scan virus beta1 v2.0, opensuse 13.2- kde, double names problem

To all: The script works, but has issues and the instructions are incomplete. It’s not recommended to use it at this time. Use at your own risk. This is a beta1 release under a Creative Commons license.
http://creativecommons.org/licenses/by-nc-nd/4.0/legalcode
This new version has all you need to use it. The mswin scan finds all vfat and ntfs drives (including flash drives) and scans them. It traps control-c to exit without any problems.

After I ran the script in superuser mode, I launched dolphin and there were two of each mswin drive. Is there a way to fix it? Mount it in ‘/media/’?

‘.snapshots’ is filtered out since it makes scans take much longer. What is it?

Thanks.

#!/bin/bash
#: Title       : scanvirus
#: Date Created: Thu Sep 2 19:27:00 PST 2010
#: Last Edit   : Mon July 7 3:00:00 PST 2015
#: Author      : Lord Valarian
#: Version     : Beta1  v2.0.0
#: Description : Run virus scanning application
#: License     : http://creativecommons.org/licenses/by-nc-nd/4.0/legalcode
#: Options     : p1: -w  -l  --setup  --kdeicons


#Open bin folder
#Place this file inside "/home/bin/"
#
#Right-click on scanvirus
#Click on properties
#Click on permissions
#Check executable and click ok
#
#Click Control -> Tools -> Open Terminal
#Enter terminal command:  scanvirus --setup
#Enter admin password, wait for it to finish. Don't close terminal.
#Enter terminal command:  scanvirus --kdeicons
#close terminal windows
#
#Click on either desktop icon to scan


#Write the KDE launcher for the linux scan into the current directory.
#Path= is the launcher's working directory; --kdeicons is run from a
#terminal opened in the bin folder, so $PWD is where scanvirus lives.
Create_KDE_linux_scan_icon() {
  cat > ScanVirus_KDE_Linux_Scan.desktop <<EOF
#!/usr/bin/env xdg-open
[Desktop Entry]
Comment[en_US]=
Comment=
Exec=sh scanvirus -linux
GenericName[en_US]=
GenericName=
Icon=kde
MimeType=
Name[en_US]=ScanVirus - linux anti-virus scan
Name=ScanVirus - linux anti-virus scan
Path=$PWD
StartupNotify=true
Terminal=true
TerminalOptions=\s--noclose
Type=Application
X-DBUS-ServiceName=
X-DBUS-StartupType=
X-KDE-SubstituteUID=false
X-KDE-Username=
X-SuSE-translate=true
EOF

#set file permissions
chmod 744 ScanVirus_KDE_Linux_Scan.desktop
}


#Write the KDE launcher for the windows scan into the current directory.
Create_KDE_windows_scan_icon() {
  cat > ScanVirus_KDE_Windows_Scan.desktop <<EOF
#!/usr/bin/env xdg-open
[Desktop Entry]
Comment[en_US]=
Comment=
Exec=sh scanvirus -mswin
GenericName[en_US]=
GenericName=
Icon=kde
MimeType=
Name[en_US]=ScanVirus - windows anti-virus scan
Name=ScanVirus - windows anti-virus scan
Path=$PWD
StartupNotify=true
Terminal=true
TerminalOptions=\s--noclose
Type=Application
X-DBUS-ServiceName=
X-DBUS-StartupType=
X-KDE-SubstituteUID=false
X-KDE-Username=
X-SuSE-translate=true
EOF

#set file permissions
chmod 744 ScanVirus_KDE_Windows_Scan.desktop
}

#####################
# shortcut code for clamscan #
#####################

#print the command summary (used by -help and for an unknown option)
print_help() {
  cat <<'EOF'

Scan Virus
help commands
-------------
-linux or -l:  virus scan linux files
-mswin or -w:  virus scan windows files
--setup:  setup scanvirus
--kdeicons:  setup icons

EOF
}

#run a command and print its first output line (stdout or stderr) as an
#error; mkdir/mount/umount/rmdir are silent when they succeed
run_reporting_errors() {
  local line_error
  while read -r line_error; do
    printf "error: %s\n" "$line_error"
    break
  done < <("$@" 2>&1)
}

# run if user hits control-c
control_c() {
  printf 'Exiting...\n'
  scanvirus_trap_flag='true'
}

    # trap keyboard interrupt (control-c)
    scanvirus_trap_flag='false'
    trap control_c INT

    #commands
    if [ "$1" = "-mswin" ] || [ "$1" = "-w" ]; then
        printf "\n"
        printf ".....scanvirus mswin.....\n"

        #blkid -o list prints a header line and a dashed line before the
        #devices; the first pass of the loop reads past both of them.
        #Columns of each device line:
        #Device=       ${line[0]}
        #FS_type=      ${line[1]}
        #Label=        ${line[2]}
        #Mount_Point=  ${line[3]}
        #(a device without a label shifts the remaining columns left)
        scanvirus_flag="false"
        while read -ra line; do
          if [ "$scanvirus_flag" = 'false' ]; then
            scanvirus_flag="true"
            read -ra line
            read -ra line
          fi

          #if file system vfat or ntfs
          if [ "${line[1]}" = 'ntfs' ] || [ "${line[1]}" = 'vfat' ]; then

             #if device not mounted: blkid shows "(not mounted)"
             if [ "${line[3]}" = '(not' ]; then

               #mount under /mnt/label unless that directory already exists
               if [[ ! -d "/mnt/${line[2]}" ]]; then
                 printf "__________________________________________________\n"

                 run_reporting_errors mkdir "/mnt/${line[2]}"
                 printf "mkdir %s\n" "${line[2]}"

                 run_reporting_errors mount "${line[0]}" "/mnt/${line[2]}"
                 printf "%s  mounted\n" "${line[2]}"

                 printf "scanning %s\n" "${line[2]}"
                 clamscan -r -i "/mnt/${line[2]}"

                 #umount takes the mount point only; a second argument
                 #would be treated as another mount to detach
                 run_reporting_errors umount "/mnt/${line[2]}"
                 printf "%s  unmounted\n" "${line[2]}"

                 run_reporting_errors rmdir "/mnt/${line[2]}"
                 printf "rmdir %s\n" "${line[2]}"

                 if [ "$scanvirus_trap_flag" = 'true' ]; then
                    break
                 fi

                 printf "__________________________________________________\n"
               else
                 printf "Error: /mnt/%s exists\n" "${line[2]}"
                 break
               fi

             elif [ "${line[3]}" = '(in' ]; then
               printf "(in use)\n"
             else
                 #already mounted somewhere: scan it in place
                 printf "__________________________________________________\n"
                 printf "scanning %s\n" "${line[2]}"
                 clamscan -r -i "${line[3]}"
                 printf "__________________________________________________\n"
             fi
          fi

        done < <(blkid -o list)

    elif [ "$1" = "-linux" ] || [ "$1" = "-l" ]; then
        printf "Scanning linux...\n"
          #which scans linux only. Both?
          #clamscan -r / --exclude-dir=/sys --exclude-dir=/proc --exclude-dir=/dev --cross-fs=no
          su -c "freshclam;clamscan -r / --exclude-dir=/sys --exclude-dir=/proc --exclude-dir=/dev --exclude-dir=/.snapshots --follow-dir-symlinks=0  --follow-file-symlinks=0"
          #clamscan -r / --exclude-dir=/sys --exclude-dir=/proc --exclude-dir=/dev --follow-dir-symlinks=0  --follow-file-symlinks=0
          #clamscan -r / --exclude-dir=/sys --exclude-dir=/proc --exclude-dir=/dev --follow-dir-symlinks=0  --follow-file-symlinks=0 --log=scan.log

    elif [ "$1" = "-help" ] || [ "$1" = "-h" ]; then
        print_help

    elif [ "$1" = "--setup" ]; then
        printf "\n"
        printf "ScanVirus Setup\n"
        su -c "zypper --non-interactive install clamav;chkconfig freshclam on;freshclam;exit"
        printf "\n"

    elif [ "$1" = "--kdeicons" ]; then
            Create_KDE_linux_scan_icon
            Create_KDE_windows_scan_icon
            printf "KDE Icons Created\n"
    else
        print_help
    fi
exit 0
# End Of Script

Try to mount them like KDE does, use udisks2. Would also spare you from creating subdirectories /mnt/label/ as mount points.
Something like:

udisksctl mount -b /dev/sdb1

The command will output where it mounted it to.

You can unmount it again with e.g.:

udisksctl unmount -b /dev/sdb1

See also “man udisksctl” and “udisksctl --help”.

Btw, KDE/udisks2 do not mount to /media, but /run/media/$USER/.
/media does not even exist on a default 13.2 or Tumbleweed installation I think.
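An added example (not wolfi’s or the script author’s code) of the udisksctl approach described above, written as a POSIX sh fragment that could replace the mkdir/mount/umount/rmdir section of scanvirus. It parses the mount point from udisksctl’s own success line (“Mounted /dev/sdb1 at /run/media/user/LABEL.”), asks findmnt first whether the device is already mounted so nothing is ever mounted twice (the double-entry problem in Dolphin), and defaults to the `-o ro` mount option wolfi mentions later in the thread. The device names and udisksctl output lines used in the comments are constructed; `scan_block_device` is the only function that calls udisksctl and clamscan, and it assumes udisks2, util-linux and clamav are installed.

```shell
#!/bin/sh
# Added example: scan one vfat/ntfs block device via udisksctl instead of
# mkdir + mount under /mnt/LABEL.  Assumes udisks2 (udisksctl), util-linux
# (findmnt, lsblk) and clamav (clamscan).  Not the original scanvirus code.

# Extract the mount point from udisksctl's success message, e.g. the
# constructed line  "Mounted /dev/sdb1 at /run/media/alex/MSWIN764."
# Older udisks versions end the line with a period, newer ones do not;
# both forms are handled.  Returns 1 (prints nothing) for any other line.
# Caveat: a mount point containing the text " at " would be mis-split.
udisks_mount_point() {
    msg=$1
    case $msg in
        "Mounted "*" at "*) ;;
        *) return 1 ;;
    esac
    mp=${msg##* at }         # everything after the last " at "
    mp=${mp%.}               # drop the trailing period, if any
    printf '%s\n' "$mp"
}

# Where is device $1 mounted already, if anywhere?  Empty = not mounted.
# findmnt answers from the kernel's mount table, so there is no need to
# guess from the column layout of "blkid -o list".
existing_mount_point() {
    findmnt -n -o TARGET "$1" 2>/dev/null | head -n 1
}

# Mount (read-only unless told otherwise), scan with clamscan, and unmount
# only what this function mounted itself.
#   $1 = block device (e.g. /dev/sdb1),  $2 = mount options (default: ro)
# Returns clamscan's exit status: 0 clean, 1 infected files found, 2 error.
scan_block_device() {
    dev=$1
    opts=${2:-ro}
    mounted_by_us=0

    target=$(existing_mount_point "$dev")
    if [ -z "$target" ]; then
        # udisksctl authenticates through polkit when needed, so this works
        # from an ordinary user session without running the script as root.
        out=$(udisksctl mount -b "$dev" -o "$opts" 2>&1) || {
            printf 'error: %s\n' "$out" >&2
            return 2
        }
        target=$(udisks_mount_point "$out") || {
            printf 'error: unexpected udisksctl output: %s\n' "$out" >&2
            return 2
        }
        mounted_by_us=1
    fi

    printf 'scanning %s (%s)\n' "$dev" "$target"
    clamscan -r -i "$target"
    status=$?

    if [ "$mounted_by_us" -eq 1 ]; then
        udisksctl unmount -b "$dev" >/dev/null ||
            printf 'error: unmount of %s failed\n' "$dev" >&2
    fi
    return "$status"
}

# Driver: scan every vfat/ntfs partition lsblk reports, read-only.
# Call scan_all_windows_partitions from the -mswin branch of the script.
scan_all_windows_partitions() {
    lsblk -rno NAME,FSTYPE | while read -r name fstype; do
        case $fstype in
            vfat|ntfs) scan_block_device "/dev/$name" ro ;;
        esac
    done
}
```

Because a partition that KDE already mounted is scanned in place and left alone, the script no longer competes with Dolphin for the same device, and the read-only default means a scan can be run on a hibernated Windows partition without writing to it.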

> ‘.snapshots’ is filtered out since it makes scans takes much longer. What is it?

Snapper’s hourly system snapshots.

Thanks, I’ll see if that fixes the problem with duplicate names. I’ll have to parse the output. I already have that set up.

I have an SSD? Should I turn off snapshots? Or like the swap dir put it on the Backup magnetic drive.

On 2015-07-07 00:46, lord valarian wrote:

> I have an SSD? Should I turn off snapshots?

Is it formatted btrfs?
The point of using btrfs is having snapshots.
And no, they can not go to another partition nor disk.

If you do not want snapshots, then don’t format as btrfs, either…


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

As Carlos wrote, you cannot put them onto another drive/partition/filesystem.

I do not fully agree with the sentence that you shouldn’t use btrfs if you don’t want snapshots. The two are not really related, and snapshots are not at all a btrfs feature anyway.
E.g. btrfs detects an SSD by itself and changes its behaviour accordingly to optimize things.

But snapshots are probably the most user noticeable feature. As mentioned, they are not really a “btrfs thing”, but done by snapper. Actually, snapper should also support ext4, but certain “advanced” features of btrfs make them more efficient (“Copy-On-Write” in particular), and btrfs also allows booting from them, so that’s only enabled by default with btrfs.

If you ask because you want to minimize writes to your SSD, I’d say no need to turn them off.
The files in the snapshots are not copies. They are more like symlinks, but they get “detached” automatically by the filesystem when the actual files are changed.
So they shouldn’t “stress” your SSD at all I think.

PS: If you use udisksctl, you don’t have to run the script as root either (for the mounting part at least).
The user will be prompted for the root password if necessary. Just like when you click on a drive/partition in dolphin… :wink:

Well, my virus scanner did what I designed it to do. :slight_smile: FYI, I changed the scan right after to move all files to a virus folder and rescanned. (’–move=directory’)

My windows anti-virus wouldn’t work. The system crashed when I unplugged the lan cable. I rebooted to suse, scanned, and found these.

/mnt/MSWIN764/Program Files/Common Files/Microsoft Shared/ink/InkWatson.exe: Win.Trojan.Win64-129 FOUND
LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total
LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total
/mnt/MSWIN764/Windows/SysWOW64/AtBroker.exe: Win.Trojan.Graftor-2702 FOUND
/mnt/MSWIN764/Windows/SysWOW64/cleanmgr.exe: Win.Trojan.Symmi-1190 FOUND
/mnt/MSWIN764/Windows/SysWOW64/printui.exe: Win.Trojan.Symmi-1187 FOUND
LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total
LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total
/mnt/MSWIN764/Windows/winsxs/amd64_microsoft-windows-tabletpc-inkwatson_31bf3856ad364e35_6.1.7600.16385_none_644c1a991aac9ffb/InkWatson.exe: Win.Trojan.Win64-129 FOUND
/mnt/MSWIN764/Windows/winsxs/amd64_microsoft-windows-tabletpc-inkwatson_31bf3856ad364e35_6.1.7600.16385_none_644c1a991aac9ffb/InkWatson.exe: moved to ‘/home/alexr1984/VirusVault//InkWatson.exe’
/mnt/MSWIN764/Windows/winsxs/Backup/wow64_microsoft-windows-p…installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728_printui.exe_bb673fff: Win.Trojan.Symmi-1187 FOUND
/mnt/MSWIN764/Windows/winsxs/Backup/wow64_microsoft-windows-p…installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728_printui.exe_bb673fff: moved to ‘/home/alexr1984/VirusVault//wow64_microsoft-windows-p…installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728_printui.exe_bb673fff’
/mnt/MSWIN764/Windows/winsxs/wow64_microsoft-windows-p…installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728/printui.exe: Win.Trojan.Symmi-1187 FOUND
/mnt/MSWIN764/Windows/winsxs/wow64_microsoft-windows-p…installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728/printui.exe: moved to ‘/home/alexr1984/VirusVault//printui.exe’
/mnt/MSWIN764/Windows/winsxs/wow64_microsoft-windows-w…for-management-core_31bf3856ad364e35_6.1.7601.17514_none_32e02520f8081891/WSManHTTPConfig.exe: Win.Trojan.Graftor-2696 FOUND
/mnt/MSWIN764/Windows/winsxs/wow64_microsoft-windows-w…for-management-core_31bf3856ad364e35_6.1.7601.17514_none_32e02520f8081891/WSManHTTPConfig.exe: moved to ‘/home/alexr1984/VirusVault//WSManHTTPConfig.exe’
/mnt/MSWIN764/Windows/winsxs/x86_microsoft-windows-atbroker_31bf3856ad364e35_6.1.7600.16385_none_cf7705f47fa8cd65/AtBroker.exe: Win.Trojan.Graftor-2702 FOUND
/mnt/MSWIN764/Windows/winsxs/x86_microsoft-windows-atbroker_31bf3856ad364e35_6.1.7600.16385_none_cf7705f47fa8cd65/AtBroker.exe: moved to ‘/home/alexr1984/VirusVault//AtBroker.exe’
/mnt/MSWIN764/Windows/winsxs/x86_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7600.16385_none_6d1a8c84bedf66a4/cleanmgr.exe: Win.Trojan.Symmi-1190 FOUND
/mnt/MSWIN764/Windows/winsxs/x86_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7600.16385_none_6d1a8c84bedf66a4/cleanmgr.exe: moved to ‘/home/alexr1984/VirusVault//cleanmgr.exe’

Now to see if windows is clean now and refine the script more. When I change the mount function, I’ll post again.

On 2015-07-14 01:16, lord valarian wrote:

> My windows anti-virus wouldn’t work. The system crashed when I unplugged
> the lan cable. I rebooted to suse and found these and scan and found
> these.

Well, don’t know enough to know if those Windows virii are real or not
(false positives), or how dangerous. However, I just remembered that
there are some antivirii software in Windows that you can download a
bootable CD to do the testing locally. And I think one I tried was
actually a Linux live.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Thanks for the info about SSD’s. The whole scan on an ssd without ‘.snapshots’ takes about 15 mins. With ‘.snapshots’, it takes 2hrs+ to do the full scan, do I need to scan them? 178+ snapshots

I made a partition copy of the older windoze system to my backup drive. Note: the virus wiped out all my data files, all but dll files. Then I reinstalled windows on my main drive. I reinstalled linux to get grub working again. I scanned again and found the virus on the backup and main drive. Damn hacker was at it again! :stuck_out_tongue: When the scan completed, it moved all the virus files into my new vault. I deleted all virus files. It was that new security hole that microsoft just discovered. I ran disk and registry cleaners. I still have to rescan with -----scanvirus for linux----- TM. :wink: It’s more fun when your creation does what it’s designed for and does it well. Enough on windoze…

My motherboard died. So, had to get a different one. Once I’m done with system recovery, I’ll work on scanvirus more.

On 2015-07-21 23:16, lord valarian wrote:

> Thanks for the info about SSD’s. The whole scan on an ssd without
> ‘.snapshots’ takes about 15 mins. With ‘.snapshots’, it takes 2hrs+ to
> do the full scan, do I need to scan them? 178+ snapshots

Well, if you stored Windows virii there, then the answer is yes, scan it :-p

Windows can not store anything in a btrfs partition.
You did, on Linux. :slight_smile:


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

robin_listas;2720509 Wrote:
> On 2015-07-21 23:16, lord valarian wrote:
>
>> Thanks for the info about SSD’s. The whole scan on an ssd without
>> ‘.snapshots’ takes about 15 mins. With ‘.snapshots’, it takes 2hrs+ to
>> do the full scan, do I need to scan them? 178+ snapshots
>
> Well, if you stored Windows virii there, then the answer is yes, scan it :-p
>
> Windows can not store anything in a btrfs partition.
> You did, on Linux. :slight_smile:
>
> Cheers / Saludos,

Let me restate:

(ssd1 drive) windows7 partition – boot failure – all files but ‘.dll’ deleted. virus attack
partition copy windows partition (ssd1 drive) mswin partition to (backup drive) old mswin system
windows reinstall and boot to windows – virus scanner fails. Possible virus.
opensuse reinstall and boot to opensuse. ScanVirus v2.0 scan of all vfat and ntfs drives. Detected virus on (ssd1 drive)-mswin partition and mswin partition(backup drive). Virus files moved to linux folder ‘virus vault’. Same virus detected. Old mswin install and new.
Deleted (backup drive) mswin partition.
Boot to mswin. Virus scanner working. MSWIN scanned and clean of viruses.
Next step: boot to opensuse and scan with scanvirus.

The virus most likely got in when I was reinstalling mswin. The second opensuse scan should tell me it’s gone for good. I need to get in the habit of using my own scanner to scan windows once a week.

Thanks to all! :slight_smile: The udisk command works on scanvirus. I just need to finish it out. I’ll post again when I have it completed.

Ok, it works. However, the command: udisksctl mount -b $devicename

If windows is in hibernate mode, the drive fails to mount and command output reads “drive needs to be in read only mode.” Try to make line read only. I couldn’t get it to work. I had to disable hibernate mode to get the drive to mount. How do I get the mount command to work if windows is in hibernate mode?

Well, normally you can’t.

As the message would suggest it might be possible in read-only mode, try that.

According to:

wolfi@amiga:~> udisksctl mount --help
Usage:
  udisksctl mount [OPTION...]

Mount a filesystem.

Application Options:
  -p, --object-path         Object to mount
  -b, --block-device        Block device to mount
  -t, --filesystem-type     Filesystem type to use
  -o, --options             Mount options
  --no-user-interaction     Do not authenticate the user if needed

, you can specify mount options via the ‘-o’ parameter, so this should mount it read-only:

udisksctl mount -b $devicename -o ro

No idea whether this works though, I never tried to mount a hibernated Windows partition.

On 2015-09-07 23:36, lord valarian wrote:
>
> Ok, it works. However, the command: udisksctl mount -b $devicename"
>
> If windows is in hibernate mode, the drive fails to mount and command
> output reads “drive needs to be in read only mode.” Try to make line
> read only. I couldn’t get it to work. I had to disable hibernate mode
> to get the drive to mount. How do I get the mount command to work in if
> windows is in hibernate mode?

Don’t even try. Forcing mount may result in corruption, and Windows will
crash later when it tries to restore from hibernation. Even it might
corrupt the disk further, beyond recognition.

So, DON’T.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

A read-only mount should not cause problems, I suppose.

On 2015-09-09 15:36, wolfi323 wrote:
>
> robin_listas;2727387 Wrote:
>> Don’t even try. Forcing mount may result in corruption, and Windows will
>> crash later when it tries to restore from hibernation. Even it might
>> corrupt the disk further, beyond recognition.
>>
> A read-only mount should not cause problems, I suppose.

Maybe, but it is pointless for an antivirus run, because you can not
delete or quarantine the found viruses, if it is mounted read only.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Yeah, but you can tell the user that a file is infected, write it into a list of infected files, and so on.
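An added example (my own, not code from the thread or from scanvirus) of the reporting approach wolfi describes: with the partition mounted `-o ro`, clamscan can neither move nor delete anything, so the script instead turns clamscan’s “path: Signature FOUND” lines into a list of infected files the user can deal with after booting Windows. The `SAMPLE_SCAN_OUTPUT` lines are constructed, modelled on the clamscan output posted earlier in the thread; `report_readonly_scan` is the only function that runs clamscan and assumes clamav is installed.

```shell
#!/bin/sh
# Added example: build an infected-file report from a read-only clamscan run.
# Assumes clamscan's standard line format  "<path>: <signature> FOUND".
# LibClamAV warnings, "OK" lines and the summary block are ignored.

# Constructed sample of clamscan output (modelled on the thread's posts),
# used by demo_report below and by the test; not a real scan result.
SAMPLE_SCAN_OUTPUT='/mnt/MSWIN764/Windows/SysWOW64/AtBroker.exe: Win.Trojan.Graftor-2702 FOUND
LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total
/mnt/MSWIN764/Program Files/Common Files/Microsoft Shared/ink/InkWatson.exe: Win.Trojan.Win64-129 FOUND
/mnt/MSWIN764/Windows/notepad.exe: OK'

# Read clamscan output on stdin and print one "<signature><TAB><path>" line
# per detection.  The record is split at the LAST ": " so paths containing
# spaces or colons survive; signature names never contain ": ".
infected_list() {
    while IFS= read -r line; do
        case $line in
            *" FOUND") ;;
            *) continue ;;
        esac
        rec=${line% FOUND}
        sig=${rec##*: }
        path=${rec%: *}
        printf '%s\t%s\n' "$sig" "$path"
    done
}

# Number of detections in a clamscan output stream read from stdin.
infected_count() {
    infected_list | wc -l | tr -d ' '
}

# Run the parser over the constructed sample; returns the report text.
demo_report() {
    printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | infected_list
}

# Scan a read-only mounted tree ($1) and write the report to $2, keeping the
# raw clamscan output next to it as $2.raw.  Returns clamscan's exit status
# (0 clean, 1 infected files found, 2 error), so the caller can still tell
# the user something was found even though nothing could be quarantined.
# Example:  report_readonly_scan /run/media/alex/MSWIN764 "$HOME/infected.txt"
report_readonly_scan() {
    target=$1
    report=$2
    clamscan -r -i "$target" > "$report.raw"
    status=$?
    infected_list < "$report.raw" > "$report"
    printf '%s infected file(s) listed in %s\n' \
        "$(infected_count < "$report.raw")" "$report"
    return "$status"
}
```

The tab-separated report is easy to feed back into a later pass: once Windows has been booted normally (so the partition is no longer hibernated) the same list can drive a read-write rescan with `--move`, as the script author did, and the raw output is kept so LibClamAV warnings are not lost.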

On 2015-09-09 19:26, wolfi323 wrote:
>
> robin_listas;2727523 Wrote:
>> On 2015-09-09 15:36, wolfi323 wrote:
>>> A read-only mount should not cause problems, I suppose.
>>
>> Maybe, but it is pointless for an antivirus run, because you can not
>> delete or quarantine the found viruses, if it is mounted read only.
>>
> Yeah, but you can tell the user that a file is infected, write it into a
> list of infected files, and so on.

True…


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))