September 22, 2005, 9:37 pm

A common problem in security is deciding how to scan a PC that is suspected to be infected with a virus. One approach is to use the anti-virus software already installed on the PC; however, mistrusting that software may be wise, since a number of viruses disable or alter anti-virus software. An alternative approach is to boot the computer from some other media (CD-ROM, floppy disk, USB mass storage, PXE) and run an anti-virus program from that media. This increases the trustworthiness of the anti-virus software, but raises the question of how to ensure that the latest anti-virus definitions are available.

Knoppix is a bootable Linux distribution that ships with Clam AntiVirus and supports downloading anti-virus definitions to a ramdisk. You can therefore boot from the CD-ROM, which carries a complete read-only operating system, and run the included virus scanner, which fetches the latest definitions over the network. This gives you a safe and easy first response to a suspected infection.
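The workflow above, written out as a small shell script. This is an added example, not code from the original post or from the Knoppix or ClamAV projects; the device name, the ramdisk path, and the mount point are assumptions for illustration. The suspect volume is mounted read-only (and noexec/nosuid/nodev) so the scan cannot alter evidence, signatures are fetched into the writable ramdisk rather than the read-only CD, and the scan summary is parsed so a caller can act on the infected-file count.

```shell
#!/bin/sh
# Added example for a Knoppix-style live boot: the CD is read-only, the
# ramdisk is the only writable location. All paths below are assumptions.
DBDIR=/ramdisk/clamav      # assumed writable directory for definitions
SUSPECT_DEV=/dev/hda1      # assumed suspect Windows partition
MNT=/mnt/suspect           # assumed mount point

# Mount the suspect volume read-only so nothing on it is modified and so
# nothing on it can be executed from the live environment.
mount_suspect() {
    mkdir -p "$MNT"
    mount -o ro,noexec,nosuid,nodev "$SUSPECT_DEV" "$MNT"
}

# Download the latest signatures into the ramdisk instead of the default
# (read-only) database directory on the CD.
update_defs() {
    mkdir -p "$DBDIR"
    freshclam --datadir="$DBDIR"
}

# Recursively scan the mounted tree with the freshly downloaded definitions,
# reporting only infected files and logging the run to the ramdisk.
scan_suspect() {
    clamscan --database="$DBDIR" -r --infected --log="$DBDIR/scan.log" "$MNT"
}

# Pull the "Infected files" count out of a clamscan log's SCAN SUMMARY so
# the result can be tested or acted on rather than read off the screen.
infected_count() {
    awk -F': ' '/^Infected files:/ { print $2 }' "$1"
}

# Typical sequence on the live CD (run explicitly; not executed on load):
#   mount_suspect && update_defs && scan_suspect
#   infected_count "$DBDIR/scan.log"
```

clamscan exits 1 when infected files are found, so `scan_suspect` can also be used directly in a conditional; parsing the log is useful when the log is kept for the incident record.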

Knoppix can be obtained by direct download from a number of mirror sites or via BitTorrent.

Comments
September 23, 2005, 10:05 am (Comment)

It should be noted that just hours after I posted this, SANS issued an alert for versions of ClamAV prior to version 0.87. Users can craft special files that, when scanned, could be used to run arbitrary code on the scanning machine.

Note also that in the environment described above, most such attacks would fail (no disk to write to except the ramdisk, without taking very special measures).

For more information:

ClamAV Release Notes for version 0.87

http://www.clamav.net/whos.html#pagestart (includes Mac OS X server)

Third Party Software Using ClamAV: http://www.clamav.net/3rdparty.html#pagestart

SecurityFocus BIDs:
http://www.securityfocus.com/bid/14867
http://www.securityfocus.com/bid/14866
