Virus and how to get rid of it using free Bootable Linux Antivirus CD


Please note this article was published in May 2009 and is outdated; some links below might be broken.

 

The idea is very simple. Boot from an external device and then scan the hard drive. This prevents the virus from loading during boot on the infected machine and makes scanning easier (viruses usually try to hide once loaded in memory). I remember back in the old days of MS DOS 3.0 it was pretty easy to build a bootable floppy disk. It became almost impossible with WinNT4. Luckily Linux has improved: it can boot easily from CD or USB stick and can even read and write NTFS partitions.

There are several free bootable antivirus CDs out there; however, they do not always work as they could or should. In general I found more issues on old laptops, where the CD froze during boot or during the scan, or did not recognize the NTFS partition (the older the laptop, the more issues you will face). You should be prepared to create several CDs instead of relying on one AV only.

In general you should use the CD right away, or the PC should be connected to the internet with an ethernet cable to receive the newest virus signatures (wireless can work in some cases but requires some Linux knowledge). I found one exception: F-SECURE allows you to boot from CD and load virus definitions from a USB stick. TRINITY needs an internet connection no matter how fresh the CD is (this is by design). Some antivirus packages are very simple scanners only; some allow additional tasks like fixing the registry or transferring data from the infected PC over the network.

So who is the winner? If you are a dummy user, I would start with AVIRA or DrWeb: they offer a very simple interface and are kinda hard to screw up. My personal choice is Trinity for its flexibility and multiple AV engines.

1. download the ISO of the antivirus engine (see links below)
2. burn it to a CD (I like the free ImgBurn)
3. make sure the boot sequence is set to CD-ROM then HARD DRIVE in the BIOS (see below)
4. boot from the CD (I recommend putting the CD in the tray, turning off the PC, then turning it back on; don’t just reboot from Windows)

BIOS

here is how my BIOS looks (on my PC it came up after I hit F2 during PC startup); notice the boot sequence


AVIRA

highly recommended for novice users
download ISO here

+ very easy to use graphical environment
+ downloaded ISO had latest virus signatures
+ allows SCAN ONLY / DISINFECT VIRUSES / DELETE VIRUSES
+ allows virus signature updates over the network
+ offers a command line console
– if you use an older ISO (a few weeks after you burn it), it does not automatically update virus signatures before you scan (you have to click the UPDATE button in the menu)
– by default it only scans (does not clean or delete viruses); you have to change this in the CONFIGURATION menu (by default the AV should prompt after the scan what to do with infected files)

AVIRA1

easy to understand boot screen with default (1) option

AVIRA2

easy to start scanning (the initial screen is in German, very easy to change)

 

AVIRA3

easy to change options, it would be nice if default action would be “prompt”

 

AVIRA4

very easy to follow scan progress

AVIRA5

virus signatures are easy to update but do not update automatically before scanning

AVIRA6

switch to console mode


DrWeb

highly recommended for novice as well as advanced users
download ISO here

+ very easy to use graphical environment with a full “Windows-like desktop”; this was my favorite desktop of all the AV distros
+ includes a web browser, very useful if you do not have a second computer and need some help
+ downloaded ISO had the latest virus signatures
+ allows SCAN ONLY / DISINFECT VIRUSES / DELETE VIRUSES
+ allows virus signature updates over the network
+ offers a command line console
+ offers easy creation of a bootable USB
+ offers Windows-like drive letters (the only Linux AV out there with this feature)
+ allows scanning in both graphical and simple text mode (called safe mode)
– significantly slower than other engines (not sure if this is just me, but I was getting 4x slower scans than with any other engine)

easy to follow boot screen


Initial screen cannot be easier than this. Windows users would love it.


very detailed options


DrWeb started in Safe Mode… and YES Midnight Commander is present !!


BitDefender

recommended for novice as well as more advanced users
download ISO here

+ very easy to use graphical environment with full “windows like desktop”
+ includes a web browser, very useful if you do not have a second computer and need some help
+ allows SCAN ONLY / DISINFECT VIRUSES / DELETE VIRUSES
+ allows virus signature updates over the network
+ offers a command line console
– downloaded ISO did not have the latest virus signatures
– when you restart the scan manually it offers Linux volumes; this might be confusing for Windows users
– does not automatically update virus signatures (you have to click the UPDATE button in the menu) although scanning starts automatically after boot !!
+/- the initial screen waits for 30 seconds; if you don’t react it starts booting from the hard drive (other AV tools started the OS from CD by default)

BITDEF1

easy to understand boot screen with the default “boot from HDD”, which is a bit unexpected

BITDEF2

easy to follow scanning progress (notice this is an app; you can start other programs while scanning is in progress)

BITDEF3

easy to change settings and run the virus signature update; I wish the signature update would run automatically before the scan starts (this screenshot was taken on MAY-30-2009)

BITDEF4

if you restart the scan, you face the question “what to scan” and a Linux folder structure. This can scare Windows users a bit


Kaspersky

did not boot at all on any laptop (ISO downloaded and burned several times over a 2 month period)
download ISO here

KAV1

initial boot screen, system did not boot


F-Secure

not recommended
download ISO here

+ easy to use text environment
+ allows virus signature updates over the network
+ allows virus signature updates from a USB thumb drive
– allows DELETE VIRUSES (rename files) only
– no command line console
– downloaded ISO did not have the latest virus signatures
– even the newest virus signatures from both network and thumb drive were more than two weeks old !!
– you cannot scan a folder; you can scan only single or multiple partitions
+/- the initial screen waits for 15 seconds; if you don’t react it starts booting from the hard drive (other AV tools started the OS from CD by default)

FSECURE1

easy to understand boot screen (maybe too simple) with the default “boot from HDD”, which I did not like

FSECURE2

license screen … who has time to read these?

FSECURE3

easy to select the partition to scan; you cannot select a single folder to scan

FSECURE4

very easy to understand screen, almost impossible to misuse

FSECURE5

completed scan


Trinity

recommended for advanced users only
download ISO here (top right corner)

Trinity is actually not an antivirus CD created by one AV company; it is a bootable Linux CD with 4 freely available antivirus scanners that are easy to start.

+ allows SCAN ONLY / DISINFECT VIRUSES / DELETE VIRUSES (depending on the engine you select)
+ multiple antivirus engines (ClamAV, BitDefender, F-prot, AVG)
+ automatically updates virus signatures before scanning
+ allows virus signature updates over the network
+ very good documentation (type trkhelp in the command line)
+ offers autoupdate of itself
+ offers easy creation of a bootable USB
+ offers easy boot from the network
+ has tons of additional tools (my favorite is SAMBA)
– there should be a message “type trkhelp for detailed documentation” after you boot from the CD (not everybody is a pro or uses this CD every day)
– offers a command line console only (no graphical interface)
– downloaded ISO did not have the latest virus signatures (this is by definition; Trinity is a universal wrapper for multiple AV engines)
– at the time of writing AVG did not work (it looks like AVG changed the scanning engine and the newest Trinity ISO 3.3 did not reflect the changes yet)
– the virusscan script should allow a SCAN ONLY / DISINFECT / DELETE option for each AV engine (not sure if this is possible)

TRINITY1

a bit complex boot menu; serves its purpose well for advanced users

TRINITY2

standard Linux boot screen

TRINITY3

Documentation is very detailed

TRINITY4

command line scan is not as easy to follow as a GUI but does its job


BartPE

recommended for advanced users only; I would recommend BartPE in special cases only (do not start with BartPE). What are the special cases? Well, you might be facing issues with Linux on dirty NTFS partitions; this is where a Windows environment does a good job.
download ISO here

BartPE is actually not an antivirus CD created by one AV company; it is a bootable Windows CD. You have to download the McAfee DOS command line scanner manually (this is a better location for the superDAT)

+ allows SCAN ONLY / DISINFECT VIRUSES / DELETE VIRUSES
+ it’s a Windows environment (well, kinda)
+ uses Windows native drivers
+ has tons of additional plug-ins
– requires you to download the antivirus engine manually prior to creating the ISO (you could possibly do this on the live CD: map a network drive and copy the AV over the network to the ramdrive; I did not try this)
– the downloaded installer did not have the latest virus signatures (this is by definition; BartPE is a universal wrapper only)
– it’s not easy: you do not download an ISO but an installer which creates the ISO; if you have one PC and it’s already infected I would not recommend using BartPE
– requires a Windows XP installation in order to create the ISO (the installer creates the ISO based on your Windows files); it can work with VISTA with workarounds (I did not test it)
– in general not an error-free Windows XP boot from CD if you plan to use it on multiple PCs with different hardware (I was getting a blue screen of death on one laptop)
+/- the antivirus scanner is command line only; however the settings and the scanning report are graphical


simple to use tool which creates the ISO (please note you need WinXP installation disks and have to manually download the free McAfee virus scanner)


BartPE prompts for Network Config First


Does this look like Windows?


BartPE wrapper for McAfee command line scanner – very easy to use


Result of the scan is presented in Notepad. Who does not love notepad?


AVG

recommended for advanced users only
download ISO here

AVG is not a bootable Linux CD; however I would like to mention it here (I quickly mentioned it above in the TRINITY section). You can theoretically use almost any bootable Linux CD, download the AVG software from the link above for free and run an AVG scan. I was able to do this with the Ubuntu 9.04 live CD and the AVG DEB installation package with no problems.

Small correction on 03-APR-2010: It’s been a while since I wrote this article; AVG has released a bootable antivirus CD. I did not test it; you can find it here.
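The four steps at the top and the "any live CD plus a scanner" approach described here, put into one script; this is an added example, not from the original post or from any of the AV vendors. It assumes root on a Debian-based live CD with clamav and ntfs-3g installed, the mount point /mnt/win and the quarantine directory /quarantine (all assumptions), and uses ClamAV because it is the free engine Trinity also ships.

```shell
#!/bin/sh
# offline-scan.sh (added example): scan a Windows disk from a Linux live CD
# with ClamAV, the way the post describes: the infected OS is not running,
# so its malware cannot hide from the scanner.
# Assumes root on a live CD with clamav and ntfs-3g installed, and the
# mount point /mnt/win and quarantine directory /quarantine (all assumptions).

# Print the device names of NTFS partitions from `blkid` output read on stdin
# (blkid lines look like: /dev/sda1: LABEL="System" UUID="..." TYPE="ntfs").
ntfs_partitions() {
    sed -n 's/^\(\/dev\/[^:]*\):.*TYPE="ntfs".*$/\1/p'
}

# Read-only for a report-only scan, so a dirty (hibernated) NTFS volume can
# still be mounted and nothing on the disk is touched; read-write only when
# infected files must be moved or removed.
mount_opts() {
    if [ "$1" = scan ]; then echo ro; else echo rw; fi
}

# Build the clamscan command for the post's three modes. ClamAV does not
# disinfect, so "quarantine" (move infected files aside) stands in for it.
scan_cmd() {
    action=$1 mountpoint=$2 logfile=$3
    base="clamscan -r -i --log=$logfile"
    case $action in
        scan)       echo "$base $mountpoint" ;;
        quarantine) echo "$base --move=/quarantine $mountpoint" ;;
        delete)     echo "$base --remove $mountpoint" ;;
        *)          return 1 ;;
    esac
}

main() {
    action=$1
    # Fresh signatures first; an ISO burned weeks ago is already stale.
    freshclam || echo "signature update failed, scanning with the CD's signatures" >&2
    mkdir -p /mnt/win /quarantine
    blkid | ntfs_partitions | while read -r dev; do
        mount -t ntfs-3g -o "$(mount_opts "$action")" "$dev" /mnt/win || continue
        sh -c "$(scan_cmd "$action" /mnt/win "/tmp/scan-$(basename "$dev").log")"
        umount /mnt/win
    done
}

case ${1:-} in
    scan|quarantine|delete) main "$1" ;;
    *) echo "usage: $0 scan|quarantine|delete" >&2 ;;
esac
```

Run it as `sh offline-scan.sh scan` first; only switch to `quarantine` or `delete` after reading the log in /tmp, since those modes mount the Windows partition read-write.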


installing AVG under Ubuntu 9.04 Live CD


2 thoughts on “Virus and how to get rid of it using free Bootable Linux Antivirus CD”

  1. […] boots off of and runs an operating system environment from instead of Windows. This link “Jiri’s – Virus and how to get rid of it using free Bootable Linux Antivirus CD” has the steps to create the cd and use it to scan for viruses while windows is dormant. The […]

  2. Link for BartPE ISO seems to be wrong. Same as link below it for McAfee. Need ISO link for BartPE.
