GNU/Linux Bootable Anti-malware Scanning Tools



#1 Guest_hollowface_*
Posted 09 February 2017 - 07:26 PM

The purpose of this thread is to list and discuss bootable GNU/Linux anti-malware scanning tools. Share your comments, opinions, experiences, screenshots, and any good links you find :).

Caution! Please read for more information.

If you are considering using any of the tools mentioned in this thread, keep in mind whether the tool has appropriate features to accomplish the task you're trying to do. For example, if you wish to disinfect an operating system: in that scenario, unless the tool has been programmed to know which OS files are safe to remove, you could permanently damage the OS if you let the tool remove whatever it wants.







-----------------------------------------------------------------------------------------------------------------------------

Norton Bootable Recovery Tool:
[screenshot]

[screenshot]

Official page: https://security.symantec.com/nbrt/nbrt.aspx

Norton Bootable Recovery Tool supports scanning/removing viruses, spyware, crimeware, trojan horses, hacking tools, adware, trackware, and ransomware, as well as recovering files and browsing the web [REF:https://support.norton.com/sp/en/us/home/current/solutions/v72380755_EndUserProfile_en_us][REF: File "/mnt/bootmedia/Symantec_NBRT/data/EN/NBRT_help.html" on NBRT]. The disc image is BIOS only [REF:https://support.norton.com/sp/en/us/home/current/solutions/v72380755_EndUserProfile_en_us]. It is derived from CentOS 6.7 [REF: File "/etc/system-release" on NBRT], and uses the Gnome 2.28.2 desktop environment [REF: Program "/usr/bin/gnome-about" on NBRT]. The disc is 32-bit i686, equipped with kernel 2.6 [REF: Command "uname -a" on NBRT]. Upon boot up, the user is logged in as root [REF: Command "whoami" on NBRT], which isn't much of a surprise given the nature of the tool. It comes with Opera 12.16 Build 1860 [REF: Program "/usr/bin/opera" on NBRT, in Opera go to "Opera/Help/About Opera"]. The launcher for the Norton Bootable Recovery Tool is located at "/usr/bin/NBRTLauncher" [REF: Command "ls -l /usr/bin/NBRTLauncher" on NBRT]. The Norton Bootable Recovery Tool software launches at startup and provides a language selection prompt. The software itself is not on the rootfs, but on a mounted disc partition [REF: Command "ls -l /mnt/bootmedia" on NBRT]. It comes with definitions [REF: Folder "/mnt/bootmedia/Symantec_NBRT/definitions" on NBRT], but will attempt to download the latest if possible [REF: File "/mnt/bootmedia/Symantec_NBRT/data/EN/NBRT_help.html" on NBRT]. When performing a scan you do not need to first mount your drives; NBRT will automatically do so [REF: Program "/usr/bin/NBRTLauncher" on NBRT]. While equipped with Nautilus [REF: File "/usr/bin/nautilus" on NBRT], Norton Bootable Recovery Tool provides its own file access program [REF: Program "/usr/bin/NBRTLauncher" on NBRT, in NBRT click "Retrieve your files"].
While the current release of NBRT is Linux based, older versions were based on WinPE [REF:https://community.norton.com/en/blogs/product-update-announcements/introducing-new-linux-based-norton-bootable-recovery-tool-201610]. It does not appear to support specifying scan locations; it is for scanning entire systems, including the OS [REF: Program "/usr/bin/NBRTLauncher" on NBRT]. It supports scanning Windows XP, Windows Vista, Windows 7, Windows 8, and Windows 10 operating systems [REF:https://community.norton.com/en/blogs/product-update-announcements/introducing-new-linux-based-norton-bootable-recovery-tool-201610].


#2 Guest_hollowface_*
Posted 11 February 2017 - 03:32 PM

It comes with Opera 12.16 Build 1860

 

Upon boot up, the user is logged in as root

-REF:https://www.bleepingcomputer.com/forums/t/639571/gnulinux-bootable-anti-malware-scanning-tools/#entry4177433

Being logged in as root, running Opera may be undesirable for security reasons, because the browser would be running as root. If your browser gets exploited, the entire OS is at risk. Worst of all, if you've been using the scanning tool, all your partitions are mounted, putting them at risk too.

Norton Bootable Recovery Tool does not come with any regular user accounts aside from the root account, only system related accounts [REF: Command "cat /etc/passwd"] but it does come equipped with useradd [REF: Command "useradd --help"], which can be used to create additional user accounts.

 

Tutorial for running Opera as a regular user, while you are logged in as root: https://www.bleepingcomputer.com/forums/t/639696/run-opera-as-a-user-while-root-on-norton-bootable-recovery-tool/#entry4178509


Edited by hollowface, 11 February 2017 - 03:38 PM.


#3 Guest_hollowface_*
Posted 11 February 2017 - 06:23 PM

On Norton Bootable Recovery Tool there is no root password set by default [REF: File "/etc/shadow"]. You can use passwd to set one [REF: Command "passwd --help"] if wished. NBRT comes equipped with both su [REF: Command "su --help"] and sudo [REF: Command "sudo --help"]. Keep in mind that since there is no root password set, if you create other user accounts, they will be able to get root access using su, no password required. ntfs-3g is an NTFS driver [REF: http://www.tuxera.com/community/open-source-ntfs-3g/], which NBRT comes equipped with [REF: Command "ls /bin/ntfs-3g"], presumably to read NTFS partitions. If you need to take a screenshot, you can use Gnome Screenshot [REF: File "/usr/bin/gnome-screenshot"]. The b43-fwcutter package is installed [REF: File "/usr/bin/b43-fwcutter"], so it is likely that NBRT works with some Broadcom wireless devices. On CentOS, yum is the default package manager [REF: https://wiki.centos.org/PackageManagement/Yum], but Norton Bootable Recovery Tool does not include yum [REF: Command "yum --help"].

Questions I have:
- Does Norton Bootable Recovery Tool use custom malware definitions, or are they from another Norton product?
- If a scan detects anything, is it automatically removed? I'm assuming yes.
- When scanning, does it auto-mount partitions with non-Windows filesystems (eg: ext2, ext3, ext4)?
- The tool is targeting Windows systems, but are there any non-Windows malware definitions in it?
- How often are new discs released? Is there a schedule?
- How often are new definitions released? Is there a schedule?
- Are there any plans to drop X86-32 (32bit, x86, i686), in favour of X86-64, in the near future?
- Are there any plans to create a UEFI compatible disc?
- Does this disc work on Macs running Windows?

Ponderings Of Mine:
- CentOS 6 support ends in 2020, and CentOS 7 does not include Gnome 2. Will NBRT switch to Mate Desktop at that time?
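The empty root password and passwordless su described in the two posts above are easy to check for from a shell. The following is an added example, not code from the thread or from Symantec/Norton: it audits a shadow(5)-format file for accounts whose password field is empty, using a constructed sample so it runs anywhere; on a live rescue session, point the functions at /etc/shadow instead. The hardening function (passwd, useradd, su to run the browser unprivileged) is assumed from the standard utilities the post says are present and is not executed by the script; running an X program via su may additionally need display access, which this example does not cover.

```shell
#!/bin/sh
# Added example (not from the thread or from Symantec): audit a shadow(5) file
# for accounts with an empty password field, which is what makes "su" to root
# passwordless on the NBRT image described above.

# Constructed sample in shadow(5) format (fields: name:password:lastchg:...).
# root has an empty password field, bin/daemon are locked, "scan" has a hash.
SAMPLE_SHADOW='root::17000:0:99999:7:::
bin:*:17000:0:99999:7:::
daemon:!!:17000:0:99999:7:::
scan:$6$saltsalt$notarealhash:17000:0:99999:7:::'

# List accounts whose password field is empty. su/login treat these as
# "no password required", so any local user can become them.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# List accounts that have a usable password hash: anything that is neither
# empty nor locked with a leading "!" or "*".
accounts_with_hash() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# Exit 0 if the shadow file has no passwordless accounts, 1 otherwise.
shadow_is_clean() {
    [ -z "$(empty_password_accounts "$1")" ]
}

# Hardening steps for a root-only live session. NOT run by this script:
# they need root and a real system. Assumed commands: passwd, useradd, su.
harden_live_session() {
    passwd root                 # give root a password so su/sudo actually prompt
    useradd -m browser          # unprivileged account for the browser
    passwd browser
    su - browser -c 'opera'     # run the browser as that user, not as root
}

demo() {
    tmp=$(mktemp) || exit 1
    printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
    echo "Passwordless accounts: $(empty_password_accounts "$tmp")"
    echo "Accounts with a password hash: $(accounts_with_hash "$tmp")"
    if shadow_is_clean "$tmp"; then
        echo "OK: every account has a password or is locked"
    else
        echo "WARNING: passwordless account(s) present, set a root password"
    fi
    rm -f "$tmp"
}

demo
```

On the constructed sample the audit reports root as passwordless and flags the file; after `passwd root` the same check passes, which is the state to reach before creating any extra user that could `su` to root.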



#4 Guest_hollowface_*
Posted 12 February 2017 - 12:58 AM

Does Norton Bootable Recovery Tool use custom malware definitions, or are they from another Norton product?

-REF:https://www.bleepingcomputer.com/forums/t/639571/gnulinux-bootable-anti-malware-scanning-tools/#entry4178545

I downloaded Norton Security Deluxe, installed it, and updated the definitions. I downloaded Norton Bootable Recovery Tool, booted it, and updated the definitions.

Examination #1:
Before Updating NBRT
[screenshot]

After Updating NBRT
[screenshot]

After A Reboot:
[screenshot]

When Norton Bootable Recovery Tool is updated, it doesn't update the definitions in place on the media by writing to memory. It saves updates to a hard drive partition (without prompting or informing the user), and the definitions are NOT deleted when NBRT is done or rebooted [REF: Examination #1].

Examination #2:
[screenshot]

They do not use the same organizational pattern [REF: Examination #2], but do both provide a definitions folder.

Examination #3:
[screenshot]

Norton Bootable Recovery Tool seems to store updated definitions at "/mnt/nbrt/drive1/Symantec_NBRT/definitions/AntiVirus/VirusDefs/", while Norton Security Deluxe seems to store definitions at "/Program Files/Norton Security/NortonData/22.8.0.50/Definitions/SDSDefs/20160915.023/" [REF: Examination #3].

Examination #4:
[screenshot]

They both seem to be using "Symantec Antivirus Definition Files", because they both have a whatsnew text file [REF: Examination #4], which documents what is new in Symantec Antivirus Definition Files. The dates don't match though, which suggests they get updates from different locations.

Examination #5:
[screenshot]

There are some size differences, "tcdefs.dat" being quite a significant difference [REF: Examination #5], suggesting that the definitions are either derived from a common source, but are themselves not identical, or that both products use identical definitions, but lots of recent updates have been released that have yet to make it to Norton Bootable Recovery Tool.



#5 Guest_hollowface_*
Posted 22 February 2017 - 01:05 AM

Bitdefender Rescue CD:

[screenshot]
Informational Page: https://www.bitdefender.com/support/how-to-create-a-bitdefender-rescue-cd-627.html

Supports UEFI, uses Grub2. Seems to get stuck at "starting version 232", so I was unable to test further. I will have to try again, on a BIOS virtual machine, with more RAM, and see if that makes a difference.



#6 cat1092 (Bleeping Cat, BC Advisor, 7,018 posts, Male, North Carolina, USA)
Posted 26 February 2017 - 06:14 AM

Here's a list with 11 popular names (including those that hollowface provided) that do fairly much the same. :)

http://www.digitalcitizen.life/top-free-bootable-antivirus-rescue-discs-windows-pcs

The only thing that concerns me is that some (or all) may not get the associated registry infections/entries, and these aren't simply benign leftovers, though they may be enough to get an unbootable computer running to where a traditional solution such as Malwarebytes can finish the job, which does scan the registry, as do many other AV/Internet Security or anti-malware (AM) offerings. Hopefully the scan run after booting into Windows will find these leftovers. :)

Of course, if one wants the ultimate rescue tool, then this is in the form of using backup software & using it often (I image my most used Windows systems weekly). While one can use the included backup & recovery for this task, I highly recommend Macrium Reflect. It's free, provides free WinPE media, and the only cost is an external drive that's detached after every use, on which to save as many backup images as possible. Important data should always be transferred to an external, USB stick or written to optical media as soon as generated (example, tax return forms). :)

http://filehippo.com/download_macrium_reflect/

Registration is not required (though offered), and to create WinPE media, a 150 to 400MB download from Microsoft will be needed, depending on OS. This allows one to back up outside of the Windows environment, so that no running Windows processes interfere with the backup process. Backup should always be part of the routine of anyone who takes Windows security seriously; it's no longer just for simple drive failures anymore, though that still counts as one. :thumbup2:

Good Luck with the Bootable Tools above & hopefully the end result will be a running computer! :)

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#7 Guest_hollowface_*
Posted 01 March 2017 - 07:25 PM


some (or all) may not get the associated registry infections/entries, and these aren't simply benign leftovers, though may be enough to get an unbootable computer running to where a traditional solution such as Malwarebytes finish the job

-REF:https://www.bleepingcomputer.com/forums/t/639571/gnulinux-bootable-anti-malware-scanning-tools/#entry4188531

Indeed. Always use the right tool(s) for the job. Many of these types of tools do not seem to have registry cleaning abilities, which is sometimes needed when cleaning Windows operating systems. In that scenario, as you've stated, one may need to use additional products as part of their efforts.


if one wants the ultimate rescue tool, then this is in the form of using backup software & often

-REF:https://www.bleepingcomputer.com/forums/t/639571/gnulinux-bootable-anti-malware-scanning-tools/#entry4188531

I couldn't agree more. I have backups of not only my files, but also my operating systems, as well as re-install media.

-------------------------------------------------------------------------------------------

I was able to boot Bitdefender Rescue CD under diagnostic mode, on a BIOS computer.

[screenshot]

It:
- Is derived from Gentoo Linux [REF: Command "uname -a"].
- Uses a X86-32 (i686) kernel [REF: Command "uname -a"].
- Automatically attempted to check for Bitdefender updates, after accepting the license agreement.
- Automatically attempted to scan the system!
- Is equipped with Gparted 0.27.0 [REF: Go to Menu, search Gparted, click Gparted, go to Help/About].
- Uses the XFCE desktop environment [REF: Command "ls /usr/bin/xfce4*"].
- Has a Scan Now feature which allows you to scan a select location, but not an individual file.


Edited by hollowface, 01 March 2017 - 07:26 PM.


#8 cat1092
Posted 02 March 2017 - 04:39 AM

Here's another article with a list, some of which are the same, though there's a couple of extras on the list. :)

The Dr. Web bootable app has one benefit that some may not, being able to update prior to scanning, and, while not as well known (in the US) as some choices, it is a powerful scanner. They developed their own decryption tool some time back, we were discussing this in a Ransomware topic, so they must be very resourceful. Certainly one in the list to consider. :thumbup2:

https://www.lifewire.com/free-bootable-antivirus-tools-2625785

While I rarely use these tools, some can be of use when carefully run; don't blindly trust the results w/out knowing what's being removed. When possible, use a second computer to research any found threats, and if there's an option, uncheck 'Automatically remove Threats' (or similar wording), until these can be verified. :)

This is why I love my old, banged up, though still perfectly running Ineo USB 3.0 docking station that fits both 2.5" & 3.5" SATA drives; it's self powered. I also have a StarTech SATA to USB cable with UASP (kind of a boost to USB 3.0 performance), though I use it more for cloning drives, as well as when going to others' homes: I can remove these drives, attach them to my notebook, and scan with my installed security solutions, both AV & AM apps. Like these bootable Rescue CDs, it's easier to stop & quarantine threats while Windows isn't running. Plus in what I just described, the Registry is scanned; I am not sure if it's quite as good as on the install itself, though it does find infected registry entries.

When fighting infections, we need all of the tools we can get our hands on & then some. :)

Cat



#9 cat1092
Posted 02 March 2017 - 05:15 AM

Here are a few others, aimed towards Advanced users. :)

Top 5 Linux System Rescue CDs

Some of these (especially the last on the list) can back up files & repair both Windows & Linux OS's. That last one (2nd link), I'm going to get; that's a tool not currently in my arsenal. I will have to check the versions of another popular couple that have been around for years against the ones that I currently have downloaded, burned to media & also exported to one or more externals (the 1st & 3rd on the list). The first one not only has an extensive line of AV/AM tools, but also uninstallers, a portable optical drive burning utility, drive tools, a list too extensive for me to type. :lol:

http://www.linuxandubuntu.com/home/top-5-linux-system-rescue-cds

https://www.system-rescue-cd.org/SystemRescueCd_Homepage

Have seen the one above on the Internet, though have never downloaded it; it seems to have a decent manual to follow, as well as a SHA256 checksum, in addition to the less secure SHA1 & MD5. Older versions had only MD5 checksums.

https://www.system-rescue-cd.org/Download

Tools on the CD ISO image, which can also be used as a bootable USB stick. 

https://www.system-rescue-cd.org/System-tools

For whatever reason, I couldn't get the 4th choice to open on my end & keep in mind that the 2nd is in Beta. The other three are well known by many Geeks who have been around the block. :P

Cat


Edited by cat1092, 02 March 2017 - 05:28 AM.

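Since the post above notes that SystemRescueCd publishes a SHA256 checksum alongside the weaker SHA1 and MD5, here is an added example of checking a downloaded ISO against a published checksum line before booting it. It is not code from the thread or from the SystemRescueCd project: it assumes coreutils sha256sum (falling back to shasum -a 256 on BSD/macOS) and the common "<hex>  <filename>" checksum-file format, and the file it checks in the demo is a constructed stand-in, not a real ISO.

```shell
#!/bin/sh
# Added example (not from the thread or from SystemRescueCd): verify a
# downloaded ISO against a published SHA-256 checksum line before booting it.

# Print the SHA-256 hex digest of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_iso <iso path> <checksum file>
# The checksum file holds lines of "<hex>  <filename>" (a leading "*" on the
# filename, meaning binary mode, is tolerated). Matching is by basename so
# the ISO can live anywhere locally.
# Returns 0 on match, 1 on mismatch, 2 if the file has no entry at all.
verify_iso() {
    iso=$1
    sums=$2
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256_of "$iso")
    [ "$actual" = "$expected" ]
}

demo() {
    d=$(mktemp -d) || exit 1
    # Constructed stand-in for a downloaded image and its published checksum.
    printf 'pretend this is an ISO image\n' > "$d/rescue.iso"
    printf '%s  rescue.iso\n' "$(sha256_of "$d/rescue.iso")" > "$d/rescue.iso.sha256"

    if verify_iso "$d/rescue.iso" "$d/rescue.iso.sha256"; then
        echo "checksum OK, safe to write to media"
    fi

    # A single changed byte in the download is caught.
    printf 'Pretend this is an ISO image\n' > "$d/rescue.iso"
    if ! verify_iso "$d/rescue.iso" "$d/rescue.iso.sha256"; then
        echo "checksum MISMATCH, do not boot this image"
    fi
    rm -rf "$d"
}

demo
```

A matching digest only proves the download equals what the project published; it does not tell you the checksum itself is genuine. Fetch the .sha256 line from the project's own HTTPS page (or verify a detached signature where one is offered) rather than from the same mirror that served the ISO, otherwise an attacker who can replace the image can replace the checksum too.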


#10 cat1092
Posted 02 March 2017 - 05:24 AM

Malwarebytes offers a Free suite of tools for Windows systems, including bootable ones, under one condition, one must have a repair shop & be willing to fill out all of the required information to access. 

While this is aimed at professionals, who knows, there may be a few onboard. :)

https://www.malwarebytes.com/techbench/

Cat
