Scanning NTFS partitions for virus outside XP

macphisto

Anyone have an easy solution to this? I have a job as a computer technician
and none of the other techs seem to have a good answer either. Ideally when
a customer brings in their PC and the symptoms sound virus-like, we update
the definitions of the anti-virus they're using and scan the drives. Of
course, usually there's no software present or the update subscription is
expired...even worse are the situations where a virus is preventing
installation of AV software. Obviously in these cases, the system needs to
be scanned from outside the Windows installation on that drive. Several
years ago before XP had been released making NTFS partitions commonplace for
consumer PCs, we would boot to DOS using a bootable CD and scan the drive(s)
with f-prot. As we all know, NTFS partitions cannot be accessed from DOS so
now we're faced with a problem. Usually, we end up yanking out the hard
drive and hooking it up to our tech computer and let Norton loose on it.
This method works, but is time consuming...especially with laptops.
Basically, we don't want to take a system apart if the problems are software
related. One of the techs did bring in a shareware program that emulated
DOS, but had no problems with NTFS. Unfortunately, the demo limited users to
read-only access. Despite being part of a hugely successful multi-billion
dollar corporation, the store would never hand over money for new software.
So that's our dilemma. I probably could have asked that question with a
great deal more brevity, but we're here to have fun too, right? Anyone?
Suggestions very much appreciated. I mean, there has to be an easier way to
do this. Just so it's clear, we're looking for a CD bootable version of some
OS (we're not picky) that can run a virus scan on NTFS partitions. Thanks
everyone for reading this drivel. Happy Holidays!

mac
 
josh

There are several Linux OSes that will run just off the CD and RAM. I know one
is called Knoppix and is a GUI. I'm sure that it would be easy to do this
with one of them.
 
macphisto

Someone actually brought in a copy of Knoppix and I haven't had the time to
check it out much, but I think there are two problems with it that prevent
us from using it for NTFS virus scan.

1) I'm pretty sure they distribute Knoppix as a CD image that cannot be
changed, i.e. cannot add anti-virus software.

2) I'm pretty sure Linux can't read NTFS partitions. I'm sure there's some
software to do it, but that brings us back to the first problem.

mac
 
Chris Stolworthy

Well, one thing you can do is get a computer that has the latest, greatest
virus definitions, network the two, map the "infected" computer's hard drive.
Then you can actually use the virus scanner on the "good" computer to scan
the hard drive across the network. Not really outside XP but it gets the
job done.
 
JT

> Someone actually brought in a copy of Knoppix and I haven't had the time to
> check it out much, but I think there are two problems with it that prevent
> us from using it for NTFS virus scan.
>
> 1) I'm pretty sure they distribute Knoppix as a CD image that cannot be
> changed, i.e. cannot add anti-virus software.
>
> 2) I'm pretty sure Linux can't read NTFS partitions. I'm sure there's some
> software to do it, but that brings us back to the first problem.
>
> mac

Look at http://www.ultimatebootcd.com/

Has Fprot on the CD, and an NTFS file reader. Will at least tell you if the
drive is infected, and which files need fixed. There are instructions on
how to keep the program updated and download new data files on the site.

BTW, Linux has been able to read NTFS for a few years now. Writing is still
a problem, because MS keeps "improving" the format by adding features, but
reading is rock solid.

JT
 
JT

> Well, one thing you can do is get a computer that has the latest, greatest
> virus definitions, network the two, map the "infected" computer's hard drive.
> Then you can actually use the virus scanner on the "good" computer to scan
> the hard drive across the network. Not really outside XP but it gets the
> job done.

This assumes the virus is one that your scanner recognizes, and that it
doesn't infect by exploiting a new weakness. Actually safer to pull the
hard drive, slave it in another system, and scan it that way.

I know of someone that tried that, when the Blaster worm was still new,
and ended up with 2 infected machines as his antivirus didn't stop the
worm from infecting his machine as well.

JT
 
Chris Stolworthy

Ummmm, wouldn't putting the drive into your system infect it anyway? The
Blaster worm does spread that way too...
 
kony

> This assumes the virus is one that your scanner recognizes, and that it
> doesn't infect by exploiting a new weakness. Actually safer to pull the
> hard drive, slave it in another system, and scan it that way.
>
> I know of someone that tried that, when the Blaster worm was still new,
> and ended up with 2 infected machines as his antivirus didn't stop the
> worm from infecting his machine as well.
>
> JT

Errr, but that "someone" wasn't competent. Practically anyone can
click "scan" on an antivirus program, but that doesn't mean [just]
anyone is fit to diagnose and repair an infected system.

OP's company needs to screw their heads on straight and pay for the
tools and training, and/or personnel, to get the job done right or not
even try it at all.


Dave
 
JT

>> This assumes the virus is one that your scanner recognizes, and that it
>> doesn't infect by exploiting a new weakness. Actually safer to pull the
>> hard drive, slave it in another system, and scan it that way.
>>
>> I know of someone that tried that, when the Blaster worm was still new,
>> and ended up with 2 infected machines as his antivirus didn't stop the
>> worm from infecting his machine as well.
>>
>> JT
>
> Errr, but that "someone" wasn't competent. Practically anyone can
> click "scan" on an antivirus program, but that doesn't mean [just]
> anyone is fit to diagnose and repair an infected system.
>
> OP's company needs to screw their heads on straight and pay for the
> tools and training, and/or personnel, to get the job done right or not
> even try it at all.
>
> Dave

Putting a possibly infected machine on a network with other machines to
"test" it is not always a good idea. I have fixed more than one machine
that got past the latest Norton with current updates. This friend of mine
had one of the corporate edition antivirus programs on their machine,
but scanned the other one before the update was out for Blaster. Even had
all the critical updates installed. Luckily it was just the two machines,
not the corporate network.

And your suggestion was basically "network the 2 machines, and click scan"...
Prefer booting up with a write-protected medium on the infected machine,
and then scanning as appropriate.

JT
 
Richard Steven Hack

Get a Linux live CD with a virus scanner that runs on Linux but scans
for Windows viruses (there are some). Boot from the live CD, run the
scan.

Safest possible way - no Windows virus can infect Linux. And Linux
can read (but not write to) NTFS partitions. Use the scan to identify
any virus-infected files, then reboot under XP and delete the files.
Rescan to make sure you got them all.
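
The live-CD procedure described in the post above, sketched as a shell script. This is an added example, not part of the original thread; it assumes ClamAV's `clamscan` is available on the live CD, and the device `/dev/sda1`, mount point `/mnt/xp`, log path `/tmp/scan.log` and the function names are placeholders.

```shell
#!/bin/sh
# Added example: offline, read-only scan of an XP NTFS volume from a Linux live CD.
# Assumes ClamAV (clamscan) is on the CD; /dev/sda1, /mnt/xp and /tmp/scan.log
# are placeholders.

# Turn clamscan "PATH: SIGNATURE FOUND" log lines (stdin) into Windows paths,
# so the files can be located after rebooting into XP.
# $1 = mount point, $2 = drive letter the volume has under Windows.
found_to_windows() {
    mnt=${1%/}
    drive=$2
    while IFS= read -r line; do
        case $line in
            "$mnt"/*": "*" FOUND") ;;   # a detection line under the mount point
            *) continue ;;              # summary and other log lines
        esac
        rest=${line#"$mnt"/}            # path relative to the volume root
        sig=${rest##*: }                # "SIGNATURE FOUND"
        path=${rest%": $sig"}
        winpath=$(printf '%s' "$path" | tr '/' '\\')
        printf '%s:\\%s\t%s\n' "$drive" "$winpath" "${sig% FOUND}"
    done
}

scan_ntfs() {
    dev=$1 mnt=$2 log=$3
    mkdir -p "$mnt" || return 1
    # ro: the suspect volume is never modified; noexec,nodev,nosuid: nothing
    # stored on it is executed or trusted by the scanning system.
    mount -t ntfs -o ro,noexec,nodev,nosuid "$dev" "$mnt" || return 1
    rc=0
    # -r recurse, -i list infected files only. Exit status 1 = detections.
    clamscan -r -i --log="$log" "$mnt" >/dev/null || rc=$?
    umount "$mnt"
    [ "$rc" -le 1 ] || return "$rc"     # 2 or more: the scan itself failed
    found_to_windows "$mnt" C < "$log"
}

# Scan only when a device is given, e.g.: sh offline-scan.sh /dev/sda1
if [ $# -ge 1 ]; then
    scan_ntfs "$1" /mnt/xp /tmp/scan.log
fi
```

The output is one tab-separated line per detection (Windows path, signature name); the log lives in `/tmp`, which on a live CD is in RAM, so copy it off before rebooting.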
 
