(release date: 4 September 2008)
I have compiled ClamAV v0.94
In this release you don't have to execute clamav-install.sh
before you can run freshclam
to update the definition files of clamav. I have renamed freshclam to freshclam-exe
and written a shell script named freshclam
that checks if the user clamav exists (if not, it gets added to the system) and that checks if there is a working internet connection. If there is a working internet connection, freshclam-exe (original freshclam) will be executed and will update the definition files. BTW, scripts placed in /pmagic/pmodules/scripts/
will be executed now.. See: http://partedmagic.com/phpBB3/viewtopic.php?f=7&t=177
Changes in ClamAV 0.94 which I think are relevant for UBCD:
Enhanced Detection EngineDescription:
ClamAV now supports logical signatures. The logical signature technology uses operators such as AND, OR and NOT to allow the combination of more than one signature into one entry in the signature database resulting in more detailed and flexible pattern matching. This helps ClamAV catch modern ever-evolving scripting and complex
The enhanced ClamAV signature accuracy increases the detection of more complex malware and scripts.Disassembly EngineNew!Description:
The bytes of a virus can now be examined more rigorously, improving the detection of encrypted malware. The disassembly engine improves detection of complex malware by disassembling and examining executable code at certain positions.Benefit:
The disassembly engine allows signature writers to create signatures that are more reliable.PUA DetectionImproved!Description:
We improved the detection of PUAs (potentially unwanted applications) and now allow users to decide which signatures should be loaded by changes to clamd.conf.Benefit:
Users gain from an improved level of configurability in ClamAV’s PUA feature. In 0.93, the entire feature was on or off; in 0.94 a user can block some signatures, for example jokes, while allowing others. We maintain a list of available PUA categories on www.clamav.net
For the full change log see: http://www.clamav.net/press/0.94-WhatsNew.pdf
To run an antivirus scan with ClamAV, run clamscan
with some parameters.
root@PartedMagic:~# clamscan --help
Clam AntiVirus Scanner 0.94
(C) 2002 - 2007 ClamAV Team - http://www.clamav.net/team
--help -h Print this help screen
--version -V Print version number
--verbose -v Be verbose
--debug Enable libclamav's debug messages
--quiet Only output error messages
--stdout Write to stdout instead of stderr
--no-summary Disable summary at end of scanning
--infected -i Only print infected files
--bell Sound bell on virus detection
--tempdir=DIRECTORY Create temporary files in DIRECTORY
--leave-temps Do not remove temporary files
--database=FILE/DIR -d FILE/DIR Load virus database from FILE or load
all .cvd and .db files from DIR
--log=FILE -l FILE Save scan report to FILE
--recursive -r Scan subdirectories recursively
--remove Remove infected files. Be careful!
--move=DIRECTORY Move infected files into DIRECTORY
--copy=DIRECTORY Copy infected files into DIRECTORY
--exclude=PATT Don't scan file names containing PATT
--exclude-dir=PATT Don't scan directories containing PATT
--include=PATT Only scan file names containing PATT
--include-dir=PATT Only scan directories containing PATT
--detect-pua Detect Possibly Unwanted Applications
--exclude-pua=CAT Skip PUA sigs of category CAT
--include-pua=CAT Load PUA sigs of category CAT
--detect-structured Detect structured data (SSN, Credit Card)
--structured-ssn-format=X SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N Min SSN count to generate a detect
--structured-cc-count=N Min CC count to generate a detect
--no-mail Disable mail file support
--no-phishing-sigs Disable signature-based phishing detection
--no-phishing-scan-urls Disable url-based phishing detection
--heuristic-scan-precedence Stop scanning as soon as a heuristic match is found
--phishing-ssl Always block SSL mismatches in URLs (phishing module)
--phishing-cloak Always block cloaked URLs (phishing module)
--no-algorithmic Disable algorithmic detection
--no-pe Disable PE analysis
--no-elf Disable ELF support
--no-ole2 Disable OLE2 support
--no-pdf Disable PDF support
--no-html Disable HTML support
--no-archive Disable archive support
--detect-broken Try to detect broken executable files
--block-encrypted Block encrypted archives
--mail-follow-urls Download and scan URLs
--max-filesize=#n Files larger than this will be skipped and assumed clean
--max-scansize=#n The maximum amount of data to scan for each container file (*)
--max-files=#n The maximum number of files to scan for each container file (*)
--max-recursion=#n Maximum archive recursion level for container file (*)
--max-dir-recursion=#n Maximum directory recursion level
(*) Certain files (e.g. documents, archives, etc.) may in turn contain other
files inside. The above options ensure safe processing of this kind of data.
To update the definition files of ClamAV, run freshclam
from the terminal emulator (roxterm).
You can download the last definition files manually from http://www.clamav.net/
Latest ClamAV™ stable release is: 0.94
Total number of signatures: 418125
ClamAV Virus Databases:
main.cvd ver. 48 released on 04 Sep 2008 18:51 +0000
daily.cvd ver. 8207 released on 10 Sep 2008 10:58 +0000
Open the /pmagic/pmodules/clamav-definitions.7z
archive and replace /usr/share/clamav/daily.cvd
with the new downloaded versions.
A graphic interface for clamav (ClamTK
) won't be included for the moment. I still didn't figured out which files I need for it. If someone knows, let me know. The files that I found to be needed for ClamTK already taken up 30MiB of space.XFPROT v1.25:
(release date: 10 August 2008)
I have compiled XFPROT v1.25
. I had to make some modification to the source code to get around the problem:
Parted Magic 3.0 (and pre 3.1) has switched the terminal from xterm to roxterm. XPROT calls xterm with the -hold option, but roxterm doesn't support that option.
The problem with scanning file names with spaces is resolved in XFPROT v1.25 (bug in XFPROT v1.23).
I also found and solved another bug in XFPROT when used in conjunction with gnome-terminal. This is no problem for incorporation in Parted Magic because it doesn"t have gnome-terminal, but it is better if the problem gets corrected. I will report my findings to the author of XFPROT.
I also putted all the f-prot files in /opt/f-prot/
and made symlinks to the necessary locations so when a new version of f-prot comes out, you only have to replace the files in /opt/f-prot/
inside the fprot.7z
file (put the antivir.def
To save the updated antivir.def
, open PCMan File Manager
and go to /opt/f-prot/
. Copy the file antivir.def
to your local hard disk. Boot into windows, open /pmagic/pmodules/fprot-definitions.7z
and replace the /opt/f-prot/antivir.def
inside this archive with the new one.
I also added a check in /usr/bin/fpupdate
to see if there is a working internet connection. If there is a working internet connection, it calls /opt-f-prot/fpupdate
, which will update the definition file.
I made all this with the beef drapes of Parted Magic 3.1-pre (September 9) in mind. Parted Magic 3.1-pre has a start menu and a different background and desktop environment (LXDE) than Parted Magic 3.0, so now I don't need the generic antivirus icon any more. It should work on Parted Magic 3.0 also (not tested).
If you have Parted Magic 3.1, you can start xfprot
by clicking Start ==> System Tools ==> Xfprot
If you have Parted Magic 3.0, you have to open a terminal emulator and type xfprot
. (Note to Victor: change it in the help file if you want to stick with Parted Magic 3.0, the previous version had to be called with xfprot-gtk.)
You also can run F-Prot from the commandline. This allows you to set more parameters and options.
root@PartedMagic:~# fpscan --help
fpscan [MEDIA] [OPTIONS] [PATHS]
MEDIA is ALL, LOCAL or BOOT.
OPTIONS is any combination of legal options (see below).
PATHS is one or more paths to scan.
If MEDIA is specified, paths are optional.
If paths are given MEDIA is optional.
Options and media specifiers are not case sensitive.
Scan every file found and all boot sectors.
Specifying additional paths after this switch has no effect since any
path is a subset of ALL.
Scan all local disks/partitions.
Specifying additional paths causes those paths to be scanned as well.
-n, --network (Windows only)
Scan every file on every network drive.
Specifying additional paths causes those paths to be scanned as well.
-b, --boot (Windows/Linux only)
Scan all boot sectors.
Specifying paths in addition causes those paths to be scanned as well.
-t, --streams (Windows only)
Scan inside NTFS streams.
Follow symbolic links. Symlinks, when specified as paths on
the command line are always followed, regardless of this option.
-m, --mount (Unix only)
For each path given, stay on that filesystem.
Descend at most n levels of directories below a given scanpath
(default 30 levels).
-s n, --scanlevel=n (0 <= n <= 4)
0 => Disable regular scanning (only heuristics).
1 => Skip suspicious data files. Not recommened if filename is
2 => (Default) Unknown and/or wrong extentions will be emulated.
3 => Unknown binaries emulated.
4 => For scanning virus collections, no limits for emulation.
-u n, --heurlevel=n (0 <= n <= 4, default 2)
How aggressive heuristic should be used. Higher levels means
more heuristic tests are done which increases both detection rates
AND risk of false positives.
-z n, --archive=n (0 <= n <= 99, default 5 levels)
How deep to scan inside nested archives.
Scan for and report/act on adware in addition to viruses and worms.
Scan for and report/act on applications that may constitue security
risks. This includes remote access tools which users should regard as
malware if installed without their knowledge or consent. The same
program could be a perfectly valid and useful tools for another person,
so the definition of what should be considered malware in this category
must come from the user.
-v n, --verbose=n (0 <= n <= 2)
0 => Report infections only
1 => (Default) Report infections and scan errors
2 => Report all files as they are processed, as well as all
warnings and errors.
Use a specific virus signature file (antivir.def).
Refer to the file using its full path name.
By default the virus signature file is loaded from the same directory
as the command-line scanner binary.
-o FILE, --output=FILE
Send output to FILE instead of stdout.
-e LIST, --exclude=LIST
Do not scan files and directories that match entries in LIST.
LIST should be a comma seperated list of paths.
The '*' character may be used as a wildcard. If entry ends with
a path separator ('/' on Unix, '\' on Windows), any directory that
matches the entry will be skipped entirely.
Examples (Unix paths used):
--exclude=/tmp/ => skips /tmp and any and all files therein.
--exclude=/tmp/* => does the same thing, but is less efficient.
--exclude=*/tmp/ => skips all folders named 'tmp'.
--exclude=*.dat => skips all files ending in .dat.
--exclude=/boot/initrd,/tmp/ => skips the specific file /boot/initrd
and the directory /tmp/.
Please note that most Unix shells treat '*' as a special character
so it must be escaped with a backslash ('\') or surrounded by
quotation marks to be passed on to the program.
Automatically disinfect files if possible.
Only report infections. Do not disinfect.
Default is to ask if disinfection should be attempted.
EXTRA MACRO DISINFECTION OPTIONS:
Remove all macros from infected documents.
Remove all macros from document when new variant is found.
Default is to remove only known malware macros.
HELP AND INFORMATION OPTIONS:
Print version numbers and exit.
Print statistics about malware from definition file and exit.
List known malware and exit.
Print this help.
from the terminal emulator to update the definitions manually.Parted Magic 3.1 matter:
You have to change tmpfs_size=180M
to at least tmpfs_size=220M
or you can delete this parameter all the way (Parted Magic will set the tmpfs_size to the half of your RAM size). This only applies to Parted Magic 3.1-pre. (Parted Magic unpacked is 160 MiB + 53 MiB for the antivirus 7z files) You better can set this a lot higher (e.g 360M), because else you won't be able to update the definition files, unless you delete the definition files first before you update them.
parameter only affects the size of the ram drive, you still need 120 MiB RAM extra to run the utilities. Because you need more that 256MB RAM to run the original Parted Magic already, this is most of the time no problem because you will have 512 MiB of RAM in you PC to run it (or 384 MiB = 256MiB + 128MiB).
If you run PCMan File Manager
, you can see the amount of free space on the ram drive. if you see that this is to low (e.g.: Free space: 0 MB), you have to increase the number of the tmpfs_size
option, which you can set when you press [TAB] when you are at the Parted Magic menu (press F2 to see all possibilities), now works: http://partedmagic.com/phpBB3/viewtopic.php?f=7&t=213
@Victor: You have to change the 2 help files for Parted Magic completely.
to get an idea.
The last beef drapes of Parted Magic can be downloaded from: http://www.partedmagic.com/beef_drapes/Download section:
Place the files in /pmagic/pmodules/http://home.versateladsl.be/vt6124227/antivirus/clamav.7zhttp://home.versateladsl.be/vt6124227/antivirus/clamav-definitions.7zhttp://home.versateladsl.be/vt6124227/antivirus/fprot-definitions.7zhttp://home.versateladsl.be/vt6124227/antivirus/fprot.7zhttp://home.versateladsl.be/vt6124227/antivirus/xfprot.7z
Check if the md5 hash corresponds with the following (especially for the definition files because the upload process did get interrupted several times):
Get md5sum for windows, to check that the files are downloaded correctly.
You can put those files just in C:\pmagic\pmodules\
on your hard drive. f you have Parted Magic on a USB thumb drive, you can add the files to the /pmagic/pmodules/
directory of your thumb drive. Parted Magic normally will find them. When you reboot to UBCD50b5, choose booting Parted Magic from USB (also when you have UBCD burned to a CD). This trick allows you to test those files without wasting a CD