[Gllug] Memory scanning

James Courtier-Dutton james.dutton at gmail.com
Mon Sep 6 12:01:43 UTC 2010

On 6 September 2010 11:49, - Tethys <tethys at gmail.com> wrote:
> On Mon, Sep 6, 2010 at 10:36 AM, James Courtier-Dutton
> <james.dutton at gmail.com> wrote:
>> For quite a long time now, I have wanted to write a tool in Linux that
>> can scan a Windows NTFS partition.
>> It would scan every executable on the HD, but not scan it for viruses,
>> but instead scan if for if it is the original or not.
> Why reinvent the wheel? Something like AIDE or tripwire should do this for you.

I believe AIDE and tripwire work differently.
For them, you have your filesystem. You run AIDE to create the checksums.
AIDE can then detect changes to that the filesystem.

I was looking for a more blind approach.
Someone gives me a system, I have no idea if it is infected or not by
some unknown virus.
I need some software to be able to tell me.
So, I am not really looking for changes as I don't have a "pre" state
like one does with AIDE.
I am looking for any executable that does not appear to be from
certified sources.

Windows is particulary difficult to use. For example, when booting in
"SAFE" mode, one cannot even run the McAfee Enterprise virus
Gllug mailing list  -  Gllug at gllug.org.uk

More information about the GLLUG mailing list