Offline Virus Scanning

I’m writing this mainly codify my recent attempts to improve the state of offline virus scanning. I’ve just recently been adopted as a junior threat analyzer. Parts of my duties include assuring that flagged machines are double checked with multiple antivirus vendors. (This is a side-effect of using equipment designed for malware analysis and log parsing, minor forensic reports.) Because of this, I’ve become accustomed to using bootable live media to assure semi-static scans. I’ve also noticed a few problems.

My requirements for offline scanning:

  • Use live media, you need to scan the host target statically.
  • Keep that live media up to date. (With an network or offline-network mode.)
  • Make sure it supports files systems used by Windows, Linux, and Mac.
  • Proper alerting upon completion.
  • Options for a forensics scan.
  • Make sure it boots quickly and automatically jumps into scan mode.

Here are some obvious issues:

  1. Industry standard and enterprise systems do not provide these tools.
  2. This incapacitates the target system for as long as the scan runs.
  3. Virus definitions are updated frequently; authoring updated live media takes time.

I didn’t have much trouble finding Live CDs for various antivirus scanners. There’s an old article here which provides a decent list. But none of them had all the bells and whistles I wanted. I wanted something very quick and automated: boot fast, ask a few questions, start scanning. The closest one I found was F-Secure which provided a concise terminal interface and almost no decision making. The main issue I had was that you were required to update via the network. Well that’s no good, what if I want to scan a system that was disconnected from the network? You also had to boot with the option “forensics” to enable read-only mounting of filesystems.

When I first found the list I was pretty excited. It meant that others were lead to similar conundrums where at some point in their life they needed to perform an offline scan. (Perhaps they are all attempts to recover from a damaged system.) My situation is a bit different; I’m using live media as a precaution, a bit of a second opinion. I don’t plan on watching the scans either. I want to play a system administrator role where I deploy and alert.

I found OpenDiagnostics. OD uses clamav to perform the scanning. (Oh, let me also add that I want something Linux based, using BartPE or other Live Windows media gives me headaches. Remember I mentioned ‘fast booting’ under requirements.) Unfortunately OpenDiagnostics, which is based on Ubuntu, hasn’t updated to 10.04 (edit: has since been updated, see bottom) or even a version that supports libc6 which is required by Clamav version 0.96.

I’m going to create my own, something based on the Ubuntu Live CD, including friendly menus and tons of capabilities depending on your needs. Problem 2 will be addressed with optional automated boot-then-scan abilities and optional upon-completion alerting. It’ll be very simple to update definitions without having to re-squash the live file system, just a simple folder on the ISO where updates are dropped. After the live system boots, a script will run to search the folder for engine updates and definition files.

Wish me luck!

Update: Brandon from Volatile Minds contacted me to let me know that Open Diagnostics has been updated to 10.04, check it out.