msinfo32.exe: Win.Trojan.7400369 FOUND
Now have 2 copies of this same infected file; one from the backup, the other from sda1.
So this XP was infected very early in its life.
I've quarantined both copies.
Not sure if I should restore the backup.

Al1000
Posts: 80
Joined: Tue 15 Apr 2014, 08:04
Location: Scotland

#5 Post by Al1000 »

My experience with ClamAV is that it often reports false positives, and I understand it is reported to be notorious for this when it's being used to scan operating system files, rather than as an email scanner for servers, which is what it was originally designed as.

Search the internet for ClamAV in conjunction with the names of any "Trojans" etc. that it reports, and you should find results such as this:

https://www.virustotal.com/en/file/1d5c ... /analysis/

nilsonmorales
Posts: 972
Joined: Fri 15 Apr 2011, 14:39
Location: El Salvador

#6 Post by nilsonmorales »

There's a newer Clamvtk.
Commits are welcome.
Clamvtk on GitHub

[b][url=http://nilsonmorales.blogspot.com/]My blog |[/url][/b][b][url=https://github.com/woofshahenzup]| Github[/url][/b]

shinobar
Posts: 2672
Joined: Thu 28 May 2009, 09:26
Location: Japan
Contact:

Be cautious

#7 Post by shinobar »

Added note 2:
Clamav may over-detect sane files as viruses. Removing these files may harm the Windows system. I recommend scanning only data files with this clamav. The Windows system files are better protected by a proper security program or by a free online scan on Windows itself.
Downloads for Puppy Linux [url]http://shino.pos.to/linux/downloads.html[/url]

tony
Posts: 334
Joined: Sat 14 Jan 2006, 10:52
Location: Montreal.ca

#8 Post by tony »

Hi,

Many thanks to all involved in the portable version of clamav.

However, it does need some fine tuning and some help is required.

For instance it found one infected Email and quarantined my inbox.

I am pleased with it however and thanks again.

Regards Tony

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

Re: Be cautious

#9 Post by Sylvander »

shinobar wrote: ...Clamav may over detect sane files as virus. Removing these files may harm the Windows system.
I checked each of the files at www.virustotal.com
Kept only 1 file [see below] in the virus vault, and returned all the others.
KEPT:
/mnt/sdb1/backups/ASRock-H61M-S/Xfe/sda,Partitions,2013Jan16/sda3,FAT32/Windows/Run External Programs/Media Players/WMP11/portablewindowsmediaplayer11.exe: W32.Adware.Downloader.Mediaget-4 FOUND
Here's the analysis window "Detection Ratio = 22/54"
All the others had very low detection ratios.

ASRI éducation
Posts: 3197
Joined: Sat 09 May 2009, 12:10
Location: France
Contact:

Re: Clamav-portable

#10 Post by ASRI éducation »

shinobar wrote: clamav-portable-0.2.tar.gz
Thank you shinobar.
ASRI éducation project => [url=http://asri-education.org/]Association[/url] | [url=http://forum.asri-education.org/]Forum[/url] | [url=http://dl01.asri-education.org/]Repository[/url] | [url=http://kids.asri-education.org/]Kids area[/url]

morochos
Posts: 68
Joined: Wed 28 Aug 2013, 02:55

Scan home partition

#11 Post by morochos »

Hi. I have two partitions on my PC, one for Windows and the "home" for Linux.
This portable version works very well for analyzing the FAT Windows partition; however, when I try to analyze the "home", clamav ends the scan doing nothing.
Please tell me how to scan my "home" partition with clamav-portable.

torm
Posts: 186
Joined: Sat 07 Mar 2015, 19:56

#12 Post by torm »

Is that thing still usable?

slavvo67
Posts: 1610
Joined: Sat 13 Oct 2012, 02:07
Location: The other Mr. 305

#13 Post by slavvo67 »

Why not? It updates.

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#14 Post by perdido »

deleted
