
Thread: Partition id and scanning for viruses

  1. #1

    Partition id and scanning for viruses

    For the scanvirus script which uses clamscan, the extended debug output gives this. I need help identifying which partitions in MSWIN I should ignore and which should be scanned. An overview of what they do will be helpful. One entry has an NTFS file system and no files. It's confusing. This scan is 'windows 10' OS.

    Code:
    .....scanvirus mswin.....
    
    Device_Label= '/dev/sda2'
    File_System = 'swap'
    Drive_Label = 'primary'
    Mount_Point = '[SWAP]'
    
    Device_Label= '/dev/sda3'
    File_System = 'btrfs'
    Drive_Label = 'primary'
    Mount_Point = '/var/cache'
    
    Device_Label= '/dev/sda4'
    File_System = 'xfs'
    Drive_Label = 'primary'
    Mount_Point = '/home'
    
    Device_Label= '/dev/sdb1'
    File_System = 'ntfs'
    Drive_Label = 'Basic data partition'
    Mount_Point = ''
    __________________________________________________
    Mounted /dev/sdb1 at /run/media/root/Recovery
    Partition_Log=Recovery;
    
    scanning: Basic data partition /run/media/root/Recovery
    Scan only
    ----------- SCAN SUMMARY -----------
    Known viruses: 6356028
    Engine version: 0.99.2
    Scanned directories: 1
    Scanned files: 0
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 17.426 sec (0 m 17 s)
    Unmounted /dev/sdb1
    __________________________________________________
    
    Device_Label= '/dev/sdb2'
    File_System = 'vfat'
    Drive_Label = 'EFI system partition'
    Mount_Point = ''
    __________________________________________________
    Mounted /dev/sdb2 at /run/media/root/3E7D-6A49
    Partition_Log=Recovery;EFI system partition;
    
    scanning: EFI system partition /run/media/root/3E7D-6A49
    Scan only
    ----------- SCAN SUMMARY -----------
    Known viruses: 6356028
    Engine version: 0.99.2
    Scanned directories: 1
    Scanned files: 0
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 17.510 sec (0 m 17 s)
    Unmounted /dev/sdb2
    __________________________________________________
    
    Device_Label= '/dev/sdb4'
    File_System = 'ntfs'
    Drive_Label = 'Basic data partition'
    Mount_Point = ''
    __________________________________________________
    Mounted /dev/sdb4 at /run/media/root/MSWIN6410
    Partition_Log=Recovery;EFI system partition;MSWIN6410;
    
    scanning: Basic data partition /run/media/root/MSWIN6410
    Scan only
    ----------- SCAN SUMMARY -----------
    Known viruses: 6356028
    Engine version: 0.99.2
    Scanned directories: 1
    Scanned files: 30
    Infected files: 0
    Data scanned: 10.62 MB
    Data read: 18210.72 MB (ratio 0.00:1)
    Time: 22.044 sec (0 m 22 s)
    Unmounted /dev/sdb4
    __________________________________________________
    
    Device_Label= '/dev/sdb5'
    File_System = 'ntfs'
    Drive_Label = ''
    Mount_Point = ''
    __________________________________________________
    Mounted /dev/sdb5 at /run/media/root/861EFAEC1EFAD461
    Partition_Log=Recovery;EFI system partition;MSWIN6410;;
    
    scanning: /run/media/root/861EFAEC1EFAD461 
    Scan only
    ----------- SCAN SUMMARY -----------
    Known viruses: 6356028
    Engine version: 0.99.2
    Scanned directories: 1
    Scanned files: 0
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 17.600 sec (0 m 17 s)
    Unmounted /dev/sdb5
    __________________________________________________
    
    Device_Label= '/dev/sdb6'
    File_System = 'ntfs'
    Drive_Label = 'Basic data partition'
    Mount_Point = ''
    __________________________________________________
    Mounted /dev/sdb6 at /run/media/root/Backups
    Partition_Log=Recovery;EFI system partition;MSWIN6410;;Backups;
    
    scanning: Basic data partition /run/media/root/Backups
    Scan only
    ----------- SCAN SUMMARY -----------
    Known viruses: 6356028
    Engine version: 0.99.2
    Scanned directories: 1
    Scanned files: 0
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 17.547 sec (0 m 17 s)
    Unmounted /dev/sdb6
    __________________________________________________
    
    Device_Label= '/dev/sr1'
    File_System = 'udf"'
    Drive_Label = 'DVDVIDEO'
    Mount_Point = ' '
    
    Device_Label= '/dev/sdc1'
    File_System = 'ntfs'
    Drive_Label = 'KINGSTON_16GB'
    Mount_Point = ''
    __________________________________________________
    Mounted /dev/sdc1 at /run/media/root/KINGSTON_16GB
    Partition_Log=Recovery;EFI system partition;MSWIN6410;;Backups;KINGSTON_16GB;
    
    scanning: KINGSTON_16GB /run/media/root/KINGSTON_16GB
    Scan only
    ----------- SCAN SUMMARY -----------
    Known viruses: 6356028
    Engine version: 0.99.2
    Scanned directories: 1
    Scanned files: 9
    Infected files: 0
    Data scanned: 30.30 MB
    Data read: 15.04 MB (ratio 2.02:1)
    Time: 19.984 sec (0 m 19 s)
    Unmounted /dev/sdc1
    __________________________________________________
    
    Device_Label= '/dev/sda1'
    File_System = ''
    Drive_Label = 'primary'
    Mount_Point = ''
    
    Device_Label= '/dev/sdb3'
    File_System = ''
    Drive_Label = 'Microsoft reserved partition'
    Mount_Point = ''

  2. #2

    Re: Partition id and scanning for viruses

    On Sun 03 Dec 2017 09:46:01 PM CST, lord valarian wrote:

    For the scanvirus script which uses clamscan, the extended debug output
    gives this. I need help identifying which partitions in MSWIN I should
    ignore and which should be scanned. An overview of what they do will be
    helpful. One entry has an NTFS file system and no files. It's confusing.
    This scan is 'windows 10' OS.
    Hi
    Perhaps target the partition type rather than filesystem on that
    partition type...?

    eg;
    Type 0700 for Microsoft basic data
    Type EF00 for EFI System

    Are you using the -r flag for recursive directories?

    --
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    openSUSE Leap 42.2|GNOME 3.20.2|4.4.92-18.36-default
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!


  3. #3

    Re: Partition id and scanning for viruses

    Quote Originally Posted by malcolmlewis:
    Hi
    Perhaps target the partition type rather than filesystem on that
    partition type...?

    eg;
    Type 0700 for Microsoft basic data
    Type EF00 for EFI System

    Are you using the -r flag for recursive directories?

    --
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    openSUSE Leap 42.2|GNOME 3.20.2|4.4.92-18.36-default
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!
    It passed the full -r full field test with no errors, partly. I'm still getting ';;', meaning the scanvirus is not grabbing the right label. For speed testing, I turn that off, no -r. All I need to test is the correct output.


    http://www.win.tue.nl/~aeb/partition...n_types-1.html


    Code:
    /sbin/sfdisk -T
    Id  Name
    
     0  Empty
     1  FAT12
     2  XENIX root
     3  XENIX usr
     4  FAT16 <32M
     5  Extended
     6  FAT16
     7  HPFS/NTFS/exFAT
     8  AIX
     9  AIX bootable
     a  OS/2 Boot Manager
     b  W95 FAT32
     c  W95 FAT32 (LBA)
     e  W95 FAT16 (LBA)
     f  W95 Ext'd (LBA)
    10  OPUS
    11  Hidden FAT12
    12  Compaq diagnostics
    14  Hidden FAT16 <32M
    16  Hidden FAT16
    17  Hidden HPFS/NTFS
    18  AST SmartSleep
    1b  Hidden W95 FAT32
    1c  Hidden W95 FAT32 (LBA)
    1e  Hidden W95 FAT16 (LBA)
    24  NEC DOS
    27  Hidden NTFS WinRE
    39  Plan 9
    3c  PartitionMagic recovery
    40  Venix 80286
    41  PPC PReP Boot
    42  SFS
    4d  QNX4.x
    4e  QNX4.x 2nd part
    4f  QNX4.x 3rd part
    50  OnTrack DM
    51  OnTrack DM6 Aux1
    52  CP/M
    53  OnTrack DM6 Aux3
    54  OnTrackDM6
    55  EZ-Drive
    56  Golden Bow
    5c  Priam Edisk
    61  SpeedStor
    63  GNU HURD or SysV
    64  Novell Netware 286
    65  Novell Netware 386
    70  DiskSecure Multi-Boot
    75  PC/IX
    80  Old Minix
    81  Minix / old Linux
    82  Linux swap / Solaris
    83  Linux
    84  OS/2 hidden or Intel hibernation
    85  Linux extended
    86  NTFS volume set
    87  NTFS volume set
    88  Linux plaintext
    8e  Linux LVM
    93  Amoeba
    94  Amoeba BBT
    9f  BSD/OS
    a0  IBM Thinkpad hibernation
    a5  FreeBSD
    a6  OpenBSD
    a7  NeXTSTEP
    a8  Darwin UFS
    a9  NetBSD
    ab  Darwin boot
    af  HFS / HFS+
    b7  BSDI fs
    b8  BSDI swap
    bb  Boot Wizard hidden
    bc  Acronis FAT32 LBA
    be  Solaris boot
    bf  Solaris
    c1  DRDOS/sec (FAT-12)
    c4  DRDOS/sec (FAT-16 < 32M)
    c6  DRDOS/sec (FAT-16)
    c7  Syrinx
    da  Non-FS data
    db  CP/M / CTOS / ...
    de  Dell Utility
    df  BootIt
    e1  DOS access
    e3  DOS R/O
    e4  SpeedStor
    ea  Rufus alignment
    eb  BeOS fs
    ee  GPT
    ef  EFI (FAT-12/16/32)
    f0  Linux/PA-RISC boot
    f1  SpeedStor
    f4  SpeedStor
    f2  DOS secondary
    fb  VMware VMFS
    fc  VMware VMKCORE
    fd  Linux raid autodetect
    fe  LANstep
    ff  BBT


    https://serverfault.com/questions/35...m-type-for-udf

    'fdisk -l' has useful info as well. What command gives these codes?

  4. #4

    Re: Partition id and scanning for viruses

    Hi
    So there are two tools depending on dos type (legacy boot) fdisk or gpt type (UEFI) and gdisk (will cover the MS recovery (0C01) etc).

    There is lsblk or blkid (PARTLABEL)?
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  5. #5

    Re: Partition id and scanning for viruses

    For stuff like this, I'd recommend avoiding re-inventing the wheel...
    Do a search on "antivirus open source" and inspect the source code of whatever exists out there... There is even a ClamWin and other scanners that use ClamAV as the scanner engine.

    Then, what you do shouldn't be any worse than the others you compare against, and may be better if you come up with a better idea.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  6. #6

    Re: Partition id and scanning for viruses

    Quote Originally Posted by tsu2:
    For stuff like this, I'd recommend avoiding re-inventing the wheel...
    Do a search on "antivirus open source" and inspect the source code of whatever exists out there... There is even a ClamWin and other scanners that use ClamAV as the scanner engine.

    Then, what you do shouldn't be any worse than the others you compare against, and may be better if you come up with a better idea.

    TSU

    If I were creating a graphical interface, it would be. What if the graphical interface wasn't working or a virus damaged it? Nothing like it existed when I first created it. No complex menus to go through. A simple command to make it easier to use clamscan with only two dependencies, clamav and udisks, both NON-GFX.
    I have enough programming experience that I don't need to look at source code. I see it in mind.

    It's a matter of finding the command(s) that do the job, not programming it.

  7. #7

    Re: Partition id and scanning for viruses

    Quote Originally Posted by lord_valarian:
    If I were creating a graphical interface, it would be. What if the graphical interface wasn't working or a virus damaged it? Nothing like it existed when I first created it. No complex menus to go through. A simple command to make it easier to use clamscan with only two dependencies, clamav and udisks, both NON-GFX.
    I have enough programming experience that I don't need to look at source code. I see it in mind.

    It's a matter of finding the command(s) that do the job, not programming it.

    Been there, done that.
    Lots of projects I've taken over because some Developer thought that they "just knew" what was best without ever looking at, or considering that other commonly used similar apps had already worked out the whole idea and are commonly used <because> they'd already gone through the whole debugging process of testing what was originally conceived, and fixed and improved on that.

    Is why I never rely on original conception immediately. I always start off by researching existing code to see if anything is available "off the shelf" before I authorize original code. Original code isn't always bad, it's just that the odds that it can be better in all aspects compared to what already may be available isn't likely (assuming that what is available is also well written).

    But, that's just me.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  8. #8

    Re: Partition id and scanning for viruses

    Quote Originally Posted by tsu2:

    Been there, done that.
    Lots of projects I've taken over because some Developer thought that they "just knew" what was best without ever looking at, or considering that other commonly used similar apps had already worked out the whole idea and are commonly used <because> they'd already gone through the whole debugging process of testing what was originally conceived, and fixed and improved on that.

    Is why I never rely on original conception immediately. I always start off by researching existing code to see if anything is available "off the shelf" before I authorize original code. Original code isn't always bad, it's just that the odds that it can be better in all aspects compared to what already may be available isn't likely (assuming that what is available is also well written).

    But, that's just me.

    TSU
    Well, I looked and didn't see anything like a clamscan wrapper. Nothing that was non-gfx, more features, better logging, only two dependencies, very few commands, and easier to use than clamscan. I'm also the user. This has found viruses that windows scans missed. I released it so others could benefit from its simplicity.

    If others can benefit from it, why not? I use it constantly. Clamscan can focus on anti-virus detection. I can focus on a simple command line that is very user friendly and for command line beginners.

  9. #9

    Re: Partition id and scanning for viruses

    Quote Originally Posted by malcolmlewis:
    Hi
    So there are two tools depending on dos type (legacy boot) fdisk or gpt type (UEFI) and gdisk (will cover the MS recovery (0C01) etc).

    There is lsblk or blkid (PARTLABEL)?

    lsblk --output LABEL,PARTLABEL,FSTYPE,PARTTYPE,RM,MOUNTPOINT



    This should work. I have to figure out what and how to parse it. Can't figure out why I'm getting a blank on mountpoint?


    Code:
    LABEL         PARTLABEL FSTYPE PARTTYPE                             RM MOUNTPOINT
                                                                         0 
                  primary          21686148-6449-6e6f-744e-656564454649  0 
                  primary   swap   ebd0a0a2-b9e5-4433-87c0-68b6b72699c7  0 [SWAP]
                  primary   btrfs  ebd0a0a2-b9e5-4433-87c0-68b6b72699c7  0 /var/crash
                  primary   xfs    ebd0a0a2-b9e5-4433-87c0-68b6b72699c7  0 /home
                                                                         1 
    KINGSTON_16GB           ntfs   0x7                                   1

  10. #10

    Re: Partition id and scanning for viruses

    Quote Originally Posted by lord_valarian:
    lsblk --output LABEL,PARTLABEL,FSTYPE,PARTTYPE,RM,MOUNTPOINT



    This should work. I have to figure out what and how to parse it. Can't figure out why I'm getting a blank on mountpoint?


    Code:
    LABEL         PARTLABEL FSTYPE PARTTYPE                             RM MOUNTPOINT
                                                                         0 
                  primary          21686148-6449-6e6f-744e-656564454649  0 
                  primary   swap   ebd0a0a2-b9e5-4433-87c0-68b6b72699c7  0 [SWAP]
                  primary   btrfs  ebd0a0a2-b9e5-4433-87c0-68b6b72699c7  0 /var/crash
                  primary   xfs    ebd0a0a2-b9e5-4433-87c0-68b6b72699c7  0 /home
                                                                         1 
    KINGSTON_16GB           ntfs   0x7                                   1
    Hi
    If it's not mounted then it will have nothing there

    eg on a test dual boot test system;

    Code:
    lsblk --output LABEL,PARTLABEL,FSTYPE,PARTTYPE,RM,MOUNTPOINT
    
    LABEL      PARTLABEL            FSTYPE PARTTYPE                             RM MOUNTPOINT
                                                                                 0 
               EFI System           vfat   c12a7328-f81f-11d2-ba4b-00a0c93ec93b  0 /boot/efi
               Microsoft reserved          e3c9e316-0b5c-4db8-817d-f92df00215ae  0 
               Microsoft basic data ntfs   ebd0a0a2-b9e5-4433-87c0-68b6b72699c7  0 
    swap       Linux swap           swap   0657fd6d-a4ab-43c4-84e5-0933c84b4f4f  0 [SWAP]
                                                                                 0 
    sled15beta Linux filesystem     btrfs  0fc63daf-8483-4772-8e79-3d69d8477de4  0 /
    data       Linux filesystem     xfs    0fc63daf-8483-4772-8e79-3d69d8477de4  0 /data
    Depends on how you want to parse, look at the -J (json) option. Use sed or awk?
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!
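Added example (not the scanvirus script and not code from any poster): it puts together the advice in posts #2 and #10, deciding by PARTTYPE rather than by filesystem and reading `lsblk -J` instead of scraping the column layout, and it also closes the ';;' gap from post #3 by falling back from LABEL to PARTLABEL to UUID when picking the name to log. The JSON shape (`{"blockdevices": [...]}` with nested `children`, lower-cased column names, empty values as null) is lsblk's, but the sample below is constructed for this example, with made-up UUIDs, to mirror the listings in the thread. The policy table is an assumption about what a defender would want mounted and scanned: data and boot partitions yes, the Microsoft reserved partition (no filesystem) and swap no; the Windows RE GUID is taken from gdisk's type table, not from this page.

```python
"""Plan which partitions a clamscan wrapper should mount and scan, from `lsblk -J` output."""
import json
import subprocess

LSBLK_COLUMNS = "NAME,LABEL,PARTLABEL,FSTYPE,PARTTYPE,UUID,RM,MOUNTPOINT"

# PARTTYPE -> (human name, decision, family), keyed the way lsblk prints PARTTYPE:
# GPT GUIDs lower case, MBR ids as 0x.. (assumed policy; WinRE GUID from gdisk's table).
PARTTYPE_POLICY = {
    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": ("Microsoft basic data", "scan", "mswin"),
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": ("EFI System", "scan", "mswin"),
    "de94bba4-06d1-4d40-a16a-bfd50179d6ac": ("Windows RE", "scan", "mswin"),
    "e3c9e316-0b5c-4db8-817d-f92df00215ae": ("Microsoft reserved", "skip", "mswin"),
    "0fc63daf-8483-4772-8e79-3d69d8477de4": ("Linux filesystem", "scan", "linux"),
    "0657fd6d-a4ab-43c4-84e5-0933c84b4f4f": ("Linux swap", "skip", "linux"),
    "21686148-6449-6e6f-744e-656564454649": ("BIOS boot", "skip", "linux"),
    "0x7": ("HPFS/NTFS/exFAT", "scan", "mswin"),
    "0x27": ("Hidden NTFS WinRE", "scan", "mswin"),
    "0xef": ("EFI (FAT-12/16/32)", "scan", "mswin"),
    "0x83": ("Linux", "scan", "linux"),
    "0x82": ("Linux swap / Solaris", "skip", "linux"),
}

def _s(value):
    """Older lsblk prints every value as a string, newer ones emit null/bools; normalise."""
    return "" if value is None else str(value)

def walk(devices):
    """Flatten lsblk's disk -> partition tree, depth first, keeping lsblk's order."""
    for dev in devices:
        yield dev
        yield from walk(dev.get("children", []))

def display_label(dev):
    """LABEL, else PARTLABEL, else UUID, else kernel name: never an empty ';;' log entry."""
    for key in ("label", "partlabel", "uuid", "name"):
        if _s(dev.get(key)):
            return _s(dev[key])
    return ""

def classify(dev, mode=None):
    """Return (decision, reason). PARTTYPE decides; FSTYPE is only the fallback for unknown types."""
    parttype = _s(dev.get("parttype")).lower()
    fstype = _s(dev.get("fstype"))
    if parttype in PARTTYPE_POLICY:
        name, decision, family = PARTTYPE_POLICY[parttype]
        if mode and family != mode:
            return "skip", f"{name}: not a {mode} partition"
        if decision == "scan" and not fstype:
            return "skip", f"{name}: no filesystem to mount"
        return decision, name
    if fstype == "swap":
        return "skip", "swap"
    if fstype:
        return "scan", f"unknown partition type, has {fstype}"
    return "skip", "no partition type and no filesystem"

def plan(lsblk_json, mode=None):
    """Rows of (name, label, decision, reason); mode='mswin' or 'linux' restricts the set."""
    rows = []
    for dev in walk(json.loads(lsblk_json)["blockdevices"]):
        if "children" in dev:
            continue  # whole disk carrying a partition table; its partitions are handled on their own
        decision, reason = classify(dev, mode)
        rows.append((dev["name"], display_label(dev), decision, reason))
    return rows

def partition_log(rows):
    """Same shape as the Partition_Log line in the thread: one label per scanned partition."""
    return "".join(f"{label};" for _, label, decision, _ in rows if decision == "scan")

def _part(name, parttype, fstype=None, label=None, partlabel=None, uuid=None, rm="0"):
    """Helper to build one constructed partition record in lsblk -J's shape."""
    return {"name": name, "label": label, "partlabel": partlabel, "fstype": fstype,
            "parttype": parttype, "uuid": uuid, "rm": rm, "mountpoint": None}

# Constructed sample (made-up UUIDs) modelled on the listings in this thread.
SAMPLE_LSBLK_JSON = json.dumps({"blockdevices": [
    {"name": "sda", "fstype": None, "parttype": None, "rm": "0", "children": [
        _part("sda1", "21686148-6449-6e6f-744e-656564454649", partlabel="primary"),
        _part("sda2", "0657fd6d-a4ab-43c4-84e5-0933c84b4f4f", "swap", partlabel="primary", uuid="sw-1"),
        _part("sda3", "0fc63daf-8483-4772-8e79-3d69d8477de4", "btrfs", partlabel="primary", uuid="fs-1"),
    ]},
    {"name": "sdb", "fstype": None, "parttype": None, "rm": "0", "children": [
        _part("sdb1", "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7", "ntfs", "Recovery", "Basic data partition", "A1"),
        _part("sdb2", "c12a7328-f81f-11d2-ba4b-00a0c93ec93b", "vfat", None, "EFI system partition", "3E7D-6A49"),
        _part("sdb3", "e3c9e316-0b5c-4db8-817d-f92df00215ae", None, None, "Microsoft reserved partition"),
        _part("sdb4", "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7", "ntfs", "MSWIN6410", "Basic data partition", "B4"),
        _part("sdb5", "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7", "ntfs", uuid="861EFAEC1EFAD461"),
    ]},
    {"name": "sdc", "fstype": None, "parttype": None, "rm": "1", "children": [
        _part("sdc1", "0x7", "ntfs", "KINGSTON_16GB", uuid="C1", rm="1"),
    ]},
]})

def live_plan(mode="mswin"):
    """Run the real lsblk (util-linux with -J support) and plan from its output."""
    out = subprocess.check_output(["lsblk", "-J", "--output", LSBLK_COLUMNS], text=True)
    return plan(out, mode)

if __name__ == "__main__":
    rows = plan(SAMPLE_LSBLK_JSON, "mswin")
    for name, label, decision, reason in rows:
        print(f"{name:6} {label:28} {decision:4} {reason}")
    print("Partition_Log=" + partition_log(rows))
```

Run as-is it prints the plan for the constructed sample; swap `plan(SAMPLE_LSBLK_JSON, "mswin")` for `live_plan()` to work from the machine's own `lsblk -J`. On the sample, the Microsoft reserved partition is skipped because the type says it never carries a filesystem, the unlabeled NTFS partition is logged under its UUID instead of producing ';;', and the Linux partitions drop out in mswin mode without any filesystem-name matching.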
