From: David W. Hodgins on
On Sat, 16 Aug 2008 15:58:03 -0400, Tommy McClure <tmDELccDEL72AThalDASHpcDOTorg> wrote:

> I tried putting EICAR into a very small directory and it found it. Reported
> it correctly, but still no TRK-INFECTED directory with the .gz file in it.
> The EICAR file still untouched. No error message about lack of space.

What is the output of the command "mount" (without the quotes)?

I'm just wondering if the filesystem is being mounted read only. When I have
my ntfs partition mounted, the mount command shows ...
/dev/hda13 on /var/mnt/hda13 type fuseblk (rw,noexec,nosuid,nodev,allow_other,blksize=4096)

The rw stands for read/write. If it's showing ro, that would explain the problem,
although it should be giving an appropriate error message, in that case.

Note: I'm using a regular linux installation (Mandriva 2008.1), not a boot cd.

Also, how much space is available (use the command df to see)?

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
From: Tommy McClure on

David W. Hodgins wrote:
> On Sat, 16 Aug 2008 15:58:03 -0400, Tommy McClure
> <tmDELccDEL72AThalDASHpcDOTorg> wrote:
>
>> I tried putting EICAR into a very small directory and it found it.
>> Reported it correctly, but still no TRK-INFECTED directory with the
>> .gz file in it. The EICAR file still untouched. No error message
>> about lack of space.
>
> What is the output of the command "mount" (without the quotes)?
>
> I'm just wondering if the filesystem is being mounted read only.
> When I have
> my ntfs partition mounted, the mount command shows ...
> /dev/hda13 on /var/mnt/hda13 type fuseblk
> (rw,noexec,nosuid,nodev,allow_other,blksize=4096)
>
> The rw stands for read/write. If it's showing ro, that would explain
> the problem, although it should be giving an appropriate error
> message, in that case.
>
> Note: I'm using a regular linux installation (Mandriva 2008.1), not a
> boot cd.
>
> Also, how much space is available (use the command df to see)?
>
> Regards, Dave Hodgins

Real simple mounting: mountallfs [I don't know if this is part of the
TRK scripts or not]

I did test the writeability because that's the first thing that came to my
mind too. I created a small file with vi and wrote it to the same directory.
It was there when I did an ls in it. Also, I could cat filename.txt also.

Sorry I didn't think to df when finished with the whole drive.

That's a lot of switches you use, I don't even know half of them.
--
tommy





From: David W. Hodgins on
On Sat, 16 Aug 2008 19:31:43 -0400, Tommy McClure <tmDELccDEL72AThalDASHpcDOTorg> wrote:

> Real simple mounting: mountallfs [I don't know if this is part of the
> TRK scripts or not]

The command mountallfs is not a standard linux command, so it's probably a script
that calls fsdisk -l, to list the partitions, and then generates mount commands
for the filesystems it knows how to mount.

> I did test the writeability because that's the first thing that came to my
> mind too. I created a small file with vi and wrote it to the same directory.
> It was there when I did an ls in it. Also, I could cat filename.txt also.

Ok. Just a thought.

> Sorry I didn't think to df when finished with the whole drive.

I haven't used clamav in quite a while, but I think it only reports eicar, and
doesn't quarantine it. I could be wrong about that though. If the drive doesn't
have enough free space, that would explain the creation of the quarantine file
failing.

> That's a lot of switches you use, I don't even know half of them.

I only specified (in /etc/fstab) ...
/dev/hda13 /var/mnt/hda13 ntfs-3g defaults,noauto,users 0 0

The mounting of the filesystem added the rest, automatically.

noauto stops it from being mounted at boot time.

users allows a regular user to mount it, not just root.

noexec,nosuid,nodev automatically get added when you specify users, on the
assumption it isn't safe to run programs or set up devices on the filesystem.
These three stop programs from being executed, ignore file permissions that include
the set-user-id option, which is used to allow one user to run a program with
the permissions of another user (usually root), and prevent the creation or use
of files that are used to access hardware devices. For example, /dev/lp is normally
a filename used to write to a printer.

allow_other is added when you specify users for any filesystem mounted through fuse
(ntfs-3g is fuse "Filesystem in USErspace") module, and have the proper fuse
configuration file set up.

blksize=4096 gets added by the ntfs-3g module (I think), and is not currently listed
in the man page for mount, for mounting ntfs filesystems.

The mount command, without any parameters, will show you what is currently mounted.
Other ways of seeing what's mounted include "cat /etc/mtab", "cat /proc/mounts".

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
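
The check described in the post above (read the mount table, then look for ro versus rw and for the noexec, nosuid and nodev restrictions), as an added example that is not part of the original thread. The function names and the sample table are assumptions made here; the first sample line is the one quoted in the post, the other lines are constructed.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not output from the poster's machine).
# Line 1 is the entry quoted in the thread; the other lines are made up.
SAMPLE_MOUNTS='/dev/hda13 /var/mnt/hda13 fuseblk rw,noexec,nosuid,nodev,allow_other,blksize=4096 0 0
/dev/hda1 /mnt/win\040c ntfs ro,noexec,nosuid,nodev 0 0
/dev/hda5 /mnt/data ext3 ro 0 0
/dev/hda5 /mnt/data ext3 rw,nosuid 0 0'

# mount_opts MOUNTPOINT [TABLE]: print the option string of the most recent
# entry for MOUNTPOINT (a later mount on the same path hides an earlier one).
# TABLE defaults to the live /proc/mounts.
mount_opts() {
    want=$1
    if [ $# -ge 2 ]; then table=$2; else table=$(cat /proc/mounts); fi
    found=
    while read -r dev mp fstype opts rest; do
        # /proc/mounts escapes spaces in paths as \040; decode before comparing.
        mp=$(printf '%b' "$mp")
        [ "$mp" = "$want" ] && found=$opts
    done <<EOF
$table
EOF
    [ -n "$found" ] && printf '%s\n' "$found"
}

# has_opt OPTS FLAG: succeed if FLAG is one of the comma-separated options.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# quarantine_check MOUNTPOINT [TABLE]: report whether a scanner could create a
# quarantine directory there, and which of the three restrictions are active.
# Exit status: 0 writable, 1 read-only, 2 not mounted.
quarantine_check() {
    opts=$(mount_opts "$@") || { echo "not mounted"; return 2; }
    state=writable
    has_opt "$opts" ro && state=read-only
    flags=
    for f in noexec nosuid nodev; do
        has_opt "$opts" "$f" && flags="$flags $f"
    done
    echo "$state:${flags:- none}"
    [ "$state" = writable ]
}

quarantine_check /var/mnt/hda13 "$SAMPLE_MOUNTS"
```

Called with only a mount point, `quarantine_check` reads the live /proc/mounts; free space still has to be checked separately with df, as suggested earlier in the thread.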
From: Tommy McClure on

David W. Hodgins wrote:
> On Sat, 16 Aug 2008 19:31:43 -0400, Tommy McClure
> <tmDELccDEL72AThalDASHpcDOTorg> wrote:
>
>> Real simple mounting: mountallfs [I don't know if this is part
>> of the TRK scripts or not]
>
> The command mountallfs is not a standard linux command, so it's
> probably a script
> that calls fsdisk -l, to list the partitions, and then generates
> mount commands
> for the filesystems it knows how to mount.
>
>> I did test the writeability because that's the first thing that came
>> to my mind too. I created a small file with vi and wrote it to the
>> same directory. It was there when I did an ls in it. Also, I could
>> cat filename.txt also.
>
> Ok. Just a thought.
>
>> Sorry I didn't think to df when finished with the whole drive.
>
> I haven't used clamav in quite a while, but I think it only reports
> eicar, and
> doesn't quarantine it. I could be wrong about that though. If the
> drive doesn't
> have enough free space, that would explain the creation of the
> quarantine file
> failing.
>
>> That's a lot of switches you use, I don't even know half of them.
>
> I only specified (in /etc/fstab) ...
> /dev/hda13 /var/mnt/hda13 ntfs-3g defaults,noauto,users 0 0
>
> The mounting of the filesystem added the rest, automatically.
>
> noauto stops it from being mounted at boot time.
>
> users allows a regular user to mount it, not just root.
>
> noexec,nosuid,nodev automatically get added when you specify users,
> on the
> assumption it isn't safe to run programs or set up devices on the
> filesystem.
> These three stop programs from being executed, ignore file
> permissions that include the set-user-id option, which is used to
> allow one user to run a program with
> the permissions of another user (usually root), and prevent the
> creation or use
> of files that are used to access hardware devices. For example,
> /dev/lp is normally
> a filename used to write to a printer.
>
> allow_other is added when you specify users for any filesystem
> mounted through fuse (ntfs-3g is fuse "Filesystem in USErspace")
> module, and have the proper fuse configuration file set up.
>
> blksize=4096 gets added by the ntfs-3g module (I think), and is not
> currently listed
> in the man page for mount, for mounting ntfs filesystems.
>
> The mount command, without any parameters, will show you what is
> currently mounted. Other ways of seeing what's mounted include "cat
> /etc/mtab", "cat /proc/mounts".
>
> Regards, Dave Hodgins

I wish manual writers would write them the way you write about linux.
The main advantage of clam is that you can scan a dead windows system
without having a high speed connection. If you do, you can choose avg,
fprot, bde or clam with TRK. I now know to write the virus scan to a log
[manually], and delete the virus infected files [manually]. It's supposed to
be automatic, but they don't have a good handle on how the AV clients are
going to react. They keep changing. I have read lots of threads on their
postings, and manual deletion is the only way that seems to work. That is
a modest amount of work for me with 11 infections, but what about the
monster sized drives, 200 GB, and many more files infected?

--
tommy

