Partition id and scanning for viruses

For the scanvirus script which uses clamscan, the extended debug output gives this. I need help identifying which partitions in MSWIN I should ignore and which should be scanned. An overview of what they do will be helpful. One entry has an NTFS file system and no files. It’s confusing. This scan is of a ‘windows 10’ OS.

.....scanvirus mswin.....

Device_Label= '/dev/sda2'
File_System = 'swap'
Drive_Label = 'primary'
Mount_Point = '[SWAP]'

Device_Label= '/dev/sda3'
File_System = 'btrfs'
Drive_Label = 'primary'
Mount_Point = '/var/cache'

Device_Label= '/dev/sda4'
File_System = 'xfs'
Drive_Label = 'primary'
Mount_Point = '/home'

Device_Label= '/dev/sdb1'
File_System = 'ntfs'
Drive_Label = 'Basic data partition'
Mount_Point = ''
__________________________________________________
Mounted /dev/sdb1 at /run/media/root/Recovery
Partition_Log=Recovery;

scanning: Basic data partition /run/media/root/Recovery
Scan only
----------- SCAN SUMMARY -----------
Known viruses: 6356028
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 17.426 sec (0 m 17 s)
Unmounted /dev/sdb1
__________________________________________________

Device_Label= '/dev/sdb2'
File_System = 'vfat'
Drive_Label = 'EFI system partition'
Mount_Point = ''
__________________________________________________
Mounted /dev/sdb2 at /run/media/root/3E7D-6A49
Partition_Log=Recovery;EFI system partition;

scanning: EFI system partition /run/media/root/3E7D-6A49
Scan only
----------- SCAN SUMMARY -----------
Known viruses: 6356028
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 17.510 sec (0 m 17 s)
Unmounted /dev/sdb2
__________________________________________________

Device_Label= '/dev/sdb4'
File_System = 'ntfs'
Drive_Label = 'Basic data partition'
Mount_Point = ''
__________________________________________________
Mounted /dev/sdb4 at /run/media/root/MSWIN6410
Partition_Log=Recovery;EFI system partition;MSWIN6410;

scanning: Basic data partition /run/media/root/MSWIN6410
Scan only
----------- SCAN SUMMARY -----------
Known viruses: 6356028
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 30
Infected files: 0
Data scanned: 10.62 MB
Data read: 18210.72 MB (ratio 0.00:1)
Time: 22.044 sec (0 m 22 s)
Unmounted /dev/sdb4
__________________________________________________

Device_Label= '/dev/sdb5'
File_System = 'ntfs'
Drive_Label = ''
Mount_Point = ''
__________________________________________________
Mounted /dev/sdb5 at /run/media/root/861EFAEC1EFAD461
Partition_Log=Recovery;EFI system partition;MSWIN6410;;

scanning: /run/media/root/861EFAEC1EFAD461 
Scan only
----------- SCAN SUMMARY -----------
Known viruses: 6356028
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 17.600 sec (0 m 17 s)
Unmounted /dev/sdb5
__________________________________________________

Device_Label= '/dev/sdb6'
File_System = 'ntfs'
Drive_Label = 'Basic data partition'
Mount_Point = ''
__________________________________________________
Mounted /dev/sdb6 at /run/media/root/Backups
Partition_Log=Recovery;EFI system partition;MSWIN6410;;Backups;

scanning: Basic data partition /run/media/root/Backups
Scan only
----------- SCAN SUMMARY -----------
Known viruses: 6356028
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 17.547 sec (0 m 17 s)
Unmounted /dev/sdb6
__________________________________________________

Device_Label= '/dev/sr1'
File_System = 'udf"'
Drive_Label = 'DVDVIDEO'
Mount_Point = ' '

Device_Label= '/dev/sdc1'
File_System = 'ntfs'
Drive_Label = 'KINGSTON_16GB'
Mount_Point = ''
__________________________________________________
Mounted /dev/sdc1 at /run/media/root/KINGSTON_16GB
Partition_Log=Recovery;EFI system partition;MSWIN6410;;Backups;KINGSTON_16GB;

scanning: KINGSTON_16GB /run/media/root/KINGSTON_16GB
Scan only
----------- SCAN SUMMARY -----------
Known viruses: 6356028
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 9
Infected files: 0
Data scanned: 30.30 MB
Data read: 15.04 MB (ratio 2.02:1)
Time: 19.984 sec (0 m 19 s)
Unmounted /dev/sdc1
__________________________________________________

Device_Label= '/dev/sda1'
File_System = ''
Drive_Label = 'primary'
Mount_Point = ''

Device_Label= '/dev/sdb3'
File_System = ''
Drive_Label = 'Microsoft reserved partition'
Mount_Point = ''

On Sun 03 Dec 2017 09:46:01 PM CST, lord valarian wrote:

For the scanvirus script which uses clamscan, the extended debug output
gives this. I need help identifying which partitions in MSWIN I should
ignore and which should be scanned. An overview of what they do will be
helpful. One entry has an NTFS file system and no files. It’s confusing.
This scan is of a ‘windows 10’ OS.

Hi
Perhaps target the partition type rather than filesystem on that
partition type…?

eg;
Type 0700 for Microsoft basic data
Type EF00 for EFI System

Are you using the -r flag for recursive directories?


Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.2|GNOME 3.20.2|4.4.92-18.36-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

It passed the full -r field test with no errors, partly. I’m still getting ‘;;’, meaning scanvirus is not grabbing the right label. For speed testing I turn that off (no -r). All I need to test is the correct output.

http://www.win.tue.nl/~aeb/partitions/partition_types-1.html

/sbin/sfdisk -T
Id  Name

 0  Empty
 1  FAT12
 2  XENIX root
 3  XENIX usr
 4  FAT16 <32M
 5  Extended
 6  FAT16
 7  HPFS/NTFS/exFAT
 8  AIX
 9  AIX bootable
 a  OS/2 Boot Manager
 b  W95 FAT32
 c  W95 FAT32 (LBA)
 e  W95 FAT16 (LBA)
 f  W95 Ext'd (LBA)
10  OPUS
11  Hidden FAT12
12  Compaq diagnostics
14  Hidden FAT16 <32M
16  Hidden FAT16
17  Hidden HPFS/NTFS
18  AST SmartSleep
1b  Hidden W95 FAT32
1c  Hidden W95 FAT32 (LBA)
1e  Hidden W95 FAT16 (LBA)
24  NEC DOS
27  Hidden NTFS WinRE
39  Plan 9
3c  PartitionMagic recovery
40  Venix 80286
41  PPC PReP Boot
42  SFS
4d  QNX4.x
4e  QNX4.x 2nd part
4f  QNX4.x 3rd part
50  OnTrack DM
51  OnTrack DM6 Aux1
52  CP/M
53  OnTrack DM6 Aux3
54  OnTrackDM6
55  EZ-Drive
56  Golden Bow
5c  Priam Edisk
61  SpeedStor
63  GNU HURD or SysV
64  Novell Netware 286
65  Novell Netware 386
70  DiskSecure Multi-Boot
75  PC/IX
80  Old Minix
81  Minix / old Linux
82  Linux swap / Solaris
83  Linux
84  OS/2 hidden or Intel hibernation
85  Linux extended
86  NTFS volume set
87  NTFS volume set
88  Linux plaintext
8e  Linux LVM
93  Amoeba
94  Amoeba BBT
9f  BSD/OS
a0  IBM Thinkpad hibernation
a5  FreeBSD
a6  OpenBSD
a7  NeXTSTEP
a8  Darwin UFS
a9  NetBSD
ab  Darwin boot
af  HFS / HFS+
b7  BSDI fs
b8  BSDI swap
bb  Boot Wizard hidden
bc  Acronis FAT32 LBA
be  Solaris boot
bf  Solaris
c1  DRDOS/sec (FAT-12)
c4  DRDOS/sec (FAT-16 < 32M)
c6  DRDOS/sec (FAT-16)
c7  Syrinx
da  Non-FS data
db  CP/M / CTOS / ...
de  Dell Utility
df  BootIt
e1  DOS access
e3  DOS R/O
e4  SpeedStor
ea  Rufus alignment
eb  BeOS fs
ee  GPT
ef  EFI (FAT-12/16/32)
f0  Linux/PA-RISC boot
f1  SpeedStor
f4  SpeedStor
f2  DOS secondary
fb  VMware VMFS
fc  VMware VMKCORE
fd  Linux raid autodetect
fe  LANstep
ff  BBT

‘fdisk -l’ has useful info as well. What command gives these codes?

Hi
So there are two tools depending on the type: for dos type (legacy boot) fdisk, or for gpt type (UEFI) gdisk (will cover the MS recovery (0C01) etc).

There is lsblk or blkid (PARTLABEL)?

For stuff like this, I’d recommend avoiding re-inventing the wheel…
Do a search on “antivirus open source” and inspect the source code of whatever exists out there… There is even a ClamWin and other scanners that use ClamAV as the scanner engine.

Then, what you do shouldn’t be any worse than the others you compare against, and may be better if you come up with a better idea.

TSU

If I were creating a graphical interface, it would be. What if the graphical interface wasn’t working or a virus damaged it? Nothing like it existed when I first created it. No complex menus to go through. A simple command to make it easier to use clamscan with only two dependencies, clamav and udisks, both NON-GFX.
I have enough programming experience that I don’t need to look at source code. I see it in mind. :slight_smile:

It’s a matter of finding the command(s) that do the job, not programming it.

:slight_smile:
Been there, done that.
Lots of projects I’ve taken over because some Developer thought that they “just knew” what was best without ever looking at, or considering, that other commonly used similar apps had already worked out the whole idea, and are commonly used <because> they’d already gone through the whole debugging process of testing what was originally conceived, and fixed and improved on that.

That is why I never rely on original conception immediately. I always start off by researching existing code to see if anything is available “off the shelf” before I authorize original code. Original code isn’t always bad, it’s just that the odds that it can be better in all aspects compared to what already may be available aren’t likely (assuming that what is available is also well written).

But, that’s just me.

TSU

Well, I looked and didn’t see anything like a clamscan wrapper. Nothing that was non-gfx, more features, better logging, only two dependencies, very few commands, and easier to use than clamscan. I’m also the user. This has found viruses that windows scans missed. I released it so others could benefit from its simplicity.

If others can benefit from it, why not? I use it constantly. Clamscan can focus on anti-virus detection. I can focus on a simple command line that is very user friendly and for command line beginners. :slight_smile:

lsblk --output LABEL,PARTLABEL,FSTYPE,PARTTYPE,RM,MOUNTPOINT

This should work. I have to figure out what and how to parse it. Can’t figure out why I’m getting a blank on mountpoint?

LABEL         PARTLABEL FSTYPE PARTTYPE                             RM MOUNTPOINT
                                                                     0 
              primary          21686148-6449-6e6f-744e-656564454649  0 
              primary   swap   ebd0a0a2-b9e5-4433-87c0-68b6b72699c7  0 [SWAP]
              primary   btrfs  ebd0a0a2-b9e5-4433-87c0-68b6b72699c7  0 /var/crash
              primary   xfs    ebd0a0a2-b9e5-4433-87c0-68b6b72699c7  0 /home
                                                                     1 
KINGSTON_16GB           ntfs   0x7                                   1 



Hi
If it’s not mounted then it will have nothing there :wink:

eg on a dual boot test system;


lsblk --output LABEL,PARTLABEL,FSTYPE,PARTTYPE,RM,MOUNTPOINT

LABEL      PARTLABEL            FSTYPE PARTTYPE                             RM MOUNTPOINT
                                                                             0 
           EFI System           vfat   c12a7328-f81f-11d2-ba4b-00a0c93ec93b  0 /boot/efi
           Microsoft reserved          e3c9e316-0b5c-4db8-817d-f92df00215ae  0 
           Microsoft basic data ntfs   ebd0a0a2-b9e5-4433-87c0-68b6b72699c7  0 
swap       Linux swap           swap   0657fd6d-a4ab-43c4-84e5-0933c84b4f4f  0 [SWAP]
                                                                             0 
sled15beta Linux filesystem     btrfs  0fc63daf-8483-4772-8e79-3d69d8477de4  0 /
data       Linux filesystem     xfs    0fc63daf-8483-4772-8e79-3d69d8477de4  0 /data

Depends on how you want to parse, look at the -J (json) option. Use sed or awk?
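Putting Malcolm’s two suggestions together (select by partition type rather than filesystem, and parse lsblk output with sed/awk), here is a small sh script as an added example; it is not scanvirus’s code and not from the thread. It reads the same columns as the lsblk command above, but in lsblk’s `-P` (KEY="value" pairs) layout, and decides per partition whether a clamscan wrapper should mount and scan it. The GPT type GUIDs for EFI, Microsoft reserved, Microsoft basic data, Linux swap and BIOS boot are the ones shown in the two lsblk listings; the Windows Recovery GUID and the MBR ids (0x7, 0x27, 0x82, 0xef) are standard values and are assumed here. The function names `classify`, `field` and `plan` and the sample disk layout are my own construction.

```shell
#!/bin/sh
# Added example (not from scanvirus): choose which partitions to mount and
# scan from the partition type lsblk reports in PARTTYPE, a GPT type GUID
# or an MBR id such as 0x7, rather than from the filesystem column, which is
# empty for MSR/BIOS-boot slots and says nothing about hidden recovery volumes.

# classify PARTTYPE FSTYPE -> prints "scan:<why>" or "skip:<why>"
classify() {
    parttype=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # lsblk may print GUIDs in either case
    fstype=$2
    case "$parttype" in
        e3c9e316-0b5c-4db8-817d-f92df00215ae)      echo "skip:microsoft-reserved" ;;   # MSR holds no filesystem
        21686148-6449-6e6f-744e-656564454649)      echo "skip:bios-boot" ;;            # GRUB BIOS boot slot, no filesystem
        0657fd6d-a4ab-43c4-84e5-0933c84b4f4f|0x82) echo "skip:linux-swap" ;;
        c12a7328-f81f-11d2-ba4b-00a0c93ec93b|0xef) echo "scan:efi-system" ;;           # boot loaders live here
        de94bba4-06d1-4d40-a16a-bfd50179d6ac|0x27) echo "scan:windows-recovery" ;;     # WinRE GUID: standard value, assumed
        ebd0a0a2-b9e5-4433-87c0-68b6b72699c7|0x7)  echo "scan:microsoft-basic-data" ;;
        *)
            # Unknown or absent type (e.g. a DVD): fall back to the filesystem name
            case "$fstype" in
                "")   echo "skip:no-filesystem" ;;
                swap) echo "skip:swap" ;;
                *)    echo "scan:fs-$fstype" ;;
            esac ;;
    esac
}

# field KEY LINE -> value of KEY="value" in one line of `lsblk -P` output.
# Extracted with sed rather than eval, so a crafted volume label in the
# output can never be executed as shell.
field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"
}

# plan < pairs-output -> one "NAME verdict" line per block device
plan() {
    while IFS= read -r line; do
        name=$(field NAME "$line")
        verdict=$(classify "$(field PARTTYPE "$line")" "$(field FSTYPE "$line")")
        printf '%s %s\n' "$name" "$verdict"
    done
}

# Constructed sample modelled on the thread's disks, in the shape that
#   lsblk -n -P -o NAME,FSTYPE,PARTLABEL,PARTTYPE,RM,MOUNTPOINT
# prints. On a real system pipe lsblk straight into plan instead.
sample_pairs() {
    cat <<'EOF'
NAME="sda1" FSTYPE="" PARTLABEL="primary" PARTTYPE="21686148-6449-6e6f-744e-656564454649" RM="0" MOUNTPOINT=""
NAME="sda2" FSTYPE="swap" PARTLABEL="primary" PARTTYPE="0657fd6d-a4ab-43c4-84e5-0933c84b4f4f" RM="0" MOUNTPOINT="[SWAP]"
NAME="sda3" FSTYPE="btrfs" PARTLABEL="primary" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4" RM="0" MOUNTPOINT="/"
NAME="sdb1" FSTYPE="ntfs" PARTLABEL="Basic data partition" PARTTYPE="de94bba4-06d1-4d40-a16a-bfd50179d6ac" RM="0" MOUNTPOINT=""
NAME="sdb2" FSTYPE="vfat" PARTLABEL="EFI system partition" PARTTYPE="c12a7328-f81f-11d2-ba4b-00a0c93ec93b" RM="0" MOUNTPOINT=""
NAME="sdb3" FSTYPE="" PARTLABEL="Microsoft reserved partition" PARTTYPE="e3c9e316-0b5c-4db8-817d-f92df00215ae" RM="0" MOUNTPOINT=""
NAME="sdb4" FSTYPE="ntfs" PARTLABEL="Basic data partition" PARTTYPE="ebd0a0a2-b9e5-4433-87c0-68b6b72699c7" RM="0" MOUNTPOINT=""
NAME="sdc1" FSTYPE="ntfs" PARTLABEL="" PARTTYPE="0x7" RM="1" MOUNTPOINT=""
EOF
}

sample_plan() { sample_pairs | plan; }          # full verdict list for the sample
count_to_scan() { sample_plan | grep -c ' scan:'; }   # how many the wrapper would mount

sample_plan
```

The “scan” lines are the ones a wrapper would hand to udisks for mounting and then to `clamscan -r` (without `-r` clamscan only looks at the top-level files of the mount point, which is one reason a recovery or backup volume can report zero scanned files). Keeping the decision on PARTTYPE means an empty FSTYPE or a blank label no longer ends up as a stray `;;` in the partition log.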

I plug a flash drive into a usb port and it’s not mounted. ?? It’s not mounted until the drive is accessed?

It’s handled via udisks and the desktop environment. Which DE are you using? For example, the KDE device notifier allows users to configure automatic mounting if desired.

I’m using KDE. ‘scanvirus’ can be run with no xwin system. It auto-mounts and unmounts as needed. It doesn’t need one, the whole point of it. I’ll work around this.

Thanks for the assist all. I’m ready to move on to the nice and renice functions. :slight_smile:

I guess I missed what you were asking then. Sorry about that.

Thanks for the assistance(all). :slight_smile:

This has enabled me to release ‘scanvirus beta5’. This one partition design flaw can wait till later. GREP I’m getting better at using; AWK I’m still learning; bash. I’m always tweaking and modifying scanvirus. The ‘j’ option of lsblk, I’ll check that out.