Bootable Antivirus – the only way to be sure
There really is no excuse for not having some form of antivirus software installed on your PC. There are a plethora of free offerings out there from all the big names, and they are all pretty good at carrying out manual scans and at providing real-time protection for your file system, email and web browsing.
However, there is one type of infection that antivirus products cannot always detect reliably, and that is the rootkit. A rootkit does not merely infect files; it subverts the operating system itself (by hooking the kernel, patching system calls or loading a malicious driver) so that the OS lies about which files exist on disk and which code is running. Any antivirus running on top of that operating system is fed the same lies, which makes a rootkit incredibly difficult to detect or remove from the same machine. Why?
Imagine you come home to find a strange dude in the kitchen. Deciding if he is friend or foe is relatively easy – that’s like your run-of-the-mill virus. If the dude in your kitchen is Yoda, then you have a problem. Yoda uses Jedi mind tricks to make you believe he’s your best mate, and that’s like a rootkit. The only way to detect Yoda is to leave the house and come back when he’s asleep.
So the reliable way to detect a kernel-level (kernel-mode) rootkit is to look for it while the infected operating system is not running and nothing it installed is loaded. How do we do that? We use another operating system, one small enough to fit on a CD or a USB drive, and boot the computer from that instead. The rootkit’s code is never executed, so the Windows partition can be read as it really is on disk. Yoda sleeps. The same trick sidesteps bootkits that live in the master boot record, because the hard disk’s own boot code is never run. It does nothing against an implant in the firmware itself, which runs before any boot medium is chosen, and it is only as good as the rescue image you boot, so download and verify that image on a machine you trust rather than on the suspect PC.
In order to boot your PC from a bootable antivirus CD or USB drive you may have to alter your computer’s boot order in the BIOS (or UEFI firmware) settings. This is usually a case of pressing a particular key (Del, F1, F2, F10 and F12 are all commonly used) while the computer starts up; many machines also offer a one-off boot menu on F12 or Esc. The exact key is documented by your PC manufacturer or is easy to find elsewhere on the internet. On newer machines with UEFI Secure Boot enabled, unsigned rescue media may refuse to boot until Secure Boot is temporarily switched off; turn it back on when you have finished.
Most of these packages are provided as ISO images, which you either burn to a CD or write to a USB stick with a tool such as Unetbootin. Whichever you use, do the download and the writing on a PC you trust: an infected machine can tamper with what you download, and the rescue medium is only worth anything if it is clean.
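As an added example (not from the original article, and not any vendor’s own tool), here is a small POSIX shell script that checks the downloaded ISO against the SHA-256 digest the vendor publishes and only then writes it to a USB stick with dd, refusing to touch anything that is not a removable whole disk. The digest file name (rescue.iso.sha256), the use of GNU coreutils sha256sum and dd on Linux, and the assumption that the image is a hybrid ISO that boots when written raw are all assumptions; images that are not hybrid still need Unetbootin or the vendor’s own EXE.

```shell
#!/bin/sh
# Added example: check a rescue ISO against its published SHA-256 digest, then write
# it raw to a removable USB device. Assumes Linux with GNU coreutils (sha256sum, dd)
# and that the vendor publishes a digest you saved as <iso>.sha256 (assumption).
set -u

# verify_iso ISO DIGESTFILE
# Returns 0 only if the ISO's SHA-256 matches the first hex digest in DIGESTFILE.
# Run this on a machine you trust, not the suspect PC: a download made from an
# infected machine could itself have been tampered with.
verify_iso() {
    iso=$1
    digestfile=$2
    [ -f "$iso" ] || { echo "no such file: $iso" >&2; return 1; }
    [ -f "$digestfile" ] || { echo "no such file: $digestfile" >&2; return 1; }
    # vendors publish either a bare digest or "digest  filename"; take field 1
    expected=$(awk 'NR == 1 { print tolower($1) }' "$digestfile")
    case "$expected" in
        *[!0-9a-f]*|"") echo "malformed digest in $digestfile" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "not a SHA-256 digest: $expected" >&2; return 1; }
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "ok: $iso matches published digest"
        return 0
    fi
    echo "MISMATCH for $iso: expected $expected, got $actual" >&2
    return 2
}

# write_usb_image ISO DEVICE
# Refuses unless DEVICE is a whole disk that the kernel reports as removable, so a
# typo such as /dev/sda cannot wipe the system disk. dd copies the image byte for
# byte, which is how a hybrid ISO is meant to be put on a stick.
write_usb_image() {
    iso=$1
    dev=$2
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    name=${dev##*/}
    flag=/sys/block/$name/removable
    [ -r "$flag" ] || { echo "$dev is not a whole disk (pass /dev/sdX, not a partition)" >&2; return 1; }
    [ "$(cat "$flag")" = 1 ] || { echo "refusing to write: $dev is not removable" >&2; return 1; }
    dd if="$iso" of="$dev" bs=4M conv=fsync status=progress || return 1
    sync
}

# Usage: sh write-rescue.sh rescue.iso /dev/sdb   (digest expected in rescue.iso.sha256)
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$1.sha256" && write_usb_image "$1" "$2"
fi
```

The removable check reads the kernel’s own flag for the device rather than trusting the name you typed; if the vendor only publishes an MD5 or SHA-1, the length check will reject it, which is deliberate, since those digests no longer prove much.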
AVG Rescue CD
- Download from http://www.avg.com/gb-en/avg-rescue-cd
- Format : ISO or USB (Via EXE)
AVG offers Rescue CD in two formats – one is an ISO image intended for burning to a CD, and the other is an EXE package that creates a bootable USB drive (ideal if the infected PC has no optical drive). As all-in-one rescue CDs go, this one is hard to beat in our opinion.
Once booted up, AVG offers a broad assortment of text-based utilities (file manager, ping, text-based browser, data recovery, MBR replacement) and scanning options, making it a formidable Swiss army knife. The first thing to do after starting up is to choose Configure and run update from the main menu. If it complains about having no network connection, use the Configure Network > Interface option and select DHCP to configure a wired interface.
When you are ready to scan there are a pile of options available, but the defaults will catch most of what a Windows-based AV scan on the infected machine would miss.
Sophos Bootable Anti-Virus (SBAV)
- Download from http://www.sophos.com/en-us/support/knowledgebase/52011.aspx
- Format : ISO
This one is a little more fiddly to set up, but the instructions are given at the link above. Basically, the package is an executable that you run to create the ISO image, which you then burn to CD or write to USB.
Sophos’ offering is somewhat basic in terms of options, but this should in no way deter you from keeping a copy around. Sophos have an enviable reputation in the field of antivirus, and if you’re hunting for rootkits, then it’s definitely worth letting Sophos look things over.
Sophos will attempt (if you ask it under Advanced Scans) to disinfect files where it can. However, if you find a rootkit, it’s probably best to make a note of the affected files and then use the Sophos command-line utility to copy known-good copies of the files from another USB stick into your Windows installation. Those replacements must come from a clean machine running the same Windows version and patch level, and it is worth hashing them against that machine before you trust them; bear in mind too that a rootkit able to patch the kernel has had full control of the box, so a clean reinstall is the safer option if the data can be preserved. While it lacks the bells and whistles of AVG, for advanced users who tend to have other utilities for getting in and managing files, Sophos is our weapon of choice.
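The hunt for "affected files" described above can be made systematic from any of these Linux-based rescue environments. As an added example (not from the article and not a Sophos tool), the following POSIX shell script builds a manifest of SHA-256 digests from a clean Windows installation of the same build mounted on one machine, then checks the suspect volume against it and reports files that differ or are missing. The mount points (/mnt/clean, /mnt/windows), the device name and the directory scanned are assumptions; a file that differs is not automatically malicious (patch levels and updated drivers differ too), so treat the report as a list of candidates to examine, not a verdict.

```shell
#!/bin/sh
# Added example: compare files on a suspect Windows volume, mounted read-only from a
# rescue environment, against SHA-256 digests taken from a clean install of the same
# build. Mount points and directories below are assumptions, not from the article.
set -u

# build_manifest ROOT DIR
# Prints "<sha256>  <relative path>" for every file under ROOT/DIR, in the format
# sha256sum itself uses, so the manifest can also be fed to "sha256sum -c".
# Run this on the clean machine, e.g.:
#   build_manifest /mnt/clean Windows/System32 > known-good.sha256
build_manifest() {
    (cd "$1" && find "$2" -type f -exec sha256sum {} +)
}

# check_manifest MANIFEST ROOT
# Rehashes every manifest entry under ROOT and prints a MODIFIED or MISSING line
# for each discrepancy. Returns 0 only when every file is present and identical.
check_manifest() {
    manifest=$1
    root=$2
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        expected=${line%% *}          # the digest is everything before the first space
        path=${line#* }               # the rest is "  name" (text mode) or " *name" (binary mode)
        path=${path# }
        path=${path#\*}
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
        elif [ "$(sha256sum "$root/$path" | awk '{ print $1 }')" != "$expected" ]; then
            echo "MODIFIED $path"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    echo "$bad file(s) differ from the known-good manifest" >&2
    [ "$bad" -eq 0 ]
}

# Usage from a rescue shell (mount the suspect volume read-only first; device is an assumption):
#   mount -o ro /dev/sda2 /mnt/windows
#   sh check-manifest.sh known-good.sha256 /mnt/windows
if [ "$#" -eq 2 ]; then
    check_manifest "$1" "$2"
fi
```

Mounting the suspect volume read-only matters for the same reason a scan-only mode does: nothing on the disk changes while you are still working out what happened. Paths are compared case-sensitively as Linux sees them on NTFS, which is fine as long as the manifest was built the same way on the clean machine.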
Kaspersky Rescue Disk
- Download from http://support.kaspersky.com/viruses/rescuedisk
- Format : ISO
Another Linux-based rescue CD, this time Gentoo-based. It offers a text or GUI interface, although the latter is far more intuitive and includes a terminal, a web browser, a file manager, network setup and the ability to take screenshots. Again, internet-based updates are available and should be performed before carrying out a scan. You can choose to scan only or to disinfect files, which is handy.
Text mode is a bit awkward because the results of each activity vanish and are replaced by the Midnight Commander interface. The only way we found to see them again was to run something that returned us to the command-line environment. This isn’t a big deal though, as the GUI looks nicer and is very reliable.
BitDefender Rescue CD
- Download from http://www.bitdefender.co.uk/support/how-to-create-a-bitdefender-rescue-cd-627.html
- Format : ISO
This rescue CD provides an Xubuntu-based GUI with mouse support. Like AVG, BitDefender have packed a whole bunch of utilities into their offering, including testdisk, gparted and other goodies. Like all other good rescue disks, updating is available over the net; in fact it takes place automatically when the system boots.
Being syslinux-based, it’s easy enough to put this onto a USB drive and add a persistence partition, allowing you to use Xubuntu’s apt-get framework to install other utilities. Bear in mind that a persistence partition is writable, so a stick that has been plugged into a running infected machine should be treated as suspect and rebuilt. I’ll cover this in another article.
F-Secure Rescue CD
- Download from http://www.f-secure.com/en/web/labs_global/removal-tools (choose Rescue CD)
- Format : ISO
Security veterans seem to keep things simple. F-Secure’s Knoppix-based package just gets down to business straight away. It gives you the choice of setting up a proxy connection, and that’s it. It then goes off to download the latest updates, which can unfortunately take some time to complete (over an hour at 5Mb/s; we think F-Secure either throttle this data or serve it from a slow feed), so don’t shortlist this one as a quick fix!
It will find your Windows installation and scan it thoroughly, disinfecting as it goes. While F-Secure are renowned for their security chops, it would be nice if it were able to scan without making changes, since a read-only pass is what you want when you still need to preserve evidence of what happened. For this reason, and the insanely slow update process, this isn’t one of our favourites.