Background
Manually scanning for viruses.
Outline
- Viruses
- Identify Virus Sources
- Identify Virus Definitions
- Avail Viruses
- Download Viruses
- Scan For Viruses
- Tools
- clamscan
- clamdscan
- Tools
Tasks
Viruses
Identify Virus Sources
Here are some of the websites that make test virus files available, which we can use for our test.
Entity | WebSite | Link |
---|---|---|
GEOTEK – DATENTECHNIK | https://ipinfo.info/html/testvirus.php | Link |
Identify Virus Definitions
Here are the test virus files the site makes available (all variants of the EICAR test file).
GEOTEK – DATENTECHNIK
File | File Name | Link |
---|---|---|
EICAR Testvirus (DOS/Windows executable) | eicar.com | Link |
EICAR Testvirus (ZIP – packed) | eicar.zip | Link |
EICAR Testvirus (ZIP – double packed) | eicar2.zip | Link |
EICAR Testvirus (ZIP – triple packed) | eicar3.zip | Link |
EICAR Testvirus (ZIP – quadruple packed) | eicar4.zip | Link |
EICAR Testvirus (tar – packed) | eicar.tar | Link |
EICAR Testvirus (gz – packed) | eicar.com.gz | Link |
EICAR Testvirus (MS-cabinet – packed) | eicar.cab | Link |
Explanation
- The files on offer differ only in how they are packaged.
- Depth of packing: packed, double packed, triple packed, and quadruple packed (the ZIP variants).
- Container formats: com (plain DOS/Windows executable), zip, tar, gz, and cab.
Avail Viruses
Use a convenient OS tool to download the sample virus files.
OS – Linux
On Linux consider using a web browser and command-line tools such as wget.
Tools
wget
Syntax
wget -O [filename] [URL]
Sample
wget -O /tmp/personal/eicar.cab https://meineipadresse.de/testvirus/eicar.cab
Output – Text
```
>wget -O /tmp/personal/eicar.cab https://meineipadresse.de/testvirus/eicar.cab
--2020-11-21 21:39:27--  https://meineipadresse.de/testvirus/eicar.cab
Resolving meineipadresse.de (meineipadresse.de)... 159.69.68.106
Connecting to meineipadresse.de (meineipadresse.de)|159.69.68.106|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 150 [application/x-cab]
Saving to: ‘/tmp/personal/eicar.cab’

/tmp/personal/eicar.cab 100%[===========================================>]     150  --.-KB/s    in 0s

2020-11-21 21:39:28 (255 MB/s) - ‘/tmp/personal/eicar.cab’ saved [150/150]
```
Scan Viruses
Use a convenient OS tool to scan the downloaded sample virus files.
Tools
clamscan
Outline
- Command-line tool.
- Able to check files and folders for viruses.
- It is standalone
Options
- Basic (no options)
- Quiet
  - Options
    - --quiet
    - --bell
Basic
Syntax
clamscan [folder]
Sample
clamscan /tmp/personal
Output – Text
```
>clamscan /tmp/personal
/tmp/personal/eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/Gen:Variant.Johnnie.97338.zip: OK
/tmp/personal/eicar.tar: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.com.gz: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.cab: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9128582
Engine version: 0.102.4
Scanned directories: 1
Scanned files: 5
Infected files: 4
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 1.00:1)
Time: 19.591 sec (0 m 19 s)
>
```
Quiet
Syntax
clamscan --quiet --bell [folder]
Sample
clamscan --quiet --bell /tmp/personal
clamdscan
Outline
- Command-line tool.
- Able to check files and folders for viruses.
- It relies on a separately running clamd daemon.
Options
- Basic (no options)
- Quiet
  - Options
    - --quiet
Basic
Syntax
sudo clamdscan [folder]
Sample
sudo clamdscan /tmp/personal
Output – Text
```
>sudo clamdscan /tmp/personal
/tmp/personal/eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.tar: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.com.gz: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.cab: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 4
Time: 0.035 sec (0 m 0 s)
>
```
Quiet
Syntax
clamdscan --quiet [folder]
Sample
clamdscan --quiet /tmp/personal
Troubleshooting
If the clamd daemon is not running or not reachable, clamdscan fails with error messages such as:
- ERROR: Could not connect to clamd on LocalSocket /run/clamd.scan/clamd.sock: No such file or directory
Technical Analysis
clamscan versus clamdscan
- clamscan
  - clamscan is a standalone application. On every launch it starts afresh: it loads the virus signature database into memory and then checks each file against those signatures. That database load is why the clamscan run above took 19.591 sec.
- clamdscan
  - clamdscan uses IPC (a local socket) to connect to the separately running clamd daemon, which already holds the database in memory. It sends the scan request over, waits for the daemon to complete its check, receives the result, and renders it, so the same folder was scanned in 0.035 sec.
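To turn a clamscan or clamdscan run into something a cron job or CI step can act on, the verdict should come from the scanner's exit status (0 clean, 1 infected, 2 error, per the clamscan and clamdscan man pages) and the FOUND lines of its report, with the "Could not connect to clamd" case from the troubleshooting section handled separately. The script below is an added example, not code from the original post; the report it parses is constructed from the clamscan output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): interpret clamscan/clamdscan results.
# Exit codes per the clamscan(1)/clamdscan(1) man pages: 0 clean, 1 infected, 2 error.

# interpret_status STATUS REPORT_TEXT -> prints: clean | infected | clamd-down | error
interpret_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) case "$2" in
               *"Could not connect to clamd"*) echo clamd-down ;;   # daemon not running
               *) echo error ;;
           esac ;;
    esac
}

# found_files REPORT_TEXT -> one "path<TAB>signature" line per FOUND entry.
# Paths can contain ':' (see Gen:Variant.Johnnie.97338.zip above), so we anchor
# on the trailing ": <signature> FOUND" instead of splitting the line on ':'.
found_files() {
    printf '%s\n' "$1" | awk '
        match($0, /: [^ ]+ FOUND$/) {
            path = substr($0, 1, RSTART - 1)
            sig  = substr($0, RSTART + 2, RLENGTH - 8)   # drop ": " and " FOUND"
            print path "\t" sig
        }'
}

# count_found REPORT_TEXT -> number of FOUND entries
count_found() { found_files "$1" | wc -l | tr -d ' '; }

# scan_dir SCANNER DIR -> runs e.g. "clamscan" or "sudo clamdscan" on DIR and
# prints the verdict plus the infected files. SCANNER is unquoted on purpose so
# a multi-word command like "sudo clamdscan" splits into its words.
scan_dir() {
    status=0
    report=$($1 "$2" 2>&1) || status=$?
    echo "verdict: $(interpret_status "$status" "$report") ($(count_found "$report") found)"
    found_files "$report"
}

# Constructed sample report, copied from the clamscan run on this page.
SAMPLE_REPORT='/tmp/personal/eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/Gen:Variant.Johnnie.97338.zip: OK
/tmp/personal/eicar.tar: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.com.gz: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.cab: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 4'

if [ "$#" -eq 2 ]; then scan_dir "$1" "$2"; fi   # usage: ./scan.sh clamscan /tmp/personal
```

Run with no arguments the script only defines the functions; with a scanner and a folder it scans for real and exits after printing the verdict line and the per-file list.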
Summary
Please install an anti-virus (AV) tool.
Periodically revisit your system and confirm that its AV subsystem is still functional.