F-PROT for Linux - Trying to check bootsector

[Georg Peters]

F'up to alt.comp.anti-virus

I'm using F-PROT for Linux 4.5.4 from a non-root userid.
This is working fine on checking files and archives in read-only
mounted file systems (WIN-VFAT, FLOPPY-MINIX and CDROM-ISO9660).

How to check for bootsectors ? I tried following...

/dev/hda owned by root -> chmod 644 /dev/hda
giving read access on the raw disk device to the scanning userid,

similar -> chmod 644 /dev/fd0

ln -s /dev/hda /home/userid/scantest/hda
ln -s /dev/fd0 /home/userid/scantest/fd0

f-prot -follow /home/userid/scantest ...seems to have no effect,
is f-prot unable to read the device "file"? (option -follow should
at least follow the link).

Next try...

dd if=/dev/hda of=/home/userid/scantest/hda bs=4096 count=1
dd if=/dev/fd0 of=/home/userid/scantest/fd0 bs=4096 count=1

f-prot -collect /home/userid/scantest

(-collect
Scan a virus collection. This option is intended for advanced
users. When this option is used it will, e.g. scan for bootsector
viruses within files, even though the virus resides within a file
instead of a bootsector. *** from the f-prot.1-manpage ***)

The files containing dumped first blocks from the devices now are
scanned but nothing is reported, obviously I didn't expect infection.

Has anybody verified this procedure? Are there test cases available?

Regards Georg

 

[Lenard]

F'up to alt.comp.anti-virus

I'm using F-PROT for Linux 4.5.4 from a non-root userid.
This is working fine on checking files and archives in read-only
mounted file systems (WIN-VFAT, FLOPPY-MINIX and CDROM-ISO9660).

F-PROT's primary purpose is to scan for Windows infestations.

If you want to check your Linux system get and use something like
chkrootkit; http://www.chkrootkit.org/

 

[Georg Peters]

F-PROT's primary purpose is to scan for Windows infestations.

Yes, this is my primary purpose, too. Doing it from a safe (? ;-)
Linux with all the win-partitions mounted read-only, just to check
and report.

If you want to check your Linux system get and use something like
chkrootkit; http://www.chkrootkit.org/

Nice supplement for major Linux threats, worth to be tested.
Checked their README and I feel this is not my major risk scenario
here, bootsector (MBR) checking is not mentioned anyway. I just
wanted to verify if it's possible with F-PROT for Linux to do this
additional device level check, maybe (remember...)

dd if=/dev/hda of=/home/userid/scantest/hda bs=4096 count=1
dd if=/dev/fd0 of=/home/userid/scantest/fd0 bs=4096 count=1

f-prot -collect /home/userid/scantest

(-collect
Scan a virus collection. This option is intended for advanced
users. When this option is used it will, e.g. scan for bootsector
viruses within files, even though the virus resides within a file
instead of a bootsector. *** from the f-prot.1-manpage ***)

The files containing dumped first blocks from the devices now are
scanned but nothing is reported, obviously I didn't expect infection.

Has anybody verified this procedure? Are there test cases available?

Tx. anyway for the hint, Regards Georg

 

[peanutwhistle]

How to check for bootsectors ?

This is an interesting question. I also use F-prot. BTW - they have
released version 4.6.0 for Linux systems.

Perhaps you could try asking Tech Support at F-prot:

<http://www.f-prot.com/support/contact_support.html>

 

[Georg Peters]

dd if=/dev/hda of=/home/userid/scantest/hda bs=4096 count=1
dd if=/dev/fd0 of=/home/userid/scantest/fd0 bs=4096 count=1

f-prot -collect /home/userid/scantest

(-collect
Scan a virus collection. This option is intended for advanced
users. When this option is used it will, e.g. scan for bootsector
viruses within files, even though the virus resides within a file
instead of a bootsector. *** from the f-prot.1-manpage ***)

The files containing dumped first blocks from the devices now are
scanned but nothing is reported, obviously I didn't expect infection.

Got a reply from FRISK, this procedure will find a bootsector virus.
Good news, record closed.

Regards Georg