Background

Manually scanning for viruses.

 

Outline

1. Viruses
   • Identify Virus Sources
   • Identify Virus Definitions
2. Avail Viruses
   • Download Viruses
3. Scan For Viruses
   • Tools
     • clamscan
     • clamdscan

Tasks

Viruses

Identify Virus Sources

Here are some of the websites that avail viruses that we can use for our test.

Identify Virus Definitions

Here are the virus definition files.

GEOTEK – DATENTECHNIK

Avail Viruses

Please use a convenient OS Tool to avail the sampled Virus files.

OS – Linux

On Linux consider using a web browser and command-line tools such as wget.

Tools

wget

Syntax

wget -O [filename] [URL]

Sample

wget -O /tmp/personal/eicar.cab https://meineipadresse.de/testvirus/eicar.cab

Output – Image

Output – Text

>wget -O /tmp/personal/eicar.cab https://meineipadresse.de/testvirus/eicar.cab
--2020-11-21 21:39:27-- https://meineipadresse.de/testvirus/eicar.cab
Resolving meineipadresse.de (meineipadresse.de)... 159.69.68.106
Connecting to meineipadresse.de (meineipadresse.de)|159.69.68.106|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 150 [application/x-cab]
Saving to: ‘/tmp/personal/eicar.cab’

/tmp/personal/eicar.cab 100%[===========================================>] 150 --.-KB/s in 0s

2020-11-21 21:39:28 (255 MB/s) - ‘/tmp/personal/eicar.cab’ saved [150/150]

 

Scan Viruses

Please use a convenient OS Tool to avail the sampled Virus files.

Tools

clamscan

Outline

1. Command-line tool.
2. Able to check files and folders for viruses.
3. It is standalone

Option

1. Basic
2. Quiet
   • Options
     • –quiet
     • –bell

Basic

Syntax

clamscan [folder]

Sample

clamscan /tmp/personal

Output – Image

Output – Text

>clamscan /tmp/personal
/tmp/personal/eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/Gen:Variant.Johnnie.97338.zip: OK
/tmp/personal/eicar.tar: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.com.gz: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.cab: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9128582
Engine version: 0.102.4
Scanned directories: 1
Scanned files: 5
Infected files: 4
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 1.00:1)
Time: 19.591 sec (0 m 19 s)
>

Quiet

Syntax

clamscan --quiet --bell [folder]

Sample

clamscan --quiet --bell /tmp/personal

Output – Image

Output – Text

 

clamdscan

Outline

1. Command-line tool.
2. Able to check files and folders for viruses.
3. It relies on and needs the clamd daemon

Options

1. Basic
2. Quiet
   • Options
     • –quiet

Basic

Syntax

sudo clamdscan [folder]

Sample

sudo clamdscan /tmp/personal

Output – Image

Output – Text

>sudo clamdscan /tmp/personal
/tmp/personal/eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.tar: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.com.gz: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.cab: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND</pre>
----------- SCAN SUMMARY -----------
Infected files: 4
Time: 0.035 sec (0 m 0 s)
>
<pre>

Quiet

Syntax

clamdscan --quiet [folder]

Sample

clamdscan --quiet /tmp/personal

Output – Image

Output – Text

TroubleShooting

If the clamd daemon is not running or not accessible, one will get error messages including:-

1. ERROR: Could not connect to clamd on LocalSocket /run/clamd.scan/clamd.sock: No such file or directory

Image

Textual

ERROR: Could not connect to clamd on LocalSocket /run/clamd.scan/clamd.sock: No such file or directory

Technical Analysis

calmscan versus calmdscan

1. calmscan
   • calmscan is a standalone application.  Upon launch, it loads anew into memory, reads its virus database, and checks files against the signature.
2. calmdscan
   • calmdscan uses IPC to connect to a separately running application.  It sends a payload over, waits for the host to complete its check, receives, and renders the result.

 

Summary

Please install an AntiVirus ( AV ) tool.

Occasionally, revisit your system and ensure its AV Subsystem is functional.