
Clamav-portable

Posted: Tue 17 Jun 2014, 03:01
by shinobar
Note that Puppy itself does not need any virus scanner. In other words, a virus scanner does nothing for the Linux system.
These virus scanners are for protecting Windows. They are effective when you are sharing data with Windows on your PC, or exchanging data with other PCs using email, USB, Samba, etc. Also when you are running Wine on Linux.

Note2: Clamav may over-detect sane files as viruses. Removing these files may harm the Windows system. I recommend scanning only data files with this clamav. The Windows system files are better protected by a proper security program or by a free online scan on Windows itself.

1. Get clamav-portable-0.2.tar.gz:
http://shino.pos.to/party/bridge.cgi?puppy/opt/
2. Extract the tarball somewhere under mounted HDD or USB media: /mnt/home, /mnt/sdb1, etc.
3. Click on the folder, or the AppRun in the folder.
4. Step 1-->3-->4 on the GUI menu.

May work on any Puppy 431 and later.

In general, virus scanners have a large database, so Puppy space (pupsave) is easily filled up. Clamav-portable places everything in one directory. When you place it under some mount point, it does not consume Puppy space.

Compiled clamav-0.98.3 on Puppy-431JP. Combined with clamvtk-1.2 made by vicmz and fellow:
http://www.murga-linux.com/puppy/viewtopic.php?t=88656

DetectBrokenExecutables is disabled because it seems to over-detect.
You can change the option by editing the clamscan.conf in the folder.

Posted: Tue 17 Jun 2014, 05:36
by Sylvander
1. Followed your instructions to download and extract the tarball to /mnt/home/Clamav-portable.

2. Ran /mnt/home/Clamav-portable/clamav-portable-0.2/AppRun.
Told it to scan sda1 holding installation of WinXP that I almost never use.
I've never done any significant work on it, no internet banking, use a multi-session Puppy DVD-RW for that and nothing else.
It found 1 infected file.
Examined /mnt/home/Clamav-portable/clamav-portable-0.2/clamav/virus/clamscan-FOUND.log
It had 1 entry = "/mnt/sda1/Program Files/Common Files/Microsoft Shared/MSInfo/msinfo32.exe: Win.Trojan.7400369 FOUND"
Looks BAD! :(
I have clicked "Quarantine files".
The file is now in "/mnt/home/Clamav-portable/clamav-portable-0.2/clamav/virus" folder.
What effect will that have on WinXP?
Can XP work OK without the use of this file?

3. Scanned 2 other partitions [sda2, sda3] used by XP.
Both are clean [no infected files found].

4. I have a Puppy->Xfe backup of the folder/file content of sda1 holding WinXP made 2013-Jan-16.
The MSInfo folder on this has 10 files [rather than 3].
I'm now scanning that backup of sda1 [oops, scanned all sda partitions in error].
It found 4 infected files.
Here are the additional infected files found:
/mnt/sdb1/backups/ASRock-H61M-S/Xfe/sda,Partitions,2013Jan16/sda5,EXT3/Mail/jwgteb8g.default/Mail/pop3.blueyonder.co-2.uk/Inbox: Heuristics.Phishing.Email.SpoofedDomain FOUND [sda5 is Puppy Home, Mail folder holds TB files]
/mnt/sdb1/backups/ASRock-H61M-S/Xfe/sda,Partitions,2013Jan16/sda3,FAT32/Windows/Run External Programs/Media Players/WMP11/portablewindowsmediaplayer11.exe: W32.Adware.Downloader.Mediaget-4 FOUND [sda3 holds Windows portables, scanned & clean previously]
/mnt/sdb1/backups/ASRock-H61M-S/Xfe/sda,Partitions,2013Jan16/sda3,FAT32/Windows/Run External Programs/Image Editing,Viewing/GIMPPortable/v2,2,17,0/App/gimp/lib/gimp/2.0/plug-ins/MapObject.exe: Win.Trojan.Agent-296317 FOUND
/mnt/sdb1/backups/ASRock-H61M-S/Xfe/sda,Partitions,2013Jan16/sda3,FAT32/Windows/Run External Programs/Anti-Spyware/1-2-3 Spyware Free/asc4.dll: Trojan.FakeAV-344 FOUND
I'm puzzled by these finds...these partitions have been scanned many times previously with no infections found.
Might these be false positives?

5. Rescanning the backup of sda1 only.
No infection found in the backup. :D
Would it be a good idea to delete all XP folders/files from sd1 and replace with clean backup copies?
.
.

Re: Clamav-portable

Posted: Tue 17 Jun 2014, 05:53
by vicmz
shinobar wrote:Combined with clamvtk-1.2 made by vicmz and fellow:
http://www.murga-linux.com/puppy/viewtopic.php?t=88656
Actually it was all made by nilsonmorales, josep2424 and mama21mama. I only posted on their behalf because they aren't fluent in English. Thank you for updating it, Shinobar. :D

Posted: Tue 17 Jun 2014, 15:48
by Sylvander
Discovered that when I was scanning the backups as per my previous post above, those partition backups were made when I had Win2000Pro on sda1.
So I found the correct backup made just after I'd replaced Win2000Pro with WinXP.
So...

1. Scanned "/mnt/sdc1/backups/ASRock-H61M-S/Xfe/WinXP,on,NTFS/131209_firstbackup,newly,installed".
An infected file was found:
/mnt/sdc1/backups/ASRock-H61M-S/Xfe/WinXP,on,NTFS/131209_firstbackup,newly,installed/Program Files/Common Files/Microsoft Shared/MSInfo/msinfo32.exe: Win.Trojan.7400369 FOUND
Now have 2 copies of this same infected file; one from the backup, the other from sda1.
So this XP was infected very early in its life.
I've quarantined both copies.
Not sure if I should restore the backup.

Posted: Tue 17 Jun 2014, 16:56
by Al1000
My experience with ClamAV is that it often reports false positives, and I understand it is reported to be notorious for this when it's being used to scan operating system files, rather than as an email scanner for servers which is what it was originally designed as.

Search the internet for - ClamAV - in conjunction with the names of any "Trojans" etc. that it reports, and you should find results such as this:

https://www.virustotal.com/en/file/1d5c ... /analysis/

Posted: Wed 18 Jun 2014, 04:32
by nilsonmorales
There's a newer Clamvtk.
commits are welcome
Clamvtk in Github


Be caution

Posted: Wed 18 Jun 2014, 10:28
by shinobar
Add note2:
Clamav may over-detect sane files as viruses. Removing these files may harm the Windows system. I recommend scanning only data files with this clamav. The Windows system files are better protected by a proper security program or by a free online scan on Windows itself.

Posted: Wed 18 Jun 2014, 11:17
by tony
Hi,

Many thanks to all involved in the portable version of clamav.

However, it does need some fine tuning and some help is required.

For instance it found one infected Email and quarantined my inbox.

I am pleased with it however and thanks again.

Regards Tony

Re: Be caution

Posted: Wed 18 Jun 2014, 14:34
by Sylvander
shinobar wrote:...Clamav may over detect sane files as virus. Removing these files may harm the Windows system.
I checked each of the files at www.virustotal.com
Kept only 1 file [see below] in the virus vault, and returned all the others.
KEPT:
/mnt/sdb1/backups/ASRock-H61M-S/Xfe/sda,Partitions,2013Jan16/sda3,FAT32/Windows/Run External Programs/Media Players/WMP11/portablewindowsmediaplayer11.exe: W32.Adware.Downloader.Mediaget-4 FOUND
Here's the analysis window "Detection Ratio = 22/54"
All the others had very low detection ratios.
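
Added example, not part of any post in this thread and not code from clamav-portable: it parses lines in the `path: Signature FOUND` format quoted above and attaches a handling hint, so that mailboxes and Windows system files are verified first rather than quarantined outright. The path markers, hint strings and sample paths are assumptions constructed for illustration; the signature names are the ones reported in the thread.

```python
import re

# Line format as quoted in the thread: "<path>: <signature> FOUND".
# The greedy path match keeps paths that themselves contain ": " intact.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

# Assumed path markers (hypothetical, not from clamav-portable).
SYSTEM_MARKERS = ("/program files/common files/", "/windows/system32/")
MAILBOX_MARKERS = ("/mail/", "/imapmail/")

def classify(path, sig):
    """Return a handling hint for one detection instead of quarantining blindly."""
    p = path.lower()
    if any(m in p for m in MAILBOX_MARKERS):
        # One flagged message should not take the whole mailbox file with it.
        return "mailbox: keep file, find the single message"
    if any(m in p for m in SYSTEM_MARKERS):
        return "system file: verify on Windows before moving"
    if sig.startswith("Heuristics."):
        return "heuristic match: verify"
    return "data file: verify, then quarantine"

def triage(log_text):
    """Parse clamscan-FOUND.log text into (path, signature, hint) tuples."""
    rows = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:  # summary lines and blanks do not end in " FOUND"
            rows.append((m["path"], m["sig"], classify(m["path"], m["sig"])))
    return rows

# Constructed sample log; only the signature names come from the thread.
SAMPLE_LOG = """\
/mnt/sda1/Program Files/Common Files/Microsoft Shared/MSInfo/msinfo32.exe: Win.Trojan.7400369 FOUND
/mnt/sdb1/backup/Mail/example.default/Mail/pop3.example.invalid/Inbox: Heuristics.Phishing.Email.SpoofedDomain FOUND
/mnt/sdb1/backup/Portable/asc4.dll: Trojan.FakeAV-344 FOUND
/mnt/sdb1/backup/docs/report: final.doc: Win.Trojan.Agent-296317 FOUND
"""

if __name__ == "__main__":
    for path, sig, hint in triage(SAMPLE_LOG):
        print(f"{sig:45} {hint}\n    {path}")
```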

Re: Clamav-portable

Posted: Wed 18 Jun 2014, 21:55
by ASRI éducation
shinobar wrote: clamav-portable-0.2.tar.gz
Thank you shinobar.

Scan home partition

Posted: Fri 31 Oct 2014, 15:45
by morochos
Hi. I have two partitions in my PC, one for Windows and the "home" for Linux.
This portable version works very well for analyzing the FAT Windows partition; however, when I try to analyze the "home", clamav ends the scan doing nothing.
Please tell me how to scan my "home" partition with clamav-portable.

Posted: Thu 14 Jan 2016, 14:00
by torm
Is that thing still usable?

Posted: Sat 20 Feb 2016, 02:03
by slavvo67
Why not? It updates.

Posted: Wed 17 Oct 2018, 10:18
by perdido
deleted