Removing viruses with KlamAV

I’ve always thought that removing viruses from within a running Windows system makes about as much sense as a surgeon trying to remove his own appendix. Better to boot the computer into a live Linux installation, mount the Windows partition, and scan it that way.

TODO: Revisit this article. I now prefer Kaspersky Rescue Disk to KlamAV. Spin off my recommendations for AVs for Windows into a separate new article, also addressing Windows Defender, Microsoft Security Essentials, and relevant portions of the Windows Control Panel’s security section.

I like to use Mandriva Flash for this: it comes with KlamAV preinstalled, and being a writable USB key, the antivirus can be kept up to date. Any live Linux distro on writable media will do, however.

You can also use KlamAV as a diagnostic tool, checking to see if a Windows computer is infected.

Boot Mandriva Flash and open KlamAV. You will be greeted with the first-time wizard; accepting the default settings is usually safe. Open the Scan tab and press “Options”; a dialog will open. In “Archive Types”, select all archive types and the associated program for each. You may have to install some packages. On my system, I associated:

  • zip: /usr/bin/unzip
  • rar: /usr/bin/unrar (after installing unrar package)
  • arj: /usr/bin/arj (after installing arj package)
  • zoo: /usr/bin/zoo (after installing zoo package in PLF repository)
  • lzh: /usr/bin/lha (after installing lha package)
  • jar: /usr/bin/unzip, per man clamscan
  • deb: /usr/bin/tgz, per man clamscan
  • tar: /bin/tar

In “Event Logging” I set the logs to expire after 2 days. Press “OK” to return to the main configuration window.

Open the Update tab and select “Update Virus Database Automatically”; I set mine to once a day. Two other options that sound appealing — update ClamAV and KlamAV automatically — have never worked for me so I leave them unselected. You will periodically receive warnings that ClamAV and/or KlamAV are out of date; I do not know how to update them nor suppress the warnings.

When finished configuring KlamAV, simply close the window.

I like to manually update the virus database as described above just before leaving my office for the work site. That way I won’t be slowed down should the customer have a slow Internet connection. I also like to carry with me:

  • CCleaner or a similar Registry checker for Windows to clean up the Registry after disinfection.
  • An antivirus to install on Windows afterwards. It’s a safe bet that the infected computer has no effective one. I have been pleased with F-Prot (home and small office) and Kaspersky OpenSpace (enterprise). Vendors I do not recommend include Symantec (Norton), McAfee, or Trend Micro.
  • The Symantec and McAfee product removal tools.
  • The EICAR antivirus test files, so I can test the new antivirus after installing it. These should be on nonwritable media (a mini CD, for example) to prevent the antivirus from deleting them upon detection.

Boot the Windows computer into Mandriva Flash and open KlamAV. If you didn’t do so before leaving the office, manually update the virus database. In the Scan tab, select the desired option in “When a virus is found”; I prefer to quarantine the file. You will probably want to scan folders recursively. Select the device to scan, usually the hard drive with Windows. Press “Scan”.

TODO: Document how to set up Flash to automatically mount the Windows drive, and how to not leave workstation-specific junk behind in /etc/fstab.

While scanning — this will take a while — take the opportunity to educate the client on how antivirus products work. Help the client to understand that they are merely reactive, not proactive, and so are no replacement for safe computing practices. Also explain the subscription model of the antivirus you will be installing, and that it will be his responsibility to periodically renew it.

Boot the computer into Windows, but physically disconnected from any network (no Internet, no LAN, wireless cards turned off). Uninstall any existing antivirus, which has proven itself to be either ineffective or damaged.

If the computer has or ever had a Symantec (Norton) or McAfee antivirus or other product installed, merely using the uninstaller from the Windows Control Panel is not sufficient and traces will remain that hinder the installation and operation of a new antivirus. For this reason I run the Symantec and McAfee product removal tools as a matter of course before installing an antivirus on every computer. (This is one reason I strongly discourage the use of Symantec and McAfee products.) The tools sometimes fail, in which case you will have to remove the Symantec or McAfee product manually.

Even well-behaved security products can be damaged by malware, making their removal difficult. First, try uninstalling them while running Windows in Safe Mode (which is good advice for dealing with any troublesome uninstall). If that doesn’t work, try these product-specific methods:

When all antivirus products have been removed, reboot, still without networking. Use CCleaner or another Registry checker to clean up after anything you have removed.

Now install the new antivirus you brought with you. If the installer is an .exe file, right-click on it and select “run as administrator” (which is how security software generally should be installed). Do not connect to the Internet to download an antivirus now; all you will do is reinfect the machine.

Reboot again and test the new antivirus with the EICAR test files. There are three test files. The first,, is the basic test file. The second file,, contains the test file inside a zip archive. A good antivirus scanner will spot the test inside an archive. The third file,, is a zip archive containing, to see whether the virus scanner checks archives more than only one level deep. All three files should be detected.

If all goes well, connect the computer to the Internet, update the virus database, and begin a full scan. If the Internet connection is not working in Windows — for example, if you’ve brought the computer to your shop and the connection is not automatically recognized — then configure it.

You are finished. Congratulations on a job well done.

KlamAV is a graphical frontend to ClamAV, which is the antivirus proper. If KlamAV or KDE isn’t your cup of tea, consider ClamTk, a Gnomish frontend to ClamAV. For that matter, you aren’t limited to ClamAV: several reputable antivirus vendors such as Kaspersky offer Linux versions of their products on live CDs for exactly this purpose.

If KlamAV’s updates consistently fail, check your version of ClamAV. Version 0.94 has reached end of life and needs to be updated to at least 0.95.

Useful comparisons of anti-virus solutions can be found at Virus Bulletin (free registration required for some content) and AV Comparatives.


About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?
This entry was posted in Uncategorized and tagged , , , . Bookmark the permalink.

4 Responses to Removing viruses with KlamAV

  1. anonymous says:

    John writes:I did this for AVG Threat Labs. I like it because it scans webpages prior to you accessing it, so I hope my computer will stay "cleaner" for longer now. Thanks for the tips, mate!

  2. wpost says:

    Glad to help. And if you are concerned about malware-infected websites, be sure to not use Internet Explorer. Safer browsers include Opera (my favorite) and Firefox. My notes on securing their settings and installing security extensions:

  3. Pingback: Securing a Windows computer | Warren's tech notes

  4. Pingback: Mandriva Flash | A maze of twisty little passages

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s