ClamAV v0.94: (release date: 4 September 2008)
I have compiled ClamAV v0.94.
In this release you don't have to execute clamav-install.sh before you can run freshclam to update the definition files of ClamAV. I have renamed freshclam to freshclam-exe and written a shell script named freshclam that checks if the user clamav exists (if not, it gets added to the system) and whether there is a working internet connection. If there is a working internet connection, freshclam-exe (the original freshclam) will be executed and will update the definition files. BTW, scripts placed in /pmagic/pmodules/scripts/ will be executed now. See:
http://partedmagic.com/phpBB3/viewtopic.php?f=7&t=177.
Changes in ClamAV 0.94 which I think are relevant for UBCD:
Logical Signatures
New! Enhanced Detection Engine
Description: ClamAV now supports logical signatures. The logical signature technology uses operators such as AND, OR and NOT to allow the combination of more than one signature into one entry in the signature database resulting in more detailed and flexible pattern matching. This helps ClamAV catch modern ever-evolving scripting and complex malware.
Benefit: The enhanced ClamAV signature accuracy increases the detection of more complex malware and scripts.
Disassembly Engine
New!
Description: The bytes of a virus can now be examined more rigorously, improving the detection of encrypted malware. The disassembly engine improves detection of complex malware by disassembling and examining executable code at certain positions.
Benefit: The disassembly engine allows signature writers to create signatures that are more reliable.
PUA Detection
Improved!
Description: We improved the detection of PUAs (potentially unwanted applications) and now allow users to decide which signatures should be loaded by changes to clamd.conf.
Benefit: Users gain from an improved level of configurability in ClamAV's PUA feature. In 0.93, the entire feature was on or off; in 0.94 a user can block some signatures, for example jokes, while allowing others. We maintain a list of available PUA categories on www.clamav.net.
For the full change log see:
http://www.clamav.net/press/0.94-WhatsNew.pdf
To run an antivirus scan with ClamAV, run clamscan with some parameters.
root@PartedMagic:~# clamscan --help
Clam AntiVirus Scanner 0.94
(C) 2002 - 2007 ClamAV Team -
http://www.clamav.net/team
--help -h Print this help screen
--version -V Print version number
--verbose -v Be verbose
--debug Enable libclamav's debug messages
--quiet Only output error messages
--stdout Write to stdout instead of stderr
--no-summary Disable summary at end of scanning
--infected -i Only print infected files
--bell Sound bell on virus detection
--tempdir=DIRECTORY Create temporary files in DIRECTORY
--leave-temps Do not remove temporary files
--database=FILE/DIR -d FILE/DIR Load virus database from FILE or load
all .cvd and .db[2] files from DIR
--log=FILE -l FILE Save scan report to FILE
--recursive -r Scan subdirectories recursively
--remove Remove infected files. Be careful!
--move=DIRECTORY Move infected files into DIRECTORY
--copy=DIRECTORY Copy infected files into DIRECTORY
--exclude=PATT Don't scan file names containing PATT
--exclude-dir=PATT Don't scan directories containing PATT
--include=PATT Only scan file names containing PATT
--include-dir=PATT Only scan directories containing PATT
--detect-pua Detect Possibly Unwanted Applications
--exclude-pua=CAT Skip PUA sigs of category CAT
--include-pua=CAT Load PUA sigs of category CAT
--detect-structured Detect structured data (SSN, Credit Card)
--structured-ssn-format=X SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N Min SSN count to generate a detect
--structured-cc-count=N Min CC count to generate a detect
--no-mail Disable mail file support
--no-phishing-sigs Disable signature-based phishing detection
--no-phishing-scan-urls Disable url-based phishing detection
--heuristic-scan-precedence Stop scanning as soon as a heuristic match is found
--phishing-ssl Always block SSL mismatches in URLs (phishing module)
--phishing-cloak Always block cloaked URLs (phishing module)
--no-algorithmic Disable algorithmic detection
--no-pe Disable PE analysis
--no-elf Disable ELF support
--no-ole2 Disable OLE2 support
--no-pdf Disable PDF support
--no-html Disable HTML support
--no-archive Disable archive support
--detect-broken Try to detect broken executable files
--block-encrypted Block encrypted archives
--mail-follow-urls Download and scan URLs
--max-filesize=#n Files larger than this will be skipped and assumed clean
--max-scansize=#n The maximum amount of data to scan for each container file (*)
--max-files=#n The maximum number of files to scan for each container file (*)
--max-recursion=#n Maximum archive recursion level for container file (*)
--max-dir-recursion=#n Maximum directory recursion level
(*) Certain files (e.g. documents, archives, etc.) may in turn contain other
files inside. The above options ensure safe processing of this kind of data.
To update the definition files of ClamAV, run freshclam from the terminal emulator (roxterm).
You can download the latest definition files manually from http://www.clamav.net/:
Latest ClamAV™ stable release is: 0.94
Total number of signatures: 418125
ClamAV Virus Databases:
main.cvd ver. 48 released on 04 Sep 2008 18:51 +0000
daily.cvd ver. 8207 released on 10 Sep 2008 10:58 +0000
Open the /pmagic/pmodules/clamav-definitions.7z archive and replace /usr/share/clamav/daily.cvd and /usr/share/clamav/main.cvd with the newly downloaded versions.
A graphical interface for ClamAV (ClamTK) won't be included for the moment. I still haven't figured out which files I need for it. If someone knows, let me know. The files that I found to be needed for ClamTK already take up 30 MiB of space.
XFPROT v1.25: (release date: 10 August 2008)
I have compiled XFPROT v1.25. I had to make some modifications to the source code to get around the following problem:
Parted Magic 3.0 (and pre-3.1) has switched the terminal from xterm to roxterm. XFPROT calls xterm with the -hold option, but roxterm doesn't support that option.
The problem with scanning file names with spaces is resolved in XFPROT v1.25 (bug in XFPROT v1.23).
I also found and solved another bug in XFPROT when used in conjunction with gnome-terminal. This is no problem for incorporation in Parted Magic because it doesn't have gnome-terminal, but it is better if the problem gets corrected. I will report my findings to the author of XFPROT.
I also put all the f-prot files in /opt/f-prot/ and made symlinks to the necessary locations, so when a new version of f-prot comes out, you only have to replace the files in /opt/f-prot/ inside the fprot.7z file (put the antivir.def in fprot-definitions.7z).
To save the updated antivir.def, open PCMan File Manager and go to /opt/f-prot/. Copy the file antivir.def to your local hard disk. Boot into Windows, open /pmagic/pmodules/fprot-definitions.7z and replace the /opt/f-prot/antivir.def inside this archive with the new one.
I also added a check in /usr/bin/fpupdate to see if there is a working internet connection. If there is a working internet connection, it calls /opt/f-prot/fpupdate, which will update the definition file.
I made all this with the beef drapes of Parted Magic 3.1-pre (September 9) in mind. Parted Magic 3.1-pre has a start menu and a different background and desktop environment (LXDE) than Parted Magic 3.0, so now I don't need the generic antivirus icon any more. It should work on Parted Magic 3.0 also (not tested).
If you have Parted Magic 3.1, you can start xfprot by clicking Start ==> System Tools ==> Xfprot.
If you have Parted Magic 3.0, you have to open a terminal emulator and type xfprot. (Note to Victor: change it in the help file if you want to stick with Parted Magic 3.0; in the previous version it had to be called with xfprot-gtk.)
You can also run F-Prot from the command line. This allows you to set more parameters and options.
root@PartedMagic:~# fpscan --help
Usage:
fpscan [MEDIA] [OPTIONS] [PATHS]
Where:
MEDIA is ALL, LOCAL or BOOT.
OPTIONS is any combination of legal options (see below).
PATHS is one or more paths to scan.
If MEDIA is specified, paths are optional.
If paths are given MEDIA is optional.
Options and media specifiers are not case sensitive.
MEDIA:
-a, --all
Scan every file found and all boot sectors.
Specifying additional paths after this switch has no effect since any
path is a subset of ALL.
-l, --local
Scan all local disks/partitions.
Specifying additional paths causes those paths to be scanned as well.
-n, --network (Windows only)
Scan every file on every network drive.
Specifying additional paths causes those paths to be scanned as well.
-b, --boot (Windows/Linux only)
Scan all boot sectors.
Specifying paths in addition causes those paths to be scanned as well.
SCANNING OPTIONS:
-t, --streams (Windows only)
Scan inside NTFS streams.
-f, --follow
Follow symbolic links. Symlinks, when specified as paths on
the command line are always followed, regardless of this option.
-m, --mount (Unix only)
For each path given, stay on that filesystem.
--maxdepth=n
Descend at most n levels of directories below a given scanpath
(default 30 levels).
-s n, --scanlevel=n (0 <= n <= 4)
0 => Disable regular scanning (only heuristics).
1 => Skip suspicious data files. Not recommened if filename is
unavailable.
2 => (Default) Unknown and/or wrong extentions will be emulated.
3 => Unknown binaries emulated.
4 => For scanning virus collections, no limits for emulation.
-u n, --heurlevel=n (0 <= n <= 4, default 2)
How aggressive heuristic should be used. Higher levels means
more heuristic tests are done which increases both detection rates
AND risk of false positives.
-z n, --archive=n (0 <= n <= 99, default 5 levels)
How deep to scan inside nested archives.
--adware
Scan for and report/act on adware in addition to viruses and worms.
--applications
Scan for and report/act on applications that may constitue security
risks. This includes remote access tools which users should regard as
malware if installed without their knowledge or consent. The same
program could be a perfectly valid and useful tools for another person,
so the definition of what should be considered malware in this category
must come from the user.
-v n, --verbose=n (0 <= n <= 2)
0 => Report infections only
1 => (Default) Report infections and scan errors
2 => Report all files as they are processed, as well as all
warnings and errors.
--signatures=FILE
Use a specific virus signature file (antivir.def).
Refer to the file using its full path name.
By default the virus signature file is loaded from the same directory
as the command-line scanner binary.
-o FILE, --output=FILE
Send output to FILE instead of stdout.
-e LIST, --exclude=LIST
Do not scan files and directories that match entries in LIST.
LIST should be a comma seperated list of paths.
The '*' character may be used as a wildcard. If entry ends with
a path separator ('/' on Unix, '\' on Windows), any directory that
matches the entry will be skipped entirely.
Examples (Unix paths used):
--exclude=/tmp/ => skips /tmp and any and all files therein.
--exclude=/tmp/* => does the same thing, but is less efficient.
--exclude=*/tmp/ => skips all folders named 'tmp'.
--exclude=*.dat => skips all files ending in .dat.
--exclude=/boot/initrd,/tmp/ => skips the specific file /boot/initrd
and the directory /tmp/.
Please note that most Unix shells treat '*' as a special character
so it must be escaped with a backslash ('\') or surrounded by
quotation marks to be passed on to the program.
DISINFECTION OPTIONS:
--disinfect
Automatically disinfect files if possible.
--report
Only report infections. Do not disinfect.
Default is to ask if disinfection should be attempted.
EXTRA MACRO DISINFECTION OPTIONS:
--macros_safe
Remove all macros from infected documents.
--macros_new
Remove all macros from document when new variant is found.
Default is to remove only known malware macros.
HELP AND INFORMATION OPTIONS:
--version
Print version numbers and exit.
--virno
Print statistics about malware from definition file and exit.
--virlist
List known malware and exit.
-h, --help
Print this help.
Run fpupdate from the terminal emulator to update the definitions manually.
Parted Magic 3.1 matter:
You have to change tmpfs_size=180M to at least tmpfs_size=220M, or you can drop this parameter altogether (Parted Magic will then set tmpfs_size to half of your RAM size). This only applies to Parted Magic 3.1-pre. (Parted Magic unpacked is 160 MiB + 53 MiB for the antivirus 7z files.) You had better set this a lot higher (e.g. 360M), because otherwise you won't be able to update the definition files, unless you delete the definition files first before you update them.
The tmpfs_size parameter only affects the size of the RAM drive; you still need 120 MiB of extra RAM to run the utilities. Because you already need more than 256 MiB of RAM to run the original Parted Magic, this is usually no problem, because you will have 512 MiB of RAM in your PC to run it (or 384 MiB = 256 MiB + 128 MiB).
If you run PCMan File Manager, you can see the amount of free space on the RAM drive. If you see that this is too low (e.g. Free space: 0 MB), you have to increase the value of the tmpfs_size parameter.
The keymap= option, which you can set when you press [TAB] at the Parted Magic menu (press F2 to see all possibilities), now works:
http://partedmagic.com/phpBB3/viewtopic.php?f=7&t=213.
@Victor: You have to change the 2 help files for Parted Magic completely.
See:
http://partedmagic.com/wiki/PartedMagic ... .ChangeLog to get an idea.
The last beef drapes of Parted Magic can be downloaded from:
http://www.partedmagic.com/beef_drapes/
Download section:
Place the files in /pmagic/pmodules/
http://home.versateladsl.be/vt6124227/a ... /clamav.7z
http://home.versateladsl.be/vt6124227/a ... nitions.7z
http://home.versateladsl.be/vt6124227/a ... nitions.7z
http://home.versateladsl.be/vt6124227/a ... s/fprot.7z
http://home.versateladsl.be/vt6124227/a ... /xfprot.7z
Check that the md5 hashes correspond with the following (especially for the definition files, because the upload process got interrupted several times):
67f780d2f017d6d074abeda01b4b0ea6 ./clamav-definitions.7z
3771d239c3a1723084c34699e5c94947 ./clamav.7z
9c53dc443dd10a561e7c0c36a49381fe ./fprot-definitions.7z
8a31c809ccbc7c918315ecd673e6631c ./fprot.7z
53112aa47d30f7de3467be2d8aac4a1b ./xfprot.7z
Get md5sum for Windows to check that the files were downloaded correctly:
http://downloads.activestate.com/contri ... m/Windows/
You can put those files just in C:\pmagic\pmodules\ on your hard drive. If you have Parted Magic on a USB thumb drive, you can add the files to the /pmagic/pmodules/ directory of your thumb drive. Parted Magic will normally find them. When you reboot to UBCD50b5, choose booting Parted Magic from USB (also when you have UBCD burned to a CD). This trick allows you to test those files without wasting a CD.
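The md5 check step above, as an added example that is not part of the original post or of the Parted Magic project: a small POSIX sh helper that wraps md5sum, checks one archive against its expected hash, and walks an md5sum-style list so that one bad download does not hide another. The five hashes are the ones quoted above; the demo files created at the bottom are constructed for an offline run and stand in for the real .7z downloads, and the fallback to openssl is an assumption for systems without coreutils.

```shell
#!/bin/sh
# Added example (not the author's script): verify downloaded module archives
# against the md5 list posted above before copying them to /pmagic/pmodules/.

# md5_of FILE: print the hex md5 of FILE. md5sum is what Parted Magic ships;
# the openssl fallback is an assumption for hosts without coreutils.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.* //'
    fi
}

# verify_md5 EXPECTED FILE: 0 when FILE hashes to EXPECTED (case-insensitive),
# 1 on mismatch or when the file is missing. The mismatch message names the
# file, since the post warns that interrupted uploads may have left the
# definition archives truncated.
verify_md5() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    file=$2
    [ -f "$file" ] || { echo "MISSING  $file" >&2; return 1; }
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (got $actual, expected $expected)" >&2
    return 1
}

# verify_list LISTFILE DIR: LISTFILE holds md5sum-style "HASH ./name" lines.
# Every entry is checked (no early stop) and the return value is the number
# of files that failed, so 0 means the whole set is good.
verify_list() {
    list=$1
    dir=$2
    failed=0
    while read -r hash name; do
        [ -n "$hash" ] || continue
        verify_md5 "$hash" "$dir/${name#./}" || failed=$((failed + 1))
    done < "$list"
    return "$failed"
}

# The hashes exactly as posted. To check the real downloads:
#   printf '%s\n' "$MODULE_MD5S" > /tmp/modules.md5
#   verify_list /tmp/modules.md5 /pmagic/pmodules
MODULE_MD5S='67f780d2f017d6d074abeda01b4b0ea6 ./clamav-definitions.7z
3771d239c3a1723084c34699e5c94947 ./clamav.7z
9c53dc443dd10a561e7c0c36a49381fe ./fprot-definitions.7z
8a31c809ccbc7c918315ecd673e6631c ./fprot.7z
53112aa47d30f7de3467be2d8aac4a1b ./xfprot.7z'

# Constructed demo data (not real archives): one file with a known md5 and
# one "interrupted download" that is a truncated copy of it.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf 'hello' > "$DEMO_DIR/good.7z"        # md5 5d41402abc4b2a76b9719d911017c592
printf 'hell'  > "$DEMO_DIR/truncated.7z"   # same file cut short
printf '5d41402abc4b2a76b9719d911017c592 ./good.7z\n5d41402abc4b2a76b9719d911017c592 ./truncated.7z\n' > "$DEMO_DIR/md5.txt"
```

Running verify_list over the demo list reports OK for good.7z, MISMATCH for truncated.7z, and returns 1 (one failure). md5 is fine here as a transfer-integrity check against truncated uploads; it is not a defence against a deliberately tampered archive, for which the hashes would have to come over a channel the attacker cannot also edit.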
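The freshclam wrapper described in the ClamAV section above, as an added example that is not the author's script (which the post does not show): it checks that the clamav account exists, creates it when it is missing, tests for a working internet connection, and only then hands over to the original binary. The path /usr/bin/freshclam-exe, the useradd options, the mirror name database.clamav.net and the use of ping for the connectivity test are assumptions, not details taken from the post.

```shell
#!/bin/sh
# Added example (not the author's script): a freshclam wrapper in the spirit
# of the one described in the post. Paths, useradd flags and the ping target
# are assumptions.

FRESHCLAM_EXE="${FRESHCLAM_EXE:-/usr/bin/freshclam-exe}"   # assumed location
CLAM_USER="${CLAM_USER:-clamav}"
MIRROR="${MIRROR:-database.clamav.net}"                    # assumed host

# user_exists NAME [PASSWD_FILE]: 0 if NAME has an entry in the passwd file.
# The optional file argument lets the check run against a sample file
# instead of the live /etc/passwd.
user_exists() {
    name=$1
    pw=${2:-/etc/passwd}
    grep -q "^${name}:" "$pw"
}

# ensure_user NAME: create a locked system account for the scanner to drop
# privileges to if it is not there yet. Returns 0 when the account exists
# afterwards. Only root can do this, which is the case on Parted Magic.
ensure_user() {
    name=$1
    if user_exists "$name"; then
        return 0
    fi
    echo "adding system user $name"
    useradd -r -s /bin/false -d /var/lib/clamav "$name"
}

# have_network HOST: 0 if one ICMP echo to HOST is answered within 3 s
# (Linux ping syntax: -c count, -W timeout). Any failure, including a
# missing ping binary, counts as "no working internet connection".
have_network() {
    ping -c 1 -W 3 "$1" >/dev/null 2>&1
}

# main: prepare the account, refuse to run without connectivity, then
# replace this process with the real freshclam so its exit code is kept.
main() {
    ensure_user "$CLAM_USER" || { echo "cannot create $CLAM_USER" >&2; return 1; }
    if ! have_network "$MIRROR"; then
        echo "no working internet connection, not updating" >&2
        return 2
    fi
    exec "$FRESHCLAM_EXE" "$@"
}

# Constructed sample passwd file so user_exists can be exercised offline.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
printf 'root:x:0:0:root:/root:/bin/sh\nclamav:x:101:102::/var/lib/clamav:/bin/false\n' > "$SAMPLE_PASSWD"

# Only act as the wrapper when installed under the name freshclam; sourcing
# the file or running it under another name just defines the functions.
case "$(basename "$0")" in
    freshclam) main "$@" ;;
esac
```

Installed as /usr/bin/freshclam next to the renamed binary, the wrapper exits 2 without touching the definition files when the mirror is unreachable, which is what a live CD without a network should do instead of letting freshclam time out on every boot.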